Distributed Intrusion Detection
Mamata Desai (99305903)
M.Tech., CSE Dept.,
IIT Bombay
Overview
– What is intrusion?
– Dealing with intrusion
– Intrusion detection principles
– Our problem definition
– Packages analyzed
– Our approach
– Experiments and results
– Conclusions
What is intrusion?
The potential possibility of a deliberate unauthorized attempt to:
1. Access information
2. Manipulate information
3. Render a system unreliable or unusable
Types of intrusions:
– External attacks
  • Password cracks, network sniffing, machine & services discovery utilities, packet spoofing, flooding utilities, DoS attacks
– Internal penetrations – masqueraders, clandestine users
– Misfeasors – authorized misuse
Example attacks
– Password cracking
– Buffer overflow
– Network reconnaissance
– Denial of service (DoS)
– IP spoofing
Dealing with intrusion
– Prevention – isolate from the network, strict authentication, encryption
– Preemption – “do unto others, before they do unto you”
– Deterrence – dire warnings: “we have a bomb too”
– Deflection – diversionary techniques to lure the attacker away
– Countermeasures
– Detection
Intrusion detection principles
– Anomaly-based
  • Form an opinion on what constitutes “normal”, and decide on a threshold to flag as “abnormal”
  • Cannot distinguish illegal from abnormal
– Signature-based
  • Model signatures of previous attacks and flag matching patterns
  • Cannot detect new intrusions
– Compound
System characteristics
– Time of detection
– Granularity of data processing
– Source of audit data
– Response to detected intrusions – passive vs. active
– Locus of data processing
– Locus of data collection
– Security
– Degree of interoperability
Host-based vs. network-based IDS
Host-based IDS
1. Verifies success or failure of an attack
2. Monitors specific system activities
3. Detects attacks that network-based systems miss
4. Well-suited for encrypted and switched environments
5. Near-real-time detection and response
6. Requires no additional hardware
7. Lower cost of entry
Network-based IDS
1. Lower cost of ownership
2. Detects attacks that host-based systems miss
3. More difficult for an attacker to remove evidence
4. Real-time detection and response
5. Detects unsuccessful attacks and malicious intent
6. Operating system independence
7. Performance issues
Our problem definition
– Portscanning
– Our laboratory setup – multiple machines with similar configuration
– Portscan on a single machine
– Distributed portscan – small evasive scans on multiple machines
– Aim – detect such distributed scans
Typical lab setup
Types of portscans
– Scan types: TCP connect() scan, stealth SYN scan, stealth FIN scan, Xmas scan, Null scan
– Scan sweeps: one-to-one, one-to-many, many-to-one, many-to-many
Normal sequence of packets
Source                      Network messages    Target
Send SYN, seq=x             --->                Receive SYN segment
Receive SYN+ACK segment     <---                Send SYN, seq=y, ACK x+1
Send ACK y+1                --->                Receive ACK segment
Send ACK+FIN+RST            --->                Receive ACK+FIN+RST
… more packet exchanges
Stealth SYN scan
Source                      Network messages    Target
Send SYN, seq=x             --->                Receive SYN segment
Receive SYN+ACK segment     <---                Send SYN, seq=y, ACK x+1
Send RST                    --->                Receive RST
Stealth FIN scan
Source                      Network messages    Target
Send FIN                    --->                Receive FIN
Stealth Xmas scan
Source                      Network messages    Target
Send FIN+PSH+URG            --->                Receive FIN+PSH+URG
Packages analyzed
Sniffit (http://sniffit.rug.ac.be/sniffit/sniffit.html)
– A network sniffer for TCP/UDP/ICMP packets
– Interactive mode
Tcpdump (http://www.tcpdump.org)
– A tool for network monitoring and data acquisition
Nmap (http://www.nmap.org)
– “Network mapper” for network exploration and security auditing
– Various types of TCP/UDP scans, ping scans
Portsentry (http://www.psionic.com/abacus/portsentry)
– Host-based TCP/UDP portscan detection and active defense system
– Stealth scan detection
– Reacts to portscans by blocking hosts
– Internal state engine to remember previously connected hosts
– All violations reported to syslog
Snort (http://www.snort.org)
– Network-based IDS – real-time analysis and traffic logging
– Content searching/matching to detect attacks and probes – buffer overflows, CGI attacks, SMB probes, OS fingerprinting attacks
– Rules language to describe traffic to collect or pass
– Alerts via syslog, user files, WinPopUp messages
– 3 functional modes – sniffer, packet logger, NIDS
Packages analyzed (contd.)
Portsentry
– Binds to all ports to be monitored
– A static “list” of ports monitored
– State engine – different hosts
Snort
– Preprocessor – connections to P ports in T seconds
– V1.8 – only one-to-one and one-to-many portscans detected
Our approach
– Pick up network packets
– Based on which type of portscan is to be analyzed, identify the scan signature
– Add each source and target IP address to the correlation lists
– Use the correlation lists to infer the scan sweep – one-to-one, one-to-many, many-to-one, many-to-many
Experimental Setup
Detection algorithm
– Examine each TCP packet on the network.
– Extract the source and target IP addresses and ports.
– For each scan type to be detected, maintain a list of “valid” connections.
– When a scan signature is detected, add the source and target IP addresses to the two correlation lists (indexed by srcIP and tarIP) and remove the entry from the connections list.
– The two correlation lists have identical structure: each records source and target IP address information along with the number of scans.
– Scan sweeps one-to-one, one-to-many, many-to-one, and many-to-many are detected by passes through the correlation lists.
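The approach and detection algorithm above, worked through as an added Python example (not the talk's code): a constructed packet trace using the lab hostnames in place of IP addresses, the “valid connection” tracking, the two correlation lists, and the pass that labels each source/target pair with its sweep type. The labelling rule (a pair is many-to-… when its target was scanned from more than one source, and …-to-many when its source scanned more than one target) and the flag-based scan signatures are my reading of the slides.

```python
from collections import defaultdict
# Constructed trace (not from the talk): (src, sport, dst, dport, TCP flags).
# Lab hostnames from the talk stand in for IP addresses.
TRACE = [
    ("pro-13", 40001, "pro-19", 25, "S"),    # legitimate SMTP session: SYN,
    ("pro-19", 25, "pro-13", 40001, "SA"),   # SYN+ACK, ACK, then a normal close
    ("pro-13", 40001, "pro-19", 25, "A"),
    ("pro-13", 40001, "pro-19", 25, "FA"),
    ("pro-13", 40002, "pro-21", 21, "S"),    # stealth SYN scan: SYN, SYN+ACK, RST
    ("pro-21", 21, "pro-13", 40002, "SA"),
    ("pro-13", 40002, "pro-21", 21, "R"),
    ("pro-13", 40003, "pro-23", 22, "S"),    # same source, second target
    ("pro-23", 22, "pro-13", 40003, "SA"),
    ("pro-13", 40003, "pro-23", 22, "R"),
    ("pro-15", 40004, "pro-19", 80, "F"),    # stealth FIN scan, no connection exists
    ("pro-17", 40005, "pro-21", 23, "FPU"),  # Xmas scan
    ("pro-17", 40006, "pro-21", 110, ""),    # Null scan
]

def detect(trace):
    """Correlation lists: by_src[src][tgt] and by_tgt[tgt][src] hold scan counts."""
    pending, established = {}, set()          # half-open / completed valid connections
    by_src = defaultdict(lambda: defaultdict(int))
    by_tgt = defaultdict(lambda: defaultdict(int))
    for src, sport, dst, dport, flags in trace:
        f, key, reply = set(flags), (src, sport, dst, dport), (dst, dport, src, sport)
        scan = False
        if f == {"S"}:
            pending[key] = "syn"                              # client opened a connection
        elif f == {"S", "A"} and pending.get(reply) == "syn":
            pending[reply] = "synack"                         # server answered
        elif f == {"A"} and pending.get(key) == "synack":
            del pending[key]; established.add(key)            # handshake completed
        elif f == {"R"} and pending.pop(key, None) == "synack":
            scan = True                        # RST instead of ACK: stealth SYN scan
        elif ("F" in f or not f) and not ({key, reply} & (set(pending) | established)):
            scan = True                        # FIN / Xmas / Null probe with no connection
        if scan:
            by_src[src][dst] += 1; by_tgt[dst][src] += 1
    return by_src, by_tgt

def classify_sweeps(by_src, by_tgt):
    """Pass over the correlation lists: label each (src, tgt) pair by its sweep type."""
    return {(s, t): f"{'many' if len(by_tgt[t]) > 1 else 'one'}-to-"
                    f"{'many' if len(by_src[s]) > 1 else 'one'}"
            for s in by_src for t in by_src[s]}

if __name__ == "__main__":
    for pair, sweep in sorted(classify_sweeps(*detect(TRACE)).items()):
        print(pair, sweep)
```

A SYN to a closed port that is answered by RST from the target is left pending and never counted, which is the closed-port behaviour behind the ident-lookup misclassification noted in the conclusions.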
Experiments
One-to-one scan
Source   Target                  TCP ports
pro-13   pro-19                  25, 119
pro-15   pro-21                  21, 23, 80
pro-17   pro-23                  22, 79
One-to-many scan
Source   Target                  TCP ports
pro-13   pro-19, pro-21, pro-23  7, 20, 21, 22, 23, 25, 53, 69, 79, 80, 88
pro-15   pro-19, pro-21          110, 111, 119, 139, 143, 194, 220
Experiments (contd.)
Many-to-one scan
Source   Target                  TCP ports
pro-13   pro-21                  443, 513, 518
pro-15   pro-21                  873, 3130, 6667
pro-17   pro-21                  107, 20, 21, 23
Many-to-many scan
Source   Target                  TCP ports
pro-13   pro-19, pro-21, pro-23  7, 20, 21, 79, 80, 113, 119, 139, 143, 194, 667
pro-15   …                       …
pro-17   …                       …
Conclusions
All the scans performed by nmap were detected successfully by our detector and the correlations were accurate.
Some stray incidents of ident lookups did get classified as scans, due to the way closed ports behave.