Download INTRUSION DETECTION SYSTEM (IDS)

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
Document related concepts

Cyberwarfare wikipedia , lookup

Deep packet inspection wikipedia , lookup

Unix security wikipedia , lookup

Distributed firewall wikipedia , lookup

Security-focused operating system wikipedia , lookup

Network tap wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Cross-site scripting wikipedia , lookup

Cyberattack wikipedia , lookup

Wireless security wikipedia , lookup

Computer security wikipedia , lookup

Mobile security wikipedia , lookup

Social engineering (security) wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
INTRUSION
DETECTION SYSTEM
(IDS)
by
Kilausuria Abdullah (GCIH)
Cyberspace Security Lab, MIMOS Berhad
OUTLINE
•Security incident
•Attack scenario
•Intrusion detection system
•Issues and challenges
•Conclusion
2
OUTLINE
•Security incident
•Attack scenario
•Intrusion detection system
•Issues and challenges
•Conclusion
3
Security incident landscape in
Malaysia
-High value that contributed
to intrusion
-Total intrusion reported that
related to intrusion
(excluding spam) is more
than 300 cases
Fig 1: Mycert quarterly
report
4
Losses incurred from security incident
• Total losses have also declined, could be related to reduced in
number of incidents reported
Source: CSI, CSO, PWC, MIMOS Analysis,
5
Pre-attack
Victim
Attacker
Target
6
Post-attack
7
Security incidents from intruder view
• an attack is unsuccessful from the perspective of intruder if none of their
objective are fulfilled
• some components of an attack from the perspective an intruder are :
- Objective ?
- Exploits scripts ?
- Vulnerabilities in target system ?
- Risk carrying out an intrusion ?
- Damage caused or consequences to victim ?
intruder
8
Security Incident from victim view
• A victim perspectives on intrusion is an attack is unsuccessful if
there are no consequences that result from the attack
• Some components of an attack from the perspective of a victim
are :
-What happened ?
-Who is affected ?
-Who is the intruder ?
-How did the intrusion happen ?
victim
9
OUTLINE
•Security incident
•Attack scenario
•Introduction to IDS
•IDS technologies
•Issues and challenges
•Conclusion
10
Attack scenario
• There are 5 steps involved in the attack scenario :
1.Reconnaissance
2.Scanning
3.Exploit the system
4.Keeping access
5.Covering the track
• Basically analyst use this flow of attack scenario to detect an
attack. Intruder may not use all the 5 steps, it depends on the modus
operandi and skills of the intruder.
11
Step 1 : Reconnaissance
• Conduct open source investigation to extract information about a target such
as domain name server (DNS), internet protocol (IP) and staff information
Reconnaissance tool
Description
Whois
DNS interrogation
Web site searchers
Acquire name servers
Google
Sam Spade
Web-based reconnaissance
Domain name and IP address
Acquiring information about company
from public databases
Googling for vulnerable system and etc
Capabilities such : ping, DNS lookup,
whois, DNS zone transfer, trace route,
finger, check time
Numerous web site offer the capability to
research or attack other sites
12
Step 2 : Scanning
• An attacker uses a variety of vulnerability scanning tools to
survey a target to find vulnerabilities in the target defenses
Scanning tool
Description
THC-scan
Scan network looking for
unprotected modems that autoanswer with no passwords
War driving with
NetStumbler
Trying to connect to unprotected
wireless networks to gain
network or internet access
To see which port are open.
Port Scanning with
nmap
Vulnerability
scanning nessus
Basically run port scanner and try
to connect to each port
13
Step 3 : Exploit to system
• An attacker tries to gain access, undermine an application or deny
access to other users
• There are 3 ways in exploit the system :
– Gaining access
– Web application attack
– Denial of Service (DoS)
14
Gaining access
-Unauthorized access by eavesdropping into communication
channel
-e.g : IP address spoofing, session hijacking, password
cracking and worm
Alice
Bob
Intruder
15
Step 3 : Exploit to system
Web Application attack
Alice
Bob
Intruder
- The information not only intercepted, but modified by an
unauthorized party while transit from the source to the
destination
-example : account harvesting, SQL injection and cross-site
scripting
16
ATTACK SCENARIO
Exploit to system
Denial of Service (DoS)
Source
Destination
- An asset of the system gets destroyed or becomes unavailable
Local
Network-based
Launch
1.Stopping services
2.Exhausting resources
-process killing,
-process crashing,
-system reconfig
-spawning to fill process
table
- malformed
packet(bonk)
- packet floods(SYN
flood)
-filling up the whole file
system
17
ATTACK EXAMPLE
SYN Flood Attack
-A normal connection between a user (Alice) and a server.
-The three-way handshake is correctly performed.
18
ATTACK EXAMPLE
SYN Flood Attack
-The attacker (Bob) sends several packets but does not send the
"ACK" back to the server.
-The connections are hence half-opened and eat the server
resources.
-Alice, a legitimate user, tries to connect but the server refuses to
open a connection resulting in a denial of service.
19
Step 4 : Keeping access
• Attacker maintain access by manipulating the software installed on the
system to achieve backdoor access
• Example : backdoor and trojan horses
backdoor
Bob
Alice
attacker
20
Step 5 : Covering the track
• Attacker maintain hard fought access by covering tracks. Hide from
users and system admin using variety of techniques
• covering track in Unix, Windows and network is different
– Hide files to simply name like dot space
21
Attack scenarios
Communication
Information
source
Information
destination
1. Interruption
2. Interception
3. Modification
4. Fabrication
22
OUTLINE
•Security incident
•Attack scenario
•Intrusion detection system
•Issues and challenges
•Conclusion
23
Intrusion detection system (IDS)
Intrusion:
Sequence related actions performed by a malicious adversary
that results in the compromise of a target computing or
networking domain
Intrusion detection :
Processes to identify and respond to malicious activity targeted
at target computing and networking domain
Intrusion Detection System (IDS ):
is a system that automates the intrusion detection process
24
Terminology in IDS
• Attack
– a failed attempt to enter the system
• False negative
– test result implying a condition does not exist when in fact it does.
• False positive
– test result implying a condition exists when in fact it does not.
25
Common Intrusion Detection Framework (CIDF),
models an IDS aggregate as four component :
R-box
A-box
A-box
D-box
A-box
E-box
E-box
Basically in CIDF, IDS
implementation have :
- event box (E-box)
- analysis box (A-box)
- database box (D-box)
- response box (R-box)
Exchange raw audit
data
exchange events
Monitored environment
[Porras et al.,1998 ]
26
Intrusion Detection Characterization
Intrusion detection characterization
approach
protected
system
HIDS NIDS Hybrids
anomaly
detection
signature
detection
structure
data source
audit
trail
network
packet
centralised distributed
system
system
behavior
after an attack
system state
analysis
(kernel,
Services, files)
analysis
timing
Real time
processing
internal
based
IDS
active passive
response response
agent
system
Source : przemyslaw & piotr
27
IDS approach
Signature vs Anomaly
Audit Data
Signature
Base
Match?
1.Signature based – Audit data collected by the IDS
is compared with the content of the signature, if a
match IS found, alert generated
Audit Data
System
Profile
Statistically
anomalous ?
2.Anomaly based – Audit data collected by the IDS is
compared with the system profile (normal behaviour),
if a match NOT found, alert generated
28
Protected system in IDS
Network intrusion
detection system (NIDS)
- Detects attack by analyzing
the network traffic exchanged
on a network link .
- defense at the network level
NIDS
29
Host-based intrusion
detection system(HIDS)
-Detects attack against a specific
host by analyzing audit data
produced by the host operating
system
- defense at the application level
HIDS
30
Hybrids
- Detects attack against a
specific host by analyzing audit
data produced by the host
operating system and network
traffic
31
IDS structure
Centralized system
- IDS can operate standalone
Centralized application
- integrated applications that create a distributed system
- multiple IDS
Agent
- a particular architecture with autonomous agents that are able to take
pre-emptive and reactive measures and even to move over the network
32
IDS Data Source
• Audit trail – event log processing
• Network packet – a stream of network packet
• System state analysis -from kernel, services, files
33
IDS Behaviour after attack
• Active Response
– IDS responds to the suspicious activity by logging off a user or by
reprogramming the firewall to block network traffic from the suspected
malicious source.
• Passive Response
– IDS detects a potential security breach, logs the information and signals
an alert
34
IDS Analysis Timing
• Real time processing
– Perform online verification of system events
– Require large amount RAM since no data storage is used
– Online monitoring, analyze events and user actions
• Interval based
– Related to audit trail (event log processing)
– Recording every event, consumption of system resources
– Vulnerable to DoS attack by over flowing the system's free space
35
IDS Technologies
• IDS product
– Non commercial IDS
• Snort, Emerald, Netstat, Bro and many others
– Commercial IDS
• SourceFire, NetProwler, NetRanger, Centrax, RealSecure and
many others
36
IDS TECHNOLOGIES
• Immature and dynamic
• Research product
– eg. Emerald, Netstat, Bro etc
• Commercial products ( CMDS, NetProwler,
NetRanger, Centrax, RealSecure etc
37
OUTLINE
•Security incident
•Attack scenario
•Intrusion detection system
•Issues and challenges
•Conclusion
38
IDS issues and challenges
• Operational challenges with IDS
– Too many of IDS product
• IDS do not have the capability to look at every possible security
event
– Difficulty with evaluating IDS technologies
• Identify and evaluate the processes,procedures and tools
– Lack of qualified technical staff
• To evaluate, select, install, operate and maintain IDS
technologies
• Events from multiple sources
– Need to correlate the event
39
IDS issues and challenges
• IDS vs Intrusion prevention system (IPS)
- IPS is a system to detect and also prevent the intrusion
- The difference between IPS and IDS mainly it has the prevention
process in line
• Will IPS replace IDS?
– Use both
40
Conclusion
- IDS is a technology that can be use to detect an attack , but for
future capabilities in IDS can be improved
41
References :
Christopher Kruegel, Fredrik Valeur, Giovanni Vigna (2005). Intrusion Detection
and Correlation, Challenges and Solution, Springer Science+Business Media Inc,
USA.
Ed Skoudis and SANS. Computer and network hacking exploits –SANS 2006
http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028chap0
1.html
http://www.windowsecurity.com/articles/IDS-Part2-Classification-methodstechniques.html
42
Thank you
43
Related documents
Intrusion Prevention Systems
Intrusion Prevention Systems
Intrusion Detection Technique by using K
Intrusion Detection Technique by using K
CHAPTER 1 THE INTRUSION DETECTION SYSTEM
CHAPTER 1 THE INTRUSION DETECTION SYSTEM
ppt
ppt
Intrusion Detection Technique by using K
Intrusion Detection Technique by using K
History 105C: Civ I
History 105C: Civ I
IDS
IDS
Intrusion Detection
Intrusion Detection
Abstract-The paper`s object is to develop a network intrusion
Abstract-The paper`s object is to develop a network intrusion
Prep sheet for midterm
Prep sheet for midterm