NET 536 NETWORK SECURITY
Networks and Communication Department
Lecture 7: Intrusion Detection
25-May-17

Outline
- Intruders: definition and main classes
- Intrusion detection: classification, components, basic principles
- Host-based intrusion detection
- Network-based intrusion detection

Intruders
- An intruder is a significant issue for networked systems: hostile or unwanted access, either over the network or locally.
- Three classes of intruders:
  - Masquerader: an individual who is not authorized to use the computer and who penetrates the system's access controls to exploit a legitimate user's account (usually an outsider).
  - Misfeasor: a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses the privilege (usually an insider).
  - Clandestine user: an individual who seizes supervisory control of the system and uses that control to evade auditing and access controls or to suppress audit collection (can be either an insider or an outsider).
- Intruders have varying levels of competence.

Intruders: Examples
- Performing a remote root compromise of an e-mail server.
- Defacing a web server.
- Guessing and cracking passwords.
- Copying a database containing credit card numbers.
- Viewing sensitive data (e.g. payroll records and media) without authorization.
- Running a packet sniffer on a workstation to capture usernames and passwords.

Intrusion Techniques
- The aim is to increase privileges on the system.
- Basic attack methodology:
  1. Target acquisition and information gathering
  2. Initial access
  3. Privilege escalation
  4. Covering tracks
- A key goal is often to acquire passwords and then exercise the access rights of their owner.

Intrusion Detection
- Security intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
- Intrusion detection: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.

Intrusion Detection: Classification
- Intrusion detection systems (IDSs) can be classified as follows:
  - Host-based IDS (HIDS): monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
  - Network-based IDS (NIDS): monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.

Intrusion Detection: Components
- An IDS comprises three logical components:
  - Sensors: collect data (e.g. network packets, log files, and system call traces).
  - Analyzers: receive input from one or more sensors or from other analyzers and determine whether an intrusion has occurred.
  - User interface: lets a user view output from the system or control its behavior (the UI may be part of a manager, director, or console component).

Intrusion Detection: Basic Principles
1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done. The sooner the intrusion is detected, the less damage results and the more completely recovery can be achieved.
2. An effective IDS can serve as a deterrent, thus acting to prevent intrusions.
3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen intrusion prevention measures.

Intrusion Detection: Overlap of Behaviors
- Although the typical behavior of an intruder differs from the typical behavior of an authorized user, there is an overlap between the two. Two kinds of error therefore arise:
  - False positives: authorized users identified as intruders.
  - False negatives: intruders not identified as intruders.
(Figure: profile of behaviors of intruders and authorized users. The two distributions overlap, so any detection threshold trades false positives against false negatives.)

Host-based Intrusion Detection
- A host-based IDS can detect both external and internal intrusions. There are two general approaches:
1. Anomaly detection: collect information about legitimate users' behavior over a period of time, then apply statistical tests to observed behavior to decide, with a high level of confidence, whether it is legitimate. There are two approaches to statistical anomaly detection:
  a) Threshold detection: define thresholds, independent of user, for the frequency of occurrence of various events.
  b) Profile-based: develop a profile of the activity of each user and use it to detect changes in the behavior of individual accounts.
2. Signature detection: define a set of rules or attack patterns that can be used to decide that a given behavior is that of an intruder.
- In essence, anomaly approaches attempt to define normal, or expected, behavior, whereas signature-based approaches attempt to define improper (attack) behavior.

Audit Records
- Audit records are the fundamental tool for intrusion detection.
- Native audit records: part of all common multi-user operating systems, so they are already present for use, but they may not contain the wanted information, or not in the desired form.
- Detection-specific audit records: created specifically to collect the wanted information, at the cost of additional overhead on the system.

Statistical Anomaly Detection
- Threshold detection: count occurrences of a specific event over time; if the count exceeds a reasonable value, assume an intrusion. On its own this is a crude and ineffective detector.
- Profile-based: characterize the past behavior of users, then detect significant deviations from it. A profile is usually multi-parameter.

Statistical Anomaly Detection: Audit Record Analysis
- Audit record analysis is the foundation of statistical approaches.
- Records are analyzed to obtain metrics over time. Examples of metrics useful for profile-based detection:
  - Counter: a nonnegative integer that may be incremented but not decremented until it is reset by management action; it counts certain events over a period of time (e.g. number of logins during one hour).
  - Gauge: a nonnegative integer that may be incremented or decremented; it measures the current value of some entity (e.g. number of logical connections assigned to a user application).
  - Interval timer: the length of time between two related events (e.g. time between successive logins to an account).
  - Resource use: the quantity of resources consumed during a specified period (e.g. total CPU time consumed by a program execution).

Statistical Anomaly Detection: Tests
- Various tests can be applied to the metrics to determine whether current behavior is acceptable:
  - Mean and standard deviation
  - Multivariate
  - Markov process
  - Time series
  - Operational
- The key advantage is that no prior knowledge of security flaws is required.

Signature Detection: Rule-Based Intrusion Detection
- Signature techniques detect intrusions by observing events on the system and applying a set of rules to decide whether the activity is suspicious.
1. Rule-based anomaly detection:
  - Analyze historical audit records to identify usage patterns and auto-generate rules that describe them.
  - Then observe current behavior and match it against the rules to see whether it conforms.
  - Like statistical anomaly detection, it does not require prior knowledge of security flaws.
  - It requires a large database of rules to be effective.
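The two statistical approaches from the host-based slides above (a user-independent threshold versus a per-user profile with the mean and standard deviation test) side by side, as an added example that is not from the lecture. The audit record layout, the user names, the day numbers, the thresholds and the standard-deviation floor are all constructed assumptions:

```python
"""Statistical anomaly detection on host audit records: a global threshold
detector next to a per-user profile detector (mean and standard deviation test).

Added example, not from the lecture. The record layout, user names, day
numbers, thresholds and sigma floor are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

METRICS = ("logins_per_hour", "failed_logins_per_hour")  # two counter metrics

# Constructed audit records: (day, user, logins_per_hour, failed_logins_per_hour).
# Days 1-7 are the training period; day 8 is the period under observation.
AUDIT_RECORDS = [
    (1, "alice", 3, 0), (2, "alice", 4, 1), (3, "alice", 3, 0), (4, "alice", 5, 0),
    (5, "alice", 4, 1), (6, "alice", 3, 0), (7, "alice", 4, 0),
    (1, "bob", 20, 2), (2, "bob", 22, 1), (3, "bob", 19, 3), (4, "bob", 21, 2),
    (5, "bob", 18, 2), (6, "bob", 23, 1), (7, "bob", 20, 2),
    (8, "alice", 16, 9),  # alice's account is suddenly hammered with login attempts
    (8, "bob", 21, 2),    # an ordinary day for bob, who is a heavy user anyway
]
TRAINING_DAYS = range(1, 8)


def threshold_detect(records, thresholds):
    """Threshold detection: one limit per metric, the same for every user.
    Returns (day, user, metric, value) for every record over a limit."""
    alerts = []
    for day, user, *values in records:
        for metric, value in zip(METRICS, values):
            if value > thresholds[metric]:
                alerts.append((day, user, metric, value))
    return alerts


def build_profiles(records, training_days=TRAINING_DAYS, sigma_floor=1.0):
    """Profile-based detection, step 1: per-user mean and standard deviation of
    each metric over the training period. sigma_floor (an assumption) keeps a
    near-constant baseline from turning a one-event change into an alarm."""
    samples = defaultdict(list)
    for day, user, *values in records:
        if day in training_days:
            for metric, value in zip(METRICS, values):
                samples[(user, metric)].append(value)
    return {key: (mean(vals), max(pstdev(vals), sigma_floor))
            for key, vals in samples.items()}


def profile_detect(records, profiles, k=3.0, observed_days=(8,)):
    """Profile-based detection, step 2: flag a record whose value lies more than
    k standard deviations from that user's own mean. Returns (day, user, metric, z)."""
    alerts = []
    for day, user, *values in records:
        if day not in observed_days:
            continue
        for metric, value in zip(METRICS, values):
            mu, sigma = profiles[(user, metric)]
            z = abs(value - mu) / sigma
            if z > k:
                alerts.append((day, user, metric, round(z, 1)))
    return alerts


def run_both():
    """Run both detectors over the same records; returns (threshold_alerts, profile_alerts)."""
    thresholds = {"logins_per_hour": 15, "failed_logins_per_hour": 5}  # assumed limits
    t_alerts = threshold_detect(AUDIT_RECORDS, thresholds)
    p_alerts = profile_detect(AUDIT_RECORDS, build_profiles(AUDIT_RECORDS))
    return t_alerts, p_alerts


if __name__ == "__main__":
    t_alerts, p_alerts = run_both()
    print("threshold detector:", t_alerts)  # flags bob every single day: false positives
    print("profile detector:  ", p_alerts)  # flags only alice on day 8
```

The point the numbers make: the user-independent threshold fires on bob eight days out of eight because his normal activity exceeds the limit, while the per-user profile stays quiet for bob and fires only on alice's day-8 jump, which lies more than ten of her own standard deviations from her mean on both metrics.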
2. Rule-based penetration identification:
  - Uses expert-system technology.
  - Rules identify known penetrations, known weakness patterns, or suspicious behavior.
  - Rules are usually machine- and OS-specific.
  - Rules are generated by experts who interview security administrators and codify their knowledge; the quality of the rules depends on how well this is done.
  - Audit records or system states are compared against the rules.

Base-Rate Fallacy
- Practically, an intrusion detection system needs to detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level.
  - If too few intrusions are detected, the result is a false sense of security.
  - If there are too many false alarms, operators ignore them or waste time analyzing them.
- This is very hard to do, because intrusions are rare relative to legitimate activity: even a small false-alarm probability per event, multiplied over the huge volume of benign events, produces far more false alarms than true ones. Existing systems seem not to have a good record.

Network-Based Intrusion Detection Systems (NIDS)
- A network-based IDS monitors traffic at selected points on a network or interconnected set of networks.
- It examines traffic packet by packet, in real time or close to real time, to detect intrusion patterns.
- It may examine network-, transport-, and/or application-level protocols.
- A NIDS includes a number of sensors to monitor packet traffic.

NIDS Sensors
- Sensors operate in one of two modes:
  - Inline sensor: inserted into a network segment so that the traffic being monitored must pass through the sensor.
  - Passive sensor: monitors a copy of the network traffic; the actual traffic does not pass through the device.
- Passive sensors are the most common and are more efficient than inline sensors, because they do not add an extra handling step that contributes to packet delay. Only an inline sensor, however, is in a position to drop the traffic it judges malicious.

NIDS: Intrusion Detection Techniques
- As with host-based intrusion detection, network-based intrusion detection makes use of both signature and anomaly detection.
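The base-rate fallacy slide above, worked through with numbers, as an added example that is not from the lecture. It applies Bayes' rule to compute how many alarms are real for a given intrusion rate and detector accuracy; the event volume, the number of intrusions per day and the detection and false-alarm rates are constructed assumptions:

```python
"""The base-rate fallacy in numbers: a detector that catches 99% of intrusions
and raises a false alarm on only 0.1% of benign events can still be wrong
about nearly every alarm it raises, because intrusions are rare.

Added example, not from the lecture. The event volume, number of intrusions
and detector accuracies are constructed assumptions."""


def precision(base_rate, detection_rate, false_alarm_rate):
    """P(intrusion | alarm) by Bayes' rule.

    base_rate        = P(I):         fraction of events that are intrusive
    detection_rate   = P(A | I):     true positive rate
    false_alarm_rate = P(A | not I): false positive rate
    """
    true_alarms = detection_rate * base_rate
    false_alarms = false_alarm_rate * (1.0 - base_rate)
    return true_alarms / (true_alarms + false_alarms)


def daily_alarms(events_per_day, intrusions_per_day, detection_rate, false_alarm_rate):
    """Expected (true, false) alarm counts per day for a given workload."""
    benign = events_per_day - intrusions_per_day
    return intrusions_per_day * detection_rate, benign * false_alarm_rate


def false_alarm_rate_for(base_rate, detection_rate, target_precision):
    """Invert Bayes' rule: the false-alarm rate needed so that P(I | A) equals the target."""
    return (detection_rate * base_rate * (1.0 - target_precision)
            / (target_precision * (1.0 - base_rate)))


if __name__ == "__main__":
    events, intrusions = 1_000_000, 10  # assumed: 10 intrusive events per million
    base_rate = intrusions / events
    for far in (1e-2, 1e-3, 1e-4):
        tp, fp = daily_alarms(events, intrusions, 0.99, far)
        print(f"FAR={far:<6} P(intrusion|alarm)={precision(base_rate, 0.99, far):.4f} "
              f"true alarms/day={tp:.1f} false alarms/day={fp:.0f}")
    needed = false_alarm_rate_for(base_rate, 0.99, 0.5)
    print(f"for half of the alarms to be real, FAR must be {needed:.2e} "
          f"(about 1 benign event in {1 / needed:,.0f})")
```

With ten intrusive events among a million, a 99% detection rate and a 0.1% false-alarm rate yield roughly ten true alarms and a thousand false ones per day, so fewer than 1% of alarms are real; the false-alarm rate must drop to about one in a hundred thousand before even half of the alarms are genuine. That is why the slide can say the problem is very hard: the required false-alarm rate is set by the base rate, not by the detector designer.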
- Signature detection. Examples of attack types that are suitable for signature detection:
  - Application layer reconnaissance and attacks, e.g. buffer overflows, password guessing, and malware transmission.
  - Transport layer reconnaissance and attacks, e.g. SYN floods.
  - Network layer reconnaissance and attacks, e.g. spoofed IP addresses and illegal IP headers.
- Anomaly detection. Examples of attack types that are suitable for anomaly detection:
  - Denial-of-service (DoS) attacks: the attacker aims to increase packet traffic or connection attempts.
  - Scanning: the attacker probes a target system by sending different kinds of packets; from the responses received, the attacker can learn many of the system's characteristics.
  - Worms: a program that can replicate itself and send copies from computer to computer across network connections; worms can cause hosts to use ports that they normally do not use.

NIDS: Logging of Alerts
- When a sensor detects a potential violation, it sends an alert and logs information related to the event.
- The NIDS can use this information to refine its detection parameters and algorithms.
- The security administrator can use it to design prevention techniques.
- Typical information logged by a NIDS sensor includes:
  - Timestamp (usually date and time)
  - Connection or session ID
  - Event or alert type
  - Rating, e.g. priority or severity
  - Network, transport, and application protocols
  - Source and destination IP addresses
  - Number of bytes transmitted over the connection
  - Decoded payload data, such as application requests and responses
  - State-related information, e.g. an authenticated username
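The rule-based penetration identification slide and the NIDS technique and alert-logging slides above, combined into one small analyzer, as an added example that is not from the lecture: two signature rules (a transport-layer SYN-flood rule and a network-layer spoofed-source rule), one anomaly rule (a port scan, recognised as a single source touching far more distinct ports than normal clients do), and an alert record carrying the fields the logging slide lists. The packet-summary format, the addresses, the time windows and the thresholds are constructed assumptions:

```python
"""A toy NIDS analyzer: signature rules (SYN flood at the transport layer,
spoofed source at the network layer) and an anomaly rule (port scan) run over
decoded packet summaries, producing alert records with the fields a sensor
typically logs.

Added example, not from the lecture. The packet-summary format, addresses,
windows and thresholds are constructed assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed packet summaries: "<timestamp> <proto> <src:port> -> <dst:port> <flags> <length>"
_T0 = datetime(2017, 5, 25, 10, 0, 0)


def _pkt(offset_ms, proto, src, dst, flags, length):
    return f"{(_T0 + timedelta(milliseconds=offset_ms)).isoformat()} {proto} {src} -> {dst} {flags} {length}"


PACKETS = (
    # SYN flood: 40 SYNs in 2 s to the web server from addresses that never complete a handshake
    [_pkt(50 * i, "TCP", f"198.51.100.{i + 1}:{40000 + i}", "192.0.2.10:80", "S", 60) for i in range(40)]
    # port scan: one host probes 25 different ports on the file server in 5 s
    + [_pkt(30000 + 200 * i, "TCP", f"203.0.113.7:{50000 + i}", f"192.0.2.20:{20 + i}", "S", 60) for i in range(25)]
    # spoofed source: a loopback address arriving from the network
    + [_pkt(60000, "UDP", "127.0.0.1:5353", "192.0.2.10:53", "-", 80)]
    # ordinary traffic: a normal handshake start and its ACK
    + [_pkt(90000, "TCP", "203.0.113.9:51000", "192.0.2.10:80", "S", 60),
       _pkt(90010, "TCP", "203.0.113.9:51000", "192.0.2.10:80", "A", 52)]
)


def parse(line):
    """Decode one packet summary into the header fields the rules look at."""
    ts, proto, src, _, dst, flags, length = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "proto": proto, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "flags": flags, "bytes": int(length)}


def alert(pkt, event, priority, detail):
    """Alert record with the fields the logging slide lists (no session ID or
    decoded payload here, because the constructed summaries carry neither)."""
    return {"timestamp": pkt["ts"].isoformat(), "event": event, "priority": priority,
            "protocol": pkt["proto"], "src": pkt["src"], "dst": pkt["dst"],
            "dport": pkt["dport"], "bytes": pkt["bytes"], "detail": detail}


def rule_spoofed_source(pkt):
    """Network-layer signature: a source address that can never legitimately be on the wire."""
    ip = ipaddress.ip_address(pkt["src"])
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        return alert(pkt, "spoofed-source", "high", f"source {pkt['src']} is not a valid sender")
    return None


SYN_WINDOW, SYN_LIMIT = timedelta(seconds=2), 30     # assumed: 30 SYNs to one service in 2 s
SCAN_WINDOW, SCAN_LIMIT = timedelta(seconds=10), 15  # assumed: 15 distinct ports from one source in 10 s


def detect(lines):
    """Apply every rule to a packet stream in arrival order; return the alerts."""
    alerts = []
    syn_times = defaultdict(list)  # (dst, dport) -> recent SYN arrival times
    probes = defaultdict(list)     # (src, dst)   -> recent (time, dport) pairs
    fired = set()                  # one alert per flood or scan, not one per packet
    for pkt in map(parse, lines):
        spoof = rule_spoofed_source(pkt)
        if spoof:
            alerts.append(spoof)
        if pkt["proto"] != "TCP" or pkt["flags"] != "S":
            continue
        # transport-layer signature: SYN rate towards a single service
        svc = (pkt["dst"], pkt["dport"])
        syn_times[svc] = [t for t in syn_times[svc] if pkt["ts"] - t <= SYN_WINDOW] + [pkt["ts"]]
        if len(syn_times[svc]) >= SYN_LIMIT and ("flood", svc) not in fired:
            fired.add(("flood", svc))
            alerts.append(alert(pkt, "syn-flood", "high",
                                f"{len(syn_times[svc])} SYNs to {svc[0]}:{svc[1]} within {SYN_WINDOW.seconds}s"))
        # anomaly: one source touching far more distinct ports on a host than normal clients do
        pair = (pkt["src"], pkt["dst"])
        probes[pair] = [(t, p) for t, p in probes[pair] if pkt["ts"] - t <= SCAN_WINDOW] + [(pkt["ts"], pkt["dport"])]
        distinct = {p for _, p in probes[pair]}
        if len(distinct) >= SCAN_LIMIT and ("scan", pair) not in fired:
            fired.add(("scan", pair))
            alerts.append(alert(pkt, "port-scan", "medium", f"{len(distinct)} distinct ports probed on {pair[1]}"))
    return alerts


if __name__ == "__main__":
    for a in detect(PACKETS):
        print(a)
```

Run on the constructed stream this produces exactly three alerts, in arrival order: the SYN flood on the 30th SYN, the port scan on the 15th distinct port, and the loopback-sourced datagram; the ordinary handshake at the end raises nothing. The `fired` set is the kind of detail a real sensor needs and slides omit: without it a 40-packet flood would log eleven flood alerts instead of one, which is how operators end up ignoring the console.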