Chapter 25: Intrusion Detection

Dr. Wayne Summers

Department of Computer Science

Columbus State University

Summers_wayne@colstate.edu

http://csc.colstate.edu/summers

2Principles

Computer Systems under attack

– Actions of users and processes do not conform to a statistically predictable pattern

– Actions of users and processes include sequences of commands that attempt to subvert the security policy of the system

– Actions of processes do not conform to set of specifications that are allowed for the process

3Basic Intrusion Detection

Attack tool- automated script designed to violate a security policy (ex. rootkit)

Goals of an IDS

– Detect a wide variety of intrusions (inside / outside; known/unknown attacks)

– Detect intrusions in a timely fashion

– Present the analysis in simple, easy-to-use format

– Be accurate (minimize false positives and false negatives)

4Models

Anomaly Modeling – analyzes set of characteristics of system and compares behavior to expected values– Threshold metric: uses minimum/maximum values

– Statistical moments: uses mean/std. dev. & other measures of correlation

– Markov model: uses set of probabilities of transition (requires training data)

Misuse Modeling – determines whether a sequence of instructions being executed is known to violate the site security policy

Specification Modeling – determines whether a sequence of instructions violates a specification of how a program/system should execute

5Architecture

Agent – obtains information from data source (“logger”)– Host-based Intrusion Detection System (HIDS)

• Uses system and application logs

– Network-based Intrusion Detection System (NIDS)• Uses devices and software to monitor network traffic

Director – reduces log entries and then determines if an attack is underway (“analyzer”)

Notifier – accepts information from director and takes appropriate action (GUI, email)

6Architecture of IDS

HOST AHIDS

HOST BHIDS

HOST NNIDS

HOST CHIDS

Director(Analyzer

)

Notifier

HIDS: Host Intrusion Detection System

NIDS: Network Intrusion Detection System(logger)

7Host-based IDS

– Periodically analyze logs, perform file system integrity check.

– Examples: • Generic: ISS RealSecure Server Sensor.• Check host file system: Tripwire, AIDE• Check host network connections: BlackICE,

PortSentry• Check host’s log files: LogSentry, Swatch • Intrusion Prevention System: Cisco Security

Agent (Okena Stormwatch).

8Network-based IDS

– Analyze network traffic content and pattern for signs of intrusion

– Examples:• Snort • Cisco Sensors

9Organization of IDSs

Monitoring Network Traffic for Intrusions

– Network Security Monitor• Develops profile of expected usage of network

and compares current usage with the profile

– Distributed IDS – combines abilities of NSM with host-based IDS

– Autonomous Agents for ID – autonomous agents that work together

10IDS Placement

DNSServer

Intra1

Internet

Outer Firewall

Firewall

Inner Firewall

Firewall

SW

SW

MailServer

WebServer

DMZ

Router

IDS

IDS

IDS

11Intrusion Response

Incident Prevention – Intrusion Prevention Systems– Identify attack before it completes

– Jail (sandbox) attacks

Intrusion Handling– Preparation for attack

– Identification of attack

– Containment of the attack

– Eradication of the attack (blocks further attacks)

– Recovery from the attack

– Follow-up to the attack• Pursue legal action• Tracing attack: thumbprinting, IP header markers