2. PRESENTATION OUTLINE
Introduction
What?
Why?
History
Typical Intrusion Scenario
Types of Attacks
What does an IDS do?
Types of IDS
Based on detection approach
Advantages/ Disadvantages
Based on protected system
Network / Host based detection
Evaluation of IDS
Commercially available IDS
Snort
References
Q/A
1/31/2015
2
INTRUSIONDETECTION
3. WHAT IS AN INTRUSION DETECTION SYSTEM?
Intrusion
Any unauthorized access, unpermitted attempt to access or damage, or malicious use of information resources
Intrusion Detection
Detection of break-ins and break-in attempts via automated software systems
Intrusion Detection Systems (IDS)
Defense systems which detect, and possibly prevent, intrusion activities
4. WHAT IS NOT AN IDS?
Network logging systems
Security scanners
vulnerability assessment tools that check for flaws in the OS or network
Antivirus products
Security/cryptographic systems
e.g. VPN, SSL, Kerberos
Firewalls
5. WHY IDS?
Straightforward reason:
to protect data and system integrity.
Fact:
this cannot be done with ordinary password and file security.
Misconception:
A network firewall will keep the bad guys off my network, right?
My anti-virus will recognize and get rid of any virus I might catch, right?
And my password-protected access control will stop the office cleaner trawling through my network after I've gone home, right?
So that's it – “I'm fully protected”
6. HERE IS THE REALITY
Anti-virus systems are only good at detecting viruses they already know about
Passwords can be hacked, stolen, or changed by others
Firewalls DO NOT recognize attacks and block them
Simply a fence around your network
No capacity to detect that someone is trying to break in (digging a hole underneath it)
Can't determine whether somebody coming through the gate is allowed to enter or not
Roughly 80% of financial losses result from hacking inside the network
“BEWARE OF INTERNAL INTRUDERS”
Example:
In April 1999, many sites were hacked via a bug in ColdFusion. All had firewalls blocking all access except port 80. But it was the web server that was hacked.
7. ID - A BRIEF HISTORY
1980 - James Anderson's paper “Computer Security Threat Monitoring and Surveillance”
The concept of “detecting” misuse and specific user events emerged
1984 - Dr. Dorothy Denning and SRI developed the first model for intrusion detection; the Intrusion Detection Expert System was developed
1988 - The Haystack project at a University of California lab released an intrusion detection system for the US Air Force
1989 - The commercial company Haystack Labs released Stalker
1990 - UC's Todd Heberlein introduced the idea of a “Network Detection System”
Developed the Network Security Monitor
SAIC developed the Computer Misuse Detection System
8. HISTORY - CONTD..
The US Air Force developed the Automated Security Measurement System
The ID market gained popularity around 1997
1998 - ISS developed RealSecure
Cisco purchased the Wheel Group
The first host-based detection company, Centrax Corporation, emerged
Currently IDS is the top-selling security technology
Source : www.symantic.com/connect/articles/evolution-detection-systems
9. TYPICAL INTRUSION SCENARIO
Information Gathering
-Find as much info as possible
-whois lookups and DNS zone transfers
-Normal browsing; gather important info
Further Information Gathering
-ping sweeps, port scanning
-web server vulnerabilities
-versions of applications/services
Attack!
-start trying out different attacks
-UNICODE attack if IIS is installed
-try to find misconfigured running services
-Passive attack / Active attack
Successful Intrusion
-install own backdoors and delete log files
-replace existing services with own Trojan horses that have backdoor passwords, or create own user accounts
Fun and Profit
-Steal confidential information
-Use the compromised host to launch further attacks
-Change the web-site for FUN
11. TYPES OF ATTACK
Unauthorized access to resources
Password cracking
Spoofing, e.g. DNS spoofing
Scanning ports & services
Network packet sniffing
Stealing information
Unauthorized network access
Use of IT resources for private purposes
Unauthorized alteration of resources
Falsification of identity
Information altering and deletion
Unauthorized transmission and creation of data
Configuration changes to systems and network services
12. TYPES OF ATTACK CONTD..
Denial of Service
Flooding
Ping flood
Mail flood
Compromising systems
Buffer overflow
Remote system shutdown
Web application attacks
“Most attacks are not a single attack but a series of individual events carried out in a coordinated manner”
14. WHAT IS AN IDEAL IDS SUPPOSED TO DO?
Identify possible incidents
detect that an attacker has compromised a system
Report to the administrator
Log information
keep a log of suspicious activities
Can be configured to
Recognize violations of security policies
Monitor file transfers
e.g. copying a large database onto a user's laptop
Identify reconnaissance activity
Attack tools and worms perform reconnaissance activity such as host and port scans
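The reconnaissance point above (host and port scans) can be turned into a concrete check. The following is an added example, not part of the original slides: a small Python detector that reads constructed connection-log lines (timestamp, source IP, destination IP, destination port; this log format is an assumption, not any product's real log) and raises an alert when one source reaches many distinct ports on one host within a short time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not real traffic): timestamp, source IP,
# destination IP, destination port. 10.0.0.5 browses normally; 10.0.0.9 probes
# eleven different ports on one host within a few seconds.
SAMPLE_LOG = """\
2015-01-31T10:00:00 10.0.0.5 192.168.1.10 80
2015-01-31T10:00:01 10.0.0.5 192.168.1.10 443
2015-01-31T10:00:02 10.0.0.9 192.168.1.10 22
2015-01-31T10:00:02 10.0.0.9 192.168.1.10 23
2015-01-31T10:00:03 10.0.0.9 192.168.1.10 25
2015-01-31T10:00:03 10.0.0.9 192.168.1.10 80
2015-01-31T10:00:04 10.0.0.9 192.168.1.10 110
2015-01-31T10:00:04 10.0.0.9 192.168.1.10 143
2015-01-31T10:00:05 10.0.0.9 192.168.1.10 443
2015-01-31T10:00:05 10.0.0.9 192.168.1.10 445
2015-01-31T10:00:06 10.0.0.9 192.168.1.10 3389
2015-01-31T10:00:06 10.0.0.9 192.168.1.10 8080
2015-01-31T10:00:07 10.0.0.9 192.168.1.10 8443
"""


def parse_log(text):
    """Parse the constructed log format into (time, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def detect_port_scans(events, window=timedelta(seconds=60), threshold=10):
    """Return one alert (src, dst, distinct_ports) per source/destination pair
    that reaches `threshold` distinct destination ports inside any `window`.
    The sliding window over time-sorted events avoids alerting on a host that
    merely talks to many ports spread over a whole day."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))

    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        start = 0
        best = 0
        for end in range(len(hits)):
            # drop events that fell out of the window ending at hits[end]
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({port for _, port in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts.append((src, dst, best))
    return alerts


if __name__ == "__main__":
    for src, dst, n in detect_port_scans(parse_log(SAMPLE_LOG)):
        print(f"ALERT possible port scan: {src} -> {dst}, {n} distinct ports in window")
```

The threshold and window are tuning knobs: a low threshold catches slow scans earlier but raises false alarms on vulnerability scanners and monitoring systems the organization runs itself, which is why such sources are normally whitelisted rather than the threshold raised.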
16. IDS TYPES: BASED ON DETECTION APPROACH
Knowledge-based or signature-based
Behavior-based or anomaly-based
Knowledge-based
Matches signatures of well-known attacks against state changes in systems or the stream of packets flowing through the network
Examples of signatures:
A telnet attempt with username “root”, which is a violation of an organization's security policy
An e-mail with the subject “Free Pictures” and an attachment “freepics.exe” - characteristics of malware
17. ADVANTAGES / DISADVANTAGES OF KB-IDS
Very few false alarms
Very effective at detecting previously known threats
Ineffective at detecting new threats
or threats disguised by the use of evasion techniques
Compares a current unit of activity (e.g. a network packet or a log entry) to a list of signatures using string comparison operations
Little understanding of network or application protocols; can't track the state of complex communications
e.g. can't pair a request with the corresponding response
Can't remember a previous request while processing the current request
18. BEHAVIOR-BASED IDS
Compares observed events against a definition of normal activity to identify significant deviations
Has profiles that represent the normal behavior of
users, hosts, network connections or applications
Developed by monitoring the characteristics of typical activity over a period of time
Profiles can cover behavioral attributes such as:
number of emails sent by a user, number of failed logins for a host, level of processor usage, etc.
Example
A profile for a network might show that, on average, 13% of network bandwidth is due to Web activity during typical workday hours. The IDS can then use statistical methods to compare the current Web bandwidth with the expected value and alert the administrator if Web activity is occupying significantly more bandwidth than expected.
19. STATIC VS. DYNAMIC PROFILES
Profiles are generated over a period of time (days or sometimes weeks)
A static profile stays unchanged unless a new profile is deliberately generated
Changes in systems and/or networks make a static profile inaccurate (generate it again)
Dynamic profile defect: susceptible to evasion attempts by attackers
who perform malicious activity frequently enough that the profile absorbs it as normal
20. ADVANTAGES / DISADVANTAGES OF BB-IDS
Very effective at detecting unknown threats
Example:
Suppose a computer is infected with a new type of malware. The malware consumes a large share of the computer's processor resources, sends a large number of emails and initiates a large number of network connections. This is definitely significantly different behavior from the established profiles.
High false alarm rate
Any activity not seen during the training phase is treated as suspicious
Building a good profile is very challenging
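The profile idea of slides 18 to 20, including the static versus dynamic distinction of slide 19, as an added Python example that is not from the slides: only one attribute (the Web share of bandwidth) is profiled, and the training values, the 3-standard-deviation rule, the ramp and the EMA smoothing factor are constructed assumptions. Both profile types flag an abrupt jump; the slow ramp slips past the dynamic profile, which keeps re-learning the drift as normal, while the static profile flags it.

```python
import statistics

# Constructed training data (not real measurements): hourly share of network
# bandwidth used by Web traffic during typical workday hours, about 13% on average.
TRAINING = [0.12, 0.14, 0.13, 0.11, 0.15, 0.13, 0.12, 0.14, 0.13, 0.12,
            0.14, 0.13, 0.11, 0.15, 0.13, 0.12, 0.14, 0.13, 0.12, 0.14]

# Constructed slow ramp: the Web share is raised by one percentage point per
# sample, from 14% up to 40%, instead of jumping there at once.
RAMP = [round(0.13 + 0.01 * i, 2) for i in range(1, 28)]


def build_profile(samples):
    """Profile of 'normal': mean and standard deviation of the training period."""
    return {"mean": statistics.mean(samples), "stdev": statistics.stdev(samples)}


def is_anomalous(profile, value, k=3.0):
    """Statistical test: flag a sample more than k standard deviations from the mean."""
    return abs(value - profile["mean"]) > k * profile["stdev"]


def run_static(samples, stream, k=3.0):
    """Static profile: built once from training data and never updated.
    Returns the indices of stream samples that raise an alert."""
    profile = build_profile(samples)
    return [i for i, v in enumerate(stream) if is_anomalous(profile, v, k)]


def run_dynamic(samples, stream, alpha=0.5, k=3.0):
    """Dynamic profile: every sample that does not alert is folded into the
    mean with an exponential moving average (alpha is an assumed smoothing
    factor), so the profile follows whatever the network is currently doing."""
    profile = build_profile(samples)
    alerts = []
    for i, v in enumerate(stream):
        if is_anomalous(profile, v, k):
            alerts.append(i)
        else:
            profile["mean"] = (1 - alpha) * profile["mean"] + alpha * v
    return alerts


if __name__ == "__main__":
    spike = [0.13, 0.40]
    print("abrupt jump  static:", run_static(TRAINING, spike),
          "dynamic:", run_dynamic(TRAINING, spike))
    print("slow ramp    static:", run_static(TRAINING, RAMP),
          "dynamic:", run_dynamic(TRAINING, RAMP))
```

With these numbers the alert band is roughly 13% plus or minus 3.5 percentage points. Each ramp step is only 1 point, so the dynamic mean never lags the traffic by more than 2 points and no alert fires, which is exactly the slide-19 weakness; the static profile fires from the 17% sample onward. The price of the static profile is the other half of slide 19: a legitimate change in usage produces the same alerts until the profile is regenerated.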
21. NETWORK BASED INTRUSION DETECTION
IDS sensors are placed on the network, near the system(s) being monitored
Monitor network traffic for particular network segments or devices
The network interface card is placed in promiscuous mode to capture all network traffic
Sensors placed on a network segment inspect the packets
The primary types of signatures are
String signatures
Port signatures
Header condition signatures
22. NETWORK BASED INTRUSION DETECTION CONTD..
String Signature
Looks for text/strings that may indicate a possible attack
Example: on a UNIX system, “cat "+ +" > /.rhosts”
Port Signature
Watches for connection attempts to well-known, frequently attacked ports
Example: telnet (TCP port 23), FTP (TCP ports 21/20)
The port is not in use on the host, yet packets keep arriving for it.
Header Signature
Watches for dangerous or illogical combinations in packet headers
Example: a TCP packet with both the SYN and FIN flags set
The request wants to start and stop the connection at the same time.
Limitations
Cannot detect attacks in encrypted network traffic (e.g. HTTPS, VPN)
IDS sensors are susceptible to various attacks
A large volume of traffic can crash the IDS sensor itself
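The three signature types above, implemented as a toy rule engine. This is an added example, not material from the slides and not Snort's own code: the rules use a simplified Snort-like syntax (a header line plus msg, flags, content and sid options) that this small parser handles, so it is an assumption that only exact-address, exact-port or "any" matching exists, that content is a plain substring, and that flags without a modifier means "exactly these bits set", which is Snort's default meaning (the + and * modifiers are not implemented). The packets are constructed records, not captured traffic.

```python
import re

# Constructed rules in a simplified Snort-like syntax (parsed by the toy parser
# below, not by Snort). One rule per signature type from the slide.
RULES = [
    'alert tcp any any -> any any (msg:"SYN+FIN header anomaly"; flags:SF; sid:1000001;)',
    'alert tcp any any -> 192.168.1.10 23 (msg:"telnet attempt to host with no telnet service"; sid:1000002;)',
    'alert tcp any any -> any any (msg:"rhosts wildcard trust entry in payload"; content:"+ +"; sid:1000003;)',
]

# Constructed packet records (not captured traffic). flags uses Snort letters:
# S=SYN, F=FIN, A=ACK, P=PSH. Port 513 (rlogin) carries the command in clear text.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40001, "dst": "192.168.1.10", "dport": 80, "flags": "S", "payload": b""},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40002, "dst": "192.168.1.10", "dport": 80, "flags": "SF", "payload": b""},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40003, "dst": "192.168.1.10", "dport": 23, "flags": "S", "payload": b""},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40004, "dst": "192.168.1.10", "dport": 513, "flags": "PA",
     "payload": b'cat "+ +" > /.rhosts\n'},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40005, "dst": "192.168.1.10", "dport": 80, "flags": "PA",
     "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
]

# key:value; pairs, the value being either a double-quoted string or bare text
OPTION_RE = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')


def parse_rule(text):
    """Split 'action proto src sport -> dst dport (options)' into a dict."""
    head, _, options = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = head.split()
    opts = {key: value.strip('"') for key, value in OPTION_RE.findall(options.rstrip(")"))}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}


def _field_ok(rule_value, actual):
    return rule_value == "any" or rule_value == str(actual)


def rule_matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    # port signature: the address/port constraints of the rule header
    if not (_field_ok(rule["src"], pkt["src"]) and _field_ok(rule["sport"], pkt["sport"])
            and _field_ok(rule["dst"], pkt["dst"]) and _field_ok(rule["dport"], pkt["dport"])):
        return False
    opts = rule["opts"]
    # header signature: flags without a modifier means exactly these bits set
    if "flags" in opts and set(opts["flags"]) != set(pkt["flags"]):
        return False
    # string signature: literal substring of the payload
    if "content" in opts and opts["content"].encode() not in pkt["payload"]:
        return False
    return True


def run_rules(rules, packets):
    """Stateless matching, one packet at a time: returns (packet index, sid, msg)."""
    parsed = [parse_rule(r) for r in rules]
    alerts = []
    for i, pkt in enumerate(packets):
        for rule in parsed:
            if rule_matches(rule, pkt):
                alerts.append((i, int(rule["opts"]["sid"]), rule["opts"]["msg"]))
    return alerts


if __name__ == "__main__":
    for idx, sid, msg in run_rules(RULES, PACKETS):
        print(f"[{sid}] packet {idx}: {msg}")
```

Each packet is judged on its own, which is the slide-17 limitation in code: the engine cannot relate packet 2 (the SYN to port 23) to any reply, and the string rule would miss the same command if it were split across two segments or sent over an encrypted channel, which is the first limitation listed above.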
24. HOST BASED IDS
A piece or pieces of software on the system being monitored
Uses log files and the network traffic in/out of that host as data sources
Monitors:
Incoming packets
Login activity
Root activity
File systems
A host based IDS might monitor
wired and wireless network traffic; system logs
running processes; file access/modification
26. EVALUATION OF IDSs
Source : Iftikhar Ahmad , Azween B Abdullah and Abdullah S Alghamdi ,“Comparative Analysis of
Intrusion Detection Approaches”, 12th International Conference on Computer Modelling and
Simulation, 2010
27. CURRENTLY AVAILABLE IDSs
Network Based IDS                         Host Based IDS
Internet Security Systems RealSecure      Internet Security Systems RealSecure
Symantec NetProwler                       Symantec Intruder Alert
Network Ice BlackICE Defender             Tripwire
CyberSafe Centrax Detection Appliance     CyberSafe Centrax
Snort, Fragroute/Fragrouter and OSSEC HIDS are some of the most popular open source IDS
28. SNORT
Open source NIDS developed by Sourcefire
It combines the benefits of signature-based and behavior-based intrusion detection techniques
It has 300,000 registered users
29. How to install SNORT (in Linux)
http://www.youtube.com/watch?v=TZ0Hj0t5b5k&feature=related
How to install and use SNORT (in XP)
http://www.youtube.com/watch?v=nAWN989WA0A&feature=related
carbo.dll is a file that can be used to remotely view any file your web server has permission to view
30. REFERENCES
Roman V. Yampolskiy and Venu Govindaraju, “Computer Security: a Survey of Methods and Systems”, Journal of Computer Science 3 (7), 2007
Iftikhar Ahmad, Azween B Abdullah and Abdullah S Alghamdi, “Comparative Analysis of Intrusion Detection Approaches”, 12th International Conference on Computer Modelling and Simulation, 2010
David Elson, “Intrusion Detection, Theory and Practice”, www.symantec.com
Karen Scarfone, Peter Mell, “Guide to Intrusion Detection and Prevention Systems (IDPS)”, NIST Special Publication 800-94
ISS, “Network- vs. Host-based Intrusion Detection”, A Guide to Intrusion Detection Technology
FAQs: http://www.sans.org/security-resources/idfaq/
http://ids.nic.in/JCES%20TNL%20OCT%202008/IDS/IDS.htm
http://sectools.org/ids.html
http://www.snort.org/
http://www.wikipedia.org