The Evolution of IDS - PowerPoint PPT Presentation

History of IDS. John Anderson. Computer Security Threat Monitoring and Surveillance (1980) ... IDS included as part of an entire 'Security Solution' ...
Transcript and Presenter's Notes

1
The Evolution of IDS
  • Greg DeArment
  • Chad Ozust
  • Aaron Sproul
  • Steven R. French
  • Zhen Zhan
  • John Hannafin

2
Presentation Overview
  • History of IDS
  • Overview of IDS: A-IDS, H-IDS, N-IDS
  • Open Source IDS
  • Commercial IDS
  • Conclusion, Q/A

History
AIDS
HIDS
NIDS
Commercial
Open Source
Conclusion
3
History of IDS
  • John Anderson
    • Computer Security Threat Monitoring and
      Surveillance (1980)
  • Dorothy Denning
    • An Intrusion Detection Model (1983)

4
History of IDS
  • Lawrence Livermore Laboratories
    • Haystack project (1988)
    • Stalker
  • Todd Heberlein
    • Network Security Monitor (1990)
    • Hybrid Technology
  • United States Air Force
    • Automated Security Measurement System (ASIM)
  • SAIC
    • Computer Misuse Detection System (CMDS)

5
Overview of IDS
  • AIDS (Application)
  • HIDS (Host)
  • NIDS (Network)

6
AIDS
  • Honeypots
    • Most common
  • Common Software
    • Honeyd, mod_security

7
HIDS
  • Three Subcategories
    • System Integrity Verifiers (SIV)
    • Log File Monitors (LFM)
    • Operating System Patches (OS Extender)

8
NIDS
  • Port scan detection
    • PortSentry
  • Packet Filter/Firewall
    • Snort

9
Snort
  • What is it?
    • Analyses IP traffic at the network gateway
    • Signature-based analysis
    • Protocol analysis
    • Configurable

10
Snort
  • What is it?
    • Highly flexible
    • Interaction with many applications
    • Interaction with an enterprise-level firewall to
      prevent future attacks
    • Integrated into multiple products

11
Snort
  • Some Plugins
    • SnortSnarf
    • Sguil
    • BASE
    • BleedingSnort
    • ClamAV
    • SPADE
    • SIFT

12
Snort
  • Features
    • Protocol analysis
    • Content searching and matching
  • Can Detect
    • Buffer overflows
    • Stealth port scans
    • CGI attacks
    • SMB probes
    • OS Fingerprinting attempts

13
Snort
14
Snort
15
Snort
  • Problems
    • Complicated setup
    • Only as good as its ruleset
    • Alert flooding
    • Management problem

16
Tripwire
  • What is it?
    • HIDS that compares certain log files on the host
      system against a previously defined, known and
      compiled md5 hash of those files
    • If a hash changes, an attacker may have compromised
      the system

17
Tripwire
  • Example
    • Attacker overwrote the /bin/login file with
      another file which allows the attacker to gain
      root access to the system
    • Tripwire caught the discrepancy in the filesystem
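A minimal integrity checker in the spirit of the Tripwire slides, added here as an illustration and not Tripwire's own code. It baselines MD5 hashes of a file tree (MD5 as on the slides), reports files that changed afterwards, and seals the baseline with an HMAC under a key assumed to be kept off the monitored host, so that an attacker who edits the stored hashes to hide a change (the unprotected-logs problem raised later in the deck) is also caught. The key, the file tree and the replaced login binary are constructed for the demo.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

# Assumption: this key lives off the monitored host (e.g. on the admin workstation),
# so an attacker with root on the host cannot re-seal a doctored baseline.
BASELINE_KEY = b"constructed-demo-key"

def hash_file(path):
    """MD5 of a file's contents, as on the slides (current tools use SHA-256)."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def build_baseline(root, key=BASELINE_KEY):
    """Hash every regular file under root and seal the table with an HMAC."""
    root = Path(root)
    table = {p.relative_to(root).as_posix(): hash_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(table, sort_keys=True).encode()
    return {"files": table, "mac": hmac.new(key, body, "sha256").hexdigest()}

def check(root, baseline, key=BASELINE_KEY):
    """Re-hash the tree and report changed/removed/added paths. Raises ValueError
    if the seal fails, i.e. the stored hashes were edited to hide a change."""
    body = json.dumps(baseline["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(baseline["mac"], expected):
        raise ValueError("baseline database has been tampered with")
    old, new = baseline["files"], build_baseline(root, key)["files"]
    return {"changed": sorted(f for f in old if f in new and old[f] != new[f]),
            "removed": sorted(f for f in old if f not in new),
            "added": sorted(f for f in new if f not in old)}

def demo():
    """Constructed scenario: bin/login is replaced after the baseline was taken,
    then the attacker also edits the stored baseline to hide the change."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "login").write_bytes(b"original login binary")
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
    baseline = build_baseline(root)
    (root / "bin" / "login").write_bytes(b"trojaned login binary")   # the attack
    report = check(root, baseline)
    baseline["files"]["bin/login"] = hash_file(root / "bin" / "login")  # cover-up
    try:
        check(root, baseline)
        cover_up_detected = False
    except ValueError:
        cover_up_detected = True
    return report, cover_up_detected
```

In practice the check runs from a scheduled job, which is exactly the "reactive, not proactive" limitation the deck lists: the change is only noticed at the next run.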

18
Tripwire
19
Tripwire
20
Tripwire
  • Problems
    • Reactive system, not proactive
      • Schedule a job to check the filesystem
    • May produce false positives
    • If the logs are not protected, the check logs could
      be overwritten without the administrator's
      knowledge
    • Must be installed on each server
      • How does an admin control many servers?

21
LIDS
  • What is it?
    • A HIDS implemented as a Linux kernel enhancement
  • History

22
LIDS
  • Features
    • Mandatory Access Controls
    • Port Scan Detector
    • File Protection
    • Process Protection

23
Commercial IDS Solutions
  • Two general categories of detection
    • Signature-based Detection
    • Anomaly-based Detection

24
Signature Based Detection
  • Effective against known vulnerabilities
  • Ineffective against unidentified vulnerabilities
  • Zero-day updates

25
Anomaly Detection
  • Also known as Protocol-analysis detection or
    Behavior Anomaly Detection
  • More effective at detecting undefined
    vulnerabilities
  • Seeks to identify known good traffic, marks all
    other traffic as a potential attack
  • Problems
    • Higher rate of false positives
    • Requires constant tuning of the definition of
      good traffic

26
Trends in Current Commercial Products
  • Multi-vector detection methods
    • Combines signature-based, traffic and protocol
      anomaly-based, and layer 2-based detection
  • Zero-day updates of signatures
  • IDS included as part of an entire Security
    Solution
  • Initial support for Critical Infrastructure
    Protection (ICCP)

27
Some Current Commercial Products
  • Cisco Systems ASA 5500 Series
  • Proventia Intrusion Prevention System
  • Juniper Networks IDP Series

28
Conclusion
  • Questions?
