Intrusion Detection Systems II - PowerPoint PPT Presentation

1
Intrusion Detection Systems (II)
  • CS 6262 Spring 02 - Lecture 6
  • (Thursday, 1/24/2002)

2
STAT/USTAT
  • State transition analysis: a rule-based intrusion
    detection approach
  • USTAT: for Unix real-time intrusion detection
  • Misuse detection
  • Modeling intrusion signatures
  • Initial state: the state of the system prior to
    execution of the attack
  • Compromised state: the state of the system
    resulting from the completion of the attack
  • Intermediate states and transitions: attack steps

3
An Example
  • [State transition diagram: S1 --(User Create
    File1)--> S2 --(User Execute File1)--> S3]
  • S1 assertions: 1. File Set 1 ≠ empty; 2. files are
    suid privileged
  • S2 assertions: 1. name(File1); 2. typeof(File1) =
    link; 3. owner(link_to(File1)) ≠ user;
    4. name(link_to(File1)) exists_in File Set 1
  • S3 assertion: 1. access(user, euid) = root
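
The two slides above describe a signature as states with assertions and transitions driven by audit events. The following added example (not code from the lecture or from the STAT/USTAT project) shows the matching idea on the slide's own scenario: a tiny system model, the three state assertions, and a matcher that walks an audit trail and reports when the compromised state is reached. The system model, the event format `(action, user, file, attrs)`, the file names and both audit trails are constructed for illustration and stand in for USTAT's audit-record parsing.

```python
"""Added example (not from the lecture): a minimal state transition
signature matcher in the style of STAT/USTAT, using the link-to-suid-file
scenario from the slide. The system model, event format and audit trails
are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class SystemState:
    suid_files: set                            # "File Set 1": suid-privileged files
    files: dict = field(default_factory=dict)  # name -> {"type", "owner", "target"}
    euid: dict = field(default_factory=dict)   # user -> effective uid after exec


def make_initial():
    """Constructed initial state: one root-owned suid binary exists."""
    return SystemState(
        suid_files={"/usr/bin/suidprog"},
        files={"/usr/bin/suidprog": {"type": "regular", "owner": "root", "target": None}},
    )


# State assertions, one per state of the signature on the slide.
def s1_assertion(st, user, f):
    # S1: File Set 1 is not empty (its members are suid privileged by construction).
    return len(st.suid_files) > 0


def s2_assertion(st, user, f):
    # S2: File1 is a link whose target is in File Set 1 and is not owned by the user.
    info = st.files.get(f)
    if info is None or info["type"] != "link":
        return False
    target = info["target"]
    return target in st.suid_files and st.files[target]["owner"] != user


def s3_assertion(st, user, f):
    # S3: access(user, euid) = root, the compromised state.
    return st.euid.get(user) == "root"


# Transitions: the event that moves the scenario on, and the assertion that
# must hold in the state it leads to.
SIGNATURE = [("create", s2_assertion), ("execute", s3_assertion)]


def apply_event(st, ev):
    """Update the modelled state for one audit event (action, user, file, attrs)."""
    action, user, f, attrs = ev
    if action == "create":
        st.files[f] = {"type": attrs.get("type", "regular"),
                       "owner": user, "target": attrs.get("target")}
    elif action == "execute":
        target = st.files.get(f, {}).get("target") or f
        tinfo = st.files.get(target, {})
        # Constructed effect: running a root-owned suid file gives euid root.
        if target in st.suid_files and tinfo.get("owner") == "root":
            st.euid[user] = "root"


def match_signature(events, user):
    """Walk the signature over an audit trail; return the event that reaches
    the compromised state for `user`, or None. Unrelated events in between
    are allowed, as in state transition analysis."""
    st = make_initial()
    if not s1_assertion(st, user, None):
        return None
    step = 0
    for ev in events:
        apply_event(st, ev)
        if ev[1] != user:
            continue
        action, assertion = SIGNATURE[step]
        if ev[0] == action and assertion(st, user, ev[2]):
            step += 1
            if step == len(SIGNATURE):
                return ev
    return None


# Constructed audit trails: (action, user, file, attributes).
BENIGN = [("create", "alice", "/tmp/notes", {}),
          ("execute", "alice", "/tmp/notes", {})]
SUSPECT = [("create", "alice", "/tmp/f1", {"type": "link", "target": "/usr/bin/suidprog"}),
           ("create", "bob", "/tmp/x", {}),
           ("execute", "alice", "/tmp/f1", {})]

if __name__ == "__main__":
    print("benign:", match_signature(BENIGN, "alice"))
    print("suspect:", match_signature(SUSPECT, "alice"))
```

The matcher only advances when both the expected event occurs and the assertion of the next state holds, so a regular file created and executed by the same user never leaves S1, while an unrelated event by another user between the two steps does not reset the scenario.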
4
A Sense of Self - Immunology Approach
  • Prof. Forrest at University of New Mexico
  • Anomaly detection
  • Simple and short sequences of events to
    distinguish self from not
  • Currently looking at system calls (strace)
  • Apply to detection of lpr and sendmail

5
Some Details
  • Anomaly detection for Unix processes
  • Short sequences of system calls as normal
    profile (Forrest et al. UNM)

  • Example fragment of a trace: ...,open,read,mmap,mmap,open,getrlimit,mmap,close,...
6
Evaluation of IDS
  • Type I error (false negative)
  • Intrusive but not detected
  • Type II error (false positive)
  • Not intrusive but detected as intrusive
  • Evaluation
  • How to measure?
  • ROC (receiver operating characteristic) curve
    analysis: detection rate vs. false alarm rate
  • What else? Efficiency? Cost?

7
Example ROC Curve
  • [ROC plot: detection rate (y axis) vs. false alarm
    rate (x axis), with one curve each for IDS1 and IDS2]
  • Ideal system should have 100% detection rate with
    0% false alarm rate

8
Problems with Current IDSs
  • Knowledge- and signature-based
  • "We have the largest knowledge/signature base"
  • Ineffective against new attacks
  • Individual attack-based
  • Intrusion A detected, intrusion B detected, ...
  • No long-term proactive detection/prediction
  • Statistical accuracy-based
  • x% detection rate and y% false alarm rate
  • Are the most damaging intrusions detected?
  • Statically configured

9
Next Generation IDSs
  • Adaptive
  • Detect new intrusions
  • Scenario-based
  • Correlate (multiple sources of) audit data and
    attack information
  • Cost-sensitive
  • Model cost factors related to intrusion detection
  • Dynamically configure IDS components for best
    protection/cost performance

10
Adaptive IDSs
  • [Diagram: an ID Modeling Engine (semiautomatic
    model generation, anomaly detection) feeding
    models to several IDSs]
11
Semi-automatic Generation of ID Models
  • [Diagram: raw audit data → packets/events (ASCII)
    → connection/session records → patterns (data
    mining) → features → models (learning)]
12
The Feature Construction Problem
How? Use temporal and statistical patterns, e.g.,
many S0 connections to the same service/host
within a short time window
13
Feature Construction Example
  • An example SYN flood pattern (dst_host is the
    reference attribute):
  • (flag = S0, service = http), (flag = S0, service =
    http) → (flag = S0, service = http) [0.6, 2s]
  • Add features:
  • count the connections to the same dst_host in the
    past 2 seconds, and among these connections,
  • the percentage with the same service,
  • the percentage with flag S0
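
The three features listed on this slide are computed below over a list of connection records, as an added example that is not code from the lecture or from the Lee/Stolfo feature-construction work. The 2-second window, the reference attribute `dst_host` and the 0.6 threshold follow the slide; the record fields, the sample records and the count threshold in the rule on top are assumptions for this example.

```python
"""Added example (not from the lecture): computing the count, same-service
and S0 features the slide derives from the SYN flood pattern, over
constructed connection records, with a simple rule on top."""
from collections import defaultdict, deque

# Constructed connection records (time in seconds, one record per connection).
RECORDS = [
    {"time": 0.0, "dst_host": "10.0.0.5", "service": "http", "flag": "S0"},
    {"time": 0.2, "dst_host": "10.0.0.5", "service": "http", "flag": "S0"},
    {"time": 0.3, "dst_host": "10.0.0.6", "service": "ftp",  "flag": "SF"},
    {"time": 0.4, "dst_host": "10.0.0.5", "service": "http", "flag": "S0"},
    {"time": 0.5, "dst_host": "10.0.0.5", "service": "smtp", "flag": "SF"},
    {"time": 0.6, "dst_host": "10.0.0.5", "service": "http", "flag": "S0"},
    {"time": 0.8, "dst_host": "10.0.0.5", "service": "http", "flag": "S0"},
    {"time": 5.0, "dst_host": "10.0.0.5", "service": "http", "flag": "SF"},
]


def add_features(records, window=2.0):
    """Append count, same_srv_rate and s0_rate to each record. The reference
    attribute is dst_host and the window is the past `window` seconds; the
    current connection is counted in its own window."""
    recent = defaultdict(deque)  # dst_host -> connections still inside the window
    out = []
    for r in sorted(records, key=lambda x: x["time"]):
        q = recent[r["dst_host"]]
        q.append(r)
        while r["time"] - q[0]["time"] > window:   # expire old connections
            q.popleft()
        count = len(q)
        same_srv = sum(1 for c in q if c["service"] == r["service"]) / count
        s0 = sum(1 for c in q if c["flag"] == "S0") / count
        out.append({**r, "count": count, "same_srv_rate": same_srv, "s0_rate": s0})
    return out


def flag_syn_flood(features, min_count=5, min_s0_rate=0.6):
    """Rule built from the pattern: many connections to one host inside the
    window, most of them half-open (S0). Returns (time, dst_host) pairs."""
    return [(f["time"], f["dst_host"]) for f in features
            if f["count"] >= min_count and f["s0_rate"] >= min_s0_rate]


if __name__ == "__main__":
    feats = add_features(RECORDS)
    for f in feats:
        print(f["time"], f["dst_host"], f["count"],
              round(f["same_srv_rate"], 2), round(f["s0_rate"], 2))
    print("flagged:", flag_syn_flood(feats))
```

The per-host deque keeps the computation linear in the number of records, which matters when the same features are produced for every connection in real time; the record at 5.0 seconds shows the window emptying, so its count falls back to one.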

14
An Adaptive IDS Architecture
15
Integrating Intrusion Detection and Network
Management
  • Xinzhou Qin
  • January 24, 2002

16
Introduction
  • Network Management System (NMS)
  • The Operation, Administration, Maintenance, and
    Provisioning of network services
  • Functions: Fault, Accounting, Configuration,
    Performance and Security management
  • Network Manager and Agents
  • Standards
  • CMIP, SNMP, TMN
  • Intrusion Detection System (IDS)
  • You have learnt about this in this class.

17
Issues in IDS & NMS
  • Issues in the Current IDS
  • Anomaly Detection
  • Model Construction, Feature Selection
  • Attack Coverage
  • Trying to Cover All Categories of Intrusions
  • Alarm Correlation
  • Low Level Correlation → High Level Correlation
  • Knowledge of the Networks
  • What Does the IDS Need to Know about the Network?
    How?
  • Issues in NMS
  • Lack of Intrusion Alarm Analysis Management

18
Current Work
  • MIB-Based ID Model
  • Alarm Correlation

19
MIB II-Based ID Model
  • To Provide a Different Data Source to ID
  • MIB II Variables (RFC 1213)
  • Interface, ICMP, IP, TCP, UDP, SNMP, EGP and
    Transmission groups
  • Comprehensive Statistics (Error, Control) of
    Network and Hosts
  • To Increase the Efficiency & Accuracy of IDS
  • To Cover a Certain Category of Intrusions
  • To Provide a Distributed Hybrid ID Infrastructure

20
MIB II based ID Model
  • Misuse Detection
  • Key MIB II Variables
  • Based on Intrusion Patterns and MIB II Variable
    Definitions
  • Anomaly Detection
  • Object-Time Approach
  • MIB Model Based on Conditional Entropy
  • Window Size Optimization
  • Classification Algorithm
  • Clustering Detection
  • ID Sub-Module
  • Based on Layers/Protocols

21
MIB II-based ID Model
  • Attack Coverage
  • Probing Attack
  • Port Scan, e.g. NMAP
  • Traffic-Based Attack
  • E.g. DoS, DDoS
  • Good Performance
  • MIB II-Based ID Agent
  • Other MIBs
  • RMON MIB
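
Slides 19 to 21 propose MIB II counters as a data source and name probing and traffic-based attacks as the coverage. The following added example (not code from the talk or from the project) shows what the anomaly-detection side of a MIB-based ID agent does with such data: polled counter snapshots are turned into per-second rates, a baseline is learned from a quiet period, and an interval is flagged when a rate jumps well above its baseline. The object names are RFC 1213 MIB II variables; the snapshots, the 10-second polling interval, the z-score threshold and the floor are constructed for this example. The wrap handling is there because Counter32 objects roll over modulo 2^32, which would otherwise produce a huge negative delta and a false alarm.

```python
"""Added example (not from the talk): an anomaly detector over MIB II
counters in the spirit of a MIB-based ID agent. Snapshots, polling interval
and thresholds are constructed; object names are RFC 1213 MIB II variables."""
import statistics

COUNTER_MAX = 2 ** 32          # Counter32 objects wrap modulo 2^32
POLL = 10                      # seconds between polls (assumption)
VARS = ["ipInReceives", "tcpInSegs", "tcpAttemptFails", "icmpInEchos", "udpNoPorts"]


def synth(start, increments):
    """Constructed poller output: cumulative counters from per-interval increments."""
    snaps = [dict(start)]
    for inc in increments:
        prev = snaps[-1]
        snaps.append({"t": prev["t"] + POLL,
                      **{v: (prev[v] + inc.get(v, 0)) % COUNTER_MAX for v in VARS}})
    return snaps


QUIET = {"ipInReceives": 1000, "tcpInSegs": 800, "tcpAttemptFails": 2,
         "icmpInEchos": 5, "udpNoPorts": 1}
START = {"t": 0, "ipInReceives": COUNTER_MAX - 9000, "tcpInSegs": 50000,
         "tcpAttemptFails": 120, "icmpInEchos": 300, "udpNoPorts": 40}
# Quiet training period with a little jitter on the packet counter.
TRAIN = synth(START, [dict(QUIET, ipInReceives=v) for v in (1000, 1050, 960, 1030, 980, 1010)])
# Monitoring period: quiet, then a port-scan-like interval (many failed TCP
# connection attempts and UDP datagrams to closed ports), then quiet again
# across the point where ipInReceives wraps.
MONITOR = synth(TRAIN[-1], [QUIET, dict(QUIET, tcpAttemptFails=400, udpNoPorts=300), QUIET])


def rates(snapshots):
    """Per-second deltas between consecutive snapshots, robust to counter wrap."""
    out = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        dt = cur["t"] - prev["t"]
        out.append({v: ((cur[v] - prev[v]) % COUNTER_MAX) / dt for v in VARS})
    return out


def baseline(rate_rows):
    """Mean and population stddev per variable over a quiet training period."""
    return {v: (statistics.mean([r[v] for r in rate_rows]),
                statistics.pstdev([r[v] for r in rate_rows])) for v in VARS}


def anomalies(rate_rows, base, z=3.0, floor=1.0):
    """Intervals where a rate exceeds mean + z * stddev; `floor` (per second)
    keeps a near-constant counter from alarming on a one-unit change."""
    flagged = []
    for i, r in enumerate(rate_rows):
        hits = [v for v in VARS if r[v] - base[v][0] > z * max(base[v][1], floor)]
        if hits:
            flagged.append((i, hits))
    return flagged


def run():
    """Learn from TRAIN, then report anomalous intervals in MONITOR."""
    base = baseline(rates(TRAIN))
    return anomalies(rates(MONITOR), base)


if __name__ == "__main__":
    print(run())
```

Which variables fire is itself a coarse classifier: tcpAttemptFails together with udpNoPorts points at a probe of closed ports, while a jump in icmpInEchos or ipInReceives alone looks like a traffic-based attack, which is the split between probing and traffic attacks the slides draw.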

22
Alarm Correlation
  • Ongoing work
  • Hierarchical Correlation
  • Local → Regional → Global
  • Hybrid Alarm Correlation
  • IDS probes, MIB-Based ID Agents, SNMP Agents,
    RMON Probes
  • Attack Scenario Construction & Intrusion
    Prediction

23
Related Work
  • Intrusion Detection System
  • Anomaly Detection e.g. EMERALD by SRI
  • Ji-Nao by NC State Univ. & MCNC
  • Misuse & Anomaly Detection, MIB Information
  • Limitations
  • Detection for Routing Attacks
  • MIB only for Storing the Detection Results, not
    Used as a Source
  • Fault Detection @ Network Management
  • Intelligent Agents for Fault Detection by RPI
  • Using MIB II Objects
  • Fault Prediction Based on Temporal Correlation
  • Limitations
  • Focus on Fault Detection on Network Layer only,
    Limited MIB Objects

24
Related Work (Alert Correlation)
  • SRI International
  • Probability-based approach
  • Features: source of attack, hosts/ports, class of
    attack, time
  • Meta-alert sets
  • Overall similarity
  • Hierarchical Correlation
  • Sensor
  • Security Incident
  • Correlated Attack

25
Related Work (Alert Correlation)
  • IBM
  • Relationship-based approach
  • Duplicates, Consequences
  • Situations
  • For different intrusion scenarios
  • E.g. situation 1: several different alert
    classes w/ the same target at different times →
    distributed attack

26
Q & A
  • Thank You !

27
Anomaly Detection for Mobile Ad-Hoc Routing
Protocols
  • Introduction
  • Methodology
  • Protocols overview
  • Case study and results
  • Conclusion
  • Future work

28
Mobile Ad-Hoc Networks
  • First ad-hoc routing protocol
  • DARPA packet radio networks
  • In the early 1970s
  • Dynamic environment
  • No fixed infrastructure
  • Multi-hop networking

29
Ad-Hoc Routing Vulnerability
  • Open medium
  • Dynamic topology
  • Distributed collaboration
  • Constrained capability
  • Why routing protocols?

30
Routing Attacks
  • Routing logic compromise
  • Black-hole
  • Misrouting
  • Location disclosure
  • Traffic data distortion
  • Denial Of Service
  • Identity Impersonation

31
Security Countermeasures
  • Authorization
  • Authentication
  • Misuse scenario detection
  • Anomaly detection

32
Anomaly Detection Framework
  • Determine useful feature set
  • Collect training data
  • Train and build model
  • Monitor network and generate audit logs in real
    time
  • Test
  • Respond promptly in case of intrusion!

33
Routing Feature Selection
  • Principles
  • Relying on trusted information only
  • Currently based on local features
  • Route cache entries
  • Traffic statistics
  • Location information

34
Simulation Environment
  • Network Simulator 2
  • Available ad-hoc protocols in ns-2
  • DSDV
  • DSR
  • AODV
  • Mobility scenario and traffic pattern generation
    scripts, based on the CMU Monarch Project's work

35
Results
  • Detection Rate

36
Results (cont.)
  • False Alarm Rate

37
Discussion
  • System parameter combinations
  • Better routing protocols
  • High correlation among feature categories
  • Traffic flow
  • Routing activities
  • Topological patterns
  • Hybrid protocols
  • Location-Aided Routing Protocol

38
Related Work
  • Intrusion detection research in hardwired
    networks
  • Ad-Hoc routing security
  • Zhou and Haas, distributed key management service
  • Smith et al., provide extra information in DSDV
    protocol

39
Future Work
  • More routing protocols
  • More features
  • Data set size
  • Parameter space partition
  • Global cooperative system

40
Thank you!
41
The Problem
  • IDS can be attacked
  • Overload attacks
  • Crash attacks

42
Overload Attack
  • High volume of traffic
  • Intentional (to evade detection)
  • Or
  • Unintentional
  • Packet drops
  • Attack can slip through

43
Static Configuration Is Bad
  • Static configuration → Vulnerable
  • Trick: adapt to the traffic
  • Maximize IDS value given constraints
  • Knapsack problem

44
Adaptive IDS
  • Performance monitoring
  • Metrics used
  • Packet drops
  • Delay seen by a probe packet

45
Adaptive IDS
  • Ways to reduce load
  • Use a more specific filter
  • tcp udp
  • ← Less specific
  • ← Captures more or less all the packets
  • (tcp[13] & 0x7) or (http) or (ftp) or (telnet)
    or (udp port 53)
  • ← More specific

46
Adaptive IDS
  • Ways to reduce load
  • Shed load
  • Backend IDS does part of the work
  • Main point
  • Should not miss higher-priority attacks/tasks in
    the event of a high volume of lower-priority ones
  • No priority inversion
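
Slides 43 to 46 frame the adaptive IDS as two decisions: choose the most valuable set of detection tasks that fits the available processing (the knapsack problem), and shed load under overload without letting a flood of low-priority traffic displace a higher-priority task (no priority inversion). The following added example (not code from the talk or from the project) implements both, plus a small control rule driven by the packet-drop metric from slide 44. The task list with its priorities, costs and values, the budget units and the adaptation policy are constructed for this example.

```python
"""Added example (not from the talk): task selection under a processing
budget as 0/1 knapsack, strict-priority load shedding, and a simple
drop-rate-driven budget controller. Tasks and policy are constructed."""

# Constructed detection tasks: cost in budget units, value = detection value.
TASKS = [
    {"name": "http-signatures",  "priority": 3, "cost": 40, "value": 50},
    {"name": "dns-anomaly",      "priority": 2, "cost": 20, "value": 25},
    {"name": "ftp-telnet",       "priority": 2, "cost": 15, "value": 20},
    {"name": "full-tcp-capture", "priority": 1, "cost": 60, "value": 30},
    {"name": "udp-all",          "priority": 0, "cost": 30, "value": 10},
]


def knapsack(tasks, budget):
    """0/1 knapsack: maximise total value subject to total cost <= budget.
    Returns (best value, sorted names of the chosen tasks)."""
    n = len(tasks)
    best = [[0] * (budget + 1) for _ in range(n + 1)]
    for i, t in enumerate(tasks, 1):
        for b in range(budget + 1):
            best[i][b] = best[i - 1][b]
            if t["cost"] <= b:
                with_t = best[i - 1][b - t["cost"]] + t["value"]
                if with_t > best[i][b]:
                    best[i][b] = with_t
    chosen, b = [], budget
    for i in range(n, 0, -1):           # walk the table back to recover the set
        if best[i][b] != best[i - 1][b]:
            chosen.append(tasks[i - 1]["name"])
            b -= tasks[i - 1]["cost"]
    return best[n][budget], sorted(chosen)


def shed(tasks, capacity):
    """Keep the longest prefix of tasks in descending priority that fits in
    `capacity`; everything after the cut is shed (e.g. handed to a backend
    IDS). Because the cut is a prefix of the priority order, no kept task
    has lower priority than a shed one: no priority inversion."""
    ordered = sorted(tasks, key=lambda t: (-t["priority"], t["cost"]))
    kept, dropped, used = [], [], 0
    for t in ordered:
        if not dropped and used + t["cost"] <= capacity:
            kept.append(t["name"])
            used += t["cost"]
        else:
            dropped.append(t["name"])
    return kept, dropped


def adapt_capacity(capacity, drop_rate, full=100, step=20, max_drop=0.05):
    """Constructed control rule fed by the performance monitor: shrink the
    budget while the probe reports packet drops, grow it back when it does not."""
    if drop_rate > max_drop:
        return max(step, capacity - step)
    return min(full, capacity + step)


if __name__ == "__main__":
    print("static best under budget 100:", knapsack(TASKS, 100))
    cap = 100
    for drops in (0.0, 0.12, 0.30, 0.0):   # constructed probe readings
        cap = adapt_capacity(cap, drops)
        print(f"drop_rate={drops:.2f} capacity={cap} ->", shed(TASKS, cap))
```

The two selectors deliberately disagree: knapsack maximises value and may leave out an expensive high-priority task, whereas the shedding order protects priority first, which is the property the slide asks for when the high volume comes from lower-priority traffic.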

47
Architecture
  • Load shedding
  • Load balancing

48
Experiments
49
Experiments
50
Thank You