Lesson 6 Intrusion Detection Systems - PowerPoint PPT Presentation

UTSA IS 6353 Incident Response
Provided by: Kauf

1
Lesson 6 Intrusion Detection Systems
2
Overview
  • History
  • Definitions
  • Common Commercial IDS
  • Specialized IDS

3
Why Even Bother?
  • One of the problems with anomaly detection is
    that even the current best research systems have
    something like a 75% success rate.
  • Marcus Ranum
  • Network Flight Recorder

4
Intrusion Detection Defined
  • The process of monitoring the events occurring in
    a computer system or network and analyzing them
    for signs of intrusions, defined as attempts to
    compromise the confidentiality, integrity,
    availability, or to bypass the security
    mechanisms of a computer or network.

5
General Thoughts about ID
  • No Defense is Impenetrable
  • Vulnerabilities exist to bypass system security
    precautions
  • Automated tools exist to find and exploit
    vulnerabilities
  • A methodology to detect and report suspicious
    host and network activity must be implemented
  • IDS Goal: to characterize attack manifestations
    so as to positively identify all true attacks without
    falsely identifying non-attacks
  • ID is an instance of the general signal detection
    problem

6
Why use ID?
  • Increase the perceived risk of discovery and
    punishment
  • To detect attacks not prevented by other means
  • Detect and deal with probing
  • Document existing threats
  • QC for security design and admin
  • Forensics for improved security or prosecution

7
Goals of IDS
  • Accountability - I can deal with security
    attacks that occur on my systems as long as I
    know who did it (and where to find them).
  • Response - I don't care who attacks my system as
    long as I can recognize that the attack is taking
    place and block it.

8
History of ID
  • 1980 - John Anderson's Computer Security Threat
    Monitoring and Surveillance
  • 1987 - Dorothy Denning's An Intrusion Detection
    Model
  • Laid groundwork for commercial products
  • First IDS, circa 1993: USAF ASIM

9
Generic Intrusion Detection Model
  (Diagram) Components: Event Generator (audit trails,
  network packets, application logs); Activity Profile
  (update profile state, design new profiles); Rule
  Set / Detection Engine (create anomaly records,
  define new / modify existing rules); CLOCK

10
Model Components
  • Rule Set - inference engine that decides whether an
    intrusion has occurred, or a generic detector
    examining events and state data using models,
    rules, patterns and statistics to flag intrusive
    behavior
  • Activity Profile - maintains the state of the system
    or network being monitored
  • Feedback is critical
  • No architectural limitations
  • Rule base can learn if programmed

11
Current IDS Trends
  • Immature
  • Manpower intensive
  • High false alarm rates
  • Dynamic to the point of instability
  • Quietly Evolving

12
Types of IDS
  • Signature-based systems - attack descriptions that
    can be matched to sense attack manifestations
  • Anomaly-based detectors - equate unusual or
    abnormal activity with intrusions

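The two detector types on this slide, and the event generator / activity profile / rule set split of the generic model on slides 9 and 10, are easier to see in code. The following is an added example, not code from the lecture: a signature path that matches a small, illustrative rule list against each event's payload, and an anomaly path that builds an activity profile (per-source connection counts over an assumed attack-free baseline window) and flags sources that exceed mean + k*stdev. The log lines, the three signature patterns and the threshold k=3 are all constructed for the example.

```python
import re
import statistics
from collections import Counter

# Signature rules (slide 12): an attack description matched against the
# payload of each event. These three patterns are illustrative, not a real ruleset.
SIGNATURES = [
    ("directory-traversal", re.compile(r"\.\./")),
    ("sensitive-file-request", re.compile(r"/etc/passwd")),
    ("cgi-probe", re.compile(r"/cgi-bin/")),
]

# Constructed baseline window, assumed attack-free: four sources browsing normally.
BASELINE_LINES = [
    f"09:{i:02d}:00 10.0.0.{5 + (i % 4)} 80 GET /index.html" for i in range(10)
]

# Constructed detection window: normal browsing plus one source (10.0.0.9)
# that requests the web server repeatedly.
SAMPLE_LINES = [
    "10:00:01 10.0.0.5 80 GET /index.html",
    "10:00:02 10.0.0.6 80 GET /about.html",
    "10:00:03 10.0.0.5 443 TLS handshake",
    "10:00:04 10.0.0.7 80 GET /index.html",
    "10:00:05 10.0.0.8 22 SSH-2.0-OpenSSH",
    "10:00:06 10.0.0.9 80 GET /../../etc/passwd",
    "10:00:07 10.0.0.9 80 GET /index.html",
    "10:00:08 10.0.0.9 80 GET /login",
    "10:00:09 10.0.0.9 80 GET /admin",
    "10:00:10 10.0.0.9 80 GET /cgi-bin/",
]


def parse_event(line):
    """Event generator (slide 9): turn one raw log line into a structured event."""
    ts, src, port, payload = line.split(" ", 3)
    return {"ts": ts, "src": src, "port": int(port), "payload": payload}


def signature_alerts(events):
    """Rule set / detection engine, signature path: one alert per rule that
    matches an event's payload. An attack with no rule produces nothing here."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES:
            if pattern.search(ev["payload"]):
                alerts.append((ev["ts"], ev["src"], name))
    return alerts


def build_profile(baseline_events):
    """Activity profile (slide 10): per-source connection counts summarized as
    mean and sample standard deviation over an attack-free baseline window."""
    counts = Counter(ev["src"] for ev in baseline_events)
    values = list(counts.values())
    return {"mean": statistics.mean(values), "stdev": statistics.stdev(values)}


def anomaly_alerts(events, profile, k=3.0):
    """Anomaly path: flag every source whose connection count in this window
    exceeds mean + k*stdev of the profile. k is the false-alarm trade-off
    from slide 15: a lower k catches more and also alarms more."""
    threshold = profile["mean"] + k * profile["stdev"]
    counts = Counter(ev["src"] for ev in events)
    return sorted((src, n) for src, n in counts.items() if n > threshold)


def run_detection(baseline_lines=BASELINE_LINES, sample_lines=SAMPLE_LINES):
    """Run both detectors over the constructed windows and return their alerts."""
    profile = build_profile([parse_event(line) for line in baseline_lines])
    events = [parse_event(line) for line in sample_lines]
    return {
        "signature": signature_alerts(events),
        "anomaly": anomaly_alerts(events, profile),
    }


if __name__ == "__main__":
    for kind, alerts in run_detection().items():
        print(kind, alerts)
```

The signature path fires only on the two lines that match a rule; the anomaly path knows nothing about the payloads and fires on 10.0.0.9 purely because five connections in the window lies far outside the baseline profile. Neither path alone covers the other's blind spot, which is the point of the hybrid systems on the next slide.
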
13
IDS Classification
  • Can base classification on what they sense
  • Network-based systems (NIDS)
  • Sense packets on a network segment
  • Easy to deploy, but they suffer throughput
    problems
  • Host-based systems (HIDS)
  • Inspect audit or log data
  • Can affect performance on the host
  • Hybrids
  • Combine the best of both

14
Intrusion Detection System--Network Based: A
Layer in the Defense
  (Diagram, from outside in) Adversary, INTERNET,
  External ROUTER, FIREWALL, DMZ Server(s),
  INTERNAL NETWORK

15
NIDS
  • Some detect intrusions after the bad guy is
    inside...but at least you know
  • Others detect attacks (attack detection systems)
  • Location in the architecture determines which one
    you have
  • Number of IDSes in the architecture can add
    protection
  • Balance comes between being inundated with false
    alarms or alert conditions requiring action
  • Ideal NIDS installations start by adding as few
    sensors as possible

16
HIDS
  • Set up a HIDS like a selective burglar alarm
  • Deploy HIDS on critical servers devoid of
    interactive users
  • Configuration options:
  • Critical file modification
  • When log files get smaller
  • Process table grows larger than normal or too fast

17
Five Functional Areas of HIDS
  • Log/Event Monitoring
  • File Integrity Checking
  • Policy Compliance
  • Network Traffic Monitoring
  • System Monitoring
  Ref: Rasmussen, ISSA, Mar 02

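
The three HIDS configuration options on slide 16 (critical file modification, shrinking log files, process table growth) map onto three of the functional areas above (file integrity checking, log/event monitoring, system monitoring). The following is an added example, not code from the lecture or from any HIDS product: a minimal checker that compares a known-good baseline snapshot against a current snapshot and emits one alert per triggered option. The file contents, paths, log sizes, process counts and the 2x growth threshold are all constructed for the example; a real agent would read them from the host.

```python
import hashlib

# Constructed baseline snapshot (not from the slides): what the agent recorded
# when the server was known-good. Byte strings stand in for real file contents
# so the example runs offline.
BASELINE = {
    "files": {
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        "/usr/sbin/sshd": b"ELF-sshd-build-1",
    },
    "log_sizes": {"/var/log/auth.log": 40960, "/var/log/syslog": 120000},
    "process_count": 80,
}

# Constructed current snapshot: /etc/passwd gained an extra UID-0 entry,
# auth.log shrank, and the process table more than tripled.
CURRENT = {
    "files": {
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n",
        "/usr/sbin/sshd": b"ELF-sshd-build-1",
    },
    "log_sizes": {"/var/log/auth.log": 1024, "/var/log/syslog": 121000},
    "process_count": 260,
}


def fingerprint(files):
    """File integrity checking: SHA-256 of each monitored file's contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_file_integrity(baseline_hashes, current_files):
    """Critical file modification: compare current hashes against the baseline."""
    current_hashes = fingerprint(current_files)
    alerts = []
    for path, digest in baseline_hashes.items():
        if path not in current_hashes:
            alerts.append(("file-missing", path))
        elif current_hashes[path] != digest:
            alerts.append(("file-modified", path))
    for path in current_hashes:
        if path not in baseline_hashes:
            alerts.append(("file-added", path))
    return alerts


def check_log_shrinkage(baseline_sizes, current_sizes):
    """Log/event monitoring: logs normally only grow, so a smaller file is a
    sign of truncation. Legitimate log rotation also shrinks files, so a real
    deployment whitelists rotation windows; this example does not."""
    return [
        ("log-shrunk", path)
        for path, size in current_sizes.items()
        if path in baseline_sizes and size < baseline_sizes[path]
    ]


def check_process_table(baseline_count, current_count, max_ratio=2.0):
    """System monitoring: process table larger than normal. The 2x ratio is
    an assumed threshold; tune it per host."""
    if current_count > baseline_count * max_ratio:
        return [("process-table-growth", f"{baseline_count}->{current_count}")]
    return []


def run_hids(baseline, current):
    """Evaluate all three configuration options and return the alert list."""
    alerts = []
    alerts += check_file_integrity(fingerprint(baseline["files"]), current["files"])
    alerts += check_log_shrinkage(baseline["log_sizes"], current["log_sizes"])
    alerts += check_process_table(baseline["process_count"], current["process_count"])
    return alerts


if __name__ == "__main__":
    for alert in run_hids(BASELINE, CURRENT):
        print(*alert)
```

Each check is deliberately a comparison against a stored baseline rather than a rule about the event itself, which is why the slide recommends deploying HIDS on servers without interactive users: on a workstation the baseline drifts constantly and every check above becomes a false alarm.
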
18
Honey Pot
  • New player...not quite an IDS, but the results are
    the same
  • Decoy System
  • Mislead Hackers
  • Begin Incident Response (early!)

19
Centralized IDS Hierarchy
  (Diagram) Corporate level: Central Director. Lower
  level: All Business Offices

20
Partially Distributed IDS Hierarchy
  (Diagram) Upper Domain, Corporate: Central
  Director. Intermediate Domain, Regional Offices:
  four Intermediate Directors. Lower Domain:
  Business Offices

21
Fully Distributed IDS Hierarchy
  (Diagram) Upper Domain, Corporate: Central
  Director. Intermediate Domain, Regional Offices:
  four Intermediate Directors. Lower Domain:
  Business Offices

22
Strengths of IDSes
  • Monitor and analysis of system events and user
    behaviors
  • Testing security states of system configurations
  • Recognizing known attack patterns
  • Recognizing anomalies
  • Measuring security policy enforcement
  • Managing Data Flow

23
Weaknesses of IDSes
  • Compensating for weak or missing security
    mechanisms
  • Instantaneous detection, reporting, and attack
    response
  • Detecting newly published attacks
  • Compensating for info source fidelity
  • Reducing manpower needs

24
IDS Adjusted Expectations
  • Consider a building with motion detectors
  • Works great when building is empty
  • But if activated during the day, many false
    positives
  • Building managers don't expect them to work
    during the day
  • It's possible to set up a network-based IDS (NIDS)
    and a host-based IDS (HIDS) to limit false
    positives

25
IDS Fad
  • People buy the hottest IDS tool that will be
    very good about telling them about DOS in the
    network, but is useless detecting problems inside
    the host.
  • Matt Bishop, UC Davis

26
Defense-in-Depth
  • Key Security Concept
  • Usually considered in shallow ways
  • We don't do a good job implementing it
    organization-wide
  • Very seldom do we simultaneously simplify and
    improve security

27
5 Different Control Types
  • Protect - firewalls/router ACLs
  • Detect - IDSes
  • Recover - Incident Response/Recovery Plans
  • Deter - Laws and marketing
  • Transfer - Insurance

28
Problem with Approaches
  • Each control has binary effectiveness
  • No security is perfect
  • Better approach is synergistic security
  • Success hinges on redundancy of security controls

29
Security Synergy
  • Bayes Theorem
  • Effectiveness(TOTAL) = 1 - ((1-E1)(1-E2)(1-E3))
  • Synergistic controls: total effectiveness (%) by
    number of controls and efficiency of each control

    Controls   60%    70%    80%    90%
    1          60     70     80     90
    2          84     91     96     99
    3          93.6   97.3   99.2   99.9
    4          94.7   99.2   99.8   100
    5          99     99.8   100    100

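The formula on this slide is worth carrying through, because it is what turns a stack of individually leaky controls into a strong one. The following is an added example, not code from the lecture: it implements Effectiveness(TOTAL) = 1 - prod(1 - Ei), regenerates the slide's table from it, and adds a helper that answers the practical question of how many controls of a given efficiency are needed to reach a target. The only modelling assumption is the one the formula already makes, that each control misses an attack independently of the others. Running it reproduces the table cell by cell, except that the formula gives 97.4 for four controls at 60%, where the slide prints 94.7.

```python
def total_effectiveness(efficiencies):
    """Effectiveness(TOTAL) = 1 - prod(1 - Ei), with Ei as fractions (0.6 for 60%).
    An attack gets through only if every control misses it, so the miss
    probabilities multiply. This assumes the controls fail independently,
    which is the modelling assumption behind the slide's formula."""
    miss = 1.0
    for e in efficiencies:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"efficiency must be between 0 and 1, got {e}")
        miss *= 1.0 - e
    return 1.0 - miss


def synergy_table(per_control_pcts=(60, 70, 80, 90), max_controls=5):
    """Rebuild the slide's table: rows are the number of identical controls,
    columns the efficiency of each control, cells the total effectiveness
    in percent rounded to one decimal."""
    return {
        n: {p: round(100 * total_effectiveness([p / 100] * n), 1) for p in per_control_pcts}
        for n in range(1, max_controls + 1)
    }


def controls_needed(per_control_pct, target_pct):
    """How many identical controls of a given efficiency are needed before
    the combined effectiveness reaches target_pct."""
    e = per_control_pct / 100
    if e <= 0.0 or (target_pct >= 100 and e < 1.0):
        raise ValueError("target is unreachable with this control efficiency")
    n = 1
    while 100 * total_effectiveness([e] * n) < target_pct:
        n += 1
    return n


if __name__ == "__main__":
    columns = (60, 70, 80, 90)
    print("Controls " + " ".join(f"{p:>6}%" for p in columns))
    for n, row in synergy_table(columns).items():
        print(f"{n:<8} " + " ".join(f"{row[p]:>7}" for p in columns))
    print("controls of 60% needed to reach 99%:", controls_needed(60, 99))
```

Note what the unrounded numbers say: five 60% controls reach 98.98%, not 99%, so a sixth is needed to clear that target, and the marginal gain of each extra control shrinks fast. The table rewards redundancy, as slide 28 argues, but only if the controls really do fail independently; two controls that share the same blind spot (say, two signature IDSes with the same ruleset) do not multiply this way.
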
30
Commercial Systems
  • Internet Security Systems - RealSecure
  • Cisco - Cisco Secure Intrusion Detection System
  • NFR Security - Network Flight Recorder
  • Niksun - NetDetector
  • Sandstorm - NetIntercept
  • Pentasafe - Vigilent Security Manager
  • SourceFire - Open Snort Sensor
  • Symantec - Intruder Alert, Enterprise Security
    Manager

31
Government Systems
  • Air Force Automated Security Incident
    Measurement Sensor (ASIMs)
  • DISA Joint Intrusion Detection Sensor (JIDS)

32
The Challenge
  • The real challenge is for people who can write
    good models for the data that comes out. The
    problem we have is that different enterprise
    networks create quite different traffic. Trying
    to model it and pull out interesting patterns
    with it while minimizing false positives and
    things like that, is very difficult.
  • Bob Gleichauf
  • Cisco Systems

33
Summary
  • IDSes are still maturing
  • IDSes when used best are manpower intensive
  • IDSes are not silver bullets; they cannot overcome
    inherent security weaknesses
  • But, IDSes are usually the primary detectors to
    start the incident response process
  • Synergistic Security (Defense-in-depth) is the key