Testing Intrusion Testing Detection Systems - PowerPoint PPT Presentation

Slides: 21
Provided by: khan54

Transcript and Presenter's Notes

1
Testing Intrusion Testing Detection Systems
2
Introduction
  • An Intrusion Detection System (IDS) is a system that attempts to identify intrusions.
  • What is an intrusion?
    - Unauthorized use
    - Misuse
    - Abuse of computer systems by an authorized user
  • How does an IDS detect intrusions?
    - By analyzing information about user activity from resources such as audit records, system tables and network traffic summaries.
  • Who uses IDSs?
    - The National Security Agency's Multics Intrusion Detection and Alerting System (MIDAS), the Distributed Intrusion Detection System (DIDS), etc.

3
  • Why do we need to test an IDS?
    - Users need to know how effective their IDSs are.
    - To what extent can they rely on their IDS?
    - To evaluate an IDS before deciding to buy it for their system.
  • Why is evaluating an IDS a difficult task?
    - It can be difficult or impossible to identify the set of all possible intrusions that might occur at the site where a particular IDS is employed. Why?
      - The number of intrusion techniques is large.
      - A site may not have access to information about all past intrusions.
      - Intruders can discover previously known vulnerabilities in a computer system and then use new intrusion techniques to exploit them.

4
  • An IDS can be affected by various conditions in the computer system.
    - Even if an IDS detects an intrusion, it may not detect the same intrusion when the overall level of computer activity in the system is high.
  • So we have to adopt a methodology for testing IDSs which confronts these difficulties.
  • The methodology measures the effectiveness of an IDS with respect to these objectives.
  • It consists of strategies for selecting test cases and a series of detailed testing procedures.
  • The Unix tool expect is used as the software platform for creating user-simulation scripts for the testing experiments.

5
Scenarios for Intrusion
  • The following scenarios are examples of intrusions:
  • An employee browses through his/her boss's employee reviews.
  • A user exploits a flaw in a file server program to gain access to, and then corrupt, another user's file.
  • A user exploits a flaw in a system program to obtain super-user status.
  • An intruder uses a script to crack the passwords of other users on a computer.
  • An intruder installs a snooping program on a computer to inspect network traffic which may contain sensitive data.
  • An intruder modifies router tables in a network to prevent the delivery of messages to a particular computer (denial-of-service attack).

6
Concurrent Intrusion
  • Single Intruder Single Terminal (SIST): Intrusions are launched by a single intruder from a single terminal device or its logical equivalent.
  • Single Intruder Multiple Terminal (SIMT): The intruder uses multiple windows on a computer to carry out one or more intrusions. Alternatively, the intruder might use multiple windows to establish several connections to the same target, hoping to hide the intrusive activity by distributing it over several windows, each having a separate session to the target computer.
  • Multiple Intruder Multiple Terminal (MIMT): Multiple intruders participate in one or more intrusions simultaneously.

7
(No Transcript)
8
Approaches to Intrusion Detection
  • The main approaches used by IDSs are anomaly detection and misuse detection.
  • Anomaly Detection
    - This is based on the premise that an attack on a computer system will be noticeably different from normal system activity.
    - It will exhibit a pattern of behavior different from that of a normal user.
    - So the IDS attempts to characterize each user's normal behavior by maintaining a profile of each user's activities.
    - Recent activities are compared with past activities and checked against predefined bounds.
  • Misuse Detection
    - The IDS watches for indications of specific, precisely representable techniques for computer system abuse.
    - The IDS includes a collection of signatures, which are encapsulations of the identifying characteristics of specific intrusion techniques.

9
Software Platform
  • Both the computer user and the intruder are simulated while the IDS is running.
  • The Unix package expect is used to simulate users in our testing experiment.
  • expect is built on top of the Unix package Tcl (Tool Command Language).
  • Using expect, scripts (similar to Unix shell scripts) are written that include intrusive commands.
  • For running the scripts, expect provides a script interpreter which issues the script's commands to the computer system.
  • The Tcl package provides an interpreter for a simple programming language that includes variables, procedures, and control constructs such as if and for statements.
  • Tcl is implemented as a C library package.
  • expect extends the Tcl command set with several components for controlling interactive programs.

10
(No Transcript)
11
(No Transcript)
12
Testing Issues
  • Performance objectives for an IDS:
  • -- Broad Objectives for an IDS: For each intrusion in a broad range of known intrusions, the IDS should be able to distinguish the intrusion from normal behavior.
  • -- Economy in Resource Usage: The IDS should function without using too many system resources, such as main memory, CPU time and disk space.
  • -- Resilience to Stress: The IDS should still function correctly under stressed conditions in the system.

13
Test Case Selection
  • A test case is a simulated user session.
  • A key problem is to select which intrusions to simulate.
  • Testers should first collect as many intrusions as possible.
  • Testers must partition the set of intrusions into classes and then create a representative subset of intrusions (equivalence partitioning).
  • One test case from each class can be selected to represent the class in the final set of test cases.
  • Intrusions can be classified on the basis of signatures.
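The equivalence-partitioning step above, worked through in code. This is an added example, not material from the slides: the intrusion catalogue is constructed from the scenario slide earlier in the deck, and the signature-class labels attached to each entry are assumptions made for the example, not a classification the deck gives.

```python
"""Equivalence-partitioning test case selection for IDS testing (added example)."""
from collections import OrderedDict

# Constructed catalogue of candidate intrusions: (name, signature class).
# The signature class is the identifying characteristic a misuse-detection
# IDS would match on, so two intrusions in the same class exercise the same
# detection logic and one of them can stand in for the other.
INTRUSION_CATALOGUE = [
    ("browse_boss_reviews", "unauthorized_file_read"),
    ("read_payroll_file", "unauthorized_file_read"),
    ("fileserver_flaw_corrupt_file", "server_flaw_exploit"),
    ("system_program_flaw_superuser", "privilege_escalation"),
    ("password_cracking_script", "password_guessing"),
    ("dictionary_attack_on_logins", "password_guessing"),
    ("install_network_sniffer", "sniffer_install"),
    ("modify_router_tables", "denial_of_service"),
]


def partition_by_signature(catalogue):
    """Group intrusions into equivalence classes keyed by signature class.

    Returns an ordered mapping class -> list of intrusion names; catalogue
    order is preserved so the selection below is deterministic.
    """
    classes = OrderedDict()
    for name, sig_class in catalogue:
        classes.setdefault(sig_class, []).append(name)
    return classes


def select_test_cases(catalogue, prefer=None):
    """Pick one representative intrusion per class.

    `prefer` optionally maps a class to the member the tester wants as its
    representative (for instance the one easiest to script with expect);
    otherwise the first catalogued member of the class is chosen.
    """
    prefer = prefer or {}
    selected = []
    for sig_class, members in partition_by_signature(catalogue).items():
        choice = prefer.get(sig_class, members[0])
        if choice not in members:
            raise ValueError(f"{choice!r} is not in class {sig_class!r}")
        selected.append((choice, sig_class))
    return selected


def coverage_report(catalogue, selected):
    """Sanity check: every class is represented in the final test set."""
    classes = partition_by_signature(catalogue)
    covered = {sig_class for _, sig_class in selected}
    return {
        "classes": len(classes),
        "selected": len(selected),
        "uncovered": sorted(set(classes) - covered),
    }


if __name__ == "__main__":
    cases = select_test_cases(
        INTRUSION_CATALOGUE,
        prefer={"password_guessing": "dictionary_attack_on_logins"},
    )
    for name, sig_class in cases:
        print(f"{sig_class:24s} -> {name}")
    print(coverage_report(INTRUSION_CATALOGUE, cases))
```

The eight catalogued intrusions collapse to six classes, so six test scripts cover the catalogue; `coverage_report` is the check that no class was dropped when the tester overrides a representative.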

14
Limitation on Test Case Selection
  • The software program that we use to simulate users cannot completely simulate the behavior of a user working with a GUI-based program.
    - The intruder's activities generate some system activity, a subset of which is related directly to the attack.
    - The simulation tool must be capable of causing that subset of activity to occur.
  • The testing is designed to test systems that primarily perform misuse detection.
    - Some of the testing procedures can be adapted for testing IDSs that perform anomaly detection as well.

15
Testing Methodology
  • The basic testing procedure is as follows:
    - Create and/or select a set of test scripts.
    - Establish the desired conditions in the computing environment.
    - Start the IDS.
    - Run the test scripts.
    - Analyze the IDS output.
  • We divide the test procedures into three categories, which correspond directly to the three performance objectives.

16
Intrusion Identification Tests
  • Two intrusion identification tests measure the ability of the IDS to distinguish known intrusions from normal behavior.
  • Basic Detection Test
    - Create a set of intrusion scripts.
    - As much as possible, eliminate unrelated computing activity in the environment.
    - Start the IDS.
    - Run the intrusion scripts.
  • Normal User Test
    - Create a set of normal-user scripts.
    - Start the IDS.
    - Run the normal-user scripts.
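The two intrusion identification tests, and the five-step procedure from the previous slide, as a runnable harness. This is an added example and not code from the slides or from any real IDS: the audit-record format, the three signatures, the stand-in misuse detector and the simulated sessions are all constructed here. In a real run the sessions would be expect scripts driving a real IDS and the alerts would be read from its log; the harness logic around them is what the example shows.

```python
"""Basic Detection Test and Normal User Test against a stand-in misuse IDS (added example)."""
from dataclasses import dataclass, field


@dataclass
class AuditRecord:
    """One constructed audit record, as the IDS information source would log it."""
    session: int   # simulated user session the record belongs to
    user: str
    event: str     # constructed event vocabulary: login, file_read, exec
    obj: str       # object acted on: file, program or host


@dataclass
class StandInIDS:
    """Constructed misuse detector: a signature is an (event, object-substring) pair."""
    signatures: dict
    alerts: list = field(default_factory=list)   # (session, signature name)

    def consume(self, record):
        for name, (event, obj_part) in self.signatures.items():
            if record.event == event and obj_part in record.obj:
                self.alerts.append((record.session, name))


SIGNATURES = {
    "other_users_review_read": ("file_read", "/reviews/"),
    "superuser_via_setuid":    ("exec", "setuid_tool"),
    "password_cracking":       ("exec", "cracker"),
}

# Constructed intrusion scripts, each labelled with the signature it should trigger.
INTRUSION_SCRIPTS = {
    1: ("other_users_review_read", [AuditRecord(1, "bob", "login", "host1"),
                                    AuditRecord(1, "bob", "file_read", "/reviews/alice.txt")]),
    2: ("superuser_via_setuid", [AuditRecord(2, "bob", "exec", "/tmp/setuid_tool")]),
    3: ("password_cracking", [AuditRecord(3, "bob", "exec", "/home/bob/cracker")]),
}
# Constructed normal-user scripts. Session 10 is alice reading her own review
# file; the crude signature above cannot tell that from reading someone else's.
NORMAL_SCRIPTS = {
    10: [AuditRecord(10, "alice", "login", "host1"),
         AuditRecord(10, "alice", "file_read", "/reviews/alice.txt")],
    11: [AuditRecord(11, "carol", "exec", "/usr/bin/editor"),
         AuditRecord(11, "carol", "file_read", "/home/carol/notes.txt")],
}


def run_session(ids, records):
    """Replay one simulated session into the IDS (the 'run the scripts' step)."""
    for rec in records:
        ids.consume(rec)


def basic_detection_test(signatures, intrusion_scripts):
    """Only intrusion scripts run, so every expected alert should appear."""
    ids = StandInIDS(signatures)
    for _, records in intrusion_scripts.values():
        run_session(ids, records)
    fired = set(ids.alerts)
    detected = {s for s, (sig, _) in intrusion_scripts.items() if (s, sig) in fired}
    return {"detected": detected, "missed": set(intrusion_scripts) - detected}


def normal_user_test(signatures, normal_scripts):
    """Only normal-user scripts run, so every alert raised is a false alarm."""
    ids = StandInIDS(signatures)
    for records in normal_scripts.values():
        run_session(ids, records)
    return {"false_alarms": sorted(set(ids.alerts))}


if __name__ == "__main__":
    print("basic detection:", basic_detection_test(SIGNATURES, INTRUSION_SCRIPTS))
    print("normal user:", normal_user_test(SIGNATURES, NORMAL_SCRIPTS))
```

Running both tests against the same signature set shows why the Normal User Test is paired with the Basic Detection Test: the detector catches all three intrusion sessions, but the normal-user run also raises an alert for session 10, which is the false-alarm evidence a tester needs before trusting the detection result.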

17
Resource Usage Test
  • The Resource Usage test measures how much system resource is used by the IDS.
  • Results from these tests can be used to decide if it is practical to run a particular IDS in a particular computing environment.
  • Disk Space Test (a type of Resource Usage test)
    - Eliminate unrelated activity in the test environment.
    - Start the IDS.
    - Run the test scripts for a measured period of time.
    - Calculate the total disk space used by the IDS to record the sessions associated with the scripts.
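The Disk Space Test, extended to the other two resources the Economy in Resource Usage objective names (CPU time and memory). This is an added example, not from the slides: the "IDS" is a stand-in child process constructed for the example that writes alert records into a log directory, and a real test would launch the actual IDS in its place. The accounting uses `resource.getrusage(RUSAGE_CHILDREN)`, which on Unix reports the CPU time and peak resident set size of terminated child processes.

```python
"""Resource Usage test: disk space, CPU time and memory of an IDS process (added example)."""
import os
import resource
import subprocess
import sys
import tempfile
import time

# Constructed stand-in IDS, run as a child process: argv[1] is the log
# directory, argv[2] the number of audit records to record.
STAND_IN_IDS = r"""
import os, sys
log_dir, n = sys.argv[1], int(sys.argv[2])
with open(os.path.join(log_dir, "ids.log"), "w") as f:
    for i in range(n):
        f.write(f"1996-03-01 10:00:{i % 60:02d} audit sess={i % 7} event=file_read obj=/tmp/f{i}\n")
"""


def dir_bytes(path):
    """Total size of all regular files under `path` (the IDS record store)."""
    total = 0
    for root, _, files in os.walk(path):
        for name in files:
            total += os.path.getsize(os.path.join(root, name))
    return total


def resource_usage_test(records, log_dir=None):
    """Run the IDS over one measured session and account for what it consumed.

    Returns disk bytes written, child CPU seconds, peak RSS (KiB on Linux,
    bytes on macOS) and wall-clock seconds, plus a per-record disk figure
    for capacity planning.
    """
    log_dir = log_dir or tempfile.mkdtemp(prefix="ids_test_")
    before_disk = dir_bytes(log_dir)
    before = resource.getrusage(resource.RUSAGE_CHILDREN)
    t0 = time.monotonic()
    subprocess.run([sys.executable, "-c", STAND_IN_IDS, log_dir, str(records)], check=True)
    wall = time.monotonic() - t0
    after = resource.getrusage(resource.RUSAGE_CHILDREN)
    disk = dir_bytes(log_dir) - before_disk
    return {
        "records": records,
        "disk_bytes": disk,
        "disk_bytes_per_record": disk / records if records else 0.0,
        "cpu_seconds": (after.ru_utime + after.ru_stime) - (before.ru_utime + before.ru_stime),
        "peak_rss": after.ru_maxrss,
        "wall_seconds": wall,
    }


def practical(usage, max_bytes_per_record, max_cpu_fraction):
    """Decide whether the measured IDS fits the environment's resource budget."""
    wall = usage["wall_seconds"]
    cpu_fraction = usage["cpu_seconds"] / wall if wall else 0.0
    return (usage["disk_bytes_per_record"] <= max_bytes_per_record
            and cpu_fraction <= max_cpu_fraction)


if __name__ == "__main__":
    u = resource_usage_test(records=10_000)
    print(u)
    print("practical:", practical(u, max_bytes_per_record=128, max_cpu_fraction=0.5))
```

The per-record disk figure is the number that transfers to a real environment: multiplied by the audit rate of the production hosts it gives the storage the IDS will need per day, which is the practicality question the slide raises.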

18
Stress Test
  • The Stress test checks whether the IDS can be affected by stressful conditions in the computing environment.
  • An intrusion that the IDS would ordinarily detect might go undetected under such conditions.
  • Stress Test: Smoke Screen Noise
    - Noise is activity that is not directly part of an intrusion. An intruder might attempt to disguise an intrusion by employing noise as a smoke screen.
    - Create suitable test scripts.
    - The test should be conducted like the Basic Detection Test.
    - Testers should conduct further tests to determine the cause of any problem found.

19
  • Stress Test: Intensity
    - The intensity test checks whether the IDS is affected by sessions in which a lot of activity is generated very quickly, so that the IDS information source logs a lot of activity in a short time.
    - Stress scripts that simulate such a session should be created.
    - Each script should simulate several user sessions.
    - The script logs all the activity after the intrusion and then logs out the user session.
    - Such a script is normally a combined form of the Basic Detection Test scripts.
    - The scripts should be run once.
    - The stress test can be repeated several times, each time with a different number of stress scripts running.

20
  • Stress Test: Load
    - The load stress test investigates the effect of load on the IDS host CPU.
    - A high load should be established on the IDS host.
    - A high load can be created by running additional programs on the IDS host.
    - The Unix nice command can be used.
    - The output from this test should be compared to the output from the Basic Detection Test.
    - Differences may be evidence that the IDS is missing some intrusive activity.
    - The test should be repeated several times, each time with a different load on the IDS host.
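The analysis step shared by all three stress tests (smoke screen noise, intensity and load): comparing each stressed run's output with the Basic Detection Test output and flagging intrusions that went undetected. This is an added example, not from the slides or from any IDS product: the alert-log line format is constructed for the example (a real IDS has its own), and the three stress logs are constructed to show what a degradation looks like, with the intensity run dropping one detection and the load run dropping two and misattributing a session.

```python
"""Comparing stress-test output with the Basic Detection Test output (added example)."""
import re

# Constructed alert format: "<date> <time> ALERT sess=<n> sig=<name>".
ALERT_RE = re.compile(r"^\S+ \S+ ALERT sess=(?P<sess>\d+) sig=(?P<sig>\S+)")

# Constructed baseline: Basic Detection Test, unrelated activity eliminated.
BASELINE_LOG = """\
1996-03-01 10:00:01 ALERT sess=1 sig=other_users_review_read
1996-03-01 10:00:05 ALERT sess=2 sig=superuser_via_setuid
1996-03-01 10:00:09 ALERT sess=3 sig=password_cracking
"""

# Constructed stress runs: the same three intrusion scripts, different conditions.
STRESS_LOGS = {
    "noise": """\
1996-03-01 11:00:01 ALERT sess=1 sig=other_users_review_read
1996-03-01 11:00:05 ALERT sess=2 sig=superuser_via_setuid
1996-03-01 11:00:09 ALERT sess=3 sig=password_cracking
""",
    "intensity": """\
1996-03-01 12:00:01 ALERT sess=1 sig=other_users_review_read
1996-03-01 12:00:09 ALERT sess=3 sig=password_cracking
""",
    "load": """\
1996-03-01 13:00:01 ALERT sess=1 sig=other_users_review_read
1996-03-01 13:00:07 ALERT sess=4 sig=superuser_via_setuid
""",
}


def parse_alerts(log_text):
    """Extract the set of (session, signature) pairs the IDS reported."""
    alerts = set()
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.add((int(m.group("sess")), m.group("sig")))
    return alerts


def compare_run(baseline, stressed):
    """Differences between a stressed run and the baseline.

    `missed` are intrusions detected in the baseline but absent under stress,
    the evidence the slides mention; `extra` are alerts absent from the
    baseline (noise misclassified as intrusive, or a session mix-up).
    """
    missed = baseline - stressed
    extra = stressed - baseline
    rate = 1.0 - len(missed) / len(baseline) if baseline else 1.0
    return {"missed": sorted(missed), "extra": sorted(extra), "detection_rate": rate}


def stress_report(baseline_log, stress_logs):
    """Compare every stress run against the Basic Detection Test output."""
    baseline = parse_alerts(baseline_log)
    return {name: compare_run(baseline, parse_alerts(log))
            for name, log in stress_logs.items()}


def runs_needing_follow_up(report):
    """Runs whose result differs from the baseline: the cause (IDS, scripts
    or environment) must be investigated with further tests."""
    return sorted(name for name, r in report.items() if r["missed"] or r["extra"])


if __name__ == "__main__":
    rep = stress_report(BASELINE_LOG, STRESS_LOGS)
    for name, r in rep.items():
        print(f"{name:10s} detection={r['detection_rate']:.2f} "
              f"missed={r['missed']} extra={r['extra']}")
    print("follow up:", runs_needing_follow_up(rep))
```

Comparing (session, signature) pairs rather than raw alert counts matters: the constructed load run raises as many alerts for the setuid intrusion as the baseline did, but against the wrong session, and a count-based comparison would hide that.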