Intrusion Detection Systems IDS - PowerPoint PPT Presentation

Provided by: computi199
1
Intrusion Detection Systems (IDS)
  • By
  • Rick Wagner

2
What is IDS?
A security system designed to identify intrusive
or malicious behavior via monitoring of
activity.  An IDS identifies suspicious patterns
that may indicate an attempt to attack, break into,
or otherwise compromise a system. An IDS can
issue an alert or take a predefined action once a
suspicious pattern has been detected. For
instance, if a port scan is detected, then an
alert is issued to an administrator. This alert
could be in the form of an email, popup window,
log entry, or page.
3
Why use an IDS?
  • To increase the chance of discovering a
    compromised system.
  • To detect the threats to which your system may be
    vulnerable.
  • To provide auditability in the event that an
    intrusion takes place.
  • To serve as a deterrent against break-in
    attempts.
  • To provide documentation to justify the expenses
    associated with new security technologies.

4
Types of IDS systems.
  • Network Based
  • Host Based
  • Application Based

5
Network Based IDS
A network-based IDS (NIDS) runs on a dedicated
computer or appliance and monitors the traffic of
a network segment. Typically a NIDS is attached to
the network via a SPAN port or a network tap.
E.g. Snort
6
Network Based IDS
SPAN (Switched Port Analyzer) - The SPAN feature of
a switch mirrors the traffic from a switched
segment onto a predefined SPAN port. A monitoring
device attached to the SPAN port can see all the
traffic from any of the other switched ports. If the
mirrored ports together carry more traffic than the
SPAN port can forward, the switch drops the excess
and the IDS misses those packets.
7
Network Based IDS
  • NIDS use signature matching to determine whether
    an attack has occurred or is underway: they try
    to match patterns in network traffic to known
    attack signatures.
  • Several protocol verification methods can be
    used to detect attacks as well, for example
    checking that packets conform to the protocol
    stack (IP, TCP, UDP).
  • DoS and DDoS attacks often use malformed packets
    that fail such checks.

8
Network Based IDS
  • Verification can also be applied to application
    protocols (HTTP, FTP, Telnet, DNS).
  • E.g. DNS cache poisoning.
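The protocol-stack verification described on the two slides above, as an added example that is not code from the presentation or from any IDS product. It constructs IPv4/TCP packets with struct (the addresses are documentation ranges chosen for the example) and checks each one for the kinds of malformation used in DoS attacks and scans: a bad header length, a total-length field that disagrees with the captured size, a wrong header checksum, source equal to destination (the Land attack), and TCP flag combinations a real stack never emits.

```python
"""Protocol-stack verification of captured IPv4/TCP packets.

Added example, not code from the presentation or from any IDS product. Besides
signature matching, a NIDS can check that a packet obeys the protocol it claims
to use; malformed packets used in DoS attacks and scans fail those checks. The
packets are constructed here with struct.
"""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_HEADER = ">BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement of the one's-complement sum of
    16-bit words. Over a header that already carries a correct checksum field
    the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"",
                   corrupt_checksum=False, total_length=None):
    """Constructed IPv4+TCP packet without options. total_length overrides the
    header field so a lying length can be modelled; corrupt_checksum flips
    bits in the checksum after it has been computed."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    length = 20 + len(tcp) if total_length is None else total_length
    fields = [0x45, 0, length, 0, 0x4000, 64, 6, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(IP_HEADER, *fields))
    if corrupt_checksum:
        fields[7] ^= 0x00FF
    return struct.pack(IP_HEADER, *fields) + tcp


def verify_ipv4_tcp(packet):
    """Return a list of findings for one captured packet; empty means it passed."""
    findings = []
    if len(packet) < 20:
        return ["truncated: fewer than 20 bytes of IPv4 header"]
    ver_ihl, _tos, total_len, _ident, _ff, _ttl, proto, _csum, src, dst = struct.unpack(IP_HEADER, packet[:20])
    if ver_ihl >> 4 != 4:
        findings.append(f"IP version {ver_ihl >> 4} is not 4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        findings.append(f"IHL {ihl} is invalid for a {len(packet)}-byte packet")
        return findings                      # nothing after the header can be trusted
    if total_len != len(packet):
        findings.append(f"total length {total_len} != captured {len(packet)} bytes")
    if ipv4_checksum(packet[:ihl]) != 0:
        findings.append("bad IPv4 header checksum")
    if src == dst:
        findings.append("source equals destination (Land attack pattern)")
    if proto == 6 and len(packet) >= ihl + 20:
        _sport, _dport, _seq, _ack, data_off, flags = struct.unpack(">HHIIBB", packet[ihl:ihl + 14])
        if flags & TCP_SYN and flags & TCP_FIN:
            findings.append("TCP SYN and FIN both set")
        if flags & 0x3F == 0:
            findings.append("no TCP flags set (NULL scan pattern)")
        if (data_off >> 4) * 4 < 20:
            findings.append("TCP data offset smaller than the minimum header")
    return findings


if __name__ == "__main__":
    print(verify_ipv4_tcp(build_ipv4_tcp("192.0.2.10", "198.51.100.5", 40000, 80, TCP_SYN)))      # []
    print(verify_ipv4_tcp(build_ipv4_tcp("198.51.100.5", "198.51.100.5", 139, 139, TCP_SYN)))     # Land
    print(verify_ipv4_tcp(build_ipv4_tcp("192.0.2.10", "198.51.100.5", 1, 80, TCP_SYN | TCP_FIN)))  # SYN+FIN
    print(verify_ipv4_tcp(build_ipv4_tcp("192.0.2.10", "198.51.100.5", 1, 80, TCP_ACK, total_length=1500)))
```

The checks are cheap and need no signature database, which is their appeal; the trade-off is that a well-formed packet carrying an exploit passes them, so protocol verification complements signature matching rather than replacing it.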

9
Network Based IDS
  • Advantages
  • If placed appropriately on a well designed
    network, it can monitor a large number of hosts.
  • NIDS are usually passive and can be deployed
    with little or no disruption to the network.
  • Because a passive NIDS does not transmit on the
    monitored segment, it is usually hard for an
    attacker to detect or to attack directly.

10
Network Based IDS
  • Disadvantages
  • Can be overwhelmed by network volume and fail to
    detect attacks.
  • Requires access to all network traffic to be
    monitored, which may not be reliably obtained.
  • Cannot inspect the payload of encrypted traffic.
  • Cannot reliably determine whether an attack was
    successful.
  • Some attacks, such as those involving fragmented
    packets, are not easily identified by a NIDS.

11
Host Based IDS
A host-based IDS (HIDS) resides on a computer and
monitors only activity on that machine. This type
of system can be used to detect when a user
creates, deletes, or modifies a monitored file.
  • E.g. Tripwire, CFengine
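A minimal Tripwire-style integrity check, as an added example that is not code from the presentation or from Tripwire: it hashes every file under a directory, keeps the digests as a baseline, and on the next scan reports files that were created, deleted or modified. The directory tree and the three changes are constructed inside demo(); a real Tripwire database also records ownership, permissions and inode data, which this example omits.

```python
"""Tripwire-style file integrity monitoring.

Added example, not code from the presentation or from Tripwire. It records a
baseline of SHA-256 digests and sizes for every file under a directory, then
compares a later scan against it to report created, deleted and modified
files. demo() builds a small constructed directory tree, takes the baseline,
applies three attacker-style changes and returns what the comparison finds.
"""
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map each file's path relative to root to (digest, size)."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = (file_digest(full), os.path.getsize(full))
    return baseline


def compare(old, new):
    """Return (created, deleted, modified) as sorted lists of relative paths."""
    created = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return created, deleted, modified


def demo():
    """Constructed scenario: baseline a tiny etc/ directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = take_baseline(root)

        # Constructed changes: a second UID-0 account appended to passwd,
        # a deleted file, and a new file dropped at the top level.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(root, "rootkit.ko"), "wb") as f:
            f.write(b"\x7fELF")

        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    created, deleted, modified = demo()
    print("created :", created)    # ['rootkit.ko']
    print("deleted :", deleted)    # ['etc/hosts']
    print("modified:", modified)   # ['etc/passwd']
```

The baseline is only as trustworthy as its storage: an intruder with root on the monitored host can rewrite both the files and the digests, so the database belongs on read-only media, off-host, or under a signature the host cannot forge.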

12
Host Based IDS
  • Advantages
  • Can detect events local to a computer and some
    attacks not detectable by a NIDS.
  • Can process traffic before it is encrypted or
    after it has been decrypted.
  • Switched networks do not affect a HIDS.
  • Adds auditability locally for detecting attacks or
    for determining how an attack took place.

13
Host Based IDS
  • Disadvantages
  • More management, since each host needs its own
    installation.
  • Vulnerable to direct attacks and to attacks
    against the host operating system.
  • Not aware of multi-host attacks, e.g. a port
    scan that sweeps many hosts.
  • Requires a large amount of disk space for log
    files.
  • Can cause performance overhead on the host system.

14
Application Based IDS
An application-based IDS is used to detect abnormal
behavior of an application.
  • E.g. the macro security functions in MS Word
    used to detect malicious Visual Basic scripts.

15
Application Based IDS
  • Advantages
  • It is aware of specific users, so it can track
    unauthorized activity by a user.
  • Can process data before it is encrypted and
    leaves the application, or after it has been
    decrypted by the program.

16
Application Based IDS
  • Disadvantages
  • The IDS type most susceptible to attack, since it
    runs inside the application it monitors.
  • Less capable of detecting tampering with the
    application's own software.

17
Signature Based IDS
Signature-based IDS examine data for patterns and
attempt to match them to known attacks.
  • E.g. virus protection software

18
Signature Based IDS
  • Attacks typically have clear and distinct
    patterns:
  • footprinting and fingerprinting activities;
  • exploits involving a specific attack sequence;
  • port scans, DoS and DDoS attacks.
The problem with signature-based IDS is that they
must continually be updated so that they can
detect new types of attacks. Another problem is
that slow attacks can often go unnoticed.

19
Statistical Anomaly Based IDS
A statistical anomaly-based IDS creates a baseline
of normal network activity. Network activity is
then periodically sampled. If activity is found
that is outside the baseline, an alert is
triggered. Disk, CPU, memory, and network usage
can all be used as a baseline for comparison.

20
Statistical Anomaly Based IDS
  • Advantage
  • A statistical anomaly-based IDS can detect new
    types of attacks without requiring constant
    signature updates.
  • Disadvantage
  • Requires more overhead and processing than a
    signature-based system, and whatever was
    present during the training period is treated
    as normal.
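The baseline-and-sample method of the two slides above, as an added example that is not code from the presentation. The connection-rate samples are constructed. detect_fixed learns a baseline once from a training period and then freezes it; detect_adaptive re-learns the baseline from a sliding window before scoring each new sample, which follows legitimate drift but can be trained by an attacker who ramps up slowly, so the "slow attacks" weakness from the signature slide applies here as well.

```python
"""Statistical anomaly detection over sampled network usage.

Added example, not code from the presentation. The samples are constructed:
new connections per minute seen from one host, one value per minute. The
first `training` samples form the baseline (mean and standard deviation); each
later sample is scored by how many standard deviations it sits from the mean
and is alerted when that exceeds the threshold.
"""
import statistics

# Constructed: 30 minutes of normal activity (45-55 connections/min) followed
# by two minutes of a scan-like burst, then a return to normal.
SAMPLES = [48, 52, 45, 50, 55, 47, 49, 53, 51, 46,
           50, 54, 48, 52, 49, 47, 51, 53, 50, 48,
           52, 49, 51, 47, 50, 53, 48, 52, 50, 49,
           51, 48, 250, 310, 52, 49]

# Constructed: the same normal period, then a ramp of +1 connection/min for
# 40 minutes (a "low and slow" attacker warming up).
SLOW_RAMP = SAMPLES[:30] + list(range(51, 91))


def build_baseline(samples):
    """Mean and population standard deviation of the training window."""
    return statistics.mean(samples), statistics.pstdev(samples)


def z_score(value, mean, stdev):
    """Distance from the mean in standard deviations; a perfectly flat baseline
    is given a tiny spread so that any change at all stands out."""
    return (value - mean) / (stdev or 1e-9)


def detect_fixed(samples, training=30, threshold=3.0):
    """Baseline learned once from the first `training` samples, then frozen.
    Returns (index, value, z) for every later sample beyond the threshold."""
    mean, stdev = build_baseline(samples[:training])
    alerts = []
    for i in range(training, len(samples)):
        z = z_score(samples[i], mean, stdev)
        if abs(z) > threshold:
            alerts.append((i, samples[i], round(z, 1)))
    return alerts


def detect_adaptive(samples, window=30, threshold=3.0):
    """Baseline re-learned from the previous `window` samples before scoring
    each new one. Tracks legitimate drift, but a gradual ramp drags the
    baseline along with it and so raises far fewer alerts than detect_fixed."""
    alerts = []
    for i in range(window, len(samples)):
        mean, stdev = build_baseline(samples[i - window:i])
        z = z_score(samples[i], mean, stdev)
        if abs(z) > threshold:
            alerts.append((i, samples[i], round(z, 1)))
    return alerts


if __name__ == "__main__":
    print("burst, fixed baseline   :", detect_fixed(SAMPLES))
    print("ramp, fixed baseline    :", len(detect_fixed(SLOW_RAMP)), "alerts")
    print("ramp, adaptive baseline :", len(detect_adaptive(SLOW_RAMP)), "alerts")
```

The burst trips the fixed detector at minutes 32 and 33 and nowhere else; on the slow ramp the fixed baseline alerts on every sample once the rate has climbed about three standard deviations, while the adaptive baseline keeps re-centring on the ramp and alerts far less. In practice the baseline is re-learned on a schedule that an operator reviews, rather than continuously, for exactly this reason.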

21
Log File Monitor
A log file monitor examines logs from servers,
network devices, and other IDSs for abnormal
activity.
  • Advantage
  • It can correlate activity across multiple hosts.
  • Disadvantage
  • Requires a lot of disk space for log files and
    overhead for processing.
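The cross-host advantage of the slide above, as an added example that is not code from the presentation: the same sshd failures that stay below any single host's alert threshold (the view a HIDS has, see the multi-host disadvantage on slide 13) are recognised as one source sweeping the segment once the logs of several hosts are read together. The log lines are constructed in a syslog-like layout (hostname, ISO timestamp, sshd message) with documentation-range addresses.

```python
"""Log file monitor correlating sshd events across hosts.

Added example, not code from the presentation. A single HIDS sees only its own
host's failures; a log file monitor that collects sshd logs from many hosts can
recognise one source sweeping the whole segment. The log lines are constructed
in a syslog-like layout: hostname, ISO timestamp, then the sshd message.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_LINES = """\
web1 2024-02-25T10:44:01 sshd[2011]: Failed password for root from 203.0.113.7 port 51922 ssh2
web1 2024-02-25T10:44:03 sshd[2011]: Failed password for admin from 203.0.113.7 port 51930 ssh2
db1 2024-02-25T10:44:05 sshd[1888]: Failed password for root from 203.0.113.7 port 51941 ssh2
mail 2024-02-25T10:44:06 sshd[3021]: Failed password for root from 203.0.113.7 port 51950 ssh2
app2 2024-02-25T10:44:09 sshd[902]: Failed password for invalid user oracle from 203.0.113.7 port 51963 ssh2
web1 2024-02-25T10:52:10 sshd[2011]: Failed password for alice from 198.51.100.20 port 40012 ssh2
web1 2024-02-25T10:52:19 sshd[2011]: Accepted password for alice from 198.51.100.20 port 40012 ssh2
db1 2024-02-25T11:01:44 sshd[1888]: Accepted publickey for backup from 192.0.2.9 port 38220 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(text):
    """Turn log text into event dicts. Lines that do not parse are skipped here;
    a production monitor should count them, since attackers may try to break
    the parser with crafted usernames."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def per_host_failures(events, threshold=3):
    """The view one HIDS has: failed logins per (host, source), reported only
    when a single host sees at least `threshold` from the same source."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[(e["host"], e["src"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def cross_host_sweeps(events, min_hosts=3, window_s=300):
    """Sources whose failed logins touch at least `min_hosts` distinct hosts
    within any `window_s`-second window. Returns {source: sorted hosts}."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_src[e["src"]].append(e)
    sweeps = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for start, first in enumerate(evs):
            hosts = {first["host"]}
            for e in evs[start + 1:]:
                if (e["ts"] - first["ts"]).total_seconds() > window_s:
                    break
                hosts.add(e["host"])
            if len(hosts) >= min_hosts:
                sweeps[src] = sorted(hosts)
                break
    return sweeps


if __name__ == "__main__":
    events = parse(LOG_LINES)
    print("per-host view  :", per_host_failures(events))   # {} : no single host reaches 3
    print("cross-host view:", cross_host_sweeps(events))   # {'203.0.113.7': ['app2', 'db1', 'mail', 'web1']}
```

Note that alice's single failure followed by a success from 198.51.100.20 is ordinary user behaviour and is not reported by either view; the correlation keys on one source touching many hosts, not on failures as such.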

22
Extras
  • NIDS
  • Snort
  • http://www.snort.org/
  • NIDS .avi demo
  • Bro Intrusion Detection Monitor
  • http://www.cse.ohio-state.edu/rwagner/cube.avi
  • HIDS
  • Tripwire
  • http://www.tripwire.org/

23
Snort
  • Rule
    alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1922; rev:6;)
  • Alert
    [1:1923:6] RPC portmap proxy attempt UDP
    [Classification: Decode of an RPC Query] [Priority: 2]
    02/25-10:44:56.627405 164.107.112.33:32846 -> 164.107.112.255:111
    UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:144 DF
    Len: 116
  • The alert identifier [1:1923:6] names generator 1, sid 1923, revision 6:
    it was raised by the companion UDP rule, while the rule printed above is
    its TCP counterpart, sid 1922.
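How the rule's payload checks are evaluated, as an added example that is neither Snort's code nor part of the presentation. It builds the ONC RPC CALL header that a portmap proxy attempt sends (record mark, xid, message type, RPC version, program, version, procedure, AUTH_NULL credentials) with struct, and implements the content, offset, depth, distance and within modifiers: offset/depth are absolute from the start of the payload, distance/within are measured from the end of the previous match, with within treated depth-like over the relative window. The hex patterns are copied from the rule above; the UDP rule table is my own derivation (every absolute offset four bytes smaller, since UDP carries no record mark) and not the text of the real sid 1923, which the slide does not show.

```python
"""Replaying Snort content modifiers against a constructed RPC portmap request.

Added example, not code from the presentation or from Snort. It implements the
content / offset / depth / distance / within semantics used by the slide's rule
(sid 1922) and applies them to an ONC RPC CALL header built here. Checks are
evaluated in rule order; distance and within are relative to the end of the
previous match, offset and depth are absolute from the payload start.
"""
import struct


def rpc_call_tcp(xid, program, version, procedure):
    """Constructed TCP-framed ONC RPC CALL: 4-byte record mark, then xid, msg type
    (0 = CALL), RPC version 2, program, version, procedure, and AUTH_NULL
    credential and verifier. Procedure arguments would follow in a real request."""
    body = struct.pack(">IIIIII", xid, 0, 2, program, version, procedure)
    body += struct.pack(">IIII", 0, 0, 0, 0)          # cred flavor/len, verf flavor/len
    record_mark = 0x80000000 | len(body)              # last-fragment bit | length
    return struct.pack(">I", record_mark) + body


def rpc_call_udp(xid, program, version, procedure):
    """Same CALL over UDP: no record mark, so every field sits 4 bytes earlier."""
    return rpc_call_tcp(xid, program, version, procedure)[4:]


def match_content(payload, pattern, *, prev_end=0, offset=0, depth=None,
                  distance=None, within=None):
    """Snort-style content match. Returns the index just past the match, or None.

    offset/depth: search window [offset, offset+depth) from payload start.
    distance/within: window starts at prev_end+distance and the pattern must
    lie entirely within `within` bytes of that start (depth-like)."""
    if distance is not None or within is not None:
        start = prev_end + (distance or 0)
        end = start + within if within is not None else len(payload)
    else:
        start = offset
        end = start + depth if depth is not None else len(payload)
    idx = payload.find(pattern, start, end)
    return None if idx < 0 else idx + len(pattern)


# Payload checks of the slide's rule, sid 1922, in rule order. Hex copied from
# its content:"|..|" strings; the comments give the RPC meaning of each field.
PORTMAP_PROXY_TCP = [
    (bytes.fromhex("000186A0"), {"offset": 16, "depth": 4}),    # program 100000 = portmapper
    (bytes.fromhex("00000005"), {"distance": 4, "within": 4}),  # skip version; proc 5 = CALLIT
    (bytes.fromhex("00000000"), {"offset": 8, "depth": 4}),     # msg type 0 = CALL
]

# Assumed UDP variant: identical bytes with each absolute offset 4 smaller,
# because UDP carries no record mark. The real sid 1923 is not on the slide.
PORTMAP_PROXY_UDP = [
    (bytes.fromhex("000186A0"), {"offset": 12, "depth": 4}),
    (bytes.fromhex("00000005"), {"distance": 4, "within": 4}),
    (bytes.fromhex("00000000"), {"offset": 4, "depth": 4}),
]


def rule_matches(payload, contents):
    """All content checks must succeed, each relative check chained to the previous match."""
    prev_end = 0
    for pattern, mods in contents:
        prev_end = match_content(payload, pattern, prev_end=prev_end, **mods)
        if prev_end is None:
            return False
    return True


if __name__ == "__main__":
    callit = rpc_call_tcp(0x2A2A2A2A, 100000, 2, 5)   # portmap CALLIT: the proxied call the rule flags
    getport = rpc_call_tcp(0x2A2A2A2A, 100000, 2, 3)  # portmap GETPORT: an ordinary lookup
    print("CALLIT over TCP, TCP rule :", rule_matches(callit, PORTMAP_PROXY_TCP))                    # True
    print("GETPORT over TCP, TCP rule:", rule_matches(getport, PORTMAP_PROXY_TCP))                   # False
    print("CALLIT over UDP, TCP rule :", rule_matches(rpc_call_udp(1, 100000, 2, 5), PORTMAP_PROXY_TCP))  # False
    print("CALLIT over UDP, UDP rule :", rule_matches(rpc_call_udp(1, 100000, 2, 5), PORTMAP_PROXY_UDP))  # True
```

The UDP request fails the TCP rule only because its fields sit four bytes earlier, which is why Snort ships separate TCP and UDP rules for the same RPC decode; it also illustrates the signature slide's point that a pattern match is tied to exact byte layout and needs a new rule whenever that layout changes.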