Distributed Intrusion Detection - PowerPoint PPT Presentation

About This Presentation
Title:

Distributed Intrusion Detection

Description:

Distributed Intrusion Detection Mamata Desai (99305903) M.Tech.,CSE dept, IIT Bombay Overview What is intrusion ? Dealing with intrusion Intrusion detection ... – PowerPoint PPT presentation

Number of Views:70
Avg rating:3.0/5.0
Slides: 28
Provided by: Gue284
Category:

less

Transcript and Presenter's Notes

Title: Distributed Intrusion Detection


1
Distributed Intrusion Detection
  • Mamata Desai (99305903)
  • M.Tech.,CSE dept,
  • IIT Bombay

2
Overview
  • What is intrusion ?
  • Dealing with intrusion
  • Intrusion detection principles
  • Our problem definition
  • Packages analyzed
  • Our approach
  • Experiments and Results
  • Conclusions

3
What is intrusion ?
  • The potential possibility of a deliberate
    unauthorized attempt to
  • Access information
  • Manipulate information
  • Render a system unreliable or unusable
  • Types of intrusions
  • External attacks
  • Password cracks, network sniffing, machine
    services discovery utilities, packet spoofing,
    flooding utilities, DOS attacks
  • Internal penetrations Masqueraders, clandestine
    users
  • Misfeasors authorized misuse

4
Example attacks
  • Password cracking
  • Buffer overflow
  • Network reconnaissance
  • Denial of service (DoS)
  • IP spoofing

5
Dealing with intrusion
  • Prevention
  • isolate from n/w, strict auth, encryption
  • Preemption
  • do unto others, before they do unto you
  • Deterrence
  • dire warnings we have a bomb too
  • Deflection
  • diversionary techniques to lure away
  • Counter measures
  • Detection

6
Intrusion Detection principles
  • Anomaly-based
  • Form an opinion on what constitutes normal, and
    decide on a threshold to flag as abnormal
  • Cannot distinguish illegal from abnormal
  • Signature-based
  • Model signatures of previous attacks and flag
    matching patterns
  • Cannot detect new intrusions
  • Compound

7
System characteristics
  • Time of detection
  • Granularity of data processing
  • Source of audit data
  • Response to detected intrusions
  • passive v/s active
  • Locus of data-processing
  • Locus of data-collection
  • Security
  • Degree of inter-operability

8
Host-based v/s Network-based IDS
  • Host-based IDS
  • Verifies success or failure of an attack
  • Monitors specific system activities
  • Detects attacks that n/w based systems miss
  • Well-suited for encrypted and switched
    environments
  • Near-real-time detection and response
  • Requires no additional hardware
  • Lower cost of entry

9
contd.
  • Network-based IDS
  • Lower cost of ownership
  • Detects attacks that host-based systems miss
  • More difficult for an attacker to remove evidence
  • Real-time detection and response
  • Detects unsuccessful attacks and malicious intent
  • Operating system independence
  • Performance issues

10
Our problem definition
  • Portscanning
  • Our laboratory setup
  • Multiple machines with similar configuration
  • Portscan on a single machine
  • Distributed portscan - Small evasive scans on
    multiple machines
  • Aim Detect such distributed scans

11
Typical lab setup
12
Types of Portscans
  • Scan types
  • TCP connect() scan
  • Stealth SYN scan
  • Stealth FIN scan
  • Xmas scan
  • Null scan
  • Scan sweeps
  • One-to-one, one-to-many, many-to-one, many-to-many

13
Normal sequence of packets
Source
Target
Network Messages
Send SYN, seqx
Receive SYN segment
Send SYN, seqy, ACK x1
Receive SYN ACK segment
Send ACK y1
Receive ACK segment
more packet exchanges
Send ACKFINRST
Receive ACKFINRST
14
Stealth SYN scan
Source
Target
Network Messages
Send SYN, seqx
Receive SYN segment
Send SYN, seqy, ACK x1
Receive SYN ACK segment
Send RST
Receive RST
15
Stealth FIN scan
Source
Target
Network Messages
Send FIN
Receive FIN
16
Stealth Xmas scan
Source
Target
Network Messages
Send FINPSHURG
Receive FINPSHURG
17
Packages analyzed
  • Sniffit (http//sniffit.rug.ac.be/sniffit/sniffit.
    html)
  • A network sniffer for TCP/UDP/ICMP packets
  • Interactive mode
  • Tcpdump (http//www.tcpdump.org)
  • A tool for network monitoring and data
    acquisition
  • Nmap (http//www.nmap.org)
  • Network mapper for network exploration,
    security auditing
  • Various types of TCP/UDP scans, ping scans

18
contd
  • Portsentry (http//www.psionic.com/abacus/portsent
    ry)
  • Host-based TCP/UDP portscan detection and active
    defense system
  • Stealth scan detection
  • Reacts to portscans by blocking hosts
  • Internal state engine to remember previously
    connected hosts
  • All violations reported to syslog
  • Snort (http//www.snort.org)
  • Network-based IDS real-time analysis and
    traffic logging
  • Content searching/matching to detect attacks and
    probes buffer overflows, CGI attacks, SMB
    probes, OS fingerprinting attacks
  • Rules language to describe traffic to collect or
    pass
  • Alerts via syslog, user files, WinPopUp messages
  • 3 functional modes sniffer, packet logger, NIDS

19
contd
  • Portsentry
  • Binds to all ports to be monitored
  • A static list of ports monitored
  • State engine different hosts
  • Snort
  • Preprocessor connections to P ports in T
    seconds
  • V1.8 only one-to-one and one-to-many portscans
    detected

20
Our approach
  • Pick up network packets
  • Based on which type of portscan is to be
    analyzed, identify the scan signature
  • Add each source and target IP address, to the
    correlation lists
  • Use the correlation lists to infer the scan sweep
    one-to-one, one-to-many, many-to-one,
    many-to-many

21
Experimental Setup
22
Detection algorithm
  • Examine each TCP packet on the network.
  • Extract source and target IP addrs and ports.
  • For each scan type to be detected, maintain a
    list of valid connections.
  • When a scan signature is detected, add source and
    target IP addrs to 2 correlation lists pointed to
    by srcIP and tarIP, remove entry from connections
    list.

23
contd
  • Identical correlation lists record source and
    target IP addrs info, along with number of scans.
  • Scan sweeps one-to-one, one-to-many, many-to-one,
    and many-to-many are detected by passes thru the
    correlation lists.

24
(No Transcript)
25
Experiments
One-to-one scan
Source Target TCP ports
pro-13 pro-19 25, 119
pro-15 pro-21 21, 23, 80
pro-17 pro-23 22, 79
One-to-many scan
Source Target TCP ports
pro-13 pro-19 pro-21 pro-23 7, 20, 21 22, 23, 25, 53 69, 79, 80, 88
pro-15 pro-19 pro-21 110, 111, 119 139, 143, 194, 220
26
contd
Many-to-one scan
Source Target TCP ports
pro-13 pro-21 443, 513, 518
pro-15 pro-21 873, 3130, 6667
pro-17 pro-21 107, 20, 21, 23
Many-to-many scan
Source Target TCP ports
pro-13 pro-19 pro-21 pro-23 7, 20, 21, 79 80, 113, 119, 139 143, 194, 667
pro-15
pro-17
27
Conclusions
  • All the scans performed by nmap were detected
    successfully by our detector and the correlations
    were accurate.
  • Some stray incidents of ident lookups did get
    classified as scans, due to the way closed ports
    behave.
Write a Comment
User Comments (0)
About PowerShow.com