Intrusion Detection Systems - PowerPoint PPT Presentation

About This Presentation
Title:

Intrusion Detection Systems

Description:

Intrusion Detection Systems Sai Nandoor Priya Selvam Balaji Badam – PowerPoint PPT presentation

Number of Views:249
Avg rating:3.0/5.0
Slides: 21
Provided by: EAS116
Learn more at: http://cs.uccs.edu
Transcript and Presenter's Notes

1
Intrusion Detection Systems
  • Sai Nandoor
  • Priya Selvam
  • Balaji Badam

2
How insecure are we?
  • Attacks on computer infrastructures are a serious
    problem.
  • Information theft is up over 250% in the last 5
    years.
  • 99% of all major companies report at least one
    major incident.
  • Telecom and computer fraud totaled $10 billion in
    the US alone.
  • Source: Eugene H. Spafford, Security Seminar,
    Department of Computer Sciences, Purdue
    University, Jan 1996.

3
IDS Based on Data Source
  • Host Based IDS
  • Its role is to identify tampering or malicious
    activity occurring on the system.
  • This is achieved by monitoring log files, users,
    and the file system.
  • Network Based IDS
  • Its role is to identify tampering or malicious
    activity occurring in the network traffic.
  • This is achieved by monitoring network traffic on
    the wire for specific activities/signatures that
    represent an attack.
  • Hybrid IDS
  • Combination of network and host based IDS.

4
Host Based - Network Based
5
Advantages
  Network based:
  • Lowers cost of ownership
  • Detects what HIDS miss
  • Difficult to remove evidence
  • Real-time detection and response
  • Detects unsuccessful attacks
  • OS independent
  Host based:
  • Lower cost of entry
  • Detects what NIDS miss
  • Verifies success/failure of attack
  • Suited for encrypted environments
  • Monitors specific activities
  • Requires no additional hardware
6
Host Based IDS
  • Specific files to be monitored are defined in a
    configuration file.
  • Digest of the file is stored in a database.
  • Multiple digest algorithms can be used.
  • Examples
  • TRIPWIRE/AIDE/SAMHAIN
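
The three bullets above describe the whole host-based IDS loop: a configuration file names the files to watch, a digest of each is stored in a database, and more than one digest algorithm may be used. The following is an added example (not code from the slides, nor from Tripwire, AIDE or Samhain) that implements that loop with Python's standard library. The configuration format (one path per line, `#` comments) and the JSON database layout are assumptions for the example; the monitored files, their contents and the tampering are constructed in a temporary directory.

```python
import hashlib
import json
import os
import tempfile

# Digest algorithms recorded for every monitored file (the slides note that
# more than one can be used; both names are stdlib hashlib algorithms).
ALGORITHMS = ("sha256", "blake2b")


def file_digests(path, algorithms=ALGORITHMS):
    """Hash one file with every configured algorithm, reading it in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def load_config(config_path):
    """Assumed config format: one monitored path per line, '#' starts a comment."""
    paths = []
    with open(config_path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                paths.append(line)
    return paths


def build_baseline(config_path, db_path):
    """Digest every monitored file and store the result as the JSON 'database'."""
    baseline = {p: file_digests(p) for p in load_config(config_path) if os.path.isfile(p)}
    with open(db_path, "w") as fh:
        json.dump(baseline, fh, indent=1)
    return baseline


def check_integrity(config_path, db_path):
    """Compare the file system against the stored baseline.

    Returns {'changed': [...], 'missing': [...], 'new': [...]}.  A file counts
    as changed if ANY digest differs, so defeating one algorithm is not enough.
    """
    with open(db_path) as fh:
        baseline = json.load(fh)
    report = {"changed": [], "missing": [], "new": []}
    for path in load_config(config_path):
        if path not in baseline:
            if os.path.isfile(path):
                report["new"].append(path)
        elif not os.path.isfile(path):
            report["missing"].append(path)
        elif file_digests(path) != baseline[path]:
            report["changed"].append(path)
    return report


def demo():
    """Constructed scenario in a temp dir: baseline three files (the config
    file monitors itself), then append to one and delete another."""
    work = tempfile.mkdtemp()
    passwd = os.path.join(work, "passwd")
    sshd = os.path.join(work, "sshd_config")
    config = os.path.join(work, "hids.conf")
    db = os.path.join(work, "digests.json")
    with open(passwd, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(sshd, "w") as fh:
        fh.write("PermitRootLogin no\n")
    with open(config, "w") as fh:
        fh.write("# constructed list of monitored files\n")
        fh.write("\n".join([passwd, sshd, config]) + "\n")
    build_baseline(config, db)
    # Simulated tampering after the baseline was taken.
    with open(passwd, "a") as fh:
        fh.write("backdoor:x:0:0::/:/bin/sh\n")
    os.remove(sshd)
    return check_integrity(config, db), passwd, sshd


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=1))
```

Listing the configuration file among the monitored files is what slide 17 below calls "configuration file included in list of secure files"; the digest database itself still needs protection (read-only media or a signed copy, as the real tools do), which is why slide 15 lists "keep checksum database secure" as a separate goal.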

7
TRIPWIRE
  • Can be reconfigured to prevent false-alarms.
  • Flexible policy language with predefined policy
    files and wildcard support.

AIDE
  • Similar to TRIPWIRE, but a lighter-weight version.

SAMHAIN
  • Support for Stealth mode of operation.
  • Encrypted and authenticated client/server
    connections.

8
Network Based IDS
  • Packet Sniffing front end.
  • Pattern matching engine.
  • Backend database.
  • Examples
  • SNORT/SHOKI/BRO

9
SNORT
  • Can also operate as packet sniffer/logger.
  • Flexible rule based language to describe traffic.
  • Can perform protocol analysis, content
    searching/matching.

SHOKI
  • Multi-filter rule sets that match individual
    packets.
  • SNORT rules can be converted to SHOKI filters.

BRO
  • Provides its own language.
  • Passive, doesn't terminate malicious activity.

10
SNORT Rules
  var EXTERNAL_NET ![128.3.0.0/16,131.243.0.0/16]
  var HTTP_SERVERS [128.3.0.0/16,131.243.0.0/16]
  var HTTP_PORTS 80
  preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
  output alert_fast: alarms.log
  include file1.config
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; sid:1328; classtype:web-application-attack; rev:4;)

  ($EXTERNAL_NET is everything outside the two local /16 blocks. The rule fires on an established, client-to-server HTTP request whose URI contains /bin/ps, matched case-insensitively, and the http_decode preprocessor normalizes Unicode and double-encoded URIs before the match so that encoding tricks do not hide the string.)
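
To show what the rule above actually tests, here is an added example (not Snort code, and not part of the slides) that parses that rule and the three `var` lines into a small matcher and runs it over constructed packet summaries. It handles the `$VAR` substitution, the `!` negation and the CIDR lists, the `flow:` flags, and `uricontent` with `nocase`; the `http_decode` normalization is left out, and treating a single `nocase` as applying to the `uricontent` option is a simplification of Snort's per-content modifiers. The packet dicts and the alert_fast-style output format are assumptions for the example.

```python
import ipaddress
import re

# Variables and rule from the slide above (page values, restored to Snort syntax).
VARS = {
    "EXTERNAL_NET": "![128.3.0.0/16,131.243.0.0/16]",
    "HTTP_SERVERS": "[128.3.0.0/16,131.243.0.0/16]",
    "HTTP_PORTS": "80",
}
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; '
        'uricontent:"/bin/ps"; nocase; sid:1328; classtype:web-application-attack; rev:4;)')


def parse_rule(text):
    """Split a rule into its header fields and an ordered list of (option, value)."""
    header, body = text.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = header.split()
    options = []
    for item in body.rstrip(")").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options.append((key.strip(), value.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def resolve(spec):
    """Replace a $VAR reference with its value from the var lines."""
    return VARS[spec[1:]] if spec.startswith("$") else spec


def address_matches(spec, ip):
    """Handle '!' negation and [a,b] lists of CIDR blocks."""
    spec = resolve(spec)
    negate = spec.startswith("!")
    spec = spec.lstrip("!").strip("[]")
    if spec == "any":
        return True
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(net)
              for net in spec.split(","))
    return hit != negate


def port_matches(spec, port):
    spec = resolve(spec)
    return spec == "any" or int(spec) == port


def request_uri(payload):
    """The URI from the HTTP request line is what uricontent inspects."""
    m = re.match(rb"[A-Z]+ (\S+) HTTP/", payload)
    return m.group(1) if m else b""


def evaluate(rule, pkt):
    """Return an alert_fast-style line if pkt matches the rule, else None."""
    if rule["proto"] != pkt["proto"]:
        return None
    if not (address_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and address_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return None
    # Simplification: a single 'nocase' is taken to modify the uricontent option.
    nocase = ("nocase", "") in rule["options"]
    msg = sid = None
    for key, value in rule["options"]:
        if key == "flow":
            flags = value.split(",")
            if ("to_server" in flags and not pkt["to_server"]) or \
               ("established" in flags and not pkt["established"]):
                return None
        elif key == "uricontent":
            uri, needle = request_uri(pkt["payload"]), value.encode()
            if nocase:
                uri, needle = uri.lower(), needle.lower()
            if needle not in uri:
                return None
        elif key == "msg":
            msg = value
        elif key == "sid":
            sid = value
    return "[**] [1:%s] %s [**] %s:%d -> %s:%d" % (
        sid, msg, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def make_packet(src, dst, payload, to_server=True, established=True):
    """Constructed packet summary (not a real capture)."""
    return {"proto": "tcp", "src": src, "sport": 40000, "dst": dst, "dport": 80,
            "to_server": to_server, "established": established, "payload": payload}


SAMPLE_PACKETS = [
    make_packet("10.0.0.5", "128.3.10.20", b"GET /BIN/PS HTTP/1.0\r\n\r\n"),      # matches (nocase)
    make_packet("128.3.1.1", "128.3.10.20", b"GET /bin/ps HTTP/1.0\r\n\r\n"),     # internal source
    make_packet("10.0.0.5", "128.3.10.20", b"GET /index.html HTTP/1.0\r\n\r\n"),  # benign URI
    make_packet("10.0.0.5", "128.3.10.20", b"GET /bin/ps HTTP/1.0\r\n\r\n",
                established=False),                                               # no handshake
]


def run_rule(rule_text=RULE, packets=SAMPLE_PACKETS):
    rule = parse_rule(rule_text)
    return [a for a in (evaluate(rule, p) for p in packets) if a]
```

Only the first packet produces an alert: the second comes from inside the local /16 blocks that $EXTERNAL_NET excludes, the third has a benign URI, and the fourth fails the `established` flow check. The last case is why `flow:` matters for false-positive control: without it, a single spoofed SYN-less segment carrying the string would raise the same alert.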

11
Bro Rules
  rule sid-1328 {
    header ip[9:1] == 6
    header ip[12:4] != 128.3.0.0/16,131.243.0.0/16
    header ip[16:4] == 128.3.0.0/16,131.243.0.0/16
    header tcp[2:2] == 80
    tcp-state originator,established
    http /.*\/[bB][iI][nN]\/[pP][sS]/
    msg "WEB-ATTACKS ps command attempt"
  }

  (This is the same sid 1328 rule expressed as a Bro signature: ip[9:1] is the IP protocol field, 6 = TCP; ip[12:4] and ip[16:4] are the source and destination addresses; tcp[2:2] is the destination port; the character classes in the regular expression give the case-insensitive /bin/ps match.)

SHOKI Rules
  tcp 65536 THRESHOLD11020 SAMP-6 http h(tp)// ALL
  tcp 65536 HOST_SCAN22040 SAMP-7 host scan NULL ALL
  tcp 65536 PORT_SCAN33050 SAMP-8 p_scan 0x687474 ALL
12
ACID screen capture for SNORT
13
Hybrid IDS
  • Can be clustered
  • Centralized database
  • Provides file protection by using digest
  • Network sensing using packet sniffing
  • Blends strengths of HIDS and NIDS
  • Examples
  • MANHUNT/PRELUDE/DRAGON

14
MANHUNT
  • Detects new and modified attacks
  • Dynamically reassign ports scanned
  • Flowchaser and Trackback to fight DDoS

PRELUDE
  • Incorporates information from other IDS
  • Provides hooks to firewalls, honeypots, etc
  • Uses multiple sensors and a report server

DRAGON
  • Provides IDS evasion countermeasures by keeping
    a large database of known hacker techniques and
    searching for anomalies.

15
Goals
  • Design a hybrid system
  • Send instantaneous alerts to network
    administrator and other hosts
  • Use secure communication channels
  • Keep configuration file secure
  • Keep checksum database secure
  • Maintain list of intruders
  • Maintain a log of attacks

16
Design
  (Architecture diagram; components shown: Intruder,
  Host, Administrator, Firewall, Database, Other Hosts.)
17
Implementation
  • Dedicated Sockets for Communication
  • Messages encrypted using AES
  • Configuration file included in list of secure
    files
  • Checksums encrypted using AES
  • Network Administrator maintains log of intrusions
  • Hosts maintain a list of intruders
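
The slide above specifies dedicated sockets between hosts and the administrator, encrypted messages, an intrusion log kept by the administrator and an intruder list kept by the hosts. The following added example (not the project's code) runs that exchange end to end with Python's standard library: a monitored host sends an alert over a dedicated socket, the administrator validates it, logs it, and answers with the current intruder list. Where the slides use AES, this example substitutes HMAC-SHA256 message authentication, which the standard library provides; it therefore gives integrity and replay detection but not confidentiality, and a nonce per message is the assumed replay defence. The key, host name, alert fields and the three messages are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import socket
import threading
import time

# Shared secret between the monitored host and the administrator station.
# Constructed for this example; a deployment would provision one per host.
SHARED_KEY = b"constructed-demo-key"


def seal(message, key=SHARED_KEY):
    """Serialize a message and append an HMAC-SHA256 tag: b'json|hextag\\n'."""
    body = json.dumps(message, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag + b"\n"


def unseal(line, key=SHARED_KEY):
    """Check the tag in constant time; return the dict, or None if it fails."""
    body, _, tag = line.rstrip(b"\n").rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def make_alert(source, detail):
    """Alert raised by a host; the random nonce lets the admin spot replays."""
    return {"host": "web01", "source": source, "detail": detail,
            "time": int(time.time()), "nonce": os.urandom(8).hex()}


class Administrator:
    """Keeps the intrusion log and the intruder list pushed back to hosts."""

    def __init__(self):
        self.log = []
        self.intruders = []
        self.seen_nonces = set()

    def receive(self, line):
        """Validate one sealed alert and return the sealed reply for the host."""
        alert = unseal(line)
        if alert is None:
            status = "rejected: bad MAC"
        elif alert["nonce"] in self.seen_nonces:
            status = "rejected: replay"
        else:
            status = "accepted"
            self.seen_nonces.add(alert["nonce"])
            self.log.append(alert)
            if alert["source"] not in self.intruders:
                self.intruders.append(alert["source"])
        if status != "accepted":
            self.log.append({"event": status})
        return seal({"status": status, "intruders": list(self.intruders),
                     "nonce": os.urandom(8).hex()})


def admin_loop(admin, sock, count):
    """Administrator side of the dedicated socket: serve `count` alerts."""
    reader = sock.makefile("rb")
    for _ in range(count):
        sock.sendall(admin.receive(reader.readline()))


def host_send(sock, reader, line):
    """Host side: send one sealed line, return the admin's verified reply."""
    sock.sendall(line)
    return unseal(reader.readline())


def demo():
    """Constructed exchange: a genuine alert, a replay of it, and a copy whose
    source address was altered in transit."""
    host_sock, admin_sock = socket.socketpair()
    admin = Administrator()
    worker = threading.Thread(target=admin_loop, args=(admin, admin_sock, 3))
    worker.start()
    reader = host_sock.makefile("rb")
    genuine = seal(make_alert("10.0.0.5", "sid 1328: /bin/ps in request URI"))
    replies = [host_send(host_sock, reader, genuine),
               host_send(host_sock, reader, genuine),
               host_send(host_sock, reader, genuine.replace(b"10.0.0.5", b"10.0.0.9"))]
    worker.join()
    host_sock.close()
    admin_sock.close()
    return admin, replies
```

The second and third messages show why authentication belongs in the channel design alongside encryption: an encrypted but unauthenticated alert could still be replayed or bit-flipped, and the administrator's intruder list would then be fed by the intruder.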

18
Sample execution
19
Lessons Learned
  • Hybrid IDS involves a lot of components
  • Communication between hosts and admins must be secure
  • Configuration files are vulnerable
  • Hybrid IDS provides better security

Future Work
  • Network sensors to defend against DDoS attacks
  • Incorporate different hashing algorithms
  • Add a feature to track sources of DDoS
  • Incorporate data from existing IDS
  • Add a file change notification component

20
References
  • Intrusion Detection Systems, by Ricky M. Magalhaes,
    http://www.windowsecurity.com
  • An Introduction to Intrusion Detection, by Aurobindo
    Sundaram, ACM Crossroads
  • Network Vs. Host Based Intrusion Detection,
    http://www.isskk.co.jp
  • IDS Products, http://www.netsmart.net.au
  • Intrusion Detection and Network Auditing on the
    Internet, http://www.infosyssec.com