DDIDS Dynamic Distributed Intrusion Detection System - PowerPoint PPT Presentation

1 / 42

About This Presentation

Title:

DDIDS Dynamic Distributed Intrusion Detection System

Description:

DDIDS (Dynamic Distributed Intrusion Detection System) 11/04/04. Kevin Skapinetz. Daniel Hanley ... time frame = Probable successful system compromise ... – PowerPoint PPT presentation

Number of Views:553

Avg rating:3.0/5.0

Slides: 43

Provided by: ccGa

Category:

more less

Transcript and Presenter's Notes

Title: DDIDS Dynamic Distributed Intrusion Detection System

1
DDIDS(Dynamic Distributed Intrusion Detection
System)

11/04/04
Kevin Skapinetz
Daniel Hanley
Andrew Thigpen

2
Outline

IDS History
IDS Types
Intrusion Prevention
Attack Correlation
Current Technology
DDIDS

3
What is Intrusion Detection?

all processes used in discovery of unauthorized
uses of network or computer devices
Detection of unusual and abnormal activity/events
in real-time
Detects break-ins or attacks through various data
sources from logs / audits / surveillance and
network traffic

4
History of IDS

Early 1970s paper by James P. Anderson
US Air Force paper first acknowledging the need
for increased awareness of computer security
problems
Erose from unique need of USAF for security with
different levels of classification
1980 Computer Security Threat Monitoring and
Surveillance, by James P. Anderson
Notion of automated intrusion detection born
Outlines ways to improve computer security
auditing and surveillance
Must define and understand threats then design
IDS tailored to these threats
Risk assessment process -gt security policy

5
History of IDS (cont.)

1984 Stanford Research Institute
Developed means of tracking and analyzing audit
data for ARPANET
Navy SPAWAR contract to realize first functional
IDS (IDES)
Mid-1980s - Dorothy Denning and Peter Neumann
Significant research in ID for SRI
Developed actual model for real-time IDS (IDES)
Prototype
First to address break-ins, masquerading, system
penetrations, Trojan horses, viruses, leakages,
DNS attacks
Initially rule based expert system
Developed into NIDES

6
History of IDS (cont.)

1988 University of Davis Lawrence Livermore
Laboratories
Haystack project -gt IDS for USAF
Analyzed audit data by comparing with defined
patters
searching through this large amount of data for
one specific misuse was equivalent to looking for
a needle in a haystack
1989 Haystack Labs
Last generation called Stalker
DIDS
host-based, pattern matching system that
included robust search capabilities to manually
and automatically query the audit data

7
History of IDS (cont.)

1990 UC Daviss Todd Heberlein
NSM (Network Security Monitor)
First Network-based ID
Major government installations
Contributions with DIDS with idea of Hybrid ID
Introduced to commercial world
Late-1990s commercialization
CMDS (Computer Misuse Detection System)
ASIM (Automated Security Measurement System)
RealSecure ISS product

8
Types of IDS

Implementation
Host-based vs. Network-based
Methodology Models
Anomaly vs. Signature detection

9
Host-based (HIDS)

Operate on a host to detect malicious activity
Load pieces of software on system
Uses system log files or auditing agents as
sources of data
Two primary classes
Host wrappers/personal firewalls
Agent-based software
Effective in detecting trusted-insider attacks
(anomalous activity)
Pros
High level of detail
Use centralized system to manage multiple hosts
Can examine encrypted traffic
Cons
May decrease network performance
Foiled by DoS attacks
Consumes host resources

10
Network-based (NIDS)

Operate on network data flows
Monitors traffic on network segment for sources
of data
NIC set to promiscuous mode
Complete knowledge
Lots of data
Signature matching
String
Port
Header condition
Pros
Can monitor large networks
Little overhead
Easy to secure
Cons
May overlook attacks peak traffic periods
Cannot analyze encrypted data
Cannot report success or failure of attacks

11
Anomaly Detection

Detects activity that deviates from normal
activity
Depends on statistical definition of normal
Prone to large number of false positives
Subcategories
Profile-based
Protocol-based
Pros
If implemented properly, can detect unknown
attacks
Offers low overhead (learning vs. development)
Cons
Not definitive
Definition of normal
High false positive rate

12
Signature Detection

Matches known patterns of events specific to
known attacks
Requires knowledge of attack signatures
Requires method to compare and match behavior to
signature
Types
Pattern matching
Stateful pattern matching
Protocol decode based
Heuristic based

13
Pattern Matching

Fixed sequence of bytes in a single packet
Pros
Simple to employ
Highly specific
Applicable across all protocols
Cons
High false positive rate
Multiple signatures for a single vulnerability

14
Stateful pattern matching

More sophisticated
Employs the concept of contextual matches within
the state of the data stream
Pros
Similar to Non-stateful pattern matching
Makes evasion more difficult
Cons
Same as Non-stateful pattern matching

15
Protocol-decode based

Breaks down elements of protocol
Applies rules defined by RFCs to look for
violations
Pros
Minimizes chance for false positives if well
defined and enforced
More general to allow for catching variations on
themes
Reliably alerts on violation of rules
Cons
Can lead to high false positives if RFC not well
defined
Longer development times

16
Heuristic based

Uses algorithmic logic to base alarm decisions
Statistical evaluation of traffic
Pros
Certain types of activity can only be detected
through this type
Cons
Algorithms may require tuning and modification to
conform to traffic and limit false positives

17
Intrusion Prevention

Evolution of IDS to IPS
Incorporates other network devices
Passive gt Active detection
Proactive defense mechanisms
Stops offending traffic prior to damage
Host IPS
Direct system installation
Binds close to kernel to intercept system calls
(Audits)
Not very upgradeable (change controls,
availability)
Network IPS
Combines IDS, IPS, and a firewall
In-line IDS or Gateway IDS
Discards malicious packets
Unable to compete with current speed of networks

18
IDS Correlation

What is Correlation with respect to IDS systems?
The process of transforming raw threat data into
prioritized and actionable data.
Need for Correlation technology
Low accuracy rates in current IDS (reduces false
positives)
Decision support in real-time incident response
Sheer volume of information can overwhelm human
operators
Ability to detect distributed attacks
Opportunity to take advantage of multiple data
sources for more accurate detection
Allows the security management team to focus on a
subset of higher priority alerts
Increases IDS productivity and effectiveness

19
IDS Correlation

Good IDS correlation systems will
Separate and highlight events that are more
likely to cause damage
Distinguish successful intrusions from
unsuccessful ones
Identify widely distributed attacks
Track events in real-time in an automated fashion
Have an automated response capability that can
help protect against serious threats
Offer user-defined and configurable signatures to
adapt to the customer environment

20
IDS Assessment Correlation

Lowers or Increases the priority of an event if
the target is vulnerable or not vulnerable to the
threat.
Requires assessment scanning of network resources
and storage of the results.
Assessment scanning determines the following
Type of resource (OS / Version information).
Services running on that resource.
If the resource is vulnerable to a known exploit.
May be done remotely or from an agent installed
directly on the host.
Central point of Correlation.

21
IDSVA Correlation Diagram

Scanner profiles servers to build Vulnerability
information on IDS Server.
Sensor picks up attack aimed at First Server,
sends event to IDS Server.
IDS Server determines if the Server is vulnerable
to the attack. If there is a high probability
that the attack will be successful, the priority
of the event raised in the IDS Console is
increased.

22
IDSVA Correlation

Limitations of IDSVA Correlation
Requires Vulnerability Assessment scans to be
performed on a regular basis.
Does not do a good job with handling roaming
hosts (WLAN, DHCP, environments).
Does not assist in Intrusion Prevention, only
alters the way the threat is presented in the
management console.

23
Attack Pattern Correlation

Combines different events/attacks into a single
incident.
Events may originate from the a single or
multiple sensors on the network.
The ability to correlate Host and Network
intrusion information for an added level of
verification.

24
Attack Pattern Correlation (ex 1)
25
Attack Pattern Correlation (ex 1)
26
Attack Pattern Correlation (ex 1)
27
Attack Pattern Correlation (ex 1)
28
Attack Pattern Correlation (ex 1)
29
Attack Pattern Correlation (ex 1)
30
Attack Correlation from different Sensors

Successful buffer overflow attack against DNS
server followed by login and attempt to install
Trojan backdoor.
Correlate across network engines and system
agents
DNS buffer overflow attack (network)
Login with admin privileges (system)
Audit disable attempt (system)
netbus install (system)
Same source (network, system)
lttime framegt
Probable successful system compromise

31
Current IDS Correlation Technology

ISS Security Fusion Module (APVA)
Qualys QuIDScor (VA)
Cisco Threat Response (VA)
Symantec Incident Manager (AP VA)
Juniper Networks Netscreen (AP)

32
Internet Security Systems Solution
33
Current Correlation Prevention Architecture

Sensors send events to a separate device in the
IDS system.
Correlation engine in a centralized location.
Correlation engine only affects notification
responses (i.e. increasing the priority of an
alert in the management console).
Preventative response have no relation with event
correlation.

34
Project Motivation