ITS335: IT Security
Intrusion Detection
Sirindhorn International Institute of Technology, Thammasat University
Prepared by Steven Gordon on 25 October 2013
its335y13s2l07, Steve/Courses/2013/s2/its335/lectures/intrusion.tex, r2958 1/30
Intruders and Intrusion Detection
◮ Attacks will occur
◮ Successful attacks allow intruders to gain unauthorised access to resources
◮ Often cheaper to prevent some attacks and detect the rest
◮ Intrusion Detection Systems (IDS) aim to detect attacks
◮ Monitor and analyse system events to find, log and warn of intrusions
◮ Response from a detected attack may be technical or legal
Contents
Intruders
Intrusion Detection
Host-Based Intrusion Detection
Distributed Host-Based Intrusion Detection
Network-Based Intrusion Detection
Honeypots
Summary
Types of Intruders
Masquerader: someone who is not authorised to use the system and penetrates access controls to exploit a legitimate user's account; outsider
Misfeasor: legitimate user who accesses resources they are not authorised to, or misuses privileges; insider
Clandestine user: takes administrator control of the system and uses it to evade detection and access controls; insider or outsider
Examples of Intrusion
◮ Remote root/administrator compromise of server
◮ Defacing a web server
◮ Guessing/obtaining passwords
◮ Copying databases containing private information, e.g. credit card numbers
◮ Viewing sensitive data, e.g. payroll records, medical information
◮ Capturing network packets to obtain usernames and passwords
◮ Using computer resources to distribute inappropriate/illegal material
◮ Posing as other people (e.g. executive, help-desk) to gain passwords
◮ Using unattended, logged-in computer without permission
Intruder Behaviour
Cracker
◮ Motivated by thrill of access and/or status
◮ Look for open targets; may share information with others
◮ Use security flaws in software to gain access
◮ IDS and IPS are very useful
Criminal Enterprise
◮ Motivated by financial reward and/or political/religious ideologies
◮ Corporations, government funded, gangs
◮ Specific targets; avoid publicity
◮ Use security flaws and social engineering to gain access
◮ IDS and IPS are useful
Intruder Behaviour
Internal Threat
◮ Motivated by revenge and/or entitlement
◮ Have access to system; difficult to detect
◮ Internal security mechanisms are useful: least privilege, strong authentication, logging and auditing, employee termination policies
Intrusion Techniques
Aim: gain access to system or increase privileges on system
Exploit flaws in software
◮ Bugs in software that allow execution of code by intruder
◮ Solution: keep track of vulnerabilities (CERT); regular software updates
Acquire protected information
◮ Password guessing or cracking
◮ Social engineering attacks
◮ Solution: appropriate technologies, policies and education for confidential information
Intrusion Detection Systems
Types
Host-based: monitor characteristics of a single computer
Distributed host-based: monitor characteristics on a set of computers, with a central module detecting intrusions
Network-based: monitor network traffic to identify suspicious activity
Common Components
Sensors: collect data, e.g. packets, log files, system call traces
Analysers: receive collected data, analyse it and determine if an intrusion has occurred
User Interface: allow user to view output and control behaviour of IDS
IDS Principles
Assume intruder behaviour is different from that of legitimate users
[Figure: Credit: Figure 8.1 in Stallings and Brown, Computer Security, 2nd Ed., Pearson 2012]
False positive: legitimate user identified as intruder
False negative: intruder not identified
IDS Requirements
◮ Run continually with minimal human supervision
◮ Recover from system restart/crashes
◮ Monitor itself and detect attacks on itself
◮ Impose minimal overhead on system
◮ Configurable according to system security policies
◮ Adapt to system and user behaviour changes over time
◮ Scale to monitor large number of hosts
◮ Still (partially) work if some components stop working
Host-Based IDS
◮ Special layer of software to protect vulnerable systems
◮ Primary purpose: detect intrusions, log suspicious events, send alerts
◮ May be able to stop attacks if detected early
◮ Can detect both internal and external attacks
Anomaly vs Signature Detection
Anomaly Detection
◮ Compare observed behaviour against previously collected normal behaviour
◮ Threshold detection: thresholds based on frequency of occurrence of events, independent of user
◮ Profile-based: profiles of users created and compared against
Signature Detection
◮ Define behaviour or attacks by a set of rules or patterns; compare observed behaviour against rules/patterns
◮ Rule-based anomaly detection: define rules based on past observed normal behaviour
◮ Rule-based penetration identification: define rules based on attacks
Audit Records
Native
◮ Most operating systems have logs of software and user activity
◮ Advantage: no additional collection software needed
◮ Disadvantage: logs may not contain all the needed information, or may hold it in an inconvenient form
Detection-specific
◮ Records generated specifically for the IDS
◮ Advantage: may work on different systems
◮ Disadvantage: extra overhead in collecting information
Example Measures for Intrusion Detection
Each entry gives a measure and the type of intrusion it can detect.

Login and Session Activity
  Login frequency by day and time: intruders may be likely to log in during off hours
  Frequency of login at different locations: intruders may log in from a location that a particular user never uses
  Time since last login: break-in on a "dead" account
  Elapsed time per session: significant deviations might indicate a masquerader
  Quantity of output to location: excessive amounts of data transmitted to remote locations could signify leakage of sensitive data
  Session resource utilisation: unusual processor or I/O levels could signal an intruder
  Password failures at login: attempted break-in by password guessing
  Failures to login from specified terminals: attempted break-in

Command or Program Execution Activity
  Execution frequency: detect intruders based on their use of different commands
  Program resource utilisation: increased processor utilisation or I/O may indicate a virus/Trojan
  Execution denials: may detect an attempt by a user seeking higher privileges

File Access Activity
  Read, write, create, delete frequency: abnormal values may indicate masquerading
  Records read, written: abnormal values may indicate an attempt to obtain sensitive data
  Failure count for read, write, create, delete: may detect users who persistently attempt to access unauthorised files
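The three detection approaches from the "Anomaly vs Signature Detection" slide, applied to three of the login measures listed above (password failures, login time, login location), as an added example that is not part of the lecture material. It is a toy host-based analyser: the log format, the sample records, the 10.0.1.x "internal" address range, the account names and the threshold value are all constructed for the example. The first two days of records serve as the "previously collected normal behaviour" from which per-user profiles are built; the third day is analysed against them.

```python
"""Toy host-based detector over constructed login records (added example).

Contrasts threshold detection (one fixed limit applied to every account),
profile-based anomaly detection (per-user baseline of hours and locations)
and signature detection (a fixed rule describing a known bad event).
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: "date time user result source_address".
# Days 1-2 are normal activity; day 3 contains the events to be detected.
SAMPLE_LOG = """\
2013-10-21 09:02:11 alice OK 10.0.1.20
2013-10-21 09:15:40 bob OK 10.0.1.31
2013-10-21 17:48:03 alice OK 10.0.1.20
2013-10-22 08:55:19 alice OK 10.0.1.20
2013-10-22 09:04:27 bob OK 10.0.1.31
2013-10-23 02:13:05 alice OK 198.51.100.7
2013-10-23 02:13:40 bob FAIL 198.51.100.7
2013-10-23 02:13:41 bob FAIL 198.51.100.7
2013-10-23 02:13:42 bob FAIL 198.51.100.7
2013-10-23 02:13:43 bob FAIL 198.51.100.7
2013-10-23 02:13:44 bob FAIL 198.51.100.7
2013-10-23 02:13:45 bob FAIL 198.51.100.7
2013-10-23 02:14:02 root OK 198.51.100.7
"""

TRAINING_DAYS = {"2013-10-21", "2013-10-22"}  # assumed "normal behaviour" period
INTERNAL_PREFIX = "10.0.1."                   # constructed internal address range


def parse(log_text):
    """Turn the constructed log text into a list of record dicts."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, user, result, source = line.split()
        records.append({
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "ok": result == "OK",
            "source": source,
        })
    return records


def threshold_alerts(records, max_failures=5):
    """Threshold detection: the same failure limit applies to every account.
    Measure used: password failures at login (attempted password guessing)."""
    failures = Counter(r["user"] for r in records if not r["ok"])
    return sorted(user for user, n in failures.items() if n > max_failures)


def build_profiles(training):
    """Profile-based anomaly detection, step 1: learn each user's usual
    login hours and source addresses from successful logins."""
    profiles = defaultdict(lambda: {"hours": set(), "sources": set()})
    for r in training:
        if r["ok"]:
            profiles[r["user"]]["hours"].add(r["when"].hour)
            profiles[r["user"]]["sources"].add(r["source"])
    return profiles


def profile_alerts(profiles, records):
    """Profile-based anomaly detection, step 2: flag successful logins that
    deviate from the user's own profile (off-hours or unseen location)."""
    alerts = []
    for r in records:
        if not r["ok"] or r["user"] not in profiles:
            continue  # failures and accounts with no baseline are not profiled
        p = profiles[r["user"]]
        reasons = []
        if r["when"].hour not in p["hours"]:
            reasons.append("off-hours login")
        if r["source"] not in p["sources"]:
            reasons.append("new source location")
        if reasons:
            alerts.append((r["user"], r["when"].isoformat(), ", ".join(reasons)))
    return alerts


# Signature detection: rules describe a known bad event rather than a deviation.
SIGNATURE_RULES = [
    ("successful root login from outside the internal range",
     lambda r: r["ok"] and r["user"] == "root"
     and not r["source"].startswith(INTERNAL_PREFIX)),
]


def signature_alerts(records):
    return [(name, r["when"].isoformat())
            for name, rule in SIGNATURE_RULES for r in records if rule(r)]


def run(log_text=SAMPLE_LOG):
    """Run all three detectors; returns a dict of alert lists."""
    records = parse(log_text)
    training = [r for r in records if r["when"].strftime("%Y-%m-%d") in TRAINING_DAYS]
    analysed = [r for r in records if r["when"].strftime("%Y-%m-%d") not in TRAINING_DAYS]
    return {
        "threshold": threshold_alerts(records),
        "profile": profile_alerts(build_profiles(training), analysed),
        "signature": signature_alerts(analysed),
    }


if __name__ == "__main__":
    for kind, alerts in run().items():
        print(kind, alerts)
```

Each detector catches something the others miss: the threshold rule sees bob's run of failures but says nothing about alice's successful 02:13 login from a new address, which only the per-user profile flags; the root login succeeds on the first try and has no profile at all, so only the signature rule reports it. This is why the slide on IDS types lists both approaches rather than treating them as alternatives.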