network intrusion detection forensics
play

Network Intrusion Detection & Forensics with Bro Matthias - PowerPoint PPT Presentation

Feb 29, 2024 •105 likes •432 views

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

  1. Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016

  2. Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29

  3. Detection vs. Blocking Intrusion Prevention ◮ Inline ◮ Critical Intrusion Detection ◮ Passive ◮ Independent 2 / 29

  4. Deployment Styles Host-based ◮ Scope: single machine ◮ Example: anti-virus (AV), system monitors (e.g., OSSEC) ✓ Access to internal system state (memory, disk, processes) ✓ Easy to block attacks ✗ High management overhead for large fleet of machines ✗ Expensive analysis can decrease performance Network-based ◮ Scope: entire network ◮ Example: Bro, Snort, Suricata ✓ Network-wide vantage-point ✓ Easy to manage, best bang for the buck ✗ Lack of visibility: tunneling, encryption (TLS) ✗ All eggs in one basket 3 / 29

  5. Detection Terminology Alert No Alert True Positive (TP) False Negative (FN) Attack False Positive (FP) True Negative (TN) No Attack 4 / 29

  6. Detection Styles Four main styles 1. Misuse detection 2. Anomaly detection 3. Specification-based detection 4. Behavioral detection 5 / 29

  7. Misuse Detection Goal Detect known attacks via signatures / pattern or black lists Pros ✓ Easy to understand, readily shareable ✓ FPs: management likes warm fuzzy feeling Cons ✗ Polymorphism: unable to detect new attacks or variants ✗ Accuracy: finding sweetspot between FPs and FNs is hard Example Snort, regular expression matching 6 / 29

  8. Anomaly Detection Goal Flag deviations from a known profile of “normal” Pros ✓ Detect wide range of attacks ✓ Detect novel attacks Cons ✗ High FP rate ✗ Efficacy depends on training data purity Example Look at distribution of characters in URLs, learn some are rare 7 / 29

  9. Specification-Based Detection Goal Describe what constitutes allowed activity via policy or white list Pros ✓ Can detect novel attacks ✓ Can have low FPs Cons ✗ Expensive: requires significant development ✗ Churn: must be kept up to date Example Firewall 8 / 29

  10. Behavioral Detection Goal Look for evidence of compromise, rather than the attack itself Pros ✓ Works well when attack is hard to describe ✓ Finds novel attacks, cheap to detect, and low FPs Cons ✗ Misses unsuccessful attempts ✗ Might be too late to take action Example unset $HISTFILE 9 / 29

  11. Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 9 / 29

  12. Broverview History ◮ Created by Vern Paxson, 1996 ◮ Since then monitors the border of LBNL ◮ At the time, difficult to use, expert NIDS Today ◮ Much easier to use than 10 years ago ◮ Established open-source project, backed by Free Software Consortium ◮ Widely used in industry and academia ◮ General-purpose tool for network analysis ◮ “The scripting language for your network” ◮ Supports all major detection styles ◮ Produces a wealth of actionable logs by default 10 / 29

  13. The Bro Network Security Monitor Architecture ◮ Real-time network analysis framework User Interface ◮ Policy-neutral at the core Logs Notifications ◮ Highly stateful Script Interpreter Key components Events 1. Event engine ◮ TCP stream reassembly Event Engine ◮ Protocol analysis ◮ Policy-neutral Packets 2. Script interpreter ◮ Construct & generate logs Network ◮ Apply site policy ◮ Raise alarms 11 / 29

  14. TCP Reassembly in Bro Abstraction: from packets to byte streams ◮ Elevate packet data into byte streams ◮ Separate for connection originator and responder ◮ Passive TCP state machine: mimic endpoint semantics Originator Responder Connection 1 Connection 2 ... IP packets 12 / 29

  15. Bro’s Event Engine http_request, smtp_reply, ssl_certificate Messages Application Byte stream Transport new_connection, udp_request Packets (Inter)Network new_packet, packet_contents Frames Link arp_request, arp_reply Bro event and data model ◮ Rich-typed : first-class networking types ( addr , port , . . . ) ◮ Deep : across the whole network stack ◮ Fine-grained : detailed protocol-level information ◮ Expressive : nested data with container types (aka. semi-structured) 13 / 29

  16. Bro Logs Events → Scripts → Logs ◮ Policy-neutral by default: no notion of good or bad ◮ Forensic investigations highly benefit from unbiased information ◮ Hence no use of the term “alert” → NOTICE instead ◮ Flexible output formats: 1. ASCII 2. Binary (coming soon) 3. Custom 14 / 29

  17. Log Example conn.log #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path conn #open 2016-01-06-15-28-58 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_.. #types time string addr port addr port enum string interval count count string bool bool count string 1258531.. Cz7SRx3.. 192.168.1.102 68 192.168.1.1 67 udp dhcp 0.163820 301 300 SF - - 0 Dd 1 329 1 328 (empty) 1258531.. CTeURV1.. 192.168.1.103 137 192.168.1.255 137 udp dns 3.780125 350 0 S0 - - 0 D 7 546 0 0 (empty) 1258531.. CUAVTq1.. 192.168.1.102 137 192.168.1.255 137 udp dns 3.748647 350 0 S0 - - 0 D 7 546 0 0 (empty) 1258531.. CYoxAZ2.. 192.168.1.103 138 192.168.1.255 138 udp - 46.725380 560 0 S0 - - 0 D 3 644 0 0 (empty) 1258531.. CvabDq2.. 192.168.1.102 138 192.168.1.255 138 udp - 2.248589 348 0 S0 - - 0 D 2 404 0 0 (empty) 1258531.. CViJEOm.. 192.168.1.104 137 192.168.1.255 137 udp dns 3.748893 350 0 S0 - - 0 D 7 546 0 0 (empty) 1258531.. CSC2Hd4.. 192.168.1.104 138 192.168.1.255 138 udp - 59.052898 549 0 S0 - - 0 D 3 633 0 0 (empty) 1258531.. Cd3RNm1.. 192.168.1.103 68 192.168.1.1 67 udp dhcp 0.044779 303 300 SF - - 0 Dd 1 331 1 328 (empty) 1258531.. CEwuIl2.. 192.168.1.102 138 192.168.1.255 138 udp - - - - S0 - - 0 D 1 229 0 0 (empty) 1258532.. CXxLc94.. 192.168.1.104 68 192.168.1.1 67 udp dhcp 0.002103 311 300 SF - - 0 Dd 1 339 1 328 (empty) 1258532.. CIFDQJV.. 192.168.1.102 1170 192.168.1.1 53 udp dns 0.068511 36 215 SF - - 0 Dd 1 64 1 243 (empty) 1258532.. CXFISh5.. 192.168.1.104 1174 192.168.1.1 53 udp dns 0.170962 36 215 SF - - 0 Dd 1 64 1 243 (empty) 1258532.. CQJw4C3.. 192.168.1.1 5353 224.0.0.251 5353 udp dns 0.100381 273 0 S0 - - 0 D 2 329 0 0 (empty) 1258532.. ClfEd43.. fe80::219:e3ff:fee7:5d23 5353 ff02::fb 5353 udp dns 0.100371 273 0 S0 - - 0 D 2 369 0 0 1258532.. C67zf02.. 192.168.1.103 137 192.168.1.255 137 udp dns 3.873818 350 0 S0 - - 0 D 7 546 0 0 (empty) 1258532.. CG1FKF1.. 192.168.1.102 137 192.168.1.255 137 udp dns 3.748891 350 0 S0 - - 0 D 7 546 0 0 (empty) 1258532.. CNFkeF2.. 192.168.1.103 138 192.168.1.255 138 udp - 2.257840 348 0 S0 - - 0 D 2 404 0 0 (empty) 1258532.. Cq4eis4.. 192.168.1.102 1173 192.168.1.1 53 udp dns 0.000267 33 497 SF - - 0 Dd 1 61 1 525 (empty) 1258532.. CHpqv31.. 192.168.1.102 138 192.168.1.255 138 udp - 2.248843 348 0 S0 - - 0 D 2 404 0 0 (empty) 1258532.. CFoJjT3.. 192.168.1.1 5353 224.0.0.251 5353 udp dns 0.099824 273 0 S0 - - 0 D 2 329 0 0 (empty) 1258532.. Cc3Ayyz.. fe80::219:e3ff:fee7:5d23 5353 ff02::fb 5353 udp dns 0.099813 273 0 S0 - - 0 D 2 369 0 0 15 / 29

  18. Example: Matching URLs Example event http_request(c: connection, method: string , path: string ) { if (method == "GET" && path == "/etc/passwd") NOTICE(SensitiveURL, c, path); } 16 / 29

  19. Example: Tracking SSH Hosts Example global ssh_hosts: set [ addr ]; event connection_established(c: connection) { local responder = c$id$resp_h; # Responder's address local service = c$id$resp_p; # Responder's port if (service != 22/tcp) return ; # Not SSH. if (responder in ssh_hosts) return ; # We already know this one. add ssh_hosts[responder]; # Found a new host. print "New SSH host found", responder; } 17 / 29

  20. Example: Kaminsky Attack 1. Issue: vulnerable resolvers do not randomize DNS source ports 2. Identify relevant data: DNS, resolver address, UDP source port 3. Jot down your analysis ideas: ◮ “For each resolver, no connection should reuse the same source port” ◮ “For each resolver, connections should use random source ports” 4. Express analysis: ◮ “Count the number of unique source ports per resolver” 5. Use your toolbox: ◮ bro-cut id.resp_p id.orig_h id.orig_p < dns.log \ | awk '$1 == 53 { print $2, $3 }' \ # Basic DNS only | sort | uniq -d \ # Duplicate source ports | awk '{ print $1 }' | uniq # Extract unique hosts 6. Know your limitations: ◮ No measure of PRNG quality (Diehard tests, Martin-Löf randomness) ◮ Port reuse occurs eventually → false positives 7. Close the loop: write a Bro script that does the same 18 / 29

  21. Example: Kaminsky Attack Detector Example const local_resolvers = { 7.7.7.7, 7.7.7.8 } global ports: table [ addr ] of set [ port ] & create_expire =1hr; event dns_request(c: connection, ...) { local resolver = c$id$orig_h; # Extract source IP address. if (resolver ! in local_resolvers) return ; # Do not consider user DNS requests. local src_port = c$id$orig_p; # Extract source port. if (src_port ! in ports[resolver]) { add ports[resolver][src_port]: return ; } # If we reach this point, we have a duplicate source port. NOTICE(...); } 19 / 29

  22. Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 19 / 29

  23. Your Turn! 20 / 29

  24. Ready, Set, Go! Running Bro Run Bro on the 2009-M57-day11-18 trace. Solution cd /tmp/berke1337 wget http://bit.ly/m57-trace zcat 2009-M57-day11-18.trace.gz | bro -r - 21 / 29

Recommend

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald Tripp www.kent.ac.uk Network intrusion detection Network intrusion detection systems are provided to detect the presence of various security

260 views • 12 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

585 views • 30 slides
Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection Systems Signature Based IDS Monitor packets on the network Compare them against database of signatures/attributes from known threats

476 views • 26 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Network Intrusion Detection Using Neural Networks on FPGA SoCs Lenos Ioannou and Suhaib A. Fahmy

Network Intrusion Detection Using Neural Networks on FPGA SoCs Lenos Ioannou and Suhaib A. Fahmy

Network Intrusion Detection Using Neural Networks on FPGA SoCs Lenos Ioannou and Suhaib A. Fahmy School of Engineering, University of Warwick, UK Introduction Mainstream approaches in intrusion detection do not scale well to the embedded

936 views • 7 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some

Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some

Network Security: Intrusion Detection Seungwon Shin, KAIST most slides from Dr. Guofei Gu Some Definition Intrusion A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability, of a computing and

814 views • 29 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
Outline Intrusion detection systems Malware and the network CSci 5271 Announcements

Outline Intrusion detection systems Malware and the network CSci 5271 Announcements

Outline Intrusion detection systems Malware and the network CSci 5271 Announcements intermission Introduction to Computer Security Middlebox, malware, anonymity combined slides Denial of service and the network Anonymous communications

253 views • 11 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Jaal: Towards Network Intrusion Detection at ISP Scale A. Aqil, K. Khalil , A. Atya, E.

Jaal: Towards Network Intrusion Detection at ISP Scale A. Aqil, K. Khalil , A. Atya, E.

Jaal: Towards Network Intrusion Detection at ISP Scale A. Aqil, K. Khalil , A. Atya, E. Paplexakis, University of California S. Krishnamurthy, KK. Ramakrishnan Riverside T. Jaeger Penn State University P. Yu, A. Swami US Army Research Lab 1

533 views • 18 slides
Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 11 Page 1 CS 236 Online Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection

143 views • 12 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias

The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias Vallentin 1 , Robin Sommer 2,3, Jason Lee 2 , Craig Leres 2 Vern Paxson 3,2 , and Brian Tierney 2 1 TU Mnchen 2 Lawrence Berkeley National

409 views • 25 slides
Memristor Based Autoencoder for Unsupervised Real-Time Network Intrusion and Anomaly Detection

Memristor Based Autoencoder for Unsupervised Real-Time Network Intrusion and Anomaly Detection

Memristor Based Autoencoder for Unsupervised Real-Time Network Intrusion and Anomaly Detection Md. Shahanur Alam, B. Rasitha Fernando, Yassine Jaoudi, Chris Yakopcic, Raqibul Hasan, Tarek M. Taha, and Guru Subramanyam Dept. Of Electrical and

428 views • 19 slides
The Bro Network Intrusion Detection System Robin Sommer Lawrence Berkeley National Laboratory

The Bro Network Intrusion Detection System Robin Sommer Lawrence Berkeley National Laboratory

The Bro Network Intrusion Detection System Robin Sommer Lawrence Berkeley National Laboratory rsommer@lbl.gov http://www.icir.org UC Computing Services Conference 2007 Outline Design of the Bro NIDS Philosophy Architecture

1.14k views • 39 slides
Network Traffic Analysis and Intrusion Detection using Packet Sniffer Guanqun Wang Supervisor:

Network Traffic Analysis and Intrusion Detection using Packet Sniffer Guanqun Wang Supervisor:

Network Traffic Analysis and Intrusion Detection using Packet Sniffer Guanqun Wang Supervisor: Prof. Nirmalya Roy Introduction The paper is from 2010 Second International Conference on Communication Software and Networks; Basic

517 views • 15 slides
Speeding Up Network Intrusion Detection Joo Romeiras Amado, Salvatore Signorello, Miguel Pupo

Speeding Up Network Intrusion Detection Joo Romeiras Amado, Salvatore Signorello, Miguel Pupo

Speeding Up Network Intrusion Detection Joo Romeiras Amado, Salvatore Signorello, Miguel Pupo Correia, Fernando Ramos Instituto Superior Tcnico, Universidade de Lisboa Faculdade de Cincias, Universidade de Lisboa 1 Short-lived network

297 views • 15 slides

More recommend