Intrusion Detection
CS 239 Computer Software, Winter 2005
March 9, 2005
Lecture 15

Outline
• Introduction
• Characteristics of intrusion detection systems
• Some sample intrusion detection systems

Introduction
• Many mechanisms exist for protecting systems from intruders
– Access control, firewalls, authentication, etc.
• They all have one common characteristic:
– They don't always work

Intrusion Detection
• Work from the assumption that sooner or later your security measures will fail
• Try to detect the improper behavior of the intruder who has defeated your security
• Inform the system or the system administrators so they can take action

Why Intrusion Detection?
• If we can detect bad things, can't we simply prevent them?
• Possibly not:
– Prevention may be too expensive
– The bad thing may involve many separate operations, each harmless on its own
– It may involve things we didn't foresee

For Example,
• Your intrusion detection system regards setting the setuid bit on root-owned executables as suspicious
– Yet the system must allow the system administrator to do so
• If the system detects several such events, it becomes suspicious
– And reports the problem
Couldn't the System Just Have Stopped This?
• Perhaps, but:
• The real problem was that someone got root access
– The changing of setuid bits was just a symptom
• And under some circumstances the behavior is legitimate

Intrusions
• "any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource" [1]
• Which covers a lot of ground
– Implying they're hard to stop

[1] Heady, Luger, Maccabe, and Servilla, "The Architecture of a Network Level Intrusion Detection System," Tech Report, U. of New Mexico, 1990.

Is Intrusion Really a Problem?
• Is intrusion detection worth the trouble?
• Yes, at least for some installations
• Consider the experience of NetRanger intrusion detection users

The NetRanger Data
• Gathered during 5 months of 1997
• From all of NetRanger's licensed customers
• A reliable figure, since the software reports incidents to the company

NetRanger's Results
• 556,464 security alarms in 5 months
• Some serious, some not
– "Serious" defined as attempting to gain unauthorized access
• For NetRanger customers, serious attacks occurred 0.5 to 5 times per month
– Electronic commerce sites hit most

Kinds of Attacks Seen
• Often occurred in waves
– When someone published code for a particular attack, it happened a lot
– Because of "script kiddies"
• 100% of web attacks were on web commerce sites
Where Did Attacks Come From?
• Just about everywhere
• 48% from ISPs
• But also attacks from major companies, business partners, government sites, universities, etc.
• 39% from outside the US
– Only based on IP address, though, which an attacker can route through or spoof

Kinds of Intrusions
• External intrusions
• Internal intrusions

External Intrusions
• What most people think of
• An unauthorized (usually remote) user trying to illicitly access your system
• Using various security vulnerabilities to break in
• The typical case of a hacker attack

Internal Intrusions
• An authorized user trying to gain privileges beyond those he is entitled to
• No longer the majority of problems
– But often the most serious ones
• More dangerous, because insiders have a foothold and know more

Basics of Intrusion Detection
• Watch what's going on in the system
• Try to detect behavior that characterizes intruders
• While avoiding improper detection of legitimate access
• Hopefully all at a reasonable cost

Intrusion Detection and Logging
• A natural match
• The intrusion detection system examines the log
– Which is being kept, anyway
• Secondary benefit: the intrusion detection system can also reduce the log to the events worth keeping
On-Line Vs. Off-Line Intrusion Detection
• Intrusion detection mechanisms can be complicated and heavyweight
• Perhaps better to run them off-line
– E.g., at nighttime, over the day's logs
• Disadvantage is that you don't catch intrusions as they happen

Failures In Intrusion Detection
• False positives
– Legitimate activity identified as an intrusion
• False negatives
– An intrusion not noticed
• Subversion errors
– Attacks on the intrusion detection system itself

Desired Characteristics in Intrusion Detection
• Continuously running
• Fault tolerant
• Subversion resistant
• Minimal overhead
• Must observe deviations
• Easily tailorable
• Evolving
• Difficult to fool

Host Intrusion Detection
• Run the intrusion detection system on a single computer
• Look for problems only on that computer
• Often by examining the logs of the computer

Advantages of the Host Approach
• Lots of information to work with
• Only need to deal with problems on one machine
• Can get information in readily understandable form

Network Intrusion Detection
• Do the same for a local (or wide) area network
• Either by using distributed systems techniques
• Or (more commonly) by sniffing network traffic
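The setuid example (slides "For Example," and "Couldn't the System Just Have Stopped This?") and the false positive / false negative failure modes above, carried into code as an added example that is not part of the lecture: a host-based detector that reads audit-style chmod records, counts setuid-bit changes on root-owned files per user inside a sliding time window, and alerts once a threshold is reached; a second function scores the detector against labelled ground truth so the trade-off between false positives and false negatives at different thresholds is visible. The log line format, the sample records, the uids and the ground truth are all constructed for the illustration.

```python
"""Host-based misuse detection for the lecture's setuid example.

Added example, not lecture code.  The audit record format is hypothetical:
  "<epoch> chmod uid=<actor> owner=<file owner> mode=<octal> path=<file>"
"""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(
    r"^(?P<ts>\d+) chmod uid=(?P<uid>\d+) owner=(?P<owner>\d+) "
    r"mode=(?P<mode>[0-7]{4}) path=(?P<path>\S+)$"
)
SETUID_BIT = 0o4000

# Constructed sample log: uid 1000 is the administrator making one
# legitimate change; uid 1001 is a compromised account planting setuid
# binaries in a burst.  The last two lines exercise the "ignore" paths
# (file not owned by root; line that is not a chmod record at all).
SAMPLE_LOG = [
    "1000 chmod uid=1000 owner=0 mode=4755 path=/usr/bin/passwd",
    "1500 chmod uid=1001 owner=0 mode=4755 path=/tmp/.sh",
    "1510 chmod uid=1001 owner=0 mode=4755 path=/usr/bin/find",
    "1520 chmod uid=1001 owner=0 mode=4755 path=/usr/bin/vim",
    "1530 chmod uid=1001 owner=1001 mode=4755 path=/home/bob/x",
    "this line is not a chmod record",
]
KNOWN_INTRUDERS = {1001}   # constructed ground truth used by evaluate()


def parse(line):
    """Return a dict for a well-formed chmod record, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("ts", "uid", "owner"):
        rec[key] = int(rec[key])
    rec["mode"] = int(rec["mode"], 8)
    return rec


def is_root_setuid(rec):
    """The suspicious primitive: setuid bit set on a root-owned file."""
    return rec["owner"] == 0 and bool(rec["mode"] & SETUID_BIT)


def detect(lines, threshold=3, window=60):
    """Return [(ts, uid)]: uid made `threshold` root-setuid changes within
    `window` seconds.  One alert per burst, then the window is reset."""
    recent = defaultdict(deque)      # uid -> timestamps still inside the window
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or not is_root_setuid(rec):
            continue
        q = recent[rec["uid"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((rec["ts"], rec["uid"]))
            q.clear()
    return alerts


def evaluate(lines, intruders, threshold, window=60):
    """(false_positives, false_negatives) counted per uid: a uid alerted on
    that is not an intruder is a false positive; an intruder never alerted
    on is a false negative."""
    alerted = {uid for _, uid in detect(lines, threshold, window)}
    return len(alerted - intruders), len(intruders - alerted)


def threshold_sweep(lines, intruders, thresholds=(1, 2, 3, 5), window=60):
    """Map threshold -> (fp, fn) so the trade-off is visible at a glance."""
    return {t: evaluate(lines, intruders, t, window) for t in thresholds}


if __name__ == "__main__":
    for t, (fp, fn) in threshold_sweep(SAMPLE_LOG, KNOWN_INTRUDERS).items():
        print(f"threshold={t}: false positives={fp}, false negatives={fn}")
```

With a threshold of 1 the administrator's single legitimate change is reported (a false positive); with a threshold of 5 the intruder's burst of three is missed (a false negative); thresholds of 2 or 3 catch the burst without flagging the administrator on this log. The detector still only sees the symptom the lecture describes: it reports the setuid changes, not the root compromise that made them possible.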
Advantages of the Network Approach
• Need not use up any resources on users' machines
• Easier to properly configure for large installations
• Can observe things affecting multiple machines

Network Intrusion Detection and Data Volume
• Lots of information passes on the network
• If you grab it all, you will produce vast amounts of data
• Which will require vast amounts of time to process

Network Intrusion Detection and Sensors
• Use programs called sensors to grab only relevant data
• Sensors quickly examine network traffic
– Record the relevant stuff
– Discard the rest
• If you design sensors right, this greatly reduces the problem of data volume

Styles of Intrusion Detection
• Misuse intrusion detection
– Try to detect things known to be bad
• Anomaly intrusion detection
– Try to detect deviations from normal behavior
• Specification intrusion detection
– Try to detect deviations from defined "good states"

Misuse Detection
• Determine what actions are undesirable
• Watch for those to occur
• Signal an alert when they happen
• Often referred to as signature detection

Level of Misuse Detection
• Could look for specific attacks
– E.g., SYN floods or IP spoofing
• But that only detects already-known attacks
• Better to also look for known suspicious behavior
– Like trying to become root
– Or changing file permissions
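The sensor idea and the signature-style rules above, as an added example that is not from the lecture and not any product's code: a sensor reduces a packet stream to the few fields the rules need and drops everything else, then a SYN-flood signature and an IP-spoofing signature run over the reduced events. The packet tuple layout, the interface names "ext" and "int", the 10.0.0.0/8 internal range, the addresses and the capture itself are all constructed for the illustration.

```python
"""Network sensor plus two misuse signatures (SYN flood, spoofed source).

Added example, not lecture or product code.  Packet records are
constructed tuples: (timestamp, interface, src_ip, dst_ip, dst_port, flags)
where flags is a string of TCP flag letters ("S", "SA", "A", "PA").
"""
import ipaddress
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed site addressing

# Constructed capture: 50 half-open SYNs from one host in half a second,
# one normal three-way handshake followed by 20 data packets, and a packet
# on the external interface that claims an internal source address.
PACKETS = (
    [(i * 0.01, "ext", "203.0.113.7", "10.0.0.5", 80, "S") for i in range(50)]
    + [
        (1.0, "ext", "198.51.100.2", "10.0.0.5", 80, "S"),
        (1.1, "int", "10.0.0.5", "198.51.100.2", 40000, "SA"),
        (1.2, "ext", "198.51.100.2", "10.0.0.5", 80, "A"),
    ]
    + [(1.3 + i * 0.01, "ext", "198.51.100.2", "10.0.0.5", 80, "PA") for i in range(20)]
    + [
        (2.0, "ext", "10.0.0.9", "10.0.0.5", 22, "S"),   # spoofed: internal address from outside
        (3.0, "int", "10.0.0.9", "10.0.0.5", 22, "S"),   # same address seen inside: fine
    ]
)


def sensor(packets):
    """Keep only SYN-without-ACK packets, and only the fields the rules
    need; everything else is discarded before it is stored or analysed."""
    for ts, iface, src, dst, dport, flags in packets:
        if "S" in flags and "A" not in flags:
            yield (ts, iface, src, dst, dport)


def syn_flood_rule(events, threshold=20, window=1.0):
    """Signature: at least `threshold` SYNs from one source to one
    destination inside a fixed `window`-second bucket."""
    buckets = Counter((src, dst, int(ts // window)) for ts, _if, src, dst, _p in events)
    return {(src, dst) for (src, dst, _b), n in buckets.items() if n >= threshold}


def spoof_rule(events):
    """Signature: a packet on the external interface whose source address
    belongs to the internal range cannot be legitimate at this site."""
    return {
        src
        for _ts, iface, src, _dst, _p in events
        if iface == "ext" and any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS)
    }


def run(packets, threshold=20, window=1.0):
    """Run the sensor, then both rules over the reduced event stream."""
    packets = list(packets)
    events = list(sensor(packets))
    return {
        "packets_seen": len(packets),
        "events_kept": len(events),
        "syn_flood": syn_flood_rule(events, threshold, window),
        "spoofed_source": spoof_rule(events),
    }


if __name__ == "__main__":
    for key, value in run(PACKETS).items():
        print(f"{key}: {value}")
```

Both rules are pure signature checks: they fire on the two attacks they were written for and on nothing else, which is the strength and the limitation of misuse detection. The sensor's filter is the lever for data volume: here it keeps 53 of 75 packets because the capture is mostly SYNs, but on ordinary traffic, where data segments dominate, the same filter discards most of the stream before anything is stored.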
Pluses and Minuses of Misuse Detection
+ Few false positives
+ Simple technology
+ Hard to fool
– Only detects known problems
– Gradually becomes less useful if not updated
– Sometimes signatures are hard to generate

How Is Misuse Detected?
• By examining logs
– Only works after the fact
• By monitoring system activities
– Often hard to trap what you need to see
• By scanning the state of the system
– Can't trap actions that don't leave traces
• By sniffing the network
– For network intrusion detection systems

Misuse Detection and Commercial Systems
• Essentially all commercial intrusion detection systems detect misuse
– Primarily using signatures of attacks
• Many of these systems are very similar
– With only different details
• Differentiated primarily by the quality of their signature library
– How large, how quickly updated

Anomaly Detection
• Misuse detection can only detect known problems
• And many potential misuses can also be perfectly legitimate
• Anomaly detection instead builds a model of valid behavior
– And watches for deviations

Pluses and Minuses of Anomaly Detection
+ Can detect previously unknown attacks
– Hard to identify and diagnose the nature of attacks
– Unless careful, may be prone to many false positives
– Depending on method, can be expensive and complex

Methods of Anomaly Detection
• Statistical models
– User behavior
– Program behavior
– Overall system/network behavior
• Expert systems
• Misuse detection and anomaly detection sometimes blur together
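Anomaly detection with a statistical model of user behavior, as an added example that is not part of the lecture: a per-user profile of which commands are run at which hours is built from a training log assumed to be intrusion-free, new records are scored by how surprising they are under that profile, and each user's alert threshold is the most surprising record in their own training data. The log format, the user names, the commands and the working hours are all constructed for the illustration.

```python
"""Statistical anomaly detection over a per-user command/hour profile.

Added example, not lecture code.  Log lines are constructed as
"<user> <hour-of-day> <command>".
"""
import math
from collections import Counter, defaultdict


def build_training_log():
    """Constructed, assumed-clean training data: alice works 09-17 and runs
    ls/vi/make with an occasional git; bob works 08-16 with mail/ls."""
    lines = []
    for h in range(9, 18):
        lines += [f"alice {h} ls", f"alice {h} ls", f"alice {h} vi", f"alice {h} make"]
    lines += ["alice 9 git", "alice 17 git"]
    for h in range(8, 17):
        lines += [f"bob {h} mail", f"bob {h} ls"]
    return lines


def parse(line):
    user, hour, cmd = line.split()
    return user, int(hour), cmd


class UserProfile:
    """Counts of commands and of active hours for one user."""

    def __init__(self):
        self.cmds = Counter()
        self.hours = Counter()
        self.n = 0
        self.threshold = 0.0

    def observe(self, hour, cmd):
        self.cmds[cmd] += 1
        self.hours[hour] += 1
        self.n += 1

    def surprise(self, hour, cmd, vocab, alpha=1.0):
        """Negative log-likelihood in bits of (hour, cmd) under the profile,
        Laplace-smoothed so an unseen command or hour gets a small non-zero
        probability rather than a division by zero."""
        p_cmd = (self.cmds[cmd] + alpha) / (self.n + alpha * vocab)
        p_hour = (self.hours[hour] + alpha) / (self.n + alpha * 24)
        return -math.log2(p_cmd) - math.log2(p_hour)


class AnomalyDetector:
    def __init__(self, train_lines):
        records = [parse(line) for line in train_lines]
        self.vocab = len({cmd for _, _, cmd in records}) + 1   # +1 slot for "never seen"
        self.profiles = defaultdict(UserProfile)
        for user, hour, cmd in records:
            self.profiles[user].observe(hour, cmd)
        # Per-user alert threshold: the most surprising record in that
        # user's own training data.  Anything stranger than that is flagged.
        for user, prof in self.profiles.items():
            prof.threshold = max(
                prof.surprise(h, c, self.vocab) for u, h, c in records if u == user
            )

    def score(self, line):
        """Return (line, surprise_bits, is_anomaly)."""
        user, hour, cmd = parse(line)
        prof = self.profiles.get(user)
        if prof is None:                  # no model for this user at all
            return line, math.inf, True
        s = prof.surprise(hour, cmd, self.vocab)
        return line, s, s > prof.threshold


if __name__ == "__main__":
    det = AnomalyDetector(build_training_log())
    for line in ["alice 10 ls", "alice 3 su", "bob 12 vi", "mallory 12 ls"]:
        print(det.score(line))
```

Two things in the output match the slides. "bob 12 vi" is flagged although vi is routine for alice: the same action is legitimate for one user and anomalous for another, which is why a per-user model is needed and why misuse signatures alone produce false positives. "alice 3 su" is flagged by the model and would also match a misuse rule for "trying to become root", the blurring of the two approaches the last slide mentions. The threshold comes from the training data, so the model is only as good as the assumption that the training period contained no intrusion; an attacker who was already active while the profile was built is baked into "normal".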