Lec 8.pptx
CYB236 Chapter 7

Lecture Objectives
- Intrusion concept
- Types of IDS attacks and behaviors
- IDS and its functions
- IDS basic components and requirements
- IDS classification and techniques
- Specification-based intrusion detection
- IDS exchange format

What is an intrusion?
An intrusion can be defined as "any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource".

Intruders
- Insider: abuse by a person with authorized access to the system.
- Hacker: attacks via communication links (e.g. the Internet). Generally referred to as a hacker or cracker.
- Cracker: malicious software (malware, Trojan horse, virus) that attacks the system by running on it.
- Insider classes: three classes are identified.

Intruder Classes (three classes)
- Masquerader: an individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
- Misfeasor: a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
- Clandestine user: an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

Intruder Examples
- remote root compromise
- web server defacement
- guessing / cracking passwords
- copying databases containing credit card numbers
- viewing sensitive data without authorization
- running a packet sniffer
- distributing pirated software
- using an unsecured modem to access the internal network
- impersonating an executive to get information
- using an unattended workstation

Intruder Examples (continued)
- Virus
- Buffer overflows, e.g. the 2000 Outlook Express vulnerability
- Denial of Service (DoS): an explicit attempt by attackers to prevent legitimate users of a service from using that service
- Address spoofing: a malicious user uses a fake IP address to send malicious packets to a target
- Many others

Hackers
- motivated by the thrill of access and/or status
  – the hacking community is a strong meritocracy
  – status is determined by level of competence
- benign intruders still consume resources and slow performance for legitimate users
- intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) counter hacker threats
  – can restrict remote logons to specific IP addresses
  – can use virtual private network (VPN) technology
- the intruder problem led to the establishment of computer

Hacker Patterns of Behavior

Criminals
- organized groups of hackers are now a threat
- corporation / government / loosely affiliated gangs
  – typically young
  – meet in underground forums
  – common target is credit card files on e-commerce servers
- criminal hackers usually have specific targets; once penetrated, they act quickly and get out
- IDS / IPS can be used but are less effective
- sensitive data should be encrypted

Criminal Enterprise Patterns of Behavior

Insider Attacks
- among the most difficult to detect and prevent
- employees have access and systems knowledge
- may be motivated by revenge or entitlement
  – employment was terminated
  – taking customer data when moving to a competitor
- IDS / IPS can be useful, but also need enforcement of least privilege, log monitoring, strong authentication, and a termination process

Internal Threat Patterns of Behavior

Intrusion Detection
- Security Intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
- Intrusion Detection: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.

Intrusion Detection System (IDS)
- Systems that detect attacks on computer systems, but do not prevent them.
Intrusion Detection Systems (IDS)
- Firewalls are typically placed on the network perimeter, protecting against external attacks.
- Firewalls allow traffic only to legitimate hosts and services.
- Traffic to the legitimate hosts/services can still carry attacks.
- Solution? Intrusion Detection Systems: monitor data and behavior, and report when attacks are identified.

IDS Basic Functions
- Monitoring: collect the information from the network.
- Analyzing: determine what, if anything, is of interest.
- Reporting: generate conclusions and otherwise act on the analysis results.

IDS Components
An IDS comprises three logical components:
- Sensors: collect data. The input for a sensor may be any part of a system that could contain evidence of an intrusion. Types of input to a sensor include network packets, log files, and system call traces. Sensors collect and forward this information to the analyzer.
- Analyzers: determine if an intrusion has occurred. Analyzers receive input from one or more sensors or from other analyzers. The analyzer is responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred; it may include evidence supporting the conclusion that an intrusion occurred. The analyzer may provide guidance about what actions to take as a result of the intrusion.
- User interface: enables a user to view output from the system or control the behavior of the system. In some systems, the user interface may equate to a manager, director, or console component.

IDS Requirements
An IDS must:
- Run continually with minimal human supervision.
- Be fault tolerant, in the sense that it must be able to recover from system crashes and re-initializations.
- Resist subversion: the IDS must be able to monitor itself and detect if it has been modified by an attacker.
- Impose a minimal overhead on the system where it is running.
- Be configurable according to the security policies of the system that is being monitored.
- Be able to adapt to changes in system and user behavior over time.
- Be able to scale to monitor a large number of hosts.
- Provide graceful degradation of service, in the sense that if some components of the IDS stop working for any reason, the rest of them should be affected as little as possible.
- Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS without having to restart it.

IDS Classification

Intrusion Detection Systems: Response
- Traditional IDS response tends to be passive.
- Secondary investigation is required because IDS is still imperfect.
- These days, an IDS can be set up to respond to events automatically ("active response").

Active response
- dropping the connection, reconfiguring networking devices (firewalls, routers)
- the alarm investigation resource affects the delay in response, in both active and passive response
- if multiple alarm types are involved, which alarm to investigate is an issue

Passive response
- potential damage cost, resulting from alarmed events not being investigated immediately
- low false alarm costs, since alarmed events are not disrupted

Intrusion Detection Techniques
- signature detection: at the application, transport, and network layers; unexpected application services, policy violations
- anomaly detection: denial of service attacks, scanning, worms
- when a sensor detects a potential violation it sends an alert and logs event-related information
  – used by the analysis module to refine intrusion detection parameters and algorithms
  – security administration can use this information to design prevention techniques

Intrusion Detection Exchange Format

THANKS! Best Regards!
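As an added example (not part of the lecture slides), the Python script below wires the three logical IDS components and the two detection techniques from the slides into one small pipeline: a sensor parses syslog-style auth and web log lines into events, an analyzer applies signature rules and a simple anomaly threshold on failed logins per source address, and the reporting stage emits either passive (record only) or active (block rule) actions. Every log line, rule name, threshold and IP address here is constructed for illustration and does not come from the course material.

```python
"""Minimal sensor -> analyzer -> reporting pipeline (added example, constructed data)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
Jan 10 09:01:02 host sshd[101]: Failed password for root from 203.0.113.5 port 5100 ssh2
Jan 10 09:01:03 host sshd[102]: Failed password for root from 203.0.113.5 port 5101 ssh2
Jan 10 09:01:04 host sshd[103]: Failed password for admin from 203.0.113.5 port 5102 ssh2
Jan 10 09:01:05 host sshd[104]: Failed password for admin from 203.0.113.5 port 5103 ssh2
Jan 10 09:01:06 host sshd[105]: Failed password for guest from 203.0.113.5 port 5104 ssh2
Jan 10 09:01:07 host sshd[106]: Failed password for test from 203.0.113.5 port 5105 ssh2
Jan 10 09:02:00 host sshd[107]: Accepted publickey for alice from 198.51.100.7 port 5200 ssh2
Jan 10 09:03:00 host httpd[200]: GET /index.html 200 from 198.51.100.9
Jan 10 09:03:01 host httpd[201]: GET /../../etc/passwd 404 from 203.0.113.5
Jan 10 09:04:00 host sshd[108]: Failed password for bob from 198.51.100.7 port 5201 ssh2
"""


@dataclass(frozen=True)
class Event:
    ts: str
    proc: str
    msg: str
    src: Optional[str]  # source address, if the line carries one


@dataclass
class Alert:
    technique: str      # "signature" or "anomaly"
    name: str
    src: str
    evidence: List[Event]  # events supporting the conclusion, as the slides require


LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
IP_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")


def sensor(raw: str) -> List[Event]:
    """Sensor: turn raw log text into structured events and forward them."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines the sensor cannot parse are dropped, not guessed
        ip = IP_RE.search(m["msg"])
        events.append(Event(m["ts"], m["proc"], m["msg"], ip.group(1) if ip else None))
    return events


# Signature rules: known-bad patterns (hypothetical rule names).
SIGNATURES = [
    ("root password login attempt", re.compile(r"Failed password for root\b")),
    ("path traversal in request URL", re.compile(r"GET \S*\.\./")),
]


def signature_detect(events: List[Event]) -> List[Alert]:
    """Signature detection: one alert per event matching a known pattern."""
    return [Alert("signature", name, ev.src or "unknown", [ev])
            for ev in events for name, pat in SIGNATURES if pat.search(ev.msg)]


def anomaly_detect(events: List[Event], max_failures: int = 5) -> List[Alert]:
    """Anomaly detection: flag a source whose failed-login count exceeds the baseline."""
    failed = [ev for ev in events if ev.msg.startswith("Failed password") and ev.src]
    counts = Counter(ev.src for ev in failed)
    return [Alert("anomaly", f"{n} failed logins from one source", src,
                  [ev for ev in failed if ev.src == src])
            for src, n in counts.items() if n > max_failures]


def analyzer(events: List[Event]) -> List[Alert]:
    """Analyzer: combine both techniques over the sensor's events."""
    return signature_detect(events) + anomaly_detect(events)


def respond(alerts: List[Alert], active: bool = False) -> List[str]:
    """Reporting: passive mode only records; active mode also produces a block rule."""
    actions = []
    for a in alerts:
        actions.append(f"LOG {a.technique}:{a.name} src={a.src} evidence={len(a.evidence)}")
        if active and a.technique == "anomaly":
            actions.append(f"BLOCK {a.src}")  # e.g. push to firewall; illustrative only
    return actions


def run(raw: str = SAMPLE_LOG, active: bool = False) -> List[str]:
    return respond(analyzer(sensor(raw)), active)


if __name__ == "__main__":
    for action in run(active=True):
        print(action)
```

Running the script prints the active-response actions for the sample log; calling `run()` with the default `active=False` yields the same alerts but no block rule, which is the passive-response trade-off the slides describe: nothing legitimate is disrupted by a false alarm, at the cost of damage accruing until someone investigates. Note that the signature on "Failed password for root" fires on every matching line while the anomaly rule fires once per source, so the two techniques produce different alert volumes for the same traffic.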