Intrusion Detection
Dr. Gregory Vert
Intrusion Detection
• Definition:
– Detection of an attack
• While it is going on
• Shortly after it has occurred
Intrusion Detection
• Goal:
– To thwart the attack
– Conduct forensic investigation
– Minimize damage
– Learn how attack was conducted and improve
system security
Intrusion Detection
• General Theory behind ID
– Actions of normal system processes and users
conform to a pattern that can be defined
mathematically
– Users and processes are not trying to break the
system
– Users and processes have a set of defined
privileges and actions
Intrusion Detection
• In order to do intrusion detection build a system
that monitors for changes in the previous
assumptions
• Example
– 90% of CPU usage occurs between 8 am and 5 pm
– Users don’t usually browse the password files
– More than 3 failed login attempts may be an attack,
because users usually log in successfully on the first try
Intrusion Detection
• Attack tools
– Are how systems are usually attacked
– Are usually a piece of existing software
– Are generally automated, because attackers
• Want volume in an attack
• Want to look at many computers and find the few that
are not secure
• Want the computer to do the bulk of the work of the
attack
Intrusion Detection
• Example of Attack Tool
– Root kits
• Replace existing operating system files
• Sniff passwords and network connections
• Run with root privilege
• E.g. replaced ls, du, netstat, ifconfig (network device
configuration) so the attacker’s files, processes and
connections are not reported
• Run concealed
• Allow access to the hacker through a back door
Intrusion Detection
• Denning
– Hypothesis that exploitation of vulnerabilities
requires abnormal use of existing commands
– Therefore look for abnormality in command
usage on system
– Key idea behind detection
Intrusion Detection
• Intrusion Detection Systems (IDS)
– An automated system that looks for abnormal
patterns in:
• system commands,
• usages
• Volumes
• Access to locations in system
• Failures
Intrusion Detection
• An IDS must be automated because
– System logs contain tons and tons of
information
– Often looking for 5-20 abnormal changes in
5000 lines of data
– Slow attacks even worse to detect because
• Actions happen over extended period of times
• Logs don’t show adjacent sequences of activities
Intrusion Detection
• Good IDS has 4 characteristics (Bishop)
– Detects a wide variety of attacks
• Not as simple as it sounds
• How can you detect an attack if you don’t know
how it works and have never seen one before
• Class Ideas ?
Intrusion Detection
• Good IDSs have 4 characteristics
– Detect attacks in timely fashion
• How fast is fast enough
• Discussion ?
• A real-time IDS consumes processing resources; if it bogs
down the system it is an attack in its own right
– A denial of service attack
Intrusion Detection
• Good IDSs have 4 characteristics
– Must present analysis in a clear simple format
• Problems:
• False Positives
– Thinks an attack is going on when it really is not
• False Negatives
– Does not think an attack is going on when it really is
Intrusion Detection
• Good IDSs have 4 characteristics
– Must be accurate
• The false positive / false negative problem from the previous slide
– We only want to respond to the real stuff because:
• Time consuming
• May lead to actions that damage system without cause
• Draws resources away from dealing with a real attack that
could start as you are investigating
Intrusion Detection
• Three system models for an IDS
– Anomaly detection
– Misuse detection
– Specification detection
• The newest of the three approaches
Intrusion Detection
• Anomaly detection
– Assumes that unexpected behavior is evidence
of an attack
– Compares the observed values of a set of variables
to the values expected from past (normal) behavior
– Reasons that an attack may be in progress when the
observed data does not match the expected data
– Usually done with statistics, but other techniques
can be used as well
Intrusion Detection
• Anomaly Detection
– Threshold approach
• When a variable (or set of variables) exceeds a set level,
declare an attack
• Example variables:
– number of failed logins for a given user id in 10 minutes
– disk usage
– # of packets on port x in time period n
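An added example of the threshold approach (not code from the slides): a sliding-window counter over constructed failed-login log lines that alerts when one user exceeds three failures in ten minutes. The log format and user names are made up for the example; note that the user "carol" spreads her failures 25 minutes apart and is never caught, which is the slow-attack problem raised earlier.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for the example (not real audit data).
SAMPLE_LOG = """\
2024-03-01 09:00:01 sshd: Failed password for alice from 10.0.0.5
2024-03-01 09:00:09 sshd: Accepted password for alice from 10.0.0.5
2024-03-01 09:02:00 sshd: Failed password for bob from 203.0.113.7
2024-03-01 09:03:10 sshd: Failed password for bob from 203.0.113.7
2024-03-01 09:04:20 sshd: Failed password for bob from 203.0.113.7
2024-03-01 09:05:30 sshd: Failed password for bob from 203.0.113.7
2024-03-01 09:20:00 sshd: Failed password for carol from 10.0.0.9
2024-03-01 09:45:00 sshd: Failed password for carol from 10.0.0.9
2024-03-01 10:10:00 sshd: Failed password for carol from 10.0.0.9
2024-03-01 10:35:00 sshd: Failed password for carol from 10.0.0.9
"""


def parse_failed_logins(log_text):
    """Yield (timestamp, user) for every failed-login line in the log."""
    for line in log_text.splitlines():
        if "Failed password for" not in line:
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        user = line.split("Failed password for ")[1].split()[0]
        yield ts, user


def threshold_alerts(log_text, limit=3, window=timedelta(minutes=10)):
    """Sliding-window threshold detector.

    Keeps, per user, the timestamps of failures inside the last `window`
    and raises one alert per user the first time the count exceeds
    `limit`.  Returns a list of (user, timestamp_of_alert).
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, user in parse_failed_logins(log_text):
        q = recent[user]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > limit and user not in alerted:
            alerts.append((user, ts))
            alerted.add(user)
    return alerts


if __name__ == "__main__":
    for user, ts in threshold_alerts(SAMPLE_LOG):
        print(f"ALERT {ts}: {user} exceeded failed-login threshold")
```

Only "bob" (four failures in under four minutes) is reported; "alice" fails once and then succeeds, and "carol" never has more than one failure inside any ten-minute window even though she accumulates four over an hour.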
Anomaly Detection
• Threshold approach problems
– Users have different skill levels
• Example: a non-native English speaker on an English-language
system may mistype more often
• Class ?
– One threshold is generally applied to all users
– The approach can therefore penalize new users by
locking them out of the system
Anomaly Detection
• Statistical Moment Approach
– Instead of setting a fixed threshold, calculate the moments of
each variable from past data:
• Mean (first moment)
• Variance and standard deviation (second moment)
– Look for values that deviate significantly (e.g. several standard
deviations) from these statistics
Anomaly Detection
• Statistical Moment Approach
– Problems
• Data may change over time in unexpected ways
– New users
– Users become smarter
• Need to age the data somehow so the profile tracks how the
system is changing
• How do we do this ?
• Generally a better system than thresholds
• May use an expert system (Haystack, IDES)
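An added example (not from the slides, and not Haystack or IDES code) answering the "how do we age the data?" question: an exponentially weighted mean and variance, where each new sample gets weight alpha and older history decays, so the profile follows gradual change without storing all history. The hourly CPU-usage samples are constructed; a sample is flagged when it lies more than k standard deviations from the profile built from the samples before it.

```python
import math

# Constructed hourly CPU-usage samples (percent) for one host; the spike
# at index 12 is the "attack" the detector should catch.
CPU_SAMPLES = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 15, 12, 88, 14, 13]


class AgedProfile:
    """Exponentially weighted mean/variance of one monitored variable.

    update(x) moves the mean a fraction `alpha` toward x and decays the
    variance by (1 - alpha), so samples from long ago gradually stop
    influencing what the profile considers normal.
    """

    def __init__(self, alpha=0.2):
        self.alpha = alpha
        self.mean = None
        self.var = 0.0

    def update(self, x):
        if self.mean is None:        # first sample seeds the profile
            self.mean = float(x)
            return
        a = self.alpha
        diff = x - self.mean
        self.mean += a * diff
        self.var = (1 - a) * (self.var + a * diff * diff)

    @property
    def std(self):
        return math.sqrt(self.var)


def moment_alerts(samples, k=3.0, alpha=0.2, warmup=5):
    """Flag sample i when |x - mean| > k * std of the profile so far.

    The first `warmup` samples only train the profile.  Flagged samples
    are NOT fed back into the profile, so an attack does not teach the
    detector that the attack is normal.  Returns [(index, value, zscore)].
    """
    profile = AgedProfile(alpha)
    alerts = []
    for i, x in enumerate(samples):
        if i >= warmup and profile.std > 0:
            z = abs(x - profile.mean) / profile.std
            if z > k:
                alerts.append((i, x, round(z, 1)))
                continue
        profile.update(x)
    return alerts


if __name__ == "__main__":
    for i, x, z in moment_alerts(CPU_SAMPLES):
        print(f"sample {i}: value {x} is {z} standard deviations from profile")
```

With k = 3 only the spike at index 12 is reported. Lowering k to 2.5 also flags the benign value 16 at index 5 (about 2.8 standard deviations out), which is the false-positive side of the accuracy trade-off discussed on the earlier slides.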
Anomaly Detection
• State Machine Model
– Series of events occur in regular sequences
– Certain events are more likely to follow other events –
these are the state transitions
– When a low-probability transition occurs, it is
probably anomalous
– Draw: login, cd home dir -> open word processor
– Can be applied to system calls: open, read, write, close
Anomaly Detection
• State Machine
– Problems
• Need to know the events and sequences ahead of
time
• Need training data
• System may change based on addition of new
software
• Can only be run on the computer from which the
training data is derived
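An added example of the state machine model (not from the slides): transition probabilities are learned from constructed system-call traces of a hypothetical program, and a new trace is scored by flagging transitions whose learned probability falls below a cutoff. A transition never seen in training has probability zero and is always reported, which is why the model must be trained on the very host and software mix it will monitor.

```python
from collections import Counter, defaultdict

# Constructed training traces (system calls made by a hypothetical program
# on one host).  These are made up for the example.
TRAINING_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "write", "close"],
    ["open", "read", "close"],
]


class TransitionModel:
    """First-order model: P(next event | current event) from training data."""

    START, END = "START", "END"

    def __init__(self, traces):
        counts = defaultdict(Counter)
        for trace in traces:
            seq = [self.START] + list(trace) + [self.END]
            for a, b in zip(seq, seq[1:]):
                counts[a][b] += 1
        self.prob = {
            a: {b: n / sum(c.values()) for b, n in c.items()}
            for a, c in counts.items()
        }

    def transition_prob(self, a, b):
        """Probability of event b following event a (0.0 if never seen)."""
        return self.prob.get(a, {}).get(b, 0.0)

    def anomalies(self, trace, threshold=0.05):
        """Return (prev, next, prob) for every transition below threshold."""
        seq = [self.START] + list(trace) + [self.END]
        return [
            (a, b, self.transition_prob(a, b))
            for a, b in zip(seq, seq[1:])
            if self.transition_prob(a, b) < threshold
        ]


if __name__ == "__main__":
    model = TransitionModel(TRAINING_TRACES)
    # A trace containing an execve the program never made in training.
    print(model.anomalies(["open", "read", "execve", "close"]))
```

The normal trace open, read, write, close produces no anomalies, while a trace that inserts execve after read is reported twice: once for read -> execve and once for execve -> close, both unseen in training.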
Anomaly Detection
• What features and data variables to watch is
critical in the success of AD
• Frank demonstrated that selection of the “best”
features for a network activity classification
program could be based on eliminating features
based on the error rate they induce in classification
of activity
– He found that about 5 features were right for his study
Anomaly Detection
• Generally assumes a Gaussian distribution
– A bell curve that shows what is normal
• Some systems may cluster data by related values
such as “read time” for a file and “cpu usage” for
the read
– Outliers – values that don’t fit into a cluster then can be
an attack
– Draw
Misuse Detection
• The term originally meant an attack by an insider who
has authorized access; in IDS usage it means rule-based
(signature) detection
• Is rule based
• Looks for sequences of commands that are known to
violate policy
• Example
Misuse Detection
• Rules are placed into a rule set
• The IDS processes the rules against system logs,
looking for violations of the rules
• Often involves an expert system, because rules
can be ambiguous
Misuse Detection
• Can’t detect attacks that are unknown
– the attack’s sequence of rule violations is not
known
• Systems can be enhanced to make them
adaptive, e.g. via Petri nets
Misuse Detection
• IDIOT – Kumar and Spafford, uses colored Petri nets
• Defines
– events – a change in system state
• an audit record is the record of the event
– transitions from one state to another on an event
– transitions may have tests (guards) that check for the
existence of variables in certain states and / or make
assignments
– Can have separate transition branches that merge
– Draw
Misuse Detection
• IDIOT classified attacks by categories:
– existence – attack creates a file
– sequence – attack causes several events to
occur sequentially
– partial order – attack causes two or more
sequences of events that form an ordering over
time
– interval – two events occur exactly n units of
time apart
Misuse Detection
• IDIOT
– monitors audit trail logs
– STAT is a similar system
• Ilgun
• No guards
• uses state tables
• looks at sequences of commands that, e.g., obtain a
forbidden privilege
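An added example serving the rule-set and the IDIOT/STAT slides (not code from either system): a small signature matcher in the spirit of IDIOT’s guarded transitions, run over constructed audit records. Each step of a signature is a guard function that tests an event against the variables bound so far and binds new ones; a `max_span` gives an interval constraint between the first and last event. The audit records, field names, and the "copy a shell, make it setuid, execute it" sequence are all constructed for the illustration.

```python
# Constructed audit-trail records (not from any real audit system).
# Fields: t = seconds, user, ev = operation, plus operation-specific args.
AUDIT = [
    {"t": 100, "user": "mallory", "ev": "cp",    "src": "/bin/sh", "dst": "/tmp/x"},
    {"t": 101, "user": "alice",   "ev": "chmod", "path": "/home/alice/notes", "mode": "0644"},
    {"t": 130, "user": "mallory", "ev": "chmod", "path": "/tmp/x", "mode": "4755"},
    {"t": 131, "user": "mallory", "ev": "exec",  "path": "/tmp/x"},
]


class Signature:
    """An ordered list of guards; each guard(event, binds) returns the
    updated binds dict when the event satisfies the step, else None.
    max_span (seconds) is an interval constraint from first to last step."""

    def __init__(self, name, steps, max_span=None):
        self.name, self.steps, self.max_span = name, steps, max_span


def match_signature(sig, events):
    """Return every complete match as the list of events that formed it.

    Partial matches are tracked as (next_step_index, binds, matched_events);
    the empty partial (0, {}, []) is always kept so a match may start at any
    event.  Partials that exceed max_span are discarded.
    """
    partial = [(0, {}, [])]
    matches = []
    for ev in events:
        kept = []
        for idx, binds, matched in partial:
            if matched and sig.max_span is not None and ev["t"] - matched[0]["t"] > sig.max_span:
                continue                      # interval constraint violated
            kept.append((idx, binds, matched))
            new_binds = sig.steps[idx](ev, dict(binds))
            if new_binds is None:
                continue
            if idx + 1 == len(sig.steps):
                matches.append(matched + [ev])
            else:
                kept.append((idx + 1, new_binds, matched + [ev]))
        partial = kept
    return matches


# Guards for the constructed "setuid shell copy" signature.
def step_copy_shell(ev, b):
    if ev["ev"] == "cp" and ev["src"].endswith("/sh"):
        b["user"], b["file"] = ev["user"], ev["dst"]   # bind variables
        return b
    return None


def step_setuid(ev, b):
    if (ev["ev"] == "chmod" and ev["user"] == b["user"]
            and ev["path"] == b["file"] and ev["mode"].startswith("4")):
        return b
    return None


def step_exec(ev, b):
    if ev["ev"] == "exec" and ev["user"] == b["user"] and ev["path"] == b["file"]:
        return b
    return None


SETUID_SHELL = Signature("setuid shell copy",
                         [step_copy_shell, step_setuid, step_exec], max_span=600)

if __name__ == "__main__":
    for m in match_signature(SETUID_SHELL, AUDIT):
        print(SETUID_SHELL.name, "by", m[0]["user"], "at", [e["t"] for e in m])
```

The unrelated chmod by alice does not advance the match because the guard’s bound `user` and `file` do not agree with it. Dropping the first record, or moving the chmod outside the 600-second interval, yields no match at all, which is the slide’s point that a rule-based system only sees the sequences it was given rules for.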
Specification Modeling
• Misuse detection looks for states known to
be bad
• Specification modeling looks for states not
known to be good – a possible intrusion
• Builds specifications for how a program
should run
• Examines program behavior for deviations from the
specified good states
Specification Modeling
• Ko developed a specification based IDS
• Monitored 15 security related programs
• Monitored on things like:
– object access
– synchronization of data
– sequences of commands
– race conditions
Specification Modeling
• They looked at rdist (remote distribution)
• Rdist updates programs on remote systems
• The problem is that rdist modifies permissions
on files it has written
– by replacing such a file with a symbolic link to another
file before rdist changes the permissions, an attacker can get
rdist to change the permissions on that other file
Specification Modeling
• Specification modeling
– utilizes grammars to specify actions
– the grammars define the acceptable activities
– is a relatively new field
– because it specifies what should happen
• unknown attacks can be detected
– Class drawbacks ?
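An added example of specification-based detection for the rdist discussion and the "SM" slide (not Ko’s system and not rdist’s own code): a constructed specification for a hypothetical rdist-like program says it may only create files under /tmp and may only write, chmod or chown an inode it created itself during this run. Two constructed system-call traces are checked against it; in the second, the path has been swapped for a symbolic link between the write and the chmod, so the chmod lands on a different inode and violates the specification even though no rule for that particular attack exists.

```python
# Constructed system-call traces of a hypothetical rdist-like program.
# Each record is (operation, path, inode) or ("rename", src, dst); inode
# numbers are assumed to be supplied by the audit source.
TRACE_GOOD = [
    ("create", "/tmp/rdist_a1", 5001),
    ("write",  "/tmp/rdist_a1", 5001),
    ("chmod",  "/tmp/rdist_a1", 5001),
    ("rename", "/tmp/rdist_a1", "/usr/local/bin/tool"),
]
TRACE_ATTACK = [
    ("create", "/tmp/rdist_a1", 5001),
    ("write",  "/tmp/rdist_a1", 5001),
    # The path was replaced by a symlink to /etc/passwd (inode 42) here;
    # the program's chmod therefore acts on an inode it never created.
    ("chmod",  "/tmp/rdist_a1", 42),
]


def check_spec(trace, allowed_prefix="/tmp/"):
    """Check a trace against the constructed specification.

    Spec: create only under allowed_prefix; write/chmod/chown only an inode
    created in this run; rename only a created file; nothing else.
    Returns a list of human-readable violations (empty means conforming).
    """
    created = {}          # path -> inode the program itself created
    violations = []
    for i, call in enumerate(trace):
        op = call[0]
        if op == "create":
            _, path, ino = call
            if not path.startswith(allowed_prefix):
                violations.append(f"{i}: create outside {allowed_prefix}: {path}")
            created[path] = ino
        elif op in ("write", "chmod", "chown"):
            _, path, ino = call
            if created.get(path) != ino:
                violations.append(
                    f"{i}: {op} on {path} inode {ino} not created by program")
        elif op == "rename":
            _, src, dst = call
            if src not in created:
                violations.append(f"{i}: rename of {src} not created by program")
            else:
                created[dst] = created.pop(src)
        else:
            violations.append(f"{i}: operation {op} not in specification")
    return violations


if __name__ == "__main__":
    print("good trace:", check_spec(TRACE_GOOD))
    print("attack trace:", check_spec(TRACE_ATTACK))
```

The checker knows nothing about symbolic links or the specific race; it only knows what the program is supposed to do, which is why the deviation is caught. The drawback the slide asks about is visible too: every operation the program legitimately performs has to be described, and a change to the program requires a change to the specification.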
Summary
• Misuse detection
– detects violations of policy, implicit or explicit
– need to develop rules, states, actions etc.
– must have in a rule base
– only detects attacks that are known
Summary
• Anomaly Detection
– detects policy violations also
– little more generalized than Misuse detection
– uses statistics to find deviations
Summary
• Specification Modeling
– must have rules for how a good program is
operating
– need experts to define rules
– can detect unknown attacks
Architecture
• IDS works off of audit trails
• Audit trails found in logs
• Best to collect log data from all over the
system due to distributed attacks
• Generally constructed in 3 subsystems
Architecture
• Agent
– a relatively autonomous piece of software that
collects data from a local machine
– may format the data
• why ?
– sends the data to a centralized system
– may weed data that is not deemed to be
important
Architecture
• Agents can be:
– host based
• utilize system and application logs
• may be security logs or accounting logs
• a virtual agent can be in the kernel and write data to
logs it finds interesting
• logs can be very large
Architecture
• Agents can be
– network based
• use devices and software to monitor network traffic
• used to detect network based attacks
• utilize sniffing
• monitor contents of packets
• must be arranged in a way to provide full network
coverage
• encrypted traffic is a problem, since packet contents
cannot be inspected
Architecture
• Agents send formatted information to the
director software
• Directors
– eliminate unnecessary log entries
– utilize an analysis engine to find attacks
– usually are run on a separate system
– adaptive directors may alter search rules (neural
network)
Architecture
• Notifier
– accepts information from the director and takes
appropriate action
– may notify a security officer via a gui
– may be proactive in combating an attack
Systems to Look At
• Courtney – monitors for use of SATAN
• SATAN – system for finding weaknesses in
Unix
• IDIP – coordinates IDS’s on firewalls to
block attacks
• NSM – develops profiles of network usage
and compares actual usage against them, e.g. repeated
telnet connections of short duration
Systems to Look At
• DIDS – distributed IDS based on NSM and
works in conjunction with host based IDS’s
– NSM is network based only
• AAFID – autonomous agents that report
data, distributes components of IDS into
pieces
– eliminates a single point of failure, director is
distributed
Incident Response
• Ideally you want to
– detect attack as it starts
– take defensive measures
– work automatically
– can be very system resource intensive
• why ?
Incident Response
• Definition:
– Jailing
• placing an attacker in a confined area of the system
• letting them think that they are inside the system
• allows one to observe the hacker
• sometimes referred to as a honey pot
• usually has a faked file system
• may intercept system calls and do something
(kernel)
Incident Response
• Goal
– to restore system to comply with security policy
– replace / fix damaged resources
Incident Response
• Six phases:
– preparation
• procedures and methods for detection
• backups
– identification
• id the attack
• trigger for following phases
Incident Response
• Containment
– limits the damage as much as possible
– may not be possible if you have a real time
system
– attacks generally probe for a while and then do
damage
– you can get a chance to contain if you detect
probing
Incident Response
• Eradication
– stops attack if done in real time
– puts mechanisms in place to thwart other
attacks
• Recovery
– restores system to pre-attack configuration
– must detect what has been modified
Incident Response
• Response – Follow up
– taking action against the attacker
• forensic investigation
• counter attack
• law enforcement
– fixing holes in your system
– documentation of lessons learned
– documentation of attack details
Details
• Containment
– approaches
• passive monitoring
– meant to record actions for later use
– examine goals and techniques of hacker
– a honeypot
• constraining actions of hacker
– goal to prevent hacker from accomplishing aims
– problem, may not know what the goal is
Details
• Eradication
– goal to stop the attack
– must ensure it does not resume immediately
– may block attacks by placing wrappers around a
suspected target
– wrappers control access to the target
– want to embed wrappers in the kernel to make them
hard to bypass
– Example
Details
• Eradication
– good to place wrappers at the firewall
– firewalls filter network traffic
– example
– IDIP – Intrusion Detection and Isolation
Protocol
• the participants are firewalls
• they communicate directly with each other
• they coordinate a response to an attack
Details
• Follow up
– most common is to follow up with legal action
– how to trace the attack for follow up
• thumbprinting
– monitor connections between any two hosts
– check for similar content moving across the connections
– the method allows you to trace back to the source of the attack
– hackers may move through multiple hosts before attacking
– software needs to be small, effective and fast
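An added example of thumbprinting (not the original thumbprinting implementation): each connection’s content in one time interval is summarized as a byte-frequency thumbprint, thumbprints of connections that share a hop (destination of one is the source of the next) are compared by cosine similarity, and the links are walked backwards to the origin. The three connections and their contents are constructed; a real thumbprint would be a more compact summary, and the comparison only works on the cleartext hops.

```python
import math
from collections import Counter

# Constructed content seen on three connections during the same interval.
# Keys are (source_host, destination_host).  The first two carry the same
# keystrokes (the second hop echoes a prompt); the third is unrelated.
CONNECTIONS = {
    ("198.51.100.4", "10.0.0.2"): b"cat /etc/passwd\nls -la /root\n",
    ("10.0.0.2", "10.0.0.7"):     b"$ cat /etc/passwd\n$ ls -la /root\n",
    ("10.0.0.9", "10.0.0.7"):     b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n",
}


def thumbprint(payload):
    """Byte-frequency summary of one connection's content in one interval."""
    return Counter(payload)


def similarity(tp_a, tp_b):
    """Cosine similarity between two thumbprints (0.0 = nothing in common)."""
    dot = sum(tp_a[k] * tp_b[k] for k in tp_a.keys() & tp_b.keys())
    na = math.sqrt(sum(v * v for v in tp_a.values()))
    nb = math.sqrt(sum(v * v for v in tp_b.values()))
    return dot / (na * nb) if na and nb else 0.0


def find_relay_links(connections, threshold=0.8):
    """Return [(upstream, downstream, sim)] for pairs where the upstream
    destination is the downstream source and the contents match."""
    tps = {conn: thumbprint(data) for conn, data in connections.items()}
    links = []
    for up in connections:
        for down in connections:
            if up == down or up[1] != down[0]:
                continue
            s = similarity(tps[up], tps[down])
            if s >= threshold:
                links.append((up, down, round(s, 3)))
    return links


def trace_origin(links, victim_conn):
    """Walk the relay links backwards from the connection seen at the
    victim and return the earliest source host found."""
    upstream_of = {down: up for up, down, _ in links}
    cur = victim_conn
    while cur in upstream_of:
        cur = upstream_of[cur]
    return cur[0]


if __name__ == "__main__":
    links = find_relay_links(CONNECTIONS)
    print("relay links:", links)
    print("origin:", trace_origin(links, ("10.0.0.2", "10.0.0.7")))
```

The two relayed connections score about 0.96 despite the extra prompt characters, while the HTTP connection into the same victim scores under 0.5 and is not linked; the chain is then followed back to 198.51.100.4. If the hop between 10.0.0.2 and 10.0.0.7 were encrypted, its thumbprint would no longer resemble the upstream one and the trace would stop there.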
Details
• Follow Up
– may use IP header marking
• routers mark packets so that the path can be traced back
to the source of an attack
• don’t want to do this for every packet
• deterministic marking – marks packets by a fixed rule (e.g.
every nth packet) using an algorithm
• the mark is stored in header bits that are not otherwise
utilized in the IP header
Details
• Follow Up
– counter attacking
• filing criminal complaints
– requires a good chain of custody for the evidence to establish
that the attack was real – not an accident or error
• technical counter attack
– goal is to damage the attacker’s system
– problems
» may harm innocent parties (e.g. the owner of a
compromised hop)
» may have side effects – denial of service
» may get you in trouble legally