A Survey of Intrusion Detection Systems

Daniele Sgandurra
Istituto di Informatica e Telematica, CNR, Pisa, Italy

(Transcript of the slide deck, 64 slides.)

Outline

1 Introduction
  Attacks and Threats

2 IDSes
  Characteristics of IDSes
  Common Detection Methodologies
  Typical Components
  Limitations
  Products and Standards

3 Example of HIDS
  Static Analysis
  Run-Time Support

Attacks and Threats

Broad New Hacking Attack Detected

Wall Street Journal (18/02/2010):

“Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft.”

“[...] infiltrating some 75,000 computers and touching 196 countries.”

“The highest concentrations of infected computers are in Egypt, Mexico, Saudi Arabia, Turkey and the U.S.”


[Figure: Broad New Hacking Attack Detected]

Mariposa Botnet

At the time it was considered the largest botnet, consisting of 12.7 million hosts: systems in businesses, universities, government agencies and homes in more than 190 countries. It has since been taken down. The stolen data included bank account details, credit card numbers, usernames, passwords, etc., belonging to more than 800,000 users.


The Top Cyber Security Risks

Featuring attack data from TippingPoint intrusion prevention systems protecting 6,000 organizations.
Vulnerability data from 9,000,000 systems compiled by Qualys.
Additional analysis and tutorial by the Internet Storm Center and key SANS faculty members.
September 2009.


The Top Cyber Security Risks

Priority One: client-side software that remains unpatched.
Priority Two: Internet-facing web sites that are vulnerable.
Operating systems continue to have fewer remotely-exploitable vulnerabilities that lead to massive Internet worms.
Rising numbers of zero-day vulnerabilities.


The Top Cyber Security Risks

“The number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities discovered in OS”.


IBM’s annual X-Force Trend and Risk Report

The number of software vulnerabilities fell overall in 2009, but the number of bugs in document readers and multimedia applications increased by 50%.
Of the 5 most prevalent Web site exploits, 3 involved PDF files.
The other two exploits involved Flash and an ActiveX control.


IBM’s annual X-Force Trend and Risk Report

Browsers had the most client-side vulnerabilities: Firefox had twice the number of critical/high vulnerabilities as IE.

More than half of the critical/high client-side vulnerabilities affected just 4 vendors: Microsoft, Adobe, Mozilla and Apple:

while vendors on average patch 66% of those outstanding vulnerabilities, Apple proved the worst, patching just 38%.


[Figure: Targeted Attacks 2008/2009/2010]

[Figure: Application Patching is Much Slower than Operating System Patching]

Key Predictions for 2010 and Beyond

Trend Micro 2010 Annual Threat Roundup:

No global outbreaks, but localized and targeted attacks.

It's all about money, so cybercrime will not go away: mobile devices will become greater targets for cybercrime.

Windows 7 will have an impact since it is less secure than Vista in the default configuration.

Risk mitigation is not as viable an option anymore, even with alternative browsers/alternative operating systems.


Key Predictions for 2010 and Beyond

Malware is changing its shape every few hours.

Drive-by infections are the norm: one Web visit is enough to getinfected.

New attack vectors will arise for virtualized/cloud environments.

Bots cannot be stopped anymore, and will be around forever.

Company/Social networks will continue to be shaken by data breaches.


Types of Threats

Two types of threats: insider and outsider.

Insider threat: hard to detect and quantify.

Outsider threat: attacks from over the Internet are ubiquitous:

background radiation: on average, hosts are probed every 90 seconds; a medium-size site sees on the order of 10,000 remote scanners each day;
what do they scan for? A wide and changing set of services/vulnerabilities, attacked via auto-rooters or worms;
what are they after? They seek zombies for DDoS slaves, spamming, bots-for-sale, ...

IDSes

Definitions

Intrusion: a set of actions aimed at compromising the integrity, confidentiality, or availability of a computing or networking resource.

Intrusion detection (ID): the process of identifying and responding to intrusion activities, i.e. entities attempting to subvert in-place security controls.

Intrusion Detection Systems (IDSes) are software and/or hardware components that monitor the events in a computer or in a network and analyze the activities for signs of possible violations of computer security policies.

Intrusion prevention: extension of ID with access control to protect computers from exploitation; Intrusion Detection and Prevention Systems (IDPS).


Intrusion Detection

In this view, an intrusion detection system (IDS) finds anomalies.

“The IDS approach to security is based on the assumption that a system will not be secure, but that violations of security policy (intrusions) can be detected by monitoring and analyzing system behavior.” (Forrest 98)

Such an IDS requires two phases: training the IDS on normal behavior (training), then looking for deviations from it (detection).


Intrusion Detection Systems

A Network IDS (NIDS) attempts to identify unauthorized, illicit and anomalous behavior based on network traffic.

A Host IDS (HIDS) attempts to identify violations of the security policies on a specific device.

A signature-based IDS examines the activities for predetermined attack patterns known as signatures.

An anomaly-based IDS first builds a model of the normal usage of the monitored system and, based on this model, then monitors the system's activities by classifying them as either normal or anomalous.

[Figure: Characteristics of IDSes]

Key Functions of IDS Technologies

Monitor and analyze events to identify incidents.

Record information related to observed events.

Notify security administrators of important observed events.

Produce reports.

IPSes also attempt to prevent a threat from succeeding:
stop the attack itself;
change the security environment;
change the attack content.


Network IDS (NIDS)

A Network IDS attempts to identify unauthorized, illicit, and anomalous behavior based solely on network traffic:

it collects packets using a network tap, SPAN port, or hub;

using the captured data, the IDS processes and flags any suspicious traffic.

The role of a network IDS is passive: it only gathers, identifies, logs and alerts.

[Figure: NIDS Placement]

NIDS Example: SNORT

Open source IDS, driven by Snort rules.

Sample rule:

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

Rule header: action, protocol, source address + port -> destination address + port.
Rule options (in parentheses): the alert message and the packet content to look for (bytes between | | are hexadecimal).
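To make the header/options split concrete, here is an added example (not code from the slides or from the Snort project) that parses the sample rule above into its fields and runs it over constructed packets. It handles only what the sample needs: a unidirectional header, `any` or CIDR addresses, and quoted `content`/`msg` options with Snort's `|..|` hex notation; real Snort has many more options and matching semantics.

```python
import ipaddress
import re

# The sample rule from the slide above (the content bytes are the RPC program number of mountd).
RULE = 'alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)'

def decode_content(spec):
    """Turn a Snort content string into bytes: literal text outside |...|, hex bytes inside."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def parse_rule(text):
    """Split a rule into its header (action proto src sport -> dst dport) and its options."""
    header, _, options = text.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional (->) rules are handled in this example")
    # Assumption: option values are double-quoted and contain no ';' (true for the sample rule;
    # real Snort also has unquoted and modifier options, which this toy parser ignores).
    opts = dict(re.findall(r'(\w+)\s*:\s*"([^"]*)"', options.rstrip(")")))
    return {
        "action": action,
        "proto": proto.lower(),
        "src": None if src == "any" else ipaddress.ip_network(src, strict=False),
        "sport": None if sport == "any" else int(sport),
        "dst": None if dst == "any" else ipaddress.ip_network(dst, strict=False),
        "dport": None if dport == "any" else int(dport),
        "content": decode_content(opts["content"]) if "content" in opts else None,
        "msg": opts.get("msg", ""),
    }

def matches(rule, pkt):
    """True if the packet satisfies every field of the rule header and the content option."""
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["sport"] is not None and rule["sport"] != pkt["sport"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["content"] is not None and rule["content"] not in pkt["payload"]:
        return False
    return True

def scan(rules, packets):
    """Return (msg, src, dst) for every rule/packet pair that matches."""
    return [(r["msg"], p["src"], p["dst"]) for p in packets for r in rules if matches(r, p)]

# Constructed packets: one hits the rule, one goes to a host outside the monitored subnet,
# one reaches the port but carries an unrelated payload.
PACKETS = [
    {"proto": "tcp", "src": "10.9.8.7", "sport": 40123, "dst": "192.168.1.5", "dport": 111,
     "payload": b"\x80\x00\x00\x28\x00\x00\x00\x01\x00\x00\x00\x02\x00\x01\x86\xa5"},
    {"proto": "tcp", "src": "10.9.8.7", "sport": 40124, "dst": "192.168.2.5", "dport": 111,
     "payload": b"\x00\x01\x86\xa5"},
    {"proto": "tcp", "src": "10.9.8.7", "sport": 40125, "dst": "192.168.1.5", "dport": 111,
     "payload": b"GET / HTTP/1.0\r\n"},
]

if __name__ == "__main__":
    for alert in scan([parse_rule(RULE)], PACKETS):
        print("ALERT", alert)
```

Only the first packet produces an alert: the second is outside 192.168.1.0/24 and the third does not carry the content bytes. Note that a plain substring match like this one is exactly what the evasion slides later in the deck attack.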


Host Based (HIDS)

Host-based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior on a specific device.
HIDS generally involves an agent installed on each system, monitoring and alerting on local OS and application activity.
The installed agent uses a combination of signatures, rules, and heuristics to identify unauthorized activity.

[Figure: HIDS Block Diagram]

HIDS Example: OSSEC

OSSEC is an Open Source Host-based IDS.

Log analysis.

File integrity checking.

Policy monitoring.

Rootkit detection.

Real-time alerting.

Active response.


OSSEC Example Logs

SSH:
May 21 20:22:28 slacker sshd[21487]: Failed password for root from 192.168.20.185 port 1045 ssh2

ProFTPD:
May 21 20:21:21 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): no such user 'dcid-inv'

Bind:
Aug 29 15:33:13 ns3 named[464]: client 217.148.39.4#32769: query (cache) denied

Apache:
127.0.0.1 - - [28/Jul/2006:10:27:32 -0300] "GET /hidden/ HTTP/1.0" 404 7218

Windows:
Nov 2 17:23:16 192.168.1.100 security[failure] 529 NT AUTHORITY\SYSTEM Logon Failure: Reason: Unknown user name or bad password User Name: Jeremy Lee Domain: IBM17M Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: IBM17M

Cisco IOS:
Sep 6 09:20:44 RouterName 86: Sep 6 14:20:35.991: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (1.1.1.1)

[Figure: Host vs Network IDS]

Physical IDS

Physical intrusion detection is the act of identifying threats to physical systems. Examples:

security guards;
security cameras;
access control systems (card, biometric);
firewalls;
man traps;
motion sensors.


Network Behavior Analysis (NBA)

Network Behavior Analysis (NBA) examines network traffic to identify threats that generate unusual traffic flows:

distributed denial of service (DDoS) attacks;
certain forms of malware (e.g., worms, backdoors);
policy violations (e.g., a client system providing network services to other systems).

NBA sensors monitor flows on an organization's internal networks and flows between internal networks and external networks.

[Figure: NBA Sensor Architecture Example]

Wireless IDS

A Wireless IDS monitors wireless network traffic and analyzes its wireless networking protocols to identify suspicious activity in those protocols.

It cannot identify suspicious activity in the application or higher-layer network protocols (e.g., TCP) that the wireless traffic is transferring.

Sensors are deployed within range of an organization's wireless network, but also at locations where unauthorized wireless networking could occur.

[Figure: Wireless IDS Placement]

[Figure: Comparison of IDPS Technology Types]

Honeypot

Honeypot systems are decoy servers or systems set up to gather information regarding an attacker or intruder into your system.
They can be set up outside or in the DMZ, although they are most often deployed inside the firewall for control purposes.
In a sense, they are variants of standard IDSes but with more of a focus on information gathering and deception.

[Figure: Honeypot]

Honeypot (cont.)

1 Learn how intruders probe and attempt to gain access to your systems: gain insight into attack methodologies to better protect your real production systems.

2 Gather forensic information to aid in the prosecution of intruders: provide law enforcement officials with the details needed to prosecute.

Common Detection Methodologies

Signature-Based Detection

A signature is a pattern that corresponds to a known threat.

Signature-based detection is the process of comparing signatures against observed events to identify possible incidents.

Examples:

a telnet attempt with a username of “root”, which is a violation of an organization's security policy;
an e-mail with a subject of “Free pictures!” and an attachment filename of “freepics.exe”, which are characteristics of malware;
an operating system log entry with a status code value of 645, which indicates that the host's auditing has been disabled.


Signature-Based Detection

Very effective at detecting known threats but largely ineffective at detecting:
previously unknown threats;
threats disguised by the use of evasion techniques;
variants of known threats.

If an attacker modified the previous malware to attach “freepics2.exe”, a signature looking for “freepics.exe” would not match it.


Anomaly-Based Detection

Anomaly-based detection is the process of comparing definitionsof what activity is considered normal against observed events toidentify significant deviations.

An IDS using anomaly-based detection has profiles thatrepresent the normal behavior.

The profiles are developed by monitoring the characteristics oftypical activity over a period of time.


Anomaly-Based Detection

The IDS uses statistical methods to compare the characteristics of current activity to thresholds related to a profile.

It can be very effective at detecting previously unknown threats.

An initial profile is generated over a period of time (training).

Ex.: “user Joe only logs in from host ABC, usually at night.”


Specification-Based Detection

Core idea: codify a specification of what a site's policy permits; look for patterns of activity that deviate from it.

Example: “user Joe is only allowed to log in from host ABC”.

Pro:

potentially detects a wide range of attacks, including novel ones;
the framework can accommodate signatures and anomalies;
directly supports implementing a site's policy.

Con:

specifications require significant development and maintenance;
hard to construct attack libraries.
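The two Joe examples differ in where the "normal" comes from: learned from history (anomaly-based) or written down as policy (specification-based). The following added example (not from the slides) runs both detectors side by side on constructed login events of the form (user, source host, hour). The training logins, the policy table, the 6-hour buckets, the additive smoothing and the threshold of 2.5 are all assumptions made for the example.

```python
import math
from collections import Counter

# Constructed training data: (user, source host, hour of day) for past logins. Joe logs in
# from ABC at night; Ann logs in from XYZ during office hours.
TRAINING = (
    [("joe", "ABC", h) for h in (22, 23, 0, 1, 23, 22, 0, 2, 23, 1)]
    + [("ann", "XYZ", h) for h in (9, 10, 11, 9, 14, 15, 10, 16, 9, 11)]
)

# Specification-based detection: a hand-written policy, user -> hosts allowed to log in from
# (an assumption standing in for a real site policy).
POLICY = {"joe": {"ABC"}, "ann": {"XYZ"}}

def hour_bucket(hour):
    """Coarsen the hour so the profile needs little training data: 0-5, 6-11, 12-17, 18-23."""
    return hour // 6

def build_profiles(events):
    """Anomaly detection, training phase: per-user frequency tables of source host and hour bucket."""
    profiles = {}
    for user, host, hour in events:
        p = profiles.setdefault(user, {"host": Counter(), "bucket": Counter(), "n": 0})
        p["host"][host] += 1
        p["bucket"][hour_bucket(hour)] += 1
        p["n"] += 1
    return profiles

def anomaly_score(profiles, user, host, hour, alpha=0.5):
    """Detection phase: surprise of a login, -log of its (additively smoothed) probability
    under the user's profile; unseen hosts or hours get a small non-zero probability."""
    p = profiles.get(user)
    if p is None:
        return math.inf  # unknown user: nothing learned, maximally surprising

    def prob(counter, key):
        return (counter[key] + alpha) / (p["n"] + alpha * (len(counter) + 1))

    return -math.log(prob(p["host"], host)) - math.log(prob(p["bucket"], hour_bucket(hour)))

def spec_violation(policy, user, host):
    """Specification-based check: anything the policy does not explicitly permit is a violation."""
    return host not in policy.get(user, set())

def evaluate(profiles, policy, user, host, hour, threshold=2.5):
    """Run both detectors on one login; returns (anomalous, violates_policy)."""
    return (anomaly_score(profiles, user, host, hour) > threshold,
            spec_violation(policy, user, host))

if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    for login in [("joe", "ABC", 23), ("joe", "ABC", 12), ("joe", "XYZ", 23), ("mallory", "ABC", 23)]:
        print(login, "anomalous=%s policy_violation=%s" % evaluate(profiles, POLICY, *login))
```

Joe from ABC at noon is the instructive case: the profile flags it (he has never logged in at that hour), while the policy, which says nothing about time, allows it. Joe from XYZ is caught by both, and an unknown user is caught by both for different reasons: no profile exists, and no policy entry permits the host. Which verdict is "right" is exactly the trade-off on the slide: the profile can flag novel behavior that no policy author anticipated, and the policy never drifts with training data.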


Stateful Protocol Analysis

Stateful protocol analysis is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations.
It relies on vendor-developed universal profiles that specify how particular protocols should and should not be used.
The “stateful” in stateful protocol analysis means that the IDS is capable of understanding and tracking the state of network, transport, and application protocols that have a notion of state.
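As an added illustration (not from the slides, and a deliberately small stand-in for a vendor profile), the following tracks the client side of an SMTP session through a command-state table and reports a command that is not acceptable in the current state, plus a command line longer than the 512-octet limit of RFC 5321. The state table and the sample sessions are constructed for the example.

```python
# Constructed SMTP command-state model: which client commands are acceptable in each session
# state and where each one leads. This is an assumption standing in for a vendor profile.
TRANSITIONS = {
    "INIT":   {"HELO": "READY", "EHLO": "READY", "NOOP": "INIT", "QUIT": "CLOSED"},
    "READY":  {"MAIL": "MAIL", "HELO": "READY", "EHLO": "READY", "RSET": "READY",
               "NOOP": "READY", "QUIT": "CLOSED"},
    "MAIL":   {"RCPT": "RCPT", "RSET": "READY", "NOOP": "MAIL", "QUIT": "CLOSED"},
    "RCPT":   {"RCPT": "RCPT", "DATA": "BODY", "RSET": "READY", "NOOP": "RCPT", "QUIT": "CLOSED"},
    "BODY":   {},  # message body: no commands until the "." terminator line
    "CLOSED": {},  # nothing is acceptable after QUIT
}
MAX_COMMAND_LINE = 512  # RFC 5321, section 4.5.3.1.4: command line including CRLF

def analyze_session(lines):
    """Walk the client commands of one SMTP session (one line per list element, CRLF stripped)
    and return (line number, finding) for every deviation from the model."""
    state, findings = "INIT", []
    for n, line in enumerate(lines, 1):
        if state == "BODY":
            if line == ".":
                state = "READY"
            continue  # body lines are data, not commands
        if len(line) + 2 > MAX_COMMAND_LINE:
            findings.append((n, "command line of %d octets exceeds %d"
                             % (len(line) + 2, MAX_COMMAND_LINE)))
        verb = line.split(" ", 1)[0].upper()
        nxt = TRANSITIONS[state].get(verb)
        if nxt is None:
            findings.append((n, "%s not valid in state %s" % (verb, state)))
            continue  # stay in the current state and keep checking the rest of the session
        state = nxt
    return findings

# Constructed sessions: a well-formed one and one that skips the envelope and sends an
# oversized MAIL command.
GOOD_SESSION = ["EHLO mail.example.org", "MAIL FROM:<a@example.org>", "RCPT TO:<b@example.net>",
                "DATA", "Subject: hi", "", "hello", ".", "QUIT"]
BAD_SESSION = ["EHLO mail.example.org", "DATA", "RCPT TO:<b@example.net>",
               "MAIL FROM:<" + "A" * 600 + "@example.org>", "QUIT"]

if __name__ == "__main__":
    print(analyze_session(GOOD_SESSION))
    print(analyze_session(BAD_SESSION))
```

The same substring "DATA" is benign in the RCPT state and a finding in READY; that context is what a signature on the bytes alone cannot express, and it is also what a real profile must get right for every dialect of the protocol, which is where these profiles tend to disagree with actual servers.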

Typical Components

Sensor or Agent

Sensors and agents monitor and analyze activities.

The term sensor is typically used for IDSes that monitornetworks, including network-based, wireless, and networkbehavior analysis technologies.

The term agent is typically used for host-based IDS technologies.


Management Server

A management server is a centralized device that receives information from the sensors or agents and manages them.
It sometimes performs analysis on the events provided by sensors/agents to identify events that the individual sensors or agents cannot: matching event information from multiple sensors/agents, such as finding events triggered by the same IP address, is known as correlation.
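The following added example (not OSSEC's code or the slides') ties the OSSEC log examples earlier in the deck to this correlation step: per-source decoders normalize raw SSH, ProFTPD and Apache lines into events, and the management-server side then groups events by IP address and applies two rules, a brute-force threshold and a "same IP in several agents' logs" rule that no single agent could fire on its own. The first SSH and ProFTPD lines are the page's own; the remaining log lines, the regexes, the 60-second window, the threshold of 3 and the assumed year/UTC for syslog timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log lines modelled on the OSSEC examples: the first SSH line and the first
# ProFTPD line are from the page, the rest are invented for the example.
LOG_LINES = [
    "May 21 20:22:28 slacker sshd[21487]: Failed password for root from 192.168.20.185 port 1045 ssh2",
    "May 21 20:22:31 slacker sshd[21487]: Failed password for root from 192.168.20.185 port 1046 ssh2",
    "May 21 20:22:35 slacker sshd[21487]: Failed password for admin from 192.168.20.185 port 1047 ssh2",
    "May 21 20:21:21 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): no such user 'dcid-inv'",
    "May 21 20:23:02 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.185[192.168.20.185]): no such user 'backup'",
    "May 21 20:40:00 slacker sshd[21600]: Failed password for bob from 10.1.1.7 port 2200 ssh2",
    '192.168.20.185 - - [21/May/2010:20:23:40 +0000] "GET /hidden/ HTTP/1.0" 404 7218',
]

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
DECODERS = [  # (source name, regex); each regex yields ts, ip and a detail field
    ("sshd", re.compile(SYSLOG_TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<detail>\S+) from (?P<ip>[\d.]+)")),
    ("proftpd", re.compile(SYSLOG_TS + r" \S+ proftpd\[\d+\] \S+ \(\S+\[(?P<ip>[\d.]+)\]\): no such user ['’](?P<detail>[^'’]+)")),
    ("apache", re.compile(r'(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<detail>\S+) [^"]*" (?P<status>\d{3})')),
]
SYSLOG_YEAR = 2010  # syslog lines carry no year: assumed, and all times are treated as UTC

def decode(line):
    """Normalize one raw log line into an event dict, or None if no decoder applies."""
    for source, rx in DECODERS:
        m = rx.match(line)
        if not m:
            continue
        d = m.groupdict()
        if source == "apache":
            if d["status"] != "404":
                return None  # only failed lookups count as probing in this example
            ts = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            ts = ts.astimezone(timezone.utc).replace(tzinfo=None)
        else:
            ts = datetime.strptime("%d %s" % (SYSLOG_YEAR, d["ts"]), "%Y %b %d %H:%M:%S")
        return {"source": source, "ip": d["ip"], "time": ts, "detail": d["detail"]}
    return None

def correlate(lines, window=timedelta(seconds=60), threshold=3):
    """Group decoded events by source IP (correlation) and apply two rules to each group."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(decode, lines)):
        by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["time"])
        # Rule 1: `threshold` authentication failures from one IP inside `window`, any service.
        auth = [e for e in events if e["source"] in ("sshd", "proftpd")]
        for i in range(len(auth) - threshold + 1):
            if auth[i + threshold - 1]["time"] - auth[i]["time"] <= window:
                alerts.append(("brute_force", ip, threshold))
                break
        # Rule 2: the same IP appears in several agents' logs, which no single agent can see.
        sources = sorted({e["source"] for e in events})
        if len(sources) > 1:
            alerts.append(("multi_source", ip, tuple(sources)))
    return alerts

if __name__ == "__main__":
    for alert in correlate(LOG_LINES):
        print(alert)
```

Only 192.168.20.185 trips either rule: three SSH failures within seven seconds, and then the same address failing against FTP and probing a non-existent web path. Sorting by time before applying the window matters because the sources deliver out of order (the ProFTPD line for 192.168.20.10 is earlier than the SSH lines), and it is also where the assumed year and time zone would bite in a real deployment.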


Database Server and Console

A database server is a repository for event information recordedby sensors, agents, and/or management servers.

A console is a program that provides an interface for the IDS’susers and administrators.

Limitations

False Positives/Negatives

All IDSes suffer from the twin problems of false positives and false negatives: not a minor issue, but an Achilles' heel.

False positives occur when the IDS erroneously reports a problem with benign traffic.

False negatives occur when unwanted traffic goes undetected.

Both create problems for security administrators and may require that the system be recalibrated.

False positives can burden administrators with cumbersome amounts of data.

False negatives do not afford administrators any opportunity to review the data.


Base-rate Fallacy

Suppose that your doctor performs a test that is 99% accurate:

when the test was administered to a test population all of whom had the disease, 99% of the tests indicated disease;
when the test population was known to be 100% free of the disease, 99% of the test results were negative.

Upon visiting your doctor to learn the results, he has good and bad news:

the bad news is that you tested positive for the disease;
the good news is that, across the entire population, the rate of incidence is only 1 in 10,000.

What is the probability of you having the disease?


Base-rate Fallacy

If $S$ denotes sick and $\neg S$ healthy, and $P$ denotes a positive test result and $\neg P$ a negative one, we have

$P(P \mid S) = 0.99, \quad P(\neg P \mid \neg S) = 0.99, \quad P(S) = 1/10{,}000$

$P(S \mid P) = \;?$

Since (Bayes' theorem)

$P(A \mid B) = \dfrac{P(A)\,P(B \mid A)}{\sum_{i=1}^{n} P(A_i)\,P(B \mid A_i)}$

then

$P(S \mid P) = \dfrac{P(S)\,P(P \mid S)}{P(S)\,P(P \mid S) + P(\neg S)\,P(P \mid \neg S)}$

and $P(P \mid \neg S) = 1 - P(\neg P \mid \neg S) = 0.01$ and $P(\neg S) = 1 - P(S)$,

then

$P(S \mid P) = \dfrac{(1/10{,}000) \cdot 0.99}{(1/10{,}000) \cdot 0.99 + (1 - 1/10{,}000) \cdot 0.01} = 0.00980\ldots \approx 1\%$

The same arithmetic applies to an IDS: when genuine intrusions are rare among the events examined, even a small false-positive rate produces alerts that are mostly false.


The Problem of Evasion

Consider the following attack URL: http://./c/winnt/system32/cmd.exe?/c+dir

Easy enough to scan for “cmd.exe”, right?

What if you consider: http://./c/winnt/system32/cm%64.exe?/c+dir

Okay, we need to handle % escapes.

What about: http://./c/winnt/system32/cm%25%36%34.exe?/c+dir

Here the “d” is double-encoded: one round of decoding yields cm%64.exe, a second yields cmd.exe. The IDS has to decode exactly as many times as the target server does, otherwise it either misses the request or alerts on one the server would never execute.
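An added example (not from the slides) that runs the three matching strategies the slide walks through over the request URLs above: a raw substring scan, a scan after one round of percent-decoding, and a scan after canonicalization (repeated decoding, case folding, separator normalization). The fourth URL, the decode bound of three rounds and the normalization steps are assumptions made for the example.

```python
from urllib.parse import unquote

SIGNATURE = "cmd.exe"

# The three request URLs from the slide (host elided there too), plus a constructed
# backslash/upper-case variant.
REQUESTS = [
    "http://./c/winnt/system32/cmd.exe?/c+dir",           # plain
    "http://./c/winnt/system32/cm%64.exe?/c+dir",         # 'd' percent-encoded once
    "http://./c/winnt/system32/cm%25%36%34.exe?/c+dir",   # 'd' percent-encoded twice
    "http://./c/winnt/system32\\CMD.EXE?/c+dir",          # backslash separator, upper case
]

def naive_match(url):
    """Attempt 1: scan the raw URL for the signature."""
    return SIGNATURE in url

def single_decode_match(url):
    """Attempt 2: decode %XX escapes once, then scan."""
    return SIGNATURE in unquote(url)

def canonicalize(url, max_rounds=3):
    """Attempt 3: decode until the string stops changing (bounded), then fold case and
    path separators. max_rounds is an assumption; to avoid both misses and false alarms it
    should equal the number of times the protected server itself decodes."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace("\\", "/").lower()

def canonical_match(url, max_rounds=3):
    return SIGNATURE in canonicalize(url, max_rounds)

def compare(urls):
    """One row per URL: (naive, single-decode, canonical) verdicts."""
    return [(naive_match(u), single_decode_match(u), canonical_match(u)) for u in urls]

if __name__ == "__main__":
    for url, row in zip(REQUESTS, compare(REQUESTS)):
        print(row, url)
```

Each row loses a matcher as the encoding gets one level deeper; only the canonical form catches the double-encoded and the mixed-case variants. The flip side is in the comment on `max_rounds`: decoding more aggressively than the server does creates its own false positives, so the right normalization is a property of the protected host, not of the IDS.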


The Problem of Evasion

Consider passive measurement: scanning traffic for a particular string (“USER root”).

Easiest: scan for the text in each packet:

not good: the text might be split across multiple packets.

Okay, remember the text from the previous packet:

not good: out-of-order delivery.

Okay, fully reassemble the byte stream:

costs state, and is still evadable.
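The three attempts above, and the ambiguous-retransmission evasion of the next slide, as an added example (not from the slides). The segments are constructed: "USER root\r\n" split across three TCP segments and delivered out of order, and a second stream in which the middle segment is retransmitted with different contents, so the bytes the IDS reassembles depend on which copy it assumes the end host keeps.

```python
SIGNATURE = b"USER root"

# Constructed segments: (sequence number, payload) in the order the IDS sees them.
# "USER root\r\n" split in three and delivered out of order.
OUT_OF_ORDER = [(1007, b"ot\r\n"), (1000, b"USER"), (1004, b" ro")]

# Same stream, but segment 1004 arrives twice with different contents (an ambiguous
# retransmission): which copy the end host keeps depends on its TCP stack.
AMBIGUOUS = [(1000, b"USER"), (1004, b" xx"), (1004, b" ro"), (1007, b"ot\r\n")]

def per_packet_scan(segments):
    """Attempt 1: look for the signature inside each segment on its own."""
    return any(SIGNATURE in data for _, data in segments)

def arrival_order_scan(segments):
    """Attempt 2: remember the previous payload, i.e. scan the concatenation in arrival order."""
    return SIGNATURE in b"".join(data for _, data in segments)

def reassemble(segments, policy="first"):
    """Attempt 3: rebuild the byte stream by sequence number.
    policy decides overlaps: "first" keeps the byte already seen, "last" lets a retransmission
    overwrite it. Returns the contiguous bytes from the lowest sequence number, stopping at a gap."""
    stream = {}
    for seq, data in segments:
        for offset, byte in enumerate(data):
            pos = seq + offset
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    if not stream:
        return b""
    out, pos = bytearray(), min(stream)
    while pos in stream:  # a hole means those bytes have not arrived yet
        out.append(stream[pos])
        pos += 1
    return bytes(out)

def reassembled_scan(segments, policy="first"):
    return SIGNATURE in reassemble(segments, policy)

if __name__ == "__main__":
    print("per packet:", per_packet_scan(OUT_OF_ORDER))
    print("arrival order:", arrival_order_scan(OUT_OF_ORDER))
    print("reassembled:", reassembled_scan(OUT_OF_ORDER))
    print("ambiguous, keep first:", reassembled_scan(AMBIGUOUS, "first"))
    print("ambiguous, keep last:", reassembled_scan(AMBIGUOUS, "last"))
```

Reassembly finds the string the first two attempts miss, at the cost of a per-connection buffer the attacker can also fill up. On the ambiguous stream the two overlap policies yield "USER xxot" and "USER root" respectively: unless the IDS knows which policy the destination host's TCP stack applies, one of its two answers is wrong, and the attacker gets to choose which.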

[Figure: Evading Detection Via Ambiguous TCP Retransmission]

Products and Standards

List of Host IDSes

AIDE-Advanced Intrusion Detection Environment

CSP Alert-Plus

eEye Retina

eEye SecureIIS Web Server Protection

GFI EventsManager

Hewlett Packard-Unix (HP-UX) 11i Host Intrusion Detection System (HIDS)

IBM RealSecure Server Sensor

integrit

Lumension Application Control

McAfee Host Intrusion Prevention

NetIQ Security Manager iSeries

Osiris

OSSEC HIDS

PivX preEmpt

Samhain

Tripwire Enterprise

Tripwire for Servers


List of Network IDSes

Arbor Networks Peakflow

ArcSight

Bro

Check Point IPS Software Blade

Check Point VPN-1 Power

Check Point VPN-1 Power VSX

Cisco ASA 5500 Series IPS Edition

Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2)

Cisco Guard XT

Cisco Intrusion Detection System Appliance IDS-4200

Cisco IOS IPS

Cisco Security Agent

Enterasys Dragon Network Defense

ForeScout CounterAct Edge

IBM Proventia SiteProtector

Imperva SecureSphere

Intrusion SecureNet IDS/IPS

iPolicy Intrusion Prevention Firewall Family


List of Network IDSes (cont.)

Juniper Networks IDP

Lancope StealthWatch

McAfee IntruShield Network IPS Appliances

NIKSUN NetDetector

NitroSecurity NitroGuard Intrusion Prevention System

PreludeIDS Technologies

Q1 Labs QRadar

Radware DefensePro

SecurityMetrics Appliance

Snort

snort_inline

Sourcefire 3D Sensor

Sourcefire Intrusion Prevention System

StillSecure Strata Guard

Symantec Critical System Protection

TippingPoint Intrusion Prevention System

Top Layer IPS

Webscreen


List of Wireless IDSes

AirMagnet

AirSnare

AirTight Networks SpectraGuard Enterprise

Aruba Wireless Intrusion Detection & Prevention (WIDP)

Kismet

Motorola AirDefense Enterprise

Newbury Networks WiFi Watchdog


Standards

The Internet Engineering Task Force (IETF) had a working group, the Intrusion Detection Exchange Format Working Group (IDWG), to develop a common format for IDS alerts:

the design involves sending XML-based alerts (IDMEF) over a dedicated transport profile (IDXP, which runs over BEEP rather than plain HTTP);
a lot of attention has been paid to the needs of IDS analysis, and to making the protocol work through firewalls.

http://www.ietf.org/old/2009/ids.by.wg/idwg.html
Intrusion Detection Exchange Format Working Group (IDWG)
Intrusion Detection Message Exchange Format (IDMEF), RFC 4765
Intrusion Detection Exchange Protocol (IDXP), RFC 4767

Example of HIDS

Static Analysis

An example of a HIDS based on the expected behavior of the program (static analysis) and on virtualization (run-time monitoring).

Process self: the valid sequences of system calls (traces) and the invariants that hold for the process executing the program to be protected:

traces are statically deduced from the program;
invariants on program variables at system call invocations are inferred from the semantics of the program.


Grammar of System Call Sequences

A tool computes a context-free grammar that models the legal systemcall traces that the process can issue:

the tool automatically generates the grammar by linearlyscanning each function defined in the program’s source code.

At run-time, a sequence of system calls is valid only if it is a prefix ofat least one string generated by the grammar.

Run-Time Support

Run-Time Architecture

Exploiting virtual machines (VMs) gives the monitor:
transparency;
visibility;
robustness.


Run-Time Architecture

The Monitored VM executes the process to be monitored.

The Introspection VM monitors the protected process through introspection; it consists of:
a stream-oriented parser;
an assertion checker;
an introspection library.


Run-Time Checks

Each time the monitored process invokes a system call, the Monitored VM is suspended and the Introspection VM checks that:

1 the system call trace is coherent with the grammar;
2 the assertions paired with the system call are verified.

If the trace is not coherent with the grammar, or an assertion is false → attack.
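The two run-time checks, and the grammar-prefix test from the Static Analysis slides, as an added example (not the authors' tool, which derives the grammar and the assertions from source code; here both are written by hand as assumptions). A toy grammar of legal system call traces is given as context-free productions over system call names; `is_valid_prefix` decides whether the calls observed so far are a prefix of some string the grammar generates, and `monitor` replays the check together with the per-call invariants on a benign run, a run with injected code and a run with a corrupted buffer length.

```python
# Constructed grammar of legal system call traces for a toy program: main() opens a file,
# copies it in a read/write loop until read returns 0, closes it, calls log() and exits;
# log() is its own nonterminal because the tool builds one per function. Terminals are
# system call names, nonterminals are upper case. The grammar is right-recursive and free of
# epsilon cycles, which the recognizer below relies on to terminate.
GRAMMAR = {
    "MAIN": [["open", "LOOP", "read", "close", "LOG", "exit_group"]],
    "LOOP": [["read", "write", "LOOP"], []],
    "LOG":  [["write"]],
}

BUF_SIZE = 4096
# Constructed invariants paired with system calls, standing in for the assertions the static
# analysis would infer: each is evaluated on the actual arguments of the call.
INVARIANTS = {
    "open":  lambda a: a["path"].startswith("/var/app/"),
    "read":  lambda a: 0 <= a["count"] <= BUF_SIZE,
    "write": lambda a: 0 <= a["count"] <= BUF_SIZE,
}

def is_valid_prefix(grammar, trace, start="MAIN"):
    """True iff trace is a prefix of at least one string generated by the grammar."""
    def walk(stack, pos):
        if pos == len(trace):
            return True   # the whole observed prefix derives; some continuation exists
        if not stack:
            return False  # a complete sentence ended before the trace did
        sym, rest = stack[0], stack[1:]
        if sym in grammar:  # nonterminal: try each production in place
            return any(walk(list(prod) + rest, pos) for prod in grammar[sym])
        return sym == trace[pos] and walk(rest, pos + 1)
    return walk([start], 0)

def monitor(calls, grammar=GRAMMAR, invariants=INVARIANTS):
    """Replay the run-time checks: after every system call (name, args) the trace so far must
    be a valid prefix and the call's invariant must hold. Returns "ok" or the first alert."""
    trace = []
    for i, (name, args) in enumerate(calls):
        trace.append(name)
        if not is_valid_prefix(grammar, trace):
            return ("alert", i, "trace not in grammar: %s" % " ".join(trace))
        check = invariants.get(name)
        if check is not None and not check(args):
            return ("alert", i, "invariant violated at %s %r" % (name, args))
    return "ok"

# Constructed traces: a benign run; a run where injected code calls execve; a run where a
# corrupted length reaches write, which the grammar alone would accept.
BENIGN = [("open", {"path": "/var/app/in.txt"}), ("read", {"count": 100}), ("write", {"count": 100}),
          ("read", {"count": 0}), ("close", {}), ("write", {"count": 12}), ("exit_group", {})]
INJECTED = [("open", {"path": "/var/app/in.txt"}), ("read", {"count": 100}),
            ("execve", {"path": "/bin/sh"})]
OVERFLOW = [("open", {"path": "/var/app/in.txt"}), ("read", {"count": 100}),
            ("write", {"count": 70000})]

if __name__ == "__main__":
    for name, calls in (("benign", BENIGN), ("injected", INJECTED), ("overflow", OVERFLOW)):
        print(name, monitor(calls))
```

The two alerts come from different checks: `execve` is simply not a continuation of any legal trace, while the oversized `write` is a perfectly legal system call in a perfectly legal position and is caught only by the invariant on its argument, which is why the assertions are checked in addition to the grammar. The recursive-descent recognizer is adequate for a small grammar; the stack it carries is the parse state a production monitor would keep per process.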

[Figure: Example of Invariant Evaluation]

Questions?