Advanced Computer Networks & Computer and Network Security: Prof. Dr. Hasan Hüseyin BALIK (7 Week)


Advanced Computer Networks & Computer and Network Security

Prof. Dr. Hasan Hüseyin BALIK

(7th Week)
Outline
• 2. Computer security technology and principles
—2.1. Cryptographic Tools
—2.2. User Authentication
—2.3. Access Control
—2.4. Malicious Software
—2.5. Denial-of-Service Attacks
—2.6. Intrusion Detection
—2.7. Firewalls and Intrusion Prevention Systems
2.6 Intrusion Detection
2.6 Outline
• Intruders
• Intrusion Detection
• Analysis Approaches
• Host-Based Intrusion Detection
• Network-Based Intrusion Detection
• Distributed or Hybrid Intrusion Detection
• Intrusion Detection Exchange Format
• Honeypots
• Example System: Snort
Classes of Intruders – Cyber Criminals
• Individuals or members of an organized crime group with a goal of financial reward
• Their activities may include:
  • Identity theft
  • Theft of financial credentials
  • Corporate espionage
  • Data theft
  • Data ransoming
• Typically they are young, often Eastern European, Russian, or southeast Asian hackers, who do business on the Web
• They meet in underground forums to trade tips and data and coordinate attacks
Classes of Intruders – Activists
• Are either individuals, usually working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes
• Also known as hacktivists
• Skill level is often quite low
• Aim of their attacks is often to promote and publicize their cause, typically through:
  • Website defacement
  • Denial of service attacks
  • Theft and distribution of data that results in negative publicity or compromise of their targets
Classes of Intruders – State-Sponsored Organizations
• Groups of hackers sponsored by governments to conduct espionage or sabotage activities
• Also known as Advanced Persistent Threats (APTs) due to the covert nature and persistence over extended periods involved with any attacks in this class
• Widespread nature and scope of these activities by a wide range of countries from China to the USA, UK, and their intelligence allies
Classes of Intruders – Others
• Hackers with motivations other than those previously listed
• Include classic hackers or crackers who are motivated by technical challenge or by peer-group esteem and reputation
• Many of those responsible for discovering new categories of buffer overflow vulnerabilities could be regarded as members of this class
• Given the wide availability of attack toolkits, there is a pool of “hobby hackers” using them to explore system and network security
Intruder Skill Levels – Apprentice
• Hackers with minimal technical skill who primarily use existing attack toolkits
• They likely comprise the largest number of attackers, including many criminal and activist attackers
• Given their use of existing known tools, these attackers are the easiest to defend against
• Also known as “script-kiddies” due to their use of existing scripts (tools)
Intruder Skill Levels – Journeyman
• Hackers with sufficient technical skills to modify and extend attack toolkits to use newly discovered, or purchased, vulnerabilities
• They may be able to locate new vulnerabilities to exploit that are similar to some already known
• Hackers with such skills are likely found in all intruder classes
• Adapt tools for use by others
Intruder Skill Levels – Master
• Hackers with high-level technical skills capable of discovering brand new categories of vulnerabilities
• Write new powerful attack toolkits
• Some of the better known classical hackers are of this level
• Some are employed by state-sponsored organizations
• Defending against these attacks is of the highest difficulty
Examples of Intrusion
• Remote root compromise
• Web server defacement
• Guessing/cracking passwords
• Copying databases containing credit card numbers
• Viewing sensitive data without authorization
• Running a packet sniffer
• Distributing pirated software
• Using an unsecured modem to access internal network
• Impersonating an executive to get information
• Using an unattended workstation
Intruder Behavior
• Target acquisition and information gathering
• Initial access
• Privilege escalation
• Information gathering or system exploit
• Maintaining access
• Covering tracks
Examples of Intruder Behavior
Definitions
• Security Intrusion: Unauthorized act of bypassing the security mechanisms of a system
• Intrusion Detection: A hardware or software function that gathers and analyzes information from various areas within a computer or a network to identify possible security intrusions
Intrusion Detection System (IDS)
• Comprises three logical components:
  • Sensors - collect data
  • Analyzers - determine if intrusion has occurred
  • User interface - view output or control system behavior
• Host-based IDS (HIDS)
  • Monitors the characteristics of a single host for suspicious activity
• Network-based IDS (NIDS)
  • Monitors network traffic and analyzes network, transport, and application protocols to identify suspicious activity
• Distributed or hybrid IDS
  • Combines information from a number of sensors, often both host and network based, in a central analyzer that is able to better identify and respond to intrusion activity
Figure 8.1 Profiles of Behavior of Intruders and Authorized Users (figure: probability density function plotted against a measurable behavior parameter; the profile of intruder behavior and the profile of authorized user behavior, each with its own average behavior, overlap in observed or expected behavior)


IDS Requirements
• Run continually
• Be fault tolerant
• Resist subversion
• Impose a minimal overhead on system
• Configured according to system security policies
• Adapt to changes in systems and users
• Scale to monitor large numbers of systems
• Provide graceful degradation of service
• Allow dynamic reconfiguration
Analysis Approaches
• Anomaly detection
  • Involves the collection of data relating to the behavior of legitimate users over a period of time
  • Current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder
• Signature/Heuristic detection
  • Uses a set of known malicious data patterns or attack rules that are compared with current behavior
  • Also known as misuse detection
  • Can only identify known attacks for which it has patterns or rules
Anomaly Detection
A variety of classification approaches are used:
• Statistical: Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics
• Knowledge based: Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior
• Machine-learning: Approaches automatically determine a suitable classification model from the training data using data mining techniques
Signature or Heuristic Detection
• Signature approaches
  • Match a large collection of known patterns of malicious data against data stored on a system or in transit over a network
  • The signatures need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data
  • Widely used in anti-virus products, network traffic scanning proxies, and in NIDS
• Rule-based heuristic identification
  • Involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses
  • Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage
  • Typically rules used are specific
  • SNORT is an example of a rule-based NIDS
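The two analysis approaches of the preceding slides, a statistical (univariate) anomaly detector built from a legitimate user's past behavior and a signature (misuse) detector built from known-bad patterns, side by side over the same records. This is an added example written for these notes, not code from the lecture; the audit records, the user name "alice", the metrics (hour of day, bytes transferred, command) and the two signatures are all constructed for illustration.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed training observations of a legitimate user over a period of time:
# (user, hour_of_day, bytes_transferred, command)
TRAINING = [
    ("alice", 9, 1200, "ls"), ("alice", 10, 3400, "cat report.txt"),
    ("alice", 11, 2100, "git pull"), ("alice", 14, 2800, "make"),
    ("alice", 15, 1900, "ls"), ("alice", 16, 2600, "git push"),
]

# Constructed observations to classify.
OBSERVED = [
    ("alice", 10, 2500, "git status"),                     # ordinary activity
    ("alice", 3, 48_000_000, "tar czf /tmp/x.tgz /srv/db"), # unusual hour and volume
    ("alice", 11, 1500, "cat /etc/passwd"),                # ordinary profile, known-bad pattern
]


@dataclass
class Profile:
    """Univariate statistical model of one metric: its mean and spread."""
    mean: float
    stdev: float


def build_profile(values):
    # pstdev of a constant metric is 0; guard so the z-score stays defined
    return Profile(statistics.mean(values), statistics.pstdev(values) or 1.0)


def z_score(profile, value):
    return abs(value - profile.mean) / profile.stdev


def anomaly_detect(training, observed, threshold=3.0):
    """Flag observations whose hour or byte count deviates from the learned profile.

    Returns (command, max_z) pairs. The threshold is the knob from Figure 8.1:
    lowering it catches more intruders but pushes more authorized users into the
    overlap region and raises the false alarm rate.
    """
    hour_profile = build_profile([r[1] for r in training])
    bytes_profile = build_profile([r[2] for r in training])
    flagged = []
    for _user, hour, nbytes, cmd in observed:
        score = max(z_score(hour_profile, hour), z_score(bytes_profile, nbytes))
        if score > threshold:
            flagged.append((cmd, score))
    return flagged


# Signature (misuse) rules: only activity matching one of these can be detected.
SIGNATURES = {
    "read-password-file": re.compile(r"\bcat\s+/etc/(passwd|shadow)\b"),
    "archive-db-dir": re.compile(r"\btar\b.*\s/srv/db\b"),
}


def signature_detect(observed):
    """Return (command, signature_name) for every record that matches a known pattern."""
    hits = []
    for _user, _hour, _nbytes, cmd in observed:
        for name, pattern in SIGNATURES.items():
            if pattern.search(cmd):
                hits.append((cmd, name))
    return hits


def run_sample():
    return anomaly_detect(TRAINING, OBSERVED), signature_detect(OBSERVED)


if __name__ == "__main__":
    anomalies, hits = run_sample()
    print("anomaly detection flagged:", [c for c, _ in anomalies])
    print("signature detection flagged:", hits)
```

On the constructed data the two methods disagree in the expected way: the 03:00 bulk archive is far outside alice's profile and is flagged by the anomaly detector, while `cat /etc/passwd` fits her normal hours and volumes and is only caught because a signature exists for it. Neither method alone covers both records, which is the usual argument for running them together.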


Host-Based Intrusion Detection (HIDS)
• Adds a specialized layer of security software to vulnerable or sensitive systems
• Can use either anomaly or signature and heuristic approaches
• Monitors activity to detect suspicious behavior
• Primary purpose is to detect intrusions, log suspicious events, and send alerts
• Can detect both external and internal intrusions
Data Sources and Sensors
• A fundamental component of intrusion detection is the sensor that collects data
• Common data sources include:
  • System call traces
  • Audit (log file) records
  • File integrity checksums
  • Registry access
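One of the listed HIDS data sources, file integrity checksums, as a small sensor: a baseline of SHA-256 digests is taken, a later snapshot is compared against it, and the sensor reports modified, added and removed files. This is an added example for these notes, not code from the lecture or from any HIDS product; the files and the tampering scenario are constructed inside a temporary directory so the code runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Checksum a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """The three event kinds a file-integrity sensor raises to the analyzer."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline two files, then change one, add one, delete one."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        (d / "etc").mkdir()
        (d / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (d / "etc" / "motd").write_text("Welcome\n")
        baseline = snapshot(d)

        (d / "etc" / "hosts").write_text("127.0.0.1 localhost\n192.0.2.1 extra\n")
        (d / "etc" / "new.conf").write_text("option=1\n")
        (d / "etc" / "motd").unlink()
        return compare(baseline, snapshot(d))


if __name__ == "__main__":
    print(demo())
```

The baseline must be taken on a known-good system and stored where the monitored host cannot rewrite it (a sensor that keeps its checksums beside the files it protects is trivially subverted, which is what the "resist subversion" requirement on the IDS Requirements slide is about).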
Figure 8.2 Architecture for Distributed Intrusion Detection (figure: a LAN monitor and hosts running an agent module report over a router and the Internet to a central manager running the manager module)


Figure 8.3 Agent Architecture (figure: the OS audit function produces OS audit information, which passes through a filter for security interest and a reformat function to produce the host audit record (HAR); a logic module holding signatures and templates and an analysis module reporting notable activity, noteworthy sessions and modifications feed alerts and query/response traffic to the central manager)


Network-Based IDS (NIDS)
• Monitors traffic at selected points on a network
• Examines traffic packet by packet in real or close to real time
• May examine network, transport, and/or application-level protocol activity
• Comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface
• Analysis of traffic patterns may be done at the sensor, the management server or a combination of the two
Figure 8.4 Passive NIDS Sensor (figure: network traffic enters the NIDS sensor through a monitoring interface with no IP address in promiscuous mode; the sensor is reached by its management interface, which has an IP address)


Figure 8.5 Example of NIDS Sensor Deployment (figure: Internet, external firewall, service network (Web, Mail, DNS, etc.), internal firewalls, internal server and data resource networks, and workstation networks, each behind a LAN switch or router; candidate NIDS sensor locations are numbered 1 to 4)


Intrusion Detection Techniques
• Attacks suitable for signature detection
  • Application layer reconnaissance and attacks
  • Transport layer reconnaissance and attacks
  • Network layer reconnaissance and attacks
  • Unexpected application services
  • Policy violations
• Attacks suitable for anomaly detection
  • Denial-of-service (DoS) attacks
  • Scanning
  • Worms
Stateful Protocol Analysis (SPA)
• Subset of anomaly detection that compares observed network traffic against predetermined universal vendor supplied profiles of benign protocol traffic
• This distinguishes it from anomaly techniques trained with organization specific traffic protocols
• Understands and tracks network, transport, and application protocol states to ensure they progress as expected
• A key disadvantage is the high resource use it requires
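Stateful protocol analysis at the transport layer, reduced to its core: a per-flow state machine encoding the benign TCP progression (SYN, SYN-ACK, ACK, data, FIN/RST) and a report of every packet that does not fit the state its flow is in. This is an added example for these notes, not code from the lecture or from any IDS; the state table is a simplified profile (it ignores retransmissions, simultaneous open and most of the close handshake) and the event stream is constructed, not captured.

```python
from collections import defaultdict

# Simplified vendor-style profile of benign TCP behaviour: for each state, which
# observed flag is allowed next and what state the flow moves to.
EXPECTED = {
    "NEW":         {"SYN": "SYN_SENT"},
    "SYN_SENT":    {"SYN-ACK": "SYN_RCVD"},
    "SYN_RCVD":    {"ACK": "ESTABLISHED"},
    "ESTABLISHED": {"DATA": "ESTABLISHED", "FIN": "CLOSING", "RST": "CLOSED"},
    "CLOSING":     {"ACK": "CLOSING", "FIN": "CLOSED", "RST": "CLOSED"},
    # "CLOSED" has no entry: any further packet on the flow is a violation
}


def analyze(events):
    """events: (flow_id, flag) pairs in capture order.

    Returns (violations, final_states); each violation is (flow, state, flag).
    The per-flow state table is exactly the resource cost the slide warns about:
    a sensor on a busy link must hold one entry per live connection.
    """
    state = defaultdict(lambda: "NEW")
    violations = []
    for flow, flag in events:
        current = state[flow]
        nxt = EXPECTED.get(current, {}).get(flag)
        if nxt is None:
            violations.append((flow, current, flag))   # report, keep the flow's state
        else:
            state[flow] = nxt
    return violations, dict(state)


# Constructed event stream: A is a complete benign connection, B carries data with
# no handshake at all, C sends data before the three-way handshake finished.
SAMPLE_EVENTS = [
    ("A", "SYN"), ("A", "SYN-ACK"), ("A", "ACK"), ("A", "DATA"), ("A", "DATA"),
    ("A", "FIN"), ("A", "ACK"), ("A", "FIN"),
    ("B", "DATA"),
    ("C", "SYN"), ("C", "SYN-ACK"), ("C", "DATA"),
]


def run_sample():
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    violations, states = run_sample()
    for flow, st, flag in violations:
        print(f"flow {flow}: unexpected {flag} while in state {st}")
    print(states)
```

A real SPA engine keys flows by the full 5-tuple, ages idle entries out of the table, and layers application-protocol state (for example the command sequence of SMTP or FTP) on top of the transport state shown here.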
Logging of Alerts
• Typical information logged by a NIDS sensor includes:
• Timestamp
• Connection or session ID
• Event or alert type
• Rating
• Network, transport, and application layer protocols
• Source and destination IP addresses
• Source and destination TCP or UDP ports, or ICMP types and codes
• Number of bytes transmitted over the connection
• Decoded payload data, such as application requests and responses
• State-related information
IETF Intrusion Detection Working Group
• Purpose is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to management systems that may need to interact with them
• The working group issued the following RFCs in 2007:
• Intrusion Detection Message Exchange Requirements (RFC 4766)
  • Document defines requirements for the Intrusion Detection Message Exchange Format (IDMEF)
  • Also specifies requirements for a communication protocol for communicating IDMEF
• The Intrusion Detection Message Exchange Format (RFC 4765)
  • Document describes a data model to represent information exported by intrusion detection systems and explains the rationale for using this model
  • An implementation of the data model in the Extensible Markup Language (XML) is presented, an XML Document Type Definition is developed, and examples are provided
• The Intrusion Detection Exchange Protocol (RFC 4767)
  • Document describes the Intrusion Detection Exchange Protocol (IDXP), an application level protocol for exchanging data between intrusion detection entities
  • IDXP supports mutual authentication, integrity, and confidentiality over a connection oriented protocol
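How a sensor's logged alert (the fields on the Logging of Alerts slide) becomes an IDMEF message that another system can consume, and how the receiver reads it back. This is an added example for these notes, not code from the lecture or from any IDS; it uses a simplified subset of the RFC 4765 XML data model (IDMEF-Message, Alert, Analyzer, CreateTime, Source/Target with Node/Address and Service, Classification, AdditionalData) and the analyzer id, addresses and payload are constructed sample values.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime

IDMEF_NS = "http://iana.org/idmef"   # namespace used in the RFC 4765 examples
NS = f"{{{IDMEF_NS}}}"


@dataclass
class SensorAlert:
    """The per-alert record a NIDS sensor logs (field list from the slide)."""
    timestamp: str          # ISO 8601 with offset
    session_id: str
    event_type: str
    rating: str
    protocol: str           # application-layer protocol name
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    bytes_transmitted: int
    decoded_payload: str
    state_info: str


def ntpstamp(iso_time):
    """CreateTime requires an NTP timestamp; 2208988800 s separate 1900 from 1970."""
    secs = int(datetime.fromisoformat(iso_time).timestamp()) + 2208988800
    return f"0x{secs:08x}.0x00000000"


def to_idmef(alert, analyzer_id="sensor-1"):
    """Serialize a SensorAlert as a (simplified) IDMEF-Message."""
    ET.register_namespace("idmef", IDMEF_NS)
    msg = ET.Element(NS + "IDMEF-Message", version="1.0")
    a = ET.SubElement(msg, NS + "Alert", messageid=alert.session_id)
    ET.SubElement(a, NS + "Analyzer", analyzerid=analyzer_id)
    ET.SubElement(a, NS + "CreateTime", ntpstamp=ntpstamp(alert.timestamp)).text = alert.timestamp
    for tag, ip, port in (("Source", alert.src_ip, alert.src_port),
                          ("Target", alert.dst_ip, alert.dst_port)):
        ep = ET.SubElement(a, NS + tag)
        addr = ET.SubElement(ET.SubElement(ep, NS + "Node"), NS + "Address", category="ipv4-addr")
        ET.SubElement(addr, NS + "address").text = ip
        svc = ET.SubElement(ep, NS + "Service")
        ET.SubElement(svc, NS + "port").text = str(port)
        ET.SubElement(svc, NS + "protocol").text = alert.protocol
    ET.SubElement(a, NS + "Classification", text=alert.event_type)
    for meaning, value in (("rating", alert.rating), ("bytes", str(alert.bytes_transmitted)),
                           ("state", alert.state_info), ("decoded_payload", alert.decoded_payload)):
        ad = ET.SubElement(a, NS + "AdditionalData", type="string", meaning=meaning)
        ET.SubElement(ad, NS + "string").text = value
    return ET.tostring(msg, encoding="unicode")


def parse_idmef(xml_text):
    """What a manager would pull out of an incoming IDMEF-Message."""
    ns = {"i": IDMEF_NS}
    alert = ET.fromstring(xml_text).find("i:Alert", ns)
    extra = {ad.get("meaning"): ad.find("i:string", ns).text
             for ad in alert.findall("i:AdditionalData", ns)}
    return {
        "messageid": alert.get("messageid"),
        "classification": alert.find("i:Classification", ns).get("text"),
        "source": alert.find("i:Source/i:Node/i:Address/i:address", ns).text,
        "target_port": int(alert.find("i:Target/i:Service/i:port", ns).text),
        "rating": extra["rating"],
    }


# Constructed sample alert (addresses from the documentation ranges).
SAMPLE = SensorAlert("2024-05-01T12:00:00+00:00", "s-42", "Suspicious HTTP request", "high",
                     "http", "192.0.2.10", "198.51.100.5", 51234, 80, 812,
                     "GET /admin HTTP/1.1", "established")

if __name__ == "__main__":
    print(to_idmef(SAMPLE))
    print(parse_idmef(to_idmef(SAMPLE)))
```

Using a namespace-aware parser on the receiving side matters: IDMEF consumers that match on bare tag names break as soon as a producer prefixes the elements, and consumers that accept unvalidated XML from remote sensors are a classic place for XML-related parsing problems, which is one reason RFC 4767 specifies mutual authentication for the transport.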
Figure 8.7 Model For Intrusion Detection Message Exchange (figure: a data source produces activity observed by a sensor, which emits events to an analyzer; the analyzer raises alerts to a manager, which sends a notification to the operator, who issues a response; the administrator sets the security policy that governs the manager and the analyzer)


Honeypots
• Decoy systems designed to:
  • Lure a potential attacker away from critical systems
  • Collect information about the attacker’s activity
  • Encourage the attacker to stay on the system long enough for administrators to respond
• Systems are filled with fabricated information that a legitimate user of the system wouldn’t access
• Resources that have no production value
  • Therefore incoming communication is most likely a probe, scan, or attack
  • Initiated outbound communication suggests that the system has probably been compromised
Honeypot Classifications
• Low interaction honeypot
  • Consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of those services or systems
  • Provides a less realistic target
  • Often sufficient for use as a component of a distributed IDS to warn of imminent attack
• High interaction honeypot
  • A real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers
  • Is a more realistic target that may occupy an attacker for an extended period
  • However, it requires significantly more resources
  • If compromised could be used to initiate attacks on other systems
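The low interaction honeypot of the classification above, reduced to a single service handler: it answers with an emulated mail-server banner, records the first line the client sends, rejects every command and closes, never executing anything. Alongside it is the flow-direction rule from the Honeypots slide (any inbound contact is a probe; honeypot-initiated outbound traffic suggests compromise). This is an added example for these notes, not code from the lecture or from any honeypot product; the banner, the decoy address and the client probe are constructed, and the handler is driven over a socket pair so it runs offline.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed decoy identity. The banner imitates a mail server; nothing behind it
# implements SMTP, which is what makes this "low interaction".
HONEYPOT_IP = "192.0.2.50"
EMULATED_BANNER = b"220 mail.example.test ESMTP ready\r\n"


def handle_client(conn, peer):
    """Greet, capture the first line, refuse, close; return the record to log."""
    conn.sendall(EMULATED_BANNER)
    data = conn.recv(1024)
    first_line = data.split(b"\r\n", 1)[0].decode("utf-8", "replace")
    conn.sendall(b"500 command not recognized\r\n")
    conn.close()
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "peer": peer,
        "first_line": first_line,
        # a decoy has no production value, so any inbound contact is suspicious
        "verdict": "probe-or-attack",
    }


def classify_flow(src_ip, dst_ip, initiated_by_honeypot):
    """Direction rule for flows touching the decoy, fed by a NIDS sensor or firewall log."""
    if dst_ip == HONEYPOT_IP:
        return "inbound-probe"
    if src_ip == HONEYPOT_IP and initiated_by_honeypot:
        return "possible-compromise"     # the decoy should never start a conversation
    return "benign"


def simulate_probe(client_payload, peer=("203.0.113.7", 40000)):
    """Run handle_client against a scripted client over an in-process socket pair."""
    server_side, client_side = socket.socketpair()

    def scripted_client():
        client_side.recv(1024)           # read the banner
        client_side.sendall(client_payload)
        client_side.recv(1024)           # read the rejection
        client_side.close()

    t = threading.Thread(target=scripted_client)
    t.start()
    record = handle_client(server_side, peer)
    t.join()
    return record


if __name__ == "__main__":
    print(simulate_probe(b"EHLO scanner.example\r\n"))
    print(classify_flow("203.0.113.7", HONEYPOT_IP, False))
    print(classify_flow(HONEYPOT_IP, "198.51.100.9", True))
```

Because the handler never interprets the client's input, a compromise of the honeypot process itself is far less likely than with a high interaction system, which is the trade-off the classification slide describes: less realism, much less risk of the decoy being turned against other hosts.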
Figure 8.8 Example of Honeypot Deployment (figure: Internet, external firewall, LAN switches or routers, service network (Web, Mail, DNS, etc.) and internal network; honeypots are shown at three locations: outside the external firewall, on the service network, and on the internal network)


Figure 8.9 Snort Architecture (figure: packet decoder feeds the detection engine, whose output goes to the logger and the alerter)

• Snort is an open source, highly configurable and portable host-based or network-based IDS
• Snort is referred to as a lightweight IDS
  • Easily deployed on most nodes (host, server, router) of a network
  • Efficient operation that uses small amount of memory and processor time
  • Easily configured by system administrators who need to implement a specific security solution in a short amount of time
• Snort can perform real-time packet capture, protocol analysis, and content searching and matching
Figure 8.10 Snort Rule Formats
(a) Rule Header: Action | Protocol | Source IP address | Source Port | Direction | Dest IP address | Dest Port
(b) Options: Option Keyword | Option Arguments | ... (repeated for each option)


Snort Rule Actions

Action    Description
alert     Generate an alert using the selected alert method, and then log the packet.
log       Log the packet.
pass      Ignore the packet.
activate  Alert and then turn on another dynamic rule.
dynamic   Remain idle until activated by an activate rule, then act as a log rule.
drop      Make iptables drop the packet and log the packet.
reject    Make iptables drop the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
sdrop     Make iptables drop the packet but do not log it.
Examples of Snort Rule Options
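The rule format of Figure 8.10 and the action table above, worked through in code: a parser that splits a Snort rule into its header fields and option list, and a small matcher that evaluates parsed rules against a packet and returns the rule action. This is an added example for these notes, not Snort's own code; it implements only the `msg`, `content` and `nocase` options (with `nocase` modifying the preceding `content`, as in Snort), the `$HOME_NET` / `$EXTERNAL_NET` values, the rules and the packets are constructed, and real rule files support far more options and syntax than this handles.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed variable bindings; a real deployment defines these in snort.conf.
VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}


@dataclass
class SnortRule:
    action: str        # alert, log, pass, activate, dynamic, drop, reject, sdrop
    protocol: str
    src_ip: str
    src_port: str
    direction: str     # "->" or "<>"
    dst_ip: str
    dst_port: str
    options: list      # (keyword, argument or None) in rule order


HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    """Split a rule into the Figure 8.10(a) header fields and the 8.10(b) option list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {text!r}")
    options = []
    # split on ';' only outside double quotes, so a quoted msg may contain ';'
    for raw in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', m.group(8)):
        raw = raw.strip()
        if raw:
            kw, _, arg = raw.partition(":")
            options.append((kw.strip(), arg.strip().strip('"') if arg else None))
    return SnortRule(*m.groups()[:7], options)


def ip_matches(spec, ip):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)) != negate


def port_matches(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")            # "80", "1024:", ":1023", "80:90"
    if sep:
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)


def header_matches(rule, pkt):
    if rule.protocol != pkt["proto"]:
        return False
    forward = (ip_matches(rule.src_ip, pkt["src"]) and port_matches(rule.src_port, pkt["sport"])
               and ip_matches(rule.dst_ip, pkt["dst"]) and port_matches(rule.dst_port, pkt["dport"]))
    if forward or rule.direction == "->":
        return forward
    return (ip_matches(rule.src_ip, pkt["dst"]) and port_matches(rule.src_port, pkt["dport"])
            and ip_matches(rule.dst_ip, pkt["src"]) and port_matches(rule.dst_port, pkt["sport"]))


def payload_matches(options, payload):
    """Every content: option must be present; a following nocase; makes it case-insensitive."""
    for i, (kw, arg) in enumerate(options):
        if kw != "content":
            continue
        nocase = i + 1 < len(options) and options[i + 1][0] == "nocase"
        hay, needle = (payload.lower(), arg.lower()) if nocase else (payload, arg)
        if needle not in hay:
            return False
    return True


def evaluate(rules, pkt):
    """Return (action, msg) of the first matching rule, or None if no rule matches."""
    for rule in rules:
        if header_matches(rule, pkt) and payload_matches(rule.options, pkt["payload"]):
            return rule.action, dict(rule.options).get("msg")
    return None


# Constructed rules and packets (pkt is a plain dict, not a real capture).
RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB admin path access"; content:"/admin"; nocase; sid:1000001; rev:1;)',
    'log udp any any -> $HOME_NET 53 (msg:"DNS query logged"; sid:1000002;)',
]]
PKT_HTTP = {"proto": "tcp", "src": "203.0.113.9", "sport": 51000, "dst": "10.1.2.3", "dport": 80,
            "payload": "GET /ADMIN/ HTTP/1.1\r\nHost: intranet\r\n\r\n"}
PKT_DNS = {"proto": "udp", "src": "10.1.2.3", "sport": 40001, "dst": "10.0.0.53", "dport": 53, "payload": ""}
PKT_TLS = {"proto": "tcp", "src": "203.0.113.9", "sport": 51001, "dst": "10.1.2.3", "dport": 443, "payload": "\x16\x03\x01"}

if __name__ == "__main__":
    for pkt in (PKT_HTTP, PKT_DNS, PKT_TLS):
        print(pkt["dst"], pkt["dport"], "->", evaluate(RULES, pkt))
```

Rule order matters in this matcher exactly as the action table implies: a `pass` rule placed first silences later `alert` rules for the same traffic, so rule files are usually ordered deliberately rather than by convenience.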