8 Week
Security
(Security of Computer Systems)
(8th Week)
Outline
• 2. Computer security technology and
principles
—2.1. Cryptographic Tools
—2.2. User Authentication
—2.3 Access Control
—2.4 Database and Data Center Security
—2.5 Malicious Software
—2.6. Denial-of-Service Attacks
—2.7 Intrusion Detection
—2.8 Firewalls and Intrusion Prevention Systems
2.7 Intrusion Detection
2.7 Outline
• Intruders
• Intrusion Detection
• Analysis Approaches
• Host-Based Intrusion Detection
• Network-Based Intrusion Detection
• Distributed or Hybrid Intrusion Detection
• Intrusion Detection Exchange Format
• Honeypots
• Example System: Snort
Classes of Intruders –
Cyber Criminals
• Individuals or members of an organized crime group with a
goal of financial reward
• Their activities may include:
• Identity theft
• Theft of financial credentials
• Corporate espionage
• Data theft
• Data ransoming
• Typically they are young, often Eastern European, Russian, or
southeast Asian hackers, who do business on the Web
• They meet in underground forums to trade tips and data and
coordinate attacks
Classes of Intruders –
Activists
• Are either individuals, usually working as insiders, or
members of a larger group of outsider attackers, who are
motivated by social or political causes
• Also known as hacktivists
• Skill level is often quite low
• Aim of their attacks is often to promote and publicize their
cause typically through:
• Website defacement
• Denial of service attacks
• Theft and distribution of data that results in negative
publicity or compromise of their targets
• e.g. Anonymous and LulzSec
Classes of Intruders –
State-Sponsored Organizations
• Groups of hackers sponsored by governments to conduct espionage or sabotage activities
Examples of Intruder Behavior
(Figure: typical stages of an intrusion, reconstructed from the slide diagram)
• Target acquisition and information gathering
• Initial access
• Privilege escalation
• Information gathering or system exploit
• Maintaining access
• Covering tracks
Definitions
• Security Intrusion:
Unauthorized act of bypassing the security
mechanisms of a system
• Intrusion Detection:
A hardware or software function that gathers and
analyzes information from various areas within a
computer or a network to identify possible security
intrusions
Intrusion Detection System
(IDS)
• Comprises three logical components: sensors, analyzers, and a user interface (management console)
• Host-based IDS (HIDS)
• Monitors the characteristics of a single host for suspicious activity
(Figure: profiles of behavior of intruders and authorized users. The horizontal axis is a measurable behavior parameter; the average behavior of an intruder and the average behavior of an authorized user appear as two distributions whose tails overlap in observed or expected behavior, so any detection threshold trades false alarms against missed intrusions.)
IDS requirements:
• Provide graceful degradation of service: if some components of the IDS stop working for any reason, the rest of them should be affected as little as possible
• Allow dynamic reconfiguration: the ability to reconfigure the IDS without having to restart it
• Scale to monitor large numbers of systems
Analysis Approaches
• Anomaly detection
• Signature/heuristic detection
Signature detection:
• Match a large collection of known patterns of malicious data against data stored on a system or in transit over a network
• The signatures need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data
Rule-based heuristic detection:
• Involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses
• Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage
Host-Based Intrusion Detection
• A fundamental component of intrusion detection is the sensor that collects data
• Common data sources include:
• System call traces
• Audit (log file) records
• File integrity checksums
• Registry access
Distributed or Hybrid Intrusion Detection
(Figure: architecture for distributed intrusion detection. A LAN monitor and host agent modules on the monitored hosts report across a router and the Internet to a central manager running the manager module.)
(Figure: agent architecture. A logic module driven by templates feeds an analysis module; the analysis module works from signatures, noteworthy sessions and modifications, and sends alerts and notable activity to the central manager, which exchanges query/response messages with the agent.)
Network-Based Intrusion Detection
• Comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface
• Analysis of traffic patterns may be done at the sensor, the management server or a combination of the two
(Figure: a passive NIDS sensor. Network traffic is seen on a monitoring interface that has no IP address and runs in promiscuous mode; a separate management interface with an IP address connects the sensor to the management server.)
(Figure: example NIDS sensor deployment. The diagram shows an external firewall, a service network (Web, Mail, DNS, etc.), an internal firewall and the workstation networks, joined by LAN switches or routers; of the numbered sensor locations only 1, near the external firewall, and 4, near the internal firewall and workstation networks, survived extraction.)
Types of activity a NIDS is used to detect:
• Application layer reconnaissance and attacks (DNS, FTP, HTTP etc.)
• Transport layer reconnaissance and attacks (TCP, UDP)
• Network layer reconnaissance and attacks (IPv4/v6, ICMP)
• Unexpected application services
• Policy violations
• Denial-of-service (DoS) attacks
• Scanning
• Worms
Stateful Protocol Analysis
(SPA)
• NIST SP 800-94 details this subset of anomaly detection
that compares observed network traffic against
predetermined, universal, vendor-supplied profiles of
benign protocol traffic
• This distinguishes it from anomaly techniques trained with
organization-specific traffic profiles
• Understands and tracks network, transport, and
application protocol states to ensure they progress as
expected
• A key disadvantage is the high resource use it requires
Logging of Alerts
• Typical information logged by a NIDS sensor includes:
• Timestamp
• Connection or session ID
• Event or alert type
• Rating
• Network, transport, and application layer protocols
• Source and destination IP addresses
• Source and destination TCP or UDP ports, or ICMP types and
codes
• Number of bytes transmitted over the connection
• Decoded payload data, such as application requests and
responses
• State-related information
IETF Intrusion Detection
Working Group
• Purpose is to define data formats and exchange procedures for sharing
information of interest to intrusion detection and response systems and to
management systems that may need to interact with them
• The working group issued the following RFCs in 2007:
Intrusion Detection Message Exchange Requirements (RFC 4766)
• Document defines requirements for the Intrusion Detection Message Exchange Format (IDMEF)
• Also specifies requirements for a communication protocol for communicating IDMEF
The Intrusion Detection Message Exchange Format (RFC 4765)
• Document describes a data model to represent information exported by intrusion detection systems and
explains the rationale for using this model
• An implementation of the data model in the Extensible Markup Language (XML) is presented, an XML
Document Type Definition is developed, and examples are provided
The Intrusion Detection Exchange Protocol (RFC 4767)
• Document describes the Intrusion Detection Exchange Protocol (IDXP), an application-level protocol for
exchanging data between intrusion detection entities
• IDXP supports mutual authentication, integrity, and confidentiality over a connection-oriented protocol
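What an IDMEF message looks like in practice, as an added example that is not from the slides or from any IDMEF implementation: a sensor-side function serializes one Alert (analyzer, creation time, source, target, classification) into the XML form of the data model, and a manager-side function parses the fields back out. The namespace and element names follow the examples in RFC 4765; the analyzer id, message id, addresses and timestamp are constructed for the example, and only a small subset of the data model is covered.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace and element names follow the IDMEF XML examples in RFC 4765;
# everything else (ids, addresses, times) is constructed for this example.
IDMEF_NS = "http://iana.org/idmef"
ET.register_namespace("idmef", IDMEF_NS)


def _q(tag):
    """Namespace-qualify an IDMEF element name for ElementTree."""
    return f"{{{IDMEF_NS}}}{tag}"


def _ntpstamp(when):
    """CreateTime's ntpstamp attribute: hex seconds.fraction since 1900-01-01."""
    unix = when.timestamp()
    secs = int(unix) + 2208988800          # offset between the NTP and Unix epochs
    frac = int((unix - int(unix)) * (1 << 32))
    return f"0x{secs:08x}.0x{frac:08x}"


def _add_endpoint(alert, tag, ip):
    """Add a Source or Target element holding one IPv4 address."""
    node = ET.SubElement(ET.SubElement(alert, _q(tag)), _q("Node"))
    addr = ET.SubElement(node, _q("Address"), {"category": "ipv4-addr"})
    ET.SubElement(addr, _q("address")).text = ip


def build_alert(message_id, analyzer_id, when, src_ip, dst_ip, classification):
    """Serialize one Alert as an IDMEF-Message document (returned as a string)."""
    root = ET.Element(_q("IDMEF-Message"), {"version": "1.0"})
    alert = ET.SubElement(root, _q("Alert"), {"messageid": message_id})
    ET.SubElement(alert, _q("Analyzer"), {"analyzerid": analyzer_id})
    ct = ET.SubElement(alert, _q("CreateTime"), {"ntpstamp": _ntpstamp(when)})
    ct.text = when.isoformat()
    _add_endpoint(alert, "Source", src_ip)
    _add_endpoint(alert, "Target", dst_ip)
    ET.SubElement(alert, _q("Classification"), {"text": classification})
    return ET.tostring(root, encoding="unicode")


def parse_alert(xml_text):
    """Pull the fields a manager would index out of an IDMEF-Message."""
    root = ET.fromstring(xml_text)
    alert = root.find(_q("Alert"))
    if alert is None:
        raise ValueError("not an IDMEF Alert message")
    addr_path = f"{_q('Node')}/{_q('Address')}/{_q('address')}"
    return {
        "messageid": alert.get("messageid"),
        "analyzerid": alert.find(_q("Analyzer")).get("analyzerid"),
        "create_time": alert.findtext(_q("CreateTime")),
        "source": alert.findtext(f"{_q('Source')}/{addr_path}"),
        "target": alert.findtext(f"{_q('Target')}/{addr_path}"),
        "classification": alert.find(_q("Classification")).get("text"),
    }


def demo():
    """Constructed alert: a scan reported by a hypothetical sensor 'nids-dmz-1'."""
    when = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    xml_text = build_alert("2024-0001", "nids-dmz-1", when,
                           "203.0.113.9", "192.0.2.10", "Port scan")
    return xml_text, parse_alert(xml_text)


if __name__ == "__main__":
    xml_text, fields = demo()
    print(xml_text)
    print(fields)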
(Figure: the IDWG model for intrusion detection message exchange. A data source produces activity that a sensor observes; the sensor emits events to an analyzer; the analyzer raises alerts to a manager; the manager issues notifications to an operator, who selects a response. An administrator sets the security policy applied by the manager and by the sensors and analyzers.)
Honeypots
(Figure: example honeypot deployment. One honeypot sits near the external firewall (labelled 3 in the diagram), one on the service network (Web, Mail, DNS, etc.), and one on the internal network, each attached through a LAN switch or router.)
Example System: Snort
(Figure: Snort processing chain: packet decoder, detection engine, alert.)
• Snort is an open source, highly configurable and portable host-based or network-based IDS
• Snort is referred to as a lightweight IDS
• Easily deployed on most nodes (host, server, router) of a network
• Efficient operation that uses small amount of memory and processor time
• Easily configured by system administrators who need to implement a specific security
solution in a short amount of time
• Snort can perform real-time packet capture, protocol analysis, and content searching and
matching
(a) Rule header: Action | Protocol | Source IP address | Source port | Direction | Dest IP address | Dest port
(b) Options: one or more options, each written as Keyword: Arguments
Action   Description
alert    Generate an alert using the selected alert method, and then log the packet.
log      Log the packet.
pass     Ignore the packet.
activate Alert and then turn on another dynamic rule.
dynamic  Remain idle until activated by an activate rule, then act as a log rule.
drop     Make iptables drop the packet and log the packet.
reject   Make iptables drop the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
sdrop    Make iptables drop the packet but do not log it.
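How the rule header and options above are applied to traffic, as an added example that is not Snort's own code: a Python parser for the seven-field header (action, protocol, source address and port, direction, destination address and port) plus a handful of options (msg, content, nocase, sid, rev), and a matcher that runs parsed rules over constructed packets. The $HOME_NET and $EXTERNAL_NET values, the three rules and the packets are all made up for the example; real Snort supports far more option keywords, and its content matching is byte-oriented and far more elaborate than the substring test here.

```python
import ipaddress
import re

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
# keyword[:arguments]; where arguments may be a double-quoted string
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

# Hypothetical network variables; a real deployment sets these in snort.conf.
VARS = {"$HOME_NET": "192.0.2.0/24", "$EXTERNAL_NET": "!192.0.2.0/24"}


def parse_rule(text):
    """Split a rule into its header fields and a list of (keyword, argument)."""
    head, sep, rest = text.partition("(")
    if not sep or not rest.rstrip().endswith(")"):
        raise ValueError("rule needs a parenthesised option list")
    fields = head.split()
    if len(fields) != 7:
        raise ValueError("header must be: action proto src sport dir dst dport")
    action, proto, sip, sport, direction, dip, dport = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction {direction!r}")
    options = [(k, v.strip().strip('"') if v else None)
               for k, v in OPTION_RE.findall(rest.rstrip()[:-1])]
    return {"action": action, "proto": proto.lower(), "src": sip, "sport": sport,
            "dir": direction, "dst": dip, "dport": dport, "options": options}


def is_valid_rule(text):
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def _ip_matches(spec, ip):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")                       # "!net" means not in net
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _port_matches(spec, port):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:                                     # range "lo:hi", either side open
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def rule_matches(rule, pkt):
    """Header check first, then every content option against the payload."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False

    def one_way(src, sport, dst, dport):
        return (_ip_matches(src, pkt["src"]) and _port_matches(sport, pkt["sport"])
                and _ip_matches(dst, pkt["dst"]) and _port_matches(dport, pkt["dport"]))

    ok = one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    if not ok and rule["dir"] == "<>":                  # bidirectional rule
        ok = one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    if not ok:
        return False
    contents = []                                       # nocase modifies the preceding content
    for key, val in rule["options"]:
        if key == "content":
            contents.append([val, False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
    for needle, nocase in contents:
        hay = pkt["payload"]
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def run_rules(rules, pkt):
    """Return (action, msg) for every parsed rule the packet satisfies."""
    return [(r["action"], dict(r["options"]).get("msg"))
            for r in rules if rule_matches(r, pkt)]


# Constructed rules and packets for the example (sids in the local range).
RULE_TEXT = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Directory traversal attempt"; content:"../"; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SQLi tautology"; content:"or 1=1"; nocase; sid:1000002; rev:1;)',
    'log udp any any -> $HOME_NET 53 (msg:"DNS query"; sid:1000003; rev:1;)',
]
RULES = [parse_rule(r) for r in RULE_TEXT]
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "sport": 51515, "dst": "192.0.2.10", "dport": 80,
     "payload": "GET /../../etc/passwd HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 51516, "dst": "192.0.2.10", "dport": 80,
     "payload": "GET /search?q=' OR 1=1-- HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "192.0.2.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80,
     "payload": "GET /../secret HTTP/1.1\r\n"},   # internal source, so $EXTERNAL_NET fails
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt["src"], "->", pkt["dst"], run_rules(RULES, pkt))
```

The third packet shows the point of the header: the same traversal payload from an internal host does not match, because $EXTERNAL_NET excludes the home network; a rule meant to catch insiders as well would use "any" for the source.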
Examples of Snort Rule Options