Foundation of Information Security: Lecture-14

The lecture covers the types of intruders, including cyber criminals, activists, and state-sponsored organizations, as well as their behaviors and motivations. It discusses various intrusion detection systems (IDS), including host-based, network-based, and distributed IDS, and their detection techniques such as anomaly and signature detection. Additionally, the concept of honeypots as decoy systems to lure attackers and gather information is introduced.

Uploaded by rc156

Foundation of Information Security
Lecture-14
Today’s Content
• Intruders
• Intrusion Detection
• Host-Based Intrusion Detection
• Distributed Host-Based Intrusion Detection
• Network-Based Intrusion Detection
• Honeypots
Intrusion Detection System
- aims to detect attacks
Types of intruders
Cyber criminals: Individuals or members of an organized crime group
with a goal of financial reward.
Example: identity theft, theft of financial credentials, corporate espionage, data
theft, or data ransoming.
Activists/hacktivists: Individuals, usually working as insiders, or
members of a larger group of outsider attackers, who are motivated by
social or political causes.
Example: To promote and publicize their cause, typically through website
defacement, denial of service attacks, or the theft and distribution of data
that results in negative publicity or compromise of their targets.
Types of intruders
State-sponsored organizations: Groups of hackers sponsored by
governments to conduct espionage or sabotage activities, also known as
Advanced Persistent Threats (APTs), due to the covert nature and
persistence over extended periods involved with many attacks in this class.
Example: Information revealed by Edward Snowden indicates the widespread
nature and scope of these activities by a wide range of countries and their
intelligence allies.
Others: Hackers with motivations other than those listed above,
including classic hackers or crackers who are motivated by technical
challenge or by peer-group esteem and reputation.
Example: Those responsible for discovering new categories of buffer overflow
vulnerabilities; also, given the wide availability of attack toolkits, there is a
pool of “hobby hackers” using them to explore system and network security.
Types of intruders based on Skill Level
Apprentice
• Hackers with minimal technical skill who primarily use existing attack toolkits.
• The largest number of attackers, including many criminal and activist attackers.
• The easiest to defend against.
Journeyman
• Hackers with sufficient technical skills to modify and extend attack toolkits to
use newly discovered vulnerabilities; or to focus on different target groups.
• The changes in attack tools make identifying and defending against such
attackers harder.
Master
• Hackers with high-level technical skills capable of discovering brand new
categories of vulnerabilities, or writing new powerful attack toolkits.
• Include some of those employed by state-sponsored organizations.
• Defending against these attacks is of the highest difficulty.
Examples of Intrusion
• Remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information,
without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated
software and music files
• Posing as an executive, calling the help desk, resetting the executive’s e-mail
password, and learning the new password
• Using an unattended, logged-in workstation without permission
Intruder Behavior
• Target acquisition and information gathering
• Initial access
• Privilege escalation
• Information gathering or system exploit
• Maintaining access
• Covering tracks
Intrusion Detection
• Security Intrusion: A security event, or a combination of multiple
security events, that constitutes a security incident in which an
intruder gains, or attempts to gain, access to a system (or system
resource) without having authorization to do so.
• Intrusion Detection: A security service that monitors and analyzes
system events for the purpose of finding, and providing real-time or
near real-time warning of, attempts to access system resources in an
unauthorized manner.
Intrusion Detection Systems: Types
• Host-based IDS (HIDS): Monitors the characteristics of a single host
and the events occurring within that host, such as process identifiers
and the system calls they make, for evidence of suspicious activity.
• Network-based IDS (NIDS): Monitors network traffic for particular
network segments or devices and analyzes network, transport, and
application protocols to identify suspicious activity.
• Distributed or hybrid IDS: Combines information from a number of
sensors, often both host and network-based, in a central analyzer
that is able to better identify and respond to intrusion activity.
Intrusion Detection Systems: Common components
• Sensors: collect data (packets, log files, and system call traces) and
forward it to the analyzer.
• Analyzers: determine if an intrusion has occurred.
• User interface: to view output from the system or control the behavior of
the system.
IDS principles
• Assumption: intruder behavior differs from legitimate users
False positives:
valid user identified as intruder
False negatives:
intruder not identified
IDS requirements
• Run continually with minimal human supervision.
• Fault tolerant: recover from system crashes and reinitializations.
• Resist subversion: monitor itself and detect if it has been modified by an
attacker.
• Impose a minimal overhead on the system where it is running.
• Configurable according to the security policies of the system that is being
monitored.
• Adapt to changes in system and user behavior over time.
• Scale to monitor a large number of hosts.
• Provide graceful degradation of service: if some components of the IDS stop
working, the rest of them should be affected as little as possible.
• Allow dynamic reconfiguration: to reconfigure the IDS without requiring restart.
Detection Techniques
Approaches to analyze sensor data to detect intrusions:
1. Anomaly (behavior) detection
2. Signature or Heuristic detection
Detection Techniques
1. Anomaly (behavior) detection
• First developing a model of legitimate user behavior by collecting and
processing sensor data from the normal operation of the monitored system in a
training phase over a period of time.
• Once the model exists, currently observed behavior is compared with the model
in order to classify it as legitimate or anomalous activity in a detection phase.
• Threshold detection: checks the frequency of occurrence of events over time;
both the thresholds and the time intervals must be chosen, and many false
positives/false negatives are possible.
• Profile based: characterize past behavior of users/groups then detect significant
deviations based on analysis of audit records
Example
• Login frequency during an hour, day
• Frequency of login from different locations or devices
• Frequency of use of different commands
• The number of outgoing messages
• The length of time between two events, e.g., two successive logins
• Session resource utilization
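As an added example (not from the lecture slides) of the profile-based approach, the block below builds a per-user, per-hour-of-day login profile from a constructed training set and then flags observed counts that deviate from it; the users, records and the deviation threshold k are constructed for illustration.

```python
"""Profile-based anomaly detection over per-hour login counts.

Added example, not from the lecture slides. The training phase builds, for
every user and hour of day, the mean and standard deviation of logins per
day; the detection phase flags an observed count that lies more than k
standard deviations above that mean. Users, records and k are constructed.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed training data: (user, day, hour). alice logs in at 09:00 and
# 13:00 on each of five days, plus one extra 09:00 login on day 1.
TRAINING_LOGINS = [("alice", d, h) for d in range(5) for h in (9, 13)] + \
                  [("alice", 1, 9)]

def build_profile(logins, num_days):
    """Training phase: profile[user][hour] = (mean, stdev) of logins/day."""
    counts = defaultdict(lambda: defaultdict(Counter))  # user -> hour -> day
    for user, day, hour in logins:
        counts[user][hour][day] += 1
    profile = {}
    for user, per_hour in counts.items():
        profile[user] = {}
        for hour in range(24):
            series = [per_hour[hour][d] for d in range(num_days)]
            profile[user][hour] = (mean(series), pstdev(series))
    return profile

def detect_anomalies(profile, observed, k=3.0, min_std=0.5):
    """Detection phase over (user, hour, count) observations. A floor on the
    standard deviation stops hours with a constant training history from
    flagging every single login; an unknown user is always reported."""
    alerts = []
    for user, hour, count in observed:
        if user not in profile:
            alerts.append((user, hour, count, "no profile for user"))
            continue
        mu, sigma = profile[user][hour]
        z = (count - mu) / max(sigma, min_std)
        if z > k:
            alerts.append((user, hour, count, f"z={z:.1f} above mean {mu:.2f}"))
    return alerts
```

The floor on the standard deviation is the threshold/profile trade-off the slide mentions: lower it and quiet hours raise more alerts, raise it and small deviations go unreported.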
Detection Techniques
2. Signature or Heuristic detection
• Signature approaches:
• Uses a large collection of known patterns (signatures) of malicious data, compared
against data stored on a system or in transit over a network, to decide whether an
intrusion is in progress; also known as misuse detection.
• It is widely used in antivirus products and NIDS
• Rule-based anomaly detection: Define rules based on past observed
normal behaviour.
Disadvantage: Only identifies known attacks for which it has patterns or
rules.
Example
• Users should not be logged in more than one session
• Users do not make copies of system, password files
• Users should not read in other users’ directories
• Users must not write other users’ files
• Users who log after hours often access the same files they used
earlier
• Number of attempts for unauthorized access of a file
Host-based IDS (HIDS)

• Specialized software to monitor system activity to detect suspicious behavior
– primary purpose is to detect intrusions, log suspicious events, and send alerts
– can detect both external and internal intrusions
– May halt an attack before any damage is done
• Two approaches, often used in combination:
– Anomaly detection: consider normal/expected behavior over a period of
time; apply statistical tests to detect intruder
• threshold detection: for various events (#/volume of copying)
• profile based (time/duration of login)
– Signature detection: defines proper (or bad) behavior (rules)
What do we Monitor?
Audit Records

• Native audit records: provided by operating systems, logs of software and
user activity
Advantage: no additional collection software is needed
Disadvantage: audit records may not contain all needed information, or not in
a convenient form
• Detection-specific audit records: IDS specific
• Additional overhead but specific to IDS task
• Often log individual elementary actions e.g. may contain fields for:
subject, action, object, exception-condition, resource-usage, time-stamp
Advantage: may work on different systems
Disadvantage: extra overhead in collecting information
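The rule-based examples from the signature-detection slide (one session per user, no copying of password files, no reading or writing in other users' directories) can be checked directly against detection-specific audit records with the fields listed above. The block below is an added example, not from the lecture slides; the records, usernames, paths and the /home/<user>/ ownership layout are constructed.

```python
"""Rule-based (signature) detection over detection-specific audit records.
Added example, not from the lecture slides. Records carry the fields the
slides list (subject, action, object, exception-condition, resource-usage,
time-stamp); users, paths and the /home/<user>/ ownership layout are constructed."""
from collections import defaultdict

def make_record(subject, action, obj, exc="none", usage=0, ts=0):
    return {"subject": subject, "action": action, "object": obj,
            "exception-condition": exc, "resource-usage": usage,
            "time-stamp": ts}

# Constructed audit trail, one elementary action per record.
AUDIT = [
    make_record("alice", "login", "tty1", ts=1),
    make_record("alice", "read", "/home/alice/notes.txt", ts=2),
    make_record("alice", "read", "/home/bob/secrets.txt", exc="EACCES", ts=3),
    make_record("alice", "login", "pts/0", ts=4),   # second concurrent session
    make_record("alice", "copy", "/etc/shadow", ts=5),
    make_record("bob", "login", "tty2", ts=6),
    make_record("bob", "write", "/home/alice/.bashrc", ts=7),
    make_record("alice", "logout", "tty1", ts=8),
]

PROTECTED = {"/etc/passwd", "/etc/shadow"}

def owner_of(path):
    """Owner of a path under the assumed /home/<user>/ layout, else None."""
    parts = path.split("/")
    return parts[2] if len(parts) > 3 and parts[1] == "home" else None

def apply_rules(records):
    """Return (time-stamp, subject, rule) for every rule violation. A denied
    attempt (exception-condition set) still counts: the rule is about the
    attempt, not its success."""
    sessions = defaultdict(int)
    alerts = []
    for r in records:
        s, a, o, ts = r["subject"], r["action"], r["object"], r["time-stamp"]
        if a == "login":
            sessions[s] += 1
            if sessions[s] > 1:
                alerts.append((ts, s, "more than one session"))
        elif a == "logout":
            sessions[s] = max(0, sessions[s] - 1)
        elif a == "copy" and o in PROTECTED:
            alerts.append((ts, s, "copied system/password file"))
        elif a in ("read", "write") and owner_of(o) not in (None, s):
            alerts.append((ts, s, f"{a} in another user's directory"))
    return alerts
```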
Common Data Sources
• System call traces
• Audit (log file) records
• File integrity checksums
• Registry access (specific to Windows Systems)
Distributed Host-based IDS (Distributed HIDS)
• Host-based IDS on multiple computers connected with LAN
• Effective defense by coordination and cooperation among IDSs across the network.
• Host agents collect and analyse audit records on individual hosts
• LAN monitor agents analyse LAN traffic
• Host and LAN monitor agents send alerts to a central manager
• Central manager combines data to detect intrusion, may request data from specific
hosts
Issues in the design of a distributed IDS:
• Dealing with different sensor data formats
• Data transmitted across the network by agents must have its integrity and
confidentiality assured.
• A centralized architecture creates a potential bottleneck and single point of
failure.
• A decentralized architecture requires complex coordination.
Network-Based IDS
– Monitor traffic at selected points on a network by the sensors
– In (near) real time to detect intrusion patterns
– May examine network, transport and/or application-level
protocol activity directed toward systems
• Comprises a number of sensors
– Inline (possibly as part of other net device) – traffic passes
through it, runs as software on Routers/Switches
– Passive (monitors copy of traffic)
Honeypots
• Decoy systems
– Filled with fabricated info and instrumented with monitors/event loggers
– Lure a potential attacker away from critical systems
– Collect information about the attacker’s activity
– Encourage the attacker to stay on the system long enough for administrators
to respond
• Systems not accessible to legitimate users; a resource that has no production
value.
• Any attempt to communicate with the system is most likely a probe, scan, or attack.
• If the honeypot initiates outbound communication, the system has probably been compromised.
• Once hackers are within the network, administrators can observe their behavior
in detail and figure out defenses.
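The two observations above (inbound traffic to a honeypot is almost certainly hostile; outbound traffic from it signals compromise) translate directly into triage logic. The block below is an added example, not from the lecture slides; the addresses, the management host permitted to talk to the honeypot and the port-count scan threshold are assumed.

```python
"""Honeypot traffic triage over a constructed connection log.
Added example, not from the lecture slides. It applies two observations
from the slides: a connection *to* the honeypot is most likely a probe, scan
or attack, and a connection the honeypot *initiates* suggests compromise.
Addresses, the management host allowed to reach it and the scan threshold
are assumed."""
from collections import defaultdict

HONEYPOTS = {"10.0.5.20"}
MANAGEMENT = {"10.0.0.2"}   # administrators' monitoring/log host (assumed)
SCAN_PORTS = 3              # distinct ports before a source counts as scanning

# Constructed log lines: "timestamp src_ip:src_port -> dst_ip:dst_port"
LOG = """\
100 10.0.0.2:51000 -> 10.0.5.20:22
101 198.51.100.7:40001 -> 10.0.5.20:22
102 198.51.100.7:40002 -> 10.0.5.20:80
103 198.51.100.7:40003 -> 10.0.5.20:445
104 10.0.5.20:33001 -> 10.0.0.2:514
105 10.0.5.20:33002 -> 203.0.113.9:8443
"""

def parse_line(line):
    """Split one log line into (ts, src_ip, src_port, dst_ip, dst_port)."""
    ts, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return int(ts), src_ip, int(src_port), dst_ip, int(dst_port)

def triage(log_text):
    """Return (ts, verdict, peer) for every flow touching a honeypot.
    Management traffic is the only expected legitimate traffic."""
    ports_seen = defaultdict(set)
    verdicts = []
    for line in log_text.splitlines():
        ts, src_ip, _, dst_ip, dst_port = parse_line(line)
        if dst_ip in HONEYPOTS and src_ip not in MANAGEMENT:
            ports_seen[src_ip].add(dst_port)
            kind = "SCAN" if len(ports_seen[src_ip]) >= SCAN_PORTS else "PROBE"
            verdicts.append((ts, kind, src_ip))
        elif src_ip in HONEYPOTS and dst_ip not in MANAGEMENT:
            verdicts.append((ts, "COMPROMISE", dst_ip))   # honeypot calling out
    return verdicts
```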
Example of Honeypot Deployment
Summary
• Introduced intruders & intrusion detection
• Intrusion Detection: To distinguish normal behaviour from intruders
• Intrusion detection approaches
– Host-based (single and distributed)
– Distributed Host-based
– Network
• Honeypots
