The document presents an agenda for a presentation on Intrusion Detection Systems (IDS). It will include introductions to IDS, the methodology of intrusion detection, and deployment of IDS. It then provides background information on intrusions, including how they have become more sophisticated over time and the consequences of intrusions. It discusses different types of intruders and intrusion techniques like password guessing. The document also covers topics like the motivation, basis, and approaches of intrusion detection systems including misuse detection and anomaly detection.
Intrusion Detection Final
PRESENTED BY: Manmeet Kaur 13-508, Anmol Dabra 13-515, Sapna 13-522

Agenda
1. Introduction to IDS - Manmeet Kaur
2. Methodology of Intrusion Detection - Anmol Dabra
3. Deployment of IDS - Sapna

Brief Introduction to Intrusion
- The level of seriousness and sophistication of recent cyber-attacks has risen dramatically over the past 10 years.
- Widely available free automated intrusion tools and exploit scripts duplicate the known methods of attack.
- Attacks are getting more sophisticated and easier to copy.
- Increased connectivity and complexity, increased availability of vulnerability information and attack scripts via the Internet, and dependence on distributed network services.
- The nature of computer crime is that it is unpredictable: previous threats or attacks cannot be used as a metric to prepare for future threats or attacks (yet they are the basis for all of today's signature-based ID products).

INTRUSION
Dictionary meaning: entrance by force or without permission or welcome.
An intrusion is a deliberate unauthorized attempt, successful or not, to break into, access, manipulate, or misuse some valuable property, where the misuse may render the property unreliable or unusable.
The person who intrudes is an intruder.

Types of Intruders:
Attack and Intrusion
- Attack and intrusion can be viewed from a number of perspectives: the intruder's and the victim's.
- Each perspective brings with it a criterion for judging the success of the attack.
- An intrusion has taken place if the attack is considered successful from the victim's point of view (the victim has experienced some loss or consequences).
- A vulnerability in the victim's system, exploited by an intruder with an objective, is what enables a successful attack.
- The intrusion process ends when some or all objectives of the intruder are realized, or the intruder gives up.
- Because multiple perspectives are involved in a single attack, defining what constitutes an attack is difficult.

Intrusion is a significant security problem for networked systems, and this trespass can be either:
- User trespass: 1. an unauthorized logon to a machine, or 2. an authorized user acquiring privileges beyond those that have been authorized.
- Software trespass: in the form of a virus, worm or Trojan horse.

Consequences of Intrusion
- If an intrusion has occurred without the user knowing about or reacting to it, the danger exists that the intruder gets control over all of the resources and thus over the whole computer/network.
- Once on the network, the intruder's main focus is to get control of the system and to erase signs of entry.
- The intruder may operate in stealth mode and secretly spread from system to system, using the compromised network as a springboard.
- The intruder has various kinds of scripts (parking; cleanup of log files, system and event files, file-integrity-checker files and ID system files, e.g. Wipe 1.0, Wzap.c, Zap.c) that he can use to strengthen his position, making it almost impossible to regain control over the computer/network.
- Loss of reputation
- Loss of confidentiality
- Loss of valuable data

Intrusion Techniques
Password Guessing
It is the most common attack. The following techniques are used to guess passwords:
- try the default password shipped with the system
- exhaustively try all short passwords (1-3 characters long)
- try all words in the system's online dictionary
- try the user's personal information (full name, spouse, children etc.)
- try all legitimate license plate numbers for the state
- try the user's phone number, social security number, room number etc.
- tap the line between user and host system

Password Capture
- watching over the shoulder as the password is entered
- monitoring an insecure network login (e.g. telnet, FTP, web, email)
- extracting recorded information after a successful login (web history/cache, last number dialled etc.)
- using a Trojan horse to bypass restrictions on access. Example: a game invited system operators to use it in their spare time. It did play a game, but in the background it copied the password file.

Password File Protection
To protect the file that relates IDs to passwords, one of two ways can be employed:
1. One-way function: the system stores only the value of a function of the user's password. When the user presents a password, the system transforms it and compares the result with the stored value.
2. Access control: access to the password file is limited to one or a very few accounts.

Examples of Intrusion
- remote root compromise
- web server defacement
- guessing / cracking passwords
- copying databases containing credit card numbers
- viewing sensitive data without authorization
- running a packet sniffer
- distributing pirated software
- using an unsecured modem to access the internal network
- impersonating an executive to get information
- using an unattended workstation

Intrusion Detection
What Is Intrusion Detection
- E. Amoroso: Intrusion Detection is the process of identifying and responding to malicious activity targeted at computing and network resources.
- Analogy: security cameras and burglar alarms in a house; intrusion detection in information systems.
- Categories: attack detection and intrusion detection.
- The goal of intrusion detection is to positively identify all true attacks and negatively identify all non-attacks.

Characteristics of ID
- ID monitors a whole system or just a part of it.
- Intrusion detection occurs either during an intrusion or after it.
- ID can be stealthy or openly advertised.
- If suspicious activity occurs it produces an alarm and keeps logs that can be used for reports on long-term development.
- A human (administrator) is needed for alarm processing.
- ID systems can produce an alarm and/or produce an automated response.

Motivation of ID
The motivation for intrusion detection varies for different sites:
- Some use IDS for tracking, tracing, and prosecution of intruders.
- Some use IDS as a mechanism for protecting computing resources.
- Some use IDS for identifying and correcting vulnerabilities.

Why Intrusion Detection
Detecting and reacting to an attack:
- Possible to stop the attack before anything serious happens, and to do damage control.
- Knowledge of the attack and managing the damage.
- Gathering information about the attack and trying to stop it from happening again.
- Gathering information about attacks against the ID system itself; useful data for the security administration.
- Timely and correct response is imperative in IDS.

IDS
An intrusion detection system (IDS) is a system used to detect unauthorized intrusions into computer systems and networks. Intrusion detection as a technology is not new; it has been used for generations to defend valuable resources. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done.

Basis of IDS
- Assumes intruder behavior differs from that of legitimate users in ways that can be quantified.
- Can't expect to have a crisp, exact distinction.
- There will be some overlap, which causes problems:
  - false positives: a loose interpretation of intruder behaviour; authorized users identified as intruders
  - false negatives: a tight interpretation of intruder behaviour; intruders not identified as intruders

Behavior Profiles

Approaches to Intrusion Detection
Detection Method
It describes the characteristics of the analyzer. Detection can be performed according to two complementary strategies:
- Knowledge-based intrusion detection (misuse detection): when the intrusion-detection system uses information about the attacks, we qualify it as knowledge-based.
- Behaviour-based intrusion detection (anomaly detection): when the intrusion-detection system uses information about the normal behavior of the system it monitors, we qualify it as behavior-based.
Misuse Detection (Signature-based ID)
- Looking for events or sets of events that match a predefined pattern of events that describes a known attack. The patterns are called signatures.
- Rule-based systems: encoding intrusion scenarios as a set of rules.
- State-based intrusion scenario representations.
- Advantages: very effective at detecting attacks without generating an overwhelming number of false alarms.
- Disadvantages: can only detect those attacks they know about, therefore they must be constantly updated with signatures of new attacks. Many misuse detectors are designed to use tightly defined signatures that prevent them from detecting variants of common attacks.

Anomaly Detection
Identify abnormal or unusual behavior (anomalies) on a host or network. Anomaly detectors function on the assumption that attacks are different from normal (legitimate) activity and can therefore be detected by systems that identify these differences.

METHODS FOR ANOMALY DETECTION:
- Statistical measures
- Rule-based measures
- Machine learning
- Data mining
- Neural networks
Anomaly Detection Techniques
Statistical measures
- Data related to the behavior of legitimate users is collected over a period of time.
- Statistical tests are applied to observed behavior to determine whether it is not legitimate user behavior.
- Two types: 1. Threshold detection, 2. Profile based.

1. Threshold Detection
- Involves counting the number of occurrences of a specific event type over an interval of time. If the count surpasses what is considered a reasonable number that one might expect to occur, an intrusion is assumed.
- It is a crude and ineffective detector of even slightly sophisticated attacks; hence it generates either a lot of false positives or a lot of false negatives.

2. Profile-Based Anomaly Detection
- Characterizes the past behavior of individual users or groups of users and detects significant deviation from that behavior.
- A profile may contain a set of parameters, so that deviation on just a single parameter may not be sufficient to signal an alert.
- The foundation of this approach is an analysis of audit records.

Metrics for Profile-Based Anomaly Detection
- Counter: non-negative integer, only incremented. Example: number of logins in an hour by a user.
- Gauge: non-negative integer, may be incremented or decremented; used to measure the current value of some entity. Example: number of outgoing messages.
- Interval timer: length of time between two related events. Example: time between successive logins to an account.
- Resource utilization: quantity of resources consumed during a specific period. Example: number of pages printed.

ADVANTAGES
- Prior knowledge of security flaws is not required.
- The detector program learns what is normal behavior and then looks for deviations.
- This approach is not based on system-dependent characteristics and vulnerabilities. Thus it is readily portable among a variety of systems.

DISADVANTAGES
- Usually produces a large number of false alarms due to the unpredictable behaviors of users and networks.
- Often requires extensive training sets of system event records in order to characterize normal behavior patterns.

Rule-Based Intrusion Detection
It involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder. Two types: 1. Anomaly detection, 2. Penetration identification.

Rule-based Anomaly Detection
- Historical records are analyzed to identify usage patterns, and rules are generated automatically that describe those patterns.
- Current behavior is then observed and matched against the above set of rules to determine whether it conforms to any historically observed pattern of behavior.
- It differs from statistical anomaly detection in that it doesn't require knowledge of security vulnerabilities; it is based on observing past behavior.

Rule-based Penetration Identification
- Based on expert-system technology.
- The rules generated here are specific to the machine and operating system.
- Rules are generated by experts rather than by automated analysis of audit data.
- System administrators and security analysts are interviewed to collect a suite of known penetration scenarios and key events that threaten the security of the target system.
- ADVANTAGES: effective at detecting attacks without generating an overwhelming number of false alarms.
- DISADVANTAGES: lack of flexibility; can only detect those attacks they know about, therefore they must be constantly updated with rules for new attacks.
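As an added example (not from the slides), the two strategies above run side by side over constructed audit records in the slides' field order: a tightly defined misuse signature for password guessing, and a profile-based anomaly detector built on a counter metric and a resource-utilization metric. The user, host, rule text and all numbers are constructed; the slow scenario slips past the narrow signature but not the profile, and the heavy print job shows the profile's false alarm.

```python
import statistics
from collections import defaultdict

DAY = 86400

# Constructed audit records in the slides' field order:
# subject, action, object, exception-condition, resource usage, time stamp (s).
def rec(subject, action, obj, exc, res, ts):
    return {"subject": subject, "action": action, "object": obj,
            "exception": exc, "resource": res, "ts": ts}

def day_records(day, fail_offsets, pages):
    """One constructed day for user alice: a login at 09:00, failed-password
    attempts at the given offsets (s) from it, and one print job."""
    base = day * DAY + 9 * 3600
    rs = [rec("alice", "login", "host1", "none", 0, base)]
    rs += [rec("alice", "login", "host1", "bad-password", 0, base + t) for t in fail_offsets]
    if pages:
        rs.append(rec("alice", "print", "lp0", "none", pages, base + 3600))
    return rs

# Ten normal days as training data; an occasional mistyped password is normal.
TRAINING = []
for day, (nfail, pages) in enumerate([(0, 18), (1, 22), (0, 20), (0, 19), (0, 21),
                                      (0, 20), (1, 18), (0, 22), (0, 20), (0, 20)]):
    TRAINING += day_records(day, [-30] * nfail, pages)

BURST = day_records(10, [5 * k for k in range(6)], 20)     # 6 failures within 25 s
SLOW = day_records(11, [600 * k for k in range(6)], 20)    # 6 failures spread over 50 min
HEAVY_PRINT = day_records(12, [], 120)                     # legitimate but unusual print job

# Misuse detection: one tightly defined signature, "n failed logins within `window` s".
def misuse_detect(records, subject, n=5, window=60):
    fails = sorted(r["ts"] for r in records if r["subject"] == subject
                   and r["action"] == "login" and r["exception"] == "bad-password")
    return any(fails[i + n - 1] - fails[i] <= window for i in range(len(fails) - n + 1))

# Profile-based anomaly detection on two of the slides' metric types:
# a counter (failed logins per day) and resource utilization (pages printed per day).
def daily_metrics(records, subject):
    per_day = defaultdict(lambda: {"fails": 0, "pages": 0})
    for r in records:
        if r["subject"] != subject:
            continue
        d = per_day[r["ts"] // DAY]
        if r["action"] == "login" and r["exception"] == "bad-password":
            d["fails"] += 1
        elif r["action"] == "print":
            d["pages"] += r["resource"]
    return per_day

def build_profile(training, subject):
    """Mean and population standard deviation of each metric over the training days."""
    days = list(daily_metrics(training, subject).values())
    return {m: (statistics.mean([d[m] for d in days]), statistics.pstdev([d[m] for d in days]))
            for m in ("fails", "pages")}

def anomaly_detect(profile, records, subject, threshold=3.0):
    """Alarm on any day/metric more than `threshold` standard deviations above the profile."""
    alarms = []
    for day, d in sorted(daily_metrics(records, subject).items()):
        for m, (mean, sd) in profile.items():
            z = (d[m] - mean) / (sd or 1.0)
            if z > threshold:
                alarms.append((day, m, round(z, 1)))
    return alarms

PROFILE = build_profile(TRAINING, "alice")

def compare():
    """Both detectors on each scenario: {name: (misuse alarm?, anomaly alarms)}."""
    return {name: (misuse_detect(recs, "alice"), anomaly_detect(PROFILE, recs, "alice"))
            for name, recs in (("burst", BURST), ("slow", SLOW), ("heavy_print", HEAVY_PRINT))}

if __name__ == "__main__":
    for name, (misuse, anomaly) in compare().items():
        print(f"{name:12s} misuse={misuse!s:5s} anomaly={anomaly}")
```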
Misuse Detection vs. Anomaly Detection

Methodology        | Advantage                                            | Disadvantage
Misuse Detection   | Accurate, and generates much fewer false alarms      | Cannot detect novel or unknown attacks
Anomaly Detection  | Able to detect unknown attacks based on audit data   | High false-alarm rate, and limited by the training data

AUDIT RECORDS
- A fundamental tool for intrusion detection.
- A record of ongoing activity by users is maintained as input to the IDS.
- Two plans:
1. Native audit records: all operating systems include accounting software that collects information on user activity. Advantage: no additional collection software is needed. Disadvantage: might not contain the needed information, or not in a convenient form.
2. Detection-specific audit records: a collection facility that generates audit records containing the information required by the IDS. Advantage: can be made vendor independent and ported to a variety of systems. Disadvantage: extra overhead of an additional accounting package.

Audit Record Format
Each audit record has the following fields:
- Subject: initiator of the action
- Action: operation performed by the subject on the object
- Object: receptor of the action
- Exception-condition: which exception condition, if any, is raised on return
- Resource usage: amount used of some resources
- Time stamp: unique time and date stamp identifying when the action took place

Base-Rate Fallacy
- In practice an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms.
- If too few intrusions are detected -> false sense of security.
- If too many false alarms -> they are ignored / time is wasted.
- This is very hard to do. Existing systems seem not to have a good record.
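A worked instance of the base-rate fallacy, added here and not part of the slides. The record volume, base rate, detection rate and false-alarm rate are assumed values chosen to show why a detector that looks accurate still buries the administrator in false alarms, and how low the false-alarm rate must go before half the alarms are real.

```python
# Assumed scenario (constructed): 1,000,000 audit records a day, of which 10 are intrusive
# (base rate 1e-5); the detector flags 99% of intrusions and raises a false alarm on
# 0.1% of benign records.

def alarm_precision(base_rate, detection_rate, false_alarm_rate):
    """P(intrusion | alarm) by Bayes' rule: the share of alarms that are real intrusions."""
    true_alarm = base_rate * detection_rate
    false_alarm = (1.0 - base_rate) * false_alarm_rate
    return true_alarm / (true_alarm + false_alarm)

def daily_alarms(records_per_day, base_rate, detection_rate, false_alarm_rate):
    """Expected alarm counts the administrator faces each day."""
    intrusions = records_per_day * base_rate
    true_alarms = intrusions * detection_rate
    false_alarms = (records_per_day - intrusions) * false_alarm_rate
    return {"true": true_alarms, "false": false_alarms, "missed": intrusions - true_alarms}

def required_false_alarm_rate(base_rate, detection_rate, target_precision):
    """Solve precision = b*d / (b*d + (1-b)*f) for f: the false-alarm rate needed
    before `target_precision` of the alarms are genuine."""
    return (base_rate * detection_rate * (1.0 - target_precision)
            / (target_precision * (1.0 - base_rate)))

if __name__ == "__main__":
    b, d, f = 1e-5, 0.99, 1e-3
    print(f"precision: {alarm_precision(b, d, f):.4f}")   # roughly one alarm in a hundred is real
    print(daily_alarms(1_000_000, b, d, f))               # about 10 true and 1000 false alarms a day
    print(f"false-alarm rate for 50% precision: {required_false_alarm_rate(b, d, 0.5):.2e}")
```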
Distributed Intrusion Detection
Major design issues:
- Different audit formats: different systems employ different native audit collection systems.
- Integrity: prevent an intruder from masking his activities by altering transmitted audit data.
- Confidentiality: because transmitted audit information can be valuable.
- Architecture: centralized (a single central point of collection) or decentralized (more than one analysis centre).

Distributed Intrusion Detection - Architecture
Main components:
- Host agent module: an audit collection module on a single system. It collects data on security-related events and transmits it to the central manager.
- LAN monitor agent module: same as the host agent module, but it analyzes LAN traffic and transmits the results to the central manager.
- Central manager module: receives data from the above two, then processes and correlates it to detect intrusions.

Agent Architecture

HONEYPOTS
- A honeypot is a system designed to look like something that an intruder can hack. They are built for many purposes, but the overriding one is to deceive attackers and learn about their tools and methods.
- Decoy systems to lure attackers away from accessing critical systems, to collect information about their activities, and to encourage the attacker to stay on the system so the administrator can respond.
- They are filled with fabricated information.
DEPLOYMENT OF IDS

AUDIT SOURCE LOCATION
Intrusion Detection Systems can be characterized according to the source of the events they analyze. Typical system classes include:
- host-based IDSs
- application-based IDSs
- network-based IDSs
- correlation systems

HIDS
Host-based IDSs (HIDS) detect attacks against a specific host by analyzing audit data produced by the host operating system.

HOST IDS NETWORK

HIDS contd.
Audit sources include:
1. System information (Accounting): Operating systems make available to processes in user space information about their internal working and security-relevant events. It provides information on the consumption of shared resources, such as processor time, memory, disk or network usage, and applications launched, by the users of the system. There exist programs that collect and show this information, e.g., ps, vmstat, top, netstat. The information provided is usually very complete and reliable because it is retrieved directly from the kernel. Unfortunately, few operating systems provide a mechanism to systematically and continuously collect this information.
Accounting pros and cons
Pros: Accounting is found almost everywhere, in network equipment, in mainframes as well as in UNIX workstations. This omnipresence has led some designers of intrusion-detection prototypes to try to use it as an audit source. The format of the accounting record is the same on all UNIXes, the information is compressed to save disk space, and the overhead introduced by the recording process is very small. It is well integrated in modern operating systems, and easy to set up and exploit.
Cons: the information identifying the command launched, as well as the time stamps, are too imprecise to allow efficient detection of attacks.

2. Syslog facility [Lonvick, 2001]: Syslog is an audit facility provided by many UNIX-like operating systems. It allows programmers to specify a text message describing an event to be logged. Additional information, like the time when the event happened and the host where the program is running, is automatically added.
PROS: Syslog is very easy to use.
CONS: Applications usually log information valuable for debugging purposes that is not necessarily tailored to the needs of intrusion detection. Furthermore, a specific audit format is not imposed by the facility but changes according to the program that uses it. Thus, it may be difficult to extract audit data from logs and perform sophisticated analysis. Finally, the logged information can be easily polluted by messages crafted by an attacker to cover her tracks.

3. C2 audit trail: Some operating systems comply with the C2 level of the TCSEC standard and thus monitor the execution of system calls. The data obtained is accurate because it comes directly from within the kernel.
PROS:
- a strong identification of the user: its login identity, its real (current) identity, its effective (set-user-id bit) identity, and its real and effective (set-group-id bit) group identities;
- a partition of audit events into classes to facilitate the configuration of the audit system;
- a fine-grained parameterization of the information gathered according to user, class, audit event, and failure or success of the system call; and
- a shutdown of the machine if the audit system encounters an error status (usually running out of disk space).
CONS:
- a heavy use of system resources when detailed monitoring is requested. Processor performance could potentially be reduced by as much as 20%, and requirements for local disk space storage and archiving are high;
- a possible denial-of-service attack by filling the audit file system;
- difficulty in setting up the audit service owing to the number of parameters involved;
- difficulty in exploiting the information obtained owing to its size and complexity. This is compounded by the heterogeneity of audit-system interfaces and audit record formats in the various operating systems, and by the parameterization of the audit system in terms of subjects (users) and actions (system calls or events), and only very rarely objects (on which the action is performed). Important objects should be monitored by an intrusion-detection tool, and this is done primarily by scanning the entire trail.
NIDS
Network-based IDSs (NIDSs) detect attacks by analyzing the network traffic exchanged on a network link.

Network-based information sources
1. SNMP information: The Simple Network Management Protocol (SNMP) Management Information Base (MIB) is a repository of information used for network management purposes. It contains configuration information (routing tables, addresses, names) and performance/accounting data (counters to measure the traffic at various network interfaces and at different layers of the network).
2. Network packets
- Low-level analysis: on the header and/or the payload of a packet. By performing pattern matching, signature analysis, or some other kind of analysis of the raw content of the TCP or IP packet, the intrusion-detection system can perform its analysis quickly. This is a stateless approach that does not take session information into account, because the latter could span several network packets.
- Higher-level analysis: exploiting knowledge about the protocol followed by the communication. The intrusion-detection system acts as an application gateway and analyzes each packet with respect to the application or protocol being followed; the analysis is more thorough, but also much more costly. This is a stateful analysis. Analysis of the higher levels of the protocol also depends on the particular machine being protected, as implementations of the protocols are not identical from one network stack to another. Higher-level analysis supports more sophisticated analysis of the data, but it is usually slower and requires more resources.
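An added example (not from the slides) contrasting the two analysis levels above over constructed TCP segments: the stateless matcher inspects each payload on its own, while the stateful one keeps per-session state, reorders the segments by sequence number and reassembles the stream before matching. The signature bytes, stream ids and sequence numbers are made up; stream D shows the stateful path refusing to match across a gap in the session.

```python
from collections import defaultdict

# Constructed signature and captured segments. A segment is
# (stream id, starting TCP sequence number, payload bytes).
SIGNATURE = b"KNOWN-BAD-PATTERN"

CAPTURE = [
    ("A", 1000, b"GET /index.html\r\n" + SIGNATURE + b"\r\n"),  # pattern inside one segment
    ("B", 5010, b"PATTERN\r\n"),      # second half of stream B, captured first (out of order)
    ("B", 5000, b"KNOWN-BAD-"),       # first half of stream B (10 bytes, so next seq is 5010)
    ("C", 7000, b"GET /about.html\r\n"),  # benign traffic
    ("D", 9000, b"KNOWN-"),           # stream D is missing the segment at seq 9006 ...
    ("D", 9020, b"BAD-PATTERN"),      # ... so its data cannot be trusted as one session
]

def stateless_match(segments, signature):
    """Low-level analysis: look at each packet's raw payload in isolation.
    Returns the indexes of the segments that contain the signature."""
    return [i for i, (_stream, _seq, payload) in enumerate(segments) if signature in payload]

def reassemble(segments):
    """Session state: group segments by stream, order them by sequence number and
    join contiguous payloads. Reassembly stops at the first gap or overlap, since
    bytes after a hole cannot be placed reliably."""
    by_stream = defaultdict(list)
    for stream, seq, payload in segments:
        by_stream[stream].append((seq, payload))
    data = {}
    for stream, parts in by_stream.items():
        parts.sort()
        buf, expected = b"", parts[0][0]
        for seq, payload in parts:
            if seq != expected:
                break
            buf += payload
            expected += len(payload)
        data[stream] = buf
    return data

def stateful_match(segments, signature):
    """Higher-level analysis: match against the reassembled stream, not single packets.
    Returns the ids of the streams that carry the signature."""
    return [stream for stream, buf in reassemble(segments).items() if signature in buf]

if __name__ == "__main__":
    print("stateless hits (segment index):", stateless_match(CAPTURE, SIGNATURE))
    print("stateful hits (stream id):     ", stateful_match(CAPTURE, SIGNATURE))
```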
NIDS contd.
- Network-based IDSs employ sensors that listen to the network segments and report to a central management console, which is typically used for analysis and reporting.
- Network sensors can also be implemented on some routers.
- One sensor will be needed for each network segment if the packets are routed to the segments by a switch (unless the switch allows traffic on the same virtual local area network to be copied to a mirror Switch Port Analyser port).

Disadvantages of Network-Based IDSs:
- A NIDS may have difficulty processing all packets in a large or busy network and therefore may fail to recognize an attack launched during periods of high traffic.
- Modern switch-based networks make NIDS more difficult: switches subdivide networks into many small segments and provide dedicated links between hosts serviced by the same switch. Most switches do not provide universal monitoring ports.
- A NIDS cannot analyze encrypted information.
- Most NIDSs cannot tell whether or not an attack was successful.

HIDS vs NIDS

The Future of IDS
- IDS is a quite new area in security engineering.
- The current solutions do not work very well in real life.
- There are still many things to complement.
- The future and the potential of IDS are really bright and attractive.