Intrusion Detection/Prevention Systems

The document discusses intrusion detection and prevention systems. It defines intrusion, intrusion detection, and intrusion prevention. It describes the components and approaches of intrusion detection systems, including misuse detection, anomaly detection, host-based detection, and network-based detection. It discusses the pros and cons of different approaches and deployment methods. It also covers related tools like Snort, Wireshark, and tcpdump.

Uploaded by Dereje Chinkl

Intrusion Detection/Prevention Systems
Objectives and Deliverables
• Understand the concept of IDS/IPS and the two major categorizations: by
  features/models (misuse vs. anomaly detection), and by location (host-based
  vs. network-based). Understand the pros and cons of each approach
• Be able to write a Snort rule when given the signature and other
  configuration info
• Understand the difference between exploits and vulnerabilities (and hence
  between exploit-based and vulnerability-based signatures)
Definitions
• Intrusion
  – A set of actions aimed at compromising the security goals, namely the
    integrity, confidentiality, or availability, of a computing or networking
    resource
• Intrusion detection
  – The process of identifying and responding to intrusion activities
• Intrusion prevention
  – An extension of intrusion detection that also exercises access control
    (e.g., dropping or blocking the offending traffic inline) to protect
    computers from exploitation
Elements of Intrusion Detection
• Primary assumptions:
  – System activities are observable
  – Normal and intrusive activities have distinct evidence
• Components of intrusion detection systems:
  – From an algorithmic perspective:
    • Features - capture intrusion evidence
    • Models - piece the evidence together
  – From a system architecture perspective:
    • Various components: audit data processor, knowledge base, decision
      engine, alarm generation and responses
Components of Intrusion Detection System
[Figure: data flow through an IDS]
  Audit Records (assumption: system activities are observable)
  -> Audit Data Preprocessor
  -> Activity Data
  -> Detection Engine, driven by Detection Models (assumption: normal and
     intrusive activities have distinct evidence)
  -> Alarms
  -> Decision Engine, driven by a Decision Table
  -> Action/Report
Intrusion Detection Approaches
• Modeling
  – Features: evidence extracted from audit data
  – Analysis approach: piecing the evidence together
    • Misuse detection (a.k.a. signature-based)
    • Anomaly detection (a.k.a. statistical-based)
• Deployment: Network-based or Host-based
  – Network based: monitor network traffic
  – Host based: monitor computer processes (system calls, logs, file accesses)
Misuse Detection
[Figure: pattern matching of activity data against known intrusion patterns]
  Intrusion patterns: sequences of system calls, patterns of network
  traffic, etc. Activity data is matched against the patterns; a match is
  reported as an intrusion.

Example: if (traffic contains "\x90+de[^\r\n]{30}") then "attack detected"
(the leading "\x90+" matches a run of 0x90 bytes, the x86 NOP instruction
used to pad shellcode, so this rule is a byte-level signature for one exploit)

Problems?
Can't detect new attacks: only intrusions whose pattern is already in the
signature database are reported
Anomaly Detection
[Figure: activity measures are compared against a profile of normal
  behavior; a large deviation is flagged as a probable intrusion]

Define a profile describing "normal" behavior, then detect deviations from it.

Any problem?
Relatively high false positive rates
• Anomalies can just be new normal activities (e.g., a legitimate traffic surge).
• Anomalies can be caused by faults in other elements
  • E.g., router failure or misconfiguration, P2P misconfiguration
• Which method will detect DDoS SYN flooding? A SYN flood carries no
  distinctive payload bytes to sign, but its SYN rate deviates sharply from the
  normal profile, so it is a case for anomaly (statistical) detection.
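The two approaches above side by side, as an added example that is not code from the original slides: a signature (misuse) detector and a statistical (anomaly) detector run over a constructed packet stream in which a NOP-sled exploit payload, a SYN flood and a legitimate burst have been planted. The packet records, the NOP-sled signature, the 30-second training window and the 3-sigma threshold are all assumptions of this example.

```python
"""Signature (misuse) vs. statistical (anomaly) detection over a constructed
packet stream. Added example for this page; the records, the signature and
the thresholds are assumptions, not the slides' own."""
import re
from collections import Counter
from statistics import mean, pstdev

# Misuse signature (assumption, modelled on the NOP-sled rule on the slide):
# a run of 16 or more 0x90 (x86 NOP) bytes anywhere in the payload.
NOP_SLED = re.compile(rb"\x90{16,}")


def build_traffic():
    """Constructed packet records: (second, proto, tcp_flags, payload)."""
    pkts = []
    # Baseline for 30 s: three SYNs per second plus an ordinary HTTP request.
    for t in range(30):
        pkts.extend((t, "tcp", "S", b"") for _ in range(3))
        pkts.append((t, "tcp", "PA", b"GET /index.html HTTP/1.0\r\n"))
    # Planted exploit payload in second 10: NOP sled then shellcode-like bytes.
    pkts.append((10, "tcp", "PA", b"\x90" * 40 + b"\xde\xad\xbe\xef" + b"A" * 30))
    # Planted SYN flood in seconds 31..33: 200 SYNs per second, empty payloads.
    for t in range(31, 34):
        pkts.extend((t, "tcp", "S", b"") for _ in range(200))
    # Legitimate burst ("flash crowd") in second 40: 12 real clients connecting.
    pkts.extend((40, "tcp", "S", b"") for _ in range(12))
    return pkts


def misuse_detect(pkts):
    """Signature matching: report the seconds in which any payload matches a
    known pattern. Finds the planted exploit; says nothing about the flood,
    whose packets carry no payload to match."""
    return sorted({t for (t, _, _, payload) in pkts if NOP_SLED.search(payload)})


def anomaly_detect(pkts, train_seconds=30, k=3.0):
    """Statistical profile: learn the per-second SYN count over the first
    train_seconds (assumed clean), then flag later seconds more than k standard
    deviations above the mean. sigma is floored at 1 so a perfectly regular
    baseline still leaves a margin instead of flagging every extra SYN."""
    syn_per_sec = Counter(t for (t, proto, flags, _) in pkts
                          if proto == "tcp" and flags == "S")
    baseline = [syn_per_sec.get(t, 0) for t in range(train_seconds)]
    threshold = mean(baseline) + k * max(pstdev(baseline), 1.0)
    last_second = max(syn_per_sec)
    return sorted(t for t in range(train_seconds, last_second + 1)
                  if syn_per_sec.get(t, 0) > threshold)


if __name__ == "__main__":
    traffic = build_traffic()
    print("misuse  :", misuse_detect(traffic))    # [10]
    print("anomaly :", anomaly_detect(traffic))   # [31, 32, 33, 40]
```

The flood is visible only to the anomaly detector, the exploit payload only to the signature matcher, and the flash crowd in second 40 is exactly the "new normal activity" false positive the slide warns about: the statistical detector cannot tell it from the flood without further context.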
Host-Based IDSs
• Use OS auditing and monitoring mechanisms to find applications taken over
  by an attacker
  – Log all relevant system events (e.g., file/device accesses)
  – Monitor shell commands and system calls executed by user applications
    and system programs
    • Pay a price in performance if every system call is filtered
• Problems:
  – User dependent: the IDS must be installed and updated on all user machines!
  – If the attacker takes over the machine, they can tamper with the IDS
    binaries and modify the audit logs
  – Only a local view of the attack
The Spread of Sapphire/Slammer Worms
[Figure: the Internet, the gateway routers and "our network"; a network-based
  IDS would sit at the gateway routers, while host-based detection sits on a
  few individual hosts inside the network]
• At the early stage of the worm, only limited worm samples exist.
• Host-based sensors can only cover a limited IP space, which has scalability
  issues. Thus they might not be able to detect the worm in its early stage.

Network IDSs
• Deploying sensors at strategic locations
  – For example, packet sniffing via tcpdump at routers
• Inspecting network traffic
  – Watch for violations of protocols and unusual connection patterns
  – Look into the packet payload for malicious code
• Limitations
  – Cannot execute the payload or do any code analysis!
  – Even DPI gives limited application-level semantic information
  – Must record and process a huge amount of traffic
  – Easily defeated by encryption; mitigated by terminating encryption only at
    the gateway/proxy, so that the sensor behind it sees plaintext
Host-based vs. Network-based IDS
• Give an attack that can only be detected by a host-based IDS but not by a
  network-based IDS
  – Example: an SQL injection attack, e.g., when the request arrives over an
    encrypted connection so that only the host sees the decrypted query
• Can you give an example that can only be detected by a network-based IDS
  but not by a host-based IDS?
Key Metrics of IDS/IPS
• Algorithm
  – Alarm: A; Intrusion: I
  – Detection (true alarm) rate: P(A|I)
    • False negative rate: P(¬A|I) = 1 - P(A|I)
  – False alarm (a.k.a. false positive) rate: P(A|¬I)
    • True negative rate: P(¬A|¬I) = 1 - P(A|¬I)
• Architecture
  – Throughput of NIDS, targeting 10s of Gbps
    • E.g., at 10 Gbps a 40-byte TCP SYN packet arrives every 32 nsec
      (320 bits / 10 Gbps), so per-packet processing must fit in that budget
  – Resilient to attacks
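The rates above, computed from labelled events, plus the quantity an analyst actually needs and the slide does not name: P(I|A), the probability that a given alarm is a real intrusion. It depends on the base rate P(I), and for the rare events an IDS looks for it is far lower than the detection rate suggests. This is an added example, not code from the original slides; the 100-record evaluation set and the one-in-a-thousand base rate are constructed.

```python
"""Computing the four rates on the slide from labelled events, then the
number an analyst actually wants, P(I|A): the probability that a given alarm
is a real intrusion. Added example for this page; the event list and base
rate are constructed."""


def rates(events):
    """events: iterable of (alarm, intrusion) booleans, one per audit record.
    Returns the four conditional rates from the slide as floats."""
    tp = fn = fp = tn = 0
    for alarm, intrusion in events:
        if intrusion:
            if alarm:
                tp += 1
            else:
                fn += 1
        elif alarm:
            fp += 1
        else:
            tn += 1
    positives, negatives = tp + fn, fp + tn
    return {
        "detection_rate": tp / positives,        # P(A|I)
        "false_negative_rate": fn / positives,   # P(not A|I)
        "false_alarm_rate": fp / negatives,      # P(A|not I)
        "true_negative_rate": tn / negatives,    # P(not A|not I)
    }


def alarm_precision(detection_rate, false_alarm_rate, base_rate):
    """Bayes' rule: P(I|A) = P(A|I)P(I) / (P(A|I)P(I) + P(A|not I)P(not I)).
    base_rate is P(I), the fraction of audit records that are intrusions."""
    hit = detection_rate * base_rate
    return hit / (hit + false_alarm_rate * (1.0 - base_rate))


# Constructed evaluation set: 10 intrusions (9 caught, 1 missed) and
# 90 benign records (9 false alarms, 81 quiet).
EVENTS = ([(True, True)] * 9 + [(False, True)] * 1
          + [(True, False)] * 9 + [(False, False)] * 81)

# Assumed operational base rate: one intrusion per 1,000 audit records.
BASE_RATE = 1 / 1000


if __name__ == "__main__":
    r = rates(EVENTS)
    print(r)                                             # P(A|I)=0.9, P(A|not I)=0.1
    p = alarm_precision(r["detection_rate"], r["false_alarm_rate"], BASE_RATE)
    print(f"P(I|A) at base rate {BASE_RATE}: {p:.4f}")   # about 0.0089
```

On the evaluation set the detector looks reasonable (90% detection, 10% false alarms), but at a base rate of 0.1% only about 1 alarm in 112 is real, because the false alarms are drawn from the overwhelmingly larger benign population. Driving P(A|¬I) far below the base rate matters more for a usable IDS than a few more points of P(A|I).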
Architecture of Network IDS
[Figure: processing layers, bottom to top]
  Packet stream
  -> Packet capture (libpcap)
  -> TCP reassembly
  -> Protocol identification
  -> Signature matching (& protocol parsing when needed)
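Why the TCP reassembly layer sits below signature matching, as an added example that is not code from the original slides: a signature split across two segments delivered out of order is invisible to a per-packet matcher and visible only on the reassembled stream, and overlapping retransmissions make the reconstructed stream depend on which copy the receiver keeps. The `/bin/sh` signature, the segments and the two overlap policies are assumptions of this example.

```python
"""The lower layers of the NIDS pipeline on the slide, packet capture ->
TCP reassembly -> signature matching, over constructed segments. Added
example for this page; the signature, the segments and the overlap policies
are assumptions, not the slides' own."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first payload byte
    data: bytes   # payload as captured (e.g. via libpcap)


# Toy content signature (assumption): a shell path inside the stream.
SIGNATURE = re.compile(rb"/bin/sh")


def per_packet_match(segments):
    """Naive matcher that inspects each captured segment on its own."""
    return any(SIGNATURE.search(s.data) for s in segments)


def reassemble(segments, isn=0, policy="first"):
    """Rebuild the contiguous byte stream starting at isn from segments that
    may arrive out of order, duplicated or overlapping. Bytes after a gap are
    not returned. 'policy' decides which copy wins where segments overlap:
    'first' keeps the earliest-received copy, 'last' the latest. Real TCP
    stacks differ here, so an IDS has to model the target's behaviour or the
    attacker can make the IDS and the victim see different streams."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}
    for seg in segments:               # arrival order
        for i, byte in enumerate(seg.data):
            if policy == "last" or (seg.seq + i) not in stream:
                stream[seg.seq + i] = byte
    out = bytearray()
    pos = isn
    while pos in stream:
        out.append(stream[pos])
        pos += 1
    return bytes(out)


def stream_match(segments, policy="first"):
    """Run the signature over the reassembled stream instead of each packet."""
    return SIGNATURE.search(reassemble(segments, policy=policy)) is not None


# Constructed evasion attempt: "/bin/sh" split as "/bi" + "n/sh" with the
# second piece sent first, so no single packet contains the signature.
EVASIVE_SEGMENTS = [
    Segment(seq=3, data=b"n/sh\x00"),
    Segment(seq=0, data=b"/bi"),
]

# Constructed overlap ambiguity: a later segment re-sends bytes 5..6 with
# different content. Under 'first' the stream reads "/bin/sh", under 'last'
# it reads "/bin/XX"; which one the victim acts on depends on its stack.
OVERLAP_SEGMENTS = [
    Segment(seq=0, data=b"/bin/sh"),
    Segment(seq=5, data=b"XX"),
]


if __name__ == "__main__":
    print(per_packet_match(EVASIVE_SEGMENTS))            # False
    print(stream_match(EVASIVE_SEGMENTS))                # True
    print(reassemble(OVERLAP_SEGMENTS, policy="first"))  # b'/bin/sh'
    print(reassemble(OVERLAP_SEGMENTS, policy="last"))   # b'/bin/XX'
```

In Snort the matching step corresponds to a rule's `content:` option and the reassembly step to its stream preprocessor; a rule evaluated without stream reassembly is open to exactly the segmentation evasion shown above.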
Firewall/Net IPS vs. Net IDS
• Firewall/IPS
  – Inline, active filtering: can drop or block traffic
  – Fail-close: if the device fails or is overloaded, traffic is blocked
• Network IDS
  – Passive monitoring (e.g., from a tap or mirror port): can only alert
  – Fail-open: if the sensor fails or drops packets, traffic keeps flowing,
    now unobserved
[Figure: the IDS watches a copy of the traffic beside the path; the firewall
  sits inline on the path]
Related Tools for Network IDS (I)
• While not an element of Snort, Wireshark (formerly called Ethereal) is the
  best-known open source GUI-based packet viewer
• www.wireshark.org offers:
  – Support for various OSes: Windows, macOS
    • Included in the standard packages of many different versions of Linux
      and UNIX
  – Support for both wired and wireless networks
Related Tools for Network IDS (II)
• Also not an element of Snort, tcpdump is a well-established CLI packet
  capture tool
  – www.tcpdump.org offers UNIX source
  – http://www.winpcap.org/windump/ offers WinDump, a Windows port
    of tcpdump
Case Study: Snort IDS
Backup Slides
Problems with Current IDSs
• Inaccuracy of exploit-based signatures
• Cannot recognize unknown anomalies/intrusions
• Cannot provide quality information for forensics or situational-aware
  analysis
  – Hard to differentiate malicious events from unintentional anomalies
    • Anomalies can be caused by network element faults, e.g., router
      misconfiguration, link failures, etc., or application (such as P2P)
      misconfiguration
  – Cannot tell the situational-aware info: attack scope/target/strategy,
    attacker (botnet) size, etc.
Limitations of Exploit Based Signature
[Figure: traffic filtering at the border of our network with the exploit
  signature "10.*01"; the sample packets 1010101 and 10111101 match the
  signature and are filtered, while the polymorphic variants 11111100 and
  00010111 do not match and pass into our network]
Polymorphism!
A polymorphic worm might not have an exact exploit-based signature
Vulnerability Signature
[Figure: traffic filtering at the border of our network with a vulnerability
  signature; all four sample packets, including the polymorphic variants, are
  filtered before reaching our network because they all target the same
  vulnerability]
• Works for polymorphic worms
• Works for all the worms which target the same vulnerability
Example of Vulnerability Signatures
• At least 75% of vulnerabilities are due to buffer overflow
[Figure: a protocol message whose field is copied into a vulnerable buffer;
  an over-long field overflows the buffer]
Sample vulnerability signature
• Length of the protocol message field corresponding to the vulnerable
  buffer > a certain threshold (the size of the buffer)
• Intrinsic to the buffer overflow vulnerability and therefore hard to evade:
  any input that triggers the overflow must exceed the length, whatever
  bytes it carries
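The exploit-based signature of the earlier slide and the vulnerability-based length check of this one, side by side on an assumed toy protocol, as an added example that is not code from the original slides. The protocol (1-byte type, 2-byte length, name field), the 64-byte vulnerable buffer, the byte-pattern signature and the three messages are all constructed for the example; the polymorphic variant changes every byte of the payload but still overflows the buffer.

```python
"""Exploit-based (byte pattern) signature beside a vulnerability-based one
(field length vs. the size of the vulnerable buffer) for an assumed toy
length-prefixed protocol. Added example for this page; the protocol, buffer
size, signature and messages are all constructed, not the slides' own."""
import re
import struct

# Assumed toy protocol: 1-byte type, 2-byte big-endian length, then a 'name'
# field. The (assumed) server copies 'name' into a 64-byte stack buffer
# without checking the length, which is the vulnerability being signed.
VULNERABLE_BUFFER_LEN = 64


def build_message(msg_type, name):
    return struct.pack("!BH", msg_type, len(name)) + name


def parse_message(data):
    """Return (msg_type, name); raise ValueError on a malformed message."""
    if len(data) < 3:
        raise ValueError("short header")
    msg_type, length = struct.unpack("!BH", data[:3])
    name = data[3:3 + length]
    if len(name) != length:
        raise ValueError("truncated name field")
    return msg_type, name


# Exploit signature: the NOP sled plus breakpoint bytes seen in one captured
# sample of the attack. Matches that sample and little else.
EXPLOIT_SIG = re.compile(rb"\x90{8,}\xcc{4}")


def exploit_signature_match(data):
    return EXPLOIT_SIG.search(data) is not None


def vulnerability_signature_match(data):
    """Flag any message whose name field is longer than the buffer it is
    copied into, whatever bytes it carries: the condition that triggers the
    overflow rather than the bytes of one exploit."""
    try:
        _, name = parse_message(data)
    except ValueError:
        return False   # malformed, not the overflow condition; log separately
    return len(name) > VULNERABLE_BUFFER_LEN


# Constructed samples.
BENIGN = build_message(1, b"alice")
ORIGINAL_EXPLOIT = build_message(1, b"\x90" * 16 + b"\xcc" * 4 + b"A" * 80)
# Polymorphic variant: same overflow, but the sled mixes other instructions
# with a few NOPs and uses different filler, so the byte pattern differs.
POLYMORPHIC_EXPLOIT = build_message(1, b"\x41\x42\x90\x43" * 4 + b"\xeb\x00" * 2 + b"B" * 80)


if __name__ == "__main__":
    for label, msg in [("benign", BENIGN), ("original", ORIGINAL_EXPLOIT),
                       ("polymorphic", POLYMORPHIC_EXPLOIT)]:
        print(f"{label:12s} exploit-sig={exploit_signature_match(msg)} "
              f"vuln-sig={vulnerability_signature_match(msg)}")
```

The vulnerability signature needs a protocol parser and knowledge of the buffer size (both obtained from analysing the vulnerable server, not from an attack sample), which is the cost of being independent of any particular exploit; the exploit signature is cheap to derive from one capture but misses the next variant.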
Next Generation IDSs
• Vulnerability-based
• Adaptive
  – Automatically detect & generate signatures for zero-day attacks
• Scenario-based for forensics and being situational-aware
  – Correlate (multiple sources of) audit data and attack information
Counting Zero-Day Attacks
[Figure: architecture of a zero-day detection system. A network tap feeds a
  protocol classifier that splits traffic by protocol and port (TCP 25, 53,
  80, 137, ..., UDP 1434, ...). A known-attack filter removes traffic that
  matches existing signatures. The remainder goes to a flow classifier backed
  by statistical detection and honeynet/darknet input, which separates a
  suspicious traffic pool from a normal traffic pool (the normal traffic
  reservoir). Core signature-generation algorithms run over the suspicious
  pool in real time, driven by policy, to produce new signatures.]
Security Information Fusion
• Internet Storm Center (aka, DShield) has the
largest IDS log repository
• Sensors covering over 500,000 IP addresses
in over 50 countries
• More w/ DShield slides
Requirements of Network IDS
• High-speed, large volume monitoring
– No packet filter drops
• Real-time notification
• Mechanism separate from policy
• Extensible
• Broad detection coverage
• Economy in resource usage
• Resilience to stress
• Resilience to attacks upon the IDS itself!
