Intrusion Detection/Prevention Systems
Objectives and Deliverable
• Understand the concept of IDS/IPS and the two major categorizations: by features/models, and by location. Understand the pros and cons of each approach
• Be able to write a Snort rule when given the signature and other configuration info
• Understand the difference between exploits and vulnerabilities
Definitions
• Intrusion
– A set of actions aimed at compromising the security goals, namely
• integrity, confidentiality, or availability, of a computing and networking resource
• Intrusion detection
– The process of identifying and responding to intrusion activities
• Intrusion prevention
– An extension of ID that also exercises access control to protect computers from exploitation
Elements of Intrusion Detection
• Primary assumptions:
– System activities are observable
– Normal and intrusive activities have distinct evidence
• Components of intrusion detection systems:
– From an algorithmic perspective:
• Features - capture intrusion evidence
• Models - piece the evidence together
– From a system architecture perspective:
• Various components: audit data processor, knowledge base, decision engine, alarm generation and responses
Components of Intrusion Detection System
[Figure: audit records (system activities are observable) → audit data preprocessor → activity data]
• Problems with host-based IDS:
– User dependent: must install/update the IDS on all user machines!
– If an attacker takes over the machine, they can tamper with IDS binaries and modify audit logs
– Only a local view of the attack
The Spread of Sapphire/Slammer Worms
Network Based IDSs
[Figure: Internet, gateway routers, our network; host based detection]
• Sample question:
– SQL injection attack
• Architecture
– Throughput of NIDS, targeting 10s of Gbps
• E.g., at 10 Gbps a 40-byte TCP SYN packet must be processed in 32 nsec
– Resilient to attacks
Architecture of Network IDS
[Figure: processing pipeline, in processing order]
• Packet stream
• TCP reassembly
• Protocol identification
• Signature matching (& protocol parsing when needed)
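The pipeline above, the "write a Snort rule" objective and the SQL injection sample question can be tied together in one runnable toy. The following is an added example, not code from the lecture and not Snort's own code: it parses a small subset of Snort rule syntax (header, msg, content, nocase, sid), reassembles a constructed TCP trace, identifies HTTP by content, percent-decodes it as the "protocol parsing when needed" step, and then applies the rule. The trace, the rule, the hosts (10.0.0.x, 192.0.2.10, shop.example) and the rule subset are all assumptions made for the illustration; the injection request is deliberately split across two out-of-order segments so that the same rule applied per packet finds nothing, which is why reassembly sits below signature matching.

```python
"""Toy network-IDS pipeline (packet stream -> TCP reassembly -> protocol
identification -> signature matching) run over a constructed packet trace.
Added example: not code from the lecture and not Snort's own code."""
import re
from collections import namedtuple
from urllib.parse import unquote_to_bytes

# Constructed TCP segment (only the fields the pipeline needs); seq = first payload byte.
Segment = namedtuple("Segment", "src sport dst dport seq payload")

# Subset of Snort rule syntax understood here:
#   action proto src sport -> dst dport (msg:"..."; content:"..."; nocase; sid:N;)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Parse the header plus the msg/content/nocase/sid options into a dict.
    Option values are assumed not to contain ';' (Snort escapes them; this toy does not)."""
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError("unsupported rule syntax: " + text)
    rule = {"action": m.group("action"), "nocase": False,
            "dport": None if m.group("dport") == "any" else int(m.group("dport"))}
    for opt in (o.strip() for o in m.group("opts").split(";")):
        if opt == "nocase":
            rule["nocase"] = True
        elif opt:
            key, _, val = opt.partition(":")
            rule[key.strip()] = val.strip().strip('"')
    rule["content"] = rule["content"].encode()
    rule["sid"] = int(rule["sid"])
    return rule

def reassemble(segments):
    """Group segments by flow and stitch payloads in sequence order.  Sorting on
    seq repairs out-of-order arrival; keeping the first copy per seq drops a
    retransmit; reassembly stops at a hole rather than guessing the missing bytes."""
    flows = {}
    for s in segments:
        flows.setdefault((s.src, s.sport, s.dst, s.dport), {}).setdefault(s.seq, s.payload)
    streams = {}
    for flow, by_seq in flows.items():
        data, expected = b"", min(by_seq)
        for seq in sorted(by_seq):
            if seq != expected:
                break
            data += by_seq[seq]
            expected = seq + len(by_seq[seq])
        streams[flow] = data
    return streams

def identify_protocol(data):
    """Content-based identification: an HTTP request line, whatever the port."""
    return "http" if data.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")) else "unknown"

def normalize(proto, data):
    """Protocol parsing 'when needed': percent-decode HTTP so an encoded payload cannot evade a plain content match."""
    return unquote_to_bytes(data) if proto == "http" else data

def rule_matches(rule, flow, data):
    if rule["dport"] is not None and flow[3] != rule["dport"]:
        return False
    return (rule["content"].lower() in data.lower()) if rule["nocase"] else rule["content"] in data

def detect(segments, rules):
    """Full pipeline; returns one (sid, msg, proto, flow) tuple per alert."""
    alerts = []
    for flow, raw in reassemble(segments).items():
        proto = identify_protocol(raw)
        data = normalize(proto, raw)
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, flow, data):
                alerts.append((rule["sid"], rule["msg"], proto, flow))
    return alerts

def per_packet_hits(segments, rules):
    """The same rules applied to each segment on its own (no reassembly)."""
    return sum(1 for s in segments for r in rules
               if rule_matches(r, s[:4], normalize("http", s.payload)))

# Constructed rule in Snort syntax; sid 1000001 is in the local-rule range.
RULE_TEXT = ('alert tcp any any -> any 80 (msg:"SQL injection attempt"; '
             'content:"UNION SELECT"; nocase; sid:1000001; rev:1;)')
RULES = [parse_rule(RULE_TEXT)]

# Constructed trace: one injection request split mid-signature over two segments
# that arrive out of order (plus a retransmit), and one benign request.
_A = b"GET /item?id=1%20uni"
_B = b"on%20SELECT%20password%20FROM%20users HTTP/1.1\r\nHost: shop.example\r\n\r\n"
TRACE = [
    Segment("10.0.0.5", 40001, "192.0.2.10", 80, 1000 + len(_A), _B),  # arrives first
    Segment("10.0.0.5", 40001, "192.0.2.10", 80, 1000, _A),
    Segment("10.0.0.5", 40001, "192.0.2.10", 80, 1000, _A),            # retransmit
    Segment("10.0.0.6", 40002, "192.0.2.10", 80, 5000,
            b"GET /item?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
]
```

Calling `detect(TRACE, RULES)` yields a single alert for sid 1000001 on the 10.0.0.5 flow, while `per_packet_hits(TRACE, RULES)` is 0: the content string straddles the segment boundary and is also percent-encoded, so both reassembly and the protocol-aware normalization are needed before a plain content match can fire. A real NIDS also has to handle overlapping and conflicting segments and flow timeouts, which this toy deliberately leaves out.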
Firewall/Net IPS VS Net IDS
• Firewall/IPS
– Active filtering
– Fail-close
• Network IDS
– Passive monitoring
– Fail-open
[Figure: deployment of the FW and the IDS]
Related Tools for Network IDS (I)
[Figure: traffic from the Internet passes through traffic filtering on its way to our network; filtered packets are marked X]
Polymorphism!
• A polymorphic worm might not have an exact exploit-based signature
Vulnerability Signature
[Figure: vulnerability signature traffic filtering between the Internet and our network; filtered packets are marked X]
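To make the polymorphism point and the vulnerability-signature slide concrete, here is an added example that is not from the lecture. The vulnerable service, its USER command, its 64-byte buffer and the captured sample are all constructed for illustration and correspond to no real product. An exploit-based signature matches the exact bytes of one captured sample; a vulnerability-based signature matches the condition that reaches the bug (here, a USER field longer than the buffer), so it also catches variants whose bytes differ every time, while a benign value exactly at the limit is still accepted.

```python
"""Exploit-based vs vulnerability-based signatures against a polymorphic worm.
Added example, not from the lecture.  The vulnerable service and its protocol
are constructed for illustration only."""
import random

# Hypothetical service (constructed): it copies the value of the USER command
# into a 64-byte buffer without a bounds check, so any USER value longer than
# 64 bytes reaches the bug, whatever those bytes are.
BUFFER_LEN = 64

def parse_user_command(msg):
    """Protocol parser: the USER field of a 'USER <value>\\r\\n' line, else None."""
    if not msg.startswith(b"USER "):
        return None
    return msg[5:].split(b"\r\n", 1)[0]

# Signature 1, exploit-based: the exact bytes of the first captured sample.
CAPTURED_SAMPLE = b"USER " + b"A" * 80 + b"\r\n"   # constructed capture

def exploit_signature(msg):
    return CAPTURED_SAMPLE in msg

# Signature 2, vulnerability-based: the condition that triggers the bug,
# independent of which bytes fill the field.
def vulnerability_signature(msg):
    user = parse_user_command(msg)
    return user is not None and len(user) > BUFFER_LEN

def polymorphic_variants(n, seed=0):
    """Constructed worm variants: each has an overlong USER field, but the
    field's length and content differ every time, so no fixed byte string recurs."""
    rng = random.Random(seed)
    alphabet = b"abcdefghijklmnopqrstuvwxyz0123456789"
    variants = []
    for _ in range(n):
        length = rng.randint(BUFFER_LEN + 1, 3 * BUFFER_LEN)
        variants.append(b"USER " + bytes(rng.choice(alphabet) for _ in range(length)) + b"\r\n")
    return variants

# Constructed benign traffic; the last value is exactly at the limit, not over it.
BENIGN = [b"USER alice\r\n", b"USER bob.smith\r\n", b"PASS hunter2\r\n",
          b"USER " + b"x" * BUFFER_LEN + b"\r\n"]

def evaluate(signature, malicious, benign):
    """Returns (fraction of malicious samples detected, false positives on benign)."""
    detected = sum(1 for m in malicious if signature(m)) / len(malicious)
    false_positives = sum(1 for b in benign if signature(b))
    return detected, false_positives

if __name__ == "__main__":
    variants = polymorphic_variants(50)
    for name, sig in (("exploit-based", exploit_signature),
                      ("vulnerability-based", vulnerability_signature)):
        print(name, evaluate(sig, variants, BENIGN))
```

On 50 generated variants the exploit-based signature detects none of them (0.0) and the vulnerability-based one detects all of them (1.0), both with zero false positives on the benign lines. The price of the vulnerability signature is the protocol parser it depends on: the detector must understand the field structure of the protocol, which is the "protocol parsing when needed" step of the architecture slide.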
• Vulnerability-based
• Adaptive
– Automatically detect & generate signatures for zero-day attacks
• Scenario-based, for forensics and situational awareness
– Correlate (multiple sources of) audit data and attack information
Counting Zero-Day Attacks
[Figure: components include a network tap, protocol classifier, flow classifier and filter, known attack signatures, suspicious and normal traffic pools, a policy-driven reservoir, honeynet/darknet, statistical detection, and real-time core algorithms]
Security Information Fusion
• Internet Storm Center (aka DShield) has the largest IDS log repository
• Sensors covering over 500,000 IP addresses in over 50 countries
• More in the DShield slides
Requirements of Network IDS
• High-speed, large volume monitoring
– No packet filter drops
• Real-time notification
• Mechanism separate from policy
• Extensible
• Broad detection coverage
• Economy in resource usage
• Resilience to stress
• Resilience to attacks upon the IDS itself!