Intrusion Detection System

Uploaded by juhi44180
© All Rights Reserved

INTRUSION DETECTION AND INTRUSION DETECTION SYSTEM
PRESENTATION OUTLINE
- Introduction
  - What?
  - Why?
- Typical Intrusion Scenario
- Types of Attacks
- What an IDS does
- Types of IDS
  - Based on detection approach
    - Advantages / Disadvantages
  - Based on protected system
    - Network / Host based detection
- Evaluation of IDS
- Commercially available IDS
- Snort
INTRUDERS
- One of the two most publicized threats to security is the intruder (the other is viruses), often referred to as a hacker or cracker.
- There are three identified classes of intruders:
  - Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account. The masquerader is likely to be an outsider.
  - Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges. The misfeasor generally is an insider.
  - Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls.
WHAT IS AN INTRUSION DETECTION SYSTEM?
- Intrusion
  - Any unauthorized access, non-permitted attempt to access or damage, or malicious use of information resources.
- Intrusion Detection
  - Detection of break-ins and break-in attempts via automated software systems.
- Intrusion Detection Systems (IDS)
  - Defense systems which detect, and possibly prevent, intrusion activity.
WHAT IS NOT AN IDS?
- Network logging systems
- Security scanners
  - vulnerability assessment tools that check for flaws in the OS or network
- Antivirus products
- Security/cryptographic systems
  - e.g. VPN, SSL, Kerberos
- Firewalls
WHY IDS?
Straightforward reason: to protect data and system integrity.
Fact: this cannot be done with ordinary password and file security alone.
Misconceptions:
- A network firewall will keep the bad guys off my network, right?
- My anti-virus will recognize and get rid of any virus I might catch, right?
- And my password-protected access control will stop the office cleaner trawling through my network after I've gone home, right?

So that's it: "I'm fully protected"
HERE IS THE REALITY
- Anti-virus systems are only good at detecting viruses they already know about.
- Passwords can be cracked, stolen or changed by others.
- Firewalls DO NOT recognize attacks and block them.
  - A firewall is simply a fence around your network:
  - it has no capacity to detect that someone is trying to break in (digging a hole underneath it);
  - it cannot determine whether somebody coming through the gate is allowed to enter or not.
- Roughly 80% of financial losses from hacking come from inside the network.
"BEWARE OF INTERNAL INTRUDERS"
- Example: In April 1999, many sites were hacked via a bug in ColdFusion. All had firewalls blocking everything except port 80, but it was the web server listening on port 80 that was hacked.
TYPICAL INTRUSION SCENARIO
1. Information Gathering
   - find as much information as possible
   - whois lookups and DNS zone transfers
   - normal browsing to gather important information
2. Further Information Gathering
   - ping sweeps, port scanning
   - web server vulnerabilities
   - versions of applications/services
3. Attack!
   - start trying out different attacks
   - Unicode attack if IIS is installed
   - try to find misconfigured running services
   - passive attack / active attack
4. Successful Intrusion
   - install own backdoors and delete log files
   - replace existing services with own Trojan horses that have backdoor passwords, or create own user accounts
5. Fun and Profit
   - steal confidential information
   - use the compromised host to launch further attacks
   - change the web site for fun
EXAMPLE OF HACKED WEBSITE
[screenshot slide; image not present in the extracted text]
TYPES OF ATTACK
- Unauthorized access to resources
  - Password cracking
  - Spoofing, e.g. DNS spoofing
  - Scanning ports & services
  - Network packet sniffing
  - Stealing information
  - Unauthorized network access
  - Use of IT resources for private purposes
- Unauthorized alteration of resources
  - Falsification of identity
  - Information altering and deletion
  - Unauthorized transmission and creation of data
  - Configuration changes to systems and network services
TYPES OF ATTACK CONTD..
- Denial of Service
  - Flooding
    - Ping flood
    - Mail flood
- Compromising a system
  - Buffer overflow
  - Remote system shutdown
- Web application attack

"Most attacks are not a single attack but a series of individual events developed in a coordinated manner"
WHAT IS AN IDEAL IDS SUPPOSED TO DO?
- Identify possible incidents
  - detect that an attacker has compromised a system
  - report to the administrator
- Log information
  - keep a log of suspicious activities
- Can be configured to
  - recognize violations of security policies
  - monitor file transfers
    - e.g. copying a large database onto a user's laptop
  - identify reconnaissance activity
    - attack tools and worms perform reconnaissance activity such as host and port scans
IDS CLASSIFICATION

IDS
- By intrusion-detection approach
  - Anomaly detection
  - Signature detection
  - Hybrids
- By protected system
  - HIDS (host-based)
  - NIDS (network-based)
- By structure
  - Distributed system
  - Centralized system
- By data source
  - Audit trail
  - Network packets
  - System state analysis
  - Behavior analysis
- By timing
  - After an attack (passive IDS)
  - On-the-fly processing (active IDS)
  - Interval-based IDS
IDS TYPES: BASED ON DETECTION APPROACH

- Knowledge-based or Signature-based
- Behavior-based or Anomaly-based

- Knowledge-based
  - Matches signatures of well-known attacks against state changes in systems or the stream of packets flowing through the network
  - Examples of signatures:
    - A telnet attempt with username "root", which is a violation of an organization's security policy
    - An e-mail with the subject "Free Pictures" and an attachment "freepics.exe", characteristic of malware
ADVANTAGES / DISADVANTAGES OF KB-IDS

- Very few false alarms
- Very effective at detecting previously known threats
- Ineffective at detecting new threats, or known threats disguised by evasion techniques
- Compares a current unit of activity (e.g. a network packet or a log entry) to a list of signatures using string comparison operations
- Little understanding of network or application protocols, and cannot track the state of complex communication
  - e.g. cannot pair a request with the corresponding response
  - cannot remember a previous request while processing the current request
BEHAVIOR-BASED IDS
- Compares observed events against a model of normal events to identify significant deviations
- Has profiles representing the normal behavior of
  - users, hosts, network connections or applications
- Profiles are developed by monitoring the characteristics of typical activity over a period of time
- Profiles can cover behavioral attributes such as:
  - number of emails sent by a user, number of failed logins on a host, level of processor usage, etc.
- Example
  A profile for a network might show that, on average, 13% of network bandwidth is due to Web activity during typical workday hours. The IDS can then use statistical methods to compare the current Web bandwidth with the expected value and alert the administrator if an abnormally high share of bandwidth is being consumed by Web activity.
STATIC VS. DYNAMIC PROFILES
- Profiles are generated over a period of time (days or sometimes weeks)
- A static profile is unchanged unless a new profile is explicitly generated
  - changes in systems and/or networks make a static profile inaccurate (generate it again)
- A dynamic profile is adjusted continuously as further events are observed
  - defect: susceptible to evasion by attackers who perform their malicious activity gradually and frequently, so that it is absorbed into the profile as "normal"
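The bandwidth-share profile from the previous slide, worked through as an added example (this code is not part of the presentation): a static profile with a fixed mean and standard deviation, next to a dynamic profile whose mean is re-learned from every observation. The training data, the 3-sigma threshold, the exponential weighting factor and the two attack series are all assumptions constructed for the example.

```python
"""Behavior-based detection on a bandwidth-share profile: a static profile
(fixed baseline) next to a dynamic profile (baseline re-learned from every
observation). Added example, not from the presentation; the training data
and the attack series below are constructed."""
from statistics import mean, pstdev
from typing import Optional

# Constructed training data: share of bandwidth used by Web traffic per hour
# over a typical work week, centred on the slide's 13%.
TRAINING = [0.12, 0.13, 0.14, 0.12, 0.13, 0.15, 0.11, 0.13, 0.12, 0.14,
            0.13, 0.12, 0.13, 0.14, 0.12, 0.13, 0.11, 0.14, 0.13, 0.12]


class StaticProfile:
    """Baseline mean/std fixed at training time; alert on a k-sigma deviation."""

    def __init__(self, samples, k: float = 3.0):
        self.mu = mean(samples)
        self.sigma = pstdev(samples)
        self.k = k

    def observe(self, x: float) -> bool:
        return abs(x - self.mu) > self.k * self.sigma


class DynamicProfile(StaticProfile):
    """Same test, but after each observation the mean is pulled toward it
    (exponentially weighted), so the profile follows the traffic it watches."""

    def __init__(self, samples, k: float = 3.0, alpha: float = 0.5):
        super().__init__(samples, k)
        self.alpha = alpha

    def observe(self, x: float) -> bool:
        alert = super().observe(x)
        # The baseline drifts even when the observation is attack traffic.
        self.mu = (1 - self.alpha) * self.mu + self.alpha * x
        return alert


def first_alert(profile: StaticProfile, series) -> Optional[int]:
    """Index of the first observation the profile flags, or None if it never alerts."""
    for i, x in enumerate(series):
        if profile.observe(x):
            return i
    return None


# Constructed attack traffic: a sudden jump to 40% Web share, and an attacker
# who raises the Web share by only one percentage point per hour ("low and slow").
SUDDEN_JUMP = [0.40]
SLOW_RAMP = [0.13 + 0.01 * i for i in range(1, 28)]   # 0.14, 0.15, ..., 0.40

if __name__ == "__main__":
    for name, series in [("sudden jump", SUDDEN_JUMP), ("slow ramp", SLOW_RAMP)]:
        print(name,
              "static alerts at index:", first_alert(StaticProfile(TRAINING), series),
              "dynamic alerts at index:", first_alert(DynamicProfile(TRAINING), series))
```

Both profiles catch the sudden jump on the first observation. The static profile also flags the slow ramp as soon as the share passes three standard deviations (about 16% here), while the dynamic profile never alerts because each hourly increase stays within threshold of the mean it has just absorbed; that is the evasion defect named on the slide. The flip side is the false-alarm problem of the next slide: a legitimate one-off burst (say 30% during a company-wide video stream) is flagged by both profiles because nothing like it occurred during training.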
ADVANTAGES / DISADVANTAGES OF BBIDS

- Very effective at detecting unknown threats
  - Example: Suppose a computer is infected with a new type of malware. The malware consumes a large share of the computer's processor resources, sends a large number of emails and initiates a large number of network connections. This is a significantly different behavior from the established profiles.
- High false alarm rate
  - any legitimate activity that did not occur during the training phase looks like an anomaly
- Building a good profile is very challenging
NETWORK BASED INTRUSION DETECTION
- IDS sensors are placed on the network, near the system(s) being monitored
- Monitors network traffic for particular network segments or devices
- The network interface card is placed in promiscuous mode to capture all network traffic
- Sensors placed on a network segment inspect the packets
- Primary types of signatures are
  - String signatures
  - Port signatures
  - Header condition signatures
NETWORK BASED INTRUSION DETECTION CONTD..
- String signature
  - Looks for text/strings that may indicate a possible attack
  - Example: on a UNIX system, "cat "+ +" > /.rhosts" (a .rhosts file containing "+ +" trusts every user on every host)
- Port signature
  - Watches for connection attempts to well-known, frequently attacked ports
  - Example: telnet (TCP port 23), FTP (TCP ports 21/20)
  - Alerts when packets arrive for a port on which the host offers no service
- Header signature
  - Watches for dangerous or illogical combinations of packet header fields
  - Example: a TCP packet with both SYN and FIN flags set
    - the request wishes to start and stop the connection at the same time

- Limitations
  - Cannot inspect encrypted network traffic (e.g. HTTPS, VPN)
  - IDS sensors are themselves susceptible to attack
  - A large volume of traffic can overwhelm or crash the IDS sensor
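The three signature families above, and the knowledge-based matching described on the earlier "detection approach" slides, as an added example that is not part of the presentation: a toy sensor that checks each packet against string, port and header signatures using plain substring and flag comparisons, with no connection state. The packet layout, the rule table, the set of ports the monitored host offers and the sample traffic are all constructed assumptions.

```python
"""Toy knowledge-based NIDS: string, port and header signatures applied to
one packet at a time with no connection state. Added example, not from the
presentation; the packets below are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10   # TCP flag bits


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: int = 0
    payload: bytes = b""


# Assumption for the example: the monitored host only offers HTTP.
OFFERED_PORTS = {80}

# One rule per signature family. "port" in a string rule restricts it to that service.
SIGNATURES = [
    ("string", {"needle": b'"+ +" > /.rhosts', "msg": "rhosts tampering"}),
    ("string", {"needle": b"root", "port": 23, "msg": "telnet login as root"}),
    ("port",   {"ports": {21, 23}, "msg": "probe of unused service port"}),
    ("header", {"flags": SYN | FIN, "msg": "SYN+FIN scan"}),
]


def match(pkt: Packet) -> List[str]:
    """Return the messages of every signature the packet triggers."""
    alerts = []
    for kind, rule in SIGNATURES:
        if kind == "string":
            if rule.get("port") not in (None, pkt.dport):
                continue
            if rule["needle"] in pkt.payload:              # plain substring comparison
                alerts.append(rule["msg"])
        elif kind == "port":
            syn_only = (pkt.flags & (SYN | FIN)) == SYN    # a fresh connection attempt
            if syn_only and pkt.dport in rule["ports"] and pkt.dport not in OFFERED_PORTS:
                alerts.append(rule["msg"])
        elif kind == "header":
            if (pkt.flags & rule["flags"]) == rule["flags"]:   # illogical flag combination
                alerts.append(rule["msg"])
    return alerts


def scan(packets) -> List[Tuple[str, str]]:
    """Run every packet through the signature set; return (source, message) pairs."""
    return [(p.src, msg) for p in packets for msg in match(p)]


# Constructed traffic: an attacker at 10.0.0.9 and a legitimate client at 10.0.0.7.
SAMPLE = [
    Packet("10.0.0.9", "10.0.0.5", 80, flags=SYN | FIN),                        # header signature
    Packet("10.0.0.9", "10.0.0.5", 23, flags=SYN),                              # port signature
    Packet("10.0.0.9", "10.0.0.5", 23, flags=PSH | ACK, payload=b"root\r\n"),   # string signature
    Packet("10.0.0.9", "10.0.0.5", 514, flags=PSH | ACK,
           payload=b'cat "+ +" > /.rhosts\n'),                                  # string signature
    Packet("10.0.0.7", "10.0.0.5", 80, flags=PSH | ACK,
           payload=b"GET / HTTP/1.1\r\n"),                                      # benign
    Packet("10.0.0.9", "10.0.0.5", 23, flags=PSH | ACK, payload=b"rOoT\r\n"),   # evades: case differs
]

if __name__ == "__main__":
    for src, msg in scan(SAMPLE):
        print(f"ALERT {src}: {msg}")
```

The last sample packet is the point of the KB-IDS disadvantage slides: the sensor compares bytes, so a trivially altered "rOoT" passes, and because it keeps no state it could not reassemble "ro" and "ot" arriving in two segments either. The port rule only fires on a bare SYN toward a port the host does not serve, which is what keeps it from alerting on the legitimate data packets of an established session.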
HOST BASED IDS
- A piece or pieces of software on the system to be monitored
- Uses log files and the network traffic in/out of that host as data sources
- Monitors:
  - incoming packets
  - login activities
  - root activities
  - file systems
- A host-based IDS might monitor
  - wired and wireless network traffic; system logs
  - running processes; file access/modification
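File access/modification monitoring on the host, as an added example that is not part of the presentation and not the code of any product named on the later slides: a Tripwire-style integrity check that hashes every file at baseline time and later reports what was added, removed or changed. The host tree and the attacker's actions (a trojaned service binary with its size and timestamps preserved, a wiped log, a dropped backdoor) are constructed to mirror the "successful intrusion" step of the scenario slide; all paths are illustrative assumptions.

```python
"""Host-based file-integrity monitoring in the style of Tripwire: hash every
file at baseline time, then report what was added, removed or changed. Added
example, not from the presentation; the host tree and the attacker's actions
are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: Dict[str, str], root: Path) -> Dict[str, List[str]]:
    """Diff the current tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo(root: Path) -> Dict[str, List[str]]:
    """Build a tiny host, take the baseline, then apply the attacker's steps."""
    (root / "bin").mkdir()
    (root / "var" / "log").mkdir(parents=True)
    (root / "bin" / "sshd").write_bytes(b"good sshd binary v1")
    (root / "bin" / "ls").write_bytes(b"good ls binary v1")
    (root / "var" / "log" / "auth.log").write_bytes(b"Accepted password for alice\n")
    baseline = build_baseline(root)

    # Attacker: replace sshd with a trojan of identical size, put its
    # timestamps back, wipe the auth log and drop a backdoor.
    trojan = root / "bin" / "sshd"
    st = trojan.stat()
    trojan.write_bytes(b"evil sshd binary v1")            # same length as the original
    os.utime(trojan, (st.st_atime, st.st_mtime))           # mtime no longer gives it away
    (root / "var" / "log" / "auth.log").write_bytes(b"")   # "delete log files"
    (root / "bin" / ".backdoor").write_bytes(b"bind shell")
    return compare(baseline, root)


def run_demo() -> Dict[str, List[str]]:
    """Run the demo in a throwaway directory and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        return demo(Path(d))


if __name__ == "__main__":
    for change, paths in run_demo().items():
        print(f"{change}: {paths}")
```

A check on file size or modification time would miss the trojaned sshd, since both were preserved; the hash comparison still reports it, alongside the emptied log and the new backdoor. In a real deployment the baseline must be stored where an intruder with root cannot rewrite it (read-only media or another host), otherwise the attacker simply re-baselines after the change.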
EVALUATION OF IDSs
CURRENTLY AVAILABLE IDSs

Network Based IDS                       | Host Based IDS
----------------------------------------|-------------------------------------
Internet Security Systems RealSecure    | Internet Security Systems RealSecure
Symantec NetProwler                     | Symantec Intruder Alert
Network ICE BlackICE Defender           | Tripwire
CyberSafe Centrax Detection Appliance   | CyberSafe Centrax

Snort and OSSEC HIDS are among the most popular open-source IDSs. Fragroute/Fragrouter is a companion open-source tool rather than an IDS: it fragments and reorders traffic to test whether a NIDS can be evaded.
SNORT
- Open source NIDS, originally written by Martin Roesch and later developed by Sourcefire (now part of Cisco).
- It combines signature-based rules with protocol analysis and anomaly-detecting preprocessors, bringing together the benefits of signature-based and behavior-based intrusion detection.
- It has 300,000+ registered users.
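As an added example, not taken from the presentation or from the Snort rule sets themselves, the string, port and header signatures of the NIDS slides written as Snort rules. Each rule has a header (action, protocol, source, direction, destination) followed by options in parentheses that carry the match and the alert text. $HOME_NET is Snort's conventional variable for the protected address range; the sid values are arbitrary local rule IDs (the 1000000+ range is reserved for local rules) and are an assumption of this example.

```snort
# Header signature: SYN and FIN set together. "flags:SF" matches when exactly
# those two flags are set.
alert tcp any any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF; sid:1000001; rev:1;)

# Port signature: a connection attempt (bare SYN) to the telnet port.
alert tcp any any -> $HOME_NET 23 (msg:"Telnet connection attempt"; flags:S; sid:1000002; rev:1;)

# String signature: "root" sent to a telnet server on an established session;
# nocase closes the trivial "rOoT" evasion of a case-sensitive match.
alert tcp any any -> $HOME_NET 23 (msg:"Telnet login as root"; flow:to_server,established; content:"root"; nocase; sid:1000003; rev:1;)

# String signature: rhosts trust-file tampering; both contents must appear.
alert tcp any any -> $HOME_NET any (msg:"rhosts tampering"; content:"+ +"; content:".rhosts"; sid:1000004; rev:1;)
```

The flow keyword on the root-login rule is what a plain string matcher lacks: Snort's stream preprocessor tracks the TCP session so the rule fires only on reassembled client-to-server data, which also defeats the split-across-segments evasion.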
QUESTIONS / COMMENTS