(CS161 FA23) Lecture 24 - Intrusion Detection
Intrusion Detection
CS 161 Fall 2023 - Lecture 24
Last Time: Denial of Service
Computer Science 161
● SYN flooding: A type of DoS that causes a server to allocate state for
unfinished TCP connections, upon receiving a SYN packet
○ SYN cookies: Instead of allocating state when receiving a SYN, send the state back to the
client in the sequence number
○ The client returns the state to the server, and only then does the server allocate state for the connection
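A simplified SYN cookie, as an added example that is not part of the original slides. The 5/3/24-bit layout, the HMAC-SHA256 hash, the secret, the MSS table, the time step and the addresses are assumptions made for the illustration, not a particular kernel's implementation.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"  # assumption: server-side secret, never sent
MSS_TABLE = [536, 1220, 1440, 1460]  # assumption: MSS values the cookie can encode
TICK = 64                            # assumption: seconds per time-counter step

def _mac24(flow, client_isn, t, mss_idx):
    """24-bit keyed hash binding the cookie to one flow, time slot and MSS."""
    src, sport, dst, dport = flow
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    msg += struct.pack("!IQB", client_isn, t, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(flow, client_isn, client_mss, now):
    """On SYN: build the server's initial sequence number; store nothing."""
    t = now // TICK
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((t % 32) << 27) | (mss_idx << 24) | _mac24(flow, client_isn, t, mss_idx)

def check_ack(flow, client_isn, ack_number, now):
    """On ACK: recover the state from ack_number - 1, or return None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t_low, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    for t in (now // TICK, now // TICK - 1):  # accept current or previous slot
        expected = _mac24(flow, client_isn, t, mss_idx)
        if t % 32 == t_low and hmac.compare_digest(
                mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return {"flow": flow, "mss": MSS_TABLE[mss_idx]}  # allocate state only now
    return None

if __name__ == "__main__":
    flow = ("203.0.113.7", 51000, "198.51.100.10", 443)  # constructed addresses
    isn = make_cookie(flow, client_isn=1000, client_mss=1460, now=1_700_000_000)
    print(check_ack(flow, 1000, isn + 1, now=1_700_000_030))  # completed handshake
    print(check_ack(flow, 1000, isn + 2, now=1_700_000_030))  # forged ACK number
    print(check_ack(flow, 1000, isn + 1, now=1_700_000_200))  # cookie too old
```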
Last Time: Firewalls
Today: Intrusion Detection
Top 25 Most Dangerous Software Weaknesses (2020)
Unix File Paths
/home/public/evanbot.jpg
/home/public/../private/passwords.txt
[Figure: directory tree in which home contains public and private; diagram labels: Frontend, Backend, Backend Filesystem]
Types of Detectors
Structure of a Network
[Figure: network diagram with the Internet, a border router, a server and two employee computers]
Network Intrusion Detection System (NIDS)
[Figure: network diagram with the Internet, a border router, a server and an employee computer]
● Operation:
○ NIDS has a table of all active connections and maintains state for each connection
○ If the NIDS sees a packet not associated with any known connection, create a new entry in
the table
■ Example: A connection that started before the NIDS started running
○ NIDS can be used for more sophisticated network monitoring: not only detect attacks, but
analyze and understand all the network traffic
NIDS: Benefits
NIDS: Drawbacks
Drawback: Inconsistent Interpretation
Evasion Attacks
Evasion Attacks: Defenses
● Make sure that the NIDS and the end host are using the same interpretations
○ This can be very challenging
○ How do we detect the URL-encoded attack %2e%2e%2f%2e%2e%2f?
Now the NIDS has to parse URL encodings!
○ How do we detect a more complicated path traversal attack ..///.///..////?
Now the NIDS has to parse Unix file paths!
● Impose a canonical (“normalized”) form for all inputs
○ Example: Force all URLs to either expand all URL encodings or expand none of them
● Analyze all possible interpretations instead of assuming one
● Flag potential evasions so they can be investigated further
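The two inputs above, run through a raw-byte signature and through a canonicalizing check, as an added example that is not part of the original slides. The web root /home/public comes from the slides' example paths; the sample requests and the rule that nested encodings count as ambiguous are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/home/public"              # assumption: served directory, from the slide's paths
RAW_SIGNATURE = re.compile(rb"\.\./")  # byte-level signature for "../", no parsing

def canonicalize(request_path: bytes, max_rounds: int = 5):
    """Expand URL encodings until stable, then normalize the Unix path.

    Returns (canonical_path, decoding_rounds). normpath is purely lexical:
    it does not follow symlinks, which the end host's filesystem would.
    """
    text, rounds = request_path.decode("latin-1"), 0
    while rounds < max_rounds:
        decoded = unquote(text, encoding="latin-1")
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    joined = posixpath.join(WEB_ROOT, text.lstrip("/"))
    return posixpath.normpath(joined), rounds

def inspect(request_path: bytes) -> dict:
    """Compare the raw-byte signature with a check on the canonical form."""
    canonical, rounds = canonicalize(request_path)
    inside = canonical == WEB_ROOT or canonical.startswith(WEB_ROOT + "/")
    return {
        "raw_signature": RAW_SIGNATURE.search(request_path) is not None,
        "canonical": canonical,
        "traversal": not inside,   # leaves WEB_ROOT after normalization
        "ambiguous": rounds > 1,   # nested encoding: hosts may decode differently
    }

SAMPLES = [  # constructed request paths
    b"/evanbot.jpg",
    b"/%2e%2e%2fprivate/passwords.txt",
    b"..///.///..////private/passwords.txt",
    b"/%252e%252e%252fprivate/passwords.txt",
    b"/img/../evanbot.jpg",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, inspect(sample))
```

The raw signature misses both encoded requests and alerts on the harmless /img/../evanbot.jpg, while the canonical check classifies all five correctly.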
Drawback: Encrypted Traffic
● Recall: TLS is end-to-end secure, so a NIDS can’t read any encrypted traffic
● One possible solution: Give the NIDS access to all the network’s private keys
○ Now the NIDS can decrypt messages to inspect them for attacks
○ Problem: Users have to share their private key with someone else
Recall: Structure of a Network
[Figure: network diagram with the Internet, a border router, a server and two employee computers]
Host-Based Intrusion Detection System (HIDS)
[Figure: the same network diagram, annotated "HIDS: put detectors here"]
● Benefits
○ Fewer problems with inconsistencies or ambiguities: The HIDS is on the end host, so it will
interpret packets exactly the same as the end host!
○ Works for encrypted messages
○ Can protect against non-network threats too (e.g. malicious user inside the network)
○ Performance scales better than NIDS: one NIDS is more vulnerable to being overwhelmed
than many HIDS
● Drawbacks
○ Expensive: Need to install one detector for every end host
○ Evasion attacks are still possible (consider Unix file name parsing)
Logging
Detection Accuracy
Detection Errors
Perfect Detectors
● Can we build a detector with a false positive rate of 0%? How about a
detector with a false negative rate of 0%?
○ Recall false positive rate: The probability the detector alerts, given there is no attack
○ Recall false negative rate: The probability the detector does not alert, given there is an attack
Detection Tradeoffs
Base Rate Fallacy
Combining Detectors
Styles of Detection
● So far we’ve talked about types of detectors: what the detector is scanning
● Now we’ll talk about styles of detection: how the detector scans data to find
attacks
● Four main styles of detection
○ Signature-based detection
○ Specification-based detection
○ Anomaly-based detection
○ Behavioral detection
Signature-based Detection
Signature-based Detection: Examples
Signature-based Detection: Tradeoffs
● Benefits
○ Conceptually simple
○ Very good at detecting known attacks
○ Easy to share signatures and build up shared libraries of attacks
● Drawbacks
○ Won’t catch new attacks without a known signature
○ Might not catch variants of known attacks if the variant doesn’t match the signature
○ The attacker can modify their attack to avoid matching a signature
○ Simpler versions only look at raw bytes, without parsing them in context
■ May miss variants
■ May generate lots of false positives
Specification-based Detection
Specification-based Detection: Examples
Specification-based Detection: Tradeoffs
● Benefits
○ Can detect new attacks we’ve never seen before
○ If we properly specify all allowed behavior, can have low false positive rate
● Drawbacks
○ Takes a lot of time and effort to manually specify all allowed behavior
○ May need to update specifications as things change
Anomaly-based Detection
Anomaly-based Detection: Examples
Anomaly-based Detection: Tradeoffs
● Benefits
○ Can detect attacks we haven’t seen before
● Drawbacks
○ Can fail to detect known attacks
○ Can fail to detect new attacks if they don’t look unusual to our model
○ What if our model is trained on bad data (e.g. data with a lot of attacks)?
○ The false positive rate might be high (lots of non-attacks look unusual)
○ If we try to reduce false positives by only flagging the most unusual inputs, the false negative
rate might be high (we miss slightly unusual attacks)
● Great subject for academic research papers, but not used in practice
Behavioral Detection
Behavioral Detection: Examples
Behavioral Detection: Tradeoffs
● Benefits
○ Can detect attacks we haven’t seen before
○ Can have low false positive rates if we’re looking for behavior that rarely occurs in normal
programs (e.g. in the exec example, there are probably no false positives!)
○ Can be cheap to implement (e.g. existing tools to monitor system calls for a program)
● Drawbacks
○ Legitimate processes could perform the behavior as well (e.g. accessing a password file)
○ Only detects attacks after they’ve already happened
○ Only detects successful attacks (maybe we want to detect failed attacks as well)
○ The attacker can modify their attack to avoid triggering some behavior
Vulnerability Scanning
● Idea: Instead of detecting attacks, launch attacks on your own system first,
and add defenses against any attacks that worked
● Vulnerability scanning: Use a tool that probes your own system with a wide
range of attacks (and fix any successful attacks)
● Widely used in practice today
○ Often used to complement an intrusion detection system
Vulnerability Scanning: Tradeoffs
● Benefits
○ Accuracy: If your scanning tool is good, it will find real vulnerabilities
○ Proactive: Prevents attacks before they happen
○ Intelligence: If your intrusion detection system alerts on an attack you know you already fixed,
you can safely ignore the alert
● Drawbacks
○ Can take a lot of work
○ Not helpful for systems you can't modify
○ Dangerous for disruptive attacks (you might not know which attacks are dangerous before
you run the scanning tool)
Honeypots
Honeypots: Examples
● Example: Hospitals
○ Employees should not read patient records
○ The hospital enters a honeypot record with a celebrity name
○ Catch any staff member who reads the honeypot record
● Example: Unsecured Bitcoin wallet
○ Leave an unsecured Bitcoin wallet on your system with a small amount of money in it
○ If the money is stolen, you know that someone has attacked your system!
● Example: Spamtrap
○ Create a fake email address that is never used for legitimate emails
○ If email gets sent to the address, it's probably spam!
Honeypots: Tradeoffs
● Benefits
○ Can detect attacks we haven’t seen before
○ Can analyze the attacker's actions
■ Who is the attacker?
■ What are they doing to the system?
○ Can distract the attacker from legitimate targets
● Drawbacks
○ Can be difficult to trick the attacker into accessing the honeypot
○ Building a convincing honeypot might take a lot of work
○ These drawbacks matter less if the honeypot is aimed at automated attacks (e.g. the spam
detection honeypot)
Forensics
Blocking: Intrusion Prevention Systems
Building the Perfect IPS?
Takeaway: You must always have tradeoffs between false positive and false negative rates
Attacks on Intrusion Detection Systems (IDS)
Inside A Modern IDS
Path Traversal Attacks: Summary
Types of Detectors: Summary
Detection Accuracy: Summary
● Signature-based
○ Flag any activity that matches the structure of a known attack (blacklisting)
○ Good at detecting known attacks, but bad at detecting unknown attacks
● Specification-based
○ Specify allowed behavior and flag any behavior that isn’t allowed behavior (whitelisting)
○ Can detect unknown attacks, but requires work to manually write specifications
● Anomaly-based
○ Develop a model of what normal activity looks like. Alert on any activity that deviates from
normal activity.
○ Mostly seen in research papers, not in practice
● Behavioral
○ Look for evidence of compromise
○ Can cheaply detect new attacks with few false positives, but only detects after the attack
Other Intrusion Detection Strategies: Summary
● Vulnerability scanning: Use a tool that probes your own system with a wide
range of attacks (and fix any successful attacks)
○ Can accurately prevent attacks before they happen, but can be expensive
● Honeypot: a sacrificial system with no real purpose
○ Can detect attackers and analyze their actions, but may take work to trick the attacker into
using the honeypot
● Forensics: Analyzing what happened after a successful attack
● Intrusion Prevention System (IPS): An intrusion detection system that also
blocks attacks