Deakin University CRICOS Provider Code: 00113B
SIT182 – Real World Practices For Cyber Security
Trimester 2 – 2021
Deakin College
Week 6
Intrusion Detection and Prevention Systems
Principles of Intrusion Detection
• Characteristics of systems not under attack:
1. User/process actions conform to a statistically predictable pattern
2. User/process actions do not include sequences of actions that subvert the security policy (remember Week 1?)
3. Process actions correspond to a set of specifications describing what the processes are allowed to do
-> Systems under attack do not meet at least one of these (see the Example on the next page).
Example
• Intruder’s goal: insert a “back door” into a system (remember Task 4.4HD?)
– Intruder will modify a system configuration file or program
– Requires privilege; attacker enters the system as an unprivileged user and must acquire privilege
• A nonprivileged user may not normally acquire privilege (violates #1)
• Attacker may break in using a sequence of commands that violate the security policy (violates #2)
• Attacker may cause a program to act in ways that violate the program’s specification (violates #3)
Intrusion Detection Process
[Figure] Observable activities (e.g., network traffic) -> Detection Engine (using Detection Models) -> Decision Engine -> Action (e.g., alarm, block)
The observable activities are forwarded to the Detection Engine, which applies its detection models. The result is then forwarded to the Decision Engine, which instructs the action to be taken.
What is Monitored? (Observable Activities)
Monitoring activities sensitive to occurrences of any events that are deemed to be security concerns.
Users/processes:
• Unauthorized access to resources and data (remember Week 3/the WikiLeaks story?)
• Command and program execution (e.g., malware)
• Mouse, keyboard, CPU, disk, I/O patterns
• Program/system call/process execution frequencies, resource access (exhaustion), denied executions
• File/database access activity
• Read/write/create/delete frequency; records read/written; failed reads, writes, creates, deletes; resource exhaustion
Network traffic:
• Client application, protocol and port, volume, and duration
• Rate and burst length distributions for traffic (e.g., DoS attacks)
Intrusion Detection Approaches (Detection Engine)
Two families of approaches are used by the Detection Engine:
1. Signature-based approaches
2. Anomaly-based approaches
Signature-based Approaches
• Misuse Detection (misuse modelling)
– What is bad, is known
– What is not bad, is good
• Specification-based Detection
– What is good, is known
– What is not good, is bad
Misuse Detection
• Determines whether a sequence of instructions being executed is known to violate the security policy (remember Week 1?)
• Descriptions of known or potential exploits are grouped into rule sets (i.e., what is bad is included in the rules)
• The Intrusion Detection System (IDS) matches data against the rule sets; on success (i.e., a match is found) -> potential intrusion
• Vulnerability-based signatures:
– Once a new vulnerability is disclosed, researchers develop signatures that anticipate the nature of yet-to-be-created threats.
• Challenge: cannot detect attacks unknown to the developers of the rule sets
– No rules to cover them
Misuse Detection – Example
Intrusion patterns: sequences of system calls, patterns of network traffic, etc.
[Figure] activities -> pattern matching (against the intrusion patterns) -> intrusion
Example: if (traffic contains “x90+de[^\r\n]{30}”) then “attack detected”
Specification-based Detection
• Define the sequences of instructions (rules) that, if followed, do not violate the security policy (i.e., what is good is included in the rules)
• If there is any deviation from the rules, the IDS detects a potential intrusion.
• Challenge: defining all possible rules for a system! (costly, but some believe it is doable)
Home reading (extra, if interested): http://seclab.cs.sunysb.edu/seclab/pubs/raid01.pdf
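Added worked example (not from the lecture slides): the two signature-based approaches side by side, plus the Detection Engine -> Decision Engine hand-off from slide 5. Misuse detection is a denylist of known-bad patterns in the style of the “x90+…” rule above; specification-based detection is an allowlist of what one program may do. The two signatures, the specification for a log-rotation helper, and the sample payloads and system-call traces are all constructed for illustration.

```python
from __future__ import annotations

import re
from typing import Iterable

# ---- Misuse detection: "what is bad, is known" -------------------------------
# A rule set of known-bad patterns, in the spirit of the lecture's
# 'if (traffic contains "x90+de[^\r\n]{30}") then "attack detected"' rule.
# Both signatures are constructed, simplified examples, not production rules.
MISUSE_RULES: dict[str, re.Pattern[bytes]] = {
    "nop-sled": re.compile(rb"\x90{8,}"),           # long run of x86 NOP bytes
    "path-traversal": re.compile(rb"(\.\./){2,}"),  # repeated ../ in a request
}


def misuse_detect(payload: bytes) -> list[str]:
    """Return the names of every misuse rule that matches the payload.

    An empty list means no known-bad pattern matched, which misuse detection
    treats as 'good': it cannot flag an attack that has no rule.
    """
    return [name for name, rx in MISUSE_RULES.items() if rx.search(payload)]


# ---- Specification-based detection: "what is good, is known" -----------------
# Hypothetical specification for a log-rotation helper: it may only use these
# system calls, and may only open or rename files under /var/log/.
SPEC_ALLOWED_CALLS = {"open", "read", "write", "close", "rename", "exit"}
SPEC_ALLOWED_PREFIX = "/var/log/"


def spec_detect(trace: Iterable[tuple[str, str]]) -> list[str]:
    """Return a description of every deviation from the specification.

    `trace` is a sequence of (system call, argument) pairs. Anything the
    specification does not explicitly allow is reported, even if no
    signature for it exists.
    """
    violations: list[str] = []
    for call, arg in trace:
        if call not in SPEC_ALLOWED_CALLS:
            violations.append(f"{call}({arg}): call not in specification")
        elif call in {"open", "rename"} and not arg.startswith(SPEC_ALLOWED_PREFIX):
            violations.append(f"{call}({arg}): path outside {SPEC_ALLOWED_PREFIX}")
    return violations


# ---- Decision engine: turn findings into an action ---------------------------
def decide(findings: list[str]) -> str:
    """Map the detection engine's findings to an action (alarm or allow)."""
    return "alarm" if findings else "allow"


# Constructed sample inputs (not captured traffic or real traces).
BENIGN_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SLED_PAYLOAD = b"GET /" + b"\x90" * 12 + b" HTTP/1.1\r\n"

GOOD_TRACE = [("open", "/var/log/app.log"), ("read", ""), ("rename", "/var/log/app.log.1"),
              ("close", ""), ("exit", "0")]
# A process that opens a network socket and rewrites a system config file,
# which the specification never allows (compare the "back door" example).
BAD_TRACE = [("open", "/var/log/app.log"), ("socket", "AF_INET"),
             ("open", "/etc/rc.local"), ("exit", "0")]

if __name__ == "__main__":
    for label, payload in [("benign", BENIGN_PAYLOAD), ("sled", SLED_PAYLOAD)]:
        hits = misuse_detect(payload)
        print(f"misuse {label:6}: {hits or 'no match'} -> {decide(hits)}")
    for label, trace in [("good", GOOD_TRACE), ("bad", BAD_TRACE)]:
        devs = spec_detect(trace)
        print(f"spec   {label:6}: {devs or 'conforms'} -> {decide(devs)}")
```

Note the asymmetry the slides describe: `misuse_detect` stays silent on `BAD_TRACE`-style behaviour because no signature covers it, while `spec_detect` flags it without ever having seen it before, at the cost of having to write the specification first.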
Anomaly-based Approaches
• Anomaly Detection
– What is usual, is known
– What is unusual, is bad
– Techniques: threshold metrics; statistical moments (1st moment: mean, 2nd moment: variance, 3rd moment: skewness, etc.)
Threshold Metrics
• Counts the number of events that occur
– Between m and n events are expected to occur
– If the number falls outside this range -> anomalous
• Example
– Apple iOS: lock the user out after k failed sequential login attempts. Range is (0, k–1).
• k or more failed logins are deemed anomalous
Threshold Metrics – Challenges
• The appropriate threshold may depend on non-obvious factors.
• In our example, all of the following could lead to false positives:
– Typing skill of users (age, languages, …)
– If keyboards are US keyboards and most users are French, typing errors are very common
– On Android, different keyboard apps may lead to different rates of typing errors
Statistical Moments
• The analyser first computes expected values using statistics such as the mean, standard deviation, and other measures of correlation
• Then, if measured values fall outside the expected interval for particular moments -> anomalous
[Figure] Bar chart of activity measures (CPU, page fault, process size, I/O; scale 0 to 90) comparing the normal profile with abnormal values that indicate a probable intrusion
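Added worked example (not from the lecture slides) covering both anomaly techniques: the threshold metric from the iOS lockout example, and statistical moments computed over the four measures in the chart above. The lockout value k = 5, the normal profile, the new observation and the login events are all constructed sample data; the z = 3 width of the expected interval is an assumption, not a figure from the lecture.

```python
from __future__ import annotations

from math import sqrt

# ---- Threshold metric ---------------------------------------------------------
# The lecture's lockout rule: between 0 and k-1 sequential failed logins is
# expected; k or more is anomalous. k = 5 is an assumed value.
K_FAILED_LOGINS = 5


def threshold_anomalies(events: list[tuple[str, str, str]], k: int = K_FAILED_LOGINS) -> list[str]:
    """Return users whose run of sequential failed logins reached k.

    `events` is a constructed list of (timestamp, user, outcome) tuples in time
    order, where outcome is "ok" or "fail". A successful login ends the run,
    so only *sequential* failures count, as in the iOS example.
    """
    run: dict[str, int] = {}
    flagged: list[str] = []
    for _ts, user, outcome in events:
        if outcome == "fail":
            run[user] = run.get(user, 0) + 1
            if run[user] >= k and user not in flagged:
                flagged.append(user)
        else:
            run[user] = 0
    return flagged


# ---- Statistical moments ------------------------------------------------------
def moments(samples: list[float]) -> tuple[float, float, float]:
    """Return (mean, variance, skewness): the 1st, 2nd and 3rd moments."""
    n = len(samples)
    mean = sum(samples) / n
    variance = sum((x - mean) ** 2 for x in samples) / n   # population variance
    sd = sqrt(variance)
    skewness = sum(((x - mean) / sd) ** 3 for x in samples) / n if sd else 0.0
    return mean, variance, skewness


def moment_anomalies(profile: dict[str, list[float]], observed: dict[str, float],
                     z: float = 3.0) -> dict[str, str]:
    """Compare each observed measure with its normal profile.

    The expected interval for a measure is mean +/- z standard deviations of
    its profile; a value outside that interval is reported as anomalous.
    """
    report: dict[str, str] = {}
    for measure, value in observed.items():
        mean, variance, _ = moments(profile[measure])
        half_width = z * sqrt(variance)
        inside = mean - half_width <= value <= mean + half_width
        report[measure] = "normal" if inside else "anomalous"
    return report


# Constructed sample data: eight past measurements forming the normal profile
# (the four measures from the lecture's chart), then one new observation.
NORMAL_PROFILE = {
    "cpu": [20, 22, 25, 21, 23, 24, 22, 21],
    "page_fault": [100, 120, 110, 90, 105, 115, 95, 100],
    "process_size": [48, 50, 52, 49, 51, 50, 47, 53],
    "io": [30, 35, 28, 33, 31, 29, 34, 32],
}
OBSERVED = {"cpu": 90, "page_fault": 108, "process_size": 50, "io": 60}

# Constructed login events: alice mistypes once, bob fails five times in a row,
# carol fails twice and then succeeds.
LOGIN_EVENTS = [
    ("09:00:01", "alice", "fail"), ("09:00:05", "alice", "ok"),
    ("09:01:10", "bob", "fail"), ("09:01:15", "bob", "fail"), ("09:01:20", "bob", "fail"),
    ("09:01:25", "bob", "fail"), ("09:01:30", "bob", "fail"),
    ("09:02:00", "carol", "fail"), ("09:02:04", "carol", "fail"), ("09:02:09", "carol", "ok"),
]

if __name__ == "__main__":
    print("threshold:", threshold_anomalies(LOGIN_EVENTS))
    print("moments:  ", moment_anomalies(NORMAL_PROFILE, OBSERVED))
```

Lowering k (try `k=2`) shows the false-positive problem from the Threshold Metrics challenges slide: carol, who simply mistyped twice, is now flagged alongside bob. Likewise, the profile here is fixed; if it were allowed to evolve over time, a slow drift in the measures would shift the expected interval, which is the first challenge listed for statistical moments.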
Statistical Moments – Challenges
• Statistical complexities lead to false positives and false negatives. For example: the profile evolving over time, unknown sudden events (recession, system breakdown, etc. that affect user and system activities), …
• Real-time computation is also a challenge.
Intrusion Detection – Pros and Cons
Signature-based
– Pro: usually lower false positive rate (depends on the signature database though ☺)
– Con: may not detect zero-day attacks
Anomaly-based
– Pro: may detect zero-day attacks
– Con: usually higher false positive rate
Architecture of Intrusion Detection Systems (IDS)
• Agent (sensors) acts as a logger; it gathers data for analysis
• Director (Detection Engine) acts as the analyser; it analyses the data obtained from the agents according to its internal rules
– Usually runs on a separate system and does not impact the performance of the monitored systems.
• Notifier (Decision Engine) obtains results from the director and takes some action
– May simply notify the security officer
– May reconfigure agents or the director to alter collection and analysis methods
– May activate a response mechanism
Basically, an IDS is a sophisticated audit system composed of 3 key elements: Agent, Director, and Notifier.
Architecture of Intrusion Detection Systems (IDS)
[Figure] Agents/Sensors collect the observable activities (e.g., network traffic) -> Director (Detection Engine) -> Notifier (Decision Engine) -> Action (e.g., alarm, block)
Host-based Agents -> Host-based IDS (HIDS)
• Monitor activities on a single host.
• Obtain information from logs
– May use many logs as sources
– May be security-related or not
Advantage: better visibility into the behavior of individual applications running on the host
Network-based Agents -> Network-based IDS (NIDS)
• Often placed behind a router or firewall that is the entrance to a critical asset
• Monitors traffic and examines packet headers and payloads
• Detects network-oriented attacks
Advantage: a single NIDS/NIPS can protect many hosts and detect global patterns
IPS: Intrusion Prevention System
NIDS vs. Firewall
[Figure] Public Internet -> router -> firewall -> DMZ (web server, DNS server) and internal network (users/hosts). DMZ: remember Week 5?
Does Deep Packet Inspection (DPI) – reads the packet payload (remember Week 4?)
Intrusion Detection System (IDS)
[Figure] External network -> internal network, with the IDS attached via a wire tap, off the traffic path
• IDS aims to REPORT intrusions (ACTION is to report the intrusion/threat)
• IDS operates through a wire tap, and is clearly an out-of-band operation
Goals of Intrusion Detection Systems
1. Detect a wide variety of intrusions
– Previously known and unknown attacks (would it work against zero-days*?)
2. Detect intrusions in a timely fashion (consider a large organisation network with many connected hosts)
– Depends:
– May need to be real-time, especially when the system responds to the intrusion
• Problem: analysing commands may impact the response time of the system
– May suffice to report that an intrusion occurred a few minutes or hours ago
*Sophos: https://www.sophos.com/en-us/security-news-trends/security-trends/zeroday-threats.aspx
*McAfee: https://www.networkcomputing.com/networking/mcafee-releases-intrusion-protection-system-against-zero-day-and-known-attacks
Goals of Intrusion Detection Systems
3. Present analysis in a simple, easy-to-understand format
– Ideally a binary indicator
– Usually more complex, allowing the analyst to examine the suspected attack
– User interface critical, especially when monitoring many systems
4. Be accurate
– If too few intrusions are detected (false negatives) -> consequence: no security
– If there are too many false alarms (false positives) -> consequence: alarms ignored
Watch: https://www.youtube.com/watch?v=ZrENaoNlIJg (Darktrace).
– Can you spot them emphasizing the goals we highlight here when advertising their product ☺?
Intrusion Prevention System (IPS)
• IPS aims to BLOCK intrusions (ACTION is to respond to the intrusion/threat)
• IPS operates in-line/in-band
• One more goal is added: automatically, efficiently, and effectively block the detected intrusions.
[Figure] External network -> IPS (in-line) -> internal network
NIDS vs. NIPS
[Figure] NIDS (out-of-band) vs. NIPS (in-line/in-band)
IPS may also Counterattack ..
Technical attack:
Goal is to damage the attacker seriously enough to stop the current attack and deter future attacks.
1. May harm an innocent party
• Attacker may have broken into the source of the attack or may be impersonating an innocent party (remember zombies?)
2. May have side effects
• If the counterattack is flooding, it may block legitimate use of the network!!
3. Antithetical to shared use of the network
• Counterattack absorbs network resources
4. May be legally actionable ….
HIDS/HIPS or Antivirus?
Q: Should you use antivirus or a HIDS as the last line of defence on your end-host?!
Simplified answer: https://cybersecurity.att.com/blogs/security-essentials/antivirus-or-host-ids-your-last-line-of-defense
NIDS/NIPS or HIDS/HIPS?
Q: Should you use NIDS/NIPS or HIDS/HIPS?
What about joining forces?!
NIDS/NIPS + HIPS/HIDS: Distributed Intrusion Detection/Hybrid
• Extend the focus from single systems to the information infrastructure
• A more effective defence has these working together to detect intrusions
Challenge: intrusion detection systems need to be able to talk to each other.
• Solution: Intrusion Detection Exchange Protocol (IDXP): RFC 4767
– An application-level protocol for exchanging data between IDSs.
NIDS/NIPS + HIPS/HIDS: Distributed Intrusion Detection
[Figure] Public Internet -> router -> firewall -> DMZ (web, DNS servers) and internal network, with IDS/IPS sensors on each segment, a HIDS in each host, and a central manager for the IDS/IPS
Honeypots
• Filled with fabricated/counter-intelligence information
• Decoy systems to trap attackers or counter spammers
• Collect forensic information on attackers’ activities
• Signature extraction for IDS/IPS
• Encourage an attacker to stay on the system so an administrator can respond
Snort: An Open-source NIDS/NIPS
Snort
• Snort is free and open source ☺
• The most widely deployed intrusion detection and prevention technology worldwide
• Uses a rule-driven language
• Combines the benefits of signature-, protocol- and anomaly-based inspection methods.
• Snort can be combined with other software such as SnortSnarf, Sguil, OSSIM, and the Basic Analysis and Security Engine (BASE) to provide a visual console
• Emerging Threats: community-maintained Snort rule sets are evolving
– Large rule sets for known vulnerabilities
Snort – Rule Structure
Rule Header: ACTION PROTOCOL SOURCE_IP SOURCE_PORT
Rule Payload: “content:” searches for a pattern in the packet’s payload – here it is searching for the word “GET”. “msg:” prints a message in alerts and packet logs.
Snort – A Simple Rule
• Snort provides a long set of rules but allows users to define their own.
• The action is ’alert’. The source is defined as any TCP flow from any address. The destination is defined as 192.168.5.7/24 at port 80. The rule checks whether the packet contains a ’GET’ string and then generates an alert. The ’sid’ (Snort identifier) uniquely identifies the rule, allowing it to be referenced and found later.
Snort Report Example
Detect remote shell’s DIR command:
Snort Report Example 2
Detect remote shell code execution
Snort – more than Alert …
Action   Description
alert    Generate an alert using the selected alert method, and then log the packet.
log      Log the packet.
pass     Ignore the packet.
drop     Drop the packet and log.
reject   Drop the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
sdrop    Silently drop the packet but do not log.
Best place to explore and learn more about Snort? https://www.snort.org/documents
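Added worked example (not from the lecture slides and not Snort’s own code): a small parser and matcher for the rule structure described on the “Rule Structure” and “A Simple Rule” slides, using the action table above as the set of valid actions. The rule text `alert tcp any any -> 192.168.5.7/24 80 (msg:"HTTP GET seen"; content:"GET"; sid:1000001;)` is reconstructed from the slide’s description (the `msg` text and `sid` value are assumed), and the three packets are constructed, not captured traffic. Only the header fields and the `msg`, `content` and `sid` options are handled; real Snort supports many more.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# The six actions from the lecture's table, with a summary of what each does.
# This engine only reports the action; it does not send resets or drop packets.
ACTIONS = {
    "alert": "alert + log",
    "log": "log",
    "pass": "ignore",
    "drop": "drop + log",
    "reject": "drop + log + TCP reset / ICMP port unreachable",
    "sdrop": "drop silently",
}

# Rule reconstructed from the slide's description; msg text and sid are assumed.
SAMPLE_RULE = 'alert tcp any any -> 192.168.5.7/24 80 (msg:"HTTP GET seen"; content:"GET"; sid:1000001;)'

# Header: ACTION PROTOCOL SRC_IP SRC_PORT DIRECTION DST_IP DST_PORT, then (options).
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S
)
# Options are `key:value;` pairs; values may be double-quoted strings.
OPTION_RE = re.compile(r'(\w+)\s*:\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*))\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: dict[str, str] = field(default_factory=dict)


def parse_rule(text: str) -> Rule:
    """Parse one rule: the header fields, then the options in parentheses."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule header")
    action, proto, sip, sport, direction, dip, dport, opts = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    options = {k: (q if q else bare.strip()) for k, q, bare in OPTION_RE.findall(opts)}
    return Rule(action, proto.lower(), sip, sport, direction, dip, dport, options)


def _ip_matches(spec: str, addr: str) -> bool:
    # strict=False accepts 192.168.5.7/24 (host bits set) as the 192.168.5.0/24 network.
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def _endpoints_match(rule: Rule, src: str, sport: int, dst: str, dport: int) -> bool:
    return (_ip_matches(rule.src_ip, src) and _port_matches(rule.src_port, sport)
            and _ip_matches(rule.dst_ip, dst) and _port_matches(rule.dst_port, dport))


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """Apply the header checks, then the content: option against the payload bytes."""
    if rule.proto not in ("ip", pkt["proto"]):
        return False
    ok = _endpoints_match(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not ok and rule.direction == "<>":  # bidirectional rule: also try the reverse
        ok = _endpoints_match(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not ok:
        return False
    content = rule.options.get("content")
    # Content match is a plain byte search, case-sensitive (no nocase handling here).
    return content is None or content.encode() in pkt["payload"]


def run_engine(rules: list[Rule], packets: list[dict]) -> list[tuple[str, str, str]]:
    """Return (action, sid, msg) for every rule that matches every packet."""
    hits = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                hits.append((rule.action, rule.options.get("sid", "?"), rule.options.get("msg", "")))
    return hits


# Constructed packets: a GET to the watched subnet, a POST to it, and a GET elsewhere.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.5.20", "dport": 80, "payload": b"GET / HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.5.20", "dport": 80, "payload": b"POST /login HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40002, "dst": "10.0.0.2", "dport": 80, "payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    for action, sid, msg in run_engine([rule], PACKETS):
        print(f"{action} (sid {sid}): {msg} -> {ACTIONS[action]}")
```

Only the first packet fires the rule: the second carries no `GET`, and the third is not addressed to the 192.168.5.0/24 network, which is exactly the header-then-payload order of checks the “Simple Rule” slide walks through.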
References and Further Reading
[Chapter 19] Introduction to Computer Networks and Cybersecurity, J. Irwin, CRC Press.
Extra:
– https://www.cs.colostate.edu/~cs656/reading/ieee-se-13-2.pdf
– [Chapter 3] CISSP Study Guide, https://www.sciencedirect.com/science/article/pii/B9781597499613000030
– https://www.cybok.org/media/downloads/Network_Security_KA_-_Issue_1.0_January_2019.pdf
Acknowledgement
Acknowledging the kind support and contribution of:
Dr Arash Shaghaghi (Deakin University, Australia), Prof. Chang-Tsun Li (Deakin University, Australia), Prof. Sanjay
Jha (The University of New South Wales, Australia), Dr. Nicolas Courtois (University College London, UK), Dr George
Danezis (University College London, UK), and Prof. Murat Kantarcioglu (University of Texas at Dallas).