Chapter 8 Flashcards
intrusion detection
Classes of intruders
- cyber criminals
- activists
- state-sponsored organizations
- others
cyber criminals
- member of organized crime group with goal of financial reward
activists
motivated by social/political reasons
- hacktivists - skill level quite low
state sponsored organizations
group of hackers sponsored by state to conduct espionage /sabotage activities
(APTs)
others
motivated by technical challenge - e.g. discover new categories of buffer overflow vulnerabilities
skill level
- apprentice
- journeyman
- master
apprentice
minimal technical skills
criminal + activists
script-kiddies
journeyman
sufficient skills to modify + extend attack toolkits to use newly discovered /purchased vulnerabilities
may locate new vulnerabilities
all intruder classes
master
high-level skills - discover brand new categories of vulnerabilities
write new powerful attack toolkits
some employed by state
difficult to defend against
Intrusion example
- remote root compromise
- web server defacement
- cracking passwords
- copying database containing credit card numbers
- view sensitive data without authorization
- running packet sniffer
- distributing pirated software
- using unsecured modem/access point to access internal network
- impersonating executive to get info
- using unattended workstation
Intruder behavior
- target acquisition + info gathering
- initial access
- privilege escalation
- info gathering
- maintaining access
- covering tracks
intrusion detection
hardware/software function gathers + analyzes info from various areas within computer/network to identify possible security intrusions
Intrusion detection system (IDS)
- Host-based - monitors characteristics of single host for suspicious activity
- Network-based - monitors network traffic + analyzes network protocols to identify suspicious behavior
- distributed / hybrid - combine info from number of sensors often both host + network in central analyzer that is able to better identify + respond
logical components of IDS
- sensor - collect data
- analyzers - determine if intrusion has occurred
- user interface - view output/control system behavior
IDS requirement
- run continually
- be fault tolerant
- resist subversion
- impose minimal overhead on system
- configured according to system security policies
- adapt to changes in systems + users
- scale to monitor large number of systems
- provide graceful degradation of services
- allow dynamic reconfiguration
analysis approach
- anomaly detection - collect data relating to behavior of legitimate users over period of time - analyze to determine if behavior = legitimate
- signature/heuristic detection - use set of known malicious data patterns /attack rules compared with current behavior - only identify known attacks
Anomaly detection
- statistical - analysis of observed behavior using univariate/multivariate/time-series model of observed metrics
- knowledge based - expert system that classifies behavior according to set of rules that model legitimate behavior
- Machine learning - automatically determine suitable classification model from training data using data mining techniques
Signature/heuristic detection
- Signature - match large collection of known patterns of malicious data against data stored/in transit
- pattern collection needs to be large enough to avoid false positives
- rule-based/heuristic - uses rules to identify known penetrations or activity that would exploit known weaknesses
SNORT - rule based NIDS
HIDS
add specialized layer of security software to vulnerable /sensitive systems - either anomaly/signature
detects both internal + external intrusions
data sources + sensors
- sensor collects data from sources such as:
- system call traces
- audit records
- file integrity checksums
- registry access
NIDS
- monitor traffic at selected points in network
- examine traffic packet by packet in real time
- NIDS facility - sensors + server(s) for NIDS management functions + management console(s)
- sensors analyze traffic
signature detection attacks
- application layer reconnaissance
- transport layer
- network layer
- unexpected application services
- policy violations
anomaly detection attacks
- DOS
- scanning
- worms
stateful protocol analysis
subset of anomaly detection that compares observed network traffic against predetermined universal vendor supplied profiles of benign protocol traffic - high resource use
logging of alerts
- timestamp
- connection/session ID
- event/alert type
- rating
- network, transport, application layer protocols
- source + destination IP addresses
- source + destination TCP/UDP ports /ICMP types + codes
- number of bytes transmitted over connection
- decoded payload data
- state-related data
IETF intrusion detection working group
define data formats + exchange procedures for sharing info of interest to intrusion detection + response systems + management systems that may need to interact with them
IETF RFC
- Intrusion detection message exchange requirements - defines requirements for IDMEF (intrusion detection message exchange format)
- Intrusion detection message exchange format - describes data model to represent info exported by intrusion detection systems
- Intrusion detection exchange protocol - IDXP - application-level protocol for exchanging data between intrusion detection entities
honeypot classification
- low interaction - emulates services well enough to provide realistic initial interaction
- high interaction - real system, occupies attacker for extended period