Intrusion Detection Flashcards
Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified. (T/F)
True
To be of practical use, an IDS should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level. (T/F)
True
An inline sensor monitors a copy of network traffic; the actual traffic does not pass through the device. (T/F)
False
A common location for a NIDS sensor is just inside the external firewall. (T/F)
True
Network-based intrusion detection makes use of signature detection and anomaly detection. (T/F)
True
A _______ monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
host-based IDS
_______ involves an attempt to define a set of rules or attack patterns that can be used to decide if a given behavior is that of an intruder.
Signature detection
_______ involves the collection of data relating to the behavior of legitimate users over a period of time.
Anomaly detection
A(n) ______ is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.
inline sensor
The ______ is the IDS component that examines the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.
analyzer
Intrusion Defined
any attack that aims to compromise the security goals of an organization
Intrusion Examples
• Performing a remote root compromise of an e-mail server
• Defacing a Web server with inappropriate web contents
• Guessing and cracking passwords
• Stealing a database containing credit card numbers
• Reading sensitive data, including payroll records and medical information, without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail password, and learning the new password
• Using an unattended, logged-in workstation without permission
Firewalls distinguished from IDS
Firewalls and IDSs are both part of a network security system. A firewall is designed to prevent an intrusion; an IDS is designed to detect an intrusion.
F - tries to stop an intrusion from happening
I - tries to evaluate an intrusion after it has happened
I - watches for intrusions that start within the system
F - limits access between networks to prevent intrusion
Classes of Intruders
Cyber criminals
Activists
State-sponsored organizations
Other
Intruder skill levels
Apprentice
Journeyman (sufficient skill to modify and extend attack toolkits)
Master (high level skill, discovering new categories of vulnerabilities, writing new attack toolkits)
Intruders typically use steps from a common attack methodology
• Target Acquisition and Information Gathering:
–The attacker identifies and characterizes the target systems using publicly available information, both technical and non-technical, and uses network exploration tools to map target resources.
• Initial Access:
–Typically accomplished by exploiting a remote network vulnerability, e.g., by guessing weak authentication credentials used in a remote service, or via the installation of malware on the system using some form of social engineering or drive-by download.
• Privilege Escalation:
–Actions taken on the system, typically via a local access vulnerability, to increase the privileges available to the attacker to enable their more powerful attacks on the target system.
• Information Gathering or System Exploit:
–Actions by the attacker to access or modify information or resources on the system, or to navigate to another target system.
• Maintaining Access:
–Actions such as the installation of backdoors or other malicious software, or through the addition of covert authentication credentials or other configuration changes to the system, to enable continued access by the attacker after the initial attack.
• Covering Tracks:
–Where the attacker disables or edits audit logs, to remove evidence of attack activity, and uses rootkits and other measures to hide covertly installed files or code.
Components of Intrusion Detection
Sensors
Analyzers
User Interface
Intrusion Detection Primary assumptions
System activities are observable
Normal and intrusive activities have distinct evidence
IDS Classification
Host-based IDS
-monitors single host and events occurring within the host
Network-based IDS
-monitors network traffic for particular network segments or devices
Distributed or Hybrid IDS
-combines info from many sensors
Analysis Approaches
Anomaly detection
Signature or heuristic-based detection
Anomaly detection
Involves the collection of data relating to the behavior of legitimate users over a period of time. Then current observed behavior is analyzed to determine with a high level of confidence whether this behavior is that of a legitimate user or that of an intruder.
Anomaly approaches aim to define or characterize normal, or expected, behavior in order to identify malicious or unauthorized behavior.
Signature or heuristic-based detection
Signature or heuristic-based approaches directly define malicious or unauthorized behavior. They can quickly and efficiently identify known attacks. However only anomaly detection is able to detect unknown, zero-day attacks, because it starts with known good behavior and identifies anomalies to it.
Uses a set of known malicious data patterns or attack rules that are compared with current behavior
Also known as misuse detection
Can only identify known attacks for which it has patterns or rules
Rule-based heuristic identification
Types of Host based intrusion detection
Anomaly HIDS
Signature or Heuristic HIDS
Distributed HIDS
Network Based Intrusion Detection
Monitors traffic at selected points on a network or interconnected set of networks
Typically in perimeter security infrastructure
2 Types/Modes of Network Sensors
Inline sensor
– inserted into a network segment so that the traffic it monitors must pass through the sensor
Passive sensor
– monitors a copy of network traffic, so the actual traffic does not pass through it
Anomaly Detection Classification of Approaches
- Statistical: Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics.
- Knowledge based: Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior.
- Machine-learning: Approaches automatically determine a suitable classification model from the training data using data mining techniques.
4 Locations of NIDS sensor and advantages
Place NIDS sensor just inside the external firewall. Advantages:
- sees attacks originating from the outside world that penetrate perimeter defenses
- highlights problems
- sees attacks targeting the web or FTP server
- can recognize outgoing traffic that results from a compromised server
Sensor between the external firewall and the Internet or WAN:
- documents the number and types of attacks originating on the Internet that target the network
Sensor at major backbone networks (e.g., supporting internal servers/DBs):
- monitors a large amount of traffic
- detects unauthorized activity within the organization
Sensor at critical subsystems (personnel or financial systems):
- detects attacks targeting critical systems/resources
- focuses limited resources
Signature Approach
Advantages & Disadvantages
Advantages:
- Low cost in time and resource use
- Wide acceptance
Disadvantages:
- Significant effort to identify and review new malware to create signatures
- Inability to detect zero-day attacks
Rule-Based Detection
Instead of using only signatures of known attacks, a misuse detection system can also use a more sophisticated, rule-based approach.
Rule-based detection involves the use of rules for identifying known penetrations or penetrations that would exploit known vulnerabilities.
Rules are specified to process and analyze activity data and match multiple signatures or patterns.
Typically, the rules used in these systems are specific to the machine and operating system.
The most fruitful approach to developing such rules is to analyze attack tools and scripts collected on the Internet.
These rules can be supplemented with rules generated by knowledgeable security personnel. In this latter case, the normal procedure is to interview system administrators and security analysts to collect a suite of known penetration scenarios and key events that threaten the security of the target system.
The SNORT system is an example of a rule-based NIDS. A large collection of rules exists for it to detect a wide variety of network attacks.
Network Based IDS
A network-based IDS (NIDS) monitors traffic at selected points on a network or interconnected set of networks. The NIDS examines the traffic packet by packet in real time, or close to real time, to attempt to detect intrusion patterns. The NIDS may examine network-, transport-, and/or application-level protocol activities. Note the contrast with a host-based IDS; a NIDS examines packet traffic directed toward potentially vulnerable computer systems on a network.
A typical NIDS facility includes a number of sensors to monitor packet traffic, one or more servers for NIDS management functions, and one or more management consoles for the human interface. The analysis of traffic patterns to detect intrusions may be done at the sensor, at the management server, or some combination of the two.
Inline Sensors
Used to block an attack when one is detected, performing both intrusion detection and prevention functions
An inline sensor is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.
Can be achieved by:
- Combining NIDS sensor logic with a firewall or LAN switch. This has the advantage that no additional hardware is needed
- Using a stand-alone inline NIDS sensor
Passive Sensors
A passive sensor monitors a copy of network traffic; the actual traffic does not pass through the device.
Passive sensors are more efficient
Firewall Versus Network IDS
Firewall
- Active filtering
- Fail-close
Network IDS
- Passive monitoring
- Fail-open
SNORT
Open source
Highly configurable
Lightweight IDS
Characteristics:
- Easily deployed on most nodes
- Efficient operation
- Easily configured by system administrators
Performs real-time packet capture
Detects a variety of attacks and probes
Types of attacks suitable for signature detection
Application layer reconnaissance and attacks
Transport layer reconnaissance and attacks
Network layer reconnaissance and attacks
Unexpected application services
Policy violations
Anomaly detection suitable for these types of attacks
Denial of service attacks
Scanning
Worms
SNORT logical components
Packet decoder: The packet decoder processes each captured packet to identify and isolate protocol headers at the data link, network, transport, and application layers.
–The decoder is designed to be as efficient as possible and its primary work consists of setting pointers so that the various protocol headers can be easily extracted.
• Detection engine: The detection engine does the actual work of intrusion detection. This module analyzes each packet based on a set of rules defined for this configuration of Snort by the security administrator. In essence, each packet is checked against all the rules to determine if the packet matches the characteristics defined by a rule.
–The first rule that matches the decoded packet triggers the action specified by the rule. If no rule matches the packet, the detection engine discards the packet.
• Logger: For each packet that matches a rule, the rule specifies what logging and alerting options are to be taken. When a logger option is selected, the logger stores the detected packet in human readable format or in a more compact binary format in a designated log file. The security administrator can then use the log file for later analysis.
• Alerter: For each detected packet, an alert can be sent. The alert option in the matching rule determines what information is included in the event notification.
The event notification can be sent to a file, to a UNIX socket, or to a database. Alerting may also be turned off during testing or penetration studies.
Using the UNIX socket, t
Intrusion Detection Exchange Format
Defines data formats and exchange procedures for information on intrusion detection and response
Functional components:
Data source
Sensor
Analyzer
Administrator
Manager
Operator
Honeypots
Honeypots are decoy systems designed to lure attackers away from critical systems.
Honeypots are designed to:
- divert an attacker
- collect information about an attacker
- encourage an attacker to stay long enough for administrators to respond
Honeypots are filled with fabricated information
Any accesses to a honeypot trigger monitors and event loggers
An attack against a honeypot is made to seem successful
A honeypot has no production value
There is no legitimate reason to access a honeypot
Any attempt to communicate with a honeypot is most likely a probe, scan, or attack
If a honeypot initiates outbound traffic, the system is most likely compromised
Honeypot Classifications
Low interaction
High interaction
Low interaction honeypot:
Emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of those services or systems
Provides a less realistic target
Often sufficient for use as a component of a distributed IDS to warn of imminent attack
High interaction honeypot
A real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers
More realistic target that may occupy an attacker for an extended period
However, it requires significantly more resources