P2L4 Intrusion Detection Flashcards
Defense in Depth
Need multiple layers of defense mechanisms. Prevent, Detect, Survive
Firewall
Prevention Mechanism
Intrusion Examples
- Remote root compromise
- Web Server Defacement
- Packet Sniffer
- Copying database containing CC numbers
- etc.
Intrusions Steps
- Target Acquisition & Info gathering
- Initial Access
- Privilege Escalation
- Info Gathering or system exploit
- Maintain access (backdoors etc)
- Cover tracks (remove evidence of attack or install rootkit)
Backdoor inserts backdoors into other programs during compilation
Compiler Backdoor
Backdoor can only be used by the person who created it, even if discovered by others
Asymmetric Backdoor
Backdoor that is hard to detect because it modifies machine code rather than source
Object Code Backdoor
Primary assumptions in the design of an IDS
System activities are observable
Normal and intrusive activities have distinct evidence
Components of IDS
Algorithmic:
- Features - capture intrusion evidence
- Models - piece evidence together
System Architecture:
- Several components: data processor, knowledge base, decision engine, alarm generation, and responses
IDS modeling and analysis approaches
- Misuse detection (aka signature-based)
- Anomaly detection
IDS deployment approaches
- Host-based
- Network-based
IDS development and maintenance
- Hand-coding of “expert knowledge”
- Learning based on data
Anomaly Detection
- Collect data relating to behavior of legitimate users over a period of time. Build a model on this.
- Analyze currently observed data to determine whether it is legitimate (fits the model)
- Statistical Approach
Misuse / Signature Detection
- Use a set of known malicious data patterns (signatures)
- Current behavior is analyzed to determine if it is legitimate.
- Can only detect known attacks/intrusions
Example: Virus scanner
- Knowledge-based approach
Machine Learning Approaches
- Detects attacks similar to past attacks.
- Flexible and adaptable.
- Training data must be normal; otherwise false alarms result.
Types:
Bayesian Networks - Conditional probabilities (e.g. how likely one event is given that another has happened)
Markov Models - Model of states (e.g. real website names vs random botnet domain names)
Neural Network - Simulates how human brain operates.
Clustering - Group data into similar clusters to identify common characteristics
Network Based IDS
Passively monitors traffic at selected points
May examine network, transport, and/or app level protocol activity
Composed of sensors, management servers, and a management console
Analysis of traffic patterns is done at the sensor, the management server, or a combination of the two
Misuse Signature Intruder Detection
Run through a signature mapping to identify and flag intrusion attempts.
Rule Based Detection
SNORT.
Set of specific rules that identify known penetrations or suspicious behavior.
Host based IDS
Sits on the hosts, monitors activity on the host.
ptrace - traces operating system events
Inline Sensors
Type of NIDS
Performs both intrusion detection and prevention.
Must be placed at a network point where traffic passes through it
Can be standalone, or combination of firewall and NIDS
Passive Sensor
Monitors copy of traffic
More efficient
Firewall vs Network IDS
Firewall
- Active Filtering
- Fail-close (when firewall fails external network is closed to internal network, internal network is safe)
Network IDS
- Passive Monitoring
- Requires CPU intensive analysis
- Fail-open (fails to protect network and network is open to intrusion)
Common place for NIDS sensor and why?
Just inside the external firewall
- Sees attack from outside
- Highlights issues with external firewall performance
- Sees attack on web server or ftp in DMZ
- Can also see outgoing traffic and analyze for detection
Alternative place for NIDS sensor and why?
Outside external firewall
- Detects all attacks originated from internet
- Does not rely on firewall, so can see attacks that firewall misses or drops
Yet another place for NIDS sensor and why?
Inside Internal firewall
- Monitors all internal traffic increasing possibility of detecting attack
- Detects unauthorized activity by authorized users
One more option for NIDS sensor and why?
In front of particular system or subnet
- Detects targeted attacks against sensitive systems
- Allows focusing limited resources on assets of greatest value
SNORT
- Open source
- Highly configurable
- Lightweight
- Can be deployed on most nodes
- Performs real time packet analysis and detects attacks/probes based on rules
SNORT 4 components
Decoder - Decodes network/transport/app layer packets
Detection Engine - Compares decoded packet against a rule
Log - Log if packet matches rule, logs packet in human readable format
Alert - send alert
Snort Configuration
In passive mode:
Monitors traffic
Not in transmission path
Not an inline sensor
Honeypots
Decoy systems designed to lure attackers away from critical systems.
Observe what attackers are trying to do
Develop strategy to respond to attack
Types of Honeypots
High or Low interaction
Low interaction honeypot
Does not execute full version of all services
Less realistic
Sufficient for use as a component in a distributed IDS to warn of attack
High interaction honeypot
- Replicates real system and full operating system
- More realistic target, attacker can’t tell
- Challenging to emulate a real system
Honey Pot Deployment options
- Outside external firewall (less risk for internal network, but cannot trap internal attackers)
- In DMZ inside external firewall (DMZ is not fully accessible, can't attract interesting attacks)
- Inside internal network (catches internal attacks or a misconfigured firewall, but a compromised honeypot can attack internal systems; also must open up the internal firewall, a huge risk)
Ways to evaluate IDS
True Positive Rate (correct alert)
False Negative Rate (intrusions we missed)
False Positive Rate (false alert but no intrusion)
True Negative Rate (correctly classify normal activities)
Bayesian Detection Rate (given an IDS alert, how likely is it not an intrusion?)