Intrusion Detection ZU
Uploaded by Warrior Zen

Security Technology: Intrusion Detection, Access Control and Other Security Tools
Intrusion
• Intrusion is a type of attack on
information assets in which the
instigator (intruder) attempts to gain
entry into a system or disrupt the
normal operation of system with,
almost always, the intent to do
malicious harm
Example of intrusion
• Remote root compromise
• Web server defacement (spoiling)
• Guessing/cracking passwords
• Copying databases containing credit card numbers/ password files
• Viewing sensitive data without authorization
• Running a packet sniffer
• Distributing pirated software
• Using an unsecured modem to access internal network
• Impersonating an executive to get information
• Using an unattended workstation
Intrusion behavior
• Target acquisition and information gathering
• Initial access
• Privilege escalation
• Information gathering or system exploit
• Maintaining access
• Covering tracks (escape security personnel)
Hacker Behavior Example
1. Select target using IP lookup tools
2. Map network for accessible services
– study physical connectivity (via NMAP)
3. Identify potentially vulnerable services
4. Brute force (guess) passwords
5. Install remote administration tool
6. Wait for admin to log on and capture password
7. Use password to access remainder of network
Criminal intruder behavior
1. Act quickly and precisely to make their activities
harder to detect
2. Exploit perimeter via vulnerable ports
3. Use Trojan horses (hidden software) to leave
back doors for re-entry
4. Use sniffers to capture passwords
5. Do not stick around until noticed
6. Make few or no mistakes
Insider intruder behavior
1. Create network accounts for themselves and their
friends
2. Access accounts and applications they wouldn't
normally use for their daily jobs
3. E-mail former and prospective employers
4. Conduct furtive (covert) instant-messaging chats
5. Visit web sites that cater to disgruntled employees,
such as f*dcompany.com
6. Perform large downloads and file copying
7. Access the network during off hours
Insider attacks
• Among the most difficult to detect and prevent
• Employees have access and systems knowledge
• May be motivated by revenge/entitlement, e.g. when employment is terminated
• Taking customer data when moving to a competitor
• IDS/IPS may help, but also need:
• Least privilege, log monitoring, strong authentication, and a
termination process that blocks access and takes a mirror image
of the employee’s HD (for future purposes)
Security intrusion & detection
• Security intrusion: a security event, or combination of
multiple security events, that constitutes a security
incident in which an intruder gains, or attempts to gain,
access to a system (or system resource) without having
authorization to do so.
• Intrusion detection: a security service that monitors and
analyzes system events for the purpose of finding, and
providing real-time or near real-time warning of
attempts to access system resources in an unauthorized
manner.
Intrusion techniques
• Objective to gain access or increase privileges
• Initial attacks often exploit system or software
vulnerabilities to execute code that opens a
backdoor into the system
– e.g. buffer overflow on the program that runs with
certain privileges
• Or to gain protected information
– Password guessing or acquisition (or via social
engineering)
Intrusion detection systems (IDS)
• Host-based IDS: monitors the characteristics of a single host and the events
occurring within that host for suspicious activity
• Network-based IDS: monitors network traffic for particular network segments or
devices and analyzes network, transport, and application protocols to identify
suspicious activity
• Distributed or hybrid: Combines information from a number of sensors, often both
host and network based, in a central analyzer that is able to better identify and
respond to intrusion activity
• Commercially available in late 1990
• Works like a burglar alarm
• Detects a violation and sounds alarm
• Extension – Intrusion prevention systems
– Detect and prevent intrusion
• Generally accepted combination: intrusion detection and prevention system (IDPS)
Input examples
• Examples of inputs into the sensor are network packets, log files, and system call traces
• The sensor collects this information and forwards it to the analyzer
• What is the output of the analyzer?
– The output of this component is an indication that an intrusion has occurred
– It may include evidence supporting the conclusion that an intrusion occurred
– The analyzer may provide guidance about what actions to take as a result of the intrusion
IDS principles
• Assumption: intruder behavior differs from that of legitimate users,
in ways that can be quantified.
– Expect overlap between the two, as shown in the figure
– Patterns for legitimate users can be established by observing past history;
major deviations from those patterns can then be detected
• Problems of:
– false positives (i.e., authorized users identified as intruders)
– false negatives (i.e., intruders are not recognized as intruders)
– a compromise between the two must be chosen
Why Use an IDS
• Prevent problem behaviors by increasing the
perceived risk of discovery and punishment
• Detect attacks and other security violations
• Detect and deal with preambles to attacks
• Document existing threat to an organization
• Act as quality control for security design &
administration
• Provide useful information about intrusions that take
place
Detection Techniques
(Methodologies)
• Anomaly (behavior) detection
(statistical approach)
• Signature/heuristic detection
(knowledge-based)
IDS: anomaly (behavior) detection
• Involves the collection of data relating to the behavior of
legitimate users over a period of time
• Current observed behavior is analyzed to determine whether this
behavior is that of a legitimate user or that of an intruder
• Based on the frequency with which network activities take place
• Collect statistical summaries of “normal” traffic to form baseline
• Measure current traffic against baseline
• Traffic outside baseline will generate alert
• Can detect new types of attacks
• Requires much more overhead and processing capacity
• May not detect minor changes to baseline
Anomaly detection
• Threshold detection
– checks excessive event occurrences over time
– alone a crude and ineffective intruder detector
– must determine both thresholds and time intervals
– lots of false positive/false negative may be possible
• Profile based (consists of set of parameters)
– characterize past behavior of users and/or related groups
– then detect significant deviations
– a single parameter may not be sufficient in itself to signal an alert
– based on analysis of audit records: gather metrics
– various statistical tests can be performed to determine whether
current activity fits within acceptable limits
Example of metrics
⚫ Counters: e.g., number of logins during an hour,
number of times a cmd executed
⚫ Gauge: e.g., the number of outgoing messages [pkts]
⚫ Interval time: the length of time between two events,
e.g., two successive logins
⚫ Resource utilization: quantity of resources used (e.g.,
number of pages printed)
⚫ Mean and standard deviations
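The threshold and profile-based approaches above, as an added example that is not part of the original slides: a sliding-window threshold check, plus a per-user profile built from the counter, gauge and interval metrics listed (mean and standard deviation per metric), with an alert raised only when several metrics deviate at once. The audit records are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed audit records (hypothetical): (user, hour_of_day, logins, commands, bytes_out).
BASELINE = [
    ("alice", 9, 2, 40, 1200), ("alice", 10, 1, 55, 900), ("alice", 11, 1, 48, 1500),
    ("alice", 14, 2, 60, 1100), ("alice", 15, 1, 50, 1300), ("alice", 16, 1, 45, 1000),
]
CURRENT = [
    ("alice", 10, 1, 52, 1250),   # ordinary working-hour activity
    ("alice", 2, 9, 300, 80000),  # off hours, many logins, heavy outbound volume
]

def threshold_exceeded(timestamps, limit, window):
    """Threshold detection: more than `limit` events inside any `window`-second interval."""
    ts = sorted(timestamps)
    start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        if end - start + 1 > limit:
            return True
    return False

def build_profile(records):
    """Profile-based detection: per-user mean and standard deviation of each metric."""
    by_user = defaultdict(lambda: defaultdict(list))
    for user, hour, logins, cmds, out in records:
        for name, value in (("logins", logins), ("commands", cmds), ("bytes_out", out), ("hour", hour)):
            by_user[user][name].append(value)
    return {u: {m: (statistics.mean(v), statistics.pstdev(v)) for m, v in metrics.items()}
            for u, metrics in by_user.items()}

def z_score(value, mean, std):
    if std == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / std

def score_record(profile, record, threshold=3.0, min_deviations=2):
    """Flag a record only when several metrics deviate; one parameter alone is not enough."""
    user, hour, logins, cmds, out = record
    if user not in profile:
        return True, ["unknown user"]
    observed = {"logins": logins, "commands": cmds, "bytes_out": out, "hour": hour}
    deviations = [m for m, v in observed.items() if abs(z_score(v, *profile[user][m])) > threshold]
    return len(deviations) >= min_deviations, deviations
```

The second CURRENT record is flagged on all four metrics, while the first falls within the baseline on every one.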
Signature/heuristic detection
• Uses a set of known malicious data patterns or
attack rules that are compared with current
behavior
• Can only identify known attacks for which it has
patterns or rules (signature)
• Very similar to anti-virus (requires frequent updates)
• Rule-based penetration identification
– rules identify known penetrations/weaknesses
– often derived by analyzing attack scripts published by Computer
Emergency Response Teams (CERTs)
Example of rules in a signature
detection IDS
⚫ Users should not be logged in more than one session
⚫ Users do not make copies of system, password files
⚫ Users should not read in other users’ directories
⚫ Users must not write other users’ files
⚫ Users who log after hours often access the same files
they used earlier
⚫ Users do not generally open disk devices but rely on
high-level OS utilities
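Four of the rules above expressed as a small rule-based detector over audit events, as an added example that is not part of the original slides. The event format, the list of protected files and the /home/<user> ownership convention are assumptions made for the example.

```python
# Constructed audit events (hypothetical format): who did what to which path in which session.
EVENTS = [
    {"user": "bob", "action": "login", "path": "", "session": "s1"},
    {"user": "bob", "action": "login", "path": "", "session": "s2"},
    {"user": "bob", "action": "read", "path": "/home/alice/notes.txt", "session": "s1"},
    {"user": "bob", "action": "copy", "path": "/etc/shadow", "session": "s2"},
    {"user": "bob", "action": "write", "path": "/home/bob/report.txt", "session": "s1"},
    {"user": "carol", "action": "write", "path": "/home/bob/report.txt", "session": "s3"},
]
PROTECTED = {"/etc/passwd", "/etc/shadow"}  # assumed "system/password files"

def home_owner(path):
    """Owner implied by a /home/<user>/... path, or None for other locations (assumption)."""
    parts = path.split("/")
    return parts[2] if len(parts) > 3 and parts[1] == "home" else None

def rule_single_session(state, ev):
    """Users should not be logged in more than one session."""
    if ev["action"] != "login":
        return None
    sessions = state.setdefault(ev["user"], set())
    sessions.add(ev["session"])
    return "multiple concurrent sessions" if len(sessions) > 1 else None

def rule_password_file(state, ev):
    """Users do not make copies of system/password files."""
    return "copy of password file" if ev["action"] == "copy" and ev["path"] in PROTECTED else None

def rule_foreign_read(state, ev):
    """Users should not read in other users' directories."""
    owner = home_owner(ev["path"])
    return "read in another user's directory" if ev["action"] == "read" and owner not in (None, ev["user"]) else None

def rule_foreign_write(state, ev):
    """Users must not write other users' files."""
    owner = home_owner(ev["path"])
    return "write to another user's file" if ev["action"] == "write" and owner not in (None, ev["user"]) else None

RULES = [rule_single_session, rule_password_file, rule_foreign_read, rule_foreign_write]

def run_signature_ids(events):
    """Apply every rule to every event in order; return (user, rule hit) pairs."""
    state, alerts = {}, []
    for ev in events:
        for rule in RULES:
            hit = rule(state, ev)
            if hit:
                alerts.append((ev["user"], hit))
    return alerts
```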
Signature vs anomaly detection: example events
⚫ Connection attempt from a reserved IP address
⚫ Attempt to copy the password file
⚫ Email containing a particular virus
⚫ File access attack on an FTP server by issuing file
and directory commands to it without first
logging in
Host-based IDS
⚫ Specialized software to monitor system activity to detect
suspicious behavior
− primary purpose is to detect intrusions, log suspicious events, and send
alerts
− can detect both external and internal intrusions
⚫ Two approaches, often used in combination:
⚫ Anomaly detection: consider normal/expected behavior over a period of
time; apply statistical tests to detect intruder
− threshold detection: for various events (#/volume of copying)
− profile based (time/duration of login)
⚫ Signature detection: defines proper (or bad) behavior (rules)
Network-based intrusion detection
• Network-based IDS (NIDS)
• Monitor traffic at selected points on a network (e.g.,
rlogins to disabled accounts)
• In (near) real time to detect intrusion patterns
• May examine network, transport and/or application
level protocol activity directed toward systems
• Comprises a number of sensors
• Inline (possibly as part of other net device) – traffic
passes through it
• Passive (monitors copy of traffic)
NIDS intrusion detection
techniques
⚫ Signature detection
− at application (FTP), transport (port scans), network layers (ICMP);
unexpected application services (host running unexpected app), policy
violations (website use)
⚫ Anomaly detection
− of denial of service attacks, scanning, worms (significant traffic
increase)
⚫ When potential violation detected, sensor sends an
alert and logs information
− Used by analysis module to refine intrusion detection parameters and
algorithms
− by security admin to improve protection
NIDS intrusion detection
techniques
• Application layer reconnaissance and attacks: analyze several dozen application
protocols looking for attack patterns identified as targeting these protocols.
• Transport layer reconnaissance and attacks: analyze TCP / UDP / other transport-
layer protocols for unusual packet fragmentation, port scans, TCP-specific attacks etc
• Network layer reconnaissance and attacks: typically analyze IPv4, ICMP, and IGMP
for spoofed IP addresses, illegal IP header values, etc
• Unexpected application services: to determine if activity consistent with protocol
• Policy violations: such as use of inappropriate Web sites, use forbidden protocols etc
• Some examples of types of attacks suitable for anomaly detection are:
• Denial of service (DoS) attacks: involve either significantly increased packet traffic or
significantly increased connection attempts, to overwhelm the target system.
• Scanning: occurs when an attacker probes a target network or system by sending
different kinds of packets to learn many of the system’s
characteristics/vulnerabilities.
• Worms: detected because of use of large amounts of bandwidth, or because they
can cause hosts to communicate with other hosts/ports not typically seen.
• When a sensor detects a potential violation it sends an alert and logs information
related to the event. The NIDS analysis module uses this to refine intrusion
Distributed hybrid intrusion detection
(host-based, NIDS, distributed host-based)
⚫ Issues:
− Tools may not recognize new threats
− Difficult to deal with rapidly spreading attacks
⚫ Solution:
− Distributed adaptive IDS through peer-to-peer gossip and cooperation
− One developed by Intel
Logging of alerts (for all types)
• Typical information logged by a NIDS sensor includes:
• Timestamp
• Connection or session ID
• Event or alert type
• Rating
• Network, transport, and application layer protocols
• Source and destination IP addresses
• Source and destination TCP or UDP ports, or ICMP types
and codes
• Number of bytes transmitted over the connection
• Decoded payload data, such as application requests and
responses
• State-related information
Honeypots
⚫ Decoy systems
− Filled with fabricated information and instrumented with
monitors/event loggers
− Lure a potential attacker away from critical systems
− Collect information about the attacker’s activity
− Encourage the attacker to stay on the system long enough for
administrators to respond
− Divert and hold attacker to collect activity information without
exposing production systems
⚫ Initially were single systems
⚫ More recently are/emulate entire networks
Honeypot deployment
1. Tracks attempts to connect to an unused IP address; can’t help with inside attackers
2. In DMZ; must make sure the other systems in the DMZ are secure; firewalls may block traffic to the honeypot
3. Full internal honeypot; can detect internal attacks
Snort IDS
⚫ Lightweight IDS
− Open source (rule-based)
− Real-time packet capture and rule analysis
− Passive or inline
− Components: decoder, detector, logger, alerter

intrusion
processes captured
detection
packets to identify
work
and isolate
SNORT Rules
⚫ Use a simple, flexible rule definition language
⚫ Fixed header and zero or more options
⚫ Header includes: action, protocol, source IP, source port,
direction, dest IP, dest port
⚫ Many options
⚫ Example rule to detect a TCP SYN-FIN attack:

alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"SCAN SYN FIN"; flags:SF,12; \
reference:arachnids,198; classtype:attempted-recon;)

• detects an attack at the TCP level; $strings are variables with defined values;
any source or dest port is considered; checks to see if the SYN and FIN bits are set
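How the rule above is read and applied, as an added example that is not Snort's own code: a minimal parser for the header and options of this one rule, and a matcher that resolves the $HOME_NET/$EXTERNAL_NET variables (assumed values, with $EXTERNAL_NET taken as the usual !$HOME_NET) and applies the default flags semantics (the listed bits set, every other bit clear, except the bits named after the comma, which are ignored). Only the default flags form is handled, not the +, * and ! modifiers; the packets are constructed.

```python
import ipaddress
import re

RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"SCAN SYN FIN"; flags:SF,12; reference:arachnids,198; classtype:attempted-recon;)')

# Assumed variable value for this example; in Snort these come from the configuration.
VARS = {"$HOME_NET": ipaddress.ip_network("10.0.0.0/8")}
# TCP flag letters used by the flags option; "1" and "2" are the two reserved (ECN) bits.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

def parse_rule(text):
    """Split the fixed header from the parenthesised options (assumes no ';' inside option values)."""
    m = re.match(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def addr_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return addr in VARS["$HOME_NET"]
    if spec == "$EXTERNAL_NET":
        return addr not in VARS["$HOME_NET"]
    return addr in ipaddress.ip_network(spec, strict=False)

def flags_match(spec, flags):
    """Default flags semantics: wanted bits set and all other unmasked bits clear."""
    wanted, _, mask = spec.partition(",")
    want_bits = sum(TCP_FLAG_BITS[c] for c in wanted)
    ignore = sum(TCP_FLAG_BITS[c] for c in mask)
    return (flags & ~ignore) == want_bits

def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and the raw TCP flags byte."""
    if pkt["proto"] != rule["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if rule["sport"] != "any" and str(pkt["sport"]) != rule["sport"]:
        return False
    if rule["dport"] != "any" and str(pkt["dport"]) != rule["dport"]:
        return False
    flags = rule["options"].get("flags")
    return flags is None or flags_match(flags, pkt["flags"])
```

A SYN+FIN segment from outside $HOME_NET matches even when a reserved bit is also set, while a plain SYN, or the same segment from an internal address, does not.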
Access control & Scanning
⚫ Scanning and Analysis Tools
− Help find vulnerabilities in system, holes in security
components, and unsecure aspects of the network
− Allow system admin to see what the attacker sees
− May run into problems with ISP
− Port scanners – what is active on computer
− Firewall analysis tools
− Operating system detection tools
− Vulnerability scanners
− Packet sniffers
⚫ Access Control Tools
− Authentication – validation of a user's identity
− 4 general ways carried out
