Computer Security and Intrusion Detection(IDS/IPS)


IDS/IPS: Computer Security and Intrusion Detection

• Communication

•Any communication requires 4 entities

•Source

•Destination

•Medium

•Protocol – the rules governing the exchange


• Communication – Flow of Information


• Various types of attacks

•Interruption

•Interception

•Modification

•Fabrication

• Interruption – state in which an asset of a system is destroyed or becomes unavailable

• Targets the source or the communication channel

• Prevents the information from reaching the destination

• Interruption – Examples

• Cutting the physical cable medium

• Overloading the carrying medium

• The various types of Denial of Service (DoS) attacks

• Interception – an unauthorized party gains illegal access to the information traversing the communication channel.

• Examples

•Wiretapping

• Modification – information is intercepted and modified.

• Examples

•MITM (man-in-the-middle) attacks

• Fabrication – the attacker inserts forged objects into the system without the sender's knowledge or involvement.

• Fabrication – 2 types

• Replaying

• A previously intercepted entity is inserted

• Example – Replaying an authentication message.

• Masquerading

• The attacker pretends to be the legitimate source

• Inserts his / her desired information

• Example – Adding new records to a file or database
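The replay and masquerade cases above can be caught on the receiving side by binding each authentication message to a one-time nonce and a timestamp under a shared key, and refusing any message whose nonce has already been consumed or whose tag no longer matches the content. The Python below is an added example, not material from the slides; the shared key, the message layout, the 30-second skew window and the names ReplayGuard and make_auth_message are assumptions made for this illustration.

```python
import hashlib
import hmac

# Constructed shared secret and skew window for the example (not from the slides).
SHARED_KEY = b"example-shared-secret"
MAX_SKEW_SECONDS = 30


def make_auth_message(user, nonce, timestamp, key=SHARED_KEY):
    """Client side: an authentication message whose tag covers user, nonce and time."""
    payload = f"{user}|{nonce}|{timestamp}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"user": user, "nonce": nonce, "ts": timestamp, "tag": tag}


class ReplayGuard:
    """Server side: verifies the tag, the freshness window and nonce uniqueness.

    A captured message that is resent fails either because its nonce was already
    consumed or because its timestamp is now outside the allowed skew. A message
    whose fields were edited (masquerade) fails the tag check first.
    """

    def __init__(self, key=SHARED_KEY, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen_nonces = set()  # in production this would be a shared, expiring store

    def verify(self, msg, now):
        payload = f"{msg['user']}|{msg['nonce']}|{msg['ts']}".encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak tag bytes through timing.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad tag (modified or forged message)"
        if abs(now - msg["ts"]) > self.max_skew:
            return False, "stale timestamp (possible replay)"
        if msg["nonce"] in self.seen_nonces:
            return False, "nonce already used (replay)"
        self.seen_nonces.add(msg["nonce"])
        return True, "accepted"


def demo():
    """Constructed exchange: one genuine login, one replay, one stale copy, one edit."""
    guard = ReplayGuard()
    t0 = 1_700_000_000
    msg = make_auth_message("alice", "n-8f3a", t0)
    first = guard.verify(msg, now=t0 + 2)                       # genuine
    replayed = guard.verify(msg, now=t0 + 5)                    # same bytes resent
    late = guard.verify(make_auth_message("alice", "n-0001", t0), now=t0 + 600)
    forged = guard.verify(dict(msg, user="admin"), now=t0 + 3)  # masquerade attempt
    return first, replayed, late, forged
```

The nonce store is the part that needs care in a real deployment: it must be shared across all verifiers and must keep nonces at least as long as the skew window, otherwise a replay that arrives at a different server, or after the store forgot the nonce, is accepted.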

• Security Property

•A desired feature of a system with regard to a certain type of attack.

•The four attacks discussed in the previous section violate the various security properties of an information system.

•Core qualities of any information system


• Security Property

•Confidentiality

•Integrity

•Availability

•Authentication

•Non Repudiation

• Traffic Analysis – process of intercepting and examining messages in order to deduce information from patterns in communication. Information collected includes:

•Source

•Destination

•Timing of the data

•Frequency of a particular message

•Type of data / communication

• Non-repudiation – concept of ensuring that a contract cannot later be denied by one of the parties involved.

• Describes the mechanism that prevents either sender or receiver from denying a transmitted message.

•Non-repudiation of origin – proves data has been sent

•Non-repudiation of delivery – proves data has been received

•Security Mechanisms – the various actions and countermeasures employed to safeguard the security properties of an information system.

•Security Mechanisms – 3 Types

•Attack Prevention

•Attack Avoidance

•Attack Detection

• Attack Prevention – a series of security mechanisms implemented to prevent or defend against various kinds of attacks before they can actually reach and affect the target system.

•Examples

•Access Control

•Firewall

• Attack Avoidance – techniques in which the information is modified in a way that makes it unusable for the attacker.

•Assumption – the attacker may have, or already has, access to the subject information.

•Examples

• Cryptography

• Attack Detection – process / technique of reporting that something is able to bypass the security measures (if available), and identifying the type of attack.

• Countermeasures are initiated to recover from the impact of the attack.

•Examples

• IDS / IPS

• Intrusion Detection System

Intrusion detection encompasses a range of security techniques designed to detect (and report on) malicious system and network activity or to record evidence of intrusion.

IDS/IPS: Attack Framework

• Types of Events – 2

• Attributable

Event can be traced to an authenticated user

•Non-attributable

Event cannot be traced to an authenticated user.

Ex: Any event that occurs before authentication in the login process – bad password attempts.

Vulnerability

•Existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system, network, application, or protocol involved

•Pen Tester's Point of View – from a penetration tester's point of view, a vulnerability is defined as a security weakness in a Target of Evaluation.

Threat

• Any possible event, action, process or phenomenon that can potentially inflict damage on system resources


Relation between Vulnerability and Threat

Real Life Case Study – European Space Agency

•Ariane 5 Rocket – 10 years and $ 7 million

•Capable of placing a pair of three-ton satellites into orbit.

•Launched on 04 Jun 1996

Immediately after launch, Ariane 5 exploded.

Cause of the explosion: a very small computer program trying to stuff a 64-bit number into a 16-bit space.

See it: http://s.freissinet.free.fr/videos/ariane5.wmv
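The slide describes the cause as a 64-bit value being forced into a 16-bit space, that is, an unchecked narrowing conversion. The Python below is an added example (not from the slides and not the Ariane 5 software) contrasting silent wrap-around with a checked conversion that refuses out-of-range input and can fall back to a safe value; the limits are the standard signed 16-bit range and the function names are my own.

```python
INT16_MIN, INT16_MAX = -32768, 32767


def to_int16_wrapping(value):
    """Silent narrowing: keep only the low 16 bits, as an unchecked cast would.

    The result is a valid int16 but unrelated to the original magnitude, which is
    exactly the kind of value a downstream consumer cannot distinguish from real data.
    """
    low = int(value) & 0xFFFF
    return low - 0x10000 if low > INT16_MAX else low


def to_int16_checked(value):
    """Checked narrowing: truncate toward zero (like a float-to-int cast) and
    refuse anything the 16-bit target cannot represent."""
    whole = int(value)
    if not INT16_MIN <= whole <= INT16_MAX:
        raise OverflowError(f"{value} does not fit in a signed 16-bit integer")
    return whole


def narrow_with_fallback(value, fallback):
    """Narrow, and on overflow substitute a safe fallback and flag the event.

    Returns (result, overflowed) so the caller can log the overflow instead of
    silently continuing with a garbage value.
    """
    try:
        return to_int16_checked(value), False
    except OverflowError:
        return fallback, True


if __name__ == "__main__":
    # Constructed input: a 64-bit-sized quantity that a 16-bit field cannot hold.
    big = 40000
    print(to_int16_wrapping(big))          # wraps to a negative number
    print(narrow_with_fallback(big, 0))    # (0, True): flagged instead of trusted
```

The two behaviours differ in where the failure surfaces: the wrapping version hands a plausible-looking negative number to whatever reads the field, while the checked version makes the overflow an explicit event that the surrounding code has to decide how to handle.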


Vulnerability Classification

Vulnerabilities can be classified as follows:

• Design Vulnerabilities

• Implementation Vulnerabilities

• Configuration or Operational Vulnerabilities

Design Vulnerability

• When the vulnerability is said to be inherent to the project or design

• Very difficult to detect and eliminate as it is inherent to the project

• Proper implementation of the product will not get rid of the flaw

• Example – TCP/IP protocol stack vulnerabilities

Implementation Vulnerability

• When an error is introduced into the components of a system during the implementation stage of a project or algorithm, it is termed an Implementation Vulnerability.

• The error could be hardware based or software based.

• Example – Buffer Overflows

Configuration Vulnerability

• Also known as Operational Vulnerability.

• Introduced into the system when the responsible administrator does not perform the proper configuration, or sometimes leaves the default configuration on.

•Example – Not disabling unwanted services, allowing weak passwords

Attacks

• An assault on system security that derives from an intelligent threat.

• An intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system

•Example – denial of service attacks, penetration and sabotage

Difference between Attack and Security Event

• Attack – the intruder aims at achieving a particular result which could be against the implied security policy

• Event – No rules are violated or broken

Attack Components

• Attack realization tool – Example – Port Scanner

• Vulnerability – Exploit a known vulnerability

• Security Event – actions on the target system

• Result of the Attack – When an attacker is able to exploit a vulnerability and has generated a security event

The results of an attack may vary depending upon the security event and vulnerability chosen.

General Attack Model (figure: ATTACKER – PERFORMS ATTACK – TARGET)

The attacker and target represent the same entity (figure: ATTACKER AND TARGET ARE ON THE SAME ENTITY)


Attack Model Categories

• Traditional Attack Model

• One-to-one Attack Model

• One-to-many Attack Model

• Distribution Attack Model

• Many-to-one Attack Model

• Many-to-many Attack Model

Traditional Attack Model

• Attacks always originate from a single point.

• Single-tier architecture

• There is only a single layer between the attacker and the target.

One-to-one (traditional attack model)

• The attacker and target have a one-to-one relationship.

•Attack originates from a single machine.

One-to-many (traditional attack model)

• The attacker and target have a one-to-many relationship.

•Attack originates from a single machine, but there is more than one target


Distributed Attack Model

• Based on many-to-one and many-to-many relationships.

• The source of the attack is more than one entity.

• The attack packets originate from intermediate systems compromised by the attacker.

Many-to-one (Distributed attack model)

• The attacker and target have a many-to-one relationship.

•Attack originates from more than one machine.

•There is only one target


Many-to-many (Distributed attack model)

• The attacker and target have a many-to-many relationship.

•Attack originates from more than one machine.

•There is more than one target


Distributed attack

• Reconnaissance – searching for suitable hosts.

• Compromise the system – installing backdoors

• Attack Initiation – start the attack using the compromised systems.

Distributed attack – Agents

• Two types of special agents

•Masters / Servers

•Daemons / Clients

•Zombie – compromised systems where agents are installed.

•Distributed attacks implement a three-tier architecture

Distributed attack – Advantages (from the attacker's side)

• Attack Effect – devastating effect as the attack originates from multiple locations.

• Anonymity – provides a high level of anonymity to the attacker.

• Hard-to-stop attacks – very difficult to stop the attack without bringing down or disconnecting the target system

Intruder

• Also known as attacker – the first element in the attack model.

•A person who attempts to gain unauthorized access to a system, to damage that system, or to disturb data on that system

•Attempts to violate security by interfering with system Availability, data Integrity or data Confidentiality

Intruder Types

•Black Hat Hacker

•Government-supported hacker spies

•Cyber Terrorist

•Corporate Spies

•Professional Criminals

•Vandals

Incidents

•A violation or imminent threat of violation that could result, or does result, in

•a loss of data confidentiality,

•disruption of data or system integrity, or

•disruption or denial of availability

•An incident must clearly be a breach of network security.


Examples of Incidents

• DoS

• Malicious Code

• Unauthorized Access

• Inappropriate Usage

IDS/IPS: Introduction to IDS and IPS

Intrusion – any unauthorized system or network activity on one (or more) computer(s) or network(s)

Intrusion detection systems (IDSs) are software and/or hardware based systems that detect intrusions to your network / host based on a number of telltale signs.


Two types of IDS:

•Active IDS –

•attempt to block attacks

•respond with countermeasures

•alert administrators

•Passive IDS –

•merely log the intrusion

•create audit trails

IDS can provide the following information on attempted or actual security events

•Data destruction

•Denial-of-service

•Hostile Code

•Network or system eavesdropping

•System or network mapping and intrusion

•Unauthorized access

Types of IDS

•Host-based Intrusion detection system (HIDS)

•Network-based intrusion detection system (NIDS)

•Hybrid Intrusion Detection Systems

HIDS

•Resides on the host

•They scan log files – OS log files, application log files etc.

•If the log files are corrupt, HIDS is not effective.

•The scan output is logged into a secure database and compared to detect any intrusion.

Types of HIDS

• Operating System Level – Works on OS log files.

•Application Level – Works on application level log files.

• Network Level – works on packets addressed to or sent from a host.

Advantages of HIDS

• Cost Effective

• Additional Layer of Protection.

• Direct control over system entities – works on packets addressed to or sent from a host.

NIDS

• IDS responsible for detecting inappropriate, anomalous, or any other kind of data which may be considered unauthorized or inappropriate for a subject network

• Pattern based

Hybrid IDS – Combination of HIDS and NIDS

IPS

• Sophisticated class of network security implementation that not only has the ability to detect the presence of intruders and their actions, but also to prevent them from successfully launching any attack.

• Incorporates the security features of firewall technology and those of intrusion detection systems

IPS Categories

• Host IPS (HIPS)

•Loaded on each PC and server

• Network IPS (NIPS)

•Component that effectively integrates into your overall network security framework.


Benefits of HIPS

• Attack Prevention

• Patch Relief

• Internal Attack propagation prevention

• Policy enforcement

• Regulatory requirements

NIPS – Places sensors as L2 forwarding devices.

Main difference between IDS and IPS – packet dropping.

Dropping of packets – Categories

•Dropping a single packet

•Dropping all packets for a connection

•Dropping all traffic from a source IP.
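The three drop scopes above differ in how much state the inline device has to keep: a packet-scope drop needs none, a connection-scope drop needs a table of blocked flows, and a source-scope drop needs a table of blocked addresses that then affects every later connection from that host. The Python below is an added example, not from the slides or any IPS product; the rule table, the five-tuple flow key and the names InlineIPS and Packet are assumptions for this illustration, and the payload patterns are only placeholders standing in for whatever signatures an operator has loaded.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes

    def flow(self):
        """Key identifying one TCP connection (protocol omitted for brevity)."""
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


# Hypothetical rule table: (pattern, drop scope the operator chose for that pattern).
RULES = [
    (b"UNION SELECT", "connection"),  # drop the rest of the offending connection
    (b"../../", "packet"),            # drop only this packet, connection continues
    (b"BRUTE", "source"),             # drop everything further from this source IP
]


@dataclass
class InlineIPS:
    blocked_flows: set = field(default_factory=set)
    blocked_sources: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle(self, pkt):
        """Return 'forward' or 'drop' for one packet, updating block state as a side effect."""
        # Standing blocks are consulted before any pattern matching.
        if pkt.src_ip in self.blocked_sources:
            return self._drop(pkt, "source already blocked")
        if pkt.flow() in self.blocked_flows:
            return self._drop(pkt, "connection already blocked")
        for pattern, scope in RULES:
            if pattern in pkt.payload:
                if scope == "connection":
                    self.blocked_flows.add(pkt.flow())
                elif scope == "source":
                    self.blocked_sources.add(pkt.src_ip)
                # scope == "packet" records nothing: only this packet is affected
                return self._drop(pkt, f"matched {pattern!r}, scope={scope}")
        return "forward"

    def _drop(self, pkt, reason):
        self.log.append((pkt.src_ip, pkt.src_port, reason))
        return "drop"


def run_demo():
    """Constructed packet sequence exercising all three drop scopes."""
    ips = InlineIPS()
    packets = [
        Packet("10.0.0.5", "10.0.0.80", 40001, 80, b"GET /index.html"),
        Packet("10.0.0.5", "10.0.0.80", 40001, 80, b"GET /?id=1 UNION SELECT 1"),
        Packet("10.0.0.5", "10.0.0.80", 40001, 80, b"GET /about.html"),  # same connection: dropped
        Packet("10.0.0.5", "10.0.0.80", 40002, 80, b"GET /about.html"),  # new connection: forwarded
        Packet("10.0.0.9", "10.0.0.80", 50000, 80, b"GET /../../secret"),
        Packet("10.0.0.9", "10.0.0.80", 50000, 80, b"GET /index.html"),  # packet scope: connection survives
        Packet("10.0.0.7", "10.0.0.22", 51000, 22, b"BRUTE attempt 1"),
        Packet("10.0.0.7", "10.0.0.80", 51001, 80, b"GET /index.html"),  # source scope: dropped too
    ]
    return [ips.handle(p) for p in packets]
```

Source-scope blocking is the widest hammer and also the easiest to turn against the defender: traffic with a forged source address can cause an inline device to block an address that never sent anything malicious, so the scope chosen for a rule should match how much trust the source field deserves for that protocol.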

Defense in Depth

• Also known as Elastic defense.

• Military strategy that seeks to delay rather than prevent the advance of an attacker.

• Represents the use of multiple computer security techniques to help mitigate the risk of one component of the defense being compromised or circumvented.

Defense in Depth

•The attacker has to penetrate a series of layered defenses

• Each layer is equipped with a suitable defense

• The delay provides the security staff with the time to respond to the attack.


IDS & IPS Analysis Scheme

•A baseline is first set.

•Baseline - known value or quantity with which an

unknown is compared when measured or assessed

•A group of network activities / characteristics are

categorized as baseline for an IDS system

•Anything outside baseline - malicious

(figure: Network Activity Baseline contrasted with activities that vary from the baseline)

IDS Analysis

• Process of organizing the various elements of data related to IDS and their inter-relationships to identify any irregular activity of interest.


IDS Analysis

Divided into 4 phases:

• Preprocessing

• Analysis

• Response

• Refinement

Detection Methodologies

• Rule based Detection

• Also known as Misuse Detection, Signature detection or pattern matching.

• First scheme used in earlier IDS

• Process of attempting to identify instances of network attacks by comparing current activity against the expected actions of an intruder
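Rule-based detection reduces to running a table of known patterns over each event and emitting an alert per match, which is also how a host-based IDS works through the OS and application log files mentioned earlier. The Python below is an added example, not from the slides or any IDS product; the three signatures, the syslog-style sample lines and the names scan and failed_root_sources are constructed for this illustration, and the patterns are deliberately simple so the matching logic stays visible.

```python
import re
from collections import Counter

# Constructed sample log lines in a syslog-like form (not from the slides).
SAMPLE_LOG = """\
Mar 10 09:12:01 web01 httpd: 203.0.113.8 "GET /index.html" 200
Mar 10 09:12:05 web01 httpd: 203.0.113.8 "GET /../../etc/passwd" 403
Mar 10 09:12:09 bastion sshd[4122]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar 10 09:12:10 bastion sshd[4122]: Failed password for root from 198.51.100.23 port 51023 ssh2
Mar 10 09:12:11 bastion sshd[4122]: Failed password for root from 198.51.100.23 port 51024 ssh2
Mar 10 09:12:12 bastion sshd[4122]: Accepted publickey for deploy from 192.0.2.10 port 40100 ssh2
Mar 10 09:13:02 web01 httpd: 203.0.113.8 "GET /index.php?id=1%20UNION%20SELECT%201,2,3" 200
"""

# Signature table: (name, compiled pattern, severity). Each pattern describes the
# "expected action of an intruder" the slide refers to; the optional named group
# 'src' lets later correlation pull out the offending address.
SIGNATURES = [
    ("passwd-file-probe", re.compile(r"/etc/passwd"), "high"),
    ("sql-union-probe", re.compile(r"UNION(%20|\s)+SELECT", re.IGNORECASE), "high"),
    ("ssh-failed-root", re.compile(r"Failed password for root from (?P<src>[\d.]+)"), "medium"),
]


def scan(log_text):
    """Run every signature over every line; one alert per (line, signature) match."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for name, pattern, severity in SIGNATURES:
            m = pattern.search(line)
            if m:
                alerts.append({
                    "line": lineno,
                    "sig": name,
                    "severity": severity,
                    "src": m.groupdict().get("src"),
                })
    return alerts


def failed_root_sources(alerts, threshold=3):
    """Correlation step: sources whose failed-root-login alerts reach the threshold."""
    counts = Counter(a["src"] for a in alerts if a["sig"] == "ssh-failed-root")
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a)
    print(failed_root_sources(found))
```

The matcher only ever finds what is already in its table, which is the limitation the slides raise later under the myths: a new attack, or an old one encoded differently (note the URL-encoded space the second signature has to allow for), produces no match at all.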

• Anomaly Detection

• Also known as profile-based detection

•A profile is created for each user group on the system.

•The profile created is then used as a baseline to define user activity.

•If network activity deviates from the baseline, an alarm is generated.

• Behavior Anomaly Detection

• Looks for anomalies in user behavior.

• Characteristics dependent rather than statistical.

• Network Behavior Anomaly Detection (NBAD)

• Also known as traffic anomaly systems

• Process of continuously monitoring a proprietary network for unusual events or trends

• Basically statistical rather than characteristics based.
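The baseline scheme, profile-based anomaly detection, behavior anomaly detection and network behavior anomaly detection described above all share one shape: build a per-group profile from training data, then alarm when a new observation lies outside it. The Python below is an added example that serves all of those passages; it is not from the slides or any product. The per-group profile carries both a statistical part (mean and standard deviation of transfer volume, the NBAD style) and a characteristic part (the set of usual working hours, the behavior anomaly style). The training numbers, the three-standard-deviation threshold and the names build_profiles, volume_zscore and evaluate are assumptions made for the illustration.

```python
import statistics

# Constructed baseline (not from the slides): megabytes transferred per hour by
# members of each user group during a training period, plus the hours in which
# that group normally works.
BASELINE_VOLUME = {
    "developers": [120, 135, 128, 142, 130, 125, 138, 133],
    "finance": [20, 25, 22, 18, 24, 21, 23, 19],
}
BASELINE_HOURS = {
    "developers": set(range(8, 20)),  # 08:00 to 19:59
    "finance": set(range(8, 18)),     # 08:00 to 17:59
}


def build_profiles(volumes, hours):
    """One profile per user group: statistical part (mean, stdev) and
    characteristic part (usual hours)."""
    return {
        group: {
            "mean": statistics.mean(samples),
            "stdev": statistics.stdev(samples),
            "hours": hours[group],
        }
        for group, samples in volumes.items()
    }


def volume_zscore(profile, observed):
    """How many standard deviations the observation lies from the group mean."""
    sd = profile["stdev"]
    if sd == 0:  # degenerate baseline: every training sample was identical
        return 0.0 if observed == profile["mean"] else float("inf")
    return (observed - profile["mean"]) / sd


def evaluate(profiles, events, threshold=3.0):
    """events: (user, group, hour, megabytes). Returns (user, reason) alarms.

    The volume check is statistical; the hour check is characteristic based.
    Both compare against the profile of the user's group, as the slides describe.
    """
    alarms = []
    for user, group, hour, mb in events:
        profile = profiles[group]
        z = volume_zscore(profile, mb)
        if z > threshold:
            alarms.append((user, f"volume {mb} MB is {z:.1f} sd above the {group} baseline"))
        if hour not in profile["hours"]:
            alarms.append((user, f"activity at {hour:02d}:00 outside usual {group} hours"))
    return alarms


def demo():
    """Constructed observations: two normal users, one volume outlier, one off-hours outlier."""
    profiles = build_profiles(BASELINE_VOLUME, BASELINE_HOURS)
    events = [
        ("alice", "developers", 10, 140),
        ("bob", "developers", 11, 300),
        ("carol", "finance", 3, 40),
        ("dan", "finance", 14, 25),
    ]
    return evaluate(profiles, events)
```

The threshold is where the false-positive trade-off lives: the finance baseline is tight (a standard deviation of about 2.4 MB), so a modest 40 MB transfer scores more than seven standard deviations out and alarms, whereas the same absolute volume from a developer would be far below that group's mean. A profile built from a training period that already contained an intrusion will treat that intrusion as normal, which is why the training window has to be chosen and reviewed rather than just recorded.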

• Protocol Anomaly Systems

• Look for deviations from the set protocol standards.

• Primarily characteristics based.

• Not very reliable and generates false positives.
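A protocol anomaly check needs no attack signatures at all: it encodes what the standard says a message must look like and reports anything that departs from it. The Python below is an added example, not from the slides or any product, that checks the head of an HTTP/1.x request against a handful of rules drawn from the RFC 7230 grammar (request-line shape, header-name token characters, Host required for HTTP/1.1, a single numeric Content-Length). The method list, the 2048-byte target limit, the sample requests and the names check_http_request and run_samples are assumptions made for the illustration.

```python
import re

KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
HEADER_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 token characters


def check_http_request(raw, max_target_len=2048):
    """Return the list of protocol deviations found in one request head (empty = conforming)."""
    findings = []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        # Covers bare-LF line endings, missing version, HTTP/0.9 style lines, etc.
        return ["malformed request line: " + repr(lines[0][:40])]
    method, target, major, minor = m.groups()
    if method not in KNOWN_METHODS:
        findings.append(f"unknown method {method}")
    if len(target) > max_target_len:
        findings.append(f"request target longer than {max_target_len} bytes")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not HEADER_NAME.match(name):
            findings.append(f"malformed header line {line[:40]!r}")
            continue
        headers.setdefault(name.lower(), []).append(value.strip())
    if (major, minor) == ("1", "1") and "host" not in headers:
        findings.append("HTTP/1.1 request without Host header")
    lengths = headers.get("content-length", [])
    if len(lengths) > 1:
        findings.append("multiple Content-Length headers")
    if any(not v.isdigit() for v in lengths):
        findings.append("non-numeric Content-Length")
    return findings


# Constructed request heads (not captured traffic), one per rule exercised.
SAMPLES = {
    "conforming": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "no_host": b"GET /index.html HTTP/1.1\r\n\r\n",
    "unknown_method": b"FOO /x HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "long_target": b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n\r\n",
    "http09_style": b"GET /\r\n\r\n",
    "bare_lf": b"GET / HTTP/1.1\nHost: example.com\n\n",
    "double_length": b"POST /u HTTP/1.1\r\nHost: example.com\r\nContent-Length: 5\r\nContent-Length: 7\r\n\r\n",
    "bad_header_name": b"GET / HTTP/1.1\r\nHost: example.com\r\nX Bad: 1\r\n\r\n",
}


def run_samples():
    return {name: check_http_request(raw) for name, raw in SAMPLES.items()}
```

The http09_style and bare_lf samples show where the false positives the slide warns about come from: an old client or a sloppy but harmless script sends exactly these shapes, and a strict checker cannot tell them from a probe. The duplicate Content-Length rule, by contrast, flags something no conforming client sends, so it is the kind of deviation worth alerting on with confidence.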

• Target Monitoring Systems

• Look for modification of specified files or objects.

• More of a corrective control.

•Creates a cryptographic checksum for each file.

•This checksum is compared at regular intervals to detect any changes.

Heuristics

• Still in its initial stages

• Refers to the use of AI in detecting intrusions.

• An AI scripting language is used to apply the analysis to the incoming data.

Hybrid Approach

• Any system that uses a combination of the above mentioned analysis methods

Some Myths

•IDS and IPS are two separate solutions

•IDSs and IPSs will catch or stop all network intrusions

•IDS give too many false positives

•IDS will eventually replace firewalls.

•Fewer security admins are required if you deploy an IDS
