Background
Why are they used?
Movement towards more secured computing systems
Management is becoming cognizant of growing cyber-threats
Where are they used?
Medium to Large Businesses
Anyone that can afford them
Open-source solutions (SNORT)
Types of Attacks
Code Obfuscation
Polymorphism
Shell-code is constantly mutating
Characterized by:
Execution of GetPC code
Read operations from input stream
Port Scans
Denial of Service (DoS)
Types of IDS
HIDS (Host Intrusion Detection System)
Operates on a single host
Uses host’s computation resources
NIDS (Network Intrusion Detection System)
Stand-alone hardware
Expensive
Methods of Detection
Signature Based
Compares packets to database of known threats
Heuristics Based
Analyzes and categorizes packets into groups
Normal, Hostile
Many different techniques being developed
Pros and Cons
Signature Based
Require constant updates by administrators
Can only detect currently known threats
Heuristics
Have the ability to identify new/unknown threats
Can easily mistake infrequent normal traffic as hostile
Heuristic Detection Techniques
Cellular Automata
Genetic Algorithms
Neural Networks
Bioinformatics
Network‐Level Emulation
Measured:
Cellular Automata
Solves problems in an evolutionary way
Consists of number of cells organized in the form of a lattice
Each cell is considered independent
Its state depends only on its two adjacent cells
Fuzzy States are generally used
Categorizations are done using membership functions
As data is passed and classified each cell mutates randomly
Neural Networks
In general, model multivariate non-linear functions using nodes called neurons
Good at classification problems
Separated in 5 categories for experiment
Normal Connections
DoS (Denial of Service)
R2L (Remote to Local), U2R (User to Remote)
Probe/Surveillance
Best Results came from Over-Sampling Training data
Network-Level Emulation
Inspects client-initiated data of each network flow
Server-initiated data is ignored
Reconstructs the application-level stream using TCP stream reassembly
Emulator repeats execution of code from each possible entry point in the stream
Execution of polymorphic shell-code is identified by two runtime behavioral characteristics
Execution of GetPC code
Several Read operations from within the stream
Statistics Collected
Real World Deployment of nemu (Network-Level Emulation)
Sensors in Europe have been operating since March 9th, 2007
Collected from National Research Networks and one Educational Network
As of February 13th, 2008
1,053,332 attacks targeting 21 different ports
31% were launched from 8981 unique IPs
The rest (68%) were launched from 204 infected hosts
Ports Attacked
25 – SMTP
42 – WINS, Nameserver
80 – HTTP
110 – POP3
135 – Microsoft EPMAP
also known as DCE/RPC Locator service, used to remotely manage services including DHCP server, DNS server and WINS
139 – NetBIOS Session Service
143 – IMAP
445 – Microsoft Active Directory, Windows Shares, SMB File Sharing
1025 – NFS or IIS
2967 – Symantec Antivirus Corporate Edition
Evading NIDS
Insertion Attacks
Send packets that the end-system (victim) will reject, but that the IDS accepts as valid.
Evasion Attacks
Sends packets which the IDS rejects but target accepts
Both end up giving different streams to the IDS and End-Host
Fragmentation is used in both – we all should know this by now
Methods of Evading NIDS
Case 1: The IDS fragmentation reassembly timeout is less than the fragmentation reassembly timeout of the victim.
Methods of Evading NIDS cont.
Case 2: The IDS fragmentation reassembly timeout is more than the fragmentation reassembly timeout of the operating system.
Methods of Evading NIDS cont.
Overlapping Fragments
Exploits differences in operating system behavior
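The two mismatches the last slides describe (reassembly timeout and overlapping-fragment policy) are shown below in a toy reassembler, together with the defender-side check an IDS needs: if the sensor and the protected host could read the same fragments differently, the stream is ambiguous and should be alerted on or normalised rather than trusted. This is an added example, not code from the slides or from nemu; the fragment values, arrival times and the assignment of "first copy wins" to the IDS and "last copy wins" to the host are constructed modelling assumptions.

```python
# Added example (not from the slides): a toy IP-fragment reassembler that models
# overlap policy and reassembly timeout, plus a check that flags streams the IDS
# and the protected host could reassemble differently.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int      # byte offset in the original datagram (constructed)
    data: bytes
    arrival: float   # arrival time in seconds (constructed)


def reassemble(fragments, policy="favor_old", timeout=60.0):
    """Rebuild a datagram under one overlap policy and one reassembly timeout.

    policy "favor_old": the first copy of a byte wins; "favor_new": later
    fragments overwrite earlier ones. A fragment arriving more than `timeout`
    seconds after the first one expires the whole datagram (returns None).
    Returns (payload or None, conflicting); conflicting is True when two
    fragments disagreed about the content of an overlapped byte range.
    """
    buf, conflicting = {}, False
    start = fragments[0].arrival
    for frag in fragments:                        # list order is arrival order
        if frag.arrival - start > timeout:
            return None, conflicting              # expired: this side gives up
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if pos in buf and buf[pos] != byte:
                conflicting = True
                if policy == "favor_old":
                    continue                      # keep the first copy
            buf[pos] = byte
    if set(buf) != set(range(len(buf))):
        return None, conflicting                  # hole: still incomplete
    return bytes(buf[i] for i in range(len(buf))), conflicting


def ids_verdict(fragments, ids_timeout, host_timeout):
    """Defender view (assumed policies: IDS keeps first copy, host keeps last):
    alert when overlaps conflict or when IDS and host would see different data."""
    ids_view, conflict = reassemble(fragments, "favor_old", ids_timeout)
    host_view, _ = reassemble(fragments, "favor_new", host_timeout)
    return "ambiguous" if conflict or ids_view != host_view else "consistent"


# Constructed fragments: FRAG_B overlaps the tail of FRAG_A with different bytes;
# LATE_B carries matching bytes but arrives after a short IDS timeout would expire.
FRAG_A = Fragment(0, b"ABCDEFGH", 0.0)
FRAG_B = Fragment(4, b"wxyz1234", 1.0)
LATE_B = Fragment(4, b"EFGH1234", 45.0)
```

Running `reassemble([FRAG_A, FRAG_B], "favor_old")` and `"favor_new"` yields two different payloads from the same packets, which is exactly the disagreement the slides' Case 1, Case 2 and overlapping-fragment attacks exploit; `ids_verdict([FRAG_A, LATE_B], 30.0, 60.0)` shows the timeout mismatch alone is enough to make the views diverge.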