Computer Security and Intrusion Detection (IDS/IPS)

Communication
• Any communication requires four entities:
  • Source
  • Destination
  • Medium
  • Protocol – the rule

Communication – Flow of Information

Various types of attacks
• Interruption
• Interception
• Modification
• Fabrication

Interruption
• State in which an asset of a system gets destroyed or becomes unavailable
• Targets the source or the communication channel
• Prevents the information from reaching the destination

Interruption – Examples
• Cutting the physical cable medium
• Overloading the carrying medium
• Types of Denial of Service (DoS) attacks

Interception
• An unauthorized party gains illegal access to the information traversing the communication channel
• Examples
  • Wiretapping

Modification
• Information is intercepted and modified
• Examples
  • MITM attacks

Fabrication
• The attacker inserts forged objects into the system without the sender's knowledge and involvement

Fabrication – 2 types
• Replaying
  • A previously intercepted entity is inserted
  • Example – replaying an authentication message
• Masquerading
  • The attacker pretends to be the legitimate source
  • Inserts his or her desired information
  • Example – adding new records to a file or database

Security Property
• Desired feature of a system with regard to a certain type of attack
• The four attacks discussed in the previous section violate the various security properties of an information system
• Core qualities of any information system

Security Properties
• Confidentiality
• Integrity
• Availability
• Authentication
• Non-repudiation

Traffic Analysis
• Process of intercepting and examining messages in order to deduce information from patterns in communication. Information collected includes:
  • Source
  • Destination
  • Timing of the data
  • Frequency of a particular message
  • Type of data / communication

Non-repudiation
• Concept of ensuring that a contract cannot later be denied by one of the parties involved
• Describes the mechanism that prevents either sender or receiver from denying a transmitted message
  • Non-repudiation of origin – proves data has been sent
  • Non-repudiation of delivery – proves data has been received

Security Mechanisms
• The various actions and countermeasures employed to safeguard the security properties of an information system
• Security mechanisms – 3 types
  • Attack Prevention
  • Attack Avoidance
  • Attack Detection

Attack Prevention
• Series of security mechanisms implemented to prevent or defend against various kinds of attacks before they can actually reach and affect the target system
• Examples
  • Access control
  • Firewall

Attack Avoidance
• Techniques in which the information is modified in a way that makes it unusable for the attacker
• Assumption – the attacker may have, or already has, access to the subject information
• Examples
  • Cryptography

Attack Detection
• Process / technique of reporting that something was able to bypass the security measures (if any), and identifying the type of attack
• Countermeasures are initiated to recover from the impact of the attack
• Examples
  • IDS / IPS

Intrusion Detection System
• Intrusion detection encompasses a range of security techniques designed to detect (and report on) malicious system and network activity or to record evidence of intrusion

Attack Framework

Types of Events – 2
• Attributable
  • Event can be traced to an authenticated user
• Non-attributable
  • Event cannot be traced to an authenticated user
  • Example: any event that occurs before authentication in the login process – bad password attempts

Vulnerability
• Existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system, network, application, or protocol involved
• Pen tester's point of view – from a penetration tester's point of view, a vulnerability is defined as a security weakness in a Target of Evaluation

Threat
• Any possible event, action, process or phenomenon that can potentially inflict damage on system resources

Relation between Vulnerability and Threat

Real Life Case Study – European Space Agency
• Ariane 5 rocket – 10 years and $7 million
• Capable of placing a pair of three-ton satellites into orbit
• Launched on 04 Jun 1996
• Immediately after launch, Ariane 5 exploded
• Cause of the explosion: a very small computer program trying to stuff a 64-bit number into a 16-bit space
• See it: http://s.freissinet.free.fr/videos/ariane5.wmv

Vulnerability Classification
Vulnerabilities can be classified as follows:
• Design vulnerabilities
• Implementation vulnerabilities
• Configuration or operational vulnerabilities

Design Vulnerability
• When the vulnerability is said to be inherent to the project or design
• Very difficult to detect and eliminate as it is inherent to the project
• Proper implementation of the product will not get rid of the flaw
• Example – TCP/IP protocol stack vulnerabilities

Implementation Vulnerability
• When an error is introduced into the components of a system during the implementation stage of a project or algorithm, it is termed an implementation vulnerability
• The error could be hardware based or software based
• Example – buffer overflows

Configuration Vulnerability
• Also known as operational vulnerability
• Introduced into the system when the responsible administrator does not perform the proper configuration, or sometimes leaves the default configuration on
• Example – not disabling unwanted services, allowing weak passwords

Attacks
• An assault on system security that derives from an intelligent threat
• An intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system
• Example – denial of service attacks, penetration and sabotage

Difference between Attack and Security Event
• Attack – the intruder aims at achieving a particular result which could be against the implied security policy
• Event – no rules are violated or broken

Attack Components
• Attack realization tool – example: port scanner
• Vulnerability – exploit a known vulnerability
• Security event – actions on the target system
• Result of the attack – when an attacker is able to exploit a vulnerability and has generated a security event
• The results of an attack may vary depending upon the security event and vulnerability chosen

General Attack Model
[Figure: ATTACKER performs attack on TARGET]

[Figure: the attacker and target represent the same entity – ATTACKER AND TARGET ARE ON THE SAME ENTITY]

Attack Model Categories
• Traditional attack model
  • One-to-one attack model
  • One-to-many attack model
• Distributed attack model
  • Many-to-one attack model
  • Many-to-many attack model

Traditional Attack Model
• Attacks always originate from a single point
• Single-tier architecture
• There is only a single layer between the attacker and the target

One-to-one (traditional attack model)
• The attacker and target have a one-to-one relationship
• The attack originates from a single machine

One-to-many (traditional attack model)
• The attacker and target have a one-to-many relationship
• The attack originates from a single machine, but there is more than one target
[Figure: one-to-many attack model]

Distributed Attack Model
• Based on many-to-one and many-to-many relationships
• The source of the attack is more than one entity
• The attack packets originate from intermediate systems compromised by the attacker

Many-to-one (distributed attack model)
• The attacker and target have a many-to-one relationship
• The attack originates from more than one machine
• There is only one target
[Figure: many-to-one attack model]

Many-to-many (distributed attack model)
• The attacker and target have a many-to-many relationship
• The attack originates from more than one machine
• There is more than one target
[Figure: many-to-many attack model]

Distributed attack
• Reconnaissance – searching for suitable hosts
• Compromise the system – installing backdoors
• Attack initiation – start the attack using the compromised systems

Distributed attack – Agents
• Two types of special agents
  • Masters / servers
  • Daemons / clients
• Zombie – a compromised system on which agents are installed
• Distributed attacks implement a three-tier architecture

Distributed attack – Advantages
• Attack effect – devastating effect as the attack originates from multiple locations
• Anonymity – provides a high level of anonymity to the attacker
• Hard-to-stop attacks – very difficult to stop the attack without bringing down or disconnecting the target system

Intruder
• Also known as attacker – the first element in the attack model
• A person who attempts to gain unauthorized access to a system, to damage that system, or to disturb data on that system
• Attempts to violate security by interfering with system availability, data integrity or data confidentiality

Intruder Types
• Black hat hackers
• Hacker spies supported by governments
• Cyber terrorists
• Corporate spies
• Professional criminals
• Vandals

Incidents
• A violation or imminent threat of violation that could result, or results, in
  • a loss of data confidentiality,
  • disruption of data or system integrity, or
  • disruption or denial of availability
• An incident must clearly be a breach of network security

Examples of Incidents
• DoS
• Malicious code
• Unauthorized access
• Inappropriate usage

Introduction to IDS and IPS

Intrusion
• Any unauthorized system or network activity on one (or more) computer(s) or network(s)

Intrusion Detection Systems (IDSs)
• Software and/or hardware based systems that detect intrusions to your network / host based on a number of telltale signs

Two types of IDS
• Active IDS
  • Attempts to block attacks
  • Responds with countermeasures
  • Alerts administrators
• Passive IDS
  • Merely logs the intrusion
  • Creates audit trails

IDS can provide the following information on attempted or actual security events
• Data destruction
• Denial-of-service
• Hostile code
• Network or system eavesdropping
• System or network mapping and intrusion
• Unauthorized access

Types of IDS
• Host-based intrusion detection system (HIDS)
• Network-based intrusion detection system (NIDS)
• Hybrid intrusion detection systems

HIDS
• Resides on the host
• Scans log files – OS log files, application log files, etc.
• If the log files are corrupt, the HIDS is not effective
• The scan output is logged into a secure database and compared to detect any intrusion

Types of HIDS
• Operating system level – works on OS log files
• Application level – works on application-level log files
• Network level – works on packets addressed to or sent from a host

Advantages of HIDS
• Cost effective
• Additional layer of protection
• Direct control over system entities – works on packets addressed to or sent from a host

NIDS
• IDS responsible for detecting inappropriate, anomalous, or any other kind of data which may be considered unauthorized or inappropriate for a subject network
• Pattern based

Hybrid IDS – combination of HIDS and NIDS

IPS
• Sophisticated class of network security implementation that not only has the ability to detect the presence of intruders and their actions, but also to prevent them from successfully launching any attack
• Incorporates the security features of firewall technology and those of intrusion detection systems

IPS Categories
• Host IPS (HIPS)
  • Loaded on each PC and server
• Network IPS (NIPS)
  • Component that effectively integrates into your overall network security framework

Benefits of HIPS
• Attack prevention
• Patch relief
• Internal attack propagation prevention
• Policy enforcement
• Regulatory requirements

NIPS
• Places sensors as L2 forwarding devices

Main difference between IDS and IPS – packet dropping

Dropping of packets – Categories
• Dropping a single packet
• Dropping all packets for a connection
• Dropping all traffic from a source IP
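The three dropping scopes are usually applied in escalating order. The following added example (not from the slides; the alert records, thresholds and never-block list are constructed for illustration) is a small IPS response policy that escalates from dropping a packet, to dropping a connection, to dropping all traffic from a source, and refuses to source-block addresses on a protected list so that a spoofed source address cannot turn the IPS itself into a denial of service.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    src_ip: str
    dst_ip: str
    dst_port: int
    signature: str


@dataclass
class ResponsePolicy:
    # Assumed thresholds: a connection is dropped after `conn_threshold` alerts,
    # a source after `source_threshold` alerts across all of its connections.
    conn_threshold: int = 3
    source_threshold: int = 6
    # Sources that must never be blocked wholesale (e.g. monitoring hosts), so a
    # spoofed source address cannot make the IPS cut off legitimate traffic.
    never_block: frozenset = frozenset()
    conn_hits: dict = field(default_factory=lambda: defaultdict(int))
    source_hits: dict = field(default_factory=lambda: defaultdict(int))
    dropped_connections: set = field(default_factory=set)
    blocked_sources: set = field(default_factory=set)

    def decide(self, alert: Alert) -> str:
        """Return the dropping scope for this alert: packet, connection or source."""
        conn = (alert.src_ip, alert.dst_ip, alert.dst_port)
        self.conn_hits[conn] += 1
        self.source_hits[alert.src_ip] += 1
        if alert.src_ip not in self.never_block and (
            alert.src_ip in self.blocked_sources
            or self.source_hits[alert.src_ip] >= self.source_threshold
        ):
            self.blocked_sources.add(alert.src_ip)
            return "drop_source"
        if conn in self.dropped_connections or self.conn_hits[conn] >= self.conn_threshold:
            self.dropped_connections.add(conn)
            return "drop_connection"
        return "drop_packet"


def run_policy(alerts, policy=None):
    """Apply the policy to an alert stream and return one decision per alert."""
    policy = policy or ResponsePolicy()
    return [policy.decide(a) for a in alerts]


# Constructed alert stream: one source trips signatures on two connections,
# another source raises a single alert.
SAMPLE_ALERTS = [
    Alert("10.0.0.5", "10.0.1.10", 80, "sig-A"),
    Alert("10.0.0.5", "10.0.1.10", 80, "sig-A"),
    Alert("10.0.0.5", "10.0.1.10", 80, "sig-A"),
    Alert("10.0.0.5", "10.0.1.10", 443, "sig-B"),
    Alert("10.0.0.5", "10.0.1.10", 443, "sig-B"),
    Alert("10.0.0.5", "10.0.1.10", 443, "sig-B"),
    Alert("10.0.0.5", "10.0.1.10", 80, "sig-A"),
    Alert("10.0.0.9", "10.0.1.10", 80, "sig-A"),
]

if __name__ == "__main__":
    for alert, action in zip(SAMPLE_ALERTS, run_policy(SAMPLE_ALERTS)):
        print(f"{alert.src_ip:>9} -> :{alert.dst_port:<4} {alert.signature}  => {action}")
```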

Defense in Depth
• Also known as elastic defense
• Military strategy that seeks to delay rather than prevent the advance of an attacker
• Represents the use of multiple computer security techniques to help mitigate the risk of one component of the defense being compromised or circumvented
• The attacker has to penetrate a series of layered defenses
• Each layer is equipped with the suitable defense
• The delay provides the security staff with the time to respond to the attack
[Figure: defense in depth]

IDS & IPS Analysis Scheme
• A baseline is first set
• Baseline – a known value or quantity with which an unknown is compared when measured or assessed
• A group of network activities / characteristics is categorized as the baseline for an IDS
• Anything outside the baseline is treated as malicious
[Figure: network activity baseline versus variance from the baseline]

IDS Analysis
• Process of organizing the various elements of data related to IDS and their inter-relationships to identify any irregular activity of interest
• Divided into 4 phases:
  • Preprocessing
  • Analysis
  • Response
  • Refinement

Detection Methodologies
• Rule-based detection
  • Also known as misuse detection, signature detection or pattern matching
  • First scheme used in earlier IDSs
  • Process of attempting to identify instances of network attacks by comparing current activity against the expected actions of an intruder
• Anomaly detection
  • Also known as profile-based detection
  • A profile is created for each user group on the system
  • The profile created is then used as a baseline to define user activity
  • If network activity deviates from the baseline, an alarm is generated
• Behavior anomaly detection
  • Looks for anomalies in user behavior
  • Characteristic-based rather than statistical
• Network behavior anomaly detection (NBAD)
  • Also known as traffic anomaly systems
  • Process of continuously monitoring a proprietary network for unusual events or trends
  • Basically statistical rather than characteristic-based
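As an added example (not part of the original slides), the following Python sketch runs the rule-based (signature) and statistical (NBAD-style baseline) methods described above over constructed connection-log lines, following the preprocessing / analysis phases of the slides; the log format, signatures, window size and baseline history are assumptions made for this example.

```python
import re
import statistics
from collections import Counter

# Assumed log format: "<ts> <src_ip> -> <dst_ip>:<port> <proto> <payload>"
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
                     r"(?P<proto>\w+) (?P<payload>.*)$")

# Rule-based detection: patterns describing what an intruder is expected to send.
SIGNATURES = [
    ("directory-traversal", re.compile(r"\.\./")),
    ("shell-path-in-request", re.compile(r"/bin/(sh|bash)\b")),
]

# Constructed learning-period data: connections per source per 10 s window while clean.
BASELINE_HISTORY = [3, 4, 2, 5, 3, 4, 3, 4]

# Constructed log: normal browsing, one traversal attempt, one source sweeping ports,
# and one malformed line that preprocessing must drop.
SAMPLE_LOG = """\
1000 10.0.0.5 -> 10.0.1.10:80 tcp GET /index.html
1001 10.0.0.5 -> 10.0.1.10:80 tcp GET /about.html
1002 10.0.0.7 -> 10.0.1.10:80 tcp GET /static/../../app.config
1003 10.0.0.9 -> 10.0.1.10:21 tcp SYN
1003 10.0.0.9 -> 10.0.1.10:22 tcp SYN
1004 10.0.0.9 -> 10.0.1.10:23 tcp SYN
1004 10.0.0.9 -> 10.0.1.10:25 tcp SYN
1005 10.0.0.9 -> 10.0.1.10:53 tcp SYN
1005 10.0.0.9 -> 10.0.1.10:80 tcp SYN
1006 10.0.0.9 -> 10.0.1.10:443 tcp SYN
this line is malformed and is dropped during preprocessing
"""


def parse(line):
    """Preprocessing phase: turn a raw line into an event, dropping malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"], e["port"] = int(e["ts"]), int(e["port"])
    return e


def signature_alerts(events):
    """Rule-based analysis: match each event's payload against the signatures."""
    return [(e["ts"], e["src"], "signature:" + name)
            for e in events for name, rx in SIGNATURES if rx.search(e["payload"])]


def build_baseline(history):
    """Summarise the learning period as (mean, population standard deviation)."""
    return statistics.mean(history), statistics.pstdev(history)


def anomaly_alerts(events, baseline, window=10, k=3.0):
    """Statistical analysis: flag sources whose per-window connection count exceeds
    mean + k*sd. The sd is floored at 1 so a very flat baseline does not alarm on a
    single extra connection, a common source of false positives."""
    mean, sd = baseline
    threshold = mean + k * max(sd, 1.0)
    counts = Counter((e["ts"] // window, e["src"]) for e in events)
    return [(w * window, src, f"anomaly:{n} connections in window (threshold {threshold:.1f})")
            for (w, src), n in sorted(counts.items()) if n > threshold]


def analyze(log_text, history):
    """Run both detectors over a log and return alerts ordered by time."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    return sorted(signature_alerts(events) + anomaly_alerts(events, build_baseline(history)))
```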

• Protocol anomaly systems
  • Look for deviations from the set protocol standards
  • Primarily characteristic-based
  • Not very reliable and generates false positives
• Target monitoring systems
  • Look for modification of specified files or objects
  • More of a corrective control
  • Creates a cryptographic checksum for each file
  • This checksum is compared at regular intervals to detect any changes
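An added example (not from the slides) of the target-monitoring scheme just described: a SHA-256 checksum is recorded per file as the baseline, and a later scan is compared against it to report modified, missing and new files. The file tree, its contents and the changes between scans are constructed in a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """Cryptographic checksum (SHA-256) of one file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> dict:
    """Map every regular file under root (by relative path) to its current digest."""
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, store: Path) -> None:
    """Persist the baseline. The store must live outside the monitored tree and be
    write-protected, otherwise whoever can alter the files can re-baseline them."""
    store.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def compare(baseline: dict, current: dict) -> dict:
    """Report files whose checksum changed, files that vanished and files that appeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Build a constructed config tree, baseline it, alter it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "sshd.conf").write_text("PermitRootLogin no\n")
        (root / "motd").write_text("welcome\n")
        store = Path(tmp) / "baseline.json"  # kept outside the monitored tree
        save_baseline(scan(root), store)

        # Changes between two scheduled scans: a weakened setting, a deleted file
        # and an unexpected new file.
        (root / "sshd.conf").write_text("PermitRootLogin yes\n")
        (root / "motd").unlink()
        (root / "new.conf").write_text("x\n")

        return compare(json.loads(store.read_text()), scan(root))
```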

Heuristics
• Still in its initial stages
• Refers to the use of AI in detecting intrusions
• An AI scripting language is used to apply the analysis to the incoming data

Hybrid Approach
• Any system that uses a combination of the above-mentioned analysis methods

Some Myths
• IDS and IPS are two separate solutions
• IDSs and IPSs will catch or stop all network intrusions
• IDSs give too many false positives
• IDSs will eventually replace firewalls
• Fewer security admins are required if you deploy an IDS