Chapter 3: Intrusion Detection Systems
CST255: INTRUSION DETECTION AND PREVENTION
Chapter Outline
1.0 Intrusion Detection Systems
1.1 Types of IDS
1.2 Technical Bypass of IDS
1.3 Fragmentation
1.4 Related Tools for Network IDS
1.5 Next Generation IDS
1.6 Zero-day Attack
OBJECTIVES AND DELIVERABLE
• Understand the concept of IDS and the two major categorizations: by
features/models, and by location.
• Understand the pros and cons of each approach
• Understand the difference between exploits and vulnerabilities
INTRUSION DETECTION SYSTEMS (IDS)
DEFINITIONS
Intrusion
A set of actions aimed to compromise the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource.
Intrusion detection
The process of identifying, classifying and responding to intrusion activities.
Intrusion prevention
Extension of ID with exercises of access control to protect computers from exploitation.
INTRUSION DETECTION SYSTEM (IDS)
An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered.
What is intrusion detection?
- Passive in design
MONITOR (DETECT) FOR ATTACKS
Advantages of an IDS:
• Works passively
• Requires traffic to be mirrored in order to reach it
• Network traffic does not pass through the IDS unless it is mirrored
[Figure: Intrusion Detection System Operation, showing the switch, the IDS-enabled sensor, the target and the management console]
ELEMENTS OF INTRUSION DETECTION
Primary assumptions:
■ System activities are observable
■ Normal and intrusive activities have distinct evidence
Components of intrusion detection systems:
■ From an algorithmic perspective (Algorithm):
■ Features: capture intrusion evidence
■ Models: piece the evidence together
■ From a system architecture perspective (System architecture):
■ Various components: audit data processor, knowledge base, decision engine, alarm and responses
COMPONENTS OF INTRUSION DETECTION SYSTEM
[Figure: audit records / activity data (system activities are observable) are analysed for the distinct evidence that separates normal from intrusive activity, resulting in an action/report]
INTRUSION DETECTION APPROACHES
Modeling
■ Features: evidence extracted from audit data (dataset)
■ Analysis approach: piecing the evidence together
■ Misuse detection (a.k.a. signature-based)
■ Anomaly detection (a.k.a. behavior-based)
Deployment: Network-based or Host-based
■ Network based: monitor network traffic
■ Host based: monitor computer processes
1. MISUSE DETECTION
[Figure: intrusion patterns (sequences of system calls, patterns of network traffic, etc.) are pattern-matched against observed activity to identify intrusion activities]
Example: if (traffic contains “x90+de[Arn]{30}”) then “attack detected”
Problems?
Disadvantage: Can't detect new attacks
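The "if traffic contains pattern then attack detected" rule above, worked through as an added example (not code from the slides): a small signature database is applied to constructed sample payloads. The signatures and packets are illustrative; the last packet shows the slide's disadvantage from the defender's side, a variant the database has never seen is missed until the payload is normalized into the form the signatures expect.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_to_bytes

# Constructed signature database (illustrative patterns, not the slides' own rule set).
# Each entry is a name and a regex over the raw payload bytes, i.e. the
# "if traffic contains <pattern> then attack detected" logic of the slide.
SIGNATURES = [
    ("sql-injection-tautology", re.compile(rb"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE)),
    ("nop-sled", re.compile(rb"\x90{30,}")),  # long run of x86 NOP bytes
    ("directory-traversal", re.compile(rb"\.\./\.\./")),
]

# Constructed sample packets (payload bytes only); keys are labels for the demo.
SAMPLE_PACKETS: Dict[str, bytes] = {
    "benign":       b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "sqli":         b"GET /item?id=1' OR '1'='1 HTTP/1.1\r\n\r\n",
    "sled":         b"\x90" * 40 + b"\xcc",
    # Same tautology as "sqli" but URL-encoded: a variant the plain signature has never seen.
    "sqli-encoded": b"GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\n\r\n",
}


def match_signatures(payload: bytes) -> List[str]:
    """Return the names of every signature whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES if pattern.search(payload)]


def normalize(payload: bytes) -> bytes:
    """Decode %xx escapes so encoded variants are compared in the same form as the signatures.
    This pre-processing step is an assumption of this example; the slides do not mention it."""
    return unquote_to_bytes(payload)


def misuse_detect(packets: Dict[str, bytes], normalize_first: bool = False) -> Dict[str, List[str]]:
    """Run every packet through the signature database and report the matches per packet."""
    return {
        label: match_signatures(normalize(payload) if normalize_first else payload)
        for label, payload in packets.items()
    }


if __name__ == "__main__":
    for label, hits in misuse_detect(SAMPLE_PACKETS).items():
        print(f"{label:13s} -> {hits or 'no match'}")
    print("with normalization:", misuse_detect(SAMPLE_PACKETS, normalize_first=True)["sqli-encoded"])
```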
Misuse or Signature-based Detection
1. Contains a database of recognized (known) attacks
2. Activity is compared with signature database
3. Send alarm for suspicious activities
4. Can not detect new attacks
All the following are functions of Misuse or Signature-based Detection in IDS except one:
(a) Contains a database of recognized (known) attacks
(b) Activity is compared with signature database
(c) Can detect new attacks
(d) Cannot detect new attacks
(e) Sound alarm for suspicious activities
2. ANOMALY DETECTION
Define a profile describing “normal” behavior, then detect deviations.
Any problem?
[Figure: activity measures (CPU, process size) plotted against the normal profile; observations outside the profile are marked abnormal / probable intrusion]
Relatively high false positive rates
• Anomalies can just be new normal activities.
• Anomalies caused by other element faults
• E.g., router failure or misconfiguration, P2P misconfig
• Which method will detect DDoS SYN flooding?
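The profile-and-deviation idea of the slide above, as an added example that is not from the slides: a profile of the two measures on the plot (CPU and process size) is built from constructed "normal" observations, new observations are scored by how many standard deviations they sit from the profile, and the result is checked against ground truth. The training set, the observations, the 3-sigma threshold and the z-score scheme are all assumptions of this example; the "nightly-backup" observation is the slide's "new normal activity" false positive.

```python
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Observation = Tuple[float, float]  # (CPU %, process size in MB): the two measures on the slide's plot

# Constructed training set of "normal" activity used to build the profile.
TRAINING: List[Observation] = [
    (22, 55), (25, 60), (30, 58), (28, 62), (35, 65), (31, 59), (27, 57), (24, 61), (33, 63), (29, 60),
    (26, 58), (30, 64), (32, 62), (28, 59), (25, 56), (34, 66), (29, 61), (31, 60), (27, 58), (30, 63),
]

# Constructed observations to classify, plus ground truth of which one really is an intrusion.
OBSERVATIONS: Dict[str, Observation] = {
    "routine":        (30, 61),
    "borderline":     (38, 68),     # unusual but still inside the profile
    "intrusion":      (92, 410),    # runaway process: far outside the profile
    "nightly-backup": (85, 62),     # legitimate, but never seen during training
}
IS_INTRUSION = {"routine": False, "borderline": False, "intrusion": True, "nightly-backup": False}


def build_profile(samples: List[Observation]) -> List[Tuple[float, float]]:
    """Profile = (mean, population std dev) per measure; std dev floored at 1 to avoid division by zero."""
    return [(mean(col), pstdev(col) or 1.0) for col in zip(*samples)]


def zscores(profile: List[Tuple[float, float]], obs: Observation) -> List[float]:
    """Distance of each measure from the profile, in standard deviations."""
    return [abs(x - mu) / sigma for x, (mu, sigma) in zip(obs, profile)]


def is_anomalous(profile: List[Tuple[float, float]], obs: Observation, threshold: float = 3.0) -> bool:
    """Flag the observation if any measure deviates more than `threshold` std devs from the profile."""
    return max(zscores(profile, obs)) > threshold


def classify(profile: List[Tuple[float, float]], observations: Dict[str, Observation],
             threshold: float = 3.0) -> Dict[str, bool]:
    """Alarm decision per observation."""
    return {name: is_anomalous(profile, obs, threshold) for name, obs in observations.items()}


def false_positives(alarms: Dict[str, bool], truth: Dict[str, bool]) -> List[str]:
    """Observations that raised an alarm although they are not intrusions (the "new normal" case)."""
    return [name for name, alarmed in alarms.items() if alarmed and not truth[name]]


if __name__ == "__main__":
    profile = build_profile(TRAINING)
    alarms = classify(profile, OBSERVATIONS)
    for name, flagged in alarms.items():
        z = [round(v, 2) for v in zscores(profile, OBSERVATIONS[name])]
        print(f"{name:15s} z={z} -> {'ALARM' if flagged else 'normal'}")
    print("false positives:", false_positives(alarms, IS_INTRUSION))
```

Retraining the profile with the backup run included is the usual remedy, at the cost of also accepting anything else that resembles it.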
Anomaly or Behavior-based Detection
1. Looks for usage anomalies
2. Sometimes called an expert system
3. Mostly result in more false positive than signature-based
4. Can detect new attacks
Behaviour-based intrusion detection systems mostly result in more false positives than signature-based IDS. (True/False)
TYPES OF IDS
• Host-Based IDS Implementations
• Network-Based IDS Implementations
HOST-BASED IDS
Use OS auditing and monitoring mechanisms to find applications taken over by attacker
■ Log all relevant system events (e.g., file/device accesses)
■ Monitor shell commands and system calls executed by user applications and system programs
■ Pay a price in performance if every system call is filtered
Problems:
■ User dependent: install/update IDS on all user machines!
■ If attacker takes over machine, can tamper with IDS binaries and modify audit logs
■ Only local view of the attack
NETWORK IDS
Deploying sensors at strategic locations
■ For example, packet sniffing via tcpdump at routers
Inspecting network traffic
■ Watch for violations of protocols and unusual connection patterns
■ Look into the packet payload for malicious code
Limitations
■ Cannot execute the payload or do any code analysis!
■ Record and process huge amount of traffic
■ May be easily defeated by encryption, but can be mitigated with encryption only at the gateway/proxy
NETWORK-BASED IDS SENSORS
[Figure: network-based IDS sensors placed at the Internet gateway routers]
At the early stage of the worm, there are only limited worm samples. Host-based sensors can only cover limited IP space, which has scalability issues. Thus they might not be able to detect the worm in its early stage.
HOST-BASED VS. NETWORK-BASED IDS
Give an attack that can only be detected by host-based IDS but not network-based IDS
Sample qn:
■ SQL injection attack
Can you give an example that can only be detected by network-based IDS but not host-based IDS?
KEY METRICS OF IDS/IPS
Algorithm
■ Alarm: A; Intrusion:
■ Detection (true alarm) rate
■ False negative rate
■ False alarm (aka, false positive) rate
■ True negative rate
Architecture
■ Throughput of NIDS, targeting 10s of Gbps
■ E.g., 32 nsec for 40 byte TCP SYN packet
■ Resilient to attacks
ALARM TRIGGERING MECHANISMS
Understanding Alarm Types:
Alarm Type      Network Activity      IPS Activity         Outcome
False positive  Normal user traffic   Alarm generated      Tune alarm
False negative  Attack traffic        No alarm generated   Tune alarm
True positive   Attack traffic        Alarm generated      Ideal setting
True negative   Normal user traffic   No alarm generated   Ideal setting
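The four algorithm metrics and the alarm-type table above, computed together as an added example (not code from the slides): a constructed stream of labelled events is sorted into the table's four cells, the rates are derived from the cell counts, and, going one step beyond the slides, the probability that an alarm is a real intrusion is derived from the base rate. The event counts and the 1% intrusion base rate are assumptions of this example.

```python
from typing import Dict, List, Tuple

Event = Tuple[bool, bool]  # (is_intrusion, alarm_raised)

# Outcome table from the slide: (intrusion?, alarm?) -> (alarm type, what the operator does).
ALARM_TABLE = {
    (False, True):  ("False positive", "Tune alarm"),
    (True, False):  ("False negative", "Tune alarm"),
    (True, True):   ("True positive", "Ideal setting"),
    (False, False): ("True negative", "Ideal setting"),
}
CELL = {"True positive": "TP", "False negative": "FN", "False positive": "FP", "True negative": "TN"}


def alarm_outcome(is_intrusion: bool, alarm_raised: bool) -> Tuple[str, str]:
    """Look up one event in the alarm-type table."""
    return ALARM_TABLE[(is_intrusion, alarm_raised)]


def constructed_events(tp: int, fn: int, fp: int, tn: int) -> List[Event]:
    """Build a labelled event stream with the given cell counts (constructed data for the demo)."""
    return ([(True, True)] * tp + [(True, False)] * fn +
            [(False, True)] * fp + [(False, False)] * tn)


def confusion(events: List[Event]) -> Dict[str, int]:
    """Count how many events fall into each cell of the table."""
    counts = {"TP": 0, "FN": 0, "FP": 0, "TN": 0}
    for is_intrusion, alarm_raised in events:
        counts[CELL[alarm_outcome(is_intrusion, alarm_raised)[0]]] += 1
    return counts


def rates(c: Dict[str, int]) -> Dict[str, float]:
    """The four algorithm metrics of the slide, each conditioned on the true state."""
    intrusions = (c["TP"] + c["FN"]) or 1  # guard: no intrusions in the stream gives 0 rates
    normal = (c["FP"] + c["TN"]) or 1
    return {
        "detection_rate":      c["TP"] / intrusions,  # P(alarm | intrusion)
        "false_negative_rate": c["FN"] / intrusions,  # P(no alarm | intrusion)
        "false_alarm_rate":    c["FP"] / normal,      # P(alarm | no intrusion), a.k.a. false positive rate
        "true_negative_rate":  c["TN"] / normal,      # P(no alarm | no intrusion)
    }


def bayesian_detection_rate(base_rate: float, detection_rate: float, false_alarm_rate: float) -> float:
    """P(intrusion | alarm) by Bayes' rule: what an alarm is worth when intrusions are rare.
    This goes beyond the slide's four metrics; it is the figure an analyst triaging alarms sees."""
    p_alarm = base_rate * detection_rate + (1 - base_rate) * false_alarm_rate
    return base_rate * detection_rate / p_alarm if p_alarm else 0.0


if __name__ == "__main__":
    events = constructed_events(tp=8, fn=2, fp=20, tn=970)  # 1,000 events, 1% of them intrusions
    c = confusion(events)
    r = rates(c)
    print(c)
    for name, value in r.items():
        print(f"{name:20s} {value:.4f}")
    print(f"P(intrusion | alarm) = {bayesian_detection_rate(0.01, r['detection_rate'], r['false_alarm_rate']):.4f}")
```

With a 2% false alarm rate and an 80% detection rate, fewer than three alarms in ten are real intrusions, which is why the table's "Tune alarm" outcome matters as much as the detection rate.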
QUESTIONS
2. An intrusion detection system did not notify the network administrator of any threat in the network, but on a close inspection, the administrator found that indeed there were malicious threats in the network. Which of the following metrics best describes the situation?
(a) True positive
(b) False negative
(c) True negative
(d) False positive
(e) None of the above
ARCHITECTURE OF NETWORK IDS
[Figure: architecture of a network IDS, with the detection rules component shown]
FIREWALL/NET IPS VS NET IDS
Firewall/IPS
■ Active filtering
■ Fail-close
Network IDS
■ Passive monitoring
■ Fail-open
TECHNICAL BYPASS TECHNIQUES
NIDS
■ Fragmentation
■ TCP un-sync (ATM: high data rate)
■ Low TTL (Time To Live)
■ ‘Max' MTU (maximum transmission unit)
■ HTTP protocol
■ Telnet protocol
HIDS
■ Kernel hacks
■ Bypassing stack protection
■ Library hacks
■ HTTP logging insertion techniques
ZERO-DAY ATTACKS
WHAT IS ZERO-DAY ATTACK?
A zero-day vulnerability is a network vulnerability that is unknown before, or unaddressed by, those who should be interested in mitigating the vulnerability. Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network.
COUNTING ZERO-DAY ATTACKS
[Figure: a network tap feeds a protocol classifier (TCP 25, 53, 80, 137; UDP 1434); a honeynet/darknet feeds statistical detection]
PROBLEMS WITH CURRENT IDS
1. Inaccuracy for exploit-based signatures
2. Cannot recognize unknown anomalies/intrusions
3. Cannot provide quality info for forensics or situational-aware analysis
4. Hard to differentiate malicious events from unintentional anomalies
5. Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or application (such as P2P) misconfiguration
6. Cannot tell the situational-aware info: attack scope/target/strategy, attacker (botnet) size, etc.
Thank you for your attention!
