Network Security: Intrusion Detection Systems

DOCUMENT INFORMATION

Basic information

Title: Intrusion Detection Systems
Author: Vo Viet Minh Nhat
Institution: Faculty of Sciences, Information Technology Department, [University Name]
Field: Network Security
Type: Lecture notes
Pages: 34
Size: 197.5 KB

Page 1

Network Security: Intrusion Detection Systems

Vo Viet Minh Nhat

Information Technology Dept.

Faculty of Sciences

Page 3

• On completing this section, you will be able to:
  - Explain the main differences between the various IDSs
  - Describe host-based IDSs in detail
  - Describe network-based IDSs in detail
  - Explain how IDS management communication works
  - Describe IDS tuning
  - Explain how IDS maintenance works

Page 4

Introduction

• To defend company resources, not only passively, by using firewalls, virtual private networks (VPNs), encryption techniques, and whatever other tricks, but also by deploying proactive tools and devices throughout the network => IDS

• Intrusion detection means detecting attempts to break into, abuse, or exploit a system => the security policy defines what and who constitutes an attempt to break into, abuse, or exploit a system.

Page 5

Introduction

• Two types of potential intruders exist:
  - Outside intruders: commonly referred to as crackers
  - Inside intruders: attacks that originate from within the organization

• IDSs are effective solutions for detecting both types of intrusion continuously. These systems run constantly in a network, notifying network security personnel when they detect an attempt they consider suspicious.

Page 6

Introduction

• IDSs have two main components:
  - IDS sensors: software- or hardware-based, used to collect and analyze the network traffic. They are available in two varieties:
    * Network IDS: can be embedded in a networking device, a standalone appliance, or a module monitoring the network traffic
    * Host IDS: a server-specific agent running on a server with a minimum of overhead to monitor the operating system
  - IDS management: acts as the collection point for alerts and performs configuration and deployment services for the IDS sensors in the network

Page 8

Notification Alarms

• The overall purpose of IDSs is to trigger alarms when a given packet or sequence of packets seems to represent suspicious activity that violates the defined network security policy

• However, it is critical for network security personnel to configure the IDS to minimize the occurrence of false negative and false positive alarms

Page 9

Notification Alarms

• A false positive is a condition in which valid traffic or a benign action causes the signature to fire.

• A signature is a set of events and patterns that is recognized from a protocol-decoded packet. This set defines an alarm-firing condition when offending network traffic is seen.

• A false negative is a condition in which a signature is not fired when offending traffic is transmitted
  - i.e., the IDS sensor does not detect and report a malicious activity, and the system allows it to pass as nonintrusive behavior

Page 10

Notification Alarms

• Two main reasons for a false negative:
  - the sensor lacks the latest signatures
  - a software defect in the sensor

• => The IDS configuration should be continuously updated with new exploits and hacking techniques upon their discovery

Page 11

Notification Alarms

• False positive alarms occur when the IDS sensor classifies an action or transaction as anomalous although it is actually legitimate traffic

• A false alarm requires an unnecessary intervention to analyze and diagnose the event

• => Try to avoid this type of situation, because a large number of false positives can significantly drain resources, and the specialized skills required for analysis are scarce and costly

Page 12

Signature-Based IDS

• The signature-based IDS monitors the network traffic or observes the system and sends an alarm if a known malicious event is happening

• It does so by comparing the data flow against a database of known attack patterns

• These signatures explicitly define what traffic or activity should be considered malicious

Page 13

Signature-Based IDS

• Various types of signature-based IDSs:
  - Simple and stateful pattern matching
  - Protocol decode-based analysis
  - Heuristic-based analysis

• Pattern-matching systems look for a fixed sequence of bytes in a single packet
  - simple, generates reliable alerts, applicable to all protocols
  - any slightly modified attack leads to false negatives
  - multiple signatures may be required to deal with a single vulnerability

Page 14

Signature-Based IDS

• Protocol decode-based systems decode very specific protocol elements, such as header and payload size and field content and size, and analyze them for Request for Comments (RFC) violations
  - highly specific and minimize the chance of false positives

Page 15

Signature-Based IDS

Overview of Signature-Based IDSs

Advantages:
• Low false positive rate (reliable alerts)
• Simple to customize
• Applicable to all protocols

Disadvantages:
• A single vulnerability may require multiple signatures
• Continuous updates required
• Modifications lead to misses (false negatives)
• Cannot detect unknown attacks

Page 16

Example of an attack against a web server

Page 17

Policy-Based IDS

• Policy-based IDSs (mainly host IDSs) trigger an alarm whenever a violation occurs against the configured policy

• For instance, a network access policy defined in terms of access permissions

Page 19

Policy-Based IDS

Overview of Policy-Based IDS

Advantages:
• Low false positive rate

Disadvantages:
• … from scratch

Page 20

Anomaly-Based IDS

• The anomaly-based IDS looks for traffic that deviates from the normal
  - but the definition of what is a normal network traffic pattern is the tricky part

• The anomaly-based IDS can monitor the system or network and trigger an alarm if an event outside known normal behavior is detected

• Example: the detection of specific data packets that originate from a user device rather than from a network router

Page 21

Anomaly-Based IDS

Overview of Anomaly-Based IDS

Advantages:
• Unknown attack detection
• Easy deployment for networks with well-defined traffic patterns

Disadvantages:
• High false positive rate
• Interpretation of generated alarms is difficult

Page 22

Anomaly-Based IDS

• Two types of anomaly-based IDS exist:
  - Statistical: statistical anomaly detection learns the traffic patterns interactively over a period of time
  - Nonstatistical: the IDS has a predefined configuration of the supposedly acceptable and valid traffic patterns
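The two approaches on this slide side by side, as an added example (not code from the original lecture notes): a statistical detector that learns a mean and standard deviation profile of connections-per-minute from a training window, beside a nonstatistical detector with an operator-defined limit. The traffic counts, the limit of 50 and the 3-sigma threshold are assumptions made for the example. It also shows the two rows of the overview table in action: the learned profile fires on a legitimate but unusual rise (high false positive rate), and because the profile is learned "over a period of time", what ends up in the training window decides what is later considered normal.

```python
"""Statistical vs. nonstatistical anomaly detection over constructed traffic
counts. Added example; not code from the original lecture notes."""
import statistics

# Constructed training window: connections per minute from one client during
# a quiet period. All numbers here are made up for illustration.
BASELINE = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 14]

# Constructed observation window whose last three minutes look like a scan.
SCAN_WINDOW = [13, 14, 12, 15, 98, 120, 87]

# Constructed window with a legitimate, moderate rise (e.g. a nightly job).
LEGIT_WINDOW = [13, 14, 30, 32, 28]

# Nonstatistical approach: an operator-written ceiling on the metric
# (hypothetical value; no learning involved).
STATIC_LIMIT = 50


def learn_baseline(samples):
    """Statistical approach: learn the profile (mean, population std dev)
    of the metric from a training window."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def statistical_alarms(samples, baseline, k=3.0):
    """Flag every sample more than k standard deviations above the learned
    mean. Returns the indices of the alarming samples."""
    mean, stdev = baseline
    alarms = []
    for i, value in enumerate(samples):
        if stdev == 0:
            z = 0.0 if value == mean else float("inf")
        else:
            z = (value - mean) / stdev
        if z > k:
            alarms.append(i)
    return alarms


def nonstatistical_alarms(samples, limit=STATIC_LIMIT):
    """Flag every sample above the predefined limit."""
    return [i for i, value in enumerate(samples) if value > limit]


if __name__ == "__main__":
    profile = learn_baseline(BASELINE)
    print("learned profile (mean, stdev):", profile)
    # Both approaches catch the scan ...
    print("scan, statistical    :", statistical_alarms(SCAN_WINDOW, profile))
    print("scan, nonstatistical :", nonstatistical_alarms(SCAN_WINDOW))
    # ... but only the statistical one fires on the legitimate rise: the
    # "high false positive rate" row of the overview table.
    print("legit, statistical   :", statistical_alarms(LEGIT_WINDOW, profile))
    print("legit, nonstatistical:", nonstatistical_alarms(LEGIT_WINDOW))
    # Learning "over a period of time": once the legitimate rise is part of
    # the training window it no longer alarms ...
    relearned = learn_baseline(BASELINE + LEGIT_WINDOW)
    print("legit after relearn  :", statistical_alarms(LEGIT_WINDOW, relearned))
    # ... and the flip side: if the scan itself gets into the training
    # window, the profile absorbs it and the scan stops alarming.
    poisoned = learn_baseline(BASELINE + SCAN_WINDOW)
    print("scan after poisoning :", statistical_alarms(SCAN_WINDOW, poisoned))
```

The last two calls are the practical caveat for a statistical sensor: it must be trained on traffic that is known to be clean, and retraining has to be reviewed, otherwise an attacker who is already active simply becomes part of "normal".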

Page 23

Network IDS versus Host IDS

• Host IDSs and network IDSs are currently the most popular approaches to implementing analysis technologies

• A host IDS can be described as a distributed agent residing on each server of the network that needs protection

• Network IDSs can be described as intelligent sniffing devices

• Data (raw packets) is captured from the network by a network IDS, whereas host IDSs capture the data from the host on which they are installed

• This raw data can then be compared against well-known attacks and attack patterns that are used for packet and protocol validation

Page 24

Host IDS

Page 25

Network IDS

Page 26

Comparison of Host IDS and Network IDS

Host IDS
• Advantage: Not limited by bandwidth restrictions or data encryption.
• Disadvantages:
  - Operating system/platform dependent; not available for all operating systems.
  - Impact on the available resources of the host system.
  - Expensive to deploy one agent per host.

Network IDS
• Advantage: Especially useful for low-level attacks (network probes and DoS attacks).
• Disadvantages:
  - Deployment is very challenging in a switched environment.
  - Network traffic may overload the NIDS (CPU intensive).
  - Not effective against single-packet attacks or attacks hidden in encrypted packets.

Page 27

Network IDS versus Host IDS

• The most efficient approach is to implement network-based IDS first
  - It is much easier to scale and provides broad coverage of the network
  - Less organizational coordination is required, with no or reduced host and network impact

• If only a few servers need to be protected, a network administrator may want to start with host-based IDS

Page 28

Evasion and Anti-Evasion Techniques

• Network IDSs have a fundamental problem whereby a skilled attacker can evade the detection mechanism by exploiting ambiguities in the traffic patterns, network topology, and the IDS architecture

• The attacker can try to evade the detection mechanism in the sensor

• The attacker can try to convince the network IDS by masking the traffic as legitimate

• The attacker can also try to generate lots of false positives to overwhelm the operator and the sensor hardware that is monitoring the logs and events. In this way, real threats to the network are not visible because the IDS is unable to capture and analyze all the traffic

Page 29

Evasion and Anti-Evasion Techniques

• Anti-evasion techniques range from fragmentation alarms, packet-loss alarms, and protocol decodes to tunable TCP stream reassembly options, alarm summarization, and others
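An added example (not code from the original lecture notes) that covers both the pattern-matching weakness on Pages 13 and 14 and the evasion and anti-evasion slides above. A fixed byte-sequence signature is checked per packet; the same request, URL-encoded and split across two out-of-order TCP segments, then slips past it (a false negative from a "slightly modified attack"). The anti-evasion pipeline reassembles the stream, raises a packet-loss condition when bytes are missing instead of silently passing the stream, decodes the HTTP request line (flagging an RFC-violating one), and matches the signature against the decoded URI. The directory-traversal signature, the segment payloads and the toy HTTP decoder are constructed for the example.

```python
"""Simple pattern matching vs. protocol decode with TCP stream reassembly,
run over constructed HTTP segments. Added example; not code from the
original lecture notes."""
import re
from urllib.parse import unquote

# Simple pattern-matching signature: a fixed byte sequence looked for in
# each packet on its own (hypothetical signature for directory traversal).
FIXED_PATTERN = b"/../../etc/passwd"

# Protocol-decode signature: applied to the URI *after* it has been
# reassembled from the stream and URL-decoded.
DECODED_PATTERN = re.compile(r"(^|/)\.\./")

# Constructed client-to-server TCP payloads as (stream offset, bytes).
# The plain attack fits in one segment.
PLAIN = [(0, b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.test\r\n\r\n")]
# The evasive attack is URL-encoded AND split across two segments that
# arrive out of order, so no single packet contains the fixed pattern.
EVASIVE = [
    (12, b"%2e%2e/etc/passwd HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    (0, b"GET /%2e%2e/"),
]
# A stream with bytes 8..19 missing (constructed packet loss).
LOSSY = [(0, b"GET /%2e"), (20, b"etc/passwd HTTP/1.1\r\n\r\n")]
BENIGN = [(0, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n")]


def match_per_packet(segments, pattern=FIXED_PATTERN):
    """Pattern matching on each packet in isolation."""
    return any(pattern in payload for _, payload in segments)


def reassemble(segments):
    """Order segments by offset and splice them into one byte stream.
    Returns (data, complete); complete is False when bytes are missing,
    which the sensor should report as a packet-loss alarm rather than
    silently treating the stream as clean."""
    data = b""
    for offset, payload in sorted(segments):
        if offset > len(data):
            return data, False
        data += payload[len(data) - offset:]  # drop any overlap already seen
    return data, True


def decode_request_line(data):
    """Protocol decode of the HTTP request line into (method, path, version).
    Raises ValueError for a request line that violates the RFC grammar
    (this toy decoder does not accept the version-less HTTP/0.9 form)."""
    line = data.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: " + line)
    return parts[0], unquote(parts[1]), parts[2]


def inspect_stream(segments):
    """Anti-evasion pipeline: reassemble, decode, then match the decoded
    URI. Returns 'alert', 'packet-loss', 'protocol-violation' or 'clean'."""
    data, complete = reassemble(segments)
    if not complete:
        return "packet-loss"
    try:
        _method, path, _version = decode_request_line(data)
    except ValueError:
        return "protocol-violation"
    return "alert" if DECODED_PATTERN.search(path) else "clean"


if __name__ == "__main__":
    print("per-packet, plain  :", match_per_packet(PLAIN))    # True
    print("per-packet, evasive:", match_per_packet(EVASIVE))  # False (missed)
    print("decoded, plain     :", inspect_stream(PLAIN))      # alert
    print("decoded, evasive   :", inspect_stream(EVASIVE))    # alert
    print("decoded, lossy     :", inspect_stream(LOSSY))      # packet-loss
    print("decoded, benign    :", inspect_stream(BENIGN))     # clean
```

The reassembly buffer is also where the "overwhelm the sensor" attack from the previous slide lands: a real sensor caps how many streams and how many bytes per stream it keeps, and the tunable reassembly options on this slide are exactly those limits, so an operator has to choose between evasion resistance and memory under flood conditions.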

Page 30

Host-Based IDSs

• Network security should be seen as a continuous process of four steps: secure the system, monitor the network, test the effectiveness of the solution, and improve the security implementation

• Testing the effectiveness of the IDS host sensor is an integral part of the monitoring step

Page 31

Host-Based IDSs

• A host IDS can be described as a distributed agent residing on each server of the network that monitors the network activity in real time

• The host IDS detects security violations and can be configured so that an automatic response prevents the attack from causing any damage before it hits the system

Page 32

Host Sensor Components and

Page 33

Secure Agent

• The Secure Agent is a software package that runs on each individual server or workstation to protect these hosts against attacks

• The IDS sensor provides real-time analysis of and reaction to intrusion attempts. The host sensor processes and analyzes each and every request to the operating system and application programming interface (API) and proactively protects the host if necessary
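What a host sensor that "analyzes each and every request to the operating system" does with a policy "defined in terms of access permissions" (Page 17), as an added example that is not code from the original lecture notes or from any product it describes. The policy is an allowlist of (process, operation, target pattern); every request outside it is a violation, which the agent either alarms on or, in protect mode, denies before the operating system acts on it. The processes, paths, addresses and event stream are constructed, and the one check a practitioner should not forget is included: the target path is canonicalised before matching, so a "/var/www/../../etc/shadow" request cannot pass as a permitted read under "/var/www/*".

```python
"""Policy-based host IDS agent evaluated over constructed system-call
events. Added example; not code from the original lecture notes. The
policy is an allowlist of (process, operation, target pattern): anything
outside it is a violation, which the agent either alarms on or, in
protect mode, denies before the request reaches the OS."""
import fnmatch
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    process: str      # name of the requesting program
    operation: str    # "read", "write", "exec" or "connect"
    target: str       # path, or "host:port" for connect


# Hypothetical access policy, written as permissions rather than as attack
# signatures. fnmatch's "*" also matches "/", so "/var/www/*" covers
# subdirectories.
POLICY = [
    ("httpd", "read", "/var/www/*"),
    ("httpd", "write", "/var/log/httpd/*"),
    ("httpd", "connect", "10.0.0.5:3306"),
    ("backup", "read", "/*"),
    ("backup", "write", "/mnt/backup/*"),
]

# Constructed event stream: normal activity plus a compromised web server
# process reading credentials, spawning a shell and calling home.
EVENTS = [
    Event("httpd", "read", "/var/www/html/index.html"),
    Event("httpd", "write", "/var/log/httpd/access_log"),
    Event("httpd", "connect", "10.0.0.5:3306"),
    Event("httpd", "read", "/var/www/html/../../../etc/shadow"),
    Event("httpd", "exec", "/bin/sh"),
    Event("httpd", "connect", "203.0.113.7:4444"),
    Event("backup", "read", "/etc/shadow"),
    Event("backup", "write", "/etc/passwd"),
]


def canonical(event):
    """Normalise the target before matching, so that '..' tricks do not
    make a forbidden path look like a permitted one."""
    if event.operation == "connect":
        return event.target
    return posixpath.normpath(event.target)


def is_permitted(event, policy=POLICY):
    """True when some policy rule explicitly allows this request."""
    target = canonical(event)
    return any(
        event.process == proc and event.operation == op
        and fnmatch.fnmatchcase(target, pattern)
        for proc, op, pattern in policy
    )


def evaluate(events, policy=POLICY, protect=True):
    """Return a (event, verdict) list. Verdicts: 'allow', 'deny' (blocked
    before the OS acts on it) or 'alarm' (detect-only mode)."""
    verdicts = []
    for event in events:
        if is_permitted(event, policy):
            verdicts.append((event, "allow"))
        else:
            verdicts.append((event, "deny" if protect else "alarm"))
    return verdicts


def violations(events, policy=POLICY):
    """Just the policy violations, with their canonical targets."""
    return [(e.process, e.operation, canonical(e))
            for e, v in evaluate(events, policy) if v != "allow"]


if __name__ == "__main__":
    for event, verdict in evaluate(EVENTS):
        print(f"{verdict:5} {event.process:6} {event.operation:7} {event.target}")
```

Because the verdict comes from permissions rather than from a catalogue of attacks, the shell spawn and the outbound connection are caught without any signature for them, which is the "low false positive rate" and unknown-attack side of policy-based detection; the cost is that the allowlist has to describe everything the host legitimately does, and a backup job that is allowed to read every file is a reminder that the policy is only as tight as its broadest rule.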

Page 34

Architecture of the Host Sensor Agent

Posted: 01/08/2014, 07:20
