Network Intrusion Detection Systems

Category: Artificial Intelligence and Robotics

20 Oct 2013

Presented by Keith Elliott

Background

Why are they used?
- Movement towards more secure computing systems
- Management is becoming cognizant of growing cyber-threats

Where are they used?
- Medium to large businesses
- Anyone that can afford them
- Open-source solutions (SNORT)


Types of Attacks

Code Obfuscation
- Polymorphism
  - Shell-code is constantly mutating
  - Characterized by:
    - Execution of GetPC code
    - Read operations from the input stream

Port Scans

Denial of Service (DoS)


Types of NIDS

HIDS (Host Intrusion Detection System)
- Operates on a single host
- Uses the host's computation resources

NIDS (Network Intrusion Detection System)
- Stand-alone hardware
- Expensive


Methods of Detection

Signature Based
- Compares packets to a database of known threats

Heuristics Based
- Analyzes and categorizes packets into groups: Normal, Hostile
- Many different techniques are being developed

Pros and Cons

Signature Based
- Requires constant updates by administrators
- Can only detect currently known threats

Heuristics
- Have the ability to identify new/unknown threats
- Can easily mistake infrequent normal traffic as hostile

Heuristic Detection Techniques
- Cellular Automata
- Genetic Algorithms
- Neural Networks
- Bioinformatics
- Network-Level Emulation

Measured:

Cellular Automata
- Solves problems in an evolutionary way
- Consists of a number of cells organized in the form of a lattice
- Each cell is considered independent
  - Its state only depends on its two adjacent cells
- Fuzzy states are generally used
  - Categorizations are done using membership functions
- As data is passed and classified, each cell mutates randomly


Neural Networks
- In general, model multivariate non-linear functions using nodes called neurons
- Good at classification problems
- Separated into 5 categories for the experiment:
  - Normal connections
  - DoS (Denial of Service)
  - R2L (Remote to Local), U2R (User to Remote)
  - Probe/Surveillance
- Best results came from over-sampling the training data

Network-Level Emulation
- Inspects client-initiated data of each network flow
  - Server-initiated data is ignored
- Reconstructs the application-level stream using TCP stream reassembly
- Emulator repeats execution of code from each possible entry point in the stream
- Execution of polymorphic shell-code is identified by two runtime behavioral characteristics:
  - Execution of GetPC code
  - Several read operations from within the stream

Statistics Collected

Real World Deployment of nemu (Network-Level Emulation)
- Sensors in Europe have been operating since March 9th, 2007
- Collected from National Research Networks and one Educational Network
- As of February 13th, 2008:
  - 1,053,332 attacks targeting 21 different ports
  - 31% were launched from 8981 unique IPs
  - 68% (the rest) were from 204 infected hosts

Ports Attacked
- 25 - SMTP
- 42 - WINS, Nameserver
- 80 - HTTP
- 110 - POP3
- 135 - Microsoft EPMAP, also known as DCE/RPC Locator service, used to remotely manage services including DHCP server, DNS server and WINS
- 139 - NetBIOS Session Service
- 143 - IMAP
- 445 - Microsoft Active Directory, Windows Shares, SMB File Sharing
- 1025 - NFS or IIS
- 2967 - Symantec Antivirus Corporate Edition


Evading NIDS

Insertion Attacks
- Send packets to the end-system (victim) that it will reject, but that the IDS thinks are valid.

Evasion Attacks
- Send packets which the IDS rejects but the target accepts.

- Both end up giving different streams to the IDS and the end-host
- Fragmentation is used in both (we all should know this by now)

Methods of Evading NIDS

Case 1: The IDS fragmentation reassembly timeout is less than the fragmentation reassembly timeout of the victim.

Methods of Evading NIDS cont.

Case 2: The IDS fragmentation reassembly timeout is more than the fragmentation reassembly timeout of the operating system.

Methods of Evading NIDS cont.

Case 2: TTL-based attacks
- Topology of the victim's network must be known

Methods of Evading NIDS cont.

Overlapping Fragments
- Exploits differences in operating system behavior
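The two timeout cases and the overlapping-fragments case above can be modelled with a small reassembly simulator. This is an added example, not part of the original slides or of Snort; the fragment sequences are constructed, and the timeout values and the "first"/"last" overlap policies are assumptions chosen to show why an IDS must reassemble with the same policy as the hosts it protects.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    offset: int     # byte offset of this piece within the datagram
    data: bytes
    arrival: float  # seconds after the first fragment was seen

def reassemble(fragments, timeout, overlap="first"):
    """Reassemble a datagram the way a host or an IDS would.
    The timer starts at the first buffered fragment; a fragment arriving
    more than `timeout` s later discards the partial datagram and starts
    a fresh buffer. `overlap` says whose bytes win where pieces overlap:
    the fragment seen first ("first") or the later one ("last").
    Returns the datagram bytes, or None if it never became complete."""
    buf, start = {}, None
    for frag in sorted(fragments, key=lambda f: f.arrival):
        if start is None or frag.arrival - start > timeout:
            buf, start = {}, frag.arrival   # timer expired: drop partial data
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if pos not in buf or overlap == "last":
                buf[pos] = byte
    if not buf or sorted(buf) != list(range(max(buf) + 1)):
        return None                          # holes remain: never completed
    return bytes(buf[i] for i in range(max(buf) + 1))

def views(fragments, ids_timeout, host_timeout, overlap="first"):
    """Return (what the IDS reassembled, what the host reassembled)."""
    return (reassemble(fragments, ids_timeout, overlap),
            reassemble(fragments, host_timeout, overlap))

# Constructed sample traffic; all timeouts below are assumed values.
# Case 1: IDS timeout (15 s) shorter than the host's (60 s). The second
# fragment arrives after the IDS gave up, so only the host completes it.
CASE1 = [Fragment(0, b"ABCDEFGH", 0.0), Fragment(8, b"IJKL", 30.0)]
# Case 2: IDS timeout (60 s) longer than the host's (15 s). The host has
# discarded the first piece when a replacement arrives; the IDS has not.
CASE2 = [Fragment(0, b"abcdefgh", 0.0), Fragment(0, b"ABCDEFGH", 30.0),
         Fragment(8, b"IJKL", 31.0)]
# Overlapping fragments: the result depends on the overlap policy alone.
OVERLAP = [Fragment(0, b"abcd", 0.0), Fragment(2, b"XYZW", 0.5)]

if __name__ == "__main__":
    print(views(CASE1, 15, 60))   # (None, b'ABCDEFGHIJKL')
    print(views(CASE2, 60, 15))   # (b'abcdefghIJKL', b'ABCDEFGHIJKL')
    print(views(CASE1, 60, 60))   # IDS matching the host: identical views
    print(reassemble(OVERLAP, 60, "first"), reassemble(OVERLAP, 60, "last"))
```

Whenever the two elements of `views(...)` differ, the IDS is inspecting a stream the victim never processed (or missing one it did), which is exactly the gap insertion and evasion exploit.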


Conclusion
- Network threats are on the rise
- Better to have a heuristic-based system
- Tons of research is being performed which is uncovering new and more efficient methods
- SNORT can handle all mentioned methods of evasion.

Any questions?