Intrusion Detection Systems

muscleblouse, Artificial Intelligence and Robotics

19 Oct 2013

Intrusion Detection Systems

Presented By

ROHAN BHARADWAJ (02098053)

MANOHAR MANTRY (02098043)

Project Guide

MADHUSUDAN VELDANDA

Date of presentation

3-NOV-2011



Definitions

Intrusion

A set of actions aimed at compromising the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource.

Intrusion detection

The process of identifying and responding to intrusion activities.

Intrusion prevention

An extension of intrusion detection that also exercises access control to protect computers from exploitation.

Terminology

True Positive: A legitimate attack which triggers an IDS to produce an alarm.

False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.

False Negative: A failure of an IDS to detect an actual attack.

True Negative: When no attack has taken place and no alarm is raised.

Noise: Data or interference that can trigger a false positive.



Firewall Versus Network IDS

Firewall

Active filtering

Fail-close

Network IDS

Passive monitoring

Fail-open

(Figure: FW / IDS)

Types of IDS

1. Network IDS

2. Host IDS


Network IDS

NIDS sensors collect information from network connections.

Uses packet sniffing on a NIC in promiscuous mode.

No auditing / logging required.

Agents can be introduced without affecting the data source at the NIC level.

Detects network-level attacks (e.g. SYN attack).

Cannot scan protocols or content of network traffic if it is encrypted.

Host IDS

HIDS sensors collect information reflecting the system activity.

Based on operating system audit trails, logs and process trees.

User and application level analysis.

Process behaviour analysis.

Operates in encrypted environments.

Platform specific, large overhead for the OS and higher management/deployment costs.

Intrusion Detection Approaches

1. Misuse detection (a.k.a. signature-based)

2. Anomaly detection (a.k.a. statistical-based)


Signature-based IDS / Misuse Detection

A signature-based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures.

Signature-based IDS / Misuse Detection (contd.)

Misuse Detection

Models abnormal behaviour.

E.g. an HTTP request referring to the cmd.exe file.

Uses pattern matching of system settings and user activities against a database of known attacks (signature analysis).

Highly efficient.

Tightly defined signatures.

Signature-based IDS / Misuse Detection (contd.)

Drawback:

There will be a lag between a new threat being discovered and the signature for detecting it being applied in the IDS.

Vulnerable to novel attacks.


Signature-based IDS / Misuse Detection (contd.)

(Figure: activities -> pattern matching against intrusion patterns -> intrusion)

Can't detect new attacks.

Example: if (src_ip == dst_ip) then "land attack"
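The land-attack rule and the cmd.exe example from the slides, carried through as a small signature matcher. This is an added example, not code from the presentation; the packet records, the signature functions and the regular expression are constructed here.

```python
"""Signature-based (misuse) detection over packet records, added illustration.

Not code from the original slides. The packet records and the two signatures
are constructed here: signature 1 is the slide's land-attack rule
(src_ip == dst_ip) and signature 2 is its "HTTP request referring to cmd.exe"
example. Both are fixed patterns, so anything without a signature passes.
"""
import re

# Constructed packet records: (src_ip, dst_ip, dst_port, payload)
PACKETS = [
    ("10.0.0.5", "10.0.0.5", 80, b"GET / HTTP/1.0\r\n"),                 # src == dst
    ("10.0.0.7", "10.0.0.9", 80, b"GET /scripts/cmd.exe HTTP/1.0\r\n"),  # cmd.exe in URL
    ("10.0.0.8", "10.0.0.9", 80, b"GET /index.html HTTP/1.1\r\n"),       # benign
    ("10.0.0.8", "10.0.0.9", 443, b"\x16\x03\x01\x00\x2a"),             # TLS: not inspectable
]

def sig_land_attack(pkt):
    """Land attack signature from the slide: source equals destination."""
    src, dst, _, _ = pkt
    return src == dst

CMD_EXE = re.compile(rb"^(?:GET|POST|HEAD) \S*cmd\.exe", re.IGNORECASE)

def sig_cmd_exe_request(pkt):
    """HTTP request whose URL refers to cmd.exe (cleartext port 80 only)."""
    _, _, port, payload = pkt
    return port == 80 and CMD_EXE.match(payload) is not None

SIGNATURES = {"land attack": sig_land_attack, "cmd.exe request": sig_cmd_exe_request}

def match_signatures(packets, signatures=SIGNATURES):
    """Return (packet index, signature name) for every packet that matches a
    signature. Encrypted payloads and attacks without a signature yield nothing:
    the NIDS cannot read TLS content, and a novel attack has no pattern to hit."""
    alarms = []
    for i, pkt in enumerate(packets):
        for name, rule in signatures.items():
            if rule(pkt):
                alarms.append((i, name))
    return alarms

if __name__ == "__main__":
    for idx, name in match_signatures(PACKETS):
        print(f"packet {idx}: {name}")
```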

Statistical anomaly-based IDS / Anomaly Detection

Determines normal network activity, such as what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other, and alerts the administrator or user when traffic is detected which is anomalous (not normal).

Statistical anomaly-based IDS / Anomaly Detection (contd.)

Anomaly Detection

Models normal behaviour.

E.g. the expected system calls generated by a user process (root/non-root).

Statistical profiles for system objects are created by measuring attributes of normal use.

Detects novel and complex attacks.

Low efficiency.

False positives: a legitimate action classified as anomalous.

System Call Execution Process

(Figure: User Process, Scheduler, System Call Dispatcher, System Call Implementation)

Kernel Level System Monitoring

(Figure: User Process, IDS Module, Scheduler, System Call Dispatcher, System Call Implementation)

Statistical anomaly-based IDS / Anomaly Detection (contd.)

(Figure: activity measures -> probable intrusion)

Relatively high false positive rate: anomalies can just be new normal activities.

Any problem?

Components of Intrusion Detection System

(Figure: Audit Records -> Audit Data Preprocessor -> Activity Data -> Detection Engine (Detection Models) -> Alarms -> Decision Engine (Decision Table) -> Action/Report)

Assumptions: system activities are observable; normal and intrusive activities have distinct evidence.

Implementation of a HIDS

Detection Methods

Pattern matching

BP Neural Networks

The HIDS uses log files as its primary sources of information, and through three steps of pre-decoding the log file, decoding the log file, and analysing the log file, it can effectively identify various intrusions.

Implementation of a HIDS (contd.)

Based on BP neural network analysis technology, and through establishment of a system behaviour characteristics profile in advance, the HIDS can identify intrusions by comparison with a threshold.

Log File Analysis

Log files record the behaviour of a computer system and aim at recording the actions of the operating system, applications, and users.

The log system is particularly important in intrusion detection, and log file analysis tools have become indispensable tools for daily inspection and maintenance of the running system.

Log File Analysis (contd.)

A log analysis-based HIDS includes the following parts:

collection of log file data,

pre-decoding of the log file,

decoding of the log file,

analysis of the log file, and

reporting of events.

Log File Analysis (contd.)

1. Collection of Log File

System and application level logs are collected using the HIDS's own log tools or third party log tools.

2. Pre-decoding of log file

The purpose of log file pre-decoding is to extract general information from the log. For example, suppose a new SSHD log produced this SSHD message:

Apr 14 17:32:06 linying sshd[1025]: Accepted password 172.16.29.26 port 1618 ssh2

After pre-decoding the message, the date "Apr 14 17:32:06", the host name "linying", and the program name "sshd" are extracted. The extracted fields will be recorded as follows:

Time/date -> Apr 14 17:32:06

Host name -> linying

Program name -> sshd

Log File Analysis (contd.)

3. Decoding of log file

Log file decoding is the process of identifying key information from logs. In the HIDS, we use regular expressions to identify certain keywords.

The extracted fields will be recorded as follows:

Source IP address -> 172.16.29.26

User name -> root

Log -> accepted password for root from 172.16.29.26
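The two stages above (pre-decoding of the syslog header, then regex decoding of the sshd text) as an added, runnable example. This is not the HIDS's own code: the regular expressions, the field names and the sample log line are constructed here, and the line is written in the full sshd form so the user and source address are present for the decoder.

```python
"""Pre-decoding and decoding of an sshd log line, added as an illustration.

This is not the HIDS's own code: the regular expressions, field names and the
sample line below are constructed here to show the two stages the slides
describe (syslog header extraction, then keyword extraction with regexes).
"""
import re

# Stage 1: pre-decoding pulls the generic syslog fields out of any message.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<log>.*)$"
)

# Stage 2: decoding applies program-specific regexes to the remaining text.
SSHD_DECODERS = [
    re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<srcip>\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\d+\.\d+\.\d+\.\d+)"),
]

def predecode(line):
    """Return the generic fields (timestamp, hostname, program, pid, log) or None."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None

def decode(event):
    """Add program-specific fields (user, srcip, ...) to a pre-decoded event."""
    if event is None:
        return None
    if event["program"] == "sshd":
        for rx in SSHD_DECODERS:
            m = rx.match(event["log"])
            if m:
                event.update(m.groupdict())
                break
    return event

# Constructed sample line in the same shape as the slide's SSHD message.
SAMPLE = "Apr 14 17:32:06 linying sshd[1025]: Accepted password for root from 172.16.29.26 port 1618 ssh2"

if __name__ == "__main__":
    for k, v in decode(predecode(SAMPLE)).items():
        print(f"{k} -> {v}")
```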


Log File Analysis (contd.)

4. Analysis of Log file

After the three stages of log collection, log pre-decoding and log decoding, all the contents are read into the rules tree. We construct the rules tree based on more than 400 rules of OSSEC.

(Figure: rule tree)

Log File Analysis (contd.)

After we have the decoded sequence of events, we traverse the rules tree to do the matching.

If a matching rule is found, the first thing is to determine whether to perform the ignore operation; if not, then perform the audit to effectively track the attack.

Then determine what instructions should be carried out.
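The traversal just described (match a rule, check whether it is an ignore rule, otherwise audit at the rule's level), as an added example over already-decoded events. This is not the HIDS's or OSSEC's code: the rule ids, levels, predicates and events are a constructed toy tree.

```python
"""Rule-tree matching over decoded events, added as an illustration.

Not the HIDS's or OSSEC's own code: the tree below is a constructed toy in the
spirit of the slides. Each rule has a match predicate over a decoded event, a
level, an ignore flag (ignore rules silence the event) and child rules that are
only tried once the parent matched. The deepest matching rule decides.
"""

def make_rule(rid, level, match, ignore=False, children=()):
    return {"id": rid, "level": level, "match": match, "ignore": ignore, "children": list(children)}

# Constructed rule tree: a generic sshd rule at the root, refined by children.
RULES = [
    make_rule(100, 0, lambda e: e.get("program") == "sshd", children=[
        make_rule(110, 3, lambda e: e.get("log", "").startswith("Accepted"), children=[
            # Constructed ignore rule: logins from the admin host are expected.
            make_rule(111, 0, lambda e: e.get("srcip") == "172.16.29.1", ignore=True),
        ]),
        make_rule(120, 5, lambda e: e.get("log", "").startswith("Failed"), children=[
            make_rule(121, 10, lambda e: e.get("user") == "root"),
        ]),
    ]),
]

def traverse(rules, event):
    """Depth-first walk: return the deepest matching rule, or None."""
    for rule in rules:
        if rule["match"](event):
            deeper = traverse(rule["children"], event)
            return deeper if deeper is not None else rule
    return None

def analyse(event, rules=RULES):
    """Return ('ignore', id, 0), ('audit', id, level) or ('no_match', None, 0)."""
    rule = traverse(rules, event)
    if rule is None:
        return ("no_match", None, 0)
    if rule["ignore"]:
        return ("ignore", rule["id"], 0)
    return ("audit", rule["id"], rule["level"])

# Constructed decoded events, in the shape the decoding stage produces.
EVENTS = [
    {"program": "sshd", "log": "Accepted password for root from 172.16.29.26", "user": "root", "srcip": "172.16.29.26"},
    {"program": "sshd", "log": "Accepted password for bob from 172.16.29.1", "user": "bob", "srcip": "172.16.29.1"},
    {"program": "sshd", "log": "Failed password for root from 172.16.29.26", "user": "root", "srcip": "172.16.29.26"},
    {"program": "cron", "log": "(root) CMD (run-parts /etc/cron.hourly)"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(analyse(ev))
```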

BP Neural Network

The back propagation (BP) algorithm is an approximate steepest descent algorithm in which the performance index is the mean square error.

It can be used to train multilayer neural networks and is used widely in practice.

There are many measures that can be used as input values to the BP network algorithm.

Some possible inputs to BP network algorithm

We can use these measures as input values of the BP neural network algorithm, adjusting the network parameters to minimize the mean square error.

The training phase may take days or weeks of computer time.
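The performance index and the steepest-descent step the slide refers to, written out as an added derivation for one output unit (not from the original slides; the symbols $t_k$, $y_k$, $x_j$, $w_{jk}$, $\sigma$ and $\eta$ are assumed here). The mean square error over the $K$ outputs for one training pattern is

$$E = \frac{1}{2}\sum_{k=1}^{K}(t_k - y_k)^2, \qquad y_k = \sigma(\mathrm{net}_k), \qquad \mathrm{net}_k = \sum_j w_{jk}\,x_j,$$

where $t_k$ is the target, $y_k$ the network output, $x_j$ the input from unit $j$, $w_{jk}$ the weight from $j$ to $k$ and $\sigma$ the activation function. By the chain rule the gradient with respect to one weight is

$$\frac{\partial E}{\partial w_{jk}} = \frac{\partial E}{\partial y_k}\,\frac{\partial y_k}{\partial \mathrm{net}_k}\,\frac{\partial \mathrm{net}_k}{\partial w_{jk}} = -(t_k - y_k)\,\sigma'(\mathrm{net}_k)\,x_j,$$

and the steepest-descent update with learning rate $\eta$ is

$$\Delta w_{jk} = -\eta\,\frac{\partial E}{\partial w_{jk}} = \eta\,(t_k - y_k)\,\sigma'(\mathrm{net}_k)\,x_j.$$

For hidden layers the same step is applied with the error term $(t_k - y_k)\,\sigma'(\mathrm{net}_k)$ propagated back through the outgoing weights, which is what gives the algorithm its name.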




Table: possible input measures for the BP network, grouped by activity category

Login and session activity:

Login frequency

Login frequency at different positions

Time consumed by each session

Website output

Resources utilization

Password failed times when logging in

The implementation of commands and procedures:

Operating frequency

Utilization of procedure resources

File operating activity:

The frequency of file read, write, create, and delete

Records read and written

Read, write, create and delete file
Structure of HIDS

The HIDS combines the two approaches of misuse detection and anomaly detection.

(Figure: the structure of the HIDS)

Structure of HIDS (contd.)

1) Log monitor

Monitors the log file; once the log changes, the log monitor sends events to the log analyzer immediately.

We need to monitor three kinds of event logs: application log, security log and system log. We can add three XML nodes in the following configuration file.

Structure of HIDS (contd.)

2) System resources monitor

Monitors the use of system resources, and sends the status of system resource utilization to the system resources analyzer at regular intervals.

3) Connector

The connector is responsible for receiving messages from the log monitor and system resources monitor, and sending these messages to the log analyzer and system resources analyzer.

Structure of HIDS (contd.)

4) Log analyzer

Receives events from the log monitor and matches them against the rule base to determine whether there is an intrusion; if an intrusion has occurred, it reports to the active response unit.

5) System resources analyzer

Receives events from the system resources monitor, calculates whether the current resource use is in an abnormal state and thus determines whether the system has been intruded; if it finds an intrusion, it reports to the active response unit.
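The anomaly side of the HIDS (the Anomaly Detection slides, the "comparison with threshold" on the Implementation slide, the BP input measures table and the system resources analyzer above) as one added example. It is not the HIDS's code and, in place of a trained BP network, it uses the simpler scheme the Anomaly Detection slide describes: a statistical profile of normal use per measure and a threshold on the deviation. The measures, training records and threshold are constructed; the last sample shows the false positive the slides warn about, a new but legitimate long session.

```python
"""Anomaly detection by statistical profile and threshold, added illustration.

Not the HIDS's own code. In place of a trained BP network it uses the simpler
scheme from the Anomaly Detection slide: a profile of normal use is built per
measure (mean and standard deviation over a training window) and a new
observation is flagged when it deviates by more than a threshold. The measures
and all values below are constructed.
"""
import math

# Constructed training window: one record per session during normal use.
# Measures follow the slide's table: logins per day, failed passwords at
# login, session time (minutes), files created per session.
MEASURES = ("login_frequency", "password_failed_times", "session_minutes", "files_created")
NORMAL = [
    (3, 0, 42, 2), (4, 1, 38, 1), (2, 0, 55, 3), (3, 0, 47, 2),
    (5, 1, 35, 2), (3, 0, 50, 1), (4, 0, 40, 2), (2, 1, 44, 3),
]

def build_profile(records):
    """Per-measure (mean, stddev); stddev floored at 1.0 so a constant measure
    does not divide by zero and a one-unit change is not already an alarm."""
    profile = {}
    for i, name in enumerate(MEASURES):
        col = [r[i] for r in records]
        mean = sum(col) / len(col)
        var = sum((x - mean) ** 2 for x in col) / len(col)
        profile[name] = (mean, max(math.sqrt(var), 1.0))
    return profile

def score(profile, record):
    """Return {measure: z-score} for one observation against the profile."""
    return {name: (record[i] - profile[name][0]) / profile[name][1]
            for i, name in enumerate(MEASURES)}

def is_anomalous(profile, record, threshold=3.0):
    """Flag the record if any measure deviates more than `threshold` sigmas."""
    return any(abs(z) > threshold for z in score(profile, record).values())

PROFILE = build_profile(NORMAL)

if __name__ == "__main__":
    print(is_anomalous(PROFILE, (3, 0, 45, 2)))    # ordinary session: False
    print(is_anomalous(PROFILE, (3, 9, 12, 2)))    # many failed passwords: True
    print(is_anomalous(PROFILE, (3, 0, 240, 2)))   # legitimate long session: True (false positive)
```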



Structure of HIDS (contd.)

6) Active response

Receives events from the log analyzer and system resources analyzer and decides what kind of operation to perform. Usually the normal operations include notifying users, auditing, disconnecting from the network and so on.

7) Audit database

Records the entire process of intrusion detection and the attack situation, ready for use when necessary.


Conclusion

IDS will merge all network components and tools which exist today into a complete and cooperative system, dedicated to keeping networks stable and secure.

Distributed elements performing specific jobs.

Hierarchical correlation and analysis.

Novel approaches like AI, data mining, etc.




Thank You!!

Questions?