INTRUSION DETECTION SYSTEMS for Computer Networksgiacinto/PAPERS/IDS-Giacinto.pdf · INTRUSION...


INTRUSION

DETECTION

SYSTEMS

for Computer Networks

Giorgio Giacinto

DIEE - Dip. Ing. Elettrica ed Elettronica

Università degli Studi di Cagliari

[email protected]

NAPOLI 21 Febbraio 2005

Giorgio Giacinto 2005 IDS 1

Outline

! What is security?

! Computer Security

! Intrusion Detection Systems - a taxonomy

! Intrusion Detection Techniques

! Actual problems in current state of IDS

! Recent research on intrusion detection

! IDS evaluation

! IDS products


What is security

and how it works


What is security?

! Bruce Schneier’s best-seller “Beyond Fear” (2003) defines what security is about: preventing the adverse consequences from the intentional and unwarranted actions of others

! Security requires the concept of an attacker

who performs intentional and unwarranted

actions


Security involves trade-offs

! There is no such thing as absolute security

! How much security you have depends on what you are

willing to give up in order to get it

! The trade-off is, by its very nature, subjective

! Trade-off should be evaluated according to

! Threats: potential ways in which an attacker can attack a system

! Risks: a combination of the likelihood of the threat and the

seriousness of a successful attack

! Problem: between different communities there is no

agreed-upon way in which to define threats or evaluate

risks


Evaluating security systems

! Security is a process, not a product. Security is a complex system.

! How can security systems be evaluated?

A five-step process

1. What assets are you trying to protect?

2. What are the risks to these assets?

3. How well does the security solution mitigate those risks?

4. What other risks does the security solution cause?

5. What costs and trade-offs does the security solution impose?


Security revolves around

trusted individuals

! By definition, you don’t want to secure assets from

everybody!

! Designing a security system requires the accurate

! Identification

! Authentication

! Authorization

of trusted individuals

This task is highly complex, but critical to security

Decisions involve trade-offs!


Security is a weakest-link

problem

! All systems have a weakest link, and attackers are more likely to attack a system at its weak points

! Strategies for securing a system

! Defense in depth: no single vulnerability can compromise security

! Compartmentalisation: a single vulnerability cannot compromise security entirely

! Choke points: reduce the number of potential vulnerabilities by allowing the defender to concentrate his defenses


Detection works where

prevention fails

! Prevention is the hardest aspect of security to implement.

To be practical as well as effective, almost all modern security systems combine prevention with detection and response

! Audits (retrospective detection) and prediction (prospective attempts at detection) don’t produce real-time results but are important in evaluating and thinking about ways to improve security systems


Security is a complex system

! Security is a complex system that interacts with

! itself

! the assets being protected

! the surrounding environment

! These interactions may cause failures even in

the absence of attackers.

These failures should be carefully examined as

attackers are rarer than legitimate users.


Systems and how they fail

! Because security systems are designed to prevent attack, how the systems fail is critical

! Active failures: the system fails by taking action when it shouldn’t

! Passive failures: the system fails to take action when it should

Attackers are generally rarer than legitimate users…

…so how the system fails in the absence of attackers (active failures) is generally more important than how the system fails in the presence of attackers (passive failures)


Active failures

! The system signals a false alarm (false positive)

! The consequences can be merely irritating but also

horrific, too

! Detection systems frequently suffer from rarity-

based failures

! Trade-off between a high rate of false alarms or a

significant number of missed alarms


Base-Rate Fallacy

! Axelsson (ACM Trans. Information and System Security,

2000) pointed out that

the false alarm rate is the limiting factor for the

performance of an intrusion detection system

! He used Bayes theory to show the trade-offs

involved in designing an intrusion detection

system.


Base-Rate Fallacy

! Let I and ¬I denote intrusive and non-intrusive behaviour respectively

! Let A and ¬A denote the presence or absence of an intrusion alarm

Detection rate: P(A|I) (estimated by tests)

False Alarm Rate: P(A|¬I) (estimated by tests)

False Negative Rate: P(¬A|I) (estimated by tests)

True Negative Rate: P(¬A|¬I) (estimated by tests)

P(¬A|I) = 1 - P(A|I)

P(¬A|¬I) = 1 - P(A|¬I)


Base-Rate Fallacy

! For intrusion detection to be effective, both

! P(I|A) (an alarm really indicates an intrusion)

! P(¬I|¬A) (no alarm signifies no intrusion)

should be as large as possible

! From Bayes theorem

$$P(I \mid A) = \frac{P(I)\,P(A \mid I)}{P(I)\,P(A \mid I) + P(\neg I)\,P(A \mid \neg I)}$$

$$P(\neg I \mid \neg A) = \frac{P(\neg I)\,P(\neg A \mid \neg I)}{P(\neg I)\,P(\neg A \mid \neg I) + P(I)\,P(\neg A \mid I)}$$


Base-Rate Fallacy

An example

! Suppose we have

! 10 audit records per intrusion

! 2 intrusions per day

! 1.000.000 audit records per day

! Then

$$P(I) = \frac{2 \cdot 10}{1 \cdot 10^{6}} = 2 \cdot 10^{-5}$$

$$P(\neg I) = 1 - P(I) = 0.99998$$

$$P(I \mid A) = \frac{2 \cdot 10^{-5}\,P(A \mid I)}{2 \cdot 10^{-5}\,P(A \mid I) + 0.99998\,P(A \mid \neg I)}$$


Base-Rate Fallacy

An example

! If P(A|I) = 1.0 (ideal!) and P(A|¬I) = 10^-5 (very low!) then P(I|A) = .66

! If P(A|I) = .7 (more reasonable) and P(A|¬I) = 10^-5 then P(I|A) = .58

that is, half of the alarms are not caused by intrusions!

If the false alarm rate is not very low as supposed,

figures can get even worse!


Base-Rate Fallacy

An example

! Analogously

$$P(\neg I \mid \neg A) = \frac{0.99998\,\bigl(1 - P(A \mid \neg I)\bigr)}{0.99998\,\bigl(1 - P(A \mid \neg I)\bigr) + 2 \cdot 10^{-5}\,\bigl(1 - P(A \mid I)\bigr)}$$

! that is, we will set off the alarm too many times in response to non-intrusions, combined with the fact that… we do not have many intrusions!
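As an added example (not part of the original slides), the following Python reproduces the base-rate computation above with the slides' own symbols and quantities, and then sweeps the false alarm rate to show how P(I|A) collapses when P(A|¬I) is not as low as supposed. The inputs (2 intrusions per day, 10 audit records per intrusion, 1,000,000 audit records per day, detection rates 1.0 and 0.7, false alarm rate 10^-5) are the slide's; the sweep values are constructed.

```python
"""Base-rate fallacy worked through in code (added example, not from the slides).

Symbols follow the slides: I / not-I = intrusive / non-intrusive record,
A / not-A = alarm raised / not raised.
"""


def base_rate(intrusions_per_day, records_per_intrusion, records_per_day):
    """P(I): fraction of audit records that belong to an intrusion."""
    return intrusions_per_day * records_per_intrusion / records_per_day


def p_intrusion_given_alarm(p_i, detection_rate, false_alarm_rate):
    """P(I|A) by Bayes: P(I)P(A|I) / (P(I)P(A|I) + P(notI)P(A|notI))."""
    p_not_i = 1.0 - p_i
    num = p_i * detection_rate
    return num / (num + p_not_i * false_alarm_rate)


def p_no_intrusion_given_no_alarm(p_i, detection_rate, false_alarm_rate):
    """P(notI|notA) by Bayes, with P(notA|notI) = 1 - P(A|notI), P(notA|I) = 1 - P(A|I)."""
    p_not_i = 1.0 - p_i
    true_negative_rate = 1.0 - false_alarm_rate
    false_negative_rate = 1.0 - detection_rate
    num = p_not_i * true_negative_rate
    return num / (num + p_i * false_negative_rate)


def slide_example():
    """The two cases on the slide: an ideal detector and a more reasonable 0.7 one."""
    p_i = base_rate(intrusions_per_day=2, records_per_intrusion=10, records_per_day=1_000_000)
    ideal = p_intrusion_given_alarm(p_i, detection_rate=1.0, false_alarm_rate=1e-5)
    reasonable = p_intrusion_given_alarm(p_i, detection_rate=0.7, false_alarm_rate=1e-5)
    return p_i, ideal, reasonable


def sweep_false_alarm_rate(p_i, detection_rate, false_alarm_rates):
    """P(I|A) for each candidate false alarm rate, to see how fast it collapses."""
    return {fa: p_intrusion_given_alarm(p_i, detection_rate, fa) for fa in false_alarm_rates}


if __name__ == "__main__":
    p_i, ideal, reasonable = slide_example()
    print(f"P(I) = {p_i:.1e}")
    print(f"P(I|A), ideal detector     = {ideal:.3f}")
    print(f"P(I|A), 0.7 detection rate = {reasonable:.3f}")
    print(f"P(notI|notA), 0.7 detection rate = {p_no_intrusion_given_no_alarm(p_i, 0.7, 1e-5):.6f}")
    # Constructed sweep: the same detector with less optimistic false alarm rates
    for fa, post in sweep_false_alarm_rate(p_i, 0.7, [1e-5, 1e-4, 1e-3, 1e-2]).items():
        print(f"P(A|notI) = {fa:.0e} -> P(I|A) = {post:.3f}")
```

The sweep is the practical lesson of the slide: at a false alarm rate of 10^-3, which many deployed sensors would be happy to achieve, fewer than two alarms in a hundred correspond to an intrusion, while P(¬I|¬A) stays close to 1 simply because intrusions are rare.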


Computer Security

Definitions and threats


Requirements for Computer

and Network Security

Stallings, Network Security Essentials - Applications and Standards, Prentice Hall, 2000

! Availability

! Computer system assets and resources must be always available to authorised parties

! Confidentiality

! The information in a computer system must be accessible for reading by authorised parties

! Integrity

! Computer system assets can be modified only by authorised parties

! Authenticity

! A computer system must be able to verify the identity of a user


Types of threats

! The function of a computer system can be viewed as that of providing information

! In general there is a flow of information from a source (a file, etc.) to a destination (a file, a user, etc.)

! Four categories of threats can be defined in terms of modification of the normal flow of information


1. Interruption

! An asset of the system is destroyed or

becomes unusable

! Some examples:

Destruction of a piece of hardware

Cutting of a communication line

Disabling of the file system management

! This is an attack on availability usually called

“Denial of Service” (DoS) attack


2. Interception

! An unauthorised party gains access to an asset

! Some examples:

Wiretapping to capture data in a network

Illicit copying of files and programs

Password spoofing

! This is an attack on confidentiality


3. Modification

! An unauthorised party not only gains access to but also tampers with an asset

! Some examples:

Changing values in a data file

Altering a program so that it performs differently

Modifying the content of messages being transmitted in a network

! This is an attack on integrity


4. Fabrication

! An unauthorised party inserts counterfeit

objects into the system

! Some examples:

Insertion of spurious messages in a network

Addition of records to a file

! This is an attack on authenticity


Security threats and assets

| Asset | Availability | Confidentiality | Integrity/Authenticity |
| --- | --- | --- | --- |
| Hardware | Equipment is stolen or disabled, thus denying the device | | |
| Software | Programs are deleted, denying access to users | An unauthorised copy of software is made | A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task |
| Data | Files are deleted, denying access to users | An unauthorised read of data is performed. An analysis of statistical data reveals underlying data | Existing files are modified or new files are fabricated |
| Communication lines | Messages are destroyed or deleted. Communication lines or networks are rendered unavailable | Messages are read. The traffic pattern of messages is observed | Messages are modified, delayed, reordered, or duplicated. False messages are fabricated |


Risks and vulnerabilities

Anderson, Computer Security Threat Monitoring and Surveillance, Tech Rep, 1980

! Risk

! Accidental and unpredictable exposure of

information, or violation of operations integrity due to

malfunction of hardware or incorrect software design

! Vulnerability

! A known or suspected flaw in the hardware or

software design or operation of a system that

exposes the system to penetration or its information to accidental disclosure


Prevention

Different levels of protection can be used to prevent intrusions, according to the degree of sharing of the assets

! No protection

! Isolation

! Share all or share nothing

! Share via access limitation

! Share via dynamic capabilities

! Limit use of an object

For each kind of computer asset, different implementations of protection mechanisms exist


Prevention techniques

! Physical protection for hardware

! Passwords, access tokens, biometrics, etc. for authentication

! Access control lists for authorisation

! Cryptography for secrecy

! Backups and redundancy for availability

! Trusted operating systems for authenticity

! Firewalls for network protection

…and so on

“Absolute” security cannot be guaranteed!


Intruders and protection measures

Anderson, Computer Security Threat Monitoring and Surveillance, Tech Rep, 1980


Intruders

Anderson, Computer Security Threat Monitoring and Surveillance, Tech Rep, 1980

! Masquerader

! An individual who is not authorised to use the computer and who penetrates a

system’s access controls to exploit a legitimate user’s account

! Misfeasor

! A legitimate user who accesses data, programs, or resources for which such

access is not authorised, or who is authorised for such access but misuses his

or her privileges

! Clandestine user

! An individual who seizes supervisory control of the system and uses the

control to evade auditing and access controls or to suppress audit collection


Beyond protection: intrusion

detection

! Computer security based only on protection was suited

when

! Internal users were trusted

! There was limited interaction with other networks

! The value of the network-available assets was limited

! Intrusion detection is now needed because

! The level of trust of internal users is declining

! Access extended to large audiences

! The number of network interactions is rapidly increasing

! Network-available assets have taken on business-critical value


Intrusion Detection

Systems

A taxonomy


Organisations and Standards

! Organisations

! SANS Institute (System Administration Networking and Security)

! ICSA.net (International Computer Security Association)

! IDSC (Intrusion Detection Systems Consortium)

! SNAP (System and Network Assurance Program)

! GIAC (Global Incident Analysis Center)

! Standards

! CIDF (Common Intrusion Detection Framework)

! IETF (Internet Engineering Task Force) IDWG (Intrusion Detection Working Group)

! CVE (Common Vulnerabilities and Exposures)


Definitions

! Intrusion

! Unauthorised access to, and/or activity in, an information system

(IDSG, 1997)

! Attacks originating outside the organisation (ICSA-IDSC, 1999)

! Intrusion Detection Systems (IDS)

! The process of identifying that an intrusion has been attempted,

is occurring, or has occurred (IDSG, 1997)

! Systems that collect information from a variety of system and

network sources, and then analyse the information for signs of

intrusion and misuse (ICSA-IDSC, 1999)


Benefits of intrusion detection

! Deterrence

! Detection

! Response

! Damage assessment

! Attack anticipation

! Prosecution support


Assets

! Host-based IDS

! Aimed at detecting attacks related to a specific host

! Tailored to a particular architecture/operating system

! Detection is based on processing high level information (system

calls, events, etc.)

! Network-based

! Aimed at detecting attacks towards hosts connected to a LAN

! Detection is based on processing data at lower level of

granularity (packets)

! Common features

! Analysis of discrete time-sequenced events


Host based IDS

! Many host data sources

! Operating systems event logs (kernel, BSM security,

etc.)

! Application logs (syslog, relational databases, web

servers, etc.)

! Effective in detecting insider misuse

! Expensive, as host-based IDSs are typically

distributed agent-based architectures


Host intrusions

! Abuse of privilege attack scenarios

! Contractors with elevated privileges

! Ex-employee utilizes old account

! Administrator creates back-door accounts

! Inadvertent privileges granted

! Change in security configuration

! Users disabling locking screen savers

! Legal notice missing

! Guest account enabled

! Open registry

! Nomadic users with compromised systems


Host intrusions

! Critical data access and modification

! Student changes grades

! Employee modifies performance evaluation

! Falsification of results

! Unauthorised disclosure

! Theft of personnel/medical records

! Web site data is modified

! Anonymous users browsing critical files


Network based IDS

! Network sources are unique

! Network packets are usually sniffed off the

network

! Sensors deployed throughout a network

! Most network-based attacks are directed at

vulnerabilities of the operating system or

application software


Network based intrusions

! Unauthorised access

! Unauthorised login

! Jump-off for other attacks

! Data/Resource theft

! Password downloads

! Bandwidth theft

! Denial of service

! Malformed packets

! Packet flooding

! Distributed denial of service


Host- and Network- based

benefits

| Benefit | Host | Network |
| --- | --- | --- |
| Deterrence | Strong deterrence for insiders | Weak deterrence for insiders |
| Detection | Strong insider detection; weak outsider detection | Strong outsider detection; weak insider detection |
| Response | Weak real-time response; good for long-term attacks | Strong response against outsider attacks |
| Damage assessment | Excellent for determining extent of compromise | Very weak damage assessment capabilities |
| Attack anticipation | Good at trending and detecting suspicious behavior patterns | None |
| Prosecution support | Strong prosecution support capabilities | Very weak because there is no data source integrity |

Proctor, Practical Intrusion Detection, 2001


Laing, Intrusion Detection Systems, 2000

Host- and Network- based

benefits

! Network-based benefits

! Cost of ownership

! Packet analysis

! Evidence removal

! Malicious intent detection

! Operating System

independence

! Host-based benefits

! Attack verification

! System specific activity

! Encrypted and switched

environments

! Monitoring key components

! No additional hardware


Host- or Network-based?

! Today emphasis is on network IDS

! Attacks are performed through the Internet

! Network IDSs allow for perimeter defence

! Network IDSs not only detect attacks that exploit vulnerabilities in the communication protocol, but also vulnerabilities of operating systems and applications

! Last but not least… network IDSs are appliances sold by those who also sell network appliances

! … however, remember that IDS should be thought of as a component of a security strategy!


Host- vs. Network-based

detection

Proctor, Practical Intrusion Detection, 2001


Intrusion Detection

Techniques

The Pattern Recognition basis of

intrusion detection


Pattern Recognition

Figure: the pattern recognition pipeline. Pattern → Measurement (Data collection) → Feature Extraction → Classification/Detection → Label


Patterns of intrusion

! Definition of the events that should be considered as “intrusions”

! Extraction of the most suitable set of features

that can better discriminate between normal and

anomalous activities

! Detection problem formulation

! Statistical approaches

! Pattern matching


Feature extraction

! Which available measures are suited to

distinguish intrusions from legitimate activities?

! The definition of pattern, and the related generating

process guide the human expert in devising the most

suited measures

! Which features can be extracted from the

measures so that intrusions can be easily

separated from normal activities?


Measurements and features

for IDS

! Example of measurements

! Logs of network connections

! System-call audit trail

! Example of features

! Values of some fields of TCP/IP packets

! Number of connections from a specified host in a

predefined time window

! Duration of a predefined number of connections from

a specified host

! Number of system calls in a predefined time window…


Feature extraction &

Classification

! In the statistical approach to pattern recognition, a pattern is thought of as a point in the feature space

! Classification is then formulated as the task of finding the optimal separating surface between normal activities and intrusions

! Optimal in the sense of error minimisation

! The estimation of the separating surface requires a training set of examples

! The more representative the training set, the more effective the detection

! An independent test set is used to estimate the performance on new patterns


Decision surfaces

Figure (panel captions): “A simple model”; “A complex model that ‘overfits’ the training set”; “A tradeoff between complexity of the classifier and classification accuracy”


Bayesian decision theory

! Helps quantify the tradeoffs between various classification decisions using

! Probability

! Costs that accompany such decisions

! It is assumed that the problem is posed in

probabilistic terms

! Let us denote

! ω_i the data classes (i = 1,..,M)

! x the feature vector associated with a pattern


Bayesian decision theory

! The classification problem is formulated in terms of

estimating the posterior probability that pattern x

belongs to one of the M data classes

! Posterior depends on

! The prior P(ω_i), i.e. the likelihood that a randomly selected pattern belongs to class ω_i

! The class-conditional probability density function p(x | ω_i), i.e., the distribution of patterns of class ω_i in the selected feature space

$$P(\omega_i \mid x) = \frac{p(x \mid \omega_i)\,P(\omega_i)}{p(x)} = \frac{p(x \mid \omega_i)\,P(\omega_i)}{\sum_{j=1}^{M} p(x \mid \omega_j)\,P(\omega_j)}$$


Bayesian decision theory

! Which decision leads to minimum error?

Decide ω_k if P(ω_k|x) > P(ω_i|x) for all i = 1,..,M, i ≠ k

It is easy to see that, if we decide ω_j,

P(error | x) = 1 - P(ω_j|x)

thus, the probability of error is minimised by

deciding for the class with the highest posterior


Risk

! Let α_i, i = 1,..,c, be a set of possible actions

! Let λ(α_i | ω_j) be the loss incurred for taking action α_i when the class is ω_j.

The expected risk of taking action α_i is

$$R(\alpha_i \mid x) = \sum_{j=1}^{M} \lambda(\alpha_i \mid \omega_j)\,P(\omega_j \mid x)$$

Risk is minimised by taking the action α_i for which R(α_i | x) is minimum
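The Bayes decision rule and the minimum-risk rule above, worked through in Python as an added example (not the slides' own code). It uses the slides' symbols ω_i, P(ω_i), p(x|ω_i), α_i and λ(α_i|ω_j). The feature x is the number of connections from a host in a time window, one of the features listed earlier; the two classes, their priors, the Gaussian class-conditional densities and the loss matrix are constructed assumptions for the sake of a runnable example.

```python
"""Bayes decision rule and minimum-risk decision (added example, not from the slides).

Classes omega_i: "normal" and "intrusion". The feature x is the number of
connections from a host in a time window. Priors, class-conditional densities
(1-D Gaussians) and the loss matrix are constructed assumptions.
"""
import math

# Constructed priors P(omega_i): intrusions are rare.
PRIORS = {"normal": 0.99, "intrusion": 0.01}

# Constructed class-conditional densities p(x|omega_i) as Gaussians (mean, std).
DENSITY_PARAMS = {"normal": (5.0, 2.0), "intrusion": (30.0, 10.0)}

# Constructed loss matrix lambda(alpha_i|omega_j): rows are actions alpha_i,
# columns are true classes omega_j. Missing an intrusion is taken to cost 50
# times as much as a false alarm; correct decisions cost nothing.
LOSS = {
    "alarm": {"normal": 1.0, "intrusion": 0.0},
    "ignore": {"normal": 0.0, "intrusion": 50.0},
}


def gaussian_pdf(x, mean, std):
    """Value of a 1-D Gaussian density at x."""
    z = (x - mean) / std
    return math.exp(-0.5 * z * z) / (std * math.sqrt(2.0 * math.pi))


def posteriors(x, priors=PRIORS, params=DENSITY_PARAMS):
    """P(omega_i|x) = p(x|omega_i) P(omega_i) / sum_j p(x|omega_j) P(omega_j)."""
    joint = {c: gaussian_pdf(x, *params[c]) * priors[c] for c in priors}
    p_x = sum(joint.values())  # the evidence p(x), the denominator of Bayes' theorem
    return {c: v / p_x for c, v in joint.items()}


def decide_min_error(post):
    """Decide omega_k with the highest posterior; then P(error|x) = 1 - P(omega_k|x)."""
    return max(post, key=post.get)


def conditional_risk(post, loss=LOSS):
    """R(alpha_i|x) = sum_j lambda(alpha_i|omega_j) P(omega_j|x), for every action."""
    return {a: sum(loss[a][c] * post[c] for c in post) for a in loss}


def decide_min_risk(post, loss=LOSS):
    """Take the action alpha_i for which R(alpha_i|x) is minimum."""
    risk = conditional_risk(post, loss)
    return min(risk, key=risk.get)


def classify(x):
    """Both decisions for one observation, plus the numbers behind them."""
    post = posteriors(x)
    return {
        "posterior_intrusion": post["intrusion"],
        "min_error_class": decide_min_error(post),
        "risk": conditional_risk(post),
        "min_risk_action": decide_min_risk(post),
    }


if __name__ == "__main__":
    for x in (4, 12, 40):
        r = classify(x)
        print(f"x={x:>2}: P(intrusion|x)={r['posterior_intrusion']:.4f}  "
              f"min-error -> {r['min_error_class']:<9}  min-risk -> {r['min_risk_action']}")
```

With x = 12 the two rules disagree: the posterior of "intrusion" is only about 0.15, so the minimum-error rule decides "normal", but because a missed intrusion is 50 times costlier than a false alarm the minimum-risk rule still raises the alarm. That is the cost term of the trade-off the slide describes, and it is exactly the knob that moves a detector along the false-alarm / missed-alarm curve discussed under the base-rate fallacy.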


Statistical Detection

Techniques

! Probabilistic classifiers

! A pattern is assigned to the class that is most probable, given the observed features, i.e., a point x of feature space is assigned to the class that maximises P(Cj|x)

! Training set is used to estimate posterior probabilities (parametric and non-parametric techniques)

! Template matching

! The observed pattern is compared to templates that represent each class, and is assigned according to the best match, according to a suitable distance function.


Nonmetric detection

techniques

! When features are represented by nominal data

! e.g., descriptions that are discrete and without any natural

notion of similarity or ordering

patterns are represented by lists of attributes or

variable-length strings

! The problem cannot be modelled by continuous

probability distributions and metrics

The problem can be addressed by rule-based or

syntactic pattern recognition methods

! Rules are usually referred to as “signatures”

! Pattern matching or regular expression techniques


Stateless and Stateful

approaches

! Stateless approaches treat each event independently of others

! Simple system design

! High processing speed

! Stateful approaches maintain information about past events

The effect of a certain event depends on its position in the event stream

! Complex system design compared to stateless approaches


Intrusion Detection techniques

! Probabilistic classifiers are used in anomaly-

based IDS

! They exhibit some generalisation capability as they

can, in principle, detect attacks not in the training set

! Rule-based approaches are used in misuse-

based IDS

! They are implemented by a set of deterministic rules,

so that only perfect matches are detected with no

generalisation capability


Misuse- and Anomaly-based

IDS

! Misuse-based

! Patterns of known misuse are stored in a set of rules

! When a rule is matched, an alarm is raised

! Very good in detecting copycat attacks

! Anomaly-based

! Statistical description of “normal” computer activities

! All activities deviating from the normal profile are labelled as being anomalous

! Can detect “zero-day” attacks

! Tends to produce high rates of false alarms
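Added example (not from the slides, and not any product's code): a misuse-based and an anomaly-based detector side by side, run over a constructed connection log, covering the measurement / feature extraction / detection pipeline, the stateless-versus-stateful distinction and the misuse-versus-anomaly contrast above. The misuse detector is stateless: each event is matched against a signature on its own. The anomaly detector is stateful: it extracts the feature "number of connections from a specified host in a predefined time window" (from the feature list earlier), builds a statistical profile of "normal" from historical records, and flags windows that deviate from it. The log format, hosts, signature id, regular expression and threshold are all constructed; the run also shows the false alarm the slides warn about, since a host that was simply never seen before (constructed here as a benign batch job) trips the anomaly detector while matching no signature.

```python
"""Misuse- vs anomaly-based detection on a constructed connection log (added example).

Constructed line format: "<epoch-seconds> <src-ip> <dst-ip> <dst-port> <request>".
"""
import re
import statistics
from collections import defaultdict

# Constructed historical traffic, used only to build the profile of "normal".
HISTORICAL_LOG = [
    "5 10.0.0.1 10.0.1.5 80 GET /index.html",
    "10 10.0.0.2 10.0.1.5 80 GET /index.html",
    "15 10.0.0.3 10.0.1.5 443 TLS-handshake",
    "20 10.0.0.1 10.0.1.5 80 GET /img/logo.png",
    "30 10.0.0.2 10.0.1.6 22 SSH-2.0",
    "40 10.0.0.1 10.0.1.5 80 GET /about.html",
    "65 10.0.0.2 10.0.1.5 80 GET /index.html",
    "70 10.0.0.1 10.0.1.6 22 SSH-2.0",
    "80 10.0.0.3 10.0.1.5 80 GET /news.html",
    "90 10.0.0.1 10.0.1.5 80 GET /contact.html",
    "100 10.0.0.3 10.0.1.5 80 GET /css/main.css",
    "110 10.0.0.3 10.0.1.5 80 GET /js/app.js",
]

# Constructed new traffic to analyse. 10.0.0.7 is a benign batch job that never
# appears in the historical data; the last line is deliberately malformed.
NEW_LOG = [
    "125 10.0.0.1 10.0.1.5 80 GET /index.html",
    "130 10.0.0.9 10.0.1.5 80 GET /page1",
    "132 10.0.0.9 10.0.1.5 80 GET /page2",
    "134 10.0.0.9 10.0.1.5 80 GET /page3",
    "135 10.0.0.2 10.0.1.5 80 GET /download?file=../../secret.txt",
    "136 10.0.0.9 10.0.1.5 80 GET /page4",
    "138 10.0.0.9 10.0.1.5 80 GET /page5",
    "140 10.0.0.1 10.0.1.5 80 GET /news.html",
    "141 10.0.0.9 10.0.1.5 80 GET /page6",
    "143 10.0.0.9 10.0.1.5 80 GET /page7",
    "145 10.0.0.9 10.0.1.5 80 GET /page8",
    "180 10.0.0.7 10.0.1.6 22 SSH-2.0",
    "185 10.0.0.7 10.0.1.6 22 SSH-2.0",
    "190 10.0.0.7 10.0.1.6 22 SSH-2.0",
    "195 10.0.0.7 10.0.1.6 22 SSH-2.0",
    "200 10.0.0.7 10.0.1.6 22 SSH-2.0",
    "this line is deliberately malformed",
]

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+) (.*)$")
WINDOW_SECONDS = 60  # the "predefined time window" of the feature

# Misuse detection: a rule (signature) over a single event. Constructed id and
# pattern: a directory-traversal sequence inside the request.
SIGNATURES = [("SIG-CONSTRUCTED-001", re.compile(r"\.\./"))]


def parse(lines):
    """Measurement step: turn raw log lines into events, skipping malformed ones."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, port, request = m.groups()
            events.append({"ts": int(ts), "src": src, "dst": dst, "port": int(port), "request": request})
    return events


def misuse_alarms(events):
    """Stateless: each event is matched against every signature on its own."""
    return [(sig_id, e["src"], e["ts"])
            for e in events for sig_id, pat in SIGNATURES if pat.search(e["request"])]


def connections_per_window(events):
    """Feature extraction: number of connections from each source host per time window."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["src"], e["ts"] // WINDOW_SECONDS)] += 1
    return counts


def build_profile(historical_events):
    """Statistical description of normal activity: mean and std of the feature."""
    values = list(connections_per_window(historical_events).values())
    return {"mean": statistics.mean(values), "std": statistics.pstdev(values)}


def anomaly_alarms(events, profile, k=3.0):
    """Stateful: flag (host, window, count) whose count exceeds the profile by more than k std."""
    threshold = profile["mean"] + k * profile["std"]
    return sorted((src, win, n) for (src, win), n in connections_per_window(events).items() if n > threshold)


if __name__ == "__main__":
    profile = build_profile(parse(HISTORICAL_LOG))
    new_events = parse(NEW_LOG)
    print("profile        :", profile)
    print("misuse alarms  :", misuse_alarms(new_events))
    print("anomaly alarms :", anomaly_alarms(new_events, profile))
```

The signature fires once, on the one event that matches it, and would never fire on the eight-connection burst from 10.0.0.9 because no rule describes that behaviour; the profile catches the burst but also flags the never-seen batch job 10.0.0.7, which is the "acceptable action that has not been seen before" case. The parameter k is the knob between the two failure modes: raising it (for instance to 10) silences both anomaly alarms, lowering it makes the profile flag more ordinary hosts.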


A conceptual model

Proctor, Practical Intrusion Detection, 2001

! Approaches to Intrusion Detection can be described conceptually

! Let us represent a 2-dimensional feature space defined by a circle, representing all possible types of user behaviour and actions


A conceptual model

! We would like to define a feature space such that we can draw a line separating acceptable behaviour from unacceptable behaviour

! Unfortunately, it is quite difficult to define such a feature space…


Anomaly detection

! If we could define everything that was acceptable, then everything that wasn’t acceptable would be misuse

! Historical data are used to define acceptable

! Unfortunately, it is very difficult to represent all possible acceptable activities

! When an acceptable action arises that has not been seen before, an alarm will be raised

! Additionally, unacceptable actions may exist in historical data so that unacceptable actions are considered acceptable


Anomaly detection, conceptually

Figure (panel captions): “Ideally…”; “Real-World Behaviour Models”


Misuse detection

- Conversely, if we could define all unacceptable behaviour, then everything that matched that behaviour would result in an alarm.
  - A priori, rule-based mechanisms.
- These predefined threat scenarios are very deterministic and significantly reduce the number of false positives.
- There can be numerous missed alarms (false negatives).
  - To reduce missed alarms, rules must be updated frequently with the most recently observed threats.
- Actual alarms are very robust because they are focused on misuse activities.

[Figure: Misuse detection, conceptually. Two panels: "Ideally..." (every unacceptable behaviour covered by a rule) and "Real-world models (signatures)" (signatures cover only the misuse seen so far).]


Anomaly- or misuse-based IDS?

- The choice is governed by the trade-off between detection accuracy and false alarm rate. With I the event "an intrusion occurred" and A the event "the IDS raised an alarm", Bayes' rule gives the probability that an alarm is real, and the probability that silence is safe:

$$P(I \mid A) = \frac{P(I)\,P(A \mid I)}{P(I)\,P(A \mid I) + P(\neg I)\,P(A \mid \neg I)}$$

$$P(\neg I \mid \neg A) = \frac{P(\neg I)\,P(\neg A \mid \neg I)}{P(\neg I)\,P(\neg A \mid \neg I) + P(I)\,P(\neg A \mid I)}$$

Here P(A | I) is the detection rate and P(A | ¬I) the false alarm rate. Because P(I) is tiny on a real network, even a false alarm rate that looks negligible dominates the denominator of P(I | A): most alarms are then false (the base-rate fallacy), which is why a small P(A | ¬I) matters at least as much as a large P(A | I).
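To see what the two expressions mean in practice, here is an added worked example (not part of the original slides) that evaluates them in Python. The prior P(I), the detection rate and the false alarm rates plugged in are assumed figures chosen to make the base-rate effect visible.

```python
# Added example (not from the slides): plugging numbers into the two Bayes
# expressions above. The event rates used below are assumptions.


def p_intrusion_given_alarm(p_i, p_a_given_i, p_a_given_not_i):
    """P(I | A): the probability that a raised alarm is a real intrusion.
    p_i             : prior probability that an audited event is an intrusion
    p_a_given_i     : detection rate, P(A | I)
    p_a_given_not_i : false alarm rate, P(A | not I)
    """
    num = p_i * p_a_given_i
    den = num + (1.0 - p_i) * p_a_given_not_i
    return num / den


def p_no_intrusion_given_no_alarm(p_i, p_a_given_i, p_a_given_not_i):
    """P(not I | not A): the probability that silence really means no intrusion."""
    p_not_i = 1.0 - p_i
    num = p_not_i * (1.0 - p_a_given_not_i)
    den = num + p_i * (1.0 - p_a_given_i)
    return num / den


def expected_alarms(events, p_i, p_a_given_i, p_a_given_not_i):
    """(true alarms, false alarms) expected among `events` audited events."""
    intrusions = events * p_i
    benign = events - intrusions
    return intrusions * p_a_given_i, benign * p_a_given_not_i


if __name__ == "__main__":
    # Assumed figures: one intrusion per 100,000 events, a perfect detector,
    # and two false alarm rates that both look small on paper.
    for fa_rate in (1e-3, 1e-5):
        post = p_intrusion_given_alarm(1e-5, 1.0, fa_rate)
        true_a, false_a = expected_alarms(1_000_000, 1e-5, 1.0, fa_rate)
        print(f"P(A|notI)={fa_rate:g}: P(I|A)={post:.4f}, "
              f"{true_a:.0f} true vs {false_a:.0f} false alarms per 10^6 events")
```

With P(I) = 10^-5 and a perfect detector, a false alarm rate of 10^-3 yields P(I | A) below 1%: on a million audited events the operator sees about 10 real alarms buried in roughly 1000 false ones, while P(¬I | ¬A) stays close to 1 regardless. Only when P(A | ¬I) is pushed down to the order of P(I) itself does an alarm become more likely true than false.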

[Figure: Attack sophistication versus the evolution of attacker skill over time (source: CERT/CC).]


State-of-the-art IDS are misuse based

- A large number of attack tools are publicly available on the Internet (the so-called "script kiddies" phenomenon).
- Many attacks are copycats.
- Client and server applications are rapidly evolving, thus making it difficult to establish a model of legitimate behaviour.
- Misuse-based techniques allow attaining a large P(A | I) and a small P(A | ¬I).
- Very effective in detecting known attacks.
  - Patterns of misuse are defined in terms of features that uniquely identify that kind of misuse.
- Requires teams of experts that produce attack signatures
  - as soon as a new attack is observed, or
  - before a vulnerability is exploited (a signature written from the vulnerability itself).
- Cannot detect new, unpredictable attacks.


Stateless or stateful techniques

- Attacks are best described by a sequence of related events:
  - surveillance
  - exploitation
  - masquerading
- Stateful approaches may seem appropriate... but they are more difficult to design.
- Individual events can be more easily codified into a set of rules:
  - buffer overflows
  - malformed packets
  - exploitation of vulnerabilities of server applications
- Stateless and stateful approaches can be implemented both by misuse- and anomaly-based IDS.
- State-of-the-art misuse-based IDS implement both techniques for different categories of attack.
- Anomaly-based techniques can take into account the state model of attacks
  - by using suitable features computed on past events, or
  - by using stateful models such as HMMs (hidden Markov models).


Which IDS solution?

- Choosing a solution requires computing trade-offs
  - the five-step evaluation process
- However, current IDS are far from being mature products:
  - lack of evaluation protocols
  - customisation is not trivial
  - need for frequent updates
  - they produce a large number of low-level alerts and little insight about the actual attacker's goal

Actual problems in the current state of IDS
(Allen et al., "State of the Practice of Intrusion Detection Technologies", Technical Report, CMU/SEI, 2000)


Sophistication of attack strategies

- Attackers continue to improve their ability to penetrate systems.
- Attacks are usually carried out in seven phases:
  1. reconnaissance
  2. vulnerability identification
  3. penetration
  4. control
  5. embedding
  6. data extraction
  7. attack relay

Sophistication of attack tools

- Tools to support attackers continue to improve, and are an increasing challenge to IDS:
  - scanning tools
  - remote management tools
- Reasons:
  - much of the released software (especially operating systems) has not been adequately tested for security
  - the rapid increase in connectivity and data sharing leaves operating systems more open to exploitation


Issues that future IDS should address

- The increasing frequency and changing nature of attacks
- Message encryption (encrypted traffic hides payloads from a network sensor)
- Attack strategies targeting the ID systems themselves
- Vulnerability to modem use (dial-in links that bypass the monitored perimeter)
- Vulnerability to mobile code

Network issues

- Network size and complexity (scalability)
- Lack of inherent security in the operating environment
- Need for interoperability and standards
- Inherent limits of network-based IDS
  - a network-based IDS may not see all traffic


Human and organizational factors

- Need for greater human-computer interaction
  - human skills are not adequately used to support the diagnosis of intrusions and to determine the resulting actions
- Identifying intruders through profiling
  - IDS are unable to identify attackers and their goals

Functional issues

- Sensing an attack before damage occurs
- Automatic response to intrusion
- Post-intrusion activities: recovery and reprisal
- Performance
  - traffic load
  - intruders can starve the IDS (flood it until it drops packets)
- Identifying unknown modes of attack
- Assessment of the accuracy of IDS signatures
- Characterising IDS performance
  - real network traffic is not well behaved

Recent research on intrusion detection

"Zero-day" attack detection is the ultimate goal of researchers on IDS.

Seminal work

- Denning, "An Intrusion-Detection Model", IEEE Transactions on Software Engineering, 1987
  - host-based detection
  - analysis of the system's audit records
  - activity profiles characterise the behaviour of a subject with respect to a given object
  - behaviours are characterised in terms of a statistical metric and model
    - metric: a random variable x representing a quantitative measure accumulated over a period
    - model: no assumption about the underlying distribution


Denning's intrusion-detection model

- A sample profile: measures the quantity of output to user Smith's terminal on a session basis

  Variable-Name:          SessionOutput
  Action-Pattern:         'logout'
  Exception-Pattern:      0
  Resource-Usage-Pattern: 'SessionOutput =' #$Amount
  Period:
  Variable-Type:          resourceByActivity
  Threshold:              4
  Subject-Pattern:        'Smith'
  Object-Pattern:         *
  Value:                  record of

- Whenever the intrusion-detection system receives an audit record that matches a variable's patterns
  - it updates the variable's distribution
  - it checks for abnormality (against the threshold value)
- This IDS was named IDES (Intrusion Detection Expert System).
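The following Python code is an added example, not Denning's or the slides' code: it implements one profile like the SessionOutput sample above and runs a constructed audit trail through it. The audit-record layout, the warm-up count, the sample values and the choice of Denning's mean-and-standard-deviation test (abnormal when |x - mean| > threshold * stddev, with threshold 4 as in the profile) are assumptions.

```python
# Added example (not Denning's or the slides' code): one activity profile
# in the spirit of the SessionOutput sample above. The audit-record layout,
# the mean-and-standard-deviation test, the warm-up count and the sample
# log are all assumptions.
import math
from dataclasses import dataclass, field


@dataclass
class AuditRecord:
    subject: str          # who, e.g. 'Smith'
    action: str           # what, e.g. 'logout'
    obj: str              # on what, e.g. a terminal
    usage: dict = field(default_factory=dict)  # resource-usage fields, e.g. {'SessionOutput': 1200}


@dataclass
class Profile:
    variable_name: str         # Variable-Name, e.g. 'SessionOutput'
    subject_pattern: str       # Subject-Pattern
    action_pattern: str        # Action-Pattern
    threshold: float           # Threshold: standard deviations tolerated around the mean
    min_observations: int = 5  # assumed warm-up before the distribution is trusted
    n: int = 0                 # the variable's distribution, kept as a count ...
    total: float = 0.0         # ... a running sum ...
    total_sq: float = 0.0      # ... and a running sum of squares

    def matches(self, rec):
        """Does this audit record match the profile's patterns?"""
        return (rec.subject == self.subject_pattern
                and rec.action == self.action_pattern
                and self.variable_name in rec.usage)

    def mean_stddev(self):
        if self.n == 0:
            return 0.0, 0.0
        mean = self.total / self.n
        var = max(self.total_sq / self.n - mean * mean, 0.0)
        return mean, math.sqrt(var)

    def process(self, rec):
        """None if the record does not match; otherwise True when the observed
        value is abnormal under the current distribution. The distribution is
        updated in either case, as the slide describes."""
        if not self.matches(rec):
            return None
        x = float(rec.usage[self.variable_name])
        abnormal = False
        if self.n >= self.min_observations:
            mean, sd = self.mean_stddev()
            abnormal = abs(x - mean) > self.threshold * sd
        self.n += 1
        self.total += x
        self.total_sq += x * x
        return abnormal


def scan(profile, records):
    """Run the audit trail through the profile; return the records flagged abnormal."""
    return [r for r in records if profile.process(r)]


# Constructed audit trail: five ordinary sessions for Smith, one more ordinary
# session, then a session whose output is fifty times larger, plus a record
# for another user that the profile must ignore.
SAMPLE_LOG = [
    AuditRecord("Smith", "logout", "tty3", {"SessionOutput": v})
    for v in (1000, 1100, 950, 1050, 1000, 1020, 50000)
] + [AuditRecord("Jones", "logout", "tty4", {"SessionOutput": 70000})]

if __name__ == "__main__":
    smith = Profile("SessionOutput", "Smith", "logout", threshold=4)
    for rec in scan(smith, SAMPLE_LOG):
        print("abnormal:", rec)
```

The abnormal value is folded into the distribution after being flagged, as an unsupervised profile would do; the anomaly-detection caveat above that unacceptable actions may end up in the historical data shows here as an inflated mean and standard deviation for every later session.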


Some observations

- The events monitored are those logged by the operating system.
- The choice of the 'patterns' to be classified depends on past knowledge of misuse.
- The extracted features depend on past knowledge of misuse.
- The model and the threshold are chosen by experiment.

NIDES and EMERALD
SRI International (www.sdl.sri.com)

- NIDES (Next-generation Intrusion Detection Expert System): evolution of IDES
  - statistical anomaly detection
  - rule-based misuse detection (P-BEST)
- EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances): evolution of NIDES
  - statistical anomaly detection
  - rule-based misuse detection (P-BEST)

[Figure: EMERALD monitor architecture.]

STAT approaches
University of California at Santa Barbara (www.cs.ucsb.edu/~rsg/STAT/)

- State-transition analysis applied to host- and network-based intrusion detection
- Components:
  - a preprocessor
  - a knowledge base (which includes a fact base and a rule base)
    - the state-transition model of attacks
    - attacks can be recognised before the system reaches the compromised state
  - an inference engine
  - a decision engine


Bro
Lawrence Berkeley National Laboratory (www.bro-ids.org)

- Bro is a network-based IDS based on attack signatures
- The goals of Bro are:
  - high-load monitoring
  - real-time notification
  - decoupling mechanism from policy
  - system extensibility
  - ability to ward off attacks

Neural networks for intrusion detection

- A number of papers in the '90s have addressed the use of neural networks for intrusion detection
  - goal: to design an anomaly/misuse detector based on normal activities as well as on malicious activities
- Attained results:
  - neural networks use their internal representation to learn the distribution of data, thus avoiding the explicit formulation of models
  - neural networks can generalise from the knowledge of known attacks, thus allowing the recognition of variations of known attacks
- Shortcomings:
  - limited scope of the performed experiments
  - long training time
  - neural networks provide no insight into the learned logic

Neural networks

[Figure: a feed-forward network with an input layer, a hidden layer and an output layer; inset: a single neuron.]

- The weights of the connections, w_ij, and the biases b_i are optimised according to the backpropagation algorithm.
- Given a labelled training set, weights and biases are iteratively adjusted in order to minimise the overall classification error.

Current research on anomaly detection

- The difficulties in modelling normal network data, and the difficulties of extracting real-world normal traffic, are driving the research into unsupervised methods
  - the traffic is collected as is
  - under the hypothesis that attacks are rare, all the collected traffic is modelled; outliers are likely to be anomalous activities
  - problem: which is the most suitable feature space in which traffic has to be represented?


Current research on anomaly detection

- A number of computer activities follow a protocol:
  - system calls
  - TCP connections
- State-transition models are proposed to model this kind of activity:
  - finite-state automata
  - Petri nets
  - hidden Markov models
- Please note, however, that it is not true that all behaviours deviating from the model are necessarily an intrusion!

PRIDE: Pattern Recognition for Intrusion DEtection

[Figure: PRIDE architecture. Snort feeds TCP connection records to a service selector that routes each connection to a per-service module (web services, mail services, ftp services, private & other, misc, ICMP). Each module performs feature extraction (features of type 1 ... type n), runs one classifier per feature type, and combines the classifier outputs by decision fusion.]

Modelling Internet traffic
(Floyd and Paxson, "Difficulties in Simulating the Internet", IEEE/ACM Transactions on Networking, 2001)

- Simulating the Internet is an immensely challenging undertaking because of the network's great heterogeneity and rapid change.
- The paper proposes the search for invariants and the judicious exploration of the simulation parameter space.


Heterogeneity of network traffic

- Topology and link properties
- Protocol differences
- Traffic generation

Sources of the network's change

- Pricing structure of network connections
- Router scheduling
- Wireless access
- Impoverished devices (handhelds, etc.)
- Native multicast
- Differentiated services
- Ubiquitous web caching
- A new "killer app"


Invariants in Internet traffic

- Diurnal patterns of activity
  - for more than 30 years it has been recognised that network activity follows daily patterns tied to human activity
- Self-similarity
  - longer-term (hundreds of ms to tens of s) correlations in the packet arrivals seen in aggregated Internet traffic are well described in terms of "self-similar" (fractal) processes
- Poisson session arrivals
  - a user session arrival corresponds to the time when a human decides to use the network for a specific task; examples are remote logins, the initiation of a file transfer (FTP) dialog, and the beginning of Web-surfing sessions
- Log-normal connection sizes
  - the distribution of the logarithm of the sizes or durations of connections is well approximated by a Gaussian distribution
- Heavy-tailed distributions
  - heavy tail means a Pareto distribution with shape parameter α < 2; these tails are surprising because for α < 2 the Pareto distribution has infinite variance
  - the evidence for heavy tails is widespread, including CPU time consumed by Unix processes; sizes of Unix files, compressed video frames, and World Wide Web items; and bursts of Ethernet and FTP activity
- Invariant distribution for Telnet packet generation
- Invariant characteristics of the global topology


Alarm correlation

- For a given attack, IDS produce a huge volume of low-level alarms.
- A given alarm may have been caused by different attacks.
- If sequences of alarms are analysed, they can be fused to provide higher-level alarms
  - spurious alarms can be filtered out
- The use of different IDS may improve the results of alarm fusion as, for a given attack, different IDS may provide different alarms.

Aggregation and correlation of intrusion-detection alerts

[Figure: the aggregation and correlation architecture of Debar and Wespi, "Aggregation and Correlation of Intrusion-Detection Alerts", RAID 2001.]

A toolkit for intrusion alert analysis

[Figure: the alert analysis toolkit and a hyper-alert correlation graph from Ning, Cui, Reeves, and Xu, "Techniques and Tools for Analyzing Intrusion Alerts", ACM TISSEC 7(2), 2004.]

Alarm correlation @DIEE

[Figure: the DIEE alarm-correlation pipeline. Elementary alarms from sensors 1..N enter the Alert Management Interface (AMI); pre-processed alarms go to a classification module that labels them; labelled alarms go to a clustering/fusion module that groups them into clustered alarms and emits one meta-alert per attack class (attack class 1 ... M).]
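The clustering/fusion step of the pipeline above, as an added Python example that is not the DIEE tool's code. The alert record layout, the clustering key (attack class, source, target), the 60-second window, the single-alarm filter and the sample alarms are assumptions.

```python
# Added example (not the DIEE tool's code): the clustering/fusion step of the
# pipeline above, turning labelled elementary alarms from several sensors into
# meta-alerts. Alert layout, the clustering key (attack class, source, target),
# the time window and the sample alarms are assumptions.
from dataclasses import dataclass, field


@dataclass
class Alert:
    t: float            # seconds
    sensor: str         # which IDS sensor raised it
    attack_class: str   # label assigned by the classification module
    src: str
    dst: str
    sig: str            # sensor-specific signature name


@dataclass
class MetaAlert:
    attack_class: str
    src: str
    dst: str
    t_start: float
    t_end: float
    alerts: list = field(default_factory=list)

    @property
    def sensors(self):
        return sorted({a.sensor for a in self.alerts})


def aggregate(alerts, window=60.0):
    """Cluster alarms sharing (attack class, src, dst) whose timestamps fall within
    `window` seconds of the cluster's latest alarm; one meta-alert per cluster."""
    open_clusters = {}   # key -> the cluster currently accepting alarms
    metas = []
    for a in sorted(alerts, key=lambda x: x.t):
        key = (a.attack_class, a.src, a.dst)
        m = open_clusters.get(key)
        if m is None or a.t - m.t_end > window:
            m = MetaAlert(a.attack_class, a.src, a.dst, a.t, a.t)
            open_clusters[key] = m
            metas.append(m)
        m.alerts.append(a)
        m.t_end = a.t
    return metas


def filter_spurious(metas, min_alerts=2):
    """Assumed heuristic: a meta-alert backed by a single elementary alarm is
    treated as spurious and dropped."""
    return [m for m in metas if len(m.alerts) >= min_alerts]


# Constructed alarms: a port scan seen by two network sensors, one isolated
# DoS alarm, and an R2L attempt later reported by a network and a host sensor.
SAMPLE_ALERTS = (
    [Alert(float(t), "nids-1", "probe", "203.0.113.7", "10.0.0.5", "portscan") for t in range(20)]
    + [Alert(5.0, "nids-2", "probe", "203.0.113.7", "10.0.0.5", "portsweep")]
    + [Alert(30.0, "nids-1", "dos", "198.51.100.4", "10.0.0.5", "land")]
    + [Alert(500.0, "nids-1", "r2l", "203.0.113.7", "10.0.0.5", "ftp-write"),
       Alert(501.0, "hids-5", "r2l", "203.0.113.7", "10.0.0.5", "ftp-write")]
)

if __name__ == "__main__":
    for m in filter_spurious(aggregate(SAMPLE_ALERTS)):
        print(f"{m.attack_class:6} {m.src} -> {m.dst}  {len(m.alerts):3} alarms "
              f"from {m.sensors}  [{m.t_start:.0f}s .. {m.t_end:.0f}s]")
```

Twenty-one portscan alarms from two sensors collapse into one meta-alert that records which sensors agreed; the isolated DoS alarm is dropped by the single-alarm heuristic. That is the kind of filtering the slide calls removing spurious alarms, and it also shows its cost: a real one-packet attack reported by a single sensor would be discarded the same way.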

Information fusion

- IDS detect elementary actions of attackers.
- The attack itself is made up of a sequence of actions.
- The elementary alerts produced by IDS must be fused with information from other sources in order to attain an evaluation of the risk associated with the attack:
  - audit logs of the server OS
  - firewall logs
  - environment

Information fusion for intrusion detection
(Tim Bass, "Intrusion Detection Systems and Multisensor Data Fusion", Communications of the ACM, 2000)

- Decision support systems can be used to help the administrator recognise scenarios, especially scenarios seen in the past...
  - rule-based
  - probabilistic models
- ...but the detection of new, unpredicted attack scenarios depends on the intuition, expertise, and creativity of humans!

IDS evaluation
The 1998/1999 DARPA/Lincoln Lab program (http://www.ll.mit.edu/IST/ideval)

The goal

- The 1998/1999 DARPA/MIT Lincoln Laboratory IDS evaluations are the most comprehensive evaluations performed to date, and produced a corpus of data for the development, improvement and evaluation of IDS.
- A testbed network and scripted actors were used to loosely model the network traffic measured between a US Air Force base and the Internet.
- The 1998 data include normal network traffic for many different Unix services and protocols.
- The 1999 data address networks populated with a mix of Unix and Windows NT machines.

[Figure: the three components of the evaluation.]

[Figure: testbed network used in the 1998 evaluation.]

[Figure: testbed network used in the 1999 evaluation.]

Changes included in the 1999 evaluation

                     1998 baseline                     Added in 1999
  Network            UNIX                              Windows NT
  Background         UNIX background traffic           NT background traffic;
  traffic                                              two weeks of no-attack training data;
                                                       false-alarm analysis for the top system
                                                       on actual AF traffic
  Attacks            outside attacks;                  inside attacks;
                     38 attack types;                  data attacks;
                     stealthy against simple           >50 attack types;
                     keyword systems;                  novel NT and UNIX attacks;
                     novel UNIX attacks                stealthy against 1998 ID systems
  Metrics            detection + false-alarm ROCs      identification;
                                                       error analysis

[Figure: main operational features of the evaluation.]

Adversary model

- Two types of adversaries in the 1999 evaluation:
  - a relatively unsophisticated amateur hacker
    - the ultimate goal is to test his or her skill using attack programs and scripts found on the Internet
  - a more sophisticated professional or nation-state attacker
    - the ultimate goal is to gain access to some particular piece of information or to deny service during a precise period of time
    - the attacker hides his/her actions by creating variations of known attacks or creating new attacks from scratch


Attack classes

- Denial of Service (DoS)
- Probe (surveillance and scanning)
- Remote-to-Local (R2L)
  - a remote user gains access as a local user
- User-to-Root (U2R)
  - a local user gains root (superuser) privileges
- Data
  - attacks that have the goal of gaining access to some piece of information to which the attacker is not allowed access

Data set content

  Week   Description                      Start                  End
  1      Training data, without attacks   1.03.1999  8 a.m.      6.03.1999  6 p.m.
  2      Training data, with attacks      8.03.1999  8 a.m.     13.03.1999  6 p.m.
  3      Training data, without attacks   15.03.1999 8 a.m.     20.03.1999  6 p.m.
  4      Testing data                     29.03.1999 8 a.m.      3.04.1999  6 p.m.
  5      Testing data                     5.04.1999  8 a.m.     10.04.1999  6 p.m.


Feature extraction

- MADAM ID (Mining Audit Data for Automated Models for Intrusion Detection)
  - Lee and Stolfo, "A Framework for Constructing Features and Models for Intrusion Detection Systems", ACM Transactions on Information and System Security, 2000
- Labelled audit data (network- and host-based) are analysed in order to extract the most suitable features for classification
  - expert knowledge is used to guide the extraction process
  - classification, association rules, and frequent episodes are used to compute features

Extracted features (1998 DARPA evaluation)

- Intrinsic
  - duration of the connection, service, source, destination, etc.
- Traffic
  - statistics on past connections that have the same destination host as the current connection
  - statistics on past connections that have the same service as the current connection
- Content
  - failed login attempts, root shell obtained, su attempts, etc.

The resulting data set is part of the KDD-UCI archive (KDD Cup 1999).
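As an added example (not MADAM ID's code), the Python below recomputes same-host "traffic" features of the kind listed above from a small connection log. The record layout, the 2-second window, the flag vocabulary and the sample connections are assumptions; the feature definitions follow the KDD'99 set (count, same_srv_rate, diff_srv_rate, serror_rate, rerror_rate).

```python
# Added example (not MADAM ID's code): the same-host "traffic" features of the
# KDD'99 set recomputed from a connection log. Record layout, the 2-second
# window, the flag vocabulary and the sample connections are assumptions.
from collections import namedtuple

# flag as in the DARPA connection records: SF = normal completion,
# S0 = SYN seen but no reply, REJ = connection rejected
Conn = namedtuple("Conn", "t src dst service flag")

WINDOW = 2.0  # seconds of history considered, as in the KDD'99 traffic features
SYN_ERRORS = {"S0", "S1", "S2", "S3"}


def traffic_features(conns, i):
    """Same-host traffic features for conns[i]; conns must be sorted by time."""
    cur = conns[i]
    past = [c for c in conns[:i] if cur.t - c.t <= WINDOW and c.dst == cur.dst]
    count = len(past)
    if count == 0:
        return {"count": 0, "same_srv_rate": 0.0, "diff_srv_rate": 0.0,
                "serror_rate": 0.0, "rerror_rate": 0.0}
    same_srv = sum(c.service == cur.service for c in past)
    serror = sum(c.flag in SYN_ERRORS for c in past)
    rerror = sum(c.flag == "REJ" for c in past)
    return {
        "count": count,                           # recent connections to the same host
        "same_srv_rate": same_srv / count,        # ... to the same service
        "diff_srv_rate": 1.0 - same_srv / count,  # ... to other services
        "serror_rate": serror / count,            # ... with SYN errors
        "rerror_rate": rerror / count,            # ... rejected
    }


def featurize(conns):
    """Feature dict for every connection, in time order."""
    ordered = sorted(conns, key=lambda c: c.t)
    return [traffic_features(ordered, i) for i in range(len(ordered))]


# Constructed log: three ordinary web requests, then a port sweep in which one
# source probes ten services on the same host within a second and gets no reply.
SAMPLE_CONNS = [
    Conn(0.0, "10.0.0.11", "10.0.0.5", "http", "SF"),
    Conn(0.5, "10.0.0.12", "10.0.0.5", "http", "SF"),
    Conn(1.0, "10.0.0.13", "10.0.0.5", "http", "SF"),
] + [
    Conn(10.0 + 0.1 * k, "192.168.1.9", "10.0.0.5", svc, "S0")
    for k, svc in enumerate(["ftp", "ssh", "telnet", "smtp", "domain",
                             "http", "pop3", "imap", "sunrpc", "finger"])
]

if __name__ == "__main__":
    for c, f in zip(sorted(SAMPLE_CONNS, key=lambda c: c.t), featurize(SAMPLE_CONNS)):
        print(f"{c.t:5.1f} {c.src:12} {c.service:7} {f}")
```

The port sweep stands out without any signature: its last connection has nine same-host predecessors within two seconds, all to different services and all without a reply (diff_srv_rate = serror_rate = 1.0), whereas ordinary web traffic has same_srv_rate = 1.0 and no SYN errors. This is the sense in which the traffic features encode a stateful view of the recent past for a stateless classifier.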


Critique of the 1998/1999 DARPA/Lincoln Lab IDS evaluation
(J. McHugh, ACM Transactions on Information and System Security, 2000)

- He clearly pointed out that
  - this is the most comprehensive evaluation of research on IDS, thus providing a basis for comparing IDS
  - at the same time, the data set is flawed:
    - the statistics used to generate background traffic are not stated, and may not reflect real-world traffic
    - there is no agreement on what kind of network traffic has to be considered "normal" (Bellovin, "Packets found on an Internet", 1993; Floyd and Paxson, "Difficulties in simulating the Internet", 2001)
- Other flaws:
  - data rates are not discussed or specified
  - the distribution of attacks in the background noise does not seem realistic
  - the distribution of attacked systems is biased
  - the architecture of the network itself is not realistic
  - the distribution of data between the training and testing sets does not follow any assumption about the amount of data needed by an anomaly detector
  - the taxonomy of attacks is questionable

IDS products: a short list of products

Snort
www.snort.org

- Snort is a free, open-source, lightweight system developed by Marty Roesch.
- It is becoming the tool of choice for intrusion detection.
- It is a network-based, signature-based IDS.
- Signatures are contributed by the developer community.

Example rule (alert on any TCP traffic from 10.179.0.0/17 to port 666 on 192.0.0.0/16):

alert tcp 10.179.0.0/17 any -> 192.0.0.0/16 666 (msg:"It is an omen!!!";)


ISS Proventia
http://www.iss.net

- The preventive approach to Internet security is enforced by an R&D task force whose mission is to discover, research, and test system vulnerabilities.

Symantec

- Combines multiple detection technologies, including protocol anomaly detection and vulnerability attack interception.
- Integrated expertise from Symantec Security Response and Services provides early knowledge of threats to enable proactive security.


Cisco

- Detection techniques employed:
  - pattern matching
    - looking for a fixed sequence of bytes in a single packet
  - stateful pattern matching
    - the match is made in context, within the state of the (reassembled) stream, so a pattern split across packets is still found
  - protocol decodes
    - rules based on RFC verification of the decoded protocol
  - heuristic-based signatures
    - can detect some zero-day attacks, since they describe behaviour rather than exact bytes
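An added Python example (not Cisco's or Snort's code) for the stateless/stateful distinction drawn here and in the "Stateless or stateful techniques" slides: a pattern split across two TCP segments that arrive out of order defeats per-packet matching but is found after stream reassembly. The segment layout, the flows, the content string and the sample segments are assumptions.

```python
# Added example (not Cisco's or Snort's code) for the stateless-vs-stateful
# point: a byte pattern split across two TCP segments, delivered out of order,
# is invisible to per-packet matching but found once the stream is reassembled.
# Segment layout, flows, the signature and the sample segments are assumptions.
from dataclasses import dataclass


@dataclass
class Segment:
    flow: tuple     # (src, sport, dst, dport)
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


SIGNATURE = b"/etc/passwd"   # illustrative content match only


def stateless_match(segments, sig=SIGNATURE):
    """Per-packet matching: indices of segments whose own payload contains sig."""
    return [i for i, s in enumerate(segments) if sig in s.payload]


class StreamReassembler:
    """Collects payload per flow and rebuilds the contiguous byte stream."""

    def __init__(self):
        self.streams = {}   # flow -> {seq: payload}

    def add(self, seg):
        self.streams.setdefault(seg.flow, {})[seg.seq] = seg.payload

    def stream(self, flow):
        """Contiguous bytes from the lowest sequence number up to the first hole.
        Overlaps keep the bytes seen first; a real sensor must instead mimic the
        target host's reassembly policy, or it can be evaded."""
        chunks = self.streams.get(flow, {})
        if not chunks:
            return b""
        data = bytearray()
        expected = min(chunks)
        for seq in sorted(chunks):
            if seq > expected:
                break                                 # hole: later bytes not yet usable
            chunk = chunks[seq][expected - seq:]      # drop bytes already covered
            data += chunk
            expected += len(chunk)
        return bytes(data)


def stateful_match(segments, sig=SIGNATURE):
    """Stream matching: flows whose reassembled stream contains sig."""
    r = StreamReassembler()
    for s in segments:
        r.add(s)
    return [flow for flow in r.streams if sig in r.stream(flow)]


FLOW_A = ("198.51.100.7", 40211, "10.0.0.5", 80)
FLOW_B = ("198.51.100.8", 40212, "10.0.0.5", 80)

# Constructed traffic: flow A carries the pattern split at "/etc/pa|sswd" and
# the second segment arrives first; flow B carries it in a single segment.
SAMPLE_SEGMENTS = [
    Segment(FLOW_A, 1024, b"sswd HTTP/1.0\r\n"),
    Segment(FLOW_A, 1000, b"GET /cgi-bin/x?f=/etc/pa"),   # 24 bytes: seq 1000..1023
    Segment(FLOW_B, 5000, b"GET /etc/passwd HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print("stateless hits (segment indices):", stateless_match(SAMPLE_SEGMENTS))
    print("stateful hits (flows):", stateful_match(SAMPLE_SEGMENTS))
```

The reassembler keeps the bytes seen first on overlap and stops at a hole; a production sensor has to follow the target host's reassembly policy (and handle retransmissions, timeouts and memory limits), otherwise the same split and overlap tricks become insertion and evasion attacks against the IDS itself (Ptacek and Newsham, 1998).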

References: fundamentals on IDS

- Proctor, Practical Intrusion Detection, Prentice Hall, 2001
- Publications of the SANS Institute (http://www.sans.org)
  - Network Intrusion Detection
  - Intrusion Signatures and Analysis
- Allen et al., State of the Practice of Intrusion Detection Technologies, Technical Report, CMU/SEI, 2000
- RAID (Recent Advances in Intrusion Detection) symposia: http://www.raid-symposium.org

References: research and practice on IDS

- Research links
  - Wenke Lee: http://www.cc.gatech.edu/~wenke/ids-readings.html
  - http://citeseer.ist.psu.edu/Security/IntrusionDetection/
- Focus on the most recent computer threats
  - http://www.cert.org/
  - http://www.securityfocus.com
- Consultants
  - http://www.netforensics.com/
  - http://www.counterpane.com