INTRUSION
DETECTION
SYSTEMS
for Computer Networks
Giorgio Giacinto
DIEE - Dip. Ing. Elettrica ed Elettronica (Department of Electrical and Electronic Engineering)
Università degli Studi di Cagliari
Napoli, 21 February 2005
Giorgio Giacinto 2005 IDS 1
Outline
- What is security?
- Computer Security
- Intrusion Detection Systems - a taxonomy
- Intrusion Detection Techniques
- Open problems in the current state of IDS
- Recent research on intrusion detection
- IDS evaluation
- IDS products
What is security and how it works
What is security?
- Bruce Schneier's best-seller "Beyond Fear" (2003) defines what security is about: preventing the adverse consequences from the intentional and unwarranted actions of others
- Security requires the concept of an attacker who performs intentional and unwarranted actions
Security involves trade-offs
- There is no such thing as absolute security
- How much security you have depends on what you are willing to give up in order to get it
- The trade-off is, by its very nature, subjective
- The trade-off should be evaluated according to
  - Threats: potential ways in which an attacker can attack a system
  - Risks: a combination of the likelihood of the threat and the seriousness of a successful attack
- Problem: between different communities there is no agreed-upon way to define threats or evaluate risks
Evaluating security systems
- Security is a process, not a product. Security is a complex system.
- How can security systems be evaluated? A five-step process:
  1. What assets are you trying to protect?
  2. What are the risks to these assets?
  3. How well does the security solution mitigate those risks?
  4. What other risks does the security solution cause?
  5. What costs and trade-offs does the security solution impose?
Security revolves around trusted individuals
- By definition, you don't want to secure assets from everybody!
- Designing a security system requires the accurate
  - Identification
  - Authentication
  - Authorization
  of trusted individuals
- This task is highly complex, but critical to security
- Decisions involve trade-offs!
Security is a weakest-link problem
- All systems have a weakest link, and attackers are more likely to attack a system at its weak points
- Strategies for securing a system
  - Defense in depth: no single vulnerability can compromise security
  - Compartmentalisation: a single vulnerability cannot compromise security entirely
  - Choke points: reduce the number of potential vulnerabilities by allowing the defender to concentrate his defenses
Detection works where prevention fails
- Prevention is the hardest aspect of security to implement. To be practical as well as effective, almost all modern security systems combine prevention with detection and response
- Audits (retrospective detection) and prediction (prospective attempts at detection) don't produce real-time results, but are important in evaluating and thinking about ways to improve security systems
Security is a complex system
- Security is a complex system that interacts with
  - itself
  - the assets being protected
  - the surrounding environment
- These interactions may cause failures even in the absence of attackers. These failures should be carefully examined, as attackers are rarer than legitimate users.
Systems and how they fail
- Because security systems are designed to prevent attack, how the systems fail is critical
  - Active failures: the system fails by taking action when it shouldn't
  - Passive failures: the system fails to take action when it should
- Attackers are generally rarer than legitimate users... so how the system fails in the absence of attackers (active failures) is generally more important than how the system fails in the presence of attackers (passive failures)
Active failures
- The system signals a false alarm (false positive)
- The consequences can be merely irritating, but also horrific
- Detection systems frequently suffer from rarity-based failures
- Trade-off between a high rate of false alarms and a significant number of missed alarms
Base-Rate Fallacy
- Axelsson (ACM Trans. Information and System Security, 2000) pointed out that the false alarm rate is the limiting factor for the performance of an intrusion detection system
- He used Bayes' theorem to show the trade-offs involved in designing an intrusion detection system
Base-Rate Fallacy
- Let I and ¬I denote intrusive and non-intrusive behaviour respectively
- Let A and ¬A denote the presence or absence of an intrusion alarm
- Detection rate: P(A|I) (estimated by tests)
- False alarm rate: P(A|¬I) (estimated by tests)
- False negative rate: P(¬A|I) = 1 - P(A|I)
- True negative rate: P(¬A|¬I) = 1 - P(A|¬I)
Base-Rate Fallacy
- For intrusion detection to be effective, both
  - P(I|A) (an alarm really indicates an intrusion)
  - P(¬I|¬A) (no alarm signifies no intrusion)
  should be as large as possible
- From Bayes' theorem:
$$P(I|A) = \frac{P(I)\,P(A|I)}{P(I)\,P(A|I) + P(\neg I)\,P(A|\neg I)}$$
$$P(\neg I|\neg A) = \frac{P(\neg I)\,P(\neg A|\neg I)}{P(\neg I)\,P(\neg A|\neg I) + P(I)\,P(\neg A|I)}$$
Base-Rate Fallacy: an example
- Suppose we have
  - 10 audit records per intrusion
  - 2 intrusions per day
  - 1,000,000 audit records per day
- Then
$$P(I) = \frac{2 \cdot 10}{1 \cdot 10^{6}} = 2 \cdot 10^{-5}$$
$$P(\neg I) = 1 - P(I) = 0.99998$$
$$P(I|A) = \frac{2 \cdot 10^{-5}\,P(A|I)}{2 \cdot 10^{-5}\,P(A|I) + 0.99998\,P(A|\neg I)}$$
Base-Rate Fallacy: an example
- If P(A|I) = 1.0 (ideal!) and P(A|¬I) = 10^-5 (very low!), then P(I|A) = 0.66
- If P(A|I) = 0.7 (more reasonable) and P(A|¬I) = 10^-5, then P(I|A) = 0.58, that is, more than 40% of the alarms are not caused by intrusions!
- If the false alarm rate is not as low as supposed, the figures get even worse!
Base-Rate Fallacy: an example
- Analogously
$$P(\neg I|\neg A) = \frac{0.99998\,(1 - P(A|\neg I))}{0.99998\,(1 - P(A|\neg I)) + 2 \cdot 10^{-5}\,(1 - P(A|I))}$$
  which, with the same values, is practically 1: the silence of the detector is trustworthy
- That is, we set off the alarm too many times in response to non-intrusions, combined with the fact that... we do not have many intrusions!
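The slide's arithmetic, carried through in code as an added example (not from the original lecture). It reproduces the 0.66 and 0.58 figures, counts how many true and false alarms an analyst would see per day in that scenario, and inverts Bayes' theorem to find the false alarm rate P(A|¬I) that would be needed for a target fraction of alarms to be real. Function and parameter names are this example's own.

```python
# Base-rate fallacy worked through in code (added example). The numbers
# reproduce the slide's scenario: 10 audit records per intrusion,
# 2 intrusions per day, 1,000,000 audit records per day.

def prior_intrusion(records_per_intrusion, intrusions_per_day, records_per_day):
    """P(I): fraction of audit records that are intrusive."""
    return records_per_intrusion * intrusions_per_day / records_per_day


def p_intrusion_given_alarm(p_i, p_a_given_i, p_a_given_not_i):
    """P(I|A) by Bayes' theorem: the probability that an alarm is a real intrusion."""
    return (p_i * p_a_given_i) / (p_i * p_a_given_i + (1.0 - p_i) * p_a_given_not_i)


def p_normal_given_no_alarm(p_i, p_a_given_i, p_a_given_not_i):
    """P(not I | not A): the probability that silence really means no intrusion."""
    p_not_i = 1.0 - p_i
    p_no_alarm_normal = p_not_i * (1.0 - p_a_given_not_i)
    p_no_alarm_intrusion = p_i * (1.0 - p_a_given_i)
    return p_no_alarm_normal / (p_no_alarm_normal + p_no_alarm_intrusion)


def alarms_per_day(records_per_day, p_i, p_a_given_i, p_a_given_not_i):
    """Expected (true alarms, false alarms) the analyst sees per day."""
    true_alarms = records_per_day * p_i * p_a_given_i
    false_alarms = records_per_day * (1.0 - p_i) * p_a_given_not_i
    return true_alarms, false_alarms


def required_false_alarm_rate(p_i, p_a_given_i, target_precision):
    """Largest P(A|not I) for which P(I|A) reaches target_precision.
    Solving P(I|A) = t for P(A|not I) gives P(I) P(A|I) (1 - t) / (t P(not I))."""
    return p_i * p_a_given_i * (1.0 - target_precision) / (target_precision * (1.0 - p_i))


if __name__ == "__main__":
    p_i = prior_intrusion(10, 2, 1_000_000)        # 2e-5, as on the slide
    for detection_rate in (1.0, 0.7):
        precision = p_intrusion_given_alarm(p_i, detection_rate, 1e-5)
        print(f"P(A|I)={detection_rate}: P(I|A)={precision:.2f}")
    print("P(not I | not A):", p_normal_given_no_alarm(p_i, 0.7, 1e-5))
    print("alarms/day (true, false):", alarms_per_day(1_000_000, p_i, 0.7, 1e-5))
    print("P(A|not I) needed for 90% precision:", required_false_alarm_rate(p_i, 0.7, 0.9))
```

With P(A|I) = 0.7 the analyst sees about 14 true and 10 false alarms a day, and for nine alarms in ten to be real the false alarm rate would have to fall to roughly 1.6·10^-6 per audit record, an order of magnitude below the "very low" value the slide already treats as optimistic.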
Computer Security
Definitions and threats
Requirements for Computer and Network Security
Stallings, Network Security Essentials - Applications and Standards, Prentice Hall, 2000
- Availability: computer system assets must be available to authorised parties whenever needed
- Confidentiality: the information in a computer system must be accessible for reading only by authorised parties
- Integrity: computer system assets can be modified only by authorised parties
- Authenticity: a computer system must be able to verify the identity of a user
Types of threats
- The function of a computer system can be viewed as that of providing information
  - In general there is a flow of information from a source (a file, etc.) to a destination (a file, a user, etc.)
- Four categories of threats can be defined in terms of modification of the normal flow of information
1. Interruption
- An asset of the system is destroyed or becomes unusable
- Some examples:
  - Destruction of a piece of hardware
  - Cutting of a communication line
  - Disabling of the file system management
- This is an attack on availability, usually called a "Denial of Service" (DoS) attack
2. Interception
- An unauthorised party gains access to an asset
- Some examples:
  - Wiretapping to capture data in a network
  - Illicit copying of files and programs
  - Password spoofing
- This is an attack on confidentiality
3. Modification
- An unauthorised party not only gains access to but also tampers with an asset
- Some examples:
  - Changing values in a data file
  - Altering a program so that it performs differently
  - Modifying the content of messages being transmitted in a network
- This is an attack on integrity
4. Fabrication
- An unauthorised party inserts counterfeit objects into the system
- Some examples:
  - Insertion of spurious messages in a network
  - Addition of records to a file
- This is an attack on authenticity
Security threats and assets (Stallings)

Asset | Availability | Confidentiality | Integrity/Authenticity
Hardware | Equipment is stolen or disabled, thus denying service | - | -
Software | Programs are deleted, denying access to users | An unauthorised copy of software is made | A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task
Data | Files are deleted, denying access to users | An unauthorised read of data is performed. An analysis of statistical data reveals underlying data | Existing files are modified or new files are fabricated
Communication lines | Messages are destroyed or deleted. Communication lines or networks are rendered unavailable | Messages are read. The traffic pattern of messages is observed | Messages are modified, delayed, reordered, or duplicated. False messages are fabricated
Risks and vulnerabilities
Anderson, Computer Security Threat Monitoring and Surveillance, Tech Rep, 1980
- Risk: accidental and unpredictable exposure of information, or violation of operations integrity due to malfunction of hardware or incorrect software design
- Vulnerability: a known or suspected flaw in the hardware or software design or operation of a system that exposes the system to penetration or its information to accidental disclosure
Prevention
Different levels of protection can be used to prevent intrusions, according to the degree of sharing of the assets:
- No protection
- Isolation
- Share all or share nothing
- Share via access limitation
- Share via dynamic capabilities
- Limit use of an object
For each kind of computer asset there are different implementations of protection mechanisms
Prevention techniques
- Physical protection for hardware
- Passwords, access tokens, biometrics, etc. for authentication
- Access control lists for authorisation
- Cryptography for secrecy
- Backups and redundancy for availability
- Trusted operating systems for authenticity
- Firewalls for network protection
- ...and so on
"Absolute" security cannot be guaranteed!
Intruders and protection measures
Anderson, Computer Security Threat Monitoring and Surveillance, Tech Rep, 1980
(figure)
Intruders
Anderson, Computer Security Threat Monitoring and Surveillance, Tech Rep, 1980
- Masquerader: an individual who is not authorised to use the computer and who penetrates a system's access controls to exploit a legitimate user's account
- Misfeasor: a legitimate user who accesses data, programs, or resources for which such access is not authorised, or who is authorised for such access but misuses his or her privileges
- Clandestine user: an individual who seizes supervisory control of the system and uses the control to evade auditing and access controls or to suppress audit collection
Beyond protection: intrusion detection
- Computer security based only on protection was suited when
  - Internal users were trusted
  - There was limited interaction with other networks
  - The value of the network-available assets was limited
- Intrusion detection is now needed because
  - The level of trust of internal users is declining
  - Access is extended to large audiences
  - The number of network interactions is rapidly increasing
  - Network-available assets have taken on business-critical value
Intrusion Detection Systems
A taxonomy
Organisations and Standards
- Organisations
  - SANS Institute (System Administration, Networking and Security)
  - ICSA.net (International Computer Security Association)
  - IDSC (Intrusion Detection Systems Consortium)
  - SNAP (System and Network Assurance Program)
  - GIAC (Global Incident Analysis Center)
- Standards
  - CIDF (Common Intrusion Detection Framework)
  - IETF (Internet Engineering Task Force) IDWG (Intrusion Detection Working Group)
  - CVE (Common Vulnerabilities and Exposures)
Definitions
- Intrusion
  - Unauthorised access to, and/or activity in, an information system (IDSG, 1997)
  - Attacks originating outside the organisation (ICSA-IDSC, 1999)
- Intrusion Detection Systems (IDS)
  - The process of identifying that an intrusion has been attempted, is occurring, or has occurred (IDSG, 1997)
  - Systems that collect information from a variety of system and network sources, and then analyse the information for signs of intrusion and misuse (ICSA-IDSC, 1999)
Benefits of intrusion detection
- Deterrence
- Detection
- Response
- Damage assessment
- Attack anticipation
- Prosecution support
Assets
- Host-based IDS
  - Aimed at detecting attacks related to a specific host
  - Tailored to a particular architecture/operating system
  - Detection is based on processing high-level information (system calls, events, etc.)
- Network-based IDS
  - Aimed at detecting attacks towards hosts connected to a LAN
  - Detection is based on processing data at a lower level of granularity (packets)
- Common feature: analysis of discrete time-sequenced events
Host-based IDS
- Many host data sources
  - Operating system event logs (kernel, BSM security audit, etc.)
  - Application logs (syslog, relational databases, web servers, etc.)
- Effective in detecting insider misuse
- Expensive, as host-based IDSs are typically distributed agent-based architectures
Host intrusions
- Abuse-of-privilege attack scenarios
  - Contractors with elevated privileges
  - Ex-employee utilizes old account
  - Administrator creates back-door accounts
  - Inadvertent privileges granted
- Change in security configuration
  - Users disabling locking screen savers
  - Legal notice missing
  - Guest account enabled
  - Open registry
  - Nomadic users with compromised systems
Host intrusions
- Critical data access and modification
  - Student changes grades
  - Employee modifies performance evaluation
  - Falsification of results
- Unauthorised disclosure
  - Theft of personnel/medical records
  - Web site data is modified
  - Anonymous users browsing critical files
Network-based IDS
- Network sources are unique
- Network packets are usually sniffed off the network
- Sensors are deployed throughout a network
- Most network-based attacks are directed at vulnerabilities of the operating system or application software
Network-based intrusions
- Unauthorised access
  - Unauthorised login
  - Jump-off point for other attacks
- Data/resource theft
  - Password downloads
  - Bandwidth theft
- Denial of service
  - Malformed packets
  - Packet flooding
  - Distributed denial of service
Host- and network-based benefits
Proctor, Practical Intrusion Detection, 2001

Benefit | Host | Network
Deterrence | Strong deterrence for insiders | Weak deterrence for insiders
Detection | Strong insider detection; weak outsider detection | Strong outsider detection; weak insider detection
Response | Weak real-time response; good for long-term attacks | Strong response against outsider attacks
Damage assessment | Excellent for determining the extent of compromise | Very weak damage assessment capabilities
Attack anticipation | Good at trending and detecting suspicious behaviour patterns | None
Prosecution support | Strong prosecution support capabilities | Very weak, because there is no data source integrity
Host- and network-based benefits
Laing, Intrusion Detection Systems, 2000
- Network-based benefits
  - Cost of ownership
  - Packet analysis
  - Evidence removal
  - Malicious intent detection
  - Operating system independence
- Host-based benefits
  - Attack verification
  - System-specific activity
  - Encrypted and switched environments
  - Monitoring key components
  - No additional hardware
Host- or network-based?
- Today the emphasis is on network IDS
  - Attacks are performed through the Internet
  - Network IDSs allow for perimeter defence
  - Network IDSs not only detect attacks that exploit vulnerabilities in the communication protocol, but also vulnerabilities of operating systems and applications
  - Last but not least... network IDSs are appliances sold by those who also sell network appliances
- ...however, remember that an IDS should be thought of as a component of a security strategy!
Host- vs. network-based detection
Proctor, Practical Intrusion Detection, 2001
(figure)
Intrusion Detection Techniques
The pattern recognition basis of intrusion detection
Pattern Recognition
(figure) Pattern (data collection) -> Measurement -> Feature Extraction -> Classification/Detection -> Label
Patterns of intrusion
- Definition of the events that should be considered as "intrusions"
- Extraction of the most suitable set of features, those that best discriminate between normal and anomalous activities
- Detection problem formulation
  - Statistical approaches
  - Pattern matching
Feature extraction
- Which available measures are suited to distinguish intrusions from legitimate activities?
  - The definition of pattern, and the related generating process, guide the human expert in devising the most suitable measures
- Which features can be extracted from the measures so that intrusions can be easily separated from normal activities?
Measurements and features for IDS
- Examples of measurements
  - Logs of network connections
  - System-call audit trail
- Examples of features
  - Values of some fields of TCP/IP packets
  - Number of connections from a specified host in a predefined time window
  - Duration of a predefined number of connections from a specified host
  - Number of system calls in a predefined time window...
Feature extraction & classification
- In the statistical approach to pattern recognition, a pattern is thought of as a point in the feature space
- Classification is then formulated as the task of finding the optimal separating surface between normal activities and intrusions
  - Optimal in the sense of error minimisation
- The estimation of the separating surface requires a training set of examples
  - The more representative the training set, the more effective the detection
- An independent test set is used to estimate the performance on new patterns
Decision surfaces
(figure) A simple model vs. a complex model that "overfits" the training set: a trade-off between complexity of the classifier and classification accuracy
Bayesian decision theory
- Helps quantify the trade-offs between various classification decisions using
  - Probability
  - Costs that accompany such decisions
- It is assumed that the problem is posed in probabilistic terms
- Let us denote
  - ω_i the data classes (i = 1, ..., M)
  - x the feature vector associated with a pattern
Bayesian decision theory
- The classification problem is formulated in terms of estimating the posterior probability that pattern x belongs to one of the M data classes
- The posterior depends on
  - The prior P(ω_i), i.e. the probability that a randomly selected pattern belongs to class ω_i
  - The class-conditional probability density function p(x|ω_i), i.e., the distribution of patterns of class ω_i in the selected feature space
$$P(\omega_i|x) = \frac{p(x|\omega_i)\,P(\omega_i)}{p(x)} = \frac{p(x|\omega_i)\,P(\omega_i)}{\sum_{j=1}^{M} p(x|\omega_j)\,P(\omega_j)}$$
Bayesian decision theory
- Which decision leads to minimum error? Decide ω_k if P(ω_k|x) > P(ω_i|x) for all i = 1, ..., M, i ≠ k
- It is easy to see that, if we decide ω_j, P(error|x) = 1 - P(ω_j|x); thus the probability of error is minimised by deciding for the class with the highest posterior
Risk
- Let α_i, i = 1, ..., c, be a set of possible actions
- Let λ(α_i|ω_j) be the loss incurred for taking action α_i when the class is ω_j
- The expected (conditional) risk of taking action α_i is
$$R(\alpha_i|x) = \sum_{j=1}^{M} \lambda(\alpha_i|\omega_j)\,P(\omega_j|x)$$
- Risk is minimised by taking the action α_i for which R(α_i|x) is minimum
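The minimum-error and minimum-risk rules of the last three slides, applied to a one-feature intrusion problem. This is an added example, not code from the lecture: the feature (connections opened by a host in a one-minute window), the Gaussian class-conditional densities, the priors and the loss table are all constructed for illustration. The point it shows is that a heavy loss on missed intrusions moves the alarm threshold well below the point where P(intrusion|x) exceeds P(normal|x).

```python
import math

# Constructed single-feature problem: x = connections opened by a host in a
# one-minute window. The classes, their priors P(ω_i) and their
# class-conditional densities p(x|ω_i) (Gaussian; parameters assumed for
# this example) play the roles of the slides' symbols.
CLASSES = {
    "normal":    {"prior": 0.99, "mean": 20.0, "sd": 5.0},
    "intrusion": {"prior": 0.01, "mean": 60.0, "sd": 15.0},
}

# Loss table λ(α_i | ω_j): row = action taken, column = true class.
# A missed intrusion is assumed to cost 100 times a false alarm.
LOSS = {
    "alarm":    {"normal": 1.0, "intrusion": 0.0},
    "no_alarm": {"normal": 0.0, "intrusion": 100.0},
}


def gaussian_pdf(x, mean, sd):
    return math.exp(-0.5 * ((x - mean) / sd) ** 2) / (sd * math.sqrt(2.0 * math.pi))


def posteriors(x):
    """P(ω_i | x) = p(x|ω_i) P(ω_i) / Σ_j p(x|ω_j) P(ω_j)."""
    joint = {c: gaussian_pdf(x, p["mean"], p["sd"]) * p["prior"] for c, p in CLASSES.items()}
    evidence = sum(joint.values())
    return {c: v / evidence for c, v in joint.items()}


def decide_min_error(x):
    """Minimum-error rule: pick the class with the highest posterior."""
    post = posteriors(x)
    return max(post, key=post.get)


def conditional_risk(x, loss=LOSS):
    """R(α_i | x) = Σ_j λ(α_i | ω_j) P(ω_j | x) for each action."""
    post = posteriors(x)
    return {action: sum(cost * post[cls] for cls, cost in row.items())
            for action, row in loss.items()}


def decide_min_risk(x, loss=LOSS):
    """Minimum-risk rule: pick the action with the lowest conditional risk."""
    risk = conditional_risk(x, loss)
    return min(risk, key=risk.get)


if __name__ == "__main__":
    for x in (20, 33, 45):
        print(x, decide_min_error(x), decide_min_risk(x),
              f"P(intrusion|x)={posteriors(x)['intrusion']:.4f}")
```

At x = 33 the posterior of intrusion is only about 0.02, so the minimum-error rule says "normal", yet the minimum-risk rule raises the alarm because 100 × 0.02 exceeds the cost of one false alarm. With a symmetric loss table the two rules agree, which is the usual way to check an implementation.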
Statistical detection techniques
- Probabilistic classifiers
  - A pattern is assigned to the class that is most probable given the observed features, i.e., a point x of the feature space is assigned to the class that maximises P(C_j|x)
  - The training set is used to estimate the posterior probabilities (parametric and non-parametric techniques)
- Template matching
  - The observed pattern is compared to templates that represent each class, and is assigned according to the best match, according to a suitable distance function
Non-metric detection techniques
- When features are represented by nominal data, e.g., descriptions that are discrete and without any natural notion of similarity or ordering, patterns are represented by lists of attributes or variable-length strings
- The problem cannot be modelled by continuous probability distributions and metrics
- The problem can be addressed by rule-based or syntactic pattern recognition methods
  - Rules are usually referred to as "signatures"
  - Pattern matching or regular expression techniques
Stateless and stateful approaches
- Stateless approaches treat each event independently of the others
  - Simple system design
  - High processing speed
- Stateful approaches maintain information about past events; the effect of a certain event depends on its position in the event stream
  - Complex system design compared to stateless approaches
Intrusion detection techniques
- Probabilistic classifiers are used in anomaly-based IDS
  - They exhibit some generalisation capability, as they can, in principle, detect attacks not in the training set
- Rule-based approaches are used in misuse-based IDS
  - They are implemented by a set of deterministic rules, so that only perfect matches are detected, with no generalisation capability
Misuse- and anomaly-based IDS
- Misuse-based
  - Patterns of known misuse are stored in a set of rules
  - When a rule is matched, an alarm is raised
  - Very good at detecting copycat attacks
- Anomaly-based
  - Statistical description of "normal" computer activities
  - All activities deviating from the normal profile are labelled as anomalous
  - Can detect "zero-day" attacks
  - Tends to produce high rates of false alarms
A conceptual model
Proctor, Practical Intrusion Detection, 2001
- Approaches to intrusion detection can be described conceptually
- Let us represent a 2-dimensional feature space defined by a circle, representing all possible types of user behaviour and actions
A conceptual model
- We would like to define a feature space such that we can draw a line separating acceptable behaviour from unacceptable behaviour
- Unfortunately, it is quite difficult to define such a feature space...
Anomaly detection
- If we could define everything that was acceptable, then everything that wasn't acceptable would be misuse
  - Historical data are used to define what is acceptable
- Unfortunately, it is very difficult to represent all possible acceptable activities
  - When an acceptable action arises that has not been seen before, an alarm will be raised
  - Additionally, unacceptable actions may exist in the historical data, so that unacceptable actions are considered acceptable
Anomaly detection, conceptually
(figure) Ideally... vs. real-world behaviour models
Misuse detection
- Conversely, if we could define all unacceptable behaviour, then everything that matched that behaviour would result in an alarm
- A priori rule-based mechanisms
  - These predefined threat scenarios are very deterministic and significantly reduce the number of false positives
  - There can be numerous missed alarms
  - To reduce missed alarms, rules must be updated frequently with the most recently observed threats
  - Actual alarms are very robust because they are focused on misuse activities
Misuse detection, conceptually
(figure) Ideally... vs. real-world models (signatures)
Anomaly- or misuse-based IDS?
- The choice is governed by the trade-off between detection accuracy and false alarm rate:
$$P(I|A) = \frac{P(I)\,P(A|I)}{P(I)\,P(A|I) + P(\neg I)\,P(A|\neg I)}$$
$$P(\neg I|\neg A) = \frac{P(\neg I)\,P(\neg A|\neg I)}{P(\neg I)\,P(\neg A|\neg I) + P(I)\,P(\neg A|I)}$$
Attack sophistication and evolution of attacker skill
CERT/CC
(figure)
State-of-the-art IDSs are misuse-based
- A large number of attack tools are publicly available on the Internet (so-called "script kiddies")
- Many attacks are copycats
- Client and server applications are rapidly evolving, thus making it difficult to establish a model of legitimate behaviour
- Misuse-based techniques allow attaining a large P(A|I) and a small P(A|¬I)
State-of-the-art IDSs are misuse-based
- Very effective in detecting known attacks
  - Patterns of misuse are defined in terms of features that uniquely identify that kind of misuse
- Require teams of experts that produce attack signatures
  - As soon as a new attack is observed
  - Before a vulnerability is exploited
- Cannot detect new, unpredictable attacks
Stateless or stateful techniques
- Attacks are best described by a sequence of related events
  - Surveillance
  - Exploitation
  - Masquerading
- Stateful approaches may seem appropriate... but they are more difficult to design
- Individual events can be more easily codified into a set of rules
  - Buffer overflows
  - Malformed packets
  - Exploitation of vulnerabilities of server applications
Stateless or stateful techniques
- Stateless and stateful approaches can be implemented both by misuse- and anomaly-based IDS
- State-of-the-art misuse-based IDSs implement both techniques for different categories of attack
- Anomaly-based techniques can take into account the state model of attacks
  - By using suitable features computed on past events
  - By using stateful approaches such as HMMs
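A small misuse detector, added here as an example (not code from the lecture or from any product it names) to make concrete the two contrasts of the preceding slides: deterministic signatures match only what they spell out, and a stateless rule judges each event alone while a stateful rule needs per-source history. The event records, the two signatures and the port-scan rule's parameters are constructed for this example.

```python
import re
from collections import defaultdict, deque

# Constructed event records for this example (not data from the slides):
# (time in seconds, source IP, destination port, request payload).
EVENTS = [
    (0.0, "10.0.0.5", 80,  "GET /index.html HTTP/1.0"),
    (1.0, "10.0.0.7", 80,  "GET /../../etc/passwd HTTP/1.0"),
    (2.0, "10.0.0.7", 80,  "GET /../../etc/%70asswd HTTP/1.0"),  # same probe, URL-encoded
    (3.0, "10.0.0.9", 21,  ""),
    (3.2, "10.0.0.9", 22,  ""),
    (3.4, "10.0.0.9", 23,  ""),
    (3.6, "10.0.0.9", 25,  ""),
    (3.8, "10.0.0.9", 80,  ""),
    (4.0, "10.0.0.9", 110, ""),
    (5.0, "10.0.0.5", 443, "\x90" * 40 + "AAAA"),  # NOP sled followed by filler
]

# Stateless misuse rules: one regular expression per signature. Each event is
# judged on its own, so a rule is cheap but matches only what it spells out.
SIGNATURES = [
    ("passwd-file-request", re.compile(r"/etc/passwd")),
    ("nop-sled", re.compile(r"\x90{16,}")),
]


def stateless_alerts(events, signatures=SIGNATURES):
    alerts = []
    for t, src, _port, payload in events:
        for name, pattern in signatures:
            if pattern.search(payload):
                alerts.append((t, src, name))
    return alerts


def stateful_scan_alerts(events, window=5.0, min_ports=5):
    """Surveillance rule: the same source contacts min_ports distinct
    destination ports within `window` seconds. Each event alone is harmless;
    the detector must keep per-source history, so the rule is stateful."""
    history = defaultdict(deque)  # src -> (time, port) pairs, oldest first
    reported = set()
    alerts = []
    for t, src, port, _payload in events:
        recent = history[src]
        recent.append((t, port))
        while recent and t - recent[0][0] > window:
            recent.popleft()
        if src not in reported and len({p for _, p in recent}) >= min_ports:
            reported.add(src)
            alerts.append((t, src, "port-scan"))
    return alerts


def detect(events):
    """All alerts, ordered by time."""
    return sorted(stateless_alerts(events) + stateful_scan_alerts(events))


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The request at t = 2.0 is the same probe as the one at t = 1.0 with one character URL-encoded, and the literal signature misses it: this is the "only perfect matches are detected" limitation in miniature, and the reason real signature engines normalise (decode) the request before matching. The scan rule fires once, at the fifth distinct port, and stays quiet afterwards for that source.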
Which IDS solution?
- Choosing a solution requires computing trade-offs: the five-step evaluation process
- However, current IDSs are far from being mature products
  - Lack of evaluation protocols
  - Customisation is not trivial
  - Need for frequent updates
  - They produce a large number of low-level alerts and little insight about the actual attacker's goal
Open problems in the current state of IDS
Allen et al., "State of the Practice of Intrusion Detection Technologies", TR, CMU/SEI 2000
Sophistication of attack strategies
- Attackers continue to improve their ability to penetrate systems
- Attacks are usually carried out in seven phases:
  1. Reconnaissance
  2. Vulnerability identification
  3. Penetration
  4. Control
  5. Embedding
  6. Data extraction
  7. Attack relay
Sophistication of attack tools
- Tools to support attackers continue to improve, and are an increasing challenge to IDS
  - Scanning tools
  - Remote management tools
- Reasons
  - Much of the released software (especially operating systems) has not been adequately tested for security
  - The rapid increase in connectivity and data sharing leaves operating systems more open to exploitation
Issues that future IDSs should address
- The increasing frequency and changing nature of attacks
- Message encryption
- Attack strategies targeting ID systems
- Vulnerability to modem use
- Vulnerability to mobile code
Network issues
- Network size and complexity (scalability)
- Lack of inherent security in the operating environment
- Need for interoperability and standards
- Inherent limits of network-based IDS
  - A network-based IDS may not see all traffic
Human and organizational factors
- Need for greater human-computer interaction
  - Human skills are not adequately used to support diagnosis of intrusions and to determine resulting actions
- Identifying intruders through profiling
  - IDSs are unable to identify attackers and their goals
Functional issues
- Sensing an attack before damage occurs
- Automatic response to intrusion
- Post-intrusion activities: recovery and reprisal
- Performance
  - Traffic load
  - Intruders can starve the IDS
- Identifying unknown modes of attack
- Assessment of the accuracy of IDS signatures
- Characterising IDS performance
  - Real network traffic is not well behaved
Recent research on Intrusion Detection
"Zero-day" attack detection is the ultimate goal of researchers on IDS
Seminal work
- Denning, "An Intrusion-Detection Model", IEEE Trans. on Software Engineering, 1987
  - Host-based detection
  - Analysis of the system's audit records
  - Activity profiles characterise the behaviour of a subject with respect to a given object
  - Behaviours are characterised in terms of a statistical metric and model
    - Metric: a random variable x representing a quantitative measure accumulated over a period
    - Model: no assumption about the underlying distribution
Denning's Intrusion Detection Model
- A sample profile: measures the quantity of output to user Smith's terminal on a session basis
  Variable-Name: SessionOutput
  Action-Pattern: 'logout'
  Exception-Pattern: 0
  Resource-Usage-Pattern: 'SessionOutput =' Amount
  Period:
  Variable-Type: resourceByActivity
  Threshold: 4
  Subject-Pattern: 'Smith'
  Object-Pattern: *
  Value: record of
Denning's Intrusion Detection Model
- Whenever the intrusion-detection system receives an audit record that matches a variable's patterns
  - It updates the variable's distribution
  - It checks for abnormality (threshold value)
- This IDS has been named IDES (Intrusion Detection Expert System)
Some observations
- The events monitored are those logged by the operating system
- The choice of the "patterns" to be classified depends on past knowledge of misuse
- The extracted features depend on past knowledge of misuse
- The model and the threshold are chosen by experiment
NIDES and EMERALD
SRI International (www.sdl.sri.com)
- NIDES (Next-generation Intrusion Detection Expert System)
  - Evolution of IDES
  - Statistical anomaly detection
  - Rule-based misuse detection (P-BEST)
- EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances)
  - Evolution of NIDES
  - Statistical anomaly detection
  - Rule-based misuse detection (P-BEST)
EMERALD monitor architecture
(figure)
STAT approaches
University of California at Santa Barbara (www.cs.ucsb.edu/~rsg/STAT/)
- State-transition analysis applied to host- and network-based intrusion detection
- Components
  - A preprocessor
  - A knowledge base (which includes a fact base and a rule base)
  - The state-transition model of attacks
    - Attacks can be recognised before the system reaches the compromised state
  - An inference engine
  - A decision engine
Bro
Lawrence Berkeley National Laboratory (www.bro-ids.org)
- Bro is a network-based IDS based on attack signatures
- The goals of Bro are
  - High-load monitoring
  - Real-time notification
  - Decoupling mechanism from policy
  - System extensibility
  - Ability to ward off attacks
Neural Networks for Intrusion
Detection
! A number of papers in the ‘90s have addressed the use
of neural networks for intrusion detection
! Goal: to design an anomaly/misuse detector based on normal
activities as well as on malicious activities
! Attained results
" Neural networks use their internal representation to learn the
distribution of data, thus avoiding the explicit formulation of models
" Neural networks can generalise from the knowledge of known
attacks, thus allowing the recognition of variations of known
attacks
! Shortcomings
" Limited scope of the performed experiments
" Long training time
" Neural networks provide no insight into the learned logic
Neural Networks
[Figure: a feed-forward neural network with an input layer, a hidden layer and an output layer; one neuron is highlighted]
! The weights of the connections, w_ij, and the biases b_i are optimised
according to the backpropagation algorithm
! Given a labelled training set, weights and biases are iteratively adjusted
in order to minimise the overall classification error
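As an added example (not code from the slides), a minimal two-layer network trained with backpropagation in plain Python: the weights w_ij and biases b_i are adjusted by gradient descent on the squared classification error, as the slide describes. The three-feature connection records, their labels and the network size are constructed for the illustration.

```python
"""A two-layer feed-forward network trained with backpropagation (added example).

Plain Python, no numpy.  The toy "connection records" and labels are
constructed: three numeric features per connection, label 1 = attack,
label 0 = normal.
"""
import math
import random


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class MLP:
    def __init__(self, n_in, n_hidden, n_out, seed=1):
        rng = random.Random(seed)
        # w1[i][j]: weight from input j to hidden neuron i; b1[i]: its bias
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        # w2[k][i]: weight from hidden neuron i to output neuron k; b2[k]: its bias
        self.w2 = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden)] for _ in range(n_out)]
        self.b2 = [0.0] * n_out

    def forward(self, x):
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(self.w1, self.b1)]
        o = [sigmoid(sum(w * hi for w, hi in zip(row, h)) + b) for row, b in zip(self.w2, self.b2)]
        return h, o

    def predict(self, x):
        return self.forward(x)[1]

    def train_step(self, x, target, lr):
        """One backpropagation update on a single (x, target) pair; returns the squared error."""
        h, o = self.forward(x)
        # output-layer deltas: d(error)/d(net input) for sigmoid units and squared error
        d_out = [(o_k - t_k) * o_k * (1 - o_k) for o_k, t_k in zip(o, target)]
        # hidden-layer deltas: propagate the output deltas back through w2 (before it is updated)
        d_hid = [h_i * (1 - h_i) * sum(d_out[k] * self.w2[k][i] for k in range(len(o)))
                 for i, h_i in enumerate(h)]
        # gradient-descent step on the output layer
        for k in range(len(o)):
            for i in range(len(h)):
                self.w2[k][i] -= lr * d_out[k] * h[i]
            self.b2[k] -= lr * d_out[k]
        # gradient-descent step on the hidden layer
        for i in range(len(h)):
            for j in range(len(x)):
                self.w1[i][j] -= lr * d_hid[i] * x[j]
            self.b1[i] -= lr * d_hid[i]
        return sum((o_k - t_k) ** 2 for o_k, t_k in zip(o, target))


def mean_error(net, data):
    return sum(sum((o - t) ** 2 for o, t in zip(net.predict(x), y)) for x, y in data) / len(data)


def train(net, data, epochs=3000, lr=0.5):
    for _ in range(epochs):
        for x, y in data:
            net.train_step(x, y, lr)
    return mean_error(net, data)


# Constructed training set: features scaled to [0, 1] (failed logins, bytes, rate) and label.
# "Attack" = many failed logins, or a heavy and fast transfer; long slow transfers are normal.
TRAIN = [
    ([0.1, 0.2, 0.0], [0.0]), ([0.2, 0.1, 0.0], [0.0]), ([0.3, 0.3, 0.1], [0.0]),
    ([0.9, 0.1, 0.0], [1.0]), ([0.8, 0.2, 0.1], [1.0]),
    ([0.1, 0.9, 0.9], [1.0]), ([0.2, 0.8, 0.9], [1.0]),
    ([0.1, 0.8, 0.1], [0.0]), ([0.2, 0.9, 0.2], [0.0]),
]


def demo():
    """Train on the constructed set; return (error before, error after, trained network)."""
    net = MLP(3, 4, 1)
    before = mean_error(net, TRAIN)
    after = train(net, TRAIN)
    return before, after, net


if __name__ == "__main__":
    before, after, net = demo()
    print(f"mean squared error: before={before:.3f} after={after:.4f}")
```

Even on this toy set the shortcoming the slide lists is visible: after training, the learned logic lives in two weight matrices and says nothing directly about which feature combinations count as an attack.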
Current research on anomaly
detection
! The difficulties in modelling normal network
data, and the difficulties of extracting real-world
normal traffic, are driving the research into
unsupervised methods
! The traffic is collected as is
! Under the hypothesis that attacks are rare, all the
collected traffic is modelled. Outliers are likely to be
anomalous activities
! Problem: which is the most suitable feature space
where traffic has to be represented?
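An added example of the unsupervised approach (illustrative code, not from the slides): all collected connection records are scored by how isolated each one is from its nearest neighbours, with no labels involved, and the same records are ranked in two different feature spaces to show why the choice of representation is the open problem. The records, the two feature spaces and the neighbour count are constructed for this example.

```python
"""Unsupervised outlier scoring of raw connection records (added example).

No labels are used.  Every record is scored by its mean distance to the k
nearest other records in a chosen feature space, after per-feature
standardisation; under the hypothesis that attacks are rare, the highest
scores point at anomalous activity.  The records and the two feature spaces
are constructed to show that the ranking depends on the representation.
"""
import math

# Constructed connection records: duration (s), bytes sent, bytes received,
# and number of connections from the same source in the previous 2 seconds.
RECORDS = [
    {"id": 0, "dur": 1.2, "sent": 300, "recv": 4100, "same_src": 1},
    {"id": 1, "dur": 0.9, "sent": 250, "recv": 3900, "same_src": 2},
    {"id": 2, "dur": 1.5, "sent": 420, "recv": 5200, "same_src": 1},
    {"id": 3, "dur": 0.7, "sent": 210, "recv": 2800, "same_src": 3},
    {"id": 4, "dur": 1.1, "sent": 350, "recv": 4600, "same_src": 2},
    {"id": 5, "dur": 1.8, "sent": 480, "recv": 6100, "same_src": 1},
    {"id": 6, "dur": 1.0, "sent": 290, "recv": 3700, "same_src": 2},
    {"id": 7, "dur": 1.3, "sent": 330, "recv": 4300, "same_src": 1},
    # many short, normal-looking requests from one source within 2 s
    {"id": 8, "dur": 0.8, "sent": 320, "recv": 4200, "same_src": 80},
    # one very large transfer over a single connection
    {"id": 9, "dur": 1.5, "sent": 450, "recv": 6_000_000, "same_src": 1},
]


def standardise(records, features, transform=lambda v: v):
    """Map records to z-scored vectors over the given features."""
    cols = [[transform(r[f]) for r in records] for f in features]
    stats = []
    for col in cols:
        mean = sum(col) / len(col)
        sd = math.sqrt(sum((v - mean) ** 2 for v in col) / len(col)) or 1.0
        stats.append((mean, sd))
    return [[(cols[j][i] - stats[j][0]) / stats[j][1] for j in range(len(features))]
            for i in range(len(records))]


def knn_scores(points, k=2):
    """Mean distance to the k nearest other points; larger means more isolated."""
    scores = []
    for i, p in enumerate(points):
        dists = sorted(math.dist(p, q) for j, q in enumerate(points) if j != i)
        scores.append(sum(dists[:k]) / k)
    return scores


def rank_outliers(records, features, transform=lambda v: v, k=2):
    """Return [(record id, score), ...] sorted from most to least anomalous."""
    scores = knn_scores(standardise(records, features, transform), k)
    order = sorted(range(len(records)), key=lambda i: -scores[i])
    return [(records[i]["id"], round(scores[i], 3)) for i in order]


def log10p(v):
    return math.log10(v + 1)


if __name__ == "__main__":
    print("bytes space    :", rank_outliers(RECORDS, ("sent", "recv"), transform=log10p)[:3])
    print("rate/time space:", rank_outliers(RECORDS, ("same_src", "dur"))[:3])
```

In the byte-volume space the large transfer is the top outlier and the burst of requests from one source looks perfectly ordinary; in the (same-source count, duration) space it is the other way round. Neither space is wrong; each reveals a different kind of anomaly.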
Current research on anomaly
detection
! A number of computer activities follow a protocol
! System calls
! TCP connections
! State-transition models are proposed to model this kind
of activities
! Finite-state automata
! Petri nets
! Hidden Markov Models
! Please note, however, that not all behaviours
deviating from the model are necessarily
intrusions!
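The finite-state idea applied to system-call sequences, as an added example (illustrative code, not from the slides or from any of the cited systems): normal traces are compiled into a transition table whose state is the last two calls, and a new trace is scored by the fraction of its transitions the table has never seen. The traces, the window length and the threshold are constructed; the last trace is a legitimate sequence that still deviates from the model, which is the caveat the slide ends on.

```python
"""A state-transition model of normal system-call sequences (added example).

Normal traces are compiled into a transition table: the state is the last
`window` calls, and a transition is the call that followed.  A new trace is
scored by the fraction of its transitions that the table has never seen.  The
traces, window length and threshold are constructed for this example.
"""
from collections import defaultdict

START, END = "<s>", "</s>"

# Constructed traces of a small file-handling program under normal use.
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["stat", "open", "read", "close"],
    ["open", "mmap", "read", "close"],
    ["stat", "open", "read", "write", "close"],
]


def _padded(trace, window):
    return [START] * window + list(trace) + [END]


def build_model(traces, window=2):
    """Map each observed state (tuple of `window` calls) to the set of calls seen next."""
    model = defaultdict(set)
    for t in traces:
        seq = _padded(t, window)
        for i in range(window, len(seq)):
            model[tuple(seq[i - window:i])].add(seq[i])
    return model


def score_trace(model, trace, window=2):
    """Return (list of unseen transitions, total number of transitions) for one trace."""
    seq = _padded(trace, window)
    unseen, total = [], 0
    for i in range(window, len(seq)):
        state, nxt = tuple(seq[i - window:i]), seq[i]
        total += 1
        if nxt not in model.get(state, ()):   # .get() does not add states to the table
            unseen.append((state, nxt))
    return unseen, total


def classify(model, trace, window=2, max_unseen_rate=0.2):
    """Label a trace 'anomalous' when too many of its transitions are unseen."""
    unseen, total = score_trace(model, trace, window)
    rate = len(unseen) / total
    return ("anomalous" if rate > max_unseen_rate else "normal"), round(rate, 2)


if __name__ == "__main__":
    model = build_model(NORMAL_TRACES)
    for trace in (
        ["open", "read", "read", "close"],                    # seen in training
        ["open", "read", "execve", "socket", "connect"],      # constructed trace unlike any normal one
        ["open", "read", "read", "read", "write", "close"],   # legitimate, but never seen
    ):
        print(trace, classify(model, trace))
```

The third trace (three consecutive reads) is perfectly legitimate yet produces one unseen transition; with a stricter threshold it would be reported as an intrusion. The threshold therefore trades missed variants of known behaviour against false alarms on rare-but-normal behaviour, and the model alone cannot tell the two apart.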
PRIDE: Pattern Recognition
for Intrusion DEtection
Snort
PRIDE: Pattern Recognition
for Intrusion DEtection
[Figure: PRIDE architecture. TCP connection records enter a service selector that routes them to per-service modules (web services, ftp services, private & other, misc, ICMP and further service groups); each module extracts features of type 1 to type n, feeds one classifier per feature type, and combines the classifier outputs by decision fusion]
Modelling Internet Traffic
Floyd and Paxson, “Difficulties in Simulating the Internet”, IEEE Trans. on Networking, 2000
! Simulating the Internet is an immensely
challenging undertaking because of the
network’s great heterogeneity and rapid change
! The paper proposes the search for invariants
and the judicious exploration of the simulation
parameter space.
Heterogeneity of network
traffic
! Topology and link properties
! Protocol differences
! Traffic generation
Sources of network’s change
! Pricing structure of network connections
! Router scheduling
! Wireless access
! Impoverished devices (handhelds, etc.)
! Native multicast
! Differentiated services
! Ubiquitous web-caching
! A new “killer app”
Invariants in Internet traffic
! Diurnal patterns of activity
! For more than 30 years it has been recognised that network activity follows daily
patterns tied to human activity
! Self-similarity
! Longer-term (hundreds of ms to tens of s) correlations in the packet arrivals
seen in aggregated Internet traffic are well described in terms of "self-similar"
(fractal) processes
! Poisson session arrivals
! A user session arrival corresponds to the time when a human decides to use
the network for a specific task. Examples are remote logins, the initiation of a
file transfer (FTP) dialog, and the beginning of Web-surfing sessions
Invariants in Internet traffic
! Log-normal connection sizes
! The distribution of the logarithm of the sizes or durations of connections is well
approximated by a Gaussian distribution.
! Heavy-tailed distributions
! Heavy tail means a Pareto distribution with shape parameter α < 2. These tails
are surprising because for α < 2 the Pareto distribution has infinite variance.
The evidence for heavy tails is widespread, including CPU time consumed by
Unix processes; sizes of Unix files, compressed video frames, and World Wide
Web items; and bursts of Ethernet and FTP activity.
! Invariant distribution for Telnet packet-generation
! Invariant characteristics of the global topology
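The infinite-variance remark can be checked directly from the Pareto density; this short derivation is added here and is not part of the slides. For a Pareto variable with minimum value $x_m > 0$ and shape parameter $\alpha > 0$ the density is

$$
f(x) = \frac{\alpha\, x_m^{\alpha}}{x^{\alpha+1}}, \qquad x \ge x_m ,
$$

so the second moment is

$$
E[X^2] = \int_{x_m}^{\infty} x^2 f(x)\,dx = \alpha\, x_m^{\alpha} \int_{x_m}^{\infty} x^{1-\alpha}\,dx ,
$$

which converges only when $1-\alpha < -1$, i.e. $\alpha > 2$. For $\alpha < 2$ (and at $\alpha = 2$ as well) the integral diverges, so the second moment and hence the variance are infinite. For $1 < \alpha < 2$ the mean $E[X] = \alpha x_m/(\alpha-1)$ is still finite: the quantity has a well-defined typical value but no finite spread around it, which is why sample variances of such traffic measures never settle as more data is collected.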
Alarm Correlation
! For a given attack, IDS produce a huge volume
of low level alarms
! A given alarm may have been caused by
different attacks
! If sequences of alarms are analysed, they can
be fused to provide higher-level alarms
! Spurious alarms can be filtered out
! The use of different IDS may improve the
results of alarm fusion as, for a given attack,
different IDS may provide different alarms
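An added example of the fusion step (illustrative code, not from the slides or the cited toolkits): elementary alarms from several sensors that share attack class, source and destination and arrive within a time window are merged into one higher-level alert, and alerts that are neither repeated nor confirmed by a second sensor are dropped as spurious. The sensor names, alarm format, alarm stream and thresholds are constructed for this example.

```python
"""Fusion of elementary IDS alarms into meta-alerts (added example).

Alarms that share attack class, source and destination and arrive within a
time window of each other are merged into one meta-alert.  A meta-alert is
then kept only when it is supported by several elementary alarms or
confirmed by more than one sensor; the rest is dropped as spurious.  Sensor
names, alarm format and thresholds are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Alarm:
    ts: float            # seconds
    sensor: str
    attack_class: str
    src: str
    dst: str


@dataclass
class MetaAlert:
    attack_class: str
    src: str
    dst: str
    first: float
    last: float
    count: int = 0
    sensors: set = field(default_factory=set)


def aggregate(alarms, window=60.0):
    """Merge alarms with the same (class, src, dst) when the gap to the previous one is <= window."""
    open_alerts = {}
    result = []
    for a in sorted(alarms, key=lambda x: x.ts):
        key = (a.attack_class, a.src, a.dst)
        m = open_alerts.get(key)
        if m is None or a.ts - m.last > window:
            m = MetaAlert(a.attack_class, a.src, a.dst, first=a.ts, last=a.ts)
            open_alerts[key] = m
            result.append(m)
        m.last = a.ts
        m.count += 1
        m.sensors.add(a.sensor)
    return result


def filter_spurious(meta_alerts, min_support=3, min_sensors=2):
    """Keep meta-alerts backed by >= min_support alarms or reported by >= min_sensors sensors."""
    return [m for m in meta_alerts
            if m.count >= min_support or len(m.sensors) >= min_sensors]


# Constructed alarms from two network sensors and one host sensor.
ALARMS = [
    *[Alarm(t, "nids-A", "probe", "10.0.0.5", "10.0.0.80") for t in (0, 10, 20, 30, 40)],
    Alarm(45, "nids-A", "r2l", "10.0.0.5", "10.0.0.80"),
    Alarm(47, "hids-80", "r2l", "10.0.0.5", "10.0.0.80"),    # same event seen by the host sensor
    Alarm(100, "nids-B", "dos", "192.168.1.9", "10.0.0.25"),  # single, unconfirmed alarm
    Alarm(500, "nids-A", "probe", "10.0.0.5", "10.0.0.80"),   # outside the window: new meta-alert
]

if __name__ == "__main__":
    for m in filter_spurious(aggregate(ALARMS)):
        print(m)
```

Four meta-alerts come out of the nine elementary alarms; two survive the filter: the probe confirmed by repetition and the remote-to-local attempt confirmed by a second, host-based sensor. Keeping both `count` and `sensors` on the meta-alert is what lets the filter express "different IDS provide different alarms for the same attack".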
Aggregation and Correlation
of Intrusion-Detection Alerts
Debar and Wespi, Aggregation and Correlation of Intrusion-Detection Alerts, RAID 2001
A Toolkit for Intrusion Alert
Analysis
Peng, Cui, Reeves, and Xu,
“Techniques and Tools for Analyzing
Intrusion Alerts”,
ACM TISSEC 7(2), 2004
A hyper-alert correlation
graph
Peng, Cui, Reeves, and Xu,
“Techniques and Tools for Analyzing
Intrusion Alerts”,
ACM TISSEC 7(2), 2004
Alarm Correlation @DIEE
[Figure: alarm correlation architecture at DIEE. Elementary alarms from Sensor 1 to Sensor N enter an Alert Management Interface (AMI) that pre-processes them; a Classification Module turns the pre-processed alarms into labeled alarms; a Clustering/Fusion Module groups the labeled alarms into clustered alarms and emits one meta-alert per attack class, from attack class 1 to attack class M]
Information fusion
! IDS detect elementary actions of attackers
! The attack itself is made up of a sequence of
actions
! The elementary alerts produced by IDS must be
fused with information from other sources in
order to attain an evaluation of the risk
associated with the attack
! Audit log of server OS
! Firewall logs
! Environment
Information fusion for
intrusion detection
Tim Bass.
“Intrusion Detection Systems and
Multisensor Data Fusion”,
Communications of the ACM, 2000
Information fusion for
intrusion detection
! Decision support systems can be used to help
the administrator recognise scenarios,
especially scenarios used in the past…
! Rule-based
! Probabilistic models
…but the detection of new, unpredicted attack
scenarios depends on the intuition, expertise,
and creativeness of humans!
IDS Evaluation
The 1998/1999
DARPA/Lincoln Lab Program
http://www.ll.mit.edu/IST/ideval
The goal
! The 1998/1999 DARPA/MIT IDS evaluation programs are
the most comprehensive evaluations performed to date;
they produced a corpus of data for the development,
improvement and evaluation of IDS.
! A network and scripted actors were used to loosely
model the network traffic measured between a US Air
Force base and the internet.
! 1998 data includes normal network traffic for many
different Unix services and protocols
! 1999 data addresses networks populated with a mix of
Unix and Windows/NT machines.
The three components
Testbed network used in the
1998 evaluation
Testbed network used in the
1999 evaluation
Changes included in the 1999
evaluation
! Network
! 1998 baseline: UNIX
! Added in 1999: Windows/NT
! Background traffic
! 1998 baseline: UNIX background traffic
! Added in 1999: NT background traffic; two weeks of no-attack training data; false alarm analysis for the top system on actual AF traffic
! Attacks
! 1998 baseline: outside attacks; 38 attack types; stealthy against simple keyword systems; novel UNIX attacks
! Added in 1999: inside attacks; data attacks; >50 attack types; novel NT and UNIX attacks; stealthy against 1998 ID systems
! Metrics
! 1998 baseline: detection + false alarm ROCs
! Added in 1999: identification; error analysis
Main operational features
Adversary model
! Two types of adversaries in the 1999 evaluation
! A relatively unsophisticated amateur hacker
! The ultimate goal is to test his or her skill using attack
programs and scripts found on the Internet
! A more sophisticated, professional, or nation-state
attacker
! The ultimate goal is to gain access to some particular
piece of information or deny service during a precise
period of time
! The attacker hides his/her actions by creating variations
of known attacks or creating new attacks from scratch
Attack classes
! Denial of Service (DoS)
! Probe
! Remote-to-Local (R2L)
! A remote user gains access as a local user
! User-to-Root (U2R)
! Data
! Attacks have the goal of gaining access to some
piece of information to which the attacker is not allowed
access
Data Set Content
Week    Description                       Start               End
Week 1  Training data, without attacks    1.03.1999 8 a.m.    6.03.1999 6 p.m.
Week 2  Training data, with attacks       8.03.1999 8 a.m.    13.03.1999 6 p.m.
Week 3  Training data, without attacks    15.03.1999 8 a.m.   20.03.1999 6 p.m.
Week 4  Testing data                      29.03.1999 8 a.m.   3.04.1999 6 p.m.
Week 5  Testing data                      5.04.1999 8 a.m.    10.04.1999 6 p.m.
Feature extraction
! MADAM ID (Mining Audit Data for Automated
Models for Intrusion Detection)
! Lee and Stolfo, “A Framework for Constructing Features and Models for Intrusion
Detection Systems”, ACM Trans on Information and System Security, 2000
! Labelled audit data (network- and host-based)
are analysed in order to extract the most
suitable features for classification
! Expert knowledge is used to guide the extraction
process
! Classification, association rules, and frequent
episodes are used to compute features
Extracted features (1998
DARPA evaluation)
! Intrinsic
! Duration of service, source, destination, etc.
! Traffic
! Statistics on past connections that have the same
destination host as the current connection
! Statistics on past connections that have the same
service as the current connection
! Content
! Failed login attempts, root-shell, su, etc.
The data set is part of the KDD-UCI archive
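The "traffic" features of the two preceding slides computed over a time window, as an added example (illustrative code, not MADAM ID and not the KDD feature extractor): for each connection it counts the connections of the last few seconds to the same destination host and with the same service, and the fraction of them that ended with a SYN error. The connection records, the window length and the feature names are constructed for this example.

```python
"""Time-window traffic features in the style of MADAM ID (added example).

For each connection, the features summarise the connections seen in the
previous `window` seconds that share its destination host or its service,
including the fraction that ended with a SYN error (flag "S0").  The
connection records are constructed; the feature names are chosen for this
example and are not those of the 1998 data set.
"""
from collections import deque


def _rate(conns, predicate):
    return round(sum(1 for c in conns if predicate(c)) / len(conns), 2) if conns else 0.0


def extract_traffic_features(connections, window=2.0):
    """Return one feature dict per connection, in time order."""
    history = deque()          # connections inside the window, oldest first
    features = []
    for c in sorted(connections, key=lambda x: x["ts"]):
        while history and c["ts"] - history[0]["ts"] > window:
            history.popleft()
        same_host = [h for h in history if h["dst"] == c["dst"]]
        same_srv = [h for h in history if h["service"] == c["service"]]
        features.append({
            "ts": c["ts"],
            "service": c["service"],
            # "same destination host" statistics
            "dst_host_count": len(same_host),
            "dst_host_serror_rate": _rate(same_host, lambda h: h["flag"] == "S0"),
            "dst_host_same_srv_rate": _rate(same_host, lambda h: h["service"] == c["service"]),
            # "same service" statistics
            "srv_count": len(same_srv),
            "srv_serror_rate": _rate(same_srv, lambda h: h["flag"] == "S0"),
        })
        history.append(c)
    return features


# Constructed connection records: two normal web requests, then a burst of
# half-open connections to different ports on the same host, then a later request.
CONNECTIONS = [
    {"ts": 0.0, "src": "10.1.1.4", "dst": "10.0.0.80", "service": "http", "flag": "SF"},
    {"ts": 0.5, "src": "10.1.1.4", "dst": "10.0.0.80", "service": "http", "flag": "SF"},
    {"ts": 1.0, "src": "10.9.9.9", "dst": "10.0.0.80", "service": "ssh", "flag": "S0"},
    {"ts": 1.1, "src": "10.9.9.9", "dst": "10.0.0.80", "service": "telnet", "flag": "S0"},
    {"ts": 1.2, "src": "10.9.9.9", "dst": "10.0.0.80", "service": "smtp", "flag": "S0"},
    {"ts": 1.3, "src": "10.9.9.9", "dst": "10.0.0.80", "service": "http", "flag": "S0"},
    {"ts": 5.0, "src": "10.1.1.7", "dst": "10.0.0.80", "service": "http", "flag": "SF"},
]

if __name__ == "__main__":
    for f in extract_traffic_features(CONNECTIONS):
        print(f)
```

Per connection, the intrinsic fields (host, service, flag) say little; the window statistics are what separate the last connection of the burst (five recent connections to the host, 60% of them half-open, only 40% to the same service) from the request that arrives a few seconds later, whose counters have all dropped back to zero.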
Critique of the 1998/1999
DARPA/Lincoln Lab IDS eval
J. McHugh, ACM Trans on Information and System Security, 2000
! He clearly pointed out that
! This is the most comprehensive evaluation of
research on IDS, thus providing a basis for
making a comparison of IDS
! At the same time, this dataset is flawed
! Statistics used to generate background traffic are not
stated, and may not reflect real-world traffic
! There is no agreement on what kind of network traffic has
to be considered as “normal”
Bellovin, “Packets found on an Internet”, 1993
Floyd and Paxson, “Difficulties in simulating the Internet”, 2001
Critique of the 1998/1999
DARPA/Lincoln Lab IDS eval
J. McHugh, ACM Trans on Information and System Security, 2000
! Other flaws
! Data rates not discussed or specified
! The distribution of attacks in the background noise
does not seem to be realistic
! The distribution of attacked systems is biased
! The architecture of the network itself is not realistic
! The distribution of data in the training and testing
data set does not follow any assumption about the
amount of data needed by an anomaly detector
! The taxonomy of attacks is questionable
IDS products
A short list of products
Snort
www.snort.org
! Snort is a freeware, lightweight system
developed by Marty Roesch
! It is becoming the tool of choice for intrusion detection
! It is a network-based, signature-based IDS
! Signatures are contributed by the developer
community
Example
alert tcp 10.179.0.0/17 any -> 192.0.0.0/16 666 (msg:"It is an omen!!!";)
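To make the structure of the rule above concrete, an added example (illustrative code, not Snort's own parser) that reads exactly the elements it uses, namely action, protocol, source network and port, direction operator, destination network and port, and the msg option, and evaluates it against constructed packet 5-tuples. The rest of the Snort rule language (port lists, variables, payload options) is not modelled.

```python
"""Parsing and evaluating a Snort-style rule header (added example).

This covers only the rule elements in the slide's example: the action,
protocol, source network and port, direction operator, destination network
and port, and the `msg` option.  The packets are constructed 5-tuples.
"""
import ipaddress
import re

RULE = 'alert tcp 10.179.0.0/17 any -> 192.0.0.0/16 666 (msg:"It is an omen!!!";)'

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def _network(spec):
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _port(spec):
    return None if spec == "any" else int(spec)   # a single port; lists/ranges not modelled


def _options(text):
    """Parse 'key:value;key:value;' into a dict, stripping quotes around values."""
    opts = {}
    for part in text.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts


def parse_rule(text):
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    return {
        "action": m["action"],
        "proto": m["proto"].lower(),
        "src": _network(m["src"]), "sport": _port(m["sport"]),
        "dir": m["dir"],
        "dst": _network(m["dst"]), "dport": _port(m["dport"]),
        "options": _options(m["opts"]),
    }


def _endpoint_ok(net, port, addr, pkt_port):
    return (net is None or ipaddress.ip_address(addr) in net) and (port is None or port == pkt_port)


def evaluate(rule, pkt):
    """Return the rule's msg when the packet matches, else None."""
    if pkt["proto"].lower() != rule["proto"]:
        return None
    forward = (_endpoint_ok(rule["src"], rule["sport"], pkt["src"], pkt["sport"])
               and _endpoint_ok(rule["dst"], rule["dport"], pkt["dst"], pkt["dport"]))
    # '<>' makes the rule bidirectional: also try the packet with its endpoints swapped
    reverse = rule["dir"] == "<>" and (
        _endpoint_ok(rule["src"], rule["sport"], pkt["dst"], pkt["dport"])
        and _endpoint_ok(rule["dst"], rule["dport"], pkt["src"], pkt["sport"]))
    return rule["options"].get("msg") if (forward or reverse) else None


# Constructed packets (5-tuples).
PACKETS = [
    {"proto": "tcp", "src": "10.179.55.2",  "sport": 40000, "dst": "192.0.12.7", "dport": 666},  # matches
    {"proto": "tcp", "src": "10.179.200.1", "sport": 40000, "dst": "192.0.12.7", "dport": 666},  # src outside /17
    {"proto": "udp", "src": "10.179.55.2",  "sport": 40000, "dst": "192.0.12.7", "dport": 666},  # wrong protocol
    {"proto": "tcp", "src": "10.179.55.2",  "sport": 40000, "dst": "192.0.12.7", "dport": 667},  # wrong port
]

if __name__ == "__main__":
    rule = parse_rule(RULE)
    for p in PACKETS:
        print(p["src"], "->", p["dst"], p["dport"], evaluate(rule, p))
```

Note that 10.179.0.0/17 only covers 10.179.0.0 to 10.179.127.255, so the second packet falls outside the rule; a rule written with /16 by mistake would widen the source range silently, which is one reason community-contributed signatures are worth reading before they are deployed.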
ISS Proventia
http://www.iss.net
! The preventive approach to Internet Security is
enforced by an R&D task force whose mission is to
discover, research, and test system vulnerabilities
Symantec
! Combines multiple detection technologies,
including protocol anomaly detection and
vulnerability attack interception
! Integrated expertise from Symantec Security
Response and Services provides early
knowledge of threats to enable proactive
security
CISCO
! Detection techniques employed
! Pattern matching
! Looking for a fixed sequence of bytes in a packet
! Stateful pattern matching
! The match is made in context within the state of the
stream
! Protocol decodes
! Rules based on RFC verification
! Heuristic-based signatures
! Allow for the detection of zero-day attacks
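The difference between plain and stateful pattern matching, as an added example (illustrative code, not from the slides or from any vendor's engine): a fixed byte sequence split across two TCP segments is invisible to a matcher that inspects one packet at a time, and is found once the segments are put back in sequence order and matched as a stream. The segments and the signature are constructed for this example.

```python
"""Per-packet versus stream-aware pattern matching (added example).

A signature split across two TCP segments is missed by a matcher that looks
at one packet at a time, but is found once the segments are reordered by
sequence number and searched as a stream.  Segments and signature are
constructed for this example.
"""

SIGNATURE = b"/bin/sh"

# Constructed TCP segments of one connection: (sequence number, payload),
# delivered out of order, with the signature straddling the two payloads.
SEGMENTS = [
    (1016, b"n/sh -i\r\n"),
    (1000, b"GET /cgi/x?c=/bi"),
]


def per_packet_match(segments, signature=SIGNATURE):
    """Stateless matching: each payload is searched on its own."""
    return any(signature in payload for _, payload in segments)


def stream_match(segments, signature=SIGNATURE):
    """Stateful matching: reorder by sequence number and search across segment boundaries.

    Only the last len(signature)-1 bytes of the previous payload are carried
    over, so the memory held per stream stays bounded whatever the connection
    size.  A gap or overlap in the sequence numbers clears that carry-over so
    that bytes which were never adjacent on the wire are not joined.
    """
    tail, expected = b"", None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is not None and seq != expected:
            tail = b""
        window = tail + payload
        if signature in window:
            return True
        tail = window[-(len(signature) - 1):] if len(signature) > 1 else b""
        expected = seq + len(payload)
    return False


if __name__ == "__main__":
    print("per-packet:", per_packet_match(SEGMENTS))
    print("stream    :", stream_match(SEGMENTS))
```

The per-packet matcher reports nothing for these two segments while the stream matcher fires; the price of the stateful form is the per-connection state (carry-over bytes and the next expected sequence number) that the engine has to keep for every stream it follows.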
References
Fundamentals on IDS
! Proctor, Practical Intrusion Detection, Prentice Hall, 2001
! Publications of the SANS institute (http://www.sans.org)
! Network Intrusion Detection
! Intrusion Signatures and Analysis
! Allen et al., State of the practice of intrusion detection
Technologies, Tech Rep CMU/SEI, 2000
! RAID (Recent Advances in Intrusion Detection)
symposiums
! http://www.raid-symposium.org
References
Research and practice on IDS
! Research links
! Wenke Lee
http://www.cc.gatech.edu/~wenke/ids-readings.html
! http://citeseer.ist.psu.edu/Security/IntrusionDetection/
! Focus on the most recent computer threats
! http://www.cert.org/
! http://www.securityfocus.com
! Consultants
! http://www.netforensics.com/
! http://www.counterpane.com