Assignment
Computer Security:
Principles and Practice
Fourth Edition
By: William Stallings and Lawrie Brown
Lecture slides prepared for “Computer Security: Principles and Practice”, 4/e, by William Stallings and Lawrie Brown, Chapter 8 “Intrusion Detection”.
1
Chapter 8
Intrusion Detection
A significant security problem for networked systems is hostile, or at least
unwanted, trespass by users or software. User trespass can take the form of unauthorized
logon or other access to a machine or, in the case of an authorized user,
acquisition of privileges or performance of actions beyond those that have been
authorized. Software trespass includes a range of malware variants as we discuss
in Chapter 6.
This chapter covers the subject of intrusions. First, we examine the nature
of intruders and how they attack, then look at strategies for detecting intrusions.
2
Classes of Intruders – Cyber Criminals
Individuals or members of an organized crime group with a goal of financial reward
Their activities may include:
Identity theft
Theft of financial credentials
Corporate espionage
Data theft
Data ransoming
Typically they are young, often Eastern European, Russian, or southeast Asian hackers, who do business on the Web
They meet in underground forums to trade tips and data and coordinate attacks
3
One of the key threats to security is the use of some form of hacking by an intruder,
often referred to as a hacker or cracker. Verizon [VERI16] indicates that 92% of
the breaches they investigated were by outsiders, with 14% by insiders, and with
some breaches involving both outsiders and insiders. They also noted that insiders
were responsible for a small number of very large dataset compromises. Both
Symantec [SYMA16] and Verizon [VERI16] also comment that not only is there a
general increase in malicious hacking activity, but also an increase in attacks specifically
targeted at individuals in organizations and the IT systems they use. This trend
emphasizes the need to use defense-in-depth strategies, since such targeted attacks
may be designed to bypass perimeter defenses such as firewalls and network-based
Intrusion detection systems (IDSs).
As with any defense strategy, an understanding of possible motivations of the
attackers can assist in designing a suitable defensive strategy. Again, both Symantec
[SYMA16] and Verizon [VERI16] comment on the following broad classes of intruders:
• Cyber criminals: Are either individuals or members of an organized crime
group with a goal of financial reward. To achieve this, their activities may
include identity theft, theft of financial credentials, corporate espionage, data
theft, or data ransoming. Typically, they are young, often Eastern European,
Russian, or southeast Asian hackers, who do business on the Web [ANTE06].
They meet in underground forums with names like DarkMarket.org and
theftservices.com to trade tips and data and coordinate attacks. For some
years reports such as [SYMA16] have quoted very large and increasing costs
resulting from cyber-crime activities, and hence the need to take steps to mitigate
this threat.
Classes of Intruders – Activists
Are either individuals, usually working as insiders, or members of a larger group of outsider attackers, who are motivated by social or political causes
Also know as hacktivists
Skill level is often quite low
Aim of their attacks is often to promote and publicize their cause typically through:
Website defacement
Denial of service attacks
Theft and distribution of data that results in negative publicity or compromise of their targets
• Activists: Are either individuals, usually working as insiders, or members of
a larger group of outsider attackers, who are motivated by social or political
causes. They are also known as hacktivists, and their skill level is often quite
low. The aim of their attacks is often to promote and publicize their cause,
typically through website defacement, denial of service attacks, or the theft
and distribution of data that results in negative publicity or compromise of
their targets. Well-known recent examples include the activities of the groups
Anonymous and LulzSec, and the actions of Chelsea (born Bradley)
Manning and Edward Snowden.
4
Classes of Intruders – State-Sponsored Organizations
• State-sponsored organizations: Are groups of hackers sponsored by governments
to conduct espionage or sabotage activities. They are also known as
Advanced Persistent Threats (APTs), due to the covert nature and persistence
over extended periods involved with many attacks in this class. Recent
reports such as [MAND13], and information revealed by Edward Snowden,
indicate the widespread nature and scope of these activities by a wide range of
countries from China to the USA, UK, and their intelligence allies.
5
Groups of hackers sponsored by governments to conduct espionage or sabotage activities
Also known as Advanced Persistent Threats (APTs) due to the covert nature and persistence over extended periods involved with any attacks in this class
Widespread nature and scope of these activities by a wide range of countries from China to the USA, UK, and their intelligence allies
Classes of Intruders – Others
Hackers with motivations other than those previously listed
Include classic hackers or crackers who are motivated by technical challenge or by peer-group esteem and reputation
Many of those responsible for discovering new categories of buffer overflow vulnerabilities could be regarded as members of this class
Given the wide availability of attack toolkits, there is a pool of “hobby hackers” using them to explore system and network security
• Others: Are hackers with motivations other than those listed above, including
classic hackers or crackers who are motivated by technical challenge or
by peer-group esteem and reputation. Many of those responsible for discovering
new categories of buffer overflow vulnerabilities [MEER10] could be
regarded as members of this class. Also, given the wide availability of attack
toolkits, there is a pool of “hobby hackers” using them to explore system and
network security, who could potentially become recruits for the above classes.
6
Intruder Skill Levels – Apprentice
Hackers with minimal technical skill who primarily use existing attack toolkits
They likely comprise the largest number of attackers, including many criminal and activist attackers
Given their use of existing known tools, these attackers are the easiest to defend against
Also known as “script-kiddies” due to their use of existing scripts (tools)
Across these classes of intruders, there is also a range of skill levels seen.
These can be broadly classified as:
• Apprentice: Hackers with minimal technical skill who primarily use existing
attack toolkits. They likely comprise the largest number of attackers, including
many criminal and activist attackers. Given their use of existing known
tools, these attackers are the easiest to defend against. They are also known as
“script-kiddies” due to their use of existing scripts (tools).
7
Intruder Skill Levels – Journeyman
Hackers with sufficient technical skills to modify and extend attack toolkits to use newly discovered, or purchased, vulnerabilities
They may be able to locate new vulnerabilities to exploit that are similar to some already known
Hackers with such skills are likely found in all intruder classes
Adapt tools for use by others
• Journeyman: Hackers with sufficient technical skills to modify and extend
attack toolkits to use newly discovered, or purchased, vulnerabilities; or to
focus on different target groups. They may also be able to locate new vulnerabilities
to exploit that are similar to some already known. A number of
hackers with such skills are likely found in all intruder classes listed above,
adapting tools for use by others. The changes in attack tools make identifying
and defending against such attacks harder.
8
Intruder Skill Levels – Master
Hackers with high-level technical skills capable of discovering brand new categories of vulnerabilities
Write new powerful attack toolkits
Some of the better known classical hackers are of this level
Some are employed by state-sponsored organizations
Defending against these attacks is of the highest difficulty
Hackers with high-level technical skills capable of discovering brand
new categories of vulnerabilities, or writing new powerful attack toolkits.
Some of the better-known classical hackers are of this level, as clearly are
some of those employed by some state-sponsored organizations, as the designation
APT suggests. This makes defending against these attacks of the highest
difficulty.
9
Examples of Intrusion
Remote root compromise
Web server defacement
Guessing/cracking passwords
Copying databases containing credit card numbers
Viewing sensitive data without authorization
Running a packet sniffer
Distributing pirated software
Using an unsecured modem to access internal network
Impersonating an executive to get information
Using an unattended workstation
10
Intruder attacks range from the benign to the serious. At the benign end of
the scale, there are people who simply wish to explore internets and see what is out
there. At the serious end are individuals or groups that attempt to read privileged
data, perform unauthorized modifications to data, or disrupt systems.
NIST SP 800-61 (Computer Security Incident Handling Guide , August 2012)
lists the following examples of intrusion:
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information,
without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
• Using a permission error on an anonymous FTP server to distribute pirated
software and music files
• Dialing into an unsecured modem and gaining internal network access
• Posing as an executive, calling the help desk, resetting the executive’s e-mail
password, and learning the new password
• Using an unattended, logged-in workstation without permission
Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs),
of the type described in this chapter and Chapter 9, respectively, are designed to aid
countering these types of threats. They can be reasonably effective against known,
less sophisticated attacks, such as those by activist groups or large-scale email
scams. They are likely less effective against the more sophisticated, targeted attacks
by some criminal or state-sponsored intruders, since these attackers are more likely
to use new, zero-day exploits, and to better obscure their activities on the targeted
system. Hence they need to be part of a defense-in-depth strategy that may also
include encryption of sensitive information, detailed audit trails, strong authentication
and authorization controls, and active management of operating system and
application security.
Intruder Behavior
The techniques and behavior patterns of intruders are constantly shifting, to exploit
newly discovered weaknesses and to evade detection and countermeasures. However,
intruders typically use steps from a common attack methodology. [VERI16] in their
“Wrap up” section illustrate a typical sequence of actions, starting with a phishing attack
that results in the installation of malware that steals login credentials that eventually
result in the compromise of a Point-of-Sale terminal. They note that while this is one specific
incident scenario, the components are commonly seen in many attacks.
[MCCL12] discuss in detail activities associated with the following steps:
• Target Acquisition and Information Gathering: Where the attacker identifies
and characterizes the target systems using publicly available information, both
technical and non-technical, and the use network exploration tools to map target
resources.
Initial Access: The initial access to a target system, typically by exploiting a
remote network vulnerability as we discuss in Chapters 10 and 11, by guessing
weak authentication credentials used in a remote service as we discussed in
Chapter 3, or via the installation of malware on the system using some form of
social engineering or drive-by-download attack as we discuss in Chapter 6.
• Privilege Escalation: Actions taken on the system, typically via a local access
vulnerability as discussed in Chapters 10 and 11, to increase the privileges
available to the attacker to enable their desired goals on the target system.
• Information Gathering or System Exploit: Actions by the attacker to access
or modify information or resources on the system, or to navigate to another
target system.
• Maintaining Access: Actions such as the installation of backdoors or other
malicious software as we discuss in Chapter 6, or through the addition of covert
authentication credentials or other configuration changes to the system, to
enable continued access by the attacker after the initial attack.
• Covering Tracks: Where the attacker disables or edits audit logs such as we discuss
in Chapter 18, to remove evidence of attack activity, and uses rootkits and
other measures to hide covertly installed files or code as we discuss in Chapter 6.
11
Target acquisition and information gathering
Initial access
Privilege escalation
Information gathering or system exploit
Maintaining access
Covering tracks
Table 8.1
Examples of
Intruder Behavior
(Table can be found on pages 255-256 in the textbook.)
Table 8.1 lists examples of activities associated with the above steps.
12
Security Intrusion:
Unauthorized act of bypassing the security mechanisms of a system
Intrusion Detection:
A hardware or software function that gathers and analyzes information from various areas within a computer or a network to identify possible security intrusions
Definitions
13
security intrusion: Unauthorized act of bypassing the security mechanisms of a
system.
intrusion detection: A hardware or software function that gathers and analyzes
information from various areas within a computer or a network to identify possible
security intrusions.
Intrusion Detection System (IDS)
Host-based IDS (HIDS)
Monitors the characteristics of a single host for suspicious activity
Network-based IDS (NIDS)
Monitors network traffic and analyzes network, transport, and application protocols to identify suspicious activity
Distributed or hybrid IDS
Combines information from a number of sensors, often both host and network based, in a central analyzer that is able to better identify and respond to intrusion activity
14
An IDS comprises three logical components:
• Sensors : Sensors are responsible for collecting data. The input for a sensor
may be any part of a system that could contain evidence of an intrusion. Types
of input to a sensor includes network packets, log files, and system call traces.
Sensors collect and forward this information to the analyzer.
• Analyzers : Analyzers receive input from one or more sensors or from other
analyzers. The analyzer is responsible for determining if an intrusion has
occurred. The output of this component is an indication that an intrusion has
occurred. The output may include evidence supporting the conclusion that an
intrusion occurred. The analyzer may provide guidance about what actions
to take as a result of the intrusion. The sensor inputs may also be stored for
future analysis and review in a storage or database component.
• User interface: The user interface to an IDS enables a user to view output
from the system or control the behavior of the system. In some systems, the
user interface may equate to a manager, director, or console component.
An IDS may use a single sensor and analyzer, such as a classic HIDS on a host
or NIDS in a firewall device. More sophisticated IDSs can use multiple sensors,
across a range of host and network devices, sending information to a centralized
analyzer and user interface in a distributed architecture.
IDSs are often classified based on the source and type of data analyzed, as:
• Host-based IDS (HIDS): Monitors the characteristics of a single host and the
events occurring within that host, such as process identifiers and the system
calls they make, for evidence of suspicious activity.
• Network-based IDS (NIDS): Monitors network traffic for particular network
segments or devices and analyzes network, transport, and application protocols
to identify suspicious activity.
• Distributed or hybrid IDS: Combines information from a number of sensors,
often both host and network-based, in a central analyzer that is able to better
identify and respond to intrusion activity.
Comprises three logical components:
Sensors - collect data
Analyzers - determine if intrusion has occurred
User interface - view output or control system behavior
15
Authentication facilities, access control facilities, and firewalls all play a role in
countering intrusions. Another line of defense is intrusion detection, and this has
been the focus of much research in recent years. This interest is motivated by a
number of considerations, including the following:
1. If an intrusion is detected quickly enough, the intruder can be identified and
ejected from the system before any damage is done or any data are compromised.
Even if the detection is not sufficiently timely to preempt the intruder,
the sooner that the intrusion is detected, the less the amount of damage and
the more quickly that recovery can be achieved.
2. An effective IDS can serve as a deterrent, thus acting to prevent intrusions.
3. Intrusion detection enables the collection of information about intrusion techniques
that can be used to strengthen intrusion prevention measures.
Intrusion detection is based on the assumption that the behavior of the intruder
differs from that of a legitimate user in ways that can be quantified. Of course, we
cannot expect that there will be a crisp, exact distinction between an attack by an
intruder and the normal use of resources by an authorized user. Rather, we must
expect that there will be some overlap.
Figure 8.1 suggests, in abstract terms, the nature of the task confronting the
designer of an IDS. Although the typical behavior of an intruder differs from the
typical behavior of an authorized user, there is an overlap in these behaviors. Thus,
a loose interpretation of intruder behavior, which will catch more intruders, will
also lead to a number of false positives , or false alarms, where authorized users are
identified as intruders. On the other hand, an attempt to limit false positives by a
tight interpretation of intruder behavior will lead to an increase in false negatives ,
or intruders not identified as intruders. Thus, there is an element of compromise
and art in the practice of intrusion detection. Ideally you want an IDS to have a high
detection rate, that is, the ratio of detected to total attacks, while minimizing the
false alarm rate, the ratio of incorrectly classified to total normal usage [LAZA05].
In an important early study of intrusion [ANDE80], Anderson postulated
that one could, with reasonable confidence, distinguish between an outside attacker
and a legitimate user. Patterns of legitimate user behavior can be established by
observing past history, and significant deviation from such patterns can be detected.
Anderson suggests that the task of detecting an inside attacker (a legitimate user
acting in an unauthorized fashion) is more difficult, in that the distinction between
abnormal and normal behavior may be small. Anderson concluded that such violations
would be undetectable solely through the search for anomalous behavior.
However, insider behavior might nevertheless be detectable by intelligent definition
of the class of conditions that suggest unauthorized use. These observations,
which were made in 1980, remain true today.
IDS Requirements
16
To be of practical use, an IDS should detect a substantial percentage of intrusions
while keeping the false alarm rate at an acceptable level. If only a modest
percentage of actual intrusions are detected, the system provides a false sense of
security. On the other hand, if the system frequently triggers an alert when there
is no intrusion (a false alarm), then either system managers will begin to ignore the
alarms, or much time will be wasted analyzing the false alarms.
Unfortunately, because of the nature of the probabilities involved, it is very
difficult to meet the standard of high rate of detections with a low rate of false
alarms. In general, if the actual numbers of intrusions is low compared to the number
of legitimate uses of a system, then the false alarm rate will be high unless the
test is extremely discriminating. This is an example of a phenomenon known as
the base-rate fallacy . A study of existing IDSs, reported in [AXEL00], indicated
that current systems have not overcome the problem of the base-rate fallacy. See
Appendix I for a brief background on the mathematics of this problem.
[BALA98] lists the following as desirable for an IDS. It must
• Run continually with minimal human supervision.
• Be fault tolerant in the sense that it must be able to recover from system
crashes and reinitializations.
• Resist subversion. The IDS must be able to monitor itself and detect if it has
been modified by an attacker.
• Impose a minimal overhead on the system where it is running.
• Be able to be configured according to the security policies of the system that is
being monitored.
• Be able to adapt to changes in system and user behavior over time.
• Be able to scale to monitor a large number of hosts.
• Provide graceful degradation of service in the sense that if some components
of the IDS stop working for any reason, the rest of them should be affected as
little as possible.
• Allow dynamic reconfiguration; that is, the ability to reconfigure the IDS
without having to restart it.
Run continually
Be fault tolerant
Resist subversion
Impose a minimal overhead on system
Configured according to system security policies
Adapt to changes in systems and users
Scale to monitor large numbers of systems
Provide graceful degradation of service
Allow dynamic reconfiguration
Analysis Approaches
Anomaly detection
Signature/Heuristic detection
Involves the collection of data relating to the behavior of legitimate users over a period of time
Current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder
Uses a set of known malicious data patterns or attack rules that are compared with current behavior
Also known as misuse detection
Can only identify known attacks for which it has patterns or rules
IDSs typically use one of the following alternative approaches to analyze sensor
data to detect intrusions:
1. Anomaly detection: Involves the collection of data relating to the behavior
of legitimate users over a period of time. Then current observed behavior is
analyzed to determine with a high level of confidence whether this behavior is
that of a legitimate user or alternatively that of an intruder.
2. Signature or Heuristic detection: Uses a set of known malicious data patterns
(signatures) or attack rules (heuristics) that are compared with current behavior
to decide if is that of an intruder. It is also known as misuse detection. This
approach can only identify known attacks for which it has patterns or rules.
In essence, anomaly approaches aim to define normal, or expected, behavior, in
order to identify malicious or unauthorized behavior. Signature or heuristic-based
approaches directly define malicious or unauthorized behavior. They can quickly
and efficiently identify known attacks. However only anomaly detection is able to
detect unknown, zero-day attacks, as it starts with known good behavior and identifies
anomalies to it. Given this advantage, clearly anomaly detection would be the
preferred approach, were it not for the difficulty in collecting and analyzing the data
required, and the high level of false alarms, as we discuss in the following sections.
17
Anomaly Detection
A variety of classification approaches are used:
The anomaly detection approach involves first developing a model of legitimate
user behavior by collecting and processing sensor data from the normal operation
of the monitored system in a training phase. This may occur at distinct times, or
there may be a continuous process of monitoring and evolving the model over time.
Once this model exists, current observed behavior is compared with the model in
order to classify it as either legitimate or anomalous activity in a detection phase.
A variety of classification approaches are used, which [GARC09] broadly categorized
as:
• Statistical: Analysis of the observed behavior using univariate, multivariate,
or time-series models of observed metrics.
• Knowledge based: Approaches use an expert system that classifies observed
behavior according to a set of rules that model legitimate behavior.
• Machine-learning: Approaches automatically determine a suitable classification
model from the training data using data mining techniques.
They also note two key issues that affect the relative performance of these alternatives,
being the efficiency and cost of the detection process.
The monitored data is first parameterized into desired standard metrics that
will then be analyzed. This step ensures that data gathered from a variety of possible
sources is provided in standard form for analysis.
Statistical approaches use the captured sensor data to develop a statistical
profile of the observed metrics. The earliest approaches used univariate models,
where each metric was treated as an independent random variable. However this
was too crude to effectively identify intruder behavior. Later, multivariate models
considered correlations between the metrics, which better levels of discrimination
observed. Time-series models use the order and time between observed events to
better classify the behavior. The advantages of these statistical approaches include
their relative simplicity and low computation cost, and lack of assumptions about
behavior expected. Their disadvantages include the difficulty in selecting suitable
metrics to obtain a reasonable balance between false positives and false negatives,
and that not all behaviors can be modeled using these approaches.
Knowledge based approaches classify the observed data using a set of rules.
These rules are developed during the training phase, usually manually, to characterize
the observed training data into distinct classes. Formal tools may be used to
describe these rules, such as a finite-state machine or a standard description language.
They are then used to classify the observed data in the detection phase. The
advantages of knowledge-based approaches include their robustness and flexibility.
Their main disadvantage is the difficulty and time required to develop high-quality
knowledge from the data, and the need for human experts to assist with this process.
Machine-learning approaches use data mining techniques to automatically
develop a model using the labeled normal training data. This model is then able
to classify subsequently observed data as either normal or anomalous. A key disadvantage
is that this process typically requires significant time and computational
resources. Once the model is generated however, subsequent analysis is generally
fairly efficient.
A variety of machine-learning approaches have been tried, with varying success.
These include:
• Bayesian networks: Encode probabilistic relationships among observed metrics.
• Markov models: Develop a model with sets of states, some possibly hidden,
interconnected by transition probabilities.
• Neural networks: Simulate human brain operation with neurons and synapse
between them, that classify observed data.
• Fuzzy logic: Uses fuzzy set theory where reasoning is approximate, and can
accommodate uncertainty.
• Genetic algorithms: Uses techniques inspired by evolutionary biology, including
inheritance, mutation, selection and recombination, to develop classification
rules.
• Clustering and outlier detection: Group the observed data into clusters based
on some similarity or distance measure, and then identify subsequent data as
either belonging to a cluster or as an outlier.
The advantages of the machine-learning approaches include their flexibility, adaptability,
and ability to capture interdependencies between the observed metrics.
Their disadvantages include their dependency on assumptions about accepted
behavior for a system, their currently unacceptably high false alarm rate, and their
high resource cost.
A key limitation of anomaly detection approaches used by IDSs, particularly
the machine-learning approaches, is that they are generally only trained with legitimate
data, unlike many of the other applications surveyed in [CHAN09] where
both legitimate and anomalous training data is used. The lack of anomalous training
data, which occurs given the desire to detect currently unknown future attacks,
limits the effectiveness of some of the techniques listed above.
18
Statistical
Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics
Knowledge based
Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior
Machine-learning
Approaches automatically determine a suitable classification model from the training data using data mining techniques
Signature or Heuristic Detection
Signature or heuristic techniques detect intrusion by observing events in the system
and applying either a set of signature patterns to the data, or a set of rules that
characterize the data, leading to a decision regarding whether the observed data
indicates normal or anomalous behavior.
Signature approaches match a large collection of known patterns of malicious
data against data stored on a system or in transit over a network. The signatures
need to be large enough to minimize the false alarm rate, while still detecting a
sufficiently large fraction of malicious data. This approach is widely used in antivirus
products, in network traffic scanning proxies, and in NIDS. The advantages
of this approach include the relatively low cost in time and resource use, and its
wide acceptance. Disadvantages include the significant effort required to constantly
identify and review new malware to create signatures able to identify it, and the
inability to detect zero-day attacks for which no signatures exist.
Rule-based heuristic identification involves the use of rules for identifying
known penetrations or penetrations that would exploit known weaknesses. Rules
can also be defined that identify suspicious behavior, even when the behavior is
within the bounds of established patterns of usage. Typically, the rules used in
these systems are specific to the machine and operating system. The most fruitful
approach to developing such rules is to analyze attack tools and scripts collected on
the Internet. These rules can be supplemented with rules generated by knowledgeable
security personnel. In this latter case, the normal procedure is to interview
system administrators and security analysts to collect a suite of known penetration
scenarios and key events that threaten the security of the target system.
The SNORT system, which we discuss later in Section 8.9 is an example of a
rule-based NIDS. A large collection of rules exists for it to detect a wide variety of
network attacks.
19
Signature approaches
Match a large collection of known patterns of malicious data against data stored on a system or in transit over a network
The signatures need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data
Widely used in anti-virus products, network traffic scanning proxies, and in NIDS
Rule-based heuristic identification
Involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses
Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage
Typically rules used are specific
SNORT is an example of a rule-based NIDS
Host-Based Intrusion Detection (HIDS)
Adds a specialized layer of security software to vulnerable or sensitive systems
Can use either anomaly or signature and heuristic approaches
Monitors activity to detect suspicious behavior
Primary purpose is to detect intrusions, log suspicious events, and send alerts
Can detect both external and internal intrusions
20
Host-based IDSs (HIDSs) add a specialized layer of security software to vulnerable
or sensitive systems; such as database servers and administrative systems. The HIDS
monitors activity on the system in a variety of ways to detect suspicious behavior.
In some cases, an IDS can halt an attack before any damage is done, as we discuss
in Section 9.6, but its main purpose is to detect intrusions, log suspicious events, and
send alerts.
The primary benefit of a HIDS is that it can detect both external and internal
intrusions, something that is not possible either with network-based IDSs or firewalls.
As we discuss in the previous section, host-based IDSs can use either anomaly
or signature and heuristic approaches to detect unauthorized behavior on the monitored
host. We now review some common data sources and sensors used in HIDS,
and then continue with a discussion of how the anomaly, signature and heuristic
approaches are used in HIDS, and then consider distributed HIDS.
Data Sources and Sensors
As noted previously, a fundamental component of intrusion detection is the sensor
that collects data. Some record of ongoing activity by users must be provided as
input to the analysis component of the IDS. Common data sources include:
• System call traces: A record of the sequence of systems calls by processes on
a system, is widely acknowledged as the preferred data source for HIDS since
the pioneering work of Forrest [CREE13]. While these work well on Unix and
Linux systems, they are problematic on Windows systems due to the extensive
use of DLLs that obscure which processes use specific system calls.
• Audit (log file) records: Most modern operating systems include accounting
software that collects information on user activity. The advantage of using this
information is that no additional collection software is needed. The disadvantages
are that the audit records may not contain the needed information or may not
contain it in a convenient form, and that intruders may attempt to manipulate
these records to hide their actions.
• File integrity checksums: A common approach to detecting intruder activity
on a system is to periodically scan critical files for changes from the desired
baseline, by comparing a current cryptographic checksums for these files, with
a record of known good values. Disadvantages include the need to generate
and protect the checksums using known good files, and the difficulty monitoring
changing files. Tripwire is a well-known system using this approach.
• Registry access: An approach used on Windows systems is to monitor access
to the registry, given the amount of information and access to it used by programs
on these systems. However this source is very Windows specific, and
has recorded limited success.
The sensor gathers data from the chosen source, filters the gathered data to
remove any unwanted information and to standardize the information format, and
forwards the result to the IDS analyzer, which may be local or remote.
21
A fundamental component of intrusion detection is the sensor that collects data
Common data sources include:
System call traces
Audit (log file) records
File integrity checksums
Registry access
Table 8.2
Linux System Calls and Windows DLLs Monitored
(Table can be found on page 264 in the textbook)
The majority of work on anomaly-based HIDS has been done on UNIX and Linux
systems, given the ease of gathering suitable data for this work. While some earlier
work used audit or accounting records, the majority is based on system call traces.
System calls are the means by which programs access core kernel functions, providing
a wide range of interactions with the low-level operating system functions.
Hence they provide detailed information on process activity that can be used to
classify it as normal or anomalous. Table 8.2 (a) lists the system calls used in current
Ubuntu Linux systems as an example. This data is typically gathered using an OS
hook, such as the BSM audit module. Most modern operating systems have highly
reliable options for collecting this type of information.
The system call traces are then analyzed by a suitable decision engine.
[CREE13] notes that the original work by Forrest et al introduced the Sequence
Time-Delay Embedding (STIDE) algorithm, based on artificial immune system
approaches, that compares observed sequences of system calls with sequences from
the training phase to obtain a mismatch ratio that determines whether the sequence
is normal or not. Later work has used other alternatives, such as Hidden Markov
Models (HMM), Artificial Neural Networks (ANN), Support Vector Machines
(SVM), or Extreme Learning Machines (ELM) to make this classification.
[CREE13] notes that these approaches all report providing reasonable
intruder detection rates of 95-99% while having false positive rates of less than 5%,
though on older test datasets. He updates these results using recent contemporary
data and example attacks, with a more extensive feature extraction process from the
system call traces and an ELM decision engine capable of a very high detection rate
while maintaining reasonable false positive rates. This approach should lead to even
more effective production HIDS products in the near future.
Windows systems have traditionally not used anomaly based HIDS, as the
wide usage of Dynamic Link Libraries (DLLs) as an intermediary between process
requests for operating system functions and the actual system call interface, has
hindered the effective use of system call traces to classify process behavior. Some
work was done using either audit log entries, or registry file updates as a data source,
but neither approach was very successful. [CREE13] reports a new approach that
uses traces of key DLL function calls as an alternative data source, with results comparable
to that found with Linux system call trace HIDS. Table 8.2 (b) lists the key
DLLs and executables monitored. Note that all of the distinct functions within these
DLLs, numbering in their thousands, are monitored, forming the equivalent to the
system call list presented in Table 8.2a. The adoption of this approach should
lead to the development of more effective Windows HIDS, capable of detecting
zero-day attacks, unlike the current generation of signature and heuristic Windows
HIDS that we discuss later.
While using system call traces provides arguably the richest information source
for a HIDS, it does impose a moderate load on the monitored system to gather and
classify this data. And as we noted earlier, the training phase for many of the decision
engines requires very significant time and computational resources. Hence others
have trialed approaches based on audit (log) records. However these both have
a lower detection rate than the system call trace approaches (80% reported), and
are more susceptible to intruder manipulation.
A further alternative to examining current process behavior, is to look for
changes to important files on the monitored host. This uses a cryptographic checksum
to check for any changes from the known good baseline for the monitored files.
Typically all program binaries, scripts, and configuration files are monitored, either
on each access, or on a periodic scan of the file system. The tripwire system is a
widely used implementation of this approach, and is available for all major operating
systems including Linux, Mac OS, and Windows. This approach is very sensitive
to changes in the monitored files, as a result of intruder activity or for any other
reason. However it cannot detect changes made to processes once they are running
on the system. Other difficulties include determining which files to monitor, since
a surprising number of files change in an operational system, having access to a
known good copy of each monitored file to establish the baseline value, and protecting
the database of file signatures.
22
23
Traditionally, work on host-based IDSs focused on single-system stand-alone operation.
The typical organization, however, needs to defend a distributed collection
of hosts supported by a LAN or internetwork. Although it is possible to mount a
defense by using stand-alone IDSs on each host, a more effective defense can be
achieved by coordination and cooperation among IDSs across the network.
Porras points out the following major issues in the design of a distributed IDS
[PORR92]:
• A distributed IDS may need to deal with different sensor data formats. In a
heterogeneous environment, different systems may use different sensors and
approaches to gathering data for intrusion detection use.
• One or more nodes in the network will serve as collection and analysis points
for the data from the systems on the network. Thus, either raw sensor data or
summary data must be transmitted across the network. Therefore, there is a
requirement to assure the integrity and confidentiality of these data. Integrity
is required to prevent an intruder from masking his or her activities by altering
the transmitted audit information. Confidentiality is required because the
transmitted audit information could be valuable.
• Either a centralized or decentralized architecture can be used. With a centralized
architecture, there is a single central point of collection and analysis of all
sensor data. This eases the task of correlating incoming reports but creates a
potential bottleneck and single point of failure. With a decentralized architecture,
there is more than one analysis center, but these must coordinate their
activities and exchange information.
A good example of a distributed IDS is one developed at the University of
California at Davis [HEBE92, SNAP91]; a similar approach has been taken for a
project at Purdue [SPAF00, BALA98]. Figure 8.2 shows the overall architecture,
which consists of three main components:
1. Host agent module: An audit collection module operating as a background
process on a monitored system. Its purpose is to collect data on security-related
events on the host and transmit these to the central manager. Figure 8.3
shows details of the agent module architecture.
2. LAN monitor agent module: Operates in the same fashion as a host agent
module except that it analyzes LAN traffic and reports the results to the central
manager.
3. Central manager module: Receives reports from LAN monitor and host
agents and processes and correlates these reports to detect intrusion.
24
The scheme is designed to be independent of any operating system or system
auditing implementation. Figure 8.3 shows the general approach that is taken. The
agent captures each audit record produced by the native audit collection system. A
filter is applied that retains only those records that are of security interest. These
records are then reformatted into a standardized format referred to as the host
audit record (HAR). Next, a template-driven logic module analyzes the records for
suspicious activity. At the lowest level, the agent scans for notable events that are
of interest independent of any past events. Examples include failed files, accessing
system files, and changing a file’s access control. At the next higher level, the agent
looks for sequences of events, such as known attack patterns (signatures). Finally,
the agent looks for anomalous behavior of an individual user based on a historical
profile of that user, such as number of programs executed, number of files accessed,
and the like.
When suspicious activity is detected, an alert is sent to the central manager.
The central manager includes an expert system that can draw inferences from
received data. The manager may also query individual systems for copies of HARs
to correlate with those from other agents.
The LAN monitor agent also supplies information to the central manager.
The LAN monitor agent audits host-host connections, services used, and volume of
traffic. It searches for significant events, such as sudden changes in network load,
the use of security-related services, and suspicious network activities.
The architecture depicted in Figures 8.2 and 8.3 is quite general and flexible.
It offers a foundation for a machine-independent approach that can expand from
stand-alone intrusion detection to a system that is able to correlate activity from
a number of sites and networks to detect suspicious activity that would otherwise
remain undetected.
Network-Based IDS (NIDS)
25
A network-based IDS (NIDS) monitors traffic at selected points on a network or
interconnected set of networks. The NIDS examines the traffic packet by packet in
real time, or close to real time, to attempt to detect intrusion patterns. The NIDS
may examine network-, transport-, and/or application-level protocol activity. Note
the contrast with a host-based IDS; a NIDS examines packet traffic directed toward
potentially vulnerable computer systems on a network. A host-based system examines
user and software activity on a host.
A typical NIDS facility includes a number of sensors to monitor packet traffic, one
or more servers for NIDS management functions, and one or more management consoles
for the human interface. The analysis of traffic patterns to detect intrusions may
be done at the sensor, at the management server, or some combination of the two.
Monitors traffic at selected points on a network
Examines traffic packet by packet in real or close to real time
May examine network, transport, and/or application-level protocol activity
Comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface
Analysis of traffic patterns may be done at the sensor, the management server or a combination of the two
26
Sensors can be deployed in one of two modes: inline and passive. An inline
sensor is inserted into a network segment so that the traffic that it is monitoring
must pass through the sensor. One way to achieve an inline sensor is to combine
NIDS sensor logic with another network device, such as a firewall or a LAN
switch. This approach has the advantage that no additional separate hardware
devices are needed; all that is required is NIDS sensor software. An alternative
is a stand-alone inline NIDS sensor. The primary motivation for the use of
inline sensors is to enable them to block an attack when one is detected. In this
case the device is performing both intrusion detection and intrusion prevention
functions.
More commonly, passive sensors are used. A passive sensor monitors a
copy of network traffic; the actual traffic does not pass through the device. From
the point of view of traffic flow, the passive sensor is more efficient than the
inline sensor, because it does not add an extra handling step that contributes to
packet delay.
Figure 8.4 illustrates a typical passive sensor configuration. The sensor connects
to the network transmission medium, such as a fiber optic cable, by a direct
physical tap. The tap provides the sensor with a copy of all network traffic being
carried by the medium. The network interface card (NIC) for this tap usually does
not have an IP address configured for it. All traffic into this NIC is simply collected
with no protocol interaction with the network. The sensor has a second NIC that
connects to the network with an IP address and enables the sensor to communicate
with a NIDS management server.
Consider an organization with multiple sites, each of which has one or more LANs,
with all of the networks interconnected via the Internet or some other WAN
technology. For a comprehensive NIDS strategy, one or more sensors are needed
at each site. Within a single site, a key decision for the security administrator is the
placement of the sensors.
Figure 8.5 illustrates a number of possibilities. In general terms, this configuration
is typical of larger organizations. All Internet traffic passes through an external firewall
that protects the entire facility. Traffic from the outside world, such as customers and
vendors that need access to public services, such as Web and mail, is monitored. The
external firewall also provides a degree of protection for those parts of the network
that should only be accessible by users from other corporate sites. Internal firewalls
may also be used to provide more specific protection to certain parts of the network.
A common location for a NIDS sensor is just inside the external firewall
( location 1 in the figure). This position has a number of advantages:
• Sees attacks, originating from the outside world, that penetrate the network’s
perimeter defenses (external firewall).
• Highlights problems with the network firewall policy or performance.
• Sees attacks that might target the Web server or ftp server.
• Even if the incoming attack is not recognized, the IDS can sometimes recognize
the outgoing traffic that results from the compromised server.
Instead of placing a NIDS sensor inside the external firewall, the security
administrator may choose to place a NIDS sensor between the external firewall and
the Internet or WAN (location 2 ). In this position, the sensor can monitor all network
traffic, unfiltered. The advantages of this approach are as follows:
• Documents number of attacks originating on the Internet that target the network
• Documents types of attacks originating on the Internet that target the network
A sensor at location 2 has a higher processing burden than any sensor located
elsewhere on the site network.
In addition to a sensor at the boundary of the network, on either side of the
external firewall, the administrator may configure a firewall and one or more sensors
to protect major backbone networks, such as those that support internal servers
and database resources (location 3). The benefits of this placement include the
following:
• Monitors a large amount of a network’s traffic, thus increasing the possibility
of spotting attacks
• Detects unauthorized activity by authorized users within the organization’s
security perimeter
Thus, a sensor at location 3 is able to monitor for both internal and external
attacks. Because the sensor monitors traffic to only a subset of devices at the site, it can
be tuned to specific protocols and attack types, thus reducing the processing burden.
Finally, the network facilities at a site may include separate LANs that support
user workstations and servers specific to a single department. The administrator
could configure a firewall and NIDS sensor to provide additional protection for
all of these networks or target the protection to critical subsystems, such as personnel
and financial networks (location 4). A sensor used in this latter fashion provides
the following benefits:
• Detects attacks targeting critical systems and resources
• Allows focusing of limited resources to the network assets considered of
greatest value
As with a sensor at location 3, a sensor at location 4 can be tuned to specific
protocols and attack types, thus reducing the processing burden.
27
Intrusion Detection Techniques
Attacks suitable for
Signature detection
Attacks suitable for
Anomaly detection
Application layer reconnaissance and attacks
Transport layer reconnaissance and attacks
Network layer reconnaissance and attacks
Unexpected application services
Policy violations
Denial-of-service (DoS) attacks
Scanning
Worms
28
As with host-based intrusion detection, network-based intrusion detection makes
use of signature detection and anomaly detection. Unlike the case with HIDS, a
number of commercial anomaly NIDS products are available [GARC09]. One of
the best known is the Statistical Packet Anomaly Detection Engine (SPADE),
available as a plug-in for the Snort system that we discuss later.
NIST SP 800-94 (Guide to Intrusion Detection and Prevention
Systems, July 2012) lists the following as examples of that types of attacks that
are suitable for signature detection:
• Application layer reconnaissance and attacks: Most NIDS technologies
analyze several dozen application protocols. Commonly analyzed ones include
Dynamic Host Configuration Protocol (DHCP), DNS, Finger, FTP, HTTP,
Internet Message Access Protocol (IMAP), Internet Relay Chat (IRC),
Network File System (NFS), Post Office Protocol (POP), rlogin/rsh, Remote
Procedure Call (RPC), Session Initiation Protocol (SIP), Server Message
Block (SMB), SMTP, SNMP, Telnet, and Trivial File Transfer Protocol
(TFTP), as well as database protocols, instant messaging applications, and
peer-to-peer file sharing software. The NIDS is looking for attack patterns
that have been identified as targeting these protocols. Examples of attack include
buffer overflows, password guessing, and malware transmission.
• Transport layer reconnaissance and attacks: NIDSs analyze TCP and UDP
traffic and perhaps other transport layer protocols. Examples of attacks are
unusual packet fragmentation, scans for vulnerable ports, and TCP-specific
attacks such as SYN floods.
• Network layer reconnaissance and attacks: NIDSs typically analyze IPv4, IPv6,
ICMP, and IGMP at this level. Examples of attacks are spoofed IP addresses
and illegal IP header values.
• Unexpected application services: The NIDS attempts to determine if the
activity on a transport connection is consistent with the expected application
protocol. An example is a host running an unauthorized application service.
• Policy violations: Examples include use of inappropriate Web sites and use of
forbidden application protocols.
NIST SP 800-94 lists the following as examples
of the types of attacks that are suitable for anomaly detection:
• Denial-of-service (DoS) attacks: Such attacks involve either significantly
increased packet traffic or significantly increase connection attempts, in an
attempt to overwhelm the target system. These attacks are analyzed in Chapter 7.
Anomaly detection is well suited to such attacks.
• Scanning: A scanning attack occurs when an attacker probes a target network
or system by sending different kinds of packets. Using the responses received
from the target, the attacker can learn many of the system’s characteristics and
vulnerabilities. Thus, a scanning attack acts as a target identification tool for
an attacker. Scanning can be detected by atypical flow patterns at the application
layer (e.g., banner grabbing3), transport layer (e.g., TCP and UDP port
scanning), and network layer (e.g., ICMP scanning).
• Worms: Worms spreading among hosts can be detected in more than one
way. Some worms propagate quickly and use large amounts of bandwidth.
Worms can also be detected because they can cause hosts to communicate
with each other that typically do not, and they can also cause hosts to use ports
that they normally do not use. Many worms also perform scanning. Chapter 6
discusses worms in detail.
Stateful Protocol Analysis (SPA)
Subset of anomaly detection that compares observed network traffic against predetermined universal vendor supplied profiles of benign protocol traffic
This distinguishes it from anomaly techniques trained with organization specific traffic protocols
Understands and tracks network, transport, and application protocol states to ensure they progress as expected
A key disadvantage is the high resource use it requires
NIST SP 800-94 details this subset of anomaly
detection that compares observed network traffic against predetermined universal
vendor supplied profiles of benign protocol traffic. This distinguishes it from anomaly
techniques trained with organization specific traffic profiles. SPA understands and
tracks network, transport, and application protocol states to ensure they progress as
expected. A key disadvantage of SPA is the high resource use it requires.
29
Logging of Alerts
Typical information logged by a NIDS sensor includes:
Timestamp
Connection or session ID
Event or alert type
Rating
Network, transport, and application layer protocols
Source and destination IP addresses
Source and destination TCP or UDP ports, or ICMP types and codes
Number of bytes transmitted over the connection
Decoded payload data, such as application requests and responses
State-related information
When a sensor detects a potential violation, it sends an alert and logs information
related to the event. The NIDS analysis module can use this information to refine
intrusion detection parameters and algorithms. The security administrator can use
this information to design prevention techniques. Typical information logged by a
NIDS sensor includes the following:
• Timestamp (usually date and time)
• Connection or session ID (typically a consecutive or unique number assigned to
each TCP connection or to like groups of packets for connectionless protocols)
• Event or alert type
• Rating (e.g., priority, severity, impact, confidence)
• Network, transport, and application layer protocols
• Source and destination IP addresses
• Source and destination TCP or UDP ports, or ICMP types and codes
• Number of bytes transmitted over the connection
• Decoded payload data, such as application requests and responses
• State-related information (e.g., authenticated username)
30
31
In recent years, the concept of communicating IDSs has evolved to schemes that
involve distributed systems that cooperate to identify intrusions and to adapt to
changing attack profiles. These combine in a central IDS, the complementary information
sources used by HIDS with host-based process and data details, and NIDS
with network events and data, to manage and coordinate intrusion detection and
response in an organization’s IT infrastructure. Two key problems have always
confronted systems such as IDSs, firewalls, virus and worm detectors, and so on.
First, these tools may not recognize new threats or radical modifications of existing
threats. And second, it is difficult to update schemes rapidly enough to deal
with quickly spreading attacks. A separate problem for perimeter defenses, such as
firewalls, is that the modern enterprise has loosely defined boundaries, and hosts
are generally able to move in and out. Examples are hosts that communicate using
wireless technology and employee laptops that can be plugged into network ports.
Attackers have exploited these problems in several ways. The more traditional
attack approach is to develop worms and other malicious software that spreads ever more
rapidly and to develop other attacks (such as DoS attacks) that strike with overwhelming
force before a defense can be mounted. This style of attack is still prevalent. But more
recently, attackers have added a quite different approach: Slow the spread of the attack so
that it will be more difficult to detect by conventional algorithms [ANTH07].
A way to counter such attacks is to develop cooperated systems that can recognize
attacks based on more subtle clues and then adapt quickly. In this approach,
anomaly detectors at local nodes look for evidence of unusual activity. For example,
a machine that normally makes just a few network connections might suspect that an
attack is under way if it is suddenly instructed to make connections at a higher rate.
With only this evidence, the local system risks a false positive if it reacts to the suspected
attack (say by disconnecting from the network and issuing an alert) but it risks
a false negative if it ignores the attack or waits for further evidence. In an adaptive,
cooperative system, the local node instead uses a peer-to-peer “gossip” protocol to
inform other machines of its suspicion, in the form of a probability that the network
is under attack. If a machine receives enough of these messages so that a threshold is
exceeded, the machine assumes an attack is under way and responds. The machine
may respond locally to defend itself and also send an alert to a central system.
An example of this approach is a scheme developed by Intel and referred to
as autonomic enterprise security [AGOS06]. Figure 8.6 illustrates the approach.
This approach does not rely solely on perimeter defense mechanisms, such as
firewalls, or on individual host-based defenses. Instead, each end host and each
network device (e.g., routers) is considered to be a potential sensor and may have
the sensor software module installed. The sensors in this distributed configuration
can exchange information to corroborate the state of the network (i.e., whether an
attack is under way).
The Intel designers provide the following motivation for this approach:
1. IDSs deployed selectively may miss a network-based attack or may be slow
to recognize that an attack is under way. The use of multiple IDSs that
share information has been shown to provide greater coverage and more
rapid response to attacks, especially slowly growing attacks (e.g., [BAIL05],
[RAJA05]).
2. Analysis of network traffic at the host level provides an environment in which
there is much less network traffic than found at a network device such as a
router. Thus, attack patterns will stand out more, providing in effect a higher
signal-to-noise ratio.
3. Host-based detectors can make use of a richer set of data, possibly using
application data from the host as input into the local classifier.
NIST SP 800-94 notes that adistributed or hybrid IDS can be constructed using multiple products from
a single vendor, designed to share and exchange data [SCAR12]. This is clearly an
easier, but may not be the most cost-effective or comprehensive solution. Alternatively,
specialized security information and event management (SIEM) software
exists that can import and analyze data from a variety of sources, sensors, and
products. Such software may well rely on standardized protocols, such as Intrusion
Detection Exchange Format we discuss in the next section. An analogy may help
clarify the advantage of this distributed approach. Suppose that a single host is subject
to a prolonged attack and that the host is configured to minimize false positives.
Early on in the attack, no alert is sounded because the risk of false positive is high.
If the attack persists, the evidence that an attack is under way becomes stronger and
the risk of false positive decreases. However, much time has passed. Now consider
many local sensors, each of which suspect the onset of an attack and all of which collaborate.
Because numerous systems see the same evidence, an alert can be issued
with a low false positive risk. Thus, instead of a long period of time, we use a large
number of sensors to reduce false positives and still detect attacks. A number of
vendors now offer this type of product.
We now summarize the principal elements of this approach, illustrated in Figure
8.6. A central system is configured with a default set of security policies. Based
on input from distributed sensors, these policies are adapted and specific actions
are communicated to the various platforms in the distributed system. The devicespecific
policies may include immediate actions to take or parameter settings to be
adjusted. The central system also communicates collaborative policies to all platforms
that adjust the timing and content of collaborative gossip messages. Three
types of input guide the actions of the central system:
• Summary events: Events from various sources are collected by intermediate
collection points such as firewalls, IDSs, or servers that serve a specific segment
of the enterprise network. These events are summarized for delivery to
the central policy system.
• DDI events: Distributed detection and inference (DDI) events are alerts that
are generated when the gossip traffic enables a platform to conclude that an
attack is under way.
• PEP events: Policy enforcement points (PEPs) reside on trusted, self-defending
platforms and intelligent IDSs. These systems correlate distributed
information, local decisions, and individual device actions to detect intrusions
that may not be evident at the host level.
IETF Intrusion Detection Working Group
Purpose is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to management systems that may need to interact with them
The working group issued the following RFCs in 2007:
To facilitate the development of distributed IDSs that can function across a wide
range of platforms and environments, standards are needed to support interoperability.
Such standards are the focus of the IETF Intrusion Detection Working
Group. The purpose of the working group is to define data formats and exchange
procedures for sharing information of interest to intrusion detection and response
systems and to management systems that may need to interact with them. The
working group issued the following RFCs in 2007:
• Intrusion Detection Message Exchange Requirements (RFC 4766): This
document defines requirements for the Intrusion Detection Message
Exchange Format (IDMEF). The document also specifies requirements for a
communication protocol for communicating IDMEF.
• The Intrusion Detection Message Exchange Format (RFC 4765): This
document describes a data model to represent information exported by
intrusion detection systems and explains the rationale for using this model.
An implementation of the data model in the Extensible Markup Language
(XML) is presented, an XML Document Type Definition is developed, and
examples are provided.
• The Intrusion Detection Exchange Protocol (RFC 4767): This document
describes the Intrusion Detection Exchange Protocol (IDXP), an
application-level protocol for exchanging data between intrusion detection
entities. IDXP supports mutual-authentication, integrity, and confidentiality
over a connection-oriented protocol.
32
Intrusion Detection Message Exchange Requirements (RFC 4766)
Document defines requirements for the Intrusion Detection Message Exchange Format (IDMEF)
Also specifies requirements for a communication protocol for communicating IDMEF
The Intrusion Detection Message Exchange Format (RFC 4765)
Document describes a data model to represent information exported by intrusion detection systems and explains the rationale for using this model
An implementation of the data model in the Extensible Markup Language (XML) is presented, and XML Document Type Definition is developed, and examples are provided
The Intrusion Detection Exchange Protocol (RFC 4767)
Document describes the Intrusion Detection Exchange Protocol (IDXP), an application level protocol for exchanging data between intrusion detection entities
IDXP supports mutual authentication, integrity, and confidentiality over a connection oriented protocol
33
Figure 8.7 illustrates the key elements of the model on which the intrusion
detection message exchange approach is based. This model does not correspond
to any particular product or implementation, but its functional components are the
key elements of any IDS. The functional components are as follows:
• Data source: The raw data that an IDS uses to detect unauthorized or undesired
activity. Common data sources include network packets, operating system
audit logs, application audit logs, and system-generated checksum data.
• Sensor: Collects data from the data source. The sensor forwards events to the
analyzer.
• Analyzer: The ID component or process that analyzes the data collected by
the sensor for signs of unauthorized or undesired activity or for events that
might be of interest to the security administrator. In many existing IDSs, the
sensor and the analyzer are part of the same component.
• Administrator: The human with overall responsibility for setting the security
policy of the organization, and, thus, for decisions about deploying and
configuring the IDS. This may or may not be the same person as the operator
of the IDS. In some organizations, the administrator is associated with the
network or systems administration groups. In other organizations, it’s an
independent position.
Manager: The ID component or process from which the operator manages
the various components of the ID system. Management functions typically
include sensor configuration, analyzer configuration, event notification management,
data consolidation, and reporting.
• Operator: The human that is the primary user of the IDS manager. The operator
often monitors the output of the IDS and initiates or recommends further
action.
In this model, intrusion detection proceeds in the following manner. The sensor
monitors data sources looking for suspicious activity , such as network sessions
showing unexpected telnet activity, operating system log file entries showing a user
attempting to access files to which he or she is not authorized to have access, and
application log files showing persistent login failures. The sensor communicates suspicious
activity to the analyzer as an event , which characterizes an activity within a
given period of time. If the analyzer determines that the event is of interest, it sends
an alert to the manager component that contains information about the unusual
activity that was detected, as well as the specifics of the occurrence. The manager
component issues a notification to the human operator. A response can be initiated
automatically by the manager component or by the human operator. Examples of
responses include logging the activity; recording the raw data (from the data source)
that characterized the event; terminating a network, user, or application session; or
altering network or system access controls. The security policy is the predefined,
formally documented statement that defines what activities are allowed to take
place on an organization’s network or on particular hosts to support the organization’s
requirements. This includes, but is not limited to, which hosts are to be denied
external network access.
The specification defines formats for event and alert messages, message types,
and exchange protocols for communication of intrusion detection information.
Honeypots
Decoy systems designed to:
Lure a potential attacker away from critical systems
Collect information about the attacker’s activity
Encourage the attacker to stay on the system long enough for administrators to respond
Systems are filled with fabricated information that a legitimate user of the system wouldn’t access
Resources that have no production value
Therefore incoming communication is most likely a probe, scan, or attack
Initiated outbound communication suggests that the system has probably been compromised
34
A further component of intrusion detection technology is the honeypot. Honeypots
are decoy systems that are designed to lure a potential attacker away from critical
systems. Honeypots are designed to:
• Divert an attacker from accessing critical systems.
• Collect information about the attacker’s activity.
• Encourage the attacker to stay on the system long enough for administrators
to respond.
These systems are filled with fabricated information designed to appear valuable
but that a legitimate user of the system would not access. Thus, any access to
the honeypot is suspect. The system is instrumented with sensitive monitors and
event loggers that detect these accesses and collect information about the attacker’s
activities. Because any attack against the honeypot is made to seem successful,
administrators have time to mobilize and log and track the attacker without ever
exposing productive systems.
The honeypot is a resource that has no production value. There is no legitimate
reason for anyone outside the network to interact with a honeypot. Thus, any
attempt to communicate with the system is most likely a probe, scan, or attack. Conversely,
if a honeypot initiates outbound communication, the system has probably
been compromised.
Honeypot Classifications
Low interaction honeypot
Consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of those services or systems
Provides a less realistic target
Often sufficient for use as a component of a distributed IDS to warn of imminent attack
High interaction honeypot
A real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers
Is a more realistic target that may occupy an attacker for an extended period
However, it requires significantly more resources
If compromised could be used to initiate attacks on other systems
35
Honeypots are typically classified as being either low or high interaction.
• Low interaction honeypot: Consists of a software package that emulates particular
IT services or systems well enough to provide a realistic initial interaction,
but does not execute a full version of those services or systems.
• High interaction honeypot: Is a real system, with a full operating system, services
and applications, which are instrumented and deployed where they can be
accessed by attackers.
A high interaction honeypot is a more realistic target that may occupy an
attacker for an extended period. However, it requires significantly more resources,
and if compromised could be used to initiate attacks on other systems. This may
result in unwanted legal or reputational issues for the organization running it. A low
interaction honeypot provides a less realistic target, able to identify intruders using
the earlier stages of the attack methodology we discussed earlier in this chapter.
This is often sufficient for use as a component of a distributed IDS to warn of imminent
attack. “The Honeynet Project” provides a range of resources and packages
for such systems.
Initial efforts involved a single honeypot computer with IP addresses designed
to attract hackers. More recent research has focused on building entire honeypot
networks that emulate an enterprise, possibly with actual or simulated traffic and
data. Once hackers are within the network, administrators can observe their behavior
in detail and figure out defenses.
36
Honeypots can be deployed in a variety of locations. Figure 8.8 illustrates
some possibilities. The location depends on a number of factors, such as the type
of information the organization is interested in gathering and the level of risk that
organizations can tolerate to obtain the maximum amount of data.
A honeypot outside the external firewall ( location 1 ) is useful for tracking
attempts to connect to unused IP addresses within the scope of the network. A honeypot
at this location does not increase the risk for the internal network. The danger
of having a compromised system behind the firewall is avoided. Further, because
the honeypot attracts many potential attacks, it reduces the alerts issued by the firewall
and by internal IDS sensors, easing the management burden. The disadvantage
of an external honeypot is that it has little or no ability to trap internal attackers,
especially if the external firewall filters traffic in both directions.
The network of externally available services, such as Web and mail, often
called the DMZ (demilitarized zone), is another candidate for locating a honeypot
( location 2 ). The security administrator must assure that the other systems in the
DMZ are secure against any activity generated by the honeypot. A disadvantage of
this location is that a typical DMZ is not fully accessible, and the firewall typically
blocks traffic to the DMZ the attempts to access unneeded services. Thus, the firewall
either has to open up the traffic beyond what is permissible, which is risky, or
limit the effectiveness of the honeypot.
A fully internal honeypot ( location 3 ) has several advantages. Its most important
advantage is that it can catch internal attacks. A honeypot at this location can
also detect a misconfigured firewall that forwards impermissible traffic from the
Internet to the internal network. There are several disadvantages. The most serious
of these is if the honeypot is compromised so that it can attack other internal
systems. Any further traffic from the Internet to the attacker is not blocked by the
firewall because it is regarded as traffic to the honeypot only. Another difficulty for
this honeypot location is that, as with location 2, the firewall must adjust its filtering
to allow traffic to the honeypot, thus complicating firewall configuration and potentially
compromising the internal network.
An emerging related technology is the use of honeyfiles, that emulate legitimate
documents with realistic, enticing names and possibly content. These documents
should not be accessed by legitimate users of a system, but rather act as bait
for intruders exploring a system. Any access of them is assumed to be suspicious
[WHIT13]. Appropriate generation, placement, and monitoring of honeyfiles is an
area of current research.
37
Snort is an open source, highly configurable and portable host-based or network-based
IDS. Snort is referred to as a lightweight IDS, which has the following characteristics:
• Easily deployed on most nodes (host, server, router) of a network
• Efficient operation that uses small amount of memory and processor time
• Easily configured by system administrators who need to implement a specific
security solution in a short amount of time
Snort can perform real-time packet capture, protocol analysis, and content searching
and matching. Snort can detect a variety of attacks and probes, based on a set of
rules configured by a system administrator.
A Snort installation consists of four logical components ( Figure 8.9 ):
• Packet decoder: The packet decoder processes each captured packet to
identify and isolate protocol headers at the data link, network, transport, and
application layers. The decoder is designed to be as efficient as possible and its
primary work consists of setting pointers so that the various protocol headers
can be easily extracted.
• Detection engine: The detection engine does the actual work of intrusion
detection. This module analyzes each packet based on a set of rules defined
for this configuration of Snort by the security administrator. In essence, each
packet is checked against all the rules to determine if the packet matches
the characteristics defined by a rule. The first rule that matches the decoded
packet triggers the action specified by the rule. If no rule matches the packet,
the detection engine discards the packet.
• Logger: For each packet that matches a rule, the rule specifies what logging
and alerting options are to be taken. When a logger option is selected, the logger
stores the detected packet in human readable format or in a more compact
binary format in a designated log file. The security administrator can then use
the log file for later analysis.
• Alerter: For each detected packet, an alert can be sent. The alert option in the
matching rule determines what information is included in the event notification.
The event notification can be sent to a file, to a UNIX socket, or to a
database. Alerting may also be turned off during testing or penetration studies.
Using the UNIX socket, the alert can be sent to a management machine
elsewhere on the network.
A Snort implementation can be configured as a passive sensor, which monitors
traffic but is not in the main transmission path of the traffic, or an inline sensor,
through which all packet traffic must pass. In the latter case, Snort can perform
intrusion prevention as well as intrusion detection. We defer a discussion of intrusion
prevention to Chapter 9 .
38
Snort uses a simple, flexible rule definition language that generates the rules used
by the detection engine. Although the rules are simple and straightforward to write,
they are powerful enough to detect a wide variety of hostile or suspicious traffic.
Each rule consists of a fixed header and zero or more options (Figure 8.10).
Table 8.3
Snort Rule Actions
39
The header has the following elements:
• Action: The rule action tells Snort what to do when it finds a packet that
matches the rule criteria. Table 8.3 lists the available actions. The last three
actions in the list (drop, reject, sdrop) are only available in inline mode.
• Protocol: Snort proceeds in the analysis if the packet protocol matches this field.
The current version of Snort (2.9) recognizes four protocols: TCP, UDP, ICMP,
and IP. Future releases of Snort will support a greater range of protocols.
• Source IP address: Designates the source of the packet. The rule may specify a
specific IP address, any IP address, a list of specific IP addresses, or the negation
of a specific IP address or list. The negation indicates that any IP address
other than those listed is a match.
• Source port: This field designates the source port for the specified protocol (e.g.,
a TCP port). Port numbers may be specified in a number of ways, including specific
port number, any ports, static port definitions, ranges, and by negation.
• Direction: This field takes on one of two values: unidirectional (->) or bidirectional
(<->). The bidirectional option tells Snort to consider the address/
port pairs in the rule as either source followed by destination or destination
followed by source. The bidirectional option enables Snort to monitor both
sides of a conversation.
• Destination IP address: Designates the destination of the packet.
• Destination port: Designates the destination port.
Following the rule header may be one or more rule options. Each option
consists of an option keyword, which defines the option; followed by arguments,
which specify the details of the option. In the written form, the set of rule options is
separated from the header by being enclosed in parentheses. Snort rule options are
separated from each other using the semicolon (;) character. Rule option keywords
are separated from their arguments with a colon (:) character.
Table 8.4
Examples of
Snort Rule Options
(Table can be found on page 283 in textbook.)
There are four major categories of rule options:
• Meta-data: Provide information about the rule but do not have any affect during
detection
• Payload: Look for data inside the packet payload and can be interrelated
• Non-payload: Look for non-payload data
• Post-detection: Rule-specific triggers that happen after a rule has matched a
packet
Table 8.4 provides examples of options in each category.
40
Summary
Host-based intrusion detection
Data sources and sensors
Anomaly HIDS
Signature or heuristic HIDS
Distributed HIDS
Network-based intrusion detection
Types of network sensors
NIDS sensor deployment
Intrusion detection techniques
Logging of alerts
Example system: Snort
Snort architecture
Snort rules
Intruders
Intruder behavior
Intrusion detection
Basic principles
The base-rate fallacy
Requirements
Analysis approaches
Anomaly detection
Signature or heuristic detection
Distributed or hybrid intrusion detection
Intrusion detection exchange format
Honeypots
41
Chapter 8 summary.
Figure 8.1 Profiles of Behavior of Intruders and Authorized Users
overlap in observed or expected behavior
profile of intruder behavior
profile of authorized user
behavior
Measurable behavior parameter
average behavior of intruder
average behavior of authorized user
Probability density function
Figure 8.1 Profiles of Behavior of Intruders and Authorized Users
overlap in observed
or expected behavior
profile of
intruder behavior
profile of
authorized user
behavior
Measurable behavior
parameter
average behavior
of intruder
average behavior
of authorized user
Probability
density function
Table 8.2 Linux System Calls and Windows DLLs Monitored
(a) Ubuntu Linux System Calls
accept, access, acct, adjtime, aiocancel, aioread, aiowait, aiowrite, alarm, async_daemon, auditsys, bind, chdir, chmod, chown, chroot, close, connect, creat, dup, dup2, execv, execve, exit, exportfs, fchdir, fchmod, fchown, fchroot, fcntl, flock, fork, fpathconf, fstat, fstat, fstatfs, fsync, ftime, ftruncate, getdents, getdirentries, getdomainname, getdopt, getdtablesize, getfh, getgid, getgroups, gethostid, gethostname, getitimer, getmsg, getpagesize, getpeername, getpgrp, getpid, getpriority, getrlimit, getrusage, getsockname, getsockopt, gettimeofday, getuid, gtty, ioctl, kill, killpg, link, listen, lseek, lstat, madvise, mctl, mincore, mkdir, mknod, mmap, mount, mount, mprotect, mpxchan, msgsys, msync, munmap, nfs_mount, nfssvc, nice, open, pathconf, pause, pcfs_mount, phys, pipe, poll, profil, ptrace, putmsg, quota, quotactl, read, readlink, readv, reboot, recv, recvfrom, recvmsg, rename, resuba, rfssys, rmdir, sbreak, sbrk, select, semsys, send, sendmsg, sendto, setdomainname, setdopt, setgid, setgroups, sethostid, sethostname, setitimer, setpgid, setpgrp, setpgrp, setpriority, setquota, setregid, setreuid, setrlimit, setsid, setsockopt, settimeofday, setuid, shmsys, shutdown, sigblock, sigpause, sigpending, sigsetmask, sigstack, sigsys, sigvec, socket, socketaddr, socketpair, sstk, stat, stat, statfs, stime, stty, swapon, symlink, sync, sysconf, time, times, truncate, umask, umount, uname, unlink, unmount, ustat, utime, utimes, vadvise, vfork, vhangup, vlimit, vpixsys, vread, vtimes, vtrace, vwrite, wait, wait3, wait4, write, writev
(b) Key Windows DLLs and Executables
comctl32 kernel32 msvcpp msvcrt mswsock ntdll ntoskrnl user32 ws2_32
Table 8.2 Linux System Calls and Windows DLLs Monitored
(a) Ubuntu Linux System Calls
accept, access, acct, adjtime, aiocancel, aioread, aiowait, aiowrite, alarm, async_daemon,
auditsys, bind, chdir, chmod, chown, chroot, close, connect, creat, dup, dup2, execv, execve,
exit, exportfs, fchdir, fchmod, fchown, fchroot, fcntl, flock, fork, fpathconf, fstat, fstat,
fstatfs, fsync, ftime, ftruncate, getdents, getdirentries, getdomainname, getdopt, getdtablesize,
getfh, getgid, getgroups, gethostid, gethostname, getitimer, getmsg, getpagesize,
getpeername, getpgrp, getpid, getpriority, getrlimit, getrusage, getsockname, getsockopt,
gettimeofday, getuid, gtty, ioctl, kill, killpg, link, listen, lseek, lstat, madvise, mctl, mincore,
mkdir, mknod, mmap, mount, mount, mprotect, mpxchan, msgsys, msync, munmap,
nfs_mount, nfssvc, nice, open, pathconf, pause, pcfs_mount, phys, pipe, poll, profil, ptrace,
putmsg, quota, quotactl, read, readlink, readv, reboot, recv, recvfrom, recvmsg, rename,
resuba, rfssys, rmdir, sbreak, sbrk, select, semsys, send, sendmsg, sendto, setdomainname,
setdopt, setgid, setgroups, sethostid, sethostname, setitimer, setpgid, setpgrp, setpgrp,
setpriority, setquota, setregid, setreuid, setrlimit, setsid, setsockopt, settimeofday, setuid,
shmsys, shutdown, sigblock, sigpause, sigpending, sigsetmask, sigstack, sigsys, sigvec,
socket, socketaddr, socketpair, sstk, stat, stat, statfs, stime, stty, swapon, symlink, sync,
sysconf, time, times, truncate, umask, umount, uname, unlink, unmount, ustat, utime, utimes,
vadvise, vfork, vhangup, vlimit, vpixsys, vread, vtimes, vtrace, vwrite, wait, wait3, wait4,
write, writev
(b) Key Windows DLLs and Executables
comctl32
kernel32
msvcpp
msvcrt
mswsock
ntdll
ntoskrnl
user32
ws2_32
Central Manager
LAN Monitor Host Host
Agent module
Router
Internet
Figure 8.2 Architecture for Distributed Intrusion Detection
Manager module
Central Manager
LAN Monitor
Host Host
Agent
module
Router
Internet
Figure 8.2 Architecture for Distributed Intrusion Detection
Manager
module
OS audit information
Alerts
Modifications
Query/ response
Notable activity;
Signatures; Noteworthy
sessions
Host audit record (HAR)
Figure 8.3 Agent Architecture
Filter for security interest
Reformat function
OS audit function
Analysis module
Templates
Central manager
Logic module
OS audit
information
Alerts
Modifications
Query/
response
Notable
activity;
Signatures;
Noteworthy
sessions
Host audit record (HAR)
Figure 8.3 Agent Architecture
Filter for
security
interest
Reformat
function
OS audit
function
Analysis
module
Templates
Central
manager
Logic
module
NIDS sensor
Figure 8.4 Passive NIDS Sensor
Network traffic
Monitoring interface (no IP, promiscuous mode)
Management interface (with IP)
NIDS
sensor
Figure 8.4 Passive NIDS Sensor
Network traffic
Monitoring interface
(no IP, promiscuous mode)
Management interface
(with IP)
Internet
workstation networks
external firewall
internal firewall
internal firewall
LAN switch or router
LAN switch or router
LAN switch or router
Figure 8.5 Example of NIDS Sensor Deployment
internal server and data resource
networks
service network (Web, Mail, DNS, etc.)
2
1
3
4
Internet
workstation
networks
external
firewall
internal
firewall
internal
firewall
LAN switch
or router
LAN switch
or router
LAN switch
or router
Figure 8.5 Example of NIDS Sensor Deployment
internal server
and data resource
networks
service network
(Web, Mail, DNS, etc.)
2
1
3
4
Distributed detection and inference
Platform policies
Figure 8.6 Overall Architecture of an Autonomic Enterprise Security System
Platform policies
Platform policies
Adaptive feedback based policies
Network policies
PEP events
PEP = policy enforcement point DDI = distributed detection and inference
DDI events
Summary events
Platform events
Platform events
Collaborative policies
goss ip
Distributed detection
and inference
Platform
policies
Figure 8.6 Overall Architecture of an Autonomic Enterprise Security System
Platform
policies
Platform
policies
Adaptive feedback
based policies
Network
policies
PEP
events
PEP = policy enforcement point
DDI = distributed detection and infer ence
DDI
events
Summary
events
Platform
events
Platform
events
Collaborative
policies
g
o
s
s
i
p
Data
sour ce
Sens or
Sens or
Ana lyze
r
Man ager
Response
Activity
Event
Event
Alert
Notification
Operator
Administrator
Security policy
Figure 8.7 Model For Intrusion Detection Message Exchange
Security policy
Data
sour
ce
Sensor
Sensor
Analyzer
Manager
Response
Activity
Event
Event
Alert
Notification
Operator
Administrator
Security
policy
Figure 8.7 Model For Intrusion Detection Message Exchange
Security
policy
Internet
External firewall
Honeypot
Honeypot
Honeypot
LAN switch or router
LAN switch or router
Figure 8.8 Example of Honeypot Deployment
Internal network
Service network (Web, Mail, DNS, etc.)
2
1
3
Internet
External
firewall
Honeypot
Honeypot
Honeypot
LAN switch
or router
LAN switch
or router
Figure 8.8 Example of Honeypot Deployment
Internal
network
Service network
(Web, Mail, DNS, etc.)
2
1
3
Packet Decoder
Figure 8.9 Snort Architecture
Detection Engine
Log
Alert
Packet Decoder
Figure 8.9 Snort Architecture
Detection
Engine
Log
Alert
Action Protocol Source
IP address Source
Port Direction
Dest IP address
Dest Port
(a) Rule Header
Option Keyword
Option Arguments
• • •
(b) Options
Figure 8.10 Snort Rule Formats
Action Protocol
Source
IP address
Source
Port
Direction
Dest
IP address
Dest
Port
(a) Rule Header
Option
Keyword
Option
Arguments
• • •
(b) Options
Figure 8.10 Snort Rule Formats
Action Description alert Generate an alert using the selected alert method, and then log the packet. log Log the packet.
pass Ignore the packet. activate Alert and then turn on another dynamic rule. dynamic Remain idle until activated by an activate rule , then act as a log rule.
drop Make iptables drop the packet and log the packet.
reject Make iptables drop the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
sdrop Make iptables drop the packet but does not log it.
Action Description
alert Generate an alert using the selected alert method, and then log the packet.
log Log the packet.
pass Ignore the packet.
activate Alert and then turn on another dynamic rule.
dynamic Remain idle until activated by an activate rule , then act as a log rule.
drop Make iptables drop the packet and log the packet.
reject
Make iptables drop the packet, log it, and then send a TCP reset if the
protocol is TCP or an ICMP port unreachable message if the protocol is
UDP.
sdrop Make iptables drop the packet but does not log it.
|
meta-data |
|
msg Defines the message to be sent when a packet generates an event.
reference Defines a link to an external attack identification system, which provides additional information.
classtype Indicates what type of attack the packet attempted. |
|
payload |
|
content Enables Snort to perform a case-sensitive search for specific content (text and/or binary) in the packet payload.
depth Specifies how far into a packet Snort should search for the specified pattern. Depth modifies the previous content keyword in the rule.
offset Specifies where to start searching for a pattern within a packet. Offset modifies the previous content keyword in the rule.
nocase Snort should look for the specific pattern, ignoring case. Nocase modifies the previous content keyword in the rule. |
|
non-payload |
|
ttl Check the IP time-to-live value. This option was intended for use in the detection of traceroute attempts.
id Check the IP ID field for a specific value. Some tools (exploits, scanners and other odd programs) set this field specifically for various purposes, for example, the value 31337 is very popular with some hackers.
dsize Test the packet payload size. This may be used to check for abnormally sized packets. In many cases, it is useful for detecting buffer overflows.
flags Test the TCP flags for specified settings.
seq Look for a specific TCP header sequence number.
icmp-id Check for a specific ICMP ID value. This is useful because some covert channel programs use static ICMP fields when they communicate. This option was developed to detect the stacheldraht DDoS agent.
|
|
post-detection |
|
logto Log packets matching the rule to the specified filename.
session Extract user data from TCP Sessions. There are many cases where seeing what users are typing in telnet, rlogin, ftp, or even web sessions is very useful.
|