
Intrusion Detection

Dr. James P. Early, CS526 Lecture, November 8, 2005

Lecture Outline
- Terminology
- History
- Challenges

What is an intrusion?
- Any set of actions that attempt to compromise the confidentiality, integrity, or availability of a computer resource
- The term is overloaded
- What we are really trying to detect is a policy violation

Types of Violations
Attack
- Attempts to exploit a vulnerability
- Ex: denial of service, privilege escalation

Intrusion
- Masquerading as another legitimate user

Misuse
- A user abuses privileges they legitimately hold
- Often called the insider threat

Differentiating ID Systems
- Monitoring strategy
- Data sources
- Analysis type
- Timing
- Detection goals
- Control

Monitoring Strategy
Host
- Internal computer sources
- Ex: OS audit and system logs

Network
- Packets captured via sniffing

Application
- Application event streams and logs

Target-based
- Monitor an object for changes
- Ex: Tripwire

Analysis Type
Misuse detection
- Built with knowledge of bad behaviors
- A collection of signatures
- Examine the event stream for a signature match

Anomaly detection
- Built with knowledge of normal behaviors
- Examine the event stream for deviations from normal
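The two analysis types side by side, as an added example that is not part of the lecture or of any real IDS: a signature matcher and a profile-based anomaly detector run over the same constructed web-server event stream. The log lines, the two signatures, and the "unknown path / three standard deviations above normal request volume" profile are all assumptions made for this illustration.

```python
"""Misuse (signature) detection beside anomaly (profile) detection, run over
one constructed web-server event stream.  Every log line here is made up for
this example; the detectors are illustrative, not Snort or any real IDS."""
import re
import statistics
from collections import Counter

# Constructed "normal" training window, assumed attack-free (the assumption
# anomaly detection always has to make).
TRAIN = [
    "10.0.0.1 GET /index.html 200",
    "10.0.0.2 GET /index.html 200",
    "10.0.0.1 GET /login 200",
    "10.0.0.3 GET /about 200",
    "10.0.0.2 GET /login 200",
    "10.0.0.3 GET /index.html 200",
    "10.0.0.1 GET /about 200",
    "10.0.0.4 GET /login 200",
]

# Constructed test window: two signature-matching attacks, one benign page that
# never appeared in training, and one client that suddenly floods.
TEST = [
    "10.0.0.1 GET /index.html 200",
    "10.0.0.9 GET /../../etc/passwd 404",            # path traversal
    "10.0.0.2 GET /login?user=a'%20or%201=1-- 500",  # SQL injection
    "10.0.0.3 GET /newpage.html 200",                # benign but novel
] + ["10.0.0.5 GET /index.html 200"] * 6            # flood from one host

# Misuse detection: a collection of signatures for known-bad input.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)'(?:%20|\s)+or(?:%20|\s)+1=1"),
}


def parse(line):
    src, method, path, status = line.split()
    return {"src": src, "method": method, "path": path, "status": int(status)}


def misuse_detect(events):
    """Return (event index, signature name) for every signature match."""
    alerts = []
    for i, line in enumerate(events):
        for name, pattern in SIGNATURES.items():
            if pattern.search(parse(line)["path"]):
                alerts.append((i, name))
    return alerts


def build_profile(train):
    """Learn 'normal': the set of requested paths and per-client request volume."""
    events = [parse(l) for l in train]
    per_client = list(Counter(e["src"] for e in events).values())
    mean = statistics.mean(per_client)
    sd = statistics.pstdev(per_client)
    return {
        "paths": {e["path"] for e in events},
        "rate_threshold": mean + 3 * sd,   # three standard deviations above normal
    }


def anomaly_detect(events, profile):
    """Flag deviations from the profile: unseen paths and unusually chatty clients."""
    alerts = []
    parsed = [parse(l) for l in events]
    for i, e in enumerate(parsed):
        if e["path"] not in profile["paths"]:
            alerts.append(("unknown-path", i))
    for src, n in sorted(Counter(e["src"] for e in parsed).items()):
        if n > profile["rate_threshold"]:
            alerts.append(("rate", src))
    return alerts


if __name__ == "__main__":
    print("misuse  :", misuse_detect(TEST))
    print("anomaly :", anomaly_detect(TEST, build_profile(TRAIN)))
```

Running it shows the trade-off the slides describe: the signatures catch exactly the two known attack patterns and nothing else, while the profile catches the flood and the two attacks (as unseen paths) but also raises a false positive on the benign new page, and would have learned the attacks as "normal" had the training window not been attack-free.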

Timing
Batch/interval
- Analysis is done on bulk data (files)
- Analysis is periodic

Real-time
- Analysis tries to keep pace with events
- Results can be used to take timely action

Detection Goals
Accountability
- Capability to attribute an action to the responsible party
- Very challenging in networked environments

Response
- Record the result to a log
- Trigger an alarm
- Adapt the system: kill a process; update a firewall rule

Control
Centralized
- Central repository for data collection/analysis
- Ex: Tripwire (host) and Snort (network)

Agent-based
- Distributed collection using agents or sensors
- Alerts can be sent to a central collection point
- Ex: ESP (host) and AAFID (network)

History
1970s - Observation by administrators
- When an account is used
- When/how much a resource is used

Early 1980s - Usage models
- First proposed by Anderson (1980)
- Based on accounting logs: login frequency, volume of data processed, etc.
- Batch processing; not real time

Anderson's Threat Matrix

                                | Not authorized to use    | Authorized to use
                                | data/program             | data/program
--------------------------------+--------------------------+---------------------
Not authorized to use computer  | Case A: External         |
Authorized to use computer      | Case B: Internal         | Case C: Misfeasance

History
Late 1980s - Real-time intrusion detection
- Principles formalized by D. Denning (from Purdue!)
- Created the Intrusion Detection Expert System (IDES)
- Hybrid of anomaly detection and an expert system
- Used adaptive statistical profiles and policy rules

Many more followed
- Haystack, MIDAS, NADIR, NSM, Wisdom and Sense

History
1990s
- Increased attention on network-based systems: GrIDS, EMERALD
- Introduction of machine learning and data mining techniques: MADAM ID (Mining Audit Data for Automated Models for Intrusion Detection), ADAM (Audit Data Analysis and Mining)

Challenge: Data Sources
- Are we collecting the right information? Does it permit identification of violations?
- How much information is enough?
- Where to collect? Host versus network?
- Format for interoperability? IDMEF: XML-based message format (2004)

System Features
- Accounting information: login attempts, time, CPU used, resources accessed
- Sequences of system calls: Hofmeyr (1998)
- Sequences of user commands: Lane (1998)
- Mouse movements: Pusara (2003)

Network Features
- Packet header values: Mahoney (2002)
- TCP sessions: Lee (2002)
- Behavioral features: Early (2005)

The Evasion Problem
- Location can make the IDS vulnerable
- Overload the monitor with events: slow its processing, overload its disk storage (DoS attacks against the monitor itself)
- Insertion and evasion attacks: Ptacek and Newsham (1998)

[Figure: the monitor reassembles the stream as A T T A X C K, while the inserted X segment is dropped by the network and the victim receives A T T A C K. Because the monitor accepts a segment the victim never sees, it reconstructs a different stream and misses the signature.]
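The insertion attack in the figure, simulated in Python as an added example (not code from the lecture or from Ptacek and Newsham's paper). The segments, the TTL trick used to get the X dropped, and the five-hop distance to the victim are constructed assumptions; the "monitors" are toy reassemblers that show why a monitor must accept exactly what the victim accepts, and why that requires knowledge the monitor usually does not have.

```python
"""Insertion attack in the style of Ptacek and Newsham (1998), simulated.
The segments and hop count are constructed for this example; the 'monitors'
are toy reassemblers, not any real IDS."""
from collections import namedtuple

Segment = namedtuple("Segment", "seq data ttl")

HOPS_TO_VICTIM = 5   # assumed distance from the monitor's vantage point to the victim
SIGNATURE = "ATTACK"

# Constructed attack stream.  The 'X' segment carries a TTL too small to reach
# the victim, so only the monitor ever sees it.
SEGMENTS = [
    Segment(0, "A", 64),
    Segment(1, "T", 64),
    Segment(2, "T", 64),
    Segment(3, "A", 64),
    Segment(4, "X", 2),    # inserted: dies in the network before the victim
    Segment(4, "C", 64),   # the byte the victim really receives at seq 4
    Segment(5, "K", 64),
]


def reaches_victim(seg, hops):
    """Each router decrements TTL; the packet dies if TTL hits 0 before delivery."""
    return seg.ttl > hops


def reassemble(segments, policy="first"):
    """Rebuild the byte stream by sequence number.  On overlap keep the first or
    the last copy; stop at the first hole."""
    bytes_by_seq = {}
    for seg in segments:
        for i, ch in enumerate(seg.data):
            pos = seg.seq + i
            if policy == "first":
                bytes_by_seq.setdefault(pos, ch)
            else:
                bytes_by_seq[pos] = ch
    out, pos = [], 0
    while pos in bytes_by_seq:
        out.append(bytes_by_seq[pos])
        pos += 1
    return "".join(out)


def naive_monitor_view(segments):
    """Monitor that ignores sequence numbers and concatenates in arrival order."""
    return "".join(s.data for s in segments)


def seq_aware_monitor_view(segments):
    """Monitor that tracks sequence numbers but accepts every segment it sees."""
    return reassemble(segments, policy="first")


def victim_view(segments, hops=HOPS_TO_VICTIM):
    """What the victim's TCP stack actually reconstructs."""
    return reassemble([s for s in segments if reaches_victim(s, hops)])


def topology_aware_monitor_view(segments, hops=HOPS_TO_VICTIM):
    """Monitor that discards segments which cannot reach the victim.  This needs
    knowledge of the path length, which is exactly the hard part in practice."""
    return victim_view(segments, hops)


def detects(stream):
    return SIGNATURE in stream


if __name__ == "__main__":
    for name, view in [("naive monitor", naive_monitor_view(SEGMENTS)),
                       ("seq-aware monitor", seq_aware_monitor_view(SEGMENTS)),
                       ("topology-aware monitor", topology_aware_monitor_view(SEGMENTS)),
                       ("victim", victim_view(SEGMENTS))]:
        print(f"{name:24s} {view!r:12} alert={detects(view)}")
```

The naive monitor sees ATTAXCK exactly as in the figure; a monitor that does track sequence numbers but keeps the first copy of byte 4 sees ATTAXK; only the victim, and a monitor that knows which segments can reach the victim, sees ATTACK. The same ambiguity arises with bad checksums, overlapping segments and differing reassembly policies across operating systems.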

Challenge: Analysis Type
Misuse detection
- Limited by the available signatures
- Can't detect new attacks
- Must be updated frequently

Anomaly detection
- Requires representative normal data
- Requires attack-free training data

Some systems combine the two approaches

Challenge: Timing
Time to detect
- How many signatures can be checked?
- How long does it take to verify model compliance?
- Is there time to react?

Violations within the idle interval
- Ex: a file modification between Tripwire runs
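A target-based checker in the style of Tripwire (introduced under Monitoring Strategy above) together with the idle-interval blind spot, as an added example; this is illustrative code written for this page, not Tripwire's. The directory layout and file contents are constructed in a temporary directory, and the choice of SHA-256 over a content-only baseline is an assumption.

```python
"""Target-based monitoring in the style of Tripwire: hash a baseline of files,
re-hash later, report differences.  Written for this example (not Tripwire's
code); the directory tree and file contents are constructed in a temp dir."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                digests[rel] = hashlib.sha256(f.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Classify every path as added, removed, or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Two runs: one where changes persist until the check, one where a file is
    modified and restored between checks (the idle-interval blind spot)."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/config.ini", b"debug=0\n")
        write(root, "bin/server", b"\x7fELF original binary\n")
        baseline = snapshot(root)            # kept offline in a real deployment

        # Run 1: attacker changes config and drops a file; the check catches both.
        write(root, "etc/config.ini", b"debug=1\n")
        write(root, "bin/dropped.bin", b"payload")
        persistent = compare(baseline, snapshot(root))

        # Run 2: restore, then modify and restore again *between* checks.
        write(root, "etc/config.ini", b"debug=0\n")
        os.remove(os.path.join(root, "bin/dropped.bin"))
        write(root, "bin/server", b"\x7fELF trojaned binary\n")  # used, then...
        write(root, "bin/server", b"\x7fELF original binary\n")  # ...put back
        transient = compare(baseline, snapshot(root))
        return persistent, transient


if __name__ == "__main__":
    persistent, transient = demo()
    print("changes that persisted until the run:", persistent)
    print("changes undone between runs:        ", transient)
```

The second report is empty: whatever happened between two batch runs is invisible to a periodic checker. Two further caveats a practitioner would add are that the baseline must be stored where the monitored host cannot rewrite it, and that a checker running on an already-compromised host can be fed false file contents (the subversion problem raised under Challenge: Control).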

Challenge: Control
Centralized
- Sufficient processing resources
- Protection from attack

Agent-based
- Secure communication
- Efficiency: does the agent make reasonable processing demands?
- Subversion

Causes of Security Problems
System design and development
- Software platform: buffer overflows, stack smashing
- Inadequate development process / quality assurance
- Errors/bugs

System management
- Failure to create adequate policies
- Failure to maintain (patches, etc.)

Trust allocation
- Protocols with inadequate authentication
- Faulty cryptographic protocols
- Failure to create adequate policies

Defining Policy
Consider this example: A hospital deploys a database system for patient records. The system consists of a centralized DB server accessed by client systems in the hospital. Clients access the information through a network of connected PCs and via wireless PDAs.

What sorts of policy statements can we make about the hardware? Software? Users?

Defining Policy
Possible statements
- The DB server software will be kept up to date
- Unused network services (ports) on the DB server will be disabled
- Wireless access will employ strong cryptographic protocols
- Users are prohibited from examining records of patients not in their care

Expressing policy in machine-readable form is a very hard problem, particularly for misfeasance (i.e. insiders)

Performance Issues
False positive rates
- Labeling a benign event as an attack
- Particularly troublesome for anomaly detection systems
- False positives dominate IDS performance: the Base Rate Fallacy, Axelsson (1998)

False negative rates
- Failure to detect an attack event

Data volume
- Partitioning / filtering event streams
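The base rate fallacy worked through with Bayes' theorem, as an added example not taken from the lecture or from Axelsson's paper. The scenario (2 intrusion events per 100,000 audit records, a detector that never misses) is an assumed illustrative one; the point is how the rarity of intrusions, not the detector's accuracy, decides what fraction of alarms are real.

```python
"""Axelsson's base rate fallacy worked through with Bayes' theorem.  The
numbers are assumed illustrative values (a rare intrusion among many audit
records), not measurements from the lecture."""


def bayesian_detection_rate(base_rate, true_positive_rate, false_positive_rate):
    """P(I | A) = P(A|I) P(I) / (P(A|I) P(I) + P(A|not I) P(not I))."""
    p_i = base_rate
    p_not_i = 1.0 - base_rate
    alarm_and_intrusion = true_positive_rate * p_i
    alarm_and_benign = false_positive_rate * p_not_i
    return alarm_and_intrusion / (alarm_and_intrusion + alarm_and_benign)


def required_fpr(base_rate, true_positive_rate, target_precision):
    """Invert the formula: the false positive rate that gives P(I | A) = target."""
    # fpr = tpr * P(I) * (1 - target) / (target * (1 - P(I)))
    p_i = base_rate
    return (true_positive_rate * p_i * (1 - target_precision)
            / (target_precision * (1 - p_i)))


# Assumed scenario: 2 intrusion events hidden in 100,000 audit records,
# with a detector that never misses (TPR = 1).
BASE_RATE = 2 / 100_000

if __name__ == "__main__":
    for fpr in (1e-2, 1e-3, 1e-4, 1e-5):
        rate = bayesian_detection_rate(BASE_RATE, 1.0, fpr)
        print(f"FPR={fpr:g}: P(intrusion | alarm) = {rate:.3f}")
    print("FPR needed for 90% of alarms to be real:",
          f"{required_fpr(BASE_RATE, 1.0, 0.9):.2e}")
```

Even with perfect recall, a false positive rate of one in a thousand means roughly 98 of every 100 alarms are benign; two thirds of alarms are real only at one false positive per 100,000 events, and 90% needs about two per million. This is why false positive rate, not detection rate, dominates the operational cost of an IDS.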

Honeypots and Honeynets
- A real or virtual system with no production purpose, so any activity on it is treated as an attack
- Entice attackers to break in
- Observe their actions and tool usage
- Record all activities
- Use the information to develop stronger defenses

Research Directions
- Policy derivation/validation: theorem provers
- Worm propagation
- Infrastructure protection: routing and DNS tables
- Feature extraction: library interposition (Kuperman 2004), network protocols (Early 2005)

Questions?

