Lecture Outline
Terminology
History
Challenges
What is an intrusion?
Any set of actions that attempt to compromise the confidentiality, integrity, or availability of a computer resource
The term is overloaded
In practice, intrusion detection means trying to detect a policy violation
Types of Violations
Attack
Attempts to exploit a vulnerability
Ex: denial of service, privilege escalation
Intrusion
Masquerading as another legitimate user
Misuse
User abuses privileges
Often called the insider threat
Differentiating ID Systems
Monitoring strategy
Data sources
Monitoring Strategy
Host
Internal computer sources
Ex: OS audit and system logs
Network
Packets via sniffing
Application
Application event streams and logs
Target-based
Monitor objects (files, configuration) for changes
Ex: Tripwire
Analysis Type
Misuse detection
Built with knowledge of bad behaviors
Collection of signatures
Examine event stream for signature match
Anomaly detection
Built with knowledge of normal behaviors
Examine event stream for deviations from normal
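The two analysis types can be run side by side over the same event stream. This added example (not from the slides, and not the rule format of any real IDS) applies a handful of constructed signatures to syslog-style login events, and separately learns a per-user profile of logins per batch from attack-free training batches, flagging deviations of more than k standard deviations. The log lines, user names and addresses are all constructed.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# --- Misuse detection: known-bad patterns over the event stream -----------------
# Constructed signatures; a real signature set would be far larger and more specific.
SIGNATURES = {
    "failed-password": re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "root-login": re.compile(r"Accepted \w+ for (?P<user>root) from (?P<src>\S+)"),
}


def misuse_detect(events):
    """Return (signature name, event) for every event that matches a known-bad signature."""
    return [(name, line) for line in events
            for name, pattern in SIGNATURES.items() if pattern.search(line)]


# --- Anomaly detection: deviation from a learned profile of normal -----------------
LOGIN = re.compile(r"Accepted \w+ for (?P<user>\S+) from")


def logins_per_user(events):
    """Count successful logins per user in one batch of events."""
    counts = Counter()
    for line in events:
        m = LOGIN.search(line)
        if m:
            counts[m.group("user")] += 1
    return counts


def build_profile(training_batches):
    """Per-user (mean, std-dev) of logins per batch, learned from attack-free training data."""
    per_user = {}
    for batch in training_batches:
        for user, n in logins_per_user(batch).items():
            per_user.setdefault(user, []).append(n)
    nbatches = len(training_batches)
    profile = {}
    for user, counts in per_user.items():
        counts = counts + [0] * (nbatches - len(counts))  # batches with no logins count as 0
        profile[user] = (mean(counts), pstdev(counts))
    return profile


def anomaly_detect(profile, batch, k=3.0):
    """Flag users whose login count exceeds mean + k*sd; users with no profile are flagged too."""
    flagged = []
    for user, n in logins_per_user(batch).items():
        if user not in profile:
            flagged.append((user, n, "no profile for this user"))
            continue
        mu, sigma = profile[user]
        # Floor sigma at 1 so a perfectly constant history does not make the detector hair-trigger.
        if n > mu + k * max(sigma, 1.0):
            flagged.append((user, n, f"profile mean {mu:.1f}, sd {sigma:.1f}"))
    return flagged


def accepted(user, src="10.0.0.5"):
    return f"host1 sshd: Accepted password for {user} from {src}"


def failed(user, src):
    return f"host1 sshd: Failed password for {user} from {src}"


# Constructed data: five attack-free hourly batches for training, one batch to analyse.
TRAINING = [[accepted("alice")] * 3 + [accepted("bob")] * 2 for _ in range(5)]
TEST_BATCH = ([accepted("alice")] * 3 + [accepted("bob")] * 20
              + [failed("admin", "203.0.113.9")] * 2 + [accepted("root", "203.0.113.9")])


def demo():
    """Run both detectors over the constructed test batch."""
    profile = build_profile(TRAINING)
    return misuse_detect(TEST_BATCH), anomaly_detect(profile, TEST_BATCH)


if __name__ == "__main__":
    hits, anomalies = demo()
    print("misuse:", hits)
    print("anomaly:", anomalies)
```

Note what each detector misses: the signature matcher says nothing about bob's unusual volume of logins, and the profile flags root only because root never appeared in training, which is exactly why the slides stress that anomaly detection needs representative, attack-free normal data.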
Timing
Batch/interval
Analysis is done on bulk data (files)
Analysis is periodic
Real-time
Analysis tries to keep pace with events
Results can be used to take timely action
Detection Goals
Accountability
Capability to attribute an action to the responsible party
Very challenging in networked environments
Response
Record result to a log
Trigger alarm
Adapt the system
Ex: kill a process; update a firewall rule
Control
Centralized
Central repository for data collection/analysis
Ex: Tripwire (host) and SNORT (network)
Agent-based
Distributed collection using agents or sensors
Alerts can be sent to a central collection point
Ex: ESP (host) and AAFID (network)
History
1970s - Observation by administrators
When an account is used
When/how much a resource is used
Late 1980s - Real-time intrusion detection
Principles formalized by D. Denning (from Purdue!)
Created the Intrusion Detection Expert System (IDES)
Hybrid of anomaly detection and an expert system
Used adaptive statistical profiles and policy rules
1990s - Increased attention on network-based systems
GrIDS, EMERALD
System Features
Accounting information
Login attempts, time, CPU used
Resources accessed
Mouse movements
Pusara (2003)
Network Features
Packet header values
Mahoney (2002)
TCP Sessions
Lee (2002)
Behavioral features
Early (2005)
Anomaly detection
Requires representative normal data
Requires attack-free data
Challenge: Timing
Time to detect
How many signatures can be checked?
How long to verify model compliance?
Is there time to react?
Challenge: Control
Centralized
Sufficient processing resources
Protection from attack
Agent-based
Secure communication
Efficiency
Does the agent make reasonable processing demands?
Subversion
System management
Failure to create adequate policies
Failure to maintain (patches, etc.)
Trust allocation
Protocols with inadequate authentication
Faulty cryptographic protocols
Failure to create adequate policies
Defining Policy
Consider this example
A hospital deploys a database system for patient records. The system consists of a centralized DB server accessed by client systems in the hospital. Clients access the information through a network of connected PCs and via wireless PDAs.
What sorts of policy statements can we make about the hardware? Software? Users?
Possible statements
The DB server software will be kept up to date
Unused network services (ports) on the DB server will be disabled
Wireless access will employ strong cryptographic protocols
Users are prohibited from examining records of patients not in their care
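The last policy statement is the one an application-level detector can check directly, which ties the hospital example back to the definition of intrusion as a policy violation. The following added example (not from the slides) audits a constructed application access log against a constructed table of care assignments, each assignment being an episode of care with a start and end date; every read of a record by a user who was not assigned to that patient on that day is reported as a violation.

```python
from datetime import date, datetime

# Constructed care assignments: (clinician, patient id, episode start, episode end).
ASSIGNMENTS = [
    ("dr_patel", "P1001", "2024-03-01", "2024-03-10"),
    ("nurse_kim", "P1001", "2024-03-01", "2024-03-10"),
    ("dr_patel", "P1002", "2024-03-05", "2024-03-20"),
]

# Constructed application audit log: "<timestamp> <user> <action> <patient id>".
ACCESS_LOG = [
    "2024-03-04T10:15 dr_patel READ P1001",
    "2024-03-04T10:20 nurse_kim READ P1001",
    "2024-03-06T08:00 nurse_kim READ P1002",  # nurse_kim is not on P1002's care team
    "2024-03-12T09:30 dr_patel READ P1001",   # episode of care for P1001 ended on 03-10
]


def in_care(user, patient, when, assignments=ASSIGNMENTS):
    """True if the user had an active care assignment for the patient on that day."""
    day = when.date()
    return any(
        u == user and p == patient
        and date.fromisoformat(start) <= day <= date.fromisoformat(end)
        for u, p, start, end in assignments
    )


def audit(log, assignments=ASSIGNMENTS):
    """Return (user, patient, timestamp) for every record access outside an active assignment."""
    violations = []
    for line in log:
        ts, user, action, patient = line.split()
        when = datetime.fromisoformat(ts)
        if action == "READ" and not in_care(user, patient, when, assignments):
            violations.append((user, patient, ts))
    return violations


if __name__ == "__main__":
    for v in audit(ACCESS_LOG):
        print("policy violation:", v)
```

This is misuse detection in the sense of the earlier slides: the "signature" is the policy itself, so its accuracy depends entirely on the assignment table being complete and current, which is an instance of the "failure to maintain" subversion path.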
Performance Issues
False positive rates
Labeling a benign event as an attack
Particularly troublesome for anomaly detection systems
Dominates IDS performance
Base Rate Fallacy, Axelsson (1998)
Data volume
Partitioning / filtering event streams
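Why false positives dominate is a matter of arithmetic, and a short calculation makes the base rate fallacy concrete. This added example (not from the slides) applies Bayes' rule to get the probability that an alarm actually corresponds to an intrusion, given the prevalence of intrusions in the event stream, the detector's true-positive rate and its false-positive rate. The prevalence of 2 intrusion records in 100,000 and the false-positive rates are assumed values chosen to illustrate the argument Axelsson makes, not figures taken from the slides.

```python
def bayesian_detection_rate(p_intrusion, tp_rate, fp_rate):
    """P(intrusion | alarm) by Bayes' rule.

    p_intrusion : prior probability that a given event is intrusive (the base rate)
    tp_rate     : P(alarm | intrusion)
    fp_rate     : P(alarm | no intrusion)
    """
    p_alarm = tp_rate * p_intrusion + fp_rate * (1.0 - p_intrusion)
    return tp_rate * p_intrusion / p_alarm


def expected_alarms(records_per_day, p_intrusion, tp_rate, fp_rate):
    """(true alarms per day, false alarms per day) for a stream of this size."""
    intrusions = records_per_day * p_intrusion
    benign = records_per_day - intrusions
    return intrusions * tp_rate, benign * fp_rate


def detection_rate_table(p_intrusion=2e-5, tp_rate=1.0, fp_rates=(1e-2, 1e-3, 1e-4, 1e-5)):
    """How P(intrusion | alarm) varies with the false-positive rate at a fixed base rate."""
    return {fp: bayesian_detection_rate(p_intrusion, tp_rate, fp) for fp in fp_rates}


if __name__ == "__main__":
    # Assumed: one million audit records a day, 20 of them intrusive (base rate 2e-5),
    # and a detector that never misses (tp_rate = 1.0).
    for fp, rate in detection_rate_table().items():
        true_alarms, false_alarms = expected_alarms(1_000_000, 2e-5, 1.0, fp)
        print(f"fp_rate={fp:.0e}  P(intrusion|alarm)={rate:.4f}  "
              f"true alarms/day={true_alarms:.0f}  false alarms/day={false_alarms:.0f}")
```

Even with a perfect true-positive rate, a false-positive rate of one in a thousand leaves fewer than two alarms in a hundred being real, and the analyst's day is spent on the other ninety-eight; only a false-positive rate near the base rate itself makes the majority of alarms worth chasing. That is why the slides list false positives as the factor that dominates IDS performance.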
Research Directions
Policy derivation/validation
Theorem provers
Feature extraction
Library interposition (Kuperman 2004)
Network protocols (Early 2005)
References
Intrusion Detection, Rebecca Bace, Macmillan Technical Publishing, 2000
CERIAS hotlist
http://www.cerias.purdue.edu/tools_and_resources/hotlist/
Phillip Chan
http://www.cs.fit.edu/~pkc/id/related/