Sana Ullah Jan
Intrusions
Intrusion Detection/Prevention
IDPS History
Intrusions
Intrusion/Threat Definition
Deliberate unauthorized attempt to:
a) access information,
b) manipulate information, or
c) render a system unreliable or unusable
Intro
IDPS
J. P. Anderson. Computer Security Threat Monitoring and Surveillance. Technical report, James P. Anderson Co., Fort Washington, Pennsylvania, April 1980.
Types of Intrusions
Intrusions can be broadly divided into 6 main types:
1. Attempted break-ins
– Outsider convinces the system that they are an authorised user (using a user identification/password)
– Detected by atypical behaviour profiles or violations of security constraints.
2. Masquerade attacks
– Imitating a different user’s identity, presumably one with higher privilege
– Detected by atypical behaviour profiles or violations of security constraints.
3. Penetration of the security control system
– Attempt to modify the system’s security characteristics (e.g. passwords)
– Detected by monitoring for specific patterns of activity.
Types of Intrusions (continued)
4. Leakage
– Information moving out of the system (printing bulk documents, or displaying on a terminal that can capture)
– Detected by atypical use of system resources.
5. Denial of service
– Making system resources unavailable (to other users)
– Detected by atypical use of system resources.
6. Malicious use
– Resource hogging, file deletion, etc.
– Detected by atypical behaviour profiles, violations of security constraints, or use of special privileges.
Steven E. Smaha. Haystack: An Intrusion Detection System. In Fourth Aerospace Computer Security Applications Conference, page 40, Tracor Applied Science Inc., Austin, Texas, December 1988.
[Figure: burglar-alarm analogy. Policy breach / misuse / intrusions are picked up by the IDS, which raises an alarm to the administrator when it detects an intrusion. It reports an intrusion within the building, but can’t stop the intruder making off with the loot.]
Q. Other examples of physical IDS?
Intrusion Detection Systems (IDS)
Intrusion Detection Systems
• IDS report intrusion/attack in the organisation
– Alarm-based system
– Monitors systems/networks for unauthorised access and misuse
– Reports possible intrusion to a human, who can analyse/respond to the attack
– Fire alarm – sometimes after human analysis – no fire!
– Like an alarm system, cannot stop the attack
– Passive system
[Figure: Prevention – IPS sensors typically trigger an alarm, but can also provide an Active Response to an intrusion.]
Intrusion Prevention Systems (IPS)
Intrusion Prevention Systems
• Attempts to stop intrusion/attack, as well as detect and report
– Alarm-based system – does what IDS can do – monitors systems/networks
– Extended with an Active Response to prevent the attack from succeeding/doing harm
– Unlike an IDS alarm-based system, also tries to stop the attack in progress
– Fire alarm + sprinkler system!
• Summary: IDS – Passive vs IPS – Active
Detection Sensors
Alert Types
Detection method types
Intrusion Detection Systems (IDS)
• IDS sensors report intrusion/attack against monitored assets
• Monitors systems/networks
– Network-based IDS
– Host-based IDS
• Mature technology
• IDS is not the primary form of defence, and not a replacement for other defences – use as part of defence-in-depth
Intrusion Detection Systems (IDS)
• An administrator can
– Analyse the alert raised, and any logged information from the IDS, to make a decision on response
– Collect data for Incident Response and Forensics
IDS Alerts
• 2 Types of Alert Classification:
– Positive Alert
• Alert raised due to identifying an activity deemed a possible intrusion
• Sometimes called an Event Of Interest (EOI)
– Negative Alert
• Alert not raised, due to identifying an activity as not an intrusion
• Activity deemed not an EOI
– IDS does not always get this correct
• The classification can also be TRUE or FALSE
• TRUE – Correct Classification
– TRUE Positive: Alert Raised – Correctly
• FALSE – Incorrect Classification
– FALSE Positive: Alert Raised – Incorrectly
IDS Alert Classification
• 4 Types of Alerts: TRUE Positive, FALSE Positive, TRUE Negative, FALSE Negative
IDS Alert Classification
• Ideally an IDS would generate only TRUE Positives and TRUE Negatives
• Difficult analysis, and cunning attackers, make this unlikely – FALSE Positives and FALSE Negatives occur
– FALSE Negatives – the IDS missed the intrusion, and there is no information for the administrator to analyse; vendors are addressing this with new techniques such as Machine Intelligence
– FALSE Positives
• Measuring IDS Alerts:
– TRUE Positives – as high as possible
– FALSE Positives – as low as possible
Detection Rate = True Positives / (True Positives + False Negatives)
– Can’t measure FALSE Negatives directly – a missed intrusion is, by definition, not reported
– TRUE Positives / FALSE Positives
• Tune the IDS for the best ratio – after FALSE Positives are raised
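The four alert classes and the two rates above, worked through on a constructed set of events. This is an added example and not part of the slides; the event list and the scores an imaginary IDS assigned to them are made up, and the sweep over alert thresholds shows the tuning trade-off the slide describes (raising the threshold lowers FALSE Positives and raises FALSE Negatives).

```python
from collections import Counter

# Constructed: (was it really an intrusion?, score the IDS gave the event).
# The IDS alerts when the score reaches its configured threshold. Ground truth
# is only known after analyst review, which is why FN cannot be counted live.
SCORED_EVENTS = [
    (True, 0.95), (True, 0.80), (True, 0.55),
    (False, 0.70), (False, 0.65), (False, 0.40), (False, 0.30), (False, 0.10),
]

def classify(intrusion, alerted):
    """Map one (ground truth, IDS decision) pair to its alert class."""
    if alerted:
        return "TP" if intrusion else "FP"
    return "FN" if intrusion else "TN"

def confusion_counts(events):
    counts = Counter(classify(truth, alerted) for truth, alerted in events)
    return {key: counts.get(key, 0) for key in ("TP", "FP", "TN", "FN")}

def evaluate(scored_events, threshold):
    """Apply one alert threshold and count the four alert classes."""
    return confusion_counts((truth, score >= threshold) for truth, score in scored_events)

def detection_rate(counts):
    # Detection Rate = TP / (TP + FN), as on the slide.
    intrusions = counts["TP"] + counts["FN"]
    return counts["TP"] / intrusions if intrusions else 0.0

def false_positive_rate(counts):
    benign = counts["FP"] + counts["TN"]
    return counts["FP"] / benign if benign else 0.0

def tp_fp_ratio(counts):
    # The ratio an administrator can actually observe while tuning: every alert
    # raised turns out to be either a TP or an FP once it has been analysed.
    return counts["TP"] / counts["FP"] if counts["FP"] else float("inf")

def sweep(scored_events, thresholds):
    """Tuning view: detection rate and false positive rate per threshold."""
    return [(t, detection_rate(evaluate(scored_events, t)),
             false_positive_rate(evaluate(scored_events, t))) for t in thresholds]

if __name__ == "__main__":
    for threshold, dr, fpr in sweep(SCORED_EVENTS, (0.25, 0.5, 0.75, 0.9)):
        print(f"threshold {threshold:.2f}: detection rate {dr:.2f}, false positive rate {fpr:.2f}")
```

At a threshold of 0.5 every intrusion is caught but two benign events alert; at 0.75 the false positives vanish and one intrusion is missed. Which point is "best" depends on whether an analyst's time or a missed intrusion is the more expensive error at the site.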
Detection Methods
• 2 Main Types
– Signature/Misuse-based Intrusion Detection
• Look for known attack patterns of misuse – typically uses signatures
– Represent an intrusion or policy breach in some way
• Similar to an anti-virus looking for malware signatures
– Anomaly-based Intrusion Detection
• Look for unexpected activities – not normal behaviour
• Tries to identify abnormal activities rather than well-known patterns
Signature-based Detection - Principle
• Detects intrusions based on a predefined Signature or Pattern of known attacks or misuse
– Signatures
• In the simplest form, signatures are patterns which can be matched against the activities being monitored
– Rules
• An IDS typically matches against a more complex set of Detection Rules, which can include signatures
– A network Detection Rule could include:
• Protocol, IP addresses, ports
– Layer 3 & 4 – IP, NetBIOS, TCP, UDP, ICMP
– IP addresses – can be used to exclude systems or detect attack domains
– Ports – highlight specific application threats
• Payload contents
– Specific attacks – buffer overflow – use byte start/offsets
• State of connection
• String, HEX signature, or Regex patterns
– Search anywhere in the packet, rather than at specific offsets
Signature-based Detection - Principle
• Detection Process
– Network IDS – packet contents compared against the signature database in an IDS sensor
– Signature matches – raise alert
• Different signatures may be used in different network segments/specific systems
Signature-based Detection – Pros/Cons
• Advantages:
– Good for detecting known attacks
– Typically low rates of False Positives
• Disadvantages:
– Poor for unknown attacks
– Signature DB must be kept up to date
– Who defines the signatures?
Example - Snort IDS
• Snort Rules
– Simplistic Snort Rule:
– Alert Raised:
– Full packet data typically also logged separately
– More complex Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster client download attempt"; flow:to_server,established; content:"|00 CB 00|"; depth:3; offset:1; classtype:policy-violation; sid:551; rev:7;)
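To make the signature-matching principle concrete, here is an added example (not Snort's code, and not from the slides) that parses the rule above into its header fields and options, then runs the header and payload checks against a few constructed packets. The `$HOME_NET` / `$EXTERNAL_NET` definitions and the packets are assumptions made for the example; the `flow` option is noted but not evaluated, because this stateless example has no connection tracking.

```python
import ipaddress
import re
from dataclasses import dataclass

# The rule from the slide, joined onto one line.
NAPSTER_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster client download attempt"; '
    'flow:to_server,established; content:"|00 CB 00|"; depth:3; offset:1; '
    'classtype:policy-violation; sid:551; rev:7;)'
)

# Constructed variable definitions (assumption: the site's internal range is 10.0.0.0/8).
# A leading "!" negates a network, which is how EXTERNAL_NET is usually defined.
VARIABLES = {"HOME_NET": ["10.0.0.0/8"], "EXTERNAL_NET": ["!10.0.0.0/8"]}

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

# key:value; pairs, where a value may be a quoted string containing ';' or spaces.
OPTION_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(text):
    """Split a rule into its header (action/proto/addresses/ports) and its options."""
    header, _, body = text.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction != "->":
        raise ValueError("only unidirectional rules are handled in this example")
    options = {key: value.strip('"') for key, value in OPTION_RE.findall(body.rstrip().rstrip(")"))}
    return Rule(action, proto, src, sport, dst, dport, options)

def decode_content(spec):
    """Snort content syntax: literal text, with hex bytes between | | delimiters."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def address_matches(spec, ip, variables):
    if spec == "any":
        return True
    if spec.startswith("$"):
        return any(address_matches(s, ip, variables) for s in variables[spec[1:]])
    if spec.startswith("!"):
        return not address_matches(spec[1:], ip, variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt, variables=VARIABLES):
    """Header check first (protocol, addresses, ports), then the payload check."""
    if pkt.proto != rule.proto:
        return False
    if not (address_matches(rule.src, pkt.src, variables) and port_matches(rule.sport, pkt.sport)
            and address_matches(rule.dst, pkt.dst, variables) and port_matches(rule.dport, pkt.dport)):
        return False
    if "content" in rule.options:
        pattern = decode_content(rule.options["content"])
        offset = int(rule.options.get("offset", 0))
        # depth bounds how far past the offset the search may look; without it the
        # pattern may appear anywhere in the remaining payload ("search anywhere").
        end = offset + int(rule.options["depth"]) if "depth" in rule.options else len(pkt.payload)
        if pattern not in pkt.payload[offset:end]:
            return False
    return True

def scan(rules, packets, variables=VARIABLES):
    """Return (sid, msg) for every matching rule/packet pair, i.e. the alerts raised."""
    return [(int(r.options["sid"]), r.options["msg"])
            for pkt in packets for r in rules if rule_matches(r, pkt, variables)]

# Constructed packets: only the first should alert.
SAMPLE_PACKETS = [
    # external client -> internal host on 8888, pattern starts at payload byte 1
    Packet("tcp", "203.0.113.5", 51022, "10.0.0.20", 8888, b"\x01\x00\xcb\x00\x10\x00"),
    # same flow, but the pattern starts at byte 2, outside offset 1 + depth 3
    Packet("tcp", "203.0.113.5", 51023, "10.0.0.20", 8888, b"\x01\x02\x00\xcb\x00\x10"),
    # internal -> internal: the source is not in $EXTERNAL_NET
    Packet("tcp", "10.0.0.7", 40000, "10.0.0.20", 8888, b"\x01\x00\xcb\x00\x10\x00"),
]

if __name__ == "__main__":
    print(scan([parse_rule(NAPSTER_RULE)], SAMPLE_PACKETS))
```

The second packet shows why `offset`/`depth` matter: the same three bytes are present, but not where the signature says a Napster download request carries them, so no alert is raised and a false positive is avoided.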
Anomaly-based Detection
• Detects intrusions based on anomalous/unexpected conditions in activities
– Abnormal activity – a deviation from normal conditions – is identified as suspicious
– Needs an understanding of what normal conditions are – a normal profile of activities
• Baseline profile created by monitoring activities over a period – known as a training or learning period
– Types of activities/features which can be profiled:
• Network traffic types – protocol % of traffic
• Server traffic patterns – web server incoming on 80, DNS in/out 53, SMTP in/out 25
• System CPU usage, user behaviour patterns
– Static/Dynamic learning
• Different normal conditions must be compared against in different network segments/specific systems
• Network IDS – traffic patterns compared to a normal/good baseline
Intrusion Prevention Systems (IPS)
Intrusion Prevention Systems
• Grown out of IDS technologies
– Active IDS – sends a TCP reset – but can’t drop the packet
• Attempts to stop intrusion/attack, as well as detect and report
• Network-based IPS (NIPS) or Host-based IPS (HIPS)
• NIPS – IDS technology + firewall – analysing network traffic
• HIPS – installed on host systems – stops attacks at OS/application/process level
• Newer technology than IDS, but maturing rapidly
• Requires maintenance and monitoring – not a cheap plug-and-play system
• False Positives more serious than for IDS
– IDS FPs – waste the time of the security analyst
– IPS FPs – drop valid user/customer connections
• Used within defence-in-depth – not a replacement for system hardening and patching
• No Silver Bullet!
Network-based IDPS
Host-based IDPS
Hybrid IDPS
COVERAGE/SCOPE
Network IDPS Components
• Typically include multiple Network Sensors + a central Monitoring/Management System
• Network Sensors
– Monitor different subnets around the network
- Different types of subnets may have specific sensor setups/signatures
- Looking for different types of intrusions
– Typically monitor traffic to/from all hosts on the subnet
– Alerts raised for intrusions detected
– Log event data locally
– Send alerts/log data to the central system
• Central Monitoring/Management
– Larger organisations – central management of sensors/events
– Administrators can monitor/analyse events from all over the network
– Typically central logging of data related to detected events
– Some central systems can perform analysis on logging information
- Can provide correlation functionality + threat intelligence
- e.g. suspicious activities logged by two different sensors from the same source IP address
Network IDS (NIDS)
NIDS
• Collects packets from the network passively – copies of traffic
• Could use various methods of detection
– Signature/Anomaly-based
• Deployed at aggregation points
– Network tap / on a mirror port of a switch
– Copies of network traffic to the IDS sensor
– Issues with traffic overwhelming the sensor / reducing performance of the switch
• Sensor Network Interface Card (NIC) runs in promiscuous mode
– Listens to all traffic – whether addressed to the sensor or not
• Deployment typically as an out-of-line sensor
Network IDS (NIDS) Deployment
Network IDS (NIDS)
NIDS Advantages
• Provide details of types of traffic on the network
– Detect general problems/misuse – p2p
• Help facilitate quick response to specific incidents
– Reconnaissance, attacks, malware
• Auditing other defences
– IDS in front of/behind a perimeter firewall
• Monitor for data leakage
– Signatures for sensitive data, honeytokens
• Does not affect throughput of traffic, as acting on a copy of traffic – not in the traffic flow
• No performance impact if the sensor fails
Network IDS (NIDS)
NIDS Limitations
• Packets from an attack in progress cannot be stopped – can only report on malicious packets
• Resources must be spent tuning sensors – to minimise False Positives
• Level of Incident Response must be detailed in the Security Policy
• Switch mirror port use can cause issues
– Performance, as all traffic is copied to the mirror port
– Mirror ports may have issues with multiple VLANs
• Difficult to analyse encrypted traffic
• Performance limitations when performing deep packet analysis
– Common for a DoS on the network while a targeted attack is being carried out
Network IPS (NIPS)
NIPS
• Typically deployed at the network perimeter – between 2 networks
– Outside the firewall can protect the firewall and DMZ from Internet-based attacks
– Inside the firewall can help with VPN traffic and tracing intrusions post-NAT
• Deployment typically as an in-line sensor at an aggregation point
– Sensor needs multiple Network Interface Cards (NICs)
• Could use various methods of detection – same as NIDS
– Should not generate false positives – as dropping valid traffic could be a serious issue
Network IPS (NIPS) Deployment
In-line NIPS
Network IPS (NIPS)
NIPS Limitations
• IPS inspection affects throughput of traffic, as deployed in the flow of traffic
– Care in choosing an IPS based on the maximum throughput needed
– NIDS may miss an intrusion… NIPS fail open, or drop legitimate traffic
• Redundancy would have to be considered, as in the flow of traffic
• May not be able to detect all attacks NIDS can, as cannot risk raising false positives
– A NIPS false positive drops legitimate traffic!
NIPS Advantages
• Can take immediate action on malicious packets
– Packets from an attack in progress can be stopped, or malicious payload data stripped out
Host-based IDPS (HIDPS)
• Host-based sensors – installed on, and monitor, a single host system for intrusions
– Deployed as software agents
• Similar functionality to NIDPS but distributed to hosts
• Local analysis/alerting may be performed, but typically information is sent to a central IDPS analysis system
• Can monitor more than NIDPS, as it has access to host activities and unencrypted traffic
– Adds granularity to an overall solution
• Can have performance impacts on hosts
• HIDPS agents monitor activities such as:
- Network traffic for the single host
- System/audit logs
- Processes running on the host
- File accesses/changes
- System settings/configuration changes
Host-based IDS (HIDS)
Host-based Intrusion Detection
• Host-only network traffic monitoring
– Network traffic monitoring in non-promiscuous mode – all interfaces
– Signature and anomaly-based detection, as for NIDS
• System Integrity Verifiers (SIV)
– Monitor changes to a list of critical business/system files periodically
– HIDS agent generates hash signatures, which it can compare to the file periodically to check its integrity
– If the file is changed, the hashes will not match – alert raised
– Tripwire File Integrity Verifier – snapshot of file hashes
• Log File Monitors (LFM)
– Analysing log/audit files from OS/applications/devices – matching patterns/signatures in the log file
– If patterns found – alert raised
– The original IDS were LFMs:
– Swatch (Simple Watchdog)
• Alert raised if certain attack patterns found in logs
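The two HIDS components above, as one added example (not Tripwire's or Swatch's code, and not from the slides): a hash snapshot of critical files that is re-verified later to detect modification or deletion, and a log file monitor that matches patterns against log lines. The "critical files", the log lines and the patterns are constructed for the example; the patterns follow the style of OpenSSH and sudo syslog messages, and the repeat-count on failed logins is an addition of this example rather than something the slide specifies.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

def file_hash(path, algorithm="sha256"):
    """Hash a file in chunks so large files need not be read into memory at once."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(paths):
    """SIV step 1: record a hash for each critical file (Tripwire-style snapshot)."""
    return {str(path): file_hash(path) for path in paths}

def verify(baseline):
    """SIV step 2: re-hash every file in the snapshot and report missing or changed ones."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append(("missing", path))
        elif file_hash(path) != expected:
            alerts.append(("modified", path))
    return alerts

# LFM patterns (constructed, in the style of OpenSSH and sudo syslog lines).
LOG_PATTERNS = {
    "ssh-failed-login": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)"),
    "sudo-auth-failure": re.compile(r"sudo: pam_unix\(sudo:auth\): authentication failure"),
}

def scan_log(lines, patterns=LOG_PATTERNS, repeat_threshold=3):
    """LFM: alert on every line matching a pattern, and separately on any source
    address that repeats the ssh failure pattern repeat_threshold times or more."""
    matched = []
    failures_by_source = Counter()
    for line in lines:
        for name, pattern in patterns.items():
            hit = pattern.search(line)
            if hit:
                matched.append((name, line))
                if name == "ssh-failed-login":
                    failures_by_source[hit.group(1)] += 1
    repeated = {src: n for src, n in failures_by_source.items() if n >= repeat_threshold}
    return matched, repeated

# Constructed auth log excerpt; addresses are documentation ranges.
SAMPLE_LOG = [
    "Mar  3 10:01:12 web01 sshd[2101]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "Mar  3 10:01:15 web01 sshd[2101]: Failed password for root from 198.51.100.7 port 51023 ssh2",
    "Mar  3 10:01:19 web01 sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2",
    "Mar  3 10:02:00 web01 sshd[2140]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2",
    "Mar  3 10:03:30 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob",
]

def integrity_demo():
    """Create two constructed 'critical files', snapshot them, tamper, and re-verify.
    Returns (alerts before tampering, alerts after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        passwd = Path(tmp) / "passwd"
        sshd_config = Path(tmp) / "sshd_config"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        sshd_config.write_text("PermitRootLogin no\n")
        baseline = snapshot([passwd, sshd_config])
        clean = verify(baseline)                          # nothing has changed yet
        sshd_config.write_text("PermitRootLogin yes\n")   # constructed tampering
        passwd.unlink()                                   # constructed deletion
        return clean, verify(baseline)

if __name__ == "__main__":
    print(integrity_demo())
    print(scan_log(SAMPLE_LOG))
```

Both components detect after the fact: the SIV only notices a change on its next verification pass, and the LFM only sees an event once it has been written to the log, which is the caption's point about host monitoring that detects intrusions after they have happened.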
SIV & LFMs – monitor host activities and detect intrusions after they have happened
Host-based IPS (HIPS)
Host-based Intrusion Prevention
• Can stop known and unknown attacks
• Typically a shim – a proxy process – inserted into the host’s architecture between applications and resources on the host
– HIPS process proxies requests from applications to access system resources – typically via system call interception
– Has signatures/profiles defining which processes can use which resources – can deny requests for resources based on policies
– Can be used for several types of resources:
- File system activity
- System calls
- Windows registry access
- Network resources
HIPS – monitors host activities as they happen
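An added illustration of the shim idea (example code, not any HIPS product's implementation and not from the slides): a policy of which application may read or write which paths, and a context manager that interposes on Python's `open()` so every file request is checked against the policy before it reaches the real call, with each decision written to an audit list for the central system. Real HIPS work at the system-call layer for every process; interposing on one interpreter's `open()` only illustrates the mediation pattern. The policy and process names are constructed.

```python
import builtins
import fnmatch
from contextlib import contextmanager

# Constructed policy: per application, the path patterns it may read and write.
# Anything not listed is denied (default deny), mirroring a HIPS resource profile.
POLICY = {
    "webapp": {"read": ["/srv/www/*", "/etc/webapp/*.conf"], "write": ["/var/log/webapp/*"]},
    "backup": {"read": ["/srv/*", "/etc/*"], "write": ["/backup/*"]},
}

def decide(policy, process, path, mode):
    """Return (allowed, reason) for one resource request, before it is carried out."""
    operation = "write" if any(flag in mode for flag in "wa+x") else "read"
    for pattern in policy.get(process, {}).get(operation, []):
        if fnmatch.fnmatch(path, pattern):
            return True, f"{process} {operation} {path}: allowed by {pattern}"
    return False, f"{process} {operation} {path}: no matching rule"

@contextmanager
def hips_shim(policy, process, audit):
    """Interpose on open(): each call is checked against the policy before the real
    open() runs; denied requests raise PermissionError. Every decision is appended
    to `audit`, allowed or not, so the request is visible as it happens."""
    real_open = builtins.open

    def guarded_open(file, mode="r", *args, **kwargs):
        allowed, reason = decide(policy, process, str(file), mode)
        audit.append(reason)
        if not allowed:
            raise PermissionError(reason)
        return real_open(file, mode, *args, **kwargs)

    builtins.open = guarded_open
    try:
        yield
    finally:
        builtins.open = real_open   # remove the shim even if the application raised

def evaluate_requests(policy, process, requests):
    """Dry run of a list of (path, mode) requests: which would be allowed and which denied."""
    allowed, denied = [], []
    for path, mode in requests:
        (allowed if decide(policy, process, path, mode)[0] else denied).append((path, mode))
    return allowed, denied

if __name__ == "__main__":
    audit = []
    with hips_shim(POLICY, "webapp", audit):
        try:
            open("/etc/shadow")          # outside the webapp profile: denied before the call
        except PermissionError as err:
            print("blocked:", err)
    print(audit)
```

The `evaluate_requests` dry run is the testing step the next slide calls expensive: a profile that is too tight breaks the application, one that is too loose gives the shim nothing to deny.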
Host IPS (HIPS) Limitations
HIPS Limitations
• Implementation and maintenance complex and expensive
– Testing, deployment, troubleshooting updates
• Limited application support
– IIS or Apache may have good support, but custom applications may have none
• Performance issues
– HIPS have been known to use up to 25% of CPU and memory resources
Centralised Event Analysis
Analysis
• Logging extensive data relating to alerts – logged to database servers for later analysis
- Example data fields: event date & time, event type, severity, prevention actions taken + NIDPS – packet captures, HIDPS – user ID, process info
• Analysis of logs
- Validation of security events
- Correlation of events – match events from more than one sensor, + other log data from other sources such as firewall logs, antivirus
- Report generation – built-in standard reporting in many systems
• Scale – depending on the number of IDPS sensors, several console and logging servers may be needed
- Cisco recommend < 25 sensors per console
- Tuning sensors is important – they consume logging/console/admin time resources
• Alert/Log Analysis
- General purpose tools such as Grep or Splunk (indexes and searches data)
- Custom vendor utilities such as Cisco MARS
- SIEM systems – data warehousing of info / data analytics / data mining – from heterogeneous vendor devices/applications
- Intelligent data warehousing/mining/visualisation systems now being used in next-generation products
SIEM Systems
Security Information and Event Management (SIEM)
- Import information from a range of different security logging systems and correlate events across all the data
- IDPS logging
- F/w logging
- Antivirus
- OS logging (audit/security logs)
- Application servers (web/email)
- Normalisation of data
- Convert data from device logs to a common format/fields
- Good if using a range of security devices from different vendors
- Correlate events based on IP address, timestamps, user ID etc.
- May identify attacks from multiple security events
- Individual logging devices may not be able to identify these
- Aggregate log data (consolidate repeated info)
- Report on correlations across data
- Visualisation of data
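The normalisation, aggregation and correlation steps above, and the two-sensors-same-source case from the Network IDPS Components slide, as one added example that is not part of the slides and not any SIEM vendor's code. Three constructed feeds in different native formats (a NIDS writing alerts in the style of Snort's "fast" output, a firewall writing iptables-style LOG lines, and a host agent emitting JSON) are converted to common fields, repeats are counted, and a source seen by two or more sensors inside a time window is reported as one incident. The field names, sensor names, addresses and the assumed year are all constructed.

```python
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

YEAR = 2024  # constructed: fast alerts and syslog lines carry no year of their own

# Constructed events in three native formats; addresses are documentation ranges.
NIDS_ALERTS = [  # in the style of Snort's fast alert output
    "03/03-10:01:12.482913  [**] [1:551:7] P2P napster client download attempt [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.7:51022 -> 10.0.0.20:8888",
    "03/03-10:04:40.100002  [**] [1:1000001:1] CONSTRUCTED suspicious web request [**] "
    "[Priority: 2] {TCP} 203.0.113.9:40112 -> 10.0.0.30:80",
]
FIREWALL_LOG = [  # in the style of an iptables LOG line
    "Mar  3 10:01:20 fw kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.21 LEN=60 TTL=54 "
    "PROTO=TCP SPT=51030 DPT=22 SYN",
]
HIDS_JSON = [  # a host agent emitting one JSON record per alert
    '{"time": "2024-03-03T10:01:25", "agent": "hids-web01", "source": "198.51.100.7", "rule": "Multiple failed SSH logins"}',
]

FAST_ALERT_RE = re.compile(
    r"(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(.*?)\s+\[\*\*\].*?\{\w+\}\s+"
    r"([\d.]+):\d+\s+->\s+([\d.]+):\d+")
FW_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: .*?SRC=(\S+) DST=(\S+) .*?PROTO=(\w+) SPT=\d+ DPT=(\d+)")

# Every normaliser produces the same common fields: ts, sensor, src_ip, dst_ip, event.
def normalise_nids(line, sensor="nids-dmz"):
    m = FAST_ALERT_RE.search(line)
    if not m:
        return None
    month, day, clock, msg, src, dst = m.groups()
    ts = datetime.strptime(f"{YEAR}-{month}-{day} {clock}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "sensor": sensor, "src_ip": src, "dst_ip": dst, "event": msg}

def normalise_firewall(line):
    m = FW_RE.search(line)
    if not m:
        return None
    stamp, host, src, dst, proto, dport = m.groups()
    ts = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "sensor": host, "src_ip": src, "dst_ip": dst, "event": f"dropped {proto} to port {dport}"}

def normalise_hids(line):
    record = json.loads(line)
    return {"ts": datetime.fromisoformat(record["time"]), "sensor": record["agent"],
            "src_ip": record["source"], "dst_ip": None, "event": record["rule"]}

def aggregate(events):
    """Consolidate repeats: how often each (sensor, source, event) triple occurred."""
    return Counter((e["sensor"], e["src_ip"], e["event"]) for e in events)

def correlate(events, window=timedelta(minutes=10), min_sensors=2):
    """Group by source IP and report sources seen by at least `min_sensors` distinct
    sensors within `window` (the two-sensors-same-source case from the slide)."""
    by_source = defaultdict(list)
    for event in events:
        by_source[event["src_ip"]].append(event)
    incidents = []
    for src, evs in sorted(by_source.items()):
        evs.sort(key=lambda e: e["ts"])
        sensors = sorted({e["sensor"] for e in evs})
        if len(sensors) >= min_sensors and evs[-1]["ts"] - evs[0]["ts"] <= window:
            incidents.append({"src_ip": src, "sensors": sensors, "count": len(evs),
                              "first": evs[0]["ts"], "events": [e["event"] for e in evs]})
    return incidents

def build_incidents():
    events = [normalise_nids(line) for line in NIDS_ALERTS]
    events += [normalise_firewall(line) for line in FIREWALL_LOG]
    events += [normalise_hids(line) for line in HIDS_JSON]
    return correlate([e for e in events if e is not None])

if __name__ == "__main__":
    for incident in build_incidents():
        print(incident)
```

No single feed sees the whole picture: the firewall dropped one SYN, the NIDS saw one policy violation and the host agent saw some failed logins. Only after normalising to a shared `src_ip` field do the three line up as one source working through the network.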
[Figure: Splunk Enterprise – data analytics/mining, visualisation]
Internet Storm Center (ISC)
Internet Storm Center Threat Analysis
• Centralised Internet intrusion analysis
• Collects alerts/logging data from thousands of IDPS and firewalls in many countries
• Correlation and visualisation engines
• isc.sans.org
Appendix
Security Onion
– SO is a Linux distro for intrusion detection, network security monitoring, and log management
– It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools
https://github.com/Security-Onion-Solutions/security-onion/wiki/IntroductionToSecurityOnion
IDS Alert Classification
• Classifications?
– Workmen repeatedly set off the fire alarm due to dust generated while fitting new windows?
– Chip fat in the canteen starts a large fire, but the sensor has been tuned badly due to heat in the kitchen and no alarm is raised?
– Dust from Rich’s desk blows into the sensor but no alarm is set off?
Anomaly-based Detection
• Detects intrusions based on anomalous/unexpected conditions in activities
• Abnormal activity – a deviation from normal conditions – is identified as suspicious
• Needs an understanding of what normal conditions are – a normal profile of activities
• Network IDS – traffic patterns compared to a normal/good baseline
• Baseline profile created by monitoring activities over a period – known as a training or learning period
– Types of activities/features which can be profiled:
• Network traffic types – protocol % of traffic
• Server traffic patterns – web server incoming on 80, DNS in/out 53, SMTP in/out 25
• System CPU usage, user behaviour patterns
– Static/Dynamic learning
• Different normal conditions must be compared against in different network segments/specific systems
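An added example for the anomaly-based detection slide in the main deck and its restatement here (not from the slides, and not any product's algorithm): a baseline of "protocol % of traffic" is learned over a training period, a new interval is scored against it, and the static/dynamic learning distinction is shown by a baseline update that refuses to learn from an interval that was itself flagged. The traffic counts, the z-score threshold and the standard-deviation floor are constructed assumptions.

```python
import statistics

MIN_STDEV = 0.5  # constructed floor: a perfectly steady protocol must not divide by zero

def protocol_shares(counts):
    """Convert per-protocol byte counts in one interval to percentages of all traffic."""
    total = sum(counts.values())
    return {proto: 100.0 * n / total for proto, n in counts.items()} if total else {}

def build_baseline(training_intervals):
    """Learning period: mean and standard deviation of each protocol's share of traffic."""
    protocols = set().union(*training_intervals)
    samples = {proto: [] for proto in protocols}
    for interval in training_intervals:
        shares = protocol_shares(interval)
        for proto in protocols:
            samples[proto].append(shares.get(proto, 0.0))
    return {proto: (statistics.fmean(values), max(statistics.pstdev(values), MIN_STDEV))
            for proto, values in samples.items()}

def score_interval(baseline, interval, threshold=3.0):
    """Detection: report each protocol whose share deviates more than `threshold`
    standard deviations from its baseline, plus any protocol never seen in training."""
    anomalies = []
    shares = protocol_shares(interval)
    for proto in sorted(set(baseline) | set(shares)):
        share = shares.get(proto, 0.0)
        if proto not in baseline:
            anomalies.append((proto, round(share, 1), "unseen protocol"))
            continue
        mean, stdev = baseline[proto]
        z = (share - mean) / stdev
        if abs(z) > threshold:
            anomalies.append((proto, round(share, 1), f"z={z:.1f}"))
    return anomalies

def update_baseline(training_intervals, interval, baseline, threshold=3.0):
    """Dynamic learning: only an interval that scored clean is folded into the profile,
    so an attack in progress does not gradually teach the sensor that it is normal."""
    if score_interval(baseline, interval, threshold):
        return baseline
    training_intervals.append(interval)
    return build_baseline(training_intervals)

# Constructed training data: five intervals of byte counts per protocol/port,
# roughly 70% web, 20% DNS and 10% SMTP, matching the server patterns on the slide.
TRAINING = [
    {"tcp/80": 700, "udp/53": 200, "tcp/25": 100},
    {"tcp/80": 720, "udp/53": 190, "tcp/25": 90},
    {"tcp/80": 680, "udp/53": 210, "tcp/25": 110},
    {"tcp/80": 710, "udp/53": 200, "tcp/25": 90},
    {"tcp/80": 690, "udp/53": 200, "tcp/25": 110},
]
NORMAL_INTERVAL = {"tcp/80": 705, "udp/53": 195, "tcp/25": 100}
DNS_FLOOD = {"tcp/80": 700, "udp/53": 2300, "tcp/25": 100}                     # DNS share jumps from 20% to 74%
NEW_SERVICE = {"tcp/80": 700, "udp/53": 200, "tcp/25": 100, "tcp/6881": 50}   # a port the profile never saw

if __name__ == "__main__":
    baseline = build_baseline(list(TRAINING))
    for label, interval in (("normal", NORMAL_INTERVAL), ("dns flood", DNS_FLOOD), ("new service", NEW_SERVICE)):
        print(label, score_interval(baseline, interval))
```

Note that the flood is flagged on more than one protocol: when DNS grows to three quarters of the traffic, the web share necessarily shrinks, so a share-based profile reports both. An analyst reading the alert needs that context, which is one reason anomaly detectors are paired with the signature sensors and log correlation covered elsewhere in the deck.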
Cisco PIX NIPS
Cisco ASA IDPS
• ASA IPS – IDS and IPS, based on built-in signatures
• Cisco IDPS signatures are split into two categories:
– Informational Signatures – identify non-malicious traffic which the sysadmin may want to be informed of, such as organisational policy breaches, or some reconnaissance methods.
– Attack Signatures – identify traffic which could be a direct attack, or could lead to an attack.
• Three actions are available when a signature is matched:
– Alarm – sends an alert to a logging server and management console
– Drop – drops the packet, and does not send it to the destination
– Reset – sends a TCP RST packet to both ends of the connection