Intro to Cryptography

Encryption/Decryption

plaintext -> Encryption -> ciphertext -> Decryption -> plaintext

there is a one-to-one mapping
provides confidentiality protection

Other services:
Integrity checking: no tampering
Authenticity: verified authorship
Authentication: not an imposter

Encryption basics
ancient crypto:
early signs of encryption in Egypt in ~2000 B.C.
letter-based schemes (e.g., Caesar's cipher) ever since

Symmetric ciphers:
from ancient times to the present
Asymmetric ciphers:
first by Diffie-Hellman

DoS Attacks on Network IDS

– Resource exhaustion
– CPU resources
– memory
– Network bandwidth

– Abusing reactive IDS
– false positives
– nuisance attacks or “error” packets/connections

Intrusion Prevention System (IPS)
also known as intrusion detection and prevention system (IDPS)
is an extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity
can be host-based, network-based, or distributed/hybrid
can use anomaly detection to identify behavior that is not that of legitimate users, or signature/heuristic detection to identify known malicious behavior
can block traffic as a firewall does, but makes use of the types of algorithms developed for IDSs to determine when to do so

Bayesian Detection Rate

P(I) is base rate: prior probability of attacks

base-rate fallacy
– even if the false alarm rate P(A|¬I) is very low, the Bayesian detection rate P(I|A) is still low if the base rate P(I) is low
– E.g. if P(A|I) = 1, P(A|¬I) = 10^-5, P(I) = 2×10^-5, then P(I|A) = 66%

When the IDS produces an alert, the probability that an intrusion has actually occurred is low.

Implications to IDS
– Design algorithms to reduce false alarm rate
– Deploy IDS to appropriate point/layer with sufficiently high base rate
– Multiple independent detection models

Architecture of Network IDS
– Packet data volume can be huge
– Base rate at the packet level is typically low
– Applying detection algorithms at this level may result in a low Bayesian detection rate

Network -> libpcap -> Event Engine -> Detection Engine

Eluding Network IDS
What the IDS sees may not be what the end system gets
Ambiguities in protocols lead to different implementations in operating systems:
e.g., TTL handling, fragment reassembly

Evaluating IDS

Detection rate or True Positive (TP) rate:
given that there is an intrusion, how likely is the IDS to correctly output an alert.

False Negative Rate: FN = 1- TP

False alarm or False Positive (FP) rate: given that there is no intrusion, how likely is the IDS to falsely output an alert.

True Negative Rate: TN = 1 – FP

Bayesian detection rate: given that the IDS produces an alert, how likely is it that an intrusion actually occurs?

Alarm/positive: A; Intrusion: I
Detection (true positive) rate: P(A|I)
false negative rate P(¬A|I)
False alarm rate: P(A|¬I)
true negative rate P(¬A|¬I)
Bayesian detection rate: P(I|A)

System should be: scalable, resilient to attacks

Bayesian Detection Rate
P(I|A) = P(I)P(A|I) / [P(I)P(A|I) + P(¬I)P(A|¬I)]
P(I) is the prior probability of attacks: the probability that intrusion evidence is present in the data.
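Added worked example (not from the original notes): the Bayesian detection rate formula above, applied to the numbers in the base-rate fallacy example, derived from a confusion matrix of alert counts, and extended to the "multiple independent detection models" remedy by requiring several detectors to fire at once. The confusion-matrix counts are constructed sample values.

```python
from math import prod

def bayesian_detection_rate(p_i: float, p_a_given_i: float, p_a_given_not_i: float) -> float:
    """P(I|A) = P(I)P(A|I) / (P(I)P(A|I) + P(not I)P(A|not I))."""
    true_alarms = p_i * p_a_given_i              # alerts caused by real intrusions
    false_alarms = (1.0 - p_i) * p_a_given_not_i # alerts caused by benign traffic
    return true_alarms / (true_alarms + false_alarms)

def rates_from_counts(tp: int, fn: int, fp: int, tn: int) -> dict:
    """Derive every rate defined in the notes from raw alert counts."""
    total = tp + fn + fp + tn
    return {
        "base_rate": (tp + fn) / total,              # P(I)
        "detection_rate": tp / (tp + fn),            # P(A|I)
        "false_negative_rate": fn / (tp + fn),       # P(not A|I) = 1 - TP rate
        "false_alarm_rate": fp / (fp + tn),          # P(A|not I)
        "true_negative_rate": tn / (fp + tn),        # P(not A|not I) = 1 - FP rate
        "bayesian_detection_rate": tp / (tp + fp),   # P(I|A)
    }

def combined_independent(p_i: float, detectors: list) -> float:
    """Require every detector in `detectors` (list of (P(A|I), P(A|not I)) pairs)
    to fire before raising an alert. Assuming their errors are independent, the
    combined P(A|I) and P(A|not I) are products of the individual ones, so the
    false-alarm term shrinks much faster than the detection term."""
    p_a_given_i = prod(d[0] for d in detectors)
    p_a_given_not_i = prod(d[1] for d in detectors)
    return bayesian_detection_rate(p_i, p_a_given_i, p_a_given_not_i)

if __name__ == "__main__":
    # Numbers from the notes: P(A|I)=1, P(A|not I)=1e-5, P(I)=2e-5 -> about 66%.
    print(f"notes example:        {bayesian_detection_rate(2e-5, 1.0, 1e-5):.2%}")
    # Same detector deployed where the base rate is higher (P(I)=1e-2).
    print(f"higher base rate:     {bayesian_detection_rate(1e-2, 1.0, 1e-5):.2%}")
    # Two such detectors, both required to fire, with independent false alarms.
    print(f"two detectors (AND):  {combined_independent(2e-5, [(1.0, 1e-5), (1.0, 1e-5)]):.4%}")
    # Constructed confusion matrix: 100 intrusions among 100 000 packets.
    print(rates_from_counts(tp=90, fn=10, fp=900, tn=99000))
```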

Snort Rules

(a)Rule header
Action, Protocol, Source IP Address, Source Port, Direction, Dest IP address, Dest Port

(b)Options
Option Keyword, Protocol Arguments

Meta-data: provides information about the rule but does not have any effect during detection
Payload: look for data inside the packet
Post-detection: rule-specific triggers that happen after a rule has matched a packet

snort rule actions
alert, log, pass, activate, dynamic, drop, reject, sdrop

snort rule example
alert tcp any any -> 192.168.1.0/24 25 (content:"mail from:root"; msg:"root user attempts to send an email";)
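Added example, not part of the original notes or of Snort itself: a small parser that splits a rule into the header fields (action, protocol, source, source port, direction, destination, destination port) and the option list described above. The sample rule is the one from the notes with a `nocase` and `sid` option added so that both quoted and bare options are exercised.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the rule from the notes plus two extra options.
SAMPLE_RULE = ('alert tcp any any -> 192.168.1.0/24 25 '
               '(content:"mail from:root"; nocase; msg:"root user attempts to send an email"; sid:1000001;)')

RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
HEADER_RE = re.compile(
    r'^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>[^\s(]+)\s*\((?P<body>.*)\)\s*$', re.S)

@dataclass
class SnortRule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # [(keyword, argument or None), ...]

def split_options(body: str) -> list:
    """Split the option body on ';' while leaving ';' inside double quotes alone."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == '\\' and quoted and i + 1 < len(body):   # keep escaped char inside quotes
            buf.append(body[i:i + 2]); i += 2; continue
        if c == '"':
            quoted = not quoted
        if c == ';' and not quoted:
            parts.append(''.join(buf).strip()); buf = []
        else:
            buf.append(c)
        i += 1
    if quoted:
        raise ValueError("unterminated quoted string in rule options")
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]

def parse_rule(text: str) -> SnortRule:
    """Parse one rule; raises ValueError on a malformed header or unknown action."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule header")
    if m['action'] not in RULE_ACTIONS:
        raise ValueError(f"unknown rule action {m['action']!r}")
    rule = SnortRule(m['action'], m['proto'], m['src'], m['sport'], m['dir'], m['dst'], m['dport'])
    for opt in split_options(m['body']):
        keyword, _, arg = opt.partition(':')   # first ':' only, so "mail from:root" survives
        rule.options.append((keyword.strip(), arg.strip() or None))
    return rule
```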

Honeypots
Honeypots are decoy systems designed to lure attackers away from critical systems

Honeypots are designed to:
divert an attacker
collect information about an attacker
encourage an attacker to stay long enough for administrators to respond

Honeypots are filled with fabricated information
Any accesses to a honeypot trigger monitors and event loggers
An attack against a honeypot is made to seem successful

A honeypot has no production value
there is no legitimate reason to access a honeypot
any attempt to communicate with a honeypot is most likely a probe, scan, or attack
if a honeypot initiates outbound traffic, the system is most likely compromised

Firewall Versus Network IDS

Firewall
-active filtering
-fail-close

Network IDS
-passive monitoring
-fail-open

NIDS Sensor Deployment

SNORT
-open source
-Highly configurable
-Lightweight IDS

Characteristics:
easily deployed on most nodes
efficient operation
easily configured by system administrators

Performs real-time packet capture
Detects a variety of attacks and probes

Packet -> Decoder -> Detection Engine -> Alert

Configured as passive
– Monitors traffic
– Is not in the main transmission path
– Is not an inline sensor

Configured as Intrusion Detection

Misuse Signature Intruder Detection

Example: if (src_ip == dst_ip && src_port == dst_port)
then "land attack"

Monitoring Networks and Host
An IDS performs passive monitoring:
it records and analyzes data about system and network activity
if the IDS sends out an alert AND the response policy dictates intervention, then activities are affected

Network Based IDS
– Monitors traffic at selected points on a network in real or close to real time
– May examine network, transport, and/or application-level protocol activity
– Composed of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface
– Analysis of traffic patterns may be done at the sensor, the management server or a combination of the two

Host IDS
– Operating System Event

Inline Sensors
– used to block an attack when one is detected, performing both intrusion detection and prevention functions
– An inline sensor is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.
– Combining NIDS sensor logic with a firewall or LAN switch. This has the advantage that no additional hardware is needed
– Using a stand-alone inline NIDS sensor

Passive Sensors
– A passive sensor monitors a copy of network traffic; the actual traffic does not pass through the device
– Passive sensors are more efficient
Network traffic: monitoring interface, management interface (with IP)