Bayesian Detection Rate

P(I) is the base rate: the prior probability of attacks

base-rate fallacy
– even if the false alarm rate P(A|¬I) is very low, the Bayesian detection rate P(I|A) is still low if the base rate P(I) is low
– e.g. if P(A|I)=1, P(A|¬I)=10^-5, P(I)=2×10^-5, then P(I|A)=66%

When the IDS produces an alert, the probability that an intrusion has actually occurred is low.

Implications to IDS
– Design algorithms to reduce false alarm rate
– Deploy IDS to appropriate point/layer with sufficiently high base rate
– Multiple independent detection models

Architecture of Network IDS
– Packet data volume can be huge
– Base rate at the packet level is typically low
– Applying detection algorithms at this level may result in a low Bayesian detection rate

Network -> libpcap -> Event Engine -> Detection Engine

Eluding Network IDS
What the IDS sees may not be what the end system gets
Ambiguities in protocols lead to different implementations in operating systems:
e.g., TTL, fragments

Evaluating IDS

Detection rate or True Positive (TP) rate:
given that there is an intrusion, how likely is the IDS to correctly output an alert.

False Negative Rate: FN = 1 − TP

False alarm or False Positive (FP) rate: given that there is no intrusion, how likely is the IDS to falsely output an alert.

True Negative Rate: TN = 1 − FP

Bayesian detection rate: given that the IDS produces an alert, how likely is it that an intrusion actually occurs?

Alarm/positive: A; Intrusion: I
Detection (true positive) rate: P(A|I)
False negative rate: P(¬A|I)
False alarm rate: P(A|¬I)
True negative rate: P(¬A|¬I)
Bayesian detection rate: P(I|A)

System should be: scalable, resilient to attacks

Bayesian Detection Rate
P(I|A) = P(I)P(A|I) / (P(I)P(A|I) + P(¬I)P(A|¬I))
P(I) is the prior probability of attacks: this is the probability of intrusion evidence in the data.
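Worked example (added here, not part of the original notes) covering the evaluation rates above and the Bayesian detection rate formula: the rates are derived from constructed confusion-matrix counts, P(I|A) is computed with the notes' own figures, and a sweep over base rates shows the base-rate fallacy. All counts are constructed.

```python
# Added example (not part of the original notes): IDS evaluation rates from a
# confusion matrix, and the Bayesian detection rate P(I|A) from Bayes' rule.
# All counts and probabilities below are constructed for illustration.

def rates(tp, fn, fp, tn):
    """Return (P(A|I), P(A|not I), P(I)) from confusion-matrix counts.

    tp/fn: intrusions that did / did not raise an alert
    fp/tn: benign events that did / did not raise an alert
    """
    intrusions = tp + fn
    benign = fp + tn
    detection_rate = tp / intrusions            # P(A|I); false negative rate = 1 - this
    false_alarm_rate = fp / benign              # P(A|not I); true negative rate = 1 - this
    base_rate = intrusions / (intrusions + benign)  # P(I), the prior
    return detection_rate, false_alarm_rate, base_rate

def bayesian_detection_rate(p_i, p_a_given_i, p_a_given_not_i):
    """P(I|A) = P(I)P(A|I) / (P(I)P(A|I) + P(not I)P(A|not I))."""
    numerator = p_i * p_a_given_i
    denominator = numerator + (1.0 - p_i) * p_a_given_not_i
    return numerator / denominator

def base_rate_sweep(p_a_given_i, p_a_given_not_i, base_rates):
    """Base-rate fallacy: P(I|A) for several priors with the IDS quality held fixed."""
    return {p: bayesian_detection_rate(p, p_a_given_i, p_a_given_not_i) for p in base_rates}

if __name__ == "__main__":
    # Figures from the notes: P(A|I)=1, P(A|not I)=1e-5, P(I)=2e-5 gives about 66%
    print(f"P(I|A) = {bayesian_detection_rate(2e-5, 1.0, 1e-5):.1%}")
    # Same detector, higher base rate (e.g. deployed at a layer where attacks are denser)
    for p, v in base_rate_sweep(1.0, 1e-5, [2e-5, 1e-4, 1e-3, 1e-2]).items():
        print(f"base rate {p:.0e}: P(I|A) = {v:.1%}")
    # Rates derived from constructed counts rather than given probabilities
    print("rates from counts:", rates(tp=90, fn=10, fp=5, tn=995))
```

The sweep is why the notes recommend deploying the IDS at a point with a sufficiently high base rate: the detector itself is unchanged, only the prior moves.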

Snort Rules

(a) Rule header
Action, Protocol, Source IP Address, Source Port, Direction, Dest IP Address, Dest Port

(b) Options
Option Keyword, Option Arguments

Meta-data: provides information about the rule but does not have any effect during detection
Payload: look for data inside the packet
Post-detection: rule-specific triggers that happen after a rule has matched a packet

Snort rule actions
alert, log, pass, activate, dynamic, drop, reject, sdrop

Snort rule example
alert tcp any any -> 192.168.1.0/24 25 (content:"mail from:root"; msg:"root users attempts to send an email";)
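To show how the header and option parts of that rule are consumed, here is an added example (my code, not Snort's) that parses the rule above into its seven header fields and its option keyword/argument pairs, then applies it to constructed packet records. It assumes the "->" direction only, handles only the content and msg options, and uses constructed addresses and payloads.

```python
# Added example (not Snort's own code): parse the rule from the notes into its
# header fields and options, then apply it to constructed packet records.
import ipaddress

RULE = ('alert tcp any any -> 192.168.1.0/24 25 '
        '(content:"mail from:root"; msg:"root users attempts to send an email";)')
HEADER_FIELDS = ["action", "protocol", "src_ip", "src_port", "direction", "dst_ip", "dst_port"]

def parse_rule(rule):
    """Split a rule into a 7-field header dict and an {option keyword: argument} dict."""
    head, _, body = rule.partition("(")
    header = dict(zip(HEADER_FIELDS, head.split()))
    if len(header) != len(HEADER_FIELDS) or header["direction"] != "->":
        raise ValueError("unsupported or malformed rule header")
    options = {}
    # Naive split on ';' is enough here; real rules may escape ';' inside content strings.
    for opt in filter(None, (o.strip() for o in body.rstrip(")").split(";"))):
        keyword, _, argument = opt.partition(":")   # first ':' only, so "from:root" survives
        options[keyword.strip()] = argument.strip().strip('"')
    return header, options

def _ip_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    return spec == "any" or int(spec) == port

def packet_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and a payload of bytes."""
    header, options = rule
    if header["protocol"] != pkt["proto"]:
        return False
    if not (_ip_match(header["src_ip"], pkt["src"]) and _port_match(header["src_port"], pkt["sport"])):
        return False
    if not (_ip_match(header["dst_ip"], pkt["dst"]) and _port_match(header["dst_port"], pkt["dport"])):
        return False
    content = options.get("content")
    return content is None or content.encode() in pkt["payload"]  # payload option, case-sensitive

def scan(rule_text, packets):
    rule = parse_rule(rule_text)
    return [(rule[0]["action"], rule[1].get("msg", ""), p["src"]) for p in packets if packet_matches(rule, p)]

# Constructed packets: only the first one should trigger the rule.
PACKETS = [
    dict(proto="tcp", src="10.0.0.5", sport=40000, dst="192.168.1.20", dport=25, payload=b"mail from:root\r\n"),
    dict(proto="tcp", src="10.0.0.5", sport=40001, dst="192.168.1.20", dport=25, payload=b"mail from:alice\r\n"),
    dict(proto="tcp", src="10.0.0.5", sport=40002, dst="192.168.2.20", dport=25, payload=b"mail from:root\r\n"),
    dict(proto="udp", src="10.0.0.5", sport=40003, dst="192.168.1.20", dport=25, payload=b"mail from:root\r\n"),
]
```

Calling scan(RULE, PACKETS) returns a single ("alert", msg, "10.0.0.5") tuple; the other three packets fail on payload, destination subnet and protocol respectively.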

Honeypots
Honeypots are decoy systems designed to lure attackers away from critical systems

Honeypots are designed to:
divert an attacker
collect information about an attacker
encourage an attacker to stay long enough for administrators to respond

Honeypots are filled with fabricated information
Any access to a honeypot triggers monitors and event loggers
An attack against a honeypot is made to seem successful

A honeypot has no production value
there is no legitimate reason to access a honeypot
any attempt to communicate with a honeypot is most likely a probe, scan, or attack
if a honeypot initiates outbound traffic, the system is most likely compromised
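The three honeypot rules of thumb above, as an added example (not from the notes) that applies them to constructed flow records: every inbound flow to the honeypot is an alert, a source touching several distinct ports is reported as a scan, and any flow the honeypot itself initiates is flagged at high severity as a likely compromise. The honeypot address, peer addresses and records are all constructed.

```python
# Added example (not from the notes): apply the honeypot rule of thumb to
# constructed flow records. A honeypot has no production value, so inbound
# traffic is treated as a probe/scan/attack and outbound traffic it initiates
# as a sign of compromise. Addresses and records below are constructed.

HONEYPOT = "10.0.0.99"

# Constructed flow records: (time, src, dst, dst_port)
FLOWS = [
    ("10:00:01", "203.0.113.7", HONEYPOT, 22),
    ("10:00:02", "203.0.113.7", HONEYPOT, 80),
    ("10:00:03", "203.0.113.7", HONEYPOT, 445),
    ("10:05:10", "10.0.0.12", "10.0.0.20", 443),      # normal traffic, honeypot not involved
    ("10:07:44", HONEYPOT, "198.51.100.9", 4444),     # honeypot initiating an outbound connection
]

def classify_flows(flows, honeypot=HONEYPOT, scan_threshold=3):
    """Return a list of (time, severity, reason, peer) alerts for traffic touching the honeypot.

    Every inbound flow is an alert (there is no legitimate reason to talk to a honeypot);
    once a source has touched scan_threshold distinct ports it is reported as a scan;
    any flow the honeypot itself initiates is reported at high severity.
    """
    alerts = []
    ports_seen = {}            # source address -> set of destination ports it touched
    for ts, src, dst, dport in flows:
        if dst == honeypot:
            ports_seen.setdefault(src, set()).add(dport)
            if len(ports_seen[src]) >= scan_threshold:
                reason = f"port scan of honeypot ({len(ports_seen[src])} distinct ports)"
            else:
                reason = "probe/scan/attack: inbound connection to honeypot"
            alerts.append((ts, "medium", reason, src))
        elif src == honeypot:
            alerts.append((ts, "high", "honeypot initiated outbound traffic: likely compromised", dst))
    return alerts

if __name__ == "__main__":
    for ts, severity, reason, peer in classify_flows(FLOWS):
        print(f"{ts} [{severity}] {reason} peer={peer}")
```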

Firewall Versus Network IDS

Firewall
– active filtering
– fail-close

Network IDS
– passive monitoring
– fail-open

NIDS Sensor Deployment

SNORT
– open source
– highly configurable
– lightweight IDS

Characteristics:
easily deployed on most nodes
efficient operation
easily configured by system administrators

Performs real-time packet capture
Detects a variety of attacks and probes

Packet -> Decoder -> Detection Engine -> Alert

Configured as passive
– Monitors traffic
– Is not in the main transmission path
– Is not an inline sensor

Configured as Intrusion Detection

Misuse Signature Intruder Detection

Example: if (src_ip == dst_ip && src_port == dst_port)
then "land attack"

Monitoring Networks and Hosts
An IDS performs passive monitoring:
it records and analyzes data about system and network activity
if the IDS sends out an alert AND the response policy dictates intervention, then activities are affected

Network Based IDS
– Monitors traffic at selected points on a network in real or close to real time
– May examine network, transport, and/or application-level protocol activity
– Comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface
– Analysis of traffic patterns may be done at the sensor, the management server or a combination of the two

Host IDS
– Operating System Event

Inline Sensors
– used to block an attack when one is detected, performing both intrusion detection and prevention functions
– An inline sensor is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor.
– Combining NIDS sensor logic with a firewall or LAN switch; this has the advantage that no additional hardware is needed
– Using a stand-alone inline NIDS sensor

Passive Sensors
– A passive sensor monitors a copy of network traffic; the actual traffic does not pass through the device
– Passive sensors are more efficient
Network traffic: monitoring interface, management interface (with IP)

Machine Learning Intruder Detection Approaches

Neural networks: simulate human brain operation with neurons and synapses between them

Clustering and outlier detection: group the observed data into clusters, then identify subsequent data as either belonging to a cluster or as an outlier.

Limitations of Anomaly Detection
They are generally trained on legitimate data
This limits the effectiveness of some of the techniques discussed.

Relatively high false positive rate: anomalies can just be new normal activities

Detect intrusion by:
– observing events in the system
– applying a set of patterns or rules to the data
– determining if the data is intrusive or normal

Signature Approaches
– match a large collection of known patterns of malicious data against data stored on system or in transit over a network
– the signatures need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data
– Widely used in anti-virus products, network traffic scanning proxies, and in NIDS

Signature Approach
– Advantages:
low cost in time and resource use
wide acceptance
– Disadvantages:
significant effort to identify and review new malware to create signatures
inability to detect zero-day attacks

Rule-Based Detection
– involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses
– Rules can also be defined that identify suspicious behavior
– Typically the rules used are specific

A variety of classification approaches

Statistical: Analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics.
Knowledge based: Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior.
Machine learning: Approaches automatically determine a suitable classification model from the training data using data mining techniques.

Issues Affecting Performance:
Efficiency, cost of detection

Statistical Approaches
characteristics:
– use captured sensor data
– multivariate models using the time and order of events

Advantages:
– their relative simplicity
– low computation cost
– lack of assumptions about expected behavior

Disadvantages:
– difficulty selecting suitable metrics
– not all behaviors can be modeled using these approaches.

Knowledge-based approaches
– developed during training to characterize data into distinct classes

advantages:
– robust
– flexible

disadvantages:
– the difficulty and time required to develop knowledge from the data
– human experts must assist with the process

Machine learning approaches
– use data mining techniques to develop a model that can classify data as normal or anomalous

Advantages:
– flexibility
– adaptability
– ability to capture inter-dependencies between observed metrics

disadvantages:
– dependency on assumptions about accepted behavior
– high false alarm rate
– high resource cost
– significant time and computational resources

Bayesian networks: encode probabilistic relationship among observed metrics
Markov models: Develop a model with sets of states

Elements of intrusion detection

components of intrusion detection systems:
From an algorithmic perspective
– Features: capture intrusion evidence
– Models: piece evidence together

From a system architecture perspective:
Audit data processor, knowledge base, decision engine, alarm generation and responses

Data preprocessor -> Detection Engine (<- Detection Models) -> Decision Engine (<- Decision Table)

Modeling and analysis
– misuse detection (a.k.a. signature-based)
– anomaly detection

Deployment
– host-based
– network-based

Development and maintenance
– hand-coding of "expert knowledge"
– learning based on data

Analysis Approaches
– anomaly detection
– misuse / signature detection

Anomaly Detection: involves the collection of data relating to the behavior of legitimate users over a period of time; current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder

Misuse/Signature Detection: uses a set of known malicious data patterns or attack rules that are compared with current behavior; also known as misuse detection; can only identify known attacks for which it has patterns or rules

Defense-in-Depth

Prevent -> Detect -> Survive

Intrusion Examples
– remote root compromise
– running a packet sniffer
– web server defacement
– distributing pirated software
– guessing/cracking passwords
– using an unsecured modem to access the internal network
– copying databases containing credit card numbers
– impersonating an executive to get information
– viewing sensitive data without authorization
– using an unattended workstation

Designed to Counter Threats:
known, less sophisticated attacks
sophisticated targeted attacks
new, zero-day exploits

Defense-in-depth strategies include:
encryption
detailed audit trails
strong authentication and authorization controls
active management of operating systems
application security

Intruder behavior
primary assumptions:
system activities are observable
Normal and intrusive activities have distinct evidence

Personal Firewalls

– Can be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface
– Typically much less complex than server-based or standalone firewalls
– Primary role is to deny unauthorized remote access
– May also monitor outgoing traffic to detect and block worms and malware activity

Stealth Mode hides the system from the internet by dropping unsolicited communication packets
UDP packets can be blocked
Logging for checking on unwanted activity
Applications must have authorization to provide services

Deploying firewalls
– Internal DMZ network
– Internal protected network

Add more stringent filtering capability
Provide two-way protection with respect to the DMZ
Multiple firewalls can be used to protect portions of the internal network from each other

An important aspect of distributed firewall configuration: security monitoring

Host-resident firewall, screening router, single bastion inline, single bastion T, double bastion inline, double bastion T, distributed firewall configuration