Intrusion Detection Systems: Introduction
Number 0x01: 03/23/2006
[ --- The Bug! Magazine
_____ _ ___ _
/__ \ |__ ___ / __\_ _ __ _ / \
/ /\/ '_ \ / _ \ /__\// | | |/ _` |/ /
/ / | | | | __/ / \/ \ |_| | (_| /\_/
\/ |_| |_|\___| \_____/\__,_|\__, \/
|___/
[ M . A . G . A . Z . I . N . E ]
[ Issue 0x01 <---> Edition 0x01 <---> Article 0x02 ]
.> March 23, 2006,
.> The Bug! Magazine < staff [at] thebugmagazine [dot] org >
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Intrusion Detection Systems: Introduction
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
.> February 30, 2006,
.> Gustavo Monteiro a.k.a y0rk < gfm [at] rfdslabs [dot] com [dot] br >
"In God we trust. All others we monitor."
- United States Navy
Contents
- 1. First Words
- 2. Introduction
- 2.1 Principles
- 2.2 Terminology
- 3. IDS
- 3.1 NIDS
- 3.2 HIDS
- 3.3 Architecture
- 3.4 IDS itself: an overview
- 3.5 IDS vs Firewall
- 4. Monitoring
- 4.1 Operation - Capture, Filters
- 4.2 Monitoring itself
- 4.3 Output Plugins
- 5. IPS
- 6. References
1. first words
This article is the first in a series for The Bug! Magazine. In this one we introduce Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Over the series we will treat these systems and each of their aspects in more detail.
Note: I will be as PRACTICAL/DIRECT/OBJECTIVE as possible.
2. introduction
The idea of IDS emerged in the early 1980s from studies at the Stanford Research Institute. Known as Project 6169 - Statistical Techniques Development For An Audit Trail System, the study used a high-speed algorithm that discriminated between users based on their behavioral profiles.
Several systems were tested and implemented. Many of them were designed to run on stand-alone computers, were based on Denning's statistical model of intrusion detection, and consumed audit trail data generated to the C2 security class (TCSEC).
In short, they are intelligent automated tools to detect intrusion attempts in real time.
2.1. Principles
Detection: the act, process or result of detecting; discovery, revelation. Put bluntly, it is the last stage of the security cycle, what is left when prevention has failed. An intrusion can be defined as any set of actions that attempt to compromise the integrity, confidentiality or availability of data and/or of a system.
2.2. Terminology in a simple way
Alerts/Events: An alert is the warning the IDS issues to the system operator when it detects suspicious activity. The IDS can issue alerts in several ways, both locally and remotely.
Evasion: Attacking the monitored system in a way the IDS does not detect. In simple terms, it is the technique of bypassing the IDS, or of making it not see what is going on.
Fragmentation: When a packet crosses a network boundary whose maximum transmission unit (MTU) is smaller than the packet, it is fragmented (broken into smaller pieces). Fragmentation is frequently abused by those interested in evasion, or in DoS attacks, because the sensor has to reassemble the pieces the same way the target will.
Signatures: Signatures are what make the IDS alert on suspicious activity. That is, it compares event X against the signature base and checks whether any rule matches.
3. IDS
3.1. NIDS
Network-based IDS:
Monitors ALL network traffic, as long as it passes through the sensor, and detects network-oriented attacks such as DDoS. Sensors are placed at the network's choke points, often in a DMZ or at the edge (think about how the sensors will talk to the signature base or management console, so that you do not open holes in the DMZ for nothing). They examine the traffic - in effect they sniff it, headers and, where needed, payload, looking for attack signatures - and determine whether it is within acceptable limits.
Note: a substantial number of attack signatures live in the packet payload rather than in the headers, so header-only traffic analysis is not sufficient in those cases; the sensor has to inspect content.
Picture:
[Internet]
    Z
    Z
[IDS]----------[HUB]
                 |
                 |
             [Firewall]
                 |
                 |_____[Workstations]
They can operate in two modes:
- Normal mode: only frames addressed to the sensor's own interface are captured.
- Promiscuous mode: every frame seen on the Ethernet segment is captured (the most common mode, and the one a sensor actually uses).
3.2. HIDS
Host-Based IDS systems:
They run on the monitored host and analyze its activity individually, matching signatures against events rather than raw traffic. They use application logs to obtain event records and analyze them to decide what to pass on to the central processor; kernel audit logs are one example. If an agent is placed directly in the kernel, it simply records the events the kernel generates. A HIDS should preferably operate in real time, so that failures are detected quickly.
3.3. Architecture
 I  |-------|
 N  | Agent |\
 T  |-------| \   |-------------|
 E  (Host A)  \___|   Central   |
 R            /   |-------------|\
 N  |-------| /                   \
 E  | Agent |/                     \|-----------|
 T  |-------|                       | Notifier  |
    (Host B)                        |-----------|
Agent
AAFID: Autonomous Agents for Intrusion Detection
A distributed monitoring and intrusion detection system. The Agent is the component that gathers information (vital signs, logs, files, network flow, etc.) and sends it to the Central, pre-processed into a specific format (log, binary, XML). The Agent collects whatever the central processing unit tells it to.
(!) Network monitors:
Monitor the network flow arriving at the host, checking it for a possible threat.
EX: a run of x86 NOPs (a NOP sled) in a payload.
(!) Integrity monitors:
Monitor vital signs (files, file systems, directories) or other parts of the server itself, looking for suspicious activity and/or changes to those files that could represent an attempt to break into or compromise the system.
EX: the authentication logs. Any pattern outside the routine is alerted on, that is, unusual or unexpected events... like user gustavo becoming root on Sunday night, after Fantastico. That is unexpected.
Central
Central is a data repository oriented to an analysis system that determines whether an attack is taking place. After the IDS captures a suspicious packet it sends it to the Central Processor, where the pre-processors reassemble the packet correctly, to reduce false negatives when comparing it against the signatures and make the IDS more reliable. The paper "An Architecture for Intrusion Detection using Autonomous Agents" points out that the Central Unit is a single point of failure: if someone can stop it from working, the whole network is unprotected.
Frag3, Snort's newest fragmentation (reassembly) engine, built on Judy Novak's target-based reassembly research, supports per-target policies for fragment overlaps, TTL-based evasion and timeouts. The reassembled packet is compared against the signature base and correlated; if the comparison returns a match the IDS forwards it to the output plugins, otherwise it discards the packet (considered normal network traffic).
(!) False negative:
When a packet passes through without the IDS raising an alert: the IDS takes the attack for normal network flow.
(!) False positive:
When a packet is reported as intrusive but is in fact just a false alarm.
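The overlap evasion mentioned under Fragmentation in 2.2, and the reassembly job the Central's pre-processors (Frag3) do before signature matching, as an added example. This is not code from the article or from Snort; it models reassembly in miniature with constructed fragments given as (byte offset, payload) pairs, no IP headers, and only two overlap policies, 'first' (earlier fragment wins) and 'last' (later fragment wins). The signature, the fragments and the policy names are constructed for the example; mapping real operating systems to policies is the engine's job and is not reproduced here.

```python
"""Target-based fragment reassembly and the overlap evasion it defeats.

Added example (not from the article or Snort). A sensor that matches each
fragment alone, or that reassembles with the wrong policy for the target,
misses the attack the target actually receives.
"""
from typing import Iterable, List, Tuple

Fragment = Tuple[int, bytes]  # (byte offset within the datagram, payload)

# Constructed signature: the FTP command from the article's firewall example.
SIGNATURE = b"/etc/passwd"

# Constructed fragments, in arrival order. Fragment B overlaps the "xxxxxx"
# region of fragment A. No single fragment contains the signature.
EVASION_FRAGMENTS: List[Fragment] = [
    (0, b"RETR /etc/xxxxxx\r\n"),   # A: 18 bytes, offsets 0-17
    (10, b"passwd"),                # B: 6 bytes, offsets 10-15 (overlap)
]


def reassemble(fragments: Iterable[Fragment], policy: str) -> bytes:
    """Rebuild the datagram under an overlap policy.

    'first': bytes from the earlier-arriving fragment win on overlap.
    'last' : bytes from the later-arriving fragment win on overlap.
    Raises ValueError on an unknown policy or on a datagram with a hole,
    which a real engine would hold until the missing piece (or a timeout) arrives.
    """
    frags = list(fragments)
    if policy not in ("first", "last"):
        raise ValueError(f"unknown overlap policy: {policy}")
    if not frags:
        return b""
    total = max(off + len(p) for off, p in frags)
    buf = bytearray(total)
    covered = bytearray(total)
    # Write in arrival order for 'last' (later writes overwrite earlier ones);
    # in reverse arrival order for 'first' (the earliest fragment is written last).
    order = frags if policy == "last" else list(reversed(frags))
    for off, payload in order:
        buf[off:off + len(payload)] = payload
        covered[off:off + len(payload)] = b"\x01" * len(payload)
    if not all(covered):
        raise ValueError("datagram has a hole; cannot reassemble yet")
    return bytes(buf)


def naive_match(fragments: Iterable[Fragment]) -> bool:
    """Sensor with no reassembly: match the signature against each fragment alone."""
    return any(SIGNATURE in payload for _, payload in fragments)


def sensor_alert(fragments: Iterable[Fragment], target_policy: str) -> bool:
    """Sensor that reassembles the way the target host would, then matches."""
    return SIGNATURE in reassemble(fragments, target_policy)


if __name__ == "__main__":
    for pol in ("first", "last"):
        print(pol, reassemble(EVASION_FRAGMENTS, pol))
    print("naive sensor alerts:", naive_match(EVASION_FRAGMENTS))
    print("target is 'last'  ->", sensor_alert(EVASION_FRAGMENTS, "last"))
    print("target is 'first' ->", sensor_alert(EVASION_FRAGMENTS, "first"))
```

If the target host favours later fragments, it receives RETR /etc/passwd, and only a sensor that models that policy alerts: the naive per-fragment sensor, and a sensor assuming 'first', produce exactly the false negative described above. A sensor assuming 'last' when the target is 'first' produces the opposite error, a false positive. That is why Frag3 keys its policy on the target address rather than picking one for the whole network.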
3.4. IDS itself: An overview
They are useful not only for detecting security flaws that have been or can be exploited, but also for monitoring intrusion attempts and providing counter-measures. Their performance is judged not so much on their ability to correctly identify intruders as on their ability to keep false negatives down. As far as rules go, it is important to make a rule as generic as possible: if a rule is too specific, attacks that are similar but not identical will slip past it. The trade-off is that the more generic the rule, the more false positives it raises, so the two have to be balanced.
3.5. IDS x Firewalls
The question always comes up: "Well, if I already have a firewall, why would I use an IDS?"
EX.:
You have a firewall rule that allows connections to the FTP server. Fine, but someone decides to download passwd from the FTP server... The firewall recognizes the traffic as FTP, which its rules allow, and will not block it. The IDS, which looks at the payload, will probably see that something is wrong...
In its packet-filtering architecture the firewall typically works at the network and transport layers (in OSI model terms). That is, once you apply rules (combinations of IP address, protocol such as TCP/UDP, and port number), packets are filtered on: source or destination IP, source or destination port, service type, flags set in the IP/TCP/UDP headers, MAC address, etc.
Most firewalls have no dynamic defense capability: they do not analyze what the user is doing, they simply filter packets against pre-set rules. The IDS, in contrast, works not only at layers 3 and 4 but also at the application layer, looking for trojans, denial of service (DoS) attacks, worms, buffer overflow attacks, network scans, etc.
In a way we can say that:
- Firewall = static (mostly)
- IDS = dynamic
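The FTP example above, and the NIDS sensor of 3.1 that sniffs headers and payload, as an added example. This is not code from the article, from Snort or from any firewall: it builds constructed IPv4/TCP packets in memory, parses the header fields a sensor on libpcap would decode, and runs each packet through a stateless firewall rule set keyed on protocol and destination port and then through an IDS rule set that additionally matches on payload content. Checksums are left at zero because nothing is put on a wire; the rule syntax, rule messages and addresses are invented for the example.

```python
"""A 5-tuple packet filter next to a content-inspecting sensor.

Added example, not from the article, Snort or any firewall product.
"""
import socket
import struct
from typing import Dict, List

IPPROTO_TCP = 6


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 + TCP packet (no options, checksums zeroed)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    # data offset 5 words (0x50), flags PSH|ACK (0x18), window 65535
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse(pkt: bytes) -> Dict:
    """Decode the fields both the firewall and the IDS look at."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if proto != IPPROTO_TCP:
        return {"proto": proto, "src": src, "dst": dst,
                "sport": None, "dport": None, "payload": b""}
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    doff = (pkt[ihl + 12] >> 4) * 4          # TCP data offset, in 32-bit words
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": pkt[ihl + doff:]}


# Firewall: first matching rule wins, default DROP. Layers 3/4 only.
FIREWALL_RULES = [
    {"action": "ACCEPT", "proto": IPPROTO_TCP, "dport": 21},   # allow FTP control
    {"action": "ACCEPT", "proto": IPPROTO_TCP, "dport": 80},
]

# IDS: the same header fields plus a content match on the payload (invented rules).
IDS_RULES = [
    {"msg": "FTP passwd retrieval attempt", "proto": IPPROTO_TCP, "dport": 21, "content": b"passwd"},
    {"msg": "FTP site exec attempt",        "proto": IPPROTO_TCP, "dport": 21, "content": b"SITE EXEC"},
]


def firewall_verdict(pkt: bytes) -> str:
    f = parse(pkt)
    for r in FIREWALL_RULES:
        if f["proto"] == r["proto"] and f["dport"] == r["dport"]:
            return r["action"]
    return "DROP"


def ids_alerts(pkt: bytes) -> List[str]:
    f = parse(pkt)
    return [r["msg"] for r in IDS_RULES
            if f["proto"] == r["proto"] and f["dport"] == r["dport"]
            and r["content"] in f["payload"]]


# Constructed traffic toward the FTP server 192.0.2.10.
PACKETS = {
    "benign": build_ipv4_tcp("198.51.100.7", "192.0.2.10", 40000, 21, b"USER anonymous\r\n"),
    "passwd": build_ipv4_tcp("198.51.100.7", "192.0.2.10", 40000, 21, b"RETR /etc/passwd\r\n"),
    "telnet": build_ipv4_tcp("198.51.100.7", "192.0.2.10", 40001, 23, b"\xff\xfb\x01"),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:7s} firewall={firewall_verdict(pkt):6s} ids={ids_alerts(pkt)}")
```

The firewall accepts both FTP packets because its rules never look past the ports; only the IDS, reading the payload, separates the anonymous login from the passwd download. The telnet packet is the firewall's job and is dropped before any IDS rule applies.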
4. monitoring
4.1. Operation
libpcap (the packet capture library) captures every frame passing through the interface at the link layer; capture filters (BPF expressions) restrict that to the traffic the sensor actually wants to see.
4.2. Monitoring itself
Monitoring can take many forms: the number of shells opened, the number of logins in X amount of time, the amount of CPU the machine is using, etc. In short, the IDS starts from a pre-established profile and then monitors behaviour against it. Thus, if S1, S2, ..., Sn are the abnormality values of the profile for the activities A1, A2, ..., An, then a larger value of Si means a greater deviation from the behaviour the profile expects for activity Ai.
The pattern of each user is kept in an individual profile, or even in group profiles. Routinely the current profile is compared with the pre-established one, and abnormal behaviour is determined from the difference. Profiles can be modified (to follow gradual changes in behaviour) according to the needs of the individual user. Data lying more than some number of standard deviations from the profile's mean value can be considered anomalous. But we will only cover anomaly-based detection in the next article.
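The profile comparison just described, as an added example in the style of Denning's statistical model. This is not code from the article or from any IDS: it keeps, per activity Ai, the mean and standard deviation of a user's recent counts (the pre-established profile), scores a new observation with Si = |xi - mean| / sd, flags activities whose Si exceeds a threshold, and slides the history window so the profile drifts with gradual changes. The history, the activity names, the 14-day window and the threshold of 3 standard deviations are constructed for the example.

```python
"""Statistical profile monitoring in the style of Denning's model.

Added example, not from the article or any IDS.
"""
import math
import statistics
from typing import Dict, List, Tuple

Profile = Dict[str, Tuple[float, float]]  # activity -> (mean, standard deviation)
WINDOW = 14                                # constructed: days of history kept

# Constructed history: 14 days of daily counts for one user.
HISTORY: Dict[str, List[int]] = {
    "logins_per_day":  [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4, 3, 4],
    "shells_per_day":  [10, 12, 9, 11, 10, 13, 11, 10, 12, 11, 9, 10, 12, 11],
    "su_root_per_day": [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
}


def build_profile(history: Dict[str, List[int]]) -> Profile:
    """The pre-established profile: (mean, sd) per activity."""
    return {act: (statistics.mean(xs), statistics.pstdev(xs)) for act, xs in history.items()}


def abnormality(profile: Profile, observation: Dict[str, int]) -> Dict[str, float]:
    """Si = |xi - mean| / sd for each observed activity.

    An activity whose history never varied (sd == 0) scores 0 when unchanged and
    infinity on any change: the first 'su root' from an account that never did so
    is, by definition, out of profile.
    """
    scores: Dict[str, float] = {}
    for act, x in observation.items():
        if act not in profile:
            raise ValueError(f"no profile for activity {act!r}")
        mean, sd = profile[act]
        if sd == 0.0:
            scores[act] = 0.0 if x == mean else math.inf
        else:
            scores[act] = abs(x - mean) / sd
    return scores


def flagged(scores: Dict[str, float], threshold: float = 3.0) -> List[str]:
    """Activities whose abnormality exceeds the threshold (constructed: 3 sd)."""
    return [act for act, s in scores.items() if s > threshold]


def update_history(history: Dict[str, List[int]], observation: Dict[str, int],
                   window: int = WINDOW) -> Dict[str, List[int]]:
    """Slide the window so the profile follows gradual change.

    Only call this for observations that were NOT flagged; learning from a
    flagged observation lets an attacker train the profile toward the attack.
    """
    new = dict(history)
    for act, x in observation.items():
        new[act] = (history[act] + [x])[-window:]
    return new


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for day in ({"logins_per_day": 4, "shells_per_day": 11, "su_root_per_day": 0},
                {"logins_per_day": 30, "shells_per_day": 11, "su_root_per_day": 1}):
        scores = abnormality(profile, day)
        print({a: round(s, 2) for a, s in scores.items()}, "->", flagged(scores))
```

The second day trips on two activities: thirty logins sit far outside a profile whose mean is 3.5, and a single su to root is infinitely abnormal for an account that has never done it. The shell count stays in profile both days, which is the point of scoring per activity rather than with one global threshold.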
4.3. Output plugins
Output plugins are the components that generate alerts and logs or take immediate action. They can interact with the firewall, send alerts by e-mail or pop-up, and record to text files, MySQL, XML, among others.
5. intrusion prevention system or inline IDS
Intrusion prevention can be considered a broad concept that unifies a number of features found in traditional antivirus, firewall and intrusion detection products.
The IPS is the first step in this direction. In a narrow sense, an IPS is an inline device that blocks attacks before they reach their target. In a broad sense, IPS is an extension of IDS: when an attack is detected, the IPS takes action to stop the current attack and prevent future ones, ranging from dropping the connection to reconfiguring the firewall.
IPS were invented independently by Jed Haile and Vern Paxson to resolve ambiguities in passive network monitoring and in-line detection systems. A considerable improvement over the firewall, an IPS makes its blocking decisions based on application content. However, I think the IPS idea is still too immature to substitute for a firewall, especially when it comes to automatic responses...
The problem is that a false positive on an IPS blocks legitimate traffic, so an IPS must be tuned more carefully than an IDS. These days current IDS have IPS capabilities, and every IPS has an IDS module.
Picture:
[Internet]
    Z
    Z
  [IPS]
    |
    |______[Workstations][Workstations]
To understand what an IPS is, you need to understand the problem it aims to solve. The hardliners say that IDS are inadequate to protect them. The threat scenario is made worse by the difficulty of patching in a timely manner, and by organizations that do not enforce patch control at all (universities, ISPs, etc.).
All in all, the important thing is to be aware that IDS/IPS are by no means an exact science.
Take care.
6. references
- Matt Bishop: Introduction to Computer Security.
- Adriano Mauro Cansian: Development of an Adaptive Intrusion Detection System in Computer Networks.
- Google, Wikipedia.
- Personal experience; conversations with friends.
- Maximum Security for Linux.