
Advances in Network Security

Case Study: Intrusion Detection


Max Lakshtanov

Comp 529

T 7-10

Intrusion Detection

Introduction and Background

Overview of Mobile Agents

Mobile Agents VS. Intruders

Other Intrusion Detection Techniques

Conclusion

Questions

Network Security: preventive and reactive

Preventive approach: prevent intrusions from occurring
  User authentication: logins and passwords
  Firewalls: filter network traffic

Reactive approach: Intrusion Detection System (IDS)
  How to detect intrusions
  How to respond

Firewalls
A firewall is a security device that allows limited
access into and out of one's network from the Internet
A piece of hardware connected to a network for protection
Only permits approved traffic into and out of one's local site
Allows the administrator to select the services necessary
to one's business and screens out the rest

Types of Attacks (diagram)
Network diagram: hackers on the Internet, a mobile worker,
a supplier and a branch office all reach the corporate
intranet (mail server, web site, HR/Finance, Manufacturing,
Engineering)

Why are firewalls not enough?

Not all access to the Internet occurs through the firewall
Not all threats originate from outside the firewall
Firewalls are themselves subject to attack
Little protection against data-driven attacks (e.g.
virus-infected programs or data files, as well as malicious
Java applets and ActiveX controls)

What is an Intrusion Detection System?

Concept established in 1980 by J. P. Anderson
Abbreviated as IDS, it is a defense system that detects
hostile activities in a network
An IDS complements firewalls by allowing a higher level of
analysis of traffic on a network, and by monitoring the
behavior of sessions on the servers
Helps computer and network systems prepare for and deal
with an attack

Basic Intrusion Detection (diagram)
The Intrusion Detection System monitors the target system,
reports what it sees, and responds

Intrusion Detection System Infrastructure

Desirable characteristics
Run continually
Fault tolerant
Resist subversion
Minimal overhead
Configurable
Adaptable
Scalable
Provide graceful degradation of service
Allow dynamic reconfiguration

What does an IDS do?


IDS inspects all inbound and outbound
network activity and identifies suspicious
patterns that may indicate a network or
system attack
In a passive system, the IDS detects a
potential security breach, logs the
information and signals an alert
In a reactive system, the IDS logs off a user
or reprograms the firewall to block network
traffic from the suspected malicious source


First major type of IDS

Host based IDS

loaded on each protected asset
make use of system resources: disk space, RAM, CPU time
detect host-related activity
analyze operating system, application, and system audit trails
can be self-contained or remotely managed
some attacks cannot be detected at a single location

Host based IDS (diagram)

Second major type of IDS

Network based IDS

monitor activity on a specific network segment
usually dedicated platforms with two components:
  Sensor: passively analyzes network traffic
  Management system: displays alarm information and
  configures the sensors
perform rules-based or expert system analysis
high network load causes scalability problems
problems with encrypted communication

Network based IDS (diagram)

Audit Data Example

From the operating system: shell command records
From the network: network connection records

What are False Positives?

Occur when the system classifies a legitimate action as a
possible intrusion
Any alert that was triggered incorrectly, e.g. alerts about
telnet connections that are legitimate
Common causes
  Abnormal traffic patterns
  Too much traffic (high-bandwidth connections)
  Incorrectly configured software
Results
  Tend to clutter up the displays
  An attacker may exploit automatic responses to cause a DoS,
  e.g. by provoking alerts with spoofed source addresses so
  that the IDS blocks legitimate hosts
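The following is an added illustration of the last point, not code from the slides: a naive reactive responder blocks every alert source, so an attacker who spoofs the gateway's and resolver's addresses gets them blocked; the guarded version applies an allowlist, a severity check and a cap. The alert records, the addresses and the cap are constructed for this example; the firewall is modelled as an in-memory set.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed alerts as a passive IDS would emit them. The first two are a real
# scan, the third is a legitimate telnet login, and the last two carry source
# addresses spoofed by an attacker so that an automatic block would cut off the
# gateway (192.0.2.1) and the DNS resolver (192.0.2.53).
ALERTS = [
    {"src": "203.0.113.7",  "sig": "portscan",     "severity": "high"},
    {"src": "203.0.113.7",  "sig": "portscan",     "severity": "high"},
    {"src": "198.51.100.9", "sig": "telnet-login", "severity": "low"},
    {"src": "192.0.2.1",    "sig": "portscan",     "severity": "high"},  # spoofed
    {"src": "192.0.2.53",   "sig": "portscan",     "severity": "high"},  # spoofed
]

# Assumed list of hosts that must never be auto-blocked.
CRITICAL_HOSTS = frozenset(ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.53"))


def naive_responder(alerts):
    """Block every alert source: the behaviour an attacker can turn into a DoS."""
    return {a["src"] for a in alerts}


@dataclass
class GuardedResponder:
    allowlist: frozenset
    max_blocks: int = 3                       # cap on blocks per response window
    blocked: set = field(default_factory=set)
    log: list = field(default_factory=list)   # every alert is still logged

    def handle(self, alert):
        src = ipaddress.ip_address(alert["src"])
        if src in self.allowlist:
            action = "log-only:allowlisted"
        elif alert["severity"] != "high":
            action = "log-only:low-severity"   # passive handling of weak signals
        elif alert["src"] in self.blocked:
            action = "already-blocked"
        elif len(self.blocked) >= self.max_blocks:
            action = "log-only:block-cap"      # stop a flood of alerts from
        else:                                  # rewriting the whole firewall
            self.blocked.add(alert["src"])
            action = "blocked"
        self.log.append((alert["src"], alert["sig"], action))
        return action


def run_guarded(alerts, allowlist=CRITICAL_HOSTS):
    """Feed alerts through the guarded responder; return (blocked set, actions)."""
    responder = GuardedResponder(allowlist=allowlist)
    actions = [responder.handle(a) for a in alerts]
    return responder.blocked, actions


if __name__ == "__main__":
    print("naive blocks:  ", sorted(naive_responder(ALERTS)))
    blocked, actions = run_guarded(ALERTS)
    print("guarded blocks:", sorted(blocked))
    for a, act in zip(ALERTS, actions):
        print(f"  {a['src']:<14} {a['sig']:<13} -> {act}")
```

The cap and allowlist do not make the response safe on their own; they limit the blast radius of a spoofed-alert flood while every alert is still recorded for an analyst.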

Analysis Techniques

Misuse Detection
matches activity against a predetermined knowledge base of
known attack patterns
high levels of detection accuracy
minimal number of false positives

Problems
relies heavily on the thorough and correct construction of
this knowledge base
variations of known attacks are missed
intrusions not in the knowledge base are missed
traditionally requires human domain experts
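As an added example (not from the slides), here is a minimal misuse detector run over shell command audit records of the kind listed on the Audit Data slide. The audit records and the two signatures are constructed; the sequence-signature format is an assumption for this example. It shows both the strength (bob's setuid-shell copy is caught) and the listed weakness (carol does the same thing with "chmod u+s" instead of "chmod 4755" and is missed).

```python
import re

# Constructed shell command audit records as (user, command); not real data.
AUDIT = [
    ("alice", "ls -la /home/alice"),
    ("bob",   "cp /bin/sh /tmp/.x"),
    ("bob",   "chmod 4755 /tmp/.x"),   # setuid copy of the shell: known pattern
    ("carol", "cp /bin/sh /tmp/sh"),
    ("carol", "chmod u+s /tmp/sh"),    # same intent, different spelling
    ("dave",  "cat /etc/passwd"),
]

# Knowledge base (assumed format): a signature is an ordered list of regexes
# that must match consecutive commands of one user. Capture groups, where
# present, must all refer to the same file so the steps belong together.
SIGNATURES = {
    "setuid-shell-copy": [r"^cp\s+/bin/sh\s+(\S+)$", r"^chmod\s+4755\s+(\S+)$"],
    "passwd-read":       [r"^cat\s+/etc/passwd$"],
}


def sequence_hits(cmds, patterns):
    """Indices at which `patterns` match a consecutive run of `cmds`."""
    hits = []
    n = len(patterns)
    for i in range(len(cmds) - n + 1):
        captured, ok = [], True
        for pattern, cmd in zip(patterns, cmds[i:i + n]):
            m = re.match(pattern, cmd)
            if not m:
                ok = False
                break
            captured.extend(m.groups())
        # all captured file names must agree (or there are none)
        if ok and len(set(captured)) <= 1:
            hits.append(i)
    return hits


def detect(audit, signatures):
    """Return (user, signature name, first command of the match) per hit."""
    per_user = {}
    for user, cmd in audit:
        per_user.setdefault(user, []).append(cmd)
    alerts = []
    for user, cmds in per_user.items():
        for name, patterns in signatures.items():
            for i in sequence_hits(cmds, patterns):
                alerts.append((user, name, cmds[i]))
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT, SIGNATURES):
        print(alert)
```

Extending the first signature to accept "chmod (4755|u\+s)" would catch carol, which is exactly the maintenance burden the slide describes: every variant has to be anticipated by the people who write the knowledge base.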

Analysis Techniques

Anomaly Detection
flags events unlike normal system behavior
variety of techniques, including statistical modeling,
neural networks, and hidden Markov models
a baseline model represents normal system behavior, against
which anomalous events can be distinguished
a threshold defines the range of normal behavior

Anomaly Detection

Advantages
  ability to identify new and previously unseen attacks
  automated; does not require expert knowledge of computer
  attacks

Problems
  attacks that resemble normal behavior go undetected
  higher numbers of false positives: all anomalous events
  are assumed to be intrusive
  implementation errors also produce false positives

Unrealistic Expectations

IDSs are not silver bullets for security
They cannot compensate for weak identification and
authentication mechanisms
They cannot conduct investigations of attacks without human
intervention
They cannot compensate for weaknesses in network protocols,
applications, or systems
They cannot analyze all of the traffic on a network
They cannot always deal with problems involving packet-level
attacks

Problems of existing monolithic IDS

Central data collection and analysis
  Single point of failure
  Network traffic
  Computational workload
Ad hoc networks
Possibility of distributed, coordinated attacks
Lack of common vocabulary or standards

Wireless Ad Hoc Networks

Collection of mobile nodes
No pre-existing communication infrastructure
Each node can act as router as well as host
Dynamic participation of each node
No centralized authority for authentication and monitoring

Vulnerabilities of ad hoc networks

Wireless communication (open medium)
Cooperation among nodes is necessary (lack of centralized
authority)
Don't rely on existing infrastructure
Have many operational limitations:
  Transmission range and bandwidth
  Energy, CPU, and memory
Autonomous units capable of roaming independently
  easily captured and compromised without physical protection
  very expensive and not scalable if physically protected

Vulnerabilities of ad hoc networks

Usually used in situations where rapid deployment is necessary
Usually deployed in hostile (not physically protected) places
Dynamic topology changes (due to mobility)
Lack of key concentration points (e.g. switches and routers)
No firewalls or gateways
Difficult to distribute and update signatures (detection
database)

ID Techniques

Mobile Agents

Haystack Algorithm

Indra

Detection at network layer

Multi-layer detection


What are Mobile Agents?

executing programs that can migrate from machine to machine
in a heterogeneous network under their own control
correlate all suspicious events that occurred in different
monitored hosts
may have these characteristics:
  autonomous
  goal-driven
  reactive
  social
  adaptive
  mobile

Mobile Agent Characteristics

can be programmed to satisfy one or more goals
move independently from one device to another on a network
generally serializable and persistent
provide more accurate alarms
dynamically increase/reduce the suspicion level of a certain
host or login user
evade attackers
can resurrect themselves if attacked

Components

Two components
  Agent
  Agent platform

The mobile agent contains code and state information needed
for carrying out computation tasks on an agent platform

Advantages of Mobile Agents

Reducing network load - move logic, not data
Overcoming network latency - agents operate directly on the host
Autonomous execution - still function when portions of the IDS
get destroyed or separated
Platform independence - inserts an OS-independent layer between
the hosts and the IDS using agents
Dynamic adaptation - reconfigure at run-time
Upgradability - signature database and detection algorithms
are kept up to date
Scalability - reduce computational and network load

Problems of Mobile Agents

Security - several security implications that must be
considered:
  the host (and the agent platform) must be protected against
  malicious code (certificates for agent code)
  agents can be modified/eavesdropped when they move over the
  network (encrypting agents, digital signatures)
  mobile agents can be attacked by a malicious agent platform
  itself
  difficult to fight when agents need unrestricted movement
  around the network
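As an added example (not code from the slides or from any of the systems named later), the following shows the second point in working form: an agent's code and state are serialized, an authenticator is attached before the agent migrates, and the receiving platform refuses to execute an agent whose body was altered in transit. It uses a pre-shared HMAC key from the standard library so it runs offline; a real deployment would use asymmetric digital signatures so that a platform cannot forge agents, and would additionally encrypt the body against eavesdropping. The agent, its state and the key are constructed for this example.

```python
import hashlib
import hmac
import json

# Assumption for this example: a key shared by the agent platforms. A real
# system would sign with a private key and verify with the public key.
KEY = b"example-shared-key-not-for-production"

# Constructed mobile agent: code plus the state it carries between hosts.
AGENT = {
    "code": (
        "def run(state):\n"
        "    state['visited'].append(state['host'])\n"
        "    state['suspicion'] += 1\n"
        "    return state\n"
    ),
    "state": {"host": "h2", "visited": ["h1"], "suspicion": 3},
}


def pack(agent):
    """Canonical serialization so both sides authenticate identical bytes."""
    return json.dumps(agent, sort_keys=True, separators=(",", ":")).encode()


def seal(agent, key=KEY):
    """Sending platform: attach an authenticator over code and state."""
    body = pack(agent)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify(envelope, key=KEY):
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def platform_run(envelope, key=KEY):
    """Receiving platform: execute only an envelope that verifies."""
    if not verify(envelope, key):
        return None                      # reject modified or forged agent
    agent = json.loads(envelope["body"])
    namespace = {}
    # Restricted namespace for the agent code; a real platform still needs a
    # proper sandbox, which this example does not provide.
    exec(agent["code"], {"__builtins__": {}}, namespace)
    return namespace["run"](agent["state"])


def tamper(envelope):
    """Model an on-path attacker resetting the suspicion level the agent carries."""
    bad = dict(envelope)
    bad["body"] = envelope["body"].replace('"suspicion":3', '"suspicion":0')
    return bad


if __name__ == "__main__":
    env = seal(AGENT)
    print("valid  ->", platform_run(env))
    print("tampered ->", platform_run(tamper(env)))
```

The authenticator protects the agent in transit between platforms only; it does nothing against the third point on the slide, a malicious platform that already holds the agent's code and state.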

Problems of Mobile Agents

Code size
  Complex piece of software
  Agents might get large
  Transferring agent code over the network takes time
  Only needed once when hosts store agent code locally

Performance
  Often written in scripting or interpreted languages to be
  easily ported between different platforms.
  This mode of execution is very slow compared to native code.
  As an IDS has to process a large amount of data under very
  demanding timing constraints (near real-time), the use of
  MAs could degrade its performance.

IDSs using agents

Autonomous Agents For Intrusion Detection (AAFID) at Purdue
Local Intrusion Detection System (LIDS)
Mobile Agent Intrusion Detection Systems (MAIDS)
Intrusion Detection Agent System (IDA) at IPA, Japan

MA Systems - AAFID

AAFID: Autonomous Agents for Intrusion Detection

The problem: monolithic IDS (diagram of a single IDS
attached to many hosts)
Limited scalability
Single point of failure
Difficult configurability
Prone to insertion and evasion attacks

AAFID architecture
Distributed data collection and analysis
Autonomous agents
Independent entities
Hierarchical structure

System Architecture (diagram)
Entities: agents, monitors, transceivers, filters; separate
control and data flows; a user interface (UI)

Communications organization (diagram)
Entities A through E connected hierarchically, with the UI
attached at the top

What is an Agent?

Independently-running entity
Usually a separate process or thread
Can keep state
May perform arbitrary actions
Can be very simple or very complex
May exchange data with other entities

What is a Transceiver?
Communications backbone for a host
Handles all the agents in a host
May do processing on data received from agents
Interacts with a monitor

What is a Monitor?
Highest-level entity
Main control and data processing entity
Handles one or more transceivers
Can control other monitors
Can be connected hierarchically to other monitors
May interact with a user interface

What is a Filter?

Platform- and OS-specific entity
Extracts the necessary data, providing a hardware and OS
abstraction layer
Subscription-based mechanism
Allows for increased portability of agents

AAFID2 prototype
Road-test the architecture
Focus on usability and flexibility
Run-time distribution of code
Little focus on performance
Provides infrastructure for development
Uses pipes and TCP for communication
Implemented in Perl5
  Easy portability; easy to install and run

Development support
APIs for development of agents and filters
A code generation tool for agents already exists
The APIs implement generic behavior, so implementers only
need to add specific functionality.

Graphical User Interface

Very simple support for starting and controlling entities
Implemented in Perl/Tk

Current status:
Prototype distributed to the public
ftp://coast.cs.purdue.edu/pub/coast/AAFID/
http://www.cs.purdue.edu/coast/projects/autonomous-agents.html

Performance impact

Measurements on 22 machines in the COAST lab over 14 hours.
Sparc LX, Sparc 5, Sparc 10, Ultra 1, Ultra 2

On average:
Entity               %CPU     %MEM
GUI                  ~0.5%    ~8%
Monitor              ~2%      ~6%
Transceiver          ~0.1%    ~4%
Agents (combined)    ~0.26%   ~4.5%

Detection
ARP cache poisoning
Writable user and configuration files
Suspicious sequences of commands
Accesses to network services
Health of system services
Repeated login failures
Configuration problems in ftp and www servers

Benefits of AAFID
Graceful degradation of service
Scalability
Easier to modify configuration
Information can be collected at the end host
Can combine host-based and network-based approaches to
intrusion detection

Drawbacks of AAFID

Monitors may still be single points of failure
  Solution: hierarchical structure, redundancy
Must ensure consistent information among redundant monitors
Detection of intrusions at the monitor level is delayed until
all information reaches the monitor
Difficult to keep global state
Data reduction is not implemented correctly
Still creates a lot of network traffic
More difficult to do failure tolerance

MA Systems - LIDS

LIDS: Local Intrusion Detection System

ID in ad hoc wireless network (diagram)
Each node runs a LIDS instance; mobile agents move between
the LIDS instances

Features of LIDS
Reliable
Flexible
Behavior based
Blackboard-based architecture
Controlled by autonomous agents
Learning and adapting capability
Low maintenance cost
Uses building blocks of computational intelligence as the
intrusion analyzer
Low rate of false positives

ID Systems

Other intrusion detection techniques

Haystack Algorithm
Host-based system
A statistical anomaly detection algorithm
Requires a designated node to act as a central administrator
Uses the audit trail generated by the host
Analyzes users' session vectors
Weight-scoring with threshold vectors
Able to detect several types of intrusions
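The following added example (not code from Haystack or from the slides) implements the statistical anomaly detection described on the Anomaly Detection slides in the Haystack-style form given here: a baseline of normal sessions yields a per-feature threshold vector, each session vector is scored by the weights of its out-of-range features, and the score is compared with an alarm threshold. The features, weights, session history, the mean-plus-k-sigma bounds and the alarm threshold are all assumptions constructed for this example; Haystack's actual feature set and scoring formula are not reproduced. The four test sessions at the bottom show a normal session, a loud attack, an attack that resembles normal behavior (missed), and a legitimate batch job (false positive).

```python
import statistics as st

# Assumed session-vector features and per-feature weights (constructed).
FEATURES = ("failed_logins", "files_read", "cpu_seconds", "net_bytes")
WEIGHTS = {"failed_logins": 3, "files_read": 2, "cpu_seconds": 1, "net_bytes": 2}

# Constructed history of normal sessions for one user; not real audit data.
HISTORY = [
    (0, 12, 30, 2000), (1, 15, 28, 2500), (0, 10, 35, 1800),
    (0, 14, 31, 2200), (1, 11, 29, 2100), (0, 13, 33, 2400),
]


def build_threshold_vector(history, k=2.0):
    """Per-feature (low, high) bounds: mean +/- k * stdev over the baseline."""
    bounds = {}
    for i, feature in enumerate(FEATURES):
        column = [session[i] for session in history]
        mu, sigma = st.mean(column), st.pstdev(column)
        bounds[feature] = (mu - k * sigma, mu + k * sigma)
    return bounds


def score_session(session, bounds, weights=WEIGHTS):
    """Weighted count of features outside their normal range."""
    total, flagged = 0, []
    for i, feature in enumerate(FEATURES):
        low, high = bounds[feature]
        if not low <= session[i] <= high:
            total += weights[feature]
            flagged.append(feature)
    return total, flagged


def classify(session, bounds, alarm_threshold=3):
    """Return (alarm?, score, flagged features) for one session vector."""
    score, flagged = score_session(session, bounds)
    return score >= alarm_threshold, score, flagged


# Constructed test sessions in FEATURES order.
SESSIONS = {
    "normal":          (0, 13, 32, 2300),
    "bruteforce+exfil": (9, 80, 31, 40000),
    "low-and-slow":    (1, 15, 34, 2600),   # attack shaped like normal use
    "batch-job":       (0, 30, 90, 2100),   # legitimate but unusual
}

if __name__ == "__main__":
    bounds = build_threshold_vector(HISTORY)
    for name, session in SESSIONS.items():
        print(f"{name:<17} -> {classify(session, bounds)}")
```

The "low-and-slow" row is the weakness listed under anomaly detection (an attack that resembles normal behavior stays inside every bound), and the "batch-job" row is the false positive that comes from treating every anomalous event as intrusive.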

Indra - Intrusion Detection and Rapid Action

A peer-to-peer approach
Makes use of cross-monitoring, or "neighborhood watch"
Information on attempted attacks is gathered by the intended
victims
The victim notifies adjacent hosts of an attack, or peer
nodes detect the attack and sound the alarm
Uses daemons
Web-of-trust model for certification of nodes

Detection at network layer

Watchdog
  Verify that the next node in the path forwards the packet
  Listen in promiscuous mode
Control messages
  Add two control messages to the DSR protocol
Neighborhood watch
  Observe routing protocol behavior
  Listen to the transmission of the next node
  Alarm messages
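As an added example (not code from the slides or from any published watchdog implementation), the following simulates the watchdog check: a node keeps each packet it forwarded until it overhears the next hop retransmitting it, counts a misbehavior when the timeout expires without that transmission, and raises an alarm once a neighbour's count reaches a threshold. The node names, the traffic and the threshold are constructed; radio behaviour is reduced to the two events "forwarded" and "overheard".

```python
from collections import defaultdict


class WatchdogNode:
    """A node that forwards packets and overhears its neighbours' transmissions."""

    def __init__(self, name, fail_threshold=3):
        self.name = name
        self.fail_threshold = fail_threshold
        self.pending = {}                  # packet_id -> next hop we expect to retransmit
        self.failures = defaultdict(int)   # next hop -> packets it did not forward
        self.alarms = []                   # neighbours reported as misbehaving

    def forward(self, packet_id, next_hop):
        """We sent packet_id to next_hop; remember it until we overhear it again."""
        self.pending[packet_id] = next_hop

    def overhear(self, sender, packet_id):
        """Promiscuous-mode receipt of a neighbour's transmission."""
        if self.pending.get(packet_id) == sender:
            del self.pending[packet_id]     # next hop did its job

    def timeout(self):
        """Forwarding timeout expired: everything still pending counts as dropped."""
        for packet_id, hop in list(self.pending.items()):
            self.failures[hop] += 1
            del self.pending[packet_id]
            if self.failures[hop] >= self.fail_threshold and hop not in self.alarms:
                self.alarms.append(hop)    # would become an alarm message to peers
        return list(self.alarms)


def simulate():
    """Constructed traffic: B forwards everything; M forwards only the first packet."""
    a = WatchdogNode("A")
    for i in range(1, 5):
        a.forward(f"b{i}", "B")
        a.overhear("B", f"b{i}")
    a.timeout()
    for i in range(1, 5):
        a.forward(f"m{i}", "M")
        if i == 1:
            a.overhear("M", f"m{i}")
        a.timeout()
    return dict(a.failures), a.alarms


if __name__ == "__main__":
    failures, alarms = simulate()
    print("failures:", failures)
    print("alarms:  ", alarms)
```

The threshold exists because a single missed transmission is ambiguous in a shared medium: the next hop may have forwarded the packet while a collision or limited transmit range kept the watchdog from hearing it, so one miss is evidence, not proof.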

Multi-layer IDS (mIDS)

Detection on one layer can be initiated or aided by evidence
from other layers.
Aggregation of evidence allows a more informed decision
Improved performance: higher true positive and lower false
positive rates

Conclusion

Mobile Agent Benefits
Run continually
Fault tolerant
Resist subversion
Minimal overhead
Configurable
Adaptable
Scalable
Provide graceful degradation of service
Allow dynamic reconfiguration

Questions & Answers

Mobile Agents For Intrusion Detection