Comp 529
T 7-10
Intrusion Detection
Conclusion
Questions
Preventive approach:
Reactive approach:
to detect intrusions
How to respond
Firewalls
A firewall is a security device that allows limited access into and out of one's network from the Internet
A piece of hardware connected to a network for protection
Only permits approved traffic in and out of one's local site
Allows the administrator to select the services applicable and necessary to one's business and screens out the rest
Types of Attacks
(Diagram: hackers on the Internet reaching a corporate intranet and its mail server, web site, HR/Finance, manufacturing, engineering and branch office systems, plus connections from a mobile worker and a supplier)
(Diagram: the intrusion detection system monitors the target system, reports what it finds, and responds)
Desirable characteristics
Run continually
Fault tolerant
Resist subversion
Minimal overhead
Configurable
Adaptable
Scalable
Provide graceful degradation of service
Allow dynamic reconfiguration
(Slide fragments; only the following survives: detect and analyze host-related activity; management system; shell command records; from network)
Analysis Techniques
Misuse Detection
predetermined knowledge base
high levels of detection accuracy
minimal number of false positives
Problems
relies heavily on the thorough and correct
construction of this knowledge base
variations of known attacks
intrusions not in knowledge base
traditionally requires human domain experts
Analysis Techniques
Anomaly Detection
events unlike normal system behavior
variety of techniques including
statistical modeling
neural networks
hidden Markov models
Anomaly Detection
Advantages
ability to identify new and previously unseen
attacks
automated, do not require expert knowledge of
computer attacks
Problems
attacks that resemble normal behavior
higher numbers of false positives
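To make the contrast between the two analysis techniques concrete, here is an added Python example (not from the slides) that runs a signature-based misuse detector and a simple profile-based anomaly detector over a few constructed command sessions. The users, commands, signature and threshold are all made up for the illustration; a real anomaly detector would use the statistical or learning models listed above rather than a plain vocabulary check. The sessions are chosen so that each technique's weakness from the slides shows up: the signature misses a trivially varied command, and the anomaly detector flags a legitimate but unusual session.

```python
import re
from collections import Counter

# Constructed training data: program names seen in users' past sessions (not real logs).
TRAINING = {
    "alice": ["ls", "vim", "make", "git", "ls", "make", "git", "ls", "vim", "make"],
    "mallory": ["ls", "ps", "top", "ls", "ps", "ls", "top", "ls"],
}

# Constructed test sessions to classify (not real logs).
SESSIONS = {
    "alice": ["ls", "cat /etc/passwd", "make", "git"],  # legitimate, slightly unusual
    "mallory": ["ls", "cat /etc/sha*", "ps"],           # variation the signature misses
    "bob": ["cat /etc/shadow", "ls"],                   # exact signature match
}

# Misuse detection: a knowledge base of known-bad command patterns (constructed).
SIGNATURES = {
    "read-shadow": re.compile(r"^cat\s+/etc/shadow$"),
}


def misuse_detect(session):
    """Return the names of signatures matched by any command in the session."""
    hits = []
    for cmd in session:
        for name, pattern in SIGNATURES.items():
            if pattern.search(cmd):
                hits.append(name)
    return hits


def build_profile(history):
    """Anomaly baseline: how often the user normally runs each program."""
    return Counter(cmd.split()[0] for cmd in history)


def anomaly_score(profile, session):
    """Fraction of session commands whose program is absent from the profile.

    Returns None when there is no baseline at all, since the detector then has
    nothing to compare against.
    """
    if not profile or not session:
        return None
    unseen = sum(1 for cmd in session if cmd.split()[0] not in profile)
    return unseen / len(session)


def classify(user, session, threshold=0.2):
    """Run both detectors on one session and return their verdicts side by side."""
    profile = build_profile(TRAINING.get(user, []))
    score = anomaly_score(profile, session)
    return {
        "misuse": misuse_detect(session),
        "anomaly_score": score,
        "anomalous": score is not None and score > threshold,
    }


if __name__ == "__main__":
    for user, session in SESSIONS.items():
        print(user, classify(user, session))
```

Running classify on the three sessions shows the trade-off: only the exact signature match is caught by misuse detection, while the anomaly detector flags both the varied command and alice's harmless lookup (a false positive), and has nothing to say about a user with no baseline.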
Unrealistic Expectations
Network traffic
Computational workload
Ad Hoc Networks
No firewalls or gateways
ID Techniques
Mobile Agents
Haystack Algorithm
Indra
Multi-layer detection
autonomous
goal-driven
reactive
social
adaptive
mobile
Components
Two Components
Agent
Agent Platform
digital signatures
agents
Code Size
Performance
MA Systems - AAFID
The problem: Monolithic IDS
Limited scalability
Single point of failure
Difficult configurability
Prone to insertion and evasion attacks
(Diagram: one central IDS serving many hosts)
AAFID architecture
Distributed data collection and analysis
Autonomous agents
Independent entities
Hierarchical structure
System Architecture
(Diagram: agents, transceivers, monitors and filters on hosts, with control and data flows and a user interface)
Communications organization
(Diagram: hosts A to E and the UI arranged in the communications hierarchy)
What is an Agent?
Independently-running entity
What is a Transceiver?
Communications backbone for a host
Handles all the agents in a host
May do processing on data received from
agents
Interacts with a monitor
What is a Monitor?
Highest level entity
Main control and data processing entity
Handles one or more transceivers
Can control other monitors
Can be connected hierarchically to other
monitors
May interact with a user interface
What is a Filter?
Subscription-based mechanism
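Added Python example (not AAFID's own Perl code) modelling the entities defined on the preceding slides: a filter delivers only subscribed event types to agents, each agent reports findings to its host's transceiver, the transceiver does host-level processing before passing results up, and the monitor correlates across hosts. The event stream, the login-failure check and the thresholds are constructed for the illustration.

```python
from collections import defaultdict


class Filter:
    """Subscription-based mechanism: an agent registers interest in an event
    type and receives only matching events from the host's audit stream."""

    def __init__(self):
        self.subscribers = defaultdict(list)

    def subscribe(self, event_type, callback):
        self.subscribers[event_type].append(callback)

    def publish(self, event):
        for callback in self.subscribers[event["type"]]:
            callback(event)


class Agent:
    """Independently-running entity watching one aspect of a host."""

    def __init__(self, name, event_type, check):
        self.name, self.event_type, self.check = name, event_type, check
        self.transceiver = None

    def attach(self, transceiver, event_filter):
        self.transceiver = transceiver
        event_filter.subscribe(self.event_type, self.handle)

    def handle(self, event):
        finding = self.check(event)
        if finding is not None:
            self.transceiver.report(self.name, finding)


class Transceiver:
    """Per-host communications backbone: gathers agent reports, does some
    host-level processing, and passes results up to its monitor."""

    def __init__(self, host, monitor, repeat_limit=3):
        self.host, self.monitor, self.repeat_limit = host, monitor, repeat_limit
        self.counts = defaultdict(int)
        monitor.transceivers.append(self)

    def report(self, agent_name, finding):
        key = (agent_name, finding)
        self.counts[key] += 1
        if self.counts[key] == self.repeat_limit:  # host-level threshold reached
            self.monitor.receive(self.host, agent_name, finding)


class Monitor:
    """Highest-level entity: correlates findings coming from many hosts."""

    def __init__(self):
        self.transceivers = []
        self.hosts_by_finding = defaultdict(set)
        self.alerts = []

    def receive(self, host, agent_name, finding):
        self.hosts_by_finding[finding].add(host)
        hosts = self.hosts_by_finding[finding]
        if len(hosts) >= 2:  # same finding on several hosts: escalate
            self.alerts.append((agent_name, finding, sorted(hosts)))


def failed_login_check(event):
    """Agent logic (constructed): report the source of a failed login."""
    return None if event["ok"] else event["src"]


# Constructed audit events for two hosts (not real logs).
HOST_EVENTS = {
    "host1": [{"type": "login", "src": "10.0.0.9", "ok": False}] * 3
    + [{"type": "login", "src": "10.0.0.5", "ok": True}],
    "host2": [{"type": "login", "src": "10.0.0.9", "ok": False}] * 3,
}


def run_demo(events=HOST_EVENTS):
    """Wire one agent/filter/transceiver per host under a single monitor."""
    monitor = Monitor()
    for host, stream in events.items():
        event_filter = Filter()
        transceiver = Transceiver(host, monitor)
        Agent("login-failures", "login", failed_login_check).attach(transceiver, event_filter)
        for event in stream:
            event_filter.publish(event)
    return monitor


if __name__ == "__main__":
    print(run_demo().alerts)
```

Each transceiver only escalates once a finding repeats on its own host, and the monitor only alerts when two hosts independently report the same source, which is the kind of cross-host correlation a monolithic, single-host IDS cannot do.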
AAFID2 prototype
Road-test the architecture
Focus on usability and flexibility
Run-time distribution of code
Little focus on performance
Provides infrastructure for development
Uses pipes and TCP for communication
Implemented in Perl5
Development support
APIs for development of Agents and
Filters
Code generation tool for agents already
exists
The APIs implement generic behavior, so
implementers only need to add specific
functionality.
Current status:
Prototype distributed to the public
ftp://coast.cs.purdue.edu/pub/coast/AAFID/
http://www.cs.purdue.edu/coast/projects/autonomous-agents.html
Performance impact (on average)

Component            %CPU     %MEM
GUI                  ~0.5%    ~8%
Monitor              ~2%      ~6%
Transceiver          ~0.1%    ~4%
Agents (combined)    ~0.26%   ~4.5%
Detection
ARP cache poisoning
Writable user and configuration files
Suspicious sequences of commands
Accesses to network services
Health of system services
Repeated login failures
Configuration problems in ftp and www servers
Benefits of AAFID
Graceful degradation of service
Scalability
Easier to modify configuration
Information can be collected at the end host
Can combine host-based and network-based approaches to intrusion detection
Drawbacks of AAFID
MA Systems - LIDS
LIDS:
Local Intrusion Detection System
(Diagram: several LIDS instances exchanging mobile agents)
Features of LIDS
Reliable
Flexible
Behavior based
Blackboard-based architecture
Controlled by autonomous agents
Learning and adapting capability
Low maintenance cost
Uses building blocks of computational
intelligence as intrusion analyzer
Low rate of false positives
ID Systems
Haystack Algorithm
Host-based system
A statistical anomaly detection algorithm
Requires a designated node to act as a
central administrator
Uses audit trail generated from host
Analyzes users' session vectors
Weight-scoring with threshold vectors
Able to detect several types of intrusions
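Added worked example (Python, not from the slides or from the original Haystack implementation) of the scoring idea described above: a session's audit trail is condensed into a vector of feature counts, each feature is compared against its normal range, the weights of out-of-range features are summed, and the sum is compared with an alarm threshold. The feature names, ranges, weights and audit records are constructed for the illustration and are not Haystack's actual parameters.

```python
from dataclasses import dataclass

# Features measured per login session (constructed for the example).
FEATURES = ("cpu_seconds", "files_opened", "failed_logins", "bytes_sent")


@dataclass
class Threshold:
    low: float
    high: float
    weight: float  # contribution to the suspicion score when out of range


# Constructed group profile: normal range and weight per feature.
PROFILE = {
    "cpu_seconds": Threshold(0, 600, 1.0),
    "files_opened": Threshold(0, 200, 2.0),
    "failed_logins": Threshold(0, 2, 4.0),
    "bytes_sent": Threshold(0, 5_000_000, 3.0),
}

ALARM_THRESHOLD = 5.0  # constructed: score at or above this raises an alarm


def session_vector(audit_records):
    """Summarize the raw audit records of one session as a feature vector."""
    vec = dict.fromkeys(FEATURES, 0)
    for rec in audit_records:
        kind = rec["event"]
        if kind == "cpu":
            vec["cpu_seconds"] += rec["seconds"]
        elif kind == "open":
            vec["files_opened"] += 1
        elif kind == "login_fail":
            vec["failed_logins"] += 1
        elif kind == "net_send":
            vec["bytes_sent"] += rec["bytes"]
    return vec


def score_session(vec, profile=PROFILE):
    """Weight-scoring: sum the weights of features outside their normal range.

    Returns the score and the list of features that contributed to it."""
    score = 0.0
    flagged = []
    for name, t in profile.items():
        value = vec[name]
        if value < t.low or value > t.high:
            score += t.weight
            flagged.append(name)
    return score, flagged


def is_suspicious(vec, profile=PROFILE, alarm=ALARM_THRESHOLD):
    score, _ = score_session(vec, profile)
    return score >= alarm


# Constructed audit trails for two sessions (not real data).
NORMAL_SESSION = [
    {"event": "cpu", "seconds": 120}, {"event": "open"}, {"event": "open"},
    {"event": "net_send", "bytes": 20_000},
]
ODD_SESSION = [
    {"event": "login_fail"}, {"event": "login_fail"}, {"event": "login_fail"},
    {"event": "cpu", "seconds": 90},
    {"event": "net_send", "bytes": 9_000_000},
]


if __name__ == "__main__":
    for label, trail in (("normal", NORMAL_SESSION), ("odd", ODD_SESSION)):
        vec = session_vector(trail)
        print(label, vec, score_session(vec), is_suspicious(vec))
```

The second session trips two features (repeated login failures and an unusually large transfer), so its weighted score of 7 exceeds the alarm threshold, while a single mildly odd feature with a low weight would not; that is how the threshold vector keeps one-off deviations from raising alarms.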
A Peer-to-peer Approach
Makes use of cross-monitoring or
neighborhood watch
Information on attempted attacks
gathered by intended victims
Victim notifies adjacent hosts of the attack, or peer nodes detect the attack and sound the alarm
Uses daemons
Web-of-trust model for certification of
nodes
Watchdog
Verify that next node in path forwards packet
Listening in promiscuous mode
Control Messages
Neighborhood Watch
Observing route protocol behavior
Listening to transmission of next node
Alarm messages
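Added Python example (not from the slides) of the watchdog mechanism in event-driven form: a node records each packet it hands to its next hop, listens in promiscuous mode for that hop retransmitting it, and counts a failure when the forwarding deadline passes without the retransmission being overheard; once a hop's failures reach a threshold the node raises an alarm message. Node names, packet ids and the threshold are constructed, and timers are replaced by explicit timeout calls so the scenario is deterministic.

```python
from collections import defaultdict


class Watchdog:
    """Node that verifies its next hop actually forwards packets handed to it."""

    def __init__(self, node_id, failure_threshold=3):
        self.node_id = node_id
        self.threshold = failure_threshold
        self.pending = {}                 # packet_id -> next hop expected to forward it
        self.failures = defaultdict(int)  # next hop -> packets it failed to forward
        self.alarms = []                  # (next hop, failure count) alarm messages

    def send(self, packet_id, next_hop):
        """Hand a packet to next_hop and remember that we expect to overhear it."""
        self.pending[packet_id] = next_hop

    def overhear(self, packet_id, transmitter):
        """Called for every frame heard in promiscuous mode.

        A frame only clears a pending packet if the node transmitting it is the
        hop we handed that packet to; frames from other nodes are ignored."""
        if self.pending.get(packet_id) == transmitter:
            del self.pending[packet_id]

    def timeout(self, packet_id):
        """Forwarding deadline expired: count a failure against the next hop.

        Returns the hop's failure count, or None if the packet was not pending."""
        next_hop = self.pending.pop(packet_id, None)
        if next_hop is None:
            return None
        self.failures[next_hop] += 1
        if self.failures[next_hop] >= self.threshold:
            self.alarms.append((next_hop, self.failures[next_hop]))
        return self.failures[next_hop]


def simulate():
    """Constructed scenario: node A sends four packets through next hop B.

    B forwards only the first one; the other three time out, so A raises an
    alarm against B once the threshold of three failures is reached."""
    wd = Watchdog("A", failure_threshold=3)
    for pid in ("p1", "p2", "p3", "p4"):
        wd.send(pid, next_hop="B")
    wd.overhear("p1", transmitter="B")  # B retransmitted p1: forwarded as expected
    wd.overhear("p2", transmitter="C")  # unrelated frame from C: p2 stays pending
    for pid in ("p2", "p3", "p4"):
        wd.timeout(pid)
    return wd


if __name__ == "__main__":
    wd = simulate()
    print("failures:", dict(wd.failures), "alarms:", wd.alarms)
```

A real deployment would also need to cope with collisions and with a hop that forwards only some packets, which is why the failure count is compared against a threshold rather than alarming on the first miss.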
Conclusion