Monitoring Systems

From
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

IDS - Intrusion Detection Systems

Motivation

  • Protective measures like firewalle reduce the attack risk, but cannot totally eliminate it
    • e.g. bogus packer headers can lead to an attack not being detected
  • are principally "burglar alarms"
  • are employed for automated attack detection -> by monitoring accordance with provided security guidelines / rules
  • possible statements produced by an analysis are e.g.:
    • accordance with security guidelines
    • violation of security guidelines
    • suspective behaviour
  • about attackers:
    • from the outside
    • from the inside: according to a study by the FBI, the larger part of network attacks originates from its inside (Insiders know more about a systems architecture, protective measures etc.)
    • types: vandalism / espionage / just for fun / find security flaws in cooperation with the host
  • maybe a better name would be "Signature Compare System" or "Signature Compare Automaton"


timing behaviour

  • Realtime IDS - reports suspected intrusions which are proceeding (e.g. by network packet analysis)
  • Standard IDS - reports sucessful attacks (e.g. by logfile analysis)


architectures

HIDS - host-based IDS

  • receive their audit files from a host
  • use e.g. log files
  • system manipulations can be detected using checksums
  • by these mechanisms, attacks can only be detected when they already have occured -> forensic use
  • examples:
    • sXid - monitors SUID/GUID files
    • Tripwire - monitors file integrity (employing a database and hash functions to detect changes)

logcheck - logfile analysis by provided strings which are classified as security relevant: denied / failed; security violations: login root refused


NIDS - network-based IDS

  • analyzes network data
  • NIDS come in different flavours:
    • sensor-based system: has a network interface to "`sniff"' on the traffic
    • agent-based system: agents are installed on the monitored systems to catch the packets (from the different of the TCP/IP stack) and send them to a centralised unit for analyis.
  • Position:
    • between "outside world" and firewall, but before the internal network -> interesting to get an overview, but not a good choice on the long run because too much data is collected (..every portscan is recorded)
    • behind firewall, inside the local network -> can be used as a controlling device, unusal activities from local hosts are also reported
    • between 2 firewalls -> does not have to react on every single portscan, can be used to monitor inbound as well as outbound traffic
    • multiple sensors -> are useful in larger networks, collected data can be sent to a central analysis unit


hybrid forms

  • combinations of HIDS and NIDS
  • by partial data analyis on each host the central analysis unit can be relieved of some load


analysis techniques

misuse detection

  • works similar to virus scanners
  • detection by known signatures
  • pattern matching -> incoming pattern is compared to known attack patterns from a database
  • signs of an attack:
    • malformed network packets (big / small / characteristic sub-strings in packet data)
    • unusual protocols
    • access to certain ports
  • Disadvantage: only known attack methods can be detected. An up-to-date attack database is essential!


State Transition

  • another misuse detection technique
  • every state represents a state of the system / each transition is an action
  • state-transition diagram for every attack pattern
  • when system activity occurs, the analysis unit can change the state of the state automaton
  • (+) probability and proceeding of an attack can be modelled / some prediction can be made on the attackers next actions
  • (+) an attack is modelled on a very abstract basis / attack variants can be modelled with small additional automatons
  • (+) coordinated and slowed attacks can be detected!
  • next stage of development: colored Petri nets


Anomaly Detection

  • is not based on a static dataset
  • assumption: every behaviour that is not normal is an attack / suspective behaviour
  • the system has to "learn" for severeal weeks what normal behaviour means
  • this must be done while the systems integrity is certainz
  • an IDS may register e.g.
    • protocols
    • ports
    • attributes of system critical files (rights / users / size / modification date etc.)
  • when the learing phase is completed, learned behaviour is considered normal, everything else as anomalous.


Quantitative Analysis

  • Treshold Detection:
    • system and user activities are represented by counters:
    • exceeding a treshold is reported as possible attack
    • simple example: system log in, threshold of 3 -> 3 failed logins - user account is blocked
  • extension: heuristical treshold analyis
    • treshold is not fixed, but adjusted dynamically
    • in our example: the treshold is computed from the users past login activities
  • integrity checking
    • changes to system objects that may not be changed (data, programs, hardware) are monitored


Statistical Analysis

  • IDS keeps statistical profiles on each users normal behaviour
  • security alert is defined as strong deviation from this normal behaviour
  • (+) attackers using a "hijacked" account can be detected
  • (+) previously unknown patterns and methods of attack can be recognized
  • (-) bad real-time behaviour: all actions must have already happend to see if they are normal
  • (-) may pose too many restrictions on users
  • (-) may simplify "social monitoring" ("`..user X sends emails after lunch break"')


rule-based systems

  • operation similar to statistical systems (rules are defined instead of statistics)
  • rules may be user-defined or derived from data analyis
  • special subclass: Time-Based-Indictive IDS
    • monitors sequence of system operations
    • an anomaly is detected if order of events is not correct


neuronal networks

  • network is trained on "clean" data
  • learning ability makes neuronal networks wells suited for anomaly detection
  • (-) does not report type of attack
  • solution: one network for each type of attack (e.g. SYN-flooding)


Strict Anomaly Detection (Burglar Alarm / Passive Traps)

  • assumption: everything that is not explicitely permitted is an attack
  • employs pattern matching
  • normal system behaviour provided in a database
  • every deviant system behaviour is reported as an attack
  • (+) fewer patterns must be saved in the database
  • (+) updates to the database are only needed when the system is changed
Retrieved from "https://sarwiki.informatik.hu-berlin.de/index.php?title=Monitoring_Systems&oldid=3052"