Monitoring Systems

Motivation

Protective measures like firewalle reduce the attack risk, but cannot totally eliminate it
- e.g. bogus packer headers can lead to an attack not being detected
are principally "burglar alarms"
are employed for automated attack detection -> by monitoring accordance with provided security guidelines / rules
possible statements produced by an analysis are e.g.:
- accordance with security guidelines
- violation of security guidelines
- suspective behaviour
about attackers:
- from the outside
- from the inside: according to a study by the FBI, the larger part of network attacks originates from its inside (Insiders know more about a systems architecture, protective measures etc.)
- types: vandalism / espionage / just for fun / find security flaws in cooperation with the host
maybe a better name would be "Signature Compare System" or "Signature Compare Automaton"

Realtime IDS - reports suspected intrusions which are proceeding (e.g. by network packet analysis)
Standard IDS - reports sucessful attacks (e.g. by logfile analysis)

HIDS - host-based IDS

receive their audit files from a host
use e.g. log files
system manipulations can be detected using checksums
by these mechanisms, attacks can only be detected when they already have occured -> forensic use
examples:
- sXid - monitors SUID/GUID files
- Tripwire - monitors file integrity (employing a database and hash functions to detect changes)

logcheck - logfile analysis by provided strings which are classified as security relevant: denied / failed; security violations: login root refused

NIDS - network-based IDS

analyzes network data
NIDS come in different flavours:
- sensor-based system: has a network interface to "`sniff"' on the traffic
- agent-based system: agents are installed on the monitored systems to catch the packets (from the different of the TCP/IP stack) and send them to a centralised unit for analyis.
Position:
- between "outside world" and firewall, but before the internal network -> interesting to get an overview, but not a good choice on the long run because too much data is collected (..every portscan is recorded)
- behind firewall, inside the local network -> can be used as a controlling device, unusal activities from local hosts are also reported
- between 2 firewalls -> does not have to react on every single portscan, can be used to monitor inbound as well as outbound traffic
- multiple sensors -> are useful in larger networks, collected data can be sent to a central analysis unit

hybrid forms

combinations of HIDS and NIDS
by partial data analyis on each host the central analysis unit can be relieved of some load

misuse detection

works similar to virus scanners
detection by known signatures
pattern matching -> incoming pattern is compared to known attack patterns from a database
signs of an attack:
- malformed network packets (big / small / characteristic sub-strings in packet data)
- unusual protocols
- access to certain ports
Disadvantage: only known attack methods can be detected. An up-to-date attack database is essential!

State Transition

another misuse detection technique
every state represents a state of the system / each transition is an action
state-transition diagram for every attack pattern
when system activity occurs, the analysis unit can change the state of the state automaton
(+) probability and proceeding of an attack can be modelled / some prediction can be made on the attackers next actions
(+) an attack is modelled on a very abstract basis / attack variants can be modelled with small additional automatons
(+) coordinated and slowed attacks can be detected!
next stage of development: colored Petri nets

Anomaly Detection

is not based on a static dataset
assumption: every behaviour that is not normal is an attack / suspective behaviour
the system has to "learn" for severeal weeks what normal behaviour means
this must be done while the systems integrity is certainz
an IDS may register e.g.
- protocols
- ports
- attributes of system critical files (rights / users / size / modification date etc.)
when the learing phase is completed, learned behaviour is considered normal, everything else as anomalous.

Quantitative Analysis

Treshold Detection:
- system and user activities are represented by counters:
- exceeding a treshold is reported as possible attack
- simple example: system log in, threshold of 3 -> 3 failed logins - user account is blocked
extension: heuristical treshold analyis
- treshold is not fixed, but adjusted dynamically
- in our example: the treshold is computed from the users past login activities
integrity checking
- changes to system objects that may not be changed (data, programs, hardware) are monitored

Statistical Analysis

IDS keeps statistical profiles on each users normal behaviour
security alert is defined as strong deviation from this normal behaviour
(+) attackers using a "hijacked" account can be detected
(+) previously unknown patterns and methods of attack can be recognized
(-) bad real-time behaviour: all actions must have already happend to see if they are normal
(-) may pose too many restrictions on users
(-) may simplify "social monitoring" ("`..user X sends emails after lunch break"')

rule-based systems

operation similar to statistical systems (rules are defined instead of statistics)
rules may be user-defined or derived from data analyis
special subclass: Time-Based-Indictive IDS
- monitors sequence of system operations
- an anomaly is detected if order of events is not correct

neuronal networks

Strict Anomaly Detection (Burglar Alarm / Passive Traps)