[IT-Security-2] Intrusion Detection

Intrusion Detection


Notes from RWTH Aachen University course 
“IT security 2” Wintersemester 2019/20
professor: Meyer, Ulrike Michaela

Typical attack methodology

  • Gather information (reconnaissance)
  • Gain access
  • Escalate privileges
  • Gather system information
  • Maintain access
  • Cover tracks

:cactus: What is Intrusion Detection

  • :droplet: Security Intrusion
    • A security event in which an intruder gains, or attempts to gain, access to a system (or resource) without authorization.
  • :droplet: Intrusion Detection
    • A security service that monitors and analyzes system events in order to give real-time warning of intrusion attempts.

:cactus: Components of an Intrusion Detection System (IDS)

  • Sensors: record behaviour and collect data
  • Analyzers: analyze the collected data and decide whether an intrusion has occurred
  • User Interface: present the results

:cactus: Detection rate

  • :droplet: Because the behaviour of intruders and authorized users overlaps, detection can misclassify events.
  • :alarm_clock: \(\text{Detection rate = Recall = }\frac{TP}{TP+FN}\)
    \(TP=\text{True Positive (attack that raised an alarm)}\)
    \(FN=\text{False Negative (attack that raised no alarm)}\)
    Higher is better.
  • :alarm_clock: \(\text{False alarm rate = False Positive rate = }\frac{FP}{FP+TN}\)
    \(FP=\text{False Positive (benign behaviour that raised an alarm)}\)
    \(TN=\text{True Negative (benign behaviour that raised no alarm)}\)
    Lower is better.

:cactus: Base Rate Fallacy

  • It is hard to obtain both a high detection rate and a low false alarm rate at the same time.
  • Because attacks are rare (low base rate), even when an alarm is raised the probability that it is really an attack is low.
  • :droplet: Bayes Theorem
    \[Pr(A|B)=\frac{Pr(A\cap B)}{Pr(B)}\]
    \[Pr(B|A)=\frac{Pr(A|B)\,Pr(B)}{Pr(A)}\]
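As an added example (not from the course notes), the two rates defined above and the Bayes step behind the base rate fallacy worked through in Python. The confusion-matrix counts and the attack priors are constructed values, not figures from the lecture.

```python
from fractions import Fraction


def detection_rate(tp, fn):
    """Recall: fraction of attacks that raised an alarm (higher is better)."""
    return Fraction(tp, tp + fn)


def false_alarm_rate(fp, tn):
    """False positive rate: fraction of benign events that raised an alarm (lower is better)."""
    return Fraction(fp, fp + tn)


def p_attack_given_alarm(prior_attack, det_rate, far):
    """Bayes' theorem: Pr(attack | alarm) = Pr(alarm | attack) * Pr(attack) / Pr(alarm),
    with Pr(alarm) = det_rate * Pr(attack) + far * (1 - Pr(attack))."""
    p_alarm = det_rate * prior_attack + far * (1 - prior_attack)
    return det_rate * prior_attack / p_alarm


if __name__ == "__main__":
    # Constructed evaluation counts: 100 attacks and 10,000 benign events.
    det = detection_rate(tp=99, fn=1)          # 99/100
    far = false_alarm_rate(fp=100, tn=9900)    # 1/100
    # Base rate fallacy: with 1 attack per 10,000 events the same detector is
    # right only about 1 % of the time it raises an alarm; the posterior only
    # becomes useful as the (constructed) prior grows.
    for prior in (Fraction(1, 10000), Fraction(1, 100), Fraction(1, 2)):
        post = p_attack_given_alarm(prior, det, far)
        print(f"Pr(attack)={float(prior):.4f}  Pr(attack|alarm)={float(post):.4f}")
```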

:cactus: IDS Approaches

  • :droplet: Anomaly Detection
    • Collect data
    • Build a model of normal behaviour
    • Flag behaviour that does not match the model

    The false alarm rate can be high.

    • Methods
      • Statistical: univariate, multivariate, time-series
      • Knowledge-based: rules provided by an expert system
      • Machine-learning: Bayesian networks, Markov models, fuzzy logic, clustering…
  • :droplet: Signature or Heuristic detection (Misuse Detection)
    • Malicious data patterns (signatures)
      • The larger (more specific) the signature, the lower the false alarm rate
      • Low cost
    • Attack rules (heuristics)
      • Rules identify suspicious behaviour (specific to each OS and machine)
      • Derived from analysis of known attacks
      • e.g. SNORT is a rule-based IDS
      • Example rules:
        • buffer overflow (e.g. a setuid program invoked with particular arguments)
        • SYN flooding (e.g. many SYN packets without corresponding ACKs)
    • Can only detect known attacks
  • Extracting Misuse Signatures
    • Invariant features of an attack
    • Honeypots
  • :droplet: Host-based IDS (HIDS)
    • Observes a specific host
    • Provides only a local view
    • Can only detect an attack once that host is attacked
    • Observable data:
      • System calls
        • See who issues which system call
        • But on Windows, calls made through DLLs hide the actual caller
      • Audit records (log files)
        • An attacker may modify the log files or suppress logging
      • File integrity checksums
        • Checksums computed with a MAC
      • Registry access
        • Monitor registry accesses
  • :droplet: Network-based IDS (NIDS)
    • A selected set of nodes in the network
    • Usually combined with e.g. a firewall
    • The fewer nodes needed to cover the whole network, the better
    • Sensor
      • Inline sensor: traffic must pass through it
      • Passive sensor: receives a copy of the traffic
    • Sensor Placement
      • with the external firewall
      • DMZ
      • with the internal firewall
      • internal

Detectable attacks

  • :droplet: Anomaly detection
    • DoS
    • scanning attacks
    • worms
    • bots
  • :droplet: Misuse-based detection
    • application layer attacks (DHCP, DNS, FTP, IMAP…)
    • transport layer attacks (SYN floods)
    • network layer attacks (IPv4, IPv6…)
    • hosts running an SMTP server
  • :droplet: Distributed IDS
    • Combines HIDS and NIDS
    • Components communicate and exchange information
    • Intrusion Detection Exchange Protocol (IDXP)
      • Protocol specifying how the information is exchanged

:cactus: Snort

  • Highly configurable host-based/network-based IDS
  • Inspects packets/ protocols/ content
  • Covers TCP/ UDP/ ICMP
  • Rule-based
  • Inline/ passive modes
  • :droplet: Architecture
    • Decoder: identifies and isolates the packet headers of each layer
    • Detection Engine: analyzes the packet against the rules and stops at the first matching rule
    • Logger: stores the packet
    • Alerter: sends notifications to a file/ UNIX socket/ database
  • :droplet: Rules
    • Simple, flexible rule definition language
    • A rule consists of a header and options
    • Header (field: description, example)
      • Action: what to do, e.g. alert/ log/ pass/ drop/ reject
      • Protocol: e.g. TCP/ UDP/ ICMP/ IP
      • Source IP address
      • Source port
      • Direction: unidirectional/ bidirectional
      • Destination IP address and port
    • Options
      • keyword
      • arguments
    • Categories of rule options
      • Metadata
      • Payload
      • Non-payload
      • Post-detection

    Snort once had a remote buffer overflow vulnerability that allowed remote code execution; it was later fixed.

:cactus: Attacking and Evading NIDS

  • :droplet: Overload the NIDS
    • Flood it with large amounts of data so that it cannot keep up, and slip the intrusion past it
    • Solution: watchdog timer
  • :droplet: Encryption (the NIDS cannot inspect encrypted payloads)
  • :droplet: Splitting packets
  • :droplet: Detection is hard at every level of analysis
    • scanning (the attacker may split packets)
    • recording (the attacker may reorder packets)
    • full reassembly of TCP state (the attacker may use TCP tricks)
    • none of these alone is sufficient

Readings

Stallings and Brown: Computer Security, 2015
    Chapter 8: Intrusion Detection Systems
Matt Bishop: Introduction to Computer Security, 2004
    Chapter 22: Intrusion Detection
