Intrusion Detection Systems

Prepared by
Mr. S. Saravanan,
Asst. Prof, Amrita School of Computing, Chennai
Definitions
Network-based ID involves looking at the packets on the network as they pass by some sensor.
Monitoring Networks and Hosts
(diagram: network packets are captured with tcpdump; operating system events are collected with BSM)
Host-Based IDSs
• Using OS auditing mechanisms
– e.g., BSM on Solaris: logs all direct or indirect events generated by a user
– strace for system calls made by a program
• Monitoring user activities
– e.g., analyze shell commands
• Monitoring executions of system programs
– e.g., analyze system calls made by sendmail
Network IDSs
• Deploying sensors at strategic locations
– e.g., packet sniffing via tcpdump at routers
• Inspecting network traffic
– Watch for violations of protocols and unusual connection patterns
• Monitoring user activities
– Look into the data portions of the packets for malicious command sequences
• May be easily defeated by encryption
– Data portions and some header information can be encrypted
• Other problems …
Signature-based (misuse) detection relies on pre-defined patterns (signatures) to identify malicious activity in network traffic.
Example for signatures in misuse detection
Consider a web application that uses SQL queries to authenticate users. The application may have a login page with the following SQL query to check user credentials:
SELECT * FROM users WHERE username = 'input_username' AND password = 'input_password';

An attacker, aware of the vulnerability, may input the following into the username field:
' OR '1'='1'; --

The manipulated SQL query becomes:
SELECT * FROM users WHERE username = '' OR '1'='1'; --' AND password = 'input_password';
Detection Using Attack Signature
• A signature-based intrusion detection system may have a signature rule that looks for the specific pattern associated with this SQL injection attempt. The attack signature could be defined as:
If input contains the pattern: ' OR '1'='1'; --
Then generate an alert for potential SQL injection attack.
• When the system detects this pattern in the user input during a login attempt, it raises an alert, allowing administrators to investigate and take appropriate action to mitigate the attack.
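The signature rule above, implemented as a small detector over constructed login attempts (this is an added example, not code from the slides). It uses the slide's own pattern; as a small generalization it matches case-insensitively and tolerates variable whitespace, and it records the source address so an administrator can investigate. The usernames, IP addresses and the "sqli-tautology" rule name are constructed for the example.

```python
import re

# Constructed example (not from the slides): a minimal signature-based check of
# the kind the slide describes, applied to the username field of a login form.
# The signature is the slide's own pattern: ' OR '1'='1'; --
# As a small generalization it is matched case-insensitively and tolerates
# variable whitespace, so trivial spacing differences do not hide it.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1'\s*;\s*--", re.IGNORECASE),
}

def match_signatures(field_value):
    """Return the names of all signatures that match the given input."""
    return [name for name, pat in SIGNATURES.items() if pat.search(field_value)]

def check_login_attempt(username, source_ip):
    """Evaluate one login attempt; return an alert dict, or None if clean.

    The alert carries what an administrator needs to investigate: the rule
    that fired, the offending field and value, and the source address."""
    hits = match_signatures(username)
    if not hits:
        return None
    return {
        "alert": "potential SQL injection attack",
        "signatures": hits,
        "field": "username",
        "value": username,
        "source_ip": source_ip,
    }

# Constructed sample login attempts: two ordinary usernames (one containing an
# apostrophe, which must not alert) and the slide's injection string.
SAMPLE_ATTEMPTS = [
    ("alice", "192.0.2.10"),
    ("O'Brien", "192.0.2.11"),
    ("' OR '1'='1'; --", "198.51.100.7"),
]

def scan_attempts(attempts=SAMPLE_ATTEMPTS):
    """Run every attempt through the detector and collect the alerts raised."""
    return [a for a in (check_login_attempt(u, ip) for u, ip in attempts) if a]

if __name__ == "__main__":
    for alert in scan_attempts():
        print(alert)
```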
Example for signature based attack detection in
NIDS
• The NIDS uses signature-based detection to identify known attack patterns or signatures. For example, it has a signature for the well-known "SQL Slammer" worm.
Signature for detecting the SQL Slammer worm:
If packet payload contains the specific hex pattern associated with the SQL Slammer worm, generate an alert.

The SQL Slammer, also known as the SQL Slammer worm or SQL Server worm, is a computer worm that spread rapidly across the internet in January 2003. It is one of the fastest-spreading worms in the history of cybersecurity. The primary target of the SQL Slammer was Microsoft SQL Server, a

The following is the hex pattern associated with the SQL Slammer worm:
04 01 00 20 02 00 00 00
Anomaly based IDS example
• Imagine you have a server that hosts a web
application. You've installed a HIDS on this
server to monitor and detect any suspicious
activity or potential security threats.
• Let's say the web server starts experiencing an
unusually high number of failed login attempts
within a short period. The HIDS, through its
anomaly detection, recognizes this as abnormal
behavior based on the established baseline. It
raises an alert and provides details about the
suspicious activity, such as the source IP address
and the affected user account.
• The system administrator receives the alert,
investigates the issue, and takes appropriate
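The HIDS scenario above, as an added example that is not part of the slides: a baseline of failed logins per 5-minute window is summarised as mean and standard deviation, the current window's auth-log lines are parsed, and an alert naming the busiest source IP and the targeted account is raised when the count exceeds the baseline by a margin. The baseline numbers, the log lines and the threshold rule (mean plus 3 standard deviations, with a small floor) are all constructed assumptions.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline (made-up numbers, not from the slides): failed logins
# per 5-minute window observed on the web server during normal operation.
BASELINE_COUNTS = [0, 1, 0, 2, 1, 0, 1, 3, 0, 1, 2, 0]

# Constructed auth-log style lines for the current 5-minute window: one
# ordinary failure, one success, and a burst of failures against "admin".
CURRENT_WINDOW = [
    "10:00:03 sshd[401]: Failed password for bob from 192.0.2.10 port 50211 ssh2",
    "10:01:40 sshd[410]: Accepted password for bob from 192.0.2.10 port 50212 ssh2",
] + [
    f"10:00:{9 + i:02d} sshd[{402 + i}]: Failed password for admin "
    f"from 198.51.100.7 port {40010 + i} ssh2"
    for i in range(7)
]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def threshold(baseline, k=3.0, floor=5):
    """Alert level: baseline mean plus k standard deviations, but never below
    a small floor so a very quiet baseline does not alert on a single typo."""
    return max(floor, mean(baseline) + k * pstdev(baseline))

def failed_logins(lines):
    """Extract (account, source_ip) from failed-login lines; others are skipped."""
    return [m.groups() for m in map(FAILED_RE.search, lines) if m]

def detect(lines, baseline=BASELINE_COUNTS):
    """Return an alert dict if the window's failed-login count is anomalous,
    else None. The alert names the busiest source IP and targeted account."""
    fails = failed_logins(lines)
    limit = threshold(baseline)
    if len(fails) <= limit:
        return None
    top_ip = Counter(ip for _, ip in fails).most_common(1)[0][0]
    top_user = Counter(user for user, _ in fails).most_common(1)[0][0]
    return {"alert": "abnormal rate of failed logins", "count": len(fails),
            "threshold": limit, "source_ip": top_ip, "account": top_user}

if __name__ == "__main__":
    print(detect(CURRENT_WINDOW))
```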
Host-based intrusion detection techniques
Misuse Detection
(diagram: known intrusion patterns are matched against observed activities by pattern matching to flag an intrusion)
Example: if (src_ip == dst_ip) then “land attack”
Can’t detect new attacks

Anomaly Detection
(plot: activity measures such as CPU and process size against a normal profile; activity far from the profile is marked abnormal or a probable intrusion)
Any problem?
Relatively high false positive rate - anomalies can just be new normal activities.
Three primary types of signatures in NIDS are string signatures, port signatures, and header condition signatures.

String signatures - String signatures look for a text string that indicates a possible attack. An example string signature for UNIX might be “cat "+ +" > /.rhosts”, which if successful, might cause a UNIX system to become extremely vulnerable to network attack.

Port signatures - Port signatures simply watch for connection attempts to well known, frequently
Header signatures watch for dangerous or illogical combinations in packet headers. The most famous example is WinNuke, where a packet is destined for a NetBIOS port and the Urgent pointer, or Out Of Band pointer is set. This resulted in the “blue screen of death” for Windows systems.

Another well-known header signature is a TCP packet with both the SYN and FIN flags set, signifying that the requestor wishes to start
NIDS placement
There are four types of locations for the sensors:
1. Outside the main enterprise firewall. Useful for establishing the level of threat for a given enterprise network.
2. In the network DMZ (inside the main firewall but outside internal firewalls).
Snort IDS
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin
Next Generation IDSs
• Adaptive
– Detect new intrusions
• Scenario-based
– Correlate (multiple sources of) audit data and
attack information
• Cost-sensitive
– Model cost factors related to intrusion detection
– Dynamically configure IDS components for best
protection/cost performance