Intrusion Detection
Anti-virus
Anti-virus - computer programs used to prevent, detect and remove malware - prevention, detection, recovery
Signature Detection
- Store some small code signature for each virus
- Scan files either in bulk or at runtime, compare with the signatures on file
- Generic signatures
Heuristic Detection
- Determine what actions and rules a virus program will normally adopt
- Start the program in a VM and see what it does
- Theoretically could detect a virus that doesn't strictly match some signature
Next-gen
- AI crap
- Reg keys, configuration, network activity, system calls, access patterns
Network Attack Models - Firewalls don't protect against, attacks using valid protocols, insider attacks
Intrusion Detection Systems (IDS)
- Detects possible intrusion attempts
- Generates alerts and logs
Intrusion Prevention Systems (IPS) - Same as IDS, except also stops attacks
Deployment
Host-based (HIDS)
- Monitors a single host to find suspicious activity including resource/app usage
- Many ways modern Anti-virus does this
- Additional layer of security software running on host within protected LAN or VPN
- Creates a profile of usage for specific users
- Can monitor CPU, memory use, application use and the network stack Network-based (NIDS)
- Monitors network traffic and analyses packets from different protocols to identify suspicious activity
- Placed at a viewpoint on a network to examine and analyse traffic (Installed on a firewall or in a DMZ)
- May perform deeper analysis than many firewalls, e.g. stateful protocol analysis and deep packet inspection
Components of IDS
- Sensors/Agents: Collect and collate data from multiple viewpoints on a network
- Analysers: Ascertain if an intrusion has taken place
- Reporting: Notify the administrators via alerts on a console or graphical interface
Multiple sensors allow us to distribute capture, but centralise computing overhead
Detection Modes
Signature-based
Fingerprinting sequences of operations or packets
- Like antivirus, signatures are created and stored in a database
- Compare network activity against the database and an alarm is triggered if there is a match
- Include some form of attack language Pros and cons of these systems are identical to their anti-virus counterparts
- Computationally efficient
- Always spots known attacks
- Always misses unknown attacks
- Detailed signature databases must be kept up-to-date
Examples
Signs that a host is performing port scans
- Large amounts of ICMP traffic
- Many TCP connection (SYN) packets
- Connections going to a variety of other hosts
If a host establishes more than 3 TCP connections to different hosts in 5 seconds, its port scanning
Snort - Uses rules to analyse network packs and can provide alerts and logging
Nmap timings
- Can avoid detection when using nmap by reducing the speed of the scan
- Makes port scanning very hard to distinguish from general network noise
Anomaly-based
Build a model of "normal" and find deviations
- Detection has wide-ranging applications from IDS to banking fraud
- Build up a picture of normal usage, and detect when usage moves beyond what is normal
- Always a trade off between false positives and false negatives
"Normal" - Run a host within a quarantined environment and collect training data. Monitoring logs
Machine Learning
- Train a model to make predictions on data
- Support Vector Machines, NM all see use in intrusion detection
- A network can be pre-trained
- Sensor measurements are then passed through the network
- Activations in the specific output neuron signal an alert
Drawbacks
- Scaling - search space can increase exponentially, real-time data
- False Negatives - Limits in the representation, what is normal can change
Stateful Protocol Analysis
More complex version of a stateful packet filter
- Hold detailed session information on protocols being used, examine for attacks
- Computationally costly, and requires the IDS have all possible versions of these protocols described in its database