Skip to main content

Intrusion Detection

Anti-virus

Anti-virus - computer programs used to prevent, detect and remove malware - prevention, detection, recovery

Signature Detection

  • Store some small code signature for each virus
  • Scan files either in bulk or at runtime, compare with the signatures on file
  • Generic signatures

Heuristic Detection

  • Determine what actions and rules a virus program will normally adopt
  • Start the program in a VM and see what it does
  • Theoretically could detect a virus that doesn't strictly match some signature

Next-gen

  • AI crap
  • Reg keys, configuration, network activity, system calls, access patterns

Network Attack Models - Firewalls don't protect against, attacks using valid protocols, insider attacks

Intrusion Detection Systems (IDS)

  • Detects possible intrusion attempts
  • Generates alerts and logs

Intrusion Prevention Systems (IPS) - Same as IDS, except also stops attacks

Deployment

Host-based (HIDS)

  • Monitors a single host to find suspicious activity including resource/app usage
  • Many ways modern Anti-virus does this
  • Additional layer of security software running on host within protected LAN or VPN
  • Creates a profile of usage for specific users
  • Can monitor CPU, memory use, application use and the network stack Network-based (NIDS)
  • Monitors network traffic and analyses packets from different protocols to identify suspicious activity
  • Placed at a viewpoint on a network to examine and analyse traffic (Installed on a firewall or in a DMZ)
  • May perform deeper analysis than many firewalls, e.g. stateful protocol analysis and deep packet inspection

Components of IDS

  • Sensors/Agents: Collect and collate data from multiple viewpoints on a network
  • Analysers: Ascertain if an intrusion has taken place
  • Reporting: Notify the administrators via alerts on a console or graphical interface

Multiple sensors allow us to distribute capture, but centralise computing overhead

Detection Modes

Signature-based

Fingerprinting sequences of operations or packets

  • Like antivirus, signatures are created and stored in a database
  • Compare network activity against the database and an alarm is triggered if there is a match
  • Include some form of attack language Pros and cons of these systems are identical to their anti-virus counterparts
  • Computationally efficient
  • Always spots known attacks
  • Always misses unknown attacks
  • Detailed signature databases must be kept up-to-date

Examples

Signs that a host is performing port scans

  • Large amounts of ICMP traffic
  • Many TCP connection (SYN) packets
  • Connections going to a variety of other hosts

If a host establishes more than 3 TCP connections to different hosts in 5 seconds, its port scanning

Snort - Uses rules to analyse network packs and can provide alerts and logging

Nmap timings

  • Can avoid detection when using nmap by reducing the speed of the scan
  • Makes port scanning very hard to distinguish from general network noise

Anomaly-based

Build a model of "normal" and find deviations

  • Detection has wide-ranging applications from IDS to banking fraud
  • Build up a picture of normal usage, and detect when usage moves beyond what is normal
  • Always a trade off between false positives and false negatives

"Normal" - Run a host within a quarantined environment and collect training data. Monitoring logs

Machine Learning

  • Train a model to make predictions on data
  • Support Vector Machines, NM all see use in intrusion detection
  • A network can be pre-trained
  • Sensor measurements are then passed through the network
  • Activations in the specific output neuron signal an alert

Drawbacks

  • Scaling - search space can increase exponentially, real-time data
  • False Negatives - Limits in the representation, what is normal can change

Stateful Protocol Analysis

More complex version of a stateful packet filter

  • Hold detailed session information on protocols being used, examine for attacks
  • Computationally costly, and requires the IDS have all possible versions of these protocols described in its database