1. Information Systems 365
October 7, 2008
Intrusion Detection and Prevention

2. What is Intrusion Detection?
• An Intrusion detection system
(IDS) is software and/or
hardware designed to detect
unwanted attempts at accessing,
manipulating, and/or disabling of
computer systems.

3. Examples
• Industrial
Espionage
• Malware
• Disgruntled
Employees

4. What does an IDS Detect?
• Attacks against a specific
service, such as File Transfer
Protocol (FTP)
• Data driven attacks at the
application layer. For
example, SQL injection error
could be used to crash an
application.

5. What Does and IDS Detect?
• Host Based
Attacks
(privilege
escalation)
• Malware,
Viruses, Trojan
Horses, Worms

6. IDS Components
• Sensors - Generate security
events such as log files
• Console – Monitors events,
alerts and controls sensors
• Engine – Analyzes the data
using artificial intelligence to
generate alerts from the
events received
• 3 in 1 (sometimes all three
are in one appliance)

7. Sensor, Looks Boring

8. Types of Intrusion Detection
Systems
• Network Based Intrusion
Detection System (NDS)
• Protocol Based Intrusion
Detection System (PIDS)
• Application Protocol Based
Intrusion Detection System
(APIDS)
• Host Based Intrusion
Detection System (HIDS)
• Hybrid System

9. Network Intrusion Detection
System
• Is an independent platform
which identifies intrusions by
examining network traffic and
monitors multiple hosts.
Network Intrusion Detection
Systems gain access to
network traffic by connecting
to a hub, network switch
configured for port mirroring,
or network tap. An example of
a NIDS is Snort.

11. Protocol Based Intrusion
Detection System
• Consists of a system or agent that
would typically sit at the front end
of a server, monitoring and
analyzing the communication
protocol between a connected
device (a user/PC or system).

12. Application Protocol Based
Intrusion Detection System
• Consists of a system or agent that
would typically sit within a group
of servers, monitoring and
analyzing the communication on
application specific protocols. For
example; in a web server with
database this would monitor the
SQL protocol specific to the
middleware/business-login as it
transacts with the database.

13. Host Based Intrusion Detection
System
• Consists of an agent on a host
which identifies intrusions by
analyzing system calls,
application logs, file-system
modifications (binaries,
password files, capability/acl
databases) and other host
activities and state. An
example of a HIDS is OSSEC

14. Passive vs. Reactive IDS
• In a passive system, the
intrusion detection system (IDS)
sensor detects a potential
security breach, logs the
information and signals an alert
on the console and or owner

15. Passive vs. Reactive IDS
• In a reactive system, also
known as an Intrusion
Prevention System (IPS), the
IDS responds to the suspicious
activity by resetting the
connection or by reprogramming
the firewall to block network
traffic from the suspected
malicious source.

16. How Is A Firewall Different from
and IDS?
• Firewalls look
outwardly and protect
from external attacks
• An IDS evaluates a
suspected intrusion
once it has taken
place and signals an
alarm.
• An IDS also watches
for attacks that
originate from within
a system.

17. Firewall vs. IDS
• This is traditionally achieved
by examining network
communications, identifying
heuristics and patterns (often
known as signatures) of
common computer attacks,
and taking action to alert
operators

18. IDS Evasion Techniques
• Bypass detection by creating
unrecognized states on the
IDS and on the targeted
computer. The adversary
accomplishes this by
manipulating either the attack
itself or the network traffic
that contains the attack.

19. Obfuscating Attack Payload
• Encoding the attack payload in
a way that the target
computer will reverse but the
IDS will not. In the past, an
adversary using the Unicode
character could encode attack
packets that an IDS would not
recognize but that an IIS web
server would decode and
become attacked.

20. Obfuscating Attack Payload
• Speaking
French to a
bilingual
computer,
while the IDS
only speaks
English

21. Polymorphic Code
• Is another
means to
circumvent
signature-
based IDS by
creating unique
attack
patterns, so
that the attack
does not have
a single
detectable
signature.

22. Using HTTPS to Obfuscate
• Attacks on
encrypted
protocols
such as
HTTPS are
obfuscated if
the attack is
encrypted.

23. Fragmentation and Small
Packets
• One basic technique is to split the
attack payload into multiple small
packets
• The IDS must reassemble the
packet stream to detect the
attack.

24. Fragmentation Continued
• By itself, small packets will not
evade any IDS that reassembles
packet streams. However, small
packets can be further modified in
order to complicate reassembly
and detection.
• One evasion technique is to pause
between sending parts of the
attack, hoping that the IDS will
time out before the target
computer does

25. Protocol Violations
• Some IDS evasion techniques
involve deliberately violating
the TCP or IP protocols in a
way the target computer will
handle differently than the
IDS. For example, the TCP
Urgent Pointer is handled
differently on different
operating systems and may
not be handled correctly by
the IDS.

26. Denial of Service
• An adversary can evade
detection by disabling or
overwhelming the IDS. This
can be accomplished by
exploiting a bug in the IDS,
using up computational
resources on the IDS, or
deliberately triggering a large
number of alerts to disguise
the actual attack.

27. What is a Denial of Service
Attack Anyway?

28. Inserting Traffic at the IDS
• An adversary can send packets
that the IDS will see but the target
computer will not. For example,
the attacker could send packets
whose Time to live fields have
been crafted to reach the IDS but
not the target computers it
protects. This technique will result
in an IDS with different state than
the target.

29. Intrusion Prevention Goes One
Step Further than IDS
• An intrusion prevention system
is a network security device that
monitors network and/or system
activities for malicious or
unwanted behavior and can react,
in real-time, to block or prevent
those activities.

30. Unified Threat Management
(UTM)
• Next generation devices
• Firewall
• Virus Scanning
• Content Filtering
• VPN
• Anti-Spam
• Intrusion Detection and
Prevention

31. How IDS and IPS Differ
• Intrusion Prevention systems
are designed to sit inline with
traffic flows and prevent
attacks in real-time
• In addition, most IPS solutions
have the ability to look at
(decode) layer 7 protocols like
HTTP, FTP, and SMTP

32. Rate Based IPS
• RBIPS can identify abnormal rates
for certain types of traffic
• Connections per second
• Packets per connection
• Packets to specific ports etc.
• Attacks are detected when
thresholds are exceeded.
• The thresholds are dynamically
adjusted based on time of day, day
of the week etc., drawing on
stored traffic statistics.

33. Host-based vs. Network IPS
• Benefit of HIPS
• HIPS can
handle
encrypted and
unencrypted
traffic equally,
because it can
analyze the
data after it
has been
decrypted on
the host.

34. Host-based vs. Network IPS
• Benefit of NIPS
• NIPS does not use processor and
memory on computer hosts but
uses its own CPU and memory.

35. Host-based vs. Network IPS
• NIPS drawback AND benefit,
depending on how you look at it
• NIPS is a single point of failure,
which is considered a
disadvantage; however, this
property also makes it simpler to
maintain.
• Use failover or load balancing to
combat this NIPS disadvantage

36. Host-based vs. Network IPS
• NIPS can detect events scattered
over the network (e.g. low level
event targeting many different
hosts, like a worm) and can react
• With a HIPS, only the host’s data
itself is available to take a decision
• It would take too much time to
report it to a central decision
making engine and report back to
block.

37. Some IDS and IPS Movies
• Cisco Sensor
• Cisco IDS/IPS Overview
• Snort With Add On Tools

38. Questions?