Network Information Security (Intrusion Detection) 1

Uploader: e****s  Document ID: 243681522  Upload date: 2024-09-28  Format: PPT  Pages: 95  Size: 846.50KB
Intrusion Detection System

What is IDS?
- IDS = Intrusion Detection System
- Intrusion detection systems (IDSs) are software or hardware systems that automate the process of monitoring the events occurring in a computer system or network, analyzing them for signs of security problems.
- An IDS is not a firewall.

Why use IDS?
1. To prevent problem behaviors
2. To detect attacks and other security violations that are not prevented by other security measures
3. To document the existing threat to an organization, allowing improved diagnosis, recovery, and correction of causative factors
4. To act as quality control for security design and administration

General IDS Model
- Sensor
- Analyzer
- Manager
- Operator
- Administrator

Basic Classification (based on the data source)
- NIDS - Network Based, e.g. Cisco Secure IDS, Axent NetProwler, Snort, ISS RealSecure Network Sensor, NAI CyberCop Monitor
- HIDS - Host Based, e.g. Axent Intruder Alert, ISS RealSecure OS Sensor, Tripwire

NIDS - Network Based
- NIDS detect attacks by capturing and analyzing network packets.
- Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment, thereby protecting those hosts.

Advantages of Network-Based IDS
- Can monitor a large network.
- Little impact upon an existing network.
- Very secure against attack, and can even be made invisible to many attackers.

Disadvantages of Network-Based IDSs
- Network-based IDSs may have difficulty processing high traffic.
- Many NIDSs don't apply to switch-based networks.
- Network-based IDSs cannot analyze encrypted information.
- NIDSs have problems dealing with network-based attacks that involve fragmenting packets.

Host-Based IDSs
- Host-based IDSs operate on information collected from within an individual computer system.
- Host-based IDSs normally utilize operating system audit trails and
system logs as information sources.
- HIDS can directly access and monitor the data files and system processes, so they analyze activities with great reliability and precision.

Advantages of Host-Based IDSs
- Host-based IDSs can operate even when network traffic is encrypted.
- Host-based IDSs are unaffected by switched networks.
- When host-based IDSs operate on OS audit trails, they can help detect Trojan horse or other attacks that involve software integrity breaches.

Disadvantages of Host-Based IDSs
- HIDS are harder to manage, as information must be configured and managed for every host monitored.
- The IDS may be attacked and disabled as part of the attack, because it resides on the host it monitors.
- Host-based IDSs are not well suited for detecting network scans or other attacks that span the entire network.
- HIDS can be disabled by certain DoS attacks.
- HIDS use operating system audit trails as their information source, therefore requiring additional local storage on the system.
- HIDS use the computing resources of the hosts, therefore inflicting a performance cost on the monitored systems.

IDS Analysis Technology
- Two primary approaches: misuse detection and anomaly detection

Misuse Detection
- Misuse detectors analyze system activity, looking for events that match a predefined pattern of events that describe a known attack.
- As the patterns corresponding to known attacks are called signatures, misuse detection is sometimes called "signature-based detection."
- The most common form of misuse detection used in commercial products

Advantages of Misuse Detection
- Fewer false alarms.
- Quickly and reliably diagnose the use of an attack tool or technique.
- Misuse detectors can allow system managers to track security problems on their systems, initiating incident handling procedures.

Disadvantages of Misuse Detection
- Misuse detectors can only detect those attacks they know about, therefore they must be constantly updated with signatures of new attacks.
- Many misuse detectors are designed to use tightly defined signatures that prevent them from detecting variants of common
attacks.

Snort
- libpcap -> malicious patterns -> logs, alerts, ...
- Filtered packet stream

libpcap
- Library for packet capture
- Takes the "raw" packet stream
- Parses the packets and presents them as a filtered packet stream
- See the libpcap website for more details

Malicious Pattern Example
    alert tcp any any -> 10.1.1.0/24 80 (content: "/cgi-bin/phf"; msg: "PHF probe!";)
- Rule header: action, protocol, source address, source port, direction operator, destination address, destination port
- Rule options: option keywords in parentheses, separated by ";"
- Direction operator: the direction of the traffic the rule applies to; "<>" is the bidirectional operator
- Rule actions:
  - pass: ignore (discard) the packet
  - log: log the packet
  - alert: raise an alert and log the packet
  - activate: raise an alert and activate another, dynamic rule
  - dynamic: stay idle until activated, then act as a log rule

Malicious Patterns Example
- content: "/cgi-bin/phf" matches any packet whose payload contains the string "/cgi-bin/phf"
- msg: "PHF probe!" generates this message if a match happens

More Examples
    alert tcp any any -> 10.1.1.0/24 6000:6010 (msg: "X traffic";)
    alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 6000:6010 (msg: "X traffic";)
- /24: class C subnet; /16: class B subnet; /32: a specific host address
- 6000:6010: destination port in the range 6000 to 6010
- The second rule matches any TCP flow from outside the 10.1.1.0 subnet to the 10.1.1.0 subnet with a destination port in the range 6000-6010, and prints a message in the alert and log

How to generate new patterns?
- Buffer overrun found in the Internet Message Access Protocol (IMAP)
- Run the exploit in a test network and record all traffic
- Examine the content of the attack packet

Notional IMAP buffer overflow packet
    052499-22:27:58.403313 192.168.1.4:1034 -> 192.168.1.3:143
    TCP TTL:64 TOS:0x0 DF
    *PA* Seq: 0x5295B44E Ack: 0x1B4F8970 Win: 0x7D78
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 3B
    5E 89 76 08 31 ED 31 C9 31 C0 88 6E 07 89 6E 0C
    B0 0B 89 F3 8D 6E 08 89 E9 8D 6E 0C 89 EA CD 80
    31 DB 89 D8 40 CD 80 90 90 90 90 90 90 90 90 90
    90 90 90 90 90 90 90 90 90 90 90 E8 C0 FF FF FF
    2F 62 69 6E 2F 73 68 90 90 90 90 90 90 90 90 90   /bin/sh

Alert rule for the new buffer overflow
    alert tcp any any -> 192.168.1.0/24 143 (content: "|E8C0 FFFF FF|/bin/sh"; msg: "New IMAP Buffer Overflow detected!";)
- Can mix hex-formatted bytecode and text
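As an added example (not code from the slides or from Snort itself), the following Python sketch parses rules in the header-plus-options form shown above, handling "!" negation, CIDR masks, port ranges, the "<>" operator and "|hex|" segments inside content, and matches them against constructed packets; the three rule strings are the ones from the slides, the packets and the IMAP-style payload are made up, and matching is per packet with no stream reassembly.

```python
import ipaddress
import re
# Rules from the slides above, with Snort's "->" direction operator restored.
RULES = [
    'alert tcp any any -> 10.1.1.0/24 80 (content:"/cgi-bin/phf"; msg:"PHF probe!";)',
    'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 6000:6010 (msg:"X traffic";)',
    'alert tcp any any -> 192.168.1.0/24 143 '
    '(content:"|E8C0 FFFF FF|/bin/sh"; msg:"New IMAP Buffer Overflow detected!";)',
]

def parse_content(spec):
    """Decode a content value: parts between '|' bars are hex bytes, the rest literal text."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(spec.split("|")))

def parse_rule(text):
    """Split 'action proto src sport dir dst dport (key:"value"; ...)' into a dict."""
    head, opts = text.split("(", 1)
    action, proto, src, sport, direction, dst, dport = head.split()
    options = dict(re.findall(r'(\w+)\s*:\s*"([^"]*)"', opts))
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "msg": options.get("msg", ""),
            "content": parse_content(options["content"]) if "content" in options else None}

def endpoint_matches(ip_spec, port_spec, ip, port):
    """ip_spec is 'any', a CIDR block or a '!'-negated block; port_spec is 'any', N or lo:hi."""
    if ip_spec != "any":
        inside = ipaddress.ip_address(ip) in ipaddress.ip_network(ip_spec.lstrip("!"), strict=False)
        if inside == ip_spec.startswith("!"):   # a leading '!' flips the test
            return False
    if port_spec == "any":
        return True
    lo, _, hi = port_spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def header_matches(rule, pkt):
    """Check both endpoints; "<>" is the bidirectional operator, so also try them swapped."""
    ends = [(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])]
    if rule["dir"] == "<>":
        ends.append((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
    return any(endpoint_matches(rule["src"], rule["sport"], s, sp)
               and endpoint_matches(rule["dst"], rule["dport"], d, dp) for s, sp, d, dp in ends)

def packet(src, sport, dst, dport, payload=b"", proto="tcp"):
    """A constructed packet summary; no real capture is read."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload, "proto": proto}

def match(rules, pkt):
    """Return the msg of every rule that fires on this one packet (per packet, no stream reassembly)."""
    return [r["msg"] for r in map(parse_rule, rules)
            if r["proto"] == pkt["proto"] and header_matches(r, pkt)
            and (r["content"] is None or r["content"] in pkt["payload"])]

# Constructed payload shaped like the notional IMAP overflow packet: NOP sled, call, "/bin/sh".
IMAP_PAYLOAD = b"\x90" * 14 + b"\xe8\xc0\xff\xff\xff" + b"/bin/sh" + b"\x90" * 9
```

Splitting IMAP_PAYLOAD over two packets makes neither half match, which is the stream-reassembly limitation the slides raise.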
Advantages of Snort
- Lightweight: small footprint
- Focused monitoring: a highly tuned Snort for the SMTP server
- Malicious patterns are easy to develop
- Large user community: consider the IRDP denial-of-service attack; a rule for this attack was available on the same day the attack was announced

Disadvantages of Snort
- Does not perform stream reassembly: attackers can use that to "fool" Snort by breaking one attack packet into a stream
- Pattern matching is expensive: matching patterns in payloads is expensive (avoid it!)
- Rule development methodology is ad hoc

For example, in an interactive session such as telnet, an attacker tries to read the /etc/passwd file. To obtain the contents of /etc/passwd, instead of typing a command line such as cat /etc/passwd directly, the attacker goes through a command interpreter (for example, perl):
    badguyhost$ perl -e '$foo=pack("C11",47,101,116,99,47,112,97,115,115,119,100); @bam=`/bin/cat $foo`; print "@bam\n";'
From this command, the intrusion detection system will never reassemble the characters "/etc/passwd". Clearly, defending against this attack is difficult, because it requires the intrusion detection system to understand how such an interpreter receives its commands.

Anomaly Detection
- Anomaly detectors identify abnormal, unusual behavior (anomalies) on a host or network.
- Assumption: attacks are different from "normal" (legitimate) activity and can therefore be detected by systems that identify these differences.
- Anomaly detectors construct profiles representing normal behavior of users, hosts, or network connections.

Techniques used in anomaly detection
- Statistical measures: the distribution of the profiled attributes is "learned" from a set of historical values, observed over time. Examples: IDES, NIDES and Emerald.
- Rule-based measures: similar to statistical measures, but the patterns are specified as rules, not numeric quantities. Example:
- Other measures: including neural networks, genetic algorithms, and immune system models.

Teng and Chen proposed a time-based inductive generalization technique that uses time-based rules to characterize a user's normal behavior. These rule sets are produced by inductive learning and can be modified dynamically in the system: rules with high prediction accuracy and high confidence are retained. A rule has high confidence if it is correct most of the time and successfully predicts the observed data. The rule takes the following form, where E1 to E5 denote security events. The rule states that if events occur in the order E1, E2, E3, then event E4 follows with a probability of 95% and event E5 with a probability of 5%. If the observed event sequence matches the left-hand side of the rule but the subsequent events deviate significantly from the events the rule predicts, the system can detect this deviation, which indicates anomalous user activity. The set of rules produced by observing a subject's behavior is that subject's behavior profile.

- Only the first two measures are used in current commercial IDS.
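The rule-based measure just described, as an added example that is not from the slides or from Teng and Chen's system: rules of the form E1 E2 E3 -> {next event: probability} are induced from a constructed audit trail, and a session is flagged when a prefix matches a rule but the event that actually follows was predicted with too low a probability. The event names, the sequences, the minimum support and the threshold are all assumptions made for this example.

```python
from collections import Counter, defaultdict

def learn_rules(history, k=3, min_support=5):
    """Induce rules 'E1 E2 E3 -> {next event: probability}' from a historical event sequence.

    A rule is kept only if its prefix was seen at least min_support times, a simple stand-in
    for the slides' 'high confidence' condition: it predicted the data often enough."""
    followers = defaultdict(Counter)
    for i in range(len(history) - k):
        followers[tuple(history[i:i + k])][history[i + k]] += 1
    return {prefix: {event: n / sum(nxt.values()) for event, n in nxt.items()}
            for prefix, nxt in followers.items() if sum(nxt.values()) >= min_support}

def detect(observed, rules, k=3, threshold=0.01):
    """Flag each position whose preceding k events match a rule but whose actual event
    was predicted with probability below threshold (0.0 = never seen after this prefix)."""
    alerts = []
    for i in range(k, len(observed)):
        prefix = tuple(observed[i - k:i])
        if prefix in rules:
            p = rules[prefix].get(observed[i], 0.0)
            if p < threshold:
                alerts.append((i, observed[i], p))
    return alerts

# Constructed audit trail for one user: 19 ordinary sessions and one that ends in a compile,
# so after "login read_mail edit" the profile predicts save 95% of the time and compile 5%.
NORMAL_HISTORY = (["login", "read_mail", "edit", "save", "logout"] * 19
                  + ["login", "read_mail", "edit", "compile", "logout"])
PROFILE = learn_rules(NORMAL_HISTORY)

# Constructed session to check: the same prefix is followed by an event the profile never saw.
SUSPECT_SESSION = ["login", "read_mail", "edit", "chmod_passwd", "logout"]
```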
Advantages of Anomaly Detection
- Detecting unusual behavior and symptoms of attacks without specific knowledge of the details.
- Producing information that can in turn be used to define signatures for misuse detectors.

Disadvantages of Anomaly Detection
- Producing a large number of false alarms.
- Often requiring extensive "training sets" of system event records in order to characterize normal behavior patterns.

A ROC (Receiver Operating Characteristic) curve shows clearly how different intrusion detection methods perform at different thresholds. The points on one ROC curve represent the false-positive rate and false-negative rate of the same detection method at different thresholds. Usually the X axis of a ROC curve is the false-positive rate and the Y axis is the detection rate. The larger the area under the ROC curve, the better the detection performance of the model.

Response Options for IDS
- Once IDSs have obtained event information and analyzed it to find symptoms of attacks, they generate responses.

Active Responses
- Active IDS responses are automated actions taken by the IDS.
- There are three categories of active responses:
  - Collect additional information: the most innocuous, but at times the most productive
  - Change the environment: re-configure the router, inject TCP resets
  - Take action against the intruder: this response is ill advised

Passive Responses
- Provide information to system users, relying on humans to take subsequent action based on that information.
- Many commercial IDSs rely solely on passive responses.

Deploying IDS

Deployment Tips (1)
- Dual NIC, no TCP/IP binding
- Network performance: NIC optimization settings, promiscuous mode

Deployment Tips (2)
- Locations: DMZ, in front of the firewall, behind the firewall, server segments, "power user" segments

Location 1: Behind each external firewall, in the network DMZ
- Sees attacks that penetrate the network's perimeter defenses.
- Finds problems existing in firewall policy or performance.
- Sees attacks that might target the web server or ftp server, which commonly reside in this DMZ.
- Even if the incoming attack is not recognized, the IDS can sometimes recognize the outgoing traffic that results from the compromised server.

Location 2: Outside an external firewall
- Documents the number of attacks originating on the Internet that target the network.
- Documents the types of attacks originating on the Internet that target
the network.

Location 3: On major network backbones (server segments)
- Monitors a large amount of a network's traffic, thus increasing the possibility of spotting attacks.
- Detects unauthorized activity by authorized users within the organization's security perimeter.

Location 4: On critical subnets (power user segments)
- Detects attacks targeting critical systems and resources.
- Focuses limited resources on the parts of the network considered of greatest value.

Problem Scenarios (1)
- Signature quality: false positives, false negatives, threshold values, duplicate elimination
- Encrypted traffic: SSL, IPSEC and PPTP tunnels, PGP attachments

Problem Scenarios (2)
- Switch instead of hub: collision domain; port spanning/mirroring/monitoring
- Performance degradation: high-speed networks, packet drop, DoS

How to choose an IDS (1)
- Attack signatures: quality, update frequency, update mechanism

How to choose an IDS (2)
- Scalability: traffic handling capacity, shutdown mechanism, supported platforms (HIDS)

How to choose an IDS (3)
- Manageability: examining logs, cross references, archiving, centralized console

How to choose an IDS (4)
- Hardware platform: Intel based, SPARC based

Response Actions (1)
- Log: header and significant application data; raw packet
- Alert: console, increased log level, modem to pager, email to SMS
- Redirect to honey pot

Response Actions (2)
- Third-party integration: firewall, router, honey pot

Honey pots are decoy systems that are designed to lure a potential attacker away from critical systems. Honey pots are designed to:
- divert an attacker from accessing critical systems,
- collect information about the attacker's activity, and
- encourage the attacker to stay on the system long enough for administrators to respond.
These systems are filled with fabricated information designed to appear valuable but that a legitimate user of the system wouldn't access. Thus, any access to the honey pot is suspect.
The system is instrumented with sensitive monitors and event loggers that detect these accesses and collect information about the attacker's activities.

Today
- Hardware IDS: ASIC-based IDS, NP (Network Processor)
- Distributed IDS (DIDS)
- IDS evaluation systems
- Intelligent IDS: genetic algorithms, SVM, neural networks

Standards
- CVE (Common Vulnerabilities and Exposures)
- IDWG (Intrusion Detection Working Group)

CVE (1)
The full name of CVE is "Common Vulnerabilities & Exposures". CVE is like a dictionary: it gives a common name to widely recognized information security vulnerabilities or weaknesses that have been exposed. Using a common name helps users share data across independent vulnerability databases and vulnerability assessment tools. If a vulnerability identified in a vulnerability report has a CVE name, you can quickly find the corresponding fix information in any other CVE-compatible database and resolve the security problem.

CVE (2)
Characteristics of CVE:
- Assigns a unique name to each vulnerability and exposure
- Gives each vulnerability and exposure a standardized description
- Not a database but a dictionary
- Completely different vulnerability databases can be described in the same language
- Because the language is unified, security incident reports are understood better, enabling better coordination
- Can serve as a benchmark for evaluating tools and databases
- Very easy to query and download from the Internet: cve.mitre.org
- Industry recognition is expressed through the CVE Editorial Board

IDWG (Intrusion Detection Working Group)
To improve interoperability between IDS products and components and other security products, the US Defense Advanced Research Projects Agency (DARPA) and the Intrusion Detection Working Group (IDWG) of the Internet Engineering Task Force (IETF) initiated a series of draft proposals that standardize IDS in terms of architecture, APIs, communication mechanisms and language formats.

Common Intrusion Detection Framework (CIDF)
CIDF, the Common Intrusion Detection Framework, is the basis for building distributed IDS. It requires every IDS to follow the same way of representing information and a corresponding communication mechanism, that is, a common IDS framework. The main role of CIDF is to integrate different IDSs so that they work together, enabling reuse of components across IDSs and allowing the systems to cooperate in implementing a unified configuration, response and recovery policy. The work of CIDF covers four parts: the IDS architecture, the communication mechanism, the description language and the application programming interface (API).

Building on IDES and NIDES, CIDF proposes a general model that divides an intrusion detection system into four basic components: event generators, event analyzers, response units and event databases. The structure is shown in the figure.
Figure: response units (R-boxes), event databases (D-boxes), event analyzers (A-boxes), event generators (E-boxes), raw event sources.

The CIDF communication mechanism
To ensure secure and efficient communication between components, CIDF structures the communication mechanism as a three-layer model: the GIDO layer, the message layer and the negotiated transport layer. The task of the GIDO layer is to improve interoperability between components, so GIDO defines in detail how all kinds of events are represented. The message layer ensures the reliable transfer of encrypted and authenticated messages across devices such as firewalls or NAT; it is responsible only for delivering data from sender to receiver and carries no semantic information. No single transport protocol can satisfy the diverse application needs of CIDF, and two components can communicate only once they have agreed on how the channel is used; the negotiated transport layer specifies the mechanism by which GIDOs are transported between components.

The CIDF language
The overall goal of CIDF is software reuse and interoperability between IDR (intrusion detection and response) components. The focus of CIDF's work is the definition of an application-layer language, CISL (Common Intrusion Specification Language), to describe the information passed between IDR components, together with a set of protocols for encoding this information. CISL can represent all kinds of CIDF information, such as raw event information (audit trail records and network data flow information), analysis results (system anomalies and attack signature descriptions), and response prompts (stopping specific activities or modifying a component's security parameters).

CIDF API
The CIDF API is responsible for encoding, decoding and transferring GIDOs. The calls it provides let programmers build and transfer GIDOs in a very simple way without knowing the details of the encoding and transfer process. Generating a GIDO takes two steps: first, build the tree structure that represents the GIDO; second, encode this structure into bytecode.

Summary
- IDS classification
- IDS deployment considerations
- How to choose an IDS
- Industry standards

End

Standards
- CVE (Common Vulnerabilities and Exposures)
- IDMEF (Intrusion Detection Message Exchange Format)
- IDWG (Intrusion Detection Working Group)

IDWG (Intrusion Detection Working Group)
- Aims: define the data format; define the exchange procedure
- Outputs: requirements document; common intrusion language specification; framework document

IDMEF (Intrusion Detection Message Exchange Format)
- Standard data format (using XML)
- Interoperability
- Typical deployments: sensor to manager; database; event correlation system; centralized console

IDMEF Addressed Problems
- Inherently heterogeneous information: different sensor types, different analyzer capabilities, different operating systems, different objectives of commercial vendors

Message Classes (1)
- IDMEF-Message class
  - Alert class: ToolAlert, CorrelationAlert, OverflowAlert
  - Heartbeat class

Message Classes (2)
- Core classes: Analyzer, Source, Target, Classification, AdditionalData

Message Classes (3)
- Time classes: CreateTime, DetectTime, AnalyzerTime

Message Classes (4)
- Support classes: Node, User, Process, Service

Example (IDMEF alert; only the field values are preserved): Headquarters DMZ Network, 2000-03-09T10:01:25.93464-05:00, 123.234.231.121, 255.255.255.255, 0xde796f70, 124

HKCERT/CC
- Telephone - 2788 6060
- Fax - 2190 9760

Reference

Thank You
For suggestions and corrections, please send email to … or …
Discussion
- SLA: cannot stop the service immediately
- Switch to a standby system if possible
- Contingency planning
- Trace the source; track its activity

Technology
- Signature detection
- Anomaly detection

CVE (1)
- Standardized name
- Interoperability between tools
- Tool comparison guidelines: CVE-compatible, number of signatures

CVE (2)
- Version: as of August 2001, 20010507
- Classification: CVE candidate (CAN-YYYY-XXXX), CVE entry (CVE-YYYY-XXXX)

Data Sources
- Security Focus - SecurityFocus weekly newsletters (securityfocus /vdb)
- Network Computing and the SANS Institute - weekly Security Alert Consensus (archives.neohapsis /archives/securityexpress/current/)
- ISS - monthly Security Alert Summary
- CyberNotes - biweekly issues (nipc.gov/cybernotes.htm)

Reference Source
AIXAPAR, ALLAIRE, ASCEND, ATSTAKE, AUSCERT, BID, BIN DVIEW, BUGTRAQ, CALDERA, CERT, CERT-VN, CHECKPOINT, CIAC, CISCO, COMPAQ, CONECTIVA, CONFIRM, DEBIAN, EEYE, EL8, ERS, FREEBSD, FarmerVenema, FreeBSD, HERT, HP, IBM, INFOWAR, ISS, KSRT, L0PHT, MANDRAKE, MISC, MS, MSKB, NAI, NETBSD, NETECT, NTBUGTRAQ, NetBSD, OPENBSD, REDHAT, RSI, SCO, SEKURE, SF-INCIDENTS, SGI, SNI, SUN, SUNBUG, SUSE, TURBO, URL, VULN-DEV, WIN2KSEC, XF

Tips for using CVE
- Do not use general terms (e.g. buffer overflow) to search
- Use the exact process name (e.g. sendmail)
- Go to the "references" for the fix
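An added example, not from the slides or from any IDMEF implementation, that builds an IDMEF 1.0 Alert carrying the Analyzer, CreateTime, Source, Target, Classification and AdditionalData classes listed in the Message Classes slides (Node and Address as support classes) with Python's standard XML library, then parses it back into the fields a manager or console would index. The location and timestamp are the values shown on the Example slide; the analyzer id, message id, addresses, classification text and note are constructed.

```python
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"          # namespace of RFC 4765 IDMEF messages
ET.register_namespace("idmef", IDMEF_NS)    # serialize with the conventional idmef: prefix

def idmef(name):
    """Clark-notation tag for an IDMEF element."""
    return f"{{{IDMEF_NS}}}{name}"

def build_alert(analyzer_id, location, create_time, src_ip, dst_ip, classification, note):
    """Emit one Alert with the Analyzer, CreateTime, Source, Target, Classification and
    AdditionalData classes; Source and Target carry a Node/Address support-class pair."""
    msg = ET.Element(idmef("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(msg, idmef("Alert"), messageid="constructed-0001")
    analyzer = ET.SubElement(alert, idmef("Analyzer"), analyzerid=analyzer_id)
    ET.SubElement(ET.SubElement(analyzer, idmef("Node")), idmef("location")).text = location
    ET.SubElement(alert, idmef("CreateTime")).text = create_time
    for cls, ip in (("Source", src_ip), ("Target", dst_ip)):
        node = ET.SubElement(ET.SubElement(alert, idmef(cls)), idmef("Node"))
        addr = ET.SubElement(node, idmef("Address"), category="ipv4-addr")
        ET.SubElement(addr, idmef("address")).text = ip
    ET.SubElement(alert, idmef("Classification"), text=classification)
    extra = ET.SubElement(alert, idmef("AdditionalData"), type="string", meaning="note")
    ET.SubElement(extra, idmef("string")).text = note
    return ET.tostring(msg, encoding="unicode")

def summarize_alert(xml_text):
    """Parse an Alert back into the fields a manager or console would index and correlate on."""
    alert = ET.fromstring(xml_text).find(idmef("Alert"))

    def path(*names):
        return "/".join(idmef(n) for n in names)

    return {
        "analyzer": alert.find(idmef("Analyzer")).get("analyzerid"),
        "location": alert.findtext(path("Analyzer", "Node", "location")),
        "time": alert.findtext(idmef("CreateTime")),
        "source": alert.findtext(path("Source", "Node", "Address", "address")),
        "target": alert.findtext(path("Target", "Node", "Address", "address")),
        "classification": alert.find(idmef("Classification")).get("text"),
        "note": alert.findtext(path("AdditionalData", "string")),
    }

# Constructed alert: location and timestamp come from the Example slide; the analyzer id,
# addresses, classification text and note are made up for this example.
SAMPLE_ALERT = build_alert("hq-dmz-sensor01", "Headquarters DMZ Network",
                           "2000-03-09T10:01:25.93464-05:00", "192.0.2.200", "192.0.2.50",
                           "New IMAP Buffer Overflow detected!", "content match on port 143")
```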