lectures.alex.balgavy.eu

Lecture notes from university.
+++
title = "Lecture 14: Intrusion Detection Systems (IDS)"
+++
# Lecture 14: Intrusion Detection Systems (IDS)

## Intrusion Detection Systems (IDS)
- analysis of actions performed by users and apps to identify evidence of malicious activity
- stream of events generated by event sources (traffic dumps, system calls, kernel messages, logs)
- typically the streams go to an analysis engine, which can dispatch actions for protection and add entries to databases
- approaches:
    - misuse detection: relies on models of wrong behavior, identifies matching entries in the event stream
        - pros: few false alarms, gives an explanation, attack models are easy to understand, more resilient and usually faster
        - cons: needs constant updating, vulnerable to over-stimulation, detects only known attack types
    - anomaly detection: has a model of "normal behavior", identifies anomalous entries in the event stream
        - pros: detects previously unknown attacks, doesn't need updating
        - cons: hard to configure, assumes anomalous == malicious, many false alarms, easy to evade, usually slow and resource-intensive
- event sources: OS audit records, network packets, app logs, intrusion detection alerts
- timeliness: real-time or non-real-time (offline/periodic)
- response type: passive (logs, alerts) or active (e.g. reconfigures firewalls)
- state-dependency: stateful or stateless analysis

Confusion matrix:
- "hit": detecting an actual attack (true positive)
- "miss": not detecting an actual attack (false negative)
- "false alarm": detecting a non-attack (false positive)

![Confusion matrix](3dd38ed3705348899b10d823c06f5ee1.png)

Metrics:
- Accuracy: (true_positives+true_negatives)/total
- Precision: true_positives/(true_positives+false_positives)
- Recall: true_positives/(true_positives+false_negatives)
- F-measure: 2×(precision×recall)/(precision+recall)

ROC curves:
- ROC (receiver operating characteristic): curve expressing the performance of a classifier
- plots true positive rate vs false positive rate
- false positive rate: false_positives/(false_positives+true_negatives)
- true positive rate: true_positives/(true_positives+false_negatives)
- ideally, the area under the curve should be 1.

The false positive rate dominates the effectiveness of an IDS (look at the Bayes' Theorem calculation of P(intrusion|alert): because intrusions are rare, even a small false positive rate makes most alerts false alarms).

IDS output should come with a truth file: meta-information about the event stream describing the attacks and the relationship between each attack and the events in the stream
     46 
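An added worked example (not from the notes) of the metrics above and the Bayes' Theorem calculation of P(intrusion|alert), run on a constructed confusion matrix; the `Confusion` class, the function names and the sample counts are this example's own assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Confusion:
    """Counts from one evaluation run over a labelled event stream (constructed)."""
    tp: int  # hits: real attacks that raised an alert
    fn: int  # misses: real attacks that raised no alert
    fp: int  # false alarms: benign events that raised an alert
    tn: int  # benign events correctly left alone

    @property
    def total(self) -> int:
        return self.tp + self.fn + self.fp + self.tn

def accuracy(c: Confusion) -> float:
    return (c.tp + c.tn) / c.total

def precision(c: Confusion) -> float:
    return c.tp / (c.tp + c.fp)

def recall(c: Confusion) -> float:  # identical to the true positive rate
    return c.tp / (c.tp + c.fn)

def false_positive_rate(c: Confusion) -> float:
    return c.fp / (c.fp + c.tn)

def f_measure(c: Confusion) -> float:
    p, r = precision(c), recall(c)
    return 2 * (p * r) / (p + r)

def p_intrusion_given_alert(tpr: float, fpr: float, base_rate: float) -> float:
    """Bayes' theorem: P(I|A) = P(A|I)P(I) / (P(A|I)P(I) + P(A|not I)P(not I))."""
    return (tpr * base_rate) / (tpr * base_rate + fpr * (1 - base_rate))

# Constructed sample: 1,000,000 benign events and 10 real attacks; the IDS catches
# every attack (TPR = 1.0) but alerts on 0.1% of benign events (FPR = 0.001).
SAMPLE = Confusion(tp=10, fn=0, fp=1000, tn=999000)
BASE_RATE = 10 / SAMPLE.total

if __name__ == "__main__":
    # Accuracy looks excellent, yet about 99% of the alerts are false alarms, and
    # P(intrusion|alert) equals the precision: the FPR decides how useful the IDS is.
    print(f"accuracy={accuracy(SAMPLE):.4f} precision={precision(SAMPLE):.4f}")
    print(f"P(I|A)={p_intrusion_given_alert(recall(SAMPLE), false_positive_rate(SAMPLE), BASE_RATE):.4f}")
    # Cutting the FPR a hundredfold (to 0.001%) lifts P(I|A) to 0.5 with the same TPR.
    print(f"P(I|A) at FPR=1e-5: {p_intrusion_given_alert(1.0, 1e-5, BASE_RATE):.4f}")
```
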
## Host vs Network IDS
Host IDS:
- monitors the internals of a computing system for unusual activities, file changes, signature patterns
- honeypots: special machines that are there to be attacked and are used to analyze the attacker's activities
- taint analysis (e.g. Argos): mark some bytes as tainted and propagate the taint using shadow memory, raise an alarm when tainted bytes are loaded into the program counter

Network IDS:
- based on analysis of network traffic
- sniffing traffic:
    - pros: access to events from multiple hosts at a single point, no performance effect on hosts.
    - cons: vulnerable to evasion techniques, limited by switched architectures and encryption
    - vulnerable to:
        - DoS attacks
        - insertion: the IDS may accept a packet that the end-system rejects, so the victim reassembles the proper payload but the IDS misses it
        - evasion: the end-system may accept a packet that the IDS rejects
- OS-level network tap:
    - pros: can analyze encrypted traffic after decryption, IDS view == host view, less traffic
    - cons: affects performance of the host, must be deployed on each host, can't access info related to other hosts.
- desynchronising viewpoints (ways the IDS and the end-system can end up seeing different streams):
    - IP:
        - IP TTL field may not be large enough for the number of hops to the destination
        - packet may be too large for a downstream link without fragmenting
        - destination may drop source-routed packets
        - processing of fragmentation may be different
    - TCP:
        - destination may not accept packets with certain options
        - destination may silently drop packets with old timestamps (protection against wrapped sequence numbers, PAWS)
        - destination may not check sequence numbers on RST
        - destination may resolve conflicting segments differently
        - reassembly may be different
- a potential solution: a "normalizer" at the network access point that processes suspicious packets ('scrubbing')
     78 
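The "destination may resolve conflicting segments differently" and "reassembly may be different" points, together with the normalizer fix, in a constructed Python simulation added here (not part of the notes): two reassembly policies, a check of whether the IDS's and the host's views agree, and a scrubber that removes the conflicting overlap so they do. `Segment`, `reassemble`, `normalize` and the sample bytes are all this example's own assumptions.

```python
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # constructed abstraction of a TCP segment: (seq offset, payload)

def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the byte stream from possibly overlapping segments.
    "first": a byte already received is kept, later overlaps are ignored.
    "last":  a later segment overwrites bytes received earlier.
    Real stacks differ this way; which policy a given OS uses is not asserted here."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    stream: Dict[int, int] = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            pos = seq + i
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    return bytes(stream[pos] for pos in sorted(stream))

def views_agree(segments: List[Segment]) -> bool:
    """True if an IDS and an end-system with different policies would see the same stream."""
    return reassemble(segments, "first") == reassemble(segments, "last")

def normalize(segments: List[Segment]) -> List[Segment]:
    """Normalizer ('scrubber') at the network access point: every byte position that was
    already seen is rewritten to its original value, so no conflicting overlap reaches
    the hosts and any reassembly policy yields the same stream as the IDS's view."""
    seen: Dict[int, int] = {}
    out: List[Segment] = []
    for seq, data in segments:
        fixed = bytearray(data)
        for i in range(len(fixed)):
            pos = seq + i
            if pos in seen:
                fixed[i] = seen[pos]  # conflicting overlap: force the earlier byte
            else:
                seen[pos] = fixed[i]
        out.append((seq, bytes(fixed)))
    return out

# Constructed sample: the second segment overlaps the first with conflicting data.
SAMPLE: List[Segment] = [(0, b"HELLO"), (3, b"lo wo"), (8, b"rld")]

if __name__ == "__main__":
    print(reassemble(SAMPLE, "first"), reassemble(SAMPLE, "last"))  # b'HELLO world' b'HELlo world'
    print(views_agree(SAMPLE), views_agree(normalize(SAMPLE)))       # False True
```

A signature matched against one of the two reassembled streams says nothing about the other, which is why the IDS's and the host's policies must be made to agree rather than guessed.
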
     79 Evaluating IDS:
     80 - effectiveness: how many detected
     81 - precision: how many false positives
     82 - performance: how much traffic can be processed
     83 - descriptiveness