Chapter 11 IDS/IPS


Document information

IDS (Intrusion Detection System): detects attacks and can initiate actions on other devices to stop an attack. It recognises attacks by analysing a copy of the network traffic. IPS (Intrusion Prevention System): blocks an attack before it reaches the internal network. It provides network protection based on identifying, classifying and stopping known or unknown threats such as worms, viruses, threats to applications, ...

02/12/2017   Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE

Outline
 IDS
 Comparison
 Architecture
 Requirements
 Classification
  o Signature-based and anomaly-based IDS
  o Host-based and network-based IDS
 IPS
 Practice

IDS
 An IDS:
  o is a system of devices or applications
  o has the capability of detecting illegitimate intrusions on networks
 Logical components:
  o Sensors: collect data
  o Detection (analyzers): determine whether an intrusion has occurred
  o Response (user interface): manage, direct and view
 [Figure: IDS components: sensors, detection, response]

Firewall vs IDS
 Protect
  o Firewall: permits or denies traffic (incoming and outgoing)
  o IDS: some act like a firewall; most merely monitor the network, detect, and alarm on security violations
 Detection capabilities
  o Firewall: standard among the most popular firewall systems; based on IP address and port
  o IDS: monitors a single computer or a network; signature-based; some detect both attack-signature and composite (port-sweep) attacks
 Response
  o Firewall: responds to undesired incoming and outgoing connection requests
  o IDS: responds to malicious activity: logs the session, raises an alarm through visual alarms, email or message

IDS architecture
 Data gathering device (sensor): collects data from the monitored system
 Detector: analyzes the data to identify intrusive behaviour
 Knowledge base (database):
  o signatures of known attacks (signature-based)
  o profiles of legitimate system behaviour (anomaly-based)
 Configuration device: provides configuration information to the IDS
 Response component: initiates actions when intrusive behaviour is detected

IDS requirements
 run continually
 be fault tolerant
 resist subversion
 impose a minimal overhead on the system
 be configured according to system security policies
 adapt to changes in systems and users
 scale to monitor large numbers of systems
 provide graceful degradation of service
 allow dynamic reconfiguration

IDS classification
 Information source: host based, network based, wireless network
 Analysis strategy: misuse detection, anomaly detection
 Time aspects: real time, offline
 Architecture: central, distributed
 Response: active, passive
Signature-based vs anomaly-based IDS
 Signature-based
  o depends on matching patterns that are collected from known attacks
  o [Figure: signature-based flow: data source → corresponds to a rule? → attack state; updating the existing rules / adding a new rule]
 Anomaly-based
  o through continuous observation and modeling of normal behavior, the system finds possible threats via deviation from the normal model or via a classification
  o [Figure: anomaly-based flow: data source with time information → deviation? / classification? → anomalous behavior; profile update / dynamic generation of a new profile]

Anomaly detection techniques
 threshold detection
  o checks for excessive event occurrences over time
  o on its own, a crude and ineffective intruder detector
  o must determine both the thresholds and the time intervals
 profile based
  o characterize the past behavior of users / groups
  o then detect significant deviations
  o based on analysis of audit records
   • gather metrics: counter, gauge, interval timer, resource utilization
   • analyze: mean and standard deviation, multivariate, Markov process, time series

Anomaly detection: advantages and limits
 Advantages:
  o detects insider attacks based on the normal activities collected in the system
  o ability to detect previously unknown attacks
  o it is very difficult for an attacker to know with certainty which activity can be executed without generating an alarm
 Limits:
  o the system must go through a training period in which appropriate user profiles are created by defining normal traffic profiles; this is a difficult and time-consuming task
  o because it looks for anomalous events rather than attacks, it generates false alarms when there is anomalous behaviour that is not an attack
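The two anomaly techniques above, as an added example that is not part of the lecture's own material: a threshold detector over a sliding time window and a profile-based detector built from a training period (mean and standard deviation, as in the slide's metrics list). The audit records, the training counts and the names of the users are constructed for the example; the events, window sizes and the 3-sigma cut-off are assumptions, not values given in the slides.

```python
"""Added example, not from the lecture slides: threshold detection and
profile-based anomaly detection, run over constructed audit records.

Assumptions (not stated in the slides): an audit record is a
(unix_seconds, user, event) tuple; the threshold metric is the number of
'login_fail' events per user inside a sliding time window; the profile
metric is commands per hour per user, modelled by mean and standard
deviation from a training period assumed to contain only legitimate use.
"""
import statistics
from collections import defaultdict

# Constructed audit trail (not real data): alice fails 4 logins in 25 s,
# bob fails 2 logins 6 minutes apart.
AUDIT = [
    (0, "alice", "login_fail"), (10, "alice", "login_fail"),
    (20, "alice", "login_fail"), (25, "alice", "login_fail"),
    (40, "bob", "login_fail"), (400, "bob", "login_fail"),
]

# Constructed training period: hourly command counts per user.
TRAINING = {
    "alice": [20, 22, 18, 21, 19],
    "bob": [5, 5, 6, 4, 5],
    "dave": [10, 10, 11, 9, 10],
}

# Constructed observation hour: alice's account is used by an attacker,
# bob is normal, carol never appeared in training, dave is doing
# legitimate overtime (an anomaly that is not an attack).
OBSERVED = {"alice": 60, "bob": 6, "carol": 30, "dave": 40}


def threshold_detect(records, event, limit, window):
    """Threshold detection: alert on any user for whom `event` occurs more
    than `limit` times inside any `window`-second interval. Both the
    threshold and the interval have to be chosen by the operator."""
    times_by_user = defaultdict(list)
    for ts, user, ev in records:
        if ev == event:
            times_by_user[user].append(ts)
    alerts = set()
    for user, times in times_by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window` seconds.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                alerts.add(user)
                break
    return alerts


def build_profile(training):
    """Profile-based detection, training phase: per-user mean and standard
    deviation of the metric, computed from the training period."""
    return {user: (statistics.mean(s), statistics.pstdev(s))
            for user, s in training.items()}


def profile_detect(profile, observed, k=3.0):
    """Detection phase: flag users whose observed value is more than k
    standard deviations from their profile mean. Users without a profile
    cannot be judged at all, which is the training-period limitation."""
    findings = []
    for user, value in observed.items():
        if user not in profile:
            findings.append((user, "untrained"))
            continue
        mean, sd = profile[user]
        if sd == 0:
            # Constant training data: any change at all counts as a deviation.
            z = float("inf") if value != mean else 0.0
        else:
            z = abs(value - mean) / sd
        if z > k:
            findings.append((user, "deviation"))
    return findings


if __name__ == "__main__":
    print("threshold alerts:", threshold_detect(AUDIT, "login_fail", 3, 60))
    prof = build_profile(TRAINING)
    for user, verdict in profile_detect(prof, OBSERVED):
        print(f"profile: {user} -> {verdict}")
```

Running it flags alice in both detectors, carol as untrained (no profile exists until the training period has covered her) and dave as a deviation even though his overtime is harmless: that last finding is exactly the false alarm the limits bullet describes, and a real deployment would have to tune `k` or refresh the profile to cope with it.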
Signature detection
 [Figure: signature-based pipeline: incoming packet → classification rules → signature database → signature classifier → signature engine → log file / drop packet]
 observe events on the system and apply a set of rules to decide whether an intruder is present:
  o rule-based anomaly detection
   • analyze historical audit records for expected behavior, then match against current behavior
  o rule-based penetration identification
   • rules identify known penetrations / weaknesses
   • often by analyzing attack scripts from the Internet
   • supplemented with rules from security experts

Signature-based vs anomaly-based: strengths and weaknesses
 Signature-based
  o (+) detects known attacks
  o (-) an attacker can probe to learn the signatures, then use another method to attack
  o (-) false negative alarms
 Anomaly-based
  o (+) detects unknown attacks
  o (+) an attacker cannot probe to know with certainty which activity can be executed without generating an alarm
  o (-) false positive alarms
 Detection outcome by event nature:
                       Harmless event      Attack
  Detected as normal     true negative       false negative
  Detected as anomalous  false positive      true positive

Host-based IDS (HIDS)
 specialized software that monitors system activity to detect suspicious behavior
  o primary purpose is to detect intrusions, log suspicious events, and send alerts
  o can detect both external and internal intrusions
 two approaches, often used in combination:
  o anomaly detection: defines normal/expected behavior
   • threshold detection
   • profile based
  o signature detection: defines proper behavior

Distributed host-based IDS
 Host agent module: collects data on security-related events on the host and transmits them to the central manager
 LAN monitor: analyzes LAN traffic and reports the results to the central manager
 Central manager module: receives reports from the LAN monitor and host agents, then processes and correlates these reports to detect intrusions

Network-based IDS (NIDS)
 monitors traffic at selected points on a network
  o in (near) real time, to detect intrusion patterns
  o may examine network, transport and/or application level protocol activity directed toward systems
 comprises a number of sensors
  o inline (possibly as part of another network device)
  o passive (monitors a copy of the traffic)
 [Figures: inline sensor; passive sensor]

NIDS detection
 signature detection
  o at the application, transport and network layers; unexpected application services, policy violations
 anomaly detection
  o of denial of service attacks, scanning, worms
 when a potential violation is detected the sensor sends an alert and logs information
  o used by the analysis module to refine intrusion detection parameters and algorithms
  o used by the security admin to improve protection
IDS terminology
 Data source: raw data an IDS uses to detect unauthorized or undesired activity
 Sensor: collects data from the data source and forwards events to the analyzer
 Analyzer: process that analyzes the collected data for unauthorized/undesired activity
 Administrator: human with overall responsibility for setting the security policy of the organization
 Manager: process from which the operator manages the components of the ID system
 Operator: human who is the primary user of the IDS manager

Open-source IDS: pros and cons
 Snort
  o Pros: fairly easy to install and get up and running; vast community of users, many support resources available online
  o Cons: comes with no GUI, though community-developed add-ons exist; packet processing can be slow
 Suricata
  o Pros: can use Snort's rulesets; has advanced features such as multi-threading and GPU acceleration
  o Cons: prone to false positives; system and network resource intensive
 Bro IDS
  o Pros: platform can be tailored for a variety of network security use cases in addition to NIDS; modular and plugin-based
  o Cons: some programming experience is required; gaining proficiency in the Bro DSL can take some effort
 OpenWIPS-ng
  o Pros: the software and hardware required can be built by DIYers
  o Cons: primarily a wireless security solution
 Security Onion
  o Pros: comprehensive security stack consisting of multiple leading open-source solutions; provides an easy setup tool for installing the whole stack
  o Cons: as a platform made up of several technologies, Security Onion inherits the drawbacks of each constituent tool

Snort
 lightweight IDS
  o real-time packet capture and rule analysis
  o passive or inline
 [Figure: Snort processing chain, starting from the packet decoder]

Snort rules
 use a simple, flexible rule definition language
 a rule has a fixed header and zero or more options
  o Header: action, protocol, source IP, source port, direction, destination IP, destination port
  o Options: enclosed in parentheses after the header
 example rule to detect a TCP SYN-FIN scan (rule actions are lowercase in Snort):

    alert tcp $EXTERNAL_NET any -> $HOME_NET any \
        (msg:"SCAN SYN FIN"; flags:SF,12; \
        reference:arachnids,198; classtype:attempted-recon;)

  o flags:SF,12 matches packets with both the SYN and FIN bits set, ignoring the two reserved bits

IPS
 a recent addition to security products:
  o an inline network/host-based IDS that can block traffic
  o a functional addition to a firewall that adds IDS capabilities
 can block traffic like a firewall
 uses IDS algorithms
 may be network or host based

Host-based IPS
 identifies attacks using both:
  o signature techniques
   • malicious application packets
  o anomaly detection techniques
   • behavior patterns that indicate malware
 can be tailored to the specific platform
  o e.g. general purpose, web/database server specific
 can also sandbox applets to monitor their behavior
 may give desktop file, registry, I/O protection

Network-based IPS
 inline NIDS that can discard packets or terminate TCP connections
 uses signature and anomaly detection
 may provide flow data protection
  o monitoring full application flow content
 can identify malicious packets using:
  o pattern matching, stateful matching, protocol anomaly, traffic anomaly, statistical anomaly
 cf. Snort inline, which can drop/modify packets

Snort inline
 Drop mode: a packet is dropped if it matches an attack signature. Three rule actions are available in this mode:
  o drop: drops the packet and logs the event
  o reject: drops the packet, logs the event, and sends a TCP reset (or an ICMP unreachable message for UDP) back to the host
  o sdrop: drops the packet silently, without logging the event
 Replace mode: a packet is modified if it matches an attack signature

Summary
 IDS
 Comparison
 Architecture
 Requirements
 Classification
  o Signature-based and anomaly-based IDS
  o Host-based and network-based IDS
 IPS

Practice
 Set up an IDS with one of the following:
  o Snort
  o Suricata
  o Bro IDS
  o OpenWIPS-ng
  o Security Onion
 Simulate attacks and use the IDS above to detect them
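The SYN-FIN rule and the Snort inline rule actions above, as an added example that is neither the lecture's material nor Snort's own code: a small Python matcher that parses the rule's header and options, tests constructed packets against it, and reports the verdict each action (alert, drop, reject, sdrop) would produce. The $HOME_NET prefix, the packet representation and the three packets are assumptions made for the example; only the msg and flags options influence matching here, whereas real Snort interprets many more.

```python
"""Added example, not the lecture's code and not Snort itself: a minimal
matcher for the slide's Snort rule plus the inline actions drop/reject/sdrop.

Assumptions (not in the slides): a packet is a dict with proto, src, sport,
dst, dport and a TCP flag string such as "SF"; $HOME_NET is the constructed
prefix below and $EXTERNAL_NET is its complement; reference and classtype
are parsed but do not affect matching.
"""
import ipaddress
import re

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed, not from the slides

# The slide's rule in canonical Snort syntax, on one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"SCAN SYN FIN"; flags:SF,12; '
        'reference:arachnids,198; classtype:attempted-recon;)')

# alert logs and lets the packet through; the inline actions block it,
# reject also answers with a TCP reset / ICMP unreachable, sdrop blocks
# without logging.
ACTIONS = {
    "alert":  {"blocked": False, "logged": True,  "reset": False},
    "drop":   {"blocked": True,  "logged": True,  "reset": False},
    "reject": {"blocked": True,  "logged": True,  "reset": True},
    "sdrop":  {"blocked": True,  "logged": False, "reset": False},
}

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(text):
    """Split a rule into its fixed header and its 'key:value;' options.
    Option values containing ';' are not handled (the slide's rule has none)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    if action not in ACTIONS:
        raise ValueError("unsupported action: " + action)
    options = {}
    for item in opts.split(";"):
        if item.strip():
            key, _, val = item.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "options": options}


def addr_match(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ip in HOME_NET
    if spec == "$EXTERNAL_NET":
        return ip not in HOME_NET
    return ip in ipaddress.ip_network(spec, strict=False)


def port_match(spec, port):
    return spec == "any" or int(spec) == port


def flags_match(spec, pkt_flags):
    """'flags:SF,12': the flags before the comma must be exactly the flags set
    on the packet once those after the comma (reserved bits 1 and 2) are
    masked out of the comparison."""
    required, _, ignored = spec.partition(",")
    return set(pkt_flags) - set(ignored.strip()) == set(required.strip())


def matches(rule, pkt):
    def one_way(src, sport, dst, dport):
        return (addr_match(src, pkt["src"]) and port_match(sport, pkt["sport"])
                and addr_match(dst, pkt["dst"]) and port_match(dport, pkt["dport"]))
    if rule["proto"] != pkt["proto"]:
        return False
    ok = one_way(rule["src"], rule["sport"], rule["dst"], rule["dport"])
    if rule["direction"] == "<>":  # bidirectional header
        ok = ok or one_way(rule["dst"], rule["dport"], rule["src"], rule["sport"])
    flags = rule["options"].get("flags")
    return ok and (flags is None or flags_match(flags, pkt.get("flags", "")))


def apply_rule(rule, pkt):
    """Verdict the rule's action produces for this packet."""
    if not matches(rule, pkt):
        return {"blocked": False, "logged": False, "reset": False, "msg": None}
    return dict(ACTIONS[rule["action"]], msg=rule["options"].get("msg"))


# Constructed packets, not captured traffic.
PKT_SYN_FIN = {"proto": "tcp", "src": "203.0.113.7", "sport": 40000,
               "dst": "10.1.2.3", "dport": 80, "flags": "SF"}
PKT_SYN = dict(PKT_SYN_FIN, flags="S")            # ordinary connection attempt
PKT_INTERNAL = dict(PKT_SYN_FIN, src="10.9.9.9")  # same scan, but from $HOME_NET

if __name__ == "__main__":
    for action in ACTIONS:
        print(action, apply_rule(parse_rule(RULE.replace("alert", action, 1)), PKT_SYN_FIN))
```

Swapping the action word is the only change between passive and inline use of the same rule, which is why the slides can present Snort as both an IDS and an IPS; note that sdrop leaves no log entry at all, so a practitioner tuning rules on a new deployment would start with alert or drop and reserve sdrop for noise that is already understood.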

Posted: 26/10/2018, 16:41
