Intrusion detection

Chapter 22: Intrusion Detection


• Principles
• Basics
• Models of Intrusion Detection
• Architecture of an IDS
– IDS – intrusion detection system
– IPS – intrusion prevention system
Examples
• Equifax
– Attackers used a code vulnerability that allowed commands to be executed on the web server via a web request
– The commands allowed the attackers to log into the database and download huge amounts of personal data
• Symptoms
– Unusually large amounts of data leaving the server
• Since many GB of data are being stolen
– Unusual pattern of queries
• Since the web server is making requests to “dump” data
– Unusual set of machines making requests to the server
• A relatively small number of machines in China make a large number of requests
– Unusual patterns in the web logs
• The URL includes long strings that are the commands that the server will execute
• Conclusion
– The intrusion can be detected by watching for unusual behavior
• Critical Note
– It is far better to have strict rules of what is allowed (and audit those rules) than to try to figure out what is and is not unusual behavior
Characteristics of Intrusions
• Assumption: Exploiting vulnerabilities requires abnormal use of normal commands or instructions
• Assumption:
– Normal usage means normal
– Abnormal usage means an attack
– Is this true? When is the last time you did something new on your computer?
• False alarms!
Accuracy of Intrusion Detection
• Detect intrusions with a high probability
– False negative: when the detection system misses an intrusion
– Objective: low false negative rate or probability
– Sometimes called Type II error
• Failure to reject the hypothesis that the behavior is normal when the behavior is in fact abnormal
• Correctly detecting allowed behavior
– False positive: marking behavior as an intrusion when it is not
– Objective: low false positive rate/probability
– Sometimes called Type I error
• Incorrectly rejecting the hypothesis that behavior is normal when
Definitions of Accuracy
• False positive
– Alert is raised when there was no attack
• False negative
– Alert was not raised when there was an attack
• Precision
– Number of true positives / (Number of true positives + Number of false positives)
– Number of true positives / Number of alerts
– Measures how likely an IDS alert indicates an attack
• Should you freak out when the IDS raises an alert?
• Sensitivity (sometimes called Recall)
– Number of true positives / (Number of true positives + Number of false negatives)
– Number of true positives / Number of attacks
– Does your IDS detect all attacks?
• Should you sleep well because your IDS has not raised an alert?
• Specificity (aka selectivity)
– Number of true negatives / (Number of true negatives + Number of false positives)
– Probability of not raising an alert when there is no attack
• If specificity is low, then the IDS will send many alerts when there is no attack
False Alarms
• False negatives
– High false negatives means that actual intrusions are missed
• False positives (false alarms)
– High false positives generate too much “useless” work for the security team.
• Maybe it is not useless, but it is perceived to be useless
– High false alarms mean that actual intrusions are missed (the real alerts are buried among the false ones)
False negative vs. false positive
• In general, a lower false positive probability comes at the expense of a higher false negative probability
• A better IDS shifts the “ROC” curve to the lower left

Figure: false negative probability plotted against false positive probability (axes labelled -log(False positive) and -log(False negative)). Sometimes this is called the receiver operating characteristic (ROC) curve.
Approaches to Intrusion Detection
• Signature-based
– What is bad, is known
– What is not bad, is good
• Anomaly detection
– What is usual, is good
– What is unusual, is bad
• Specification-based detection
– What is correct, is good
– What is incorrect, is bad
Signature-based IDS
• An attack fits an attack pattern
• E.g.,
– Attack CVE-2017-9841 arrives in an HTTP request: “GET /vendor/phpunit/phpunit/src/Util/PHP/[Link]”
– How?
• System reads web server logs
• If the string “GET /vendor/phpunit/phpunit/src/Util/PHP/[Link]” is found, then an alert is raised,
– e.g., an email is sent
– A dashboard indicates a signature match/attack
• Pros:
– Obvious: If you know the signature, you should detect the attack with that signature
– Quick to deploy: When a new attack is detected, often the fastest defense to deploy is one that uses the signature
– Low false positive (usually)
• Cons:
– Never ending list of signatures
• Need an automated way to build signatures and deploy them
– Unable to defend against unknown attacks
– Unable to defend against variations of the same attack
– Pattern matching systems are complicated and can be attacked
Specification-based IDS
• Specification of software describes how the software behaves
• If the IDS knows how it should behave, it will also know when it is behaving incorrectly
Agent-based Data Collection
Figure: data pipeline for an agent that monitors a turbine
1. Software agent collects data about the turbine
2. Data is sent through the Internet
3. Data received by your ingestion systems
4. Data saved in your DB
5. Data processed by your state-of-the-art AI
6. Power Brokers Enable Clean Energy
Attack of Agent-based Data Collection
Figure: the same pipeline under attack
1. Attacker has reverse engineered your agent and sends huge amounts of data
2. Data is sent through the Internet
3. Data ingestion is overwhelmed
4. Data storage is expensive

• Specification: Each agent typically uploads 10MB per day.
• IDS: If an agent uploads more than 10MB in 24 hours, then block all uploads from that agent
Agent-based Data Collection
Figure: the same pipeline, 2 days later, with the agent uploading 20MB
1. Software agent collects data about the turbine
2. Data is sent through the Internet
3. Data received by your ingestion systems
4. Data saved in your DB
5. Data processed by your state-of-the-art AI
6. Power Brokers Enable Clean Energy
Agent behavior: in the event of a network failure, buffer data and upload when connectivity is restored
Attack of Agent-based Data Collection
Figure: the attack scenario again (attacker has reverse engineered your agent and sends huge amounts of data; data ingestion is overwhelmed; data storage is expensive)

• Specification: Each agent typically uploads 10MB per day.
• IDS: If an agent uploads more than 10MB in 24 hours, then block all uploads from that agent
• More Specification: If the agent’s connection to the server is broken, then the agent buffers the data
• Better IDS: If an agent uploads more than 100MB in 24 hours, then block all uploads from that agent (allows for 10 days disconnection)
• IDS: If an agent uploads more than 1000MB in 24 hours, then block all uploads from that agent
• Because the server can easily handle 1000MB. This puts a large gap between the specification and the limit imposed by the IDS/IPS
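As an added example (not part of the slides), the three upload limits above applied as a 24-hour sliding-window rule to a constructed upload timeline for a buffering agent and for the attacker's flooding agent; the volumes, timings and agent names are assumptions of this example.

```python
from collections import deque

# Constructed upload timelines, as (hours since start, MB uploaded).
# These values are assumptions of this example, not data from the slides.
# A legitimate agent uploads 10MB once a day, loses connectivity on days
# 5-7 and, as the specification allows, flushes the buffered 40MB on day 8.
LEGIT_AGENT = [(24 * d, 10) for d in range(5)] + [(24 * 8, 40)]
# The reverse-engineered agent pushes 500MB every hour from day 2 onward.
FLOODING_AGENT = [(24 * 2 + h, 500) for h in range(6)]


def first_block_time(uploads, limit_mb, window_h=24):
    """Apply the rule 'block the agent once it uploads more than limit_mb
    within any window_h-hour period'. Returns the hour at which the agent
    would be blocked, or None if the rule never fires."""
    window = deque()      # uploads still inside the sliding window
    in_window = 0         # MB uploaded inside the window
    for t, mb in sorted(uploads):
        window.append((t, mb))
        in_window += mb
        # Drop uploads that fell out of the window (older than window_h hours).
        while window[0][0] <= t - window_h:
            in_window -= window.popleft()[1]
        if in_window > limit_mb:
            return t
    return None


def compare_limits(limits=(10, 100, 1000)):
    """For each candidate limit, return (hour the legit agent is blocked,
    hour the flooding agent is blocked). A block of the legit agent is a
    false positive; None for the flooding agent is a false negative."""
    return {
        limit: (first_block_time(LEGIT_AGENT, limit),
                first_block_time(FLOODING_AGENT, limit))
        for limit in limits
    }


if __name__ == "__main__":
    for limit, (legit, attacker) in compare_limits().items():
        print(f"limit {limit:>5}MB/24h: legit agent blocked at hour {legit}, "
              f"flooding agent blocked at hour {attacker}")
```

The 10MB rule fires on the legitimate buffered flush at hour 192 (a false positive), while even the loose 1000MB rule stops the flooding agent two hours in; the slack between 100MB and 1000MB is the gap the slide describes.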
Specification-based IDS
• Specification of software describes how the software behaves
• If the IDS knows how it should behave, it will also know when it is behaving incorrectly
• Ideally
– The software developer knows what the software should and should not do.
– The IDS can use this knowledge to make a specification-based IDS
• Instead of designing the IDS to block behavior that does not follow the specification, consider blocking behavior that does not follow the specification and is also harmful or nearly so
Specification-based IDS Reality
• The software developer does not always know exactly what the software does, e.g., if the software is a platform where customers can plug in components
• Software development is complicated, and often, no one really knows how things work
• There is no mechanism to link specifications to the IDS
– Suppose I write software; how can I tell the IDS what my software can and cannot do?
• Vendor-driven: Each IDS vendor builds a specification for different software
– E.g., a vendor makes a rule that MS SQL cannot make any http or https connections
– Endless work for the vendor
Anomaly Detection
• Analyzes a set of characteristics of the system, and compares their values with expected values; reports when computed statistics do not match expected statistics
– Threshold metrics
• A host tries to connect to too many hosts that do not exist. The host could be scanning for more systems to infect
– Markov model
• Models the steps that a user or host takes
– Others
• Many
Threshold Metrics
• Counts the number of events that occur
– Between m and n events (inclusive) are expected to occur
– If the number falls outside this range, then the behavior is anomalous
• Example
– Windows: lock user out after k failed sequential login attempts. Range is (0, k–1).
• k or more failed logins deemed anomalous
• Example: Windows lock out after too many failed login attempts
– Appropriate threshold may depend on non-obvious factors
• Typing skill of users
• If keyboards are US keyboards, and most users are French, typing errors are very common
– Dvorak vs. non-Dvorak within the US
– Stealth attack
• Suppose the threshold is 100 failed attempts per day
• Attacker tries a random password 99 times a day for each account
• Maybe make the threshold smaller, but then risk spurious lock-outs
• Difficulties
– Thresholds are difficult to set in general
– Detecting stealth attacks vs. random errors
Threshold metric detailed example: detecting scanning

• If a host is infiltrated, it might scan the network looking for other hosts to infect
• By sending a packet to a host, an attacker can determine the type of operating system and what services are running on the machine, e.g., web server, database server, etc.
• A network error message is generated when:
– A host sends a packet to a machine that does not exist
– A host sends a packet to a port that is not being used
• Scanning can be detected by counting network error messages
– However, normal behavior will result in some error messages
Scanning detection algorithm
• Let N(k) be the number of network error messages detected during the kth time interval
• Approaches
– If N(k)>T, then raise alarm
• What is the time interval?
• If the attacker knows T and the time interval, they can launch a stealthy attack
• Sometimes machines/software will produce bursts of suspicious events
– E.g., failed logins. 3 failures in a minute is OK.
» But 3*60 per hour is too many. So make the time interval one hour.
» But 3*60 in a minute is too many. Also, do we wait an hour before raising the alarm?
• We know that selecting T is a problem; now we must also select the time interval
Scanning detection algorithm
• Let N(k) be the number of network error messages detected during the kth time interval
• Approach: Running Sum
– S(k+1) = S(k) + N(k)
– If S(k)>T, then raise alarm
• A slow and steady stream of events will accumulate, hence stealthy attackers are detected
• Make the time interval small, so huge bursts of events are caught immediately
• But S(k) is always increasing, so allowable events will eventually result in S(k)>T
• Solution: reset S(k) every now and then
Scanning detection algorithm
• Let N(k) be the number of network error messages detected during the kth time interval
• Let m be the average number of error messages generated in normal usage
• Approach: CumSum
– S(k+1) = max(0, S(k) + N(k) - m)
– If S(k) > T, then raise an alarm
– In many cases, this algorithm (known as cumulative sum or cumsum) is the optimal detector in terms of delay to detection and false alarm rate
– By adjusting the threshold, T, we get different false alarm rates and delays to detection
Cumsum-based detection
S(k+1) = max(0, S(k)+N(k)-m)
• Cumsum-based detection is easy to implement and performs well
• But thresholds need to be selected and m needs to be determined

Figure: plot of S(k) against k (k from 0 to 1800, S(k) from 0 to 180), with an “Attack starts” marker and threshold lines labelled “Less false alarms” (higher) and “Low threshold” (lower).
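The three scanning detectors from the preceding slides (per-interval threshold, running sum, cumsum) run side by side over a constructed series of error counts N(k) that contains a stealthy scanner; this is an added example, not code from the slides, and the baseline pattern, attack timing and thresholds are assumptions chosen to keep every N(k) under the per-interval threshold.

```python
# Constructed series of network error counts N(k), one per time interval.
# Values are assumptions of this example, not data from the slides.
# Normal activity yields a few errors per interval (mean 2.1); from interval
# 50 to 99 a stealthy scanner adds 5 more, keeping every N(k) below T=10.
BASELINE = [1, 2, 3, 2, 1, 3, 2, 4, 2, 1]
ATTACK_START, ATTACK_END, ATTACK_RATE = 50, 100, 5
N = [BASELINE[k % len(BASELINE)]
     + (ATTACK_RATE if ATTACK_START <= k < ATTACK_END else 0)
     for k in range(120)]


def threshold_first_alarm(counts, T):
    """Per-interval rule: alarm at the first k with N(k) > T."""
    for k, n in enumerate(counts):
        if n > T:
            return k
    return None


def running_sum_first_alarm(counts, T):
    """Running sum S(k+1) = S(k) + N(k); alarm once S exceeds T.
    S never decreases, so benign traffic alone eventually trips it."""
    s = 0
    for k, n in enumerate(counts):
        s += n
        if s > T:
            return k
    return None


def cusum_first_alarm(counts, m, T):
    """CUSUM: S(k+1) = max(0, S(k) + N(k) - m); alarm once S exceeds T.
    m is the expected normal count, so benign intervals drain S back to 0
    while a sustained excess above m accumulates."""
    s = 0
    for k, n in enumerate(counts):
        s = max(0, s + n - m)
        if s > T:
            return k
    return None


if __name__ == "__main__":
    print("attack runs from interval", ATTACK_START, "to", ATTACK_END - 1)
    print("per-interval threshold T=10 alarms at:", threshold_first_alarm(N, 10))
    print("running sum T=60 alarms at:", running_sum_first_alarm(N, 60))
    print("cusum m=3, T=30 alarms at:", cusum_first_alarm(N, 3, 30))
```

The per-interval rule never sees the scanner (the largest N(k) is 9), the running sum alarms at interval 28 on normal traffic alone, before the attack even starts, and the cusum alarms at interval 57, seven intervals into the attack, having stayed at 0 through the benign intervals.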
My Experience
• I use thresholds frequently
• Usually, careful detection is not required. Instead, detection is
obvious
• E.g.,
– My system can handle 1M new users/day.
– Usually, we have less than 100 new users/day
– Set a threshold on 10000 new users/day from a single IP address
Markov Model
• Another statistics-based method, but one that uses more powerful statistical techniques
• Assumption: Past state affects current transition
• Anomalies based upon sequences of events, and not on occurrence of a single event
• Problem: need to train the system to establish valid sequences
– Use known training data that is not anomalous
– The more training data, the better the model
– Training data should cover all possible normal uses of the system
Markov Model of a Web Surfing
Figure: Markov model of web surfing. States: Home page, Gallery, Comments page, Site directory page, and null (new session). Edges are labelled with transition probabilities: 0.3, 0.4, 0.699, 0.599, 0.999, 1 and 0.001.

The numbers are the probability that a user takes a particular action that leads to the next state
Markov Assumption: the probability of jumping from one state to the next only depends on the current state

Counter-example (states: At home, In office, At lunch): the probability of jumping from office to lunch should depend on whether the person has already visited the at-lunch state. This is not a Markov Model.
Markov Model of a Web Surfing
Figure: the same Markov model of web surfing as above.

User’s sequence of events: Home Page; Gallery; Comments; Gallery; Site directory; Home page; Site directory
(the first transitions are normal; the last ones are abnormal)

Start page      Next page       Score (-log(p))   S = max(0, S+score-1)   Above threshold 3?
Home page       Gallery         -log(0.3)=0.5     max(0,0+0.5-1)=0        No
Gallery         Comments        -log(0.699)=0.1   max(0,0+0.1-1)=0        No
Comments        Gallery         -log(0.4)=0.4     max(0,0+0.4-1)=0        No
Gallery         Site directory  -log(0.001)=3     max(0,0+3-1)=2          No
Site directory  Home page       -log(1)=0         max(0,2+0-1)=1          No
Home page       Site directory  -log(0.001)=3     max(0,1+3-1)=3          Yes
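The table above reproduced in code, as an added example that is not part of the slides: transition probabilities are scored as -log10 p and fed into the same cumsum with drift 1 and threshold 3. Only the transitions the table uses are taken from the figure; the floor probability for transitions absent from the model and the second, all-normal session are assumptions of this example.

```python
import math

# Transition probabilities read off the slide's web-surfing Markov model.
# Only the transitions used in the worked table are listed; a transition
# absent from the model is given UNSEEN_P (an assumption of this example).
TRANSITIONS = {
    ("Home page", "Gallery"): 0.3,
    ("Gallery", "Comments"): 0.699,
    ("Comments", "Gallery"): 0.4,
    ("Gallery", "Site directory"): 0.001,
    ("Site directory", "Home page"): 1.0,
    ("Home page", "Site directory"): 0.001,
}
UNSEEN_P = 0.001


def transition_score(prev, nxt):
    """Surprise of one click: -log10 p, as in the table (0 for a certain
    transition, 3 for one with probability 0.001)."""
    return -math.log10(TRANSITIONS.get((prev, nxt), UNSEEN_P))


def score_session(pages, drift=1.0, threshold=3.0):
    """Run S = max(0, S + score - drift) over consecutive page views.
    Returns (rows, alarm_at): rows holds (prev, nxt, score, S) per
    transition; alarm_at is the index of the first transition at which S
    reaches the threshold, or None. With drift 1, ordinary clicks (score
    well below 1) drain S, so only unlikely clicks accumulate."""
    s, rows, alarm_at = 0.0, [], None
    for i, (prev, nxt) in enumerate(zip(pages, pages[1:])):
        score = transition_score(prev, nxt)
        s = max(0.0, s + score - drift)
        rows.append((prev, nxt, round(score, 3), round(s, 3)))
        if alarm_at is None and s >= threshold - 1e-9:  # tolerate float error
            alarm_at = i
    return rows, alarm_at


# The session from the slide's table.
SLIDE_SESSION = ["Home page", "Gallery", "Comments", "Gallery",
                 "Site directory", "Home page", "Site directory"]
# A constructed all-normal session (assumption of this example).
NORMAL_SESSION = ["Home page", "Gallery", "Comments", "Gallery", "Comments"]


if __name__ == "__main__":
    for name, session in (("slide", SLIDE_SESSION), ("normal", NORMAL_SESSION)):
        rows, alarm_at = score_session(session)
        print(f"{name} session: alarm at transition {alarm_at}")
        for prev, nxt, score, s in rows:
            print(f"  {prev:>14} -> {nxt:<14} score={score:<5} S={s}")
```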
Comparison and Contrast
• Signature-Based: A signature (e.g., a string that appears in a log, or an HTTP request) is used to detect the attack
– Pros: easy, fast to deploy, low false alarm (often used for prevention)
– Cons: Cannot detect unknown attacks
• Specification-based: what the software is allowed to do is precisely known. If it does something else, it is labeled as an attack
– Pros: Can detect many known attacks, since only specifically known behaviors are permitted. Low false alarm
– Cons: In practice, it is difficult for the IDS to know what behaviors are possible and allowed
• Anomaly detection: detects unusual events
– Pros: Can detect unknown attacks
– Cons: High false alarm probability, since unknown events are not necessarily an attack
IDS Architecture
• Basically, an audit system
– Agents act like loggers; they gather data for analysis
– Analyzes data obtained from the agents according to its internal rules
– Takes some action
• May simply notify the security officer
• May activate a response mechanism
• Security information and event management (SIEM)
– Complete security event system
• What is the difference between a SIEM and an IDS?
– An IDS is one of the inputs to a SIEM
• So a SIEM does more things than an IDS
– A SIEM can also provide some IDS functionality (so their differences are blurred)
Where to get data
• Agents
– Host-based agents (software that runs on the machines to be protected)
– Remote agents (software that runs on some other machine than the ones to be protected)
– Network-based agents (collect data from the network only)
Host-Based Agent
• Host-based agent runs on the user machines and on servers that are monitored
• Obtains information from logs
– May use many logs as sources
– May be security-related or not
• May create logs
– E.g., collect network packets
• Other checks
– Check that patches are up to date
– Check that virus detection is running (e.g., McAfee virus checking)
– Other rules
• Challenge: It can be difficult to install agents on all machines
– E.g., when someone visits
– Approach: when a user attempts to use the network, the agent must communicate with a server. If the agent does not register, then the user can only access a web page to download the agent
• Challenge: There are so many agents that machine performance is degraded by all the agents
Remote Agent (as opposed to host-based)
• Agent runs on an external machine
• Agent accesses data on the monitored machine
– SNMP (Simple Network Management Protocol)
• Allows one to retrieve various types of information about the remote machine
• Agent runs small scripts on the monitored machine
– E.g., ssh to a machine, run a few lines of bash code, retrieve and process the results
• Host-based Agent
– Can collect a wide range of data
– Able to monitor and control the impact on the host
– Requires software to be installed
– No ports need to be opened
– No change to firewall or VLAN
• Remote Agent
– Collects only data that is accessible from a remote API
– Difficult to control the impact the measurement has on the machine
– No software installed
– Ports must be opened, firewall and VLANs must be adjusted
– Passwords stored on the measurement machine
Pseudo/Almost Host-Based
• Take snap-shot of the disk
– Easy in the cloud
• Process data on the disk
– Virus detection
– Installed programs
– System configuration
• Cons
– Cannot detect what is running
Network-Based Agents
• Detects network-oriented attacks by examining network traffic only
• E.g., see data collected by Wireshark
Host-based IDS vs. Network-based IDS
• Host-based IDS
– The agent must be installed on every host, which is difficult
– Can watch everything that the machine is doing
• Detailed understanding is possible
– Comprehensive data collection is complicated
• E.g., a host IDS will not understand your custom app
– Can be disabled by the attacker
• Network-based IDS
– The IDS only needs to be installed in LAN switches or routers
• Not too difficult in a datacenter
• Simple in the cloud
– Watches traffic on the network only
• It is difficult/impossible to accurately know what is happening on the host
• Detailed understanding is not possible
– Detailed signatures are difficult to construct
– Cannot be disabled by the attacker
– Challenge: HTTPS encrypts traffic. If packet contents need to be inspected, then the monitor must be placed after the proxy
Where to place monitors

Figure: internet – Router – switch – end hosts, servers, network-based appliance (e.g., storage)

• Monitoring at the switch
– Traffic between hosts must pass through a switch
– A monitor can be placed at each switch
– Must be integrated into the switch
– Many monitors are required
– Difficult to change monitors (since each switch would need to be changed)
– Monitors all traffic
• Monitoring at the router
– Traffic from/to the internet must pass through a router
– A monitor can be placed in front of the router
– Does not need to be integrated into the router
– Only a single device is needed
– Does not capture all traffic
– An integrated monitor can monitor traffic between subnets
NetFlow
• Standard for monitoring flows
– As opposed to deep packet inspection, which is covered soon
• A flow
– Defined by the end host IPs and the end host ports and protocol
– E.g., when you download a web page, each image is an individual flow
– A skype call is a flow
– Streaming a movie is a flow
• Developed by Cisco, but supported by most vendors
• Collected by routers and some switches
• Data collected
– Time
– Interface
– Source and Destination IP address
– Transport layer protocol
– Source and destination TCP or UDP port
– IP type of service
– Number of bytes and number of packets
– ICMP information
Deep Packet Inspection (as opposed to netflow)
• Networking protocol stack, and what each header reveals
• Link layer
– ethernet, 802.11
– Ethernet header: source and destination MAC address
• Network layer
– IP addresses, …
– IP header: source and destination IP address
• Transport layer
– TCP
– Transport header: source and destination port (the port implies the application, e.g., web (80), mysql database (3306), ..)
• Application layer
– http, smtp, …
– http header and data: some information about the application details
Wireshark example
• Monitoring IP addresses and TCP ports is the most popular and easiest
– Can track flows (Netflow)
• Monitoring anything else is referred to as deep packet inspection
– Monitor http requests: which web page is requested (recall the Markov chain model of web surfing)
– Monitor the application: classify the application as web (http), email, bit-torrent, skype, etc.
– Monitor email attachments for malware or phishing
• Requires reconstructing a message from many packets. Requires memory and computational resources
Flow vs. packet level monitoring
Flow level monitoring
• Detect TCP-SYN attacks
– Too many TCP-SYNs and not enough TCP-SYN-ACKs
– Too many network error messages
• Detect scanning
– Too many connections
– Too many network error messages
• Detect machines running backdoors
• Abnormal connections
– Many machines connecting
– from odd places
– at odd times of day
• E.g., Shamoon
– Attacked 30,000 machines in a Saudi oil company
– Infected machines communicated with a particular command-and-control server
– Easy to detect this behavior
• Detect machines in a botnet
– Track communication: as a server, connects to unusual machines
• Monitor surfing of unauthorized web sites
• Detect access control breach
– Detect that a host is connecting to a machine that it does not have access to
• Access control policy is not applied to machines, but to people/users
Packet level monitoring
• Detect applications
– Detect bit-torrent, skype
• Skype is encrypted, but a signature is possible, including that the host connects to a skype server
• Detect ARP-based attacks
• Detect machines in a botnet
– Detect IRC commands/patterns
• Malware detection
– Check signature (hash or regular expression) on packet or message payload
• Phishing detection
– Detect links in email
• Computationally expensive
– Packets cross an enterprise switch at many Gbs or even Tbs
– Tracking messages requires specialized
Summary
• Host-based vs Network-based
• Switch-based vs router-based
• Flow-based vs deep packet inspection
LAN-based IPS/IDS
• Switch-based
• ASICs
– high throughput
– Deep packet inspection
– Message reconstruction
– Specialized regular expression checking
(checking for patterns)
• Check for .*45.*27.*, where .* is any string
• Difficult. Once a 0x45 is detected, some state is saved. This state needs to be kept for a long time (e.g., until the end of the message)
• A packet can partially match many patterns at the same time (causing the pattern matcher to be overwhelmed)
• Centralized director-notifier (LANsight)
• Identity-based
– User logs in, so the user is known
– Network-based access control based on user
• Which user can access which systems
– Identity-based IPS/IDS
• A profile (i.e., counts and thresholds) for each user
