Intrusion Detection Systems

Author: Cathleen Howard

1 Intrusion Detection Systems
Dr. X

2 Logistics
Upcoming deadlines:
• Programming HW Feb. 9
• Setup account on Global Environment for Network Innovations (GENI)

3 Outline
• Intrusion Detection
• Scanning Lab

4 Network Intrusion Detection Systems (NIDSs)
• Authorized eavesdropper that listens in on network traffic
• Makes determination whether traffic contains malware
  - usually compares payload to virus/worm signatures
  - usually looks at only incoming traffic
• If malware is detected, IDS somehow raises an alert
• Intrusion detection is a classification problem

5 Host Intrusion Detection Systems (HIDSs)
Intrusion detection that takes place on a single host system. The agent monitors and reports on system configuration, application activity, log analysis, event correlation, integrity checking, policy enforcement, rootkit detection, and alerting. They often also have the ability to baseline a host system to detect variations in system configuration. In specific vendor implementations these HIDS agents also allow connectivity to other security systems.

6 HIDS and Antivirus
Are they the same? Do they have differences? Do they have overlap?
Historically speaking: no. An anti-virus's primary goal is to detect and block access to malicious files, while an HIPS solution has a broader goal: it may track changes on the file system (to detect changes that do not necessarily imply malicious code, such as an unexpected settings change), analyze log files (system and application logs), check the system components to detect any irregularities, and indeed also try to detect potential malware. An HIPS solution may be composed of several different pieces of software, the anti-virus being only one of them, or one may go toward all-in-one solutions where a single tool bundles all these functions. The fact is that nowadays end-user anti-virus products are a bit more than simple anti-virus: over time they have accumulated a very large panel of features, turning them into security suites which can indeed be perceived as end-user HIPS solutions. A basic anti-virus, whose only goal is to detect and block access to malicious files, is only a part of an HIPS solution. Current end-user anti-virus products go well beyond this; they are often renamed security suites and are becoming end-user HIPS solutions.

7 Example Setup
Example setup: the position of the IDS is important!
Where would we position the HIDS? Where do we prefer HIDS vs An

8 Detection via Signatures
Signature checking: does packet match some signature?
• Payload, e.g., shellcode
• Header, e.g., SYN
Problem: not so great for zero-day attacks -- Q: WHY?

9 Detection via Machine Learning
Underlying assumption:
• Malware will look different from non-malware
• Anomaly in traffic will look different than regular traffic
Supervised learning: IDS requires a learning phase in which the operator provides pre-classified training data to learn patterns (sometimes called anomaly detection systems)
  {good, 80, “GET”, “/”, “Firefox”}
  {bad, 80, “POST”, “/php-shell.php?cmd=’rm -rf /’”, “Evil Browser”}
ML technique builds a model for classifying never-before-seen packets
Problem: is new malware going to look like training malware?

10 Confusion Matrix
• What constitutes an intrusion/anomaly is really just a matter of definition
• A system can exhibit all sorts of behavior
• Quality determined by the consistency with a given definition
• Context sensitive

11 Metrics
• True positives (TP): number of correct classifications of malware/anomaly
• True negatives (TN): number of correct classifications of non-malware/regular
• False positives (FP): number of incorrect classifications of non-malware as malware/anomaly
• False negatives (FN): number of incorrect classifications of malware as non-malware/regular
False positives are disruptive for businesses. Why?
What is worse, false positive or false negative?

12 Metrics
False positive rate: $\mathrm{FPR} = \frac{FP}{FP + TN} = \frac{\#\text{benign\_marked\_as\_malicious}}{\#\text{total\_benign}}$
True negative rate:
False negative rate:
True positive rate:
Derive the formulas for TNR, FNR, FPR

13 The Receiver Operating Characteristic Curve (ROC)
Receiver Operating Characteristic (ROC): curve that shows the detection/false positive ratio (for a binary classifier system as its discrimination threshold is varied)
Axelsson talks about the real problem with some authority and shows how this is not unique to CS
• Medical, criminology (think super-bowl), financial

14 Example ROC Curve
You are told to design an intrusion detection algorithm that identifies vulnerabilities by solely looking at transaction length, i.e., the algorithm uses a packet length threshold T that determines when a packet is marked as an attack. More formally, the algorithm is defined as $D(k, T) \to \{0, 1\}$, where k is the packet length of a suspect packet in bytes, T is the length threshold, and (0, 1) indicate that the packet should or should not be marked as an attack, respectively. You are given the following data to use to design the algorithm.
➡ attack packet lengths: 1, 1, 2, 3, 5, 8
➡ non-attack packet lengths: 2, 2, 4, 6, 6, 7, 8, 9
Draw the ROC curve.
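The metrics of slides 11 and 12 worked through on the data of slide 14, as an added example (not part of the lecture): it sweeps the threshold T, builds the confusion counts, derives TPR/FNR/FPR/TNR and lists the (FPR, TPR) points of the ROC curve. It assumes the detector flags a packet when its length is at most T, a direction the slide leaves open.

```python
from fractions import Fraction

# Constructed from the slide's example data (not a real packet capture).
ATTACK_LENGTHS = [1, 1, 2, 3, 5, 8]
BENIGN_LENGTHS = [2, 2, 4, 6, 6, 7, 8, 9]


def detect(k, T):
    """D(k, T): flag a packet of length k bytes as an attack when k <= T.
    Assumption (not stated on the slide): short packets are suspicious,
    since the attack lengths in the data skew small."""
    return k <= T


def confusion_counts(attack, benign, T):
    """Return (TP, FN, FP, TN) for threshold T over labelled packet lengths."""
    tp = sum(1 for k in attack if detect(k, T))
    fp = sum(1 for k in benign if detect(k, T))
    return tp, len(attack) - tp, fp, len(benign) - fp


def rates(tp, fn, fp, tn):
    """TPR/FNR are fractions of the attack packets, FPR/TNR of the benign ones."""
    return {
        "TPR": Fraction(tp, tp + fn),
        "FNR": Fraction(fn, tp + fn),
        "FPR": Fraction(fp, fp + tn),
        "TNR": Fraction(tn, fp + tn),
    }


def roc_points(attack, benign):
    """One (FPR, TPR) point per distinct threshold, from (0,0) up to (1,1)."""
    points = [(Fraction(0), Fraction(0))]
    for T in sorted(set(attack) | set(benign)):
        r = rates(*confusion_counts(attack, benign, T))
        points.append((r["FPR"], r["TPR"]))
    return points


if __name__ == "__main__":
    print("T  TP FN FP TN   TPR   FPR")
    for T in sorted(set(ATTACK_LENGTHS) | set(BENIGN_LENGTHS)):
        c = confusion_counts(ATTACK_LENGTHS, BENIGN_LENGTHS, T)
        r = rates(*c)
        print(f"{T:<2} {c[0]:>2} {c[1]:>2} {c[2]:>2} {c[3]:>2}"
              f"  {str(r['TPR']):>5} {str(r['FPR']):>5}")
```

Plotting the returned points with FPR on the x-axis and TPR on the y-axis gives the ROC curve the slide asks for; note that no threshold reaches TPR = 1 without also marking most benign packets.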

15 Problems with IDSs
• VERY difficult to get both good recall and precision
• Malware comes in small packages
  - Looking for one packet in a million (billion? trillion?)
  - If insufficiently sensitive, IDS will miss this packet (low recall)
  - If overly sensitive, too many alerts will be raised (low precision)

16 Snort
• Open source IDS
• Signature detection
• Lots of available rulesets
  alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A |root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
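To show what the rule above actually checks, here is an added example (not Snort's code and not from the lecture): a minimal parser for the rule's header and options, a decoder for the content string's |hex| segments, and a matcher run over two constructed login payloads. It assumes a simplified matcher that ignores flow state and the $VARIABLE address lists.

```python
import re

# The rule shown on the slide, used here as the parser's input.
RULE = ('alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 '
        '(msg:"MYSQL root login attempt"; flow:to_server,established; '
        'content:"|0A |root|00|"; classtype:protocol-command-decode; '
        'sid:1775; rev:2;)')

# Constructed sample payloads (not real MySQL captures): the client's
# login packet carries the NUL-terminated user name after fixed fields.
ROOT_LOGIN = b"\x85\xa6\x03\x00" + b"\x00" * 23 + b"\x0aroot\x00" + b"\xaa" * 20
ALICE_LOGIN = b"\x85\xa6\x03\x00" + b"\x00" * 23 + b"\x0aalice\x00" + b"\xaa" * 20


def parse_rule(rule):
    """Split a one-line Snort rule into header fields and an option dict."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = {}
    # option values are either "quoted strings" or bare text up to the ';'
    for name, value in re.findall(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*);', body):
        options[name] = value[1:-1] if value.startswith('"') else value
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "options": options}


def content_bytes(spec):
    """Turn a Snort content string into raw bytes: text outside |...| is
    literal ASCII, text inside is whitespace-separated hex octets."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("ascii")
        else:
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


def rule_matches(rule, dport, payload):
    """Simplified matcher (assumption): destination port plus a content
    search; flow state, $VARIABLES and offsets/depth are not evaluated."""
    r = parse_rule(rule)
    if r["dport"] != "any" and int(r["dport"]) != dport:
        return False
    return content_bytes(r["options"]["content"]) in payload


if __name__ == "__main__":
    r = parse_rule(RULE)
    print(f"sid {r['options']['sid']}: {r['options']['msg']}")
    print("root login ->", rule_matches(RULE, 3306, ROOT_LOGIN))
    print("alice login ->", rule_matches(RULE, 3306, ALICE_LOGIN))
```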

17 How can we study attacks?
Honeypots!
• collection of decoy services (fake mail, web, ftp, etc.)
• decoys often mimic behavior of unpatched and vulnerable services
• A controlled environment constructed to trick malware into thinking it is running in an unprotected system

18 Honeypots
Three main uses:
• forensic analysis: better understand how malware works; collect evidence for future legal proceedings
• risk mitigation: provide “low-hanging fruit” to distract attacker while safeguarding the actually important services
  - tarpits: provide very slow service to slow down the attacker
• malware detection: examine behavior of incoming request in order to classify it as benign or malicious

19 Honeypots
• Low interaction: emulated services
  - inexpensive
  - may be easier to detect
• High interaction: no emulation; honeypot maintained inside of real OS
  - expensive
  - good realism

20 Example Honeypot Workflow

21 Examining malware
Trace system calls:
• most OSes support a method to trace the sequence of system calls, e.g., ptrace, strace, etc.
• all “interesting” behavior (e.g., networking, file I/O, etc.) must go through system calls
• capturing the sequence of system calls (plus their arguments) reveals useful info about malware’s behavior

22 Examining malware
Observe filesystem changes and network I/O:
• “diff” the filesystem before and after: which files is the malware reading/writing?
• capture network packets: to whom is the malware communicating?
• Utilize hidden kernel module: capture all activity
  - challenge: encryption

23 Challenges
• Honeypot must resemble actual machine: simulate actual services (Apache, MySQL, etc.)
• ...but not too much: bad form to actually help propagate the worm (legal risks!)
• Some worms do a reasonably good job of detecting honeypots

24 Honeynets
Honeynet: also called honeyfarms
• Collection of honeypots that simulate a network; or
• Single honeypot that emulates services on multiple emulated “machines” (that is, on a network)

25 Example Deployment

26 honeyd
• Open-source virtual honeynet
• creates virtual hosts on network
  - services actually run on a single host
  - scriptable services

27 Internet Background Radiation
Internet Background Radiation or Backscatter: traffic that is sent to addresses on which no device is set up (these unused portions of the Internet are called darknets)
• Backscatter primarily originates from spam, worms, and port scans
• Estimated at 5.5 Gbps
• Estimated that 70% of background radiation is due to the Conficker worm

28 Virtual Machines
Virtual machine: isolated virtual hardware running within a single operating system
• i.e., a software implementation of hardware
• usually provides emulated hardware which runs an OS and other applications
• i.e., a computer inside of a computer
What’s the point?
• extreme software isolation -- programs can’t easily interfere with one another if they run on separate machines
• much better hardware utilization than with separate machines
• power savings
• easy migration -- no downtime for hardware repairs/improvements

29 Virtual Machines

30 Honeypots and VMs
• Most virtual machines provide checkpointing features
  - Checkpoint (also called snapshot) consists of all VM state (disk, memory, etc.)
  - In normal VM usage, user periodically creates snapshots before making major changes
  - Rolling back (“restoring”) to a snapshot is fairly inexpensive
• Checkpointing features are very useful for honeypots
  - Let malware do its damage
  - Pause VM and safely inspect damage from the virtual machine monitor
  - To reset state, simply restore back to the checkpoint

31 Detecting VMs
• Lots of research into detecting when you’re in a virtual machine
  - examine hardware drivers
  - time certain operations
  - look at ISA support
• Malware does this too!
  - if not in VM, wreak havoc
  - if in VM, self-destruct

32 Sources
• Computer and Network Security, William Enck
• S. Axelsson, “The Base-Rate Fallacy and Its Implications for the Difficulty of Intrusion Detection”, in Proceedings of the ACM Conference on Computer and Communications Security, November 1999

33 Create cloud account: GENI
Have you received an ?
Have you joined the project: CSIS490S17?

34 GENI
Create an account:
Join the project CSIS490S17
Windows:
Mac: tml