intrusion detection monitoring

Information about intrusion detection monitoring

Published on October 7, 2007

Author: Wanderer

Source: authorstream.com

Content

Internet Security Monitoring
Monitoring and Coordination of Intrusion Detection

Security Monitoring
- Network security is the most important problem of today's networks; attacks and intrusions include viruses, worms, spyware, spam, ...
- Function of security monitoring: to characterize, monitor, and track these threats
- Critical to the smooth running of individual organizations and of the Internet as a whole

Current Practice for Protecting against Intrusions
Firewalls
- Choke points that filter traffic at network gateways in real time according to local security policy
- Drawbacks: a static strategy, and they cannot detect new types of threats
Network Intrusion Detection System (NIDS)
- Passively observes the local network traffic at ingress/egress points
- Uses standard detection methods: misuse (signature) detection, statistical anomaly detection, information retrieval, data mining, inductive learning, ...
- Drawbacks: high false-alarm rates, and the perspective of a single vantage point

One Promising Approach to Network Monitoring
Collect the traffic sent to unused (dark) address space
- Apart from misconfigurations, packets destined to unused addresses are almost always malicious, so false alarms (false positives) are minimized
- A detection tool that monitors unused addresses can actively respond to connection requests, which enables capture of the packets carrying attack-specific information; a purely passive sensor never sees more than the initial SYN of a TCP connection

Selected Research on Internet Monitoring
- V. Yegneswaran et al., "On the Design and Use of Internet Sinks for Network Abuse Monitoring", Proceedings of the Symposium on Recent Advances in Intrusion Detection (RAID), 2004. The Internet Sink (iSink) system measures packet traffic to unused IP addresses.
- Michael Bailey et al., "The Internet Motion Sensor: A Distributed Blackhole Monitoring System", Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), 2005. IMS combines a distributed monitoring infrastructure, a lightweight active responder, and a payload-signature caching mechanism.
- V. Yegneswaran et al., "Global Intrusion Detection in the DOMINO Overlay System", Proceedings of NDSS, 2004. An architecture for a distributed intrusion detection system that fosters collaboration among heterogeneous nodes organized as an overlay network.
- V. Yegneswaran et al., "Internet Intrusions: Global Characteristics and Prevalence", Proceedings of ACM SIGMETRICS, June 2003. A systematic analysis of firewall logs collected over four months from more than 1600 networks worldwide.

"On the Design and Use of Internet Sinks for Network Abuse Monitoring"
Goals of iSink
- Address the problem of designing and deploying a system for monitoring large unused address ranges, such as class A telescopes with 16M IP addresses
- Create a highly scalable backplane with sufficient interactivity to filter out known worms, attacks and misconfiguration
Characteristics of iSink
- Uses both active and passive components
- Maintains as little state as possible in the active responders
- Uses sampling techniques in both active and passive components to increase scalability

Internet Sink Implementation
- Passive Monitor: based on Argus, which allows flow-level monitoring of sink traffic
- Active Sink: based on the Click modular router; includes a PollDevice element, an IP classifier, and a Windows responder
- NAT Filter: reduces the volume of traffic generated by the active responders, routes requests to the appropriate responders, and filters out requests that attempt to exploit known vulnerabilities or that stem from misconfiguration
- VMware Honeynets: commodity operating systems running on VMware
- NIDS: used to evaluate the packet logs collected at the filter

Campus Enterprise iSink Case Study
Campus-Enterprise Sink
- Located inside one AS and advertised via the local interior routing protocol
- Sees traffic from local sources and from sources in remote networks
- Received unsolicited traffic destined for approximately 100,000 unused IPv4 addresses within four sparsely to moderately utilized class B networks on campus
Traffic observed from local sources
- Enterprise network management traffic
- Traffic from misconfigured hosts
- Malicious probes and worm traffic
Traffic observed only from remote sources (slide chart not reproduced here)

Service Provider iSink Case Study
Service-Provider Sink
- An ISP router located at the campus' service provider served as the gateway
- Received unsolicited traffic destined for 16 million IPv4 addresses in one class A network
- Traffic observed in a typical week at the service-provider iSink (slide chart not reproduced here)
- Conclusion: the location of the iSink in IP address space matters; the two sinks see different traffic mixes
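What the passive side of an iSink-style sensor does with each packet, as an added example in Python (not code from the iSink paper or from this presentation): a packet is first tested against the announced-but-unused prefixes, then tagged by source origin (local AS or remote) and by what its headers say about it: an unsolicited SYN is a probe, ACK/RST or SYN/ACK in dark space is backscatter, ICMP type 11 is a TTL-exceeded report, and a known management host is allow-listed. A per-destination count then surfaces hot-spots. The prefixes (RFC 5737 documentation ranges), the management host, the packet records and the hot-spot factor are all constructed assumptions.

```python
"""Dark-address traffic classifier in the spirit of the iSink passive monitor.
Added example; prefixes, hosts, packets and thresholds are constructed."""
import ipaddress
from collections import Counter

# Constructed sensor configuration (RFC 5737 documentation ranges).
LOCAL_AS = [ipaddress.ip_network("198.51.100.0/24")]   # the "campus" address space
DARK = [ipaddress.ip_network("203.0.113.0/24")]        # announced but unused block
USED = [ipaddress.ip_network("203.0.113.0/28")]        # carve-out that is really in use
NMS_HOSTS = {ipaddress.ip_address("198.51.100.5")}     # expected local management scanner


def in_any(addr, nets):
    return any(addr in net for net in nets)


def classify(pkt):
    """Category for one packet record.

    pkt keys: src, dst (strings), proto ("tcp"/"udp"/"icmp"), dport (int),
    flags (set of TCP flag names), icmp_type (int, ICMP only).
    """
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if not in_any(dst, DARK) or in_any(dst, USED):
        return "production"            # not sink traffic: someone lives there
    if src in NMS_HOSTS:
        return "management"            # expected local traffic, not an attack
    origin = "local" if in_any(src, LOCAL_AS) else "remote"
    if pkt["proto"] == "tcp":
        flags = set(pkt["flags"])
        if flags == {"SYN"}:
            return origin + "-probe"                # unsolicited connection attempt
        if "ACK" in flags or "RST" in flags:
            return origin + "-backscatter"          # a victim answering a spoofed source
        return origin + "-tcp-other"
    if pkt["proto"] == "icmp":
        if pkt.get("icmp_type") == 11:
            return origin + "-icmp-ttl-exceeded"    # routing loop or low-TTL flood
        return origin + "-icmp-other"
    return origin + "-" + pkt["proto"]


def summarize(pkts):
    """Counts per category, and the destination ports of the probes."""
    cats = Counter(classify(p) for p in pkts)
    ports = Counter(p["dport"] for p in pkts if classify(p).endswith("-probe"))
    return cats, ports


def hot_spots(pkts, factor=10):
    """Dark addresses drawing at least `factor` times the median number of
    probes: in unused space that usually means misconfiguration, not attack."""
    per_dst = Counter(p["dst"] for p in pkts if classify(p).endswith("-probe"))
    if len(per_dst) < 2:
        return []
    counts = sorted(per_dst.values())
    median = counts[len(counts) // 2]
    return sorted(d for d, c in per_dst.items() if c >= factor * median)


def tcp(src, dst, dport, *flags):
    return {"src": src, "dst": dst, "proto": "tcp", "dport": dport, "flags": set(flags)}


# Constructed packet records standing in for one sampling interval.
SAMPLE = (
    [tcp("192.0.2.10", "203.0.113.%d" % i, 445, "SYN") for i in range(20, 25)]
    + [tcp("198.51.100.7", "203.0.113.30", 139, "SYN")]
    + [{"src": "198.51.100.5", "dst": "203.0.113.40", "proto": "udp", "dport": 161, "flags": set()}]
    + [tcp("192.0.2.50", "203.0.113.60", 1024, "ACK", "RST")] * 2
    + [tcp("192.0.2.51", "203.0.113.61", 1025, "SYN", "ACK")]
    + [{"src": "192.0.2.99", "dst": "203.0.113.70", "proto": "icmp", "dport": 0,
        "flags": set(), "icmp_type": 11}]
    + [tcp("192.0.2.10", "203.0.113.3", 445, "SYN")]                 # lands in the used carve-out
    + [tcp("192.0.2.%d" % (100 + i), "203.0.113.25", 25, "SYN") for i in range(30)]
)

if __name__ == "__main__":
    cats, ports = summarize(SAMPLE)
    print(dict(cats))
    print("probe ports:", dict(ports))
    print("hot spots:", hot_spots(SAMPLE))
```

The order of the checks is the point: the used carve-out and the management allow-list are consulted before anything is called a probe, which is what keeps the false-positive rate of a dark-space sensor low. The SMTP hot-spot in the service-provider study is exactly what `hot_spots` would flag here (203.0.113.25 on port 25).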
Investigating Unique Periodic Probes
- Most of the periodicity observed in the TCP flows could be isolated to sources scanning two services (ports 139 and 445) simultaneously
- The passive logs provided three additional clues:
  1) scans typically involve 256 successive IP addresses that span a /24 boundary
  2) the probes had a period of roughly 2.5 hours
  3) the small-timescale periodicity appeared to be superimposed on a diurnal periodic behavior at larger timescales
- NetBIOS and SMB responders were developed, and the packet logs generated by the active response system were examined
Conclusion
- The activity could be isolated to the LovGate worm
- The scanning process is deterministic
- Conjecture: the gaps occur because of approximately synchronized clocks in the wide area

Analysis of Backscatter Packets
- Backscatter is the reply traffic (ACK/RST, SYN/ACK, ICMP) that victims of spoofed-source attacks send to the forged source addresses; the share of those forged addresses that fall in the sink's dark space lands on the sensor
- TCP packets with ACK/RST dominate, as might be expected
- Vertical lines in the time series correspond to less common, short-duration spikes of SYN/ACK and SYN/ACK/RST
- ICMP TTL-exceeded packets could be attributed either to routing loops or to DoS floods with a low initial TTL
- Backscatter made up a small percentage (under 5%) of the overall traffic seen on the service-provider sink

SMTP Hot-spot
- From passive measurements, they identified an SMTP hot-spot: one IP address was attracting a disproportionately large number of SMTP scans (20-50 scans per second)
- Hot-spots in unused address space are typically good indicators of misconfiguration
- They set up an SMTP responder on the target IP address and captured the incoming email
- This revealed the source of the email to be misconfigured wireless router/firewall systems from a major vendor; the emails were the devices' own firewall logs
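The two passive clues that led to LovGate (runs of 256 successive addresses that cross a /24 boundary, recurring every 2.5 hours) can be recovered mechanically from timestamped flow records. The block below is an added example in Python, not iSink code: it groups records by source, finds maximal runs of consecutive destination addresses, flags runs that span a /24, and reports the median spacing between a source's runs and the set of ports it hits. The events are constructed (a source sweeping 256 addresses on 139 and 445 every 9000 s, plus an unrelated scanner); the run length, gap and other thresholds are assumptions.

```python
"""Sequential-sweep and periodicity analysis, modelled on the iSink
investigation of the 139/445 probes. Added example, not iSink code; the
events below are constructed and the thresholds are assumptions."""
import ipaddress
from collections import defaultdict
from statistics import median


def _close_run(runs, src, cur, min_len):
    """Record a finished run of consecutive destinations if it is long enough."""
    first, last = cur[0][1], cur[-1][1]
    length = last - first + 1
    if length >= min_len:
        runs[src].append({
            "start": cur[0][0],
            "first": str(ipaddress.ip_address(first)),
            "last": str(ipaddress.ip_address(last)),
            "length": length,
            "crosses_24": (first >> 8) != (last >> 8),   # spans a /24 boundary
        })


def sequential_runs(events, min_len=64, max_gap=60.0):
    """Per source, runs of consecutive destination addresses.

    events: iterable of (timestamp_s, src, dst, dport). A run continues while
    the next record hits the same host (second port) or the next address and
    arrives within max_gap seconds; anything shorter than min_len is dropped.
    """
    by_src = defaultdict(list)
    for t, src, dst, _dport in events:
        by_src[src].append((t, int(ipaddress.ip_address(dst))))
    runs = defaultdict(list)
    for src, recs in by_src.items():
        recs.sort()
        cur = [recs[0]]
        for prev, rec in zip(recs, recs[1:]):
            contiguous = rec[1] in (prev[1], prev[1] + 1)
            if contiguous and rec[0] - prev[0] <= max_gap:
                cur.append(rec)
            else:
                _close_run(runs, src, cur, min_len)
                cur = [rec]
        _close_run(runs, src, cur, min_len)
    return dict(runs)


def period_seconds(runs):
    """Median spacing between a source's run starts (None with fewer than two runs)."""
    out = {}
    for src, rs in runs.items():
        starts = sorted(r["start"] for r in rs)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        out[src] = median(gaps) if gaps else None
    return out


def ports_per_source(events):
    out = defaultdict(set)
    for _t, src, _dst, dport in events:
        out[src].add(dport)
    return {src: sorted(p) for src, p in out.items()}


def make_sample():
    """Constructed events: one source sweeping the same 256 addresses on both
    139 and 445 every 9000 s (2.5 h), starting at 203.0.113.128 so that every
    sweep crosses into 203.0.114.0/24, plus an unrelated low-rate scanner."""
    events = []
    base = int(ipaddress.ip_address("203.0.113.128"))
    for k in range(3):
        t0 = k * 9000
        for i in range(256):
            dst = str(ipaddress.ip_address(base + i))
            for port in (139, 445):
                events.append((t0 + i * 0.5, "192.0.2.77", dst, port))
    for i, off in enumerate((10, 200, 30, 77, 150)):
        events.append((100 + i * 300, "192.0.2.9", str(ipaddress.ip_address(base + off)), 445))
    return events


if __name__ == "__main__":
    ev = make_sample()
    runs = sequential_runs(ev)
    for src, rs in runs.items():
        for r in rs:
            print(src, r)
    print("period (s):", period_seconds(runs))
    print("ports:", ports_per_source(ev))
```

Treating a repeat hit on the same host as part of the run is what lets a two-port scanner (139 and 445 per address) still show up as one contiguous sweep; without it every run would be broken into single addresses and the periodicity would be invisible.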
Experiences with Recent Worms
- Detected the advent of recent worms such as Sasser
- Thanks to the Active Sink, it is possible to distinguish existing worm traffic on commonly exploited ports such as port 445 from new worm activity

"The Internet Motion Sensor: A Distributed Blackhole Monitoring System"
The Internet Motion Sensor
- A globally scoped Internet monitoring system whose goal is to measure, characterize, and track a broad range of Internet threats
- Based on monitoring of unused (dark) address space
Difference from iSink
- Whereas iSink combines sensors of different measurement fidelities, the goal of IMS is global threat visibility rather than in-depth information on the specific mechanisms of a threat

Challenges
Sensor coverage
- IPv4 space is limited, and only a small number of large unused address blocks are available for instrumentation
- It has been shown that address blocks in different networks see different threat traffic
- Thus sensor size and topological location are both important components of sensor coverage
Service emulation
- If the sensors do not involve live hosts, which services should be emulated, and at what level?
- The number of services on the Internet today is immense, so there must be a tradeoff between emulation fidelity and service coverage
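The service-emulation tradeoff has a lowest-fidelity corner that is still far more useful than a passive sensor: answer on every port, complete the TCP handshake, read whatever the client volunteers, and hang up. That is the idea behind the lightweight responder the IMS paper describes. The block below is an added example in Python, not IMS or iSink code; it runs the client in a thread over loopback so the exchange is self-contained. A deployed responder would answer for a whole address block (behind a NAT or redirect in front of it) and keep far less per-connection state than a kernel socket; the timeouts and the sample payload are assumptions.

```python
"""Lowest-fidelity active responder: accept a TCP connection on behalf of a
dark address, finish the handshake, read the client's first bytes, close.
Added example, not IMS or iSink code; timeouts and payloads are constructed."""
import socket
import threading


def read_first_payload(conn, timeout=1.0, max_bytes=4096):
    """Read until the client closes, max_bytes arrive, or it goes quiet.
    A client that waits for a server banner (so sends nothing) yields b""."""
    conn.settimeout(timeout)
    data = b""
    try:
        while len(data) < max_bytes:
            chunk = conn.recv(max_bytes - len(data))
            if not chunk:
                break
            data += chunk
    except socket.timeout:
        pass                                  # keep whatever arrived before silence
    return data


def serve_once(listener, timeout=3.0):
    """Accept one connection; return (client_port, captured_payload)."""
    listener.settimeout(timeout)
    conn, peer = listener.accept()            # handshake done: SYN, SYN/ACK, ACK
    with conn:
        return peer[1], read_first_payload(conn)


def elicit(client_bytes, client_waits=False):
    """Run one responder/client exchange over loopback and return what the
    responder captured. client_waits=True models a client expecting a banner."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # free port standing in for a dark address
    listener.listen(1)
    port = listener.getsockname()[1]

    def client():
        with socket.create_connection(("127.0.0.1", port), timeout=3.0) as c:
            if client_waits:
                try:
                    c.recv(1)                 # blocks until the responder hangs up
                except socket.timeout:
                    pass
            else:
                c.sendall(client_bytes)

    worker = threading.Thread(target=client)
    worker.start()
    with listener:
        _peer_port, captured = serve_once(listener)
    worker.join()
    return captured


# Constructed NetBIOS-session-style prefix; not a real SMB request.
SAMPLE_REQUEST = b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00"

if __name__ == "__main__":
    print(elicit(SAMPLE_REQUEST))             # client-speaks-first protocol: payload captured
    print(elicit(b"", client_waits=True))     # server-speaks-first protocol: nothing captured
```

The empty result for a banner-waiting client is the practical limit of this corner of the tradeoff: for protocols where the server speaks first (SMTP, FTP, SSH) the responder has to emit at least a plausible banner before it will ever see a payload, which is why the iSink authors wrote dedicated SMTP, NetBIOS and SMB responders.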
Three Novel Components of IMS
- A distributed monitoring infrastructure: increases visibility into global threats
- A lightweight active responder: provides enough interactivity that traffic on the same service can be differentiated independently of application semantics
- A payload signature and caching mechanism: avoids recording duplicate payloads, reduces overhead, and assists in identifying new payloads

Distributed Blackhole Network
- Consists of a set of distributed blackhole sensors, each monitoring a dedicated range of unused IP address space
- Built from address blocks of various sizes
- Placed in a variety of topologically diverse locations
- The current distributed IMS deployment consists of 28 distinct address blocks at 18 physical installations

Packets Observed by a Collection of Sensors
- Different blackholes observe different magnitudes and types of traffic (slide chart not reproduced here)

Lightweight Responder
- Main responsibility: to elicit payloads for TCP connections, which requires completing the handshake the passive sensor would have ignored
- A Blaster example (slide chart not reproduced here)

Deployment
- Lightweight responders on all ports at every sensor, plus a data query engine to support distribution
- A portal server acts as a query aggregator, forwarding queries to each sensor and the responses back, and provides real-time views of threat traffic

Lightweight Responder: Differentiate Services
- Extraction and classification of a new threat on a highly trafficked service (slide chart not reproduced here)

Lightweight Responder: Service Agnostic
To enable insight into less popular services
- A management application that may not be widely deployed:
  The population deploying this service might only be several thousand hosts on the global Internet, and the obscurity of the service may mean it is unmonitored
- Many backdoor ports left by existing worms and viruses are less well-known services

MD5 Checksumming and Caching of Request Payloads
- When a blackhole sensor receives a packet with a payload, it first computes the MD5 checksum of the payload (without network headers) and compares it against the checksums of all the other payloads it has seen
- If the checksum, or signature, has already been recorded, the passive capture component logs the signature but does not store the payload
- If the signature is new, the payload is stored and the signature is added to the database of signatures seen
Advantages
- Provides roughly a factor of two in storage savings
- A simple, fast signature mechanism
- Caveat: MD5 serves here only as a content fingerprint for deduplication; collisions against MD5 are practical, so a signature is not tamper-proof evidence, and SHA-256 does the same job at little extra cost

Observations and Experiences
Internet Worms
- The 7-day period of observations surrounding the release of the Blaster worm shows a clear three-phase cycle
- The first phase is the growth phase, in which the number of scans increased from a baseline rate to hundreds of thousands per hour
- The second phase is the decay phase, in which the number of observed probes dropped as large-scale filtering was implemented to halt the worm's spread and cleanup started
- The third phase is the persistence phase, which for the Blaster worm continued through 2004
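The signature cache is small enough to write out in full. The block below is an added example in Python, not IMS code: every payload-bearing packet is logged by the hash of its payload (headers excluded), but the bytes are written only the first time a hash appears, and a per-port breakdown of distinct signatures shows how two threats on the same port are told apart without any protocol parsing. The payloads, sources and timestamps are constructed; the hash defaults to MD5 as in IMS, and any other hashlib name can be passed instead.

```python
"""Payload-signature cache modelled on the IMS passive capture component:
every payload-bearing packet is logged by its hash, but the bytes are stored
only the first time a hash is seen. Added example, not IMS code; the payloads
are constructed byte strings."""
import hashlib
from collections import Counter, defaultdict


class PayloadCache:
    def __init__(self, hash_name="md5"):
        self.hash_name = hash_name
        self.payloads = {}      # signature -> payload bytes, stored once
        self.log = []           # (timestamp, src, dport, signature) for every packet
        self.bytes_seen = 0
        self.bytes_stored = 0

    def signature(self, payload):
        # Hash the application payload only, never the headers, so the same
        # request from different sources or to different ports collapses to one key.
        return hashlib.new(self.hash_name, payload).hexdigest()

    def observe(self, ts, src, dport, payload):
        """Log the packet; keep its bytes only if the signature is new.
        Returns True for a never-before-seen payload."""
        sig = self.signature(payload)
        self.log.append((ts, src, dport, sig))
        self.bytes_seen += len(payload)
        is_new = sig not in self.payloads
        if is_new:
            self.payloads[sig] = payload
            self.bytes_stored += len(payload)
        return is_new

    def storage_savings(self):
        """Bytes that would have been written without dedup, per byte written."""
        return self.bytes_seen / self.bytes_stored if self.bytes_stored else 1.0

    def signatures_by_port(self):
        """Distinct payloads per destination port: two threats on the same port
        are told apart by signature without parsing the protocol."""
        per_port = defaultdict(Counter)
        for _ts, _src, dport, sig in self.log:
            per_port[dport][sig] += 1
        return {port: dict(c) for port, c in per_port.items()}


# Constructed payloads: two different requests to 445 and one HTTP probe.
PAYLOAD_A = b"\x00\x00\x00\x85\xffSMBr\x00" + b"A" * 40
PAYLOAD_B = b"\x00\x00\x00\x85\xffSMBr\x00" + b"B" * 40
PAYLOAD_C = b"GET / HTTP/1.0\r\n\r\n"


def run_sample(hash_name="md5"):
    """Feed nine constructed packets (4 x A, 2 x B, 3 x C) and return the cache."""
    cache = PayloadCache(hash_name)
    packets = (
        [(t, "192.0.2.%d" % (10 + t), 445, PAYLOAD_A) for t in range(4)]
        + [(t, "192.0.2.%d" % (20 + t), 445, PAYLOAD_B) for t in range(2)]
        + [(t, "192.0.2.%d" % (30 + t), 80, PAYLOAD_C) for t in range(3)]
    )
    for ts, src, dport, payload in packets:
        cache.observe(ts, src, dport, payload)
    return cache


if __name__ == "__main__":
    c = run_sample()
    print("unique payloads:", len(c.payloads), "of", len(c.log), "packets")
    print("storage savings: %.1fx" % c.storage_savings())
    print({port: len(sigs) for port, sigs in c.signatures_by_port().items()})
```

The return value of `observe` is the hook for alerting: a `True` on a port whose signature set has been stable for days is exactly the "new threat on a highly trafficked service" case from the slides.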
Scanning
- One artifact of more recent worms is that, after compromising a system, they commonly install backdoors on the infected host
- The IMS has the ability to respond as if these new services were running, allowing collection of the scan payload
- Starting on approximately March 20, 2004, IMS began tracking significant amounts of scanning on backdoor ports left by widespread variants of the Bagle and MyDoom mail-based worms

Distributed Denial of Service Attacks
- On December 10, 2003, shortly after 4 PM EST, a long-lived denial of service attack began against a single web server address of The SCO Group (www.sco.com)
- Because these attacks used spoofed source addresses, the IMS system was able to observe some of the backscatter from the attacks
- Denial of service attacks are an interesting demonstration of the utility of IMS and of the need for address diversity
- Because attacks may randomize their source addresses over the entire Internet, smaller swaths of address space may not be able to determine the scope and magnitude of an attack accurately: a /24 covers 2^-24 of the IPv4 space, roughly 0.000006% of uniformly spoofed backscatter, while a /8 covers 2^-8, about 0.4%
