Lecture - 5 31 Jan 2018 IDS IPS Honeypot PDF

The document discusses various topics related to computer network security including: 1) Different classes of intruders such as cyber criminals, activists, state-sponsored organizations, and others varying in their motivations and skill levels. 2) The behavior of intruders including steps like initial access, privilege escalation, information gathering, and covering tracks. 3) Examples of intrusion detection and prevention techniques like host-based IDS, network-based IDS, and how they work by monitoring systems, generating alerts, and reporting attacks but not replacing other security controls. 4) Key concepts around intrusion detection including the different types of IDS alerts and events of interest, and how intrusion detection


COMPUTER NETWORK SECURITY
UE15CS331
Lecture 05
31 Jan 2018

HONNAVALLI B Prasad
General rules of engagement

31 Jan 2018 HB Prasad @ PESU 2


INTRUDER BEHAVIOR, IDS, IPS, HONEYPOTS, SNORT

DOS / DDOS MITIGATION
Goal: identify packet source

Ultimate goal: block attack at the source


CAPTCHAs
■ Idea: verify that connection is from a human

■ Applies to application layer DDoS [Killbots ’05]


– During attack: generate CAPTCHAs and process request only if valid
solution
– Present one CAPTCHA per source IP address.

Ingress filtering (RFC 2827, 3704)

■ Big problem: DDoS with spoofed source IPs


■ Ingress filtering policy: ISP only forwards packets with legitimate source IP (see also SAVE protocol)
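The forwarding rule the slide describes, as an added example that is not part of the lecture: a customer-edge router forwards a packet only when its source address belongs to a prefix delegated to that customer, and drops everything else. Customer prefixes, the bogon list and the sample packets are constructed for the example (RFC 5737 documentation ranges).

```python
"""Ingress filtering (RFC 2827 / BCP 38) at an ISP customer edge (added example).

The router knows which prefixes the customer behind an interface legitimately
uses. A packet arriving on that interface with any other source address is
spoofed or misconfigured and is dropped rather than forwarded, so the customer
cannot take part in a spoofed-source flood. All data below are constructed.
"""
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed: prefixes delegated to one customer behind interface "cust-1".
CUSTOMER_PREFIXES: List[IPv4Net] = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/26"),   # only .0 - .63
]

# Addresses that are never valid Internet sources (RFC 1918 space, loopback,
# link-local, multicast, reserved). Assumed list for the example.
BOGONS: List[IPv4Net] = [ipaddress.ip_network(c) for c in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def ingress_permits(src_ip: str, allowed: List[IPv4Net] = CUSTOMER_PREFIXES) -> bool:
    """RFC 2827 decision for a packet arriving on a customer interface:
    True = forward, False = drop as spoofed."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in BOGONS):
        return False
    return any(ip in net for net in allowed)


def filter_batch(packets: List[Tuple[str, str]],
                 allowed: List[IPv4Net] = CUSTOMER_PREFIXES):
    """Split a batch of (src, dst) pairs into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if ingress_permits(src, allowed) else dropped).append((src, dst))
    return forwarded, dropped


# Constructed traffic seen on the customer interface; every packet targets the
# same victim, as in a flood with forged sources.
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("203.0.113.7", "192.0.2.80"),      # genuine customer address: forwarded
    ("198.51.100.9", "192.0.2.80"),     # inside 198.51.100.0/26: forwarded
    ("198.51.100.200", "192.0.2.80"),   # outside the /26: spoofed, dropped
    ("192.0.2.44", "192.0.2.80"),       # someone else's prefix: dropped
    ("10.1.2.3", "192.0.2.80"),         # RFC 1918 source: dropped
]

if __name__ == "__main__":
    fwd, drp = filter_batch(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:  ", drp)
```

The check only helps if the ISP closest to the spoofing host applies it, which is the deployment problem the next slide raises.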

Implementation problems
ALL ISPs must do this. Requires global trust.
– If 10% of ISPs do not implement ⇒ no defense
– No incentive for deployment

2017:
– 33% of Autonomous Systems are fully spoofable (spoofer.caida.org)
– 23% of announced IP address space is spoofable

Recall: 309 Gbps attack used only 3 networks (3/2013)



Traceback [Savage et al. ’00]

■ Goal:
– Given set of attack packets
– Determine path to source

■ How: change routers to record info in packets

■ Assumptions:
– Most routers remain uncompromised
– Attacker sends many packets
– Route from attacker to victim remains relatively stable
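A simulation of the marking scheme the slide summarizes, added here as an example (not from the lecture or from the paper's code): the node-sampling variant of probabilistic packet marking, in which each router overwrites one mark field with probability p and the victim orders routers by how often their mark survives. Edge sampling with a distance field is omitted, the topology and packet counts are constructed, and the router identifiers are placeholders.

```python
"""Probabilistic packet marking, node-sampling variant (after Savage et al. '00).

Every router on the attack path overwrites a single mark field in each packet
with its own identifier with probability p. A router d hops from the victim
keeps its mark only if no router nearer the victim overwrites it, so the
fraction of packets carrying its mark is p * (1 - p) ** (d - 1): the nearer
the router, the more often it is seen. Given enough attack packets the victim
sorts the marks by frequency and recovers the path. This is why the scheme
assumes many packets and a stable route; reflectors break it because the marks
then describe the reflector's path, not the attacker's. Data are constructed.
"""
import math
import random
from collections import Counter
from typing import List, Optional

# Constructed attack path, from the attacker's first hop (R1) to the router
# adjacent to the victim (R5). Identifiers are placeholders.
ATTACK_PATH: List[str] = ["R1", "R2", "R3", "R4", "R5"]


def mark_packet(path: List[str], p: float, rng: random.Random) -> Optional[str]:
    """Forward one packet along `path`; each router marks it with probability p."""
    mark = None
    for router in path:      # later (nearer-victim) routers overwrite earlier marks
        if rng.random() < p:
            mark = router
    return mark


def collect_marks(path: List[str], p: float, n_packets: int,
                  rng: random.Random) -> Counter:
    """What the victim sees: a histogram of the mark field over many packets."""
    marks: Counter = Counter()
    for _ in range(n_packets):
        m = mark_packet(path, p, rng)
        if m is not None:
            marks[m] += 1
    return marks


def reconstruct_path(marks: Counter) -> List[str]:
    """The most frequent mark belongs to the router nearest the victim;
    reverse the frequency order to get attacker-to-victim order."""
    nearest_first = [router for router, _ in marks.most_common()]
    return list(reversed(nearest_first))


def expected_fraction(distance_from_victim: int, p: float) -> float:
    """Fraction of packets expected to carry the mark of a router d hops away."""
    return p * (1 - p) ** (distance_from_victim - 1)


def packets_needed(path_len: int, p: float, samples: int = 10) -> int:
    """Attack packets needed before the farthest router is expected to appear
    `samples` times in the victim's histogram."""
    return math.ceil(samples / expected_fraction(path_len, p))


def simulate(n_packets: int = 20000, p: float = 0.5, seed: int = 1) -> List[str]:
    """Run the whole exchange with a fixed seed and return the recovered path."""
    marks = collect_marks(ATTACK_PATH, p, n_packets, random.Random(seed))
    return reconstruct_path(marks)


if __name__ == "__main__":
    print("recovered path:", simulate())
    print("packets needed for 5 hops at p=0.5:", packets_needed(5, 0.5))
```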

DoS Attack

■ Single Master
■ Many bots to generate flood
■ Zillions of reflectors to hide bots
– Kills traceback and pushback methods
Take home message:

■ Denial of Service attacks are real: must be considered at design time

■ Sad truth:
– Internet is ill-equipped to handle DDoS attacks
– Many commercial solutions: CloudFlare, Akamai, …

■ Many proposals for core redesign

BEHAVIOR OF CYBER
CRIMINALS / INTRUDERS



Classes of Intruders – Cyber Criminals

■ Individuals or members of an organized crime group with a goal of financial reward. Their activities may include:
– Identity theft
– Theft of financial credentials
– Corporate espionage
– Data theft
– Data ransoming
■ Typically they are young, often Eastern European, Russian, or southeast
Asian hackers, who do business on the Web
■ They meet in underground forums to trade tips and data and coordinate
attacks



Classes of Intruders – Activists
■ Are either individuals, usually working as insiders, or members of a
larger group of outsider attackers, who are motivated by social or
political causes
■ Also known as hacktivists
– Skill level is often quite low

■ Aim of their attacks is often to promote and publicize their cause, typically through:
– Website defacement
– Denial of service attacks
– Theft and distribution of data that results in negative publicity or compromise of
their targets



Classes of Intruders – State-Sponsored Organizations

■ Groups of hackers sponsored by governments to conduct espionage or sabotage activities
■ Also known as Advanced Persistent Threats (APTs) due to the covert nature and
persistence over extended periods involved with any attacks in this class
■ Widespread nature and scope of these activities by a wide range of countries
from China to the USA, UK, and their intelligence allies



Classes of Intruders – Others

■ Hackers with motivations other than those previously listed


■ Include classic hackers or crackers who are motivated by technical challenge or
by peer-group esteem and reputation
■ Many of those responsible for discovering new categories of buffer overflow
vulnerabilities could be regarded as members of this class
■ Given the wide availability of attack toolkits, there is a pool of “hobby hackers”
using them to explore system and network security



Intruder Skill Levels – Apprentice

■ Hackers with minimal technical skill who primarily use existing attack toolkits
■ They likely comprise the largest number of attackers, including many criminal and
activist attackers
■ Given their use of existing known tools, these attackers are the easiest to defend
against
■ Also known as “script-kiddies” due to their use of existing scripts (tools)



Intruder Skill Levels – Journeyman

■ Hackers with sufficient technical skills to modify and extend attack toolkits to use
newly discovered, or purchased, vulnerabilities
■ They may be able to locate new vulnerabilities to exploit that are similar to some
already known
■ Hackers with such skills are likely found in all intruder classes
■ Adapt tools for use by others



Intruder Skill Levels – Master

■ Hackers with high-level technical skills capable of discovering brand new categories of
vulnerabilities
■ Write new powerful attack toolkits
■ Some of the better known classical hackers are of this level
■ Some are employed by state-sponsored organizations
■ Defending against these attacks is of the highest difficulty



Examples of Intrusion
■ Remote root compromise
■ Web server defacement
■ Guessing/cracking passwords
■ Copying databases containing credit card numbers
■ Viewing sensitive data without authorization
■ Running a packet sniffer
■ Distributing pirated software
■ Using an unsecured modem to access internal network
■ Impersonating an executive to get information

■ Using an unattended workstation



Intruder Behavior

■ Target acquisition and information gathering
■ Initial access
■ Privilege escalation
■ Information gathering or system exploit
■ Maintaining access
■ Covering tracks



Examples of Intruder Behavior



Behavior profiles of Intruders and Authorised Users

[Figure 8.1 Profiles of Behavior of Intruders and Authorized Users: probability density function over a measurable behavior parameter, showing the profile of intruder behavior and the profile of authorized user behavior, the average behavior of each, and the overlap in observed or expected behavior.]
INTRUSION DETECTION AND PREVENTION
Guide to Computer Network Security
Intrusion

■ An intrusion is a deliberate unauthorized attempt, successful or not, to break into, access, manipulate, or misuse some valuable property, where the misuse may result in or render the property unreliable or unusable.

■ The person who intrudes is an intruder.



Intrusion Detection

§ Host-based
  § HIDS
§ Network-based
  § NIDS
§ Reports attacks against monitored systems/networks
§ Alarm system
§ Mature technology that has significant utilization
What IDS is NOT?

§ Not a replacement for the following:
  § Firewalls
  § Strong Policies
  § System Hardening
  § Timely Patching
  § Other DiD Techniques
§ Not a low maintenance tool
§ Not an inexpensive tool
§ Not a silver bullet
IDS in Action

§ Attacker used nmap to scan a host for open ports
§ Attacker managed to scan and find the open ports already
§ Victim used Wireshark that logged the attacker’s:
§ Activity
§ IP address
§ This IDS tool just presented data to an analyst to take action
§ Alerts can be helpful to stop further advance
IDS Alerts

§ Alerts are generated from Events of Interest (EOI)
§ Rules specify which events generate alerts
§ Four types of events:
§ True Positive
§ True Negative
§ False Positive
§ False Negative
§ Which one is the worst to have on your network?
§ Alerts can be: line on screen, beep, email, SMS, or phone call
Types of Intrusion
There are six types of intrusions:
■ Attempted break-ins, which are detected by atypical behavior profiles or
violations of security constraints.
– An intrusion detection system for this type is called anomaly-based IDS.
■ Masquerade attacks, which are detected by atypical behavior profiles or
violations of security constraints.
– These intrusions are also detected using anomaly-based IDS.
■ Penetrations of the security control system, which are detected by
monitoring for specific patterns of activity.
■ Leakage, which is detected by atypical use of system resources.
■ Denial of service, which is detected by atypical use of system resources.
■ Malicious use, which is detected by atypical behavior profiles, violations
of security constraints, or use of special privileges.
Intrusion Detection
■ Intrusion detection is a technique of detecting unauthorized access
to a computer system or a computer network.

■ An intrusion into a system is an attempt by an outsider to the system to illegally gain access to the system. Intrusion prevention, on the other hand, is the art of preventing an unauthorized access of a system’s resources.

■ The two processes are related in a sense that while intrusion detection passively detects system intrusions, intrusion prevention actively filters network traffic to prevent intrusion attempts.



Intrusion Detection Systems (IDS)
■ An intrusion detection system (IDS) is a system used to
detect unauthorized intrusions into computer systems
and networks. Intrusion detection as a technology is
not new, it has been used for generations to defend
valuable resources.
■ There are three models of intrusion detection mechanisms: anomaly-based detection, signature-based detection, and hybrid detection.



NIDS

§ Deployed as a passive sensor at network aggregation points
§ Captures traffic like a sniffer
§ Detects EOI on the network
§ Uses the analysis of
§ Signature
§ Anomaly
§ Application/protocol
Application/Protocol Analysis

§ IDS has understanding of the logic for a specific application or protocol
§ Any protocol activity that is not known as normal is flagged
§ Difficult to implement
§ Few protocol implementations are standard
§ Usually an exclusive detection method
NIDS Challenges

§ Deployment challenges including deployment and access limitations
§ Analyzing encrypted traffic
§ Quantity vs. quality of signatures
§ Performance limitations (Speed of Processing, and Size of Storage)
§ Very costly for proper management
Deep Vs Shallow Inspection

§ Shallow
§ Fast, but provides little fidelity
§ Examines header information, limited payload data

§ Deep
§ Slow, requires stateful tracking of data
§ Inspects all fields including variable length fields
NIDS Placement
NIDS Pros and Cons

§ PROS
§ Fairly easy to setup
§ Does not affect the speed of the network or add load to the systems it monitors
§ CONS
§ Sensors have limited speed
§ Almost impossible to detect attacks not in rule set
§ Very susceptible to “low” and “slow” attacks

§ NIDS is an important part of a robust perimeter defense


Signature Analysis

§ Rules indicate criteria in packet that represent EOI
§ Rules are applied to packets as they are received by the IDS
§ Alerts are created when matches are found
§ Protocol
§ IP address
§ port information
§ Payload contents
§ String matching
§ Traffic flow analysis
§ Flags in protocol headers
Anomaly Detection
■ Anomaly based systems are “learning” systems in a sense
that they work by continuously creating “norms” of activities.
■ These norms are then later used to detect anomalies that
might indicate an intrusion.
■ Anomaly detection compares observed activity against expected normal usage profiles that have been “learned”.
■ The profiles may be developed for users, groups of users,
applications, or system resource usage.
■ These are good candidates for applying ML/DL techniques.



Anomaly Analysis

§ Flags anomalous conditions in traffic on the network
§ Unexpected conditions are identified as suspicious
§ Requires understanding of what “normal” is
§ Usually based on good traffic as baseline for future analysis
§ Usually an inclusive detection method
Misuse Detection
■ The misuse detection concept assumes that each intrusive
activity is representable by a unique pattern or a signature so
that slight variations of the same activity produce a new
signature and therefore can also be detected.
■ Misuse detection systems are therefore commonly known as signature systems.
■ They work by looking for a specific signature on a system.
■ Identification engines perform well by monitoring these
patterns of known misuse of system resources.



Hybrid Detection

■ Because of the difficulties with both the anomaly-based and signature-based detections, a hybrid model is being developed.
■ Much research is now focusing on this hybrid
model.



Types of Intrusion Detection Systems
■ Intrusion detection systems are classified based on their monitoring
scope. There are:
– Network-based intrusion detection and
– Host-based detections.

■ Network-Based Intrusion Detection Systems (NIDS)
– NIDSs have the whole network as the monitoring scope.
– They monitor the traffic on the network to detect intrusions.
– They are responsible for detecting anomalous, inappropriate, or other data
that may be considered unauthorized and harmful occurring on a network.
– There are striking differences between NIDS and firewalls.



Host-Based Intrusion Detection Systems (HIDS)
■ Recent studies have shown that the problem of organization information misuse is not confined only to the “bad” outsiders but is more rampant within organizations.
– To tackle this problem, security experts have turned to inspection of systems within an
organization network.
– This local inspection of systems is called host-based intrusion detection systems (HIDS).
■ Host-based intrusion detection is the technique of detecting malicious activities
on a single computer.
■ A host-based intrusion detection system is therefore deployed on a single target
computer and it uses software that monitors operating system specific logs
including system, event, and security logs on Windows systems and syslog in
Unix environments to monitor sudden changes in these logs.
■ When a change is detected in any of these files, the HIDS compares the new log
entry with its configured attack signatures to see if there is a match.
■ If a match is detected then this signals the presence of an illegitimate activity.



The Hybrid Intrusion Detection System
■ Both NIDS and HIDS are each patrolling its own area of the network for
unwanted and illegal network traffic. They, however, complement each other.
■ Both bring to the security of the network their own strengths and weaknesses
that nicely complement and augment the security of the network.
■ Hybrids are new and need a great deal of support to gain on their two
cousins.
■ However, their success will depend to a great extent on how well the interface
receives and distributes the incidents and integrates the reporting structure
between the different types of sensors in the HIDS and NIDS spheres.
■ Also the interface should be able to smartly and intelligently gather and
report data from the network or systems being monitored.



The Changing Nature of IDS Tools
■ Recent studies have shown that the majority of system intrusions actually come from insiders.
■ So newer IDS tools are focusing on this issue and are being built to counter system intrusion; new attack patterns are being developed to take this human behavior unpredictability into account.
■ To keep abreast of all these changes, ID systems are changing constantly.
■ The primary focus of ID systems has been on a network as a unit where they
collect network packet data by watching network packet traffic and then
analyzing it based on network protocol patterns “norms,” “normal” network
traffic signatures, and network traffic anomalies built in the rule base.
■ But since networks are getting larger, traffic heavier, and local networks more
splintered, it is becoming more and more difficult for the ID system to “see” all
traffic on a switched network such as an Ethernet.
■ This is leading to new designs of IDS.



Other Types of Intrusion Detection Systems

■ Although NIDS and HIDS and their hybrids are the most
widely used tools in network intrusion detection, there are
others that are less used but more focused and, therefore,
more specialized.
■ Because many of these tools are so specialized, many are
still not considered as being intrusion detection systems
but rather intrusion detection add-ons or tools.



Other Types of Intrusion Detection Systems
■ System Integrity Verifiers (SIVs)
– Monitor critical files in a system, such as system files, to find whether an
intruder has changed them.
– They can also detect other system components’ data; for example, they
detect when a normal user somehow acquires root/administrator level
privileges.
– In addition, they also monitor system registries in order to find well known
signatures.

■ Log File Monitors (LFM)
– LFMs first create a record of log files generated by network services.
– Then they monitor this record, just like NIDS, looking for system trends,
tendencies, and patterns in the log files that would suggest an intruder is
attacking.



Response to System Intrusion
■ A good intrusion detection system alert should
produce a corresponding response.
■ A good response must consist of pre-planned
defensive measures that include an incident
response team and ways to collect IDS logs for
future use and for evidence when needed.



Incident Response Team

■ An incident response team (IRT) is a primary and centralized group of dedicated people charged with the responsibility of being the first contact team whenever an incident occurs. An IRT must have the following responsibilities:
– keeping up-to-date with the latest threats and incidents,
– being the main point of contact for incident reporting,
– notifying others whenever an incident occurs,
– assessing the damage and impact of every incident,
– finding out how to avoid exploitation of the same vulnerability, and
– recovering from the incident.



IDS Logs as Evidence

■ IDS logs can be kept as a way to protect the organization in case of
legal proceedings. If sensors to monitor the internal network are to be
deployed, verify that there is a published policy explicitly stating that
use of the network is consent to monitoring.



Challenges to Intrusion Detection Systems
■ There is an exciting future and challenges for IDS as the marriage
between it and artificial intelligence takes hold
■ Although there are also IDS challenges in many areas including in the
deployment of IDSes in switched environments.
■ Deploying IDS in Switched Environments
– Network-based IDS sensors must be deployed in areas where they can “see”
network traffic packets.
Ø However, in switched networks this is not possible because by their very nature, sensors in
switched networks are shielded from most of the network traffic.
Ø Sensors are allowed to “see” traffic only from specified components of the network.
– One way to handle this situation has traditionally been to attach a network
sensor to a mirror port on the switch.
Ø But port mirroring, in addition to putting an overhead on the port, gets unworkable when there is
an increase in traffic on that port because overloading one port with traffic from other ports
may cause the port to bulk and miss some traffic.



Other issues still limiting IDS technology are:
■ False alarms.
– Though the tools have come a long way, and are slowly gaining acceptance as they
gain widespread use, they still produce a significant number of both false positives and
negatives.
■ The technology is not yet ready to handle a large-scale attack.
– Because of its very nature it has to literally scan every packet, every contact point, and
every traffic pattern in the network. For larger networks and in a large-scale attack, it
is not possible that the technology can be relied on to keep working with acceptable
quality and grace.
■ Unless there is a breakthrough today, the technology in its current state
cannot handle very fast and large quantities of traffic efficiently.
■ Probably the biggest challenge is the IDS’s perceived and sometimes
exaggerated capabilities.
– The technology, while good, is not the cure of all computer network ills that it is
pumped up to be.
– It is just like any other good security tool.



Implementing an Intrusion Detection System
■ An effective IDS does not stand alone.
– It must be supported by a number of other systems.
■ Among the things to consider, in addition to the IDS, in setting up a
good IDS are:
– Operating Systems. A good operating system that has logging and auditing
features.
Ø Most of the modern operating systems including Windows, Unix, and other variants of Unix
have these features.
Ø These features can be used to monitor security critical resources.
– Services.
Ø All applications on servers such as Web servers, e-mail servers, and databases should
include logging/auditing features as well.
– Firewalls.
Ø A good firewall should have some network intrusion detection capabilities.
– Network management platform.
Ø Whenever network management services such as OpenView are used, make sure that they
do have tools to help in setting up alerts on suspicious activity.
Intrusion Detection System (IDS)

Comprises three logical components:
• Sensors - collect data
• Analyzers - determine if intrusion has occurred
• User interface - view output or control system behavior

■ Host-based IDS (HIDS)
– Monitors the characteristics of a single host for suspicious activity
■ Network-based IDS (NIDS)
– Monitors network traffic and analyzes network, transport, and application protocols to identify suspicious activity
■ Distributed or hybrid IDS
– Combines information from a number of sensors, often both host and network based, in a central analyzer that is able to better identify and respond to intrusion activity
IDS Requirements

■ Run continually
■ Be fault tolerant
■ Resist subversion
■ Impose a minimal overhead on system
■ Configured according to system security policies
■ Adapt to changes in systems and users
■ Scale to monitor large numbers of systems
■ Provide graceful degradation of service
■ Allow dynamic reconfiguration
Analysis Approaches

Anomaly detection
■ Involves the collection of data relating to the behavior of legitimate users over a period of time
■ Current observed behavior is analyzed to determine whether this behavior is that of a legitimate user or that of an intruder

Signature/Heuristic detection
■ Uses a set of known malicious data patterns or attack rules that are compared with current behavior
■ Also known as misuse detection
■ Can only identify known attacks for which it has patterns or rules

Anomaly Detection

A variety of classification approaches are used:
• Statistical: analysis of the observed behavior using univariate, multivariate, or time-series models of observed metrics
• Knowledge based: approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior
• Machine-learning: approaches automatically determine a suitable classification model from the training data using data mining techniques
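The statistical approach listed above, worked through as an added example (not the lecture's code) that also covers the earlier Anomaly Detection and Anomaly Analysis slides, the four alert outcomes from the IDS Alerts slide, and the profile overlap of Figure 8.1: a per-user baseline is "learned" from a benign training window, observations are scored by z-score against it, and the alerts are tallied as TP/TN/FP/FN at two thresholds. Users, counts and ground-truth labels are constructed.

```python
"""Univariate statistical anomaly detection with a learned per-user baseline,
plus scoring of the alerts it raises as true/false positives and negatives.

Baseline ("learned" profile): mean and standard deviation of one measurable
behavior parameter per user, here failed logins per hour, taken from a training
window believed to contain only legitimate activity. Detection: an observation
whose z-score against its user's profile exceeds a threshold is flagged.
Because intruder and legitimate profiles overlap, raising the threshold trades
false positives for false negatives. All data below are constructed.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed training window: 12 hourly samples per user, assumed benign.
TRAINING: Dict[str, List[int]] = {
    "alice": [0, 1, 0, 2, 1, 0, 1, 1, 0, 2, 1, 0],
    "bob":   [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4],   # bob habitually mistypes
}

# Constructed observations: (user, failed logins in the hour, ground truth
# "was this hour an intrusion?"), used afterwards to score the detector.
OBSERVED: List[Tuple[str, int, bool]] = [
    ("alice", 1, False), ("alice", 6, True), ("alice", 3, False),
    ("alice", 9, True),  ("alice", 4, True),
    ("bob", 4, False),   ("bob", 7, False),  ("bob", 12, True), ("bob", 5, False),
]

Profile = Tuple[float, float]   # (mean, standard deviation)


def learn_profiles(training: Dict[str, List[int]]) -> Dict[str, Profile]:
    """Per-user statistical model. The stdev is floored so a user with a
    perfectly constant history does not turn every deviation into infinity."""
    return {user: (mean(v), max(pstdev(v), 0.5)) for user, v in training.items()}


def z_score(profiles: Dict[str, Profile], user: str, value: float) -> float:
    mu, sigma = profiles[user]
    return (value - mu) / sigma


def is_anomalous(profiles: Dict[str, Profile], user: str, value: float,
                 threshold: float) -> bool:
    """One-sided test: only an excess of failed logins is suspicious here."""
    return z_score(profiles, user, value) > threshold


def evaluate(profiles: Dict[str, Profile], observed: List[Tuple[str, int, bool]],
             threshold: float) -> Dict[str, int]:
    """Count the four alert outcomes for one threshold."""
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for user, value, intrusion in observed:
        alert = is_anomalous(profiles, user, value, threshold)
        key = ("T" if alert == intrusion else "F") + ("P" if alert else "N")
        counts[key] += 1
    return counts


def threshold_sweep(profiles, observed, thresholds) -> Dict[float, Dict[str, int]]:
    """Each threshold lands at a different point on the FP/FN trade-off."""
    return {t: evaluate(profiles, observed, t) for t in thresholds}


if __name__ == "__main__":
    profiles = learn_profiles(TRAINING)
    for user, (mu, sigma) in profiles.items():
        print(f"{user}: mean={mu:.2f} stdev={sigma:.2f}")
    for t, counts in threshold_sweep(profiles, OBSERVED, [3.0, 5.0]).items():
        print(f"threshold z>{t}: {counts}")
```

At z>3 the detector catches every intrusion but raises two false alarms on alice's and bob's noisier-than-usual hours; at z>5 the false alarms vanish and one quieter intrusion is missed, the false negative the IDS Alerts slide asks about.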



Signature or Heuristic Detection

Signature approaches
■ Match a large collection of known patterns of malicious data against data stored on a system or in transit over a network
■ The signatures need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data
■ Widely used in anti-virus products, network traffic scanning proxies, and in NIDS

Rule-based heuristic identification
■ Involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses
■ Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage
■ Typically rules used are specific
■ SNORT is an example of a rule-based NIDS
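A minimal rule engine in the style of Snort, added as an example (not Snort's own code or rule set) for this slide and for the earlier Signature Analysis slide: each rule lists the packet criteria the slide names (protocol, IP address, port, payload content with string matching, header flags), every rule is applied to each packet as it arrives, and a match produces an alert. The monitored network, rule SIDs, packets and payloads are constructed; the last sample packet shows the blind spot of a rule set that has no signature for it.

```python
"""Signature analysis: a minimal Snort-style rule engine (added example).

A rule gives the criteria a packet must satisfy: protocol, source and
destination address (CIDR, "any", or "!CIDR" for negation), destination port,
an exact TCP flag set and a payload content string. The engine applies every
rule to each packet in arrival order and emits one alert per match.
Rules, SIDs, addresses and packets are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""         # TCP flag letters, e.g. "S" (SYN), "PA" (PSH+ACK)
    payload: bytes = b""


@dataclass
class Rule:
    sid: int
    msg: str
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    flags: Optional[str] = None        # exact flag set required, if given
    content: Optional[bytes] = None    # substring that must appear in payload
    nocase: bool = False               # case-insensitive content match


def addr_matches(spec: str, ip: str) -> bool:
    """CIDR membership test with Snort-like "any" and leading "!" negation."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion present in the rule must hold for the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.flags is not None and set(rule.flags) != set(pkt.flags):
        return False
    if rule.content is not None:
        hay, needle = pkt.payload, rule.content
        if rule.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def inspect(packets: List[Packet], rules: List[Rule]) -> List[Dict]:
    """Apply all rules to each packet as received; one alert per match."""
    alerts = []
    for idx, pkt in enumerate(packets):
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append({"packet": idx, "sid": rule.sid, "msg": rule.msg,
                               "src": pkt.src, "dst": pkt.dst})
    return alerts


INTERNAL = "192.0.2.0/24"   # constructed: the monitored network

RULES: List[Rule] = [
    Rule(1000001, "Telnet connection attempt from outside", proto="tcp",
         src="!" + INTERNAL, dst=INTERNAL, dport=23, flags="S"),
    Rule(1000002, "HTTP request naming /etc/passwd", proto="tcp",
         dst=INTERNAL, dport=80, content=b"/etc/passwd", nocase=True),
    Rule(1000003, "ICMP from outside", proto="icmp", src="!" + INTERNAL, dst=INTERNAL),
]

SAMPLE_PACKETS: List[Packet] = [
    Packet("tcp", "198.51.100.5", "192.0.2.10", 40000, 23, "S"),          # alert
    Packet("tcp", "192.0.2.5", "192.0.2.10", 40001, 23, "S"),             # internal admin
    Packet("tcp", "198.51.100.5", "192.0.2.80", 40002, 80, "PA",
           b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),               # benign
    Packet("tcp", "198.51.100.5", "192.0.2.80", 40003, 80, "PA",
           b"GET /cgi-bin/view?file=/ETC/PASSWD HTTP/1.1\r\n\r\n"),         # alert (nocase)
    Packet("tcp", "198.51.100.5", "192.0.2.80", 40004, 80, "PA",
           b"GET /cgi-bin/view?file=/etc/shadow HTTP/1.1\r\n\r\n"),         # no rule: missed
]


def run_sample() -> List[Dict]:
    return inspect(SAMPLE_PACKETS, RULES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```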


Host-Based Intrusion Detection (HIDS)

■ Adds a specialized layer of security software to vulnerable or sensitive systems
■ Can use either anomaly or signature and heuristic
approaches
■ Monitors activity to detect suspicious behavior
– Primary purpose is to detect intrusions, log suspicious events, and
send alerts
– Can detect both external and internal intrusions



Data Sources and Sensors

A fundamental component of intrusion detection is the sensor that collects data. Common data sources include:
• System call traces
• Audit (log file) records
• File integrity checksums
• Registry access



Network-Based IDS (NIDS)

■ Monitors traffic at selected points on a network
■ Examines traffic packet by packet in real or close to real time
■ May examine network, transport, and/or application-level protocol activity
■ Comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface
■ Analysis of traffic patterns may be done at the sensor, the management server or a combination of the two



Passive NIDS Sensor

[Figure: a passive NIDS sensor taps the network traffic through a monitoring interface (no IP address, promiscuous mode) and is administered through a separate management interface (with IP address).]



Example of NIDS Sensor Deployment

[Figure: Internet, external firewall, service network (Web, Mail, DNS, etc.), internal firewall, internal server and data resource networks, and workstation networks, joined by LAN switches or routers; candidate NIDS sensor locations are numbered 1 to 4.]



Intrusion Detection Techniques

Attacks suitable for signature detection
■ Application layer reconnaissance and attacks
■ Transport layer reconnaissance and attacks
■ Network layer reconnaissance and attacks
■ Unexpected application services
■ Policy violations

Attacks suitable for anomaly detection
■ Denial-of-service (DoS) attacks
■ Scanning
■ Worms



Stateful Protocol Analysis (SPA)

■ Subset of anomaly detection that compares observed network traffic against predetermined universal vendor supplied profiles of benign protocol traffic
– This distinguishes it from anomaly techniques trained with
organization specific traffic protocols
• Understands and tracks network, transport, and application
protocol states to ensure they progress as expected
■ A key disadvantage is the high resource use it
requires



Logging of Alerts

■ Typical information logged by a NIDS sensor includes:
– Timestamp
– Connection or session ID
– Event or alert type
– Rating
– Network, transport, and application layer protocols
– Source and destination IP addresses
– Source and destination TCP or UDP ports, or ICMP types and codes
– Number of bytes transmitted over the connection
– Decoded payload data, such as application requests and responses
– State-related information



HONEY POT



What is a Honey Pot?

■ Host trap
– Run real services on a sacrificial computer or simulated
instrumented services
■ Network trap
– The intruder thinks they found a vulnerable organization
■ A decoy - if a machine becomes hot for attackers
– Change the IP address and name
– Put in a honeypot
■ DNS, Mail, Web servers make great honeypots on their unused ports



Honeypots

■ A honeypot is a system designed to look like something that an intruder can hack.
■ They are built for many purposes but the overriding purpose is to deceive attackers
and learn about their tools and methods.
■ Honeypots are also add-on/tools that are not strictly sniffer-based intrusion
detection systems like HIDS and NIDS.
■ However, they are good deception systems that protect the network in much the
same way as HIDS and NIDS.
■ Since the goal for a honeypot is to deceive intruders and learn from them without
compromising the security of the network, then it is important to find a strategic
place for the honeypot.
– In the DMZ for those networks with DMZs or
– behind the network firewall if the private network does not have a DMZ.



When To USE Honey Pot?



Why Honey Pots?

■ Name servers, mail servers, and web servers attract the most fire
on the Internet
■ What if they had their non-service ports instrumented (monitored)?
■ The end result could be to slow down the pace of attacks and
increase arrests
■ Honeypot is an advanced technique
■ Do everything else first before it
■ Best way to capture new worms for analysis
■ Risk of having attacker use a Honeypot if they break the controls



Honey Pot Products

■ DTK (Deception Toolkit)

■ Symantec Decoy Server (previously ManTrap)

■ Honeynet

■ Honeyd



Honeypots
■ Decoy systems designed to:
– Lure a potential attacker away from critical systems
– Collect information about the attacker’s activity
– Encourage the attacker to stay on the system long enough for administrators to
respond
■ Systems are filled with fabricated information that a legitimate user of
the system wouldn’t access
– Resources that have no production value
– Therefore incoming communication is most likely a probe, scan, or attack
– Initiated outbound communication suggests that the system has probably been
compromised



Honeypot Classifications
■ Low interaction honeypot
– Consists of a software package that emulates particular IT services or systems well enough to
provide a realistic initial interaction, but does not execute a full version of those services or
systems
– Provides a less realistic target
– Often sufficient for use as a component of a distributed IDS to warn of imminent attack
■ High interaction honeypot
– A real system, with a full operating system, services and applications, which are instrumented
and deployed where they can be accessed by attackers
– Is a more realistic target that may occupy an attacker for an extended period
– However, it requires significantly more resources
– If compromised could be used to initiate attacks on other systems
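
The "instrumented non-service port" idea from Why Honey Pots? and the low interaction class above, as an added example that is not part of the lecture: a Python listener that emulates a mail banner on an otherwise unused port, logs the peer and the first bytes it sends, and treats every contact as a probe because the port has no production value. The banner text, 4 KiB read limit, 2 s timeout and the loopback self-test in demo() are assumptions.

```python
import socket
import threading
from datetime import datetime, timezone

# Added example, not the lecture's code: a low-interaction honeypot that listens
# on a port carrying no production service, answers with a fake banner for a
# realistic first interaction, records what the peer sends, then closes.
# Banner text, read limit and timeout are illustrative assumptions.
FAKE_BANNER = b"220 mail.example.internal ESMTP ready\r\n"
MAX_READ = 4096
READ_TIMEOUT = 2.0


def handle_probe(conn, peer, events):
    conn.settimeout(READ_TIMEOUT)
    try:
        conn.sendall(FAKE_BANNER)  # emulate the service; never execute input
        data = conn.recv(MAX_READ)
    except socket.timeout:
        data = b""                 # bare connect (port scan) with no payload
    finally:
        conn.close()
    events.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "verdict": "probe",        # no production value => inbound is suspect
        "payload": data[:64].decode("latin-1"),
    })


def demo(request=b"EHLO scanner\r\n"):
    """Self-test on loopback: an in-process client plays the probing host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))     # ephemeral port; nothing real listens here
    srv.listen(1)
    port = srv.getsockname()[1]
    events = []

    def client():
        with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
            c.recv(len(FAKE_BANNER))  # consume the banner like a real client
            c.sendall(request)

    t = threading.Thread(target=client)
    t.start()
    conn, peer = srv.accept()
    handle_probe(conn, peer, events)
    t.join()
    srv.close()
    return events
```

In a real deployment the event records would be forwarded to the IDS or SIEM; a bare connect with no payload still produces an event, since on this port even a port scan is of interest.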



Honey Pot Deployment

[Figure 8.8 Example Honeypot Deployment: diagram with the labels Internet, external firewall or router, LAN switch or router, service network (Web, Mail, DNS, etc.) and internal network; a honeypot is shown at three candidate locations]

INTRUSION PREVENTION



What is IPS?

§ IPS stops attacks on systems and networks from being effective
§ NIPS and HIPS
§ Technology more recent than IDS
§ Rapidly maturing


Intrusion Prevention Systems (IPSs)
■ Although IDS have been one of the cornerstones of network
security, they have covered only one component of the total
network security picture
– They are a passive component which only detects and reports without
preventing.
■ A promising new model of intrusion handling is developing and picking up
momentum: the intrusion prevention system (IPS), whose purpose is to
prevent attacks.
■ Like their counterparts the IDS, IPS fall into two categories:
network-based and host-based.



Intrusion Prevention Systems - (IPS)
■ Also known as Intrusion Detection and Prevention System (IDPS)
■ Is an extension of an IDS that includes the capability to attempt to
block or prevent detected malicious activity
■ Can be host-based, network-based, or distributed/hybrid
■ Can use anomaly detection to identify behavior that is not that of
legitimate users, or signature/heuristic detection to identify known
malicious behavior
■ Can block traffic as a firewall does, but makes use of the types of
algorithms developed for IDSs to determine when to do so



Network-Based Intrusion Prevention Systems (NIPSs)

■ Because NIDSs passively detect intrusions into the network without
preventing them from entering, many organizations in recent times
have been bundling IDS and firewalls to create a model that can detect and
then prevent.
■ The bundle works as follows:
– The IDS fronts the network with a firewall behind it.
– On the detection of an attack, the IDS then goes into prevention mode by altering the
access control rules on the firewall.
– The action may result in the attack being blocked based on all the access control regimes
administered by the firewall.
– The IDS can also effect prevention through TCP resets:
Ø TCP utilizes the RST (reset) bit in the TCP header for resetting a TCP connection, usually sent in
response to a request for a non-existent connection.
– But this kind of bundling is both expensive and complex, especially for an untrained security team.
– It suffers from latency:
Ø the time it takes for the IDS to either modify the firewall rules or issue a TCP reset command. This
period of time is critical to the success of an attack.



Host-Based Intrusion Prevention Systems (HIPS)

■ Most HIPSs work by sand-boxing, a process of restricting the
definition of acceptable behavior rules used on HIPSs.
■ HIPS prevention occurs at the agent residing at the host. The agent
intercepts system calls or system messages by utilizing dynamic
link library (DLL) substitution.
■ The substitution is accomplished by injecting existing system DLLs
with vendor stub DLLs that perform the interception.



Host-Based IPS - (HIPS)
■ Can make use of either signature/heuristic or anomaly detection
techniques to identify attacks
– Signature: focus is on the specific content of application network traffic, or of
sequences of system calls, looking for patterns that have been identified as
malicious
– Anomaly: IPS is looking for behavior patterns that indicate malware
■ Examples of the types of malicious behavior addressed by a HIPS
include:
– Modification of system resources
– Privilege-escalation exploits
– Buffer-overflow exploits
– Access to e-mail contact list
– Directory traversal

HIPS
■ Capability can be tailored to the specific platform
■ A set of general purpose tools may be used for a desktop or server system
■ Some packages are designed to protect specific types of servers, such as Web
servers and database servers
– In this case the HIPS looks for particular application attacks
■ Can use a sandbox approach
– Sandboxes are especially suited to mobile code such as Java applets and scripting languages
– HIPS quarantines such code in an isolated system area then runs the code and monitors its
behavior
■ Areas for which a HIPS typically offers desktop protection:
– System calls
– File system access
– System registry settings
– Host input/output



The Role of HIPS
■ Many industry observers see the enterprise endpoint, including
desktop and laptop systems, as now the main target for hackers and
criminals
– Thus security vendors are focusing more on developing endpoint security
products
– Traditionally, endpoint security has been provided by a collection of distinct
products, such as antivirus, antispyware, antispam, and personal firewalls
■ Approach is an effort to provide an integrated, single-product suite of
functions
– Advantages of the integrated HIPS approach are that the various tools work
closely together, threat prevention is more comprehensive, and management
is easier
■ A prudent approach is to use HIPS as one element in a defense-in-
depth strategy that involves network-level devices, such as either
firewalls or network-based IPSs

Network-Based IPS - (NIPS)
■ Inline NIDS with the authority to modify or discard packets and tear
down TCP connections
■ Makes use of signature/heuristic detection and anomaly detection
■ May provide flow data protection
– Requires that the application payload in a sequence of packets be
reassembled
■ Methods used to identify malicious packets:
– Pattern matching
– Stateful matching
– Protocol anomaly
– Traffic anomaly
– Statistical anomaly



Digital Immune System
■ Comprehensive defense against malicious behavior caused by
malware
■ Developed by IBM and refined by Symantec
■ Motivation for this development includes the rising threat of Internet-
based malware, the increasing speed of its propagation provided by
the Internet, and the need to acquire a global view of the situation
■ Success depends on the ability of the malware analysis system to
detect new and innovative malware strains



NIPS challenges

§ False positives
§ May support only a limited suite of network applications
§ Requires more system resources
§ Can you afford false positives?
§ Keeping up with traffic demands
§ Tend to have a less expensive rule base


NIPS Recommendations

§ Learning Mode
§ IPS should support the network learning mode to learn more about “normal”
§ Traffic
§ Topology
§ Architecture
§ Trained analysts
§ Not a replacement for firewalls


IPS Products

§ IDS Plus Something
§ Firewall Plus Something
§ Antivirus Plus Something
§ An Extra Widget


Snort

§ Low cost
§ Light weight
§ Suitable for monitoring multiple
§ Sites
§ Sensors
§ Low false alarm rate
§ Low effort for reporting


Snort Capture


Snort Architecture

[Figure 8.9 Snort Architecture: diagram with the components Packet Decoder, Detection Engine, Log and Alert]



Snort Rule Formats

(a) Rule Header: Action | Protocol | Source IP address | Source Port | Direction | Dest IP address | Dest Port

(b) Options: Option Keyword | Option Arguments (• • • repeated for each option)

Figure 8.10 Snort Rule Formats



Basic Snort Rule

§ Rule :
§ alert tcp any any -> 192.168.1.0/24 80 (msg: "Inbound HTTP Traffic"; )

§ Output:
§ [**] [1:0:0] Inbound HTTP Traffic [**] 09/02-13:03:22.734392 192.168.1.104:1460 ->
192.168.1.103:80 TCP TTL:128 TOS:0x0 ID:28581 IpLen:20 DgmLen:48 DF ******S*
Seq: 0x2550D716 Ack: 0x0 Win: 0x4000 TcpLen: 28 TCP Options (4) => MSS: 1460 NOP
NOP SackOK

Advanced Snort Rule

§ Rule:
§ alert tcp any any -> 192.168.1.0/24 80 (content: "/cgibin/test.cgi"; msg: "Attempted CGI-BIN Access!!";)
§ Output :
§ [**] [1:0:0] Attempted CGI-BIN Access!! [**] 09/02-13:18:30.550445
192.168.1.104:1472 -> 192.168.1.103:80 TCP TTL:128 TOS:0x0 ID:29951 IpLen:20
DgmLen:466 DF ***AP*** Seq: 0x32D8E9C1 Ack: 0xB427699E Win: 0x4470
TcpLen:20
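
A minimal matcher for the two rules above, added here as an illustration and not Snort's own code: it parses the rule header and quoted options of Figure 8.10, tests the header against constructed packets, and reassembles TCP segments so that a content string split across two segments is still found, as the flow data protection mentioned under NIPS requires. The Packet model, the sequence numbers and the restriction to the `->` direction are assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    # Constructed packet model (not a pcap record): just the fields a rule tests.
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    seq: int = 0

def parse_rule(text):
    """Split a rule into the header fields of Figure 8.10 and its quoted options."""
    head, _, opts = text.partition("(")
    action, proto, src, sport, arrow, dst, dport = head.split()
    if arrow != "->":
        raise ValueError("only the unidirectional '->' form is handled here")
    options = dict(re.findall(r'(\w+)\s*:\s*"([^"]*)"', opts))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": options}

def _addr_ok(spec, ip):
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def header_matches(rule, pkt):
    return (rule["proto"] == pkt.proto
            and _addr_ok(rule["src"], pkt.src) and _port_ok(rule["sport"], pkt.sport)
            and _addr_ok(rule["dst"], pkt.dst) and _port_ok(rule["dport"], pkt.dport))

def reassemble(segments):
    """Join TCP segment payloads in sequence order (overlaps and gaps not handled)."""
    return b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))

def match(rule, pkt, stream=None):
    """Return the rule's msg if it fires on pkt, searching `stream` if given."""
    if not header_matches(rule, pkt):
        return None
    content = rule["opts"].get("content")
    data = pkt.payload if stream is None else stream   # per-packet vs. reassembled
    if content and content.encode() not in data:
        return None
    return rule["opts"].get("msg", "")
```

Run per packet, the CGI rule misses a request whose path straddles a segment boundary; run on the reassembled stream it fires, which is why an inline NIPS must reassemble before content inspection.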

Snort Rule Actions

Action   Description
alert    Generate an alert using the selected alert method, and then log the packet.
log      Log the packet.
pass     Ignore the packet.
activate Alert and then turn on another dynamic rule.
dynamic  Remain idle until activated by an activate rule, then act as a log rule.
drop     Make iptables drop the packet and log the packet.
reject   Make iptables drop the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.
sdrop    Make iptables drop the packet but does not log it.



Examples of Snort Rule Options

(Table can be found on page 299 in textbook.)



Snort Inline
■ Enables Snort to function as an intrusion prevention system
■ Includes a replace option which allows the Snort user to modify
packets rather than drop them
– Useful for a honeypot implementation
– Attackers see the failure but cannot figure out why it occurred

Drop: Snort rejects a packet based on the options defined in the rule and logs the result
Reject: Packet is rejected and the result is logged, and an error message is returned
Sdrop: Packet is rejected but not logged

Summary
■ Intruders
– Intruder behavior
■ Intrusion detection
– Basic principles
– The base-rate fallacy
– Requirements
– Analysis approaches
– Host-based
– Network-based
■ Honeypots
■ Intrusion Prevention
– Host Based
– Network Based
■ Snort rules
THANK YOU
