HOST BASED INTRUSION DETECTION SYSTEMS
Monitors the characteristics of a single host and the events occurring within that host, such as process identifiers and the system calls they make, for evidence of suspicious activity
Data sources and Sensors
Adds a specialized layer of security software to vulnerable or sensitive systems, like database servers and administrative systems.
Monitors activity to detect suspicious behavior
– primary purpose is to detect intrusions, log suspicious events, and send alerts
– can detect both external and internal
SYSTEM CALL TRACES
A record of the sequence of system calls made by processes on a system is the preferred data source for HIDS.
These work well on Unix and Linux systems, but not on Windows systems, due to DLLs (Dynamic Link Libraries) that obscure which processes use specific system calls.
AUDIT (LOG FILE) RECORDS
Native audit records
Most operating systems include accounting software that collects information on user activity.
• Advantage: no additional collection software is needed.
• Disadvantage: the records may not contain the needed information or may not contain it in a convenient form, and intruders may attempt to manipulate these records to hide their actions.
Detection-specific audit records
A collection facility that generates records containing only the information required by the IDS.
• Advantage: it could be made vendor independent and ported to a variety of systems.
• Disadvantage: the extra overhead of having, in effect, two accounting packages running on a machine.
Periodically scan critical files for changes from the desired baseline, by comparing current cryptographic checksums for these files with a record of known good values.
Disadvantage - need to generate and protect the checksums.
The Tripwire system uses this approach.
Used on Windows systems.
Monitors access to the registry.
Disadvantage - Windows specific and limited success.
and LINUX systems
The majority of work on anomaly-based HIDS has been done on these systems.
Earlier work used audit records, but now the majority is based on system call traces.
System call traces provide detailed information on process activity that can be used to classify it as normal or anomalous.
These are then analyzed by a suitable decision engine, which may be based on STIDE, Hidden Markov Models, Artificial Neural Networks, Support Vector Machines or Extreme Learning Machines.
Consider normal/expected behavior over a period of time and then apply statistical tests to detect an intruder.
STIDE (Sequence Time Delay Embedding)
Compares the observed sequence of system calls with the sequences from the training phase to obtain a mismatch ratio that determines whether the sequence is normal or not.
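An added example (not part of the original presentation) of the STIDE comparison described above: sliding windows from known-normal traces form the training database, and the mismatch ratio is the fraction of a new trace's windows that are absent from it. The window length K, the THRESHOLD and all traces are constructed assumptions.

```python
from typing import Iterable, List, Sequence, Set, Tuple

Window = Tuple[str, ...]

def windows(trace: Sequence[str], k: int) -> List[Window]:
    """All length-k sliding windows over one system call trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def train(normal_traces: Iterable[Sequence[str]], k: int) -> Set[Window]:
    """Training phase: remember every window seen in known-normal traces."""
    db: Set[Window] = set()
    for trace in normal_traces:
        db.update(windows(trace, k))
    return db

def mismatch_ratio(trace: Sequence[str], db: Set[Window], k: int) -> float:
    """Fraction of the trace's windows that never occurred during training."""
    seen = windows(trace, k)
    if not seen:  # trace shorter than k: nothing to compare
        return 0.0
    return sum(1 for w in seen if w not in db) / len(seen)

def is_anomalous(trace, db, k, threshold) -> bool:
    """Flag the trace when its mismatch ratio exceeds the threshold."""
    return mismatch_ratio(trace, db, k) > threshold

# Constructed sample data (not real captures); K and THRESHOLD are assumed values.
K, THRESHOLD = 3, 0.2
NORMAL_TRACES = [
    ["open", "read", "mmap", "read", "close"],
    ["open", "read", "write", "close"],
]
DB = train(NORMAL_TRACES, K)
BENIGN = ["open", "read", "write", "close"]
SUSPECT = ["open", "read", "mmap", "execve", "socket", "connect"]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN), ("suspect", SUSPECT)):
        ratio = mismatch_ratio(trace, DB, K)
        print(f"{name}: ratio={ratio:.2f} anomalous={is_anomalous(trace, DB, K, THRESHOLD)}")
```

Only one of the four windows in the suspect trace was seen in training, so it is flagged; a production engine would train on far more traces and tune both values per program.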
Windows systems traditionally did not use anomaly-based HIDS because of DLLs. Some work was done using audit log entries and registry file updates, but it wasn't successful.
New approach - using traces of key DLL functions.
Advantage - this should lead to an effective Windows HIDS, capable of detecting zero-day attacks.
Disadvantage - imposes a moderate load on the monitored system to gather and classify this data.
Approach - look for changes to important files on the monitored host by using cryptographic checksums.
Program binaries, scripts and configuration files are monitored, either on each access or on a periodic scan of the file system.
Available for Linux, Mac OSX and Windows.
Advantage - sensitive to changes in monitored files, as a result of intruder activity or for any other reason.
Disadvantage - cannot detect changes made to processes once they are running on the system.
Other difficulties - deciding which files to monitor; having access to a known good copy to establish the baseline value; and protecting the database of file signatures.
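An added example (not from the original presentation and not Tripwire's own code) covering both the file integrity checksum data source and the approach above: a SHA-256 baseline is sealed with an HMAC, so a rewritten signature database is rejected rather than trusted. The file names, contents and key are constructed placeholders.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def file_digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def _mac(digests, key):
    blob = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def build_baseline(paths, key):
    """Record known-good checksums and seal the record with an HMAC."""
    digests = {str(p): file_digest(p) for p in paths}
    return {"digests": digests, "mac": _mac(digests, key)}

def scan(baseline, key):
    """Return {path: 'missing' | 'modified'}; reject a tampered baseline."""
    if not hmac.compare_digest(_mac(baseline["digests"], key), baseline["mac"]):
        raise ValueError("baseline database failed its integrity check")
    findings = {}
    for path, good in baseline["digests"].items():
        if not Path(path).exists():
            findings[path] = "missing"
        elif file_digest(path) != good:
            findings[path] = "modified"
    return findings

def demo():
    """Constructed files in a temp directory; the key is a placeholder."""
    key = b"constructed-demo-key"  # assumption: kept off the monitored host
    with tempfile.TemporaryDirectory() as d:
        login, config = Path(d, "login"), Path(d, "sshd_config")
        for p in (login, config):
            p.write_text(f"known good contents of {p.name}\n")
        baseline = build_baseline([login, config], key)
        clean = scan(baseline, key)                  # nothing changed yet
        login.unlink()                               # file removed
        config.write_text("unexpected contents\n")   # file altered
        changed = {Path(p).name: v for p, v in scan(baseline, key).items()}
        baseline["digests"][str(config)] = file_digest(config)  # stored value rewritten
        try:
            scan(baseline, key)
            sealed = False
        except ValueError:
            sealed = True
    return clean, changed, sealed
```

The seal only helps if the key and the baseline's MAC are held where an intruder on the monitored host cannot recompute them.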
Uses a set of known malicious data patterns or attack rules that are compared with current behavior.
They use either a database of file signatures (patterns of data found in malicious software) or heuristic rules that characterize known malicious behavior.
Also known as misuse detection; very commonly used on Windows systems, and also incorporated into mail and web application proxies on firewalls and into network-based IDSs.
Can only identify known attacks for which it has patterns or rules (signatures).
Very similar to anti-virus, and more correctly viewed as anti-malware.
Rule-based penetration identification
rules identify known penetrations/weaknesses
Motivation - traditional HIDS focused on single-system, stand-alone operation, but an organization needs to defend a distributed collection of hosts.
ISSUES IN THE DESIGN OF DISTRIBUTED IDS :
D-IDS may need to deal with different sensor data formats
Integrity and confidentiality of raw sensor data or summary data must be ensured during transmission.
Integrity is required to prevent an intruder from masking his/her activities by altering the transmitted audit information.
Confidentiality is required because the transmitted audit information could be valuable.
Two possible architectures - centralized or distributed.
Centralized arch - eases the task of correlating incoming reports but creates a potential bottleneck and single point of failure.
Decentralized arch - more than one analysis center hence coordination in activities and exchange of information is required.
Architecture for D-IDS
Three main components :
Host agent module - An audit collection module operating as a background process on a monitored system. Its purpose is to collect data on security-related events on the host and transmit these to the central manager.
LAN monitor agent module - Operates in the background, analyzes LAN traffic and reports the results to the central manager.
Central manager module - Receives reports from the LAN monitor and host agents, then processes and correlates these reports to detect intrusion.
captures each audit record produced by the native audit collection system.
is applied that retains only those records that are of security interest.
These records are then into a standardized format referred to as the host audit record (HAR)
A template-driven logic module analyzes the records for suspicious activity.
At the lowest level, the agent scans for notable events that are of interest independent of any past events, for example failed files and accessing system files.
At the next higher level, the agent looks for sequences of events, such as known attack patterns.
Finally, the agent looks for anomalous behavior of an individual user based on a historical profile of that user, such as the number of programs executed and the number of files accessed.
If suspicious activity is detected, an alert is sent to the central manager. The central manager includes an expert system that can draw inferences from the received data.
The LAN monitor agent also supplies information to the central manager. It audits host-host connections, services used, and volume of traffic. It searches for significant events, such as sudden changes in network load, the use of security-related services, and suspicious network activities.
This architecture is the foundation for a machine-independent approach.
Mayoori Nautiyal (23)