
HOST BASED IDS (HIDS)

HOST BASED IDS (HIDS). Objectives: be able to explain the role and the different categories of host-based IDS, and understand and be able to explain log file monitors. HIDS roles: 1) HIDS software focuses on detecting attacks against a particular host.





Presentation Transcript


  1. HOST BASED IDS (HIDS)

  2. Objectives
  • Be able to explain the role and the different categories of the host-based IDS.
  • Understand and be able to explain log file monitors.

  3. HIDS Roles
  1) HIDS software focuses on detecting attacks against a particular host.
     • E.g. a workstation or server; the software runs on the host itself.
  2) Malicious activity on a host can exhibit itself in multiple ways.
     • The HIDS monitors user-specific activity on the system.
     • The software can observe the user's local activity because it has access to host-specific information such as process and service listings, local log files, and system calls.
     • It is optimized for monitoring individual hosts.
     • Network IDS sensors, on the other hand, have a hard time associating packets with specific users, especially when they need to determine whether commands in the traffic stream violate a specific user's access privileges.

  4. HIDS Roles
  3) Monitor data exchanges of encrypted network streams by tapping in at the connection's endpoint.
     • Running on the VPN's endpoint allows a host-based IDS to examine packets in their clear-text form, before the host encrypts outbound packets or after it decrypts inbound packets.
     • A NIDS sensor cannot examine the payload of an IPSec packet or the contents of a packet that is part of an SSL session.
     • The need to perform content analysis of network traffic at the hosts continues to increase as companies continue to deploy VPN solutions.

  5. HIDS Roles
  4) Correlating attacks that are picked up by network sensors.
     • Scenario 1: a network IDS sensor detected an attack directed at one of your hosts. How would you know whether the attack was successful?
     • Solution: the host's IDS software can help determine the effect of the attack on the targeted system.
     • Of course, if the host is compromised, its logs might be altered or deleted.
     • But if you automatically relay all host IDS data to a central, dedicated log server that picks up all the IDS logs, you can use that data instead of the original logs when they are unavailable or untrusted.
     • From an incident-handling perspective, HIDS logs are important in reconstructing an attack or determining the severity of an incident.

  6. IDS Components
  • The traffic collector collects activities/events for the IDS to examine.
  • On a host-based IDS, this could be log files, audit logs, or traffic coming to or leaving a specific system.
  • On a network-based IDS, this is typically a mechanism for copying traffic off the network link, basically functioning as a sniffer.

  7. Host-based IDS
  • A host-based IDS (HIDS) operates in:
     • Real time, looking for activity as it occurs.
     • Batch mode, looking for activity on a periodic basis.

  8. Host-based IDS
  • They may be self-contained, but many of the newer commercial products have been designed to report to and be managed by a central system.
  • Host-based systems use local system resources to operate.

  9. Host-based IDS
  • Host-based intrusion detection systems focus on the log files or audit trails from the local operating system.
  • The IDS looks for hostile actions or misuse activities, such as:
     • Logins at odd hours
     • Login authentication failures
     • Adding new user accounts
     • Modification or access of critical system files
     • Modification or removal of binary files (executables)
     • Starting or stopping processes
     • Privilege escalation
     • Using certain programs

  10. IDS Logical Layout
  • Host-based intrusion detection systems operate similarly.
  • An insight into how host-based intrusion detection systems operate can be obtained by considering the function and activity of each component.

  11. IDS Collector
  • The traffic collector pulls in information for the other components, such as the analysis engine.
  • It pulls already generated data from the local system: error messages, log files, and system files.
  • It is responsible for reading files, selecting items of interest, and forwarding them to the analysis engine.
  • On some host-based systems, it also examines specific attributes of critical files such as file size, date modified, or checksum.

  12. IDS Analysis Engine
  • It is a sophisticated decision and pattern-matching mechanism.
  • It looks at data given to it by the traffic collector and matches it to known patterns of activity stored in the signature database.
  • If the activity matches a known pattern, the analysis engine reacts with an alert or alarm.

  13. IDS Analysis Engine
  • An analysis engine is capable of remembering how the current activity compares to historic or future traffic, so that it may match more complicated, multi-step malicious activity patterns.
  • An analysis engine must also be capable of examining traffic patterns as quickly as possible.
  • The longer it takes to match a malicious pattern, the less time the IDS or human operator has to react to malicious traffic.

  14. IDS Signature Database
  • The signature database is a collection of predefined activity patterns that have already been identified and categorized as typical of suspicious or malicious activity.
  • When the analysis engine has a traffic pattern to examine, it compares it to the signatures in the database.

  15. IDS User Interface
  • It is the visible component of the IDS, the part that humans interact with.
  • Independent of the type and complexity, the interface allows users to interact with the system by:
     • Changing parameters
     • Receiving alarms
     • Tuning signatures and response patterns

  16. Host-based Advantages
  • The advantages of host-based IDSs include:
     • Operating system specific.
     • More detailed signatures.
     • Reduced false positive rates.
     • Examination of data after decryption.
     • Application specific.
     • An alarm can help determine the impact on a specific system.

  17. Host-based Disadvantages
  • Before deployment, weigh the disadvantages of this technology:
     • An IDS has a process on every system watched.
     • An IDS has a high cost of ownership.
     • An IDS uses local system resources.
     • An IDS has a focused view and cannot relate to activity around it.
     • A locally logged IDS may be compromised or disabled.

  18. Active vs. Passive IDS
  • Intrusion detection systems can be distinguished by how they examine the activity around them and whether or not they interact with that activity.

  19. Active vs. Passive IDS
  Passive HIDS:
  • A passive system watches the activity, analyzes it, and generates alarms.
  • It does not interact with the activity itself in any way.
  • It does not modify the defensive posture of the system to react to the traffic.
  Active HIDS:
  • An active IDS contains the same components and capabilities as the passive IDS.
  • However, the active IDS reacts to the activity it is analyzing.

  20. IDS Components
  • Analysis engine:
     • Examines the collected network traffic and compares it to known patterns of suspicious or malicious activity stored in the signature database.

  21. IDS Components
  • User interface and reporting:
     • The component that interfaces with the human element, providing alerts when appropriate and giving the user a means to interact with and operate the IDS.

  22. Tuning an IDS
  • Most IDSs can be "tuned" to fit a particular environment.
  • Signatures may be turned off, so the IDS will not look for certain types of traffic.
  • Alarm levels can be adjusted depending upon certain types of traffic.
  • Some IDSs also allow users to "exclude" certain patterns of activity from specific hosts.

  23. Types of HIDS
  • There are several types of host-based IDS software products:
     • Log analyzers
     • File integrity checkers
  • Example tools, by what they monitor:
     • The host's file system: AIDE, OSIRIS, Samhain, Tripwire
     • The host's network connections: BlackICE, PortSentry
     • The host's log files: LANguard, Logcheck, OsHids, Swatch

  24. Example: LANguard

  25. Types of HIDS
  • File integrity checkers:
     • Alert if particular files are altered, which might indicate a successful attack.
  • Log analyzers:
     • Monitor OS and application logs, looking for entries that might be related to attacks or security violations.

  26. File Integrity Checker
  • Detects unauthorized changes to the host's file system.
  • Operates by taking a "snapshot" of the file system in a trusted state, when all the files are considered to be valid.
  • During subsequent scans, these tools compare the system's files to the initial baseline and report noteworthy deviations.

  27. File Integrity Checker
  • To tune the integrity checking mechanism so that it only monitors relevant aspects of files:
     • You can specify which file attributes are allowed to change, or which files can be ignored altogether.
     • For example, applications frequently create temporary files in the C:\WINNT\Temp or /tmp directories; alerting the administrator every time a new file appears or disappears from these directories would generate too many false positives.
     • On the other hand, the contents of core system libraries rarely change, and it is normal for the host's log files to grow in size while retaining their initial ownership and access permissions.
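The tuning described on slides 26 and 27, as an added example (not code from the slides or from any of the tools they name): a minimal baseline-and-verify checker in which a per-directory policy decides which attributes may change. The policy names, the directory layout and the sample files in demo() are constructed for this example; a log file is allowed to grow but not to change mode or owner, a temp directory is ignored, and everything else is strict.

```python
import hashlib
import os
import stat
import tempfile

# Hypothetical policy table: attributes allowed to change without an alert;
# None means the path is not tracked at all (the /tmp case from the slide).
POLICIES = {"strict": set(), "growing_log": {"size", "sha256"}, "ignore": None}

def file_record(path):
    """Snapshot the attributes an integrity checker typically tracks."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid, "sha256": ""}
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            rec["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return rec

def policy_for(path, rules):
    """Longest matching directory prefix wins; unmatched paths are strict."""
    hits = [p for p in rules if path.startswith(p + os.sep)]
    return rules[max(hits, key=len)] if hits else "strict"

def take_baseline(root, rules):
    """Walk the tree and record every file that is not policy-ignored."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if POLICIES[policy_for(path, rules)] is not None:
                baseline[path] = file_record(path)
    return baseline

def verify(baseline, root, rules):
    """Rescan and report deviations as (path, kind, changed_attributes)."""
    findings, current = [], take_baseline(root, rules)
    for path, old in baseline.items():
        if path not in current:
            findings.append((path, "removed", None))
            continue
        diff = {k for k in old if old[k] != current[path][k]} - POLICIES[policy_for(path, rules)]
        if diff:
            findings.append((path, "changed", sorted(diff)))
    findings += [(p, "added", None) for p in current.keys() - baseline.keys()]
    return findings

def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, verify."""
    root = tempfile.mkdtemp()
    def put(rel, body, mode="wb"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, mode) as f:
            f.write(body)
        os.chmod(path, 0o644)  # fixed mode so the baseline is deterministic
    put("lib/libc.so", b"code"); put("var/log/messages", b"boot\n")
    rules = {os.path.join(root, "var/log"): "growing_log", os.path.join(root, "tmp"): "ignore"}
    baseline = take_baseline(root, rules)
    put("lib/libc.so", b"evil")                               # library replaced: alert
    put("var/log/messages", b"login ok\n", "ab")              # log grew: tolerated
    os.chmod(os.path.join(root, "var/log/messages"), 0o666)   # log mode changed: alert
    put("tmp/scratch", b"y")                                  # ignored directory: silent
    return sorted((os.path.relpath(p, root), k, d) for p, k, d in verify(baseline, root, rules))
```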

  28. File Integrity Checker - Alternative Ways
  • Increasing the difficulty of tampering with the database of baseline signatures can be accomplished in several ways:
  1. Obfuscate or conceal the contents of the baseline database by using a proprietary binary format instead of plain text when saving the database to disk.
     • Although this mechanism makes it more difficult to tamper with the database, it hardly prevents the attacker from discovering the obfuscation scheme or from using the integrity checker to update the baseline.

  29. File Integrity Checker - Alternative Ways
  2. Place the baseline database onto read-only media, such as a write-protected floppy disk or a CD-ROM.
     • This method requires that the disk or the CD be accessible to the integrity checker when it performs the verification scan.
     • This method is reliable and is most useful for hosts whose baseline does not need to be frequently updated.
     • Keep in mind, though, that even if the attacker is unable to modify the baseline database, he might be able to change the integrity checker or modify its configuration to use an unauthorized baseline.
     • Placing the checker onto the read-only media helps defend against some attacks of this nature, but having access to the host might allow the attacker to modify the system's kernel or file system drivers to conceal his presence on the host anyway.

  30. File Integrity Checker - Alternative Ways
  3. Digitally sign the baseline database.
     • In this scenario, updating the program's baseline typically requires the administrator to present the appropriate cryptographic keys and supply the necessary passwords.
     • This technique achieves a good balance between the first two approaches.
     • It is frequently used in environments that need to be able to remotely update the baseline periodically, such as when installing system patches or otherwise updating the host's configuration.
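The third approach on slides 28 to 30, as an added example (not code from the slides or from Tripwire): the baseline database is stored together with a MAC computed under a key derived from the administrator's passphrase, so an edited baseline, a wrong passphrase, or a baseline swapped in from another host is refused instead of trusted. An HMAC stands in for a real digital signature here; with a public-key signature the host would need only the public key at scan time, whereas an HMAC requires the passphrase at every verification. The baseline contents and passphrase are constructed for this example.

```python
import hashlib
import hmac
import json
import os

# Constructed baseline: path -> attributes as a checker would store them.
# The sha256 values are placeholders, not real digests of any file.
BASELINE = {
    "/lib/libc.so.6": {"size": 2029224, "mode": 0o755, "sha256": "aa" * 32},
    "/etc/passwd": {"size": 1530, "mode": 0o644, "sha256": "bb" * 32},
}

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn the administrator's passphrase into a MAC key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def canonical(db: dict) -> bytes:
    """Deterministic encoding so the MAC does not depend on key order."""
    return json.dumps(db, sort_keys=True, separators=(",", ":")).encode()

def save_signed(db: dict, passphrase: str, salt: bytes = b"") -> dict:
    """On-disk form: salt, the baseline itself, and a MAC over salt || baseline."""
    salt = salt or os.urandom(16)
    tag = hmac.new(derive_key(passphrase, salt), salt + canonical(db), "sha256")
    return {"salt": salt.hex(), "baseline": db, "mac": tag.hexdigest()}

def load_verified(signed: dict, passphrase: str):
    """Recompute the MAC and refuse (return None) any baseline that fails."""
    salt = bytes.fromhex(signed["salt"])
    tag = hmac.new(derive_key(passphrase, salt), salt + canonical(signed["baseline"]), "sha256")
    if not hmac.compare_digest(tag.hexdigest(), signed["mac"]):
        return None  # edited on disk, wrong passphrase, or swapped for another baseline
    return signed["baseline"]

def demo() -> tuple:
    """Constructed run: sign and verify, then a tampered copy and a wrong passphrase."""
    signed = save_signed(BASELINE, "correct horse battery", salt=b"\x01" * 16)
    genuine = load_verified(signed, "correct horse battery") == BASELINE
    tampered = json.loads(json.dumps(signed))  # deep copy, as if re-read from disk
    # Simulates the slide-28 concern: the stored hash is edited to match a replaced library.
    tampered["baseline"]["/lib/libc.so.6"]["sha256"] = "cc" * 32
    return (genuine,
            load_verified(tampered, "correct horse battery") is None,
            load_verified(signed, "wrong passphrase") is None)
```

As slide 29 already notes, this protects the baseline only; an attacker with full access to the host can still replace the checker itself, so the passphrase must not be kept on the host and the checker binary needs its own protection.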

  31. File Integrity Checker: Tripwire
  • Best-known file integrity checking utility.
  • It is a benchmark against which other tools in this category are measured.
  • The original version of Tripwire was developed in 1992 at Purdue University in West Lafayette, Indiana.
  • Free open source (academic version): http://www.tripwire.org.
  • It is included with many Linux distributions, including Red Hat Linux.
  • Despite its age, this version of Tripwire is still effective at detecting unauthorized changes to the host's files, although it is no longer being actively maintained.

  32. File Integrity Checker: Tripwire
  • Full commercial versions of Tripwire for servers and network devices are not free (http://www.tripwire.com/products/servers/).
  • Runs on both Windows and UNIX hosts.
  • The Windows version of the tool can monitor the system's Registry in addition to the file system.
  • The commercial software Tripwire for Network Devices can monitor the integrity of configuration files on routers and switches.
  • Multiple hosts and devices monitored by the commercial versions of Tripwire can be controlled centrally through a unified configuration and reporting interface, Tripwire Manager.

  33. File Integrity Checker: AIDE
  • AIDE: Advanced Intrusion Detection Environment.
  • A free integrity checker with similar features to the academic release of Tripwire.
  • http://sourceforge.net/projects/aide

  34. File Integrity Checker: AIDE
  • The differences between AIDE and the various Tripwire versions:
     • AIDE is maintained through a steadier development cycle than the academic version of Tripwire, which is no longer maintained. The commercial version of Tripwire is being developed much more actively.
     • AIDE runs on a wide range of UNIX platforms, but unlike the commercial version of Tripwire, it does not run on Windows.
     • AIDE does not cryptographically sign its baseline database, making it more difficult to ensure the integrity of its findings. (The academic version of Tripwire does not do this either.)

  35. Network Connection Monitors
  • Now that you know how to detect unauthorized changes to the host's file system, let's switch our attention to monitoring another critical aspect of the host's operation: its network connectivity.
  • Specifically, we want to use available data about network connections that are initiated or terminated on the host to detect malicious behavior.
  • The impetus behind connection monitoring is similar to the one behind network IDS products that run in promiscuous mode to examine network streams for multiple hosts and devices.
  • A host-based IDS, however, can also associate network sockets with specific processes and users on the system, and it can be tuned to the exact characteristics of the host.
  • Additionally, host-based network-monitoring software is unlikely to be overwhelmed by the voluminous network traffic that continues to push the limits of network IDS performance.

  36. Network Connection Monitors: BlackICE
  • One popular HIDS product for monitoring the system's network connections is BlackICE (http://blackice.iss.net/), produced by Internet Security Systems (ISS).
  • There are two versions of the software:
     • BlackICE PC Protection runs on Windows-based operating systems and is optimized for protecting a workstation.
     • BlackICE Server Protection offers similar capabilities for servers.

  37. Network Connection Monitors: BlackICE
  • Whenever BlackICE observes a suspicious network connection that targets its host, it creates a log entry for this event.
  • A host-based firewall would typically create an individual record for each blocked packet.
  • The IDS mechanism in BlackICE is able to group events associated with multiple offending packets into a single log entry that identifies the attack.
  • For example, BlackICE can correlate several suspicious packets as being a single port scan. Instead of logging each packet that comprised the scan, BlackICE creates a single entry in the log.
  • However, BlackICE can be configured to capture full packets that it identifies as belonging to an attack sequence and log them for future analysis.
  • In addition to performing IDS services, BlackICE comes with a built-in host-based firewall that can block unauthorized inbound and outbound connections.

  38. Demo on BlackICE
  • You can see a demo of how BlackICE works at http://blackice.iss.net/demo.php

  39. Network Connection Monitors: PortSentry
  • PortSentry (http://sourceforge.net/projects/sentrytools/)
  • It can detect port scans and other unauthorized connection attempts to the system.
  • Freely available, and can run on most UNIX operating systems.
  • When PortSentry detects a network-based attack, it can block the attacking host by automatically reconfiguring a compatible firewall on the local host or by placing an appropriate entry into the hosts.deny file used by TCP Wrappers.

  40. Network Connection Monitors: PortSentry
  • For example, the following are Syslog records that document PortSentry actions when it detects a port scan coming from 192.168.44.1:
     Jan 19 10:35:57 localhost portsentry[1252]: attackalert: TCP SYN/Normal scan from host: 192.168.44.1/192.168.44.1 to TCP port: 13
     Jan 19 10:35:57 localhost portsentry[1252]: attackalert: Host 192.168.44.1 has been blocked via wrappers with string: "ALL: 192.168.44.1"
     Jan 19 10:35:57 localhost portsentry[1252]: attackalert: TCP SYN/Normal scan from host: 192.168.44.1/192.168.44.1 to TCP port: 21
     Jan 19 10:35:57 localhost portsentry[1252]: attackalert: Host: 192.168.44.1/192.168.44.1 is already blocked Ignoring
  • PortSentry detected an unauthorized connection to TCP port 13 on the local host. It responded by reconfiguring TCP Wrappers in an attempt to block subsequent connections from the offender.

  41. Log File Monitors
  • The host's log files include system, audit, authentication, and application events.
  • Log file monitors observe the contents of logs and alert administrators when suspicious events are detected.
  • They have the benefit of being able to observe events generated by multiple security components on the host.

  42. Log File Monitors: Example Tools
  • Swatch
     • Its name stands for "simple watcher", and it is available at http://swatch.sourceforge.net/.
     • Free, and runs on most UNIX operating systems.
     • You can configure Swatch to email the administrator when it locates a line with the string attackalert in a Syslog record.
  • Logcheck
     • http://sourceforge.net/projects/sentrytools/
     • Unlike Swatch, it does not monitor logs in real time; it runs periodically and emails alerts in batches.
     • This helps the administrator limit the number of email messages he receives, but it might also delay the administrator's response to an attack.
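The two monitoring styles on slide 42, applied to the PortSentry records from slide 40, as an added example (not code from the slides, Swatch or Logcheck): watch() is the Swatch-style trigger on the string attackalert, and summarize() is the Logcheck-style batch pass that folds the per-packet records into one entry per attacking host, the way slide 37 describes BlackICE grouping a scan. The regular expressions and the extra sshd line in the sample are constructed for this example.

```python
import re
from collections import defaultdict

# Syslog line as PortSentry (and other daemons) write it: timestamp host prog[pid]: msg
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SCAN = re.compile(r"scan from host: (?P<src>[\d.]+)/\S+ to (?P<proto>TCP|UDP) port: (?P<port>\d+)")
BLOCKED = re.compile(r"Host (?P<src>[\d.]+) has been blocked via (?P<how>\w+)")
ALREADY = re.compile(r"Host: (?P<src>[\d.]+)/\S+ is already blocked")

# Constructed sample: the four PortSentry records from the slide plus one benign line.
SAMPLE = [
    'Jan 19 10:35:57 localhost portsentry[1252]: attackalert: TCP SYN/Normal scan from host: 192.168.44.1/192.168.44.1 to TCP port: 13',
    'Jan 19 10:35:57 localhost portsentry[1252]: attackalert: Host 192.168.44.1 has been blocked via wrappers with string: "ALL: 192.168.44.1"',
    'Jan 19 10:35:57 localhost portsentry[1252]: attackalert: TCP SYN/Normal scan from host: 192.168.44.1/192.168.44.1 to TCP port: 21',
    'Jan 19 10:35:57 localhost portsentry[1252]: attackalert: Host: 192.168.44.1/192.168.44.1 is already blocked Ignoring',
    'Jan 19 10:36:02 localhost sshd[2210]: Accepted password for alice from 10.0.0.5 port 51514 ssh2',
]

def parse(line: str):
    """Split one syslog record into fields; return None for lines that do not fit."""
    m = SYSLOG.match(line)
    return m.groupdict() if m else None

def watch(lines, trigger: str = "attackalert"):
    """Swatch-style real-time rule: yield every record whose message contains the trigger."""
    for line in lines:
        rec = parse(line)
        if rec and trigger in rec["msg"]:
            yield rec

def summarize(lines) -> dict:
    """Logcheck-style batch: fold per-packet alerts into one entry per attacking host."""
    report = defaultdict(lambda: {"ports": [], "blocked_via": None, "events": 0, "first_seen": None})
    for rec in watch(lines):
        msg = rec["msg"]
        m = SCAN.search(msg) or BLOCKED.search(msg) or ALREADY.search(msg)
        if not m:
            continue  # an attackalert with no parsing rule; still surfaced by watch()
        entry = report[m["src"]]
        entry["events"] += 1
        entry["first_seen"] = entry["first_seen"] or rec["ts"]
        if "port" in m.groupdict():
            entry["ports"].append(f'{m["proto"]}/{m["port"]}')
        elif "how" in m.groupdict():
            entry["blocked_via"] = m["how"]
    return dict(report)
```

Running summarize(SAMPLE) yields one entry for 192.168.44.1 listing TCP/13 and TCP/21 with blocked_via set to wrappers, which is the single line a batched report would email instead of four.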

  43. Log File Monitors: Example Tools
  • Log file monitoring utilities are available for Windows platforms as well:
     • TNT ELM Log Manager (http://www.tntsoftware.com/)
     • LANguard Security Event Log Monitor (http://www.gfi.com/lanselm)

  44. Summary
  • You should now understand the roles that a host-based IDS plays when operating as part of a network's security perimeter, and the different types of host-based IDS solutions.
  • Multiple sources of data can be used to perform intrusion detection at the host level.
  • The primary reason for looking at the host's file system, log files, and network connections is that malicious activity on a host can exhibit itself in multiple ways.
