So, to get back to the lecture, an intrusion is an act of gaining unauthorized access to a system or resource, so as to cause loss, harm or theft. Examples of intrusions are unauthorized logins into your system, which is obviously an intrusion, installation of spyware into a victim's computer, infection of a machine with a worm or virus etcetera. So, all of these things would come under different kinds of intrusions. Intrusions are usually dealt with by a combination of preventive measures, detection followed by an appropriate response. So, either a preventive measure or detection and then of course, once you detect it then you have got to do something about it, but what distinguishes prevention from detection? So, for that purpose we have a couple of little examples. Intrusion prevention anticipates various kinds of attacks and takes steps to forestall their occurrence. Examples include the use of encryption: I suspect that somebody is eavesdropping on my line, so I encrypt all the messages going back and forth. So, this is an example of prevention, encryption to prevent eavesdropping; then code auditing to minimize the chance of vulnerabilities such as buffer overflow or SQL injection. So, both of these, encryption and code auditing, are examples of preventive mechanisms. And an intrusion detection system: first, an IDS monitors events of interest, so there are three verbs out here: monitors, analyzes and alerts. So, it monitors events of interest occurring in the target system or in the network. Now, of course, what is meant by an event of interest? An event of interest may be the opening of a file, of any file in general or in particular a file containing sensitive data. So, if I look at every single file and try to analyze it, maybe there will be just too much data, data overload. So, maybe I will be very selective in looking at only events that are of particular interest to me. So, for example, opening of a file containing sensitive data.
An IDS generates a large amount of data which it then analyzes and converts into valuable information to be used by system administrators. So, there are very fancy analytical techniques that are used which are borrowed from, say for instance, machine learning. These techniques are then used to get valuable information from just this huge amount of data. So, analysis is an important aspect of an IDS and then an IDS raises an alert each time it observes anomalous or suspicious behavior. The IDS should be capable of learning what is normal behavior, detecting anomalous events when they occur and flagging such events. So, the first thing is when do I raise an alarm: if I raise it too often then of course, it is going to be a pain for the system administrator and if it is not raised when it should be then it is going to constitute a false negative. So, both of these things, false negatives and false positives, should be minimized. Here is the block diagram of what an IDS does. First thing is monitoring various system and network variables. Let us think about what these variables could possibly be, then analyze the recent value or behavior of these variables, what happened in the immediate past as far as these variables are concerned. First question is: does the value or the behavior look like some particular attack pattern, does it match an attack pattern, does it match a signature? Yes, then raise an alarm. So, these would be signature based IDS's. Alternatively you can look at the behavior and see whether it is anomalous, is it a departure from norm. Of course, the big question is what is really meant by normal behavior and then furthermore once we have decided what is normal behavior then is the current behavior a departure from the norm, if so raise an alarm or an alert. So, IDS's that do this thing are referred to as anomaly based IDS's and the others are signature based IDS's.
So, once again to distinguish these two things, prevention and detection, some examples I thought of. One is passwords: passwords should be stored securely, not written on sticker pads for example and not communicated to friends, relatives and co-workers. So, this is how you would prevent password abuse by a proactive kind of measure. On the other hand you can also have some detection measures: an employee has for 10 years never logged in outside of office hours between 10 and 5 p.m.; today however this user logs in at 4 a.m. This is something very anomalous, so you are detecting strange and anomalous behavior and you are causing the IDS to raise an alert. So, this is an example of detection, so you see the difference between prevention and detection in the context of password protection. We have seen this thing before, buffer overflow. So, how do you prevent this? One mechanism was making the stack non executable. So, you cannot execute the malcode on the stack. So, this is a preventive mechanism, you prevent the exploitation of buffer overflow. On the other hand detection: use a canary variable on the stack to detect that the buffer is overflowed and thus help to thwart its exploitation. So, this is an example of detection. So here you absolutely prevent it because the code cannot execute and here you actually detect a buffer overflow condition using the canary which alerts you. Now, going further into some more details about IDS: what are the different kinds of IDSs and what are the variables that the IDS should measure. So, it is not just monitoring every possible variable, because one of the big problems in IDS design is you have got so much data, how to make sense of that data. The system administrator cannot look at tons and tons of data every day, so there must be some kind of intelligence that takes that data and converts it into valuable, very valuable information.
So, the first thing is what are the variables that it should monitor, then when should an alert be raised, when should an alarm be sounded. So not only which variables, but what do you do with those variables, how do you take data and convert it into useful and valuable information, then when should an alert be raised or an alarm be sounded; an alarm would be a more significant kind of a thing compared to an alert. And then the placement of the IDS, where should it be placed. So talking about which variables should be monitored, let us look at some of the things that you might want to monitor. The login frequency to a particular account: why is this important? Suppose for example you find that there is an unusually high frequency of logins to that particular account, then this suggests that there is probably an attempted break in. So, we would like to know which variable you are trying to monitor and then in particular what is the event of interest and what does that seem to portend, does it seem to say it is a denial of service attack or a worm attack or what. You might want to look at the percentage of half open TCP connections; the event of interest is a sudden surge, so you suddenly find there are very many half open TCP connections compared to the normal number. So what does that suggest? A possible DoS or DDoS attack, the onset of such an attack. You might want to monitor combinations of TCP header flags in incoming packets and you are particularly looking at an invalid combination, some very strange combination of those six flags. What that might suggest is that there is an attacker trying to fingerprint the operating system on your machine, operating system fingerprinting.
You might want to monitor TCP connection establishment and in particular if it is to an unused destination port. Now based on your discussion of Nessus and Nmap, you know that that probably is a port scan; if there are many connection attempts to invalid ports probably somebody is doing a port scan and then you alert the system and say that an attacker from so and so place is probably trying to launch a port scan against your system. You look at the payload of incoming packets; what do you look specifically for? For a particular byte sequence. Now if it is a non polymorphic worm, then byte sequences could constitute attack signatures. So, by looking at specific byte sequences in the worm, you conclude that there is a specific worm in the payload of this packet. You might look at something that has entered your system and you might look at monitoring the operating system calls. So, this is the way, by making operating system calls, software gets to use special services like printing or reading files, accessing disks etcetera; it is through the operating system call. So, you look at the various operating system calls and in particular the sequence of operating system calls and that might suggest that there is a specific virus that has entered your system. Various viruses, various malware will have different sequences of operating system calls very specific to that species. So, by observing that sequence of system calls, you can conclude what that particular malware is. Two types of IDSs: anomaly based versus signature based. So, this is one dimension of comparison; here we are looking for a departure from normal behavior, here we are looking for a specific pattern of behavior. If this and this happens, then I suspect it is this particular worm, while over here you are saying if this does not happen, if there is not normal behavior, then I suspect there is an attack on the system.
So, anomaly based versus signature based: this is like a positive kind of thing, have I seen this sequence of bits or this sequence of operating system calls etcetera etcetera, then I alert the system; over here it is like a negative thing, have I not seen normal behavior, there is a departure from norm, then I conclude it must be some attack underway. The other dimension of comparing IDSs is network based versus host based, so here it is looking primarily at network based variables and here it is looking primarily at host based variables, so you have seen one of these HIDS's in the lab already. So, once again an anomaly based IDS involves making a determination whether the behavior of the system is a statistically significant departure from normal; the IDS will have to learn over time what constitutes normal activity, usage and behavior. The definition of what is normal may vary as a function of time of day, day of the week etcetera etcetera. So, on Sunday for example the load might be much less than on a weekday and so on and so forth. So, what is normal on a Sunday may not be normal on another day and vice versa. Signature based intrusion detection, also called misuse detection, works by identifying specific patterns of events or behavior that portend or accompany an attack; such a pattern is called a signature. An example of a signature is a specific byte sequence in worm payload. So, the more modern IDS's would look not just at simple things like byte sequences, but also sequences of operating system calls and also dependencies between operating system calls. A signature based IDS maintains a database of known signatures. It attempts to perform a match between currently observed behavior and an entry in this database. A typical real world signature based IDS will have thousands of attack signatures against which to make a comparison.
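The two detection styles just described, as an added illustration that is not part of the lecture: a signature detector that matches a known byte sequence and an invalid TCP flag combination, and an anomaly detector that first learns an account's normal login hours and then flags the 4 a.m. login and a login surge. All packets, signatures and login records are constructed samples.

```python
"""Toy IDS: a signature detector and an anomaly detector over constructed events."""
from collections import Counter

# Signature database (constructed samples, not real worm signatures).
WORM_SIGNATURES = {b"\x90\x90\x90\xeb\x1f": "constructed-worm-A"}
# Flag combinations that never occur in a legitimate TCP segment (SYN+FIN, no flags).
INVALID_FLAG_COMBOS = {frozenset({"SYN", "FIN"}), frozenset()}


def signature_alerts(packets):
    """Signature based: raise an alert only when a known bad pattern is seen."""
    alerts = []
    for p in packets:
        if frozenset(p["flags"]) in INVALID_FLAG_COMBOS:
            alerts.append(("invalid-tcp-flags", p["src"]))
        for pattern, name in WORM_SIGNATURES.items():
            if pattern in p["payload"]:
                alerts.append((name, p["src"]))
    return alerts


def learn_login_hours(history):
    """Anomaly based, learning phase: the hours at which each account normally logs in."""
    baseline = {}
    for user, hour in history:
        baseline.setdefault(user, set()).add(hour)
    return baseline


def anomaly_alerts(baseline, logins, surge_threshold=5):
    """Anomaly based, detection phase: flag departures from the learned norm."""
    alerts = []
    for user, hour in logins:
        if user in baseline and hour not in baseline[user]:
            alerts.append(("login-outside-normal-hours", user, hour))
    for user, n in Counter(user for user, _ in logins).items():
        if n >= surge_threshold:  # unusually high login frequency to one account
            alerts.append(("login-surge", user, n))
    return alerts


# Constructed sample data.
PACKETS = [
    {"src": "198.51.100.7", "flags": {"SYN"}, "payload": b"GET / HTTP/1.1"},
    {"src": "198.51.100.9", "flags": {"SYN", "FIN"}, "payload": b""},  # fingerprinting probe
    {"src": "203.0.113.4", "flags": {"ACK", "PSH"}, "payload": b"..\x90\x90\x90\xeb\x1f.."},
]
LOGIN_HISTORY = [("alice", h) for h in range(10, 18)] * 30  # years of 10-to-5 logins, condensed
TODAY_LOGINS = [("alice", 4)] + [("bob", 9)] * 6  # one 4 a.m. login, one burst of logins


def run_ids():
    """Run both detectors and return the combined alert list."""
    baseline = learn_login_hours(LOGIN_HISTORY)
    return signature_alerts(PACKETS) + anomaly_alerts(baseline, TODAY_LOGINS)


if __name__ == "__main__":
    for alert in run_ids():
        print("ALERT", alert)
```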
Now, network based IDS: an IDS that captures information about packets flowing through the network is referred to as an NIDS. Examples of information captured might be the number of half open TCP connections, the ratio of ARP requests to ARP response packets, the percentage of HTTP packets in comparison with the total number of network packets. So, network variables are monitored here. In the case of a host based IDS, this is typically implemented in software and resides on top of the host's operating system. Its main job, unlike the network based IDS, is to monitor the internal behavior of the host such as the sequence of system calls made, the files accessed, who is logged in etcetera etcetera. It makes use of system logs, application logs and operating system audit trails to identify events related to an intrusion. So, you have seen some of this logging business in yesterday's lab and you will also see it in tomorrow's lab. So, logs are very important for intrusion detection systems. They try to use logs and make sense of these logs and they even try to correlate these logs. Sometimes just looking at one set of logs isn't going to give you the whole story. Just looking at email logs alone may not help. Just looking at application or system logs may not help. It is looking at and correlating information from different kinds of logs that will actually help. Two terms that are very widely used in the context of IDS's are false positives and false negatives. An undetected intrusion is referred to as a false negative. So, this is the first thing you look at. How many false negatives does this IDS have? In other words, how many times has it failed to alert you when an attack is in progress? On the other hand, there's another thing called a false positive. An IDS generates a false positive if it raises an alarm even though there is no intrusion currently occurring or about to occur. That is an unnecessary false alarm.
So, two aspects of IDS you will see in the literature. These two words are used often. One is sensitivity and the other is selectivity. Now, just think a little bit: what corresponds to what? One of these corresponds to false negatives and the other corresponds to false positives. So, high sensitivity implies a low false negative rate. It's highly sensitive to intrusions. It detects them correctly. That is high sensitivity, which is synonymous with a low false negative rate. On the other hand, selectivity. It doesn't just simply shout all the time false alarm, false alarm, false alarm. It doesn't keep shouting intrusion, intrusion, intrusion without anything happening. If it did, then there would be many false positives. So, it's very selective about what it shouts and when it shouts. In other words, it's got a low false positive rate. So, high selectivity is related to having a low false positive rate and high sensitivity is related to having a low false negative rate. So, one kind of IDS that has been built by many universities and companies around the world is what are called honey pots. So, what is a honey pot? It's a closely monitored network decoy that can distract adversaries from more valuable machines on the network. So, the first thing is when somebody is attacking me, I want to distract their attention so that they look somewhere else. So, a decoy that can distract adversaries from more valuable machines on a network can provide early warning about new attack and exploitation trends or allow in-depth examination of adversaries during and after the exploitation of a honey pot. So, honey pot, as the word suggests, is something that attracts. So, honey attracts bees. The same way, a honey pot attracts attackers. So, attackers see this as low hanging fruit, some sort of a soft target and they try to attack it and when they attack it, you have trapped them. You actually see them attacking it, you see what kinds of payloads they generate and so on.
Maybe this is a new worm for example, you study it. Don't react immediately, just keep studying it. Who is attacking you, what sort of payload are they sending etcetera etcetera and then you calmly sit down and analyze what is actually happening. So, this is basically low hanging fruit. It is some way in which you attract the attacker. So, you pretend that you are a very vulnerable system. So, if the attacker is using Nmap and Nessus to find out what the vulnerabilities are, you try to simulate or emulate those vulnerabilities on this machine. So, they will actually be lured into attacking this machine and once they start attacking this machine, you figure out what is the kind of attack, what are the kinds of packets they are sending you, where is it coming from etcetera etcetera. So, it is like a decoy; a decoy is like a goat that is tied to a tree to attract the tiger. So, the tiger comes there to eat the goat and then you trap the tiger and take remedial action. So, that is what basically a honey pot is. Another definition: it is a security resource whose value lies in being probed, attacked or compromised. So, you invite attackers to actually probe this thing, try to get their attention onto this thing and distract them by having them look at this rather than anything else. So, there are a couple of case studies; in the interest of time, we will just take one case study which is DDoS. There are several measures over here for defending against DDoS. So, one is for example packet discarding, another is the use of a SYN cache and SYN cookies which are used on many modern operating systems, another is egress filtering, distributed route filtering, various detection techniques, IP traceback and so on and so forth. So, let us look at some of these. So, the first one, packet discarding. So, categorize all incoming packets, the IP addresses on those incoming packets, as almost certainly genuine and so on.
So, based on your knowledge of all these packets that you have been receiving over an extended period of time, you can figure out which of these IP addresses are almost certainly genuine, which are probably spoofed etcetera. Now, under moderate load conditions, do not take any action, allow all incoming SYN requests to be entertained because there is no problem, there is no overload on your system, allow everything and be liberal. But under rapidly increasing load, when you suspect there might be a DDoS attack in progress, then packets with unfamiliar source addresses should be discarded with high probability. So, the ones that you are familiar with, those packets with familiar IP addresses, you allow them to go in and the others are discarded. So, that brings down the load to a reasonable level. So, this is a very simple kind of technique. The next one, a little bit more fancy, is the use of SYN cookies. So, you have seen cookies in various contexts, for example HTTP cookies, but this is a different kind of cookie, a SYN cookie. The responding machine places a SYN cookie, so a very interesting idea, the responding machine places a SYN cookie in the sequence number field of the second handshake message. So, this responding machine is basically the potential victim. The attacker is the initiating machine and the victim is the responding machine. So, if I suspect that I am going to be a victim of a DoS attack or a DDoS attack, what I do is, I place a SYN cookie. You know, in the TCP header there is a sequence number field and both the initiator and the responder initialize it to a random number. There were security problems in the past because these were not initialized to random numbers. So, most modern operating systems will initialize these things to random numbers, the sequence number on the responder side, the sequence number on the initiator side. You can put any number you want. So, why not do the following?
Why not compute the SYN cookie and put the SYN cookie in the sequence number field? But what is the SYN cookie? This cookie is computed as a hash function of the source address, destination address, source port and destination port and some ephemeral secret. So, a function of all these things, not just any function, but a hash function of all these things; you compute the hash value and you put that hash value inside this sequence number field as the SYN cookie. Now, the initiator of the connection sends back the cookie it just received in its ACK message, the third message of the three-way handshake. Upon receiving the ACK, the responder recalculates the cookie and verifies that it matches the value enclosed in the received ACK. Only then does it reserve buffer space for the connection. So, what is the meaning of this? So, let us just draw a little picture here. So, this is the initiator and this is the responder. So, you send an initial packet to this guy and then he responds. Now, what he does is, so this is the potential victim, this is the potential attacker in a DDoS attack. So, he is bombarding him let us say with SYN packets. Now, what he does is he puts a SYN cookie over here. So, let us suppose there is a single attacker in this case. The victim puts in the sequence number field, this is a 16 bit number, and over here he puts sequence is equal to the hash of source address, the IP address of the initiator, the IP address of the receiver and the port numbers and not just this, but some secret. So, this particular value, the hash of all these things, could only be computed by this guy. So, he puts it in this field and then when the other side responds, he expects that that sequence number, as we have seen before in the 3-way handshake, will be incremented by 1 in the acknowledgement field. Now, what happens is typically in a DDoS attack, this guy is going to spoof the IP address.
So, he cannot actually continue the conversation, he cannot continue this because this sequence number, which is this hash value, has to be placed in the ACK field and this guy cannot spoof this packet because this acknowledgement has gone to a different address, the attacker has spoofed the source address. So, this responding packet will go altogether somewhere else and with it will go this value; the attacker will not be able to compute this value, why, because there is a secret known only to the victim. So, he will not be able to spoof the third packet of this 3-way handshake. So, that is one way, the use of SYN cookies, where you try to reduce the probability and the severity of a DDoS attack, the use of SYN cookies. So, many operating systems will actually support this. Basically, the idea is in the sequence field you initialize it with the hash of all of these things. So, that is the idea of a SYN cookie and in addition to the SYN cookie another thing that is used by many operating systems, what is the SYN cache? So, while the connection is in the half open state, minimal information about it is stored in a hash table called the SYN cache. So, you do not reserve for example 300 bytes of space, but a much smaller amount of space, for example just 30 bytes, which just stores things like the TCP sequence numbers, source and destination addresses and ports. So, you require just a few tens of bytes rather than hundreds of bytes for that and only when you know that the initiator is an authentic client, then and only then do you reserve all the rest of that 300 bytes. So, this becomes basically like a little cache storing only the most valuable and important information. So, this is the idea of a SYN cache, another idea besides SYN cookies.
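The SYN cookie handshake as the lecture describes it, worked through as an added example that is not part of the lecture or of any operating system's implementation: the responder's initial sequence number is a keyed hash of the addresses, ports and an ephemeral secret, nothing is stored for the half-open connection, and state is allocated only when the ACK carries cookie + 1. The HMAC-SHA256 construction, the addresses and the port numbers are my own constructed choices; real kernels pack extra fields (timestamp, MSS) into the cookie, which this simplified version leaves out.

```python
"""SYN cookie handshake, following the lecture's description: the responder's
initial sequence number is a keyed hash of the addresses, ports and a secret."""
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF  # TCP sequence and acknowledgement numbers wrap at 32 bits


def syn_cookie(secret, src, dst, sport, dport):
    """cookie = H(secret, src addr, dst addr, src port, dst port), truncated to 32 bits."""
    msg = f"{src}|{dst}|{sport}|{dport}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


class Responder:
    """The potential victim. Full connection state is allocated only after the
    third handshake message carries cookie + 1 in its ACK field."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(16)  # ephemeral, known only to us
        self.established = []  # the only per-connection state we ever keep

    def on_syn(self, src, dst, sport, dport, seq):
        # Second message: our ISN *is* the cookie, and nothing is stored for this SYN.
        cookie = syn_cookie(self.secret, src, dst, sport, dport)
        return {"flags": {"SYN", "ACK"}, "seq": cookie, "ack": (seq + 1) & MASK32}

    def on_ack(self, src, dst, sport, dport, ack):
        # Third message: recompute the cookie from the header fields and compare.
        expected = (syn_cookie(self.secret, src, dst, sport, dport) + 1) & MASK32
        if ack != expected:
            return False  # no buffer space wasted on a half-open connection
        self.established.append((src, sport))
        return True


SERVER = "192.0.2.10"  # constructed addresses throughout


def genuine_handshake(responder, client_ip="198.51.100.7", sport=40000, dport=80):
    """A client that owns its source address receives the SYN-ACK and echoes cookie + 1."""
    syn_ack = responder.on_syn(client_ip, SERVER, sport, dport, seq=12345)
    return responder.on_ack(client_ip, SERVER, sport, dport, ack=(syn_ack["seq"] + 1) & MASK32)


def spoofed_attempt(responder, spoofed_ip="203.0.113.99", sport=50000, dport=80, guess=0):
    """A flooder using a spoofed source never sees the SYN-ACK (it is routed to
    spoofed_ip), so it can only guess the ACK value, and the guess is rejected."""
    responder.on_syn(spoofed_ip, SERVER, sport, dport, seq=777)  # SYN-ACK goes elsewhere
    return responder.on_ack(spoofed_ip, SERVER, sport, dport, ack=guess)


if __name__ == "__main__":
    r = Responder()
    print("genuine:", genuine_handshake(r), "spoofed:", spoofed_attempt(r))
    print("connections with allocated state:", r.established)
```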