8/2/2019 Lecture8 IDS
1/40
Intrusion Detection Systems (IDS)
Ng Vn Cng
IDS (Intrusion Detection System)
- Detects attacks and probes against computers
- Prevention, detection, defence against attacks, damage assessment
- Intrusion detection: the process of identifying an intrusion that may occur, is occurring, or has already occurred
Terminology
- Intrusion detection: detecting unauthorized access to a computer
- Anomaly detection: detecting events that are out of the ordinary
How does an IDS work?
Detecting intrusions
- In the past: by reading the log files produced by security systems such as firewalls
- Today: the IDS itself reviews the log files and monitors how resources are used: CPU time, disk I/O, memory, user operations and the number of logins to the system
The IDS
- Maintains a database of signature files and the characteristics of known attacks
- Every attack has its own profile, pattern and behaviour; together these form its signature
- Detects an attack or intrusion by matching the observed signs of the attack against the signature files in the database
How does an IDS work? (continued)
- A false positive occurs when the IDS treats normal network behaviour as an attack by a hacker
- A false negative occurs when the IDS misses an intrusion into the system and treats it as normal network activity
IDS vs Firewall
- The functions of an IDS and a firewall are often confused
- A firewall works by blocking everything; the user then configures it to let certain things through
- A firewall lets internal users reach the outside but blocks outside users from reaching the internal network
- A firewall is not a dynamic system: it cannot judge that an attack is in progress
IDS vs Firewall (continued)
- An IDS is more dynamic: it is able to detect attacks on the network
- Consider an example: an employee receives an email from another employee saying he has found a long-lost confidential document. The employee opens the email and clicks on the attached executable, which carries a Trojan. The Trojan opens a connection to the hacker's computer, and the firewall does nothing to stop the hacker carrying out the attack over the common port 80, because the firewall is only configured to block outbound connections to certain ports and treats an HTTP connection to a web server as just another connection.
- If an IDS is installed, it can raise an alert for this as unusual activity on the network
Types of IDS
To detect intrusions, an IDS usually relies on one of two techniques:
- Anomaly-detection technique
- Misuse-detection technique
Anomaly-Detection Technique
- Based on the assumption that any activity that does not resemble a set of behaviour patterns is abnormal
- The IDS learns a profile of normal activity on the network; any behaviour that does not fit this profile is considered abnormal and raises an alert
- A baseline for normal behaviour is established, usually from statistics gathered on I/O, CPU use, memory use and user activity
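As an added example (not from the lecture), here is a Python sketch of the statistical baseline just described: a profile of normal behaviour is built from resource figures, and a new observation is flagged when it strays too far from it. The metrics (CPU use, disk I/O, logins), the five training days, the three-standard-deviation threshold and all numbers are constructed for the example. The third observation in the demo, a legitimate backup day, is flagged anyway, which is the false positive described on the earlier slide.

```python
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed training data: one user's daily resource figures (CPU use, disk
# I/O and number of logins) for five ordinary days. All values are made up.
TRAINING = [
    {"cpu_pct": 12, "disk_io_mb": 200, "logins": 2},
    {"cpu_pct": 15, "disk_io_mb": 220, "logins": 3},
    {"cpu_pct": 11, "disk_io_mb": 190, "logins": 2},
    {"cpu_pct": 14, "disk_io_mb": 210, "logins": 2},
    {"cpu_pct": 13, "disk_io_mb": 205, "logins": 3},
]

@dataclass
class Profile:
    """Baseline of normal behaviour: mean and spread of every metric."""
    mean: Dict[str, float]
    stdev: Dict[str, float]

def build_profile(samples: List[Dict[str, float]]) -> Profile:
    """Learn the profile from past observations (the 'training' phase)."""
    metrics = samples[0].keys()
    mean = {m: statistics.mean(s[m] for s in samples) for m in metrics}
    stdev = {m: statistics.pstdev(s[m] for s in samples) for m in metrics}
    return Profile(mean, stdev)

def deviations(profile: Profile, observation: Dict[str, float]) -> Dict[str, float]:
    """z-score of each metric: how many standard deviations from the baseline."""
    scores = {}
    for m, value in observation.items():
        spread = profile.stdev[m] or 1.0      # a constant metric gets unit spread
        scores[m] = (value - profile.mean[m]) / spread
    return scores

def is_anomalous(profile: Profile, observation: Dict[str, float],
                 threshold: float = 3.0) -> Tuple[bool, List[str]]:
    """Flag the observation when any metric lies more than `threshold` standard
    deviations from the baseline; also return which metrics tripped it."""
    z = deviations(profile, observation)
    offending = sorted(m for m, score in z.items() if abs(score) > threshold)
    return bool(offending), offending

if __name__ == "__main__":
    profile = build_profile(TRAINING)
    for day in ({"cpu_pct": 14, "disk_io_mb": 215, "logins": 2},   # ordinary day
                {"cpu_pct": 13, "disk_io_mb": 900, "logins": 40},  # mass file pull plus login burst
                {"cpu_pct": 13, "disk_io_mb": 250, "logins": 3}):  # legitimate backup day
        print(day, "->", is_anomalous(profile, day))
```

The threshold is the whole trade-off: lowering it catches smaller deviations but turns more backup days into alerts; raising it lets quieter intrusions through as false negatives.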
Misuse-Detection Technique
- Treats attacks as patterns and signatures
- Maintains a database of attack signatures
- An alert is raised when an attack matches a pattern in the database
- Works like an antivirus system
- Does not generate false positives, but cannot detect kinds of attack that have not been seen before
Different kinds of IDS
- Network-based intrusion-detection systems (network IDS)
- Host-based intrusion-detection systems (host IDS)
- Hybrid intrusion-detection systems
Some terms used in IDS
- Command console: the control centre of the IDS, including the tools for setting policies
- Sensor: looks for and captures packets
- Alert notification: warns of an attack (shows a message on screen, sends mail)
- Response subsystem: takes response actions when an attack is detected
- Database: stores all activity recorded by the IDS
Network IDS
- Consists of sensors deployed across the whole network to monitor and analyse the packets passing through it, then forward the results to the command console
- Two architectures: traditional sensor architecture; distributed network-node architecture
Traditional sensor
- The sensor is attached to the network and captures the network's packets
Traditional sensor architecture
Steps a packet goes through in a network IDS:
1. When a computer wants to exchange data with another computer, the data exchange begins
2. The packets are listened to on the network by the network sensors
3. The intrusion-detection component compares the packets with predefined patterns; if they match, an alert is raised and forwarded to the command console
4. Through the command console, the security staff are alerted by various means: email, SNMP
5. A response is generated automatically or by the security staff
6. A record is stored so that it can be reviewed and assessed later
7. A report summarising the intruder's actions is produced
Network IDS (figure)
Distributed Network-Node Architecture
- A sensor is attached to every computer on the network
- Each sensor only looks at the packets arriving at its own machine
- The sensor then communicates with the command console to raise alerts
Distributed Network-Node Architecture (continued)
Steps a packet goes through in the second solution:
1. When a computer wants to communicate with another computer, packets are exchanged
2. The packets are then listened to on the network by the sensor attached to the destination computer
3. The intrusion-detection component compares these packets with predefined patterns; if they correspond, an alert is raised
4. Through the command console, the security staff notify the users
5. A response is generated automatically by the response system
6. The alert (record) is stored for later review and assessment
7. A report summarising the characteristics of the activity is produced
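The two step lists above (traditional sensor and distributed network node) describe the same pipeline: sensor, detection engine, console notification, response, database, report. As an added example that is not part of the lecture, the Python below runs that pipeline over a constructed packet capture; the addresses, the two signatures, the notification channels and the response actions are all assumptions of the example. The "Trojan beacon" signature ties back to the IDS vs Firewall scenario: an outbound connection on port 80 that the firewall lets through.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass
class Signature:
    name: str
    dport: Optional[int]   # None means any destination port
    pattern: bytes         # byte string that identifies the attack
    response: str          # what the response subsystem does when it fires

# Constructed signature database (names and patterns are made up).
SIGNATURES = [
    Signature("Scan probe", None, b"A" * 16, "reconfigure firewall to block source"),
    Signature("Trojan beacon", 80, b"TROJAN-BEACON", "drop connection"),
]

# Constructed capture the sensor listens to: one benign request, two probes
# from the same outside host, and one outbound beacon from an infected workstation.
CAPTURE = [
    Packet("10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.0.0.20", 111, b"A" * 16 + b"\x00" * 4),
    Packet("10.0.0.33", "203.0.113.9", 80, b"GET /?id=TROJAN-BEACON-42 HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.0.0.20", 22, b"A" * 16 + b"\x01\x02"),
]

class NetworkIDS:
    """One sensor sees every packet; the detection engine, console, response
    subsystem and database sit behind it (steps 2 to 7 of the slides)."""

    def __init__(self, signatures: List[Signature], channels=("email", "snmp")):
        self.signatures = signatures
        self.channels = channels          # how the console alerts the security staff (step 4)
        self.database: List[dict] = []    # alerts kept for later review (step 6)
        self.notifications: List[tuple] = []
        self.responses: List[tuple] = []

    def inspect(self, pkt: Packet) -> Optional[Signature]:
        """Step 3: compare the packet with every predefined pattern."""
        for sig in self.signatures:
            if sig.dport in (None, pkt.dport) and sig.pattern in pkt.payload:
                return sig
        return None

    def process(self, pkt: Packet) -> Optional[dict]:
        sig = self.inspect(pkt)
        if sig is None:
            return None
        alert = {"signature": sig.name, "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport}
        self.notifications.extend((ch, sig.name) for ch in self.channels)   # step 4
        self.responses.append((sig.response, pkt.src))                      # step 5 (automatic)
        self.database.append(alert)                                         # step 6
        return alert

    def run(self, capture: List[Packet]) -> List[dict]:
        """Steps 1 and 2: the sensor reads each packet off the wire and hands it on."""
        return [a for a in (self.process(p) for p in capture) if a is not None]

    def report(self) -> Dict[str, Dict[str, int]]:
        """Step 7: summary of the intruder's actions, per source address."""
        summary: Dict[str, Dict[str, int]] = {}
        for a in self.database:
            per_src = summary.setdefault(a["src"], {})
            per_src[a["signature"]] = per_src.get(a["signature"], 0) + 1
        return summary

if __name__ == "__main__":
    ids = NetworkIDS(SIGNATURES)
    for alert in ids.run(CAPTURE):
        print("ALERT", alert)
    print("report:", ids.report())
```

In the distributed variant the only change is where `run` gets its packets: each host's sensor would feed only the packets addressed to that host and send the resulting alerts to the shared console.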
Distributed Network-Node Architecture (continued, figure)
How a network IDS operates
- Tip-off: detects an intrusion into the network at the moment it is carried out
- Surveillance: observes the behaviour of a set of components on the network
Benefits of a network IDS
- Deterrence
- Detection
- Automatic notification and response mechanisms: reconfigure the firewall/router; tear down the connection
Host IDS
- A host IDS uses information from the host computer itself
- Data sources: system event log, application log
- Effective at detecting intrusions from inside the network
Attacks detected by a host IDS
- Misuse of privileged rights: occurs when a user who has been granted root or admin rights uses them for illegitimate purposes
- Misuse of elevated privileges: system administrators often grant users elevated privileges so that they can install special applications
Host IDS architecture
There are two architectures for a host IDS:
- Target agent: a small program that runs on the host
  - The agent on the host lets the host system perform locally privileged operations
  - Runs as a background process on Unix and as a service on Windows
  - One or more agents run on the host system
- Centralized host-based architecture
Centralized Host-Based Architecture (figure)
How it works
1. When an action is performed on the system (a file is accessed or a program is run), an event is generated
2. The host's agent sends the file to the control centre at regular intervals over a secure channel
3. The detection engine compares the file's behaviour pattern with the predefined behaviours
5. If the behaviour matches the predefined behaviour patterns, an alert is generated and passed to the subsystems for notification, response and storage
6. The security office issues the notification through communication channels (paper, email, ...)
7. A response is issued
8. The alert is stored in the database
10. A report is produced, summarising the alerts and events
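As an added example (not from the lecture), the Python below walks host events through the agent/control-centre flow described here, with detection patterns taken from the "attacks detected by a host IDS" slide: a non-admin using root rights for something other than installing software, and anyone stopping the IDS agent (the weakness named on the later "vulnerability" slide). The syslog-style events, hostnames, users, the admin set, the allowed install commands and the `hids-agent` service name are constructed for the example; the batch size stands in for the agent's reporting interval.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed host events in syslog style, from the system log (sshd, sudo) and
# an application log (payroll). Hostnames, users and commands are made up.
EVENTS = [
    "Mar 12 09:01:02 ws12 sshd[410]: Accepted password for bob from 10.0.0.9 port 50122",
    "Mar 12 09:02:10 ws12 sudo:   bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt install gimp",
    "Mar 12 09:05:44 ws12 sudo: carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo carol",
    "Mar 12 09:06:01 ws12 sudo: carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/service hids-agent stop",
    "Mar 12 09:07:30 ws12 payroll[2210]: monthly report generated by bob",
]

ADMINS = {"root", "ops"}
# Elevated rights were granted so users can install applications: only these
# command prefixes count as legitimate privileged use by a non-admin.
ALLOWED_PRIVILEGED_PREFIXES = ("/usr/bin/apt", "/usr/bin/snap")

SUDO_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")
GENERIC_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(\[\d+\])?: (?P<msg>.*)$")

def parse_event(line: str) -> Optional[dict]:
    """Step 1: turn one log line into an event record."""
    m = SUDO_RE.match(line)
    if m:
        return {"ts": m["ts"], "host": m["host"], "program": "sudo", "user": m["user"], "command": m["cmd"]}
    m = GENERIC_RE.match(line)
    if m:
        return {"ts": m["ts"], "host": m["host"], "program": m["prog"], "user": None, "command": m["msg"]}
    return None

# Predefined behaviour patterns the detection engine compares events against.
def privilege_misuse(ev: dict) -> bool:
    """A non-admin used root rights for something other than installing software."""
    return (ev["program"] == "sudo" and ev["user"] not in ADMINS
            and not ev["command"].startswith(ALLOWED_PRIVILEGED_PREFIXES))

def agent_switched_off(ev: dict) -> bool:
    """Stopping the IDS agent itself defeats the purpose of the IDS, whoever does it."""
    return ev["program"] == "sudo" and "hids-agent stop" in ev["command"]

RULES = [("misuse of privileged rights", privilege_misuse),
         ("IDS agent stopped", agent_switched_off)]

class HostAgent:
    """Step 2: runs on the host, gathers events and forwards them to the control
    centre in batches (standing in for 'at regular intervals over a secure channel')."""
    def __init__(self, batch_size: int = 2):
        self.batch_size = batch_size
        self.pending: List[dict] = []

    def collect(self, line: str) -> Optional[List[dict]]:
        ev = parse_event(line)
        if ev is not None:
            self.pending.append(ev)
        if len(self.pending) >= self.batch_size:
            batch, self.pending = self.pending, []
            return batch
        return None

    def flush(self) -> List[dict]:
        batch, self.pending = self.pending, []
        return batch

class ControlCentre:
    def __init__(self):
        self.database: List[dict] = []    # step 8: stored alerts

    def receive(self, batch: List[dict]) -> List[dict]:
        """Steps 3 and 5: compare each event with the predefined patterns and raise alerts."""
        raised = []
        for ev in batch:
            for name, rule in RULES:
                if rule(ev):
                    alert = {"rule": name, "host": ev["host"], "user": ev["user"], "command": ev["command"]}
                    self.database.append(alert)
                    raised.append(alert)
        return raised

    def report(self) -> Dict[tuple, int]:
        """Step 10: summarise stored alerts per (host, user, rule)."""
        return dict(Counter((a["host"], a["user"], a["rule"]) for a in self.database))

def run(lines: List[str], batch_size: int = 2) -> ControlCentre:
    agent, centre = HostAgent(batch_size), ControlCentre()
    for line in lines:
        batch = agent.collect(line)
        if batch:
            centre.receive(batch)
    centre.receive(agent.flush())
    return centre

if __name__ == "__main__":
    centre = run(EVENTS)
    for alert in centre.database:
        print("ALERT", alert)
    print(centre.report())
```

Note that the agent-stop event fires both rules: carol is not an admin and the command is not an install, and it stops the agent. The second rule matters even for admins, because once the agent is gone nothing after it will be reported.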
Advantages of a host IDS
- Detects misuse of resources
- Deters and prevents intrusions
- Assesses the extent of the damage
- Prevents harm from the inside
Assessment of host IDS
- Performance: it is a distributed mechanism that processes data originating on the hosts. Because of the host IDS architecture, the host's own performance can suffer
- Windows NT workstation: 1 MB, Windows NT server: 8 MB, Unix: 20 MB. Consider a network of 10 Windows NT servers, 5 Unix servers, 200 Windows NT workstations and 50 Unix workstations: the total data generated reaches 800 MB per day
Assessment of host IDS (continued)
- Deployment and maintenance: hard, because it is a distributed system and needs a remote update mechanism
- Vulnerability:
  - The purpose of installing the IDS is defeated if the hacker can break into the host and switch off the agents
  - The IDS is usually ineffective against the hacker's first intrusion; it is only effective at detecting predefined behaviours
  - Tampering with the agent's records: the hacker can break into the agents and alter the information inside them
Comparison of network IDS and host IDS

Advantage         | Network IDS                                                        | Host IDS
Prevention        | Weak against intrusions from inside                                | Strong against intrusions from inside
Detection         | Good for intrusions from outside, weak for intrusions from inside  | Good for intrusions from inside, weak for intrusions from outside
Response          | Real time for intrusions from outside                              | Real time for intrusions from inside
Damage assessment | Weak                                                               | Strong
Honeypot: a complementary tool for IDS
- Another tool used to detect intrusions into the system
- Works on the principle of deception
- Its aim is to lure the intruder by simulating a computer on the network that can be broken into
- The honeypot is used by the IDS to discover the different ways the system can be compromised
- When the intruder attacks, its activity is recorded in a log file
- The IDS relies on this log file to detect similar kinds of attack
Kinds of honeypot
- Production honeypot: helps detect intrusions that the IDS cannot detect
- Research honeypot: used for research purposes; deployed to analyse the intruder's attack activity
Using honeypots
- Port monitor: a fake program that sets traps for the intruder by letting him establish a connection to it
- Deception system: simulates an environment the intruder can interact with
- Multi-protocol deception system: a system that can emulate other systems; a honeypot running on Windows NT can emulate a Unix operating-system environment
- Full system: the IDS works together with the honeypot
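As an added example (not from the lecture), the Python below is a minimal port monitor of the kind described on the honeypot slides: a fake service that listens on a port nothing legitimate uses, greets whoever connects, records the source and the first bytes received, and keeps those records as the log an IDS would read. `summarize` plays the IDS side, turning the log into per-source counts and candidate patterns. The loopback address, the OS-chosen port, the FTP-style banner and the `connect_and_send` test client are assumptions of the example.

```python
import socket
import threading
import time
from datetime import datetime, timezone
from typing import Dict, List

class PortMonitor:
    """Fake service on a port nothing legitimate uses. Every connection is a
    trap being sprung, so each one is recorded: who connected, when, and the
    first bytes they sent. The entries stand in for the honeypot's log file."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = b"220 ftp service ready\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))          # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)             # so the serving loop can notice stop()
        self.banner = banner                  # looks like a real service, keeps the visitor talking
        self.log: List[dict] = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    @property
    def port(self) -> int:
        return self.sock.getsockname()[1]

    def start(self) -> None:
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (ip, sport) = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                conn.sendall(self.banner)
                try:
                    data = conn.recv(1024)
                except socket.timeout:
                    data = b""
            self.log.append({"time": datetime.now(timezone.utc).isoformat(),
                             "src": ip, "sport": sport, "dport": self.port, "data": data})

    def wait_for(self, count: int, timeout: float = 3.0) -> bool:
        """Block until `count` entries have been logged (or the timeout passes)."""
        deadline = time.monotonic() + timeout
        while len(self.log) < count and time.monotonic() < deadline:
            time.sleep(0.02)
        return len(self.log) >= count

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self.sock.close()

def summarize(log: List[dict]) -> Dict[str, dict]:
    """The IDS side: read the honeypot log and, per source, count attempts and
    keep the distinct first lines sent; those lines are candidates for new signatures."""
    summary: Dict[str, dict] = {}
    for entry in log:
        s = summary.setdefault(entry["src"], {"attempts": 0, "first_lines": []})
        s["attempts"] += 1
        first = entry["data"].split(b"\r\n", 1)[0]
        if first and first not in s["first_lines"]:
            s["first_lines"].append(first)
    return summary

def connect_and_send(port: int, data: bytes, host: str = "127.0.0.1") -> bytes:
    """Test client standing in for whoever walks into the trap: connects,
    reads the banner, sends one line and disconnects."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        banner = c.recv(1024)
        c.sendall(data)
    return banner

if __name__ == "__main__":
    monitor = PortMonitor()
    monitor.start()
    connect_and_send(monitor.port, b"USER anonymous\r\n")
    connect_and_send(monitor.port, b"HELP\r\n")
    monitor.wait_for(2)
    monitor.stop()
    print(summarize(monitor.log))
```

Because nothing legitimate ever talks to this port, the monitor has no false-positive problem of its own; the value is in the recorded first lines, which show what a visitor tries first and can be turned into signatures for the production IDS.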
Snort
Basics
- Rule header: alert tcp any any -> 192.112.12.0/24 111
- Rule options: (content:"foobar"; msg:"example";)
In theory
- Signatures ensure that an alert is only raised when there is a real attack
- Writing signatures is very easy
- Multi-pattern matching: allows many patterns to be compared at the same time
In practice
- There are many different reasons that can lead to false alerts
- Writing good signatures is very hard
- This is not only true of Snort: most other products are no better than Snort, and some are weaker
Content
- The content keyword searches for a keyword in the data (payload) section
- Issue: its parameter can be ASCII or binary data
Depth, Offset
- The depth keyword lets the rule writer specify how far into the packet Snort searches for a given pattern
- The offset keyword lets the rule writer specify where in the packet to start searching for the pattern
- Reduces search time
Options
- Besides the content keyword, there are several other options on the packet header that can be used to filter the signals
- However, these options are only checked after the content check
- A few options: dsize: checks the size of the data section (payload size); flags: checks for the presence of certain TCP bits; flow: applies the rule to traffic that belongs to a connection
Rules
alert tcp $out any -> $in any (msg:"SCAN cybercop os PA12 attempt"; content:"AAAAAAAAAAAAAAAA"; depth:16;)
alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)
- A great many rules already exist
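As an added example (not from the lecture and not Snort's own code), here is a small Python matcher that parses rules in the header-plus-options form shown on the Snort slides and applies them to constructed packets. It implements content with the depth and offset modifiers, the ASCII-or-binary `|xx|` form of a content value, and the dsize, ttl and flags options; it is also the concrete form of the misuse-detection technique from earlier in the lecture (a database of patterns, an alert when a packet matches one). The first three rules are the ones on the slides; the `$out`/`$in` bindings, the packets and the fourth rule (a Trojan beacon in an HTTP query string, tying back to the IDS vs Firewall scenario) are assumptions of the example. The semantics follow Snort's: offset is where the search starts, depth is how many bytes from there are searched, so the pattern must fit entirely inside that window.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    ttl: int = 64
    flags: str = ""           # TCP flags as letters, e.g. "S", "SA", "PA"

OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')

def parse_rule(text: str) -> dict:
    """'action proto src sport -> dst dport (opt:val; ...)' -> header fields plus ordered options."""
    head, _, body = text.strip().partition("(")
    action, proto, src, sport, arrow, dst, dport = head.split()
    assert arrow == "->", "only unidirectional rules are handled here"
    body = body.strip().rstrip(")").strip()
    if body and not body.endswith(";"):
        body += ";"                        # tolerate a missing final semicolon
    options = [(k, v.strip().strip('"')) for k, v in OPTION_RE.findall(body)]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def parse_content(value: str) -> bytes:
    """content value: ASCII text, with |xx xx| runs for binary bytes."""
    parts = value.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def _addr_match(spec: str, ip: str, variables: Dict[str, str]) -> bool:
    spec = variables.get(spec, spec)       # resolve $variables
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec: str, port: int, variables: Dict[str, str]) -> bool:
    spec = variables.get(spec, spec)
    return spec == "any" or int(spec) == port

def _num_match(spec: str, value: int) -> bool:
    """Snort-style numeric test: N, <N, >N or N<>M (exclusive range)."""
    if "<>" in spec:
        lo, hi = spec.split("<>")
        return int(lo) < value < int(hi)
    if spec[0] in "<>":
        return value < int(spec[1:]) if spec[0] == "<" else value > int(spec[1:])
    return value == int(spec)

def _flags_match(spec: str, flags: str) -> bool:
    spec = spec.split(",")[0]              # ignore an optional ",12" reserved-bit mask
    if spec.startswith("+"):               # "+S": SYN plus any other flags
        return set(spec[1:]) <= set(flags)
    return set(spec.replace("0", "")) == set(flags)   # exact flag set; "0" means none

def match(rule: dict, pkt: Packet, variables: Dict[str, str] = None) -> bool:
    variables = variables or {}
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if not (_addr_match(rule["src"], pkt.src, variables) and _port_match(rule["sport"], pkt.sport, variables)
            and _addr_match(rule["dst"], pkt.dst, variables) and _port_match(rule["dport"], pkt.dport, variables)):
        return False
    contents: List[dict] = []
    others: List[Tuple[str, str]] = []
    for key, val in rule["options"]:
        if key == "content":
            contents.append({"pattern": parse_content(val), "offset": 0, "depth": None})
        elif key in ("offset", "depth"):   # modifiers apply to the preceding content
            contents[-1][key] = int(val)
        elif key in ("dsize", "ttl", "flags"):
            others.append((key, val))
    # Payload content is checked first; the header options come afterwards.
    for c in contents:
        end = None if c["depth"] is None else c["offset"] + c["depth"]
        if c["pattern"] not in pkt.payload[c["offset"]:end]:
            return False
    checks = {"dsize": lambda v: _num_match(v, len(pkt.payload)),
              "ttl": lambda v: _num_match(v, pkt.ttl),
              "flags": lambda v: _flags_match(v, pkt.flags)}
    return all(checks[key](val) for key, val in others)

# Constructed variable bindings: "$out" is the untrusted side, "$in" the protected network.
VARS = {"$out": "203.0.113.0/24", "$in": "192.0.2.0/24"}

RULES = [parse_rule(r) for r in [
    'alert tcp $out any -> $in any (msg:"SCAN cybercop os PA12 attempt"; content:"AAAAAAAAAAAAAAAA"; depth:16;)',
    'alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)',
    'alert tcp any any -> 192.112.12.0/24 111 (content:"foobar"; msg:"example";)',
    # Constructed rule combining offset, depth, flags and dsize for the Trojan-beacon scenario
    'alert tcp any any -> any 80 (msg:"beacon in query string"; content:"GET /?id="; depth:9; '
    'content:"TROJAN-BEACON"; offset:9; depth:20; flags:PA; dsize:>20;)',
]]

def alerts_for(pkt: Packet) -> List[str]:
    """Return the msg of every rule that fires on the packet."""
    return [dict(r["options"]).get("msg", "") for r in RULES if match(r, pkt, VARS)]
```

The depth modifier is what makes the scan rule cheap and precise: with `depth:16` the sixteen A's must occupy the first sixteen payload bytes, so a payload that merely contains them further in does not fire. The beacon rule shows offset and depth working together: the second content is only searched in the twenty bytes that follow the nine-byte request prefix.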