Chapter 11- Wireless Intrusion Detection-class

Chapter 11 discusses wireless intrusion detection, focusing on intrusion detection systems (IDS) and vulnerability analysis methods. It explains different detection methodologies, such as misuse detection and anomaly detection, and outlines various types of IDS technologies, including network-based and host-based systems. Additionally, it covers vulnerability assessments, emphasizing the importance of identifying and addressing security weaknesses in systems through credentialed and non-credentialed scanning methods.

Uploaded by teddy haile

CT-7691-Mobile Wireless Security 3-2-3

Chapter 11: Wireless Intrusion Detection

• Intrusion Detection
 Misuse detection
 Anomaly detection

• Vulnerability Analysis
 Network-Based Vulnerability Scanners
 Host-Based Vulnerability Scanners

• Credentialed and Non-Credentialed Methods for Vulnerability Analysis

Intrusion Detection
• Intrusion detection is the process of
- monitoring the events occurring in a computer system or network, and
- analyzing them for signs of possible incidents, which are violations or
imminent threats of violation of computer security policies, acceptable use
policies, or standard security practices.
i.e., an IDS can be defined as a group of hardware and software mechanisms
that detect actions which could compromise the confidentiality, integrity
and availability of network resources (stopping those actions is the job of
an IPS; see below).

• Intrusions are caused by attackers accessing the systems from the Internet,
authorized users of the systems who attempt to gain additional privileges
for which they are not authorized, and authorized users who misuse the
privileges given them.
• By gathering and analyzing the data flows through the network, IDS can
detect potential attacks.

 Incidents have many causes, such as
- malware (e.g., worms, spyware),
- attackers gaining unauthorized access to systems from the Internet, and
- authorized users of systems who misuse their privileges or attempt to gain
additional privileges for which they are not authorized.
Note that while many incidents are malicious in nature, many others are not
(e.g., an honest mistake by a user), so not every detected incident is an attack.

• An intrusion detection system (IDS) is software that automates the intrusion
detection process.
• An intrusion prevention system (IPS) is software that has all the capabilities of
an intrusion detection system and can also attempt to stop possible
incidents.
• An intrusion detection and prevention system (IDPS) is a solution that
monitors a network for threats and then takes action to stop any threats that
are detected.
An IDPS is closely related to an intrusion detection system (IDS).

Intrusion Detection Systems (IDSs)

• An IDS detects a violation of its configured policy or signatures and raises an alarm
• IDSs inform admins of trouble via e-mail, pagers, or a management console

IDS Terminology
• Alert, alarm: an indication that the IDS has detected an event it considers
an attack or policy violation
• False negative: IDS fails to detect an actual attack
• False positive: attack alert raised when no attack occurred
• Confidence value: the IDS's estimate of the probability that a detected
event is an actual attack
• Alarm filtering: classifying alerts and suppressing those known to be
false positives, so that analysts see only alerts worth investigating
Intrusion Detection Systems Classification

IDS Detection Methods


• IDPS technologies use many methodologies to detect incidents. The
primary classes of detection methodologies are:
 Misuse detection (also called signature-based detection),
 Anomaly detection, and
 Stateful protocol analysis.

• Most IDPS technologies use multiple detection methodologies, either
separately or integrated, to provide broader and more accurate detection.

Here, let's focus on misuse detection and anomaly detection techniques.



 Misuse Detection (Signature-Based Detection )
• A signature is a pattern that corresponds to a known threat.
• Signature-based detection is the process of comparing signatures against
observed events to identify possible incidents.
i.e., compares the observed behavior with known attack patterns
(signatures).
- Action patterns that may pose a security threat have to be defined and
stored in the system.

An example of a signature:
• An e-mail with a subject of "Free pictures!" and an attachment filename
of "freepics.exe", which are characteristics of a known form of malware.

 Signature-based detection is the simplest detection method because it just
compares the current unit of activity, such as a packet or a log entry, to a list
of signatures using string comparison operations.
Advantage: it can accurately and efficiently detect instances of known
attacks.

Disadvantage: it cannot detect an unknown type of attack; only attacks
that have an entry in the signature database can be detected,
i.e., it is largely ineffective at detecting
- previously unknown threats,
- threats disguised by the use of evasion techniques, and
- many variants of known threats. For example, if an attacker modified the
malware in the previous example to use a filename of "freepics2.exe", a
signature looking for "freepics.exe" would not match it.
- The IDS's signature database must be updated to keep pace with new
attacks.
- Malicious code authors intentionally use tricks (e.g., renaming files or
encoding payloads) to fool these IDSs.
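The following is an added example, not code from the original slides: it runs the "Free pictures!" / "freepics.exe" signature from the text over a few constructed e-mail log records, using the plain string comparison the slides describe, and shows why the "freepics2.exe" variant slips past it. A second, regex-based signature (a hypothetical rule, not an official one) is included to show the usual trade-off: a looser pattern catches the rename at the cost of matching more benign traffic.

```python
"""Signature-based (misuse) detection over constructed e-mail log records.

Added example, not from the original slides. The records and the signature
definitions below are constructed for illustration; they are not real
malware indicators.
"""
import re

# Constructed e-mail metadata as an IDS would see it from a mail-gateway log.
SAMPLE_EVENTS = [
    {"id": 1, "subject": "Free pictures!", "attachment": "freepics.exe"},
    {"id": 2, "subject": "Q3 budget",      "attachment": "budget.xlsx"},
    {"id": 3, "subject": "Free pictures!", "attachment": "freepics2.exe"},  # renamed variant
    {"id": 4, "subject": "Invoice",        "attachment": "invoice.pdf.exe"},
]

# Exact-match signature: the slide's "Free pictures!" / "freepics.exe" pattern.
EXACT_SIGNATURES = [
    {"name": "freepics-worm", "subject": "Free pictures!", "attachment": "freepics.exe"},
]

# Looser hypothetical signatures: a regex on the attachment name tolerates
# simple renames (freepics2.exe) at the cost of more false positives.
REGEX_SIGNATURES = [
    {"name": "freepics-worm-variants", "attachment": re.compile(r"^freepics\d*\.exe$", re.I)},
    {"name": "double-extension-exe",   "attachment": re.compile(r"\.(pdf|doc|jpg)\.exe$", re.I)},
]

def match_exact(event, sig):
    """String comparison of every field the signature defines."""
    return all(event.get(k) == v for k, v in sig.items() if k != "name")

def match_regex(event, sig):
    return bool(sig["attachment"].search(event.get("attachment", "")))

def detect(events, exact_sigs=EXACT_SIGNATURES, regex_sigs=REGEX_SIGNATURES):
    """Return {event_id: [signature names]} for every event that hit a signature."""
    alerts = {}
    for ev in events:
        hits = [s["name"] for s in exact_sigs if match_exact(ev, s)]
        hits += [s["name"] for s in regex_sigs if match_regex(ev, s)]
        if hits:
            alerts[ev["id"]] = hits
    return alerts

if __name__ == "__main__":
    for ev_id, names in detect(SAMPLE_EVENTS).items():
        print(f"event {ev_id}: {', '.join(names)}")
```

With only the exact signature loaded (`detect(SAMPLE_EVENTS, regex_sigs=[])`), event 1 is the sole hit and the renamed variant in event 3 is missed, which is the weakness the text describes; loading the regex rules catches events 3 and 4 as well.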

 Anomaly-Based Detection (Anomaly Detection)
• Anomaly-based detection is the process of comparing definitions of what
activity is considered normal against observed events to identify significant
deviations.
- The detection is based on monitoring changes in behavior, rather than
searching for some known attack signatures.
- Intrusion detection systems try to detect abnormal actions either in host or
network.
- Using this technique, any action which is detected different from the usual
legitimate actions is seen as intrusion.
A statistical method is normally used in anomaly detection:
- Before the anomaly-detection-based system is deployed, it usually must be
taught to recognize normal system activity (usually by automated training),
where normal user activity is first characterized using statistical methods
(e.g., a Hidden Markov Model (HMM)) and saved in the system's database.
- The system then watches for activities that differ from the learned behavior
by a statistically significant amount.

• That is , an IDPS using anomaly-based detection has profiles that represent
the normal behavior of such things as users, hosts, network connections,
or applications.
- The profiles are developed by monitoring the characteristics of typical
activity over a period of time.
- The IDPS uses statistical methods to compare the characteristics of current
activity to thresholds related to the profile.
- Profiles can be developed for many behavioral attributes, such as the
number of e-mails sent by a user, the number of failed login attempts for
a host, and the level of processor usage for a host in a given period of
time.
• Advantage: very effective at detecting previously unknown threats, i.e.,
it can detect new types of attacks.
• Disadvantages:
- Requires more overhead and compute power than signature-based IDSs
- May generate many false positives, since benign but unusual activity also
deviates from the profile
- The system assumes that there are no intruders during the learning phase;
malicious activity present while the profile is built is learned as "normal".
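The following is an added example, not code from the original slides: it builds the kind of profile the text describes for one behavioral attribute (failed login attempts per hour for a host) as a mean and standard deviation over a training window, then flags observations that deviate by more than a threshold. The second training set shows the last disadvantage above: when a brute-force campaign is present during the learning phase, the profile absorbs it and the same attack later goes undetected. All counts are constructed and the 3-sigma threshold is an illustrative choice.

```python
"""Anomaly-based detection with a statistical profile: failed logins per hour
for one host, flagged when more than N standard deviations above the mean.

Added example, not from the original slides. The hourly counts are constructed;
the z-score threshold is an illustrative choice, not a standard.
"""
from statistics import mean, pstdev

# Constructed training data: hourly failed-login counts for one host, clean day.
CLEAN_TRAINING = [2, 1, 3, 0, 2, 4, 1, 2, 3, 1, 2, 0,
                  1, 3, 2, 2, 1, 0, 2, 3, 1, 2, 1, 2]

# Same host, but a password-guessing campaign ran during the learning phase.
CONTAMINATED_TRAINING = CLEAN_TRAINING + [180, 220, 195, 240, 205]

# Hourly counts observed after deployment; index 3 is a brute-force burst.
OBSERVED = [2, 1, 3, 210, 2]

def build_profile(samples):
    """Learn 'normal' as the mean and population std-dev of the training samples."""
    return {"mean": mean(samples), "std": pstdev(samples), "n": len(samples)}

def z_score(value, profile):
    std = profile["std"] or 1.0     # constant training data: fall back to unit scale
    return (value - profile["mean"]) / std

def detect_anomalies(observed, profile, threshold=3.0):
    """Indexes of observations more than `threshold` std-devs above the learned mean."""
    return [i for i, v in enumerate(observed) if z_score(v, profile) > threshold]

if __name__ == "__main__":
    for label, training in (("clean", CLEAN_TRAINING), ("contaminated", CONTAMINATED_TRAINING)):
        profile = build_profile(training)
        hits = detect_anomalies(OBSERVED, profile)
        print(f"{label:13s} mean={profile['mean']:.1f} std={profile['std']:.1f} "
              f"anomalies at {hits}")
```

Against the clean profile (mean about 1.7, std about 1.0) the burst of 210 is hundreds of standard deviations out and is flagged; against the contaminated profile (mean about 37, std about 78) the same burst scores roughly 2.2 sigma and is not, which is why the learning phase must be verified clean before the profile is trusted.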

The table below summarizes the comparison between misuse detection and
anomaly detection, drawn from the points above.

TABLE. A Comparison Between Misuse and Anomaly Detection Techniques.

  Criterion               | Misuse (signature-based)                | Anomaly-based
  ------------------------+-----------------------------------------+------------------------------------------
  Reference data          | Database of known attack patterns       | Profile of normal behavior (learned)
  Known attacks           | Detected accurately and efficiently     | Detected only if they deviate from profile
  Unknown / new attacks   | Not detected                            | Can be detected
  Variants, evasion       | Easily missed (e.g., freepics2.exe)     | Detected if the behavior changes noticeably
  False positives         | Low                                     | Can be high
  Overhead                | Low (string comparison)                 | Higher (statistics, training)
  Maintenance             | Signature updates for new attacks       | Re-training; clean learning phase required



• Types of IDS Technologies
There are many types of IDPS technologies. They can be divided into four categories,
depending on the types of events they monitor and the ways in which they are deployed:
 Network-Based IDS (NIDS),
 Network Behavior Analysis (NBA),
 Host-Based IDS (HIDS), and
 Wireless IDS.
• Intrusion detection systems monitor the events occurring in a computer system
or networks for analyzing the patterns of intrusions. IDS examine a host or
network to spot the potential intrusions.
• Host-based IDS (HIDS) and network-based IDS (NIDS) are the basic two types of
intrusion detection system classes .
- HIDS watches particular host activities like system logs and process activities.
Host-based systems explore the system calls and process identifiers mainly
related to the operating system data.
- NIDS monitor and analyze the whole network’s traffic. Network-based systems
analyze network-related events like traffic volume, IP address, service ports, and
protocol used.

Fig. Implementation of NIDS and HIDS in computer networks (the figure, not
reproduced here, illustrates deploying both NIDS and HIDS to protect the network).



 Network-Based IDS
• Monitors network traffic for particular network segments or devices and
analyzes the network and application protocol activity to identify suspicious
activity.
• It can identify many different types of events of interest.
- It is most commonly deployed at a boundary between networks, such as in
proximity to border firewalls or routers, virtual private network (VPN)
servers, remote access servers, and wireless networks.

NIDS

• Resides on a computer or appliance connected to a segment of an
organization's network; looks for signs of attacks
• When examining packets, a NIDS looks for attack patterns
• Installed at a specific place in the network where it can watch traffic going
into and out of a particular network segment

 Wireless IDS
• Monitors wireless network traffic and analyzes its wireless networking
protocols (e.g., IEEE 802.11 management frames) to identify suspicious
activity involving the protocols themselves, such as rogue or unauthorized
access points and spoofed deauthentication frames.
• It cannot identify suspicious activity in the application or higher-layer
network protocols (e.g., TCP, UDP) that the wireless network traffic is
transferring.
• It is most commonly deployed within range of an organization's wireless
network to monitor it, but can also be deployed to locations where
unauthorized wireless networking could be occurring.
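The following is an added example, not code from the original slides, of the kind of protocol-level analysis a wireless IDS performs: it decodes IEEE 802.11 management frames (beacons and deauthentication frames) from raw bytes and raises two alerts, a rogue access point advertising an authorized SSID from an unlisted BSSID, and a deauthentication flood from one source address. The frames are constructed in the file rather than captured from a radio, and the authorized-AP list and flood threshold are hypothetical.

```python
"""Wireless IDS sketch: parse IEEE 802.11 management frames and flag rogue
access points and deauthentication floods.

Added example, not from the original slides. All frames below are constructed
in this file (no capture interface is used); the authorized-AP list and the
flood threshold are hypothetical.
"""
import struct
from collections import Counter

MGMT = 0            # 802.11 frame type: management
BEACON = 8          # management subtype: beacon
DEAUTH = 12         # management subtype: deauthentication
BROADCAST = b"\xff" * 6

# Hypothetical site policy: SSID -> set of BSSIDs allowed to advertise it.
AUTHORIZED = {"corp-wifi": {"00:11:22:33:44:55"}}

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_beacon(bssid: bytes, ssid: str) -> bytes:
    """Constructed beacon: 24-byte MAC header, fixed parameters, SSID element."""
    fc = bytes([(BEACON << 4) | (MGMT << 2), 0x00])
    header = fc + b"\x00\x00" + BROADCAST + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)      # timestamp, interval, capabilities
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()  # element ID 0 = SSID
    return header + fixed + ssid_ie

def build_deauth(src: bytes, dst: bytes, reason: int = 7) -> bytes:
    """Constructed deauthentication frame; addr3 (BSSID) equals the source."""
    fc = bytes([(DEAUTH << 4) | (MGMT << 2), 0x00])
    return fc + b"\x00\x00" + dst + src + src + b"\x00\x00" + struct.pack("<H", reason)

def parse_mgmt(frame: bytes):
    """Decode type/subtype, the three addresses and the fields the detector needs.
    Returns None for non-management or truncated frames."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != MGMT:
        return None
    rec = {"subtype": subtype, "addr1": mac(frame[4:10]),
           "addr2": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    body = frame[24:]
    if subtype == BEACON and len(body) >= 12:
        ies, i = body[12:], 0                        # skip the 12 fixed bytes
        while i + 2 <= len(ies):                     # walk the tagged elements
            tag, length = ies[i], ies[i + 1]
            if tag == 0:
                rec["ssid"] = ies[i + 2:i + 2 + length].decode(errors="replace")
                break
            i += 2 + length
    elif subtype == DEAUTH and len(body) >= 2:
        rec["reason"] = struct.unpack("<H", body[:2])[0]
    return rec

def detect(frames, deauth_threshold: int = 10):
    """Rogue AP: an authorized SSID advertised by a BSSID not on the list.
    Deauth flood: one source emits >= threshold deauth frames in the capture
    (a real WIDS would count over a sliding time window)."""
    alerts, deauths = [], Counter()
    for frame in frames:
        rec = parse_mgmt(frame)
        if rec is None:
            continue
        if rec["subtype"] == BEACON and "ssid" in rec:
            allowed = AUTHORIZED.get(rec["ssid"])
            if allowed is not None and rec["bssid"] not in allowed:
                alerts.append(("rogue-ap", rec["bssid"], rec["ssid"]))
        elif rec["subtype"] == DEAUTH:
            deauths[rec["addr2"]] += 1
    for src, n in deauths.items():
        if n >= deauth_threshold:
            alerts.append(("deauth-flood", src, n))
    return alerts

# Constructed capture: legitimate AP, an evil twin on the same SSID, one normal
# deauth from the AP, then 25 deauths spoofing the AP's address to broadcast,
# and one data frame that a management-frame monitor ignores.
LEGIT_AP = bytes.fromhex("001122334455")
EVIL_TWIN = bytes.fromhex("66778899aabb")
CAPTURE = ([build_beacon(LEGIT_AP, "corp-wifi"), build_beacon(EVIL_TWIN, "corp-wifi"),
            build_deauth(LEGIT_AP, bytes.fromhex("aabbccddeeff"))]
           + [build_deauth(LEGIT_AP, BROADCAST) for _ in range(25)]
           + [bytes([0x08, 0x00]) + b"\x00" * 22])

if __name__ == "__main__":
    for alert in detect(CAPTURE):
        print(alert)
```

Note that the flood is attributed to the legitimate AP's address because the attacker spoofs it; that is exactly why a wireless IDS works from frame-level evidence (rate, sequence numbers, signal strength in a real sensor) rather than trusting the source address, and why it cannot say anything about the TCP or application traffic those frames would have carried.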

 Network Behavior Analysis (NBA) IDS
• Examines network traffic to identify threats that generate unusual traffic
flows, such as distributed denial of service (DDoS) attacks, certain forms of
malware (e.g., worms, backdoors), and policy violations (e.g., a client
system providing network services to other systems).
• NBA systems are most often deployed to monitor flows on an organization’s
internal networks, and are also sometimes deployed where they can
monitor flows between an organization’s networks and external networks
(e.g., the Internet, business partners’ networks).
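The following is an added example, not code from the original slides, of two of the flow-level checks an NBA system makes: a workstation that has started completing inbound connections on a server port (the "client providing network services" policy violation above) and a host touching many peers on one port with tiny flows (worm-style scanning). The flow records, the address plan, the server-port list and the thresholds are all constructed for illustration.

```python
"""Network behavior analysis (NBA) over flow records: flag a workstation that
has started serving connections (policy violation) and a host sweeping many
peers on one port (worm-like scanning).

Added example, not from the original slides. The flow records, address plan,
port list and thresholds are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

WORKSTATIONS = ipaddress.ip_network("10.20.0.0/16")   # hypothetical: clients only, no servers
SERVER_PORTS = {22, 80, 443, 445, 3389}

# Constructed flow records: (src, sport, dst, dport, proto, packets)
FLOWS = [
    ("10.20.1.15", 51000, "10.10.0.5", 443, "tcp", 40),    # normal: client to the server farm
    ("10.20.1.22", 52011, "10.20.1.15", 445, "tcp", 12),   # a workstation serving SMB to a peer
    ("10.20.1.23", 52012, "10.20.1.15", 445, "tcp", 9),
    ("10.20.1.30", 51001, "10.20.1.15", 22, "tcp", 1),     # single SYN, no session: not a service
] + [("10.20.3.9", 40000 + i, f"10.20.5.{i}", 445, "tcp", 1) for i in range(1, 61)]  # sweep

def serving_workstations(flows, min_packets=5):
    """(host, port) pairs in the workstation range that complete inbound
    exchanges on a server port, with the number of distinct flows seen.
    Requiring several packets separates a real session from a rejected SYN."""
    offenders = defaultdict(int)
    for _, _, dst, dport, proto, packets in flows:
        if (proto == "tcp" and dport in SERVER_PORTS and packets >= min_packets
                and ipaddress.ip_address(dst) in WORKSTATIONS):
            offenders[(dst, dport)] += 1
    return dict(offenders)

def scanners(flows, min_targets=30):
    """(source, port) pairs that touch at least `min_targets` distinct hosts on
    the same port with tiny flows, typical of a worm probing for a listener."""
    targets = defaultdict(set)
    for src, _, dst, dport, _, packets in flows:
        if packets <= 2:
            targets[(src, dport)].add(dst)
    return {key: len(hosts) for key, hosts in targets.items() if len(hosts) >= min_targets}

if __name__ == "__main__":
    print("workstations offering services:", serving_workstations(FLOWS))
    print("sweeping hosts:", scanners(FLOWS))
```

Neither check looks at packet contents, which is the point of NBA: it works from flow summaries (who talked to whom, on which port, how much) that routers and switches already export, so it scales to internal networks where full packet inspection is impractical.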

 Host-Based IDS
• Monitors the characteristics of a single host and the events occurring
within that host for suspicious activity.

Examples of the types of characteristics a host-based IDPS might monitor are
network traffic (only for that host), system logs, running processes,
application activity, file access and modification, and system and application
configuration changes.
• Host-based IDPSs are most commonly deployed on critical hosts such as
publicly accessible servers and servers containing sensitive information.
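The following is an added example, not code from the original slides, of one HIDS function named above, monitoring file modification and configuration changes: it records a baseline of content hashes and permission bits for a directory tree, then reports files that were modified, added, deleted, or had their permissions changed. The tree is a throwaway directory built in the example (a constructed stand-in for /etc, /bin and /var/log), and the "intruder" changes are constructed as well.

```python
"""Host-based IDS sketch: file integrity monitoring of content and permissions.

Added example, not from the original slides. It builds a throwaway directory
tree (constructed stand-in for /etc, /bin, /var/log), takes a baseline, then
simulates changes an intruder might make and reports them.
"""
import hashlib
import os
import tempfile

def snapshot(root):
    """Map relative path -> (sha256 hex, permission bits) for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = os.stat(full).st_mode & 0o777
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = (digest, mode)
    return snap

def diff_snapshots(baseline, current):
    """Compare two snapshots and return (event, path) tuples in path order."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append(("deleted", rel))
        elif rel not in baseline:
            events.append(("added", rel))
        else:
            (b_hash, b_mode), (c_hash, c_mode) = baseline[rel], current[rel]
            if b_hash != c_hash:
                events.append(("modified", rel))
            if b_mode != c_mode:
                events.append(("permissions", rel))
    return events

def _write(root, rel, text, mode=0o644):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

def demo():
    """Build the tree, baseline it, apply constructed intruder changes, and diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        _write(root, "bin/login", "#!/bin/sh\nexec /bin/real-login\n", 0o755)
        _write(root, "var/log/auth.log", "accepted password for alice\n")
        baseline = snapshot(root)

        # Constructed intruder activity: weaken the sshd config and loosen its
        # permissions, trojan a binary, plant a cron job, wipe a log.
        cfg = _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n")
        os.chmod(cfg, 0o666)
        _write(root, "bin/login", "#!/bin/sh\n/tmp/.x; exec /bin/real-login\n", 0o755)
        _write(root, "etc/cron.d/backdoor", "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "var", "log", "auth.log"))

        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    for event, path in demo():
        print(f"{event:12s} {path}")
```

In a real deployment the baseline must be stored where the monitored host cannot alter it (or signed), because an intruder with root can otherwise re-baseline after making changes; that is also why the text places HIDS agents on critical hosts and has them report to a central system.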

IDS Control Strategies

An IDS can be implemented via one of three basic control strategies:
– Centralized: all IDS control functions are implemented and managed in
a central location
– Fully distributed: all control functions are applied at the physical
location of each IDS component
– Partially distributed: combines the two; while individual agents can
still analyze and respond to local threats, they report to a hierarchical
central facility to enable organization to detect widespread attacks.

Centralized IDS Control (Fig.)
• Under centralized control strategies, all monitoring, detection and
reporting is controlled directly from a central location

Partially Distributed IDS Control (Fig.)
• Monitoring and detection is controlled from a local control node, with
hierarchical reporting to one or more central location(s).

Fully Distributed IDS Control (Fig.)
• Monitoring and detection is done using an agent-based approach, where
response decisions are made at the point of analysis.
 Vulnerability Analysis
• A vulnerability assessment(VA) is the process of identifying and analyzing
those security vulnerabilities that might exist in an enterprise.
• Vulnerability assessments alone do not prevent security incidents.
- Conducting an assessment does not necessarily improve security on its own;
instead, it reflects a snapshot of the environment at a particular point in
time, and its goal is simply to identify and analyze weaknesses present in a
technical environment.
• Finding and closing the security holes in the network is a necessary (though
not by itself sufficient) step in protecting the organization's network from attack.

• Analysis is carried out to determine the vulnerability of a network.
For example, a vulnerability scanner might determine that a server is
missing critical operating system patches by detecting an outdated version
of the operating system during a network probe.
• Eliminating that weakness (i.e., the missing patches) may simply require a
software update and a reboot.

• Vulnerability assessments identify and suggest fixes for possible
vulnerabilities that attackers might exploit in operating systems or in mail,
HTTP, and FTP servers.
• Moreover, they point out which systems are noncompliant with the
company security policies.

• Performing VAs on company systems provides three key pieces of
information necessary for improving their security:
1) which systems are vulnerable,
2) which services/components on those systems are vulnerable, and
3) the best method for repairing the vulnerabilities (i.e., which patch or
software version should be applied).
- Performing this procedure on a regular basis allows IT professionals to
find and repair possible security vulnerabilities before attackers find and
exploit them.
• Many analysis techniques / tools are available for conducting vulnerability
assessments.

• Types of Vulnerability Assessment


There are four types of vulnerability assessment:
- network-based scan,
- host-based scan,
- wireless-based scan, and
- application-based scan vulnerability assessments .

Here, let’s focus on the two major parts (Network-based analysis , and host-
based analysis).

IT professionals can use both network- and host-based vulnerability
assessments (VAs) to obtain a complete evaluation of the security risks of the
system(s) under investigation.
Network-based Vulnerability Assessments
• Network-based vulnerability assessment aims at
- compiling an inventory of systems and services attached to the network and,
for each system and service,
- identifying the weaknesses and vulnerabilities visible and exploitable on the
network, using methodologies such as network mapping, port mapping and
vulnerability-checking programs (followed by remediation such as stopping
unneeded services).
 Network-based analysis identifies vulnerable systems on the entire network.
- This test should be conducted first to provide immediate results on highly
severe vulnerabilities that need a quick fix.
For instance, a misconfigured firewall or a vulnerable web server, both
considered very severe vulnerabilities, can be detected easily by running a
network vulnerability test.
• Network-based VAs are accomplished through the use of network-based
scanners.
- Network scanners are able to detect open ports, identify services running on
these ports, simulate attacks, and reveal possible vulnerabilities associated
with these services.

 Network-based vulnerability scanning programs or tools
Examples:
- SARA (Security Auditor's Research Assistant), from ARC
- eEye Digital Security Retina
- CyberCop Scanner
- ISS Internet Security Scanner
- Nessus
- OpenVAS
- Enterprise Configuration Manager
- Symantec Enterprise Security Manager
Host-based Vulnerability Assessments
• Host-based analysis identifies vulnerabilities on the organization's internal
systems and adds a layer of testing that a network scan cannot provide, such
as checking the access controls that limit which hosts and users can reach
the organization's confidential data.
This analysis works on a client-server model: an agent (client) must be
installed on every machine you want to check, reporting to a central server.
• Host-based VAs are carried out through host-based scanners.
- Host-based scanners are able to recognize system-level vulnerabilities
including incorrect file permissions, registry permissions, and software
configuration errors.

• Host-based Vulnerability Assessment Tools
Examples:
- Internet Security Systems' (ISS) System Scanner
- Symantec's Enterprise Security Manager
- Pedestal Software Inc.'s SecurityExpressions
 Credentialed and Non-Credentialed Methods for Vulnerability Analysis

What Is The Difference Between Credentialed Scanning And Uncredentialed Scanning?
• Credentialed scanning involves the use of privileged credentials to log in to
systems and applications and inspect them from the inside (installed
packages, configuration files, permissions).
- This type of scanning provides an in-depth and comprehensive analysis of
vulnerabilities and provides more accurate results (fewer false positives
and false negatives, because versions are read from the host rather than
guessed from network banners).
- The scan account itself becomes a high-value target: use a dedicated,
least-privilege account for scanning and protect its credentials.
• Uncredentialed scanning is conducted without the use of privileged
credentials; the scanner only sees what the host exposes on the network
(open ports, service banners, responses to probes).
- This type of scanning is limited in its scope and provides less accurate
results compared to credentialed scanning.
- Despite its limitations, uncredentialed scanning is still useful for identifying
basic vulnerabilities that can be exploited by attackers, and it shows the
host as an outside attacker would see it.

Credentialed and uncredentialed scanning can occur within internal, external,
and environmental scans.

When Do You Need A Credentialed Or Uncredentialed Scan?

• Credentialed scans are ideal for use in the following scenarios:
 When you need a complete and accurate view of the vulnerabilities in a
system.
 When you want to verify that your security measures are working effectively.
 When you need to identify and prioritize vulnerabilities based on their
severity and risk level.

• Uncredentialed scans are ideal for use in the following scenarios:
 When you want a quick overview of the potential vulnerabilities of a system.
 When you do not have administrative access to the target system.
 When you need to perform a preliminary scan before conducting a
comprehensive credentialed scan.
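The following is an added example, not code from the original slides, that serves both the network-based scanner description above (detect an open port, identify the service running on it, match it against known vulnerable versions) and the credentialed versus uncredentialed comparison. It starts a fake service on 127.0.0.1 that answers with a constructed banner, scans it the way an uncredentialed scanner would, and then runs the credentialed check against a constructed package inventory of the same host, where a vulnerable library with no network footprint only shows up in the second pass. Product names, versions and the "fixed-in" list are hypothetical; none refers to a real product or vulnerability.

```python
"""Uncredentialed versus credentialed vulnerability checks against one host.

Added example, not from the original slides. The banner, the package
inventory and the vulnerability list are constructed; the product names and
versions are hypothetical and do not refer to real vulnerabilities.
"""
import socket
import threading

BANNER = b"220 ExampleFTPd 1.2 ready\r\n"

# Hypothetical vulnerability list: product -> first version that is fixed.
VULN_DB = {"ExampleFTPd": (1, 3), "examplessl": (1, 0)}

# Constructed package inventory, as a credentialed scan would read it from the host.
INSTALLED_PACKAGES = {"ExampleFTPd": "1.2", "examplessl": "0.9.7", "examplelib": "2.0.1"}

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(product, version):
    fixed = VULN_DB.get(product)
    return fixed is not None and parse_version(version) < fixed

def start_fake_service():
    """Listen on an ephemeral localhost port and greet every client with BANNER."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket closed: stop serving
                return
            with conn:
                conn.sendall(BANNER)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def uncredentialed_scan(host, ports, timeout=1.0):
    """Connect to each port, grab the banner, and match "<code> <product> <version>".
    Only services that answer on the network can be seen this way."""
    findings = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                banner = s.recv(256).decode(errors="replace").strip()
        except OSError:
            continue                 # closed or filtered port: nothing to see
        parts = banner.split()
        if len(parts) >= 3 and is_vulnerable(parts[1], parts[2]):
            findings.append((port, parts[1], parts[2]))
    return findings

def credentialed_scan(installed):
    """With host access, check every installed package, not just the listening ones."""
    return [(name, ver) for name, ver in installed.items() if is_vulnerable(name, ver)]

if __name__ == "__main__":
    srv, port = start_fake_service()
    print("uncredentialed:", uncredentialed_scan("127.0.0.1", [port]))
    print("credentialed:  ", credentialed_scan(INSTALLED_PACKAGES))
    srv.close()
```

The uncredentialed pass reports only the listening service (and would be fooled by an edited banner), while the credentialed pass also finds the vulnerable library that never appears on the wire; this is the accuracy gap the text describes, and the reason a preliminary uncredentialed scan is usually followed by a credentialed one.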
