IPS, Whom to believe: Gartner or NSS Labs?

In its Magic Quadrant for Network Intrusion Prevention System Appliances, dated April 14, 2009, Gartner positioned TippingPoint and Juniper Networks as leaders in the field, together with McAfee and Sourcefire.

However, these days (December 2009), there is a lot of talk about the discouraging results of a test done by NSS Labs on the IPS solutions of these companies.

An independent test and evaluation of 15 different network intrusion-prevention system products from seven vendors showed that none were fully effective in warding off attacks against Microsoft, Adobe and other programs. NSS Labs, which conducted the test without vendor sponsorship of any kind, also evaluated the 15 network IPS offerings for their capability in responding to “evasions,” attacks delivered in an obfuscated and stealthy manner in order to hide. In that arena, Juniper Networks and TippingPoint didn’t perform particularly well; the Juniper IPS scored lowest at only 17% effectiveness, while the McAfee and IBM IPS held up particularly well. Here is the article on NetworkWorld.

TippingPoint’s president Allan Kessler posted his view on his blog. This topic has also become active on the SecurityFocus Focus on IDS mailing list (here).

It is my belief that this report and these tests will affect the IPS market, but also trust in various reports from [independent] research and testing houses.

Updated on December 11th, 2009: Also see Rick Moy’s blog post “Network IPS Group Test Results Available.”


Wireless Intrusion Detection and Prevention Systems

After quite some time of silence regarding my work on Wireless Intrusion Detection and Prevention Systems (WIDS / WIPS), I’m considering continuing that work. In the past I have done research, published a couple of papers on this topic at conferences and in journals, and also created the concept, basic architecture and design of the system and products. This possible “reactivation” of the work is particularly pushed by the recent increased interest of companies, organizations and institutions, commercial, government and others, who contacted me regarding it, and by the requirements of many production environments.

As you could have read earlier on this blog, that area has been one of my research interests for a long time. Intrusion Detection and Prevention Systems (IDS/IPS), especially those used in wireless and mobile networks, are becoming particularly interesting and important with the increased usage of these types of networks. My research has been particularly oriented to the usage of artificial intelligence, fuzzy logic and neural networks to make these systems better, easier to use and more efficient. At the 19th Annual Computer Security Applications Conference, ACSAC (December 8-12, 2003, Las Vegas, Nevada, USA), I talked about a Wireless Intrusion Detection System (WIDS) and proposed a multilevel and multidimensional system with these components: agent, sensor, server, and management and reporting tools. I also talked at some other conferences and published a couple of papers on this topic. There are different approaches to intrusion detection and prevention, but it is very common for commercially available IDS/IPS to suffer from many false alarms (false positives and false negatives) and from performance problems. A separate problem is the so-called “zero-day” attacks that pass the majority of today’s IDS / IPS systems unnoticed.

The Wireless Intrusion Detection and Prevention System, in the architecture that I proposed many years ago, consists of:

• WIDS / WIPS Agent. This is software installed on a mobile computer or device. It detects intrusions and attacks by analyzing traffic and behavior, draws conclusions and denies them. It protects the computer or computerized device. The Agent works in cooperation with the WIDS / WIPS Sensor and Server if those are available in the network and can be reached. Its position is on a Personal Computer (PC), including a Pocket PC (PPC) and similar mobile devices.

• WIDS / WIPS Sensor. This is an appliance which sits in the wireless network environment. It has embedded logic for detecting intrusions and alerting stations and servers about them. It alerts network users and/or administrators too. The Sensor works in cooperation with the WIDS Agent and Server if they are available in the same network. Its position is the area of the wireless computer network.

• WIDS / WIPS Server. This is corporate software which integrates the functions of the previous two components and has additional mechanisms such as collecting, analyzing, drawing conclusions (based on a neural network and fuzzy logic implementation), and giving support to the WIDS Agent and Sensor. It can communicate with CERT centers and similar bodies. It is responsible for cooperation with other security software or devices (antivirus software, firewalls, …). The Server collects information about WLAN security, events, incidents, and performance from the WIDS Sensors deployed throughout a WLAN. The Server delivers the information to the WIDS Console in a format that helps Network Administrators immediately identify problems. Its position is in the corporate network, or remote for several mutually linked networks.

• WIDS / WIPS Console & Management, Reporting Tools. This is a set of utilities intended to provide monitoring, management, tuning, and the preparation of various reports about the activity of WIDS / WIPS components. They are installed on the Server, but can collect and show data from the various components of the WIDS / WIPS system. Single utilities can reside on Agent and Sensor devices, and they provide remote access and configuration capability too.

This is just a brief description. If you are interested in more details or want to consider contributing to or investing in this development, send me an e-mail.


Reduction of False Positive Intrusions by using Neural Nets

The paper Reduction of False Positive Intrusions by using Neural Nets, which I worked on with colleagues, is now available at the IEEE Digital Library.

Abstract

The main idea of this paper is to propose a new solution for a Wireless Intrusion Detection Prevention System (WIDPS). The proposed WIDPS has a high degree of autonomy in tracking suspicious activity and detecting positive intrusions. Our focus was the reduction of detected false positive intrusions by implementing an adaptive self-learning neural net in the system. Once it is fully developed and tested, this WIDPS would enable real-time response against threats, even to zero-day attacks.

Remark: A subscription to the IEEE Digital Library is required to download the full paper in PDF format.


8th IEEE International Conference – TELSIKS 2007

The 8th IEEE International Conference – TELSIKS 2007 will take place from September 26 – 28, 2007 in Nis, Serbia. Visit the conference site here. The paper titled “Reduction of False Positive Intrusions by Using Neural Nets”, which I worked on with a couple of associates, will be presented at this conference. It is scheduled for Wednesday, September 26th, 2007 in the session Wireless Communications I as an invited paper. The integral conference program document is here.


Paper: Network Systems Intrusion: Concept, Detection, Decision, and Prevention

My paper Network Systems Intrusion: Concept, Detection, Decision, and Prevention is published here; go to page 40.

Abstract:

This paper analyzes concepts for intrusion detection processes, building decision making (DM) criteria on the basis of intrusion detection, and prevention based on DM as the last level of protection in computer systems and networks. The second part of the paper discusses a practical implementation of Intrusion Detection and Prevention Systems (IDPS) based on wireless technology (WIDPS). Basically, the paper concentrates on the problems and answers of how to differentiate between legal and illegal access, i.e. intrusion, and what the key and root causes of this difference are. Two issues are distinguished: finding the set of concepts needed for detection and a set of criteria for DM in IDPS. The paper concludes with the achieved results and future goals related to the automated DM process in wireless technology.

If you want to reference or cite this paper, here are the data:

  • Dragan Pleskonjic, Sanida Omerovic, Saso Tomazic, “Network Systems Intrusion: Concept, Detection, Decision, and Prevention”, IPSI BgD Transactions on Internet Research, January 2007, Volume 3, Number 1, ISSN 1820-4503, pages 40-49.

Intrusion Detection and Prevention Systems Research

Posted in Intrusion Detection / Prevention Systems by Dragan Pleskonjic @ Jun 7, 2007

One of my research interests for the last couple of years has been Intrusion Detection and Prevention Systems (IDS/IPS), especially wireless and mobile ones. I call them WIDS/WIPS and MIDS/MIPS. My research in this area also considers the usage of artificial intelligence to make better IDS/IPS systems. At the 19th Annual Computer Security Applications Conference (December 8-12, 2003, Las Vegas, Nevada, USA) I talked about a Wireless Intrusion Detection System (WIDS) and proposed a multilevel and multidimensional system with the following components: agent, sensor, server, and management and reporting tools. I also talked at some other conferences and published papers on this topic. More about this work you can see here and here. There are different approaches to intrusion detection and prevention, but it is very common for commercially available IDS/IPS to suffer from many false alarms (false positives and false negatives) and from performance problems. A separate problem is the so-called “zero-day” attacks that pass the majority of today’s IDS systems unnoticed.

Stefano Zanero from the Dipartimento di Elettronica e Informazione, Politecnico di Milano, presented the paper “360° Anomaly-Based Unsupervised Intrusion Detection” at the Black Hat conference. In a YouTube video he provides an overview of his research into the subject by illustrating how he worked on finding ways to detect intruders without relying on signatures. See his whitepaper and his presentation from Black Hat Europe 2007.


OSSEC v1.2 released

Posted in Intrusion Detection / Prevention Systems by Dragan Pleskonjic @ May 17, 2007

The availability of a new version of OSSEC (Open Source Host-based Intrusion Detection System) was announced today on the SecurityFocus mailing list dedicated to intrusion detection systems.

OSSEC performs log analysis, file integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.

This new version comes with lots of new features, including:

A large re-design of the internal architecture of analysisd (the OSSEC process responsible for decoding and analysis) has been completed, greatly improving performance and organization.


Security Hole in Snort Intrusion Detection / Prevention System

Posted in Intrusion Detection / Prevention Systems by Dragan Pleskonjic @ Feb 25, 2007

A week ago, Neel Mehta from IBM Internet Security Systems X-Force reported a vulnerability in Snort which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused by a boundary error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests. This can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent over a network that is monitored by Snort.

Successful exploitation allows execution of arbitrary code.

The vulnerability reportedly affects the following versions:

  • Snort 2.6.1, 2.6.1.1, and 2.6.1.2
  • Snort 2.7.0 beta 1

The solution is to update to version 2.6.1.3. The vendor recommends that beta users disable the DCE/RPC preprocessor.

This problem has been reported on the Snort web site (here) and on Slashdot (here). Sourcefire has not received any reports that this vulnerability has been exploited.
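As an added illustration (not Snort's code and not the actual defect), this is the kind of boundary check a reassembly buffer needs: a fixed-capacity buffer with hypothetical names and size, where each fragment's claimed offset and length are validated before the copy so that a crafted packet cannot write past the end.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size buffer of the kind a preprocessor uses to stitch
 * fragmented SMB Write AndX payloads back together (name and size assumed). */
#define REASM_CAPACITY 1024

struct reasm_buf {
    uint8_t data[REASM_CAPACITY];
    size_t  used;   /* highest byte written so far */
};

void reasm_init(struct reasm_buf *rb) {
    memset(rb->data, 0, sizeof rb->data);
    rb->used = 0;
}

/* Copy one fragment to the offset the packet claims. Returns 1 on success and
 * 0 if the fragment would land outside the buffer. These two checks are the
 * boundary validation whose absence turns a crafted packet into a stack
 * overflow: the first rejects an offset already past the end, the second
 * rejects a length that runs past the end (written as a subtraction so that
 * offset + len cannot wrap around). */
int reasm_append(struct reasm_buf *rb, size_t offset,
                 const uint8_t *frag, size_t len) {
    if (offset > REASM_CAPACITY) return 0;
    if (len > REASM_CAPACITY - offset) return 0;
    memcpy(rb->data + offset, frag, len);
    if (offset + len > rb->used) rb->used = offset + len;
    return 1;
}

int main(void) {
    struct reasm_buf rb;
    uint8_t frag[16];
    memset(frag, 0x41, sizeof frag);   /* constructed fragment payload */
    reasm_init(&rb);
    /* One fragment in bounds, one whose claimed offset would push the copy
       past the buffer; the second must be rejected, not copied. */
    printf("in-bounds accepted: %d\n", reasm_append(&rb, 0, frag, sizeof frag));
    printf("out-of-bounds accepted: %d\n",
           reasm_append(&rb, REASM_CAPACITY - 8, frag, sizeof frag));
    return 0;
}
```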


Symposium on Recent Advances in Intrusion Detection 2007

Posted in Conferences, Events, Intrusion Detection / Prevention Systems by Dragan Pleskonjic @ Jan 13, 2007

The 10th International Symposium on Recent Advances in Intrusion Detection 2007 (RAID 2007) will be held on September 5-7, 2007 at the Crowne Plaza Hotel, Gold Coast, Queensland, Australia. The symposium is hosted by the Information Security Institute, Queensland University of Technology, Brisbane, Australia.

This symposium, the 10th in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss issues and technologies related to intrusion detection and defense. The Recent Advances in Intrusion Detection (RAID) International Symposium series is intended to further advances in intrusion defense by promoting the exchange of ideas in a broad range of topics. As in previous years, all topics related to intrusion detection, prevention and defense systems and technologies are within scope, including but not limited to the following:

  • Intrusion detection and prevention techniques
  • High-performance intrusion detection
  • Intrusion detection in special environments (e.g., mobile networks)
  • IDS cooperation and event correlation
  • Formal models and analysis
  • Attack response, countermeasures, and intrusion tolerance
  • Survivability and self-protection
  • Attacks against IDS and evasion
  • Insider threat detection and mitigation
  • Deception systems and honeypots
  • Malicious code detection and containment
  • Visualization techniques
  • Intrusion detection assessment and benchmarking
  • IDS interoperability standards and standardization
  • Vulnerability analysis and risk assessment
  • Legal and social issues

Visit RAID 2007 website here.
