Built-in Intrusion Detection

Paladion
By Paladion

March 15, 2005

We've emphasized how to improve our applications' defenses in the pages of Palisade. Most of these have focused on building stronger defenses to prevent breaches. Today we look at ways to improve the monitoring capabilities in our applications.

A surveillance strategy complements the prevention strategy and presents several advantages:

- Despite our best efforts, attackers might break through existing defenses. Monitoring helps detect and respond to that.
- Surveillance keeps us informed when the application is being attacked. Knowledge of the attacks the application has to withstand helps design stronger defenses.

Traditionally, Network IDS formed the core of a surveillance strategy. While these are useful to detect attacks on the underlying web server or operating system, they are inadequate to detect application layer attacks for three reasons:

- Attacks that breach your business rules are not recognized by a traditional IDS.
- A Network IDS cannot spot attacks that are tunneled through SSL connections.
- Attacks at the application layer can evade network layer detection easily.

Applications can take different approaches for detecting intrusions.

Signature matching: Maintain a list of well-known attack signatures or patterns. Check each input against this black list filter. The filter may be implemented as a plug-in for the web server, or as an integral component of the application. Attacks like SQL Injection, brute force password guessing and Cross Site Scripting can be detected by this approach. These are easy to implement, but they are also easy to bypass. They are useful to spot moderately skilled attackers and vulnerability scanners. mod_security (www.modsecurity.org) is an open source signature matching filter that is available for Apache.

Protocol violation: Define the rules for each input variable: maximum length, data type, and so on. This white list of what is acceptable defines the protocol rules for the application. When an attacker crafts an attack that defies these rules, a white list input filter can detect the violation. This is less susceptible to evasion, as every deviation from the rule is spotted, not only the patterns somebody thought to list.
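To make the contrast between the two approaches concrete, here is a small added example (not code from the original article, and not mod_security) that runs a black list of constructed attack patterns and a white list of protocol rules over the same form. The field names, the per-field rules and the sample inputs are assumptions for an imaginary funds-transfer form; the point it demonstrates is that a value which matches no signature can still be a protocol violation, which is why the white list is the harder filter to slip past.

```python
import re

# Constructed black list of well-known attack patterns (illustrative, not exhaustive).
SIGNATURES = [
    re.compile(r"<\s*script", re.IGNORECASE),              # script tag (Cross Site Scripting)
    re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE),  # SQL tautology (SQL Injection)
    re.compile(r"\.\./"),                                   # directory traversal
]

# Assumed protocol rules for a funds-transfer form: one entry per accepted input variable.
PROTOCOL = {
    "account_id": {"type": "int", "max_len": 10},
    "amount":     {"type": "decimal", "max_len": 12},
    "memo":       {"type": "text", "max_len": 40},
}
TYPE_RULES = {
    "int":     re.compile(r"[0-9]+"),
    "decimal": re.compile(r"[0-9]+(\.[0-9]{1,2})?"),
    "text":    re.compile(r"[A-Za-z0-9 .,-]*"),
}


def signature_match(value):
    """Black list: return the patterns that fire on this value, or [] if none do."""
    return [sig.pattern for sig in SIGNATURES if sig.search(value)]


def protocol_violations(form):
    """White list: return (field, reason) for every deviation from the protocol rules.

    Unknown parameters are violations too: the protocol says what may arrive,
    so anything outside it is unexpected by definition.
    """
    violations = []
    for field, value in form.items():
        rule = PROTOCOL.get(field)
        if rule is None:
            violations.append((field, "unexpected parameter"))
            continue
        if len(value) > rule["max_len"]:
            violations.append((field, "too long"))
        if not TYPE_RULES[rule["type"]].fullmatch(value):
            violations.append((field, "wrong type"))
    return violations


def inspect_request(form):
    """Run both detectors over one submitted form and report what each saw."""
    sig_hits = {}
    for field, value in form.items():
        hits = signature_match(value)
        if hits:
            sig_hits[field] = hits
    return {"signature": sig_hits, "protocol": protocol_violations(form)}


if __name__ == "__main__":
    # Constructed inputs: a benign form, an obvious probe, and a malformed request
    # that matches no signature but still breaks the protocol.
    for form in (
        {"account_id": "1234", "amount": "10.50", "memo": "rent"},
        {"account_id": "1' or 1=1", "amount": "10", "memo": "x"},
        {"account_id": "12ab", "amount": "10", "memo": "x", "debug": "1"},
    ):
        print(form, "->", inspect_request(form))
```

In a real deployment the white list belongs next to the code that consumes each parameter, so the rules and the handler are maintained together; the black list is still worth keeping, because a signature hit tells you what kind of attack it was, which a bare "wrong type" does not.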

Anomaly Detection: Variations from the normal are interesting, and possibly suspicious. Applications can build a baseline of the normal activity pattern over time. Variations from that normal pattern signal interesting events. For instance, a surge in funds transfer transactions on a Sunday morning could be interesting for a banking application. An exceptional winning streak could raise a flag in a gaming application. These systems are more complex, but also more difficult to evade. However, abnormal does not always mean intrusion; an innocuous event may be what triggered the alert.
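The Sunday-morning example above can be turned into a baseline-and-deviation check with very little machinery. The following added example (not from the original article) builds a per-weekday, per-hour baseline of transfer counts from four weeks of constructed history, then scores new observations by how many standard deviations they sit from that slot's mean. All the activity numbers are assumed values for an imaginary banking application.

```python
import statistics
from collections import defaultdict


def build_history(weeks=4):
    """Constructed history of (weekday, hour, transfers_in_hour); weekday 0 = Monday, 6 = Sunday.

    Assumed shape: quiet Sunday mornings, busy weekday business hours, low traffic otherwise.
    """
    history = []
    for week in range(weeks):
        for weekday in range(7):
            for hour in range(24):
                if weekday == 6 and 6 <= hour < 12:
                    count = 2 + (week % 2)                 # Sunday morning: 2-3 transfers/hour
                elif weekday < 5 and 9 <= hour < 18:
                    count = 40 + 5 * ((week + hour) % 3)   # business hours: 40-50 transfers/hour
                else:
                    count = 5 + (hour % 3)                 # off hours: 5-7 transfers/hour
                history.append((weekday, hour, count))
    return history


def build_baseline(history):
    """Mean and population standard deviation of the count for every (weekday, hour) slot."""
    buckets = defaultdict(list)
    for weekday, hour, count in history:
        buckets[(weekday, hour)].append(count)
    return {slot: (statistics.mean(v), statistics.pstdev(v)) for slot, v in buckets.items()}


def anomaly_score(baseline, weekday, hour, count, floor=1.0):
    """Z-score of one observation against its slot.

    The floor keeps a slot with near-zero variance from turning a one-transfer
    difference into a huge score; tune it to the unit of the metric.
    """
    mean, stdev = baseline[(weekday, hour)]
    return (count - mean) / max(stdev, floor)


def flag_anomalies(baseline, observations, threshold=4.0):
    """Return (weekday, hour, count, z) for observations beyond the threshold in either direction.

    A sharp drop is reported too: an outage or a disabled feature is also worth a look.
    """
    flagged = []
    for weekday, hour, count in observations:
        z = anomaly_score(baseline, weekday, hour, count)
        if abs(z) > threshold:
            flagged.append((weekday, hour, count, round(z, 1)))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(build_history())
    # Constructed observations: 30 transfers on a Sunday at 08:00, 50 on a Wednesday at 10:00.
    print(flag_anomalies(baseline, [(6, 8, 30), (2, 10, 50)]))
```

The Wednesday value is inside the normal spread for that slot and is not reported; the Sunday value is. Note that the flag says nothing about why: a marketing campaign or a batch job moved to the weekend produces exactly the same score, which is the false-positive trade-off the text warns about. The threshold and the floor are the knobs that balance missed events against alert fatigue.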

Integrity Verification: Periodically scanning master records in your production system against a trusted copy can alert you when they have been modified. Similarly, frequently comparing the binaries deployed in production against the originals is a safeguard against their being modified by an attacker. These integrity checks are easy to implement and very effective if an attacker modifies parts of your application.
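The binary comparison described above is usually done with a manifest of file digests taken from the trusted copy at deployment time. This added example (not the article's code) builds such a manifest with SHA-256, then re-verifies a deployment tree and reports files that were modified, removed or added. The directory layout, file names and contents in the demo are constructed; the manifest itself should be kept off the production host, since a check that compares a file against a hash stored beside it can be rewritten along with the file.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify(root, trusted):
    """Compare the live tree against the trusted manifest; all three lists empty means clean."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in trusted if p in current and current[p] != trusted[p]),
        "missing": sorted(p for p in trusted if p not in current),
        "added": sorted(p for p in current if p not in trusted),
    }


def write(root, rel, text, mode="w"):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as f:
        f.write(text)


def demo():
    """Constructed deployment: take the manifest, tamper with the tree, verify twice."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "login.cgi", "print('login')\n")
        write(root, "lib/db.py", "def query():\n    pass\n")
        trusted = build_manifest(root)          # taken from the pristine deployment
        clean = verify(root, trusted)

        # Simulated tampering: one file altered, one removed, one dropped in.
        write(root, "login.cgi", "# appended line\n", mode="a")
        os.remove(os.path.join(root, "lib", "db.py"))
        write(root, "extra.cgi", "print('unexpected')\n")
        tampered = verify(root, trusted)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean:   ", before)
    print("tampered:", after)
```

The same routine serves the master-record case: serialise each record deterministically, digest it, and keep the digests in the trusted store. Scheduling the check is the easy part; deciding who is paged when "modified" is non-empty outside a change window is what makes it an intrusion detector rather than a report.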

Application Honeypots: Applications can lay subtle traps to detect attackers. Parts of the application that are never used by normal users could be set up to trigger alerts when unexpected visitors arrive looking for vulnerabilities. In our next issue, we discuss several strategies used by application honeypots.

Architecture

[Figure: IDS Architecture]

An application layer IDS can be architected in multiple ways. The figure shows a clean and simple architecture where all activities are logged to a database. The IDS module scans the database periodically to detect intrusions. This architecture is effective for implementing the five detection techniques we discussed earlier. Note, however, that this is not a real-time architecture: the IDS engine would detect an attack only during a periodic scan, so the detection delay is bounded by the scan interval.
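The log-to-database, scan-periodically design in the figure is easy to sketch end to end. The following added example (not code from the article) uses an in-memory SQLite table as the activity log, records the last row each scan has seen so that alerts are not repeated, and runs two of the techniques from the list above over the new rows: a brute-force rule (many failed logins from one client inside a window) and a honeypot rule of the kind the Application Honeypots section alludes to (requests for paths no legitimate page ever links to). The table layout, the trap paths, the thresholds and the logged requests are all assumptions.

```python
import sqlite3

# Assumed trap locations: never linked from the application, so any request is suspect.
HONEYPOT_PATHS = {"/admin_old/", "/backup.zip"}
FAILED_LOGIN_THRESHOLD = 5      # assumed: failures per client ...
WINDOW_SECONDS = 300            # ... inside this window trigger a brute-force alert


def open_log(path=":memory:"):
    """Create the activity log and the IDS bookmark table; the app writes, the IDS reads."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS activity (
                        id INTEGER PRIMARY KEY, ts REAL, client TEXT,
                        user TEXT, path TEXT, outcome TEXT)""")
    conn.execute("CREATE TABLE IF NOT EXISTS ids_state (name TEXT PRIMARY KEY, last_id INTEGER)")
    conn.execute("INSERT OR IGNORE INTO ids_state VALUES ('scanner', 0)")
    conn.commit()
    return conn


def log_activity(conn, ts, client, user, path, outcome):
    """Called from the application on every request; the only thing the app has to do."""
    conn.execute("INSERT INTO activity (ts, client, user, path, outcome) VALUES (?, ?, ?, ?, ?)",
                 (ts, client, user, path, outcome))
    conn.commit()


def scan(conn):
    """One periodic IDS pass over rows written since the previous pass."""
    (last_id,) = conn.execute("SELECT last_id FROM ids_state WHERE name = 'scanner'").fetchone()
    rows = conn.execute("SELECT id, ts, client, user, path, outcome FROM activity "
                        "WHERE id > ? ORDER BY id", (last_id,)).fetchall()
    alerts = []
    if not rows:
        return alerts

    # Honeypot rule: any request for a trap path is an alert on its own.
    for _, _, client, _, path, _ in rows:
        if path in HONEYPOT_PATHS:
            alerts.append(("honeypot", client, path))

    # Brute-force rule: failed logins per client in the window ending at the newest row.
    newest_ts = rows[-1][1]
    for client, n in conn.execute(
            "SELECT client, COUNT(*) FROM activity "
            "WHERE outcome = 'login_failed' AND ts > ? "
            "GROUP BY client HAVING COUNT(*) >= ?",
            (newest_ts - WINDOW_SECONDS, FAILED_LOGIN_THRESHOLD)):
        alerts.append(("brute_force", client, n))

    conn.execute("UPDATE ids_state SET last_id = ? WHERE name = 'scanner'", (rows[-1][0],))
    conn.commit()
    return alerts


def demo():
    """Constructed traffic: a password-guessing burst, a trap hit, a normal login; two scans."""
    conn = open_log()
    t0 = 1_700_000_000.0
    for i in range(6):
        log_activity(conn, t0 + 10 * i, "10.0.0.9", "alice", "/login", "login_failed")
    log_activity(conn, t0 + 70, "10.0.0.9", "alice", "/login", "login_ok")
    log_activity(conn, t0 + 80, "10.0.0.22", "-", "/admin_old/", "404")
    log_activity(conn, t0 + 90, "10.0.0.5", "bob", "/login", "login_ok")
    first = scan(conn)     # the scheduled pass: sees everything above
    second = scan(conn)    # next pass with nothing new: no repeated alerts
    return first, second


if __name__ == "__main__":
    print(demo())
```

Two properties of the design show up here. The application's only coupling to the IDS is the insert, so rules can be added or tuned without touching the application. And the latency is exactly the scan interval: the six failed logins are reported only when the scheduled pass runs, not at the sixth attempt. The brute-force rule re-examines the whole window on each pass, so a client that keeps failing across two scans is reported twice; suppressing that needs a record of alerts already raised, which is the next thing to add.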
