We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byBrook Evans
Modified about 1 year ago
1 Copyright © 2014 M. E. Kabay. All rights reserved. IDS & IDP CSH6 Chapter 27 “Intrusion Detection & Intrusion Prevention Devices” Rebecca Gurley Bace
2 Copyright © 2014 M. E. Kabay. All rights reserved. Topics Security Behind the Firewall Main Concepts Intrusion Prevention Information Sources Analysis Schemes Response Needs
3 Copyright © 2014 M. E. Kabay. All rights reserved. Security Behind the Firewall What is Intrusion Detection? What is Intrusion Prevention? Where Do ID & IP Fit in Security Management? Brief History of ID
4 Copyright © 2014 M. E. Kabay. All rights reserved. What is Intrusion Detection? Software or hardware Automate surveillance of computers and networks Collect & synchronize records Analyze data for evidence of security violations Intrusions = violations of security policy Attempts to compromise systems E.g., attempted or successful unauthorized penetrations of security barriers Includes denial-of-service (DoS) attacks
5 Copyright © 2014 M. E. Kabay. All rights reserved. What is Intrusion Prevention? Coupling ID with specified responses to detected-intrusion scenarios Triggering events Subset of intrusions Better understood / characterized than generic IDS triggers E.g., specific traffic > specified threshold → specific response Could limit traffic of that specific type Time limits on response
6 Copyright © 2014 M. E. Kabay. All rights reserved. Where Do ID & IP Fit in Security Management? Necessary function in system security strategies ID + vulnerability assessment (VA) → auditability Auditability = ability for independent review / examine system records to Determine adequacy of system controls Ensure compliance with policy / procedures Detect breaches in security Recommend indicated changes
7 Copyright © 2014 M. E. Kabay. All rights reserved. Audit & ID Functions Audit enables / supports many aspects of security management Incident handling System recovery ID Flexible way to accommodate user needs Retain ability to protect systems from specified threats
8 Copyright © 2014 M. E. Kabay. All rights reserved. Will IPS Replace IDS? Tight coupling between IPS & audit Need audit for root-cause analysis Measure effectiveness of security measures ID on outside & inside of firewalls Justify budgets by demonstrating scope of threats, reduction inside firewall Dead-chicken vs flying elephants analogy But IDS & IPS insufficient Also need VA, policy, controls, gateway security, I&A, access controls, encryption, file integrity checking, physical security
9 Copyright © 2014 M. E. Kabay. All rights reserved. Brief History of ID (1) ID = automation of system/security audits carried out manually from earliest days of computing in 1950s Auditability defined as essential in 1973 paper by J. P. Anderson for USAF Anderson (1980) proposed automated review of security audit trails Dorothy Denning & Peter G. Neumann studied ID from 1984-1986 w/ report in 1986
10 Copyright © 2014 M. E. Kabay. All rights reserved. Brief History of ID (2) Intrusion Detection Expert System (IDES, 1990) Prototype instantiation of Denning’s model Developed at Stanford Research Institute (SRI) International Hybrid system: Statistical profiles of user behaviors Derived from OS kernel audit logs Plus other system data sources Rule-based expert system Configurable by users Specified patterns to be flagged
11 Copyright © 2014 M. E. Kabay. All rights reserved. Brief History of ID (3) By 1994, flurry of developments Next Generation IDES (NIDES) Haystack (Haystack Labs & USAF) NADIR (Los Alamos*) Wisdom & Sense (Los Alamos & Oak Ridge*) ISOA (PRC, Inc) TIM (DEC) ComputerWatch (AT&T) Discovery (TRW) __________ * National Laboratories of the Department of Energy (DoE)
12 Copyright © 2014 M. E. Kabay. All rights reserved. Brief History of ID (4) Network-based IDS Late 1980s UCAL Davis Network Security Monitor, later NID Similar to many of today’s IDS Distributed Intrusion Detection System (DIDS) UCAL Davis, Haystack, Lawrence Livermore National Laboratory (DoE) Coordinated network-based & host-based IDS IPS proposed as logical next step from start of IDS research
13 Copyright © 2014 M. E. Kabay. All rights reserved. Main Concepts Process Structure Approach to Monitoring Architecture of IDS Frequency of Monitoring Strategy for Analysis
14 Copyright © 2014 M. E. Kabay. All rights reserved. Process Structure Monitoring and alarm-generating process: Information sources (AKA event generator) Network Host Application Analysis Engine Look for anomalies and attacks Response – range of possibilities Reports, logs, pagers, phone calls Automated disruption of attack or raising of security barriers
15 Copyright © 2014 M. E. Kabay. All rights reserved. Approach to Monitoring Collecting event data and conveying data to analysis engine Network-based Host-based Application-based
16 Copyright © 2014 M. E. Kabay. All rights reserved. Architecture of IDS Store and process audit data in different / separate environment to prevent intruder from Destroying data Subverting data collection and monitoring Also reduce load on target systems to prevent performance degradation CPU usage Disk I/O Memory usage Limited-resource usage (system tables, semaphores etc.)
17 Copyright © 2014 M. E. Kabay. All rights reserved. Frequency of Monitoring Batch-mode Send data in blocks or files Results after intrusion has started (or finished) Typical of early systems due to resource limitations Continuous AKA “real-time” data collection / analysis Immediate analysis and alerts / response Support intervention to reduce damage or to collect additional data (e.g., for prosecution) Most common today
18 Copyright © 2014 M. E. Kabay. All rights reserved. Strategy for Analysis Misuse detection Filter event streams Match patterns against attack signatures Anomaly detection Statistical or AI techniques to spot deviations from norm Definition of normal behavior becomes crucial for successful operations Extremely dangerous to incorporate abnormal / unauthorized behavior into “normal” or standard data set
19 Copyright © 2014 M. E. Kabay. All rights reserved. Intrusion Prevention General Concept IPS often considered IDS + automated responses But additional specifications have evolved IP System Architecture Most IPS separate their functions from target (monitored) system Some separate monitoring/ analysis from response platform (“stand-alone”) vs “integrated” units
20 Copyright © 2014 M. E. Kabay. All rights reserved. IP Analysis Strategy Strategy similar to IDS but nomenclature differs Rate-based analysis to block specific traffic Primarily focus on network load Connect rates Connection counts Particularly useful for detecting DDoS Content-based analysis Anomalous packets Specific content (e.g., IDS signatures) Useful for malformed-packet DDoS
21 Copyright © 2014 M. E. Kabay. All rights reserved. Information Sources for IDS Network Monitoring Operating Systems Applications Other Monitoring Information Source Issues
22 Copyright © 2014 M. E. Kabay. All rights reserved. Network-Based Monitoring Set data-gathering station to promiscuous mode Capture all packets going by Specialized devices Spanning ports gather data from all ports on a switch Specialized Ethernet network taps (sniffers) to capture network traffic
23 Copyright © 2014 M. E. Kabay. All rights reserved. Operating Systems Collect data from internal sources Host-based monitoring can use OS data Often use audit-trail data (log files) Image used with permission of Berthou.com
24 Copyright © 2014 M. E. Kabay. All rights reserved. Application-Based IDS Monitoring Instrument running applications to produce data for analysis Application event logs Application configuration info Growing in importance System complexity increasing Object-oriented programming Data objecting naming conventions Make analysis of file-access logs more difficult Extrusion detection systems are special case Monitor data transfers Look for anomalies in movement across policy boundaries Increasingly popular for compliance
25 Copyright © 2014 M. E. Kabay. All rights reserved. Other IDS Monitoring Can improve success rates of VAS by using data from other security tools Network firewalls Anti-virus software File-integrity checkers IDS MK adds: Coordination of multiple data sources leads to cyber situational awareness (cyber SA)
26 Copyright © 2014 M. E. Kabay. All rights reserved. Information Source Issues for IDS Balance detail against performance degradation Can overwhelm resources with data Monitoring appropriate areas or functions Chain of custody for IDS data Protect sensitive data in IDS data stream / collections Comply with legal & ethical standards
27 Copyright © 2014 M. E. Kabay. All rights reserved. Analysis Schemes Analysis engine Accepts event data from source(s) Examines for symptoms of security problems Key issues Detecting Misuse Detecting Anomalies Hybrid Approaches Issues in Analysis
28 Copyright © 2014 M. E. Kabay. All rights reserved. Detecting Misuse Filter event streams for known attack signatures Assumes knowledge to distinguish forbidden and authorized behaviors Atomic (single events) vs composite (sequences of events) Recognizing deviations from norm Complex mathematical and statistical methods Packet analysis – recognize malformed packets associated with attacks such as DoS and DDoS
29 Copyright © 2014 M. E. Kabay. All rights reserved. Detecting Anomalies Quantitative analysis Numeric rules – triggers, thresholds Statistical analysis – early applications to IDS Calculate various statistical measures, compare to norm Learning (heuristic) techniques – still under development Allow system to adapt to normal environment, recognize abnormal changes by itself Neural networks, fuzzy logic don’t usually tell security user why they identified behavior as suspicious Advanced techniques – R&D stage Genetic algorithms Data mining Autonomous agents Immune system
30 Copyright © 2014 M. E. Kabay. All rights reserved. Hybrid Approaches Combining misuse detection with anomaly detection has been productive approach Anomaly detection engine can let IDS detect new or unknown attacks or policy violations Particularly useful for Internet-visible systems Especially important to fight DDoS Misuse detection engine helpful to prevent slow modification of baseline Attacker can gradually alter statistical norms But misuse detector can use definitions to prevent anomaly detection engine from being subverted
31 Copyright © 2014 M. E. Kabay. All rights reserved. Issues in ID Analysis Signature-based misuse detection cannot recognize new attacks Anomaly detection systems may have high false-positives – users turn off or ignore the alerts AI-based systems depend absolutely on adequate training data to distinguish normal from abnormal behavior Malefactors with access privileges during training can covertly teach system to accept unauthorized actions as normal
32 Copyright © 2014 M. E. Kabay. All rights reserved. Response (1) Passive Responses: Announce / alarm, let user handle it Produce reports Active Responses: Person-in-the-loop Automated Responses Collect more info about intruder / attack Change environment Act against intruder (hack-back) [DON’T!] Investigative Support – computer forensics
33 Copyright © 2014 M. E. Kabay. All rights reserved. Response (2) Stand-alone responses Use features entirely within IDS Activate special rules More sensitive than normal More detailed Thus apply focus only when appropriate & reduce false positives during normal times
34 Copyright © 2014 M. E. Kabay. All rights reserved. Response (3) Integrated responses Change systems settings to block attacker’s actions E.g., increase logging, alter analysis engine settings, check for vulnerabilities Can instruct target system to fix known vulnerabilities (immune function) Deploy decoy system (honey pots) to deflect attacks Reconfigure switch or router to divert attacks
35 Copyright © 2014 M. E. Kabay. All rights reserved. Problems in Responses Needs are highly variable False-positive rates must be tunable Automated responses can cause self-directed DoS E.g., shutting off access to apparent source of attack But attacker can spoof source in IP packets
36 Copyright © 2014 M. E. Kabay. All rights reserved. Needs Assessment and Product Selection Matching Needs to Features Specific Scenarios Deployment of IDS
37 Copyright © 2014 M. E. Kabay. All rights reserved. Matching Needs to Features Reduce incidence of problem behavior by increasing likelihood of discovery Detect security violations Documenting existing threats Detect and reduce attack preambles (probes, scans etc.) Diagnose problems (e.g., bad configurations) Test effects of upgrades and maintenance on security Provide forensic evidence of crimes
38 Copyright © 2014 M. E. Kabay. All rights reserved. Specific Scenarios Establishing threat levels for new networks Protecting Web servers Informational Transactional (harder to protect) Monitoring specific applications or servers E.g., particular databases
39 Copyright © 2014 M. E. Kabay. All rights reserved. Deployment of IDS (1) Location of sensors Outside main firewall In DMZ Behind internal firewalls In critical subnets Scheduling integration Don’t rush the installation Let system accumulate knowledge of normal patterns – will reduce false alarms
40 Copyright © 2014 M. E. Kabay. All rights reserved. Deployment (2): Adjusting alarm settings May suspend alarms for weeks of months Allow adaptation of the IDS to monitored system Allow operators to learn how to work with IDS
41 Copyright © 2014 M. E. Kabay. All rights reserved. DISCUSSION
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Intrusion Detection Systems and Practices
1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.
Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.
Guide to Network Defense and Countermeasures Second Edition
Intrusion Detection Systems CS391. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion.
Department Of Computer Engineering
By Edith Butler Fall Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.
seminar on Intrusion detection system
John Felber. Sources What is an Intrusion Detection System Types of Intrusion Detection Systems How an IDS Works Detection Methods Issues.
Lecture 11 Intrusion Detection (cont)
This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Cryptography and Network Security Sixth Edition by William Stallings.
1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.
IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.
Security Guidelines and Management
HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life.
Intrusion Control. CSCE Farkas2 Readings Lecture Notes Pfleeger: Chapter 7.5.
Intrusion Detection System Marmagna Desai [ 520 Presentation]
Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.
COEN 252 Computer Forensics
COEN 252 Computer Forensics Collecting Network-based Evidence.
IDS/IPS Definition and Classification
Intrusion Detection Systems Dj Gerena. What is an Intrusion Detection System Hardware and/or software Attempts to detect Intrusions Heuristics /Statistics.
IIT Indore © Neminah Hubballi
Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.
7.5 Intrusion Detection Systems Network Security / G.Steffen1.
Network Security Terms. Perimeter is the fortified boundary of the network that might include the following aspects: 1.Border routers 2.Firewalls 3.IDSs.
Security Technology: Intrusion Detection and Prevention Systems, and Other Security Tools Ch7 Part I Principles of Information Security, Fourth Edition.
Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.
1. To analyze and explain the IDS placement in network topology To explain the relationship between honey pots and IDS To explain, analyze and evaluate.
Using Honeypots to Improve Network Security Dr. Saleh Ibrahim Almotairi Research and Development Centre National Information Centre - Ministry of Interior.
Intrusion Detection Systems Present by Ali Fanian In the Name of Allah.
Some Great Open Source Intrusion Detection Systems (IDSs)
Host Intrusion Prevention Systems & Beyond
By Jim White WiredCity, Div. of OSIsoft Copyright c 2004 OSIsoft Inc. All rights reserved. Cyber Security Tools.
1 HoneyNets, Intrusion Detection Systems, and Network Forensics.
Chapter 5: Implementing Intrusion Prevention
Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.
Firewalls Firewall sits between the corporate network and the Internet Prevents unauthorized access from the InternetPrevents unauthorized access from.
Guide to Network Defense and Countermeasures Third Edition
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.
APA of Isfahan University of Technology In the name of God.
© 2017 SlidePlayer.com Inc. All rights reserved.