Presentation is loading. Please wait.

Presentation is loading. Please wait.

IDS Colloquium 2001John Kristoff - DePaul University1 Intrusion Detection Systems (IDS) John Kristoff +1 312 362-5878 DePaul University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "IDS Colloquium 2001John Kristoff - DePaul University1 Intrusion Detection Systems (IDS) John Kristoff +1 312 362-5878 DePaul University."— Presentation transcript:

1 IDS Colloquium 2001John Kristoff - DePaul University1 Intrusion Detection Systems (IDS) John Kristoff jtk@depaul.edu +1 312 362-5878 DePaul University Chicago, IL 60604

2 IDS Colloquium 2001John Kristoff - DePaul University2 Why IDS? • Interesting, but immature technology • Provides lots of data/information • Generally doesn't interfere with communications • Anything that improves security...

3 IDS Colloquium 2001John Kristoff - DePaul University3 What is IDS? • Ideally, immediately identifies successful attacks • Should have a immediate notification system • Out-of-band from the attack if possible • Probably can also monitor attack attempts too • Might have attack diagnosis, recommendation and/or automated attack mitigation response • Lofty goals: • 0% false positive rate • 0% false negative rate

4 IDS Colloquium 2001John Kristoff - DePaul University4 Privacy issues • Does an IDS violate privacy? • Are packet headers (protocols) private? • Is identification (an address) private? • Are packet contents private (payload)? • Are communications (flows/sessions) private? • Where is the IDS? • Who manages the IDS? • How is the IDS data handled and managed?

5 IDS Colloquium 2001John Kristoff - DePaul University5 Storage, mining and presentation • IDSs can collect LOTS of information • What is useful data? • What are you looking for? • Data correlation within/outside of the IDS? • What does the admin see? • Where and for how long do you keep data? • How do you secure access to IDS data?

6 IDS Colloquium 2001John Kristoff - DePaul University6 Host IDS • An integral part of an end-system • System log monitor • Kernel level packet monitor • Application specific • A very good place to put security • Distributed management issues • Not all end systems will support an IDS • Will be as useful as the end user is cluefull

7 IDS Colloquium 2001John Kristoff - DePaul University7 Network IDS • An add-on to the communications system • Generally passive and invisible to the ends • May see things a host IDS cannot easily see • Fragmentation, other host attacks (correlation) • May not understand network traffic • Unknown protocols/applications, encryption • May miss things that don't cross its boundary

8 IDS Colloquium 2001John Kristoff - DePaul University8 Anomaly detection • A form of artificial intelligence • Learn what is normal for a network/system • If an event is not normal, generate alert • May catch new attacks not seen before • For a simple, but effective example see: • Detecting Backdoors, Y. Zhang and V. Paxson, 9 th USENIX Security Symposium • An area of active research

9 IDS Colloquium 2001John Kristoff - DePaul University9 Signature matching • Know what an attack looks like and look for it • Very easy to implement • Low false positive rate • Most current IDSs are of this type • Easy to fool • Signatures must be added/updated regularly

10 IDS Colloquium 2001John Kristoff - DePaul University10 Honeypots • A system that welcomes attacks • Unbeknownst to the attacker generally • The system is very closely monitored • Can be used to test new technology/systems • Generally educational in nature • Helpful as trend monitor for that system type • Be careful honeypot doesn't become liability

11 IDS Colloquium 2001John Kristoff - DePaul University11 Possible IDS failure modes • Fragmentation, state and high-speeds • Requires lots of CPU, memory and bandwidth • Inability to decode message/transaction  t^Hrr^Hm56^H^H //^H -u^Hrf • Background noise • Tunnelling/encryption • IDS path evasion • Stupid user tricks

12 IDS Colloquium 2001John Kristoff - DePaul University12 The poor man's Network IDS • Setup a router subnet and unix host • Block all outgoing/incoming packets  access-list 100 deny ip any any log • Log packets (filter matches) with syslog • Use perl/grep/uniq/... to build simple reports  Total violations: 468  Top source host:badguy.org  Top dest. TCP port:21 (ftp)

13 IDS Colloquium 2001John Kristoff - DePaul University13 The poor man's host IDS • Use snort (http://www.snort.org) or...http://www.snort.org • Turn on all logging and do log reporting • Install fake service and monitor • tcp_wrappers, back officer friendly • Use diff (or equivalent), monitor file changes • Keep copies of data/configs elsewhere • Use Tripwire or equivalent

14 IDS Colloquium 2001John Kristoff - DePaul University14 References • Network Intrusion Detection, An Analyst's Handbook, by Stephen Northcutt • http://www.cerias.purdue.edu http://www.cerias.purdue.edu • http://www.usenix.org http://www.usenix.org • ids-request@uow.edu.au in body put "help" ids-request@uow.edu.au • http://www.research.att.com/~smb/ http://www.research.att.com/~smb/ • http://www.cert.org http://www.cert.org • http://networks.depaul.edu http://networks.depaul.edu

Download ppt "IDS Colloquium 2001John Kristoff - DePaul University1 Intrusion Detection Systems (IDS) John Kristoff +1 312 362-5878 DePaul University."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.

REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Intrusion Detection CS461/ECE422 Spring 2012. Reading Material Chapter 8 of the text.

Intrusion Detection CS461/ECE422 Spring Reading Material Chapter 8 of the text.
Anomaly Detection Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.

Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Security Forum 2001John Kristoff - DePaul University1 Network Firewalls John Kristoff +1 312 362-5878 DePaul University Chicago, IL 60604.

Security Forum 2001John Kristoff - DePaul University1 Network Firewalls John Kristoff DePaul University Chicago, IL
Sniffing the sniffers - detecting passive protocol analysers John Baldock, Intel Corp Craig Duffy, Bristol UWE.

Sniffing the sniffers - detecting passive protocol analysers John Baldock, Intel Corp Craig Duffy, Bristol UWE.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.

Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.
Intrusion Detection/Prevention Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality,

Intrusion Detection/Prevention Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality,
IPD - November 3, 2001John Kristoff - DePaul University1 Computer and Network Security John Kristoff +1 312 362-5878 DePaul University Chicago,

IPD - November 3, 2001John Kristoff - DePaul University1 Computer and Network Security John Kristoff DePaul University Chicago,
Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS 395-0 Professor Yan Chen.

Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS Professor Yan Chen.

Similar presentations

Ads by Google