Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.


1 Intrusion Detection Presentation: 1 of n, by Manish Mehta, 01/24/03

2 Introduction
The 3 fundamental needs of Computer Security:
- Prevention
- Detection
- Response
All 3 components are needed for comprehensive protection.

3 Security in Business
You can lock all the doors and stay safe, or you can open the doors and do some business.

4 What is Intrusion Detection (ID)?
ID is the art of detecting and responding to computer misuse.
The selection of an ID system should be based on environment-specific requirements. (How do you want to define an Intrusion?)

5 Terms you should know
- ID – Detecting unauthorized access to a computer and/or a network.
- Misuse Detection – Detecting behavior that matches patterns of misuse.
- Anomaly Detection – Detecting deviations from acceptable behavior profiles.

6 Terms you should know (contd.)
- False-positive – An alarm that is not misuse.
- False-negative – Misuse that is not detected or alarmed.
- IDS – A system that collects information from a variety of system and network sources, and then analyzes the information for signs of intrusion and misuse.

7 In general we can say..
- Intrusion – Attacks originating outside the organization.
- Misuse – Attacks originating inside the organization.

8 Let's take a step back!
ID – A historical perspective.
ID has exploded in recent years, but the roots of ID are considerably more humble. Initially it focused on host-based event log analysis.

9 Brief Timeline of ID research
- 1980 – A technical report said that audit records can be used to identify misuse.
- 1985 – SRI was funded by the US Navy to build a prototype ID Expert System (IDES).
- 1986 – First paper, “An ID model”.
- 1987 – First annual ID workshop at SRI.
- 1989 – A student at UCD wrote the Network Security Monitor (NSM).

10 Timeline (Contd.)
- 1990 – The US Navy completed a study of ID research projects and selected one.
- 1992 – Computer Misuse Detection System (CMDS) developed by SAIC.
- 1994 – A research group at the Air Force created ASIM, a robust IDS.
- 1997 – Cisco began building network ID into Cisco routers.

11 Timeline (Contd.)
- 1999 – The Federal ID Network (FIDNet) was created to detect network infrastructure attacks against government sites.
- After that – A lot of research papers and implementations.

12 Network vs. Host-based ID
All ID methods are basically based on analysis of a set of discrete, time-sequenced events for patterns of misuse.
- Host-based ID – examines events such as file access and application execution.
- Network-based ID – examines network traffic.

13 Which one do you need?
For comprehensive detection? BOTH!
Each has pros and cons that should be measured against the requirements of the environment.
Systems using both kinds of detection are called “Hybrid Systems”.

14 Anatomy of IDS
ID Systems have 2 main tasks:
- Detecting
- Responding

15 Command Console
The authority for controlling the entire system (its nerve system). Does it have a “remote” feature?
It has tools for setting policies and processing collected alarms.
- Assessment manager – controls the collection of static configuration info.
- Target manager – maintains the connection with components on the target side.
- Alert manager – collects and maintains alert data.

16 Network Sensors
Basically 2 types:
- Promiscuous-mode sensors reside on dedicated machines.
- Network-node sensors run on the machines they monitor.

17 Alert Notification System
The basic task is to notify the security officer. How??
- On-screen alerts
- Audible alerts
- Paging
- e-mail
- SNMP (wow!)

18 Response Subsystem
Takes actions based on threats to the target systems:
- automatic
- system operator (manual)
What actions?
- reconfiguration
- shut down the connection

19 Database
Repository for statistics.
Useful for damage assessment and investigation.

20 ID Process
Have a simple but effective policy. The policy defines acceptable activity (e.g. how to treat a ping sweep, or a packet coming in from outside whose source address is one from inside).
Policies make the rules for the IDS.

21 Traditional audit vs. ID
Understanding the difference will influence the requirement definition.
Traditional Audit:
- Counting and confirming periodically
- Password policies
- Security patches
- Guest account enabled (Shouldn’t be!!)
- Locking screen-savers enabled (Shouldn’t be!!)

22 Then what is the difference?
ID Systems look for differences in patterns of behavior, as opposed to the state of controls. e.g.
- A configuration scanner will check for a password policy.
- An IDS looks for 3 failed login attempts.
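The two rules the slides use as examples, the packet from outside carrying an inside source address (slide 20) and the three failed login attempts (slide 22), can both be expressed as rules over a stream of time-sequenced events, which is the pattern-of-behavior view slide 22 contrasts with a configuration scanner. The following is an added example written for this page, not code from the presentation; the event records, the interface name "outside", the 10.0.0.0/8 internal range, the 60-second window and the field names are all constructed for the demo.

```python
"""Tiny rule-based IDS over constructed event records (added example).

Two rules taken from the slides:
  * network rule: a packet arriving on the outside interface whose source
    address lies in the organisation's own address range;
  * host rule: 3 failed logins for the same account and source within a
    short time window.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("10.0.0.0/8")  # assumed internal range (constructed)
FAILED_LOGIN_THRESHOLD = 3             # slide 22: "3 failed login attempts"
WINDOW_SECONDS = 60                    # assumed window; the slide gives none


def rule_spoofed_source(event):
    """Slide 20: packet from outside with an inside source address."""
    if event.get("type") != "packet" or event.get("iface") != "outside":
        return None
    if ip_address(event["src"]) in INSIDE_NET:
        return f"inside source {event['src']} seen on outside interface"
    return None


class FailedLoginRule:
    """Slide 22: alert once N failures for (user, src) fall inside the window."""

    def __init__(self, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)  # (user, src) -> failure timestamps

    def __call__(self, event):
        if event.get("type") != "login":
            return None
        key = (event["user"], event["src"])
        if event["result"] == "success":
            self.history.pop(key, None)  # a success ends the failure run
            return None
        times = self.history[key]
        times.append(event["ts"])
        # drop failures older than the window so a slow trickle does not alert
        while times and event["ts"] - times[0] > self.window:
            times.popleft()
        if len(times) >= self.threshold:
            count = len(times)
            times.clear()  # one alert per burst, not one per extra failure
            return (f"{count} failed logins for {key[0]} from {key[1]} "
                    f"within {self.window}s")
        return None


def run_ids(events, rules):
    """Feed every event to every rule; collect (timestamp, message) alerts."""
    alerts = []
    for ev in events:
        for rule in rules:
            msg = rule(ev)
            if msg:
                alerts.append((ev["ts"], msg))
    return alerts


# Constructed sample events: one spoofed packet, one burst of failures for
# alice, and a run for bob that is reset by a successful login.
SAMPLE_EVENTS = [
    {"ts": 0,  "type": "packet", "iface": "outside", "src": "203.0.113.7", "dst": "10.0.0.5"},
    {"ts": 1,  "type": "packet", "iface": "outside", "src": "10.0.0.9",    "dst": "10.0.0.5"},
    {"ts": 5,  "type": "login", "user": "alice", "src": "198.51.100.4", "result": "fail"},
    {"ts": 8,  "type": "login", "user": "alice", "src": "198.51.100.4", "result": "fail"},
    {"ts": 12, "type": "login", "user": "alice", "src": "198.51.100.4", "result": "fail"},
    {"ts": 20, "type": "login", "user": "bob",   "src": "198.51.100.4", "result": "fail"},
    {"ts": 25, "type": "login", "user": "bob",   "src": "198.51.100.4", "result": "success"},
    {"ts": 30, "type": "login", "user": "bob",   "src": "198.51.100.4", "result": "fail"},
    {"ts": 35, "type": "login", "user": "bob",   "src": "198.51.100.4", "result": "fail"},
]


def demo():
    """Run both rules over the sample events; returns exactly two alerts."""
    return run_ids(SAMPLE_EVENTS, [rule_spoofed_source, FailedLoginRule()])


if __name__ == "__main__":
    for ts, msg in demo():
        print(f"t={ts:>3} ALERT {msg}")
```

The window and the reset-on-success are the knobs that trade false positives against false negatives (slide 6): a shorter window or a higher threshold silences a user who simply mistypes a password, at the cost of missing a slow guessing attempt.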

23 Integrity Checkers
Use MD5 or CRC:
- Tripwire
- Tools in COPS
The IDS can track the exact modification information. It is used for mission-critical files only.

24 Un/acceptable behavior
Infinite possibilities. Breaking down “misuse” into categories can help:
- unauthorized access/reading
- unauthorized modification
- DoS

25 Detecting deviation from acceptable behavior
There is no HARD line between un/acceptable behavior.
3 models:
- Perfect acceptable behavior model
- Real world behavior model
- Perfect unacceptable behavior model

26 So, ID: Science or Art??
The factor to be considered here is the noise from ID. ID tools are really best used as support systems, as opposed to definitive measuring devices. So it's more of an Art of defining rules.
p.s. Researchers don’t like their projects being compared with ‘Art’.

27 Questions ?

28 Until then..

