Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intrusion Detection Systems Francis Chang Systems Software Lab OGI.

Published bySharlene Goodwin Modified over 8 years ago

Similar presentations

Presentation on theme: "Intrusion Detection Systems Francis Chang Systems Software Lab OGI."— Presentation transcript:

1 Intrusion Detection Systems Francis Chang Systems Software Lab OGI

2 The Papers [1] M. Crosbie, B. Kuperman, "A Building Block Approach to Intrusion Detection" [2] M. Wetz, Andrew Hutchison, "Interfacing Trusted Applications with Intrusion Detection Systems" [3] Y. Zhang, W. Lee, "Intrusion Detection in Wireless Ad-Hoc Networks" [4] G. Mansfield, K. Ohta, Y. Takei, N. Kato, Y. Nemoto, "Towards Trapping Wily Intruders in the Large"

3 A building Block Approach to Intrusion Detection Let’s first look at the first paper… [1] M. Crosbie, B. Kuperman, "A Building Block Approach to Intrusion Detection"

4 A new spin on how to build an IDS – “..motors the system looking for misuse actions that are indicative of attack. These misuses actions are called building blocks.” Need for a better data source for IDS (IDDS – Intrusion Detection Data Source) A building Block Approach to Intrusion Detection

5 Examples of building blocks: A building Block Approach to Intrusion Detection Modification of a system file Unexpected change user privileges of a running process Modify log files Change a global symbolic link Creating setuid programs

6 So what did they do? Build an in-kernel IDDS. A building Block Approach to Intrusion Detection

7 Crosbie/Kuperman argue that traditional IDS data sources are insufficient – let’s take a look at their argument. A building Block Approach to Intrusion Detection

8 syslogd: A building Block Approach to Intrusion Detection Often a popular IDS data source Often syslogd is used when a daemon “starts up, change configuration, encounter an error, or some other unusual behaviour occurs”

9 syslogd: (continued) A building Block Approach to Intrusion Detection Crosbie/Kuperman argues that the quality of the log messages is completely dependent on the programmers who wrote the system daemons. Early versions of syslogd could be attacked – buffer overflows, abnormal exits

10 Network Packet Traces: A building Block Approach to Intrusion Detection If only using network packet traces, you often lose context, and thus, cannot detect certain types of attacks.

11 Why is an in-kernel approach good? A building Block Approach to Intrusion Detection Time inside the kernel is “frozen” In-kernel design is more resilient to attack

12 Interfacing Trusted Apps The next paper - [2] M. Wetz, Andrew Hutchison, "Interfacing Trusted Applications with Intrusion Detection Systems"

13 This is funny: Interfacing Trusted Apps

14 The basic suggestion: Rewrite existing applications to take advantage of a syslogd/IDS system. Interfacing Trusted Apps

15

16 Intrusion Detection in Wireless Ad-hoc Networks Open Medium – attacks can come from anywhere, an go anywhere No clear topology – network is continually changing – no central points The problem:

17 Intrusion Detection in Wireless Ad-hoc Networks The solution: An IDS at every node Let’s take a closer look at the IDS…

18 Intrusion Detection in Wireless Ad-hoc Networks

19 Detecting Abnormal Routing Updates – Give each IDS a built-in GPS, and watch for unexpected # of route changes. (Statistical analysis)

20 Intrusion Detection in Wireless Ad-hoc Networks Detecting abnormal activities in other layers: Various independent monitors to detect anomolies in other protocol layers, and combine results into a confidence rating.

21 Intrusion Detection in Wireless Ad-hoc Networks Respond to intrusion detection by reconstructing the routing tables, and routing around the compromised node.

22 Towards Trapping Wily Intruders in the Large G. Mansfield, K. Ohta, Y. Takei, N. Kato, Y. Nemoto, "Towards Trapping Wily Intruders in the Large" The Basics: Monitor the network, and collect statistics. When the statistics deviate from “normal” behaviour, flag it. Extend SNMP to allow various networks to collaborate to track down the intruder

23 Towards Trapping Wily Intruders in the Large When a network is under attack, there is often a lot of suspicious network traffic – There are usually more: TCP-RESET packets ICMP echo & response ICMP Destination unreachable messages

24 Towards Trapping Wily Intruders in the Large ICMP Echo: Often occur in high volume when a network is under attack: Mapping out a network DDOS attacks SMURF Attacks – let’s take a look

25 Towards Trapping Wily Intruders in the Large 1.1.1.1 1.1.1.21.1.1.3 2.2.2.23.3.3.3 SMURF Attack Ping 1.1.1.255 from 3.3.3.3

26 Towards Trapping Wily Intruders in the Large 1.1.1.1 1.1.1.21.1.1.3 2.2.2.23.3.3.3 SMURF Attack Ping 1.1.1.255 from 3.3.3.3

27 Towards Trapping Wily Intruders in the Large 1.1.1.1 1.1.1.21.1.1.3 2.2.2.23.3.3.3 SMURF Attack Echo Reply

28 Towards Trapping Wily Intruders in the Large 1.1.1.1 1.1.1.21.1.1.3 2.2.2.23.3.3.3 SMURF Attack Many Echo Responses

29 Towards Trapping Wily Intruders in the Large TCP Resets: They do not occur too frequently in normal network traffic – but very often when a network is being attacked. Eg. Port Scanning Inverse Mapping – let’s take a look at this.

30 Towards Trapping Wily Intruders in the Large 1.1.1.1 1.1.1.21.1.1.3 2.2.2.22.2.2.3 ACK from 1.1.1.2 Inverse Mapping (Successful routing)

31 Towards Trapping Wily Intruders in the Large 1.1.1.1 1.1.1.21.1.1.3 2.2.2.22.2.2.3 TCP Reset Inverse Mapping (Successful routing)

32 Towards Trapping Wily Intruders in the Large 1.1.1.1 1.1.1.21.1.1.3 2.2.2.22.2.2.3 TCP Reset Inverse Mapping (Successful routing)

33 Towards Trapping Wily Intruders in the Large 1.1.1.1 1.1.1.21.1.1.3 2.2.2.22.2.2.3 No Response Inverse Mapping (Successful routing)

34 Towards Trapping Wily Intruders in the Large 1.1.1.1 1.1.1.21.1.1.3 2.2.2.22.2.2.3 ACK from 1.1.1.4 Inverse Mapping (Unsuccessful routing)

35 Towards Trapping Wily Intruders in the Large 1.1.1.1 1.1.1.21.1.1.3 2.2.2.22.2.2.3 TCP Reset Inverse Mapping (Unsuccessful routing)

36 Towards Trapping Wily Intruders in the Large 1.1.1.1 1.1.1.21.1.1.3 2.2.2.22.2.2.3 Inverse Mapping (Unsuccessful routing) ICMP No Route to Host

37 Towards Trapping Wily Intruders in the Large So, now that we know what we’re looking for, how do we find it? Let’s just use some simple math – isolate patterns with least-squares curve fitting, and find corelations between network traffic.

38 Towards Trapping Wily Intruders in the Large

39 Tracing an attack

40 Towards Trapping Wily Intruders in the Large This system does not rely on specific types of attack/patterns/signatures, and does not attempt to reconstruct a detailed transaction log, relying only on statistics. Can traceback the flow of the attack

Download ppt "Intrusion Detection Systems Francis Chang Systems Software Lab OGI."

Similar presentations

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
CSC458 Programming Assignment II: NAT Nov 7, 2014.

CSC458 Programming Assignment II: NAT Nov 7, 2014.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.

CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.
1 Semester 2 Module 4 Learning about Other Devices Yuda college of business James Chen

1 Semester 2 Module 4 Learning about Other Devices Yuda college of business James Chen
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,

Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
1 CCNA 2 v3.1 Module 4. 2 CCNA 2 Module 4 Learning about Devices.

1 CCNA 2 v3.1 Module 4. 2 CCNA 2 Module 4 Learning about Devices.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
CS155: Computer and Network Security Programming Project 3 – Spring 2008 Craig Gentry, Naef Imam, Arnab Roy {cgentry, nimam, Thanks.

CS155: Computer and Network Security Programming Project 3 – Spring 2008 Craig Gentry, Naef Imam, Arnab Roy {cgentry, nimam, Thanks.
COS 338 Day 16. 2 DAY 16 Agenda Capstone Proposals Overdue 3 accepted, 3 in mediation Capstone progress reports still overdue I forgot to mark in calendar.

COS 338 Day DAY 16 Agenda Capstone Proposals Overdue 3 accepted, 3 in mediation Capstone progress reports still overdue I forgot to mark in calendar.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
ICMP: Ping and Trace CCNA 1 version 3.0 Rick Graziani Spring 2005.

ICMP: Ping and Trace CCNA 1 version 3.0 Rick Graziani Spring 2005.
Passive traffic measurement Capturing actual Internet packets in order to measure: –Packet sizes –Traffic volumes –Application utilisation –Resource utilisation.

Passive traffic measurement Capturing actual Internet packets in order to measure: –Packet sizes –Traffic volumes –Application utilisation –Resource utilisation.
Autonomous Anti-DDoS Network V2.0 (A2D2-2) Sarah Jelinek University Of Colorado, Colo. Spgs. Spring Semester 2003, CS691 Project.

Autonomous Anti-DDoS Network V2.0 (A2D2-2) Sarah Jelinek University Of Colorado, Colo. Spgs. Spring Semester 2003, CS691 Project.

Similar presentations

Ads by Google