1 Improving Intrusion Detection System Taminee Shinasharkey CS689 11/2/00

2 Introduction An intrusion is when a user takes an action that the user was not authorized to take. An intrusion attempt (Anderson, 1980) is defined as the potential possibility of a deliberate unauthorized attempt to - Access information - Manipulate information, or - Render a system unreliable or unusable.

3 Introduction (cont) Intrusion detection involves determining that an intruder has tried to gain, or has gained, unauthorized access to the system. Most intrusion detection systems attempt to detect a presumed intrusion and alert a system administrator, who then takes action to stop the intrusion. An audit record is a record of activities on a system that are logged to a file in chronological order.

4 [Figure: image from Lincoln Laboratory, Massachusetts Institute of Technology]

5 Intrusion Classification The COAST group at Purdue University defined an intrusion as any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource. There are two techniques of intrusion detection: 1. Anomaly Detection – based on observed deviations from normal system usage patterns. 2. Misuse Detection – based on known patterns of attack against weak points of a system.

6 Anomaly Detection Tries to detect bad behavior as the complement of normal behavior. The system establishes a profile of normal activity for a system and flags all states that deviate from the established profile. It must be able to distinguish between anomalous and normal behavior; since unusual is not the same as intrusive, legitimate but rare activity shows up as false alarms.

7 Anomaly Detection [Figure: block diagram of a typical anomaly detection system]

8 Misuse Detection Tries to recognize known bad behavior. The system detects attacks by matching activity against a pattern or signature of each attack, written so that variations of the same attack are also detected. It is concerned with catching intruders who attempt to break into a system by exploiting some known vulnerability; an attack for which no signature exists goes unnoticed.

9 Misuse Detection [Figure: block diagram of a typical misuse detection system]
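The two techniques of slides 5 to 9 side by side, as an added example that is not part of the original presentation: an anomaly detector that builds a per-user profile (programs run, hours active) from a training day of audit records and flags deviations on a later day, and a misuse detector that runs signatures over the same records. The audit log lines, user names, thresholds and the two signatures are constructed for the illustration, not taken from any real system.

```python
"""Anomaly detection vs. misuse detection over constructed audit records."""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Constructed audit records, one per line: ISO timestamp, user, command line.
# The first day is used to build the "normal" profile, the second is inspected.
TRAINING_LOG = """\
2000-11-01T09:02:11 alice ls -l /home/alice
2000-11-01T09:05:40 alice vi report.txt
2000-11-01T10:10:03 alice ls
2000-11-01T14:30:27 alice mail bob
2000-11-01T16:01:55 alice ls -la
2000-11-01T08:30:12 bob make
2000-11-01T08:45:09 bob gcc -o prog prog.c
2000-11-01T11:00:44 bob make clean
2000-11-01T11:05:00 bob cp prog /home/bob/bin/prog
2000-11-01T15:20:31 bob vi prog.c
"""

DETECTION_LOG = """\
2000-11-02T09:10:00 alice ls -l
2000-11-02T02:15:33 alice ls /etc
2000-11-02T02:16:10 alice cat /etc/shadow
2000-11-02T11:00:05 bob make
2000-11-02T11:05:41 bob cp /etc/shadow /tmp/.s
2000-11-02T11:07:12 mallory chmod 4755 /tmp/sh
"""

# Misuse signatures (hypothetical): each is written as a regex so that
# variations of the same attack (different reader program, different octal
# mode) still match, as slide 8 asks of a signature.
SIGNATURES = [
    ("read of shadow password file",
     re.compile(r"\b(cat|less|more|cp|head|tail|vi)\b.*\s/etc/shadow\b")),
    ("setuid bit set on a file",
     re.compile(r"\bchmod\b.*(\b[4-7][0-7]{3}\b|[ugoa]*\+[rwx]*s)")),
]


def parse_audit(text):
    """Turn the constructed log into a list of {ts, user, cmd} records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, cmd = line.split(" ", 2)
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "cmd": cmd})
    return records


def build_profiles(records):
    """Per-user profile of normal usage: program frequencies and active hours."""
    profiles = defaultdict(lambda: {"commands": Counter(), "hours": set()})
    for r in records:
        p = profiles[r["user"]]
        p["commands"][r["cmd"].split()[0]] += 1
        p["hours"].add(r["ts"].hour)
    return profiles


def anomaly_detect(records, profiles):
    """Flag records that deviate from the user's profile; returns (record, reasons)."""
    alerts = []
    for r in records:
        p = profiles.get(r["user"])
        reasons = []
        if p is None:
            reasons.append("no profile for user")
        else:
            prog = r["cmd"].split()[0]
            if prog not in p["commands"]:
                reasons.append(f"program {prog!r} never seen for {r['user']}")
            if r["ts"].hour not in p["hours"]:
                reasons.append(f"activity at hour {r['ts'].hour:02d} outside profile")
        if reasons:
            alerts.append((r, reasons))
    return alerts


def misuse_detect(records, signatures=SIGNATURES):
    """Flag records matching a known-attack signature; returns (record, name)."""
    return [(r, name) for r in records for name, pat in signatures if pat.search(r["cmd"])]


def run_example():
    """Return both detectors' findings keyed by (user, command line)."""
    profiles = build_profiles(parse_audit(TRAINING_LOG))
    detect = parse_audit(DETECTION_LOG)
    anomalies = {(r["user"], r["cmd"]): reasons for r, reasons in anomaly_detect(detect, profiles)}
    misuses = {(r["user"], r["cmd"]): name for r, name in misuse_detect(detect)}
    return anomalies, misuses


if __name__ == "__main__":
    anomalies, misuses = run_example()
    for key, reasons in anomalies.items():
        print("ANOMALY", key, "; ".join(reasons))
    for key, name in misuses.items():
        print("MISUSE ", key, name)
```

The two detectors disagree in the expected way: alice listing /etc at two in the morning is only an anomaly (nothing is known-bad about ls), bob copying the shadow file during his normal working hours with a program he uses every day is only a misuse match, and mallory, who has no profile at all, is caught by both. Which gaps remain is exactly the trade-off the slides describe: the anomaly detector needs a trustworthy training period, and the misuse detector needs a signature for every attack it is expected to see.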

10 Intruder Classification Intruders are classified into two groups. 1. External intruders – unauthorized users of the systems they attack. 2. Internal intruders – users who have some authority on the system: - Masqueraders – external intruders who have succeeded in gaining access to the system under a legitimate user's identity (e.g. a credit card defrauder). - Legitimates – users who have access to sensitive data but misuse this access. - Clandestine – intruders who have enough control of the system to turn off audit controls for themselves.

11 Problem Description An Application Intrusion Detection System is concerned with anomaly detection more than misuse detection. Since OS Intrusion Detection and Application Intrusion Detection observe the same basic entities from different levels, there should be some correlation between events at the operating system and application levels. Is it possible to have these two systems cooperate in order to improve the effectiveness of the Intrusion Detection System?

12 Research Objectives The goal of this research is to improve the effectiveness of intrusion detection and to explore how an OS Intrusion Detection System might cooperate with an Application Intrusion Detection System to achieve this goal.

13 OS Intrusion Detection System The differences between an OS IDS and an Application IDS: Detects external intruders. Organizes events so that each event is associated with the process, the user who started the process, or the user on whose behalf the process was executed. Lower resolution: views a file as a container whose contents cannot be deciphered except for changes in size. Can only define a relation on a file as a whole, such as whether or not it was changed in the last period of time.

14 Application Intrusion Detection System Only detects internal intruders, after they have either penetrated the operating system to get access to the application or been given some legitimate access to the application. May not be set up to perform the mapping between an event and the entity causing the event. Higher resolution: can define a relation on the individual records or fields of a file.

15 Similarities Both attempt to detect intrusion by evaluating relations that differentiate anomalous from normal behavior. Both observe the same database file (it is the same size from either view). Structure: both could build event records containing listings of all events and the associated event-causing entities of the application, using whatever form of identification is available.
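The cooperation that slides 13 to 15 argue for, as an added example that is not code from the original presentation: the OS-level audit attributes each write to a process and user but sees the database only as an opaque file (resolution: did the size change?), while the application-level audit sees which record and field changed but carries no user identity. Joining the two on the file and a time window supplies the missing event-causing entity, after which an application-level rule can be checked. The file path, audit line formats, the two-second window and the "only payroll may change salary" policy are all hypothetical, and the log lines are constructed for the illustration.

```python
"""Correlating OS-level and application-level audit records (constructed)."""
from datetime import datetime, timedelta
import re

DB_FILE = "/srv/payroll/employees.db"  # hypothetical application data file

# Constructed OS-level audit: attributed to pid and user, but the file is a
# container whose contents are unknown beyond its size.
OS_AUDIT = """\
2000-11-02T10:00:01 pid=412 user=payroll open /srv/payroll/employees.db
2000-11-02T10:00:03 pid=412 user=payroll write /srv/payroll/employees.db size=4096->4096
2000-11-02T10:04:55 pid=519 user=bob write /srv/payroll/employees.db size=4096->4096
2000-11-02T10:09:00 pid=412 user=payroll write /srv/payroll/employees.db size=4096->4352
"""

# Constructed application-level audit: record/field resolution, no identity.
APP_AUDIT = """\
2000-11-02T10:00:03 record=1007 field=address old="1 Main St" new="2 Oak Ave"
2000-11-02T10:04:56 record=1007 field=salary old=52000 new=152000
2000-11-02T10:09:01 record=1042 field=name old= new="C. Doe"
2000-11-02T10:15:30 record=1007 field=salary old=152000 new=52000
"""

OS_RE = re.compile(r"(\S+) pid=(\d+) user=(\S+) (\w+) (\S+)(?: size=(\d+)->(\d+))?")
APP_RE = re.compile(r'(\S+) record=(\d+) field=(\w+) old=("[^"]*"|\S*) new=("[^"]*"|\S*)')

# Hypothetical application policy: which accounts may change which fields.
PRIVILEGED_FIELDS = {"salary": {"payroll"}}
WINDOW = timedelta(seconds=2)  # assumed clock skew between the two audit trails


def parse_os(text):
    """OS audit lines -> list of dicts; size_changed is all the OS view knows."""
    events = []
    for line in text.splitlines():
        m = OS_RE.match(line.strip())
        if not m:
            continue
        ts, pid, user, op, path, before, after = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid), "user": user,
                       "op": op, "path": path,
                       "size_changed": before is not None and before != after})
    return events


def parse_app(text):
    """Application audit lines -> list of dicts with record and field detail."""
    events = []
    for line in text.splitlines():
        m = APP_RE.match(line.strip())
        if not m:
            continue
        ts, rec, field, old, new = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "record": int(rec),
                       "field": field, "old": old.strip('"'), "new": new.strip('"')})
    return events


def attribute(app_event, os_events):
    """Nearest OS write to the data file within WINDOW, or None if there is none."""
    candidates = [e for e in os_events
                  if e["op"] == "write" and e["path"] == DB_FILE
                  and abs(e["ts"] - app_event["ts"]) <= WINDOW]
    return min(candidates, key=lambda e: abs(e["ts"] - app_event["ts"]), default=None)


def correlate(os_text=OS_AUDIT, app_text=APP_AUDIT):
    """Attach a user to each application-level change and judge it."""
    os_events, app_events = parse_os(os_text), parse_app(app_text)
    findings = []
    for a in app_events:
        w = attribute(a, os_events)
        if w is None:
            # Field changed but no process wrote the file: audit gap or a
            # clandestine intruder who got around the OS audit.
            user, pid, verdict = None, None, "unattributed"
        else:
            user, pid = w["user"], w["pid"]
            allowed = PRIVILEGED_FIELDS.get(a["field"])
            verdict = "misuse" if allowed and user not in allowed else "ok"
        findings.append({"record": a["record"], "field": a["field"],
                         "user": user, "pid": pid, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in correlate():
        print(f)
```

Neither level alone sees the problem: the OS audit shows only that bob wrote the payroll file without changing its size, and the application audit shows only that a salary tripled. Correlated, the salary change is attributed to bob's process and the policy check fires. The final change, with no OS-level writer near it, is the case slide 10 calls clandestine and is worth an alert of its own rather than being silently treated as benign.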

16 Literature review The COAST laboratory at Purdue University characterized a good Intrusion Detection System as having the following qualities: - Run continually – the system must be reliable enough to run in the background of the system being observed. - Fault tolerant – the system must survive a system crash without having to rebuild its knowledge base at restart. - Resist subversion – the system must be able to monitor itself to ensure that it has not been subverted.

17 Literature Review (cont) - Minimal overhead – a system that slows a computer to a crawl will not be used. - Observe deviations from normal behavior. - Easily tailored – every system has a different usage pattern, and the defense mechanism should adapt easily to those patterns. - Cope with changing system behavior – the system profile will change over time, and the Intrusion Detection System must be able to adapt. - Difficult to fool.

18 Literature Review (cont) The Information Systems Technology Group of MIT Lincoln Laboratory, under Defense Advanced Research Projects Agency (DARPA) Information Technology Office and Air Force Research Laboratory (AFRL/SNHS) sponsorship, collected data for and evaluated computer network intrusion detection systems in 1998 and 1999.

19 Benefits of this Research We will learn whether an Application Intrusion Detection System can cooperate with an OS Intrusion Detection System and thereby improve the ability of Intrusion Detection Systems to defend against intruders.

20 Research Design - Case study of an Application Intrusion Detection System. - Study the differences between, and the cooperation of, the Application Intrusion Detection System and the OS Intrusion Detection System. - Research the possibility of the two systems working cooperatively.

21 Conclusion The Application Intrusion Detection System can be more effective in detecting intruders than the OS Intrusion Detection System because it operates at a higher resolution. But since the Application Intrusion Detection System depends on the OS Intrusion Detection System to attribute events to the users and processes that caused them, and only the OS Intrusion Detection System can detect external intruders, we need an OS Intrusion Detection System and an Application Intrusion Detection System that cooperate, for increased potential in detecting intruders.

22 Thank you.

