
Computer Network Forensics Lecture 6 – Intrusion Detection © Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering,


1 Computer Network Forensics, Lecture 6 – Intrusion Detection
© Joe Cleetus, Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering, WVU

2 Intrusion Detection
– Methods
– Tools
– Practices

3 Intrusion Detection
– Network Intrusion Detection is the process of searching network traffic for intrusions and signs of intrusions

4 Firewalls fail to prevent Intrusion
– Firewalls are designed to implement an access control policy
– E.g., a firewall policy might be: HTTP traffic to the Web server is good, while FTP traffic is bad
– Once a firewall has accepted a connection, it will not check that connection for signs of intrusion

5 Firewalls fail to prevent Intrusion
– Network Intrusion Detection Systems (NIDS) look for intrusions on your network and report whenever an intrusion is found
– Example: Snort at http://www.snort.org, an open source product

6 Snort Overview
– Many command line options to play with
– 3 modes of use: sniffer, packet logger, and network intrusion detection system
1. Sniffer: snort -v (show packets) or snort -vd (show packets and headers)
2. Packet Logger: snort -dev -l ./log
3. Network Intrusion Detection (NIDS) mode: snort -dev -l ./log -c snort.conf (snort.conf has the rules database)

7 Snort – Writing Rules
– http://www.snort.org/docs/lisapaper.txt – a simple intro
– http://www.snort.org/docs/writing_rules/
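To make the rule syntax behind slides 6 and 7 concrete, the following is an added example (not part of the lecture and not Snort's own code) of a minimal rule engine in Python. It parses the header (action, protocol, addresses, ports) and the msg, content, flow and sid options of Snort-style rules, then runs them over constructed packets. Every packet, rule and address in it is made up; the Packet fields (direction, established state) are an assumption about what an upstream decoder would provide. The flow option is what lets a rule inspect only the relevant direction and connection state, so the same content string in a server reply does not fire the stateful rule but does fire the deliberately stateless one.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


# Constructed packet record (assumption: decoding from pcap happened upstream).
@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    to_server: bool = True      # direction inside the TCP session
    established: bool = True    # three-way handshake already completed


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: Optional[int] = None
    contents: List[bytes] = field(default_factory=list)
    flow: Set[str] = field(default_factory=set)


# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# Option body: key:value; where value may be a double-quoted string
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]+)\s*;')


def parse_rule(text: str) -> Rule:
    """Parse the subset of Snort rule syntax used here: msg, content, flow, sid."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    rule = Rule(m["action"], m["proto"].lower(), m["src"], m["sport"], m["dst"], m["dport"])
    for key, raw in OPTION_RE.findall(m["opts"]):
        val = raw.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "content":
            rule.contents.append(val.encode())
        elif key == "flow":
            rule.flow = {f.strip() for f in val.split(",")}
    return rule


def _field_ok(spec: str, value: str) -> bool:
    """'any' matches everything; a leading '!' negates; otherwise exact match."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return value != spec[1:]
    return value == spec


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto.lower():
        return False
    if not (_field_ok(rule.src, pkt.src) and _field_ok(rule.sport, str(pkt.sport))
            and _field_ok(rule.dst, pkt.dst) and _field_ok(rule.dport, str(pkt.dport))):
        return False
    # flow makes the signature stateful: only the relevant direction and connection
    # state are inspected, so an echo of the pattern in a reply does not fire.
    if "to_server" in rule.flow and not pkt.to_server:
        return False
    if "to_client" in rule.flow and pkt.to_server:
        return False
    if "established" in rule.flow and not pkt.established:
        return False
    return all(c in pkt.payload for c in rule.contents)


def run_rules(rules: List[Rule], packets: List[Packet]):
    """Return (sid, msg) for every alert rule that fires, in packet order."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.action == "alert" and matches(rule, pkt):
                alerts.append((rule.sid, rule.msg))
    return alerts


# Constructed rules: two stateful signatures and one deliberately stateless one
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 21 (msg:"FTP root login attempt"; flow:to_server,established; content:"USER root"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"HTTP directory traversal"; flow:to_server,established; content:"../"; sid:1000002;)',
    'alert tcp any any -> any any (msg:"stateless root string"; content:"USER root"; sid:1000003;)',
]]

# Constructed traffic: a root login, the server reply echoing the string, a traversal
# request, and the same pattern inside a connection that never completed its handshake
PACKETS = [
    Packet("tcp", "10.0.0.5", 40001, "10.0.0.9", 21, b"USER root\r\n"),
    Packet("tcp", "10.0.0.9", 21, "10.0.0.5", 40001, b"530 USER root not allowed\r\n", to_server=False),
    Packet("tcp", "10.0.0.5", 40002, "10.0.0.9", 80, b"GET /../../private.txt HTTP/1.0\r\n\r\n"),
    Packet("tcp", "10.0.0.5", 40003, "10.0.0.9", 80, b"GET /../ HTTP/1.0\r\n\r\n", established=False),
]

if __name__ == "__main__":
    for sid, msg in run_rules(RULES, PACKETS):
        print(f"[{sid}] {msg}")
```

The stateless rule (sid 1000003) fires twice, once on the client's login and once on the server's reply that merely echoes the string; that second alert is exactly the kind of false positive a stateful signature avoids. Real Snort rules carry many more options (nocase, offset, pcre, classtype and so on), which this parser simply ignores.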

8 Preventing Intrusion
– Method 1: signature-based detection, which compares traffic to signatures of well-known intrusion techniques (like anti-virus software)
– Method 2: protocol anomaly detection, which compares the actual traffic on the network to the specifications of each protocol (such as HTTP and FTP) and reports anomalies

9 Detecting Intrusion
– A "root" login can be detected only with a signature; DNS cache poisoning can be detected only with protocol anomaly detection
– Hence, implement as many intrusion detection methods as possible
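Slides 8 and 9 contrast signature matching with protocol anomaly detection and give DNS cache poisoning as the case where only the latter works. The following is an added example, not from the lecture, of what a protocol-level check on DNS responses looks like: a response is compared against the resolver's own outstanding queries rather than against any attack pattern. It flags three deviations from expected protocol behaviour: a response whose transaction ID and question match no outstanding query, a response from an address other than the server the query went to, and records whose names fall outside the zone the queried server is responsible for (the "bailiwick" check). All query and response records are constructed, and the Query.zone field is an assumption standing in for the resolver's knowledge of which zone a server is authoritative for.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Query:
    txid: int
    qname: str
    server: str   # address the resolver sent the query to
    zone: str     # zone the resolver believes that server is authoritative for


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    data: str


@dataclass
class Response:
    txid: int
    qname: str
    source: str
    answers: List[RR]
    additional: List[RR]


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it."""
    n, z = _norm(name), _norm(zone)
    return n == z or n.endswith("." + z)


def check_response(pending: Dict[Tuple[int, str], Query], resp: Response) -> List[str]:
    """Return the protocol anomalies found in resp (an empty list means it passes)."""
    problems: List[str] = []
    query = pending.get((resp.txid, _norm(resp.qname)))
    if query is None:
        # Nothing outstanding with this ID and question: an unsolicited response
        problems.append("no matching outstanding query for txid/qname")
        return problems
    if resp.source != query.server:
        problems.append(f"response came from {resp.source}, query went to {query.server}")
    for section, records in (("answer", resp.answers), ("additional", resp.additional)):
        for rr in records:
            if not in_bailiwick(rr.name, query.zone):
                problems.append(f"{section} record {rr.name} is outside zone {query.zone}")
    return problems


def audit(pending: Dict[Tuple[int, str], Query], responses: List[Response]) -> Dict[int, List[str]]:
    """Map response index -> anomalies, for the responses that have any."""
    return {i: p for i, r in enumerate(responses) if (p := check_response(pending, r))}


# Constructed state: one outstanding query, keyed the way a resolver would look it up
PENDING = {
    (0x1A2B, "www.example.com"): Query(0x1A2B, "www.example.com", "192.0.2.53", "example.com"),
}

# Constructed responses: a clean one, then three that each deviate from the protocol
RESPONSES = [
    Response(0x1A2B, "www.example.com", "192.0.2.53",
             [RR("www.example.com", "A", "198.51.100.10")],
             [RR("ns1.example.com", "A", "192.0.2.53")]),
    Response(0x9999, "www.example.com", "192.0.2.53",
             [RR("www.example.com", "A", "198.51.100.10")], []),
    Response(0x1A2B, "www.example.com", "203.0.113.7",
             [RR("www.example.com", "A", "198.51.100.10")], []),
    Response(0x1A2B, "www.example.com", "192.0.2.53",
             [RR("www.example.com", "A", "198.51.100.10")],
             [RR("mail.other.example", "A", "203.0.113.9")]),
]

if __name__ == "__main__":
    for idx, reasons in audit(PENDING, RESPONSES).items():
        print(f"response {idx}: " + "; ".join(reasons))
```

None of these checks needs a signature: each one compares a field of the response with what the protocol exchange itself says to expect, which is why the slide's point holds that a poisoning attempt with no fixed byte pattern is still visible at the protocol level.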

10 Errors
– A false positive happens when an NIDS reports an intrusion in valid traffic
– The quality of the signature database has to do with this
– Snort, for example, would generate many false positives, as opposed to some commercial products

11 Preventing Intrusion
– To prevent attacks, you need an IDP (intrusion detection and prevention)
– An IDP is deployed inline in the packet path and blocks intrusions as they are detected
– An IDP product can be found at http://www.onesecure.com

12 OneSecure Intrusion Detection and Prevention (IDP) System
Accurate Attack Detection
– Multiple methods to detect more attacks
– Stateful signatures to reduce false positives
Prevention
– Drop packets as they are detected
Management
– Easy rule-based approach

13 Multiple Methods of Attack Detection
Stateful Signature Detection
– IDP tracks the state of a connection and looks for attack patterns in only the relevant portions of the traffic
Protocol Anomaly Detection
– Protocol anomaly detection can be used to identify attacks that deviate from the protocols that "normal" traffic follows

14 Multiple Methods of Attack Detection
Backdoor Detection
– IDP identifies the unique characteristics of interactive traffic and sends an alarm for unexpected activity
Traffic Anomaly Detection
– Traffic anomaly detection can identify reconnaissance activity by comparing incoming traffic to "normal" traffic patterns and identifying deviations
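The traffic anomaly method on slide 14 is described only in outline, so here is an added example (not from the lecture and not OneSecure's implementation) of the simplest version of it: learn from a "normal" period how many distinct destination/port pairs each source touches per time window, then flag any source in the current period that exceeds the baseline mean plus k standard deviations, with a fixed floor so that a very quiet baseline does not produce a trivial threshold. Port sweeps show up as one source touching far more distinct targets than its peers. All hosts, services and flow records are constructed in the block itself; the flow tuple layout, the window size and the k and floor parameters are assumptions chosen for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[float, str, str, int]   # (timestamp seconds, src ip, dst ip, dst port)


def make_normal_flows(start: float, hosts: List[str], services: List[Tuple[str, int]],
                      per_host: List[int]) -> List[Flow]:
    """Constructed 'normal' period: each host touches a handful of known services."""
    flows: List[Flow] = []
    for i, host in enumerate(hosts):
        for j in range(per_host[i]):
            dst, port = services[(i + j) % len(services)]
            flows.append((start + j * 5.0, host, dst, port))
    return flows


def distinct_targets(flows: List[Flow], window: float) -> Dict[Tuple[str, int], int]:
    """Number of distinct (dst, port) pairs each source touched in each time window."""
    seen = defaultdict(set)
    for ts, src, dst, dport in flows:
        seen[(src, int(ts // window))].add((dst, dport))
    return {key: len(targets) for key, targets in seen.items()}


def build_baseline(flows: List[Flow], window: float) -> Tuple[float, float]:
    """Mean and population standard deviation of per-source, per-window target counts."""
    counts = list(distinct_targets(flows, window).values())
    return mean(counts), pstdev(counts)


def detect_recon(flows: List[Flow], baseline: Tuple[float, float], window: float,
                 k: float = 3.0, floor: int = 10) -> Tuple[float, Dict[str, int]]:
    """Flag sources whose distinct-target count exceeds mean + k*stdev (never below floor)."""
    mu, sigma = baseline
    threshold = max(floor, mu + k * sigma)
    flagged: Dict[str, int] = {}
    for (src, _win), n in distinct_targets(flows, window).items():
        if n > threshold:
            flagged[src] = max(flagged.get(src, 0), n)
    return threshold, flagged


# Constructed environment: five workstations and five internal services
HOSTS = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14", "10.0.0.15"]
SERVICES = [("10.0.1.10", 80), ("10.0.1.10", 443), ("10.0.1.20", 25),
            ("10.0.1.30", 53), ("10.0.1.40", 22)]
WINDOW = 60.0

BASELINE_FLOWS = make_normal_flows(0.0, HOSTS, SERVICES, [3, 4, 5, 4, 3])
# Current period: the same normal traffic plus one constructed source sweeping 40 ports
CURRENT_FLOWS = make_normal_flows(600.0, HOSTS, SERVICES, [3, 4, 5, 4, 3]) + [
    (600.0 + p * 0.5, "10.0.0.99", "10.0.1.10", p) for p in range(1, 41)
]

if __name__ == "__main__":
    threshold, flagged = detect_recon(CURRENT_FLOWS, build_baseline(BASELINE_FLOWS, WINDOW), WINDOW)
    print(f"threshold={threshold:.1f} flagged={flagged}")
```

With the constructed baseline (3 to 5 targets per host) the statistical threshold is about 6, so the floor of 10 governs; the sweeping source reaches 40 distinct targets in its window and is the only one flagged. In practice the baseline should be rebuilt per network segment and per time of day, since a backup server or a vulnerability scanner run by the defenders will legitimately touch far more targets than a workstation.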

15 Multiple Methods of Attack Detection
Network Honeypot
– The network honeypot sends fake information to people scanning the network to try to entice attackers to access non-existent services. It identifies the attacker when they attempt to connect to the service

16 Prevention
– Drop malicious packets from the network during the detection process to ensure the attack never reaches its target "victim" (active response)
– Avoiding a TCP reset or firewall signal (passive response) ensures no time is lost and the attack does not penetrate, so no investigation is needed
– Avoids DoS attacks

