
Design Lines for a Long Term Competitive IDS Erwan Lemonnier KTH-IT / Defcom.


1 Design Lines for a Long Term Competitive IDS Erwan Lemonnier KTH-IT / Defcom

2 Thesis subject: an analysis of IDS difficulties and how to solve them. Two approaches are explored:
- Designing efficient filters
- Improving IDS architecture (MIDS)
Design Lines for a Long Term Competitive IDS - Erwan Lemonnier - 2001/10/08

3 Plan of Presentation
- Introduction to IDSs
- IDS challenges
- Solution 1: efficient filter design
- Solution 2: MIDS, an alternative IDS architecture

4 Introduction to IDSs
IDSs are programs monitoring a computer system (network, host) to detect intrusion attempts. They are typically made of a sensor, some filters, an alert-flow and a monitoring center.
[Diagram: Monitored System (host / network) -> monitored data -> Sensor -> sensor API -> Filter -> alert-flow -> Monitoring Center]

5 Sensors: host based / network based
Filters: small programs analyzing sensor data to detect intrusions.
Detection strategies:
- Signature
- Anomaly detection (protocol anomaly)
[Diagram: overlapping sets of Protocol Standard, Practical Usage and Attacks]

6 IDS Challenges
- Insertion & evasion
- Alert-flow control
- Encrypted traffic
- Learning from antiviruses
- Technical obstacles

7 Insertion & Evasion
Efficient detection theoretically implies knowledge of the monitored system's state and rules.
Despite standards, systems are implemented differently. Ex: different TCP/IP stack implementations
=> the IDS always makes some false assumptions about the monitored system's reactions
=> it is possible to shape the traffic so that the IDS accepts a packet but the monitored system does not (insertion), or the contrary (evasion)
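The slide's point that IDS and host may reconstruct the same packets differently, as an added example that is not part of the presentation: a toy TCP reassembler with two overlap policies (constructed segments, simplified models of real stacks), showing why an IDS needs target-based reassembly matched to each monitored host.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the segment's first byte
    data: bytes

def reassemble(segments, policy):
    """Rebuild a byte stream from possibly overlapping segments.

    policy "first": the byte that arrived first wins an overlap.
    policy "last":  a later segment overwrites earlier bytes.
    Real TCP/IP stacks resolve overlaps in different ways, so an IDS that
    models one policy misreads traffic bound for hosts that use another.
    Holes are padded with NUL bytes so the result length is predictable.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown reassembly policy: %r" % policy)
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            offset = seg.seq + i
            if policy == "last" or offset not in stream:
                stream[offset] = byte
    if not stream:
        return b""
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1))

def views_differ(segments, ids_policy, host_policy):
    """True when the IDS and the monitored host would reconstruct different
    data from the same packets: the precondition for insertion and evasion.
    The mitigation is target-based reassembly, i.e. configuring the IDS with
    the policy of each monitored host rather than a single global one."""
    return reassemble(segments, ids_policy) != reassemble(segments, host_policy)

# Constructed segments (not captured traffic): bytes 5..14 are sent twice
# with different contents, so the two policies yield different streams.
OVERLAP = [
    Segment(0, b"GET /"),
    Segment(5, b"index.html"),
    Segment(5, b"admin.html"),
]

if __name__ == "__main__":
    for p in ("first", "last"):
        print(p, reassemble(OVERLAP, p))
    print("IDS(first) vs host(last) differ:", views_differ(OVERLAP, "first", "last"))
```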

8 Alert-flow control challenges
- False positives: cannot be avoided; increase with traffic
- Hiding attacks: IDS evasion, alert flood, slow rate attacks, distributed attacks
=> need for intelligent alert-flow processing components

9 Encrypted Traffic
Network based IDSs can't monitor encrypted traffic.
The only known solution is a decryption proxy, but it is hard to deploy. Ex: HTTPS
[Diagram: Client <- HTTPS (HTTP/SSL) -> Decryption Proxy <- clear HTTP -> HTTP Server, with the network based IDS watching the clear HTTP side]

10 Learning from Antivirus
- Virus/antivirus is similar to attacks/IDS: similar techniques (signature, anomaly), probably similar results, but antiviruses are more mature
- Evasion race (IDS evasion, polymorphism, etc.) => need for a reactive/automated filter updating process
- Anomaly detection is effective if used together with signatures

11 Technical obstacles
- Resistance to fragmentation/insertion/evasion => efficient TCP/IP stack monitoring
- High rate traffic => load balancing

12 Solutions?
- Approach 1: improving filters
- Approach 2: alternative IDS architectures

13 Efficient filters: improve detection & alert-flow control. How?
- Mixing signature & anomaly detection: a protocol anomaly analysis engine enables efficient signature matching
- Internal caching and filtering of the alert-flow: reduces the volume of the alert-flow and allows more accurate analysis (correlation)

14 Efficient filters: Telnet filter example

15 Efficient filters: TCP filter example

16 Alternative IDS structure
IDSs are alert-flow management systems. Focus on:
- multiplying alert sources
- merging alert-flows from different sources
- processing the alert-flow intelligently

17 Suggested Architecture: Multi IDS
- multiple IDSs, host & network based
- multiple filtering techniques
- alert-flow correlation
[Diagram: Monitored System (host / network) -> monitored data -> several IDSs (snort, ISS, NFR) -> IDS alert-flows -> alert-flow merger -> correlation engine -> Monitoring Center]

18 Host based sensors: detect the host side of an attack hidden from network based IDSs (evasion, encryption, etc.)
Multiple different network based sensors: many different TCP/IP stack implementations => reduced risk of evasion/insertion
Alert-flow merging and processing:
- merging alert-flows
- shaping the alert-flow to increase its informational load
- alert correlation
- data mining
=> solves the evasion/insertion, alert-flow control & encryption problems
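The alert-flow merger and correlation engine of slides 13, 17 and 18, as an added example that is not the thesis's own code: several sensors' flows are merged into one time-ordered flow, repeats are cached away, and alerts are correlated per source, with an incident counting as confirmed when host and network based sensors both report it. Sensor names, the line format and the sample alerts are constructed; snort and nfr stand in for network based IDSs, hids for a host based one.

```python
from collections import namedtuple

SENSOR_KIND = {"snort": "network", "nfr": "network", "hids": "host"}  # constructed mapping

Alert = namedtuple("Alert", "ts sensor src dst signature")  # ts in seconds

def parse_alert(line):
    """Parse the constructed 'ts|sensor|src|dst|signature' line format."""
    ts, sensor, src, dst, sig = line.strip().split("|", 4)
    return Alert(int(ts), sensor, src, dst, sig)

def merge(lines, dedup_window=60):
    """Merge several sensors' flows into one time-ordered flow. A repeat of the same
    (src, dst, signature) within dedup_window seconds is cached away to shrink the flow."""
    alerts = sorted((parse_alert(l) for l in lines), key=lambda a: a.ts)
    last_seen, kept, dropped = {}, [], 0
    for a in alerts:
        key = (a.src, a.dst, a.signature)
        if key in last_seen and a.ts - last_seen[key] <= dedup_window:
            dropped += 1
            continue
        last_seen[key] = a.ts
        kept.append(a)
    return kept, dropped

def correlate(alerts, window=300):
    """Group a merged flow into incidents per source (alerts less than `window` seconds
    apart). Network plus host evidence marks the incident confirmed: the attack got through."""
    incidents, open_by_src = [], {}
    for a in alerts:
        inc = open_by_src.get(a.src)
        if inc is None or a.ts - inc["last"] > window:
            inc = {"src": a.src, "last": a.ts, "alerts": [], "kinds": set()}
            incidents.append(inc)
            open_by_src[a.src] = inc
        inc["last"] = a.ts
        inc["alerts"].append(a)
        inc["kinds"].add(SENSOR_KIND.get(a.sensor, "unknown"))
    for inc in incidents:
        inc["confirmed"] = {"network", "host"} <= inc["kinds"]
    return incidents

# Constructed sample flows from three sensors (not real alerts).
SAMPLE = [
    "1000|snort|10.0.0.5|10.0.0.20|WEB-CGI probe",
    "1010|nfr|10.0.0.5|10.0.0.20|WEB-CGI probe",               # second NIDS, same event
    "1030|hids|10.0.0.5|10.0.0.20|unexpected cgi-bin child process",
    "1005|snort|10.0.0.9|10.0.0.20|ICMP sweep",
    "2000|snort|10.0.0.9|10.0.0.20|ICMP sweep",                # beyond the dedup window
]
```

Running `correlate(merge(SAMPLE)[0])` yields three incidents, of which only the one from 10.0.0.5 is confirmed by both sensor kinds.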

19 Remaining problems:
- reactive/automated filter updating process => by outsourcing IDS management to a specialized entity
- alert-flow correlation: we are now working on it!
Conclusion: intelligent data and alert-flow processing is the future of IDSs.

