Intrusion Detection Systems
CS 236 On-Line MS Program, Networks and Systems Security
Peter Reiher
Lecture 13
Outline
- Introduction
- Characteristics of intrusion detection systems
- Some sample intrusion detection systems

Introduction
- Many mechanisms exist for protecting systems from intruders
  - Access control, firewalls, authentication, etc.
- They all have one common characteristic:
  - They don't always work

Intrusion Detection
- Work from the assumption that sooner or later your security measures will fail
- Try to detect the improper behavior of the intruder who has defeated your security
- Inform the system or the system administrators so that they can take action

Why Intrusion Detection?
- If we can detect bad things, can't we simply prevent them?
- Possibly not:
  - Prevention may be too expensive
  - The bad thing may consist of many separate operations, none of which is clearly wrong on its own
  - It may involve things we didn't foresee

For Example,
- Your intrusion detection system regards setting the setuid bit on root-owned executables as suspicious
  - Yet the system must allow the system administrator to do exactly that
- If the system detects several such events, it becomes suspicious
  - And reports the problem

Couldn't the System Just Have Stopped This?
- Perhaps, but:
- The real problem was that someone got root access
  - The changing of setuid bits was just a symptom
- And under some circumstances the behavior is legitimate

Intrusions
- "any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource" [1]
- Which covers a lot of ground
  - Implying they're hard to stop

[1] Heady, Luger, Maccabe, and Servilla, "The Architecture of a Network Level Intrusion Detection System," Technical Report, University of New Mexico, 1990.

Is Intrusion Really a Problem?
- Is intrusion detection worth the trouble?
- Yes, at least for some installations
- Consider the experience of NetRanger intrusion detection users

The NetRanger Data
- Gathered during 5 months of 1997
- From all of NetRanger's licensed customers
- A reliable figure, since the software reports incidents to the company
- Old, but things certainly haven't gotten any better

NetRanger's Results
- 556,464 security alarms in 5 months
- Some serious, some not
  - "Serious" defined as attempting to gain unauthorized access
- For NetRanger customers, serious attacks occurred 0.5 to 5 times per month
  - Electronic commerce sites were hit most

Kinds of Attacks Seen
- Often occurred in waves
  - When someone published code for a particular attack, it happened a lot
  - Because of "script kiddies" running the published code
- 100% of web attacks were on web commerce sites

Where Did Attacks Come From?
- Just about everywhere
- 48% from ISPs
- But also attacks from major companies, business partners, government sites, universities, etc.
- 39% from outside the US
  - Based only on the source IP address, though, which says little about where the attacker actually sits

What's Happening Today?
- More of the same
- But motivated by criminals
  - Who have discovered how to make money from cybercrime
- Most aren't sophisticated
  - But they can buy powerful hacking tools
  - Such tools are becoming a commodity market

Kinds of Intrusions
- External intrusions
- Internal intrusions

External Intrusions
- What most people think of
- An unauthorized (usually remote) user trying to illicitly access your system
- Using various security vulnerabilities to break in
- The typical case of a hacker attack

Internal Intrusions
- An authorized user trying to gain privileges beyond those he is entitled to
- No longer the majority of problems
  - But often the most serious ones
- More dangerous, because insiders already have a foothold and know more about the system

New Information
- From the 2010 Verizon Data Breach Investigations Report [1]
- Combines Verizon data with US Secret Service data
- Indicates external breaches are still the most common
- But insiders were a component in 48% of all cases
  - Some involved both insiders and outsiders

[1] data-breach-report_en_xg.pdf

Basics of Intrusion Detection
- Watch what's going on in the system
- Try to detect behavior that characterizes intruders
- While avoiding improper detection of legitimate access
- At a reasonable cost

Intrusion Detection and Logging
- A natural match
- The intrusion detection system examines the log
  - Which is being kept anyway
- Secondary benefit: the intrusion detection system can also be used to reduce the log, keeping only the entries that matter
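The setuid scenario from the earlier slides, run the way a log-driven host IDS would run it. This is an added example written for this page, not code from the lecture or from any real IDS; the audit-line format, the threshold of three grants within five minutes, and the log lines themselves are all constructed for illustration. A single administrator granting setuid on a root-owned file is recorded but tolerated; a burst of such grants by one actor raises an alert. The reduced list of grants is also the "reduced log" the slide mentions: the handful of records worth keeping out of the full chmod stream.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-style log lines in a hypothetical format (not the output of
# any real auditing tool): timestamp, acting uid, event, target path, old and
# new permission bits (octal), and the file's owner uid.
SAMPLE_LOG = """\
2024-03-01T10:00:01 uid=0 chmod path=/usr/bin/passwd old=4755 new=4755 owner=0
2024-03-01T10:00:05 uid=0 chmod path=/usr/local/bin/backup old=0755 new=4755 owner=0
2024-03-01T11:42:10 uid=1001 chmod path=/home/bob/notes.txt old=0644 new=0600 owner=1001
2024-03-01T23:10:00 uid=0 chmod path=/tmp/.x/sh old=0755 new=4755 owner=0
2024-03-01T23:10:02 uid=0 chmod path=/usr/bin/find old=0755 new=4755 owner=0
2024-03-01T23:10:04 uid=0 chmod path=/usr/bin/vim old=0755 new=4755 owner=0
2024-03-01T23:10:07 uid=0 chmod path=/usr/bin/nmap old=0755 new=4755 owner=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<actor>\d+) chmod path=(?P<path>\S+) "
    r"old=(?P<old>[0-7]+) new=(?P<new>[0-7]+) owner=(?P<owner>\d+)$"
)
SETUID = 0o4000


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not a chmod record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "actor": int(m["actor"]),
        "path": m["path"],
        "old": int(m["old"], 8),
        "new": int(m["new"], 8),
        "owner": int(m["owner"]),
    }


def is_setuid_grant(ev):
    """True when the change newly sets the setuid bit on a root-owned file."""
    return ev["owner"] == 0 and not (ev["old"] & SETUID) and bool(ev["new"] & SETUID)


def find_bursts(grants, threshold=3, window=timedelta(minutes=5)):
    """Alert when one actor performs `threshold` or more grants within `window`.
    One alert is opened per burst and extended while the burst continues."""
    alerts, recent, open_alert = [], defaultdict(list), {}
    for ev in sorted(grants, key=lambda e: e["ts"]):
        actor = ev["actor"]
        hist = recent[actor]
        hist.append(ev)
        while ev["ts"] - hist[0]["ts"] > window:   # expire events outside the window
            hist.pop(0)
        if len(hist) < threshold:
            open_alert.pop(actor, None)           # the burst, if any, is over
            continue
        if actor not in open_alert:
            alert = {"actor": actor, "start": hist[0]["ts"],
                     "paths": [e["path"] for e in hist]}
            alerts.append(alert)
            open_alert[actor] = alert
        else:
            open_alert[actor]["paths"].append(ev["path"])
    return alerts


def analyze(log_text, threshold=3, window=timedelta(minutes=5)):
    """Reduce the raw log to setuid grants, then look for suspicious bursts."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    grants = [e for e in events if is_setuid_grant(e)]
    return {
        "lines": len(events),
        "grants": grants,                 # the reduced log worth keeping
        "alerts": find_bursts(grants, threshold, window),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{result['lines']} chmod records, {len(result['grants'])} setuid grants kept")
    for a in result["alerts"]:
        print(f"ALERT uid={a['actor']} from {a['start']}: "
              f"{len(a['paths'])} setuid grants: {a['paths']}")
```

On the sample, the lone 10:00 grant on the backup tool is kept in the reduced log but raises nothing, while the four grants at 23:10 produce one alert that names all four paths. The threshold and window are the tunable part: set them too low and routine administration becomes a false positive, too high and a careful intruder who spaces out the changes becomes a false negative.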

On-Line vs. Off-Line Intrusion Detection
- Intrusion detection mechanisms can be complicated and heavyweight
- Perhaps better to run them off-line
  - E.g., at night, over the day's logs
- Disadvantage is that you don't catch intrusions as they happen

Failures in Intrusion Detection
- False positives
  - Legitimate activity identified as an intrusion
- False negatives
  - An intrusion not noticed
- Subversion errors
  - Attacks on the intrusion detection system itself, so that it misses or misreports intrusions

Desired Characteristics in Intrusion Detection
- Continuously running
- Fault tolerant
- Subversion resistant
- Minimal overhead
- Must observe deviations
- Easily tailorable
- Evolving
- Difficult to fool

Host Intrusion Detection
- Run the intrusion detection system on a single computer
- Look for problems only on that computer
- Often by examining the logs of that computer

Advantages of the Host Approach
- Lots of information to work with
- Only need to deal with problems on one machine
- Can get information in a readily understandable form

Network Intrusion Detection
- Do the same for a local (or wide) area network
- Either by using distributed systems techniques
- Or (more commonly) by sniffing network traffic

Advantages of the Network Approach
- Need not use up any resources on users' machines
- Easier to properly configure for large installations
- Can observe things affecting multiple machines

Network Intrusion Detection and Data Volume
- Lots of information passes on the network
- If you grab it all, you will produce vast amounts of data
- Which will require vast amounts of time to process

Network Intrusion Detection and Sensors
- Use programs called sensors to grab only the relevant data
- Sensors quickly examine network traffic
  - Record the relevant stuff
  - Discard the rest
- If you design the sensors right, this greatly reduces the data volume problem
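A sensor plus a detector, to make the data-volume point of the last two slides concrete. This is an added example for this page, not code from the lecture or from any real network IDS; the packet summaries are constructed (one legitimate HTTPS session and one host probing five ports), and the sensor's notion of "relevant" (a bare SYN, i.e. a new connection attempt) and the scan threshold of five distinct ports in ten seconds are assumptions chosen for illustration. The sensor keeps only the fields the detector needs, so the bulk of the traffic, the data segments of the established session, never reaches the analysis stage.

```python
from collections import defaultdict

# Constructed packet summaries (not a real capture): (time_s, src, dst, dst_port,
# tcp_flags, payload_bytes). One legitimate HTTPS session carrying 50 data
# segments, then a remote host probing five ports on the same server.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.20", 443, "S", 0),
    (0.01, "10.0.0.20", "10.0.0.5", 51000, "SA", 0),
    (0.02, "10.0.0.5", "10.0.0.20", 443, "A", 0),
] + [
    (0.10 + i * 0.01, "10.0.0.5", "10.0.0.20", 443, "PA", 1400) for i in range(50)
] + [
    (5.00 + i * 0.01, "198.51.100.7", "10.0.0.20", port, "S", 0)
    for i, port in enumerate([22, 23, 80, 3306, 8080])
]


def is_connection_attempt(flags):
    """A bare SYN (no ACK) is a new connection attempt; everything else is
    established-flow traffic this sensor discards."""
    return "S" in flags and "A" not in flags


def sensor(packets, interesting=is_connection_attempt):
    """Keep only the fields of the packets the detector needs; drop the rest."""
    return [(ts, src, dst, dport)
            for ts, src, dst, dport, flags, _payload in packets
            if interesting(flags)]


def volume_bytes(packets, header_bytes=54):
    """Rough on-the-wire volume: Ethernet + IP + TCP headers plus payload."""
    return sum(header_bytes + p[5] for p in packets)


def detect_scans(records, threshold=5, window=10.0):
    """Flag a source that tries `threshold` distinct ports on one destination
    within `window` seconds (a port scan). One alert per (src, dst) pair."""
    history, alerts, alerted = defaultdict(list), [], set()
    for ts, src, dst, dport in sorted(records):
        key = (src, dst)
        hist = history[key]
        hist.append((ts, dport))
        while ts - hist[0][0] > window:          # expire old attempts
            hist.pop(0)
        ports = sorted({p for _, p in hist})
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst, "ports": ports, "first": hist[0][0]})
    return alerts


if __name__ == "__main__":
    kept = sensor(SAMPLE_PACKETS)
    print(f"{len(SAMPLE_PACKETS)} packets / {volume_bytes(SAMPLE_PACKETS)} bytes seen, "
          f"{len(kept)} records retained for analysis")
    for a in detect_scans(kept):
        print(f"ALERT {a['src']} -> {a['dst']} probed ports {a['ports']} "
              f"starting at t={a['first']}s")
```

Of 58 packets (about 73 KB on the wire) the sensor retains six four-field records, and the detector still sees everything it needs to report the scan from 198.51.100.7. The trade-off is the one the slides describe: whatever the sensor discards is invisible to the detector, so an attack carried entirely inside an established connection's payload is a false negative for this particular sensor design.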

Wireless IDS
- Observe the behavior of the wireless network generally
- Look for problems specific to that environment
  - E.g., attempts to crack WEP keys
- Usually doesn't understand the higher network protocol layers
  - And so doesn't see attacks on them