Intrusion Detection Systems
CSCE 522 - Eastman/Farkas - Fall 2005

Overview of Topics Discussed in Text
- Security threat analysis
- Design and implementation
- Architecture
- Encryption
- Strong authentication
- Access controls (such as firewalls)
- Alarms and alerts (such as IDS)
- Honeypots
- Traffic flow security

Intrusion Control
- Prevent unauthorized users from accessing the system
- Prevent damage from unauthorized users
- Repair damage from unauthorized users

Need:
- Intrusion prevention: protect system resources
- Intrusion detection (second line of defense): discriminate intrusion attempts from normal system usage
- Intrusion recovery: cost-effective recovery models

It is better to prevent something than to plan for loss.

Misuse Prevention
- Prevention techniques: first line of defense
- Secure local and network resources
- Techniques: cryptography, identification, authentication, authorization, access control, security filters, etc.

Problem: Losses occur!

Contributing Factors for Misuse
- Many security flaws in systems
- Secure systems are expensive
- Secure systems are not user-friendly
- "Secure systems" still have flaws
- Insider threat
- Hackers' skills and tools improve

Why Intrusion Detection?
- Second line of defense
- Deter intruders
- Catch intruders
- Prevent threats from occurring (real-time IDS)
- Improve prevention/detection techniques

Intrusion Detection Milestones
- 1980: Deviation from historical system usage (Anderson)
- 1987: Framework for a general-purpose intrusion detection system (Denning)
- 1988: Intrusion detection research splits
  - Attack-signature-based detection (MIDAS)
  - Anomaly-based detection (IDES)

Intrusion Detection Milestones
- Early 1990s: Commercial installations
  - IDES, NIDES (SRI)
  - Haystack, Stalker (Haystack Laboratory Inc.)
  - Distributed Intrusion Detection System (Air Force)
- Late 1990s - today:
  - Integration of audit sources
  - Network-based intrusion detection
  - Hybrid models
  - Immune-system-based IDS

Terminology
- Audit: activity of looking at user/system behavior, its effects, or the collected data
- Profiling: looking at users or systems to determine what they usually do
- Anomaly: abnormal behavior

More Terminology
- Misuse: activity that violates the security policy
- Outsider: someone without access rights to the system
- Insider: someone with access rights to the system
- Intrusion: misuse by outsiders and insiders

Phases of Intrusion
- Intelligence gathering: attacker observes the system to determine vulnerabilities
- Planning: attacker decides what resource to attack (usually the least defended component)
- Attack: attacker carries out the plan
- Hiding: attacker covers the tracks of the attack
- Future attacks: attacker installs backdoors as future entry points

Real-time Intrusion Detection
Advantages:
- May detect intrusions in early stages
- May limit damage
Disadvantages:
- May slow down system performance
- Trade-off between speed of processing and accuracy
- Hard to detect partial attacks

Off-line Intrusion Detection
Advantages:
- Able to analyze large amounts of data
- Higher accuracy than real-time ID
Disadvantages:
- Mostly detects intrusions after they have occurred

Audit Data
- Format, granularity and completeness depend on the collecting tool
- Examples:
  - System tools collect data (login, mail)
  - Additional collection at low system level
  - "Sniffers" as network probes
  - Application auditing
- Needed for:
  - Establishing guilt of attackers
  - Detecting subversive user activity

Audit-Based Intrusion Detection
(Diagram: Audit Data -> Intrusion Detection System, which holds Profiles, Rules, etc. -> Decision)
Need:
- Audit data
- Ability to characterize behavior

Anomaly versus Misuse
(2x2 matrix on the slide: rows are what the activity looks like, columns are what it actually is)

|                                    | Non-intrusive use                                        | Intrusive use                                             |
| Looks like NORMAL behavior         |                                                          | False negative: non-anomalous but intrusive activities    |
| Does NOT look like NORMAL behavior | False positive: non-intrusive but anomalous activities   |                                                           |

False Positives
- False positive: non-intrusive but anomalous activity
- Security policy is not violated
- Causes unnecessary interruption
- May cause users to become dissatisfied

False Negatives
- False negative: non-anomalous but intrusive activity
- Security policy is violated
- Undetected intrusion

Intrusion Detection Techniques
- Anomaly detection
- Misuse detection
- Hybrid misuse/anomaly detection
- Immune-system-based IDS

Rules and Profiles
- How do you know what is anomalous? First define what is normal.
- Statistical techniques
- Rule-based techniques

Two Kinds of Detection
- Anomaly-based: standards for normal behavior. Warning when a deviation is detected.
- Misuse-based: standards for misuse. Warning when phases of an identified attack are detected.

Statistical Techniques
- Collect usage data and analyze it statistically
- Good for both anomaly-based and misuse-based detection
- Threshold detection, e.g., number of failed logins, number of accesses to resources, size of downloaded files, etc.

Rule-based Techniques
- Define rules to describe normal behavior or known attacks
- Good for both anomaly-based and misuse-based detection

Anomaly Detection
- Assume that all intrusive activities are necessarily anomalous => flag all system states that vary from a "normal activity profile".

Anomaly Detection Techniques
- Selection of features to monitor
- Good threshold levels to prevent false positives and false negatives
- Efficient method for keeping track of and updating system profile metrics
(Diagram: Audit Data is compared against the System Profile; a Deviation leads to Attack State; the profile is maintained by Update Profile and Generate New Profile)

Misuse Detection Techniques
- Represent attacks in the form of a pattern or a signature (variations of the same attack can be detected)
- Problem! Cannot represent new attacks

Misuse Detection Techniques
- Expert systems
- Model-based reasoning
- State transition analysis
- Neural networks
(Diagram: Audit Data and the System Profile feed a Rule Match, with Timing Information, that leads to Attack State; rules are maintained by Modify Rules and Add New Rules)

Hybrid Detection
- Anomaly and misuse detection approaches together
- Examples:
  - Browsing using "nuclear" is not misuse but might be anomalous
  - An administrator accessing sensitive files is not anomalous but might be misuse

Immune System Based ID
- Detect intrusions by identifying suspicious changes in system-wide activities
- System health factors: performance, use of system resources
- Need to identify system-wide measurements

Immune System IDS Features
Principal features of the human immune system that are relevant to constructing robust computer systems:
- Multi-layered protection
- Distributed detection
- Diversity of detection
- Inexact matching ability
- Detection of previously unseen attacks

Intrusion Types
- Doorknob rattling
- Masquerade attacks
- Diversionary attack
- Coordinated attacks
- Chaining
- Loop-back

Doorknob Rattling
- Attack on activity that can be audited by the system (e.g., password guessing)
- Number of attempts is lower than the threshold
- Attacks continue until all targets are covered or access is gained
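The threshold detection described under Statistical Techniques (failed-login counts) and the doorknob-rattling slide above are two sides of one detection problem, so one added example serves both. This code is not from the lecture; the log format, host names and addresses are constructed for the example. It parses sshd-style failed-password lines, raises the plain per-host alert when one source exceeds the per-host threshold, and separately aggregates each source's failures across every host so that a source that stays just under the threshold on each machine while walking the whole estate still becomes visible.

```python
import re
from collections import defaultdict

# Constructed authentication failures (not data from the lecture). Sources:
#   10.0.0.5   hammers one host: 6 failures on web1, above the per-host threshold
#   10.0.0.9   doorknob rattling: 3 failures on each of four hosts, never above the
#              per-host threshold, but 12 failures in total across the estate
#   10.0.0.20  a legitimate user mistyping a password twice
CONSTRUCTED_ATTEMPTS = [
    ("10.0.0.5", "web1", 6),
    ("10.0.0.9", "web1", 3), ("10.0.0.9", "web2", 3),
    ("10.0.0.9", "web3", 3), ("10.0.0.9", "db1", 3),
    ("10.0.0.20", "web1", 2),
]


def make_log():
    """Expand the table above into syslog-style lines in the constructed format."""
    lines = []
    second = 0
    for src, host, count in CONSTRUCTED_ATTEMPTS:
        for _ in range(count):
            second += 1
            lines.append(f"Oct  3 09:12:{second:02d} {host} sshd[4242]: "
                         f"Failed password for admin from {src} port 50000 ssh2")
    return lines


# Matches the constructed line format: timestamp, host, sshd[pid], failed password.
FAILED_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse_failures(lines):
    """Return a (host, src) pair for every failed-login line; other lines are ignored."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            events.append((m.group("host"), m.group("src")))
    return events


def per_host_alerts(events, threshold=5):
    """Plain threshold detection: a source with >= threshold failures on one host."""
    counts = defaultdict(int)
    for host, src in events:
        counts[(host, src)] += 1
    return sorted(key for key, n in counts.items() if n >= threshold)


def doorknob_alerts(events, per_host_threshold=5, total_threshold=8):
    """Sources that stay under the per-host threshold on every host but whose
    failures summed over all hosts reach a global threshold."""
    per_host = defaultdict(int)
    for host, src in events:
        per_host[(host, src)] += 1
    totals = defaultdict(int)
    over_per_host = set()
    for (host, src), n in per_host.items():
        totals[src] += n
        if n >= per_host_threshold:
            over_per_host.add(src)
    return sorted(src for src, n in totals.items()
                  if n >= total_threshold and src not in over_per_host)


if __name__ == "__main__":
    events = parse_failures(make_log())
    print("per-host threshold alerts:", per_host_alerts(events))
    print("doorknob rattling alerts:", doorknob_alerts(events))
```

The cross-host aggregation only works if the audit data from every target is collected in one place, which is the "integration of audit sources" milestone on an earlier slide; a detector that sees one host at a time cannot distinguish the rattling source from the legitimate user.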

Masquerading
(Diagram: Attacker -> Login as X -> Target 1 -> Change identity: "I'm Y" -> Login as Y -> Target 2; Y is a legitimate user)
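The masquerade chain in the diagram (login as X on Target 1, change identity to Y, log in to Target 2 as Y) is a natural case for the state transition analysis listed among the misuse detection techniques. The following is an added example, not code from the lecture: a small state-transition matcher in which a signature is a list of audit-event steps with variables ("$X", "$T1", ...) that are bound on first use and must agree afterwards, plus a time window standing in for the slide's "timing information". The audit records and host names are constructed for the example.

```python
# Constructed audit events in time order (seconds). Not from the lecture.
EVENTS = [
    {"t": 100, "type": "login", "user": "alice", "src": "198.51.100.7", "host": "ws1"},
    {"t": 130, "type": "identity_change", "host": "ws1", "from": "alice", "to": "bob"},
    {"t": 170, "type": "login", "user": "bob", "src": "ws1", "host": "fileserver"},
    {"t": 200, "type": "login", "user": "carol", "src": "198.51.100.8", "host": "ws2"},
    {"t": 260, "type": "identity_change", "host": "ws2", "from": "carol", "to": "root"},
    {"t": 1000, "type": "login", "user": "root", "src": "ws2", "host": "fileserver"},
]

# The masquerade chain from the slide as a state-transition signature. Values beginning
# with "$" are variables: bound by the first step that sees them, checked afterwards.
MASQUERADE = [
    ("login", {"user": "$X", "host": "$T1"}),
    ("identity_change", {"host": "$T1", "from": "$X", "to": "$Y"}),
    ("login", {"user": "$Y", "src": "$T1", "host": "$T2"}),
]


def match_step(step, event, bindings):
    """Return extended bindings if `event` satisfies `step`, else None."""
    etype, fields = step
    if event["type"] != etype:
        return None
    new = dict(bindings)
    for field, pattern in fields.items():
        if field not in event:
            return None
        if pattern.startswith("$"):
            var = pattern[1:]
            if var in new and new[var] != event[field]:
                return None
            new[var] = event[field]
        elif event[field] != pattern:
            return None
    return new


def detect(signature, events, window):
    """Run events through the signature's states and report every completed chain.

    A partial match is (index of the next step, bindings, time of its first event).
    A chain must complete within `window` seconds of its first event; older partial
    matches are discarded, which also bounds the matcher's memory.
    """
    partials = []
    alerts = []
    for event in sorted(events, key=lambda e: e["t"]):
        partials = [p for p in partials if event["t"] - p[2] <= window]
        advanced = []
        # Every event may advance an existing partial match or start a new one.
        for idx, bindings, t0 in partials + [(0, {}, event["t"])]:
            new = match_step(signature[idx], event, bindings)
            if new is None:
                continue
            if idx + 1 == len(signature):
                alerts.append(dict(new, start=t0, end=event["t"]))
            else:
                advanced.append((idx + 1, new, t0))
        partials.extend(advanced)
    return alerts


if __name__ == "__main__":
    for alert in detect(MASQUERADE, EVENTS, window=600):
        print(f"masquerade: {alert['X']} became {alert['Y']} on {alert['T1']} "
              f"and reached {alert['T2']} ({alert['start']}s-{alert['end']}s)")
```

With a 600-second window only the alice-to-bob chain fires; carol's identity change followed by a root login 800 seconds later is dropped by the timing constraint, and would be reported again if the window were widened. The variable binding is what makes the signature catch "variations of the same attack": it does not name any particular user or host, only the relationship between the three events.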

Diversionary Attack
- Create a diversion to draw attention away from the real target
(Diagram: fake attacks and the real attack directed at TARGET)

Coordinated Attacks
- Compromise systems to attack the target
- Multiple attack sources, maybe over an extended period of time
(Diagram: Attacker -> compromised systems -> Target)

Chaining
- Move from place to place
- To hide origin and make tracing more difficult
(Diagram: Attacker -> intermediate systems -> Target)

Intrusion Recovery
- Actions to avoid further loss from the intrusion
- Terminate the intrusion and protect against recurrence
- Reconstructive methods based on:
  - Time period of the intrusion
  - Changes made by legitimate users during the affected period
- Regular backups, audit-trail-based detection of affected components, semantic-based recovery, minimal roll-back for recovery
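The last slide names the inputs to a recovery plan (time period of the intrusion, legitimate changes during that period, backups, the audit trail) without showing how they combine. The following is an added example, not code from the lecture, of the minimal roll-back idea: given a constructed audit trail of writes, the last good backup time, the intrusion window and the account the intruder used, it marks every object the intruder wrote, propagates taint to objects that were later computed from tainted ones, and splits the result into objects to restore from backup, objects whose changes can be kept, and clean legitimate writes that must be replayed after the restore. The trail, paths and account name are all constructed.

```python
from dataclasses import dataclass


@dataclass
class Write:
    t: int
    actor: str
    obj: str
    reads: tuple = ()   # objects read while producing this write (dependency info)


# Constructed audit trail (not from the lecture). Last good backup at t=0; the intrusion
# was determined to span t=100..200 and used the account "svc_deploy".
TRAIL = [
    Write(50, "alice", "/srv/app/config.yml"),
    Write(120, "svc_deploy", "/etc/cron.d/nightly"),
    Write(130, "bob", "/home/bob/notes.txt"),
    Write(150, "svc_deploy", "/srv/app/config.yml"),
    Write(160, "alice", "/srv/app/report.csv", reads=("/srv/app/config.yml",)),
    Write(180, "bob", "/home/bob/notes.txt", reads=("/home/bob/notes.txt",)),
]


def plan_recovery(trail, backup_t, start, end, intruder_accounts):
    """Minimal roll-back plan from the audit trail.

    An object is tainted if the intruder wrote it inside the intrusion window, or if
    any later write to it read a tainted object (semantic dependency). Taint is never
    cleared by a later write: a conservative choice, since the audit record cannot
    prove that the later write replaced all tainted content.
    """
    tainted = set()
    clean_writes = []
    for w in sorted(trail, key=lambda w: w.t):
        by_intruder = w.actor in intruder_accounts and start <= w.t <= end
        if by_intruder or tainted.intersection(w.reads):
            tainted.add(w.obj)
        else:
            clean_writes.append(w)
    touched_in_window = {w.obj for w in trail if start <= w.t <= end}
    return {
        # restore these from the backup taken at backup_t
        "restore": sorted(tainted),
        # legitimate changes made during the window that need no roll-back
        "keep": sorted(touched_in_window - tainted),
        # clean writes lost by the restore, to be re-applied in time order
        "replay": [w for w in clean_writes if w.obj in tainted and w.t >= backup_t],
    }


if __name__ == "__main__":
    plan = plan_recovery(TRAIL, backup_t=0, start=100, end=200,
                         intruder_accounts={"svc_deploy"})
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Two things the example makes visible: the report written by alice at t=160 is rolled back even though alice is a legitimate user, because it was derived from the configuration file the intruder had already altered; and bob's notes are left alone, which is the saving over restoring the whole system. The plan is only as good as the intrusion window and the intruder account list fed into it, which is why the slides put audit-trail-based detection of affected components ahead of recovery.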