CONTEXT-BASED INTRUSION DETECTION USING SNORT, NESSUS AND BUGTRAQ DATABASES Presented by Frédéric Massicotte Communications Research Centre Canada Department.

Presentation transcript:

CONTEXT-BASED INTRUSION DETECTION USING SNORT, NESSUS AND BUGTRAQ DATABASES Presented by Frédéric Massicotte Communications Research Centre Canada Department of Systems and Computer Engineering, Carleton University Privacy, Security and Trust October 2005

Motivations
- Current IDS problems
  - Some IDS do not provide a declarative rule specification language, which makes attack scenarios difficult to verify, compare and update.
  - Many IDS rely only on one packet or one TCP stream to identify intrusions, so more complex attacks need to be programmed (two specification systems), which leads to false negatives and false positives.
  - Intrusion signatures do not include a precise network context, which increases the number of false positives (session state is not enough).
- IDS functionality needed
  - The IDS signature language should be a declarative rule specification language, be independent of the monitoring engine, enable multi-packet rules, specify network-context gathering other than alarms and session states, and be used on well-defined models (Packet Model and Network Model).
  - The IDS monitoring engine should be multi-packet and maintain a network-context knowledge base.

Our Contributions
- A multi-packet monitoring engine
- A declarative rule specification language that uses the Object Constraint Language (OCL)
- A formal packet model and a formal network model
- A library of passive information gathering rules to acquire the network context
- Missing:
  - A library of intrusion detection rules with network context
  - Proof that these rules can be used to reduce the number of false positives
  - A study of the correlation potential and accuracy of freely available security databases

[Figure: architecture overview. Rule Specification (OCL) is evaluated against the Packet Stream Model and the Network Model; input: packet, output: alarm.]

Network Model

IDS Rules with Network Context

  Packet characteristics:
    p1.data.match("/^STAT\s+[^\n]*\x3f/smi") and
    p1.tcp.destinationPort = 21 and
  Session state:
    Session::sessionOpen(p1.ip.sourceAddress, p1.ip.destinationAddress,
                         p1.tcp.sourcePort, p1.tcp.destinationPort) and
  Proper network context:
    (IPStack::hasDaemonOnPort(p1.ip.destinationAddress, p1.tcp.destinationPort,
                              Port.TCP, "IIS", "5.0") or
     IPStack::hasDaemonOnPort(p1.ip.destinationAddress, p1.tcp.destinationPort,
                              Port.TCP, "IIS", "5.1"))

IDS Rules with Network Context (relationship between Snort (IDS), Nessus (VDS) and Bugtraq (VDB))

  IDS rule (the part a Snort signature expresses):
    p1.data.match("/^STAT\s+[^\n]*\x3f/smi") and
    p1.tcp.destinationPort = 21 and
    Session::sessionOpen(p1.ip.sourceAddress, p1.ip.destinationAddress,
                         p1.tcp.sourcePort, p1.tcp.destinationPort)
  with network context:
    (IPStack::hasDaemonOnPort(p1.ip.destinationAddress, p1.tcp.destinationPort,
                              Port.TCP, "IIS", "5.0") or
     IPStack::hasDaemonOnPort(p1.ip.destinationAddress, p1.tcp.destinationPort,
                              Port.TCP, "IIS", "5.1"))
  Passive information gathering rule that populates the context (truncated on the slide):
    context Packet inv: Packet.allInstances()->forAll(p1 |
      p1.data.match("Microsoft IIS 5.0") and p1.tcp.destinationPort = 80 and ...
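To show what the network context adds, the following added example (not the authors' engine) re-expresses the OCL rule above as Python predicates over a constructed packet model and network model; the Packet and NetworkModel classes, the sample hosts and the payloads are all assumptions made up for the example.

```python
import re
from dataclasses import dataclass, field

# Added example: the slide's OCL rule as Python predicates over a constructed
# packet model and network model (assumed structures, not the authors' engine).
# The slide's regex flags s, m, i map to re.S, re.M, re.I.
STAT_RE = re.compile(rb"^STAT\s+[^\n]*\x3f", re.S | re.M | re.I)

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    data: bytes

@dataclass
class NetworkModel:
    daemons: dict = field(default_factory=dict)  # (host, port, proto) -> (name, version)
    sessions: set = field(default_factory=set)   # open TCP sessions as 4-tuples
    def session_open(self, p):
        return (p.src, p.dst, p.sport, p.dport) in self.sessions
    def has_daemon_on_port(self, host, port, proto, name, version):
        return self.daemons.get((host, port, proto)) == (name, version)

def packet_matches(p):
    """Packet characteristics only: what a single-packet signature can check."""
    return p.dport == 21 and STAT_RE.search(p.data) is not None

def rule_with_context(p, net):
    """Packet characteristics + session state + network context (IIS 5.0/5.1)."""
    return (packet_matches(p) and net.session_open(p)
            and (net.has_daemon_on_port(p.dst, p.dport, "TCP", "IIS", "5.0")
                 or net.has_daemon_on_port(p.dst, p.dport, "TCP", "IIS", "5.1")))

# Constructed sample: one IIS 5.0 FTP server, one non-IIS FTP server, the same
# STAT payload sent to both, and a third packet that belongs to no open session.
NET = NetworkModel(
    daemons={("10.0.0.5", 21, "TCP"): ("IIS", "5.0"),
             ("10.0.0.9", 21, "TCP"): ("vsftpd", "2.0")},
    sessions={("10.0.0.1", "10.0.0.5", 40000, 21),
              ("10.0.0.1", "10.0.0.9", 40001, 21)})
PACKETS = [
    Packet("10.0.0.1", "10.0.0.5", 40000, 21, b"STAT *?*?*?*?\r\n"),
    Packet("10.0.0.1", "10.0.0.9", 40001, 21, b"STAT *?*?*?*?\r\n"),
    Packet("10.0.0.7", "10.0.0.5", 40002, 21, b"STAT *?*?\r\n"),
]

def count_alerts(packets, net):
    """Return (alerts from packet characteristics alone, alerts with context)."""
    return (sum(packet_matches(p) for p in packets),
            sum(rule_with_context(p, net) for p in packets))
```

On the constructed traffic the packet-only check fires three times, while the context-aware rule fires only for the packet that reaches an IIS 5.0 FTP daemon inside an open session.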

Snort References

Group 1: Direct and Indirect [Figure: references between Bugtraq (VDB), Nessus (VDS) and Snort (IDS)]

Group 2: Incomplete but Inferable [Figure: references between Bugtraq (VDB), Nessus (VDS) and Snort (IDS)]


Group 3: Incomplete and Non-Inferable [Figure: references between Bugtraq (VDB), Nessus (VDS) and Snort (IDS)]

Group 4: No Reference [Figure: references between Bugtraq (VDB), Nessus (VDS) and Snort (IDS)]


Results of Relationship Analysis
- Only 16% of the Snort rules have references to both Bugtraq and Nessus.
  - Only 11.4% have the same set of Bugtraq references whether we use the Snort to Bugtraq references or the Snort to Nessus to Bugtraq references.
  - 29% of the Group 1 Snort rules present discrepancies, depending on whether the direct or the indirect relationship to Bugtraq is used.
  - 6% of Group 1 seem to refer to different Bugtraq vulnerabilities.
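The direct-versus-indirect comparison behind these numbers, as an added example that is not part of the presentation: the reference tables are constructed sample data, not the real Snort or Nessus databases, and "discrepancy" (sets differ but overlap) versus "different vulnerability" (sets are disjoint) is this example's own reading of the slide's wording.

```python
# Constructed sample data (assumed shapes; not the real Snort/Nessus databases).
# Snort rule sid -> Bugtraq ids referenced directly and Nessus plugin ids referenced.
SNORT_RULES = {
    1001: {"bugtraq": {1234}, "nessus": {10001}},   # direct set == indirect set
    1002: {"bugtraq": {2222}, "nessus": {10002}},   # indirect path adds an id
    1003: {"bugtraq": {3333}, "nessus": {10003}},   # disjoint: different vulnerability
    1004: {"bugtraq": set(), "nessus": set()},      # no references at all
    1005: {"bugtraq": set(), "nessus": {10001}},    # only the indirect path exists
}
# Nessus plugin id -> Bugtraq ids the plugin references.
NESSUS_PLUGINS = {10001: {1234}, 10002: {2222, 2223}, 10003: {9999}}

def indirect_bugtraq(rule):
    """Bugtraq ids reached via Snort -> Nessus -> Bugtraq."""
    ids = set()
    for plugin in rule["nessus"]:
        ids |= NESSUS_PLUGINS.get(plugin, set())
    return ids

def classify(sid):
    """Compare the direct Snort -> Bugtraq set with the indirect set."""
    rule = SNORT_RULES[sid]
    direct, indirect = rule["bugtraq"], indirect_bugtraq(rule)
    if not direct and not indirect:
        return "group4-no-reference"
    if direct and indirect:                      # Group 1: both paths present
        if direct == indirect:
            return "group1-consistent"
        if direct & indirect:
            return "group1-discrepancy"           # assumed reading: sets overlap but differ
        return "group1-different-vulnerability"  # assumed reading: sets are disjoint
    # Only one path exists; the slides split this into Groups 2 and 3, whose
    # exact criterion is not stated on the page, so it is left undivided here.
    return "incomplete"

def summary():
    """Count rules per class, the shape of the percentages on the slide."""
    counts = {}
    for sid in SNORT_RULES:
        label = classify(sid)
        counts[label] = counts.get(label, 0) + 1
    return counts
```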

Results
- Built a library of small IDS rules with network context using Group 1 Snort rules
- Tested 20 attack programs against 12 systems
  - Reduced the number of false positives compared to Snort
  - Showed that network context is important to reduce false positives

Test Cases [Figure: test bed with Attacker 1 and Attacker 2 launching attacks through Snort against target systems (Linux, GB, OS X, Sun 4.x); PNMT; attack results stored in Oracle and compared.]

Conclusion
- The relationships between Snort IDS signatures, Nessus and Bugtraq still need to be improved.
- Correlation systems using events from these systems only use a small proportion of the relationship potential.
- For the small number of Snort rules that provide accurate relationships, network context is important to reduce false positives.
- Future work on IDS rules:
  - Test more context-based intrusion detection rules
  - Continue the development of a virtual exploit testing network
  - Test rules to identify more complex attacks such as DDoS and network discovery techniques

Questions