How to Evaluate Network Intrusion Detection Systems?
Information Networking Security and Assurance Lab, National Chung Cheng University


Outline
- Published IDS evaluations
- IDS Comparisons
  - NSS IDS Group Test
  - Carnegie Mellon Software Engineering Institute
  - Massachusetts Institute of Technology
- IDS Evaluation Methodologies
  - NFR Security
  - University of California, Davis
- Criteria for Evaluating Network Intrusion Detection Systems

Published IDS evaluations
Evaluation: determination of the level to which a particular IDS meets specified performance targets.
Comparison: a process of comparing two or more systems in order to differentiate between them.
The majority of published documents claiming to evaluate IDSs are conducted as comparisons rather than evaluations.

IDS Comparisons (1/3)
The NSS Group (2001). Intrusion Detection Systems Group Test (edition 2).
- A comprehensive report on 15 commercial and open source Intrusion Detection Systems.
- Background traffic: Smartbits SMB6000 and Adtech AX/4000 monitor system.
- Advantage of this background traffic: the generators are capable of producing enough traffic to saturate the network.
- Two disadvantages of this background traffic:
  - Fewer false positives are generated than real traffic would produce.
  - The actual attacks differ significantly from the background traffic.

NSS Performance Testing (edition 3)
Network IDS Testing Procedure:
- Test 1 – Attack Recognition
- Test 2 – Performance Under Load
- Test 3 – IDS Evasion Techniques
- Test 4 – Stateful Operation Test

NSS Test Environment (diagram)
Components: Attacker, DUT (IDS), IDS Console, Private Subnet, Switch, Smartbit & WebAvalanche.
Targets: Win2000 SP2, FreeBSD 4.5, RedHat 7.2, Solaris 8 (Symantec Ghost).

Network Taps (diagram)

WebAvalanche and WebReflector (diagram)

NIDS Test 1 – Attack Recognition
Attack suite contains over 100 attacks covering the following areas:
- Application bugs
- Back Doors/Trojan/DDOS
- Denial of Service
- Finger
- FTP
- HTTP
- ICMP
- Mail (SMTP/POP3)
- Malicious Data Input
- Reconnaissance
- SNMP
- SANS Top 20

NIDS Test 1 Result (results table)

NIDS Test 2 – Performance Under Load
Use boping / bosting tools.
Small (64 byte UDP) packets with valid source/destination IP addresses and ports:
- 25 per cent network utilisation (37000pps)
- 50 per cent network utilisation (74000pps)
- 75 per cent network utilisation (111000pps)
- 100 per cent network utilisation (148000pps)
"Real world" packet mix:
- 25 per cent network utilisation (10000pps - 60 conns/sec)
- 50 per cent network utilisation (20000pps conns/sec)
- 75 per cent network utilisation (30000pps conns/sec)
- 100 per cent network utilisation (40000pps conns/sec)
Large (1514 byte) packets containing valid payload and address data:
- 25 per cent network utilisation (2044pps)
- 50 per cent network utilisation (4088pps)
- 75 per cent network utilisation (6132pps)
- 100 per cent network utilisation (8176pps)
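Where the load-level packet rates come from, as an added example that is not part of the NSS report: it derives the theoretical packet rate of a 100 Mbit/s link for the two fixed frame sizes above, assuming 20 bytes of per-frame wire overhead (preamble/SFD plus inter-frame gap), that the 64-byte frame includes its 4-byte FCS and that the 1514-byte frame (header plus 1500-byte payload) does not. The results land within one per cent of the NSS figures; the small remaining difference is rounding and overhead accounting in the report.

```python
# Added example, not from the NSS report: derive the NSS Test 2 load levels on a
# 100 Mbit/s link. Assumptions: 20 bytes of wire overhead per frame (8 bytes
# preamble/SFD + 12 bytes inter-frame gap); the 64-byte minimum frame already
# includes its 4-byte FCS; the 1514-byte "large" frame does not.

LINK_BPS = 100_000_000      # 100 Mbit/s Ethernet test bed
WIRE_OVERHEAD = 8 + 12      # preamble/SFD + inter-frame gap, in bytes
FCS_BYTES = 4
LOAD_LEVELS = (0.25, 0.50, 0.75, 1.00)   # the four NSS utilisation steps

def max_pps(frame_bytes: int, utilisation: float, fcs_included: bool,
            link_bps: int = LINK_BPS) -> int:
    """Packets per second that fill `utilisation` of the link with this frame size."""
    wire_bytes = frame_bytes + WIRE_OVERHEAD + (0 if fcs_included else FCS_BYTES)
    return int(utilisation * link_bps / (wire_bytes * 8))

def per_packet_budget_us(pps: int) -> float:
    """Average time (microseconds) a sensor has to inspect one packet at this rate."""
    return round(1_000_000 / pps, 2)

def load_table(frame_bytes: int, fcs_included: bool) -> dict:
    """Rates for the four NSS load levels, keyed by utilisation."""
    return {u: max_pps(frame_bytes, u, fcs_included) for u in LOAD_LEVELS}

if __name__ == "__main__":
    for label, size, fcs in (("small 64-byte UDP", 64, True),
                             ("large 1514-byte", 1514, False)):
        print(label)
        for u, pps in load_table(size, fcs).items():
            print(f"  {int(u * 100):3d}% -> {pps:7d} pps, "
                  f"{per_packet_budget_us(pps)} us per packet")
```

The per-packet budget is the number that matters for a sensor: at the small-packet line rate it has under 7 microseconds per packet, which is why the 64-byte test, not the large-packet test, is the one that exhausts an IDS.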

NIDS Test 2 Report (results table): Internet Security Systems RealSecure 7.0, Cisco Secure IDS 4230, Snort 1.8.6

NIDS Test 3 – IDS Evasion Techniques (1/2)
Using fragroute:
- Ordered IP fragments of various sizes
- Out-of-order IP fragments of various sizes
- Duplicate fragments
- TCP segmentation overlap
- TCP and IP chaffing
Whisker and Stealth Web Scanner:
- URL encoding
- /./ directory insertion
- Premature URL ending
- Long URL
- Fake parameter
- TAB separation
- Case sensitivity
- Windows \ delimiter
- Session splicing
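Why the Whisker-style rewrites above defeat a byte-for-byte signature match, and what a sensor has to do about it, as an added example that is not part of the NSS report: the canonicaliser below rewrites a request URI the way the target web server will interpret it before matching. The signature string, the sample requests and the function names are constructed for this illustration.

```python
# Added example, not from the NSS report: an HTTP signature engine must
# canonicalise the request URI before matching. Each rewrite in EVASIONS leaves
# the request meaning unchanged for the web server, so a matcher that compares
# raw bytes misses it. Signature and requests are constructed samples.
import posixpath
import re
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/phf"     # constructed sample signature (classic CGI probe)

def naive_uri(request_line: str) -> str:
    """Simplistic parser: assumes a single space separates method and URI."""
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""

def naive_match(request_line: str) -> bool:
    return SIGNATURE in naive_uri(request_line)

def request_uri(request_line: str) -> str:
    """Split on any run of whitespace, so a TAB-separated request line parses too."""
    parts = re.split(r"\s+", request_line.strip())
    return parts[1] if len(parts) >= 2 else ""

def canonical_uri(raw: str) -> str:
    """Rewrite the URI the way the target web server will interpret it."""
    path = raw.split("?", 1)[0]          # the query string is not part of the path
    path = unquote(path)                 # URL encoding: one decoding round, like most servers
    path = path.replace("\\", "/")       # Windows "\" delimiter
    path = posixpath.normpath(path)      # collapses /./ insertion and junk/../ prefixes
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()                  # case-insensitive servers (e.g. Windows)

def canonical_match(request_line: str) -> bool:
    return SIGNATURE in canonical_uri(request_uri(request_line))

# Constructed requests using evasions from the NSS list; all ask for /cgi-bin/phf.
EVASIONS = [
    "GET /cgi-bin/./phf HTTP/1.0",         # /./ directory insertion
    "GET /%63gi-bin/phf HTTP/1.0",         # URL encoding of one character
    "GET\t/cgi-bin/phf\tHTTP/1.0",         # TAB separation in the request line
    "GET /CGI-BIN/PHF HTTP/1.0",           # case sensitivity
    "GET /cgi-bin\\phf HTTP/1.0",          # Windows \ delimiter
]
BENIGN = "GET /index.html HTTP/1.0"

def evasion_report() -> dict:
    """For each request: (naive verdict, canonical verdict)."""
    return {r: (naive_match(r), canonical_match(r)) for r in EVASIONS + [BENIGN]}

if __name__ == "__main__":
    for req, (naive, canon) in evasion_report().items():
        print(f"{req!r:40} naive={naive} canonical={canon}")
```

The case-folding step is only correct for targets whose file system is case-insensitive; on a case-sensitive UNIX server the upper-case spelling is a different path, so a sensor needs to know the platform of each protected host to canonicalise without creating false positives.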

NIDS Test 3 – IDS Evasion Techniques (2/2)
Finally, we run several common exploits in their normal form, followed by the same exploits altered by various evasion techniques including:
- RPC record fragging
- Inserting spaces in command lines
- Inserting non-text Telnet opcodes in the data stream
- Fragmentation
- Polymorphic mutation (ADMmutate)

NIDS Test 3 Report (results table): Internet Security Systems RealSecure 7.0, Cisco Secure IDS 4230, Snort 1.8.6

NIDS Test 4 – Stateful Operation Test
Test 1:
- Use Stick and Snot to generate large numbers of false alerts on the protected subnet.
- During the attack, we also launch a subset of our basic common exploits to determine whether the IDS sensor continues to detect and alert.
- The effect on the overall sensor performance and logging capability is noted.
Test 2:
- Create an FTP session.
- Use the CAW WebAvalanche to open various numbers of TCP sessions, from 10,000 to 1,000,000.
- If the IDS is still maintaining state on the first session established, the exploit will be recorded.
- If the state tables have been exhausted, the exploit string will be seen as a non-stateful attack and will thus be ignored.
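The failure mode that the second part of Test 4 probes, as an added example that is not part of the NSS report: a toy session table with a fixed capacity that evicts its oldest entry when full. Once the flood of new connections has pushed out the FTP session opened first, the exploit string sent on that session arrives with no state and the stateful signature never fires. The exploit marker, addresses and class names are constructed for this illustration.

```python
# Added example, not from the NSS report: a bounded session table showing why a
# flood of connections makes a stateful sensor miss an exploit on an older
# session. The exploit string and session keys are constructed placeholders.
from collections import OrderedDict

EXPLOIT_STRING = "SITE EXEC <constructed-exploit-marker>"

class SessionTable:
    """Tracks established TCP sessions; evicts the oldest entry when full."""
    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.sessions: "OrderedDict[tuple, dict]" = OrderedDict()
        self.evictions = 0

    def open(self, key: tuple) -> None:
        if len(self.sessions) >= self.capacity:
            self.sessions.popitem(last=False)   # drop the oldest session
            self.evictions += 1
        self.sessions[key] = {"established": True}

    def inspect(self, key: tuple, payload: str) -> str:
        """Stateful signature: alert only on a session the table still knows."""
        if key not in self.sessions:
            return "ignored"       # no state: looks like a stray, non-stateful packet
        if EXPLOIT_STRING in payload:
            return "alert"
        return "clean"

def run_stateful_test(capacity: int, flood_sessions: int) -> str:
    """Open one FTP session, open `flood_sessions` more (the WebAvalanche role),
    then send the exploit on the first session and return the sensor's verdict."""
    table = SessionTable(capacity)
    ftp = ("10.0.0.5", 40001, "10.0.0.20", 21)      # constructed FTP session key
    table.open(ftp)
    for i in range(flood_sessions):
        # unique (src port, dst port) pairs for each flood connection
        table.open(("10.0.1.1", 1024 + i % 60000, "10.0.0.20", 80 + i // 60000))
    return table.inspect(ftp, EXPLOIT_STRING)

if __name__ == "__main__":
    for n in (10_000, 100_000, 1_000_000):
        print(f"{n:>9} flood sessions -> {run_stateful_test(100_000, n)}")
```

A real sensor has more options than oldest-first eviction (idle timeouts, per-host limits, pruning half-open sessions first), but whichever policy it uses, the test tells the evaluator how many concurrent sessions the sensor can hold before it silently stops seeing established traffic.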

NIDS Test 4 Report (results table): Internet Security Systems RealSecure 7.0, Cisco Secure IDS 4230, Snort 1.8.6

IDS Comparisons (2/3)
Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J. & Stoner, E. (2000). State of the Practice of Intrusion Detection Technologies. Carnegie Mellon Software Engineering Institute.
- This publication covers a wide range of issues facing Intrusion Detection: functionality, performance and implementation.
- It provides useful insights into important weaknesses of IDSs and a plethora of links to further information.
- It also includes a list of recommended IDS selection criteria as an appendix.

IDS Comparisons (3/3)
Lippmann, R. P., Cunningham, R. K., Fried, D. J., Graf, I., Kendall, K. R., Webster, S. E. & Zissman, M. A. (1999). Results of the DARPA 1998 Offline Intrusion Detection Evaluation. Slides presented at the RAID 1999 Conference, September 7-9, 1999, West Lafayette, Indiana.
Haines, J. W., Lippmann, R. P., Fried, D. J., Korba, J. & Das, K. (1999). The 1999 DARPA Off-Line Intrusion Detection Evaluation.
Haines, J. W., Lippmann, R. P., Fried, D. J., Zissman, M. A., Tran, E. & Boswell, S. B. (1999). DARPA Intrusion Detection Evaluation: Design and Procedures. Lincoln Laboratory, Massachusetts Institute of Technology.
- This series of publications is a combined research effort of Lincoln Laboratory, DARPA and the American Air Force.
- Together they refer to two comprehensive evaluations of IDSs and IDS technologies.
- These evaluations attempted to quantify specific performance measures of IDSs and test them against a background of realistic network traffic.

MIT Test Methodology
- Ratio of attack detection to false positives
- Ability of anomaly detection techniques to detect new attacks
- Comparison of host-based vs. network-based systems in detecting different types of attacks
- Ability to detect new and stealthy attacks

IDS Evaluation Methodologies (1/2)
Ranum, M. J. (2001). Experiences Benchmarking Intrusion Detection Systems. NFR Security.
- This article discusses a number of issues relating to the techniques used to benchmark IDSs.
- It is highly critical of many published IDS comparisons for their lack of understanding of IDS techniques, and thus of their ability to design appropriate testing methodologies.
- It discusses the various measures that can be and have been used to measure the performance of IDSs.
- It stresses the importance of using real-life traffic and attacks in the evaluation process, rather than simulated traffic and attacks.

IDS Evaluation Methodologies (2/2)
Puketza, N., Chung, M., Olsson, R. A. & Mukherjee, B. (1996). Simulating Concurrent Intrusions for Testing Intrusion Detection Systems: Parallelizing Intrusions. University of California, Davis.
Puketza, N., Zhang, K., Chung, M., Olsson, R. A. & Mukherjee, B. (1996). A Methodology for Testing Intrusion Detection Systems. University of California, Davis.
Puketza, N., Chung, M., Olsson, R. A. & Mukherjee, B. (1997). A Software Platform for Testing Intrusion Detection Systems. University of California, Davis.
- Puketza et al. developed an application that simulates specific attacks against a target system. These attacks can be scripted to run concurrently or in a specific sequence.
- The advantage of this methodology is that each test can easily be repeated for each device under test.
- One disadvantage of this application is that it targets older vulnerabilities in UNIX systems, which should not apply to a current operating system.

Criteria for Evaluating Network Intrusion Detection Systems
- Ability to identify attacks
  - Known vulnerabilities and attacks
  - Unknown attacks
  - Relevance of attacks
- Stability, reliability and security
- Information provided to the analyst
  - Severity, potential damage
  - Outcome of attack
  - Legal validity of data collected
- Manageability
  - Ease or complexity of configuration
  - Possible configuration options
- Scalability and interoperability
- Vendor support
  - Signature updates

Reference
r028/99tr028abstract.html