IDS Colloquium 2001 - Intrusion Detection Systems (IDS)
John Kristoff, DePaul University, +1 312 362-5878

Slide 1: Intrusion Detection Systems (IDS)
John Kristoff, DePaul University, Chicago, IL 60604

Slide 2: Why IDS?
• Interesting, but immature technology
• Provides lots of data/information
• Generally doesn't interfere with communications
• Anything that improves security...

Slide 3: What is IDS?
• Ideally, immediately identifies successful attacks
• Should have an immediate notification system
  • Out-of-band from the attack if possible
• Can probably monitor attack attempts as well
• Might have attack diagnosis, recommendation and/or automated attack mitigation response
• Lofty goals:
  • 0% false positive rate
  • 0% false negative rate

Slide 4: Privacy issues
• Does an IDS violate privacy?
  • Are packet headers (protocols) private?
  • Is identification (an address) private?
  • Are packet contents (payload) private?
  • Are communications (flows/sessions) private?
• Where is the IDS?
• Who manages the IDS?
• How is the IDS data handled and managed?

Slide 5: Storage, mining and presentation
• IDSs can collect LOTS of information
• What is useful data?
• What are you looking for?
• Data correlation within/outside of the IDS?
• What does the admin see?
• Where and for how long do you keep data?
• How do you secure access to IDS data?

Slide 6: Host IDS
• An integral part of an end-system
  • System log monitor
  • Kernel level packet monitor
  • Application specific
• A very good place to put security
• Distributed management issues
• Not all end systems will support an IDS
• Will be as useful as the end user is clueful

Slide 7: Network IDS
• An add-on to the communications system
• Generally passive and invisible to the ends
• May see things a host IDS cannot easily see
  • Fragmentation, other host attacks (correlation)
• May not understand network traffic
  • Unknown protocols/applications, encryption
• May miss things that don't cross its boundary

Slide 8: Anomaly detection
• A form of artificial intelligence
• Learn what is normal for a network/system
• If an event is not normal, generate alert
• May catch new attacks not seen before
• For a simple, but effective example see:
  • Detecting Backdoors, Y. Zhang and V. Paxson, 9th USENIX Security Symposium
• An area of active research

Slide 9: Signature matching
• Know what an attack looks like and look for it
• Very easy to implement
• Low false positive rate
• Most current IDSs are of this type
• Easy to fool
• Signatures must be added/updated regularly

Slide 10: Honeypots
• A system that welcomes attacks
  • Generally unbeknownst to the attacker
• The system is very closely monitored
• Can be used to test new technology/systems
• Generally educational in nature
• Helpful as a trend monitor for that system type
• Be careful the honeypot doesn't become a liability

Slide 11: Possible IDS failure modes
• Fragmentation, state and high speeds
  • Requires lots of CPU, memory and bandwidth
• Inability to decode message/transaction
  t^Hrr^Hm56^H^H //^H -u^Hrf
• Background noise
• Tunnelling/encryption
• IDS path evasion
• Stupid user tricks

Slide 12: The poor man's Network IDS
• Set up a router subnet and unix host
• Block all outgoing/incoming packets
  access-list 100 deny ip any any log
• Log packets (filter matches) with syslog
• Use perl/grep/uniq/... to build simple reports
  Total violations: 468
  Top source host: badguy.org
  Top dest. TCP port: 21 (ftp)
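
As an added example (not from the slides), this is the kind of report script the slide describes, written in Python rather than perl/grep/uniq. The syslog lines are constructed and follow the Cisco IOS %SEC-6-IPACCESSLOGP / IPACCESSLOGDP message format that a logged deny entry produces; the service-name table is a hand-written stand-in for /etc/services.

```python
import re
from collections import Counter

# Constructed syslog sample (not real traffic) in the style of the IOS
# %SEC-6-IPACCESSLOGP/DP messages an "access-list 100 deny ip any any log"
# entry emits. IOS aggregates repeated hits into the trailing packet count,
# so counting lines instead of packets would understate the violations.
SAMPLE_SYSLOG = """\
Mar  3 10:01:02 rtr1 12: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.7(40121) -> 192.0.2.10(21), 1 packet
Mar  3 10:06:05 rtr1 13: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.7(40122) -> 192.0.2.10(21), 5 packets
Mar  3 10:06:09 rtr1 14: %SEC-6-IPACCESSLOGP: list 100 denied tcp 198.51.100.4(51000) -> 192.0.2.11(23), 1 packet
Mar  3 10:06:11 rtr1 15: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.51.100.4(53012) -> 192.0.2.12(161), 1 packet
Mar  3 10:06:15 rtr1 16: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 203.0.113.7 -> 192.0.2.10 (8/0), 1 packet
Mar  3 10:07:20 rtr1 17: %SYS-5-CONFIG_I: Configured from console by admin
"""

# Ports are optional: ICMP deny messages carry "(type/code)" instead.
DENY_RE = re.compile(
    r"list (?P<acl>\d+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r".*?, (?P<count>\d+) packets?"
)
SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http"}  # stand-in for /etc/services

def parse_denies(syslog_text):
    """Yield one dict per ACL deny message; unrelated syslog lines are skipped."""
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m.groupdict()

def build_report(syslog_text):
    """Total violations (in packets), busiest source host and busiest TCP destination port."""
    total, by_src, by_tcp_port = 0, Counter(), Counter()
    for ev in parse_denies(syslog_text):
        n = int(ev["count"])
        total += n
        by_src[ev["src"]] += n
        if ev["proto"] == "tcp" and ev["dport"]:
            by_tcp_port[int(ev["dport"])] += n
    return {"total": total,
            "top_src": by_src.most_common(1)[0][0] if by_src else None,
            "top_tcp_port": by_tcp_port.most_common(1)[0][0] if by_tcp_port else None}

def format_report(rep):
    """Render the figures in the same shape as the slide's sample report."""
    port = rep["top_tcp_port"]
    return (f"Total violations: {rep['total']}\nTop source host: {rep['top_src']}\n"
            f"Top dest. TCP port: {port} ({SERVICES.get(port, 'unknown')})")
```

Running `print(format_report(build_report(SAMPLE_SYSLOG)))` on the sample gives 9 violations, 203.0.113.7 as the top source and 21 (ftp) as the top TCP port.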

Slide 13: The poor man's host IDS
• Use snort ( or...
• Turn on all logging and do log reporting
• Install fake service and monitor
  • tcp_wrappers, back officer friendly
• Use diff (or equivalent), monitor file changes
  • Keep copies of data/configs elsewhere
  • Use Tripwire or equivalent
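
An added example (not the slides' own code) of the "diff / Tripwire or equivalent" idea: snapshot the hash and permission bits of every file under a directory, keep that snapshot somewhere the monitored host cannot alter it, and later compare. The etc/ tree and the changes made to it are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile

# Tripwire-style baseline-and-compare. The baseline belongs off the monitored
# host (the slide's "keep copies elsewhere"): one stored beside the files it
# guards can be rewritten together with them and will report nothing.
def _write(path, data, mode="wb"):
    with open(path, mode) as f:
        f.write(data)

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    """Map each regular file under root (relative path) to (sha256, permission bits)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, devices
                snap[os.path.relpath(full, root)] = (_sha256(full), stat.S_IMODE(st.st_mode))
    return snap

def compare(baseline, current):
    """Return sorted (added, removed, changed) paths: a 'diff' of two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, changed

def demo():
    """Constructed scenario: baseline a fake etc/ tree, then alter it in four ways."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        for name, body in {"passwd": b"root:x:0:0::/root:/bin/sh\n",
                           "hosts": b"127.0.0.1 localhost\n", "motd": b"welcome\n"}.items():
            _write(os.path.join(etc, name), body)
            os.chmod(os.path.join(etc, name), 0o644)
        baseline = snapshot(root)
        _write(os.path.join(etc, "passwd"), b"guest:x:1001:1001::/home/guest:/bin/sh\n", "ab")
        os.chmod(os.path.join(etc, "hosts"), 0o666)   # permission-only change, same content
        os.remove(os.path.join(etc, "motd"))          # deletion
        _write(os.path.join(etc, "extra.conf"), b"x=1\n")  # new file
        return compare(baseline, snapshot(root))
```

`demo()` returns `(['etc/extra.conf'], ['etc/motd'], ['etc/hosts', 'etc/passwd'])`; the hosts entry shows why mode bits belong in the baseline, since its content is unchanged.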

Slide 14: References
• Network Intrusion Detection, An Analyst's Handbook, by Stephen Northcutt
• in body put "help"