Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.

Slides:



Advertisements
Similar presentations
Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Advertisements

Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.
Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection Aaron Beach Spring 2004.
1 Reading Log Files. 2 Segment Format
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Firewalls and Intrusion Detection Systems
Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Intrusion Detection/Prevention Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality,
seminar on Intrusion detection system
Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS Professor Yan Chen.
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering
Intrusion Detection System Marmagna Desai [ 520 Presentation]
INTRUSION DETECTION SYSTEM
Bro: A System for Detecting network Intruders in Real-Time Vern Paxson Klevis Luli.
A Brief Taxonomy of Firewalls
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
Intrusion Detection System [Snort]
1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
FIREWALL Mạng máy tính nâng cao-V1.
Penetration Testing Security Analysis and Advanced Tools: Snort.
COEN 252 Computer Forensics
IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.
Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.
COEN 252 Computer Forensics Collecting Network-based Evidence.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
Access Control List (ACL)
Linux Networking and Security
Firewalls  Firewall sits between the corporate network and the Internet Prevents unauthorized access from the InternetPrevents unauthorized access from.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Intrusion Detection (ID) Intrusion detection is the ART of detecting inappropriate, incorrect, or anomalous activity There are two methods of doing ID.
Module 7: Advanced Application and Web Filtering.
1 Figure 10-4: Intrusion Detection Systems (IDSs) HOST IDSs  Protocol Stack Monitor (like NIDS) Collects the same type of information as a NIDS Collects.
Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.
Intrusion Detection System
I NTRUSION P REVENTION S YSTEM (IPS). O UTLINE Introduction Objectives IPS’s Detection methods Classifications IPS vs. IDS IPS vs. Firewall.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Machine Learning for Network Anomaly Detection Matt Mahoney.
Role Of Network IDS in Network Perimeter Defense.
Access Control List (ACL) W.lilakiatsakun. Transport Layer Review (1) TCP (Transmission Control Protocol) – HTTP (Web) – SMTP (Mail) UDP (User Datagram.
SYSTEM ADMINISTRATION Chapter 10 Public vs. Private Networks.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Some Great Open Source Intrusion Detection Systems (IDSs)
25/09/ Firewall, IDS & IPS basics. Summary Firewalls Intrusion detection system Intrusion prevention system.
CompTIA Security+ Study Guide (SY0-401)
IDS Intrusion Detection Systems
Access control techniques
NETWORKS Fall 2010.
Principles of Computer Security
CompTIA Security+ Study Guide (SY0-401)
Security.
Firewalls.
Introduction to Network Security
Session 20 INST 346 Technologies, Infrastructure and Architecture
Intrusion Detection Systems
Presentation transcript:

Intrusion Detection - Arun Hodigere

Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from outside the network or legitimate users of the network. Intrusion can be a physical, system or remote intrusion.

Different ways to intrude Buffer overflows Unexpected combinations Unhandled input Race conditions

Intrusion Detection Systems (IDS) Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.

Intrusion Detection Systems (IDS) Different ways of classifying an IDS IDS based on – anomaly detection – signature based misuse – host based – network based

Anomaly based IDS This IDS models the normal usage of the network as a noise characterization. Anything distinct from the noise is assumed to be an intrusion activity. –E.g flooding a host with lots of packet. The primary strength is its ability to recognize novel attacks.

Drawbacks of Anomaly detection IDS Assumes that intrusions will be accompanied by manifestations that are sufficiently unusual so as to permit detection. These generate many false alarms and hence compromise the effectiveness of the IDS.

Signature based IDS This IDS possess an attacked description that can be matched to sensed attack manifestations. The question of what information is relevant to an IDS depends upon what it is trying to detect. –E.g DNS, FTP etc.

Signature based IDS (contd.) ID system is programmed to interpret a certain series of packets, or a certain piece of data contained in those packets,as an attack. For example, an IDS that watches web servers might be programmed to look for the string “phf” as an indicator of a CGI program attack. Most signature analysis systems are based off of simple pattern matching algorithms. In most cases, the IDS simply looks for a sub string within a stream of data carried by network packets. When it finds this sub string (for example, the ``phf'' in ``GET /cgi-bin/phf?''), it identifies those network packets as vehicles of an attack.

Drawbacks of Signature based IDS They are unable to detect novel attacks. Suffer from false alarms Have to programmed again for every new pattern to be detected.

Host/Applications based IDS The host operating system or the application logs in the audit information. These audit information includes events like the use of identification and authentication mechanisms (logins etc.), file opens and program executions, admin activities etc. This audit is then analyzed to detect trails of intrusion.

Drawbacks of the host based IDS The kind of information needed to be logged in is a matter of experience. Unselective logging of messages may greatly increase the audit and analysis burdens. Selective logging runs the risk that attack manifestations could be missed.

Strengths of the host based IDS Attack verification System specific activity Encrypted and switch environments Monitoring key components Near Real-Time detection and response. No additional hardware

Stack based IDS They are integrated closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers. This allows the IDS to pull the packets from the stack before the OS or the application have a chance to process the packets.

Network based IDS This IDS looks for attack signatures in network traffic via a promiscuous interface. A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known un-malicious traffic.

Strengths of Network based IDS Cost of ownership reduced Packet analysis Evidence removal Real time detection and response Malicious intent detection Complement and verification Operating system independence

Commercial ID Systems ISS – Real Secure from Internet Security Systems: –Real time IDS. –Contains both host and network based IDS. Tripwire – File integrity assessment tool. Bro and Snort – open source public-domain system.

Bro: Real time IDS Network based IDS Currently developed for six Internet applications: FTP, Finger, Portmapper, Ident, Telnet and Rlogin.

Design goals for Bro High-speed, large volume monitoring No packet filter drops Real time notification Mechanism separate from policy Extensible Monitor will be attacked

Structure of the Bro System Network libcap Event engine Policy Script Interpreter Packet Stream Filtered Packet Stream Event Stream Real time notification Policy script Event Control Tcpdump filter

Bro - libcap It’s the packet capture library used by tcpdump. Isolates Bro from details of the network link technology. Filters the incoming packet stream from the network to extract the required packets. E.g port finger, port ftp, tcp port 113 (Ident), port telnet, port login, port 111 (Portmapper). Can also capture packets with the SYN, FIN, or RST Control bits set.

Bro – Event Engine The filtered packet stream from the libcap is handed over to the Event Engine. Performs several integrity checks to assure that the packet headers are well formed. It looks up the connection state associated with the tuple of the two IP addresses and the two TCP or UDP port numbers. It then dispatches the packet to a handler for the corresponding connection.

Bro – TCP Handler For each TCP packet, the connection handler verifies that the entire TCP Header is present and validates the TCP checksum. If successful, it then tests whether the TCP header includes any of the SYN/FIN/RST control flags and adjusts the connection’s state accordingly. Different changes in the connection’s state generate different events.

Policy Script Interpreter The policy script interpreter receives the events generated by the Event Engine. It then executes scripts written in the Bro language which generates events like logging real-time notifications, recording data to disk or modifying internal state. Adding new functionality to Bro consists of adding a new protocol analyzer to the event engine and then writing new events handlers in the interpreter.

Application Specific Processing - Finger Finger request Event Engine Generates Finger_request event Script interpreter Tests for buffer overflow, checks the user against sensitive ids, etc Event Engine Generates event controls based on the policy Finger reply

Future of IDS To integrate the network and host based IDS for better detection. Developing IDS schemes for detecting novel attacks rather than individual instantiations.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.