Survey – IDS Testing
Marmagna Desai [592 Presentation]


Contents
- Introduction
- Paper I – A Methodology for Testing IDS
- Paper II – Intrusion Detection Testing and Benchmarking Methodologies
- Summary – Paper I
- Summary – Paper II
- Conclusion
- References

Introduction
IDS development and the problems:
- False positives
- Misses
- Realistic traffic generation
- Need for a generalized testing methodology
Paper I – an individual attempt to solve the above problems.
Paper II – a commentary on such past attempts and the future need for development.
This survey summarizes both papers with concluding remarks.

Introduction... A Methodology for Testing IDS
- One of the many early attempts made in the 90's [1996].
- Can be viewed as one methodology for testing network-based IDS.
- Based on software engineering test concepts.
- Identifies a set of general IDS performance objectives.
- UNIX tool Expect used and enhanced for traffic generation.
- Experimental IDS: NSM (Network Security Monitor).

Introduction: ID Testing and Benchmarking Methodologies
- Commentary on major attempts to design an evaluation environment for ID testing.
- Existing tools and methodologies:
  - DARPA and LARIAT [environments]
  - TCPReplay, IDSWakeup, WebAvalanche, HPING2 etc. [tools]
- Issues in developing such an environment:
  - Background traffic
  - Database for attacks
  - Testing limited to case-by-case scenarios
  - High costs and security problems

Introduction... ID Testing and Benchmarking Methodologies
Examples of evaluation environments:
- Environment based on DARPA
- Custom software [Reference: Paper I]
- Vendor-independent lab
Comments on the shortcomings of all such attempts, and proposes the need for a very general approach to building such an environment.

Summary – Paper I
Custom software approach to building an evaluation environment – w.r.t. Paper II. Facts:
- One test-bed for one set of related attacks.
- IDS affected by system conditions – stress.
- NOT a general environment – w.r.t. IDS performance objectives.
- Simulation of user behaviours.
- Software engineering approach.

Software Platform – Paper I
Unix tool Expect:
- Simulation of “normal” and “intruder” behaviour.
- Extends the Tcl interpreter to provide simulation scripts.
The authors have extended Expect to include:
- Concurrent scripts
- Synchronized and communicating scripts
- Interleaving of commands executed by users
- Replaying

Performance Objectives – Paper I
IDS objectives – necessary but not sufficient:
- Broad detection range
- Economy in resource usage
- Resilience to stress
Test-case selection:
- Based on “equivalence partitioning” of the set of intrusions [software engineering approach].
- Based on a taxonomy of vulnerabilities – the IDS might or might not detect intrusions within a class.
- Based on signatures – very small classes.

Test-Case Selection
Ideal test case: combine all three approaches to meet the needs of the particular site on which the IDS is employed!!

Testing Methodology - Paper I
General methodology:
1. Create and select test scripts [normal/intrusion scripts]
2. Establish the desired conditions – performance objectives
3. Start the IDS
4. Run the test scripts
5. Analyse the IDS's output

Testing Methodology... (Paper I)
Conditions:
- Intrusion identification – the basic IDS test.
- Resource usage – how many resources are used by the IDS.
- Stress load – testing the IDS as a low CPU-priority task [nice].
- Intensity – a lot of activity generated in a short time.
- Background noise – always created by “normal” users, e.g. telnet sessions associated with the IDS host.
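How the final step of Paper I's methodology (analysing the IDS output against the scripts that were run) can be scored per equivalence class and across conditions, as an added example written for this survey and not code from either paper. The scripts, class names, alerts and CPU figures are constructed sample data, and the "stress" run stands for the IDS running as a low-priority task.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class TestScript:
    name: str        # name of the (Expect-style) script that was replayed
    intrusive: bool  # True for an intruder script, False for a normal-user script
    category: str    # equivalence class from the site's vulnerability taxonomy
@dataclass(frozen=True)
class RunResult:
    condition: str      # "baseline", or "stress" (IDS run as a low-priority task)
    alerts: frozenset   # names of the scripts for which the IDS raised an alert
    cpu_seconds: float  # CPU time consumed by the IDS process during the run
# Constructed sample data; script and class names are hypothetical labels.
SCRIPTS = [
    TestScript("login_normal", False, "normal"),
    TestScript("ftp_mirror", False, "normal"),  # heavy but legitimate activity
    TestScript("passwd_guess_1", True, "password_guessing"),
    TestScript("passwd_guess_2", True, "password_guessing"),
    TestScript("symlink_race", True, "race_condition"),
    TestScript("tftp_readpasswd", True, "misconfiguration"),
]
BASELINE = RunResult("baseline", frozenset({"passwd_guess_1", "passwd_guess_2", "symlink_race", "ftp_mirror"}), 4.2)
STRESS = RunResult("stress", frozenset({"passwd_guess_1", "ftp_mirror"}), 1.1)

def score_run(scripts, run):
    """Intrusion identification and false positives, broken down by equivalence class."""
    per_class = defaultdict(lambda: [0, 0])  # category -> [detected, total intrusions]
    missed, false_positives = [], []
    for s in scripts:
        alerted = s.name in run.alerts
        if s.intrusive:
            per_class[s.category][1] += 1
            if alerted:
                per_class[s.category][0] += 1
            else:
                missed.append(s.name)
        elif alerted:  # an alert on a normal-user script is a false positive
            false_positives.append(s.name)
    detected, total = (sum(d for d, _ in per_class.values()), sum(t for _, t in per_class.values()))
    return {"condition": run.condition, "cpu_seconds": run.cpu_seconds,
            "detection_rate": detected / total if total else 0.0,
            "per_class": {c: f"{d}/{t}" for c, (d, t) in per_class.items()},
            "missed": missed, "false_positives": false_positives}

def stress_resilience(scripts, baseline, stress):
    """Resilience to stress: intrusions caught at baseline but lost under stress."""
    base, under = score_run(scripts, baseline), score_run(scripts, stress)
    return {"lost_under_stress": sorted(set(under["missed"]) - set(base["missed"])),
            "detection_drop": base["detection_rate"] - under["detection_rate"]}
```

The per-class breakdown is what the equivalence-partitioning approach calls for: a class with 0/1 detected (here the constructed misconfiguration class) points to a gap in the IDS's detection range, while the stress comparison shows which intrusions are lost when the IDS is starved of CPU.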

Limitations – Paper I
- Scripts cannot simulate users in a GUI environment.
- Designed to test systems that perform “misuse detection” - anomaly detection is not considered.
- Not generalized for all possible attacks [??]
- Limited in performance objectives.
- Replaying could be more realistic.

Summary – Paper II
DARPA approach:
- Government undertaking – private and secure.
- Generate background traffic interlaced with intrusions.
Traffic can be generated by...
- Collecting real data and attacking the actual organization.
- Sanitizing data and introducing the attack into the data itself.
- Synthesizing non-sensitive traffic from scratch.

DARPA...
This approach had many shortcomings:
- No effort to detect false positives.
- Data rates and their variation with time were never considered [stress].
- Attacks were evenly distributed.
- Size of training data may be insufficient.
Yet DARPA was a major effort to build such a generalized evaluation environment for IDS testing.

LARIAT
Lincoln Adaptable Real-Time Information Assurance Test-bed. Emulates the network traffic of a small organization connected to the Internet. This was another attempt to build an evaluation methodology.
Features:
- High throughput capabilities
- Various attack scenarios
- Windows traffic taken into account
- More realistic and fully automated

Tools
- TCPReplay: provides background traffic by replaying pre-recorded traffic from network links.
- IDSWakeup: generates false attacks in order to determine whether the IDS produces alerts.
- WebAvalanche: stress-testing appliance for web applications and servers.
- HPING2: command-line packet assembler and analyser.
- Fragrouter: routes network traffic such that it eludes most NIDS.

Issues
- Traffic generation
  - Background traffic: contains non-malicious data.
  - Attack traffic: the actual testing data for IDSs.
- Databases
  - Attack intensity can vary in real time.
  - Databases need to be maintained and updated.
- High cost
- Effects of networking elements – security issue
  - Firewalls, proxy servers, ACLs etc.

Present Evaluation Environments
DARPA environment:
- Attack injection programs used to place attacks.
- Traffic generation was similar to the early effort.
- Victim computer was an anonymous FTP server.
- Environment focused on DoS attacks.

Environments...
Custom software: same as the Paper I approach.
Vendor-independent testing lab:
- Created by the NSS Group.
- Built a specialized lab to perform attacks on IDS.
- Provides reports covering a large range of attacks.
- Focuses on user interface, forensics and log management.

Conclusion
- Evaluation environment – NOT just a tool.
- No single methodology for testing an IDS against every attack.
- The BEST way: evaluate the IDS using live or recorded real, site-specific traffic.
- The DARPA experiment was significant:
  - Provides a realistic evaluation environment.
  - Requires a lot of rework and is not generalized.

Survey Comments
- Development of an IDS testing methodology is in progress.
- A general, open-source and realistic evaluation environment is needed – NOT just a tool.
- Unless a general methodology is developed, IDS design and implementation will face problems:
  - False positives and misses
  - Failure under stress conditions
- IDS – only a part of security!!

References
Puketza, Nicholas J.; Chung, Mandy; Olsson, Ronald A. and Mukherjee, Biswanath. “A Methodology for Testing Intrusion Detection Systems”, IEEE Transactions on Software Engineering, vol. 22, 1996.
Athanasiades, Nicholas; Abler, Randal; Levine, John; Owen, Henry; Riley, George. “Intrusion Detection Testing and Benchmarking Methodologies”, IEEE International Information Assurance Workshop, 2003.

Thank You!! Questions?