Computer Network Forensics Lecture 6 – Intrusion Detection © Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering, WVU

Intrusion Detection: Methods, Tools, Practices

Intrusion Detection
Network Intrusion Detection is the process of searching network traffic for intrusions and signs of intrusions.

Firewalls fail to prevent Intrusion
Firewalls are designed to implement an access control policy. E.g., a firewall policy might be: HTTP traffic to the Web server is good, while FTP traffic is bad.
Once a firewall has accepted a connection, it will not check that connection for signs of intrusion.

Firewalls fail to prevent Intrusion
Network Intrusion Detection Systems (NIDS) look for intrusions on your network and report whenever an intrusion is found.
Example: Snort, an open source product.

Snort Overview
Many command line options to play with.
3 modes of use: sniffer, packet logger, and network intrusion detection system
1. Sniffer: snort -v (show packets) or snort -vd (show packets and headers)
2. Packet Logger: snort -dev -l ./log
3. Network Intrusion Detection (NIDS) mode: snort -dev -l ./log -c snort.conf (snort.conf has the rules database)

Snort - Writing Rules - a simple intro

Preventing Intrusion
Method 1: signature-based detection, which compares traffic to signatures of well-known intrusion techniques (like anti-virus software).
Method 2: protocol anomaly detection, which compares the actual traffic on the network to the specifications of each protocol (such as HTTP and FTP) and reports anomalies.

Detecting Intrusion
A "root" login can be detected only with a signature; DNS cache poisoning can be detected only with protocol anomaly detection.
Hence, implement as many intrusion detection methods as possible.

Errors
A false positive happens when an NIDS reports an intrusion in valid traffic.
The quality of the signature database largely determines the false-positive rate.
Snort, for example, would generate many false positives, as opposed to some commercial products.

Preventing Intrusion
To prevent attacks, you need an IDP (intrusion detection and prevention) system.
An IDP is deployed in the line of packets and blocks intrusions as they are detected.
An IDP product can be found at

OneSecure Intrusion Detection and Prevention (IDP) System
Accurate Attack Detection
– Multiple methods to detect more attacks
– Stateful signatures to reduce false positives
Prevention
– Drop packets as they are detected
Management
– Easy rule-based approach

Multiple Methods of Attack Detection
Stateful Signature Detection
– IDP tracks the state of a connection and looks for attack patterns in only the relevant portions of the traffic
Protocol Anomaly Detection
– Protocol anomaly detection can be used to identify attacks that deviate from the protocols that "normal" traffic follows
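An added example (not code from the slides, Snort or OneSecure) that puts the two detection methods of the earlier slides and the stateful signature of this one into working form: the "root" login signature fires only on the client's reply to a server login prompt, and each HTTP request is compared to the protocol specification. Flow ids, the telnet/HTTP payloads and all function names are constructed for the example.

```python
import re

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")

class StatefulSignature:
    """'root' login signature that fires only on the reply to a 'login:' prompt."""
    def __init__(self):
        self.awaiting_user = set()  # flows whose last server packet was a login prompt

    def inspect(self, flow, direction, payload):
        if direction == "s2c":
            if b"login:" in payload:
                self.awaiting_user.add(flow)
            return None
        if flow in self.awaiting_user:
            self.awaiting_user.discard(flow)
            if payload.strip() == b"root":
                return f"signature: root login attempt on flow {flow}"
        return None

def http_protocol_anomaly(payload):
    """Check a client HTTP request against the spec: well-formed request line, known method."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return "protocol-anomaly: malformed HTTP request line"
    method = m.group(1).decode()
    if method not in HTTP_METHODS:
        return f"protocol-anomaly: unknown HTTP method {method}"
    return None

def run(packets):
    """packets: (flow id, direction, service, payload). Returns the alerts raised."""
    sig, alerts = StatefulSignature(), []
    for flow, direction, service, payload in packets:
        if service == "telnet":
            alert = sig.inspect(flow, direction, payload)
        else:
            alert = http_protocol_anomaly(payload) if direction == "c2s" else None
        if alert:
            alerts.append(alert)
    return alerts

SAMPLE = [  # constructed sample traffic, not a real capture
    ("A", "s2c", "telnet", b"login: "),
    ("A", "c2s", "telnet", b"root\r\n"),               # caught: reply to the prompt
    ("B", "c2s", "telnet", b"root\r\n"),               # ignored: no prompt on flow B
    ("C", "c2s", "http", b"GET /root/ HTTP/1.1\r\n"),  # valid request, no alert
    ("D", "c2s", "http", b"HACK / HTTP/1.1\r\n"),      # unknown method: anomaly
    ("E", "c2s", "http", b"GET /x HTTP/9.9\r\n"),      # malformed request line
]
```

Flow B and the "/root/" URL show why the connection state matters: the same bytes outside the login reply raise no alert, which is the false-positive reduction the slide claims for stateful signatures.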

Multiple Methods of Attack Detection
Backdoor Detection
– IDP identifies the unique characteristics of interactive traffic and sends an alarm for unexpected activity
Traffic Anomaly Detection
– Traffic anomaly detection can identify reconnaissance activity by comparing incoming traffic to "normal" traffic patterns and identifying deviations
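An added example (not the IDP's own algorithm) of the traffic anomaly detection described above: a per-source fan-out baseline is learned from a constructed "normal" window, and a live window is compared to it so that a host contacting far more services than the baseline is reported as reconnaissance. The function names, threshold parameters and flow records are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

def fanout_per_source(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Number of distinct
    (host, port) services each source contacted."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        seen[src].add((dst, port))
    return {src: len(services) for src, services in seen.items()}

def learn_baseline(normal_flows):
    """Learn what 'normal' looks like: mean and std-dev of per-source fan-out."""
    counts = list(fanout_per_source(normal_flows).values())
    return mean(counts), pstdev(counts)

def detect_recon(baseline, live_flows, k=3.0, floor=10):
    """Sources whose fan-out exceeds mean + k*stddev; `floor` keeps a very
    uniform baseline from flagging an ordinary client that adds one service."""
    mu, sigma = baseline
    threshold = max(floor, mu + k * sigma)
    return sorted(src for src, n in fanout_per_source(live_flows).items() if n > threshold)

# constructed baseline window: ten clients each use web and DNS, two also use mail/ssh
NORMAL = [(f"10.0.0.{i}", "10.0.1.10", p) for i in range(2, 12) for p in (80, 443, 53)]
NORMAL += [("10.0.0.3", "10.0.1.11", 25), ("10.0.0.4", "10.0.1.12", 22)]
# constructed live window: same clients plus one host sweeping 200 ports on a server
LIVE = NORMAL + [("10.0.0.50", "10.0.1.10", p) for p in range(1, 201)]
```

Only the sweeping host is reported; the baseline clients stay under the threshold even though two of them use one service more than the others.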

Multiple Methods of Attack Detection
Network Honeypot
– The network honeypot sends fake information to people scanning the network to try to entice attackers to access non-existent services. It identifies the attacker when they attempt to connect to the service.

Prevention
Drop malicious packets from the network during the detection process to ensure the attack never reaches its target "victim" (active response).
Avoiding the TCP reset or firewall signal of a passive response ensures no time is lost and the attack does not penetrate, so no investigation is needed.
Avoids DoS attacks.