Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Security Intrusion Detection. Intruders  A significant security problem for networked systems is hostile/unwanted, trespass by users or software.

Published byAlvin Gibson Modified over 8 years ago

Similar presentations

Presentation on theme: "Computer Security Intrusion Detection. Intruders  A significant security problem for networked systems is hostile/unwanted, trespass by users or software."— Presentation transcript:

1 Computer Security Intrusion Detection

2 Intruders  A significant security problem for networked systems is hostile/unwanted, trespass by users or software. hostile/unwanted, trespass by users or software.  User trespass can take the form of unauthorized logon to a machine unauthorized logon to a machine or, in the case of an authorized user, acquisition of privileges or performance of actions beyond those that have been authorized. or, in the case of an authorized user, acquisition of privileges or performance of actions beyond those that have been authorized.  Software trespass can take the form of a virus, worm, or Trojan horse.

3 Intruders  Intruder attacks range from the benign to the serious.  At the benign end of the scale, there are many people who simply wish to explore internets and see what is out there. there are many people who simply wish to explore internets and see what is out there.  At the serious end are individuals who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system individuals who are attempting to read privileged data, perform unauthorized modifications to data, or disrupt the system

4 Intruders  Three classes of intruders: Masquerader: An individual, likely an outsider, not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account. Masquerader: An individual, likely an outsider, not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account. Misfeasor: A legitimate user, generally an insider, who accesses data, programs, or resources for which such access is not authorized, or who misuses authorized access. Misfeasor: A legitimate user, generally an insider, who accesses data, programs, or resources for which such access is not authorized, or who misuses authorized access.

5 Intruders Clandestine user: An individual, either an outsider or an insider, who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection Clandestine user: An individual, either an outsider or an insider, who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection

6 Examples of Intrusion  remote root compromise  web server defacement  guessing / cracking passwords  copying viewing sensitive data / databases  running a packet sniffer  distributing pirated software  using an unsecured modem to access net  impersonating a user to reset password  using an unattended workstation

7 Security Intrusion & Detection Security Intrusion a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so. Intrusion Detection a security service that monitors and analyzes system events for the purpose of finding, and providing real- time or near real-time warning of attempts to access system resources in an unauthorized manner.

8 Hackers  motivated by thrill of access and status hacking community a strong meritocracy hacking community a strong meritocracy status is determined by level of competence status is determined by level of competence  benign intruders might be tolerable do consume resources and may slow performance do consume resources and may slow performance can’t know in advance whether benign or malign can’t know in advance whether benign or malign  IDS / IPS / VPNs can help counter  awareness led to establishment of CERTs collect / disseminate vulnerability info / responses collect / disseminate vulnerability info / responses

9 Hacker Behavior Example 1. select target using IP lookup tools 2. map network for accessible services 3. identify potentially vulnerable services 4. brute force (guess) passwords 5. install remote administration tool 6. wait for admin to log on and capture password 7. use password to access remainder of network

10 Criminal Enterprise  organized groups of hackers now a threat corporation / government / loosely affiliated gangs corporation / government / loosely affiliated gangs typically young typically young often Eastern European or Russian hackers often Eastern European or Russian hackers common target credit cards on e-commerce server common target credit cards on e-commerce server  criminal hackers usually have specific targets  once penetrated act quickly and get out  IDS / IPS help but less effective

11 Criminal Enterprise Behavior 1. act quickly and precisely to make their activities harder to detect 2. exploit perimeter via vulnerable ports 3. use trojan horses (hidden software) to leave back doors for re-entry 4. use sniffers to capture passwords 5. do not stick around until noticed 6. make few or no mistakes.

12 Insider Attacks  among most difficult to detect and prevent  employees have access & systems knowledge  may be motivated by revenge / entitlement when employment terminated when employment terminated taking customer data when move to competitor taking customer data when move to competitor  IDS / IPS may help but also need: least privilege, monitor logs, strong authentication, termination process to block access & mirror data least privilege, monitor logs, strong authentication, termination process to block access & mirror data

13 Insider Behavior Example 1. create network accounts for themselves and their friends 2. access accounts and applications they wouldn't normally use for their daily jobs 3. e-mail former and prospective employers 4. conduct furtive instant-messaging chats 5. visit web sites that cater to disgruntled employees, such as f'dcompany.com 6. perform large downloads and file copying 7. access the network during off hours.

14 Intrusion Techniques  objective to gain access or increase privileges  initial attacks often exploit system or software vulnerabilities to execute code to get backdoor e.g. buffer overflow e.g. buffer overflow  or to gain protected information e.g. password guessing or acquisition e.g. password guessing or acquisition

15 Intrusion Detection Systems  Classification: Host-based IDS: monitor single host activity Host-based IDS: monitor single host activity Network-based IDS: monitor network traffic Network-based IDS: monitor network traffic  logical components: sensors - collect data sensors - collect data analyzers - determine if intrusion has occurred analyzers - determine if intrusion has occurred user interface - manage / direct / view IDS user interface - manage / direct / view IDS

16 IDS Principles  assume intruder behavior differs from legitimate users expect overlap as shown expect overlap as shown observe deviations observe deviations from past history problems of: problems of: false positivesfalse positives false negativesfalse negatives must compromisemust compromise

17 IDS Requirements  run continually Minimal human intervention Minimal human intervention  be fault tolerant Able to recover from crash Able to recover from crash  resist subversion Able to monitor itself and detect if itself has been modified Able to monitor itself and detect if itself has been modified  impose a minimal overhead on system  configured according to system security policies  adapt to changes in systems and users  scale to monitor large numbers of systems

18 IDS Requirements  provide graceful degradation of service If one component fails, the others are not badly affected If one component fails, the others are not badly affected  allow dynamic reconfiguration Ability to be reconfigured without the need to be restarted Ability to be reconfigured without the need to be restarted

19 Host-Based IDS  specialized software to monitor system activity to detect suspicious behavior primary purpose is to detect intrusions, log suspicious events, and send alerts primary purpose is to detect intrusions, log suspicious events, and send alerts can detect both external and internal intrusions can detect both external and internal intrusions  two approaches, often used in combination: anomaly detection - defines normal/expected behavior anomaly detection - defines normal/expected behavior threshold detectionthreshold detection profile basedprofile based signature detection - defines attack patterns signature detection - defines attack patterns

20 Audit Records  a fundamental tool for intrusion detection  two variants: native audit records - provided by O/S native audit records - provided by O/S always available but may not be optimumalways available but may not be optimum detection-specific audit records - IDS specific detection-specific audit records - IDS specific additional overhead but specific to IDS taskadditional overhead but specific to IDS task often log individual elementary actionsoften log individual elementary actions e.g. may contain fields for: subject, action, object, exception-condition, resource-usage, time-stampe.g. may contain fields for: subject, action, object, exception-condition, resource-usage, time-stamp

21 Anomaly Detection  threshold detection checks excessive event occurrences over time checks excessive event occurrences over time must determine both thresholds and time intervals must determine both thresholds and time intervals  profile based characterize past behavior of users / groups characterize past behavior of users / groups then detect significant deviations then detect significant deviations based on analysis of audit records based on analysis of audit records

22 Signature Detection  observe events on system and applying a set of rules to decide if intruder  approach: rule-based penetration/misuse identification rule-based penetration/misuse identification rules identify known penetrations / weaknessesrules identify known penetrations / weaknesses often by analyzing attack scripts from Internetoften by analyzing attack scripts from Internet supplemented with rules from security expertssupplemented with rules from security experts

23 Distributed Host-Based IDS

24  Host-based IDSs focused on single-system stand-alone facilities.  A more effective defense of a distributed collection of hosts supported by a LAN or internetwork can be achieved by coordination and cooperation among IDSs across the network.

25 Distributed Host-Based IDS  The overall architecture, which consists of three main components: Host agent module: An audit collection module operating as a background process on a monitored system. Its purpose is to collect data on security- related events on the host and transmit these to the central manager. Host agent module: An audit collection module operating as a background process on a monitored system. Its purpose is to collect data on security- related events on the host and transmit these to the central manager. LAN monitor agent module: Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results to the central manager. LAN monitor agent module: Operates in the same fashion as a host agent module except that it analyzes LAN traffic and reports the results to the central manager.

26 Distributed Host-Based IDS Central manager module: Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion. Central manager module: Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion.

27 Network-Based IDS  network-based IDS (NIDS) monitor traffic at selected points on a network monitor traffic at selected points on a network in (near) real time to detect intrusion patterns in (near) real time to detect intrusion patterns may examine network, transport and/or application level protocol activity directed toward systems may examine network, transport and/or application level protocol activity directed toward systems  comprises a number of sensors inline (possibly as part of other net device) inline (possibly as part of other net device) Might cause delay and confuse normal-abnormal trafficMight cause delay and confuse normal-abnormal traffic passive (monitors copy of traffic) - offline passive (monitors copy of traffic) - offline

28 Honeypots  are decoy systems filled with fabricated info filled with fabricated info instrumented with monitors / event loggers instrumented with monitors / event loggers divert and hold attacker to collect activity info divert and hold attacker to collect activity info without exposing production systems without exposing production systems  initially were single systems  more recently are/emulate entire networks

29 Honeypot Deployment

30 SNORT  lightweight IDS real-time packet capture and rule analysis real-time packet capture and rule analysis passive or inline passive or inline

31 SNORT Rules  use a simple, flexible rule definition language  with fixed header and zero or more options  header includes: action, protocol, source IP, source port, direction, dest IP, dest port  many options  example rule to detect TCP SYN-FIN attack: Alert tcp $EXTERNAL_NET any -> $HOME_NET any \ (msg: "SCAN SYN FIN"; flags: SF, 12; \ reference: arachnids, 198; classtype: attempted-recon;)

32 Summary  introduced intruders & intrusion detection hackers, criminals, insiders hackers, criminals, insiders  intrusion detection approaches host-based (single and distributed) host-based (single and distributed) Network Network  honeypots  SNORT example

Download ppt "Computer Security Intrusion Detection. Intruders  A significant security problem for networked systems is hostile/unwanted, trespass by users or software."

Similar presentations

Intrusion Detection CS461/ECE422 Spring 2012. Reading Material Chapter 8 of the text.

Intrusion Detection CS461/ECE422 Spring Reading Material Chapter 8 of the text.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 6 – Intrusion Detection.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 6 – Intrusion Detection.
Network Security Essentials Chapter 9 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Network Security Essentials Chapter 9 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Lecture 13 Intrusion Detection modified from slides of Lawrie Brown.

Lecture 13 Intrusion Detection modified from slides of Lawrie Brown.
Cryptography and Network Security Chapter 20 Intruders

Cryptography and Network Security Chapter 20 Intruders
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 8 “Intrusion Detection”.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 8 “Intrusion Detection”.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.

1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Lecture 14 Intrusion Detection

Lecture 14 Intrusion Detection
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Eng. Hector M Lugo-Cordero, MS April 2012 Intrusion Detection, Firewalls, and Intrusion Prevention CIS 4361.

Eng. Hector M Lugo-Cordero, MS April 2012 Intrusion Detection, Firewalls, and Intrusion Prevention CIS 4361.
Department Of Computer Engineering

Department Of Computer Engineering
CS 432 – Computer and Network Security Sabancı University

CS 432 – Computer and Network Security Sabancı University

Similar presentations

Ads by Google