Ch.22 INTRUSION DETECTION

Presentation on theme: "Ch.22 INTRUSION DETECTION"— Presentation transcript:

1 Ch.22 INTRUSION DETECTION
이상일

2 Principles
Systems that are not under attack exhibit the following properties:
1. Actions conform to a statistically predictable pattern.
2. Actions do not subvert the security policy.
3. Actions conform to specifications describing what actions are allowed.

3 Basic Intrusion Detection
Attack tool: an automated script designed to violate a security policy.
Attack tools do not fundamentally change the nature of intrusion detection.

4 Goals of Intrusion Detection
Detect a wide variety of intrusions.
Detect intrusions in a timely fashion.
Present the analysis in a simple, easy-to-understand format.
Be accurate.

5 Models
Anomaly modeling
Misuse modeling
Specification modeling

6 Anomaly modeling
Analyze a set of characteristics of the system.
Compare their behavior with a set of expected values.
Report when the computed statistics do not match the expected measurements.

7 Anomaly modeling
Threshold metric: a minimum and maximum number of occurrences are expected.
Statistical moments: mean, standard deviation and other measures of correlation.
Markov model: based on the notion of system state and the transitions between states.
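The three anomaly-modeling metrics on this slide, as an added example (not code from the presentation or from Bishop's text); the login counts and command sessions are constructed sample data, and the names `threshold_alarm`, `moments_alarm`, `train_markov` and `markov_alarm` are this example's own.

```python
# Added example: threshold, statistical-moment and Markov anomaly metrics.
import math
from collections import Counter

def threshold_alarm(count, minimum, maximum):
    """Threshold metric: alarm when the observed count of an event
    falls outside the expected [minimum, maximum] range."""
    return count < minimum or count > maximum

def moments_alarm(history, observed, k=2.0):
    """Statistical moments: alarm when `observed` lies more than k
    standard deviations from the mean of the training history."""
    n = len(history)
    mean = sum(history) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in history) / n)
    if std == 0:                      # flat history: any change is anomalous
        return observed != mean
    return abs(observed - mean) / std > k

def train_markov(sequences):
    """Markov model: estimate P(next | current) from training sequences
    of system states (here command names). Returns {(a, b): prob}."""
    pairs, totals = Counter(), Counter()
    for seq in sequences:
        for a, b in zip(seq, seq[1:]):
            pairs[(a, b)] += 1
            totals[a] += 1
    return {(a, b): c / totals[a] for (a, b), c in pairs.items()}

def markov_alarm(model, seq, floor=0.1):
    """Return the transitions in `seq` whose estimated probability is
    below `floor`; a transition never seen in training has probability 0."""
    return [(a, b) for a, b in zip(seq, seq[1:])
            if model.get((a, b), 0.0) < floor]

# Constructed sample data (not real measurements).
FAILED_LOGINS_PER_DAY = [2, 1, 3, 2, 2, 4, 1, 2]   # historical daily counts
NORMAL_SESSIONS = [
    ["login", "ls", "cd", "vi", "make", "logout"],
    ["login", "ls", "vi", "make", "logout"],
    ["login", "cd", "ls", "vi", "make", "logout"],
]
```

With this data, 9 failed logins in a day trips both the threshold (0..5) and the moments test, and a session `login, ls, cp, chmod, logout` produces three never-seen transitions under the Markov model.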

8 Misuse Modeling
Detection determines whether a sequence of instructions being executed is known to violate the site security policy. If so, it reports a potential intrusion.

9 Misuse Modeling
IDIOT system: audit log monitoring.
STAT system: tracks the actual state of the system and the changes to it.

10 Specification Modeling
Determines whether or not a sequence of instructions violates a specification of how a program, or system, should execute. If so, it reports a potential intrusion.

11 Architecture
A, B, C: general-purpose computers.
N: network monitor; reports data to the director.

12 Agent
An agent obtains information from a data source (log file, process, network).
Goal: provide the director with information.

13 Agent
Host-based information gathering: use system and application logs to obtain a record of events, and analyze them.
Network-based information gathering: use a device and software to monitor network traffic.
Combining sources: two agents can report to the director, and the director can draw conclusions from analyzing the combined information.

14 Director
Eliminates unnecessary and redundant records.
Uses an analysis engine to determine if an attack is underway.
The director may use aspects of machine learning or planning.
Generally, the director uses several techniques.

15 Notifier
Accepts information from the director.
Takes the appropriate action (intrusion response).

16 Organization of Intrusion Detection Systems
Monitoring network traffic for intrusions: NSM
Combining host and network monitoring: DIDS
Autonomous agents: AAFID

17 NSM (Network Security Monitor)
Monitors network traffic for intrusions.
Monitors source, destination and network traffic.
Assigns a unique ID to each connection.

18 NSM (Network Security Monitor)
Uses a traffic matrix, which allowed a simple signature-based scheme to look for misuse, together with specific rules.
1. NSM served as the basis for a large number of intrusion detection systems.
2. NSM proved that performing intrusion detection on a network was practical.
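An NSM-style connection matrix with a simple signature check, covering slides 17 and 18, as an added example (not NSM's code): connections are keyed by (source, destination, service) and given a unique ID, then compared against a baseline matrix. The packet records, the `BASELINE` matrix and the fan-out rule are constructed for the example; `build_matrix` and `check_matrix` are this example's own names.

```python
# Added example: NSM-style connection matrix plus signature rules.
from collections import defaultdict
from itertools import count

# Constructed packet records: (src_host, dst_host, dst_port).
PACKETS = [
    ("A", "B", 25), ("A", "B", 25), ("C", "B", 80), ("A", "C", 80),
    ("X", "A", 23), ("X", "B", 23), ("X", "C", 23), ("X", "A", 512),
]
# Constructed baseline matrix: services each (src, dst) pair normally uses.
BASELINE = {("A", "B"): {25}, ("C", "B"): {80}, ("A", "C"): {80}}

def build_matrix(packets):
    """Group packets into connections keyed by (src, dst, service) and
    assign each new connection a unique integer ID, as NSM did."""
    ids = count(1)
    matrix = {}
    for src, dst, port in packets:
        key = (src, dst, port)
        if key not in matrix:
            matrix[key] = {"id": next(ids), "packets": 0}
        matrix[key]["packets"] += 1
    return matrix

def check_matrix(matrix, baseline, fanout_limit=2):
    """Two signature rules over the matrix: flag a connection whose
    service was never seen for that (src, dst) pair in the baseline, and
    flag a source contacting more distinct hosts than fanout_limit."""
    alerts = []
    dests = defaultdict(set)
    for (src, dst, port), conn in matrix.items():
        dests[src].add(dst)
        if port not in baseline.get((src, dst), set()):
            alerts.append(("unexpected-service", conn["id"], src, dst, port))
    for src, hosts in dests.items():
        if len(hosts) > fanout_limit:
            alerts.append(("fan-out", src, len(hosts)))
    return alerts
```

On the sample data the four connections from host X are each flagged as unexpected services, and X is additionally flagged for contacting three distinct hosts.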

19 DIDS (Distributed Intrusion Detection System)
Combining host and network monitoring.
DIDS used a centralized analysis engine and required that agents be placed on the systems being monitored.
Problem: tracking an intruder whose identity changes as they move from host to host.

20 DIDS (Distributed Intrusion Detection System)
The expert system's six layers:
1. Log records: all events are visible.
2. Abstract the relevant information from the log records.
3. Define a subject that captures all events associated with a single user.
4. Add contextual information.
5. Deal with network threats, which are combinations of events in context.
6. Assign a score, 1 to 100, representing the security state of the network.

21 AAFID (Autonomous Agents For Intrusion Detection)
An autonomous agent is a process that can act independently of the system of which it is a part.
AAFID is based on the cooperation of the agents. Each agent has its own internal model.

22 AAFID (Autonomous Agents For Intrusion Detection)
If one agent is compromised, the others can continue.
Agents are kept small and simple.
Drawback: the overhead of communication among agents, and the attendant increase in system overhead. Communication must be secured.

23 Intrusion Response
The goal is to handle the attack so that damage is minimized.
1. Incident prevention
2. Intrusion handling

24 Incident Prevention
Ideally, the attack is detected and stopped before the intrusion succeeds.
This involves closely monitoring the system.
The attack must be identified before it completes.
Multilevel systems are an excellent place to apply this.
Anomaly-based methods can detect attacks in real time.

25 Intrusion Handling: six phases
Preparation for an attack
Identification of the attack
Containment of the attack
Eradication of the attack
Recovery from the attack
Follow-up to the attack

26 Containment phase
Two approaches:
1. Passively monitoring the attack: simply record the attacker's actions.
2. Constraining access: confine the data or resources the attacker can reach.

27 Eradication phase
Eradication means stopping the attack.
Deny access or terminate the process.
Wrapper: placed around suspected targets; the wrapper can control access.
Firewall: sits between an internal network and external networks and controls access between them.
IDIP protocol: a protocol for coordinated responses to attacks.

28 Follow-up phase
Counterattacking:
1. A legal mechanism
2. A technical attack
Considerations:
1. The counterattack may harm an innocent party.
2. The counterattack may have side effects.
3. Counterattacking is antithetical to the shared use of a network.
4. The counterattack may be legally actionable.
