Presentation is loading. Please wait.

Presentation is loading. Please wait.

Outline Introduction Characteristics of intrusion detection systems

Published byMildred Walters Modified over 5 years ago

Similar presentations

Presentation on theme: "Outline Introduction Characteristics of intrusion detection systems"— Presentation transcript:

1 Intrusion Detection Advanced Network Security Peter Reiher August, 2014

2 Outline Introduction Characteristics of intrusion detection systems
Some sample intrusion detection systems

3 Introduction Many mechanisms exist for protecting systems from intruders Access control, firewalls, authentication, etc. They all have one common characteristic: They don’t always work

4 Intrusion Detection Work from the assumption that sooner or later your security measures will fail Try to detect the improper behavior of the intruder who has defeated your security Inform the system or system administrators to take action

5 Why Intrusion Detection?
If we can detect bad things, can’t we simply prevent them? Possibly not: May be too expensive May involve many separate operations May involve things we didn’t foresee

6 For Example, Your intrusion detection system regards setting uid on root executables as suspicious Yet the system must allow the system administrator to do so If the system detects several such events, it becomes suspicious And reports the problem

7 Couldn’t the System Just Have Stopped This?
Perhaps, but - The real problem was that someone got root access The changing of setuid bits was just a symptom And under some circumstances the behavior is legitimate

8 Intrusions “any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource”1 Which covers a lot of ground Implying they’re hard to stop 1Heady, Luger, Maccabe, and Servilla, “The Architecture of a Network Level Intrusion Detection System,” Tech Report, U. of New Mexico, 1990.

9 Kinds of Intrusions External intrusions Internal intrusions

10 External Intrusions What most people think of
An unauthorized (usually remote) user trying to illicitly access your system Using various security vulnerabilities to break in The typical case of a hacker attack

11 Internal Intrusions An authorized user trying to gain privileges beyond those he should have Used to be most common case No longer the majority of problems But often the most serious ones More dangerous, because insiders have a foothold and know more

12 Information From 2010 Verizon Report1
Combines Verizon data with US Secret Service data Indicates external breaches still most common But insider attack components in 48% of all cases Some involved both insiders and outsiders 1

13 Basics of Intrusion Detection
Watch what’s going on in the system Try to detect behavior that characterizes intruders While avoiding improper detection of legitimate access At a reasonable cost

14 On-Line Vs. Off-Line Intrusion Detection
Intrusion detection mechanisms can be complicated and heavy-weight Perhaps better to run them off-line E.g., at nighttime Disadvantage is that you don’t catch intrusions as they happen

15 Failures In Intrusion Detection
False positives Legitimate activity identified as an intrusion False negatives An intrusion not noticed Subversion errors Attacks on the intrusion detection system

16 Tradeoffs in Failures Generally, decreasing false negatives (“I didn’t catch an attack”) Increases false positives (“I labeled legitimate activity as an attack”) And vice versa Not a hard and fast rule, but it usually works that way Subversion errors are different Merely bugs/flaws in the system Reduced by good coding and testing

17 Desired Characteristics in Intrusion Detection
Continuously running Fault tolerant Subversion resistant Minimal overhead Must observe deviations Easily tailorable Evolving Difficult to fool

18 Host Intrusion Detection
Run the intrusion detection system on a single computer Look for problems only on that computer Often by examining the logs of the computer

19 Advantages of the Host Approach
Lots of information to work with Only need to deal with problems on one machine Can get information in readily understandable form

20 Network Intrusion Detection
Do the same for a local (or wide) area network Either by using distributed systems techniques Or (more commonly) by sniffing network traffic

21 Advantages of Network Approach
Need not use up any resources on users’ machines Easier to properly configure for large installations Can observe things affecting multiple machines

22 Network Intrusion Detection and Data Volume
Lots of information passes on the network If you grab it all, you will produce vast amounts of data Which will require vast amounts of time to process

23 Network Intrusion Detection and Sensors
Use programs called sensors to grab only relevant data Sensors quickly examine network traffic Record the relevant stuff Discard the rest If you design sensors right, greatly reduces the problem of data volume

24 Wireless IDS Observe behavior of wireless network Generally 802.11
Look for problems specific to that environment E.g., attempts to crack WEP keys Usually doesn’t understand higher network protocol layers And attacks on them

25 Application-Specific IDS
An IDS system tuned to one application or protocol E.g., SQL Can be either host or network Typically used for machines with specialized functions Web servers, database servers, etc. Possibly much lower overheads than general IDS systems

26 Conclusion We can’t prevent all bad things
If we can’t prevent them, we need to detect our failures Intrusion detection systems perform this function We can use them to protect our networks

Download ppt "Outline Introduction Characteristics of intrusion detection systems"

Similar presentations

1. AGENDA History. WHAT’S AN IDS? Security and Roles Types of Violations. Types of Detection Types of IDS. IDS issues. Application.

1. AGENDA History. WHAT’S AN IDS? Security and Roles Types of Violations. Types of Detection Types of IDS. IDS issues. Application.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
Intrusion Detection System Marmagna Desai [ 520 Presentation]

Intrusion Detection System Marmagna Desai [ 520 Presentation]
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.

Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
Improving Intrusion Detection System Taminee Shinasharkey CS689 11/2/00.

Improving Intrusion Detection System Taminee Shinasharkey CS689 11/2/00.
Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.
HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life.

HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life.
Lecture 11 Page 1 CS 236 Online Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible –Good.

Lecture 11 Page 1 CS 236 Online Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible –Good.
SNORT Biopsy: A Forensic Analysis on Intrusion Detection System By Asif Syed Chowdhury.

SNORT Biopsy: A Forensic Analysis on Intrusion Detection System By Asif Syed Chowdhury.
Intrusion Detection System (IDS) Basics LTJG Lemuel S. Lawrence Presentation for IS-2010 13 Sept 2004.

Intrusion Detection System (IDS) Basics LTJG Lemuel S. Lawrence Presentation for IS Sept 2004.
Lecture 4 Page 1 CS 111 Online Modularity and Virtualization CS 111 On-Line MS Program Operating Systems Peter Reiher.

Lecture 4 Page 1 CS 111 Online Modularity and Virtualization CS 111 On-Line MS Program Operating Systems Peter Reiher.
Intrusion Detection System

Intrusion Detection System
Lecture 13 Page 1 CS 236 Online Styles of Intrusion Detection Misuse intrusion detection –Try to detect things known to be bad Anomaly intrusion detection.

Lecture 13 Page 1 CS 236 Online Styles of Intrusion Detection Misuse intrusion detection –Try to detect things known to be bad Anomaly intrusion detection.
Lecture 11 Page 1 CS 136, Fall 2014 Intrusion Detection Computer Security Peter Reiher November 18, 2014.

Lecture 11 Page 1 CS 136, Fall 2014 Intrusion Detection Computer Security Peter Reiher November 18, 2014.
Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.

Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.
Lecture 14 Page 1 CS 136, Fall 2010 Intrusion Detection Systems CS 136 Computer Security Peter Reiher November 16, 2010.

Lecture 14 Page 1 CS 136, Fall 2010 Intrusion Detection Systems CS 136 Computer Security Peter Reiher November 16, 2010.

Similar presentations

Ads by Google