Computer & Network Forensics


1 91.580.203 Computer & Network Forensics
Overview of Intrusion Detection/Prevention
Xinwen Fu

2 Outline
- What is intrusion detection
- Host, Network & Perimeter Detection
- The Emergence of Intrusion Prevention
- Real-World Examples
- Future Directions
By Dr. Xinwen Fu

3 A Big Picture of Cyber Space
[Diagram: Internet, TAMU, UML, Firewall, Intrusion Detection System, Router, Switch]

4 What is Intrusion Detection?
"a process of identifying and responding to malicious activity targeted at computing and networking resources"
[Diagram: incident response process]
- Pre-incident preparation
- Incident occurs: point-in-time or ongoing
- Detection of incidents
- Initial response
- Formulate strategy
- Investigate the incident: data collection, analysis
- Reporting
- Resolution, recovery, implement security measures
CSIRT: Computer Security Incident Response Team
A sensor (an analysis engine) is responsible for detecting intrusions. This sensor contains the decision-making mechanisms regarding intrusions.

5 A Brief History of Intrusion Detection
- 1970s – Rudimentary audit-trail analysis
- 1980s – Signature-based expert systems
- 1990s – Explosion of available IDS systems
- 2000s
  - Emergence of Active IDS
  - Intrusion Detection and Prevention (IDP)
  - Intrusion Prevention Systems (IPS)
  - Convergence of technologies: Firewall + IDP + Anti-Virus
  - Appliances and security switches
- Host => Network => Perimeter
Notes: Network-based IDSs can be signature-based or behavior-based. Signature-based IDSs rely on the fact that attacks have certain patterns, or signatures. Vendors update these IDSs much as antivirus software makers do: when new attacks are discovered, they are added to the signature base. This type is also called rules-based IDS (signature-based == rules-based).

6 A Sample Intrusion Detection System (IDS)
[Diagram]

7 Outline
- What is intrusion detection
- Host, Network & Perimeter Detection
- The Emergence of Intrusion Prevention
- Real-World Examples
- Future Directions

8 [Diagram: Internet, Mid-Continent, ComCast, TAMU, UML]

9 HIDS: Host-Based Intrusion Detection System
- HIDS resides on a single host system
- System analyzes:
  - Network packets entering and leaving the host
  - Audit trails and log files on the host
  - Processes and systems running on the host
- Recent advances in intrusion prevention:
  - Protocol enforcement
  - Stack enforcement
  - File checksum monitoring
- All these attempt to protect against exploitation of software vulnerabilities by buffer overflow or protocol anomalies

10 Buffer overflows
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buffer[512];
        /* No length check: an argument longer than 511 bytes overruns buffer. */
        if (argc > 1)
            strcpy(buffer, argv[1]);
        return 0;
    }

From the strcpy(3) manual page:
    char *strcpy(char *dest, const char *src);
DESCRIPTION
    The strcpy() function copies the string pointed to by src (including the terminating '\0' character) to the array pointed to by dest. The strings may not overlap, and the destination string dest must be large enough to receive the copy.

11 What is happening within your code?
- The stack is used to store local variables and the return address (where your function should return when it finishes)
- An attacker's input consists of:
  - malicious code
  - a new return address (pointing to the malicious code)

12 Where is the HIDS on the Internet?
[Diagram: Mid-Continent, ComCast, TAMU, UML]

13 NIDS: Network-Based Intrusion Detection System
- NIDS listens to the entire network segment
- System analyzes:
  - Network packets passing along the network cable
  - Audit trails and log files sent to the NIDS by hosts
  - Processes and systems running on the network hosts
- Recent advances in intrusion prevention:
  - "Active" rules to shut down connections
  - "Integration" with firewalls to disable attackers
  - "Data mining" to summarize the events

14 Where is the NIDS on the Internet?
[Diagram: Mid-Continent, ComCast, TAMU, UML]

15 PIDS: Perimeter-Based Intrusion Detection System
- PIDS resides on a gateway/edge router
- System analyzes:
  - Network packets passing through the gateway
  - Audit trails and log files on the gateway
  - Processes and systems running on the gateway
- Recent advances in intrusion prevention:
  - Actively blocking known malicious attacks
  - Zero-latency blocking

16 Where is PIDS on the Internet?
[Diagram: Mid-Continent, Prairiewave, TAMU, DSU]

17 Outline
- What is intrusion detection
- Host, Network & Perimeter Detection
- The Emergence of Intrusion Prevention
- Real-World Examples
- Future Directions

18 Throughput - Real-Time Intrusion Detection
- Current technology can perform at gigabit speeds
- To exceed that speed, there are various options:
  - Software
    - Signature sets, based on protocol
    - Optimization; reduction in the requirement to scan
  - Hardware
    - Co-processor chips: ASIC (application-specific integrated circuit) or others
    - Faster main processors
- This is important for host and network IDP
- But for perimeter IDP, how fast is your ISP link?

19 The Emergence of Intrusion Prevention
- If you detect an attack and know it's an attack, it seems sensible to block it
- However, three problems are apparent:
  - False positives (false alarms) – blocking normal traffic
  - Denial of service – blocking spoofed hosts
  - Latency – delays in blocking limit effectiveness
- Evolution of the technology, and the merging of firewall and IDP functionality, is solving these problems

20 A Big Picture of Intrusion Detection and Prevention Being Together
[Diagram]

21 Outline
- What is intrusion detection
- Host, Network & Perimeter Detection
- The Emergence of Intrusion Prevention
- Real-World Examples
- Future Directions

22 SQL Slammer Worm
The fastest Internet worm in history
Time line:
- July 24th 2002, Microsoft announced the vulnerability
- January 25th 2003, SQL Slammer worm unleashed; 05:29:36 GMT first detection
- It infected more than 90 percent of vulnerable hosts within 10 minutes
The worm:
- 376 byte viral payload in a single UDP packet
- Infects machines with a single packet over UDP/1434
- UDP is a broadcast protocol: possible to infect multiple hosts with 1 packet

23 Hosts infected With Slammer
[Animation] A before-and-after animation showing the number of infected Sapphire (Slammer) hosts in a half-hour period between 05:29 UTC and 06:00 UTC.

24 How to stop SQL Slammer?
- Patch
- Firewall / VPN:
  - Block UDP/1434 (inbound and outbound)
  - Use a VPN for access to sensitive services
- Intrusion Detection and Prevention:
  - UDP/1434 is a well-known protocol: well-known vulnerability, 6 months before the exploit
  - IDP signatures can detect and block exploits of this vulnerability
  - The size of the packet is anomalous behavior
  - Zero-latency active IDS/IDP is the only way of blocking this worm
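The two IDP checks this slide describes for Slammer, a signature on UDP/1434 and a check on the anomalous datagram size, together with the active response and the spoofing caveat from slide 19, as an added example that is not code from the lecture. Packets are represented as small dicts constructed here rather than captured traffic; the 376-byte payload is filler bytes, not worm content, and the 64-byte "normal" threshold is an assumption for the demo.

```python
"""Signature plus size-anomaly detection of Slammer-style datagrams with an
inline (zero-latency) active response. Added example for slides 19 and 24;
not code from the lecture. Packets are constructed dicts, not captures."""

# Signature in the spirit of an IDS rule: protocol, destination port, payload size.
SLAMMER_SIGNATURE = {"proto": "udp", "dport": 1434, "payload_len": 376}

# Normal SQL Server Resolution Service requests on UDP/1434 are tiny; anything
# above this is treated as anomalous. Assumed threshold for the demo.
NORMAL_MAX_PAYLOAD = 64


def matches_signature(pkt, sig=SLAMMER_SIGNATURE):
    """Exact-size signature match: the 376-byte single-packet worm."""
    return (pkt["proto"] == sig["proto"]
            and pkt["dport"] == sig["dport"]
            and len(pkt["payload"]) == sig["payload_len"])


def is_size_anomaly(pkt):
    """Oversized UDP/1434 datagram that no signature knows about yet."""
    return (pkt["proto"] == "udp" and pkt["dport"] == 1434
            and len(pkt["payload"]) > NORMAL_MAX_PAYLOAD)


def inspect(pkt):
    """Verdict for one packet: ('drop' | 'forward', reason)."""
    if matches_signature(pkt):
        return "drop", "signature: Slammer-sized UDP/1434 datagram"
    if is_size_anomaly(pkt):
        return "drop", "anomaly: oversized UDP/1434 datagram"
    return "forward", ""


def run_idp(packets):
    """Inline IDP loop: each packet is decided before it is forwarded.

    The response is per packet. The offending datagram is dropped, but the
    source address is deliberately never put on a blocklist: a UDP source can
    be spoofed, so blocking sources would let an attacker deny service to
    legitimate hosts (the denial-of-service problem from slide 19).
    """
    forwarded, alerts = [], []
    for pkt in packets:
        verdict, reason = inspect(pkt)
        if verdict == "drop":
            alerts.append({"src": pkt["src"], "reason": reason})
        else:
            forwarded.append(pkt)
    return forwarded, alerts


# Constructed sample traffic: a normal 1-byte SSRS query, a 376-byte datagram
# (filler bytes, not worm content), a 200-byte datagram, and unrelated DNS.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "proto": "udp", "dport": 1434, "payload": b"\x02"},
    {"src": "198.51.100.7", "proto": "udp", "dport": 1434, "payload": b"A" * 376},
    {"src": "10.0.0.9", "proto": "udp", "dport": 1434, "payload": b"B" * 200},
    {"src": "10.0.0.5", "proto": "udp", "dport": 53, "payload": b"\x00" * 40},
]

if __name__ == "__main__":
    fwd, al = run_idp(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)} packets, raised {len(al)} alerts")
    for a in al:
        print(a)
```

The size check is what would have caught the worm on the day it appeared, six months after the vulnerability was announced but before any signature for the exploit existed; the exact-length signature is the cheap check added once the worm is known. Both are evaluated per packet, which is what "zero latency" means here: there is no after-the-fact connection teardown, because a single datagram is the whole attack.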

25 Outline
- What is intrusion detection
- Host, Network & Perimeter Detection
- The Emergence of Intrusion Prevention
- Real-World Examples
- Future Directions

26 Future Directions
What do you think?

27 Intrusion Detection Approach
IDS Classification:
- Intrusion detection approach
  - Anomaly detection
  - Signature detection
- Protected systems
  - HIDS
  - NIDS
  - Hybrids
- Structure
  - Centralized system
  - Distributed system
  - Agent system
- Data sources
  - Audit trail
  - Network packets
  - System state analysis (kernel, services, file, etc.)
- Behavior after an attack
  - Active IDS
  - Passive IDS
- Analysis timing
  - On-the-fly processing
  - Interval based IDS

28 Terms
- Anomaly detection: explores issues in intrusion detection associated with deviations from normal system or user behavior
- Signature detection: discriminates between anomaly or attack patterns (signatures) and known intrusion detection signatures (also called rules-based detection)
- HIDS: uses information derived from a single host
- NIDS: exploits information obtained from a whole segment of a local network
- Passive IDS: simply generates alerts and logs network packets
- Active IDS: detects and responds to attacks; attempts to patch software holes before getting hacked, or acts proactively by logging out potential intruders or blocking services
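Anomaly detection and the passive/active distinction from the terms above, as an added example that is not code from the lecture. A baseline of normal behaviour (datagrams sent per 10-second interval by each host) is learned from a training window, and later intervals are scored by how many standard deviations they sit above that host's mean. All counts, host names and the 3-sigma threshold are constructed assumptions for the demo.

```python
"""Anomaly detection over per-host traffic rates, illustrating the 'Terms'
slide. Added example, not code from the lecture. Training counts and the
observed interval are constructed, not measured."""
import statistics

SIGMA_THRESHOLD = 3.0   # assumed: flag intervals more than 3 sigma above the mean


def learn_baseline(training):
    """training: {host: [count, ...]} -> {host: (mean, stdev)}.

    A floor of 1.0 on the standard deviation keeps a perfectly steady host
    from producing a huge z-score on its first small fluctuation.
    """
    baseline = {}
    for host, counts in training.items():
        mean = statistics.fmean(counts)
        stdev = statistics.pstdev(counts) if len(counts) > 1 else 0.0
        baseline[host] = (mean, max(stdev, 1.0))
    return baseline


def score(baseline, host, count):
    """z-score of an observed count against the host's baseline; None if unknown."""
    if host not in baseline:
        return None
    mean, stdev = baseline[host]
    return (count - mean) / stdev


def detect(baseline, observations, mode="passive"):
    """Score one interval of observations {host: count}.

    mode='passive': alert and log only, the behaviour of a passive IDS.
    mode='active':  additionally list the hosts whose traffic would be blocked.
    Hosts with no baseline are reported as unknown rather than scored, since
    there is nothing to compare them against (a classic source of false
    positives when new systems appear).
    """
    alerts, blocked, unknown = [], [], []
    for host, count in observations.items():
        z = score(baseline, host, count)
        if z is None:
            unknown.append(host)
        elif z > SIGMA_THRESHOLD:
            alerts.append((host, count, round(z, 1)))
            if mode == "active":
                blocked.append(host)
    return {"alerts": alerts, "blocked": blocked, "unknown": unknown}


# Constructed training data: datagrams per 10 s interval during a quiet hour.
TRAINING = {
    "db-01": [12, 10, 11, 13, 12, 11, 10, 12],
    "web-01": [40, 38, 44, 41, 39, 42, 40, 43],
}

# Constructed observation: db-01 suddenly sprays datagrams (worm-like),
# web-01 is within its normal range, and a never-seen host appears.
OBSERVED = {"db-01": 900, "web-01": 45, "lab-17": 30}

if __name__ == "__main__":
    base = learn_baseline(TRAINING)
    print("passive:", detect(base, OBSERVED))
    print("active: ", detect(base, OBSERVED, mode="active"))
```

No signature is involved, which is why a model like this can react to a worm whose payload has never been seen; the price is that any legitimate change in usage (a backup job, a new server) also crosses the threshold, which is the false-positive problem the prevention slides warn about.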


30 Cat with Boots
[Image]

