
1 IDS Survey Based on Two Surveys
References: 1. Stefan Axelsson, "Intrusion Detection Systems: A Survey and Taxonomy" (main reference for these slides). 2. Anita K. Jones and Robert S. Sielken, "Computer System Intrusion Detection: A Survey". 11/27/2018 CS795

2 Why Develop a Taxonomy
Description of the field: useful for understanding complex phenomena; organizes knowledge so that threads become clearer and easier to grasp; makes it easier to assess and compare "new" knowledge.
Prediction: exposes holes in the knowledge space, new threads and directions, and the potential for combining threads.
Explanation: derives underlying representations that assist in understanding the phenomena.

3 Perimeter Defense
Firewalls and IPS are used to defend the perimeter. The objective is to keep the bad guys out: intrusion avoidance, by a better or strengthened perimeter, as with moats and old city walls. How complex is this problem?
An IDS instead focuses on detecting an intrusion, raising an alarm and undertaking remedial action. It is an add-on component, not a replacement for the firewall and IPS: defense in depth.

4 Types of Intrusions
Stealing credentials (the masquerader). Misuse of privileges. Pre-packaged exploitation scripts.
Definition of an intrusion? Unauthorized actions, whether willful or accidental. The typical IDS response is passive.

5 Anatomy of a Hack
Manual approach:
Identify target: foot print analysis (Whois, NSLookup, search engines); enumeration; scanning of machines, ports and applications. Analyze publicly available information, set the scope of the attack and identify key targets. Check for vulnerabilities on each target.
Exploitation: buffer overflow, spoofing, password attacks, DoS. Attack targets using a library of tools and techniques.
Damage: "owning", IP theft, blackmail, graffiti, espionage, destruction.
Automated approach:
Identify target: foot print analysis (Whois, NSLookup, search engines); enumeration; automated scanning of machines, ports and applications.
Install malicious code: deliver the payload (custom Trojan, rootkit).
Hack other machines: attack further targets using the installed software; take over the domain controller.
Damage: "owning", IP theft, blackmail, graffiti, espionage, destruction.
Source: Richard Stiennon, May 2006.

6 Insider Attacks
Anderson: masqueraders; clandestine users, who evade the audit controls; legitimate users who misuse their access.
Combs: internal users with accounts; internal users who are in the physical space but have no accounts.

7 Anatomy of an Insider Attack
Reconnaissance (manual approach): understand the business process; determine who has the credentials.
Plant a keystroke logger or sniffer: install a hardware or software keystroke logger; steal credentials.
Execution: move funds, ship products, steal data, plant a time bomb.
Escape: fly to the Cayman Islands.

8 Underlying Principles
Anomaly detection: flag unexpected (abnormal) behavior and accept behavior that is close to the accepted norm. The false alarm rate is likely to be high when a high probability of detection is required.
Signature detection: relies on a well defined security policy, which may not be available, and is unable to detect intrusions whose signatures are not available.
An IDS relies on an audit of the system, especially its logs. It provides alerts; identifying the causes of the alarms remains the operator's job.

9 Two Components
Detectors are classified along two axes: the detection principle, i.e. the source of the evidence (what an intruder does: actions or activity), and the principles of operation (system characteristics). One approach to the first axis is to study intrusions.

10 Intrusion Detection Principles
Anomaly detection: characterize normal behavior; uncertainty about where normal ends leads to false alarms. Signature detection. Compound detectors.
(Figure: the behavior space divided into NORMAL, uncertain and ANOMALOUS regions.)

11 Anomaly Detection
Look for abnormalities: deviation from normal or expected behavior. The focus is on defining normal behavior for computer X, user Y, etc. How to characterize these behaviors? This shifts the focus away from intrusion scenarios: define norms and measure the distance from normal.
Static: the parts of the system that should not change (the focus is software): system code and static data. Dynamic: sequences of different events, taken from audit logs.

12 Static Anomaly Detection
Tripwire: a file integrity checker based on signatures (cryptographic digests) and Unix file metadata. A baseline database holds one record per file, including its signature; the signatures are periodically recomputed and compared with the baseline.
Virus checker: a database of strings, each a short fragment of virus code; an exact match indicates a virus infection. [2]
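The Tripwire-style checker on this slide, as an added example that is not the slides' or Tripwire's own code: it takes a baseline of every regular file under a directory (SHA-256 digest plus the Unix metadata Tripwire also records: permission bits, size, mtime) and reports files that were changed, added or removed since the baseline. Digest, metadata fields and the demo directory tree are choices made for the example.

```python
"""Tripwire-style static anomaly detection (added example, not Tripwire's code)."""
import hashlib
import os
import stat
from typing import Dict


def file_record(path: str) -> Dict[str, object]:
    """One baseline record per file: content digest plus inode metadata."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }


def build_baseline(root: str) -> Dict[str, Dict[str, object]]:
    """Walk `root` and record every regular file, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):  # skip symlinks, devices
                baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def compare(baseline: Dict[str, Dict[str, object]],
            current: Dict[str, Dict[str, object]]) -> Dict[str, str]:
    """Return {relative path: reason} for every deviation from the baseline.

    Content is checked by digest first, so a modified file whose mtime the
    attacker reset is still reported; metadata-only changes (chmod, touch)
    are reported separately.
    """
    findings = {}
    for path, rec in baseline.items():
        cur = current.get(path)
        if cur is None:
            findings[path] = "removed"
        elif cur["sha256"] != rec["sha256"]:
            findings[path] = "content changed"
        elif cur["mode"] != rec["mode"]:
            findings[path] = "mode changed"
        elif cur["mtime"] != rec["mtime"]:
            findings[path] = "mtime changed"
    for path in current:
        if path not in baseline:
            findings[path] = "added"
    return findings


if __name__ == "__main__":
    # Stand-alone demo on a constructed directory tree.
    import tempfile

    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "w") as fh:
        fh.write("original binary\n")
    base = build_baseline(root)  # keep the baseline off-host or read-only
    with open(os.path.join(root, "bin", "ls"), "w") as fh:
        fh.write("trojaned binary\n")
    with open(os.path.join(root, "rootkit.ko"), "w") as fh:
        fh.write("x\n")
    for path, reason in sorted(compare(base, build_baseline(root)).items()):
        print(f"{reason:16} {path}")
```

The baseline is only as trustworthy as its storage: an attacker who can rewrite the baseline database alongside the files defeats the comparison, which is why the baseline belongs on read-only or off-host media.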

13 Dynamic Anomaly Detection
A base profile characterizes the normal behavior of entities: users, workstations, remote hosts, etc. Behavior is recorded in multiple dimensions for each entity: preferred choices (log-in times, log-in location, favorite editor); resources consumed cumulatively or per unit time (session duration, number of messages transmitted per unit time); representative sequences of actions, e.g. system or procedure calls. The profile is built incrementally, and the norm is used to classify behavior. [2]

14 Anomaly Detection: Characterizing Normal Behavior
Self-learning systems use examples of normal behavior, collected at installation, to learn the profile. Non-time-series: a static probabilistic model, or a rule-based model that characterizes the traffic with a number of rules; build system profiles, determine parameter values for the system variables, measure the distance from the norm and classify as normal or anomalous. Time-series models: artificial neural networks (ANNs), which are examples of black-box modeling.

15 Characterizing Normal Behavior
Programmed systems use descriptive statistics to profile normal statistical behavior: number of unsuccessful logins, number of network connections. The simple statistics are used as input to more abstract decision making: rules derived by the user or programmer, and thresholds (possibly a range).
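The dynamic profile of slide 13 and the descriptive-statistics thresholds of slide 15, combined in one added example that is not from the slides or either survey: a per-user norm (hours and source addresses of successful logins, failed logins per day) is built from a training window of audit records, and a new day's records are scored against it. The log format, the users and every log line are constructed for the example; the mean + k*sigma threshold is the choice made here, not a rule the slides prescribe.

```python
"""Dynamic anomaly detection from an audit log (added example, not from the slides)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed record format: "<ISO timestamp> user=<name> event=<login_ok|login_fail> src=<addr>"
LINE = re.compile(r"^(\S+) user=(\w+) event=(login_ok|login_fail) src=(\S+)$")

# Constructed training window: alice works 08:00-10:00 from one workstation
# with an occasional mistyped password; bob logs in at 13:00 from another.
TRAINING = [
    "2018-11-19T08:55:01 user=alice event=login_ok src=10.0.0.5",
    "2018-11-20T09:02:11 user=alice event=login_fail src=10.0.0.5",
    "2018-11-20T09:02:30 user=alice event=login_ok src=10.0.0.5",
    "2018-11-21T08:47:19 user=alice event=login_ok src=10.0.0.5",
    "2018-11-22T09:31:00 user=alice event=login_fail src=10.0.0.5",
    "2018-11-22T09:31:20 user=alice event=login_ok src=10.0.0.5",
    "2018-11-23T10:05:42 user=alice event=login_ok src=10.0.0.5",
    "2018-11-19T13:10:00 user=bob event=login_ok src=10.0.0.9",
    "2018-11-20T13:04:12 user=bob event=login_ok src=10.0.0.9",
    "2018-11-21T13:15:33 user=bob event=login_ok src=10.0.0.9",
    "2018-11-22T13:01:07 user=bob event=login_ok src=10.0.0.9",
]

# Constructed day to classify: alice's account used at 03:00 from an outside
# address after a burst of failures; bob is normal; mallory has no profile.
NEW_DAY = [
    "2018-11-26T03:14:02 user=alice event=login_fail src=203.0.113.7",
    "2018-11-26T03:14:09 user=alice event=login_fail src=203.0.113.7",
    "2018-11-26T03:14:17 user=alice event=login_fail src=203.0.113.7",
    "2018-11-26T03:14:26 user=alice event=login_fail src=203.0.113.7",
    "2018-11-26T03:14:40 user=alice event=login_fail src=203.0.113.7",
    "2018-11-26T03:15:10 user=alice event=login_ok src=203.0.113.7",
    "2018-11-26T13:22:05 user=bob event=login_ok src=10.0.0.9",
    "2018-11-26T07:40:00 user=mallory event=login_ok src=10.0.0.5",
]


def parse(lines: Iterable[str]):
    """Yield (timestamp, user, event, src); malformed records are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts, user, event, src = m.groups()
            yield datetime.fromisoformat(ts), user, event, src


def build_profile(lines: Iterable[str]) -> Dict[str, dict]:
    """Per-user norm: hours and sources of successful logins, failures per day."""
    hours, hosts = defaultdict(set), defaultdict(set)
    fails = defaultdict(lambda: defaultdict(int))  # user -> day -> failures
    for ts, user, event, src in parse(lines):
        fails[user][ts.date()] += int(event == "login_fail")  # registers the day even at 0
        if event == "login_ok":
            hours[user].add(ts.hour)
            hosts[user].add(src)
    profile = {}
    for user, per_day in fails.items():
        counts = list(per_day.values())
        profile[user] = {"hours": hours[user], "hosts": hosts[user],
                         "fail_mean": statistics.mean(counts),
                         "fail_sd": statistics.pstdev(counts)}
    return profile


def classify(profile: Dict[str, dict], lines: Iterable[str], k: float = 3.0) -> Dict[str, List[str]]:
    """Return {user: reasons} for users whose new events deviate from their norm."""
    reasons = defaultdict(list)
    fails = defaultdict(lambda: defaultdict(int))
    for ts, user, event, src in parse(lines):
        norm = profile.get(user)
        if norm is None:
            if "no profile for user" not in reasons[user]:
                reasons[user].append("no profile for user")
            continue
        fails[user][ts.date()] += int(event == "login_fail")
        if event == "login_ok":
            if ts.hour not in norm["hours"]:
                reasons[user].append(f"login at hour {ts.hour} outside profile")
            if src not in norm["hosts"]:
                reasons[user].append(f"login from unseen source {src}")
    for user, per_day in fails.items():
        norm = profile[user]
        threshold = norm["fail_mean"] + k * norm["fail_sd"]  # mean + k sigma
        for day, n in per_day.items():
            if n > threshold:
                reasons[user].append(f"{n} failed logins on {day} exceed threshold {threshold:.2f}")
    return dict(reasons)


if __name__ == "__main__":
    for user, why in classify(build_profile(TRAINING), NEW_DAY).items():
        print(user, why)
```

With only a few days of training data the standard deviation is tiny, so the threshold sits close to the mean and a single bad day trips it; that is the high false-alarm side of anomaly detection that slide 8 warns about, and in practice the profile keeps being updated incrementally, as slide 13 says.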

16 Characterizing Normal Behavior
Default deny: describe normal behavior by a state transition model; if the observed transitions do not conform to the model, raise an alert.

17 Signature Detection
Model the intrusive process and determine the traces it leaves in the system; the background traffic of normal behavior is ignored. Programmed, with a default permit security policy.
State modeling: define the intrusive states and the transitions between them; if the chain of states is traversed, an intrusion is flagged. Petri nets are used for more complex environments: tree structures with potentially several start points.
Expert systems: forward chaining systems that incorporate new facts from audits or detector input.
String matching: rather inflexible.
Simple rule-based systems: less scope than expert systems, lower computational cost.
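The two state-transition models of slides 16 and 17 side by side, as an added example that is not from the slides or the surveys. One event stream from a server process is run through a normal-behavior model that alerts on any transition it does not list (default deny, slide 16) and through an intrusive-chain signature that alerts only when the whole chain recv -> execve -> setuid has been traversed (default permit, slide 17). The event names, the allowed graph, the chain and the three sample streams are all constructed for the example.

```python
"""State-transition detection: default deny vs. signature (added example, not from the slides)."""
from typing import Dict, List, Tuple

# Normal-behavior model of a request-serving loop: (state, event) -> next state.
# Any (state, event) pair that is not listed is a non-conforming transition.
NORMAL: Dict[Tuple[str, str], str] = {
    ("idle", "accept"): "connected",
    ("connected", "recv"): "request",
    ("request", "open"): "serving",
    ("serving", "read"): "serving",
    ("serving", "send"): "connected",
    ("connected", "close"): "idle",
}

# Intrusive chain: the ordered states the modeled attack passes through.
# Events that are not in the chain are background traffic and are ignored.
SIGNATURE: List[str] = ["recv", "execve", "setuid"]

# Constructed event streams: a clean request, the modeled attack with
# background events interleaved, and an attack the signature does not know.
BENIGN = ["accept", "recv", "open", "read", "read", "send", "close"]
KNOWN_ATTACK = ["accept", "recv", "open", "execve", "read", "setuid", "send"]
NOVEL_ATTACK = ["accept", "recv", "open", "read", "fork", "send", "close"]


def check_normal(events: List[str], start: str = "idle") -> List[str]:
    """Default deny: alert on every event the normal model does not allow.

    After a violation the model keeps its current state, so it stays in
    sync with the process when the unexpected event was a one-off.
    """
    alerts, state = [], start
    for i, ev in enumerate(events):
        nxt = NORMAL.get((state, ev))
        if nxt is None:
            alerts.append(f"event {i}: {ev!r} not allowed in state {state!r}")
        else:
            state = nxt
    return alerts


def check_signature(events: List[str], chain: List[str] = SIGNATURE) -> List[str]:
    """Default permit: alert only when the full intrusive chain is traversed."""
    alerts, pos = [], 0
    for i, ev in enumerate(events):
        if ev == chain[pos]:
            pos += 1
            if pos == len(chain):
                alerts.append(f"event {i}: chain {' -> '.join(chain)} completed")
                pos = 0
    return alerts


if __name__ == "__main__":
    for name, stream in [("benign", BENIGN), ("known attack", KNOWN_ATTACK),
                         ("novel attack", NOVEL_ATTACK)]:
        print(name, "normal-model alerts:", check_normal(stream))
        print(name, "signature alerts:", check_signature(stream))
```

The novel stream shows the trade-off the next slides draw out: the default-deny model flags the unknown `fork` because it was never declared normal, while the signature is silent because no chain matches, and conversely the default-deny model raises a second alert on the known attack's `setuid` even though the signature already fired.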

18 Compound Detectors
Signature inspired: combine signatures with anomaly detection, modeling both normal behavior and the predicted behavior of the intruder; the signatures typically play the major part, hence "signature inspired". Self-learning: automatic feature selection.

19 From Axelsson Presentation

20 Analysis of Classification Approach
Orthogonal concepts: anomaly vs. signature detection; self-learning vs. programmed. High-level categories of what a detector can cover: well-known intrusions, generalisable intrusions, unknown intrusions.

21 Mapping of detection principles to systems

22 IDS Characteristics
Time of detection: real-time or non-real-time. Data granularity: continuous or batch processing. Data source: logs from the network (Ethernet) or from hosts (OS, applications, routers, firewalls, etc.). Response: passive (call 911) or active (alter the system state, attack the attacker). Data collection: centralized or distributed. Data processing: centralized or distributed. Security of the IDS itself: high or low. Inter-operability.

23 Classification of surveyed IDS

24 Challenges
The volume of data keeps increasing. Increase the probability of detection while decreasing false alarms. Detect intrusions as they happen and react in real time to contain the damage. Recovery and business continuity.

