Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intrusion Detection Systems

Published byHengki Sanjaya Modified over 4 years ago

Similar presentations

Presentation on theme: "Intrusion Detection Systems"— Presentation transcript:

1 Intrusion Detection Systems
Casey Wilson

2 Outline Start reserving your topology Learning goals Background
Variations

3 Reserve topology Go to: https://goo.gl/zZF5j7
Use RSPEC CyberPaths/files/IDSLabEasyRSpec.txt

4 Learning Goals Setup an IDS and verify that it functions properly
Study and understand IDS logs Apply concepts of intrusion detection in a real scenario Create a custom Intrusion Detection System (IDS) rule

5 Intrusion Detection Systems and Mitigation
Goals: Install Snort IDS on monitor machine Duplicate all traffic to monitor Create a custom alert for Snort IDS Use mitigation script Drop malicious traffic Send Spoofed SYN Send SYN-ACK Resend SYN-ACK Attacker Server Spoofed Client

6 Background Intrusion Detection and Prevention Systems
Computer Networks Software Defined Networks Command Line GENI DoS

7 Detection via Signatures
Signature checking: does packet match some signature? Payload, e.g., shellcode Header, e.g., SYN Problem: not so great for zero-day attacks -- Q: WHY?

8 DDoS TCP SYN Flood Insights: Traffic pattern Spoofed IPs
Send Spoofed SYN Send SYN-ACK Resend SYN-ACK Attacker Server Spoofed Client Insights: Traffic pattern Spoofed IPs

9 Snort Open source IDS Signature detection Lots of available rulesets
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A |root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)

10 Variations Two levels: one uses OpenFlow and one is not
Different attacks: Slowloris Privilege escalation Advanced level: use the power of SDN to detect and mitigate the port(s) from which DoS is coming

11 Questions? And one last thing… go to nxt slide Let’s experiment!

12 Correlation and Mitigation
Use monitor to alert correlator Correlator is logic that communicates with controller, gathers info about attack Correlator decides based on controller info if there is an attack Correlator logic is implemented in Python

13 Monitor Listen for IDS alerts Alert threshold = # SYN packets / sec
Send alert flag to correlator Send IPs of selected SYN packets to correlator Flag can be attack type

14 Monitor – real time snort alert monitoring

15 Monitor – send alert to correlator

16 Correlator Original Flow Table Flow Table Snapshot1
Key Value port1 IP1 port2 IP2 port3 IP3 portn IPn Key Value port1 IP1 port2 IP12345 port3 IP3 portn IPn Key Value port1 IP1 port2 IP6789 port3 IP3 portn IPn Hash table based on the original flow table of OVS switch Query this table using the IP addresses from the monitor to look for any unknown IPs Additional queries to a second hash table created based on the current flow table Original Flow Table Flow Table Snapshot1 Flow Table Snapshot2

17 Correlator – parse and process flowdump

18 Correlator – block the port of attack

19 Role of SDN in Implementation
Duplicate flows Flow table information detects attacker Drop flows to mitigate Duplication is implemented with Mirroring We may mitigate real traffic – flash crowd Deep packet inspection Second chance

20 Questions? Let’s experiment!

Download ppt "Intrusion Detection Systems"

Similar presentations

REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.

REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.
Intrusion Detection System Snort. What is Snort? Free and Open Source Intrusion Detection System Monitor network traffic Scan for protocol anomalies Scan.

Intrusion Detection System Snort. What is Snort? Free and Open Source Intrusion Detection System Monitor network traffic Scan for protocol anomalies Scan.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
TransAD: A Content Based Anomaly Detector Sharath Hiremagalore Advisor: Dr. Angelos Stavrou October 23, 2013.

TransAD: A Content Based Anomaly Detector Sharath Hiremagalore Advisor: Dr. Angelos Stavrou October 23, 2013.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.

Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.
IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.

IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.
1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.

1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.
Intrusion Protection Mark Shtern. Protection systems Firewalls Intrusion detection and protection systems Honeypots System Auditing.

Intrusion Protection Mark Shtern. Protection systems Firewalls Intrusion detection and protection systems Honeypots System Auditing.
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.
Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece TNC.

Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece TNC.
IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.

IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.

Similar presentations

Ads by Google