
Survey of Information Assurance Intrusion Detection systems.

Presentation on theme: "Survey of Information Assurance Intrusion Detection systems."— Presentation transcript:

1 Survey of Information Assurance Intrusion Detection systems

2 Agenda
The Early Systems
Network Based Detection
– Architecture
– Benefits
– Challenges
Host Based Detection
– Architecture
– Benefits
– Challenges
Detection Mechanisms

3 Scope of Discussions
Details of signature matching algorithms are not covered.
The validity of data collected by an IDS from a legal point of view is not discussed.
Data mining techniques and data refinement are not discussed.
The business aspect of intrusion detection is not covered.

4 IDS – systems that collect information from a variety of system and network resources and then analyze that information for signs of intrusion and misuse.

5 The Early Systems
1980 James P. Anderson writes the technical report “Computer Security Threat Monitoring and Surveillance”.
1985 The US Navy funds development of IDES (Intrusion Detection Expert System).
1986 Dorothy Denning publishes “An Intrusion Detection Model”.
1987 The first annual Intrusion Detection Workshop is held for experts to share ideas.
1989 Todd Heberlein writes “A Network Security Monitor” (NSM). NSM can detect anomalous activity in a heterogeneous network by monitoring TCP/IP packets.
1990 The US Navy completes a study of IDS research and examines 5 systems in detail.

6 The Early Systems (continued)
1992 CMDS (Computer Misuse Detection System) by Science Applications International Corporation; Stalker is developed by Haystack Labs. These are the first commercial host-based IDS and are targeted at UNIX.
1994 Researchers at the Air Force Cryptologic Support Center create ASIM, a robust IDS, and later commercialize it through a company they form, WheelGroup.
1997 Cisco acquires WheelGroup and starts a program to build a network IDS. Internet Security Systems releases RealSecure for Windows NT.
1998 The creators of Stalker and CMDS join to form Centrax Corporation and release eNTrax for Windows NT.
1999 FIDNet (Federal Intrusion Detection Network) is created to protect government sites.

7 Capabilities Comparison among early IDS
(Comparison table; the per-system check marks are not preserved in the transcript.)
Systems compared: ClydeSENTRY, IDES, ISOA, Haystack, Wisdom and Sense, NADIR
EFFECTIVENESS criteria: Type 1 Detection (Automatic); Type 1 Detection (SSO Defined); Type 2 Detection (Dynamic); Type 2 Detection (Static); Online Exception Handling; Long Term Behavior Profile; Operational Enrichment; Data Processed Expeditiously; Tested with Real Data; Multiple Methods; Serial Methods

8 Capabilities Comparison among early IDS (contd…)
(Comparison table; the per-system check marks are not preserved in the transcript.)
Systems compared: ClydeSENTRY, IDES, ISOA, Haystack, Wisdom and Sense, NADIR
INTERFACE criteria: Event Record Retention; Printed Report; Mature SSO Interface; Understandable Results; Ease of Operation; Adjustable Sensitivity Control; Damage Assessment Report
ADAPTABILITY criteria: Product Dev Environment; Extensible Architecture; Multiple Targets; Government Product; Target VMS; CMDS Host

9 Flaws of early IDS
No platform independence – an IDS could not analyze data from systems other than the one it was designed for, i.e. the systems were OS specific.
No system independence – an IDS could not process data from systems other than the original targets for which it had been designed.
Bad UI – the user interfaces were far from intuitive, owing to the research nature of these projects.

10 Types of IDS
Network Based Intrusion Detection Systems
– The system analyzes network packets, i.e. the data sent out of the host interface.
– Packets are usually “sniffed” off the network.
– The IDS is uniquely positioned to detect access attempts and DoS attacks originating from outside.
Host Based Intrusion Detection Systems
– Analyze data originating at the host.
– Have no access to, or monitoring of, data in the network or data originating at other hosts.

11 Network Based IDS
Unauthorized access
– Unauthorized login
– Jump-off point for other attacks
Data/Resource theft
– Password downloads
– Bandwidth theft
DOS – denial of service
– Malformed packets
– Packet flooding
– Distributed DOS

12 A B C of NETWORK BASED IDS A – Architecture B – Benefits C – Challenges

13 Network Based IDS - Architecture
Sensors are deployed across the network and report to a central console.
Sensors: self-contained detection engines that obtain packets from the network, search for intrusion-like behavior and send information back to the central console.
Types:
– Traditional Sensor: sensors monitor network segments, not individual machines.
– Network Node: an agent is placed on each machine in the network and monitors only the traffic received by that machine.

14 A Standard Network IDS
(Diagram; flow numbered 1–9 in the original figure.) Network Packets feed a Network Sensor (TCP/IP Records, Detection Engine, Alert), which reports to the Command Console (Data Base, Response Subsystem, Data Forensics, Security Officer, Log, Report).

15 Traditional Sensor based Architecture
Steps:
– A packet is sent (by anyone) on or outside the network.
– It is sniffed by the sensor.
– The sensor-resident detection engine examines the packet for pre-defined misuse patterns. When a pattern is detected, an “Alert” is sent to the central console.
– The Security Officer is notified.
– A response is generated. It may be automated or directed by the Security Officer, and may include reconfiguration of the sensor, router or firewall.
– A log entry is made.
– A comparison is made with the data base and a report is created.
– The incident is stored in the data base to establish any long-term trend using Data Forensics.

16 A Sensor Based Network IDS
(Diagram; same components as slide 14, with the flow numbered 1–9 in the order of the steps on slide 15.)

17 Distributed Network-Node Architecture
Steps:
– A packet is sent (by anyone) on or outside the network.
– It is sniffed by the sensor placed on the destination machine.
– The sensor-resident detection engine examines the packet for pre-defined misuse patterns. When a pattern is detected, an “Alert” is sent to the central console.
– The Security Officer is notified.
– A local response is generated.
– A log entry is made.
– A comparison is made with the data base and a report is created.
– The incident is stored in the data base to establish any long-term trend using Data Forensics.

18 A Distributed Network Node IDS
(Diagram; flow numbered 1–8 in the original figure.) Network Packets feed a Network Sensor on the destination machine (TCP/IP Records, Detection Engine, Alert, Local Response), which reports to the Command Console (Data Base, Data Forensics, Security Officer, Report).

19 Network Based IDS: Benefits
Outsider deterrence
– Responding to an attack attempt with a legal notice, e-mail warning, etc.
Detection
– Signature matching
– Statistical behavioral analysis
Automated response and notification
– Notify the system administrator
– Reconfigure the router/firewall to block the attacking source address

20 Network Based IDS: Challenges
Packet reassembly
– 1998: Ptacek and Newsham’s paper “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”
High speed networks
Sniffer detection programs
– Antisniff (1999)
Switched networks
– ATM
Encryption

21 Host Based IDS
Abuse of privilege
– Administrative lapse (incorrect privilege assignment, domain addition, ex-employee)
– Privileged user disclosing data
Changes in security configuration
– Admin rights given to a user, WFH user laptops
– Guest account
– Open registry (Windows NT defaults)
– Legal notice missing

22 A B C of HOST BASED IDS A – Architecture B – Benefits C – Challenges

23 Host Based IDS - Architecture
Usually agent based.
Agent: an executable that runs on the target host and communicates with a Central Command Console.
Types:
– Centralized Host Based Architecture
– Distributed Real-Time Architecture
– Agentless Host-Based Intrusion Detection

24 Centralized Host Based Architecture
Steps:
– An event record is created (a program is executed, a file is accessed, etc.)
– The agent centralizes the audit file to the CC (Command Console)
– The detection engine processes the file
– A log is created
– An alert is generated

25 Centralized Host Based Architecture (contd…)
– The Security Officer is notified
– A response is generated
– The alert is stored
– Raw data is moved to the data archive
– Reports are generated

26 A Centralized Host Based IDS
(Diagram; flow numbered 1–9 in the original figure.) On the Target Host, the Audit Subsystem produces Audit Data that the agent's Collector centralizes as Raw Data to the Command Console, where the Detection Engine raises an Alert and the Data Base, Response Subsystem, Data Forensics, Security Officer, Log and Report complete the flow.

27 Distributed Real-Time Architecture
Steps:
– An event record is born
– The file is read in REAL-TIME and processed through the target-resident engine
– The Security Officer is notified
– A response is generated
– The alert is generated and sent to the central console
– Data Forensics is used to look for long-term trends; there is no raw data archive or statistical data
– Reports are generated

28 A Distributed Real-Time Host IDS
(Diagram; flow numbered 1–8 in the original figure.) On the Target Host, the Audit Subsystem's Audit Data passes through a Collector to a target-resident Detection Engine that raises an Alert and a Local Response; the Command Console holds the Data Base, Data Forensics, Security Officer and Report.

29 Agentless Architecture
There are no host-based agents. The central console monitors systems through an API that gives it “remote control” of the data source.
Example: Windows NT/2000 has an API with such capabilities; Kane Security Monitor makes use of this facility.

30 Host Based IDS: Benefits
Insider deterrence
Detection
Notification and response
– Log off user/disable account
– Execute local script
Damage assessment
Attack anticipation
Prosecution support

31 Host Based IDS: Challenges
Performance
– In the case of the Distributed Real-Time Architecture
Deployment/maintenance
Compromise
– Disabling or shutting off the agent
Spoofing
– Inserting into audit records
– Erasing audits

32 DETECTION MECHANISMS
Network Based Signatures
Host Based Signatures

33 Network Based Signatures (1 of 2)
Packet Content Inspection
– The packet data (payload) is inspected for patterns or signatures.
– Example: FTP Site Exec. Pattern within the data: (c7a5 db87 c7a5 db01) exec cat /etc/passwd\r\n

34 Network Based Signatures (2 of 2)
Packet Header Inspection
– The packet header is inspected for patterns or signatures.
– Examples: Broadcast Attack, Land Attack
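A worked example, added here and not part of the presentation, of the two inspection styles on slides 33 and 34: a small detection engine that checks header fields for the Land attack (source equals destination address and port) and for a broadcast destination, and checks the payload for the FTP SITE EXEC pattern. The packets, the 192.0.2.0/24 monitored segment and the rule names are constructed for the example.

```python
import ipaddress
import struct


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, payload=b""):
    """Build a minimal IPv4 + TCP packet (checksums left zero; enough for inspection)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse(packet):
    """Pull the header fields a sensor's detection engine needs out of raw bytes."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport, _, _, off = struct.unpack("!HHIIB", packet[ihl:ihl + 13])
    return {
        "src": ipaddress.IPv4Address(packet[12:16]),
        "dst": ipaddress.IPv4Address(packet[16:20]),
        "proto": packet[9],
        "sport": sport,
        "dport": dport,
        "payload": packet[ihl + (off >> 4) * 4:],
    }


# Header signatures (slide 34): Land attack = source equals destination address and port;
# broadcast attack = traffic addressed to the monitored segment's broadcast address.
def sig_land(p):
    return p["proto"] == 6 and p["src"] == p["dst"] and p["sport"] == p["dport"]


def sig_broadcast(p, net):
    return p["dst"] == net.broadcast_address


# Content signature (slide 33): FTP SITE EXEC command whose argument reaches for /etc/passwd.
def sig_ftp_site_exec(p):
    data = p["payload"].upper()
    return p["dport"] == 21 and b"SITE EXEC" in data and b"/ETC/PASSWD" in data


def inspect(packet, net=ipaddress.ip_network("192.0.2.0/24")):
    """Run every signature over one packet and return the names of those that fire."""
    p = parse(packet)
    checks = [("land-attack", sig_land(p)),
              ("broadcast-destination", sig_broadcast(p, net)),
              ("ftp-site-exec", sig_ftp_site_exec(p))]
    return [name for name, hit in checks if hit]
```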

35 Host Based Signatures
Single Event Signatures
– Writing to an executable: access flags “WriteData”, “WriteAttributes”, “WriteEA”, “AppendData”, etc.
Multi Event Signatures
– Repeated failed logins
Multi-Host Signatures
– Events distributed over multiple hosts
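An added example, not from the presentation, that runs the three host-based signature classes above over constructed audit records: a single-event rule on write flags to an executable, a multi-event rule on repeated failed logins for one account on one host, and a multi-host rule on one account failing across several hosts. The record fields, thresholds and time windows are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
WRITE_FLAGS = {"WriteData", "WriteAttributes", "WriteEA", "AppendData"}  # access flags from slide 35
# Constructed audit records from three hosts; not from the presentation.
AUDIT = [
    {"time": "2024-05-01T09:00:00", "host": "web1", "user": "svc", "event": "file_access",
     "target": "/usr/sbin/httpd", "executable": True, "flags": {"WriteData"}},
    {"time": "2024-05-01T09:00:05", "host": "web1", "user": "svc", "event": "file_access",
     "target": "/var/log/httpd.log", "executable": False, "flags": {"AppendData"}},
    {"time": "2024-05-01T09:01:00", "host": "db1", "user": "alice", "event": "login_failed"},
    {"time": "2024-05-01T09:01:10", "host": "db1", "user": "alice", "event": "login_failed"},
    {"time": "2024-05-01T09:01:20", "host": "db1", "user": "alice", "event": "login_failed"},
    {"time": "2024-05-01T09:02:00", "host": "web1", "user": "alice", "event": "login_failed"},
    {"time": "2024-05-01T09:02:30", "host": "mail1", "user": "alice", "event": "login_failed"},
]

def single_event_alerts(records):
    """Single-event signature: a write-type access to an executable file."""
    return [f"exec-write {r['host']} {r['user']} {r['target']}" for r in records
            if r["event"] == "file_access" and r["executable"] and r["flags"] & WRITE_FLAGS]

def keys_exceeding(records, event, key, window, threshold, distinct=None):
    """Keys whose `event` records contain a time window with >= threshold records (or distinct values)."""
    groups = defaultdict(list)
    for r in records:
        if r["event"] == event:
            groups[key(r)].append(r)
    hits = []
    for k, rs in sorted(groups.items()):
        rs.sort(key=lambda r: r["time"])                      # ISO-8601 strings sort chronologically
        times = [datetime.fromisoformat(r["time"]) for r in rs]
        start = 0
        for end in range(len(rs)):
            while times[end] - times[start] > window:         # shrink the window from the left
                start += 1
            span = rs[start:end + 1]
            if (len({r[distinct] for r in span}) if distinct else len(span)) >= threshold:
                hits.append(k)
                break
    return hits

def multi_event_alerts(records, window=timedelta(minutes=1), threshold=3):
    """Multi-event signature: repeated failed logins for one account on one host."""
    keys = keys_exceeding(records, "login_failed", lambda r: (r["host"], r["user"]), window, threshold)
    return [f"repeated-failed-login {h} {u}" for h, u in keys]

def multi_host_alerts(records, window=timedelta(minutes=5), threshold=3):
    """Multi-host signature: one account failing to log in on several different hosts."""
    keys = keys_exceeding(records, "login_failed", lambda r: r["user"], window, threshold, distinct="host")
    return [f"failed-login-across-hosts {u}" for u in keys]
```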

36 Limitations of IDS
Not an answer to primary network security issues
Requires a standard firewall and malware protection system
May not be able to detect a new attack, but does provide data to trace such activity

37 Latest trends: IDS and IPS
IPS – Intrusion Prevention Systems. An IPS is much more active than an IDS and hence is seen as the better security technology.
IDS/IPS functionality is usually incorporated into the firewall or VPN.
These technologies can be used for rate-limiting a particular kind of data.
More L7 (application-layer) analysis is being incorporated into IDS/IPS systems.

38 Questions?

39 References
Content and diagram references from The Practical Intrusion Detection Handbook by Paul E. Proctor
http://www.sans.org/resources/idfaq/what_is_id.php?portal=3ddecea0aa1dd75e13d0c7f68b7a57eb
http://www.networksecurityjournal.com/intrusion-detection/
http://www.networksecurityjournal.com/features/current-trends-in-ids-ips-052907/
