Slide 1: Distributed Intrusion Detection Systems (dIDS), 2/10, CIS 610

Slide 2: Outline
- IDS/dIDS Overview
- dIDS using a CAS
- dIDS using a distributed model (Indra)
- Discussion

Slide 3: IDS Definitions
- Intrusion detection: identifying computing activity that is malicious or unauthorized. Also: identifying individuals or machines that perform or attempt intrusion.
- IDS: performs intrusion detection by comparing observable behavior against suspicious patterns.

Slide 4: Anatomy of an IDS
- Agent/Monitor/Sensor
  - Data sources: network traffic, system calls, system logs
  - Detection algorithms: simple to sophisticated; signature matching, behavior analysis, heuristics
  - Responses: automatic filtering, email/pager notification
- Management System: data analysis (type, frequency, and source of attacks), administrative configuration

Slide 5: dIDS Definition
Distributed IDS: multiple IDSes spread over a large network, all of which communicate with each other, or with a central server that facilitates advanced network monitoring, incident analysis, and instant attack data.

Slide 6: Why dIDS?
- More data: collecting data from multiple viewpoints gives a better view of attack behavior.
- Fewer false positives: a wider range of behavior is monitored and evaluated.
- Better against automated attacks: collaboration allows agents to pass attack information on to other agents. (Indra)

Slide 7: Approaches to dIDS
- Central Analysis Server (CAS): a large database with aggregated attack data from individual IDS agents.
- Distributed Analysis: IDS agents share attack information with each other and do not rely on a central server. May use hierarchies, as in GrIDS, or loose P2P relationships, as in Indra.

Slide 8: Outline
- IDS/dIDS Overview
- dIDS using a CAS
- dIDS using a distributed model (Indra)
- Discussion

Slide 9: Examples of dIDS with a CAS
- Internet Storm Center (isc.incidents.org): analogous to a weather report; tracks trends in port scanning activity.
- DShield: one source of ISC data. Runs on a large range of IDSes. Submission of logs via email or web can be automatic. The "FightBack" program sends summary attack analysis to ISPs.
- MyNetWatchman: collects from agents; automatically sends incident reports to ISPs; also provides attack trends.

Slide 10: Internet Storm Center

Slide 11: CAS Usefulness
- Good for detecting new trends.
- Potentially good for identifying infected hosts.
- Logically similar to NetBait.
- Can be tailored to deliver information specific to your network (DeepSight).
- Does the "distributedness" really make your network any more secure?
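To make slide 6's "more data from multiple viewpoints" and slide 11's question concrete, here is an added example (not from the slides or from any of the systems named above): three constructed agent logs in which no single agent sees enough dropped ports from one source to call it a scan, while a CAS-style merge across agents does. The log format, agent names, addresses and threshold are all assumptions.

```python
from collections import defaultdict

# Constructed agent logs, one line each: agent,src_ip,dst_port,verdict
LOGS = """\
agentA,203.0.113.5,22,drop
agentA,203.0.113.5,23,drop
agentA,198.51.100.9,80,accept
agentB,203.0.113.5,25,drop
agentB,203.0.113.5,110,drop
agentB,198.51.100.9,80,accept
agentC,203.0.113.5,143,drop
agentC,203.0.113.5,443,drop
agentC,203.0.113.5,3389,drop
""".splitlines()

SCAN_THRESHOLD = 5   # distinct dropped ports from one source before calling it a scan

def parse(lines):
    """Yield (agent, src, port, verdict); skip malformed lines rather than crash."""
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        agent, src, port, verdict = parts
        yield agent, src, int(port), verdict

def local_scanners(lines, threshold=SCAN_THRESHOLD):
    """What each agent would flag from its own view alone: {agent: {src, ...}}."""
    ports = defaultdict(set)                 # (agent, src) -> dropped ports
    for agent, src, port, verdict in parse(lines):
        if verdict == "drop":
            ports[(agent, src)].add(port)
    flagged = defaultdict(set)
    for (agent, src), seen in ports.items():
        if len(seen) >= threshold:
            flagged[agent].add(src)
    return dict(flagged)

def cas_scanners(lines, threshold=SCAN_THRESHOLD):
    """What the CAS flags after merging every agent's drops per source:
    {src: (sorted ports, sorted reporting agents)}."""
    ports, reporters = defaultdict(set), defaultdict(set)
    for agent, src, port, verdict in parse(lines):
        if verdict == "drop":
            ports[src].add(port)
            reporters[src].add(agent)
    return {src: (sorted(seen), sorted(reporters[src]))
            for src, seen in ports.items() if len(seen) >= threshold}
```

With these logs `local_scanners` returns nothing (each agent saw at most three dropped ports from 203.0.113.5), while `cas_scanners` flags that source with seven ports reported by all three agents.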

Slide 12: Outline
- IDS/dIDS Overview
- dIDS using a CAS
- dIDS using a distributed model (Indra)
- Discussion

Slide 13: Other Approaches
- Indra: INtrusion Detection and Rapid Action. Distributes attack information among interested peers in a P2P network.
- Claim: the more participating hosts, and the more heterogeneous the mix of hosts, the more likely it is to detect an attack. Opinions?

Slide 14: Indra daemons
- Watch for intrusion attempts
- Enforce access control based on memory of previous intrusion attempts (proactive)
- Share intrusion attempt warnings with other neighbors

Slide 15: Indra Example
Does host C need to be able to listen to B's network traffic?

Slide 16: Component Questions
- Communication: how do the Indra nodes talk to each other?
- Trust: how can the Indra nodes trust each other's messages?
- Policy: how do Indra nodes react to intrusion attempts or reports of intrusions?

Slide 17: Communication
- Handled by Scribe on top of Pastry
- Scribe: topic-based publish-subscribe multicast mechanism. Relationship to Sequoia?
- Pastry: P2P network

Slide 18: Web of Trust
- Nodes connected by trust relationships
- Edges weighted by degree of trust
- Trust metrics are an active area of research

Slide 19: Indra Daemon Components
- Watchers: monitor network activity and identify suspicious activity.
- Access Controllers: filter access using an (account, machine) combination determined by IDENT. Requires IDENT?
- Listeners: listen to the watchers for reports of suspicious activity; act as filters of the watchers' information.
- Reporters: communicate with the rest of the Indra network; aggregate warnings, pass warnings to other listeners, and receive warnings.
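An added example (not Indra's code) that sketches the watcher, listener, reporter and access-controller roles from slides 14 and 19 together with the web-of-trust weighting from slide 18: a source is blocked only once local warnings plus trust-weighted peer warnings cross a threshold, and the memory of past warnings is what makes the control proactive. The trust weights, the login events, the listener's capping rule and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Web of trust (constructed): weight this node gives to each peer's warnings.
TRUST = {"peer1": 0.9, "peer2": 0.5, "peer3": 0.1}
SELF_WEIGHT = 1.0        # our own watcher is trusted fully
BLOCK_THRESHOLD = 1.5    # weighted evidence needed before a source is blocked

# Constructed inputs: local login events and (peer, suspicious source) warnings.
LOCAL_EVENTS = ([{"src": "198.51.100.7", "result": "fail"}]
                + [{"src": "192.0.2.4", "result": "fail"}] * 5
                + [{"src": "192.0.2.4", "result": "ok"}])
PEER_REPORTS = [("peer1", "198.51.100.7"),
                ("peer3", "203.0.113.9"), ("peer3", "203.0.113.9")]

def watcher(events):
    """Watcher role: one warning per failed login observed locally."""
    return [(e["src"], "failed_login") for e in events if e["result"] == "fail"]

def listener(warnings, max_per_src=3):
    """Listener role: cap warnings per source so a single noisy watcher
    cannot inflate one source's score on its own."""
    count, kept = defaultdict(int), []
    for src, kind in warnings:
        if count[src] < max_per_src:
            count[src] += 1
            kept.append((src, kind))
    return kept

class AccessController:
    """Remembers past warnings (Indra's proactive access control) and denies
    a source once its trust-weighted score reaches BLOCK_THRESHOLD."""
    def __init__(self, trust):
        self.trust, self.score = trust, defaultdict(float)

    def ingest(self, src, origin):
        weight = SELF_WEIGHT if origin == "self" else self.trust.get(origin, 0.0)
        self.score[src] += weight

    def allowed(self, src):
        return self.score[src] < BLOCK_THRESHOLD

def run_node(local_events=LOCAL_EVENTS, peer_reports=PEER_REPORTS, trust=TRUST):
    """Run local and peer warnings through the pipeline; return the blocklist."""
    ac = AccessController(trust)
    for src, _ in listener(watcher(local_events)):
        ac.ingest(src, "self")
    for peer, src in peer_reports:       # reporter role: warnings from peers
        ac.ingest(src, peer)
    return sorted(src for src in ac.score if not ac.allowed(src))
```

Here 198.51.100.7 is blocked only because a well-trusted peer corroborates the single local failure, while 203.0.113.9, reported twice by a barely trusted peer, stays allowed; that is the trust question from slide 16 in miniature.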

Slide 20: Indra Daemons

Slide 21: Questions & Concerns
- Web of Trust or other trust mechanism needs to be defined.
- IDENT questions:
  - Is IDENT required?
  - If so, how secure is IDENT? Can an attacker spoof a victim's IDENT and DOS the victim by attacking the Indra network using the stolen IDENT?
- Access Control: can we trust Indra daemons to make these decisions?

Slide 22: Outline
- IDS/dIDS Overview
- dIDS using a CAS
- dIDS using a distributed model (Indra)
- Discussion

Slide 23: (More) Discussion Questions
- The focuses of the CAS and distributed analysis approaches seem quite different. Are there inherent advantages and disadvantages to each?
- Human response times are not fast enough to stop attacks such as fast-moving worms. Does this mean that we need to allow detection systems to respond automatically to attacks? What are the ramifications of this?

Slide 24: Thursday
- GrIDS discussion
- Brief discussion on Communications article
