1
Shell Based Intrusion Detection System Amit Mathur Amit@veritas.com Section 2
2
Types of IDSs –Signature based: a pre-defined list of known attack patterns that the system matches against and defends against –Anomaly based: determines whether the current behavior of the system deviates from an established norm
3
This approach –Uses the UNIX shell for information gathering –Is anomaly based
4
Mis-use case diagram
5
Architecture
–Idsh (the shell interface)
–IDS engine (the brains)
–Notifier (the alerting engine)
6
Architecture Diagram
7
Idsh A small shell-like utility with the minimal functionality required for IDS. Can easily be incorporated into existing shells.
8
IDS engine: the brains. Operates in 2 phases
–The training (or learning) phase
–The production phase
9
The training phase: responsible for cataloging normal behavior. The user must execute enough commands for the recorded command frequency distribution to be representative of normal use.
10
Sample training phase distribution
11
The production phase: responsible for ensuring that the current behavior statistically mirrors the trained behavior.
12
Sample production command distribution
13
Possible attack sequence
14
Tolerance
15
Sample Alert
ANOMALY DETECTED - Fri Apr 2 12:23:48 PST 2004
User 500 (bob)
Command dump: ls 2% => netstat <= 25% …
16
Attacks against the IDS
–Copy one program over another, so that a known command name runs a different binary: countered by keeping checksums of the programs
–Launch a non-IDS-ized shell (a shell other than idsh): it is the administrator's job to ensure that regular users do not normally use other shells
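The training and production phases described on the IDS engine slides, the fixed tolerance, the alert format, and the non-idsh shell attack from the slide above, as an added worked example that is not the talk's own code. The user (uid 500, "bob"), command histories, 10% tolerance, list of foreign shells and timestamp are all constructed for illustration; the engine compares only command frequencies, so, exactly as the limitations slide says, command sequences are not detected.

```python
"""Added example: a minimal IDS engine for a shell-based anomaly detector.
Not the talk's own code. The user, commands, histories, tolerance and
timestamp below are constructed for illustration."""
from collections import Counter
from typing import Dict, List, Tuple

Distribution = Dict[str, float]  # command name -> share of all commands (0.0-1.0)

# Shells other than idsh. A command typed into one of these never reaches the
# engine, so launching one is reported as a hard rule (hypothetical list).
FOREIGN_SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}

# Constructed training history for uid 500 ("bob"): 50 commands of normal use.
TRAINING_HISTORY: List[str] = (
    ["ls"] * 20 + ["cd"] * 10 + ["vi"] * 10 + ["make"] * 6 + ["gcc"] * 4
)

# Constructed production window: the most recent 20 commands, now dominated
# by network reconnaissance the training phase never saw.
PRODUCTION_WINDOW: List[str] = (
    ["netstat"] * 5 + ["ps"] * 3 + ["ls"] * 4 + ["cd"] * 4 + ["vi"] * 3 + ["nc"]
)


def distribution(commands: List[str]) -> Distribution:
    """Share of each command name in a command list (the slides' 'command distribution')."""
    if not commands:
        return {}
    counts = Counter(commands)
    return {cmd: n / len(commands) for cmd, n in counts.items()}


def train(history: List[str], min_commands: int = 50) -> Distribution:
    """Training phase: catalogue normal behaviour.
    Refuses a history that is too short, because a sparse sample makes almost
    every later command look anomalous (the 'training period risk' limitation)."""
    if len(history) < min_commands:
        raise ValueError(f"need at least {min_commands} commands, got {len(history)}")
    return distribution(history)


def compare(trained: Distribution, window: List[str],
            tolerance: float = 0.10) -> List[Tuple[str, float, float]]:
    """Production phase: (command, trained share, observed share) for every command
    whose share in the window differs from the trained share by more than
    `tolerance`. The tolerance is a fixed absolute share, not adaptive, and only
    frequencies are compared, so command sequences are invisible to this check."""
    observed = distribution(window)
    anomalies = []
    for cmd in set(trained) | set(observed):
        t = trained.get(cmd, 0.0)
        o = observed.get(cmd, 0.0)
        if abs(o - t) > tolerance:
            anomalies.append((cmd, t, o))
    # Commands that grew the most (new tools) first, commands that vanished last.
    anomalies.sort(key=lambda a: a[2] - a[1], reverse=True)
    return anomalies


def shell_escapes(window: List[str]) -> List[str]:
    """Launches of a non-idsh shell inside the window."""
    return [cmd for cmd in window if cmd in FOREIGN_SHELLS]


def format_alert(uid: int, user: str, anomalies, escapes, timestamp: str) -> str:
    """Render an alert for the notifier, in the spirit of the sample alert slide."""
    lines = [f"ANOMALY DETECTED - {timestamp}", f"User {uid} ({user})", "Command dump:"]
    for cmd, t, o in anomalies:
        lines.append(f"  {cmd}: trained {t:.0%} => observed {o:.0%}")
    for cmd in escapes:
        lines.append(f"  non-idsh shell launched: {cmd}")
    return "\n".join(lines)


def run_demo() -> str:
    """Train on the constructed history, check the constructed window,
    and return the alert text ('' when the window is clean)."""
    trained = train(TRAINING_HISTORY)
    anomalies = compare(trained, PRODUCTION_WINDOW)
    escapes = shell_escapes(PRODUCTION_WINDOW)
    if not anomalies and not escapes:
        return ""
    return format_alert(500, "bob", anomalies, escapes, "Fri Apr  2 12:23:48 PST 2004")


if __name__ == "__main__":
    print(run_demo())
```

Running it reports netstat and ps as new, and make and ls as having fallen below their trained share; vi, cd, gcc and nc stay inside the 10% tolerance. Because the tolerance is an absolute share, a burst of a single new tool is caught but a slow drift spread over many commands is not, which is the non-adaptive tolerance limitation on the slides.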
17
Limitations
–Command sequences are not detected
–Tolerance limit is not adaptive
–Does not detect application-level anomalies
–No support for GUI interfaces
–Training period risk
–Loss of connection to the IDS server
18
References
[1] Bishop, Matt. Computer Security: Art and Science. 2003.
[2] Big Brother Network Monitor – http://bb4.com
[3] Sindre, Guttorm, and Opdahl, Andreas. Templates for Misuse Case Description. Dept. of Computer and Information Science, Norwegian University of Science and Technology.