Lesson 5 Intrusion Detection Systems

Presentation on theme: "Lesson 5 Intrusion Detection Systems"— Presentation transcript:

1 Lesson 5 Intrusion Detection Systems

2 Overview
History
Definitions
Common Commercial IDS
Specialized IDS

3 Why Even Bother?
“One of the problems with anomaly detection is that even the current best research systems have something like a 75% success rate.” Marcus Ranum, Network Flight Recorder

4 Intrusion Detection Defined
The process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions, defined as attempts to compromise the confidentiality, integrity, or availability of a computer or network, or to bypass its security mechanisms.

5 General Thoughts about ID
No defense is impenetrable
Vulnerabilities exist to bypass system security precautions
Automated tools exist to find and exploit vulnerabilities
A methodology to detect and report suspicious host and network activity must be implemented
IDS goal: to characterize attack manifestations so as to positively identify all true attacks without falsely identifying non-attacks
ID is an instance of the general signal detection problem

6 Why use ID?
Increase the perceived risk of discovery and punishment
To detect attacks not prevented by other means
Detect and deal with probing
Document existing threats
QC for security design and administration
Forensics for improved security or prosecution

7 Goals of IDS
Accountability: “I can deal with security attacks that occur on my systems as long as I know who did it (and where to find them).”
Response: “I don’t care who attacks my system as long as I can recognize that the attack is taking place and block it.”

8 History of ID
John Anderson: Computer Security Threat Monitoring and Surveillance
Dorothy Denning: An Intrusion Detection Model, which laid the groundwork for commercial products
First IDS, circa 1993: USAF ASIM

9 Generic Intrusion Detection Model
[Diagram: components are the Event Generator (fed by audit trails, network packets and application logs), the Activity Profile, the Rule Set / Detection Engine and a Clock. Labelled flows: update profile state, create anomaly records, design new profiles, define new and modify existing rules.]

10 Model Components
Rule Set: an inference engine that decides whether an intrusion has occurred, or a generic detector examining events and state data using models, rules, patterns and statistics to flag intrusive behavior
Activity Profile: maintains the state of the system or network being monitored
Feedback is critical
No architectural limitations
The rule base can learn if programmed to

11 Haystack
[Diagram: Unisys 1100 audit data is written to a canonical audit trail (CAT) on 9-track tape, read by a Preprocessor and a Statistical Analysis stage on a Z-248 PC, which produce Reports.]
Each record in the CAT file is processed in two ways. Each record is checked to see if it indicates a security-relevant event and is logged if it does. Each record is also used to update a database which contains information on the user’s past behavior, which is then used to determine if the event is outside of normal activity.

12 Intrusion Detection Expert System (IDES)
[Diagram: Audit Records pass through a Receiver into Audit Data; an Active Data Collector feeds Active Data to the Anomaly Detector, which writes Anomaly Data; a Profile Updater maintains Profile Data; an Expert System and a Security Admin Interface sit alongside.]

13 Multics Intrusion Detection and Alerting System (MIDAS)
[Diagram: Command Monitor and Audit Records feed a Preprocessor over a Network Interface from Multics; the Fact Base, Statistical Data Base and Rule Base live on a Symbolics machine with a System Security Monitor.]
The command monitor captures command data that is not audited by Multics. The preprocessor filters out data not used by MIDAS and formats the remaining information into an assertion for the fact base. Facts in the base may bind with a rule found in the rule base to indicate intrusive activity. The statistical database contains both user and system statistics and defines what normal activity is for Dockmaster (the MIDAS system). A fact may indicate activity outside of normal behavior and thus trigger a rule.

14 Network Security Monitor (NSM)
[Diagram: Network Traffic enters a Packet Catcher, then a Filter, then an Object Detector & Analyzer and a Report Generator, with a Traffic Archive.]
Network Profile – which systems normally connect to which others using what service. During a 2-month period, 110,000 connections were analyzed at UC Davis; NSM correctly identified over 300 intrusions, of which only 1% had been detected by admins.
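As an added example, not code from NSM or from this lecture, here is a small Python model of the network profile the slide describes: the (source, destination, service) triples seen during a training window define what is normal, and later connections are checked against that profile. The connection records and host names are constructed sample data.

```python
"""NSM-style network profile: learn which hosts normally connect to which
others using what service, then flag connections outside the profile.

Added example; the connection records below are constructed sample data,
not traffic from the NSM deployment the slide reports on."""
from collections import Counter

# Constructed "normal" traffic observed during a training window:
# (source host, destination host, service).
TRAINING_CONNECTIONS = [
    ("ws1", "mail", "smtp"),
    ("ws1", "files", "nfs"),
    ("ws2", "mail", "smtp"),
    ("ws2", "files", "nfs"),
    ("ws1", "mail", "smtp"),
    ("ws3", "web", "http"),
]


def build_profile(connections):
    """Count how often each (src, dst, service) triple was observed."""
    return Counter(connections)


def detect(profile, connections, min_seen=1):
    """Return (connection, reason) for each connection outside the profile.

    Reasons are ordered from strongest to weakest signal: a host never seen
    at all, then a service never used on the network, then a known host and
    service in a pairing that was never observed in training."""
    known_hosts = {h for (src, dst, _) in profile for h in (src, dst)}
    known_services = {svc for (_, _, svc) in profile}
    alerts = []
    for conn in connections:
        src, dst, svc = conn
        if profile[conn] >= min_seen:
            continue  # seen often enough in training: normal
        if src not in known_hosts or dst not in known_hosts:
            reason = "unknown host"
        elif svc not in known_services:
            reason = "new service on network"
        else:
            reason = "new (src, dst, service) pairing"
        alerts.append((conn, reason))
    return alerts


if __name__ == "__main__":
    profile = build_profile(TRAINING_CONNECTIONS)
    observed = [
        ("ws1", "mail", "smtp"),       # normal
        ("ws3", "files", "nfs"),       # known hosts and service, new pairing
        ("ws2", "files", "telnet"),    # service never seen in training
        ("outside", "files", "nfs"),   # host never seen in training
    ]
    for conn, reason in detect(profile, observed):
        print(conn, "->", reason)
```

The profile is only as good as the training window: a connection that an intruder made during training becomes "normal", which is one reason the slide's 1% admin detection rate is not a surprise. Raising `min_seen` trades fewer false negatives for more alerts on rarely used but legitimate paths.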

15 Distributed IDS (DIDS)
[Diagram: a DIDS Director receives data from several Monitored Hosts and a LAN Monitor; Unmonitored hosts share the same LAN.]

16 Cooperating Security Monitors (CSM)
[Diagram: each CSM has a Command Monitor, a User Interface, a Local IDS and an Intruder Handler, and exchanges information with other CSMs.]

17 Current IDS Trends
Maturing
Manpower needs reducing
False alarm rates dropping
Dynamic, high-speed… stable
Integrating with other technology

18 Types of IDS
Signature-based systems: an attack description that can be matched to sense attack manifestations
Anomaly-based detectors: equate “unusual” or “abnormal” with intrusions
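To make the two detection paradigms concrete, the following added Python example (not from the lecture) runs both over the same constructed audit trail in the "timestamp user event" form used by the host audit systems earlier in the lesson. The signatures are illustrative patterns, and the per-user baselines are constructed event counts from past sessions, in the style of Haystack's user-behaviour database.

```python
"""Signature-based vs anomaly-based detection over one audit trail.

Added example. The audit trail, the signatures and the per-user
baselines are all constructed for illustration."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed audit trail: "<timestamp> <user> <event>".
AUDIT_TRAIL = """\
09:00:01 alice login ok
09:00:05 alice open /home/alice/notes.txt
09:01:10 bob login ok
09:01:12 bob open /home/bob/report.doc
09:02:00 alice open /home/alice/todo.txt
09:03:30 carol login failed
09:03:32 carol login failed
09:03:34 carol login failed
09:03:36 carol login failed
09:03:38 carol login ok
09:03:40 carol open /etc/shadow
09:03:41 carol open /etc/passwd
09:03:42 carol open /home/alice/notes.txt
09:03:43 carol open /home/bob/report.doc
09:03:44 carol open /home/alice/todo.txt
09:03:45 carol open /var/log/auth.log
"""

# Illustrative signatures: a name and a pattern over the event text.
SIGNATURES = [
    ("sensitive file read", re.compile(r"^open /etc/(shadow|passwd)$")),
]

# Constructed baseline: events per session in carol's, alice's and bob's
# past sessions (the "past behavior" database of the Haystack slide).
BASELINE = {"alice": [3, 4, 2, 3], "bob": [2, 1, 2, 3], "carol": [1, 2, 2, 1]}


def parse(trail):
    """Split each line into (timestamp, user, event)."""
    return [tuple(line.split(" ", 2)) for line in trail.splitlines()]


def signature_detect(events, max_failures=3):
    """Match each event against the signatures, plus one stateful rule:
    a successful login after max_failures or more consecutive failures."""
    alerts = []
    failures = defaultdict(int)
    for ts, user, event in events:
        for name, pattern in SIGNATURES:
            if pattern.search(event):
                alerts.append((ts, user, name))
        if event == "login failed":
            failures[user] += 1
        elif event == "login ok":
            if failures[user] >= max_failures:
                alerts.append((ts, user, f"login after {failures[user]} failures"))
            failures[user] = 0
    return alerts


def anomaly_detect(events, baseline, k=3.0):
    """Flag users whose event count this session exceeds their historical
    mean by more than k standard deviations. A user with no profile is
    reported too: the detector cannot say what is normal for them."""
    counts = Counter(user for _, user, _ in events)
    alerts = []
    for user, n in counts.items():
        history = baseline.get(user)
        if history is None:
            alerts.append((user, n, "no profile for user"))
            continue
        mu = statistics.mean(history)
        sigma = statistics.stdev(history) if len(history) > 1 else 0.0
        # Floor sigma so a perfectly flat history still leaves some tolerance.
        threshold = mu + k * max(sigma, 0.5)
        if n > threshold:
            alerts.append((user, n, f"{n} events vs baseline {mu:.1f} +/- {sigma:.1f}"))
    return alerts


if __name__ == "__main__":
    events = parse(AUDIT_TRAIL)
    print("signature alerts:", signature_detect(events))
    print("anomaly alerts:  ", anomaly_detect(events, BASELINE))
```

The two detectors disagree in an instructive way: the signatures catch the brute-forced login and the two /etc reads but say nothing about carol reading other users' files, while the anomaly detector flags carol's whole session as abnormal without being able to say which event was the problem. The trade-off in the Ranum quote lives in `k`: lowering it catches smaller deviations and raises the false-alarm rate.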

19 IDS Classification
Classification can be based on what they sense:
Network-based systems (NIDS): sense packets on a network segment; easy to deploy, but they suffer throughput problems
Host-based systems (HIDS): inspect audit or log data; can affect performance on the host
Hybrids: combine the best of both

20 Intrusion Detection System, Network Based: “A Layer in the Defense”
[Diagram: Adversary on the INTERNET, then External ROUTER, FIREWALL, Intrusion Detection System and Other Network Defense Tools, a DMZ with Server(s), and the INTERNAL NETWORK.]

21 Network Based IDS
Some detect intrusions after the bad guy is inside… but at least you know
Others detect attacks (attack detection systems)
Location in the architecture determines which one you have
The number of IDSes in the architecture can add protection
The balance is between being inundated with false alarms and alert conditions requiring action
Ideal NIDS installation: start by adding as few sensors as possible

22 Host based IDS
Set up a HIDS like a selective burglar alarm
Deploy HIDS on critical servers devoid of interactive users
Configuration options:
Critical file modification
When log files get smaller
Process table grows larger than normal or too fast

23 What the different levels of IDS do
Host-based Intrusion Detection: will catch users logged directly into a system; will miss network actions (the network as a whole)
Network-based Intrusion Detection: will miss individual actions on the host the user is logged directly into; will be able to see attacks on multiple hosts (“door knob rattling”)
Where do you place the IDS? On the LAN or on the outside of the router (the connection to the Internet)?

24 Five Functional Areas of HIDS
Log/Event Monitoring
File Integrity Checking
Policy Compliance
Network Traffic Monitoring
System Monitoring
Ref: Rasmussen, ISSA, Mar 02
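The three HIDS configuration options on the Host based IDS slide (critical file modification, log files getting smaller, process table growth) are instances of the file integrity checking and system monitoring areas listed here. The following added Python example, not code from the lecture or from any HIDS product, implements all three checks against a temporary directory; the files, their contents and the process counts are constructed, and the process table is a list of counts rather than a live process list.

```python
"""Three HIDS checks: critical file modification, a log that shrank, and a
process table that is too large or growing too fast.

Added example. Files and process counts below are constructed so the
checks can be exercised offline."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load fully."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_files(paths):
    """Record the hash of each critical file at a known-good moment."""
    return {p: hash_file(p) for p in paths}


def check_files(baseline):
    """Report critical files that are missing or whose content changed."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))
        elif hash_file(path) != digest:
            alerts.append((path, "content changed"))
    return alerts


def baseline_log_sizes(paths):
    return {p: os.path.getsize(p) for p in paths}


def check_log_sizes(size_baseline):
    """Logs only grow between rotations; a log that got smaller was truncated."""
    alerts = []
    for path, old in size_baseline.items():
        new = os.path.getsize(path)
        if new < old:
            alerts.append((path, f"shrank from {old} to {new} bytes"))
    return alerts


def check_process_table(history, current, max_procs, max_growth):
    """history: recent process counts, oldest first. Flags an absolute
    limit breach and a jump larger than max_growth since the last sample."""
    alerts = []
    if current > max_procs:
        alerts.append(f"process count {current} above limit {max_procs}")
    if history and current - history[-1] > max_growth:
        alerts.append(f"process count grew by {current - history[-1]} in one interval")
    return alerts


def demo():
    """Build constructed files, baseline them, tamper, and run all checks.
    Returns (file_alerts, log_alerts, process_alerts)."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")       # stands in for a critical file
        auth = os.path.join(d, "auth.log")       # stands in for a log file
        with open(passwd, "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        with open(auth, "w") as f:
            f.write("login ok\n" * 10)           # 90 bytes
        files = baseline_files([passwd])
        logs = baseline_log_sizes([auth])
        # Constructed tampering: an extra account appended, the log truncated.
        with open(passwd, "a") as f:
            f.write("eve:x:0:0::/home/eve:/bin/sh\n")
        with open(auth, "w") as f:
            f.write("login ok\n")                # 9 bytes
        file_alerts = check_files(files)
        log_alerts = check_log_sizes(logs)
    # Constructed samples: steady around 80, then a sudden jump to 140.
    proc_alerts = check_process_table([80, 82, 81], 140, max_procs=200, max_growth=20)
    return file_alerts, log_alerts, proc_alerts


if __name__ == "__main__":
    for group in demo():
        print(group)
```

The file hashes are kept only for files that should not change; logs are tracked by size instead, because their content changes constantly and only shrinking is suspicious. On a real host the baseline itself must be stored where the monitored system cannot rewrite it, which is why the slide recommends deploying HIDS on servers without interactive users.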

25 And what about IDS and the PSTN?
Two aspects:
Detection of intrusions into the IP network from the PSTN
Detection of intrusions into the PSTN and its systems
Do you have a separate system, or feed the current IDS with data from the PSTN?

26 Strengths of IDSes
Monitoring and analysis of system events and user behaviors
Testing security states of system configurations
Recognizing known attack patterns
Recognizing anomalies
Measuring security policy enforcement
Managing data flow

27 Weaknesses of IDSes
Compensating for weak or missing security mechanisms
Instantaneous detection, reporting, and attack response
Detecting newly published attacks
Compensating for information source fidelity
Reducing manpower needs

28 IDS Adjusted Expectations
Consider a building with motion detectors
Works great when the building is empty
But if activated during the day, many false positives
Building managers don’t expect them to work during the day
It’s possible to set up a network-based IDS (NIDS) and a host-based IDS (HIDS) to limit false positives

29 Monitoring and the Law
The issue is expectation of privacy – does the individual have one? You generally need to inform individuals using the system that their actions are subject to monitoring. Government systems have the warning banner. This advice was also issued by CERT (CA-92:19) for anybody wanting to monitor keystrokes. Note that it is considered not enough to notify all authorized users once (when they are issued their initial password, for example); the notice must be displayed each time at login.

30 An IDS Taxonomy
1. Source of Audit
2. Layout Technology
3. Data Processing
4. Structure or Arrangement
5. Data Collection
6. Time of Detection
7. Intrusion Prevention
8. Detection Paradigm
9. Detection Technique
10. Response Type
11. Placement of IDS
12. Usage Frequency
Ref: IDS Taxonomy, Data & Analysis Center for Software, June 2010, Amer and Hamilton

31 IDS Fad
“People buy the hottest IDS tool that will be very good about telling them about DOS in the network, but is useless detecting problems inside the host.” Matt Bishop, UC Davis

32 Summary
Detection of Incidents
Basic IDS Model and History
IDS Types and Classification
