Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intrusion Detection. Intruders Classes (from [ANDE80]: Classes (from [ANDE80]: two most publicized threats to security are malware and intruders two most.

Published byRichard Godfrey Pearson Modified over 8 years ago

Similar presentations

Presentation on theme: "Intrusion Detection. Intruders Classes (from [ANDE80]: Classes (from [ANDE80]: two most publicized threats to security are malware and intruders two most."— Presentation transcript:

1 Intrusion Detection

2 Intruders Classes (from [ANDE80]: Classes (from [ANDE80]: two most publicized threats to security are malware and intruders two most publicized threats to security are malware and intruders generally referred to as a hacker or cracker generally referred to as a hacker or cracker masquerader likely to be an outsider an unauthorized individual who penetrates a system to exploit a legitimate user account misfeasor generally an insider legitimate user who misuses privileges clandestine user can be either insider or outsider individual who seizes supervisory control to evade auditing and access controls or to suppress audit collection

3 Examples of Intrusion remote root compromise remote root compromise web server defacement web server defacement guessing / cracking passwords guessing / cracking passwords copying databases containing credit card numbers copying databases containing credit card numbers viewing sensitive data without authorization viewing sensitive data without authorization running a packet sniffer running a packet sniffer distributing pirated software distributing pirated software using an unsecured modem to access internal network using an unsecured modem to access internal network impersonating an executive to get information impersonating an executive to get information using an unattended workstation using an unattended workstation

4 Hackers motivated by thrill of access and/or status motivated by thrill of access and/or status hacking community is a strong meritocracy hacking community is a strong meritocracy status is determined by level of competence status is determined by level of competence benign intruders consume resources and slow performance for legitimate users benign intruders consume resources and slow performance for legitimate users intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are designed to help counter hacker threats intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are designed to help counter hacker threats intruder problem led to establishment of computer emergency response teams (CERTs) intruder problem led to establishment of computer emergency response teams (CERTs)

5 1 select the target using IP lookup tools such as NSLookup, Dig, and othersselect the target using IP lookup tools such as NSLookup, Dig, and others 2 map network for accessible services using tools such as NMAPmap network for accessible services using tools such as NMAP 3 identify potentially vulnerable services (in this case, pcAnywhere)identify potentially vulnerable services (in this case, pcAnywhere) 4 brute force (guess) pcAnywhere passwordbrute force (guess) pcAnywhere password 5 install remote administration tool called DameWareinstall remote administration tool called DameWare 6 wait for administrator to log on and capture his passwordwait for administrator to log on and capture his password 7 use that password to access remainder of networkuse that password to access remainder of network

6 Criminals organized groups of hackers now a threat organized groups of hackers now a threat corporation / government / loosely affiliated gangs corporation / government / loosely affiliated gangs typically young typically young meet in underground forums meet in underground forums common target is credit card files on e-commerce servers common target is credit card files on e-commerce servers criminal hackers usually have specific targets criminal hackers usually have specific targets once penetrated act quickly and get out once penetrated act quickly and get out IDS / IPS can be used but less effective IDS / IPS can be used but less effective sensitive data should be encrypted sensitive data should be encrypted

7 Criminal Enterprise Patterns of Behavior act quickly and precisely to make their activities harder to detect exploit perimeter via vulnerable ports use Trojan horses (hidden software) to leave back doors for re-entry use sniffers to capture passwordsdo not stick around until noticed

8 Insider Attacks among most difficult to detect and prevent among most difficult to detect and prevent employees have access and systems knowledge employees have access and systems knowledge may be motivated by revenge/entitlement may be motivated by revenge/entitlement employment was terminated employment was terminated taking customer data when moving to a competitor taking customer data when moving to a competitor IDS / IPS can be useful but also need: IDS / IPS can be useful but also need: enforcement of least privilege, monitor logs, strong authentication, termination process enforcement of least privilege, monitor logs, strong authentication, termination process

9 Internal Threat Patterns of Behavior create network accounts for themselves and their friends access accounts and applications they wouldn't normally use for their daily jobs e-mail former and prospective employers conduct furtive instant-messaging chats visit web sites that cater to disgruntled employees, such as f'dcompany.com perform large downloads and file copying access the network during off hours

10 The following definitions from RFC 2828 (Internet Security Glossary) are relevant to our discussion: Security Intrusion: A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so. Intrusion Detection : A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

11 Intrusion Detection Systems (IDSs) comprises three logical components: sensors - collect data analyzers - determine if intrusion has occurred user interface - view output or control system behavior host-based IDS monitors the characteristics of a single host for suspicious activity network-based IDS monitors network traffic and analyzes network, transport, and application protocols to identify suspicious activity

12 IDS Principles assume intruder behavior differs from legitimate users assume intruder behavior differs from legitimate users overlap in behaviors causes problems overlap in behaviors causes problems false positives false positives false negatives false negatives

13 IDS Requirements run continuallybe fault tolerantresist subversion impose a minimal overhead on system configured according to system security policies adapt to changes in systems and users scale to monitor large numbers of systems provide graceful degradation of service allow dynamic reconfiguration

14 Host-Based IDS adds a specialized layer of security software to vulnerable or sensitive systems adds a specialized layer of security software to vulnerable or sensitive systems monitors activity to detect suspicious behavior monitors activity to detect suspicious behavior primary purpose is to detect intrusions, log suspicious events, and send alerts primary purpose is to detect intrusions, log suspicious events, and send alerts can detect both external and internal intrusions can detect both external and internal intrusions

15 Host-Based IDS Approaches to Intrusion Detection anomaly detection threshold detection involves counting the number of occurrences of a specific event type over an interval of time profile based profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts signature detection involves an attempt to define a set of rules or attack patterns that can be used to decide that a given behavior is that of an intruder

16 multiuser operating systems include accounting software that collects information on user activity advantage is that no additional collection software is needed disadvantage is that records may not contain the needed information or in a convenient form native audit records collection facility that generates records containing only information required by the IDS advantage is that it could be made vendor independent and ported to a variety of systems disadvantage is the extra overhead of having, in effect, two accounting packages running on a machine detection-specific audit record

17 Table 8.2 Measures That May Be Used For Intrusion Detection

18 Signature Detection rule-based anomaly detection rule-based anomaly detection historical audit records are analyzed to identify usage patterns historical audit records are analyzed to identify usage patterns rules are generated that describe those patterns rules are generated that describe those patterns current behavior is matched against the set of rules current behavior is matched against the set of rules does not require knowledge of security vulnerabilities within the system does not require knowledge of security vulnerabilities within the system a large database of rules is needed a large database of rules is needed rule-based penetration identification key feature is the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses rules can also be defined that identify suspicious behavior typically rules are specific to the machine and operating system

19 Table 8.3 USTAT Actions vs. SunOS Event Types

20 Distributed Host-Based IDS

21

22 Network-Based IDS (NIDS) monitors traffic at selected points on a network examines traffic packet by packet in real or close to real time may examine network, transport, and/or application-level protocol activity comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface analysis of traffic patterns may be done at the sensor, the management server or a combination of the two

23 NIDS Sensor Deployment inline sensor inserted into a network segment so that the traffic that it is monitoring must pass through the sensor passive sensors monitors a copy of network traffic

24

25 Intrusion Detection Techniques signature detection signature detection at application, transport, network layers; unexpected application services, policy violations at application, transport, network layers; unexpected application services, policy violations anomaly detection anomaly detection denial of service attacks, scanning, worms denial of service attacks, scanning, worms when a sensor detects a potential violation it sends an alert and logs information related to the event when a sensor detects a potential violation it sends an alert and logs information related to the event used by analysis module to refine intrusion detection parameters and algorithms used by analysis module to refine intrusion detection parameters and algorithms security administration can use this information to design prevention techniques security administration can use this information to design prevention techniques

26

27 Honeypot decoy systems designed to: decoy systems designed to: lure a potential attacker away from critical systems lure a potential attacker away from critical systems collect information about the attacker’s activity collect information about the attacker’s activity encourage the attacker to stay on the system long enough for administrators to respond encourage the attacker to stay on the system long enough for administrators to respond filled with fabricated information that a legitimate user of the system wouldn’t access filled with fabricated information that a legitimate user of the system wouldn’t access resource that has no production value resource that has no production value incoming communication is most likely a probe, scan, or attack incoming communication is most likely a probe, scan, or attack outbound communication suggests that the system has probably been compromised outbound communication suggests that the system has probably been compromised once hackers are within the network, administrators can observe their behavior to figure out defenses once hackers are within the network, administrators can observe their behavior to figure out defenses

28 Honeypot Deployment

29 SNORT lightweight IDS lightweight IDS real-time packet capture and rule analysis real-time packet capture and rule analysis easily deployed on nodes easily deployed on nodes uses small amount of memory and processor time uses small amount of memory and processor time easily configured easily configured

30 SNORT Rules use a simple, flexible rule definition language use a simple, flexible rule definition language each rule consists of a fixed header and zero or more options each rule consists of a fixed header and zero or more options

31 Examplesof SNORT Rule Options

Download ppt "Intrusion Detection. Intruders Classes (from [ANDE80]: Classes (from [ANDE80]: two most publicized threats to security are malware and intruders two most."

Similar presentations

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 6 – Intrusion Detection.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 6 – Intrusion Detection.
Lecture 13 Intrusion Detection modified from slides of Lawrie Brown.

Lecture 13 Intrusion Detection modified from slides of Lawrie Brown.
Cryptography and Network Security Chapter 20 Intruders

Cryptography and Network Security Chapter 20 Intruders
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 8 “Intrusion Detection”.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 8 “Intrusion Detection”.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.
Lecture 14 Intrusion Detection

Lecture 14 Intrusion Detection
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Similar presentations

Ads by Google