Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intrusion Detection Karthikeyan Mahadevan. Intrusion Detection What is Intrusion? Simply put, an intrusion is someone attempting to break into or misuse.

Published byCora Bennett Modified over 8 years ago

Similar presentations

Presentation on theme: "Intrusion Detection Karthikeyan Mahadevan. Intrusion Detection What is Intrusion? Simply put, an intrusion is someone attempting to break into or misuse."— Presentation transcript:

1 Intrusion Detection Karthikeyan Mahadevan

2 Intrusion Detection What is Intrusion? Simply put, an intrusion is someone attempting to break into or misuse your system What is an ID? An intrusion detection system, or IDS for short, makes an attempt to find out these illegal exploits made on the system

3 Types of IDS Host Based ID Network Based ID Layered Defense Knowledge Based ID Behavior Based ID

4 Host Based ID It involves loading piece/pieces of software on a system to be monitored i.e. the data source is the host. Detected by: An audit file produced by the software Enables administrator to be informed of any attack that the system may have suffered...

5 Network Based Id These type of systems monitor the traffic on a particular network segment. Detection is based on this network info. It can be effectively seen as a packet monitoring system. In lay-man terms, it is similar to a sensor monitoring the packets. Sensor considers a packet as a potential threat iff its signature is pre-classified. The primary signatures of interest in Network Based Ids are string signatures, port signatures, and header condition signatures.

6 Signatures String Signatures : Packet has a text string that indicates a possible attack. e.g “cat”++” > /.rhosts Port Signatures: monitor the well known and/or frequently attacked ports. e.g telnet (TCP 23), FTP (TCP 20/21) etc. Header signatures: Look for dangerous or/and illogical combinations in packet header e.g A TCP packet with SYN and FIN flag set

7 Layered Defense Multiple “Layers” of security is employed Most popular misconception: A Firewall can thwart intrusions. But… it could protect only a part of the system. So? - A security model is needed. Following are the layers: –Security policy of your organization –Host system security –Auditing –Router security –Firewalls –Intrusion detection systems –Incident response plan

8 Knowledge Based ID Apply the knowledge accumulated about specific attacks and system vulnerabilities. ID has prior knowledge about what these attacks look like. Completeness and competency of such a system depends on the knowledge base.

9 Behavior Based ID Underlying assumption: Intrusion can be detected based on a deviation from normal or expected behavior. Again, success of such a system depends on the definition of “normal” or “expected”. The data pertaining to what constitutes normal behavior is gathered.

10 Computer Security Breaches- Statistics Denial of service attacks - 32%. Sabotage of data or networks - 19%. Financial fraud - 14%. Insider abuse of Internet access privileges (for example, downloading pornography or pirated software or engaging in inappropriate use of e-mail systems) - 97%. –This increase indicates that the danger of entanglement in civil liability suits is also on the rise. Virus contamination - 90%. Laptop theft - 69%.

11 Types of Attacks I Denial of Services (DoS) : On the Internet, a denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have DDoS: On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users

12 Types of Attacks II Buffer Overflow: Occurs when a program or process tries to store more data in a buffer than it was intended to hold. Buffers are defined to hold limited data. If the limit is exceeded, data can overflow into adjacent buffers, thereby corrupting or overwriting valid data held in them. Could be unintentional through programming error. Buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer

13 Sample Code - Buffer Over Flow char shellcode[] = Architecture Dependent Shell Code char large_string[128]; void main() { char buffer[96]; int i; long *long_ptr = (long *) large_string; for (i = 0; i < 32; i++) *(long_ptr + i) = (int) buffer; for (i = 0; i < strlen(shellcode); i++) large_string[i] = shellcode[i]; strcpy(buffer,large_string); }

14 Why is the previous code dangerous?? What we have done above is filled the array large_string[] with the address of buffer[], which is where our code will be. Then we copy our shellcode into the beginning of the large_string string. strcpy() will then copy large_string onto buffer without doing any bounds checking, and will overflow the return address, overwriting it with the address where our code is now located. Once we reach the end of main and it tried to return it jumps to our code, and execs a shell. -- CERT Reports say 65 % of threats are buffer overflows

15 Other attacks There are innumerable types of other attacks. Focus is on the two discussed here, since they constitute many of the major headlines today. A vast majority of other types of attacks are caused by programming flaws. –Bad programming in C is also a reason, there are functions that don’t check bounds.

16 Solutions - Existing There are infinite (exaggeration!!) number of ID’s available in the market. Approach –is to monitor the network traffic. Packet Signature analysis –based on a database with information about all the known types of attacks and signatures

17 Secure Programming This is one of the hottest field of research in the security area. There are compilers available, that test code and mark out the parts that are insecure e.g Cyclone Focus: Make the existing code error free. That is, the libraries which use functions that don’t check bounds.

18 System Call traces Any task performed on a system is a sequence of system calls. The task is cut out. We have to build a profile (into a database) with the known sequences of system calls. Based on this knowledge we can deterministically say whether or not a sequence of calls is a intrusion or not.

19 System Call Traces - Cont’d Profiling a database with normal sequences is easy. Then we have to develop synthetically, a database that has profiles of unused programs or those rarely used. The next step is categorization of normal and deviation from normal.

20 Future Work How effectively this can be done in order that there is no false alarm (report a normal event as intrusion-false negative),. and no intrusion is missed (false positive) Existing methods trigger a human intervention - Automated ID’s

Download ppt "Intrusion Detection Karthikeyan Mahadevan. Intrusion Detection What is Intrusion? Simply put, an intrusion is someone attempting to break into or misuse."

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Anomaly Detection Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
1. AGENDA History. WHAT’S AN IDS? Security and Roles Types of Violations. Types of Detection Types of IDS. IDS issues. Application.

1. AGENDA History. WHAT’S AN IDS? Security and Roles Types of Violations. Types of Detection Types of IDS. IDS issues. Application.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.

1 Protection Protection = access control Goals of protection Protecting general objects Example: file protection in Linux.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

Similar presentations

Ads by Google