Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intrusion Detection CSEM02 University of Sunderland Harry R. Erwin, PhD.

Published byRandolph Gregory Modified over 8 years ago

Similar presentations

Presentation on theme: "Intrusion Detection CSEM02 University of Sunderland Harry R. Erwin, PhD."— Presentation transcript:

1 Intrusion Detection CSEM02 University of Sunderland Harry R. Erwin, PhD

2 Resources B. Schneier, 2000, Secrets and Lies, Wiley, ISBN: 0-471-25311-1. E. Amoroso, 1999, Intrusion Detection, Intrusion.net, ISBN: 0-9666700-7-8 R. G. Bace, 2000, Intrusion Detection, Macmillan Technical Publishing, ISBN: 1-57870-185-6 We will mostly follow Schneier in this lecture.

3 Intrusion Detection Systems (IDS) Network Monitors—watch your network looking for suspicious behavior Often but not always based on Audit Provide reactive rather than proactive security Alert on successful and ongoing attacks Need to be accurate in detecting attacks and in determining that an attack is not underway. Also may provide diagnosis tools.

4 The False Alarm Problem Base rate fallacy—suppose you have a test that is 99% accurate. Is this good? Not necessarily! Suppose the real attack rate is 1x10 -6. This test will generate 10,000 false positives for every real attack it detects. (Work it out…) If network attacks are rare, a test has to be powerful to be useful.

5 The Timely Notification Problem You may want to be warned in time to do something, but… What about slow attacks? When should the IDS become suspicious and tell you? What about ambiguous evidence? Do you want to be warned about borderline cases?

6 The Response Problem What do you do if you do hear an alarm? I.e., the problem with giving out general warnings of terrorist activity. Options include: –Wait –Collect more information –Do something –Hope it goes away You may be too busy fighting alligators to do anything intelligent about draining the swamp.

7 Approaches to Building an IDS Misuse detection –IDS knows what an attack looks like and looks for it. –“Network virus scanner” –Fast, easy to build, has a low false positive rate. –Misses a lot and is easy to fool. –Probably will get better over time.

8 Approaches to Building an IDS (II) Anomaly detection –Generates a statistical or neural network model of the network to figure out what is normal –Sounds an alarm for abnormal activity –Uses AI: Bayesian statistics Neural networks Expert systems

9 Problems with Anomaly Detection Does the training data include an attack? Then hacking will be considered normal. 8( New things happen on networks all the time. Successful retraining of an existing AI system to handle this is a hard problem, worth a PhD. 8( How can it categorize attacks? That requires expert input. 8( False positives are much higher. 8( Attack indicators are brittle, so that hackers can sneak past them. 8(

10 Inline versus Audit-Based IDS Should the IDS detect attacks in real-time or using audit log processing? –Inline will have incomplete data. –Inline is also computationally expensive. –Audit log processing is after the fact. –Audit log formats vary quite a bit. –A combined approach is feasible, but costly.

11 Host-Based versus Network- Based IDS Network-based IDS is basically wire- tapping –Stealthy –Operating-system independent Host-based IDS uses audit logs –From workstations, servers, switches, routers, etc. –Product-specific.

12 Make or Buy Do your own monitoring or pay someone else? –Counterpane –Qinetiq –Other vendors important, too. –SRM is a local company that does this. Trust issues particularly important. Inhouse expertise requirement.

13 Honey Pots and Burglar Alarms Burglar alarms are resources on the network that generate an alarm if accessed incorrectly. Honey pots are burglar alarms dressed up to look attractive. May incorporate subnetworks and dummy computers. –Costly –Have to look real to the attackers –Legality important. Entrapment may be an issue, so intruders must be warned. Read http://csrc.nist.gov/publications/secpubs/berferd.ps http://csrc.nist.gov/publications/secpubs/berferd.ps See also http://www.strategypage.com/fyeo/howtomakewar/default.asp?target=HTIW.HTM http://www.strategypage.com/fyeo/howtomakewar/default.asp?target=HTIW.HTM

14 Incident Handling Issues Be prepared Have procedures Don’t panic Call in the police? Expectation management Damage control Dealing with witch hunts

15 IDS Requirements Must be: –Effective –Easy to use –Adaptable –Robust –Fast –Efficient –Safe

16 Future IDS Needs Should be: –Accommodating –Security enhancing –Scalable –Realistic –Hardened

17 Conclusions We aren’t there yet, But any IDS system is better than none at all. This is the place to be if you want to work on secure systems development.

Download ppt "Intrusion Detection CSEM02 University of Sunderland Harry R. Erwin, PhD."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
1. AGENDA History. WHAT’S AN IDS? Security and Roles Types of Violations. Types of Detection Types of IDS. IDS issues. Application.

1. AGENDA History. WHAT’S AN IDS? Security and Roles Types of Violations. Types of Detection Types of IDS. IDS issues. Application.
A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of.

A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of.
IDS/IPS Definition and Classification

IDS/IPS Definition and Classification
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
How to Prepare for the Fall Exam COM380/CIT304 Harry Erwin, PhD University of Sunderland.

How to Prepare for the Fall Exam COM380/CIT304 Harry Erwin, PhD University of Sunderland.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.

1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.
Neural Technology and Fuzzy Systems in Network Security Project Progress 2 Group 2: Omar Ehtisham Anwar 2005-02-0129 Aneela Laeeq 2005-02-0023.

Neural Technology and Fuzzy Systems in Network Security Project Progress 2 Group 2: Omar Ehtisham Anwar Aneela Laeeq
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
STATE OF THE PRACTICE OF INTRUSION DETECTION TECHNOLOGIES Presented by Hap Huynh Based on content by SEI.

STATE OF THE PRACTICE OF INTRUSION DETECTION TECHNOLOGIES Presented by Hap Huynh Based on content by SEI.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
A survey of commercial tools for intrusion detection 1. Introduction 2. Systems analyzed 3. Methodology 4. Results 5. Conclusions Cao er Kai. INSA lab.

A survey of commercial tools for intrusion detection 1. Introduction 2. Systems analyzed 3. Methodology 4. Results 5. Conclusions Cao er Kai. INSA lab.
seminar on Intrusion detection system

seminar on Intrusion detection system
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

Similar presentations

Ads by Google