Ch.22 INTRUSION DETECTION


Ch.22 INTRUSION DETECTION 120060373 이상일

Principles. Systems that are not under attack exhibit the following:
1. Their actions conform to a statistically predictable pattern.
2. Their actions do not subvert the security policy.
3. Their actions conform to specifications describing the permitted actions.

Basic Intrusion Detection. Attack tool: an attack tool is an automated script designed to violate a security policy. Attack tools do not fundamentally change the nature of intrusion detection.

Goals of Intrusion Detection. Detect a wide variety of intrusions. Detect intrusions in a timely fashion. Present the analysis in a simple, easy-to-understand format. Be accurate.

Models: Anomaly modeling, Misuse modeling, Specification modeling.

Anomaly modeling. Analyze a set of characteristics of the system. Compare their behavior with a set of expected values. Report when the computed statistics do not match the expected measurements.

Anomaly modeling. Threshold metric: a value between a minimum and a maximum is expected. Statistical moments: mean, standard deviation and other measures of correlation. Markov model: the notion of state.
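The three anomaly metrics on these two slides, worked through in code. This is an added example, not code from the presentation or from the textbook it summarises: the login-failure history, the training sessions and the cut-offs (range, two standard deviations, 5% transition probability) are constructed values, and the Markov detector is a first-order transition model over command names.

```python
"""Threshold, statistical-moment and Markov anomaly detectors.
Added example; all sample data below is constructed for illustration."""
import math
from collections import defaultdict

# --- 1. Threshold metric: a count is expected to lie in [minimum, maximum]
def threshold_alert(count, minimum, maximum):
    """True when the observed count falls outside the expected range."""
    return count < minimum or count > maximum

# --- 2. Statistical moments: mean and standard deviation of a user's history
def moments(history):
    n = len(history)
    mean = sum(history) / n
    variance = sum((x - mean) ** 2 for x in history) / n
    return mean, math.sqrt(variance)

def moment_alert(history, observed, k=2.0):
    """True when the observation is more than k standard deviations from the mean."""
    mean, sd = moments(history)
    if sd == 0:
        return observed != mean
    return abs(observed - mean) / sd > k

# --- 3. Markov model: transition probabilities between consecutive commands
def train_markov(sessions):
    """Build P(next command | current command) from normal sessions."""
    counts = defaultdict(lambda: defaultdict(int))
    for seq in sessions:
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    model = {}
    for a, nxt in counts.items():
        total = sum(nxt.values())
        model[a] = {b: c / total for b, c in nxt.items()}
    return model

def markov_alert(model, sequence, min_prob=0.05):
    """List the (from, to, probability) transitions that are rare or unseen."""
    rare = []
    for a, b in zip(sequence, sequence[1:]):
        p = model.get(a, {}).get(b, 0.0)
        if p < min_prob:
            rare.append((a, b, p))
    return rare

# Constructed sample data: failed logins per day, and normal command sessions
LOGIN_FAILURES_HISTORY = [1, 0, 2, 1, 1, 0, 1, 2]
TRAINING_SESSIONS = [
    ["login", "ls", "cd", "ls", "vi", "logout"],
    ["login", "cd", "ls", "vi", "make", "logout"],
    ["login", "ls", "vi", "make", "logout"],
]

if __name__ == "__main__":
    print("threshold:", threshold_alert(7, 0, 3))
    print("moments:", moment_alert(LOGIN_FAILURES_HISTORY, 9))
    model = train_markov(TRAINING_SESSIONS)
    print("markov:", markov_alert(model, ["login", "unknown_tool", "logout"]))
```

Each detector reports a different kind of deviation: the threshold and moment metrics look at how much of something happened, the Markov model at the order in which things happened, which is why a session of individually ordinary commands can still be flagged.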

Misuse Modeling. Detection determines whether a sequence of instructions being executed is known to violate the site security policy. If so, it reports a potential intrusion.

Misuse Modeling. IDIOT system: monitors audit logs. STAT system: models the actual state of the system and the changes to it.

Specification Modeling. Determine whether or not a sequence of instructions violates a specification of how a program, or system, should execute. If so, it reports a potential intrusion.
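Misuse modeling and specification modeling side by side, as an added example that is not from the presentation or any of the systems it names. The signatures, the per-program specification and the audit records are all constructed; the misuse detector matches a known-bad ordered sequence of actions, while the specification detector reports anything a program does that its specification does not list, whether or not it matches a known attack.

```python
"""Misuse detection (known-bad sequence) beside specification-based detection
(anything outside the program's permitted behaviour). Added example;
signatures, specification and audit records are constructed."""
from fnmatch import fnmatch

# --- Misuse modeling: a signature is an ordered sequence of actions that
#     is known to violate the site policy.
SIGNATURES = {
    "audit-tampering": ["audit_off", "config_change", "audit_on"],
    "repeated-privilege-grant": ["grant_privilege"] * 3,
}

def matches_signature(trail, signature):
    """True if every action of the signature occurs in the trail, in order,
    possibly with unrelated actions in between."""
    if not signature:
        return False
    i = 0
    for action in trail:
        if action == signature[i]:
            i += 1
            if i == len(signature):
                return True
    return False

def misuse_alerts(trail, signatures=SIGNATURES):
    """Names of all signatures found in an audit trail of action names."""
    return [name for name, sig in signatures.items() if matches_signature(trail, sig)]

# --- Specification modeling: list what each program may do; report the rest.
SPEC = {
    "backup": [("read", "/home/*"), ("write", "/backup/*")],
    "logrotate": [("read", "/var/log/*"), ("write", "/var/log/*"), ("unlink", "/var/log/*")],
}

def permitted(spec, program, op, obj):
    """True when (op, obj) matches a (operation, path pattern) entry for the program."""
    return any(op == s_op and fnmatch(obj, pattern) for s_op, pattern in spec.get(program, []))

def specification_violations(records, spec=SPEC):
    """Records are (program, operation, object); return those the spec does not permit."""
    return [r for r in records if not permitted(spec, *r)]

# Constructed audit data
TRAIL = ["login", "audit_off", "ls", "config_change", "audit_on", "logout"]
RECORDS = [
    ("backup", "read", "/home/alice/notes.txt"),
    ("backup", "write", "/backup/2024-01-01.tar"),
    ("backup", "write", "/etc/passwd"),            # outside the backup program's spec
    ("logrotate", "unlink", "/var/log/auth.log.7"),
    ("logrotate", "read", "/home/alice/private.txt"),  # outside logrotate's spec
]

if __name__ == "__main__":
    print("misuse:", misuse_alerts(TRAIL))
    print("specification:", specification_violations(RECORDS))
```

The contrast is the point of the two slides: the misuse detector can only name attacks it already has signatures for, while the specification detector reports the two unexpected file operations without knowing what attack, if any, they belong to.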

Architecture. A, B, C: general-purpose computers. N: network monitor; reports data to the director.

Agent. An agent obtains information from a data source (log file, process, network). Goal: provide the director with information.

Agent. Host-based information gathering: use system and application logs to obtain records of events, and analyze them. Network-based information gathering: use a device and software to monitor network traffic. Combining sources: agents report to the director, and the director draws conclusions from analyzing the combined information.

Director. Eliminates unnecessary and redundant records. Uses an analysis engine to determine if an attack is underway. The director may use aspects of machine learning or planning. Generally, the director uses several techniques.

Notifier. Accepts information from the director. Takes the appropriate action (intrusion response).

Organization of Intrusion Detection Systems. Monitoring network traffic for intrusions: NSM. Combining host and network monitoring: DIDS. Autonomous agents: AAFID.

NSM (Network Security Monitor). Monitoring network traffic for intrusions. Monitors source, destination and network traffic. Assigns a unique ID to each connection.

NSM (Network Security Monitor). Used a traffic matrix; allowed a simple signature-based scheme to look for misuse, with specific rules.
1. NSM served as the basis for a large number of intrusion detection systems.
2. NSM proved that performing intrusion detection on a network was practical.
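An NSM-style monitor reduced to the three ideas on these slides: a unique ID per connection, a source/destination traffic matrix, and one simple signature rule. This is an added example and not NSM's own code; the packets, the hosts and the table of ports each host is expected to serve are constructed, and the rule (flag a new connection to a port a monitored host does not serve) is one illustrative rule of the kind NSM's rule set contained.

```python
"""NSM-style network monitor: connection IDs, traffic matrix, simple rule.
Added example; packets and the expected-port table are constructed."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    nbytes: int

class NetworkMonitor:
    def __init__(self, expected_ports):
        self.expected_ports = expected_ports  # host -> ports it is expected to serve
        self.connections = {}                 # 5-tuple (first direction seen) -> ID
        self.matrix = defaultdict(int)        # (src host, dst host) -> bytes seen
        self.alerts = []                      # (connection ID, rule, detail)

    def connection_id(self, p):
        """Return (ID, is_new); both directions of a 5-tuple share one ID."""
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        for key in (fwd, rev):
            if key in self.connections:
                return self.connections[key], False
        cid = len(self.connections) + 1
        self.connections[fwd] = cid
        return cid, True

    def observe(self, p):
        """Record one packet: update the matrix and apply the rule once per connection."""
        cid, new = self.connection_id(p)
        self.matrix[(p.src, p.dst)] += p.nbytes
        served = self.expected_ports.get(p.dst)
        if new and served is not None and p.dport not in served:
            self.alerts.append((cid, "unexpected-port",
                                f"{p.src} -> {p.dst}:{p.dport}/{p.proto}"))
        return cid

# Constructed site table and packet capture
EXPECTED_PORTS = {"10.0.0.5": {22, 80}, "10.0.0.9": {25}}
PACKETS = [
    Packet("10.0.0.20", "10.0.0.5", 51000, 80, "tcp", 400),
    Packet("10.0.0.5", "10.0.0.20", 80, 51000, "tcp", 9000),  # reply on the same connection
    Packet("10.0.0.20", "10.0.0.9", 51001, 25, "tcp", 1200),
    Packet("10.0.0.33", "10.0.0.5", 40000, 23, "tcp", 60),    # 10.0.0.5 does not serve port 23
    Packet("10.0.0.33", "10.0.0.5", 40000, 23, "tcp", 60),    # retransmission: same ID, no second alert
]

def run(packets=PACKETS, expected=EXPECTED_PORTS):
    """Feed the capture through a monitor and return it for inspection."""
    mon = NetworkMonitor(expected)
    for p in packets:
        mon.observe(p)
    return mon

if __name__ == "__main__":
    mon = run()
    print("connections:", mon.connections)
    print("matrix:", dict(mon.matrix))
    print("alerts:", mon.alerts)
```

Normalising both directions of a 5-tuple onto one ID is what lets the matrix and the rule talk about connections rather than packets, which is the abstraction NSM introduced.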

DIDS (Distributed Intrusion Detection System). Combining host and network monitoring. DIDS used a centralized analysis engine and required that agents be placed on the systems being monitored. Problem: changing identity as an intruder moves from host to host.

DIDS (Distributed Intrusion Detection System). The expert system's six layers:
1. Log records are all visible.
2. Abstract relevant information from the log records.
3. Define a subject that captures all events associated with a single user.
4. Add contextual information.
5. Deal with network threats, which are combinations of events in context.
6. Assign a score, 1~100, representing the security state of the network.

AAFID (Autonomous Agents For Intrusion Detection). An autonomous agent is a process that can act independently of the system of which it is a part. AAFID's strength is in the cooperation of the agents. Each agent has its own internal model.

AAFID (Autonomous Agents For Intrusion Detection). If one agent is compromised, the others can continue. Agents are made small and simple. Drawback: the overhead of communication, and an attendant increase in overhead. Communication must be secured.

Intrusion Response. The goal is to handle the attack so that damage is minimized.
1. Incident prevention
2. Intrusion handling

Incident Prevention. Ideally, an attack is detected and stopped before the intrusion succeeds. It involves closely monitoring the system. The attack must be identified before it completes. Multilevel systems are an excellent place for this. Anomaly-based methods can detect in real time.

Intrusion Handling. Six phases: preparation for an attack; identification of an attack; containment of the attack; eradication of the attack; recovery from the attack; follow-up to the attack.

Containment phase. Two approaches:
1. Passively monitoring the attack: simply record the attacker's actions.
2. Constraining access: confine the data or resources.

Eradication phase. Eradication means stopping the attack: deny access or terminate the process. Wrapper: placed around suspected targets; the wrapper can control access. Firewall: the firewall sits between an internal network and external networks and controls access. IDIP protocol: a protocol for coordinated responses to attacks.

Follow-up phase. Counterattacking:
1. A legal mechanism
2. A technical attack
Considerations:
1. The counterattack may harm an innocent party.
2. The counterattack may have side effects.
3. Counterattack is antithetical to the shared use of a network.
4. The counterattack may be legally actionable.