Ch.22 INTRUSION DETECTION 120060373 이상일
Principles: systems that are not under attack exhibit three characteristics. 1. The actions of users and processes conform to a statistically predictable pattern. 2. The actions of users and processes do not include command sequences that subvert the security policy. 3. The actions of processes conform to a set of specifications describing what each process is allowed to do. Each characteristic gives rise to one detection model (anomaly, misuse, specification).
Basic Intrusion Detection: attack tools. An attack tool is an automated script designed to violate a security policy. Attack tools do not change the nature of intrusion detection fundamentally: the actions they perform are still the actions that must be detected, they are only carried out faster and by less skilled attackers.
Goals of intrusion detection: detect a wide variety of intrusions; detect intrusions in a timely fashion; present the analysis in a simple, easy-to-understand format; be accurate (few false positives and few false negatives).
Models: anomaly modeling, misuse modeling, specification modeling.
Anomaly modeling: analyze a set of characteristics of the system, compare the observed behavior with a set of expected values, and report when the computed statistics do not match the expected measurements.
Anomaly modeling, three kinds of metric: 1. Threshold metric: a minimum and a maximum are set for a count of events; a count outside that range is abnormal. 2. Statistical moments: the mean, standard deviation and other measures of correlation describe expected behavior; a value too far from the mean is abnormal. 3. Markov model: the system is described by states and the probabilities of transitions between them; an observed transition with very low (or zero) probability is abnormal.
Misuse modeling: detection determines whether a sequence of instructions being executed is known to violate the site security policy. If so, it reports a potential intrusion. Misuse detection needs a description (signature) of each known attack and cannot detect attacks for which it has no signature.
Misuse modeling, two systems: IDIOT monitors the audit log and matches attack signatures expressed as colored Petri nets; STAT models the system as a set of states and an attack as a sequence of transitions that change those states.
Specification modeling: determine whether or not a sequence of instructions violates a specification of how a program, or the system, should execute. If so, it reports a potential intrusion. Unlike misuse modeling it needs no attack signatures; it needs a specification of allowed behavior for each monitored program.
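The three models above, run over one constructed audit log. This is an added example, not code from the slides or from the textbook; the record layout, the program names, the failure threshold, the z-score cutoff and the httpd file specification are all assumptions chosen for illustration, and real audit trails (BSM, auditd, syslog) look different.

```python
"""Anomaly, misuse and specification detection over one constructed audit log.

Added example, not from the original slides. Record layout, thresholds and
the httpd specification are assumptions for illustration only.
"""
import statistics
from collections import Counter

# Constructed audit trail, in order: (user, program, action, argument).
# The argument is a path for opens, "source destination" for copies and
# "mode path" for chmod.
AUDIT_LOG = [
    ("alice", "login", "login_fail", "-"),
    ("alice", "login", "login_ok", "-"),
    ("alice", "httpd", "open", "/var/www/index.html"),
    ("alice", "httpd", "open", "/var/log/httpd.log"),
    ("bob", "login", "login_fail", "-"),
    ("bob", "login", "login_fail", "-"),
    ("bob", "login", "login_fail", "-"),
    ("bob", "login", "login_fail", "-"),
    ("bob", "login", "login_ok", "-"),
    ("bob", "cp", "copy", "/bin/sh /tmp/.x"),
    ("bob", "chmod", "chmod", "4755 /tmp/.x"),
    ("mallory", "httpd", "open", "/etc/shadow"),
]

# Assumed training window: failed logins per user per day on quiet days.
BASELINE_FAILS = [0, 1, 0, 0, 2, 1, 0, 1, 0, 1]


def login_failures(log):
    """Count login_fail records per user."""
    return Counter(user for user, _, action, _ in log if action == "login_fail")


# --- Anomaly modeling ------------------------------------------------------
def threshold_alarms(log, limit=3):
    """Threshold metric: more than `limit` failures in the window is abnormal."""
    return sorted(u for u, n in login_failures(log).items() if n > limit)


def zscore_alarms(log, baseline=BASELINE_FAILS, cutoff=3.0):
    """Statistical moments: compare each user's count with the mean and
    standard deviation of the baseline; a z-score above `cutoff` is abnormal."""
    mu, sigma = statistics.mean(baseline), statistics.pstdev(baseline)
    return sorted(u for u, n in login_failures(log).items()
                  if (n - mu) / sigma > cutoff)


# --- Misuse modeling --------------------------------------------------------
def misuse_setuid_shell(log):
    """STAT-style state transition signature: state 0 -(copy of /bin/sh)->
    state 1 -(chmod setuid on that copy)-> alarm. State is kept per user."""
    pending = {}  # user -> path of the shell copy (machine is in state 1)
    alarms = []
    for user, _, action, arg in log:
        if action == "copy" and arg.startswith("/bin/sh "):
            pending[user] = arg.split()[1]
        elif action == "chmod" and user in pending:
            mode, path = arg.split()
            if path == pending[user] and int(mode, 8) & 0o4000:
                alarms.append((user, path))
                del pending[user]
    return alarms


# --- Specification modeling -------------------------------------------------
HTTPD_SPEC = ("/var/www/", "/var/log/")  # assumed: the only trees httpd may open


def spec_violations(log, program="httpd", allowed=HTTPD_SPEC):
    """Any open by `program` outside its specified trees is reported,
    whether or not the sequence matches a known attack."""
    return [(user, arg) for user, prog, action, arg in log
            if prog == program and action == "open"
            and not arg.startswith(allowed)]


if __name__ == "__main__":
    print("threshold :", threshold_alarms(AUDIT_LOG))     # ['bob']
    print("z-score   :", zscore_alarms(AUDIT_LOG))        # ['bob']
    print("misuse    :", misuse_setuid_shell(AUDIT_LOG))  # [('bob', '/tmp/.x')]
    print("spec      :", spec_violations(AUDIT_LOG))      # [('mallory', '/etc/shadow')]
```

Note what each model catches and misses: both anomaly metrics flag bob's burst of failed logins but say nothing about the setuid shell, the misuse signature catches the setuid shell only because that exact sequence was written down, and the specification catches mallory's read of /etc/shadow without any signature at all.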
Architecture (figure): A, B and C are general-purpose computers, each running a host agent; N is a network monitor. All of them report data to the director.
Agent: an agent obtains information from a data source (log file, process, network). Its goal is to provide the director with information.
Agent, three ways of gathering information: 1. Host-based: use system and application logs to obtain a record of events, and analyze it. 2. Network-based: use a device and software to monitor network traffic. 3. Combining sources: two or more agents report to the director, and the director draws a conclusion by analyzing the combined information.
Director: eliminates unnecessary and redundant records, then uses an analysis engine to determine whether an attack is underway. The analysis engine may use aspects of machine learning or planning; generally a director combines several techniques.
Notifier: accepts information from the director and takes the appropriate action (the intrusion response).
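The agent, director and notifier components above, wired together over constructed input. This is an added example, not code from the slides: the sshd-style log lines, the flow records, the "three failures and two probed hosts" rule in the director and the firewall-rule text the notifier emits are all assumptions chosen to show how a director combines a host source and a network source and drops a duplicate record.

```python
"""Agent / director / notifier pipeline.

Added example, not from the original slides. Log formats, thresholds and
the response action are assumptions for illustration only.
"""
import re
from collections import defaultdict

# Constructed host log lines (sshd-like); the third line is a duplicate.
HOST_LOG = [
    "sshd: Failed password for root from 10.0.0.9 port 50001",
    "sshd: Failed password for root from 10.0.0.9 port 50002",
    "sshd: Failed password for root from 10.0.0.9 port 50002",
    "sshd: Failed password for admin from 10.0.0.9 port 50003",
    "sshd: Accepted password for alice from 10.0.0.5 port 40001",
]
# Constructed flow records seen by the network monitor: (src, dst, dst_port).
FLOWS = [
    ("10.0.0.9", "10.0.0.1", 22), ("10.0.0.9", "10.0.0.2", 22),
    ("10.0.0.9", "10.0.0.3", 22), ("10.0.0.5", "10.0.0.1", 22),
]

FAIL_RE = re.compile(r"Failed password for (\S+) from (\S+) port (\d+)")


def host_agent(lines):
    """Host-based agent: turns raw log lines into normalised records."""
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            yield {"src": "host", "kind": "auth_fail",
                   "user": m.group(1), "ip": m.group(2), "port": m.group(3)}


def network_agent(flows):
    """Network-based agent: reports every SSH connection attempt it sees."""
    for src, dst, port in flows:
        if port == 22:
            yield {"src": "net", "kind": "ssh_conn", "ip": src, "dst": dst}


class Director:
    """Drops redundant records, then combines both sources into a conclusion."""

    def __init__(self, fail_limit=3, host_limit=2):
        self.seen = set()
        self.fails = defaultdict(int)      # ip -> failed logins on this host
        self.targets = defaultdict(set)    # ip -> hosts it opened SSH to
        self.fail_limit, self.host_limit = fail_limit, host_limit

    def ingest(self, record):
        key = tuple(sorted(record.items()))
        if key in self.seen:               # redundant record: discard it
            return None
        self.seen.add(key)
        if record["kind"] == "auth_fail":
            self.fails[record["ip"]] += 1
        elif record["kind"] == "ssh_conn":
            self.targets[record["ip"]].add(record["dst"])
        return record

    def conclusions(self):
        """An attack is underway when one source both fails repeatedly here
        and is probing several other hosts (neither fact alone suffices)."""
        return sorted(ip for ip in self.fails
                      if self.fails[ip] >= self.fail_limit
                      and len(self.targets[ip]) >= self.host_limit)


class Notifier:
    """Takes the response chosen for the director's conclusion."""

    def __init__(self):
        self.actions = []

    def respond(self, ips):
        for ip in ips:
            # Assumed response: hand a drop rule to the firewall.
            self.actions.append(f"drop from {ip} to port 22")
        return self.actions


def run(host_lines=HOST_LOG, flows=FLOWS):
    """Returns (records kept after de-duplication, attacker IPs, actions)."""
    director, kept = Director(), 0
    for rec in list(host_agent(host_lines)) + list(network_agent(flows)):
        if director.ingest(rec) is not None:
            kept += 1
    attackers = director.conclusions()
    return kept, attackers, Notifier().respond(attackers)


if __name__ == "__main__":
    print(run())  # (7, ['10.0.0.9'], ['drop from 10.0.0.9 to port 22'])
```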
Organization of Intrusion Detection Systems: monitoring network traffic for intrusions (NSM); combining host and network monitoring (DIDS); autonomous agents (AAFID).
NSM (Network Security Monitor): monitors network traffic for intrusions. It records source, destination and service of each connection, groups the traffic into a connection matrix, and assigns a unique ID to each connection.
NSM (Network Security Monitor): the connection matrix allows simple signature-based rules to look for misuse, for example a specific rule per service. Its significance: 1. NSM served as the basis for a large number of later intrusion detection systems. 2. NSM proved that performing intrusion detection on network traffic was practical.
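An NSM-style connection matrix built from constructed packets. This is an added example, not NSM's own code: the packet tuples, the expected-traffic set, the tftp signature rule and the scan threshold are assumptions chosen to show how grouping traffic into (source, destination, service) connections with unique IDs lets one matrix serve both an expected-traffic check and simple signature rules.

```python
"""NSM-style connection matrix with simple rules.

Added example, not NSM's code. Packets, the expected set, the signature
table and the scan threshold are assumptions for illustration only.
"""
from collections import defaultdict
from itertools import count

# Constructed packets as the monitor sees them: (src, dst, service).
PACKETS = [
    ("10.1.1.5", "10.1.1.20", "smtp"), ("10.1.1.5", "10.1.1.20", "smtp"),
    ("10.1.1.6", "10.1.1.20", "http"),
    ("192.0.2.7", "10.1.1.20", "telnet"), ("192.0.2.7", "10.1.1.20", "ftp"),
    ("192.0.2.7", "10.1.1.20", "finger"), ("192.0.2.7", "10.1.1.20", "tftp"),
]
# Assumed baseline: the connections normally seen on this segment.
EXPECTED = {("10.1.1.5", "10.1.1.20", "smtp"), ("10.1.1.6", "10.1.1.20", "http")}
# Assumed signature rules keyed by service.
SIGNATURES = {"tftp": "tftp to an internal host"}


def build_matrix(packets):
    """Group packets into connections keyed by (src, dst, service); every new
    connection gets the next unique ID and a packet count."""
    ids, matrix = count(1), {}
    for key in packets:
        if key not in matrix:
            matrix[key] = {"id": next(ids), "packets": 0}
        matrix[key]["packets"] += 1
    return matrix


def analyse(matrix, expected=EXPECTED, signatures=SIGNATURES, scan_limit=3):
    """Report (connection id, kind, detail) for connections outside the
    expected set, connections matching a signature, and one source that
    touches `scan_limit` or more services on a single destination."""
    reports, per_pair = [], defaultdict(set)
    for (src, dst, svc), conn in sorted(matrix.items(), key=lambda kv: kv[1]["id"]):
        per_pair[(src, dst)].add(svc)
        if (src, dst, svc) not in expected:
            reports.append((conn["id"], "unexpected", f"{src}->{dst}/{svc}"))
        if svc in signatures:
            reports.append((conn["id"], "signature", signatures[svc]))
    for (src, dst), svcs in per_pair.items():
        if len(svcs) >= scan_limit:  # scan spans connections, so no single id
            reports.append((0, "scan", f"{src} touched {len(svcs)} services on {dst}"))
    return reports


if __name__ == "__main__":
    for r in analyse(build_matrix(PACKETS)):
        print(r)
```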
DIDS (Distributed Intrusion Detection System): combines host and network monitoring. DIDS used a centralized analysis engine and required that agents be placed on the systems being monitored. The problem it had to solve: an intruder's identity changes as the intruder moves from host to host (logging in under different names), so events on different hosts must be tied back to one network-wide user.
DIDS (Distributed Intrusion Detection System): the expert system has six layers. 1. Log records: all records are visible at this layer. 2. Event: abstract the relevant information from each log record. 3. Subject: define a subject (a network user ID) that captures all events associated with a single user, whatever local names that user has on each host. 4. Context: add contextual information (time, place). 5. Threat: deal with network threats, which are combinations of events in context. 6. Security state: assign a score, 1 to 100, representing the security state of the network.
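The subject layer of DIDS is the part worth seeing in code: a user who logs in to host A, rlogins to host B under another name and then to host C as root must end up under one network user ID. The example below is added here and is not DIDS's code; the event records, the rule used to link an incoming login with an outgoing rlogin, and the weights that turn events into a 1 to 100 score are assumptions chosen for illustration.

```python
"""DIDS-style subject layer: one network user ID (NID) per user across hosts.

Added example, not DIDS's code. Events, the linking rule and the scoring
weights are assumptions for illustration only.
"""
from collections import defaultdict

# Constructed events in arrival order at the director:
# (host, event, local user, detail). For "rlogin" the detail is the
# destination "host:user"; for "login" it is "console" or the source host.
EVENTS = [
    ("A", "login", "bob", "console"),
    ("A", "rlogin", "bob", "B:tom"),       # bob leaves A for B, becoming tom
    ("B", "login", "tom", "A"),            # B reports tom logging in from A
    ("B", "rlogin", "tom", "C:root"),
    ("C", "login", "root", "B"),
    ("C", "write", "root", "/etc/passwd"),
    ("A", "login", "carol", "console"),
]

# Assumed scoring weights: each host hop and each sensitive write add to
# the subject's score, which is capped at 100.
WEIGHTS = {"hop": 15, "write:/etc/passwd": 60}


def assign_nids(events):
    """Return ((host, user) -> NID, NID -> list of (host, event, detail)).

    Linking rule (assumed): a login on host X as user U from host Y is tied
    to the NID of whoever most recently issued an rlogin from Y to X:U."""
    nids, pending, by_nid = {}, {}, defaultdict(list)
    next_nid = 1
    for host, ev, user, detail in events:
        if ev == "login":
            link = pending.pop((host, user), None)
            if link and link[1] == detail:         # came from the expected host
                nids[(host, user)] = link[0]
                by_nid[link[0]].append((host, "hop", detail))
            else:                                  # new subject
                nids[(host, user)] = next_nid
                by_nid[next_nid].append((host, "login", detail))
                next_nid += 1
        else:
            nid = nids[(host, user)]
            by_nid[nid].append((host, ev, detail))
            if ev == "rlogin":
                dst_host, dst_user = detail.split(":")
                pending[(dst_host, dst_user)] = (nid, host)
    return nids, dict(by_nid)


def score(by_nid, weights=WEIGHTS):
    """Layer 6: one score per subject, 0 meaning nothing of note, capped at 100."""
    scores = {}
    for nid, evs in by_nid.items():
        total = 0
        for _, ev, detail in evs:
            if ev == "hop":
                total += weights["hop"]
            total += weights.get(f"{ev}:{detail}", 0)
        scores[nid] = min(100, total)
    return scores


if __name__ == "__main__":
    nids, by_nid = assign_nids(EVENTS)
    print(nids)            # bob, tom and root on A, B, C all map to NID 1; carol is NID 2
    print(score(by_nid))   # {1: 90, 2: 0}
```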
AAFID (Autonomous Agents For Intrusion Detection): an autonomous agent is a process that can act independently of the system of which it is a part. AAFID's strength lies in the cooperation of the agents; each agent has its own internal model and reports to the others.
AAFID (Autonomous Agents For Intrusion Detection): if one agent is compromised, the others can continue. Making the agents small and simple keeps each one easy to verify. Drawback: the overhead of communication among agents, and an attendant increase in overhead on each host; the communication must also be secured, or an attacker can feed the agents false information.
Intrusion Response: the goal is to handle the attack so that the damage is minimized. Two parts: 1. Incident prevention. 2. Intrusion handling.
Incident prevention: ideally an attack is detected and stopped before the intrusion succeeds. This involves closely monitoring the system, and the attack must be identified before it completes. Multilevel secure systems are an excellent place to do this, and anomaly-based methods can detect an attack in real time while it is still in progress.
Intrusion handling, six phases: 1. Preparation for an attack. 2. Identification of an attack. 3. Containment of the attack. 4. Eradication of the attack. 5. Recovery from the attack. 6. Follow-up to the attack.
Containment phase, two approaches: 1. Passively monitoring the attack: simply record the attacker's actions (gains information, but the damage continues). 2. Constraining access: confine the attacker to a limited set of data or resources.
Eradication phase: eradication means stopping the attack, usually by denying access or terminating the attacking process. Three mechanisms: Wrapper: placed around a suspected target, the wrapper controls access to it. Firewall: the firewall sits between an internal network and external networks and controls access between them. IDIP (Intruder Detection and Isolation Protocol): a protocol for coordinated responses to an attack across several boundary controllers.
Follow-up phase: counterattacking. Two forms: 1. A legal mechanism (report the attack, pursue the attacker through the legal system). 2. A technical attack against the attacker. Considerations before a technical counterattack: 1. The counterattack may harm an innocent party (the attacking host is often itself compromised). 2. The counterattack may have side effects beyond its target. 3. A counterattack is antithetical to the shared use of a network. 4. The counterattack may itself be legally actionable.