Intrusion Detection Systems

Presentation transcript:

Intrusion Detection Systems Casey Wilson

Outline
- Start reserving your topology
- Learning goals
- Background
- Variations

Reserve topology
Go to: https://goo.gl/zZF5j7
Use RSPEC: http://mountrouidoux.people.cofc.edu/CyberPaths/files/IDSLabEasyRSpec.txt

Learning Goals
- Set up an IDS and verify that it functions properly
- Study and understand IDS logs
- Apply concepts of intrusion detection in a real scenario
- Create a custom Intrusion Detection System (IDS) rule

Intrusion Detection Systems and Mitigation
Goals:
- Install Snort IDS on monitor machine
- Duplicate all traffic to monitor
- Create a custom alert for Snort IDS
- Use mitigation script
- Drop malicious traffic
(Diagram: Attacker sends spoofed SYN; Server sends SYN-ACK to the spoofed client; Server resends SYN-ACK)

Background
- Intrusion Detection and Prevention Systems
- Computer Networks
- Software Defined Networks
- Command Line
- GENI
- DoS

Detection via Signatures
Signature checking: does the packet match some signature?
- Payload, e.g., shellcode
- Header, e.g., SYN
Problem: not so great for zero-day attacks -- Q: WHY?

DDoS TCP SYN Flood
Insights:
- Traffic pattern
- Spoofed IPs
(Diagram: Attacker sends spoofed SYN; Server sends SYN-ACK to the spoofed client; Server resends SYN-ACK)

Snort
- Open source IDS
- Signature detection
- Lots of available rulesets
Example rule:
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
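To make the signature-checking idea from the previous two slides concrete, here is an added example (not code from the slides or from Snort) that parses the rule above, decodes its content option (text between pipes is hex, the rest is literal) and matches it against a few constructed packets. The network variables $EXTERNAL_NET and $SQL_SERVERS are assigned assumed values, the flow option is ignored, and the packets and payloads are constructed for the example.

```python
import ipaddress

# The Snort rule from the slide; everything else in this file is the example's
# own parsing/matching logic, not Snort's code.
RULE = ('alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 '
        '(msg:"MYSQL root login attempt"; flow:to_server,established; '
        'content:"|0A 00 00 01 85 04 00 00 80|root|00|"; '
        'classtype:protocol-command-decode; sid:1775; rev:2;)')

# Assumed values for the rule variables (in a real deployment they come from
# snort.conf); $EXTERNAL_NET is left wide open here, like Snort's default.
VARS = {
    '$EXTERNAL_NET': ipaddress.ip_network('0.0.0.0/0'),
    '$SQL_SERVERS': ipaddress.ip_network('10.0.0.0/24'),
}


def parse_rule(rule):
    """Split a Snort rule into its header fields and an option dictionary."""
    head, _, body = rule.partition('(')
    action, proto, src, sport, _, dst, dport = head.split()
    options = {}
    for opt in body.rstrip(')').split(';'):
        if not opt.strip():
            continue
        key, _, val = opt.partition(':')
        options[key.strip()] = val.strip().strip('"')
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dst': dst, 'dport': dport, 'options': options}


def content_to_bytes(content):
    """Decode a Snort content string: segments between pipes are hex, the rest literal."""
    out = bytearray()
    for i, part in enumerate(content.split('|')):
        if i % 2:                                   # odd segments sit inside |...|
            out += bytes.fromhex(part.replace(' ', ''))
        else:
            out += part.encode('latin-1')
    return bytes(out)


def addr_matches(spec, ip):
    return spec == 'any' or ipaddress.ip_address(ip) in VARS[spec]


def port_matches(spec, port):
    return spec == 'any' or int(spec) == port


def packet_matches(rule, pkt):
    """Cheap header check first, then the payload signature."""
    r = parse_rule(rule)
    if pkt['proto'] != r['proto']:
        return False
    if not (addr_matches(r['src'], pkt['src']) and port_matches(r['sport'], pkt['sport'])
            and addr_matches(r['dst'], pkt['dst']) and port_matches(r['dport'], pkt['dport'])):
        return False
    return content_to_bytes(r['options']['content']) in pkt['payload']


# Constructed packets: the first carries the exact byte sequence the rule names;
# the second is a login for a different user name (no signature for it, so it is
# silent, which is the zero-day problem in miniature); the third has the same
# bytes but goes to a non-MySQL port, so the header check rejects it.
PACKETS = [
    {'proto': 'tcp', 'src': '198.51.100.7', 'sport': 40001, 'dst': '10.0.0.5', 'dport': 3306,
     'payload': b'\x0a\x00\x00\x01\x85\x04\x00\x00\x80root\x00' + b'\x00' * 23},
    {'proto': 'tcp', 'src': '198.51.100.7', 'sport': 40002, 'dst': '10.0.0.5', 'dport': 3306,
     'payload': b'\x0a\x00\x00\x01\x85\x04\x00\x00\x80alice\x00' + b'\x00' * 23},
    {'proto': 'tcp', 'src': '198.51.100.7', 'sport': 40003, 'dst': '10.0.0.5', 'dport': 8080,
     'payload': b'\x0a\x00\x00\x01\x85\x04\x00\x00\x80root\x00'},
]


def scan(rule, packets):
    """Return (packet index, rule msg) for every packet the signature fires on."""
    msg = parse_rule(rule)['options']['msg']
    return [(i, msg) for i, p in enumerate(packets) if packet_matches(rule, p)]


if __name__ == '__main__':
    for i, msg in scan(RULE, PACKETS):
        print(f'packet {i}: {msg}')
```

Only packet 0 fires. The second packet shows the limit of signatures that the slide asks about: a request the rule author never wrote a byte pattern for produces no alert at all, which is why anomaly- or behaviour-based detection is paired with signatures in the lab.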

Variations
Two levels: one uses OpenFlow and one does not
Different attacks:
- Slowloris
- Privilege escalation
Advanced level: use the power of SDN to detect and mitigate the port(s) from which the DoS is coming

Questions? And one last thing… go to the next slide. Let's experiment!

Correlation and Mitigation
- Use monitor to alert correlator
- Correlator is logic that communicates with the controller and gathers info about the attack
- Correlator decides, based on controller info, if there is an attack
- Correlator logic is implemented in Python

Monitor
- Listen for IDS alerts
- Alert threshold = # SYN packets / sec
- Send alert flag to correlator
- Send IPs of selected SYN packets to correlator
- Flag can be attack type

Monitor – real time snort alert monitoring

Monitor – send alert to correlator
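The two monitor slides above correspond to code screenshots that did not survive extraction. The following is an added example of the monitor logic, written for this page and not the lab's own script: it parses Snort "fast" alert lines, counts SYN-flood alerts per second against a threshold, and builds the JSON message (flag plus source IPs) the monitor would hand to the correlator. The alert lines are constructed and assume a custom rule with sid 1000001; no real capture is involved.

```python
import json
import re
from collections import defaultdict

# Constructed alert_fast lines for an assumed custom rule (sid 1000001).
# Six alerts fall in second 10:15:02 (one source repeats), two in 10:15:03.
SAMPLE_ALERTS = """\
04/21-10:15:02.103311  [**] [1:1000001:1] SYN flood attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.10:40001 -> 10.0.0.2:80
04/21-10:15:02.104920  [**] [1:1000001:1] SYN flood attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.11:40002 -> 10.0.0.2:80
04/21-10:15:02.106002  [**] [1:1000001:1] SYN flood attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.12:40003 -> 10.0.0.2:80
04/21-10:15:02.107433  [**] [1:1000001:1] SYN flood attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.13:40004 -> 10.0.0.2:80
04/21-10:15:02.108871  [**] [1:1000001:1] SYN flood attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.14:40005 -> 10.0.0.2:80
04/21-10:15:02.110229  [**] [1:1000001:1] SYN flood attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.10:40006 -> 10.0.0.2:80
04/21-10:15:03.201000  [**] [1:1000001:1] SYN flood attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.15:40007 -> 10.0.0.2:80
04/21-10:15:03.402000  [**] [1:1000001:1] SYN flood attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.16:40008 -> 10.0.0.2:80
"""

# Snort alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r'^(?P<sec>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$')

SYN_FLOOD_SID = '1000001'   # assumed sid of the lab's custom SYN rule


def parse_alert(line):
    """Return the alert's fields as a dict, or None for lines that are not alerts."""
    m = ALERT_RE.match(line.rstrip())
    return m.groupdict() if m else None


def monitor(lines, threshold):
    """Count SYN-flood alerts per second; report every second at or above threshold."""
    per_second = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a and a['sid'] == SYN_FLOOD_SID:
            per_second[a['sec']].append(a['src'])
    reports = []
    for sec in sorted(per_second):
        srcs = per_second[sec]
        if len(srcs) >= threshold:
            reports.append({'flag': 'syn_flood', 'second': sec,
                            'count': len(srcs), 'ips': sorted(set(srcs))})
    return reports


def to_correlator_message(report):
    """The JSON message the monitor sends to the correlator (flag + selected IPs)."""
    return json.dumps(report, sort_keys=True)


if __name__ == '__main__':
    # In the lab the monitor would tail Snort's alert file; here it reads the sample.
    for r in monitor(SAMPLE_ALERTS.splitlines(), threshold=5):
        print(to_correlator_message(r))
```

With a threshold of 5 only the 10:15:02 second is reported; the two alerts at 10:15:03 stay below it. Keying the count on the alert's sid rather than its message text keeps the monitor from firing on unrelated rules that mention SYN in their description.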

Correlator
- Hash table based on the original flow table of the OVS switch
- Query this table using the IP addresses from the monitor to look for any unknown IPs
- Additional queries to a second hash table created based on the current flow table

Original Flow Table      Flow Table Snapshot1     Flow Table Snapshot2
Key     Value            Key     Value            Key     Value
port1   IP1              port1   IP1              port1   IP1
port2   IP2              port2   IP12345          port2   IP6789
port3   IP3              port3   IP3              port3   IP3
…       …                …       …                …       …
portn   IPn              portn   IPn              portn   IPn

Correlator – parse and process flowdump

Correlator – block the port of attack
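The correlator slides describe the flow-table hash tables and the port lookup but their code screenshots are missing. Here is an added example of that logic, written for this page rather than taken from the lab: it builds a port-to-IP table from a flow dump, checks the IPs reported by the monitor against the original (pre-attack) table, locates unknown IPs in later snapshots to find the attack port, and emits the drop rule that would block it. The flow dumps are constructed in the style of `ovs-ofctl dump-flows` output and mirror the slide's port1/IP1, port2/IP2, port3/IP3 layout; the bridge name br0 is assumed.

```python
import re

# Constructed flow dumps (ovs-ofctl dump-flows style); only in_port and nw_src
# matter to the correlator. Port 2 belongs to 10.0.0.2 before the attack and
# then shows unknown sources, as in the slide's two snapshots.
ORIGINAL_DUMP = """\
 cookie=0x0, duration=120.4s, table=0, n_packets=812, n_bytes=60088, priority=10,ip,in_port=1,nw_src=10.0.0.1 actions=output:4
 cookie=0x0, duration=118.9s, table=0, n_packets=455, n_bytes=33670, priority=10,ip,in_port=2,nw_src=10.0.0.2 actions=output:4
 cookie=0x0, duration=117.2s, table=0, n_packets=97, n_bytes=7178, priority=10,ip,in_port=3,nw_src=10.0.0.3 actions=output:4
"""
SNAPSHOT_1 = """\
 cookie=0x0, duration=125.4s, table=0, n_packets=830, n_bytes=61420, priority=10,ip,in_port=1,nw_src=10.0.0.1 actions=output:4
 cookie=0x0, duration=2.1s, table=0, n_packets=3104, n_bytes=192448, priority=10,ip,in_port=2,nw_src=192.0.2.10 actions=output:4
 cookie=0x0, duration=122.2s, table=0, n_packets=101, n_bytes=7474, priority=10,ip,in_port=3,nw_src=10.0.0.3 actions=output:4
"""
SNAPSHOT_2 = """\
 cookie=0x0, duration=130.4s, table=0, n_packets=841, n_bytes=62234, priority=10,ip,in_port=1,nw_src=10.0.0.1 actions=output:4
 cookie=0x0, duration=1.7s, table=0, n_packets=2988, n_bytes=185256, priority=10,ip,in_port=2,nw_src=192.0.2.11 actions=output:4
 cookie=0x0, duration=127.2s, table=0, n_packets=104, n_bytes=7696, priority=10,ip,in_port=3,nw_src=10.0.0.3 actions=output:4
"""

FLOW_RE = re.compile(r'in_port=(?P<port>\d+).*?nw_src=(?P<ip>[\d.]+)')


def parse_flowdump(dump):
    """Hash table keyed by switch port: port -> set of source IPs seen on it."""
    table = {}
    for line in dump.splitlines():
        m = FLOW_RE.search(line)
        if m:
            table.setdefault(int(m['port']), set()).add(m['ip'])
    return table


def correlate(monitor_ips, original, snapshots):
    """Decide whether the monitor's IPs constitute an attack and on which port(s).

    An IP in the original (pre-attack) table is a known client and is skipped.
    An IP missing there is unknown; the port it appears on in any later
    snapshot is a suspected attack port.
    """
    known = {ip for ips in original.values() for ip in ips}
    unknown, ports = set(), set()
    for ip in monitor_ips:
        if ip in known:
            continue
        unknown.add(ip)
        for snap in snapshots:
            for port, ips in snap.items():
                if ip in ips:
                    ports.add(port)
    return {'attack': bool(unknown), 'ports': sorted(ports), 'unknown_ips': sorted(unknown)}


def drop_rule(port, priority=200):
    """Flow-mod text (ovs-ofctl add-flow syntax) that drops everything entering `port`."""
    return f'priority={priority},in_port={port},actions=drop'


if __name__ == '__main__':
    original = parse_flowdump(ORIGINAL_DUMP)
    snaps = [parse_flowdump(SNAPSHOT_1), parse_flowdump(SNAPSHOT_2)]
    decision = correlate(['192.0.2.10', '192.0.2.11', '10.0.0.1'], original, snaps)
    print(decision)
    for port in decision['ports']:
        # Printed, not executed: the lab's mitigation script would run this on the switch.
        print('ovs-ofctl add-flow br0', drop_rule(port))
```

The known client 10.0.0.1 is ignored, both unknown sources resolve to port 2, and a single drop rule results. Two things the next slide hints at are visible here: an unknown IP whose flow has already expired from every snapshot is flagged but has no port to block, and the drop rule is per port, so 10.0.0.2's legitimate traffic on port 2 goes down with the attack (the flash-crowd problem).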

Role of SDN in Implementation
- Duplicate flows
- Flow table information detects attacker
- Drop flows to mitigate
- Duplication is implemented with mirroring
- We may mitigate real traffic – flash crowd
- Deep packet inspection
- Second chance

Questions? Let’s experiment!