Intrusion Detection Systems (A preliminary study)
Sireesha Dasaraju, CS526 - Advanced Internet Systems, UCCS
5/1/2006

Slide 2: Goals
- Identify types of network attacks
- Explore IDS details: benefits, categories, detection techniques, performance measurements
- Snort: why Snort, components and operation, Snort rules
- Future enhancements

Slide 3: Network Attacks
With ever-increasing Internet-enabled services, a computer network must be guarded against network attacks. A few network threats:
- Worms: self-propagating malicious code, distributed automatically over network connections
- Viruses: self-replicating code that can be attached to any host application
- Denial of Service: overloading resources so that they become unavailable to legitimate users

Slide 4: IDS Details - Why an IDS?
Firewalls are a valid first step, but not enough:
- Attacks can happen before the firewall's rules are updated.
- Laptops can be infected outside the network and then brought in.
- Wireless access into the network.
Benefits of an IDS:
- Detection of attacks
- Enforcing policies
- Audit trails

Slide 5: IDS Details - Types
Two types of IDS:
- Network-based IDS (NIDS)
  - Analyzes packets crossing a network connection
  - Logs for post-attack analysis
  - Real-time alerts
- Host-based IDS (HIDS)
  - Monitors a single system
  - File integrity checks
  - Analyzes system logs for unusual activity, e.g. multiple login attempts

Slide 6: IDS Details - Detection Techniques
Two techniques:
- Signature based
  - Maintain a store of known attack signatures.
  - Analyze new traffic against the contents of the store.
  - Only known attacks can be detected, so the first occurrence of a new attack is missed.
- Anomaly based
  - Create and maintain a profile of normal behavior.
  - Analyze new traffic against the model profile.
  - New attacks can be detected.

Slide 7: IDS Details - Performance
Performance is measured in terms of:
- False positives
  - Alert generated on traffic that is not an attack.
  - Alert generated on an attack not intended for the system being monitored.
- False negatives
  - Alerts not generated for real attacks.
  - The most dangerous case, since it leads to undetected attacks.

Slide 8: Snort
- Open source, signature-detecting, network-based IDS
- Passive: no changes required on the systems being monitored
- Versatile: can be used as an IDS, an IPS (Intrusion Prevention System), or an inline firewall
- Available for all major operating systems
- Logging to Oracle, SQL, MySQL, PostgreSQL
- Rules are very simple, easy to develop and effective

Slide 9: Snort Packet Processing
- A packet capture library captures raw data from the network card and hands it to Snort.
- Snort decodes the packets based on protocol.
- Preprocessors are applied to normalize the traffic.
- Normalized traffic is passed through the detection engine.
- An alert is generated if the traffic matches a rule.

Slide 10: Snort - Rules
A Snort rule has two parts:
- Header
  - Rule action (log, alert, pass, ...)
  - Protocol (IP, ICMP, TCP, UDP)
  - Source address and port
  - Flow direction
  - Destination address and port
- Body
  - Output message
  - Additional tests
- Example:
  alert tcp /32 any -> any 1:1023 (msg:"eBaying"; uricontent:"ebay.com";)
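To make slides 6, 9 and 10 concrete, here is an added example (written for this page; it is not Snort's code and does not use Snort's internals) that parses rules of the header/body shape the slide describes and runs them as a miniature detection engine over packets. Assumptions of the example: packets are plain dicts with proto, src, sport, dst, dport, payload and uri fields (the decode and preprocessor stages are taken as already done); only the msg, content and uricontent options are understood; a matching pass rule stops evaluation for that packet; address variables such as $HOME_NET are not supported. The slide's example rule lost its source host address in the transcript, so the sample rules below use documentation-range addresses (192.0.2.0/24 and friends) constructed for the example, as are the sample packets.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    """Header fields plus the quoted body options of one rule."""
    action: str        # alert, log, pass
    proto: str         # ip, icmp, tcp, udp
    src: str           # CIDR, "any", or "!CIDR"
    sport: str         # port, "lo:hi" range, "any", or "!port"
    direction: str     # "->" or "<>"
    dst: str
    dport: str
    options: dict = field(default_factory=dict)   # msg, content, uricontent


_OPTION = re.compile(r'(\w+)\s*:\s*"([^"]*)"\s*;')


def parse_rule(text: str) -> Rule:
    """Split a rule into its 7-field header and its body options."""
    header, _, body = text.partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"header needs 7 fields: {header!r}")
    action, proto, src, sport, direction, dst, dport = fields
    if direction not in ("->", "<>"):
        raise ValueError(f"bad flow direction {direction!r}")
    options = dict(_OPTION.findall(body.rstrip().rstrip(")")))
    return Rule(action, proto.lower(), src, sport, direction, dst, dport, options)


def load_rules(texts) -> list:
    return [parse_rule(t) for t in texts]


def _address_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def _port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:                      # "lo:hi", either side may be empty
        lo, hi = spec.split(":", 1)
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def _endpoints_match(rule: Rule, pkt: dict) -> bool:
    forward = (_address_matches(rule.src, pkt["src"]) and _port_matches(rule.sport, pkt["sport"])
               and _address_matches(rule.dst, pkt["dst"]) and _port_matches(rule.dport, pkt["dport"]))
    if rule.direction == "->" or forward:
        return forward
    # "<>" also accepts the reverse direction
    return (_address_matches(rule.src, pkt["dst"]) and _port_matches(rule.sport, pkt["dport"])
            and _address_matches(rule.dst, pkt["src"]) and _port_matches(rule.dport, pkt["sport"]))


def matches(rule: Rule, pkt: dict) -> bool:
    """Header checks first, then the body's content tests (the detection-engine step)."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not _endpoints_match(rule, pkt):
        return False
    content = rule.options.get("content")
    if content is not None and content.encode() not in pkt.get("payload", b""):
        return False
    uri = rule.options.get("uricontent")
    if uri is not None and uri not in pkt.get("uri", ""):
        return False
    return True


def run_detection(rules: list, packets: list) -> list:
    """Return the msg of every alert rule that fires, in packet order."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if not matches(rule, pkt):
                continue
            if rule.action == "pass":        # simplification: pass ends evaluation
                break
            if rule.action == "alert":
                alerts.append(rule.options.get("msg", "<no msg>"))
    return alerts


# Constructed sample rules and packets (documentation-range addresses).
SAMPLE_RULES = [
    'pass tcp 192.0.2.0/24 any -> 192.0.2.10/32 any (msg:"Internal traffic";)',
    'alert tcp 192.0.2.0/24 any -> any 1:1023 (msg:"eBaying"; uricontent:"ebay.com";)',
    'alert tcp any any -> 192.0.2.10/32 21 (msg:"Cleartext FTP admin login"; content:"USER admin";)',
]
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "192.0.2.5", "sport": 40000, "dst": "198.51.100.7", "dport": 80,
     "uri": "/search?q=ebay.com", "payload": b"GET /search?q=ebay.com HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 51515, "dst": "192.0.2.10", "dport": 21,
     "uri": "", "payload": b"USER admin\r\n"},
    {"proto": "udp", "src": "192.0.2.5", "sport": 5353, "dst": "224.0.0.251", "dport": 5353,
     "uri": "", "payload": b"\x00\x00"},
    {"proto": "tcp", "src": "192.0.2.5", "sport": 40001, "dst": "192.0.2.10", "dport": 21,
     "uri": "", "payload": b"USER admin\r\n"},   # internal: swallowed by the pass rule
]

if __name__ == "__main__":
    print(run_detection(load_rules(SAMPLE_RULES), SAMPLE_PACKETS))
```

The fourth packet shows why rule order and the pass action matter: the same FTP payload that alerts from an external source is silenced when it stays inside the monitored network. A real deployment would also need the preprocessor stage the slide mentions (reassembly, URI normalization) before content tests are meaningful.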

Slide 11: Research for Enhancements
Enhancement goals:
- Extend Snort to include an automatic signature generation component.
- Extend Snort to detect anomaly-based intrusions.

Slide 12: Semantics-Aware Signatures
Nemean: automatic generation of intrusion signatures from honeynet packet traces (USENIX Security Symposium 2005).
- Aggregate and transform the packet trace into well-defined data structures, grouping packets into sessions and flows.
- Generate clusters of sessions based on similarity analysis.
- Normal traffic does not result in cluster formation.
- Each generated cluster represents a single attack; slight variations are accounted for.
- An attack signature is generated from each cluster.
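The pipeline on this slide, as an added toy example written for this page: it is not Nemean's code, and the similarity measure (Jaccard over byte 4-grams), the clustering rule (single linkage above a threshold) and the signature extraction (longest common substring of a cluster) are this example's own simplifications of the steps the slide lists. Packets are grouped into sessions keyed by (src, dst, dport); clusters with fewer than min_members sessions are discarded, which is how "normal traffic does not cluster" shows up here. The honeynet trace is constructed: four near-identical probe sessions and three unrelated legitimate sessions.

```python
from collections import defaultdict
from itertools import combinations


def sessionize(packets: list) -> dict:
    """Aggregate packets into sessions keyed by (src, dst, dport)."""
    sessions = defaultdict(bytes)
    for p in packets:
        sessions[(p["src"], p["dst"], p["dport"])] += p["payload"]
    return dict(sessions)


def ngrams(data: bytes, n: int = 4) -> set:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster_sessions(sessions: dict, threshold: float) -> list:
    """Single-linkage clustering: sessions with similarity >= threshold join."""
    keys = list(sessions)
    grams = {k: ngrams(sessions[k]) for k in keys}
    parent = {k: k for k in keys}          # union-find forest

    def find(k):
        while parent[k] != k:
            parent[k] = parent[parent[k]]
            k = parent[k]
        return k

    for a, b in combinations(keys, 2):
        if jaccard(grams[a], grams[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for k in keys:
        groups[find(k)].append(k)
    return list(groups.values())


def longest_common_substring(items: list) -> bytes:
    """Longest byte string present in every item (brute force; inputs are short)."""
    first = min(items, key=len)
    best = b""
    for i in range(len(first)):
        for j in range(len(first), i + len(best), -1):   # only lengths > len(best)
            cand = first[i:j]
            if all(cand in s for s in items):
                best = cand
                break
    return best


def generate_signatures(packets: list, threshold: float = 0.5,
                        min_members: int = 3, min_len: int = 8) -> list:
    """Cluster sessions and turn each real cluster into a content signature."""
    sessions = sessionize(packets)
    signatures = []
    for members in cluster_sessions(sessions, threshold):
        if len(members) < min_members:
            continue                        # isolated session: treated as normal traffic
        common = longest_common_substring([sessions[m] for m in members])
        if len(common) < min_len:
            continue                        # too generic to be a useful signature
        signatures.append({"members": len(members),
                           "ports": sorted({m[2] for m in members}),
                           "content": common})
    return signatures


# Constructed honeynet trace (documentation-range addresses).
SAMPLE_PACKETS = [
    *[{"src": f"203.0.113.{i}", "dst": "192.0.2.10", "dport": 80,
       "payload": f"GET /cgi-bin/status.cgi?host={i} HTTP/1.0\r\n\r\n".encode()}
      for i in range(1, 5)],                # four probes differing only in one digit
    {"src": "198.51.100.5", "dst": "192.0.2.10", "dport": 25,
     "payload": b"EHLO mail.example.org\r\nMAIL FROM:<alice@example.org>\r\nQUIT\r\n"},
    {"src": "198.51.100.6", "dst": "192.0.2.10", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_4.3\r\n"},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
]

if __name__ == "__main__":
    for sig in generate_signatures(SAMPLE_PACKETS):
        print(sig)
```

The three legitimate sessions share almost no 4-grams with each other or with the probes, so they stay singletons and produce nothing, while the four probes collapse into one cluster whose common prefix becomes the content signature; the min_len guard is what keeps a cluster of merely similar HTTP requests from yielding a signature like "GET /" that would fire on everything.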

Slide 13: Anomaly Detection
Payload-based anomaly detection operates in two phases:
- Learning phase: a profile of the expected payload is constructed during normal operation using a byte-frequency distribution analysis of the payload.
- Anomaly detection phase: incoming payload is compared against the profile. The statistical distributions are compared and an alert is generated when the comparison yields a value greater than a threshold.
Resistant to mimicry attacks, since payloads are compared.
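The two phases on this slide, as an added example written for this page (not the author's code and not a reproduction of any published detector): a profile per destination port keeps the running mean and standard deviation of each byte value's frequency, and a new payload is scored with a simplified Mahalanobis distance, sum of |x_i - mean_i| / (sigma_i + alpha), with an alert when the score exceeds a threshold. The distance function, the smoothing constant alpha, the per-port keying and the threshold value are this example's choices, not the slide's; the evaluate helper also counts the false positives and false negatives from slide 7. The training requests and the two test payloads are constructed.

```python
from collections import defaultdict


def byte_frequencies(payload: bytes) -> list:
    """Relative frequency of each of the 256 byte values in a payload."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload) or 1
    return [c / n for c in counts]


class PayloadProfile:
    """Running mean and standard deviation per byte value (Welford's online
    algorithm), so learning continues without storing the payloads."""

    def __init__(self):
        self.n = 0
        self.mean = [0.0] * 256
        self.m2 = [0.0] * 256

    def learn(self, payload: bytes) -> None:
        self.n += 1
        for i, x in enumerate(byte_frequencies(payload)):
            delta = x - self.mean[i]
            self.mean[i] += delta / self.n
            self.m2[i] += delta * (x - self.mean[i])

    def stddev(self, i: int) -> float:
        return (self.m2[i] / (self.n - 1)) ** 0.5 if self.n > 1 else 0.0

    def distance(self, payload: bytes, smoothing: float = 0.01) -> float:
        """Simplified Mahalanobis distance; the smoothing term keeps bytes the
        profile never saw (sigma = 0) from dividing by zero."""
        return sum(abs(x - self.mean[i]) / (self.stddev(i) + smoothing)
                   for i, x in enumerate(byte_frequencies(payload)))


class PayloadAnomalyDetector:
    def __init__(self, threshold: float):
        self.threshold = threshold
        self.profiles = defaultdict(PayloadProfile)   # one profile per service port

    def learn(self, dport: int, payload: bytes) -> None:       # learning phase
        self.profiles[dport].learn(payload)

    def score(self, dport: int, payload: bytes):
        if dport not in self.profiles:
            return None                     # no profile for this service: cannot judge
        return self.profiles[dport].distance(payload)

    def is_anomalous(self, dport: int, payload: bytes) -> bool:   # detection phase
        s = self.score(dport, payload)
        return s is not None and s > self.threshold


def evaluate(detector: PayloadAnomalyDetector, labelled: list) -> dict:
    """False positives / negatives over (dport, payload, is_attack) samples."""
    fp = fn = 0
    for dport, payload, is_attack in labelled:
        alerted = detector.is_anomalous(dport, payload)
        fp += int(alerted and not is_attack)
        fn += int(is_attack and not alerted)
    return {"false_positives": fp, "false_negatives": fn}


# Constructed training traffic: ordinary HTTP requests to one web server.
def make_request(path: str) -> bytes:
    return (f"GET {path} HTTP/1.1\r\nHost: www.example.com\r\n"
            "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n").encode()


TRAIN_PATHS = ["/index.html", "/about.html", "/contact.html", "/products.html",
               "/products/list.html", "/news/2006/01.html", "/images/logo.png",
               "/css/site.css", "/js/app.js", "/login.html"]


def build_detector(threshold: float = 50.0) -> PayloadAnomalyDetector:
    """Threshold chosen for the constructed data; tune it per service in practice."""
    det = PayloadAnomalyDetector(threshold)
    for path in TRAIN_PATHS:
        det.learn(80, make_request(path))
    return det


NORMAL_TEST = make_request("/news/2006/02.html")   # unseen page, same shape
BINARY_TEST = bytes(range(128, 256)) * 2            # nothing like HTTP on port 80

if __name__ == "__main__":
    det = build_detector()
    print(det.score(80, NORMAL_TEST), det.score(80, BINARY_TEST))
    print(evaluate(det, [(80, NORMAL_TEST, False), (80, BINARY_TEST, True)]))
```

The unseen but well-formed request scores low because every byte it contains was already common in training, while the binary payload accumulates 128 byte values the port-80 profile never saw. The smoothing constant sets how hard a never-seen byte is penalised, and the threshold trades false positives against false negatives, which is exactly the performance measure from slide 7.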

Slide 14: Resources
- Snort page
- Anomaly Detection on ITArchitect
- More links to resources are available in the project report.