1 Intrusion Detection
CSSE 490 Computer Security
Mark Ardis, Rose-Hulman Institute
May 4, 2004

2 Acknowledgements
Many of these slides came from Chris Clifton and Matt Bishop, author of Computer Security: Art and Science

3 Intrusion Detection/Response
Characteristics of systems not under attack:
1. Actions of users/processes conform to statistically predictable patterns
2. Actions of users/processes do not include sequences of commands to subvert security policy
3. Actions of processes conform to specifications describing allowable actions
Denning: Systems under attack fail to meet one or more of these characteristics

4 Intrusion Detection
Idea: Attack can be discovered by one of the above being violated
   Problem: Definitions hard to make precise
   Automated attack tools
     Designed to violate security policy
     Example: rootkits: sniff passwords and stay hidden
Practical goals of intrusion detection systems:
   Detect a wide variety of intrusions (known + unknown)
   Detect in a timely fashion
   Present analysis in a useful manner
     Need to monitor many components; proper interfaces needed
   Be (sufficiently) accurate
     Minimize false positives and false negatives

5 IDS Types: Anomaly Detection
Compare characteristics of system with expected values; report when statistics do not match
Threshold metric: when statistics deviate from normal by threshold, sound alarm
   E.g., number of failed logins
Statistical moments: based on mean/standard deviation of observations
   Number of user events in a system
   Time periods of user activity
   Resource usage profiles
Markov model: based on state, expected likelihood of transition to new states
   If a low probability event occurs then it is considered suspicious

6 Anomaly Detection: How do we determine normal?
Capture average over time
   But system behavior isn’t always average
Correlated events
   Events may have dependencies
Machine learning approaches
   Training data obtained experimentally
   Data should reflect normal operation as accurately as possible
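A worked example of the three anomaly detectors named on slide 5, each learning "normal" from a training set first, which is the question slide 6 raises. This is added code, not part of the lecture; the training data, the k = 3 cutoff and the 0.05 minimum transition probability are assumptions chosen for illustration.

```python
"""Anomaly detectors of the kinds named on slides 5 and 6: a threshold
metric, statistical moments (mean / standard deviation of a profile) and a
Markov model of command transitions. All three learn "normal" from a
training set first. Added example; the training data below is constructed,
not measured on a real system."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed training data: failed-login counts per session and the command
# sequence of each session, recorded while the system was believed clean.
TRAINING_FAILED_LOGINS = [0, 1, 0, 2, 1, 0, 0, 1, 1, 0]
TRAINING_SESSIONS = [
    ["login", "ls", "cd", "ls", "vi", "logout"],
    ["login", "ls", "vi", "make", "logout"],
    ["login", "cd", "ls", "cat", "logout"],
    ["login", "ls", "make", "vi", "make", "logout"],
]


def threshold_alarm(failed_logins, limit=3):
    """Threshold metric: alarm once the count reaches a fixed limit."""
    return failed_logins >= limit


class MomentsDetector:
    """Statistical moments: an observation is anomalous when it lies more
    than k standard deviations from the training mean."""

    def __init__(self, samples, k=3.0):
        self.mu = mean(samples)
        self.sigma = pstdev(samples)   # population std. dev. of the profile
        self.k = k

    def is_anomalous(self, value):
        if self.sigma == 0:            # constant profile: any change is anomalous
            return value != self.mu
        return abs(value - self.mu) / self.sigma > self.k


class MarkovDetector:
    """First-order Markov model: P(next command | current command) is
    estimated from the training sessions; a transition whose probability is
    below min_prob (including one never seen) is reported as suspicious."""

    def __init__(self, sessions, min_prob=0.05):
        counts = defaultdict(Counter)
        for session in sessions:
            for cur, nxt in zip(session, session[1:]):
                counts[cur][nxt] += 1
        self.prob = {
            cur: {nxt: n / sum(c.values()) for nxt, n in c.items()}
            for cur, c in counts.items()
        }
        self.min_prob = min_prob

    def transition_probability(self, cur, nxt):
        return self.prob.get(cur, {}).get(nxt, 0.0)

    def suspicious_transitions(self, session):
        return [(cur, nxt) for cur, nxt in zip(session, session[1:])
                if self.transition_probability(cur, nxt) < self.min_prob]


if __name__ == "__main__":
    moments = MomentsDetector(TRAINING_FAILED_LOGINS)
    markov = MarkovDetector(TRAINING_SESSIONS)
    print("threshold, 4 failures:", threshold_alarm(4))
    print("moments, 3 failures:", moments.is_anomalous(3))
    print("markov:", markov.suspicious_transitions(["login", "ls", "chmod", "logout"]))
```

The Markov detector shows the weakness slide 6 warns about: commands are correlated, so a first-order model only captures adjacent pairs, and any command absent from the training sessions is scored as probability zero, which makes the quality of the training data decisive.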

7 IDS Types: Misuse Modeling
Does sequence of instructions violate security policy?
   Problem: How do we know all violating sequences?
Solution: capture known violating sequences
   Generate a rule set for an intrusion signature
But won’t the attacker just do something different?
   Often, no: kiddie scripts, rootkits, …
Alternate solution: state-transition approach
   Known “bad” state transition from attack (e.g., use Petri nets)
   Capture when transition has occurred (user → root)

8 Specification Modeling
Does sequence of instructions violate system specification?
   What is the system specification?
Need to formally specify operations of potentially critical code
   Trusted code
Verify post-conditions met
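A worked example covering both slide 7 (misuse detection by signature rules and by a user → root state transition) and slide 8 (checking a critical program against its specification), run over a small constructed audit log. This is added code, not from the lecture; the key=value record format, the single signature rule, the list of setuid programs and the specification for /usr/bin/passwd are all assumptions made for the example.

```python
"""Misuse (signature and state-transition) detection from slide 7 and
specification-based detection from slide 8, run over a constructed audit
log. Added example; the record format (key=value fields), the rule set,
the setuid list and the specification below are all assumptions."""
import re

# Constructed audit records: time, user, effective uid, the program acting,
# and the operation it performed. Not real log data.
AUDIT_LOG = [
    "t=1 user=alice euid=1000 prog=/bin/bash op=exec:/bin/ls",
    "t=2 user=alice euid=1000 prog=/bin/bash op=exec:/usr/bin/passwd",
    "t=3 user=alice euid=0 prog=/usr/bin/passwd op=open:/etc/shadow",
    "t=4 user=alice euid=0 prog=/usr/bin/passwd op=exec:/bin/sh",
    "t=5 user=bob euid=1000 prog=/bin/bash op=exec:/tmp/x",
    "t=6 user=bob euid=0 prog=/tmp/x op=exec:/bin/sh",
]

# Misuse, signature style: one rule per known-bad pattern (hypothetical rule).
SIGNATURES = {
    "exec-from-tmp": re.compile(r"^exec:/tmp/"),
}

# Misuse, state-transition style: programs through which a user -> root
# transition is legitimate (assumed list).
SETUID_PROGRAMS = {"/usr/bin/passwd", "/usr/bin/sudo"}

# Specification model: the operations a critical program is allowed to
# perform (assumed specification for this example).
SPEC = {
    "/usr/bin/passwd": {"open:/etc/passwd", "open:/etc/shadow", "exec:/usr/bin/passwd"},
}


def parse(line):
    return dict(field.split("=", 1) for field in line.split())


def signature_alerts(records):
    """Match each record against every signature; report (time, rule name)."""
    return [(r["t"], name) for r in records
            for name, rx in SIGNATURES.items() if rx.search(r["op"])]


def transition_alerts(records):
    """Track each user's state (euid); flag a transition to root that did not
    go through a known setuid program."""
    last_euid, alerts = {}, []
    for r in records:
        euid = int(r["euid"])
        prev = last_euid.get(r["user"], euid)   # first sighting sets the state
        if prev != 0 and euid == 0 and r["prog"] not in SETUID_PROGRAMS:
            alerts.append((r["t"], r["user"]))
        last_euid[r["user"]] = euid
    return alerts


def spec_alerts(records):
    """Flag operations outside the program's specification."""
    return [(r["t"], r["prog"], r["op"]) for r in records
            if r["prog"] in SPEC and r["op"] not in SPEC[r["prog"]]]


def run_all(lines=AUDIT_LOG):
    records = [parse(line) for line in lines]
    return {"signature": signature_alerts(records),
            "transition": transition_alerts(records),
            "spec": spec_alerts(records)}


if __name__ == "__main__":
    for kind, alerts in run_all().items():
        print(kind, alerts)
```

Each detector catches a different record: the signature fires on the exec from /tmp at t=5, the state-transition model fires when bob becomes root through a program that is not a known setuid binary at t=6, and the specification model fires at t=4 because passwd, although legitimately running as root, performs an operation its specification does not allow. Alice's root transition at t=3 is not reported, since it went through a listed setuid program, which is exactly why slide 8 needs the specification check as well.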

9 IDS Systems
Anomaly Detection
   Intrusion Detection Expert System (IDES) – successor is NIDES
   Network Security Monitor (NSM)
Misuse Detection
   Intrusion Detection In Our Time (IDIOT) – colored Petri nets
   USTAT?
   ASAX (rule-based)
Hybrid
   NADIR (Los Alamos)
   Haystack (Air Force, adaptive)
   Hyperview (uses neural network)
   Distributed IDS (Haystack + NSM)

10 IDS Architecture
Similar to audit system
   Log events
   Analyze log
Difference: happens in real-time
(Distributed) IDS idea:
   Agent generates log
   Director analyzes logs
     May be adaptive
   Notifier decides how to handle result
     GrIDS displays attacks in progress
[Diagram: several hosts, each running an Agent, feed a Director, which feeds a Notifier]

11 Where is the Agent?
Host-based IDS
   Watches events on the host
   Often uses existing audit logs
Network-based IDS
   Packet sniffing
   Firewall logs

12 IDS Problem
IDS useless unless accurate
   Significant fraction of intrusions detected
   Significant number of alarms correspond to intrusions
Goal is
   Reduce false positives
     Reports an attack, but no attack underway
   Reduce false negatives
     An attack occurs but IDS fails to report
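A worked example tying slide 10 to slide 12: the Agent / Director / Notifier pipeline is built over constructed per-host logs, and its alerts are then scored against a constructed ground truth to count the false positives and false negatives slide 12 talks about. This is added code, not from the lecture; the host logs, the "3 failed logins within 60 seconds" rule in the Director, the Notifier's routing rule and the ground-truth labels are all assumptions.

```python
"""Agent / Director / Notifier pipeline from slide 10, with the accuracy
measures of slide 12 (false positives and false negatives) computed against
a constructed ground truth. Added example, not from the lecture."""
from collections import deque

# Constructed per-host audit lines as each Agent would read them (not real logs).
HOST_LOGS = {
    "hostA": ["t=1 kind=failed_login", "t=2 kind=failed_login",
              "t=3 kind=failed_login", "t=4 kind=login"],
    "hostB": ["t=300 kind=failed_login", "t=301 kind=failed_login",
              "t=302 kind=failed_login", "t=303 kind=login"],
    "hostC": ["t=0 kind=failed_login", "t=100 kind=failed_login",
              "t=200 kind=failed_login", "t=500 kind=login"],
    "hostD": ["t=10 kind=login", "t=50 kind=logout"],
}
# Constructed ground truth, used only for evaluation: which hosts were really
# under attack (hostB is a user mistyping a password; hostC is a slow attack).
GROUND_TRUTH = {"hostA": True, "hostB": False, "hostC": True, "hostD": False}


class Agent:
    """Collects the host's log and normalizes records into (host, t, kind) events."""

    def __init__(self, host, lines):
        self.host, self.lines = host, lines

    def events(self):
        out = []
        for line in self.lines:
            fields = dict(kv.split("=", 1) for kv in line.split())
            out.append((self.host, int(fields["t"]), fields["kind"]))
        return out


class Director:
    """Analyzes the merged event stream in time order: alarm when a host shows
    at least `limit` failed logins within `window` seconds (assumed rule)."""

    def __init__(self, limit=3, window=60):
        self.limit, self.window = limit, window

    def analyze(self, events):
        recent, alerts = {}, []   # host -> failed-login timestamps inside the window
        for host, t, kind in sorted(events, key=lambda e: e[1]):
            if kind != "failed_login":
                continue
            q = recent.setdefault(host, deque())
            q.append(t)
            while q and t - q[0] > self.window:
                q.popleft()
            if len(q) >= self.limit:
                alerts.append((host, t, len(q)))
        return alerts


class Notifier:
    """Decides how to handle each alert: page someone for a large burst,
    otherwise just log it (assumed routing rule)."""

    def route(self, alerts):
        return [(host, "page" if n >= 5 else "log") for host, _, n in alerts]


def evaluate(alerts, truth):
    """Per-host confusion counts plus the two rates slide 12 asks to reduce."""
    flagged = {host for host, _, _ in alerts}
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    label = {(True, True): "TP", (False, True): "FP",
             (True, False): "FN", (False, False): "TN"}
    for host, attacked in truth.items():
        counts[label[(attacked, host in flagged)]] += 1
    negatives = counts["FP"] + counts["TN"]
    positives = counts["TP"] + counts["FN"]
    counts["fp_rate"] = counts["FP"] / negatives if negatives else 0.0
    counts["fn_rate"] = counts["FN"] / positives if positives else 0.0
    return counts


def run():
    events = [e for host, lines in HOST_LOGS.items() for e in Agent(host, lines).events()]
    alerts = Director().analyze(events)
    return alerts, Notifier().route(alerts), evaluate(alerts, GROUND_TRUTH)


if __name__ == "__main__":
    for part in run():
        print(part)
```

With these inputs the Director raises two alarms: hostA (a true positive) and hostB (a false positive, three quick typos), while hostC's slow attack never accumulates three failures inside one window and becomes a false negative. Tightening the threshold to catch hostC would also flag more hostB-style noise, which is the trade-off slide 12 describes.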

13 Intrusion Response
Incident prevention
   Stop attack before it succeeds
   Measures to detect attacker
   Example: jailing (also honeypots)
     Make attacker think they are succeeding and confine to an area
Intrusion handling
1. Preparation for detecting attacks
2. Identification of an attack
3. Contain attack
4. Eradicate attack
5. Recover to secure state
6. Follow-up to the attack - punish attacker

14 Containment
Passive monitoring
   Track intruder actions
   Eases recovery and punishment
Constraining access
   Downgrade attacker privileges
   Protect sensitive information
   Why not just pull the plug?
   Example: honeypots

15 Eradication
Terminate network connection
Terminate processes
Block future attacks
   Close ports
   Disallow specific IP addresses
   Wrappers around attacked applications

16 Follow-Up
Legal action
   Trace through network
Cut off resources
   Notify ISP of action
Counterattack
   Is this a good idea?