Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

2 Outline
IDS/dIDS Overview
dIDS using a CAS
dIDS using a distributed model (Indra)
Discussion

3 IDS Definitions
Definition of intrusion detection: identifying computing activity that is malicious or unauthorized. Also: identifying individuals or machines that perform or attempt intrusion.
IDS: performs intrusion detection by comparing observable behavior against suspicious patterns.

4 Anatomy of an IDS
Agent/Monitor/Sensor
Data Sources: network traffic, system calls, system logs
Detection Algorithms: simple to sophisticated signature matching, behavior analysis, heuristics
Responses: automatic filtering, email/pager notification
Management System: data analysis (type, frequency, source of attacks), administrative configuration

5 dIDS Definition
Distributed IDS: multiple IDSes spread over a large network, all of which communicate with each other, or with a central server that facilitates advanced network monitoring, incident analysis, and instant attack data.

6 Why dIDS?
More data: collecting data from multiple viewpoints gives a better view of attack behavior.
Fewer false positives: a wider range of behavior is monitored and evaluated.
Better against automated attacks: collaboration allows agents to pass on attack information to other agents. (Indra)

7 Approaches to dIDS
Central Analysis Server (CAS): large database with aggregated attack data from individual IDS agents.
Distributed Analysis: IDS agents share attack information with each other, and do not rely on a central server. May use hierarchies as in GrIDS or loose P2P relationships as in Indra.

8 Outline
IDS/dIDS Overview
dIDS using a CAS
dIDS using a distributed model (Indra)
Discussion

9 Examples of dIDS with a CAS
Internet Storm Center (isc.incidents.org): Analogous to a weather report. Tracks trends in port scanning activity.
DShield: One source of ISC data. Runs on a large range of IDSes. Submission of logs via email or web can be automatic. “FightBack” program sends summary attack analysis to ISPs.
MyNetWatchman: Collects from agents. Automatically sends incident reports to ISPs. Also provides attack trends.

10 Internet Storm Center

11 CAS Usefulness
Good for detecting new trends.
Potentially good for identifying infected hosts.
Logically similar to NetBait.
Can be tailored to deliver information specific to your network (DeepSight).
Does the “distributedness” really make your network any more secure?
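As an added example (not from these slides, and not DShield's, the ISC's or MyNetWatchman's own code), here is a toy Central Analysis Server in Python that ingests constructed log submissions from three agents and computes the kinds of results slides 7, 9 and 11 describe: a port-probing trend corroborated by several sensors, sources reported by more than one independent agent (candidate infected hosts), and a FightBack-style per-source summary that could be handed to an ISP. Agent names, addresses, thresholds and method names are all assumptions made for the example.

```python
"""Added example: a toy Central Analysis Server (CAS) aggregating IDS/firewall
log records submitted by several agents. All agents, addresses and records
below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LogRecord:
    agent: str      # sensor that submitted the record
    src: str        # source address of the suspicious packet
    dst_port: int   # destination port that was probed


# Constructed submissions from three independent agents.
SUBMISSIONS = [
    LogRecord("agent-a", "198.51.100.7", 445),
    LogRecord("agent-a", "198.51.100.7", 139),
    LogRecord("agent-a", "203.0.113.9", 22),
    LogRecord("agent-b", "198.51.100.7", 445),
    LogRecord("agent-b", "192.0.2.33", 445),
    LogRecord("agent-b", "203.0.113.9", 22),
    LogRecord("agent-c", "198.51.100.7", 445),
    LogRecord("agent-c", "192.0.2.44", 445),
    LogRecord("agent-c", "192.0.2.55", 80),
]


class CentralAnalysisServer:
    def __init__(self):
        # port -> set of (agent, src): which sensor saw which source probe the port
        self.port_sightings = defaultdict(set)
        # src -> set of agents that reported that source
        self.src_reporters = defaultdict(set)

    def submit(self, record):
        """Ingest one record from an agent (the CAS "large database")."""
        self.port_sightings[record.dst_port].add((record.agent, record.src))
        self.src_reporters[record.src].add(record.agent)

    def port_trend(self, min_sources=3, min_agents=2):
        """Ports probed by many distinct sources and corroborated by several
        independent agents: the weather-report style trend of slide 9.
        Returns port -> (distinct sources, distinct agents)."""
        trend = {}
        for port, sightings in self.port_sightings.items():
            sources = {src for _, src in sightings}
            agents = {agent for agent, _ in sightings}
            if len(sources) >= min_sources and len(agents) >= min_agents:
                trend[port] = (len(sources), len(agents))
        return trend

    def widely_seen_sources(self, min_agents=2):
        """Sources reported by at least min_agents independent agents: the
        candidate infected hosts of slide 11. Returns src -> agent count."""
        return {src: len(agents)
                for src, agents in self.src_reporters.items()
                if len(agents) >= min_agents}

    def summary_for_isp(self, src):
        """FightBack-style summary for one source: who saw it, which ports."""
        ports = sorted(port for port, sightings in self.port_sightings.items()
                       if any(s == src for _, s in sightings))
        return {"source": src,
                "reporting_agents": sorted(self.src_reporters[src]),
                "ports": ports}


def build_server():
    """Load the constructed submissions into a fresh CAS."""
    server = CentralAnalysisServer()
    for record in SUBMISSIONS:
        server.submit(record)
    return server


if __name__ == "__main__":
    cas = build_server()
    print("port trend:", cas.port_trend())
    print("widely seen sources:", cas.widely_seen_sources())
    print("summary:", cas.summary_for_isp("198.51.100.7"))
```

The point of the two thresholds in port_trend is that a single noisy sensor cannot manufacture a trend on its own: a port only surfaces when several distinct sources probe it and more than one agent confirms it, which is the benefit slide 6 attributes to collecting data from multiple viewpoints.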

12 Outline
IDS/dIDS Overview
dIDS using a CAS
dIDS using a distributed model (Indra)
Discussion

13 Other Approaches
Indra: INtrusion Detection and Rapid Action
Distributes attack information among interested peers in a P2P network.
Claim: The more participating hosts and the more heterogeneous the mix of hosts, the more likely it is to detect an attack. Opinions?

14 Indra daemons
Watch for intrusion attempts
Enforce access control based on memory of previous intrusion attempts (proactive)
Share intrusion attempt warnings with other neighbors

15 Indra Example Does host C need to be able to listen to B’s network traffic?

16 Component Questions
Communication –How do the Indra nodes talk to each other?
Trust –How can the Indra nodes trust each others’ messages?
Policy –How do Indra nodes react to intrusion attempts or reports of intrusions?

17 Communication
Handled by Scribe on top of Pastry
Scribe: Topic-based publish-subscribe multicast mechanism –Relationship to Sequoia?
Pastry: P2P network

18 Web of Trust
Nodes connected by trust relationships
Edges weighted by degree of trust
Trust metrics are an active area of research

19 Indra Daemon Components
Watchers: monitor network activity and identify suspicious activity
Access Controllers: filter access using an (account, machine) combination determined by IDENT. Requires IDENT?
Listeners: listen to the watchers for reports of suspicious activity. Act as filters of watchers' information.
Reporters: Communicate with the rest of the Indra network. Aggregate warnings, pass warnings to other listeners, receive warnings.
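As an added example that is not the Indra project's code, here is a small Python simulation tying slides 14, 17, 18 and 19 together: four daemons, each with a watcher, reporter, listener and access controller, exchange warnings over a toy topic-based publish/subscribe bus standing in for Scribe, listeners weight each peer's warning by the trust edge to that peer (a miniature web of trust), and the access controller denies a source once its remembered evidence, local attempts plus weighted warnings, crosses a threshold. Host names, trust weights, addresses, events, the threshold and the bus are all constructed assumptions; the real Indra uses Pastry/Scribe and IDENT-based (account, machine) filtering, neither of which is modelled here.

```python
"""Added example, not the Indra project's code: a simulation of Indra-style
daemons (watcher, reporter, listener, access controller) sharing warnings over
a toy pub/sub bus and weighting them by a constructed web of trust."""
from collections import defaultdict

ATTACKER = "198.51.100.7"   # constructed: probes hosts A and B in turn
SUSPECT = "203.0.113.9"     # constructed: reported only by a low-trust peer

# Constructed web of trust: TRUST[x][y] is how far daemon x trusts warnings from y.
TRUST = {
    "A": {"B": 1.0, "C": 0.8, "D": 0.1},
    "B": {"A": 1.0, "C": 0.8, "D": 0.1},
    "C": {"A": 1.0, "B": 1.0, "D": 0.1},
    "D": {"A": 0.5, "B": 0.5, "C": 0.5},
}


class PubSubBus:
    """Toy stand-in for Scribe: topic-based multicast to every subscriber."""

    def __init__(self):
        self.subscribers = defaultdict(list)

    def subscribe(self, topic, callback):
        self.subscribers[topic].append(callback)

    def publish(self, topic, message):
        for callback in list(self.subscribers[topic]):
            callback(message)


class IndraDaemon:
    TOPIC = "intrusion-warnings"
    BLOCK_THRESHOLD = 2.0  # weighted evidence needed before access is denied (assumed)
    LOCAL_WEIGHT = 1.0     # an attempt observed by the local watcher counts in full

    def __init__(self, name, bus, trust):
        self.name = name
        self.bus = bus
        self.trust = trust                   # peer name -> trust weight
        self.evidence = defaultdict(float)   # memory of previous attempts per source
        self.blocked = set()
        bus.subscribe(self.TOPIC, self.listener)

    def watcher(self, src, event):
        """Watcher: the local sensor saw a suspicious event from src."""
        self._record(src, self.LOCAL_WEIGHT)
        self.reporter(src, event)

    def reporter(self, src, event):
        """Reporter: pass the warning on to the rest of the Indra network."""
        self.bus.publish(self.TOPIC, {"from": self.name, "src": src, "event": event})

    def listener(self, msg):
        """Listener: accept peers' warnings, discounted by the trust edge to the peer."""
        if msg["from"] == self.name:
            return
        weight = self.trust.get(msg["from"], 0.0)
        if weight > 0:
            self._record(msg["src"], weight)

    def _record(self, src, weight):
        self.evidence[src] += weight
        if self.evidence[src] >= self.BLOCK_THRESHOLD:
            self.blocked.add(src)

    def allow(self, src):
        """Access controller: proactive decision based on remembered evidence."""
        return src not in self.blocked


def run_scenario():
    """Replay the constructed events and return the daemons for inspection."""
    bus = PubSubBus()
    daemons = {name: IndraDaemon(name, bus, TRUST[name]) for name in TRUST}
    # The attacker probes A, then B. C is never contacted directly.
    daemons["A"].watcher(ATTACKER, "failed ssh login")
    daemons["B"].watcher(ATTACKER, "failed ssh login")
    # A low-trust peer repeatedly reports a source nobody else has seen,
    # which is what a spoofed or compromised reporter would look like.
    for _ in range(3):
        daemons["D"].watcher(SUSPECT, "port scan")
    return daemons


if __name__ == "__main__":
    for name, daemon in run_scenario().items():
        print(name, "allows attacker:", daemon.allow(ATTACKER),
              "allows suspect:", daemon.allow(SUSPECT))
```

Running the scenario, C denies the attacker before any attempt is made against C, purely on the strength of A's and B's warnings (the proactive behaviour of slide 14), while three reports from the low-trust peer D leave A, B and C still allowing the suspect. That second outcome is one way trust weighting bounds what a single spoofed or misbehaving reporter can do to the rest of the network, which is the concern raised on slide 21; the trade-off is that D itself, trusted weakly by nobody and trusting others only at 0.5, has not yet accumulated enough evidence to deny the attacker.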

20 Indra Daemons

21 Questions & Concerns
Web of Trust or other trust mechanism needs to be defined.
IDENT questions: –Is IDENT required? –If so, how secure is IDENT? Can an attacker spoof a victim’s IDENT and DoS the victim by attacking the Indra network using the stolen IDENT?
Access Control: Can we trust Indra daemons to make these decisions?

22 Outline
IDS/dIDS Overview
dIDS using a CAS
dIDS using a distributed model (Indra)
Discussion

23 (More) Discussion Questions
The focuses of the CAS and distributed analysis approaches seem quite different. Are there inherent advantages and disadvantages to each?
Human response times are not fast enough to stop attacks such as fast-moving worms. Does this mean that we need to allow detection systems to respond automatically to attacks? What are the ramifications of this?

24 Thursday
GrIDS discussion
Brief discussion on Communications article.