Chapter 13: Intrusion Detection

Slide 1: Overview
 What is an Intrusion Detection System?
  o Definition
  o Characteristics
  o Examples of existing IDSs
     Tripwire
     NIDES
     INBOUNDS

Slide 2: What is an IDS?
 An Intrusion Detection System (IDS) is:
  o Software and/or hardware
  o Monitors a computer system to detect:
     Intrusion: unauthorized attempts to use the system
     Misuse: abuse of existing privileges
  o Responds:
     Log activity
     Notify a designated authority
     Take appropriate countermeasures

Slide 3: Why Use an IDS?
 Security is often expensive/cumbersome:
  o Cost
  o Restrictions on users/functionality
 Designers try to offer users “reasonable” levels of security
 Security breaches will still occur
 Detection allows:
  o Finding and fixing the most serious security holes
  o Perhaps holding intruders responsible for their actions
  o Limiting the amount of damage an attacker can do

Slide 4: Why Use an IDS? (cont)
 The number of attacks is climbing
 The damage caused by these attacks is also rising
 From CERT: (chart not included in the transcript)

Slide 5: Goals of an IDS
 Be difficult to fool
  o Minimize false positives - legitimate actions that cause an alert
  o Minimize false negatives - intrusions that do not result in alerts
 Also:
  o Run continually
  o Be fault tolerant
  o Resist subversion
  o Minimize overhead
  o Be easily configurable
  o Cope with changing system behavior

Slide 6: IDS Characteristics
 Detection Model
  o Misuse detection vs. anomaly detection
 Scope
  o Host based, multihost based, network based
 Operation
  o Off-line vs. real-time
 Architecture
  o Centralized vs. distributed

Slide 7: IDS Detection Model
 Misuse detection - recognize known attacks
  o Define a set of attack signatures
  o Detect actions that match a signature
  o Add new signatures often
 Anomaly detection - recognize atypical behavior
  o Define a set of metrics for the system
  o Build a statistical model for those metrics during “normal” operation
  o Detect when metrics differ significantly from normal
 Hybrid

Slide 8: IDS Scope
 Host based
  o Scrutinize data from a single host
 Multihost based
  o Analyze data from multiple hosts
 Network based
  o Examine network traffic (and possibly data from the connected hosts)

Slide 9: IDS Operation
 Off-line
  o Inspect system logs at set intervals
  o Report any suspicious activity that was logged
 Real-time
  o Monitor the system continuously
  o Report suspicious activity as soon as it is detected

Slide 10: IDS Architecture
 Centralized
  o Data collected from single or multiple hosts
  o All data shipped to a central location for analysis
 Hierarchical
  o Data collected from multiple hosts
  o Data is analyzed as it is passed up through the layers
 Distributed
  o Data collected at each host
  o Distributed analysis of the data

Slide 11: Case Study: Tripwire
 A file integrity-checking tool
  o Developed at Purdue University (released in 1993)
  o Off-line, centralized, host-based, misuse detection
  o Utilizes digital signatures to check for added, deleted, modified files
  o Popular
     Portable
     Configurable
     Scalable
     Manageable
     Automated
     Secure

Slide 12: Background – File Systems
 Provide long-term storage for:
  o User data and programs
  o System programs and databases
 A popular target for attackers:
  o Unauthorized access to user or system files to uncover private information
  o Modify system databases to allow future entry (e.g. /etc/passwd)
  o Modify system programs to allow future entry (e.g. back doors)
  o Cleansing of system logs to thwart detection

Slide 13: Tripwire - Overview
 A checklist is created which contains one entry for each file being monitored
 Checklist should:
  o Be secure against unauthorized modifications
 Each entry in the checklist is a fingerprint for the corresponding file
 Fingerprints should:
  o Be efficient to compute
  o Be hard to invert
  o Depend on the entire contents of the file
  o Be very likely to change if the file changes
  o Be very unlikely to match fingerprints from other files

Slide 14: Tripwire – Overview (cont)
(diagram not included in the transcript)

Slide 15: Tripwire Database
 Unencrypted and world-readable
 To prevent the database from being tampered with, it is recommended it be:
  o Installed and updated in a secure manner (e.g. single-user mode)
  o Stored either:
     On read-only media
     On a write-protected disk
     On a “secure server” (e.g. read-only NFS)

Slide 16: Tripwire Configuration Files
 Contains:
  o A list of directories (or files) to be monitored
  o A mask for each that describes which attributes can change without being reported
 Mask bits (all fields stored in a file’s inode):
  o p: permissions
  o i: inode number
  o n: number of links
  o u: user id
  o g: group id
  o s: size of file
  o m: modification timestamp
  o a: access timestamp
  o [1-10]: signature #1, signature #2, etc.
 Signature algorithms supported (MD5, MD4, MD2, Snefru, SHA, CRC-32, CRC-16)

Slide 17: Tripwire Configuration Files (cont)
 Using masks:
  o Fields can be added (“+”) or subtracted (“-”) from the set of items to be examined for a file
  o Example: +pinugsm12-a = report changes to all fields except the access timestamp
 Mask templates:
  o R = +pinugsm12-a = read-only files; only the access timestamp is ignored
  o L = +pinug-sma12 = log files; changes to file size, access time, modification time, and signatures are ignored
  o N = +pinugsma12 = ignore nothing
  o E = -pinugsma12 = ignore everything

Slide 18: Tripwire Configuration File - Example
 All files in the /bin directory are read-only
 Printer logs under /etc/lp/logs are log files; do not report changes in:
  o Size, access or modification time, or contents
 Report all changes in /etc/passwd

Slide 19: Tripwire Reports
 A new database is computed and compared with the old one
 Any differences are passed through the masks in the configuration file
 Differences that are not masked out are written to a report:
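The mask handling on slides 17 to 19, worked through in added Python that is not Tripwire's own code: it expands the R/L/N/E templates, fingerprints a file from its inode fields plus two digests (SHA-256 and MD5 are assumed stand-ins for signature slots 1 and 2), and reports only the differences the mask leaves in; the tampered log file is a constructed scenario in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile

# Mask templates from slide 17: letters name inode fields, "1" and "2"
# are the two signature (digest) slots.
TEMPLATES = {"R": "+pinugsm12-a", "L": "+pinug-sma12",
             "N": "+pinugsma12", "E": "-pinugsma12"}
FIELDS = set("pinugsma12")

def parse_mask(mask):
    """Expand a template name or a +/- mask into the set of fields examined."""
    examine = set()
    sign = "+"
    for ch in TEMPLATES.get(mask, mask):
        if ch in "+-":
            sign = ch
        elif ch not in FIELDS:
            raise ValueError(f"unknown mask field {ch!r}")
        elif sign == "+":
            examine.add(ch)
        else:
            examine.discard(ch)
    return examine

def fingerprint(path):
    """One checklist entry: the inode fields plus two content digests.
    Assumption: SHA-256 and MD5 stand in for Tripwire's signature slots 1 and 2."""
    st = os.lstat(path)
    entry = {"p": stat.S_IMODE(st.st_mode), "i": st.st_ino, "n": st.st_nlink,
             "u": st.st_uid, "g": st.st_gid, "s": st.st_size,
             "m": st.st_mtime_ns, "a": st.st_atime_ns}
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            data = fh.read()
        entry["1"] = hashlib.sha256(data).hexdigest()
        entry["2"] = hashlib.md5(data).hexdigest()
    return entry

def compare(old, new, mask):
    """Fields that differ and are not masked out (the slide 19 report rule)."""
    return sorted(f for f in parse_mask(mask) if old.get(f) != new.get(f))

def simulate(mask, appended=b"injected line\n"):
    """Constructed scenario: record a file, append to it, re-check under mask."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "daemon.log")
        with open(path, "wb") as fh:
            fh.write(b"original contents\n")
        before = fingerprint(path)
        with open(path, "ab") as fh:
            fh.write(appended)
        return compare(before, fingerprint(path), mask)

if __name__ == "__main__":
    # The slide 18 policy: /bin read-only, printer logs as log files,
    # /etc/passwd with nothing ignored.
    for path, mask in {"/bin": "R", "/etc/lp/logs": "L", "/etc/passwd": "N"}.items():
        print(f"{path:14} {mask}  examines {''.join(sorted(parse_mask(mask)))}")
    print("appended to a file under R:", simulate("R"))
    print("appended to a file under L:", simulate("L"))
```

Under R the appended line shows up as size and signature changes while the access timestamp stays masked; under L the same change is silent, which is exactly why /etc/passwd is checked with N rather than L.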

Slide 20: Limitations of Host Based Intrusion Detection
 No global knowledge or context information
 Must run the IDS on the host being monitored
  o Overhead
  o Host compromise = IDS compromise
 Recovery options are limited

Slide 21: NIDES
 A collection of target hosts collect system audit data and transfer it to a NIDES host for analysis and intrusion detection
 Developed at SRI International (released in 1994)
 Real-time, centralized, multihost-based anomaly and misuse detection
 Next-generation Intrusion Detection Expert System (NIDES) – a follow-on to SRI’s Intrusion Detection Expert System (IDES)

Slide 22: NIDES - Overview
 Data collection is performed by target hosts connected by a network
  o The agend daemon is started on each target host at boot time
     Receives requests to start and stop the agen process on that host
  o Agen process:
     Collects system audit data
     Converts it into a system-independent format
     Sends it to the arpool process on the NIDES host
 Data analysis is performed on a NIDES host (which is not monitored)
 The arpool process collects audit data from the target hosts and provides it to the analysis components
  o Statistical analysis component (anomaly)
  o Rulebased analysis component (misuse)

Slide 23: NIDES – Overview (cont)
(diagram not included in the transcript)

Slide 24: NIDES – Statistical Analysis
 Adaptive historical profiles for each “user” are maintained
  o Updated regularly
  o Old data “aged” out during profile updates
 Alert raised whenever observed behavior differs significantly from established patterns
  o Parameters and thresholds can be customized

Slide 25: NIDES – Rulebased Analysis
 NIDES comes with a basic rulebase for SUN UNIX
  o Encoded in rulebase:
     Known attacks and intrusion scenarios
     Specific actions or patterns of behavior that are suspicious or known security violations
  o Expert system looks for matches between current activity and rules in the rulebase and raises alerts
 Rulebase can also be extended and updated by sites using NIDES

Slide 26: NIDES – Resolver
 Filters alerts to:
  o Remove false alarms
  o Remove redundancies
  o Direct notification to the appropriate authority

Slide 27: Limitations of Multihost Based Intrusion Detection
 Much larger volume of data
 No information about communications:
  o Data
  o Patterns
 Centralized detection might be fooled by data cleansing
 Distributed detection might be fooled by lack of agreement

Slide 28: INBOUNDS
 The Integrated Network-Based Ohio University Network Detective Service (INBOUNDS)
  o Developed at Ohio University in 1999
  o A network-based, real-time, centralized IDS that performs anomaly detection
  o Designed to detect:
     New variants of network-based attacks
     Never-before-seen network-based attacks

Slide 29: TCPTrace
 Reads network dump files
 Groups packets into connections
  o Groups of packets that are part of the same conversation
 Performs advanced operations
  o TCP-level analysis, including
     Piecing together conversations
     Detecting retransmissions
     Calculating round trip times (RTT)
  o Traffic analysis
     Aggregate throughput
     Retransmission rates

Slide 30: TCPTrace: Output Example
    TCP connection 1:
        host a:        :1084
        host b:        :79
        first packet:  Wed Jul 20 16:40:
        last packet:   Wed Jul 20 16:40:
        elapsed time:  0:00:
        total packets: 13
       a->b:                               b->a:
         total packets:          7           total packets:          6
         unique bytes sent:     11           unique bytes sent:   1152
         actual data pkts:       2           actual data pkts:       1
         actual data bytes:     11           actual data bytes:   1152
         rexmt data pkts:        0           rexmt data pkts:        0
         rexmt data bytes:       0           rexmt data bytes:       0
         ttl stream length:     11 bytes     ttl stream length:   1152 bytes
         missed data:            0 bytes     missed data:            0 bytes
         truncated data:         0 bytes     truncated data:         0 bytes
         truncated packets:      0 pkts      truncated packets:      0 pkts
         idletime max:             ms        idletime max:             ms
         throughput:             1 Bps       throughput:           110 Bps

Slide 31: Real-Time TCPTrace
 Extension to TCPTrace
 Captures packets from a network in real-time
 Sends messages to an intrusion detection module:
  o Open messages - every time a connection is opened
  o Close messages - every time a connection is closed
  o Activity messages – periodically computed statistics for all currently open connections

Slide 32: Open Messages
 Generated when a new connection is opened
 Contents:
  o The time at which the connection was opened
  o The source and destination IP addresses of the connection
  o The source and destination port numbers of the connection
  o Status field indicating whether or not the opening SYN was seen

Slide 33: Close Messages
 Generated when a connection is closed
 Contents:
  o The time at which the connection was closed
  o The source and destination IP addresses of the connection
  o The source and destination port numbers of the connection
  o Status field indicating whether the connection was closed by:
     Two FINs
     A RST
     A timeout

Slide 34: Activity Messages
 Generated every sixty seconds (one per open connection)
 Contents:
  o Timestamp
  o Source and destination IP addresses
  o Source and destination port numbers
  o Dimensions:
     Interactivity – the average number of “questions” per second
     ASOQ - Average size of “questions”
     ASOA - Average size of “answers”
     QAIT - Average question-to-answer idle time
     AQIT - Average answer-to-question idle time

Slide 35: A Sample Conversation
(diagram not included in the transcript)

Slide 36: Activity Messages – Example (cont)
 Time interval: T1 to T2
 Three questions (of sizes Q1, Q2, and Q3)
 Three answers (of sizes A1, A2, and A3)
 Dimensions:
  o Interactivity = 3/(T2-T1)
  o ASOQ = (Q1+Q2+Q3)/3
  o ASOA = (A1+A2+A3)/3
  o QAIT = (QAIT1+QAIT2+QAIT3)/(T2-T1)
  o AQIT = (AQIT1+AQIT2+AQIT3)/(T2-T1)

Slide 37: INBOUNDS
 Integrated Network-Based Ohio University Network Detective Service
 Training:
  o Receives messages from Real-Time TCPTrace
  o Builds profiles of each different network service
 Detection:
  o Receives messages from Real-Time TCPTrace
  o Identifies connections behaving abnormally

Slide 38: INBOUNDS Detection: Example #1
 A connection to port 79 (finger daemon)
 Normal profile:
  o Interactivity is low
  o Question and answer sizes are small
  o Idle times should be small (unless the system is severely overloaded)
 Profile during a buffer overflow attack (spawns an interactive shell):
  o Interactivity is high
  o Average sizes of questions and answers are large

Slide 39: INBOUNDS Detection: Example #2
 A connection to port 25 (SMTP)
 “Normal” profile:
  o Interactivity (ave = 10 questions, sd = 10)
  o Question size (ave = 400 bytes, sd = 800)
  o Answer size (ave = 50 bytes, sd = 10)
  o Idle times (average less than one second)
 Profile observed during a mailbomb attack:
  o Interactivity (ave = 250 questions)
  o Question size (ave = 2000 bytes)
  o Answer size (ave = 3500 bytes)
  o Idle times (up to 8 seconds)

Slide 40: Limitations of Network-Based Intrusion Detection
 Network data rates are very high
 Encryption of network traffic is becoming more popular
 Switched environments are becoming more popular
 Difficult to ensure that a network IDS sees the same data as the end hosts

Slide 41: Summary
 An Intrusion Detection System (IDS) is a piece of software that monitors a computer system to detect:
  o Intrusion (unauthorized attempts to use the system) and misuse (abuse of existing privileges)
 And responds by:
  o Logging activity, notifying a designated authority, or taking appropriate countermeasures
 Many different IDSs are available and they can be categorized according to their:
  o Detection model (misuse detection, anomaly detection, hybrid)
  o Scope (host based, multihost based, network based)
  o Operation (off-line vs. real-time)
  o Architecture (centralized, hierarchical, distributed)
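The dimension formulas on slide 36 and the SMTP profile on slide 39, as an added Python example rather than INBOUNDS code: it computes the five activity-message dimensions for a constructed conversation and flags any profiled dimension more than three standard deviations from the slide 39 averages. The 3-sigma threshold and the reading of the profile's question count as "per 60-second activity window" are assumptions.

```python
from statistics import mean

# Constructed sample conversation: (timestamp_s, direction, bytes), where
# "Q" is a client->server question and "A" a server->client answer.
SAMPLE = [(0, "Q", 100), (1, "A", 50), (3, "Q", 200),
          (4, "A", 50), (6, "Q", 300), (8, "A", 50)]

def activity_dimensions(msgs, t1, t2):
    """Dimensions of one activity message for the window [t1, t2],
    following slide 36 (QAIT and AQIT are divided by the window length)."""
    window = float(t2 - t1)
    msgs = sorted(m for m in msgs if t1 <= m[0] <= t2)
    questions = [size for _, d, size in msgs if d == "Q"]
    answers = [size for _, d, size in msgs if d == "A"]
    qait = aqit = 0.0
    for (tp, dp, _), (tc, dc, _) in zip(msgs, msgs[1:]):
        if dp == "Q" and dc == "A":
            qait += tc - tp      # question waiting for its answer
        elif dp == "A" and dc == "Q":
            aqit += tc - tp      # answer waiting for the next question
    return {"interactivity": len(questions) / window,
            "asoq": mean(questions) if questions else 0.0,
            "asoa": mean(answers) if answers else 0.0,
            "qait": qait / window,
            "aqit": aqit / window}

# "Normal" SMTP profile from slide 39 as (average, standard deviation).
# Assumption: the question count is per 60-second activity window.
SMTP_PROFILE = {"questions": (10, 10), "asoq": (400, 800), "asoa": (50, 10)}
WINDOW = 60

def score(dims, profile=SMTP_PROFILE, threshold=3.0):
    """Return {dimension: z} for every profiled dimension more than
    `threshold` standard deviations from its average (threshold assumed)."""
    observed = {"questions": dims["interactivity"] * WINDOW,
                "asoq": dims["asoq"], "asoa": dims["asoa"]}
    flagged = {}
    for name, (ave, sd) in profile.items():
        z = (observed[name] - ave) / sd
        if abs(z) > threshold:
            flagged[name] = round(z, 1)
    return flagged

def synthetic(n_questions, q_size, a_size, window=WINDOW):
    """Constructed conversation: n evenly spaced questions, each answered
    halfway to the next question."""
    step = window / n_questions
    msgs = []
    for k in range(n_questions):
        msgs.append((k * step, "Q", q_size))
        msgs.append((k * step + step / 2, "A", a_size))
    return msgs

if __name__ == "__main__":
    print(activity_dimensions(SAMPLE, 0, 10))
    normal = synthetic(10, 400, 50)            # slide 39 "normal" averages
    mailbomb = synthetic(250, 2000, 3500)      # slide 39 mailbomb averages
    print("normal:", score(activity_dimensions(normal, 0, WINDOW)))
    print("mailbomb:", score(activity_dimensions(mailbomb, 0, WINDOW)))
```

With the slide 39 numbers, the mailbomb's question count and answer size are flagged but its 2000-byte questions are not: they sit only two standard deviations from the 400-byte average because the normal profile's question-size deviation is so wide.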