STATE OF THE PRACTICE OF INTRUSION DETECTION TECHNOLOGIES Presented by Hap Huynh Based on content by SEI

SEI Report
- Technical Report CMU/SEI-99-TR-028
- To provide an unbiased assessment of publicly available Intrusion Detection (ID) technology

Roadmap
1. An overview of ID from the perspective of the CERT Coordination Center
2. Examine the current state of ID technology
3. Issues surrounding ID technology
4. Recommendations for the ID sponsor, user, vendor, and research communities

Growth in Number of Incidents Handled by the CERT/CC

Dimensions of Intrusion Detection
- ID technology is immature and dynamic
- "ID system" describes a system designed to detect attacks regardless of their success
- Fundamentally, there are two approaches:
  1. Signature detection identifies patterns corresponding to known attacks
  2. Anomaly detection identifies any unacceptable deviation from expected behavior
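The two approaches on this slide behave differently on the same traffic, which is the point the later slides on false positives and novel attacks build on. The following is an added example, not code from the SEI report or this presentation: a signature detector (a handful of assumed, illustrative regular-expression signatures over request paths) and an anomaly detector (a per-host request-rate baseline with a mean-plus-k-standard-deviations threshold, one common anomaly model among many) are run over a constructed set of web-server events. The host names, paths and counts are all made up for the demonstration.

```python
import re
import statistics
from collections import Counter

# Constructed sample web-server events: (source IP, request path, HTTP status).
# Illustrative values only, not data from the SEI report or any real system.
TRAINING_EVENTS = [
    ("10.0.0.5", "/index.html", 200), ("10.0.0.5", "/about.html", 200), ("10.0.0.5", "/news.html", 200),
    ("10.0.0.6", "/index.html", 200), ("10.0.0.6", "/login", 200),
    ("10.0.0.7", "/index.html", 200), ("10.0.0.7", "/docs/", 200), ("10.0.0.7", "/docs/a.html", 200),
    ("10.0.0.9", "/index.html", 200), ("10.0.0.9", "/contact.html", 200),
]

OBSERVED_EVENTS = (
    [("10.0.0.5", "/index.html", 200), ("10.0.0.5", "/about.html", 200), ("10.0.0.5", "/news.html", 200)]
    # One request carrying a known attack pattern: caught by a signature, invisible to a rate baseline.
    + [("10.0.0.9", "/cgi-bin/../../etc/passwd", 404)]
    # Twenty requests for pages that do not exist: no known signature, but far above the per-host baseline.
    + [("10.0.0.7", f"/page{i}.html", 404) for i in range(20)]
)

# Signature detection: patterns corresponding to known attacks (assumed illustrative signatures).
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "passwd-access": re.compile(r"/etc/passwd"),
}


def signature_detect(events):
    """Return (source, signature name) for every event whose path matches a known pattern."""
    alerts = []
    for src, path, _status in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((src, name))
    return alerts


# Anomaly detection: learn the expected requests-per-host from a training window,
# then flag hosts whose count deviates by more than k standard deviations.
def build_baseline(training_events):
    """Return (mean, population stdev) of requests per host over the training window."""
    counts = Counter(src for src, _, _ in training_events)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_detect(events, baseline, k=3.0):
    """Return hosts whose request count exceeds mean + k * stdev of the baseline."""
    mean, stdev = baseline
    # Floor the spread at one request so a very uniform baseline does not flag every small change.
    threshold = mean + k * max(stdev, 1.0)
    counts = Counter(src for src, _, _ in events)
    return sorted(src for src, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print("signature alerts:", signature_detect(OBSERVED_EVENTS))
    print("anomalous hosts:", anomaly_detect(OBSERVED_EVENTS, build_baseline(TRAINING_EVENTS)))
```

Each detector misses what the other catches: the single traversal request from 10.0.0.9 never moves that host's request rate, and the sweep from 10.0.0.7 matches no known pattern. That complementarity is why the later recommendation to integrate diverse data sources matters.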

State of the ID Market: What can ID systems do? (ID product claims)
- Lend a greater degree of integrity to the rest of your security infrastructure
- Make sense of often obtuse system information sources
- Relieve system management staff of the task of monitoring the Internet for the latest hacker attacks
- Make the security management of your systems by non-expert staff possible
- Provide guidelines that assist in establishing a security policy
- Trace user activity from the point of entry to the point of exit or impact
- Recognize activity patterns reflecting known attacks and alert the proper staff
- Statistical analysis for abnormal activity patterns
- Operating-system audit trail management, recognition of user activity reflecting policy violations
Based on the ICSA paper titled "An Introduction to Intrusion Detection and Assessment"

State of the ID Market: What can ID systems do? (ID experts)
- Detect common attacks in a reasonably timely manner
- View network and system activity in real time, identify unauthorized activity and provide a near-real-time automated response
- Ability to analyze today's activity in view of yesterday's activity to identify larger trends and problems
- Designed to be operated at the technician level, but still requires considerable expertise to understand the data and know what to do in response
- Discovery and detection tools that guide further investigation
- Customers should not expect an IDS to offer 100% protection
- Gather hard data about what is being directed at your site from remote locations, and use that knowledge to make informed decisions about what security controls need to be deployed
Based on a 1998 Computer Security Institute round table discussion

Current IDS Market Position
- "The use of IDS rose from 35% in 1998 to 42% in 1999" (CSI/FBI Computer Crime Survey 1999)
- 2,700 executives, security professionals, and technology managers from 49 countries concluded that more companies are using IDS (Information Week Survey 1999)

(Two columns of figures as given on the slide; the column headings were not preserved in the transcript.)

Alerted by colleague                 47    48
Analysis of server, firewall logs    41    45
Intrusion detection systems          29    38
Data or material damage              41    37
Alerted by customer, supplier        14    15

CERT/CC IDS Team Observations
- CERT examined ISS RealSecure, Cisco NetRanger, Network Flight Recorder, and Shadow
- IDS products based on current signature-based analysis approaches do not provide a complete intrusion detection solution, but do produce useful results in specific situations and configurations

Issues Surrounding ID Technology
- Increases in the types of intruder goals, intruder abilities, tool sophistication, and diversity, as well as the use of more complex, subtle, and new attack scenarios
- The use of encrypted messages to transport malicious information
- The need to interoperate and correlate data across infrastructure environments with diverse technologies and policies
- Ever-increasing network traffic
- The lack of widely accepted ID terminology and conceptual
- Volatility in the ID marketplace, which makes the purchase and maintenance of ID systems difficult

Issues Surrounding ID Technology
- Risks inherent in taking inappropriate automated response actions
- Attacks on the ID systems themselves
- Unacceptably high levels of false positives and false negatives, making it difficult to determine true positives
- The lack of objective ID system evaluation and test information
- The fact that most computing infrastructures are not designed to operate securely
- Limited network traffic visibility resulting from switched local area networks; faster networks preclude effective real-time analysis of all traffic on large pipes

ID Technology Recommendations: For sponsors
- Supporting ongoing, comprehensive testing of commercial IDS and making test results publicly available
- Emphasizing research funding directed towards reducing false alarms

ID Technology Recommendations: For users
- Implementing a security architecture that reflects a defense-in-depth or layered approach to protecting an organization's assets, whether or not the organization chooses to deploy an IDS
- Developing clear, concise IDS requirements based on security policy and organizational needs
- Configuring the IDS to maximize performance. This includes selective deployment to monitor critical assets as well as signature tuning to prevent excessive false alarms

ID Technology Recommendations: For vendors
- Support initiatives to create open source signatures
- Move towards the distribution model used by the anti-virus community
- Spend more time and resources testing signatures and making results public
- Provide measures that represent the level of confidence a user should place in an IDS's ability to report an intrusion, by type of signature or attack
- Integrate human analysis as part of event diagnosis
- Integrate available data sources more effectively, to include information from different sensors and from different ID systems
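Three of the preceding slides point at the same measurement: the high false-positive and false-negative levels listed under issues, the signature tuning recommended for users, and the per-signature confidence measure recommended for vendors. The following is an added example, not code from the SEI report or this presentation, showing how such a measure is derived from a labelled test run. It assumes a constructed record of alerts and missed attacks, tagged with the signature involved, whether the sensor fired, and whether an analyst labelled the event a real attack; the signature names and counts are made up for the demonstration.

```python
from collections import defaultdict

# Constructed test run: (signature name, alert fired?, analyst labelled it a real attack?).
# Illustrative values only, not results from the SEI report or any real product test.
SAMPLE_RESULTS = [
    ("dir-traversal", True, True),
    ("dir-traversal", True, True),
    ("dir-traversal", True, False),   # benign URL that happened to contain "../": false positive
    ("dir-traversal", False, True),   # encoded variant the pattern did not match: false negative
    ("port-sweep", True, False),
    ("port-sweep", True, False),
    ("port-sweep", True, False),      # noisy signature: three benign bursts alerted on
    ("port-sweep", True, True),
    ("port-sweep", False, False),
    ("passwd-access", True, True),
    ("passwd-access", True, True),
    ("passwd-access", False, False),
]


def tally(results):
    """Count true/false positives and negatives per signature."""
    stats = defaultdict(lambda: {"tp": 0, "fp": 0, "fn": 0, "tn": 0})
    for sig, fired, truth in results:
        if fired:
            key = "tp" if truth else "fp"
        else:
            key = "fn" if truth else "tn"
        stats[sig][key] += 1
    return dict(stats)


def precision(c):
    """Fraction of this signature's alerts that were real: the confidence one alert deserves."""
    fired = c["tp"] + c["fp"]
    return c["tp"] / fired if fired else 0.0


def recall(c):
    """Fraction of real attacks of this type that the signature actually reported."""
    real = c["tp"] + c["fn"]
    return c["tp"] / real if real else 0.0


def confidence_report(results):
    """Per-signature precision, rounded: the 'level of confidence' measure the slide asks vendors for."""
    return {sig: round(precision(c), 2) for sig, c in tally(results).items()}


def recall_report(results):
    """Per-signature recall, rounded, so false negatives are visible next to false positives."""
    return {sig: round(recall(c), 2) for sig, c in tally(results).items()}


def false_alarm_rate(results):
    """Share of all alerts that were false positives, across every signature."""
    counts = tally(results).values()
    fired = sum(c["tp"] + c["fp"] for c in counts)
    return sum(c["fp"] for c in counts) / fired if fired else 0.0


def signatures_to_tune(results, min_precision=0.5):
    """Signatures whose precision is below the bar: candidates for tuning or selective deployment."""
    return sorted(sig for sig, c in tally(results).items() if precision(c) < min_precision)


if __name__ == "__main__":
    print("confidence per signature:", confidence_report(SAMPLE_RESULTS))
    print("recall per signature:", recall_report(SAMPLE_RESULTS))
    print("overall false alarm rate:", round(false_alarm_rate(SAMPLE_RESULTS), 2))
    print("signatures to tune:", signatures_to_tune(SAMPLE_RESULTS))
```

Reporting precision and recall side by side is what keeps tuning honest: a signature can be silenced into a perfect precision score while its recall collapses, which is the false-negative half of the issue slide.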

ID Technology Recommendations: For vendors (continued)
- Increase efforts to detect malicious code (attachments, Java, ActiveX)
- Increase interaction with the research community

ID Technology Recommendations: For the research community
- Emphasizing the integration of diverse sources of available data to reduce false alarms
- Providing credible, defensible test data to support test and evaluation of IDS
- Providing a taxonomy of vulnerabilities based on the victim perspective rather than the intruder perspective
- Developing approaches for defending against sophisticated attacks such as denial of service, distributed, coordinated attacks, etc.
- Developing approaches that integrate human analysis as part of event diagnosis
- Developing approaches that support better detection of malicious code
- Increase interaction with the vendor community

State of the Practice of Intrusion Detection Technologies