Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.

Presentation transcript:


Introduction
3 fundamental needs of computer security:
- Prevention
- Detection
- Response
All 3 components are needed for comprehensive protection.

Security in Business
You can lock all the doors and stay safe, or you can open the doors and do some business.

What is Intrusion Detection (ID)?
ID is the art of detecting and responding to computer misuse. Selection of an ID system should be based on environment-specific requirements (how do you want to define an intrusion?).

Terms you should know
- ID – Detecting unauthorized access to a computer and/or a network.
- Misuse Detection – Detecting behavior that matches patterns of misuse.
- Anomaly Detection – Detecting deviations from acceptable behavior profiles.

Terms you should know (contd.)
- False positive – An alarm that is not misuse.
- False negative – Misuse that is not detected or alarmed.
- IDS – A system that collects information from a variety of system and network sources, and then analyzes the information for signs of intrusion and misuse.

In general we can say:
- Intrusion – Attacks originating outside the organization.
- Misuse – Attacks originating inside the organization.

Let's take a step back!
ID – A historical perspective. ID has exploded in recent years, but its roots are considerably more humble: the field initially focused on host-based event log analysis.

Brief Timeline of ID research
1980 – A technical report said that audit records can be used to identify misuse.
– SRI was funded by the US Navy to build a prototype ID Expert System (IDES).
1986 – First paper, "An ID model".
1987 – First annual ID workshop at SRI.
– A student at UCD wrote the Network Security Monitor (NSM).

Timeline (Contd.)
1990 – The US Navy completed a study of ID research projects and selected one.
– Computer Misuse Detection System (CMDS) developed by SAIC.
– A research group at the Air Force created ASIM, a robust IDS.
– Cisco began building network ID into Cisco routers.

Timeline (Contd.)
1999 – Federal ID Network (FIDNet) was created to detect network infrastructure attacks against government sites.
After that – A lot of research papers and implementations.

Network v/s Host based ID
All ID methods are basically based on analysis of a set of discrete, time-sequenced events for patterns of misuse.
- Host based ID – examines events like file access and application execution.
- Network based ID – examines network traffic.

Which one do you need?
For comprehensive detection? BOTH! Each has pros and cons that should be measured against the requirements of the environment. Systems using both kinds of detection are called "Hybrid Systems".

Anatomy of IDS
ID Systems have 2 main tasks:
- Detecting
- Responding

Command Console
The authority for controlling the entire system (the nerve center); it may also be operated remotely. It has tools for setting policies and processing collected alarms.
- Assessment manager – controls the collection of static configuration info.
- Target manager – maintains connections with components on the target side.
- Alert manager – collects and maintains alert data.

Network Sensors
Basically 2 types:
- Promiscuous-mode sensors reside on dedicated machines.
- Network-node sensors run on the machines they monitor.

Alert Notification System
Basic task is to notify the security officer. How?
- On-screen alerts
- Audible alerts
- Paging
- 
- SNMP (wow!)

Response Subsystem
Takes actions based on threats to the target systems:
- automatic
- system operator (manual)
What actions?
- reconfiguration
- shutting down the connection

Database
Repository for statistics. Useful for damage assessment and investigation.

ID Process
Have a simple but effective policy. The policy defines acceptable activity (and, by contrast, what is not acceptable), e.g. a ping sweep, or a packet coming in from outside with a source address belonging to the inside network. Policies are turned into rules for the IDS.
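The two policy violations named on this slide, a ping sweep and an outside packet carrying an inside source address, turned into IDS rules over a constructed set of packet summaries. This is an added example, not code from the presentation; the internal address range, the interface names and the packet records are assumptions made up for the demonstration.

```python
"""Two policy statements compiled into IDS rules (added example, constructed data)."""
from collections import defaultdict
import ipaddress

# Assumption: the organisation's inside address space.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed packet summaries as a sensor might hand them to the analysis engine:
# (timestamp in seconds, arrival interface, src, dst, protocol, icmp_type or None)
PACKETS = [
    (0.0,  "outside", "203.0.113.5",  "10.0.0.7", "tcp",  None),
    (0.5,  "outside", "10.0.0.9",     "10.0.0.7", "tcp",  None),  # inside address arriving from outside
    (0.7,  "inside",  "10.0.0.3",     "10.0.0.7", "tcp",  None),  # inside address on the inside: fine
    (1.0,  "outside", "198.51.100.4", "10.0.0.1", "icmp", 8),     # echo requests to many hosts ...
    (1.2,  "outside", "198.51.100.4", "10.0.0.2", "icmp", 8),
    (1.4,  "outside", "198.51.100.4", "10.0.0.3", "icmp", 8),
    (1.6,  "outside", "198.51.100.4", "10.0.0.4", "icmp", 8),     # ... within a short window
    (2.0,  "outside", "192.0.2.8",    "10.0.0.1", "icmp", 8),     # two pings, far apart: not a sweep
    (30.0, "outside", "192.0.2.8",    "10.0.0.2", "icmp", 8),
    (3.0,  "outside", "203.0.113.5",  "10.0.0.7", "icmp", 0),     # echo reply, ignored by the sweep rule
]


def spoofed_source_alerts(packets, inside_net=INSIDE_NET):
    """Policy: a packet arriving on the outside interface must not carry an inside source address."""
    return [p for p in packets
            if p[1] == "outside" and ipaddress.ip_address(p[2]) in inside_net]


def ping_sweep_alerts(packets, window_s=5.0, min_hosts=4):
    """Policy: one source sending ICMP echo requests to at least min_hosts distinct
    destinations within window_s seconds is treated as a ping sweep."""
    requests = defaultdict(list)          # source -> [(timestamp, destination)]
    for ts, iface, src, dst, proto, icmp_type in packets:
        if proto == "icmp" and icmp_type == 8:   # echo request only
            requests[src].append((ts, dst))

    alerts = []
    for src, events in requests.items():
        events.sort()
        # Slide a window starting at each request; alert once per source.
        for i, (start, _) in enumerate(events):
            hosts = {dst for ts, dst in events[i:] if ts - start <= window_s}
            if len(hosts) >= min_hosts:
                alerts.append((src, sorted(hosts)))
                break
    return alerts


if __name__ == "__main__":
    for p in spoofed_source_alerts(PACKETS):
        print("spoofed inside source from outside:", p)
    for src, hosts in ping_sweep_alerts(PACKETS):
        print("ping sweep from", src, "to", hosts)
```

The thresholds (window length, number of hosts) are exactly the part of a policy that has to be tuned per environment: a monitoring host that legitimately pings the whole subnet needs either a larger threshold or an exception, otherwise every run of it is a false positive.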

Traditional audit v/s ID
Understanding the difference will influence requirement definition.
Traditional audit:
- Counting and confirming periodically
- Password policies
- Security patches
- Guest account enabled (shouldn't be!!)
- Locking screen-savers enabled (shouldn't be disabled!!)

Then what is the difference?
ID systems look for patterns of behavior, as opposed to the state of controls. e.g.
- A configuration scanner will check the password policy.
- An IDS looks for 3 failed login attempts.
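The contrast on this slide, state of controls versus patterns of behavior, side by side in code. This is an added example, not from the presentation: the host configuration, the policy limits and the syslog-style auth lines are all constructed for the demonstration, and the 5-minute window around the 3 failed attempts is an assumption (the slide gives only the count).

```python
"""Configuration scanner (state) next to an IDS rule (behavior): added example, constructed data."""
import re
from collections import defaultdict
from datetime import datetime

# --- State of controls: what a configuration scanner checks -----------------
# Constructed snapshot of one host's settings.
HOST_CONFIG = {
    "password_min_length": 6,
    "guest_account_enabled": True,
    "screensaver_lock_enabled": False,
}


def config_findings(config, min_password_length=8):
    """Compare a configuration snapshot against policy; no history is needed."""
    findings = []
    if config["password_min_length"] < min_password_length:
        findings.append("password minimum length below policy")
    if config["guest_account_enabled"]:
        findings.append("guest account enabled")
    if not config["screensaver_lock_enabled"]:
        findings.append("locking screen-saver not enabled")
    return findings


# --- Pattern of behavior: what an IDS looks for -----------------------------
# Constructed syslog-style authentication log.
AUTH_LOG = """\
Jan 24 10:01:02 host sshd[411]: Failed password for alice from 10.0.0.5 port 50022 ssh2
Jan 24 10:01:05 host sshd[411]: Failed password for alice from 10.0.0.5 port 50022 ssh2
Jan 24 10:01:09 host sshd[411]: Failed password for alice from 10.0.0.5 port 50022 ssh2
Jan 24 10:02:00 host sshd[412]: Accepted password for bob from 10.0.0.6 port 50100 ssh2
Jan 24 10:03:10 host sshd[413]: Failed password for bob from 10.0.0.6 port 50101 ssh2
Jan 24 10:20:00 host sshd[414]: Failed password for bob from 10.0.0.6 port 50102 ssh2
Jan 24 10:40:00 host sshd[415]: Failed password for bob from 10.0.0.6 port 50103 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")


def failed_login_alerts(log_text, threshold=3, window_s=300):
    """Alert when one (user, source) pair has `threshold` failures within `window_s` seconds.
    Unlike the scanner, this needs the sequence of events, not just the current state."""
    attempts = defaultdict(list)  # (user, src) -> [timestamp, ...]
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        # syslog timestamps carry no year; only differences are used, so 1900 is fine.
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        attempts[(m.group(1), m.group(2))].append(ts)

    alerts = []
    for key, times in attempts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                alerts.append(key)
                break
    return alerts


if __name__ == "__main__":
    print("scanner findings:", config_findings(HOST_CONFIG))
    print("IDS alerts:", failed_login_alerts(AUTH_LOG))
```

With the default 5-minute window only alice's three rapid failures raise an alert; bob's three failures over 37 minutes do not. Widening the window to an hour catches bob as well, at the price of more alerts on ordinary typos, which is the false-positive versus false-negative trade-off the terminology slide names.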

Integrity Checkers
Use MD5 or CRC checksums:
- Tripwire
- Tools in COPS
The IDS can track the exact modification information. This is typically used for mission-critical files only.
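A minimal integrity checker of the Tripwire kind: record a baseline of digests for a set of files, then later report which files were modified, removed or added. This is an added example written for this page, not Tripwire's or COPS's code. The slide names MD5 or CRC; the example parameterizes the hash and defaults to SHA-256, which is what a checker built today would use. The files and the directory are constructed in a temporary directory so the demonstration runs offline.

```python
"""Baseline-and-verify file integrity checker (added example; constructed files)."""
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algo)          # "md5" also works here, as the slide mentions
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Record digest, size and mode for every file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            baseline[rel] = {"digest": file_digest(full, algo),
                             "size": st.st_size, "mode": st.st_mode}
    return baseline


def verify(root, baseline, algo="sha256"):
    """Compare the current tree with the baseline; the report is the modification information."""
    current = build_baseline(root, algo)
    report = {"modified": [], "missing": [], "added": []}
    for rel, rec in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif (current[rel]["digest"] != rec["digest"]
              or current[rel]["mode"] != rec["mode"]):
            report["modified"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    for key in report:
        report[key].sort()
    return report


def run_demo():
    """Create a constructed tree, take a baseline, change it, and return the verify() report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"\x7fELF-constructed-binary")

        baseline = build_baseline(root)

        # Simulated changes since the baseline was taken.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")        # modified content
        os.remove(os.path.join(root, "bin", "login"))       # removed file
        with open(os.path.join(root, "etc", "rc.local"), "w") as f:
            f.write("echo constructed\n")                   # new file

        return verify(root, baseline)


if __name__ == "__main__":
    print(run_demo())
```

The baseline is only as trustworthy as its storage: it has to be written once from a known-good state and kept where the monitored host cannot rewrite it (read-only media or another machine), otherwise whoever changes the files can regenerate the baseline to match.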

Un/acceptable behavior
Infinite possibilities. Breaking "misuse" down into categories can help:
- unauthorized access/reading
- unauthorized modification
- DoS

Detecting deviation from acceptable behavior
There is no HARD line between acceptable and unacceptable behavior. 3 models:
- Perfect acceptable behavior model
- Real world behavior model
- Perfect unacceptable behavior model

So, ID: Science or Art??
The factor to consider here is the noise produced by ID. ID tools are really best used as support systems, as opposed to definitive measuring devices. So it is more of an art of defining rules.
p.s. Researchers don't like their projects being compared with "art".

Questions ?

Until then..