IIT Indore © Neminah Hubballi

Presentation transcript:

Intrusion Detection
Dr. Neminath Hubballi, IIT Indore

Intrusion
- When a user of an information system takes an action that the user is not legally allowed to take, it is called an intrusion.
- It attempts to compromise the confidentiality, integrity and/or availability of a system resource.
- Intrusion detection is a second line of defense, the first being intrusion prevention systems.
- It can identify classes of intruders: spoofing, illegal logins, worm propagation.

Intrusion Detection
- Intrusion detection: monitor the system's execution for security violations and take corrective measures when a violation is detected.
- It involves determining that some entity has attempted, or worse, gained access to system resources in an unauthorized way.

IDS Taxonomy
- Detection method (characteristics of the analyzer):
  - Behavior based: uses information about normal behavior.
  - Knowledge based: uses information about attacks.
- Behavior on detection (the response of the system):
  - Passive alerting.
  - Active response.
- Audit source location:
  - Host log files.
  - Network packets.
- Usage frequency:
  - Continuous monitoring.
  - Periodic monitoring.

Host Based IDS
- Concerned with the security of a single machine.
- Typically works by protecting the file system and other key data structures through change detection.
- Uses the system's log information for analysis, e.g. syslog.
- With some modification to the OS kernel, the IDS can be made to look at system calls and model them for intrusion detection.
- Tripwire is an example of this kind of IDS.
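As an added example (not Tripwire's code, nor part of the slides), the change-detection idea behind a host-based IDS: a baseline of file fingerprints is recorded for a monitored tree, and a later scan is compared against it. The directory layout and file contents below are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Added example (not Tripwire's code): the change-detection idea behind a host-based
# IDS. A baseline of (sha256, size) per file is recorded for a monitored tree and a
# later scan is compared to it, reporting added, removed and modified files.
def file_fingerprint(path):
    """Hash the file in chunks; size alone is not enough, content can change at equal size."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest(), os.path.getsize(path)

def build_baseline(root):
    """Fingerprint every regular file below root, keyed by its relative path."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root).replace(os.sep, "/")] = file_fingerprint(path)
    return baseline

def check_integrity(baseline, root):
    """Rescan and diff against the stored baseline."""
    current = build_baseline(root)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p])}

def write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)

def demo():
    """Constructed scenario: baseline a small tree, then change it and rescan."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        write(root, "etc/hosts", "127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\nguest:x:1001:1001::/home/guest:/bin/sh\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        write(root, "etc/new.conf", "option=1\n")
        return check_integrity(baseline, root)

if __name__ == "__main__":
    print(demo())
```

The scheme only holds if the baseline itself is stored where an intruder on the host cannot rewrite it (read-only media or a separate system), which is exactly the operational requirement Tripwire places on its database.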

State Modeling
- Encodes the behavior as a set of states; an action in the system triggers the movement to the next state.
- The state of a system is a function of all the users, processes, and data present at a given time.
- The system starts in a state representing normal behavior, and each illegal event takes it towards the state representing the intrusion.

State Modeling: Generic State Transition Diagram (figure)
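As an added example (not from the slides), a small state-transition detector of the kind described on the State Modeling slide: the model starts in the normal state, matching events move it towards the intrusion state, and events with no transition leave the state unchanged. The states, events and transitions are a constructed scenario, not a standard ruleset.

```python
# Added example (not from the slides): a state-transition detector. The model starts
# in a state representing normal behaviour; each event that matches a transition moves
# it towards the intrusion state, and events with no transition from the current state
# leave the state unchanged. States and events are a constructed scenario.
TRANSITIONS = {
    ("normal", "auth_fail"): "probing",
    ("probing", "auth_fail"): "probing",
    ("probing", "auth_ok"): "suspicious_session",   # success immediately after failures
    ("probing", "idle_timeout"): "normal",           # probing stopped: back to normal
    ("suspicious_session", "priv_change"): "intrusion",
    ("suspicious_session", "logout"): "normal",
}

def run_model(events, transitions=TRANSITIONS, start="normal", final="intrusion"):
    """Feed events through the model. Returns (final state, index of the event that
    reached the intrusion state or None, trace of visited states)."""
    state, trace = start, [start]
    for i, event in enumerate(events):
        state = transitions.get((state, event), state)
        trace.append(state)
        if state == final:
            return state, i, trace
    return state, None, trace

# Constructed event streams for one account: a typo'd password followed by a clean
# session, versus repeated failures followed by a privilege change.
BENIGN = ["auth_fail", "auth_ok", "logout", "auth_ok", "priv_change"]
SUSPECT = ["auth_fail", "auth_fail", "auth_fail", "auth_ok", "priv_change"]

if __name__ == "__main__":
    print(run_model(BENIGN))
    print(run_model(SUSPECT))
```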

Signature Based Detection: General view (figure; components: Network, Packets, NIDS Sensor, Signature Database, Alerts, Analysis Backend)

Rule-Based Intrusion Detection: Snort and Bro
Ex 1: log tcp any any -> 192.168.1.0/24 !6000:6010
Ex 2: alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl: 100;)
Ex 3: alert ip any any -> 192.168.1.0/24 any (content-list: "porn"; msg: "Porn word matched";)
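As an added example (not Snort's own code and not part of the slides), a simplified matcher for the three rules above, run over constructed packets. It handles the header fields (action, protocol, addresses with CIDR, port ranges with "!" negation) and the msg, ttl and content options; real Snort has many more options, and content-list names a file of strings, whereas here the quoted string is matched directly against the payload.

```python
import ipaddress
import re
# Added example (not Snort's own code): a simplified matcher for the rule syntax on
# this slide, run over constructed packets. Real Snort has many more options, and
# content-list names a file of strings; here the quoted string is matched directly.
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?$")
def parse_rule(text):
    text = " ".join(text.replace("\\", " ").split())  # drop line continuations
    action, proto, sip, sport, dip, dport, opts = RULE_RE.match(text).groups()
    options = {}
    for opt in filter(None, (o.strip() for o in (opts or "").split(";"))):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": (sip, sport), "dst": (dip, dport), "options": options}

def ip_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):  # any, single port, lo:hi, open-ended ranges, '!' negation
    if spec == "any":
        return True
    negate = spec.startswith("!")
    lo, sep, hi = spec.lstrip("!").partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return (low <= port <= high) != negate

def rule_matches(rule, pkt):  # pkt: dict with proto, src, sport, dst, dport, ttl, payload
    if rule["proto"] not in ("ip", pkt["proto"]):  # proto 'ip' matches every protocol
        return False
    for (ipspec, pspec), addr, port in ((rule["src"], pkt["src"], pkt["sport"]), (rule["dst"], pkt["dst"], pkt["dport"])):
        if not (ip_matches(ipspec, addr) and port_matches(pspec, port)):
            return False
    o = rule["options"]
    if "ttl" in o and pkt["ttl"] != int(o["ttl"]):
        return False
    content = o.get("content") or o.get("content-list")
    return not content or content.encode() in pkt["payload"]

RULES = ["log tcp any any -> 192.168.1.0/24 !6000:6010",
         'alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl: 100;)',
         'alert ip any any -> 192.168.1.0/24 any (content-list: "porn"; msg: "Porn word matched";)']
def pkt(proto, src, sport, dst, dport, ttl=64, payload=b""):  # constructed sample traffic
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, ttl=ttl, payload=payload)
PACKETS = [pkt("tcp", "10.0.0.5", 40000, "192.168.1.10", 22, payload=b"SSH-2.0"),
           pkt("tcp", "10.0.0.5", 40001, "192.168.1.10", 6005), pkt("icmp", "10.0.0.7", 0, "192.168.1.1", 0, ttl=100),
           pkt("udp", "10.0.0.9", 5000, "192.168.1.20", 80, payload=b"GET /porn.html")]
def evaluate(packets=PACKETS, rules=RULES):  # per packet: (action, msg) of every rule that fires
    parsed = [parse_rule(r) for r in rules]
    return [[(r["action"], r["options"].get("msg", "")) for r in parsed if rule_matches(r, p)] for p in packets]
```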

Anomaly Detection
- Builds models of normal behavior and automatically detects any deviation from it.
- Collect data and determine the pattern of legitimate users.
- Threshold detection: define thresholds for the frequency of occurrence of events.
- Profile based detection: develop a profile of activity for each user.

Anomaly Detection Methods
- Statistical approach: a simple statistical count of activities decides the boundary between normal and abnormal.
- A relatively old method of IDS technology.
- Works from a vague definition of system behavior, but is still relevant.
- Produces a large number of false alarms if the system behavior changes frequently.

Anomaly Detection Methods (cont.)
- Machine learning techniques:
  - Classification: decision tree, SVM, neural network, fuzzy logic, etc.
  - Clustering: based on the assumption that normal and abnormal behaviors fall into two different clusters, hence grouping them is very easy.
  - Hybrid: combining different classification techniques with the ambitious objective of achieving better classification efficiency.

IDS Terminology
- True Positive (TP): the attack succeeded and the IDS was able to detect it (Success & Detection).
- True Negative (TN): the attack failed and the IDS did not report on it (¬Success & ¬Detection).
- False Positive (FP): the attack failed and the IDS reported on it (¬Success & Detection).
- False Negative (FN): the attack succeeded and the IDS was not able to detect it (Success & ¬Detection).

Performance Metrics for IDS
- Accuracy: the proper detection of attacks and the absence of false alarms.
- Performance: the rate at which traffic and audit events are processed.
  - To keep up with traffic, it may not be possible to put the IDS at the network entry point.
  - Instead, place multiple IDSs downstream.
- Fault tolerance: resistance to attacks.
  - Should be run on a single hardened host that supports only intrusion detection services.
- Timeliness: time elapsed between intrusion and detection.

Characterizing the IDS
- Effectiveness
- Efficiency
- Ease of use
- Security
- Interoperability
Indian Institute of Technology Guwahati, 22-04-2017

Base Rate Fallacy
- Hypothesize a figurative computer network with:
  - Tens of workstations
  - A few servers
  - A few dozen users
  - 1,000,000 audit records per day
  - 1 or 2 attempted attacks per day
  - 10 audit records per attack

Bayesian Detection Rate
- True positive rate:
- False positive rate:
- False negative rate:
- True negative rate:
- Our interest is the Bayesian detection rate:
- Absence of an alarm, i.e., nothing to worry about:

Bayesian Detection Rate
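As an added example (not from the slides), the base-rate numbers of the hypothetical network on the Base Rate Fallacy slide carried through Bayes' rule to the Bayesian detection rate P(I | A). The detector's true positive rate (1.0) and false positive rate (1e-5) are assumed values, since the slides leave the rates unspecified.

```python
# Added example (not from the slides): the base-rate numbers of the hypothetical
# network carried through Bayes' rule. The detector's true positive rate (1.0) and
# false positive rate (1e-5) are assumed values; the slides leave them unspecified.
RECORDS_PER_DAY = 1_000_000
ATTACKS_PER_DAY = 2          # the slide says 1 or 2; 2 is the case that favours the detector
RECORDS_PER_ATTACK = 10

def prior_intrusion(records_per_day=RECORDS_PER_DAY, attacks=ATTACKS_PER_DAY, per_attack=RECORDS_PER_ATTACK):
    """P(I): fraction of audit records that belong to an intrusion."""
    return attacks * per_attack / records_per_day

def bayesian_detection_rate(p_i, tpr, fpr):
    """P(I | A): probability that an alarm really is an intrusion.
    Bayes: P(I|A) = P(A|I)P(I) / (P(A|I)P(I) + P(A|not I)P(not I))."""
    return tpr * p_i / (tpr * p_i + fpr * (1 - p_i))

def quiet_is_safe(p_i, tpr, fpr):
    """P(not I | not A): probability that the absence of an alarm means nothing is wrong."""
    tnr, fnr = 1 - fpr, 1 - tpr
    return tnr * (1 - p_i) / (tnr * (1 - p_i) + fnr * p_i)

def max_fpr_for(target, p_i, tpr=1.0):
    """Largest false positive rate that still gives P(I | A) >= target."""
    return tpr * p_i * (1 - target) / (target * (1 - p_i))

if __name__ == "__main__":
    p_i = prior_intrusion()
    for fpr in (1e-3, 1e-4, 1e-5, 1e-6):
        print(f"FPR={fpr:g}: P(I|A)={bayesian_detection_rate(p_i, 1.0, fpr):.4f}")
    print("FPR needed for 99% credible alarms:", f"{max_fpr_for(0.99, p_i):.2e}")
```

Even with a perfect true positive rate, one false alarm per 100,000 records leaves about a third of all alarms spurious; to make 99% of alarms real the false positive rate would have to fall to roughly two in ten million.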

IDS Historical Perspective