Intrusion Detection Systems


Intrusion Detection Systems
- What is an IDS?
- Definition
- Characteristics
- Examples of existing IDS
- Strengths/weaknesses of IDS

What is an IDS?
Definition: a piece of software that monitors a computer system to detect:
- Intrusion: unauthorized attempts to use the system
- Misuse: abuse of existing privileges
and responds by:
- Logging activity
- Notifying a designated authority
- Taking appropriate countermeasures

Why Use an IDS?
Security is often expensive/cumbersome:
- Cost
- Restrictions on users/functionality
Designers try to offer users "reasonable" levels of security, so security breaches will still occur.
Detection allows:
- Finding and fixing the most serious security holes
- Perhaps holding intruders responsible for their actions
- Limiting the amount of damage an attacker can do

Goals of an IDS
- Run continually
- Be fault tolerant
- Resist subversion
- Minimize overhead
- Be easily configurable
- Cope with changing system behavior
- Be difficult to fool
- Minimize false positives and false negatives

IDS Characteristics
- Detection model: misuse detection vs. anomaly detection
- Scope: host based, multihost based, network based
- Operation: off-line vs. real-time
- Architecture: centralized vs. distributed

IDS Detection Model
Misuse detection: recognize known attacks
- Define a set of attack signatures
- Detect actions that match a signature
- Add new signatures often
- Examples: ARMD, ASIM, Bro, CSM, CyberCop, GRIDS, Stalker, Tripwire
Anomaly detection: recognize atypical behavior
- Define a set of metrics for the system
- Build a statistical model for those metrics during "normal" operation
- Detect when metrics differ significantly from normal
- Examples: AAFID, MIDAS, NADIR, UNICORN
Hybrid
- Examples: CMDS, DIDS, EMERALD, INBOUNDS, NIDES, RealSecure

IDS Scope
Host based
- Scrutinize data from a single host
- Examples: ARMD, MIDAS, Tripwire
Multihost based
- Analyze data from multiple hosts
- Examples: AAFID, DIDS, CMDS, CSM, NIDES, Stalker
Network based
- Examine network traffic (and possibly data from the connected hosts)
- Examples: ASIM, Bro, CyberCop, EMERALD, GRIDS, INBOUNDS, NADIR, RealSecure, UNICORN

IDS Operation
Off-line
- Inspect system logs at set intervals
- Report any suspicious activity that was logged
- Examples: ASIM, NADIR, Stalker, Tripwire
Real-time
- Monitor the system continuously
- Report suspicious activity as soon as it is detected
- Examples: AAFID, ARMD, Bro, CMDS, CSM, CyberCop, DIDS, EMERALD, GRIDS, INBOUNDS, MIDAS, NIDES, RealSecure, UNICORN

IDS Architecture
Centralized
- Data collected from single or multiple hosts
- All data shipped to a central location for analysis
- Examples: ARMD, ASIM, Bro, CMDS, CSM, CyberCop, DIDS, MIDAS, NADIR, NIDES, RealSecure, Stalker, Tripwire, UNICORN
Hierarchical
- Data collected from multiple hosts
- Data is analyzed as it is passed up through the layers
- Examples: EMERALD, INBOUNDS
Distributed
- Data collected at each host
- Distributed analysis of the data
- Examples: AAFID, CSM, GRIDS

Case Study: Tripwire
- A file integrity-checking tool
- Developed at Purdue University (released in 1993)
- Off-line, centralized, host-based, misuse detection
- Uses file signatures (checksums/hashes) to check for added, deleted, and modified files
- Popular, portable, configurable, scalable, manageable, automated, secure

Background – File Systems
Provide long-term storage for:
- User data and programs
- System programs and databases
A popular target for attackers:
- Unauthorized access to user or system files to uncover private information
- Modify system databases to allow future entry (e.g. /etc/passwd)
- Modify system programs to allow future entry (e.g. back doors)
- Cleansing of system logs to thwart detection

Tripwire - Overview
- A checklist is created which contains one entry for each file being monitored
- The checklist should be secure against unauthorized modifications
- Each entry in the checklist is a fingerprint for the corresponding file
- Fingerprints should:
  - Be efficient to compute
  - Be hard to invert
  - Depend on the entire contents of the file
  - Be very likely to change if the file changes
  - Be very unlikely to match fingerprints from other files

Tripwire – Overview (cont)
[Diagram] Files residing on the file system + config file -> generate -> new database; new database vs. old database -> compare -> apply masks -> report

Tripwire Database
- Unencrypted and world-readable
- To prevent the database from being tampered with, it is recommended that it be:
  - Installed and updated in a secure manner (e.g. single-user mode)
  - Stored either on read-only media, on a write-protected disk, or on a "secure server" (e.g. read-only NFS)

Tripwire Configuration Files
Contains:
- A list of directories (or files) to be monitored
- A mask for each that describes which attributes can change without being reported
Mask bits (all fields stored in a file's inode):
- p: permissions
- i: inode number
- n: number of links
- u: user id
- g: group id
- s: size of file
- m: modification timestamp
- a: access timestamp
- [1-10]: signature #1, signature #2, etc.
Signature algorithms supported: MD5, MD4, MD2, Snefru, SHA, CRC-32, CRC-16

Tripwire Configuration Files (cont)
Using masks:
- Fields can be added ("+") or subtracted ("-") from the set of items to be examined for a file
- Example: +pinugsm12-a = report changes to all fields except the access timestamp
Mask templates:
- R = +pinugsm12-a = read-only files; only the access timestamp is ignored
- L = +pinug-sma12 = log files; changes to file size, access time, modification time, and signatures are ignored
- N = +pinugsma12 = ignore nothing
- E = -pinugsma12 = ignore everything

Tripwire Configuration File - Example
    # file/dir        mask
    /etc              R      # all files under /etc are read-only
    @@ifhost solaria.cs.purdue.edu
    !/etc/lp                 # except for printer logs
    @@endif
    /etc/passwd       N      # ignore nothing
    /etc/motd         L      # log file
    =/var/tmp         R      # only the directory, not its contents


Tripwire Reports
- The new database is computed and compared with the old one
- Any differences are passed through the masks in the configuration file
- Differences that are not masked out are written to a report, e.g.:
    changed: -rw-r--r-- root  20 Sep 17 13:46:43 1993 /.rhosts
    ### Attr  Observed                  Expected
    ### ====  ========                  ========
        m     Fri Sep 17 13:46:43 1993  Tue Sep 14 20:05:10 1993
        a     Fri Sep 17 13:46:43 1993  Tue Sep 14 20:05:10 1993
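The mask handling and database comparison described on the last few slides, as an added Python example (not Tripwire's own code): it expands the R/L/N/E templates and +/- mask strings, builds a fingerprint entry per file from its inode fields plus two signatures, and reports only the attribute changes a file's mask does not ignore. It assumes signature slots 1 and 2 only (SHA-1 and CRC-32 standing in for the configured algorithms) and a constructed two-file database.

```python
import hashlib
import zlib

# Tripwire mask letters and the file attribute each one covers (signature slots 1 and 2 only here)
MASK_KEYS = {"p": "mode", "i": "ino", "n": "nlink", "u": "uid", "g": "gid",
             "s": "size", "m": "mtime", "a": "atime", "1": "sig1", "2": "sig2"}
# Mask templates from the slides
TEMPLATES = {"R": "+pinugsm12-a", "L": "+pinug-sma12", "N": "+pinugsma12", "E": "-pinugsma12"}

def parse_mask(mask):
    """Expand a template or +/- mask string into the set of attributes that must be reported."""
    selected, adding = set(), True
    for ch in TEMPLATES.get(mask, mask):
        if ch in "+-":
            adding = ch == "+"
        elif adding:
            selected.add(MASK_KEYS[ch])
        else:
            selected.discard(MASK_KEYS[ch])
    return selected

def fingerprint(inode_fields, contents):
    """One database entry: the inode fields plus two signatures (SHA-1 and CRC-32 stand in here)."""
    entry = dict(inode_fields)
    entry["sig1"] = hashlib.sha1(contents).hexdigest()
    entry["sig2"] = "%08x" % zlib.crc32(contents)
    return entry

def compare(old_db, new_db, masks):
    """Diff two databases; for files in both, report only attributes the file's mask does not ignore."""
    report = {"added": sorted(set(new_db) - set(old_db)),
              "deleted": sorted(set(old_db) - set(new_db)), "changed": {}}
    for path in sorted(set(old_db) & set(new_db)):
        watched = parse_mask(masks.get(path, "R"))  # unlisted files default to read-only
        diffs = {k: (old_db[path][k], new_db[path][k])
                 for k in sorted(watched) if old_db[path][k] != new_db[path][k]}
        if diffs:
            report["changed"][path] = diffs
    return report

# Constructed sample run: /.rhosts is read-only (R) and was touched; the log file (L) only grew
_BASE = dict(mode=0o100644, ino=1234, nlink=1, uid=0, gid=0, size=20, mtime=748000000, atime=748000000)
OLD_DB = {"/.rhosts": fingerprint(_BASE, b"trusted.example.com\n"),
          "/var/log/messages": fingerprint(dict(_BASE, ino=99, size=100), b"x" * 100)}
NEW_DB = {"/.rhosts": fingerprint(dict(_BASE, mtime=748300000, atime=748300000), b"trusted.example.com\n"),
          "/var/log/messages": fingerprint(dict(_BASE, ino=99, size=150, mtime=748300000, atime=748300000), b"x" * 150)}
REPORT = compare(OLD_DB, NEW_DB, {"/.rhosts": "R", "/var/log/messages": "L"})

if __name__ == "__main__":
    for path, diffs in REPORT["changed"].items():
        print("changed:", path)
        for attr, (expected, observed) in diffs.items():
            print("  %-6s observed=%s expected=%s" % (attr, observed, expected))
```

Under the R template the access-time change on /.rhosts is masked out, so only the m field is reported; under L the log file's growth and new timestamps produce no report at all.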

Limitations of Host Based Intrusion Detection
- No global knowledge or context information
- Must run the IDS on the host being monitored
- Overhead
- Host compromise = IDS compromise
- Recovery options are limited

NIDES
- Next-generation Intrusion Detection Expert System (NIDES) – a follow-on to SRI's Intrusion Detection Expert System (IDES)
- Developed at SRI International (released in 1994)
- A collection of target hosts collect system audit data and transfer it to a NIDES host for analysis and intrusion detection
- Real-time, centralized, multihost-based anomaly and misuse detection

NIDES - Overview
Data collection is performed by target hosts connected by a network:
- The agend daemon is started on each target host at boot time and receives requests to start and stop the agen process on that host
- The agen process collects system audit data, converts it into a system-independent format, and sends it to the arpool process on the NIDES host
Data analysis is performed on a NIDES host (which is not monitored):
- The arpool process collects audit data from the target hosts and provides it to the analysis components
- Statistical analysis component (anomaly)
- Rulebased analysis component (misuse)

NIDES – Overview (cont)

NIDES – Statistical Analysis
- Adaptive historical profiles for each "user" are maintained
- Updated regularly
- Old data "aged" out during profile updates
- An alert is raised whenever observed behavior differs significantly from established patterns
- Parameters and thresholds can be customized
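An added Python illustration of the adaptive-profile idea on this slide (not NIDES code): a per-user profile of one audit measure keeps an exponentially aged mean and variance, so old sessions fade out, and a session is flagged when it lies more than a configurable number of standard deviations from the profile. The half-life, the minimum history before scoring, the threshold, and the audit summary are all constructed assumptions; real NIDES scores many measures jointly.

```python
import math

class AdaptiveProfile:
    """Exponentially aged mean/variance of one per-user measure (a simplified stand-in for the
    NIDES statistical component, which scores many measures jointly)."""

    def __init__(self, half_life, min_history=5.0):
        self.decay = 0.5 ** (1.0 / half_life)  # weight kept per update, so old data ages out
        self.min_history = min_history          # effective sample count needed before scoring
        self.n = self.mean = self.m2 = 0.0      # aged weight, mean, and weighted sum of squares

    def score(self, x):
        """How many standard deviations x lies from the profile (0.0 while history is too short)."""
        if self.n < self.min_history:
            return 0.0
        var = self.m2 / self.n
        if var == 0.0:
            return 0.0 if x == self.mean else math.inf
        return abs(x - self.mean) / math.sqrt(var)

    def update(self, x):
        """Age the existing history, then fold x in (weighted incremental mean/variance)."""
        self.n = self.decay * self.n + 1.0
        self.m2 *= self.decay
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

def scan_sessions(values, half_life=10, threshold=3.0):
    """Return indices of sessions whose measure deviates significantly from the adaptive profile.
    Anomalous sessions are not folded into the profile, so one outlier cannot redefine 'normal'."""
    profile, alerts = AdaptiveProfile(half_life), []
    for i, x in enumerate(values):
        if profile.score(x) > threshold:
            alerts.append(i)
        else:
            profile.update(x)
    return alerts

# Constructed audit summary: files accessed per login session for one user; session 15 is the outlier
SESSIONS = [20, 21, 19, 20, 22, 20, 21, 19, 20, 22, 20, 21, 19, 21, 20, 180, 21, 20]
ALERTS = scan_sessions(SESSIONS)

if __name__ == "__main__":
    print("alerts on sessions:", ALERTS)
```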

NIDES – Rulebased Analysis
- NIDES comes with a basic rulebase for SUN UNIX
- Encoded in the rulebase:
  - Known attacks and intrusion scenarios
  - Specific actions or patterns of behavior that are suspicious or known security violations
- The expert system looks for matches between current activity and rules in the rulebase and raises alerts
- The rulebase can also be extended and updated by sites using NIDES

NIDES – Resolver
Filters alerts to:
- Remove false alarms
- Remove redundancies
- Direct notification to the appropriate authority

Limitations of Multihost Based Intrusion Detection
- Much larger volume of data
- No information about communications: data, patterns
- Centralized detection might be fooled by data cleansing
- Distributed detection might be fooled by lack of agreement

Limitations of Network Based Intrusion Detection
- Network data rates are very high
- Encryption of network traffic is becoming more popular
- Switched environments are becoming more popular
- Difficult to ensure that the network IDS sees the same data as the end hosts

Summary
An Intrusion Detection System (IDS) is a piece of software that monitors a computer system to detect:
- Intrusion (unauthorized attempts to use the system) and misuse (abuse of existing privileges)
and responds by:
- Logging activity, notifying a designated authority, or taking appropriate countermeasures
Many different IDSs are available and they can be categorized according to their:
- Detection model (misuse detection, anomaly detection, hybrid)
- Scope (host based, multihost based, network based)
- Operation (off-line vs. real-time)
- Architecture (centralized, hierarchical, distributed)