1 60-564 Survey “Intrusion Detection: Systems and Models” “A Stateful Intrusion Detection System for World-Wide Web Servers”

2 Outline
- Introduction
- Computer attacks
- The STAT framework
- Intrusion Detection System
- A novel IDS – WebSTAT
- Performance evaluation
- Conclusion

3 Introduction
- Computer security is the protection of computer resources: read and write access to a data file, processing time, communication over a network link
- An intrusion is somebody attempting to break into or misuse your system
- An IDS is a network security system designed to identify intrusive or malicious behavior by monitoring network activity

4 Computer Attacks
- Worms - self-replicating programs that spread across a network.
- Viruses - programs that replicate when a user performs some action such as running a program.
- Server attacks - a client exploits a bug in the server to cause it to perform some unintended action.
- Client attacks - a server exploits a bug in a client to cause it to perform some unintended action.
- Network attacks (denial of service) - a remote attacker exploits a bug in the network software or a weakness in the protocol to cause a server, router, or network to fail.
- Root attacks - a user on a multiuser operating system obtains the privileges of another user (usually root)

5 Computer Attacks - Worm
- A worm is an independent program that replicates from machine to machine across network connections.
- The three security flaws:
  - Backdoor: bypasses the normal security mechanisms; usually installed for maintenance purposes
  - Buffer overflow: a process contains code, data, and stack; the stack stores information associated with function calls; by overwriting the stack, the attacker can both inject malicious code and set the return address to point to that code
  - Weak password: first guess the administrator's password, then copy itself to the startup location so that it propagates every time the machine starts up

6 Computer Attacks - Virus
- A software program capable of causing great harm to the computer
- Unlike a worm, it requires action from a user to spread
- For example, viruses spread when the recipient runs an attached program

7 Computer Attacks - Server Attacks
- Nearly every type of service has identified vulnerabilities which have been attacked
- For example, IIS4 installs a number of sample scripts. These scripts give clients access to view any file on the same volume as the web server

8 Computer Attacks - Client Attacks
- Unlike a server attack, it works by waiting for victims to connect to a rogue server
- For example, a buffer overflow vulnerability has been found in Outlook. It allows arbitrary code to be executed by overflowing the time zone field in the date field of the mail header, and is activated when the user downloads the mail from the mail server using Outlook

9 Computer Attacks - Network Attacks
- Usually Denial of Service (DoS) attacks
- Disturb the normal operation of applications
- Take advantage of a weakness in the system or application to cause it to crash or stop responding
- For example, ping of death: some systems will crash if they receive a fragmented ICMP packet. The attack is to send a packet larger than 65,535 bytes, which causes many TCP/IP implementations to crash.
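As an added example (not from the slides or the papers they survey), the header-signature check a network IDS can apply to the ping of death described above: read the fragment offset and total length from each IPv4 fragment and flag any fragment whose reassembled end would exceed 65,535 bytes. A single fragment is enough to decide, so the sensor does not have to reassemble the datagram first. The packet builder, addresses and payload sizes are constructed for the example.

```python
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header, no options
MAX_DATAGRAM = 65535   # largest datagram the 16-bit total-length field can describe
MF_FLAG = 0x2000       # "more fragments" bit in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, in units of 8 bytes


def fragment_span(packet: bytes):
    """Return (start, end, more_fragments) for one IPv4 fragment, as byte positions
    in the reassembled datagram; end is exclusive."""
    ver_ihl, _tos, total_len, _id, flags_frag, *_rest = IPV4_HDR.unpack_from(packet)
    header_len = (ver_ihl & 0x0F) * 4
    start = (flags_frag & OFFSET_MASK) * 8
    return start, start + (total_len - header_len), bool(flags_frag & MF_FLAG)


def reassembled_size(packets) -> int:
    """Size the datagram would have after reassembly: the highest fragment end seen."""
    return max((fragment_span(p)[1] for p in packets), default=0)


def is_oversized(packets) -> bool:
    """Header signature: the fragment set would reassemble to more than 65,535 bytes."""
    return reassembled_size(packets) > MAX_DATAGRAM


def make_fragment(offset_units: int, payload_len: int, more: bool) -> bytes:
    """Constructed test packet: an ICMP (protocol 1) fragment with a zeroed payload."""
    flags_frag = (MF_FLAG if more else 0) | (offset_units & OFFSET_MASK)
    header = IPV4_HDR.pack(0x45, 0, 20 + payload_len, 0x1234, flags_frag, 64, 1, 0,
                           bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + b"\x00" * payload_len


# Constructed samples: an ordinary 64-byte ping, a large but legal fragmented ping
# (last byte at 65528), and a ping-of-death set whose last fragment ends at 66992.
NORMAL_PING = [make_fragment(0, 64, False)]
LEGAL_LARGE_PING = [make_fragment(0, 1480, True), make_fragment(8184, 56, False)]
PING_OF_DEATH = [make_fragment(0, 1480, True), make_fragment(8189, 1480, False)]

if __name__ == "__main__":
    for name, pkts in [("normal", NORMAL_PING), ("legal-large", LEGAL_LARGE_PING),
                       ("ping-of-death", PING_OF_DEATH)]:
        print(name, reassembled_size(pkts), "ALERT" if is_oversized(pkts) else "ok")
```

The check deliberately uses only header fields, which is what the slide's "header signature" category means: no payload inspection and no reassembly buffer are needed, so the sensor can alert on the offending fragment as soon as it is seen.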

10 Computer Attacks - Root Attacks
- A user on a multi-user system obtains root or administrative privileges
- Certain programs have the suid bit set; breaking such a program means obtaining the root user's privileges

11 The STAT Framework
- STAT is a technique for representing high-level descriptions of computer attacks
- It contains 6 components: the STATL language, Language Extension Modules, Event Providers, Scenario Plug-ins, Response Modules, and the STAT Core

12 The STATL Language
- Attack description language
- Uses states and transitions to represent attack scenarios
- Domain-independent
- It is extended by the IDS developer to express the characteristics of a particular domain and environment, e.g. Sun Solaris, Windows NT.

13 Language Extension Modules
- Shared libraries that define the events that describe a particular application domain
- Loaded into the STAT Core at runtime
- Loaded before either a Scenario Plugin or an Event Provider can use them

14 Event Providers
- Collect events from the external environment
- Create events as defined in the Language Extension Modules
- Encapsulate events into generic STAT events
- Insert events into the event queue of the STAT Core

15 Scenario Plugins
- A shared library that describes an attack scenario
- It is generated either from a STATL description or written manually by the user

16 Response Modules
- A shared library that contains Response Functions
- If the state in a scenario is reached, the Response Function is invoked
- For example, it sends an alert to someone, or takes steps to stop an ongoing attack once a state is reached.

17 STAT Core
- Loads the various modules
- Matches the events supplied by the Event Providers
- Executes the corresponding transitions
- Triggers the responses defined in the Response Modules

18 Intrusion Detection System
- Host-based IDS
  - uses log files and the system's auditing agents
  - monitors the communications traffic in and out of a single computer
  - checks the integrity of system files and processes
- Network-based IDS
  - monitors the traffic on its network segment
  - captures three kinds of signatures: string, port and header signatures

19 WebSTAT
- An IDS developed on the STAT framework
- Built by composing the STAT core with a number of web language extension modules, event providers, attack scenario plugins, and response modules

20 Attack Scenario Examples
- Document Root Escape Attack: correlates events from the web server log and the operating system logs to detect unauthorized file system access
- Cookie stealing scenario: detects if a valid cookie is improperly used by an unauthorized user to steal protected web resources
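As an added example (not code from the slides, the STAT tool suite or WebSTAT), a small Python state-transition engine in the shape the STAT slides describe: event providers turn log lines into generic events, a scenario plug-in is a state machine with guarded transitions, and a response function fires when the scenario reaches its final state. It runs the two WebSTAT scenarios named above over constructed log lines. The log formats (an Apache-style access log, an audit line for file opens, an application session log), the document root and all helper names are assumptions for this example.

```python
import re
from collections import namedtuple
from posixpath import normpath
from typing import List, Optional
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"  # assumed document root of the monitored server

# A generic STAT event: an event kind (as a language extension module would define
# it) plus the fields the event provider parsed from the log line.
Event = namedtuple("Event", "kind attrs")


class Scenario:
    """Scenario plug-in: guarded transitions (from, event kind, guard, to) and a
    response. A guard gets (event, memory) and may record facts for the response."""

    def __init__(self, name, transitions, respond, start="s0", final="alert"):
        self.name, self.transitions, self.respond = name, transitions, respond
        self.start, self.final, self.state, self.memory = start, final, start, {}

    def feed(self, ev: Event) -> Optional[str]:
        """Take the first enabled transition; respond when the final state is reached."""
        for frm, kind, guard, to in self.transitions:
            if self.state == frm and ev.kind == kind and guard(ev, self.memory):
                self.state = to
                if to == self.final:
                    self.state = self.start  # re-arm the scenario after responding
                    return self.respond(self.memory)
                break
        return None


# Event providers for three constructed log formats (assumed layouts).
APACHE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')
AUDIT = re.compile(r'^audit: pid=(?P<pid>\d+) open path=(?P<path>\S+)')
APP = re.compile(r'^app: (?P<what>session_issued|request) id=(?P<sid>\S+) client=(?P<client>\S+)')


def provide(line: str) -> Optional[Event]:
    """Turn one log line into a generic STAT event, or None if no provider understands it."""
    if m := APACHE.match(line):
        return Event("http_request", m.groupdict())
    if m := AUDIT.match(line):
        return Event("file_open", m.groupdict())
    if m := APP.match(line):
        return Event("session_issued" if m["what"] == "session_issued" else "session_request", m.groupdict())
    return None


def escapes_root(url_path: str) -> bool:
    """True when the decoded, normalized URL path resolves outside DOC_ROOT."""
    resolved = normpath(DOC_ROOT + "/" + unquote(url_path.split("?", 1)[0]).lstrip("/"))
    return resolved != DOC_ROOT and not resolved.startswith(DOC_ROOT + "/")


def saw_traversal(ev: Event, mem: dict) -> bool:
    if escapes_root(ev.attrs["path"]):
        mem["request"] = ev.attrs
        return True
    return False


def opened_outside_root(ev: Event, mem: dict) -> bool:
    # Illustration only: a production scenario would also tie the open to the worker pid.
    if not ev.attrs["path"].startswith(DOC_ROOT + "/"):
        mem["opened"] = ev.attrs["path"]
        return True
    return False


def remember_session(ev: Event, mem: dict) -> bool:
    mem.setdefault("sessions", {})[ev.attrs["sid"]] = ev.attrs["client"]
    return True


def cookie_reused(ev: Event, mem: dict) -> bool:
    owner = mem.get("sessions", {}).get(ev.attrs["sid"])
    if owner is not None and owner != ev.attrs["client"]:
        mem["theft"] = (ev.attrs["sid"], owner, ev.attrs["client"])
        return True
    return False


def build_scenarios() -> List[Scenario]:
    docroot = Scenario("document_root_escape",
        [("s0", "http_request", saw_traversal, "s1"),
         ("s1", "file_open", opened_outside_root, "alert")],
        lambda m: f"docroot escape: {m['request']['client']} requested {m['request']['path']}, server opened {m['opened']}")
    cookie = Scenario("cookie_stealing",
        [("s0", "session_issued", remember_session, "s0"),
         ("s0", "session_request", cookie_reused, "alert")],
        lambda m: f"cookie stealing: session {m['theft'][0]} issued to {m['theft'][1]} used from {m['theft'][2]}")
    return [docroot, cookie]


def stat_core(lines: List[str], scenarios: List[Scenario]) -> List[str]:
    """Core loop: dispatch every event to every loaded scenario, collect the responses."""
    alerts: List[str] = []
    for ev in filter(None, map(provide, lines)):
        alerts += [a for a in (sc.feed(ev) for sc in scenarios) if a]
    return alerts


SAMPLE_LOG = [  # constructed sample input
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 1234',
    'audit: pid=4242 open path=/etc/passwd',
    'app: session_issued id=abc123 client=10.0.0.7',
    'app: request id=abc123 client=10.0.0.7',
    'app: request id=abc123 client=198.51.100.9',
]
```

Running `stat_core(SAMPLE_LOG, build_scenarios())` yields one alert per scenario: the document root escape fires only after both the suspicious request and the out-of-root file open are seen, which is the cross-log correlation the slide describes, and the cookie scenario fires when a session issued to one client is presented by another. Each scenario here is a single instance with one memory; the real STAT core forks a new scenario instance per matching attacker so that concurrent attacks do not overwrite each other's state.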

21 Performance Evaluation
- Experiments on a host running standalone Apache, and on Apache monitored by WebSTAT
- WebSTAT incurs a small performance overhead in web server throughput
- Acceptable given the powerful detection capabilities WebSTAT provides
- Sophisticated web server performance tuning would also reduce the overhead

22 Conclusion
- Presented a classification of computer attacks and intrusion detection systems
- Described the STAT framework and the IDS implementation WebSTAT
- From the performance evaluation results, we see that although WebSTAT brings some small performance overhead to the web server, it is acceptable considering the advanced detection capabilities.

23 Reference
- Sherif, J.S.; Dearmond, T.G.; "Intrusion detection: systems and models"
- Sundaram, A., "An Introduction to Intrusion Detection"
- Mahoney, M., "Computer Security: A Survey of Attacks and Defenses"
- Lindquist, U., and E. Jonsson, "How to Systematically Classify Computer Security Intrusions"
- Giovanni Vigna, William Robertson, Vishal Kher, and Richard A. Kemmerer, "A Stateful Intrusion Detection System for World-Wide Web Servers"
- STAT Framework Reference Manual
- S.T. Eckmann, G. Vigna, and R.A. Kemmerer, "STATL: An Attack Language for State-based Intrusion Detection"
- G. Vigna, S.T. Eckmann, and R.A. Kemmerer, "The STAT Tool Suite"
- G. Vigna, R.A. Kemmerer, and P. Blix, "Designing a Web of Highly-Configurable Intrusion Detection Sensors"