Computer System Intrusion Detection: A Survey Anita K. Jones & Robert S. Sielken Presented by Peixian Li (Rick) For CS551/651 Computer Security.

Overview
Why IDS
IDS Overview
Anomaly Detection
UNM Pattern Matching
Misuse Detection
Extended to Networked Systems
Conclusion

Why IDS ?
In defending network resources, we have
–Firewalls
–Encryption technology
–Authentication devices
–Vulnerability checking tools
–Others …

Why IDS ? -2-
But computer systems are still susceptible
–Due to unknown system flaws
–Due to known system flaws that are kept rather than removed, for reasons of functionality or cost
–Due to social engineering tricks
A recent news item
–An 18 year old boy broke into an e-commerce web site
–Thousands of customers' credit information was stolen
–Including Bill Gates'

Why IDS ? -3-
Based on the fact that
–Penetrations always exist
We need
–A second line of defense
–A mechanism to detect penetrations and attempted intrusions
–Which takes the form of an Intrusion Detection System
Even when attempts are guaranteed to fail
–An IDS can still help us find potential vulnerabilities

Approaches
Anomaly Detection
–Defines and characterizes the correct static form and the acceptable dynamic behavior of the system
–Detects anomalous changes or behaviors, which may not be intrusions
Misuse Detection
–Characterizes known ways to penetrate a system as patterns
–Monitors for explicit patterns that are known to be intrusions

Anomaly vs. Misuse
Anomaly Detection
–May have a high rate of false alarms
–Can detect novel attacks
–Normal databases are relatively more stable
Misuse Detection
–May miss novel attacks
–Complexity grows as the number of well-known attacks grows
–Difficult to keep up to date as the catalog of attacks grows

Three Generations
First Generation
–The emphasis was on single computer systems
–O/S audit records were post-processed
Second Generation
–Extended and scaled to address distributed systems
–More sophisticated
–Primitive real-time alerts became possible

Three Generations -2-
The Third Generation
–Further extended to address loosely coupled networks, such as LANs
Two Primary Challenges
–Tracking users as they move through nodes
–Managing the data as the size of the network scales up

What Makes A Good IDS ?
Manage the volume of data, communications, and processing in large-scale networks
Increase coverage, i.e. miss as little as possible (ALAP)
Decrease false alarms
Detect intrusions in progress
React in real time

Basic Components
Focus
–Which entity, or which elements of the entity, do we try to focus on
–Definitions of the events or behavior of interest
Representation
–How to represent signatures effectively and efficiently

Basic Components -2-
Initial Database
–Initial behavior profile or normal database
–Which can characterize the behavior of interest
–Which can represent the entity of interest
Detection Algorithm
–Statistical processing techniques for divining the difference between normal and anomalous behavior (effective and efficient)

Anomaly Detection
Static
–Assumes that a portion of the system remains constant
–System code and a portion of system data
–Represented as a binary bit string or a set of such strings
–A single bit change counts as a difference
Dynamic
–Assumes that the system's behavior is stable
–Includes a definition of behavior
–Represented as a sequence of distinct events
–Empirical threshold

Static Anomaly Detection
How does it work?
–Defines the desired state of the system using static bit strings
–Archives a representation of that state
–Periodically compares the current state with the archived state
–Any difference signals an error

Signature
Storing and comparing actual bit-string representations is quite costly
A compressed representation is called a signature
Signatures include checksums, message-digest algorithms and hash functions
Meta-data: knowledge about the structure

Some Actual Systems
Tripwire
–A file integrity checker
–Uses signatures as well as Unix file meta-data
Virus Checkers
–Use the actual bit strings inserted by the virus
–Strings are short, thus uncompressed
Self-Nonself
–Unlike Tripwire, the Self-Nonself signatures are for unwanted string values
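The static anomaly detection loop described on the preceding slides (define desired state, archive signatures and meta-data, periodically compare, report any difference) as a minimal Tripwire-style checker. This is an added example, not Tripwire's own code; the file names and contents are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile

def signature(path):
    """Compressed representation of one file: content hash plus Unix meta-data."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}

def snapshot(root):
    """Archive the desired state: one signature per regular file under root."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            db[os.path.relpath(path, root)] = signature(path)
    return db

def compare(archived, current):
    """Report every difference between the archived and the current state."""
    report = {}
    for rel in sorted(archived.keys() | current.keys()):
        if rel not in current:
            report[rel] = ["deleted"]
        elif rel not in archived:
            report[rel] = ["added"]
        else:
            changed = [k for k in archived[rel] if archived[rel][k] != current[rel][k]]
            if changed:
                report[rel] = changed
    return report

def demo():
    """Constructed scenario: take a baseline, then edit, chmod, delete and add files."""
    root = tempfile.mkdtemp()
    for name in ("config.txt", "notes.txt", "readme.txt"):
        with open(os.path.join(root, name), "w") as f:
            f.write(name + "\n")
        os.chmod(os.path.join(root, name), 0o644)
    baseline = snapshot(root)
    with open(os.path.join(root, "config.txt"), "a") as f:
        f.write("extra line\n")                        # content change
    os.chmod(os.path.join(root, "readme.txt"), 0o666)  # meta-data only change
    os.remove(os.path.join(root, "notes.txt"))
    open(os.path.join(root, "new.txt"), "w").close()
    return compare(baseline, snapshot(root))
```

A mode-only change is caught by the meta-data even though the content hash is unchanged, which is why the slide pairs signatures with Unix file meta-data.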

Dynamic Anomaly Detection
Before Running
For each individual entity, the IDS creates a base profile to characterize normal, acceptable behavior
–Entities can be: users, workstations, remote hosts, or applications
–Behaviors can be: preferred choices, resources consumed, representative sequences of actions

Dynamic Anomaly Detection -2-
Two ways to build up base profiles
–By synthetically running the system
Can it represent the real system?
–By observing normal user behavior over a sufficiently long time
Can we be sure that no intrusion was under way during that period?

Dynamic Anomaly Detection -3-
When Running
Observes events related or attributed to the entity
Incrementally builds a current profile
Some operate in real time or near real time, or directly observe the events as they occur

Dynamic Anomaly Detection -4-
Static detection does not care about the degree of difference
Dynamic detection does
Comparison is based on empirically determined thresholds
Only mismatches over the thresholds result in an alert

UNM Pattern Matching
Focus
–An individual application and its behavior
–E.g. Sendmail
Representation
–Uses privileged system call sequences to represent an application's behavior
–E.g. (open, read, mmap), (read, mmap, mmap), …
–Sequence length usually between 3 and 6

UNM Pattern Matching -2-
Initial Database
–Built either by synthetically running the application or by observing its real runs
–Normal sequences are stored as a forest in the normal database to save space
Detection Algorithm
–Largest Minimum Hamming Distance (LMHD)
–Normalized LMHD
–Local Frame Count
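The UNM representation and detection algorithm above, together with the empirically chosen threshold from the dynamic anomaly detection slides, as an added example (not the UNM code): the normal database is a forest of k-length system call sequences, and a suspect trace is scored by LMHD, normalized LMHD and local frame count. The traces, K, FRAME and THRESHOLD values are constructed assumptions, not real sendmail data.

```python
K = 3          # sequence length; UNM used lengths between 3 and 6
FRAME = 6      # local frame: number of consecutive sequences examined
THRESHOLD = 3  # assumed empirical alert threshold on the local frame count
# Constructed traces of privileged system calls, not real sendmail data.
NORMAL_TRACES = [["open", "read", "mmap", "mmap", "close", "exit"]]
SUSPECT_TRACE = ["open", "read", "write", "unlink", "close", "exit"]

def windows(trace, k=K):
    """Sliding k-length sequences, e.g. (open, read, mmap), (read, mmap, mmap)."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_forest(normal_traces, k=K):
    """Normal database as a forest: one tree per first call, prefixes shared."""
    forest = {}
    for trace in normal_traces:
        for seq in windows(trace, k):
            node = forest
            for call in seq:
                node = node.setdefault(call, {})
    return forest

def in_forest(forest, seq):
    node = forest
    for call in seq:
        node = node.get(call)
        if node is None:
            return False
    return True

def leaves(forest, prefix=()):
    """Enumerate the stored normal sequences (needed for Hamming distances)."""
    if not forest:
        yield prefix
    for call, sub in forest.items():
        yield from leaves(sub, prefix + (call,))

def analyse(forest, trace, k=K, frame=FRAME):
    """Returns (LMHD, normalized LMHD, max local frame count, alert?)."""
    normal = list(leaves(forest))
    # per sequence: 0 if normal, else minimum Hamming distance to any normal one
    dists = [0 if in_forest(forest, seq)
             else min(sum(a != b for a, b in zip(seq, n)) for n in normal)
             for seq in windows(trace, k)]
    if not dists:
        return 0, 0.0, 0, False
    lmhd = max(dists)
    frames = [sum(1 for d in dists[i:i + frame] if d)
              for i in range(max(1, len(dists) - frame + 1))]
    return lmhd, lmhd / k, max(frames), max(frames) >= THRESHOLD
```

Unlike the static checker, a single mismatching sequence does not raise an alert here; only the count of mismatches inside a frame crossing THRESHOLD does.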

UNM Pattern Matching -3-

UNM Pattern Matching -4- 1. sendmail 2. ftpd 3. lpr 4. ps

UNM Pattern Matching -5-

Misuse Detection
Remembers known techniques
Monitors the system for the presence of any of those known techniques
Intrusion scenario
–A description of a fairly precisely known kind of intrusion, usually a sequence of actions

Rule-Based vs. State-Based
Rule-Based
–Encodes scenarios as a set of rules, where the rules reflect the sequence of actions
–The fact base is a collection of assertions based on accumulated data
–The rule base contains the rules that describe known intrusion scenarios
–Rule-fact binding
–Rule firing
State-Based
–Attribute-value pairs characterize the system states of interest
–Actions are defined as transitions between states
–Monitors the actions and then changes the state
–If a compromised state is reached, an intrusion has happened
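The state-based misuse detection model above as an added example (not from the survey): attribute-value pairs per account form the state, audit events are transitions, and reaching the "compromised" state signals the intrusion. The scenario itself, the LIMIT value and the audit trail are constructed for illustration.

```python
from collections import defaultdict

# Constructed scenario (not from the survey): repeated failed logins for one
# account, then a successful login, then a privilege change for that account.
LIMIT = 3  # assumed: failures before a later success becomes suspicious

# Transitions: (current state, predicate over (event, session attributes), next state).
# "compromised" is the state whose reach signals the intrusion.
SCENARIO = [
    ("start",     lambda e, s: e["type"] == "login_fail",                       "failing"),
    ("failing",   lambda e, s: e["type"] == "login_fail",                       "failing"),
    ("failing",   lambda e, s: e["type"] == "login_ok" and s["fails"] >= LIMIT, "logged_in"),
    ("failing",   lambda e, s: e["type"] == "login_ok" and s["fails"] < LIMIT,  "start"),
    ("logged_in", lambda e, s: e["type"] == "priv_change",                      "compromised"),
]

class StateDetector:
    def __init__(self, scenario):
        self.scenario = scenario
        # attribute-value pairs kept per account: current state and failure count
        self.sessions = defaultdict(lambda: {"state": "start", "fails": 0})

    def feed(self, event):
        """Apply one audit event; returns the account's state after the event."""
        s = self.sessions[event["user"]]
        if event["type"] == "login_fail":
            s["fails"] += 1
        for src, pred, dst in self.scenario:
            if s["state"] == src and pred(event, s):
                s["state"] = dst
                if dst == "start":
                    s["fails"] = 0  # back to the initial state, counters reset
                break
        return s["state"]

def detect(events, scenario=SCENARIO):
    """Run the detector over an audit trail; returns accounts that reached 'compromised'."""
    det = StateDetector(scenario)
    return sorted({e["user"] for e in events if det.feed(e) == "compromised"})

# Constructed audit trail: alice matches the scenario, bob does not.
AUDIT = [{"user": u, "type": t} for u, t in [
    ("alice", "login_fail"), ("bob", "login_fail"), ("alice", "login_fail"),
    ("bob", "login_ok"), ("alice", "login_fail"), ("alice", "login_ok"),
    ("bob", "priv_change"), ("alice", "priv_change"),
]]
```

Events that match no transition from the current state leave the state unchanged, which is how bob's privilege change after a single failure is ignored.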

Extended to Networked Systems
New situations
–Cooperative intrusions are more frequent
–Intruder(s) use multiple nodes in an attempt to
Parallelize actions to make the intrusion faster
Distribute actions to disguise their activities
New elements in a Network IDS
–Include network traffic as part of behavior
–Data sharing and communication

Centralized vs. Decentralized
Centralized Analysis
–Audit data is collected on individual systems
–Reported to some centralized location
–Intrusion detection analysis is performed there
–Does not work well for large networks due to the sheer volume of data
–Needs data translation in heterogeneous systems
Decentralized Analysis
–Distributed audit data collection
–Distributed intrusion detection analysis
–Works well for large networks because less data is shared between components
–Can eliminate the translation problem by grouping homogeneous systems

Partition
In a decentralized system, the entire system is divided into smaller domains for the purpose of communication
Partitioning can be based on
–Geography
–Administrative control
–Collections of similar software platforms
–Anticipated types of intrusions
Still centralized within a domain

Vulnerabilities
Intrusion detection software itself is not inherently survivable and needs protection as well
Initialization will be flawed if intrusions are present
Audit data must be available in a timely manner
The IDS should not compete for resources with the rest of the system

Conclusion
Why IDS
The generations of IDS
What makes a good IDS
Basic components of an IDS
Different approaches used in IDS
Examine how the UNM pattern matching works with
How IDS are extended to networked systems
What the vulnerabilities of IDS are