Lecture 11 Page 1 CS 236 Online Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible –Good.

Slides:



Advertisements
Similar presentations
Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.
Advertisements

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
The Most Analytical and Comprehensive Defense Network in a Box.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Intrusion Detection Systems and Practices
This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
seminar on Intrusion detection system
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.
Department Of Computer Engineering
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Installing Samba Vicki Insixiengmay Jonathan Krieger.
IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.
Lesson 7 Intrusion Prevention Systems. UTSA IS 3523 ID & Incident Response Overview Definitions Differences Honeypots Defense in Depth.
1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
IDS – Intrusion Detection Systems. Overview  Concept  Concept : “An Intrusion Detection System is required to detect all types of malicious network.
IIT Indore © Neminah Hubballi
Common Cyber Defenses Tom Chothia Computer Security, Lecture 18.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Intrusion Detection and Prevention. Objectives ● Purpose of IDS's ● Function of IDS's in a secure network design ● Install and use an IDS ● Customize.
Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
Guide to Network Defense and Countermeasures
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.
Lecture 12 Page 1 CS 236 Online Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite coasts.
Lecture 12 Page 1 CS 236, Spring 2008 Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite.
Intrusion Detection System (IDS). What Is Intrusion Detection Intrusion Detection is the process of identifying and responding to malicious activity targeted.
Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,
Lecture 19 Page 1 CS 236 Online Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
1 Figure 10-4: Intrusion Detection Systems (IDSs) Actions  Alarms  Interactive analysis Manual event inspection of raw log file Pattern retrieval 
Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.
CS526: Information Security Chris Clifton November 25, 2003 Intrusion Detection.
Lecture 13 Page 1 CS 236 Online Styles of Intrusion Detection Misuse intrusion detection –Try to detect things known to be bad Anomaly intrusion detection.
I NTRUSION P REVENTION S YSTEM (IPS). O UTLINE Introduction Objectives IPS’s Detection methods Classifications IPS vs. IDS IPS vs. Firewall.
Network Security Terms. Perimeter is the fortified boundary of the network that might include the following aspects: 1.Border routers 2.Firewalls 3.IDSs.
Lesson 7 Intrusion Prevention Systems. UTSA IS 3523 ID & Incident Response Overview Definitions Differences Honeypots Defense in Depth.
Role Of Network IDS in Network Perimeter Defense.
Lecture 11 Page 1 CS 136, Fall 2014 Intrusion Detection Computer Security Peter Reiher November 18, 2014.
Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.
Lecture 14 Page 1 CS 136, Fall 2010 Intrusion Detection Systems CS 136 Computer Security Peter Reiher November 16, 2010.
Lecture 13 Page 1 CS 236 Online Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
Some Great Open Source Intrusion Detection Systems (IDSs)
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Styles of Intrusion Detection
Outline Introduction Characteristics of intrusion detection systems
Firewall Configuration and Administration
Outline Introduction Characteristics of intrusion detection systems
Putting It All Together
Putting It All Together
Basics of Intrusion Detection
Outline Introduction Characteristics of intrusion detection systems
Intrusion Detection & Prevention
Intrusion Detection Computer Security Peter Reiher May 10, 2016
Intrusion Detection CS 136 Computer Security Peter Reiher May 13, 2014
Outline Introduction Characteristics of intrusion detection systems
Outline How can we perform intrusion detection?
6. Application Software Security
Outline Introduction Characteristics of intrusion detection systems
Presentation transcript:

Lecture 11 Page 1 CS 236 Online Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible –Good behavior on one system is bad behavior on another –Behaviors change and new vulnerabilities are discovered Intrusion detection systems must change to meet needs

Lecture 11 Page 2 CS 236 Online How Do Intrusion Detection Systems Evolve? Manually or semi-automatically –New information added that allows them to detect new kinds of attacks Automatically –Deduce new problems or things to watch for without human intervention

Lecture 11 Page 3 CS 236 Online A Problem With Manually Evolving Systems System/network administrator action is required for each change –To be really effective, not just manual installation –More customized to the environment Too heavy a burden to change very often So they change slowly, akin to software updates

Lecture 11 Page 4 CS 236 Online A Problem With Evolving Intrusion Detection Systems Very clever intruders can use the evolution against them Instead of immediately performing dangerous actions, evolve towards them If the intruder is more clever than the system, the system gradually accepts the new behavior Possible with manual changing systems, but harder for attackers to succeed

Lecture 11 Page 5 CS 236 Online Intrusion Detection Tuning Generally, there’s a tradeoff between false positives and false negatives You can tune the system to decrease one –Usually at cost of increasing the other Choice depends on one’s situation

Lecture 11 Page 6 CS 236 Online Practicalities of Operation Most commercial intrusion detection systems are add-ons –They run as normal applications They must make use of readily available information –Audit logged information –Sniffed packets –Output of systems calls they make And performance is very important

Lecture 11 Page 7 CS 236 Online Practicalities of Audit Logs for IDS Operating systems only log certain stuff They don’t necessarily log what an intrusion detection system really needs They produce large amounts of data –Expensive to process –Expensive to store If attack was successful, logs may be corrupted

Lecture 11 Page 8 CS 236 Online What Does an IDS Do When It Detects an Attack? Automated response –Shut down the “attacker” –Or more carefully protect the attacked service Alarms –Notify a system administrator Often via special console –Who investigates and takes action Logging –Just keep record for later investigation

Lecture 11 Page 9 CS 236 Online Consequences of the Choices Automated –Too many false positives and your network stops working –Is the automated response effective? Alarm –Too many false positives and your administrator ignores them –Is the administrator able to determine what’s going on fast enough? Logging –Doesn’t necessarily lead to any action

Lecture 11 Page 10 CS 236 Online How Good Does an IDS Have To Be? Depends on what you’re using it for Like biometric authentication, need to trade off false positives/false negatives Each positive signal (real or false) should cause something to happen –What’s the consequence?

Lecture 11 Page 11 CS 236 Online False Positives and IDS Systems For automated response, what happens? Something gets shut off that shouldn’t be –May be a lot of work to turn it on again For manual response, what happens? Either a human investigates and dismisses it Or nothing happens If human looks at it, can take a lot of his time

Lecture 11 Page 12 CS 236 Online Consider a Case for Manual Response Your web site gets 10 million packets per day Your IDS has a FPR of.1% on packets –So you get 10,000 false positives/day Say each one takes one minute to handle That’s 166 man hours per day –You’ll need 20+ full time experts just to weed out false positives

Lecture 11 Page 13 CS 236 Online What Are Your Choices? Tune to a lower FPR –Usually causing more false negatives –If too many of those, system is useless Have triage system for signals –If first step is still human, still expensive –Maybe you can automate some of it? Ignore your IDS’ signals –In which case, why bother with it at all?

Lecture 11 Page 14 CS 236 Online Intrusion Prevention Systems Essentially a buzzword for IDS that takes automatic action when intrusion is detected Goal is to quickly take remedial actions to threats Since IPSs are automated, false positives could be very, very bad “Poor man’s” version is IDS controlling a firewall

Lecture 11 Page 15 CS 236 Online Sample Intrusion Detection Systems Snort Bro RealSecure ISS NetRanger

Lecture 11 Page 16 CS 236 Online Snort Network intrusion detection system Public domain –Designed for Linux –But also runs on Windows and Mac Designed for high extensibility –Allows easy plug-ins for detection –And rule-based description of good & bad traffic Very widely used

Lecture 11 Page 17 CS 236 Online Bro Like Snort, public domain network based IDS Developed at LBL Includes more sophisticated non- signature methods than Snort More general and extensible than Snort Maybe not as easy to use

Lecture 11 Page 18 CS 236 Online RealSecure ISS Commercial IDS Bundled into IBM security products Distributed client/server architecture –Incorporates network and host components Other components report to server on dedicated machine

Lecture 11 Page 19 CS 236 Online NetRanger Bundled into Cisco products –Under a different name For use in network environments –“Sensors” in promiscuous mode capture packets off the local network Examines data flows –Raises alarm for suspicious flows Using misuse detection techniques –Based on a signature database

Lecture 11 Page 20 CS 236 Online Is Intrusion Detection Useful? 69% of CIS survey respondents (2008) use one –54% use intrusion prevention In 2003, Gartner Group analyst called IDS a failed technology –Predicted its death by 2005 –They’re not dead yet Signature-based IDS especially criticized

Lecture 11 Page 21 CS 236 Online Which Type of Intrusion Detection System Should I Use? NIST report 1 recommends using multiple IDSs –Preferably multiple types E.g., host and network Each will detect different things –Using different data and techniques Good defense in depth 1

Lecture 11 Page 22 CS 236 Online The Future of Intrusion Detection? General concept has never quite lived up to its promise Yet alternatives are clearly failing –We aren’t keeping the bad guys out So research and development continues And most serious people use them –Even if they are imperfect

Lecture 11 Page 23 CS 236 Online Conclusions Intrusion detection systems are helpful enough that those who care about security should use them They are not yet terribly sophisticated –Which implies they aren’t that effective Much research continues to improve them Not clear if they’ll ever achieve what the original inventors hoped for

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.