Intrusion Detection (ID)
Intrusion Detection (ID)
Intrusion detection is the ART of detecting inappropriate, incorrect, or anomalous activity. There are two methods of doing ID:
–Host-based: detects intrusions based on information found in the host
–Network-based: detects intrusions based on study of network flows

Intrusion Detection (ID)
There are then two ways to approach ID:
–Knowledge-based: the ID has a “signature” pattern that is unacceptable.
–Behavior-based: the ID has a pattern of usage, and looks for changes in that behavior.

Host-based ID
Uses the system's own auditing tools to detect an intrusion:
–Log files
–Network traffic in and out of a single computer (personal firewalls and host wrappers)
–Process monitoring
–Disk usage
–File system changes

Host-based ID
Log files can tell:
–When a user logs in/out
–How they logged in (console/telnet/ftp/ssh)
–Login attempts and failures
–Who gained super user / administrator access
–From whom mail was received/sent
–When the machine was rebooted
–Any loggable anomalous behavior

Host-based ID
Log files should be protected:
–They are one of the most likely files to be modified if an intrusion takes place.
–Make sure the permissions of the logs keep the file(s) secure … and even unreadable to a hacker.
–Try mirroring the log file to another machine that the hacker most likely won't be able to access.
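The two log-file slides above describe what a host-based ID reads out of the logs and how the logs themselves should be protected. The following is an added example, not code from the slides: it parses a constructed sample of syslog-style sshd/su lines into events, answers the questions the slide lists (failed logins per source, who became root, when the machine rebooted), and checks that a log file is readable only by its owner. The log format, the brute-force threshold of three failures and the regexes are assumptions made for the example.

```python
import os
import re
import stat
import tempfile
from collections import Counter

# Constructed syslog-style auth lines (sample data, not from the original slides).
SAMPLE_AUTH_LOG = """\
Mar 10 09:12:01 host1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:12:03 host1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 09:12:05 host1 sshd[2011]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:12:09 host1 sshd[2011]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 09:13:40 host1 sshd[2050]: Accepted password for alice from 192.0.2.15 port 40110 ssh2
Mar 10 09:14:02 host1 su[2071]: alice to root on /dev/pts/0
Mar 10 09:14:02 host1 su[2071]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar 10 09:20:00 host1 telnetd[2100]: connect from 198.51.100.9
Mar 10 09:25:30 host1 kernel: Linux version 5.x-constructed (reboot marker)
"""

# One regex per event kind the slide lists; named groups become event fields.
PATTERNS = {
    "failed_login": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"),
    "accepted_login": re.compile(
        r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"),
    "su_root": re.compile(r"su\[\d+\]: (?P<user>\S+) to root on (?P<tty>\S+)"),
    "reboot": re.compile(r"kernel: .*Linux version"),
}


def parse_events(log_text):
    """Turn raw log lines into structured events; lines matching no pattern are skipped."""
    events = []
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                events.append({"kind": kind, **m.groupdict(), "raw": line})
                break
    return events


def summarize(events, fail_threshold=3):
    """Aggregate events into the questions the slide asks: who failed, who became root, when rebooted."""
    failed_by_src = Counter(e["src"] for e in events if e["kind"] == "failed_login")
    alerts = []
    for src, n in sorted(failed_by_src.items()):
        if n >= fail_threshold:
            alerts.append(f"possible brute force: {n} failed logins from {src}")
    for e in events:
        if e["kind"] == "su_root":
            alerts.append(f"super-user access gained by {e['user']} on {e['tty']}")
        elif e["kind"] == "reboot":
            alerts.append("machine rebooted")
    return {"failed_by_src": dict(failed_by_src), "alerts": alerts}


def log_permissions_ok(path):
    """True when group and other have no access bits at all (mode 0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo_permission_check():
    """Create a scratch log, test a world-readable and then an owner-only mode; returns (False, True)."""
    fd, path = tempfile.mkstemp(prefix="auth-log-demo-")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        world_readable = log_permissions_ok(path)
        os.chmod(path, 0o600)
        owner_only = log_permissions_ok(path)
    finally:
        os.unlink(path)
    return world_readable, owner_only


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_AUTH_LOG))
    for alert in summary["alerts"]:
        print("ALERT:", alert)
    print("permission check (world-readable, owner-only):", demo_permission_check())
```

The pam_unix and telnetd lines are deliberately left unmatched to show that a parser only sees what its patterns cover; any line format you care about needs its own pattern, and the permission check belongs in the same monitoring job so that a log that suddenly becomes world-readable is itself an event.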

Personal Firewalls
We all know about personal firewalls by now. But … make the firewall create logs. It can make you aware of attempted access. If you just block traffic you will never know:
–What hackers are trying to get to (to protect other systems)
–Where the hackers are coming from
–If there are other related issues

Host Wrappers
Used to allow access to certain server programs:
–Can limit based on time of day, repetition
–Can limit based on IP address / domain
–Can limit based on IP address / domain and service requested
Popular host wrappers are:
–Unix: TCPWrapper
–Windows: NukeNabber

Process Monitoring
By monitoring running processes you can see if applications are running that are not supposed to be:
–Unix: ps (list running processes), lsof (list open files), process accounting (if the kernel is configured for it)
–Windows: Task Manager

Disk Usage
Sudden increases / reductions in disk storage could indicate an intrusion. Use quotas.
Unix tools:
–df (disk usage of partitions)
–du (storage in a directory)
Windows:
–Properties under “My Computer”

File system changes
Monitor your system for file changes:
–Size
–Modification date
–File permissions
–Ownership
–Location on the hard drive (sector or inode number)
Popular tools are:
–Tripwire
–Symantec
–ISS by IBM
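The slide lists the attributes a file-system integrity checker tracks. The following is an added example of that technique, not the slide's code and not Tripwire's: it records size, modification time, permission bits, owner, inode number and a SHA-256 digest for every file under a directory, then compares two snapshots. The demo builds a constructed tree in a temporary directory and tampers with it three ways (same-length content replacement, permission change, new file) to show which attribute catches which change; file names and contents are made up for the example.

```python
import hashlib
import json
import os
import stat
import tempfile


def snapshot(root):
    """Record size, mtime, permission bits, owner and inode plus a SHA-256 digest of every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(path, root)] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "inode": st.st_ino,
                "sha256": digest,
            }
    return baseline


def compare(old, new):
    """Return added and removed paths, and for surviving paths the list of attributes that differ."""
    report = {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": {},
    }
    for path in sorted(set(old) & set(new)):
        diffs = [attr for attr in old[path] if old[path][attr] != new[path][attr]]
        if diffs:
            report["changed"][path] = diffs
    return report


def _write(root, rel, data, mode=0o644):
    """Helper for the demo: create a file with fixed contents and permission bits."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)
    return path


def demo():
    """Build a tiny constructed tree, take a baseline, tamper with it, and return the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        ls_path = _write(root, "bin/ls", b"original binary contents")
        passwd_path = _write(root, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        baseline = snapshot(root)

        # 1. Same-length replacement: size and inode stay the same; only the digest (and mtime) reveals it.
        with open(ls_path, "wb") as fh:
            fh.write(b"trojaned binary contents")
        # 2. Permission change only: contents untouched, mode bits differ.
        os.chmod(passwd_path, 0o666)
        # 3. A new file appears where it should not.
        _write(root, "tmp/.hidden", b"x")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Size alone misses the first change, which is why a real checker keeps a cryptographic digest as well; the baseline itself must be stored where an intruder cannot rewrite it (read-only media or another host), for the same reason the log slide gives for log files.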

Network-based ID
Generally done by putting a network card in promiscuous mode and monitoring all the traffic. With a knowledge-based approach, packets are considered “interesting” if they match a “signature”. There are three different types of signatures:
–String
–Port
–Header condition

Network-based ID
String signatures look for certain strings inside of a packet, like “password”, “rhosts”, “su”, etc.
Port signatures watch for connections to well-known ports that have security problems (nfs) or are frequently attacked (ftp, telnet, imap).
Header condition signatures look for malformed headers:
–SYN/FIN packet (not allowed)
–Extremely large window size
–Urgent flag for the NetBIOS packet (WinNuke)
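The two slides above define the three signature classes of a knowledge-based network ID. The following is an added example, not code from the slides or from any of the products named below: it decodes the IPv4 and TCP headers of raw packets and applies string, port and header-condition signatures drawn from the slide (payload strings, the nfs/ftp/telnet/imap ports, SYN+FIN, a large window, URG to the NetBIOS port). The packets are constructed in memory with documentation addresses rather than captured, and the window threshold of 60000 is an assumed value for “extremely large”.

```python
import socket
import struct

FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20

# Signature tables following the three classes on the slide.
# "su" from the slide is left out of the string table: two letters would match far too much traffic.
STRING_SIGNATURES = [b"password", b"rhosts"]
PORT_SIGNATURES = {21: "ftp", 23: "telnet", 143: "imap", 2049: "nfs"}
LARGE_WINDOW = 60000   # assumed threshold for "extremely large window size"
NETBIOS_PORT = 139


def build_tcp_packet(src, dst, sport, dport, flags, window=8192, payload=b""):
    """Construct a minimal IPv4+TCP datagram (no checksums, no options) for offline testing."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Decode the IPv4 and TCP headers a sensor would see; returns None for non-TCP."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:
        return None
    sport, dport, _seq, _ack, off_res, flags, window, _csum, _urgp = struct.unpack(
        "!HHIIBBHHH", raw[ihl:ihl + 20])
    doff = (off_res >> 4) * 4
    return {
        "src": socket.inet_ntoa(raw[12:16]), "dst": socket.inet_ntoa(raw[16:20]),
        "sport": sport, "dport": dport, "flags": flags, "window": window,
        "payload": raw[ihl + doff:],
    }


def match_signatures(pkt):
    """Apply string, port and header-condition signatures; returns the names that fired."""
    hits = []
    lowered = pkt["payload"].lower()
    hits += [f"string:{s.decode()}" for s in STRING_SIGNATURES if s in lowered]
    if pkt["dport"] in PORT_SIGNATURES:
        hits.append(f"port:{PORT_SIGNATURES[pkt['dport']]}")
    f = pkt["flags"]
    if f & SYN and f & FIN:
        hits.append("header:syn+fin")          # never legitimate in a well-formed TCP exchange
    if pkt["window"] >= LARGE_WINDOW:
        hits.append("header:large-window")
    if f & URG and pkt["dport"] == NETBIOS_PORT:
        hits.append("header:urg-to-netbios")   # the WinNuke pattern named on the slide
    return hits


def scan(packets):
    """Run every packet through the signature set; returns (index, hits) for packets that matched."""
    results = []
    for i, raw in enumerate(packets):
        pkt = parse_packet(raw)
        if pkt is None:
            continue
        hits = match_signatures(pkt)
        if hits:
            results.append((i, hits))
    return results


# Constructed traffic sample (documentation addresses, nothing captured from a real network).
SAMPLE_PACKETS = [
    build_tcp_packet("192.0.2.10", "192.0.2.20", 40000, 80, SYN),
    build_tcp_packet("192.0.2.10", "192.0.2.20", 40001, 22, SYN | FIN),
    build_tcp_packet("192.0.2.10", "192.0.2.20", 40002, 23, PSH | ACK, payload=b"cat ~/.rhosts\r\n"),
    build_tcp_packet("192.0.2.10", "192.0.2.20", 40003, 139, URG | ACK),
    build_tcp_packet("192.0.2.10", "192.0.2.20", 40004, 443, SYN, window=65535),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_PACKETS):
        print(f"packet {index}: {', '.join(hits)}")
```

The plain SYN to port 80 produces no hit, which is the point of a signature set: it is silent on everything it was not told about. A production sensor would add stream reassembly before string matching, since a string split across two segments defeats per-packet matching.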

Network-based ID
Well-known, network-based intrusion detection systems include:
–Symantec
–Cisco
–ISS by IBM
–SNORT

Knowledge Based ID
Almost all ID systems are knowledge based. The IDS contains info about known attack methods and detects them. It is only as good as the “signatures” in the IDS; signatures must be updated constantly. Very good at detecting an intrusion:
–Very low false alarm rate
–Gives a good trace of how to harden your system
–Good analysis of the intrusion, with evidence that can be used to “get” the intruder

Knowledge Based ID
Drawbacks include:
–Only detects known intrusions
–Closely tied to the operating system and programs running on it
–Very difficult to configure a new intrusion without catching valid access

Behavior Based ID
Works by detecting a change in “normal” behavior. Normal behavior is obtained by monitoring the system for a period of time. Then this model of normal behavior is compared to current activity. If there is a difference between the model “norm” and current activity, an alarm is sent.

Behavior Based ID
Advantages:
–Can see new and unforeseen attacks
–Less dependent on OS-specific mechanisms
–Can even see ‘abuse of privilege’, which is not necessarily an attack … just an abuse
–It is considered paranoid: any change from “normal” is bad until incorporated into the “normal” pattern
Disadvantages:
–Many false alarms
–Difficult to get “normal” behavior
–Behavior changes in time
–An attack can be “learned” as normal behavior if it occurs during the learning phase
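The two slides above describe a behavior-based ID: learn a norm over a training period, alarm on deviation, and accept the drawbacks that follow. The following is an added example, not from the slides: it learns “normal” as the mean and spread of a constructed series of per-minute connection counts, alarms on values more than three standard deviations away, and runs the same live data against a clean baseline and against one in which an intrusion occurred during the learning phase. The data, the three-sigma rule and the floor on the standard deviation are assumptions made for the example.

```python
import statistics

# Constructed per-minute counts of outbound connections from one workstation (sample data).
CLEAN_TRAINING = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13]
# Same period, but an intrusion happened during the learning phase and was recorded as "normal".
POISONED_TRAINING = CLEAN_TRAINING + [180, 200, 190]
# Live traffic: two ordinary minutes, an intrusion-sized burst, another ordinary minute,
# then a legitimate but unusual spike (e.g. a scheduled backup) that will raise a false alarm.
LIVE = [14, 13, 190, 15, 20]


def build_profile(samples, min_stdev=1.0):
    """Learn "normal" as mean and spread of the training window; stdev is floored so a perfectly
    steady baseline does not turn every tiny fluctuation into an alarm."""
    return {
        "mean": statistics.fmean(samples),
        "stdev": max(statistics.pstdev(samples), min_stdev),
    }


def is_anomalous(profile, value, k=3.0):
    """Flag anything more than k standard deviations away from the learned mean."""
    return abs(value - profile["mean"]) > k * profile["stdev"]


def learn_then_detect(training, live, k=3.0):
    """Return the indices of live samples the learned profile would alarm on."""
    profile = build_profile(training)
    return [i for i, v in enumerate(live) if is_anomalous(profile, v, k)]


def update_profile(profile, value, alpha=0.1):
    """Exponentially weighted update so the norm follows legitimate drift over time
    (the flip side: repeated abuse is absorbed too unless alarms are reviewed before updating)."""
    mean = (1 - alpha) * profile["mean"] + alpha * value
    var = (1 - alpha) * profile["stdev"] ** 2 + alpha * (value - mean) ** 2
    return {"mean": mean, "stdev": max(var ** 0.5, 1.0)}


if __name__ == "__main__":
    print("clean baseline flags live indices:", learn_then_detect(CLEAN_TRAINING, LIVE))
    print("poisoned baseline flags live indices:", learn_then_detect(POISONED_TRAINING, LIVE))
```

With the clean baseline the burst at index 2 is caught, but so is the harmless backup spike at index 4 (the slide's “many false alarms”); with the poisoned baseline the mean and spread are inflated by the attack samples and nothing at all is flagged, which is the slide's last disadvantage in numbers.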

Intrusion Detection
Both host-based and network-based ID should be used to protect your system.