Intrusion Detection CSEM02 University of Sunderland Harry R. Erwin, PhD.


Resources
B. Schneier, 2000, Secrets and Lies, Wiley, ISBN:
E. Amoroso, 1999, Intrusion Detection, Intrusion.net, ISBN:
R. G. Bace, 2000, Intrusion Detection, Macmillan Technical Publishing, ISBN:
We will mostly follow Schneier in this lecture.

Intrusion Detection Systems (IDS)
Network Monitors—watch your network looking for suspicious behavior
Often but not always based on Audit
Provide reactive rather than proactive security
Alert on successful and ongoing attacks
Need to be accurate in detecting attacks and in determining that an attack is not underway.
Also may provide diagnosis tools.

The False Alarm Problem
Base rate fallacy—suppose you have a test that is 99% accurate. Is this good? Not necessarily!
Suppose the real attack rate is 1x
This test will generate 10,000 false positives for every real attack it detects. (Work it out…)
If network attacks are rare, a test has to be powerful to be useful.
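To work the slide's arithmetic through, here is an added example that is not part of the lecture. It assumes "99% accurate" means both a 99% detection rate and a 1% false-alarm rate, and takes the attack rate as one event in a million, the value consistent with the slide's figure of 10,000 false positives per detected attack.

```python
def alerts_per_events(accuracy, attack_rate, events):
    """Expected true and false alerts over `events` observations.

    `accuracy` is read as both the detection rate P(alert | attack) and the
    specificity P(no alert | no attack): a 99% test misses 1% of attacks and
    raises a false alarm on 1% of benign events (assumption, see lead-in).
    """
    detection_rate = accuracy
    false_alarm_rate = 1.0 - accuracy
    true_alerts = events * attack_rate * detection_rate
    false_alerts = events * (1.0 - attack_rate) * false_alarm_rate
    return true_alerts, false_alerts


def false_alarms_per_detection(accuracy, attack_rate):
    """False alarms that arrive for each attack actually detected (the slide's 10,000)."""
    true_alerts, false_alerts = alerts_per_events(accuracy, attack_rate, 1.0)
    return false_alerts / true_alerts


def precision(accuracy, attack_rate):
    """P(attack | alert): the fraction of alerts an analyst should expect to be real."""
    true_alerts, false_alerts = alerts_per_events(accuracy, attack_rate, 1.0)
    return true_alerts / (true_alerts + false_alerts)


def required_false_alarm_rate(attack_rate, detection_rate, target_precision):
    """Largest false-alarm rate f that still delivers `target_precision`.

    From precision = d*p / (d*p + f*(1-p)), solving for f gives
    f = d*p*(1 - precision) / (precision*(1 - p)).
    """
    return (detection_rate * attack_rate * (1.0 - target_precision)) / (
        target_precision * (1.0 - attack_rate))


if __name__ == "__main__":
    ACCURACY = 0.99
    ATTACK_RATE = 1e-6  # assumed: one attack per million monitored events
    print(f"false alarms per detected attack: "
          f"{false_alarms_per_detection(ACCURACY, ATTACK_RATE):,.0f}")
    print(f"precision of a single alert: {precision(ACCURACY, ATTACK_RATE):.2e}")
    print(f"false-alarm rate needed for 50% precision: "
          f"{required_false_alarm_rate(ATTACK_RATE, ACCURACY, 0.5):.2e}")
```

The last line is the "has to be powerful" point in numbers: at one attack per million events, even a perfect detector needs a false-alarm rate near one in a million before half of its alerts are real.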

The Timely Notification Problem
You may want to be warned in time to do something, but…
What about slow attacks? When should the IDS become suspicious and tell you?
What about ambiguous evidence? Do you want to be warned about borderline cases?

The Response Problem
What do you do if you do hear an alarm? Compare the problem with giving out general warnings of terrorist activity.
Options include:
–Wait
–Collect more information
–Do something
–Hope it goes away
You may be too busy fighting alligators to do anything intelligent about draining the swamp.

Approaches to Building an IDS
Misuse detection
–IDS knows what an attack looks like and looks for it.
–“Network virus scanner”
–Fast, easy to build, has a low false positive rate.
–Misses a lot and is easy to fool.
–Probably will get better over time.

Approaches to Building an IDS (II)
Anomaly detection
–Generates a statistical or neural network model of the network to figure out what is normal
–Sounds an alarm for abnormal activity
–Uses AI: Bayesian statistics, neural networks, expert systems

Problems with Anomaly Detection
Does the training data include an attack? Then hacking will be considered normal. 8(
New things happen on networks all the time. Successful retraining of an existing AI system to handle this is a hard problem, worth a PhD. 8(
How can it categorize attacks? That requires expert input. 8(
False positives are much higher. 8(
Attack indicators are brittle, so that hackers can sneak past them. 8(
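An added illustration of the first and fourth points, not part of the lecture: a one-variable statistical anomaly detector trained on constructed connection-rate samples. Training on a capture that already contains a flood moves the baseline until the flood looks normal, while the clean baseline also flags a modest benign burst, which is where the extra false positives come from.

```python
import statistics

# Constructed sample: new connections per minute on a quiet segment.
CLEAN_TRAINING = [48, 52, 50, 47, 53, 49, 51, 50, 46, 54,
                  50, 49, 51, 48, 52, 50, 47, 53, 49, 51]

# The same baseline with five minutes of a flood mixed in, as happens when the
# "normal" capture is taken while an attack is already under way.
POISONED_TRAINING = CLEAN_TRAINING + [300] * 5


def build_profile(training):
    """Profile of 'normal': the sample mean and standard deviation of the training data."""
    return statistics.mean(training), statistics.stdev(training)


def z_score(profile, observation):
    """Distance of an observation from the profile mean, in standard deviations."""
    mean, sd = profile
    return (observation - mean) / sd


def is_anomalous(profile, observation, threshold=3.0):
    """Alert when the observation lies more than `threshold` standard deviations out."""
    return abs(z_score(profile, observation)) > threshold


if __name__ == "__main__":
    clean = build_profile(CLEAN_TRAINING)
    poisoned = build_profile(POISONED_TRAINING)
    for label, profile in (("clean", clean), ("poisoned", poisoned)):
        for rate in (53, 60, 300):
            print(f"{label:8s} profile, {rate:3d} conn/min: z={z_score(profile, rate):7.2f} "
                  f"alert={is_anomalous(profile, rate)}")
```

With the clean profile the 300 conn/min flood scores about z=115 and a benign burst of 60 is already over the threshold; with the poisoned profile the mean rises to 100 and the deviation to about 102, so the same flood scores under z=2 and passes as normal.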

Inline versus Audit-Based IDS
Should the IDS detect attacks in real-time or using audit log processing?
–Inline will have incomplete data.
–Inline is also computationally expensive.
–Audit log processing is after the fact.
–Audit log formats vary quite a bit.
–A combined approach is feasible, but costly.

Host-Based versus Network-Based IDS
Network-based IDS is basically wire-tapping
–Stealthy
–Operating-system independent
Host-based IDS uses audit logs
–From workstations, servers, switches, routers, etc.
–Product-specific.

Make or Buy
Do your own monitoring or pay someone else?
–Counterpane
–Qinetiq
–Other vendors are important, too.
–SRM is a local company that does this.
Trust issues are particularly important.
In-house expertise is required either way.

Honey Pots and Burglar Alarms
Burglar alarms are resources on the network that generate an alarm if accessed incorrectly.
Honey pots are burglar alarms dressed up to look attractive. May incorporate subnetworks and dummy computers.
–Costly
–Have to look real to the attackers
–Legality is important: entrapment may be an issue, so intruders must be warned.
Read See also

Incident Handling Issues
Be prepared
Have procedures
Don’t panic
Call in the police?
Expectation management
Damage control
Dealing with witch hunts

IDS Requirements
Must be:
–Effective
–Easy to use
–Adaptable
–Robust
–Fast
–Efficient
–Safe

Future IDS Needs
Should be:
–Accommodating
–Security enhancing
–Scalable
–Realistic
–Hardened

Conclusions
We aren’t there yet, but any IDS is better than none at all.
This is the place to be if you want to work on secure systems development.