Intrusion Detection Presentation : 3 OF n by Manish Mehta 02/21/03.

What will we discuss?
- Host-based detection
- Host-based architecture
  - Centralized
  - Distributed real-time
- Operational concepts for host-based detection
- Policy management (next time)
- Benefits of host-based ID
- Challenges for host-based technologies

Introduction
Why do you call it 'host-based'? Because it analyzes data that originates on the host itself:
- Application logs: syslog, RDBMS, web server
- OS event logs: kernel audit records, Basic Security Module (BSM, the Solaris audit subsystem)

Why do you need it? Despite the popularity of network-based ID, host-based monitoring is becoming more important because of the insider threat: an insider's activity often never crosses a monitored network boundary, so only the host sees it.

Host-based Detection
Not all threats can be detected using network-based ID. There are three main categories of threat we deal with in host-based ID:
- Abuse of privilege
- Critical data access and modification
- Change in security configuration

Abuse of Privilege
When a user has root, admin, or some other privilege and uses it in an unauthorized manner. Examples:
- Contractors with elevated privileges
- Ex-employee with an old account that was never removed
- Admin creates a back-door account
- Privileges granted inadvertently

Critical Data Access and Modification
Mission-critical data is the "company jewels": any release or modification of this data carries a significant liability.

Examples:
- Student changes a grade
- Employee modifies a performance evaluation
- Falsification of results
- Unauthorized disclosure
- Theft of personnel or medical reports
- Web-site data is modified (defacement, "graffiti")
- Anonymous users browsing critical files

Changes in Security Configuration
Security configuration is generally a one-time, static operation, done when the machine is built or deployed; changes should be necessary only when policy changes. By monitoring the security configuration, unauthorized modifications can be caught early.

Examples:
- User disables the locking screen saver
- Legal notice (logon banner) missing
- Guest account enabled
- Registry left open (permissive permissions)
- Nomadic (laptop) users with compromised systems
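As an added example, not part of the original presentation, here is what host-based detection of the three categories above looks like as code: one rule set applied to host log lines, each rule returning which category it fired on. The sudo and sshd line formats follow real Linux syslog output; the `fileaudit` and `secconfig` lines are a constructed, simplified stand-in for OS audit records, and the accounts, paths, settings and policy are assumptions for illustration.

```python
"""Host-based misuse rules for the three threat categories:
abuse of privilege, critical data access/modification, and change in
security configuration. Log lines and policy below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = """\
Feb 21 02:11:07 host1 sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 svc_backup
Feb 21 02:12:30 host1 sshd[2103]: Accepted password for jdoe from 10.0.0.5 port 51022 ssh2
Feb 21 02:13:02 host1 fileaudit: user=bob op=write path=/srv/hr/performance_reviews.db
Feb 21 02:14:45 host1 secconfig: user=bob setting=screensaver_lock old=enabled new=disabled
Feb 21 02:15:10 host1 sshd[2110]: Accepted publickey for alice from 10.0.0.9 port 51030 ssh2
Feb 21 02:16:00 host1 fileaudit: user=alice op=read path=/var/www/html/index.html
"""

# Assumed site policy (hypothetical values).
POLICY = {
    "admins": {"alice"},                    # accounts allowed to use sudo
    "disabled_accounts": {"jdoe"},          # ex-employees whose accounts should be gone
    "critical_paths": ("/srv/hr/",),        # the "company jewels"
    "critical_readers": {"hr_app"},         # the only principals allowed to touch them
    "required_settings": {"screensaver_lock": "enabled", "guest_account": "disabled"},
}

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
FILE_RE = re.compile(r"fileaudit: user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)")
CONF_RE = re.compile(r"secconfig: user=(?P<user>\S+) setting=(?P<setting>\S+) old=(?P<old>\S+) new=(?P<new>\S+)")


@dataclass
class Alert:
    category: str   # one of the three slide categories
    user: str
    detail: str


def detect(line: str, policy=POLICY) -> Optional[Alert]:
    """Apply the host-based rules to one log line; return an Alert or None."""
    if m := SUDO_RE.search(line):
        user, cmd = m["user"], m["cmd"]
        if user not in policy["admins"]:
            return Alert("abuse-of-privilege", user, f"sudo by non-admin: {cmd}")
        if "useradd" in cmd and "-u 0" in cmd:   # admin creating a uid-0 back door
            return Alert("abuse-of-privilege", user, f"back-door uid-0 account: {cmd}")
    elif m := SSHD_RE.search(line):
        if m["user"] in policy["disabled_accounts"]:
            return Alert("abuse-of-privilege", m["user"], f"login on retired account from {m['src']}")
    elif m := FILE_RE.search(line):
        path = m["path"]
        if path.startswith(policy["critical_paths"]) and m["user"] not in policy["critical_readers"]:
            return Alert("critical-data", m["user"], f"{m['op']} of {path}")
    elif m := CONF_RE.search(line):
        want = policy["required_settings"].get(m["setting"])
        if want is not None and m["new"] != want:
            return Alert("security-config", m["user"], f"{m['setting']} changed {m['old']}->{m['new']}")
    return None


def scan(log: str = SAMPLE_LOG) -> List[Alert]:
    """Run every line through the rules and keep the hits, in log order."""
    return [a for a in map(detect, log.splitlines()) if a]


if __name__ == "__main__":
    for a in scan():
        print(f"[{a.category}] {a.user}: {a.detail}")
```

Note that the fourth line (a retired account logging in) and the last two (a non-admin reading and writing an HR database, then switching off the screen-saver lock) would be invisible to a network IDS watching an encrypted SSH session; only the host has the audit record.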

Host-based ID Architecture
Usually "agent-based". Two types of host-based ID:
- Centralized: raw data is forwarded to a central location before it is analyzed.
- Distributed (real-time): the raw data is analyzed in real time on the target first, and only alerts are forwarded.

Centralized host-based Architecture

Distributed real-time Architecture

Advantages of Centralized Architecture
- No performance degradation on the target
- Statistical behavioral information (profiles built from the full raw data set)
- Multi-host signatures (events from several hosts can be correlated)
- Raw data archive for prosecution support

Disadvantages of Centralized Architecture
- No real-time detection
- No real-time response
- Some network traffic (raw data has to be shipped to the central point)

Misconception (revisited): real-time ID
"I need intrusion detection."
"Are you interested in network-based or host-based?"
"Oh, I need real-time intrusion detection."
"Great, on the host or the network?"
"What???"
Real time is a property of the architecture (distributed real-time versus centralized), not a third kind of IDS alongside host-based and network-based.

Advantages of Distributed real-time Architecture
- Real-time alerting
- Real-time response

Disadvantages of Distributed real-time Architecture
- Performance degradation on the target
- No statistical behavioral information
- No multi-host signatures (each agent sees only its own host)
- No raw data archive for prosecution support
- Reduced data forensics capabilities
- Gaps in data analysis when the system is offline
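The "multi-host signature" item in the two lists above (an advantage of the centralized architecture, a gap in the distributed one) is easiest to see in code. The following is an added example, not from the original presentation: the same rule, "one account from one source logs in to three or more hosts within five minutes", is run once by the central collector over raw events from every host, and once per host as a real-time agent would. Host names, accounts, timestamps and the threshold are constructed assumptions.

```python
"""A multi-host login-spread signature: visible to a centralized collector
holding raw events from all hosts, invisible to any single host's agent.
Events below are constructed; timestamps are assumed already normalized
to one clock by the collector."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sshd events as the collector receives them: (host, timestamp, message).
RAW_EVENTS = [
    ("host1", "2003-02-21 02:10:05", "Accepted password for svc_backup from 10.0.0.5 port 51022 ssh2"),
    ("host2", "2003-02-21 02:11:40", "Accepted password for svc_backup from 10.0.0.5 port 51023 ssh2"),
    ("host1", "2003-02-21 02:12:00", "Accepted publickey for alice from 10.0.0.9 port 51030 ssh2"),
    ("host3", "2003-02-21 02:13:15", "Accepted password for svc_backup from 10.0.0.5 port 51024 ssh2"),
    ("host2", "2003-02-21 03:40:00", "Accepted publickey for alice from 10.0.0.9 port 51031 ssh2"),
]
HOSTS = ("host1", "host2", "host3")

SSHD_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")


def parse(raw) -> List[Tuple[datetime, str, str, str]]:
    """(timestamp, host, user, source) for every successful login, time-ordered."""
    events = []
    for host, ts, msg in raw:
        m = SSHD_RE.search(msg)
        if m:
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, m["user"], m["src"]))
    return sorted(events)


def multi_host_logins(events, min_hosts=3, window=timedelta(minutes=5)):
    """Flag (user, source) pairs that reach >= min_hosts distinct hosts inside
    one sliding window. Returns (user, src, hosts, first_ts, last_ts) tuples."""
    by_key = defaultdict(list)
    for ts, host, user, src in events:
        by_key[(user, src)].append((ts, host))
    alerts = []
    for (user, src), seq in by_key.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:   # slide the window forward
                start += 1
            hosts = {h for _, h in seq[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append((user, src, sorted(hosts), seq[start][0], seq[end][0]))
                break   # one alert per (user, source) is enough
    return alerts


def collector_view():
    """Centralized architecture: raw events from every host analyzed together."""
    return multi_host_logins(parse(RAW_EVENTS))


def agent_view(host: str):
    """Distributed real-time architecture: an agent sees only its own host."""
    return multi_host_logins(parse([e for e in RAW_EVENTS if e[0] == host]))


if __name__ == "__main__":
    print("collector:", collector_view())
    for h in HOSTS:
        print(h, "agent:", agent_view(h))
```

The collector fires on `svc_backup` from 10.0.0.5 touching host1, host2 and host3 inside four minutes; each per-host agent, seeing one ordinary successful login, fires on nothing. A distributed design can recover this only by forwarding the raw login events as well as alerts, which is precisely the trade-off the two lists describe.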

Target Agents
Small executables that run with privilege on target systems. Factors to be considered:
- Performance
- Management implications

Tasks of a Target Agent
- Read audit data in real time
- Detect misuse and forward alerts
- Centralize raw event logs
- Set audit policy
- Execute responses locally on the target
- Verify file integrity
- Perform compliance checks
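Of the agent tasks listed above, "verify file integrity" is the one with a well-known shape (the Tripwire approach): record a baseline of content hashes and metadata for the files under watch, then re-walk and report what was added, removed or changed. The block below is an added example, not from the original presentation or any product; the watched tree is a temporary directory populated with constructed files, and the simulated tampering is illustrative.

```python
"""Tripwire-style file integrity verification, as a target agent would
perform it. The watched tree and the tampering are constructed inline
so the example runs anywhere."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Content hash plus the metadata an intruder most often disturbs."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def snapshot(root: Path) -> dict:
    """Map of relative path -> fingerprint for every regular file under root."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            snap[p.relative_to(root).as_posix()] = fingerprint(p)
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files; for modified files name
    which attributes changed (content, permission bits, size)."""
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": {},
    }
    for rel in set(baseline) & set(current):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if changed:
            report["modified"][rel] = changed
    return report


def run_demo() -> dict:
    """Build a watched tree, take the baseline, simulate an intruder, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "sudoers").write_text("alice ALL=(ALL) ALL\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-original")
        os.chmod(root / "bin" / "ls", 0o755)
        baseline = snapshot(root)

        # Simulated tampering (constructed): uid-0 back-door account appended,
        # trojaned binary made setuid, dropped hidden file, sudoers removed.
        with (root / "etc" / "passwd").open("a") as f:
            f.write("svc_backup:x:0:0::/:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-trojan")
        os.chmod(root / "bin" / "ls", 0o4755)
        (root / "bin" / ".hidden").write_text("dropper\n")
        (root / "etc" / "sudoers").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in run_demo().items():
        print(kind, items)
```

Two points a practitioner would add: the baseline itself must be stored where the target cannot alter it (signed, or on the central collector), since an intruder with root on the host can otherwise rewrite it; and a real agent records more than mode and size (owner, inode, mtime, link count) because a same-size content swap with a reset mtime is a standard trick.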

Autonomous Agents
They have a mind of their own: they can move from system to system on their own. Advantage: the criminal never knows which system they are currently on. Disadvantage: neither do you!

Operational Modes
The operational mode describes the manner in which you will operate your HIDS and partially describes the end goals of monitoring. Four primary operational modes:
- Tip-off
- Surveillance
- Damage assessment
- Compliance

Tip-off and Surveillance
The defining characteristic of tip-off is that the system detects something previously unsuspected (from an in-band or out-of-band indicator). Unlike tip-off, surveillance takes place when misuse is already indicated or suspected; it usually follows a tip-off from either an IDS or an out-of-band indicator.

Damage Assessment
Used after an incident, to determine the extent of the compromise:
- Actions leading to the compromise
- Areas of compromise
- Collateral damage
- Residual effects (e.g. a time bomb left behind)
Relies on data forensics.

Compliance
Confirming that users are complying with policies:
- Proper use of applications and processes
- Logging in or out at night (outside permitted hours)

Questions ?

Until then..