Selected Topics: Digital Forensics

91.460.201 & 91.530.202 Selected Topics: Digital Forensics
Overview of Intrusion Detection/Prevention
Xinwen Fu

Outline
 - What is intrusion detection
 - Host, Network & Perimeter Detection
 - The Emergence of Intrusion Prevention
 - Real-World Examples
 - Future Directions
By Dr. Xinwen Fu

A Big Picture of Cyber Space
[Diagram labels: TAMU, Internet, Firewall, Intrusion Detection System, Router, Switch, UML]
Source: http://www.inmon.com/tutorials/ids.php

What is Intrusion Detection?
"a process of identifying and responding to malicious activity targeted at computing and networking resources"
An incident occurs: point-in-time or ongoing.
Incident response process:
 - Pre-incident preparation
 - Detection of incidents
 - Initial response
 - Formulate strategy
 - Investigate the incident: data collection, analysis
 - Reporting
 - Resolution, recovery, implement security measures
CSIRT: Computer Security Incident Response Team
A sensor (an analysis engine) is responsible for detecting intrusions. This sensor contains the decision-making mechanisms regarding intrusions.

A Brief History of Intrusion Detection
 - 1970s: Rudimentary audit-trail analysis
 - 1980s: Signature-based expert systems
 - 1990s: Explosion of available IDS systems
 - 2000s: Emergence of active IDS
   - Intrusion Detection and Prevention (IDP)
   - Intrusion Prevention Systems (IPS)
   - Convergence of technologies: Firewall + IDP + Anti-Virus
   - Appliances and security switches
 - Host => Network => Perimeter
Network-based IDSs can be signature-based or behavior-based. Signature-based IDSs rely on the fact that attacks have certain patterns, or signatures. Vendors update these IDSs much as antivirus software makers do: when new attacks are discovered, they are added to the signature base. This type is also called a rules-based IDS (signature-based == rules-based).

A Sample Intrusion Detection System (IDS) [diagram]

[Diagram labels: Internet, Mid-Continent, ComCast, TAMU, UML]

HIDS: Host-Based Intrusion Detection System
A HIDS resides on a single host system. The system analyzes:
 - Network packets entering and leaving the host
 - Audit trails and log files on the host
 - Processes and systems running on the host
Recent advances in intrusion prevention:
 - Protocol enforcement
 - Stack enforcement
 - File checksum monitoring
All of these attempt to protect against exploitation of software vulnerabilities by buffer overflow or protocol anomalies.

Buffer overflows
A vulnerable program (the unchecked strcpy is the point of the slide):

    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buffer[512];                /* fixed-size buffer on the stack */
        if (argc > 1)
            strcpy(buffer, argv[1]);     /* no length check: an argument longer than 511 bytes overruns buffer */
        return 0;
    }

From the strcpy(3) manual page:

    char *strcpy(char *dest, const char *src);

DESCRIPTION: The strcpy() function copies the string pointed to by src (including the terminating '\0' character) to the array pointed to by dest. The strings may not overlap, and the destination string dest must be large enough to receive the copy.

What is happening within your code?
The stack is used to store local variables and the return address (where your function should return when it finishes). An attacker's input consists of:
 - malicious code
 - a new return address (pointing to the malicious code)

Where is the HIDS on the Internet?
[Diagram labels: Mid-Continent, ComCast, TAMU, UML]

NIDS: Network-Based Intrusion Detection System
A NIDS listens to the entire network segment. The system analyzes:
 - Network packets passing along the network cable
 - Audit trails and log files sent to the NIDS by hosts
 - Processes and systems running on the network hosts
Recent advances in intrusion prevention:
 - "Active" rules to shut down connections
 - "Integration" with firewalls to disable attackers
 - "Data mining" to summarize the events

Where is the NIDS on the Internet?
[Diagram labels: Mid-Continent, ComCast, TAMU, UML]

PIDS: Perimeter-Based Intrusion Detection System
A PIDS resides on a gateway/edge router. The system analyzes:
 - Network packets passing through the gateway
 - Audit trails and log files on the gateway
 - Processes and systems running on the gateway
Recent advances in intrusion prevention:
 - Actively blocking known malicious attacks
 - Zero-latency blocking

Where is the PIDS on the Internet?
[Diagram labels: Mid-Continent, Prairiewave, TAMU]

Throughput - Real-Time Intrusion Detection
Current technology can perform at gigabit speeds. To exceed that speed, there are various options:
 - Software: signature sets organized by protocol; optimization, reducing the requirement to scan
 - Hardware: co-processor chips, such as an ASIC (application-specific integrated circuit) or others; faster main processors
This is important for host and network IDP. But for perimeter IDP, how fast is your ISP link?
[Figure: an ASIC (application-specific integrated circuit)]

The Emergence of Intrusion Prevention
If you detect an attack and know it's an attack, it seems sensible to block it. However, three problems are apparent:
 - False positives (false alarms): blocking normal traffic
 - Denial of service: blocking spoofed hosts
 - Latency: delays in blocking limit effectiveness
Evolution of the technology, and the merging of firewall and IDP functionality, is solving these problems.

A Big Picture of Intrusion Detection and Prevention Being Together [diagram]

SQL Slammer Worm: The Fastest Internet Worm in History
Timeline:
 - July 24th, 2002: Microsoft announced the vulnerability
 - January 25th, 2003: SQL Slammer worm unleashed; first detection at 05:29:36 GMT
 - It infected more than 90 percent of vulnerable hosts within 10 minutes
The worm:
 - 376-byte viral payload in a single UDP packet
 - Infects machines with a single packet over UDP/1434
 - UDP is a broadcast protocol: possible to infect multiple hosts with 1 packet

Hosts Infected with Slammer
[Animation: a before-and-after view of the number of infected Sapphire hosts in the half-hour between 05:29 UTC and 06:00 UTC]
Source: http://www.caida.org/research/security/sapphire/

How to stop SQL Slammer?
 - Patch
 - Firewall / VPN: block UDP/1434 (inbound and outbound); use a VPN for access to sensitive services
 - Intrusion Detection and Prevention: UDP/1434 is a well-known protocol; the vulnerability was well known 6 months before the exploit; IDP signatures can detect and block exploits of this vulnerability; the size of the packet is anomalous behavior
 - Zero-latency active IDS/IDP is the only way of blocking this worm
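The two IDP observations on this slide (a signature for the exploit, and packet size as an anomaly) together with the passive/active distinction from the intrusion prevention slide can be put into one small detector. The code below is an added example for these notes, not code from the lecture or from any IDS product. The only facts it takes from the slides are the port (UDP/1434) and the 376-byte payload; the anomaly threshold NORMAL_UDP1434_MAX_LEN, the Packet/Alert types, the rule names and the sample traffic are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Facts from the lecture: Slammer is a single UDP datagram to port 1434
# carrying a 376-byte payload.
SLAMMER_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376

# Assumed baseline for the anomaly rule: legitimate UDP/1434 requests are
# short. This threshold is constructed for the example, not a measured value.
NORMAL_UDP1434_MAX_LEN = 64


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    payload: bytes


@dataclass
class Alert:
    index: int      # position of the offending packet in the input list
    rule: str
    action: str     # "log" for a passive IDS, "drop" for an active IDS/IDP


def signature_match(pkt: Packet) -> bool:
    """Signature detection: exact pattern of the known exploit."""
    return (pkt.proto == "udp" and pkt.dport == SLAMMER_PORT
            and len(pkt.payload) == SLAMMER_PAYLOAD_LEN)


def anomaly_match(pkt: Packet) -> bool:
    """Anomaly detection: deviation from the assumed normal request size."""
    return (pkt.proto == "udp" and pkt.dport == SLAMMER_PORT
            and len(pkt.payload) > NORMAL_UDP1434_MAX_LEN)


def inspect(packets: List[Packet], active: bool) -> List[Alert]:
    """Run the signature rule first, then the anomaly rule, on each packet."""
    alerts = []
    for i, pkt in enumerate(packets):
        if signature_match(pkt):
            rule = "slammer-signature"
        elif anomaly_match(pkt):
            rule = "udp1434-size-anomaly"
        else:
            continue
        # An active response drops the offending datagram itself. It does not
        # blacklist pkt.src: with a spoofed source that would let an attacker
        # get legitimate hosts blocked (the denial-of-service problem on the
        # intrusion prevention slide).
        alerts.append(Alert(i, rule, "drop" if active else "log"))
    return alerts


def forwarded(packets: List[Packet], active: bool) -> List[Packet]:
    """Packets that reach the protected segment after inspection."""
    dropped = {a.index for a in inspect(packets, active) if a.action == "drop"}
    return [p for i, p in enumerate(packets) if i not in dropped]


def summarize(alerts: List[Alert]) -> dict:
    """Alert counts per rule, the kind of roll-up a console would show."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


# Constructed sample traffic (addresses from documentation ranges).
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.1.20", "udp", 1434, b"\x02"),                  # short, normal request
    Packet("10.0.0.7", "10.0.1.20", "tcp", 1433, b"constructed client bytes"),  # ordinary TCP traffic
    Packet("203.0.113.9", "10.0.1.20", "udp", 1434, b"X" * 376),            # Slammer-sized datagram (filler bytes)
    Packet("198.51.100.4", "10.0.1.21", "udp", 1434, b"Y" * 200),           # oversized, but not the exact signature
]

if __name__ == "__main__":
    for mode in (False, True):
        alerts = inspect(SAMPLE_TRAFFIC, active=mode)
        print("active" if mode else "passive", summarize(alerts),
              "forwarded:", len(forwarded(SAMPLE_TRAFFIC, mode)))
```

The anomaly rule catches the 200-byte datagram that the signature misses, which is the argument for running both; the cost is that any legitimately large UDP/1434 request would also be dropped in active mode, which is the false-positive problem from the intrusion prevention slide.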

Future Directions: What do you think?

IDS Classification
 - Intrusion detection approach: anomaly detection; signature detection
 - Protected systems: HIDS; NIDS; hybrids
 - Structure: centralized system; distributed system; agent system
 - Data sources: audit trail; network packets; system state analysis (kernel, services, file, etc.)
 - Behavior after an attack: active IDS; passive IDS
 - Analysis timing: on-the-fly processing; interval based

Terms
 - Anomaly detection: explores issues in intrusion detection associated with deviations from normal system or user behavior
 - Signature detection: discriminates between anomaly or attack patterns (signatures) and known intrusion detection signatures (also called rules-based detection)
 - HIDS: uses information derived from a single host
 - NIDS: exploits information obtained from a whole segment of a local network
 - Passive IDS: simply generates alerts and logs network packets
 - Active IDS: detects and responds to attacks, attempts to patch software holes before getting hacked, or acts proactively by logging out potential intruders or blocking services

References
 - Przemyslaw Kazienko & Piotr Dorosz, Intrusion Detection Systems (IDS) Part I - (network intrusions; attack symptoms; IDS tasks; and IDS architecture), http://www.windowsecurity.com/pages/article_p.asp?id=1147, Apr 07, 2003
 - Przemyslaw Kazienko & Piotr Dorosz, Intrusion Detection Systems (IDS) Part 2 - Classification; methods; techniques, http://www.windowsecurity.com/pages/article_p.asp?id=1335, Jun 15, 2004
 - Cisco IDS Solution, http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/networking_solutions_audience_business_benefit09186a008033a458.html, 2005
 - Randy Stauber, Defense In Depth, http://www.infosecwriters.com/texts.php?op=display&id=170, 19/05/04
