Lecture 13 Page 1 CS 236 Online
Styles of Intrusion Detection
Misuse intrusion detection
–Try to detect things known to be bad
Anomaly intrusion detection
–Try to detect deviations from normal behavior
Specification intrusion detection
–Try to detect deviations from defined “good states”

Page 2: Misuse Detection
Determine what actions are undesirable
Watch for those to occur
Signal an alert when they happen
Often referred to as signature detection

Page 3: Level of Misuse Detection
Could look for specific attacks
–E.g., SYN flood attacks or IP spoofing
But that only detects already-known attacks
Better to also look for known suspicious behavior
–Like trying to become root
–Or changing file permissions

Page 4: How Is Misuse Detected?
By examining logs
–Only works after the fact
By monitoring system activities
–Often hard to trap what you need to see
By scanning the state of the system
–Can’t trap actions that don’t leave traces
By sniffing the network
–For network intrusion detection systems
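The following is an added example (not from the lecture) of misuse detection by examining logs, covering both levels described on the previous slides: signatures for specific attacks (a SYN flood kernel message, a path traversal request) and signatures for known suspicious behavior (getting a root shell via sudo, setting the setuid bit, logins for nonexistent accounts). The log lines, signature names and regular expressions are all constructed for illustration; the last log line carries an attack with no signature in the library and so is never reported, which is the "only detects known problems" limitation in action.

```python
import re
from dataclasses import dataclass

# Constructed sample auth/audit log lines for the example (not real captured data).
SAMPLE_LOG = """\
Mar 12 10:01:02 host sshd[2231]: Accepted password for alice from 10.0.0.5 port 52100 ssh2
Mar 12 10:03:15 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 12 10:04:40 host kernel: possible SYN flooding on port 80. Sending cookies.
Mar 12 10:05:01 host audit: chmod 4755 /tmp/backdoor by uid=1001
Mar 12 10:06:11 host sshd[2290]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2
Mar 12 10:07:30 host httpd: GET /index.php?page=../../../../etc/passwd from 203.0.113.9
Mar 12 10:08:02 host httpd: GET /login.php?user=admin'%20OR%201=1-- from 203.0.113.9
"""


@dataclass(frozen=True)
class Signature:
    name: str
    level: str          # "attack": a specific known attack; "behavior": known suspicious behavior
    pattern: re.Pattern


# A small, hypothetical signature library. Each entry encodes one thing known to be bad.
SIGNATURES = [
    Signature("syn_flood", "attack", re.compile(r"possible SYN flooding on port (\d+)")),
    Signature("path_traversal", "attack", re.compile(r"GET \S*(?:\.\./){2,}")),
    # Known suspicious behaviors rather than specific attacks:
    Signature("sudo_root_shell", "behavior",
              re.compile(r"sudo: (\S+) .* USER=root ; COMMAND=(/bin/(?:ba)?sh|/bin/su)\b")),
    Signature("setuid_chmod", "behavior", re.compile(r"chmod [4-7][0-7]{3}\b")),  # setuid bit set
    Signature("invalid_user_login", "behavior",
              re.compile(r"Failed password for invalid user (\S+) from (\S+)")),
]


def scan(log_text, signatures=SIGNATURES):
    """Examine log lines after the fact; emit one alert per (line, matching signature)."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for sig in signatures:
            match = sig.pattern.search(line)
            if match:
                alerts.append({"line": lineno, "signature": sig.name,
                               "level": sig.level, "matched": match.group(0)})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"line {alert['line']:2d} [{alert['level']}] {alert['signature']}: {alert['matched']}")
```

Note that the SQL injection on the last line produces nothing: a signature scanner is silent about anything its library does not describe, which is why the quality and freshness of the signature library decides how useful such a system is.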

Page 5: Pluses and Minuses of Misuse Detection
+Few false positives
+Simple technology
+Hard to fool (at least about things it knows about)
–Only detects known problems
–Gradually becomes less useful if not updated
–Sometimes signatures are hard to generate

Page 6: Misuse Detection and Commercial Systems
Essentially all commercial intrusion detection systems detect misuse
–Primarily using signatures of attacks
Many of these systems are very similar
–Differing only in details
Differentiated primarily by the quality of their signature library
–How large, how quickly updated

Page 7: Anomaly Detection
Misuse detection can only detect known problems
And many potential misuses can also be perfectly legitimate
Anomaly detection instead builds a model of valid behavior
–And watches for deviations

Page 8: Methods of Anomaly Detection
Statistical models
–User behavior
–Program behavior
–Overall system/network behavior
Expert systems
Pattern matching of various sorts
Misuse detection and anomaly detection sometimes blur together

Page 9: Pluses and Minuses of Anomaly Detection
+Can detect previously unknown attacks
–Hard to identify and diagnose the nature of attacks
–Unless careful, may be prone to many false positives
–Depending on method, can be expensive and complex

Page 10: Anomaly Detection and Academic Systems
Most academic research on IDS is in this area
–More interesting problems
–Greater promise for the future
–Increasingly, misuse detection seems inadequate
But few really effective systems currently use it
–Not entirely clear that will ever change
–What if it doesn’t?

Page 11: Specification Detection
Define some set of states of the system as good
Detect when the system is in a different state
Signal a problem if it is

Page 12: How Does This Differ From Misuse and Anomaly Detection?
Misuse detection says that certain things are bad
Anomaly detection says deviations from statistically normal behavior are bad
Specification detection specifies exactly what is good and calls the rest bad
A relatively new approach

Page 13: Some Challenges
How much state do you have to look at?
–Typically dealt with by limiting observation to state relevant to security
How do you specify a good state?

Page 14: Pluses and Minuses of Specification Detection
+Allows formalization of what you’re looking for
+Limits where you need to look
+Can detect unknown attacks
–Not very well understood yet
–Based on locating the right states to examine
–Maybe attackers can do what they want without leaving the “good” state
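As an added example (not part of the lecture) of specification detection on a single host: the "good state" is written down explicitly, observation is limited to the security-relevant state the specification names (listening sockets, setuid binaries, modes of a few sensitive files, accounts with uid 0), and anything outside the specification is reported. The specification contents and the observed snapshot are constructed for illustration; a real agent would gather the snapshot from the running system. Note that no signature is needed to catch the listener on port 4444 or the extra uid 0 account, and also that an attacker who only uses the listed setuid binaries and listed ports stays inside the "good" state, the last minus on the slide above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GoodState:
    """Specification of the good state; everything not listed here is treated as bad."""
    listening_ports: frozenset   # (proto, port) pairs allowed to listen
    setuid_binaries: frozenset   # paths allowed to carry the setuid bit
    file_modes: dict             # path -> maximum permitted mode bits (octal)
    root_accounts: frozenset     # account names allowed to have uid 0


# Hypothetical specification for one server.
SPEC = GoodState(
    listening_ports=frozenset({("tcp", 22), ("tcp", 443)}),
    setuid_binaries=frozenset({"/usr/bin/sudo", "/usr/bin/passwd"}),
    file_modes={"/etc/shadow": 0o640, "/etc/passwd": 0o644, "/etc/ssh/sshd_config": 0o600},
    root_accounts=frozenset({"root"}),
)

# Constructed snapshot of observed state (what a host agent would gather); only the
# security-relevant state named in the spec is collected, which keeps the search small.
OBSERVED = {
    "listening": {("tcp", 22), ("tcp", 443), ("tcp", 4444)},
    "setuid": {"/usr/bin/sudo", "/usr/bin/passwd", "/tmp/backdoor"},
    "modes": {"/etc/shadow": 0o644, "/etc/passwd": 0o644, "/etc/ssh/sshd_config": 0o600},
    "uid0": {"root", "toor"},
}


def check(spec, observed):
    """Return a list of deviations from the specified good state (empty list means conforming)."""
    findings = []
    for proto, port in sorted(observed["listening"] - spec.listening_ports):
        findings.append(f"unexpected listener {proto}/{port}")
    for path in sorted(observed["setuid"] - spec.setuid_binaries):
        findings.append(f"unexpected setuid binary {path}")
    for path, max_mode in spec.file_modes.items():
        mode = observed["modes"].get(path)
        if mode is None:
            findings.append(f"missing file {path}")
        elif mode & ~max_mode:                       # any permission bit beyond the allowed set
            findings.append(f"{path} mode {mode:o} exceeds {max_mode:o}")
    for acct in sorted(observed["uid0"] - spec.root_accounts):
        findings.append(f"unexpected uid 0 account {acct}")
    return findings


def conforming_snapshot(spec):
    """A snapshot that matches the spec exactly; useful as the 'known good' reference."""
    return {"listening": set(spec.listening_ports), "setuid": set(spec.setuid_binaries),
            "modes": dict(spec.file_modes), "uid0": set(spec.root_accounts)}


if __name__ == "__main__":
    for finding in check(SPEC, OBSERVED):
        print("BAD STATE:", finding)
```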

Page 15: Customizing and Evolving Intrusion Detection
A single intrusion detection solution is impossible
–Good behavior on one system is bad behavior on another
–Behaviors change and new vulnerabilities are discovered
Intrusion detection systems must change to meet needs

Page 16: How Do Intrusion Detection Systems Evolve?
Manually or semi-automatically
–New information added that allows them to detect new kinds of attacks
Automatically
–Deduce new problems or things to watch for without human intervention

Page 17: A Problem With Evolving Intrusion Detection Systems
Very clever intruders can use the evolution against the system
Instead of immediately performing dangerous actions,
–they evolve their behavior gradually towards them
If the intruder is more clever than the system,
–the system gradually accepts the new behavior as normal
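Added example (not from the lecture) of the problem on this slide: an anomaly detector that evolves its profile automatically, an exponentially weighted mean and variance of one metric, and two constructed intruders. The one who jumps straight to a large transfer is caught; the one who grows the transfer 5% per step is never more than about one standard deviation from a profile that keeps following him, so he walks the "normal" up by a factor of nearly twenty without an alert. The mitigation shown is to keep the profile a human signed off on as an anchor and raise a separate review alert when the learned profile has drifted too far from it. The series, the parameter values and the `max_drift` guard are assumptions of the example, not part of any particular product.

```python
import math
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AdaptiveDetector:
    """Anomaly detector whose profile evolves automatically (EWMA of mean and variance)."""
    mean: float
    std: float
    alpha: float = 0.3                  # weight of each new observation in the evolving profile
    k: float = 3.0                      # alert when |z| exceeds k
    std_floor: float = 1.0              # keep the profile from collapsing to zero variance
    max_drift: Optional[float] = None   # if set: fraction of the anchor mean the profile may move
    anchor_mean: float = field(init=False)
    var: float = field(init=False)

    def __post_init__(self):
        self.anchor_mean = self.mean    # the profile a human signed off on at deployment
        self.var = self.std ** 2

    def observe(self, x):
        """Return None, "deviation" or "drift"; evolve the profile from accepted observations only."""
        z = (x - self.mean) / max(math.sqrt(self.var), self.std_floor)
        if abs(z) > self.k:
            return "deviation"          # rejected observations do not train the profile
        old_mean = self.mean
        self.mean = (1 - self.alpha) * self.mean + self.alpha * x
        self.var = (1 - self.alpha) * self.var + self.alpha * (x - old_mean) ** 2
        if (self.max_drift is not None
                and abs(self.mean - self.anchor_mean) > self.max_drift * self.anchor_mean):
            return "drift"              # "normal" has wandered far from the anchor: a human reviews it
        return None


def run(detector, series):
    return [detector.observe(x) for x in series]


# Constructed series: MB transferred per hour by one account. Signed-off normal is 10 +/- 2.
BASELINE_MEAN, BASELINE_STD = 10.0, 2.0
SUDDEN = [10.0, 11.0, 9.0, 60.0]                        # naive intruder: jumps straight to exfiltration
SLOW_RAMP = [10.0 * 1.05 ** t for t in range(1, 61)]    # patient intruder: +5% per step, ends near 187


def sudden_alerts():
    return run(AdaptiveDetector(BASELINE_MEAN, BASELINE_STD), SUDDEN)


def ramp_alerts(anchored):
    """The slow ramp against a freely evolving profile, or one anchored to the signed-off baseline."""
    det = AdaptiveDetector(BASELINE_MEAN, BASELINE_STD, max_drift=0.5 if anchored else None)
    return run(det, SLOW_RAMP)


if __name__ == "__main__":
    print("sudden jump:", sudden_alerts())
    print("slow ramp, freely evolving profile:", [a for a in ramp_alerts(False) if a])
    print("slow ramp, anchored profile: first alert at step",
          next(i for i, a in enumerate(ramp_alerts(True)) if a))
```

The drift alert is deliberately not a block: it says the definition of normal has moved, which is exactly what a patient intruder needs and exactly what a legitimate change in workload also produces, so it is a question for an administrator rather than an automated response.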

Page 18: Intrusion Detection Tuning
Generally, there’s a tradeoff between false positives and false negatives
You can tune the system to decrease one
–Usually at the cost of increasing the other
The choice depends on one’s situation
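Added example (not from the lecture) serving both the anomaly detection slides (pages 7 to 9) and the tuning slide above: a statistical model of per-user behavior built from constructed training sessions, an anomaly score for a new session relative to that user's own profile, and a threshold sweep over a constructed labeled set that counts false positives and false negatives at each threshold. The user names, features (hour of login, commands run, megabytes transferred) and session data are all invented for the example. It also shows the "many potential misuses are perfectly legitimate" point: a 22:00 login is normal for the night-shift account and highly anomalous for the day-shift one.

```python
import statistics
from collections import defaultdict

# Constructed training sessions: (user, hour_of_day, commands_run, mb_transferred)
TRAINING = [
    ("alice", 9, 40, 5.0), ("alice", 10, 55, 6.5), ("alice", 14, 48, 4.0),
    ("alice", 16, 60, 7.0), ("alice", 11, 50, 5.5),
    ("bob", 22, 5, 0.5), ("bob", 23, 8, 0.8), ("bob", 21, 6, 0.4),
    ("bob", 22, 4, 0.6), ("bob", 23, 7, 0.7),
]

# Constructed labeled sessions used to tune the threshold: (user, hour, commands, mb, label)
LABELED = [
    ("alice", 10, 52, 6.0, "legit"),
    ("alice", 9, 45, 5.0, "legit"),
    ("alice", 19, 70, 8.5, "legit"),    # working late: unusual but legitimate
    ("bob", 22, 7, 0.5, "legit"),
    ("alice", 3, 20, 40.0, "attack"),   # bulk exfiltration at 03:00
    ("alice", 22, 50, 5.5, "attack"),   # alice's account used at bob's hours
    ("bob", 14, 30, 0.6, "attack"),     # bob's account used at alice's hours, far too busy
    ("bob", 23, 6, 1.0, "attack"),      # stealthy: only the transfer size is off
]


def build_profiles(training):
    """Per-user statistical profile: (mean, std) per feature, with a floor so std is never zero."""
    by_user = defaultdict(list)
    for user, *features in training:
        by_user[user].append(features)
    profiles = {}
    for user, rows in by_user.items():
        columns = list(zip(*rows))
        profiles[user] = [(statistics.mean(c), max(statistics.pstdev(c), 0.1)) for c in columns]
    return profiles


def score(profiles, user, features):
    """Anomaly score: the largest |z| across features, relative to this user's own profile."""
    if user not in profiles:
        return float("inf")             # no model of normal for this user: always anomalous
    return max(abs(x - m) / s for x, (m, s) in zip(features, profiles[user]))


def tune(profiles, labeled, thresholds):
    """False positives and false negatives at each threshold: the tradeoff an operator tunes."""
    scored = [(score(profiles, user, feats), label) for user, *feats, label in labeled]
    result = {}
    for t in thresholds:
        fp = sum(1 for s, label in scored if s > t and label == "legit")
        fn = sum(1 for s, label in scored if s <= t and label == "attack")
        result[t] = (fp, fn)
    return result


if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    for user, *feats, label in LABELED:
        print(f"{user:6s} {feats} {label:7s} score={score(profiles, user, feats):6.2f}")
    for t, (fp, fn) in tune(profiles, LABELED, [1.0, 2.0, 3.0, 5.0, 20.0]).items():
        print(f"threshold {t:5.1f}: false positives={fp} false negatives={fn}")
```

The sweep shows the slide's tradeoff directly: below a threshold of 3 the stealthy transfer is caught but the late-working employee is flagged too; above it the employee is left alone and the stealthy transfer is missed. Which side to err on is the situational choice the slide mentions, and it is why the labeled set should contain the legitimate-but-odd sessions the site actually sees.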

Page 19: Practicalities of Operation
Most commercial intrusion detection systems are add-ons
–They run as normal applications
They must make use of readily available information
–Audit logged information
–Sniffed packets
–Output of system calls they make
And performance is very important

Page 20: Practicalities of Audit Logs for IDS
Operating systems only log certain things
They don’t necessarily log what an intrusion detection system really needs
They produce large amounts of data
–Expensive to process
–Expensive to store
If the attack was successful, logs may be corrupted

Page 21: What Does an IDS Do When It Detects an Attack?
Automated response
–Shut down the “attacker”
–Or more carefully protect the attacked service
Alarms
–Notify a system administrator, often via a special console
–Who investigates and takes action
Logging
–Just keep a record for later investigation

Page 22: Consequences of the Choices
Automated
–Too many false positives and your network stops working
–Is the automated response effective?
Alarm
–Too many false positives and your administrator ignores them
–Is the administrator able to determine what’s going on fast enough?

Page 23: Intrusion Prevention Systems
Essentially a buzzword for an IDS that takes automatic action when an intrusion is detected
Goal is to quickly take remedial action against threats
Since IPSs are automated, false positives could be very, very bad
“Poor man’s” version is an IDS controlling a firewall
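An added example (not from the lecture) of the "poor man's" IPS on this slide: IDS alerts drive firewall blocks, with the guardrails a practitioner adds because false positives are now an outage rather than a nuisance. Sources on an allowlist (gateways, monitoring hosts, DNS) are never blocked automatically; a low-severity alert must repeat from the same source within a window before it is acted on; every block expires, so a mistake costs at most `ttl_s` seconds; and the number of simultaneous blocks is capped so an attacker spoofing many sources cannot fill the firewall. The responder records the `iptables` commands it would issue instead of executing them; the alert fields, addresses and parameter values are constructed for the example.

```python
from collections import defaultdict, deque


class BlockingResponder:
    """Turns IDS alerts into time-limited firewall blocks, with guardrails against false positives."""

    def __init__(self, allowlist, min_alerts=3, window_s=60, ttl_s=600, max_blocks=100):
        self.allowlist = set(allowlist)    # hosts that must never be blocked automatically
        self.min_alerts = min_alerts       # low-severity alerts needed from one source before blocking
        self.window_s = window_s           # ... within this many seconds
        self.ttl_s = ttl_s                 # blocks expire: a false positive is an outage bounded by ttl
        self.max_blocks = max_blocks       # cap so a spoofed flood of "attackers" cannot fill the firewall
        self.recent = defaultdict(deque)   # src -> timestamps of recent alerts
        self.blocked = {}                  # src -> time at which the block expires
        self.actions = []                  # firewall commands that would be issued (not executed here)

    def expire(self, now):
        """Lift blocks whose time-to-live has passed."""
        for src, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[src]
                self.actions.append(f"iptables -D INPUT -s {src} -j DROP")

    def handle(self, alert, now):
        """Return True if the source is blocked after this alert, False if it was only recorded."""
        self.expire(now)
        src = alert["src"]
        if src in self.allowlist:
            self.actions.append(f"NOTIFY operator: {alert['sig']} from allowlisted {src}, not blocking")
            return False
        if src in self.blocked:
            return True
        window = self.recent[src]
        window.append(now)
        while window and now - window[0] > self.window_s:
            window.popleft()
        # A high-severity signature blocks at once; low-severity ones must repeat.
        confident = alert.get("severity") == "high" or len(window) >= self.min_alerts
        if not confident:
            return False
        if len(self.blocked) >= self.max_blocks:
            self.actions.append(f"NOTIFY operator: block table full, not blocking {src}")
            return False
        self.blocked[src] = now + self.ttl_s
        self.actions.append(f"iptables -I INPUT -s {src} -j DROP")
        return True


if __name__ == "__main__":
    responder = BlockingResponder(allowlist={"10.0.0.2"})
    events = [  # constructed alert stream: (time, alert)
        (0, {"src": "10.0.0.2", "sig": "port_scan", "severity": "low"}),
        (10, {"src": "203.0.113.9", "sig": "invalid_user_login", "severity": "low"}),
        (20, {"src": "203.0.113.9", "sig": "invalid_user_login", "severity": "low"}),
        (30, {"src": "203.0.113.9", "sig": "invalid_user_login", "severity": "low"}),
        (40, {"src": "198.51.100.7", "sig": "path_traversal", "severity": "high"}),
        (700, {"src": "192.0.2.5", "sig": "port_scan", "severity": "low"}),
    ]
    for t, alert in events:
        print(t, alert["src"], "blocked" if responder.handle(alert, now=t) else "recorded")
    print("\n".join(responder.actions))
```

Even with these guardrails the slide's warning stands: the allowlist only protects the hosts you thought to list, and an attacker who can make traffic appear to come from a third party can use the IPS to cut that party off.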

Page 24: Sample Intrusion Detection Systems
Snort
Bro
RealSecure ISS
NetRanger

Page 25: Snort
Network intrusion detection system
Open source (GPL-licensed)
–Designed for Linux
–But also runs on Win32
Designed for high extensibility
–Allows easy plugins for detection
–And rule-based description of good & bad traffic

Page 26: Bro
Like Snort, an open source network-based IDS (renamed Zeek in 2018)
Developed at LBL (Lawrence Berkeley National Laboratory)
Includes more sophisticated non-signature methods than Snort
More general and extensible than Snort
Maybe not as easy to use

Page 27: RealSecure ISS
Commercial IDS from ISS (Internet Security Systems)
Very popular and widely deployed
Distributed client/server architecture
–Incorporates network and host components
Other components report to a server on a dedicated machine

Page 28: NetRanger
Now bundled into Cisco products
For use in network environments
–“Sensors” in promiscuous mode capture packets off the local network
Examines data flows
–Raises an alarm for suspicious flows
Using misuse detection techniques
–Based on a signature database

Page 29: Is Intrusion Detection Useful?
69% of CSI/FBI survey respondents (2008) use one
–54% use intrusion prevention
In 2003, a Gartner Group analyst called IDS a failed technology
–Predicted its death by 2005
–They’re not dead yet
Signature-based IDS especially criticized

Page 30: Which Type of Intrusion Detection System Should I Use?
NIST report (SP 800-94) recommends using multiple IDSs
–Preferably multiple types
–E.g., host and network
Each will detect different things
–Using different data and techniques
Good defense in depth

Page 31: The Future of Intrusion Detection?
The general concept has never quite lived up to its promise
Yet alternatives are clearly failing
–We aren’t keeping the bad guys out
So research and development continues
And most serious people use them
–Even if they are imperfect

Page 32: Conclusions
Intrusion detection systems are helpful enough that those who care about security should use them
They are not yet terribly sophisticated
–Which implies they aren’t that effective
Much research continues to improve them
Not clear if they’ll ever achieve what the original inventors hoped for