Design Lines for a Long Term Competitive IDS Erwan Lemonnier KTH-IT / Defcom.

Thesis subject: an analysis of the difficulties IDSs face and of how to solve them. Two approaches are explored: designing efficient filters, and improving the IDS architecture (MIDS, a multi-IDS architecture). Design Lines for a Long Term Competitive IDS - Erwan Lemonnier /10/08

Plan of presentation: introduction to IDSs; IDS challenges; solution 1: efficient filter design; solution 2: MIDS, an alternative IDS architecture.

Introduction to IDSs. IDSs are programs that monitor a computer system (a network or a host) to detect intrusion attempts. An IDS is typically made of a sensor, some filters, an alert-flow and a monitoring center. [Diagram: monitored system (host / network) -> sensor -> sensor API -> filters -> alert-flow -> monitoring center]

Sensors are host based or network based. Filters are small programs that analyze sensor data to detect intrusions. Detection strategies: signature matching, and anomaly detection (protocol anomaly). [Diagram: protocol standard vs. practical usage vs. attacks]

IDS challenges: insertion and evasion; alert-flow control; encrypted traffic; learning from antiviruses; technical obstacles.

Insertion and evasion. Efficient detection theoretically requires knowledge of the monitored system's state and rules. Despite standards, systems are implemented differently (e.g. different TCP/IP stack implementations), so the IDS always makes some false assumptions about how the monitored system will react. It is therefore possible to shape traffic so that the IDS accepts a packet that the monitored system rejects (insertion), or the reverse (evasion).
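The following Python model reproduces both cases. It is an added illustration, not code from the slides or from the author's thesis: the "first" and "last" overlap policies and the checksum flag are simplified stand-ins for real TCP/IP stack differences, the segments are constructed inline, and the signature string is a placeholder rather than a real rule.

```python
"""Toy model of TCP insertion and evasion against a signature-matching IDS.
Added example: the segments below are constructed, there is no network I/O."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int                  # relative sequence number of the first byte
    data: bytes
    checksum_ok: bool = True  # would a receiver that verifies checksums accept it?


# Placeholder signature string for the example, not a real rule.
SIGNATURE = b"/cgi-bin/phf"


def reassemble(segments, policy="first", verify_checksum=True):
    """Rebuild the byte stream one receiver would see.

    policy: "first" keeps the byte that arrived first at an offset, "last"
    lets a later segment overwrite it. Two hypothetical stacks that differ
    only in this choice already disagree about the streams below.
    """
    stream = {}
    for seg in segments:
        if verify_checksum and not seg.checksum_ok:
            continue                 # a checking receiver silently drops it
        for i, byte in enumerate(seg.data):
            offset = seg.seq + i
            if policy == "last" or offset not in stream:
                stream[offset] = byte
    out, offset = bytearray(), 0
    while offset in stream:          # stop at the first hole
        out.append(stream[offset])
        offset += 1
    return bytes(out)


def ambiguous_offsets(segments):
    """Offsets where two segments carry different bytes. A sensor that does not
    know the target's policy should alert on this instead of guessing."""
    seen, conflicts = {}, set()
    for seg in segments:
        for i, byte in enumerate(seg.data):
            offset = seg.seq + i
            if offset in seen and seen[offset] != byte:
                conflicts.add(offset)
            seen.setdefault(offset, byte)
    return sorted(conflicts)


def matches(stream):
    return SIGNATURE in stream


# Evasion: the IDS favours the first segment, the target favours the last.
EVASION = [Segment(0, b"GET /cgi-bin/"), Segment(13, b"pXf"), Segment(13, b"phf")]

# Insertion: a segment with a bad checksum is accepted by an IDS that does not
# verify checksums but dropped by the target host.
INSERTION = [Segment(0, b"GET /cgi-bin/"), Segment(13, b"pXf", checksum_ok=False),
             Segment(13, b"phf")]

if __name__ == "__main__":
    print("IDS (first-wins) sees :", reassemble(EVASION, policy="first"))
    print("host (last-wins) sees :", reassemble(EVASION, policy="last"))
    print("ambiguous offsets     :", ambiguous_offsets(EVASION))
    print("IDS (no checksum) sees:", reassemble(INSERTION, verify_checksum=False))
    print("host (checksum) sees  :", reassemble(INSERTION, verify_checksum=True))
```

Real stacks differ in many more ways (fragment overlap handling, TTL, IP options, urgent data), so a sensor cannot get every policy right by construction. The two practical responses are the ones the rest of the talk builds on: reassemble per target using the policy of the monitored host, and treat inconsistent overlaps (ambiguous_offsets above) as an alert in their own right rather than silently picking one interpretation.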

Alert-flow control challenges. False positives: they cannot be avoided, and they increase with traffic. Hiding attacks: IDS evasion, alert flooding, slow-rate attacks, distributed attacks. => Need for intelligent alert-flow processing components.

Encrypted traffic. A network based IDS can't monitor encrypted traffic. The only known solution is a decryption proxy, but it is hard to deploy. Example: HTTPS. [Diagram: client --HTTPS (HTTP/SSL)--> decryption proxy --clear HTTP--> HTTP server, with the network based IDS watching the clear-text link]

Learning from antiviruses. Viruses vs. antiviruses is similar to attacks vs. IDSs: similar techniques (signatures, anomaly detection) and probably similar results, but antiviruses are more mature. The evasion race (IDS evasion, polymorphism, etc.) creates a need for a reactive, automated filter updating process. Anomaly detection is effective when used together with signatures.

Technical obstacles. Resistance to fragmentation, insertion and evasion => efficient TCP/IP stack monitoring. High-rate traffic => load balancing.

Solutions? Approach 1: improving filters. Approach 2: alternative IDS architectures.

Efficient filters improve detection and alert-flow control. How? By mixing signature and anomaly detection: a protocol anomaly analysis engine enables efficient signature matching. Internal caching and filtering of the alert-flow reduces its volume and makes the analysis more accurate (correlation).

Efficient filters: Telnet filter example
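The Telnet filter on this slide was shown as a diagram. As an added example, not the author's filter, the Python below shows the design principle of the previous slide: decode the protocol layer first (stripping IAC negotiation, which also defeats evasion by inserting harmless IAC NOPs inside a command), flag protocol anomalies on their own, and only then run signatures on the decoded NVT data. The signature list, the line-length threshold and the sample streams are constructed for the example.

```python
"""Protocol-aware Telnet filter: decode the Telnet layer, report anomalies,
then match signatures on the decoded data. Added example, not from the slides."""

# Telnet command bytes (RFC 854)
IAC, DONT, DO, WONT, WILL, SB, SE, NOP = 255, 254, 253, 252, 251, 250, 240, 241

# Placeholder signatures for the example; not a real rule set.
SIGNATURES = [b"/etc/passwd", b"/etc/shadow"]


def telnet_decode(raw: bytes):
    """Return (decoded_data, anomalies) for a raw Telnet byte stream."""
    data, anomalies = bytearray(), []
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b != IAC:
            data.append(b)
            i += 1
            continue
        if i + 1 >= n:
            anomalies.append("truncated IAC at end of stream")
            break
        cmd = raw[i + 1]
        if cmd == IAC:                       # escaped 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):  # 3-byte option negotiation
            if i + 2 >= n:
                anomalies.append("truncated option negotiation")
                break
            i += 3
        elif cmd == SB:                      # subnegotiation runs up to IAC SE
            end = raw.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                anomalies.append("subnegotiation without IAC SE")
                break
            i = end + 2
        elif cmd == SE:
            anomalies.append("IAC SE outside subnegotiation")
            i += 2
        elif 241 <= cmd <= 249:              # NOP, DM, BRK, IP, AO, AYT, EC, EL, GA
            i += 2
        else:
            anomalies.append(f"invalid IAC command 0x{cmd:02x}")
            i += 2
    return bytes(data), anomalies


def telnet_filter(raw: bytes, max_line: int = 1024):
    """Alerts for one stream: protocol anomalies plus signatures on decoded lines."""
    data, anomalies = telnet_decode(raw)
    alerts = [("anomaly", a) for a in anomalies]
    for line in data.split(b"\n"):
        if len(line) > max_line:             # anomaly even without any signature
            alerts.append(("anomaly", f"line of {len(line)} bytes exceeds {max_line}"))
        for sig in SIGNATURES:
            if sig in line:
                alerts.append(("signature", sig.decode()))
    return alerts


# Constructed samples. The first splits the command with an IAC NOP, so a
# byte-level signature never sees "/etc/passwd" in the raw stream.
EVASIVE_STREAM = b"cat /etc" + bytes([IAC, NOP]) + b"/passwd\n"
NEGOTIATION = bytes([IAC, WILL, 24]) + b"login: "   # IAC WILL TERMINAL-TYPE
TRUNCATED = bytes([IAC, WILL])

if __name__ == "__main__":
    for name, stream in [("evasive", EVASIVE_STREAM), ("negotiation", NEGOTIATION),
                         ("truncated", TRUNCATED)]:
        print(name, telnet_decode(stream)[0], telnet_filter(stream))
```

The same structure carries over to any protocol: the anomaly checks come for free from the parser the signature engine needs anyway, and signatures run on far less, and far cleaner, data than the raw byte stream.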

Efficient filters: TCP filter example

Alternative IDS structure. IDSs are alert-flow management systems. Focus on: multiplying alert sources; merging alert-flows from different sources; processing the alert-flow intelligently.

Suggested architecture: Multi-IDS (MIDS). [Diagram: monitored system (host / network) -> several IDSs (snort, ISS, NFR) -> alert-flow merger -> correlation engine -> monitoring center] Multiple IDSs, host and network based; multiple filtering techniques; alert-flow correlation.

Host based sensors detect the host side of an attack that is hidden from a network based IDS (evasion, encryption, etc.). Multiple, different network based sensors: many different TCP/IP stack implementations => reduced risk of evasion/insertion. Alert-flow merging and processing: merging alert-flows, shaping the alert-flow to increase its informational load, alert correlation, data mining. => Solves the evasion/insertion, alert-flow control and encryption problems.
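To make the alert-flow merger and correlation engine concrete, here is an added Python example (not the MIDS prototype, which the talk does not show) covering the alert-flow control problems listed earlier, the internal alert caching of the efficient-filters slide, and the host/network correlation of this slide. The two log formats are simplified, constructed ones rather than real snort, ISS or NFR output, the sensors are assumed to share one clock, and the thresholds are arbitrary.

```python
"""Multi-IDS alert-flow merging and correlation. Added example; the log
formats and sample lines are constructed, not real sensor output."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float      # seconds; both sensors are assumed to share one clock
    sensor: str
    kind: str      # "network" or "host"
    src: str
    dst: str
    dport: int     # 0 when the sensor does not report one
    name: str


# Simplified, constructed line formats: not real Snort/ISS/NFR output.
NET_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) \[\*\*\] (?P<name>.+?) \[\*\*\] "
                    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
HOST_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) host=(?P<dst>[\d.]+) "
                     r"from=(?P<src>[\d.]+) event=(?P<name>.+)$")

NETWORK_LOG = """\
100.0 [**] CGI probe [**] 10.0.0.5:40001 -> 192.168.1.10:80
100.4 [**] CGI probe [**] 10.0.0.5:40002 -> 192.168.1.10:80
100.9 [**] CGI probe [**] 10.0.0.5:40003 -> 192.168.1.10:80
1000.0 [**] SYN to closed port [**] 10.0.0.9:51000 -> 192.168.1.20:21
4600.0 [**] SYN to closed port [**] 10.0.0.9:51001 -> 192.168.1.20:23
8200.0 [**] SYN to closed port [**] 10.0.0.9:51002 -> 192.168.1.20:25
11800.0 [**] SYN to closed port [**] 10.0.0.9:51003 -> 192.168.1.20:110
"""
HOST_LOG = "101.2 host=192.168.1.10 from=10.0.0.5 event=cgi handler spawned a shell\n"


def parse(text, sensor, kind, regex):
    """Normalise one sensor's lines into Alert records; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            d = m.groupdict()
            alerts.append(Alert(float(d["ts"]), sensor, kind, d["src"], d["dst"],
                                int(d.get("dport") or 0), d["name"].strip()))
    return alerts


def merge(*streams):
    """Alert-flow merger: one time-ordered flow from all sensors."""
    return sorted((a for s in streams for a in s), key=lambda a: a.ts)


def aggregate(alerts, window=60.0):
    """Collapse repeats of one alert within `window` seconds into (alert, count):
    the cheap defence against alert floods."""
    out, first_seen = [], {}
    for a in alerts:
        key = (a.sensor, a.src, a.dst, a.name)
        if key in first_seen and a.ts - first_seen[key][0] <= window:
            idx = first_seen[key][1]
            out[idx] = (out[idx][0], out[idx][1] + 1)
        else:
            out.append((a, 1))
            first_seen[key] = (a.ts, len(out) - 1)
    return out


def confirmed_by_host(alerts, window=5.0):
    """Network alerts that a host sensor on the target corroborates (same src/dst
    within `window` seconds): the host side is neither evadable by shaping
    packets nor hidden by encryption."""
    host = [a for a in alerts if a.kind == "host"]
    return [n for n in alerts if n.kind == "network" and any(
        h.src == n.src and h.dst == n.dst and abs(h.ts - n.ts) <= window for h in host)]


def slow_scans(alerts, min_ports=4, window=86400.0):
    """A source touching many distinct ports on one host, however slowly: each
    event is harmless alone and only the correlated flow shows the pattern."""
    hits = defaultdict(list)
    for a in alerts:
        if a.kind == "network" and a.dport:
            hits[(a.src, a.dst)].append((a.ts, a.dport))
    findings = []
    for (src, dst), events in hits.items():
        latest = max(t for t, _ in events)
        ports = {p for t, p in events if latest - t <= window}
        if len(ports) >= min_ports:
            findings.append((src, dst, sorted(ports)))
    return findings


def load():
    """Merged alert-flow for the constructed sample logs above."""
    return merge(parse(NETWORK_LOG, "net-a", "network", NET_RE),
                 parse(HOST_LOG, "host-10", "host", HOST_RE))


if __name__ == "__main__":
    flow = load()
    for alert, count in aggregate(flow):
        print(f"{alert.ts:>8} {alert.sensor:<8} x{count} {alert.src} -> {alert.dst} {alert.name}")
    print("confirmed:", [(a.ts, a.name) for a in confirmed_by_host(flow)])
    print("slow scans:", slow_scans(flow))
```

On the sample flow the three CGI probes collapse into one aggregated alert, the host event confirms them as a real compromise rather than a false positive, and the four SYNs spread over three hours surface as a single slow scan. Clock skew between sensors is the first thing that breaks this in practice, so correlation windows must be wider than the worst skew you tolerate.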

Remaining problems: a reactive, automated filter updating process => by outsourcing IDS management to a specialized entity; alert-flow correlation: we are now working on it! Conclusion: intelligent data and alert-flow processing is the future of IDSs.