Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intrusion Detection.

Published bySuharto Iskandar Modified over 5 years ago

Similar presentations

Presentation on theme: "Intrusion Detection."— Presentation transcript:

1 Intrusion Detection

2 What is Intrusion Literal meaning: The definition of an intrusion is an unwelcome interruption or a situation where somewhere private has an unwelcome visit or addition. Computer security: To compromise a computer system by breaking the security of such a system or causing it to enter into an insecure state.

3 Principles Characteristics of Computer system that are not under attack The actions of users and processes generally conform to a statistically predictable pattern. A user who does only word processing when using the computer is unlikely to perform a system maintenance function. The actions of users and processes do not include sequences of commands to subvert (threaten) security policy of the system. In theory, any such sequence is excluded; in practice, only sequences known to subvert the system can be detected. The actions of processes conform to a set of specifications describing actions that the processes are allowed to do (or not allowed to do).

4 Principles Computer under attack (intrusion) fail to meet at least one of the previous characteristics. Basic Detection: Characteristics listed above guide the detection of intrusion.

5 Attack tools and intrusion detection system
An attack tool is automated script designed to violate a security policy An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces electronic reports to a management station. How IDS is different to firewall?

6

7 Goal of IDS Detects Wide variety of intrusions
Inside / outside, virus, worms, Trojan horse, keylogger Detects intrusions in a timely fashion Timely – not necessarily in real time. Real time intrusion detection raise the issue of responsiveness. Delay on intrusion detection probably useless Present the analysis in a simple, easy-to-understand format Be accurate False Positive - reports attracts but no attack False Negative – fail to report attack when no attack

8 Model Different models Can be adaptive or static Other basic
Adaptive: That alter their behavior on the basic of system states or condition Static: Initialized from collected data and do not change Other basic Anomaly Modeling Misuse Modeling Specification Modeling

9 Anomaly Modeling Analyzes a set of characteristics of the system and compares their behavior with a set of expected values. Use the assumption that unexpected behavior is evidence of an intrusion Eg: Microsoft windows lock user out after some number n of fail login attempts ATM blocks user account with n number of attempts

10 Misuse Modeling Misuse detection determines whether a sequence of instructions being executed is known to violate the site security policy being executed. If so, it reports a potential intrusion, Requires a knowledge of system vulnerabilities we define abnormal system behavior at first, and then define any other behavior, as normal behavior.  In other words, anything we don't know is normal.

11 Specification Modeling
Specification-based detection determines whether or not a sequence of instructions violates a specification of how a program, or system, should execute. If so, it reports a potential intrusion. How different than previous two model Anomaly detection : Art of looking for unusual states Misuse detection: Art of looking for states known to be bad Specification detection: it looks state known not to be good. When system enters such state it reports possible intrusion

12 Architecture IDS is like automated auditing mechanism
Consists three parts Agents: Corresponds to logger. It acquires information from a target (such as computer system) Director: Corresponds to analyzer. It analyze the data as required. Then pass information to the notifier Notifier: determines whether and how to notify the necessary entity

13 Architecture

14 Agent Obtain information from data source
Source may be log file, another process or a network Acquired information is sent to director Sometime preprocessing required to convert into specific format Example: Agent will sent time and location of fail login attempt to director. Director will wait for certain number of fail login attempt and may disable account

15 Agent: types Host-based information gathering
Usually use system and application logs to obtain record of events and analyze them to determine what to pass to the director Log may be security related or other log Network based information gathering Use variety of device and software to monitor network traffic It can detect network-oriented attack like denial of service, DNS poisioning May use network sniffing to read the network traffic

16 Agent: Types (2) Combined sources Aggregate of information needed
Collected both from host and network

17 Director Analyze the data from the agent as required
Director itself reduces the incoming log entries to eliminate unnecessary and redundant records Then use analysis engine to determine if an attack is underway May use any of, or a mixture of, several technique to perform its analysis Functioning of director is crucial to effectiveness of intrusion detection system  May use dedicated system

18 Notifier Notifier accepts information from the director and takes appropriate action Notify user if necessary May use graphical interface Graph showing spread of worms Red / Green signal to show under attack or not

19 Organization of IDS Can be organized in several ways
Three paradigm used along this slide to organize IDS 1st examine network traffic 2nd explore how to combine network and host sources 3rd distribute the director among multiple system

20 Monitoring Network Traffic for Intrusion: NSM
Develops a profile of expected usage of network and compares current usage with that profile Runs of local area network Measures network utilization and other characteristics It reports anomalous behavior over network Eg: NSM (Network Security Monitor) Monitors the source, destination and service of network traffic Provides graphical user display to enable the system security officer to see at a glance of the network

21 Combining Host and Network Monitoring: DIDS
Combines the abilities of NSM with intrusion detection monitoring of individual host Motivation: neither network-based nor host-based is sufficient Eg: Intruder attempting to log on system with out password wont be detected be network based monitoring Intruder using network to use resources wont be detected by host-based monitoring Distributed Intrusion Detection System (DIDS), created in 1991 in University of California is the example Used network identification number (NID) to identify user

22 Autonomous Agents: AAFID
Previous two model has single point to failure i.e. director Solution: Partition the IDS into multiple components that function independently of one another and yet communicate to correlate information Eg: Autonomous agents for intrusion detection (AAFID) All modern IDS use this approach

23 Intrusion Response Once an intrusion is detected, how can the system protected? Intrusion Response deals with this problem Its goal is to handle the attempted attack in such a way that the damage is minimized Responded in two ways Incident Prevention Intrusion Handling

24 Incident Prevention Intrusion attempts will be detected and stopped before they succeed. Involves closely monitoring the system and taking action to defeat the attack Eg: Lock the system after n number of unsuccessful login attempt Jailing of attacker Allows attacker to think that their attack have succeeded, but places them in a confined area in which their behavior can be controlled and even manipulated

25 Intrusion Handling Security policy of site is violated after intrusion
Handling the intrusion means restoring the system to comply with the site security policy AND Taking action against the attacker that the policy specifies Consists six phases

26 Six phases of intrusion handling
Preparation for an attack This step occurs before any attack are detected. It establishes procedures and mechanism for detection and responding to attacks. 2. Identification of an attack This triggers the remaining phase 3. Containment (Confinement) of attack [Containment = control] This step limits the damage as much as possible

27 Six phases of intrusion of detection
4. Eradication of the attack This step stop the attack and block further similar attacks 5. Recovery from the attack This step restores the system to a secure state (with respect to site security policy) 6. Follow-up the attack

28 Containment Phase Literal meaning: Control, Suppression
Means limiting the access of the attacker to system resources The domain of the attacker is reduced as much as possible Two approaches Passively Monitoring Constraining Access to prevent further damage [Damage: any action that causes system to deviate from secure state]

29 Containment phase (2) Passive monitoring
Simply records the attackers action for later use Do not interfere with the attacker It reveals information about attack, possibly, the goals of attackers Constraining access to prevent further damage Steps are taken to constrain the action of the attacker Protection domain of attacker is reduced

30 Eradication Phase Means stopping attack
Usual approach is to deny access to system completely or to terminate the processes involved in the attack (Such as terminating the network connection) Ensures that the attack does not immediately resume Common method for implementation blocking is to place wrapper around suspected target.

31 Follow-Up Phase In this phase system take some action external to the system against attacker Involves taking action against the attacker, identifying problem in the handling of the incident, and recording lesson learned Pursue some form of legal action Counterattacking – Two forms Legal mechanism: such as filing complaints, requires evidence Technical attack: damage the attacker seriously, discourage future attack

32 Consequence to be considered during counter attack
May harm the innocent party. Attacker may be the imposter May have side effect. The counterattack is antithetical to the shared use of a network (directly opposed or contrasted; mutually incompatible.) The counter attack may be legally actionable Counterattack conclusion: Exceptional circumstances, may be appropriate. In general it should be avoided

Download ppt "Intrusion Detection."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.

1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
seminar on Intrusion detection system

seminar on Intrusion detection system
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.

Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.
Network security policy: best practices

Network security policy: best practices
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.

1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
Engineering Security Requirement

Engineering Security Requirement
APA of Isfahan University of Technology In the name of God.

APA of Isfahan University of Technology In the name of God.
Intrusion Detection Dr. Gregory Vert. Intrusion Detection Definition: –Detection of an attack While it is going on Shortly after it has occurred.

Intrusion Detection Dr. Gregory Vert. Intrusion Detection Definition: –Detection of an attack While it is going on Shortly after it has occurred.

Similar presentations

Ads by Google