
1 Intrusion detection
Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant deviations.
Misuse detection models: compare a user’s session to known techniques used by attackers to penetrate a system.
The purpose of both is to reduce the amount of audit data that must be manually reviewed.

2 Intrusion Detection Expert System
IDES is a real-time system developed at SRI. (Its model has been used in other systems.)
IDES monitors external threats (users trying to penetrate the system) and internal threats (users trying to abuse their authorizations).
IDES is based on experience and learning from watching the system, not on fixed rules.
IDES learns the “normal” behavior of users (in order to learn what “abnormal” behavior is).

3 Intrusion Detection Expert System
Threats-behaviors relationships:
– Intrusion attempt: many login attempts.
– Masquerading: legitimate (but stolen) login followed by an abnormal usage pattern.
– Penetration by legitimate users: trying to circumvent the security controls; if successful, they run commands that are normally forbidden, and this behavior is then detected.
– Spreading of data by authorized users: user logs in at abnormal times, performs many reads, uses printers more, prints more copies, etc.

4 Intrusion Detection Expert System
Threats-behaviors relationships:
– Inference by authorized users: confidential data is obtained by aggregation or inference. This probably involves abnormal frequency and type of queries.
– Trojan Horses: an inserted or substituted program probably exhibits different usage of resources.
– Viruses: cause increased frequency of writing to executable files.
– Denial of service: intruder locks a resource, and exhibits a high activity rate for that resource.

5 Intrusion Detection Expert System
Metrics:
– Event counter: the “normal” frequency (time dependent) of different types of events is characterized, in order to detect abnormal usage.
– Time interval: the “normal” time interval between correlated events is computed, to detect abnormal (most likely short) intervals.
– Resource measurement: the “normal” use of resources of each type of action is computed. Abnormal use of resources can then be detected.

6 Intrusion Detection Expert System
Statistical models:
– Operational model: compare observations to a threshold determined by an expert.
– Average and standard deviation model: detect deviation beyond the standard deviation.
– Multivariate model: finds deviations in the correlation between two or more metrics.
– Markovian model: uses types of events as state variables and a state transition matrix to characterize the frequencies of transitions.
– Time series model: uses event counters, measurement of resources and interval times.

7 Intrusion Detection Expert System
Login and session activity profiles:
– Login frequency: detect logins at abnormal times or frequency.
– Location frequency: detect logins from locations never used by this user.
– Last login: useful to detect intrusion threats through “dead” accounts.
– Session duration: detect abnormally short or long sessions.
– Session output: detect sessions in which more output is generated than usual.

8 Intrusion Detection Expert System
Login and session activity profiles:
– CPU per session, I/O per session: use the standard deviation method to find abnormal resource usage.
– Password failures: count the number of password failures before a successful login.
– Location failures: record the locations from which failed logins are attempted.
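Two of the statistical models from slide 6 applied to the per-session measures of slide 8, as an added example that is not part of the presentation or of IDES itself: the average-and-standard-deviation model over a constructed session history, and the Markovian model (state transition matrix over event types) over constructed audit-event sequences. All data values, thresholds and function names are assumptions made for the illustration.

```python
from statistics import mean, stdev

# Constructed history of one user's past sessions (CPU seconds, I/O operations,
# session duration in minutes); sample data, not IDES's own.
HISTORY = [
    {"cpu": 10.0, "io": 300, "duration": 50},
    {"cpu": 12.0, "io": 320, "duration": 60},
    {"cpu": 14.0, "io": 340, "duration": 70},
    {"cpu": 12.0, "io": 320, "duration": 60},
]

def build_profile(sessions, metrics=("cpu", "io", "duration")):
    """Average-and-standard-deviation model: (mean, sd) per metric."""
    return {m: (mean([s[m] for s in sessions]), stdev([s[m] for s in sessions]))
            for m in metrics}

def deviations(profile, session, k=2.0):
    """Metrics of the current session more than k standard deviations from
    the profile mean, mapped to the number of deviations observed."""
    flagged = {}
    for m, (mu, sigma) in profile.items():
        if sigma == 0:  # constant history: any change at all is abnormal
            z = 0.0 if session[m] == mu else float("inf")
        else:
            z = abs(session[m] - mu) / sigma
        if z > k:
            flagged[m] = round(z, 2)
    return flagged

def transition_matrix(sequences):
    """Markovian model: P(next event | current event) from normal sessions."""
    counts = {}
    for seq in sequences:
        for cur, nxt in zip(seq, seq[1:]):
            counts.setdefault(cur, {}).setdefault(nxt, 0)
            counts[cur][nxt] += 1
    return {cur: {nxt: n / sum(row.values()) for nxt, n in row.items()}
            for cur, row in counts.items()}

def rare_transitions(matrix, seq, floor=0.05):
    """Transitions of the current session the model rates below `floor`
    (a transition never seen in the history scores 0.0)."""
    return [(cur, nxt) for cur, nxt in zip(seq, seq[1:])
            if matrix.get(cur, {}).get(nxt, 0.0) < floor]

NORMAL_SEQUENCES = [  # constructed audit-event sequences for the same user
    ["login", "read", "read", "write", "logout"],
    ["login", "read", "write", "logout"],
    ["login", "read", "read", "read", "logout"],
]
```

A session with 45 CPU seconds against this history is flagged on the CPU metric only, and a sequence that goes straight from login to write and then delete is reported as three transitions the profile has never seen.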

9 Intrusion Detection Expert System
Command and program execution profiles:
– Execution frequency: for one user, to detect attempts to break security; for all users, to detect a Trojan Horse attack.
– CPU per program, I/O per program: to detect viruses or Trojan Horses.
– Denied executions: find users trying to execute a program they are not authorized for.
– Saturation of program resources: detect that a program often terminates abnormally; this could be an attempt to use abnormal termination as a covert channel.

10 Intrusion Detection Expert System
File or record access profiles:
– Read, write, create and delete frequency: anomalies in create/delete or read/write operations may indicate inference attempts or penetration by a user who does not normally have that access.
– Read/written records: number of different records read or written.
– Read/write/delete/create failures: user may be attempting something but (still) failing.
– File resource exhaustion: such failures may again indicate failures being used as a covert channel.

11 Intrusion Detection Expert System
IDES has been implemented using Oracle for management of all IDES information.
IDES runs on a different machine from the one with the “main” database:
– Performance: the presence of IDES does not increase the response time of the database system.
– Security: IDES can be protected from the monitored system.
– Integration: IDES can be easily adapted to different environments and integrated with various types of host systems.

12 Other Intrusion Detection Systems
– The Haystack system: developed for the US Air Force computer systems (not specifically to audit databases).
– The Multics Intrusion Detection and Alerting System (MIDAS): expert system developed for the US National Computer Security Center Multics-based network.
– Wisdom and Sense anomaly detection system: developed at Los Alamos National Laboratory.

