
1 A survey of commercial tools for intrusion detection
  1. Introduction
  2. Systems analyzed
  3. Methodology
  4. Results
  5. Conclusions
  Cao er Kai, INSA lab, 2003.09

2 1. Introduction
  Intrusion Detection Systems: generic ID architecture
  Common Intrusion Detection Framework (CIDF), DARPA (Defense Advanced Research Projects Agency)
  - Event generators (E-boxes)
  - Event analyzers (A-boxes)
  - Event databases (D-boxes)
  - Event response units (R-boxes)

3 - Event generators: obtain information from sources and transform it into a standard format (gido)
  - Event analyzers: statistical analysis and pattern-recognition searching
  - Event databases: storage of events and information (gidos)
  - Response units: initiate the proper response
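An added example (not from the presentation) that shows the four CIDF box roles as a small Python pipeline over constructed ssh audit lines: the E-box normalises raw lines into a common event format, the A-box applies one rule-based and one anomaly-based (threshold) check, the D-box stores events and alerts, and the R-box emits passive notifications. The function names, the log format, the "root login" rule and the failure threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed syslog-style audit records for the example (not from the presentation).
RAW_LOG = [
    "Sep 12 10:00:01 host1 sshd[211]: Failed password for root from 10.0.0.5 port 5001",
    "Sep 12 10:00:02 host1 sshd[212]: Failed password for root from 10.0.0.5 port 5002",
    "Sep 12 10:00:03 host1 sshd[213]: Failed password for admin from 10.0.0.5 port 5003",
    "Sep 12 10:00:04 host1 sshd[214]: Accepted password for alice from 10.0.0.7 port 5004",
    "Sep 12 10:00:05 host1 cron[300]: (root) CMD (run-parts /etc/cron.hourly)",
]
LINE_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def e_box(raw_lines):
    """Event generator: turn raw audit lines into a common event format (a gido stand-in)."""
    events = []
    for line in raw_lines:
        m = LINE_RE.search(line)
        if m:  # lines the source-specific parser does not understand are dropped
            events.append({"outcome": m.group(1).lower(), "user": m.group(2), "src": m.group(3)})
    return events

def a_box(events, threshold=3):
    """Event analyzer: one rule-based check and one simple anomaly (threshold) check."""
    alerts, failures = [], defaultdict(int)
    for ev in events:
        if ev["user"] == "root":  # rule-based: a known misuse pattern
            alerts.append(("rule", "root-login-attempt", ev["src"]))
        if ev["outcome"] == "failed":  # anomaly-based: failure count per source exceeds the site norm
            failures[ev["src"]] += 1
            if failures[ev["src"]] == threshold:
                alerts.append(("anomaly", "failed-login-burst", ev["src"]))
    return alerts

def d_box(store, events, alerts):
    """Event database: keep events and alerts for later analysis and reporting."""
    store["events"].extend(events)
    store["alerts"].extend(alerts)
    return store

def r_box(alerts):
    """Response unit in passive mode: produce notifications instead of acting on the network."""
    return [f"ALERT[{kind}] {name} from {src}" for kind, name, src in alerts]

def run_ids(raw_lines):
    """Run the E -> A -> D -> R chain and return the store and the notifications."""
    store = {"events": [], "alerts": []}
    events = e_box(raw_lines)
    alerts = a_box(events)
    return d_box(store, events, alerts), r_box(alerts)
```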

4 (no transcript text for this slide)

5 2. Systems analyzed

6 3. Methodology
  Comparison criteria
  - Granularity of data processing
  - Source of audit data (raw events)
    - network-based: Ethernet (sees all traffic), IPSEC
    - host-based: security logs
  - Detection method
    1. rule based
    2. anomaly based
  - Response to detected intrusions: passive, active

7 - System organization
    - Centralized: data analysis
    - Distributed: data collection
  - Security: withstand attacks against itself
  - Degree of interoperability
    - Exchange of audit data records
    - Exchange of misuse patterns or statistical information about user activities
    - Exchange of alarm reports and event notifications
  - Manageability: HP OpenView, BMC Patrol
  - Adaptivity
  - System and network infrastructure requirements: TCP/IP

8 Classification of comparison criteria

9 4. Results
  Functional aspects
  - Granularity of data processing: real-time; T-Sight
  - Source of audit data (raw events)
    - host-based (H)
    - both host-based and network-based (NW/H)
    - network-based (NW): switched networks, network encryption
  - Response to detected intrusions
    - Passive responses: sending e-mails, paging or displaying alert messages
    - Active responses
      - network-based systems: terminating transport-level sessions
      - host-based systems: control processes, terminate network sessions
      - interfaces to network management applications: SNMP (send traps)
      - interfaces to network elements: firewall control of sessions/connections
    - Service availability aspects
    - Legal aspects: "returning fire"

10 Degree of interoperability
  1. Exchange of audit data records
  2. Exchange of security policies
  3. Exchange of misuse patterns or statistical information about user activities
  4. Exchange of alarm reports, event notifications and response mechanisms

11 (no transcript text for this slide)

12 Adaptivity (customization)
  - Adding new intrusion patterns
  - Adapting rules for site-specific protocols and applications
  Detection method
  - Rule-based detection
  - Anomaly-based detection
  Detection capabilities
  - Physical and data-link layer
  - Network and transport layer
  - Operating systems
  - Applications, databases, management and support systems, office automation

13 (no transcript text for this slide)

14 (no transcript text for this slide)

15 Security aspects
  1. Confidentiality of audit data
  2. Integrity of audit data: using encryption
  3. Confidentiality of the detection policy
  4. Integrity of the detection policy
  5. Protection of response mechanisms
  6. Availability
  - Encrypted communication channels
  - Heartbeat functions
  - Stealth behavior
  - Access control
  Weaknesses of network-based systems

16 Architectural aspects
  System organization
  - distributed environment
  - single host or network segment
  System and network infrastructure requirements
  - Operating systems
  - Network technology

17 (no transcript text for this slide)

18 (no transcript text for this slide)

19 Operational aspects
  Performance aspects
  - Communication overhead: in network-based intrusion detection, the overhead is caused by the distribution of audit data and the communication between the various subsystems of the IDS.
  - Computational overhead: host-based IDS execute on, and collect audit data from, the target they monitor.

20 Management aspects
  - Configuration management: management of the detection capability and the corresponding response mechanisms
  - Security management
    - Access security
    - Audit trails and security alarms
  - Security of management
    1. Authenticity
    2. Integrity
    3. Confidentiality
    4. Availability
  - Management interfaces
  - Management model: many-to-many, one-to-many, one-to-one

21 5. Conclusions
  - The role of IDS in corporate security infrastructures: IDS are not a substitute for other security services such as firewalls, authentication servers, etc.
  - Host-based versus network-based IDS
  - Security of IDS
  - Lack of modularity and interoperability
  - Background of vendors

22 RealSecure

23 Architecture: RealSecure Engines
  - Network interface: Ethernet, Fast Ethernet, FDDI and Token Ring
  - Packet Capture Module
    - Windows NT: network service
    - Solaris: Data Link Provider Interface
  - Filter Module
  - Attack Recognition Module
  - Response Module

24 RealSecure
  - RealSecure Agents
  - RealSecure Manager: central real-time alarm, central data management, central engine configuration

25 Intruder Alert

26 Architecture
  - Interface console
  - Manager (interface console and manager run only on Windows NT/95)
  - Agents

27 Intruder Alert
  - Intruder Alert Domains: groups of agents/hosts
  - Intruder Alert Policies
    - Drop & Detect policies
    - Detect and Respond policies
    - Custom-configurable policies
    - Carte Blanche

28 NetRanger

29 Architecture
  - Sensors: Ethernet, Fast Ethernet, Token Ring and FDDI
  - Director
  - Post Office

30 Stake Out I.D

31 Architecture
  - Network Observation
  - Intrusion Detection
  - Evidence Logging
  - Alert Notification
  - Incident Analyzer/Reporter

32 Kane Security Monitor

33 Architecture
  - Monitoring Console
  - Collection Auditor and Alerting Engine
  - Intelligent Agents

34 Session Wall-3

35 Architecture
  - Network Usage Reporting
  - Network Security
  - WEB and Internal Usage Policy Monitoring and Controls
  - Company Preservation

36 Entrax

37 Architecture
  - Command Console
  - Assessment Manager
  - Alert Manager
  - Detection Policy Editor
  - Audit Policy Editor
  - Collection Policy Editor
  - Report Manager
  - Target Agent

38 CMDS (Computer Misuse Detection System)

39 SecureNET PRO

40 CyberCop

41 Architecture
  - CyberCop Sensors
  - CyberCop Management Server

42 INTOUCH INSA

43 T-sight

44 NIDES

45 ID-Trak

46 SecureCom

47 POLYCENTER

48 Network Flight Recorder