
IIT Indore © Neminath Hubballi

Presentation on theme: "IIT Indore © Neminah Hubballi"— Presentation transcript:

1 Intrusion Detection
Dr. Neminath Hubballi, IIT Indore

2 Intrusion
- When a user of an information system takes an action that the user is not legally allowed to take, it is called an intrusion.
- It attempts to compromise the Confidentiality, Integrity and/or Availability of a system resource.
- Intrusion detection is a second line of defense; the first one is the intrusion prevention system.
- It can identify classes of intruders:
  - Spoofing
  - Illegal logins
  - Worm propagation

3 Intrusion Detection
- Intrusion detection: monitor the system execution for security violations and take corrective measures when a violation is detected.
- It involves determining that some entity has attempted, or worse, gained access to system resources in an unauthorized way.

4 IDS Taxonomy
- Detection method (characteristics of the analyzer):
  - Behavior based: uses information about normal behavior.
  - Knowledge based: uses information about attacks.
- Behavior on detection (the response of the system):
  - Passive alerting.
  - Active response.
- Audit source location:
  - Host log files.
  - Network packets.
- Usage frequency:
  - Continuous monitoring.
  - Periodic monitoring.

5 Host Based IDS
- Concerned with the security of a single machine.
- Typically works by detecting changes to the file system and other key data structures.
- Uses the system's log information for analysis. Ex: syslog.
- With some modification to the OS kernel, the IDS can be made to look into system calls and model them for intrusion detection.
- Tripwire is an example of this kind.

6 State Modeling
- Encodes the behavior as a set of states. An action in the system triggers the movement to the next state.
- The state of a system is a function of all the users, processes, and data present at a given time.
- The system starts in a state representing normal behavior, and each illegal event takes it towards the state representing the intrusion.

7 State Modeling: Generic State Transition Diagram
(Diagram slide: generic state transition diagram; the image is not part of the transcript.)

8 Signature Based Detection
General view (diagram): Network -> NIDS Sensor -> Packets -> Analysis Backend (consults the Signature Database) -> Alerts

9 Rule-Based Intrusion Detection
Snort and Bro
Ex 1:
    log tcp any any -> /24 !6000:6010
Ex 2:
    alert icmp any any -> any any (msg: "Ping with TTL=100"; \
        ttl: 100;)
Ex 3:
    alert ip any any -> /24 any (content-list: \
        "porn"; msg: "Porn word matched";)
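To show how a signature-based engine evaluates rule headers like Ex 1 and Ex 2 above, here is an added example (not code from the slides, Snort or Bro): a small matcher that parses a Snort-style rule, applies the CIDR, port-range and `!` negation semantics, and checks the `ttl` option against a constructed packet. The destination network `10.0.0.0/24` used in the test is a constructed stand-in for the address the transcript dropped before `/24`; the `content-list` option of Ex 3 refers to an external file and is not handled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed packet model: only the header fields the slide's rules inspect.
@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int = 64

def parse_rule(text):
    """Split a Snort-style rule into its header fields and its key:value options."""
    head, _, body = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = head.split()
    opts = {}
    for item in body.rstrip(")").split(";"):
        key, _, val = item.partition(":")
        if key.strip():
            opts[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def _addr_ok(spec, addr):
    """'any', a CIDR block, or a '!'-negated CIDR block."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negated

def _port_ok(spec, port):
    """'any', one port, a lo:hi range, or the '!'-negated form used in Ex 1 (!6000:6010)."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    lo, sep, hi = spec.lstrip("!").partition(":")
    hit = int(lo or 0) <= port <= int(hi or 65535) if sep else port == int(lo)
    return hit != negated

def rule_matches(rule, pkt):
    """Header must match ('ip' rules cover every protocol); a ttl option must match exactly."""
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    header_ok = (_addr_ok(rule["src"], pkt.src) and _port_ok(rule["sport"], pkt.sport)
                 and _addr_ok(rule["dst"], pkt.dst) and _port_ok(rule["dport"], pkt.dport))
    return header_ok and ("ttl" not in rule["opts"] or pkt.ttl == int(rule["opts"]["ttl"]))
```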

10 Anomaly Detection
- Builds models of normal behavior and automatically detects any deviation from them.
- Collect data and determine the pattern of the legitimate user.
- Threshold detection: define thresholds for the frequency of occurrence of events.
- Profile based detection: develop a profile of activity for each user.

11 Anomaly Detection Methods
- Statistical approach: a simple statistical count of activities decides the boundary between normal and abnormal.
- A relatively old IDS technique; it gives only a vague definition of system behavior but is still relevant.
- Produces many false alarms if the system behavior changes frequently.

12 Anomaly Detection Methods (cont.)
Machine learning techniques:
- Classification: decision tree, SVM, neural network, fuzzy logic, etc.
- Clustering: based on the assumption that normal and abnormal behaviors fall into two different clusters, so grouping them is very easy.
- Hybrid: combining different classification techniques with the ambitious objective of achieving better classification efficiency.

13 IDS Terminology
- True Positive (TP): the attack succeeded and the IDS detected it (Success & Detection)
- True Negative (TN): the attack failed and the IDS did not report it (¬Success & ¬Detection)
- False Positive (FP): the attack failed but the IDS reported it (¬Success & Detection)
- False Negative (FN): the attack succeeded but the IDS did not detect it (Success & ¬Detection)

14 Performance Metrics for IDS
- Accuracy: proper detection of attacks and absence of false alarms
- Performance: the rate at which traffic and audit events are processed
  - To keep up with traffic, it may not be possible to place the IDS at the network entry point
  - Instead, place multiple IDSs downstream
- Fault tolerance: resistance to attacks
  - The IDS should run on a single hardened host that supports only intrusion detection services
- Timeliness: time elapsed between intrusion and detection

15 Characterizing the IDS
- Effectiveness
- Efficiency
- Ease of use
- Security
- Interoperability

16 Base Rate Fallacy
Hypothesize a figurative computer network with:
- Tens of workstations
- A few servers
- A few dozen users
- Audit records per day: (count not captured in the transcript)
- 1 or 2 attempted attacks per day
- 10 audit records per attack

17 Bayesian Detection Rate
- True positive rate:
- False positive rate:
- False negative rate:
- True negative rate:
- Our interest is the Bayesian detection rate:
- Absence of an alarm, i.e., nothing to worry about:
(The formulas on this slide are not captured in the transcript.)

18 Bayesian Detection Rate
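The base rate fallacy of slides 16 and 17 worked through in code, as an added example that is not part of the lecture: P(I) is the fraction of audit records that are intrusive, tpr is P(A|I), fpr is P(A|¬I), and Bayes' rule gives the Bayesian detection rate P(I|A) and its counterpart P(¬I|¬A). The scenario values (2 attacks a day, 10 records each, 1,000,000 audit records a day) are assumptions; the transcript gives the first two but not the daily record count.

```python
def detection_rates(intrusive_records, total_records, tpr, fpr):
    """Bayes' rule over the four rates of slide 17.

    intrusive_records / total_records is the base rate P(I);
    tpr is P(A|I) and fpr is P(A|not I).
    """
    p_i = intrusive_records / total_records            # P(I), the base rate
    p_ni = 1.0 - p_i                                   # P(not I)
    p_alarm = p_i * tpr + p_ni * fpr                   # P(A) by total probability
    p_quiet = p_i * (1.0 - tpr) + p_ni * (1.0 - fpr)   # P(not A)
    return {
        "base_rate": p_i,
        # P(I|A): how often an alarm really is an intrusion (Bayesian detection rate)
        "bayesian_detection_rate": p_i * tpr / p_alarm,
        # P(not I|not A): how safe "no alarm" is
        "quiet_is_safe": p_ni * (1.0 - fpr) / p_quiet,
        "alarms_per_day": total_records * p_alarm,
        "false_alarms_per_day": total_records * p_ni * fpr,
    }


def base_rate_table(intrusive_records, total_records, tpr, fprs):
    """P(I|A) for each candidate false positive rate: the fallacy made visible."""
    return [(fpr, detection_rates(intrusive_records, total_records, tpr, fpr)
             ["bayesian_detection_rate"]) for fpr in fprs]


if __name__ == "__main__":
    # Constructed scenario: 2 attacks/day x 10 audit records each (from slide 16)
    # against an ASSUMED 1,000,000 audit records/day (figure not in the transcript).
    for fpr, bdr in base_rate_table(20, 1_000_000, 1.0, (1e-5, 1e-4, 1e-3, 1e-2)):
        print(f"FPR={fpr:.0e}  P(I|A)={bdr:.4f}")
```

Even with a perfect true positive rate, a false positive rate of 0.1% leaves only about 2% of alarms corresponding to real intrusions, because the intrusive records are so rare.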

19 IDS Historical perspective
