Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer System Intrusion Detection: A Survey Anita K. Jones & Robert S. Sielken Presented by Peixian Li (Rick) For CS551/651 Computer Security.

Published byAlexia Lamb Modified over 9 years ago

Similar presentations

Presentation on theme: "Computer System Intrusion Detection: A Survey Anita K. Jones & Robert S. Sielken Presented by Peixian Li (Rick) For CS551/651 Computer Security."— Presentation transcript:

1

2 Computer System Intrusion Detection: A Survey Anita K. Jones & Robert S. Sielken Presented by Peixian Li (Rick) For CS551/651 Computer Security

3 Overview Why IDS IDS Overview Anomaly Detection UNM Pattern Matching Misuse Detection Extended to Networked Systems Conclusion

4 Why IDS ? In defending network resources, we have –Firewalls –Encryption technology –Authentication devices –Vulnerability checking tools –Others …

5 Why IDS ? -2- But computer system is still susceptible –Due to unknown system flaws –Due to known system flaws better stay than gone because of functionality or cost. –Due to social engineering tricks A recent news –An 18 year old boy broke into a eCom web site –Thousands customer's credit info was stolen –Including Bill Gates’

6 Why IDS ? -3- Based on the fact that –Penetrations always exist We need –A second line of defense –A mechanism to detect the penetrations and the attempting intrusions –Which is in the form of an Intrusion Detection System Even attempts are guaranteed to fail –IDS can still help us to find out potential vulnerabilities

7 Approaches Anomaly Detection –Defines and Characterizes correct static form and acceptable dynamic behavior –Detects anomalous changes or behaviors which may not be intrusions Misuse Detection –Characterizes known ways to penetrate a system as patterns –Monitors for explicit patterns which are known to be intrusions

8 Anomaly vs. Misuse Anomaly Detection –May have high rate of false alarms –Can detect novel attacks –Normal databases are relatively more stable Misuse Detection –May miss novel attacks –Complexity grows as the number of well- known attacks grows –Difficult to keep them updated as the catalog of attacks grows

9 Three Generations First Generation –The emphasis was on single computer systems –O/S audit records were post-processed Second Generation –Extended and scaled to address distributed system. –More sophisticated –Primitive real-time alerts became possible

10 Three Generations -2- The Third Generation –Further extended to address loosely coupled networks, such as LAN Two Primary Challenges –Tracking users as they move through nodes –Managing the data as the size of the network scales up

11 What Makes A Good IDS ? Manage the volume of data, communications, and processing in large scale networks Increase coverage, i.e. miss ALAP Decrease false alarms Detect intrusion in progress React in real-time

12 Basic Components Focus –Which entity’s self or which elements of the entity do we try to focus on –Definitions of events or behavior of interest Representation –How to represent signatures effective and efficient

13 Basic Components -2- Initial Database –Initial behavior profile or normal database –Which can characterize behavior of interest –Which can represent entity of interest Detection Algorithm –Statistical processing techniques for divining the difference between normal and anomalous behavior (effective and efficient)

14 Anomaly Detection Static –Assume that a portion of the system remain constant –System code and portion of system data –Represented as a binary bit string or a set of such string –A single bit change Dynamic –Assume that system’s behavior is stable –Include a definition behavior –Represented as a sequence of distinct events –Empirical threshold

15 Static Anomaly Detection How does it work? –Defines the desired state of the system using static bit strings –Archives a representation of the state –Periodically compares the current state and the archived state –Any difference signals an error

16 Signature Storing and comparing actual bit strings representation is quite costly Compressed representation is called signature Signatures include checksums, message- digest algorithms and hash functions Meta-data: knowledge about the structure

17 Some Actual Systems Tripwire –A file integrity checker –Uses signatures as well as Unix file meta-data Virus Checkers –Uses actual bit string inserted by the virus –Strings are short, thus uncompressed Self-Noself –Unlike Tripwire, the Self-Nonself signatures are for unwanted string values

18 Dynamic Anomaly Detection Before Running For each individual entity, IDS creates a base profile to characterize normal, acceptable behavior –Entities can be: users, workstations, remote hosts, or applications –Behaviors can be: preferred choices, resources consumed, representative sequences of actions

19 Dynamic Anomaly Detection -2- Two ways to build up base profiles –By synthetically running the system Can it represents the real system? –By observing normal user behavior over a sufficiently long time Can we be sure that no intrusion undertaking during the period of time?

20 Dynamic Anomaly Detection -3- When Running Observes events related or attributed to the entity Incrementally builds a current profile Some operate in real-time, or near real-time, or directly observe the events during occurrence

21 Dynamic Anomaly Detection -4- Static detections do not care the degree of the difference Dynamic detections do care Comparison is based on empirically determined thresholds Only those mismatch over the thresholds will result in alert

22 UNM Pattern Matching Focus –Individual application and its behavior –E.g. Sendmail Representation –Uses privileged system call sequences to represent an application’s behavior –E.g. (open, read, mmap), (read, mmap, mmap)… –Sequence length usually between 3 to 6

23 UNM Pattern Matching -2- Initial Database –Built either by synthetically running the application or by observing its real running –Normal sequences are stored as forest in normal database to save space Detection Algorithm –Largest Minimum Hamming Distance –Normalized LMHD –Local Frame Count

24 UNM Pattern Matching -3-

25 UNM Pattern Matching -4- 1.sendmai 2.ftpd 3.lpr 4.ps

26 UNM Pattern Matching -5-

27 Misuse Detection Remember known technique Monitor the system if any of those known technique presents Intrusion scenario – A description of a fairly precisely know kind of intrusion which usually a sequence of actions

28 Rule-Based vs. State-Based Rule-Based –Encode scenarios as a set of rules, where rules reflect the sequence of actions –Fact base is a collection of assertions based on accumulated data –Rule base contains the rules that describe known intrusion scenarios –Rule-face binding –Rule firs State-Based –Attribute-value pairs characterize systems states of interest –Actions are defined as transitions between states –Monitor the actions and then change the state –If compromised state reached, the intrusion happens

29 Extended to Networked Systems New situations –Cooperative intrusions are more frequent –Intruder(s) use multiple nodes in an attempt to Parallel actions to make intrusion faster Distribute actions to disguise their activities New elements in Network IDS –Include network traffic as part of behavior –Data sharing and communication

30 Centralized vs. Decentralized Centralized Analysis –Audit data is collected on individual systems –Reported to some centralized location –Intrusion detection analysis is performed there –Don’t work well for large network due to sheer volume of data –Need data translation in heterogeneous systems Decentralized Analysis –Distributed audit data collection –Distribute intrusion detection analysis –Works well for large networks because less data shared between different components –Can eliminate translation problem by grouping homogeneous systems

31 Partition In decentralized system, entire system is divided into smaller domains for the purpose of communication Partition can base on –Geography –Administrative control –Collections of similar software platforms –Anticipated types of intrusions Still centralized within a domain

32 Vulnerabilities Intrusion detection software themselves are not inherently survivable and need protection also Initialization will be flawed if the intrusions are present Audit data must be timely available IDS should not compete resource with the rest of the system

33 Conclusion Why IDS The generations of IDS What makes a good IDS Basic components of an IDS Different approaches used in IDS Exam how the UNM pattern matching works with How IDS extended for networked systems What is the vulnerabilities of IDS

Download ppt "Computer System Intrusion Detection: A Survey Anita K. Jones & Robert S. Sielken Presented by Peixian Li (Rick) For CS551/651 Computer Security."

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Enhancing Security Using Mobile Based Anomaly Detection in Cellular Mobile Networks Bo Sun, Fei Yu, KuiWu, Yang Xiao, and Victor C. M. Leung. Presented.

Enhancing Security Using Mobile Based Anomaly Detection in Cellular Mobile Networks Bo Sun, Fei Yu, KuiWu, Yang Xiao, and Victor C. M. Leung. Presented.
Formal Methods for Intrusion Detection Presented by Brian Kellogg CSE 914: Formal Methods for Software Development Michigan State University December 11.

Formal Methods for Intrusion Detection Presented by Brian Kellogg CSE 914: Formal Methods for Software Development Michigan State University December 11.
1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.

1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
IDS/IPS Definition and Classification

IDS/IPS Definition and Classification
Managing Data Resources

Managing Data Resources
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Learning Classifier Systems to Intrusion Detection Monu Bambroo 12/01/03.

Learning Classifier Systems to Intrusion Detection Monu Bambroo 12/01/03.
Neural Technology and Fuzzy Systems in Network Security Project Progress 2 Group 2: Omar Ehtisham Anwar 2005-02-0129 Aneela Laeeq 2005-02-0023.

Neural Technology and Fuzzy Systems in Network Security Project Progress 2 Group 2: Omar Ehtisham Anwar Aneela Laeeq
Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
Intrusion Detection Systems By Ali Hushyar. What is an intrusion? Intrusion: “any action or set of actions that attempt to compromise the integrity, confidentiality.

Intrusion Detection Systems By Ali Hushyar. What is an intrusion? Intrusion: “any action or set of actions that attempt to compromise the integrity, confidentiality.
seminar on Intrusion detection system

seminar on Intrusion detection system
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Similar presentations

Ads by Google