Intrusion and intrusion detection Published online 27 July 2001 by John McHugh, © Springer-Verlag 2001 Presented by Po-yuan Peng.

1 Intrusion and intrusion detection Published online 27 July 2001 by John McHugh, © Springer-Verlag 2001 Presented by Po-yuan Peng

2 Summary of the paper
– Intrusions
– Detection models
– Approaches to intrusion detection

3 Intrusions
Attacking hardware flaws
– Multics – “a sequence of code … which would cause the hardware … to bypass access checking.”
– Exec-VIII – a bad assumption of an “immutable code segment”, which allowed an error handler in a user program to modify the core image of the re-entrant processor.
Using predefined accounts
– Default accounts shipped with the system and never changed, e.g. Login: system, Password: manager

4 Intrusions (2)
Viruses and worms
– Morris Worm – “… exploited a misconfiguration in the sendmail … also spread by overflowing … the finger daemon … used the trusted peer relationship … to spread itself as well.”
Exploiting buffer overflows
– The problem exists almost everywhere.
– One could easily gain superuser privileges.
– The procedure can be written as an automated script, so the attack needs no skill to repeat.

5 Detection models
Auditing
– 1950 to 1980
– Audit data analyzed by humans
Anomaly-based detection
– 1980 to 1990
– Uses profiles to characterize “normal behaviours”
– Statistical analysis + expert system

6 Approaches
Host-based data collection
– Selective vs. unselective logging of messages
– Choice of which items to record and at what level of detail
Network-based data collection
– Can be independent of the hosts being monitored

7 Approaches (2)
Anomaly-based detection
– Characterizes “normal behaviours”
– Brings novel attacks to attention
– Requires training data to build profiles
– Assumes anomalies equate to intrusions
– Assumes intrusions are unusual enough to permit detection
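As an added illustration of the anomaly-based approach summarized on slide 7 (this is example code written for this page, not code from McHugh's paper or from the slides), the following Python builds a per-user profile of “normal behaviour” from training sessions, scores each new session by how far it deviates from that profile, and raises an alert above a threshold. It also gives one concrete form to the “measure of difference” the question on slide 12 asks about. The user names, session records, the score (|z-score| of session size plus one point per never-seen command) and the threshold of 3.0 are all assumptions made for the example.

```python
"""Toy anomaly-based intrusion detector: learn per-user profiles from
training sessions, then flag sessions that deviate from the profile."""
import math
from collections import Counter

# Constructed training data (assumption): one record per login session as
# (user, number of commands run, set of distinct command names used).
TRAINING = [
    ("alice", 12, {"ls", "cd", "vim", "make", "git"}),
    ("alice", 15, {"ls", "cd", "vim", "make", "git", "grep"}),
    ("alice", 10, {"ls", "cd", "vim", "git"}),
    ("alice", 14, {"ls", "cd", "make", "git", "grep"}),
    ("alice", 11, {"ls", "cd", "vim", "make"}),
    ("bob", 40, {"ls", "cd", "psql", "vim", "less"}),
    ("bob", 35, {"ls", "psql", "less"}),
    ("bob", 45, {"cd", "psql", "vim", "less"}),
    ("bob", 38, {"ls", "psql", "less", "grep"}),
    ("bob", 42, {"ls", "cd", "psql", "less"}),
]

# Constructed sessions to score; the comment says what a human would call them.
OBSERVATIONS = [
    ("alice", 13, {"ls", "cd", "vim", "git"}),                   # normal
    ("alice", 90, {"ls", "wget", "gcc", "chmod", "./exploit"}),  # intrusion
    ("bob", 41, {"ls", "psql", "less"}),                         # normal
    ("alice", 12, {"ls", "cd", "vim", "git", "nc"}),             # quiet intrusion
    ("alice", 30, {"ls", "cd", "tar", "scp", "find"}),           # benign one-off backup
    ("mallory", 5, {"ls"}),                                      # user with no profile
]


def build_profiles(records):
    """Profile per user: mean and standard deviation of session size plus the
    vocabulary of commands seen in training.  This is the slide's
    "characterization of normal behaviour", estimated from a sample."""
    grouped = {}
    for user, n_cmds, cmds in records:
        entry = grouped.setdefault(user, {"sizes": [], "vocab": Counter()})
        entry["sizes"].append(n_cmds)
        entry["vocab"].update(cmds)
    profiles = {}
    for user, entry in grouped.items():
        sizes = entry["sizes"]
        mean = sum(sizes) / len(sizes)
        var = sum((s - mean) ** 2 for s in sizes) / len(sizes)
        # Guard against a zero std-dev when all training sessions are identical.
        profiles[user] = {"mean": mean, "std": math.sqrt(var) or 1.0,
                          "vocab": set(entry["vocab"])}
    return profiles


def deviation(profiles, user, n_cmds, cmds):
    """Distance of one session from the user's profile: |z-score| of the
    session size plus one point per command never seen in training.  A user
    without a profile cannot be compared at all and gets an infinite score."""
    profile = profiles.get(user)
    if profile is None:
        return math.inf
    z = abs(n_cmds - profile["mean"]) / profile["std"]
    novel = len(set(cmds) - profile["vocab"])
    return z + novel


def detect(profiles, observations, threshold=3.0):
    """Return (user, score, flagged) per observation.  The threshold is where
    "unusual" is declared; 3.0 is an arbitrary choice for this example."""
    results = []
    for user, n_cmds, cmds in observations:
        score = deviation(profiles, user, n_cmds, cmds)
        results.append((user, round(score, 2), score > threshold))
    return results


if __name__ == "__main__":
    for user, score, flagged in detect(build_profiles(TRAINING), OBSERVATIONS):
        print(f"{user:8s} score={score:6.2f} {'ALERT' if flagged else 'ok'}")
```

Running it shows the two assumptions listed on the slide at work: the benign backup session is flagged because it is unusual, not because it is hostile (anomaly is taken to equal intrusion), while the quiet session that adds only one unseen command scores about 1.2 and slips under the threshold (the intrusion was not unusual enough). The profile is also estimated from five sessions per user, which is nowhere near the “complete characterization of the noise distribution” that the definition quoted on slide 11 assumes.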

8 Approaches (3)
Signature-based detection
– Describes abstract patterns that can be found in an attack
– Manifestations of a known attack can be deliberately diversified, which makes them hard to describe
– Can identify novel attacks if given a description at an appropriate level of abstraction
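As an added illustration of the signature-based approach on slide 8, using the two Morris worm manifestations quoted on slide 4 (the sendmail DEBUG command and an oversized request to the finger daemon), the following Python runs two sets of signatures over the same request lines: literal signatures copied from one known attack, and abstracted signatures that describe the attack's shape. This is example code written for this page, not code from McHugh's paper or the slides. The request lines are constructed, and the 512-byte length limit used for the finger signature is an assumption of the example, not a figure taken from the paper.

```python
"""Signature-based detection over request lines: literal signatures that match
one known manifestation versus abstracted signatures that match the attack."""
import re

# Constructed sample of request lines as (service, payload).
SAMPLE = [
    ("smtp", "HELO mailhost.example.org"),
    ("smtp", "DEBUG"),                            # classic manifestation
    ("smtp", "debug"),                            # same attack, lower case
    ("smtp", "  Debug "),                         # same attack, mixed case and padding
    ("smtp", "MAIL FROM:<debug@example.org>"),    # benign: the word is inside an address
    ("finger", "alice"),                          # benign finger query
    ("finger", "A" * 600),                        # overflow attempt with filler bytes
    ("finger", "\x90" * 536 + "\xeb\x1f"),        # different bytes, same shape
]


def naive_smtp(payload):
    """Literal signature: the exact string seen in the known attack."""
    return "DEBUG" in payload


def naive_finger(payload):
    """Literal signature: the filler bytes seen in the known attack."""
    return "A" * 100 in payload


def abstract_smtp(payload):
    """Abstracted signature: a DEBUG command in any case, with any surrounding
    whitespace, but only when it is the whole command line."""
    return re.fullmatch(r"\s*debug\s*", payload, re.IGNORECASE) is not None


def abstract_finger(payload):
    """Abstracted signature: any request longer than the daemon's input buffer
    (assumed to be 512 bytes here), regardless of which bytes it contains."""
    return len(payload) > 512


NAIVE = {"smtp": naive_smtp, "finger": naive_finger}
ABSTRACT = {"smtp": abstract_smtp, "finger": abstract_finger}


def scan(records, signatures):
    """Indices of records whose payload matches the signature for its service."""
    return [i for i, (service, payload) in enumerate(records)
            if service in signatures and signatures[service](payload)]


if __name__ == "__main__":
    print("literal signatures hit:   ", scan(SAMPLE, NAIVE))
    print("abstracted signatures hit:", scan(SAMPLE, ABSTRACT))
```

The literal signatures hit only the two lines they were copied from; the lower-case and padded DEBUG commands and the finger request with different shellcode bytes are the “deliberately diversified” manifestations the slide describes, and they pass. The abstracted signatures catch all of them, including a variant never seen when the rule was written, which is what “an appropriate level of abstraction” buys. The price is that the abstract rule still has to be specific enough not to fire on the benign address line that merely contains the word.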

9 Appreciation
The description of the idea behind each of the two intrusion detection approaches is only a line or two, very quick to understand. The author consistently uses Axelsson’s taxonomy to classify the example intrusion detection systems in his survey.

10 Criticism
The author explains how anomaly-based detection works in a short descriptive text without properly defining how, and by whom, the terms “unusual” or “abnormal” are to be defined. He introduces another simile, the noise distribution, which he could easily have drawn as a diagram. It takes me a lot of reading to build a precise picture.

11 Criticism (2)
Under section 4.4 the author gives the definition of anomaly-based detection: “Given a complete characterization of the noise distribution, an anomaly-based detector recognizes as an intrusion any observation that does not appear to be noise alone.” Since in reality the leading condition is always false, the rest of the definition is not logically implied. (How can one give a “complete” or “perfect” set of descriptions/rules for what normal behaviour is?)

12 Question
Looking at one of the assumptions for anomaly-based detection: “Intrusive activities are necessarily different from non-intrusive activities at some level of observation.” Is it sensible to determine a measure of this “difference” so that the measure can be used as an indication of the likelihood of an attack? (i.e. the more an activity differs from the nearest non-intrusive one, the more likely it is to be an intrusion.)

