
Intrusion Detection
Tianen Liu
May 22, 2003

I. Abstract

Computers are vulnerable to many threats. Hackers and unauthorized users can compromise systems. Viruses, worms, and other kinds of harmful code can cause great damage. To make computer systems more secure, there are three main types of defenses against attacks: antivirus software, firewalls, and intrusion detection systems. This paper will discuss the third kind of defense, intrusion detection systems (IDS). It will look at different kinds of intrusion detection systems, different ways of detecting intrusions, and system response after detection.

II. Introduction

An intrusion detection system is a defense mechanism whose goal is to detect when a system or network is being used inappropriately or without correct authorization [1]. Work on this began in 1980 with James Anderson, who introduced a surveillance system that could detect malicious activity using event tracking records or audit logs. In 1985, Dorothy Denning and Peter Neumann provided a model of an intrusion detection expert system. Beginning with this research, intrusion detection systems (IDS) were born. They are needed because the other two major kinds of defenses, antivirus software and firewalls, are not adequate to cover all kinds of attacks. Antivirus software protects only against malicious programs such as viruses, but not against hackers and many other kinds of threats. Firewalls limit the kind of traffic that can flow in and out of a system so that unauthorized access to important information is not allowed. But these do not protect entirely. The traffic left to flow freely can be harmful. Intrusion detection systems are needed because they can sense a variety of unusual activities, notify the proper authorities, and prevent further attacks. IDSes add to system security, especially when they are used in addition to antivirus software and firewalls.

Intrusion detection systems fall into three major categories depending on what kind of system they monitor. Though each has benefits and limitations, an IDS that can monitor the largest number of machines is the best. This paper will explain why this is so. It will also discuss a variety of detection methods and compare and contrast them. Lastly, this paper will look at how an IDS responds to an attack. Related to IDSes are intrusion prevention systems, which improve upon how IDSes respond to attacks. This paper will not cover all information related to intrusion detection systems, but will examine most of the major issues.

III. Main Body

Components

It is important to discuss, first of all, the basic components of an intrusion detection system. Almost all intrusion detection systems have audit logs. These keep track of what is happening on a system. The logs generated are sent to the management portion of an IDS for analysis to detect intrusions. Most detection systems have sensors that examine traffic and keep records of the packets they see flowing in and out of a host or network system. The third major component is the aforementioned management system, which analyzes data from logs and generates alerts when intrusions are detected. IDSes can be software or hardware. When used on a network, they are usually placed behind a firewall.

Kinds of Intrusion Detection Systems

An intrusion detection system can be divided into several kinds. The type of detection system is determined by what type of system is being monitored. What is monitored can be a host, a network, or a large portion of the internet. A host-based system keeps and examines audit records about a host. It checks the integrity of system files, watches for suspicious processes, and looks at communication traffic in and out of the computer. A network-based system looks at packets on a network. These typically use sensors to log all the activity on a network segment and a console to collect and analyze the logs for suspicious activity. The main difference between host and network systems is that a host-based system monitors its own host whereas a network detection system monitors the segment of the network it is attached to. A host-based intrusion detection system, or HIDS, is able to detect insider attacks by checking its own files and processes, and outsider attacks by watching incoming and outgoing traffic of the host. A network intrusion detection system, or NIDS, looks at every packet on a segment of a network, and thereby can get more of an idea of traffic flow to and from the machines in the network. However, a NIDS must keep up with the speed of the packets on the LAN. If too many packets are going by too fast, a network detection system will not be able to look at all of them.

An organization can choose to use a host-based or a network-based solution. If it decides to use host-based systems, it must install a host-based IDS on every host to get a better view of the network. If it uses a network-based system, it may run the risk of missing packets, but it can monitor traffic among more than one machine without having to install many systems.

A third solution is distributed intrusion detection systems (DIDS). Distributed systems can better handle a problem that neither host nor network systems are able to deal with very well. For example, a system administrator may see something unusual happen to a host or a portion of the network they are monitoring. They wonder whether other hosts or networks are receiving the same unusual traffic. If they are, this traffic may be part of a concerted attack that spans a large section of the internet. Neither HIDS nor NIDS can see a large part of the internet. If there is a way to see other hosts and networks that are not part of the local network that a system administrator may be monitoring, then such an attack can be detected early and wide-area epidemics can be prevented. Distributed systems offer this kind of protection. They can have three components. A host agent module generates logs about a single host and sends them across the internet to a central manager module. A LAN monitor agent module generates logs about traffic on the local area network that it is monitoring. It also sends its logs to the central manager module. The central manager module collects these data, and data from other LANs and hosts [2]. Thus, it checks for intrusion on a larger scale. DIDS provide more accurate attack detection and quicker response because administrators can see more network activity.

DIDS can have modular components like the ones described. Some can also support host-based and network-based IDSes that send their log files to the distributed system. Therefore, by using this kind of DIDS, one can have the benefit of HIDS and NIDS as well. Someone using HIDS and DIDS can get an idea of host events while also seeing what is happening to other systems on the internet. People using NIDS and DIDS can see traffic on their local network while also knowing about major events happening on the internet. DIDS offer a multi-level way of monitoring systems. They can see what is going on at the host, network, and global level. This is better than looking for possible intrusions only on a host or only on a network. Information about insider attacks (people misusing a host system), outsider attacks (people trying to attack a particular network), and attacks on other hosts and networks can all be viewed. Seeing what is going on at multiple levels is the key to a better detection system.

Methods of Intrusion Detection

There are several different approaches to actually detecting intrusions. These include statistical anomaly detection, rule-based anomaly detection, and rule-based penetration identification. Statistical anomaly detection uses statistics formed from audit logs to detect anomalies from normal user behavior. Most statistical anomaly systems rely on learning about past behavior of users. Analysis of audit logs over time determines what behavior is normal for users. Any deviations generate alerts. Tests for determining normal behavior include the mean and standard deviation test. This test examines data from logs to see if they fall into the range of average behavior and how much the data points vary from one another. The multivariate test looks at the correlation between two or more variables, such as login frequency and time between sessions. If these two variables taken together exceed what is normal, then an alert will be generated. The Markov process test examines transition probabilities between certain states. For example, it can look at the transitions between commands to see if they fit normal usage. The time series test determines whether something happens too quickly or too slowly. Finally, the operational test suspects an intrusion if the number of occurrences of an event surpasses a predetermined limit. These tests can be used together to determine deviations, because each test measures different aspects of a single event.

Another approach is rule-based anomaly detection. In this approach, the system analyzes data from audit logs and automatically develops a set of rules to describe normal behavior. While statistical anomaly detection feeds data into statistical tests to see whether the data fall within previously learned statistics, rule-based anomaly detection relies on the rules generated from previous statistics. So data about each new event are tested against the rules to see whether it is normal. Because rules are generated from statistics, a large database of rules is needed for rule-based anomaly systems to work well. The number of rules could reach or even 1 million. Nevertheless, the rule-based anomaly approach is as effective and strong as the statistical anomaly approach despite the large volume of rules [3]. Intrusion Detection Expert System (IDES) is an example of a statistical anomaly system and Wisdom and Sense (W&S) is an example of a system with rule-based anomaly detection.
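As an added illustration (not part of the paper), the Python below learns a per-user profile from constructed audit records and runs the mean and standard deviation, Markov transition, time series and operational tests described above against a new session; the multivariate test is left out. The user name, records and every threshold are assumptions made for this example, not values from IDES, W&S or any other system the paper mentions.

```python
# Added example: the statistical tests the paper names (mean/standard deviation,
# Markov transition, time series, operational) run over constructed audit records.
# Every threshold, record and user profile here is an assumption for illustration.
import math
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    """One login session as reconstructed from a host's audit log."""
    user: str
    login_hour: int        # hour of day (0-23) the session started
    failed_logins: int     # failed password attempts before the successful login
    gaps: list[int]        # seconds between consecutive commands
    commands: list[str]    # commands run, in order


@dataclass
class Profile:
    """What 'normal' looks like for one user, learned from past sessions."""
    hours: list[int] = field(default_factory=list)
    gaps: list[int] = field(default_factory=list)
    transitions: dict[str, Counter] = field(default_factory=lambda: defaultdict(Counter))

    def learn(self, s: Session) -> None:
        self.hours.append(s.login_hour)
        self.gaps.extend(s.gaps)
        for a, b in zip(s.commands, s.commands[1:]):
            self.transitions[a][b] += 1

    def transition_prob(self, a: str, b: str) -> float:
        """Learned probability that command b follows command a (0.0 if never seen)."""
        seen = self.transitions.get(a)
        return seen[b] / sum(seen.values()) if seen else 0.0


def mean_stddev_test(history: list[int], x: float, k: float = 2.0) -> bool:
    """Mean/standard deviation test: x is anomalous if it is more than k SDs from the mean."""
    mean = sum(history) / len(history)
    sd = math.sqrt(sum((v - mean) ** 2 for v in history) / len(history))
    return abs(x - mean) > k * max(sd, 1e-9)   # avoid a zero threshold for constant history


def markov_test(profile: Profile, commands: list[str], min_prob: float = 0.05) -> list[tuple[str, str]]:
    """Markov process test: command transitions whose learned probability is below min_prob."""
    return [(a, b) for a, b in zip(commands, commands[1:]) if profile.transition_prob(a, b) < min_prob]


def time_series_test(history_gaps: list[int], gaps: list[int], factor: float = 10.0) -> bool:
    """Time series test: commands arriving `factor` times faster than the historical median spacing."""
    if not gaps:
        return False
    median = sorted(history_gaps)[len(history_gaps) // 2]
    return (sum(gaps) / len(gaps)) * factor < median


def operational_test(count: int, limit: int) -> bool:
    """Operational test: an event count above a fixed limit is suspicious."""
    return count > limit


def score_session(profile: Profile, s: Session, failed_login_limit: int = 5) -> list[str]:
    """Run every test against one new session and collect the alerts they raise."""
    alerts: list[str] = []
    if mean_stddev_test(profile.hours, s.login_hour):
        alerts.append(f"{s.user}: login at hour {s.login_hour} is far from the usual hours")
    if operational_test(s.failed_logins, failed_login_limit):
        alerts.append(f"{s.user}: {s.failed_logins} failed logins exceed limit {failed_login_limit}")
    if time_series_test(profile.gaps, s.gaps):
        alerts.append(f"{s.user}: commands issued much faster than usual")
    for a, b in markov_test(profile, s.commands):
        alerts.append(f"{s.user}: unusual command transition {a} -> {b}")
    return alerts


# Constructed audit history: logins around 9 o'clock, an edit-compile loop, commands tens of seconds apart.
TRAINING = [
    Session("alice", 9, 0, [30, 45, 60, 20], ["ls", "cd", "vi", "make", "ls"]),
    Session("alice", 10, 1, [25, 50, 40, 35], ["cd", "ls", "vi", "make", "make"]),
    Session("alice", 8, 0, [40, 30, 55, 45], ["ls", "vi", "make", "ls", "cd"]),
    Session("alice", 9, 0, [35, 40, 30, 50], ["cd", "vi", "make", "ls", "ls"]),
]
# Two constructed sessions to score: one ordinary, one that deviates on every test.
NORMAL = Session("alice", 10, 1, [30, 40, 50], ["ls", "vi", "make", "ls"])
ANOMALOUS = Session("alice", 3, 12, [1, 1, 2], ["ls", "crontab", "make", "ls"])


def build_profile(sessions: list[Session] = TRAINING) -> Profile:
    profile = Profile()
    for s in sessions:
        profile.learn(s)
    return profile


if __name__ == "__main__":
    profile = build_profile()
    for label, s in (("normal", NORMAL), ("anomalous", ANOMALOUS)):
        print(label, score_session(profile, s) or "no alerts")
```

The anomalous session trips all four tests at once, which is the point the paper makes about combining them: each test measures a different aspect of the same event.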

An important advantage of anomaly intrusion detection systems is that they can catch new intrusion attempts, which are anomalous behavior. The disadvantage is that if what is normal is abnormal traffic (as during the time of the Code Red worm), then the system will not generate appropriate alerts. Therefore, an anomaly IDS needs to be placed on a network or used on a host for a long period of time to learn what is normal, because the longer it gets a chance to learn, the more accurate the alerts are.

A third way of detecting intrusions is rule-based signature or penetration identification. This method is often used along with anomaly systems. In this method, rules are not set up based on analysis of audit logs. Rules can be set up by defining known intrusions and by defining suspicious activity. The usual procedure is to collect information from system administrators and security analysts. Based on this information, one can set up some heuristics. For example, users should not be able to open other users' personal directories. They should not write to other users' files. They should not copy system programs. They should not be able to log in several times to the same system [4]. Besides these rules that are set up against suspicious activity, a signature system also includes rules against known intrusions. Alerts are generated if an event or sequence of events matches the way known intrusions were launched, that is, if they match signatures of known intrusions. Usually, vendors provide about 500 to 1500 rules for their products [5]. As new intrusions are discovered, a system administrator must update his system with new signatures.

The obvious disadvantage of a signature rule-based system is that a system administrator must constantly update his intrusion detection system whenever new intrusions are discovered and new signatures are available. This constant updating can be a hassle, and if one does not do it in time an intrusion can occur. Another disadvantage is that this system cannot detect new intrusions, because new intrusions do not follow any known patterns. An anomaly-based system does not have these disadvantages. It can serve to complement signature detection's weaknesses. On the other hand, the signature-based model is able to detect misuse and known ways of intrusion quickly and more accurately than anomaly systems. In anomaly-based systems, alerts may be generated by small, non-critical deviations, thereby creating many false alarms (or false positives). Similarly, if a network often has a large volume of abnormal traffic, actual harmful packets may escape detection, thereby creating false negatives. By using signature-based systems to detect known intrusions, the accuracy of detection increases because signatures are designed to catch known intrusions, whereas anomaly systems can either miss the intrusion or create so many false positives that the true positive is overlooked. Therefore, signature detection and anomaly detection serve well to complement each other. A rule of thumb is to use the systems together. Operating together, they become a stronger system and their weaknesses can be covered by one another's strengths.

NetScreen Intrusion Detection and Prevention: an example

It is worthwhile to learn more about intrusion detection systems by looking at an actual IDS product. This paper will look at an intrusion detection product called NetScreen Intrusion Detection and Prevention (IDP). IDP is a network-based system that utilizes several different mechanisms to maximize the number and types of attacks that can be detected. These mechanisms include stateful signature, protocol anomaly, traffic anomaly, backdoor detection, and network honeypot, among others. IDP, like many other detection products, employs both anomaly and signature detection. Let us see how these methods are used in a real IDS product.

IDP's signature detection is unlike other products on the market. Other products compare every packet to signatures of known attacks to see if there is a match. So this kind of packet signature detection processes unnecessary information, because it applies the mechanism to all traffic even where an attack cannot occur at that point. Stateful signature detection, however, looks only at the relevant traffic where attacks can occur. For example, in order to determine whether a user is trying to log in to a server as the root user, stateful signature detection would not look for the word "root" in all transactions. It would look for it only in the login sequence [6]. Thus, precious resources are not wasted; a system administrator can look at packets that are of genuine concern.

IDP's anomaly detection focuses on the usage of communication protocols and traffic flow rather than other kinds of system usage. IDP's protocol anomaly detection analyzes traffic, comparing it with normal traffic that follows the protocols. Usually, abnormal traffic is ambiguous, that is, it does not follow protocol specifications, so that it can avoid detection. But normal packets are unambiguous. Thus this mechanism tests traffic to see whether it deviates from how normal traffic follows protocol specifications. Those packets that deviate are flagged with alerts. The effectiveness of protocol anomaly detection depends on the number of protocols the detection system recognizes. Abnormal packets that use a protocol not supported by the detection system may successfully escape detection. Therefore, the greater the number of protocols a system supports, the better. Some example protocols that IDP supports are IP, TCP, ICMP, ECHO, FINGER, DNS, POP3, IMAP, and many others [7].

IDP also supports traffic anomaly detection. This kind of anomaly detection detects attacks that continue throughout a number of sessions. For example, an attack could begin by gathering some information (port scanning). Later, an attacker can penetrate through an open port that his earlier port scan discovered. Traffic anomaly detection would recognize port scanning as abnormal traffic, because port scans deviate from most normal traffic patterns. Thus, traffic anomaly detection that focuses on analyzing traffic patterns can detect port scans and other kinds of probes. After detection, the victim of the potential attack can close the vulnerable port and watch out for future activity from the attacker's IP address.

IDP has another mechanism, which may protect against backdoor attacks. Backdoor attacks are those that enter the system through another program without the user's knowledge. While a user executes one program, a hidden program may also be running. By running this program that the user does not see, an attacker gains control of the system. An example of a backdoor attack is a Trojan horse. After the user opens the Trojan, for example a singing birthday card, the Trojan downloads the malicious code. The attacker interacts with the malicious program and gains control of the system. IDP detects backdoor attacks by searching for interactive traffic such as that between the attacker and the program in the compromised system. Upon finding such traffic, IDP tests it against what the administrator has defined to be allowed. This is similar to comparing current traffic to a set of rules or heuristics. Unexpected interactive traffic that violates these rules generates alarms.
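The stateful signature and traffic anomaly mechanisms described above, re-created in Python as an added example rather than NetScreen's own code: a telnet-style login is matched for the username "root" only inside the login sequence and compared with naive matching on every payload, and a sliding window counts distinct destination ports per source to flag a port scan. The transcripts, the addresses (taken from documentation ranges) and the thresholds are all constructed for this example.

```python
# Added example: two of the mechanisms the paper describes for NetScreen IDP,
# re-created for illustration only. The session transcripts, packet records,
# IP addresses (from documentation ranges) and thresholds are constructed here;
# nothing below is the product's own code or configuration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # capture time in seconds
    src: str
    dst: str
    dport: int
    payload: str = ""  # application data, if any


def naive_signature(packets: list[Packet], needle: str = "root") -> list[int]:
    """Packet signature detection as the paper describes other products: every
    payload is compared against the pattern, whatever phase of the session it
    belongs to. Returns the indexes of the packets that matched."""
    return [i for i, p in enumerate(packets) if needle in p.payload]


def stateful_signature(packets: list[Packet], needle: str = "root") -> list[int]:
    """Stateful signature detection: follow a telnet-style login exchange and test
    only the username given in answer to the 'login:' prompt. Once the login
    sequence is over, later payloads are never examined for this signature."""
    hits = []
    expecting_username = False
    for i, p in enumerate(packets):
        if p.payload.startswith("Login successful"):
            break                       # end of the login sequence; stop looking
        if p.payload.startswith("login:"):
            expecting_username = True   # the next client line is the username
        elif expecting_username:
            if p.payload.strip() == needle:
                hits.append(i)
            expecting_username = False
    return hits


def port_scan_sources(packets: list[Packet], window: float = 10.0, min_ports: int = 10) -> dict[str, int]:
    """Traffic anomaly detection: a source that touches at least min_ports distinct
    destination ports on one host within `window` seconds is flagged. Returns the
    flagged sources with the largest port count seen in any window."""
    by_pair: dict[tuple[str, str], list[tuple[float, int]]] = defaultdict(list)
    for p in packets:
        by_pair[(p.src, p.dst)].append((p.ts, p.dport))
    flagged: dict[str, int] = {}
    for (src, _dst), events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window forward
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


def login_session(username: str) -> list[Packet]:
    """Constructed telnet-like transcript, server prompts and client replies interleaved.
    Only the username matters; the later benign mention of 'root' must not alert."""
    client, server = "198.51.100.20", "192.0.2.10"
    lines = [
        (server, "login: "),
        (client, username),
        (server, "Password: "),
        (client, "[password omitted]"),
        (server, "Login successful"),
        (client, "cat notes.txt"),
        (server, "the root directory of the project is /srv/app"),
    ]
    return [Packet(float(i), s, client if s == server else server, 23, text)
            for i, (s, text) in enumerate(lines)]


ROOT_LOGIN = login_session("root")
ALICE_LOGIN = login_session("alice")

# Constructed traffic: a client returning to two web ports over a minute, then a
# second source sweeping twenty ports on the same host in under two seconds.
TRAFFIC = (
    [Packet(float(t), "198.51.100.20", "192.0.2.10", 443 if t % 2 else 80) for t in range(0, 60, 3)]
    + [Packet(100.0 + 0.1 * i, "198.51.100.99", "192.0.2.10", 1 + i) for i in range(20)]
)

if __name__ == "__main__":
    print("naive   :", naive_signature(ROOT_LOGIN), naive_signature(ALICE_LOGIN))
    print("stateful:", stateful_signature(ROOT_LOGIN), stateful_signature(ALICE_LOGIN))
    print("scans   :", port_scan_sources(TRAFFIC))
```

The naive matcher alerts on the benign server line in both transcripts, which is exactly the false positive the stateful approach avoids by stopping after the login sequence.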

Another way to detect intrusions is through a network honeypot, which IDP uses. A network honeypot is a system that impersonates real services. When an attacker scans ports and finds such a system, the system sends fake information to the attacker so that the attacker will try to access these false services. Since legitimate users only access services through ports that they know offer real services, whoever tries to access the services of a honeypot is not a legitimate user. They have done a port scan and found the honeypot; they can be assumed to be attackers. Since honeypots make it difficult for attackers to use them to compromise other systems, catching attackers this way spares other systems from potential attacks by these hackers.

After looking at some of the detection mechanisms that NetScreen's IDP offers, one can see how they work together to maximize detection of attacks. Signature and anomaly detection can catch known and new attacks. Together they can also detect any type of abnormal and wrong use of the system. Backdoor intrusions like Trojans can be handled by IDP's backdoor detection. Honeypots can give an idea of what the attacker wants to do, such as the services he wants to access as he plans to take over a system. Honeypots also notify the IDP of these port-scanning attackers, and proper responses can be taken to watch out for traffic from them. Used by themselves, these mechanisms may detect only some attacks. Anomaly detection used alone may not catch everything or may generate many false positives. Signature and honeypot detection help lower false positives, because traffic that matches signatures and people who access honeypots are usually guilty of attacking a system. In this example, we have seen a variety of methods in a real intrusion detection system. The reason for these methods to be employed in one IDS is to catch a wide variety of attacks. Many methods are better than one in detecting intrusions.

Response after Detection

There are many methods of intrusion detection. But what happens after an attack is detected? The rest of this paper will discuss some ways intrusion detection systems can respond to detected attacks. Usually, all suspected packets can be displayed on screen, so an administrator can analyze suspected packets and respond to attacks personally. For example, he or she can close a vulnerable port or disconnect an affected system. However, it would be too much for a security professional to respond to each alarm. Automated responses are necessary.

One type of automated response is called session sniping. Session sniping is performed on TCP connections. Two systems communicating through TCP must establish a connection through handshaking before any data can flow between them. When users want to terminate the session, they must close the connection. In order to stop illegitimate traffic, an IDS can knock down this connection so that the attack is stopped. An IDS that uses session sniping sends packets to the attacker and the victim with the TCP reset bit set to 1. When they receive these packets, the connection is torn down. Another way to respond to attacks is to signal the firewall or router. After detection, an IDS tells the firewall or router to block future packets from the intruder's IP address.

But these responses have drawbacks. They are too late to stop the effects of an attack. Before a TCP connection can be dropped, some malicious packets may have already entered the system. Firewalls and routers only block malicious packets in the future. Those that already got through the firewalls and routers can still have an effect on the system. Unfortunately, most intrusion detection systems rely on these response mechanisms. Because of this, intrusion detection systems usually do not have adequate prevention. Some security professionals are turning to intrusion prevention systems (IPS) to overcome this problem. IPS is a new development whose goal is to prevent attacks from affecting a system at all. An IPS usually drops malicious packets as they are detected, so a system does not have to recover from an attack since it will not be affected in the first place.

IV. Summary

This paper has covered some of the major topics related to understanding an intrusion detection system. The best intrusion detection system, which can accurately detect a variety of attacks, is one that detects intrusions at different levels and applies a multi-method approach. Host-based and network-based detection systems have their benefits and limitations. A distributed system may be better because it can know what is going on at the host, network, and global level. A multi-method approach, using signature, anomaly, honeypot, backdoor defense, etc., increases the chances of catching all kinds of attacks.

The way to a secure system is not through a cure-all that could detect and prevent all intrusions. No such system exists. Indeed, the approach to intrusion detection is to use many methods instead of one. The way to securing a system is to use many products instead of one. Antivirus software and firewalls should preferably be used along with intrusion detection systems. An able and attentive system administrator is also needed. The reason for such an army is that attacks come in various forms. No single method can stop them. While good IDSes are able to detect many intrusions, most IDSes cannot prevent attacks effectively. The focus in the future will probably be on intrusion prevention systems that both effectively detect and prevent attacks.

References

Carr, Jim. "Intrusion Detection Systems: Back to Front?" Network Magazine, 5 Sep. URL:
Farshchi, Jamil. "Statistical based approach to Intrusion Detection." URL:
Hawrylkiw, Dan. "Network Intrusion and use of automated responses." URL:
Hrivnak, Allison. "Host Based Intrusion Detection: An Overview of Tripwire and Intruder Alert." 29 Jan. URL:
Kemmerer, Richard A. "Computer Security." URL:
Netscreen.com. "Products." URL:
Sans.org. "What is host-based intrusion detection?" URL:
Sans.org. "What is network based intrusion detection?" URL:
Sink, Michael. "The Use of Honeypots and Packet Sniffers for Intrusion Detection." 15 April. URL:
Spafford, Eugene, and Diego Zamboni. "Data collection mechanisms for intrusion detection systems." 2 June. URL:
Spitzner, Lance. Honeypots: Tracking Hackers. San Francisco: Pearson Education, Inc.
Stallings, William. Network Security Essentials: Applications and Standards. New Jersey: Prentice Hall, Inc.
Zuver, Robert. "A Thousand Heads Are Better Than One: The Present and Future of Distributed Intrusion Detection." 30 April. URL:

Endnotes

1. Hrivnak.
2. Stallings, p.
3. Ibid, p.
4. Ibid, p.
5. Farshchi.
6. Netscreen.com.
7. Ibid.


More information

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT WHAT S INSIDE: 1. GENERAL INFORMATION 1 2. EXECUTIVE SUMMARY 1 3. BACKGROUND 2 4. QUESTIONS FOR CONSIDERATION

More information

Banking Security using Honeypot

Banking Security using Honeypot Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai smchaware@gmail.com Abstract New threats are constantly emerging to the security of organization s information

More information

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

IntruPro TM IPS. Inline Intrusion Prevention. White Paper IntruPro TM IPS Inline Intrusion Prevention White Paper White Paper Inline Intrusion Prevention Introduction Enterprises are increasingly looking at tools that detect network security breaches and alert

More information

Leveraging Network Vulnerability Assessment with Incident Response Processes and Procedures

Leveraging Network Vulnerability Assessment with Incident Response Processes and Procedures Leveraging Network Vulnerability Assessment with Incident Response Processes and Procedures DAVID COLE, DIRECTOR IS AUDITS, U.S. HOUSE OF REPRESENTATIVES Assessment Planning Assessment Execution Assessment

More information

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at www.visa.

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at www.visa. Global Partner Management Notice Subject: Visa Data Security Alert Malicious Software and Internet Protocol Addresses Dated: April 10, 2009 Announcement: The protection of account information is a responsibility

More information

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of

More information

Network Instruments white paper

Network Instruments white paper Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features

More information

Role of Anomaly IDS in Network

Role of Anomaly IDS in Network Role of Anomaly IDS in Network SumathyMurugan 1, Dr.M.Sundara Rajan 2 1 Asst. Prof, Department of Computer Science, Thiruthangal Nadar College, Chennai -51. 2 Asst. Prof, Department of Computer Science,

More information

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS) 1 of 8 3/25/2005 9:45 AM Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Intrusion Detection systems fall into two broad categories and a single new one. All categories

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Advanced Computer Networks 2007 Reinhard Wallner reinhard.wallner@student.tugraz.at Outline Introduction Types of IDS How works an IDS Attacks to IDS Intrusion Prevention Systems

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

CS419 Computer Security

CS419 Computer Security CS419 Computer Security Vinod Ganapathy Topic: Intrusion Detection and Firewalls Security Intrusion & Detection Security Intrusion a security event, or combination of multiple security events, that constitutes

More information

An Inspection on Intrusion Detection and Prevention Mechanisms

An Inspection on Intrusion Detection and Prevention Mechanisms An Inspection on Intrusion Detection and Prevention Mechanisms Kanagadurga Natarajan 1, Aarthi Sadagopan 2 1, 2 Computer Science and Engineering, A.V.C.College of Engineering, Mannampandal, TamilNadu,

More information

INTRUSION DETECTION SYSTEM

INTRUSION DETECTION SYSTEM INTRUSION DETECTION SYSTEM INTRUSION DETECTION AND PREVENTION using SAX 2.0 and WIRESHARK Cain & Abel 4.9.35 Supervisor Dr. Akshai Kumar Aggarwal Director School of Computer Sciences University of Windsor

More information

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA Configuring Personal Firewalls and Understanding IDS Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA 1 Configuring Personal Firewalls and IDS Learning Objectives Task Statements 1.4 Analyze baseline

More information

Intrusion Detection Systems. Overview. Evolution of IDSs. Oussama El-Rawas. History and Concepts of IDSs

Intrusion Detection Systems. Overview. Evolution of IDSs. Oussama El-Rawas. History and Concepts of IDSs Intrusion Detection Systems Oussama El-Rawas History and Concepts of IDSs Overview A brief description about the history of Intrusion Detection Systems An introduction to Intrusion Detection Systems including:

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Firewall Firewall August, 2003

Firewall Firewall August, 2003 Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

More information

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad OUTLINE Security incident Attack scenario Intrusion detection system Issues and challenges Conclusion

More information

Segurança Redes e Dados

Segurança Redes e Dados Segurança Redes e Dados I N T R U S Õ E S 2 0 1 2 / 2 0 1 2 M A N U E L E D U A R D O C O R R E I A P E D R O B R A N D Ã O Slides are based on slides by Dr Lawrie Brown (UNSW@ADFA) for Computer Security:

More information

HONEYPOT SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region

HONEYPOT SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region HONEYPOT SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Name. Description. Rationale

Name. Description. Rationale Complliiance Componentt Description DEEFFI INITION Network-Based Intrusion Detection Systems (NIDS) Network-Based Intrusion Detection Systems (NIDS) detect attacks by capturing and analyzing network traffic.

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems In this chapter, you will Understand host-based intrusion detection systems Explore network-based intrusion detection systems Learn what honeypots are used for Learn how to

More information

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems

More information

Best Practices For Department Server and Enterprise System Checklist

Best Practices For Department Server and Enterprise System Checklist Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)

More information

The Essentials Series. PCI Compliance. sponsored by. by Rebecca Herold

The Essentials Series. PCI Compliance. sponsored by. by Rebecca Herold The Essentials Series PCI Compliance sponsored by by Rebecca Herold Using PCI DSS Compliant Log Management to Identify Attacks from Outside the Enterprise...1 Outside Attacks Impact Business...1 PCI DSS

More information

Intruders & Intrusion Hackers Criminal groups Insiders. Detection and IDS Techniques Detection Principles Requirements Host-based Network-based

Intruders & Intrusion Hackers Criminal groups Insiders. Detection and IDS Techniques Detection Principles Requirements Host-based Network-based Lecture Outline Intruders & Intrusion Hackers Criminal groups Insiders Detection and IDS Techniques Detection Principles Requirements Host-based Network-based Honeypot Madartists Intruders significant

More information

Common Cyber Threats. Common cyber threats include:

Common Cyber Threats. Common cyber threats include: Common Cyber Threats: and Common Cyber Threats... 2 Phishing and Spear Phishing... 3... 3... 4 Malicious Code... 5... 5... 5 Weak and Default Passwords... 6... 6... 6 Unpatched or Outdated Software Vulnerabilities...

More information

Network Incident Report

Network Incident Report To submit copies of this form via facsimile, please FAX to 202-406-9233. Network Incident Report United States Secret Service Financial Crimes Division Electronic Crimes Branch Telephone: 202-406-5850

More information

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint?

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Why? Focused on Managed Intrusion Security Superior-Architected Hardened Technology Security

More information

IS TEST 3 - TIPS FOUR (4) levels of detective controls offered by intrusion detection system (IDS) methodologies. First layer is typically responsible for monitoring the network and network devices. NIDS

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

An Alternative Model Of Virtualization Based Intrusion Detection System In Cloud Computing

An Alternative Model Of Virtualization Based Intrusion Detection System In Cloud Computing An Alternative Model Of Virtualization Based Intrusion Detection System In Cloud Computing Partha Ghosh, Ria Ghosh, Ruma Dutta Abstract: The massive jumps in technology led to the expansion of Cloud Computing

More information

Intrusion Detection Systems (IDS)

Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS) Presented by Erland Jonsson Department of Computer Science and Engineering Contents Motivation and basics (Why and what?) IDS types and detection principles Key Data Problems

More information

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS 1 FIVE KEY RECOMMENDATIONS During 2014, NTT Group supported response efforts for a variety of incidents. Review of these engagements revealed some observations

More information

Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS)

Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS) ISCA Journal of Engineering Sciences ISCA J. Engineering Sci. Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS) Abstract Tiwari Nitin, Solanki Rajdeep

More information

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Jaimin K. Khatri IT Systems and Network Security GTU PG School, Ahmedabad, Gujarat, India Mr. Girish Khilari Senior Consultant,

More information

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN. 1250 Siskiyou Boulevard Ashland OR 97520

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN. 1250 Siskiyou Boulevard Ashland OR 97520 AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN 1250 Siskiyou Boulevard Ashland OR 97520 Revision History Revision Change Date 1.0 Initial Incident Response Plan 8/28/2013 Official copies

More information

Outline Intrusion Detection CS 239 Security for Networks and System Software June 3, 2002

Outline Intrusion Detection CS 239 Security for Networks and System Software June 3, 2002 Outline Intrusion Detection CS 239 Security for Networks and System Software June 3, 2002 Introduction Characteristics of intrusion detection systems Some sample intrusion detection systems Page 1 Page

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

Intrusion Detection System (IDS)

Intrusion Detection System (IDS) Intrusion Detection System (IDS) Characteristics Systems User, Process predictable actions describing process under that actions what pattern subvert actions attack of correspond the systems processes

More information

Securing the system using honeypot in cloud computing environment

Securing the system using honeypot in cloud computing environment Volume: 2, Issue: 4, 172-176 April 2015 www.allsubjectjournal.com e-issn: 2349-4182 p-issn: 2349-5979 Impact Factor: 3.762 M. Phil Research Scholar, Department of Computer Science Vivekanandha College

More information

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com Intrusion Detection & SNORT Fakrul Alam fakrul@bdhbu.com Sometimes, Defenses Fail Our defenses aren t perfect Patches weren t applied promptly enough Antivirus signatures not up to date 0- days get through

More information

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

Intrusion Detection Systems. Darren R. Davis Student Computing Labs Intrusion Detection Systems Darren R. Davis Student Computing Labs Overview Intrusion Detection What is it? Why do I need it? How do I do it? Intrusion Detection Software Network based Host based Intrusion

More information

Integration Misuse and Anomaly Detection Techniques on Distributed Sensors

Integration Misuse and Anomaly Detection Techniques on Distributed Sensors Integration Misuse and Anomaly Detection Techniques on Distributed Sensors Shih-Yi Tu Chung-Huang Yang Kouichi Sakurai Graduate Institute of Information and Computer Education, National Kaohsiung Normal

More information

Performance Evaluation of Intrusion Detection Systems

Performance Evaluation of Intrusion Detection Systems Performance Evaluation of Intrusion Detection Systems Waleed Farag & Sanwar Ali Department of Computer Science at Indiana University of Pennsylvania ABIT 2006 Outline Introduction: Intrusion Detection

More information

Science Park Research Journal

Science Park Research Journal 2321-8045 Science Park Research Journal Original Article th INTRUSION DETECTION SYSTEM An Approach for Finding Attacks Ashutosh Kumar and Mayank Kumar Mittra ABSTRACT Traditionally firewalls are used to

More information

Rules definition for anomaly based intrusion detection

Rules definition for anomaly based intrusion detection Rules definition for anomaly based intrusion detection 2002 By Lubomir Nistor Introduction Intrusion detection systems (IDS) are one of the fastest growing technologies within the security space. Unfortunately,

More information

Network and Host-based Vulnerability Assessment

Network and Host-based Vulnerability Assessment Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:

More information

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for Intrusion Detection Intrusion Detection Security Intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Dragon solution. Zdeněk Pala. ECIE certified engineer ECI certified instructor zpala@enterasys.com. There is nothing more important than our customers

Dragon solution. Zdeněk Pala. ECIE certified engineer ECI certified instructor zpala@enterasys.com. There is nothing more important than our customers There is nothing more important than our customers Dragon solution Zdeněk Pala ECIE certified engineer ECI certified instructor zpala@enterasys.com A Division of Siemens Enterprise Communications GmbH

More information

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-07/

More information

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Mukta Garg Assistant Professor, Advanced Educational Institutions, Palwal Abstract Today s society

More information

Global Partner Management Notice

Global Partner Management Notice Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Network-Based and Host- Based Intrusion Detection. Harley Kozushko. Graduate Seminar

Network-Based and Host- Based Intrusion Detection. Harley Kozushko. Graduate Seminar Network-Based and Host- Based Intrusion Detection Graduate Seminar 1 Goal This presentation is an in-depth overview of intrusion detection. As such, the purpose of the presentation is for reference. 2

More information

C. Universal Threat Management C.4. Defenses

C. Universal Threat Management C.4. Defenses UTM I&C School Prof. P. Janson September 2014 C. Universal Threat Management C.4. Defenses 1 of 20 Over 80 000 vulnerabilities have been found in existing software These vulnerabilities are under constant

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 40 Firewalls and Intrusion

More information

Security Event Management. February 7, 2007 (Revision 5)

Security Event Management. February 7, 2007 (Revision 5) Security Event Management February 7, 2007 (Revision 5) Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 CRITICAL EVENT DETECTION... 3 LOG ANALYSIS, REPORTING AND STORAGE... 7 LOWER TOTAL COST

More information

A Review on Network Intrusion Detection System Using Open Source Snort

A Review on Network Intrusion Detection System Using Open Source Snort , pp.61-70 http://dx.doi.org/10.14257/ijdta.2016.9.4.05 A Review on Network Intrusion Detection System Using Open Source Snort Sakshi Sharma and Manish Dixit Department of CSE& IT MITS Gwalior, India Sharmasakshi1009@gmail.com,

More information

P Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis

P Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis Agenda Richard Baskerville P Principles of P Terms & -based Tracing P Application Layer Analysis P Lower Layer Analysis Georgia State University 1 2 Principles Kim, et al (2004) A fuzzy expert system for

More information

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP belka@att.net Security Security is recognized as essential to protect vital processes and the systems that provide those

More information

Radware s Behavioral Server Cracking Protection

Radware s Behavioral Server Cracking Protection Radware s Behavioral Server Cracking Protection A DefensePro Whitepaper By Renaud Bidou Senior Security Specialist,Radware October 2007 www.radware.com Page - 2 - Table of Contents Abstract...3 Information

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

Lancope StealthWatch Technology Security Through Network Intelligence

Lancope StealthWatch Technology Security Through Network Intelligence Lancope StealthWatch Technology Security Through Network Intelligence www.lancope.com Network Behavior Anomaly Detection Solution Presented at Central Plains ISSA Meeting October 7, 2005 A Network Behavior

More information

Network Monitoring and Forensics

Network Monitoring and Forensics Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology ISSN 2320 088X IJCSMC, Vol. 2, Issue.

More information

Intrusion Detection Theory

Intrusion Detection Theory Intrusion Detection System (IDS) CPE5021 Advanced Network Security --- IDS: Theory and Practice--- Lecture 6 Knowledge Base Analysis Engine Response Module Alert Database Other machines Event Provider

More information