Segurança Redes e Dados

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Segurança Redes e Dados"

Transcription

1 Segurança Redes e Dados I N T R U S Õ E S / M A N U E L E D U A R D O C O R R E I A P E D R O B R A N D Ã O

2 Slides are based on slides by Dr Lawrie Brown for Computer Security: Principles and Practice, 1/e, by William Stallings and Lawrie Brown 2 Some slides from Mark Stamp Information Security: Principles and Practice 2nd edition (Wiley 2011).

3 3 Definitions

4 Intrusion Prevention Want to keep bad guys out Intrusion prevention is a traditional focus of computer security Authentication is to prevent intrusions Firewalls a form of intrusion prevention Virus defenses aimed at intrusion prevention Like locking the door on your car 4

5 Intrusion Detection Systems Who is likely intruder? May be outsider who got thru firewall May be evil insider What do intruders do? Launch well-known attacks Launch variations on well-known attacks Launch new/little-known attacks Borrow system resources Use compromised system to attack others. etc. 5

6 Intruders significant issue hostile/unwanted trespass from benign to serious user trespass unauthorized logon, privilege abuse software trespass virus, worm, or Trojan horse classes of intruders: masquerader, misfeasor, clandestine user 6 Intruder: (I) An entity that gains or attempts to gain access to a system or system resource without having authorization to do so. (from RFC4949)

7 Examples of Intrusion remote root compromise web server defacement guessing / cracking passwords copying viewing sensitive data / databases running a packet sniffer distributing pirated software on unwilling machines using an unsecured modem to access net impersonating a user to reset password using an unattended workstation 7

8 Security Intrusion & Detection Security Intrusion a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so. Intrusion Detection (I) Sensing and analysing system events for the purpose of noticing (i.e., becoming aware of) attempts to access system resources in an unauthorized manner. This includes the following subtypes: - "Active detection": Real-time or near-real-time analysis of system event data to detect current intrusions, which result in an immediate protective response. - "Passive detection": Off-line analysis of audit data to detect past intrusions, which are reported to the system security officer for corrective action. From RFC4949 Internet Security Glossary, Version 2 8

9 Hacker Hacker and Cracker 1. (I) Someone with a strong interest in computers, who enjoys learning about them, programming them, and experimenting and otherwise working with them 2. (O) "An individual who spends an inordinate amount of time working on computer systems for other than professional purposes. 3. (D) Synonym for "cracker". Deprecated Usage: Today, the term is frequently (mis)used (especially by journalists) with definition 3. cracker (I) Someone who tries to break the security of, and gain unauthorized access to, someone else's system, often with malicious intent. (See: adversary, intruder, packet monkey, script kiddy. Compare: hacker.) 9

10 Crackers motivated by thrill of access and status hacking community a strong meritocracy status is determined by level of competence benign intruders might be tolerable do consume resources and may slow performance can t know in advance whether benign or malign IDS/IPS/VPNs can help counter awareness led to establishment of Computer Emergency Response Teams (CERTs) collect/disseminate vulnerability info/responses 10

11 Cracker Behavior Example 1. select target using IP lookup tools 2. map network for accessible services 3. identify potentially vulnerable services 4. brute force (guess) passwords 5. install remote administration tool 6. wait for admin to log on and capture password 7. use password to access remainder of network 11

12 Criminal Enterprise organized groups of crackers now a threat corporation / government / loosely affiliated gangs typically young often Eastern European or Russian hackers common target credit cards on e-commerce server criminal crackers usually have specific targets once penetrated act quickly and get out IDS/IPS help but less effective sensitive data needs strong protection 12

13 Criminal Enterprise Behavior 1. act quickly and precisely to make their activities harder to detect 2. exploit perimeter via vulnerable ports 3. use Trojan horses (hidden software) to leave back doors for re-entry 4. use sniffers to capture passwords 5. do not stick around until noticed 6. make few or no mistakes. 13

14 Insider Attacks among most difficult to detect and prevent employees have access & systems knowledge may be motivated by revenge / entitlement when employment terminated taking customer data when move to competitor IDS/IPS may help but also need: least privilege, monitor logs, strong authentication, termination process to block access & mirror data 14

15 Insider Behavior Example 15 create network accounts for themselves and their friends access accounts and applications they wouldn't normally use for their daily jobs former and prospective employers conduct furtive instant-messaging chats visit web sites that cater to disgruntled employees, such as f'dcompany.com perform large downloads and file copying access the network during off hours.

16 Intrusion Techniques objective to gain access or increase privileges initial attacks often exploit system or software vulnerabilities to execute code to get backdoor e.g. buffer overflow or to gain protected information e.g. password guessing or acquisition 16

17 17 IDS approaches

18 Intrusion Detection Systems classify intrusion detection systems (IDSs) as: Host-based IDS: monitor single host activity Network-based IDS: monitor network traffic logical components: sensors - collect data analyzers - determine if intrusion has occurred user interface - manage/direct/view IDS 18

19 IDS Principles assume intruder behavior differs from legitimate users expect overlap as shown observe deviations from past history problems of: false positives false negatives must compromise 19

20 IDS Requirements run continually be fault tolerant resist subversion impose a minimal overhead on system configured according to system security policies adapt to changes in systems and users scale to monitor large numbers of systems provide graceful degradation of service allow dynamic reconfiguration 20

21 Host-Based IDS Monitor activities on hosts for Known attacks Suspicious behavior Designed to detect attacks such as Buffer overflow Escalation of privilege, Can detect both external and internal intrusions 21 Little or no view of network activities

22 Audit Records a fundamental tool for intrusion detection two variants: native audit records - provided by O/S always available but may not be optimum detection-specific audit records - IDS specific additional overhead but specific to IDS task often log individual elementary actions 22 e.g. may contain fields for: subject, action, object, exceptioncondition, resource-usage, time-stamp

23 Distributed Host-Based IDS 23

24 Distributed Host-Based IDS 24

25 OSSEC Some examples of Host IDSs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. Tripwire Open Source version data integrity tool useful for monitoring and alerting on specific file change(s) There s a commercial one AIDE (Advanced Intrusion Detection Environment) file and directory integrity checker. 25

26 Network-Based IDS Monitor activity at selected points of the network for Known attacks Suspicious network activity May examine network, transport and/or application level protocol activity directed toward systems Designed to detect attacks such as Denial of service Network probes Malformed packets, etc. Comprises a number of sensors inline (possibly as part of other net device) passive (monitors copy of traffic) 26 Some overlap with firewall Little or no view of host-based attacks

27 Network-Based IDS network-based IDS (NIDS) monitor traffic at selected points on a network in (near) real time to detect intrusion patterns may examine network, transport and/or application level protocol activity directed toward systems comprises a number of sensors inline (possibly as part of other net device) passive (monitors copy of traffic) 27

28 NIDS Sensor Deployment 28

29 Snort Some examples of Net IDSs 29 network intrusion prevention and detection system (IDS/IPS) [ ] Combining the benefits of signature, protocol, and anomaly-based inspection Bro While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well.

30 Distributed Adaptive Intrusion Detection 30

31 31 Intrusion Detection Exchange Format By the IETF Intrusion Detection Working Group

32 OSSIM Some examples of SIEM tools 32 provides a strong correlation engine, detailed low, medium and high level visualization interfaces, and reporting and incident management tools, based on a set of defined assets such as hosts, networks, groups and services. ACARM-ng Alert Correlation, Assessment and Reaction Module - next generation responsible for collection and correlation alerts sent by network and host sensors also referred to as NIDS and HIDS respectively Cyberoam iview delivers identity-based logging and reporting across multiple devices, protocols and locations, enabling organizations to discover not just the threats, but also allows them to correlate these with the who, what, why, where, when of an attack. SIEM Security Information and Event Management

33 are decoy systems Honeypots filled with fabricated info instrumented with monitors / event loggers divert and hold attacker to collect activity info without exposing production systems initially were single systems more recently are/emulate entire networks 33

34 34 Honeypot Deployment DMZ

35 35 Intrusion Detection Techniques

36 Intrusion Detection Techniques signature detection at application, transport, network layers; unexpected application services, policy violations anomaly detection of denial of service attacks, scanning, worms when potential violation detected sensor sends an alert and logs information used by analysis module to refine intrusion detection parameters and algorithms by security admin to improve protection 36

37 Signature Detection Example Failed login attempts may indicate password cracking attack IDS could use the rule N failed login attempts in M seconds as signature If N or more failed login attempts in M seconds, IDS warns of attack Note that such a warning is specific Admin knows what attack is suspected Easy to verify attack (or false alarm) 37

38 Signature Detection Suppose IDS warns whenever N or more failed logins in M seconds Set N and M so false alarms not common Can do this based on normal behavior But, if Trudy knows the signature, she can try N 1 logins every M seconds Then signature detection slows down Trudy, but might not stop her 38

39 Signature Detection Many techniques used to make signature detection more robust Goal is to detect almost signatures For example, if about N login attempts in about M seconds Warn of possible password cracking attempt What are reasonable values for about? Can use statistical analysis, heuristics, etc. Must not increase false alarm rate too much 39

40 Signature Detection Advantages of signature detection Simple Detect known attacks Know which attack at time of detection Efficient (if reasonable number of signatures) Disadvantages of signature detection Signature files must be kept up to date Number of signatures may become large Can only detect known attacks Variation on known attack may not be detected 40

41 Anomaly Detection Anomaly detection systems look for unusual or abnormal behavior There are (at least) two challenges What is normal for this system? How far from normal is abnormal? No avoiding statistics here! mean defines normal variance gives distance from normal to abnormal 41

42 How to Measure Normal? How to measure normal? Must measure during representative behavior Must not measure during an attack or else attack will seem normal! Normal is statistical mean 42 Must also compute variance to have any reasonable idea of abnormal

43 How to Measure Abnormal? Abnormal is relative to some normal Abnormal indicates possible attack Statistical discrimination techniques include Bayesian statistics Linear discriminant analysis (LDA) Quadratic discriminant analysis (QDA) Neural nets, hidden Markov models (HMMs), etc. Fancy modeling techniques also used Artificial intelligence Artificial immune system principles Many, many, many others 43

44 Anomaly Detection (1) Spse we monitor use of three commands: open, read, close Under normal use we observe Alice: open, read, close, open, open, read, close, Of the six possible ordered pairs, we see four pairs are normal for Alice, (open,read), (read,close), (close,open), (open,open) Can we use this to identify unusual activity? 44

45 Anomaly Detection (1) We monitor use of the three commands open, read, close If the ratio of abnormal to normal pairs is too high, warn of possible attack Could improve this approach by Also use expected frequency of each pair Use more than two consecutive commands Include more commands/behavior in the model More sophisticated statistical discrimination 45

46 Anomaly Detection (2) Over time, Alice has accessed file F n at rate H n H 0 H 1 H 2 H Recently, Alice has accessed F n at rate A n A 0 A 1 A 2 A Is this normal use for Alice? We compute S = (H 0 A 0 ) 2 +(H 1 A 1 ) 2 + +(H 3 A 3 ) 2 =.02 o We consider S < 0.1 to be normal, so this is normal How to account for use that varies over time?

47 Anomaly Detection (2) To allow normal to adapt to new use, we update averages: H n = 0.2A n + 0.8H n In this example, H n are updated H 2 = =.38 and H 3 = =.12 And we now have 47 H 0 H 1 H 2 H

48 Anomaly Detection (2) The updated long term average is 48 Suppose new observed rates H 0 H 1 H 2 H A 0 A 1 A 2 A Is this normal use? Compute S = (H 0 A 0 ) 2 + +(H 3 A 3 ) 2 =.0488 o Since S =.0488 < 0.1 we consider this normal And we again update the long term averages: H n = 0.2A n + 0.8H n

49 Anomaly Detection (2) The starting averages were: H 0 H 1 H 2 H After 2 iterations, averages are: H 0 H 1 H 2 H Statistics slowly evolve to match behavior This reduces false alarms for SA But also opens an avenue for attack o Suppose Trudy always wants to access F 3 o Can she convince IDS this is normal for Alice?

50 Anomaly Detection (2) To make this approach more robust, must incorporate the variance Can also combine N stats S i as, say, T = (S 1 + S 2 + S S N ) / N to obtain a more complete view of normal 50

51 Anomaly Detection Issues Systems constantly evolve and so must IDS Static system would place huge burden on admin But evolving IDS makes it possible for attacker to (slowly) convince IDS that an attack is normal Attacker may win simply by going slow What does abnormal really mean? Indicates there may be an attack Might not be any specific info about attack How to respond to such vague information? In contrast, signature detection is very specific 51

52 Advantages? Anomaly Detection Chance of detecting unknown attacks Disadvantages? Cannot use anomaly detection alone must be used with signature detection Reliability is unclear May be subject to attack 52 Anomaly detection indicates something unusual, but lacks specific info on possible attack

53 Anomaly Detection: The Bottom Line Anomaly-based IDS is active research topic Many security experts have high hopes for its ultimate success Often cited as key future security technology Hackers are not convinced! Title of a talk at Defcon: Why Anomaly-based IDS is an Attacker s Best Friend Anomaly detection is difficult and tricky As hard as AI? 53

54 Summary introduced intruders & intrusion detection nomenclature intrusion detection approaches host-based (single and distributed) network distributed adaptive Security Information and Event Management honeypots intrusion detection techniques Signature and anomaly 54

55 The end

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013 CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Intruders & Intrusion Hackers Criminal groups Insiders. Detection and IDS Techniques Detection Principles Requirements Host-based Network-based

Intruders & Intrusion Hackers Criminal groups Insiders. Detection and IDS Techniques Detection Principles Requirements Host-based Network-based Lecture Outline Intruders & Intrusion Hackers Criminal groups Insiders Detection and IDS Techniques Detection Principles Requirements Host-based Network-based Honeypot Madartists Intruders significant

More information

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis Intrusion Detection Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

More information

CS419 Computer Security

CS419 Computer Security CS419 Computer Security Vinod Ganapathy Topic: Intrusion Detection and Firewalls Security Intrusion & Detection Security Intrusion a security event, or combination of multiple security events, that constitutes

More information

Firewalls. CS 6v81 - Network Security. What is a firewall? Firewall capabilities. Firewall limitations. Firewall limitations, cont d

Firewalls. CS 6v81 - Network Security. What is a firewall? Firewall capabilities. Firewall limitations. Firewall limitations, cont d CS 6v81 - Network Security Firewalls Firewalls and Intrusion Detection Systems 2 (Source: Stallings book, papers) What is a firewall? Collection of components between two networks that filter cross traffic

More information

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University Module II. Internet Security Chapter 7 Intrusion Detection Web Security: Theory & Applications School of Software, Sun Yat-sen University Outline 7.1 Threats to Computer System 7.2 Process of Intrusions

More information

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of Intrusion Detection Tianen Liu May 22, 2003 I. Abstract Computers are vulnerable to many threats. Hackers and unauthorized users can compromise systems. Viruses, worms, and other kinds of harmful code

More information

Taxonomy of Intrusion Detection System

Taxonomy of Intrusion Detection System Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use

More information

Security Intrusion & Detection. Intrusion Detection Systems (IDSs)

Security Intrusion & Detection. Intrusion Detection Systems (IDSs) Security Intrusion & Detection Security Intrusion One or combination of security events in which an intruder gains (or attempts) to gain access to a system without having authorization to do so Intrusion

More information

IDS / IPS. James E. Thiel S.W.A.T.

IDS / IPS. James E. Thiel S.W.A.T. IDS / IPS An introduction to intrusion detection and intrusion prevention systems James E. Thiel January 14, 2005 S.W.A.T. Drexel University Overview Intrusion Detection Purpose Types Detection Methods

More information

INTRUSION DETECTION SYSTEMS and Network Security

INTRUSION DETECTION SYSTEMS and Network Security INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS

More information

IDS : Intrusion Detection System the Survey of Information Security

IDS : Intrusion Detection System the Survey of Information Security IDS : Intrusion Detection System the Survey of Information Security Sheetal Thakare 1, Pankaj Ingle 2, Dr. B.B. Meshram 3 1,2 Computer Technology Department, VJTI, Matunga,Mumbai 3 Head Of Computer TechnologyDepartment,

More information

THE ROLE OF IDS & ADS IN NETWORK SECURITY

THE ROLE OF IDS & ADS IN NETWORK SECURITY THE ROLE OF IDS & ADS IN NETWORK SECURITY The Role of IDS & ADS in Network Security When it comes to security, most networks today are like an egg: hard on the outside, gooey in the middle. Once a hacker

More information

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323

More information

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT Appendix A to 11-02-P1-NJOIT NJ OFFICE OF INFORMATION TECHNOLOGY P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT The Intent

More information

Intruders and viruses. 8: Network Security 8-1

Intruders and viruses. 8: Network Security 8-1 Intruders and viruses 8: Network Security 8-1 Intrusion Detection Systems Firewalls allow traffic only to legitimate hosts and services Traffic to the legitimate hosts/services can have attacks CodeReds

More information

Role of Anomaly IDS in Network

Role of Anomaly IDS in Network Role of Anomaly IDS in Network SumathyMurugan 1, Dr.M.Sundara Rajan 2 1 Asst. Prof, Department of Computer Science, Thiruthangal Nadar College, Chennai -51. 2 Asst. Prof, Department of Computer Science,

More information

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Contents Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Technical OverView... Error! Bookmark not defined. Network Intrusion Detection

More information

Name. Description. Rationale

Name. Description. Rationale Complliiance Componentt Description DEEFFI INITION Network-Based Intrusion Detection Systems (NIDS) Network-Based Intrusion Detection Systems (NIDS) detect attacks by capturing and analyzing network traffic.

More information

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

IntruPro TM IPS. Inline Intrusion Prevention. White Paper IntruPro TM IPS Inline Intrusion Prevention White Paper White Paper Inline Intrusion Prevention Introduction Enterprises are increasingly looking at tools that detect network security breaches and alert

More information

Network and Host-based Vulnerability Assessment

Network and Host-based Vulnerability Assessment Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph 0925910 I MCA

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph 0925910 I MCA INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph 0925910 I MCA OVERVIEW Introduction Overview The IDS Puzzle Current State of IDS Threats I have a good firewall, why do I need an IDS? Expectations

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Assessment of the operation and usefulness of informatics tools for the detection of on-going computer attacks André Matos Luís Machado Work Topics 1. Definition 2. Characteristics

More information

CSCI 4250/6250 Fall 2015 Computer and Networks Security

CSCI 4250/6250 Fall 2015 Computer and Networks Security CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP

More information

Intrusion Detection Systems (IDS)

Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS) Presented by Erland Jonsson Department of Computer Science and Engineering Contents Motivation and basics (Why and what?) IDS types and detection principles Key Data Problems

More information

SURVEY OF INTRUSION DETECTION SYSTEM

SURVEY OF INTRUSION DETECTION SYSTEM SURVEY OF INTRUSION DETECTION SYSTEM PRAJAPATI VAIBHAVI S. SHARMA DIPIKA V. ASST. PROF. ASST. PROF. MANISH INSTITUTE OF COMPUTER STUDIES MANISH INSTITUTE OF COMPUTER STUDIES VISNAGAR VISNAGAR GUJARAT GUJARAT

More information

Computer Networks & Computer Security

Computer Networks & Computer Security Computer Networks & Computer Security Software Engineering 4C03 Project Report Hackers: Detection and Prevention Prof.: Dr. Kartik Krishnan Due Date: March 29 th, 2004 Modified: April 7 th, 2004 Std Name:

More information

Network- vs. Host-based Intrusion Detection

Network- vs. Host-based Intrusion Detection Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477

More information

Hackers: Detection and Prevention

Hackers: Detection and Prevention Computer Networks & Computer Security SE 4C03 Project Report Hackers: Detection and Prevention Due Date: March 29 th, 2005 Modified: March 28 th, 2005 Student Name: Arnold Sebastian Professor: Dr. Kartik

More information

Leveraging Network Vulnerability Assessment with Incident Response Processes and Procedures

Leveraging Network Vulnerability Assessment with Incident Response Processes and Procedures Leveraging Network Vulnerability Assessment with Incident Response Processes and Procedures DAVID COLE, DIRECTOR IS AUDITS, U.S. HOUSE OF REPRESENTATIVES Assessment Planning Assessment Execution Assessment

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

Intrusion Detection for Mobile Ad Hoc Networks

Intrusion Detection for Mobile Ad Hoc Networks Intrusion Detection for Mobile Ad Hoc Networks Tom Chen SMU, Dept of Electrical Engineering tchen@engr.smu.edu http://www.engr.smu.edu/~tchen TC/Rockwell/5-20-04 SMU Engineering p. 1 Outline Security problems

More information

Network Based Intrusion Detection Using Honey pot Deception

Network Based Intrusion Detection Using Honey pot Deception Network Based Intrusion Detection Using Honey pot Deception Dr.K.V.Kulhalli, S.R.Khot Department of Electronics and Communication Engineering D.Y.Patil College of Engg.& technology, Kolhapur,Maharashtra,India.

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12 Intrusion Detection Systems and Supporting Tools Ian Welch NWEN 405 Week 12 IDS CONCEPTS Firewalls. Intrusion detection systems. Anderson publishes paper outlining security problems 1972 DNS created 1984

More information

Radware s Behavioral Server Cracking Protection

Radware s Behavioral Server Cracking Protection Radware s Behavioral Server Cracking Protection A DefensePro Whitepaper By Renaud Bidou Senior Security Specialist,Radware October 2007 www.radware.com Page - 2 - Table of Contents Abstract...3 Information

More information

Intrusion Detection and Prevention Systems in the Industrial Automation and Control Systems Environment

Intrusion Detection and Prevention Systems in the Industrial Automation and Control Systems Environment Intrusion Detection and Prevention Systems in the Industrial Automation and Control Systems Environment Chris Martin Senior Director Product Strategy Industrial Defender Inc. Agenda Overview of IDS/IPS

More information

Outline Intrusion Detection CS 239 Security for Networks and System Software June 3, 2002

Outline Intrusion Detection CS 239 Security for Networks and System Software June 3, 2002 Outline Intrusion Detection CS 239 Security for Networks and System Software June 3, 2002 Introduction Characteristics of intrusion detection systems Some sample intrusion detection systems Page 1 Page

More information

Intrusion Detections Systems

Intrusion Detections Systems Intrusion Detections Systems 2009-03-04 Secure Computer Systems Poia Samoudi Asli Davor Sutic Contents Intrusion Detections Systems... 1 Contents... 2 Abstract... 2 Introduction... 3 IDS importance...

More information

A Proposed Architecture of Intrusion Detection Systems for Internet Banking

A Proposed Architecture of Intrusion Detection Systems for Internet Banking A Proposed Architecture of Intrusion Detection Systems for Internet Banking A B S T R A C T Pritika Mehra Post Graduate Department of Computer Science, Khalsa College for Women Amritsar, India Mehra_priti@yahoo.com

More information

USM IT Security Council Guide for Security Event Logging. Version 1.1

USM IT Security Council Guide for Security Event Logging. Version 1.1 USM IT Security Council Guide for Security Event Logging Version 1.1 23 November 2010 1. General As outlined in the USM Security Guidelines, sections IV.3 and IV.4: IV.3. Institutions must maintain appropriate

More information

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT WHAT S INSIDE: 1. GENERAL INFORMATION 1 2. EXECUTIVE SUMMARY 1 3. BACKGROUND 2 4. QUESTIONS FOR CONSIDERATION

More information

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for Intrusion Detection Intrusion Detection Security Intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS) 1 of 8 3/25/2005 9:45 AM Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Intrusion Detection systems fall into two broad categories and a single new one. All categories

More information

Performance Evaluation of Intrusion Detection Systems

Performance Evaluation of Intrusion Detection Systems Performance Evaluation of Intrusion Detection Systems Waleed Farag & Sanwar Ali Department of Computer Science at Indiana University of Pennsylvania ABIT 2006 Outline Introduction: Intrusion Detection

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Network Security: A New Perspective. NIKSUN Inc.

Network Security: A New Perspective. NIKSUN Inc. Network Security: A New Perspective NIKSUN Inc. Security: State of the Industry Case Study: Hacker University Questions Dave Supinski VP of Regional Sales Supinski@niksun.com Cell Phone 215-292-4473 www.niksun.com

More information

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager Should Ask Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting Network Security: 30 Questions Every Manager/Executive Must Answer in Order

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of

More information

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow IDS 4.0 Roadshow Module 1- IDS Technology Overview Agenda Network Security Network Security Policy Management Protocols The Security Wheel IDS Terminology IDS Technology HIDS and NIDS IDS Communication

More information

University Convocation. IT 4823 Information Security Administration. Firewalls and Intrusion Prevention Systems. Firewall Capabilities and Limits DMZ

University Convocation. IT 4823 Information Security Administration. Firewalls and Intrusion Prevention Systems. Firewall Capabilities and Limits DMZ IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original

More information

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad OUTLINE Security incident Attack scenario Intrusion detection system Issues and challenges Conclusion

More information

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits) Page 1 of 6 Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits) TNCC Cybersecurity Program web page: http://tncc.edu/programs/cyber-security Course Description: Encompasses

More information

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01 How to build and use a Honeypot By Ralph Edward Sutton, Jr DTEC 6873 Section 01 Abstract Everybody has gotten hacked one way or another when dealing with computers. When I ran across the idea of a honeypot

More information

Intrusion Detection System (IDS)

Intrusion Detection System (IDS) Intrusion Detection System (IDS) Characteristics Systems User, Process predictable actions describing process under that actions what pattern subvert actions attack of correspond the systems processes

More information

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Passive Logging. Intrusion Detection System (IDS): Software that automates this process Passive Logging Intrusion Detection: Monitor events, analyze for signs of incidents Look for violations or imminent violations of security policies accepted use policies standard security practices Intrusion

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems

More information

Environment. Attacks against physical integrity that can modify or destroy the information, Unauthorized use of information.

Environment. Attacks against physical integrity that can modify or destroy the information, Unauthorized use of information. Cyber Security. Environment, Solutions and Case study. Special Telecommunications Service David Gabriel, Buciu Adrian Contact: gdavid13@sts.ro adibuciu@sts.ro Environment Network/services can be damaged

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 40 Firewalls and Intrusion

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Advanced Computer Networks 2007 Reinhard Wallner reinhard.wallner@student.tugraz.at Outline Introduction Types of IDS How works an IDS Attacks to IDS Intrusion Prevention Systems

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Intrusion Detection System 1 Intrusion Definitions A set of actions aimed to compromise the security

More information

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science A Seminar report On Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science SUBMITTED TO: www.studymafia.org SUBMITTED BY: www.studymafia.org

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 9 Firewalls and Intrusion Prevention Systems First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Firewalls and Intrusion

More information

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at www.visa.

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at www.visa. Global Partner Management Notice Subject: Visa Data Security Alert Malicious Software and Internet Protocol Addresses Dated: April 10, 2009 Announcement: The protection of account information is a responsibility

More information

Contents. Intrusion Detection Systems (IDS) Intrusion Detection. Why Intrusion Detection? What is Intrusion Detection?

Contents. Intrusion Detection Systems (IDS) Intrusion Detection. Why Intrusion Detection? What is Intrusion Detection? Contents Intrusion Detection Systems (IDS) Presented by Erland Jonsson Department of Computer Science and Engineering Motivation and basics (Why and what?) IDS types and principles Key Data Problems with

More information

Integration Misuse and Anomaly Detection Techniques on Distributed Sensors

Integration Misuse and Anomaly Detection Techniques on Distributed Sensors Integration Misuse and Anomaly Detection Techniques on Distributed Sensors Shih-Yi Tu Chung-Huang Yang Kouichi Sakurai Graduate Institute of Information and Computer Education, National Kaohsiung Normal

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Penetration Testing Service. By Comsec Information Security Consulting

Penetration Testing Service. By Comsec Information Security Consulting Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your

More information

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) 01.1 Purpose

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Financial Institution Letters

Financial Institution Letters Financial Institution Letters Risk Assessment Tools And Practices For Information System Security FIL-68-99 July 7, 1999 TO: SUBJECT: CHIEF EXECUTIVE OFFICER FDIC Issues Paper on Information System Security

More information

Banking Security using Honeypot

Banking Security using Honeypot Banking Security using Honeypot Sandeep Chaware D.J.Sanghvi College of Engineering, Mumbai smchaware@gmail.com Abstract New threats are constantly emerging to the security of organization s information

More information

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Jaimin K. Khatri IT Systems and Network Security GTU PG School, Ahmedabad, Gujarat, India Mr. Girish Khilari Senior Consultant,

More information

Cisco IPS Tuning Overview

Cisco IPS Tuning Overview Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.

More information

International Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849

International Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849 WINDOWS-BASED APPLICATION AWARE NETWORK INTERCEPTOR Ms. Shalvi Dave [1], Mr. Jimit Mahadevia [2], Prof. Bhushan Trivedi [3] [1] Asst.Prof., MCA Department, IITE, Ahmedabad, INDIA [2] Chief Architect, Elitecore

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Design and Development of. Graphical User Interface for building Snort Rules

Design and Development of. Graphical User Interface for building Snort Rules Design and Development of Graphical User Interface for building Snort Rules Thesis submitted in partial fulfillment of the requirements for the award of degree of Master of Technology in Computer Science

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

INTRUSION DETECTION SYSTEM

INTRUSION DETECTION SYSTEM INTRUSION DETECTION SYSTEM INTRUSION DETECTION AND PREVENTION using SAX 2.0 and WIRESHARK Cain & Abel 4.9.35 Supervisor Dr. Akshai Kumar Aggarwal Director School of Computer Sciences University of Windsor

More information

Security Event Management. February 7, 2007 (Revision 5)

Security Event Management. February 7, 2007 (Revision 5) Security Event Management February 7, 2007 (Revision 5) Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 CRITICAL EVENT DETECTION... 3 LOG ANALYSIS, REPORTING AND STORAGE... 7 LOWER TOTAL COST

More information

Intrusion Detection Systems vs. Intrusion Prevention Systems. Sohkyoung (Michelle) Cho ACC 626

Intrusion Detection Systems vs. Intrusion Prevention Systems. Sohkyoung (Michelle) Cho ACC 626 Intrusion Detection Systems vs. Intrusion Prevention Systems Sohkyoung (Michelle) Cho ACC 626 1.0 INTRODUCTION An increasing number of organizations use information systems to conduct their core business

More information

Peeling Back the Layers of the Network Security with Security Onion Gary Smith, Pacific Northwest National Laboratory

Peeling Back the Layers of the Network Security with Security Onion Gary Smith, Pacific Northwest National Laboratory Peeling Back the Layers of the Network Security with Security Onion Gary Smith, Pacific Northwest National Laboratory A Little Context! The Five Golden Principles of Security! Know your system! Principle

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-07/

More information

The Essentials Series. PCI Compliance. sponsored by. by Rebecca Herold

The Essentials Series. PCI Compliance. sponsored by. by Rebecca Herold The Essentials Series PCI Compliance sponsored by by Rebecca Herold Using PCI DSS Compliant Log Management to Identify Attacks from Outside the Enterprise...1 Outside Attacks Impact Business...1 PCI DSS

More information

Marlicia J. Pollard East Carolina University ICTN 4040 SECTION 602 Mrs. Boahn Dr. Lunsford

Marlicia J. Pollard East Carolina University ICTN 4040 SECTION 602 Mrs. Boahn Dr. Lunsford Intrusion Detection Marlicia J. Pollard East Carolina University ICTN 4040 SECTION 602 Mrs. Boahn Dr. Lunsford For this term paper I will be discussing the subject of Intrusion detection. I will be going

More information

RSA Security Analytics

RSA Security Analytics RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Compliance yes, but security? Analyze & prioritize alerts across various sources

More information

PCI Security Scan Procedures. Version 1.0 December 2004

PCI Security Scan Procedures. Version 1.0 December 2004 PCI Security Scan Procedures Version 1.0 December 2004 Disclaimer The Payment Card Industry (PCI) is to be used as a guideline for all entities that store, process, or transmit Visa cardholder data conducting

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

PROFESSIONAL SECURITY SYSTEMS

PROFESSIONAL SECURITY SYSTEMS PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security

More information

1 Intrusion Detection System deployment Methodology

1 Intrusion Detection System deployment Methodology 1 Intrusion Detection System deployment Methodology Its almost ten years since the firewall became the foremost security tool for network administrators. And for the last five years, most people agreed

More information

Our Security. History of IDS Cont d In 1983, Dr. Dorothy Denning and SRI International began working on a government project.

Our Security. History of IDS Cont d In 1983, Dr. Dorothy Denning and SRI International began working on a government project. Our Security Ways we protect our valuables: By Edith Butler Fall 2008 Locks Security Alarm Video Surveillance, etc. History about IDS It began in 1980, with James Anderson's paper: History of IDS Cont

More information

86-10-15 The Self-Hack Audit Stephen James Payoff

86-10-15 The Self-Hack Audit Stephen James Payoff 86-10-15 The Self-Hack Audit Stephen James Payoff As organizations continue to link their internal networks to the Internet, system managers and administrators are becoming increasingly aware of the need

More information