Intrusion Detection Systems
Slide 1: Intrusion Detection Systems
Sebastian Abt
Selected Topics in IT-Security, Lecture 05, Summer term 2012
STITS, Lecture 05: Intrusion Detection Systems

Slide 2: Motivation
Slide 3: Motivation
» Why do we need intrusion detection systems?
  - Computer systems commonly contain sensitive data
  - Vulnerabilities are inherent to computer systems and software:
    flaws in system design or software development,
    misconfiguration of a system or software,
    no or inappropriate operational processes
  - Attackers try to gain access to systems by exploiting vulnerabilities:
    insider vs. outsider threat, industry espionage, Internet underground economy

Slide 4: Motivation
» Intrusion detection systems in real life?
  - Car alarms, house alarms, fire detectors, earthquake detectors, tsunami warning systems
Slide 5: Learning Objectives
» Understand the necessity of IDS
» Understand the principles of IDS
» Understand the capabilities of IDS
» Be able to classify IDS
» Be able to evaluate IDS performance
» Get an impression of the open source Snort IDS

Slide 6: Definitions
» A vulnerability is an exploitable flaw in a system or software
» An attacker is a person seeking unauthorized access to systems or data
» An attack is an attempt to violate a security goal
» An intrusion is a successful attack
» An exploit is software written to exploit a specific vulnerability
» Malware is malicious software used during an attack
Slide 7: Definitions
» Intrusion detection (ID) is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices
» An intrusion detection system (IDS) is software that automates the intrusion detection process
» An intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents
Source: NIST Special Publication, Guide to Intrusion Detection and Prevention Systems (IDPS)

Slide 8: IDS vs. IPS
» An IPS can actively stop malicious activities
  - Enables pro-active mitigation of attacks
  - An IPS has to be deployed in-band with the data stream
» Possible mitigation measures?
  - Terminate malicious network connections
  - Terminate malicious processes
» In the following, we will not distinguish between IDS and IPS

Slide 9: IDS vs. Extrusion Detection System
» An IDS usually monitors data inbound to computer systems
  - Detecting attacks targeting specific systems
» An extrusion detection system (EDS) monitors data outbound from computer systems
  - Protecting others from a specific system
  - Usually used to detect illegal activities originating from computer systems:
    data leakage (e.g. industry espionage),
    misuse of corporate systems and networks (e.g. file sharing, visiting web sites that policy declares illegal)
Slide 10: Architecture and Components of IDS / Generalized architecture
[Figure: generalized IDS architecture. A sensor or agent passes pre-processed data to the detection engine; the detection engine gets/updates event information in the event database and gets/updates knowledge in the domain knowledge store; alerts go to the console, which views event information, issues commands and updates knowledge]

Slide 11: Architecture and Components of IDS / Components
» Sensor or agent: sensors and agents capture and pre-process activity
» Detection engine: a component that receives information from sensors or agents and analyses it, utilizing domain knowledge
» Event database: a repository for event information recorded by sensors and agents or detection engines
» Console: a program that provides an interface for the IDS users and administrators

Slide 12: Architecture and Components of IDS / Generic processing pipeline
» Monitoring of data
» Analysis of data
» Detection of attacks
» Response to attacks
[Figure: Data -> IDS (Monitoring -> Analysis -> Detection -> Response) -> Action]
Slide 13: Classification of IDS
» IDS are usually classified according to their locality of deployment and their incorporated ID technique
  - Locality of deployment: host-based IDS, network-based IDS, application-based IDS
  - Intrusion detection technique: misuse detection, anomaly detection, specification-based detection
» As usual, hybrid solutions are possible...

Slide 14: Locality of Deployment / Host-based IDS (1)
» (Usually) software deployed on a computer system
» Monitors host activity: sequence of system calls, network sockets, library loading
» Pros
  - Most complete view on data
  - Fine-grained analysis of host activity
» Cons
  - Attackable from the host (e.g. rootkit)
  - Attacker has already reached the host system
Slide 15: Locality of Deployment / Host-based IDS (2)
[Figure 7-1: Host-Based IDPS Agent Deployment Architecture Example. Source: NIST Special Publication, Guide to Intrusion Detection and Prevention Systems (IDPS)]
Network architectures (quoted from the source): The network architecture for host-based IDPS deployments is typically very simple. Because the agents are deployed to existing hosts on the organization's networks, the components usually communicate over those networks instead of using a separate management network. Most products encrypt their communications, preventing eavesdroppers from accessing sensitive information. Appliance-based agents are typically deployed inline immediately in front of the hosts that they are protecting. Figure 7-1 shows an example of a host-based IDPS deployment architecture.
Slide 16: Locality of Deployment / Network-based IDS (1)
» Either software deployed on a router or firewall, or specialized hardware/software attached to network links
» Monitors network traffic
  - In-band: data streams traverse the IDS to reach their destination
  - Out-of-band: data streams are mirrored to the IDS
    active mirroring: SPAN port on a network device
    passive mirroring: network TAP

Slide 17: Locality of Deployment / Network-based IDS (2)
» Pros
  - Can monitor network traffic of many hosts
  - Global view on activities
  - Early stage detection
» Cons
  - No state information from hosts
  - Possibly limited by encryption
  - High volume of network traffic
Slide 18: Locality of Deployment / Network-based IDS (3)
[Figure 4-2: Inline Network-Based IDPS Sensor Architecture Example, (a) in-band deployment. Figure 4-3: Passive Network-Based IDPS Sensor Architecture Example, (b) out-of-band deployment. Source: NIST Special Publication, Guide to Intrusion Detection and Prevention Systems (IDPS), section 4.3 Security Capabilities]
Quoted from the source: Passive. A passive sensor is deployed so that it monitors a copy of the actual network traffic;
Slide 19: Locality of Deployment / Application-based IDS
» Software component or sandbox of a specific application
» Monitors data inside and the state of the application: data fed into the application (e.g. SQL queries), log statements
» Pros
  - Application-specific view on data
  - Possibility to effectively prevent exploitation of vulnerabilities
» Cons
  - Run-time overhead
  - Development overhead

Slide 20: Intrusion Detection Technique / Misuse detection
» The IDS uses attack signatures to perform intrusion detection
» Signatures describe known attacks
  - Hypothesis: attacks of the same kind show the same patterns
  - Needs an attack model, so it detects known attacks only
  - Signatures have to be generated timely and reliably
» Well-known systems: Snort Intrusion Detection System, Bro Network Security Monitor

Slide 21: Intrusion Detection Technique / Anomaly detection
» The IDS uses a model of normality to perform intrusion detection
» The model of normality (profile) shall describe normal system behaviour
  - Hypothesis: attacks cause deviation from the profile
  - Can possibly detect yet unknown attacks
  - But: how to model normal system behaviour?
    expert knowledge: manually construct the profile
    AI/ML: learn the profile from monitoring data
  - Issues?

Slide 22: Intrusion Detection Technique / Specification-based detection
» The IDS uses a specification of normal activities to perform intrusion detection
» Policies describe permitted events and activities
  - Hypothesis: attacks differ from policy
  - Explicit models of normality: permitted/certified software, matrix of network communication
» Technique commonly deployed in network packet filters
Slide 23: Signature/Model Generation
» IDS need signatures (misuse detection) or profiles (anomaly detection) to detect intrusions
» How can signatures/models be generated?
  - Identify characteristics of a specific class of events: characteristics of attacks, characteristics of normal behaviour
  - Characteristics are usually referred to as features
  - Multiple (distinctive) features are combined to form a feature vector
  - The process of generating the feature vector is called feature extraction
  - The feature vector has to be encoded appropriately

Slide 24: Lifecycle of a Vulnerability
[Figure: the lifecycle of a vulnerability defined by distinctive events on a time axis t: creation (t_creat), discovery (t_disco), exploit (t_explo), disclosure (t_discl), patch available (t_patch), patch installed (t_insta). Information is not public before disclosure and public after it. Pre-disclosure risk: t_disco to t_discl; post-disclosure risk: t_discl to t_patch; post-patch risk: t_patch to t_insta. Zero-day attacks call for anomaly detection, known attacks for misuse detection. Source: Frei et al., Modelling the Security Ecosystem - The Dynamics of (In)Security]
Slide 25: Efficiency of IDS
» IDS efficiency can be evaluated according to different criteria:
  - Accuracy: proper detection of attacks, absence of false alarms
  - Throughput: amount of data analysed per time unit
  - Fault tolerance: availability of the IDS, resistance to attacks targeting the IDS
  - Timeliness: time elapsed between intrusion and detection

Slide 26: Accuracy of IDS / Definitions
» Correlation of detection result and reality of event E
  - High false negative rate leads to undetected attacks
  - High false positive rate leads to annoyed operators
  - Q: Which technique is prone to what errors?

  Reality(E)    | Detection result(e): Valid event | Detection result(e): Attack
  Valid event   | True negative                    | False positive
  Attack        | False negative                   | True positive
Slide 27: Accuracy of IDS / Base-rate fallacy
» Suppose 1% of network traffic belongs to malicious activities
» IDS accuracy is 90%
  - Malicious traffic classified as intrusion with probability 0.9
  - Valid traffic classified as intrusion with probability 0.1
» Probability that an alarm indicates an intrusion?
  - Prob(Intrusion occurred | Alarm is raised), a conditional probability

Slide 28: Accuracy of IDS / Conditional probability
» The conditional probability Prob(X | Y) is the probability that event X occurs if event Y is known to occur
» The conditional probability of X given Y is defined as
  $\mathrm{Prob}(X \mid Y) = \frac{\mathrm{Prob}(X \cap Y)}{\mathrm{Prob}(Y)}$
  - Q: Constraint on Prob(Y)?
» Prob(X ∩ Y) denotes the joint probability of X and Y:
  $\mathrm{Prob}(X \cap Y) = \mathrm{Prob}(X \mid Y)\,\mathrm{Prob}(Y)$

Slide 29: Accuracy of IDS / Bayes' theorem
» Can be used to compute conditional entropy
  $\mathrm{Prob}(X \mid Y) = \frac{\mathrm{Prob}(X \cap Y)}{\mathrm{Prob}(Y)} = \frac{\mathrm{Prob}(X \cap Y)}{\mathrm{Prob}(X)} \cdot \frac{\mathrm{Prob}(X)}{\mathrm{Prob}(Y)} = \frac{\mathrm{Prob}(Y \mid X)\,\mathrm{Prob}(X)}{\mathrm{Prob}(Y)}$
» Often, Prob(X | Y) has to be computed while Prob(Y | X) is known
Slide 30: Accuracy of IDS / Base-rate fallacy
» Suppose 1% of network traffic belongs to malicious activities
» IDS accuracy is 90%
  - Malicious traffic classified as intrusion with probability 0.9
  - Valid traffic classified as intrusion with probability 0.1
» Probability that an alarm indicates an intrusion?
  - Prob(Intrusion occurred | Alarm is raised), a conditional probability

Slide 31: Accuracy of IDS / Base-rate fallacy
» The scene...
  - Let M denote malicious activity, Prob(M) = 0.01
  - A denote an alarm raised by the IDS, Prob(A) = ?
  - ¬M denote benign activity, Prob(¬M) = 1 - Prob(M) = 0.99
  - ¬A denote no alarm raised by the IDS, Prob(¬A) = ?
» Probability of a true positive: Prob(A | M) = 0.9, obtained when testing our IDS
» Probability of a false positive: Prob(A | ¬M) = 0.1, obtained when testing our IDS

Slide 32: Accuracy of IDS / Base-rate fallacy
» Probability of a true negative: Prob(¬A | ¬M) = 1 - Prob(A | ¬M) = 0.9
» Probability of a false negative: Prob(¬A | M) = 1 - Prob(A | M) = 0.1
» Probability that an alarm indicates an intrusion (Bayesian detection rate):
  $\mathrm{Prob}(M \mid A) = \frac{\mathrm{Prob}(A \mid M)\,\mathrm{Prob}(M)}{\mathrm{Prob}(A \mid M)\,\mathrm{Prob}(M) + \mathrm{Prob}(A \mid \neg M)\,\mathrm{Prob}(\neg M)} = \frac{0.9 \cdot 0.01}{0.9 \cdot 0.01 + 0.1 \cdot 0.99} = \frac{0.009}{0.108} \approx 0.083$
Slide 33: Accuracy of IDS / Base-rate fallacy
» Probability that an alarm indicates an intrusion: Prob(M | A) ≈ 0.083, i.e. about 8 %
» Probability that an alarm indicates no intrusion: Prob(¬M | A) = 1 - Prob(M | A) ≈ 92 %
» The false alarm rate is approximately 92%! 92 out of 100 alarms do not indicate intrusions
» Effect due to the low base rate of malicious activity: malicious activity is rare compared to total activity
» See Axelsson, 1999, The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection, for further details

Slide 34: Accuracy of IDS / Bayesian detection rate vs. base-rate
[Figure: Bayesian detection rate Prob(M | A) plotted against the base rate Prob(M)]
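The base-rate example of slides 26 to 34, carried through in Python as an added example (this is not code from the slides; the function names are mine): it fills the detection-result vs. reality table for 10,000 events, evaluates Prob(M | A) for the lecture's numbers, sweeps the base rate as the slide 34 curve does, and goes one step further by deriving the false positive rate an IDS would need for at least half of its alarms to be real.

```python
"""Bayesian detection rate of an IDS (added example, not from the slides).
Symbols follow the lecture: M = malicious activity, A = alarm raised,
Prob(A|M) = true positive rate (tpr), Prob(A|not M) = false positive rate (fpr)."""


def expected_counts(n, p_m, tpr, fpr):
    """Fill the detection-result vs. reality table of slide 26 with the
    expected cell counts for n observed events."""
    malicious, benign = n * p_m, n * (1 - p_m)
    return {
        "true_positive": malicious * tpr,
        "false_negative": malicious * (1 - tpr),
        "false_positive": benign * fpr,
        "true_negative": benign * (1 - fpr),
    }


def rates_from_counts(tp, fp, tn, fn):
    """Recover Prob(A|M) and Prob(A|not M) from the four table cells."""
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return tpr, fpr


def bayesian_detection_rate(p_m, tpr, fpr):
    """Prob(M|A) by Bayes' theorem:
    Prob(A|M)Prob(M) / (Prob(A|M)Prob(M) + Prob(A|not M)Prob(not M))."""
    p_alarm = tpr * p_m + fpr * (1 - p_m)  # Prob(A) by total probability
    if p_alarm == 0:
        raise ValueError("the IDS never raises an alarm, Prob(M|A) is undefined")
    return tpr * p_m / p_alarm


def false_alarm_rate(p_m, tpr, fpr):
    """Prob(not M|A): the share of alarms that do not indicate an intrusion."""
    return 1.0 - bayesian_detection_rate(p_m, tpr, fpr)


def base_rate_sweep(tpr, fpr, base_rates):
    """Prob(M|A) for several base rates, i.e. the curve of slide 34,
    as a list of (Prob(M), Prob(M|A)) pairs."""
    return [(p, bayesian_detection_rate(p, tpr, fpr)) for p in base_rates]


def max_fpr_for_target(p_m, tpr, target):
    """Largest Prob(A|not M) that still yields Prob(M|A) >= target.
    Solving tpr*p / (tpr*p + fpr*(1-p)) >= target for fpr gives
    fpr <= tpr*p*(1-target) / (target*(1-p))."""
    if not 0 < target <= 1 or not 0 < p_m < 1:
        raise ValueError("target must lie in (0, 1] and the base rate in (0, 1)")
    return tpr * p_m * (1 - target) / (target * (1 - p_m))


# The lecture's scenario: 1% malicious traffic, 90% "accuracy"
P_M, TPR, FPR = 0.01, 0.9, 0.1

if __name__ == "__main__":
    print("expected cells for 10,000 events:", expected_counts(10_000, P_M, TPR, FPR))
    print("Prob(M|A) = %.3f" % bayesian_detection_rate(P_M, TPR, FPR))
    print("false alarm rate = %.1f%%" % (100 * false_alarm_rate(P_M, TPR, FPR)))
    for p, bdr in base_rate_sweep(TPR, FPR, [0.5, 0.1, 0.01, 0.001]):
        print("base rate %.3f -> Prob(M|A) = %.3f" % (p, bdr))
    print("FPR needed for Prob(M|A) >= 0.5: %.4f" % max_fpr_for_target(P_M, TPR, 0.5))
```

With the lecture's numbers the required false positive rate comes out near 0.009, roughly an order of magnitude below the 0.1 of the example, which is Axelsson's point in a single figure.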
Slide 35: Visualisation of IDS performance
» Receiver operating characteristic (ROC) curve
[Figure: ROC curves of IDS1 and IDS2, true positive rate on the y-axis against false positive rate on the x-axis]

Slide 36: Visualisation of IDS performance
» Receiver operating characteristic (ROC) curve
[Figure: ROC curves of IDS1, IDS2 and an ideal IDS, true positive rate on the y-axis against false positive rate on the x-axis]

Slide 37: Snort IDS
» Well-known and established network-based IDS
  - Open source
  - Signature-based
  - Commercial support and signatures
[Figure: Data -> Snort IDS (Monitoring -> Analysis -> Detection -> Response) -> Action]
Slide 38: Snort IDS / Data
» Create your own network tap as illustrated below
  [Figure: network tap wiring]
» Connect a free computer to the tap ports
» Configuration example, assuming FreeBSD and Intel networking cards:
  ids# ifconfig bridge create
  ids# ifconfig bridge0 addm em0 addm em1 monitor up
  ids# ifconfig em0 up
  ids# ifconfig em1 up
  ids# tcpdump -ni bridge0

Slide 39: Snort IDS / Monitoring
» Three operating modes: sniffer, packet logger, network-based IDS
  ids# snort -de -l /ids -c /etc/snort.conf -D
  -d  inspect payload data
  -e  inspect ethernet layer
  -l  log directory
  -c  snort configuration file
  -D  run as daemon

Slide 40: Snort IDS / Analysis
» Snort pre-processors
  - Run before the detection engine
  - Own pre-processors can be written in C
» Example pre-processors
  - Frag3: IP defragmentation
  - Stream5: TCP/UDP stream reassembly
  - Protocol awareness: HTTP Inspect (HTTP decode and normalization), {SMTP, POP, IMAP, Telnet, FTP, RPC} pre-processors
Slide 41: Snort IDS / Detection (1)
» Signature-based detection using rules
» Rules are applied to pre-processed data
» Rule format: RULE_HEADER (RULE_OPTIONS)
  RULE_HEADER = ACTION PROTO SRC_IP SRC_PORT DIR DST_IP DST_PORT
  ACTION = {alert, log, pass, activate, dynamic, drop, reject, sdrop}
  PROTO = {IP, TCP, UDP, ICMP}
  SRC_IP, DST_IP = IP addresses or ranges
  SRC_PORT, DST_PORT = port numbers or ranges
  DIR = {->, <>}

Slide 42: Snort IDS / Detection (2)
» Signature-based detection using rules
» Rules are applied to pre-processed data
» Rule format: RULE_HEADER (RULE_OPTIONS)
  RULE_OPTIONS define the detection parameters
  RULE_OPTIONS = {OPTION}
  OPTION = KEYWORD : ARGUMENTS ;
» Four categories of rule options
  - general: information about the rule itself
  - payload: payload-specific options
  - non-payload: non-payload effects
  - post-detection: post-detection triggers
Slide 43: Snort IDS / Detection (3)
» Example rule: x86 Linux shellcode sequence
  alert ip $EXTERNAL_NET any -> $HOME_NET any
  (
    msg:"shellcode Linux shellcode";
    content:"|E8 C0 FF FF FF|/bin/sh";
    fast_pattern:only;
    reference:arachnids,343;
    classtype:shellcode-detect;
    sid:652;
    rev:11;
  )

Slide 44: Snort IDS / Detection (4)
» Example rule: TT-bot trying to contact its CnC server
  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
  (
    msg:"botnet-cnc TT-bot botnet contact to C&C server attempt";
    flow:to_server,established;
    content:"TT-Bot";
    nocase;
    http_header;
    pcre:"/^user-agent\x3a[^\r\n]*tt-bot/mi";
    reference:url,anubis.iseclab.org/index.php? action=result&format=html&task_id= ca ead93feabed2;
    classtype:trojan-activity;
    sid:16493;
    rev:7;
  )

Slide 45: Snort IDS / Response
» Basically defined in the rule's action
  - alert: generate a specific alert (pager, SMS, ...)
  - log: log the packet to the Snort log file
  - pass: ignore the packet
  - activate: alert and run a dynamic rule
  - dynamic: remain idle until activated
  - drop: drop and log the packet (only in inband/IPS mode)
  - reject: block and log the packet, and send TCP RST or ICMP unreachable
  - sdrop: drop without logging (performance)
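The rule grammar of slides 41 and 42 and the two example rules of slides 43 and 44, as an added Python example (not Snort's own code): a parser for RULE_HEADER and the KEYWORD:ARGUMENTS; option list that validates ACTION and PROTO against the sets on the slides, decodes the |..| hex notation of content, and evaluates content/nocase/pcre against a raw payload. The sample rules and HTTP requests are constructed; the TT-bot reference URL is replaced by a placeholder because the slide's copy is truncated.

```python
"""Parser and matcher for the Snort rule format on these slides (added example,
not Snort's own code): RULE_HEADER, KEYWORD:ARGUMENTS; options, |..| hex in
content, nocase and pcre. Stateful options (flow, http_header) are parsed only."""
import re
from collections import namedtuple

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOS = {"ip", "tcp", "udp", "icmp"}  # both sets from the slides' grammar
HEADER_RE = re.compile(
    r"^(?P<action>\S+) (?P<proto>\S+) (?P<src_ip>\S+) (?P<src_port>\S+) "
    r"(?P<dir>->|<>) (?P<dst_ip>\S+) (?P<dst_port>\S+) ?\((?P<body>.*)\)$")
# options: ordered list of (keyword, argument or None), as written in the rule
SnortRule = namedtuple("SnortRule", "action proto src_ip src_port direction "
                       "dst_ip dst_port options")

def split_options(body):
    """Split 'KEYWORD:ARGS; ...' on ';' but not inside "..." or after a backslash."""
    items, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            items.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    if in_quote:
        raise ValueError("unbalanced double quote in rule options")
    if "".join(cur).strip():
        raise ValueError("last option is not terminated by ';'")
    return [item for item in items if item]

def parse_rule(text):
    """Parse one rule (it may span several lines) into a SnortRule."""
    m = HEADER_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("rule is not of the form RULE_HEADER (RULE_OPTIONS)")
    action, proto = m["action"].lower(), m["proto"].lower()
    if action not in ACTIONS or proto not in PROTOS:
        raise ValueError("unknown ACTION or PROTO: %s %s" % (action, proto))
    options = []
    for item in split_options(m["body"]):
        keyword, sep, argument = item.partition(":")
        options.append((keyword.strip(), argument.strip() if sep else None))
    return SnortRule(action, proto, m["src_ip"], m["src_port"], m["dir"],
                     m["dst_ip"], m["dst_port"], options)

def content_bytes(argument):
    """Bytes a content option searches for: text outside |..| is literal,
    text inside |..| is hex, so "|E8 C0|/bin/sh" is 0xE8 0xC0 followed by /bin/sh."""
    s = argument.strip()
    if len(s) >= 2 and s[0] == s[-1] == '"':
        s = s[1:-1]
    parts = s.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content %r" % argument)
    out = bytearray()
    for i, part in enumerate(parts):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def payload_matches(rule, payload):
    """Evaluate content (with a following nocase) and pcre options against a
    raw payload; options that need protocol state are ignored here."""
    contents, pcres = [], []  # contents: [bytes, nocase]; nocase modifies the previous content
    for keyword, argument in rule.options:
        if keyword == "content":
            contents.append([content_bytes(argument), False])
        elif keyword == "nocase" and contents:
            contents[-1][1] = True
        elif keyword == "pcre":
            pcres.append(argument.strip().strip('"'))  # "/pattern/flags"
    for needle, nocase in contents:
        hay, needle = (payload.lower(), needle.lower()) if nocase else (payload, needle)
        if needle not in hay:
            return False
    for expr in pcres:
        cut = expr.rfind("/")
        pattern, flags = expr[1:cut], expr[cut + 1:]
        re_flags = ((re.I if "i" in flags else 0) | (re.M if "m" in flags else 0)
                    | (re.S if "s" in flags else 0))
        if not re.search(pattern.encode("latin-1"), payload, re_flags):
            return False
    return True

# Constructed inputs: the slides' shellcode rule, a variant of their TT-bot rule
# with a placeholder reference URL, and two constructed HTTP requests.
SHELLCODE_RULE = r'''alert ip $EXTERNAL_NET any -> $HOME_NET any
( msg:"shellcode Linux shellcode"; content:"|E8 C0 FF FF FF|/bin/sh";
  fast_pattern:only; reference:arachnids,343; classtype:shellcode-detect; sid:652; rev:11; )'''
TTBOT_RULE = r'''alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
( msg:"botnet-cnc TT-bot botnet contact to C&C server attempt"; flow:to_server,established;
  content:"TT-Bot"; nocase; http_header; pcre:"/^user-agent\x3a[^\r\n]*tt-bot/mi";
  reference:url,example.invalid/placeholder; classtype:trojan-activity; sid:16493; rev:7; )'''
BOT_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: TT-Bot/1.0\r\n\r\n"
BENIGN_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
```

Whitespace inside quoted arguments is collapsed to single spaces by the line joining in parse_rule, which is harmless for the slides' rules but would alter a content string that relies on runs of spaces.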
Slide 46: Summary
» IDS can detect known and unknown attacks
» IDS do not need to be placed inline with the data stream
» IDS can operate on different OSI layers
» IDS show different types of errors
» High accuracy and a low false alarm rate are essential for operational gain from an IDS
» Regular updates of models/signatures are elementary
» Alarm correlation and filtering are important research topics
More informationA Review of Anomaly Detection Techniques in Network Intrusion Detection System
A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In
More informationRole of Anomaly IDS in Network
Role of Anomaly IDS in Network SumathyMurugan 1, Dr.M.Sundara Rajan 2 1 Asst. Prof, Department of Computer Science, Thiruthangal Nadar College, Chennai -51. 2 Asst. Prof, Department of Computer Science,
More informationThreat Center. Real-time multi-level threat detection, analysis, and automated remediation
Threat Center Real-time multi-level threat detection, analysis, and automated remediation Description Advanced targeted and persistent threats can easily evade standard security, software vulnerabilities
More informationINTRUSION DETECTION SYSTEMS and Network Security
INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS
More informationSecurity Advisory. Some IPS systems can be easily fingerprinted using simple techniques.
Some IPS systems can be easily fingered using simple techniques. The unintentional disclosure of which security devices are deployed within your defences could put your network at significant risk. Security
More informationCS 5410 - Computer and Network Security: Intrusion Detection
CS 5410 - Computer and Network Security: Intrusion Detection Professor Kevin Butler Fall 2015 Locked Down You re using all the techniques we will talk about over the course of the semester: Strong access
More informationCisco IPS Tuning Overview
Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.
More informationForeScout CounterACT. Device Host and Detection Methods. Technology Brief
ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...
More informationFrom Network Security To Content Filtering
Computer Fraud & Security, May 2007 page 1/10 From Network Security To Content Filtering Network security has evolved dramatically in the last few years not only for what concerns the tools at our disposals
More informationLarry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping
Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control
More informationIntrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS) What are They and How do They Work? By Wayne T Work Security Gauntlet Consulting 56 Applewood Lane Naugatuck, CT 06770 203.217.5004 Page 1 6/12/2003 1. Introduction Intrusion
More informationNetwork Based Intrusion Detection Using Honey pot Deception
Network Based Intrusion Detection Using Honey pot Deception Dr.K.V.Kulhalli, S.R.Khot Department of Electronics and Communication Engineering D.Y.Patil College of Engg.& technology, Kolhapur,Maharashtra,India.
More informationRadware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International. www.radware.
Radware s Smart IDS Management FireProof and Intrusion Detection Systems Deployment and ROI North America Radware Inc. 575 Corporate Dr. Suite 205 Mahwah, NJ 07430 Tel 888 234 5763 International Radware
More informationThe Base Rate Fallacy and its Implications for the Difficulty of Intrusion Detection
The Base Rate Fallacy and its Implications for the Difficulty of Intrusion Detection Stefan Axelsson Presented by Kiran Kashalkar Agenda 1. 1. General Overview of of IDS 2. 2. Bayes Theorem and Base-Rate
More informationCSC574 - Computer and Network Security Module: Intrusion Detection
CSC574 - Computer and Network Security Module: Intrusion Detection Prof. William Enck Spring 2013 1 Intrusion An authorized action... that exploits a vulnerability... that causes a compromise... and thus
More informationComputer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1
Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton
More informationFirewalls & Intrusion Detection
Firewalls & Intrusion Detection CS 594 Special Topics/Kent Law School: Computer and Network Privacy and Security: Ethical, Legal, and Technical Consideration 2007, 2008 Robert H. Sloan Security Intrusion
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 9 Firewalls and Intrusion Prevention Systems First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Firewalls and Intrusion
More informationEffective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention
Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention Your Security Challenges Defending the Dynamic Network! Dynamic threats 䕬 䕬 䕬 䕬 Many threats
More informationHow To Protect Your Firewall From Attack From A Malicious Computer Or Network Device
Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet
More informationWHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT
WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT WHAT S INSIDE: 1. GENERAL INFORMATION 1 2. EXECUTIVE SUMMARY 1 3. BACKGROUND 2 4. QUESTIONS FOR CONSIDERATION
More informationDeployment of Snort IDS in SIP based VoIP environments
Deployment of Snort IDS in SIP based VoIP environments Jiří Markl, Jaroslav Dočkal Jaroslav.Dockal@unob.cz K-209 Univerzita obrany Kounicova 65, 612 00 Brno Czech Republic Abstract This paper describes
More informationAnalysis and Evaluation of Network-Based Intrusion Detection and Prevention System in an Enterprise Network Using Snort Freeware
Analysis and Evaluation of Network-Based Intrusion Detection and Prevention System in an Enterprise Network Using Snort Freeware 1 Corresponding Author: lawal5@yahoo.com 1 O.B. Lawal Computer Science Department,
More informationIntruPro TM IPS. Inline Intrusion Prevention. White Paper
IntruPro TM IPS Inline Intrusion Prevention White Paper White Paper Inline Intrusion Prevention Introduction Enterprises are increasingly looking at tools that detect network security breaches and alert
More informationComputer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 6, Nov. 10, 2010 Firewalls, Intrusion Prevention, Intrusion Detection
More informationContent-ID. Content-ID enables customers to apply policies to inspect and control content traversing the network.
Content-ID Content-ID enables customers to apply policies to inspect and control content traversing the network. Malware & Vulnerability Research 0-day Malware and Exploits from WildFire Industry Collaboration
More informationState of Vermont. Intrusion Detection and Prevention Policy. Date: 11-02-10 Approved by: Tom Pelham Policy Number:
State of Vermont Intrusion Detection and Prevention Policy Date: 11-02-10 Approved by: Tom Pelham Policy Number: 1 Table of Contents 1.0 Introduction... 3 1.1 Authority... 3 1.2 Purpose... 3 1.3 Scope...
More informationThe Need for Intelligent Network Security: Adapting IPS for today s Threats
The Need for Intelligent Network Security: Adapting IPS for today s Threats James Tucker Security Engineer Sourcefire Nordics A Bit of History It started with passive IDS. Burglar alarm for the network
More informationAnalysis and Evaluation of Network-Based Intrusion Detection and Prevention System in an Enterprise Network Using Snort Freeware
Analysis and Evaluation of Network-Based Intrusion Detection and Prevention System in an Enterprise Network Using Snort Freeware 1 Corresponding Author: lawal5@yahoo.com 1 O.B. Lawal Computer Science Department,
More informationIntrusion Detection and Prevention
Intrusion Detection and Prevention Packet Capture The first step in understanding how an IDS works is to understand packet capture. The best way to do this is to grab some packets with TCPdump. TCPdump
More informationSURVEY OF INTRUSION DETECTION SYSTEM
SURVEY OF INTRUSION DETECTION SYSTEM PRAJAPATI VAIBHAVI S. SHARMA DIPIKA V. ASST. PROF. ASST. PROF. MANISH INSTITUTE OF COMPUTER STUDIES MANISH INSTITUTE OF COMPUTER STUDIES VISNAGAR VISNAGAR GUJARAT GUJARAT
More informationAlienVault Unified Security Management Solution Complete. Simple. Affordable Life Cycle of a log
Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat
More information1. INTRODUCTION 2. CLASSIFICATION OF INTRUSION DETECTION SYSTEMS
International Journal of Computational Engineering & Management, Vol. 15 Issue 1, January 2012 www..org A REVIEW ON INFORMATION FLOW IN INTRUSION DETECTION SYSTEM Yogesh Kumar 1, Swati Dhawan 2 1 Astt.
More informationPassive Vulnerability Detection
Page 1 of 5 Passive Vulnerability Detection "Techniques to passively find network security vulnerabilities" Ron Gula rgula@securitywizards.com September 9, 1999 Copyright 1999 Network Security Wizards
More informationName. Description. Rationale
Complliiance Componentt Description DEEFFI INITION Network-Based Intrusion Detection Systems (NIDS) Network-Based Intrusion Detection Systems (NIDS) detect attacks by capturing and analyzing network traffic.
More informationIntrusion Defense Firewall
Intrusion Defense Firewall Available as a Plug-In for OfficeScan 8 Network-Level HIPS at the Endpoint A Trend Micro White Paper October 2008 I. EXECUTIVE SUMMARY Mobile computers that connect directly
More informationNetwork Defense Tools
Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall
More informationDMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch
DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch What You Will Learn A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)
More informationnmap, nessus, and snort Vulnerability Analysis & Intrusion Detection
nmap, nessus, and snort Vulnerability Analysis & Intrusion Detection agenda Vulnerability Analysis Concepts Vulnerability Scanning Tools nmap nikto nessus Intrusion Detection Concepts Intrusion Detection
More informationIntrusion Detection Systems
Intrusion Detection Systems Sokratis K. Katsikas Dept. of Digital Systems University of Piraeus ska@unipi.gr Agenda Overview of IDS Intrusion prevention using game theory Reducing false positives Clustering
More informationIntelligent. Data Sheet
Cisco IPS Software Product Overview Cisco IPS Software is the industry s leading network-based intrusion prevention software. It provides intelligent, precise, and flexible protection for your business
More informationWho am I? BlackHat RSA
Intrusion Detection Who am I? Informal Security Education CS - Colby College Honors work in Static Analysis Fortify Software Engineer Architect Product Management HP AlienVault Products BlackHat RSA What
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 40 Firewalls and Intrusion
More information