Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis



Similar documents
CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Intruders & Intrusion Hackers Criminal groups Insiders. Detection and IDS Techniques Detection Principles Requirements Host-based Network-based

Intrusion Detection Systems

Segurança Redes e Dados

Firewalls. CS 6v81 - Network Security. What is a firewall? Firewall capabilities. Firewall limitations. Firewall limitations, cont d

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

CS549: Cryptography and Network Security

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

INTRUSION DETECTION SYSTEMS and Network Security

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Firewalls and Intrusion Detection

How To Protect Your Network From Attack From A Hacker On A University Server

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Introduction of Intrusion Detection Systems

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

Network Based Intrusion Detection Using Honey pot Deception

PROFESSIONAL SECURITY SYSTEMS

Network and Host-based Vulnerability Assessment

Global Partner Management Notice

How To Protect Your Network From Attack From Outside From Inside And Outside

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

Chapter 20 Firewalls. Cryptography and Network Security Chapter 22. What is a Firewall? Introduction 4/19/2010

Intrusion Detection Systems

Intruders and viruses. 8: Network Security 8-1

Intrusion Detection for Mobile Ad Hoc Networks

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

IDS / IPS. James E. Thiel S.W.A.T.

Taxonomy of Intrusion Detection System

74% 96 Action Items. Compliance

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Firewalls, Tunnels, and Network Intrusion Detection

Closing Wireless Loopholes for PCI Compliance and Security

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

The Self-Hack Audit Stephen James Payoff

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Hackers: Detection and Prevention

Computer Networks & Computer Security

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Security Intrusion & Detection. Intrusion Detection Systems (IDSs)

Chapter 9 Firewalls and Intrusion Prevention Systems

Role of Anomaly IDS in Network

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

A Proposed Architecture of Intrusion Detection Systems for Internet Banking

Grandstream Networks, Inc. UCM6100 Security Manual

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Computer Security: Principles and Practice

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

THE ROLE OF IDS & ADS IN NETWORK SECURITY

A Decision Maker s Guide to Securing an IT Infrastructure

Network Security: Introduction

Network- vs. Host-based Intrusion Detection

CMPT 471 Networking II

CMS Operational Policy for Firewall Administration

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

Environment. Attacks against physical integrity that can modify or destroy the information, Unauthorized use of information.

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

Name. Description. Rationale

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph I MCA

TIME SCHEDULE. 1 Introduction to Computer Security & Cryptography 13

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

CS5008: Internet Computing

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Firewalls & Intrusion Detection

Transport Level Security

ITEC441- IS Security. Chapter 15 Performing a Penetration Test


Description: Objective: Attending students will learn:

Radware s Behavioral Server Cracking Protection

GFI White Paper PCI-DSS compliance and GFI Software products

Locking down a Hitachi ID Suite server

Development of a Network Intrusion Detection System

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Firewall Firewall August, 2003

CTS2134 Introduction to Networking. Module Network Security

Concierge SIEM Reporting Overview

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Firewalls Netasq. Security Management by NETASQ

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Malicious Software. Malicious Software. Overview. Backdoor or Trapdoor. Raj Jain. Washington University in St. Louis

SECURITY ADVISORY FROM PATTON ELECTRONICS

Firewall Design Principles Firewall Characteristics Types of Firewalls

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

Our Security. History of IDS Cont d In 1983, Dr. Dorothy Denning and SRI International began working on a government project.

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

Transcription:

Intrusion Detection Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/ 1. Intruders 2. Intrusion Detection 3. Password Management These slides are based partly on Lawrie Brown s slides supplied with William Stallings s book Cryptography and Network Security: Principles and Practice, 6 th Ed, 2013. 21-1 21-2 Concepts Intrusion: Break into, misuse, or exploit a system (against policy) Intruders: Insiders or outsiders Most IDS are designed for outsiders Vulnerability: Weakness that could be used by the attacker Threat: Party that exploits a vulnerability Structured Threat: Adversaries with a formal methodology, a financial sponsor, and a defined objective. Unstructured Threat: Compromise victims out of intellectual curiosity Intrusion vs. Extrusion Detection Intrusion Detection: Detecting unauthorized activity by inspecting inbound traffic Extrusion Detection: Detecting unauthorized activity by inspecting outbound traffic Extrusion: Insider visiting malicious web site or a Trojan contacting a remote internet relay chat channel 21-3 21-4

Examples of Intrusion Remote root compromise Web server defacement Guessing / cracking passwords Copying viewing sensitive data / databases Running a packet sniffer Distributing pirated software Using an unsecured modem to access net Impersonating a user to reset password Using an unattended workstation 21-5 Categories of Intruders Hackers: Motivated by thrill of access and status Hacking community a strong meritocracy Status is determined by level of competence Computer Emergency Response Teams (CERTs) -Collect / disseminate vulnerability info / responses Criminal Enterprises: Organized groups of hackers E.g., Eastern European or Russian hackers Often target credit cards on e-commerce server Internal Threat May be motivated by revenge / entitlement When employment terminated Taking customer data when move to competitor Ref: http://en.wikipedia.org/wiki/computer_emergency_response_team 21-6 Hacker Behavior Example 1. Select target using IP lookup tools 2. Map network for accessible services 3. Identify potentially vulnerable services 4. Brute force (guess) passwords 5. Install remote administration tool 6. Wait for admin to log on and capture password 7. Use password to access remainder of network Criminal Enterprise Behavior 1. Act quickly and precisely to make their activities harder to detect 2. Exploit perimeter via vulnerable ports 3. Use trojan horses (hidden software) to leave back doors for re-entry 4. Use sniffers to capture passwords 5. Do not stick around until noticed 6. Make few or no mistakes. Ref: http://en.wikipedia.org/wiki/hacker_(computer_security) 21-7 21-8

Insider Behavior Example 1. Create network accounts for themselves and their friends 2. Access accounts and applications they wouldn't normally use for their daily jobs 3. E-mail former and prospective employers 4. Conduct furtive instant-messaging chats 5. Visit web sites that cater to disgruntled employees, such as f'dcompany.com 6. Perform large downloads and file copying 7. Access the network during off hours. Intrusion Techniques Often use system / software vulnerabilities Key goal often is to acquire passwords So then exercise access rights of owner Basic attack methodology Target acquisition and information gathering Initial access Privilege escalation Covering tracks 21-9 21-10 Password Guessing and Capture Attacker knows a login (from email/web page etc) Then attempts to guess password for it Defaults, short passwords, common word searches User info (variations on names, birthday, phone, common words/interests) Exhaustively searching all possible passwords Check by login or against stolen password file Another attack involves password capture Watching over shoulder as password is entered Using a trojan horse program to collect Monitoring an insecure network login, E.g., FTP Ref: http://en.wikipedia.org/wiki/password_cracking 21-11 Notification Alarms False Positive: Valid traffic causes an alarm False Negative: Invalid traffic does not cause an alarm Normal Probability 21-12 Abnormal Activities False Negatives False Positives

Types of IDS Signature Based IDS: Search for known attack patterns using pattern matching, heuristics, protocol decode Rule Based IDS: Violation of security policy Anomaly-Based IDS Statistical or non-statistical detection Response: Passive: Alert the console Reactive: Stop the intrusion Intrusion Prevention System Blocking Sample Signatures ICMP Floods directed at a single host Connections of multiple ports using TCP SYN A single host sweeping a range of nodes using ICMP A single host sweeping a range of nodes using TCP Connections to multiple ports with RPC requests between two nodes Ref: http://en.wikipedia.org/wiki/intrusion_detection_system, http://en.wikipedia.org/wiki/intrusion_detection 21-13 21-14 Anomaly Based IDS Traffic that deviates from normal, e.g., routing updates from a host Statistical Anomaly: sudden changes in traffic characteristics Machine Learning: Learn from false positives and negatives Data Mining: Develop fuzzy rules to detect attacks Statistical Anomaly Detection Threshold detection Count occurrences of specific event over time If exceed reasonable value assume intrusion Used alone, it is a crude and ineffective detector Profile based Characterize past behavior of users Detect significant deviations from this Profile usually multi-parameter 21-15 21-16

Audit Records Fundamental tool for intrusion detection Native audit records: Part of all common multi-user O/S Detection-specific audit records Created specifically to collect wanted info Audit Record Analysis: Foundation of statistical approaches Analyze records to get metrics over time Counter, gauge, interval timer, resource use Use various tests on these to determine if current behavior is acceptable Mean & standard deviation, multivariate, markov process, time series, operational Key advantage is no prior knowledge used Ref: http://en.wikipedia.org/wiki/information_security_audit, http://en.wikipedia.org/wiki/audit_trail 21-17 Rule-Based Intrusion Detection Rule-based anomaly detection Analyze historical audit records to identify usage patterns and auto-generate rules for them Rule-based penetration identification Uses expert systems technology With rules identifying known penetration, weakness patterns, or suspicious behavior Compare audit records or states against rules Rules usually machine & O/S specific Rules are generated by experts who interview & codify knowledge of security admins Quality depends on how well this is done 21-18 Types of IDS IDS Sensor: SW/HW to collect and analyze network traffic Host IDS: Runs on each server or host Network IDS: Monitors traffic on the network Network IDS may be part of routers or firewalls Manager Host Based Network Based IDS Host vs. Network IDS Agent Agent Agent Ref: http://en.wikipedia.org/wiki/host-based_intrusion_detection_system http://en.wikipedia.org/wiki/network_intrusion_detection_system 21-19 WWW Mail DNS 21-20

Honeypots Decoy systems to lure attackers Away from accessing critical systems To collect information of their activities To encourage attacker to stay on system so administrator can respond Are filled with fabricated information Instrumented to collect detailed information on attackers activities Single or multiple networked systems Password Management Front-line defense against intruders Users supply both: Login determines privileges of that user Password to identify them Passwords often stored encrypted Unix uses multiple DES (variant with salt) More recent systems use crypto hash function Should protect password file on system Ref: http://en.wikipedia.org/wiki/honeypot_(computing) 21-21 Ref: http://en.wikipedia.org/wiki/salt_(cryptography) 21-22 Managing Passwords Summary Education: Give guidelines for good passwords Require a mix of upper & lower case letters, numbers, punctuation Computer Generated Passwords Not memorisable, so will be written down (sticky label syndrome) FIPS PUB 181: Random pronounceable syllables Reactive Checking: Run offline password guessing tools Proactive Checking: Check when users select passwords Compare against dictionary of bad passwords 21-23 1. Intruders can be both internal, external or organized 2. IDS can be signature based, anomaly based, or statistical Should minimized false positives and false negatives. 3. IDS can be host based or network based. Host based is more scalable. 4. Honeypots can be used to detect intruders 5. Password management requires education and proactive checking 21-24

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information