Contents. Intrusion Detection Systems (IDS) Intrusion Detection. Why Intrusion Detection? What is Intrusion Detection?



Similar documents
Intrusion Detection Systems

Name. Description. Rationale

Security Event Management. February 7, 2007 (Revision 5)

Host-based Intrusion Prevention System (HIPS)

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Intrusion Detection Systems

System Specification. Author: CMU Team

Role of Anomaly IDS in Network

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

Network- vs. Host-based Intrusion Detection

IDS / IPS. James E. Thiel S.W.A.T.

funkwerk packetalarm NG IDS/IPS Systems

From Network Security To Content Filtering

Next Generation. VoIP Application Firewall.

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Firewalls, Tunnels, and Network Intrusion Detection

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Intrusion Detection for Mobile Ad Hoc Networks

INTRUSION DETECTION SYSTEMS and Network Security

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Ohio Supercomputer Center

A Case Study on Constructing a Security Event Management (SEM) System

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Introduction of Intrusion Detection Systems

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

O S S I M. Open Source Security Information Manager. User Manual

Network-Based and Host- Based Intrusion Detection. Harley Kozushko. Graduate Seminar

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Firewalls & Intrusion Detection

THE ROLE OF IDS & ADS IN NETWORK SECURITY

B database Security - A Case Study

Computer security technologies

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls


Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

CSE590IS Intrusion Detection Systems. Marianne Shaw January 29, DDoS: Can t prevent malicious traffic reaching you

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Managed Security Services

How To Manage Security On A Networked Computer System

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

Current and Future Research into Network Security Prof. Madjid Merabti

Common Cyber Threats. Common cyber threats include:

Fail-Safe IPS Integration with Bypass Technology

Security Mgt. Tools and Subsystems

CSE331: Introduction to Networks and Security. Lecture 18 Fall 2006

Fifty Critical Alerts for Monitoring Windows Servers Best practices

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson

IBM QRadar Security Intelligence April 2013

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Passive Vulnerability Detection

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Ecom Infotech. Page 1 of 6

How To Protect Your Network From Attack From A Hacker On A University Server

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

How To Buy Nitro Security

Intruders & Intrusion Hackers Criminal groups Insiders. Detection and IDS Techniques Detection Principles Requirements Host-based Network-based

C. Universal Threat Management C.4. Defenses

The Need for Intelligent Network Security: Adapting IPS for today s Threats

Protect Your Enterprise With the Leader in Secure Boundary Services

True in Depth Security through Next Generation SIEM. Ray Menard Senior Principal Security Consultant Q1 Labs

Performance Evaluation of Intrusion Detection Systems

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Detecting Anomaly IDS in Network using Bayesian Network

Managing Latency in IPS Networks

Our Security. History of IDS Cont d In 1983, Dr. Dorothy Denning and SRI International began working on a government project.

Network Based Intrusion Detection Using Honey pot Deception

Taxonomy of Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

TECHNICAL NOTE 10/03 DEPLOYMENT GUIDANCE FOR INTRUSION DETECTION SYSTEMS

Information Security Basic Concepts

CONTENTS. PCI DSS Compliance Guide

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2. Intrusion Detection and Prevention Systems

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Course Title: Penetration Testing: Security Analysis

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

A Proposed Architecture of Intrusion Detection Systems for Internet Banking

Compliance Guide: PCI DSS

Barracuda Intrusion Detection and Prevention System

The Essentials Series. PCI Compliance. sponsored by. by Rebecca Herold

Network Security Policy

Firewalls and Intrusion Detection

International Journal of Enterprise Computing and Business Systems ISSN (Online) :

Managed Security Services for Data

Norton Personal Firewall for Macintosh

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph I MCA

State of Vermont. Intrusion Detection and Prevention Policy. Date: Approved by: Tom Pelham Policy Number:

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

Basic computer security

CSCE 465 Computer & Network Security

Second-generation (GenII) honeypots

Chapter 15 Operating System Security

Transcription:

Contents Intrusion Detection Systems (IDS) Presented by Erland Jonsson Department of Computer Science and Engineering Motivation and basics (Why and what?) IDS types and principles Key Data Problems with IDS systems Prospects for the Future Intrusion Detection Why Intrusion Detection? Intrusion Detection Systems (IDS) does not (a priori) protect your system It works as burglar alarm Intrusion Detection Systems constitute a powerful complement (to basic security) Motivation for Intrusion Detection Even it you do not succeed to stop the intrusion it is of value to know that an intrusion has indeed occurred, how it occurred and which damage that has been caused. IDS are used for: detect intrusions and intrusion attempts give alarms stop on-going attacks (possibly) trace attackers investigate and assess the damage gather information for recovery actions What is Intrusion Detection? 1

What is Security? - protection principles What is Security? - intrusion threat reduction boundary protection recovery service delivery intrusion ALARM service delivery THREAT SYSTEM USER THREAT SYSTEM USER SECURITY Security=Datasäkerhet DEPENDABILITY Safety=Katastrofsäkerhet SECURITY DEPENDABILITY Logging is the basis for ID sensors for intrusion How is accomplished? logins logins Program Program behaviour behaviour (system (system calls) calls) Network Network traffic traffic user user commands commands What do you log? Network traffic to detect network attacks System calls to detect programs that behave suspiciously User commands to detect masquerading, i.e. when an attacker is using another user s account Logins, in order to know who was active on the system when it was attacked What do we want to detect Ordinary intrusions sniffing of passwords buffer overflow attacks Availability attacks (DoS, denial-of-service) are common and hard to protect against Information gathering, i.e. attacks aiming at open ports and weaknesses port-scanning: nmap Vulnerability scanning: satan, saint, nessus Components in an Intrusion Detection System control logging principle analysis & TARGET SYSTEM ALERT! 2

Principles of Intrusion Detection IDS Systems - overview There are two main principles: misuse (missbruksdetektering) - define what is wrong and give alarms for that ( default permit ) anomaly (avvikelsedetektering) - define what is correct and give alarms for everything else ( default deny ) Reference data acquisition dynamic static ANOMALY DETECTION less usual: SPECIFICATION BASED MISUSE DETECTION correct behaviour (default deny)? MISUSE DETECTION unwanted behaviour (default permit) Reference for check Key Data for IDS Systems Key data for IDS Systems (cont d) FIGURES-OF-MERIT for IDS-systems Which attributes are interesting? no alarms should be given in the abscence of intrusions intrusion (attempts) must be detected probability of ( hit rate ) (upptäcktssannolikhet) rate of false positives ( false alarm rate ) (falskalarmrisk) rate of false negatives ( miss rate ) (misssannolikhet) intrusion no intrusion MISS OK no alar m OK FA LSE ALARM normal state problem area!? alarm Detection problem Detection methods Classification the is a traditional clasification problem Separate intrusion events from normal events however, there is an overlap.. statistical distribution for normal behaviour? Statistical distribution for attack behaviour parameter Rule based Pattern matching Expert systems Thresholds Statistical analysis Bayesian networks Neural networks Markov models etc A D G Commercial User Customer churn Profile Change B E H Domestic User Propensity to Fraud Hot Destinations C Low Income F I Bad Debt Revenue Loss Pr{A} = 0.76 Pr{B} = 0.24 Pr{C} = 0.74 Pr{D A} = 0.27 Pr{D A} = 0.73 Pr{E A, B,x} = 0.01 Pr{E A,B, C} = 0.02 Pr{E A,B,C} = 0.04 Pr{E A,x,x} = 0.03 Pr{F B,x} = 0.00 Pr{F B, C} = 0.01 Pr{F B,C} = 0.04 Pr{G D, E} = 0.03 Pr{G D,E} = 0.72 Pr{G D,E} = 0.84 Pr{G D,E} = 0.96 Pr{H E} = 0.58 Pr{H E} = 0.42 Pr{I E, F} = 0.02 Pr{I E,F} = 0.98 Pr{I E, F} = 1 Pr{I E,F} = 1 3

Requirements on IDS Systems system response time (real-time behaviour?) fault tolerance (due to e.g. s/w, h/w, configuration, etc) ease of integration, usability and maintainability portability support for reference data updates (misuse systems) (cp virus programs) excess information (privacy aspects) the cost (CPU usage, memory, delays,...) host-based or network based? security of the IDS (protect the reference information)? Problems with IDS systems A few practical problems 1. False alarms 2. Adaptivity/Portability 3. Scalability 4. Lack of test methods 5. Privacy concerns False alarms Problem area 1 MANYalarms If is 99% correct and the number of intrusions is 0.01% in the analysed information: 99% of all alarms will be false alarms! There is a trade-off between covering all attacks and the number of false alarms (False) alarm investigation is resource demanding Problem area 2 Adaptation/Portability You can not buy a system that is adapted to your computer system The services provided are often unique The user behaviour varies The adaptation of a (simple) network based IDS may require two weeks of work Problem area 4 Test methods there is normally no IDS specification that states what intrusions the system covers Only (?) DARPA has made a comparative study, which has been much criticized 4

Intrusion prevention systems (IPS) The future Is hot right now Gartner Group report: IDS is dead, long live IPS The meaning of IPS is not well defined it is rather a commercial term The best interpretation is an IDS with some kind of response function, such as reconfiguring a firewall disrupt TCP connections discontinue services stop system calls (in runtime) Components in an IDS with response function control logging principle analysis & TARGET SYSTEM response policy response unit ALARM! The future earlier, of unwanted behaviour, i.e. potential intrusion attempts, pro-active data collection more intelligent systems diversion, deflection, honey pots active countermeasures strike back!? (not to be recommend!) truly distributed systems (alert correlation) Future threats Future possibilities Service Users Threat 1: higher transmission rates make network data collection hard (or even impossible) Threat 2: increased use of encryption reduces the amount of useful data. New methods Visualization Find patterns and anomolous behaviour Use the qualities of the human brain! Combining methods Intrusion tolerance Suspects Premium Rate Services 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information