CSCE 465 Computer & Network Security



Similar documents
Intrusion Detection Systems. (slides courtesy Prof. Stolfo)

Intrusion Detection Systems

Introduction of Intrusion Detection Systems

Intrusion Detection for Mobile Ad Hoc Networks

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

CSCI 4250/6250 Fall 2015 Computer and Networks Security

CSC574 - Computer and Network Security Module: Intrusion Detection

CSE590IS Intrusion Detection Systems. Marianne Shaw January 29, DDoS: Can t prevent malicious traffic reaching you

CS Computer and Network Security: Intrusion Detection

Network Intrusion Detection Systems. Beyond packet filtering

SURVEY OF INTRUSION DETECTION SYSTEM

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Analyzing Intrusion Detection System Evasions Through Honeynets

Taxonomy of Intrusion Detection System

INTRUSION DETECTION SYSTEMS and Network Security

The Integration of SNORT with K-Means Clustering Algorithm to Detect New Attack

Intrusion Detection Systems

Performance Evaluation of Intrusion Detection Systems

Intrusion Detection System (IDS)

Intrusion Detection Systems

Role of Anomaly IDS in Network

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International.

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

Intrusion Detection Systems Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Intrusion Detections Systems

Intrusion Detection: Game Theory, Stochastic Processes and Data Mining

IDS / IPS. James E. Thiel S.W.A.T.

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

How To Prevent Network Attacks

Name. Description. Rationale

Intrusion Detection System

Course Title: Penetration Testing: Security Analysis

Intrusion Detection Systems

Intrusion Detection Systems

The Base Rate Fallacy and its Implications for the Difficulty of Intrusion Detection

Kingston University London

Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

Building accurate intrusion detection systems. Diego Zamboni Global Security Analysis Lab IBM Zürich Research Laboratory

CSCI 454/554 Computer and Network Security. Topic 8.4 Firewalls and Intrusion Detection Systems (IDS)

Chapter 9 Firewalls and Intrusion Prevention Systems

IDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow

Network- vs. Host-based Intrusion Detection

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

1. INTRODUCTION 2. CLASSIFICATION OF INTRUSION DETECTION SYSTEMS

Intrusion Detection Systems. Overview. Evolution of IDSs. Oussama El-Rawas. History and Concepts of IDSs

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Managing Latency in IPS Networks

IntruPro TM IPS. Inline Intrusion Prevention. White Paper

CIS 433/533 - Computer and Network Security Intrusion Detection

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Intrusion Detection 1 / 46. Intrusion Detection. Motivation Defenses Just an Overview Generic Architecture Fundamental Choices Location Type Actions

Firewalls and Intrusion Detection

A Review on Network Intrusion Detection System Using Open Source Snort

EVADING IDSS AND FIREWALLS AS FUNDAMENTAL SOURCES OF INFORMATION IN SIEMS

Security Intrusion & Detection. Intrusion Detection Systems (IDSs)

An Alternative Model Of Virtualization Based Intrusion Detection System In Cloud Computing

Firewalls, Tunnels, and Network Intrusion Detection

Announcements. Lab 2 now on web site

Intrusion Detection in AlienVault

How To Design An Intrusion Prevention System

Intrusion Detection Systems vs. Intrusion Prevention Systems. Sohkyoung (Michelle) Cho ACC 626

Our Security. History of IDS Cont d In 1983, Dr. Dorothy Denning and SRI International began working on a government project.

AN EFFICIENT INTRUSION DETECTION SYSTEM FOR NETWORKS WITH CENTRALIZED ROUTING

Intrusion Detection from Simple to Cloud

USING LOCAL NETWORK AUDIT SENSORS AS DATA SOURCES FOR INTRUSION DETECTION. Integrated Information Systems Group, Ruhr University Bochum, Germany

How To Protect A Network From Attack From A Hacker (Hbss)

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

A Review on Intrusion Detection System to Protect Cloud Data

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT

A Proposed Architecture of Intrusion Detection Systems for Internet Banking

Bro at 10 Gps: Current Testing and Plans

Intrusion Detection Systems (IDS)

An Inspection on Intrusion Detection and Prevention Mechanisms

IDS : Intrusion Detection System the Survey of Information Security

Observation and Findings

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

NETWORK SECURITY (W/LAB) Course Syllabus

Web Application Security

An Overview of Intrusion Detection System Strategies and Issues

Dynamic Rule Based Traffic Analysis in NIDS

B database Security - A Case Study

Online Network Traffic Security Inspection Using MMT Tool

Online Network Intrusion Detection System Using Temporal Logic and Stream Data Processing

Chapter-3 Intruder Detection and Intruder Identification

Traffic Analysis. CSF: Forensics Cyber-Security. Part II.B. Techniques and Tools: Network Forensics. Fall 2015 Nuno Santos

JAVA FRAMEWORK FOR SIGNATURE BASED NETWORK INTRUSION DETECTION SYSTEM

Network Scanning. What is a Network scanner? Why are scanners needed? How do scanners do? Which scanner does the market provide?

Intrusion Detection and Prevention Systems in the Industrial Automation and Control Systems Environment

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Detecting Attacks. Signature-based Intrusion Detection. Signature-based Detection. Signature-based Detection. Problems

Marlicia J. Pollard East Carolina University ICTN 4040 SECTION 602 Mrs. Boahn Dr. Lunsford

Dragon solution. Zdeněk Pala. ECIE certified engineer ECI certified instructor There is nothing more important than our customers

On-Premises DDoS Mitigation for the Enterprise

Current and Future Research into Network Security Prof. Madjid Merabti

Transcription:

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Intrusion Detection System 1

Intrusion Definitions A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability, of a computing and networking resource Intrusion detection The process of identifying and responding to intrusion activities Why Is Intrusion Detection Necessary? Prevent Detect React/ Survive Security principles: layered mechanisms 2

Elements of Intrusion Detection Primary assumptions: System activities are observable Normal and intrusive activities have distinct evidence Components of intrusion detection systems: From an algorithmic perspective: Features - capture intrusion evidences Models - piece evidences together From a system architecture perspective: Audit data processor, knowledge base, decision engine, alarm generation and responses Components of Intrusion Detection System system activities are observable Audit Data Preprocessor Audit Records Activity Data Detection Models Decision Table Detection Engine Alarms Decision Engine normal and intrusive activities have distinct evidence Action/Report 3

Intrusion Detection Approaches Modeling Features: evidences extracted from audit data Analysis approach: piecing the evidences together Misuse detection (signature-based, e.g., Snort, Bro) Anomaly detection (e.g., statistical-based) Deployment: Network-based or Host-based Development and maintenance Hand-coding of expert knowledge Learning based on audit data Misuse Detection pattern matching Intrusion Patterns intrusion activities Example: if (src_ip == dst_ip) then land attack Can t detect new attacks 4

Anomaly Detection 90 80 70 60 50 activity measures 40 30 20 10 0 CPU Process Size probable intrusion normal profile abnormal Relatively high false positive rate - anomalies can just be new normal activities. Monitoring Networks and Hosts Network Packets tcpdump Operating System Events BSM 5

Key Performance Metrics Algorithm Alarm: A; Intrusion: I Detection (true positive) rate: P(A I) False negative rate P( A I) False positive rate: P(A I) True negative rate P( A I) Bayesian detection rate: P(I A) Alarm (detection result) T F Architecture Scalable Resilient to attacks Intrusion (Reality) T F True Positive False Positive False Negative True Negative Bayesian Detection Rate P( I ) P( A I ) P( I A) = P( I ) P( A I ) + P( ØI ) P( A ØI ) Base-rate fallacy Even if false alarm rate P(A I) is very low, Bayesian detection rate P(I A) is still low if base-rate P(I) is low E.g. if P(A I) = 1, P(A I) = 10-5, P(I) = 2 10-5, P(I A) = 66% Implications to IDS Design algorithms to reduce false alarm rate Deploy IDS to appropriate point/layer with sufficiently high base rate 6

Example ROC Curve % Detect IDS1 IDS2 % False Alarm Ideal system should have 100% detection rate with 0% false alarm Host-Based IDSs (HIDS) Using OS auditing mechanisms E.G., BSM on Solaris: logs all direct or indirect events generated by a user strace for system calls made by a program Monitoring user activities E.G., Analyze shell commands Monitoring executions of system programs E.G., Analyze system calls made by sendmail 7

Example HIDS: A Sense of Self - Immunology Approach Prof. Forrest at University of New Mexico Anomaly detection Simple and short sequences of events to distinguish self from not Currently looking at system calls (strace) Apply to detection of lpr and sendmail Some Details Anomaly detection for Unix processes Short sequences of system calls as normal profile (Forrest et al. UNM),open,read,mmap,mmap,open,getrlimit,mmap,close, Sliding window of length k open,read,mmap,mmap read,mmap,mmap,open mmap,mmap,open,getrlimit mmap,open,getrlimit,mmap Y % matched > e N normal abnormal 8

Network IDSs (NIDS) Deploying sensors at strategic locations E.G., Packet sniffing via tcpdump at routers Inspecting network traffic Watch for violations of protocols and unusual connection patterns Monitoring user activities Look into the data portions of the packets for malicious command sequences May be easily defeated by encryption Data portions and some header information can be encrypted Other problems Architecture of Network IDS Policy script Alerts/notifications Policy Script Interpreter Event control Event stream Event Engine tcpdump filters Filtered packet stream libpcap Packet stream Network 9

Firewall Versus Network IDS Firewall Active filtering Fail-close Network IDS Passive monitoring Fail-open IDS FW Requirements of Network IDS High-speed, large volume monitoring No packet filter drops Real-time notification Mechanism separate from policy Extensible Broad detection coverage Economy in resource usage Resilience to stress Resilience to attacks upon the IDS itself! 10

Eluding Network IDS What the IDS sees may not be what the end system gets. Insertion and evasion attacks. IDS needs to perform full reassembly of packets. But there are still ambiguities in protocols and operating systems: E.G. TTL, fragments. Need to normalize the packets. Insertion Attack End-System sees: IDS sees: A T X T A C A T T A C K K Attacker s data stream T X T C A A K Examples: bad checksum, TTL. 11

Evasion Attack End-System sees: A T T A C K IDS sees: A T T C K Attacker s data stream T T C A A K Example: fragmentation overlap 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information