Intruders & Intrusion: Hackers, Criminal groups, Insiders. Detection and IDS Techniques: Detection Principles, Requirements, Host-based, Network-based


Lecture Outline
- Intruders & Intrusion: Hackers, Criminal groups, Insiders
- Detection and IDS Techniques: Detection Principles, Requirements, Host-based, Network-based, Honeypot
- Madartists

Intruders
- A significant security issue for networked systems is hostile or unwanted trespass, by users or by software; it ranges from benign to serious.
- User trespass: unauthorized logon, privilege abuse.
- Software trespass: virus, worm, or Trojan horse.
- Classes of intruders: masquerader (an outsider who penetrates access controls to use a legitimate user's account), misfeasor (a legitimate user who accesses data or programs they are not authorized for, or misuses their privileges), clandestine user (one who seizes supervisory control and uses it to evade auditing and access control).

Examples of Intrusion
- Defacing a Web server
- Guessing and cracking passwords
- Copying a database containing credit card numbers
- Viewing sensitive data, including payroll records and medical information, without authorization
- Running a packet sniffer on a workstation to capture usernames and passwords
- Temporary agents or consultants (as incompetent users or clandestine users)
- Dialing into an unsecured modem and gaining internal network access
- Posing as an executive, calling the help desk, resetting the executive's e-mail password, and learning the new password
- Using an unattended, logged-in workstation without permission

Hackers
- Motivated by the thrill of access and by status; the hacking community is a strong meritocracy in which status is determined by level of competence, and information is shared with fellow hackers.
- Benign intruders might be tolerable, but they still consume resources and may slow performance, and you cannot know in advance whether an intruder is benign or malign.
- IDS / IPS / VPNs can help counter them.
- Awareness led to the establishment of CERTs, which collect and disseminate vulnerability information and responses: the CERT Coordination Center (CMU), Computer Security Incident Response Teams (CSIRTs, the generic term), US-CERT, TERENA.
- What is the problem here?

Hacker Behavior Examples
Hackers exploit newly discovered weaknesses and evade detection and countermeasures, but they follow recognizable patterns that ordinary users normally do not follow:
1. select target using IP lookup tools
2. map the network for accessible services
3. identify potentially vulnerable services
4. brute force (guess) passwords
5. install a remote administration tool (example)
6. wait for an admin to log on and capture the password
7. use the password to access the remainder of the network

Recent Hacker Behavior Example

Criminal Enterprise
- Organized groups of hackers are now a widespread threat: corporation-backed, government-backed, or loosely affiliated gangs.
- Typically young, often drawn from countries where freedoms are curtailed; the Eastern European bloc is a common source.
- Income is the motive; a common target is credit card numbers on an e-commerce server.
- Criminal hackers usually have specific targets; once penetrated, they act quickly and get out.
- IDS / IPS help, but are less effective against this quick in-and-out pattern; sensitive data needs strong protection in its own right.
- Recall the TED talk "Hire the Hackers"; internet forums such as darkmarket.org and theftservices.org; related news.

Hackers

Criminal Enterprise Behavior
1. act quickly and precisely to make their activities harder to detect
2. exploit the perimeter via vulnerable ports
3. use Trojan horses (hidden software) to leave back doors for re-entry
4. use sniffers to capture passwords
5. do not stick around until noticed
6. make few or no mistakes
IDSs and IPSs can also be used against these attackers, but may be less effective because of the quick in-and-out nature of the attack.

Insider Attacks
- Among the most difficult to detect and prevent: employees already have access and systems knowledge.
- May be motivated by revenge or a sense of entitlement when employment is terminated, or by taking customer data when moving to a competitor.
- Kenneth Peterson cc VP of Sales for stock analysis
- IDS / IPS may help, but other and more direct approaches are also needed: enforce least privilege, monitor logs, protect sensitive resources with strong authentication, and on termination delete the employee's computer and network access and make a mirror image of the employee's hard drive before reissuing it.

(Shady) Insider Behavior Examples (Ethical?)
1. create network accounts for themselves and their friends
2. access accounts and applications they wouldn't normally use for their daily jobs
3. e-mail former and prospective employers
4. conduct furtive instant-messaging chats
5. visit web sites that cater to disgruntled employees, such as f'dcompany.com or ratemyboss
6. perform large downloads and file copying
7. access the network during off hours

Intrusion Detection Systems
Intrusion detection systems (IDSs) are classified as:
- Host-based IDS: monitors a single host, its characteristics and the events occurring on it, for suspicious activity.
- Network-based IDS: monitors network traffic for particular segments or devices and analyzes network, transport, and application protocol activity.
An IDS has three logical components:
- Sensors: collect data. Input: network packets, log files, system call traces.
- Analyzers: determine whether an intrusion has occurred. Input: the feed from sensors or from other analyzers.
- User interface: manage, direct, and view the IDS; also called the manager, director, or console component.

IDS Principles
- Detection is based on the assumption that intruder behavior differs from that of legitimate users in ways that can be quantified.
- Expect overlap: the two behavior distributions are not cleanly separated (as shown in the figure of intruder and legitimate-user behavior profiles), so the IDS observes deviations from past history rather than a hard boundary.
- This produces false positives (legitimate users flagged as intruders) and false negatives (intruders not identified); wherever the threshold is set, it must compromise between the two.

IDS Requirements
- Run continually with minimal human supervision.
- Be fault tolerant, in the sense that it must be able to recover from system crashes and reinitializations.
- Resist subversion: the IDS must be able to monitor itself and detect if it has been modified by an attacker.
- Impose a minimal overhead on the system where it is running.
- Be configurable according to the security policies of the system that is being monitored.
- Adapt to changes in system and user behavior over time.
- Scale to monitor a large number of hosts.
- Provide graceful degradation of service: if some components of the IDS stop working for any reason, the rest should be affected as little as possible.
- Allow dynamic reconfiguration, that is, the ability to reconfigure the IDS without having to restart it.

Host-Based IDS
- Specialized software that monitors (vulnerable or sensitive) system activity to detect suspicious behavior.
- Primary purpose is to detect intrusions, log suspicious events, and send alerts.
- Can detect both external and internal intrusions.
Follows two basic approaches, often used in combination:
- Anomaly detection: collect data relating to the behavior of legitimate users over a period of time, then apply statistical tests to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior. Attempts to define normal, or expected, behavior. Effective against masqueraders, who are unlikely to mimic the behavior patterns of the accounts they appropriate; may be unable to deal with misfeasors, whose misuse looks like their own normal activity.
- Signature detection: defines a set of rules or attack patterns used to decide that a given behavior is that of an intruder. Attempts to define proper (allowed) behavior, and may be able to recognize events and sequences that, in context, reveal penetration.

Anomaly Detection
Threshold detection:
- Counts the number of occurrences of a specific event type over an interval of time and checks for excessive occurrences.
- Must determine both the thresholds and the time intervals.
- On its own a crude and ineffective intruder detector (many false positives and false negatives), but useful in conjunction with other techniques.
Profile-based detection:
- Characterize the past behavior of users or groups, then detect significant deviations.
- A profile is a set of parameters, not a single item, based on analysis of audit records.
- Metrics gathered to define typical behavior: counters, interval timers, resource utilization; the profile becomes the input against which current behavior is gauged.
- Analysis uses statistical processes: mean and standard deviation, multivariate, Markov process, time series.

Collection of Data
Audit records are a fundamental tool for intrusion detection; two variants:
- Native audit records: provided by the OS (most multi-user operating systems include accounting software that collects information on user activity). Always available, but may not be in the optimum form for detection. Advantage or disadvantage?
- Detection-specific audit records: generated specifically for the IDS. Additional overhead, but tailored to the IDS task; often log individual elementary actions, e.g. a record may contain the fields subject, action, object, resource-usage, timestamp (Denning, 1987).
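The threshold and profile-based techniques of the Anomaly Detection slide, run over detection-specific audit records carrying the Denning-style fields above. This is an added example written for this transcription, not code from the lecture: the user names, file paths, usage values, the z-score limit of 3 and the "five failed logins in 60 seconds" threshold are all constructed assumptions chosen for illustration.

```python
"""Anomaly detection over constructed audit records (added example, not lecture code).

Profile-based: per-subject mean and standard deviation of resource usage
for read actions; flag reads more than z_limit standard deviations away.
Threshold: count login_fail events per subject in a sliding time window.
All records, names, paths and limits below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AuditRecord:
    """Detection-specific audit record with Denning-style fields."""
    subject: str   # user on whose behalf the action is taken
    action: str    # "read", "login_fail", ...
    obj: str       # object acted on: file, program, host
    usage: int     # resource usage, here bytes read
    ts: int        # timestamp in seconds (constructed, not wall-clock)


# Constructed history: alice reads report files of roughly 2-3 KB.
HISTORY = [
    AuditRecord("alice", "read", f"/home/alice/report{i}.txt", 2000 + 50 * i, 1000 + 60 * i)
    for i in range(20)
]

# Constructed current period: one normal read, one bulk copy of a
# customer database, six failed logins by bob in 25 s, one typo by carol.
CURRENT = [
    AuditRecord("alice", "read", "/home/alice/report21.txt", 2600, 2500),
    AuditRecord("alice", "read", "/srv/db/customers.csv", 5_000_000, 2560),
    *[AuditRecord("bob", "login_fail", "sshd", 0, 3000 + 5 * i) for i in range(6)],
    AuditRecord("carol", "login_fail", "sshd", 0, 3100),
]


def build_profiles(records):
    """Return {subject: (mean, stdev)} of read usage; the profile is a set of
    parameters derived from audit records, not a single value."""
    per_user = defaultdict(list)
    for r in records:
        if r.action == "read":
            per_user[r.subject].append(r.usage)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items() if len(v) >= 2}


def profile_deviations(records, profiles, z_limit=3.0):
    """Flag reads whose usage deviates more than z_limit standard deviations
    from the subject's profile. z_limit trades false positives (too low)
    against false negatives (too high): for Gaussian usage, 3 sigma flags
    about 0.3% of legitimate reads."""
    alerts = []
    for r in records:
        if r.action != "read" or r.subject not in profiles:
            continue  # no profile yet: an anomaly detector cannot score it
        mu, sigma = profiles[r.subject]
        if sigma == 0:
            continue  # degenerate profile, every deviation would be infinite
        z = (r.usage - mu) / sigma
        if abs(z) > z_limit:
            alerts.append((r.subject, r.obj, round(z, 1)))
    return alerts


def threshold_alerts(records, action="login_fail", limit=5, window=60):
    """Threshold detection: report subjects with at least `limit` events of
    `action` inside any `window`-second interval (sliding window)."""
    times = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        if r.action == action:
            times[r.subject].append(r.ts)
    flagged = set()
    for subject, ts_list in times.items():
        start = 0
        for end in range(len(ts_list)):
            while ts_list[end] - ts_list[start] > window:
                start += 1
            if end - start + 1 >= limit:
                flagged.add(subject)
    return sorted(flagged)


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    print("profile deviations:", profile_deviations(CURRENT, profiles))
    print("threshold alerts:", threshold_alerts(CURRENT))
```

The bulk read of customers.csv is caught because it sits far outside alice's profile, while her ordinary report read (z of about 0.4) is not; bob's six failures inside 25 s trip the threshold and carol's single typo does not. Shrinking the window to 10 s lets bob through entirely, which is the threshold detector's weakness the slide warns about: the interval and the limit have to be tuned together, and a patient attacker who spaces guesses beyond the window is a false negative.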

Signature Detection
Observe events on the system and apply a set of rules to decide whether a given pattern of activity is that of an intruder. Approaches:
- Rule-based anomaly detection: similar in approach and strengths to statistical anomaly detection. Historical audit records are analyzed to identify usage patterns and to automatically generate rules that describe those patterns; rules may represent past behavior patterns of users, programs, privileges, time slots, terminals, etc. Current behavior is then observed, and each transaction is matched against the set of rules to determine whether it conforms to any historically observed pattern of behavior.
- Rule-based penetration identification: rules identify known penetrations or patterns that would exploit known weaknesses. Typically the rules used in these systems are specific to the machine and operating system; they are often developed by analyzing attack scripts from the Internet, supplemented with rules from security experts.
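A small rule-based penetration identification engine, added here as an example for this transcription (not lecture code). The signatures encode the multi-step hacker behavior from the earlier slide (map accessible services, brute-force passwords, install a remote administration tool) as ordered event sequences that must occur from one source host inside a time window. The event log, host addresses, rule names, the /tmp path of the dropped tool and the 300-second window are all constructed assumptions.

```python
"""Rule-based penetration identification (added example, not lecture code).

A signature is an ordered list of steps; each step is (event_type,
detail regex, minimum count). A rule fires for a source host when its
events satisfy every step in order inside one time window. Events,
addresses, rule names, paths and the window are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed host-log events: (timestamp, source host, event type, detail).
EVENTS = [
    *[(100 + i, "10.0.0.5", "connect", f"port={21 + i}") for i in range(10)],  # service mapping
    *[(130 + i, "10.0.0.5", "auth_fail", "user=root") for i in range(6)],      # password guessing
    (170, "10.0.0.5", "auth_ok", "user=root"),                                  # a guess succeeds
    (180, "10.0.0.5", "exec", "/tmp/rat.bin"),                                  # hypothetical RAT dropped
    (200, "10.0.0.9", "auth_fail", "user=bob"),                                 # ordinary typo
    (260, "10.0.0.9", "auth_ok", "user=bob"),
]

# Signatures written from the hacker-behaviour pattern on the earlier slide.
RULES = {
    "scan_bruteforce_rat": [
        ("connect", r"^port=\d+$", 10),   # map the network for accessible services
        ("auth_fail", r"^user=", 5),      # brute-force (guess) passwords
        ("auth_ok", r"^user=", 1),        # one guess succeeds
        ("exec", r"^/tmp/", 1),           # install a remote administration tool
    ],
    "bruteforce_then_login": [
        ("auth_fail", r"^user=", 5),
        ("auth_ok", r"^user=", 1),
    ],
}


def match_sequence(events, steps, window):
    """Greedy in-order match of `steps` against one host's time-sorted
    events; unrelated events between steps are skipped, and the whole
    sequence must fit within `window` seconds of its first matched event."""
    idx = 0
    start_ts = None
    for event_type, pattern, min_count in steps:
        seen = 0
        while idx < len(events) and seen < min_count:
            ts, etype, detail = events[idx]
            idx += 1
            if etype != event_type or not re.search(pattern, detail):
                continue
            if start_ts is None:
                start_ts = ts
            if ts - start_ts > window:
                return False  # too slow to count as one attack sequence
            seen += 1
        if seen < min_count:
            return False
    return True


def detect(events, rules, window=300):
    """Return sorted (source, rule name) pairs for every rule that fires."""
    per_source = defaultdict(list)
    for ts, src, etype, detail in sorted(events):
        per_source[src].append((ts, etype, detail))
    hits = []
    for src, evs in per_source.items():
        for name, steps in rules.items():
            if match_sequence(evs, steps, window):
                hits.append((src, name))
    return sorted(hits)


if __name__ == "__main__":
    for src, rule in detect(EVENTS, RULES):
        print(f"ALERT {src}: matched signature {rule}")
```

Both signatures fire for 10.0.0.5 and neither for 10.0.0.9, whose single failure followed by a success is what a legitimate user looks like. The limitation of the approach is visible in the window parameter: shrinking it to 50 s drops the full scan-to-RAT match (the success comes 70 s after the first probe) even though the brute-force step still matches, and an attacker who reorders the steps or spaces them beyond the window produces no alert at all. That is the false-negative side of signature detection, which is why the slide pairs it with anomaly detection.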

Placement of Network-Based IDS

Advantages and Disadvantages of Each Location

Honeypots

Next Group of Topics
- Cookies
- DoS: classic SYN, spoofing, reflection, smurf
- Forensics
- Software Security: buffer overflow, SQL injection, cross-site scripting, best practices
- Wireless / Mobile Security

Lab 6