CIT 480: Securing Computer Systems

Size: px
Start display at page:

Download "CIT 480: Securing Computer Systems"

Transcription

1 CIT 480: Securing Computer Systems Intrusion Detection CIT 480: Securing Computer Systems Slide #1

2 Topics 1. Definitions and Goals 2. Models of Intrusion Detection 3. False Positives 4. Architecture of an IDS 5. Example IDS: snort 6. Active Response (IPS) 7. Host-based IDS and IPS 8. IDS Evasion Techniques CIT 480: Securing Computer Systems Slide #2

3 IDS Terminology Intrusion Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking resources) Intrusion detection The identification through intrusion signatures and report of intrusion activities Intrusion prevention The process of both detecting intrusion activities and managing automatic responsive actions throughout the network CIT 480: Securing Computer Systems Slide #3

4 Goals of IDS 1. Detect wide variety of intrusions Previously known and unknown attacks. Need to adapt to new attacks or changes in behavior. 2. Detect intrusions in timely fashion May need to be be real-time, especially when system responds to intrusion. Problem: analyzing commands may impact response time of system. May suffice to report intrusion occurred a few minutes or hours ago. CIT 480: Securing Computer Systems Slide #4

5 Goals of IDS 3. Present analysis in easy-to-understand format. Ideally a binary indicator. Usually more complex, allowing analyst to examine suspected attack. User interface critical, especially when monitoring many systems. 4. Be accurate Minimize false positives, false negatives. Minimize time spent verifying attacks, looking for them. CIT 480: Securing Computer Systems Slide #5

6 Deep Packet Inspection DPI = Analysis of Application Layer data Protocol Standard Compliance Is port 53 traffic DNS or a covert shell session? Is port 80 traffic HTTP or tunneled IM or P2P? Protocol Anomaly Detection Traffic is valid HTTP. But suspicious URL contains directory traversal. CIT 480: Securing Computer Systems Slide #6

7 Models of Intrusion Detection 1. Anomaly detection (statistical) Develop profile of normal user/host actions. Alert when actions depart too far from profile. Statistical IDS. 2. Misuse detection (rule-based) Create signatures based on attack profiles. Look for signatures, hope for no new attacks. Rule based IDS. CIT 480: Securing Computer Systems Slide #7

8 Possible Alarm Outcomes Intrusion Attack No Intrusion Attack Alarm Sounded True Positive False Positive No Alarm Sounded False Negative True Negative CIT 480: Securing Computer Systems Slide #8

9 Base-Rate Fallacy Difficult to create IDS with high true-positive rate and low false-negative rate. If #intrusions small compared to normal traffic, then IDS will produce many false positives for each intrusion. Effectiveness of IDS can be misinterpreted due to a statistical error known as the base-rate fallacy. This type of error occurs when the probability of some conditional event is assessed without considering the base rate of that event. CIT 480: Securing Computer Systems Slide #9

10 Base-Rate Fallacy Example Example case IDS 99% accurate, 1% false positives or negatives IDS generates 1,000,100 log entries. Base rate is 100 malicious events of 1,000,100 examined. Results Of 100 malicious events, 99 will be detected as malicious, which means we have 1 false negative. Of 1,000,000 benign events, 10,000 will be mistakenly identified as malicious. That is, we have 10,000 false positives! Thus, 10,099 alarms sounded, 10,000 of which are false alarms. Roughly 99% of our alarms are false alarms. CIT 480: Securing Computer Systems Slide #10

11 IDS Components IDS Manager Untrusted Internet router Firewall IDS Sensor IDS Sensor router router

12 IDS Architecture An IDS is essentially a sophisticated audit system Sensors gathers data for analysis from hosts or network. Manager analyzes data obtained from sensors according to its internal rules. Notifier acts on manager results. May simply notify security officer. May reconfigure sensors or manager to alter collection, analysis methods. May activate response mechanism. CIT 480: Securing Computer Systems Slide #12

13 Host-Based Sensors 1. Obtain information from logs May use many logs as sources. May be security-related or not. May use virtual logs if agent is part of the kernel. 2. Agent generates its information Analyzes state of system. Treats results of analysis as log data. CIT 480: Securing Computer Systems Slide #13

14 Network-Based Sensors Sniff traffic from network. Use hubs, SPAN ports, or taps to see traffic. Need sensors on all switches to see entire network. Deep packet inspection (DPI). Sensor needs same view of traffic as destination Attacker may send packets with TTL set so that they arrive at destination but expire before reaching sensor. Packet fragmentation and reassembly works differently on different OSes, so sensor sees different packet than destination in some cases. End-to-end encryption defeats content monitoring Not traffic analysis, though. Slide #14

15 Aggregation of Information Sensors produce information at multiple layers of abstraction. Application-monitoring sensors provide one view of an event. System-monitoring sensors provide a different view of an event. Network-monitoring sensors provide yet another view (involving many packets) of an event. CIT 480: Securing Computer Systems Slide #15

16 Notifier Accepts information from manager Takes appropriate action Page, call, IM, or security officer. Rate-limit contacts so a single problem does not result in an overwhelming flood of notices. Respond to attack. Often GUIs Use visualization to convey information. CIT 480: Securing Computer Systems Slide #16

17 Example NIDS: snort Network Intrusion Detection System Sniffs packets off wire. Checks packets for matches against rule sets. Logs detected signs of misuse. Alerts adminstrator when misuse detected. CIT 480: Securing Computer Systems Slide #17

18 Example Architecture: snort CIT 480: Securing Computer Systems Slide #18

19 Snort Rules Rule Header Action: pass, log, alert Network Protocol Source Address (Host or Network) + Port Destination Address (Host or Network) + Port Rule Body Content: packet ASCII or binary content TCP/IP flags and options to match Message to log, indicating nature of misuse detected CIT 480: Securing Computer Systems Slide #19

20 Snort Rule Example Example: rule for ssh shell code exploit alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"exploit ssh CRC32 overflow NOOP"; flow:to_server,established; content:" "; reference:bugtraq,2347; reference:cve,cve ; classtype:shellcode-detect; sid:1326; rev:3;) CIT 480: Securing Computer Systems Slide #20

21 IDS Deployment IDS deployment should reflect your threat model. Major classes of attackers: 1. External attackers intruding from Internet. 2. Internal attackers intruding from your LANs. Where should you place IDS systems? 1. Perimeter (outside firewall) 2. DMZ 3. Intranet 4. Wireless CIT 480: Securing Computer Systems Slide #21

22 IDS Deployment CIT 480: Securing Computer Systems Slide #22

23 Snort Web Interface CIT 480: Securing Computer Systems Slide #23

24 Sguil NSM Console

25 Intrusion Prevention Systems What else can you do with IDS alerts? Identify attack before it completes. Prevent it from completing. How to prevent attacks? Directly: IPS drops packets, kills TCP sessions. Indirectly: IPS modifies firewall rules. Is IPS a good idea? How do you deal with false positives? CIT 480: Securing Computer Systems Slide #25

26 IPS Deployment Types Inline IPS Intranet Non-Inline IPS Intranet CIT 480: Securing Computer Systems Slide #26

27 Active Responses by Network Layer Data Link: Shut down a switch port. Only useful for local intrusions. Rate limit switch ports. Network: Block a particular IP address. Inline: can perform blocking itself. Non-inline: send request to firewall. Transport: Send TCP RST or ICMP messages to sender and target to tear down TCP sessions. Application: Inline IPS can modify application data to be harmless: /bin/sh -> /ben/sh CIT 480: Securing Computer Systems Slide #27

28 Host IDS and IPS Anti-virus and anti-spyware AVG anti-virus, SpyBot S&D Log monitors swatch, logwatch Integrity checkers tripwire, osiris, samhain Monitor file checksums, etc. Application shims mod_security (usually called a WAF) CIT 480: Securing Computer Systems Slide #28

29 Evading IDS and IPS Alter appearance to prevent sig match URL encode parameters to avoid match. Use or 783>412-- for SQL injection. Alter context Change TTL so IDS sees different packets than target hosts receives. Fragment packets so that IDS and target host reassemble the packets differently. CIT 480: Securing Computer Systems Slide #29

30 Fragment Evasion Techniques Flood of fragments DoS via heavy use of CPU/RAM on IDS. Tiny fragment Break attack into multiple fragments, none of which match signature. ex: frag 1: cat /etc, frag 2: /shadow Overlapping fragments Offset of later fragments overwrites earlier fragments. ex: frag 1: cat /etc/fred, frag 2: offset=10, shadow Different OSes deal differently with overlapping. CIT 480: Securing Computer Systems Slide #30

31 Web Evasion Techniques URL encoding GET /%63%67%69%2d%62%69%6e/bad.cgi /./ directory insertion GET /./cgi-bin/./bad.cgi Long directory insertion GET /junklongdirectorypathstuffhereuseless/../cgi-bin/bad.cgi IDS may only read first part of URL for speed. Tab separation GET<tab>/cgi-bin/bad.cgi Tabs usually work on servers, but may not be in sig. Case sensitivity GET /CGI-BIN/bad.cgi Windows filenames are case insensitive, but signature may not be. CIT 480: Securing Computer Systems Slide #31

32 Countering Evasion Keep IDS/IPS signatures up to date. On daily or weekly basis. Use both host and network IDS/IPS. Host-based harder to evade as runs on host. Fragment attacks can t evade host IDS. Network IDS still useful as overall monitor. Tune IDS/IPS to handle based on experience False positives False negatives CIT 480: Securing Computer Systems Slide #32

33 Key Points 1. Models of IDS: Anomaly detection: unexpected events (statistical IDS.) Misuse detection: violations of policy (rule-based IDS). 2. IDS Architecture: sensors, manager, notifier. 3. Host vs. Network IDS Host: agent on host checks files, processes to detect attacks. Network: sniffs and analyzes packets to detect intrusions. 4. IPS Stop intrusions, but what about false positives? Inline vs. non-inline: how do prevention techniques differ? 5. IDS/IPS Evasion Alter appearance to avoid signature match. Alter context to so IDS interprets differently than host. CIT 480: Securing Computer Systems Slide #33

34 References 1. Richard Bejtlich, The Tao of Network Security Monitoring, Addison-Wesley, William Cheswick, Steven Bellovin, and Avriel Rubin, Firewalls and Internet Security, 2 nd edition, Goodrich and Tammasia, Introduction to Computer Security, Pearson, The Honeynet Project, Know Your Enemy, 2 nd edition, Addison-Wesley, Richard A. Kemmerer and Giovanni Vigna, Intrusion Detection: A Brief History and Overview, IEEE Security & Privacy, v1 n1, Apr 2002, pp Steven Northcutt and Julie Novak, Network Intrusion Detection, 3 rd edition, New Riders, Michael Rash et. al., Intrusion Prevention and Active Response, Syngress, Rafiq Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID, Prentice Hall, Ed Skoudis, Counter Hack Reloaded 2/e, Prentice Hall, CIT 480: Securing Computer Systems Slide #34

Topics. Principles of Intrusion Detection. Intrusion Detection. Characteristics of systems not under attack

Topics. Principles of Intrusion Detection. Intrusion Detection. Characteristics of systems not under attack Intrusion Detection Topics 1. Principles 2. Models of Intrusion Detection 3. False Positives 4. Architecture of an IDS 5. IDS Deployment 6. Active Response (IPS) 7. Host-based IDS and IPS 8. IDS Evasion

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Intrusion Detection Systems Intrusion Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking

More information

CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems CIT 480: Securing Computer Systems Tunneling and VPNs CIT 480: Securing Computer Systems Slide #1 Topics 1. Tunneling 1. Encapsulation 2. Security 3. SSH 2. Virtual Private Networks 1. Site-to-site 2.

More information

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Internet Security Mechanisms Prevent: Firewall, IPsec, SSL Detect: Intrusion Detection Survive/ Response:

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Dr. Ahmad Almulhem Computer Engineering Department, KFUPM Spring 2008 Ahmad Almulhem - Network Security Engineering - 2008 1 / 15 Outline 1 Introduction Overview History 2 Types

More information

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 13 Chapter 6: Intrusion Detection Security Intrusion & Detection Security Intrusion a security event, or combination of multiple security events,

More information

Network Security: Firewall, VPN, IDS/IPS, SIEM

Network Security: Firewall, VPN, IDS/IPS, SIEM Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

Chapter 7. Network Intrusion Detection and Analysis. SeoulTech UCS Lab (Daming Wu)

Chapter 7. Network Intrusion Detection and Analysis. SeoulTech UCS Lab (Daming Wu) SeoulTech UCS Lab Chapter 7 Network Intrusion Detection and Analysis 2015. 11. 3 (Daming Wu) Email: wdm1517@gmail.com Copyright c 2015 by USC Lab All Rights Reserved. Table of Contents 7.1 Why Investigate

More information

Overview of Firewalls. CSC 474 Network Security. Outline. Firewalls. Intrusion Detection System (IDS)

Overview of Firewalls. CSC 474 Network Security. Outline. Firewalls. Intrusion Detection System (IDS) CSC 474 Network Security Topic 8.4 Firewalls and Intrusion Detection Systems (IDS) 1 Outline Firewalls Filtering firewalls Proxy firewalls Intrusion Detection System (IDS) Rule-based IDS Anomaly detection

More information

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content Intrusion Detection INFO404 - Lecture 13 21.04.2009 nfoukia@infoscience.otago.ac.nz Content Definition Network vs. Host IDS Misuse vs. Behavior Based IDS Means for Intrusion Detection Definitions (1) Intrusion:

More information

Activating Intrusion Prevention Service

Activating Intrusion Prevention Service Activating Intrusion Prevention Service Intrusion Prevention Service Overview Configuring Intrusion Prevention Service Intrusion Prevention Service Overview Intrusion Prevention Service (IPS) delivers

More information

UMSSIA INTRUSION DETECTION

UMSSIA INTRUSION DETECTION UMSSIA INTRUSION DETECTION INTRUSION DETECTION Sensor1 Event1, Event2 Monitor No intrusion M SensorN Event1, Event2 Alarm! IDS CHARACTERISTICS Characteristics an IDS can be classified/evaluated by: Type

More information

CSCI 454/554 Computer and Network Security. Topic 8.4 Firewalls and Intrusion Detection Systems (IDS)

CSCI 454/554 Computer and Network Security. Topic 8.4 Firewalls and Intrusion Detection Systems (IDS) CSCI 454/554 Computer and Network Security Topic 8.4 Firewalls and Intrusion Detection Systems (IDS) Outline Firewalls Filtering firewalls Proxy firewalls Intrusion Detection System (IDS) Rule-based IDS

More information

Outline. Internet Security Mechanisms. Basic Terms. Example Attacks

Outline. Internet Security Mechanisms. Basic Terms. Example Attacks Outline AIT 682: Network and Systems Security Topic 8.4 Firewalls and Intrusion Detection Systems (IDS) Firewalls Filtering firewalls Proxy firewalls Intrusion Detection System (IDS) Rule-based IDS Anomaly

More information

AIT 682: Network and Systems Security

AIT 682: Network and Systems Security AIT 682: Network and Systems Security Topic 8.4 Firewalls and Intrusion Detection Systems (IDS) Instructor: Dr. Kun Sun Firewalls Filtering firewalls Proxy firewalls Outline Intrusion Detection System

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 20: Intrusion Prevention Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Firewalls purpose types locations Network perimeter

More information

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review ACS-3921-001/4921-001 Computer Security And Privacy Fall 2018 Mid-Term Review ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been adopted and/or modified

More information

Network Intrusion Detection Systems. Beyond packet filtering

Network Intrusion Detection Systems. Beyond packet filtering Network Intrusion Detection Systems Beyond packet filtering Goal of NIDS Detect attacks as they happen: Real-time monitoring of networks Provide information about attacks that have succeeded: Forensic

More information

Network Security. Chapter 0. Attacks and Attack Detection

Network Security. Chapter 0. Attacks and Attack Detection Network Security Chapter 0 Attacks and Attack Detection 1 Attacks and Attack Detection Have you ever been attacked (in the IT security sense)? What kind of attacks do you know? 2 What can happen? Part

More information

CIT 380: Securing Computer Systems. Network Security Concepts

CIT 380: Securing Computer Systems. Network Security Concepts CIT 380: Securing Computer Systems Network Security Concepts Topics 1. Protocols and Layers 2. Layer 2 Network Concepts 3. MAC Spoofing 4. ARP 5. ARP Spoofing 6. Network Sniffing Protocols A protocol defines

More information

Pre processors. Detection Engine

Pre processors. Detection Engine Packet Decoder Pre processors Detection Engine Logging and Alerting System Output Modules Filesystem Syslog Database XML Firewall config You should know how the rules are constructed in order to fully

More information

Managing Latency in IPS Networks

Managing Latency in IPS Networks Revision C McAfee Network Security Platform (Managing Latency in IPS Networks) Managing Latency in IPS Networks McAfee Network Security Platform provides you with a set of pre-defined recommended settings

More information

intelop Stealth IPS false Positive

intelop Stealth IPS false Positive There is a wide variety of network traffic. Servers can be using different operating systems, an FTP server application used in the demilitarized zone (DMZ) can be different from the one used in the corporate

More information

NIDS: Snort. Group 8. Niccolò Bisagno, Francesco Fiorenza, Giulio Carlo Gialanella, Riccardo Isoli

NIDS: Snort. Group 8. Niccolò Bisagno, Francesco Fiorenza, Giulio Carlo Gialanella, Riccardo Isoli NIDS: Snort Group 8 Niccolò Bisagno, Francesco Fiorenza, Giulio Carlo Gialanella, Riccardo Isoli 1 Summary NIDS Snort Syn Flood Attack Exploit Kit Detection: Bleeding Life Packet Level Evasion Snort as

More information

IDS: Signature Detection

IDS: Signature Detection IDS: Signature Detection Idea: What is bad, is known What is not bad, is good Determines whether a sequence of instructions being executed is known to violate the site security policy Signatures: Descriptions

More information

CIH

CIH mitigating at host level, 23 25 at network level, 25 26 Morris worm, characteristics of, 18 Nimda worm, characteristics of, 20 22 replacement login, example of, 17 signatures. See signatures SQL Slammer

More information

* Knowledge of Adaptive Security Appliance (ASA) firewall, Adaptive Security Device Manager (ASDM).

* Knowledge of Adaptive Security Appliance (ASA) firewall, Adaptive Security Device Manager (ASDM). Contents Introduction Prerequisites Requirements Components Used Background Information Configuration Step 1. Configure Intrusion Policy Step 1.1. Create Intrusion Policy Step 1.2. Modify Intrusion Policy

More information

Understanding Cisco Cybersecurity Fundamentals

Understanding Cisco Cybersecurity Fundamentals 210-250 Understanding Cisco Cybersecurity Fundamentals NWExam.com SUCCESS GUIDE TO CISCO CERTIFICATION Exam Summary Syllabus Questions Table of Contents Introduction to 210-250 Exam on Understanding Cisco

More information

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats. Network IPS Overview Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats. By using protocol recognition, identification, and traffic analysis

More information

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings) Security Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings) Lecture Outline Network Attacks Attive Attacks Passive Attacks TCP Attacks Contermeasures IPSec SSL/TLS Firewalls

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS 1 FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN ooding: attacker

More information

Chapter 8 roadmap. Network Security

Chapter 8 roadmap. Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e-mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing

More information

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis Intrusion Detection Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 22-1 1. Intruders 2. Intrusion

More information

BOR3307: Intro to Cybersecurity

BOR3307: Intro to Cybersecurity Key Terms for lesson 4 are listed below: It is important that you maintain a copy of these key terms handy as you take this course and complete the readings. Working from a standard lexicon will keep you

More information

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng Firewalls IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Internet Security Mechanisms Prevent: Firewall, IPsec, SSL Detect: Intrusion Detection Survive/ Response: Recovery, Forensics

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

2. INTRUDER DETECTION SYSTEMS

2. INTRUDER DETECTION SYSTEMS 1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding

More information

Defending Computer Networks Lecture 12: NIDS. Stuart Staniford Adjunct Professor of Computer Science

Defending Computer Networks Lecture 12: NIDS. Stuart Staniford Adjunct Professor of Computer Science Defending Computer Networks Lecture 12: NIDS Stuart Staniford Adjunct Professor of Computer Science Logis;cs Quiz 2 next Tuesday (10/13/15) Quiz 1 graded (in CMS, papers in front) Range 5-11, mean 9.4

More information

Intrusion Detection - Snort

Intrusion Detection - Snort Intrusion Detection - Snort 1 Sometimes, Defenses Fail Our defenses aren t perfect Patches aren t applied promptly enough AV signatures not always up to date 0-days get through Someone brings in an infected

More information

Detecting Attacks, Part 2

Detecting Attacks, Part 2 Detecting Attacks, Part 2 CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/

More information

Intrusion Detection - Snort

Intrusion Detection - Snort Intrusion Detection - Snort Network Security Workshop 3-5 October 2017 Port Moresby, Papua New Guinea 1 Sometimes, Defenses Fail Our defenses aren t perfect Patches aren t applied promptly enough AV signatures

More information

ProCurve Network Immunity

ProCurve Network Immunity ProCurve Network Immunity Hans-Jörg Elias Key Account Manager hans-joerg.elias@hp.com 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

More information

Internet Security: Firewall

Internet Security: Firewall Internet Security: Firewall What is a Firewall firewall = wall to protect against fire propagation More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits

More information

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network Always Remember Chapter #1: Network Device Configuration There is no 100 percent secure system, and there is nothing that is foolproof! 2 Outline Learn about the Security+ exam Learn basic terminology

More information

Certified Snort Professional VS-1148

Certified Snort Professional VS-1148 VS-1148 Certified Snort Professional Certification Code VS-1148 Vskills certification for Snort Professional assesses the candidate as per the company s need for network security and assessment. The certification

More information

Question No: 2 Which identifier is used to describe the application or process that submitted a log message?

Question No: 2 Which identifier is used to describe the application or process that submitted a log message? Volume: 65 Questions Question No: 1 Which definition of a fork in Linux is true? A. daemon to execute scheduled commands B. parent directory name of a file pathname C. macros for manipulating CPU sets

More information

Implementing Cisco Cybersecurity Operations

Implementing Cisco Cybersecurity Operations 210-255 Implementing Cisco Cybersecurity Operations NWExam.com SUCCESS GUIDE TO CISCO CERTIFICATION Exam Summary Syllabus Questions Table of Contents Introduction to 210-255 Exam on Implementing Cisco

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 6 Intrusion Detection First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Intruders significant issue hostile/unwanted

More information

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation) 1 Network Security Kitisak Jirawannakool Electronics Government Agency (public organisation) A Brief History of the World 2 OSI Model vs TCP/IP suite 3 TFTP & SMTP 4 ICMP 5 NAT/PAT 6 ARP/RARP 7 DHCP 8

More information

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been

More information

Authors: Mark Handley, Vern Paxson, Christian Kreibich

Authors: Mark Handley, Vern Paxson, Christian Kreibich Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics Authors: Mark Handley, Vern Paxson, Christian Kreibich Exploitable Ambiguities NIDS does not have full range

More information

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005 Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks

More information

Overview Intrusion Detection Systems and Practices

Overview Intrusion Detection Systems and Practices Overview Intrusion Detection Systems and Practices Chapter 13 Lecturer: Pei-yih Ting Intrusion Detection Concepts Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy

More information

Integrating Juniper Sky Advanced Threat Prevention (ATP) and ForeScout CounterACT for Infected Host Remediation

Integrating Juniper Sky Advanced Threat Prevention (ATP) and ForeScout CounterACT for Infected Host Remediation Integrating Juniper Sky Advanced Threat Prevention (ATP) and ForeScout CounterACT for Infected Host Remediation Configuration Example March 2018 2018 Juniper Networks, Inc. Juniper Networks, Inc. 1133

More information

Introduction to IA Class Notes. 2 Copyright 2018 M. E. Kabay. All rights reserved. 4 Copyright 2018 M. E. Kabay. All rights reserved.

Introduction to IA Class Notes. 2 Copyright 2018 M. E. Kabay. All rights reserved. 4 Copyright 2018 M. E. Kabay. All rights reserved. IDS & IPD CSH6 Chapter 27 Intrusion Detection & Intrusion Prevention Devices Rebecca Gurley Bace Topics Security Behind the Firewall Main Concepts Intrusion Prevention Information Sources Analysis Schemes

More information

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government

More information

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic Chapter Objectives n Understand how to use appropriate software tools to assess the security posture of an organization Chapter #7: Technologies and Tools n Given a scenario, analyze and interpret output

More information

CSCI 680: Computer & Network Security

CSCI 680: Computer & Network Security CSCI 680: Computer & Network Security Lecture 15 Prof. Adwait Nadkarni Fall 2017 Derived from slides by William Enck and Micah Sherr 1 Grading Class Participat ion and Quizzes 10% Grade Breakdown Homewo

More information

1. Intrusion Detection and Prevention Systems

1. Intrusion Detection and Prevention Systems 1. Intrusion Detection and Prevention Systems Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which

More information

Security Principles SNORT - IDS

Security Principles SNORT - IDS Security Principles SNORT - IDS Intrusion detection What is intrusion detection? Technically, any method that allows you to discover if someone has penetrated or is attempting intrusion into your network,

More information

OSSIM Fast Guide

OSSIM Fast Guide ----------------- OSSIM Fast Guide ----------------- February 8, 2004 Julio Casal http://www.ossim.net WHAT IS OSSIM? In three phrases: - VERIFICATION may be OSSIM s most valuable contribution

More information

CE Advanced Network Security Honeypots

CE Advanced Network Security Honeypots CE 817 - Advanced Network Security Honeypots Lecture 12 Mehdi Kharrazi Department of Computer Engineering Sharif University of Technology Acknowledgments: Some of the slides are fully or partially obtained

More information

Managing SonicWall Gateway Anti Virus Service

Managing SonicWall Gateway Anti Virus Service Managing SonicWall Gateway Anti Virus Service SonicWall Gateway Anti-Virus (GAV) delivers real-time virus protection directly on the SonicWall security appliance by using SonicWall s IPS-Deep Packet Inspection

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 12 Week of April 24, 2017 Question 1 Detection strategies (20 min) Suppose you are responsible for detecting attacks on the UC Berkeley network, and

More information

Michael Rash DEFCON 12 07/31/2004

Michael Rash DEFCON 12 07/31/2004 Advanced Netfilter: Content Replacement (ala Snort_inline) and Combining Port Knocking with p0f Michael Rash DEFCON 12 07/31/2004 http://www.enterasys.com http://www.cipherdyne.org Introduction Port knocking

More information

ASA/PIX Security Appliance

ASA/PIX Security Appliance I N D E X A AAA, implementing, 27 28 access to ASA/PIX Security Appliance monitoring, 150 151 securing, 147 150 to websites, blocking, 153 155 access control, 30 access policies, creating for web and mail

More information

Computer Security and Privacy

Computer Security and Privacy CSE P 590 / CSE M 590 (Spring 2010) Computer Security and Privacy Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for

More information

Introduction to Security

Introduction to Security IS 2150 / TEL 2810 Introduction to Security James Joshi Professor, SIS Lecture 12 2016 Intrusion Detection, Auditing System Firewalls & VPN 1 Intrusion Detection 2 Intrusion Detection/Response Denning:

More information

Basic Concepts in Intrusion Detection

Basic Concepts in Intrusion Detection Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification

More information

Computer Network Vulnerabilities

Computer Network Vulnerabilities Computer Network Vulnerabilities Objectives Explain how routers are used to protect networks Describe firewall technology Describe intrusion detection systems Describe honeypots Routers Routers are like

More information

A Distributed Intrusion Alert System

A Distributed Intrusion Alert System A Distributed Intrusion Alert System Chih-Yao Lin, Hsiang-Ren Shih, and Yomin Hou Taiwan National Computer Emergency Response Team {chinyao, shr, yominhou}@twncert.org.tw Abstract In this paper, a distributed

More information

Firewall and IDS/IPS. What is a firewall?

Firewall and IDS/IPS. What is a firewall? Firewall and IDS/IPS Antonio Lioy < lioy @ polito.it > Politecnico di Torino Dip. Automatica e Informatica What is a firewall? firewall = wall to protect against fire propagation controlled connection

More information

HONEYNET SOLUTIONS. A deployment guide 1. INTRODUCTION. Ronald C Dodge JR, Richard T Brown, Daniel J Ragsdale

HONEYNET SOLUTIONS. A deployment guide 1. INTRODUCTION. Ronald C Dodge JR, Richard T Brown, Daniel J Ragsdale HONEYNET SOLUTIONS A deployment guide Ronald C Dodge JR, Richard T Brown, Daniel J Ragsdale United States Military Academy Abstract: Key words: Honeynets provide network and system managers a unique intrusion

More information

CSC Network Security

CSC Network Security CSC 474 -- Security Topic 9. Firewalls CSC 474 Dr. Peng Ning 1 Outline Overview of Firewalls Filtering Firewalls Proxy Servers CSC 474 Dr. Peng Ning 2 Overview of Firewalls CSC 474 Dr. Peng Ning 3 1 Internet

More information

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015 Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity:

More information

Positive Security Model for Web Applications, Challenges. Ofer Shezaf OWASP IL Chapter leader CTO, Breach Security

Positive Security Model for Web Applications, Challenges. Ofer Shezaf OWASP IL Chapter leader CTO, Breach Security Positive Security Model for Web Applications, Challenges and Promise Ofer Shezaf OWASP IL Chapter leader CTO, Breach Security Introduction Breach Security, Inc. Breach Security is the market leader in

More information

Exam : : Implementing Cisco Intrusion Prevention Systems. Title. Ver :

Exam : : Implementing Cisco Intrusion Prevention Systems. Title. Ver : Exam : 642-532 Title : Implementing Cisco Intrusion Prevention Systems Ver : 09.27.07 QUESTION 1: A new IDSM2 module was installed in the Certkiller network. Which of the following features regarding the

More information

Network Security Fundamentals

Network Security Fundamentals Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 6 Firewalls & VPNs Topics Firewall Fundamentals Case

More information

CNIT 121: Computer Forensics. 9 Network Evidence

CNIT 121: Computer Forensics. 9 Network Evidence CNIT 121: Computer Forensics 9 Network Evidence The Case for Network Monitoring Types of Network Monitoring Types of Network Monitoring Event-based alerts Snort, Suricata, SourceFire, RSA NetWitness Require

More information

A Study on Intrusion Detection Techniques in a TCP/IP Environment

A Study on Intrusion Detection Techniques in a TCP/IP Environment A Study on Intrusion Detection Techniques in a TCP/IP Environment C. A. Voglis and S. A. Paschos Department of Computer Science University of Ioannina GREECE Abstract: The TCP/IP protocol suite is the

More information

IDS / SNORT. Matsuzaki maz Yoshinobu stole slides from Fakrul Alam

IDS / SNORT. Matsuzaki maz Yoshinobu stole slides from Fakrul Alam IDS / SNORT Matsuzaki maz Yoshinobu stole slides from Fakrul Alam 1 Sometimes, Defenses Fail Our defenses aren t perfect Patches weren t applied promptly enough Antivirus signatures not

More information

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work? Lab1 Definition of Sniffing: A program or device that captures vital information from the network traffic specific to a particular network. Passive Sniffing: It is called passive because it is difficult

More information

Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development

Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development Weekly Tasks Week 5 Rich Macfarlane 2013 Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development Aim: The aim of these labs are to further investigate the Snort, network IDS, and methods

More information

Intrusion Detection - Snort. Network Security Workshop April 2017 Bali Indonesia

Intrusion Detection - Snort. Network Security Workshop April 2017 Bali Indonesia Intrusion Detection - Snort Network Security Workshop 25-27 April 2017 Bali Indonesia Issue Date: [31-12-2015] Revision: [V.1] Sometimes, Defenses Fail Our defenses aren t perfect Patches weren t applied

More information

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A

Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y / P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A Firewalls N E T W O R K ( A N D D ATA ) S E C U R I T Y 2 01 6 / 2 017 P E D R O B R A N D Ã O M A N U E L E D U A R D O C O R R E I A Slides are based on slides by Dr Lawrie Brown (UNSW@ADFA) for Computer

More information

COMPUTER NETWORK SECURITY

COMPUTER NETWORK SECURITY COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls

More information

Chapter 6: IPS. CCNA Security Workbook

Chapter 6: IPS. CCNA Security Workbook Chapter 6: IPS Technology Brief As the awareness of cyber and network security is increasing day by day, it is very important to understand the core concepts of Intrusion Detection/Defense System (IDS)

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

CSc 466/566. Computer Security. 18 : Network Security Introduction

CSc 466/566. Computer Security. 18 : Network Security Introduction 1/81 CSc 466/566 Computer Security 18 : Network Security Introduction Version: 2012/05/03 13:57:28 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg

More information

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640

UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prevention, and Penetration Testing CSEC 640 Contents Topic 1: Analogy... 2 Analogy: Deterring Jewel Thieves at a Museum... 2 Topic 2: Module Introduction... 4 Topic 3: Host-Based Intrusion Detection... 5 How Host-Based IDSs Work... 5 Topic 4: IDS

More information

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities Ethical Hacking and Countermeasures: Web Chapter 3 Web Application Vulnerabilities Objectives After completing this chapter, you should be able to: Understand the architecture of Web applications Understand

More information

CSC 574 Computer and Network Security. TCP/IP Security

CSC 574 Computer and Network Security. TCP/IP Security CSC 574 Computer and Network Security TCP/IP Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) Network Stack, yet again Application Transport Network

More information

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet Chapter 2 - Part 1 The TCP/IP Protocol: The Language of the Internet Protocols A protocol is a language or set of rules that two or more computers use to communicate 2 Protocol Analogy: Phone Call Parties

More information

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Actual4Test.   Actual4test - actual test exam dumps-pass for IT exams Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : GCFW Title : GIAC Certified Firewall Analyst Vendors : GIAC Version : DEMO Get Latest & Valid GCFW Exam's

More information

Raj Jain. Washington University in St. Louis

Raj Jain. Washington University in St. Louis Intrusion Detection Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

More information

Intrusion Detection. Daniel Bosk. Department of Information and Communication Systems, Mid Sweden University, Sundsvall.

Intrusion Detection. Daniel Bosk. Department of Information and Communication Systems, Mid Sweden University, Sundsvall. Intrusion Detection Daniel Bosk Department of Information and Communication Systems, Mid Sweden University, Sundsvall. intrusion.tex 2093 2014-11-26 12:20:57Z danbos Overview 1 Intruders Intruders Behaviour

More information

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 8 System Vulnerabilities and Denial of Service Attacks System Vulnerabilities and

More information

Foreword by Todd Heberlein

Foreword by Todd Heberlein ConteNTS in Detail About the Author Foreword by Todd Heberlein xvii xix Preface xxv Audience... xxvi Prerequisites... xxvii A Note on Software and Protocols... xxvii Scope.... xxviii Acknowledgments...

More information