Intrusion Detection Systems

Similar documents
Overview Intrusion Detection Systems and Practices

Intrusion Detection and Malware Analysis

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection

2. INTRUDER DETECTION SYSTEMS

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

CIT 480: Securing Computer Systems

UMSSIA INTRUSION DETECTION

Distributed Denial of Service (DDoS)

Network Security: Firewall, VPN, IDS/IPS, SIEM

Intrusion Detection System

Intrusion Detection Systems and Network Security

Topics. Principles of Intrusion Detection. Intrusion Detection. Characteristics of systems not under attack

CS Review. Prof. Clarkson Spring 2017

Introduction to IA Class Notes. 2 Copyright 2018 M. E. Kabay. All rights reserved. 4 Copyright 2018 M. E. Kabay. All rights reserved.

Enhancing Byte-Level Network Intrusion Detection Signatures with Context

Mobile Agent Based Adaptive Intrusion Detection and Prevention Systems

Vulnerability Assessment. Detection. Aspects of Assessment. 1. Asset Identification. 1. Asset Identification. How Much Danger Am I In?

OSSIM Fast Guide

CE Advanced Network Security

Behavior-Based IDS: StealthWatch Overview and Deployment Methodology

Basic Concepts in Intrusion Detection

ANOMALY DETECTION IN COMMUNICTION NETWORKS

CND Exam Blueprint v2.0

Network Security Terms. Based on slides from gursimrandhillon.files.wordpress.com

CSE 565 Computer Security Fall 2018

Intrusion Detection Systems (IDS)

intelop Stealth IPS false Positive

CSC 574 Computer and Network Security. Firewalls and IDS

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Intrusion Detection - Snort

CS 161 Computer Security

CSE543 - Computer and Network Security Module: Intrusion Detection

Overview of Firewalls. CSC 474 Network Security. Outline. Firewalls. Intrusion Detection System (IDS)

CSE543 - Computer and Network Security Module: Intrusion Detection

Intrusion Detection -- A 20 year practice. Outline. Till Peng Liu School of IST Penn State University

Developing the Sensor Capability in Cyber Security

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

Introduction to Security

APPLICATION OF INTRUSION DETECTION SOFTWARE TO PROTECT TELEMETRY DATA IN OPEN NETWORKED COMPUTER ENVIRONMENTS.

Intrusion Detection Systems (IDS)

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Intrusion Detection Systems Overview

Intrusion Detection - Snort

Intrusion Detection. October 19, 2018

Network Security. Chapter 0. Attacks and Attack Detection

Network Security. Course notes. Version

Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

The Reconnaissance Phase

CSCI 454/554 Computer and Network Security. Topic 8.4 Firewalls and Intrusion Detection Systems (IDS)

Anomaly Detection in Communication Networks

IDS: Signature Detection

IP Profiler. Tracking the activity and behavior of an IP address. Author: Fred Thiele (GCIA, CISSP) Contributing Editor: David Mackey (GCIH, CISSP)

An Anomaly-Based Intrusion Detection System for the Smart Grid Based on CART Decision Tree

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

system to cover their tracks, the HIDS can provide an independent audit trail of the attack.

Outline. Internet Security Mechanisms. Basic Terms. Example Attacks

AIT 682: Network and Systems Security

Computer Security: Principles and Practice

SIEM Overview with OSSIM Case Study. Mohammad Husain, PhD Cal Poly Pomona

Security Correlation Server System Deployment and Planning Guide

Compare Security Analytics Solutions

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Flow-based Anomaly Intrusion Detection System Using Neural Network

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

FlowMatrix Tutorial. FlowMatrix modus operandi

SIEM (Security Information Event Management)

Raj Jain. Washington University in St. Louis

HikCentral V1.3 for Windows Hardening Guide

Managing Latency in IPS Networks

You will discuss topics related to ethical hacking, information risks, and security techniques which hackers will seek to circumvent.

HSNORT: A Hybrid Intrusion Detection System using Artificial Intelligence with Snort

Enterprise Protection for the Administrator

Forensic Network Analysis in the Time of APTs

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Chapter 7. Network Intrusion Detection and Analysis. SeoulTech UCS Lab (Daming Wu)

CS Review. Prof. Clarkson Spring 2016

BraindumpsVCE. Best vce braindumps-exam vce pdf free download

IBM Security technology and services for GDPR programs GIULIA CALIARI SECURITY ARCHITECT

Configuring Anomaly Detection

Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development

Online Intrusion Alert Based on Aggregation and Correlation

Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS

SCP SC Network Defense and Countermeasures (NDC) Exam.

SSL Automated Signatures

Stefano Zanero. Ph.D. Student, Politecnico di Milano CTO & Founder, Secure Network S.r.l.

CSE 565 Computer Security Fall 2018

How to Test an IDS? GENESIDS: An Automated System for Generating Attack Traffic

Reducing the Cost of Incident Response

Outline. Intrusion Detection. Intrusion Detection History. Some Challenges. Network-based Host Compromises. Host-based Network Intrusion Detection

Getting Started Guide. This document provides step-by-step instructions for installing Max Secure Anti-Virus and its prerequisite software.

Chapter 22: Intrusion Detection

Introduction Challenges with using ML Guidelines for using ML Conclusions

Configuring Anomaly Detection

Configuring Anomaly Detection

Intrusion Detection Using Data Mining Technique (Classification)

Implementation of Signature-based Detection System using Snort in Windows

Lecture 12 Malware Defenses. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422

Collaborative Intrusion Detection System : A Framework for Accurate and Efficient IDS. Outline

Transcription:

Intrusion Detection Systems Dr. Ahmad Almulhem Computer Engineering Department, KFUPM Spring 2008 Ahmad Almulhem - Network Security Engineering - 2008 1 / 15

Outline 1 Introduction Overview History 2 Types Misuse Anomaly 3 Examples Snort Tripwire 4 Conclusion Comparisons Ahmad Almulhem - Network Security Engineering - 2008 2 / 15

Overview History Need for Detection Someone trying to go in House door and window are locked, why install an alarm? What if you forget to lock? What if you forget to update your firewall? Ahmad Almulhem - Network Security Engineering - 2008 3 / 15

Overview History Intrusion Detection Systems Definition (Intrusion Detection Systems) An intrusion detection system (IDS) is a system that monitors computing resources (a single host or an entire network) in order to detect attacks and/or anomalous activities. Requires reliable and complete data about the target system Don not detect intrusions, instead identify evidence (manifestation) of intrusions! Similar to a smoke detector (detect smoke, not fire!) Ahmad Almulhem - Network Security Engineering - 2008 4 / 15

Overview History IDS Goals Detect wide variety of intrusions Previously known and unknown attacks Suggests need to learn/adapt to new attacks or changes in behavior Detect intrusions in timely fashion Needs to be real-time, especially when system responds to intrusion Problem: analyzing commands may impact response time of system May suffice to report intrusion occurred a few minutes or hours ago Present analysis in simple, easy-to-understand format Ideally a binary indicator Usually more complex, allowing analyst to examine suspected attack User interface critical, especially when monitoring many systems Be accurate Minimize false positives, false negatives Minimize time spent verifying attacks, looking for them Ahmad Almulhem - Network Security Engineering - 2008 5 / 15

Overview History Where does IDS fit? Lines of defenses in network security model 1 Prevention: Firewalls, authentication, access control 2 Detection: IDS Ahmad Almulhem - Network Security Engineering - 2008 6 / 15

Overview History Intrusion Detection History Originally, system admins performed intrusion detection by sitting in front of a console and monitoring user activities e.g. a vacationing user login locally, a never used printer is active ad hoc and not scalable 70s and early 80s, admins print audit logs and search them every week time consuming forensic tool after the fact no hope to catch ongoing intrusions Ahmad Almulhem - Network Security Engineering - 2008 7 / 15

Overview History Intrusion Detection History 80, as storage became cheaper, audit logs moved online researchers developed programs to analyze the data but, analysis was slow and often computationally intensive, usually run at night 90s, researchers developed real-time intrusion detection systems in some cases, attack preemption distributed intrusion detection Ahmad Almulhem - Network Security Engineering - 2008 8 / 15

Misuse Anomaly IDS Types Source of Data: 1 Network-based IDS Analyze traffic 2 Host-based IDS Analyze logs Check file-system integrity Detection Method: 1 Signature-based (misuse-based) IDS 2 Anomaly-based IDS Ahmad Almulhem - Network Security Engineering - 2008 9 / 15

Misuse Anomaly Signature-Based IDS Signature-based IDS An IDS which detects attacks by matching against a database of known attacks. Similar to anti-virus software Have a database of attack signatures (e.g. GET /etc/passwd) If a a rule matches, an alert fires Simple and effective New attacks are not detected! Ahmad Almulhem - Network Security Engineering - 2008 10 / 15

Misuse Anomaly Anomaly-Based IDS Anomaly-Based IDS An IDS which builds a model of normal system behaviour, and alerts when a deviation from the model is detected. Classify into either normal or anomalous How do you define normal? (e.g. a user normal activities) AI techniques: Neural networks Mathematical Techniques: Threshold metrics, statistics (mean, std) Ahmad Almulhem - Network Security Engineering - 2008 11 / 15

Snort Tripwire Snort Network-Based / Misuse-based (signature-based) Uses rules of attacks Open-source Snort Rule alert tcp any any -> 192.168.1.0/24 111 (content:" 00 01 86 a5 "; msg: "mountd access";) Ahmad Almulhem - Network Security Engineering - 2008 12 / 15

Snort Tripwire Tripwire Host-based / Anomaly-Based Ensure the integrity of critical system files Create a baseline database of file locations, dates modified, and other data Identify changes made to them Ahmad Almulhem - Network Security Engineering - 2008 13 / 15

Comparisons Network-Based vs Host-Based Network-based (NIDS) Advantages Easy to deploy Monitors many hosts Disadvantages Difficulty processing in high-speed networks Difficulty with encrypted protocols No indicator of attack success Host-based (HIDS) Advantages Detects at application layer No trouble with encryption Disadvantages Harder to manage, correlate data IDS on host may be attacked and/or disabled Ahmad Almulhem - Network Security Engineering - 2008 14 / 15

Comparisons Signature-based vs Anomaly-Based Signature-based Advantages Simple and effective Easy to administer Disadvantages Can t detect new attacks Can t detect slightly modified signatures Anomaly-based Advantages Detects new attacks Disadvantages Require extensive training sets of data to determine what is normal Usually produce a high number of false alarms Ahmad Almulhem - Network Security Engineering - 2008 15 / 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback