IDS: Signature Detection


IDS: Signature Detection
- Idea: what is bad is known; what is not bad is good
- Determines whether a sequence of instructions being executed is known to violate the site security policy
- Signatures: descriptions of known or potential exploits, grouped into rule sets
- The IDS matches data against the rule sets; on a match, a potential attack has been found
- Rule-based anomaly detection
  - Analyze historical audit records for expected behavior, then match against current behavior
  - Similar in approach to statistical anomaly detection
- Rule-based penetration identification
  - Rules identify known penetrations / weaknesses
  - Often derived by analyzing attack scripts from the Internet
  - Supplemented with rules from security experts
- Issue: cannot detect attacks unknown to the developers of the rule set

IDS: Requirements
- Run continually
- Minimal human supervision
- Fault tolerant, e.g. able to recover from system crashes
- Provide graceful degradation of service, e.g. mostly unaffected by the failure of single IDS components
- Resist subversion, e.g. able to detect modification of itself by an attacker
- Impose minimal overhead on the system
- Scale to monitor large numbers of systems
- Configured according to the system security policies
- Adapt to changes in systems and users

Intrusion Detection Structures

Host-Based IDS
- Specialized software that monitors system activity to detect suspicious behavior
- Primary purpose: detect intrusions, log suspicious events, and send alerts
- Can detect both external and internal intrusions
- Two approaches, often used in combination:
  - Anomaly detection: defines normal/expected behavior (threshold detection, profile based)
  - Signature detection: defines attack patterns

Distributed Host-Based IDS
- Host agent module: collects audits on the host and transmits them to the central manager
- LAN monitor agent module: collects and reports LAN audits to the central manager
- Central manager module: correlates reports from hosts and the LAN monitor to detect intrusions

Distributed Host-Based IDS
- Filter: retains records of security interest and creates a standardised host audit record (HAR)
- Template-driven logic: scans for notable events (failed access, change of access control), known attack patterns, and abnormality of user behaviour; sends an alert to the central manager
- Central manager: draws inferences from HARs; can request additional HARs from hosts
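The three host-based slides above (rule-based anomaly detection against historical audit records, threshold/profile-based detection, and the agent's filter and template-driven logic producing HARs) can be shown end to end in one small pipeline. The following is an added example, not code from the slides or from any IDS product: the raw audit lines, the field names, the historical profile and the thresholds are all constructed for illustration.

```python
"""Host-based IDS pipeline: filter raw audit lines into standardised host
audit records (HARs), apply template rules for notable events, and flag
anomalous behaviour against a per-user profile.  Added example; the audit
lines, field names and thresholds below are constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed raw audit lines in a syslog-like shape (not real system output).
RAW_AUDIT = """\
2024-03-01T09:00:01 host1 login user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:03 host1 login user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:05 host1 login user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:07 host1 login user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:09 host1 login user=alice result=OK src=10.0.0.5
2024-03-01T09:01:00 host1 chmod user=alice file=/etc/shadow mode=0666
2024-03-01T09:02:00 host1 login user=bob result=OK src=10.0.0.9
2024-03-01T09:02:30 host1 cron user=root job=logrotate
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


@dataclass
class HAR:
    """Standardised host audit record (field set is an assumption of this example)."""
    ts: str
    host: str
    action: str
    user: str
    fields: dict


def filter_to_hars(raw: str) -> list:
    """Filter step: keep only records of security interest (logins and
    access-control changes) and normalise them into HARs."""
    hars = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, action, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        if action not in ("login", "chmod", "chown"):
            continue  # not of security interest for this filter
        hars.append(HAR(ts, host, action, fields.get("user", "?"), fields))
    return hars


def template_alerts(hars):
    """Template-driven logic: match each HAR against notable-event templates."""
    alerts = []
    for h in hars:
        if h.action == "login" and h.fields.get("result") == "FAIL":
            alerts.append(("failed_access", h.user, h.ts))
        if h.action in ("chmod", "chown"):
            alerts.append(("access_control_change", h.user, h.fields.get("file")))
    return alerts


def anomaly_alerts(hars, profile, factor=2):
    """Profile-based threshold detection: flag a user whose failed-login count
    exceeds `factor` times the expected count learned from historical audit data."""
    fails = Counter(h.user for h in hars
                    if h.action == "login" and h.fields.get("result") == "FAIL")
    return [(u, n) for u, n in fails.items() if n > factor * profile.get(u, 0)]


# Constructed historical profile: expected failed logins per user in this window.
PROFILE = {"alice": 1, "bob": 1}


def run():
    """Return (template alerts, anomaly alerts) for the constructed audit data."""
    hars = filter_to_hars(RAW_AUDIT)
    return template_alerts(hars), anomaly_alerts(hars, PROFILE)


if __name__ == "__main__":
    templates, anomalies = run()
    for a in templates:
        print("template:", a)
    for a in anomalies:
        print("anomaly:", a)
```

The filter drops the cron record as uninteresting, the template logic raises one alert per failed access and one for the permission change on a sensitive file, and the anomaly rule fires only for alice, whose four failures exceed twice her historical expectation; bob's single successful login raises nothing.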

Network-Based IDS (NIDS)
- Monitors traffic at selected points on a network, in (near) real time, to detect intrusion patterns
- May examine network, transport and/or application level protocol activity directed toward systems
- Comprises a number of sensors:
  - Inline: the actual traffic passes through the sensor; possibly realized as part of another network device, i.e. no additional hardware required
  - Passive: monitors a copy of the actual traffic, therefore more efficient than inline

NIDS: Sensor Deployment
Positions of network IDS sensors, to analyse:
1) problems with the firewall policy and attacks from the outside world that could penetrate the perimeter defence
2) the number and types of attacks from the Internet targeting the network
3) major backbone networks, to detect unauthorized activities by authorized users within the organisation's network
4) attacks targeting critical system resources

NIDS: Intrusion Detection Techniques
- Signature detection: at the application, transport and network layers; unexpected application services, policy violations
- Anomaly detection: detection of denial of service attacks, scanning, worms
- Function of sensors: sends an alert and logs information if a violation is detected
  - Used by the analysis module to refine intrusion detection parameters and algorithms
  - Used by the security admin to improve protection

Distributed Adaptive Intrusion Detection
- Issues with the former IDSs:
  - Monitor selected parts of the network and may miss an attack
  - Less appropriate for loose boundaries (e.g. hosts may join or disappear)
- Distributed adaptive IDS:
  - Does not rely on perimeter defence like firewalls
  - Each host and network device is considered a sensor
  - Nodes use a peer-to-peer gossip protocol to inform each other of suspicions
  - If enough gossip messages are received, an attack is assumed

Intrusion Detection Exchange Format
- Data source: raw data used by the IDS to detect unauthorized/undesired activity
- Sensor: collects data from the data source and forwards events to the analyzer
- Analyzer: process that analyzes the collected data for unauthorized/undesired activity
- Administrator: human with overall responsibility for setting the security policy of the organization
- Manager: process from which the operator manages the components of the ID system
- Operator: human who is the primary user of the IDS manager

SNORT

SNORT
- Lightweight IDS
- Real-time packet capture and rule analysis
- Passive or inline
- Components:
  - Packet decoder: identifies and isolates the protocol headers at the data link, network, transport, and application layers
  - Detection engine: does the intrusion detection; analyses each packet using the rules defined for this Snort configuration by the security administrator
  - Logger: logs packets that match a rule, for later analysis
  - Alerter: sends an alert for a detected event; whether a log entry or an alert is created is determined by the Snort rules

SNORT Rules
- Use a simple, flexible rule definition language, with a fixed header and zero or more options
- Header includes:
  - Action: what to do when a packet matching the rule criteria is found
  - Protocol: if the packet protocol matches this field, analysis proceeds
  - Source IP: source of the packet
  - Source port: for the specified protocol (e.g., a TCP port)
  - Direction: unidirectional (->) or bidirectional (<->)
  - Destination IP, destination port
- Example rule to detect a TCP SYN-FIN attack:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any \
      (msg:"SCAN SYN FIN"; flags:SF,12; \
      reference:arachnids,198; classtype:attempted-recon;)
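To make the header/option split concrete, here is an added example (not Snort's own parser, and not code from the slides) that parses the SYN-FIN rule above into its header fields and options and evaluates it against constructed packets. It supports only the syntax the slide uses; the bindings of $HOME_NET and $EXTERNAL_NET, the packet dictionaries and the flag-bit table are assumptions of the example (Snort reads the variables from its configuration file).

```python
"""Minimal Snort-style rule parser and matcher for the rule on the slide.
Added example, not Snort's parser: only action/protocol/addresses/ports/
direction and the msg, flags, reference and classtype options are handled.
$HOME_NET / $EXTERNAL_NET bindings and the packets are constructed."""
import ipaddress

RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"SCAN SYN FIN"; flags:SF,12; '
        'reference:arachnids,198; classtype:attempted-recon;)')

# Constructed variable bindings; None means "anything not in $HOME_NET".
VARS = {"$HOME_NET": ipaddress.ip_network("192.168.1.0/24"),
        "$EXTERNAL_NET": None}

# TCP flag bits as used by the flags option (1 and 2 are the reserved bits).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}


def parse_rule(text):
    """Split a rule into its fixed header and a dict of options."""
    head, _, opts = text.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    options = {}
    for item in opts.rstrip(")").split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def addr_matches(spec, ip):
    """Match an address field: 'any', a $VAR, or a literal address/CIDR."""
    if spec == "any":
        return True
    if spec in VARS:
        net = VARS[spec]
        if net is None:  # $EXTERNAL_NET := not $HOME_NET
            return ipaddress.ip_address(ip) not in VARS["$HOME_NET"]
        return ipaddress.ip_address(ip) in net
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def flags_match(spec, tcp_flags):
    """'SF,12': S and F set, all other bits clear, ignoring reserved bits 1 and 2."""
    want, _, ignore = spec.partition(",")
    mask = 0xFF
    for ch in ignore:
        mask &= ~FLAG_BITS[ch]
    expected = sum(FLAG_BITS[ch] for ch in want)
    return (tcp_flags & mask) == expected


def rule_matches(rule, pkt):
    """pkt is a constructed dict with proto, src, sport, dst, dport, flags."""
    if rule["proto"] != pkt["proto"]:
        return False
    fwd = (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
           and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    if rule["dir"] == "<->":  # bidirectional: also accept the reverse direction
        rev = (addr_matches(rule["src"], pkt["dst"]) and port_matches(rule["sport"], pkt["dport"])
               and addr_matches(rule["dst"], pkt["src"]) and port_matches(rule["dport"], pkt["sport"]))
        fwd = fwd or rev
    if not fwd:
        return False
    flags = rule["options"].get("flags")
    return flags is None or flags_match(flags, pkt["flags"])


# Constructed packets: a SYN+FIN probe from outside, and an ordinary SYN.
PROBE = {"proto": "tcp", "src": "203.0.113.7", "sport": 40000,
         "dst": "192.168.1.10", "dport": 22,
         "flags": FLAG_BITS["S"] | FLAG_BITS["F"]}
NORMAL = dict(PROBE, flags=FLAG_BITS["S"])


def evaluate(rule_text, pkt):
    """Return '<action>: <msg>' when the rule fires, else None."""
    rule = parse_rule(rule_text)
    if rule_matches(rule, pkt):
        return f'{rule["action"]}: {rule["options"]["msg"]}'
    return None


if __name__ == "__main__":
    print(evaluate(RULE, PROBE))   # alert: SCAN SYN FIN
    print(evaluate(RULE, NORMAL))  # None
```

The flags modifier is the part worth studying: `SF,12` requires exactly SYN and FIN, so a packet that also carries ACK does not match, while the two reserved bits are masked out so that their value never affects the decision.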

Honeypot

Honeypots
- Decoy systems, filled with fabricated information and instrumented with monitors / event loggers
- Divert and hold the attacker in order to collect information about their activity, without exposing production systems
- Initially single systems; more recently they are, or emulate, entire networks

Honeypot Deployment
Positions of honeypots:
1) Tracking attempts to connect to unused IP addresses within the scope of the network
2) Externally available services
3) Catching internal attacks, and detecting badly configured firewalls that forward impermissible traffic from the Internet to the internal network
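Position 1 relies on the fact that nothing legitimate should talk to an address that is not allocated. The following added example (not from the slides or any honeypot product) shows the detection side of that idea: given a constructed address plan and constructed flow records, it attributes every hit on an unused address to its source and flags sources that sweep several unused addresses, while a single stray connection is recorded but not escalated. The network, allocation list, flows and threshold are all assumptions of the example.

```python
"""Unused-address tracking for honeypot position 1.  Added example; the
address plan, the flow records and the alert threshold are constructed."""
import ipaddress
from collections import defaultdict

# Constructed address plan: the whole /24 is ours, only these hosts exist.
OUR_NET = ipaddress.ip_network("192.168.1.0/24")
ALLOCATED = {ipaddress.ip_address(a) for a in
             ("192.168.1.1", "192.168.1.10", "192.168.1.20", "192.168.1.30")}

# Constructed flow records (src, dst, dport) as a sensor on the segment would log them.
FLOWS = [
    ("10.0.0.5", "192.168.1.10", 443),   # legitimate: allocated host
    ("203.0.113.7", "192.168.1.2", 22),  # four hits on unused addresses
    ("203.0.113.7", "192.168.1.3", 22),
    ("203.0.113.7", "192.168.1.4", 22),
    ("203.0.113.7", "192.168.1.5", 22),
    ("10.0.0.9", "192.168.1.99", 80),    # one stray hit, e.g. a stale bookmark
    ("10.0.0.9", "192.168.1.20", 80),
]


def is_unused(dst):
    """True when dst lies in our range but is not an allocated host."""
    ip = ipaddress.ip_address(dst)
    return ip in OUR_NET and ip not in ALLOCATED


def unused_hits(flows):
    """Map each source to the set of unused addresses it tried to reach."""
    hits = defaultdict(set)
    for src, dst, _port in flows:
        if is_unused(dst):
            hits[src].add(dst)
    return hits


def sweep_alerts(flows, threshold=3):
    """Sources that touch at least `threshold` distinct unused addresses
    are reported as sweeping the range; single hits are kept for review only."""
    return sorted(src for src, dsts in unused_hits(flows).items()
                  if len(dsts) >= threshold)


if __name__ == "__main__":
    for src, dsts in unused_hits(FLOWS).items():
        print(f"{src} -> {sorted(dsts)}")
    print("sweep alerts:", sweep_alerts(FLOWS))  # ['203.0.113.7']
```

Counting distinct unused destinations rather than raw packets is deliberate: a retransmitting client hitting one dead address many times stays below the threshold, whereas a source walking across the range crosses it quickly.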

Malware

Malicious Software
- Programs exploiting system vulnerabilities, known as malicious software or malware
  - Program fragments that need a host program, e.g. viruses, logic bombs, and backdoors
  - Independent self-contained programs, e.g. worms, bots
  - Replicating or not
- A sophisticated threat to computer systems

Malware Terminology
- Virus
- Worm
- Logic bomb
- Trojan horse
- Backdoor (trapdoor)
- Mobile code
- Auto-rooter
- Kit (virus generator)
- Spammer and flooder programs
- Keyloggers
- Rootkit
- Zombie, bot

Viruses
- Piece of software that infects programs, modifying them to include a copy of the virus so that it executes secretly when the host program is run
- Specific to an operating system and hardware, taking advantage of their details and weaknesses
- Phases of a typical virus:
  - Dormant: idle state, eventually waiting for some event to start (e.g. presence of a program, file, ...)
  - Propagation: the virus copies itself to other programs
  - Triggering: activation of the designed malicious function
  - Execution: execution of the intended malicious function

Virus Structure
- Components:
  - Infection mechanism: enables replication
  - Trigger: event that makes the payload activate
  - Payload: what it does, malicious or benign
- The virus code is prepended / postpended / embedded; when the infected program is invoked, the virus code executes first, then the original program code
- Avoidance of viruses:
  - Block the initial infection (difficult / in general impossible)
  - Block propagation (with access controls)