Computer Security: Principles and Practice

Computer Security: Principles and Practice, First Edition, by William Stallings and Lawrie Brown
Chapter 6: Intrusion Detection
Lecture slides by Lawrie Brown

Intruders
- a significant issue for networked systems is hostile or unwanted trespass, ranging from benign to serious
- user trespass: unauthorized logon, privilege abuse
- software trespass: virus, worm, or trojan horse
- classes of intruders: masquerader (an outsider who penetrates access controls to use a legitimate user's account), misfeasor (a legitimate user who accesses what is not authorized or misuses privileges), clandestine user (one who seizes supervisory control and uses it to evade auditing and access controls)

Examples of Intrusion
- remote root compromise
- web server defacement
- guessing / cracking passwords
- copying or viewing sensitive data / databases
- running a packet sniffer
- distributing pirated software
- using an unsecured modem to access the network
- impersonating a user to get a password reset
- using an unattended workstation

Security Intrusion & Detection
- Security Intrusion: a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
- Intrusion Detection: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.

Hackers
- motivated by the thrill of access and status
- the hacking community is a strong meritocracy: status is determined by level of competence
- benign intruders might be tolerable, but they do consume resources and may slow performance
- can't know in advance whether an intruder is benign or malign
- IDS / IPS / VPNs can help counter them
- awareness led to the establishment of CERTs, which collect / disseminate vulnerability info / responses

Hacker Behavior Example
1. select target using IP lookup tools
2. map network for accessible services
3. identify potentially vulnerable services
4. brute force (guess) passwords
5. install remote administration tool
6. wait for admin to log on and capture password
7. use password to access remainder of network

Criminal Enterprise
- organized groups of hackers are now a threat: corporation / government / loosely affiliated gangs
- typically young, often Eastern European or Russian hackers
- common target: credit cards on an e-commerce server
- criminal hackers usually have specific targets; once penetrated, they act quickly and get out
- IDS / IPS help but are less effective against them; sensitive data needs strong protection

Criminal Enterprise Behavior
1. act quickly and precisely to make their activities harder to detect
2. exploit perimeter via vulnerable ports
3. use trojan horses (hidden software) to leave back doors for re-entry
4. use sniffers to capture passwords
5. do not stick around until noticed
6. make few or no mistakes

Insider Attacks
- among the most difficult to detect and prevent: employees have access and systems knowledge
- may be motivated by revenge or a sense of entitlement, e.g. when employment is terminated, or taking customer data when moving to a competitor
- IDS / IPS may help, but also need: least privilege, monitoring of logs, strong authentication, and a termination process that blocks access and mirrors data

Insider Behavior Example
1. create network accounts for themselves and their friends
2. access accounts and applications they wouldn't normally use for their daily jobs
3. e-mail former and prospective employers
4. conduct furtive instant-messaging chats
5. visit web sites that cater to disgruntled employees, such as f'dcompany.com
6. perform large downloads and file copying
7. access the network during off hours

Intrusion Techniques
- objective: to gain access or to increase privileges
- initial attacks often exploit system or software vulnerabilities
  - to execute code and obtain a backdoor, e.g. via a buffer overflow
  - or to gain protected information, e.g. by password guessing or acquisition

Intrusion Detection Systems
- classify intrusion detection systems (IDSs) as:
  - Host-based IDS: monitors the activity of a single host
  - Network-based IDS: monitors network traffic
- logical components:
  - sensors: collect data
  - analyzers: determine if an intrusion has occurred
  - user interface: manage / direct / view the IDS

IDS Principles
- assume intruder behavior differs from that of legitimate users
- expect some overlap between the two, as the slide's figure of the two behavior profiles shows
- observe deviations from past history
- problems of false positives (legitimate users flagged as intruders) and false negatives (intruders not identified); tightening the threshold to reduce one increases the other, so a compromise must be made

IDS Requirements
- run continually
- be fault tolerant
- resist subversion
- impose a minimal overhead on the system
- be configured according to system security policies
- adapt to changes in systems and users
- scale to monitor large numbers of systems
- provide graceful degradation of service
- allow dynamic reconfiguration

Host-Based IDS
- specialized software to monitor system activity to detect suspicious behavior
- primary purpose is to detect intrusions, log suspicious events, and send alerts
- can detect both external and internal intrusions
- two approaches, often used in combination:
  - anomaly detection: defines normal / expected behavior (threshold detection, profile based)
  - signature detection: defines a set of rules or attack patterns that identify known intrusive behavior

Audit Records
- a fundamental tool for intrusion detection
- two variants:
  - native audit records: provided by the O/S; always available, but may not be optimal for detection
  - detection-specific audit records: IDS specific; additional overhead, but tailored to the IDS task
- often log individual elementary actions; e.g. a record may contain fields for: subject, action, object, exception-condition, resource-usage, time-stamp

Anomaly Detection
- threshold detection
  - checks for excessive event occurrences over time
  - alone a crude and ineffective intruder detector
  - must determine both thresholds and time intervals
- profile based
  - characterize past behavior of users / groups, then detect significant deviations
  - based on analysis of audit records
  - gather metrics: counter, gauge, interval timer, resource utilization
  - analyze: mean and standard deviation, multivariate, Markov process, time series, operational model
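To make the threshold and profile-based techniques concrete, here is an added example in Python (it is not code from the slides or the textbook) that runs both over a constructed audit trail whose records carry the fields listed on the audit-record slide. The user names, the events, the limit of five failed logins within 300 seconds and the k = 3 standard-deviation rule are assumptions chosen for the illustration.

```python
"""Threshold and profile-based anomaly detection over audit records.

Added example, not from the Stallings/Brown slides. The record fields
follow the audit-record slide (subject, action, object, exception
condition, resource usage, timestamp); the sample trail, user names,
threshold values and the k-sigma rule are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

DAY = 86_400  # seconds

@dataclass(frozen=True)
class AuditRecord:
    subject: str         # user (or process) that initiated the action
    action: str          # e.g. "login", "read", "exec"
    obj: str             # object acted on: file, program, service
    exception: str       # "ok" or the condition raised, e.g. "auth-fail"
    resource_usage: int  # here: bytes transferred (0 if none)
    timestamp: int       # seconds since epoch (constructed values)

def threshold_alerts(records, action="login", exception="auth-fail",
                     limit=5, window=300):
    """Threshold detection: alert when one subject produces `limit` or
    more (action, exception) events inside any `window`-second span.
    Returns {subject: timestamp at which the alert fired}."""
    times_by_subject = defaultdict(list)
    for r in records:
        if r.action == action and r.exception == exception:
            times_by_subject[r.subject].append(r.timestamp)
    alerts = {}
    for subject, times in times_by_subject.items():
        times.sort()
        start = 0                      # sliding window over sorted times
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= limit:
                alerts[subject] = t
                break
    return alerts

def daily_metric(records, subject, action, metric):
    """Per-day value of one metric for one subject, using two of the
    slide's metric types: "counter" counts events, "resource" sums usage."""
    per_day = Counter()
    for r in records:
        if r.subject == subject and r.action == action:
            per_day[r.timestamp // DAY] += (r.resource_usage
                                            if metric == "resource" else 1)
    return dict(sorted(per_day.items()))

def profile_deviation(history, observed, k=3.0):
    """Mean and standard deviation test against the subject's own past.
    Returns (is_anomalous, z) with z the deviation in standard deviations."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:                     # flat history: any change deviates
        return observed != mu, (float("inf") if observed != mu else 0.0)
    z = (observed - mu) / sigma
    return abs(z) > k, z

def constructed_records():
    """Constructed audit trail: 'alice' reads ten files a day for a week,
    then copies ten large ones on day 7; 'bob' fails six logins in 40 s
    on day 7 and then succeeds; 'carol' mistypes her password twice."""
    recs = []
    for day, mb_per_read in enumerate([4, 5, 5, 6, 5, 4, 5, 90]):
        for i in range(10):
            recs.append(AuditRecord("alice", "read", f"/srv/docs/r{i}.pdf",
                                    "ok", mb_per_read * 1_000_000,
                                    day * DAY + 9 * 3600 + i * 600))
    base = 7 * DAY + 2 * 3600
    for i in range(6):
        recs.append(AuditRecord("bob", "login", "sshd", "auth-fail", 0,
                                base + i * 8))
    recs.append(AuditRecord("bob", "login", "sshd", "ok", 0, base + 60))
    for day in (1, 5):
        recs.append(AuditRecord("carol", "login", "sshd", "auth-fail", 0,
                                day * DAY + 100))
    return recs

def run_detection(records, current_day=7, k=3.0):
    """Run both detectors over one trail; the profile history is every
    day before `current_day`. Returns {"threshold": ..., "profile": ...}."""
    result = {"threshold": threshold_alerts(records), "profile": {}}
    for subject in sorted({r.subject for r in records if r.action == "read"}):
        for metric in ("counter", "resource"):
            series = daily_metric(records, subject, "read", metric)
            history = [v for d, v in series.items() if d < current_day]
            if len(history) < 3:       # too little history to profile
                continue
            flagged, z = profile_deviation(history, series.get(current_day, 0), k)
            if flagged:
                result["profile"][(subject, metric)] = round(z, 1)
    return result

if __name__ == "__main__":
    print(run_detection(constructed_records()))
```

Counting reads alone would miss alice's copy on day 7 (her counter stays at ten reads; only the resource metric jumps), which is why profile-based detection gathers several metric types. Carol's two failures sit far below the threshold, while bob's burst fires at the fifth failure. Lowering k catches smaller deviations at the cost of more false positives: the compromise the IDS Principles slide refers to.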

Signature Detection
- observe events on the system and apply a set of rules to decide whether a given pattern of activity is that of an intruder
- approaches:
  - rule-based anomaly detection: analyze historical audit records to derive expected behavior, then match current behavior against it
  - rule-based penetration identification: rules identify known penetrations / weaknesses, often derived by analyzing attack scripts from the Internet and supplemented with rules from security experts

Distributed Host-Based IDS (two diagram slides; the architecture figures are not reproduced in this transcription)

Network-Based IDS
- a network-based IDS (NIDS) monitors traffic at selected points on a network, in (near) real time, to detect intrusion patterns
- may examine network, transport and/or application level protocol activity directed toward systems
- comprises a number of sensors:
  - inline (possibly as part of another network device)
  - passive (monitors a copy of the traffic)

NIDS Sensor Deployment (diagram slide; figure not reproduced in this transcription)

Intrusion Detection Techniques
- signature detection at the application, transport and network layers; unexpected application services; policy violations
- anomaly detection of denial of service attacks, scanning, worms
- when a potential violation is detected, the sensor sends an alert and logs the information, which is used
  - by the analysis module to refine intrusion detection parameters and algorithms
  - by the security admin to improve protection

Distributed Adaptive Intrusion Detection (diagram slide; figure not reproduced in this transcription)

Intrusion Detection Exchange Format (diagram slide; figure not reproduced in this transcription)

Honeypots
- decoy systems filled with fabricated info and instrumented with monitors / event loggers
- divert and hold an attacker in order to collect activity info without exposing production systems
- initially were single systems; more recently are, or emulate, entire networks

Honeypot Deployment (diagram slide; figure not reproduced in this transcription)

SNORT
- lightweight IDS
- real-time packet capture and rule analysis
- passive or inline

SNORT Rules
- use a simple, flexible rule definition language: a fixed header and zero or more options
- header includes: action, protocol, source IP, source port, direction, dest IP, dest port
- many options
- example rule to detect a TCP SYN-FIN scan:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any \
        (msg:"SCAN SYN FIN"; flags:SF,12; \
        reference:arachnids,198; classtype:attempted-recon;)

  flags:SF,12 matches packets whose TCP flags are exactly SYN and FIN once the two reserved bits (1 and 2) are masked out; $EXTERNAL_NET and $HOME_NET are variables set in the Snort configuration.
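As an added example for the signature detection and SNORT rule slides (it is not Snort's own code), the following Python parses the SYN-FIN rule above into its header fields and options and matches it against a few constructed packets, implementing the flags option's exact-match and mask semantics. The $HOME_NET and $EXTERNAL_NET bindings, the packet contents and the helper and field names are assumptions for the example.

```python
"""Parse the slide's Snort rule and run it over constructed packets.

Added example, not Snort's own code. It implements only the subset of
the rule language the slide uses: the fixed header (action, protocol,
source IP, source port, direction, dest IP, dest port) and the msg,
flags, reference and classtype options. The $HOME_NET / $EXTERNAL_NET
bindings and the packets below are constructed for the example.
"""
import ipaddress
import re
from collections import namedtuple

RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"SCAN SYN FIN"; flags:SF,12; reference:arachnids,198; '
        'classtype:attempted-recon;)')

# Constructed variable bindings; in Snort these come from the config file.
VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}

# Letters of the flags option -> bits of the TCP flags byte. "1" and "2"
# are Snort's reserved bits 1 and 2 (now CWR/ECE); "SF,12" ignores them.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')

Packet = namedtuple("Packet", "proto src sport dst dport tcp_flags")
Rule = namedtuple("Rule", "action proto src sport direction dst dport options")

def parse_rule(text):
    """Split the header fields; options become keyword -> [values]."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule header")
    options = {}
    for key, val in OPTION_RE.findall(m.group("opts")):
        options.setdefault(key, []).append(val.strip().strip('"'))
    return Rule(m.group("action"), m.group("proto"), m.group("src"),
                m.group("sport"), m.group("dir"), m.group("dst"),
                m.group("dport"), options)

def addr_matches(spec, ip):
    """'any', a host or CIDR, or a $VAR, each optionally negated with '!'."""
    negate = spec.startswith("!")
    spec = VARS.get(spec.lstrip("!"), spec.lstrip("!"))
    if spec.startswith("!"):           # negation inside the variable's value
        negate, spec = not negate, spec[1:]
    hit = (spec == "any" or
           ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False))
    return hit != negate

def port_matches(spec, port):
    """'any', a single port, or a 'lo:hi' range with either end open."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def flags_match(spec, tcp_flags):
    """flags option [mod]<bits>[,<ignored bits>]: no modifier = exact match
    after masking the ignored bits; '+' all listed bits set, others don't
    care; '*' any listed bit; '!' exact match negated; '0' no flags."""
    want_part, _, ignore_part = spec.partition(",")
    modifier = ""
    if want_part and want_part[0] in "+*!":
        modifier, want_part = want_part[0], want_part[1:]
    want = sum(FLAG_BITS[c] for c in want_part if c != "0")
    ignore = sum(FLAG_BITS[c] for c in ignore_part)
    flags = tcp_flags & ~ignore & 0xFF
    if modifier == "+":
        return flags & want == want
    if modifier == "*":
        return flags & want != 0
    return (flags == want) != (modifier == "!")

def rule_matches(rule, pkt):
    """Header first (cheap), then every option this subset understands."""
    if rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
            and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    return all(flags_match(s, pkt.tcp_flags) for s in rule.options.get("flags", []))

def run_rule(rule_text, packets):
    """For each packet, the rule's msg text if the rule fires, else None."""
    rule = parse_rule(rule_text)
    msg = rule.options.get("msg", [""])[0]
    return [msg if rule_matches(rule, p) else None for p in packets]

# Constructed traffic: 203.0.113.7 probing port 22 on 10.1.2.3.
PACKETS = [
    Packet("tcp", "203.0.113.7", 40000, "10.1.2.3", 22, 0x03),  # SYN+FIN: fires
    Packet("tcp", "203.0.113.7", 40001, "10.1.2.3", 22, 0xC3),  # SYN+FIN + reserved bits: fires
    Packet("tcp", "203.0.113.7", 40002, "10.1.2.3", 22, 0x02),  # plain SYN: no
    Packet("tcp", "203.0.113.7", 40003, "10.1.2.3", 22, 0x13),  # SYN+FIN+ACK: exact match fails
    Packet("tcp", "10.5.5.5", 40004, "10.1.2.3", 22, 0x03),     # source inside $HOME_NET: no
]
```

Running `run_rule(RULE, PACKETS)` fires on the first two packets only: the reserved bits in the second are masked out by the ",12" part of the option, while the SYN+FIN+ACK packet fails because an unmodified flags option is an exact match. The fifth packet shows why the header variables matter: a SYN-FIN from inside $HOME_NET does not match $EXTERNAL_NET and is never compared against the options.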

Summary
- introduced intruders and intrusion detection: hackers, criminals, insiders
- intrusion detection approaches: host-based (single and distributed), network-based, distributed adaptive, exchange format
- honeypots
- SNORT example