Intrusion Detection Systems (IDS)

Similar documents
Intrusion Detection Systems (IDS)

Computer Security: Principles and Practice

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Network Security. Course notes. Version

CSE 565 Computer Security Fall 2018

Intrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards.

Intruders and Intrusion Detection. Mahalingam Ramkumar

Firewalls, Tunnels, and Network Intrusion Detection

Overview Intrusion Detection Systems and Practices

Raj Jain. Washington University in St. Louis

Intruders. significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders:

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection

Intruders and Intrusion Detection. Mahalingam Ramkumar

Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

IDS: Signature Detection

Intrusion Detection. Daniel Bosk. Department of Information and Communication Systems, Mid Sweden University, Sundsvall.

Overview of Honeypot Security System for E-Banking

The GenCyber Program. By Chris Ralph

Computer Network Vulnerabilities

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

Communication Pattern Anomaly Detection in Process Control Systems

Introduction to IA Class Notes. 2 Copyright 2018 M. E. Kabay. All rights reserved. 4 Copyright 2018 M. E. Kabay. All rights reserved.

Indicate whether the statement is true or false.

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

SINGLE COURSE. NH9000 Certified Ethical Hacker 104 Total Hours. COURSE TITLE: Certified Ethical Hacker

CS Review. Prof. Clarkson Spring 2017

Information Security Controls Policy

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

Course 832 EC-Council Computer Hacking Forensic Investigator (CHFI)

Basic Concepts in Intrusion Detection

Define information security Define security as process, not point product.

Introduction to Security

Intrusion Detection Systems

2. INTRUDER DETECTION SYSTEMS

Cryptography and Network Security. Chapter 9 Intruders. Lectured by Nguyễn Đức Thái

Intrusion Detection - Snort

Unit 3 Cyber security

UMSSIA INTRUSION DETECTION

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

How AlienVault ICS SIEM Supports Compliance with CFATS

Active defence through deceptive IPS

ANATOMY OF AN ATTACK!

FRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months

CSE543 - Computer and Network Security Module: Intrusion Detection

CSE543 - Computer and Network Security Module: Intrusion Detection

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

CS 356 Operating System Security. Fall 2013

Managing an Active Incident Response Case. Paul Underwood, COO

CIH

Intrusion Detection - Snort

Network Defenses 21 JANUARY KAMI VANIEA 1

Outline. Intrusion Detection. Intrusion Detection History. Some Challenges. Network-based Host Compromises. Host-based Network Intrusion Detection

Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE, T.J.S ENGINEERING COLLEGE

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

OSSIM Fast Guide

TestBraindump. Latest test braindump, braindump actual test

RSA INCIDENT RESPONSE SERVICES

Application Whitelisting and Active Analysis Nick Levay, Chief Security Officer, Bit9

IC32E - Pre-Instructional Survey

Intrusion Detection and Prevention

Orchestrating and Automating Trend Micro TippingPoint and IBM QRadar

Honeypots. Security on Offense. by Kareem Sumner

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

CS Review. Prof. Clarkson Spring 2016

Network Security: Firewall, VPN, IDS/IPS, SIEM

FP7 NEMESYS Project: Advances on Mobile Network Security

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

IJSER. Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

Network Security. Chapter 0. Attacks and Attack Detection

Distributed Denial of Service (DDoS)

COMPUTER FORENSICS (CFRS)

Chapter 9. Firewalls

Chapter 4. Network Security. Part I

Access Controls. CISSP Guide to Security Essentials Chapter 2

Security Information & Event Management (SIEM)

CS 392 Network Security. Nasir Memon Polytechnic University Module 5 Intrusion Detection

Securing the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1.

A Review Paper on Network Security Attacks and Defences

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

COMPUTER NETWORK SECURITY

RSA INCIDENT RESPONSE SERVICES

Firewall Identification: Banner Grabbing

DEFINITIONS AND REFERENCES

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

Security Issues and Best Practices for Water Facilities

Hands-On Ethical Hacking and Network Defense 3 rd Edition

Sachin Shetty Old Dominion University April 10, Cyber Risk Scoring and Mitigation(CRISM)

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Juniper Vendor Security Requirements

Security and Authentication

Cyber Security Audit & Roadmap Business Process and

ANOMALY DETECTION IN COMMUNICTION NETWORKS

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Bayesian Learning Networks Approach to Cybercrime Detection

Anomaly Detection of Network Traffic Based on Analytical Discrete Wavelet Transform. Author : Marius SALAGEAN, Ioana FIROIU 10 JUNE /06/10

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

Transcription:

Intrusion Detection Systems (IDS) Presented by Erland Jonsson Department of Computer Science and Engineering

Intruders & Attacks Cyber criminals Activists State-sponsored organizations Advanced Persistent Threat (APTs) Others Apprentice, Journeyman, Master

Intruder Behavior Target Acquisition and Information Gathering Initial Access Privilege Escalation Information Gathering or System Exploit Maintaining Access Covering Tracks

Contents Motivation and basics (Why and what?) IDS types and detection principles Key Data Problems with IDS systems Prospects for the Future

Why Intrusion Detection?

Intrusion Detection Intrusion Detection Systems (IDS) does not (a priori) protect your system It works as burglar alarm Intrusion Detection Systems constitute a powerful complement (to basic security)

Motivation for Intrusion Detection Even it you do not succeed to stop the intrusion it is of value to know that an intrusion has indeed occurred, how it occurred and which damage that has been caused. IDS s are used for: detect intrusions and intrusion attempts give alarms stop on-going attacks (possibly) trace attackers investigate and assess the damage gather information for recovery actions

What is Intrusion Detection?

What is Security? - protection principles threat reduction boundary protection recovery service delivery THREAT SYSTEM USER SECURITY Security=Datasäkerhet DEPENDABILITY Safety=Katastrofsäkerhet

What is Security? - intrusion detection intrusion detection ALARM service delivery THREAT SYSTEM USER SECURITY DEPENDABILITY

How is detection accomplished?

Logging is the basis for ID sensors for intrusion detection Network traffic Program behaviour (system calls) What do you log? Network traffic to detect network attacks System calls to detect programs that behave suspiciously User commands to detect masquerading, i.e. when an attacker is using another user s account Logins, in order to know who was active on the system when it was attacked logins user commands

What do we want to detect Ordinary intrusions sniffing of passwords buffer overflow attacks Availability attacks (DoS, denial-of-service) are common and hard to protect against Information gathering, i.e. attacks aiming at open ports and weaknesses vulnerability and port scanning: Satan, Nmap, Nessus, OpenVAS

Components in an Intrusion Detection System control reference data Logging + data reduction analysis & detection ALERT! TARGET SYSTEM

Principles of Intrusion Detection There are two main principles: misuse detection (missbruksdetektering) - define what is wrong and give alarms for that ( default permit ) anomaly detection (avvikelsedetektering) - define what is correct and give alarms for everything else ( default deny )

Principles of Intrusion Detection The book uses another classification scheme: anomaly detection signature detection - rule-based anomaly detection, in which rules are based on historical anomalies (is really anomaly detection) - rule-based penetration identification, which largely is identical to misuse detection

IDS Systems - overview Reference data acquisition dynamic ANOMALY DETECTION? static less usual: SPECIFICATION BASED MISUSE DETECTION MISUSE DETECTION correct behaviour (default deny) unwanted behaviour (default permit) Reference for check

Key Data for IDS Systems FIGURES-OF-MERIT for IDS-systems Which attributes are interesting? no alarms should be given in the abscence of intrusions intrusion (attempts) must be detected probability of detection ( hit rate ) (upptäcktssannolikhet) rate of false positives ( false alarm rate ) (falskalarmrisk) rate of false negatives ( miss rate ) (misssannolikhet)

Key data for IDS Systems (cont d) intrusion MISS OK no intrusion OK FALSE ALARM normal state problem area!? no alarm alarm

Detection problem Classification the detection is a traditional clasification problem Separate intrusion events from normal events however, there is an overlap.. statistical distribution for normal behaviour Statistical distribution for attack behaviour? parameter

Detection methods Rule based Pattern matching Expert systems Thresholds Statistical analysis Bayesian networks Neural networks Markov models etc A D G Commercial User Customer churn Profile Change B E H Domestic User Propensity to Fraud Hot Destinations C Low Income F I Bad Debt Revenue Loss Pr{A} = 0.76 Pr{B} = 0.24 Pr{C} = 0.74 Pr{D A} = 0.27 Pr{D A} = 0.73 Pr{E A, B,x} = 0.01 Pr{E A,B, C} = 0.02 Pr{E A,B,C} = 0.04 Pr{E A,x,x} = 0.03 Pr{F B,x} = 0.00 Pr{F B, C} = 0.01 Pr{F B,C} = 0.04 Pr{G D, E} = 0.03 Pr{G D,E} = 0.72 Pr{G D,E} = 0.84 Pr{G D,E} = 0.96 Pr{H E} = 0.58 Pr{H E} = 0.42 Pr{I E, F} = 0.02 Pr{I E,F} = 0.98 Pr{I E, F} = 1 Pr{I E,F} = 1

Requirements on IDS Systems system response time (real-time behaviour?) fault tolerance (due to e.g. s/w, h/w, configuration, etc) ease of integration, usability and maintainability portability support for reference data updates (misuse systems) (cp virus programs) excess information (privacy aspects) the cost (CPU usage, memory, delays,...) host-based or network based? security of the IDS (protect the reference information)?

Problems with IDS systems

A few practical problems 1. False alarms 2. Adaptivity/Portability 3. Scalability 4. Lack of test methods 5. Privacy concerns

Problem area 1 False alarms MANY alarms If detection is 99% correct and the number of intrusions is 0.01% in the analysed information: 99% of all alarms will be false alarms! There is a trade-off between covering all attacks and the number of false alarms (False) alarm investigation is resource demanding

Base rate Fallacy Accuracy is 99% Number of attacks: 0.01% in analyzed data. attack Accuracy = TP + TN / all no attack alarm True Positive False Positive no alarm False Negative True Negative In this case: (TP+FN) / all = 0.0001 (FP+TN) / all = 0.9999

ATTACK 0.0001 NO attack 0.9999 IDS: YES 0.0001*0.99 IDS: NO 0.0001*0.01 IDS: YES 0.9999*0.01 IDS:NO 0.9999*0.99 0.000099 0.000001 0.009999 0.989901 SUM: 1

ATTACK 0.0001 NO attack 0.9999 IDS: YES 0.0001*0.99 IDS: NO 0.0001*0.01 IDS: YES 0.9999*0.01 IDS:NO 0.9999*0.99 0.000099 0.000001 0.009999 0.989901 SUM: 1 We got an alarm is it true or false?

ATTACK 0.0001 NO attack 0.9999 IDS: YES 0.0001*0.99 IDS: YES 0.9999*0.01 0.000099 0.009999 SUM: 0.010098 We got an alarm is it true or false? Remove all cases that no longer can be true.

ATTACK 0.0001 IDS: YES 0.0001*0.99 0.000099 Probability = 1% NO attack 0.9999 IDS: YES 0.9999*0.01 0.009999 Probability = 99% SUM: 0.010098 We got an alarm is it true or false? Remove all cases that no longer can be true.

Problem area 1 False alarms MANY alarms If detection is 99% correct and the number of intrusions is 0.01% in the analysed information: 99% of all alarms will be false alarms! There is a trade-off between covering all attacks and the number of false alarms (False) alarm investigation is resource demanding

Problem area 2 Adaptation/Portability You can not buy a detection system that is adapted to your computer system The services provided are often unique The user behaviour varies The adaptation of a (simple) network based IDS may require two weeks of work

Problem area 3 Scalability Network-based IDS network speeds One sensor, many sensors (office network) One sensor, many sensors (Internet of Things)

Problem area 4 Test methods there is normally no IDS specification that states what intrusions the system covers Only (?) DARPA has made a comparative study, which has been much criticized (Lincoln Lab data 1999)

A few practical problems 1. False alarms 2. Adaptivity/Portability 3. Scalability 4. Lack of test methods 5. Privacy concerns

The future

Intrusion prevention systems (IPS) Is hot right now Gartner Group report: IDS is dead, long live IPS The meaning of IPS is not well defined it is rather a commercial term The best interpretation is an IDS with some kind of response function, such as reconfiguring a firewall disrupt TCP connections discontinue services stop system calls (in runtime)

Components in an IDS with response function control reference data response policy Logging + data reduction analysis & detection response unit ALARM! TARGET SYSTEM

The future earlier detection, detection of unwanted behaviour, i.e. potential intrusion attempts, pro-active data collection more intelligent systems diversion, deflection, honey pots active countermeasures strike back!? (not to be recommend!) truly distributed systems (alert correlation) fraud detection

Future threats Threat 1: higher transmission rates make network data collection hard (or even impossible) Threat 2: increased use of encryption reduces the amount of useful data.

Future possibilities New detection methods Visualization Find patterns and anomolous behaviour Use the qualities of the human brain! Combining methods Intrusion tolerance

Honeypots A Honeypot is a decoy system, designed to lure a potential attacker. Thus, these systems are made to look like a real system, as far as possible, but they are completely faked. The goals of a honeypot are: - collecting information of attacker activity - diverting attackers (from the real system) - encourage the attacker to stay long enough on the system for the administrator to respond The honeypot can be mounted: in the internal or external network or in the DMZ

Honeypots (cont d) Honeypot are of two different types (at least): production honeypots - easy to use - gathers limited information - used by companies, etc research honeypots - complex to deploy and maintain - gathers extensive information, intended for research and long-term use - used by academia, military, governments, etc

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback