Intrusion detection

25 slides, Sep 14, 2017


INTRUSION DETECTION
ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection
Mr. RAJASEKAR RAMALINGAM, Department of IT, College of Applied Sciences, Sur, Sultanate of Oman. http://vrrsekar.wixsite.com/raja
Based on William Stallings, Lawrie Brown, Computer Security: Principles and Practice, Third Edition

CONTENT
8.1 Intruders
8.2 Classes of intruders
8.3 Examples of Intrusion
8.4 Security Intrusion & Detection
8.5 Intrusion Techniques
8.6 Intrusion Detection Systems
8.7 IDS Principles
8.8 IDS Requirements
8.9 Host-Based IDS
8.10 Network-Based IDS
8.11 Intrusion Detection Exchange Format
8.12 Honeypot

8.1 INTRUDERS
A significant security problem for networked systems is unwanted trespass by users or software.
1) User trespass: unauthorized logon to a machine, acquisition of privileges, or performance of actions beyond those that have been authorized.
2) Software trespass: takes the form of a virus, worm, or Trojan horse.

8.2 Classes of intruders (table on the slide)

8.3 Examples of Intrusion
- Remote root compromise
- Web server defacement
- Guessing / cracking passwords
- Copying / viewing sensitive data / databases
- Running a packet sniffer
- Distributing pirated software
- Using an unsecured modem to access the network
- Impersonating a user to get a password reset
- Using an unattended workstation

8.4 Security Intrusion & Detection
1) Security Intrusion: a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
2) Intrusion Detection: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

8.5 Intrusion Techniques
The objective is to gain access to, or increase privileges on, a system.
Most initial attacks use system or software vulnerabilities that allow a user to execute code:
- to open a back door into the system, e.g. via a buffer overflow;
- to gain protected information, e.g. a password.
Intruder behavior patterns: hacker, criminal enterprise, internal threat.

8.5.1 Hackers
- Motivated by the thrill of access and by status
- The hacking community is a strong meritocracy: status is determined by level of competence
Hacker Patterns of Behavior (table on the slide)

8.5.2 Criminal Enterprise
- Organized groups of hackers are now a threat: corporate, government, or loosely affiliated gangs
- Typically young
- A common target is credit card data on an e-commerce server
Criminal Enterprise - Patterns of Behavior (table on the slide)

8.5.3 Insider Attacks
- Among the most difficult to detect and prevent
- Employees already have access and knowledge of the systems
Internal Threat - Patterns of Behavior (table on the slide)

8.6 Intrusion Detection Systems
Intrusion detection systems (IDSs) are classified as:
- Host-based IDS: monitors the activity of a single host
- Network-based IDS: monitors network traffic
Logical components:
- Sensors: collect data
- Analyzers: determine whether an intrusion has occurred
- User interface: manage, direct, and view the IDS

8.7 IDS Principles
- Assume that intruder behavior differs from that of legitimate users
- Expect some overlap between the two (as shown in the slide's figure)
- Observe deviations from past history
- Problems of false positives (legitimate users flagged) and false negatives (intruders missed)
- A compromise must be made: tightening the detector to catch more intruders raises the false alarm rate, and loosening it lets more intruders through

8.8 IDS Requirements (list on the slide)

8.9 Host-Based IDS
- Specialized software that monitors system activity to detect suspicious behavior
- Primary purpose is to detect intrusions, log suspicious events, and send alerts
- Can detect both external and internal intrusions
Two approaches, often used in combination:
- Anomaly detection: defines normal/expected behavior and flags deviations from it
  - Threshold detection
  - Profile based
- Signature detection: defines a set of rules or attack patterns used to decide that a given behavior is that of an intruder

8.9.1 Anomaly Detection
Threshold detection
- Checks for excessive event occurrences over time
- Alone a crude and ineffective intruder detector
- Must determine both thresholds and time intervals
Profile based
- Characterize past behavior of users / groups, then detect significant deviations
- Based on analysis of audit records
- Gather metrics: counter, gauge, interval timer, resource utilization
- Analyze: mean and standard deviation, multivariate, Markov process, time series, operational model
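Both detectors on this slide, worked through as an added example (not code from the lecture or from Stallings and Brown): a threshold detector counting one event type per user inside a sliding time window, and a profile-based detector that builds a per-user mean and standard deviation from historical audit records and flags today's value when it lies more than k standard deviations out. The audit records, the daily metric (files read per day) and the users are constructed sample data.

```python
"""Host-based anomaly detection over audit records (added example).

threshold_alerts   - count occurrences of one event type per user in a sliding
                     time window and alert when a fixed threshold is reached
build_profile /
profile_deviations - per-user (mean, standard deviation) profile from history;
                     flag a current value more than k standard deviations away
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed audit records (not real logs): (ISO timestamp, user, event, host).
SAMPLE_AUDIT = [
    ("2017-09-14T09:00:05", "alice", "LOGIN_FAIL", "ws01"),
    ("2017-09-14T09:00:09", "alice", "LOGIN_FAIL", "ws01"),
    ("2017-09-14T09:00:14", "alice", "LOGIN_FAIL", "ws01"),
    ("2017-09-14T09:00:20", "alice", "LOGIN_FAIL", "ws01"),
    ("2017-09-14T09:00:27", "alice", "LOGIN_FAIL", "ws01"),
    ("2017-09-14T09:00:31", "alice", "LOGIN_OK",   "ws01"),
    ("2017-09-14T09:15:00", "bob",   "LOGIN_FAIL", "ws02"),
    ("2017-09-14T09:15:30", "bob",   "LOGIN_OK",   "ws02"),
    ("2017-09-14T17:40:00", "bob",   "LOGIN_FAIL", "ws02"),
]

# Constructed history: files read per day over the last eight days, per user.
SAMPLE_HISTORY = {
    "alice": [40, 42, 38, 45, 41, 39, 44, 40],
    "bob":   [200, 210, 190, 205, 195, 200, 215, 185],
}
# Constructed "today" values; mallory has never appeared in the history.
SAMPLE_TODAY = {"alice": 400, "bob": 205, "mallory": 12}


def threshold_alerts(records, event="LOGIN_FAIL", threshold=5,
                     window=timedelta(minutes=5)):
    """Return (user, timestamp) for each user whose count of `event` within
    any `window` reaches `threshold`; one alert per user, at first crossing.
    Threshold and interval are the two parameters the slide says must be tuned."""
    recent = defaultdict(deque)    # user -> timestamps of `event` still in the window
    alerts, alerted = [], set()
    for ts, user, ev, _host in sorted(records):
        if ev != event:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[user]
        q.append(t)
        while t - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts))
    return alerts


def build_profile(history):
    """Per-user (mean, population standard deviation) of the daily metric."""
    return {user: (mean(values), pstdev(values)) for user, values in history.items()}


def profile_deviations(profile, today, k=3.0, min_stdev=0.5):
    """Flag users whose value today is more than k standard deviations from
    their mean. The floor on the standard deviation keeps a very regular user
    from being flagged by a tiny absolute change; a user with no profile is
    flagged separately, because an unknown subject is itself an anomaly."""
    flagged = []
    for user, value in today.items():
        if user not in profile:
            flagged.append((user, "no profile"))
            continue
        mu, sigma = profile[user]
        z = (value - mu) / max(sigma, min_stdev)
        if abs(z) > k:
            flagged.append((user, round(z, 1)))
    return flagged


if __name__ == "__main__":
    print(threshold_alerts(SAMPLE_AUDIT))
    print(profile_deviations(build_profile(SAMPLE_HISTORY), SAMPLE_TODAY))
```

With these inputs the threshold detector fires once, for alice at her fifth failed login, and the profile detector flags alice (400 files against a mean of about 41) and mallory (no profile), while bob's 205 sits well inside his normal range. The z-score test is the "mean and standard deviation" analysis from the slide; the other listed models (multivariate, Markov, time series) replace only the `profile_deviations` step.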

8.9.2 Signature Detection
Observe events on the system and apply a set of rules to decide whether they indicate an intruder.
Approaches:
- Rule-based anomaly detection: analyze historical audit records to derive rules for expected behavior, then match current behavior against them
- Rule-based penetration identification: rules identify known penetrations / weaknesses, often derived by analyzing attack scripts from the Internet and supplemented with rules from security experts
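Rule-based penetration identification, as an added example that is not part of the lecture: a handful of signature rules (directory traversal, shell command injection and SQL injection in web requests, and an interactive root login over SSH) applied to constructed web-server and sshd log lines. The rules and log lines are illustrative; the one practitioner's caveat built in is that lines are percent-decoded before matching, because an encoded request such as `%2e%2e%2f` otherwise slips past a literal `../` signature.

```python
"""Signature detection over log lines (added example).

Each Rule is a pattern for a known attack or weakness. Lines are percent-decoded
before matching so that URL-encoded variants of an attack do not evade a rule
written against the plain form. All log lines below are constructed samples.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    severity: str


RULES = [
    Rule("directory traversal",
         re.compile(r"(?:\.\./){2,}"), "high"),
    Rule("shell command injection",
         re.compile(r"[;|`]\s*(?:cat|wget|curl|nc|sh|bash)\b"), "high"),
    Rule("sql injection",
         re.compile(r"'\s*(?:or|union)\b", re.IGNORECASE), "high"),
    Rule("root login over ssh",
         re.compile(r"sshd\[\d+\]: Accepted (?:password|publickey) for root from"), "medium"),
]

# Constructed sample lines: Apache-style access log entries and one sshd syslog line.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Sep/2017:10:01:02 +0400] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [14/Sep/2017:10:01:40 +0400] "GET /cgi-bin/view?file=../../../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.9 - - [14/Sep/2017:10:01:41 +0400] "GET /cgi-bin/view?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 404 0',
    'Sep 14 10:03:40 ws01 sshd[1234]: Accepted password for root from 203.0.113.7 port 51234 ssh2',
    '10.0.0.9 - - [14/Sep/2017:10:05:12 +0400] "GET /search?q=test\' OR 1=1-- HTTP/1.1" 200 3000',
    '10.0.0.9 - - [14/Sep/2017:10:06:02 +0400] "GET /ping?host=8.8.8.8;cat%20/etc/passwd HTTP/1.1" 200 90',
]


def match_signatures(lines, rules=RULES, decode=True):
    """Return (line_no, rule_name, severity) for every rule that fires on a line.
    `decode=False` shows what happens without the normalisation step."""
    hits = []
    for n, line in enumerate(lines, 1):
        text = unquote(line) if decode else line
        for rule in rules:
            if rule.pattern.search(text):
                hits.append((n, rule.name, rule.severity))
    return hits


if __name__ == "__main__":
    for hit in match_signatures(SAMPLE_LOG):
        print(hit)
    print("encoded traversal without decoding:",
          match_signatures([SAMPLE_LOG[2]], decode=False))
```

Lines 2 through 6 each fire exactly one rule; line 1 is clean. Run with `decode=False`, line 3 (the encoded traversal) produces no hit at all, which is the gap an attacker who reads the rule set will aim for. A real rule set also needs the normalisation matched to what the target application does (double decoding, Unicode, path canonicalisation), which is why the slide notes that Internet attack scripts are a primary source of rules: they show which encodings are actually in use.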

8.10 Network-Based IDS
Network-based IDS (NIDS):
- Monitors traffic at selected points on a network
- Works in (near) real time to detect intrusion patterns
- May examine network, transport, and/or application level protocol activity directed toward systems
- Comprises a number of sensors:
  - Inline (possibly as part of another network device)
  - Passive (monitors a copy of the traffic)

8.10.1 NIDS Sensor Deployment
- Inline sensor: inserted into a network segment so that the traffic it monitors must pass through the sensor
- Passive sensor: monitors a copy of the network traffic

Sensor placement (figure on the slide)

8.10.2 NIDS - Intrusion Detection Techniques
- Signature detection at the application, transport, and network layers; also detects unexpected application services and policy violations
- Anomaly detection of denial of service attacks, scanning, and worms
- When a potential violation is detected, the sensor sends an alert and logs the information
  - Used by the analysis module to refine intrusion detection parameters and algorithms
  - Used by the security admin to improve protection
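The "anomaly detection of scanning" item, worked as an added example that is not part of the lecture: a detector over connection records of the kind a passive NIDS sensor derives from mirrored traffic. It reports a vertical scan (one source probing many ports on one host) and a horizontal sweep (one source probing one port across many hosts) within a sliding window. The flow records, hosts, ports and thresholds are all constructed assumptions.

```python
"""Port-scan and host-sweep detection over constructed flow records (added example).

A flow here is (timestamp, src_ip, dst_ip, dst_port), the minimum a sensor
needs. Per source, the detector keeps the flows seen in the last `window`
and alerts when one destination has received more than `port_threshold`
distinct ports (vertical scan) or one port has been tried on more than
`host_threshold` distinct destinations (horizontal sweep).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2017, 9, 14, 11, 0, 0)


def _at(seconds):
    return BASE + timedelta(seconds=seconds)


# Constructed sample flows (all addresses are documentation/private ranges).
SAMPLE_FLOWS = []
# benign: a workstation talking to the web server on two ports
for i in range(10):
    SAMPLE_FLOWS.append((_at(i * 6), "10.0.0.20", "10.0.0.5", 443 if i % 2 else 80))
# vertical scan: one external source probing 25 ports on one host in 5 seconds
for p in range(1, 26):
    SAMPLE_FLOWS.append((_at(30 + p * 0.2), "203.0.113.7", "10.0.0.5", p))
# horizontal sweep: one source trying port 445 on 12 hosts, one per second
for h in range(1, 13):
    SAMPLE_FLOWS.append((_at(60 + h), "198.51.100.3", f"10.0.0.{h}", 445))


def detect_scans(flows, window=timedelta(seconds=10),
                 port_threshold=20, host_threshold=10):
    """Return alerts as (kind, src_ip, target, count); one alert per
    (kind, src, target) so a long scan does not flood the console."""
    recent = defaultdict(deque)   # src -> deque of (time, dst, port) inside window
    alerts, seen = [], set()
    for t, src, dst, port in sorted(flows):
        q = recent[src]
        q.append((t, dst, port))
        while t - q[0][0] > window:
            q.popleft()
        ports_by_dst = defaultdict(set)
        hosts_by_port = defaultdict(set)
        for _, d, p in q:
            ports_by_dst[d].add(p)
            hosts_by_port[p].add(d)
        for d, ports in ports_by_dst.items():
            key = ("vertical_scan", src, d)
            if len(ports) >= port_threshold and key not in seen:
                seen.add(key)
                alerts.append(key + (len(ports),))
        for p, hosts in hosts_by_port.items():
            key = ("horizontal_scan", src, p)
            if len(hosts) >= host_threshold and key not in seen:
                seen.add(key)
                alerts.append(key + (len(hosts),))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FLOWS):
        print(alert)
```

The benign workstation never trips either rule (two ports, one host), the external source is reported as a vertical scan on reaching its twentieth port, and the sweeping source as a horizontal scan on its tenth host. The window and thresholds are the same tuning problem the host-based threshold detector has: too small a window misses a slow scan, too low a threshold flags a busy but legitimate client. A slow scan spread over hours is the classic way to stay under a window like this one, which is why production sensors keep longer-lived per-source state as well.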

8.11 Intrusion Detection Exchange Format (figure on the slide)

8.12 Honeypot
Decoy systems designed to:
- lure a potential attacker away from critical systems
- collect information about the attacker's activity
- encourage the attacker to stay on the system long enough for administrators to respond
Properties:
- filled with fabricated information that a legitimate user of the system wouldn't access
- a resource that has no production value, so any incoming communication is most likely a probe, scan, or attack, and any outbound communication suggests that the system has probably been compromised
- once attackers are within the network, administrators can observe their behavior to figure out defenses

Honeypot Classifications
Low interaction honeypot
- Consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of those services or systems
- Provides a less realistic target
- Often sufficient for use as a component of a distributed IDS to warn of imminent attack

High interaction honeypot
- A real system, with a full operating system, services, and applications, which is instrumented and deployed where it can be accessed by attackers
- A more realistic target that may occupy an attacker for an extended period
- However, it requires significantly more resources
- If compromised, it could be used to initiate attacks on other systems
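A minimal low-interaction honeypot of the kind described in 8.12 and under "Low interaction honeypot", written as an added example rather than taken from the lecture. It emulates only the opening of an SSH session: it sends a server identification string, records whatever the client sends as its own identification, and closes. Nothing authenticates and no SSH protocol is implemented, which is what keeps a low-interaction honeypot cheap and safe to expose. Because the listener has no production value, every inbound connection is recorded as a probe. The banner text, the bound address and the `probe()` client are assumptions made for the example; the client exists only to exercise the honeypot locally.

```python
"""Low-interaction SSH-banner honeypot (added example).

Emulates the first exchange of an SSH connection and nothing more. Every
connection is logged as a probe, since no legitimate user has a reason to
connect to a decoy. Use only on a host with no production role.
"""
import socket
import socketserver
import threading
from datetime import datetime, timezone

BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # assumed banner; only the string is emulated


class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(5)
        self.request.sendall(BANNER)
        try:
            data = self.request.recv(256)      # client identification string, if any
        except (socket.timeout, ConnectionError):
            data = b""
        self.server.record(self.client_address, data)
        # returning closes the connection: no further interaction is offered


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, HoneypotHandler)
        self.events = []
        self._lock = threading.Lock()

    def record(self, peer, data):
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": peer[0],
            "src_port": peer[1],
            "client_id": data.split(b"\r\n")[0].decode("ascii", "replace"),
            "verdict": "probe",   # any inbound connection to a honeypot is suspect
        }
        with self._lock:
            self.events.append(event)


def start_honeypot(host="127.0.0.1", port=0):
    """Start the listener in a background thread; port 0 picks a free port."""
    server = Honeypot((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, client_id=b"SSH-2.0-attacker_scanner\r\n"):
    """Constructed client standing in for a scanner; returns the banner it saw."""
    with socket.create_connection((host, port), timeout=5) as s:
        banner = s.recv(64)
        s.sendall(client_id)
        s.recv(64)      # returns b"" once the honeypot has recorded and closed
    return banner


if __name__ == "__main__":
    srv = start_honeypot()
    print("honeypot listening on", srv.server_address)
    print("client saw banner", probe(*srv.server_address))
    for event in srv.events:
        print(event)
    srv.shutdown()
    srv.server_close()
```

The recorded event (source address, claimed client identification, time) is what a distributed IDS would forward as the "imminent attack" warning the slide mentions. The other half of the honeypot rule, that outbound traffic from the decoy means compromise, is not something the decoy can observe about itself; it belongs in the firewall or NIDS policy for the honeypot's segment, which should alert on any egress from its address.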

Honeypot Deployment (figure on the slide)