Goals of IDS
• Detect wide variety of intrusions
  – Previously known and unknown attacks
  – Suggests need to learn/adapt to new attacks or changes in behavior
• Detect intrusions in timely fashion
  – May need to be real-time, especially when system responds to intrusion
    • Problem: analyzing commands may impact response time of system
  – May suffice to report intrusion occurred a few minutes or hours ago
June 3, 2004 ECS 235 Slide #1

Goals of IDS
• Present analysis in simple, easy-to-understand format
  – Ideally a binary indicator
  – Usually more complex, allowing analyst to examine suspected attack
  – User interface critical, especially when monitoring many systems
• Be accurate
  – Minimize false positives, false negatives
  – Minimize time spent verifying attacks, looking for them

Models of Intrusion Detection
• Anomaly detection
  – What is usual, is known
  – What is unusual, is bad
• Misuse detection
  – What is bad is known
• Specification-based detection
  – We know what is good
  – What is not good is bad

Anomaly Detection
• Analyzes a set of characteristics of system, and compares their values with expected values; report when computed statistics do not match expected statistics
  – Threshold metrics
  – Statistical moments
  – Markov model

Threshold Metrics
• Counts number of events that occur
  – Between m and n events (inclusive) expected to occur
  – If number falls outside this range, anomalous
• Example
  – Windows: lock user out after k failed sequential login attempts. Range is (0, k–1).
    • k or more failed logins deemed anomalous

Difficulties
• Appropriate threshold may depend on non-obvious factors
  – Typing skill of users
  – If keyboards are US keyboards, and most users are French, typing errors very common
    • Dvorak vs. non-Dvorak within the US

Statistical Moments
• Analyzer computes standard deviation (first two moments), other measures of correlation (higher moments)
  – If measured values fall outside expected interval for particular moments, anomalous
• Potential problem
  – Profile may evolve over time; solution is to weigh data appropriately or alter rules to take changes into account

Example: IDES
• Developed at SRI International to test Denning’s model
  – Represent users, login session, other entities as ordered sequence of statistics <q_{0,j}, …, q_{n,j}>
  – q_{i,j} (statistic i for day j) is count or time interval
  – Weighting favors recent behavior over past behavior
    • A_{k,j} is sum of counts making up metric of kth statistic on jth day
    • q_{k,l+1} = A_{k,l+1} – A_{k,l} + 2^{–rt} q_{k,l}, where t is number of log entries/total time since start, r factor determined through experience

Example: Haystack
• Let A_n be nth count or time interval statistic
• Defines bounds T_L and T_U such that 90% of values for A_i’s lie between T_L and T_U
• Haystack computes A_{n+1}
  – Then checks that T_L ≤ A_{n+1} ≤ T_U
  – If false, anomalous
• Thresholds updated
  – A_i can change rapidly; as long as thresholds met, all is well

Potential Problems
• Assumes behavior of processes and users can be modeled statistically
  – Ideal: matches a known distribution such as Gaussian or normal
  – Otherwise, must use techniques like clustering to determine moments, characteristics that show anomalies, etc.
• Real-time computation a problem too
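The IDES update rule and the Haystack threshold check from the slides above, carried through on constructed daily login counts. This is an added example, not code from the lecture or from the IDES/Haystack projects; r = 1, t = 1 and the starting value q_{k,0} = A_{k,0} are assumptions, as is the nearest-rank percentile used to place T_L and T_U.

```python
# IDES recurrence and Haystack thresholds as described on the slides.
# Added example; r, t and the starting value of the statistic are assumed.

def ides_update(q_prev, a_new, a_prev, r=1.0, t=1.0):
    """One step of the IDES recurrence from the slide:
    q_{k,l+1} = A_{k,l+1} - A_{k,l} + 2^(-r t) q_{k,l}.
    The factor 2^(-rt) makes recent days outweigh older ones."""
    return a_new - a_prev + 2 ** (-r * t) * q_prev

def ides_series(daily_counts, r=1.0, t=1.0):
    """Run the recurrence over the daily counts A_{k,0..n} of one statistic."""
    q = [float(daily_counts[0])]            # assumed starting point q_{k,0}
    for a_prev, a_new in zip(daily_counts, daily_counts[1:]):
        q.append(ides_update(q[-1], a_new, a_prev, r, t))
    return q

def haystack_bounds(history, coverage_pct=90):
    """Haystack thresholds T_L, T_U: cut (100 - coverage)/2 percent of the
    observed values off each tail (nearest-rank percentiles), so that at
    least coverage_pct percent of the history lies in [T_L, T_U]."""
    s, n = sorted(history), len(history)
    tail_pct = (100 - coverage_pct) // 2
    lo = max(-(-tail_pct * n // 100) - 1, 0)             # ceil division
    hi = min(-(-(100 - tail_pct) * n // 100) - 1, n - 1)
    return s[lo], s[hi]

def haystack_is_anomalous(history, a_next, coverage_pct=90):
    """A_{n+1} outside [T_L, T_U] is anomalous; inside, all is well."""
    t_l, t_u = haystack_bounds(history, coverage_pct)
    return not (t_l <= a_next <= t_u)

# Constructed sample: one user's successful logins per day over 20 days.
LOGINS_PER_DAY = [14, 17, 15, 16, 13, 18, 15, 14, 16, 17,
                  15, 19, 14, 16, 15, 17, 13, 16, 15, 40]

if __name__ == "__main__":
    print("IDES q:", ides_series([10, 12, 11, 30]))         # [10.0, 7.0, 2.5, 20.25]
    print("Haystack T_L, T_U:", haystack_bounds(LOGINS_PER_DAY))  # (13, 19)
    for a in (16, 25):
        verdict = "anomalous" if haystack_is_anomalous(LOGINS_PER_DAY, a) else "ok"
        print(f"A_(n+1) = {a}: {verdict}")
```

With r = 1 and t = 1 the decay factor is 2^(-1) = 0.5, so a day's contribution to q halves each day; the one outlier in the constructed history (40) falls outside the 90% band and so does not widen it.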

Markov Model
• Past state affects current transition
• Anomalies based upon sequences of events, and not on occurrence of single event
• Problem: need to train system to establish valid sequences
  – Use known, training data that is not anomalous
  – The more training data, the better the model
  – Training data should cover all possible normal uses of system

Example: TIM
• Time-based Inductive Learning
• Sequence of events is abcdedeabcabc
• TIM derives following rules:
  – R1: ab → c (1.0)
  – R2: c → d (0.5)
  – R3: c → a (0.5)
  – R4: d → e (1.0)
  – R5: e → a (0.5)
  – R6: e → d (0.5)
• Seen: abd; triggers alert
  – c always follows ab in rule set
• Seen: acf; no alert as multiple events can follow c
  – May add rule R7: c → f (0.33); adjust R2, R3
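The TIM example above, reproduced in code: rule probabilities are derived from the training sequence, abd raises an alert because ab has a single successor, and acf adds c → f and rescales R2 and R3 to 0.33. This is an added example, not TIM's own code; the slide does not say how TIM picks its antecedents, so the set (ab, c, d, e) is supplied here as an assumption.

```python
from collections import Counter

# Training sequence and rule antecedents from the TIM slide. Which antecedents
# TIM itself selects is not stated there, so they are given explicitly here.
TRAINING = "abcdedeabcabc"
ANTECEDENTS = ("ab", "c", "d", "e")

def count_successors(events, antecedents):
    """For each antecedent, count the event that follows each occurrence."""
    counts = {a: Counter() for a in antecedents}
    for a in antecedents:
        for i in range(len(events) - len(a)):
            if events[i:i + len(a)] == a:
                counts[a][events[i + len(a)]] += 1
    return counts

def rules_from_counts(counts):
    """Rules 'antecedent -> event (probability)', probability = count / total."""
    return {a: {e: n / sum(c.values()) for e, n in c.items()}
            for a, c in counts.items() if c}

def check_sequence(counts, observed, learn=True):
    """Replay an observed sequence against the current rules.
    Returns (alerts, learned). An alert fires when the longest matching
    antecedent has a single successor (probability 1.0) and the observed
    event differs. When several successors are already known, the new event
    is added as a rule instead (if learn=True), adjusting the probabilities."""
    alerts, learned = [], []
    for i in range(1, len(observed)):
        rules = rules_from_counts(counts)
        matches = [a for a in rules if observed[:i].endswith(a)]
        if not matches:
            continue
        a, nxt = max(matches, key=len), observed[i]
        if nxt in rules[a]:
            continue
        if len(rules[a]) == 1:                 # deterministic rule violated
            alerts.append((a, nxt, i))
        elif learn:                            # e.g. adds R7: c -> f (0.33)
            counts[a][nxt] += 1
            learned.append((a, nxt))
    return alerts, learned

if __name__ == "__main__":
    counts = count_successors(TRAINING, ANTECEDENTS)
    for a, rs in rules_from_counts(counts).items():
        print(a, "->", {e: round(p, 2) for e, p in rs.items()})
    print("abd:", check_sequence(counts, "abd"))   # alert: ab -> c expected
    print("acf:", check_sequence(counts, "acf"))   # no alert, learns c -> f
```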

Sequences of System Calls
• Forrest: define normal behavior in terms of sequences of system calls (traces)
• Experiments show it distinguishes sendmail and lpd from other programs
• Training trace is: open read write open mmap write fchmod close
• Produces following database:

Traces
open    read write open
        mmap write fchmod
read    write open mmap
write   open mmap write
        fchmod close
mmap    write fchmod close
fchmod  close
close
• Trace is: open read read open mmap write fchmod close

Analysis
• Differs in 5 places:
  – Second read should be write (first open line)
  – Second read should be write (read line)
  – Second open should be write (read line)
  – mmap should be write (read line)
  – write should be mmap (read line)
• 18 possible places of difference
  – Mismatch rate 5/18 ≈ 28%

Derivation of Statistics
• IDES assumes Gaussian distribution of events
  – Experience indicates not right distribution
• Clustering
  – Does not assume a priori distribution of data
  – Obtain data, group into subsets (clusters) based on some property (feature)
  – Analyze the clusters, not individual data points
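The database construction and trace comparison from the two slides above, as an added example (not code from the lecture or from Forrest's group): for each call it records the calls seen at each lookahead position 1..3 during training, which is the information the Traces table holds, then counts positions in the second trace never seen at that lookahead, reproducing 5 mismatches out of 18. It also handles a call that never appeared in training, which the slides do not cover.

```python
# Forrest-style system-call trace comparison. Added example, not code from
# the lecture; the two traces are the ones on the slides.
TRAINING_TRACE = "open read write open mmap write fchmod close".split()
TEST_TRACE = "open read read open mmap write fchmod close".split()

def build_database(trace, window=3):
    """Normal-behaviour database: for every call, the set of calls observed at
    each lookahead position 1..window after it in the training trace.
    (The slide's Traces table lists the same information row by row.)"""
    db = {}
    for i, call in enumerate(trace):
        for k in range(1, window + 1):
            if i + k < len(trace):
                db.setdefault(call, {}).setdefault(k, set()).add(trace[i + k])
    return db

def count_mismatches(db, trace, window=3):
    """Compare a trace with the database.
    Returns (mismatches, positions_checked, details). Every call/lookahead pair
    that falls inside the trace is one checked position; it is a mismatch when
    the call seen there never followed this call at that lookahead in training.
    A call absent from the database mismatches at every lookahead."""
    mismatches, checked, details = 0, 0, []
    for i, call in enumerate(trace):
        for k in range(1, window + 1):
            if i + k >= len(trace):
                break
            checked += 1
            seen = db.get(call, {}).get(k, set())
            if trace[i + k] not in seen:
                mismatches += 1
                details.append((i, call, k, trace[i + k], sorted(seen)))
    return mismatches, checked, details

def mismatch_rate(db, trace, window=3):
    """Fraction of checked positions that mismatch (5/18 ~ 28% on the slide)."""
    m, n, _ = count_mismatches(db, trace, window)
    return m / n if n else 0.0

if __name__ == "__main__":
    db = build_database(TRAINING_TRACE)
    m, n, details = count_mismatches(db, TEST_TRACE)
    for i, call, k, got, expected in details:
        print(f"pos {i} {call}: +{k} saw {got}, trained on {expected}")
    print(f"{m} mismatches in {n} places, rate {mismatch_rate(db, TEST_TRACE):.0%}")
```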

Example: Clustering
proc  user    value  percent  clus#1  clus#2
p1    matt    359    100%     4       2
p2    holly   10     3%       1       1
p3    heidi   263    73%      3       2
p4    steven  68     19%      1       1
p5    david   133    37%      2       1
p6    mike    195    54%      3       2
• Clus#1: break into 4 groups (25% each); 2, 4 may be anomalous (1 entry each)
• Clus#2: break into 2 groups (50% each)

Finding Features
• Which features best show anomalies?
  – CPU use may not, but I/O use may
• Use training data
  – Anomalous data marked
  – Feature selection program picks features, clusters that best reflect anomalous data

Example
• Analysis of network traffic for features enabling classification as anomalous
• 7 features
  – Index number
  – Length of time of connection
  – Packet count from source to destination
  – Packet count from destination to source
  – Number of data bytes from source to destination
  – Number of data bytes from destination to source
  – Expert system warning of how likely an attack

Feature Selection
• 3 types of algorithms used to select best feature set
  – Backwards sequential search: assume full set, delete features until error rate minimized
    • Best: all features except index (error rate 0.011%)
  – Beam search: order possible clusters from best to worst, then search from best
  – Random sequential search: begin with random feature set, add and delete features
    • Slowest
    • Produced same results as other two

Results
• If following features used:
  – Length of time of connection
  – Number of packets from destination
  – Number of data bytes from source
  classification error less than 0.02%
• Identifying type of connection (like SMTP)
  – Best feature set omitted index, number of data bytes from destination (error rate 0.007%)
  – Other types of connections done similarly, but used different sets

Misuse Modeling
• Determines whether a sequence of instructions being executed is known to violate the site security policy
  – Descriptions of known or potential exploits grouped into rule sets
  – IDS matches data against rule sets; on success, potential attack found
• Cannot detect attacks unknown to developers of rule sets
  – No rules to cover them

Example: IDIOT
• Event is a single action, or a series of actions resulting in a single record
• Five features of attacks:
  – Existence: attack creates file or other entity
  – Sequence: attack causes several events sequentially
  – Partial order: attack causes 2 or more sequences of events, and events form partial order under temporal relation
  – Duration: something exists for interval of time
  – Interval: events occur exactly n units of time apart

IDIOT Representation
• Sequences of events may be interlaced
• Use colored Petri nets to capture this
  – Each signature corresponds to a particular CPA
  – Nodes are tokens; edges, transitions
  – Final state of signature is compromised state
• Example: mkdir attack
  – Edges protected by guards (expressions)
  – Tokens move from node to node as guards satisfied
