intrusion detection
play

Intrusion Detection Distributed Host-Based Network-Based ITS335: - PowerPoint PPT Presentation

Aug 17, 2022 •281 likes •583 views

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

  1. ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October 2013 its335y13s2l07, Steve/Courses/2013/s2/its335/lectures/intrusion.tex, r2958 1/30

  2. ITS335 Intruders and Intrusion Detection Intrusion Detection ◮ Attacks will occur Intruders ◮ Successful attacks allow intruders to gain unauthorised Intrusion Detection access to resources Host-Based Distributed ◮ Often cheaper to prevent some attacks and detect the Host-Based rest Network-Based ◮ Intrusion Detection Systems (IDS) aim to detect attacks Honeypots Summary ◮ Monitor and analyse system events to find, log and warn of intrusions ◮ Response from a detected attack may be technical or legal 2/30

  3. ITS335 Contents Intrusion Detection Intruders Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based Host-Based Intrusion Detection Honeypots Summary Distributed Host-Based Intrusion Detection Network-Based Intrusion Detection Honeypots Summary 3/30

  4. ITS335 Types of Intruders Intrusion Detection Masquerader someone who is not authorised to use system Intruders and penetrates access controls to exploit a legitimate Intrusion Detection user’s account; outsider Host-Based Misfeasor legitimate user who accesses resources they are Distributed Host-Based not authorised to, or misuses privileges; insider Network-Based Clandestine user takes administrator control of system and Honeypots uses it to evade detection and access controls; insider Summary or outside 4/30

  5. ITS335 Examples of Intrusion Intrusion Detection ◮ Remote root/administrator compromise of server Intruders ◮ Defacing a web server Intrusion Detection ◮ Guessing/obtaining passwords Host-Based Distributed ◮ Copying databases containing private information, e.g. Host-Based credit card numbers Network-Based Honeypots ◮ Viewing sensitive data, e.g. payroll records, medical Summary information ◮ Capturing network packets to obtain usernames and passwords ◮ Using computer resources to distribute inappropriate/illegal material ◮ Posing as other people (e.g. executive, help-desk) to gain passwords ◮ Using unattended, logged-in computer without permission 5/30

  6. ITS335 Intruder Behaviour Intrusion Detection Cracker Intruders Intrusion Detection ◮ Motivated by thrill of access and/or status Host-Based ◮ Look for open targets; may share information with Distributed Host-Based others Network-Based ◮ Use security flaws in software to gain access Honeypots ◮ IDS and IPS are very useful Summary Criminal Enterprise ◮ Motivated by financial reward and/or political/religious ideologies ◮ Corporations, government funded, gangs ◮ Specific targets; avoid publicity ◮ Use security flaws and social engineering to gain access ◮ IDS and IPS are useful 6/30

  7. ITS335 Intruder Behaviour Intrusion Detection Internal Threat Intruders Intrusion Detection ◮ Motivated by revenge and/or entitlement Host-Based ◮ Have access to system; difficult to detect Distributed Host-Based ◮ Internal security mechanisms are useful: least privilege, Network-Based strong authentication, log and auditing, employee Honeypots termination policies Summary 7/30

  8. ITS335 Intrusion Techniques Intrusion Detection Aim: gain access to system or increase privileges on system Intruders Exploit flaws in software Intrusion Detection Host-Based ◮ Bugs in software that allow execution of code by Distributed Host-Based intruder Network-Based ◮ Solution: keep track of vulnerabilities (CERT); regular Honeypots software updates Summary Acquire protected information ◮ Passwords guessing or cracking ◮ Social engineering attacks ◮ Solution: appropriate technologies, policies and education for confidential information 8/30

  9. ITS335 Contents Intrusion Detection Intruders Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based Host-Based Intrusion Detection Honeypots Summary Distributed Host-Based Intrusion Detection Network-Based Intrusion Detection Honeypots Summary 9/30

  10. ITS335 Intrusion Detection Systems Intrusion Detection Types Intruders Intrusion Detection Host-based monitor characteristics of a single computer Host-Based Distributed host-based monitor characteristics on set of Distributed Host-Based computers, with central module detecting intrusions Network-Based Network-based monitor network traffic to identify suspicious Honeypots activity Summary Common Components Sensors collect data, e.g. packets, log files, system call traces Analysers received collected data, analyse it and determine if intrusion User Interface allow user to view output and control behaviour of IDS 10/30

  11. ITS335 IDS Principles Intrusion Detection Assume intruder behaviour is different from that of Intruders legitimate users Intrusion Detection Host-Based Distributed Host-Based Network-Based Honeypots Summary Credit: Figure 8.1 in Stallings and Brown, Computer Security , 2nd Ed., Pearson 2012 False positives: legitimate user identified as intruder False negative: intruder not identified 11/30

  12. ITS335 IDS Requirements Intrusion Detection ◮ Run continually with minimal human supervision Intruders ◮ Recover from system restart/crashes Intrusion Detection ◮ Monitor itself and detect attacks on itself Host-Based Distributed ◮ Impose minimal overhead on system Host-Based ◮ Configurable according to system security policies Network-Based Honeypots ◮ Adapt to system and user behaviour changes over time Summary ◮ Scale to monitor large number of hosts ◮ Still (partially) work if some components stop working 12/30

  13. ITS335 Contents Intrusion Detection Intruders Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based Host-Based Intrusion Detection Honeypots Summary Distributed Host-Based Intrusion Detection Network-Based Intrusion Detection Honeypots Summary 13/30

  14. ITS335 Host-Based IDS Intrusion Detection ◮ Special layer of software to protect vulnerable systems Intruders ◮ Primary purpose: detect intrusions, log suspicious Intrusion Detection events, send alerts Host-Based Distributed ◮ May be able to stop attacks if detected early Host-Based ◮ Can detect both internal and external attacks Network-Based Honeypots Summary 14/30

  15. ITS335 Anomaly vs Signature Detection Intrusion Detection Anomaly Detection Intruders Intrusion Detection ◮ Compare observed behaviour against previously Host-Based collected normal behaviour Distributed Host-Based ◮ Threshold detection: thresholds based on frequency of Network-Based occurrence of events, independent of user Honeypots ◮ Profile-based: profiles of users created and compared Summary against Signature Detection ◮ Define behaviour or attacks by set of rules or patterns; compare observed behaviour against rules/patterns ◮ Rule-based anomaly detection: define rules based on past observed normal behaviour ◮ Rule-based penetration identification: define rules based on attacks 15/30

  16. ITS335 Audit Records Intrusion Detection Native Intruders Intrusion Detection ◮ Most operating systems have logs of software and user Host-Based activity Distributed Host-Based ◮ Advantage: no additional collection software needed Network-Based ◮ Disadvantage: information may not contain all needed Honeypots information or in inconvenient form Summary Detection-specific ◮ Records generated specifically for IDS ◮ Advantage: may work on different systems ◮ Disadvantage: extra overhead in collecting information 16/30

  17. ITS335 Example Measures for Intrusion Detection Intrusion Detection Intruders Login and Session Activity Intrusion Detection Measure Type of Intrusion Detected Host-Based Login frequency by day and time Intruders may be likely to log in during off hours Frequency of login at different Intruders may log in from a location that a particular user never Distributed locations uses Host-Based Time since last login Break-in on a “dead” account Elapsed time per sessions Significant deviations might indicate masquerader Network-Based Quantity of output to location Excessive amounts of data transmitted to remote locations could signify leakage of sensitive data Honeypots Session resource utilisation Unusual processor or I/O levels could signal intruder Summary Password failures at login Attempted break-in by password guessing Failures to login from specified Attempted break-in terminals Command or Program Execution Activity Execution frequency Detect intruders based on their use of different commands Program resource utilisation Increased processor utilisation or I/O may indicate virus/Trojan Execution denials May detect attempt by user seeking higher privileges File Access Activity Read, write, create, delete frequency Abnormal values may indicate masquerading Records read, written Abnormal values may indicate attempt to obtain sensitive data Failure count for read, write May detect users who persistently attempt to access create, delete unauthorised files 17/30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 11 Page 1 CS 236 Online Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection

143 views • 12 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

432 views • 32 slides
Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International Conference on Computing in High Energy and Nuclear Physics Outline: Introduction Threat model Intrusion prevention Intrusion detection

420 views • 16 slides
Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald Tripp www.kent.ac.uk Network intrusion detection Network intrusion detection systems are provided to detect the presence of various security

260 views • 12 slides
Automobile Intrusion Detection Jun Li Twitter @bravo_fighter UnicornTeam Qihoo360 2 What

Automobile Intrusion Detection Jun Li Twitter @bravo_fighter UnicornTeam Qihoo360 2 What

Automobile Intrusion Detection Jun Li Twitter @bravo_fighter UnicornTeam Qihoo360 2 What this talk is about? Automotive intrusion detection Automotive cyber-security architecture From the highest viewpoint J 3 Outline Quick

926 views • 63 slides
Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS

Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS

Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS 136, Fall 2014 Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection systems Lecture 11

737 views • 63 slides
Targeted Attacks: Analysis and Investigation Building Trust in the Information Age Summer School

Targeted Attacks: Analysis and Investigation Building Trust in the Information Age Summer School

Targeted Attacks: Analysis and Investigation Building Trust in the Information Age Summer School on Computer Security & Privacy 16th of September 2014 Dr. Marco Balduzzi Course Outline Who am I and research in the industry Target

811 views • 56 slides
Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security

Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security

Preparing for the Unthinkable Cyber Security Chicago 2018 Agenda Introduction Security Landscape Meraki Security Demo Security Landscape The Growing Importance of Security MALWARE HAS RISEN BY MORE THAN 10X IN THE LAST YEAR 70% M ALW AR E

604 views • 35 slides
Empirical Analysis and Statistical Modelling of Attack Processes based on Honeypots M. Kaniche

Empirical Analysis and Statistical Modelling of Attack Processes based on Honeypots M. Kaniche

Empirical Analysis and Statistical Modelling of Attack Processes based on Honeypots M. Kaniche 1 , E. Alata 1 , V.Nicomette 1 , Y. Deswarte 1 , M. Dacier 2 LAAS-CNRS 1 , Eurecom 2 Mohamed.Kaaniche@laas.fr ACI Scurit &

409 views • 17 slides
E-mail trends in 2010: How do spammers get your address? Using distributed poisoned addresses to

E-mail trends in 2010: How do spammers get your address? Using distributed poisoned addresses to

Motivation How E-mail works Conventional Wisdom Previous Work Implementation Results Conclusion E-mail trends in 2010: How do spammers get your address? Using distributed poisoned addresses to track harvesting behavior Robert Marmorstein

447 views • 17 slides
Great Fires in Raleigh Mike Legeros Presenter Information Day Job: Software company,

Great Fires in Raleigh Mike Legeros Presenter Information Day Job: Software company,

Raleigh Fire Department Historical Society www.raleighfirehistory.org Great Fires in Raleigh Mike Legeros Presenter Information Day Job: Software company, member of web team. Former Raleigh firefighter Fighting Fires

448 views • 18 slides
HoseGoes Orange B Sketch Model Review Slide 1 Introduction Slide 2 Approaches for finding fire

HoseGoes Orange B Sketch Model Review Slide 1 Introduction Slide 2 Approaches for finding fire

HoseGoes Orange B Sketch Model Review Slide 1 Introduction Slide 2 Approaches for finding fire hose in low visibility Sound Light Touch Directionality guider on hose Lead out of building Slide 3 Engineering

494 views • 11 slides
Comparison of Garden Hose complexity with communication and circuit complexities Mikhail

Comparison of Garden Hose complexity with communication and circuit complexities Mikhail

. . . . .. . . .. . . .. . . .. . .. . . . .. . . .. . . .. . Comparison of Garden Hose complexity with communication and circuit complexities Mikhail Dektyarev .. . .. . . . .. . . .. . . .. . . .. .

423 views • 21 slides
On the control of a multirobot system for an elastic hose Zelmar Echegoyen, Alicia dAnjou,

On the control of a multirobot system for an elastic hose Zelmar Echegoyen, Alicia dAnjou,

On the control of a multirobot system for an elastic hose Zelmar Echegoyen, Alicia dAnjou, Manuel Graa Computational Intelligence Group, Universidad del Pais Vasco www.ehu.es/ccwintco ICONIP 2008, Auckland New Zealand, november 26, 2008

513 views • 32 slides

More recommend