intrusion detection principles basics models of intrusion
play

Intrusion Detection Principles Basics Models of Intrusion - PowerPoint PPT Presentation

Feb 25, 2024 •332 likes •744 views

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

  1. Intrusion Detection • Principles • Basics • Models of Intrusion Detection • Architecture of an IDS • Architecture of an IDS • Organization • Incident Response Slide #22-1 FEARLESS engineering

  2. Principles of Intrusion Detection • Characteristics of systems not under attack – User, process actions conform to statistically predictable pattern – User, process actions do not include sequences of actions that subvert the security policy actions that subvert the security policy – Process actions correspond to a set of specifications describing what the processes are allowed to do • Systems under attack do not meet at least one of these Slide #22-2 FEARLESS engineering

  3. Example • Goal: insert a back door into a system – Intruder will modify system configuration file or program – Requires privilege; attacker enters system as an unprivileged user and must acquire privilege unprivileged user and must acquire privilege • Nonprivileged user may not normally acquire privilege (violates #1) • Attacker may break in using sequence of commands that violate security policy (violates #2) • Attacker may cause program to act in ways that violate program’s specification Slide #22-3 FEARLESS engineering

  4. Basic Intrusion Detection • Attack tool is automated script designed to violate a security policy • Example: rootkit – Includes password sniffer – Designed to hide itself using Trojaned versions of – Designed to hide itself using Trojaned versions of various programs ( ps , ls , find , netstat , etc.) – Adds back doors ( login , telnetd , etc.) – Has tools to clean up log entries ( zapper, etc.) Slide #22-4 FEARLESS engineering

  5. Detection • Rootkit configuration files cause ls , du , etc. to hide information – ls lists all files in a directory • Except those hidden by configuration file – dirdump (local program to list directory entries) – dirdump (local program to list directory entries) lists them too • Run both and compare counts • If they differ, ls is doctored • Other approaches possible Slide #22-5 FEARLESS engineering

  6. Key Point • Rootkit does not alter kernel or file structures to conceal files, processes, and network connections – It alters the programs or system calls that interpret those structures those structures – Find some entry point for interpretation that rootkit did not alter – The inconsistency is an anomaly (violates #1) Slide #22-6 FEARLESS engineering

  7. Denning’s Model • Hypothesis: exploiting vulnerabilities requires abnormal use of normal commands or instructions – Includes deviation from usual actions – Includes execution of actions leading to break-ins – Includes actions inconsistent with specifications of privileged programs Slide #22-7 FEARLESS engineering

  8. Goals of IDS • Detect wide variety of intrusions – Previously known and unknown attacks – Suggests need to learn/adapt to new attacks or changes in behavior • Detect intrusions in timely fashion • Detect intrusions in timely fashion – May need to be be real-time, especially when system responds to intrusion • Problem: analyzing commands may impact response time of system – May suffice to report intrusion occurred a few minutes or hours ago Slide #22-8 FEARLESS engineering

  9. Goals of IDS • Present analysis in simple, easy-to- understand format – Ideally a binary indicator – Usually more complex, allowing analyst to examine suspected attack examine suspected attack – User interface critical, especially when monitoring many systems • Be accurate – Minimize false positives, false negatives – Minimize time spent verifying attacks, looking for them Slide #22-9 FEARLESS engineering

  10. Models of Intrusion Detection • Anomaly detection – What is usual, is known – What is unusual, is bad • Misuse detection – What is bad, is known – What is bad, is known – What is not bad, is good • Specification-based detection – What is good, is known – What is not good, is bad Slide #22-10 FEARLESS engineering

  11. Anomaly Detection • Analyzes a set of characteristics of system, and compares their values with expected values; report when computed statistics do not match expected statistics – Threshold metrics – Statistical moments – Markov model Slide #22-11 FEARLESS engineering

  12. Threshold Metrics • Counts number of events that occur – Between m and n events (inclusive) expected to occur – If number falls outside this range, anomalous • Example – Windows: lock user out after k failed sequential login attempts. Range is (0, k –1). • k or more failed logins deemed anomalous Slide #22-12 FEARLESS engineering

  13. Difficulties • Appropriate threshold may depend on non- obvious factors – Typing skill of users – If keyboards are US keyboards, and most users are French, typing errors very common are French, typing errors very common • Dvorak vs. non-Dvorak within the US Slide #22-13 FEARLESS engineering

  14. Statistical Moments • Analyzer computes standard deviation (first two moments), other measures of correlation (higher moments) – If measured values fall outside expected interval for particular moments, anomalous for particular moments, anomalous • Potential problem – Profile may evolve over time; solution is to weigh data appropriately or alter rules to take changes into account Slide #22-14 FEARLESS engineering

  15. Example: IDES • Developed at SRI International to test Denning’s model – Represent users, login session, other entities as ordered sequence of statistics < q 0, j , …, q n , j > – q (statistic i for day j ) is count or time interval – q i , j (statistic i for day j ) is count or time interval – Weighting favors recent behavior over past behavior • A k , j sum of counts making up metric of k th statistic on j th day • q k , l +1 = A k , l +1 – A k , l + 2 – rt q k , l where t is number of log entries/total time since start, r factor determined through experience Slide #22-15 FEARLESS engineering

  16. Potential Problems • Assumes behavior of processes and users can be modeled statistically – Ideal: matches a known distribution such as Gaussian or normal – Otherwise, must use techniques like clustering to – Otherwise, must use techniques like clustering to determine moments, characteristics that show anomalies, etc. • Real-time computation a problem too Slide #22-16 FEARLESS engineering

  17. Misuse Modeling • Determines whether a sequence of instructions being executed is known to violate the site security policy – Descriptions of known or potential exploits grouped into rule sets grouped into rule sets – IDS matches data against rule sets; on success, potential attack found • Cannot detect attacks unknown to developers of rule sets – No rules to cover them Slide #22-17 FEARLESS engineering

  18. Example: NFR • Built to make adding new rules easily • Architecture: – Packet sucker: read packets from network – Decision engine: uses filters to extract information – Backend: write data generated by filters to disk – Backend: write data generated by filters to disk • Query backend allows administrators to extract raw, postprocessed data from this file • Query backend is separate from NFR process Slide #22-18 FEARLESS engineering

  19. Comparison and Contrast • Misuse detection: if all policy rules known, easy to construct rulesets to detect violations – Usual case is that much of policy is unspecified, so rulesets describe attacks, and are not complete • Anomaly detection: detects unusual events, but these are not necessarily security but these are not necessarily security problems • Specification-based vs. misuse: spec assumes if specifications followed, policy not violated; misuse assumes if policy as embodied in rulesets followed, policy not violated Slide #22-19 FEARLESS engineering

  20. IDS Architecture • Basically, a sophisticated audit system – Agent like logger; it gathers data for analysis – Director like analyzer; it analyzes data obtained from the agents according to its internal rules – Notifier obtains results from director, and takes – Notifier obtains results from director, and takes some action • May simply notify security officer • May reconfigure agents, director to alter collection, analysis methods • May activate response mechanism Slide #22-20 FEARLESS engineering

  21. Agents • Obtains information and sends to director • May put information into another form – Preprocessing of records to extract relevant parts • May delete unneeded information • May delete unneeded information • Director may request agent send other information Slide #22-21 FEARLESS engineering

  22. Example • IDS uses failed login attempts in its analysis • Agent scans login log every 5 minutes, sends director for each new login attempt: – Time of failed login – Account name and entered password – Account name and entered password • Director requests all records of login (failed or not) for particular user – Suspecting a brute-force cracking attempt Slide #22-22 FEARLESS engineering

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior

Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior

Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior that characterizes intruders While avoiding improper detection of legitimate access At a reasonable cost Lecture 11 Page 1 CS 236 Online

426 views • 13 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 11 Page 1 CS 236 Online Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection

143 views • 12 slides
Intrusion Detection W enke Lee Com puter Science Departm ent Colum bia University Intrusion and

Intrusion Detection W enke Lee Com puter Science Departm ent Colum bia University Intrusion and

Intrusion Detection W enke Lee Com puter Science Departm ent Colum bia University Intrusion and Computer Security Com puter security: confidentiality, integrity, and availability Intrusion: actions to com prom ise security W hy

1.09k views • 63 slides
Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International Conference on Computing in High Energy and Nuclear Physics Outline: Introduction Threat model Intrusion prevention Intrusion detection

420 views • 16 slides
Network Intrusion Detection &amp; Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection &amp; Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection &amp; Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

432 views • 32 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

584 views • 30 slides
Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald Tripp www.kent.ac.uk Network intrusion detection Network intrusion detection systems are provided to detect the presence of various security

260 views • 12 slides
~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE

~FILE SYSTEM~ SUNU WIBIRAMA OUTLINE FILE SYSTEM ACCESS METHODS DIRECTORY STRUCTURE FILE SYSTEM MOUNTING PROTECTION EXTERNAL VIEW OF THE FILE MANAGER FILE MANAGEMENT FILE, IS A NAMED AND ORDERED COLLECTION OF INFORMATION COMPUTER SHOULD

341 views • 33 slides
Comprehensive File Management System What is FileOrbis ? How does FileOrbis work ?

Comprehensive File Management System What is FileOrbis ? How does FileOrbis work ?

Secure, Fast, Easy &amp; Comprehensive File Management System What is FileOrbis ? How does FileOrbis work ? FileOrbis with Unique Features How can FileOrbis help? Modules FileOrbis is not just a sharing platform!

463 views • 21 slides
Intelligent Infrastructure management with GOsa Benoit Mortier Leila El Hitori This work is

Intelligent Infrastructure management with GOsa Benoit Mortier Leila El Hitori This work is

Intelligent Infrastructure management with GOsa Benoit Mortier Leila El Hitori This work is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 2.0 Belgium License. Intelligent Infrastructure management with GOsa

600 views • 37 slides
Whose Bits Are They, Anyway? Access Controlled Applications Built Around AFS DJ Byrne

Whose Bits Are They, Anyway? Access Controlled Applications Built Around AFS DJ Byrne

Whose Bits Are They, Anyway? Access Controlled Applications Built Around AFS DJ Byrne djbyrne@jpl.nasa.gov Jet Propulsion Laboratory Information Services - File/Web Service Engineer http://fil.jpl.nasa.gov/ SLAC AFS Best Practices Workshop

278 views • 17 slides
Ansible Wechat Account Ansible Meetup Shanghai August 17th ansible.com wiredcraft.com

Ansible Wechat Account Ansible Meetup Shanghai August 17th ansible.com wiredcraft.com

Ansible Wechat Account Ansible Meetup Shanghai August 17th ansible.com wiredcraft.com Introduction What is Ansible? Ansible.com Gaining momentum Ansible on GitHub Very fast learning curve Python based Easy to get

375 views • 18 slides
What is Local Buzz? Local Buzz is the optimization of local listings and maps in search engines

What is Local Buzz? Local Buzz is the optimization of local listings and maps in search engines

Did you know that optimization of local listings, maps, reviews, &amp; check-in promos can help customers find you before your competitors? Local listings are increasingly used by people who are searching for products and services in their

299 views • 7 slides
3 Overview 12 Point Local SEO Checklist Additional Local SEO Reading Resources

3 Overview 12 Point Local SEO Checklist Additional Local SEO Reading Resources

Lenovo Partner Network The SEO Journey Series Local SEO Checklist Workbook 3 Overview 12 Point Local SEO Checklist Additional Local SEO Reading Resources Produced by Method Savvy Lenovo Partner Network / The SEO Journey Series

478 views • 8 slides
1

1

(()( (()(

375 views • 9 slides

More recommend