outline
play

Outline Introduction Intrusion Detection Characteristics of - PDF document

Apr 12, 2023 •427 likes •537 views

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

  1. Outline • Introduction Intrusion Detection • Characteristics of intrusion detection CS 236 systems Computer Software • Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007 CS 236, Winter 2007 Introduction Intrusion Detection • Many mechanisms exist for protecting • Work from the assumption that sooner systems from intruders or later your security measures will fail –Access control, firewalls, • Try to detect the improper behavior of authentication, etc. the intruder who has defeated your security • They all have one common characteristic: • Inform the system or system administrators to take action –They don’t always work Lecture 14 Lecture 14 Page 3 Page 4 CS 236, Winter 2007 CS 236, Winter 2007 Why Intrusion Detection? For Example, • If we can detect bad things, can’t we • Your intrusion detection system regards setting uid on root executables as suspicious simply prevent them? • Possibly not: – Yet the system must allow the system administrator to do so –May be too expensive • If the system detects several such events, it –May involve many separate becomes suspicious operations – And reports the problem –May involve things we didn’t foresee Lecture 14 Lecture 14 Page 5 Page 6 CS 236, Winter 2007 CS 236, Winter 2007 1

  2. Couldn’t the System Just Have Intrusions Stopped This? • Perhaps, but - • “any set of actions that attempt to compromise the integrity, • The real problem was that someone got confidentiality, or availability of a root access resource” 1 –The changing of setuid bits was just • Which covers a lot of ground a symptom –Implying they’re hard to stop • And under some circumstances the behavior is legitimate 1 Heady, Luger, Maccabe, and Servilla, “The Architecture of a Network Level Intrusion Detection System,” Tech Report, U. of New Mexico, 1990. Lecture 14 Lecture 14 Page 7 Page 8 CS 236, Winter 2007 CS 236, Winter 2007 Is Intrusion Really a Problem? The NetRanger Data • Is intrusion detection worth the • Gathered during 5 months of 1997 trouble? • From all of NetRanger’s licensed • Yes, at least for some installations customers • Consider the experience of NetRanger • A reliable figure, since the software intrusion detection users reports incidents to the company Lecture 14 Lecture 14 Page 9 Page 10 CS 236, Winter 2007 CS 236, Winter 2007 NetRanger’s Results Kinds of Attacks Seen • 556,464 security alarms in 5 months • Often occurred in waves • Some serious, some not –When someone published code for a – “Serious” defined as attempting to gain particular attack, it happened a lot unauthorized access –Because of “Script Kiddies” • For NetRangercustomers, serious attacks • 100% of web attacks were on web occurred .5 to 5 times per month commerce sites – Electronic commerce sites hit most Lecture 14 Lecture 14 Page 11 Page 12 CS 236, Winter 2007 CS 236, Winter 2007 2

  3. Where Did Attacks Come From? Kinds of Intrusions • Just about everywhere • External intrusions • 48% from ISPs • Internal intrusions • But also attacks from major companies, business partners, government sites, universities, etc. • 39% from outside US –Only based on IP address, though Lecture 14 Lecture 14 Page 13 Page 14 CS 236, Winter 2007 CS 236, Winter 2007 External Intrusions Internal Intrusions • An authorized user trying to gain • What most people think of privileges beyond those he is entitled • An unauthorized (usually remote) user to trying to illicitly access your system • No longer the majority of problems • Using various security vulnerabilities –But often the most serious ones to break in • More dangerous, because insiders have • The typical case of a hacker attack a foothold and know more Lecture 14 Lecture 14 Page 15 Page 16 CS 236, Winter 2007 CS 236, Winter 2007 Basics of Intrusion Detection Intrusion Detection and Logging • A natural match • Watch what’s going on in the system • The intrusion detection system • Try to detect behavior that examines the log characterizes intruders –Which is being kept, anyway • While avoiding improper detection of • Secondary benefits of using the legitimate access intrusion detection system to reduce • Hopefully all at a reasonable cost the log Lecture 14 Lecture 14 Page 17 Page 18 CS 236, Winter 2007 CS 236, Winter 2007 3

  4. On-Line Vs. Off-Line Intrusion Failures In Intrusion Detection Detection • False positives • Intrusion detection mechanisms can be – Legitimate activity identified as an complicated and heavy-weight intrusion • Perhaps better to run them off-line • False negatives –E.g., at nighttime – An intrusion not noticed • Subversion errors • Disadvantage is that you don’t catch – Attacks on the intrusion detection system intrusions as they happen Lecture 14 Lecture 14 Page 19 Page 20 CS 236, Winter 2007 CS 236, Winter 2007 Desired Characteristics in Host Intrusion Detection Intrusion Detection • Continuously running • Run the intrusion detection system on a • Fault tolerant single computer • Subversion resistant • Look for problems only on that • Minimal overhead computer • Must observe deviations • Easily tailorable • Often by examining the logs of the • Evolving computer • Difficult to fool Lecture 14 Lecture 14 Page 21 Page 22 CS 236, Winter 2007 CS 236, Winter 2007 Advantages of the Host Network Intrusion Detection Approach • Lots of information to work with • Do the same for a local (or wide) area network • Only need to deal with problems on one machine • Either by using distributed systems techniques • Can get information in readily understandable form • Or (more commonly) by sniffing network traffic Lecture 14 Lecture 14 Page 23 Page 24 CS 236, Winter 2007 CS 236, Winter 2007 4

  5. Advantages of Network Network Intrusion Detection and Approach Data Volume • Need not use up any resources on • Lots of information passes on the users’ machines network • Easier to properly configure for large • If you grab it all, you will produce vast installations amounts of data • Can observe things affecting multiple • Which will require vast amounts of machines time to process Lecture 14 Lecture 14 Page 25 Page 26 CS 236, Winter 2007 CS 236, Winter 2007 Network Intrusion Detection and Styles of Intrusion Detection Sensors • Misuse intrusion detection • Use programs called sensors to grab only relevant data – Try to detect things known to be bad • Anomaly intrusion detection • Sensors quickly examine network traffic – Try to detect deviations from normal – Record the relevant stuff behavior – Discard the rest • Specification intrusion detection • If you design sensors right, greatly reduces – Try to detect deviations from defined the problem of data volume “good states” Lecture 14 Lecture 14 Page 27 Page 28 CS 236, Winter 2007 CS 236, Winter 2007 Misuse Detection Level of Misuse Detection • Could look for specific attacks • Determine what actions are undesirable – E.g., Syn attacks or IP spoofing • Watch for those to occur • But that only detects already-known attacks • Signal an alert when they happen • Better to also look for known suspicious behavior • Often referred to as signature detection – Like trying to become root – Or changing file permissions Lecture 14 Lecture 14 Page 29 Page 30 CS 236, Winter 2007 CS 236, Winter 2007 5

  6. Pluses and Minuses of Misuse How Is Misuse Detected? Detection • By examining logs + Few false positives – Only works after the fact + Simple technology • By monitoring system activities + Hard to fool – Often hard to trap what you need to see – Only detects known problems • By scanning the state of the system – Gradually becomes less useful if not – Can’t trap actions that don’t leave traces updated • By sniffing the network – Sometimes signatures are hard to generate – For network intrusion detection systems Lecture 14 Lecture 14 Page 31 Page 32 CS 236, Winter 2007 CS 236, Winter 2007 Misuse Detection and Anomaly Detection Commercial Systems • Essentially all commercial intrusion • Misuse detection can only detect detection systems detect misuse known problems – Primarily using signatures of attacks • And many potential misuses can also • Many of these systems are very similar be perfectly legitimate – With only different details • Anomaly detection instead builds a • Differentiated primarily by quality of their model of valid behavior signature library –And watches for deviations – How large, how quickly updated Lecture 14 Lecture 14 Page 33 Page 34 CS 236, Winter 2007 CS 236, Winter 2007 Pluses and Minuses of Anomaly Methods of Anomaly Detection Detection • Statistical models + Can detect previously unknown attacks –User behavior – Hard to identify and diagnose nature of attacks –Program behavior – Unless careful, may be prone to many –Overall system/network behavior false positives • Expert systems – Depending on method, can be • Misuse detection and anomaly expensive and complex detection sometimes blur together Lecture 14 Lecture 14 Page 35 Page 36 CS 236, Winter 2007 CS 236, Winter 2007 6

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ins Domingues Breast Cancer Workshop April 7th 2015 Outline Outline Outline Outline

Ins Domingues Breast Cancer Workshop April 7th 2015 Outline Outline Outline Outline

An automatic mammogram system: from screening to diagnosis Ins Domingues Breast Cancer Workshop April 7th 2015 Outline Outline Outline Outline Outline Outline Outline Outline Outline Outline Outline Outline Pectoral muscle

589 views • 45 slides
Presentation Preparation Outline Speech Outline Template ***Use this outline to guide you in

Presentation Preparation Outline Speech Outline Template ***Use this outline to guide you in

Presentation Preparation Outline Speech Outline Template ***Use this outline to guide you in preparing for your presentation; this outline is required. Title: I. Introduction (The speech actually starts here.) A. Attention Getter:

479 views • 3 slides
PT1 TMP Presentation Outline 1 Group Members: ___________________________________ Use this outline

PT1 TMP Presentation Outline 1 Group Members: ___________________________________ Use this outline

PT1 TMP Presentation Outline 1 Group Members: ___________________________________ Use this outline to organize your argument to create a logical flow of information and plan your presentation layout. This outline is worth a group grade (one copy

506 views • 3 slides
1 Web Application Development 2 3 Web Application Development CSS Outline An outline is a

1 Web Application Development 2 3 Web Application Development CSS Outline An outline is a

1 Web Application Development 2 3 Web Application Development CSS Outline An outline is a line that is drawn around elements, OUTSIDE the borders, to make the element "stand out". CSS has the following outline properties:

1.76k views • 117 slides
Outline Outline Background of the Network Vision Vision Aims Activities

Outline Outline Background of the Network Vision Vision Aims Activities

Asia Pacific Adaptation Network (APAN)- A k A key regional Initiative i l I iti ti Puja Sawhney Coordinator, APAN , Institute for Global Environmental Strategies Thimpu, Bhutan p 16 th November, 2011 Outline Outline Background of the

441 views • 9 slides
When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really

When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really

When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters When (Low ) Pow er Really Matters Yogesh K. Ramadass, AnanthaGroup Microsystems Technology Laboratory Outline Outline Outline Outline

507 views • 36 slides
Presentation Outline Worksheet You can use part or all of this outline to help you. This is YOUR

Presentation Outline Worksheet You can use part or all of this outline to help you. This is YOUR

Presentation Outline Worksheet You can use part or all of this outline to help you. This is YOUR personal presentation so you can create it however you want. These are just suggestions to help you get started. The purpose is to educate your

618 views • 3 slides
Outline 2 Outline 2 ZSim core simulation techniques Outline 2 ZSim core simulation

Outline 2 Outline 2 ZSim core simulation techniques Outline 2 ZSim core simulation

ZSim Tutorial MICRO 2015 S TATS AND C ONFIGURATION Core Models Po-An Tsai Outline 2 Outline 2 ZSim core simulation techniques Outline 2 ZSim core simulation techniques ZSim core structure I1D I1I Simple IPC 1 core

1.96k views • 120 slides
Outline Outline Motivation Motivation 1 1. Email Speech Acts 2. Modeling textual intention

Outline Outline Motivation Motivation 1 1. Email Speech Acts 2. Modeling textual intention

Modeling Intention in Email : Speech Acts, Information Leaks and User Ranking Methods p g Vitor R. Carvalho Carnegie Mellon University William Cohen Ramnath a at Tom Tom Jon Jon Balasubramanyan Mitchell Elsas Outline Outline

1.09k views • 65 slides
Session Outline Course themes imperative problem solving (think: outline form) C

Session Outline Course themes imperative problem solving (think: outline form) C

Session Outline Course themes imperative problem solving (think: outline form) C programming (close to the machine) storage and processing of data Linux operating system control of robots Demo Course Web site

780 views • 9 slides
Outline : Outline : Our method to perform periodicity search Candidates of the next Geminga The

Outline : Outline : Our method to perform periodicity search Candidates of the next Geminga The

Periodicity Sear Periodicity Search of ch of the the Geming Geminga-lik -like Pulsar e Pulsars Lupin Chun-Che Lin () Institute of Astronomy, National Central University, Taiwan Outline : Outline : Our method to perform periodicity

654 views • 19 slides
Outline for St Outline for St Outline for

Outline for St Outline for St Outline for

Outline for St Outline for St Outline for St Outline for St Francis Participation Francis Participation Francis Participation Francis Participation St Francis Overview Current Work on

120 views • 10 slides
RDF Beyond RDF Beyond Outline Outline RDFa RDFa Microformat Schema.org S h RDFa

RDF Beyond RDF Beyond Outline Outline RDFa RDFa Microformat Schema.org S h RDFa

RDF Beyond RDF Beyond Outline Outline RDFa RDFa Microformat Schema.org S h RDFa RDFa RDFa RDFa RDFa: A collection of attributes and processing p g rules for extending XHTML to support RDF. HTML contains structured data,

768 views • 37 slides
Appendix J: Capstone Presentation Outline Revised Spring 2016 CAPSTONE PRESENTATION OUTLINE This

Appendix J: Capstone Presentation Outline Revised Spring 2016 CAPSTONE PRESENTATION OUTLINE This

Appendix J: Capstone Presentation Outline Revised Spring 2016 CAPSTONE PRESENTATION OUTLINE This is a suggested outline only. Students should work closely with their Faculty Advisors to adapt this format the presentation to the needs of the

418 views • 4 slides
1 Course Outline Course Outline Course Outline Course Outline 3D Graphics Pipeline 3D

1 Course Outline Course Outline Course Outline Course Outline 3D Graphics Pipeline 3D

Goals Goals Foundations of Computer Graphics Foundations of Computer Graphics Systems: Write complex 3D graphics programs (Spring 2010) (Spring 2010) (real-time in OpenGL, offline raytracer, animation) CS 184, Lecture 1: Overview and

176 views • 5 slides
Outline Outline 1. About Cambodia 1. About Cambodia 2. Overview of disaster Hazards &

Outline Outline 1. About Cambodia 1. About Cambodia 2. Overview of disaster Hazards &

Sophak PHOEUN, National DRR Forum Coordinat or & Executive Assistant to Vice President of NCDM , National Committee for Disaster Management. Outline Outline 1. About Cambodia 1. About Cambodia 2. Overview of disaster Hazards &

346 views • 15 slides
;%"'4<=>20'%#646?420'%$5>46@> ;%)64A0<B%*??6>>%+0'4<03

;%"'4<=>20'%#646?420'%$5>46@> ;%)64A0<B%*??6>>%+0'4<03

"#$%&'(%)*+ ,-./0123245%%%%%%%%$674%899: ;%"'4<=>20'%#646?420'%$5>46@> ;%)64A0<B%*??6>>%+0'4<03 ;%CCC%&'(%AD6<6%(06>%<0&@2'E %%?0@6%2'40%73&5F !

514 views • 7 slides
Scheduling Intrusion Detection Systems in Resource-Bounded Cyber-Physical Systems Waseem Abbas 1 ,

Scheduling Intrusion Detection Systems in Resource-Bounded Cyber-Physical Systems Waseem Abbas 1 ,

Scheduling Intrusion Detection Systems in Resource-Bounded Cyber-Physical Systems Waseem Abbas 1 , Aron Laszka 2 , Yevgeniy Vorobeychik 1 , Xenofon Koutsoukos 1 1 Institute for Software Integrated Systems, Vanderbilt University 2 Electrical

495 views • 24 slides
The Bro Network Intrusion Detection System Robin Sommer Lawrence Berkeley National Laboratory

The Bro Network Intrusion Detection System Robin Sommer Lawrence Berkeley National Laboratory

The Bro Network Intrusion Detection System Robin Sommer Lawrence Berkeley National Laboratory rsommer@lbl.gov http://www.icir.org UC Computing Services Conference 2007 Outline Design of the Bro NIDS Philosophy Architecture

1.14k views • 39 slides
How to Operationalize a Consultative Model of Customer Service Anait Freeman NIH Office of

How to Operationalize a Consultative Model of Customer Service Anait Freeman NIH Office of

How to Operationalize a Consultative Model of Customer Service Anait Freeman NIH Office of Human Resources Engagement and FEVS Program Manager Consultation Program Strategy Employee Engagement Program Direct Direct Consultative

543 views • 12 slides
Cyber@UC Meeting 40 CEH Networking If Youre New! Join our Slack ucyber.slack.com SIGN

Cyber@UC Meeting 40 CEH Networking If Youre New! Join our Slack ucyber.slack.com SIGN

Cyber@UC Meeting 40 CEH Networking If Youre New! Join our Slack ucyber.slack.com SIGN IN! Feel free to get involved with one of our committees: Content, Finance, Public Affairs, Outreach, Recruitment Ongoing Projects:

644 views • 40 slides
Side-channel based intrusion detection for industrial control systems I have no idea what

Side-channel based intrusion detection for industrial control systems I have no idea what

Side-channel based intrusion detection for industrial control systems I have no idea what this device is doing, but at least its still doing the same thing. CRITIS 2017, October 9 th , 2017 Pol Van Aubel 1/31 Authors Joint work:

928 views • 31 slides
Efficient Packet Classification for Intrusion Detection Using FPGA Haoyu Song, John W. Lockwood

Efficient Packet Classification for Intrusion Detection Using FPGA Haoyu Song, John W. Lockwood

Efficient Packet Classification for Intrusion Detection Using FPGA Haoyu Song, John W. Lockwood Applied Research Lab : Reconfigurable Network Group Department of Computer Science and Engineering

214 views • 9 slides
HOW TO CONNECT VEHICLE IN SAFE AND SECURE WAY MIKKO HURSKAINEN TECHNOLOGIST 17+ 200+ 70+ 5

HOW TO CONNECT VEHICLE IN SAFE AND SECURE WAY MIKKO HURSKAINEN TECHNOLOGIST 17+ 200+ 70+ 5

HOW TO CONNECT VEHICLE IN SAFE AND SECURE WAY MIKKO HURSKAINEN TECHNOLOGIST 17+ 200+ 70+ 5 YEARS IN AUTOMOTIVE TOP NOTCH LOCATIONS EMBEDDED SOFTWARE PROFESSIONALS AROUND SOFTWARE PROJECTS BUILDING THE GLOBE BUSINESS DELIVERED

616 views • 34 slides

More recommend