styles of intrusion detection
play

Styles of Intrusion Detection Misuse intrusion detection Try to - PowerPoint PPT Presentation

Sep 21, 2022 •472 likes •627 views

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

  1. Styles of Intrusion Detection • Misuse intrusion detection – Try to detect things known to be bad • Anomaly intrusion detection – Try to detect deviations from normal behavior • Specification intrusion detection – Try to detect deviations from defined “good states” Lecture 11 Page 1 CS 236 Online

  2. Misuse Detection • Determine what actions are undesirable • Watch for those to occur • Signal an alert when they happen • Often referred to as signature detection Lecture 11 Page 2 CS 236 Online

  3. Level of Misuse Detection • Could look for specific attacks – E.g., SYN floods or IP spoofing • But that only detects already-known attacks • Better to also look for known suspicious behavior – Like trying to become root – Or changing file permissions Lecture 11 Page 3 CS 236 Online

  4. How Is Misuse Detected? • By examining logs – Only works after the fact • By monitoring system activities – Often hard to trap what you need to see • By scanning the state of the system – Can’t trap actions that don’t leave traces • By sniffing the network – For network intrusion detection systems Lecture 11 Page 4 CS 236 Online

  5. Pluses and Minuses of Misuse Detection + Few false positives + Simple technology + Hard to fool • At least about things it knows about – Only detects known problems – Gradually becomes less useful if not updated – Sometimes signatures are hard to generate Lecture 11 Page 5 CS 236 Online

  6. Misuse Detection and Commercial Systems • Essentially all commercial intrusion detection systems primarily detect misuse – Generally using signatures of attacks • Many of these systems are very similar – Differing only in details • Differentiated primarily by quality of their signature library – How large, how quickly updated Lecture 11 Page 6 CS 236 Online

  7. Anomaly Detection • Misuse detection can only detect known problems • And many potential misuses can also be perfectly legitimate • Anomaly detection instead builds a model of valid behavior – And watches for deviations Lecture 11 Page 7 CS 236 Online

  8. Methods of Anomaly Detection • Statistical models – User behavior – Program behavior – Overall system/network behavior • Expert systems • Pattern matching of various sorts • Misuse detection and anomaly detection sometimes blur together Lecture 11 Page 8 CS 236 Online

  9. Pluses and Minuses of Anomaly Detection + Can detect previously unknown attacks + Not deceived by trivial changes in attack – Hard to identify and diagnose nature of attacks – Unless careful, may be prone to many false positives – Depending on method, can be expensive and complex Lecture 11 Page 9 CS 236 Online

  10. Anomaly Detection and Academic Systems • Most academic research on IDS in this area – More interesting problems – Greater promise for the future – Increasingly, misuse detection seems inadequate • But few really effective systems currently use it – Not entirely clear that will ever change – What if it doesn’t? Lecture 11 Page 10 CS 236 Online

  11. Specification Detection • Define some set of states of the system as good • Detect when the system is in a different state • Signal a problem if it is Lecture 11 Page 11 CS 236 Online

  12. How Does This Differ From Misuse and Anomaly Detection? • Misuse detection says that certain things are bad • Anomaly detection says deviations from statistically normal behavior are bad • Specification detection defines exactly what is good and calls the rest bad Lecture 11 Page 12 CS 236 Online

  13. Some Challenges • How much state do you have to look at? – Typically dealt with by limiting observation to state relevant to security – Easy to underestimate that . . . • How do you specify a good state? • How often do you look? – Might miss attacks that transiently change the state Lecture 11 Page 13 CS 236 Online

  14. Protocol Anomaly Detection • Really a form of specification intrusion detection • Based on precise definitions of network protocols • Can easily detect deviations • Incorporated into some commercial systems – E.g., Snort and Checkpoint Lecture 11 Page 14 CS 236 Online

  15. Pluses and Minuses of Specification Detection + Allows formalization of what you’re looking for + Limits where you need to look + Can detect unknown attacks - Only effective when one can specify correct state - Based on locating right states to examine - Maybe attackers can do what they want without changing from a “good” state Lecture 11 Page 15 CS 236 Online

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 11 Page 1 CS 236 Online Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection

143 views • 12 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection & Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

432 views • 32 slides
Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International Conference on Computing in High Energy and Nuclear Physics Outline: Introduction Threat model Intrusion prevention Intrusion detection

420 views • 16 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

584 views • 30 slides
Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald Tripp www.kent.ac.uk Network intrusion detection Network intrusion detection systems are provided to detect the presence of various security

260 views • 12 slides
Automobile Intrusion Detection Jun Li Twitter @bravo_fighter UnicornTeam Qihoo360 2 What

Automobile Intrusion Detection Jun Li Twitter @bravo_fighter UnicornTeam Qihoo360 2 What

Automobile Intrusion Detection Jun Li Twitter @bravo_fighter UnicornTeam Qihoo360 2 What this talk is about? Automotive intrusion detection Automotive cyber-security architecture From the highest viewpoint J 3 Outline Quick

926 views • 63 slides
Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS

Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS

Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS 136, Fall 2014 Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection systems Lecture 11

737 views • 63 slides
CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z. rafique, j.caballero, g.gu imdea software institute success lab, texas a&m univeristy Cybercriminals use geographically distributed servers to

652 views • 24 slides
C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos

C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos

C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos dimitris at census-labs.com Census, Inc. Athens IT Security Conference (AthCon 2010) C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G

315 views • 30 slides
Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide Balzarotti 1 1 EURECOM 2 Cisco Systems, Inc. IEEE Symposium on Security & Privacy, May 2018 Malware and operating systems Malware and operating

690 views • 57 slides
PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr Sec Research Analyst @ Arbor ex-TippingPoint ASI Primarily reverse malware Interests / Research DDoS Botnet tracking Malware Clustering Bug

419 views • 29 slides
Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser

Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser

Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser Interdisciplinary Project Advisor: Lothar Braun Chair for Network Architectures and Services Faculty of Computer Science Technische Universit at M

1.02k views • 56 slides
Small is Beautiful: the design of Lua Roberto Ierusalimschy PUC-Rio Language design many

Small is Beautiful: the design of Lua Roberto Ierusalimschy PUC-Rio Language design many

Small is Beautiful: the design of Lua Roberto Ierusalimschy PUC-Rio Language design many tradeoffs similar to any other design process designers seldom talk about them what a language is not good for Typical tradeoffs

724 views • 49 slides
Generalized Pattern Matching Micro-Engine Yuanwei Fang*, Raihan Rasool , Dilip Vasudevan*,

Generalized Pattern Matching Micro-Engine Yuanwei Fang*, Raihan Rasool , Dilip Vasudevan*,

Generalized Pattern Matching Micro-Engine Yuanwei Fang*, Raihan Rasool , Dilip Vasudevan*, Andrew A. Chien* Argonne National Laboratory King Faisal University University of Chicago * Big Data Applications Deep Packet

275 views • 26 slides
Discourse BSc Artificial Intelligence, Spring 2011 Raquel Fernndez Institute for Logic,

Discourse BSc Artificial Intelligence, Spring 2011 Raquel Fernndez Institute for Logic,

Discourse BSc Artificial Intelligence, Spring 2011 Raquel Fernndez Institute for Logic, Language & Computation University of Amsterdam Raquel Fernndez Discourse BSc AI 2011 1 / 21 Plan for Today Discussion of HW#2 and

812 views • 21 slides

More recommend