
Post on 19-Jan-2016



Intrusion Detection

“Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.”


IDS vs. Surveillance Camera

• Constant vigilance

• Stealth Design

• Infrastructure support

• Adversary belief


Basic concepts

• Monitor

• Report

• Respond


The Seven Fundamentals

1. What are the methods used

2. How are IDS organized

3. What is an intrusion

4. How do we trace and how do they hide

5. How do we correlate information

6. How can we trap intruders

7. Incident response


What are the methods used by IDS?

• Audit trail processing

– Use log files from various processes

– Proper collection and consolidation of logs

• On-the-fly processing

– Mostly network based

– Looks at raw traffic

– Tries to find known “signatures”
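As an added example (not from the slides), the two methods above in Python: constructed sshd and web server log lines are parsed into normalized events, consolidated into one time-ordered trail, and checked against known signatures, one stateless (a path pattern in a single request) and one stateful (repeated authentication failures from one source inside a time window). The log lines, thresholds, the assumed year for syslog timestamps and the signature names are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trails (not real data): an sshd syslog and a web
# server access log, two of the "various processes" whose logs get consolidated.
SSHD_LOG = """\
Jan 19 10:00:01 host1 sshd[100]: Failed password for invalid user admin from 203.0.113.5 port 5000 ssh2
Jan 19 10:00:03 host1 sshd[101]: Failed password for root from 203.0.113.5 port 5001 ssh2
Jan 19 10:00:04 host1 sshd[102]: Failed password for root from 203.0.113.5 port 5002 ssh2
Jan 19 10:00:06 host1 sshd[103]: Failed password for root from 203.0.113.5 port 5003 ssh2
Jan 19 10:00:09 host1 sshd[104]: Accepted password for alice from 198.51.100.7 port 6000 ssh2
Jan 19 10:20:00 host1 sshd[105]: Failed password for bob from 198.51.100.9 port 6001 ssh2
"""
WEB_LOG = """\
198.51.100.7 - - [19/Jan/2016:10:00:10 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [19/Jan/2016:10:00:12 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0
203.0.113.5 - - [19/Jan/2016:10:00:13 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 88
"""

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
WEB_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_sshd(text, year=2016):
    """Normalize sshd lines. Syslog carries no year, so it is an assumed parameter."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # a production collector would archive, not drop, unparsed lines
        ts = datetime.strptime(f"{year} {m['mon']} {m['day'].strip()} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "src": m["src"], "user": m["user"], "source": "sshd",
                       "kind": "auth_fail" if m["result"] == "Failed" else "auth_ok"})
    return events


def parse_web(text):
    """Normalize access-log lines to the same event shape as the sshd events."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        events.append({"ts": ts, "src": m["src"], "source": "web", "kind": "http",
                       "path": m["path"], "status": int(m["status"])})
    return events


def consolidate(*event_lists):
    """Merge normalized events from every source into one time-ordered trail."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])


# Stateless signatures: a predicate evaluated against each normalized event.
SIGNATURES = {
    "path-traversal": lambda e: e["kind"] == "http" and "../" in e.get("path", ""),
}


def match_signatures(events):
    return [(name, e["src"], e["ts"]) for e in events
            for name, pred in SIGNATURES.items() if pred(e)]


def repeated_failures(events, threshold=3, window=timedelta(seconds=60)):
    """Stateful signature: `threshold` auth failures from one source inside `window`."""
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e["kind"] != "auth_fail":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # expire timestamps that fell out of the window
            q.pop(0)
        if len(q) == threshold:          # report once, when the threshold is first crossed
            alerts.append(("repeated-auth-failures", e["src"], e["ts"]))
    return alerts


def analyze(sshd_text=SSHD_LOG, web_text=WEB_LOG):
    """Monitor (parse), consolidate, and report: returns (signature, source, time) alerts."""
    trail = consolidate(parse_sshd(sshd_text), parse_web(web_text))
    alerts = match_signatures(trail) + repeated_failures(trail)
    return sorted(alerts, key=lambda a: a[2])


if __name__ == "__main__":
    for name, src, ts in analyze():
        print(f"{ts:%Y-%m-%d %H:%M:%S} {name} from {src}")
```

Running the module prints two alerts: the repeated-failure signature fires at the third failure from 203.0.113.5, and the path signature fires on the traversal request from the same address. Reporting the stateful rule only when the threshold is first crossed keeps a long run of failures from flooding the alarm channel, which matters once a response is attached to the alert.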


What are the methods used by IDS? (cont.)

• Profiles of normal behavior

– Estimation of initial behavior

– Fine-tuning

– Using out-of-band information

• Signatures of abnormal behavior

– Known attacks

– Suspicious patterns

• Parameter pattern matching or anomaly discovery
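An added example (not part of the deck) of the profile-based method: a baseline per subject is estimated from training counts (initial behavior), a tuning parameter k sets how many standard deviations an observation may deviate before it is reported (fine-tuning), a constructed maintenance schedule stands in for out-of-band information that explains a deviation, and observations an analyst confirms as benign are folded back into the baseline. The subjects, counts, hour labels and maintenance window are constructed.

```python
from statistics import mean, pstdev


class Profile:
    """Per-subject baseline: mean and spread of an activity measure per hour."""

    def __init__(self, samples, k=3.0):
        self.samples = list(samples)   # estimate of initial behavior
        self.k = k                     # tuning knob: alert threshold in standard deviations
        self._refit()

    def _refit(self):
        self.mu = mean(self.samples)
        self.sigma = pstdev(self.samples) or 1.0   # a flat baseline must not divide by zero

    def score(self, x):
        """Standardized deviation from the baseline (z-score); negative means unusually quiet."""
        return (x - self.mu) / self.sigma

    def is_anomalous(self, x):
        return abs(self.score(x)) > self.k

    def update(self, x):
        """Fine-tuning: fold an observation confirmed benign by an analyst into the baseline."""
        self.samples.append(x)
        self._refit()


# Constructed training data: commands run per hour by "alice" over ten working hours.
TRAINING = {"alice": [10, 12, 9, 11, 10, 13, 8, 12, 11, 10]}

# Constructed observations to score: (subject, hour, count).
OBSERVATIONS = [
    ("alice", "2016-01-19T09", 12),
    ("alice", "2016-01-19T10", 40),
    ("alice", "2016-01-19T02", 35),
    ("carol", "2016-01-19T10", 5),
]

# Out-of-band information (constructed): a scheduled maintenance window during
# which alice's activity is expected to spike.
MAINTENANCE = {("alice", "2016-01-19T02")}


def build_profiles(training, k=3.0):
    return {subject: Profile(samples, k) for subject, samples in training.items()}


def detect(observations, profiles, exceptions=frozenset()):
    """Return (kind, subject, hour, z-score) alerts for the given observations."""
    alerts = []
    for subject, hour, count in observations:
        profile = profiles.get(subject)
        if profile is None:
            # No baseline yet: a subject the estimator has never seen is itself reportable.
            alerts.append(("no-baseline", subject, hour, None))
            continue
        if (subject, hour) in exceptions:
            continue   # deviation explained by out-of-band knowledge
        if profile.is_anomalous(count):
            alerts.append(("anomaly", subject, hour, round(profile.score(count), 2)))
    return alerts


if __name__ == "__main__":
    for alert in detect(OBSERVATIONS, build_profiles(TRAINING), MAINTENANCE):
        print(alert)
```

The absolute value in `is_anomalous` is deliberate: a subject that normally produces activity and suddenly goes silent is as much a deviation from the profile as a spike, which a one-sided threshold would miss. Lowering k raises sensitivity at the cost of more false reports, which is the trade-off the fine-tuning step exists to manage.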


How are IDS organized

• Architecture

• CIDF


How are IDS organized (cont.)

• Sensor

• System management (custom, syslog, SNMP, etc.)

• Processing (analysis)

• Knowledge bases

• Audits and archives

• Alarms (static and dynamic)

• User interface (GUI, tail -f, etc.)


What is an Intrusion

• Intrusion vs. attack

“Sequence of actions that may be interleaved with other unrelated actions”


How do we trace and how do they hide

• In-band techniques

– May use cryptography, weaving approaches, compromised systems, etc.

• Out-of-band techniques

– Public access areas: cyber cafes, telephony techniques, etc.


How do we correlate information

• Single sessions and multiple session correlation

• Real time vs. After the fact correlation

• In-band vs. all-band information
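An added example, not from the slides, of the first two distinctions: one correlator holds a single-session rule (failures followed by a success inside the same session) and a multi-session rule (one source failing across several sessions and accounts inside a window), and is driven either in real time, in arrival order, or after the fact, over the complete trail sorted by time. The event stream, session identifiers, addresses and rule thresholds are constructed.

```python
from collections import defaultdict, deque

# Constructed event stream: (ts_seconds, session, src, user, kind).
# Sessions s2-s4 come from one source, each failing against a different account.
EVENTS = [
    (0,   "s1", "203.0.113.5",  "root",  "auth_fail"),
    (2,   "s1", "203.0.113.5",  "root",  "auth_fail"),
    (5,   "s1", "203.0.113.5",  "root",  "auth_ok"),
    (10,  "s2", "203.0.113.9",  "alice", "auth_fail"),
    (12,  "s3", "203.0.113.9",  "bob",   "auth_fail"),
    (14,  "s4", "203.0.113.9",  "carol", "auth_fail"),
    (300, "s5", "198.51.100.7", "alice", "auth_ok"),
]


class Correlator:
    """Per-session and per-source state feeding two rules:
    single-session: `min_fails` failures followed by a success in the same session;
    multi-session : one source failing across `spread` sessions and accounts in `window` s."""

    def __init__(self, min_fails=2, spread=3, window=120):
        self.min_fails, self.spread, self.window = min_fails, spread, window
        self.session_fails = defaultdict(int)
        self.src_fails = defaultdict(deque)   # src -> (ts, session, user) inside the window
        self.reported = set()                 # sources already reported by the multi-session rule

    def feed(self, event):
        """Update state with one event and return any alerts it completes."""
        ts, session, src, user, kind = event
        alerts = []
        if kind == "auth_fail":
            self.session_fails[session] += 1
            q = self.src_fails[src]
            q.append((ts, session, user))
            while ts - q[0][0] > self.window:
                q.popleft()
            sessions = {s for _, s, _ in q}
            users = {u for _, _, u in q}
            if min(len(sessions), len(users)) >= self.spread and src not in self.reported:
                self.reported.add(src)
                alerts.append(("multi-session-failures", src, ts))
        elif kind == "auth_ok" and self.session_fails[session] >= self.min_fails:
            alerts.append(("failures-then-success", session, ts))
        return alerts


def correlate_real_time(stream):
    """Real time: events are judged in arrival order, with no chance to reorder them."""
    c = Correlator()
    for event in stream:
        yield from c.feed(event)


def correlate_after_the_fact(events):
    """After the fact: the complete trail can be time-sorted before correlation."""
    return list(correlate_real_time(sorted(events)))


if __name__ == "__main__":
    print("real time      :", list(correlate_real_time(EVENTS)))
    print("after the fact :", correlate_after_the_fact(reversed(EVENTS)))
    print("real time, late:", list(correlate_real_time(reversed(EVENTS))))
```

The third run in the usage block feeds the same events in reverse arrival order, as happens when logs from several sources reach the analyzer out of sequence: the single-session rule never fires, because the success is seen before the failures that make it suspicious. After-the-fact correlation sorts the whole trail first and recovers both alerts, which is the practical reason the two modes are listed separately.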


How can we trap intruders

• Real systems

• Trap systems

• IDS diverting


Incident response

• Ignore the problem, and hope it goes away

• Panic

• Consider the real factors:

– Does the incident involve critical assets?

– Has it occurred before?

– Is it still going on?

– Has damage occurred?

– What policies and procedures have been violated?

– Are traps available for use?
