Chapter 25: Intrusion Detection
Dr. Wayne Summers
Department of Computer Science
Columbus State University
http://csc.colstate.edu/summers
Principles
Computer Systems under attack
– Actions of users and processes do not conform to a statistically predictable pattern
– Actions of users and processes include sequences of commands that attempt to subvert the security policy of the system
– Actions of processes do not conform to set of specifications that are allowed for the process
Basic Intrusion Detection
Attack tool – automated script designed to violate a security policy (e.g. a rootkit)
Goals of an IDS
– Detect a wide variety of intrusions (inside / outside; known/unknown attacks)
– Detect intrusions in a timely fashion
– Present the analysis in simple, easy-to-use format
– Be accurate (minimize false positives and false negatives)
Models
Anomaly Modeling – analyzes a set of characteristics of the system and compares observed behavior to expected values
– Threshold metric: uses minimum/maximum values
– Statistical moments: uses mean/std. dev. & other measures of correlation
– Markov model: uses a set of transition probabilities (requires training data)
Misuse Modeling – determines whether a sequence of instructions being executed is known to violate the site security policy
Specification Modeling – determines whether a sequence of instructions violates a specification of how a program/system should execute
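The three anomaly-modeling techniques listed above can be shown in a few lines of working code. The following is an added example written for this transcript, not code from the slides or from any product they name; the training data (daily failed-login counts and a few command sessions for one account) is constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed training data (not from the slides): failed logins per day for one
# account over ten days, and a few typical command sessions for that account.
TRAINING_FAILED_LOGINS = [1, 0, 2, 1, 3, 0, 1, 2, 1, 1]
TRAINING_SESSIONS = [
    ["login", "ls", "cd", "ls", "vim", "logout"],
    ["login", "cd", "ls", "vim", "make", "logout"],
    ["login", "ls", "vim", "logout"],
]


def threshold_metric(value, minimum, maximum):
    """Threshold metric: anomalous when the observed value leaves [minimum, maximum]."""
    return value < minimum or value > maximum


def statistical_moments(training, value, k=3.0):
    """Statistical moments: anomalous when value lies more than k standard
    deviations from the mean of the training observations."""
    n = len(training)
    mean = sum(training) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in training) / n)
    if std == 0:  # degenerate profile: any change at all is a deviation
        return value != mean
    return abs(value - mean) / std > k


class MarkovModel:
    """Markov model: first-order transition probabilities learned from training
    sequences; a transition seen too rarely (or never) in training is anomalous."""

    def __init__(self, sequences):
        counts = defaultdict(Counter)
        for seq in sequences:
            for a, b in zip(seq, seq[1:]):
                counts[a][b] += 1
        self.prob = {}
        for a, nxt in counts.items():
            total = sum(nxt.values())
            self.prob[a] = {b: c / total for b, c in nxt.items()}

    def transition_prob(self, a, b):
        """Learned P(b | a); 0.0 for transitions (or states) never seen in training."""
        return self.prob.get(a, {}).get(b, 0.0)

    def anomalous_transitions(self, seq, min_prob=0.05):
        """Return the (from, to) pairs in seq whose learned probability is below min_prob."""
        return [(a, b) for a, b in zip(seq, seq[1:])
                if self.transition_prob(a, b) < min_prob]


if __name__ == "__main__":
    print(threshold_metric(7, 0, 5))                         # True
    print(statistical_moments(TRAINING_FAILED_LOGINS, 25))   # True
    model = MarkovModel(TRAINING_SESSIONS)
    print(model.anomalous_transitions(["login", "ls", "cat", "logout"]))
```

Each detector reports a deviation, not an intrusion: the threshold and moment checks need a sensible baseline window, and the Markov model flags every transition it never saw in training, so the quality of the training data decides the false-positive rate the Goals slide warns about.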
Architecture
Agent – obtains information from data source (“logger”)
– Host-based Intrusion Detection System (HIDS)
• Uses system and application logs
– Network-based Intrusion Detection System (NIDS)
• Uses devices and software to monitor network traffic
Director – reduces log entries and then determines if an attack is underway (“analyzer”)
Notifier – accepts information from director and takes appropriate action (GUI, email)
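The agent / director / notifier split is easiest to see as a small pipeline. The code below is an added example for this transcript (not from the slides or any IDS product): the agent parses raw log lines into normalized events, the director reduces them to a count per source and applies a decision rule, and the notifier hands each alert to an action. The log lines are constructed in the style of an SSH daemon, the addresses are documentation ranges, and the threshold of five failures is an assumed policy value.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines in sshd style (not real captures); 203.0.113.0/24
# and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
Mar  1 10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  1 10:00:03 host1 sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 51001 ssh2
Mar  1 10:00:05 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  1 10:00:07 host1 sshd[1204]: Failed password for invalid user guest from 203.0.113.7 port 51003 ssh2
Mar  1 10:00:09 host1 sshd[1205]: Failed password for alice from 203.0.113.7 port 51004 ssh2
Mar  1 10:01:00 host1 sshd[1210]: Accepted publickey for bob from 198.51.100.20 port 40000 ssh2
Mar  1 10:02:00 host1 sshd[1211]: Failed password for bob from 198.51.100.20 port 40001 ssh2
Mar  1 10:02:05 host1 sshd[1212]: Accepted password for bob from 198.51.100.20 port 40002 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")


@dataclass
class Event:
    """Normalized record produced by the agent (the 'logger')."""
    host: str
    user: str
    source: str


def agent(log_text):
    """Agent: read the raw data source and emit one Event per failed login."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            host = line.split()[3]  # syslog layout: month day time host ...
            events.append(Event(host=host, user=m.group(1), source=m.group(2)))
    return events


def director(events, threshold=5):
    """Director (analyzer): reduce events to a count per source address and
    decide that an attack is underway when the count reaches the threshold."""
    per_source = Counter(e.source for e in events)
    return [
        {
            "source": src,
            "failures": n,
            "users": sorted({e.user for e in events if e.source == src}),
        }
        for src, n in per_source.items()
        if n >= threshold
    ]


def notifier(alerts, sink):
    """Notifier: take the director's decisions and act on them; 'sink' stands in
    for the GUI, e-mail or ticketing action and receives one message per alert."""
    for a in alerts:
        sink(f"ALERT: {a['failures']} failed logins from {a['source']} "
             f"against users {', '.join(a['users'])}")
    return len(alerts)


def run_pipeline(log_text, threshold=5):
    """Wire the three components together and return (alerts, notifier messages)."""
    messages = []
    alerts = director(agent(log_text), threshold)
    notifier(alerts, messages.append)
    return alerts, messages


if __name__ == "__main__":
    for msg in run_pipeline(SAMPLE_LOG)[1]:
        print(msg)
```

The director is where the "reduces log entries" step of the slide happens: eight raw lines become two per-source counters, and only the counter that crosses the policy threshold reaches the notifier. Bob's single mistyped password stays below it, which is the false-positive trade-off the Goals slide asks an IDS to manage.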
Architecture of IDS
Diagram (not reproduced): Hosts A, B and C each run a HIDS and Host N runs a NIDS; these loggers feed the Director (Analyzer), which feeds the Notifier.
HIDS: Host Intrusion Detection System
NIDS: Network Intrusion Detection System (logger)
Host-based IDS
– Periodically analyze logs, perform file system integrity check.
– Examples:
• Generic: ISS RealSecure Server Sensor
• Check host file system: Tripwire, AIDE
• Check host network connections: BlackICE, PortSentry
• Check host’s log files: LogSentry, Swatch
• Intrusion Prevention System: Cisco Security Agent (Okena Stormwatch)
Network-based IDS
– Analyze network traffic content and pattern for signs of intrusion
– Examples:
• Snort
• Cisco Sensors
Organization of IDSs
Monitoring Network Traffic for Intrusions
– Network Security Monitor
• Develops a profile of expected usage of the network and compares current usage with the profile
– Distributed IDS – combines abilities of NSM with host-based IDS
– Autonomous Agents for ID – autonomous agents that work together
IDS Placement
Diagram (not reproduced): Internet connected through a Router and an Outer Firewall to a DMZ holding the DNS Server, Mail Server and Web Server on switches (SW), then through an Inner Firewall to the internal network (Intra1); three IDS sensors are placed at points in this topology.
Intrusion Response
Incident Prevention – Intrusion Prevention Systems
– Identify attack before it completes
– Jail (sandbox) attacks
Intrusion Handling
– Preparation for attack
– Identification of attack
– Containment of the attack
– Eradication of the attack (blocks further attacks)
– Recovery from the attack
– Follow-up to the attack
• Pursue legal action
• Tracing attack: thumbprinting, IP header markers