Intrusion Detection Systems
1980 - Paper written detailing the importance of audit data in detecting misuse and user behavior
1984 - SRI International develops a method of tracking and analyzing users of ARPANET, resulting in the 1st IDS
1988 - Haystack project: IDS based on using defined patterns of misuse, resulting in the Distributed IDS
1990 - Todd Heberlein: Network Security Monitor, the 1st network monitor; lots of interest leading to commercial development, leading to the IDS boom we see today
What are Intrusion Detection Systems?
Not a firewall!
A firewall is just that: a wall (allow/deny).
An IDS is a monitoring system; it takes notes of what is going on and reports it to someone else to deal with.
What are Intrusion Detection Systems?
Sensors -> report security events
Console -> monitor events/alerts, control sensors
Engine -> logs events reported by the sensors, generates alerts based upon security rules
Can have all 3 components in a single place
Types of IDS
Based upon where the sensors are placed in the system as well as the rules used to generate alerts:
Network IDS
Host-based IDS
Network IDS
Ideally scans all traffic, but not always practical
Examines network traffic; connected to a network device allowing port mirroring, or to a network tap
Signature vs anomaly based
Network IDS: Signature Based (knowledge based)
Most IDS are signature based
Works like antivirus software: looks for attempts to exploit known vulnerabilities
This type is ineffective if an exploit type is unknown to the system
Network IDS: Anomaly Based (behavior based)
This type observes deviation from the "normal" behavior of the system.
Not limited to known vulnerabilities: can flag new/unforeseen attacks
High "false positive" rate; requires a "learning phase" and subsequent "retraining" as the network changes.
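An added example (not from the slides) of the learning phase, deviation scoring and retraining described above: a detector that learns a baseline for one metric (connections per minute from a host, constructed values) and alerts on observations that deviate from it. The metric, the training data and the 3-sigma threshold are assumptions for illustration.

```python
import statistics

# Constructed sample: connections-per-minute counts seen from one host
# during a quiet "learning phase" (assumed training data, not real traffic).
TRAINING_WINDOW = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13]


class RateAnomalyDetector:
    """Anomaly-based (behavior-based) detector: learns what is "normal"
    for a single metric, then flags observations that deviate from it."""

    def __init__(self, threshold_sigmas=3.0):
        self.threshold = threshold_sigmas   # assumed alert threshold
        self.mean = None
        self.stdev = None

    def train(self, samples):
        """Learning phase: build the baseline from observed normal behavior."""
        if len(samples) < 2:
            raise ValueError("need at least two samples to learn a baseline")
        self.mean = statistics.mean(samples)
        # Guard against a zero stdev so a perfectly flat baseline does not
        # turn every later observation into an alert.
        self.stdev = max(statistics.stdev(samples), 1e-9)

    def score(self, value):
        """How many standard deviations this observation lies from the baseline."""
        return abs(value - self.mean) / self.stdev

    def is_anomalous(self, value):
        return self.score(value) > self.threshold


def detect(detector, observations):
    """Return the observations the detector would alert on."""
    return [v for v in observations if detector.is_anomalous(v)]


if __name__ == "__main__":
    det = RateAnomalyDetector()
    det.train(TRAINING_WINDOW)
    # 400 connections/min is a clear deviation; 14 and 13 are business as usual.
    print(detect(det, [14, 400, 13]))  # → [400]
    # After a legitimate change (say, a new busy service on the host) the old
    # baseline produces false positives until the detector is retrained.
    print(detect(det, [60, 65, 62]))   # → [60, 65, 62]
    det.train([60, 65, 62, 58, 61, 64])
    print(detect(det, [60, 65, 62]))   # → []
```

The second and third calls show the slide's caveat directly: the same traffic is "anomalous" or "normal" depending only on whether the baseline has been retrained.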
Host-based IDS
Individual devices: monitors the PC – sys calls, app logs, file modifications
Single device only!
Alerts the user/admin if something is detected
Hybrid IDS
Can be a combination of these systems, such as host based + network based
With the host reporting to the network based system for more comprehensive protection
Passive vs Reactive IDS
Among the variety of "flavors" of IDS, they can be categorized into two major groups:
Passive systems work by simply monitoring, detecting and alerting
Reactive systems perform any necessary action or actions against a detected threat
Passive IDS
Monitors the system for any suspicious or malicious intrusion
If found, evaluates it to determine whether it is a threat
If detected as such, generates and sends an alert to the user
Up to the user to take action
(Cartoon caption: "I just found a threat, user")
Reactive IDS
Alerts the console user and attempts to respond according to security rules/capabilities: reprogram firewall, reset connections, block IP addresses
Typically called an Intrusion Prevention System
Essentially a firewall with network and application level filtering
(Cartoon caption: "I found a threat and I'm taking care of it, oh yeah")
IDS Evasion Techniques
Closely related to network attack methods; designed to avoid detection by the IDS
Some basic and commonly known methods to attack IDS are through:
String matching weaknesses
Session assembly weaknesses
Denial of service techniques
String Matching Weaknesses
Easiest to implement and understand
Most IDS have a strong dependency on string matching
Using variants, string manipulation techniques, and character substitution techniques so strings don't match
If strings don't match, no threat is detected
Session Assembly Weakness
Works by dividing a string across several packets
Data will be delivered a few bytes at a time with modified IP packets to evade string matching
To defend, the IDS should fully understand the session (difficult and processor intensive)
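An added example (not from the slides) covering both the string matching and the session assembly slides from the defender's side: a per-packet matcher that misses a signature split across segments and written in a character-substituted form, beside a matcher that reassembles the stream and normalizes it first. The signature, the segments and the simplified reassembly rules are constructed assumptions, not a real IDS rule or capture.

```python
from urllib.parse import unquote

# Constructed signature and traffic: placeholders standing in for
# a real IDS rule and a real packet capture.
SIGNATURE = "/etc/passwd"

# A request delivered a few bytes at a time across several TCP
# segments, percent-encoded and mixed-case (the two weaknesses the
# slides describe). seq is the byte offset in the stream; the
# segments are listed out of order, as they might be captured.
SEGMENTS = [
    (8,  b"/ETC/pa"),
    (0,  b"GET /cgi"),
    (15, b"%73%73wd HTTP/1.0\r\n"),
]

def naive_match(segments):
    """Per-packet string matching: inspects each segment on its own."""
    return any(SIGNATURE.encode() in data for _, data in segments)

def reassemble(segments):
    """Order segments by offset and join them into one stream.
    A production engine would also handle retransmissions and
    inconsistent overlaps; this keeps the first copy it saw."""
    stream = bytearray()
    for seq, data in sorted(segments, key=lambda s: s[0]):
        if seq < len(stream):          # overlap: drop the repeated bytes
            data = data[len(stream) - seq:]
        elif seq > len(stream):        # gap: the stream cannot be inspected
            raise ValueError(f"gap in stream at offset {len(stream)}")
        stream += data
    return bytes(stream)

def normalize(stream):
    """Decode percent-encoding and fold case so variants match one signature."""
    return unquote(stream.decode("latin-1")).lower()

def stream_match(segments):
    """Reassemble, normalize, then match: the defense the slide calls for."""
    return SIGNATURE in normalize(reassemble(segments))

if __name__ == "__main__":
    print(naive_match(SEGMENTS))   # → False
    print(stream_match(SEGMENTS))  # → True
```

The gap check is the "difficult and processor intensive" part in miniature: the engine has to hold state per session and decide what to do when bytes never arrive.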
Denial of Service Technique
Characterized by preventing legitimate users of a service from using that service
Examples:
Consume the device's processing power
Fill up disk space
More alarms than can be handled by management systems
Personnel not being able to investigate all the alarms
Device lock up
Towards the Future
IDS vendors and hardware will have to keep pace with switched networks and traffic increases
The future of IDS lies in data correlation, AI and data mining
Future IDS produce results by examining input from different sources
Conclusion
Nearly every company is dependent on the Internet to survive, so IDS are here to stay
Also, as technology advances for new IDS, so does the possibility of new threats
Security issues are always present
However, the future is promising: statistical analysis, predictive AI