Intrusion Detection Approaches and Techniques Meikang Qiu Chang-en Yang Dept. of Computer Science University of Texas at Dallas
Introduction
• Intrusion Detection
  • Intrusion: illegal action, unauthorized access
  • Intruder: external, internal
  • Detection: prevent intrusion
UTD Qiu & Yang
Anti-intrusion techniques (architecture diagram): the monitored system feeds audit collection, audit storage and processing (detection); detection raises an ALARM to the control center, which issues the response to intrusion. Reference data, configuration data and active/processing data feed the detection stage.
Types of Intrusion Detection
• Two major detection approaches:
  • Anomaly detection
    - define correct static behavior
    - define acceptable dynamic behavior
    - detect wrongful changes
  • Misuse detection (or signature detection)
    - known intrusion patterns
    - monitor previously defined intrusion patterns
Anomaly Detection
• Two types:
  • Static anomaly detector
    - system code
    - constant data
  • Dynamic anomaly detector
    - sequence of events
    - audit records
Static anomaly detection
• Techniques
  • Compare: the archived state representation against the computed current state
  • String match: checksums, meta-data, message-digest algorithms, hash functions
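As an added example (not code from the Qiu & Yang slides), the following static anomaly detector archives a state representation of a file tree (size, permission bits and SHA-256 digest per file), recomputes it later and reports every file whose content or meta-data changed, plus files added or removed. The directory layout and file contents are constructed inside the script so it runs offline.

```python
"""Static anomaly detection: file-integrity baseline and comparison.

Added example. Archives a state representation (path -> size, mode bits,
SHA-256 digest) and later compares it against the freshly computed
current state, flagging content/meta-data changes, additions and removals.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def file_state(path: Path) -> dict:
    """Meta-data plus message digest for one regular file."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "sha256": digest.hexdigest(),
    }


def build_baseline(root: Path) -> dict:
    """Archived state representation: relative POSIX path -> file_state."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = file_state(p)
    return baseline


def compare_states(archived: dict, current: dict) -> dict:
    """Match the archived representation against the current one."""
    report = {"modified": [], "added": [], "removed": []}
    for rel, old in archived.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif new != old:
            # Record which attributes differ so the alarm is actionable.
            changed = sorted(k for k in old if old[k] != new[k])
            report["modified"].append((rel, changed))
    for rel in current:
        if rel not in archived:
            report["added"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        archived = build_baseline(root)

        # Simulated changes: modified binary, new file, deleted config.
        (root / "bin" / "login").write_bytes(b"original login binary, modified")
        (root / "bin" / "helper").write_bytes(b"new file")
        (root / "etc" / "passwd").unlink()

        return compare_states(archived, build_baseline(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The comparison reports which attribute changed, so a size-preserving content change (digest only) and a permission-only change (mode only) are distinguishable in the alarm.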
Dynamic anomaly detection
• A base profile of acceptable behavior:
  - log-in time, log-in location, and favorite editor
  - length of interactive session
  - representative sequences of actions
• Difficulties:
  - feature selection
  - choice of statistical method
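As an added example (not code from the Qiu & Yang slides), the following dynamic anomaly detector builds a per-user base profile from the features listed above (log-in hours and locations, favorite editor, session length, and representative action sequences as bigrams) and scores a new session against it. The audit records and the thresholds (a z-score above 3 for session length, more than half of the action pairs unseen) are constructed choices; they illustrate the feature-selection and statistical-method difficulties the slide names.

```python
"""Dynamic anomaly detection: per-user base profile scored statistically.

Added example. History records are constructed; field names are assumed.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

EDITORS = {"vi", "emacs", "ed"}


@dataclass
class Session:
    user: str
    login_hour: int      # 0-23
    location: str        # host or terminal the log-in came from
    length_min: float    # interactive session length in minutes
    actions: list        # ordered commands issued


def bigrams(actions):
    """Consecutive action pairs: the representative-sequence feature."""
    return set(zip(actions, actions[1:]))


def build_profile(history):
    """Base profile of acceptable behavior from one user's past sessions."""
    lengths = [s.length_min for s in history]
    editors = Counter(a for s in history for a in s.actions if a in EDITORS)
    return {
        "hours": {s.login_hour for s in history},
        "locations": {s.location for s in history},
        "len_mean": mean(lengths),
        "len_std": pstdev(lengths) or 1.0,   # avoid division by zero
        "bigrams": set().union(*(bigrams(s.actions) for s in history)),
        "editor": editors.most_common(1)[0][0] if editors else None,
    }


def score_session(profile, s):
    """Return (score, reasons); each deviating feature adds one point."""
    reasons = []
    if s.login_hour not in profile["hours"]:
        reasons.append(f"login hour {s.login_hour} never seen")
    if s.location not in profile["locations"]:
        reasons.append(f"login location {s.location} never seen")
    z = abs(s.length_min - profile["len_mean"]) / profile["len_std"]
    if z > 3.0:
        reasons.append(f"session length z-score {z:.1f}")
    pairs = bigrams(s.actions)
    novel = pairs - profile["bigrams"]
    if pairs and len(novel) / len(pairs) > 0.5:
        reasons.append(f"{len(novel)} of {len(pairs)} action pairs never seen")
    used = [a for a in s.actions if a in EDITORS]
    if used and profile["editor"] and profile["editor"] not in used:
        reasons.append(f"editor {used[0]} instead of usual {profile['editor']}")
    return len(reasons), reasons


# Constructed history for one user.
HISTORY = [
    Session("alice", 9, "ws-12", 40.0, ["ls", "vi", "make", "ls"]),
    Session("alice", 10, "ws-13", 45.0, ["vi", "make", "gdb", "ls"]),
    Session("alice", 9, "ws-12", 50.0, ["ls", "vi", "make", "make"]),
    Session("alice", 11, "ws-12", 42.0, ["cat", "vi", "make", "ls"]),
    Session("alice", 10, "ws-13", 48.0, ["ls", "cat", "vi", "make"]),
]
PROFILE = build_profile(HISTORY)

# Constructed test sessions: one in-profile, one deviating on every feature.
NORMAL = Session("alice", 10, "ws-12", 47.0, ["ls", "vi", "make", "ls"])
SUSPECT = Session("alice", 3, "dialup-7", 300.0, ["emacs", "cat", "ftp", "mail"])

if __name__ == "__main__":
    for s in (NORMAL, SUSPECT):
        print(score_session(PROFILE, s))
```

Unusual does not mean illegal, as the comparison slide notes, so the score is meant to rank sessions for review rather than to block them on its own.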
Misuse Detection
• Techniques
  • aware of all the known vulnerabilities
  • intrusion scenarios
    - first generation: rule-based
    - second generation: state-based
Rule-Based Systems
• Techniques
  • intrusion scenarios: a set of rules
  • knowledge base
    - fact base
    - rule base
  • rule-fact binding: a rule fires when its conditions bind to facts
State-based Systems
• intrusion scenarios: transitions between states
(diagram) Initial state → action → transition state → action → transition state → action → compromised state
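As an added example covering both misuse-detection generations just described (not code from the Qiu & Yang slides), the following script runs a small rule base over a fact base of constructed audit records and, separately, drives a per-subject state machine through an intrusion scenario from the initial state to a compromised state. The scenario chosen is the setuid-shell sequence the network slide later mentions; the audit fields (user, action, target, arg, src) and the records themselves are assumptions.

```python
"""Misuse (signature) detection over constructed audit records.

Added example. First generation: rules fire when bound to matching facts.
Second generation: a scenario is a transition table; each (user, file)
pair has its own state, and only the full sequence reaches "compromised".
"""
from collections import Counter, defaultdict

# Constructed audit trail: each record is one fact in the fact base.
AUDIT = [
    {"user": "bob", "action": "login_fail", "src": "10.0.0.5"},
    {"user": "bob", "action": "login_fail", "src": "10.0.0.5"},
    {"user": "bob", "action": "login_fail", "src": "10.0.0.5"},
    {"user": "bob", "action": "login_ok", "src": "10.0.0.5"},
    {"user": "bob", "action": "copy", "target": "/tmp/.sh", "arg": "/bin/sh"},
    {"user": "bob", "action": "chmod", "target": "/tmp/.sh", "arg": "4755"},
    {"user": "bob", "action": "exec", "target": "/tmp/.sh"},
    # Partial sequence: copy then exec without chmod, must not alarm.
    {"user": "carol", "action": "copy", "target": "/tmp/x", "arg": "/bin/sh"},
    {"user": "carol", "action": "exec", "target": "/tmp/x"},
]


def has_setuid_bit(mode_str):
    """True when an octal mode string sets the setuid bit (04000)."""
    return bool(int(mode_str, 8) & 0o4000)


# ---- First generation: rule base over the fact base -------------------

def rule_brute_force(facts, threshold=3):
    """Fires once a (user, src) pair accumulates `threshold` login failures."""
    counts = Counter((f["user"], f["src"])
                     for f in facts if f["action"] == "login_fail")
    return [f"brute_force user={u} src={s} failures={n}"
            for (u, s), n in counts.items() if n >= threshold]


def rule_setuid_chmod(facts):
    """Fires on any chmod that sets the setuid bit."""
    return [f"setuid_chmod user={f['user']} target={f['target']}"
            for f in facts
            if f["action"] == "chmod" and has_setuid_bit(f["arg"])]


RULE_BASE = [rule_brute_force, rule_setuid_chmod]


def run_rules(facts):
    """Bind every rule to the fact base; collect the alarms that fire."""
    alarms = []
    for rule in RULE_BASE:
        alarms.extend(rule(facts))
    return alarms


# ---- Second generation: state-based scenario --------------------------

# (state, action) -> (next state, guard on the fact). The file name is
# bound when the scenario starts; later actions must name the same file.
SETUID_SHELL_SCENARIO = {
    ("initial", "copy"): ("copied", lambda f: f.get("arg") == "/bin/sh"),
    ("copied", "chmod"): ("setuid", lambda f: has_setuid_bit(f["arg"])),
    ("setuid", "exec"): ("compromised", lambda f: True),
}


def run_scenario(facts, scenario=SETUID_SHELL_SCENARIO):
    """One state machine per (user, target); alarm on the compromised state."""
    state = defaultdict(lambda: "initial")
    alarms = []
    for f in facts:
        target = f.get("target")
        if target is None:
            continue
        key = (f["user"], target)
        transition = scenario.get((state[key], f["action"]))
        if transition is None:
            continue
        nxt, guard = transition
        if not guard(f):
            continue
        state[key] = nxt
        if nxt == "compromised":
            alarms.append(f"setuid_shell user={key[0]} file={key[1]}")
    return alarms


if __name__ == "__main__":
    print(run_rules(AUDIT))
    print(run_scenario(AUDIT))
```

The rule base reports each suspicious fact on its own; the state machine reports only when the whole scenario completes, which is why carol's incomplete copy-then-exec sequence produces no alarm.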
Comparison of the two approaches
• Anomaly detection
  • Advantages:
    - automatically learns, runs unattended
    - possible to catch novel intrusions
  • Disadvantages:
    - unusual does not mean illegal
• Misuse detection
  • Advantages:
    - "knows" correct behavior
  • Disadvantages:
    - cannot detect novel intrusions
    - difficult to define correct behavior
Network Intrusion Detection
• Cooperative intrusion
• Network-user identification (NID) problem
• Clock synchronization
• Two types
  • Centralized analysis
  • Hierarchical analysis
Centralized analysis
• distributed, heterogeneous audit collection
• centralized analysis
• works well for smaller networks
• inadequate for larger networks
• e.g. setuid shell intrusion in SunOS
Decentralized (hierarchical) analysis
• distributed audit data collection
• distributed analysis
• modeled as hierarchies
• partitioned into domains
Conclusions
- First generation: single operating systems
- Second generation: distributed systems
- Third generation: heterogeneous networks
Future Trends
• Future trends (fourth generation)
  - hybrid between anomaly and misuse detection
  - real-time detection
  - consider consumption of resources