Intrusion Detection
CIT304, University of Sunderland
Harry R. Erwin, PhD
Resources
• B. Schneier, 2000, Secrets and Lies, Wiley, ISBN: 0-471-25311-1.
• E. Amoroso, 1999, Intrusion Detection, Intrusion.net, ISBN: 0-9666700-7-8
• R. G. Bace, 2000, Intrusion Detection, Macmillan Technical Publishing, ISBN: 1-57870-185-6
• We will mostly follow Schneier in this lecture.
Intrusion Detection Systems (IDS)
• Network monitors—watch your network looking for suspicious behavior
• Often but not always based on audit
• Provide reactive rather than proactive security
• Alert on successful and ongoing attacks
• Need to be accurate both in detecting attacks and in determining that an attack is not underway
• May also provide diagnosis tools
The False Alarm Problem
• Base rate fallacy—suppose you have a test that is 99% accurate. Is this good? Not necessarily!
• Suppose the real attack rate is 1×10⁻⁶ per packet and there are 100,000,000 packets a day. This test will generate 10,000 false positives (100 per day) for every real attack it detects (about 4 per year). (Work it out…)
• If network attacks are rare, a test has to be powerful to be useful.
• Hint: this is a likely exam question.
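The arithmetic behind the base rate fallacy, as an added worked example (not part of the lecture slides). It takes the slide's figures and reads "99% accurate" as a 99% detection rate together with a 1% false-alarm rate, which is an assumption about what "accurate" means; with those inputs the false alarms outnumber detected attacks by roughly 10,000 to 1. The second function goes beyond the slide and solves for the false-alarm rate a detector would need before half of its alarms were real.

```python
def alarm_statistics(prevalence, sensitivity, false_positive_rate, volume):
    """Expected daily outcomes for a detector scoring `volume` events per day.

    prevalence          fraction of events that are real attacks
    sensitivity         P(alarm | attack), the detection rate
    false_positive_rate P(alarm | benign event)
    volume              number of events scored per day
    """
    attacks = prevalence * volume
    benign = volume - attacks
    true_positives = sensitivity * attacks
    false_positives = false_positive_rate * benign
    alarms = true_positives + false_positives
    return {
        "attacks_per_day": attacks,
        "detected_per_day": true_positives,
        "missed_per_day": attacks - true_positives,
        "false_alarms_per_day": false_positives,
        # Precision: the chance that any given alarm is a real attack.
        "precision": true_positives / alarms if alarms else 0.0,
        "false_alarms_per_detection": (false_positives / true_positives
                                       if true_positives else float("inf")),
    }


def required_false_positive_rate(prevalence, sensitivity, target_precision):
    """False-alarm rate needed so that `target_precision` of alarms are real.

    Solves  precision = s*p / (s*p + f*(1-p))  for f, where s is the
    sensitivity, p the prevalence and f the false-positive rate.
    """
    s, p, q = sensitivity, prevalence, target_precision
    return s * p * (1 - q) / (q * (1 - p))


if __name__ == "__main__":
    # Figures from the lecture slide; "99% accurate" is read here as 99%
    # detection and a 1% false-alarm rate (an assumption, not the slide's words).
    stats = alarm_statistics(prevalence=1e-6, sensitivity=0.99,
                             false_positive_rate=0.01, volume=100_000_000)
    for key, value in stats.items():
        print(f"{key:28s} {value:,.6g}")
    print("false-alarm rate needed for 50% precision:",
          f"{required_false_positive_rate(1e-6, 0.99, 0.5):.3g}")
```

Running it shows about a million false alarms a day against 99 detected attacks, a precision below 0.01%, and a required false-alarm rate near one in a million: the detector has to be about as selective as attacks are rare before its alarms are worth reading.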
The Timely Notification Problem
• You may want to be warned in time to do something, but…
• What about slow attacks, running over hours or days? When should the IDS become suspicious and tell you?
• What about ambiguous evidence? Do you really want to be warned about borderline cases?
The Response Problem
• What do you do if you do hear an alarm? Compare the current problem with giving out general warnings of terrorist activity.
• Options include:
  • Wait
  • Collect more information
  • Do something
  • Hope it goes away
• You may be too busy fighting alligators to do anything intelligent about draining the swamp.
Approaches to Building an IDS
• Misuse detection
  • IDS knows what an attack looks like and looks for it.
  • “Network virus scanner”
  • Fast, easy to build, has a low false positive rate.
  • Misses a lot and is easy to fool.
  • Probably will get better over time.
Approaches to Building an IDS (II)
• Anomaly detection
  • Generates a statistical or neural network model of the network to figure out what is normal
  • Sounds an alarm for abnormal activity
  • Uses AI:
    • Bayesian statistics
    • Neural networks
    • Expert systems
Problems with Anomaly Detection
• Does the training data include an attack? Then hacking will be considered normal. 8(
• New things happen on networks all the time. Successful retraining of an existing AI system to handle this is a hard problem, worth a PhD. 8(
• How can it categorize attacks? That requires expert input. 8(
• False positives are much higher. 8(
• Attack indicators are brittle, so that hackers can sneak past them. 8(
Inline versus Audit-Based IDS
• Should the IDS detect attacks in real time or by processing audit logs?
• Inline will have incomplete data.
• Inline is also computationally expensive.
• Audit log processing is after the fact.
• Audit log formats vary quite a bit.
• A combined approach is feasible, but costly.
Host-Based versus Network-Based IDS
• Network-based IDS is basically wire-tapping
  • Stealthy
  • Operating-system independent
• Host-based IDS uses audit logs
  • From workstations, servers, switches, routers, etc.
  • Product-specific
Make or Buy
• Do your own monitoring or pay someone else?
  • Counterpane
  • Qinetiq
• Trust issues particularly important.
• In-house expertise requirement.
Honey Pots and Burglar Alarms
• Burglar alarms are resources on the network that generate an alarm if accessed incorrectly.
• Honey pots are burglar alarms dressed up to look attractive. May incorporate subnetworks and dummy computers.
  • Costly.
  • Have to look real to the attackers.
  • Legality important. Entrapment may be an issue, so intruders must be warned.
• Read http://csrc.nist.gov/publications/secpubs/berferd.ps
• See also http://www.strategypage.com/fyeo/howtomakewar/default.asp?target=HTIW.HTM
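A minimal burglar alarm in the slide's sense, as an added example that is not from the lecture: a decoy web directory that is linked from nowhere, so no legitimate user ever requests it, and an audit-log check that raises an alarm on any access to it. The log lines are constructed in Common Log Format, and the decoy path, hosts and timestamps are all made up for the example. Because the decoy has no legitimate use, a hit is unambiguous, which is what makes this style of detector cheap and low in false positives compared with the approaches on the earlier slides.

```python
import re
from collections import Counter

# Constructed web-server audit log (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.11 - - [12/Mar/2003:10:15:01 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.11 - - [12/Mar/2003:10:15:03 +0000] "GET /about.html HTTP/1.0" 200 512
10.0.0.77 - - [12/Mar/2003:10:16:40 +0000] "GET /admin-backup/ HTTP/1.0" 200 2048
10.0.0.77 - - [12/Mar/2003:10:16:41 +0000] "GET /admin-backup/passwords.txt HTTP/1.0" 200 96
this line is corrupt and should be skipped
10.0.0.12 - - [12/Mar/2003:10:17:00 +0000] "GET /index.html HTTP/1.0" 200 1043
"""

# The decoy resources. They are never linked from the real site, so any
# request for them is by definition suspicious. (Constructed path.)
CANARY_PREFIXES = ("/admin-backup/",)

LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Parse one Common Log Format line into a dict, or None if it is malformed."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["status"] = int(event["status"])
    return event

def burglar_alarm(log_text):
    """Return (source, path, status) for every request that touched a decoy resource."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # unparseable audit record: skip, but a real system would count these
        if event["path"].startswith(CANARY_PREFIXES):
            alerts.append((event["src"], event["path"], event["status"]))
    return alerts

def alerts_by_source(alerts):
    """Summarise alerts per source address so one intruder produces one report."""
    return dict(Counter(src for src, _, _ in alerts))

if __name__ == "__main__":
    alerts = burglar_alarm(SAMPLE_LOG)
    for src, path, status in alerts:
        print(f"ALARM decoy access from {src}: {path} (HTTP {status})")
    print("per source:", alerts_by_source(alerts))
```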
Incident Handling Issues
• Be prepared
• Have procedures
• Don’t panic
• When to call in the police?
• Expectation management
• Damage control
• Dealing with witch hunts
IDS Requirements
• Must be:
  • Effective
  • Easy to use
  • Adaptable
  • Robust
  • Fast
  • Efficient
  • Safe
Future IDS Needs
• Should be:
  • Accommodating
  • Security enhancing
  • Scalable
  • Realistic
  • Hardened
Conclusions
• We aren’t there yet,
• But any IDS system is better than none at all.
• This is the place to be if you want to work on secure systems development.