
Intrusion Detection and Advanced Persistent Threats

CS 591 presentation by Andrew Bates, University of Colorado at Colorado Springs. Outline: what the Advanced Persistent Threat is, pattern based intrusion detection, a proposal, and a conclusion.


Presentation Transcript


  1. Intrusion Detection and Advanced Persistent Threats
     CS 591, Andrew Bates, University of Colorado at Colorado Springs
     CS 591 - Andrew Bates - UCCS

  2. Introduction
     • What is the Advanced Persistent Threat
     • Pattern Based Intrusion Detection
     • Proposal
     • Conclusion

  3. What is APT
     • A combination of many existing, known threats, not just “Phishing” or “Spear Phishing”
       • Social Engineering
       • Zero Day Exploits
       • Botnets
     • What’s different? Persistent!
       • Exploits custom built for a given attack
       • The threat or attack can span many months
       • Very carefully crafted
       • Low volume

  4. APT and Intrusion Detection Systems
     • IDS is very good at alerting on known exploits and vulnerabilities
     • IDS is also good at identifying Denial of Service (DoS) and Distributed DoS (DDoS) attacks
     • APT can be low volume and may not actually exploit any known vulnerability
       • Targeted email that coerces the victim into downloading and running some software

  5. Pattern Based Intrusion Detection
     • Always one step behind
       • Must know of a vulnerability in order to build a pattern
     • Can have a very high false positive rate in large organizations
       • Must know what “normal” behavior is
     • Very high maintenance

  6. Pattern Based Intrusion Detection
     • On small networks, can have hundreds of alerts in a short period of time
     • If the relationship between the number of hosts and the number of alerts/false positives is linear:

  7. Proposal
     • Push IDS as close to the host as possible
     • Use learning algorithms to determine normal activity
     • Trigger on anomalous activity
     • Score sessions based on triggers and then perform more strenuous tests
       • Pattern matching, traffic analysis, etc.

  8. Proposal
     • Leverage VM technology to place an inline IDS/IPS with the host system
     • Funnel data to a central collection/correlation infrastructure
     • Alert on anomalous activity based on learned “normal” behavior
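Slides 7 and 8 describe a two-stage, host-side scheme: learn a per-host baseline, trigger on deviations from it, score the session, and only then spend effort on the more expensive pattern-matching and traffic-analysis checks. The Python below is an added example of that pipeline, not code from the presentation; the host name, training observations, trigger weights, threshold and the "cmd=" pattern are all constructed for illustration.

```python
import statistics

# Constructed training observations (hypothetical host "ws-17"): tuples of
# (bytes_out, dst_port, hour_of_day) collected while the host behaves normally.
TRAINING = {"ws-17": [(1200, 443, 9), (1500, 443, 10), (900, 80, 11),
                      (1300, 443, 14), (1100, 443, 16)]}

# Trigger weights and the escalation threshold are assumptions for this example.
WEIGHTS = {"volume": 2, "new_port": 2, "off_hours": 1}
THRESHOLD = 3

def learn_baseline(sessions):
    """Learn per-host 'normal': byte-volume statistics, seen ports, active hours."""
    baseline = {}
    for host, obs in sessions.items():
        sizes = [b for b, _, _ in obs]
        baseline[host] = {"mean": statistics.mean(sizes),
                          "stdev": statistics.pstdev(sizes) or 1.0,
                          "ports": {p for _, p, _ in obs},
                          "hours": {h for _, _, h in obs}}
    return baseline

def score_session(baseline, host, bytes_out, dst_port, hour):
    """Stage one: cheap anomaly triggers against the host's learned baseline."""
    b = baseline[host]
    triggers = []
    if abs(bytes_out - b["mean"]) / b["stdev"] > 3:   # volume far outside normal
        triggers.append("volume")
    if dst_port not in b["ports"]:                     # never-seen destination port
        triggers.append("new_port")
    if hour not in b["hours"]:                         # activity outside usual hours
        triggers.append("off_hours")
    return sum(WEIGHTS[t] for t in triggers), triggers

def strenuous_tests(payload, timestamps):
    """Stage two (high scores only): pattern matching and beacon-interval analysis."""
    findings = []
    if b"cmd=" in payload:                             # constructed stand-in signature
        findings.append("pattern_match")
    gaps = [t2 - t1 for t1, t2 in zip(timestamps, timestamps[1:])]
    if len(gaps) >= 3 and max(gaps) - min(gaps) <= 1:  # near-constant interval
        findings.append("beaconing")
    return findings

def evaluate(baseline, host, s):
    """Score a session; escalate to the expensive tests only above the threshold."""
    score, triggers = score_session(baseline, host, s["bytes_out"], s["dst_port"], s["hour"])
    escalated = score >= THRESHOLD
    findings = strenuous_tests(s["payload"], s["timestamps"]) if escalated else []
    return {"score": score, "triggers": triggers, "escalated": escalated, "findings": findings}
```

A benign session with no triggers never reaches stage two, which is the point of the scoring step: the costly checks run on a small fraction of traffic rather than on every flow.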

  9. Conclusion
     • APT is just like any other threat, but may be lower volume and more targeted
     • Pattern based IDS is not well suited for APT detection in an enterprise
     • Push IDS towards the host, perhaps even onto the physical hardware
     • “Learn” normal behavior and trigger further tests when abnormal behavior occurs

  10. Questions?
