
Intrusion Detection

Intrusion Detection, by Vidya Satyanarayanan. What is intrusion? Intrusion is an unauthorized attempt or achievement to access, alter, render unavailable, or destroy information on a system or the system itself. The art of detecting such activities is known as Intrusion Detection.


Presentation Transcript


  1. Intrusion Detection By Vidya Satyanarayanan

  2. What is Intrusion?
  • Intrusion is an unauthorized attempt or achievement to access, alter, render unavailable, or destroy information on a system or the system itself.
  • The art of detecting such activities is known as Intrusion Detection.
  • How do intruders get into systems?
    • Physical intrusion
    • System intrusion
    • Remote intrusion

  3. Why can intruders get into systems?
  • Software bugs
  • System configuration
  • Password cracking
    1. Clear-text sniffing
    2. Encrypted sniffing
    3. Replay attack
    4. Password file stealing

  4. Intrusion Detection Systems
  • IDSs fall into 2 categories:
    • Network-based IDSs
    • Host-based IDSs
  Host-based IDSs
  • A host monitor looks at system logs for evidence of malicious or suspicious application activity.
  • More detailed logging, but can track only successful intrusions.
  • Monitoring happens on the host, so a successful attack can bring down the system and terminate the monitoring.

  5.
  • Can monitor changes to critical system files and changes in user privileges.
  • Can monitor TCP port activity and notify the system admin when specific ports are accessed.
  Drawbacks of Host-based IDSs
  • Host-based IDSs are not real-time.
  • Tedious to secure the whole network.
  Some Advantages:
  • Can identify non-network-based attacks, such as the activities of applications and processes running on the host.
  • More likely to catch unknown attacks.
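The first bullet on this slide, monitoring changes to critical system files, is the classic host-based check. The following is an added example, not part of the presentation or any product it lists: a minimal file-integrity monitor that records a SHA-256 hash and permission bits for every file under a directory, then compares a later snapshot against that baseline and reports added, removed and modified files, with the reason (content or mode) for each modification. The file tree, its contents and the simulated tampering are all constructed inside a temporary directory; the names `build_baseline`, `compare_baselines` and `demo` are this example's own.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the content hash and permission bits of every regular file under root.

    Keys are POSIX-style paths relative to root, so a stored baseline can be
    compared later regardless of where the tree is mounted.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(path), "mode": path.stat().st_mode & 0o7777}
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Classify every path as added, removed or modified (with the reason for the change)."""
    report = {"added": [], "removed": [], "modified": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report["added"].append(name)
        elif name not in new:
            report["removed"].append(name)
        else:
            reasons = []
            if old[name]["sha256"] != new[name]["sha256"]:
                reasons.append("content")
            if old[name]["mode"] != new[name]["mode"]:
                reasons.append("mode")
            if reasons:
                report["modified"].append((name, ",".join(reasons)))
    return report


def demo() -> dict:
    """Build a constructed file tree, take a baseline, simulate tampering and return the diff."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    try:
        # Constructed sample files standing in for "critical system files".
        files = {
            "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
            "etc/hosts": "127.0.0.1 localhost\n",
            "usr/local/bin/tool": "#!/bin/sh\necho ok\n",
        }
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        os.chmod(root / "usr/local/bin/tool", 0o755)
        before = build_baseline(root)

        # Simulated changes: an extra UID-0 account line, a setuid bit on a binary,
        # a deleted configuration file and a newly dropped script.
        with (root / "etc/passwd").open("a") as fh:
            fh.write("extra:x:0:0::/:/bin/sh\n")
        os.chmod(root / "usr/local/bin/tool", 0o4755)
        (root / "etc/hosts").unlink()
        (root / "tmp").mkdir()
        (root / "tmp/dropped.sh").write_text("#!/bin/sh\n")

        after = build_baseline(root)
        return compare_baselines(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

In a real deployment the baseline would be written to storage the monitored host cannot modify, because (as the slide notes) a successful attack on the host can also tamper with the monitor's own data. A mode change with an unchanged hash is worth reporting separately: a newly set setuid bit changes nothing about the file's contents.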

  6. Network-based IDSs
  • A network monitor watches live network packets and looks for signs of computer crime, network attacks, network misuse and anomalies.
  • Can detect denial-of-service attacks:
    • Ping-of-Death
    • SYN Flood
    • Land/Latierra
  • Network-based IDSs become less effective as network traffic increases.
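To make the SYN-flood bullet concrete, here is an added example (not from the presentation or any listed product) of the stateful logic a network monitor applies: it replays a constructed list of packet records, tracks which TCP handshakes were started with a SYN and never completed with the client's ACK, and alerts on any service that is left with more half-open flows than a threshold. The packet tuples, the flag strings and the function names `half_open_connections` and `detect_syn_flood` are this example's own; the IP addresses are from documentation ranges.

```python
from collections import defaultdict

# Each constructed packet record is (src, sport, dst, dport, flags).
# flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST.


def handshake(src, sport, dst, dport):
    """A complete three-way handshake as a passive sensor would see it."""
    return [
        (src, sport, dst, dport, "S"),
        (dst, dport, src, sport, "SA"),
        (src, sport, dst, dport, "A"),
    ]


SAMPLE_PACKETS = (
    handshake("192.0.2.10", 50000, "192.0.2.80", 80)
    + handshake("192.0.2.11", 50001, "192.0.2.80", 80)
    # Six SYNs from one source to the same service; the server answers each
    # with a SYN-ACK but the client never sends the final ACK.
    + [("203.0.113.9", 40000 + i, "192.0.2.80", 80, "S") for i in range(6)]
    + [("192.0.2.80", 80, "203.0.113.9", 40000 + i, "SA") for i in range(6)]
)


def half_open_connections(packets):
    """Return the set of flows (src, sport, dst, dport) that were opened but never completed."""
    pending = set()
    for src, sport, dst, dport, flags in packets:
        flow = (src, sport, dst, dport)
        if flags == "S":
            pending.add(flow)
        elif flags in ("A", "R"):
            # The client's ACK completes the handshake; a RST from the client aborts it.
            pending.discard(flow)
    return pending


def detect_syn_flood(packets, threshold=5):
    """Return (dst, dport, half_open_count, distinct_sources) for every service above threshold."""
    per_service = defaultdict(set)
    for src, sport, dst, dport in half_open_connections(packets):
        per_service[(dst, dport)].add((src, sport))
    alerts = []
    for (dst, dport), flows in per_service.items():
        if len(flows) > threshold:
            alerts.append((dst, dport, len(flows), len({src for src, _ in flows})))
    return sorted(alerts)


if __name__ == "__main__":
    print("half-open flows:", len(half_open_connections(SAMPLE_PACKETS)))
    print("alerts:", detect_syn_flood(SAMPLE_PACKETS))
```

Two points follow from this. First, the detector keys on the destination service rather than the source, since a real flood usually spoofs source addresses; the distinct-source count in the alert is there to show that. Second, the sensor has to keep a state entry per pending handshake, which is exactly why the slide's last bullet holds: the more traffic the monitor sees, the more state it must track and the more packets it can afford to miss.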

  7. How are intrusions detected?
  • Anomaly Detection (profile-based)
  • Misuse Detection (signature-based)
  Misuse Detection
  • Recognizes known attacks based on signatures and patterns.
  • Starts defending the network immediately upon installation.
  • Has a low false alarm rate (false positives).
  • Effective only against known threats.
  • Ineffective against passive attacks such as network sniffing, wire taps, and IP or sequence number spoofing.
  • The signature database must be constantly updated.

  8. Anomaly Detection
  • Baseline measurements for “normal” user activity are developed, and anything that deviates from the normal is detected.
  • Needs a lot of historical data to build an accurate model.
  • Can detect attempts to exploit new vulnerabilities.
  • Has a high false alarm rate.
  • Can detect fraudulent activity by a privileged insider.
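Slides 7 and 8 contrast the two detection approaches; the following added example (not from the presentation) runs both over the same constructed sshd log lines so the difference is visible. `misuse_detect` applies fixed signatures and fires only on patterns it already knows; `anomaly_detect` learns a threshold from a constructed history of per-source failure counts (mean plus three standard deviations) and flags any source whose count exceeds it, which catches a source the signatures say nothing about. The log lines, the history list, the rule names and the function names are this example's assumptions, and the three-sigma rule is one common choice of profile, not the only one.

```python
import re
import statistics
from collections import Counter

# Constructed syslog-style sshd lines (not real data); addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar 10 09:01:02 host sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Mar 10 09:01:40 host sshd[1207]: Failed password for invalid user admin from 203.0.113.5 port 41000 ssh2
Mar 10 09:01:41 host sshd[1208]: Failed password for invalid user admin from 203.0.113.5 port 41001 ssh2
Mar 10 09:01:42 host sshd[1209]: Failed password for invalid user test from 203.0.113.5 port 41002 ssh2
Mar 10 09:01:43 host sshd[1210]: Failed password for root from 203.0.113.5 port 41003 ssh2
Mar 10 09:01:44 host sshd[1211]: Failed password for root from 203.0.113.5 port 41004 ssh2
Mar 10 09:02:10 host sshd[1215]: Failed password for bob from 198.51.100.7 port 52000 ssh2
Mar 10 09:02:30 host sshd[1218]: Failed password for carol from 198.51.100.9 port 53000 ssh2
Mar 10 09:02:31 host sshd[1219]: Failed password for carol from 198.51.100.9 port 53001 ssh2
Mar 10 09:02:32 host sshd[1220]: Failed password for dave from 198.51.100.9 port 53002 ssh2
Mar 10 09:02:33 host sshd[1221]: Failed password for carol from 198.51.100.9 port 53003 ssh2
Mar 10 09:02:50 host sshd[1225]: Accepted password for bob from 198.51.100.7 port 52001 ssh2
"""

# Constructed history: failed logins per source in past one-hour windows on normal days.
HISTORY_FAILURES_PER_SOURCE = [1, 0, 2, 1, 0, 1, 3, 0, 1, 2]

IP = r"(?P<src>\d+\.\d+\.\d+\.\d+)"

# Misuse detection: each signature names one pattern known to be bad.
SIGNATURES = [
    ("ssh-invalid-user", re.compile(r"Failed password for invalid user \S+ from " + IP)),
    ("ssh-root-password", re.compile(r"Failed password for root from " + IP)),
]

# Anomaly detection only needs to know what a failure looks like, not why it is bad.
FAILURE_RE = re.compile(r"Failed password for .+? from " + IP)


def misuse_detect(lines):
    """Return (rule_name, source_ip, line_number) for every line that matches a signature."""
    alerts = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in SIGNATURES:
            match = pattern.search(line)
            if match:
                alerts.append((name, match.group("src"), lineno))
    return alerts


def anomaly_threshold(history, k=3.0):
    """Profile-based threshold: mean plus k population standard deviations of the history."""
    return statistics.mean(history) + k * statistics.pstdev(history)


def anomaly_detect(lines, history, k=3.0):
    """Return (source_ip, failure_count) for sources whose count exceeds the learned threshold."""
    counts = Counter()
    for line in lines:
        match = FAILURE_RE.search(line)
        if match:
            counts[match.group("src")] += 1
    threshold = anomaly_threshold(history, k)
    return sorted((src, n) for src, n in counts.items() if n > threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("signature alerts:", misuse_detect(lines))
    print("threshold:", round(anomaly_threshold(HISTORY_FAILURES_PER_SOURCE), 2))
    print("anomalous sources:", anomaly_detect(lines, HISTORY_FAILURES_PER_SOURCE))
```

On this input the signatures fire five times, all for 203.0.113.5, and say nothing about 198.51.100.9, whose four failures are against valid usernames. The anomaly detector flags both sources, because the learned threshold is about 3.9 failures per window. The same mechanism produces the high false-alarm rate the slide warns about: a user who simply mistypes a password five times lands above the threshold too, which is why the history used to build the profile matters as much as the rule.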

  9. Components of IDS (diagram; only the component labels survive)
  • Sensor
  • Activity Normalizer
  • Rules Engine
  • “Normal” Activity
  • Known Malicious Activity
  • Alarming & Reporting

  10. What happens after a NIDS detects an attack?
  • Reconfigure firewall: configure the firewall to filter out the IP address of the intruder.
  • Chime: beep or play a .WAV file.
  • Log the attack: save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information).
  • Launch program: launch a separate program to handle the event.
  • Terminate the TCP session: forge a TCP FIN packet to force the connection to terminate.

  11. Honeypot – a deception system
  A honeypot is a system designed to look like something that an intruder can hack, such as a machine installed on the network with no purpose other than to log all attempted access.

  12. Network-based IDS Products
  • CiscoSecure IDS 2.5
  • ISS RealSecure 7
  • Dragon 6
  • NFR
  • Snort 1.8.6
  Host-based IDS Products
  • RealSecure Server Sensor
  • DragonSquire
  • NFR HID
  • Entercept 2.5
