Intruder Detection
Bryan Pearsaul

Outline
Overview
Intruder Detection
Intruder Prevention
Intruder Detection Systems
• Anomaly Detection
• Misuse Detection
• Examples
• Limitations/Drawbacks

Overview
Intrusion – when a user takes an action that they are not legally allowed to take, whether they meant to take that action or not
Increasingly important as we rely more and more on computer systems for the correct functioning of society

Intruder Detection
Determining whether an intruder has gained or has attempted to gain unauthorized access to the system
Two groups of intruders:
• External
• Internal
Ways to combat intrusion:
• Intruder Prevention
• Intruder Detection Systems

Intruder Prevention
Requiring passwords to be submitted before users can access the system
Fixing or patching known vulnerabilities
Blocking network access
Restricting physical access

Intruder Detection Systems
First became needed in the late 70s
Originally used with single systems
The OS produced audit records that were processed by the IDS
IDS has expanded to distributed systems and networks
Two main approaches:
• Anomaly Detection
• Misuse Detection

IDS Anomaly Detection
Static and Dynamic Anomalies
The IDS distinguishes between normal behavior and the anomaly
Define normal behavior or the correct static form
Detect changes in form or anomalous behavior

Static Anomaly Detection
Some part of the system should remain constant
Determines intrusions based on data integrity
Define the static part as strings of binary bits
If the strings are ever modified then there has been an error or an intrusion

Static Anomaly Detection
System bit strings are compressed into representations of the system called signatures
The stored signature is then compared at certain time intervals to the current system signature
Knowledge about the structure of objects in the system (meta-data) can also be incorporated into the system

Tripwire
Performs intruder detection using file integrity checking
Uses signatures and UNIX file meta-data
A configuration file specifies the attributes of files to watch
Builds a selection mask for each file and directory that contains a flag for each distinct field in a UNIX i-node

Tripwire
Each file has at least one signature computed from the bit string of the file
Selection masks and the set of signatures are stored in a database
User-scheduled integrity checks are performed on the signatures and the attributes
Any changes are pointed out and security staff can be notified

Dynamic Anomaly Detection
Also known as Statistical-Based IDS
More difficult than detecting static string changes
Define profiles for each user to characterize normal behavior
• User choices: log-in time, favorite programs
• User sequence of actions
• User CPU usage / network activity

Dynamic Anomaly Detection
Statistical distributions are formed from the profiles and compared to the current user profile
An anomalous boundary is established using some number of standard deviations off the mean
Profiles can be gradually changed to reflect user behavioral changes over time

NIDES
Next-Generation Intrusion Detection Expert System
Build statistical profiles of users by taking
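The Tripwire scheme from the slides above (a selection mask of i-node fields per file, a signature of the file's bit string, a stored baseline database, and a scheduled re-check that reports every changed field) as an added example in Python. This is not Tripwire's own code; the mask is expressed with os.stat attribute names chosen here, and SHA-256 stands in for Tripwire's signature functions.

```python
"""Tripwire-style integrity check: per-file signature plus a selection mask
over i-node fields, stored as a baseline and re-checked later.
Added example, not Tripwire's code; mask entries are os.stat attribute names."""
import hashlib
import os

# Selection mask: one flag per i-node field to record, as in a Tripwire
# configuration line. st_atime is deliberately left out because reading a
# file during the check itself would change it.
DEFAULT_MASK = ("st_mode", "st_uid", "st_gid", "st_nlink",
                "st_size", "st_mtime", "st_ino")

def signature(path):
    """Signature of the file's bit string (SHA-256 here)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record(path, mask=DEFAULT_MASK):
    """Masked i-node attributes plus the content signature for one file."""
    st = os.stat(path)
    entry = {field: getattr(st, field) for field in mask}
    entry["sig"] = signature(path)
    return entry

def build_database(root, mask=DEFAULT_MASK):
    """Baseline database: one record for every file under root."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            db[os.path.relpath(p, root)] = record(p, mask)
    return db

def check(root, db, mask=DEFAULT_MASK):
    """Scheduled integrity check: compare the current tree to the baseline.
    Returns (relative path, what changed) pairs for staff to review."""
    changes = []
    current = build_database(root, mask)
    for rel in sorted(set(db) | set(current)):
        if rel not in current:
            changes.append((rel, "deleted"))
        elif rel not in db:
            changes.append((rel, "added"))
        else:
            for field in db[rel]:
                if db[rel][field] != current[rel][field]:
                    changes.append((rel, field))
    return changes
```

Rewriting a file with different bytes of the same length is reported through the signature even when the size field is unchanged, which is why the content signature is kept alongside the i-node mask.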
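The dynamic (statistical) anomaly detection described on the slides above, as an added example in Python that is not NIDES code: a per-user profile of a metric with mean and standard deviation, an anomaly boundary at k standard deviations off the mean, and gradual aging of the profile so that normal observations slowly shift the baseline. The metric names, the aging factor and the sample values are constructed for the example.

```python
"""Statistical-based IDS profile: z-score boundary plus profile aging.
Added example; metric names and constants are constructed, not from NIDES."""
import math

class MetricProfile:
    """Running mean/variance of one metric (e.g. CPU seconds) for one user.
    alpha is the aging factor: each normal observation moves the profile a
    fraction alpha toward the new value, so behavioral drift is tracked."""
    def __init__(self, name, alpha=0.05, k=3.0):
        self.name, self.alpha, self.k = name, alpha, k
        self.mean, self.var, self.n = 0.0, 0.0, 0

    def train(self, samples):
        """Initial profile from historical observations (sample variance)."""
        self.n = len(samples)
        self.mean = sum(samples) / self.n
        self.var = sum((x - self.mean) ** 2 for x in samples) / max(self.n - 1, 1)

    def score(self, x):
        """Distance from the mean in standard deviations (z-score)."""
        sd = math.sqrt(self.var)
        if sd == 0:
            return 0.0 if x == self.mean else float("inf")
        return abs(x - self.mean) / sd

    def observe(self, x):
        """True if x lies outside the k-sigma boundary. Normal observations
        are folded into the profile (exponentially weighted mean/variance);
        anomalous ones are not, so an intruder cannot widen the boundary."""
        anomalous = self.score(x) > self.k
        if not anomalous:
            delta = x - self.mean
            self.mean += self.alpha * delta
            self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)
        return anomalous

def check_session(profiles, session):
    """Compare one session's metrics against the user's profiles; return the
    names of the metrics that crossed their boundary."""
    return [p.name for p in profiles if p.observe(session[p.name])]
```
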