UCF COT 4810 - Intruder Detection
Slide titles (full deck): Intruder Detection; Outline; Overview; Intruder Prevention; Intruder Detection Systems; IDS Anomaly Detection; Static Anomaly Detection; Tripwire; Dynamic Anomaly Detection; NIDES; Anomaly Detection Limitations; IDS Misuse Detection; USTAT; Misuse Detection Limitations; Summary; References

Intruder Detection
Bryan Pearsaul

Outline
Overview
Intruder Detection
Intruder Prevention
Intruder Detection Systems
• Anomaly Detection
• Misuse Detection
• Examples
• Limitations/Drawbacks

Overview
Intrusion – when a user takes an action that they are not legally allowed to take
Whether they meant to take that action or not
Increasingly important as we rely more and more on computer systems for the correct functioning of society

Intruder Detection
Determining whether an intruder has gained or has attempted to gain unauthorized access to the system
Two groups of intruders:
• External
• Internal
Ways to combat intrusion:
• Intruder Prevention
• Intruder Detection Systems

Intruder Prevention
Requiring passwords to be submitted before users can access the system
Fixing or patching known vulnerabilities
Blocking network access
Restricting physical access

Intruder Detection Systems
First became needed in the late 70s
Originally used with single systems
The OS produced audit records that were processed by the IDS
IDS has expanded to distributed systems and networks
Two main approaches:
• Anomaly Detection
• Misuse Detection

IDS Anomaly Detection
Static and Dynamic Anomalies
The IDS distinguishes between normal and the anomaly
Define normal behavior or correct static form
Detect changes in form or anomalous behavior

Static Anomaly Detection
Some part of the system should remain constant
Determines intrusions based on data integrity
Define the static part as strings of binary bits
If the strings are ever modified then there has been an error or an intrusion

Static Anomaly Detection
System bit strings are compressed into representations of the system called signatures
The signature is then compared at certain time intervals to the current system signature
Knowledge about the structure of objects in the system, meta-data, can also be incorporated into the system

Tripwire
Performs intruder detection using file integrity checking
Uses signatures and UNIX file meta-data
A configuration file specifies the attributes of files
Builds a selection mask for each file and directory that contains a flag for each distinct field in a UNIX i-node

Tripwire
Each file has at least one signature computed based off the bit string of the file
Selection masks and the set of signatures are stored in a database
User-scheduled integrity checks are performed on the signatures and the attributes
Any changes are pointed out and security staff can be notified

Dynamic Anomaly Detection
Also known as Statistical-Based IDS
More difficult than detecting static string changes
Define profiles for each user to characterize normal behavior
• User choices: log-in time, favorite programs
• User sequence of actions
• User CPU usage / network activity

Dynamic Anomaly Detection
Statistical distributions are formed from profiles and compared to the current user profile
An anomalous boundary is established using some number of standard deviations off the mean
Profiles can be gradually changed to reflect user behavioral changes over time

NIDES
Next-Generation Intrusion Detection Expert System
Build statistical profiles of users by taking
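The Tripwire slides describe static anomaly detection as a database of per-file signatures plus a selection mask of i-node fields, checked on a schedule. The following is an added illustration in that spirit, not Tripwire's own code or configuration syntax: the mask names and the constructed scenario (a tampered program file and a log file that is allowed to grow) are assumptions for the example.

```python
import hashlib
import os
import stat
import tempfile

# Selection mask = the i-node fields (plus content signature) that must not change.
# Field names are this example's own, not Tripwire's configuration syntax.
DEFAULT_MASK = frozenset({"mode", "uid", "size", "mtime", "sha256"})
LOG_MASK = frozenset({"mode", "uid"})  # log files legitimately grow: ignore size/mtime/content

def file_signature(path):
    """Collect selected i-node attributes and a SHA-256 signature of the file's bit string."""
    st = os.lstat(path)
    sig = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "size": st.st_size, "mtime": int(st.st_mtime)}
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    sig["sha256"] = h.hexdigest()
    return sig

def build_database(config):
    """config maps path -> selection mask; the result is the baseline signature database."""
    return {path: (mask, file_signature(path)) for path, mask in config.items()}

def integrity_check(db):
    """Recompute signatures and report every masked field that differs from the baseline."""
    changes = []
    for path, (mask, old) in db.items():
        if not os.path.exists(path):
            changes.append((path, "missing", None, None))
            continue
        new = file_signature(path)
        for field in sorted(mask):
            if old[field] != new[field]:
                changes.append((path, field, old[field], new[field]))
    return changes

def demo():
    """Constructed scenario: baseline two files, then grow the log and tamper with the program."""
    d = tempfile.mkdtemp()
    binary, log = os.path.join(d, "login"), os.path.join(d, "messages")
    with open(binary, "wb") as f: f.write(b"original program bytes")
    with open(log, "wb") as f: f.write(b"boot ok\n")
    os.chmod(binary, 0o755)
    db = build_database({binary: DEFAULT_MASK, log: LOG_MASK})
    clean = integrity_check(db)                                     # expected: no findings
    with open(log, "ab") as f: f.write(b"user logged in\n")         # legitimate growth, masked out
    with open(binary, "wb") as f: f.write(b"trojaned program bytes!!")  # content and size change
    os.chmod(binary, 0o4755)                                        # setuid bit added: mode change
    return clean, integrity_check(db)
```

Scheduling `integrity_check` from cron and keeping the database on read-only media is what turns this into the user-scheduled check the slides describe.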
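The dynamic anomaly detection slides describe per-user statistical profiles, an anomaly boundary some number of standard deviations off the mean, and profiles that drift gradually with behaviour. This added example (not from the slides or from NIDES) models one measure, a user's log-in hour, with a constructed sample; the k-sigma threshold, the exponentially weighted update, and the choice to learn only from non-anomalous observations are this example's assumptions.

```python
import math

class UserProfile:
    """Statistical profile of one behavioural measure for one user (e.g. log-in hour)."""

    def __init__(self, samples, k=3.0, decay=0.1):
        n = len(samples)
        self.mean = sum(samples) / n
        self.var = sum((x - self.mean) ** 2 for x in samples) / n  # population variance
        self.k = k          # anomaly boundary in standard deviations off the mean
        self.decay = decay  # weight of a new observation when the profile is updated

    def std(self):
        return math.sqrt(self.var)

    def zscore(self, x):
        """How many standard deviations x lies from the profile mean."""
        s = self.std()
        return 0.0 if s == 0 else (x - self.mean) / s

    def is_anomalous(self, x):
        return abs(self.zscore(x)) > self.k

    def update(self, x):
        """Exponentially weighted update so the profile gradually follows behavioural change."""
        d = x - self.mean
        incr = self.decay * d
        self.mean += incr
        self.var = (1 - self.decay) * (self.var + d * incr)

def score_sessions(profile, observations):
    """Classify each observation, then fold only non-anomalous ones into the profile.
    Assumed design choice: anomalies do not train the profile, so an intruder cannot
    shift the baseline simply by repeating the anomalous behaviour."""
    results = []
    for x in observations:
        flagged = profile.is_anomalous(x)
        results.append((x, round(profile.zscore(x), 2), flagged))
        if not flagged:
            profile.update(x)
    return results

# Constructed sample: a user who normally logs in around 09:00.
LOGIN_HOURS = [9.0, 9.5, 8.75, 9.25, 9.0, 8.5, 9.5, 9.0]

def demo():
    profile = UserProfile(LOGIN_HOURS)
    # 03:00 log-in is far outside the profile; 09:45 is a little late but normal.
    return profile, score_sessions(profile, [9.75, 3.0, 9.75, 9.75, 10.5])
```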