U of I CS 498 - Intrusion Detection (19 pages)


Intrusion Detection






School: University of Illinois
Course: CS 498 - Special Topics


Intrusion Detection
Cyber Security, Spring 2006

Reading material
- Chapter 25 from Computer Security, Matt Bishop
- Cisco Security Agent: http cisco com en US products sw secursw ps5057 products white paper0900aecd8020f448 shtml
- Distributed IDS: DShield, http://dshield.org
- Dark address space: http research arbornetworks com downloads researc h38 dark address space pdf

Intrusion Detection
- Use audit trail
- React rather than directly prevent
- Find bad actions; work with access control mechanisms to stop them from happening
- May be hindered by confidentiality mechanisms: like access control, it may not be able to see enough of the traffic stream to detect

Goal of Intrusion Detection
- Holy Grail: detect and correct bad system behavior
- Detection can be viewed in two parts:
  - Anomaly detection: use statistical techniques to determine unusual behavior
  - Misuse detection: use signatures to determine occurrence of known attacks
- Detection can be performed on host data (HIDS), network data (NIDS), or a hybrid of both

IDS Architecture
- Agents run at the lowest level, gathering data
- Agents send data to a Director that performs more significant processing of the data
- Potentially there is a hierarchy of agents and directors
- Directors invoke Notifiers to perform some action in response to a detected attack:
  - Pop up a window on a screen
  - Send an email or a page
  - Send a new syslog message elsewhere
  - Access control mechanism to block future action from the attacker: update firewall config, BGP blackhole

Data sources
- Direct data: network packets, system calls
- Indirect data: syslog data, Windows event logs, events from other intrusion detection systems, Netflow information generated by routers about network traffic

Misuse (Signature) Detection
- Fixed signatures are used in most deployed IDS products, e.g. Cisco, ISS, Snort, Bro
- Like virus scanners, part of the value of the product is the team of people producing new signatures for newly observed malevolent behavior
- A dedicated attacker can adjust his behavior to avoid matching the signature
- Cannot
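The two detection parts and the agent/director/notifier pipeline above, as an added Python example that is not from the lecture notes: a signature (misuse) detector and a statistical anomaly detector run over constructed sshd syslog lines, with a director that merges their findings and a notifier that emits syslog-style alerts. The log lines, the baseline counts and the single signature are all constructed for illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample (not from the lecture): sshd syslog lines as an agent
# would collect them from one host during a short window.
SAMPLE_LOG = """\
sshd[101]: Failed password for root from 10.0.0.5 port 5001
sshd[102]: Accepted password for alice from 10.0.0.7 port 5002
sshd[103]: Failed password for invalid user admin from 10.0.0.5 port 5003
sshd[104]: Failed password for root from 10.0.0.5 port 5004
sshd[105]: Failed password for root from 10.0.0.5 port 5005
sshd[106]: Failed password for root from 10.0.0.5 port 5006
sshd[107]: Failed password for alice from 10.0.0.7 port 5007
sshd[108]: Accepted publickey for bob from 10.0.0.9 port 5008
"""
# Constructed baseline: failed logins per source IP per window on normal days.
BASELINE_FAILS_PER_IP = [1, 0, 2, 1, 0, 1, 1, 0]

# Misuse detection: fixed signatures for known bad behaviour (one constructed rule).
SIGNATURES = {
    "invalid-user-probe": re.compile(r"Failed password for invalid user"),
}
FAIL_RE = re.compile(r"Failed password for .* from (\S+)")

def misuse_detect(lines):
    """Return (signature, line) for every line matching a known signature."""
    return [(name, line) for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]

def anomaly_detect(lines, baseline, k=3.0):
    """Return source IPs whose failed-login count exceeds mean + k*stdev of
    the baseline, i.e. is statistically unusual for this host."""
    limit = mean(baseline) + k * pstdev(baseline)
    fails = Counter(m.group(1) for line in lines
                    if (m := FAIL_RE.search(line)))
    return {ip: n for ip, n in fails.items() if n > limit}

def director(lines, baseline=BASELINE_FAILS_PER_IP):
    """Director: correlate the agent's data from both detectors into alerts."""
    alerts = [f"misuse:{name}" for name, _ in misuse_detect(lines)]
    alerts += [f"anomaly:{ip} ({n} failures)"
               for ip, n in anomaly_detect(lines, baseline).items()]
    return alerts

def notifier(alerts):
    """Notifier: render alerts as syslog-style messages to forward elsewhere."""
    return [f"IDS ALERT {a}" for a in alerts]
```

Only 10.0.0.5 is flagged by the anomaly detector (5 failures against a baseline limit of about 2.7), while 10.0.0.7 with a single failure is not; the signature fires independently on the one invalid-user line.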