U of I CS 498 - Intrusion Detection

Intrusion Detection
Cyber Security
Spring 2006

Reading material
- Chapter 25 from Computer Security, Matt Bishop
- Cisco Security Agent – http://cisco.com/en/US/products/sw/secursw/ps5057/products_white_paper0900aecd8020f448.shtml
- Distributed IDS – DShield – http://dshield.org
- Dark address space – http://research.arbornetworks.com/downloads/research38/dark_address_space.pdf

Intrusion Detection
- Use the audit trail
- React rather than directly prevent
  - Find "bad actions"
  - Work with access control mechanisms to stop them from happening
- May be hindered by confidentiality mechanisms
  - Like access control, may not be able to see enough of the traffic stream to detect

Goal of Intrusion Detection
- Holy Grail: Detect and correct "bad" system behavior
- Detection can be viewed in two parts
  - Anomaly detection: Use statistical techniques to determine unusual behavior
  - Mis-use detection: Use signatures to determine occurrence of known attacks
- Detection can be performed on host data (HIDS), network data (NIDS), or a hybrid of both

IDS Architecture
- Agents run at the lowest level gathering data.
- Agents send data to a Director that performs more significant processing of the data.
  - Potentially there is a hierarchy of agents and directors
- Directors invoke Notifiers to perform some action in response to a detected attack
  - Pop up a window on a screen
  - Send an email or a page
  - Send a new syslog message elsewhere
  - Use an access control mechanism to block future action from the attacker
    - Update firewall config
    - BGP blackhole

Data sources
- Direct data
  - Network packets
  - System calls
- Indirect data
  - Syslog data, Windows event logs
  - Events from other intrusion detection systems
  - Netflow information generated by routers about network traffic

Mis-use/Signature Detection
- Fixed signatures are used in most deployed IDS products
  - E.g., Cisco, ISS, Snort, Bro
- Like virus scanners, part of the value of the product is the team of people producing new signatures for newly observed malevolent behavior
  - A dedicated attacker can adjust his behavior to avoid matching the signature.
  - Cannot find what we don't know about
- The volume of signatures can also result in many false positives.
  - Must tune the IDS to match the characteristics of your network
  - Can result in an IDS tuned so low that it misses real events
  - Can hide real attacks in the mass of false positives

Example Signature
- Signature for a port sweep
  - A set of TCP packets attempting to connect to a sequence of ports on the same device in a fixed amount of time
- In some environments, the admin might run nmap periodically to get an inventory of what is on the network
  - You would not want to activate this signature in that case

Example Snort Rule
- Rule header, up to '('
  - Identifies packets of interest
- Rule options, after '('
  - What to do with matching packets

Anomaly/statistical detection
- Seems like using statistics will result in a more adaptable and self-tuning system
  - Statistics, neural networks, data mining, etc.
- How do you characterize normal?
  - Create training data from observing "good" runs
    - E.g., Forrest's program system call analysis
  - Use visualization to rely on your eyes
- How do you adjust to real changes in behavior?
  - Gradual changes can be easily addressed. Gradually adjust expected changes over time
  - Rapid changes can occur. E.g., different behavior after work hours or switching to work on the next project

Host Based IDS
- Tripwire – Very basic detection of changes to installed binaries
- More recent HIDS look at patterns of actions (system calls, file activity, etc.) to permit, deny, or query operations
  - Cisco Security Agent
  - Symantec
  - McAfee Entercept

Cisco Security Agent Architecture
(diagram slide; the figure is not included in the text preview)

Classical NIDS deployment
(diagram slide; the figure is not included in the text preview)

NIDS Remediation Options
- Log the event
- Drop the connection
- Reset the connection
- Change the configuration of a nearby router or firewall to block future connections

Intrusion Protection Systems (IPS)
- Another name for inline NIDS
- Requires very fast signature handling
  - Slow signature handling will not only miss attacks but will also delay valid traffic
  - Specialized hardware required for high volume gateways
- The inline intrusion detector can take direct steps to remediate.
- If you move IDS into the network processing path, how is this different from really clever firewalling?

Network IPS scenario
(diagram slide; the figure is not included in the text preview)

Netflow as an IDS basis
- Netflow is a logging format that tracks connections (source, destination, protocol and ports)
  - Originally developed to support traffic engineering
  - Emerged as a good source of IDS traffic analysis
- Arbor Networks – http://arbornetworks.com/
  - Analyzes router netflow data
  - Uses patented algorithms to detect anomalous activity
- Netflow visualization
  - NVisionIP and VisFlowConnect projects at NCSA
  - http://www.projects.ncassr.org/sift/

Large Scale IDS
- Internet Storm Center and dshield.org
  - A very coarse level statistical analysis to find outliers in port activity
  - Uses donated firewall logs from people all over the internet
  - Detects new worms or other widespread malware
  - http://dshield.org

More large scale IDS
- Dark addresses are routable addresses that are not completely connected. May be routable from one part of the internet but not another
  - http://research.arbornetworks.com/downloads/research38/dark_address_space.pdf
- Any traffic in the dark address space is invalid
  - It is a random target of a worm attack
  - It is a temporarily or locally routable address that is being used as the non-traceable source of an attack
- Home in on activity on these dark address spaces
  - Internet motion detectors and network telescopes propose placing sensors at strategic points in the Internet
  - Use the information on these sensors as early warnings for emerging
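The "Example Snort Rule" slide only names the two halves of a rule: the header up to '(' (which packets) and the options inside the parentheses (what to look for and report). The following is an added example, not code from the lecture or from the Snort project: a small parser that splits a classic Snort 2 rule along exactly that boundary. The sample rule, the SnortRule and split_options names are constructed for this illustration; the header split assumes single addresses or variables per field (Snort's bracketed address lists with spaces are not handled).

```python
"""Split a Snort rule into its header (the part before '(') and its options
(the part inside the parentheses), as described on the "Example Snort Rule" slide."""
from dataclasses import dataclass, field

# Constructed sample rule in classic Snort 2 syntax; an illustration,
# not a rule from the lecture or from any published ruleset.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
    '(msg:"SSH login burst; possible brute force"; flow:to_server,established; '
    'threshold:type both, track by_src, count 5, seconds 60; sid:1000001; rev:1;)'
)


@dataclass
class SnortRule:
    # Header fields: which packets the rule applies to.
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    # Options: what to match inside those packets and what to report.
    options: dict = field(default_factory=dict)


def split_options(body: str) -> list:
    """Split the option body on ';', ignoring semicolons inside double quotes
    (msg:"a; b" is legal). Backslash-escaped quotes are not handled here."""
    items, current, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            item = "".join(current).strip()
            if item:
                items.append(item)
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        items.append(tail)
    return items


def parse_rule(text: str) -> SnortRule:
    text = text.strip()
    open_idx = text.find("(")
    if open_idx == -1 or not text.endswith(")"):
        raise ValueError("rule has no '(...)' option block")
    header, body = text[:open_idx], text[open_idx + 1:-1]
    fields = header.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 header fields, got {len(fields)}: {header!r}")
    action, proto, sip, sport, direction, dip, dport = fields
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction {direction!r}")
    options = {}
    for item in split_options(body):
        key, sep, value = item.partition(":")
        # Flag-style options such as 'nocase' carry no value.
        options[key.strip()] = value.strip().strip('"') if sep else True
    return SnortRule(action, proto, sip, sport, direction, dip, dport, options)


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print("header:", rule.action, rule.protocol, rule.src_ip, rule.src_port,
          rule.direction, rule.dst_ip, rule.dst_port)
    for key, value in rule.options.items():
        print(f"option {key} = {value}")
```

Splitting the header first is what lets an engine decide cheaply whether a packet is "of interest" before paying for the option matching; the threshold option in the sample shows where the per-source rate limiting that keeps such a rule from flooding the analyst with false positives lives.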
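The "Anomaly/statistical detection" slide points at Forrest's system call analysis as a way to characterize "normal" from good runs, and then asks how to absorb gradual change without also learning rapid, suspicious change. The following is an added example in that style, not code from the lecture or from Forrest's group: a profile of short sliding windows of system calls learned from normal traces, a score that reports the fraction of unseen windows in a new trace, and an absorb step that folds in slightly novel traces while refusing ones above a threshold. The traces, the window length 3, the threshold 0.2 and the class and function names are all constructed for this illustration.

```python
"""Sequence-based anomaly detection in the style of Forrest et al.'s system call
analysis: learn the set of short syscall windows seen in "good" runs, then score
a new trace by the fraction of its windows that were never seen."""

# Constructed traces using syscall names in place of numbers; they are
# illustrations, not data from the lecture or from Forrest's experiments.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "open", "read", "close", "close"],
    ["open", "read", "mmap", "open", "read", "close", "close"],
    ["open", "read", "read", "close"],
]
# A slightly different run of the same program: one extra close at the end.
DRIFTED_TRACE = ["open", "read", "mmap", "open", "read", "close", "close", "close"]
# A run in which the program unexpectedly executes another binary.
SUSPECT_TRACE = ["open", "read", "mmap", "execve", "open", "read", "close"]


def windows(trace, k):
    """All length-k sliding windows of a trace, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


class SequenceProfile:
    def __init__(self, k=3):
        self.k = k
        self.known = set()

    def train(self, traces):
        """Characterize 'normal' from observed good runs."""
        for trace in traces:
            self.known.update(windows(trace, self.k))

    def score(self, trace):
        """Return (mismatch fraction, list of unseen windows)."""
        ws = windows(trace, self.k)
        misses = [w for w in ws if w not in self.known]
        fraction = len(misses) / len(ws) if ws else 0.0
        return fraction, misses

    def absorb(self, trace, max_mismatch=0.2):
        """Gradual adjustment: a trace that is only slightly novel is folded
        into the profile; a trace above the threshold is left out so the
        profile does not learn the attack. Returns True if absorbed."""
        fraction, misses = self.score(trace)
        if fraction <= max_mismatch:
            self.known.update(misses)
            return True
        return False


def build_profile(k=3):
    """Train a profile on the constructed normal traces."""
    profile = SequenceProfile(k)
    profile.train(NORMAL_TRACES)
    return profile


if __name__ == "__main__":
    profile = build_profile()
    for name, trace in (("drifted", DRIFTED_TRACE), ("suspect", SUSPECT_TRACE)):
        fraction, misses = profile.score(trace)
        print(f"{name}: {fraction:.2f} of windows unseen; novel windows: {misses}")
```

With window length 3 the drifted trace contributes one unseen window out of six and is absorbed; the suspect trace has three unseen windows out of five, all involving the execve, and is rejected. The threshold is the tuning knob the slide warns about: set it too high and the profile quietly learns the attack, set it too low and every harmless change after work hours becomes an alert.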
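The "Example Signature" slide describes a port sweep signature (many ports on one device from one source in a fixed time) and its false-positive trap (the admin's periodic nmap inventory), and the "Netflow as an IDS basis" and "More large scale IDS" slides say that flow records are a good basis for such analysis and that any traffic to or from dark address space is invalid. The following is an added example serving both passages, not code from the lecture, Arbor Networks or any IDS product: it runs the sweep signature with a per-source allowlist and the dark-space rule over netflow-style records. The Flow and SweepAlert types, the window of 10 seconds, the threshold of 5 ports and the flow records are constructed; all addresses are RFC 5737 documentation ranges, with 198.51.100.0/24 assumed to be the dark prefix for the sake of the example.

```python
"""Two checks over netflow-style connection records: the port sweep signature
from the "Example Signature" slide (many distinct ports on one host from one
source within a fixed window) and the "dark address space" rule (any flow
to or from an address that should not carry traffic is suspect)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since start of capture
    src: str
    dst: str
    proto: str
    dport: int


# Constructed flow records using RFC 5737 documentation addresses; they are
# illustrations, not netflow data from the lecture or from any real network.
# 192.0.2.0/24 plays the monitored network; 198.51.100.0/24 is assumed dark.
FLOWS = [
    # one external host touching six ports on one server within six seconds
    Flow(0.0, "203.0.113.7", "192.0.2.10", "tcp", 21),
    Flow(1.0, "203.0.113.7", "192.0.2.10", "tcp", 22),
    Flow(2.0, "203.0.113.7", "192.0.2.10", "tcp", 23),
    Flow(3.0, "203.0.113.7", "192.0.2.10", "tcp", 25),
    Flow(4.0, "203.0.113.7", "192.0.2.10", "tcp", 80),
    Flow(5.0, "203.0.113.7", "192.0.2.10", "tcp", 110),
    # ordinary repeated web traffic: one port, so not a sweep
    Flow(50.0, "203.0.113.9", "192.0.2.10", "tcp", 80),
    Flow(51.0, "203.0.113.9", "192.0.2.10", "tcp", 80),
    # the admin's periodic nmap inventory from an internal management host
    Flow(100.0, "192.0.2.2", "192.0.2.10", "tcp", 22),
    Flow(101.0, "192.0.2.2", "192.0.2.10", "tcp", 80),
    Flow(102.0, "192.0.2.2", "192.0.2.10", "tcp", 443),
    Flow(103.0, "192.0.2.2", "192.0.2.10", "tcp", 3306),
    Flow(104.0, "192.0.2.2", "192.0.2.10", "tcp", 8080),
    # an internal host connecting to a dark address (worm-style random target)
    Flow(200.0, "192.0.2.33", "198.51.100.77", "tcp", 445),
    # a packet arriving from a dark address (source cannot be legitimate)
    Flow(201.0, "198.51.100.5", "192.0.2.10", "udp", 53),
]

DARK_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class SweepAlert:
    src: str
    dst: str
    start_ts: float
    ports: tuple


def detect_port_sweeps(flows, window=10.0, min_ports=5, allowlist=frozenset()):
    """Flag (src, dst) pairs where src reached at least min_ports distinct TCP
    ports on dst within any window of `window` seconds. Sources in `allowlist`
    (e.g. the admin's scanner) are skipped, matching the slide's caveat."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.src not in allowlist:
            by_pair[(f.src, f.dst)].append(f)
    alerts = []
    for (src, dst), pair_flows in by_pair.items():
        pair_flows.sort(key=lambda f: f.ts)
        for i, first in enumerate(pair_flows):
            ports = set()
            for f in pair_flows[i:]:
                if f.ts - first.ts > window:
                    break
                ports.add(f.dport)
            if len(ports) >= min_ports:
                alerts.append(SweepAlert(src, dst, first.ts, tuple(sorted(ports))))
                break   # one alert per pair is enough
    return alerts


def dark_space_hits(flows, dark_prefixes=DARK_PREFIXES):
    """Return (flow, role) for every flow whose destination or source lies in a
    dark prefix; role says which end of the flow was dark."""
    hits = []
    for f in flows:
        for role, addr in (("dst", f.dst), ("src", f.src)):
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in dark_prefixes):
                hits.append((f, role))
    return hits


if __name__ == "__main__":
    for a in detect_port_sweeps(FLOWS, allowlist={"192.0.2.2"}):
        print(f"port sweep: {a.src} -> {a.dst} at t={a.start_ts}: ports {a.ports}")
    for f, role in dark_space_hits(FLOWS):
        print(f"dark-space {role}: {f.src} -> {f.dst}:{f.dport}/{f.proto} at t={f.ts}")
```

Without the allowlist the admin's inventory scan trips the sweep signature exactly as the slide warns; with it only the external sweep is reported. The dark-space check needs no threshold at all, which is what makes it attractive at scale: a flow toward an unused prefix is wrong by definition, so a sensor on that prefix sees worm scanning as soon as it starts rather than after enough hosts have been hit to stand out statistically.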