Network Security Monitoring
COEN 250

Indicators and Warnings
- Indicator: "an item of information which reflects the intention or capability of a potential enemy to adopt or reject a course of action"*
- Indications and Warnings: "the strategic monitoring of world military, economic, and political events to ensure that they are not the precursor to hostile or other activities which are contrary to U.S. interests"**
* DoD Dictionary of Military Terms
** U.S. Army Intelligence, Document on Indicators in Operations Other Than War

Indicators and Warnings
- Indicators generated by an Intrusion Detection System (IDS) are alerts
- Examples:
  - Web server initiates outbound FTP to a site in Russia
  - Spike in ICMP messages
- Warnings
  - Result of the analyst's interpretation of an indicator
  - Escalation of a warning
    - Conclusion that the warning warrants further analysis
    - Conclusion that the warning is indeed an incident
      - Triggers incident response

Intrusion Detection Systems
- Intrusion Detection
  - Process of monitoring events occurring in a computer system or network
  - Analyzing them for signs of possible incidents
- Incident
  - Violation or imminent threat of violation of
    - computer security policies
    - acceptable use policies
    - standard security practices
  - Arises from
    - Malware
    - Attacks
    - Honest errors

Intrusion Detection Systems
- Intrusion Detection System: software that automates the detection process
- Intrusion Prevention System: additionally has the capacity to stop some possible incidents

Intrusion Detection Systems
Key functions of IDS technology
- Recording information related to observed events
- Notifying security administrators of important observed events
- Producing reports
- IDPS technology can be augmented by human analysis

Intrusion Detection Systems
Key functions of IPS technology
- IPS stops the attack itself
  - Terminate network connection
  - Terminate user session
  - Block access to target from offending user account or IP address
  - Block all access to target
- IPS changes the security environment
  - IPS changes configuration of other security controls to disrupt the attack
    - Reconfiguring a network device
    - Altering a host-based firewall
    - Applying patches to a host it detects is vulnerable

Intrusion Detection Systems
Key functions of IPS technology
- IPS changes the attack's contents
  - Remove or replace malicious portions of an attack
  - Remove an infected file attachment from e-mail, but allow the e-mail sans attachment to reach its destination
  - IPS acts as a proxy and normalizes incoming requests

Intrusion Detection Systems
- Current IDPS technology has false positives and false negatives.
- Attackers use evasion techniques, e.g. escaping

Intrusion Detection Systems
Common Detection Methodologies
Signature-Based Detection
- A signature is a pattern corresponding to a known threat.
- Examples
  - Telnet attempt with user name "root"
  - e-mail with "You received a picture from a *"
  - OS system log entry indicating that the host's auditing has been disabled

Intrusion Detection Systems
Common Detection Methodologies
Signature-Based Detection
- Very effective against known threats
- Basically ineffective against unknown threats
- Subject to evasion by polymorphic attacks

Intrusion Detection Systems
Common Detection Methodologies
Anomaly-Based Detection
- Relies on comparing definitions of normal activity against observed events and identifies significant deviations
- Anomaly-based IDPS has profiles
  - Representing normal behavior of actors and activities
    - Users
    - Hosts
    - Network connections
    - Applications
  - Developed through observation over time

Intrusion Detection Systems
Common Detection Methodologies
Anomaly-Based Detection
- Profile examples:
  - Amount of e-mail a user sends
  - Bandwidth of web activities
  - Number of failed login attempts for a host
  - Level of processor utilization for a host

Intrusion Detection Systems
Common Detection Methodologies
Anomaly-Based Detection
- Can be effective at detecting unknown threats
- Depends on the accuracy of the profiles
  - Inadvertent inclusion of malicious activity in a profile
  - Dynamic profiles can be subverted by an attacker who increases activity slowly
  - Static profiles generate false positives if usage patterns change
- Subject to stealth attacks
- Makes it difficult for a human analyst to find the reason for an alert

Intrusion Detection Systems
Common Detection Methodologies
Stateful Protocol Analysis
- Sometimes known as "deep packet inspection"
- Compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations
- "Stateful" refers to the IDPS capability of understanding protocols

Intrusion Detection Systems
Common Detection Methodologies
Stateful Protocol Analysis
- Can identify unexpected sequences of commands
- Allows tracking of authenticators for each session
  - Helpful for human analysis of suspicious activity
- Typically includes a reasonableness check for individual commands
  - E.g. minimum and maximum length of arguments

Intrusion Detection Systems
Common Detection Methodologies
Stateful Protocol Analysis
- Uses protocol models based on standards
  - But most standards are underspecified
  - Many implementations are not completely compliant
- Very resource intensive
- Cannot detect attacks that do not violate a protocol
- Detects protocol-bending attacks

Intrusion Detection Systems
- Network-Based IDPS
- Wireless IDPS
- Network Behavior Analysis (NBA)
- Host-Based IDPS

Intrusion Detection Systems
Components
- Sensors / Monitors: used for network activity monitoring
- Agent: used for host-based IDPS
- Management Server: centralized component that receives data from agents and monitors
  - Performs correlation: Matching event
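The signature-based detection slides together with the remark that attackers evade detection by escaping and that an IPS proxy normalizes requests, worked through as an added example (mine, not the lecture's own code): a small signature matcher run over constructed sample events, with and without a normalization step that undoes percent-escaping before matching. The event payloads, the signature regexes and the normalize() helper are all assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample events (source, payload); not taken from the slides.
EVENTS = [
    ("telnet", "login: root"),
    ("smtp", "Subject: You received a picture from a friend"),
    ("syslog", "auditd: audit system disabled"),
    ("http", "GET /cgi-bin/../../etc/passwd"),
    ("http", "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd"),  # same request, percent-escaped
    ("http", "GET /index.html"),
]

# Signatures: patterns corresponding to known threats (three are the slides'
# examples; the path-traversal one is an assumed addition to show escaping).
SIGNATURES = {
    "telnet-root-login":   (re.compile(r"login:\s*root\b"), "telnet"),
    "mass-mailer-subject": (re.compile(r"You received a picture from a \w+"), "smtp"),
    "audit-disabled":      (re.compile(r"audit.*disabled", re.I), "syslog"),
    "path-traversal":      (re.compile(r"\.\./"), "http"),
}

def normalize(source, payload):
    """Canonicalize the payload the way an IPS proxy would before matching.
    Only HTTP percent-escaping is undone here; decoding is repeated until
    the text stops changing so that double-encoded input is also unwrapped."""
    if source != "http":
        return payload
    prev = None
    while prev != payload:
        prev, payload = payload, unquote(payload)
    return payload

def match_signatures(events, normalize_first=True):
    """Return (signature name, source, original payload) for every hit.
    With normalize_first=False the escaped request is a false negative."""
    alerts = []
    for source, payload in events:
        text = normalize(source, payload) if normalize_first else payload
        for name, (pattern, sig_source) in SIGNATURES.items():
            if sig_source == source and pattern.search(text):
                alerts.append((name, source, payload))
    return alerts
```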
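The anomaly-based detection slides (profiles built by observation, the failed-logins-per-host profile example, and the three accuracy caveats), as an added example that is not part of the original lecture: a profile for daily failed logins on one host, showing a clean profile catching a spike, a profile that inadvertently absorbed a brute-force day missing the same spike, and a static versus a dynamic profile fed slowly climbing counts. The threshold rule (k times the mean) and all counts are assumptions chosen for illustration.

```python
import statistics

# Constructed daily failed-login counts for one host (not from the slides).
OBSERVED = [3, 5, 4, 6, 2, 5, 4, 3, 6, 5]            # clean observation period
POISONED = OBSERVED[:5] + [60] + OBSERVED[5:]        # same period with one brute-force day included
RAMP = [8, 9, 10, 10, 11, 12, 12, 13, 14, 14, 15, 16]  # activity that climbs a little each day

class Profile:
    """Profile for one attribute (here: failed logins per day on a host).
    The rule is deliberately simple: alert when a value exceeds k times the
    mean of everything observed so far."""
    def __init__(self, samples, k=2.0, dynamic=False):
        self.samples = list(samples)
        self.k = k
        self.dynamic = dynamic      # a dynamic profile absorbs each new observation

    def threshold(self):
        return self.k * statistics.mean(self.samples)

    def check(self, value):
        """Return True if value is a significant deviation from the profile."""
        alert = value > self.threshold()
        if self.dynamic:
            self.samples.append(value)
        return alert

def run(profile, stream):
    """Evaluate a stream of daily counts; returns one alert flag per day."""
    return [profile.check(v) for v in stream]
```

The static profile flags RAMP from its second day on, which is a detection if the climb is hostile and a false positive if usage genuinely grew; the dynamic profile never fires on it, which is the slow-subversion weakness the slide names.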
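The stateful protocol analysis slides (unexpected command sequences, per-command reasonableness checks on argument length), as an added example that is not from the original lecture: a per-session analyzer for a simplified SMTP command sequence. The transition table, the argument length limits and the sample sessions are assumptions of this example, not a complete RFC 5321 model; the message body after DATA is not modelled.

```python
# Allowed transitions for a simplified SMTP session: state -> {command: next state}.
# Assumption of this example; a real engine would model the full standard.
TRANSITIONS = {
    "start":   {"EHLO": "greeted", "HELO": "greeted", "QUIT": "closed"},
    "greeted": {"MAIL": "mail", "RSET": "greeted", "QUIT": "closed"},
    "mail":    {"RCPT": "rcpt", "RSET": "greeted", "QUIT": "closed"},
    "rcpt":    {"RCPT": "rcpt", "DATA": "data", "RSET": "greeted", "QUIT": "closed"},
    "data":    {"MAIL": "mail", "RSET": "greeted", "QUIT": "closed"},
}
# Reasonableness checks: (minimum, maximum) argument length per command.
ARG_LIMITS = {"EHLO": (1, 255), "HELO": (1, 255), "MAIL": (6, 320), "RCPT": (4, 320),
              "DATA": (0, 0), "RSET": (0, 0), "QUIT": (0, 0)}

class SmtpSessionAnalyzer:
    """Tracks one client's protocol state and records deviations from the model."""
    def __init__(self):
        self.state = "start"
        self.alerts = []

    def feed(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb not in ARG_LIMITS:
            self.alerts.append(f"unknown command {verb!r} in state {self.state}")
            return
        lo, hi = ARG_LIMITS[verb]                      # per-command reasonableness check
        if not lo <= len(arg) <= hi:
            self.alerts.append(f"{verb} argument length {len(arg)} outside [{lo}, {hi}]")
        nxt = TRANSITIONS.get(self.state, {}).get(verb)  # sequence check
        if nxt is None:
            self.alerts.append(f"unexpected {verb} in state {self.state}")
            return                                     # state is left unchanged
        self.state = nxt

def analyze(lines):
    """Run one session's command lines through the analyzer; return its alerts."""
    analyzer = SmtpSessionAnalyzer()
    for line in lines:
        analyzer.feed(line)
    return analyzer.alerts

# Constructed sessions (not from the slides).
GOOD = ["EHLO mail.example.com", "MAIL FROM:<a@example.com>",
        "RCPT TO:<b@example.org>", "DATA", "QUIT"]
BAD = ["EHLO mail.example.com", "DATA",
       "MAIL FROM:<" + "x" * 400 + "@example.com>", "QUIT"]
```

A session that follows the model but carries a malicious message body raises nothing here, which is the slide's point that attacks not violating the protocol go undetected.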