SCU COEN 250 - Network Security Monitoring


Outline
- Indicators and Warnings
- Intrusion Detection Systems
- Intrusion Detection Systems: Common Detection Methodologies
- Intrusion Detection Systems: Components
- Network Monitors
- Intrusion Detection Systems: Networks
- Intrusion Detection Systems: Management
- Network Based IDPS
- Network Based IDPS: Architecture and Sensor Locations
- Wireless IDPS
- Network Behavior Analysis (NBA)
- Host Based IDPS

Network Security Monitoring
COEN 250

Indicators and Warnings
- Indicator: "an item of information which reflects the intention or capability of a potential enemy to adopt or reject a course of action" *
- Indications and Warnings: "the strategic monitoring of world military, economic, and political events to ensure that they are not the precursor to hostile or other activities which are contrary to U.S. interests" **
* DoD Dictionary of Military Terms
** U.S. Army Intelligence, Document on Indicators in Operations Other Than War

Indicators and Warnings
- Indicators generated by an Intrusion Detection System (IDS) are alerts
  Examples:
  - Web server initiates outbound FTP to a site in Russia
  - Spike in ICMP messages
- Warnings: the result of an analyst's interpretation of an indicator
- Escalation of a warning:
  - Conclusion that the warning warrants further analysis
  - Conclusion that the warning is indeed an incident
  - Triggers Incident Response

Intrusion Detection Systems
- Intrusion Detection
  - Process of monitoring events occurring in a computer system or network
  - Analyzing them for signs of possible incidents
- Incident
  - Violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices
  - Arise from malware, attacks, and honest errors

Intrusion Detection Systems
- Intrusion Detection System: software that automates the detection process
- Intrusion Prevention System: additionally has the capacity to stop some possible incidents

Intrusion Detection Systems
Key functions of IDS technology
- Recording information related to observed events
- Notifying security administrators of important observed events
- Producing reports
- IDPS technology can be augmented by human analysis

Intrusion Detection Systems
Key functions of IPS technology
- IPS stops the attack itself
  - Terminate network connection
  - Terminate user session
  - Block access to target from offending user account or IP address
  - Block all access to target
- IPS changes the security environment: it changes the configuration of other security controls to disrupt the attack
  - Reconfiguring a network device
  - Altering a host based firewall
  - Applying patches to a host it detects is vulnerable

Intrusion Detection Systems
Key functions of IPS technology
- IPS changes the attack's contents
  - Remove or replace malicious portions of an attack
  - Remove an infected file attachment from e-mail, but allow the e-mail sans attachment to reach its destination
  - IPS acts as a proxy and normalizes incoming requests

Intrusion Detection Systems
- Current IDPS technology has false positives and false negatives.
- Attackers use evasion techniques, e.g. using escaping

Intrusion Detection Systems: Common Detection Methodologies
Signature-Based Detection
- A signature is a pattern corresponding to a known threat.
- Examples:
  - Telnet attempt with user name "root"
  - e-mail with "You received a picture from a *"
  - OS system log entry indicating that the host's auditing has been disabled

Intrusion Detection Systems: Common Detection Methodologies
Signature-Based Detection
- Very effective against known threats
- Basically ineffective against unknown threats
- Subject to evasion by polymorphic attacks

Intrusion Detection Systems: Common Detection Methodologies
Anomaly-Based Detection
- Relies on defining normal activity and comparing observed events against it; identifies significant deviations
- Anomaly-based IDPS has profiles representing the normal behavior of actors and activities:
  - Users
  - Hosts
  - Network connections
  - Applications
- Profiles are developed through observation over time

Intrusion Detection Systems: Common Detection Methodologies
Anomaly-Based Detection: profile examples
- Amount of e-mail a user sends
- Bandwidth of web activities
- Number of failed login attempts for a host
- Level of processor utilization for a host

Intrusion Detection Systems: Common Detection Methodologies
Anomaly-Based Detection
- Can be effective at detecting unknown threats
- Depends on the accuracy of the profiles
  - Inadvertent inclusion of malicious activity in a profile
  - Dynamic profiles can be subverted by an attacker slowly increasing activity
  - Static profiles generate false positives if usage patterns differ
- Subject to stealth attacks
- Makes it difficult for a human analyst to find the reason for an alert

Intrusion Detection Systems: Common Detection Methodologies
Stateful Protocol Analysis
- Sometimes known as "deep packet inspection"
- Compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations
- "Stateful" refers to the IDPS capability of understanding protocols

Intrusion Detection Systems: Common Detection Methodologies
Stateful Protocol Analysis
- Can identify unexpected sequences of commands
- Allows tracking of authenticators for each session; helpful for human analysis of suspicious activity
- Typically includes a reasonableness check for individual commands, e.g. minimum and maximum length of arguments

Intrusion Detection Systems: Common Detection Methodologies
Stateful Protocol Analysis
- Uses protocol models based on standards
  - But most standards are underspecified
  - Many implementations are not completely compliant
- Very resource intensive
- Cannot detect attacks that do not violate a protocol
- Detects protocol bending attacks

Intrusion Detection Systems
- Network Based IDPS
- Wireless IDPS
- Network Behavior Analysis (NBA)
- Host-Based IDPS

Intrusion Detection Systems: Components
- Sensors / Monitors: used for network activity monitoring
- Agent: used for host-based IDPS
- Management Server: centralized component that receives data from agents and monitors
  - Performs correlation: matching event
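The signature-based and anomaly-based methodologies from the slides above, as an added example that is not part of the course material: a toy detector in Python that runs the three slide signatures (Telnet login as "root", the "You received a picture from a" e-mail, an auditing-disabled log entry) over a constructed event list, and builds a static per-host profile of failed login counts from constructed history to flag significant deviations. Event format, signature regexes, the history values and the 3-sigma threshold are all illustrative assumptions.

```python
"""Added example (not from the COEN 250 slides): toy signature-based and
anomaly-based detection over constructed events. All rules, thresholds and
sample data below are illustrative assumptions."""
import re
from collections import namedtuple
from statistics import mean, pstdev

Event = namedtuple("Event", "host etype detail")

# Constructed sample events (format is an assumption of this example)
SAMPLE_EVENTS = [
    Event("web01", "telnet_login", "user=root"),                       # slide example 1
    Event("mail01", "email_subject", "You received a picture from a friend"),  # slide example 2
    Event("db01", "syslog", "auditd: auditing disabled by admin"),      # slide example 3
    Event("web01", "http", "GET /index.html"),                          # benign
]

# Signature-based: a signature is a pattern for a known threat, here a regex
# over "<event type> <detail>".  Effective for known threats only; a change in
# wording (polymorphism) would evade these patterns, as the slides note.
SIGNATURES = {
    "telnet-root-login": re.compile(r"^telnet_login .*\buser=root\b"),
    "picture-email":     re.compile(r"^email_subject You received a picture from a "),
    "auditing-disabled": re.compile(r"^syslog .*auditing disabled", re.IGNORECASE),
}

def signature_alerts(events):
    """Return (host, signature name) for every event matching a known-threat signature."""
    alerts = []
    for ev in events:
        text = f"{ev.etype} {ev.detail}"
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                alerts.append((ev.host, name))
    return alerts

# Anomaly-based: profile = normal behaviour learned by observation over time.
# Constructed history: failed login attempts per host per hour, 8 observations each.
FAILED_LOGIN_HISTORY = {
    "web01": [1, 0, 2, 1, 0, 1, 2, 1],
    "db01":  [0, 0, 1, 0, 0, 0, 1, 0],
}

def build_profile(history, min_sigma=1.0):
    """Static profile: (mean, std dev) per host.  A floor on sigma avoids alerting on
    every tiny change for hosts whose history is almost constant.  Because the
    profile is built once and not updated from live traffic, it cannot be drifted
    upward by an attacker slowly increasing activity (the slides' dynamic-profile risk);
    the trade-off is false positives if legitimate usage patterns change."""
    return {host: (mean(counts), max(pstdev(counts), min_sigma))
            for host, counts in history.items()}

def anomaly_alerts(profile, current, k=3.0):
    """Flag hosts whose current count exceeds mean + k*sigma.  A host with no profile
    cannot be judged and is reported separately so an analyst can build one."""
    alerts = []
    for host, count in current.items():
        if host not in profile:
            alerts.append((host, "no-profile"))
            continue
        mu, sigma = profile[host]
        threshold = mu + k * sigma
        if count > threshold:
            alerts.append((host, f"failed-logins {count} exceeds {threshold:.1f}"))
    return alerts

# Constructed "current hour" counts: db01 is far above its profile, new-host has none.
CURRENT_FAILED_LOGINS = {"web01": 3, "db01": 40, "new-host": 5}

if __name__ == "__main__":
    for alert in signature_alerts(SAMPLE_EVENTS):
        print("signature:", alert)
    for alert in anomaly_alerts(build_profile(FAILED_LOGIN_HISTORY), CURRENT_FAILED_LOGINS):
        print("anomaly:  ", alert)
```

The anomaly half only reports that db01's count is far outside its profile, not why; that is the slides' point about anomaly alerts being hard for an analyst to explain, which is where the signature hits and the raw events become the supporting evidence.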

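Stateful protocol analysis as described in the slides above, as an added example that is not part of the course material: a toy Python analyzer that walks one client-to-server command stream of a simplified SMTP-like protocol against a per-state table of expected commands, applies a minimum/maximum argument-length reasonableness check per command, and records the authenticator presented with AUTH so an analyst can tie later activity to it. The state table and length bounds are illustrative assumptions, not a full RFC 5321 model, and the two sessions are constructed.

```python
"""Added example (not from the COEN 250 slides): toy stateful protocol analysis of a
simplified SMTP-like command stream.  The transition table, the argument-length
bounds and the sample sessions are illustrative assumptions."""

# Protocol model: for each state, the commands that are acceptable and the state they
# lead to.  Anything else is an "unexpected sequence of commands".
TRANSITIONS = {
    "connected": {"HELO": "greeted", "EHLO": "greeted", "QUIT": "closed"},
    "greeted":   {"AUTH": "greeted", "MAIL": "mail", "RSET": "greeted", "QUIT": "closed"},
    "mail":      {"RCPT": "rcpt", "RSET": "greeted", "QUIT": "closed"},
    "rcpt":      {"RCPT": "rcpt", "DATA": "data", "RSET": "greeted", "QUIT": "closed"},
    "data":      {"MAIL": "mail", "RSET": "greeted", "QUIT": "closed"},
}

# Reasonableness check per command: (min, max) length of the argument string.
# Bounds are assumed for the example; a real model takes them from the standard.
ARG_BOUNDS = {
    "HELO": (1, 255), "EHLO": (1, 255), "AUTH": (1, 512),
    "MAIL": (6, 320), "RCPT": (4, 320),
    "DATA": (0, 0), "RSET": (0, 0), "QUIT": (0, 0),
}

def analyze_session(lines):
    """Return (final_state, session_info, alerts) for one command stream.

    alerts is a list of (line number, reason).  A command the model does not accept in
    the current state is reported and the state is left unchanged, so later commands
    are still judged against the last known-good state."""
    state = "connected"
    session = {"authenticator": None, "commands": 0}
    alerts = []
    for lineno, line in enumerate(lines, 1):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        session["commands"] += 1
        if verb not in ARG_BOUNDS:
            alerts.append((lineno, f"unknown command {verb!r}"))
            continue
        lo, hi = ARG_BOUNDS[verb]
        if not lo <= len(arg) <= hi:
            alerts.append((lineno, f"{verb} argument length {len(arg)} outside [{lo}, {hi}]"))
        allowed = TRANSITIONS[state]
        if verb not in allowed:
            alerts.append((lineno, f"{verb} not expected in state {state!r}"))
            continue
        if verb == "AUTH":
            session["authenticator"] = arg   # kept per session for the analyst
        state = allowed[verb]
        if state == "closed":
            break
    return state, session, alerts

# Constructed sessions.  The benign one is fully protocol-compliant; note that a
# compliant session carrying a malicious message body would pass this analysis
# unremarked, which is the slides' "cannot detect attacks that do not violate a
# protocol" limitation.
BENIGN_SESSION = [
    "EHLO mail.example.test",
    "AUTH PLAIN dXNlcgBwYXNz",
    "MAIL FROM:<a@example.test>",
    "RCPT TO:<b@example.test>",
    "DATA",
    "QUIT",
]
SUSPICIOUS_SESSION = [
    "RCPT TO:<b@example.test>",      # RCPT before any greeting or MAIL
    "HELO " + "A" * 300,             # argument far beyond the assumed maximum
    "MAIL FROM:<a@example.test>",
    "DATA",                          # DATA without any RCPT
]

if __name__ == "__main__":
    for name, sess in (("benign", BENIGN_SESSION), ("suspicious", SUSPICIOUS_SESSION)):
        state, info, alerts = analyze_session(sess)
        print(name, state, info, alerts)
```

The "stay in the last known-good state" choice on an unexpected command is one of several possible policies; a stricter analyzer could mark the whole session as non-conformant instead, and the slides' caveat about underspecified standards and non-compliant implementations is exactly the reason this choice has to be made deliberately.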
