USC CSCI 530 - 07_intrusion (26 pages)



Pages: 26
School: University of Southern California
Course: CSCI 530 - Security Systems


CSCI 530, Spring 2010
CS530 Intrusion Detection
Bill Cheng
http://merlot.usc.edu/cs530-s10/
Copyright William C. Cheng

Intrusion Detection
- Security enforcement mechanisms are not foolproof, so we need a way of knowing when they are not working, or, even better, before they stop working.
- We need ways to:
  - detect insider misuse
  - detect suspicious activities (e.g., is this employee selling information?)

Taxonomy for Intrusion Detection
- What is detected:
  - misuse detection: look for bad behaviors (e.g., virus checker, spam filters); need to download new definition files
  - anomaly detection: look at behavior and detect out-of-profile activities; need to compare against a baseline
- Where detected:
  - network based
  - host based (system logs)
  - application based
- When the attack is detected:
  - real time
  - after the fact (post mortem)

Basis for Detecting Attack
- Systems operating normally:
  - activity conforms to statistically predictable patterns
  - actions do not include attempts to subvert policy
  - actions of processes conform to the policies regarding what they are allowed to do
- E.g., when a system is under attack, you will see an unusual amount of denied accesses.

Rating ID Systems
- False positives: normal activity flagged as intrusion
  - affects administrator workload
  - e.g., port scanners: if you don't have the vulnerability, do not raise an alarm
  - e.g., spam filtering: I filter out all HTML-only e-mails
  - too many of these: denial of service on yourself (the boy who cried wolf)
- False negatives: attacks that are not detected

Anomaly Detection
- How it works:
  - analyze baseline characteristics of system or user behavior and record them; need to have an abstraction or a model
  - compare current characteristics and behavior against the baseline and determine if it is within tolerance (or is it just a statistical fluctuation?)
  - flag differences
- Why it is hard:
  - deciding
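The anomaly-detection loop the slides describe (record a baseline, compare current behavior against it within a tolerance, flag the differences), applied to the slides' own indicator of an unusual number of denied accesses. This is an added example, not code from the lecture notes; the log format, user names, file paths and baseline numbers are constructed for illustration.

```python
import statistics
from collections import Counter
from datetime import datetime

# Constructed baseline: denied accesses per minute recorded during normal
# operation (hypothetical numbers, not from the lecture).
BASELINE_DENIALS_PER_MINUTE = [0, 1, 0, 2, 1, 0, 0, 1, 1, 0, 2, 0, 1, 0, 1]

# Constructed audit-log excerpt in a hypothetical "timestamp user path result" format.
CURRENT_LOG = """\
2010-02-01T09:00:12 alice /srv/hr/handbook.pdf denied
2010-02-01T09:00:40 bob /home/bob/notes.txt allowed
2010-02-01T09:01:03 carol /srv/finance/q1.xls denied
2010-02-01T09:01:09 carol /srv/finance/q2.xls denied
2010-02-01T09:02:15 alice /home/alice/todo.txt allowed
2010-02-01T09:03:01 dave /srv/hr/salaries.csv denied
2010-02-01T09:03:02 dave /srv/hr/reviews.doc denied
2010-02-01T09:03:04 dave /srv/finance/q1.xls denied
2010-02-01T09:03:05 dave /srv/finance/q2.xls denied
2010-02-01T09:03:07 dave /srv/legal/contracts.zip denied
2010-02-01T09:03:09 dave /srv/sales/customers.db denied
2010-02-01T09:03:11 dave /srv/rd/designs.tar denied
"""

def denials_per_minute(log_text):
    """Bucket denied-access events into one-minute windows: {"YYYY-MM-DDTHH:MM": count}.
    Minutes with no denials are absent, which is fine: a count of 0 is never anomalous."""
    counts = Counter()
    for line in log_text.splitlines():
        ts, _user, _path, result = line.split()
        if result == "denied":
            counts[datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:%M")] += 1
    return counts

def baseline_model(samples):
    """The abstraction of 'normal': mean and standard deviation of per-window counts."""
    return statistics.mean(samples), statistics.pstdev(samples)

def flag_anomalies(counts, mean, stdev, k=3.0):
    """Flag windows whose count exceeds the tolerance mean + k*stdev; anything below is
    treated as statistical fluctuation. A smaller k catches more but raises false positives."""
    threshold = mean + k * stdev
    return sorted((minute, c) for minute, c in counts.items() if c > threshold)

if __name__ == "__main__":
    mean, stdev = baseline_model(BASELINE_DENIALS_PER_MINUTE)
    for minute, count in flag_anomalies(denials_per_minute(CURRENT_LOG), mean, stdev):
        print(f"{minute}: {count} denied accesses (tolerance {mean + 3 * stdev:.2f})")
```

With k=3 only the 09:03 burst is flagged and carol's two denials at 09:01 pass as fluctuation; lowering k to 1 flags 09:01 as well, which is the false-positive trade-off the slides' "Rating ID Systems" discusses.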


