Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE

Dr. Clifford Neuman
University of Southern California
Information Sciences Institute

• All proposals replied to. If you do not have a response, send a follow-up message to [email protected].
• End-of-term exam on last regular lecture day.
• Research paper officially due the same day, but no penalty if turned in up to one week late.
• Out of town Friday; see me after class if you would otherwise need to meet me during my Friday office hours.

• Security enforcement mechanisms are not foolproof, so we need a way of knowing when they are not working.
  – Or even better, before they stop working
• We need ways to detect insider misuse

• What is detected
  – Signature based approaches
  – Anomaly detection
• Where detected
  – Network based
  – Host based
  – Application based
• When attack is detected
  – Real time
  – After the fact

• Systems operating normally
  – Activity conforms to statistically predictable patterns.
  – Actions do not include attempts to subvert policy.
  – Actions of processes conform to the policies regarding what they are allowed to do.

• False positives
  – Normal activity flagged as intrusion
    • Affects administrator workload
  – E.g. spam filtering
• False negatives
  – Attacks that are not detected

• How it works
  – Analyze baseline characteristics of system or user behavior and record them.
  – Compare current characteristics and behavior against the baseline.
  – Flag differences
• Why it is hard
  – Deciding how to characterize behavior so that changes reflect intrusions and not normal changes in activities.

• Threshold metrics
  – Number of failed access attempts.
  – Bandwidth consumed.
• State change probabilities (Markov models)
  – Requires training by analyzing normal traces
  – Looking for transitions that don't seem to follow the normal pattern

• Whether activities or code violate site policy.
  – Rule based
  – Signature based.
• Problems
  – Can only detect attacks known in advance.
  – Virus checkers are usually signature based.
  – Many more false negatives (subject to definition)
• Strengths
  – Tend to have fewer false positives.

• Audit vs. Intrusion Detection
• Network Based ID
• Host Based ID
• Application Based ID

• Often based on network sniffing
  – Listening to network traffic as it goes by a sensor node
    • Could be placed in routers or other network components
  – Issues?
    • Placement
    • Load
    • Encrypted traffic
    • Determining intent

• Scan system and application logs
• Report on system state
• Report activity to ID system
• Issues
  – Only get what applications already put into logs
  – Might not understand the intent of an action.

• Application determines what to report to ID system.
  – Based on a policy
• Drawbacks
  – Requires application involvement. Some applications will not report. Authorization functions like GAA-API can help address this limitation.
• Benefits
  – Application understands the objects and entities to which policies apply.

• Collecting data on and reporting events
  – Languages, e.g. CIDF
    • Dr. Tung will talk about this in his lectures.
• Reducing data
  – To reduce network traffic consumed
    • Consider overhead
  – Summarize data
    • Finding relationships

• Collectors
  – Gather raw data
• Director
  – Reduces incoming traffic and finds relationships
• Notifier
  – Accepts data from director and takes appropriate action

• Distributed detection
  – Combining host and network monitoring (DIDS)
  – Autonomous agents (Crosbie and Spafford)

• Intrusion Prevention
  – (marketing buzzword)
• Intrusion Response
  – How to react when an intrusion is detected

  – Notify administrator
  – System or network lockdown
  – Place attacker in controlled
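The anomaly-detection slides (baseline, threshold metrics, Markov state-change probabilities) and the signature-based slide, as an added Python example that is not part of the lecture: it trains a transition model and a failed-login threshold on a constructed normal audit trail, then scores a constructed window, showing the false positive an anomaly detector raises on unusual but legitimate activity and the unknown attack a signature rule misses. The users, actions and the rule set are constructed for illustration.

```python
from collections import Counter, defaultdict
# Constructed audit trail of normal activity, not from the lecture: (user, action) in time order.
BASELINE = [
    ("alice", "login"), ("alice", "read"), ("alice", "read"), ("alice", "logout"),
    ("alice", "login"), ("alice", "read"), ("alice", "write"), ("alice", "logout"),
    ("bob", "login"), ("bob", "read"), ("bob", "logout"),
    ("bob", "login_fail"), ("bob", "login"), ("bob", "read"), ("bob", "logout"),
]
# Constructed window to score: alice is unusual but legitimate, mallory fails logins then spawns a shell.
WINDOW = [
    ("alice", "login"), ("alice", "write"), ("alice", "write"), ("alice", "logout"),
    ("mallory", "login_fail"), ("mallory", "login_fail"), ("mallory", "login_fail"),
    ("mallory", "login_fail"), ("mallory", "login"), ("mallory", "exec_shell"),
]

def per_user_sequences(events):
    """Group actions into one ordered trace per user."""
    seqs = defaultdict(list)
    for user, action in events:
        seqs[user].append(action)
    return seqs

def train_markov(events):
    """Baseline: state-change probabilities P(next | current) learned from normal traces."""
    counts = defaultdict(Counter)
    for seq in per_user_sequences(events).values():
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    return {cur: {n: c / sum(nxts.values()) for n, c in nxts.items()}
            for cur, nxts in counts.items()}

def markov_anomalies(model, events, min_prob=0.05):
    """Anomaly detection: flag transitions unseen (or rarer than min_prob) in the baseline."""
    flagged = []
    for user, seq in per_user_sequences(events).items():
        for cur, nxt in zip(seq, seq[1:]):
            if model.get(cur, {}).get(nxt, 0.0) < min_prob:
                flagged.append((user, cur, nxt))
    return flagged

def threshold_anomalies(events, max_failures=3):
    """Threshold metric: users whose failed access attempts exceed max_failures."""
    fails = Counter(u for u, a in events if a == "login_fail")
    return sorted(u for u, n in fails.items() if n > max_failures)
# Constructed signature set: only attacks known in advance can be matched.
SIGNATURES = {"exec_shell": "shell spawned from interactive session"}

def signature_hits(events):
    """Signature/rule based detection: exact match against known-bad actions."""
    return [(u, SIGNATURES[a]) for u, a in events if a in SIGNATURES]
```

Mallory's repeated failed logins are caught only by the threshold and Markov detectors, not by the signature set, while alice's login-then-write sequence is a Markov false positive of the kind the slides describe.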