SlideShare una empresa de Scribd logo

Intrusion detection

Descargar como PPTX, PDF
CAS
CAS

8.1 Intruders 8.2 Classes of intruders 8.3 Examples of Intrusion 8.4 Security Intrusion & Detection 8.5 Intrusion Techniques 8.6 Intrusion Detection Systems 8.7 IDS Principles 8.8 IDS Requirements 8.9 Host-Based IDS 8.10 Network-Based IDS 8.11 Intrusion Detection Exchange Format 8.12 Honeypot

Tecnología
1 de 25
1 INTRUSION DETECTION ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection Mr. RAJASEKAR RAMALINGAM Department of IT, College of Applied Sciences, Sur. Sultanate of Oman. http://vrrsekar.wixsite.com/raja Based on William Stallings, Lawrie Brown, Computer Security: Principles and Practice, Third Edition
CONTENT 8.1 Intruders 8.2 Classes of intruders 8.3 Examples of Intrusion 8.4 Security Intrusion & Detection 8.5 Intrusion Techniques 8.6 Intrusion Detection Systems 8.7 IDS Principles 8.8 IDS Requirements 8.9 Host-Based IDS 8.10 Network-Based IDS 8.11 Intrusion Detection Exchange Format 8.12 Honeypot ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 2
8.1 INTRUDERS • A significant security problem for networked systems is unwanted trespass by users or software. 1) User trespass: Unauthorized logon to a machine, acquisition of privileges or performance of actions beyond those that have been authorized. 2) Software trespass: Form of a virus, worm, or Trojan horse. ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 3
8.2 Classes of intruders: ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 4
8.3 Examples of Intrusion • Remote root compromise • Web server defacement • Guessing / cracking passwords • Copying viewing sensitive data / databases • Running a packet sniffer • Distributing pirated software • Using an unsecured modem to access net • Impersonating a user to reset password • Using an unattended workstation ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 5
8.4 Security Intrusion & Detection 1) Security Intrusion A security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so. 2) Intrusion Detection A security service that monitors and analyzes system events for the purpose of finding, and providing real- time or near real-time warning of attempts to access system resources in an unauthorized manner. ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 6
8.5 Intrusion Techniques • Objective is to gain access to or increase privileges on a system. • Most initial attacks use system or software vulnerabilities that allow a user to execute code – To opens a back door into the system. E.g., buffer overflow. – To gain protected information. E.g., password. • Intruder behavior patterns – Hacker – Criminal Enterprise – Internal threat ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 7
8.5.1 Hackers • Motivated by thrill of access and status – Hacking community is a strong meritocracy. – Status is determined by level of competence. 1 • Select the target using IP lookup tools such as NSLookup, Dig, and others 2 • Map network for accessible services using tools such as NMAP 3 • Identify potentially vulnerable services (in this case, pcAnywhere) 4 • Brute force (guess) pcAnywhere password 5 • Install remote administration tool called DameWare 6 • Wait for administrator to log on and capture his password 7 • Use that password to access remainder of network ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 8
8.5.2 Criminal Enterprise • Organized groups of hackers now a threat – Corporation / government / loosely affiliated gangs – Typically young – Common target is a credit cards on e-commerce server Criminal Enterprise - Patterns of Behavior Act quickly and precisely to make their activities harder to detect Exploit perimeter via vulnerable ports Use Trojan horses (hidden software) to leave back doors for re-entry Use sniffers to capture passwords Do not stick around until noticed ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 9
8.5.3 Insider Attacks • Among most difficult to detect and prevent • Employees have access & systems knowledge Internal Threat - Patterns of Behavior Create network accounts for themselves and their friends Access accounts and applications they wouldn't normally use for their daily jobs E-mail former and prospective employers Conduct furtive instant-messaging chats Visit web sites that cater to disgruntled employees, such as f'dcompany.com Perform large downloads and file copying Access the network during off hours ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 10
8.6 Intrusion Detection Systems • Classify intrusion detection systems (IDSs) as: – Host-based IDS: monitor single host activity – Network-based IDS: monitor network traffic • Logical components: – Sensors - collect data – Analyzers - determine if intrusion has occurred – User interface - manage / direct / view IDS ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 11
8.7 IDS Principles • Assume intruder behavior differs from legitimate users – Expect overlap as shown – Observe deviations from past history – Problems of: • False positives • False negatives • Must compromise ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 12
8.8 IDS Requirements run continually be fault tolerant resist subversion impose a minimal overhead on system configured according to system security policies adapt to changes in systems and users scale to monitor large numbers of systems provide graceful degradation of service allow dynamic reconfiguration ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 13
8.9 Host-Based IDS • Specialized software to monitor system activity to detect suspicious behavior – primary purpose is to detect intrusions, log suspicious events, and send alerts – can detect both external and internal intrusions • Two approaches, often used in combination: – anomaly detection - defines normal/expected behavior • Threshold detection • Profile based – signature detection - defines proper behavior ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 14
8.9.1 Anomaly Detection • Threshold detection – Checks excessive event occurrences over time – Alone a crude and ineffective intruder detector – Must determine both thresholds and time intervals • Profile based – Characterize past behavior of users / groups – Then detect significant deviations – Based on analysis of audit records • Gather metrics: counter, guage, interval timer, resource utilization • Analyze: mean and standard deviation, multivariate, markov process, time series, operational model ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 15
8.9.2 Signature Detection • Observe events on system and applying a set of rules to decide if intruder • Approaches: – Rule-based anomaly detection • Analyze historical audit records for expected behavior, then match with current behavior – Rule-based penetration identification • Rules identify known penetrations / weaknesses • Often by analyzing attack scripts from Internet • Supplemented with rules from security experts ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 16
8.10 Network-Based IDS • Network-based IDS (NIDS) – Monitor traffic at selected points on a network – In (near) real time to detect intrusion patterns – May examine network, transport and/or application level protocol activity directed toward systems • Comprises a number of sensors – Inline (possibly as part of other net device) – Passive (monitors copy of traffic) ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 17
8.10.1 NIDS Sensor Deployment • Inline sensor • inserted into a network segment so that the traffic that it is monitoring must pass through the sensor • Passive sensors • monitors a copy of network traffic ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 18
• Sensor placement: ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 19
8.10.2 NIDS - Intrusion Detection Techniques • Signature detection – At application, transport, network layers; unexpected application services, policy violations • Anomaly detection – of denial of service attacks, scanning, worms • When potential violation detected sensor sends an alert and logs information – Used by analysis module to refine intrusion detection parameters and algorithms – By security admin to improve protection ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 20
8.11 Intrusion Detection Exchange Format ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 21
8.12 Honeypot • Decoy systems designed to: – lure a potential attacker away from critical systems – collect information about the attacker’s activity – encourage the attacker to stay on the system long enough for administrators to respond • filled with fabricated information that a legitimate user of the system wouldn’t access • resource that has no production value – incoming communication is most likely a probe, scan, or attack – outbound communication suggests that the system has probably been compromised • once hackers are within the network, administrators can observe their behavior to figure out defensesITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 22
Honeypot Classifications • Low interaction honeypot – Consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, • but does not execute a full version of those services or systems – Provides a less realistic target – Often sufficient for use as a component of a distributed IDS to warn of imminent attack ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 23
• High interaction honeypot – A real system, with a full operating system, services and applications, • which are instrumented and deployed where they can be accessed by attackers – Is a more realistic target that may occupy an attacker for an extended period – However, it requires significantly more resources – If compromised could be used to initiate attacks on other systems ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 24
Honeypot Deployment ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 25

Recomendados

Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)Papun Papun
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAparna Bhadran
 
Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system gaurav koriya
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system pptSheetal Verma
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPSSantosh Khadsare
 

Recomendados

Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)Papun Papun
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAparna Bhadran
 
Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system gaurav koriya
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system pptSheetal Verma
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPSSantosh Khadsare
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionUmesh Dhital
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Cryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownCryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownInformation Security Awareness Group
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyMd. Afif Al Mamun
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And PreventionNicholas Davis
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtNitin Bisht
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection SystemMohit Belwal
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intrudersrajakhurram
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Security Attacks.ppt
Security Attacks.pptSecurity Attacks.ppt
Security Attacks.pptZaheer720515
 
Network attacks
Network attacksNetwork attacks
Network attacksManjushree Mashal
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric CryptographyUTD Computer Security Group
 
Advanced cryptography and implementation
Advanced cryptography and implementationAdvanced cryptography and implementation
Advanced cryptography and implementationAkash Jadhav
 
Intruders
IntrudersIntruders
Intruderstechn
 
Types of attacks
Types of attacksTypes of attacks
Types of attacksVivek Gandhi
 
Network security
Network securityNetwork security
Network securityEstiak Khan
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Unit-5.pptx
Unit-5.pptxUnit-5.pptx
Unit-5.pptxRoyBokhiriya
 
IS - Firewall
IS - FirewallIS - Firewall
IS - FirewallFumikageTokoyami4
 

Más contenido relacionado

La actualidad más candente

Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionUmesh Dhital
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyMd. Afif Al Mamun
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And PreventionNicholas Davis
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtNitin Bisht
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection SystemMohit Belwal
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intrudersrajakhurram
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Security Attacks.ppt
Security Attacks.pptSecurity Attacks.ppt
Security Attacks.pptZaheer720515
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Advanced cryptography and implementation
Advanced cryptography and implementationAdvanced cryptography and implementation
Advanced cryptography and implementationAkash Jadhav
 
Intruders
IntrudersIntruders
Intruderstechn
 
Network security
Network securityNetwork security
Network securityEstiak Khan
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 

La actualidad más candente (20)

Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
 
Cryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownCryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie Brown
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin Bisht
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection System
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intruders
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Security Attacks.ppt
Security Attacks.pptSecurity Attacks.ppt
Security Attacks.ppt
 
Network attacks
Network attacksNetwork attacks
Network attacks
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric Cryptography
 
Advanced cryptography and implementation
Advanced cryptography and implementationAdvanced cryptography and implementation
Advanced cryptography and implementation
 
Intruders
IntrudersIntruders
Intruders
 
Types of attacks
Types of attacksTypes of attacks
Types of attacks
 
Network security
Network securityNetwork security
Network security
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 

Similar a Intrusion detection

Intruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptxIntruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptxSriK49
 
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdfFALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdfthilakrajc
 
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet KolkataSecurity Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkataamiyadutta
 
BAIT1103 Chapter 7
BAIT1103 Chapter 7BAIT1103 Chapter 7
BAIT1103 Chapter 7limsh
 
M.Tech. IDS Lecture-Mid Term.pptx
M.Tech. IDS Lecture-Mid Term.pptxM.Tech. IDS Lecture-Mid Term.pptx
M.Tech. IDS Lecture-Mid Term.pptxpawandeoli1
 
M.Tech. IDS Lecture by graphic era university
M.Tech. IDS Lecture by graphic era universityM.Tech. IDS Lecture by graphic era university
M.Tech. IDS Lecture by graphic era universitypheonix4
 
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptFALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptuseonlyfortech140
 
Intrusion detection 2001
Intrusion detection 2001Intrusion detection 2001
Intrusion detection 2001eaiti
 
Computer Security: Principles of Information Security
Computer Security: Principles of Information SecurityComputer Security: Principles of Information Security
Computer Security: Principles of Information Securityelipanganiban15
 
Network and web security
Network and web securityNetwork and web security
Network and web securityNitesh Saitwal
 
VMI based malware detection in virtual environment
VMI based malware detection in virtual environmentVMI based malware detection in virtual environment
VMI based malware detection in virtual environmentAyush Gargya
 
information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...Zara Nawaz
 
Chapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdfChapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdfAschalewAyele2
 
Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)Wail Hassan
 

Similar a Intrusion detection (20)

Unit-5.pptx
Unit-5.pptxUnit-5.pptx
Unit-5.pptx
 
IS - Firewall
IS - FirewallIS - Firewall
IS - Firewall
 
Intruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptxIntruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptx
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
 
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdfFALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
 
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet KolkataSecurity Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
 
BAIT1103 Chapter 7
BAIT1103 Chapter 7BAIT1103 Chapter 7
BAIT1103 Chapter 7
 
M.Tech. IDS Lecture-Mid Term.pptx
M.Tech. IDS Lecture-Mid Term.pptxM.Tech. IDS Lecture-Mid Term.pptx
M.Tech. IDS Lecture-Mid Term.pptx
 
M.Tech. IDS Lecture by graphic era university
M.Tech. IDS Lecture by graphic era universityM.Tech. IDS Lecture by graphic era university
M.Tech. IDS Lecture by graphic era university
 
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptFALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
 
Ethical hacking
Ethical hacking Ethical hacking
Ethical hacking
 
Cyber intrusion
Cyber intrusionCyber intrusion
Cyber intrusion
 
Intrusion detection 2001
Intrusion detection 2001Intrusion detection 2001
Intrusion detection 2001
 
Computer Security: Principles of Information Security
Computer Security: Principles of Information SecurityComputer Security: Principles of Information Security
Computer Security: Principles of Information Security
 
Network and web security
Network and web securityNetwork and web security
Network and web security
 
VMI based malware detection in virtual environment
VMI based malware detection in virtual environmentVMI based malware detection in virtual environment
VMI based malware detection in virtual environment
 
ch08.ppt
ch08.pptch08.ppt
ch08.ppt
 
information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...
 
Chapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdfChapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdf
 
Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)
 

Más de CAS

CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs CollectionCCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs CollectionCAS
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5CAS
 
RRB JE Stage 2 Computer and Applications Questions Part 4
RRB JE Stage 2 Computer and Applications Questions Part 4RRB JE Stage 2 Computer and Applications Questions Part 4
RRB JE Stage 2 Computer and Applications Questions Part 4CAS
 
RRB JE Stage 2 Computer and Applications Questions part 3
RRB JE Stage 2 Computer and Applications Questions part 3RRB JE Stage 2 Computer and Applications Questions part 3
RRB JE Stage 2 Computer and Applications Questions part 3CAS
 
RRB JE Stage 2 Computer and Applications Questions Part 2
RRB JE Stage 2 Computer and Applications Questions Part 2RRB JE Stage 2 Computer and Applications Questions Part 2
RRB JE Stage 2 Computer and Applications Questions Part 2CAS
 
RRB JE Stage 2 Computer and Applications Questions Part 1
RRB JE Stage 2 Computer and Applications Questions Part 1RRB JE Stage 2 Computer and Applications Questions Part 1
RRB JE Stage 2 Computer and Applications Questions Part 1CAS
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT SecurityCAS
 
Introduction to research methodology
Introduction to research methodologyIntroduction to research methodology
Introduction to research methodologyCAS
 
Can you solve this
Can you solve thisCan you solve this
Can you solve thisCAS
 
Symmetric encryption and message confidentiality
Symmetric encryption and message confidentialitySymmetric encryption and message confidentiality
Symmetric encryption and message confidentialityCAS
 
Public key cryptography and message authentication
Public key cryptography and message authenticationPublic key cryptography and message authentication
Public key cryptography and message authenticationCAS
 
Malicious software
Malicious softwareMalicious software
Malicious softwareCAS
 
Legal and ethical aspects
Legal and ethical aspectsLegal and ethical aspects
Legal and ethical aspectsCAS
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessmentCAS
 
It security controls, plans, and procedures
It security controls, plans, and proceduresIt security controls, plans, and procedures
It security controls, plans, and proceduresCAS
 
Human resources security
Human resources securityHuman resources security
Human resources securityCAS
 
Database security
Database securityDatabase security
Database securityCAS
 
Cryptographic tools
Cryptographic toolsCryptographic tools
Cryptographic toolsCAS
 
Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)CAS
 
IP Security Part 2
IP Security Part 2IP Security Part 2
IP Security Part 2CAS
 

Más de CAS (20)

CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs CollectionCCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5
 
RRB JE Stage 2 Computer and Applications Questions Part 4
RRB JE Stage 2 Computer and Applications Questions Part 4RRB JE Stage 2 Computer and Applications Questions Part 4
RRB JE Stage 2 Computer and Applications Questions Part 4
 
RRB JE Stage 2 Computer and Applications Questions part 3
RRB JE Stage 2 Computer and Applications Questions part 3RRB JE Stage 2 Computer and Applications Questions part 3
RRB JE Stage 2 Computer and Applications Questions part 3
 
RRB JE Stage 2 Computer and Applications Questions Part 2
RRB JE Stage 2 Computer and Applications Questions Part 2RRB JE Stage 2 Computer and Applications Questions Part 2
RRB JE Stage 2 Computer and Applications Questions Part 2
 
RRB JE Stage 2 Computer and Applications Questions Part 1
RRB JE Stage 2 Computer and Applications Questions Part 1RRB JE Stage 2 Computer and Applications Questions Part 1
RRB JE Stage 2 Computer and Applications Questions Part 1
 
Introduction to IoT Security
Introduction to IoT SecurityIntroduction to IoT Security
Introduction to IoT Security
 
Introduction to research methodology
Introduction to research methodologyIntroduction to research methodology
Introduction to research methodology
 
Can you solve this
Can you solve thisCan you solve this
Can you solve this
 
Symmetric encryption and message confidentiality
Symmetric encryption and message confidentialitySymmetric encryption and message confidentiality
Symmetric encryption and message confidentiality
 
Public key cryptography and message authentication
Public key cryptography and message authenticationPublic key cryptography and message authentication
Public key cryptography and message authentication
 
Malicious software
Malicious softwareMalicious software
Malicious software
 
Legal and ethical aspects
Legal and ethical aspectsLegal and ethical aspects
Legal and ethical aspects
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 
It security controls, plans, and procedures
It security controls, plans, and proceduresIt security controls, plans, and procedures
It security controls, plans, and procedures
 
Human resources security
Human resources securityHuman resources security
Human resources security
 
Database security
Database securityDatabase security
Database security
 
Cryptographic tools
Cryptographic toolsCryptographic tools
Cryptographic tools
 
Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)Internet security association and key management protocol (isakmp)
Internet security association and key management protocol (isakmp)
 
IP Security Part 2
IP Security Part 2IP Security Part 2
IP Security Part 2
 

Último

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Último (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Intrusion detection

  • 1. 1 INTRUSION DETECTION ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection Mr. RAJASEKAR RAMALINGAM Department of IT, College of Applied Sciences, Sur. Sultanate of Oman. http://vrrsekar.wixsite.com/raja Based on William Stallings, Lawrie Brown, Computer Security: Principles and Practice, Third Edition
  • 2. CONTENT 8.1 Intruders 8.2 Classes of intruders 8.3 Examples of Intrusion 8.4 Security Intrusion & Detection 8.5 Intrusion Techniques 8.6 Intrusion Detection Systems 8.7 IDS Principles 8.8 IDS Requirements 8.9 Host-Based IDS 8.10 Network-Based IDS 8.11 Intrusion Detection Exchange Format 8.12 Honeypot ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 2
  • 3. 8.1 INTRUDERS • A significant security problem for networked systems is unwanted trespass by users or software. 1) User trespass: Unauthorized logon to a machine, acquisition of privileges or performance of actions beyond those that have been authorized. 2) Software trespass: Form of a virus, worm, or Trojan horse. ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 3
  • 4. 8.2 Classes of intruders: ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 4
  • 5. 8.3 Examples of Intrusion • Remote root compromise • Web server defacement • Guessing / cracking passwords • Copying viewing sensitive data / databases • Running a packet sniffer • Distributing pirated software • Using an unsecured modem to access net • Impersonating a user to reset password • Using an unattended workstation ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 5
  • 6. 8.4 Security Intrusion & Detection 1) Security Intrusion A security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so. 2) Intrusion Detection A security service that monitors and analyzes system events for the purpose of finding, and providing real- time or near real-time warning of attempts to access system resources in an unauthorized manner. ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 6
  • 7. 8.5 Intrusion Techniques • Objective is to gain access to or increase privileges on a system. • Most initial attacks use system or software vulnerabilities that allow a user to execute code – To opens a back door into the system. E.g., buffer overflow. – To gain protected information. E.g., password. • Intruder behavior patterns – Hacker – Criminal Enterprise – Internal threat ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 7
  • 8. 8.5.1 Hackers • Motivated by thrill of access and status – Hacking community is a strong meritocracy. – Status is determined by level of competence. 1 • Select the target using IP lookup tools such as NSLookup, Dig, and others 2 • Map network for accessible services using tools such as NMAP 3 • Identify potentially vulnerable services (in this case, pcAnywhere) 4 • Brute force (guess) pcAnywhere password 5 • Install remote administration tool called DameWare 6 • Wait for administrator to log on and capture his password 7 • Use that password to access remainder of network ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 8
  • 9. 8.5.2 Criminal Enterprise • Organized groups of hackers now a threat – Corporation / government / loosely affiliated gangs – Typically young – Common target is a credit cards on e-commerce server Criminal Enterprise - Patterns of Behavior Act quickly and precisely to make their activities harder to detect Exploit perimeter via vulnerable ports Use Trojan horses (hidden software) to leave back doors for re-entry Use sniffers to capture passwords Do not stick around until noticed ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 9
  • 10. 8.5.3 Insider Attacks • Among most difficult to detect and prevent • Employees have access & systems knowledge Internal Threat - Patterns of Behavior Create network accounts for themselves and their friends Access accounts and applications they wouldn't normally use for their daily jobs E-mail former and prospective employers Conduct furtive instant-messaging chats Visit web sites that cater to disgruntled employees, such as f'dcompany.com Perform large downloads and file copying Access the network during off hours ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 10
  • 11. 8.6 Intrusion Detection Systems • Classify intrusion detection systems (IDSs) as: – Host-based IDS: monitor single host activity – Network-based IDS: monitor network traffic • Logical components: – Sensors - collect data – Analyzers - determine if intrusion has occurred – User interface - manage / direct / view IDS ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 11
  • 12. 8.7 IDS Principles • Assume intruder behavior differs from legitimate users – Expect overlap as shown – Observe deviations from past history – Problems of: • False positives • False negatives • Must compromise ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 12
  • 13. 8.8 IDS Requirements run continually be fault tolerant resist subversion impose a minimal overhead on system configured according to system security policies adapt to changes in systems and users scale to monitor large numbers of systems provide graceful degradation of service allow dynamic reconfiguration ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 13
  • 14. 8.9 Host-Based IDS • Specialized software to monitor system activity to detect suspicious behavior – primary purpose is to detect intrusions, log suspicious events, and send alerts – can detect both external and internal intrusions • Two approaches, often used in combination: – anomaly detection - defines normal/expected behavior • Threshold detection • Profile based – signature detection - defines proper behavior ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 14
  • 15. 8.9.1 Anomaly Detection • Threshold detection – Checks excessive event occurrences over time – Alone a crude and ineffective intruder detector – Must determine both thresholds and time intervals • Profile based – Characterize past behavior of users / groups – Then detect significant deviations – Based on analysis of audit records • Gather metrics: counter, guage, interval timer, resource utilization • Analyze: mean and standard deviation, multivariate, markov process, time series, operational model ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 15
  • 16. 8.9.2 Signature Detection • Observe events on system and applying a set of rules to decide if intruder • Approaches: – Rule-based anomaly detection • Analyze historical audit records for expected behavior, then match with current behavior – Rule-based penetration identification • Rules identify known penetrations / weaknesses • Often by analyzing attack scripts from Internet • Supplemented with rules from security experts ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 16
  • 17. 8.10 Network-Based IDS • Network-based IDS (NIDS) – Monitor traffic at selected points on a network – In (near) real time to detect intrusion patterns – May examine network, transport and/or application level protocol activity directed toward systems • Comprises a number of sensors – Inline (possibly as part of other net device) – Passive (monitors copy of traffic) ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 17
  • 18. 8.10.1 NIDS Sensor Deployment • Inline sensor • inserted into a network segment so that the traffic that it is monitoring must pass through the sensor • Passive sensors • monitors a copy of network traffic ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 18
  • 19. • Sensor placement: ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 19
  • 20. 8.10.2 NIDS - Intrusion Detection Techniques • Signature detection – At application, transport, network layers; unexpected application services, policy violations • Anomaly detection – of denial of service attacks, scanning, worms • When potential violation detected sensor sends an alert and logs information – Used by analysis module to refine intrusion detection parameters and algorithms – By security admin to improve protection ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 20
  • 21. 8.11 Intrusion Detection Exchange Format ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 21
  • 22. 8.12 Honeypot • Decoy systems designed to: – lure a potential attacker away from critical systems – collect information about the attacker’s activity – encourage the attacker to stay on the system long enough for administrators to respond • filled with fabricated information that a legitimate user of the system wouldn’t access • resource that has no production value – incoming communication is most likely a probe, scan, or attack – outbound communication suggests that the system has probably been compromised • once hackers are within the network, administrators can observe their behavior to figure out defensesITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 22
  • 23. Honeypot Classifications • Low interaction honeypot – Consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, • but does not execute a full version of those services or systems – Provides a less realistic target – Often sufficient for use as a component of a distributed IDS to warn of imminent attack ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 23
  • 24. • High interaction honeypot – A real system, with a full operating system, services and applications, • which are instrumented and deployed where they can be accessed by attackers – Is a more realistic target that may occupy an attacker for an extended period – However, it requires significantly more resources – If compromised could be used to initiate attacks on other systems ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 24
  • 25. Honeypot Deployment ITSY3104 COMPUTER SECURITY - A - LECTURE 8 - Intrusion Detection 25