Intrusion Detection
By
Vidya Satyanarayanan
What is Intrusion?
Intrusion is an unauthorized attempt, successful or not, to access, alter, render unavailable, or destroy information on a system, or the system itself.
The art of detecting such activities is known as Intrusion Detection.
How do Intruders get into systems?
Physical Intrusion
System Intrusion
Remote Intrusion
Why can intruders get into systems?
Software bugs
System configuration
Password cracking
  1. Clear-text sniffing
  2. Encrypted sniffing
  3. Replay attack
  4. Password file stealing
Intrusion Detection Systems
IDSs fall into 2 categories:
1. Network-based IDSs
2. Host-based IDSs
Host-based IDSs
A host monitor looks at system logs for evidence of malicious or suspicious application activity.
Logging is more detailed, but only successful intrusions can be tracked.
Monitoring happens on the host, so a successful attack can bring down the system and terminate the monitoring along with it.
Can monitor changes to critical system files and changes in user privileges.
Can monitor TCP port activity and notify the system admin when specific ports are accessed.
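As an added illustration of the file-monitoring capability described above (example code written for this page, not the presenter's own nor any product's), the following Python script takes a SHA-256 baseline of a directory tree, re-scans it later, and reports modified, added and removed files, which is the core of what a host monitor does for critical system files. The directory, its contents and the tampering are constructed in a temporary folder; the function names `build_baseline`, `compare_baselines` and `demo` are this example's own.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Symlinks are skipped: hashing the target would hide a swapped link.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare_baselines(old, new):
    """Return the three kinds of change a host monitor reports, each sorted."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo():
    """Constructed scenario: take a baseline, alter the tree, re-scan and diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Changes made after the baseline (constructed for the example, not a real incident):
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("extra:x:1001:1001::/home/extra:/bin/sh\n")  # new account appended
        with open(os.path.join(etc, "rc.local"), "w") as f:
            f.write("#!/bin/sh\n")                                # new startup file
        os.remove(os.path.join(etc, "hosts"))                     # file deleted

        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline would be stored off-host (or signed), because an attacker who gains control of the host can rewrite a baseline kept beside the files it describes; that is the same weakness the slides note for host-based monitoring in general.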
Drawbacks of Host-based IDSs
Host-based IDSs are not real-time.
Tedious to secure the whole network host by host.
Some Advantages:
Can identify non-network-based attacks, such as the activities of applications and processes running on the host.
More likely to catch unknown attacks.
Network-based IDSs
A network monitor watches live network packets and looks for signs of computer crime, network attacks, network misuse and anomalies.
Can detect denial-of-service attacks such as:
Ping-of-Death
SYN Flood
Land/Latierra
Network-based IDSs become less effective as network traffic increases.
How are intrusions detected?
Anomaly Detection (profile-based)
Misuse Detection (signature-based)
Misuse Detection
Recognizes known attacks based on signatures and patterns. Starts defending the network immediately upon installation. Has a low false alarm (false positive) rate. Effective only against known threats. Ineffective against passive attacks such as network sniffing, wiretaps, and IP or sequence number spoofing. The signature database must be updated constantly.
Anomaly Detection
Baseline measurements of "normal" user activity are developed, and anything that deviates from normal is detected.
Needs a lot of historical data to build an accurate model.
Can detect attempts to exploit new vulnerabilities.
Produces a high rate of false alarms.
Can detect fraudulent activity by a privileged insider.
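To make the contrast between misuse and anomaly detection concrete, here is an added Python example (written for this page, not part of the presentation) that runs both over constructed log lines: a signature matcher for misuse detection and a learned per-source volume threshold for anomaly detection. The log format, the IP addresses, the signature names and all function names are invented for this example; each alert carries the fields a NIDS would log (timestamp, intruder IP, victim IP/port, protocol).

```python
import re
import statistics
from collections import Counter

# Constructed log lines (made up for this example, not captured from any real system).
# One line per request:  <timestamp> <src_ip> <dst_ip>:<dst_port> <proto> <request>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (.*)$")


def make_lines(src, n, request="GET /index.html", ts="2024-01-01T10:00:00Z"):
    """Fabricate n normal-looking requests from one source (test data only)."""
    return [f"{ts} {src} 192.0.2.10:80 tcp {request}" for _ in range(n)]


# Historical traffic used to learn what "normal" per-source volume looks like.
HISTORICAL = (make_lines("203.0.113.1", 3) + make_lines("203.0.113.2", 4)
              + make_lines("203.0.113.3", 3) + make_lines("203.0.113.4", 5)
              + make_lines("203.0.113.5", 4))

# Live traffic to examine: mostly normal, one known-bad request, one unusually noisy source.
LIVE = (make_lines("203.0.113.2", 4)
        + ["2024-01-01T10:05:00Z 203.0.113.7 192.0.2.10:80 tcp GET /cgi-bin/../../etc/passwd"]
        + make_lines("203.0.113.9", 12))

# Misuse detection: signatures for attack patterns that are already known.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "passwd-file-request": re.compile(r"/etc/passwd"),
}


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, src, dst, port, proto, request = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "request": request}


def make_alert(kind, rec):
    """The record a NIDS would log: timestamp, intruder, victim IP/port, protocol."""
    return {"kind": kind, "timestamp": rec["ts"], "intruder": rec["src"],
            "victim": f'{rec["dst"]}:{rec["port"]}', "protocol": rec["proto"]}


def misuse_detect(lines):
    """Flag every request matching a known signature; anything unknown passes through."""
    alerts = []
    for rec in map(parse, lines):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["request"]):
                alerts.append(make_alert("misuse:" + name, rec))
    return alerts


def build_profile(lines, k=3.0):
    """Baseline: requests per source in the historical window; threshold = mean + k*stddev."""
    counts = Counter(parse(line)["src"] for line in lines)
    values = list(counts.values())
    return statistics.mean(values) + k * statistics.pstdev(values)


def anomaly_detect(lines, threshold):
    """Flag any source whose request volume exceeds the learned threshold."""
    recs = [parse(line) for line in lines]
    counts = Counter(r["src"] for r in recs)
    alerts = []
    for src, n in counts.items():
        if n > threshold:
            first = next(r for r in recs if r["src"] == src)
            alert = make_alert("anomaly:volume", first)
            alert["requests"] = n
            alerts.append(alert)
    return alerts


def run():
    threshold = build_profile(HISTORICAL)
    return {"threshold": threshold,
            "misuse": misuse_detect(LIVE),
            "anomaly": anomaly_detect(LIVE, threshold)}


if __name__ == "__main__":
    result = run()
    print(f"anomaly threshold: {result['threshold']:.2f} requests per source")
    for alert in result["misuse"] + result["anomaly"]:
        print(alert)
```

Running it shows the two blind spots the slides list: the single traversal request is caught only by the signatures (the source sent one request, well under the volume threshold), while the source sending twelve requests is flagged only by the baseline, and the baseline alone cannot say whether that source is an attacker or merely a busy legitimate client, which is exactly where anomaly detection's false alarms come from.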
[Diagram: Components of IDS. Elements shown: Activity, Sensor, Normalizer, Rules Engine, "Normal" Activity profile, Known Malicious Activity, Alarming & Reporting.]
What happens after a NIDS detects an attack?
Reconfigure firewall - Configure the firewall to filter out the IP address of the intruder.
Chime - Beep or play a .WAV file.
Log the attack - Save the attack information (timestamp, intruder IP address, victim IP address/port, protocol information).
Launch program - Launch a separate program to handle the event.
Terminate the TCP session - Forge a TCP FIN packet to force the connection to terminate.
Honeypot – a deception system
A honeypot is a system designed to look like something an intruder can hack, for example a machine installed on the network with no purpose other than to log all attempted access.
Network-based IDS Products
CiscoSecure IDS 2.5
ISS RealSecure 7
Dragon 6
NFR
Snort 1.8.6
Host-based IDS Products
RealSecure Server Sensor
DragonSquire
NFR HID
Entercept 2.5