Marmagna Desai [ 520 Presentation]. Intrusion Detection System. Contents. Computer Security Network System IDS - Introduction Intrusion Detection System Network Based (NIDS) Host Based (HIDS) ID Expert Systems IDS Techniques Misuse Detection Anomaly Detection Immune System Approach - PowerPoint PPT Presentation
Intrusion Detection System
Marmagna Desai [520 Presentation]

Contents
- Computer Security
  - Network
  - System
- IDS - Introduction
  - Intrusion Detection System
  - Network Based (NIDS)
  - Host Based (HIDS)
  - ID Expert Systems
- IDS Techniques
  - Misuse Detection
  - Anomaly Detection
  - Immune System Approach
- Architecture
- Requirements
- Conclusion
- References
- Thanks
Computer Security – CIA: Confidentiality, Integrity, Authentication

Network Security: protecting
- Network equipment
- Network servers and transmissions
- Eavesdropping
- Data integrity

System Security
- User access
- Authentication controls
- Assignment of privilege
- Maintaining file and file system integrity
- Monitoring processes
- Log-keeping
- Backups
Intrusion Detection System

IDS - Definition: monitors either a network boundary (Network IDS) or a single host (Host IDS) in real time, looking for patterns that indicate attacks.

Functional Blocks: Sensor, Monitor, Resolver, Controller
- Sensor: system-specific data gathering component. Tracks network traffic, log files and system behaviour.
- Monitor: monitor components get events from the Sensor, correlate events against a behaviour model and produce alerts.
- Resolver: determines the response to alerts, e.g. logging, changing a system mechanism, setting a firewall rule, etc.
- Controller: coordination and administration.
Network IDS
- NIDS sensors collect information from network connections.
- Uses packet sniffing on a NIC in promiscuous mode.
- No auditing/logging required. Agents can be introduced without affecting the data source at NIC level.
- Detects network-level attacks (e.g. SYN attack).
- Cannot scan protocols or the content of network traffic if it is encrypted.
Host IDS
- HIDS sensors collect information reflecting the system activity.
- Based on operating system audit trails, logs and process trees.
- User and application level analysis; process behaviour analysis.
- Operates in encrypted environments.
- Platform specific, large overhead for the OS and higher management/deployment costs.
ID Expert Systems
- A set of system tools working in coordination.
- Users behave in a consistent manner; behaviour can be summarised in a profile.
- The profile can be generated by advanced statistical analysis. An Oracle database is used for profiles.
- Provides real-time response to intrusion.
IDS Approaches

Misuse Detection: models abnormal behaviour.
- E.g. an HTTP request referring to the cmd.exe file.
- Uses pattern matching of system settings and user activities against a database of known attacks (signature analysis).
- Highly efficient – tightly defined signatures. Vulnerable to novel attacks.
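As an added example (not from the slides), a minimal signature-analysis check in the misuse-detection style described above: request paths from constructed web-server log lines are percent-decoded, then matched against a small constructed signature database. Only requests that a signature literally describes raise an alert, which is exactly why this approach is efficient but blind to novel attacks.

```python
"""Signature-based (misuse) detection over web access log lines.
Added example; signatures, regexes and log lines are constructed sample data."""
import re
from urllib.parse import unquote

# Constructed signature database: (name, compiled pattern).
# Tightly defined, so matching is cheap but catches only what is listed.
SIGNATURES = [
    ("cmd.exe request", re.compile(r"cmd\.exe", re.IGNORECASE)),
    ("directory traversal", re.compile(r"(\.\./){2,}")),
]

# Common-log-format style line: ip ident user [time] "METHOD path PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def normalise(path: str) -> str:
    """Decode percent-encoding twice (handles double encoding) and unify slashes,
    so a signature is compared against the form the server would act on."""
    return unquote(unquote(path)).replace("\\", "/")

def match_signatures(path: str) -> list[str]:
    """Names of every signature that matches the normalised request path."""
    norm = normalise(path)
    return [name for name, pat in SIGNATURES if pat.search(norm)]

def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, raw_path, matched_signatures) for each alerting line."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the sensor
        hits = match_signatures(m["path"])
        if hits:
            alerts.append((m["ip"], m["path"], hits))
    return alerts

# Constructed sample log: one benign page, one encoded request for cmd.exe, one image.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200
10.0.0.7 - - [10/Oct/2000:13:55:37 -0700] "GET /scripts/..%2f..%2fcmd.exe?/c+dir HTTP/1.0" 404
10.0.0.9 - - [10/Oct/2000:13:55:38 -0700] "GET /images/logo.png HTTP/1.0" 200
"""

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(f"ALERT {ip} {path} -> {', '.join(hits)}")
```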
Anomaly Detection: models normal behaviour.
- E.g. the expected system calls generated by a user process (root/non-root).
- Statistical profiles for system objects are created by measuring attributes of normal use.
- Detects novel and complex attacks.
- Low efficiency: false positives, i.e. legitimate actions classified as anomalous.
Anomaly Detection - continued

Immune System Approach: models behaviour in terms of sequences of system calls. Sequences are recorded for normal behaviour, error conditions and anomalies.
- Kernel-level system-call monitoring. E.g. the "exec" system call produces a trace in all of the above situations.
Diagram: System Call Execution Process – components: User Process, System Call, System Call Dispatcher, System Call Implementation, Scheduler.

Diagram: Kernel Level System Monitoring – the same components with an IDS Module added; the IDS module can issue a Response, e.g. Delay.
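As an added example (not from the slides), the immune-system approach sketched above reduced to code: normal behaviour is modelled as the set of all length-k windows of system calls seen in normal traces, and a new trace is scored by the fraction of its windows the profile has never seen. The traces, the window length K and the alert threshold are assumptions chosen for illustration; the example also reproduces the false-positive case the Anomaly Detection slide mentions, where a legitimate but previously unseen sequence is flagged.

```python
"""Sequence-of-system-calls anomaly detection (immune-system style).
Added example; all traces are constructed sample data."""
from collections.abc import Iterable

K = 4  # window length (assumption: a small fixed k as in the sequence approach)

def windows(trace: list[str], k: int = K) -> list[tuple[str, ...]]:
    """All contiguous length-k windows of a system-call trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_profile(traces: Iterable[list[str]], k: int = K) -> set[tuple[str, ...]]:
    """Profile of normal behaviour: every window observed in normal traces."""
    profile: set[tuple[str, ...]] = set()
    for t in traces:
        profile.update(windows(t, k))
    return profile

def score(trace: list[str], profile: set, k: int = K) -> tuple[int, int, float]:
    """Return (unseen_windows, total_windows, mismatch_rate) for a trace."""
    w = windows(trace, k)
    if not w:
        return 0, 0, 0.0
    misses = sum(1 for win in w if win not in profile)
    return misses, len(w), misses / len(w)

def classify(trace: list[str], profile: set, threshold: float = 0.2, k: int = K) -> str:
    """Flag a trace whose mismatch rate exceeds the threshold (assumed value)."""
    return "anomaly" if score(trace, profile, k)[2] > threshold else "normal"

# Constructed normal traces of a process that opens, reads, writes and closes a file.
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "read", "read", "read", "write", "close"],
]
# Constructed trace where the same process unexpectedly forks and execs another program.
SUSPECT_TRACE = ["open", "read", "fork", "exec", "write", "close"]
# Constructed legitimate trace whose windows were simply never seen in training
# (the false-positive case: legitimate action classified as anomalous).
LEGIT_BUT_UNSEEN = ["open", "read", "write", "close"]

PROFILE = build_profile(NORMAL_TRACES)

if __name__ == "__main__":
    for name, t in [("normal", NORMAL_TRACES[0]), ("suspect", SUSPECT_TRACE), ("unseen", LEGIT_BUT_UNSEEN)]:
        print(name, score(t, PROFILE), classify(t, PROFILE))
```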
Architecture
- Monolithic: a single application contains sensor, monitor, resolver and controller. Simplest architecture; unable to detect an attack made up of distributed normal events.
- Hierarchic: resolver and controller at the root of the hierarchy, monitors at sub-system (logical group) level, sensors at node level. A centralised controller correlates information from the different monitors and the resolver takes the decision.

Architecture – continued
- Agent based: distributed sensors/monitors/resolver and controller. Multi-hierarchy of monitors. High scalability. Recently used in various IDS.
Requirements
- Accuracy
- Prevention, not just detection
- Broad attack coverage
- Analyze all relevant traffic
- Highly granular detection and response
- Sophisticated forensics and reporting
- Maximum sensor uptime
- Wire-speed performance

Requirements...
- Accuracy: reduced false positives and false negatives; thorough protocol analysis.
- Prevention: real-time prevention; reconfiguration and response; self-learning profiles.
- Broad attack coverage: protects against all attacks.

Requirements...
- Analyze all relevant traffic (NIDS): deploy IDS to suit varying network topologies.
- Granular detection and response: one size does not fit all.
- Forensics and reporting: extensive historic analysis and reports.
- Wire speed: multi-gigabit performance.
Conclusion
- IDS will merge all network components and tools which exist today into a complete and cooperative system, dedicated to keeping networks stable and secure.
- Distributed elements performing specific jobs. Hierarchical correlation and analysis. Novel approaches like AI, data mining, etc.
References
- http://www.securityfocus.com
- http://www.citeseer.com
- "Intrusion Detection Techniques and Approaches" [Theuns Verwoerd and Ray Hunt]
- "Computer System Intrusion Detection: A Survey" [Anita K. Jones and Robert S. Sielken]
- http://www.insecure.org/
- http://nss.co.uk/
Thank You!!
Questions?