Professional Documents
Culture Documents
Lecture 2 - B
Lecture 2 - B
Intrusion Detection
Spring 2013
Review
• Chapter 1: Basic Concepts and Terminology
• Chapter 2: Basic Cryptographic Tools
• Chapter 3 – User Authentication
• Chapter 4 – Access Control Lists
• Chapter 5 – Database Security (skipped)
• Chapter 6 – Malicious Software
• Networking Basics (not in book)
• Chapter 7 – Denial of Service
• Chapter 8 – Intrusion Detection
Chapter 8
Intrusion Detection
Intruders
l two most publicized threats to security are malware and
intruders
l generally referred to as a hacker or cracker
• classes:
masquerader misfeasor clandestine user
l network-based IDS
• sensors - collect data
l monitors network traffic • analyzers - determine if
and analyzes network, intrusion has occurred
transport, and application
protocols to identify • user interface - view
suspicious activity
output or control
system behavior
IDS Principles
Probability
density function
l assume intruder
profile of
profile of authorized user
intruder behavior behavior
behavior differs
overlap in observed
or expected behavior
from legitimate
users
l overlap in
behaviors causes
average behavior
of intruder
average behavior
of authorized user
Measurable behavior
parameter problems
Figure 8.1 Profiles of Behavior of Intruders and Authorized Users
l false positives
l false negatives
IDS Requirements
resist
run continually be fault tolerant
subversion
provide
scale to monitor
graceful allow dynamic
large numbers
degradation of reconfiguration
of systems
service
Host-Based IDS
• adds a specialized layer of security software to
vulnerable or sensitive systems
• monitors activity to detect suspicious behavior
– primary purpose is to detect intrusions, log suspicious
events, and send alerts
– can detect both external and internal intrusions
Host-Based IDS Approaches to
Intrusion Detection
anomaly detection signature detection
• threshold detection
– involves counting the • involves an attempt to
number of occurrences of a define a set of rules or
specific event type over an
interval of time attack patterns that can
be used to decide that a
– profile based given behavior is that of
– profile of the activity of each an intruder
user is developed and used
to detect changes in the
behavior of individual
accounts
native audit
records
• multiuser operating systems include accounting software that
collects information on user activity
• advantage is that no additional collection software is needed
• disadvantage is that records may not contain the needed
information or in a convenient form
detection-specific audit
record
• collection facility that generates records containing only
information required by the IDS
• advantage is that it could be made vendor independent and
ported to a variety of systems
• disadvantage is the extra overhead of having, in effect, two
accounting packages running on a machine
Measures
That May
Be Used For
Intrusion
Detection
Signature Detection
l rule-based anomaly • rule-based penetration
detection identification
l historical audit records are – key feature is the use of
analyzed to identify usage rules for identifying known
patterns penetrations or
penetrations that would
l rules are generated that exploit known weaknesses
describe those patterns
– rules can also be defined
l current behavior is that identify suspicious
matched against the set of behavior
rules
– typically rules are specific
l does not require to the machine and
knowledge of security operating system
vulnerabilities within the
system
l a large database of rules is
needed
USTAT Actions vs. SunOS Event Types
LAN Monitor Host Host
Agent
module
Distributed
Host-
Router Based IDS
Internet
Central Manager
Manager
module
IDS Logic
Alerts Query/
response
Modifications
comprised of a number of
sensors, one or more
analysis of traffic patterns
servers for NIDS
may be done at the sensor,
management functions,
the management server or
and one or more
a combination of the two
management consoles for
the human interface
NIDS Sensor
Deployment Network traffic
Monitoring interface
(no IP, promiscuous mode)
l inline sensor
l inserted into a network NIDS
segment so that the sensor
traffic that it is
monitoring must pass
through the sensor
Management interface
l passive sensors (with IP)
l monitors a copy of
network traffic
Figure 8.4 Passive NIDS Sensor (based on [CREM06])
internal server
and data resource Internet
networks
LAN switch
or router external
firewall
1
workstation
networks
service network
(Web, Mail, DNS, etc.)
4 LAN switch internal
or router firewall
Collaborative
DDI
policies PEP events
Network events
Platform policies
policies Platform
events
Platform
policies
Distributed detection
and inference
Platform
ip
goss events
ta Activity
Intrusion
Da e s or
c
sou
r Sen
Detection Sen
sor
Event
Notification
Format Security
policy
er
nag
Ma
Security
policy
Administrator
Honeypot
Honeypot
Deployment 3
LAN switch
or router
External
firewall
Honeypot
LAN switch
or router
Internal
network Honeypot
Service network
(Web, Mail, DNS, etc.)
• lightweight IDS
– real-time packet capture and rule analysis
– easily deployed on nodes
– uses small amount of memory and processor time
– easily configured Log
Detection
Packet Decoder Engine
Alert