Intrusion Detection - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Intrusion Detection
  • Omer Zaafrany
  • Diana Bakhajian

2
AGENDA
  • Definition / Introduction
  • IDS classification
  • Detection Method
  • Behavior on Detection
  • Audit Source Location
  • Usage frequency
  • Demo
  • Questions

3
Intrusion Detection - Definition
  • Intrusion detection aims at detecting attacks
    against computer systems and networks, or against
    information systems in general, and responding to
    them.
  • An Intrusion Detection System collects information
    from a variety of system and network sources, then
    analyzes the information for signs of intruders.

4
Attackers
  • Legitimate users of the system.
  • External parties.

5
Abuses
  • Abuse of granted privileges.
  • Exploitation of security vulnerabilities.

6
Why do we need it?
  • Confidentiality.
  • Integrity.
  • Availability.

7
Efficiency of IDS measures
  • Accuracy.
  • Performance.
  • Completeness.
  • Fault tolerance.
  • Timeliness.

8
Basic Intrusion Detection (the basic cycle)
  • Monitor
  • Report
  • Respond
9
IDS - classification
  • Detection method
  • Behavior on detection
  • Audit source location
  • Usage frequency

10
Taxonomy of Intrusion Detection Systems (diagram, with Detection Method: Behavior highlighted)
  • Detection Method: Behavior / Knowledge
  • Behavior on Detection: Passive / Active
  • Audit Source Location: Host Log Files / Network Packets
  • Usage frequency: Continuous / Periodic
11
Detection method
  • Describes the characteristics of the analyzer.
  • Behavior-based: uses information about the
    normal behavior of the system it monitors.
  • Knowledge-based: uses information about the
    attacks.

12
Behavior-based (Anomaly) Detection
  • Build a model of normal/valid behavior.
  • Compare the model with the current activity.
  • Behavior that does not correspond to previously
    learned behavior is considered intrusive.

13
Statistics.
  • User/system behavior is measured by a number of
    variables sampled over time.
  • The original model keeps averages of all these
    variables and detects whether thresholds are
    exceeded based on the standard deviation of the
    variable.
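
The statistical model described on this slide, as an added example that is not part of the original presentation: each (user, variable) pair keeps a running mean and standard deviation, and a new sample more than K standard deviations from the mean raises an alarm. The threshold K, the minimum history length and the audit samples are all constructed assumptions.

```python
"""Added example (not from the slides): a minimal statistical anomaly
detector. Per-user variables are sampled over time; the model keeps a
running mean and standard deviation per variable and alarms when a new
sample lies more than K standard deviations from the mean. All values
below are constructed for illustration."""
import math
from collections import defaultdict

K = 3.0          # threshold in standard deviations (assumed policy value)
MIN_SAMPLES = 5  # do not alarm until the profile has enough history


class Profile:
    """Running mean/variance (Welford's method) for one (user, variable)."""
    def __init__(self):
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0   # sum of squared deviations from the running mean

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stddev(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


def check(profiles, user, var, value):
    """Return an alarm string if value is anomalous for this user/variable,
    else None. Only non-alarming samples update the profile, so an intruder
    cannot easily drift the baseline toward abnormal values."""
    p = profiles[(user, var)]
    if p.n >= MIN_SAMPLES:
        sd = p.stddev()
        # a zero stddev means any deviation from the mean is anomalous
        if (sd == 0 and value != p.mean) or (sd > 0 and abs(value - p.mean) > K * sd):
            return f"ALARM user={user} var={var} value={value} mean={p.mean:.1f} sd={sd:.1f}"
    p.update(value)
    return None


def run(samples):
    """samples: iterable of (user, variable, value). Returns the alarms raised."""
    profiles = defaultdict(Profile)
    return [a for a in (check(profiles, u, v, x) for u, v, x in samples) if a]


# constructed audit samples: files opened per hour by user 'alice', then a spike
SAMPLES = [("alice", "files_opened", x) for x in (12, 10, 11, 13, 9, 12, 10, 11)] \
        + [("alice", "files_opened", 340)]
if __name__ == "__main__":
    for alarm in run(SAMPLES):
        print(alarm)
```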

14
Expert systems
  • Checks the actions of users against a set of
    rules that describe the proper usage policy.

15
Neural networks.
  • Learn the behavior of users in the system.
  • Equivalence between ANN (artificial neural
    network) models and statistical models.

16
User Intention Identification
  • Normal user behavior is modeled as a set of high
    level tasks they have to perform on the system.
  • These tasks are then refined into actions, which
    in turn are related to the audit events observed
    on the system.
  • The analyzer keeps a set of tasks that each user
    can perform.
  • Whenever an action occurs that does not fit the
    task pattern, an alarm is issued.

17
Computer immunology
  • This technique builds a model of the normal
    behavior of UNIX network services.
  • Attacks that exploit flaws in the code are likely
    to take unusual execution paths.
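
The computer-immunology idea in miniature, as an added example that is not part of the original presentation: the normal profile of a service is the set of short system-call sequences (n-grams) observed in normal runs, and a trace is flagged when too many of its windows are absent from that profile. The window length, tolerance and all traces are constructed assumptions.

```python
"""Added example (not from the slides): a short-sequence system-call model.
Normal behavior is the set of length-N windows seen in training traces; a
run is anomalous when the fraction of unseen windows exceeds a limit. The
traces are constructed for illustration, not recorded from a real service."""

N = 3             # window length (assumed; short windows are the usual choice)
MAX_UNSEEN = 0.2  # fraction of unseen windows tolerated before alarming (assumed)

# constructed 'normal' traces of a hypothetical network service
NORMAL_TRACES = [
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "write", "write", "close"],
]


def ngrams(trace, n=N):
    """All consecutive length-n windows of a trace, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(traces, n=N):
    """Normal database: every n-gram observed during training."""
    db = set()
    for t in traces:
        db.update(ngrams(t, n))
    return db


def score(profile, trace, n=N):
    """Return (fraction of unseen windows, list of unseen windows)."""
    grams = ngrams(trace, n)
    unseen = [g for g in grams if g not in profile]
    return (len(unseen) / len(grams) if grams else 0.0), unseen


def is_anomalous(profile, trace, n=N, limit=MAX_UNSEEN):
    return score(profile, trace, n)[0] > limit


# a normal-looking run and a run that takes an unusual execution path
NORMAL_RUN = ["socket", "bind", "listen", "accept", "read", "write", "close"]
ODD_RUN = ["socket", "bind", "listen", "accept", "read", "execve", "dup2", "write", "close"]

if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    for trace in (NORMAL_RUN, ODD_RUN):
        frac, unseen = score(profile, trace)
        label = "ANOMALY" if is_anomalous(profile, trace) else "normal"
        print(f"{label:8s} unseen={frac:.2f} {unseen}")
```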

18
Advantages / Disadvantages
  • Advantages:
  • Detects new/unforeseen vulnerabilities.
  • Less dependent on the OS.
  • Detects abuse, not only vulnerabilities.
  • Disadvantages:
  • High false-alarm rate, since not the entire scope
    of the behavior is covered in the learning phase.
  • Behavior can change over time.

19
(Taxonomy diagram repeated, with Detection Method: Knowledge highlighted)
20
Knowledge-based (Misuse) Detection
  • Accumulated knowledge about specific attacks and
    system vulnerabilities.
  • Looks for attempts to exploit them.

21
Expert System
  • Contains a set of rules that describe attacks.
  • Audit events are then translated into facts
    carrying their semantic signification in the
    expert system.
  • Engine draws conclusions using these rules and
    facts.

22
Expert System - disadvantages
  • Knowledge engineering:
  • Difficult to extract knowledge about attacks.
  • Difficult to translate this knowledge into rules.
  • Processing speed.

23
Signature analysis.
  • Contains a set of rules that describe attacks.
  • The attacks are transformed into information that
    can be found in the audit trail in a
    straightforward way.
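
A tiny knowledge-based engine covering both the expert-system slide (audit events translated into facts, rules drawing conclusions) and the signature slide (an attack expressed directly as something findable in the audit trail), as an added example that is not part of the original presentation. The syslog-style records, the field layout and the two rules are constructed assumptions.

```python
"""Added example (not from the slides): a minimal rule engine over an audit
trail. Raw records are translated into facts; one rule is a plain signature
(a root login over the network), the other reasons over several facts
(repeated failures followed by a success from one source). The audit lines
and their layout are constructed for illustration."""
import re
from collections import defaultdict

# constructed audit trail: timestamp, host, then an sshd-style message
AUDIT = """\
2024-01-01T10:00:01 srv1 sshd: Failed password for admin from 203.0.113.7
2024-01-01T10:00:03 srv1 sshd: Failed password for admin from 203.0.113.7
2024-01-01T10:00:04 srv1 sshd: Failed password for root from 203.0.113.7
2024-01-01T10:00:06 srv1 sshd: Accepted password for root from 203.0.113.7
2024-01-01T10:05:00 srv1 sshd: Accepted password for alice from 198.51.100.2
"""

LINE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def to_facts(audit_text):
    """Translate each audit record into a fact the rules can reason over."""
    facts = []
    for line in audit_text.splitlines():
        m = LINE.match(line)
        if m:   # records that do not parse carry no facts for these rules
            ts, host, result, user, src = m.groups()
            facts.append({"ts": ts, "host": host, "result": result, "user": user, "src": src})
    return facts


def rule_root_login(facts):
    """Signature: a successful root login over the network."""
    return [f"root login from {f['src']} on {f['host']} at {f['ts']}"
            for f in facts if f["result"] == "Accepted" and f["user"] == "root"]


def rule_failures_then_success(facts, min_failures=3):
    """Expert-system style: min_failures failures, then a success, same source."""
    fails, alerts = defaultdict(int), []
    for f in facts:
        if f["result"] == "Failed":
            fails[f["src"]] += 1
        elif fails[f["src"]] >= min_failures:
            alerts.append(f"{fails[f['src']]} failures then success from {f['src']} as {f['user']}")
    return alerts


RULES = [rule_root_login, rule_failures_then_success]


def analyze(audit_text):
    """Run every rule over the facts derived from the audit trail."""
    facts = to_facts(audit_text)
    return [alert for rule in RULES for alert in rule(facts)]


if __name__ == "__main__":
    for alert in analyze(AUDIT):
        print("ALERT:", alert)
```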

24
Data Mining
  • Discovers patterns of intrusions (signatures of
    attacks).
  • An association rules algorithm determines the
    relationships between the audit trail records.

25
(Taxonomy path: Detection Method, then Behavior on Detection)
26
Behavior on detection
  • Passive - when an attack is detected, an alarm is
    generated, but no countermeasure is actively
    applied to thwart the attack.
  • This is used when a system can generate a large
    number of false alarms, having a negative impact
    on the availability of the system.

27
  • Active - when an attack is detected, a
    countermeasure is actively applied to thwart the
    attack.

28
(Taxonomy path: Detection Method, Behavior on Detection, then Audit Source Location)
29
Audit source location
  • Host-based: examines the host audit trail.
  • Network-based: uses the network traffic as the
    main source of input.

30
Host-based
  • System sources - commands to obtain a snapshot of
    information on the processes currently active on
    the computer.
  • Accounting - consumption of shared resources by
    the users of the system.
  • Syslog - This service receives a text string from
    the application, prefixes it with a time stamp
    and the name of the system on which the
    application runs.

31
Host-based
  • C2 security audit. The security audit records all
    potentially security-significant events on the
    system.
  • Disadvantage: the audit trail can be altered
    before it is monitored.

32
Network-based
  • SNMP information - The Simple Network Management
    Protocol (SNMP) Management Information Base (MIB)
    is a repository of information used for network
    management purposes.
  • Network packets - gathering information about the
    events that occur on the network architecture.
    Capturing the packets before they enter the
    server is probably the most efficient way to
    monitor that server.

33
(Taxonomy diagram repeated, with Behavior on Detection, Audit Source Location and Usage frequency highlighted)
34
Usage frequency
  • Continuous monitoring - real-time analysis by
    acquiring information about the actions taken on
    the environment immediately after they happen.
  • Periodic analysis - periodically takes a snapshot
    of the environment and analyzes this snapshot,
    looking for vulnerable software, configuration
    errors, and so on.

35
DEMO
36
ForeScout's Interactive Intrusion Prevention
  • ActiveScout provides an intrusion detection
    solution that
  • Protects your network from both known and unknown
    attacks.
  • Eliminates false positives.
  • Ensures zero-time-to-prevention.
  • Minimizes total cost-of-prevention.

37
How it works
  • ActiveScout works by identifying and marking
    attackers at the reconnaissance stage of the
    network attack - the earliest stage of the attack
    process.
  • Once marked, ActiveScout blocks or monitors
    attackers when they use the "mark" to attack the
    network. The ActiveScout Site Solution is
    composed of a Scout and a Site Manager.
  • The Scout operates outside the network perimeter,
    so that all traffic entering and exiting the
    network is visible to it.
  • The Scout identifies attackers and either
    prevents them from communicating with the
    network, or allows communication but monitors
    attacker activity.
  • The Site Manager enables viewing and analysis of
    attacker activity, as well as providing options
    for identification and handling by the Scout.

38
(No Transcript)
39
What You See On Your Screen
  • View the location where real attackers were
    detected
  • See if attackers were prevented from
    communicating with the live network (blocked), or
    allowed communication (monitored)
  • Access extensive details about each attack event
    you see - for example the time and location it
    was detected, the host that was attacked, or the
    raw packet data that was transferred.

40
  • Site Manager Tool Tips provide you with
    important information regarding the items on the
    Main Screen and on other Site Manager windows.
    Tool Tips can be viewed by leaving the cursor on
    an item you would like to get more information
    on.

41
  • The ActiveScout Site Manager Main Screen provides
    At-a-Glance information about attackers that
    tried to gain access to the network. ActiveScout
    refers to attackers as sources. A source is the
    IP address or host name from which a network scan
    or network attack was performed. (For this demo,
    the Reports and History features are disabled and
    other features may also appear as read only.)
  • Global Map Display Shows the location where
    sources were detected and the block or monitor
    state of each source.

42
MAIN SCREEN
  • Source Information Table: presents information
    about the sources that ActiveScout is blocking or
    monitoring, including the reason the source is
    blocked or monitored, and when the block/monitor
    period expires. Move your mouse over a table
    entry to view important tool tip information
    about the table entry.
  • Attack Alarm Indicator: sounds and blinks when a
    source attempts to attack the network. Double-click
    to stop the alarm.
43
Source Details Window - Activity Tab
  • Event Section: presents details about the event
    you selected from the Source Information Table.
    Click an entry to display more details about the
    event type. The information appears in the
    Details Section.
  • Details Section: presents details about the event
    type you selected in the Event Section.
  • Source State Summary: presents a summary of source
    activity, including the ratio of time the source
    was monitored/blocked.
44
(No Transcript)
45
Reference
  • H. Debar, M. Dacier, A. Wespi, "Towards a taxonomy
    of intrusion-detection systems", Computer
    Networks, 1999, Vol. 31, pp. 805-822.
  • S. Noel, D. Wijesekera, C. Youman, "Modern
    Intrusion Detection, Data Mining, and Degrees of
    Attack Guilt", in Applications of Data Mining in
    Computer Security, Daniel Barbará and Sushil
    Jajodia (eds.), Kluwer, 2002.
  • W. Lee, S. J. Stolfo, P. K. Chan, E. Eskin, W.
    Fan, M. Miller, S. Hershkop, J. Zhang, "Real Time
    Data Mining-based Intrusion Detection",
    Proceedings of DISCEX II, 2001.