Intrusion detection - PowerPoint PPT Presentation

Slides: 13
Provided by: PaulD109
Transcript and Presenter's Notes
1
Intrusion detection
  • Anomaly detection models compare a user's normal
    behavior statistically to parameters of the
    current session, in order to find significant
    deviations.
  • Misuse detection models compare a user's session
    to known techniques used by attackers to
    penetrate a system.
  • The purpose is to reduce the amount of audit data
    that must be manually reviewed.

2
Intrusion Detection Expert System
  • IDES is a real-time system developed at SRI. (Its
    model has been used in other systems.)
  • IDES monitors external threats (users trying to
    penetrate the system) and internal threats (users
    trying to abuse their authorizations).
  • IDES is based on experience and learning from
    watching the system, not on fixed rules.
  • IDES learns the normal behavior of users (in
    order to learn what abnormal behavior is).

3
Intrusion Detection Expert System
  • Threats-behaviors relationships
  • Intrusion attempt: many login attempts.
  • Masquerading: legitimate login (but stolen)
    followed by an abnormal usage pattern.
  • Penetration by legitimate users trying to
    circumvent the security controls: if successful,
    they start commands which were normally
    forbidden; this behavior is then detected.
  • Spreading of data by authorized users: user logs
    in at abnormal times, performs many reads, uses
    printers more, prints more copies, etc.

4
Intrusion Detection Expert System
  • Threats-behaviors relationships
  • Inference by authorized users: confidential data
    is obtained by aggregation or inference. This
    probably involves abnormal frequency and type of
    queries.
  • Trojan Horses: an inserted or substituted program
    probably exhibits different usage of resources.
  • Viruses: cause increased frequency of writing to
    executable files.
  • Denial of service: intruder locks a resource, and
    exhibits a high activity rate for that resource.

5
Intrusion Detection Expert System
  • Metrics
  • Event counter: the normal frequency (time
    dependent) of different types of events is
    characterized, in order to detect abnormal usage.
  • Time interval: the normal time interval between
    correlated events is computed, to detect abnormal
    (most likely short) intervals.
  • Resource measurement: the normal use of
    resources by each type of action is computed.
    Abnormal use of resources can then be detected.

6
Intrusion Detection Expert System
  • Statistical models
  • Operational model: compare observations to a
    threshold which is determined by an expert.
  • Average and standard deviation model: detect
    deviation beyond the standard deviation.
  • Multivariate model: finds deviations in the
    correlation between two or more metrics.
  • Markovian model: uses types of events as state
    variables and a state transition matrix to
    characterize the frequencies of transitions.
  • Time series model: uses event counter,
    measurement of resources and interval times.
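Two of these models worked through in code, as an added example that is not part of the slides: the average-and-standard-deviation model over a constructed per-session CPU profile, and the Markovian model as a transition matrix estimated from a constructed event history. Event letters, thresholds and the sample data are all assumptions of the example.

```python
# Added example (not from the slides): two IDES-style statistical models run
# over constructed audit metrics for one user.
from math import sqrt
from collections import Counter

# Constructed profile: CPU seconds consumed in each of the user's past sessions.
CPU_HISTORY = [12.0, 15.0, 11.0, 14.0, 13.0, 12.5, 14.5, 13.5]

def mean_std(values):
    """Mean and (population) standard deviation of a profile."""
    n = len(values)
    mu = sum(values) / n
    var = sum((v - mu) ** 2 for v in values) / n
    return mu, sqrt(var)

def is_deviant(observation, history, k=2.0):
    """Average-and-standard-deviation model: flag an observation more than
    k standard deviations away from the profile mean."""
    mu, sigma = mean_std(history)
    return abs(observation - mu) > k * sigma

# Constructed event history over several past sessions. Event letters are an
# assumption: L=login, R=read, W=write, X=execute, O=logout.
EVENT_HISTORY = "LRRXWO" "LRXRO" "LRRWRXO" "LXRRO"

def transition_matrix(events):
    """Markovian model: estimate P(next | current) from consecutive
    historical event pairs; events are the state variables."""
    counts = Counter(zip(events, events[1:]))
    totals = Counter(events[:-1])
    return {pair: c / totals[pair[0]] for pair, c in counts.items()}

def rare_transitions(session, matrix, floor=0.05):
    """Transitions in a new session whose historical probability is below
    `floor`; a transition never seen in the profile has probability 0."""
    return [(a, b) for a, b in zip(session, session[1:])
            if matrix.get((a, b), 0.0) < floor]

if __name__ == "__main__":
    print(is_deviant(40.0, CPU_HISTORY))          # far above the profile
    matrix = transition_matrix(EVENT_HISTORY)
    print(rare_transitions("LWWO", matrix))       # writes straight after login
```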

7
Intrusion Detection Expert System
  • Login and session activity profiles
  • Login frequency: detect logins at abnormal times
    or frequency.
  • Location frequency: detect logins from locations
    never used by this user.
  • Last login: useful to detect intrusion threats
    through dead accounts.
  • Session duration: detect abnormally short or long
    sessions.
  • Session output: detect sessions in which more
    output is generated than usual.

8
Intrusion Detection Expert System
  • Login and session activity profiles
  • CPU per session, I/O per session: use the standard
    deviation method to find abnormal resource usage.
  • Password failures: count the number of password
    failures before a successful login.
  • Location failures: locations from which failed
    logins are attempted are detected.
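The login-profile checks from slides 7 and 8 over constructed audit records, as an added example that is not part of the slides: password failures counted before each successful login (with an expert-set threshold in the operational-model sense), and successful logins from a location absent from the user's profile. The record layout, user names, locations and the threshold are assumptions of the example.

```python
# Added example (not from the slides): login and session profile checks over
# constructed audit records of the form (timestamp, user, location, result).
from collections import defaultdict

AUDIT = [  # constructed sample data
    ("09:01", "alice", "ws-12", "FAIL"),
    ("09:02", "alice", "ws-12", "FAIL"),
    ("09:02", "alice", "ws-12", "OK"),
    ("09:10", "bob",   "ws-03", "OK"),
    ("17:40", "alice", "dialup-7", "FAIL"),
    ("17:41", "alice", "dialup-7", "FAIL"),
    ("17:41", "alice", "dialup-7", "FAIL"),
    ("17:42", "alice", "dialup-7", "FAIL"),
    ("17:43", "alice", "dialup-7", "OK"),
]

# Constructed profile: locations each user has logged in from before.
KNOWN_LOCATIONS = {"alice": {"ws-12"}, "bob": {"ws-03", "ws-04"}}

def failures_before_success(records):
    """Per user, the number of consecutive password failures preceding each
    successful login (the 'password failures' metric)."""
    streak = defaultdict(int)
    result = defaultdict(list)
    for _, user, _, outcome in records:
        if outcome == "OK":
            result[user].append(streak[user])
            streak[user] = 0
        else:
            streak[user] += 1
    return dict(result)

def excessive_failures(records, threshold):
    """Operational model: each successful login preceded by more than
    `threshold` failures, as (user, failure count)."""
    return [(user, n) for user, ns in failures_before_success(records).items()
            for n in ns if n > threshold]

def new_locations(records, known):
    """Location frequency check: successful logins from a location the
    user's profile has never recorded; `known` maps user -> set of locations."""
    return [(ts, user, loc) for ts, user, loc, outcome in records
            if outcome == "OK" and loc not in known.get(user, set())]

if __name__ == "__main__":
    print(excessive_failures(AUDIT, threshold=3))
    print(new_locations(AUDIT, KNOWN_LOCATIONS))
```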

9
Intrusion Detection Expert System
  • Command and program execution profiles
  • Execution frequency: for one user, to detect
    attempts to break security; for all users, to
    detect a Trojan Horse attack.
  • CPU per program, I/O per program: to detect
    viruses or Trojan Horses.
  • Denied executions: find users trying to execute a
    program they are not authorized for.
  • Saturation of program resources: detect that a
    program often terminates abnormally; this could
    be an attempt to use abnormal termination as a
    covert channel.

10
Intrusion Detection Expert System
  • File or record access profiles
  • Read, write, create and delete frequency:
    anomalies in create/delete or read/write
    operations may indicate inference attempts or
    penetration by a user who does not normally have
    that access.
  • Read/written records: number of different records
    read or written.
  • Read/write/delete/create failures: the user may be
    attempting something but (still) failing.
  • File resource exhaustion: such failures may again
    indicate failures being used as a covert channel.

11
Intrusion Detection Expert System
  • IDES has been implemented using Oracle for
    management of all IDES information.
  • IDES runs on a different machine from the one
    with the main database.
  • Performance: the presence of IDES does not
    increase the system response time of the database.
  • Security: IDES can be protected from the
    monitored system.
  • Integration: IDES can be easily adapted to
    different environments and integrated with
    various types of host system.

12
Other Intrusion Detection Systems
  • The Haystack system developed for the US Air
    Force computer systems (not specifically to audit
    databases).
  • The Multics Intrusion Detection and Alerting
    System (MIDAS) expert system developed for the
    US National Computer Security Center
    Multics-based network.
  • Wisdom and Sense anomaly detection system
    developed at Los Alamos National Laboratory.