Intrusion Detection Systems - PowerPoint PPT Presentation

1
Intrusion Detection Systems
  • Francis Chang <francis_at_cse.ogi.edu>
  • Systems Software Lab
  • OGI

2
The Papers
  • [1] M. Crosbie, B. Kuperman, "A Building Block
    Approach to Intrusion Detection"
  • [2] M. Welz, Andrew Hutchison, "Interfacing
    Trusted Applications with Intrusion Detection
    Systems"
  • [3] Y. Zhang, W. Lee, "Intrusion Detection in
    Wireless Ad-Hoc Networks"
  • [4] G. Mansfield, K. Ohta, Y. Takei, N. Kato, Y.
    Nemoto, "Towards Trapping Wily Intruders in the
    Large"

3
A Building Block Approach to Intrusion Detection
Let's first look at the first paper: [1] M.
Crosbie, B. Kuperman, "A Building Block Approach
to Intrusion Detection"
4
A Building Block Approach to Intrusion Detection
A new spin on how to build an IDS: monitor
the system looking for misuse actions that are
indicative of attack. These misuse actions are
called building blocks. There is a need for a better data
source for IDS (IDDS: Intrusion Detection Data
Source).
5
A Building Block Approach to Intrusion Detection
Examples of building blocks
  • Modification of a system file
  • Unexpected change of the user privileges of a running
    process
  • Modification of log files
  • Change of a global symbolic link
  • Creation of setuid programs

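To make the building-block idea concrete, here is an added Python example (not code from the paper or the presentation) that maps a stream of constructed kernel-level events, the kind an in-kernel IDDS would feed to an IDS, onto the five building blocks listed above. The Event layout, the protected directory lists and the sample events are assumptions made for this example.

```python
import stat
from dataclasses import dataclass
from typing import List, Tuple

# Constructed kernel-level event records standing in for an IDDS feed (layout is an assumption).
@dataclass
class Event:
    pid: int
    syscall: str
    path: str = ""
    mode: int = 0        # new permission bits for chmod/creat
    old_euid: int = -1   # effective uid before a credential change
    new_euid: int = -1   # effective uid after it

SYSTEM_DIRS = ("/etc/", "/bin/", "/sbin/", "/lib/")
LOG_DIRS = ("/var/log/",)

def classify(ev: Event) -> str:
    """Map one raw event to a building block name, or '' if it matches none."""
    if ev.syscall in ("chmod", "fchmod", "creat") and ev.mode & stat.S_ISUID:
        return "creating setuid program"
    if ev.syscall in ("setuid", "setreuid", "setresuid") and ev.old_euid != 0 and ev.new_euid == 0:
        return "unexpected privilege change"      # a non-root process became root
    if ev.syscall == "symlink" and ev.path.startswith(SYSTEM_DIRS):
        return "change of global symbolic link"
    if ev.syscall in ("write", "truncate", "unlink", "rename"):
        if ev.path.startswith(LOG_DIRS):
            return "modification of log file"
        if ev.path.startswith(SYSTEM_DIRS):
            return "modification of system file"
    return ""

def detect(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (building block, event) pairs for every event that matches one."""
    return [(name, ev) for ev in events if (name := classify(ev))]

# Constructed sample stream: five suspicious events interleaved with benign ones.
SAMPLE_EVENTS = [
    Event(101, "write", "/home/alice/notes.txt"),            # benign user write
    Event(102, "chmod", "/tmp/.x", mode=stat.S_ISUID | 0o755),
    Event(103, "setuid", old_euid=1000, new_euid=0),
    Event(104, "truncate", "/var/log/auth.log"),
    Event(105, "write", "/etc/passwd"),
    Event(106, "symlink", "/lib/libc.so.6"),
    Event(107, "setuid", old_euid=0, new_euid=1000),         # dropping privileges: benign
]

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"pid {ev.pid}: {name} via {ev.syscall} {ev.path}")
```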
6
A Building Block Approach to Intrusion Detection
So what did they do? Build an in-kernel IDDS.
7
A Building Block Approach to Intrusion Detection
Crosbie/Kuperman argue that traditional IDS data
sources are insufficient; let's take a look at
their argument.
8
A Building Block Approach to Intrusion Detection
syslogd
  • Often a popular IDS data source
  • Often syslogd is used when a daemon starts up,
    changes configuration, encounters an error, or some
    other unusual behaviour occurs

9
A Building Block Approach to Intrusion Detection
syslogd (continued)
  • Crosbie/Kuperman argue that the quality of the
    log messages is completely dependent on the
    programmers who wrote the system daemons.
  • Early versions of syslogd could be attacked:
    buffer overflows, abnormal exits

10
A Building Block Approach to Intrusion Detection
Network Packet Traces
  • If only using network packet traces, you often
    lose context, and thus, cannot detect certain
    types of attacks.

11
A Building Block Approach to Intrusion Detection
Why is an in-kernel approach good?
  • Time inside the kernel is frozen
  • In-kernel design is more resilient to attack

12
Interfacing Trusted Apps
The next paper: [2] M. Welz, Andrew Hutchison,
"Interfacing Trusted Applications with Intrusion
Detection Systems"
13
Interfacing Trusted Apps
This is funny
14
Interfacing Trusted Apps
The basic suggestion: rewrite existing
applications to take advantage of a syslogd/IDS
system.
15
Interfacing Trusted Apps
16
Intrusion Detection in Wireless Ad-hoc Networks
The problem
  • Open medium: attacks can come from anywhere, and
    go anywhere
  • No clear topology: the network is continually
    changing; there are no central points

17
Intrusion Detection in Wireless Ad-hoc Networks
The solution: an IDS at every node.
Let's take a closer look at the IDS.
18
Intrusion Detection in Wireless Ad-hoc Networks
19
Intrusion Detection in Wireless Ad-hoc Networks
Detecting abnormal routing updates: give each
IDS a built-in GPS, and watch for unexpected
route changes (statistical analysis).
20
Intrusion Detection in Wireless Ad-hoc Networks
Detecting abnormal activities in other
layers: various independent monitors detect
anomalies in other protocol layers, and the
results are combined into a confidence rating.
21
Intrusion Detection in Wireless Ad-hoc Networks
Respond to intrusion detection by reconstructing
the routing tables, and routing around the
compromised node.
22
Towards Trapping Wily Intruders in the Large
G. Mansfield, K. Ohta, Y. Takei, N. Kato, Y.
Nemoto, "Towards Trapping Wily Intruders in the
Large"
The basics: monitor the network, and collect
statistics. When the statistics deviate from
normal behaviour, flag it. Extend SNMP to allow
various networks to collaborate to track down the
intruder.
23
Towards Trapping Wily Intruders in the Large
When a network is under attack, there is often a
lot of suspicious network traffic. There are
usually more:
  • TCP-RESET packets
  • ICMP echo response
  • ICMP Destination unreachable messages

24
Towards Trapping Wily Intruders in the Large
ICMP echo: often occurs in high volume when a
network is under attack
  • Mapping out a network
  • DDoS attacks
  • Smurf attacks (let's take a look)

25
Towards Trapping Wily Intruders in the Large
SMURF Attack
[Diagram: hosts 1.1.1.1, 1.1.1.2 and 1.1.1.3 on one network; 2.2.2.2 and 3.3.3.3 elsewhere. Step 1: a packet labelled "Ping 1.1.1.255 from 3.3.3.3" is sent towards the 1.1.1.x network.]
26
Towards Trapping Wily Intruders in the Large
SMURF Attack
[Diagram: step 2, "Ping 1.1.1.255 from 3.3.3.3" arrives on the 1.1.1.x network, 1.1.1.255 being its broadcast address.]
27
Towards Trapping Wily Intruders in the Large
SMURF Attack
[Diagram: step 3, packets labelled "Echo Reply" leave the 1.1.1.x hosts.]
28
Towards Trapping Wily Intruders in the Large
SMURF Attack
[Diagram: step 4, "Many Echo Responses" converge on 3.3.3.3, the address the ping claimed to come from.]
29
Towards Trapping Wily Intruders in the Large
TCP resets: they do not occur very frequently in
normal network traffic, but very often when a
network is being attacked, e.g.
  • Port scanning
  • Inverse mapping (let's take a look at this)

30
Towards Trapping Wily Intruders in the Large
Inverse Mapping (Successful routing)
[Diagram: hosts 1.1.1.1, 1.1.1.2 and 1.1.1.3 on one network; 2.2.2.2 and 2.2.2.3 on another. Step 1: a packet labelled "ACK from 1.1.1.2".]
31
Towards Trapping Wily Intruders in the Large
Inverse Mapping (Successful routing)
[Diagram: step 2, a packet labelled "TCP Reset".]
32
Towards Trapping Wily Intruders in the Large
Inverse Mapping (Successful routing)
[Diagram: step 3, the "TCP Reset" is forwarded on.]
33
Towards Trapping Wily Intruders in the Large
Inverse Mapping (Successful routing)
[Diagram: step 4, "No Response".]
34
Towards Trapping Wily Intruders in the Large
Inverse Mapping (Unsuccessful routing)
[Diagram: same hosts. Step 1: a packet labelled "ACK from 1.1.1.4".]
35
Towards Trapping Wily Intruders in the Large
Inverse Mapping (Unsuccessful routing)
[Diagram: step 2, a packet labelled "TCP Reset".]
36
Towards Trapping Wily Intruders in the Large
Inverse Mapping (Unsuccessful routing)
[Diagram: step 3, a packet labelled "ICMP No Route to Host".]
37
Towards Trapping Wily Intruders in the Large
So, now that we know what we're looking for, how
do we find it? Let's just use some simple math:
isolate patterns with least-squares curve
fitting, and find correlations between network
traffic.
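The statistical detection sketched on slides 23 and 37 (per-interval counts of TCP resets, ICMP echo replies and ICMP destination-unreachable messages; a least-squares fit of the normal pattern; correlations between traffic types), carried through as an added Python example that is not code from the paper or the presentation. The packet counts are constructed, and the one-minute interval, the 10-interval baseline window and the 4-sigma threshold are assumptions.

```python
from math import sqrt
from typing import Dict, List, Tuple

# Constructed per-minute packet counts for the three indicator types the slides name.
# Intervals 0-9 are a quiet baseline; a burst begins at interval 11. Values are made up.
COUNTS: Dict[str, List[float]] = {
    "tcp_rst":         [5, 6, 5, 7, 6, 5, 6, 7, 6, 5, 6, 48, 52, 60],
    "icmp_echo_reply": [12, 13, 11, 12, 14, 13, 12, 11, 13, 12, 13, 210, 260, 300],
    "icmp_unreach":    [2, 3, 2, 2, 3, 2, 3, 2, 2, 3, 2, 25, 31, 36],
}
BASELINE = 10   # leading intervals used to fit the normal pattern (assumption)

def least_squares_line(ys: List[float]) -> Tuple[float, float]:
    """Ordinary least-squares fit of y = a + b*t over t = 0..n-1; returns (a, b)."""
    n = len(ys)
    t_mean, y_mean = (n - 1) / 2, sum(ys) / n
    sxx = sum((t - t_mean) ** 2 for t in range(n))
    sxy = sum((t - t_mean) * (y - y_mean) for t, y in enumerate(ys))
    b = sxy / sxx if sxx else 0.0
    return y_mean - b * t_mean, b

def flag_deviations(ys: List[float], baseline: int = BASELINE, k: float = 4.0) -> List[int]:
    """Fit the baseline window, then flag later intervals whose residual exceeds k sigma."""
    a, b = least_squares_line(ys[:baseline])
    resid = [y - (a + b * t) for t, y in enumerate(ys[:baseline])]
    sigma = max(sqrt(sum(r * r for r in resid) / (baseline - 2)), 1e-9)  # two fitted params
    return [t for t, y in enumerate(ys) if t >= baseline and abs(y - (a + b * t)) > k * sigma]

def correlation(xs: List[float], ys: List[float]) -> float:
    """Pearson correlation between two count series (1.0 = rise and fall together)."""
    n = len(xs)
    xm, ym = sum(xs) / n, sum(ys) / n
    cov = sum((x - xm) * (y - ym) for x, y in zip(xs, ys))
    vx = sum((x - xm) ** 2 for x in xs)
    vy = sum((y - ym) ** 2 for y in ys)
    return cov / sqrt(vx * vy) if vx and vy else 0.0

def detect(counts: Dict[str, List[float]] = COUNTS) -> Dict[str, List[int]]:
    """Flagged intervals per indicator; the alert is strongest when several agree."""
    return {name: flag_deviations(series) for name, series in counts.items()}

if __name__ == "__main__":
    for name, hits in detect().items():
        print(f"{name}: anomalous intervals {hits}")
    print("rst/echo-reply correlation:", round(correlation(COUNTS["tcp_rst"], COUNTS["icmp_echo_reply"]), 3))
```

A high correlation between the indicator series is what lets the three noisy counters be combined into a single signal, rather than alerting on any one of them alone.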
38
Towards Trapping Wily Intruders in the Large
39
Towards Trapping Wily Intruders in the Large
Tracing an attack
40
Towards Trapping Wily Intruders in the Large
  • This system does not rely on specific types of
    attack/patterns/signatures, and does not attempt
    to reconstruct a detailed transaction log,
    relying only on statistics.
  • Can trace back the flow of the attack