Chapter 25: Intrusion Detection
Dr. Wayne Summers
Department of Computer Science
Columbus State University
http://csc.colstate.edu/summers
Principles
A computer system is under attack when any of the following holds:
– Actions of users and processes do not conform to a statistically predictable pattern (the basis of anomaly detection)
– Actions of users and processes include sequences of commands that attempt to subvert the security policy of the system (the basis of misuse detection)
– Actions of processes do not conform to the set of specifications that are allowed for the process (the basis of specification-based detection)
Basic Intrusion Detection
Attack tool: an automated script designed to violate a security policy (for example, a rootkit)
Goals of an IDS
– Detect a wide variety of intrusions (inside and outside; known and unknown attacks)
– Detect intrusions in a timely fashion
– Present the analysis in a simple, easy-to-use format
– Be accurate (minimize both false positives and false negatives)
Models
Anomaly modeling: analyzes a set of characteristics of the system and compares observed behavior to expected values
– Threshold metric: uses minimum/maximum values
– Statistical moments: uses mean, standard deviation and other measures of correlation
– Markov model: uses a set of transition probabilities between states (requires training data)
Misuse modeling: determines whether a sequence of instructions being executed is known to violate the site security policy (signature matching; catches only known attacks)
Specification modeling: determines whether a sequence of instructions violates a specification of how a program or system should execute
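The three anomaly-modeling techniques on the slide, implemented as an added example (this is not code from the slides or from any IDS product). It assumes two constructed data sources: a per-hour count of failed logins for one user, and that user's shell sessions as sequences of command names. The thresholds, the 3-sigma rule and the floor probability for unseen transitions are illustrative choices.

```python
"""Threshold metric, statistical moments and a Markov model over constructed
activity data (hypothetical user, hypothetical values)."""
import math
from collections import defaultdict

# Constructed training data: failed logins per hour over one 24-hour day.
TRAINING_FAILED_LOGINS = [0, 1, 0, 0, 2, 1, 0, 0, 1, 0, 0, 1,
                          0, 0, 1, 2, 0, 0, 0, 1, 0, 1, 0, 0]

# Constructed training sessions (command sequences) for the same user.
TRAINING_SESSIONS = [
    ["ls", "cd", "ls", "vim", "make", "ls"],
    ["cd", "ls", "vim", "make", "make", "ls"],
    ["ls", "vim", "make", "ls", "cd", "ls"],
]


def threshold_check(value, lo, hi):
    """Threshold metric: alarm when a count leaves the allowed [lo, hi] range."""
    return not (lo <= value <= hi)


def fit_moments(samples):
    """Statistical moments: mean and population standard deviation of the training data."""
    n = len(samples)
    mean = sum(samples) / n
    variance = sum((x - mean) ** 2 for x in samples) / n
    return mean, math.sqrt(variance)


def zscore_anomaly(value, mean, stdev, k=3.0):
    """Alarm when a value lies more than k standard deviations from the mean."""
    if stdev == 0:
        return value != mean
    return abs(value - mean) / stdev > k


class MarkovCommandModel:
    """Markov model: P(next command | current command) estimated from training
    sessions.  This is the model that needs training data before it can score."""

    def __init__(self, sessions):
        counts = defaultdict(lambda: defaultdict(int))
        for session in sessions:
            for cur, nxt in zip(session, session[1:]):
                counts[cur][nxt] += 1
        self.prob = {
            cur: {nxt: c / sum(nexts.values()) for nxt, c in nexts.items()}
            for cur, nexts in counts.items()
        }

    def log_likelihood(self, session, floor=1e-3):
        """Sum of log P(next | current).  Unseen transitions get a small floor
        probability so a single novel step does not make the score -inf."""
        total = 0.0
        for cur, nxt in zip(session, session[1:]):
            total += math.log(self.prob.get(cur, {}).get(nxt, floor))
        return total

    def is_anomalous(self, session, per_step_threshold=-3.0):
        """Alarm when the average log-probability per transition is too low."""
        steps = max(len(session) - 1, 1)
        return self.log_likelihood(session) / steps < per_step_threshold


if __name__ == "__main__":
    mean, sd = fit_moments(TRAINING_FAILED_LOGINS)
    print("threshold alarm on 5 failures:", threshold_check(5, 0, 3))
    print("z-score alarm on 30 failures:", zscore_anomaly(30, mean, sd))
    model = MarkovCommandModel(TRAINING_SESSIONS)
    print("normal session:", model.is_anomalous(["ls", "vim", "make", "ls", "cd", "ls"]))
    print("download-and-run session:", model.is_anomalous(["ls", "wget", "chmod", "./x", "nc"]))
```

Note the trade-off the slide's "be accurate" goal implies: the z-score test never alarms on 2 failed logins (well inside the user's normal spread) but does on 30, and the Markov model flags a session of commands it has never seen follow one another. Both rules only work as well as the training window, so an attacker who is present while the baseline is built gets "normalized" in.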
Architecture
Agent: obtains information from a data source (the "logger")
– Host-based Intrusion Detection System (HIDS)
• Uses system and application logs
– Network-based Intrusion Detection System (NIDS)
• Uses devices and software to monitor network traffic
Director: reduces the log entries and then determines whether an attack is underway (the "analyzer")
Notifier: accepts information from the director and takes appropriate action (GUI display, email, etc.)
Architecture of IDS
[Figure: Hosts A, B and C each run a HIDS agent and host N runs a NIDS agent (the loggers); all agents report to the Director (analyzer), which feeds the Notifier.]
HIDS: Host Intrusion Detection System
NIDS: Network Intrusion Detection System
Host-based IDS
– Periodically analyze logs and perform file system integrity checks
– Examples:
• Generic: ISS RealSecure Server Sensor
• Check host file system: Tripwire, AIDE
• Check host network connections: BlackICE, PortSentry
• Check host's log files: LogSentry, Swatch
• Intrusion Prevention System: Cisco Security Agent (Okena StormWatch)
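A minimal host file-system integrity checker of the kind Tripwire and AIDE implement, added here as an example (it is not code from the slides or from either tool). snapshot() records a SHA-256 digest and permission bits for every regular file under a root directory; compare() diffs two snapshots. demo() builds a constructed mini file tree in a temporary directory, takes a baseline, simulates an intruder trojaning a binary, dropping a file and deleting a log, and returns the report. All paths and contents are made up.

```python
"""Baseline-and-compare file integrity check (Tripwire/AIDE style)."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map 'relative/path' -> (sha256 hex digest, permission bits) for regular files."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Hash only regular files; symlinks and device nodes need their own rules.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (digest.hexdigest(), stat.S_IMODE(os.stat(full).st_mode))
    return result


def compare(baseline, current):
    """Report paths that were added, removed, or changed (content or mode)."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    """Helper for the constructed scenario: create rel under root with data."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario (hypothetical files); returns the compare() report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"\x7fELF original login binary")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "var/log/auth.log", b"accepted password for alice\n")
        baseline = snapshot(root)

        # Simulated intruder activity: trojaned binary, dropped file, deleted log.
        _write(root, "bin/login", b"\x7fELF login with backdoor")
        _write(root, "tmp/.hidden/rootkit.sh", b"#!/bin/sh\n")
        os.remove(os.path.join(root, "var/log/auth.log"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Two caveats a real deployment must address: the baseline database and the checker itself must be kept where an intruder cannot rewrite them (read-only media or another host), and a kernel-level rootkit that lies to read() will hide a trojaned binary from any user-space checker, which is why the slide's earlier threat list includes "attack tool ... rootkit".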
Network-based IDS
– Analyze network traffic content and patterns for signs of intrusion
– Examples:
• Snort
• Cisco Sensors
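A toy network IDS in the misuse-modeling style of the Models slide, added as an example (it is not Snort's code and not from the slides): Snort-like content signatures are matched, in order, against the payload of constructed TCP segments. The signature IDs, messages, packets and alert tuple format are all hypothetical.

```python
"""Signature (misuse) detection over constructed TCP segments."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    dport: Optional[int]          # None matches any destination port
    contents: Tuple[bytes, ...]   # every pattern must occur, in this order
    nocase: bool = False          # case-insensitive match (like Snort's nocase)


# Hypothetical rule set; the SIDs are made up for this example.
SIGNATURES = [
    Signature(1000001, "CGI request containing shell pipe metacharacter", 80,
              (b"GET ", b"/cgi-bin/", b"|")),
    Signature(1000002, "HTTP directory traversal", 80, (b"../..",)),
    Signature(1000003, "x86 NOP sled", None, (b"\x90" * 16,)),
    Signature(1000004, "SMTP VRFY root", 25, (b"VRFY root",), nocase=True),
]


def matches(sig: Signature, pkt: Packet) -> bool:
    """True when the port matches and every content appears, left to right."""
    if sig.dport is not None and sig.dport != pkt.dport:
        return False
    hay = pkt.payload.lower() if sig.nocase else pkt.payload
    pos = 0
    for content in sig.contents:
        needle = content.lower() if sig.nocase else content
        pos = hay.find(needle, pos)
        if pos < 0:
            return False
        pos += len(needle)
    return True


def detect(packets: List[Packet], signatures=SIGNATURES):
    """Return one (sid, src, dst, msg) alert per matching signature per packet."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            if matches(sig, pkt):
                alerts.append((sig.sid, pkt.src, pkt.dst, sig.msg))
    return alerts


# Constructed traffic: one benign request followed by four suspicious segments.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.7", "192.0.2.10", 80,
           b"GET /cgi-bin/test.cgi?cmd=|id HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.7", "192.0.2.10", 80,
           b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.9", "192.0.2.20", 4444, b"A" * 8 + b"\x90" * 32 + b"\xcc" * 4),
    Packet("198.51.100.9", "192.0.2.30", 25, b"vrfy ROOT\r\n"),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_TRAFFIC):
        print("ALERT sid=%d %s -> %s: %s" % alert)
```

The limits of misuse detection show up immediately: the matcher sees only what is literally in one segment, so a request that URL-encodes the pipe as `%7c`, or an attacker who splits `/cgi-bin/` across two TCP segments, produces no alert. Production NIDS engines reassemble streams and normalize protocols before matching for exactly this reason, and still cannot detect an attack for which no signature exists.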
Organization of IDSs
Monitoring Network Traffic for Intrusions
– Network Security Monitor (NSM): develops a profile of expected usage of the network and compares current usage with the profile
– Distributed IDS (DIDS): combines the abilities of NSM with host-based IDS
– Autonomous Agents for ID (AAFID): autonomous agents that work together
IDS Placement
[Figure: traffic from the Internet passes through a router and an outer firewall into a DMZ containing the DNS, mail and web servers, then through an inner firewall and switches into the internal network (Intra1). Three IDS sensors are shown along this path.]
Intrusion Response
Incident prevention: Intrusion Prevention Systems
– Identify the attack before it completes
– Jail (sandbox) the attack
Intrusion handling
– Preparation for the attack
– Identification of the attack
– Containment of the attack
– Eradication of the attack (blocks further attacks)
– Recovery from the attack
– Follow-up to the attack
• Pursue legal action
• Trace the attack: thumbprinting, IP header marking