intrusion detection methods


Upload: bonita

Post on 06-Jan-2016


DESCRIPTION

Intrusion Detection Methods. “Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.” The Seven Fundamentals: What are the methods used; How are IDS organized; What is an intrusion. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: Intrusion Detection Methods

Intrusion Detection Methods

“Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.”

Page 2: Intrusion Detection Methods

The Seven Fundamentals

1. What are the methods used
2. How are IDS organized
3. What is an intrusion
4. How do we trace and how do they hide
5. How do we correlate information
6. How can we trap intruders
7. Incident response

Page 3: Intrusion Detection Methods

Internet Trap

• A set of functional and procedural components that use legal and authorized deception to divert the activity of a potential intruder from real, valued assets to bogus assets (and vice versa), for the purpose of gathering intrusion-related information and initiating a response.

Page 4: Intrusion Detection Methods

Technical considerations

• Detecting the intruder

• Detecting the trigger (the trap element being touched)

• Reversing a decision about activity

• Remaining stealthy

[Diagram labels: Real system, Trap, Real system]

Page 5: Intrusion Detection Methods

Types of Internet Traps

• Real environment with trap elements
  – Unix system with fake password file
  – Win2K with phony open shares
  – Web servers with phony vulnerable CGIs

• Small environment to large trap

• Large environment to small trap

• Mirrored environment and trap
  – Trap serves as hot standby system
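"Detecting the trigger" on the Technical considerations slide and the "web servers with phony vulnerable CGIs" / "fake password file" trap elements listed above come together in a monitor that watches for any request touching a decoy. The following is an added example, not code from the slides: the decoy paths, log lines and labels are constructed for illustration, and it assumes an Apache/nginx combined-format access log.

```python
import re
from collections import defaultdict
# Constructed decoy inventory (hypothetical paths, not from the slides): each
# trap element maps to a label so an alert says which bait was touched.
DECOY_PATHS = {
    "/cgi-bin/old-admin.cgi": "phony vulnerable CGI",
    "/cgi-bin/legacy-form.cgi": "phony vulnerable CGI",
    "/backup/passwd.bak": "fake password file",
}

# Apache/nginx "combined" access-log format; only the fields needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the log fields as a dict, or None for a malformed line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_trap_hits(lines):
    """Return one alert per request that touches a decoy path.
    Nothing legitimate references a decoy, so any hit is a trigger whatever
    the HTTP status. The query string is stripped before the lookup so
    '/cgi-bin/old-admin.cgi?cmd=x' still matches the bait path.
    """
    alerts, per_source = [], defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed record: skip, never crash the monitor
        path = rec["path"].split("?", 1)[0]
        label = DECOY_PATHS.get(path)
        if label is None:
            continue
        per_source[rec["ip"]] += 1
        alerts.append({"ip": rec["ip"], "ts": rec["ts"], "path": path,
                       "trap": label, "hits_from_source": per_source[rec["ip"]]})
    return alerts

# Constructed sample log (not real traffic): normal requests, two decoy hits
# from one source, and one malformed line.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla"',
    '10.0.0.9 - - [01/Mar/2016:10:00:02 +0000] "GET /cgi-bin/old-admin.cgi?cmd=x HTTP/1.1" 404 210 "-" "curl"',
    'garbage line that is not a log record',
    '10.0.0.9 - - [01/Mar/2016:10:00:03 +0000] "GET /backup/passwd.bak HTTP/1.1" 200 1024 "-" "curl"',
]
```

Running `detect_trap_hits(SAMPLE_LOG)` yields two alerts for 10.0.0.9, the second carrying `hits_from_source` of 2, which is the signal that a source has moved from one bait element to another.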

Page 6: Intrusion Detection Methods

Design considerations

• Proper design
  – Advisory notice
  – Keep the intruder in mind (what would cs485 students like to break into?)
  – Don’t be too obvious
  – Software tools as gifts

Page 7: Intrusion Detection Methods

Design considerations (cont.)

• Bait
  – Administrator correspondence
  – Rigged email
  – Rigged scan points
  – System messages

• OOB Traps

• Legal considerations