SlideShare a Scribd company logo

Intrusion detection 2001

Download as PPT, PDF
E
eaiti

This document summarizes a presentation on intrusion detection systems. It discusses the growing risks of e-business and need for intrusion detection strategies. It covers misuse and anomaly detection approaches, and tools that operate at the application, host, and network levels. It also addresses active and passive response techniques, system architectures, technical challenges, legal issues, and commercial and open source intrusion detection systems.

Technology
1 of 24
Downloaded 15 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Intrusion Detection CTO Forum November 9, 2001 Tom Casey Tcasey@pec.com 703.679.4900
2 Agenda • Risks Associated with E-business • Elements of an Intrusion Detection Strategy • Misuse and Anomaly Detection • Application, Host, and Network Based Tools • Active and Passive Response • Intrusion Detection System Architecture • Technical and Legal Issues • Commercial and Open Source ID systems
3 Reported Incidents Increasing Number of Incidents Reported 0 5000 10000 15000 20000 25000 30000 35000 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 *2001 Years NumberofIncidents *Q1-Q3 2001Cert.org Statistics October 15, 2001 34,754 21,756 2,412 132
4 Risks Associated with E-business • Defaced Websites • Denial of Service/DDOS • Theft of Company Proprietary Information • Theft of Customer Information • Downtime = Loss of Revenue • Negative Press = Negative Public Image • Internal and External Threats
5 History of Intrusion Detection • Intrusion Detection (ID) defined: – Process of monitoring computer networks and systems for violations of security policy • First ID System--manual “system audits” • 1980, ID was born – First document need for automated audit trail review to support security goals • Growth of Internet
6 The Importance of Intrusion Detection • A perfectly secure system is a myth – Firewalls and filtering routers aren’t enough to protect electronic assets • Effective audit information analysis required a tool • An IDS is one of many components supporting a robust security architecture-”Defense in Depth” – Firewalls, VPN, Virus Protection, Vulnerability Assessments etc. • Protect valuable information resources from internal and external threats
7 An IDS can accomplish the following • Prevents and/or mitigates the damage resulting from intrusion • Identifies a precursor of more serious activity • Identifies perpetrators • Discovers new attack patterns
8 Elements of a Complete Intrusion Detection Strategy • Policy! – Policy is living, constantly evolving – ID configuration/design must support policy • Intrusion Detection System (IDS) architecture • Institutionalized Incident Response – Responses map to policy – Working with law enforcement – CERTs • Trained security personnel • Awareness Programs - Support from Users
9 Time Line of an Attack Probing: •Port Sweeps •Address sweeps •Doorknob Ratting Break-in: •Operating System Bugs •Sniffed Passwords •Social Engineering •Back Door Malicious Actions: •Steal Data or Programs •Hop to other systems •Install Back Door •Setup Sniffer •Steal CPU time
10 Misuse Detection • Misuse, signature/pattern-matching • Reliably detecting “known” use patterns • Detects only known intrusions • Difficult handling large volumes of data • Does not handle uncertainty
11 Anomaly Detection • Anomaly Detection • Establish profile of “normal” user behavior • Patterns of abnormality, rare, unusual behavior • Accommodate adaptations to changes in user behavior • Statistical and Quantitative analysis • Assumes users exhibit predictable, consistent patterns of system usage
12 Anomaly Detection (con’t.) User Normal Behavior Anomaly in User Behavior System Administrator Secretary Programmer •Log in as root •Edit user’s access permissions •Run system configuration/ monitoring tools •Logged in locally during company working hours •Uses office automation software (word processing, etc) •Reads and sends emails •Logged in from early morning to late night •Uses software development tools •Browses Internet more often in the evening then the daytime •Becomes a programmer •Accesses Software Development tools •Accesses Software project sources •Logs in from a remote host •Assumes the role of a manager •Logs in as a human resources manager •Gains access to personnel database
13 Intrusion Detection Tools • Application-based – Collects information and detects intrusion at the application layer – Placement: E-commerce Server, WebServer • Host-based – Agent software on host – Monitors: event logs, critical system files, registry settings, etc – Alerts management console, reacts actively and/or passively depending upon policy • Network-based – Operates at the network level – Detects DOS or dangerous payloads before the reach destination – Dedicated host, two interfaces: Management and Stealth
14 Active Responses • User driven • Automatic Responses • System takes action to block the progress of attack – Closing holes, shutting down services, logging an intruder – Block IP address(es) • Collect more information (honey pots)
15 Passive Responses • System logs and reports problem • Alarms and notification – visual, audible, email paper • SNMP traps • Archiving and reporting
16 IDS Architecture Recommendations • Network based – At Internet connection points – Key internal network segments – In the DMZ – Just inside the Firewall (Intranet) – Behind WAP server, WAN router, modem pool • Host-based – Servers containing critical data – Domain servers • Optimum Architecture: Combine misuse and anomaly detection
17 Sample IDS Architecture Firewall Internet Router Web Server(S) DMZ Services Email Relay Border Directory Host IDS Agent Domain Controller Personnel Database User Workstations User Workstations IDS Central Management Console Network Sensor Network Sensor Network Sensor User WorkstationsStealth Mode Customer Database Corporate Private Network Web Server(s) File and Print Server
18 Technical Issues • Scalability – Scaling over space as the network grows • Management – Network Management – Sensor Controls – Investigative Support – Performance Loads – User Interface • Reliability – Quality of analysis engines – Response mechanisms
19 Technical Issues (con’t) • Analysis – Difficulties categorizing attacks/threats – False positives/negatives (tuning anomaly detection engines) – Trend analysis, event correlation, data mining • Interoperability – Tools to collect information from: multiple abstraction layers, hardware, software – Audit trail standards • Integration – Intrusion detection in a Switched Environment – Intrusion detection in a Crypto Environment
20 Legal Issues • Legislation – Computer fraud and abuse statutes – Electronic Communications Privacy Act Sec 2510 • System logs are circumstantial evidence – Requires proof of authenticity – Testimony of responsible parties – Expert to explain log file contents – Maintaining redundant event log records • Electronic Monitoring – System admin monitoring vs. Law enforcement monitoring • Cyber Forensics
21 Commercial and Open Source • Leading Commercial Vendors – Internet Security Systems (ISS): RealSecure – NetworkICE: BlackICE – Enterasys System: Dragon – Cisco Secure Systems: IDS – NFR: Network Intrusion Detection • Open Source – Snort.org • Managed Security Providers (MSPs) – Leverage the MSPs’ security expertise – Ideal for Small/Mid-sized business – Leverage MSP experience with other customers – Focus your staff and resources on your core business activities – 24X7X365 Monitoring and Notification
22 Current and Future Trends in IDS • Protocol Scanners • “Meta” Detection – Interoperability – Centralized Administration, Management, and Reporting • IDS Appliances – No general purpose OSes to configure and maintain – No patches/Drivers to install – Facilitates: accuracy, speed, and remote management – 100 Gigabit Detection
23 References • Internet Security Systems: www.iss.net • Enterasys Networks: www.enterasys.com • Cisco Systems: www.cisco.com • Snort: www.snort.org • NFR Security www.nfr.com • CERT @ Carnegie Melon: www.cert.org • Sans Institute: “The Twenty Most Critical Internet Security Vulnerabilities” http://www.sans.org/top20.htm • Computer Security Institute: "2001 Computer Crime and Security Survey" http://www.gocsi.com/prelea/000321.html
Web-Enabling Government SM

More Related Content

PPTX
Cloud-based IDS architectures : APPLYING THE IDS APPROACHES INTO THE CLOUD EN...
Hassan EL ALLOUSSI
 
PDF
Cloud intrusion detection System
sadegh salehi
 
PDF
Security issue in Cloud computing
Seema Kumari
 
PPTX
The Top Cloud Security Issues
HTS Hosting
 
PDF
Cisco Cyber Threat Defense for the Data Center Solution: Cisco Validated Design
Cisco Russia
 
PPTX
Security on Cloud Computing
Reza Pahlava
 
PPT
Cloud security
Tushar Kayande
 
PDF
IRJET - IDS for Wifi Security
IRJET Journal
 
Cloud-based IDS architectures : APPLYING THE IDS APPROACHES INTO THE CLOUD EN...
Hassan EL ALLOUSSI
 
Cloud intrusion detection System
sadegh salehi
 
Security issue in Cloud computing
Seema Kumari
 
The Top Cloud Security Issues
HTS Hosting
 
Cisco Cyber Threat Defense for the Data Center Solution: Cisco Validated Design
Cisco Russia
 
Security on Cloud Computing
Reza Pahlava
 
Cloud security
Tushar Kayande
 
IRJET - IDS for Wifi Security
IRJET Journal
 

What's hot (20)

DOCX
Nice network intrusion detection and countermeasure
IEEEFINALYEARPROJECTS
 
PPTX
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte
 
PDF
Cloud Security Introduction
GLC Networks
 
PPTX
Cloud computing security
gangal
 
PPTX
User Behavior based Anomaly Detection for Cyber Network Security
Happiest Minds Technologies
 
PDF
Webinar - Reducing the Risk of a Cyber Attack on Utilities
WPICPE
 
PPTX
Cloud computing
Shivam Singh
 
PPTX
Software Security
Integral university, India
 
PPTX
Cloud with Cyber Security
Niki Upadhyay
 
PDF
Cloud Security - Emerging Facets and Frontiers
Gokul Alex
 
PPTX
Security for cloud native workloads
Runcy Oommen
 
PDF
Data security in cloud environment
Shivam Singh
 
DOCX
resume IT security
Michael Moore
 
PPTX
Cloud security
Jhanvi Dattani
 
PDF
DTS Solution - Wireless Security Protocols / PenTesting
Shah Sheikh
 
PDF
G0314043
iosrjournals
 
PDF
IRJET- A Survey: Data Security in Cloud using Cryptography and Steganography
IRJET Journal
 
PPTX
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
 
PDF
Cloud Security - Made simple
Sameer Paradia
 
PDF
DTS Solution - Software Defined Security v1.0
Shah Sheikh
 
Nice network intrusion detection and countermeasure
IEEEFINALYEARPROJECTS
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte
 
Cloud Security Introduction
GLC Networks
 
Cloud computing security
gangal
 
User Behavior based Anomaly Detection for Cyber Network Security
Happiest Minds Technologies
 
Webinar - Reducing the Risk of a Cyber Attack on Utilities
WPICPE
 
Cloud computing
Shivam Singh
 
Software Security
Integral university, India
 
Cloud with Cyber Security
Niki Upadhyay
 
Cloud Security - Emerging Facets and Frontiers
Gokul Alex
 
Security for cloud native workloads
Runcy Oommen
 
Data security in cloud environment
Shivam Singh
 
resume IT security
Michael Moore
 
Cloud security
Jhanvi Dattani
 
DTS Solution - Wireless Security Protocols / PenTesting
Shah Sheikh
 
G0314043
iosrjournals
 
IRJET- A Survey: Data Security in Cloud using Cryptography and Steganography
IRJET Journal
 
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
 
Cloud Security - Made simple
Sameer Paradia
 
DTS Solution - Software Defined Security v1.0
Shah Sheikh
 
Ad

Viewers also liked (20)

PPT
Intrusion detection system ppt
Sheetal Verma
 
PPT
Data Mining and Intrusion Detection
amiable_indian
 
PDF
Push to pull
eaiti
 
PPT
1 pigmentation
Ahmed Amer
 
PPT
Cc1 cancer derma
Ahmed Amer
 
PPT
Social apps 3_1_2008
eaiti
 
PDF
Tempus PROMIS Work Plan (September 2014)
PROMISproject
 
PDF
How To: Mobile "Hello World" With Xamarin and Visual Studio 2013
IndyMobileNetDev
 
PPT
Dc roundtablesmall webservices_2002
eaiti
 
PPT
It outsourcing 2005
eaiti
 
PPTX
PROMIS Tempus Project
PROMISproject
 
PPT
Middleware 2002
eaiti
 
PPTX
3 lesiones deportivas
angelamaria99
 
PPT
10 basics of human genetics
Ahmed Amer
 
PDF
Enterprise Mobility Management
eaiti
 
DOC
Manisha Garg_Resume modified
Manisha Garg, Prince2 ,CSM
 
DOCX
Ford
Bryan Richardson
 
PPTX
Autodesk inventor basic tools
Ashutosh Gupta
 
PPTX
Slide obseravasi pendidikan
kikiregar
 
PPTX
observasi psikologi pendidikan MAN 2 Model Medan
251304
 
Intrusion detection system ppt
Sheetal Verma
 
Data Mining and Intrusion Detection
amiable_indian
 
Push to pull
eaiti
 
1 pigmentation
Ahmed Amer
 
Cc1 cancer derma
Ahmed Amer
 
Social apps 3_1_2008
eaiti
 
Tempus PROMIS Work Plan (September 2014)
PROMISproject
 
How To: Mobile "Hello World" With Xamarin and Visual Studio 2013
IndyMobileNetDev
 
Dc roundtablesmall webservices_2002
eaiti
 
It outsourcing 2005
eaiti
 
PROMIS Tempus Project
PROMISproject
 
Middleware 2002
eaiti
 
3 lesiones deportivas
angelamaria99
 
10 basics of human genetics
Ahmed Amer
 
Enterprise Mobility Management
eaiti
 
Manisha Garg_Resume modified
Manisha Garg, Prince2 ,CSM
 
Ford
Bryan Richardson
 
Autodesk inventor basic tools
Ashutosh Gupta
 
Slide obseravasi pendidikan
kikiregar
 
observasi psikologi pendidikan MAN 2 Model Medan
251304
 
Ad

Similar to Intrusion detection 2001 (20)

PPT
intrusion detection system (IDS)
Aj Maurya
 
PDF
Track 5 session 1 - st dev con 2016 - need for security for iot
ST_World
 
PPTX
9 - Security
Raymond Gao
 
PDF
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
IGN MANTRA
 
PDF
Security Monitoring Course - Ali Ahangari
Ali Ahangari
 
PPTX
Intrusion detection
CAS
 
PPTX
Synopsis-Data_Leaks_Detection-046(2).pptx
kalsdoyipode
 
PDF
SIEM enabled risk management , SOC and GRC v1.0
Rasmi Swain
 
PDF
Chapter 15 incident handling
newbie2019
 
PPTX
Lecture 10 intruders
rajakhurram
 
PDF
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
IGN MANTRA
 
PPTX
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptx
AlfredObia1
 
PPTX
RuSIEM overview (english version)
Olesya Shelestova
 
PDF
CNIT 121: 2 IR Management Handbook
Sam Bowne
 
PPT
mjr-00-asia-Intrusrrrrrrrrrrrrion-long.ppt
ijaz342
 
PPT
Intrusiondetection systemscyberinfom.ppt
SoundariyaSathish
 
PPTX
IBM i Security: Identifying the Events That Matter Most
Precisely
 
PDF
Preventing The Next Data Breach Through Log Management
Novell
 
PDF
Wc4
Said Wali
 
PDF
Soc analyst course content
ShivamSharma909
 
intrusion detection system (IDS)
Aj Maurya
 
Track 5 session 1 - st dev con 2016 - need for security for iot
ST_World
 
9 - Security
Raymond Gao
 
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
IGN MANTRA
 
Security Monitoring Course - Ali Ahangari
Ali Ahangari
 
Intrusion detection
CAS
 
Synopsis-Data_Leaks_Detection-046(2).pptx
kalsdoyipode
 
SIEM enabled risk management , SOC and GRC v1.0
Rasmi Swain
 
Chapter 15 incident handling
newbie2019
 
Lecture 10 intruders
rajakhurram
 
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
IGN MANTRA
 
Tckhjhhjbbggujvg Day13-Post-Exploitation.pptx
AlfredObia1
 
RuSIEM overview (english version)
Olesya Shelestova
 
CNIT 121: 2 IR Management Handbook
Sam Bowne
 
mjr-00-asia-Intrusrrrrrrrrrrrrion-long.ppt
ijaz342
 
Intrusiondetection systemscyberinfom.ppt
SoundariyaSathish
 
IBM i Security: Identifying the Events That Matter Most
Precisely
 
Preventing The Next Data Breach Through Log Management
Novell
 
Wc4
Said Wali
 
Soc analyst course content
ShivamSharma909
 

More from eaiti (18)

PPT
Handheld device med_care_2001
eaiti
 
PPT
Ctolinux 2001
eaiti
 
PPT
J2ee 2000
eaiti
 
PPT
Xp presentation 2003
eaiti
 
PPT
Cto forum nirav_kapadia_2006_03_31_2006
eaiti
 
PDF
Cloud mz cto_roundtable
eaiti
 
PPT
Mobile 2000
eaiti
 
PPT
Stateof cto career_2002
eaiti
 
PPT
Dions globalsoa web2presentation1_2006
eaiti
 
PPT
Thads globalsoa web2presentation2_2006
eaiti
 
PPT
Ping solutions overview_111904
eaiti
 
PPT
Washdc cto-0905-2003
eaiti
 
PPT
Broadband tech 2005
eaiti
 
PPTX
Quantum technology
eaiti
 
PDF
BigData @ comScore
eaiti
 
PDF
Hemispheres of Data
eaiti
 
PDF
Using Hadoop
eaiti
 
PDF
Greenplum: Driving the future of Data Warehousing and Analytics
eaiti
 
Handheld device med_care_2001
eaiti
 
Ctolinux 2001
eaiti
 
J2ee 2000
eaiti
 
Xp presentation 2003
eaiti
 
Cto forum nirav_kapadia_2006_03_31_2006
eaiti
 
Cloud mz cto_roundtable
eaiti
 
Mobile 2000
eaiti
 
Stateof cto career_2002
eaiti
 
Dions globalsoa web2presentation1_2006
eaiti
 
Thads globalsoa web2presentation2_2006
eaiti
 
Ping solutions overview_111904
eaiti
 
Washdc cto-0905-2003
eaiti
 
Broadband tech 2005
eaiti
 
Quantum technology
eaiti
 
BigData @ comScore
eaiti
 
Hemispheres of Data
eaiti
 
Using Hadoop
eaiti
 
Greenplum: Driving the future of Data Warehousing and Analytics
eaiti
 

Recently uploaded (20)

PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 

Intrusion detection 2001

  • 1. Intrusion Detection CTO Forum November 9, 2001 Tom Casey Tcasey@pec.com 703.679.4900
  • 2. 2 Agenda • Risks Associated with E-business • Elements of an Intrusion Detection Strategy • Misuse and Anomaly Detection • Application, Host, and Network Based Tools • Active and Passive Response • Intrusion Detection System Architecture • Technical and Legal Issues • Commercial and Open Source ID systems
  • 3. 3 Reported Incidents Increasing Number of Incidents Reported 0 5000 10000 15000 20000 25000 30000 35000 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 *2001 Years NumberofIncidents *Q1-Q3 2001Cert.org Statistics October 15, 2001 34,754 21,756 2,412 132
  • 4. 4 Risks Associated with E-business • Defaced Websites • Denial of Service/DDOS • Theft of Company Proprietary Information • Theft of Customer Information • Downtime = Loss of Revenue • Negative Press = Negative Public Image • Internal and External Threats
  • 5. 5 History of Intrusion Detection • Intrusion Detection (ID) defined: – Process of monitoring computer networks and systems for violations of security policy • First ID System--manual “system audits” • 1980, ID was born – First document need for automated audit trail review to support security goals • Growth of Internet
  • 6. 6 The Importance of Intrusion Detection • A perfectly secure system is a myth – Firewalls and filtering routers aren’t enough to protect electronic assets • Effective audit information analysis required a tool • An IDS is one of many components supporting a robust security architecture-”Defense in Depth” – Firewalls, VPN, Virus Protection, Vulnerability Assessments etc. • Protect valuable information resources from internal and external threats
  • 7. 7 An IDS can accomplish the following • Prevents and/or mitigates the damage resulting from intrusion • Identifies a precursor of more serious activity • Identifies perpetrators • Discovers new attack patterns
  • 8. 8 Elements of a Complete Intrusion Detection Strategy • Policy! – Policy is living, constantly evolving – ID configuration/design must support policy • Intrusion Detection System (IDS) architecture • Institutionalized Incident Response – Responses map to policy – Working with law enforcement – CERTs • Trained security personnel • Awareness Programs - Support from Users
  • 9. 9 Time Line of an Attack Probing: •Port Sweeps •Address sweeps •Doorknob Ratting Break-in: •Operating System Bugs •Sniffed Passwords •Social Engineering •Back Door Malicious Actions: •Steal Data or Programs •Hop to other systems •Install Back Door •Setup Sniffer •Steal CPU time
  • 10. 10 Misuse Detection • Misuse, signature/pattern-matching • Reliably detecting “known” use patterns • Detects only known intrusions • Difficult handling large volumes of data • Does not handle uncertainty
  • 11. 11 Anomaly Detection • Anomaly Detection • Establish profile of “normal” user behavior • Patterns of abnormality, rare, unusual behavior • Accommodate adaptations to changes in user behavior • Statistical and Quantitative analysis • Assumes users exhibit predictable, consistent patterns of system usage
  • 12. 12 Anomaly Detection (con’t.) User Normal Behavior Anomaly in User Behavior System Administrator Secretary Programmer •Log in as root •Edit user’s access permissions •Run system configuration/ monitoring tools •Logged in locally during company working hours •Uses office automation software (word processing, etc) •Reads and sends emails •Logged in from early morning to late night •Uses software development tools •Browses Internet more often in the evening then the daytime •Becomes a programmer •Accesses Software Development tools •Accesses Software project sources •Logs in from a remote host •Assumes the role of a manager •Logs in as a human resources manager •Gains access to personnel database
  • 13. 13 Intrusion Detection Tools • Application-based – Collects information and detects intrusion at the application layer – Placement: E-commerce Server, WebServer • Host-based – Agent software on host – Monitors: event logs, critical system files, registry settings, etc – Alerts management console, reacts actively and/or passively depending upon policy • Network-based – Operates at the network level – Detects DOS or dangerous payloads before the reach destination – Dedicated host, two interfaces: Management and Stealth
  • 14. 14 Active Responses • User driven • Automatic Responses • System takes action to block the progress of attack – Closing holes, shutting down services, logging an intruder – Block IP address(es) • Collect more information (honey pots)
  • 15. 15 Passive Responses • System logs and reports problem • Alarms and notification – visual, audible, email paper • SNMP traps • Archiving and reporting
  • 16. 16 IDS Architecture Recommendations • Network based – At Internet connection points – Key internal network segments – In the DMZ – Just inside the Firewall (Intranet) – Behind WAP server, WAN router, modem pool • Host-based – Servers containing critical data – Domain servers • Optimum Architecture: Combine misuse and anomaly detection
  • 17. 17 Sample IDS Architecture Firewall Internet Router Web Server(S) DMZ Services Email Relay Border Directory Host IDS Agent Domain Controller Personnel Database User Workstations User Workstations IDS Central Management Console Network Sensor Network Sensor Network Sensor User WorkstationsStealth Mode Customer Database Corporate Private Network Web Server(s) File and Print Server
  • 18. 18 Technical Issues • Scalability – Scaling over space as the network grows • Management – Network Management – Sensor Controls – Investigative Support – Performance Loads – User Interface • Reliability – Quality of analysis engines – Response mechanisms
  • 19. 19 Technical Issues (con’t) • Analysis – Difficulties categorizing attacks/threats – False positives/negatives (tuning anomaly detection engines) – Trend analysis, event correlation, data mining • Interoperability – Tools to collect information from: multiple abstraction layers, hardware, software – Audit trail standards • Integration – Intrusion detection in a Switched Environment – Intrusion detection in a Crypto Environment
  • 20. 20 Legal Issues • Legislation – Computer fraud and abuse statutes – Electronic Communications Privacy Act Sec 2510 • System logs are circumstantial evidence – Requires proof of authenticity – Testimony of responsible parties – Expert to explain log file contents – Maintaining redundant event log records • Electronic Monitoring – System admin monitoring vs. Law enforcement monitoring • Cyber Forensics
  • 21. 21 Commercial and Open Source • Leading Commercial Vendors – Internet Security Systems (ISS): RealSecure – NetworkICE: BlackICE – Enterasys System: Dragon – Cisco Secure Systems: IDS – NFR: Network Intrusion Detection • Open Source – Snort.org • Managed Security Providers (MSPs) – Leverage the MSPs’ security expertise – Ideal for Small/Mid-sized business – Leverage MSP experience with other customers – Focus your staff and resources on your core business activities – 24X7X365 Monitoring and Notification
  • 22. 22 Current and Future Trends in IDS • Protocol Scanners • “Meta” Detection – Interoperability – Centralized Administration, Management, and Reporting • IDS Appliances – No general purpose OSes to configure and maintain – No patches/Drivers to install – Facilitates: accuracy, speed, and remote management – 100 Gigabit Detection
  • 23. 23 References • Internet Security Systems: www.iss.net • Enterasys Networks: www.enterasys.com • Cisco Systems: www.cisco.com • Snort: www.snort.org • NFR Security www.nfr.com • CERT @ Carnegie Melon: www.cert.org • Sans Institute: “The Twenty Most Critical Internet Security Vulnerabilities” http://www.sans.org/top20.htm • Computer Security Institute: "2001 Computer Crime and Security Survey" http://www.gocsi.com/prelea/000321.html