Computer Network Security
Intrusion Detection System (IDS)

Agenda
* Malicious Code
* Intruders and Classes of Intruders
* Intrusion Detection Systems (IDS)
* Approaches to Intrusion Detection: Anomaly Detection, Misuse Detection
* Intrusion Prevention Systems (IPS)
* Honey pots, Sugarcanes, Honey nets
* Defeating IDS: Insertion, Evasion, Resource Starvation

Malicious Code
* In the computer world: a program that claims to do one thing but does something else.
* The unsuspecting user executes the program, and the malicious code (the soldiers hidden inside) does something bad.
* This kind of program is called a Trojan Horse, after Odysseus' wooden horse.
* The trick is to get the user to execute the program:
  * Disguise it as a helpful attachment
  * Give it the same name as a real program but install it in a different path, so it is found instead of the genuine one
  * Overwrite a real program with a Trojaned one

Trojan Example
* 1995: a program distributed as PKZ300B.EXE looked like a new version of PKZIP.
* If run, it actually formatted your hard drive.

Trojans vs. Viruses
* Both are malicious code.
* A Trojan does not replicate, while a virus does: a virus automatically tries to create copies of itself and "infect" other systems.
* Vectors for infection: a virus inserts its code into other executables, or may insert itself into the boot sectors of disks.
* Key point: the infected program must still be run by the user somehow.

Virus vs. Worm
* Both are Malicious Code

Virus:
* Propagates by infecting other code
* Is not standalone code; rather it is inserted into other code

Worm:
* Propagates by copying itself to the target system
* Is a standalone program
Malicious Code Summary
* Trojans: malicious programs disguised as legitimate ones. Need to be executed by the user. Do not propagate.
* Viruses: sections of code copied into other executable code. Spread by infecting binaries passed between computers.
* Worms: self-propagating, complete programs, often quite complex. These are the worst and most dangerous kind, because they need no user action to spread.

Secure System (CIA)
A secure system should provide the following services:
* Confidentiality of data
* Integrity of data
* Availability of data (assurance against denial of service)

Intrusion and Intruders
* Intrusion: a set of actions aimed at compromising the security goals, i.e. attempting to break into or misuse the system.
* Intruders may be from outside the network or legitimate users of the network.
* An intrusion can be physical, system-level or remote.
* Intruder attacks range from the gentle (simply exploring the network to see what is there) to the serious (attempting to read privileged data, perform unauthorized modifications, or disrupt the system).

Intrusion and Intruders (cont.)
* A significant security problem for networked systems is hostile, or at least unwanted, intrusion in the shape of unauthorized login or use of a system by local or remote users, or by software such as a virus, worm, or Trojan horse.
* One of the most publicized threats to security is the intruder, classified into three types: Masquerader, Misfeasor, Clandestine user.

Classes of Intruders
* Masquerader: an individual who is not authorized to use the computer (an outsider). Penetrates the system's access controls and gains access to user accounts.
* Misfeasor: a legitimate user (an insider) who accesses resources he is not authorised to access, or who is authorised for such access but misuses his privileges.
* Clandestine user: an individual who seizes supervisory control of the system and uses that control to evade auditing and access controls (can be an insider or an outsider).
Password Capture
* Another attack involves password capture:
  * Watching over the shoulder as a password is entered
  * Using a Trojan Horse program to collect passwords
  * Using network monitoring tools to capture an insecure (cleartext) network login
  * Extracting recorded information after a successful login (web history/cache, last-number-dialled memory, etc.)
* With a valid login/password the attacker can impersonate the user.
* Users need to be educated to take suitable precautions and countermeasures to ensure they really are interacting with the computer system (a trusted path), and to flush browser/phone histories after use.

Plain text password after Directory Server Install (10/04/2000)
After installing Netscape's Directory Server 4 for Solaris, one of the final options is to remove a file called 'install.inf', which the install process claims could contain sensitive information. Answering yes to this question deletes the file. However, another file is left behind after installation which contains the unencrypted 'admin' password. This file has world read permissions and is located at /usr/netscape/server4/admin-serv/config/adm.conf.

HACKING TOOLS (EASY TO GET, EASY TO USE, VERY POWERFUL)

Classifications of IDS
* Scope:
  * Host-based: analysis of system events
  * Network-based: analysis of exchanged information (IP packets)
  * Hybrid: combined analysis of system events and network traffic
* Time of analysis:
  * Post mortem (offline analysis of recorded data)
  * Online analysis (as events occur)

Schematic Overview of Intrusion
[Figure: schematic overview diagram; only the component labels "Reaction" and "Alarm" survive extraction.]
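The Directory Server report above is one instance of a general exposure: a configuration file that holds a credential but is readable by every local user. The following Python script, added here as an example and not part of the advisory or of any Netscape software, walks a directory tree and reports world-readable files that contain a password-like assignment. The directory layout, the file names (adm.conf, adm.conf.fixed, magnus.conf), their contents and the credential regex are all constructed for the demonstration; the permission test uses POSIX mode bits.

```python
"""Scan a directory tree for world-readable files that appear to hold
plaintext credentials (the class of exposure in the 2000 Netscape
Directory Server adm.conf report). Example code added for this page;
file names, contents and the credential pattern are constructed."""
import os
import re
import shutil
import stat
import tempfile

# Lines that look like a credential assignment in a config file.
# The key names are an assumption chosen for illustration, not a
# complete list of what real products use.
CREDENTIAL_RE = re.compile(
    r"^\s*(?:admin_?)?(?:password|passwd|pwd|secret)\s*[:=]\s*\S+",
    re.IGNORECASE | re.MULTILINE,
)


def is_world_readable(path):
    """POSIX check: is the 'other' read bit set on this file?"""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_exposed_credentials(root):
    """Return sorted paths (relative to root) that are both world-readable
    and contain a line matching CREDENTIAL_RE. Unreadable or non-text
    files are skipped rather than reported."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_world_readable(path):
                continue
            try:
                with open(path, "r", encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
            if CREDENTIAL_RE.search(text):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_demo_tree():
    """Create a temporary tree imitating the advisory's layout.
    All three files and their contents are constructed test data."""
    root = tempfile.mkdtemp(prefix="idsdemo_")
    cfg = os.path.join(root, "admin-serv", "config")
    os.makedirs(cfg)

    # The bad case: plaintext admin password, mode 0644 (world-readable).
    leak = os.path.join(cfg, "adm.conf")
    with open(leak, "w") as fh:
        fh.write("sie: cn=admin-serv\nAdminPassword: s3cr3t-example\n")
    os.chmod(leak, 0o644)

    # The fixed case: same content but owner-only permissions (0600).
    fixed = os.path.join(cfg, "adm.conf.fixed")
    with open(fixed, "w") as fh:
        fh.write("AdminPassword: s3cr3t-example\n")
    os.chmod(fixed, 0o600)

    # World-readable but holding no credential: must not be reported.
    plain = os.path.join(cfg, "magnus.conf")
    with open(plain, "w") as fh:
        fh.write("Port: 12345\nUser: nobody\n")
    os.chmod(plain, 0o644)
    return root


def demo_results():
    """Build the demo tree, scan it, and clean up. Returns the hit list."""
    root = build_demo_tree()
    try:
        return find_exposed_credentials(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for hit in demo_results():
        print("exposed credential in world-readable file:", hit)
```

Only adm.conf is reported: the copy with mode 0600 is invisible to other users, and magnus.conf is readable but carries nothing sensitive. The scanner tests only the "other" read bit; on multi-user hosts, group-readable credential files deserve the same scrutiny, and the remedy is to restrict the file's mode or remove the secret from it, not merely to detect it.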
Tasks of an IDS
* Audit: recording of all security-relevant events of a supervised system; preprocessing and management of the recorded audit data.
* Detection: automatic analysis of the audit data.
* Principal approaches:
  * Anomaly detection: flag behaviour that deviates from a learned profile of normal activity
  * Misuse detection (signature analysis): match audit data against patterns of known attacks
* Types of errors:
  * False positive: a non-malicious action is reported as an intrusion
  * False negative: an intrusion is not detected (a "non-event")
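To make the two approaches and the two error types concrete, here is a small Python example added for this page (not from the lecture) that runs a signature detector and a profile-based anomaly detector over a constructed audit log with known ground truth, then counts true positives, false positives and false negatives for each. The users, hosts, hours, the failed-login threshold and both signatures are invented for the illustration.

```python
"""Misuse (signature) detection vs. anomaly detection over a constructed
audit log, scored against ground truth. Example code added for this page;
every record, user, host and rule below is constructed."""
from collections import Counter, defaultdict

# Constructed audit records:
# (event_id, hour, user, action, source_host, is_intrusion)
# The last field is ground truth, used only to score the detectors.
AUDIT_LOG = [
    (1, 9, "alice", "login_ok", "10.0.0.5", False),
    (2, 10, "alice", "read_file", "10.0.0.5", False),
    (3, 11, "bob", "login_ok", "10.0.0.7", False),
    (4, 14, "bob", "login_fail", "10.0.0.7", False),       # one typo, benign
    (5, 14, "bob", "login_ok", "10.0.0.7", False),
    (6, 2, "mallory", "login_fail", "198.51.100.9", True),  # brute force
    (7, 2, "mallory", "login_fail", "198.51.100.9", True),
    (8, 2, "mallory", "login_fail", "198.51.100.9", True),
    (9, 2, "mallory", "login_fail", "198.51.100.9", True),
    (10, 3, "alice", "login_ok", "198.51.100.9", True),     # captured password
    (11, 3, "alice", "su_root", "198.51.100.9", True),
    (12, 22, "bob", "login_ok", "10.0.0.7", False),         # working late
]

# Learned profile of normal login hours per user (constructed).
NORMAL_HOURS = {
    "alice": set(range(9, 18)),
    "bob": set(range(9, 18)),
}

FAIL_THRESHOLD = 3  # signature 1: this many failures from one source


def misuse_detect(log):
    """Signature analysis. Sig 1: FAIL_THRESHOLD or more login failures
    from the same source host. Sig 2: su_root from a source outside the
    assumed admin LAN (crude '10.' prefix test stands in for a CIDR match)."""
    alerts = set()
    fails = defaultdict(list)
    for eid, _hour, _user, action, src, _label in log:
        if action == "login_fail":
            fails[src].append(eid)
    for ids in fails.values():
        if len(ids) >= FAIL_THRESHOLD:
            alerts.update(ids)
    for eid, _hour, _user, action, src, _label in log:
        if action == "su_root" and not src.startswith("10."):
            alerts.add(eid)
    return alerts


def anomaly_detect(log, profile):
    """Flag successful logins at an hour outside the user's learned
    profile, or by a user who has no profile at all."""
    alerts = set()
    for eid, hour, user, action, _src, _label in log:
        if action == "login_ok" and hour not in profile.get(user, set()):
            alerts.add(eid)
    return alerts


def score(log, alerts):
    """Confusion counts for a set of alerted event ids vs. ground truth."""
    c = Counter(tp=0, fp=0, fn=0, tn=0)
    for eid, _hour, _user, _action, _src, is_intrusion in log:
        flagged = eid in alerts
        if flagged and is_intrusion:
            c["tp"] += 1
        elif flagged:
            c["fp"] += 1
        elif is_intrusion:
            c["fn"] += 1
        else:
            c["tn"] += 1
    return dict(c)


def run_demo():
    misuse = misuse_detect(AUDIT_LOG)
    anomaly = anomaly_detect(AUDIT_LOG, NORMAL_HOURS)
    return {
        "misuse": score(AUDIT_LOG, misuse),
        "anomaly": score(AUDIT_LOG, anomaly),
        "combined": score(AUDIT_LOG, misuse | anomaly),
    }


if __name__ == "__main__":
    for name, counts in run_demo().items():
        print(name, counts)
```

The signature detector catches the brute-force run and the remote su_root with no false positives, but it has no signature for a valid login with a stolen password, so event 10 is a false negative. The anomaly detector catches that 3 a.m. login because it is outside alice's profile, but it also raises a false positive on bob's legitimate late login (event 12) and says nothing about the failed logins, which are not in the behaviour it models. Running both reduces the misses at the cost of the anomaly detector's false positive, which is the usual trade-off between the two approaches.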