Intrusion Detection System Part 1-Computer Network Security-Lecture Slides, Slides of Computer Security

This course teaches the key concepts of computer and network security. The course is divided into two parts: the first covers the key cryptology concepts and protocols, while the second half is about advanced topics in network security. This lecture includes: Intrusion, Detection, System, Malicious, Code, Class, Approaches, Anomaly, Misuse, Insertion, Evasion, Resource, Starvation

Typology: Slides

2011/2012

Uploaded on 08/08/2012

parni

Computer Network Security: Intrusion Detection System (IDS)

Agenda
 Malicious Code
 Intruders and Classes of Intruders
 Intrusion Detection Systems (IDS)
 Approaches to Intrusion Detection
   Anomaly Detection
   Misuse Detection
 Intrusion Prevention Systems (IPS)
 Honey pots, Sugarcanes, Honey nets
 Defeating IDS
   Insertion
   Evasion
   Resource Starvation

Malicious Code
 In the computer world:
   A program that claims to do bla bla bla…
   The unsuspecting user executes the program
   And the malicious code (the soldiers) does something bad
 This kind of program is often called a Trojan Horse after Odysseus’ invention
 The trick is to get the user to execute the program:
   Disguise it as a helpful attachment
   A real program by the same name (but in a different path)
   Overwriting a real program with a Trojan’ed one

Trojan Example
 1995: a program distributed as PKZ300B.EXE looked like a new version of PKZIP
 It actually formatted your hard drive if run

Trojans vs. Viruses
 Both are malicious code
 A Trojan does not replicate, while a virus does:
   A virus automatically tries to create copies of itself and “infect” other systems
 Vectors for infection:
   A virus inserts its code into other executables
   It may insert itself into the boot sectors of disks
 Key point: the program must still be run by the user somehow

Virus vs. Worm
 Both are malicious code
   Virus: propagates by infecting other code; is not standalone code, rather it is inserted into other code
   Worm: propagates by copying itself to the target system; is a standalone program

Malicious Code Summary
 Trojans:
   Malicious programs disguised as legitimate ones
   Need to be executed by the user
   Do not propagate
 Viruses:
   Sections of code copied into other executable code
   Spread by infecting binaries passed between computers
 Worms:
   Self-propagating
   Complete programs, often quite complex
   These are the worst and most dangerous kind!

Secure System (CIA)
 A secure system should provide the following services:
   Confidentiality of data
   Integrity of data
   Availability of data (assurance against denial of service)

Intrusion and Intruders
 Intrusion: a set of actions aimed at compromising the security goals, thereby attempting to break into or misuse the system
 Intruders may be from outside the network or legitimate users of the network
 An intrusion can be a physical, system or remote intrusion
 Intruder attacks range from the gentle (simply exploring the net to see what is there) to the serious (attempting to read privileged data, perform unauthorized modifications, or disrupt the system)

Intrusion and Intruders (continued)
 A significant security problem for networked systems is hostile, or at least unwanted, intrusion in the shape of unauthorized login or use of a system:
   by local or remote users
   or by software such as a virus, worm, or Trojan horse
 One of the most publicized threats to security is the intruder, identified in three classes:
   Masquerader
   Misfeasor
   Clandestine user

Classes of Intruders
 Masquerader
   An individual who is not authorized to use the computer (outsider)
   Penetrates the system’s access control and gains access to user accounts
 Misfeasor
   A legitimate user who accesses resources he is not authorised to access (insider)
   Or who is authorised such access but misuses his privileges
 Clandestine user
   An individual who grabs supervisory control of the system and uses this control to escape auditing and access controls (either outsider or insider)

Password Capture
 Another attack involves password capture:
   Watching over the shoulder as the password is entered
   Using a Trojan Horse program to collect it
   Using sophisticated network monitoring tools to monitor an insecure network login
   Extracting recorded info after a successful login (web history/cache, last number dialled memory etc.)
 With a valid login/password the attacker can impersonate the user
 Users need to be educated to use suitable precautions/countermeasures to ensure they really are interacting with the computer system (trusted path)
 To flush browser/phone histories after use etc.

Plain text password after Directory Server install (10/04/2000)
 After installing Netscape's Directory Server 4 for Solaris, one of the final options is to remove a file called 'install.inf', which the install process claims could contain sensitive information. Answering yes to this question will delete the file.
 However, there is another file left behind after installation which contains the un-encrypted 'admin' password. This file has world read permissions and is located in /usr/netscape/server4/admin-serv/config/adm.conf

Hacking Tools (easy to get, easy to use, very powerful)

Classifications of IDS
 Scope:
   Host-based: analysis of system events
   Network-based: analysis of exchanged information (IP packets)
   Hybrid: combined analysis of system events and network traffic
 Time of analysis:
   Post mortem
   Online analysis

Schematic Overview of Intrusion
 [Figure not recoverable from the preview; only the labels “Reaction” and “Alarm” survive the extraction]

Tasks of an IDS
 Audit:
   Recording of all security-relevant events of a supervised system
   Preprocessing and management of recorded audit data
 Detection:
   Automatic analysis of audit data
 Principal approaches:
   Anomaly detection
   Misuse detection (signature analysis)
 Types of errors:
   False positive: a non-malicious action is reported as an intrusion
   False negative: an intrusion is not detected (a “non-event”)
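The adm.conf finding above is a world-readable file holding a plaintext credential. The following script is an added example, not part of the lecture slides or of any Netscape tooling: a defensive audit that walks a directory tree and reports regular files readable by "other" whose contents carry a password-looking key. The directory layout, the file contents, the key name admin_password and the key-name heuristic are all constructed for the demo.

```python
"""Added example (not from the lecture slides): audit a directory tree for
world-readable files that look like they hold a credential, the kind of
leftover the slides describe for Netscape Directory Server's adm.conf.
Every path and file content below is constructed for the demo."""
import os
import re
import stat
import tempfile

# Heuristic (an assumption, not an exhaustive list): a config line whose key
# contains one of these words and is followed by ':' or '='.
SECRET_KEY = re.compile(
    r"(?im)^\s*[\w.-]*(passw(or)?d|pwd|secret|token)[\w.-]*\s*[:=]"
)


def find_world_readable_secrets(root):
    """Return paths (relative to root) of regular files that carry the
    S_IROTH mode bit and contain a secret-looking key."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # Skip symlinks, devices etc. and anything not readable by 'other'
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read(65536)  # config secrets sit near the top
            except OSError:
                continue
            if SECRET_KEY.search(text):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_demo_tree(root):
    """Populate root with constructed files: a world-readable config holding a
    plaintext admin password (the adm.conf pattern), a properly locked-down
    copy of the same file, and a world-readable file with nothing sensitive."""
    cases = {
        "admin-serv/config/adm.conf": ("sysuser: admin\nadmin_password: demo-only\n", 0o644),
        "admin-serv/config/adm.conf.locked": ("sysuser: admin\nadmin_password: demo-only\n", 0o600),
        "admin-serv/config/README": ("Constructed config directory for the demo.\n", 0o644),
    }
    for rel, (content, mode) in cases.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)


def demo():
    """Build the constructed tree in a temporary directory and return what the
    audit flags; only the 0o644 file with a password key should appear."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return find_world_readable_secrets(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("world-readable file with a secret-looking key:", hit)
```

Run it on a real install root instead of the temporary tree to get the list of files to lock down; the locked-down copy in the demo shows that fixing the mode alone (0o600) is enough to drop a file out of the report, even though its contents are unchanged.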
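The "Tasks of an IDS" slide names the two principal approaches and the two error types without showing how they trade off. The script below is an added example, not code from the lecture or any IDS product: a toy misuse detector (signature analysis) and a toy anomaly detector run over the same constructed host audit trail, then scored with the slides' definitions of false positive and false negative. The signatures, the office-hours baseline, the user names and every audit record are assumptions made up for the demo.

```python
"""Added example (not from the lecture slides): misuse vs. anomaly detection
over one constructed audit trail, scored for false positives/negatives.
Signatures, baseline and records are all demo assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    user: str
    action: str      # "login_ok", "login_fail", "read" or "exec"
    target: str      # file or program touched, "-" for logins
    hour: int        # local hour of day, 0-23
    malicious: bool  # ground truth, used only for scoring


# Constructed audit trail. The malicious rows mirror the slides' intruder
# classes: bob is a masquerader guessing a password, carol a misfeasor reading
# a file she may not, dave a clandestine user tampering with the audit log.
AUDIT = [
    AuditEvent("alice", "login_ok", "-", 9, False),
    AuditEvent("alice", "read", "/home/alice/report.txt", 10, False),
    AuditEvent("alice", "exec", "/usr/bin/pkzip", 11, False),
    AuditEvent("bob", "login_fail", "-", 3, True),
    AuditEvent("bob", "login_fail", "-", 3, True),
    AuditEvent("bob", "login_fail", "-", 3, True),
    AuditEvent("bob", "login_ok", "-", 3, True),
    AuditEvent("carol", "read", "/etc/shadow", 14, True),
    AuditEvent("carol", "read", "/home/carol/notes.txt", 14, False),
    AuditEvent("dave", "exec", "/bin/rm", 23, True),
    AuditEvent("dave", "read", "/var/log/audit.log", 23, True),
    AuditEvent("erin", "login_ok", "-", 22, False),   # late shift, benign
]

# Misuse detection: known-bad patterns. Anything not written down here is
# invisible to the detector, which is where its false negatives come from.
SIGNATURES = {
    "shadow-read": lambda e: e.action == "read" and e.target == "/etc/shadow",
    "audit-log-access": lambda e: e.target.startswith("/var/log/audit"),
}
BRUTE_FORCE_THRESHOLD = 3   # consecutive login failures by one user


def misuse_detect(events):
    """Signature analysis. Returns the indices of events that match a
    signature or complete a brute-force run of failed logins."""
    flagged = set()
    fails = Counter()
    for i, e in enumerate(events):
        if any(sig(e) for sig in SIGNATURES.values()):
            flagged.add(i)
        if e.action == "login_fail":
            fails[e.user] += 1
            if fails[e.user] >= BRUTE_FORCE_THRESHOLD:
                flagged.add(i)
        else:
            fails[e.user] = 0   # a non-failure ends the run
    return flagged


# Anomaly detection: a baseline of "normal", everything outside it is
# suspicious. The baseline here is just office hours, so a benign late-shift
# login becomes a false positive and an in-hours abuse a false negative.
WORK_HOURS = range(8, 19)


def anomaly_detect(events):
    """Flag every event whose hour falls outside the working-hours baseline."""
    return {i for i, e in enumerate(events) if e.hour not in WORK_HOURS}


def score(events, flagged):
    """Confusion counts in the slides' vocabulary: fp = benign action reported
    as an intrusion, fn = intrusion that produced no alert."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for i, e in enumerate(events):
        hit = i in flagged
        if e.malicious:
            counts["tp" if hit else "fn"] += 1
        else:
            counts["fp" if hit else "tn"] += 1
    return counts


if __name__ == "__main__":
    for name, detector in (("misuse", misuse_detect), ("anomaly", anomaly_detect)):
        print(f"{name:8s} {score(AUDIT, detector(AUDIT))}")
```

On this trail the misuse detector raises no false positives but misses four of the seven malicious events (the first two failed logins, the successful masquerade and the rm of the log), while the anomaly detector catches six of seven at the cost of flagging erin's legitimate late login and missing carol's in-hours read of /etc/shadow. Tuning either detector moves counts between the fp and fn columns rather than removing them, which is the trade-off the slide's error types describe.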