Intrusion Detection System Part 2-Computer Network Security-Lecture Slides, Slides of Computer Security

This course teaches the key concepts of computer and network security. The course is divided into two parts. The first part covers the key cryptology concepts and protocols, while the second half is about advanced topics in network security. This lecture includes: Intrusion, Detection, System, Duration, Usage, Approaches, Anomaly, System, Usage, Executed, Programs, Attacks, Privacy

Typology: Slides

2011/2012

Uploaded on 08/08/2012

parni
Slide 31: Approaches of Intrusion Detection: Anomaly Detection

- Users have certain habits in their system usage:
  - Duration of usage
  - Login times
  - Amount of file system usage
  - Executed programs, accessed files, etc.
- Advantage:
  - An attack scenario does not need to be defined a priori
  - This approach can, in principle, detect unknown attacks

Slide 32: Approaches of Intrusion Detection: Anomaly Detection

- Problems:
  - Privacy of users:
    - Collecting user-specific usage patterns
    - Work-related or personal habits
  - Requires continual updating of the normal behavior patterns
  - High amount of false positives
  - If a normal behavior pattern matches an attack pattern, this kind of attack will not be detected (-> false negative)

Slide 35: Misuse Detection

[Diagram: incoming traffic is pattern-matched against a database of intrusion patterns; a match is reported as an intrusion.]

Example: if (src_ip == dst_ip && src_port == dst_port) then "land attack"

- Can't detect new attacks

Slide 36: Types of Errors

- Practically, an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms
  - If too few intrusions are detected -> false sense of security
  - If too many false alarms -> alerts get ignored / time is wasted
- False Positives
- False Negatives
- This is very hard to do
- Existing systems seem not to have a good record

Slide 37: Common Intrusion Detection Framework

- E-boxes (event generators): provide information about events
- A-boxes (analysis engines): analyze events and extract relevant information
- D-boxes (storage mechanisms): store information from the E- and A-boxes
- C-boxes (countermeasures): more than just an alarm, they prevent further attacks

Slide 40: Distributed Intrusion Detection

- Multi-agent Systems (MAS):
  - Multiple interacting intelligent agents.
  - Solve problems which are difficult or impossible for a monolithic system (where processing, data and the user interface all reside on the same system).
  - Typical job: disaster response.
- Intelligent Agents:
  - Actors which observe and act upon an environment and are capable of perception, action and goal-directed behavior.
  - Can be a robot or an embedded real-time software system.
  - Learning agents: continuously compute (learn) the detection models
  - Detection agents: use the (updated) models to detect intrusions

Slide 41: Intelligent Agents

[Figure: agents each monitoring one host log: messages, access_log, secure, sendmail.]

Slide 42: Intelligent Agents

[Figure: the messages, xfer, access_log, secure and sendmail logs consolidated into one security log.]

Slide 45: Decision Making

- Detection models and decision tables might employ data mining techniques.
- Relevant data mining algorithms:
  - Classification: maps a data item into one of several pre-defined categories.
  - Link analysis: determines relations between fields in the database.
  - Sequence analysis: models sequence patterns.

Slide 46: Intrusion Prevention Systems (IPS)

- A combination of access control and an intrusion detection system.
- Blocks malicious network activity in real time.
- Has some basic firewall functionality
  - But firewalls block all traffic except that which they have a reason to pass.
  - An IPS passes all traffic except that which it has a reason to block.

Slide 47: Content-Based IPS

- Blocks traffic based on attack signatures.
  - Worms that match a signature can be blocked.
  - Packets that do not comply with the TCP/IP RFCs can be dropped.
- The best content-based IPSs offer a range of techniques for identifying malicious content and many options for how to handle the attacks:
  - simply dropping bad packets
  - dropping future packets from the same attacker
  - reporting and alerting strategies
- Content-based IPSs can be used to complement firewalls and provide security policy enforcement.

[Cartoon: "Well, that's strange!" Caption: Don't ignore strange activity on your system. Also don't be afraid to report problems.]

Slide 51: How to Defeat an IDS??

- 3 attack types:
  - Insertion
  - Evasion
  - Resource Starvation

Slide 52: Insertion Attack

- Insert packets that the end-point server will ignore but that the IDS picks up as valid packets.
- An attacker can use insertion attacks to defeat signature analysis, allowing her to slip attacks past an IDS.

Slide 55: Evasion Attack

- Getting the IDS to not see data that the network may see.
- Get the IDS to reject certain packets... that the systems will accept!!
- Kind of the opposite of insertion, but the same idea -> discrepancy between the IDS and the inner network

Slide 56: Resource Starvation

- DoS
- The attacker finds operations that require a lot of memory and targets them until no more memory is left.
  - Solution: garbage collection
  - Problems: may stop legitimate connections and may not keep up with collection.
- Use the IDS to deny others service (spoof addresses, frame others).
- Force the IDS to block DNS servers??
- More on attacks: http://insecure.org/stf/secnet_ids/secnet_ids.html

Slide 57: Limitations of IDS

- HIDS are vulnerable to attacks since they run on the monitored machine.
- NIDS can become bottlenecks in high-speed networks.
- NIDS cannot deal with encrypted connections.
- In particular, an IDS needs to reconstruct fragments correctly.
- Only "known" attacks can be detected.
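The following is an added example, not part of the lecture slides, that ties together the anomaly-detection, misuse-detection, types-of-errors and CIDF material above: a miniature pipeline in which an E-box hands constructed session events to two A-boxes (a per-user baseline anomaly detector and a signature matcher using the slides' land-attack rule), alerts are kept in a D-box list, and a C-box decides whether to only alert or also block the source. The user names, baselines, thresholds, IP addresses and ground-truth labels are all assumptions made for the example; the last two events are constructed to show an anomaly false positive (a legitimate but unusual session) and a false negative (an attack that matches normal behaviour).

```python
"""Added example: a miniature CIDF-style intrusion detection pipeline.

E-box: event generator (here, a constructed list of session records)
A-box: analysis engines (anomaly detector + misuse/signature detector)
D-box: storage (a list of alerts kept in memory)
C-box: countermeasure (decide whether to only alert or also block the source)

All names, events, thresholds and labels are assumptions made for this example.
"""
import statistics
from dataclasses import dataclass


# --- E-box: event record as produced by a hypothetical sensor ----------------
@dataclass
class Event:
    user: str
    login_hour: int      # 0-23, local time
    bytes_written: int   # file-system usage during the session
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    is_attack: bool      # constructed ground-truth label, used only for scoring


# Constructed per-user history: "users have certain habits in their system usage"
BASELINE = {
    "alice": {"hours": [9, 9, 10, 10, 11, 9, 10],
              "bytes": [2000, 2500, 1800, 2200, 2100, 2400, 1900]},
    "bob":   {"hours": [22, 23, 23, 0, 22, 23, 1],
              "bytes": [50000, 48000, 52000, 51000, 49000, 50500, 47500]},
}


def circular_hour_distance(a: int, b: int) -> int:
    """Distance on the 24-hour clock, so that 23 and 0 are one hour apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


# --- A-box 1: anomaly detection (no attack signature needed) ----------------
def anomaly_reasons(ev: Event, k: float = 3.0) -> list:
    """Return the ways this event deviates from the user's own baseline."""
    base = BASELINE.get(ev.user)
    if base is None:
        return ["unknown user: no baseline"]
    reasons = []
    # Login-time habit: flag if no historical login lies within one hour of this one
    if all(circular_hour_distance(ev.login_hour, h) > 1 for h in base["hours"]):
        reasons.append(f"login at hour {ev.login_hour} outside usual hours")
    # File-system usage: flag if more than k standard deviations above the mean
    mean = statistics.mean(base["bytes"])
    sd = statistics.stdev(base["bytes"])
    if ev.bytes_written > mean + k * sd:
        reasons.append(f"bytes_written {ev.bytes_written} > mean+{k}sd ({mean + k * sd:.0f})")
    return reasons


# --- A-box 2: misuse detection (the signature from the slides) --------------
def misuse_reasons(ev: Event) -> list:
    """Pattern-match the event against known attack signatures."""
    reasons = []
    if ev.src_ip == ev.dst_ip and ev.src_port == ev.dst_port:
        reasons.append("land attack")
    return reasons


# --- C-box: countermeasure policy -------------------------------------------
def countermeasure(misuse: list, anomaly: list) -> str:
    """A signature hit is high confidence: block the source. An anomaly alone only alerts."""
    if misuse:
        return "block-source"
    if anomaly:
        return "alert-only"
    return "none"


# --- Pipeline: run the A-boxes over E-box events, store in the D-box, count errors
def run_pipeline(events: list) -> dict:
    d_box = []                                       # stored alerts
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for ev in events:
        misuse = misuse_reasons(ev)
        anomaly = anomaly_reasons(ev)
        action = countermeasure(misuse, anomaly)
        alerted = action != "none"
        if alerted:
            d_box.append({"user": ev.user, "action": action, "why": misuse + anomaly})
        if alerted and ev.is_attack:
            counts["TP"] += 1
        elif alerted and not ev.is_attack:
            counts["FP"] += 1                        # legitimate but unusual session
        elif not alerted and ev.is_attack:
            counts["FN"] += 1                        # attack that looked like normal behaviour
        else:
            counts["TN"] += 1
    return {"alerts": d_box, "counts": counts}


# Constructed E-box output; is_attack is the scenario's ground truth, not sensor data
SAMPLE_EVENTS = [
    Event("alice", 10, 2300, "10.0.0.5", "10.0.0.1", 51000, 22, False),  # normal
    Event("alice", 3, 90000, "10.0.0.5", "10.0.0.1", 51001, 22, True),   # off-hours bulk write
    Event("bob", 23, 50000, "10.0.0.9", "10.0.0.1", 51002, 22, False),   # normal night shift
    Event("bob", 23, 50000, "10.0.0.1", "10.0.0.1", 139, 139, True),     # matches land signature
    Event("alice", 9, 3500, "10.0.0.5", "10.0.0.1", 51003, 22, False),   # legitimate one-off backup
    Event("alice", 10, 2100, "10.0.0.5", "10.0.0.1", 51004, 22, True),   # attacker mimicking alice
]

if __name__ == "__main__":
    result = run_pipeline(SAMPLE_EVENTS)
    for alert in result["alerts"]:
        print(alert)
    print(result["counts"])   # {'TP': 2, 'FP': 1, 'TN': 2, 'FN': 1}
```

Running the block over the six constructed events yields two true positives, one false positive and one false negative, which is the trade-off the Types of Errors slide describes: the anomaly detector catches the unknown off-hours bulk write that no signature covers, pays for it by flagging the legitimate backup, and cannot see an intruder whose session looks exactly like the user's own habits. Only the signature hit is high-confidence enough for the C-box to do more than alarm.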
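The insertion and evasion slides and the limitation that "an IDS needs to reconstruct fragments correctly" share one root cause: the sensor and the end host may reassemble the same overlapping fragments differently. The following added example, written for this page and not taken from the slides or any IDS product, shows a defensive check a NIDS can apply: reassemble a datagram's fragments under two overlap policies and raise an alert when the results disagree, instead of silently trusting a single reassembly. Fragment layouts and payloads are constructed; the Fragment type and the policy names are assumptions of the example.

```python
"""Added example: flagging ambiguous fragment overlaps in a NIDS reassembler.

If two fragments claim the same byte with different values, a sensor that
keeps the first copy and a host that keeps the last copy see different
datagrams. The defensive response is to alert on the ambiguity itself.
The fragment sets below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this fragment's payload within the datagram
    data: bytes


def reassemble(frags: list, policy: str) -> bytes:
    """Reassemble in arrival order.

    policy "first": bytes already received win on overlap (one common sensor choice)
    policy "last":  later-arriving bytes overwrite earlier ones (another host choice)
    Raises ValueError if the fragments leave a gap in coverage.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    total = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(total)
    filled = [False] * total
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if filled[pos] and policy == "first":
                continue
            buf[pos] = b
            filled[pos] = True
    if not all(filled):
        raise ValueError("gap in fragment coverage")
    return bytes(buf)


def overlap_conflicts(frags: list) -> list:
    """Return (offset, earlier_byte, later_byte) for every byte claimed twice with
    differing values. Identical overlaps (plain retransmissions) are not conflicts."""
    seen = {}
    conflicts = []
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in seen and seen[pos] != b:
                conflicts.append((pos, seen[pos], b))
            seen.setdefault(pos, b)
    return conflicts


def analyse(frags: list) -> dict:
    """Run both policies and report whether the datagram is ambiguous."""
    first = reassemble(frags, "first")
    last = reassemble(frags, "last")
    conflicts = overlap_conflicts(frags)
    return {
        "first": first,
        "last": last,
        "ambiguous": first != last,   # an IDS should alert rather than pick one
        "conflicts": conflicts,
    }


# Constructed fragment sets (payload bytes are arbitrary letters)
CLEAN = [Fragment(0, b"ABCDEFGH"), Fragment(8, b"IJKL")]
# Same datagram with a benign duplicate of bytes 4-7 (identical content)
DUPLICATE = [Fragment(0, b"ABCDEFGH"), Fragment(4, b"EFGH"), Fragment(8, b"IJKL")]
# A second fragment re-covers bytes 4-7 with different content: the two
# reassembly policies now disagree, which is exactly what the check must catch
OVERLAPPING = [Fragment(0, b"ABCDEFGH"), Fragment(4, b"WXYZ"), Fragment(8, b"IJKL")]

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("duplicate", DUPLICATE), ("overlapping", OVERLAPPING)):
        r = analyse(frags)
        print(f"{name:12} ambiguous={r['ambiguous']} conflicts={len(r['conflicts'])}")
        if r["ambiguous"]:
            print("  first-wins:", r["first"])
            print("  last-wins: ", r["last"])
```

Only the third set is reported as ambiguous: the clean datagram and the identical retransmission reassemble the same way under both policies, so the check does not add false positives for ordinary fragmentation. In a real sensor the alert would be raised on the flow regardless of whether either reassembly matches a signature, since the disagreement itself is the evidence that the sensor cannot know what the host saw.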