
An Introduction to Intrusion Detection



Presentation Transcript


    1. An Introduction to Intrusion Detection
       Dr. James P. Early, Department of Computer Sciences

    2. Outline
       - Terminology
       - Classification
       - General Model
       - Complications
       - Some Current Systems
       - Resources

    3. Terminology
       What is an intrusion? Examples include:
       - Breaching a locked door
       - Password guessing
       - Escalation of privilege
       - Denial of Service attacks
       - Rootkits, worms, viruses, etc.
       Working definition: a violation, or attempted violation, of a security policy.

    4. Terminology
       What is intrusion detection?
       Definition: the process of observing events for evidence of security policy violations, or attempts at them.
       Some important operational questions:
       - What is observed?
       - How is a security violation determined?
       - What is the response?

    5. Classifications
       Based on operational behavior:
       - Host vs. Network: defines the event source
       - Signature vs. Anomaly-based: defines the model used to assess policy violations
       - Active vs. Passive: probing versus monitoring

    6. Classifications (continued)
       - Centralized vs. Distributed: where the analysis takes place
       - Real Time vs. Interval: when notification takes place

    7. Host-based IDS
       Data sources commonly found on a host. Examples:
       - System call sequences
       - Audit log files
       - File attributes
       May be integral to the OS (e.g., Solaris BSM)
       Lacks the "big picture": a single host's sensor cannot correlate activity across hosts

    8. Network-based IDS
       - Observes packets and connections
       - Visibility into potentially many hosts
       - Can identify violations before they impact the intended victim (hopefully)
       - Can be difficult to assess the impact on individual hosts (more on this later)

    9. Signature-based IDS
       - Uses models of "bad" behavior
       - Each "signature" describes a known policy violation that has been observed before
       - Examples: buffer overflow strings, SQL injection attacks, virus definitions
       - Detection occurs when the bad behavior is observed in the event stream
       - The list of signatures must be kept current; an attack with no signature is invisible
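The following is an added example, not part of the slides, of the signature approach just described: a handful of constructed patterns (one tautology-style SQL injection, one UNION SELECT injection, one x86 NOP sled as found in buffer-overflow payloads) run over constructed HTTP request lines. The signature IDs, patterns and sample requests are all made up for illustration; they are not Snort rules or captured traffic. The last sample request is a deliberate miss: the same injection idea written with `||` instead of `OR`, which no signature in the set covers.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: re.Pattern


# A small, constructed signature set. The patterns are illustrative and are
# not taken from any real rule set; a production IDS ships thousands of them.
SIGNATURES = [
    Signature(1001, "SQLi: OR-tautology in parameter",
              re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE)),
    Signature(1002, "SQLi: UNION SELECT",
              re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE)),
    # Eight or more consecutive x86 NOP (0x90) bytes: a classic sled that
    # precedes shellcode in a buffer-overflow payload.
    Signature(2001, "Shellcode: x86 NOP sled",
              re.compile(r"\x90{8,}")),
]


def normalize(request_line: str) -> str:
    """Percent-decode the request so the signatures see what the server will.

    latin-1 maps every byte to exactly one character, so binary payload bytes
    such as %90 survive decoding instead of becoming U+FFFD replacements.
    """
    return unquote(request_line, encoding="latin-1")


def scan(request_lines):
    """Match every signature against every normalized event.

    Returns one hit per (event, signature) pair, in event order.
    """
    hits = []
    for idx, raw in enumerate(request_lines):
        event = normalize(raw)
        for sig in SIGNATURES:
            if sig.pattern.search(event):
                hits.append({"event": idx, "sid": sig.sid, "name": sig.name})
    return hits


# Constructed sample events: HTTP request lines as a web server or network
# sensor might log them. Not captured from any real system.
REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /login?user=admin'%20OR%201=1--&pass=x HTTP/1.1",
    "GET /search?q=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1",
    "GET /cgi-bin/count.cgi?name=" + "%90" * 32 + "%eb%1f%5e HTTP/1.1",
    "GET /products?id=5 HTTP/1.1",
    # Same tautology written with '||': no signature covers it, so the
    # detector stays silent. This is the "signatures must be kept current" gap.
    "GET /login?user=admin'%20||%201=1--&pass=x HTTP/1.1",
]

if __name__ == "__main__":
    for hit in scan(REQUESTS):
        print(f"event {hit['event']}: sid {hit['sid']} {hit['name']}")
```

Note the decode step: matching against the raw, still percent-encoded line would let an attacker hide `OR` as `%4fR`. Normalizing before matching is the first, cheapest defence against the evasion techniques discussed later in the talk, and also the place where an IDS and the real server can disagree about what a request means.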

    10. Anomaly-based IDS
       - Uses a model of "good" behavior
       - Detection occurs when observed behavior deviates from the "good" model
       - Useful for detecting novel attacks
       - May generate excessive false positives
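As an added example (not from the slides), here is the anomaly approach in its simplest host-based form, the system-call-sequence idea the history slide credits to Forrest et al.: learn the set of short system call n-grams a program emits during normal operation, then score a new trace by the fraction of its n-grams that were never seen. The traces below are constructed, not recorded from a real daemon, and the threshold is an arbitrary choice; the third trace is deliberately benign-but-unseen to show the false-positive cost the slide warns about.

```python
from typing import Iterable, List, Sequence, Set, Tuple


def ngrams(trace: Sequence[str], n: int) -> List[Tuple[str, ...]]:
    """Sliding window of n consecutive system calls."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


class SyscallAnomalyDetector:
    """Model of 'good' behaviour: the set of n-grams seen in normal traces.

    The score of a new trace is the fraction of its n-grams never seen in
    training; above `threshold` the trace is reported as anomalous.
    """

    def __init__(self, n: int = 3, threshold: float = 0.2):
        self.n = n
        self.threshold = threshold
        self.normal: Set[Tuple[str, ...]] = set()

    def train(self, traces: Iterable[Sequence[str]]) -> None:
        for trace in traces:
            self.normal.update(ngrams(trace, self.n))

    def score(self, trace: Sequence[str]) -> float:
        grams = ngrams(trace, self.n)
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.normal)
        return unseen / len(grams)

    def is_anomalous(self, trace: Sequence[str]) -> bool:
        return self.score(trace) > self.threshold


# Constructed training data: simplified traces of a privileged daemon
# handling ordinary requests. Not collected from any real system.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "close", "stat", "open", "read", "close", "write", "exit"],
    ["open", "read", "mmap", "close", "open", "read", "close", "write", "write", "exit"],
    ["open", "read", "mmap", "mmap", "close", "open", "read", "close", "write", "exit"],
]

# A buffer overflow in the daemon hands control to shellcode that spawns a
# shell: the tail of the trace is nothing the daemon does normally.
EXPLOIT_TRACE = ["open", "read", "mmap", "close", "setuid", "execve"]

# A legitimate but previously unseen code path (the daemon skips the second
# open): one of its four 3-grams is new, so it is flagged too. This is the
# false-positive cost of learning "good" from a finite sample.
RARE_BENIGN_TRACE = ["open", "read", "mmap", "close", "write", "exit"]


def build_detector() -> SyscallAnomalyDetector:
    det = SyscallAnomalyDetector(n=3, threshold=0.2)
    det.train(NORMAL_TRACES)
    return det


if __name__ == "__main__":
    det = build_detector()
    for name, trace in [("normal", NORMAL_TRACES[1]),
                        ("exploit", EXPLOIT_TRACE),
                        ("rare benign", RARE_BENIGN_TRACE)]:
        print(f"{name:12s} score={det.score(trace):.2f} anomalous={det.is_anomalous(trace)}")
```

The exploit trace scores 0.5 and the rare benign trace 0.25; with the threshold at 0.2 both are reported. Raising the threshold to 0.3 would silence the false positive, but it would also silence any attack whose novel system calls make up less than 30% of the trace, which is the trade-off the slide's last two bullets describe. Training on more (and more varied) normal traces is the other lever.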

    11. Active vs. Passive IDS
       Active IDS
       - Probes systems to uncover attack artifacts
       - May take corrective or preventive action, e.g. lock out a user ID, or terminate a network connection and update a firewall rule
       Passive IDS
       - Monitors (does not alter) the event stream
       - Alerts the user; the user is responsible for the response

    12. Centralized vs. Distributed
       Centralized
       - Monitoring, analysis, and detection are performed by a single system
       - Can we keep up with the event stream?
       Distributed
       - Many monitoring points or agents contribute to the process
       - How do we communicate securely among the entities?

    13. Real Time vs. Interval
       Real Time
       - Events are analyzed as they occur, so detection and response can happen before the intrusion completes (hopefully)
       - Necessary for autonomous response
       Interval
       - Analysis and detection results are reported over some time interval (e.g., once per day)
       - The user is responsible for the response

    14. Let's build an IDS!
       - Assume a general model (not specific to host or network)
       - Assume we will use both signature- and anomaly-based detection
       - What functional components do we need?

    15. General Model

    16. Important Dates in IDS History
       - 1980: Anderson introduces the idea of anomaly detection based on accounting logs
       - 1986: D. Denning (Purdue grad!) formalizes the definition of an anomaly-detection IDS (IDES)
       - 1988: Morris Worm released. Spafford (Purdue prof!) discovers the immunization process

    17. Important Dates in IDS History (continued)
       - 1992: G. Kim (Purdue undergrad!) and Spafford create Tripwire
       - 1994: S. Forrest et al. propose an IDS based on system call sequences
       - 1998: W. Lee uses data mining to build anomaly profiles

    18. Complications
       - Feature extraction
       - Evasion
       - Performance
       - Confidence in detection

    19. Feature Extraction
       - What do we measure in order to identify intrusions?
       - A fundamental question originally posed by D. Denning
       - Much current research still focuses on this question

    20. Evasion Techniques
       - Techniques employed by an attacker with knowledge of the detection system
       - Designed to render the IDS ineffective
       Examples:
       - Inject, drop, or alter events
       - Flood the system with events
       - Cause misclassification of events

    21. Evasion Example
       Described by Ptacek and Newsham (1997)
       - Manipulate the IP TTL field so that a packet reaches the IDS but is discarded by a router before it reaches the victim
       - The IDS reassembles a stream containing bytes the victim never received, so a signature that matches what the victim processes fails to match the IDS's view
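The following is an added simulation of the TTL insertion attack described on this slide; it is illustrative code written for this page, not Ptacek and Newsham's, and it assumes a simplified network (every router decrements the TTL by one and discards at zero; the IDS resolves overlapping segments first-received-wins) and a constructed topology with two routers in front of the IDS and six in front of the victim. The attacker sends a junk byte with a TTL of 3 at the sequence number of the letter "h" in "/cgi-bin/phf", then the real byte with a normal TTL. The IDS, which saw the junk first, keeps it; the victim never saw the junk and keeps the real byte. The block also shows two countermeasures from the same paper: discarding segments whose TTL could not reach the victim, and treating overlapping segments that disagree as an alert in their own right.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Segment:
    seq: int      # TCP sequence number of the first payload byte
    data: bytes
    ttl: int      # IP time-to-live as sent by the attacker


def delivered(seg: Segment, routers: int) -> bool:
    """Simplified forwarding: each router decrements TTL and discards the
    packet when it reaches zero, so a node behind `routers` routers only
    receives segments with ttl > routers."""
    return seg.ttl > routers


def reassemble(segments: List[Segment], routers: int) -> bytes:
    """Stream as rebuilt by a node `routers` routers away from the attacker.

    Overlapping data is resolved first-received-wins, a policy early IDS
    reassemblers used and the one this insertion attack relies on. Gaps in
    the stream are shown as '?'.
    """
    buf: Dict[int, int] = {}
    for seg in segments:
        if not delivered(seg, routers):
            continue
        for i, byte in enumerate(seg.data):
            buf.setdefault(seg.seq + i, byte)
    if not buf:
        return b""
    return bytes(buf.get(i, ord("?")) for i in range(max(buf) + 1))


def conflicting_offsets(segments: List[Segment], routers: int) -> Set[int]:
    """Offsets where two segments received by this node carry different bytes.

    A genuine retransmission repeats the same data; disagreement is evidence
    that someone is feeding the monitor and the endpoint different streams.
    """
    seen: Dict[int, int] = {}
    conflicts: Set[int] = set()
    for seg in segments:
        if not delivered(seg, routers):
            continue
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off in seen and seen[off] != byte:
                conflicts.add(off)
            seen.setdefault(off, byte)
    return conflicts


def hardened_ids_view(segments: List[Segment], ids_routers: int, victim_routers: int) -> bytes:
    """An IDS that knows (or has measured) the hop count to the victim drops
    segments whose TTL cannot reach it, then reassembles what is left."""
    reachable = [s for s in segments if delivered(s, victim_routers)]
    return reassemble(reachable, ids_routers)


# Constructed topology: attacker -> 2 routers -> IDS -> 4 more routers -> victim.
IDS_ROUTERS = 2
VICTIM_ROUTERS = 6
SIGNATURE = b"/cgi-bin/phf"

# Constructed attack stream. The second segment carries junk with a TTL that
# expires between the IDS and the victim; the third reuses its sequence
# number with the real byte.
ATTACK = [
    Segment(0, b"GET /cgi-bin/p", 64),
    Segment(14, b"X", IDS_ROUTERS + 1),   # seen by the IDS, never reaches the victim
    Segment(14, b"h", 64),                 # IDS ignores (offset already filled), victim keeps
    Segment(15, b"f HTTP/1.0\r\n", 64),
]

if __name__ == "__main__":
    ids_stream = reassemble(ATTACK, IDS_ROUTERS)
    victim_stream = reassemble(ATTACK, VICTIM_ROUTERS)
    print("IDS sees:   ", ids_stream, "match:", SIGNATURE in ids_stream)
    print("victim sees:", victim_stream, "match:", SIGNATURE in victim_stream)
    print("hardened IDS:", hardened_ids_view(ATTACK, IDS_ROUTERS, VICTIM_ROUTERS))
    print("conflicting offsets:", conflicting_offsets(ATTACK, IDS_ROUTERS))
```

The TTL filter only works if the IDS actually knows the distance to every protected host, which is why the overlap check is the more robust of the two: it needs no topology knowledge, and a stream in which retransmitted bytes disagree with the originals is suspicious regardless of how the disagreement was engineered.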

    22. Performance Issues
       - Are the models current and relevant?
       - Keeping up with the event stream
       - False positives
       - False negatives
       - Vulnerability of the IDS itself
       - Fail open versus fail closed

    23. Confidence in Detection
       - How confident are we in a detection?
       - Given that confidence, what is an appropriate response?
       - Can an attacker exploit the response to create a denial of service attack?
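As an added example (not from the slides) of the last two questions on this slide together with the active responses listed on the Active vs. Passive slide: an active IDS that blocks the source address of every alert can be turned into a denial-of-service tool by sending one spoofed packet that appears to come from a host the site depends on. The gated responder below blocks autonomously only when the confidence assigned to the signature is high, the source has completed a TCP handshake (so it cannot be a cheaply spoofed single datagram), and the address is not on a never-block list; everything else is escalated to a human. The alerts, confidence values and addresses are constructed; the confidence scale and the `handshake_seen` flag are assumptions about what a sensor could record, not fields of any real product.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class Alert:
    src_ip: str
    sid: int
    confidence: float      # analyst-assigned per signature, 0.0 .. 1.0 (assumed scale)
    handshake_seen: bool   # True only if the sensor saw src_ip complete a TCP handshake


@dataclass
class NaiveResponder:
    """Blocks the source of every alert. Simple, and a ready-made DoS tool:
    one spoofed UDP datagram per address the attacker wants cut off."""
    blocked: Set[str] = field(default_factory=set)

    def handle(self, alert: Alert) -> str:
        self.blocked.add(alert.src_ip)
        return "block"


@dataclass
class GatedResponder:
    """Autonomous blocking only when the evidence cannot be forged cheaply:
    high confidence, a source that proved it can receive our packets
    (completed handshake), and never for infrastructure we depend on."""
    block_threshold: float = 0.9
    never_block: FrozenSet[str] = frozenset()
    blocked: Set[str] = field(default_factory=set)
    escalated: List[Alert] = field(default_factory=list)

    def handle(self, alert: Alert) -> str:
        if (alert.src_ip in self.never_block
                or not alert.handshake_seen
                or alert.confidence < self.block_threshold):
            self.escalated.append(alert)   # a human decides on the response
            return "alert"
        self.blocked.add(alert.src_ip)
        return "block"


# Constructed alerts using RFC 5737 documentation addresses, not real hosts.
RESOLVER = "192.0.2.53"       # the site's own DNS resolver
ALERTS = [
    # Attacker completed a TCP handshake and sent a known exploit: strong evidence.
    Alert("198.51.100.7", 1001, confidence=0.95, handshake_seen=True),
    # Single UDP packet matching a DNS-exploit signature, with its source
    # address set to the resolver. The attacker can forge this at will.
    Alert(RESOLVER, 3002, confidence=0.95, handshake_seen=False),
    # Real connection, but the signature is a noisy heuristic.
    Alert("203.0.113.9", 4005, confidence=0.4, handshake_seen=True),
]


def run(responder) -> List[str]:
    """Feed every alert to a responder and return the action taken for each."""
    return [responder.handle(a) for a in ALERTS]


if __name__ == "__main__":
    naive = NaiveResponder()
    print("naive:", run(naive), "blocked:", sorted(naive.blocked))
    gated = GatedResponder(never_block=frozenset({RESOLVER}))
    print("gated:", run(gated), "blocked:", sorted(gated.blocked))
```

With the naive responder the second alert cuts the site off from its own resolver; the gated responder still logs the alert but leaves the decision to an operator. The same gating logic applies to the other response on the Active slide, locking out user IDs: an attacker who can trigger the lockout signature at will can lock out every account.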

    24. Some Current Systems
       Snort
       - Open source signature-based network intrusion detection
       - Also has SPADE, an anomaly detection component
       Bro
       - Network IDS with a specification language

    25. Resources
       - Rebecca Bace, "Intrusion Detection", Macmillan Technical Publishing, 2000
       - Intrusion Detection FAQ, SANS Institute, http://www.sans.org/resources/idfaq/
       - Distributed Intrusion Detection System, http://www.dshield.com/

    26. Thank you! Any questions?
