1 / 9

Intrusion Detection

Intrusion Detection. CS-480b Dick Steflik. Hacking Attempts. IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan promising ports for openness (80, 21, …) Service Evaluation determine the OS Target Selection

wiley
Download Presentation

Intrusion Detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intrusion Detection CS-480b Dick Steflik

  2. Hacking Attempts • IP Address Scans • scan the range of addresses looking for hosts (ping scan) • Port Scans • scan promising ports for openness (80, 21, …) • Service Evaluation • determine the OS • Target Selection • pick the most vulnerable host, most running services... • Vulnerability Probes • Automated password attacks • FTP, HTTP, NetBIOS, VNC PCAnywhere…. • Application specific attacks • try known vulnerabilities on present services

  3. Intrusion Detection Systems (IDS) • Inspection Based (Signature Based) • Uses a database of known attack signatures • observe the activity on a host or network and make judgements about whether or not an intrusion is in progress or has taken place • look for known indicators • ICMP Scans, port scans, connection attempts • CPU, RAM I/O Utilization • File system activity, modification of system files, permission modifications • Anomaly Based • baseline the normal traffic and then look for things that are out of the norm • Variations of IDS • Rule based • Statistical • Hybrid

  4. Decoys/Honeypots • Purposely place an incorrectly configured or unprotected system where it is easily found so that a hacker will try to use it as an attack vector. • All accesses will set off alarms that indicate an intrusion is in progress

  5. IDS Systems • Tripwire • Windows or UNIX • alarms on modification to system files • c:\ • c:\WINNT • c:\WINNT\system • c:\WINNT\system32 • CyberCop • Network Assoc. • suite of 4 ID tools • Sun/Symantec • iForce IDS Appliance • Sun/Solaris and Symantec’s ManHunt IDS • ID Analysis at 2 Gbits /sec • ManHunt uses distributed network sensors and a variety of methods to identify threats, including protocol-anomaly detection, signature detection, traffic-state profiling and statistical flow analysis.

  6. SNORT • Open Source ( http://www.snort.org ) • Uses: • Packet Sniffer • produces a tcpdump formatted output • Packet Logger • can log packets so that after-the-fact data mining tools can be used for analysis • Traffic Debugging and Analysis • Can design a ruleset that recognizes certain traffic patterns • Can do both anomaly based and Inspection based detection • SPADE (Silicon Defense) – a SNORT preprocessor that logs anomalies for later analysis

  7. ActiveScout • ForeScout Technologies ( http://www.forescout.com ) • Intrusion Prevention Tool • Method: • Watches for hacker reconnaissance (port scans, NetBios Scans, ect.) • Return bogus info to hacker • If hackers attempts to break in with the bogus data Active Scout sets off alarms or block any further traffic for the intruder • Downside: only works in conjunction with Check Point’s Firewall-1 • Requires little administration and eliminates many false positives • Cost w/T1 port is about $10K

  8. Manhunt • Symantec Corp. ( http://www.symantec.com ) • Advanced Threat Management System • Signature based hybrid detection • protocol anomaly detection • traffic rate monitoring • protocol state tracking • IP packet reassembly to provide a level of detection superior to other, signature-based systems. These detection capabilities can identify threats in real time, eve • Real-time Analysis and Correlation • collects information from security devices throughout the network to spot trends • Automatic Policy Based Responses • Scaleable Across Geographic Areas of an Enterprise • one Manhunt can be configured across 10 network segments

  9. Watson Researchers • Kanad Ghose • Doug Summerville • Viktor Skormann • Mark Fowler

More Related