
A survey of commercial tools for intrusion detection


Presentation Transcript


  1. A survey of commercial tools for intrusion detection
     Introduction, Systems analyzed, Methodology, Results, Conclusions
     Cao er Kai, INSA lab, 2003.09

  2. 1. Introduction
     • Intrusion Detection Systems
     • generic ID architecture
     • Common Intrusion Detection Framework (CIDF) - DARPA (Defense Advanced Research Projects Agency)
       • Event generators (E-boxes)
       • Event analyzers (A-boxes)
       • Event databases (D-boxes)
       • Event response units (R-boxes)

  3. • event generators: obtain information from sources and transform it into a standard format (gido)
     • event analyzers: statistical analysis and pattern recognition searching
     • event databases: storage of events and information (gidos)
     • response units: initiate the proper response
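To make the four CIDF boxes concrete, here is an added Python example (not part of the presentation and not code from any product it surveys) that chains them over a handful of constructed syslog-style audit lines: the E-box normalizes two different sources into one gido record, the A-box applies a rule (repeated failed logins) and a baseline anomaly check (successful login from a peer not in the user's baseline), the D-box stores events and alerts, and the R-box produces a passive notification. All names, thresholds, addresses and log lines are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample of raw host audit lines (syslog-like); not real data.
RAW_EVENTS = [
    "2003-09-01T10:00:01 host1 sshd: Failed password for root from 10.0.0.5",
    "2003-09-01T10:00:02 host1 sshd: Failed password for root from 10.0.0.5",
    "2003-09-01T10:00:03 host1 sshd: Failed password for root from 10.0.0.5",
    "2003-09-01T10:00:04 host1 sshd: Failed password for root from 10.0.0.5",
    "2003-09-01T10:00:09 host1 sshd: Accepted password for alice from 10.0.0.7",
    "2003-09-01T10:00:10 host1 su: alice to root on /dev/pts/1",
]


@dataclass(frozen=True)
class Gido:
    """Generalized intrusion detection object: the common event format
    every source is translated into (field names are assumptions)."""
    timestamp: str
    host: str
    source: str   # originating subsystem, e.g. "sshd" or "su"
    action: str   # normalized: "login_failed", "login_ok", "priv_change"
    user: str     # account the event concerns
    peer: str     # remote address, or "local" for host-only events


SSH_RE = re.compile(r"(Failed|Accepted) password for (\w+) from (\S+)")
SU_RE = re.compile(r"(\w+) to (\w+) on (\S+)")


def e_box(raw_lines: List[str]) -> List[Gido]:
    """Event generator: read raw audit lines from each source and
    transform them into gidos. Unrecognized lines are dropped."""
    gidos = []
    for line in raw_lines:
        ts, host, rest = line.split(" ", 2)
        source, msg = rest.split(": ", 1)
        if source == "sshd" and (m := SSH_RE.search(msg)):
            action = "login_failed" if m.group(1) == "Failed" else "login_ok"
            gidos.append(Gido(ts, host, source, action, m.group(2), m.group(3)))
        elif source == "su" and (m := SU_RE.search(msg)):
            # target account of the privilege change is the user of interest
            gidos.append(Gido(ts, host, source, "priv_change", m.group(2), "local"))
    return gidos


class DBox:
    """Event database: keeps the gidos and the alerts derived from them."""

    def __init__(self) -> None:
        self.events: List[Gido] = []
        self.alerts: List[str] = []


def a_box(gidos: List[Gido], db: DBox, known_peers: Dict[str, Set[str]],
          fail_threshold: int = 3) -> List[str]:
    """Event analyzer: rule-based pattern matching (repeated failures for
    one account from one peer) plus a simple anomaly check against a
    per-user baseline of peers seen before."""
    alerts = []
    fails: Counter = Counter()
    for g in gidos:
        db.events.append(g)
        if g.action == "login_failed":
            fails[(g.user, g.peer)] += 1
            if fails[(g.user, g.peer)] == fail_threshold:
                alerts.append(f"RULE: {fail_threshold} failed logins for "
                              f"{g.user} from {g.peer} on {g.host}")
        if g.action == "login_ok" and g.peer not in known_peers.get(g.user, set()):
            alerts.append(f"ANOMALY: {g.user} logged in from unseen peer "
                          f"{g.peer} on {g.host}")
    db.alerts.extend(alerts)
    return alerts


def r_box(alerts: List[str]) -> List[str]:
    """Response unit, passive variant: format operator notifications.
    A real R-box would e-mail, page or display them."""
    return [f"NOTIFY operator: {a}" for a in alerts]


def run_pipeline(raw_lines: List[str] = RAW_EVENTS,
                 known_peers: Dict[str, Set[str]] = None):
    """Wire E-box -> A-box -> D-box -> R-box and return the store plus notices."""
    if known_peers is None:
        known_peers = {"alice": {"10.0.0.9"}}   # constructed baseline
    db = DBox()
    gidos = e_box(raw_lines)
    alerts = a_box(gidos, db, known_peers)
    return db, r_box(alerts)


if __name__ == "__main__":
    store, notices = run_pipeline()
    print(f"{len(store.events)} gidos stored, {len(store.alerts)} alerts")
    for n in notices:
        print(n)
```

Running it stores six gidos and raises two alerts: the rule fires on the third failed root login from 10.0.0.5 (the fourth failure does not re-alert), and the anomaly check flags alice's login from 10.0.0.7 because the baseline only knows 10.0.0.9.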

  4. 2. Systems analyzed

  5. 3. Methodology
     • Comparison criteria
       • Granularity of data processing
       • Source of audit data (raw events)
         • network-based: Ethernet (see all traffic)
         • IPSEC
         • host-based: security logs
       • Detection method
         • rule based
         • anomaly based
       • Response to detected intrusions
         • passive
         • active

  6. System organization
     • Centralized: data analysis
     • Distributed: data collection
     • Security: withstand attacks against itself
     • Degree of interoperability
       • Exchange of audit data records
       • Exchange of misuse patterns or statistical information about user activities
       • Exchange of alarm reports and event notifications
     • Manageability: HP Openview, BMC Patrol
     • Adaptivity
     • System and network infrastructure requirements: TCP/IP

  7. Classification of comparison criteria

  8. 4. Results
     • Functional aspects
       • Granularity of data processing: real-time (T-Sight)
       • Source of audit data (raw events)
         • host-based (H)
         • both host-based and network-based (NW/H)
         • network-based (NW): switched networks, network encryption
       • Response to detected intrusions
         • Passive responses: sending e-mails, paging or displaying alert messages
         • Active response
           • network-based systems: terminating transport level sessions
           • host-based systems: control processes, terminate network sessions
           • Interfaces to network management applications: SNMP (send traps)
           • Interfaces to network elements: firewall control sessions/connections
         • Service availability aspects
         • Legal aspects: "returning fire"

  9. Degree of interoperability
     • Exchange of audit data records
     • Exchange of security policies
     • Exchange of misuse patterns or statistical information about user activities
     • Exchange of alarm reports, event notifications and response mechanisms

  10. Adaptivity (customization)
     • Adding new intrusion patterns
     • Adopting rules for site-specific protocols and applications
     • Detection method
       • Rule based detection
       • Anomaly based detection
     • Detection capabilities
       • Physical and data-link layer
       • Network and transport layer
       • Operating systems
       • Applications, databases, management and support systems, office automation

  11. Security aspects
     • Confidentiality of audit data
     • Integrity of audit data: using encryption
     • Confidentiality of the detection policy
     • Integrity of detection policy
     • Protection of response mechanisms
     • Availability
     • Encrypted communication channels
     • Heartbeat functions
     • Stealth behavior
     • Access control
     • Weaknesses of network-based systems
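Two of the self-protection measures listed above, integrity of the audit trail and heartbeat-based availability checks, as an added Python example that is not from the presentation and not code from any surveyed product. It chains each audit record to its predecessor with an HMAC so that modification or deletion inside the trail is detected at the manager, and it reports agents whose heartbeat has gone silent; the key, record fields and timings are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed shared secret between an agent and its manager. In a real
# deployment it would come from key distribution and never be hard-coded.
AGENT_KEY = b"constructed-demo-key-do-not-reuse"


def seal_record(record: Dict, key: bytes, prev_tag: str = "") -> Dict:
    """Return a copy of `record` with an HMAC-SHA256 tag computed over the
    canonical JSON of the record and the previous record's tag, so every
    record is bound to its predecessor in the trail."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()
    return {**record, "tag": tag}


def verify_trail(trail: List[Dict], key: bytes) -> Optional[int]:
    """Re-derive each tag in order. Return None if the whole chain checks
    out, otherwise the index of the first record whose tag does not match
    (a modified record, a removed predecessor, or a record produced without
    the key all surface here)."""
    prev_tag = ""
    for i, rec in enumerate(trail):
        tag = rec.get("tag")
        body = {k: v for k, v in rec.items() if k != "tag"}
        expected = seal_record(body, key, prev_tag)["tag"]
        if not isinstance(tag, str) or not hmac.compare_digest(tag, expected):
            return i
        prev_tag = tag
    return None


def check_heartbeats(last_seen: Dict[str, float], now: float,
                     max_silence: float) -> List[str]:
    """Availability check at the manager: agents whose last heartbeat is
    older than `max_silence` seconds are reported as silent, which may mean
    the agent is down or its channel to the manager has been cut."""
    return sorted(agent for agent, t in last_seen.items() if now - t > max_silence)


def demo():
    """Seal three constructed records, then show the checks catching a
    modified record, a deleted record, and a silent agent."""
    records = [
        {"seq": 1, "host": "h1", "event": "login_failed", "user": "root"},
        {"seq": 2, "host": "h1", "event": "login_ok", "user": "alice"},
        {"seq": 3, "host": "h1", "event": "priv_change", "user": "root"},
    ]
    trail, prev = [], ""
    for rec in records:
        sealed = seal_record(rec, AGENT_KEY, prev)
        trail.append(sealed)
        prev = sealed["tag"]

    intact = verify_trail(trail, AGENT_KEY)            # None: chain is good

    modified = [dict(r) for r in trail]
    modified[1]["event"] = "login_failed"              # record 2 altered
    first_bad = verify_trail(modified, AGENT_KEY)      # 1

    truncated = trail[:1] + trail[2:]                  # record 2 deleted
    gap_at = verify_trail(truncated, AGENT_KEY)        # 1: record 3 no longer chains to record 1

    # Constructed heartbeat timestamps in seconds; agent-b has been silent 60 s.
    silent = check_heartbeats({"agent-a": 95.0, "agent-b": 40.0},
                              now=100.0, max_silence=30.0)   # ["agent-b"]
    return intact, first_bad, gap_at, silent


if __name__ == "__main__":
    print(demo())
```

The chain gives integrity but not confidentiality: records are still readable in transit, so the encrypted channel listed on the same slide is a separate measure. A manager that only verifies tags also cannot tell a deleted tail from a quiet agent, which is why the heartbeat check complements the chain.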

  12. Architectural aspects
     • System organization
       • distributed environment
       • single host or network segment
     • System and network infrastructure requirements
       • Operating systems
       • Network technology

  13. Operational aspects
     • Performance aspects
       • Communication overhead: in network-based intrusion detection, the overhead is caused by the distribution of audit data and the communication between the various subsystems of the IDS.
       • Computational overhead: host-based IDS execute on, and collect audit data from, the target they monitor.

  14. Management aspects
     • Configuration management: management of the detection capability and the corresponding response mechanisms
     • Security management
       • Access security
       • Audit trails and security alarms
     • Security of management
       • Authenticity
       • Integrity
       • Confidentiality
       • Availability
     • Management interfaces
     • Management model
       • Many-to-many
       • One-to-many
       • One-to-one

  15. 5. Conclusions
     • The role of IDS in corporate security infrastructures: IDS are not a substitute for other security services such as firewalls, authentication servers, etc.
     • Host-based versus network-based IDS
     • Security of IDS
     • Lack of modularity and interoperability
     • Background of vendors

  16. RealSecure

  17. RealSecure
     • Architecture:
       • RealSecure Engines
         • Network interface: Ethernet, Fast Ethernet, FDDI and Token Ring
         • Packet Capture Module
           • Windows NT: network service
           • Solaris: Data Link Provider Interface
         • Filter Module
         • Attack Recognition Module
         • Response Module

  18. RealSecure
     • RealSecure Agents
     • RealSecure Manager
       • Central real-time alarm
       • Central data management
       • Central engine configuration

  19. Intruder Alert

  20. Intruder Alert
     • Architecture
       • Interface console
       • Manager (the interface console and manager only run on Windows NT/95)
       • Agents

  21. Intruder Alert
     • Intruder Alert Domains: groups of agents/hosts
     • Intruder Alert Policies
       • Drop & Detect Policies
       • Detect and Respond Policies
       • Custom-configurable Policies
       • Carte Blanche

  22. NetRanger

  23. NetRanger
     • Architecture
       • Sensors: Ethernet, Fast Ethernet, Token Ring and FDDI
       • Director
       • Post office

  24. Stake Out I.D

  25. Stake Out I.D
     • Architecture
       • Network Observation
       • Intrusion Detection
       • Evidence logging
       • Alert Notification
       • Incident Analyzer/Reporter

  26. Kane Security Monitor

  27. Kane Security Monitor
     • Architecture
       • Monitoring Console
       • Collection Auditor and Alerting Engine
       • Intelligent Agents

  28. Session Wall-3

  29. Session Wall-3
     • Architecture
       • Network Usage Reporting
       • Network Security
       • WEB and Internal Usage Policy Monitoring and Controls
       • Company Preservation

  30. Entrax

  31. Entrax
     • Architecture
       • Command Console
       • Assessment Manager
       • Alert Manager
       • Detection Policy Editor
       • Audit Policy Editor
       • Collection Policy Editor
       • Report Manager
       • Target Agent

  32. CMDS (Computer Misuse Detection System)

  33. SecureNET PRO

  34. CyberCop

  35. CyberCop
     • Architecture
       • CyberCop Sensors
       • CyberCop Management Server

  36. INTOUCH INSA

  37. T-sight

  38. NIDES

  39. ID-Trak

  40. SecureCom

  41. POLYCENTER

  42. Network Flight Recorder
