1 / 29

Intrusion-Detection Systems

Intrusion-Detection Systems. Based on slides accompanying the book Network Defense and Countermeasures by Chuck Easttom (2018). Objectives. Explain how intrusion-detection systems work Implement strategies for preventing intrusion

pennye
Download Presentation

Intrusion-Detection Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Intrusion-Detection Systems Based on slides accompanying the book NetworkDefense and Countermeasures by Chuck Easttom (2018)

  2. Objectives • Explain how intrusion-detection systems work • Implement strategies for preventing intrusion • Identify and describe several popular intrusion-detection systems • Define the term honeypot • Identify and describe at least one honeypot implementation

  3. Introduction • What is an IDS? An Intrusion-Detection System (IDS) is a system that is designed to detect signs that someone (or something) is attempting to breach a system, and to alert the system administrator that suspicious activity is taking place.

  4. Introduction • Why do we use IDSs? Intrusion-detection systems enable system administrators to detect possible attacks to the network.

  5. Preemptive Blocking (as a primitive form of intrusion detection/prevention) • Sometimes called banishment vigilance • Attempts to detect impending intrusions through examining their footprinting (c.f., a virus’s signature) • Weaknesses? • Susceptible to false positives May block legitimate traffic (i.e., false positive, or mistakenly identifying a legitimate packet as part of a threat) • When an IP address is blocked, the attacker can switch to different IP addresses.

  6. True/False Positive/Negative ?

  7. IDS Detection Methodologies • Signature-based detection - Compares known threat signatures to observed events to identify incidents • Anomaly-based detection - Compares definitions of what activity is considered normal against observed events to identify significant deviations • Stateful protocol analysis - compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations.

  8. Anomaly Detection • Anomaly Detection • Any activity that does not match normal use is noted and saved in a log. • Normal usage profiles are kept and updated and then compared to the user’s, the group’s, or the system’s behavior. • Most IDSs work this way. • Based on heuristics, and not on signatures or pre-stored patterns can detect previously unknown threats • Q: Examples of anomalous behavior?

  9. Anomaly Detection • Different ways an anomaly may be detected: • Threshold monitoring • Resource profiling • User/group work profiling • Executable profiling

  10. Types of Anomaly Detection • Threshold monitoring • Defines acceptable behaviors • Presets acceptable behavior levels – the threshold • Monitors the exceeding of these thresholds • Q: Example thresholds? • Weaknesses? • Can be difficult to set up the thresholds • Difficult to set times for monitoring behavior (i.e., When? How often?) • Susceptible to false positives and negatives

  11. Questions: • Explain what it means by saying that threshold monitoring (as a method of anomaly detection) is susceptible to false positives? Give an example. • Explain why threshold monitoring (as a method of anomaly detection) is susceptible to false positives? • Explain what it means by saying that threshold monitoring (as a method of anomaly detection) is susceptible to false negatives? Give an example. • Explain why threshold monitoring (as a method of anomaly detection) is susceptible to false negatives?

  12. Types of Anomaly Detection • Resource Profiling • Measures system-wide resource use to develop a historic usage profile. • Abnormal readings can indicate illicit activity. • c.f., threshold monitoring Q: What are the differences between resource profiling and threshold monitoring as means of anomaly detection?

  13. Types of Anomaly Detection • User/Group Work Profiling • Each user/group’s typical activities are stored in its work profile. • Activities not typical of that user or group are suspected. • Changes in work patterns need to be updated in the respective profiles. • Weaknesses? • Dynamic user base could be difficult to profile. Examples?

  14. Types of Anomaly Detection • User/Group Work Profiling Q: Compare work profiling with other methods, such as threshold monitoring and resource profiling.

  15. Types of Anomaly Detection • Executable Profiling • Measures and monitors how programs use system resources • Helpful in detecting many types of malware attacks • Profiles how system objects (files and printers) are normally used • Enables the IDS to identify activity that might indicate an attack

  16. IDS Components • Activity • Administrator • Sensor (or agent)– collects data and passes it to the analyzer for analysis • Analyzer • Alert – a message from the analyzer sent to the administrator • Manager (or management server) – part of the IDS (e.g., a console)

  17. IDS Components • Notification – the method by which the IDS manager notifies the operator • Operator -- administrator • Event – an occurrence of a suspicious activity • Data source – the raw data used by the IDS • Database server -- a repository for event information recorded by sensors, agents, and/or management servers

  18. IDS Components

  19. IDS vs IPSsource: https://www.youtube.com/watch?v=dYQMzyfFrTE

  20. IDS vs IPS Intrusion Detection System Intrusion Prevention System Active Takes steps to prevent an attack in progress Problem of false positives • Passive • Logs the activity • Alerts an administrator (perhaps) Intrusion Detection/Protection System (IDPS)

  21. Snort • Possibly the most well-known open source IDS • Available on multiple platforms including: • UNIX, Linux, and Windows • Three modes of operation: • Sniffer • Packet logger • Network intrusion-detection

  22. Snort Modes • Packet Sniffer Mode • Monitors all traffic coming and going on a computer (i.e., host-based IDS) • A good way to check encryption (because the console displays a continuous stream of the contents of all packets coming across that machine) • Helps determine potential sources of problems

  23. Snort Modes • Packet Logger Mode • Similar to sniffer mode • Packet contents are written to a text file • Contents can be searched for specific items

  24. Snort Modes • Network Intrusion-Detection Mode • Uses a heuristic approach to detect anomalous traffic (i.e., network-based IDS) • Rules-based • Command-line-based interface • Need to know commands and what they do

  25. Cisco Intrusion-Detection and Prevention • Past models • Cisco IDS 4200 Series Sensors • Cisco Catalyst 6500 Series Intrusion-Detection System Services Module (IDSM-2) • Current system offering • Cisco Next-Generation IPS Solution • There are a number of products in this group • Firepower 4100 series – smaller networks • Firepower 8000 series • Firepower 9000 series – large-scale networks

  26. Understanding and Implementing Honeypots • A honeypot is a single machine set up to appear to be an important (and possibly vulnerable) server • All traffic to the machine is suspicious; no legitimate users should connect • Honeypots can be configured to emulate many server services • Honeypots can help track and catch hackers

  27. Specter • A software honeypot solution • Can simulate AIX, Solaris, Unix, Linux, and Mac OS X • Works by appearing to run a number of services common to network servers • SMTP, FTP, TELNET, FINGER, POP3, IMAP4, HTTP, SSH, DNS, SUN-RPC, NETBUS, SUB-7, BO2K, GENERIC TRAP

  28. Specter • Can be set up in one of five modes: • Open • Secure • Failing • Strange • Aggressive • Fake password files can also be configured: • Easy • Normal • Hard • Fun • Warning

  29. Summary • A variety of intrusion-detection systems are available • Should be used with firewalls • Can run at the perimeter and internally as sensors • Ideally implemented on every server • Free IDS solutions are available • Honeypots entice hackers to a fake server

More Related