Intrusion Detection Methods


Presentation Transcript


  1. Intrusion Detection Methods “Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.”

  2. The Seven Fundamentals
     • What are the methods used
     • How are IDS organized
     • What is an intrusion
     • How do we trace and how do they hide
     • How do we correlate information
     • How can we trap intruders
     • Incident response

  3. What is an intrusion?

  4. What is an intrusion? A sequence of related actions by a malicious adversary that results in unauthorized security threats to a target computing or network domain.

  5. Temporal models of Intrusions

  6. Neumann-Parker Taxonomy of Intrusions
     • NP1: External misuse indicator
        • OOB (out-of-band) indicators
     • NP2: Hardware misuse indicators
     • NP3: Masquerading indicators
     • NP4: Subsequent misuse indicators
        • Plans, backdoors, or bugs
     • NP5: Control bypass indicator
        • Users finding a way around a firewall (ICQ?)

  7. NP Taxonomy of Intrusions (cont.)
     • NP6: Active resource misuse indicator
        • Unknown users on your system
     • NP7: Passive resource misuse indicator
        • Users or systems know things they have no way of knowing without listening to others' conversations
     • NP8: Misuse via inaction indicators
        • Defensive measures not working. Things that should have been prevented are not!
     • NP9: Active resource misuse indicator
        • System being used to brute-force passwords offline

  8. How are intrusions indicated?
     • The role of indication and warning (I&W)
     • Some evidence-based indicators:
        • Repetition
        • Mistyped commands in an automated session
        • Exploitation of known vulnerabilities
        • Directional inconsistencies in traffic
        • Unexpected attributes of traffic
        • Unexplained problems
        • Out-of-band knowledge about intrusions
        • Suspicious character traffic on a network

  9. Repetition
     • Repetition thresholds
     • Time between repeat instances
     • Repetitive patterns: what is being repeated!
     • Examples:
        • SYN flood
        • EHLO DoS
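The repetition indicator from this slide, as an added example that is not part of the original presentation: a sliding-window count of a repeated SMTP verb per source, so that both the threshold and the time between repeat instances decide whether something is flagged. The log lines, addresses and the `EHLO` default are constructed for illustration.

```python
"""Repetition-threshold indicator over constructed SMTP session log lines."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from any real server): timestamp, source, SMTP verb.
# 203.0.113.5 sends six EHLOs in three seconds; 198.51.100.7 sends two, five minutes apart.
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.5 EHLO mail.example
2024-03-01T10:00:01 203.0.113.5 EHLO mail.example
2024-03-01T10:00:01 203.0.113.5 EHLO mail.example
2024-03-01T10:00:02 203.0.113.5 EHLO mail.example
2024-03-01T10:00:02 203.0.113.5 EHLO mail.example
2024-03-01T10:00:03 203.0.113.5 EHLO mail.example
2024-03-01T10:00:00 198.51.100.7 EHLO relay.example
2024-03-01T10:00:30 198.51.100.7 MAIL FROM:<a@relay.example>
2024-03-01T10:05:00 198.51.100.7 EHLO relay.example
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source, verb)."""
    ts, src, verb, *_ = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, verb


def repetition_alerts(log_text, verb="EHLO", threshold=5, window_s=10.0):
    """Return {source: peak_count} for sources that repeat `verb` at least
    `threshold` times inside any sliding window of `window_s` seconds.

    The time between repeat instances is what separates a flood from ordinary
    retries: the same total count spread over minutes is not flagged."""
    windows = defaultdict(deque)
    alerts = {}
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for ts, src, v in events:
        if v != verb:
            continue
        recent = windows[src]
        recent.append(ts)
        # Evict instances older than the window so only recent repeats count.
        while (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()
        if len(recent) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(recent))
    return alerts


if __name__ == "__main__":
    print(repetition_alerts(SAMPLE_LOG))
```

Widening the window or lowering the threshold pulls the slow source in as well, which is the tuning trade-off the slide's "repetition thresholds" and "time between repeat instances" bullets describe.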

  10. Mistyped commands in an automated session
     • Human typing vs. program output
     • ^H^H
     • Failed attempts followed by successful ones
     • Incremental learning/corrections
     • Example:
        • Berferd at AT&T

  11. Exploitation of known vulnerabilities
     • Detecting the scanning tools
     • Detecting the signature
     • Correlation between scanning and exploitation
