SlideShare ist ein Scribd-Unternehmen logo

ids.ppt

Als PPT, PDF herunterladen
H
HaipengCai1

IDS vs IPS

Bildung
1 von 28
Intrusion Detection/Prevention Systems
Definitions • Intrusion – A set of actions aimed to compromise the security goals, namely • Integrity, confidentiality, or availability, of a computing and networking resource • Intrusion detection – The process of identifying and responding to intrusion activities • Intrusion prevention – Extension of ID with exercises of access control to protect computers from exploitation
Elements of Intrusion Detection • Primary assumptions: – System activities are observable – Normal and intrusive activities have distinct evidence • Components of intrusion detection systems: – From an algorithmic perspective: • Features - capture intrusion evidences • Models - piece evidences together – From a system architecture perspective: • Various components: audit data processor, knowledge base, decision engine, alarm generation and responses
Components of Intrusion Detection System Audit Data Preprocessor Audit Records Activity Data Detection Models Detection Engine Alarms Decision Table Decision Engine Action/Report system activities are observable normal and intrusive activities have distinct evidence
Intrusion Detection Approaches • Modeling – Features: evidences extracted from audit data – Analysis approach: piecing the evidences together • Misuse detection (a.k.a. signature-based) • Anomaly detection (a.k.a. statistical-based) • Deployment: Network-based or Host-based – Network based: monitor network traffic – Host based: monitor computer processes
Misuse Detection Intrusion Patterns activities pattern matching intrusion Can’t detect new attacks Example: if (src_ip == dst_ip) then “land attack”
Anomaly Detection activity measures 0 10 20 30 40 50 60 70 80 90 CPU Process Size normal profile abnormal probable intrusion Relatively high false positive rate • Anomalies can just be new normal activities. • Anomalies caused by other element faults • E.g., router failure or misconfiguration, P2P misconfiguration Any problem ?
Host-Based IDSs • Using OS auditing mechanisms – E.G., BSM on Solaris: logs all direct or indirect events generated by a user – strace for system calls made by a program (Linux) • Monitoring user activities – E.G., analyze shell commands • Problems: user dependent – Have to install IDS on all user machines ! – Ineffective for large scale attacks
The Spread of Sapphire/Slammer Worms
Network Based IDSs • At the early stage of the worm, only limited worm samples. • Host based sensors can only cover limited IP space, which might have scalability issues. Thus they might not be able to detect the worm in its early stage Gateway routers Internet Our network Host based detection
Network IDSs • Deploying sensors at strategic locations – E.G., Packet sniffing via tcpdump at routers • Inspecting network traffic – Watch for violations of protocols and unusual connection patterns • Monitoring user activities – Look into the data portions of the packets for malicious code • May be easily defeated by encryption – Data portions and some header information can be encrypted – The decryption engine may still be there, especially for exploit
Key Metrics of IDS/IPS • Algorithm – Alarm: A; Intrusion: I – Detection (true alarm) rate: P(A|I) • False negative rate P(¬A|I) – False alarm (aka, false positive) rate: P(A|¬I) • True negative rate P(¬A|¬I) • Architecture – Throughput of NIDS, targeting 10s of Gbps • E.g., 32 nsec for 40 byte TCP SYN packet – Resilient to attacks
Architecture of Network IDS Packet capture libpcap TCP reassembly Protocol identification Packet stream Signature matching (& protocol parsing when needed)
Firewall/Net IPS VS Net IDS • Firewall/IPS – Active filtering – Fail-close • Network IDS – Passive monitoring – Fail-open FW IDS
Related Tools for Network IDS (I) • While not an element of Snort, Ethereal is the best open source GUI-based packet viewer • www.ethereal.com offers: – Windows – UNIX, e.g., www.ethereal.com/download.html – Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms/
Related Tools for Network IDS (II) • Also not an element of Snort, tcpdump is a well-established CLI packet capture tool – www.tcpdump.org offers UNIX source – http://www.winpcap.org/windump/ offers windump, a Windows port of tcpdump • windump is helpful because it will help you see the different interfaces available on your sensor
Case Study: Snort IDS
Problems with Current IDSs • Inaccuracy for exploit based signatures • Cannot recognize unknown anomalies/intrusions • Cannot provide quality info for forensics or situational-aware analysis – Hard to differentiate malicious events with unintentional anomalies • Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or application (such as P2P) misconfiguration – Cannot tell the situational-aware info: attack scope/target/strategy, attacker (botnet) size, etc.
Limitations of Exploit Based Signature 1010101 10111101 11111100 00010111 Our network Traffic Filtering Internet Signature: 10.*01 X X Polymorphic worm might not have exact exploit based signature Polymorphism!
Vulnerability Signature Work for polymorphic worms Work for all the worms which target the same vulnerability Vulnerability signature traffic filtering Internet X X Our network Vulnerability X X
Example of Vulnerability Signatures • At least 75% vulnerabilities are due to buffer overflow Sample vulnerability signature • Field length corresponding to vulnerable buffer > certain threshold • Intrinsic to buffer overflow vulnerability and hard to evade Vulnerable buffer Protocol message Overflow!
Next Generation IDSs • Vulnerability-based • Adaptive - Automatically detect & generate signatures for zero-day attacks • Scenario-based for forensics and being situational-aware – Correlate (multiple sources of) audit data and attack information
Counting Zero-Day Attacks Protocol Classifier UDP 1434 Core algorithms Flow Classifier TCP 137 . . . TCP 80 TCP 53 TCP 25 Normal Traffic Pool Suspicious Traffic Pool Signatures Network Tap Known Attack Filter Normal traffic reservoir Real time Policy driven Honeynet/darknet, Statistical detection
Security Information Fusion • Internet Storm Center (aka, DShield) has the largest IDS log repository • Sensors covering over 500,000 IP addresses in over 50 countries • More w/ DShield slides
Backup Slides
Requirements of Network IDS • High-speed, large volume monitoring – No packet filter drops • Real-time notification • Mechanism separate from policy • Extensible • Broad detection coverage • Economy in resource usage • Resilience to stress • Resilience to attacks upon the IDS itself!
Architecture of Network IDS Network libpcap Event Engine Policy Script Interpreter Packet stream Filtered packet stream Event stream Alerts/notifications Policy script Event control tcpdump filters

Empfohlen

ids.ppt
ids.pptids.ppt
ids.pptAgostinho9
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
Understanding Intrusion Detection & Prevention Systems (1).pptx
Understanding Intrusion Detection & Prevention Systems (1).pptxUnderstanding Intrusion Detection & Prevention Systems (1).pptx
Understanding Intrusion Detection & Prevention Systems (1).pptxRineri1
 
Cours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptxCours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptxssuserc517ee1
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention SystemVishwanath Badiger
 
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdfFALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdfthilakrajc
 
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptFALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptuseonlyfortech140
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Pathshibaehed
 

Empfohlen

ids.ppt
ids.pptids.ppt
ids.pptAgostinho9
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
Understanding Intrusion Detection & Prevention Systems (1).pptx
Understanding Intrusion Detection & Prevention Systems (1).pptxUnderstanding Intrusion Detection & Prevention Systems (1).pptx
Understanding Intrusion Detection & Prevention Systems (1).pptxRineri1
 
Cours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptxCours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptxssuserc517ee1
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention SystemVishwanath Badiger
 
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdfFALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdfthilakrajc
 
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptFALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptuseonlyfortech140
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Pathshibaehed
 
An Toan Thong Tin.pptx
An Toan Thong Tin.pptxAn Toan Thong Tin.pptx
An Toan Thong Tin.pptxVuongPhm
 
arun.ppt
arun.pptarun.ppt
arun.pptSunilKatkar5
 
Ids
IdsIds
IdsSuresh Reddy
 
arun.ppt
arun.pptarun.ppt
arun.pptDiyarAldusky
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAparna Bhadran
 
Intrusion detection 2001
Intrusion detection 2001Intrusion detection 2001
Intrusion detection 2001eaiti
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
012
012012
012chatakondu karthik uday bhaskar
 
Coporate Espionage
Coporate EspionageCoporate Espionage
Coporate EspionageUTD Computer Security Group
 
Ids 00 introduction_ intrusion detection & prevention systems
Ids 00 introduction_ intrusion detection & prevention systemsIds 00 introduction_ intrusion detection & prevention systems
Ids 00 introduction_ intrusion detection & prevention systemsjyoti_lakhani
 
Prensentation on packet sniffer and injection tool
Prensentation on packet sniffer and injection toolPrensentation on packet sniffer and injection tool
Prensentation on packet sniffer and injection toolIssar Kapadia
 
1 (20 files merged).ppt
1 (20 files merged).ppt1 (20 files merged).ppt
1 (20 files merged).pptseshas1
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and preventionNicholas Davis
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And PreventionNicholas Davis
 
Role of data mining in cyber security
Role of data mining in cyber securityRole of data mining in cyber security
Role of data mining in cyber securityKhaled Al-Khalili
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionProgrammer
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
CyberSecurity101.pdf
CyberSecurity101.pdfCyberSecurity101.pdf
CyberSecurity101.pdfDhananjaySingh23178
 
network security.pdf
network security.pdfnetwork security.pdf
network security.pdfKIYALIBAN1
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxConquiztadors- the Quiz Society of Sri Venkateswara College
 

Weitere ähnliche Inhalte

Ähnlich wie ids.ppt

An Toan Thong Tin.pptx
An Toan Thong Tin.pptxAn Toan Thong Tin.pptx
An Toan Thong Tin.pptxVuongPhm
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAparna Bhadran
 
Intrusion detection 2001
Intrusion detection 2001Intrusion detection 2001
Intrusion detection 2001eaiti
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Ids 00 introduction_ intrusion detection & prevention systems
Ids 00 introduction_ intrusion detection & prevention systemsIds 00 introduction_ intrusion detection & prevention systems
Ids 00 introduction_ intrusion detection & prevention systemsjyoti_lakhani
 
Prensentation on packet sniffer and injection tool
Prensentation on packet sniffer and injection toolPrensentation on packet sniffer and injection tool
Prensentation on packet sniffer and injection toolIssar Kapadia
 
1 (20 files merged).ppt
1 (20 files merged).ppt1 (20 files merged).ppt
1 (20 files merged).pptseshas1
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and preventionNicholas Davis
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And PreventionNicholas Davis
 
Role of data mining in cyber security
Role of data mining in cyber securityRole of data mining in cyber security
Role of data mining in cyber securityKhaled Al-Khalili
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionProgrammer
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
network security.pdf
network security.pdfnetwork security.pdf
network security.pdfKIYALIBAN1
 

Ähnlich wie ids.ppt (20)

An Toan Thong Tin.pptx
An Toan Thong Tin.pptxAn Toan Thong Tin.pptx
An Toan Thong Tin.pptx
 
arun.ppt
arun.pptarun.ppt
arun.ppt
 
Ids
IdsIds
Ids
 
arun.ppt
arun.pptarun.ppt
arun.ppt
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Intrusion detection 2001
Intrusion detection 2001Intrusion detection 2001
Intrusion detection 2001
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
 
012
012012
012
 
Coporate Espionage
Coporate EspionageCoporate Espionage
Coporate Espionage
 
Ids 00 introduction_ intrusion detection & prevention systems
Ids 00 introduction_ intrusion detection & prevention systemsIds 00 introduction_ intrusion detection & prevention systems
Ids 00 introduction_ intrusion detection & prevention systems
 
Prensentation on packet sniffer and injection tool
Prensentation on packet sniffer and injection toolPrensentation on packet sniffer and injection tool
Prensentation on packet sniffer and injection tool
 
1 (20 files merged).ppt
1 (20 files merged).ppt1 (20 files merged).ppt
1 (20 files merged).ppt
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
 
Role of data mining in cyber security
Role of data mining in cyber securityRole of data mining in cyber security
Role of data mining in cyber security
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
CyberSecurity101.pdf
CyberSecurity101.pdfCyberSecurity101.pdf
CyberSecurity101.pdf
 
network security.pdf
network security.pdfnetwork security.pdf
network security.pdf
 

Kürzlich hochgeladen

USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfSpandanaRallapalli
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxPoojaSen20
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 

Kürzlich hochgeladen (20)

USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdf
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptxCulture Uniformity or Diversity IN SOCIOLOGY.pptx
Culture Uniformity or Diversity IN SOCIOLOGY.pptx
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 

ids.ppt

  • 2. Definitions • Intrusion – A set of actions aimed to compromise the security goals, namely • Integrity, confidentiality, or availability, of a computing and networking resource • Intrusion detection – The process of identifying and responding to intrusion activities • Intrusion prevention – Extension of ID with exercises of access control to protect computers from exploitation
  • 3. Elements of Intrusion Detection • Primary assumptions: – System activities are observable – Normal and intrusive activities have distinct evidence • Components of intrusion detection systems: – From an algorithmic perspective: • Features - capture intrusion evidences • Models - piece evidences together – From a system architecture perspective: • Various components: audit data processor, knowledge base, decision engine, alarm generation and responses
  • 4. Components of Intrusion Detection System Audit Data Preprocessor Audit Records Activity Data Detection Models Detection Engine Alarms Decision Table Decision Engine Action/Report system activities are observable normal and intrusive activities have distinct evidence
  • 5. Intrusion Detection Approaches • Modeling – Features: evidences extracted from audit data – Analysis approach: piecing the evidences together • Misuse detection (a.k.a. signature-based) • Anomaly detection (a.k.a. statistical-based) • Deployment: Network-based or Host-based – Network based: monitor network traffic – Host based: monitor computer processes
  • 6. Misuse Detection Intrusion Patterns activities pattern matching intrusion Can’t detect new attacks Example: if (src_ip == dst_ip) then “land attack”
  • 7. Anomaly Detection activity measures 0 10 20 30 40 50 60 70 80 90 CPU Process Size normal profile abnormal probable intrusion Relatively high false positive rate • Anomalies can just be new normal activities. • Anomalies caused by other element faults • E.g., router failure or misconfiguration, P2P misconfiguration Any problem ?
  • 8. Host-Based IDSs • Using OS auditing mechanisms – E.G., BSM on Solaris: logs all direct or indirect events generated by a user – strace for system calls made by a program (Linux) • Monitoring user activities – E.G., analyze shell commands • Problems: user dependent – Have to install IDS on all user machines ! – Ineffective for large scale attacks
  • 9. The Spread of Sapphire/Slammer Worms
  • 10. Network Based IDSs • At the early stage of the worm, only limited worm samples. • Host based sensors can only cover limited IP space, which might have scalability issues. Thus they might not be able to detect the worm in its early stage Gateway routers Internet Our network Host based detection
  • 11. Network IDSs • Deploying sensors at strategic locations – E.G., Packet sniffing via tcpdump at routers • Inspecting network traffic – Watch for violations of protocols and unusual connection patterns • Monitoring user activities – Look into the data portions of the packets for malicious code • May be easily defeated by encryption – Data portions and some header information can be encrypted – The decryption engine may still be there, especially for exploit
  • 12. Key Metrics of IDS/IPS • Algorithm – Alarm: A; Intrusion: I – Detection (true alarm) rate: P(A|I) • False negative rate P(¬A|I) – False alarm (aka, false positive) rate: P(A|¬I) • True negative rate P(¬A|¬I) • Architecture – Throughput of NIDS, targeting 10s of Gbps • E.g., 32 nsec for 40 byte TCP SYN packet – Resilient to attacks
  • 13. Architecture of Network IDS Packet capture libpcap TCP reassembly Protocol identification Packet stream Signature matching (& protocol parsing when needed)
  • 14. Firewall/Net IPS VS Net IDS • Firewall/IPS – Active filtering – Fail-close • Network IDS – Passive monitoring – Fail-open FW IDS
  • 15. Related Tools for Network IDS (I) • While not an element of Snort, Ethereal is the best open source GUI-based packet viewer • www.ethereal.com offers: – Windows – UNIX, e.g., www.ethereal.com/download.html – Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms/
  • 16.
  • 17. Related Tools for Network IDS (II) • Also not an element of Snort, tcpdump is a well-established CLI packet capture tool – www.tcpdump.org offers UNIX source – http://www.winpcap.org/windump/ offers windump, a Windows port of tcpdump • windump is helpful because it will help you see the different interfaces available on your sensor
  • 19. Problems with Current IDSs • Inaccuracy for exploit based signatures • Cannot recognize unknown anomalies/intrusions • Cannot provide quality info for forensics or situational-aware analysis – Hard to differentiate malicious events with unintentional anomalies • Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or application (such as P2P) misconfiguration – Cannot tell the situational-aware info: attack scope/target/strategy, attacker (botnet) size, etc.
  • 20. Limitations of Exploit Based Signature 1010101 10111101 11111100 00010111 Our network Traffic Filtering Internet Signature: 10.*01 X X Polymorphic worm might not have exact exploit based signature Polymorphism!
  • 21. Vulnerability Signature Work for polymorphic worms Work for all the worms which target the same vulnerability Vulnerability signature traffic filtering Internet X X Our network Vulnerability X X
  • 22. Example of Vulnerability Signatures • At least 75% vulnerabilities are due to buffer overflow Sample vulnerability signature • Field length corresponding to vulnerable buffer > certain threshold • Intrinsic to buffer overflow vulnerability and hard to evade Vulnerable buffer Protocol message Overflow!
  • 23. Next Generation IDSs • Vulnerability-based • Adaptive - Automatically detect & generate signatures for zero-day attacks • Scenario-based for forensics and being situational-aware – Correlate (multiple sources of) audit data and attack information
  • 24. Counting Zero-Day Attacks Protocol Classifier UDP 1434 Core algorithms Flow Classifier TCP 137 . . . TCP 80 TCP 53 TCP 25 Normal Traffic Pool Suspicious Traffic Pool Signatures Network Tap Known Attack Filter Normal traffic reservoir Real time Policy driven Honeynet/darknet, Statistical detection
  • 25. Security Information Fusion • Internet Storm Center (aka, DShield) has the largest IDS log repository • Sensors covering over 500,000 IP addresses in over 50 countries • More w/ DShield slides
  • 27. Requirements of Network IDS • High-speed, large volume monitoring – No packet filter drops • Real-time notification • Mechanism separate from policy • Extensible • Broad detection coverage • Economy in resource usage • Resilience to stress • Resilience to attacks upon the IDS itself!
  • 28. Architecture of Network IDS Network libpcap Event Engine Policy Script Interpreter Packet stream Filtered packet stream Event stream Alerts/notifications Policy script Event control tcpdump filters