IDS presentation may02


Published on September 13, 2007

Author: Sabatini

Source: authorstream.com

Content

The Many Faces of Intrusion Detection System

Ameya Anil Velankar, Department of Computer Science, The University of Texas at Dallas

Motivation

On May 22, 1996, the U.S. General Accounting Office (GAO) disclosed that approximately 250,000 break-ins into Federal computer systems were attempted over the year 1995. 64% of these attacks were successful. It gets worse! The number of attacks is doubling every year. GAO estimates that only 1% of these attacks will be reported.

Outline

- Introduction to Intrusion Detection System (or IDS)
- Survey of current IDSs
- Conclusion: desirable characteristics of IDS

What is Intrusion?

Intrusion is 'Any set of activities that attempt to compromise the integrity, confidentiality or availability of a resource'. Examples:
- DoS: attempts to starve a host of the resources it needs to function correctly.
- Compromises: obtaining privileged access to a host through known vulnerabilities.

Why Intrusion Detection?

A conventional approach to securing a computer system is to identify and authenticate the users. This prevention-based approach has the following limitations:
- It is very difficult to build a useful system that is perfectly secure.
- Crypto-based systems cannot protect against lost or stolen keys and cracked passwords.
- A system can be vulnerable to insiders abusing their privileges.

Intrusion Detection

An alternate approach, intrusion detection, has proved to be more effective than the prevention-based approach. Intrusion detection is the process of identifying malicious activities of unauthorized users (outside threat) and abuse of privileges (inside threat).
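The two detection models the deck introduces on the next slide (a statistical profile of each user's normal behavior for anomaly detection, and attack signatures for misuse detection), as an added example that is not part of the original presentation. The audit records, the two signature names and the z-score threshold are constructed assumptions.

```python
import statistics

# Constructed audit trail (not from the deck): (user, failed logins, commands run).
HISTORY = [
    ("alice", 0, ["ls", "vi", "make"]), ("alice", 1, ["ls", "make", "make"]),
    ("alice", 0, ["vi", "make", "ls", "ls"]), ("alice", 0, ["ls", "vi"]),
    ("bob", 0, ["mail", "ls"]), ("bob", 1, ["mail"]), ("bob", 0, ["mail", "ls", "ls"]),
]
# Misuse model: attack signatures as command sequences (constructed, not a real set).
SIGNATURES = {"shadow-file-read": ["cat /etc/shadow"], "auth-log-wipe": ["rm /var/log/auth.log"]}

def build_profiles(history):
    """Anomaly model: per-user (mean, population std dev) of failed logins and session length."""
    per_user = {}
    for user, failed, cmds in history:
        feats = per_user.setdefault(user, {"failed": [], "length": []})
        feats["failed"].append(failed)
        feats["length"].append(len(cmds))
    return {u: {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in f.items()}
            for u, f in per_user.items()}

def anomaly_score(profile, failed, cmds):
    """Deviation from the profile summed over features, in standard deviations (z-scores);
    a feature with zero spread in the profile is scored against a unit deviation."""
    score = 0.0
    for key, value in (("failed", failed), ("length", len(cmds))):
        mean, sd = profile[key]
        score += abs(value - mean) / (sd if sd > 0 else 1.0)
    return score

def misuse_matches(cmds, signatures=SIGNATURES):
    """Misuse model: names of signatures whose command sequence occurs in the session."""
    hits = []
    for name, pattern in signatures.items():
        n = len(pattern)
        if any(cmds[i:i + n] == pattern for i in range(len(cmds) - n + 1)):
            hits.append(name)
    return hits

def detect(profiles, session, threshold=3.0):
    """Run both models on one session and return the findings to report (empty = nothing)."""
    user, failed, cmds = session
    findings = [f"misuse:{name}" for name in misuse_matches(cmds)]
    if user not in profiles:
        findings.append("anomaly:unknown-user")  # no normal-behaviour profile to compare against
    elif (score := anomaly_score(profiles[user], failed, cmds)) > threshold:
        findings.append(f"anomaly:z={score:.1f}")
    return findings
```

A log-wiping session by a known user within his usual session length is caught only by the signature model, while a session from a user with no profile is caught only by the anomaly model; the two are complementary, which is why the deck later defines an IDS as using either or both.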
Model of Intrusion Detection

The model of intrusion detection is broadly categorized as:
- Anomaly detection model: it statistically analyses the user's current sessions, compares them to the profile describing the user's normal behavior and reports significant deviations to the security officer.
- Misuse detection model: it looks for attack signatures in the user's behavior.

Intrusion Detection System

An Intrusion Detection System (or IDS) is a computer program that attempts to perform intrusion detection, preferably in real time, by either anomaly detection or misuse detection or a combination of both. The notion of IDS does not include preventing an intrusion from occurring, but only detecting the intrusion and reporting it to an operator.

Host-based vs. Network-based IDS

- Host-based systems employ audit data from a single host as the main source of input to detect intrusion.
- Network-based IDSs obtain their data by monitoring the traffic of the network to which the hosts are connected.

Intrusion Detection Using Honey Pot

A honey pot is a 'decoy' system that appears to have several vulnerabilities allowing easy access to its resources. It provides a mechanism by which intrusions can be trapped before an attack is made on real assets.

Intrusion Detection Using Honey Pot (cont.)

Multi-level Log Mechanism (MLLM): MLLM logs the attacker's activities into the Remote Log Server and the Sniffer Server.

Intrusion Detection Using Honey Pot (cont.)

AAIDHP (An Architecture for Intrusion Detection using Honey Pot) (architecture figure)

Intrusion Detection Using Honey Pot (cont.)

Characteristics of AAIDHP:
- Flexibility: A network environment that realistically mirrors the production network is created.
- Configurability: Data control and route control can be deployed dynamically.
- Security: Intruders can be trapped in the honey pot before an attack is made on real assets.

A Web-based IDS

It is a web-based application providing remote monitoring of intrusions. The web-based IDS identifies anomalies in the network traffic using data mining techniques.

A Web-based IDS (cont.)

System Architecture (figure)

A Web-based IDS (cont.)

Data collection using Snort: Snort generates alerts and captures network packets to form audit data. This raw data is stored in a MySQL database for further mining.

Data mining:
- Clustering
- Sequence analysis
- Drilldown
- Visualization

The rules mined from the audit data are merged and added into an aggregate rule set to detect intrusion.

A Peer-based Hardware Protocol for IDS

Why a hardware protocol? The security software is a common target of computer system intruders. It is logical to place as many of the security-related functions as possible in hardware. The peer-based hardware protocol extends the Cooperative Security Manager (CSM) approach developed at Texas A&M University.

A Peer-based Hardware Protocol for IDS (cont.)

Co-operative Security Managers (CSM):
- Each host running a CSM is responsible for the activities of its own users.
- CSMs co-ordinate among themselves for intrusion detection.
- Drawback: all components are implemented in software.

A Peer-based Hardware Protocol for IDS (cont.)

Hardware-based protocol for IDS: Directing functions of the IDS are placed in hardware and system-specific functions are managed by software. The CSM hardware platform detects intrusive activity on a host as well as coordinating activities among hosts, i.e. the Security Manager and Local IDS functions of the CSM system. The User Interface, Intruder Handling and Command Monitor are system-specific and will be implemented in software.

Limitation of the hardware-based protocol: It requires that the majority of the systems connected to the network have the hardware platform attached.

Intrusion Detection in Wireless Ad-Hoc Networks

Architecture for IDS in wireless ad-hoc networks (figure)

Intrusion Detection in Wireless Ad-Hoc Networks (cont.)

A conceptual model for an IDS agent (figure)

Intrusion Detection in Wireless Ad-Hoc Networks (cont.)

- Individual IDS agents are placed on each and every node.
- Each IDS agent monitors local activities independently, detects intrusion from local traces and initiates a response if it has strong evidence of intrusion.
- If the intrusion evidence is inconclusive, neighboring IDS agents cooperatively participate in a global intrusion detection action.

IDS for ATM Networks

Challenges:
- Point-to-point data flows can only be viewed by the intermediate switches.
- ATM networks can grow very large, requiring a large number of sensors.
- ATM encompasses a wide range of link rates, therefore the IDS must support a variety of sensor types.

IDS for ATM Networks (cont.)

ATM Intrusion Detection Architecture (figure)

IDS for ATM Networks (cont.)

The four main components of this system are:
- Sensors: send network events to the assessment engine.
- Assessment Engine: formulates the strategy to respond.
- Rule Editor: helps the administrator create rule files.
- Responses: perform response actions.

Autonomous Agents for Intrusion Detection (AAFID)

- Independently running agents facilitate reconfiguration without having to restart the IDS.
- The system can be made scalable by organizing the agents in a hierarchical structure.
- Each agent can be implemented as per the requirements of the given task.
- The IDS can cross the traditional boundaries between host-based and network-based IDSs.

Autonomous Agents for Intrusion Detection (cont.)

Physical layout of the components in the AAFID system (figure)

Autonomous Agents for Intrusion Detection (cont.)

Logical organization of the AAFID system (figure)

Autonomous Agents for Intrusion Detection (cont.)

Components of AAFID:
- Agents: monitor certain aspects of a host and report abnormal behavior to the appropriate transceiver.
- Transceivers: have two roles, control and data processing.
- Monitors: have control and data processing roles, and also provide the access point for the whole AAFID system.

Autonomous Agents for Intrusion Detection (cont.)

Limitations of AAFID:
- Monitors are a single point of failure.
- Redundant monitors may produce inconsistencies in the system.
- Response time can be poor.

Desirable Characteristics of IDS

- IDS must have a distributed and cooperative approach for intrusion detection.
- IDS should easily allow for 'back-hacking'.
- IDS should be scalable.
- IDS should offer a user-friendly interface.
- IDS should combine host-based and network-based intrusion detection approaches.

References

G. B. White and M. L. Huson, 'A peer-based hardware protocol for intrusion detection systems,' IEEE Military Communications Conference, MILCOM '96 Conference Proceedings, Vol. 2, Pages: 468-472, 1996.

A. Nalluri and D. Kar, 'A web-based system for intrusion detection,' ACM Journal of Computing Sciences in Colleges, Vol. 20, Issue: 4, 2005.

T. D. Tarman, E. L. Witzke, K. C. Bauer, B. R. Kellogg, and W. F. Young, 'Asynchronous transfer mode (ATM) intrusion detection,' IEEE Military Communications Conference, MILCOM 2001 Conference Proceedings, Vol. 1, Pages: 87-91, 2001.

Y. Zhang and W. Lee, 'Intrusion detection in wireless ad-hoc networks,' 6th Annual International Mobile Computing and Networking Conference Proceedings, 2000.

References (cont.)

Z. Tian, B. Fang, and X. Yun, 'An architecture for intrusion detection using honey pot,' IEEE International Conference on Machine Learning and Cybernetics, Vol. 4, Pages: 2096-2100, 2003.

J. S. Balasubramaniyan, J. O. Garcia-Fernandez, D. Isacoff, E. Spafford, and D. Zamboni, 'An architecture for intrusion detection using autonomous agents,' 14th Annual IEEE Computer Security Applications Conference Proceedings, Pages: 13-24, 1998.

R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo, 'Testing and evaluating computer intrusion detection systems,' Communications of the ACM, Vol. 42, Issue: 7, 1999.

B. Mukherjee, L. T. Heberlein, and K. N. Levitt, 'Network intrusion detection,' IEEE Network, Vol. 8, Issue: 3, Pages: 26-41, 1994.
