Intrusion Detection Systems
Assessment of the operation and usefulness of informatics tools for the detection of on-going computer attacks
André Matos Luís Machado
Work Topics
1. Definition
2. Characteristics of IDS
3. Evolution of intrusion detection systems
4. Passive and/or reactive systems
5. Advantages and disadvantages of IDS
6. Comparison with firewalls
7. Network Based Intrusion Detection System and Host Based Intrusion Detection System
8. Limitations of IDS
9. Evasion Techniques
10. Examples of Intrusion Detection systems
11. Terminology
Definition of Intrusion Detection Systems
Device or software application that monitors network or system activities for malicious activities or policy violations
Produces reports to a Management Station
Burglar alarm for our network
First line of defense in our system
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system.
Intrusion detection systems are focused on identifying possible incidents, logging information about them, and reporting attempts.
They have become a necessary addition to the security infrastructure of nearly every organization.
• Help information systems prepare for, and deal with, attacks.
They accomplish this by collecting information from a variety of systems and network sources, and then analyzing the information for possible security problems.
• Provide:
– Monitoring and analysis of user and system activity
– Auditing of system configurations and vulnerabilities
– Assessing the integrity of critical system and data files
– Statistical analysis of activity patterns based on the matching to known attacks
– Abnormal activity analysis
– Operating system audit
Characteristics of Intrusion Detection systems
• It must run continually without human supervision. The system must be reliable enough to allow it to run in the background.
• It must be fault tolerant in the sense that it must survive a system crash and not have its knowledge-base rebuilt at restart.
• The system should be able to monitor itself to ensure that it has not been subverted.
• It must impose minimal overhead on the system, meaning it must not slow down the computer.
• It must be easily tailored to the system in question. Every system has a different usage pattern, and the defense mechanism should adapt easily to these patterns.
• It must cope with changing system behavior over time as new applications are being added. The system profile will change over time, and the IDS must be able to adapt.
Evolution of Intrusion Detection systems
• The concept of IDS has been around for almost twenty years, but lately its popularity has risen and it has come to be seen as an indispensable addition to software security.
• It began with a paper by James Anderson, in which he called for the detection of misuse and of specific user events.
• In 1983, Dr. Dorothy Denning began working on a project on these systems, and one year later she helped to develop the first model for intrusion detection.
• In 1988 there was a second model for the US Air Force that produced an IDS that analyzed audit data by comparing it with defined patterns.
• In the early 90’s Haystack Labs was the first commercial vendor of IDS tools, beginning a new era for network security.
Passive or Reactive systems
A passive IDS simply detects and alerts on an intrusion attempt. When suspicious or malicious traffic is detected, an alert is generated and sent to the administrator or user, and it is up to them to take action to block the activity or respond in some way.
A reactive IDS will not only detect suspicious or malicious traffic and alert the administrator, but will take pre-defined proactive actions to respond to the threat. Typically this means blocking any further network traffic from the source IP address or user.
Advantages and disadvantages of IDS
• There is no doubt that an IDS is extremely important in keeping our network safe from malicious activities; we can actually say that it is indispensable to government or big business networks.
• Advantages:
– “round-the-clock” activity;
– Versatile capability of these systems (they can adapt to a user's needs and allow custom-built network security).
• Disadvantages:
– Inability to distinguish malicious activity from friendly activity
– False positives and false negatives
A false positive is a situation where an IDS triggers an alarm without a true security intrusion, which is problematic because it diminishes the value of real security alerts. A false negative is the inability to detect true security events, meaning malicious activity is not detected.
Comparison with Firewalls
• There is a fine line between a firewall and IDS.
• Firewalls monitor computer communication ports, make computers invisible on the Internet, and can be programmed to alert the user to potential threats or to work quietly in the background, blocking unauthorized communications.
• Basically, a firewall is the first line of perimeter defense; however, as the number of attacks and vulnerabilities rises, network administrators are looking to extend firewalls.
• Intrusion detection is considered by many to complement network firewalls, extending the security management capabilities of system administrators to include security audit, monitoring, attack recognition, and response.
• There is also a technology called Intrusion Prevention System (IPS). An IPS is essentially a firewall which combines network-level and application-level filtering with a reactive IDS to proactively protect the network. It seems that as time goes on, firewalls and IDS take on more attributes from each other and blur the line even more.
Network Based Intrusion Detection System and Host Based Intrusion Detection system
• Network Based IDS
o Intrusion detection is network-based when the system is used to analyze network packets.
o Network packets are usually “sniffed” off the network, although they can derive from the output of switches and routers.
o There are many attack scenarios that would not be detected by host-based technology, thereby highlighting the differences between the two.
o A NIDS examines packet traffic directed toward potentially vulnerable computer systems on a network, while a host-based system examines user and software activity on a host.
• Host Based IDS
o A host-based IDS monitors all or parts of the dynamic behavior and the state of a computer system.
o Host-based systems are designed more to deter insiders, but can’t effectively deter outsiders. The exact opposite is true for network intrusion detection systems.
o Host-based systems provide poor real-time response and cannot effectively protect against one-time catastrophic events.
o They are, however, excellent at detecting and responding to long-term attacks, such as data theft or disgruntled employees.
o Host-based intrusion detection systems also analyze user statistics to determine misuse. This method is called statistical analysis.
Limitations of IDS
• However necessary, an IDS cannot provide completely accurate detection.
• They have serious limitations, such as:
– Noise can severely limit an intrusion detection system's effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.
– It is not uncommon for the number of real attacks to be far below the false-alarm rate. Real attacks are often so far below the false-alarm rate that they are often missed and ignored.
– Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to new strategies.
• Other limitations of the IDS are the fact that they can’t perform a handful of basic functions, such as:
– Compensating for weak or missing security mechanisms in the protection infrastructure.
– Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or processing load.
– Detecting newly published attacks or variants of existing attacks.
– Effectively responding to attacks launched by sophisticated attackers.
– Automatically investigating attacks without human intervention.
– Resisting attacks that are intended to defeat or circumvent them.
– Compensating for problems with the fidelity of information sources.
– Dealing effectively with switched networks.
Evasion Techniques
IDS evasion techniques are modifications made to attacks in order to prevent detection. They may appear in many forms, such as:
• Obfuscating attack payload
- An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not.
• Fragmentation and Small Packets
- One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack.
• Protocol Violations
- Some IDS evasion techniques involve deliberately violating the TCP or IP protocols in a way the target computer will handle differently than the IDS.
• Overlapping Fragments
- An IDS evasion technique is to craft a series of packets with TCP sequence numbers configured to overlap.
• Denial of Service
- An adversary can evade detection by disabling or overwhelming the IDS. This can be accomplished by exploiting a bug in the IDS.
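As an added example (not from the original slides), a small Python sketch of the defender's side of the fragmentation and overlapping-fragment points above: a signature checked per packet misses a string split across segments, while the same signature checked on the reassembled stream finds it, and disagreeing overlaps are flagged because the protected host may keep a different copy of those bytes than the IDS does. The segments, sequence numbers and the rule string are constructed for illustration.

```python
SIGNATURE = b"/etc/passwd"  # constructed example rule: a known-bad request string

# Constructed TCP segments of one stream, in arrival order, as (sequence number, payload).
# The matched string is split across two segments so that no single packet contains it.
FRAGMENTED = [(1000, b"GET /et"), (1007, b"c/passwd HTTP/1.0\r\n")]
# A later segment overlaps an earlier one with different bytes; which copy the host keeps
# depends on its TCP stack, so the IDS must either model that policy or flag the overlap.
OVERLAPPING = [(1000, b"GET /etc/hosts  HTTP/1.0\r\n"), (1009, b"passwd")]


def per_packet_alerts(segments, signature=SIGNATURE):
    """Naive matching: inspect each segment on its own. Misses patterns split across packets."""
    return [seq for seq, data in segments if signature in data]


def reassemble(segments, policy="first"):
    """Rebuild the byte stream from sequence numbers (arrival order matters for overlaps).
    policy='first' keeps the bytes seen first, 'last' lets later segments overwrite them.
    Returns (stream, inconsistent); inconsistent is True if overlapping bytes disagreed."""
    base = min(seq for seq, _ in segments)
    stream, inconsistent = {}, False
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq - base + i
            if off in stream and stream[off] != byte:
                inconsistent = True
            if policy == "last" or off not in stream:
                stream[off] = byte
    # Gaps left by missing segments are filled with 0x00 for simplicity.
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1)), inconsistent


def stream_alerts(segments, policy="first", signature=SIGNATURE):
    """Signature match on the reassembled stream, plus a flag for ambiguous overlaps."""
    stream, inconsistent = reassemble(segments, policy)
    return {"match": signature in stream, "ambiguous_overlap": inconsistent}


if __name__ == "__main__":
    print("per-packet:", per_packet_alerts(FRAGMENTED))   # nothing: the split string evades it
    print("reassembled:", stream_alerts(FRAGMENTED))      # match on the rebuilt stream
    for policy in ("first", "last"):
        print(policy, stream_alerts(OVERLAPPING, policy))  # only one policy sees the match
```

An IDS that reassembles with the "first" policy while the host applies "last" (or the reverse) sees a different stream than the host, which is why the overlap itself is worth alerting on.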
Examples of Intrusion Detection systems
• There are a lot of IDS available, due to the previously mentioned increase in information flow and consequently the increasing need for protection. Here are a few examples of IDS software:
Types of IDS
The most important and significant types of IDS are the previously mentioned Network Based IDS and the Host Based IDS; however, there are a few more that are worth mentioning.
• Stack-based IDS is the latest technology, which works by integrating closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers. Watching the packet in this way allows the IDS to pull the packet from the stack before the OS or application has a chance to process the packets.
• Signature-based IDS use a rule set to identify intrusions by watching for patterns of events specific to known and documented attacks. It is typically connected to a large database which houses attack signatures. It compares the information it gathers against those attack signatures to detect a match.
• Anomaly-based IDS examine ongoing traffic, activity, transactions and behavior in order to identify intrusions by detecting anomalies. It works on the notion that “attack behavior” differs enough from “normal user behavior” that it can be detected by cataloging and identifying the differences involved.
• Some IDS are knowledge-based, which preemptively alert security administrators before an intrusion occurs using a database of common attacks. Alternatively, there are behavioral-based IDS that track all resource usage for anomalies, which is usually a positive sign of malicious activity.
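As an added example (not from the original slides), a small Python detector contrasting the signature-based and anomaly-based approaches just described, scored against constructed, labelled request events so that the false positives and false negatives discussed under Disadvantages become concrete. The signature rules, the baseline counts and the events are all assumed for illustration.

```python
import re
import statistics
from collections import Counter

# Constructed, labelled request events as (source ip, request line, is_attack). Not real traffic.
EVENTS = (
    [("10.0.0.5", "GET /index.html", False), ("10.0.0.5", "GET /about.html", False)]
    + [("10.0.0.7", "GET /../../etc/passwd", True)]                     # matches a known pattern
    + [("10.0.0.9", f"GET /login?user=u{n}", True) for n in range(8)]   # burst of guesses, no signature
    + [("10.0.0.3", f"GET /page{n}.html", False) for n in range(9)]     # legitimate but busy crawler
)
# Constructed baseline: requests per source observed in a "normal" training window.
BASELINE = [2, 4, 4, 6]
# Constructed signature rules: patterns specific to known, documented attacks.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.I),
}


def signature_alerts(events):
    """Signature-based: alert on every event whose request matches a known-attack pattern."""
    return {i for i, (_, req, _) in enumerate(events)
            if any(p.search(req) for p in SIGNATURES.values())}


def anomaly_alerts(events, baseline, k=2.0):
    """Anomaly-based: alert on every event from a source whose request count deviates from
    the baseline by more than k standard deviations; it knows nothing about attack content."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    noisy = {src for src, n in Counter(src for src, _, _ in events).items() if n > threshold}
    return {i for i, (src, _, _) in enumerate(events) if src in noisy}


def evaluate(alerts, events):
    """Confusion counts: fp alerts dilute the real ones, fn are attacks that went undetected."""
    tp = sum(1 for i in alerts if events[i][2])
    fn = sum(1 for i, (_, _, bad) in enumerate(events) if bad and i not in alerts)
    return {"tp": tp, "fp": len(alerts) - tp, "fn": fn}


if __name__ == "__main__":
    sig, ano = signature_alerts(EVENTS), anomaly_alerts(EVENTS, BASELINE)
    print("signature:", evaluate(sig, EVENTS))   # catches the traversal, misses the burst
    print("anomaly:  ", evaluate(ano, EVENTS))   # catches the burst, flags the crawler too
    print("combined: ", evaluate(sig | ano, EVENTS))
```

The union of both detectors leaves no false negatives on this data but keeps the anomaly detector's false positives, which is the trade-off the slides describe.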