![Page 1: Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03](https://reader036.vdocuments.net/reader036/viewer/2022070407/56649e195503460f94b06b77/html5/thumbnails/1.jpg)
Intrusion Detection Presentation: 1 of n
by Manish Mehta
01/24/03
Introduction
• 3 fundamental needs of Computer Security:
- Prevention
- Detection
- Response
All 3 components are needed for Comprehensive Protection.
Security in Business
• You can lock all the doors and stay safe, or you can open the doors and do some business.
What is Intrusion Detection (ID)?
• ID is the art of detecting and responding to computer misuse.
• Selection of an ID system should be based on environment-specific requirements. (How do you want to define an Intrusion?)
Terms you should know
• ID – Detecting unauthorized access to a computer and/or a network.
• Misuse Detection – Detecting behavior that matches patterns of misuse.
• Anomaly Detection – Detecting deviations from acceptable behavior profiles.
Terms you should know (contd.)
• False-positive – An alarm that is not misuse.
• False-negative – Misuse that is not detected or alarmed.
• IDS – System that collects information from a variety of systems and network sources, and then analyzes the information for signs of intrusion and misuse.
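The two detection approaches and the two error types defined above can be made concrete with a small scorer. The following is an added example, not material from the presentation: a toy anomaly detector that flags a deviation from a per-user "acceptable behaviour profile" (assumed here to be the mean and standard deviation of logins per hour seen in a clean training window), scored against constructed ground truth so that each alarm is counted as a true/false positive and each miss as a false negative. The baseline data, the observations and the 3-sigma threshold are all my constructions.

```python
"""Added example (not from the slides): a toy anomaly detector scored for
false positives and false negatives, to make the definitions concrete.

Assumptions (constructed here, not from the presentation): a per-user
"acceptable behaviour profile" is the mean and standard deviation of the
user's historical logins-per-hour, and an observation is flagged when it
lies more than THRESHOLD_SIGMAS above the mean.
"""
from statistics import mean, pstdev

THRESHOLD_SIGMAS = 3.0

# Constructed baseline: logins per hour observed for each user during a
# training window in which all activity was known to be legitimate.
BASELINE = {
    "alice": [2, 3, 2, 4, 3, 2, 3, 3, 2, 4],
    "bob":   [0, 1, 0, 1, 1, 0, 0, 1, 0, 1],
}

# Constructed test observations with ground truth: (user, logins, is_misuse)
OBSERVATIONS = [
    ("alice", 3, False),    # ordinary hour
    ("alice", 40, True),    # credential-stuffing burst, should alarm
    ("bob", 1, False),      # ordinary hour
    ("bob", 2, True),       # slow, low-rate attempt that stays under the line
    ("alice", 6, False),    # legitimately busy hour
]


def build_profiles(baseline):
    """Return {user: (mean, stddev)} from legitimate historical counts."""
    return {u: (mean(xs), pstdev(xs)) for u, xs in baseline.items()}


def is_anomalous(profile, value, k=THRESHOLD_SIGMAS):
    """Flag a value more than k standard deviations above the profile mean."""
    mu, sigma = profile
    # Guard a flat baseline (sigma == 0): any increase counts as a deviation.
    if sigma == 0:
        return value > mu
    return (value - mu) / sigma > k


def evaluate(observations, profiles, k=THRESHOLD_SIGMAS):
    """Count alarms against ground truth using the definitions on the slide."""
    counts = {"true_positive": 0, "false_positive": 0,
              "true_negative": 0, "false_negative": 0}
    for user, value, is_misuse in observations:
        alarm = is_anomalous(profiles[user], value, k)
        if alarm and is_misuse:
            counts["true_positive"] += 1
        elif alarm and not is_misuse:
            counts["false_positive"] += 1   # an alarm that is not misuse
        elif not alarm and is_misuse:
            counts["false_negative"] += 1   # misuse that raised no alarm
        else:
            counts["true_negative"] += 1
    return counts


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for k in (3.0, 2.0):
        print(f"threshold {k} sigma:", evaluate(OBSERVATIONS, profiles, k))
```

Running it with the 3-sigma threshold gives one true positive, one false positive, one false negative and two true negatives; lowering the threshold to 2 sigma catches the slow attempt but keeps the false alarm, which is the noise trade-off the later slides refer to.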
In general we can say ..
• Intrusion – Attacks originating outside the organization.
• Misuse – Attacks originating inside the organization.
Let's take a step back! ID – A historical perspective.
• ID has exploded in recent years, but the roots of ID are considerably more humble.
• Initially focused on host-based event log analysis.
Brief Timeline of ID research
• 1980 – A technical report said that audit records can be used to identify misuse.
• 1985 – SRI was funded by US Navy to build prototype of ID Expert System. (IDES)
• 1986 – First paper “An ID model”
• 1987 – First annual ID workshop at SRI.
• 1989 – Student at UCD wrote Network Security Monitor. (NSM)
Timeline (Contd.)
• 1990 – US Navy completed study of ID research projects and selected one.
• 1992 – Computer Misuse Detection System (CMDS) developed by SAIC.
• 1994 – A research group at the Air Force created ASIM, a robust IDS.
• 1997 – Cisco began building network ID into Cisco router.
Timeline (Contd.)
• 1999 – Federal ID Network (FIDNet) was created to detect network infrastructure attacks against government sites.
• After that – A lot of research papers and implementations.
Network v/s Host based ID
• All ID methods are basically based on analysis of a set of discrete, time-sequenced events for patterns of misuse.
- Host based ID – examines events like file access, application execution.
- Network based ID – examines network traffic.
Which one do you need?
• For comprehensive detection? BOTH !
Each has pros and cons that should be measured against the requirements of the environment.
Systems using both detections are called “Hybrid Systems”.
Anatomy of IDS
• ID Systems have 2 main tasks
- Detecting
- Responding
Command Console
• Authority for controlling the entire system. (nerve system). “remote” feature?
• It has tools for setting policies and processing collected alarms.
– Assessment manager – controls the collection of static configuration info.
– Target manager – maintains connection with components on target side.
– Alert manager – collects and maintains Alert data.
Network Sensors
• Basically 2 types
- Promiscuous-mode sensors reside on dedicated machines.
- Network-node sensors run on the machines they monitor.
Alert Notification System
• Basic task is to notify security officer
• How??
- On-screen Alerts
- Audible Alerts
- Paging
- SNMP (wow !)
Response Subsystem
• Take actions based on threats to the target systems.
- automatic
- system operator (manual)
What actions?
- reconfiguration
- shut down connection
Database
• Repository for statistics
• Useful for damage assessment and investigation.
ID Process
• Have a simple but effective policy
• Policy defines acceptable activity. e.g. a ping sweep, or a packet from outside coming in with a source address that belongs to the inside.
• Policies make rules for IDS.
Traditional audit v/s ID
• Understanding the difference will influence requirement definition.
Traditional Audit
- Counting and confirming periodically
- Password policies
- Security patches
- Guest account enabled (Shouldn’t be!!)
- Locking screen-savers enabled (Shouldn’t be!!)
Then what is the difference?
• ID Systems look for differences in patterns of behavior as opposed to the state of control.
e.g.
- A configuration scanner will check for password policy.
- An IDS looks for 3 failed login attempts
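As an added example (my code, not the presentation's), here is the "3 failed login attempts" behaviour rule applied to a few constructed syslog-style sshd lines. It assumes the "Failed password for <user> from <ip>" / "Accepted password for <user> from <ip>" message format, fires when one source IP accumulates three failures against the same account within a five-minute window, and resets the counter on a successful login; the window length and the sample log are my constructions.

```python
"""Added example (not from the slides): the "3 failed login attempts" rule
applied to constructed syslog-style sshd lines.

Assumptions (mine): lines follow the sshd "Failed password for <user>
from <ip>" / "Accepted password for <user> from <ip>" pattern; the rule fires
when one source IP accumulates MAX_FAILURES failures for the same account
within WINDOW seconds, and a successful login resets the counter.
"""
import re
from collections import defaultdict
from datetime import datetime

MAX_FAILURES = 3
WINDOW = 300  # seconds

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+)"
)

# Constructed log excerpt (syslog has no year, so one is supplied when parsing)
AUTH_LOG = """\
Jan 24 09:00:01 host1 sshd[4011]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 24 09:00:07 host1 sshd[4012]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan 24 09:00:15 host1 sshd[4013]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 24 09:01:02 host1 sshd[4020]: Failed password for alice from 192.168.1.20 port 50100 ssh2
Jan 24 09:01:10 host1 sshd[4021]: Accepted password for alice from 192.168.1.20 port 50100 ssh2
Jan 24 09:30:00 host1 sshd[4030]: Failed password for bob from 198.51.100.9 port 51000 ssh2
Jan 24 09:40:00 host1 sshd[4031]: Failed password for bob from 198.51.100.9 port 51001 ssh2
Jan 24 09:50:00 host1 sshd[4032]: Failed password for bob from 198.51.100.9 port 51002 ssh2
"""


def parse(line, year=2003):
    """Return (timestamp, result, user, ip) or None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def failed_login_alerts(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return (ip, user, first_ts, last_ts) for each ip/user pair reaching the threshold."""
    failures = defaultdict(list)   # (ip, user) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        ts, result, user, ip = event
        key = (ip, user)
        if result == "Accepted":
            failures.pop(key, None)   # success resets the counter
            continue
        times = failures[key]
        times.append(ts)
        # Forget failures that fell out of the window
        while (ts - times[0]).total_seconds() > window:
            times.pop(0)
        if len(times) >= max_failures:
            alerts.append((ip, user, times[0], times[-1]))
            failures.pop(key)         # one alert per burst
    return alerts


if __name__ == "__main__":
    for ip, user, first, last in failed_login_alerts(AUTH_LOG):
        print(f"{ip} -> {user}: {MAX_FAILURES} failures between {first} and {last}")
```

With the five-minute window the burst against root is reported, alice's single mistake followed by a success is not, and bob's three failures spaced ten minutes apart slip through; widening the window to an hour catches the slow pattern at the cost of more noise, which is exactly the rule-tuning judgement the closing slides call an art.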
Integrity Checkers
• Use MD5 or CRC
- Tripwire
- Tools in COPS
IDS can track the exact modification information. It is used for mission critical files only.
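A minimal integrity checker in the spirit of Tripwire, added here as an example and not code from the presentation or from Tripwire itself. It takes a baseline of digest, size and permission mode for a set of files, then reports which of the three changed, so the "exact modification information" the slide mentions is visible in the output. Two assumptions are mine: SHA-256 stands in for the MD5/CRC the slide names, because MD5 collisions are cheap to produce today and a CRC is not collision resistant at all; and the baseline lives in memory, whereas a real deployment keeps it on read-only or offline storage so that whoever modified a file cannot simply re-baseline. The files it checks are created in a temporary directory and are constructed for the demo.

```python
"""Added example (not from the slides): a minimal integrity checker in the
spirit of Tripwire, built on a hash baseline of "mission critical" files.

Assumptions (mine): SHA-256 is used instead of the MD5/CRC the slide
mentions; the baseline is held in memory here, whereas a real deployment
keeps it on read-only or offline storage. The sample files are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256", chunk=65536):
    """Stream the file through the hash so large files do not load into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def take_baseline(paths):
    """Record digest, size and permission bits for each monitored file."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[str(p)] = {"digest": file_digest(p),
                            "size": st.st_size,
                            "mode": st.st_mode & 0o777}
    return baseline


def check(baseline):
    """Compare current state to the baseline; return {path: [what changed]}."""
    findings = {}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        changes = []
        st = os.stat(path)
        if st.st_mode & 0o777 != rec["mode"]:
            changes.append("mode")
        if st.st_size != rec["size"]:
            changes.append("size")
        if file_digest(path) != rec["digest"]:
            changes.append("content")
        if changes:
            findings[path] = changes
    return findings


def demo():
    """Create constructed files, baseline them, tamper with each, and report."""
    with tempfile.TemporaryDirectory() as d:
        passwd = Path(d) / "passwd"
        sshd = Path(d) / "sshd_config"
        shadow = Path(d) / "shadow"
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
        sshd.write_text("PermitRootLogin no\n")
        shadow.write_text("root:*:12000:0:99999:7:::\n")
        passwd.chmod(0o644)
        sshd.chmod(0o600)
        shadow.chmod(0o600)
        baseline = take_baseline([passwd, sshd, shadow])
        clean = check(baseline)            # expected: nothing to report yet
        # Simulated tampering: a same-length edit keeps the size but changes
        # the content, a permission change alters only the mode, and a
        # deleted file shows up as missing.
        sshd.write_text("PermitRootLogin ye\n")
        passwd.chmod(0o666)
        shadow.unlink()
        return clean, check(baseline)


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    for path, changes in after.items():
        print(f"{path}: {', '.join(changes)}")
```

Because the digest is recomputed from the bytes rather than trusted from a timestamp, a same-size rewrite that leaves mtime untouched is still caught; the mode check is what distinguishes a permission loosening from a content edit.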
Un/acceptable behavior
• Infinite possibilities
• Breaking down “misuse” in categories can help
- unauthorized access/reading
- unauthorized modification
- DoS
Detecting deviation from acceptable behavior
• There is no HARD line between un/acceptable behavior.
3 models
- Perfect acceptable behavior model
- Real world behavior model
- Perfect unacceptable behavior model
So, ID: Science or Art??
• The factor to be considered here is noise from ID.
• ID tools are really best used as support systems as opposed to definitive measuring devices.
• So it's more of an art of defining rules.
p.s. Researchers don’t like their projects being compared with ‘Art’.
Questions ?
Until then ..