Detecting Intrusions


DETECTING INTRUSIONS
By Matthew Morrow
WHAT ARE INTRUSIONS?
• Definition:
• “To compromise a computer system by breaking the security of such a system or
causing it to enter into an insecure state.” http://www.yourdictionary.com/intrusion
• Types (examples):
• Eavesdropping:
• "Listen in" on a network and interpret the traffic passing over it
• Identity Spoofing:
• Forge the source IP address of packets so they appear to come from a trusted host, in order to gain access to the network
• Denial-Of-Service:
• Prevents normal use of the network
• Floods the network (or a host) with traffic until service shuts down or becomes unusable
SOME TERMS
• Detection Rate: fraction of actual intrusions that the system detects, TP / (TP + FN)
• False Alarm Rate: fraction of benign events that raise an alert, FP / (FP + TN)
• False Positive: No Attack, Alert
• True Positive: Attack, Alert
• False Negative: Attack, No Alert
• True Negative: No Attack, No Alert
• Because attacks are rare compared with benign traffic, even a small false alarm rate can produce more false alerts than true ones
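The four outcomes above are the cells of a confusion matrix, and the two rates are ratios over its rows. The following is an added example written for this page (not from the original slides) that computes them from a constructed set of labeled events, and then applies Bayes' rule to show how the base rate of attacks controls how many alerts are real. The event list, prevalence and rates are assumed values chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Counts:
    tp: int  # attack, alert
    fp: int  # no attack, alert
    fn: int  # attack, no alert
    tn: int  # no attack, no alert


def confusion_counts(events):
    """events: iterable of (is_attack, alerted) pairs, one per monitored event.
    is_attack is the ground truth; alerted is what the IDS reported."""
    tp = fp = fn = tn = 0
    for is_attack, alerted in events:
        if is_attack and alerted:
            tp += 1
        elif alerted:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    return Counts(tp, fp, fn, tn)


def _ratio(num, den):
    # Avoid ZeroDivisionError when a class is empty (e.g. no attacks in the window).
    return num / den if den else 0.0


def detection_rate(c):
    """Share of real attacks that raised an alert (a.k.a. recall, true positive rate)."""
    return _ratio(c.tp, c.tp + c.fn)


def false_alarm_rate(c):
    """Share of benign events that raised an alert (false positive rate)."""
    return _ratio(c.fp, c.fp + c.tn)


def alert_precision(c):
    """Share of alerts that were real attacks: what the analyst actually experiences."""
    return _ratio(c.tp, c.tp + c.fp)


def expected_alert_precision(prevalence, det_rate, fa_rate):
    """Bayes' rule: P(attack | alert) given the attack base rate and the two IDS rates.
    true alerts per event  = prevalence * det_rate
    false alerts per event = (1 - prevalence) * fa_rate"""
    true_alerts = prevalence * det_rate
    false_alerts = (1.0 - prevalence) * fa_rate
    return _ratio(true_alerts, true_alerts + false_alerts)


# Constructed sample: (is_attack, alerted) for ten monitored events.
SAMPLE_EVENTS = [
    (True, True),    # caught
    (True, True),    # caught
    (True, False),   # missed
    (False, True),   # false alarm
    (False, False),
    (False, False),
    (False, False),
    (False, False),
    (True, True),    # caught
    (False, False),
]

if __name__ == "__main__":
    c = confusion_counts(SAMPLE_EVENTS)
    print(c)
    print("detection rate  :", detection_rate(c))
    print("false alarm rate:", false_alarm_rate(c))
    print("alert precision :", alert_precision(c))
    # Assumed numbers: 1 event in 1000 is an attack, IDS catches 99% of attacks,
    # and false-alarms on 1% of benign events.
    print("P(attack | alert) at 0.1% prevalence:",
          expected_alert_precision(0.001, 0.99, 0.01))
```

With the assumed 0.1% prevalence, a 99% detection rate and a 1% false alarm rate, only about 9% of alerts correspond to real attacks; lowering the false alarm rate matters more than raising the detection rate once attacks are rare.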
INTRUSION DETECTION SYSTEM
• Also known as IDS
• The system on the network that detects intrusions
• Two types of IDS
• HIDS (host-based)
• Runs on, and monitors, an individual host computer (its logs, files and processes)
• NIDS (network-based)
• Deals with the entire network segment it can see
• Placed at strategic points within the network (a tap or mirror port at the perimeter, or inside critical segments)
• Monitors traffic
• Usually deployed next to the firewall at the network boundary
• Could bottleneck the network if placed inline; a passive tap or mirror port gives the sensor a copy of the traffic without adding latency
MORE ON NIDS
• Looks for attack signatures (known byte patterns or protocol behaviour) to identify threats; this catches known attacks, not novel ones
• Usually a filter is applied first to determine which packets are discarded and which are passed on to the attack recognition module, so the expensive signature matching runs only on relevant traffic
• Strengths
• Ownership costs reduced: a few sensors cover many hosts
• Real time detection and response
• Operating system independent: it inspects packets, so no agent is needed on each host
• Evidence retained off the compromised host: an attacker who wipes the local logs cannot remove the sensor's record
SOME IDS PRODUCTS
• AnaDisk
• BlackICE Defender
• Cisco Secure IDS
• CyberCop
• Dragon Sensor
• Forensic Toolkit
• Klaxon
• LSOF
• Sentry
• Etc.
• Note: several of these are forensic or host-inspection tools rather than IDSs (AnaDisk analyzes diskettes, Forensic Toolkit is a disk forensics suite, LSOF lists the files and sockets a host has open)
ANADISK
• Not free
• Non-commercial single-user registration fee of $25
• Commercial and multi-system site fee is $150
• Examines, edits, and analyzes diskettes
• Two programs
• Adinstal: determines the diskette configuration of the computer being used
• Anadisk.exe: works with the diskette using that configuration info
• Manual:
• http://www.8bit-micro.com/anadisk-man.htm
DRAGON SENSOR
• Watches live network packets for signs of computer crimes
• Once it detects an attack, it sends pages and email, takes action to stop the event, and records it for future forensic analysis
• Award-winning UNIX-based Intrusion Detection System from Enterasys
• http://www.intrusion-detection-system-group.co.uk/dragon.htm
SNORT
• Free and open source
• A network intrusion detection and prevention system (NIDS/NIPS)
• Originally written by Martin Roesch and maintained by Sourcefire (acquired by Cisco in 2013)
• Real time traffic analysis and packet logging on IP networks, driven by a text rule language
• Demo:
• https://www.youtube.com/watch?v=6rCbgmuWldQ
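The two-stage design described under MORE ON NIDS (a cheap filter, then an attack recognition module) is the same shape a Snort rule takes: a header (action, protocol, addresses, ports) that selects traffic, and options in parentheses that describe the signature. The following is an added example written for this page, not Snort's code or any product's: a small engine that parses a simplified subset of Snort's rule syntax (header plus the msg, content, nocase and sid options only; no hex escapes, variables, port lists or flow options) and runs it over constructed packets. The rules, addresses and payloads are all made up for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    sid: int
    msg: str
    content: bytes
    nocase: bool


# Header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Options come as  key;   key:"quoted value";   or  key:bare_value;
OPT_RE = re.compile(r'(\w+)(?::\s*(?:"([^"]*)"|([^;"]*)))?\s*;')


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable rule: {line!r}")
    opts = {}
    for key, quoted, bare in OPT_RE.findall(m.group("opts")):
        opts[key] = quoted if quoted else bare.strip()
    return Rule(
        action=m.group("action"), proto=m.group("proto"),
        src=m.group("src"), sport=m.group("sport"),
        dst=m.group("dst"), dport=m.group("dport"),
        sid=int(opts["sid"]), msg=opts.get("msg", ""),
        content=opts["content"].encode("latin-1"),
        nocase="nocase" in opts,
    )


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def header_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and _addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport))


def content_matches(rule: Rule, pkt: Packet) -> bool:
    hay, needle = pkt.payload, rule.content
    if rule.nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def inspect(rules, packets):
    """Return (sid, msg, flow) for every rule that fires on every packet."""
    alerts = []
    for pkt in packets:
        # Stage 1 (filter): cheap header comparison decides which packets are
        # discarded and which reach the attack recognition module.
        candidates = [r for r in rules
                      if r.action == "alert" and header_matches(r, pkt)]
        # Stage 2 (attack recognition): byte-pattern search on survivors only.
        for r in candidates:
            if content_matches(r, pkt):
                alerts.append((r.sid, r.msg,
                               f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"))
    return alerts


# Constructed rules in the simplified syntax (sids in the local range >= 1000000).
RULES = """
alert tcp any any -> any 80 (msg:"WEB-ATTACK directory traversal"; content:"../"; sid:1000001;)
alert tcp any any -> any 80 (msg:"WEB-ATTACK shell reference"; content:"/bin/sh"; nocase; sid:1000002;)
alert tcp any any -> any 22 (msg:"SSH banner seen"; content:"SSH-"; sid:1000003;)
"""

# Constructed packets; addresses are documentation/private ranges.
PACKETS = [
    Packet("tcp", "10.0.0.5", 51000, "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.5", 51001, "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.6", 40000, "192.0.2.10", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Packet("udp", "10.0.0.7", 5353, "192.0.2.10", 80, b"../"),   # wrong proto: filtered out
    Packet("tcp", "10.0.0.8", 50000, "192.0.2.10", 80,
           b"POST /cgi-bin/x HTTP/1.1\r\n\r\ncmd=/BIN/SH -c id"),  # upper case: nocase catches it
]


def run_demo():
    rules = [parse_rule(l) for l in RULES.splitlines() if l.strip()]
    return inspect(rules, PACKETS)


if __name__ == "__main__":
    for sid, msg, flow in run_demo():
        print(f"[{sid}] {msg}  {flow}")
```

The UDP packet carries the traversal bytes but never reaches content matching because no rule header selects UDP; that is the filter stage doing its job. Real Snort does the same selection with port groups and a multi-pattern matcher so that thousands of rules can be checked per packet, and it normalizes payloads (for example HTTP URI decoding) before matching so that simple encoding tricks do not evade a `content` string.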