Report: Intrusion Detection Systems

Download Report

Transcript Report: Intrusion Detection Systems 

Intrusion Detection System
Marmagna Desai
[ 520 Presentation]
Contents

Computer Security




IDS - Introduction
Intrusion Detection System




Network
System
Network Based (NIDS)
Host Based (HIDS)
ID Expert Systems
IDS Techniques


Misuse Detection
Anomaly Detection

Immune System Approach


Architecture
Requirements

Conclusion

References

Thanks
Computer Security – CIA
Confidentiality-Integrity-Authentication
 Network Security


Protecting
 Network equipment.
 Network servers and
transmissions.
 Eavesdropping.
Data Integrity
 System Security







User access
Authentication controls
Assignment of
privilege
Maintaining file and file
system integrity
Monitoring processes
Log-keeping
Backups
Intrusion Detection System
 IDS - Definition

Monitors either a Network boundary (Network
IDS) or a single host (Host IDS) in real-time,
looking for patterns that indicate Attacks.
 Functional Blocks..
Sensor
 Monitor
 Resolver
 Controller

 Sensor


System Specific Data Gathering Component.
Track Network traffic, Log files, System behaviour
 Monitor



Monitor Components, Get Events from Sensor.
Correlates Events against Behaviour-Model
Produce Alerts.
 Resolver


Determine Response against Alerts.
E.g. Logging, Changing System Mechanism,
Setting Firewall Rule etc.
 Controller - Coordination and Administration
Network IDS
 NIDS Sensors collect information from
Network Connections.
 Uses Packet Sniffing on NIC in Promiscuous
Mode.
 No Auditing / Logging required.
 Agents can introduced without affecting Data
Source at NIC level.
 Detects Network Level Attacks (e.g. SYN Atk)
 Can NOT scan Protocols or Content of
Network Traffic if encrypted.
Host IDS
 HIDS Sensors collect information reflecting the
System Activity.
 Based on Operating System Audit Trails, Logs
and Process Trees.
 User and Application Level Analysis
 Process Behaviour Analysis
 Operate in Encrypted Environments.
 Platform Specific, Large Overhead for OS and
Higher Management/Deployment Costs
ID Expert Systems
 A set of System Tools Working in Coordination
 Users Behave in a Consistent Manner
 Behaviour can be Summarised in a Profile.
 Profile can be generated by Advanced
Statistical Analysis.
 Oracle Database is used for Profiles.
 Provides Real-Time Response to Intrusion.
IDS Approaches
 Misuse Detection

Models Abnormal behaviour

E.G. HTTP request referring to the cmd.exe file
Uses Pattern Matching of system setting and
user activities against database of known
attacks. (Signature Analysis)
 Highly Efficient – Tightly Defined Signature.
 Vulnerable to novel attacks.

 Anomaly Detection

Models Normal Behaviour

E.g. Expected System Calls, generated by User
Process (Root/Non-root).
Statistical profiles for system objects are
created by measuring attributes of normal use.
 Detects Novel and Complex attacks.
 Low Efficiency
 False Positive


Legitimate action classified as Anomalous.
Anomaly Detection - continued
 Immune System Approach
Models in terms of Sequence of System Calls.
 Sequence for




Normal Behaviour
Error Condition
Anomaly
Kernel-Level System-Call Monitoring.
 E.g. “exec “ System call produces trace in all
above situations.

System Call Execution Process
System Call
Dispatcher
System Call
Implementation
User Process
Schedular
Kernel Level System Monitoring
System Call
Dispatcher
User Process
IDS Module
Schedular
System Call
Implementation
Architecture
 Monolithic
Single Application contains sensor, monitor,
resolver and controller
 Most Simplest Architecture, unable to detect
attack made by distributed normal events.

 Hierarchic
Resolver and Controller at root of hierarchy.
 Monitors at sub-system (logical group) level.
 Sensors at Node-Level
 Centralised controller correlates information
from different Monitors and Resolver take

Architecture – continued
 Agent Based
Distributed Sensors/Monitors/Resolver and
Controller.
 Multi-Hierarchy of Monitors
 High Scalability
 Recently used in various IDS.

Requirements
 Accuracy
 Prevention, not just detection
 Broad attack coverage
 Analyze all relevant traffic
 Highly granular detection and response
 Sophisticated forensics and reporting
 Maximum sensor uptime
 Wire-speed performance
Requirements...
 Accuracy
Reduced False +ve and -ve
 Thorough Protocol Analysis

 Prevention
Real Time Prevention
 Reconfiguration and Response
 Self Learning Profiles

 Broad Attack Coverage

Protects against all Attacks
Requirements...
 Analyze all relevant traffic (NIDS)

Deploy IDS to suit varying Networks Topology
 Granular Detection and Response

One size does not fit all.
 Forensic and Reporting

Extensive Historic Analysis and Report
 Wire-Speed

Multi – Giga bit Performance
Conclusion
 IDS will merge all Network components and
tools which exist today, into a complete and
cooperative system, dedicated to keeping
networks Stable and Secure.
 Distributed elements performing specific jobs.
 Hierarchical correlation and analysis.
 Novel approaches like AI, Data-Mining etc.
References
 http://www.securityfocus.com
 http://www.citeseer.com
 “Intrusion Detection Techniques and
Approaches” [ Theuns Verwoerd and Ray Hunt ]
 “Computer System Intrusion Detection: A
Survey” [ Anita K. Jones and Robert S. Sielken]
 http://www.insecure.org/
 http://nss.co.uk/
Thank You!!
Questions
?