Chapter 8

Publish in



Please download to get full document.

View again

of 31
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Chapter 8. Intrusion Detection. Intruders. two most publicized threats to security are malware and intruders generally referred to as a hacker or cracker. classes:. Examples of Intrusion. remote root compromise web server defacement guessing / cracking passwords
Chapter 8Intrusion DetectionIntruders
  • two most publicized threats to security are malware and intruders
  • generally referred to as a hacker or cracker
  • classes:
  • Examples of Intrusion
  • remote root compromise
  • web server defacement
  • guessing / cracking passwords
  • copying databases containing credit card numbers
  • viewing sensitive data without authorization
  • running a packet sniffer
  • distributing pirated software
  • using an unsecured modem to access internal network
  • impersonating an executive to get information
  • using an unattended workstation
  • Hackers
  • motivated by thrill of access and/or status
  • hacking community is a strong meritocracy
  • status is determined by level of competence
  • benign intruders consume resources and slow performance for legitimate users
  • intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are designed to help counter hacker threats
  • can restrict remote logons to specific IP addresses
  • can use virtual private network technology (VPN)
  • intruder problem led to establishment of computer emergency response teams (CERTs)
  • Hacker Patterns of BehaviorCriminals
  • organized groups of hackers now a threat
  • corporation / government / loosely affiliated gangs
  • typically young
  • often Eastern European, Russian, or southeast Asian hackers
  • meet in underground forums
  • common target is credit card files on e-commerce servers
  • criminal hackers usually have specific targets
  • once penetrated act quickly and get out
  • IDS / IPS can be used but less effective
  • sensitive data should be encrypted
  • Criminal EnterprisePatterns of BehaviorInsider Attacks
  • among most difficult to detect and prevent
  • employees have access and systems knowledge
  • may be motivated by revenge/entitlement
  • employment was terminated
  • taking customer data when moving to a competitor
  • IDS / IPS can be useful but also need:
  • enforcement of least privilege, monitor logs, strong authentication, termination process
  • Internal ThreatPatterns of Behavior The following definitions from RFC 2828 (Internet Security Glossary) are relevant to our discussion:Security Intrusion: A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.Intrusion Detection : A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.Intrusion Detection Systems (IDSs)host-based IDSmonitors the characteristics of a single host for suspicious activitynetwork-based IDSmonitors network traffic and analyzes network, transport, and application protocols to identify suspicious activityIDS Principlesassume intruder behavior differs from legitimate usersoverlap in behaviors causes problemsfalse positivesfalse negativesIDS RequirementsHost-Based IDS
  • adds a specialized layer of security software to vulnerable or sensitive systems
  • monitors activity to detect suspicious behavior
  • primary purpose is to detect intrusions, log suspicious events, and send alerts
  • can detect both external and internal intrusions
  • Host-Based IDS Approaches to Intrusion Detectionanomaly detectionsignature detectioninvolves an attempt to define a set of rules or attack patterns that can be used to decide that a given behavior is that of an intruder
  • threshold detection
  • involves counting the number of occurrences of a specific event type over an interval of time
  • profile based
  • profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts
  • Audit RecordsTable 8.2MeasuresThat MayBe Used For IntrusionDetectionSignature Detection
  • rule-based anomaly detection
  • historical audit records are analyzed to identify usage patterns
  • rules are generated that describe those patterns
  • current behavior is matched against the set of rules
  • does not require knowledge of security vulnerabilities within the system
  • a large database of rules is needed
  • rule-based penetration identification
  • key feature is the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses
  • rules can also be defined that identify suspicious behavior
  • typically rules are specific to the machine and operating system
  • Table 8.3USTAT Actions vs. SunOS Event TypesDistributed Host-Based IDSDistributed Host-Based IDSNetwork-Based IDS (NIDS)NIDS Sensor Deploymentinline sensorinserted into a network segment so that the traffic that it is monitoring must pass through the sensorpassive sensorsmonitors a copy of network trafficIntrusion Detection Techniques
  • signature detection
  • at application, transport, network layers; unexpected application services, policy violations
  • anomaly detection
  • denial of service attacks, scanning, worms
  • when a sensor detects a potential violation it sends an alert and logs information related to the event
  • used by analysis module to refine intrusion detection parameters and algorithms
  • security administration can use this information to design prevention techniques
  • Intrusion Detection Exchange FormatHoneypot
  • decoy systems designed to:
  • lure a potential attacker away from critical systems
  • collect information about the attacker’s activity
  • encourage the attacker to stay on the system long enough for administrators to respond
  • filled with fabricated information that a legitimate user of the system wouldn’t access
  • resource that has no production value
  • incoming communication is most likely a probe, scan, or attack
  • outbound communication suggests that the system has probably been compromised
  • once hackers are within the network, administrators can observe their behavior to figure out defenses
  • Honeypot DeploymentSNORT
  • lightweight IDS
  • real-time packet capture and rule analysis
  • easily deployed on nodes
  • uses small amount of memory and processor time
  • easily configured
  • SNORT Rulesuse a simple, flexible rule definition languageeach rule consists of a fixed header and zero or more optionsExamplesof SNORT Rule OptionsSummary
  • intruders
  • masquerader
  • misfeasor
  • clandestine user
  • intruder behavior patterns
  • hacker
  • criminal enterprise
  • internal threat
  • security intrusion/intrusion detection
  • intrusion detection systems
  • host-based
  • network-based
  • sensors, analyzers, user interface
  • host-based
  • anomaly detection
  • signature detection
  • audit records
  • distributed host-based intrusion detection
  • network-based
  • sensors: inline/passive
  • distributed adaptive intrusion detection
  • intrusion detection exchange format
  • honeypot
  • Related Search
    We Need Your Support
    Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

    Thanks to everyone for your continued support.

    No, Thanks