intrusion detection and prevention system ips technology
play

Intrusion Detection and Prevention System (IPS) Technology, - PowerPoint PPT Presentation

Nov 04, 2023 •419 likes •846 views

Intrusion Detection and Prevention System (IPS) Technology, Applications, and Trend Dr. Nen-Fu (Fred) Huang Professor, Department of Computer Science, National Tsing Hua University, Taiwan President, Broadweb Corp, Taiwan E-mail:

  1. Intrusion Detection and Prevention System (IPS) – Technology, Applications, and Trend Dr. Nen-Fu (Fred) Huang Professor, Department of Computer Science, National Tsing Hua University, Taiwan President, Broadweb Corp, Taiwan E-mail: nfhuang@broadweb.com, nfhuang@cs.nthu.edu.tw 2005/8/26 1/42

  2. Outline � Network Security Introduction � Attack Categories � Emerging IM/P2P Threats � IPS � Technology and Product Trends � Conclusion and Discussion 2005/8/26 2/42

  3. 3/42 Attacking Tools 2005/8/26

  4. 4/42 UDP Flooder DDoSPing Attacking Tools Pinger 2005/8/26

  5. Attacking Tools N-Stealth Scanner 2005/8/26 5/42

  6. Attack Categories � Denial of Service (DoS), Distributed Denial of Service (DDoS) � Network Invasion � Network Scanning � Network Sniffing � Torjan Horse and Backdoors � Worm 2005/8/26 6/42

  7. (1) DoS/ DDoS � Prevent another user from using network connection, or disable server or services: e.g. “Smurf” and “Fraggle” attacks, “Land”, “Teardrop”, “NewTear”, “Bonk”, “Boink”, SYN flooding, “Ping of death”, IGMP Nuke, buffer overflow. � Caused by protocol fault or program fault. � It damages the “Availability”. 2005/8/26 7/42

  8. DoS Example: Smurf attack � Uses ICMP echo/ reply (smurf) or UDP echo (fraggle) packets with broadcast networks to multiply traffic � Requires the ability to send spoofed packets ICMP echo (spoofed source address of victim) Sent to IP broadcast address ICMP echo reply Internet Perpetrator Victim 2005/8/26 8/42

  9. (2) Network Invasion � Goal is to get into the target system and obtain information � Account usernames, passwords � Source code, business critical information � Usually caused by improper configurations or privilege setting, or program fault. 2005/8/26 9/42

  10. Example of network invasion: IIS unicode buffer overflow For IIS 5.0 on windows 2000 without this security patch, a simple URL string: http:/ / address.of.iis5.system/ sc ripts/ ..%c1%1c../ winnt/ system3 2/ cmd.exe?/ c+dir+c:\ will show the information of root directory. 2005/8/26 10/42

  11. (3) Network Scanning � Goal is to obtain the chance, the topology of victim’s network. � The name and the address of hosts and network devices. � The opened services . � Usually uses technique of ICMP scanning, X’mas scan, SYN-FIN scan, SNMP scan. � There are powerful tools: Nmap and Nessus. 2005/8/26 11/42

  12. (4) Sniffing � Goal is to obtain the content of communication � Account usernames, passwords, mail account � Network Topology � Hosts running the sniffer program (e.g. NetBus) is often compromised using host attack methods. 2005/8/26 12/42

  13. (5) Backdoor and Torjan horse � Usually, the backdoor and torjan horse is the consequences of invasion or hostile programs. � It may open a private communication channel and wait for remote commands. � Available toolkits: � Subseven, � BirdSpy, � Dragger � It can be detected by monitoring known control channel activities, but not with 100% precision. 2005/8/26 13/42

  14. (6) Worm � The chief intention of worm is to propagate and survive. � It takes advantages of system vulnerabilities to infect and then tries to infect any possible targets. � It may decrease the production of system, leave back doors, steal confidential information and so on. 2005/8/26 14/42

  15. Emerging P2P/ IM Threats � P2P (Peer-to-Peer) � IM (Instant Messenger) � Spyware � Adware � Tunneling 2005/8/26 15/42

  16. P2P: a new paradigm � Bottleneck of Server � Powerful PC � Flexible, efficient information sharing � P2P changes the way of Web (Internet) 2005/8/26 16/42

  17. Why P2P? � Bottleneck of Server � Powerful PC � Flexible, efficient information sharing � P2P changes the way of Web (Internet) 2005/8/26 17/42

  18. General Issues of P2P � How to find resources? � How to know on-line peers? � How to route requests? � How to download resources? � Flooding messages and � Huge number of connections to be established concurrently 2005/8/26 18/42

  19. Famous P2P Examples � BitTorrent � Shareaza � SoftEther � eZpeer � Direct-connect � iMESH � Kuro � Gnutella � MIB � eDonkey � Soulseek � WinMix � eMule � Opennap � WinMule � MLdonkey � Worklink � Skype � Gnutella � Opennext � Kazaa/ Morpheus � J elawat � PP 點點通 2005/8/26 19/42

  20. Instant Messenger (IM) � MSN � Yahoo Messenger � ICQ � YamQQ � AIM (AOL IM) � Google Talk (new) 2005/8/26 20/42

  21. Network Security Technology Trend � Layer-7 Content Inspection Technology � IPS (Layer-7) � Application Firewall (Layer-7) � UTM/ SCM � SOHO IPS Routers 2005/8/26 21/42

  22. Layer-7 Content Inspection Technology � Packet Normalizer � Pattern Matching Algorithms � Software Based � Hardware Based � Policy Engine 2005/8/26 22/42

  23. A Generic Layer-7 Engine � Packet Normalizer � Makes sure the integrity of incoming packets � Eliminates the ambiguity � Decodes URI strings if necessary � Pattern-Matching Engine � Where the pattern-matching operation executed. � Policy Engine � Gather information from pattern-matching engine and issue the verdict to allow/ drop the packets 2005/8/26 23/42

  24. Pattern Matching is Expensive! •~50 Instructions/ 1500 Byte packet •~30 Instructions/ Byte. 45K Instructions/1500 Byte packet Source: Intel Corp . 2005/8/26 24/42

  25. Pattern-Matching Engine � The most computation-intensive task in packet processing. Normally the pattern-matching engine needs to process every single byte in packet payloads while layer-4 operations deal with packet header only. � In Snort, the pattern matching routine accounts for 31% of the total execution time 2005/8/26 25/42

  26. Policy Engine � Collect the matching events from Pattern-Matching Engine. � Clarify the relationship between matched patterns: � Ordered: A policy may consists more than one pattern and should be matched in order. � Offset, Depth: The matched position should be within a certain range or location. � Distance, Within: The distance between two matched patterns should be taken into consideration also. � Trace Application States 2005/8/26 26/42

  27. Policy Engine (cont.) � Some applications are difficult to identify by using only one signature (e.g. P2P). � Policy Engine needs to track the connection state like the following diagram: Msg Data Request Exchange Exchange File S 1 S 0 S 2 S 3 2005/8/26 27/42

  28. Intrusion Detection and Prevention System (IPS) 2005/8/26 28/42

  29. 29/42 2005/8/26

  30. NK-3000 Features � Intrusion Detection & Prevention System (IPS) � Anti-Intrusion � Anti-Worm � Anti-P2P � Anti-IM (Instant Messenger) � Anti-Porn � Anti-Webpost 2005/8/26 30/42

  31. NK-3000 Features � Signature-based and Anomaly-based detection technology (1800+ signatures) � DoS/ DDoS attacks � Mydoom, NetSky � MS-Blaster, SQL Slammer, So-Big, Code Red � In-Line Mode/ IDS Mode/ Sniffer Mode � Hardware/ Software Bypass (Fail Open) � J ava-based Broadweb Extensible Management System (BEMS) � Automatic Signatures Update via Internet 2005/8/26 31/42

  32. BSST- BroadWeb Security Service Team � Team of Security Experts (CISSP) � Provide Security Service Consulting to Customers � Signatures Collection and Verification � Issued 1800+ Signatures, including top virus patterns � Security Technical Training � Issue Security Notes periodically � Issue certifications of Broadweb Certificated Security Engineer (BCSE) for NK products � http:/ / bsst.broadweb.com.tw 2005/8/26 32/42

  33. 33/42 Application Firewalls 2005/8/26

  34. Application Firewalls � Layer 7 Packet Deep Inspection Technology for better processing of � NAT/ ACL/ VPN � IDP � Worms (SQL Slammer, Blaster, NetSky, Sasser, etc) � Spam � IM (MSN, ICQ, QQ, etc) � P2P (e-Donkey, eMule, Bit-torrent, etc) � Webpost � Porn � Spyware/ Adware � Others 2005/8/26 34/42

  35. Unified Threat Management (UTM) and Security Content Management (SCM) 2005/8/26 35/42

  36. UTM and SCM � Unified Threat Management (UTM) � Firewall � Intrusion Detection and Prevention (IPS) � Anti-Virus � Secure Content Management (SCM) � Anti-Virus � Web Filtering � Messaging Security (P2P/ IM) 2005/8/26 36/42

  37. 37/42 UTM Appliance Revenue 2005/8/26

  38. 38/42 SOHO IPS Routers 2005/8/26

  39. Security SoC-based SOHO IPS Routers � Security Processor (SoC) � ARM922 RISC CPU � Hardware NAT (Layer-4) � Hardware Content Inspection Engine (Layer-7) � Two 10/ 100/ 1000 RJ -45 Ports � Embedded-Linux � For SOHO IPS Routers market 2005/8/26 39/42

  40. Conclusions � Multiple pattern matching is the key technology for layer 7 content inspection � More complex relationship between matched patterns. � Software issues � Multiple pattern matching algorithms � Protocol behavior analysis � Signature database � Hardware platform issues � Network Processor � Pentium + Content Inspection Co-processor � Security SoC � IPS will be introduced into SOHO market soon � IPS SOHO routers 2005/8/26 40/42

Recommend

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International

Intrusion Prevention and Detection in Grid computing - The ALICE Case 21st International Conference on Computing in High Energy and Nuclear Physics Outline: Introduction Threat model Intrusion prevention Intrusion detection

420 views • 16 slides
Authorization: Intrusion Detection Prof. Tom Austin San Jos State University Prevention vs.

Authorization: Intrusion Detection Prof. Tom Austin San Jos State University Prevention vs.

CS 166: Information Security Authorization: Intrusion Detection Prof. Tom Austin San Jos State University Prevention vs. Detection Most systems we've discussed focus on keeping the bad guys out. Intrusion prevention is a traditional

479 views • 34 slides
InfoSec Ninjas Croissants Intrusion Detection and Prevention System (IDPS) InfoSec Ninjas Who

InfoSec Ninjas Croissants Intrusion Detection and Prevention System (IDPS) InfoSec Ninjas Who

InfoSec Ninjas Croissants Intrusion Detection and Prevention System (IDPS) InfoSec Ninjas Who am I? Samiux is an Information Security Enthusiast. - OSCE, OSCP, OSWP - Blogger - Linux user Hobbies : - Programming - Reading

261 views • 12 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
OrchIDS: on the value of rigor in intrusion detection Jean Goubault-Larrecq CPS, Grenoble, July

OrchIDS: on the value of rigor in intrusion detection Jean Goubault-Larrecq CPS, Grenoble, July

OrchIDS: on the value of rigor in intrusion detection Jean Goubault-Larrecq CPS, Grenoble, July 08 2014 vendredi 11 juillet 14 Outline 1.A few scary stories about computer security 2. ORCHIDS : an intrusion prevention system 3. Semantics and

1.93k views • 177 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior

Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior

Basics of Intrusion Detection Watch whats going on in the system Try to detect behavior that characterizes intruders While avoiding improper detection of legitimate access At a reasonable cost Lecture 11 Page 1 CS 236 Online

426 views • 13 slides
Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol Toshiba, 26/11/2020 1 Talk loosely based on following publications Han et al. UNICORN: Revisiting Host-Based Intrusion Detection in the Age of

783 views • 55 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

585 views • 30 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion Detection System Sensors to

SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion Detection System Sensors to

SURFnet IDS / OS3 UvA Project Extension of the SURFnet Intrusion Detection System Sensors to Microsoft Windows XP Michael Rave Coen Steenbeek 7 February 2007 Extension of the SURFnet Intrusion Detection System Sensors to Microsoft Windows XP

203 views • 18 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network

Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network

Expansion of the SURFnet Intrusion Detection System R. Buijs P. Siekerman System and Network Engineering 7-2-2007 R. Buijs P. Siekerman (SNE) Expansion of SURFnet IDS 7-2-2007 1 / 18 Contents Assignment 1 Intrusion Detection Systems 2

454 views • 18 slides
Intrusion Detection Using Monitor Information Fusion Student: Atul Bohara P.I.: William H.

Intrusion Detection Using Monitor Information Fusion Student: Atul Bohara P.I.: William H.

Intrusion Detection Using Monitor Information Fusion Student: Atul Bohara P.I.: William H. Sanders Previous Work [1] Intrusion detection by combining and clustering diverse monitor data System Logs Firewall Logs Feature extraction Cluster

527 views • 49 slides
Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter

Intrusion Detection Systems CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 11 Page 1 CS 236 Online Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection

143 views • 12 slides
Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls

Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls

Firewalls and intrusion detection systems Markus Peuhkuri 2005-03-22 Lecture topics Firewalls Security model with firewalls Intrusion detection systems Intrusion prevention systems

644 views • 7 slides
Design and implementation of an intrusion detection system (IDS) for in-vehicle networks

Design and implementation of an intrusion detection system (IDS) for in-vehicle networks

Design and implementation of an intrusion detection system (IDS) for in-vehicle networks Presented by: Nors Salman Credits to my thesis partner: Marco Bresch Brief background: in-vehicle networks Controller Area Network (CAN) MOST

425 views • 23 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
An End-to-End Infrastructure for Cyber-Physical Intrusion Detection REINHARD GENTZ, MAHDI JAMEI,

An End-to-End Infrastructure for Cyber-Physical Intrusion Detection REINHARD GENTZ, MAHDI JAMEI,

An End-to-End Infrastructure for Cyber-Physical Intrusion Detection REINHARD GENTZ, MAHDI JAMEI, ANNA SCAGLIONE ARIZONA STATE UNIVERSITY, USA CREDC Workshop 2017 1 What is Cyber Physical Intrusion Detection CPS Cyber Physical System

123 views • 11 slides

More recommend