1. Intrusion Detection
Computer Security
Peter Reiher
November 18, 2014
Lecture 11 Page 1 CS 136, Fall 2014

2. Outline
• Introduction
• Characteristics of intrusion detection systems
• Some sample intrusion detection systems

3. Introduction
• Many mechanisms exist for protecting systems from intruders
  – Access control, firewalls, authentication, etc.
• They all have one common characteristic:
  – They don’t always work

4. Intrusion Detection
• Work from the assumption that sooner or later your security measures will fail
• Try to detect the improper behavior of the intruder who has defeated your security
• Inform the system or system administrators to take action

5. Why Intrusion Detection?
• If we can detect bad things, can’t we simply prevent them?
• Possibly not:
  – May be too expensive
  – May involve many separate operations
  – May involve things we didn’t foresee

6. For Example,
• Your intrusion detection system regards setting the setuid bit on root-owned executables as suspicious
  – Yet the system must allow the system administrator to do so
• If the system detects several such events in a short time, it becomes suspicious
  – And reports the problem

7. Couldn’t the System Just Have Stopped This?
• Perhaps, but:
• The real problem was that someone got root access
  – The changing of setuid bits was just a symptom
• And under some circumstances the behavior is legitimate
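The setuid scenario from slides 6 and 7, worked through as a small host-based detector. This is an added example, not code from the lecture; the audit records, the actor names, the threshold of three changes and the 60-second window are all constructed for illustration. The actor is the login identity that issued the change, so an attacker who has already obtained root still shows up under the account they started from, which is the symptom the slides describe. A single change by the administrator is recorded but tolerated; several within the window raise an alert. The filtered list the detector keeps is also the reduced log that slide 14 mentions.

```python
"""Host-based misuse detector for the lecture's setuid example.

Added example, not from the original slides. The audit trail below is
constructed (not real logs). A single setuid change on a root-owned
executable is recorded but tolerated, because administrators do this
legitimately; several by the same actor within a short window raise an alert.
"""
import stat
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit records: (timestamp_seconds, actor, path, file_owner, new_mode).
# 'actor' is the login identity that issued the chmod (the audit uid), so it
# stays 'bob' even if bob escalated to root before making the change.
SAMPLE_AUDIT = [
    (100, "alice", "/home/alice/notes.txt", "alice", 0o644),
    (110, "root",  "/usr/local/bin/backup", "root",  0o4755),   # one admin change: tolerated
    (120, "bob",   "/usr/bin/passwd",       "root",  0o4755),
    (125, "bob",   "/usr/bin/su",           "root",  0o4755),
    (131, "bob",   "/tmp/.x/sh",            "root",  0o4755),
    (133, "bob",   "/usr/bin/find",         "root",  0o4755),
    (900, "root",  "/usr/local/bin/dump",   "root",  0o4755),   # much later, on its own: tolerated
]

SUSPICIOUS_THRESHOLD = 3   # alert when one actor reaches this many matching events (assumed value)
WINDOW_SECONDS = 60        # ... within this time window (assumed value)

@dataclass(frozen=True)
class Event:
    ts: int
    actor: str
    path: str
    owner: str
    mode: int

def is_setuid_root(ev: Event) -> bool:
    """Signature: setuid bit set on an executable that root owns."""
    executable = ev.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return ev.owner == "root" and bool(ev.mode & stat.S_ISUID) and bool(executable)

def detect(records) -> tuple[list[Event], list[str]]:
    """Return (reduced_log, alerts).

    reduced_log keeps only events that match the signature; everything else is
    discarded. An alert is raised the first time an actor accumulates
    SUSPICIOUS_THRESHOLD matching events inside WINDOW_SECONDS.
    """
    reduced: list[Event] = []
    alerts: list[str] = []
    recent: dict[str, list[int]] = defaultdict(list)   # actor -> timestamps of recent matches
    alerted: set[str] = set()
    for rec in records:
        ev = Event(*rec)
        if not is_setuid_root(ev):
            continue                                   # not interesting to this detector
        reduced.append(ev)
        window = [t for t in recent[ev.actor] if ev.ts - t <= WINDOW_SECONDS]
        window.append(ev.ts)
        recent[ev.actor] = window
        if len(window) >= SUSPICIOUS_THRESHOLD and ev.actor not in alerted:
            alerted.add(ev.actor)
            alerts.append(f"{ev.actor}: {len(window)} setuid-root changes in "
                          f"{WINDOW_SECONDS}s, latest {ev.path}")
    return reduced, alerts

if __name__ == "__main__":
    kept, found = detect(SAMPLE_AUDIT)
    print(f"{len(SAMPLE_AUDIT)} audit records -> {len(kept)} kept in the reduced log")
    for line in found:
        print("ALERT:", line)
```

On the sample trail the two isolated root changes pass quietly, while bob's third change inside the window produces the alert. The detector cannot tell whether bob's changes are legitimate; it only notices that the pattern is unusual enough to be worth a human's attention, which is the division of labor the slides describe.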

8. Intrusions
• “any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource” [1]
• Which covers a lot of ground
  – Implying they’re hard to stop
[1] Heady, Luger, Maccabe, and Servilla, “The Architecture of a Network Level Intrusion Detection System,” Tech Report, U. of New Mexico, 1990.

9. Kinds of Intrusions
• External intrusions
• Internal intrusions

10. External Intrusions
• What most people think of
• An unauthorized (usually remote) user trying to illicitly access your system
• Using various security vulnerabilities to break in
• The typical case of a hacker attack

11. Internal Intrusions
• An authorized user trying to gain privileges beyond those he should have
• Used to be the most common case
• No longer the majority of problems
  – But often the most serious ones
• More dangerous, because insiders have a foothold and know more

12. Information From 2010 Verizon Report [1]
• Combines Verizon data with US Secret Service data
• Indicates external breaches still most common
• But insider attack components in 48% of all cases
  – Some involved both insiders and outsiders
[1] http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

13. Basics of Intrusion Detection
• Watch what’s going on in the system
• Try to detect behavior that characterizes intruders
• While avoiding improper detection of legitimate access
• At a reasonable cost

14. Intrusion Detection and Logging
• A natural match
• The intrusion detection system examines the log
  – Which is being kept, anyway
• Secondary benefit: the intrusion detection system can also be used to reduce the log, keeping only the entries it finds relevant

15. On-Line Vs. Off-Line Intrusion Detection
• Intrusion detection mechanisms can be complicated and heavy-weight
• Perhaps better to run them off-line
  – E.g., at nighttime
• Disadvantage is that you don’t catch intrusions as they happen

16. Failures In Intrusion Detection
• False positives
  – Legitimate activity identified as an intrusion
• False negatives
  – An intrusion not noticed
• Subversion errors
  – Attacks on the intrusion detection system

17. Desired Characteristics in Intrusion Detection
• Continuously running
• Fault tolerant
• Subversion resistant
• Minimal overhead
• Must observe deviations
• Easily tailorable
• Evolving
• Difficult to fool

18. Host Intrusion Detection
• Run the intrusion detection system on a single computer
• Look for problems only on that computer
• Often by examining the logs of the computer

19. Advantages of the Host Approach
• Lots of information to work with
• Only need to deal with problems on one machine
• Can get information in readily understandable form

20. Network Intrusion Detection
• Do the same for a local (or wide) area network
• Either by using distributed systems techniques
• Or (more commonly) by sniffing network traffic

21. Advantages of Network Approach
• Need not use up any resources on users’ machines
• Easier to properly configure for large installations
• Can observe things affecting multiple machines

22. Network Intrusion Detection and Data Volume
• Lots of information passes on the network
• If you grab it all, you will produce vast amounts of data
• Which will require vast amounts of time to process

23. Network Intrusion Detection and Sensors
• Use programs called sensors to grab only relevant data
• Sensors quickly examine network traffic
  – Record the relevant stuff
  – Discard the rest
• If you design sensors right, greatly reduces the problem of data volume

24. Wireless IDS
• Observe behavior of wireless network
  – Generally 802.11
• Look for problems specific to that environment
  – E.g., attempts to crack WEP keys
• Usually doesn’t understand higher network protocol layers
  – And attacks on them

25. Application-Specific IDS
• An IDS tuned to one application or protocol
  – E.g., SQL
• Can be either host or network based
• Typically used for machines with specialized functions
  – Web servers, database servers, etc.
• Possibly much lower overheads than general IDS systems

26. Styles of Intrusion Detection
• Misuse intrusion detection
  – Try to detect things known to be bad
• Anomaly intrusion detection
  – Try to detect deviations from normal behavior
• Specification intrusion detection
  – Try to detect deviations from defined “good states”

27. Misuse Detection
• Determine what actions are undesirable
• Watch for those to occur
• Signal an alert when they happen
• Often referred to as signature detection

28. Level of Misuse Detection
• Could look for specific attacks
  – E.g., SYN floods or IP spoofing
• But that only detects already-known attacks
• Better to also look for known suspicious behavior
  – Like trying to become root
  – Or changing file permissions
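The sensor idea from slide 23 and the SYN-flood signature from slide 28, combined in one added example that is not code from the lecture. The packet records are constructed (there is no capture), the addresses are from documentation ranges, and the alert threshold of 100 half-open connections is an assumed value. The sensor keeps only TCP handshake control packets and drops everything carrying data, which is the "record the relevant stuff, discard the rest" role; the detector then applies a misuse signature over what the sensor kept.

```python
"""Network IDS sensor feeding a SYN-flood misuse signature.

Added example, not from the original slides. Packet records are constructed
(not a real capture) with only the fields the example needs. The sensor keeps
SYN, SYN/ACK and empty ACK packets and discards data traffic; the detector
flags a destination port with many half-open connections, i.e. a SYN was seen
but the client's completing ACK never arrived.
"""
from collections import Counter
from dataclasses import dataclass

SYN = 0x02   # TCP flag bits
ACK = 0x10

@dataclass(frozen=True)
class SensorRecord:
    ts: float
    src: str
    dst: str
    dport: int
    flags: int

# Constructed packets: (time, src, dst, dport, tcp_flags, payload_len).
# One legitimate connection to 10.0.0.1:80 ...
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.1", 80,    SYN,       0),    # client SYN
    (0.01, "10.0.0.1", "10.0.0.5", 51234, SYN | ACK, 0),    # server SYN/ACK to the client's ephemeral port
    (0.02, "10.0.0.5", "10.0.0.1", 80,    ACK,       0),    # client ACK: handshake complete
    (0.03, "10.0.0.5", "10.0.0.1", 80,    ACK,       512),  # HTTP request data
]
# ... followed by 200 SYNs from spoofed sources that never complete the handshake.
SAMPLE_PACKETS += [
    (0.1 + i * 0.001, f"198.51.100.{i}", "10.0.0.1", 80, SYN, 0) for i in range(200)
]

def sensor(packets):
    """Keep handshake control packets only; drop anything that carries data."""
    kept = []
    for ts, src, dst, dport, flags, payload_len in packets:
        if flags & SYN or (flags & ACK and payload_len == 0):
            kept.append(SensorRecord(ts, src, dst, dport, flags))
    return kept

def syn_flood_signature(records, threshold=100):
    """Alert on every (dst, dport) with at least `threshold` half-open connections."""
    half_open = set()   # (src, dst, dport) with a SYN seen and no client ACK yet
    for r in records:
        key = (r.src, r.dst, r.dport)
        if r.flags & SYN and not r.flags & ACK:      # client SYN opens an entry
            half_open.add(key)
        elif r.flags & ACK and not r.flags & SYN:    # client ACK completes it
            half_open.discard(key)                   # SYN/ACK from the server is ignored
    per_target = Counter((dst, dport) for _, dst, dport in half_open)
    return [f"possible SYN flood against {dst}:{dport}: {n} half-open connections"
            for (dst, dport), n in sorted(per_target.items()) if n >= threshold]

if __name__ == "__main__":
    records = sensor(SAMPLE_PACKETS)
    print(f"{len(SAMPLE_PACKETS)} packets -> {len(records)} sensor records")
    for alert in syn_flood_signature(records):
        print("ALERT:", alert)
```

The legitimate connection opens and closes its half-open entry, so only the 200 spoofed SYNs remain when the signature runs. A real sensor would also age entries out after a timeout and handle RSTs, and, as slide 28 warns, this signature recognizes only the attack it was written for: a flood shaped differently would need its own.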

29. How Is Misuse Detected?
• By examining logs
  – Only works after the fact
• By monitoring system activities
  – Often hard to trap what you need to see
• By scanning the state of the system
  – Can’t trap actions that don’t leave traces
• By sniffing the network
  – For network intrusion detection systems

30. Pluses and Minuses of Misuse Detection
+ Few false positives
+ Simple technology
+ Hard to fool
  • At least about things it knows about
– Only detects known problems
– Gradually becomes less useful if not updated
– Sometimes signatures are hard to generate

31. Misuse Detection and Commercial Systems
• Essentially all commercial intrusion detection systems primarily detect misuse
  – Generally using signatures of attacks
• Many of these systems are very similar
  – Differing only in details
• Differentiated primarily by quality of their signature library
  – How large, how quickly updated

32. Anomaly Detection
• Misuse detection can only detect known problems
• And many potential misuses can also be perfectly legitimate
• Anomaly detection instead builds a model of valid behavior
  – And watches for deviations

33. Methods of Anomaly Detection
• Statistical models
  – User behavior
  – Program behavior
  – Overall system/network behavior
• Expert systems
• Pattern matching of various sorts
• Misuse detection and anomaly detection sometimes blur together

34. Pluses and Minuses of Anomaly Detection
+ Can detect previously unknown attacks
+ Not deceived by trivial changes in attack
– Hard to identify and diagnose nature of attacks
– Unless careful, may be prone to many false positives
– Depending on method, can be expensive and complex
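A statistical model of user behavior, the first method on slide 33, carried through to the trade-off on slide 34 and the failure types on slide 16. This is an added example, not code from the lecture; the baseline sessions, the test sessions, their attack labels and the two thresholds are all constructed for illustration. The model is a per-feature mean and standard deviation, a session is scored by its largest z-score, and the same labeled sessions are evaluated at two thresholds to show false positives and false negatives trading against each other.

```python
"""Statistical anomaly detection over user sessions.

Added example, not from the original slides. Builds a per-user model of normal
behavior from constructed session records (not real data) and flags sessions
whose features deviate too far from that baseline. The threshold sets the
trade-off the slides describe: a low threshold catches more unknown attacks
and produces more false positives.
"""
from statistics import mean, pstdev

# Constructed baseline for one user: (login_hour, files_read, megabytes_transferred).
BASELINE = [
    (9, 40, 12), (10, 35, 9), (9, 52, 15), (11, 44, 11), (14, 38, 10),
    (10, 47, 13), (9, 41, 12), (15, 36, 8), (13, 50, 14), (10, 43, 11),
]

# Constructed test sessions with ground truth the detector never sees.
LABELED_SESSIONS = [
    ((10, 44, 12), False),   # ordinary workday session
    ((23, 60, 20), False),   # legitimate late-night work before a deadline
    ((3, 400, 900), True),   # bulk download at 3 AM
    ((10, 60, 18), True),    # slow exfiltration hidden in a normal-looking session
]

def build_model(sessions):
    """Per-feature (mean, standard deviation) learned from the baseline."""
    columns = list(zip(*sessions))
    return [(mean(col), pstdev(col) or 1.0) for col in columns]   # 'or 1.0' avoids division by zero

def score(model, session):
    """Largest absolute z-score across the session's features."""
    return max(abs(x - mu) / sigma for x, (mu, sigma) in zip(session, model))

def is_anomalous(model, session, threshold):
    return score(model, session) > threshold

def evaluate(model, labeled, threshold):
    """Return (false_positives, false_negatives) at the given alert threshold."""
    fp = fn = 0
    for session, is_attack in labeled:
        flagged = is_anomalous(model, session, threshold)
        fp += int(flagged and not is_attack)
        fn += int(is_attack and not flagged)
    return fp, fn

if __name__ == "__main__":
    model = build_model(BASELINE)
    for session, is_attack in LABELED_SESSIONS:
        print(f"{session} attack={is_attack} score={score(model, session):.2f}")
    for threshold in (3.0, 6.0):
        fp, fn = evaluate(model, LABELED_SESSIONS, threshold)
        print(f"threshold {threshold}: {fp} false positive(s), {fn} false negative(s)")
```

At a threshold of 3 the late-night deadline session is flagged (a false positive) but the slow exfiltration is caught; at 6 the deadline session passes and the slow exfiltration is missed (a false negative). The bulk 3 AM download is caught at both, which is the kind of previously unseen attack a signature library would not have contained. Note also that the score says how far a session is from normal, not what the attacker did, which is the "hard to diagnose" minus on slide 34.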
