LEC 9.pptx
CYB236 Chapter 8: Host-based Intrusion Detection Systems and Prevention

Lecture 8: Host-based Intrusion Detection Systems and Prevention

2 Lecture Objectives
01 Components and Architecture
02 Security Capabilities
03 Management
Taxonomy of Anomaly Detection Systems
IDS Exchange Format

3 Host-Based IDPS
A host-based IDPS monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

4 Components and Architecture: Typical Components
Most host-based IDPSs have detection software known as agents installed on the hosts of interest. Each agent monitors activity on a single host and performs prevention actions.

5 Components and Architecture
Each agent is designed to protect one of the following:
- A server. Besides monitoring the server’s operating system (OS), the agent may also monitor some common applications.
- A client host (desktop or laptop). Agents designed to monitor users’ hosts usually monitor the OS and common client applications such as e-mail clients and Web browsers.
- An application service. Some agents perform monitoring for a specific application service only, such as a Web server program or a database server program. This type of agent is also known as an application-based IDPS.

6 Components and Architecture: Network Architectures
Agents are deployed to existing hosts on the organization’s networks, and the components communicate over those same networks. Most products encrypt their communications, preventing eavesdroppers from accessing sensitive information. Appliance-based agents are deployed inline, immediately in front of the hosts that they are protecting.

7 Components and Architecture: Host Architectures
A shim is a layer of code placed between existing layers of code. The shim is used to intercept and analyse activity and then determine whether to allow or deny it. Using shims alters the internal architecture of the host; some IDPSs therefore monitor activity without shims.

8 Security Capabilities: Logging Capabilities
Data fields logged by host-based IDPSs are:
- Timestamp (usually date and time)
- Event or alert type
- Rating (e.g., priority, severity, impact, confidence)
- Event details specific to the type of event, such as IP address and port information, application information, filenames and paths, and user IDs
- Prevention action performed (if any)

9 Security Capabilities: Detection Capabilities
Types of events detected:
- Code Analysis.
- Network Traffic Analysis.
- Network Traffic Filtering.
- Filesystem Monitoring.
- Log Analysis.
- Network Configuration Monitoring.

10 Security Capabilities
Detection accuracy; tuning and customization; technology limitations:
- Alert Generation Delays.
- Centralized Reporting Delays.
- Host Resource Usage.
- Conflicts with Existing Security Controls.
- Rebooting Hosts.

11 Security Capabilities: Prevention Capabilities
- Code Analysis: prevent code from being executed.
- Network Traffic Filtering: stop unauthorized access and acceptable use policy violations.
- Filesystem Monitoring: prevent files from being accessed, modified, replaced, or deleted.

12 Security Capabilities: Other Capabilities
- Removable Media Restriction: prevent malware from being transferred or copied to or from the host.
- Audiovisual Device Monitoring: indicate whether the host has been compromised.
- Host Hardening: detect when a security function has been disabled and enable it again.

13 Security Capabilities: Other Capabilities
- Process Status Monitoring: monitor the status of processes or services and the status of security programs.
- Network Traffic Sanitization: sanitize the network traffic that they monitor, e.g. to prevent sensitive information from being displayed on Web server pages.

14 Management
Most host-based IDPSs offer similar management capabilities.
- Implementation: Component Testing and Deployment; Securing the Components.
- Operation: the only exception is in updating the agents; an agent’s update capability is related to the type of operating system on which it is deployed.

15 THANKS! Best Regards!
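As an added example that is not part of the lecture slides, the following Python sketches a detection-only file-integrity agent: it combines the Filesystem Monitoring capability with the five logged data fields listed above (timestamp, event type, rating, details, prevention action). All function names, the severity mapping and the sample files are this example's own constructed assumptions.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone

def build_baseline(root):
    """Map relative path -> SHA-256 digest for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return baseline

def check_integrity(root, baseline):
    """Diff the live tree against the baseline; one alert record per change."""
    current = build_baseline(root)
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            event, rating = "deleted", "high"      # severity mapping is assumed
        elif rel not in baseline:
            event, rating = "added", "medium"
        elif baseline[rel] != current[rel]:
            event, rating = "modified", "high"
        else:
            continue  # unchanged file: nothing to log
        alerts.append({  # the five log fields listed on the slide
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "event_type": "filesystem." + event,
            "rating": rating,
            "details": {"path": rel, "expected": baseline.get(rel), "observed": current.get(rel)},
            "prevention_action": "none",  # detection-only agent in this example
        })
    return alerts

def _write(root, rel, data, mode="wb"):
    with open(os.path.join(root, rel), mode) as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline two files, then modify, delete and add one."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "passwd", b"root:x:0:0\n")
        _write(root, "hosts", b"127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        _write(root, "passwd", b"guest:x:1001:1001\n", "ab")  # modified
        os.remove(os.path.join(root, "hosts"))                 # deleted
        _write(root, "new.conf", b"key=value\n")               # added
        return check_integrity(root, baseline)
```

A real agent would persist the baseline somewhere the monitored host cannot rewrite and forward the alert records to the central console described under Management.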