Full Transcript

CYB236 Chapter 8: Host-based Intrusion Detection Systems and Prevention (Lecture 8)

Lecture Objectives
01 Components and Architecture
02 Security Capabilities
03 Management

Host-Based IDPS
A host-based IDPS monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

Components and Architecture: Typical Components
Most host-based IDPSs have detection software, known as agents, installed on the hosts of interest. Each agent monitors activity on a single host and performs prevention actions.

Components and Architecture
Each agent is designed to protect one of the following:
- A server. Besides monitoring the server's operating system (OS), the agent may also monitor some common applications.
- A client host (desktop or laptop). Agents designed to monitor users' hosts usually monitor the OS and common client applications such as e-mail clients and Web browsers.
- An application service. Some agents monitor a specific application service only, such as a Web server program or a database server program. This type of agent is also known as an application-based IDPS.

Components and Architecture: Network Architectures
Agents are deployed to existing hosts on the organization's networks, and the IDPS components communicate over those same networks. Most products encrypt their communications, preventing eavesdroppers from accessing sensitive information. Appliance-based agents are instead deployed inline, immediately in front of the hosts they protect.

Components and Architecture: Host Architectures
A shim is a layer of code placed between existing layers of code. The shim intercepts data (for example a system call or a network packet), analyzes it, and then determines whether to allow or deny it. Shims therefore alter the internal architecture of the host; some IDPSs monitor activity without shims, which avoids that change but limits what they can intercept and prevent.
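To make the Host Architectures slide concrete, here is an added example that is not part of the lecture deck or of any IDPS product. It builds a user-space "shim" in Python by interposing on the built-in open(): every file open in the process is intercepted, checked against a policy, and then allowed or denied, and each denial is recorded in the field layout of the logging slide that follows. Real agents interpose at the OS level (kernel hooks or library preloading); the policy list PROTECTED_PATTERNS, the function names and the ShimDenied exception are all assumptions made for this example.

```python
import builtins
import fnmatch
import os
import tempfile
from datetime import datetime, timezone

# Constructed policy for the example: paths this process may read but never
# write. A real agent would receive such a policy from its management server.
PROTECTED_PATTERNS = ["/etc/passwd", "/etc/shadow", "*/.ssh/authorized_keys"]

real_open = builtins.open   # the existing layer the shim sits on top of
alert_log = []              # alert records (timestamp, type, rating, details, action)


class ShimDenied(PermissionError):
    """Raised by the shim, distinct from a PermissionError the OS itself returns."""


def is_write_mode(mode: str) -> bool:
    """True for any mode that can change file contents ('w', 'a', 'x' or '+')."""
    return any(flag in mode for flag in "wax+")


def decide(path: str, mode: str) -> str:
    """The analysis step: return 'allow' or 'deny' for one open() request."""
    protected = any(fnmatch.fnmatch(path, pat) for pat in PROTECTED_PATTERNS)
    return "deny" if protected and is_write_mode(mode) else "allow"


def shimmed_open(file, mode="r", *args, **kwargs):
    """The interception step: every open() in the process now passes through here."""
    path = str(file)
    if decide(path, mode) == "deny":
        alert_log.append({
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "event_type": "protected_file_write",
            "rating": "high",
            "details": {"path": path, "mode": mode},
            "prevention_action": "denied",
        })
        raise ShimDenied(f"shim denied mode {mode!r} on {path}")
    return real_open(file, mode, *args, **kwargs)   # fall through to the real layer


def install_shim() -> None:
    """Insert the shim between callers and the real open()."""
    builtins.open = shimmed_open


def remove_shim() -> None:
    """Restore the original layer (e.g. when the agent is uninstalled)."""
    builtins.open = real_open


def guarded_write_attempt(path: str) -> str:
    """Install the shim, try to open `path` for append, and report what happened."""
    install_shim()
    try:
        with open(path, "a"):
            return "allowed"
    except ShimDenied:
        return "denied by shim"
    finally:
        remove_shim()


if __name__ == "__main__":
    scratch = os.path.join(tempfile.gettempdir(), "shim_demo.txt")
    print(scratch, "->", guarded_write_attempt(scratch))        # not protected: allowed
    print("/etc/shadow ->", guarded_write_attempt("/etc/shadow"))  # denied before the OS is asked
    print(alert_log)
    os.remove(scratch)
```

Note the caveat the Technology Limitations slide raises as "conflicts with existing security controls": a second tool that also replaces builtins.open would silently stack on or displace this shim, which is why production agents hook at a single, well-defined layer and verify at startup that their hook is still in place.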
Security Capabilities: Logging Capabilities
Data fields typically logged by host-based IDPSs are:
- Timestamp (usually date and time)
- Event or alert type
- Rating (e.g., priority, severity, impact, confidence)
- Event details specific to the type of event, such as IP address and port information, application information, filenames and paths, and user IDs
- Prevention action performed (if any)

Security Capabilities: Detection Capabilities
Types of events detected:
- Code analysis
- Network traffic analysis
- Network traffic filtering
- Filesystem monitoring
- Log analysis
- Network configuration monitoring

Security Capabilities: Detection Accuracy and Limitations
- Detection accuracy
- Tuning and customization
- Technology limitations:
  - Alert generation delays
  - Centralized reporting delays
  - Host resource usage
  - Conflicts with existing security controls
  - Rebooting hosts

Security Capabilities: Prevention Capabilities
- Code analysis: prevent code from being executed.
- Network traffic filtering: stop unauthorized access and acceptable use policy violations.
- Filesystem monitoring: prevent files from being accessed, modified, replaced, or deleted.

Security Capabilities: Other Capabilities
- Removable media restriction: prevent malware from being transferred or copied to or from the host.
- Audiovisual device monitoring: unexpected activation of a camera or microphone can indicate that the host has been compromised.
- Host hardening: detect when a security function has been disabled and enable it again.
- Process status monitoring: monitor the status of processes or services, including the status of security programs.
- Network traffic sanitization: sanitize the network traffic that they monitor, for example to prevent sensitive information from being displayed on Web server pages.

Management
Most host-based IDPSs offer similar management capabilities.
Implementation:
- Component testing and deployment
- Securing the components
Operation The only exception is in updating the agents an agent’s update capability is related to the type of operating system on which it is deployed. 15 THANKS! Best Regards!
