Lecture 1 Introduction to IDS PDF
Document Details
Uploaded by Deleted User
Dr. Siva Raja
Tags
Summary
This lecture introduces Intrusion Detection Systems (IDS). It covers key points, types of intruders, intrusion objectives and countermeasures, and different approaches to intrusion detection including statistical methods and rule-based methods. The material highlights the importance of IDS in detecting and preventing unauthorized intrusions into computer systems and networks.
Full Transcript
Chapter 1 Introdution to IDS Dr. Siva Raja 1 Key Points Unauthorized intrusion into a computer system or network is one of the most serious threats to computer security. Intrusion Detection Systems (IDS) have been depl...
Chapter 1 Introdution to IDS Dr. Siva Raja 1 Key Points Unauthorized intrusion into a computer system or network is one of the most serious threats to computer security. Intrusion Detection Systems (IDS) have been deployed to provide early warning of an intrusion so that defensive action can be taken to prevent or minimize damage. Intrusion detection involves detecting unusual patterns of activity or patterns of activity that are known to correlate with intrusions. 2 Intruders Three classes of intruders (hackers or crackers): Masquerader- unauthorized individual who exploits legitimate user’s account (outsider) Misfeasor- legitimate user, who misuses his or her privileges (insider) Clandestine user- individual who seizes supervisory control and uses it to evade auditing or access controls (insider or outsider) 3 Intrusion Objective 4 Intrusion Objective Objective of intruder is to gain access to the system or to increase range of privlileges. System maintain a file that associates a password with each authorized user. Password file can be protected with: One-way function Access Control 5 Intrusion Techniques 6 Intrusion Techniques Aim to increase privileges on system. Basic attack methodology: Target acquisition and information gathering. Initial access (e.g. use IP spoofing to gain initial access. Then, from there hijack another system) Privilege escalation. Covering tracks (using sniffer to track loopholes). Key goal often is to acquire passwords. Then exercise access rights. 7 Countermeasures 8 Countermeasures Detection Learning of an attack, either before or after it success. Prevention Attempts to thwart all possible attacks (a very challenging task) The attacker is free to try to find the weakest link in the defense chain and attack at that point. 9 Intrusion Detection 10 Intrusion Detection Ideally, Intrusion prevent will work but in real life, it might fail. Thus Intrusion detection has been the focus of much research. If intrusion is detected quickly, intruder can be identified and ejected from system before damage is done. An effective detection system acts as a deterrent, to prevent intrusions. Detection enables the collection of information to strengthen the system. 11 Intrusion Detection The goal of an intrusion detection system (IDS) is to detect that bad things are happening… …just as they start happening (hope so) How is this different from a firewall? Successful attack is usually (but not always) associated with an access control violation. 12 Intrusion Detection Symptoms: A buffer overflow has been exploited, and now attack code is being executed inside a legitimate program. Outsider gained access to a protected resource. A program or file has been modified. System is not behaving “as it should”. 13 Intrusion Detection Based on assumption that behavior of intruder differs from legitimate user. 14 Intrusion Detection 15 Approaches to Intrusion Detection 16 Approaches to Intrusion Detection Two approaches for Intrusion Detection: Statistical anomaly detection. Rule-based detection. 17 Statistical anomaly detection 18 Statistical anomaly detection Statistical anomaly detection Involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior. Two approaches : Threshold detection (frequency of events) Profile based (change in activity of user) 19 Statistical anomaly detection Threshold detection (frequency of events) This approach involves defining threshold (limit), independent of user, for the frequency of occurrence of various events. Profile based (change in activity of user) A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts. 20 Rule-based detection 21 Rule-based detection Rule based detection Involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder. Two approaches : Anomaly detection (rules detect deviation in behavior pattern) Penetration identification (searches for suspicious behavior) 22 Rule-based detection Anomaly detection (rules detect deviation in behavior pattern) Rules are developed to detect deviation from previous usage patterns. Penetration identification (searches for suspicious behavior) An expert system approach that searches for suspicious behavior. 23 Statistical anomaly detection vs. Rule-based detection Statistical approaches attempt to define normal, or expected behavior. Whereas rule-based approaches attempt to define proper behavior. Statistical works better against masqueraders, who are unlikely to mimic the behavior patterns of the accounts they appropriate. But it is not effective against misfeasors. Rule-based is better for misfeasors. 24 In practice, both approaches are used. Measures used for Intrusion Detection Login frequency by day and time. Frequency of login at different locations. Time since last login. Password failures at login. Execution frequency. Execution denials. Read, write, create, delete frequency. Failure count for read, write, create and delete. 25 Summary Type of Intruders. Intrusion Techniques and Countermeasures Intrusion Detection System (IDS) Statistical Anomalt Detection IDS Measured Used for IDS 26