Lecture 1 Introduction to IDS PDF

Summary

This lecture introduces Intrusion Detection Systems (IDS). It covers key points, types of intruders, intrusion objectives and countermeasures, and different approaches to intrusion detection including statistical methods and rule-based methods. The material highlights the importance of IDS in detecting and preventing unauthorized intrusions into computer systems and networks.

Full Transcript

Chapter 1

Introdution to
IDS
Dr. Siva Raja
1
 Key Points
 Unauthorized intrusion into a computer system
or network is one of the most serious threats to
computer security.
 Intrusion Detection Systems (IDS) have been
deployed to provide early warning of an intrusion
so that defensive action can be taken to prevent
or minimize damage.
 Intrusion detection involves detecting unusual
patterns of activity or patterns of activity that are
known to correlate with intrusions. 2
 Intruders
 Three classes of intruders (hackers or crackers):
 Masquerader- unauthorized individual who
exploits legitimate user’s account (outsider)

 Misfeasor- legitimate user, who misuses his or
her privileges (insider)

 Clandestine user- individual who seizes
supervisory control and uses it to evade auditing
or access controls (insider or outsider)
3
Intrusion Objective

4
 Intrusion Objective

 Objective of intruder is to gain access to the
system or to increase range of privlileges.

 System maintain a file that associates a
password with each authorized user.

 Password file can be protected with:
 One-way function
 Access Control

5
 Intrusion
Techniques

6
 Intrusion Techniques
 Aim to increase privileges on system.
 Basic attack methodology:
 Target acquisition and information gathering.
 Initial access (e.g. use IP spoofing to gain initial
access. Then, from there hijack another system)
 Privilege escalation.
 Covering tracks (using sniffer to track loopholes).

 Key goal often is to acquire passwords.
 Then exercise access rights. 7
Countermeasures

8
 Countermeasures
Detection

 Learning of an attack, either before or after it
success.
Prevention

 Attempts to thwart all possible attacks (a very
challenging task)

The attacker is free to try to find the weakest link in the
defense chain and attack at that point.
9
Intrusion Detection

10
 Intrusion Detection

 Ideally, Intrusion prevent will work but in real life, it might
fail. Thus Intrusion detection has been the focus of much
research.
 If intrusion is detected quickly, intruder can be identified
and ejected from system before damage is done.
 An effective detection system acts as a deterrent, to
prevent intrusions.
 Detection enables the collection of information to
strengthen the system.
11
 Intrusion Detection

 The goal of an intrusion detection system (IDS) is to
detect that bad things are happening…
 …just as they start happening (hope so)
 How is this different from a firewall?

 Successful attack is usually (but not always)
associated with an access control violation.

12
 Intrusion Detection

 Symptoms:
 A buffer overflow has been exploited, and now
attack code is being executed inside a legitimate
program.
 Outsider gained access to a protected resource.
 A program or file has been modified.
 System is not behaving “as it should”.
13
 Intrusion Detection
 Based on assumption that behavior of intruder
differs from legitimate user.

14
Intrusion Detection

15
Approaches to Intrusion
Detection

16
 Approaches to Intrusion Detection

 Two approaches for Intrusion Detection:

 Statistical anomaly detection.

 Rule-based detection.

17
Statistical anomaly
detection

18
 Statistical anomaly detection
 Statistical anomaly detection
 Involves the collection of data relating to the behavior
of legitimate users over a period of time.

 Then statistical tests are applied to observed behavior
to determine with a high level of confidence whether
that behavior is not legitimate user behavior.

 Two approaches :
 Threshold detection (frequency of events)
 Profile based (change in activity of user)
19
 Statistical anomaly detection

 Threshold detection (frequency of events)
This approach involves defining threshold (limit),
independent of user, for the frequency of occurrence of
various events.

 Profile based (change in activity of user)
A profile of the activity of each user is developed and
used to detect changes in the behavior of individual
accounts.

20
Rule-based
detection

21
 Rule-based detection
 Rule based detection
 Involves an attempt to define a set of rules that
can be used to decide that a given behavior is
that of an intruder.

 Two approaches :
 Anomaly detection (rules detect deviation in behavior
pattern)
 Penetration identification (searches for suspicious
behavior)
22
 Rule-based detection

 Anomaly detection (rules detect deviation in
behavior pattern)
Rules are developed to detect deviation from previous
usage patterns.

 Penetration identification (searches for suspicious
behavior)
An expert system approach that searches for suspicious
behavior.

23
 Statistical anomaly detection
vs. Rule-based detection
 Statistical approaches attempt to define normal, or
expected behavior.

 Whereas rule-based approaches attempt to define
proper behavior.

 Statistical works better against masqueraders, who are
unlikely to mimic the behavior patterns of the accounts
they appropriate. But it is not effective against
misfeasors.

 Rule-based is better for misfeasors.
24
 In practice, both approaches are used.
 Measures used for Intrusion
Detection
 Login frequency by day and time.
 Frequency of login at different locations.
 Time since last login.
 Password failures at login.
 Execution frequency.
 Execution denials.
 Read, write, create, delete frequency.
 Failure count for read, write, create and delete.

25
 Summary
 Type of Intruders.
 Intrusion Techniques and Countermeasures
 Intrusion Detection System (IDS)
 Statistical Anomalt Detection IDS
 Measured Used for IDS

26