22
INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

Embed Size (px)

Citation preview

Page 1: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

INTRUSION DETECTION INTRUSION DETECTION INTRUSION

DETECTION INTRUSION DETECTION

INTRUSION DETECTION

INTRUSION DETECTION

INTRUSION DETECTION INTRUSION DETECTION

DETECTION INTRUSION DETECTION

INTRUSION DETECTION INTRUSION DETECTION

INTRUSION DETECTION

INTRUSION DETECTION INTRUSION DETECTION

INTRUSION DETECTION

INTRUSION DETECTION INTRUSION DETECTION INTRUSION

DETECTION INTRUSION DETECTION INTRUSION

DETECTION

INTRUSION DETECTION

INTRUSION DETECTION INTRUSION DETECTION

DETECTION INTRUSION DETECTION

INTRUSION DETECTION INTRUSION

DETECTION INTRUSION DETECTION

Page 2: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

•Anomaly Detection

•Misuse Detection

A presentation over term paper

on

intrusion detection

byanuja jain

(MS in computer science)

monica achury(MS in computer science)

Page 3: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

Definition

INTRUSION- The potential possibility of a deliberate unauthorized attempt to:•Access information•Manipulate information•Render a system unreliable or unusable

INTRUSION DETECTION- The process of identifying and responding to intrusion activities

Page 4: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

Types of Intrusion

There are six types of Intrusions

•Attempted break-ins

•Masquerade attacks

•Penetration of the security control system

•Leakage

•Denial of service

•Malicious use

Page 5: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

•Anomaly DetectionStatic

Dynamic

•Misuse DetectionEx:- NIDES, MIDAS, STAT

Intrusion Detection Techniques

Page 6: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

• Statistical approachesTripwire, Self/Non-self

• Dynamic /Predictive pattern generationNIDES, Pattern Matching (UNM)

Anomaly Detection Systems

Page 7: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

Anomaly Detection

activity measures

0102030405060708090

CPU ProcessSize

normal profileabnormal

probable intrusion

Relatively high false positive rate - anomalies can just be new normal

activities.

Page 8: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

Misuse Detection Systems

•Expert Systems

•Keystroke Monitoring

•Model Based Intrusion Detection

Page 9: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

Misuse Detection

Intrusion Patterns

activities

pattern matching

intrusion

Can’t detect new attacks

Example: if (src_ip == dst_ip) then “land attack”

Page 10: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

IDS Design

Page 11: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

Components of IDS

Audit Data Preprocessor

Audit Records

Activity Data

Detection Models

Detection Engine

Alarms

Decision Table

Decision EngineAction/Report

system activities are observable

normal and intrusive activities have distinct

evidence

Page 12: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

Important Features

•Fault tolerant.

•Minimum human supervision.

•Resist subversion.

•Minimal Overhead.

•Platform Independent

Continued…

Page 13: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

•Adaptable.

•Easy to Deploy.

•Detect different types of attacks.Anomaly detection schemesMisuse detection schemesCombination of both

•Hardware / Software must be synchronized.

•Good data mining techniques

Page 14: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

Data Mining

Definition: The semi-automatic discovery of patterns, associations, changes, anomalies, rules, and statically significant structures and events in data.

Data such as,•Failed connection attempts•Connection delays•Source/Destination data packets

Page 15: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

Data Mining Algorithms

Extract knowledge in the form of models from data.

• Classification• Regression• Clustering• Association rule abduction• Sequence Analysis • Others

Page 16: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

Data Mining Techniques

It allows the system to collect useful knowledge that describes a user’s or program’s behavior from large audit data sets.Examples:•Statistics•Artificial Neural Network•Rule Learning•Neuro-Fuzzy

Page 17: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

IDS Evaluation

•Rate of false positives

•Attack detection rate

•Maintenance cost

•Total cost

Page 18: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

IDS for Mobile Wireless Systems

Page 19: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

Designing for Wireless Networks

Problems with Wireless Networks

•Open Medium

•Dynamic changing network topology

•Lack of decentralized monitoring

•Less known security measures

•Data is harder to collect

Page 20: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

One proposed IDS design by Georgia Institute of Technology

•Individual IDS agents are placed on each an every node. Monitors local activities

User, system and communication activities

•Nodes cooperate with each other. Investigate together at a broader range

•A secure communication channel among the IDS Agent.

Page 21: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

references

•Chebrolu, S., Abraham, A., Thomas, J.P.: Feature Detection and Ensemble Design of Intrusion Detection Systems. Computers and security, http://dx.doi.org/10.1016/j.cose.2004.09.008•Zhang, Y., Lee, W., and Huang, Y. 2003. Intrusion detection techniques for mobile wireless networks. Wirel. Netw. 9, 5 (Sep. 2003), 545-556. DOI= http://dx.doi.org/10.1023/A:1024600519144 •J.P Anderson. Computer Security Threat Monitoring and Surveillance. Technical report, James P Anderson Co., Fort Washington, Pennsylvania, April 1980•Eugene H Spafford. Security Seminar, Department of Computer Sciences, Purdue University, Jan 1996.•Biswanath Mukherjee, L Todd Heberlein and Karl N Levitt. Network Intrusion Detection , IEEE Network, May/June 1994, pages 26-41.

Page 22: INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION

Questions???