Date posted: 25-Sep-2015
Category: Documents
Uploaded by: muhammad-nabil
Dahlia Asyiqin bt Ahmad Zainaddin
Classifications (1 of 2)
- Signature-based vs. Anomaly-based: defines the model used to assess policy violations
- Active vs. Passive: probing (snooping) versus monitoring
- Host vs. Network: defines the event source
Classifications (2 of 2)
- Centralized vs. Distributed: location of the analysis
- Real-Time vs. Interval: determines when notification takes place
Ways to Detect an Intrusion
- Signature Recognition: catch intrusions in terms of the characteristics of known attacks or system vulnerabilities.
- Anomaly Detection: detect any action that significantly deviates from normal behavior.
Signature Recognition
- Also known as misuse recognition
- Based on known attack actions; uses models of bad behavior
- Each signature is an observed policy violation
- Examples: buffer overflow strings, SQL injection attacks, virus definitions
- Detection occurs when bad behavior is observed
- The list of signatures must be kept current
Signature Recognition: Methods & Systems

Method                      System
Rule-based languages        RUSSEL, P-BEST
State transition analysis   STAT family (STAT, USTAT, NSTAT, NetSTAT)
Colored Petri automata      IDIOT
Expert system               IDES, NIDX, P-BEST, ISOA
Case-based reasoning        AutoGUARD
Anomaly Detection
- Uses a model of good behavior
- Detection occurs when observed behavior deviates from good behavior
- Useful for detecting novel attacks
- May generate excessive false positives
Anomaly Detection: Methods & Systems

Method                       System
Statistical methods          IDES, NIDES, EMERALD
Machine learning techniques  Time-based inductive machine, instance-based learning, neural networks
Data mining approaches       JAM, MADAM ID
Anomaly Detection: Disadvantages
- Based on audit data collected over a period of normal operation.
- If noise (intrusion data) is present in the training data, the model learns it as normal and misclassifies later attacks.
- Deciding which features to use: the features are usually chosen by domain experts, and the chosen set may not be complete.
Signature Recognition vs. Anomaly Detection

                        Advantage                                        Disadvantage
Signature Recognition   Accurate; generates far fewer false alarms       Cannot detect novel or unknown attacks
Anomaly Detection       Able to detect unknown attacks from audit data   High false-alarm rate; limited by the training data
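The two detection models compared on the slides above, run side by side over a handful of HTTP request paths. This is an added example, not code from the original slides: the request paths, the two regular-expression signatures, the two hand-picked features (decoded length and count of unusual characters) and the z-score threshold of 3 are all assumptions made here for illustration. It shows the three points the slides make: signatures are precise but miss the attack they have no pattern for, the anomaly model catches that novel attack but also flags a long legitimate request, and a baseline contaminated with attack traffic stops flagging that attack.

```python
"""Signature recognition vs. anomaly detection over constructed HTTP request paths.

Added example, not code from the original slides. The URLs, the two signatures,
the two hand-picked features and the threshold are illustrative assumptions.
"""
import re
import statistics
from urllib.parse import unquote

# Constructed baseline: request paths recorded during "normal operation".
TRAINING_URLS = [
    "/index.html", "/about.html", "/contact.html", "/products?id=12",
    "/products?id=7", "/images/logo.png", "/css/site.css", "/login",
    "/search?q=shoes", "/search?q=red+shoes", "/account/settings", "/faq.html",
]

SQLI_URL = "/login?user=admin%27%20OR%20%271%27%3D%271"  # decodes to admin' OR '1'='1

# Constructed test traffic. Indices 1-3 are attacks; 4 is legitimate but unusually long.
TEST_URLS = [
    "/index.html",                                  # 0 normal
    SQLI_URL,                                       # 1 SQL injection (known signature)
    "/cgi-bin/a?x=" + "A" * 200,                    # 2 overflow-style padding (known signature)
    "/download?file=..%2F..%2F..%2Fetc%2Fpasswd",   # 3 path traversal: no signature below
    "/search?q=waterproof+hiking+boots+for+women",  # 4 legitimate, just long
    "/products?id=3",                               # 5 normal
]

# Misuse model: every signature is one observed policy violation written as a pattern.
SIGNATURES = [
    ("sql-injection", re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*", re.I)),
    ("buffer-overflow", re.compile(r"(.)\1{63,}")),  # 64+ repeats of one byte
]


def signature_detect(urls):
    """Return {index: rule_name} for every URL that matches a known-bad pattern."""
    hits = {}
    for i, url in enumerate(urls):
        decoded = unquote(url)  # normalise before matching, or %27 hides the quote
        for name, pattern in SIGNATURES:
            if pattern.search(decoded):
                hits[i] = name
                break
    return hits


def features(url):
    """Two features picked by hand (the 'domain expert' step): length and odd-character count."""
    decoded = unquote(url)
    return (len(decoded), len(re.findall(r"[^\w/]", decoded)))


def train_profile(urls):
    """Model of good behaviour: (mean, sample standard deviation) per feature."""
    columns = zip(*(features(u) for u in urls))
    return [(statistics.mean(col), statistics.stdev(col)) for col in columns]


def anomaly_score(profile, url):
    """Largest absolute z-score over all features."""
    score = 0.0
    for value, (mean, sd) in zip(features(url), profile):
        if sd == 0:
            z = 0.0 if value == mean else float("inf")  # never-varying feature: any change is new
        else:
            z = abs(value - mean) / sd
        score = max(score, z)
    return score


def anomaly_detect(profile, urls, threshold=3.0):
    """Return {index: score} for URLs that deviate more than `threshold` standard deviations."""
    flagged = {}
    for i, url in enumerate(urls):
        score = anomaly_score(profile, url)
        if score > threshold:
            flagged[i] = round(score, 2)
    return flagged


if __name__ == "__main__":
    print("signature hits:", signature_detect(TEST_URLS))          # misses 3, the novel attack
    clean = train_profile(TRAINING_URLS)
    print("anomaly flags :", anomaly_detect(clean, TEST_URLS))     # catches 3, but also flags 4
    # Noise in the baseline: the attacker ran the injection three times during training.
    poisoned = train_profile(TRAINING_URLS + [SQLI_URL] * 3)
    print("poisoned flags:", anomaly_detect(poisoned, TEST_URLS))  # the injection now looks normal
```

The poisoned run is the disadvantage from the "Anomaly Detection: Disadvantages" slide made concrete: three copies of the injection in the baseline widen the spread of both features enough that the same request scores under the threshold, while the signature rule is unaffected because it never learned anything from the baseline.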
Types of Intrusion Detection
- Host-Based IDS (HIDS)
- Network-Based IDS (NIDS)
- Hybrid
HIDS
Host-based intrusion detection systems (HIDS) are installed as agents on a host. A host-based IDS checks for intrusions by examining information at the host or operating-system level. These IDSs examine many aspects of your hosts, such as system calls, audit logs, and error and message logs, to detect any intruder activity.
HIDS: Benefits
- It has first-hand information on the success of the attack, because a host-based IDS examines traffic after it reaches the target of the attack (assuming the host is the target). With a network-based IDS, alarms are generated on known intrusive activity; only a HIDS can determine the actual success or failure of an attack.
- A HIDS can use the host's own IP stack to easily deal with variable time-to-live (TTL) attacks, which are difficult to detect using a network-based IDS.
HIDS (figure)
Variable Time-To-Live Attacks
All packets travelling across the network have a TTL value. Each router that handles the packet decreases the TTL value by one. If the TTL value reaches zero, the packet is discarded. An attacker can launch an attack that includes bogus packets with smaller TTL values than the packets that make up the real attack. If the network-based sensor sees all the packets, but the target host sees only the actual attack packets, the attacker has managed to distort the information that the sensor used, causing the sensor to potentially miss the attack.
Variable Time-To-Live Attacks (cont'd)
The fake packets start with a TTL of 3, whereas the real attack packets start with a TTL of 7. The sensor sees both sets of packets, but the target host sees only the real attack packets. Although this attack is possible, it is not easy to use in practice because it requires a detailed understanding of the network topology and the location of the IDS sensors.
HIDS: Drawbacks
- Limited network view. Most host-based IDSs, for example, do not detect port scans against the host. It is almost impossible for a host-based IDS to detect reconnaissance scans against your network, and these scans are a key indicator of further attacks against your network.
- Must operate on every OS on the network.
- A HIDS must communicate its information to some type of central management facility. An attack might take a host's network communication offline; that host then cannot communicate any information to the central management facility.
NIDS
Network IDSs (NIDS) are intrusion detection systems that capture data packets traveling on the network media (cables, wireless) and match them against a database of signatures. Depending upon whether a packet matches an intruder signature, an alert is generated or the packet is logged to a file or database. One major use of Snort is as a NIDS.
NIDS (figure)
NIDS: Benefits
A network-based IDS examines packets to locate attacks against the network. The IDS sniffs the network packets and compares the traffic against signatures for known intrusive activity.
Benefits:
- Overall network perspective
- Does not have to run on every OS on the network
NIDS: Drawbacks
- Bandwidth. As network pipes grow larger and larger, it is difficult to successfully monitor all the traffic going across the network at a single point in real time without missing packets. More sensors need to be installed at locations throughout the network.
- Fragment reassembly. Network packets have a maximum size. If a connection needs to send data that exceeds this maximum bound, the data must be sent in multiple packets; this is known as fragmentation. When the receiving host gets the fragmented packets, it must reassemble the data. Not all hosts perform the reassembly process in the same order: some OSs start with the last fragment and work toward the first, others start at the first and work toward the last. The order does not matter if the fragments do not overlap. If they overlap, the result differs for each reassembly process.
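The variable-TTL attack from the HIDS slides and the overlapping-fragment problem on this slide share one mechanism: the sensor and the target host rebuild different byte streams from the same packets, so a signature can match at one and not the other. The following added example (not code from the original slides) models both with one small reassembler. The hop counts (sensor two routers from the attacker, host five), the payloads, the signature "/bin/sh" and the two overlap policies "first" and "last" are constructed assumptions; a "chunk" here stands for either an IP fragment or a TCP segment, since the overlap logic is the same for the purpose of the demonstration.

```python
"""One packet stream, two reconstructions: the sensor's and the target host's.

Added example, not code from the original slides. Hop counts, payloads, the
signature and the two reassembly policies are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    """A piece of a larger message (IP fragment or TCP segment); offset = where it lands."""
    offset: int
    data: bytes
    ttl: int  # initial IP time-to-live chosen by the sender


def reaches(chunk, hops):
    """Each router decrements TTL by one and discards the packet once it hits zero."""
    return chunk.ttl - hops > 0


def reassemble(chunks, policy="first"):
    """Rebuild the byte stream from chunks; `policy` decides overlapping bytes.

    'first': keep the byte already in place (favour the earlier chunk)
    'last' : let later chunks overwrite (favour the later chunk)
    """
    buf = {}
    for chunk in chunks:
        for i, byte in enumerate(chunk.data):
            pos = chunk.offset + i
            if policy == "first" and pos in buf:
                continue
            buf[pos] = byte
    return bytes(buf[pos] for pos in sorted(buf))


def view(chunks, hops, policy="first"):
    """What an observer `hops` routers from the sender receives and reassembles."""
    return reassemble([c for c in chunks if reaches(c, hops)], policy)


# --- Variable-TTL insertion (HIDS slides) ------------------------------------
SENSOR_HOPS = 2  # assumption: the NIDS tap is two routers from the attacker
TARGET_HOPS = 5  # assumption: the victim host is five routers away

# Real attack (TTL 7) split in two; chaff (TTL 3) sent first for the same offset.
# The chaff survives 2 hops (TTL 1 at the sensor) but is dropped by the third router.
WIRE = [
    Chunk(0, b"/bin/", ttl=7),
    Chunk(5, b"xx", ttl=3),  # bogus, lower TTL: the sensor sees it, the host never does
    Chunk(5, b"sh", ttl=7),
]
SIGNATURE = b"/bin/sh"

# --- Overlapping fragments (NIDS drawbacks slide) ----------------------------
FRAGMENTS = [
    Chunk(0, b"GET /cgi-bin/", ttl=64),
    Chunk(13, b"safe.cgi", ttl=64),  # arrives first
    Chunk(13, b"vuln.cgi", ttl=64),  # overlaps exactly the same 8 bytes
    Chunk(21, b" HTTP/1.0", ttl=64),
]


def summary():
    """Return the sensor/host views for both scenarios so they can be compared."""
    return {
        "ttl_sensor": view(WIRE, SENSOR_HOPS),                 # chaff wins: signature missed
        "ttl_host": view(WIRE, TARGET_HOPS),                   # chaff never arrives: attack lands
        "ttl_sensor_topology_aware": view(WIRE, TARGET_HOPS),  # sensor drops what cannot reach the host
        "frag_first_wins": reassemble(FRAGMENTS, "first"),
        "frag_last_wins": reassemble(FRAGMENTS, "last"),
    }


if __name__ == "__main__":
    s = summary()
    for name in ("ttl_sensor", "ttl_host", "ttl_sensor_topology_aware"):
        print(f"{name:26} {s[name]!r:12} {SIGNATURE!r} seen: {SIGNATURE in s[name]}")
    for name in ("frag_first_wins", "frag_last_wins"):
        print(f"{name:26} {s[name]!r}")
```

The "topology aware" entry is the countermeasure implied by the HIDS slides: the host's own IP stack gets the right answer for free, and a network sensor can only match it if it knows how many hops remain to the target and discards chunks whose TTL cannot survive them. The two fragment results show why a sensor must reassemble with the same overlap policy as the host it protects: with identical input, a "first wins" sensor reports a request for safe.cgi while a "last wins" host executes vuln.cgi.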
Hybrid Characteristics
Hybrid systems combine the functionality from several different IDS categories to create
Active vs. Passive IDS
Active IDS
- Probes systems to uncover attack artifacts
- May take corrective or preventive action: lock out a user ID; terminate a network connection and update a firewall rule
Passive IDS
- Monitors (does not alter) the event stream
- Alerts the user; the user is responsible for the response
Centralized vs. Distributed
Centralized
- Monitoring, analysis, and detection are performed by a single system
- Can it keep up with the event stream?
Distributed
- Many monitoring points or agents contribute to the process
- How do the entities communicate securely among themselves?
Real-Time vs. Interval
Real-Time
- Detection and response occur before the intrusion can take place (hopefully)
- Necessary for autonomous response
Interval
- Analysis and detection are reported over some time interval (e.g., once per day)
- The user is responsible for the response
Questions
- Is an active IDS the same thing as an IPS?
- Centralized and distributed