Intrusion Detection - PowerPoint PPT Presentation

1 / 17
About This Presentation
Title:

Intrusion Detection

Description:

Intrusion Detection CIT304 University of Sunderland Harry R. Erwin, PhD Resources B. Schneier, 2000, Secrets and Lies, Wiley, ISBN: 0-471-25311-1. – PowerPoint PPT presentation

Number of Views:213
Avg rating:3.0/5.0
Slides: 18
Provided by: HarryE153
Category:

less

Transcript and Presenter's Notes

Title: Intrusion Detection


1
Intrusion Detection
  • CIT304
  • University of Sunderland
  • Harry R. Erwin, PhD

2
Resources
  • B. Schneier, 2000, Secrets and Lies, Wiley, ISBN
    0-471-25311-1.
  • E. Amoroso, 1999, Intrusion Detection,
    Intrusion.net, ISBN 0-9666700-7-8
  • R. G. Bace, 2000, Intrusion Detection, Macmillan
    Technical Publishing, ISBN 1-57870-185-6
  • We will mostly follow Schneier in this lecture.

3
Intrusion Detection Systems (IDS)
  • Network Monitorswatch your network looking for
    suspicious behavior
  • Often but not always based on Audit
  • Provide reactive rather than proactive security
  • Alert on successful and ongoing attacks
  • Need to be accurate in detecting attacks and in
    determining that an attack is not underway.
  • Also may provide diagnosis tools.

4
The False Alarm Problem
  • Base rate fallacysuppose you have a test that is
    99 accurate. Is this good?
  • Not necessarily!
  • Suppose the real attack rate is 1x10-6 per packet
    and there are 100,000,000 packets a day. This
    test will generate 10,000 false positives (100
    per day) for every real attack it detects (about
    4 per year). (Work it out)
  • If network attacks are rare, a test has to be
    powerful to be useful.
  • Hint this is a likely exam question.

5
The Timely Notification Problem
  • You may want to be warned in time to do
    something, but
  • What about slow attacks, running over hours or
    days? When should the IDS become suspicious and
    tell you?
  • What about ambiguous evidence? Do you really want
    to be warned about borderline cases?

6
The Response Problem
  • What do you do if you do hear an alarm? I.e., the
    current problem with giving out general warnings
    of terrorist activity.
  • Options include
  • Wait
  • Collect more information
  • Do something
  • Hope it goes away
  • You may be too busy fighting alligators to do
    anything intelligent about draining the swamp.

7
Approaches to Building an IDS
  • Misuse detection
  • IDS knows what an attack looks like and looks for
    it.
  • Network virus scanner
  • Fast, easy to build, has a low false positive
    rate.
  • Misses a lot and is easy to fool.
  • Probably will get better over time.

8
Approaches to Building an IDS (II)
  • Anomaly detection
  • Generates a statistical or neural network model
    of the network to figure out what is normal
  • Sounds an alarm for abnormal activity
  • Uses AI
  • Bayesian statistics
  • Neural networks
  • Expert systems

9
Problems with Anomaly Detection
  • Does the training data include an attack? Then
    hacking will be considered normal. 8(
  • New things happen on networks all the time.
    Successful retraining of an existing AI system to
    handle this is a hard problem, worth a PhD. 8(
  • How can it categorize attacks? That requires
    expert input. 8(
  • False positives are much higher. 8(
  • Attack indicators are brittle, so that hackers
    can sneak past them. 8(

10
Inline versus Audit-Based IDS
  • Should the IDS detect attacks in real-time or
    using audit log processing?
  • Inline will have incomplete data.
  • Inline is also computationally expensive.
  • Audit log processing is after the fact.
  • Audit log formats vary quite a bit.
  • A combined approach is feasible, but costly.

11
Host-Based versus Network-Based IDS
  • Network-based IDS is basically wire-tapping
  • Stealthy
  • Operating-system independent
  • Host-based IDS uses audit logs
  • From workstations, servers, switches, routers,
    etc.
  • Product-specific.

12
Make or Buy
  • Do your own monitoring or pay someone else?
  • Counterpane
  • Qinetiq
  • Trust issues particularly important.
  • In-house expertise requirement.

13
Honey Pots and Burglar Alarms
  • Burglar alarms are resources on the network that
    generate an alarm if accessed incorrectly.
  • Honey pots are burglar alarms dressed up to look
    attractive. May incorporate subnetworks and dummy
    computers.
  • Costly.
  • Have to look real to the attackers.
  • Legality important. Entrapment may be an issue,
    so intruders must be warned.
  • Read http//csrc.nist.gov/publications/secpubs/ber
    ferd.ps
  • See also http//www.strategypage.com/fyeo/howtomak
    ewar/default.asp?targetHTIW.HTM

14
Incident Handling Issues
  • Be prepared
  • Have procedures
  • Dont panic
  • When to call in the police?
  • Expectation management
  • Damage control
  • Dealing with witch hunts

15
IDS Requirements
  • Must be
  • Effective
  • Easy to use
  • Adaptable
  • Robust
  • Fast
  • Efficient
  • Safe

16
Future IDS Needs
  • Should be
  • Accommodating
  • Security enhancing
  • Scalable
  • Realistic
  • Hardened

17
Conclusions
  • We arent there yet,
  • But any IDS system is better than none at all.
  • This is the place to be if you want to work on
    secure systems development.
Write a Comment
User Comments (0)
About PowerShow.com