Definitions
Intrusion
A set of actions aimed to compromise the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource
Intrusion detection
The process of identifying and responding to intrusion activities. Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.
Misuse Detection
[Figure: known intrusion patterns are matched (pattern matching) against observed intrusion activities]
Example: if (src_ip == dst_ip) then land attack
Limitation: Can't detect new attacks
Signature-Based Intrusion Detection Systems
Watch for patterns of events specific to known and documented attacks
Typically connected to a large database which houses attack signatures
Presumed to be able to detect only attacks known to its database
Performance lag when intrusion patterns match several attack signatures
The term signature refers to a set of conditions that, when met, indicate some type of intrusion event. PMD detects a pattern which matches closely the activity that is typical of a network intrusion, so if a pattern or set of events matches, this may indicate a specific attack on the system that has been previously documented. PMD is usually associated with misuse intrusion (attacks from inside). Pattern matching looks for a fixed sequence of bytes within a single packet, and traffic is filtered to a source or destination port. (Source: Informit.com)
Anomaly Detection
The primary strength is its ability to recognize novel attacks.
Assumes that intrusions will be accompanied by manifestations that are sufficiently unusual so as to permit detection. These generate many false alarms and hence compromise the effectiveness of the IDS.
[Figure: activity measures (CPU vs. process size) plotted against the normal profile; abnormal points outside the profile are flagged as probable intrusion]
Problem: Relatively high false positive rate; anomalies can just be new normal activities.
Identify intrusions by detecting anomalies
Works on the notion that attack behavior differs enough from normal user behavior
System administrator defines the baseline of normal behavior
Ability to detect new attacks
Issues: false positives, heavy processing overheads, time to create statistically significant baselines
How? The system keeps two distinct sets of data: a long-term usage data profile and a short-term observed usage data profile. The long-term usage data profile is a combination of the usage patterns that were detected over the long run, and the short-term profile likewise covers recently observed usage. Long-term and short-term usage data are compared, and standard deviations are computed. If the deviations are statistically significant, then they are reported as potential attacks.
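The two approaches above side by side, as an added illustration that is not part of the lecture: the land-attack rule from the misuse-detection slide run over constructed packets, and the long-term/short-term profile comparison from this slide run over constructed CPU measurements (all sample values, thresholds and function names are assumptions made here).

```python
import statistics

# Constructed sample input (not from the lecture): packets as (src_ip, dst_ip, dst_port)
PACKETS = [
    ("192.0.2.10", "192.0.2.20", 80),
    ("192.0.2.20", "192.0.2.20", 139),  # src == dst: matches the land-attack signature
    ("192.0.2.11", "192.0.2.20", 443),
]

# Constructed activity measure: average CPU load (%) per hour.
LONG_TERM_CPU = [18, 22, 18, 22, 20, 24, 16, 20, 20, 20, 20, 20]  # long-term profile
RECENT_NORMAL_CPU = [19, 21, 20, 22]    # short-term observation, ordinary day
RECENT_ABNORMAL_CPU = [27, 29, 30, 26]  # short-term observation, sustained spike


def land_attack_signature(pkt):
    """Misuse detection rule from the slides: if src_ip == dst_ip then land attack."""
    src, dst, _port = pkt
    return src == dst


def misuse_alerts(packets, signatures=(land_attack_signature,)):
    """Run every signature over every packet; only a documented pattern raises an alert."""
    return [(sig.__name__, pkt) for pkt in packets for sig in signatures if sig(pkt)]


def deviation_in_sigmas(long_term, short_term):
    """Anomaly detection: distance of the short-term mean from the long-term mean,
    measured in long-term standard deviations."""
    mu = statistics.fmean(long_term)
    sigma = statistics.pstdev(long_term)
    observed = statistics.fmean(short_term)
    if sigma == 0.0:  # flat profile: any change at all is unusual
        return 0.0 if observed == mu else float("inf")
    return (observed - mu) / sigma


def is_anomalous(long_term, short_term, threshold=3.0):
    """Report a potential attack when the deviation is statistically significant
    (assumed cut-off: at least `threshold` standard deviations)."""
    return abs(deviation_in_sigmas(long_term, short_term)) >= threshold


if __name__ == "__main__":
    for name, pkt in misuse_alerts(PACKETS):
        print(f"misuse alert: {name} matched {pkt}")
    for label, recent in (("normal", RECENT_NORMAL_CPU), ("abnormal", RECENT_ABNORMAL_CPU)):
        z = deviation_in_sigmas(LONG_TERM_CPU, recent)
        verdict = "probable intrusion" if is_anomalous(LONG_TERM_CPU, recent) else "within profile"
        print(f"{label}: {z:+.2f} sigma -> {verdict}")
```

Note that the abnormal sample would be flagged just the same if the spike were a legitimate new batch job, which is the false-positive problem the slide raises; the signature rule has the opposite weakness and stays silent on anything not in its rule set.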
Network IDSs
Deploying sensors at strategic locations
E.g., packet sniffing via tcpdump at routers
What is a Honeypot?
An information system resource whose value lies in unauthorized or illicit use of that resource [Spitzner]
A honeypot is put up for several reasons:
To watch what attackers do, in order to learn about new attacks
To lure an attacker to a place in which one may be able to learn enough to identify and stop the attacker
To distract adversaries from more valuable machines on a network
Uses of Honeypots