Intrusion Detection - Introduction to Computer Security - Lecture Slides, Slides of Computer Security

The major points which are very useful in understanding the concept of the computer security are: Intrusion Detection, Historical Research, Prevention, Plan For Loss, Prevention Techniques, Misuse Prevention, Secure Local and Network Resources, Techniques, Cryptography, Identification

Typology: Slides

2012/2013

Uploaded on 04/22/2013

satheesh

Intrusion Detection

Historical Research - Prevention

It is better to prevent something than to plan for loss.

Contributing Factors for Misuse

  • Many security flaws in systems
  • Secure systems are expensive
  • Secure systems are not user-friendly
  • “Secure systems” still have flaws
  • Insider Threat
  • Hackers’ skills and tools improve

Need:

  • Intrusion Prevention: protect system resources
  • Intrusion Detection (second line of defense): discriminate intrusion attempts from normal system usage
  • Intrusion Recovery: cost-effective recovery models

Intrusion Detection - Milestones

  • 1980 : Deviation from historical system usage (Anderson)
  • 1987 : framework for general-purpose intrusion detection system (Denning)
  • 1988 : intrusion detection research splits
    • Attack signatures based detection (MIDAS)
    • Anomaly detection based detection (IDES)

Intrusion Detection - Milestones

  • Early 1990s : Commercial installations
    • IDES, NIDES (SRI)
    • Haystack, Stalker (Haystack Laboratory Inc.)
    • Distributed Intrusion Detection System (Air Force)
  • Late 1990s - today :
    • Integration of audit sources
    • Network based intrusion detection
    • Hybrid models
    • Immune system based IDS

Phases of Intrusion

  • Intelligence gathering : attacker observes the system to determine vulnerabilities
  • Planning : attacker decides which resource to attack (usually the least defended component)
  • Attack : attacker carries out the plan
  • Hiding : attacker covers tracks of attack
  • Future attacks : attacker installs backdoors for future entry points

Times of Intrusion Detection

  • Real-time intrusion detection
    • Advantages:
      • May detect intrusions in early stages
      • May limit damage
    • Disadvantages:
      • May slow down system performance
      • Trade off between speed of processing and accuracy
      • Hard to detect partial attacks

Audit Data

  • Format, granularity and completeness depend on the collecting tool
  • Examples
    • System tools collect data (login, mail)
    • Additional low-level system data collection
    • “Sniffers” as network probes
    • Application auditing
  • Needed for
    • Establishing guilt of attackers
    • Detecting subversive user activity

Audit-Based Intrusion Detection

Diagram: Audit Data → Intrusion Detection System (Profiles, Rules, etc.) → Decision

Need :

  • Audit data
  • Ability to characterize behavior

False Positive vs. False Negative

  • False positive : non-intrusive but anomalous activity
    • Security policy is not violated
    • Causes unnecessary interruption
    • May cause users to become unsatisfied
  • False negative : non-anomalous but intrusive activity
    • Security policy is violated
    • Undetected intrusion

Intrusion Detection Techniques

  1. Anomaly Detection
  2. Misuse Detection
  3. Hybrid Misuse/Anomaly Detection
  4. Immune System Based IDS

Rules and Profiles

  • Rule-based techniques:
    • Define rules to describe normal behavior or known attacks
    • Good for both anomaly-based and misuse-based detection:
      • Anomaly-based: looks for deviations from previous usage
      • Misuse-based: define rules to represent known attacks

Anomaly Detection Techniques

Assume that all intrusive activities are necessarily anomalous; therefore, flag all system states that vary from a “normal activity profile”.
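The following is an added example, not from the slides, that ties the "Rules and Profiles", "False Positive vs. False Negative" and "Anomaly Detection" slides together: a misuse rule (a known brute-force pattern) and a per-user anomaly profile built from historical usage are run over constructed audit records, and the alerts are scored against ground-truth labels to count false positives and false negatives. The field names, thresholds and records are assumptions made up for the example.

```python
from statistics import mean, pstdev

# Constructed audit records (not from the slides). TRAINING is assumed-normal
# historical usage; SESSIONS carries a ground-truth label used only for scoring.
TRAINING = [
    {"user": "alice", "files_read": 20}, {"user": "alice", "files_read": 24},
    {"user": "alice", "files_read": 22}, {"user": "alice", "files_read": 18},
    {"user": "bob", "files_read": 5}, {"user": "bob", "files_read": 7},
    {"user": "bob", "files_read": 6}, {"user": "bob", "files_read": 4},
]
SESSIONS = [
    {"user": "alice", "failed_logins": 0, "files_read": 21, "intrusive": False},
    {"user": "alice", "failed_logins": 0, "files_read": 60, "intrusive": True},   # mass read: profile catches it
    {"user": "bob", "failed_logins": 9, "files_read": 6, "intrusive": True},      # brute force: rule catches it
    {"user": "bob", "failed_logins": 0, "files_read": 30, "intrusive": False},    # legitimate bulk job: false positive
    {"user": "bob", "failed_logins": 2, "files_read": 7, "intrusive": True},      # stealthy misuse: false negative
]

FAILED_LOGIN_LIMIT = 5   # misuse rule: known attack pattern (assumed threshold)
SIGMA_THRESHOLD = 3.0    # anomaly rule: allowed deviation from the profile

def build_profiles(records):
    """Per-user 'normal activity profile': mean and std-dev of files_read."""
    by_user = {}
    for r in records:
        by_user.setdefault(r["user"], []).append(r["files_read"])
    return {u: (mean(v), pstdev(v)) for u, v in by_user.items()}

def misuse_alert(session):
    """Rule-based misuse detection: the session matches a known brute-force signature."""
    return session["failed_logins"] >= FAILED_LOGIN_LIMIT

def anomaly_alert(session, profiles):
    """Profile-based anomaly detection: the session deviates from historical usage."""
    mu, sigma = profiles[session["user"]]
    sigma = sigma or 1.0  # guard against a zero-variance profile
    return abs(session["files_read"] - mu) / sigma > SIGMA_THRESHOLD

def evaluate(sessions, profiles):
    """Hybrid misuse/anomaly detector scored against the labels."""
    tp = fp = fn = 0
    for s in sessions:
        alert = misuse_alert(s) or anomaly_alert(s, profiles)
        if alert and not s["intrusive"]:
            fp += 1      # anomalous but not intrusive: unnecessary interruption
        elif not alert and s["intrusive"]:
            fn += 1      # intrusive but not anomalous: undetected intrusion
        elif alert:
            tp += 1
    return {"true_positive": tp, "false_positive": fp, "false_negative": fn}

if __name__ == "__main__":
    print(evaluate(SESSIONS, build_profiles(TRAINING)))
```

Raising SIGMA_THRESHOLD removes the false positive on bob's bulk job but cannot recover the stealthy session, which is the trade-off the slides describe.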