lecture9-IDS - Lecture 9 Network Intrusion Detection...
Lecture 9: Network Intrusion Detection Systems (NIDS)
Edward Schwartz, 18-731: Network Security, Spring 2009

Overview (slide 2)
  • Administrative issues
      Project proposal draft due
      HW1 due 2/17
  • In this lecture: NIDS (slides based on a lecture by John McHugh)
  • Upcoming lectures
      NIDS evasion techniques (Sudeep Modi)
      Accountability in NGSI
Overview of NIDS (slide 3)
  • What is IDS?
  • The ad hoc nature of the practice
      Avoiding IDS and countermeasures (next lecture!)
      Open questions and difficulties
      Base-rate fallacy
  • Different approaches
      Analysis method (signature vs. anomaly based)
      Sensor method (network vs. host based)
  • Central question: can either signature-based or anomaly-based approaches form a foundation for intrusion detection?

What is an Intrusion Detection System? (slide 4)
  • Device on a network/computer that monitors traffic and/or host activity looking for the following:
      Malicious traffic, such as attempts to circumvent identification & authorization or other access controls
      Reconnaissance traffic, such as port scans
      Unusual traffic: type, level, source, etc.
      Activity on host systems that is outside of known patterns
  • Device then logs and reports activity in a prescribed manner
  • An Intrusion Prevention System can also block this traffic from reaching its target. Problems?
Purpose (slide 5)
  • Application to security approaches: prevention, detection and recovery, resilience, deterrence
  • Must be able to detect successful attacks in order to recover from them and continue maintaining security properties
  • Must be able to detect attacks (and attempted attacks) to provide deterrence

Threat history (CERT) (slide 6; the slide body is not included in the preview)
IDS Terminology (slide 7)
  • Sensor
  • Analyzer
  • Alert mechanism
  • Logging/audit mechanism
  • False negative
  • False positive

  Outcome table, with A = Alarm and I = Intrusion:

               A                 ¬A
      I        true positive     false negative
      ¬I       false positive    true negative

Types of IDS (slide 8)
  Two independent axes of classification:
  • Analysis type: signature-based vs. anomaly-based
  • Sensor type: host-based vs. network-based
Classical Detection Theory (slide 9)
  • Classical detection theory provides ways to estimate whether a given sample comes from a signal-plus-noise distribution or from a noise-only distribution
      Intrusions are the signal, and normal usage is the noise.
      Signature-based IDS look only at the signal distribution.
      Anomaly-based IDS look only at the noise distribution.
      Challenge: we need to know the signal and noise distributions
  • We have no theory to describe either

So, what is an intrusion?
  • If we had a good model of intrusive behavior and its manifestations, we might be on the road to foundations for detecting intrusions
      We have some intuitions that give us moderate detection abilities, but these arise from point solutions rather than general principles
      Much of this is based on malicious activity that has been detected. What about the undetected behavior? (The most serious!)
      We will gain only modest improvements from refinements in these approaches
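The three ideas above fit together numerically: the alarm/intrusion outcome table from the terminology slide gives false-positive and false-negative rates, the signal-plus-noise model from the detection-theory slide determines those rates for a threshold detector, and the base-rate fallacy listed under open questions is what happens when a low false-positive rate meets a very rare signal. The following Python is a worked example added here; it is not code from the lecture. It assumes the simplest classical model (noise-only samples as N(0,1), signal-plus-noise samples as N(d,1), alarm when a sample exceeds a threshold), and the event list, threshold, separation and base rate are all constructed values.

```python
"""Worked example added to this page (not from the lecture slides): the
alarm/intrusion outcome table, a threshold detector over an assumed
"signal plus noise" versus "noise" Gaussian model, and the Bayesian
computation behind the base-rate fallacy. All numbers are constructed."""
from dataclasses import dataclass
from math import erf, sqrt


@dataclass(frozen=True)
class Confusion:
    """Counts for the 2x2 table: I = intrusion occurred, A = alarm raised."""
    tp: int  # I and A: detected intrusion
    fn: int  # I and not A: false negative (missed intrusion)
    fp: int  # not I and A: false positive (false alarm)
    tn: int  # not I and not A: benign activity, no alarm

    @property
    def false_positive_rate(self) -> float:
        """P(A | not I): share of benign events that raised an alarm."""
        return self.fp / (self.fp + self.tn)

    @property
    def false_negative_rate(self) -> float:
        """P(not A | I): share of intrusions the detector missed."""
        return self.fn / (self.tp + self.fn)


def tabulate(events):
    """Build the outcome table from (intrusion, alarm) boolean pairs."""
    tp = fn = fp = tn = 0
    for intrusion, alarm in events:
        if intrusion and alarm:
            tp += 1
        elif intrusion:
            fn += 1
        elif alarm:
            fp += 1
        else:
            tn += 1
    return Confusion(tp=tp, fn=fn, fp=fp, tn=tn)


# Constructed ground truth for ten events: (was an intrusion, detector alarmed).
SAMPLE_EVENTS = [
    (True, True), (True, True), (True, False),
    (False, True), (False, True),
    (False, False), (False, False), (False, False), (False, False), (False, False),
]


def normal_cdf(x: float) -> float:
    """Phi(x) for the standard normal distribution, via the error function."""
    return 0.5 * (1.0 + erf(x / sqrt(2.0)))


def threshold_detector_rates(threshold: float, separation: float):
    """Assumed model: noise-only samples ~ N(0, 1), signal-plus-noise samples
    ~ N(separation, 1); the detector alarms when a sample exceeds `threshold`.
    Returns (true_positive_rate, false_positive_rate)."""
    tpr = 1.0 - normal_cdf(threshold - separation)  # P(A | I)
    fpr = 1.0 - normal_cdf(threshold)               # P(A | not I)
    return tpr, fpr


def p_intrusion_given_alarm(base_rate: float, tpr: float, fpr: float) -> float:
    """Bayes' rule: P(I | A) = P(A|I)P(I) / (P(A|I)P(I) + P(A|not I)P(not I)).
    This is the quantity the base-rate fallacy is about: the false-positive
    rate looks small until it is multiplied by the huge benign population."""
    p_alarm = base_rate * tpr + (1.0 - base_rate) * fpr
    return 0.0 if p_alarm == 0.0 else base_rate * tpr / p_alarm


if __name__ == "__main__":
    table = tabulate(SAMPLE_EVENTS)
    print(f"FPR={table.false_positive_rate:.3f} FNR={table.false_negative_rate:.3f}")
    tpr, fpr = threshold_detector_rates(threshold=2.0, separation=4.0)
    # Constructed base rate: one intrusion per 10,000 events.
    print(f"TPR={tpr:.4f} FPR={fpr:.4f} "
          f"P(I|A)={p_intrusion_given_alarm(1e-4, tpr, fpr):.4f}")
```

With a threshold of 2.0 and a separation of 4.0 the detector catches about 97.7% of intrusions with a 2.3% false-positive rate, which sounds respectable; at a base rate of one intrusion per 10,000 events, fewer than one alarm in two hundred is a real intrusion. Raising the threshold lowers the false-positive rate but raises the false-negative rate, and without a model of the signal distribution (the challenge the slide names) there is no principled way to choose the operating point.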
Course listing: Spring '08, Perrig
Tags: Intrusion prevention system, Network intrusion detection system, Host-based intrusion detection system, Intrusion detection system, Morris worm
