lecture9-IDS - Lecture 9 Network Intrusion Detection...

Slide 1: Lecture 9, Network Intrusion Detection Systems (NIDS)
Edward Schwartz, 18-731: Network Security, Spring 2009

Slide 2: Overview
- Administrative issues
  - Project proposal draft due
  - HW1 due 2/17
- In this lecture: NIDS
  - Slides based on a lecture by John McHugh
- Upcoming lectures
  - NIDS evasion techniques (Sudeep Modi)
  - Accountability in NGSI
Slide 3: Overview of NIDS
- What is an IDS?
- The ad hoc nature of the practice
  - Avoiding IDS and countermeasures (next lecture!)
  - Open questions and difficulties
  - Base-rate fallacy
- Different approaches
  - Analysis method (signature-based vs. anomaly-based)
  - Sensor method (network-based vs. host-based)
- Central question: can either signature-based or anomaly-based approaches form a foundation for intrusion detection?

Slide 4: What is an Intrusion Detection System?
- A device on a network or computer that monitors traffic and/or host activity, looking for the following:
  - Malicious traffic, such as attempts to circumvent
  - Reconnaissance traffic, such as port scans
  - Unusual traffic: type, level, source, etc.
  - Activity on host systems that is outside of known patterns
- The device then logs and reports the activity in a prescribed manner
- An Intrusion Prevention System can also block this traffic from reaching its target
  - Problems?
Slide 5: Purpose
- Application to security approaches
  - Prevention
  - Detection and recovery
  - Resilience
  - Deterrence
- Must be able to detect successful attacks in order to recover from them and continue maintaining security properties
- Must be able to detect attacks (and attempted attacks) to provide deterrence

Slide 6: Threat history (CERT)
[Figure: chart of threat history from CERT data; image not included in this preview]
Slide 7: IDS Terminology
- Sensor
- Analyzer
- Alert mechanism
- Logging/audit mechanism
- False negative
- False positive

Outcome table (A = Alarm, I = Intrusion):

            I                   ¬I
  A         true positive       false positive
  ¬A        false negative      true negative

Slide 8: Types of IDS
Two independent axes:
- Analysis type: signature-based vs. anomaly-based
- Sensor type: host-based vs. network-based

                    Signature-based     Anomaly-based
  Host-based        host/signature      host/anomaly
  Network-based     network/signature   network/anomaly
Slide 9: Classical Detection Theory
- Classical detection theory provides ways to estimate whether a given sample comes from a signal-plus-noise distribution or from a noise-only distribution
  - Intrusions are the signal, and normal usage is the noise
  - Signature-based IDS look only at the signal distribution
  - Anomaly-based IDS look only at the noise distribution
  - Challenge: we need to know the signal and noise distributions
- We have no theory to describe either

Slide 10: So, what is an intrusion?
- If we had a good model of intrusive behavior and its manifestations, we might be on the road to foundations for detecting intrusions
  - We have some intuitions that give us moderate detection abilities, but these arise from point solutions rather than general principles
  - Much of this is based on malicious activity that has been detected. What about the undetected behavior? (The most serious!)
  - We will gain only modest improvements from refinements of these approaches
- We need a better understanding of the whole security process, including a precise framework for defining and discussing intrusions
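The base-rate fallacy named on slide 3 follows directly from the alarm/intrusion table on slide 7 and the signal/noise framing on slide 9: even a detector with a tiny per-event false-alarm rate produces mostly false alarms when intrusions are rare. The script below is an added illustration, not part of the lecture; the event volume, base rate and error rates are constructed sample values, and the function names are ours.

```python
from fractions import Fraction

def alarm_table(n_events, base_rate, detection_rate, false_alarm_rate):
    """Expected counts for the Alarm x Intrusion table over n_events audit records.

    base_rate        P(I)   : fraction of events that are intrusions
    detection_rate   P(A|I) : probability the sensor alarms on an intrusion
    false_alarm_rate P(A|~I): probability the sensor alarms on a benign event
    Returns {(alarm, intrusion): expected_count}.
    """
    intrusions = n_events * base_rate
    benign = n_events - intrusions
    return {
        (True, True): intrusions * detection_rate,          # true positives
        (False, True): intrusions * (1 - detection_rate),   # false negatives
        (True, False): benign * false_alarm_rate,           # false positives
        (False, False): benign * (1 - false_alarm_rate),    # true negatives
    }

def p_intrusion_given_alarm(base_rate, detection_rate, false_alarm_rate):
    """Bayes' rule: P(I|A) = P(A|I)P(I) / (P(A|I)P(I) + P(A|~I)P(~I))."""
    tp = detection_rate * base_rate
    fp = false_alarm_rate * (1 - base_rate)
    return tp / (tp + fp)

def required_false_alarm_rate(base_rate, detection_rate, target_ppv):
    """Largest P(A|~I) for which P(I|A) still reaches target_ppv (inverse of Bayes)."""
    tp = detection_rate * base_rate
    fp = tp * (1 - target_ppv) / target_ppv
    return fp / (1 - base_rate)

if __name__ == "__main__":
    # Constructed scenario: 1,000,000 audit events/day, 20 real intrusions,
    # a perfect detector (P(A|I) = 1) with a 1-in-100,000 false-alarm rate.
    n_events = 1_000_000
    base = Fraction(20, n_events)       # P(I) = 1/50000
    det = Fraction(1)
    fpr = Fraction(1, 100_000)
    table = alarm_table(n_events, base, det, fpr)
    ppv = p_intrusion_given_alarm(base, det, fpr)
    print("expected false alarms/day:", float(table[(True, False)]))   # ~10
    print("P(intrusion | alarm):", float(ppv))                          # ~0.667
    # How good must the false-alarm rate be for 99% of alarms to be real?
    print("FPR needed for 99% PPV:", float(required_false_alarm_rate(base, det, Fraction(99, 100))))
```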