June 1, 2004 Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #25-1
Chapter 25: Intrusion Detection
- Principles
- Basics
- Models of Intrusion Detection
- Architecture of an IDS
- Organization
- Incident Response
Slide #25-2: Principles of Intrusion Detection
- Characteristics of systems not under attack:
  1. User, process actions conform to a statistically predictable pattern
  2. User, process actions do not include sequences of actions that subvert the security policy
  3. Process actions correspond to a set of specifications describing what the processes are allowed to do
- Systems under attack do not meet at least one of these
Slide #25-3: Example
- Goal: insert a back door into a system
  - Intruder will modify a system configuration file or program
  - Requires privilege; attacker enters the system as an unprivileged user and must acquire privilege
- Nonprivileged user may not normally acquire privilege (violates #1)
- Attacker may break in using a sequence of commands that violate the security policy (violates #2)
- Attacker may cause a program to act in ways that violate the program's specification
Slide #25-4: Basic Intrusion Detection
- Attack tool is an automated script designed to violate a security policy
- Example: rootkit
  - Includes a password sniffer
  - Designed to hide itself using Trojaned versions of various programs (ps, ls, find, netstat, etc.)
  - Adds back doors (login, telnetd, etc.)
  - Has tools to clean up log entries (zapper, etc.)
Slide #25-5: Detection
- Rootkit configuration files cause ls, du, etc. to hide information
- ls lists all files in a directory
  - Except those hidden by the configuration file
- dirdump (local program to list directory entries) lists them too
- Run both and compare counts
  - If they differ, ls is doctored
- Other approaches possible
Slide #25-6: Key Point
- Rootkit does not alter kernel or file structures to conceal files, processes, and network connections
- It alters the programs or system calls that interpret those structures
- Find some entry point for interpretation that the rootkit did not alter
- The inconsistency is an anomaly (violates #1)
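The ls-versus-dirdump count comparison from slides 25-5 and 25-6, written out as an added example (my code, not from the book or the slides). It assumes os.scandir() is the reader the rootkit did not alter, since it goes straight to the kernel's directory-reading system call, and treats the ls binary as the suspect reader.

```python
"""Cross-check one directory through two independent interpreters.

A user-level rootkit doctors ls but leaves the kernel's directory structures
intact, so an unaltered reader of the same directory reports a different
entry count. Trusted side: os.scandir(). Suspect side: the ls program.
"""
import os
import subprocess
from typing import Iterable, List


def direct_entries(path: str) -> List[str]:
    """Entry names as the kernel reports them (the 'dirdump' side)."""
    return [entry.name for entry in os.scandir(path)]


def ls_entries(path: str, ls_binary: str = "ls") -> List[str]:
    """Entry names as the (possibly trojaned) ls program reports them.

    -a includes dot-files, -1 forces one name per line; '.' and '..' are
    dropped because os.scandir() never returns them. A name containing a
    newline would be split here, a limitation of parsing ls output.
    """
    proc = subprocess.run([ls_binary, "-a1", "--", path],
                          capture_output=True, text=True, check=True)
    return [n for n in proc.stdout.splitlines() if n not in (".", "..")]


def cross_check(trusted: Iterable[str], suspect: Iterable[str]) -> dict:
    """Compare two listings of the same directory.

    A non-empty 'hidden' list is the inconsistency the slide calls an anomaly.
    """
    trusted_set, suspect_set = set(trusted), set(suspect)
    return {
        "trusted_count": len(trusted_set),
        "suspect_count": len(suspect_set),
        "hidden": sorted(trusted_set - suspect_set),  # in kernel view, not in ls
        "extra": sorted(suspect_set - trusted_set),   # reported by ls only
        "doctored": trusted_set != suspect_set,
    }


def check_directory(path: str) -> dict:
    """Run both readers against a real directory and compare them."""
    return cross_check(direct_entries(path), ls_entries(path))


if __name__ == "__main__":
    import sys
    for directory in sys.argv[1:] or ["/tmp"]:
        result = check_directory(directory)
        print(directory, result["trusted_count"], result["suspect_count"],
              "INCONSISTENT" if result["doctored"] else "consistent",
              result["hidden"])
```

If the rootkit sits in the kernel instead (the case the slide excludes), both readers share the altered system call and this comparison sees nothing; the entry point for interpretation then has to come from somewhere the kernel does not mediate.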
Slide #25-7: Denning's Model
- Hypothesis: exploiting vulnerabilities requires abnormal use of normal commands or instructions
  - Includes deviation from usual actions
  - Includes execution of actions leading to break-ins
  - Includes actions inconsistent with specifications of privileged programs