Security in Computing (3rd Edition)

Intrusion Detection
CS 161/194-1
Anthony D. Joseph
September 14, 2005

September 14, 2005 CS161 Fall 2005 Joseph/Tygar/Vazirani/Wagner

Slide 2: Outline
• History
• Network-based Host Compromise
• Host-based Network Intrusion Detection
  – Signature-based
  – Anomaly-based
• Distributed Network Intrusion Detection
  – Honeypots
  – Tarpits
• An attack against an IDS

Slide 3: Intrusion Detection History
• Detecting attempts to penetrate our systems
  – Used for post-mortem activities
  – Related problem of extrusion (info leaking out)
• In pre-network days (centralized mainframes)…
  – Primary concern is abuse and insider information access/theft
  – Reliance on logging and audit trails
• But, highly labor intensive to analyze logs
  – What is abnormal activity?
  – Ex: IRS employees snooping records
  – Ex: Moonlighting police officers

Slide 4: Network-based Host Compromises
• How do remote intruders gain access?
• They attempt network-based attacks that exploit OS & app bugs
  – Ex: Denial of service, spyware install, zombie,

Slide 5: Host-based Network Intrusion Detection
• At each host, monitor all incoming and outgoing network traffic
  – For each packet:
  – Analyze 4-tuple and protocol
  – Examine contents
  – …
• Challenge: Separate “signal” from “noise”
  – Signal is an attack (intrusion)
  – Noise is normal “background” traffic
  – Assumption: can separate signal and noise…

Slide 6: Some Challenges
• What is normal traffic?
  – Server, desktop, PDA, PDA/phone, …
  – My normal traffic ≠ your normal traffic
  – Lots of data for servers
• Why do we need sufficient signal and noise separation?
  – To avoid too many false alarms!
• What happens if signals are missed?
  – Possible intrusion!
Slide 7: Some Common False Positives
• Proximity probes
  – Website load balancers will probe your machine for proximity
  – Connect to a website hosted by mirror-image.com, and >10 load balancers in 6 countries probe your machine
• Stale IP caches
  – Using dynamic IP addresses, you may get the “old” address of someone who was running a P2P app
  – Peers continue to try to “re-connect”
• Web posts with dynamic IP addresses
  – Spiders crawl the machine currently using the IP address

Slide 8: Lots and Lots of Data!!
• Network trace from Win2K desktop

  ZoneAlarm Logging Client v3.7.202
  Windows 2000-5.0.2195-Service Pack 4-SP
  type,date,time,source,destination,transport
  FWIN,2004/01/15,13:17:38 -8:00 GMT,216.183.33.67:42645,128.32.168.229:6129,TCP (flags:S)
  FWOUT,2004/01/15,13:18:00 -8:00 GMT,128.32.168.229:5000,68.26.217.204:5000,UDP
  FWIN,2004/01/15,13:42:38 -8:00 GMT,61.178.60.11:0,128.32.168.229:0,ICMP (type:8/subtype:0)
  FWIN,2004/01/15,13:42:48 -8:00 GMT,62.177.227.10:0,128.32.168.229:0,ICMP (type:8/subtype:0)
  FWIN,2004/01/15,13:48:12 -8:00 GMT,128.32.41.80:1040,128.32.168.229:38293,UDP
  FWIN,2004/01/15,13:58:30 -8:00 GMT,24.224.253.230:2446,128.32.168.229:6129,TCP (flags:S)
  FWIN,2004/01/15,14:04:40 -8:00 GMT,80.116.4.42:0,128.32.168.229:0,ICMP (type:8/subtype:0)
  FWOUT,2004/01/15,14:04:44 -8:00 GMT,128.32.168.229:5000,68.26.217.204:5000,UDP
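The per-packet "analyze 4-tuple and protocol" step from slide 5 applied to the ZoneAlarm trace on slide 8, as an added example that is not part of the lecture: it parses each record, keeps only inbound (FWIN) traffic, and groups it by protocol and destination port to show which services were touched by several unrelated sources. The record layout follows the slide's own header line; the grouping threshold and function names are assumptions.

```python
from collections import defaultdict

# ZoneAlarm records copied from the slide; treated here as a constructed sample.
SAMPLE_LOG = """\
FWIN,2004/01/15,13:17:38 -8:00 GMT,216.183.33.67:42645,128.32.168.229:6129,TCP (flags:S)
FWOUT,2004/01/15,13:18:00 -8:00 GMT,128.32.168.229:5000,68.26.217.204:5000,UDP
FWIN,2004/01/15,13:42:38 -8:00 GMT,61.178.60.11:0,128.32.168.229:0,ICMP (type:8/subtype:0)
FWIN,2004/01/15,13:42:48 -8:00 GMT,62.177.227.10:0,128.32.168.229:0,ICMP (type:8/subtype:0)
FWIN,2004/01/15,13:48:12 -8:00 GMT,128.32.41.80:1040,128.32.168.229:38293,UDP
FWIN,2004/01/15,13:58:30 -8:00 GMT,24.224.253.230:2446,128.32.168.229:6129,TCP (flags:S)
FWIN,2004/01/15,14:04:40 -8:00 GMT,80.116.4.42:0,128.32.168.229:0,ICMP (type:8/subtype:0)
FWOUT,2004/01/15,14:04:44 -8:00 GMT,128.32.168.229:5000,68.26.217.204:5000,UDP
"""

def parse_line(line):
    """One record -> direction, timestamp, 4-tuple, protocol; None for malformed input."""
    fields = line.strip().split(",")
    if len(fields) != 6:
        return None
    direction, date, time, src, dst, transport = fields
    src_ip, src_port = src.rsplit(":", 1)   # port field is 0 for ICMP records
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"dir": direction, "ts": f"{date} {time}",
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "proto": transport.split(" ", 1)[0]}   # "TCP (flags:S)" -> "TCP"

def inbound_by_service(log_text):
    """Group inbound (FWIN) records by (proto, dst_port) -> sorted distinct source IPs.
    Outbound (FWOUT) records are the host's own traffic and are left out."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dir"] == "FWIN":
            sources[(rec["proto"], rec["dst_port"])].add(rec["src_ip"])
    return {svc: sorted(ips) for svc, ips in sources.items()}

def services_probed_by_many(log_text, min_sources=2):
    """Services hit by at least min_sources distinct senders: the slice of the trace
    worth a human look (one port, unrelated sources), not yet a verdict of attack."""
    summary = inbound_by_service(log_text)
    return sorted(svc for svc, ips in summary.items() if len(ips) >= min_sources)

if __name__ == "__main__":
    for svc, ips in sorted(inbound_by_service(SAMPLE_LOG).items()):
        print(f"{svc[0]}/{svc[1]}: {len(ips)} source(s) {ips}")
    print("review:", services_probed_by_many(SAMPLE_LOG))
```

On the slide's eight records this singles out TCP/6129 (two SYNs from different networks) and the ICMP echo requests (three sources), while the repeated outbound UDP to one peer stays in the "noise" bucket; the same grouping over a day of desktop traffic is where the slide's proximity probes and stale-cache reconnects show up as known false positives.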

This note was uploaded on 01/29/2008 for the course CS 194 taught by Professor Joseph during the Fall '05 term at University of California, Berkeley.
