Security in Computing (3rd Edition)

Intrusion Detection
CS 161/194-1
Anthony D. Joseph
September 14, 2005
CS161 Fall 2005 Joseph/Tygar/Vazirani/Wagner

Outline
• History
• Network-based Host Compromise
• Host-based Network Intrusion Detection
  – Signature-based
  – Anomaly-based
• Distributed Network Intrusion Detection
  – Honeypots
  – Tarpits
• An attack against an IDS

Intrusion Detection History
• Detecting attempts to penetrate our systems
• Used for post-mortem activities
• Related problem of extrusion (info leaking out)
• In pre-network days (centralized mainframes)…
  – Primary concern is abuse and insider information access/theft
  – Reliance on logging and audit trails
  – But, highly labor intensive to analyze logs
• What is abnormal activity?
  – Ex: IRS employees snooping records
  – Ex: Moonlighting police officers

Network-based Host Compromises
• How do remote intruders gain access?
• They attempt network-based attacks that exploit OS & app bugs
  – Ex: Denial of service, spyware install, zombie, …

Host-based Network Intrusion Detection
• At each host, monitor all incoming and outgoing network traffic
  – for each packet:
    – Analyze 4-tuple and protocol
    – Examine contents
    – …
• Challenge: Separate “signal” from “noise”
  – Signal is an attack (intrusion)
  – Noise is normal “background” traffic
  – Assumption: can separate signal and noise…

Some Challenges
• What is normal traffic?
  – Server, desktop, PDA, PDA/phone, …
  – My normal traffic ≠ your normal traffic
  – Lots of data for servers
• Why do we need sufficient signal and noise separation?
  – To avoid too many false alarms!
• What happens if signals are missed?
  – Possible intrusion!
Some Common False Positives
• Proximity probes
  – Website load balancers will probe your machine for proximity
  – Connect to website hosted by mirror-image.com, and >10 load balancers in 6 countries probe your machine
• Stale IP caches
  – Using dynamic IP addresses, you may get the “old” address of someone who was running a P2P app
  – Peers continue to try to “re-connect”
• Web posts with dynamic IP addresses
  – Spiders crawl machine currently using IP address

Lots and Lots of Data!!
• Network trace from Win2K desktop

ZoneAlarm Logging Client v3.7.202
Windows 2000-5.0.2195-Service Pack 4-SP
type,date,time,source,destination,transport
FWIN,2004/01/15,13:17:38 -8:00 GMT,216.183.33.67:42645,128.32.168.229:6129,TCP (flags:S)
FWOUT,2004/01/15,13:18:00 -8:00 GMT,128.32.168.229:5000,68.26.217.204:5000,UDP
FWIN,2004/01/15,13:42:38 -8:00 GMT,61.178.60.11:0,128.32.168.229:0,ICMP (type:8/subtype:0)
FWIN,2004/01/15,13:42:48 -8:00 GMT,62.177.227.10:0,128.32.168.229:0,ICMP (type:8/subtype:0)
FWIN,2004/01/15,13:48:12 -8:00 GMT,128.32.41.80:1040,128.32.168.229:38293,UDP
FWIN,2004/01/15,13:58:30 -8:00 GMT,24.224.253.230:2446,128.32.168.229:6129,TCP (flags:S)
FWIN,2004/01/15,14:04:40 -8:00 GMT,80.116.4.42:0,128.32.168.229:0,ICMP (type:8/subtype:0)
FWOUT,2004/01/15,14:04:44 -8:00 GMT,128.32.168.229:5000,68.26.217.204:5000,UDP
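As an added illustration (not part of the lecture slides), a small Python parser for the ZoneAlarm trace above that recovers the 4-tuple and protocol of each logged packet and applies one crude signal/noise split from the "Host-based Network Intrusion Detection" slide: an inbound port or ICMP type hit by several distinct sources is surfaced as a candidate, single hits stay in the noise bucket. The sample lines are the ones on the slide; the function and field names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: the ZoneAlarm records reproduced from the slide above.
SAMPLE_LOG = """\
type,date,time,source,destination,transport
FWIN,2004/01/15,13:17:38 -8:00 GMT,216.183.33.67:42645,128.32.168.229:6129,TCP (flags:S)
FWOUT,2004/01/15,13:18:00 -8:00 GMT,128.32.168.229:5000,68.26.217.204:5000,UDP
FWIN,2004/01/15,13:42:38 -8:00 GMT,61.178.60.11:0,128.32.168.229:0,ICMP (type:8/subtype:0)
FWIN,2004/01/15,13:42:48 -8:00 GMT,62.177.227.10:0,128.32.168.229:0,ICMP (type:8/subtype:0)
FWIN,2004/01/15,13:48:12 -8:00 GMT,128.32.41.80:1040,128.32.168.229:38293,UDP
FWIN,2004/01/15,13:58:30 -8:00 GMT,24.224.253.230:2446,128.32.168.229:6129,TCP (flags:S)
FWIN,2004/01/15,14:04:40 -8:00 GMT,80.116.4.42:0,128.32.168.229:0,ICMP (type:8/subtype:0)
FWOUT,2004/01/15,14:04:44 -8:00 GMT,128.32.168.229:5000,68.26.217.204:5000,UDP
"""

@dataclass(frozen=True)
class Event:
    direction: str   # FWIN = blocked inbound, FWOUT = blocked outbound
    time: str        # HH:MM:SS as logged (zone suffix dropped)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # TCP / UDP / ICMP
    detail: str      # TCP flags or ICMP type, "" when absent

# "TCP (flags:S)" -> ("TCP", "flags:S"); "UDP" -> ("UDP", None)
_TRANSPORT = re.compile(r"^(\w+)(?:\s+\((.*)\))?$")

def parse_line(line):
    """Parse one ZoneAlarm record; return None for the header or junk lines."""
    fields = line.strip().split(",")
    if len(fields) != 6 or fields[0] not in ("FWIN", "FWOUT"):
        return None
    direction, _date, time_field, src, dst, transport = fields
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    m = _TRANSPORT.match(transport)
    return Event(direction, time_field.split()[0], src_ip, int(src_port),
                 dst_ip, int(dst_port), m.group(1), m.group(2) or "")

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def inbound_summary(events):
    """(proto, dst_port) -> set of distinct source IPs seen on blocked inbound packets."""
    seen = defaultdict(set)
    for e in events:
        if e.direction == "FWIN":
            seen[(e.proto, e.dst_port)].add(e.src_ip)
    return seen

def repeated_probes(events, min_sources=2):
    """Signal candidates: inbound targets hit by at least min_sources distinct hosts."""
    return {k: sorted(v) for k, v in inbound_summary(events).items()
            if len(v) >= min_sources}
```

On the slide's own eight records this surfaces TCP/6129 (two sources) and ICMP echo requests (three sources) and leaves the lone UDP/38293 hit, which on the "Some Common False Positives" slide could just as well be a proximity probe, for an analyst to review.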