IDSintro - Auditing Introduction to Intrusion Detection...

Slide 1: Introduction to Intrusion Detection (Intrusion Detection, CS177, 2011)

Slide 2: Auditing
Logging: the recording of events or statistics to provide information about system use and performance
Auditing: the analysis of log records to present information about the system in a clear and understandable manner
Problems
– what information to log
– what information to audit

Slide 3: Uses
• Describe security state
– Determine if system enters unauthorized state
• Evaluate effectiveness of protection mechanisms
– Determine which mechanisms are appropriate and working
– Deter attacks because of presence of record

Slide 4: Components of an Auditing System
Logger – a mechanism that records information – called "audit records"
Analyzer – analyzes the records to determine if the data needs to be changed and to detect some event or problem
Notifier – informs the analyst of the results of the audit

Slide 5: Audit Record Format
• Existing audit collection mechanisms often collect too much non-essential data and may not collect all of the data relevant to a specific tool
• However, in many cases all that is needed is an audit record preprocessor to translate an audit trail into the appropriate input for a specific tool
• Standards for audit record format have been proposed
– POSIX
– DNSIX

Slide 6: Definitions
Threat – the potential for deliberate and unauthorized
– access to information
– manipulation of information
– rendering a system inoperable or unreliable
Attack – a scenario or set of actions formulated to carry out a threat
Penetration or intrusion – a successful attack

Slide 7: Attack Prevention
• Authentication – requires users to provide proof of identity
• Authorization – grants access only to those who are authorized
• Cryptography – protects transmitted data from eavesdropping and tampering

Slide 8: Despite Prevention Efforts
• Systems are not secure
• Solution is Intrusion Detection

Slide 9: Intrusion Detection Systems (IDSs)
• Provide an extra layer of defense
• Try to detect intruders by examining a time-ordered stream of events from a set of domains
– Network (e.g., packets, streams)
– Host (e.g., system calls, audit records)
– Application (e.g., syslog, HTTP access logs)
• Act as an early warning system
• Produce alerts whenever an attack is detected

Slide 10: IDS Architecture (block diagram with these components)
• Event Provider
• Detection/Analysis Engine
• Knowledge Base
• Response Module
• Alert Database

Slide 13: Three Classes of Users (Anderson '80)
• Masquerader – an individual who penetrates a system's authentication controls to exploit a legitimate user's account
• Misfeasor – a legitimate user who participates in illicit activity
• Clandestine user – a user who seizes supervisory control of the system
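The auditing components of slide 4 (logger, analyzer, notifier), the audit record preprocessor of slide 5 and the IDS pipeline of slides 9 and 10, as an added Python example that is not part of the original slides: a preprocessor translates two constructed audit trails (an sshd host log and an HTTP access log) into one common, time-ordered record format, and an analysis engine applies one constructed knowledge-base rule (three authentication failures by the same account within 30 seconds, counted across both domains) to produce alerts. The log lines, regular expressions, record fields and rule thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed sample audit trails from two event domains (not real logs).
HOST_TRAIL = [
    "2011-10-03T09:00:01 sshd: Failed password for alice from 10.0.0.5",
    "2011-10-03T09:00:04 sshd: Failed password for alice from 10.0.0.5",
    "2011-10-03T09:00:09 sshd: Accepted password for alice from 10.0.0.5",
]
APP_TRAIL = [
    '10.0.0.5 - alice [03/Oct/2011:09:00:02 +0000] "GET /admin HTTP/1.1" 401 12',
    '10.0.0.5 - alice [03/Oct/2011:09:00:06 +0000] "GET /admin HTTP/1.1" 401 12',
]
SSHD = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from \S+$")
HTTP = re.compile(r'^\S+ - (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]+" (\d{3}) \d+$')
# Common audit record format that every domain's trail is translated into.
AuditRecord = namedtuple("AuditRecord", "ts domain subject action outcome")

def preprocess(host_lines, app_lines):
    """Audit record preprocessor: two raw trails -> one time-ordered AuditRecord stream."""
    out = []
    for m in filter(None, map(SSHD.match, host_lines)):
        ts, verb, user = m.groups()
        out.append(AuditRecord(datetime.fromisoformat(ts), "host", user, "login",
                               "success" if verb == "Accepted" else "failure"))
    for m in filter(None, map(HTTP.match, app_lines)):
        user, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        out.append(AuditRecord(when, "application", user, f"{method} {path}",
                               "failure" if status in ("401", "403") else "success"))
    return sorted(out, key=lambda r: r.ts)   # the time-ordered stream the analyzer consumes

# Knowledge base: (rule name, failures that trigger an alert, window in seconds); constructed values.
KNOWLEDGE_BASE = [("repeated-auth-failure", 3, 30)]
def analyze(stream, rules=KNOWLEDGE_BASE):
    """Analysis engine: count each subject's failures in a sliding window across all domains."""
    alerts = []                                   # stands in for the alert database
    for name, limit, window in rules:
        recent = defaultdict(list)
        for rec in (r for r in stream if r.outcome == "failure"):
            hits = [r for r in recent[rec.subject] if (rec.ts - r.ts).total_seconds() <= window]
            hits.append(rec)
            if len(hits) >= limit:                # notifier step: hand the analyst an alert
                alerts.append({"rule": name, "subject": rec.subject, "at": rec.ts.isoformat(),
                               "domains": sorted({r.domain for r in hits})})
                hits = []                         # one alert per burst, then count afresh
            recent[rec.subject] = hits
    return alerts
```

Run as `analyze(preprocess(HOST_TRAIL, APP_TRAIL))`: the two sshd failures alone would stay under the threshold, but once the HTTP 401s are translated into the same record format the third failure at 09:00:04 triggers one alert whose `domains` field lists both sources.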

This note was uploaded on 12/27/2011 for the course CMPSC 117 taught by Professor Kemm during the Fall '09 term at UCSB.
