Lecture11 - IS 2150 / TEL 2810 Introduction to Security...
1 IS 2150 / TEL 2810 Introduction to Security
  James Joshi, Associate Professor, SIS
  Lecture 11, Nov 22, 2011
  Intrusion Detection, Auditing System
2 Intrusion Detection
3 Intrusion Detection/Response
  Denning: Systems under attack fail to meet one or more of the following characteristics
    1. Actions of users/processes conform to statistically predictable patterns
    2. Actions of users/processes do not include sequences of commands to subvert security policy
    3. Actions of processes conform to specifications describing allowable actions
4 Intrusion Detection
  Idea: An attack can be discovered when one of the above characteristics is violated
  Practical goals of intrusion detection systems:
    - Detect a wide variety of intrusions (known + unknown)
    - Detect in a timely fashion
    - Present analysis in a useful manner
      - Need to monitor many components; proper interfaces needed
    - Be (sufficiently) accurate
      - Minimize false positives and false negatives
5 IDS Types: Anomaly Detection
  Compare system characteristics with expected values
    - Threshold metric: alert when a statistic deviates beyond a fixed threshold
      E.g., number of failed logins
    - Statistical moments: mean / standard deviation of
      - Number of user events in a system
      - Time periods of user activity
      - Resource usage profiles
    - Markov model: based on the current state, the expected likelihood of transition to new states
      If a low-probability event (transition) occurs, it is considered suspicious
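A toy implementation of the three anomaly-detection techniques on slide 5, added here as an illustration (it is not code from the lecture). The baseline failed-login counts and the command sequences are constructed sample data, and the threshold, the 3-sigma rule and the 0.05 probability floor are assumed tuning values:

```python
"""Toy anomaly detector: threshold metric, statistical moments, Markov transitions."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed baseline: failed-login counts per hour for one user over ten hours.
BASELINE_FAILED_LOGINS = [1, 0, 2, 1, 0, 1, 3, 1, 0, 2]

# Constructed "normal" command sequences used to train the Markov model.
NORMAL_SESSIONS = [
    ["login", "ls", "cd", "vim", "make", "logout"],
    ["login", "ls", "vim", "make", "logout"],
    ["login", "cd", "ls", "vim", "logout"],
    ["login", "ls", "cd", "vim", "make", "make", "logout"],
]
# Constructed session containing transitions never seen in the baseline.
SUSPICIOUS_SESSION = ["login", "cd", "chmod", "su", "logout"]


def threshold_alert(count, limit=5):
    """Threshold metric: alert when a raw statistic exceeds a fixed limit."""
    return count > limit


def zscore_alert(baseline, value, k=3.0):
    """Statistical moments: alert when value lies more than k std devs from the mean."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:  # degenerate baseline: any change from the constant is anomalous
        return value != mu
    return abs(value - mu) / sigma > k


def train_markov(sequences):
    """Estimate P(next | current) from observed command sequences."""
    counts = defaultdict(Counter)
    for seq in sequences:
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    return {cur: {n: c / sum(ctr.values()) for n, c in ctr.items()}
            for cur, ctr in counts.items()}


def transition_prob(model, cur, nxt):
    """Probability of cur -> nxt; unseen states or transitions get 0.0."""
    return model.get(cur, {}).get(nxt, 0.0)


def markov_alert(model, seq, floor=0.05):
    """Return every transition in seq whose estimated probability is below floor."""
    return [(cur, nxt) for cur, nxt in zip(seq, seq[1:])
            if transition_prob(model, cur, nxt) < floor]
```

Note that a transition involving a state absent from training (here "chmod", "su") scores 0.0, so an unseen state is always flagged; a production detector would smooth probabilities to limit false positives.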
6 IDS Types: Misuse Modeling
  Does a sequence of instructions violate the security policy?
  Problem: How do we know all violating sequences?
  Solution: capture known violating sequences
    - Generate a rule set for an intrusion signature
  Alternate solution: State-transition approach
    - Known "bad" state transition from an attack
    - Capture when the transition has occurred (user -> root)
7 Specification Modeling
  Does a sequence of instructions violate the system specification?
  What is the system specification?
    - Need to formally specify the operations of potentially critical code (trusted code)
    - Verify that post-conditions are met
8 IDS Systems
  Anomaly Detection
    - Intrusion Detection Expert System (IDES); successor is NIDES
    - Network Security Monitor (NSM)
  Misuse Detection
    - Intrusion Detection In Our Time (IDIOT) (colored Petri nets)
    - USTAT?
    - ASAX (rule-based)
  Hybrid
    - NADIR (Los Alamos)
    - Haystack (Air Force, adaptive)
    - Hyperview (uses neural network)
    - Distributed IDS (Haystack + NSM)
9 IDS Architecture
  Similar to an audit system
    - Log events
    - Analyze log
  Difference: happens in real time, i.e., in a timely fashion
  (Distributed) IDS idea:
    - Agent generates log
    - Director analyzes logs