Chapter_22_Slides

Chapter_22_Slides - 11/7/2010 Chapter 22: Intrusion...

11/7/2010

Chapter 22: Intrusion Detection
• Principles
• Basics
• Models of Intrusion Detection
• Architecture of an IDS
• Organization
• Incident Response
Slide #22-1

Principles of Intrusion Detection
• Characteristics of systems not under attack
  – User, process actions conform to statistically predictable pattern
  – User, process actions do not include sequences of actions that subvert the security policy
  – Process actions correspond to a set of specifications describing what the processes are allowed to do
• Systems under attack do not meet at least one of these
Slide #22-2
Example
• Goal: insert a back door into a system
  – Intruder will modify system configuration file or program
  – Requires privilege; attacker enters system as an unprivileged user and must acquire privilege
• Nonprivileged user may not normally acquire privilege (violates #1)
• Attacker may break in using sequence of commands that violate security policy (violates #2)
• Attacker may cause program to act in ways that violate program's specification
Slide #22-3

Basic Intrusion Detection
• Attack tool is automated script designed to violate a security policy
• Example: rootkit
  – Includes password sniffer
  – Designed to hide itself using Trojaned versions of various programs (ps, ls, find, netstat, etc.)
  – Adds back doors (login, telnetd, etc.)
  – Has tools to clean up log entries (zapper, etc.)
Slide #22-4
Detection
• Rootkit configuration files cause ls, du, etc. to hide information
• ls lists all files in a directory
  – Except those hidden by configuration file
• dirdump (local program to list directory entries) lists them too
• Run both and compare counts
• If they differ, ls is doctored
• Other approaches possible
Slide #22-5

Key Point
• Rootkit does not alter kernel or file structures to conceal files, processes, and network connections
  – It alters the programs or system calls that interpret those structures
  – Find some entry point for interpretation that rootkit did not alter
  – The inconsistency is an anomaly (violates #1)
Slide #22-6
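The comparison on slide #22-5, written out as an added example that is not part of the original slides: the directory is read through two independent entry points, the system's ls binary and Python's own os.listdir() (standing in for the local dirdump program), and any entry that one path shows and the other hides is reported as the anomaly. The demo directory and its file names are constructed for the example.

```python
import os
import subprocess
import tempfile


def ls_listing(path):
    """Entry names as reported by the ls(1) binary, one per line (-A keeps dotfiles)."""
    out = subprocess.run(["ls", "-A1", "--", path],
                         capture_output=True, text=True, check=True)
    return {line for line in out.stdout.splitlines() if line}


def direct_listing(path):
    """Entry names from a second interpretation path: os.listdir() reads the
    directory with its own system calls and never consults the ls binary,
    so a Trojaned ls cannot filter this list.  (A rootkit that hooks the
    directory-reading system call itself would fool both; see slide #22-6.)"""
    return set(os.listdir(path))


def hidden_entries(reference, suspect):
    """Names present in the reference listing but missing from the suspect one."""
    return set(reference) - set(suspect)


def check_directory(path):
    """Run both listings over the same directory and compare, as the slide describes."""
    ls_names = ls_listing(path)
    direct_names = direct_listing(path)
    hidden = hidden_entries(direct_names, ls_names)
    return {
        "ls_count": len(ls_names),
        "direct_count": len(direct_names),
        "hidden_from_ls": sorted(hidden),
        # Either a count mismatch or a concrete missing name means ls is doctored.
        "doctored": bool(hidden) or len(ls_names) != len(direct_names),
    }


def demo_on_tempdir():
    """Constructed sample: a fresh directory with three entries, one of them a dotfile."""
    path = tempfile.mkdtemp()
    for name in ("a.txt", ".hidden", "b.log"):
        open(os.path.join(path, name), "w").close()
    return check_directory(path)


if __name__ == "__main__":
    print(demo_on_tempdir())
```

On a clean host both counts agree and hidden_from_ls is empty; a Trojaned ls that suppresses names from its configuration file shows up as a non-empty hidden_from_ls.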
Denning's Model
• Hypothesis: exploiting vulnerabilities requires abnormal use of normal commands or instructions
  – Includes deviation from usual actions
  – Includes execution of actions leading to break-ins
  – Includes actions inconsistent with specifications of privileged programs
Slide #22-7

Goals of IDS
• Detect wide variety of intrusions
  – Previously known and unknown attacks
  – Suggests need to learn/adapt to new attacks or changes in behavior
• Detect intrusions in timely fashion
  – May need to be real-time, especially when system responds to intrusion
This note was uploaded on 02/08/2012 for the course ITT 650 taught by Professor Dewey during the Spring '11 term at UNC Asheville.
