IDS
- Network-Based IDS
- Host-Based IDS

Classification of IDSs
By the type of data collected:
- Network-Based IDS
- Host-Based IDS
- Application-Based IDS
By the detection method used:
- Misuse IDS
- Anomaly IDS

Classification by type of data collected
- Network-Based IDS: analyzes network packets; can raise a warning before an attack succeeds
- Host-Based IDS: analyzes host logs; after-the-fact analysis
- Application-Based IDS: uses application logs; more vulnerable to attack

Classification by detection method
- Misuse Detection
- Anomaly Detection
Advantages of Misuse Detection
- Misuse detectors are very effective at detecting attacks without generating an overwhelming number of false alarms.
- Misuse detectors can quickly and reliably diagnose the use of a specific attack tool or technique. This helps security managers prioritize corrective measures.
- Misuse detectors allow system managers, regardless of their level of security expertise, to track security problems on their systems and initiate incident handling procedures.

Disadvantages of Misuse Detection
- Misuse detectors can only detect the attacks they know about; they must therefore be constantly updated with signatures of new attacks.
- Many misuse detectors use tightly defined signatures that prevent them from detecting variants of common attacks. State-based misuse detectors can overcome this limitation, but are not commonly used in commercial IDSs.

Advantages of Anomaly Detection
- IDSs based on anomaly detection detect unusual behavior and can therefore detect the symptoms of an attack without specific knowledge of its details.
- Anomaly detectors can produce information that can in turn be used to define signatures for misuse detectors.

Disadvantages of Anomaly Detection
- Anomaly detection approaches usually produce a large number of false alarms because the behavior of users and networks is unpredictable.
- Anomaly detection approaches often require extensive "training sets" of system event records in order to characterize normal behavior patterns.
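The two detection philosophies above, side by side in a small added example (not code from the slides or from the NCKU lab systems). A misuse detector carries one constructed signature and is run twice, once against the raw request line and once after URL-decoding, to show how a tightly defined signature misses an encoded variant; a length-based anomaly detector is fitted to a constructed benign baseline and catches a novel over-long request it has no signature for, at the cost of also flagging an unusual but benign request. The baseline, the test traffic, the signature and the k = 3 threshold are all constructed for illustration.

```python
"""Misuse (signature) detection beside anomaly detection on HTTP request lines.

Added example, not code from the slides or from the NCKU lab systems. All
traffic, the signature and the threshold are constructed for illustration.
"""
import re
import statistics
from urllib.parse import unquote

# Constructed benign baseline used to learn what a "normal" request looks like.
BASELINE = [
    "GET /index.html HTTP/1.0",
    "GET /about.html HTTP/1.0",
    "GET /news/2001/05.html HTTP/1.0",
    "GET /images/logo.gif HTTP/1.0",
    "GET /contact.html HTTP/1.0",
    "GET /products/list.html HTTP/1.0",
]

# Constructed test traffic; the label is ground truth for the demonstration only.
TEST = [
    ("GET /index.html HTTP/1.0", "benign"),
    ("GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0", "known attack"),
    ("GET /cgi-bin/view?file=..%2F..%2Fetc%2Fpasswd HTTP/1.0", "encoded variant"),
    ("GET /search?q=" + "A" * 400 + " HTTP/1.0", "novel attack"),
    ("GET /reports/2001/q1/regional/europe/summary-by-country.html HTTP/1.0", "benign but unusual"),
]

# One tightly defined signature (hypothetical), as a misuse detector would carry.
SIGNATURES = [re.compile(r"/etc/passwd")]


def misuse_detect(request, normalize=False):
    """Return True if any signature matches.

    With normalize=False the match is against the raw request, so a URL-encoded
    variant slips past; with normalize=True the request is URL-decoded first,
    a minimal form of the normalization needed to catch variants.
    """
    text = unquote(request) if normalize else request
    return any(sig.search(text) for sig in SIGNATURES)


def fit_anomaly(baseline):
    """Learn the 'normal' request length (mean and population stdev) from the training set."""
    lengths = [len(r) for r in baseline]
    return statistics.mean(lengths), statistics.pstdev(lengths)


def anomaly_detect(request, mean, stdev, k=3.0):
    """Flag a request whose length is more than k standard deviations from normal."""
    return abs(len(request) - mean) > k * stdev


def run(test=TEST, baseline=BASELINE):
    """Apply all three detectors to every test request; returns {label: verdicts}."""
    mean, stdev = fit_anomaly(baseline)
    return {
        label: {
            "tight_signature": misuse_detect(req),
            "normalized_signature": misuse_detect(req, normalize=True),
            "anomaly": anomaly_detect(req, mean, stdev),
        }
        for req, label in test
    }


if __name__ == "__main__":
    for label, verdict in run().items():
        print(f"{label:20s} {verdict}")
```

The "encoded variant" row is the slide's point about tightly defined signatures: the raw match fails, the decoded match succeeds. The "novel attack" row is caught only by the anomaly detector, and the "benign but unusual" row is the anomaly detector's false alarm; a real deployment would also need a larger and more representative training set than six requests.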
Placement of Network-Based IDSs
- Location 1: behind each external firewall, in the network DMZ
- Location 2: outside an external firewall
- Location 3: on major network backbones
- Location 4: on critical subnets

Location 1 Advantages
- Sees attacks originating from the outside world that penetrate the network's perimeter defenses.
- Highlights problems with the network firewall policy or performance.
- Sees attacks that might target the web server or FTP server, which commonly reside in this DMZ.
- Even if the incoming attack is not recognized, the IDS can sometimes recognize the outgoing traffic that results from a compromised server.

Location 2 Advantages
- Documents the number of attacks originating on the Internet that target the network.
- Documents the types of attacks originating on the Internet that target the network.

Location 3 Advantages
- Monitors a large amount of the network's traffic, increasing the chance of spotting attacks.
- Detects unauthorized activity by authorized users within the organization's security perimeter.

Location 4 Advantages
- Detects attacks targeting critical systems and resources.
- Allows limited resources to be focused on the network assets considered of greatest value.
Two Examples of Network-Based IDSs
Two Network-based IDSs developed by the Cryptography and Network Security Laboratory of National Cheng Kung University (NCKU):
- RD-NIDS (Distributed Network Intrusion Detection System with Reconnaissance ability)
- Neuro-IDS (Neural Network based Intrusion Detection System)

RD-NIDS Architecture

System Operation

Comparisons of Existing IDSs

RD-NIDS Detection Example (cont.)
Neuro-IDS Principle
- Multilayer perceptron (MLP) trained with the back-propagation algorithm
  - Forward pass: inputs propagate through the hidden layer to the output
  - Backward pass: the output error propagates back through the network to update the weights

System Characteristics
- Efficient
- Real time
- Intelligent
- Adaptive
- User friendly

Detection Model
- Service-specific Model (FTP)
- Attack Category Model (Probing)
- General TCP Model
- Training categories: DDoS, DNS, DoS, Lpr, RPC, SMTP, Telnet, Trojan, Remote file access, Useless service, Abnormal TCP, FTP
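The forward and backward passes of the MLP described above, as an added pure-Python example (not the Neuro-IDS code). A 3-4-1 network is trained by back-propagation on constructed per-host connection features to separate probe-like from normal connections, in the spirit of the Attack Category Model for probing. The three features (fraction of SYN-only connections, scaled count of distinct destination ports, scaled bytes transferred), the data set, the network size and the choice of binary cross-entropy loss are all assumptions made for the demonstration; the slides do not specify them.

```python
"""One-hidden-layer MLP trained by back-propagation, in pure Python.

Added example, not the Neuro-IDS code. The connection features, the data set
and the network size are assumptions made for the demonstration.
"""
import math
import random

# Constructed per-source-host connection features, each scaled to [0, 1]:
#   [fraction of SYN-only connections, distinct destination ports (scaled), bytes transferred (scaled)]
# Label 1 = probe-like, 0 = normal. Assumed values, not measured traffic.
TRAINING_DATA = [
    ([0.90, 0.80, 0.10], 1),
    ([0.80, 0.90, 0.05], 1),
    ([0.95, 0.70, 0.20], 1),
    ([0.85, 0.85, 0.10], 1),
    ([0.10, 0.10, 0.60], 0),
    ([0.05, 0.20, 0.90], 0),
    ([0.20, 0.10, 0.50], 0),
    ([0.10, 0.05, 0.70], 0),
]


def sigmoid(x):
    """Numerically stable logistic function."""
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


class MLP:
    """Inputs -> one sigmoid hidden layer -> one sigmoid output unit."""

    def __init__(self, n_in, n_hidden, seed=0):
        rng = random.Random(seed)  # fixed seed so the run is reproducible
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x):
        """Forward pass: returns (hidden activations, output probability)."""
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(self.w1, self.b1)]
        out = sigmoid(sum(w * hi for w, hi in zip(self.w2, h)) + self.b2)
        return h, out

    def backward(self, x, h, out, target, lr):
        """Backward pass: propagate the output error to every weight and update.

        With binary cross-entropy loss the output delta is simply (out - target);
        hidden deltas are that error routed back through w2 and the sigmoid derivative.
        """
        delta_out = out - target
        delta_h = [delta_out * w * hi * (1.0 - hi) for w, hi in zip(self.w2, h)]
        for j, hi in enumerate(h):
            self.w2[j] -= lr * delta_out * hi
        self.b2 -= lr * delta_out
        for j, dj in enumerate(delta_h):
            for i, xi in enumerate(x):
                self.w1[j][i] -= lr * dj * xi
            self.b1[j] -= lr * dj

    def train(self, data, epochs=2000, lr=0.5):
        """Online (per-sample) gradient descent over the data set."""
        for _ in range(epochs):
            for x, t in data:
                h, out = self.forward(x)
                self.backward(x, h, out, t, lr)

    def predict(self, x):
        return self.forward(x)[1]


def log_loss(model, data):
    """Mean binary cross-entropy over the data set (probabilities clamped away from 0 and 1)."""
    total = 0.0
    for x, t in data:
        p = min(max(model.predict(x), 1e-12), 1.0 - 1e-12)
        total -= t * math.log(p) + (1 - t) * math.log(1.0 - p)
    return total / len(data)


def accuracy(model, data, threshold=0.5):
    return sum((model.predict(x) >= threshold) == (t == 1) for x, t in data) / len(data)


def train_probe_model(data=TRAINING_DATA):
    """Train a 3-4-1 network on the constructed data; returns (model, loss before, loss after)."""
    model = MLP(n_in=3, n_hidden=4)
    before = log_loss(model, data)
    model.train(data)
    return model, before, log_loss(model, data)


if __name__ == "__main__":
    model, before, after = train_probe_model()
    print(f"loss {before:.3f} -> {after:.3f}, accuracy {accuracy(model, TRAINING_DATA):.2f}")
    print("unseen probe-like:", round(model.predict([0.9, 0.9, 0.1]), 3))
    print("unseen normal:", round(model.predict([0.1, 0.1, 0.8]), 3))
```

The hidden deltas are computed from w2 before w2 is updated, which is the order back-propagation requires; the output unit's probability is what a Neuro-IDS-style system would threshold to raise an alert. A real detector needs far more training connections than eight, and a held-out set to measure the false positives and false negatives the performance tables below report.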
System Performance
Experiment I: all connections normal.

Model   # of system inputs   # of alert outputs   False positives   False negatives
TCP     31435                6                    6                 0
Probe   564                  0                    0                 0

System Performance (cont.)
Experiment II: normal traffic plus attacks (Nmap, TWWWscan, guest login attempt).

Model   # of system inputs   # of alert outputs   False positives   False negatives
TCP     8952                 1972                 0                 0
Probe   134                  64                   3                 0

System Performance (cont.)
Experiment III: normal traffic plus attacks (buffer overflow, backdoor, DoS).

Model   # of system inputs   # of alert outputs   False positives   False negatives
TCP     538                  75                   0                 3
Probe   32                   5                    2                 0
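The three tables above report raw counts rather than rates; the following added example (not from the slides) derives detection rate, false-positive rate and precision from them. It assumes that "# of alert outputs" counts true positives plus false positives and that the attack connections in an experiment are true positives plus false negatives; the slides do not state how they count, so those two relations are assumptions. Under them, Experiment I contains no attacks and the detection rate is correctly left undefined rather than reported as 0.

```python
"""Detection and false-alarm rates from the raw counts in the Neuro-IDS experiments.

Added example, not from the slides. It assumes the slides count "alert outputs"
as true positives plus false positives, and that the attack connections in an
experiment are true positives plus false negatives; the slides do not state this.
"""

# (system inputs, alert outputs, false positives, false negatives), copied from the tables.
EXPERIMENTS = {
    ("I", "TCP"): (31435, 6, 6, 0),
    ("I", "Probe"): (564, 0, 0, 0),
    ("II", "TCP"): (8952, 1972, 0, 0),
    ("II", "Probe"): (134, 64, 3, 0),
    ("III", "TCP"): (538, 75, 0, 3),
    ("III", "Probe"): (32, 5, 2, 0),
}


def rates(inputs, alerts, false_positives, false_negatives):
    """Return detection rate, false-positive rate and precision (None where undefined)."""
    true_positives = alerts - false_positives        # assumption: alerts = TP + FP
    attacks = true_positives + false_negatives       # assumption: attacks = TP + FN
    normal = inputs - attacks
    return {
        "true_positives": true_positives,
        "attacks": attacks,
        "normal": normal,
        "detection_rate": true_positives / attacks if attacks else None,
        "false_positive_rate": false_positives / normal if normal else None,
        "precision": true_positives / alerts if alerts else None,
    }


def summarize(experiments=EXPERIMENTS):
    """Rates for every (experiment, model) pair in the tables."""
    return {key: rates(*counts) for key, counts in experiments.items()}


if __name__ == "__main__":
    for (experiment, model), r in summarize().items():
        dr = "n/a" if r["detection_rate"] is None else f"{r['detection_rate']:.3f}"
        print(f"Exp {experiment:>3} {model:5s} detection {dr} "
              f"FP rate {r['false_positive_rate']:.4f} TP {r['true_positives']}")
```

Reading the result for Experiment III, the TCP model misses 3 of 78 attack connections (about 96% detection) with no false alarms, while the Probe model catches all 3 probes but raises 2 false alarms on 29 normal connections; that is the misuse/anomaly trade-off from the earlier slides showing up in the lab's own numbers.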