Jason Ewing

Introduction
• What is an Intrusion
• Why Detecting Signs of Intrusion is Important?
• Types of Intrusion Detection Systems (IDS)
• Approaches for Detection
  • Anomaly Detection
  • Signature Recognition
  • Protocol Analysis
• Policy and Procedures
• Questions

What is an Intrusion?
• “Normal activities that leave signs of intrusion include but are not limited to attempts to gain unauthorized access to a system or its data, unauthorized exposure of information, disruption or denial of service, unauthorized data processing, unauthorized downloading, and changes to system hardware, firmware, or software without network administrators knowledge or consent” (Kochmar et al 6).

Why It’s Important?
• Without detection and damage assessment, time to recover from attacks can increase along with damage
• Legal Repercussions: Attackers could utilize system to launch other attacks
• Loss of Business
• Damaged Reputation

Types of Intrusion Detection Systems (IDS)
Network Intrusion Detection Systems (NIDS)
• Packet Monitoring system
• Will Capture Packets and Evaluate
• Both Incoming and Outgoing traffic
System Integrity Verifiers (SIV)
• Monitors System Files
  • Windows Registry
  • Critical Components
• No Real Time Alert

Types of Intrusion Detection Systems (IDS)
Log File Monitors (LFM)
• Monitors Generated Log Files
• Identify Well-Known Patterns of attackers
Decoy Systems
• Trap Attackers
• Rely on Deception
  • Honeypots
  • Fake Accounts Without Privileges
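A log file monitor in the sense of this slide, as an added example (not from the deck): it parses sshd-style "Failed password" lines and raises an alert for any source that reaches a threshold of failures inside a sliding time window. The log lines, the threshold of 5 and the 60-second window are constructed values for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style sample log; the hosts and PIDs are not from any real system.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2024-05-01T10:00:03 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
2024-05-01T10:00:04 sshd[1203]: Accepted publickey for alice from 198.51.100.4 port 40021 ssh2
2024-05-01T10:00:05 sshd[1204]: Failed password for root from 203.0.113.7 port 50124 ssh2
2024-05-01T10:00:07 sshd[1205]: Failed password for root from 203.0.113.7 port 50125 ssh2
2024-05-01T10:00:08 sshd[1206]: Failed password for root from 203.0.113.7 port 50126 ssh2
2024-05-01T10:00:09 sshd[1207]: Failed password for bob from 198.51.100.4 port 40022 ssh2
2024-05-01T10:05:30 sshd[1210]: Failed password for bob from 198.51.100.4 port 40023 ssh2
"""

# The "well-known pattern" the monitor looks for, as a regex over one log line.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(text):
    """Return (timestamp, source, user) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"]))
    return events


def find_bruteforce(events, threshold=5, window_s=60):
    """Sliding-window count per source. Returns {source: time the threshold
    was first reached} for sources with >= threshold failures in window_s seconds."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    alerts = {}
    for ts, src, _user in sorted(events):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, when in find_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"ALERT {when.isoformat()} repeated login failures from {src}")
```

The window matters: the second host in the sample also fails twice, but five minutes apart, so it never trips the alert. A production monitor would tail the file continuously and feed alerts to the same response process the Policy and Procedures slide calls for.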

Approaches for Detection
General Framework for Detection
• Look for Suspicious Activity
• Investigate any problems or strange behavior
• If something is unexplainable, assume there’s an intrusion
Anomaly Detection
Signature Recognition
Protocol Analysis

Anomaly Detection
Most Common Method
Detects Statistical Anomalies
Baseline of Network Activity
• CPU Use
• Disk Activity
• User Activity
• File Activity
Alarm will activate when an anomaly occurs
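The statistical baseline this slide describes, as an added example not taken from the deck: record the four activity metrics over a period believed to be clean, compute a mean and standard deviation per metric, and raise the alarm when a new sample lies more than a chosen number of standard deviations from the mean. All sample values and the threshold of 3 are constructed; `file_ops` is held constant in the baseline on purpose, to show how a zero-variance metric must be handled.

```python
import statistics

# Constructed baseline: eight samples of the slide's four metrics taken during
# a period believed to be free of intrusions.
BASELINE_SAMPLES = [
    {"cpu_pct": 20, "disk_mb": 100, "logins": 4, "file_ops": 300},
    {"cpu_pct": 22, "disk_mb": 110, "logins": 5, "file_ops": 300},
    {"cpu_pct": 24, "disk_mb": 120, "logins": 6, "file_ops": 300},
    {"cpu_pct": 26, "disk_mb": 130, "logins": 7, "file_ops": 300},
    {"cpu_pct": 24, "disk_mb": 120, "logins": 6, "file_ops": 300},
    {"cpu_pct": 22, "disk_mb": 110, "logins": 5, "file_ops": 300},
    {"cpu_pct": 20, "disk_mb": 100, "logins": 4, "file_ops": 300},
    {"cpu_pct": 18, "disk_mb": 90, "logins": 3, "file_ops": 300},
]

# Constructed observations to score against the baseline.
NORMAL_SAMPLE = {"cpu_pct": 24, "disk_mb": 115, "logins": 6, "file_ops": 300}
SPIKE_SAMPLE = {"cpu_pct": 95, "disk_mb": 112, "logins": 40, "file_ops": 300}
FILE_OPS_SAMPLE = {"cpu_pct": 22, "disk_mb": 110, "logins": 5, "file_ops": 301}


def build_baseline(samples):
    """Per-metric (mean, population stdev) from the clean samples."""
    baseline = {}
    for metric in samples[0]:
        values = [s[metric] for s in samples]
        baseline[metric] = (statistics.mean(values), statistics.pstdev(values))
    return baseline


def z_scores(sample, baseline):
    """Distance of each metric from its baseline mean, in standard deviations.
    A metric that never varied in the baseline gets +inf on any change at all."""
    scores = {}
    for metric, (mean, sd) in baseline.items():
        diff = sample[metric] - mean
        if sd == 0:
            scores[metric] = 0.0 if diff == 0 else float("inf")
        else:
            scores[metric] = diff / sd
    return scores


def detect(sample, baseline, threshold=3.0):
    """The alarm: names of metrics whose |z| exceeds the threshold."""
    return sorted(m for m, z in z_scores(sample, baseline).items() if abs(z) > threshold)


if __name__ == "__main__":
    base = build_baseline(BASELINE_SAMPLES)
    for label, sample in [("normal", NORMAL_SAMPLE), ("spike", SPIKE_SAMPLE),
                          ("file_ops", FILE_OPS_SAMPLE)]:
        print(label, detect(sample, base))
```

The zero-variance case is the practical trap: a metric that is flat in the baseline makes any later change infinitely anomalous, which is either exactly what you want (a file that must never change) or a source of noise (a counter that happened to be idle during baselining). Deciding which, per metric, is part of building the baseline.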

Signature Recognition
Similar to virus scanning
Examines Network Traffic
Looks for Well Known Patterns of Attackers
Must be compared to a signature file
Not very effective due to
• Many different variations of attacks
• Signatures created after a network or honeypot is attacked

Protocol Analysis
Decodes Application-Layer Network Traffic
Each protocol is decoded and analyzed
Searches for suspicious behavior
• Unusual Packet Characteristics
• Unusual Packet Source & Destination
Example:
• Malicious Code in a Header Field sent to a Web server
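Both the Signature Recognition and the Protocol Analysis slides over one constructed HTTP request, as an added example that is not part of the deck. The signature side searches the raw bytes for entries in a small stand-in signature file; the protocol side decodes the request line and headers and flags structural oddities (unknown method, invalid header name, oversized or non-printable header value) without needing a signature for them, which is how the slide's "malicious code in a header field" case is caught even when the payload is new. The two signature patterns, the 512-byte header limit and all sample requests are assumptions made for the example.

```python
import re
import string

# Stand-in for a signature file: (name, pattern) pairs matched against raw bytes.
SIGNATURES = [
    ("path-traversal", re.compile(rb"\.\./")),
    ("script-tag-in-request", re.compile(rb"<script", re.IGNORECASE)),
]

# RFC 7230 token characters, allowed in header names; iterating bytes yields ints.
TOKEN_CHARS = set(b"!#$%&'*+-.^_`|~" + string.ascii_letters.encode() + string.digits.encode())
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}
MAX_HEADER_LEN = 512  # assumed site policy, not a protocol limit

# Constructed sample requests.
NORMAL_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: curl/8.0\r\nAccept: */*\r\n\r\n")
TRAVERSAL_REQUEST = b"GET /images/../../config.ini HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BINARY_HEADER_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                         b"X-Custom: " + b"A" * 600 + b"\x01\x02\r\n\r\n")


def parse_request(raw):
    """Decode an HTTP/1.x request head into (method, target, version, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers


def signature_findings(raw):
    """Signature recognition: names of every signature found in the raw bytes."""
    return [name for name, rx in SIGNATURES if rx.search(raw)]


def protocol_findings(raw):
    """Protocol analysis: structural checks on the decoded request."""
    findings = []
    try:
        method, _target, version, headers = parse_request(raw)
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    if method not in KNOWN_METHODS:
        findings.append(f"unknown method {method!r}")
    if not re.fullmatch(rb"HTTP/1\.[01]", version):
        findings.append(f"unexpected version {version!r}")
    for name, value in headers:
        if not name or any(c not in TOKEN_CHARS for c in name):
            findings.append(f"invalid header name {name!r}")
        if len(value) > MAX_HEADER_LEN:
            findings.append(f"oversized header {name!r} ({len(value)} bytes)")
        if any(c < 0x20 or c > 0x7E for c in value if c != 0x09):
            findings.append(f"non-printable bytes in header {name!r}")
    return findings


def analyze(raw):
    """Run both approaches and return their findings side by side."""
    return {"signatures": signature_findings(raw), "protocol": protocol_findings(raw)}


if __name__ == "__main__":
    for label, req in [("normal", NORMAL_REQUEST), ("traversal", TRAVERSAL_REQUEST),
                       ("binary-header", BINARY_HEADER_REQUEST)]:
        print(label, analyze(req))
```

The traversal request trips only the signature check and the binary-header request trips only the protocol check, which is the point of running both: the slide's criticism that signatures lag behind new attack variations is exactly the gap protocol analysis fills.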

Policy and Procedures
It’s very important to document types of threats and possible intrusions
• Attempted attacks
• Port scanning
• Unauthorized access of information
• Changes to the system – Hardware, Software, etc.
Great documentation allows for great intrusion response and prevention
Maintain all documentation

Questions

Sources
• Allen, Julia H. The CERT Guide to System and Network Security Practices. Boston: Addison-Wesley, 2001. Print.
• Berge, Matthew. "Intrusion Detection FAQ: What Is Intrusion Detection?" Intrusion Detection. SANS. Web. 9 Apr. 2012. <http://www.sans.org/securityresources/idfaq/what_is_id.php>.
• Ciampa, Mark D. Security+ Guide to Network Security Fundamentals. 3rd ed. Boston, MA: Thomson/Course Technology, 2008. Print.
• Graham, Robert. "Network Intrusion Detection Systems." Network Security Articles for Windows Server 2003, 2008 & Vista. Windows Security, 16 Oct. 2002. Web. 9 Apr. 2012. <http://www.windowsecurity.com/whitepapers/faq_network_intrusion_detection_systems_.html>.
• Kochmar, John, Julia Allen, Christopher Alberts, Cory Cohen, Gary Ford, Barbara Fraser, Suresh Konda, Peter Kossakowski, and Derek Simmel. "Preparing to Detect Signs of Intrusion." (2001): 1-21. Carnegie Mellon Software Engineering Institute, 2001. Web. 9 Apr. 2012. <http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA351646>.