Chapter 8 Intrusion Detection


NIDS Sensor Deployment: Location 2 (just outside external firewall)

+: Documents attacks originating on the Internet that target the network
-: Highest processing burden of any location

NIDS Sensor Deployment: Location 4 (on specific department networks)

+: Focuses limited resources on the network assets considered of greatest value

NIDS Sensor Deployment: Location 3 (on backbone networks that support internal servers and databases)

+: Monitors a large amount of internal network traffic, thus increasing the possibility of spotting attacks
+: Detects unauthorized activity by authorized users inside the organization
+: Monitors both internal and external attacks

Honeypot Deployment: Location 3 (internal)

+: can catch internal attacks
+: can detect a misconfigured firewall (based on traffic from the Internet reaching the internal network)
-: if the honeypot is compromised or hijacked, it can attack other internal systems
-: the firewall must be adjusted to allow attackers into the internal network, possibly compromising the internal network

Honeypot Deployment: Location 1 (outside external firewall)

+: can track attempts to connect to unused IP addresses in the network
+: avoids the danger of compromising a system behind the firewall
+: by attracting many potential attacks, it reduces the alerts issued by the firewall and internal IDSs
-: no ability to trap internal attackers if the external firewall filters traffic in both directions

Honeypots

- Honeypots are decoy systems that
  + Lure a potential attacker away from critical systems
  + Collect information about the attacker's activity
  + Encourage the attacker to stay on the system long enough for administrators to respond
- Systems are filled with fabricated information that a legitimate user of the system wouldn't access
- Resources that have no production value
  + Therefore incoming communication is most likely a probe, scan, or attack
  + Initiated outbound communication suggests that the system has probably been compromised

rule-based heuristic identification

- Involves the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses
- Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage
- Typically the rules used are specific

Honeypot Classifications

- Low interaction honeypot
  + Consists of a software package that emulates particular IT services or systems well enough to provide a realistic initial interaction, but does not execute a full version of those services or systems
  + Provides a less realistic target
  + Often sufficient for use as a component of a distributed IDS to warn of imminent attack
- High interaction honeypot
  + A real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers
  + Is a more realistic target that may occupy an attacker for an extended period
  + However, it requires significantly more resources
  + If compromised, could be used to initiate attacks on other systems

NIDS Sensor Deployment: Location 1 (just inside external firewall)

- Sees attacks from the external world that succeeded in penetrating the perimeter defense
- Highlights problems with the perimeter defense
- Can sometimes recognize outgoing traffic from a compromised server

Intrusion Detection Exchange Format: Manager

- The ID component or process from which the operator manages the various components of the ID system
- Management functions: sensor configuration, analyzer configuration, event notification management, data consolidation and reporting

Logging of Alerts

- When a sensor detects a potential violation, it sends an alert (and related logs), which are
  + used by the analysis module to refine intrusion detection parameters and algorithms
  + used by the security administrator to design prevention techniques

Host-based Intrusion Detection (HIDSs)

- add a specialized layer of security software to vulnerable or sensitive systems, such as database servers and administrative systems
- monitor activity on the system in a variety of ways to detect suspicious behavior
- can detect both external and internal intrusions, something that is not possible with either network-based IDSs or firewalls

user interface

- the user interface of an IDS enables a user to view output from the system or control the behavior of the system
- in some systems the user interface may equate to a manager, director, or console component

Intrusion Detection Exchange Format: Sensor

- collects data from a data source
- the sensor forwards events to the analyzer

Anomaly Detection

- collection and processing of sensor data from the normal operation of the monitored system in a training phase
- training may occur at distinct times, or there may be a continuous process of monitoring and evolving the model over time
- two key issues:
  + monitored data: ensures that data gathered from a variety of possible sources is provided in a standard form for analysis
  + statistical approaches: use the captured sensor data to develop a statistical profile of the observed metrics

Distributed or hybrid IDS

- combines information from a number of sensors, often both host and network-based, in a central analyzer that is able to better identify and respond to intrusion activity

Intrusion Detection Exchange Format: Operator

- the human who is the primary user of the IDS manager
- the operator often monitors the output of the IDS and initiates or recommends further action

Intrusion Detection Exchange Format: Administrator

- the human with overall responsibility for setting the security policy of the organization and for decisions about deploying and configuring the IDS

inline sensor

- inserted into a network segment so that the traffic it is monitoring must pass through the sensor
- often combines NIDS sensor logic with another network device (firewall or LAN switch)

signature approaches

- match a large collection of known patterns of malicious data against data stored on a system or in transit over a network
- signatures need to be large enough to minimize the false alarm rate, while still detecting a sufficiently large fraction of malicious data
  + advantage: relatively low cost in time and resource use, and wide acceptance
  + disadvantage: significant effort required to constantly identify and review new malware to create signatures able to identify it, and the inability to detect zero-day attacks for which no signatures exist

passive sensor

- monitors a copy of the network traffic; the actual traffic does not pass through the device

Network-based IDS (NIDS)

- monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity

Host-based IDS (HIDS)

- monitors the characteristics of a single host and the events occurring within that host, such as process identifiers and the system calls they make, for evidence of suspicious activity

knowledge based approaches

- classify observed data using a set of rules developed during the training phase
- formal tools used to describe the rules include a finite-state machine or a standard description language
  + advantage: robustness and flexibility
  + disadvantage: difficulty and time required to develop high-quality knowledge from the data, and the need for human experts to assist with this process

analyzers

- receive input from one or more sensors or from other analyzers, and are responsible for determining if an intrusion has occurred

sensors

- responsible for collecting data
- the input may be any part of a system that could contain evidence of an intrusion
- types of input: network packets, log files, and system call traces
- collect and forward information to the analyzer

Anomaly Detection Techniques: Worm

- the spread of worms among hosts can be detected because
  + some worms use large amounts of bandwidth
  + they cause hosts to communicate with each other that typically do not
  + they can also cause hosts to use ports that they normally do not use

Intrusion Detection Exchange Format: Analyzer

- the ID component or process that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security

Intrusion Detection Exchange Format: Data source

- the raw data that an IDS uses to detect unauthorized or undesired activity
- common data sources: network packets, operating system audit logs, application audit logs, and system-generated checksum data

machine-learning approaches

- use data mining techniques to automatically develop, from the labeled normal training data, a model that is able to classify subsequently observed data as either normal or anomalous
  + advantage: flexibility, adaptability, and ability to capture interdependencies between the observed metrics
  + disadvantage: the process typically requires significant time and computational resources

time-series models (statistical)

- use the order and time between observed events to better classify the behavior
- advantage: relative simplicity, low computation cost, and lack of assumptions about the behavior expected
- disadvantage: difficulty in selecting suitable metrics to obtain a reasonable balance between false positives and false negatives; and not all behaviors can be modeled using these approaches

signature or heuristic detection

- used to detect intrusion by observing events in the system and applying either a set of signature patterns to the data, or a set of rules that characterize the data, leading to a decision regarding whether the observed data indicates normal or anomalous behavior

Honeypot Deployment: Location 2 (in DMZ)

-: other systems (e.g., email server) in the DMZ must first be secured
-: systems in the DMZ are not fully accessible, thus cannot trap as many attackers; opening up the firewall for the honeypot is risky

Intrusion Detection Techniques

As with host-based intrusion detection, network-based intrusion detection uses
- Signature detection
- Anomaly detection

Intrusion Detection: Application layer reconnaissance and attacks

look for attack patterns targeting application protocols (DNS, HTTP, POP)

File integrity checksums

a common approach to detecting intruder activity on a system is to periodically scan critical files for changes from the desired baseline, by comparing current cryptographic checksums for these files with a record of known good values

system call traces

a record of the sequence of system calls made by processes on a system; widely acknowledged as the preferred data source for HIDS

Security Intrusion

a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so

Intrusion Detection

a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner

Intrusion Detection: Network layer reconnaissance and attacks

analyze IPv4, IPv6, ICMP, and IGMP at this level

Intrusion Detection: Transport layer reconnaissance and attacks

analyze TCP and UDP traffic (e.g., unusual scans for vulnerable ports, SYN floods)

Intrusion Detection: Unexpected application services

attempts to determine if the activity on a transport connection is consistent with the expected application protocol

Audit (log file) records

most modern operating systems include accounting software that collects information on user activity
  + advantage: no additional collection software is needed
  + disadvantage: audit records may not contain the needed information or may not contain it in a convenient form
  + disadvantage: intruders may attempt to manipulate these records to hide their actions

Anomaly Detection Techniques: Scanning

occurs when an attacker probes a target network by sending different kinds of packets

Intrusion Detection: Policy violations

prohibit inappropriate web sites and application protocols

Anomaly Detection Techniques: Denial-of-services (DoS) attacks

such attacks involve either significantly increased packet traffic or significantly increased connection attempts, which overwhelm the target system

registry access

an approach used on Windows systems is to monitor access to the registry, given the amount of information held in it and the extent to which programs on these systems access it
