04/19/23 Jeramie Reese - IDS1
Intrusion Detection Systems (IDS)
Jeramie Reese
Agenda
– What is Intrusion Detection?
– Categorizing IDS Systems
– IDS Functionality
– Passive Scans
– Benefits
– IDS Products
– Open Source Project: Snort
– Conclusion
– References
What is Intrusion Detection?
“An IDS does for a network what an antivirus software package does for files that enter a system.”
“An Intrusion Detection System (IDS) is a system for detecting misuse of network or computer resources.”
Sensors
  – Connection Requests
  – Log File Monitors
  – File Integrity Checker
  – User Account Auditing
Categorizing IDS Systems
– Misuse detection
– Anomaly detection
– Network-based
– Host-based systems
– Passive system
– Reactive system
IDS Functionality
from http://www.snort.org/docs/idspaper/
Passive Scans
Active (Intrusion Prevention System: IPS) vs. Passive Scans (IDS)
Collect / Analyze Information
Looking for patterns of misuse
  – Attack Signatures
  – Authorized users overstepping permissions
  – Patterns of abnormal activity
      – Failed password attempts
      – Access times
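The two slides above (misuse versus anomaly detection, and the "failed password attempts" and "access times" patterns a passive scan looks for) can be shown on host log data. The following is an added example written for this page, not code from the presentation: it runs a misuse-style check (a burst of failed logins from one source) and an anomaly-style check (a successful login outside a working-hours baseline) over constructed OpenSSH-style syslog lines. The 5-failures-in-60-seconds threshold and the 07:00-19:00 baseline are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added illustration of the two passive-scan checks the slides list, run over
# constructed OpenSSH-style syslog lines. The 5-in-60-seconds threshold and
# the 07:00-19:00 working-hours baseline are assumptions made for the example.

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+)"
)

# Constructed sample log; addresses are documentation/private ranges.
SAMPLE_LOG = """\
Apr 19 02:11:03 host sshd[811]: Failed password for root from 203.0.113.9 port 51022 ssh2
Apr 19 02:11:05 host sshd[811]: Failed password for root from 203.0.113.9 port 51022 ssh2
Apr 19 02:11:08 host sshd[811]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
Apr 19 02:11:11 host sshd[811]: Failed password for root from 203.0.113.9 port 51041 ssh2
Apr 19 02:11:14 host sshd[811]: Failed password for root from 203.0.113.9 port 51055 ssh2
Apr 19 03:02:40 host sshd[902]: Accepted password for alice from 10.0.0.5 port 40211 ssh2
Apr 19 09:15:22 host sshd[950]: Accepted password for bob from 10.0.0.8 port 40400 ssh2
Apr 19 09:16:01 host sshd[955]: Failed password for bob from 10.0.0.8 port 40402 ssh2
"""


def parse_log(text):
    """Return one dict per recognised line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
            events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def failed_login_bursts(events, threshold=5, window_seconds=60):
    """Misuse-style check: a source with >= threshold failures inside a sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_ip[e["ip"]].append(e["ts"])
    hits = []
    for ip, times in sorted(by_ip.items()):
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits.append((ip, peak))
    return hits


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Anomaly-style check: successful logins outside the expected access times."""
    return [(e["user"], e["ip"], e["ts"].strftime("%H:%M:%S"))
            for e in events
            if e["result"] == "Accepted" and not start_hour <= e["ts"].hour < end_hour]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, n in failed_login_bursts(evs):
        print(f"possible password guessing: {n} failures from {ip}")
    for user, ip, when in off_hours_logins(evs):
        print(f"off-hours login: {user} from {ip} at {when}")
```

The first check is a signature in the slides' sense: it fires on a known pattern of misuse regardless of who the source is. The second only makes sense against a baseline of normal behaviour, which is why a single off-hours login is a lead for an analyst rather than proof of compromise.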
Benefits
– Early warning of attack
– Flexible configuration options
– Alerts that a Network Invasion may be in progress
– Help identify the source of the incoming probes or attacks
– Troubleshoot system anomalies
– Determine what has been compromised
– Catches insider hacking
– Identify attacker (proof)
IDS Products (Commercial)
Cisco Intrusion Detection
  – Cisco Secure IDS Director Software ($4,900)
Internet Security Systems
  – Real Secure ($8,995 per sensor)
Symantec Corporation
  – Intruder Alert (server: $995, workstation: $295)
Tripwire Inc.
  – Tripwire Manager 2.4 ($6,995)
IDS Products (Open Source)
Naval Surface Warfare Center
  – Shadow IDS
  – Originally started by the Cooperative Intrusion Detection Evaluation and Response (CIDER) project
Developer: Stephen P. Berry
  – Shoki IDS
Developer: Marty Roesch
  – Snort IDS
Snort
Packet Sniffing
  – Similar to tcpdump
Packet Monitoring
  – Useful for network traffic debugging
Intrusion Detection
  – Applies rules on all captured packets
Snort Rules
– Rule Actions
– Protocols
– IP Addresses
– Port Numbers
– The Direction Operator
– Activate/Dynamic Rules
Snort Rules Examples
log tcp 192.168.1.0/24 <> 192.168.1.0/24 23 (content: "USER root"; msg: "FTP root login";)
alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl:100;)
log udp any any -> 192.168.1.0/24 1:1024
Response (alert output modes): Fast Mode, Full Mode, UNIX Socket Mode, SNMP, SYSLOG, etc.
Conclusion
– IDS could benefit from standards
– Neighborhood Architecture
    – IDS itself can be attacked
    – Altered to report incorrect data
– Heuristic data collection
– More focus on internal attacks
References
Honeypots; Intrusion Detection, Honeypots and Incident Handling Resources; 2001. http://www.honeypots.net/ids/products
Infosyssec; Intrusion Detection Systems FAQ; 2003. http://www.infosyssec.net/infosyssec/intdet1.htm
Network World Fusion; Buyer's Guide: Network-based intrusion-detection systems; 2001. http://www.networkworld.com/reviews/2001/1008bgtoc.html
Shimonski, Robert J.; What You Need to Know About Intrusion Detection Systems; 2001. http://www.windowsecurity.com/articles/What_You_Need_to_Know_About_Intrusion_Detection_Systems.html