8 - Intrusion Detection
unwanted/hostile
User trespass: unauthorized logon, privilege abuse
Software trespass: virus, worm, trojan horse
Intrusion Detection System
against security intrusion
Network-based IDS: monitors network traffic
Host-based IDS: monitors the events occurring within that host
anomaly detection: defines expected behavior
signature detection: defines proper behavior
passive: monitors copy of traffic
inline: part of other net device
three logical components
Analyzers
User Interface
Sensor
we cannot expect an exact distinction between intruder and normal user; there will be an overlap
Audit Records
security-relevant chronological record
Native audit records: provided by O/S, may be not optimum
Detection-specific audit records: additional overhead but specific to IDS tasks, often log individual elementary actions. May contain fields for: subject, action, resource usage.
Anomaly Detection
1) collect and process data from the normal operation of the monitored system in a training phase
2) compare the observed data with the current model in order to classify it as either legitimate or anomalous activity
Signature Detection
observe events on the system and apply a set of rules to decide whether they indicate an intruder
Rule-based penetration identification: identify known penetration/weakness
Rule-based anomaly detection: compare expected behavior with current one
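The two approaches above, as an added example that is not part of the original notes: anomaly detection with its training phase (per-subject profile of resource usage) and its classification phase, beside rule-based signature detection. The audit records, the subjects, the resource names and the two rules are constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed audit records (subject, action, resource, resource_usage); sample data
# invented for this example, not taken from any real system.
TRAINING = [
    ("alice", "read", "/home/alice/notes", 3), ("alice", "read", "/home/alice/notes", 4),
    ("alice", "write", "/home/alice/notes", 5), ("alice", "read", "/home/alice/mail", 4),
    ("bob", "read", "/home/bob/src", 2), ("bob", "write", "/home/bob/src", 3),
    ("bob", "read", "/home/bob/src", 2), ("bob", "read", "/home/bob/src", 3),
]

def train(records):
    """Anomaly detection phase 1: profile each subject's resource usage from normal operation."""
    usage_by_subject = {}
    for subject, _action, _resource, usage in records:
        usage_by_subject.setdefault(subject, []).append(usage)
    return {s: (mean(u), pstdev(u)) for s, u in usage_by_subject.items()}

def is_anomalous(model, record, threshold=3.0):
    """Anomaly detection phase 2: flag usage more than `threshold` std devs from the profile."""
    subject, _action, _resource, usage = record
    if subject not in model:
        return True  # no profile for this subject: cannot classify it as legitimate
    mu, sigma = model[subject]
    return abs(usage - mu) / (sigma or 1.0) > threshold  # sigma 0 -> unit scale

# Signature detection (rule-based penetration identification): known misuse patterns.
def rule_passwd_write(window):
    s, a, r, _u = window[-1]
    return a == "write" and r == "/etc/passwd" and s != "root"

def rule_login_failures(window, limit=3):
    s = window[-1][0]
    recent = [rec for rec in window[-limit:] if rec[0] == s and rec[1] == "login_fail"]
    return len(recent) >= limit  # the last `limit` records are all failed logins by s

RULES = {"non-root write to /etc/passwd": rule_passwd_write,
         "3 consecutive failed logins": rule_login_failures}

def signature_detect(records):
    """Apply every rule to each record, with the preceding records available as context."""
    alerts = []
    for i in range(len(records)):
        for name, rule in RULES.items():
            if rule(records[: i + 1]):
                alerts.append((i, name))
    return alerts
```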
Distributed Host-Based IDS
defend a distributed collection of hosts
Host agent module: collects data from the host
LAN monitor agent module: same as the host agent module, but analyzes LAN traffic
Central manager module: receives reports from the LAN monitor and host agents and processes them to detect intrusion
NIDS Sensor Deployment
All Internet traffic passes through an external firewall that protects the entire facility
Traffic from the outside world is monitored
The external firewall also provides a degree of protection
Honeypots
designed to lure an attack away from critical systems
collect information about the attacker's activity
encourage the attacker to stay on the system long enough for administrators to respond
divert an attacker from accessing critical systems