Chapter 3: Intrusion Detection Systems
CST255: INTRUSION DETECTION AND PREVENTION
Chapter Outline
1.0 Intrusion Detection Systems
1.1 Types of IDS
1.2 Technical Bypass of IDS
1.3 Fragmentation
1.4 Related Tools for Network IDS
1.5 Next Generation IDS
1.6 Zero-day Attack
OBJECTIVES AND DELIVERABLE
• Understand the concept of IDS and the two major categorizations: by
features/models, and by location.
• Understand the pros and cons of each approach
• Understand the difference between exploits and vulnerabilities
INTRUSION DETECTION SYSTEMS (IDS)
DEFINITIONS
Intrusion: a set of actions aimed at compromising the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource.
Intrusion detection: the process of identifying, classifying and responding to intrusion activities.
Intrusion prevention: an extension of intrusion detection that also exercises access control to protect computers from exploitation.
INTRUSION DETECTION SYSTEM (IDS)
An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered.
What is intrusion detection?
- Passive in design
MONITOR (DETECT) FOR ATTACKS
Advantages of an IDS:
• Works passively
• Requires traffic to be mirrored in order to reach it
• Network traffic does not pass through the IDS unless it is mirrored
[Figure: Intrusion Detection System Operation, showing a Switch, an IDS-enabled sensor, the Target and a Management Console]
ELEMENTS OF INTRUSION DETECTION
Primary assumptions:
■ System activities are observable
■ Normal and intrusive activities have distinct evidence
Components of intrusion detection systems:
■ From an algorithmic perspective:
  ■ Features: capture intrusion evidence
  ■ Models: piece the evidence together
■ From a system architecture perspective:
  ■ Various components: audit data processor, knowledge base, decision engine, alarm and responses
COMPONENTS OF INTRUSION DETECTION SYSTEM
[Figure: activity data is captured as audit records (assumption: system activities are observable), analysed for evidence (assumption: normal and intrusive activities have distinct evidence), and results in an action/report]
INTRUSION DETECTION APPROACHES
Modeling
■ Features: evidences extracted from audit data
(dataset)
■ Analysis approach: piecing the evidences together
■ Misuse detection (a.k.a. signature-based)
■ Anomaly detection (a.k.a. behavior-based)
Deployment: Network-based or Host-based
■ Network based: monitor network traffic
■ Host based: monitor computer processes
1. MISUSE DETECTION
Intrusion patterns: sequences of system calls, patterns of network traffic, etc.
[Figure: known intrusion patterns are pattern-matched against observed intrusion activities]
Example: if (traffic contains “x90+de[Arn]{30}”) then “attack detected”
Problems?
Disadvantage: Can't detect new attacks
Misuse or Signature-based Detection
1. Contains a database of recognized (known) attacks
2. Activity is compared with signature database
3. Send alarm for suspicious activities
4. Can not detect new attacks
All the following are functions of Misuse or Signature-based Detection in IDS except one:
(a) Contains a database of recognized (known) attacks
(b) Activity is compared with signature database
(c) Can detect new attacks
(d) Cannot detect new attacks
(e) Sound alarm for suspicious activities
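The following is an added worked example, not code from the slides: a minimal misuse (signature-based) detector in Python. The signature database, the regular expressions and the packet payloads are all constructed for illustration; the NOP-sled rule stands in for the slide's "x90+de[Arn]{30}" example. The last packet carries an attack with no rule in the database and therefore raises no alarm, which is exactly the "cannot detect new attacks" limitation the slides list.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One entry of the recognized-attack database."""
    name: str
    pattern: re.Pattern


# Constructed signature database (assumption: these two rules are the whole
# "database of recognized attacks"). The first rule mirrors the slide's
# NOP-sled idea: a long run of 0x90 bytes preceding injected code.
SIGNATURES = [
    Signature("nop-sled", re.compile(rb"\x90{8,}")),
    Signature("http-path-traversal", re.compile(rb"GET /[^\r\n]*\.\./\.\./")),
]


def match_signatures(payload: bytes) -> list[str]:
    """Step 2 of the slide: compare one packet payload with every signature.

    Returns the names of all matching signatures; an empty list means
    'no alarm' for this packet.
    """
    return [sig.name for sig in SIGNATURES if sig.pattern.search(payload)]


def inspect(packets: list[bytes]) -> list[tuple[int, list[str]]]:
    """Run a captured packet list through the database, packet by packet."""
    return [(i, match_signatures(p)) for i, p in enumerate(packets)]


# Constructed traffic sample: one benign request, two payloads covered by a
# rule, and one attack (SQL injection, which the slides mention later) for
# which no signature exists yet.
PACKETS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",   # benign
    b"\x90" * 32 + b"\xcc\xcc",                                 # known: NOP sled
    b"GET /../../etc/passwd HTTP/1.1\r\n",                      # known: traversal
    b"GET /login?user=admin'%20OR%20'1'='1 HTTP/1.1\r\n",       # unknown: no rule
]

if __name__ == "__main__":
    for index, alerts in inspect(PACKETS):
        verdict = "ALARM: " + ", ".join(alerts) if alerts else "no alarm"
        print(f"packet {index}: {verdict}")
```

Run stand-alone, packets 1 and 2 raise alarms and packets 0 and 3 do not; the missed packet 3 is the price of a signature-only approach, and the only remedy within this model is adding a rule after the attack is already known.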
2. ANOMALY DETECTION
Define a profile describing “normal” behavior, then detect deviations.
Any problem?
[Figure: scatter plot of activity measures (CPU vs. process size) with a box marking the normal profile; points inside are normal, points outside are abnormal and flagged as probable intrusion]
Relatively high false positive rates
• Anomalies can just be new normal activities.
• Anomalies caused by other element faults
• E.g., router failure or misconfiguration, P2P misconfig
• Which method will detect DDoS SYN flooding ?
Anomaly or Behavior-based Detection
1. Looks for usage anomalies
2. Sometimes called an expert system
3. Mostly result in more false positive than signature-based
4. Can detect new attacks
Behaviour-based intrusion detection systems mostly result in more false positives than signature-based IDS. (True/False)
TYPES OF IDS
• Host-Based IDS Implementations
• Network-Based IDS Implementations
HOST-BASED IDS
Use OS auditing and monitoring mechanisms to find applications taken over by an attacker
■ Log all relevant system events (e.g., file/device accesses)
■ Monitor shell commands and system calls executed by user applications and system programs
■ Pay a price in performance if every system call is filtered
Problems:
■ User dependent: install/update IDS on all user machines!
■ If attacker takes over machine, can tamper with IDS binaries and modify audit logs
■ Only local view of the attack
NETWORK IDS
Deploying sensors at strategic locations
■ For example, packet sniffing via tcpdump at routers
Inspecting network traffic
■ Watch for violations of protocols and unusual connection patterns
■ Look into the packet payload for malicious code
Limitations
■ Cannot execute the payload or do any code analysis!
■ Record and process huge amounts of traffic
■ May be easily defeated by encryption, but can be mitigated with encryption only at the gateway/proxy
NETWORK-BASED IDS SENSORS
[Figure: network-based IDS sensors deployed at the Internet gateway routers]
At the early stage of a worm there are only limited worm samples. Host-based sensors can only cover a limited IP space, which has scalability issues, so they might not be able to detect the worm in its early stage.
HOST-BASED VS. NETWORK-BASED IDS
Sample question: give an attack that can only be detected by a host-based IDS but not by a network-based IDS.
■ SQL injection attack
Can you give an example of an attack that can only be detected by a network-based IDS but not by a host-based IDS?
KEY METRICS OF IDS/IPS
Algorithm
■ Alarm: A; Intrusion:
■ Detection (true alarm) rate
■ False negative rate
■ False alarm (aka false positive) rate
■ True negative rate
Architecture
■ Throughput of NIDS, targeting 10s of Gbps
■ E.g., 32 nsec for a 40-byte TCP SYN packet
■ Resilient to attacks
ALARM TRIGGERING MECHANISMS
Understanding Alarm Types:

Alarm Type     | Network Activity    | IPS Activity       | Outcome
---------------|---------------------|--------------------|--------------
False positive | Normal user traffic | Alarm generated    | Tune alarm
False negative | Attack traffic      | No alarm generated | Tune alarm
True positive  | Attack traffic      | Alarm generated    | Ideal setting
True negative  | Normal user traffic | No alarm generated | Ideal setting
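An added example, not part of the slides, tying the "Key metrics" slide to the alarm-type table above: it labels each logged event with its alarm type exactly as the table does, counts the four outcomes, and computes the four rates from the metrics slide. The evaluation log is constructed; the letter I for "intrusion" in the comments is an assumption (the slide only names A for "alarm"), as is the ValueError for a log with no attacks or no normal traffic, where the rates are undefined.

```python
from collections import Counter

# Constructed evaluation log: (was_attack, alarm_raised) per event, as you
# would get by replaying labelled traffic through the sensor.
EVALUATION_LOG = [
    (True, True), (True, True), (True, True), (True, False),    # 4 attacks, 1 missed
    (False, False), (False, False), (False, False),
    (False, False), (False, False), (False, True),              # 6 normal, 1 false alarm
]

# The slide's table, keyed on (network activity is attack?, alarm generated?).
ALARM_TYPES = {
    (False, True):  ("false positive", "normal user traffic", "alarm generated",    "tune alarm"),
    (True, False):  ("false negative", "attack traffic",      "no alarm generated", "tune alarm"),
    (True, True):   ("true positive",  "attack traffic",      "alarm generated",    "ideal setting"),
    (False, False): ("true negative",  "normal user traffic", "no alarm generated", "ideal setting"),
}
OUTCOME_ORDER = ("true positive", "false negative", "false positive", "true negative")


def alarm_type(was_attack: bool, alarm_raised: bool) -> str:
    """Name of the row in the alarm-type table for one event."""
    return ALARM_TYPES[(was_attack, alarm_raised)][0]


def outcome(was_attack: bool, alarm_raised: bool) -> str:
    """What the operator should do with this kind of event, per the table."""
    return ALARM_TYPES[(was_attack, alarm_raised)][3]


def confusion_counts(log) -> dict:
    """Count TP / FN / FP / TN over a labelled event log."""
    counts = Counter(alarm_type(a, r) for a, r in log)
    return {name: counts[name] for name in OUTCOME_ORDER}


def rates(log) -> dict:
    """The four rates from the metrics slide, conditioned on ground truth."""
    c = confusion_counts(log)
    attacks = c["true positive"] + c["false negative"]   # events where I holds
    normal = c["false positive"] + c["true negative"]    # events where I does not
    if attacks == 0 or normal == 0:
        raise ValueError("need both attack and normal events to compute rates")
    return {
        "detection_rate": c["true positive"] / attacks,        # P(A | I)
        "false_negative_rate": c["false negative"] / attacks,  # P(not A | I)
        "false_alarm_rate": c["false positive"] / normal,      # P(A | not I)
        "true_negative_rate": c["true negative"] / normal,     # P(not A | not I)
    }


if __name__ == "__main__":
    for name, count in confusion_counts(EVALUATION_LOG).items():
        print(f"{name:15s} {count}")
    for name, value in rates(EVALUATION_LOG).items():
        print(f"{name:20s} {value:.3f}")
    # The situation in question 2 below: attack traffic, no alarm generated.
    print(alarm_type(True, False), "->", outcome(True, False))
```

Note that detection rate and false negative rate sum to 1, as do false alarm rate and true negative rate: each pair is conditioned on the same ground-truth class, so tuning a threshold trades one member of a pair against the other rather than improving both.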
QUESTIONS
2. An intrusion detection system did not notify the network administrator of any threat in the network, but on close inspection the administrator found that there were indeed malicious threats in the network. Which of the following metrics best describes the situation?
(a) True positive
(b) False negative
(c) True negative
(d) False positive
(e) None of the above
ARCHITECTURE OF NETWORK IDS
Detection rules
FIREWALL/NET IPS VS NET IDS
Firewall/IPS
■ Active filtering
■ Fail-close
Network IDS
■ Passive monitoring
■ Fail-open
TECHNICAL BYPASS TECHNIQUES
NIDS
■ Fragmentation
■ TCP un-sync (ATM: high data rate)
■ Low TTL (Time To Live)
■ 'Max' MTU (Maximum Transmission Unit)
■ HTTP protocol
■ Telnet protocol
HIDS
■ Kernel hacks
■ Bypassing stack protection
■ Library hacks
■ HTTP logging insertion techniques
ZERO-DAY ATTACKS
WHAT IS ZERO-DAY ATTACK?
A zero-day vulnerability is a network vulnerability that is previously unknown to, or unaddressed by, those who should be interested in mitigating it. Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network.
COUNTING ZERO-DAY ATTACKS
[Figure: a network tap feeds a protocol classifier (TCP 25, 53, 80, 137; UDP 1434); traffic observed on the honeynet/darknet is passed to statistical detection]
PROBLEMS WITH CURRENT IDS
1. Inaccuracy of exploit-based signatures
2. Cannot recognize unknown anomalies/intrusions
3. Cannot provide quality information for forensics or situational-aware analysis
4. Hard to differentiate malicious events from unintentional anomalies
5. Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or application (such as P2P) misconfiguration
6. Cannot tell the situational-aware information: attack scope/target/strategy, attacker (botnet) size, etc.
Thank you for your attention!

More Related Content

Similar to Chapter-3-Intrusion-Detection-Systems-part-1.ppt

Self Monitoring System to Catch Unauthorized Activity
Self Monitoring System to Catch Unauthorized ActivitySelf Monitoring System to Catch Unauthorized Activity
Self Monitoring System to Catch Unauthorized ActivityIRJET Journal
 
Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Report: Study and Implementation of Advance Intrusion Detection and Preventio...Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Report: Study and Implementation of Advance Intrusion Detection and Preventio...Deepak Mishra
 
Network forensics
Network forensicsNetwork forensics
Network forensicsArthyR3
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...NoNameCon
 
Role of data mining in cyber security
Role of data mining in cyber securityRole of data mining in cyber security
Role of data mining in cyber securityKhaled Al-Khalili
 
Detecting Anomaly IDS in Network using Bayesian Network
Detecting Anomaly IDS in Network using Bayesian NetworkDetecting Anomaly IDS in Network using Bayesian Network
Detecting Anomaly IDS in Network using Bayesian NetworkIOSR Journals
 
Detecting Various Intrusion Attacks using A Fuzzy Triangular Membership Function
Detecting Various Intrusion Attacks using A Fuzzy Triangular Membership FunctionDetecting Various Intrusion Attacks using A Fuzzy Triangular Membership Function
Detecting Various Intrusion Attacks using A Fuzzy Triangular Membership FunctionIRJET Journal
 
BSIT3CD_Continuation of Cyber incident response (1).pdf
BSIT3CD_Continuation of Cyber incident response (1).pdfBSIT3CD_Continuation of Cyber incident response (1).pdf
BSIT3CD_Continuation of Cyber incident response (1).pdfStevenJoeBiago
 
IRJET- A Review on Application of Data Mining Techniques for Intrusion De...
IRJET-  	  A Review on Application of Data Mining Techniques for Intrusion De...IRJET-  	  A Review on Application of Data Mining Techniques for Intrusion De...
IRJET- A Review on Application of Data Mining Techniques for Intrusion De...IRJET Journal
 
Security 101: IBM i Security Auditing and Reporting
Security 101: IBM i Security Auditing and ReportingSecurity 101: IBM i Security Auditing and Reporting
Security 101: IBM i Security Auditing and ReportingPrecisely
 
An Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection SystemsAn Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection SystemsIRJET Journal
 
Using Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection SystemsUsing Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection SystemsOmar Shaya
 
A Study of Intrusion Detection and Prevention System for Network Security
A Study of Intrusion Detection and Prevention System for Network SecurityA Study of Intrusion Detection and Prevention System for Network Security
A Study of Intrusion Detection and Prevention System for Network SecurityIRJET Journal
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
infoAssurance (1).pptx
infoAssurance (1).pptxinfoAssurance (1).pptx
infoAssurance (1).pptxStevenJoeBiago
 

Similar to Chapter-3-Intrusion-Detection-Systems-part-1.ppt (20)

Cyber intrusion
Cyber intrusionCyber intrusion
Cyber intrusion
 
Self Monitoring System to Catch Unauthorized Activity
Self Monitoring System to Catch Unauthorized ActivitySelf Monitoring System to Catch Unauthorized Activity
Self Monitoring System to Catch Unauthorized Activity
 
Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Report: Study and Implementation of Advance Intrusion Detection and Preventio...Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Report: Study and Implementation of Advance Intrusion Detection and Preventio...
 
Network forensics
Network forensicsNetwork forensics
Network forensics
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
 
Role of data mining in cyber security
Role of data mining in cyber securityRole of data mining in cyber security
Role of data mining in cyber security
 
Detecting Anomaly IDS in Network using Bayesian Network
Detecting Anomaly IDS in Network using Bayesian NetworkDetecting Anomaly IDS in Network using Bayesian Network
Detecting Anomaly IDS in Network using Bayesian Network
 
Detecting Various Intrusion Attacks using A Fuzzy Triangular Membership Function
Detecting Various Intrusion Attacks using A Fuzzy Triangular Membership FunctionDetecting Various Intrusion Attacks using A Fuzzy Triangular Membership Function
Detecting Various Intrusion Attacks using A Fuzzy Triangular Membership Function
 
Es34887891
Es34887891Es34887891
Es34887891
 
BSIT3CD_Continuation of Cyber incident response (1).pdf
BSIT3CD_Continuation of Cyber incident response (1).pdfBSIT3CD_Continuation of Cyber incident response (1).pdf
BSIT3CD_Continuation of Cyber incident response (1).pdf
 
IRJET- A Review on Application of Data Mining Techniques for Intrusion De...
IRJET-  	  A Review on Application of Data Mining Techniques for Intrusion De...IRJET-  	  A Review on Application of Data Mining Techniques for Intrusion De...
IRJET- A Review on Application of Data Mining Techniques for Intrusion De...
 
Security 101: IBM i Security Auditing and Reporting
Security 101: IBM i Security Auditing and ReportingSecurity 101: IBM i Security Auditing and Reporting
Security 101: IBM i Security Auditing and Reporting
 
IT SYSTEMS , CONTROLS , CAATS AND FLOWCHARTS
IT SYSTEMS , CONTROLS , CAATS AND FLOWCHARTS IT SYSTEMS , CONTROLS , CAATS AND FLOWCHARTS
IT SYSTEMS , CONTROLS , CAATS AND FLOWCHARTS
 
Ak03402100217
Ak03402100217Ak03402100217
Ak03402100217
 
An Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection SystemsAn Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection Systems
 
Using Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection SystemsUsing Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection Systems
 
A Study of Intrusion Detection and Prevention System for Network Security
A Study of Intrusion Detection and Prevention System for Network SecurityA Study of Intrusion Detection and Prevention System for Network Security
A Study of Intrusion Detection and Prevention System for Network Security
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
infoAssurance (1).pptx
infoAssurance (1).pptxinfoAssurance (1).pptx
infoAssurance (1).pptx
 
012
012012
012
 

Recently uploaded

History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxsocialsciencegdgrohi
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfadityarao40181
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxAvyJaneVismanos
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerunnathinaik
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,Virag Sontakke
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 

Recently uploaded (20)

History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdf
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developer
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application )
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 

Chapter-3-Intrusion-Detection-Systems-part-1.ppt

  • 3. Chapter Outline 1.0 Intrusion Detection Systems 1.1 Types of IDS 1.2 Technical Bypass of IDS 1.3 Fragmentation 1.4 Related Tools for Network IDS 1.5 Next Generation IDS 1.6 Zero-day Attack
  • 4. OBJECTIVES AND DELIVERABLE • Understand the concept of IDS and the two major categorizations: by features/models, and by location. • Understand the pros and cons of each approach • Understand the difference between exploits and vulnerabilities
  • 6. DEFINITIONS Intrusion A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability, of a computing and networking resource Intrusion detection The process of identifying, classifying and responding to intrusion activities Intrusion prevention Extension of ID with exercises of access control to protect computers from exploitation
  • 7. (JJJLOLJI c_a^j dil^. (j-® ^ r j ^A Ajjul^^jl jl 4J^JJUO jl 4^O^JU0 4-ll<<i'^il tlil£dJUdll a <- q ^Ja Aii .}^)] |j L- fljlut iJj .lJ.l aJ <LlL aC. Cj'j^ V' 6^-^.l
  • 8. INTRUSION DETECTION SYSTEM (IDS) An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. viljj JA(IDS) flkj jA^aJj 0jlulA il^iJ jjj^ , J UjlSlU ** •* What is intrusion detection? - Passive in design
  • 9. MONITOR (DETECT) FOR ATTACKS Advantages of an IDS: • Works passively • Requires traffic to be mirrored in order to reach it • Network traffic does not pass through the IDS unless it is mirrored IDS: y> jjj^l A^j^ Q W! Jj^jJl '^JVJIDS ^ A^I jjj^ A£j^ V Intrusion Detection System Operation Switch IDS-enabled Target Management Console
  • 10. ELEMENTS OF INTRUSION DETECTION Primary assumptions: ■ System activities are observable ■ Normal and intrusive activities have distinct evidence ;AjJjVl i*iK^lj3iVI A^^lj ALl l*J ApUJl Components of intrusion detection systems: ■ From an algorithmic perspective: ■ Features - capture intrusion evidences ■ Models - piece evidences together Algorithm ;JLuJl _ ^ljj£^ ;^jj'jA jj^J* j* JLuJl ALl .LM -AJ^VI From a system architecture perspective: ■ Various components: audit data processor, knowledge base, decision engine, alarm id responses System architecture Ajjj jj^J^ j^ ^lUljJ ^Jl*^; ^ljj£^ ^j^jJlj jljj^l cjljSJl ^J^^ cAij^^Jl
  • 11. COMPONENTS OF INTRUSION DETECTION SYSTEM system activities are observable Audit Records Activity Data normal and intrusive activities have distinct evidence Action/Report 0 0 0
  • 12. INTRUSION DETECTION APPROACHES Modeling ■ Features: evidences extracted from audit data (dataset) ■ Analysis approach: piecing the evidences together ■ Misuse detection (a.k.a. signature-based) ■ Anomaly detection (a.k.a. behavior-based) Deployment: Network-based or Host-based ■ Network based: monitor network traffic ■ Host based: monitor computer processes (^ULnJl (^ja jjJl ILk/l _jkj( £j-^ l (^jl^iJl ^Jo ^l l^iajl _ ajkjj(AjAuJl Qo _ aU£^l aj" ^^Jl ,^i»j jl A^JUJI ^Jo ,^i»j ; jUdJl A^JUJI JJJA A^j^. AjaljA ;A<JUJI ^Jo AAA*J jjjjj^^Jl ^/jJ^o Ajalj^ ;_j^AJl ^Jo A^A*J
  • 13. 1. MISUSE DETECTION Intrusion Patterns: Sequences of system calls, patterns of network traffic, ,etc. pattern matching intrusion activities Example: if (traffic contains “x90+de[Arn]{30}”) then “attack detected” Problems? Disadvantage: Can't detect new attacks
  • 14. oUljd] AJ]^.IA]| AJ A^J]I V ^AjJl^aj ^1 .wn H^I &jui ^jc jl ^A3J]I ^JSJJJIJ i _^^J' J^XJ Misuse or Signature-based Detection 1. Contains a database of recognized (known) attacks 2. Activity is compared with signature database 3. Send alarm for suspicious activities 4. Can not detect new attacks .(Aijjx^]l) Igj AIUUJ SJelS Je. n AiJJ*^]' ol*JajJ]') oULu SAe-la (AJ^SJ!' J]') .LLAi]' Ajj-Li n AAJ^I jiijj juj n SJJJ^]I _^^]l ^S^J v n
  • 15. All the following are functions of Misuse or Signature-based Detection in IDS except one: (a) Contains a database of recognized (known) attacks (b) Activity is compared with signature database (c) Can detect new attacks (d) Cannot detect new attacks (e) Sound alarm for suspicious activities
  • 16. 2. ANOMALY DETECTION Define a profile describin “normal” behavior, th detects deviations. Any problem ? actlvlty measure s __alxs 90 80 70 btr 50 40 30 20 10 0 / 71 CPU i r Process Size probable intrusion □ normal pi ofile □ abnormal Relatively high false positive rates ^ • Anomalies can just be new normal activities. • 4jale QpjQj| aii • Anomalies caused by other element faults • E.g., router failure or misconfiguration, P2P misconfig • Which method will detect DDoS SYN flooding ?
  • 17. Anomaly or Behavior-based Detection JJC. jC ^ 1. Looks for usage anomalies 2. Sometimes called an expert system 3. Mostly result in more false positive than signature-based 4. Can detect new attacks (je. n n j]| ^1C i^li j* JJSI 4-plS 4JJUJ) gj/jj ^Ul ^ n Behaviour-based intrusion detection systems mostly result in more false positive than signature-based IDS. (Ture -False)
  • 18. TYPES OF IDS • Host-Based IDS Implementations • Network-Based IDS Implementations
  • 19. HOST-BASED IDS q^l^JI ^^3 A^hjl Use OS auditing and monitoring mechanisms to find applications taken over by attacker ■ Log all relevant system events (e.g., file/device accesses) ■ Monitor shell commands and system calls executed by user applications and system programs ■ Pay a price in performance if every system call is filtered IgjJo ^JjJ^il I t^'/ajjUjJl 10^1 Jji^u]| ^l^j ^j^AJ ^)U]| ^A^J^il ) j j ^ ^ j J i ^IA ^)IA^.I j ^^Ijjj ^A^J^I^II ^/QJJUJ lA^jijj ^Jj shell j^ij! Ajiij^ g.loAJml j£ 4ji^aJ l^uJ IA] ^IA^I £iA Problems: ■ User dependent: install/update IDS on all user machines! ■ If attacker takes over machine, can tamper with IDS binaries and modify audit logs j Only local view of the attack I^AVUHJI ojg^J JojDS ^JA^J/( Jl Jo AA!*J ^J^ajJ( ^jiAjJi JjA*JjjDS ^O^jJi Aj£^ji cjlg^Jl ^Jo ^/g^Jl ^JjJ^i IAJ .^j^Vi ^l^j^llj ^AIJ^JI -« . 4jjo ^JJI j/g^JJ oAljjJlj ojAl^aJl ^)Uljj]| ^laljJ
• 20. NETWORK IDS Deploying sensors at strategic locations
■ For example, packet sniffing via tcpdump at routers
Inspecting network traffic
■ Watch for violations of protocols and unusual connection patterns
■ Look into the packet payload for malicious code
Limitations
■ Cannot execute the payload or do any code analysis!
■ Must record and process a huge amount of traffic
■ May be easily defeated by encryption, but this can be mitigated by terminating encryption at the gateway/proxy, where the sensor sees cleartext
• 22. NETWORK BASED IDS (Figure: Internet, gateway routers) At the early stage of a worm, only limited worm samples exist. Host-based sensors can only cover a limited IP space, which raises scalability issues. Thus they might not be able to detect the worm in its early stage.
• 23. HOST-BASED VS. NETWORK-BASED IDS Sample question: give an attack that can only be detected by a host-based IDS but not by a network-based IDS.
■ SQL injection attack
Can you give an example that can only be detected by a network-based IDS but not by a host-based IDS?
• 24. KEY METRICS OF IDS/IPS
Algorithm
■ Alarm: A; Intrusion:
■ Detection (true alarm) rate
■ False negative rate
■ False alarm (aka false positive) rate
■ True negative rate
Architecture
■ Throughput of NIDS, targeting 10s of Gbps
■ E.g., 32 nsec per 40-byte TCP SYN packet
■ Resilient to attacks
• 25. ALARM TRIGGERING MECHANISMS Understanding Alarm Types:
Alarm Type     | Network Activity    | IPS Activity       | Outcome
False positive | Normal user traffic | Alarm generated    | Tune alarm
False negative | Attack traffic      | No alarm generated | Tune alarm
True positive  | Attack traffic      | Alarm generated    | Ideal setting
True negative  | Normal user traffic | No alarm generated | Ideal setting
• 26. QUESTIONS 2. An intrusion detection system did not notify the network administrator of any threat in the network, but on close inspection the administrator found that there were indeed malicious threats in the network. Which of the following metrics best describes the situation? (a) True positive (b) False negative (c) True negative (d) False positive (e) None of the above
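Slides 24 to 26 define the metrics in words; the added example below (not from the slides) computes them from a constructed list of labelled events, classifies a single event the way the alarm-type table does, and works out the per-packet time budget that gives the slide's "32 nsec" figure (a 40-byte packet is 320 bits, and at 10 Gbps one arrives every 320 / 10 = 32 ns). Precision is included as an extra the slides do not list; the event counts are assumptions chosen for the demonstration.

```python
def classify(alarm, intrusion):
    """Label one event the way the alarm-type table does."""
    if intrusion:
        return "true positive" if alarm else "false negative"
    return "false positive" if alarm else "true negative"


def confusion(events):
    """events: iterable of (alarm_raised, was_intrusion) pairs -> dict of counts."""
    counts = {"true positive": 0, "false negative": 0, "false positive": 0, "true negative": 0}
    for alarm, intrusion in events:
        counts[classify(alarm, intrusion)] += 1
    return counts


def rates(counts):
    """The four rates from the slide, plus precision (fraction of alarms that were real)."""
    tp, fn = counts["true positive"], counts["false negative"]
    fp, tn = counts["false positive"], counts["true negative"]
    intrusions, benign = tp + fn, fp + tn
    if intrusions == 0 or benign == 0:
        raise ValueError("need at least one intrusion and one benign event")
    return {
        "detection_rate": tp / intrusions,        # P(alarm | intrusion)
        "false_negative_rate": fn / intrusions,   # 1 - detection rate
        "false_alarm_rate": fp / benign,          # P(alarm | no intrusion)
        "true_negative_rate": tn / benign,        # 1 - false alarm rate
        "precision": tp / (tp + fp),              # not on the slide; what an analyst sees
    }


def packet_time_budget_ns(packet_bytes, link_gbps):
    """Nanoseconds between back-to-back packets of this size at line rate.
    bits / (Gbit/s) is already in ns, since Gbit = 1e9 bit and ns = 1e-9 s cancel."""
    return packet_bytes * 8 / link_gbps


# Constructed sample: 100 events, 10 of them real intrusions, 12 alarms raised.
SAMPLE_EVENTS = (
    [(True, True)] * 7       # detected intrusions
    + [(False, True)] * 3    # missed intrusions (the slide-26 situation)
    + [(True, False)] * 5    # alarms on benign traffic
    + [(False, False)] * 85  # quiet benign traffic
)


def demo():
    return rates(confusion(SAMPLE_EVENTS))


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value:.3f}")
    print("slide-26 situation:", classify(alarm=False, intrusion=True))
    print("40-byte packet at 10 Gbps:", packet_time_budget_ns(40, 10), "ns")
```

Note the base-rate effect visible in the numbers: a 5.6 % false alarm rate over 90 benign events produces almost as many false alarms as true ones, so precision is only 7/12 even though the detection rate is 70 %. That is why the "tune alarm" outcome in the table matters in practice.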
• 27. ARCHITECTURE OF NETWORK IDS (Figure: detection rules)
• 28. FIREWALL/NET IPS VS NET IDS
Firewall/IPS
■ Active filtering
■ Fail-close
Network IDS
■ Passive monitoring
■ Fail-open
• 29. TECHNICAL BYPASS TECHNIQUES
NIDS
■ Fragmentation
■ TCP un-sync (ATM: high data rate)
■ Low TTL (Time To Live)
■ 'Max' MTU (Maximum Transmission Unit)
■ HTTP protocol
■ Telnet protocol
HIDS
■ Kernel hacks
■ Bypassing stack protection
■ Library hacks
■ HTTP logging insertion techniques
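Fragmentation, the first NIDS bypass on this slide, defeats the payload inspection described on slide 20 whenever the sensor matches signatures fragment by fragment, because a pattern can straddle a fragment boundary. The added example below (not code from the slides) shows the mitigation: a small IPv4 parser and reassembler that restores the datagram before the signature scan. `build_fragments` only produces constructed test input so the reassembler can be exercised offline; the addresses, IP ID, and the single hypothetical `SIGNATURES` rule are assumptions. The overlap policy (drop a datagram whose fragments overlap with different bytes) is one conservative choice, not the slide's.

```python
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options


def parse_ipv4(pkt):
    """Decode the fields a reassembler needs from a raw IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "key": (src, dst, ident, proto),        # identifies one datagram
        "mf": bool(flags_off & 0x2000),         # More Fragments flag
        "offset": (flags_off & 0x1FFF) * 8,     # fragment offset is in 8-byte units
        "payload": pkt[ihl:total_len],
    }


class Reassembler:
    """Collect fragments per datagram; return the full payload once it is contiguous."""

    def __init__(self):
        self.pieces = defaultdict(dict)   # key -> {offset: payload}
        self.total = {}                   # key -> total payload length (from last fragment)

    def feed(self, pkt):
        h = parse_ipv4(pkt)
        key, off = h["key"], h["offset"]
        # Conservative overlap policy: hosts resolve overlapping fragments differently,
        # so a conflicting duplicate makes the datagram ambiguous and it is dropped.
        if off in self.pieces[key] and self.pieces[key][off] != h["payload"]:
            self.pieces.pop(key)
            self.total.pop(key, None)
            return None
        self.pieces[key][off] = h["payload"]
        if not h["mf"]:
            self.total[key] = off + len(h["payload"])
        if key not in self.total:
            return None                   # last fragment not seen yet
        data, pos = b"", 0
        while pos in self.pieces[key]:
            chunk = self.pieces[key][pos]
            if not chunk:
                break                     # empty fragment: never loop forever
            data += chunk
            pos += len(chunk)
        if pos != self.total[key]:
            return None                   # a gap remains: keep waiting
        del self.pieces[key], self.total[key]
        return data


SIGNATURES = {"sqli-union-select": b"UNION SELECT"}   # hypothetical rule


def scan(data):
    """Signature match over one byte string; returns the names of matching rules."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def build_fragments(ident, payload, frag_size, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed test input: split a payload into IPv4 fragments (frag_size % 8 == 0)."""
    assert frag_size % 8 == 0, "fragment offsets are counted in 8-byte units"
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        mf = off + frag_size < len(payload)
        flags_off = (0x2000 if mf else 0) | (off // 8)
        hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(chunk), ident, flags_off, 64, 6, 0, src, dst)
        frags.append(hdr + chunk)
    return frags


def demo():
    """Scan each fragment on its own, then scan the reassembled datagram."""
    payload = b"GET /search?q=1 UNION SELECT password FROM users HTTP/1.1\r\n"
    frags = build_fragments(0x1234, payload, 24)      # 24-byte pieces split "UNION SELECT"
    per_fragment = [hit for f in frags for hit in scan(parse_ipv4(f)["payload"])]
    reassembler, reassembled = Reassembler(), []
    for f in (frags[2], frags[0], frags[1]):          # fragments arrive out of order
        data = reassembler.feed(f)
        if data is not None:
            reassembled = scan(data)
    return per_fragment, reassembled


if __name__ == "__main__":
    print(demo())   # ([], ['sqli-union-select'])
```

Per-fragment scanning returns nothing because "UNION SE" ends one fragment and "LECT password" starts the next; the same rule fires once the reassembler has the whole datagram. A production sensor additionally needs per-datagram timeouts and memory limits, since holding partial datagrams indefinitely is itself a resource-exhaustion exposure.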
• 31. ZERO-DAY ATTACKS WHAT IS A ZERO-DAY ATTACK? A zero-day vulnerability is a network vulnerability that is previously unknown to, or unaddressed by, those who should be interested in mitigating it. Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network.
• 32. COUNTING ZERO-DAY ATTACKS (Figure: network tap feeding a protocol classifier that separates TCP 25, TCP 53, TCP 80, TCP 137 and UDP 1434 traffic; unmatched traffic goes to a honeynet/darknet and to statistical detection)
• 33. PROBLEMS WITH CURRENT IDS
1. Inaccuracy of exploit-based signatures
2. Cannot recognize unknown anomalies/intrusions
3. Cannot provide quality information for forensics or situational-aware analysis
4. Hard to differentiate malicious events from unintentional anomalies
5. Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or by application (such as P2P) misconfiguration
6. Cannot tell the situational-aware information: attack scope/target/strategy, attacker (botnet) size, etc.
  • 34. Thank you for your attention!