The document discusses intrusion detection and prevention. It describes different types of cyber attackers including cybercriminals, hacktivists, and state-sponsored organizations. It also discusses their skills ranging from apprentice to master level hackers. Common attack behaviors are also outlined. Intrusion detection systems, signature-based detection, and anomaly-based detection are examined. Host-based and network-based intrusion detection are compared. Firewalls, virtual private networks, and intrusion prevention systems are also summarized.
Cyber Threat Intelligence is a process in which information from different sources is collected, then analyzed to identify and detect threats against any environment. The information collected could be evidence-based knowledge that could support the context, mechanism, indicators, or implications about an already existing threat against an environment, and/or the knowledge about an upcoming threat that could potentially affect the environment. Credit: Marlabs Inc
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. These rare, but essential, breed of enterprise cyber defenders give proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
IJERA (International journal of Engineering Research and Applications) is International online, ... peer reviewed journal. For more detail or submit your article, please visit www.ijera.com
Embark on a journey into the clandestine world of cyber reconnaissance with our cyber security project presentation! This presentation demystifies the tools and technologies employed by both ethical hackers and malicious actors to gather intelligence on target systems. Explore the intricacies of passive and active reconnaissance methods, discover powerful tools like Nmap, Maltego, and Shodan, and learn how to fortify your defenses against information gathering attempts. Whether you're a cybersecurity enthusiast or a seasoned professional, this presentation empowers you with the knowledge to detect and counter reconnaissance efforts, keeping your organization's data safe. visit us for more such cyber security project presentation https://bostoninstituteofanalytics.org/cyber-security-and-ethical-hacking/
The Pros and Cons of Different Security Detection Technologies.pdfSecurityDetectionSol
we provide an overview of leading Security Detection Solutions and technologies and discuss their relative advantages to help inform organizations’ decisions.
Cyber Threat Intelligence is a process in which information from different sources is collected, then analyzed to identify and detect threats against any environment. The information collected could be evidence-based knowledge that could support the context, mechanism, indicators, or implications about an already existing threat against an environment, and/or the knowledge about an upcoming threat that could potentially affect the environment. Credit: Marlabs Inc
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. These rare, but essential, breed of enterprise cyber defenders give proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
IJERA (International journal of Engineering Research and Applications) is International online, ... peer reviewed journal. For more detail or submit your article, please visit www.ijera.com
Embark on a journey into the clandestine world of cyber reconnaissance with our cyber security project presentation! This presentation demystifies the tools and technologies employed by both ethical hackers and malicious actors to gather intelligence on target systems. Explore the intricacies of passive and active reconnaissance methods, discover powerful tools like Nmap, Maltego, and Shodan, and learn how to fortify your defenses against information gathering attempts. Whether you're a cybersecurity enthusiast or a seasoned professional, this presentation empowers you with the knowledge to detect and counter reconnaissance efforts, keeping your organization's data safe. visit us for more such cyber security project presentation https://bostoninstituteofanalytics.org/cyber-security-and-ethical-hacking/
The Pros and Cons of Different Security Detection Technologies.pdfSecurityDetectionSol
we provide an overview of leading Security Detection Solutions and technologies and discuss their relative advantages to help inform organizations’ decisions.
Information Securityfind an article online discussing defense-in-d.pdfforladies
Information Security
find an article online discussing defense-in-depth. List your source and provide a paragraph
summary of what the article stated.
Solution
Abstract
The exponential growth of the Internet interconnections has led to a significant growth of cyber
attack incidents often with disastrous and grievous consequences. Malware is the primary choice
of weapon to carry out malicious intents in the cyberspace, either by exploitation into existing
vulnerabilities or utilization of unique characteristics of emerging technologies. The
development of more innovative and effective malware defense mechanisms has been regarded
as an urgent requirement in the cybersecurity community. To assist in achieving this goal, we
first present an overview of the most exploited vulnerabilities in existing hardware, software, and
network layers. This is followed by critiques of existing state-of-the-art mitigation techniques as
why they do or don\'t work. We then discuss new attack patterns in emerging technologies such
as social media, cloud computing, smartphone technology, and critical infrastructure. Finally, we
describe our speculative observations on future research directions.
A multi-layered approach to cyber security utilising machine learning and advanced analytics is
essential to defend against sophisticated multi-stage attacks including:
Insider Threats | Advanced Human Attacks | Supply Chain Infection | Ransomware |
Compromised User Accounts | Data Loss
Prepare for a cyber security incident or attack and how to adequately manage the aftermath with
an organised approach to Incident Response – coordinating resources, people, information,
technology and complying with regulations.
INSIDER THREATS
Insider threat can originate from employees, contractors, third party services or anyone with
access rights to your network, corporate data or business premises.
The challenge is to identify attacks and understand how they develop in real-time by analysing
and correlating the subtle signs of compromise that an insider makes when they infiltrate the
network.
Traditional security measures are no longer sufficient to combat insider threat. A more
sophisticated, intelligence-based approach is required. Cyberseer uses machine-learning
technology to form a behavioural baseline for every user to determine normal activity and spot
new, previously unidentified threat behaviours. The move to a more proactive approach towards
security will enable companies to take action to thwart developing situations escalating into
exfiltrated information or damaging incidents.
ADVANCED HUMAN ATTACKS
Advanced threats use a set of stealthy and continuous processes to target an organisation, which
is often orchestrated for business or political motives by individuals (or groups). The “advanced”
process signifies sophisticated techniques using malware to exploit vulnerabilities in
organisations systems. They are considered persistent because an external command and control
system .
Supervised Machine Learning Algorithms for Intrusion Detection.pptxssuserf3a100
Intrusion detection systems using supervised machine learning algorithms are considered one of the most important tools used in the field of information security. These systems analyze data and detect illegal activities and intrusions into networks and systems. These systems rely on machine learning techniques to classify data as either normal activity or a hack. These systems include training and testing phases, where the algorithms are trained on a set of pre-labeled data to learn the natural pattern of the data and distinguish between normal activities and intrusions. Many supervisory machine learning algorithms are available for intrusion detection systems, such as Gaussian Naive Bayes, Decision Tree, Random Forest, Support Vector Machine, and Logistic Regression.
The problem of security and electronic breaches targeting networks is one of the biggest problems facing organizations today. To solve this problem, intrusion detection systems (IDS) and their tools can be used to detect and prevent these threats. This file provides an introductory overview of this problem
Security breaches
networks
Infiltration (IDS)
Algorithms
Machine learning
Intelligence Driven Threat Detection and ResponseEMC
This white paper examines how an intelligence-driven approach to threat detection and response can help organizations achieve predictably high standards of security despite today’s rapidly escalating and unpredictable threat environment.
Exploring Ethical Hacking for a Safer Digital Worldrashmicetpa20
Ethical hacking is the use of hacking techniques by friendly parties in an attempt to uncover, understand and fix security vulnerabilities in a network or computer system.
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
Information Securityfind an article online discussing defense-in-d.pdfforladies
Information Security
find an article online discussing defense-in-depth. List your source and provide a paragraph
summary of what the article stated.
Solution
Abstract
The exponential growth of the Internet interconnections has led to a significant growth of cyber
attack incidents often with disastrous and grievous consequences. Malware is the primary choice
of weapon to carry out malicious intents in the cyberspace, either by exploitation into existing
vulnerabilities or utilization of unique characteristics of emerging technologies. The
development of more innovative and effective malware defense mechanisms has been regarded
as an urgent requirement in the cybersecurity community. To assist in achieving this goal, we
first present an overview of the most exploited vulnerabilities in existing hardware, software, and
network layers. This is followed by critiques of existing state-of-the-art mitigation techniques as
why they do or don\'t work. We then discuss new attack patterns in emerging technologies such
as social media, cloud computing, smartphone technology, and critical infrastructure. Finally, we
describe our speculative observations on future research directions.
A multi-layered approach to cyber security utilising machine learning and advanced analytics is
essential to defend against sophisticated multi-stage attacks including:
Insider Threats | Advanced Human Attacks | Supply Chain Infection | Ransomware |
Compromised User Accounts | Data Loss
Prepare for a cyber security incident or attack and how to adequately manage the aftermath with
an organised approach to Incident Response – coordinating resources, people, information,
technology and complying with regulations.
INSIDER THREATS
Insider threat can originate from employees, contractors, third party services or anyone with
access rights to your network, corporate data or business premises.
The challenge is to identify attacks and understand how they develop in real-time by analysing
and correlating the subtle signs of compromise that an insider makes when they infiltrate the
network.
Traditional security measures are no longer sufficient to combat insider threat. A more
sophisticated, intelligence-based approach is required. Cyberseer uses machine-learning
technology to form a behavioural baseline for every user to determine normal activity and spot
new, previously unidentified threat behaviours. The move to a more proactive approach towards
security will enable companies to take action to thwart developing situations escalating into
exfiltrated information or damaging incidents.
ADVANCED HUMAN ATTACKS
Advanced threats use a set of stealthy and continuous processes to target an organisation, which
is often orchestrated for business or political motives by individuals (or groups). The “advanced”
process signifies sophisticated techniques using malware to exploit vulnerabilities in
organisations systems. They are considered persistent because an external command and control
system .
Supervised Machine Learning Algorithms for Intrusion Detection.pptxssuserf3a100
Intrusion detection systems using supervised machine learning algorithms are considered one of the most important tools used in the field of information security. These systems analyze data and detect illegal activities and intrusions into networks and systems. These systems rely on machine learning techniques to classify data as either normal activity or a hack. These systems include training and testing phases, where the algorithms are trained on a set of pre-labeled data to learn the natural pattern of the data and distinguish between normal activities and intrusions. Many supervisory machine learning algorithms are available for intrusion detection systems, such as Gaussian Naive Bayes, Decision Tree, Random Forest, Support Vector Machine, and Logistic Regression.
The problem of security and electronic breaches targeting networks is one of the biggest problems facing organizations today. To solve this problem, intrusion detection systems (IDS) and their tools can be used to detect and prevent these threats. This file provides an introductory overview of this problem
Security breaches
networks
Infiltration (IDS)
Algorithms
Machine learning
Intelligence Driven Threat Detection and ResponseEMC
This white paper examines how an intelligence-driven approach to threat detection and response can help organizations achieve predictably high standards of security despite today’s rapidly escalating and unpredictable threat environment.
Exploring Ethical Hacking for a Safer Digital Worldrashmicetpa20
Ethical hacking is the use of hacking techniques by friendly parties in an attempt to uncover, understand and fix security vulnerabilities in a network or computer system.
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
Read| The latest issue of The Challenger is here! We are thrilled to announce that our school paper has qualified for the NATIONAL SCHOOLS PRESS CONFERENCE (NSPC) 2024. Thank you for your unwavering support and trust. Dive into the stories that made us stand out!
Normal Labour/ Stages of Labour/ Mechanism of LabourWasim Ak
Normal labor is also termed spontaneous labor, defined as the natural physiological process through which the fetus, placenta, and membranes are expelled from the uterus through the birth canal at term (37 to 42 weeks
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Dr. Vinod Kumar Kanvaria
Exploiting Artificial Intelligence for Empowering Researchers and Faculty,
International FDP on Fundamentals of Research in Social Sciences
at Integral University, Lucknow, 06.06.2024
By Dr. Vinod Kumar Kanvaria
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
This slides describes the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentations aligns with the UGC Paper I syllabus.
Executive Directors Chat Leveraging AI for Diversity, Equity, and InclusionTechSoup
Let’s explore the intersection of technology and equity in the final session of our DEI series. Discover how AI tools, like ChatGPT, can be used to support and enhance your nonprofit's DEI initiatives. Participants will gain insights into practical AI applications and get tips for leveraging technology to advance their DEI goals.
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
Acetabularia Information For Class 9 .docxvaibhavrinwa19
Acetabularia acetabulum is a single-celled green alga that in its vegetative state is morphologically differentiated into a basal rhizoid and an axially elongated stalk, which bears whorls of branching hairs. The single diploid nucleus resides in the rhizoid.
1. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Cybersecurity
Intrusion detection and
prevention
Mauro Barni
University of Siena
2. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
You’d better know your enemy (goal)
• Cybercriminals: individuals or members of an organized
crime group with a goal of financial reward. For some years,
reports are quoting very large and increasing rewards.
• Activists (hacktivists): individuals or members of a large
group motivated by social or political causes. The aim of
their attacks is often to promote and publicize their cause
• State-sponsored organizations: groups of hackers
sponsored by governments, often associated to APTs
• Others: include classic hackers motivated by technical
challenge or by peer-group esteem and reputation.
3. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
You’d better know your enemy (skills)
• Apprentice: hackers with minimal technical skill who
primarily use existing attack toolkits. They are also known as
“script- kiddies” due to their use of existing scripts (tools)
• Journeyman: hackers with sufficient technical skills to
modify and extend attack toolkits to use newly discovered, or
purchased, vulnerabilities; or to focus on different target
groups
• Master: Hackers with high-level technical skills capable of
discovering brand new categories of vulnerabilities, or
writing new powerful attack toolkits. Often related to APT.
Defending against these attackers of the highest difficulty.
4. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
You’d better know your enemy: (behavior)
• Though attacks are generally different from each other they
share common functionalities
– Target Acquisition and Information Gathering
– Initial Access
– Privilege Escalation
– Information Gathering and/or System Exploit
– Maintaining Access
– Covering Tracks
8. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Intrusion detection
• Intrusion detection system: A hardware or software
function that gathers and analyzes information from
various areas within a computer or a network to identify
possible security intrusions
• Security intrusion: Unauthorized act of bypassing the
security mechanisms of a system.
9. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Intrusion detection: main components
Sensors Analyzer(s)
User interface
Observed
system
Host-based IDS (HIDS) vs Network-based IDS (NIDS) vs
Hybrid/Distributed IDS
• Sensors gather
information about: log
files, network packets,
system call traces
• The analyser detects
intrusions, identify kind
of intrusions, provides
evidence of intrusion,
suggests remedies
10. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Base-rate fallacy
• ID is a typical
Hypothesis testing
problem
• Trade-off between
false alarm and
missed detection
rates
• Lack of statistical
models makes the
problem difficult
(even in a Neyman
Pearson sense)
11. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Two approaches to ID
• Anomaly detection: Involves the collection of data relating to
the behavior of legitimate users over a period of time. Then,
current observed behavior is analyzed to determine whether this
behavior is that of a legitimate user or alternatively that of an
intruder
• Signature or Heuristic detection: Uses a set of known
malicious data patterns (signatures) or attack rules (heuristics)
that are compared with current behavior to decide if it is that of
an intruder. It is also known as misuse detection. This approach
can only identify known attacks for which it has patterns or rule
(problems with zero-day attacks)
12. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Systems based on anomaly-detection
• Statistical methods: Analysis of the observed behavior using
univariate, multivariate, or time-series models
– data gathering
– feature extraction
– statistical HT based on NP criterion
• Knowledge based methods: use an expert system that
classifies observed behavior according to a set of rules
– requires definition of rules and human intervention
• Machine-learning methods:
– feature based vs deep learning
– problems in gathering enough training data and with
generalization
13. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Signature-based and heuristic methods
• Complementary advantages and disadvantages of anomaly-
based detection
– characterize observations under the alternate hypothesis
– works well for known intrusions
• Signature-based approaches match a large collection of known
patterns of malicious data against data stored on a system or in
transit over a network. The signatures must be large enough.
• Rule-based approaches are based on rules for identifying known
penetrations or penetrations. Rules can also be defined that
identify suspicious behavior. The most fruitful approach to
developing such rules is to analyze attack tools and scripts
collected on the Internet.
14. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Host-based IDS
• Data collected by sensors
– System call traces: A record of the sequence of systems calls
by processes on a system. It works well on Unix and Linux
systems, they are problematic on Windows systems (DLL)
– Audit (log file) records: Most modern operating systems
include accounting software that collects information on user
activity.
– File integrity checksums: periodically scan critical files for
changes from the desired baseline.
– Registry access: An approach used on Windows systems is to
monitor access to the registry, given the amount of information
and access to it used by programs on these systems.
15. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Network-based IDS
• Data collected by sensors
– Packets and packets statistics: all kinds of packets can be
analyzed, network-, transport-, and/or application-level
packets
– Problems with encrypted traffic
• Deployment of sensors
– Inline vs passive sensors
– Position of NIDS within large organizations must be
designed carefully
16. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Deployment of sensors in NIDS
1. Focuses only on
attacks that passes
the firewall
2. Higher workload, it
can document all
kinds of (external)
attacks
3. Can detect internal
attacks, can focus on
more specific attacks
4. Similar to 3.
17. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Honeypots
• Honeypots are decoy systems that are designed to divert
potential attacker away from critical systems
• Honeypots are designed to:
– Divert an attacker from accessing critical systems
– Collect information about the attacker’s activity
– Encourage the attacker to stay on the system long enough
for administrators to respond
• Honeypot have no production value. Thus, any attempt to
communicate with the system is most likely a probe, scan, or
attack. If a honeypot initiates outbound communication, the
system has probably been compromised.
18. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Deployment of honeypots
1. High visibility, less
risky (an infected
honeypot does not risk
to compromise the rest
of the system)
2. Less visible (firewall
must let some traffic to
pass in), more risky.
Can attract internal
attacks
3. Fully internal
honeypots. Can catch
internal attacks, but it
is risky
20. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Need and role of firewalls
• Internet connectivity is no longer optional for most organizations
• Internet access enables the outside world to reach and interact
with local network assets raising new threats
• Host-based security only may not possible, for sure it is not
practical
• The firewall is inserted between the premises network and the
Internet to establish a controlled link and to erect an outer
security wall or perimeter: most security features are moved from
hosts to the perimeter
21. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
What a firewall does
• Single check point keeping unauthorized users out of the
protected network
• Provides a location for monitoring security-related
events.
• Convenient platform for several Internet functions that
are not security related
• Platform for IPSec. The firewall can be used to
implement virtual private networks.
22. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
What a firewall doesn’t do
• Cannot protect (completely) against internal threats
• Cannot protect against attacks that bypass the firewall,
e.g. systems with wired or mobile broadband capability
to connect to an ISP
• Protect against laptops, PDA, or other portable
storage device used and infected outside network,
then attached and used internally
23. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Types of filtering
• IP Address and Protocol Values: Controls access based
on the source or destination addresses and port numbers,
and other network and transport layer characteristics
• Application Protocol: Controls access on the basis of
authorized application protocol data.
• User Identity: Controls access based on the users identity,
(IPSec)
• Network Activity: Controls access based on
considerations such as the time or request, rate of
requests, or other activity patterns.
24. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Packet filtering firewalls
Filter is applied at the packet
level. Possible rules include:
- Source IP address
- Destination IP address
- Source and destination
transport-level address (the
transport-level (TCP or UDP)
port number, which defines
applications such as SNMP or
HTTP)
Default = discard: what is not expressly permitted is prohibited
Default = forward: what is not expressly prohibited is permitted.
25. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Limits of packet filtering
• Cannot prevent attacks that employ application-specific
vulnerabilities or functions.
• Most packet filter firewalls do not support advanced user
authentication schemes.
• Vulnerable to attacks based on address spoofing
• Improper configurations: it is easy to accidentally
configure a packet filter firewall to allow traffic types,
sources, and destinations that should be denied based on
an organization’s information security policy.
26. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Statefull packet filtering
Example: port numbers <
1024 are dedicated to
known services, port
numbers > 1024 are used
on the fly when
connections are created
Without state information
the firewalls must either
block all or no packets
coming from ports > 1024.
A stateful packet inspection firewall reviews the same packet information
as a packet filtering firewall, but also records information about TCP
connections.
27. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Statefull packet filtering
Outbound packets generated from ports > 1024 are accepted only for
destination ports and addresses for which a valid connection has been
established
28. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Application proxy firewalls
Proxy firewalls are more
secure than packet-
based firewalls, the
price to pay being a
computational
overhead.
Logging and monitoring
at application level can
also be implemented
easily at the proxy
The user contact the proxy asking to establish an application level
connection with a system inside the firewall. The gateway dispatches the
packets by running the proxy code
29. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Circuit-level proxy firewalls
If the system
administrator trusts
internal users the
gateway can be
configured to support
application-level or proxy
service on inbound
connections and circuit-
level functions for
outbound connections.
Similar to the application proxy, however when a connection is
established between a server and a client, no further application-level
control is made
30. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Where do firewalls reside
• Bastion host
– typically serves as a platform for application-level or
circuit-level gateways, or to support IPSec
– usually running a hardened operating system
– runs only essential services
– maintains detailed audit information
• Host based firewalls
– server firewalls
– personal
• Network device firewalls
• Virtual firewalls
31. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Where do firewalls reside
• In medium or large
corporate networks
several firewall-levels
coexist
• The DMZ network may
include e-mail servers,
corporate websites, DNS
• Internal firewalls protect
also from attacks
generated from the DNZ
and directed to the DMZ
from the internal
networks
32. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Virtual Private Networks (VPNs)
33. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
Intrusion Detection and Prevention
• IDS + firewall functionalities
– An IDS that after detection tries to prevent the intruder
to carry out its payload
– A firewall that filters packets according to the result of
an IDS analysis
• Positioning and strategies are similar to those
described for IDS and firewalls
34. University of Siena
Intrusion detection and prevention M. Barni, University of Siena
References
• W. Stallings, L. Brown, “Computer security: principles
and practices”, Pearson, 4-th edition. Chapters 8 and 9
• Lectures notes (these slides)