Tuesday, October 27, 2009

.:: || Intrusion Detection System || ::.

Intruders


  • a significant security issue: hostile or unwanted trespass

  • User trespass - unauthorized logon, privilege abuse

  • Software trespass - virus, worm, or trojan horse

  • Classes of intruders: masquerader, misfeasor, clandestine user



Security Intrusion & Detection

  • Security Intrusion - a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.


  • Intrusion Detection - a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner.


Hackers

  • 1. motivated by thrill of access and status

  • 2. benign intruders might be tolerable

  • 3. IDS / IPS / VPNs can help counter


Intrusion Detection Systems

Classify intrusion detection systems (IDSs) as:

  • 1. Host-based IDS: monitor single host activity

  • 2. Network-based IDS: monitor network traffic


Logical components:

  • 1. sensors - collect data

  • 2. analyzers - determine if an intrusion has occurred

  • 3. user interface - manage / direct / view IDS


IDS Principles

  • assume intruder behavior differs from that of legitimate users

  • observe deviations from past history


Types of IDS

  • 1. Host IDS

  • 2. Network IDS

  • 3. Distributed IDS


Intrusion Detection Techniques

  • signature detection

  • anomaly detection

  • when potential violation detected sensor sends an alert and logs information


Anomaly Detection - threshold detection

  • checks for excessive event occurrences over time

  • alone a crude and ineffective intruder detector

  • must determine both thresholds and time intervals



Signature Detection - observe events on the system and apply a set of rules to decide whether the activity is that of an intruder
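As an added example (not code from the original post), the Python script below applies both techniques from the two preceding sections to a handful of constructed syslog-style authentication lines: a small signature rule set that fires whenever one event matches a known pattern, and a threshold detector that counts failed logins per source address inside a sliding time window. The log lines, host names, addresses, rule names and parameter values are all made up for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample authentication log (syslog-like); not from the original post.
# Source addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2009-10-27T08:00:01 host1 sshd: Failed password for root from 198.51.100.7 port 4022
2009-10-27T08:00:03 host1 sshd: Failed password for root from 198.51.100.7 port 4023
2009-10-27T08:00:05 host1 sshd: Failed password for admin from 198.51.100.7 port 4024
2009-10-27T08:00:06 host1 sshd: Failed password for root from 198.51.100.7 port 4025
2009-10-27T08:00:08 host1 sshd: Failed password for root from 198.51.100.7 port 4026
2009-10-27T08:00:09 host1 sshd: Accepted password for alice from 192.0.2.10 port 5100
2009-10-27T08:10:00 host1 sshd: Failed password for bob from 192.0.2.11 port 5200
2009-10-27T08:20:00 host1 sshd: Failed password for bob from 192.0.2.11 port 5201
2009-10-27T08:30:00 host1 sudo: bob : user NOT in sudoers ; COMMAND=/bin/cat /etc/shadow
"""

# Sensor side: turn raw lines into structured events.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")

def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not fit the expected format are skipped
            events.append({
                "ts": datetime.fromisoformat(m.group("ts")),
                "host": m.group("host"),
                "proc": m.group("proc"),
                "msg": m.group("msg"),
            })
    return events

# Signature detection: a rule fires whenever a single event matches a known pattern.
# Rule names and patterns are illustrative, not a real rule set.
SIGNATURES = [
    ("sudo-not-in-sudoers", re.compile(r"user NOT in sudoers")),
    ("shadow-file-access", re.compile(r"COMMAND=.*/etc/shadow")),
]

def signature_alerts(events):
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES:
            if pattern.search(ev["msg"]):
                alerts.append({"rule": name, "ts": ev["ts"], "host": ev["host"], "msg": ev["msg"]})
    return alerts

# Threshold detection: count failed logins per source address inside a sliding
# window and alert the first time a source crosses the threshold.
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")

def threshold_alerts(events, threshold, window_seconds):
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for ev in events:
        m = FAILED_RE.search(ev["msg"])
        if not m:
            continue
        src = m.group("src")
        q = recent[src]
        q.append(ev["ts"])
        # drop failures older than the window, measured back from this event
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(q), "ts": ev["ts"]})
    return alerts

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in signature_alerts(evs):
        print("SIGNATURE", a["rule"], a["ts"], a["msg"])
    # tight parameters: only the burst of five failures in seven seconds trips the detector
    for a in threshold_alerts(evs, threshold=5, window_seconds=60):
        print("THRESHOLD(5/60s)", a["src"], a["count"], a["ts"])
    # loose parameters: two slow failures from a legitimate user also trip it (false positive)
    for a in threshold_alerts(evs, threshold=2, window_seconds=1800):
        print("THRESHOLD(2/30min)", a["src"], a["count"], a["ts"])
```

Running the script shows the trade-off the notes describe: the signature rules catch the sudo misuse in a single event regardless of volume, while the threshold detector only sees volume, so with 5 failures per 60 seconds it flags the burst from 198.51.100.7 alone, and with 2 failures per 30 minutes it also flags bob's two mistyped passwords. Choosing the threshold and the interval is what separates a useful detector from a crude one.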

Honeypot

  • are decoy systems

  • filled with fabricated info

  • instrumented with monitors / event loggers

  • divert and hold the attacker to collect activity info without exposing production systems

  • initially were single systems

  • more recently are/emulate entire networks
