Intrusion Detection/Prevention Systems Objectives and Deliverable



Date: 13.01.2022

Architecture of Network IDS

  • Packet capture (libpcap)
  • TCP reassembly
  • Protocol identification
  • Packet stream
  • Signature matching (& protocol parsing when needed)
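The pipeline above, worked through as an added example (not code from the slides or from Snort): constructed TCP segments stand in for what libpcap captures, a minimal reassembler puts them in order, a port/content check identifies the protocol, and one constructed directory-traversal rule is matched against the stream. The hosts, ports, request and rule name are all assumptions. The point it shows is why reassembly sits before matching: a pattern that straddles a segment boundary, with the second half arriving first, is invisible to per-packet matching but caught on the reassembled stream.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed signature set: one rule for a "../../" directory-traversal
# pattern in an HTTP request line (illustrative, not a real Snort rule).
SIGNATURES = {
    "http-dir-traversal": re.compile(rb"\.\./\.\./"),
}


@dataclass
class Segment:
    """One captured TCP segment, already decoded down to the payload."""
    src: Tuple[str, int]
    dst: Tuple[str, int]
    seq: int
    payload: bytes
    syn: bool = False


class Reassembler:
    """In-order TCP reassembly keyed by (src, dst). Out-of-order segments
    are held back until the gap before them is filled."""

    def __init__(self) -> None:
        self.next_seq: Dict[tuple, int] = {}
        self.pending: Dict[tuple, Dict[int, bytes]] = {}
        self.streams: Dict[tuple, bytearray] = {}

    def feed(self, seg: Segment) -> bytes:
        key = (seg.src, seg.dst)
        if seg.syn:
            # SYN consumes one sequence number; data starts at seq + 1.
            self.next_seq[key] = seg.seq + 1
            self.pending[key] = {}
            self.streams[key] = bytearray()
            return b""
        if key not in self.streams:
            # Flow seen mid-stream (no SYN captured): best effort, start here.
            self.next_seq[key] = seg.seq
            self.pending[key] = {}
            self.streams[key] = bytearray()
        self.pending[key][seg.seq] = seg.payload
        # Drain every segment that is now contiguous with the stream.
        while self.next_seq[key] in self.pending[key]:
            data = self.pending[key].pop(self.next_seq[key])
            self.streams[key] += data
            self.next_seq[key] += len(data)
        return bytes(self.streams[key])


def identify_protocol(dst_port: int, data: bytes) -> str:
    """Protocol identification by well-known port or by request-line content."""
    if dst_port == 80 or data.startswith((b"GET ", b"POST ")):
        return "http"
    return "unknown"


def match_signatures(data: bytes) -> List[str]:
    return [name for name, pat in SIGNATURES.items() if pat.search(data)]


def per_packet_alerts(segments: List[Segment]) -> List[str]:
    """Naive matcher: each packet payload on its own, no reassembly."""
    return [name for seg in segments for name in match_signatures(seg.payload)]


def stream_alerts(segments: List[Segment]) -> List[str]:
    """capture -> reassembly -> protocol identification -> signature matching."""
    reasm = Reassembler()
    alerts: List[str] = []
    for seg in segments:
        stream = reasm.feed(seg)
        if identify_protocol(seg.dst[1], stream) != "http":
            continue
        for name in match_signatures(stream):
            if name not in alerts:  # one alert per rule per flow in this demo
                alerts.append(name)
    return alerts


# Constructed capture: SYN, then the request split so "../../" straddles the
# segment boundary, with the second half arriving before the first.
CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.9", 80)
FIRST = b"GET /images/../"  # 15 bytes, ends with one "../"
SECOND = b"../secret.txt HTTP/1.0\r\n\r\n"
SAMPLE_SEGMENTS = [
    Segment(CLIENT, SERVER, 999, b"", syn=True),
    Segment(CLIENT, SERVER, 1000 + len(FIRST), SECOND),
    Segment(CLIENT, SERVER, 1000, FIRST),
]


def reassembled_request(segments: List[Segment] = SAMPLE_SEGMENTS) -> bytes:
    reasm = Reassembler()
    stream = b""
    for seg in segments:
        stream = reasm.feed(seg)
    return stream


if __name__ == "__main__":
    print("per-packet:", per_packet_alerts(SAMPLE_SEGMENTS))
    print("stream:    ", stream_alerts(SAMPLE_SEGMENTS))
```

The per-packet pass raises no alert because each segment carries only one `../`; the stream pass raises one because the reassembled request line contains `../../`. A real sensor also has to bound how much out-of-order data it buffers per flow, otherwise the pending map itself becomes a resource-exhaustion target.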

Firewall/Net IPS VS Net IDS

  • Firewall/IPS
  • Network IDS
    • Passive monitoring
    • Fail-open

Gartner Magic Quadrant for IPS

  • Ability to Execute
    • Product/Service
    • Overall Viability (Business Unit, Financial, Strategy, Organization)
    • Sales Execution/Pricing
    • Market Responsiveness and Track Record
    • Marketing Execution
    • Customer Experience
    • Operations
  • Completeness of Vision
    • Market Understanding
    • Marketing Strategy
    • Sales Strategy
    • Offering (Product) Strategy
    • Business Model
    • Vertical/Industry Strategy
    • Innovation
    • Geographic Strategy

Case Study: Snort IDS (not required for hw/exam except its signatures)

Backup Slides

Problems with Current IDSs

  • Inaccuracy for exploit based signatures
  • Cannot recognize unknown anomalies/intrusions
  • Cannot provide quality info for forensics or situational-aware analysis
    • Hard to differentiate malicious events from unintentional anomalies
      • Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or application (such as P2P) misconfiguration
    • Cannot tell the situational-aware info: attack scope/target/strategy, attacker (botnet) size, etc.

Limitations of Exploit Based Signature

  • [Figure: traffic filtering between the Internet and our network using the exploit-based signature `10.*01`; sample packets 1010101, 10111101, 11111100, 00010111, with the matching ones dropped (X)]
  • Polymorphic worm might not have exact exploit based signature
  • Polymorphism!

Vulnerability Signature

  • Work for polymorphic worms
  • Work for all the worms which target the same vulnerability
  • [Figure: vulnerability signature traffic filtering between the Internet and our network; all traffic aimed at the vulnerability is dropped (X)]

Example of Vulnerability Signatures

  • At least 75% vulnerabilities are due to buffer overflow
  • Sample vulnerability signature
    • Field length corresponding to vulnerable buffer > certain threshold
    • Intrinsic to buffer overflow vulnerability and hard to evade
  • [Figure: a protocol message whose field is longer than the vulnerable buffer it is copied into: overflow!]
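The two preceding slides (exploit-based signature vs. vulnerability signature) side by side, as an added example that is not from the slides: a hypothetical `LOGIN <username>\r\n` protocol whose server copies the username into a 64-byte buffer, an exploit signature built from the filler bytes of one captured instance, and a vulnerability signature that parses the message and checks the field length against the buffer size. Protocol, buffer size, filler bytes and sample messages are all constructed.

```python
import re
from typing import Dict, Optional

# Constructed: the hypothetical server copies the LOGIN username into a
# 64-byte buffer, so a username longer than that is the overflow condition.
VULNERABLE_BUFFER_LEN = 64

# Exploit-based signature: the literal filler bytes seen in one captured
# instance (constructed). It describes that instance, not the vulnerability.
EXPLOIT_SIGNATURE = re.compile(rb"LOGIN A{64}")


def parse_login(msg: bytes) -> Optional[Dict[str, bytes]]:
    """Protocol parsing step: split a 'LOGIN <username>\\r\\n' message of the
    hypothetical protocol into fields. Returns None if malformed."""
    m = re.fullmatch(rb"LOGIN ([^\r\n]*)\r\n", msg)
    return {"username": m.group(1)} if m else None


def exploit_sig_match(msg: bytes) -> bool:
    """Byte-pattern match, the way a content-only rule works."""
    return EXPLOIT_SIGNATURE.search(msg) is not None


def vuln_sig_match(msg: bytes) -> bool:
    """Vulnerability signature: field length > vulnerable buffer size.
    Needs the parser, but does not care which bytes fill the field."""
    fields = parse_login(msg)
    if fields is None:
        return False  # caveat: input the parser rejects is not inspected
    return len(fields["username"]) > VULNERABLE_BUFFER_LEN


def classify(msg: bytes) -> Dict[str, bool]:
    return {"exploit_sig": exploit_sig_match(msg), "vuln_sig": vuln_sig_match(msg)}


# Constructed messages.
BENIGN = b"LOGIN alice\r\n"
WORM_ORIGINAL = b"LOGIN " + b"A" * 80 + b"\r\n"
# Polymorphic variant: same oversize field, different printable, CR/LF-free filler.
WORM_POLYMORPHIC = b"LOGIN " + bytes(33 + (i * 7) % 90 for i in range(80)) + b"\r\n"


def demo() -> Dict[str, Dict[str, bool]]:
    return {
        "benign": classify(BENIGN),
        "worm_original": classify(WORM_ORIGINAL),
        "worm_polymorphic": classify(WORM_POLYMORPHIC),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17s} exploit_sig={result['exploit_sig']}  vuln_sig={result['vuln_sig']}")
```

The original instance trips both signatures; the variant with different filler trips only the vulnerability signature, which is the "hard to evade" property on the slide. The caveat in `vuln_sig_match` is the other side of the same coin: the vulnerability signature is only as good as the protocol parser in front of it, since a message the parser cannot delimit is never length-checked.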

Next Generation IDSs

  • Vulnerability-based
  • Adaptive
    • Automatically detect & generate signatures for zero-day attacks
  • Scenario-based for forensics and being situational-aware
    • Correlate (multiple sources of) audit data and attack information

Related Tools for Network IDS (I)

  • While not an element of Snort, Wireshark (formerly called Ethereal) is the best open source GUI-based packet viewer
  • www.wireshark.org offers:
    • Support for various OS: Windows, Mac OS
    • Included in standard packages of many different versions of Linux and UNIX
    • For both wired and wireless networks

Related Tools for Network IDS (II)

  • Also not an element of Snort, tcpdump is a well-established CLI packet capture tool
