Intrusion Detection
CS-480b
Dick Steflik

Hacking Attempts
- IP Address Scans: scan the range of addresses looking for hosts (ping scan)
- Port Scans: scan promising ports for openness (80, 21, ...)
- Service Evaluation: determine the OS
- Target Selection: pick the most vulnerable host, most running services
- Vulnerability Probes
  - Automated password attacks: FTP, HTTP, NetBIOS, VNC, PCAnywhere
  - Application specific attacks: try known vulnerabilities on present services

Intrusion Detection Systems (IDS)
- Inspection Based (Signature Based)
  - Uses a database of known attack signatures
  - Observe the activity on a host or network and make judgements about whether or not an intrusion is in progress or has taken place
  - Look for known indicators: ICMP scans, port scans, connection attempts; CPU, RAM, I/O utilization activity; modification of system files; permission modifications
- Anomaly Based
  - Baseline the normal traffic and then look for things that are out of the norm
- Variations of IDS: rule based, statistical, hybrid

Decoys/Honeypots
- Purposely place an incorrectly configured or unprotected system where it is easily found so that a hacker will try to use it as an attack vector. All accesses will set off alarms that indicate an intrusion is in progress.

IDS Systems
- Tripwire
  - Windows or UNIX
  - Alarms on modification to system files: c:\, c:\WINNT, c:\WINNT\system, c:\WINNT\system32
- CyberCop
  - Network Assoc.
  - Suite of 4 ID tools
- Sun/Symantec iForce IDS Appliance
  - Sun/Solaris and Symantec's ManHunt IDS
  - ID analysis at 2 Gbits/sec
  - ManHunt uses distributed network sensors and a variety of methods to identify threats, including protocol-anomaly detection, signature detection, traffic-state profiling and statistical flow analysis.

SNORT
- Open Source ( )
- Uses:
  - Packet Sniffer: produces a tcpdump formatted output
  - Packet Logger: can log packets so that after-the-fact data mining tools can be used for analysis
  - Traffic Debugging and Analysis
- Can design a ruleset that recognizes certain traffic patterns
- Can do both anomaly based and inspection based detection
- SPADE (Silicon Defense): a SNORT preprocessor that logs anomalies for later analysis

ActiveScout
- ForeScout Technologies ( )
- Intrusion Prevention Tool
- Method:
  - Watches for hacker reconnaissance (port scans, NetBIOS scans, etc.)
  - Returns bogus info to the hacker
  - If the hacker attempts to break in with the bogus data, ActiveScout sets off alarms or blocks any further traffic from the intruder
- Downside: only works in conjunction with Check Point's Firewall-1
- Requires little administration and eliminates many false positives
- Cost w/T1 port is about $10K

Manhunt
- Symantec Corp. ( )
- Advanced Threat Management System
- Signature based hybrid detection: protocol anomaly detection, traffic rate monitoring, protocol state tracking, IP packet reassembly to provide a level of detection superior to other, signature-based systems. These detection capabilities can identify threats in real time, eve
- Real-time Analysis and Correlation: collects information from security devices throughout the network to spot trends
- Automatic Policy Based Responses
- Scaleable Across Geogr
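To make the inspection based versus anomaly based distinction from the IDS slide concrete, here is a small added example (not from the lecture or from any of the products named above). It runs two detectors over constructed connection records: a signature-style rule for the "port scan" indicator (one source touching many distinct ports on one host within a window) and an anomaly-style rule that baselines connections per minute from traffic assumed clean and flags sources that exceed the norm. The record format, hosts, thresholds and sample data are all assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records: (timestamp_s, src_ip, dst_ip, dst_port).
# NORMAL is an ordinary client's traffic (assumed clean baseline); SCAN is one
# host touching ten ports on a single target within a few seconds.
NORMAL = [(0, "10.0.0.5", "10.0.0.10", 80), (30, "10.0.0.5", "10.0.0.10", 443),
          (60, "10.0.0.5", "10.0.0.11", 22), (90, "10.0.0.5", "10.0.0.10", 80),
          (120, "10.0.0.5", "10.0.0.10", 80)]
SCAN = [(100 + i, "192.0.2.77", "10.0.0.10", p)
        for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 443, 445, 3389])]
EVENTS = NORMAL + SCAN

def port_scan_sources(events, window=60, min_ports=8):
    """Inspection (signature) style rule: flag a source that touches at least
    `min_ports` distinct ports on one destination within `window` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    flagged = set()
    for (src, _dst), hits in by_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window from each hit
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                flagged.add(src)
                break
    return flagged

def _counts_per_bucket(events, bucket):
    """Connections per (source, time bucket); used for rate baselining."""
    counts = defaultdict(int)
    for ts, src, _dst, _port in events:
        counts[(src, ts // bucket)] += 1
    return counts

def anomalous_sources(events, baseline, bucket=60, k=3.0):
    """Anomaly style rule: learn the normal connections-per-bucket rate from
    `baseline` (assumed clean), then flag any source whose rate in `events`
    exceeds mean + k * stdev. No attack signature is needed here."""
    rates = list(_counts_per_bucket(baseline, bucket).values())
    threshold = mean(rates) + k * pstdev(rates)
    return {src for (src, _b), n in _counts_per_bucket(events, bucket).items()
            if n > threshold}

if __name__ == "__main__":
    print("port-scan sources:", port_scan_sources(EVENTS))   # {'192.0.2.77'}
    print("anomalous sources:", anomalous_sources(EVENTS, NORMAL))  # {'192.0.2.77'}
```

Both rules flag the same scanner here, but note the different failure modes: the signature rule misses anything that stays under `min_ports`, while the anomaly rule depends entirely on the baseline being clean and representative.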