The Art of Intrusion Detection
J. Wang. Computer Network Security Theory and Practice. Springer 2008. Chapter 9

Outline
- Basic Ideas of Intrusion Detection
- Network-Based and Host-Based Detections
- Signature Detections
- Statistical Analysis
- Behavioral Data Forensics
- Honeypots

Basic Ideas of Intrusion Detection: What is Intrusion?
- Example: Malice obtains Alice's user name and password and impersonates Alice.
- Intruders are attackers who obtain the login credentials of legitimate users and impersonate them.

Basic Ideas of Intrusion Detection: Observation (dates back to the mid-1980s)
- An intruder's behavior is likely to differ substantially from that of the impersonated user.
- These behavioral differences can be measured, which allows quantitative analysis.
- Intrusion detection aims to identify, as quickly as possible, intrusion activities that have occurred or are occurring inside an internal network, and to trace intruders and collect evidence to indict the criminals.
- Common approach: identify abnormal events.
- Can an automated tool be built to detect such behavior? That tool is an Intrusion Detection System (IDS).

Basic Methodology
- Log system events and analyze them.
- Analysis can be done manually if the log file is small, but log files can be large, so sophisticated tools are needed.
- Logs can be generated to keep track of network-based activities and host-based activities:
  - Network-based detection (NBD)
  - Host-based detection (HBD)
  - Both (hybrid detection)

Basic Methodology: Auditing
- Analyzing logs is often referred to as auditing.
- Two kinds of audits:
  - Security profiles: static configuration information
  - Dynamic events: dynamic user events
- Example of a security profile (the values column is not preserved on this page):

  Parameters                  Values
  Password
    Minimum length (bytes)
    Lifetime (days)
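As an added example (not code from the book or its author), the following Python script implements both kinds of audit on constructed data: a static check of a security profile written in a login.defs-style key/value format against assumed policy limits for minimum password length and lifetime, and a host-based analysis of dynamic events that learns a per-user baseline (login hours, login sources, commands used, commands per session) from known-good logs and then flags events that deviate from it, which is the measurable-behavior-difference idea of the Observation slide. The event format, user names, addresses, policy limits and the `session` helper are assumptions made for the demo.

```python
"""Added example (not from the book): a toy audit tool for the two kinds of audit
above, a static security-profile check and anomaly detection over dynamic events."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
import re
import statistics
# ---- Static audit: configuration (security profile) against a policy ----
# Constructed login.defs-style profile; policy limits for minimum password
# length (bytes) and lifetime (days) are assumptions chosen for the demo.
WEAK_PROFILE = "PASS_MAX_DAYS 99999\nPASS_MIN_LEN 5\n"
POLICY = {"PASS_MIN_LEN": (">=", 12), "PASS_MAX_DAYS": ("<=", 90)}

def audit_profile(text, policy=POLICY):
    """Return one finding per policy rule the static profile fails to meet."""
    values = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, split key/value
        if len(parts) >= 2:
            values[parts[0]] = int(parts[1])
    findings = []
    for key, (op, limit) in policy.items():
        actual = values.get(key)
        if actual is None:
            findings.append(f"{key} not set (policy {op} {limit})")
        elif (op == ">=" and actual < limit) or (op == "<=" and actual > limit):
            findings.append(f"{key}={actual} violates policy {op} {limit}")
    return findings

# ---- Dynamic audit: learn per-user behaviour, then flag deviations ----
# Constructed event lines: "<ISO time> <user> login src=<ip>",
# "<ISO time> <user> cmd=<name>" or "<ISO time> <user> logout".
EVENT_RE = re.compile(r"^(\S+) (\S+) (?:login src=(\S+)|cmd=(\S+)|logout)$")
@dataclass
class Profile:
    hours: set = field(default_factory=set)          # login hours observed
    sources: set = field(default_factory=set)        # login source addresses
    commands: set = field(default_factory=set)       # commands observed
    per_session: list = field(default_factory=list)  # command count per session

def parse_event(line):
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ts, user, src, cmd = m.groups()
    kind = "login" if src else "cmd" if cmd else "logout"
    return datetime.fromisoformat(ts), user, kind, src or cmd

def build_profiles(lines):
    """Learn a baseline Profile per user from known-good event lines."""
    profiles, open_count = defaultdict(Profile), {}
    for line in lines:
        ts, user, kind, arg = parse_event(line)
        p = profiles[user]
        if kind == "login":
            p.hours.add(ts.hour); p.sources.add(arg); open_count[user] = 0
        elif kind == "cmd":
            p.commands.add(arg); open_count[user] = open_count.get(user, 0) + 1
        else:  # logout closes a session; a session with no logout is dropped
            p.per_session.append(open_count.pop(user, 0))
    return dict(profiles)

def detect(profiles, lines, k=2.0):
    """Return (line, reason) pairs for events that deviate from the baseline."""
    alerts, open_count = [], {}
    for line in lines:
        ts, user, kind, arg = parse_event(line)
        p = profiles.get(user) or Profile()  # unknown user: everything is new
        if kind == "login":
            open_count[user] = 0
            if ts.hour not in p.hours:
                alerts.append((line, f"login at unusual hour {ts.hour:02d}"))
            if arg not in p.sources:
                alerts.append((line, f"login from unseen source {arg}"))
        elif kind == "cmd":
            open_count[user] = open_count.get(user, 0) + 1
            if arg not in p.commands:
                alerts.append((line, f"command {arg} never seen for {user}"))
        else:  # logout: is this session much larger than the user's usual ones?
            n = open_count.pop(user, 0)
            if len(p.per_session) >= 2:
                mean = statistics.mean(p.per_session)
                sd = max(statistics.pstdev(p.per_session), 1.0)  # floor for tiny baselines
                if n > mean + k * sd:
                    alerts.append((line, f"{n} commands in session, baseline mean {mean:.1f}"))
    return alerts

def session(day, hour, src, cmds, user="alice"):
    """Constructed login/cmd/logout session on 2024-03-<day> starting at <hour>."""
    lines = [f"2024-03-{day:02d}T{hour:02d}:00:00 {user} login src={src}"]
    lines += [f"2024-03-{day:02d}T{hour:02d}:{i:02d}:00 {user} cmd={c}" for i, c in enumerate(cmds, 1)]
    return lines + [f"2024-03-{day:02d}T{hour:02d}:59:00 {user} logout"]

# Known-good history (three ordinary sessions) and one session in which
# Malice logs in with Alice's stolen credentials; all constructed.
BASELINE = (session(4, 9, "10.0.0.5", ["ls", "vim"]) + session(5, 9, "10.0.0.5", ["ls", "git", "vim"])
            + session(6, 10, "10.0.0.7", ["git", "vim"]))
INTRUSION = session(7, 2, "203.0.113.9", ["ls", "sudo", "scp", "find", "tar"])

if __name__ == "__main__":
    print(*audit_profile(WEAK_PROFILE), sep="\n")
    print(*(f"{why} <- {line}" for line, why in detect(build_profiles(BASELINE), INTRUSION)), sep="\n")
```

Running it prints two profile findings and then seven alerts for the intrusion session: the off-hours login, the unseen source address, the four commands Alice never ran, and a session size more than two standard deviations above her baseline. Two caveats a practitioner would add: a set-membership baseline is easy to poison if the intruder's own activity ends up in the training data, and the floor on the standard deviation is what stops a tiny baseline from alerting on every session. On most PAM-based Linux systems the enforced minimum password length comes from the PAM password stack (pam_pwquality or pam_cracklib) rather than PASS_MIN_LEN in login.defs, so a real static audit has to read that configuration as well.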