Chapter 3iii Flashcards
Why do we need IDS?
IDS = Intrusion Detection System
Most systems have vulnerabilities: what?
Attacks can be detected: how?
What do we want to detect?
- Vulnerabilities may be known or unknown, may potentially be used to carry out attacks
- Unusual or suspicious actions, unusual or suspicious alterations of information
- Intrusion preambles, Intrusion accesses from the outside, Abusive behaviours from the inside
Define Intrusion & Intrusion Detection System
Intrusion
* Compromise of a defined Security Requirement
* Manifestation through e.g. unauthorised or abnormal activities or data
Intrusion Detection System
* Software that has the function to detect and identify intrusions
* Not all IDS take countermeasures
* IDS that also take countermeasures are IDPS (Intrusion Detection and Prevention System)
Optional extension to an IDS
Honeypot:
* Closely monitored computing resource which is intended to be compromised
* Allows for in-depth examination of conducted exploits
* Provides early warning about new attack trends
* Distracts adversaries from more valuable targets
* Can be used as origin for further attacks
Classification of Intrusions
What is this? What’s the idea behind it?
Detection Method: Misuse Detection
- Store signatures of attacks in a database
- Monitor traffic for signatures
- Frequently update signature database
What are the difficulties associated with this method?
Diurnal patterns:
* Time of day (very few users at night)
* Day of week (very few users on weekends)
* Time of year (fewer users during semester break)
* Random events (public holidays, festivities…)
Long-term patterns:
* Number of users will grow over time
- Real-world use typically limited to narrow edge cases
Compare detection methods: misuse detection and anomaly detection.
Detection Delay
When is the information processed?
Real-time detection
- Data and control flows are intercepted
- Information processing while target system is running
- Short detection time
- Interferes with system performance
…
- Information is logged
- Processing and analysis conducted later
- Longer detection time
- Easily parallelized
How does the system react to an attack?
* Passive
- Only detect and report the results
- Logging and record creation
* Active
- Response mechanism to the attacks
- Close connections: TCP RST
- Perform system or operational modifications like reconfiguration of routers, firewalls, …
- Estimation: What is used in practice by large companies? (reaction to an attack)
- They avoid automated responses! There is always a human in the loop.
- Reasoning is that false/too strict reactions might cause more damage than the incident that triggered it
- Example: Port scan detected, firewall bans IP address range, production control cut off as well, etc.
- Also: autonomous behaviour is difficult to certify (important for highly safety-relevant systems such as aircraft)
- (Insights based on numerous discussions with industrial research partners)
Data source for IDS: network based vs host-based
Intrusion Detection on end-to-end encrypted communication
How does an HIDS detect malicious data in encrypted traffic?
Which attacks can different IDS detect?
How are incidents analyzed further? Individual vs Cooperative.
Real-life examples: SNORT vs OSSEC