Global Isuzu Diagnostic Service System (G-IDSS) -1- G-IDSS Global Isuzu Diagnostic Service System.
1 Figure 10-4: Intrusion Detection Systems (IDSs) HOST IDSs Protocol Stack Monitor (like NIDS)...
-
Upload
cameron-evangeline-curtis -
Category
Documents
-
view
217 -
download
0
Transcript of 1 Figure 10-4: Intrusion Detection Systems (IDSs) HOST IDSs Protocol Stack Monitor (like NIDS)...
1
Figure 10-4: Intrusion Detection Systems (IDSs)
HOST IDSs
Protocol Stack Monitor (like NIDS)
Collects the same type of information as a NIDS
Collects data even if host is in NIDS blind spot
Gives data specific to hosts; relevant for diagnosis
Might see data after decryption
2
Figure 10-4: Intrusion Detection Systems (IDSs)
HOST IDSs
Operating System Monitors
Collect data on operating system events
Failed logins
Attempt to change system executables
Attempt to change system configuration (registry keys, etc.)
3
Figure 10-4: Intrusion Detection Systems (IDSs)
HOST IDSs
Application Monitors (Monitor Specific Applications)
What users did in terms relevant to an application for easy interpretation
Filtering input data for buffer overflows
Signatures of application-specific attacks
4
Figure 10-4: Intrusion Detection Systems (IDSs)
Recap
Protocol monitor
Protocol events (suspicious packets, etc.)
Operating monitor
Operating system events (file changes, etc.)
Application monitor
Application events (application commands issued)
5
Figure 10-4: Intrusion Detection Systems (IDSs)
HOST IDSs
Weaknesses of Host IDSs
Limited Viewpoint; Only see events on one host
If host is hacked, Host IDS can be attacked and disabled
6
Figure 10-4: Intrusion Detection Systems (IDSs)
HOST IDSs Other host-based tools
File integrity checker programs
Create baseline message digests for sensitive files
After an attack, recompute message digests
This tells which files were changed; indicates Trojan horses, etc.
7
Figure 10-4: Intrusion Detection Systems (IDSs)
HOST IDSs
Other host-based tools
Operating system lockdown tools
Limits changes possible during attacks
Limits who may make crucial changes
May interfere with software functioning
8
Figure 10-4: Intrusion Detection Systems (IDSs)
Log Files
Flat files of time-stamped events
Individual logs
Integrated logs Aggregation of event logs from multiple IDS agents
(Figure 10-7)
Difficult to create because of format incompatibilities
Time synchronization of IDS event logs is crucial (NTP)
Can see suspicious patterns in a series of events across multiple devices
9
Figure 10-7: Event Correlation for an Integrated Log File
Sample Log File(Many Irrelevant Log Entries Not Shown)
1. 8:45:05. Packet from 1.15.3.6 to 60.3.4.5 (network IDS log entry)
2. 8:45:07. Host 60.3.4.5. Failed login attempt for account Lee(Host 60.3.4.5 log entry)
3. 8:45:08. Packet from 60.3.4.5 to 1.15.3.6 (network IDS log entry)
4. 8:49:10. Packet from 1.15.3.6 to 60.3.4.5 (network IDS log entry)
5. 8:49:12. Host 60.3.4.5. Failed login attempt for account Lee(Host 60.3.4.5 log entry)
ExternalHost
InternalHost
10
Figure 10-7: Event Correlation for an Integrated Log File
Sample Log File(Many Irrelevant Log Entries Not Shown)
6. 8:49:13. Packet from 60.3.4.5 to 1.15.3.6 (network IDS log entry)7. 8:52:07. Packet from 1.15.3.6 to 60.3.4.5 (network IDS log entry) 8. 8:52:09. Host 60.3.4.5. Successful login attempt for account Lee
(Host 60.3.4.5 log entry)
9. 8:52:10. Packet from 60.3.4.5 to 1.15.3.6 (network IDS log entry)10. 8:56:12. Packet from 60.3.4.5 to 123.28.5.210. TFTP request
(network IDS log entry) 11. (no corresponding host log entry)12. 8:56:28. Series of packets from 123.28.5.210 to 60.3.4.5.
TFTP response (network IDS)13. (no more host log entries)
11
Figure 10-7: Event Correlation for an Integrated Log File
Sample Log File(Many Irrelevant Log Entries Not Shown)
14. 9:03:17. Packet from 60.3.4.5 to 1.17.8.40. SMTP (network IDS)
15. 9:06:12. Packet from 60.3.4.5 to 1.40.22.8. SMTP (network IDS)
16. 9:10:12. Packet from 60.3.4.5 to 60.0.1.1. TCP SYN=1, Destination Port 80 (network IDS)
17. 9:10:13: Packet from 60.3.4.5 to 60.0.1.2. TCP SYN=1,Destination Port 80 (network IDS)
12
Figure 10-4: Intrusion Detection Systems (IDSs)
Analysis Methods
Static packet filtering
Stateful filtering
Full protocol decoding (filters based upon stage in dialogue—login, etc.)
Statistical analysis (frequency thresholds for reporting)
Anomaly detection (compares normal and current operation)
Creates many false positives