Professional Documents
Culture Documents
JITHIN-C
INTRUSION DETECTION
The best intrusion prevention technique may even fail so its better to detect the intrusion at a earlier stage and prevent it. Effective intrusion detection system can serve as a deterrent ,so acting to prevent intrusions and also helps to improve the quality of the intrusion detection.
Intrusion detection is based on the assumption that the behaviour of the intruder differs from that of a legitimate (authorized) user. Pattern of legitimate users behavior can be established by observing past history and significant deviation from such patterns can be detected. A loose interpretation or tight interpretation of intrusion detection may cause problems.
AUDIT RECORDS
A fundamental tool for intrusion detection is the audit record.some records of ongoing activity of users must be maintained as input to intrusion detection system. Two plans are used under this Native audit records Detection specific audit records
Native audit records :All multiuser operating systems have some accounting softwares in it. It collects information about the activities but sometimes it may not conatin the needed information or may not contain it in a convenient form.
Detection specific audit records :A collection facility can be implemented that generates audit records containing only that information required by the intrusion detection system.
subject action
object
Exception condition
Resource usage
Time stamp
Approaches
There are two approaches to intrusion detection Statistically Anomaly Detection Rule Based Detection
involves the collection of data relating to the behavior of legitimate users over a period of time.then statistical tests are applied to observed behavior to determine the intrusion in the system Threshold detection Profile based
Threshold detection
Counting the number of occurrences of a specific event type over an interval of time . If the count surpasses the limit then intrusion is assumed. Ineffective for sophisticated attack. Thresholds may generate false positives or false negatives.
It focuses on characterising the past behaviour of individual users or group of users and then detecting significant deviations. It is based on audit records .it provides input to intrusion detection. First the designer decide on the number of quantitative metrics that can be used to measure user behavior . Second ,current audit records are the input used to detect intrusion.
Rule based detection It Involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
Rule based anomaly approach :historical audit records are analyzed to identify usage patterns and to generate rules .current behavior is then observed and matched with these rules. Rule based penetration identification :one based on expert system technology .collecting penetration scenarios and setting up rules based on that.Rules in the system are specific for that system or operating system only.
Honey pots
Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems. Honeypots are designed to -diverting attacker from accessing critical systems -collect information about the activity -encourage the attacker to stay on the system until the system administrator responds.
THANKYOU