![Page 1: 1 Intrusion Detection Methods “Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking](https://reader035.vdocuments.us/reader035/viewer/2022062407/56649e715503460f94b6ee83/html5/thumbnails/1.jpg)
1
Intrusion Detection Methods
“Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.”
2
The Seven Fundamentals
1. What are the methods used
2. How are IDS organized
3. What is an intrusion
4. How do we trace and how do they hide
5. How do we correlate information
6. How can we trap intruders
7. Incident response
3
Some fundamental questions
• Are ID methods only suited for manual use by experts?
• Are ID methods well defined enough to be automated?
• What are some of the manual methods used by experts?
• What ID methods are available in tools today?
4
ID methods
• Audit trail processing
• On-the-fly processing
• Profiles of normal behavior
• Signatures of abnormal behavior
• Parameter pattern matching or anomaly discovery
Are the above methods independent? Dependent? Mutually exclusive?
5
Audit Trail Processing
• Activities are first logged and stored in a log file via audit probes.
• Audit probes are [mostly] selected based on what constitutes security-critical events.
• System and security administrators (and designers) are charged with enabling/disabling probes.
Auditing vs. performance? What are the issues? What are the TCSEC requirements for audit? (See Page 40)
6
Case study: TCP logs
<src_ip, dst_ip, src_port, dst_port, protocol, time, direction, status>
[Diagram: a router/gateway sits between the internal net (in) and the external net (out) and writes the TCP log.]
7
Case study: TCP logs (cont.)
<in,in, 4050, 80, tcp, 07:02:22, inbound, success>
<outx,gw, 6025, 23, tcp, 07:51:12, inbound, failure>
<outx,gw, 6025, 23, tcp, 07:51:55, inbound, failure>
<outx,gw, 6025, 23, tcp, 07:52:17, inbound, failure>
<outx,gw, 6025, 23, tcp, 07:52:58, inbound, failure>
.
.
.
<outx,in, 3000, 23, tcp, 13:04:22, inbound, success>
<outy,gw, 6025, 23, tcp, 23:54:22, inbound, success>
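To show how much of the manual reading of the log above can be automated, here is an added example (not from the original slides) that parses records in the slide's tuple format and applies three checks: repeated failures from one source, a later success from a source that failed earlier, and a success during quiet hours. The sample records are the slide's, with the elided middle lines omitted; the thresholds and quiet-hours window are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the slide's record format (the elided middle lines are omitted):
# <src_ip, dst_ip, src_port, dst_port, protocol, time, direction, status>
SAMPLE_LOG = """\
<in,in, 4050, 80, tcp, 07:02:22, inbound, success>
<outx,gw, 6025, 23, tcp, 07:51:12, inbound, failure>
<outx,gw, 6025, 23, tcp, 07:51:55, inbound, failure>
<outx,gw, 6025, 23, tcp, 07:52:17, inbound, failure>
<outx,gw, 6025, 23, tcp, 07:52:58, inbound, failure>
<outx,in, 3000, 23, tcp, 13:04:22, inbound, success>
<outy,gw, 6025, 23, tcp, 23:54:22, inbound, success>
"""

FIELDS = ("src", "dst", "sport", "dport", "proto", "time", "direction", "status")
RECORD_RE = re.compile(r"^<(.*)>$")

def parse_record(line):
    """Turn one <...> record into a dict; malformed lines yield None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    parts = [p.strip() for p in m.group(1).split(",")]
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    h, mi, s = (int(x) for x in rec["time"].split(":"))
    rec["seconds"] = h * 3600 + mi * 60 + s      # seconds since midnight
    return rec

def parse_log(text):
    return [r for r in map(parse_record, text.splitlines()) if r is not None]

def review(records, fail_threshold=3, window=300, quiet_hours=(22, 6)):
    """Apply three checks to inbound records (thresholds are assumed values):
    - repeated_failures: fail_threshold failures from one source to one port within window seconds
    - success_after_failures: a source that failed earlier later succeeds on the same port
    - off_hours_success: a success inside quiet_hours (start hour, end hour, wrapping midnight)
    Returns (check, src, dport, time) tuples in log order."""
    findings = []
    failures = defaultdict(list)   # (src, dport) -> times of failures seen so far
    start, end = quiet_hours
    for r in records:
        if r["direction"] != "inbound":
            continue
        key = (r["src"], r["dport"])
        if r["status"] == "failure":
            recent = [t for t in failures[key] if r["seconds"] - t <= window] + [r["seconds"]]
            failures[key] = recent
            if len(recent) == fail_threshold:      # report once, when the threshold is crossed
                findings.append(("repeated_failures", r["src"], r["dport"], r["time"]))
        elif r["status"] == "success":
            if failures[key]:
                findings.append(("success_after_failures", r["src"], r["dport"], r["time"]))
            hour = r["seconds"] // 3600
            if hour >= start or hour < end:
                findings.append(("off_hours_success", r["src"], r["dport"], r["time"]))
    return findings

if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the slide's data this reports the burst of telnet failures from outx, the later success from outx against an internal host, and the near-midnight success from outy.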
8
How much of the previous discussion can be automated?
9
Examples of things to watch for!
• Users logging in at strange hours
• Unexpected reboots or clock changes
• Unusual error messages
• Failed login attempts
• Unauthorized use of the su command
• Users logging from unusual locations
10
Problems to be considered while using logging systems
Most administrators don’t collect audits, and if they do, they rarely process them!
11
Problems to be considered while using logging systems (cont.)
• Large size of audit files
- About 5M per week for a workgroup server
- Becomes more problematic for centralized logging
12
Problems to be considered while using logging systems (cont.)
• Degraded system performance
- Reached 85% on some typical Unix and NT systems (http://www.iamsam.com/papers/thesis/thesis.htm)
13
Problems to be considered while using logging systems (cont.)
• Difficulty in protecting the log
- Log files growing smaller!
- Print everything
14
Problems to be considered while using logging systems (cont.)
• Unknown storage duration of logs
How long should logs be kept?
How long are they kept on your linux system?
15
Unix Syslog
• Syslogd is a daemon (background process)
• Receives messages for the log file from:
– User processes running on the same machine (as syslogd) via /dev/log
– Kernel routines (/dev/klog)
– Processes on another machine via UDP port 514
• Syslogd defines an associated API for application authors
16
```
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.*                                   /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none /var/log/messages

# The authpriv file has restricted access.
authpriv.*                               /var/log/secure

# Log all the mail messages in one place.
mail.*                                   /var/log/maillog

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg                                  *

# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit                           /var/log/spooler
```
/etc/syslog.conf
17
```
F25 21:37:44 rnd PAM_pwdb[17775]: (sshd) session opened for user sherif by (uid=0)
F25 21:40:00 rnd CROND[17784]: (root) CMD ( /sbin/rmmod -as)
F25 21:42:18 rnd PAM_pwdb[17789]: (sshd) session opened for user sherif by (uid=0)
F25 21:50:01 rnd CROND[17813]: (root) CMD ( /sbin/rmmod -as)
F25 21:51:24 rnd PAM_pwdb[17789]: (sshd) session closed for user sherif
F25 21:52:27 rnd PAM_pwdb[17775]: (sshd) session closed for user sherif
F25 22:00:00 rnd CROND[17851]: (root) CMD ( /sbin/rmmod -as)
F25 22:01:00 rnd CROND[17856]: (root) CMD (run-parts /etc/cron.hourly)
F25 22:10:00 rnd CROND[17887]: (root) CMD ( /sbin/rmmod -as)
F25 22:20:01 rnd CROND[17969]: (root) CMD ( /sbin/rmmod -as)
F25 22:30:00 rnd CROND[17999]: (root) CMD ( /sbin/rmmod -as)
F25 22:40:01 rnd CROND[18034]: (root) CMD ( /sbin/rmmod -as)
F25 22:50:00 rnd CROND[18061]: (root) CMD ( /sbin/rmmod -as)
F25 23:00:00 rnd CROND[18087]: (root) CMD ( /sbin/rmmod -as)
F25 23:01:01 rnd CROND[18092]: (root) CMD (run-parts /etc/cron.hourly)
F25 23:10:01 rnd CROND[18123]: (root) CMD ( /sbin/rmmod -as)
F25 23:20:00 rnd CROND[18149]: (root) CMD ( /sbin/rmmod -as)
F25 23:30:00 rnd CROND[18175]: (root) CMD ( /sbin/rmmod -as)
F25 23:40:00 rnd CROND[18201]: (root) CMD ( /sbin/rmmod -as)
F25 23:50:01 rnd CROND[18228]: (root) CMD ( /sbin/rmmod -as)
F26 00:00:00 rnd CROND[18264]: (root) CMD ( /sbin/rmmod -as)
F26 00:01:01 rnd CROND[18269]: (root) CMD (run-parts /etc/cron.hourly)
F26 00:10:00 rnd CROND[18302]: (root) CMD ( /sbin/rmmod -as)
F26 00:20:01 rnd CROND[18352]: (root) CMD ( /sbin/rmmod -as)
F26 00:28:17 rnd PAM_unix[18386]: (system-auth) session opened for user root by sherif(uid=500)
F26 00:30:00 rnd CROND[18426]: (root) CMD ( /sbin/rmmod -as)
```
/var/log/messages
18
```
F25 22:32:22 rnd sendmail[18009]: g1PKU1x18007: to=<[email protected]>, delay=00:02:21, xdelay=00:00:03, mailer=esmtp, pri=589605, relay=mx2.mail.yahoo.com. [64.157.4.88], dsn=2.0.0, stat=Sent (ok dirdel)
F25 22:32:42 rnd sendmail[18009]: g1PKU1x18007: to=<[email protected]>, delay=00:02:41, xdelay=00:00:20, mailer=esmtp, pri=589605, relay=ob-mail-com.mr.outblaze.com. [205.158.62.26], dsn=2.0.0, stat=Sent (g1PJVqt94451 Message accepted for delivery)
```
/var/log/mail
19
SWATCH
• Simple and effective tool
• Written in perl
/pattern/[, /pattern/] action[,action] duration
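The following is an added example (not SWATCH itself and not code from the slides) of a small SWATCH-style watcher in Python: each rule carries one or more patterns that must all match, the actions to take, and a throttle that plays the role of SWATCH's duration. It is run over constructed syslog lines modelled on the /var/log/messages sample, including the su-to-root entry, to pick out the "things to watch for" from slide 9; the time-of-day condition and the FAILED LOGIN lines are assumptions added for the demonstration.

```python
import re

# Constructed syslog-style lines modelled on the /var/log/messages sample above;
# the FAILED LOGIN lines and the 03:15 session are invented for the demonstration.
SAMPLE_MESSAGES = """\
F25 21:37:44 rnd PAM_pwdb[17775]: (sshd) session opened for user sherif by (uid=0)
F25 21:40:00 rnd CROND[17784]: (root) CMD ( /sbin/rmmod -as)
F25 23:12:05 rnd login[17901]: FAILED LOGIN 1 FROM (null) FOR guest, Authentication failure
F25 23:12:09 rnd login[17901]: FAILED LOGIN 2 FROM (null) FOR guest, Authentication failure
F26 00:28:17 rnd PAM_unix[18386]: (system-auth) session opened for user root by sherif(uid=500)
F26 03:15:40 rnd PAM_pwdb[18502]: (sshd) session opened for user sherif by (uid=0)
"""

# Rules in the spirit of swatch's  /pattern/[, /pattern/] action[,action] duration :
# every pattern must match, "actions" is what would be taken, and "throttle" (swatch's
# duration) suppresses repeats of the same rule for that many seconds.
# "hours" is a time-of-day condition added here for slide 9's "strange hours".
RULES = [
    {"name": "su to root", "patterns": [r"session opened for user root by \S+\(uid=\d+\)"],
     "actions": ["echo", "mail"], "throttle": 0},
    {"name": "failed login", "patterns": [r"FAILED LOGIN"],
     "actions": ["echo"], "throttle": 3600},
    {"name": "off-hours session", "patterns": [r"session opened for user"],
     "actions": ["echo"], "throttle": 0, "hours": (22, 6)},
]

LINE_RE = re.compile(
    r"^(?P<day>\S+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")

def parse_line(line):
    """Split one syslog line into fields; the day token is assumed to end in the day number."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    day = int(re.search(r"\d+$", rec["day"]).group())
    h, mi, s = (int(x) for x in rec["time"].split(":"))
    rec["hour"] = h
    rec["seconds"] = day * 86400 + h * 3600 + mi * 60 + s   # lets throttling span midnight
    return rec

def off_hours(hour, start, end):
    """True when hour falls in a window that wraps past midnight, e.g. 22:00 to 06:00."""
    return hour >= start or hour < end

def watch(text, rules):
    """Run every rule over every line; return the (rule, actions, time, msg) events that fire."""
    last_fired = {}
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in rules:
            if not all(re.search(p, rec["msg"]) for p in rule["patterns"]):
                continue
            if "hours" in rule and not off_hours(rec["hour"], *rule["hours"]):
                continue
            last = last_fired.get(rule["name"])
            if last is not None and rule["throttle"] and rec["seconds"] - last < rule["throttle"]:
                continue          # suppressed, like swatch's duration
            last_fired[rule["name"]] = rec["seconds"]
            events.append((rule["name"], tuple(rule["actions"]), rec["time"], rec["msg"]))
    return events

if __name__ == "__main__":
    for name, actions, when, msg in watch(SAMPLE_MESSAGES, RULES):
        print(f"{when} {name:18} -> {','.join(actions)}: {msg}")
```

The second FAILED LOGIN is suppressed by the one-hour throttle, while the root session at 00:28 fires both the su rule and the off-hours rule.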
20
Case Study : Secureview Firewall-1 Audit
[Diagram, SecureIT SecureView: Firewall-1 gateways between the intranet and the Internet (and other Firewall-1 gateways) produce the Firewall-1 log, which log processing tools pass to a database builder and data mart; a reporting module and an admin module serve the security administrator.]
21
```
Mar 2 23:53:51 148.63.149.144:1072 -> 208.160.134.38:1214 VECNA ****P***
Mar 2 23:54:33 148.63.149.144:1072 -> 208.160.134.38:1214 VECNA ****P***
Mar 2 23:55:39 148.63.149.144:1072 -> 208.160.134.38:1214 VECNA ****P***
Mar 2 23:56:44 148.63.149.144:1072 -> 208.160.134.38:1214 VECNA ****P***
Mar 2 23:57:50 148.63.149.144:1072 -> 208.160.134.38:1214 VECNA ****P***
Mar 2 23:58:49 148.63.149.144:1072 -> 208.160.134.38:1214 VECNA ****P***
Mar 3 00:00:00 148.63.149.144:1072 -> 208.160.134.38:1214 VECNA ****P***
Mar 3 00:01:01 148.63.149.144:1072 -> 208.160.134.38:1214 VECNA ****P***
Mar 3 00:02:05 148.63.149.144:1072 -> 208.160.134.38:1214 VECNA ****P***
Mar 3 00:03:11 148.63.149.144:1072 -> 208.160.134.38:1214 VECNA ****P***
Mar 3 00:04:14 148.63.149.144:1072 -> 208.160.134.38:1214 VECNA ****P***
```
24
On-the-fly processing
• Timeliness
• Processing method
• Storage requirements
• Information capacity
Probe points selected by system administrators
[Diagram: target systems deliver direct system feeds to the intrusion detection system for on-the-fly processing.]
25
Network management and NIDS
• Use SNMP and RMON (RFC 1271) as a basis for ID collection and processing
– Analyze traffic history and statistics
– Examine network trends
– Initiate alarms
– Traffic generation for testing
26
Netmetrix
[Diagram: LanProbe noninvasive monitors on an Ethernet LAN and a token ring LAN report over the enterprise WAN (SNMP transport) to analysis applications for trending, alarms, analysis, display, etc.]
27
Case Study : NFR
[Diagram: a packet sucker captures the target system's traffic for the decision engine, which runs filters 1 to N; results go to backends, an alert manager, and a query/GUI front end.]
28
Methods for extracting traffic from the network for processing
• In-line diversion of traffic by network components
• Off-line extraction (passive sniffing)
– Most used: Ethernet promiscuous mode
– Other examples:
• Serial lines
• Wireless networks
• Tempest effect aka The van Eck effect
29
Case Study : BorderGuard Firewall Extraction for NetRanger Processing
• NSX device : local intrusion Monitoring Function
[Diagram: gateway traffic between the target system and the protected system passes through the BorderGuard firewall, which diverts traffic to the NSX intrusion detection device for NetRanger intrusion detection.]
30
Normal Behavior profiling
User Profiling Method
[Diagram: the security administrator builds a user profile from observed user activity and a knowledge base of comparable users, then refines and updates it as more activity is observed.]
31
Normal Behavior profiling
• Initial profiling of new systems and users based on estimations of expected behavior
• Observed user and system behavior should be used to fine-tune profiles
• Information from other (external) resources is used to improve the accuracy of prediction
32
Concept of Profile-based Processing
[Diagram: system activity is captured as activity observed (audit log) and set against activity expected (profiles); the two are compared and the system responds.]
33
Case study: IDES model
• Audit trail information is collected in protected logs
• Profile-based tools are used for off-line analysis
[Diagram, IDES design: system activity is recorded in the audit trail; IDES processing compares it against user/system profiles and produces anomaly records and alarms.]
34
Case study: IDES model (cont.)
<subject, object, profiles, audit-records, anomaly records, alarms>
• Subjects and Objects: from classical INFOSEC view of the initiator and the target of an activity
35
Case study: IDES model (cont.)
• Profile: Characterization of behavior
• Audit records: the data structures used to capture the system’s observed behavior
• Anomaly records: the data structures used to capture anomalous behavior
• Alarms: problem reporting methods
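To make the "compare and respond" concept and the IDES tuple concrete, here is an added example (not IDES's own code, nor from the slides) that builds per-subject profiles from audit records, compares new records against them, and turns deviations into anomaly records and alarms. The two measures (hour of activity and bytes transferred), the standard-deviation threshold, and the training data are all constructed for the demonstration; it also covers the edge case of a subject with no profile.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class AuditRecord:            # observed behaviour, one per audited event
    subject: str              # initiator of the activity (the user)
    obj: str                  # target of the activity (host or service)
    hour: int                 # hour of day the activity occurred
    bytes_out: int            # bytes transferred out during the session

@dataclass(frozen=True)
class AnomalyRecord:          # one measure of one record that deviated from its profile
    subject: str
    obj: str
    measure: str
    value: float
    score: float              # deviation in standard deviations (inf when no profile exists)

MEASURES = ("hour", "bytes_out")

# Constructed training data: user sherif works office hours on the file server.
TRAINING = [AuditRecord("sherif", "fileserver", h, b) for h, b in
            zip([9, 10, 11, 13, 14, 15, 16, 17, 12],
                [100, 150, 200, 250, 300, 120, 180, 220, 280])]

# Constructed new audit records to be checked against the profiles.
OBSERVED = [
    AuditRecord("sherif", "fileserver", 10, 200),   # within profile
    AuditRecord("sherif", "fileserver", 3, 5000),   # 03:00 and a 5000-byte transfer
    AuditRecord("guest", "fileserver", 10, 50),     # subject with no profile at all
]

def build_profiles(records):
    """Profile = per-subject (mean, standard deviation) of each measure."""
    by_subject = defaultdict(lambda: defaultdict(list))
    for r in records:
        for m in MEASURES:
            by_subject[r.subject][m].append(getattr(r, m))
    return {s: {m: (mean(v), pstdev(v)) for m, v in ms.items()}
            for s, ms in by_subject.items()}

def deviation(stats, x):
    """Distance of x from the profile mean, in standard deviations."""
    mu, sd = stats
    if sd == 0:                                  # constant behaviour: any change is extreme
        return 0.0 if x == mu else float("inf")
    return abs(x - mu) / sd

def detect_anomalies(profiles, records, threshold=3.0):
    """Compare each audit record with its subject's profile; emit anomaly records."""
    anomalies = []
    for r in records:
        prof = profiles.get(r.subject)
        if prof is None:                         # unknown subject: nothing to compare against
            anomalies.append(AnomalyRecord(r.subject, r.obj, "unknown_subject", 0.0, float("inf")))
            continue
        for m in MEASURES:
            score = deviation(prof[m], getattr(r, m))
            if score >= threshold:
                anomalies.append(AnomalyRecord(r.subject, r.obj, m, float(getattr(r, m)), score))
    return anomalies

def raise_alarms(anomalies):
    """Respond: one alarm per (subject, object), listing the measures that deviated."""
    grouped = defaultdict(list)
    for a in anomalies:
        grouped[(a.subject, a.obj)].append(a.measure)
    return [(s, o, sorted(ms)) for (s, o), ms in sorted(grouped.items())]

if __name__ == "__main__":
    for alarm in raise_alarms(detect_anomalies(build_profiles(TRAINING), OBSERVED)):
        print("ALARM", alarm)
```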
36
Toll fraud and similar problems
• How can toll fraud-like problems be solved using “Normal Behavior profiling?”
• How about credit card fraud?
• Phone card fraud?
37
http://www.atcomm.com/advisor/basics/call-account.htm
• Boost Security
– Highlight Suspicious Activity and Review Unrecognizable Call Data for Hacker Detection
– Prevent/Locate Unauthorized System Access
– Real Time Notification of Exception Calling
– Track After Hours Security Guards
– Detect Bomb Threats
– Selective Reporting/Display for Top Secret/Sensitive Materials
– Account for Calls But Delete Detail (Call Processing)
– Password Security to Prevent Moving from Call Processing
– Keyboard Macro Available to Provide Additional Security
38
The Abnormal Behavior (Attack) Signature Method
• Commonly used in on-the-fly IDS
• Attack signatures
– May require temporal and state-machine-like modeling
• Special character strings
– E.g.: /etc/password in an ftp session
39
[Diagram: probe point feeds from the target systems go to string-based intrusion detection systems (selected via traffic content modeling of attack) and to profile-based intrusion detection systems (selected via activity sequence modeling of attack).]
Should correlate string and profile based processing
40
Case Study: SNORT rules
• http://www.snort.org/docs/writing_rules/
41
```
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; content: ".forward"; flags: A+;reference:arachnids,319; classtype:suspicious-filename-detect; sid:334; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts";flags: A+; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root"; content: "cwd ~root"; nocase; flags: A+;reference:arachnids,318; classtype:bad-unknown; sid:336; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT aix overflow";flags: A+;dsize:>1300; content:"CEL "; reference:arachnids,257; classtype:attempted-admin; sid:337; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flags: A+; content: "SITE EXEC |25 30 32 30 64 7C 25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase; reference:arachnids,453; classtype:attempted-user; sid:338; rev:1;)
```
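To show what a signature engine actually does with rules like these, here is an added example (not Snort's code and not from the slides) that parses three of the rules above and evaluates the options they use, namely destination port, `content` with `|hex|` escapes, `nocase`, `depth` and `dsize`, against constructed FTP command payloads. Only that subset of the rule language is implemented; `flags`, `reference`, `classtype` and `rev` are read but not evaluated.

```python
import re

# Three of the slide's rules, verbatim; the payloads checked below are constructed.
RULES_TEXT = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts";flags: A+; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root"; content: "cwd ~root"; nocase; flags: A+;reference:arachnids,318; classtype:bad-unknown; sid:336; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT aix overflow";flags: A+;dsize:>1300; content:"CEL "; reference:arachnids,257; classtype:attempted-admin; sid:337; rev:1;)
"""

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def decode_content(text):
    """Convert a content string with |hex| escapes to bytes, e.g. "a|20|b" -> b'a b'."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += chunk.encode("latin-1") if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)

def parse_rule(line):
    """Parse the rule header and the option subset this matcher understands."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a rule: " + line)
    action, proto, src, sport, dst, dport, options = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "msg": None, "sid": None, "content": None, "nocase": False,
            "depth": None, "dsize": None}
    for opt in options.split(";"):
        key, _, value = opt.strip().partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "msg":
            rule["msg"] = value
        elif key == "sid":
            rule["sid"] = int(value)
        elif key == "content":
            rule["content"] = decode_content(value)
        elif key == "nocase":
            rule["nocase"] = True
        elif key == "depth":
            rule["depth"] = int(value)
        elif key == "dsize":
            rule["dsize"] = value           # kept as written, e.g. ">1300"
        # flags, reference, classtype and rev are not evaluated by this matcher
    return rule

def dsize_ok(spec, length):
    """Evaluate a dsize option (">N", "<N" or "N") against the payload length."""
    if spec is None:
        return True
    if spec[0] in "<>":
        return length > int(spec[1:]) if spec[0] == ">" else length < int(spec[1:])
    return length == int(spec)

def rule_matches(rule, dport, payload):
    """Check destination port, dsize, and content (honouring nocase and depth)."""
    if rule["dport"] != "any" and rule["dport"] != str(dport):
        return False
    if not dsize_ok(rule["dsize"], len(payload)):
        return False
    if rule["content"] is None:
        return True
    haystack = payload[:rule["depth"]] if rule["depth"] else payload
    needle = rule["content"]
    if rule["nocase"]:
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack

def scan(rules, dport, payload):
    """Return the sids of every rule that fires on this (port, payload)."""
    return [r["sid"] for r in rules if rule_matches(r, dport, payload)]

RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]

if __name__ == "__main__":
    print(scan(RULES, 21, b"CWD ~ROOT\r\n"))   # sid 336 fires because of nocase
```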
42
Parameter pattern matching or anomaly discovery
• Based on continuous monitoring of network and system attributes
• The monitoring is not necessarily security focused
• Day-to-day operational experience is the basis for detecting anomalies
43
[Diagram: normal system operation and administration of the target system (network, OS, application, etc.) yields an operational view of normal patterns; these monitoring operations may not be disciplined or predictable. The intrusion detection system interprets those patterns, and the interpretation is triggered by detection of change from normal.]
51
Recent criticism of intrusion detection methods
• On-the-fly traffic interpretation problem
• server audit interpretation problem
• fail-open nature of intrusion detection
• intrusion detection methods may be vulnerable to insertion attacks
• intrusion detection methods may be vulnerable to evasion attacks
• Intrusion detection methods may be vulnerable to denial of service attacks