Chapter 9: The Art of Intrusion Detection (.ppt slides)
NBD (Network-Based Detection) Pros and Cons

Advantages:
- Low cost
- No interference with the monitored hosts or traffic
- Intrusion resistant
Disadvantages:
- May not be able to analyze encrypted packets
- Hard to process a large volume of traffic in time
- Some intrusion activities are hard to identify from traffic alone
- Hard to determine whether the intrusion actually succeeded

HBD (Host-Based Detection) Pros and Cons

Advantages:
- Can inspect data that was encrypted in transit, since the host sees it after decryption
- Detects intrusions that NBD cannot detect
- Needs no special hardware
- Checks system logs, so its findings are more accurate
Disadvantages:
- Requires extra system management
- Consumes extra computing resources on the monitored host
- May itself be affected if the host computer or server it runs on is compromised
- Cannot be installed on routers or switches

Signature Classification (Signature Detection Systems)

- Built-in system: detection rules are stored inside the system; an IDS editor lets the user select rules according to their needs
- Programming system: ships with default rules and a programming language, so users can both select rules and define their own
- Expert system: more specific and comprehensive, but requires domain experts to write the rules

Event Measures

- Event counter: an integer variable for each event type, recording the total number of times that event occurs in a fixed period of time
- Event gauge: an integer variable for each measurable object in the system, denoting the object's current value
- Event timer: an integer variable for two related events, denoting the time difference between the occurrence of the first event and the second
- Resource utilization: a variable for each resource in the system, recording the utilization of that resource during a fixed period of time

Behavioral Data Forensics

Behavioral data forensics studies how to use data mining techniques to analyze event logs and search for useful information.
Data mining techniques:
- Data refinement
- Contextual interpretation
- Source combination
- Out-of-band data
- Drill down
A behavioral data forensics example (p. 339)

Honeypots

Definition: any device, system, directory, or file used as a decoy
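The signature classification and event measures above, worked as an added example (not code from the slides, the textbook, or any IDS product): a small host-based detector in Python that parses constructed ssh/sudo log lines, applies built-in signature rules the user selects plus one user-defined rule (the programming-system case), and computes an event counter, gauge, timer and resource-utilization measure before turning them into alerts. The log format, rule names, hostnames and addresses, and the thresholds (3 failed logins, 10 s success window) are assumptions for illustration.

```python
# Added example: a small host-based detector over constructed ssh/sudo log lines.
# It pairs signature detection (built-in rules the user selects, plus a
# user-defined rule) with the slides' four event measures and turns them into alerts.
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (hypothetical hosts, documentation-range addresses),
# loosely modelled on sshd/sudo syslog lines with ISO timestamps.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[4012]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-03-01T10:00:02 sshd[4012]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-03-01T10:00:03 sshd[4012]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T10:00:06 sshd[4013]: Accepted password for root from 203.0.113.7 port 51027 ssh2
2024-03-01T10:00:07 sudo: root : TTY=pts/0 ; COMMAND=/usr/bin/cat /etc/shadow
2024-03-01T10:00:08 sshd[4014]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
2024-03-01T10:00:09 sudo: alice : TTY=pts/1 ; COMMAND=/bin/ls /home
2024-03-01T10:00:20 sshd[4014]: pam_unix(sshd:session): session closed for user alice
"""
START, PERIOD = datetime(2024, 3, 1, 10, 0, 0), timedelta(seconds=60)  # the fixed period

LINE_RE = re.compile(r"^(?P<ts>\S+) [a-z]+(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
# Built-in signature rules stored in the detector; names and patterns are hypothetical.
BUILTIN_RULES = {
    "shadow_read": re.compile(r"COMMAND=.*/etc/shadow"),
    "root_password_login": re.compile(r"Accepted password for root"),
}

def parse(log_text):
    """Turn raw lines into (timestamp, message) events; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["msg"]))
    return events

def signature_scan(events, active_rules, user_rules=None):
    """Match events against the selected built-in rules plus user-defined ones."""
    rules = {name: BUILTIN_RULES[name] for name in active_rules}
    rules.update(user_rules or {})  # the 'programming system' case
    return [(name, ts.isoformat()) for ts, msg in events
            for name, rx in rules.items() if rx.search(msg)]

def event_counter(events, start, period):
    """Event counter: failed logins per source IP within [start, start + period)."""
    counts = Counter()
    for ts, msg in events:
        m = FAILED_RE.search(msg)
        if m and start <= ts < start + period:
            counts[m.group(2)] += 1
    return counts

def event_gauge(events):
    """Event gauge: SSH sessions still open after replaying the log."""
    open_sessions = 0
    for _, msg in events:
        if ACCEPTED_RE.search(msg):
            open_sessions += 1
        elif "session closed for user" in msg:
            open_sessions -= 1
    return open_sessions

def event_timer(events):
    """Event timer: seconds from first failed to first accepted login per (user, ip)."""
    first_fail, timers = {}, {}
    for ts, msg in events:
        m = FAILED_RE.search(msg)
        if m:
            first_fail.setdefault(m.groups(), ts)
            continue
        m = ACCEPTED_RE.search(msg)
        if m and m.groups() in first_fail:
            timers.setdefault(m.groups(), (ts - first_fail[m.groups()]).total_seconds())
    return timers

def resource_utilization(events, start, period):
    """Resource utilization: share of the period's auth attempts per source IP
    (the slides' measure applied to the SSH service instead of CPU or disk)."""
    per_ip = Counter()
    for ts, msg in events:
        m = FAILED_RE.search(msg) or ACCEPTED_RE.search(msg)
        if m and start <= ts < start + period:
            per_ip[m.group(2)] += 1
    total = sum(per_ip.values())
    return {ip: n / total for ip, n in per_ip.items()} if total else {}

def analyze(log_text, start, period, active_rules=("shadow_read", "root_password_login"),
            user_rules=None, fail_threshold=3, success_window=10.0):
    """Combine signatures and measures into alerts; thresholds are hypothetical."""
    events = parse(log_text)
    alerts = [f"signature:{n}@{ts}" for n, ts in signature_scan(events, active_rules, user_rules)]
    counts = event_counter(events, start, period)
    alerts += [f"counter:{n} failed logins from {ip}" for ip, n in counts.items() if n >= fail_threshold]
    for (user, ip), secs in event_timer(events).items():
        # success shortly after a burst of failures: the brute-force-succeeded
        # pattern a host can confirm from its own logs but NBD cannot
        if counts.get(ip, 0) >= fail_threshold and secs <= success_window:
            alerts.append(f"timer:{user}@{ip} succeeded {secs:.0f}s after {counts[ip]} failures")
    return alerts

if __name__ == "__main__":
    extra = {"home_listing": re.compile(r"COMMAND=/bin/ls /home")}  # user-defined rule
    print("\n".join(analyze(SAMPLE_LOG, START, PERIOD, user_rules=extra)))
```

Run as a script it prints the signature hits, the counter alert and the timer alert for the sample log. The timer measure is the interesting one: pairing the first failed login with the first accepted login from the same (user, IP) is what lets a host-based detector answer the question NBD cannot, namely whether the brute-force attempt actually succeeded.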