Intrusion DetectionPrevention Systems.ppt

Example of Vulnerability Signatures At least 75% vulnerabilities are due to buffer overflow Sample vulnerability signature Field length corresponding to vulnerable buffer certain threshold Intrinsic to buffer overflow vulnerability and hard to evade Counting Zero-Day Attacks Security Information Fusion Internet Storm Center (aka, DShield) has the largest IDS log repository Sensors covering over 500,000 IP addresses in over 50 countries More w/ DShield slides In the first 30 minutes of Sapphire’s spread, we recorded nearly 75,000 unique infections. As we will detail later, most of these infections actually occurred within 10 minutes. This graphic is more for effect rather than technical detail: We couldn’t determine a detailed location for all infections, and the diameter of each circle is proportional to the lg() of the number of infections, underrepresenting larger infections. Nevertheless, it gives a good feel for where Sapphire spread. We monitored the spread using several “Network Telescopes”, address ranges where we had sampled or complete packet traces at single sources. We also used the D-shield distributed intrusion detection system to determine IPs of infected machines, but we couldn’t use this data for calculating the scanning rate. * Problems: mainly accuracy * * Protection is not free/cheap. For example, an intrusion detection system (IDS) needs to analyze each packet. This requires a lot of computing power, usually a dedicated high-end workstation. If the IDS is real-time then its response time must be short. When there is insufficient resources, some protection mechanisms will simply not let data in (fail-close). For example, a firewall, which filters each packet, will simply drop packets when it is overloaded. The dropped packet will not be able to reach beyond the firewall into the internal network. The user experience may not be a happy one because of data loss. However, other protection mechanisms will check/analyze as much as they can but