
Intrusion Detection and Information Fusion/Decision Making


Presentation Transcript


  1. Intrusion Detection and Information Fusion/Decision Making By Ganesh Godavari

  2. Outline of Talk
  • Need for Intrusion Detection and Information Fusion
  • Intrusion Detection Message Exchange Format (IDMEF)
  • Plan of action
  • Conclusion

  3. Intrusion Detection
  • Intrusion detection
    • the process of discovering, analyzing, and reporting unauthorized or damaging network or computer activities
    • the goal is to discover violations of the confidentiality, integrity, and availability of information and resources

  4. Problems with Intrusion Detection
  • Network traffic and computer activity fall into one of three categories:
    • Normal
    • Abnormal but not malicious
    • Malicious
  • Properly classifying these events is the single most difficult problem

  5. Problems (contd.)
  • IDSes generally provide
    • a constant feed of new alerts
    • which are written into a log file
  • How can one minimize the number of alerts?
  • Does alert aggregation and correlation solve the problem?

  6. Problem in alert correlation
  • Alerts are correlated based on certain keywords
    • Is a tomato a fruit or a vegetable?
    • You want to get the general information associated with an IP address and port numbers
  • Solutions?
    • Can anyone suggest any?
  • Is this problem unique?
    • No, web search engines often encounter these problems
  • How about applying Latent Semantic Indexing *?
    • It worked for search engines like Google, so it can work for information retrieval of intrusion detection alerts too!!

  7. IDMEF Format

  8. Distributed IDS

  9. Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD)
  • EMERALD HIDS provides
    • a distributed, scalable tool suite for tracking malicious activity through and across large networks
  • Requires a Sun Microsystems SPARC platform running one of:
    • SunOS 5.6 (Solaris 2.6) with service patch 105621-24 or newer
    • Solaris 7 with service patch 106541-12 or newer
    • Solaris 8 with service patch 108875-07 or newer

  10. Tripwire
  • Need to get the complete version in order to perform tests using Tripwire
  • Currently being negotiated between Tripwire and Dr. Chow

  11. Some of the important fields
  • IDS important fields
    • src/dest IP address or username
    • src/dest port number
    • IP packet type
    • Detection time of the attack
    • Packet content of the attack packet, or the malicious-activity report in the case of a HIDS
  • Any other packet information required?
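As an added illustration of the alert aggregation asked about on slide 5, keyed on the fields listed on slide 11, the following Python is example code written for this transcript and not part of the original talk or of any IDS product; the alert records and field names (src_ip, dst_ip, dst_port, proto, signature, detect_time) are constructed stand-ins for the corresponding IDMEF Source, Target, Classification and DetectTime elements.

```python
"""Aggregate repeated IDS alerts and correlate them by source address.

Added example, not from the original talk. Alerts are constructed
dictionaries; the field names are assumptions standing in for the
slide-11 fields (src/dest IP, src/dest port, packet type, detect time).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def alert(src, dst, port, sig, when, proto="tcp"):
    """Build one constructed alert record with the slide-11 fields."""
    return {"src_ip": src, "dst_ip": dst, "dst_port": port, "proto": proto,
            "signature": sig, "detect_time": when}


# Constructed sample feed (not real traffic): one brute-force burst,
# a later repeat of it, a second probe from the same host, and an
# unrelated alert from another host.
ALERTS = [
    alert("10.0.0.5", "10.0.0.20", 22, "SSH brute force", "2004-03-01T10:00:01"),
    alert("10.0.0.5", "10.0.0.20", 22, "SSH brute force", "2004-03-01T10:00:02"),
    alert("10.0.0.5", "10.0.0.20", 22, "SSH brute force", "2004-03-01T10:00:03"),
    alert("10.0.0.5", "10.0.0.20", 80, "Web scan", "2004-03-01T10:00:10"),
    alert("10.0.0.7", "10.0.0.21", 25, "SMTP relay probe", "2004-03-01T10:01:00"),
    alert("10.0.0.5", "10.0.0.20", 22, "SSH brute force", "2004-03-01T10:09:00"),
]


def aggregate(alerts, window=timedelta(minutes=5)):
    """Collapse alerts sharing (src, dst, port, proto, signature) that fall
    within `window` of the group's first alert into one record with a count.
    A repeat outside the window opens a fresh group, so the timeline is kept."""
    groups, ordered = {}, []
    for a in sorted(alerts, key=lambda a: a["detect_time"]):
        t = datetime.fromisoformat(a["detect_time"])
        key = (a["src_ip"], a["dst_ip"], a["dst_port"], a["proto"], a["signature"])
        g = groups.get(key)
        if g is None or t - g["first_seen"] > window:
            g = {"key": key, "first_seen": t, "last_seen": t, "count": 0}
            groups[key] = g
            ordered.append(g)
        g["last_seen"] = t
        g["count"] += 1
    return ordered


def correlate_by_source(aggregated):
    """Map each source IP to the set of (dst_ip, dst_port) it touched, which
    is the 'general information associated with an IP address' from slide 6."""
    by_src = defaultdict(set)
    for g in aggregated:
        src, dst, port = g["key"][0], g["key"][1], g["key"][2]
        by_src[src].add((dst, port))
    return dict(by_src)


if __name__ == "__main__":
    for g in aggregate(ALERTS):
        print(g["count"], "x", g["key"], g["first_seen"], "->", g["last_seen"])
    print(correlate_by_source(aggregate(ALERTS)))
```

On the constructed feed the six raw alerts collapse to four aggregated records, and the per-source view shows 10.0.0.5 reaching two ports on the same target.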

  12. Conclusion
  • Can capture normal and attack traffic on both NIDS and HIDS
  • For HIDS, if I get a license for Tripwire or have a Solaris box, using EMERALD would be helpful for capturing data
  • Shall provide the packet dumps and ASCII packet dumps.
