Definition of Intrusion Detection
What is intrusion detection?
The act of detecting unauthorized access to a computer system or network.
Intrusion Detection
IDS Burglar Alarms: A How-To Guide
It was 2001 when I first heard of the concept of intrusion detection devices that were like burglar alarms. Stephen Northcutt was speaking in a SANS GCIA class regarding SHADOW, the intrusion detection system he developed for the Naval Surface Warfare Center/Dahlgren Division. Part of the explanation was regarding the architecture of the SHADOW IDS. This architecture made a lot of sense to me, especially since the hardware available to me is made up of old workstations. Since these old workstations have less than ideal processing power, we want to make them do as little as possible outside of their primary task. This isn't that big a deal for the analyzers, since they don't have to capture packets.
Read the Article
Secure Setup of a Corporate Detection and Scanning Environment
This paper covers the secure deployment of a distributed intrusion detection environment as well as the secure deployment of a distributed vulnerability scanning environment. Since many companies do not (yet) have a proper security budget, the focus of this paper lies on open source tools. The open source tools used are Snort (with ACID), Nessus, Nmap, Nikto, Inprotect and Gherkin. The URLs of the websites of these tools can be found in the reference list and in the component descriptions.
Read the Article
Distributed NIDS: A HOW-TO Guide
The goal of this guide is to cover these four components and to leave the reader with a fully functional and powerful distributed NIDS. The guide is laid out in two parts. The first part covers the design of the system, explaining the logical layout of a distributed NIDS and applying that layout to a fictional corporate network; it also details the gathering of the required hardware and software. The second part explains how to build the system, leading the reader through the remaining components and through the observation and supervision steps.
Read the Article
The Human Factor - Adding Intelligence and Action to Intrusion Detection
Intrusion detection systems need to communicate with analysts on multiple levels. They need to be scalable, reliable, effective and efficient; in addition, they need to be responsive to human intelligence and intuition. To be safe from attack themselves, they need to be invisible to hackers. This paper explores the current state of Intrusion Detection System (IDS) technology, whose roots date from 1985. It identifies system requirements and essential elements in the context of an overall architecture, and it highlights several systems available today that fit nicely into the suggested architecture. The future of IDS will be much like its past: technology will continue to evolve, attacks will become more difficult to detect, and humans will be needed more than ever.
Read the Article
Intrusion Detection with MOM - Going Above the Wire
There are several areas, or layers, at which intrusions into a system can occur. At the "wire" or network layer, several tools can successfully discern the nature of traffic for most commercial protocols. But how do you find out what is happening "above the wire", at the operating system and application layers? And what about traffic that is properly formed and does not trigger any IDS rule? By focusing on WAN/LAN-layer traffic and looking for "exception traffic" - signatures within packets that indicate malicious intent - a network IDS virtually ignores properly formed, legal traffic. With attackers getting more sophisticated, the analyst needs to respond with tools that work above the wire, at the application and operating system level.
Read the Article
Intelligent Correlator for NIDS
In today's NIDS the number of alerts may be huge, and the delay between the moment an alert is generated and the moment the system administrator analyzes it can be so long that the situation has already changed, e.g. on dual-boot Unix/Windows machines. We would therefore like to give a low priority to, or filter out, alerts that are not relevant, and to gather more information about the target of the attack at the time the attack is performed. The goal of this work is a prototype of a system that reduces the number of false positives of a NIDS by triggering real-time collection of information about the target on alert reception.
Read the Article
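The filtering step the abstract describes, as an added example that is not the paper's prototype: on alert reception the correlator looks up what the target is right now and downgrades or filters alerts that cannot apply to it. Everything here is constructed: the Snort "fast"-style alert lines use made-up local signature IDs, `SIG_REQUIRES` is a hypothetical mapping from signature to the platform and port it needs, and `probe_target()` is a stand-in for the real-time collection (OS fingerprint, port probe) the paper performs against the target.

```python
"""Toy alert correlator: on alert reception, check the target's current state
and downgrade or filter alerts that cannot apply to it. Added example; all
data is constructed and the lookups are stand-ins for live probes."""
import re

# Constructed stand-in for a live probe of the target taken at alert time.
# On a dual-boot host this can differ from any static inventory, which is
# why the lookup happens on reception rather than from a stored asset list.
LIVE_HOSTS = {
    "10.0.0.5": {"os": "linux", "open_ports": {22, 80}},
    "10.0.0.9": {"os": "windows", "open_ports": {135, 139, 445}},
}

def probe_target(ip):
    """Hypothetical real-time probe; unknown hosts yield no context."""
    return LIVE_HOSTS.get(ip, {"os": "unknown", "open_ports": set()})

# Constructed mapping from signature message to the conditions under which the
# attack can succeed: the OS it targets (None = any) and the service port.
SIG_REQUIRES = {
    "NETBIOS SMB-DS DCERPC bind attempt": {"os": "windows", "port": 445},
    "WEB-MISC /etc/passwd access": {"os": "linux", "port": 80},
    "SCAN SSH brute force attempt": {"os": None, "port": 22},
}

# Snort "fast"-style alert line: "[**] [gid:sid:rev] msg [**] ... src:port -> dst:port"
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alert(line):
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def correlate(line):
    """Return the parsed alert annotated with a verdict, or None if unparseable."""
    alert = parse_alert(line)
    if alert is None:
        return None
    req = SIG_REQUIRES.get(alert["msg"])
    target = probe_target(alert["dst"])
    if req is None:
        verdict = "unknown-signature"   # no context available; leave for the analyst
    elif req["os"] and target["os"] != "unknown" and req["os"] != target["os"]:
        verdict = "filtered"            # e.g. Windows exploit vs. host currently booted into Linux
    elif int(alert["dport"]) not in target["open_ports"]:
        verdict = "low"                 # service was not listening at alert time
    else:
        verdict = "high"
    return {**alert, "target_os": target["os"], "verdict": verdict}

def triage(lines):
    """Correlate a batch of alert lines; returns {verdict: [sid, ...]}."""
    out = {}
    for line in lines:
        r = correlate(line)
        if r:
            out.setdefault(r["verdict"], []).append(r["sid"])
    return out

SAMPLE_ALERTS = [  # constructed; SIDs are in the local-rule range, not real Snort IDs
    "03/01-12:00:01.000001  [**] [1:1000001:1] NETBIOS SMB-DS DCERPC bind attempt [**] "
    "[Priority: 1] {TCP} 192.0.2.10:3422 -> 10.0.0.5:445",
    "03/01-12:00:02.000001  [**] [1:1000001:1] NETBIOS SMB-DS DCERPC bind attempt [**] "
    "[Priority: 1] {TCP} 192.0.2.10:3423 -> 10.0.0.9:445",
    "03/01-12:00:03.000001  [**] [1:1000002:1] WEB-MISC /etc/passwd access [**] "
    "[Priority: 2] {TCP} 192.0.2.11:40000 -> 10.0.0.5:80",
    "03/01-12:00:04.000001  [**] [1:1000003:1] SCAN SSH brute force attempt [**] "
    "[Priority: 3] {TCP} 192.0.2.12:50000 -> 10.0.0.9:22",
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        r = correlate(line)
        print(f'{r["verdict"]:>8}  {r["msg"]}  -> {r["dst"]} ({r["target_os"]})')
```

The first sample alert is the dual-boot case from the abstract: a Windows-only signature fired against a host that, when probed, is running Linux, so it is filtered rather than paged. The SSH alert is kept but demoted because port 22 is closed on the target; the remaining two match OS and service and stay at high priority.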
Intrusion Detection on a Large Network
This paper will describe in detail the steps for setting up and managing an intrusion detection system across a large corporate network. It will begin with a discussion of the potential problems and benefits of the use of a NIDS on a large network. The basics of installing, configuring and implementing the necessary software on a hypothetical network will be covered. Additional steps to automate, fail-safe and secure the system will be described. Finally, a brief discussion of the potential difficulties of tuning a rule-based system such as Snort that is deployed on a large, heterogeneous, well-secured network will be presented.
Read the Article
Packet Level Normalization
This paper proposes that any Signature Based Passive Network Intrusion Detection (NID) deployment is incomplete without an 'In-line' 'Packet Level Normaliser'. A number of published papers will be selectively reviewed, assessing their contribution to the development of this field. Focusing on the Network Layer, a 'walkthrough' of the IP protocol will be followed by a Lab where the Normaliser 'norm' will be employed to illustrate core concepts. Packets will be manufactured using 'NetDuDe' and 'Fragroute'. The output will be in 'tcpdump' format. The paper culminates with a brief review of current normaliser technology.
Read the Article
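The core concept the paper's lab illustrates with norm and Fragroute, as an added example that is not from the paper: overlapping IP fragments are ambiguous, a passive IDS cannot know which overlap policy the destination stack applies, and an in-line normalizer removes the ambiguity before the traffic reaches either. The fragments are constructed; offsets are in bytes rather than the 8-octet units of the real IP header, and only the overlap problem is modelled (a real normalizer also handles TTL, DF/MF, options and more).

```python
"""IP fragment overlap: why a passive signature IDS needs an in-line normalizer.
Added example with constructed fragments; offsets are in bytes rather than the
8-octet units of the real IP header, and only overlap handling is modelled."""
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int   # byte offset of this fragment's payload within the datagram
    data: bytes

def reassemble(frags, policy):
    """Rebuild the payload, resolving overlapping bytes by 'first' or 'last'
    arrival. Real stacks differ in which policy they apply, and a passive IDS
    cannot know which one the destination host will use."""
    end = max(f.offset + len(f.data) for f in frags)
    buf, filled = bytearray(end), [False] * end
    for f in frags:                          # arrival order
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if filled[pos] and policy == "first":
                continue                     # keep the first copy of this byte
            buf[pos], filled[pos] = b, True  # 'last': later copy overwrites
    return bytes(buf)

def normalize(frags):
    """In-line normalizer: drop every byte already delivered by an earlier
    fragment, so the stream that passes the IDS has no overlaps and every
    receiving stack reassembles it identically. Favouring the first copy is
    one possible choice; what matters is that the choice is made once."""
    covered, out = set(), []
    for f in frags:
        run_off, run = None, bytearray()
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in covered:
                if run:                      # flush the kept bytes so far
                    out.append(Fragment(run_off, bytes(run)))
                    run_off, run = None, bytearray()
                continue
            if run_off is None:
                run_off = pos
            run.append(b)
            covered.add(pos)
        if run:
            out.append(Fragment(run_off, bytes(run)))
    return out

# Constructed evasion attempt: the second fragment overwrites the tail of the
# first. A 'first' stack sees an innocent request, a 'last' stack sees the attack.
EVASION = [Fragment(0, b"GET /index.html"), Fragment(5, b"etc/passwd")]

if __name__ == "__main__":
    for pol in ("first", "last"):
        print(f"raw,        {pol:5}: {reassemble(EVASION, pol)!r}")
    clean = normalize(EVASION)
    for pol in ("first", "last"):
        print(f"normalized, {pol:5}: {reassemble(clean, pol)!r}")
```

Run raw, `EVASION` reassembles to `GET /index.html` under one policy and `GET /etc/passwd` under the other; an IDS using the former policy matches nothing while a host using the latter executes the attack. After `normalize()` the overlapping fragment is trimmed away entirely, and both policies agree, so a signature IDS behind the normalizer sees exactly what the host sees.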
IDMEF "Lingua Franca" for Security Incident Management
The Intrusion Detection Working Group, chartered by the IETF has been working for some time on a set of specifications that will allow the transfer of intrusion detection information between the detection device (Analyzer) and a management station (Manager). These specifications provide for the format and structure of the messages and the protocols used to do the actual transfer. The relationship of these protocols is discussed as well as an overview of the specifications themselves. The importance of this development is also discussed as well as the current status of the protocols and a number of implementations.
Read the Article
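What an Analyzer-to-Manager message in this format actually looks like, as an added example that is not from the paper: a minimal IDMEF Alert is built as XML and parsed back. The paper predates the final specification; the namespace, element names and attributes used here are those of RFC 4765 (the published IDMEF data model), and the sample analyzer ID, addresses and classification text are constructed.

```python
"""Minimal IDMEF round trip: emit an Alert in the RFC 4765 XML data model and
read it back. Added example; the sample values are constructed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"      # namespace defined by RFC 4765
ET.register_namespace("idmef", IDMEF_NS)
NTP_EPOCH_OFFSET = 2208988800           # seconds from 1900-01-01 to 1970-01-01

def q(tag):
    """Qualify an IDMEF element name for ElementTree."""
    return f"{{{IDMEF_NS}}}{tag}"

def ntpstamp(dt):
    """IDMEF 'ntpstamp' attribute: hex NTP seconds and 32-bit fraction."""
    secs = int(dt.timestamp()) + NTP_EPOCH_OFFSET
    frac = int(dt.microsecond / 1e6 * 2**32)
    return f"0x{secs:08x}.0x{frac:08x}"

def build_alert(message_id, analyzer_id, created, src_ip, dst_ip, dst_port, text):
    """Analyzer -> Manager: who saw it, when, from where, against what, and what it was."""
    root = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(root, q("Alert"), messageid=message_id)
    ET.SubElement(alert, q("Analyzer"), analyzerid=analyzer_id)
    ct = ET.SubElement(alert, q("CreateTime"), ntpstamp=ntpstamp(created))
    ct.text = created.strftime("%Y-%m-%dT%H:%M:%SZ")
    for role, ip in (("Source", src_ip), ("Target", dst_ip)):
        node = ET.SubElement(ET.SubElement(alert, q(role)), q("Node"))
        addr = ET.SubElement(node, q("Address"), category="ipv4-addr")
        ET.SubElement(addr, q("address")).text = ip
    # Service sits beside Node under Target (RFC 4765 section 4.2.4.4)
    service = ET.SubElement(alert.find(q("Target")), q("Service"))
    ET.SubElement(service, q("port")).text = str(dst_port)
    ET.SubElement(alert, q("Classification"), text=text)
    return ET.tostring(root, encoding="unicode")

def parse_alert(xml_text):
    """Manager side: pull the fields an analyst or correlator needs out of the message."""
    alert = ET.fromstring(xml_text).find(q("Alert"))

    def ip_of(role):
        return alert.findtext(f"{q(role)}/{q('Node')}/{q('Address')}/{q('address')}")

    return {
        "messageid": alert.get("messageid"),
        "analyzerid": alert.find(q("Analyzer")).get("analyzerid"),
        "created": alert.findtext(q("CreateTime")),
        "src": ip_of("Source"),
        "dst": ip_of("Target"),
        "dport": int(alert.findtext(f"{q('Target')}/{q('Service')}/{q('port')}")),
        "classification": alert.find(q("Classification")).get("text"),
    }

# Constructed sample message from a hypothetical sensor "snort-dmz-1"
SAMPLE = build_alert(
    "snort-dmz-1-00042", "snort-dmz-1",
    datetime(2005, 3, 1, 12, 0, 1, tzinfo=timezone.utc),
    "192.0.2.10", "10.0.0.5", 445, "DCERPC bind attempt",
)

if __name__ == "__main__":
    print(SAMPLE)
    print(parse_alert(SAMPLE))
```

The value of the common format is visible in `parse_alert()`: a manager written against these paths can consume alerts from any analyzer that emits IDMEF, regardless of the analyzer's native log format, which is the "lingua franca" role the paper's title refers to. Transport of the message (the working group's separate protocol work) is out of scope here.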
Intrusion Prevention - Part of Your Defense in Depth Architecture?
The tools available to IT security professionals are becoming more proactive, attempting to prevent, rather than only detect, exploits that damage critical assets. Intrusion prevention in particular has received a lot of attention in the IT press in the last several years. This paper explores Intrusion Prevention Systems (IPS) from the perspective of using IPS as part of a Defense in Depth strategy. First we describe Defense in Depth. We then explore the various components of a traditional Defense in Depth architecture and explain the various technologies of IPS. We conclude with a discussion of what these tools can and cannot do in a comprehensive security program.
Read the Article