Network Monitoring for Intrusion Detection
In this article, I will present an introduction to network monitoring and traffic analysis. By combining basic network monitoring and traffic analysis with other intrusion detection methods, you can establish better overall security.
One of These Things is not Like the Others: The State of Anomaly Detection
It's easy to compare an Intrusion Detection System (IDS) with an Anomaly Detection System (ADS). They both look for "bad things" on a system or network, things that may be potential security incidents. Each can work well or produce loads of false alarms. And the final results are the same - a suspicious event is flagged for an administrator to investigate. However, despite these similarities, these tools work quite differently.
Preventing and Detecting Insider Attacks Using IDS
Shortly after lunch break, an employee angrily strides out of his supervisor's office, down two rows of desks, and into a single cubicle. He slumps down into his chair and releases an exasperated sigh, as he runs his hands through his hair in disappointment. The raise he thought he was in for has been turned down. He slowly stands up, peering over the cubicle walls to survey the area for other employees. But the area is deserted as most people are out enjoying lunch. Sitting back down, he turns to his computer console, goes to the command line and brings nmap to life against the company's accounting systems. The console displays accounting's SQL server. A few keystrokes later, the employee has edited a few columns in the database, giving himself the raise he had longed for.
Statistical-Based Intrusion Detection
Statistical-based systems (SBIDs) take a different approach to intrusion detection. The concept of the SBID system is simple: it determines "normal" network activity and then all traffic that falls outside the scope of normal is flagged as anomalous (not normal). SBID systems attempt to learn network traffic patterns on a particular network. This process of traffic analysis continues as long as the SBID system is active, so, assuming network traffic patterns remain constant, the longer the system is on the network, the more accurate it becomes. By analyzing network traffic and processing the information with complex statistical algorithms, SBID systems look for anomalies in the established normal network traffic patterns. All packets are given an anomaly score (indicating the degree of irregularity for the specific event) and if the anomaly score is higher than a certain threshold, the IDS will generate an alert.
Implementing Network Taps with Network Intrusion Detection Systems
Over the past decade or so, the use of switches to replace hubs has increased substantially. This is largely due to the increased size of networks, and the requirement for increasingly faster and more efficient networks. On most networks, the data must now be dependable and timely. This transition from hubs to switches, however, has generated a conflict with already deployed and designed network intrusion detection systems. To combat design conflicts between network intrusion detection systems (NIDS) and switches, network taps were created. Network taps essentially allow all traffic on a network device to be monitored. Network taps are also very useful for passive network troubleshooting and analysis. Further, the tap makes the related NIDS system more secure, preventing attackers from being able to directly attack the NIDS system. This article will offer an introductory overview of taps, including: what taps are...
Intrusion Detection Preliminaries: Sanitizing Your E-Commerce Web Servers
Intrusion Detection involves detecting unauthorized access and destructive activity on your computer system. Intrusion Detection is a clear requirement for all e-commerce merchants. According to the annual study released March 22, 2000 by the Computer Security Institute and the FBI, 90% of the survey respondents detected a computer security breach within the last twelve months. The study showed that the most serious financial losses were caused by activities that concern e-commerce merchants directly: theft of proprietary information (e.g., stealing customer credit card numbers), and financial fraud (e.g., setting up a bogus storefront).
Intrusion Detection using Solaris' Basic Security Module
In our existing online world, intrusion detection has become a necessary expense. Not only does intrusion detection validate the effectiveness of border access controls (e.g., firewalls, screening routers, etc.), but it also helps combat the persistence of insider abuse and corporate espionage. For this reason, intrusion detection systems (IDSs) have become an essential component in creating any comprehensive network infrastructure. Intrusion detection systems rely on network traffic and/or system audit data as their main input sources. It is evident that an IDS can be only as powerful as the detail of the audit information fueling it. For instance, a host-based IDS monitoring only the syslog audit trail will be much less capable than, say, one that also examines /var/log/messages and the wtmp logs.
OS Finger Printing and Intrusion Detection
OS fingerprinting is the technique used to identify the target system's operating system and sometimes its patch level as well. The starting point was "banner grabbing": by looking at the banners listed for different services, it was possible to make out that host's operating system.
The Use of Network Intrusion Detection System
The Network Intrusion Detection System (NIDS) has been outsourced to a vendor who installed and managed the system for the past 3 years. NIDS alerts were received from the service provider about 1 to 3 times a day, along with a monthly report that showed thousands of intrusion attempts. None of these alerts turned out to be a security crisis. However, there were 2 occasions of attack, both started from employees' infected laptops. Disappointingly, the NIDS failed to detect the incidents.
Detecting Computer Security Attacks by Technical Methods
In this paper I will describe some of the possible technologies for detecting computer attacks. I will also argue the case that it is impossible to detect computer attacks as they are evolving to a level beyond the scope of a single technology. There is a need for human intelligence to correlate information from various points in the organization to detect attacks. Security attack detection should have two clear parts: a human part and a technical part.
Intrusion Forecasting System
The paper describes an Intrusion Forecasting System, which is the future of present intrusion detection systems. It discusses present intrusion detection systems, the need to develop an Intrusion Forecasting System, the architecture of the system, and its implementation, and explains the techniques to be used in developing such a system.
Correlation of IDS Events
Recently there has been much interest in applying event correlation to computer network intrusion detection events to infer the pattern of an attack. This paper explores some correlation techniques which can be applied to intrusion alerts to identify the patterns that are commonly seen across events.
Issues Discovering Compromised Machines
This article discusses the discovery of compromised machines in large enterprise environments, and offers some suggestions on correlating NIDS and HIPS logs to avoid false positives.