-
masquerader
misfeasor
clandestine user
three classes of intruders
-
intruder (hacker or cracker) and malware
two most publicized threats to security
-
masquerader
an individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account - likely an outsider
-
misfeasor
a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges - generally an insider
-
clandestine user
an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection - insider or outsider
-
hackers - motivated by thrill
criminal enterprise - for money
insider attacks - motivated by revenge - difficult to detect
three intruder behavior patterns
-
security intrusion
a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so
-
intrusion detection
a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner
-
Intrusion Detection System
IDS
-
Intrusion Prevention System
IPS
-
Computer Emergency Response Team
CERT
-
host-based IDS
monitors the characteristics of a single host and the events occurring within that host for suspicious activity - can detect both external and internal intrusions
-
network-based IDS
monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity - real-time or near real-time
-
host-based IDS
network-based IDS
two types/classifications of IDSs
-
sensors - collect data
analyzers - receive input from sensors
user interface - enables user to view output/control behavior of the system
three logical components that an IDS is comprised of
-
false positives
a loose interpretation of intruder behavior, which will catch more intruders - authorized users identified as intruders
-
false negatives - most dangerous because there is an incident, but no alarm
a tight interpretation of intruder behavior leads to intruders not being identified as intruders
-
misfeasor
a legitimate user performing in an unauthorized fashion
-
anomaly detection - define "normal" or expected behavior (effective against masqueraders)
signature detection - define proper behavior (effective against misfeasors)
two general approaches to host-based IDS
-
threshold detection - defining thresholds, independent of user for the frequency of occurrence of various events
profile based - detect changes in the behavior of individual accounts
two approaches to statistical anomaly detection
-
native audit records
detection-specific audit records
two types of audit plans
-
rule-based anomaly detection
historical audit records are analyzed to identify usage patterns and to automatically generate rules that describe those patterns
-
rule-based penetration identification
the use of rules for identifying known penetrations or penetrations that would exploit known weaknesses - identifying suspicious behavior even if it's within the bounds of established patterns of usage
-
base-rate fallacy
the actual numbers of intrusions is low compared to the number of legitimate uses of a system, causing the false alarm rate to be high unless the test is extremely discriminating - the difficulty of meeting the standard of high rate of detections with a low rate of false alarms
-
distributed host-based intrusion detection
coordination and cooperation among IDSs across the network - rather than stand-alone IDSs on each host
-
inline sensor
a network sensor inserted into a network segment so that the traffic that it is monitoring must pass through the sensor - block an attack when one is detected (detection & prevention)
-
passive sensors (more efficient than inline as it doesn't interfere)
a network sensor that monitors a copy of network traffic; the actual traffic does not pass through the device
-
distributed adaptive intrusion detection (ie: autonomic enterprise security)
cooperated systems that can recognize attacks based on subtle clues and then adapt quickly - using each end host and each network device as potential sensors
-
security policy
the predefined, formally documented statement that defines what activities are allowed to take place on an organization's network or on particular hosts to support the organization's requirements
-
honeypot
decoy systems that are designed to lure a potential attacker away from critical systems - to: divert an attacker, collect info about the attacker, & encourage the attacker to stay long enough for administrators to respond