CS419 – Spring 2010, Computer Security
Vinod Ganapathy, Lecture 13
Chapter 6: Intrusion Detection
Security Intrusion & Detection

Security Intrusion: a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

Intrusion Detection: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
Principles of Intrusion Detection

• Characteristics of systems not under attack
  – User, process actions conform to statistically predictable pattern
  – User, process actions do not include sequences of actions that subvert the security policy
  – Process actions correspond to a set of specifications describing what the processes are allowed to do
• Systems under attack do not meet at least one of these
Example

• Goal: insert a back door into a system
  – Intruder will modify system configuration file or program
  – Requires privilege; attacker enters system as an unprivileged user and must acquire privilege
• Nonprivileged user may not normally acquire privilege (violates #1)
• Attacker may break in using sequence of commands that violate security policy (violates #2)
• Attacker may cause program to act in ways that violate program's specification
Goals of IDS

• Detect wide variety of intrusions
  – Previously known and unknown attacks
  – Suggests need to learn/adapt to new attacks or changes in behavior
• Detect intrusions in timely fashion
  – May need to be real-time, especially when system responds to intrusion
    • Problem: analyzing commands may impact response time of system
  – May suffice to report intrusion occurred a few minutes or hours ago
Goals of IDS

• Present analysis in simple, easy-to-understand format
  – Ideally a binary indicator
  – Usually more complex, allowing analyst to examine suspected attack
  – User interface critical, especially when monitoring many systems
• Be accurate
  – Minimize false positives, false negatives
  – Minimize time spent verifying attacks, looking for them
Intrusion Techniques

• objective to gain access or increase privileges
• initial attacks often exploit system or software vulnerabilities to execute code to get backdoor, e.g. buffer overflow
• or to gain protected information, e.g. password guessing or acquisition
Intrusion Detection Systems

• classify intrusion detection systems (IDSs) as:
  – Host-based IDS: monitor single host activity
  – Network-based IDS: monitor network traffic
• logical components:
  – sensors: collect data
  – analyzers: determine if intrusion has occurred
  – user interface: manage / direct / view IDS
Models of Intrusion Detection

• Anomaly detection
  – What is usual, is known
  – What is unusual, is bad
• Misuse detection
  – What is bad, is known
  – What is not bad, is good
• Specification-based detection
  – What is good, is known
  – What is not good, is bad
IDS Principles

• assume intruder behavior differs from legitimate users
• expect overlap as shown
• observe deviations from past history
• problems of:
  – false positives
  – false negatives
  – must compromise
IDS Requirements

• run continually
• be fault tolerant
• resist subversion
• impose a minimal overhead on system
• configured according to system security policies
• adapt to changes in systems and users
• scale to monitor large numbers of systems
• provide graceful degradation of service
• allow dynamic reconfiguration
IDS Architecture

• Basically, a sophisticated audit system
  – Sensor: gathers data for analysis
  – Analyzer: analyzes data obtained from the sensor according to its internal rules
  – Notifier: obtains results from analyzer, and takes some action
    • May simply notify security officer
    • May reconfigure agents, director to alter collection, analysis methods
    • May activate response mechanism
Sensors

• Obtains information and sends to analyzer
• May put information into another form
  – Preprocessing of records to extract relevant parts
• May delete unneeded information
• Analyzer may request agent send other information
Example

• IDS uses failed login attempts in its analysis
• Sensor scans login log every 5 minutes, sends to director for each new login attempt:
  – Time of failed login
  – Account name and entered password
• Analyzer requests all records of login (failed or not) for particular user
  – Suspecting a brute-force cracking attempt
Host-Based Sensors

• Obtain information from logs
  – May use many logs as sources
  – May be security-related or not
  – May be virtual logs if agent is part of the kernel
    • Very non-portable
• Sensor generates its information
  – Scans information needed by IDS, turns it into equivalent of log record
  – Typically, check policy; may be very complex
Network-Based Sensors

• Detects network-oriented attacks
  – Denial of service attack introduced by flooding a network
• Monitor traffic for a large number of hosts
• Examine the contents of the traffic itself
• Agent must have same view of traffic as destination
  – TTL tricks, fragmentation may obscure this
• End-to-end encryption defeats content monitoring
  – Not traffic analysis, though
Network Issues

• Network architecture dictates agent placement
  – Ethernet or broadcast medium: one agent per subnet
  – Point-to-point medium: one agent per connection, or agent at distribution/routing point
• Focus is usually on intruders entering network
  – If few entry points, place network agents behind them
  – Does not help if inside attacks to be monitored
Analyzer

• Reduces information from sensors
  – Eliminates unnecessary, redundant records
• Analyzes remaining information to determine if attack under way
  – Analysis engine can use a number of techniques, discussed before, to do this
• Usually run on separate system
  – Does not impact performance of monitored systems
  – Rules, profiles not available to ordinary users
Notifier

• Accepts information from director
• Takes appropriate action
  – Notify system security officer
  – Respond to attack
• Often GUIs
  – Well-designed ones use visualization to convey information
Example GUI

[Figure: two snapshots of a network of hosts labelled A to E; left is early in the worm's spread, right is later on]

• GUI showing the progress of a worm as it spreads through network
• Left is early in spread
• Right is later on
Host-Based IDS

• specialized software to monitor system activity to detect suspicious behavior
• primary purpose is to detect intrusions, log suspicious events, and send alerts
• can detect both external and internal intrusions
• two approaches, often used in combination:
  – anomaly detection: defines normal/expected behavior
    • threshold detection
    • profile based
  – signature detection: defines (im)proper behavior
Audit Records

• a fundamental tool for intrusion detection
• two variants:
  – native audit records: provided by O/S
    • always available but may not be optimum
  – detection-specific audit records: IDS specific
    • additional overhead but specific to IDS task
    • often log individual elementary actions
    • e.g. may contain fields for: subject, action, object, exception-condition, resource-usage, timestamp
Anomaly Detection

• threshold detection
  – checks excessive event occurrences over time
  – alone a crude and ineffective intruder detector
  – must determine both thresholds and time intervals
• profile based
  – characterize past behavior of users / groups
  – then detect significant deviations based on analysis of audit records
  – gather metrics: counter, gauge, interval timer, resource utilization
  – analyze: mean and standard deviation, multivariate, Markov process, time series, operational model
Threshold Metrics

• Counts number of events that occur
  – Between m and n events (inclusive) expected to occur
  – If number falls outside this range, anomalous
• Example
  – Windows: lock user out after k failed sequential login attempts. Range is (0, k–1).
    • k or more failed logins deemed anomalous
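The failed-login sensor from the earlier Example slide and this slide's threshold range, as an added example that is not from the lecture: the sensor reduces constructed sshd-style log lines to login records (the entered-password field from the slide is not forwarded here), the analyzer flags an account with k or more failures inside a window, and on a hit requests every record for that account, successful or not, to see whether the guessing succeeded. The log format, k = 3 and a 300-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style auth log lines (not real data).
AUTH_LOG = """\
Mar 14 10:00:01 host1 sshd[311]: Failed password for alice from 203.0.113.5 port 4001 ssh2
Mar 14 10:00:09 host1 sshd[312]: Failed password for alice from 203.0.113.5 port 4002 ssh2
Mar 14 10:00:15 host1 sshd[313]: Failed password for alice from 203.0.113.5 port 4003 ssh2
Mar 14 10:00:22 host1 sshd[314]: Accepted password for alice from 203.0.113.5 port 4004 ssh2
Mar 14 10:01:30 host1 sshd[320]: Failed password for bob from 198.51.100.7 port 5100 ssh2
Mar 14 10:20:00 host1 sshd[330]: Accepted publickey for carol from 192.0.2.9 port 6000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+)"
)

def parse_ts(ts):
    # syslog timestamps carry no year; 2010 is assumed for the sample
    return datetime.strptime("2010 " + ts, "%Y %b %d %H:%M:%S")

def sensor(log_text):
    """Sensor: reduce raw log lines to the fields the director uses
    (time, account, source, failed or not); the password itself is not forwarded."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrelated log lines are dropped here
        records.append({"time": parse_ts(m["ts"]), "user": m["user"],
                        "src": m["src"], "failed": m["result"] == "Failed"})
    return records

def count_threshold(records, k, window_seconds):
    """Threshold metric: 0..k-1 failures per account inside any window is the
    expected range; k or more is anomalous. Returns {account: failures_in_window}."""
    failures = defaultdict(list)
    for r in records:
        if r["failed"]:
            failures[r["user"]].append(r["time"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):         # sliding window over failure times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= k:
                flagged[user] = end - start + 1
                break
    return flagged

def analyzer(records, k=3, window_seconds=300):
    """Analyzer: on a threshold hit, pull every login record for that account,
    failed or not, to see whether the guessing ended in a successful login."""
    report = {}
    for user, n in count_threshold(records, k, window_seconds).items():
        history = [r for r in records if r["user"] == user]
        first_fail = min(r["time"] for r in history if r["failed"])
        report[user] = {
            "failures_in_window": n,
            "records_requested": len(history),
            "success_after_failures": any(not r["failed"] and r["time"] >= first_fail
                                          for r in history),
        }
    return report

if __name__ == "__main__":
    for user, info in analyzer(sensor(AUTH_LOG)).items():
        print(user, info)
```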
Difficulties

• Appropriate threshold may depend on non-obvious factors
  – Typing skill of users
  – If keyboards are US keyboards, and most users are French, typing errors very common
    • Dvorak vs. non-Dvorak within the US
Statistical Moments

• Analyzer computes standard deviation, other measures of correlation
  – If measured values fall outside expected intervals, anomalous
• Potential problem
  – Profile may evolve over time; solution is to weigh data appropriately or alter rules to take changes into account
Example: IDES

• Developed at SRI International
  – Represent users, login session, other entities as ordered sequence of statistics $\langle q_{0,j}, \ldots, q_{n,j} \rangle$
  – $q_{i,j}$ (statistic i for day j) is count or time interval
  – Weighting favors recent behavior over past behavior
    • $A_{k,j}$: sum of counts making up metric of kth statistic on jth day
    • $q_{k,l+1} = A_{k,l+1} - A_{k,l} + 2^{-rt} q_{k,l}$, where t is number of log entries/total time since start, r factor determined through experience
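The decayed statistic from this slide together with the interval check from the Statistical Moments slide, as an added example that is not IDES code: the update q_{k,l+1} = A_{k,l+1} - A_{k,l} + 2^(-rt) q_{k,l} is run over constructed daily counts and the newest value is tested against the mean and standard deviation of the earlier ones. Taking q_{k,0} = A_{k,0}, r = t = 1 and a two-sigma interval are assumptions.

```python
from statistics import mean, pstdev

def ides_update(q_prev, a_new, a_prev, r, t):
    """One IDES step: q_{k,l+1} = A_{k,l+1} - A_{k,l} + 2^(-r t) q_{k,l}.
    The new day's raw count is added in full while the old statistic is
    multiplied by 2^(-r t), so recent behavior dominates the profile."""
    return (a_new - a_prev) + 2 ** (-r * t) * q_prev

def cumulative(daily_counts):
    """Turn per-day counts into the running totals A_{k,0..n} the formula uses."""
    totals, running = [], 0
    for c in daily_counts:
        running += c
        totals.append(running)
    return totals

def ides_series(totals, r, t):
    """Run the update over A_{k,0..n}; q_{k,0} = A_{k,0} (assumption: no history on day 0)."""
    q = [float(totals[0])]
    for l in range(1, len(totals)):
        q.append(ides_update(q[-1], totals[l], totals[l - 1], r, t))
    return q

def outside_profile(profile, value, n_sigma=2.0):
    """Statistical-moments check: a value more than n_sigma standard
    deviations from the profile mean falls outside the expected interval."""
    mu, sd = mean(profile), pstdev(profile)
    if sd == 0:
        return value != mu
    return abs(value - mu) > n_sigma * sd

def check_day(daily_history, todays_count, r=1.0, t=1.0):
    """Build the profile from past days, compute today's q and test it.
    Returns (todays_q, anomalous)."""
    totals = cumulative(daily_history + [todays_count])
    q = ides_series(totals, r, t)
    return q[-1], outside_profile(q[:-1], q[-1])

if __name__ == "__main__":
    # constructed daily counts of one statistic (e.g. files touched) for a user
    history = [20, 22, 19, 21, 20, 23, 21]
    print(check_day(history, 22))   # an ordinary day
    print(check_day(history, 80))   # a burst of activity
```

The first day's q has no decayed past to add, so it sits low in the profile; that warm-up distortion is one instance of the evolving-profile problem the previous slide mentions.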
Potential Problems

• Assumes behavior of processes and users can be modeled statistically
  – Ideal: matches a known distribution such as Gaussian or normal
  – Otherwise, must use techniques like clustering to determine moments, characteristics that show anomalies, etc.
• Real-time computation a problem too
Markov Model

• Past state affects current transition
• Anomalies based upon sequences of events, and not on occurrence of single event
• Problem: need to train system to establish valid sequences
  – Use known, training data that is not anomalous
  – The more training data, the better the model
  – Training data should cover all possible normal uses of system
Example: TIM

• Time-based Inductive Learning
• Sequence of events is abcdedeabcabc
• TIM derives following rules:
  R1: ab→c (1.0)   R2: c→d (0.5)   R3: c→e (0.5)
  R4: d→e (1.0)    R5: e→a (0.5)   R6: e→d (0.5)
• Seen: abd; triggers alert
  – c always follows ab in rule set
• Seen: acf; no alert as multiple events can follow c
  – May add rule R7: c→f (0.33); adjust R2, R3
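The TIM rule induction above, as an added example that is not from the lecture: the learner counts which event follows each one- or two-event antecedent in the slide's sequence, alerts when an antecedent that always led to one event is followed by something else, and admits a new observation by adding a rule and re-weighting its siblings. The maximum antecedent length and the alert policy are assumptions; note that deriving rules mechanically from abcdedeabcabc gives c→a (0.5) rather than the slide's c→e, since c is followed once by d and once by a.

```python
from collections import Counter, defaultdict

TRAINING = "abcdedeabcabc"   # the event sequence from the slide

class TIM:
    """Time-based inductive learner: for every antecedent of 1..max_len
    preceding events, count which event came next; a rule's number is
    count / number of times that antecedent was followed by anything."""

    def __init__(self, max_len=2):
        self.max_len = max_len
        self.counts = defaultdict(Counter)     # antecedent -> Counter(next event)

    def train(self, seq):
        for i in range(1, len(seq)):
            for n in range(1, min(self.max_len, i) + 1):
                self.counts[seq[i - n:i]][seq[i]] += 1

    def rules(self, antecedent):
        """Rules with this antecedent, e.g. rules('ab') == {'c': 1.0}."""
        c = self.counts.get(antecedent)
        if not c:
            return {}
        total = sum(c.values())
        return {ev: cnt / total for ev, cnt in c.items()}

    def check(self, window):
        """window = recent events, the last one being the newly observed event.
        Returns an alert string or None; the longest known antecedent decides."""
        observed = window[-1]
        for n in range(min(self.max_len, len(window) - 1), 0, -1):
            ante = window[-n - 1:-1]
            r = self.rules(ante)
            if not r:
                continue                        # antecedent never seen; try a shorter one
            if observed in r:
                return None                     # a known continuation
            if len(r) == 1:                     # one event always followed: violation
                (expected,) = r
                return f"{ante}->{expected} (1.0) violated by {observed!r}"
            return None                         # several events can follow: no alert
        return None

    def learn(self, window):
        """Admit a benign observation: adds a rule and re-weights its siblings,
        e.g. after 'acf' the c-rules become c->d, c->a, c->f at 0.33 each."""
        observed, i = window[-1], len(window) - 1
        for n in range(1, min(self.max_len, i) + 1):
            self.counts[window[i - n:i]][observed] += 1

if __name__ == "__main__":
    tim = TIM()
    tim.train(TRAINING)
    print(tim.check("abd"))   # alert: ab always led to c
    print(tim.check("acf"))   # None: several events can follow c
    tim.learn("acf")
    print(tim.rules("c"))
```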
Misuse Detection

• observe events on system and apply a set of rules to decide if intruder
• approaches:
  – rule-based anomaly detection
    • analyze historical audit records for expected behavior, then match with current behavior
  – rule-based penetration identification
    • rules identify known penetrations / weaknesses
    • often by analyzing attack scripts from Internet
    • supplemented with rules from security experts
Misuse Modeling

• Determines whether a sequence of instructions being executed is known to violate the site security policy
  – Descriptions of known or potential exploits grouped into rule sets
  – IDS matches data against rule sets; on success, potential attack found
• Cannot detect attacks unknown to developers of rule sets
  – No rules to cover them
Example: NFR

• Built to make adding new rules easy
• Architecture:
  – Packet sucker: read packets from network
  – Decision engine: uses filters to extract information
  – Backend: write data generated by filters to disk
    • Query backend allows administrators to extract raw, postprocessed data from this file
    • Query backend is separate from NFR process
Domain-specific Language

• Example: ignore all traffic not intended for 2 web servers:

    # list of my web servers
    my_web_servers = [ 10.237.100.189 10.237.55.93 ] ;

    # we assume all HTTP traffic is on port 80
    filter watch tcp ( client, dport:80 )
    {
        if (ip.dest != my_web_servers)
            return;
        # now process the packet; we just write out packet info
        record system.time, ip.src, ip.dest to www_list;
    }
    www_list = recorder("log")
Distributed Host-Based IDS
Combining Sources: DIDS

• Neither network-based nor host-based monitoring sufficient to detect some attacks
  – Attacker tries to telnet into system several times using different account names: network-based IDS detects this, but not host-based monitor
  – Attacker tries to log into system using an account without password: host-based IDS detects this, but not network-based monitor
• DIDS uses agents on hosts being monitored, and a network monitor
  – DIDS director uses expert system to analyze data
Attackers Moving in Network

• Intruder breaks into system A as alice
• Intruder goes from A to system B, and breaks into B's account bob
• Host-based mechanisms cannot correlate these
• DIDS director could see bob logged in over alice's connection; expert system infers they are the same user
  – Assigns network identification number NID to this user
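The director's NID assignment for the scenario above, as an added example that is not DIDS code: host agents report logins and the sessions that open outbound connections, and the director gives bob's login on B the NID already held by alice on A because it arrived over her connection, which no single host agent could see. The event format and field names are constructed assumptions.

```python
import itertools

class DIDSDirector:
    """Director-side correlation: every login is tagged with a network
    identification number (NID). A login that arrives over a connection an
    already-known user opened inherits that user's NID instead of a new one."""

    def __init__(self):
        self._next_nid = itertools.count(1)
        self.nid = {}            # (host, account) -> NID
        self.conn_owner = {}     # (src_host, src_port) -> (host, account) that opened it

    def handle(self, ev):
        """ev is one agent report (constructed dicts below); returns the NID of ev's account."""
        if ev["type"] == "connect":         # agent on the source host: this session opened a connection
            self.conn_owner[(ev["host"], ev["sport"])] = (ev["host"], ev["user"])
        elif ev["type"] == "login":         # agent on the target host: login from (from_host, from_port)
            key = (ev["host"], ev["user"])
            origin = self.conn_owner.get((ev["from_host"], ev["from_port"]))
            if origin in self.nid:
                self.nid[key] = self.nid[origin]                 # same person, moved to another host
            else:
                self.nid.setdefault(key, next(self._next_nid))  # fresh entry into the network
        return self.nid.get((ev["host"], ev["user"]))

    def accounts_of(self, nid):
        """All (host, account) pairs the expert system attributes to one NID."""
        return sorted(k for k, v in self.nid.items() if v == nid)

# Constructed event stream for the slide's scenario: the intruder logs into A
# as alice, telnets on to B and logs in there as bob; carol on C is unrelated.
EVENTS = [
    {"type": "login", "host": "A", "user": "alice", "from_host": "203.0.113.9", "from_port": 51000},
    {"type": "connect", "host": "A", "user": "alice", "sport": 40000, "dst_host": "B", "dport": 23},
    {"type": "login", "host": "B", "user": "bob", "from_host": "A", "from_port": 40000},
    {"type": "login", "host": "C", "user": "carol", "from_host": "198.51.100.4", "from_port": 52000},
]

def correlate(events):
    """Feed the stream to a fresh director and return it for inspection."""
    director = DIDSDirector()
    for ev in events:
        director.handle(ev)
    return director

if __name__ == "__main__":
    d = correlate(EVENTS)
    for nid in sorted(set(d.nid.values())):
        print(nid, d.accounts_of(nid))
```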
Handling Distributed Data

• Agent analyzes logs to extract entries of interest
  – Agent uses signatures to look for attacks
• Summaries sent to director
  – Other events forwarded directly to director
• DIDS model has agents report:
  – Events (information in log entries)
  – Action, domain
Distributed Host-Based IDS
Network-Based IDS

• network-based IDS (NIDS) monitor traffic at selected points on a network in (near) real time to detect intrusion patterns
• may examine network, transport and/or application level protocol activity directed toward systems
• comprises a number of sensors
  – inline (possibly as part of other net device)
  – passive (monitors copy of traffic)
NIDS Sensor Deployment
Intrusion Detection Techniques

• signature detection
  – at application, transport, network layers; unexpected application services, policy violations
• anomaly detection
  – of denial of service attacks, scanning, worms
• when potential violation detected sensor sends an alert and logs information
  – used by analysis module to refine intrusion detection parameters and algorithms
  – by security admin to improve protection
Intrusion Detection Exchange Format
Honeypots

• are decoy systems
  – filled with fabricated info
  – instrumented with monitors / event loggers
  – divert and hold attacker to collect activity info without exposing production systems
• initially were single systems
• more recently are/emulate entire networks
Honeypot Deployment
SNORT

• lightweight IDS
• real-time packet capture and rule analysis
• passive or inline
SNORT Rules

• use a simple, flexible rule definition language
• with fixed header and zero or more options
• header includes: action, protocol, source IP, source port, direction, dest IP, dest port
• many options
• example rule to detect TCP SYN-FIN attack:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any \
        (msg:"SCAN SYN FIN"; flags:SF,12; \
         reference:arachnids,198; classtype:attempted-recon;)
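A small matcher for the rule above, as an added example that is not Snort's code: it parses the header and options, binds $HOME_NET and $EXTERNAL_NET to constructed values, and evaluates the flags option (exactly SYN and FIN set, with reserved bits 1 and 2 masked out) against constructed packets. The variable bindings, the packet representation and leaving out flag modifiers (+, *, !) are assumptions.

```python
import ipaddress
import re

# Bindings a snort.conf would give the variables (constructed assumption).
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]
VARS = {"$HOME_NET": HOME_NET, "$EXTERNAL_NET": "!$HOME_NET"}

RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"SCAN SYN FIN"; flags:SF,12; reference:arachnids,198; '
        'classtype:attempted-recon;)')

# TCP flag letters as Snort names them; 1 and 2 are the two reserved (ECN) bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Split a rule into its fixed header and its option list."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: " + text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for opt in body.split(";"):                 # assumption: no escaped ';' inside values
        key, _, val = opt.strip().partition(":")
        if key:
            options.setdefault(key, []).append(val.strip().strip('"'))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def addr_match(spec, ip):
    """'any', a $VARIABLE, a CIDR, or any of those negated with '!'."""
    if spec == "any":
        return True
    bound = VARS.get(spec, spec)
    if isinstance(bound, str) and bound.startswith("!"):
        return not addr_match(bound[1:], ip)
    nets = bound if isinstance(bound, list) else [ipaddress.ip_network(bound, strict=False)]
    return any(ip in n for n in nets)

def port_match(spec, port):
    return spec == "any" or int(spec) == port

def flags_match(spec, tcp_flags):
    """'flags:SF,12' = exactly SYN and FIN set once bits 1 and 2 are masked out."""
    wanted, _, ignored = spec.partition(",")
    if wanted[0] in "+*!":
        raise NotImplementedError("flag modifiers are outside this example")
    mask = 0xFF & ~sum(FLAG_BITS[c] for c in ignored)
    return tcp_flags & mask == sum(FLAG_BITS[c] for c in wanted)

def rule_matches(rule, pkt):
    """pkt: constructed dict with proto, src, sport, dst, dport, flags (TCP flag byte)."""
    if rule["proto"] != pkt["proto"]:
        return False
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    hit = (addr_match(rule["src"], src) and port_match(rule["sport"], pkt["sport"])
           and addr_match(rule["dst"], dst) and port_match(rule["dport"], pkt["dport"]))
    if not hit and rule["dir"] == "<>":          # bidirectional: try the reverse pairing
        hit = (addr_match(rule["src"], dst) and port_match(rule["sport"], pkt["dport"])
               and addr_match(rule["dst"], src) and port_match(rule["dport"], pkt["sport"]))
    return hit and all(flags_match(s, pkt["flags"]) for s in rule["options"].get("flags", []))

# Constructed packets: SYN+FIN from outside, the same with an ECN bit set,
# a plain SYN, and a SYN+FIN that originates inside HOME_NET.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40000, "dst": "192.0.2.10", "dport": 22, "flags": 0x03},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40001, "dst": "192.0.2.10", "dport": 80, "flags": 0x43},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40002, "dst": "192.0.2.10", "dport": 22, "flags": 0x02},
    {"proto": "tcp", "src": "192.0.2.5", "sport": 40003, "dst": "192.0.2.10", "dport": 22, "flags": 0x03},
]

def alerts(rule_text, packets):
    """Indices of the packets that fire the rule, paired with its msg option."""
    rule = parse_rule(rule_text)
    return [(i, rule["options"]["msg"][0]) for i, p in enumerate(packets) if rule_matches(rule, p)]

if __name__ == "__main__":
    print(alerts(RULE, PACKETS))
```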