The unauthorized act of bypassing security measures to gain access to a system.
A hardware of software function responsible for gathering and analyzing information within a computer or a network to identify potential security intrusions.
Individuals or members of a organized crime group with financial goals in mind.
Their activities include:
- Identity theft
- Theft of financial credentials
- Corporate espionage
- Data theft
- Data ransoming
Typically young and tech savvy.
Individuals or part of group working together motivated by social or political cause.
Hacktivists (skill level is low)
Aim to to promote and publicize their cause through:
- website defacement
- denial of service attacks
- negative publicity
Group of hackers hired by government to conduct espionage or sabotage activities
Also known as APTs (Advanced Persistent Threats) due to covert nature and persistence over extended period of time.
Classical hackers motivated by technical challenges or by peer-group esteem and reputation.
Hobby hackers.
Responsible for discovering new categories of vulnerabilities.
- Minimal technical skills who just use available tools
- Easy to defend against
- Script-Kiddies (use existing scripts without much changes)
- Sufficient technical skills to modify, and extend attack toolkits to use newly discovered or purchased vulnerabilities.
- Able to locate new vulnerabilities to exploit
- High level technical skills capable of discovering new categories of vulnerabilities
- The write new powerful toolkits.
- Defense against them is hardest.
- Remote root compromise
- Web server defacement
- Guessing/cracking passwords
- Copying databases containing credit card numbers
Consist of three logical components
| Sensors | Analyzers | User Interface (UI) |
|---|---|---|
| Collect Data | Determine if intrusion has occurred | View output or control system behavior |
- Run continually
- Be fault tolerant
- Resist subversion
- Impose a minimal overhead
- Configured according to system security policies
- Adapt to changes in system
- Scalable to larger number of systems
- Provide graceful degradation
- Allow dynamic reconfiguration
Involves collection of data related to behavior of legitimate users to be termed as “normal”.
It then classifies any intruder behavior based on the normal authorized behavior of a typical user.
| Statistical | Analysis of observed behavior using univariate, multivariate, or time-series models. |
|---|---|
| Knowledge-based | Approaches use an expert system that classifies observed behavior according to a set of rules that model legitimate behavior. |
| Machine Learning | Automatically determines a suitable classification model from training data. |
Uses a set of known malicious data patterns or attack rules that are compared with current behavior.
Can only identify known attacks for which it has patterns or rules.
| Signature Approach | -Matches with a large collection of known patterns to determine class to which malicious intrusion belongs. |
|---|---|
| Rule-heuristic Approach | -Rules are used to identify known penetration attacks. |
-Rules can be defined that identify suspicious behavior and determine if its within bounds to be malicious. |
“Monitors the characteristics of a single host for malicious activity.”
Primary purpose is to detect intrusions, log suspicious behavior and send alerts.
Can use either anomaly based or heuristic based.
SENSORS: Fundamental component of intrusion detection are sensors that COLLECT DATA.
Data Sources include:
- System call traces
- Audit (log file)
- File integrity checksums
- Registry Access
“NIDS monitors traffic at selected points in a network.”
Examines traffic packet by packet in real time (at network, transport, or application level protocols).
Comprises of a number of sensors and one or more server for NIDS management.
Analysis of traffic patterns can be done at the sensor, the management server or a combination of both.
- Application layer reconnaissance attacks
- Transport layer reconnaissance attacks
- Network layer reconnaissance attacks
- Unexpected Application Services
- Policy violations
- Denial-of-Service Attacks DoS
- Scanning
- Worms
Its a subset of anomaly detection.
Compares network traffic with predetermined universal vendor supplied profiles of normal protocol traffic.
It is organization specific (meaning organization provides these profiles).
It requires high resources (disadvantage)
Decoy systems purposely designed to lure potential attacker away from resources.
They can also collect information about attacker’s activity.
Encourage attacker to stay on honeypot system long enough for administrators to respond.
These systems contain false or fabricated information.
| Low interaction honeypot | -Less realistic targets -Does not run a full version of services provided by system. -Used as part of a bigger IDS. | | --- | --- | | High interaction honeypot | -A real system running full OS and services. -A more realistic target. -Requires significantly more resources. |
