Intrusion Detection and Correlation (eBook)
XIV, 118 Seiten
Springer US (Verlag)
978-0-387-23399-4 (ISBN)
Details how intrusion detection works in network security with comparisons to traditional methods such as firewalls and cryptography
Analyzes the challenges in interpreting and correlating Intrusion Detection alerts
Intrusion Detection and Correlation: Challenges and Solutions presents intrusion detection systems (IDSs) and addresses the problem of managing and correlating the alerts produced. This volume discusses the role of intrusion detection in the realm of network security with comparisons to traditional methods such as firewalls and cryptography.The Internet is omnipresent and companies have increasingly put critical resources online. This has given rise to the activities of cyber criminals. Virtually all organizations face increasing threats to their networks and the services they provide. Intrusion detection systems (IDSs) take increased pounding for failing to meet the expectations researchers and IDS vendors continually raise. Promises that IDSs are capable of reliably identifying malicious activity in large networks were premature and never tuned into reality.While virus scanners and firewalls have visible benefits and remain virtually unnoticed during normal operations, the situation is different with intrusion detection sensors. State-of-the-art IDSs produce hundreds or even thousands of alerts every day. Unfortunately, almost all of these alerts are false positives, that is, they are not related to security-relevant incidents.Intrusion Detection and Correlation: Challenges and Solutions analyzes the challenges in interpreting and combining (i.e., correlating) alerts produced by these systems. In addition, existing academic and commercial systems are classified; their advantage and shortcomings are presented, especially in the case of deployment in large, real-world sites.
Contents 6
List of Figures 9
List of Tables 10
Preface 11
1 INTRODUCTION 13
1. Motivating Scenario 15
2. Alert Correlation 18
3. Organization 19
2 COMPUTER SECURITY AND INTRUSION DETECTION 20
1. Security Attacks and Security Properties 20
2. Security Mechanisms 22
2.1 Attack Prevention 22
2.2 Attack Avoidance 23
2.3 Attack Detection 28
3. Intrusion Detection 28
3.1 Architecture 30
3.2 Taxonomy 31
3.3 Detection Method 32
3.4 Type of Response 36
3.5 Audit Source Location 36
3.6 Usage Frequency 39
3.7 IDS Cooperation and Alert Correlation 39
3 ALERT CORRELATION 40
4 ALERT CORRELATION ALERT COLLECTION 45
1. Alert Normalization 46
2. Alert Preprocessing 47
2.1 Determining the Alert Time 48
2.2 Determining the Alert’s Source and Target 52
2.3 Determining the Attack’s Name 52
5 ALERT AGGREGATION AND VERIFICATION 53
1. Alert Fusion 53
2. Alert Verification 55
2.1 Passive Approach 58
2.2 Active Approach 58
3. Attack Thread Reconstruction 62
4. Attack Session Reconstruction 63
5. Attack Focus Recognition 66
6 HIGH-LEVEL ALERT STRUCTURES 68
1. Multistep Correlation 68
2. Impact Analysis 72
3. Alert Prioritizing 74
4. Alert Sanitization 75
7 LARGE-SCALE CORRELATION 80
1. Pattern Specification 86
1.1 Definitions 86
1.2 Attack Specification Language 87
1.3 Language Grammar 88
2. Pattern Detection 89
2.1 Basic Data Structures 89
2.2 Constraints 91
2.3 Detection Process 92
2.4 Implementation Issues 99
8 EVALUATION 102
1. Evaluation of Traditional ID Sensors 102
1.1 Evaluation Efforts 103
1.2 Problems 104
2. Evaluation of Alert Correlators 104
2.1 Evaluation Efforts 105
2.2 Problems 107
2.3 Correlation Evaluation Truth Files 108
2.4 Factors Affecting the Alert Reduction Rate 109
9 OPEN ISSUES 111
1. Intrusion Detection 111
2. Alert Correlation 114
10 CONCLUSIONS 116
References 118
Index 123
Chapter 2 COMPUTER SECURITY AND INTRUSION DETECTION (p. 9-10)
The scenario in the previous section described an exemplary threat to computer system security in the form of an intruder attacking a company’s web server. This chapter attempts to give a more systematic view of system security requirements and potential means to satisfy them. We define properties of a secure computer system and provide a classification of potential threats to them. We also introduce the mechanisms to defend against attacks that attempt to violate desired properties.
Before one can evaluate attacks against a system and decide on appropriate mechanisms to fend off these threats, it is necessary to specify a security policy [Tanenbaum and van Steen, 2002]. A security policy defines the desired properties for each part of a secure computer system. It is a decision that has to take into account the value of the assets that should be protected, the expected threats and the cost of proper protection mechanisms. A security policy that is sufficient for the data of a normal home user may not be sufficient for a bank, as a bank is obviously a more likely target and has to protect more valuable resources.
1. Security Attacks and Security Properties
For the following discussion, we assume that the function of a computer system is to provide information. In general, there is a flow of data from a source (e.g., a host, a file, memory) to a destination (e.g., a remote host, another file, a user) over a communication channel (e.g., a wire, a data bus). The task of the security system is to restrict access to this information to only those parties (persons or processes) that are authorized to have access, according to the security policy in use.
The normal information flow and several categories of attacks that target it are shown in Figure 2.1 (according to [Stallings, 2000]).
1 Interruption: An asset of the system gets destroyed or becomes unavailable. This attack targets the source or the communication channel and prevents information from reaching its intended target (e.g., cutting the wire or overloading the link so that the information gets dropped because of congestion). Attacks in this category attempt to perform a kind of denial of service (DOS).
2 Interception: An unauthorized party gets access to the information by eavesdropping into the communication channel (e.g., by wiretapping).
3 Modification: The information is not only intercepted, but modified by an unauthorized party while in transit from the source to the destination. (e.g., by modifying the message content).
4 Fabrication: An attacker inserts counterfeit objects into the system without having the sender doing anything. When a previously intercepted object is inserted, this processes is called replaying. When the attacker pretends to be the legitimate source and inserts her desired information, the attack is called masquerading (e.g., replaying an authentication message or adding records to a file).
| Erscheint lt. Verlag | 29.12.2005 |
|---|---|
| Reihe/Serie | Advances in Information Security | Advances in Information Security |
| Zusatzinfo | XIV, 118 p. |
| Verlagsort | New York |
| Sprache | englisch |
| Themenwelt | Informatik ► Netzwerke ► Sicherheit / Firewall |
| Informatik ► Office Programme ► Outlook | |
| Informatik ► Theorie / Studium ► Algorithmen | |
| Informatik ► Theorie / Studium ► Kryptologie | |
| Naturwissenschaften | |
| Wirtschaft ► Betriebswirtschaft / Management ► Marketing / Vertrieb | |
| Schlagworte | Computer Security • cryptography • Firewall • Internet • Intrusion Detection • Network Security • Online • organization • Scanner • security |
| ISBN-10 | 0-387-23399-7 / 0387233997 |
| ISBN-13 | 978-0-387-23399-4 / 9780387233994 |
| Haben Sie eine Frage zum Produkt? |
PDF (Wasserzeichen)Größe: 2,3 MB
DRM: Digitales Wasserzeichen
Dieses eBook enthält ein digitales Wasserzeichen und ist damit für Sie personalisiert. Bei einer missbräuchlichen Weitergabe des eBooks an Dritte ist eine Rückverfolgung an die Quelle möglich.
Dateiformat: PDF (Portable Document Format)
Mit einem festen Seitenlayout eignet sich die PDF besonders für Fachbücher mit Spalten, Tabellen und Abbildungen. Eine PDF kann auf fast allen Geräten angezeigt werden, ist aber für kleine Displays (Smartphone, eReader) nur eingeschränkt geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen dafür einen PDF-Viewer - z.B. den Adobe Reader oder Adobe Digital Editions.
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen dafür einen PDF-Viewer - z.B. die kostenlose Adobe Digital Editions-App.
Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
aus dem Bereich
