
Intrusion Detection Systems

URL: http://events.ccc.de/congress/2005/fahrplan/attachments/638-22c3_ids.pdf
File name: 638-22c3_ids.pdf
File size: 580.8 KB
MD5: 9279177608ce9c6ad5ae6b6f7e8bcc74
SHA1: 87b6b1dced20141e09878dca20bf83f13e013885

Currently there exist many different IDS techniques, but none of them is superior on its own. The best results can only be obtained by combining them. We introduce an approach for doing that efficiently.

Currently there exist many different intrusion detection techniques. Network-based systems such as pattern matching, traffic correlation and traffic anomaly detection, host-based systems such as file integrity checkers, log file parsers and rootkit detectors, and even honeypots are all widely used. Today's major problem is that most people simply don't have enough monitors to watch all the different IDS consoles at the same time. For some quite popular IDSs there is no usable console at all. Since each IDS has its own analysis tools, correlating the wide variety of events detected by the different systems has to be done manually, if it is possible at all. That gets even trickier when there are multiple IDSs at different places in the network. So, how do we deal with that complexity?

What we introduce first is the IDMEF (Intrusion Detection Message Exchange Format) approach to normalizing and standardizing the log events produced by IDSs. That gives you all the events of all those different IDSs in a common format. So far so good. But how do we extract valuable clues from all this data? Correlating IDS events in order to reach an automatic decision on whether a certain system has been attacked or misused is obviously not simple. Is an outbound connection from, say, a web server OK? Maybe not if the admin is not logged in. Is a change to /etc/shadow valid if only a web server is running? It may depend on many things: the time of day, the source, further events on the system, who is logged on, what other processes are running, certain system states, system load, and so on. We will present a method for correlating these IDS events using fuzzy logic and neural networks as an extension of the Prelude hybrid IDS framework.

After a short introduction to the Prelude framework we explain how these methods can be used to get more reliable results out of this hybrid IDS. To illustrate the underlying concept more concretely, we will use IDS events from common attacks to show how the method can be employed to make IDSs work more efficiently.
