CONTEXT-BASED INTRUSION DETECTION USING SNORT, NESSUS AND BUGTRAQ DATABASES Presented by Frédéric Massicotte Communications Research Centre Canada Department of Systems and Computer Engineering, Carleton University Privacy, Security and Trust October 2005
CONTEXT-BASED INTRUSION DETECTION
USING SNORT, NESSUS AND BUGTRAQ DATABASES
Presented by Frédéric Massicotte
Communications Research Centre Canada
Department of Systems and Computer Engineering, Carleton University
Privacy, Security and Trust
October 2005
Motivations
Current IDS Problems
– Some IDS do not provide a declarative rule specification language
  • Difficult to verify, compare and update attack scenarios
– Many IDS only rely on one packet or on one TCP stream to identify intrusions
  • More complex attacks need to be programmed (two specification systems)
  • False negatives and false positives
– Intrusion signatures do not include a precise network context
  • Increases the number of false positives (session state not enough)
IDS functionality needed
– The IDS signature language should
  • be a declarative rule specification language
  • be independent of the monitoring engine
  • enable multi-packet rules
  • specify network-context gathering other than alarms and session states
  • be used on well-defined models (Packet Model and Network Model)
– The IDS monitoring engine should
  • be multi-packet
  • maintain a network-context knowledge base
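The network-context argument above (a signature that ignores what the target host actually runs raises false positives), as an added Python example that is not part of the presentation: a passive information gathering rule learns each host's HTTP service from Server headers already visible on the wire, and alerts from signatures that only apply to one server product are checked against that knowledge base before they are reported. The hosts, Server strings, sids and the RULE_CONTEXT table are constructed assumptions, and the per-signature context format is hypothetical, not Snort's rule syntax.

```python
import re

# Constructed sample of HTTP replies seen passively on the wire (not from the slides).
PASSIVE_RESPONSES = [
    ("10.0.0.5", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.0.54 (Unix)\r\n\r\n"),
    ("10.0.0.7", 80, "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n\r\n"),
]
# Constructed alerts in the shape an IDS would emit; sids are placeholders.
SAMPLE_ALERTS = [
    {"sid": 1001, "dst": "10.0.0.5", "dport": 80},  # IIS-only signature, Apache target
    {"sid": 1001, "dst": "10.0.0.7", "dport": 80},  # IIS-only signature, IIS target
    {"sid": 2002, "dst": "10.0.0.9", "dport": 22},  # target never observed passively
]
# Hypothetical per-signature context requirements (the network context the
# slides argue a signature should carry); not Snort's own rule syntax.
RULE_CONTEXT = {1001: {"service": "iis"}, 2002: {"service": "openssh"}}
SERVER_RE = re.compile(r"^Server:\s*([^/\s]+)", re.IGNORECASE | re.MULTILINE)

def passive_http_rule(ip, port, payload):
    """Passive information gathering rule: learn a host's HTTP service from its Server header."""
    m = SERVER_RE.search(payload)
    if not m:
        return None
    product = m.group(1).lower()
    return (ip, port), {"service": "iis" if product == "microsoft-iis" else product}

def build_network_context(responses):
    """Knowledge base keyed by (ip, port), filled only from passively seen traffic."""
    kb = {}
    for ip, port, payload in responses:
        fact = passive_http_rule(ip, port, payload)
        if fact:
            kb[fact[0]] = fact[1]
    return kb

def classify_alert(alert, kb, rule_context=RULE_CONTEXT):
    """'confirmed' if the target matches the signature's required context,
    'not-applicable' if it contradicts it (likely false positive),
    'unknown-context' if the target was never observed (keep the alert)."""
    required = rule_context.get(alert["sid"], {})
    target = kb.get((alert["dst"], alert["dport"]))
    if target is None:
        return "unknown-context"
    if any(target.get(k) != v for k, v in required.items()):
        return "not-applicable"
    return "confirmed"

def classify_all(alerts=SAMPLE_ALERTS, responses=PASSIVE_RESPONSES):
    kb = build_network_context(responses)
    return [classify_alert(a, kb) for a in alerts]
```

Only the first alert is suppressed as a context mismatch; an alert against a host the engine knows nothing about is kept, since missing context is not evidence of a false positive.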
Our Contributions
– A multi-packet monitoring engine
– A declarative rule specification language that uses the Object Constraint Language
– A formal packet model and a formal network model
– A library of passive information gathering rules to acquire the network context
Missing:
– A library of intrusion detection rules with network context
  • Prove that these rules could be used to reduce the number of false positives
  • Study the correlation potential and accuracy of freely