Application Intrusion Detection

Presentation Transcript

  1. Application Intrusion Detection
     Robert S. Sielken
     In Fulfillment of Master of Computer Science Degree
     School of Engineering and Applied Science, University of Virginia

  2. Outline
     • Introduction
     • State of Practice - OS IDS
     • Case Studies
     • Application Intrusion Detection
     • Construction of an Application Intrusion Detection System (AppIDS)
     • Conclusion

  3. Introduction
     • Intrusion Detection: determining whether or not some entity, the intruder, has attempted to gain, or worse, has gained unauthorized access to the system
     • Intruders
       • Internal
       • External
     • Objectives
       • Confidentiality
       • Integrity
       • Availability
       • Accountability
     • Current State
       • done at the OS level, but diminishing returns
       • opportunities and limits of utilizing application semantics?

  4. State of Practice - OS IDS
     • Audit records: operating system generated collections of the events that have happened in the system over a period of time
     • Events: results of actions taken by users, processes, or devices that may be related to a potential intrusion
     • Threat Categories
       • Denial of Service
       • Disclosure
       • Manipulation
       • Masqueraders
       • Replay
       • Repudiation
       • Physical Impossibilities
       • Device Malfunctions

  5. OS IDS - Approaches
     • Anomaly Detection
       • Static: Tripwire, Self-Nonself
       • Dynamic: NIDES, Pattern Matching (UNM)
     • Misuse Detection: NIDES, MIDAS, STAT
     • Extensions - Networks
       • Centralized: DIDS, NADIR, NSTAT
       • Decentralized: GrIDS, EMERALD

  6. OS IDS - Generic Characteristics
     • Relation - expression of how two or more values are associated
       • Statistical
       • Rule-Based
     • Observable Entities - any object (user, system device, etc.) that has or produces a value in the monitored system that can be used in defining a relation
     • Thresholds - determine how the result of the relation will be interpreted

  7. OS IDS - Generic Characteristics
     • Effectiveness
       • fine-tuning of thresholds
       • frequency of relation evaluation
       • number of correlated values
       • hierarchy

  8. AppIDS
     • Guiding Questions
       • Opportunity – what types of intrusions can be detected by an AppIDS?
       • Effectiveness – how well can those intrusions be detected by an AppIDS?
       • Cooperation – how can an AppIDS cooperate with the OS IDS to be more effective than either alone?

  9. Case Studies
     • Electronic Toll Collection
       • numerous devices distributed
       • complementary device values
       • hierarchical
       • gathers data about monitored external behavior
       • accounting component
     • Health Record Management
       • non-hierarchical
       • no devices beyond controlling computer
       • no financial component
       • limited access
       • contains physical realities
       • data collection and scheduling components

  10. Electronic Toll Collection (ETC)
     • Devices
       • Toll Lane: Tag Sensor, Automated Coin Basket, Toll Booth Attendant, Loop Sensor, Axle Reader, Weigh-In-Motion Scale, Traffic Signal, Video Camera
       • Vehicle: Tag (Active/Passive)

  11. ETC - Hierarchy

  12. ETC - Application Specific Intrusions
     • Threat Categories, Specific Intrusions, Methods, Relations
     • Annoyance (3 methods)
     • Steal Electronic Money (10 methods)
     • Steal Vehicle (4 methods)
     • Device Failure (1 method)
     • Surveillance (2 methods)

  13. ETC - Steal Service

  14. Application Intrusion Detection
     • Similarities
       • detect intrusions by evaluating relations to differentiate between anomalous and normal behavior
       • centralized or decentralized (hierarchical)
       • same threat categories
     • Differences
       • anomaly detection using statistical and rule-based relations
       • internal intruders
       • event causing entity
       • resolution
       • tightness of thresholds
       • event records: periodic, code triggers

  15. AppID (cont’d)
     • Dependencies
       • OS IDS on AppIDS: None
       • AppIDS on OS IDS
         • basic security services
         • prevention of bypassing application to access application components
     • Cooperation
       • audit/event record correlation
       • communication: bi-directional, request-response, bundles
       • complications
         • terms of communication
         • resource usage - lowest common denominator

  16. Construction of an AppIDS
     • TOOLS, GENERIC COMPONENTS
     • Relation Specifier
     • Relation Evaluator
     • Relations
     • Observable Entity Locations in the Application
     • Relation – Code Connector
     • Event Record Manager
     • Event Record Specifier
     • Anomaly Alarm Handler
     • Event Record Structure
     • Timings

  17. Conclusion
     • Opportunity
       • internal intruders (abusers)
       • anomaly with statistical and rule-based relations
       • same threat categories
     • Effectiveness
       • resolution
       • tightness of thresholds
     • Cooperation
       • detection
     • Construction
       • tools
       • generic components

  18. Health Record Management (HRM)
     • Components
       • Patient Records
       • Orders – lists of all requests for drugs, tests, or procedures
       • Schedule – schedule for rooms for patient occupancy, laboratory tests, or surgical procedures (does not include personnel)
     • Users
       • doctors, laboratory technicians, and nurses

  19. HRM - Application Specific Intrusions
     • Threat Categories, Specific Intrusions, Methods, Relations
     • Annoyance (4 methods)
     • Steal Drugs (1 method)
     • Patient Harm (6 methods)
     • Surveillance (2 methods)

  20. HRM - Patient Harm

  21. ETC - Steal Service

  22. Steal Service (cont’d)

  23. HRM - Patient Harm
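
The relation, observable entity and threshold model of slides 6 and 14, with the Relation Evaluator and Anomaly Alarm Handler roles named on slide 16, sketched as an added example that is not part of the presentation: one rule-based and one statistical relation evaluated over toll-lane event records. The record fields, both relations and the threshold values are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable

# Constructed event records for one toll lane; field names are hypothetical.
EVENTS = [
    {"lane": 3, "tag": "T100", "tag_axles": 2, "axle_reader": 2, "minute": 1},
    {"lane": 3, "tag": "T200", "tag_axles": 2, "axle_reader": 5, "minute": 2},
    {"lane": 3, "tag": "T300", "tag_axles": 2, "axle_reader": 2, "minute": 3},
    {"lane": 3, "tag": "T300", "tag_axles": 2, "axle_reader": 2, "minute": 4},
    {"lane": 3, "tag": "T300", "tag_axles": 2, "axle_reader": 2, "minute": 5},
]

@dataclass
class Relation:
    name: str
    kind: str                      # "rule-based" or "statistical"
    value: Callable[[list], dict]  # event records -> {observable entity: value}
    threshold: float               # a value above the threshold is anomalous

def axle_mismatch(events):
    """Rule-based: the axle reader and the tag are complementary device values."""
    return {(e["tag"], e["minute"]): abs(e["axle_reader"] - e["tag_axles"])
            for e in events}

def tag_reads(events):
    """Statistical: number of times each tag is seen in the evaluation window."""
    return dict(Counter(e["tag"] for e in events))

# Assumed relations and thresholds; a real AppIDS would tune these per lane.
RELATIONS = [
    Relation("axle-count-agrees-with-tag", "rule-based", axle_mismatch, 0),
    Relation("tag-reads-per-window", "statistical", tag_reads, 2),
]

def evaluate(relations, events):
    """Relation evaluator: one alarm per entity whose value exceeds the threshold."""
    alarms = []
    for r in relations:
        for entity, v in r.value(events).items():
            if v > r.threshold:
                alarms.append({"relation": r.name, "kind": r.kind,
                               "entity": entity, "value": v})
    return alarms

if __name__ == "__main__":
    for alarm in evaluate(RELATIONS, EVENTS):  # stand-in for the alarm handler
        print(alarm)
```

Raising the statistical threshold from 2 to 3 silences the repeated-tag alarm, which is the "tightness of thresholds" trade-off the slides list under effectiveness.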