Lecture 18: Intrusion Detection

Network Intrusion Detection (NIDS)

What is an advantage of using a NIDS?

NIDS Evasion Attacks

Suppose we install a NIDS that alerts for a path traversal attack whenever it sees .. or its hex encoding in a packet. What evasion attack(s) could an attacker try on this scheme?

NIDS Issues

What is a disadvantage of using a NIDS?

Host-Based Intrusion Detection (HIDS)

What are some tradeoffs between HIDS and NIDS?

Logging

What are some advantages and disadvantages of logging?

System Call Monitoring

Which intrusion detection method would be most appropriate for detecting a DoS attack?

Note: This is one of the longer lectures of the semester. If you want to watch it in two sittings, this is a good halfway point to take a study break.

False Positives and False Negatives

Detection Tradeoffs, Base Rate Fallacy

System A has a false positive rate of 0.05% and a false negative rate of 1%. System B has a false positive rate of 1% and a false negative rate of 0.05%. The cost of a false positive is $100, and the cost of a false negative is $10000. Which system is better?

Signature-Based Detection

Does signature-based detection use a blacklist (default allow) or a whitelist (default deny)?

Vulnerability Signatures

Anomaly-Based Detection

Specification-Based Detection

Behavioral Detection

Which detection scheme is least useful for detecting never-before-seen attacks?
A: Anomaly-based
B: Signature-based
C: Specification-based
D: Behavioral-based

Summary of Evasion Issues

Antivirus

Intrusion Detection Conclusion