Network Security: Attacks and Monitoring. Slide 3 of the course Keamanan Jaringan (Network Security), by Setio Basuki
Course Objectives
- Network Monitoring
- Intrusion Detection System (IDS)
- Penetration Testing
- Attack Methods
Network Monitoring
- Subjects are held accountable for their actions while authenticated on a system.
- It is also the process of detecting unauthorized or abnormal activities on the system.
- The audit trails created by recording system events to a log can be used to evaluate a system's health and performance.
Network Monitoring (Cont.)
- Log events provide an audit trail for recreating a step-by-step history of an event, an intrusion, or a system failure.
Intrusion Detection System (IDS)
- An Intrusion Detection System (IDS) is primarily used to detect intrusion attempts, but it can also be employed to detect system failures and monitor overall performance.
- An IDS alert can be delivered as an on-screen notification, by playing a sound, by sending an email notification, or by recording the information to a log.
IDS Response
- A response from an IDS can be classified into three types:
- – Active: directly affects the malicious activity in the network traffic.
- – Passive: does not affect the malicious activity, but records information about the issue and notifies the administrator.
- – Hybrid: stops the unwanted activity, records information about the event, and notifies the administrator.
IDS Response (Cont.)
- Typical IDS responses include blocking a port, blocking a protocol, blocking a source address, and disabling all communication over a specific cable segment.
- When an IDS discovers abnormal behavior or a violation of its security rules, it records a log entry.
Host- and Network-based IDS
- A host-based IDS watches for questionable activity on a single computer system.
- – A host-based IDS looks at audit trails, event logs, and application logs.
- A network-based IDS watches for:
- – Questionable activity on the network medium, by inspecting packets and observing network traffic patterns.
IDS Detection Methods
- An IDS can detect malicious behavior with two common methods:
- – Knowledge-based detection (also known as signature-based or pattern-matching detection).
- – Behavior-based detection (also known as statistical intrusion detection, anomaly detection, or heuristic-based detection).
Knowledge-based Detection
- Here, the IDS uses a signature database and attempts to match every monitored event against its contents.
- If a match is made, the IDS assumes that an attack is taking place.
- This method is only effective against known attack methods or behaviors.
Knowledge-based Detection (Cont.)
- A knowledge-based IDS lacks a learning model, that is, it is unable to recognize new attack patterns as they occur.
- Therefore, the administrator must keep the signature database up to date and correct.
- – As mentioned before, it is like an antivirus application: its signatures need to be updated periodically.
Behavior-based Detection
- Basically, behavior-based detection learns the normal activities and events on your system by watching and tracking what it sees.
- Once it has accumulated enough data about normal activity, it can detect abnormal and possibly malicious activities.
Behavior-based Detection (Cont.)
- A behavior-based IDS can be labeled an expert system or artificial intelligence system because it can learn and make assumptions about events.
- In other words, the IDS can act like a human expert by evaluating current events against known events.
- – The trade-off is that anything not seen during the learning period gets flagged, so a behavior-based IDS tends to raise more false positives than a knowledge-based one, while the knowledge-based one silently misses attacks it has no signature for.
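The two detection methods side by side, as an added example written for this slide deck (not code from the course or from any real IDS). The web-server log lines, the signature patterns, and the requests-per-minute counts are all constructed for illustration. The signature scanner catches the three requests that match a known pattern and misses the unknown one; the behavior-based scanner learns a baseline rate and flags the flood, but also flags a legitimate burst, which is the false-positive cost mentioned above.

```python
"""Knowledge-based (signature) vs. behavior-based (anomaly) detection over
constructed sample events. Added example; not code from the course."""
import re
import statistics
from urllib.parse import unquote

# --- Knowledge-based detection ---------------------------------------------
# Illustrative signatures (name, regex); not rules from any real ruleset.
SIGNATURES = [
    ("sqli-union-select", re.compile(r"union\s+select", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./\.\./")),
    ("cmd-injection", re.compile(r";\s*(cat|wget|curl)\s", re.IGNORECASE)),
]

SAMPLE_REQUESTS = [  # constructed web-server log lines
    "10.0.0.5 GET /index.html",
    "10.0.0.9 GET /search?q=1%20UNION%20SELECT%20password%20FROM%20users",
    "10.0.0.7 GET /files?name=../../etc/passwd",
    "10.0.0.3 GET /about",
    "10.0.0.11 GET /ping?host=8.8.8.8;cat%20/etc/shadow",
    "10.0.0.3 GET /zero-day-technique-nobody-has-a-rule-for",
]


def signature_scan(lines, signatures=SIGNATURES):
    """Return (line, signature_name) for each line matching a known signature.
    Anything without a signature is missed: there is no learning model."""
    hits = []
    for line in lines:
        decoded = unquote(line)  # normalize URL encoding before matching
        for name, pattern in signatures:
            if pattern.search(decoded):
                hits.append((line, name))
                break
    return hits


# --- Behavior-based detection ----------------------------------------------
# Constructed requests/minute observed during the learning period.
BASELINE_COUNTS = [42, 38, 45, 40, 44, 39, 41, 43, 37, 46]
# Constructed later observations: a flood at minute 2, a legitimate burst at minute 3.
OBSERVED_COUNTS = [44, 41, 400, 55, 39]


def learn_baseline(counts):
    """Summarize 'normal' as mean and standard deviation of the learned rate."""
    return statistics.mean(counts), statistics.stdev(counts)


def anomaly_scan(observed, baseline, k=3.0):
    """Flag any minute whose count deviates more than k standard deviations
    from the learned mean. Returns (minute_index, count) pairs."""
    mean, stdev = baseline
    return [(i, c) for i, c in enumerate(observed) if abs(c - mean) > k * stdev]


if __name__ == "__main__":
    for line, name in signature_scan(SAMPLE_REQUESTS):
        print(f"signature {name}: {line}")
    base = learn_baseline(BASELINE_COUNTS)
    for minute, count in anomaly_scan(OBSERVED_COUNTS, base):
        print(f"anomaly at minute {minute}: {count} req/min (baseline mean {base[0]:.1f})")
```

The last sample request is an attack with no signature and passes the knowledge-based scan untouched; the behavior-based scan flags minute 3 (55 requests, a plausible legitimate burst) alongside the real flood, which is why both methods are usually run together.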
IDS-Related Tools
- These IDS-related tools expand the usefulness and capabilities of IDSs and make them more efficient and less prone to false positives.
- These tools include:
- – honeypots,
- – padded cells, and
- – vulnerability scanners.
Understanding Honeypots
- Individual computers or entire networks created to serve as a trap for intruders.
- – They look and act like legitimate networks, but they are totally fake.
- Honeypots tempt intruders by presenting unpatched and unprotected security vulnerabilities.
- – They direct intruders into a restricted playground while they perform malicious activities, long enough for the automated IDS to detect the intrusion and gather as much information about the intruder as possible.
Honeypot Deployment (Cont.)
- – Legitimate users never enter a honeypot.
- – Thus, when honeypot access is detected, it must be an unauthorized intruder.
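A minimal honeypot that follows the rule above ("nobody legitimate connects here, so every connection is an intrusion event"), as an added example written for this deck rather than course code. It assumes a fake FTP-like service bound to 127.0.0.1 on an ephemeral port so it runs offline; the banner text and the simulated intruder's commands are constructed. Every connection is answered with a bait banner, whatever the intruder sends is captured, and the source address, time and payload are recorded for the IDS or analyst.

```python
"""Minimal TCP honeypot: logs every connection as an unauthorized event.
Added example, not code from the course. Assumptions: fake service, no real
users, listens on 127.0.0.1 so the demo runs offline."""
import socket
import threading
import time


class Honeypot:
    def __init__(self, banner=b"220 ftp.internal ready\r\n", read_timeout=1.0):
        self.banner = banner            # bait banner, constructed
        self.read_timeout = read_timeout
        self.events = []                # one dict per connection
        self._cond = threading.Condition()
        self._server = None
        self._thread = None
        self._running = False

    def start(self, host="127.0.0.1", port=0):
        """Bind (port 0 = ephemeral) and serve in a background thread; return the port."""
        self._server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._server.bind((host, port))
        self._server.listen(5)
        self._server.settimeout(0.2)    # lets the accept loop notice stop()
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self._server.getsockname()[1]

    def _serve(self):
        while self._running:
            try:
                conn, addr = self._server.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        """Send the bait banner, capture what the intruder sends, record the event."""
        started = time.time()
        data = b""
        try:
            conn.sendall(self.banner)
            conn.settimeout(self.read_timeout)
            while len(data) < 4096:
                chunk = conn.recv(1024)
                if not chunk:           # intruder closed or half-closed
                    break
                data += chunk
        except OSError:
            pass
        finally:
            conn.close()
        with self._cond:
            self.events.append({"src": addr[0], "sport": addr[1], "time": started,
                                "payload": data, "verdict": "unauthorized"})
            self._cond.notify_all()

    def wait_for_events(self, n, timeout=5.0):
        """Block until at least n events are recorded or the timeout passes."""
        deadline = time.time() + timeout
        with self._cond:
            while len(self.events) < n:
                remaining = deadline - time.time()
                if remaining <= 0:
                    break
                self._cond.wait(remaining)
            return list(self.events)

    def stop(self):
        self._running = False
        if self._server:
            self._server.close()
        if self._thread:
            self._thread.join(timeout=2)


def simulate_intruder(port, payload=b"USER admin\r\nPASS admin123\r\n"):
    """Stand-in for an attacker probing the fake service; returns the banner seen."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(1024)
        s.sendall(payload)              # constructed credential-guessing attempt
        s.shutdown(socket.SHUT_WR)      # EOF tells the honeypot the probe is over
    return banner


def run_demo():
    """Start the honeypot, let one intruder probe it, return the recorded events."""
    hp = Honeypot()
    port = hp.start()
    try:
        simulate_intruder(port)
        return hp.wait_for_events(1)
    finally:
        hp.stop()


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

The recorded payload is exactly what the attacker typed, including the guessed credentials, which is the kind of information the slide says the honeypot is there to gather. A production deployment would bind the bait address on an isolated segment and forward the events to the IDS rather than keep them in memory.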
(Cont.)
- The use of honeypots raises the issue of enticement vs. entrapment.
- A honeypot can be legally used as an enticement device if the intruder discovers it through no outward effort of the honeypot owner.
- – This is known as enticement.
(Cont.)
- Entrapment, which is illegal, occurs when the honeypot owner actively solicits visitors to access the site and then charges them with unauthorized intrusion.
- In other words, it is considered entrapment when you trick or encourage a perpetrator into performing an illegal or unauthorized action.
- – Where exactly the line falls depends on the jurisdiction, so check with legal counsel before deploying a honeypot whose logs you intend to use as evidence.
Understanding Padded Cells
- A padded cell system is similar to a honeypot, but it performs intrusion isolation using a different approach.
- – When an IDS detects an intruder, that intruder is automatically transferred to a padded cell.
- – Within the padded cell the intruder can neither perform malicious activities nor access any confidential data.
Vulnerability Scanners
- Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses.
- – They may recommend applying patches or making specific configuration or security-setting changes to improve or enforce security.
Intrusion Prevention System (IPS)
- An extension of the IDS concept is the intrusion prevention system (IPS).
- An IPS seeks to actively block unauthorized connection attempts or illicit traffic patterns as they occur.
- In fact, the line between IDSs and IPSs can be quite blurry, in that many self-professed IDSs have IPS capabilities.
Penetration Testing
- A penetration occurs when an attack is successful and an intruder is able to breach the perimeter around your environment.
- – It is common for organizations to hire external consultants to perform penetration testing.
- – Such testers are not informed of confidential elements of the environment's security configuration, network design, and other internal details, so the test approximates what a real outsider could achieve.
Penetration Testing (Cont.)
- There are open-source and commercial tools such as Metasploit and Core IMPACT.
- To evaluate your system, benchmarking and testing tools are available for download.
Penetration Testing (Cont.)
- Keeping up with the latest attacks, vulnerabilities, and exploits demands that careful, attentive security professionals follow security bulletins.
- – For example, those of the U.S. Computer Emergency Readiness Team (US-CERT).
Attack Methods (List 1)
- The following are the most common or well-known access control attacks or attack methodologies (listed in alphabetical order):
- – Brute-force and dictionary attacks
- – Denial of service
- – Malware: viruses, worms, Trojans, spyware, etc.
Attack Methods (List 2)
- – Sniffing
- – Spamming
- – Spoofing
Brute-force and Dictionary Attacks
- We discuss brute-force and dictionary attacks together because they are waged against the same entity: passwords.
- A brute-force attack is an attempt to discover passwords for user accounts by systematically attempting all possible combinations of letters, numbers, and symbols.
- – A dictionary attack instead tries a list of likely passwords (common words, leaked passwords), which is far cheaper but only finds weak choices.
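Both attacks against a small "stolen" credential store, as an added example written for this deck (not course code). The usernames, salts, passwords, wordlist and the hashing scheme (salted SHA-256, chosen only so the attack is visible in a few lines) are all constructed. The dictionary attack recovers only the account whose password is in the wordlist; the brute force finds only the account whose password is short enough to be inside the enumerated keyspace, and the last two functions show why the full keyspace for a long password is out of reach even at a billion guesses per second.

```python
"""Dictionary attack vs. brute force against a constructed password store.
Added example, not code from the course."""
import hashlib
import itertools
import string

ALPHANUM = string.ascii_lowercase + string.digits   # 36-symbol alphabet for the brute force


def hash_password(password: str, salt: str) -> str:
    """Constructed store format: hex SHA-256 of salt || password (fast hash, on purpose)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "stolen" store: username -> (salt, hash). Plaintexts appear here
# only to build the fixture; the attack functions never read them.
SALTS = {"alice": "k3Jd", "bob": "Q9zx", "carol": "p0Lm"}
STORE = {
    "alice": (SALTS["alice"], hash_password("letmein", SALTS["alice"])),
    "bob":   (SALTS["bob"],   hash_password("zq7", SALTS["bob"])),
    "carol": (SALTS["carol"], hash_password("Tr0ub4dor&3", SALTS["carol"])),
}
WORDLIST = ["123456", "password", "letmein", "qwerty", "admin", "welcome"]  # constructed


def dictionary_attack(store, wordlist):
    """Try each wordlist entry per account. Cheap; finds only common passwords."""
    cracked = {}
    for user, (salt, digest) in store.items():
        for word in wordlist:
            if hash_password(word, salt) == digest:
                cracked[user] = word
                break
    return cracked


def brute_force(store, alphabet, max_len):
    """Systematically try every string over alphabet up to max_len per account.
    Complete within its keyspace, but the cost grows as alphabet ** length."""
    cracked = {}
    for user, (salt, digest) in store.items():
        for length in range(1, max_len + 1):
            match = next((
                "".join(c) for c in itertools.product(alphabet, repeat=length)
                if hash_password("".join(c), salt) == digest), None)
            if match is not None:
                cracked[user] = match
                break
    return cracked


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(alphabet_size: int, max_len: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at the given guess rate."""
    return keyspace(alphabet_size, max_len) / guesses_per_second


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(STORE, WORDLIST))
    print("brute force (<=3 alnum):", brute_force(STORE, ALPHANUM, 3))
    print("95-symbol, 8 chars at 1e9/s:", seconds_to_exhaust(95, 8, 1e9) / 86400, "days")
```

Salting stops one guess from being reused across accounts, but with a fast hash it does nothing about per-account guessing; the defensive counterpart is a deliberately slow password hash plus lockout or rate limiting on the online path, which is what the compensation section at the end of these slides points to.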
Denial-of-Service Attacks
- Denial-of-service (DoS) attacks are attacks that prevent a system from processing or responding to legitimate traffic or requests for resources and objects.
- – The most common form of DoS is transmitting so many data packets to a server that it cannot process them all.
- – DoS can result in system crashes and other system outages.
Types
- A single attacking system flooding a single victim with a steady stream of packets.
- – This simple form of DoS is easy to terminate just by blocking packets from the source IP address.
- – Blocking by source address only works while the source address is genuine and the traffic really comes from one place.
- A distributed denial of service (DDoS) occurs when the attacker compromises several systems and uses them as launching platforms against one or more victims.
Spoofing Attacks
- Spoofing attacks consist of replacing a valid source and/or destination IP address and node number with false ones.
- – The art of pretending to be something you're not.
- Spoofing is employed when:
- – An attacker uses a stolen username and password.
- – An attacker changes the source address in a malicious packet.
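The DoS and spoofing slides above share one detection problem, so one added example (written for this deck, not course code) covers both. The packet records are constructed one-second windows of (source IP, timestamp); the internal prefix 10.0.0.0/8 and the two thresholds are assumptions. A per-source threshold catches the single-source flood and names the address to block, but sees nothing wrong with the DDoS because every bot stays under the limit; and an ingress filter on the internal interface drops packets whose source address cannot legitimately appear there, which removes one way an attacker spoofs the source to dodge a block.

```python
"""Single-source flood vs. DDoS, plus ingress filtering of spoofed sources.
Added example, not code from the course."""
import ipaddress
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed: our address space
PER_SOURCE_LIMIT = 100    # assumed: packets/second beyond which one source is a flood
AGGREGATE_LIMIT = 500     # assumed: total packets/second the victim can serve


def single_source_flood():
    """Constructed window: one attacker at 2000 pps plus 20 normal clients."""
    return [("203.0.113.7", 1)] * 2000 + [("198.51.100.%d" % i, 1) for i in range(1, 21)]


def distributed_flood():
    """Constructed window: 400 bots at 5 pps each. Same 2000 packets, no single
    source anywhere near PER_SOURCE_LIMIT."""
    bots = ["203.0.113.%d" % i for i in range(1, 201)] + ["198.51.100.%d" % i for i in range(1, 201)]
    return [(bot, 1) for bot in bots for _ in range(5)]


def per_source_blocklist(packets, limit=PER_SOURCE_LIMIT):
    """Classic DoS response: block any source that by itself exceeds the limit."""
    counts = Counter(src for src, _ in packets)
    return sorted(src for src, n in counts.items() if n > limit)


def aggregate_overload(packets, limit=AGGREGATE_LIMIT):
    """True when the victim is being overwhelmed regardless of where traffic comes from."""
    return len(packets) > limit


def ingress_filter(packets, internal_net=INTERNAL_NET):
    """Anti-spoofing check on an internal-facing interface: a packet arriving
    from inside must carry a source inside internal_net; anything else is
    spoofed and dropped. Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for src, ts in packets:
        if ipaddress.ip_address(src) in internal_net:
            accepted.append((src, ts))
        else:
            dropped.append((src, ts))
    return accepted, dropped


# Constructed packets seen on the internal interface: two genuine, two spoofed.
INTERNAL_SAMPLE = [("10.1.2.3", 1), ("10.9.9.9", 1), ("203.0.113.7", 1), ("192.0.2.1", 1)]

if __name__ == "__main__":
    print("single-source block:", per_source_blocklist(single_source_flood()))
    print("ddos block:", per_source_blocklist(distributed_flood()),
          "overloaded:", aggregate_overload(distributed_flood()))
    accepted, dropped = ingress_filter(INTERNAL_SAMPLE)
    print("spoofed sources dropped:", [s for s, _ in dropped])
```

The empty blocklist for the DDoS window while the aggregate check still trips is the point of the slide: per-source blocking is the right response to the simple flood and the wrong tool for the distributed one, where mitigation has to move upstream or to rate limiting of the service itself.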
Man-in-the-Middle Attacks
- A man-in-the-middle attack occurs when a malicious user is able to gain a position between the two endpoints of an ongoing communication.
- – One form is sniffing the traffic between two parties; this is basically a sniffer attack.
- – The other involves attackers positioning themselves in the line of communication, where they can relay, and alter, the traffic passing between the two parties.
(Cont. 2)
- In a form of this attack called a hijack attack, a malicious user positioned between a client and a server interrupts the session and takes it over.
(Cont. 3)
- Another type is the replay attack (playback attack).
- – A malicious user records traffic between a client and a server; the packets sent from the client to the server are then played back or retransmitted to that server with slight variations in the timestamp and source IP address.
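The replay attack described above, with a server that is vulnerable to it and one that is not, as an added example written for this deck (not course code). The shared key, the clock values, the request contents and the 30-second freshness window are constructed assumptions. The naive server checks only that the message authentication code is valid, so a faithfully recorded request replays from any source IP. The hardened server additionally requires a fresh timestamp and a never-before-seen nonce, both covered by the MAC, so the recorded request is rejected as a replay and a request with a nudged timestamp fails the MAC check because the attacker cannot recompute it.

```python
"""Replay (playback) attack and its defence: MAC + timestamp window + nonce cache.
Added example, not code from the course."""
import hashlib
import hmac
import secrets

KEY = b"shared-secret-constructed-for-demo"   # assumption: client and server share this
WINDOW = 30                                    # seconds of allowed clock skew (assumed)


def _mac(req: dict, key: bytes) -> str:
    body = f"{req['action']}|{req['nonce']}|{req['ts']}".encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_request(action: str, nonce: str, ts: int, key: bytes = KEY) -> dict:
    """Client side: bind action, nonce and timestamp together under the key."""
    req = {"action": action, "nonce": nonce, "ts": ts}
    req["mac"] = _mac(req, key)
    return req


class NaiveServer:
    """Verifies only the MAC: a recorded request can be played back forever."""
    def __init__(self, key: bytes = KEY):
        self.key = key

    def handle(self, req: dict, src_ip: str, now: int) -> str:
        if not hmac.compare_digest(_mac(req, self.key), req["mac"]):
            return "reject: bad mac"
        return f"ok: {req['action']} from {src_ip}"


class ReplayAwareServer:
    """MAC, then freshness, then uniqueness of the nonce within the window."""
    def __init__(self, key: bytes = KEY, window: int = WINDOW):
        self.key = key
        self.window = window
        self.seen = {}          # nonce -> server time at which it was accepted

    def _evict(self, now: int):
        # Nonces older than the window can be forgotten: their timestamp would fail anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}

    def handle(self, req: dict, src_ip: str, now: int) -> str:
        self._evict(now)
        if not hmac.compare_digest(_mac(req, self.key), req["mac"]):
            return "reject: bad mac"      # any edit to ts/nonce/action breaks the MAC
        if abs(now - req["ts"]) > self.window:
            return "reject: stale"        # too old to be a live request
        if req["nonce"] in self.seen:
            return "reject: replay"       # exact copy of an already-accepted request
        self.seen[req["nonce"]] = now
        return f"ok: {req['action']} from {src_ip}"


def scenario() -> dict:
    """Record one legitimate request, then replay it (and a tweaked copy) at both servers."""
    recorded = make_request("transfer 100 to attacker", secrets.token_hex(8), ts=1000)
    naive, hardened = NaiveServer(), ReplayAwareServer()
    out = {}
    out["naive_first"] = naive.handle(recorded, "10.0.0.5", now=1001)
    out["naive_replay"] = naive.handle(recorded, "10.0.0.66", now=1005)      # new source IP
    out["hard_first"] = hardened.handle(recorded, "10.0.0.5", now=1001)
    out["hard_replay"] = hardened.handle(recorded, "10.0.0.66", now=1005)
    tweaked = dict(recorded, ts=1004)                                        # attacker edits ts, no key
    out["hard_tweaked"] = hardened.handle(tweaked, "10.0.0.66", now=1005)
    late = make_request("transfer 100 to attacker", "n2", ts=1000)           # genuine but long delayed
    out["hard_stale"] = hardened.handle(late, "10.0.0.5", now=1100)
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:13s} {result}")
```

Changing the source IP buys the attacker nothing either way, which matches the slide: the defence does not rely on where the packet came from but on the server being able to tell a second presentation of the same message from the first.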
Sniffing Attacks
- A sniffer attack (also known as a snooping attack) is any activity that results in a malicious user obtaining information about a network or the traffic over that network.
- A sniffer is some kind of packet-capturing program that dumps the contents of the packets it captures, headers and payload alike, for the attacker to read.
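What a sniffer actually hands the attacker, as an added example written for this deck (not course code). Capturing live frames needs a privileged raw socket or libpcap, so the block instead constructs an Ethernet II / IPv4 / TCP frame inline with the same byte layout a capture would contain (checksums left at zero, so it is a fixture, not a sendable packet), then decodes it the way a sniffer's dissector does and pulls the cleartext FTP-style credentials out of the payload. The MAC and IP addresses, ports and login strings are all constructed.

```python
"""Decoding one captured Ethernet/IPv4/TCP frame the way a sniffer does.
Added example, not code from the course. The frame is constructed inline."""
import struct


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Construct an Ethernet II + IPv4 + TCP frame (checksums zero; fixture only)."""
    def mac(s): return bytes(int(x, 16) for x in s.split(":"))
    def ip(s): return bytes(int(o) for o in s.split("."))
    # TCP: sport, dport, seq, ack, data offset (5 words) << 4, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    # IPv4: ver/ihl, dscp, total length, id, flags/frag (DF), ttl, proto TCP, csum, src, dst
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                       ip(src_ip), ip(dst_ip))
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800)   # EtherType IPv4
    return eth + ipv4 + tcp


def parse_frame(frame: bytes) -> dict:
    """Dissect the headers a sniffer would print for one frame."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return {"ethertype": hex(ethertype), "note": "not IPv4; skipped"}
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    l4 = frame[14 + ihl:14 + total_len]
    info = {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src_ip": ".".join(map(str, src)),
        "dst_ip": ".".join(map(str, dst)),
        "ttl": ttl,
        "proto": proto,
    }
    if proto == 6:  # TCP
        sport, dport, seq, ack, off_res, flags = struct.unpack("!HHIIBB", l4[:14])
        hdr_len = (off_res >> 4) * 4
        info.update({"sport": sport, "dport": dport, "seq": seq, "flags": flags,
                     "payload": l4[hdr_len:]})
    return info


def extract_credentials(payload: bytes) -> dict:
    """Pull cleartext FTP-style USER/PASS lines out of a payload."""
    creds = {}
    for line in payload.split(b"\r\n"):
        if line.startswith(b"USER "):
            creds["user"] = line[5:].decode(errors="replace")
        elif line.startswith(b"PASS "):
            creds["password"] = line[5:].decode(errors="replace")
    return creds


# Constructed capture: a client logging in to an FTP server in cleartext.
CAPTURED_FRAME = build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
                             "10.0.0.5", "10.0.0.10", 51514, 21,
                             b"USER alice\r\nPASS hunter2\r\n")

if __name__ == "__main__":
    info = parse_frame(CAPTURED_FRAME)
    print({k: v for k, v in info.items() if k != "payload"})
    print("credentials:", extract_credentials(info["payload"]))
```

Everything the dissector recovers here is readable only because the protocol carries it in cleartext; the same capture of a TLS session yields addresses and ports but an opaque payload, which is the standard answer to sniffing.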
Spamming Attacks
- Spam is the term that describes unsolicited email, newsgroup, or discussion forum messages.
- – Spam can be as innocuous as an advertisement from a well-meaning vendor or as malignant as floods of unrequested messages with viruses or Trojan horses attached.
- – Spamming attacks are directed floods of unwanted messages to a victim's email inbox or other messaging system.
Access Control Compensation
- Access control is used to regulate or specify which objects a subject can access and what type of access is allowed or denied.
- Rather than specifying a separate countermeasure for each of these attacks, you can use certain measures that help compensate for weaknesses in access control generally.