Network Security:
Attacks and Monitoring
Slide Deck 3 of the Course: Network Security
Course Objectives
• Network Monitoring
• Intrusion Detection System (IDS)
• Penetration Testing
Network Monitoring
• Subjects are held accountable for their actions while authenticated on a system.
• It is also the process of detecting unauthorized or abnormal activities on the system.
• The audit trails created by recording system events to a log can be used to evaluate a system’s health and performance.
Network Monitoring (Cont.)
• Log events provide an audit trail for recreating a step-by-step history of an event, an intrusion, or a system failure.
Intrusion Detection
• An Intrusion Detection System (IDS) is primarily used to detect intrusion attempts; it can also be employed to detect system failures and overall performance.
• IDS alerts can be sent with an on-screen
IDSs Response
• A response from an IDS can be classified into three types:
– Active: Directly affects the malicious activity in the network traffic.
– Passive: Doesn’t affect the malicious activity, but records information about the issue and notifies the administrator.
IDSs Response
• Typical IDS responses include several actions: blocking a port, blocking a protocol, blocking a source address, and disabling all communication over a specific cable segment.
Host- and Network-based IDS
• Host-based IDS watches for questionable activity on a single computer system.
• A host-based IDS looks at audit trails, event logs, and application logs.
• Network-based IDS watches for:
Knowledge- and Behavior-based Detection
• An IDS can detect malicious behavior using two common types of detection:
– Knowledge-based detection (also known as signature-based or pattern-matching detection).
Knowledge-based Detection
• Here, the IDS uses a signature database and attempts to match every monitored event against its contents.
• If a match is made, the IDS assumes that an attack is taking place.
• This method is only effective against known attack methods or behaviors.
Knowledge-based Detection (Cont.)
• A knowledge-based IDS lacks a learning model, that is, it is unable to recognize new attack patterns as they occur.
• Therefore, the administrator should keep the signature database up to date and correct.
– As mentioned before, it is like an antivirus
Behavior-based Detection
• Basically, behavior-based detection learns about the normal activities and events on your system by watching and tracking what it sees.
• Once it has accumulated enough data about normal activity, it can detect
Behavior-based Detection
• A behavior-based IDS can be labeled an expert system or an artificial intelligence system because it can learn and make assumptions about events.
• In other words, the IDS can act like a
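The two detection types from the preceding slides, as an added example that is not part of the original slide deck: a toy knowledge-based (signature) detector and a toy behavior-based detector are run over the same constructed web-access log lines. The log format, the signature patterns, the per-minute volume model and the k-sigma threshold are all assumptions made for this demonstration, not the behaviour of any particular IDS product.

```python
"""Added example, not from the slides: signature-based and behavior-based
detection over the same constructed log. Log format, signatures and the
k-sigma threshold are assumptions for this demo."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed "normal" traffic, used as the learning phase of the behavior-based IDS.
# Assumed format: "<HH:MM:SS> <source-ip> <method> <path> <status>"
TRAINING_LOG = """\
10:00:01 10.0.0.5 GET /index.html 200
10:00:02 10.0.0.5 GET /about.html 200
10:00:03 10.0.0.7 GET /index.html 200
10:00:04 10.0.0.7 GET /login 200
10:00:05 10.0.0.7 GET /home 200
10:00:06 10.0.0.8 GET /index.html 200
10:00:07 10.0.0.8 GET /docs 200
10:01:01 10.0.0.5 GET /index.html 200
10:01:02 10.0.0.5 GET /news 200
10:01:03 10.0.0.5 GET /about.html 200
10:01:04 10.0.0.7 GET /home 200
10:01:05 10.0.0.7 GET /index.html 200
10:01:06 10.0.0.8 GET /docs 200
10:01:07 10.0.0.8 GET /index.html 200
"""

# Constructed traffic to monitor: 10.0.0.9 sends two requests that match signatures,
# 10.0.0.12 sends a burst of perfectly ordinary-looking requests.
MONITORED_LOG = """\
10:05:01 10.0.0.5 GET /index.html 200
10:05:02 10.0.0.5 GET /about.html 200
10:05:03 10.0.0.5 GET /news 200
10:05:04 10.0.0.9 GET /index.php?id=1'%20OR%20'1'='1 500
10:05:05 10.0.0.9 GET /../../etc/passwd 404
10:05:06 10.0.0.12 GET /index.html 200
10:05:07 10.0.0.12 GET /index.html 200
10:05:08 10.0.0.12 GET /index.html 200
10:05:09 10.0.0.12 GET /index.html 200
10:05:10 10.0.0.12 GET /index.html 200
10:05:11 10.0.0.12 GET /index.html 200
10:05:12 10.0.0.12 GET /index.html 200
10:05:13 10.0.0.12 GET /index.html 200
"""

# Knowledge-based part: the signature database (assumed patterns for the demo).
SIGNATURES = {
    "sql-injection-tautology": re.compile(r"'(%20|\s)*OR(%20|\s)+'", re.I),
    "path-traversal": re.compile(r"\.\./"),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not crashed on."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, path, status = m.groups()
            events.append({"ts": ts, "src": src, "method": method,
                           "path": path, "status": int(status)})
    return events


def signature_detect(events):
    """Knowledge-based detection: every event is matched against every signature."""
    return [(ev["src"], name)
            for ev in events
            for name, pattern in SIGNATURES.items()
            if pattern.search(ev["path"])]


def per_minute_counts(events):
    """Requests per (source, HH:MM) pair; this is the activity being modelled."""
    counts = Counter()
    for ev in events:
        counts[(ev["src"], ev["ts"][:5])] += 1
    return counts


def learn_baseline(training_events):
    """Behavior-based learning phase: summarise normal per-minute volume."""
    values = list(per_minute_counts(training_events).values())
    return {"mean": mean(values), "stdev": pstdev(values)}


def behavior_detect(events, baseline, k=3.0):
    """Behavior-based detection: flag sources more than k sigma above normal volume."""
    threshold = baseline["mean"] + k * baseline["stdev"]
    return sorted({src for (src, _minute), n in per_minute_counts(events).items()
                   if n > threshold})


if __name__ == "__main__":
    baseline = learn_baseline(parse_log(TRAINING_LOG))
    events = parse_log(MONITORED_LOG)
    print("signature hits:", signature_detect(events))           # only 10.0.0.9
    print("behavior anomalies:", behavior_detect(events, baseline))  # only 10.0.0.12
```

Run as a script, the signature detector reports only 10.0.0.9 (the two requests match known patterns) and says nothing about the burst, while the behavior detector reports only 10.0.0.12 (its volume is far outside the learned baseline) and says nothing about the two injection attempts; the burst is exactly the kind of "new pattern" a signature database cannot know about, and the low-volume probe is exactly what a volume model cannot see.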
IDS Related Tools
• These IDS-related tools expand the usefulness and capabilities of IDSs and make them more efficient and less prone to false positives.
• These tools include
– honeypots,
– padded cells, and
Understanding Honeypots
• Individual computers or entire networks created to serve as a trap for intruders.
– They look and act like a legitimate network, but they are totally fake.
• Honeypots tempt intruders by presenting unpatched and unprotected security vulnerabilities.
Typical Honeypot Deployment
Understanding Honeypots (Cont.)
• Honeypots keep intruders performing malicious activities long enough for the automated IDS to detect the intrusion and gather as much information about the intruder as possible.
– Legitimate users never enter the honeypots.
Understanding Honeypots (Cont.)
• The use of honeypots raises the issue of enticement vs. entrapment.
• A honeypot can be legally used as an enticement device if the intruder discovers it through no outward efforts of the honeypot owner.
Understanding Honeypots (Cont.)
• Entrapment, which is illegal, occurs when the honeypot owner actively solicits visitors to access the site and then charges them with unauthorized intrusion.
• In other words, it is considered to be entrapment when you trick or encourage a perpetrator into performing an illegal or
Understanding Padded Cells
• A padded cell system is similar to a honeypot, but it performs intrusion isolation using a different approach.
– When an IDS detects an intruder, that intruder is automatically transferred to a padded cell.
– Within the padded cell the intruder can neither
Understanding Vulnerability Scanners
• Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses.
– May recommend applying patches or making specific configuration or security setting changes to improve or impose security.
• An extension to the concept of the IDS is the intrusion prevention system (IPS),
Understanding Vulnerability Scanners (Cont.)
• An IPS seeks to actively block unauthorized connection attempts or illicit traffic patterns as they occur.
Penetration Testing
• A penetration occurs when an attack is successful and an intruder is able to breach the perimeter around your environment.
– It is common for organizations to hire external consultants to perform penetration testing.
– So the testers are not informed of confidential elements of the environment’s security
Penetration Testing (Cont.)
• There are open-source and commercial tools such as Metasploit and Core IMPACT.
• To evaluate your system, benchmarking and testing tools are available for
Penetration Testing (Cont.)
• Keeping up with the latest attacks, vulnerabilities, and exploits demands that careful, attentive security professionals keep up with security bulletins.
– U.S. Computer Emergency Readiness Team at www.us-cert.gov/cas/bulletins or those from the Common Vulnerabilities and Exposures
Method of Attacks (List 1)
• The following are the most common or well-known access control attacks or attack methodologies (these are listed in alphabetical order):
– Brute force and dictionary attack
– Denial of Services
Method of Attacks (List 2)
– Sniffing
– Spamming
Brute Force and Dictionary Attacks
• We discuss brute-force and dictionary attacks together because they are waged against the same entity: passwords.
• A brute-force attack is an attempt to discover passwords for user accounts by systematically attempting all possible
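The defender's view of the attack described above, as an added example that is not part of the original slide deck: a detector that reads authentication log lines and raises an alert when one source produces a burst of failed logins, the footprint both a brute-force and a dictionary attack leave behind. The sshd-like log format, the failure threshold and the time window are assumptions for this demonstration.

```python
"""Added example, not from the slides: detecting a brute-force or dictionary
attack against passwords from constructed authentication log lines. The log
format, threshold and window are assumed values."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (not captured from a real host). A guessing tool hammers one
# account from one source; a human mistypes a password twice, minutes apart.
AUTH_LOG = """\
2024-01-10 08:00:01 Failed password for alice from 203.0.113.9
2024-01-10 08:00:02 Failed password for alice from 203.0.113.9
2024-01-10 08:00:02 Failed password for alice from 203.0.113.9
2024-01-10 08:00:03 Failed password for alice from 203.0.113.9
2024-01-10 08:00:03 Failed password for alice from 203.0.113.9
2024-01-10 08:00:04 Failed password for alice from 203.0.113.9
2024-01-10 08:00:30 Accepted password for bob from 198.51.100.4
2024-01-10 08:02:00 Failed password for carol from 198.51.100.4
2024-01-10 08:09:00 Failed password for carol from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_auth_log(text):
    """Turn each log line into a dict with a real datetime; unknown lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           "ok": outcome == "Accepted", "user": user, "src": src})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rule: `threshold` failed logins from one source within `window`.

    One alert is raised per offending source, at the moment the rule first fires.
    The alert carries the accounts targeted so an analyst can see whether one
    account is being guessed or many accounts are being tried from one source."""
    recent = defaultdict(deque)   # source -> timestamps of its recent failures
    targeted = defaultdict(set)   # source -> accounts it failed against
    alerted = set()
    alerts = []
    for ev in events:             # events are assumed to be in chronological order
        if ev["ok"]:
            continue
        src = ev["src"]
        q = recent[src]
        q.append(ev["ts"])
        targeted[src].add(ev["user"])
        while q and ev["ts"] - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "at": ev["ts"], "failures": len(q),
                           "accounts": sorted(targeted[src])})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(AUTH_LOG)):
        print(alert)   # one alert for 203.0.113.9, fired at 08:00:03 after 5 failures
```

The alert fires on the fifth failure from 203.0.113.9 three seconds into the burst; carol's two failures seven minutes apart never accumulate inside a 60-second window, which is the point of a window rather than a lifetime counter. Acting on the alert, for example by blocking the source address, is the active response from the IDS slides; merely recording it is the passive one.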
Denial of Service Attacks
• Denial-of-service (DoS) attacks are attacks that prevent a system from processing or responding to legitimate traffic or requests for resources and objects.
– The most common form of DoS is transmitting so many data packets to a server that it cannot process them all.
– DoS can result in system crashes, system
Denial of Service Attack Types
• A single attacking system floods a single victim with a steady stream of packets.
– This simple form of DoS is easy to terminate just by blocking packets from the source IP address.
• A distributed denial of service (DDoS) occurs when the attacker compromises several
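The distinction the slide draws, as an added example that is not part of the original slide deck: a per-second classifier over constructed packet records that tells a single-source flood (where blocking the source IP address ends it) apart from a distributed flood (where blocking any one source does not). The packet records, the packets-per-second threshold and the share cut-off are assumed values chosen for the demonstration.

```python
"""Added example, not from the slides: classifying a flood as single-source
or distributed so the right response can be chosen. Packet records and
thresholds are constructed/assumed for this demo."""
from collections import Counter, defaultdict


def build_sample_traffic():
    """Constructed per-packet (second, source_ip) records for three seconds of traffic."""
    packets = []
    # second 0: ordinary traffic, a few packets from a few hosts
    packets += [(0, "198.51.100.1")] * 3 + [(0, "198.51.100.2")] * 2
    # second 1: one host floods the victim while a normal client keeps talking
    packets += [(1, "203.0.113.5")] * 140 + [(1, "198.51.100.1")] * 3
    # second 2: a distributed flood, 50 compromised hosts sending 4 packets each
    packets += [(2, f"203.0.113.{i}") for i in range(10, 60) for _ in range(4)]
    return packets


def classify_traffic(packets, rate_threshold=100, single_source_share=0.8):
    """Per second: 'normal' below the rate threshold; otherwise 'single-source-dos'
    when one source sends at least `single_source_share` of the packets, else
    'distributed-dos'. Returns {second: (label, top_source, top_share)}."""
    by_second = defaultdict(Counter)
    for second, src in packets:
        by_second[second][src] += 1
    verdicts = {}
    for second, sources in sorted(by_second.items()):
        total = sum(sources.values())
        top_src, top_n = sources.most_common(1)[0]
        share = top_n / total
        if total < rate_threshold:
            label = "normal"
        elif share >= single_source_share:
            label = "single-source-dos"
        else:
            label = "distributed-dos"
        verdicts[second] = (label, top_src, round(share, 3))
    return verdicts


def suggested_response(label, top_src):
    """Map the verdict to the response an IDS/IPS could take (an active response)."""
    if label == "single-source-dos":
        return f"block source address {top_src}"
    if label == "distributed-dos":
        return "blocking one source is useless; rate-limit or filter upstream"
    return "no action"


if __name__ == "__main__":
    for second, (label, top_src, share) in classify_traffic(build_sample_traffic()).items():
        print(second, label, top_src, share, "->", suggested_response(label, top_src))
```

Second 1 is 98% one address, so the per-source block the slide describes is enough; second 2 has no source above 2% of the traffic, so the same block would remove 4 packets out of 200 and the defence has to move to rate limiting or upstream filtering.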
Spoofing Attacks
• Spoofing attacks consist of replacing a valid source and/or destination IP address and node numbers with false ones.
– The art of pretending to be something you’re not.
• Spoofing is employed when:
– An attacker uses a stolen username and password.
– An attacker changes the source address in a malicious packet.
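A border filter for the second case on the slide, a forged source address, as an added example that is not part of the original slide deck: on ingress a packet arriving from outside must not claim an internal or reserved source address, and on egress a packet leaving the site must carry an internal source address. The internal prefix 192.168.10.0/24 and the packet records are constructed for the demonstration.

```python
"""Added example, not from the slides: ingress/egress checks that drop packets
whose source address is impossible for the direction they travel. The site
prefix and packet records are constructed for this demo."""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]   # assumed site prefix
# Sources that can never legitimately arrive from outside: "this" net, RFC 1918, loopback
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_spoofed(direction, src_ip):
    """True when the source address is impossible for the given direction."""
    src = ipaddress.ip_address(src_ip)
    if direction == "ingress":      # arriving from outside: must not look internal/reserved
        return any(src in net for net in INTERNAL_NETS + BOGON_NETS)
    if direction == "egress":       # leaving the site: must carry one of our own addresses
        return not any(src in net for net in INTERNAL_NETS)
    raise ValueError(f"unknown direction {direction!r}")


def filter_packets(packets):
    """Split (direction, src, dst) records into those forwarded and those dropped."""
    forwarded, dropped = [], []
    for direction, src, dst in packets:
        (dropped if is_spoofed(direction, src) else forwarded).append((direction, src, dst))
    return forwarded, dropped


SAMPLE_PACKETS = [   # constructed records
    ("ingress", "203.0.113.9", "192.168.10.20"),    # genuine external client
    ("ingress", "192.168.10.7", "192.168.10.20"),   # claims to be inside: spoofed
    ("ingress", "127.0.0.1", "192.168.10.20"),      # loopback from the wire: spoofed
    ("egress", "192.168.10.7", "203.0.113.9"),      # genuine outbound
    ("egress", "198.51.100.4", "203.0.113.9"),      # our host forging another address
]

if __name__ == "__main__":
    forwarded, dropped = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", forwarded)   # the two genuine packets
    print("dropped:", dropped)       # the three spoofed ones
```

The egress rule matters as much as the ingress one: it stops hosts on your own network from forging addresses toward other sites, which is where many flooding attacks hide their origin.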
Man in The Middle Attacks
• A man-in-the-middle attack occurs when a malicious user is able to gain a position between the two endpoints of an ongoing communication.
– One form is sniffing the traffic between two parties; this is basically a sniffer attack.
– The other involves attackers positioning
Man in The Middle Attacks (Cont. 2)
• In a form of this attack, called a hijack attack, a malicious user is positioned between a
Man in The Middle Attacks (Cont. 3)
• Another type is the replay attack (playback attack).
– A malicious user records traffic between a client and server; then the packets sent from the client to the server are played back or retransmitted to that server with slight
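The server side of the replay attack just described, as an added example that is not part of the original slide deck: each client message carries a nonce and a timestamp under an HMAC, and the server rejects a recorded message played back unchanged (nonce already seen), played back with a slight change (tag no longer matches) or played back much later (timestamp outside the freshness window). The pre-shared key, the message format and the 30-second window are assumptions for the demonstration.

```python
"""Added example, not from the slides: a replay guard that rejects recorded
messages played back unchanged, altered or late. Key, message format and
window are assumptions for this demo."""
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-shared-secret"   # assumed pre-shared key


def _tag(key, nonce, ts, body):
    """HMAC-SHA256 over nonce, timestamp and body, so none of them can be altered."""
    data = f"{nonce}|{ts}|{body}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_message(key, body, nonce, ts):
    """Client side: build an authenticated message; the nonce must be fresh per message."""
    return {"nonce": nonce, "ts": ts, "body": body, "tag": _tag(key, nonce, ts, body)}


class ReplayGuard:
    """Server side: accept each nonce once, and only inside the freshness window."""

    def __init__(self, key, window=30):
        self.key = key
        self.window = window
        self.seen = {}          # nonce -> timestamp it was accepted with

    def verify(self, msg, now):
        # Forget nonces older than the window; a message that old is stale anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        expected = _tag(self.key, msg["nonce"], msg["ts"], msg["body"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag"          # body, nonce or timestamp was altered
        if abs(now - msg["ts"]) > self.window:
            return "rejected: stale timestamp"  # recorded long ago, played back now
        if msg["nonce"] in self.seen:
            return "rejected: replay"           # identical message already accepted
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"


def demo():
    """Four deliveries: the original, an exact replay, an altered replay, a late replay."""
    guard = ReplayGuard(DEMO_KEY)
    original = make_message(DEMO_KEY, "transfer 10 to acct 42", nonce="n-0001", ts=1000)
    altered = dict(original, body="transfer 10 to acct 99")   # the 'slight' change
    late = make_message(DEMO_KEY, "transfer 10 to acct 42", nonce="n-0002", ts=1000)
    return [
        guard.verify(original, now=1005),
        guard.verify(original, now=1010),
        guard.verify(altered, now=1012),
        guard.verify(late, now=2000),
    ]


if __name__ == "__main__":
    print(demo())   # ['accepted', 'rejected: replay', 'rejected: bad tag', 'rejected: stale timestamp']
```

The order of the checks is deliberate: the tag is verified first so that an attacker cannot learn anything about accepted nonces from a forged message, and the timestamp check bounds how long the server has to remember nonces.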
Sniffing Attacks
• A sniffer attack (also known as a snooping attack) is any activity that results in a malicious user obtaining information about a network or the traffic over that network.
• A sniffer is some kind of packet-capturing program that dumps the contents of
Spamming Attacks
• Spam: the term that describes unsolicited email, newsgroup, or discussion forum messages.
– Spam can be as innocuous as an advertisement from a well-meaning vendor or as malignant as floods of unrequested messages with viruses or Trojan horses attached.
– Spamming attacks are directed floods of
Access Control Compensation
• Access control is used to regulate or specify which objects a subject can access and what type of access is allowed or denied.
• To specify countermeasures for each of these attacks, you can use certain
Access Control Compensation (Cont. 1)
• Backups are the best means of compensation against access control violations.
• Having backup communication routes, mirrored servers, clustered systems, failover systems, and so on can provide instant automatic or quick manual