Network attacks and network intrusion detection systems
Prof. Evgeny Abramov
IT-Security Department, Taganrog Institute of Technology, Southern Federal University, Taganrog, Russia
22 hours, 5 credits
June 6 - June 10, 2011
Dipartimento di Ingegneria dell'Informazione: Elettronica, Informatica, Telecomunicazioni, via Caruso, meeting room, ground floor
Contacts: Prof. Michele Pagano
Summary
This series of lessons examines some of the most dangerous types of network attacks (buffer overflow, format string vulnerabilities, SQL injection, XSS), together with methods for their detection and countermeasures. A classification of vulnerabilities based on CVE and CWE is presented. The most popular DDoS attacks and protection technologies are discussed, and some types of attacks that exploit buffer overflows and are part of many types of malicious scripts are considered.
Methods for detection and reaction are analyzed with reference to the use of personal firewalls and the Snort network intrusion detection system (NIDS). We shall examine countermeasures to personal firewall bypass attempts, which are used by hackers to capture host control and install covert channels. An approach to developing effective Snort rules is illustrated, and a generalized method of testing NIDS effectiveness is presented.
Contents