INTRUSION DETECTION SYSTEMS (IDS)
Presented by:
Definitions
• Intrusion
– A set of actions aimed at compromising the security goals of a computing or networking resource, namely:
• integrity, confidentiality, or availability.
• Intrusion detection
– The process of identifying and responding to intrusion activities.
• Intrusion prevention
– An extension of intrusion detection that also exercises access control to protect computers from exploitation.
REAL LIFE ANALOGY
Digging a Tunnel
(Figure: RelTunel – ICMP Tunnel)
• You spend great money on concrete walls (firewalls), but they are of no use if someone can dig through them.
WHY DO I NEED AN IDS? I HAVE A FIREWALL.
Components of Intrusion Detection System
• Audit Data Preprocessor: turns audit records into activity data
• Detection Engine, driven by detection models: turns activity data into alarms
• Decision Engine, driven by a decision table: turns alarms into an action/report
Underlying assumptions:
• system activities are observable
• normal and intrusive activities have distinct evidence
E-COMMERCE + WELL KNOWN NAME = HACKER TARGET
• A clear example is the denial of service attacks against Yahoo, eBay, and other popular sites.
• ISCA Info Security Magazine, Sept 2012
– Comparison of e-commerce sites (left column) vs non e-commerce sites (right column)
Threat                     E-Comm   Non E-Comm
Viruses/Trojan/worm          82%      76%
Denial of service            42%      31%
Active Scripting exploit     40%      34%
Protocol Weaknesses          29%      23%
Insecure Passwords           30%      20%
Buffer Overflow              29%      20%
Bugs in web server           33%      16%
Who are the targets?
• Simply being connected is a good enough reason to be a target. The search for easy-to-compromise hosts is ongoing.
• Fast bandwidth is now a cheap commodity.
• Cable modem and ADSL access is the equivalent of having a T1 link in your home.
• Kids of all ages can scan a whole country in a very short time frame.
• No specific motive: they do it for fame, fun, to show off, or just because they have nothing else to do. No technical knowledge is required to be a "script kiddie".
The biggest threat: EXPOSURE…!!!!!
• The biggest threat of all is bad publicity: having your company's reputation and name associated with an intrusion, site modification and defacement, or even attacks on other sites using your resources as a launch platform.
• It could kill all faith in the belief that you can offer a secure environment for e-commerce or other online activities.
• Perception is often not the reality, but outsiders and customers do not care that the specific site was on a bronze plan or that it was not hosted in house.
• PEOPLE ONLY READ LARGE TITLES such as:
Intrusion Detection Approaches
• Modeling
– Features: evidence extracted from audit data
– Analysis approach: piecing the evidence together
• Misuse detection (a.k.a. signature-based)
• Anomaly detection (a.k.a. statistical-based)
• Deployment: network-based or host-based
– Network based: monitor network traffic.
– Host based: monitor computer processes.
Misuse Detection
(Figure: observed activities are matched against known intrusion patterns; a pattern match signals an intrusion)
• Example: if (src_ip == dst_ip) then "land attack"
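As an added example (not code from the slides), the land-attack rule above and one content signature applied to a constructed stream of packet summaries. The Packet fields, the traffic sample and the test token looked for in the payload are assumptions made for the demo, not any IDS product's schema or rule set:

```python
"""Misuse (signature-based) detection over packet summaries.

Added example, not part of the original slides. Packet records and
signatures are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    # Assumed field names for the demo; a real sensor decodes these from the wire.
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    payload: bytes = b""


# A signature pairs a name with a predicate over one packet. The first one is
# the slide's land-attack rule: source and destination address identical.
# The second is a virus-scanner style content match on a constructed token.
SIGNATURES = [
    ("land attack", lambda p: p.src_ip == p.dst_ip),
    ("test pattern", lambda p: p.dst_port == 80 and b"X-IDS-TEST-TOKEN" in p.payload),
]


def detect(packets):
    """Return (packet index, signature name) for every match.

    Every signature is evaluated against every packet, so one packet can raise
    several alerts; that is how a pattern-matching engine behaves.
    """
    alerts = []
    for i, p in enumerate(packets):
        for name, pred in SIGNATURES:
            if pred(p):
                alerts.append((i, name))
    return alerts


# Constructed traffic sample: one benign packet, one land packet, one packet
# carrying the test token.
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.5", "tcp", 443, b"..."),
    Packet("198.51.100.5", "198.51.100.5", "tcp", 139),
    Packet("192.0.2.77", "198.51.100.5", "tcp", 80, b"GET / HTTP/1.0\r\nX-IDS-TEST-TOKEN: 1\r\n\r\n"),
]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE):
        print(f"packet {idx}: {name}")
```

The rule list only fires on what it was written for: a packet that carries the same idea with different bytes produces no alert, which is the limitation the later slides on polymorphism describe.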
Anomaly Detection
(Chart: activity measures, CPU and process size on a 0–90 scale; readings inside the normal profile are accepted, readings in the abnormal region are flagged as a probable intrusion)
• Relatively high false positive rate
• Anomalies can just be new normal activities.
• Anomalies caused by other element faults
• E.g., router failure or misconfiguration, P2P misconfiguration.
• Any problem?
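Added example, not from the slides, showing the profile idea above on constructed readings: a normal profile is learned from a training window and a new reading is flagged when a feature falls outside it. The per-feature mean and standard deviation profile, the 3-sigma threshold and all sample values are choices made for the demo; the last sample is the false positive case the bullets describe, a legitimate batch job that is simply a new normal:

```python
"""Statistical anomaly detection on activity measures.

Added example, not part of the original slides. The measures (cpu percent and
process size in MB) and every sample value are constructed.
"""
from statistics import mean, pstdev

FEATURES = ("cpu", "size_mb")


def build_profile(training):
    """Normal profile: (mean, population std-dev) of each feature over the training window."""
    profile = {}
    for f in FEATURES:
        values = [s[f] for s in training]
        profile[f] = (mean(values), pstdev(values))
    return profile


def deviating_features(sample, profile, k=3.0):
    """Names of features more than k standard deviations away from the profile mean."""
    out = []
    for f, (mu, sigma) in profile.items():
        sigma = max(sigma, 1e-9)  # a constant feature would otherwise flag any change at all
        if abs(sample[f] - mu) > k * sigma:
            out.append(f)
    return out


def classify(samples, profile):
    """Label samples as the chart does: inside the profile is normal, outside is a probable intrusion."""
    return ["probable intrusion" if deviating_features(s, profile) else "normal"
            for s in samples]


# Constructed training window of ordinary interactive-hour readings.
TRAINING = [{"cpu": c, "size_mb": m} for c, m in
            [(12, 40), (15, 42), (10, 38), (18, 45), (14, 41), (11, 39), (16, 44), (13, 40)]]
PROFILE = build_profile(TRAINING)

# Constructed observations: a normal reading, a runaway process, and a
# legitimate nightly batch job that never appeared in the training window.
NORMAL = {"cpu": 14, "size_mb": 41}
RUNAWAY = {"cpu": 85, "size_mb": 300}
BATCH_JOB = {"cpu": 60, "size_mb": 43}

if __name__ == "__main__":
    samples = (NORMAL, RUNAWAY, BATCH_JOB)
    for s, label in zip(samples, classify(samples, PROFILE)):
        print(s, "->", label, deviating_features(s, PROFILE))
```

The batch job is reported as a probable intrusion although nothing is wrong; the usual remedy is to fold such readings into the training window and rebuild the profile, after which the same reading is inside it. That retraining is also where an anomaly detector is weakest: whatever is fed in as training becomes "normal".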
TYPE OF ANALYSIS
• Signature based (pattern matching)
– Similar to a virus scanner: look for a specific string in the network data presented to the IDS.
• Statistical
– Based on time, frequency and length of session.
– For example: if cdupuis logs on at 03:00 AM and has never done so in the past, it will raise a flag.
• Integrity checker
– Based on a hashing mechanism. Detects authorized and unauthorized changes to files within your systems.
• Anomaly detection / behaviour based
• Flow based
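The integrity-checker analysis type above, as an added example that is not part of the slides: a baseline of SHA-256 digests is recorded for a file tree, the tree is re-hashed later, and every path is classified as added, removed or modified. The directory layout and file contents are constructed inside a temporary directory so the demo runs offline; SHA-256 is the hash chosen here, not one the slides name:

```python
"""File integrity checking with cryptographic hashes.

Added example, not part of the original slides. demo() builds a few
constructed files in a temporary directory, takes a baseline, then changes
one file, removes one and adds one, and reports the differences.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every regular file under root (as a relative path) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = hash_file(full)
    return digests


def compare(baseline, current):
    """Classify paths as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo():
    """Run the whole scenario on constructed files and return the comparison."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed contents; nothing here is a real system file
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "bin/ls": b"\x7fELF constructed binary\n",
            "etc/motd": b"welcome\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        baseline = hash_tree(root)

        # Simulated changes since the baseline: one binary replaced, one file
        # deleted, one new file dropped in.
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"\x7fELF replaced binary\n")
        os.remove(os.path.join(root, "etc/motd"))
        with open(os.path.join(root, "etc/new.conf"), "wb") as f:
            f.write(b"added after baseline\n")

        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the baseline: if the digest store lives on the monitored host with the same privileges as the files it describes, whoever modifies a file can update its digest too, so the baseline is normally kept off-host or signed.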
There are two types of IDS:
Host-Based IDSs
• Using OS auditing mechanisms
– E.g., BSM on Solaris: logs all direct or indirect events generated by a user
• Problems: user dependent
– Have to install the IDS on all user machines!
– Ineffective for large scale attacks
(Figure: The Spread of Sapphire/Slammer Worms)
HOST BASED (Advantages)
• Monitors in terms of who accessed what
• Can map problem activities to a specific user id
• System can track behaviour changes associated with misuse
• Can operate in an encrypted environment
• Operates in switched networks
• Monitoring load is distributed across multiple hosts rather than on a single host, reporting only relevant data to a central console
HOST BASED (Disadvantages)
• Cannot see all network activities.
• Running audit mechanisms adds load to the system; performance may be an issue.
• Audit trails can take lots of storage.
• Escalation of false positives.
• Greater deployment and maintenance cost.
Network IDS
• Deploying sensors at strategic locations
– E.g., packet sniffing via tcpdump at routers
• Inspecting network traffic
– Watch for violations of protocols and unusual connection patterns.
• Monitoring user activities
– Look into the data portions of the packets for malicious code.
• May be easily defeated by encryption
– Data portions and some header information can be encrypted.
– The decryption engine may still be there, especially for exploits.
Architecture of Network IDS
• Packet capture (libpcap)
• TCP reassembly
• Protocol identification
• Packet stream
• Signature matching (& protocol parsing when needed)
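Added example, not from the slides, of why the TCP reassembly stage sits in front of signature matching in the pipeline above: segments of one connection are delivered out of order and a pattern split across two of them is invisible to per-packet matching but found once the stream is rebuilt. The segments and the signature are constructed; capture via libpcap and the full TCP state machine (handshake, windows, FIN) are left out:

```python
"""TCP reassembly before signature matching.

Added example, not part of the original slides. Segments are (sequence
number, payload) pairs for one direction of one constructed connection.
"""
import re

# Constructed signature: a request for a shell script under /cgi-bin.
SIGNATURE = re.compile(rb"GET /cgi-bin/[a-z]+\.sh")


def reassemble(segments, isn):
    """Order segments by sequence number and concatenate contiguous payload.

    Overlapping retransmissions are trimmed; at the first hole the function
    stops, because data after a missing segment must not be matched at the
    wrong offset (a real engine buffers it until the gap is filled).
    """
    stream = b""
    expected = isn
    for seq, data in sorted(segments):
        if seq < expected:          # retransmission or overlap: keep only the new tail
            data = data[expected - seq:]
            seq = expected
        if seq != expected:         # hole: wait for the missing segment
            break
        stream += data
        expected += len(data)
    return stream


def match_per_packet(segments):
    """Sequence numbers of segments whose own payload matches the signature."""
    return [seq for seq, data in segments if SIGNATURE.search(data)]


def match_stream(segments, isn):
    """True when the signature appears in the reassembled stream."""
    return SIGNATURE.search(reassemble(segments, isn)) is not None


# Constructed segments, delivered out of order, with the request split in two.
ISN = 1000
SEGMENTS = [
    (1009, b"bin/run.sh HTTP/1.0\r\n\r\n"),
    (1000, b"GET /cgi-"),
]

if __name__ == "__main__":
    print("per-packet matches:", match_per_packet(SEGMENTS))
    print("stream match:", match_stream(SEGMENTS, ISN))
```

Splitting a request across segment boundaries is exactly the kind of evasion a sensor without reassembly misses, which is why the stage is listed before matching rather than treated as an optimisation.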
Network Based IDSs
• At the early stage of a worm there are only limited worm samples.
• Host based sensors can only cover a limited IP space, which might have scalability issues. Thus they might not be able to detect the worm in its early stage.
(Figure: the Internet, gateway routers and our network, with host based detection on individual hosts)
Requirements of Network IDS
• High-speed, large volume monitoring
– No packet filter drops
• Real-time notification
• Mechanism separate from policy
• Extensible
• Broad detection coverage
• Economy in resource usage
• Resilience to stress
• Resilience to attacks upon the IDS itself!
NETWORK BASED (Advantages)
• Can get information quickly without any reconfiguration of computers or need to redirect logging mechanisms
• Does not affect network or data sources
• Monitors and detects network attacks or misuse in real time
• Does not create system overhead
NETWORK BASED (Disadvantages)
• Cannot scan protocols if the data is encrypted
• Can infer from network traffic what is happening on a host but cannot tell the outcome
• Hard to implement on fully switched networks
• Has difficulties sustaining networks with a very large bandwidth
Limitations of Exploit Based Signature
(Figure: traffic filtering between the Internet and our network with the exploit signature 10.*01; incoming byte strings 1010101, 10111101, 11111100 and 00010111 are checked against it, and only those containing the exact pattern are blocked (X))
• A polymorphic worm might not have an exact exploit based signature
• Polymorphism!
Vulnerability Signature
Works for polymorphic worms.
Works for all the worms which target the same vulnerability.
(Figure: vulnerability signature traffic filtering between the Internet and our network blocks (X) every variant that targets the vulnerability)
Example of Vulnerability Signatures
• At least 75% of vulnerabilities are due to buffer overflow
Sample vulnerability signature
• Field length corresponding to the vulnerable buffer > certain threshold
• Intrinsic to the buffer overflow vulnerability and hard to evade
(Figure: a protocol message whose field is longer than the vulnerable buffer; Overflow!)
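The contrast between the two signature styles on the last three slides, as an added example that is not from the slides: an exploit-based byte signature written from one observed sample is compared with a vulnerability signature that checks the length of the field copied into the vulnerable buffer. The message format (1-byte field id, 2-byte big-endian length, value), the 64-byte buffer limit and both variants are constructed for the demo; no real protocol, product or vulnerability is modelled:

```python
"""Exploit-based byte signature vs vulnerability (field-length) signature.

Added example, not part of the original slides. The TLV protocol, the
vulnerable field, the buffer limit and the sample messages are constructed.
"""
import struct

VULNERABLE_FIELD = 0x01   # assumed: this field is copied into a fixed 64-byte buffer
BUFFER_LIMIT = 64


def parse_message(raw):
    """Parse TLV fields into {field_id: value}; raise ValueError on truncation."""
    fields, i = {}, 0
    while i < len(raw):
        if i + 3 > len(raw):
            raise ValueError("truncated header")
        fid = raw[i]
        length = struct.unpack(">H", raw[i + 1:i + 3])[0]
        value = raw[i + 3:i + 3 + length]
        if len(value) != length:
            raise ValueError("truncated value")
        fields[fid] = value
        i += 3 + length
    return fields


def exploit_signature(raw):
    """Byte pattern lifted from the first observed sample: a long run of 'A'."""
    return b"A" * 32 in raw


def vulnerability_signature(raw):
    """Fires when the vulnerable field is longer than the buffer it lands in."""
    fields = parse_message(raw)
    return len(fields.get(VULNERABLE_FIELD, b"")) > BUFFER_LIMIT


def classify(raw):
    """Verdict of both detectors for one message."""
    return {"exploit_sig": exploit_signature(raw),
            "vuln_sig": vulnerability_signature(raw)}


def build(fid, value):
    """Encode one TLV field."""
    return bytes([fid]) + struct.pack(">H", len(value)) + value


# Constructed messages: a benign one, the sample the byte signature was
# written from, and a second variant that overflows the same buffer with
# different bytes (the polymorphism case).
BENIGN = build(0x01, b"alice") + build(0x02, b"hello")
VARIANT_A = build(0x01, b"A" * 200)
VARIANT_B = build(0x01, bytes(range(200)))

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN), ("variant A", VARIANT_A), ("variant B", VARIANT_B)):
        print(name, classify(msg))
```

The byte signature catches only the variant it was derived from, while the length check catches both, because overrunning the buffer is a property of the vulnerability rather than of any particular payload. The cost is that the vulnerability signature needs the protocol parsed far enough to find the field, which is the "protocol parsing when needed" stage of the architecture slide.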
Current State of IDS
• Lots of people are still using firewall and router logs for intrusion detection (home brew)
• IDS are not very mature.
• Mostly signature based.
• It is a quickly evolving domain.
• Giant leaps and progress every quarter.
• As stated by Bruce Schneier in his book 'Secrets and Lies in a digital world':
Prevention
Detection (getting to this point today)
Response
• SNORT
• FIRESTORM
• PRELUDE
• DRAGON
• SonicWALL
WHAT CAN IDS REALISTICALLY DO?
– Monitor and analyse user and system activities
– Audit system and configuration vulnerabilities
– Assess the integrity of critical system and data files
– Recognise patterns reflecting known attacks
– Statistical analysis for abnormal activities
– Data trail: tracing activities from the point of entry up to the point of exit
– Installation of decoy servers (honey pots)
– Installation of vendor patches (some IDS)
WHAT IDS CANNOT DO?
– Compensate for weak authentication and identification mechanisms.
– Investigate attacks without human intervention.
– Guess the content of your organization's security policy.
– Compensate for weaknesses in networking protocols, for example IP spoofing.
– Compensate for a lack of integrity or confidentiality of information.
– Deal adequately with attacks at the packet level.
SUMMARY
• Select the IDS you wish to use according to your needs and requirements (short list).
• Select hardware.
• Decide on the positioning of the IDS (total, per customer, per zone, etc.).
• Acquire and install HW and SW (perform tests).
• Minimize false positives and false negatives.
• Deploy to the production environment.
• Monitor, tune, update, monitor, tune, update…
intrusion detection system (IDS)

Ben Aldrich
 
Information and Communication Technology in Education
Information and Communication Technology in EducationInformation and Communication Technology in Education
Information and Communication Technology in Education
MJDuyan
 

Recently uploaded (20)

How to Create a Stage or a Pipeline in Odoo 17 CRM
How to Create a Stage or a Pipeline in Odoo 17 CRMHow to Create a Stage or a Pipeline in Odoo 17 CRM
How to Create a Stage or a Pipeline in Odoo 17 CRM
 
220711130100 udita Chakraborty Aims and objectives of national policy on inf...
220711130100 udita Chakraborty  Aims and objectives of national policy on inf...220711130100 udita Chakraborty  Aims and objectives of national policy on inf...
220711130100 udita Chakraborty Aims and objectives of national policy on inf...
 
The Science of Learning: implications for modern teaching
The Science of Learning: implications for modern teachingThe Science of Learning: implications for modern teaching
The Science of Learning: implications for modern teaching
 
Diversity Quiz Finals by Quiz Club, IIT Kanpur
Diversity Quiz Finals by Quiz Club, IIT KanpurDiversity Quiz Finals by Quiz Club, IIT Kanpur
Diversity Quiz Finals by Quiz Club, IIT Kanpur
 
The basics of sentences session 8pptx.pptx
The basics of sentences session 8pptx.pptxThe basics of sentences session 8pptx.pptx
The basics of sentences session 8pptx.pptx
 
(T.L.E.) Agriculture: "Ornamental Plants"
(T.L.E.) Agriculture: "Ornamental Plants"(T.L.E.) Agriculture: "Ornamental Plants"
(T.L.E.) Agriculture: "Ornamental Plants"
 
Creativity for Innovation and Speechmaking
Creativity for Innovation and SpeechmakingCreativity for Innovation and Speechmaking
Creativity for Innovation and Speechmaking
 
Diversity Quiz Prelims by Quiz Club, IIT Kanpur
Diversity Quiz Prelims by Quiz Club, IIT KanpurDiversity Quiz Prelims by Quiz Club, IIT Kanpur
Diversity Quiz Prelims by Quiz Club, IIT Kanpur
 
managing Behaviour in early childhood education.pptx
managing Behaviour in early childhood education.pptxmanaging Behaviour in early childhood education.pptx
managing Behaviour in early childhood education.pptx
 
Post init hook in the odoo 17 ERP Module
Post init hook in the  odoo 17 ERP ModulePost init hook in the  odoo 17 ERP Module
Post init hook in the odoo 17 ERP Module
 
A Quiz on Drug Abuse Awareness by Quizzito
A Quiz on Drug Abuse Awareness by QuizzitoA Quiz on Drug Abuse Awareness by Quizzito
A Quiz on Drug Abuse Awareness by Quizzito
 
The Rise of the Digital Telecommunication Marketplace.pptx
The Rise of the Digital Telecommunication Marketplace.pptxThe Rise of the Digital Telecommunication Marketplace.pptx
The Rise of the Digital Telecommunication Marketplace.pptx
 
How to stay relevant as a cyber professional: Skills, trends and career paths...
How to stay relevant as a cyber professional: Skills, trends and career paths...How to stay relevant as a cyber professional: Skills, trends and career paths...
How to stay relevant as a cyber professional: Skills, trends and career paths...
 
Accounting for Restricted Grants When and How To Record Properly
Accounting for Restricted Grants  When and How To Record ProperlyAccounting for Restricted Grants  When and How To Record Properly
Accounting for Restricted Grants When and How To Record Properly
 
Opportunity scholarships and the schools that receive them
Opportunity scholarships and the schools that receive themOpportunity scholarships and the schools that receive them
Opportunity scholarships and the schools that receive them
 
Keynote given on June 24 for MASSP at Grand Traverse City
Keynote given on June 24 for MASSP at Grand Traverse CityKeynote given on June 24 for MASSP at Grand Traverse City
Keynote given on June 24 for MASSP at Grand Traverse City
 
Get Success with the Latest UiPath UIPATH-ADPV1 Exam Dumps (V11.02) 2024
Get Success with the Latest UiPath UIPATH-ADPV1 Exam Dumps (V11.02) 2024Get Success with the Latest UiPath UIPATH-ADPV1 Exam Dumps (V11.02) 2024
Get Success with the Latest UiPath UIPATH-ADPV1 Exam Dumps (V11.02) 2024
 
220711130097 Tulip Samanta Concept of Information and Communication Technology
220711130097 Tulip Samanta Concept of Information and Communication Technology220711130097 Tulip Samanta Concept of Information and Communication Technology
220711130097 Tulip Samanta Concept of Information and Communication Technology
 
Interprofessional Education Platform Introduction.pdf
Interprofessional Education Platform Introduction.pdfInterprofessional Education Platform Introduction.pdf
Interprofessional Education Platform Introduction.pdf
 
Information and Communication Technology in Education
Information and Communication Technology in EducationInformation and Communication Technology in Education
Information and Communication Technology in Education
 

intrusion detection system (IDS)

9. The biggest threat: EXPOSURE!
• The biggest threat of all is bad publicity: having your company's name and reputation associated with an intrusion, a site modification or defacement, or an attack on other sites that used your resources as a launch platform.
• It can kill all faith in your ability to offer a secure environment for e-commerce or other online activities.
• Perception is often not reality, but outsiders and customers do not care that the affected site was on a bronze plan or was not hosted in house.
• PEOPLE ONLY READ LARGE TITLES such as:

10. Intrusion Detection Approaches
• Modeling
– Features: evidence extracted from audit data
– Analysis approach: piecing the evidence together
• Misuse detection (a.k.a. signature-based)
• Anomaly detection (a.k.a. statistical-based)
• Deployment: network-based or host-based
– Network-based: monitors network traffic
– Host-based: monitors computer processes

12. Anomaly Detection
[Chart: activity measures (CPU, process size) on a 0 to 90 scale, contrasting the normal profile with abnormal activity; a measure that falls outside the normal profile is a probable intrusion]
• Any problem?
• Relatively high false positive rate
– Anomalies can just be new normal activities.
– Anomalies can be caused by faults in other elements, e.g. router failure or misconfiguration, P2P misconfiguration.

13. TYPE OF ANALYSIS
• Signature based (pattern matching)
– Similar to a virus scanner: looks for a specific string in the network data presented to the IDS.
• Statistical
– Based on time, frequency, length of session.
– For example: cdupuis logs on at 03:00 AM and has never done so in the past; this raises a flag.
• Integrity checker
– Based on a hashing mechanism. Detects authorized and unauthorized changes to files on your systems.
• Anomaly detection / behaviour based
• Flow based
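Two of the analysis types listed on slides 12 and 13, the statistical profile and the integrity checker, worked through as an added example. This code is not from the original slides or their author: the login records, the user names (cdupuis, ops), the file paths and their contents are all constructed for the demonstration, and the z-score threshold of 3 and the minimum of 5 samples per user are assumptions.

```python
"""Added example (not part of the original slides): a per-user login-hour
profile for statistical detection, and a SHA-256 file-integrity baseline.
All audit records, users, paths and file contents below are constructed."""
import hashlib
import statistics
from collections import defaultdict

# Constructed audit records: (user, hour-of-day of a successful login).
# Hour-of-day is circular; the samples stay away from midnight so a plain
# mean/stdev profile is adequate for the demonstration.
BASELINE_LOGINS = [
    ("cdupuis", 8), ("cdupuis", 9), ("cdupuis", 9), ("cdupuis", 10),
    ("cdupuis", 8), ("cdupuis", 11), ("cdupuis", 9), ("cdupuis", 10),
    ("ops", 2), ("ops", 3), ("ops", 1), ("ops", 2), ("ops", 3), ("ops", 1),
]


def build_profile(records, min_samples=5):
    """Per-user (mean, population stdev) of login hour. Users with fewer
    than min_samples records get no profile: there is not enough evidence
    to call anything abnormal for them (assumed threshold)."""
    hours = defaultdict(list)
    for user, hour in records:
        hours[user].append(hour)
    return {
        user: (statistics.mean(hs), statistics.pstdev(hs))
        for user, hs in hours.items()
        if len(hs) >= min_samples
    }


def score_login(profile, user, hour, z_threshold=3.0):
    """Return (is_anomalous, z_score). A login more than z_threshold
    standard deviations from the user's usual hour is flagged; users
    without a profile are not scored. The stdev floor of 0.5 stops a
    user whose logins are all at the same hour from flagging every
    one-hour shift."""
    if user not in profile:
        return False, None
    mean, stdev = profile[user]
    stdev = max(stdev, 0.5)
    z = abs(hour - mean) / stdev
    return z > z_threshold, round(z, 2)


def hash_files(files):
    """Integrity baseline: SHA-256 of each file's bytes. `files` maps
    path -> bytes (constructed in-memory stand-ins for real files)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_integrity(baseline, current_files):
    """Compare the current hashes with the baseline. The checker reports
    that a file changed, not whether the change was authorized; that
    judgement needs the change-management record the slide alludes to."""
    current = hash_files(current_files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# Constructed file system snapshots (contents abbreviated, not real binaries).
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/bin/ls": b"\x7fELF...ls...",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n",
    "/bin/ls": b"\x7fELF...ls...",
    "/root/.ssh/authorized_keys": b"ssh-ed25519 AAAA... attacker\n",
}


def run_demo():
    """Run both analyses over the constructed data and return the findings."""
    profile = build_profile(BASELINE_LOGINS)
    logins = {
        "cdupuis@03:00": score_login(profile, "cdupuis", 3),   # flagged
        "cdupuis@10:00": score_login(profile, "cdupuis", 10),  # normal
        "ops@02:00": score_login(profile, "ops", 2),           # normal for ops
        "newhire@03:00": score_login(profile, "newhire", 3),   # no profile yet
    }
    integrity = check_integrity(hash_files(BASELINE_FILES), CURRENT_FILES)
    return {"logins": logins, "integrity": integrity}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The same 02:00 login is an anomaly for cdupuis and routine for the ops account, which is the point of keeping a profile per user rather than one global baseline. The false-positive problem from slide 12 shows up as soon as a user's habits change: a new night shift would be flagged until enough records accumulate to move the profile.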
14. There are two types of IDS:

15. Host-Based IDSs
• Use OS auditing mechanisms
– E.g., BSM on Solaris: logs all direct or indirect events generated by a user
• Problems: user dependent
– The IDS has to be installed on all user machines!
– Ineffective against large-scale attacks

16. The Spread of the Sapphire/Slammer Worm

17. HOST BASED (Advantages)
• Monitors in terms of who accessed what
• Can map problem activities to a specific user ID
• Can track behaviour changes associated with misuse
• Can operate in an encrypted environment
• Operates on switched networks
• Monitoring load is distributed across multiple hosts rather than a single host; only relevant data is reported to a central console

18. HOST BASED (Disadvantages)
• Cannot see all network activity.
• Running audit mechanisms adds load to the system; performance may be an issue.
• Audit trails can take a lot of storage.
• Escalation of false positives.
• Greater deployment and maintenance cost.

19. Network IDS
• Deploy sensors at strategic locations
– E.g., packet sniffing via tcpdump at routers
• Inspect network traffic
– Watch for protocol violations and unusual connection patterns.
• Monitor user activities
– Look into the data portions of packets for malicious code.
• May be easily defeated by encryption
– Data portions and some header information can be encrypted.
– The decryption routine may still be visible in the clear, especially for an encoded exploit payload.

20. Architecture of Network IDS
• Packet capture (libpcap)
• Packet stream
• TCP reassembly
• Protocol identification
• Signature matching (and protocol parsing when needed)
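The pipeline on slide 20, packet capture, TCP reassembly, protocol identification and signature matching, as an added example that is not from the original slides. Captured packets are replaced by constructed dictionaries (libpcap is not used), the two signature patterns and the addresses are made up, and the reassembler assumes well-behaved segments. What it shows is why the reassembly stage exists: a pattern split across two segments that arrive out of order is invisible to a matcher that inspects one packet at a time.

```python
"""Added example (not part of the original slides): a minimal network-IDS
pipeline over constructed packets. Signatures, addresses and payloads are
made up for the demonstration."""
from collections import defaultdict

# Constructed signatures: (name, byte pattern). Real rule sets also carry
# protocol, port and direction constraints; only the pattern is kept here.
SIGNATURES = [
    ("shell-spawn", b"/bin/sh"),
    ("path-traversal", b"../../"),
]

# Fallback protocol guess by well-known destination port (assumed table).
PORT_PROTOCOLS = {80: "http", 8080: "http", 22: "ssh", 25: "smtp"}


def flow_key(pkt):
    """Identify one direction of a TCP flow by its 4-tuple."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def reassemble(packets):
    """Order each flow's segments by sequence number and join the payloads.
    Overlapping, duplicated or missing segments are not handled; a real
    reassembler must deal with them, and attackers craft such segments
    deliberately to make the sensor see a different stream than the host."""
    segments = defaultdict(list)
    for pkt in packets:
        segments[flow_key(pkt)].append((pkt["seq"], pkt["payload"]))
    streams = {}
    for key, segs in segments.items():
        segs.sort(key=lambda seg: seg[0])
        streams[key] = b"".join(payload for _, payload in segs)
    return streams


def identify_protocol(stream, dport):
    """Cheap application-layer identification by payload prefix, falling
    back to the destination port."""
    if stream[:4] in (b"GET ", b"POST", b"HEAD"):
        return "http"
    return PORT_PROTOCOLS.get(dport, "unknown")


def match_signatures(data):
    return [name for name, pattern in SIGNATURES if pattern in data]


def per_packet_alerts(packets):
    """What a matcher without reassembly sees: each segment on its own."""
    return {(flow_key(p), name) for p in packets for name in match_signatures(p["payload"])}


def stream_alerts(packets):
    """What the full pipeline sees: reassembled, protocol-tagged streams."""
    alerts = set()
    for key, stream in reassemble(packets).items():
        proto = identify_protocol(stream, key[3])
        for name in match_signatures(stream):
            alerts.add((key, proto, name))
    return alerts


FLOW_A = ("203.0.113.5", 40001, "192.0.2.10", 80)
FLOW_B = ("198.51.100.7", 51515, "192.0.2.10", 8080)


def _pkt(flow, seq, payload):
    src, sport, dst, dport = flow
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "seq": seq, "payload": payload}


# Constructed capture. Flow A is one HTTP request whose traversal sequence
# straddles two segments (seq 1000 carries 12 bytes, so the next segment
# starts at 1012) and the second segment is captured first. Flow B carries
# its pattern inside a single segment.
PACKETS = [
    _pkt(FLOW_A, 1012, b"/../etc/passwd HTTP/1.0\r\n\r\n"),
    _pkt(FLOW_A, 1000, b"GET /cgi/..."),
    _pkt(FLOW_B, 5000, b"POST /upload HTTP/1.1\r\n\r\nname=x;/bin/sh -c id"),
]

if __name__ == "__main__":
    print("per-packet:", sorted(per_packet_alerts(PACKETS)))
    print("reassembled:", sorted(stream_alerts(PACKETS)))
```

Only flow B's shell-spawn alert survives per-packet matching; the traversal in flow A appears once the stream is rebuilt. The same stage is also where the slide-22 requirements bite: keeping per-flow state for every connection on a busy link is what makes "no packet-filter drops" and "resilience to attacks upon the IDS itself" hard.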
21. Network Based IDSs
• At the early stage of a worm there are only limited worm samples.
• Host-based sensors can only cover a limited IP space, which raises scalability issues; thus they might not detect the worm in its early stage.
[Diagram: the Internet, gateway routers, our network, and host-based detection on individual hosts]

22. Requirements of a Network IDS
• High-speed, large-volume monitoring
– No packet-filter drops
• Real-time notification
• Mechanism separate from policy
• Extensible
• Broad detection coverage
• Economy in resource usage
• Resilience to stress
• Resilience to attacks upon the IDS itself!

23. NETWORK BASED (Advantages)
• Can gather information quickly without reconfiguring hosts or redirecting logging mechanisms
• Does not affect the network or data sources
• Monitors and detects network attacks or misuse in real time
• Does not create overhead on the monitored systems

24. NETWORK BASED (Disadvantages)
• Cannot inspect protocols if the data is encrypted
• Can infer from network traffic what is happening on a host, but cannot tell the outcome
• Hard to implement on fully switched networks
• Has difficulty keeping up with networks of very large bandwidth

25. Limitations of Exploit-Based Signatures
[Diagram: traffic filtering between the Internet and our network with the signature 10.*01; the variants 1010 101 and 1011 1101 are blocked, while 1111 1100 and 0001 0111 pass through]
• A polymorphic worm might not have an exact exploit-based signature
• Polymorphism!

26. Vulnerability Signature
• Works for polymorphic worms.
• Works for all worms that target the same vulnerability.
[Diagram: vulnerability-signature traffic filtering between the Internet and our network; every variant is blocked before it reaches the vulnerable service]

27. Example of Vulnerability Signatures
• At least 75% of vulnerabilities are due to buffer overflow
• Sample vulnerability signature: the length of the field corresponding to the vulnerable buffer > a certain threshold
• Intrinsic to the buffer-overflow vulnerability and hard to evade
[Diagram: a protocol message whose field overflows the vulnerable buffer]
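The contrast drawn on slides 25 to 27, an exploit-based byte signature against a vulnerability-based length check, as an added example that is not from the original slides. Everything in it is constructed: a toy line protocol `LOGIN <name>\n` whose (hypothetical) server copies `<name>` into a 64-byte buffer, one plain attack message, the same message re-encoded the way a polymorphic engine would, and a benign login. The four-byte pattern used as the exploit signature and the XOR "encoder" are stand-ins, not taken from any real exploit or rule set.

```python
"""Added example (not part of the original slides): exploit-based versus
vulnerability-based signatures over a constructed protocol. The buffer
size, the signature bytes and the messages are all made up."""

FIELD_LIMIT = 64  # size of the vulnerable buffer; known from the vulnerability


def parse_login(message):
    """Protocol parsing step: return the <name> field of a LOGIN request,
    or None if the message is some other request. A vulnerability
    signature needs this step; a byte signature does not."""
    if not message.startswith(b"LOGIN "):
        return None
    body = message[len(b"LOGIN "):]
    return body.split(b"\n", 1)[0]


# Exploit-based signature: a byte pattern lifted from one captured sample
# (constructed here: a run of NOP-sled bytes).
EXPLOIT_SIGNATURE = b"\x90\x90\x90\x90"


def exploit_signature_match(message):
    """Exact substring match, as the slide-25 filter does with 10.*01."""
    return EXPLOIT_SIGNATURE in message


def vulnerability_signature_match(message):
    """Vulnerability-based signature: the field that lands in the
    vulnerable buffer is longer than the buffer. It does not care what
    bytes the field contains, so re-encoding the payload changes nothing."""
    name = parse_login(message)
    return name is not None and len(name) > FIELD_LIMIT


def xor_encode(data, key):
    """Toy stand-in for a polymorphic encoder: same exploit, different bytes.
    A real variant would prepend a decoder stub; omitted, since only the
    field length matters to the vulnerability signature."""
    return bytes(b ^ key for b in data)


def build_messages():
    """Constructed traffic: plain exploit, polymorphic variant, benign login."""
    payload = b"A" * 80 + b"\x90" * 16 + b"\xcc" * 4  # filler, NOP sled, int3s
    return {
        "plain": b"LOGIN " + payload + b"\n",
        "polymorphic": b"LOGIN " + xor_encode(payload, 0x5A) + b"\n",
        "benign": b"LOGIN alice\n",
    }


def evaluate():
    """Run both signature types over each message."""
    return {
        label: {
            "exploit_sig": exploit_signature_match(msg),
            "vuln_sig": vulnerability_signature_match(msg),
        }
        for label, msg in build_messages().items()
    }


if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{label:12s} exploit_sig={verdict['exploit_sig']!s:5s} "
              f"vuln_sig={verdict['vuln_sig']}")
```

The byte signature catches the plain sample and misses the re-encoded one; the length check catches both and leaves the benign login alone. The caveat a practitioner would add: the vulnerability signature is only as good as the parser and the threshold. Parse the wrong field, or set the limit below what legitimate clients send, and the "hard to evade" property turns into a false-positive problem of the kind slide 12 warns about.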
28. Current State of IDS
• Lots of people are still using firewall and router logs for intrusion detection (home brew).
• IDS are not very mature.
• Mostly signature based.
• It is a quickly evolving domain.
• Giant leaps and progress every quarter.
• As Bruce Schneier puts it in his book 'Secrets and Lies': Prevention → Detection → Response; we are getting to the detection point today.

30. WHAT CAN IDS REALISTICALLY DO?
– Monitor and analyse user and system activities
– Audit system and configuration vulnerabilities
– Assess the integrity of critical system and data files
– Recognise patterns reflecting known attacks
– Statistical analysis for abnormal activities
– Data trail: trace activities from the point of entry to the point of exit
– Installation of decoy servers (honeypots)
– Installation of vendor patches (some IDS)

31. WHAT IDS CANNOT DO
– Compensate for weak authentication and identification mechanisms.
– Investigate attacks without human intervention.
– Guess the content of your organisation's security policy.
– Compensate for weaknesses in networking protocols, for example IP spoofing.
– Compensate for a lack of integrity or confidentiality protection of information.
– Deal adequately with attacks at the packet level.

32. SUMMARY
• Select the IDS you wish to use according to your needs and requirements (short list).
• Select hardware.
• Decide on the positioning of the IDS (total, per customer, per zone, etc.).
• Acquire and install HW and SW (perform tests).
• Minimise false positives and false negatives.
• Deploy to the production environment.
• Monitor, tune, update; monitor, tune, update…

Editor's Notes

  1. Need “both” on all these.
  2. BSM: Basic Security Module
  3. In the first 30 minutes of Sapphire’s spread, we recorded nearly 75,000 unique infections. As we will detail later, most of these infections actually occurred within 10 minutes. This graphic is more for effect rather than technical detail: We couldn’t determine a detailed location for all infections, and the diameter of each circle is proportional to the lg() of the number of infections, underrepresenting larger infections. Nevertheless, it gives a good feel for where Sapphire spread. We monitored the spread using several “Network Telescopes”, address ranges where we had sampled or complete packet traces at single sources. We also used the D-shield distributed intrusion detection system to determine IPs of infected machines, but we couldn’t use this data for calculating the scanning rate.
  4. Problems: mainly accuracy