intrusion detection system ppt
Page 1: Intrusion Detection System
Page 2: Intrusion and Intrusion Detection
Intrusion: attempting to break into or misuse your system.
Intruders may be from outside the network or legitimate users of the network.
Intrusion can be a physical, system or remote intrusion.
Page 3: Different ways to intrude
Buffer overflows
Unexpected combinations
Unhandled input
Race conditions
Page 4: Intrusion Detection System (diagram components)
Knowledge Base
Response Model
Alert Database
Event Provider
Analysis Engine
Other machines
Page 5: Intrusion Detection Systems (IDS)
Different ways of classifying an IDS
IDS based on:
– anomaly detection
– signature based misuse
– host based
– network based
– stack based
Page 6: Intrusion Detection Systems (IDS)
Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.
Page 7: Anomaly based IDS
This IDS models the normal usage of the network as a noise characterization.
Anything distinct from the noise is assumed to be intrusion activity.
– E.g. flooding a host with lots of packets.
The primary strength is its ability to recognize novel attacks.
Page 8: Drawbacks of Anomaly detection IDS
Assumes that intrusions will be accompanied by manifestations that are sufficiently unusual so as to permit detection.
These generate many false alarms and hence compromise the effectiveness of the IDS.
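A small anomaly detector in the spirit of slides 7 and 8, added here as an illustration (not code from the presentation): each host's normal packet rate is modelled as a mean and standard deviation, and intervals far outside that band are flagged. All hosts, rates and traffic are constructed sample data; the legitimate backup burst shows how the model raises a false alarm it cannot tell apart from a flood.

```python
"""Toy anomaly-based IDS: model each host's normal packet rate as mean and
standard deviation (the network's "noise") and flag intervals outside it."""
import statistics

# Constructed training window: packets per second seen from two hosts over a
# quiet 10-second period (sample data, not a real capture).
TRAINING = {
    "10.0.0.5": [9, 11, 10, 12, 8, 10, 9, 11, 10, 10],
    "10.0.0.7": [3, 4, 2, 3, 5, 3, 4, 3, 2, 4],
}

def build_baseline(samples):
    """Return {host: (mean_rate, stdev_rate)} describing 'normal' per host."""
    baseline = {}
    for host, rates in samples.items():
        mean = statistics.fmean(rates)
        stdev = statistics.pstdev(rates) or 1.0  # avoid a zero-width band
        baseline[host] = (mean, stdev)
    return baseline

def score(baseline, host, rate, threshold=3.0):
    """Return (z_score, flagged). Hosts never seen in training get a zero
    baseline, so any traffic from them is anomalous by construction."""
    mean, stdev = baseline.get(host, (0.0, 1.0))
    z = (rate - mean) / stdev
    return z, abs(z) > threshold

def detect(baseline, observations, threshold=3.0):
    """observations: iterable of (second, host, packets_in_that_second).
    Returns the intervals the detector would raise an alert for."""
    alerts = []
    for sec, host, rate in observations:
        z, flagged = score(baseline, host, rate, threshold)
        if flagged:
            alerts.append((sec, host, rate, round(z, 1)))
    return alerts

# Constructed live traffic: a packet flood from 10.0.0.5 at t=3 (the slide's
# example) and a legitimate nightly backup burst from 10.0.0.7 at t=4 that the
# model cannot distinguish from an attack (the false-alarm drawback).
OBSERVED = [
    (1, "10.0.0.5", 10), (2, "10.0.0.5", 11), (3, "10.0.0.5", 950),
    (4, "10.0.0.7", 40), (5, "10.0.0.7", 3),
]

if __name__ == "__main__":
    for alert in detect(build_baseline(TRAINING), OBSERVED):
        print("ALERT", alert)
```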
Page 9: Signature based IDS
This IDS possesses an attack description that can be matched to sensed attack manifestations.
The question of what information is relevant to an IDS depends upon what it is trying to detect.
– E.g. DNS, FTP etc.
Page 10: Signature based IDS (contd.)
The ID system is programmed to interpret a certain series of packets, or a certain piece of data contained in those packets, as an attack. For example, an IDS that watches web servers might be programmed to look for the string "phf" as an indicator of a CGI program attack.
Most signature analysis systems are based on simple pattern matching algorithms. In most cases, the IDS simply looks for a substring within a stream of data carried by network packets. When it finds this substring (for example, the "phf" in "GET /cgi-bin/phf?"), it identifies those network packets as vehicles of an attack.
Page 11: Drawbacks of Signature based IDS
They are unable to detect novel attacks.
Suffer from false alarms.
Have to be programmed again for every new pattern to be detected.
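A signature matcher built around the "phf" example from slide 10, added as an illustration (not code from the presentation) of the drawbacks listed on slide 11. The signature names, request lines and benign page name are constructed; the naive pattern matches the bare substring the slide describes, while the precise pattern anchors it to the CGI path the way real rule languages allow.

```python
"""Toy signature-based IDS: match request lines reassembled from packets
against a signature table, naive substring form versus an anchored form."""
import re

# Constructed signature tables: name -> compiled pattern.
NAIVE_SIGNATURES = {"phf-cgi": re.compile(r"phf")}
PRECISE_SIGNATURES = {"phf-cgi": re.compile(r"^GET /cgi-bin/phf\?")}

def scan(payloads, signatures):
    """Return (payload, signature_name) for every payload a signature matches."""
    hits = []
    for payload in payloads:
        for name, pattern in signatures.items():
            if pattern.search(payload):
                hits.append((payload, name))
    return hits

def add_signature(signatures, name, regex):
    """Every new pattern must be added by hand (slide 11's third drawback)."""
    updated = dict(signatures)
    updated[name] = re.compile(regex)
    return updated

# Constructed request lines as an IDS would see them in the data stream.
REQUESTS = [
    "GET /cgi-bin/phf?name=x HTTP/1.0",            # the classic case the slide cites
    "GET /docs/phfaq.html HTTP/1.0",               # benign page whose name contains 'phf'
    "GET /cgi-bin/some-other-cgi?x=1 HTTP/1.0",    # a new pattern with no signature yet
]

if __name__ == "__main__":
    print("naive  :", scan(REQUESTS, NAIVE_SIGNATURES))    # true hit plus a false alarm
    print("precise:", scan(REQUESTS, PRECISE_SIGNATURES))  # true hit only
    # Neither table sees the third request: novel traffic needs a new signature.
    print("updated:", scan(REQUESTS, add_signature(
        PRECISE_SIGNATURES, "other-cgi", r"^GET /cgi-bin/some-other-cgi\?")))
```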
Page 12: Host/Application based IDS
The host operating system or the application logs the audit information.
This audit information includes events like the use of identification and authentication mechanisms (logins etc.), file opens and program executions, admin activities etc.
This audit trail is then analyzed to detect traces of intrusion.
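A host-based analysis of the kind slide 12 describes, added as an illustration (not code from the presentation): audit records for logins and program executions are parsed and correlated into an intrusion trail. The log format, timestamps, addresses, user names and the list of administrative tools are all constructed for this example.

```python
"""Toy host-based IDS: scan OS audit records (logins, program executions) for
a trail of intrusion, rather than judging each record in isolation."""
import re
from collections import defaultdict

# Constructed audit log in a syslog-like shape (not from any real system).
AUDIT_LOG = """\
10:00:01 sshd: Failed password for admin from 203.0.113.9
10:00:03 sshd: Failed password for admin from 203.0.113.9
10:00:05 sshd: Failed password for admin from 203.0.113.9
10:00:07 sshd: Accepted password for admin from 203.0.113.9
10:00:20 audit: user=admin exec=/usr/bin/useradd
10:05:00 sshd: Accepted password for alice from 198.51.100.4
10:05:10 audit: user=alice open=/home/alice/notes.txt
"""

LOGIN = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\w+) from (\S+)")
EXEC = re.compile(r"^(\S+) audit: user=(\w+) exec=(\S+)")
# Constructed set of admin tools worth correlating with a suspicious login.
ADMIN_TOOLS = {"/usr/bin/useradd", "/usr/sbin/useradd", "/usr/bin/passwd"}

def analyse(log, max_failures=3):
    """Return alerts as (time, kind, user, detail): a successful login preceded
    by max_failures or more failures from the same source, and any admin-tool
    execution by a user who logged in that way."""
    failures = defaultdict(int)
    suspect_users = set()
    alerts = []
    for line in log.splitlines():
        m = LOGIN.match(line)
        if m:
            ts, result, user, src = m.groups()
            if result == "Failed":
                failures[src] += 1
            elif failures[src] >= max_failures:
                alerts.append((ts, "brute-force-success", user, src))
                suspect_users.add(user)
            continue
        m = EXEC.match(line)
        if m:
            ts, user, prog = m.groups()
            if user in suspect_users and prog in ADMIN_TOOLS:
                alerts.append((ts, "admin-activity-after-suspect-login", user, prog))
    return alerts

if __name__ == "__main__":
    for alert in analyse(AUDIT_LOG):
        print("ALERT", alert)
```

Alice's ordinary login and file open produce no alert, which is the point of correlating records rather than flagging every admin action.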
Page 13: Drawbacks of the host based IDS
The kind of information that needs to be logged is a matter of experience.
Unselective logging of messages may greatly increase the audit and analysis burdens.
Selective logging runs the risk that attack manifestations could be missed.
Page 14: Strengths of the host based IDS
Attack verification
System specific activity
Encrypted and switched environments
Monitoring key components
Near real-time detection and response
No additional hardware
Page 15: Stack based IDS
They are integrated closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers.
This allows the IDS to pull the packets from the stack before the OS or the application has a chance to process them.
Page 16: Network based IDS
This IDS looks for attack signatures in network traffic via a promiscuous interface.
A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known benign traffic.
Page 17: Strengths of Network based IDS
Cost of ownership reduced
Packet analysis
Evidence removal
Real time detection and response
Malicious intent detection
Complement and verification
Operating system independence
Page 18: Future of IDS
To integrate the network and host based IDS for better detection.
Developing IDS schemes for detecting novel attacks rather than individual instantiations.