intrusion detection systems (1)

Upload: drushti-desai

Post on 02-Jun-2018


TRANSCRIPT

  • 8/11/2019 Intrusion Detection Systems (1)

    1/29

    INTRUSION DETECTION SYSTEMS (IDS)

    SUMANTA KUMAR DAS

    0701218126 P.I.E.T DATE: 24.09.10

    VENUE: SEMINAR HALL (P.I.E.T)

  • 2/29

    What is intrusion? An attempt to break into or misuse our system.

    Intruders may come from outside.

    An intrusion can be a physical, system or remote intrusion.

    An agent that may be responsible for a policy violation.

    A potentially unwanted object that is harmful to our system.

  • 3/29

    Definition of intrusion detection system (IDS)

    An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station.

    Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.

    IDSs are software or hardware products that automate this monitoring and analysis process.

    Hence an IDS can help protect us from attacking malware, poisonous programs and security threats; finally, total protection can be accomplished by an IDS.

  • 4/29

    Why should I use an IDS?

    To prevent problem behaviour by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system.

    To detect attacks and other security violations that are not prevented by other security measures.

    To document existing threats to an organization.

    To detect and deal with intrusions.

    To provide useful information about an intrusion and its impact on the network.

    Finally, to protect our system from attackers.

  • 5/29

    Why should I use an IDS if I have a firewall?

    Today's security infrastructures are becoming very complex, and this cannot be accomplished by a simple firewall.

    Failure of one component of the structure may lead to it being attacked by attackers.

    Not all traffic may go through the firewall, e.g. a modem on a user's computer.

    Not all threats originate from outside; a threat may be created inside the system, entering it in encrypted form.

    Firewalls do not protect appropriately against application-level weaknesses and attacks.

    Firewalls cannot protect themselves, hence they are themselves subject to attack!

  • 6/29

    What an IDS can do for us

    Monitor and analyze user and system activities.

    Audit system and configuration vulnerabilities.

    Assess the integrity of critical system and data files.

    Statistical analysis of abnormal activities.

    Recognition of patterns reflecting known attacks.

  • 7/29

    What an IDS cannot do for us

    Investigate attacks without human interaction (it mainly asks what to do when an intrusion is detected).

    Analyze all traffic on a very high-speed network.

    Deal adequately with attacks at the packet level.

    Guess the contents of your organization's policies.

    Deal adequately with modern network hardware.

  • 8/29

    Types of IDS

    Host based IDS (HIDS)

    Network based IDS (NIDS)

    Application based IDS (APIDS)

  • 9/29

    1. Host based IDS

    The intrusion detection system is installed on a host in the network.

    A host based IDS analyzes the traffic that originates from, or is intended for, that host.

    Made up of two parts: 1. centralised manager, 2. server agent.

    The manager is used to administer and store policies, download policies to agents, and store the information received from agents.

    An agent is installed onto each server and registered with the manager. The agent uses policies to detect and respond to specific events and attacks.

  • 10/29

    2. Network based IDS

    Network based IDSs are placed in key areas of the network infrastructure and monitor the traffic as it flows to other hosts.

    Unlike a host based IDS, a network based IDS has the capability of monitoring the network and detecting malicious activities intended for that network.

    It strictly and transparently monitors the traffic on the network (by retaining all the policies of TCP/IP).

    In a switched network, it can see the packets to and from the systems that it monitors.

  • 11/29

    3. Application based IDS

    Focuses its monitoring and analysis on a specific application protocol or protocols used by the computer system.

    Monitors the dynamic behaviour and state of the protocol; it typically consists of a system or agent that sits between a process, a group of servers, two connected devices, etc.

    A typical place for an application based IDS would be between a web server and the database management system (DBMS), monitoring the SQL protocol that interacts with the organization's database.

  • 12/29

    IDS and Firewall

    A common misunderstanding is that firewalls recognize attacks and block them. This is not true: a firewall is simply a device that shuts off everything, then turns back on only a few well-chosen items.

    A firewall is not the dynamic defensive system that users imagine.

    Yes, your system will of course be attacked, even though you have the firewall.

    Firewalls are only at the boundary of your network, not beyond your network.

  • 13/29

    Reasons for adding an IDS to your firewall

    Double-checks misconfigured firewalls.

    Catches attacks that firewalls legitimately allow through.

    Catches attempts that fail.

    Catches insider hacking.

    Immediately alerts users if any intrusion is detected.

    Has the power to prevent intrusion as well.

    Greater potential against newly published attacks.

  • 14/29

    Mechanism of putting IDS with firewall

    After installing Netscape's Directory Server 4 for Solaris, one of the final options is to remove a file called 'install.inf' which the install process claims could contain sensitive information. Answering yes to this question will delete the file. However, there is another file left behind after installation which contains the un-encrypted 'admin' password. This file has world read permissions and is located in /usr/netscape/server4/admin-serv/config/adm.conf

  • 15/29

    INTRUSION DETECTION MECHANISM

    1. Signature based detection

    2. Behavioural anomaly detection

    3. Protocol anomaly detection

  • 16/29

    1. Signature based detection

    For every exploit, the IDS vendor must code a signature specifically for that attack in order to detect it, and therefore the attacks must be known. So data packets are compared with the signature database to find the faulty ones.

    This IDS sensor can operate at a speed of 60 Mbps. Almost all IDS systems are structured around a large signature database and attempt to compare every packet to every signature in the database.

    Another aspect of this approach is that it relies on the vendor identifying new attacks, creating a signature, and releasing an update.
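As an added illustration of this slide (example code written for this page, not part of the seminar or of any IDS product), the loop below compares every packet against every entry of a small signature database. The signature ids, names, regular expressions and sample packets are all constructed; the last sample packet has no matching signature and is therefore missed, which is exactly the limitation the slide describes.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """One entry of the signature database (all values constructed)."""
    sid: int             # signature id, modelled on the numeric ids real rule sets use
    name: str            # human-readable description that goes into the alert
    pattern: re.Pattern  # compiled byte regex applied to each packet payload


# Constructed signature database. Production rules carry far more context
# (direction, port, flow state); these three only illustrate the matching loop.
SIGNATURE_DB = [
    Signature(1000001, "directory traversal in request path",
              re.compile(rb"\.\./\.\./")),
    Signature(1000002, "SQL tautology in query string",
              re.compile(rb"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE)),
    Signature(1000003, "shell metacharacter followed by a command name",
              re.compile(rb"[;|`]\s*(?:cat|id|ls)\b")),
]


def scan_packet(payload: bytes, signatures=SIGNATURE_DB):
    """Return the signatures whose pattern occurs in this payload.

    Each packet is tested against every signature: the 'every packet to
    every signature' behaviour the slide describes, and the reason
    signature engines are judged on throughput (the slide's 60 Mbps figure).
    """
    return [sig for sig in signatures if sig.pattern.search(payload)]


def scan_stream(packets, signatures=SIGNATURE_DB):
    """Scan (source, payload) pairs and return (source, sid, name) alerts."""
    alerts = []
    for src, payload in packets:
        for sig in scan_packet(payload, signatures):
            alerts.append((src, sig.sid, sig.name))
    return alerts


# Constructed sample traffic: (source address, raw payload).
SAMPLE_PACKETS = [
    ("10.0.0.5", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.9", b"GET /cgi-bin/view?file=../../../../etc/passwd HTTP/1.1\r\n"),
    ("10.0.0.12", b"GET /login?user=admin' OR '1'='1 HTTP/1.1\r\n"),
    # No signature has been written for this one, so it is missed: the
    # attack must already be known to the vendor, as the slide says.
    ("10.0.0.20", b"GET /something-new?x=AAAA HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for src, sid, name in scan_stream(SAMPLE_PACKETS):
        print(f"ALERT src={src} sid={sid} {name}")
```

Running the file prints two alerts (sids 1000001 and 1000002) and nothing for the fourth packet; adding a signature for it is the "identify, create a signature, release an update" cycle the slide mentions.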

  • 17/29

    2. Behavioural anomaly detection

    Ability to detect statistical anomalies.

    The framework of statistical anomaly detection is a baseline of certain system statistics, or patterns of behaviour, that are tracked continually by the system; changes in these patterns are used to indicate attacks.

    The benefit of this approach is that it can detect the anomalies without having to understand the underlying cause behind the anomalies.
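The following added example (not from the slides or any product) shows the baseline idea in code: a per-host statistic is learned from a quiet period, later observations are scored as standard deviations from that baseline, and observations that look normal keep refining it. Host names, counts, the 3-sigma threshold and the sigma floor are constructed choices.

```python
from statistics import mean, pstdev


class BaselineDetector:
    """Statistical anomaly detector over a per-host activity count."""

    def __init__(self, k=3.0, min_sigma=1.0):
        self.k = k                  # alert when |z| exceeds k standard deviations
        self.min_sigma = min_sigma  # floor so a perfectly steady baseline does not alert on tiny noise
        self.history = {}           # host -> list of counts accepted as normal
        self.baseline = {}          # host -> (mean, sigma)

    def _fit(self, host):
        counts = self.history[host]
        self.baseline[host] = (mean(counts), max(pstdev(counts), self.min_sigma))

    def train(self, history):
        """history: {host: [count per interval, ...]} from a period believed to be quiet."""
        for host, counts in history.items():
            self.history[host] = list(counts)
            self._fit(host)

    def score(self, host, count):
        """z-score of an observation against the host's baseline.
        A host with no baseline is itself unexpected, so it scores infinite."""
        if host not in self.baseline:
            return float("inf")
        mu, sigma = self.baseline[host]
        return (count - mu) / sigma

    def check(self, host, count):
        """Return (is_anomalous, z). Both a surge and a sudden silence count."""
        z = self.score(host, count)
        return abs(z) > self.k, z

    def observe(self, host, count):
        """Check one observation and, if it looks normal, fold it into the baseline.
        Only benign observations refine the baseline, so an ongoing attack cannot
        gradually train itself in; this is the 'tracked continually' part."""
        anomalous, z = self.check(host, count)
        if not anomalous:
            self.history.setdefault(host, []).append(count)
            self._fit(host)
        return anomalous, z


# Constructed baseline: inbound connections per minute seen during a quiet hour.
QUIET_PERIOD = {
    "web-01": [40, 42, 38, 41, 39, 43, 40, 41],   # mean 40.5, sigma 1.5
    "db-01": [5, 5, 6, 5, 4, 5, 5, 5],
}

# Constructed later observations: (host, connections in the last minute).
LIVE_OBSERVATIONS = [
    ("web-01", 44),     # within 3 sigma: normal
    ("web-01", 120),    # surge: anomalous, cause unknown and not needed
    ("web-01", 34),     # host gone quiet: also anomalous
    ("db-01", 5),
    ("backup-99", 1),   # never seen during training: anomalous
]

if __name__ == "__main__":
    det = BaselineDetector()
    det.train(QUIET_PERIOD)
    for host, count in LIVE_OBSERVATIONS:
        anomalous, z = det.observe(host, count)
        print(f"{host:10} count={count:4d} z={z:7.2f} {'ANOMALY' if anomalous else 'ok'}")
```

Note that the detector reports the surge to 120 and the drop to 34 with the same mechanism, without any notion of what caused either; that is the benefit the slide describes, and also the source of the false alarms slide 26 wants reduced, since a legitimate traffic change scores exactly like an attack.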

  • 18/29

    3. Protocol anomaly detection

    It is performed at the application protocol layer, e.g. HTTP, FTP, SMTP, RPC, etc.

    It focuses on the structure and content of the communications.

    When protocol rules are modelled directly in the sensors, it is easy to identify traffic that violates the rules, such as unexpected data, extra characters, and invalid characters.

    The IDS recognizes such an attack as a protocol violation, and it is reported to the system administrator.
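An added example, written for this page rather than taken from the slides or any sensor, of modelling protocol rules directly: a simplified HTTP/1.x request grammar (based on RFC 7230) is checked field by field and every rule violation is reported, with no signature involved. The method list, the 2048-byte request-target limit and the sample requests are constructed.

```python
import re

# Simplified model of the HTTP/1.x request grammar (RFC 7230). Only the
# rules needed to illustrate the technique are modelled.
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 'token' (header field names)
VERSION = re.compile(r"^HTTP/\d\.\d$")
MAX_TARGET = 2048   # constructed local policy limit, not an RFC rule


def _has_ctl(s: str, allow_tab: bool = False) -> bool:
    """True if s contains a control character (invalid at this layer)."""
    return any((ord(c) < 0x20 and not (allow_tab and c == "\t")) or ord(c) == 0x7F for c in s)


def check_http_request(raw: bytes):
    """Return a list of protocol violations found in one request (empty == conformant)."""
    violations = []
    try:
        text = raw.decode("ascii")        # the message head is ASCII by definition
    except UnicodeDecodeError:
        return ["non-ASCII byte in message head"]

    head, terminator, _body = text.partition("\r\n\r\n")
    if not terminator:
        violations.append("message head not terminated by an empty line")

    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:               # extra or missing fields: 'unexpected data'
        violations.append("request-line does not have exactly 3 space-separated parts")
        return violations             # the rest cannot be interpreted reliably

    method, target, version = parts
    if method not in METHODS:
        violations.append(f"unexpected method {method!r}")
    if not target.startswith(("/", "http://", "https://", "*")):
        violations.append("request-target is not in origin, absolute or asterisk form")
    if len(target) > MAX_TARGET:
        violations.append("request-target exceeds policy length")
    if _has_ctl(target):              # 'invalid characters'
        violations.append("control character in request-target")
    if not VERSION.match(version):    # 'extra characters', e.g. 'HTTP/1.1x'
        violations.append(f"malformed HTTP-version {version!r}")

    for line in lines[1:]:
        if not line:
            continue
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            violations.append(f"malformed header field {line[:40]!r}")
        elif _has_ctl(value, allow_tab=True):
            violations.append(f"control character in header {name!r}")
    return violations


# Constructed sample requests, one conformant and several that each break a rule.
SAMPLES = {
    "conformant": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n",
    "extra data on request line": b"GET /index.html HTTP/1.1 junk\r\nHost: www.example.com\r\n\r\n",
    "unexpected method": b"FOO / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "control char in target": b"GET /a\x01b HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "header without colon": b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n",
    "non-ascii byte": b"GET /\xff HTTP/1.1\r\n\r\n",
    "oversized target": b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n\r\n",
}


def audit(samples=SAMPLES):
    """Map each sample name to its violation list, as an IDS report would."""
    return {name: check_http_request(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, found in audit().items():
        print(f"{name:28} -> {found or 'OK'}")
```

Because the check is against the grammar rather than against known attacks, a malformed request is flagged whether or not anyone has published an exploit for it; the trade-off is that a request can be perfectly well-formed and still malicious, which is why the three mechanisms on slide 15 are used together.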

  • 19/29

    OTHER APPROACHES TO SECURITY

    You spend great money on concrete walls (firewalls), but they are of no use if someone can dig through them!

  • 20/29

    LAYERED APPROACH TO PROTECTION

    We can align our intrusion sensors with the firewall; combining them can reduce the risk.

    3 layers: 1. HIDS, 2. NIDS, 3. PASSIVE

    When threats go through these layers, they will automatically be eliminated by these layers.

  • 21/29

    Intrusion detection in DNS servers

  • 22/29

    HTTP server intrusion detection system

  • 23/29

    Computer attacks & vulnerabilities

    An attack may be caused by violating the following in a system:

    Confidentiality! Integrity!

    Availability! Control!

  • 24/29

    Types of computer attacks commonly detected by IDS

    Scanning attack

    Port scan attack

    Denial of service attack

    Peer to peer attack

    Penetration attack
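As an added example (not from the slides), the detector below covers two of the listed classes, port scans and denial-of-service connection floods, by counting events per source and per destination inside a sliding time window. Flow records, the 10-second window and both thresholds are constructed values that a real deployment would tune to its own traffic.

```python
from collections import defaultdict, deque


class WindowCounter:
    """Per-key sliding time window over (timestamp, value) events."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.events = defaultdict(deque)   # key -> deque of (ts, value), oldest first

    def add(self, key, ts, value):
        """Record an event and return (events in window, distinct values in window).
        Assumes events arrive in non-decreasing timestamp order."""
        q = self.events[key]
        q.append((ts, value))
        while q and q[0][0] < ts - self.window:   # expire events older than the window
            q.popleft()
        return len(q), len({v for _, v in q})


class ScanFloodDetector:
    """Threshold detector for port scans and connection floods."""

    def __init__(self, window=10.0, scan_targets=20, flood_conns=200):
        self.by_src = WindowCounter(window)   # key: source ip, value: (dst ip, dst port)
        self.by_dst = WindowCounter(window)   # key: destination ip, value: source ip
        self.scan_targets = scan_targets      # distinct (host, port) pairs per source
        self.flood_conns = flood_conns        # connection attempts per destination
        self.alerted = set()                  # (kind, address) already reported; alert once

    def process(self, flow):
        """flow = (ts, src, dst, dport); returns the alerts this flow triggers."""
        ts, src, dst, dport = flow
        alerts = []
        _, distinct = self.by_src.add(src, ts, (dst, dport))
        if distinct >= self.scan_targets and ("scan", src) not in self.alerted:
            self.alerted.add(("scan", src))
            alerts.append(f"PORT SCAN from {src}: {distinct} distinct host/port targets "
                          f"within {self.by_src.window}s")
        total, _ = self.by_dst.add(dst, ts, src)
        if total >= self.flood_conns and ("flood", dst) not in self.alerted:
            self.alerted.add(("flood", dst))
            alerts.append(f"CONNECTION FLOOD at {dst}: {total} attempts "
                          f"within {self.by_dst.window}s")
        return alerts


def run(flows, **thresholds):
    """Feed time-ordered flow records through a fresh detector; return all alerts."""
    det = ScanFloodDetector(**thresholds)
    alerts = []
    for flow in flows:
        alerts.extend(det.process(flow))
    return alerts


def constructed_flows():
    """Constructed flow records (ts, src, dst, dport): a little normal traffic,
    then one source probing 25 ports, then 300 sources hammering port 80."""
    flows = [(0.0, "10.0.0.5", "10.0.0.1", 443), (0.5, "10.0.0.6", "10.0.0.1", 80)]
    flows += [(1.0 + i * 0.01, "10.0.0.7", "10.0.0.1", 1 + i) for i in range(25)]
    flows += [(5.0 + i * 0.001, f"198.51.100.{i % 250}", "10.0.0.1", 80) for i in range(300)]
    return flows


if __name__ == "__main__":
    for alert in run(constructed_flows()):
        print(alert)
```

Each condition is reported once per offending address rather than on every flow, which keeps a flood from turning into a flood of alerts; the thresholds are keyword arguments so the same code can be re-run with different limits to see how quickly a scan slips under a raised threshold.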

  • 25/29

    Limitations of IDS

    Dealing effectively with switched networks.

    Automatically investigating attacks without human interaction.

    May not respond effectively to newly published attacks or variants of existing attacks.

    Cannot automatically collect the organization's policy.

  • 26/29

    Future of IDS

    Even though the IDS research field is maturing, further improvement is still required to accomplish the following.

    Reduce the number of false alarms.

    Work effectively with high-speed and switched networks.

    Challenge newly published threats.

    Enhance security further.

  • 27/29

    Conclusion

    IDS is now very useful to our nation as well as to our security systems.

    We can get full information about threats.

    IDS is a challenge to threats.

    IDS can save our time and money (directly or indirectly).

    IDS opens a new era of protection and security.

  • 28/29

    Queries?

  • 29/29