intrusion detection systems (1)
TRANSCRIPT
-
8/11/2019 Intrusion Detection Systems (1)
1/29
INTRUSION DETECTION SYSTEMS (IDS)
SUMANTA KUMAR DAS
0701218126, P.I.E.T   DATE: 24.09.10
VENUE: SEMINAR HALL (P.I.E.T)
-
What is intrusion?
Attempting to break into or misuse our system.
Intruders may be from outside.
Intrusion can be a physical, system or remote intrusion.
An agent which may be responsible for a policy violation.
A potentially unwanted object which is harmful to our system.
-
Definition of intrusion detection system (IDS)
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station.
Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.
IDSs are software or hardware products that automate this monitoring and analysis process.
Hence an IDS can help protect us from attacking malware, malicious programs and security threats; finally, a total protection can be accomplished by an IDS.
-
Why should I use IDS?
To prevent problem behaviour by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system.
To detect attacks and other security violations that are not prevented by other security measures.
To document existing threats to an organization.
To detect and deal with intrusion.
To provide useful information about intrusion and its impact on the network.
Finally, to protect our system from attackers.
-
Why should I use IDS if I have a firewall?
Today's security infrastructure is becoming very complex and cannot be handled by a simple firewall.
Failure of one component of the structure may lead to the system being attacked.
Not all traffic may go through the firewall, e.g. a modem on a user's computer.
Not all threats originate from outside; a threat may be created inside the system, or may enter the system in encrypted form.
Firewalls do not protect appropriately against application-level weaknesses and attacks.
Firewalls cannot protect themselves, hence they are themselves subject to attack!
-
What an IDS can do for us
Monitor and analyze user and system activities.
Audit system configuration and vulnerabilities.
Assess the integrity of critical system and data files.
Statistical analysis of abnormal activity patterns.
Recognition of patterns reflecting known attacks.
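The integrity-assessment capability listed above, as an added Python example that is not from the seminar slides: a HIDS-style check that hashes critical files into a baseline and later reports anything modified, added or removed. The file names and contents used in demo() are constructed for the illustration.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline

def check_integrity(root: str, baseline: Dict[str, str]) -> List[str]:
    """Compare the current state of root with the baseline; return alert strings."""
    current = take_baseline(root)
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            alerts.append("REMOVED " + rel)
        elif rel not in baseline:
            alerts.append("ADDED " + rel)
        elif current[rel] != baseline[rel]:
            alerts.append("MODIFIED " + rel)
    return alerts

def _write(root: str, name: str, text: str) -> None:
    with open(os.path.join(root, name), "w") as f:
        f.write(text)

def demo() -> List[str]:
    """Constructed scenario in a temporary directory: take a baseline, then tamper."""
    root = tempfile.mkdtemp()
    _write(root, "passwd", "root:x:0:0::/root:/bin/sh\n")
    _write(root, "sshd_config", "PermitRootLogin no\n")
    baseline = take_baseline(root)
    # Simulated tampering: a config change, a new file and a deletion.
    _write(root, "sshd_config", "PermitRootLogin yes\n")
    _write(root, "rc.local", "echo hello\n")
    os.remove(os.path.join(root, "passwd"))
    return check_integrity(root, baseline)
```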
-
What an IDS cannot do for us
Investigate attacks without human interaction (it mainly asks what to do when an intrusion is detected).
Analyze all traffic on a very high speed network.
Deal adequately with attacks at the packet level.
Guess the contents of your organization's policies.
Deal adequately with modern network hardware.
-
Types of IDS
Host based IDS (HIDS)
Network based IDS (NIDS)
Application based IDS (APIDS)
-
1. Host based IDS
The intrusion detection system is installed on a host in the network.
A host based IDS analyzes the traffic that originates from or is intended for that host.
Made up of two parts: 1. centralised manager, 2. server agent.
The manager is used to administer and store policies, download policies to agents, and store the information received from agents.
An agent is installed onto each server and registered with the manager. The agent uses policies to detect and respond to specific events and attacks.
-
2. Network based IDS
Network based IDSs are placed in key areas of the network infrastructure and monitor the traffic as it flows to other hosts.
Unlike a host based IDS, a network based IDS has the capability of monitoring the network and detecting malicious activities intended for that network.
It strictly and transparently monitors the traffic on the network (retaining all the rules of TCP/IP).
In a switched network, it can see the packets to and from the systems that it monitors.
-
3. Application based IDS
Focuses its monitoring and analysis on a specific application protocol or protocols used by the computer system.
Monitors the dynamic behaviour and state of the protocol; it typically consists of a system or agent that sits between a process, a group of servers, two connected devices, etc.
A typical place for an application based IDS would be between a web server and the database management system (DBMS), monitoring the SQL protocol that interacts with the organization's database.
-
IDS and Firewall
A common misunderstanding is that firewalls recognize attacks and block them. This is not true: a firewall is simply a device that shuts off everything, then turns back on only a few well-chosen items.
A firewall is not the dynamic defensive system that users imagine.
Yes, your system will of course be attacked, even though you have the firewall.
Firewalls are only at the boundary of your network, not beyond it.
-
Reasons for adding IDS to your firewall
Double checks misconfigured firewalls.
Catches attacks that firewalls legitimately allow through.
Catches attempts that fail.
Catches insider hacking.
Immediately alerts users if any intrusion is detected.
Has the power to prevent intrusion also.
Greater potential against newly published intrusions.
-
Mechanism of putting IDS with firewall
After installing Netscape's Directory Server 4 for Solaris, one of the final options is to remove a file called 'install.inf', which the install process claims could contain sensitive information. Answering yes to this question will delete the file.
However, there is another file left behind after installation which contains the un-encrypted 'admin' password. This file has world read permissions and is located in /usr/netscape/server4/admin-serv/config/adm.conf
-
INTRUSION DETECTION MECHANISMS
1. Signature based detection
2. Behavioural anomaly detection
3. Protocol anomaly detection
-
1. Signature based detection
For every exploit, the IDS vendor must code a signature specifically for that attack in order to detect it, and therefore the attacks must be known. Data packets are compared with the signature database to find the faulty ones.
This IDS sensor can operate at a speed of 60 Mbps. Almost all IDS systems are structured around a large signature database and attempt to compare every packet to every signature in the database.
The other part of this approach is that the vendor identifies new attacks, creates a signature, and releases an update.
-
2. Behavioural anomaly detection
Ability to detect statistical anomalies.
The framework of statistical anomaly detection is a baseline of certain system statistics, or patterns of behaviour, that are tracked continually by the system; changes in these patterns are used to indicate attacks.
The benefit of this approach is that it can detect the anomalies without having to understand the underlying cause behind them.
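An added Python example (not part of the seminar slides) showing the two mechanisms just described side by side: a tiny signature database compared against packet payloads, which only catches attacks it already knows, and a statistical baseline that flags a source whose connection count departs from normal without knowing why. The signatures, addresses and counts are constructed sample data.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List

# Constructed signature database (hypothetical entries): name -> byte pattern.
# A real sensor holds thousands of these and compares every packet against each.
SIGNATURES = {
    "dir-traversal": re.compile(rb"\.\./\.\./"),
    "sqli-tautology": re.compile(rb"'\s*or\s*1\s*=\s*1", re.IGNORECASE),
}

def match_signatures(payload: bytes) -> List[str]:
    """Signature-based detection: names of every signature found in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]

def anomalous_sources(events: List[str], baseline: List[int], k: float = 3.0) -> Dict[str, int]:
    """Statistical anomaly detection over per-source connection counts.

    events:   one source address per connection observed in the current window.
    baseline: per-source connection counts per window recorded during normal operation.
    A source is flagged when its count exceeds mean + k * stddev of the baseline;
    the sensor never needs to understand what the source is trying to do."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    counts = Counter(events)
    return {src: n for src, n in counts.items() if n > threshold}

# Constructed sample data.
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1",
    b"GET /../../etc/passwd HTTP/1.1",
    b"POST /login HTTP/1.1\r\n\r\nuser=admin' OR 1=1--",
]
NORMAL_WINDOWS = [10, 12, 11, 9, 13, 10, 12, 11]        # connections per source per window
CURRENT_WINDOW = ["10.0.0.7"] * 12 + ["10.0.0.5"] * 20   # one source far above baseline

def demo():
    """Run both detectors over the constructed data; returns (signature hits, anomalies)."""
    sig_hits = {p: match_signatures(p) for p in SAMPLE_PAYLOADS}
    anomalies = anomalous_sources(CURRENT_WINDOW, NORMAL_WINDOWS)
    return sig_hits, anomalies
```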
-
3. Protocol anomaly detection
It is performed at the application protocol layer, e.g. HTTP, FTP, SMTP, RPC etc.
It focuses on the structure and content of the communications.
When protocol rules are modelled directly in the sensors, it is easy to identify traffic that violates the rules, such as unexpected data, extra characters, and invalid characters.
The IDS recognizes such an attack as a protocol violation and reports it to the system administrator.
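Added example, not from the slides: a protocol anomaly check for HTTP/1.x requests that models a simplified request-line and header grammar and reports unexpected data, extra characters and invalid characters as violations. The sample requests, the method list and the MAX_LINE limit are assumptions made for the illustration.

```python
import re
from typing import List

# Simplified model of the HTTP/1.x request-line and header grammar (RFC 7230).
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(
    rb"^(?P<method>" + TOKEN + rb") (?P<target>[^ \x00-\x1f\x7f]+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^" + TOKEN + rb":[ \t]*[^\x00-\x08\x0a-\x1f\x7f]*$")
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
MAX_LINE = 8192  # assumed sensor limit on a single line

def check_http_request(raw: bytes) -> List[str]:
    """Protocol anomaly detection: return every rule violation in one raw request.

    An empty list means the request conforms to the modelled grammar."""
    violations = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        violations.append("header block not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    if len(request_line) > MAX_LINE:
        violations.append("request line longer than %d bytes" % MAX_LINE)
    m = REQUEST_LINE.match(request_line)
    if m is None:
        violations.append("malformed request line: %r" % request_line[:40])
    elif m.group("method") not in KNOWN_METHODS:
        violations.append("unexpected method %r" % m.group("method"))
    for line in headers:
        if HEADER_LINE.match(line) is None:
            violations.append("invalid header line: %r" % line[:40])
    return violations

# Constructed sample requests.
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: demo\r\n\r\n"
BAD_REQUEST = b"GET /index.html\x00 HTTP/1.1\r\nHost example.com\r\n\r\n"
ODD_METHOD = b"FOO / HTTP/1.1\r\nHost: example.com\r\n\r\n"
```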
-
OTHER APPROACHES TO SECURITY
You spend great money on concrete walls (firewalls), but they are of no use if someone can dig through them!
-
LAYERED APPROACH TO PROTECTION
We can align our intrusion sensors with the firewall; combining them can reduce the risk.
3 layers: 1. HIDS, 2. NIDS, 3. PASSIVE
When threats go through these layers they will automatically be eliminated by these layers.
-
Intrusion detection in DNS servers
-
HTTP server intrusion detection system
-
Computer attacks & vulnerabilities
An attack may be caused by violating the following in a system:
Confidentiality! Integrity! Availability! Control!
-
Types of computer attacks commonly detected by IDS
Scanning attack
Port scan attack
Denial of service attack
Peer to peer attack
Penetration attack
-
Limitations of IDS
Dealing effectively with switched networks.
Automatically investigating attacks without human interaction.
May not respond effectively to newly published attacks or variants of existing attacks.
Cannot automatically collect the organization's policy.
-
Future of IDS
Even though the IDS research field is maturing, further improvement is still required to:
Reduce the number of false alarms.
Work effectively with high speed and switched networks.
Challenge newly published threats.
Enhance security further.
-
Conclusion
IDS is now very useful to our nation as well as to our security systems.
We can get full information about threats.
IDS is a challenge to threats.
IDS can save our time and money (directly or indirectly).
IDS opens a new era of protection and security.
-
Queries?