L2 Intrusion Detection System (IDS)
Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh
 If a computer is on the Internet, or receives data from the Internet, including Web browsing or email, then security is a problem.
 This is true for everyone, as automated scanners and worms do not make distinctions between targets.
 Simply, if your system has vulnerabilities, it will be hit.

 Because security problems are ubiquitous, security solutions should be also.
 To be effective, this security must follow a "defense in depth" strategy or a layered approach. This means that security is layered in the hope that if an attack passes through one layer, it is caught by the next, or the next.
 Defense in depth combines network security and host-based security (especially antivirus software).
 While each layer is important, no layer is sufficient on its own.
 Many end users make the mistake of thinking that a firewall, by itself, constitutes network security.

 With market penetration of firewalls reaching more than 95 percent, security problems still persist for organizations large and small.
 A firewall that simply allows Web traffic allows all Web traffic, including that which is malicious.
 The next step that many organizations have taken is to install intrusion detection systems (IDS), which can monitor traffic for attack signatures that represent hostile activity.

 Intrusion detection (ID) is a type of security management system for computers and networks.
 An ID system gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both
› intrusions (attacks from outside the organization) and
› misuse (attacks from within the organization).

 ID uses vulnerability assessment (sometimes referred to as scanning), which is a technology developed to assess the security of a computer system or network.

Functions of an ID system include:
 Monitoring and analyzing both user and system activities
 Analyzing system configurations and vulnerabilities
 Assessing system and file integrity
 Ability to recognize patterns typical of attacks
 Analysis of abnormal activity patterns
 Tracking user policy violations

 Typically, an ID system follows a two-step process.
 The first procedures are host-based and are considered the passive component:
› inspection of the system's configuration files to detect inadvisable settings
› inspection of the password files to detect inadvisable passwords
› inspection of other system areas to detect policy violations.
 The second procedures are network-based and are considered the active component.
 Mechanisms are set in place to reenact known methods of attack and to record system responses.

 Network-based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior based solely on network traffic.
 A network IDS, using either a network tap, SPAN port, or hub, collects packets that traverse a given network.
 Using the captured data, the IDS processes and flags any suspicious traffic.
 The role of a network IDS is passive, only gathering, identifying, logging and alerting.

 Host-based intrusion detection (HIDS) attempts to identify unauthorized, illicit, and anomalous behavior on a specific device.
 HIDS generally involves an agent installed on each system, monitoring and alerting on local OS and application activity.
 The installed agent uses a combination of signatures, rules, and heuristics to identify unauthorized activity.
 The role of a host IDS is passive, only gathering, identifying, logging, and alerting.

 A honeypot is simply a system, program or file that has absolutely no purpose in production.
 Therefore, we can always assume that if the honeypot is accessed, it is for some reason unrelated to
 Honeypots are probably one of the last security tools an organization should implement. This is primarily because of the concern that somebody may use the honeypot to attack other systems.

 A honeypot can also be a computer on your network that looks and acts like a legitimate computer but is actually configured to interact with potential hackers.
 Honeypots are also known as a sacrificial lamb, decoy, or booby trap.
 The more realistic the interaction, the longer the attacker will stay occupied on honeypot systems and away from your production systems.
 The longer the hacker stays using the honeypot, the more will be disclosed about their techniques.
 This information can be used to identify what they are after, what their skill level is, and what tools they use.
 All this information is then used to better prepare your network and host defenses.

Frame delivery on a hub
 Step 1: Node A transmits a frame to Node C.
 Step 2: The hub will broadcast this frame to each active port.
 Step 3: Node B will receive the frame and will examine the address in the frame. After determining that it is not the intended host, it will discard the frame.
 Step 4: Node C will also receive the frame and will examine the address. After determining that it is the intended host, it will process the frame further.

 In order for a host to be used as a sniffing agent, the network interface must be set to 'promiscuous' mode.
 Setting this mode requires root or administrator access.
 After this mode is set, the network interface will no longer drop network frames which are addressed to other hosts.
 Rather, it will pass them up to the higher network layers with the expectation that some software at a higher layer will process them.

Sniffing on a hub (promiscuous mode)
 Step 1: Node A transmits a frame to Node C.
 Step 2: The hub will broadcast this frame to each active port.
 Step 3: Node B will receive this frame and will accept it because the network interface has been set to 'promiscuous' mode. This allows a network interface to accept any frames, regardless of the MAC (Media Access Control) address in the frame.
 Step 4: Node C will also receive the frame and will process it as expected. It has no way of knowing that another host has also processed the frame.

Frame delivery on a switch
 Step 1: Node A transmits a frame to Node C.
 Step 2: The switch will examine this frame and determine what the intended host is. It will then set up a connection between Node A and Node C so that they have a 'private' connection.
 Step 3: Node C will receive the frame and will examine the address. After determining that it is the intended host, it will process the frame further.

ARP Spoofing
 When Node A wants to communicate with Node C on the network, it sends an ARP request.
 Node C will send an ARP reply which will include its MAC address.
 Even in a switched environment, this initial ARP request is sent in a broadcast manner.
 It is possible for Node B to craft and send an unsolicited, fake ARP reply to Node A.
 This fake ARP reply will specify that Node B has the MAC address of Node C.
 Node A will unwittingly send the traffic to Node B since it professes to have the intended MAC address.

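A passive check for this on the defender's side, as an added example that is not part of the slides: the monitor below records the IP-to-MAC binding seen in each ARP reply and flags the two signs of the spoof just described, a reply that nobody requested and a reply that changes the MAC already recorded for an IP (the addresses and the capture are constructed).

```python
"""Passive ARP reply monitor (added example, not from the slides).

It records the IP-to-MAC binding carried by ARP replies and flags
(a) a reply that answers no outstanding request and (b) a reply that
claims a different MAC for an IP already on record. Addresses below
are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEvent:
    op: str           # "request" or "reply"
    sender_ip: str    # in a reply: the IP the sender claims to own
    sender_mac: str   # the MAC the requester is being told to use
    target_ip: str    # in a request: the IP being resolved


class ArpMonitor:
    def __init__(self):
        self.bindings = {}     # ip -> mac learned from the first reply seen
        self.pending = set()   # ips with an outstanding request
        self.alerts = []

    def observe(self, ev):
        if ev.op == "request":
            self.pending.add(ev.target_ip)
            return
        if ev.op != "reply":
            return
        # A reply nobody asked for is the hallmark of the spoof. Gratuitous ARP
        # on boot or failover also looks like this, so it is a signal to
        # verify, not proof on its own.
        if ev.sender_ip in self.pending:
            self.pending.discard(ev.sender_ip)
        else:
            self.alerts.append(f"unsolicited reply: {ev.sender_ip} is-at {ev.sender_mac}")
        known = self.bindings.get(ev.sender_ip)
        if known is None:
            self.bindings[ev.sender_ip] = ev.sender_mac
        elif known != ev.sender_mac:
            # Keep the first binding; this change is exactly what Node A's
            # ARP cache would have accepted silently.
            self.alerts.append(f"binding changed: {ev.sender_ip} {known} -> {ev.sender_mac}")


A_IP, C_IP = "10.0.0.1", "10.0.0.3"
A_MAC, B_MAC, C_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"

# Constructed capture: A resolves C, C answers, then B injects a fake reply
# claiming C's IP lives at B's MAC.
CAPTURE = [
    ArpEvent("request", A_IP, A_MAC, C_IP),
    ArpEvent("reply", C_IP, C_MAC, A_IP),
    ArpEvent("reply", C_IP, B_MAC, A_IP),
]


def run_monitor(events=CAPTURE):
    """Feed the capture to a fresh monitor and return it for inspection."""
    mon = ArpMonitor()
    for ev in events:
        mon.observe(ev)
    return mon


if __name__ == "__main__":
    for line in run_monitor().alerts:
        print(line)
```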
MAC Flooding
 On some switches, it is possible to bombard the switch with bogus MAC address data.
 The switch, not knowing how to handle the excess data, will 'fail open'.
 That is, it will revert to a hub and will broadcast all network frames to all ports.
 At this point, one of the more generic network sniffers will work.

MAC Duplicating
 You reconfigure Node B to have the same MAC address as the machine whose traffic you're trying to sniff.
 This is easy to do on a Linux box if you have access to the 'ifconfig' command.
 This differs from ARP Spoofing because, in ARP Spoofing, we are 'confusing' the host by poisoning its ARP cache.
 In a MAC Duplicating attack, we actually confuse the switch itself into thinking two ports have the same MAC address.

IP Filtering
 By enabling IP filtering on your switch, you directly specify which traffic is allowed to flow to and from each port.
 This can be a monumental effort to put in place and manage, especially if your environment is dynamic.
Port Security
 If your hub or switch has the ability to enable port security, this will help to protect you from both the MAC Flood and MAC Spoofing attacks.
 This feature effectively prevents the hub or switch from recognizing more than 1 MAC address on a physical port.
Routing Security
 No workstations should be allowed to run a routing protocol as they may be compromised.
 Management of any of your network gear should be through a secure connection and not through telnet, which passes the administrative login/password in cleartext.

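To see how the flood, the duplicated address and the one-MAC-per-port rule interact, here is an added simulation (not code from the slides) of a switch with a small forwarding table; the port numbers, the table size and the MAC addresses are constructed for the demonstration.

```python
"""CAM-table model of a switch, with and without port security.

Added example, not code from the slides. It simulates the behaviours the
slides describe (address learning, 'fail open' under MAC flooding, and a
MAC duplicating attack) and shows how a sticky one-MAC-per-port rule that
shuts the offending port stops both. All values are constructed.
"""

A_MAC, B_MAC, C_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, cam_capacity, port_security=False):
        self.ports = set(ports)
        self.cam = {}                 # mac -> port; insertion order doubles as age
        self.cam_capacity = cam_capacity
        self.port_security = port_security
        self.sticky = {}              # port -> the single MAC allowed on it
        self.shutdown = set()         # ports disabled after a violation

    def _learn(self, port, mac):
        """Record mac on port; return False if port security rejects the frame."""
        if self.port_security:
            allowed = self.sticky.setdefault(port, mac)   # first MAC seen sticks
            if allowed != mac:
                # A second MAC on the same port: a flood or a duplicated address.
                self.shutdown.add(port)
                self.cam = {m: p for m, p in self.cam.items() if p != port}
                return False
        if mac not in self.cam and len(self.cam) >= self.cam_capacity:
            # Table full: the oldest entry is overwritten. This is how a stream
            # of bogus addresses pushes the real hosts out of the table.
            self.cam.pop(next(iter(self.cam)))
        self.cam[mac] = port
        return True

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of ports the frame leaves on."""
        if in_port in self.shutdown or not self._learn(in_port, src_mac):
            return set()
        out = self.cam.get(dst_mac)
        if out is not None and out != in_port:
            return {out}                  # the 'private' connection
        return self.ports - {in_port}     # unknown destination: behave like a hub


def run(attack, port_security):
    """A on port 1, B on port 2, C on port 3; B attacks; where does A->C go?"""
    sw = Switch(ports={1, 2, 3}, cam_capacity=4, port_security=port_security)
    sw.forward(1, A_MAC, C_MAC)   # first contact: C unknown, so flooded once
    sw.forward(3, C_MAC, A_MAC)   # C answers; now A and C are both learned
    sw.forward(2, B_MAC, A_MAC)   # B is an ordinary host on port 2
    private = sw.forward(1, A_MAC, C_MAC)      # {3}: B sees nothing
    if attack == "flood":
        for i in range(10):                     # bogus source MACs from B's port
            sw.forward(2, f"02:00:00:00:01:{i:02x}", BROADCAST)
    elif attack == "duplicate":
        sw.forward(2, C_MAC, A_MAC)             # B sends using C's address
    after = sw.forward(1, A_MAC, C_MAC)
    return private, after, sorted(sw.shutdown)


if __name__ == "__main__":
    for attack in ("flood", "duplicate"):
        for ps in (False, True):
            print(attack, "port_security=%s" % ps, run(attack, ps))
```

Without port security the flood evicts A and C from the table and the next A-to-C frame is sent to every port, while the duplicated address redirects it to B's port alone; with port security, B's port is shut at the first violation and A-to-C stays on port 3.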
 Knowledge-based intrusion detection techniques apply the knowledge accumulated about specific attacks and system vulnerabilities.
 The IDS contains information about these vulnerabilities and looks for attempts to exploit them.
 When such an attempt is detected, an alarm is triggered.

 In other words, any action that is not explicitly recognized as an attack is considered acceptable.
 Therefore, the accuracy of knowledge-based intrusion detection systems is considered good.
 However, their completeness (i.e. the fact that they detect all possible attacks) depends on the regular update of knowledge about attacks.

 Advantages of the knowledge-based approaches are that they have the potential for very low false alarm rates.

 Behavior-based intrusion detection techniques assume that an intrusion can be detected by observing a deviation from normal or expected behavior of the system or the users.
 The model of normal or valid behavior is extracted from reference information collected by various means.
 The intrusion detection system later compares this model with the current activity.
 When a deviation is observed, an alarm is generated.
 In other words, anything that does not correspond to a previously learned behavior is considered intrusive.
 Therefore, the intrusion detection system might be complete (i.e. all attacks should be caught), but its accuracy is a difficult issue (i.e. you get a lot of false alarms).

 Advantages of behavior-based approaches are that they can detect attempts to exploit new and unforeseen vulnerabilities.
 They can even contribute to the (partially) automatic discovery of these new attacks.
 They also help detect 'abuse of privileges' types of attacks that do not actually involve exploiting any security vulnerability.
 In short, this is the paranoid approach: everything which has not been seen previously is dangerous.
 The high false alarm rate is generally cited as the main drawback of behavior-based techniques, because the entire scope of the behavior of an information system may not be covered during the learning phase.
 Also, behavior can change over time, introducing the need for periodic online retraining of the behavior profile, resulting either in unavailability of the intrusion detection system or in additional false alarms.
 The information system can undergo attacks at the same time the intrusion detection system is learning the behavior. As a result, the behavior profile contains intrusive behavior, which is not detected as anomalous.
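The trade-off between the two approaches, including the learning-phase problem just described, as an added example that is not from the slides: a signature detector and a learned-profile detector are run over the same constructed web requests (hosts, paths and the signature patterns are all constructed for the demonstration).

```python
"""Knowledge-based vs behavior-based detection over constructed web logs.

Added example, not code from the slides. A minimal signature detector and
a minimal learned-profile detector analyze the same constructed requests,
showing that the signature side is accurate but incomplete, the behavior
side is complete but raises a false alarm on legitimate new activity, and
a profile learned while an attack is under way treats that attack as normal.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    client: str
    method: str
    path: str


# Knowledge base: patterns of attacks we already know about (constructed).
SIGNATURES = {
    "path traversal": "../",
    "sql injection": "' OR 1=1",
}


def resource(path):
    """Drop the query string so /products?id=7 and ?id=2 are one resource."""
    return path.split("?", 1)[0]


def signature_alerts(events):
    """Knowledge-based: alarm only on what the knowledge base recognizes."""
    return [(i, name) for i, ev in enumerate(events)
            for name, pattern in SIGNATURES.items() if pattern in ev.path]


class BehaviorProfile:
    """Behavior-based: anything not seen during learning is intrusive."""

    def __init__(self, training):
        self.known = {(ev.method, resource(ev.path)) for ev in training}

    def alerts(self, events):
        return [(i, "not in learned profile") for i, ev in enumerate(events)
                if (ev.method, resource(ev.path)) not in self.known]


# Constructed learning-phase traffic: legitimate use of the site only.
TRAINING = [
    Request("10.0.0.5", "GET", "/index.html"),
    Request("10.0.0.5", "GET", "/products?id=1"),
    Request("10.0.0.6", "POST", "/login"),
    Request("10.0.0.6", "GET", "/products?id=2"),
]

# Constructed traffic to analyze, with what an analyst would say about each.
TEST = [
    Request("10.0.0.5", "GET", "/products?id=7"),            # 0: normal
    Request("10.0.0.9", "GET", "/static/../../secret.txt"),  # 1: known attack
    Request("10.0.0.9", "DELETE", "/admin/users"),           # 2: unforeseen abuse
    Request("10.0.0.5", "GET", "/blog"),                     # 3: legitimate new page
]


def compare(training=TRAINING, events=TEST):
    """Return the flagged line numbers for each approach."""
    return {
        "knowledge": sorted({i for i, _ in signature_alerts(events)}),
        "behavior": [i for i, _ in BehaviorProfile(training).alerts(events)],
    }


def poisoned_profile_misses_attack():
    """The slides' last point: an attack seen during learning becomes 'normal'."""
    poisoned = TRAINING + [Request("10.0.0.9", "DELETE", "/admin/users")]
    return compare(poisoned)["behavior"]


if __name__ == "__main__":
    print(compare())                           # knowledge [1], behavior [1, 2, 3]
    print(poisoned_profile_misses_attack())    # [1, 3]: line 2 now passes
```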
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Recently uploaded (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

L2 Intrusion Detection System (IDS)

  • 1. Rushdi Shams, Lecturer, Dept of CSE, KUET, Bangladesh
  • 2.
   If a computer is on the Internet, or receives data from the Internet, including Web browsing or email, then security is a problem.
   This is true for everyone, as automated scanners and worms do not make distinctions between targets.
   Simply, if your system has vulnerabilities, it will be hit.
  • 3.
   Because security problems are ubiquitous, security solutions should be also.
   To be effective, this security must follow a "defense in depth" strategy or a layered approach. This means that security is layered in hopes that if an attack passes through one layer, it is caught by the next, or the next.
   Defense in depth combines network security and host-based security (especially antivirus software).
   While each layer is important, no layer is sufficient on its own.
   Many end users make the mistake of thinking that a firewall, by itself, constitutes network security.
  • 4.
   With market penetration of firewalls reaching more than 95 percent, security problems still persist for organizations large and small.
   Simply allowing Web traffic allows all Web traffic, including that which is malicious.
   The next step that many organizations have taken is to install intrusion detection systems (IDS), which can monitor traffic for attack signatures that represent hostile activity.
  • 5.
   Intrusion detection (ID) is a type of security management system for computers and networks.
   An ID system gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both
  › intrusions (attacks from outside the organization) and
  › misuse (attacks from within the organization).
  • 6.
   ID uses vulnerability assessment (sometimes referred to as scanning), which is a technology developed to assess the security of a computer system or network.
  • 7.
   Monitoring and analyzing both user and system activities
   Analyzing system configurations and vulnerabilities
   Assessing system and file integrity
   Ability to recognize patterns typical of attacks
   Analysis of abnormal activity patterns
   Tracking user policy violations
  • 8.
   Typically, an ID system follows a two-step process.
   The first procedures are host-based and are considered the passive component:
  › inspection of the system's configuration files to detect inadvisable settings
  › inspection of the password files to detect inadvisable passwords
  › inspection of other system areas to detect policy violations.
  • 9.
   The second procedures are network-based and are considered the active component:
   mechanisms are set in place to reenact known methods of attack and to record system responses.
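A worked example of the passive, host-based component described on slides 8 and 9: inspecting a configuration file for inadvisable settings and a password file for inadvisable entries. This is an added illustration, not code from the original lecture; the sshd_config and shadow-style samples are constructed, the hashes are placeholders, and the policy table of what counts as inadvisable is an assumption made for the example.

```python
"""Passive host-based checks: inspect configuration and password files for
inadvisable settings.  Added example; the sample files below are constructed
for illustration and are not the lecture's or any project's own data."""
import re

# Constructed sample of an sshd_config.  Only the directives listed in the
# policy table further down are examined.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
Protocol 2
"""

# Constructed sample in /etc/shadow layout (name:hash:...).  The hash fields
# are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERHASH:19000:0:99999:7:::
svc_backup::19000:0:99999:7:::
alice:$6$ANOTHERPLACEHOLDER:19000:0:99999:7:::
legacy:DESPLACEHOL:19000:0:99999:7:::
nologin:!:19000:0:99999:7:::
"""

# Hypothetical policy (an assumption for this example): directive -> values
# that should produce a finding.
INADVISABLE_SSHD = {
    "PermitRootLogin": {"yes"},
    "PasswordAuthentication": {"yes"},
    "PermitEmptyPasswords": {"yes"},
}


def inspect_sshd_config(text):
    """Return (directive, value) pairs that match the inadvisable policy."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip().lower()
        if key in INADVISABLE_SSHD and value in INADVISABLE_SSHD[key]:
            findings.append((key, value))
    return findings


def inspect_shadow(text):
    """Flag accounts with an empty password field and accounts whose hash
    does not use a modular-crypt prefix ($id$...), i.e. a legacy format.
    Locked accounts ('!' or '*' in the hash field) are not findings."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty password"))
        elif pw.startswith("!") or pw == "*":
            continue
        elif not re.match(r"^\$[0-9a-z]+\$", pw):
            findings.append((user, "legacy hash format"))
    return findings


if __name__ == "__main__":
    for finding in inspect_sshd_config(SAMPLE_SSHD_CONFIG):
        print("sshd_config:", *finding)
    for finding in inspect_shadow(SAMPLE_SHADOW):
        print("shadow:", *finding)
```

Both functions only read and report; the point of the passive component is that it changes nothing on the host, so findings go to the operator (or an alerting pipeline) rather than being auto-remediated.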
  • 10.
   Network-based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior based solely on network traffic.
   A network IDS, using either a network tap, SPAN port, or hub, collects packets that traverse a given network.
   Using the captured data, the IDS processes and flags any suspicious traffic.
   The role of a network IDS is passive: only gathering, identifying, logging and alerting.
  • 11.
   Host-based intrusion detection (HIDS) attempts to identify unauthorized, illicit, and anomalous behavior on a specific device.
   HIDS generally involves an agent installed on each system, monitoring and alerting on local OS and application activity.
   The installed agent uses a combination of signatures, rules, and heuristics to identify unauthorized activity.
   The role of a host IDS is passive: only gathering, identifying, logging, and alerting.
  • 12.
   A honeypot is simply a system, program or file that has absolutely no purpose in production.
   Therefore, we can always assume that if the honeypot is accessed, it is for some reason unrelated to
   Honeypots are probably one of the last security tools an organization should implement. This is primarily because of the concern that somebody may use the honeypot to attack other systems.
  • 13.
   A honeypot can also be a computer on your network that looks and acts like a legitimate computer but is actually configured to interact with potential hackers.
   Honeypots are also known as a sacrificial lamb, decoy, or booby trap.
   The more realistic the interaction, the longer the attacker will stay occupied on honeypot systems and away from your production systems.
   The longer the hacker stays using the honeypot, the more will be disclosed about their techniques.
   This information can be used to identify what they are after, what their skill level is, and what tools they use.
   All this information is then used to better prepare your network and host defenses.
  • 14.
   Step 1: Node A transmits a frame to Node C.
   Step 2: The hub will broadcast this frame to each active port.
   Step 3: Node B will receive the frame and will examine the address in the frame. After determining that it is not the intended host, it will discard the frame.
   Step 4: Node C will also receive the frame and will examine the address. After determining that it is the intended host, it will process the frame further.
  • 15.
   In order for a host to be used as a sniffing agent, the network interface must be set to 'promiscuous' mode.
   Setting this mode requires root or administrator access.
   After this mode is set, the network interface will no longer drop network frames which are addressed to other hosts.
   Rather, it will pass them up to the higher network layers with the expectation that some software at a higher layer will process them.
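Since the slide notes that sniffing requires the interface to be in promiscuous mode, a host-based agent can check for that state locally. The added example below (not from the original lecture) reads the interface flags that Linux exposes under /sys/class/net/&lt;interface&gt;/flags and tests the IFF_PROMISC bit (0x100); the fake sysfs tree it builds for the demo is constructed so that the code runs offline.

```python
"""Report network interfaces that are in promiscuous mode by reading the
flags Linux publishes under /sys/class/net/<iface>/flags.
Added example for this slide; not code from the original deck."""
import os
import tempfile

IFF_PROMISC = 0x100  # Linux interface flag bit for promiscuous mode


def is_promiscuous(flags_text):
    """flags_text is the content of a sysfs 'flags' file, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Return the sorted names of interfaces whose flags include IFF_PROMISC.
    Interfaces without a readable or parseable flags file are skipped."""
    found = []
    try:
        names = os.listdir(sysfs_root)
    except OSError:
        return found
    for name in names:
        path = os.path.join(sysfs_root, name, "flags")
        try:
            with open(path) as fh:
                if is_promiscuous(fh.read()):
                    found.append(name)
        except (OSError, ValueError):
            continue
    return sorted(found)


def make_fake_sysfs(root, flags_by_iface):
    """Build a constructed sysfs-like tree so the check can run offline."""
    for name, flags in flags_by_iface.items():
        os.makedirs(os.path.join(root, name), exist_ok=True)
        with open(os.path.join(root, name, "flags"), "w") as fh:
            fh.write(flags + "\n")


def demo():
    """Run the check against constructed flags: eth0 up/broadcast/multicast,
    eth1 the same plus IFF_PROMISC, lo up/loopback.  Returns ['eth1']."""
    with tempfile.TemporaryDirectory() as tmp:
        make_fake_sysfs(tmp, {"eth0": "0x1003", "eth1": "0x1103", "lo": "0x9"})
        return promiscuous_interfaces(tmp)


if __name__ == "__main__":
    print("demo tree:", demo())
    print("this host:", promiscuous_interfaces())
```

This check only reports the state of the kernel on the host where it runs; a sniffer on another host connected to the same hub is invisible to it, which is why the later slides move the discussion to the switch.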
  • 16.
   Step 1: Node A transmits a frame to Node C.
   Step 2: The hub will broadcast this frame to each active port.
   Step 3: Node B will receive this frame and will accept it because the network interface has been set to 'promiscuous' mode. This allows a network interface to accept any frames, regardless of the MAC (Media Access Control) address in the frame.
   Step 4: Node C will also receive the frame and will process it as expected. It has no way of knowing that another host has also processed the frame.
  • 17.
   Step 1: Node A transmits a frame to Node C.
   Step 2: The switch will examine this frame and determine what the intended host is. It will then set up a connection between Node A and Node C so that they have a 'private' connection.
   Step 3: Node C will receive the frame and will examine the address. After determining that it is the intended host, it will process the frame further.
  • 18. ARP Spoofing
   When Node A wants to communicate with Node C on the network, it sends an ARP request.
   Node C will send an ARP reply which will include the MAC address.
   Even in a switched environment, this initial ARP request is sent in a broadcast manner.
   It is possible for Node B to craft and send an unsolicited, fake ARP reply to Node A.
   This fake ARP reply will specify that Node B has the MAC address of Node C.
   Node A will unwittingly send the traffic to Node B since it professes to have the intended MAC address.
  • 19. MAC Flooding
   On some switches, it is possible to bombard the switch with bogus MAC address data.
   The switch, not knowing how to handle the excess data, will 'fail open'.
   That is, it will revert to a hub and will broadcast all network frames to all ports.
   At this point, one of the more generic network sniffers will work.
  • 20. MAC Duplicating
   You reconfigure Node B to have the same MAC address as the machine whose traffic you're trying to sniff.
   This is easy to do on a Linux box if you have access to the 'ifconfig' command.
   This differs from ARP Spoofing because, in ARP Spoofing, we are 'confusing' the host by poisoning its ARP cache.
   In a MAC Duplicating attack, we actually confuse the switch itself into thinking two ports have the same MAC address.
  • 21. IP Filtering
   By enabling IP filtering on your switch, you directly specify which traffic is allowed to flow to and from each port.
   This can be a monumental effort to put in place and manage, especially if your environment is dynamic.
  Port Security
   If your hub or switch has the ability to enable port security, this will help to protect you from both the MAC Flood and MAC Spoofing attacks.
   This feature effectively prevents the hub or switch from recognizing more than 1 MAC address on a physical port.
  Routing Security
   No workstations should be allowed to run a routing protocol, as they may be compromised.
   Management of any of your network gear should be through a secure connection and not through telnet, which passes the administrative login/password in cleartext.
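Added detection logic for the three switched-network attacks on slides 18 to 20, modelled on the port security rule above (no more than one MAC address per physical port) plus a rate check for floods and a change check for ARP replies. It is example code, not from the lecture; the port numbers, MAC addresses and IP addresses in the replay are constructed, and the thresholds (one MAC per port, 50 new MACs within 10 seconds) are assumptions.

```python
"""Switch-side monitor that raises alerts for ARP cache poisoning (an IP
answered by a different MAC than before), MAC flooding (many new source MACs
on one port within a short window), MAC duplication (one MAC seen on two
ports) and the plain port-security limit.  Added example with constructed
observations; not code from the original deck."""
from collections import defaultdict

# Constructed addresses for Nodes A, B and C of the slides.
MAC_A, MAC_B, MAC_C = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"


class SwitchMonitor:
    """Tracks which source MACs appear on which ports and which MAC answers
    for each IP in ARP replies; alerts are appended to self.alerts."""

    def __init__(self, max_macs_per_port=1, flood_threshold=50, window=10.0):
        self.max_macs_per_port = max_macs_per_port  # port-security limit (assumed)
        self.flood_threshold = flood_threshold      # new MACs per window (assumed)
        self.window = window                        # seconds (assumed)
        self.port_macs = defaultdict(set)           # port -> MACs seen
        self.mac_ports = defaultdict(set)           # MAC -> ports seen on
        self.arp_table = {}                         # IP -> MAC from ARP replies
        self.new_mac_times = defaultdict(list)      # port -> times of new MACs
        self.alerts = []

    def observe_frame(self, ts, port, src_mac):
        """Learn (port, src_mac); alert on port-security, flood, duplicate."""
        if src_mac in self.port_macs[port]:
            return                                  # nothing new to learn
        self.port_macs[port].add(src_mac)
        self.mac_ports[src_mac].add(port)

        # Port security: alert once, when the port first exceeds its limit.
        if len(self.port_macs[port]) == self.max_macs_per_port + 1:
            self.alerts.append(("port-security", port, src_mac))

        # MAC flooding: count new MACs on this port inside the sliding window.
        times = self.new_mac_times[port]
        times.append(ts)
        while times and ts - times[0] > self.window:
            times.pop(0)
        if len(times) >= self.flood_threshold:
            self.alerts.append(("mac-flood", port, len(times)))
            times.clear()                           # report one burst once

        # MAC duplication: the same MAC now seen on a second physical port.
        if len(self.mac_ports[src_mac]) == 2:
            ports = tuple(sorted(self.mac_ports[src_mac]))
            self.alerts.append(("mac-duplicate", src_mac, ports))

    def observe_arp_reply(self, ts, port, sender_ip, sender_mac):
        """ARP cache poisoning shows up as an IP changing its MAC."""
        self.observe_frame(ts, port, sender_mac)
        known = self.arp_table.get(sender_ip)
        if known is not None and known != sender_mac:
            self.alerts.append(("arp-change", sender_ip, known, sender_mac))
        self.arp_table[sender_ip] = sender_mac


def run_demo():
    """Replay a constructed sequence: legitimate ARP replies from A (port 1)
    and C (port 3); then B on port 2 claims C's IP, bursts 60 bogus source
    MACs, and finally sends a frame using C's MAC.  Returns the alert list."""
    mon = SwitchMonitor()
    mon.observe_arp_reply(0.0, 1, "10.0.0.1", MAC_A)
    mon.observe_arp_reply(0.5, 3, "10.0.0.3", MAC_C)
    mon.observe_arp_reply(1.0, 2, "10.0.0.3", MAC_B)      # unsolicited fake reply
    for i in range(60):                                   # bogus MAC burst
        bogus = "02:00:00:00:%02x:%02x" % (i // 256, i % 256)
        mon.observe_frame(2.0 + i * 0.05, 2, bogus)
    mon.observe_frame(9.0, 2, MAC_C)                      # C's MAC on B's port
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The replay yields four alerts in order: arp-change for 10.0.0.3, port-security on port 2, mac-flood on port 2 and mac-duplicate for MAC_C. An arp-change alert is also raised when a host legitimately gets a new network card, so in practice it is correlated with other signals rather than acted on alone.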
  • 22.
   Knowledge-based intrusion detection techniques apply the knowledge accumulated about specific attacks and system vulnerabilities.
   The IDS contains information about these vulnerabilities and looks for attempts to exploit them.
   When such an attempt is detected, an alarm is triggered.
  • 23.
   In other words, any action that is not explicitly recognized as an attack is considered acceptable.
   Therefore, the accuracy of knowledge-based intrusion detection systems is considered good.
   However, their completeness (i.e. the fact that they detect all possible attacks) depends on the regular update of knowledge about attacks.
  • 24.
   Advantages of the knowledge-based approaches are that they have the potential for very low false alarm rates.
  • 25.
   Behavior-based intrusion detection techniques assume that an intrusion can be detected by observing a deviation from normal or expected behavior of the system or the users.
   The model of normal or valid behavior is extracted from reference information collected by various means.
   The intrusion detection system later compares this model with the current activity.
  • 26.
   When a deviation is observed, an alarm is generated.
   In other words, anything that does not correspond to a previously learned behavior is considered intrusive.
   Therefore, the intrusion detection system might be complete (i.e. all attacks should be caught), but its accuracy is a difficult issue (i.e. you get a lot of false alarms).
  • 27.
   Advantages of behavior-based approaches are that they can detect attempts to exploit new and unforeseen vulnerabilities.
   They can even contribute to the (partially) automatic discovery of these new attacks.
   They also help detect 'abuse of privileges' types of attacks that do not actually involve exploiting any security vulnerability.
   In short, this is the paranoid approach: everything which has not been seen previously is dangerous.
  • 28.
   The high false alarm rate is generally cited as the main drawback of behavior-based techniques, because the entire scope of the behavior of an information system may not be covered during the learning phase.
   Also, behavior can change over time, introducing the need for periodic online retraining of the behavior profile, resulting either in unavailability of the intrusion detection system or in additional false alarms.
  • 29.
   The information system can undergo attacks at the same time the intrusion detection system is learning the behavior. As a result, the behavior profile contains intrusive behavior, which is not detected as anomalous.
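Added example contrasting the knowledge-based and behavior-based approaches of slides 22 to 29 over constructed HTTP access-log lines (neither the code nor the data comes from the lecture). The signatures, the log format, and the behavior model (first path segment plus request size) are assumptions chosen for illustration; the replay shows the signature detector with no false alarms but one missed novel request, the anomaly detector catching that request but also flagging a harmless new page, and the poisoned-learning problem of slide 29.

```python
"""Knowledge-based (signature) detection beside behavior-based (anomaly)
detection over constructed access-log lines of the form
'METHOD PATH STATUS SIZE'.  Added example; not code or data from the deck."""
import re
from collections import Counter

# Constructed baseline traffic, assumed attack-free (the learning phase).
TRAINING = [
    "GET /index.html 200 1024",
    "GET /login 200 2048",
    "POST /login 302 512",
    "GET /products 200 4096",
    "GET /products/42 200 3000",
    "GET /static/app.js 200 8192",
] * 10  # repeated to look like a day of traffic

# Constructed live traffic: benign lines, one known attack, one novel one.
LIVE = [
    "GET /index.html 200 1024",
    "GET /products/17 200 2900",
    "GET /reports/q3 200 4500",              # new but legitimate page
    "GET /static/../../etc/passwd 403 300",  # matches a known signature
    "POST /api/upload 200 2000000",          # novel: unseen path, huge size
]

# Knowledge base: a few attack signatures (assumed, for illustration).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)(union\s+select|'\s*or\s+1=1)"),
}


def parse(line):
    method, path, status, size = line.split()
    return method, path, int(status), int(size)


def top_segment(path):
    """'/products/42' -> '/products'; used as the coarse endpoint feature."""
    return "/" + path.lstrip("/").split("/", 1)[0]


def knowledge_based(lines):
    """Flag only lines that match a known signature (slides 22-24)."""
    hits = []
    for line in lines:
        for name, rx in SIGNATURES.items():
            if rx.search(line):
                hits.append((line, name))
                break
    return hits


class BehaviorModel:
    """Normal = (method, first path segment) seen in training, and a request
    size no larger than three times the largest size seen (slides 25-28)."""

    def __init__(self, training):
        self.profile = Counter()
        self.max_size = 0
        for line in training:
            method, path, _, size = parse(line)
            self.profile[(method, top_segment(path))] += 1
            self.max_size = max(self.max_size, size)

    def flag(self, lines):
        hits = []
        for line in lines:
            method, path, _, size = parse(line)
            if (method, top_segment(path)) not in self.profile:
                hits.append((line, "unseen endpoint"))
            elif size > 3 * self.max_size:
                hits.append((line, "size deviates"))
        return hits


def poisoned_learning_demo():
    """Slide 29: if the novel request is present during learning, the same
    request is later considered normal and nothing is flagged."""
    poisoned = TRAINING + ["POST /api/upload 200 2000000"]
    return BehaviorModel(poisoned).flag(["POST /api/upload 200 2000000"])


if __name__ == "__main__":
    print("signatures:", knowledge_based(LIVE))
    print("behavior:  ", BehaviorModel(TRAINING).flag(LIVE))
    print("poisoned:  ", poisoned_learning_demo())
```

Note that the anomaly model also misses the traversal request, because by its chosen features (endpoint and size) that request looks like ordinary /static traffic; which attacks a behavior-based system is "complete" for depends entirely on what the profile measures, which is one more reason to layer the two approaches as slide 3 recommends.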