Chapter 3 - Intrusion Detection
Intrusion Detection System
Intrusion and Intrusion Detection
• Intrusion: attempting to break into or misuse your system.
• Intruders may be from outside the network or legitimate users of the network.
• Intrusion can be a physical, system or remote intrusion.
Different ways to intrude
• Buffer overflows
• Unexpected combinations
• Unhandled input
• Race conditions
Intrusion Detection System
(Architecture diagram with the components: Event Provider, Analysis Engine, Knowledge Base, Response Model, Alert Database, Other machines.)
Intrusion Detection Systems (IDS)
• Different ways of classifying an IDS. IDS based on:
  – anomaly detection
  – signature based misuse detection
  – host based
  – network based
  – stack based
Intrusion Detection Systems (IDS)
Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.
Anomaly based IDS
• This IDS models the normal usage of the network as a noise characterization.
• Anything distinct from the noise is assumed to be intrusion activity.
  – e.g. flooding a host with lots of packets.
• The primary strength is its ability to recognize novel attacks.
Drawbacks of Anomaly detection IDS
• Assumes that intrusions will be accompanied by manifestations that are sufficiently unusual to permit detection.
• These generate many false alarms and hence compromise the effectiveness of the IDS.
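As an added example (not from the slides), a toy anomaly detector in Python that builds the "noise characterization" from constructed packet-rate samples for one host and flags intervals that deviate from it; the samples, the observed intervals and the three-standard-deviation threshold are all assumptions. It shows both the strength (the flood is caught without any signature) and the drawback (a legitimate burst is flagged too):

```python
"""Toy anomaly-based IDS (hypothetical): learn what normal traffic to a host
looks like, then flag anything distinct from that baseline."""
from statistics import mean, pstdev

# Constructed training data: packets-per-second samples for one host during
# normal operation. This is the slide's "noise characterization".
NORMAL_PPS = [40, 45, 38, 52, 47, 41, 49, 44, 50, 43, 46, 39]

# Constructed intervals to analyze: (time, packets per second, what really
# happened). The last column is ground truth used only to score the detector.
OBSERVED = [
    ("09:00", 48, "normal"),
    ("09:01", 51, "normal"),
    ("09:02", 900, "flood"),          # host flooded with packets (novel attack)
    ("09:03", 120, "backup window"),  # legitimate burst: will raise a false alarm
]


def build_profile(samples):
    """Characterize normal usage by its mean and (population) standard deviation."""
    return {"mean": mean(samples), "stdev": pstdev(samples)}


def is_anomalous(profile, pps, k=3.0):
    """Anything farther than k standard deviations from normal is treated as
    distinct from the noise and therefore assumed to be intrusion activity."""
    return abs(pps - profile["mean"]) > k * profile["stdev"]


def detect(profile, observed, k=3.0):
    """Return one alert per anomalous interval, marking false alarms using the
    ground-truth label (which a real IDS of course does not have)."""
    alerts = []
    for ts, pps, truth in observed:
        if is_anomalous(profile, pps, k):
            alerts.append({"time": ts, "pps": pps, "cause": truth,
                           "false_alarm": truth != "flood"})
    return alerts


def run(samples=NORMAL_PPS, observed=OBSERVED, k=3.0):
    """Train on the normal samples and analyze the observed intervals."""
    return detect(build_profile(samples), observed, k)


if __name__ == "__main__":
    for alert in run():
        kind = "FALSE ALARM" if alert["false_alarm"] else "DETECTED"
        print(f"{alert['time']} {alert['pps']} pps -> {kind} ({alert['cause']})")
```

Raising k reduces the false alarm on the backup window but also raises the bar an attack must clear to be noticed, which is the trade-off the drawbacks slide describes.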
Signature based IDS
• This IDS possesses an attack description that can be matched to sensed attack manifestations.
• The question of what information is relevant to an IDS depends upon what it is trying to detect.
  – e.g. DNS, FTP etc.
Signature based IDS (contd.)
• The ID system is programmed to interpret a certain series of packets, or a certain piece of data contained in those packets, as an attack. For example, an IDS that watches web servers might be programmed to look for the string "phf" as an indicator of a CGI program attack.
• Most signature analysis systems are based on simple pattern matching algorithms. In most cases, the IDS simply looks for a substring within a stream of data carried by network packets. When it finds this substring (for example, the "phf" in "GET /cgi-bin/phf?"), it identifies those network packets as vehicles of an attack.
Drawbacks of Signature based IDS
• They are unable to detect novel attacks.
• Suffer from false alarms.
• Have to be programmed again for every new pattern to be detected.
Host/Application based IDS
• The host operating system or the application logs the audit information.
• This audit information includes events like the use of identification and authentication mechanisms (logins etc.), file opens and program executions, admin activities etc.
• This audit information is then analyzed to detect trails of intrusion.
Drawbacks of the host based IDS
• The kind of information that needs to be logged is a matter of experience.
• Unselective logging of messages may greatly increase the audit and analysis burdens.
• Selective logging runs the risk that attack manifestations could be missed.
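As an added example (not from the slides), a toy host-based analyzer in Python that parses a constructed audit trail of logins, file opens, program executions and admin activity, and looks for trails of intrusion; the log format, the hostnames and users, and the three rules are all assumptions. Running it once with everything logged and once with only login events logged makes the selective-versus-unselective logging trade-off concrete:

```python
"""Toy host-based IDS (hypothetical): analyze OS/application audit records."""
import re
from collections import Counter

# Constructed audit log in a simple "timestamp host event key=value ..." format.
AUDIT_LOG = """\
2024-01-01T10:00:01 host1 login user=alice result=failure src=10.0.0.8
2024-01-01T10:00:05 host1 login user=alice result=failure src=10.0.0.8
2024-01-01T10:00:09 host1 login user=alice result=success src=10.0.0.8
2024-01-01T10:00:30 host1 file_open user=alice path=/home/alice/notes.txt
2024-01-01T10:01:00 host1 file_open user=alice path=/etc/shadow
2024-01-01T10:01:30 host1 exec user=alice program=/tmp/unknown_binary
2024-01-01T10:02:00 host1 admin user=alice action=useradd name=svc_backup2
""".splitlines()

# Assumed policy: files whose opening by an ordinary user is worth an alert.
SENSITIVE_FILES = {"/etc/shadow", "/etc/sudoers"}

RECORD = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$")


def parse(line):
    """Turn one audit line into a dict; return None for lines that do not parse."""
    m = RECORD.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event"), **fields}


def analyze(lines, logged_events=None, fail_threshold=2):
    """Analyze the audit trail.

    logged_events=None models unselective logging (every event type kept);
    a set such as {"login"} models selective logging of only those types.
    Returns how many records had to be processed and the findings."""
    records = [r for r in map(parse, lines)
               if r and (logged_events is None or r["event"] in logged_events)]
    findings = []
    failures = Counter()  # consecutive failed logins per user
    for r in records:
        ev, user = r["event"], r.get("user", "?")
        if ev == "login" and r.get("result") == "failure":
            failures[user] += 1
        elif ev == "login" and r.get("result") == "success":
            if failures[user] >= fail_threshold:
                findings.append(f"{r['ts']} {user}: login success after {failures[user]} failures")
            failures[user] = 0
        elif ev == "file_open" and r.get("path") in SENSITIVE_FILES:
            findings.append(f"{r['ts']} {user}: opened sensitive file {r['path']}")
        elif ev == "exec" and r.get("program", "").startswith("/tmp/"):
            findings.append(f"{r['ts']} {user}: executed program from /tmp: {r['program']}")
        elif ev == "admin":
            findings.append(f"{r['ts']} {user}: admin activity {r.get('action')} {r.get('name', '')}")
    return {"records": len(records), "findings": findings}


if __name__ == "__main__":
    for label, kinds in (("unselective", None), ("selective (login only)", {"login"})):
        result = analyze(AUDIT_LOG, kinds)
        print(f"{label}: {result['records']} records, {len(result['findings'])} findings")
        for f in result["findings"]:
            print("  " + f)
```

With only logins logged the analysis burden drops from seven records to three, but the file open, the execution from /tmp and the new account never reach the analyzer.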
Strengths of the host based IDS
• Attack verification
• System specific activity
• Encrypted and switched environments
• Monitoring key components
• Near real-time detection and response
• No additional hardware
Stack based IDS
• They are integrated closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers.
• This allows the IDS to pull the packets from the stack before the OS or the application has a chance to process the packets.
Network based IDS
• This IDS looks for attack signatures in network traffic via a promiscuous interface.
• A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known non-malicious traffic.
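As an added example (not from the slides) covering both the signature based IDS slides and the network based IDS slide above, a toy Python pipeline in which a pre-filter discards traffic from sources known to be non-malicious and an attack recognition module then does the substring matching the slides describe, using the "phf" in "GET /cgi-bin/phf?" as the signature. The packet payloads, source addresses, the allowlisted scanner and the second signature are constructed assumptions; the ground-truth labels exist only to score the three signature drawbacks (false alarms, missed novel attacks, and having to add every new pattern by hand):

```python
"""Toy network-based, signature-matching IDS (hypothetical)."""

# Signature database: name -> substring treated as an attack indicator.
# "phf" is the slide's own example.
SIGNATURES = {"cgi-phf-probe": "phf"}

# Constructed pre-filter: sources whose traffic is known to be non-malicious
# (here an internal vulnerability scanner) are discarded before analysis.
KNOWN_BENIGN_SOURCES = {"10.0.0.250"}

# Constructed packets seen on a promiscuous interface:
# (source, data carried by the packet, ground truth used only for scoring).
PACKETS = [
    ("10.0.0.5",   "GET /index.html HTTP/1.0",            "benign"),
    ("10.0.0.250", "GET /cgi-bin/phf? HTTP/1.0",          "benign"),  # scanner's scheduled check
    ("10.0.0.9",   "GET /cgi-bin/phf? HTTP/1.0",          "attack"),  # the slide's example
    ("10.0.0.7",   "GET /docs/phfaq.html HTTP/1.0",       "benign"),  # "phf" inside a benign page name
    ("10.0.0.3",   "GET /cgi-bin/newscript?x=1 HTTP/1.0", "attack"),  # constructed novel attack
]


def prefilter(packets, benign_sources=KNOWN_BENIGN_SOURCES):
    """Discard traffic from known non-malicious sources; pass the rest on."""
    return [p for p in packets if p[0] not in benign_sources]


def match_signatures(payload, signatures=SIGNATURES):
    """Simple substring matching, as most signature analysis systems do."""
    return [name for name, needle in signatures.items() if needle in payload]


def recognize(packets, signatures=SIGNATURES):
    """Attack recognition module: one alert per packet carrying a signature.
    Also counts the two failure modes from the drawbacks slide."""
    report = {"alerts": [], "false_alarms": 0, "missed": 0}
    for src, payload, truth in packets:
        hits = match_signatures(payload, signatures)
        if hits:
            report["alerts"].append({"src": src, "signatures": hits})
            if truth == "benign":
                report["false_alarms"] += 1   # benign data happened to contain the substring
        elif truth == "attack":
            report["missed"] += 1             # no signature for this pattern yet
    return report


def run_ids(packets=PACKETS, signatures=SIGNATURES):
    """Filter, then recognize; report how much the filter removed."""
    passed = prefilter(packets)
    report = recognize(passed, signatures)
    report["discarded_by_filter"] = len(packets) - len(passed)
    return report


if __name__ == "__main__":
    print("initial signature database:", run_ids())
    # The novel attack is only caught once its pattern is programmed in.
    updated = {**SIGNATURES, "cgi-newscript-probe": "newscript"}
    print("after adding a signature:  ", run_ids(signatures=updated))
```

Note that the allowlist suppresses the scanner's probe entirely, so any attacker able to spoof that source address would be filtered out too; real deployments pair such filters with authenticated scanner schedules rather than a bare address.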
Strengths of Network based IDS
• Cost of ownership reduced
• Packet analysis
• Evidence removal
• Real time detection and response
• Malicious intent detection
• Complement and verification
• Operating system independence
Future of IDS
• To integrate the network and host based IDS for better detection.
• Developing IDS schemes for detecting novel attacks rather than individual instantiations.