Intrusion Detection Systems


Intrusion Detection Systems
Assessment of the operation and usefulness of informatics tools for the detection of on-going computer attacks
André Matos, Luís Machado

Work Topics
1. Definition
2. Characteristics of IDS
3. Evolution of intrusion detection systems
4. Passive and/or reactive systems
5. Advantages and disadvantages of IDS
6. Comparison with firewalls
7. Network Based Intrusion Detection System and Host Based Intrusion Detection System
8. Limitations of IDS
9. Evasion Techniques
10. Examples of Intrusion Detection systems
11. Terminology

Definition of Intrusion Detection Systems
- A device or software application that monitors network or system activities for malicious activity or policy violations.
- Produces reports to a management station.
- A burglar alarm for our network.
- The first line of defense in our system.

Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection systems are focused on identifying possible incidents, logging information about them, and reporting attempts. They have become a necessary addition to the security infrastructure of nearly every organization.

IDS help information systems prepare for, and deal with, attacks. They accomplish this by collecting information from a variety of system and network sources, and then analyzing that information for possible security problems. They provide:
- Monitoring and analysis of user and system activity
- Auditing of system configurations and vulnerabilities
- Assessing the integrity of critical system and data files
- Statistical analysis of activity patterns based on matching against known attacks
- Abnormal activity analysis
- Operating system audit

Characteristics of Intrusion Detection Systems
- It must run continually without human supervision. The system must be reliable enough to run in the background.
- It must be fault tolerant, in the sense that it must survive a system crash without having its knowledge base rebuilt at restart.
- The system should be able to monitor itself to ensure that it has not been subverted.
- It must impose minimal overhead on the system, meaning it must not slow down the computer.
- It must be easily tailored to the system in question. Every system has a different usage pattern, and the defense mechanism should adapt easily to these patterns.
- It must cope with changing system behavior over time as new applications are added. The system profile will change over time, and the IDS must be able to adapt.

Evolution of Intrusion Detection Systems
The concept of IDS has been around for almost twenty years, but lately its popularity has risen and it has come to be seen as an indispensable addition to software security. It began with a paper by James Anderson, who called for the detection of misuse and of specific user events. In 1983, Dr. Dorothy Denning began working on a project on these systems, and one year later she helped to develop the first model for intrusion detection. In 1988 there was a second model, for the US Air Force, that produced an IDS that analyzed audit data by comparing it with defined patterns. In the early 90s Haystack Labs became the first commercial vendor of IDS tools, beginning a new era for network security.

Passive or Reactive Systems
A passive IDS simply detects an intrusion attempt and raises an alert. When suspicious or malicious traffic is detected, an alert is generated and sent to the administrator or user, and it is up to them to take action to block the activity or respond in some other way. A reactive IDS will not only detect suspicious or malicious traffic and alert the administrator, but will also take pre-defined proactive actions to respond to the threat. Typically this means blocking any further network traffic from the source IP address or user.

Advantages and Disadvantages of IDS
There is no doubt that an IDS is extremely important in keeping our network safe from malicious activity; it is fair to say that it is indispensable to government or big business networks.
Advantages:
- Round-the-clock activity
- Versatile capability of these systems (they can adapt to a user's needs and allow custom-built network security)

Disadvantages:
- Inability to distinguish malicious activity from friendly activity
- False positives and false negatives. A false positive is a situation in which an IDS triggers an alarm without a true security intrusion; this is problematic because it diminishes the value of real security alerts. A false negative is the inability to detect a true security event, meaning malicious activity goes undetected.

Comparison with Firewalls
There is a fine line between a firewall and an IDS. Firewalls monitor computer communication ports, make computers invisible on the Internet, and can be programmed to alert the user to potential threats or to work quietly in the background, blocking unauthorized communications. Basically, a firewall is the first line of perimeter defense; however, as the number of attacks and vulnerabilities rises, network administrators are looking to extend firewalls.

Intrusion detection is considered by many to complement network firewalls, extending the security management capabilities of system administrators to include security audit, monitoring, attack recognition, and response. There is also a technology called an Intrusion Prevention System (IPS). An IPS is essentially a firewall that combines network-level and application-level filtering with a reactive IDS to proactively protect the network. It seems that as time goes on, firewalls, IDS and IPS take on more attributes from each other and blur the line even further.

Network Based Intrusion Detection System and Host Based Intrusion Detection System
Network Based IDS
Intrusion detection is network-based when the system is used to analyze network packets. Network packets are usually sniffed off the network, although they can also be derived from the output of switches and routers. There are many attack scenarios that would not be detected by host-based technology, which highlights the differences between the two: a NIDS examines packet traffic directed toward potentially vulnerable computer systems on a network, while a host-based system examines user and software activity on a host.

Host Based IDS
- A host-based IDS monitors all or parts of the dynamic behavior and the state of a computer system.
- Host-based systems are designed more to deter insiders, but can't effectively deter outsiders. The exact opposite is true for network intrusion detection systems.
- Host-based systems provide poor real-time response and cannot effectively protect against one-time catastrophic events.
- They are, however, excellent at detecting and responding to long-term attacks, such as data theft or disgruntled employees.
- Host-based intrusion detection systems also analyze user statistics to determine misuse. This method is called statistical analysis.

Limitations of IDS
However necessary, an IDS cannot provide completely accurate detection. They have serious limitations, such as:
- Noise can severely limit an intrusion detection system's effectiveness. Bad packets generated by software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.
- It is not uncommon for the number of real attacks to be far below the false-alarm rate. Real attacks are often so far below the false-alarm rate that they are missed and ignored.
- Many attacks are geared to specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to new strategies.

Other limitations of IDS are that they can't perform a handful of basic functions, such as:
- Compensating for weak or missing security mechanisms in the protection infrastructure
- Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or processing load
- Detecting newly published attacks or variants of existing attacks
- Effectively responding to attacks launched by sophisticated attackers
- Automatically investigating attacks without human intervention
- Resisting attacks that are intended to defeat or circumvent them
- Compensating for problems with the fidelity of information sources
- Dealing effectively with switched networks

Evasion Techniques
IDS evasion techniques are modifications made to attacks in order to prevent detection. They may appear in many forms, such as:
- Obfuscating the attack payload: an IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not.
- Fragmentation and small packets: one basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack.
- Protocol violations: some IDS evasion techniques involve deliberately violating the TCP or IP protocols in a way the target computer will handle differently than the IDS.
- Overlapping fragments: an IDS evasion technique is to craft a series of packets with TCP sequence numbers configured to overlap.
- Denial of service: an adversary can evade detection by disabling or overwhelming the IDS. This can be accomplished by exploiting a bug in the IDS.
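As an added example (not from the presentation), the following Python code shows the detection side of the encoding, fragmentation and overlapping-segment evasions listed above: the same signature set is run once per packet and once over the reassembled, percent-decoded stream, and only the second approach fires. The signatures, the HTTP request, its TCP segments and their sequence numbers are all constructed for the demonstration.

```python
"""Why a NIDS must reassemble and normalise before matching (added example).

A per-packet matcher misses a pattern that is percent-encoded or split across
TCP segments; the same signatures fire once the detector orders the segments by
sequence number, discards overlapping bytes, and decodes the text the way the
target web server would.
"""
import re
from urllib.parse import unquote

# Constructed signature set: name -> regex applied to request text.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./\.\./"),
    "shell-cmd-in-uri": re.compile(r"/bin/sh"),
}

# Constructed TCP segments (sequence number, payload) of one HTTP request,
# delivered out of order, with the path percent-encoded and split so that no
# single segment holds a complete pattern. The fourth entry is a retransmitted
# duplicate of the third; the reassembler must not count its bytes twice.
SEGMENTS = [
    (135, b"h HTTP/1.0\r\n"),
    (100, b"GET /cgi-bin/..%2f.."),
    (120, b"%2f..%2fbin%2fs"),
    (120, b"%2f..%2fbin%2fs"),
]


def match_per_packet(segments, decode=False):
    """Naive detector: signatures run over each segment on its own."""
    hits = set()
    for _seq, payload in segments:
        text = payload.decode("latin-1")
        if decode:
            text = unquote(text)
        hits.update(name for name, rx in SIGNATURES.items() if rx.search(text))
    return hits


def reassemble(segments):
    """Order segments by sequence number and drop bytes already delivered."""
    stream = bytearray()
    next_seq = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if next_seq is None:
            next_seq = seq
        end = seq + len(payload)
        if end <= next_seq:
            continue                              # fully covered by earlier data
        if seq < next_seq:
            payload = payload[next_seq - seq:]    # trim the overlapping prefix
        # A gap (seq > next_seq) would mean lost data; a production NIDS buffers
        # and waits for the retransmission. The constructed input has no gaps.
        stream += payload
        next_seq = end
    return bytes(stream)


def match_stream(segments):
    """Stream-aware detector: reassemble, then decode as the web server would."""
    text = unquote(reassemble(segments).decode("latin-1"))
    return {name for name, rx in SIGNATURES.items() if rx.search(text)}


if __name__ == "__main__":
    print("per packet, raw     :", match_per_packet(SEGMENTS))
    print("per packet, decoded :", match_per_packet(SEGMENTS, decode=True))
    print("reassembled, decoded:", match_stream(SEGMENTS))
```

The overlap rule used here (keep the first copy of a byte) is only one of several policies operating systems apply; a detector that resolves overlaps differently from the host it protects is exactly what the "protocol violations" and "overlapping fragments" techniques exploit, so production sensors are configured per target OS.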

Examples of Intrusion Detection Systems
There are many IDS available, due to the previously mentioned increase in information flow and consequently the increasing need for protection. Here are a few examples of IDS software:

Types of IDS
The most important and significant types of IDS are the previously mentioned Network Based IDS and Host Based IDS; however, there are a few more that are worth mentioning.
- Stack-based IDS is the latest technology, which works by integrating closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers. Watching the packet in this way allows the IDS to pull the packet from the stack before the OS or application has a chance to process it.
- Signature-based IDS use a rule set to identify intrusions by watching for patterns of events specific to known and documented attacks. It is typically connected to a large database which houses attack signatures, and compares the information it gathers against those signatures to detect a match.

- Anomaly-based IDS examines ongoing traffic, activity, transactions and behavior in order to identify intrusions by detecting anomalies. It works on the notion that attack behavior differs enough from normal user behavior that it can be detected by cataloging and identifying the differences involved.
- Some IDS are knowledge-based, which preemptively alert security administrators before an intrusion occurs, using a database of common attacks. Alternatively, there are behavior-based IDS that track all resource usage for anomalies, which is usually a positive sign of malicious activity.
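To show how an anomaly-based IDS works, and how its threshold produces the false positives and false negatives discussed under the disadvantages, here is an added Python example (not from the presentation). It builds a per-host profile of requests per minute from a baseline window assumed to be clean, flags any minute that exceeds the host's mean by more than k standard deviations, and scores the detector against labelled records at several values of k. All hosts, counts and labels are constructed.

```python
"""Statistical anomaly detection with a false-positive / false-negative sweep
(added example, not from the slides)."""
import statistics
from collections import defaultdict

# Constructed baseline window, assumed clean: (source host, minute, requests).
BASELINE = (
    [("10.0.0.5", m, c) for m, c in enumerate([12, 10, 14, 11, 13, 12, 9, 15, 11, 12])]
    + [("10.0.0.8", m, c) for m, c in enumerate([40, 38, 45, 42, 39, 41, 44, 40, 43, 38])]
)

# Constructed evaluation window with ground truth: (host, minute, requests, is_attack).
EVALUATION = [
    ("10.0.0.5", 20, 13, False),
    ("10.0.0.5", 21, 19, False),   # busy but legitimate minute
    ("10.0.0.5", 22, 90, True),    # large burst from a normally quiet host
    ("10.0.0.8", 20, 42, False),
    ("10.0.0.8", 21, 60, True),    # modest burst from an already busy host
    ("10.0.0.8", 22, 41, False),
]


def build_profile(records):
    """Per-host (mean, population standard deviation) of requests per minute."""
    per_host = defaultdict(list)
    for host, _minute, count in records:
        per_host[host].append(count)
    return {h: (statistics.mean(c), statistics.pstdev(c)) for h, c in per_host.items()}


def is_anomalous(profile, host, count, k):
    """Alert when count exceeds the host's mean by more than k standard deviations.

    A host with no baseline is treated as anomalous: there is nothing to compare
    against, so the safe default is to alert.
    """
    if host not in profile:
        return True
    mean, sd = profile[host]
    return count > mean + k * sd


def evaluate(profile, records, k):
    """Confusion counts for threshold k over labelled records."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for host, _minute, count, is_attack in records:
        alert = is_anomalous(profile, host, count, k)
        key = ("tp" if is_attack else "fp") if alert else ("fn" if is_attack else "tn")
        counts[key] += 1
    return counts


def demo():
    """Sweep the threshold to expose the false-positive / false-negative trade-off."""
    profile = build_profile(BASELINE)
    return {k: evaluate(profile, EVALUATION, k) for k in (3, 5, 10)}


if __name__ == "__main__":
    for k, result in demo().items():
        print(f"k={k:>2}: {result}")
```

With these constructed numbers k=3 raises a false positive on the legitimate busy minute, k=10 misses the modest burst from the busy host (a false negative), and k=5 happens to classify everything correctly; in practice no single threshold does, which is why the presentation lists false positives and false negatives together as an inherent disadvantage. The per-host profile also illustrates the "tailored to the system" characteristic: a global threshold would either flood alerts for the busy host or stay blind for the quiet one.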