Intrusion detection system

3,520 views

Published on

Its about intrusion detection system(IDS),types of IDS,different types of intrusion detection system.

Published in: Engineering
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,520
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
264
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

Intrusion detection system

  1. 1. INTRUSION DETECTION SYSTEM
  2. 2. INTRUDERS • Many computer security incidents are caused -by insiders • Who could not be blocked by firewalls. • So as a next level of defense – we are using Intrusion detection system.
  3. 3. INTRUSION DETECTION SYSTEM • intrusion detection system (IDS) is a device • typically another separate computer, that monitors – activity to identify malicious or suspicious events. • An IDS is a sensor
  4. 4. FUNCTIONS • Monitoring users and system activity • auditing system configuration for vulnerabilities and misconfigurations • assessing the integrity of critical system and data files • recognizing known attack patterns in system activity
  5. 5. • identifying abnormal activity through statistical analysis • correcting system configuration errors
  6. 6. TYPES • Signature-based intrusion detection systems: – perform pattern-matching and – report situations that match a pattern corresponding to a known attack type. • Heuristic intrusion detection systems( anomaly based) build a – detection looks for behavior that is out of the ordinary.
  7. 7. • Intrusion detection devices can be – network based or – host based. • network-based IDS is a – stand-alone device attached to the network to monitor traffic throughout that network • host-based IDS runs on a single workstation or client or host, to protect that one host.
  8. 8. Signature-Based Intrusion Detection • The problem with signature-based detection is the signatures themselves. • An attacker will try to modify a basic attack in such a way that it will not match the known signature of that attack. • signature-based IDSs cannot detect a new attack for which a signature is not yet installed in the database
  9. 9. Heuristic Intrusion Detection • heuristic intrusion detection looks for behavior that is out of the ordinary. • Inference engine perform continuous analysis of the system • Raising an alert when systems dirtiness increase the threshold. • Inference engine works in 2 ways – State based intrusion detection system. – Model based intrusion detection system.
  10. 10. State based intrusion detection system: • see the system going through changes of overall state or configuration. • They try to detect when the system moves to unsafe state Model based intrusion detection system: • Map current activity into model of unacceptable activity • Raise an alarm when activity resembles the model.
  11. 11. Misuse intrusion detection: • intrusion detection can work from a model of known bad activity. • All heuristic intrusion detection activity is classified in one of three categories: – good/benign, – suspicious, – unknown. • Over time, specific kinds of actions can move from one of these categories to another,
  12. 12. Stealth Mode • An IDS is a network device . • Any network device is potentially vulnerable to network attacks. • To counter those problems,: • most IDSs run in stealth mode. • an IDS has two network interfaces: – one for the network being monitored – to generate alerts
  13. 13. • The IDS uses the monitored interface as input only – it never sends packets out through that interface. • If the IDS needs to generate an alert, – it uses only the alarm interface on a completely separate control network
  14. 14. Goals for Intrusion Detection Systems • an IDS should be – fast, – simple, – accurate, – while at the same time being complete. – It should detect all attacks with little performance penalty
  15. 15. • An IDS could use some—or all—of the following design approaches: – filter on packet headers – filter on packet content – maintain connection state – use complex, multipacket signatures – use minimal number of signatures with maximum effect – filter in real time, online – hide its presence – use optimal sliding time window size to match signatures
  16. 16. Responding to Alarms • Whatever the type, an intrusion detection system raises an alarm when it finds a match. • The alarm can range from something modest, such as writing a note in an audit log, to something significant, such as paging the system security administrator.
  17. 17. • responses fall into three major categories: – monitor – protect – call a human • Monitoring is appropriate for an attack of initial impact. • Perhaps the real goal is to watch the intruder, • to see : – what resources are being accessed or – what attempted attacks are tried. – This approach should be invisible to the attacker.
  18. 18. • Protecting can mean – increasing access controls and – even making a resource unavailable • In contrast to monitoring, protecting may be very visible to the attacker. • calling a human allows individual discrimination. • The IDS can take an initial defensive action immediately while also generating an alert to a human.
  19. 19. False Results • Intrusion detection systems are not perfect. – and mistakes are their biggest problem. • 2 main false result: – false positive-by raising an alarm for something that is not really an attack – false negative- not raising an alarm for a real attack. • Too many false positives means the administrator will be less confident of the IDS's warnings. • But false negatives mean that real attacks are passing the IDS without action.
  20. 20. IDS Strengths and Limitations • Strength: • IDSs detect an ever-growing number of serious problems. – And as we learn more about problems, we can add their signatures to the IDS model. – Thus, over time, IDSs continue to improve. • becoming cheaper • easier to administer.
  21. 21. • Limitation: • avoiding an IDS is a first priority for successful attackers. • An IDS that is not well defended is useless. • Similar IDS have identical vulnerabilities so – there selection criteria will miss similar attack. • IDS is sensitive – Which is difficult to measure and adjust. • An IDS does not run itself. • General: • IDS ARE EXCELLENT ADDITION TO NETWORK SECURITY
  22. 22. SNORT • It is a light weight open source network – intrusion prevention – Network intrusion detection system(NIDS) • based on signature detection. • It has real time alarming capacity.
  23. 23. • When an attack has occurred the alert tells us: – Date and time the attack occurred. – Source and destination IP address with port number. – Type of attack – Priority
  24. 24. LOCATION: • The snort have to be installed in those part of the network that have to be protected. • The snort can be distributed to different parts of network infrastructure and can send alarm to one central console. • Snort network interface card(NIC) captures all network traffic that goes by its NIC.
  25. 25. TOOLS: • Snort Alert Monitor: – Java based console. – Will give a quick look at the Snort alert – Can be configured to send e-mail when Snort alerts to an attempted exploit on your network. • Snortalog: – It is a Perl based Snort log analyser. – Allows to develop plaint text on HTML summery reports and graph representation of top attack that has been detected by Snort Sensor
  26. 26. • SnortFW: – It analyses incoming Snort alerts and updates iptables firewall to block the attacker. • IDSCenter: – It is an all-in-one centralized graphical utility for managing • Snort • Alerts • Rules • Configuration files • Distributing updates • Generate reports • Email • Auditable/visual alarm notification.

×