IP Flow based Intrusion Detection

Presented by
Arangamanikkannan Manickam

Overview

Issues with payload based NIDS
Sampling

    • State information is kept for each active flow
    • Flow look-up for each incoming packet puts heavy demand on CPU and memory resources
    • The IETF PSAMP working group is creating standards for sampling
    • Sampling makes intrusion detection harder
    • Two categories:
        − Packet sampling
        − Flow sampling
Sampling...

    • Packet Sampling
        − Systematic sampling
            • Time-driven sampling
            • Event-driven sampling
        − Random sampling
            • A probability distribution function is used
                − n-in-N sampling
                − Probabilistic sampling
Sampling...

    • Flow Sampling
        − Similar to random packet sampling
        − Sample and hold method
            • A new incoming packet that does not belong to an existing flow leads to the creation of a new flow entry with probability p.
        − Smart sampling
            • Dynamically controls the size of the sampled data
            • Threshold sampling and priority sampling
        − Flow sampling probability depending on
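The three sampling methods the slides name (n-in-N systematic packet sampling, probabilistic packet sampling, and sample-and-hold flow sampling with probability p), as an added Python example that is not part of the deck. The packet trace, addresses, ports and all function names are constructed for illustration; the point it shows is how much flow-table state each method keeps compared with tracking every active flow.

```python
"""Packet sampling and flow sampling as described on the sampling slides.
Added example, not from the deck; traffic trace and names are constructed."""
import random
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, NamedTuple, Tuple


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


FlowKey = Tuple[str, str, int, int, str]


def flow_key(pkt: Packet) -> FlowKey:
    """A flow is identified purely by header fields (the 5-tuple)."""
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)


def n_in_n_sampling(packets: Iterable, n: int, big_n: int) -> Iterator:
    """Systematic, event-driven packet sampling: keep the first n of every N packets."""
    for i, pkt in enumerate(packets):
        if i % big_n < n:
            yield pkt


def probabilistic_sampling(packets: Iterable, p: float, seed: int = 0) -> Iterator:
    """Random packet sampling: each packet is kept independently with probability p."""
    rng = random.Random(seed)
    for pkt in packets:
        if rng.random() < p:
            yield pkt


def sample_and_hold(packets: Iterable[Packet], p: float, seed: int = 0) -> Dict[FlowKey, int]:
    """Flow sampling by sample-and-hold: a packet that matches no existing flow
    entry creates one with probability p; once a flow is held, every later
    packet of it is counted. Long flows are therefore almost always captured,
    while most single-packet flows never enter the table."""
    rng = random.Random(seed)
    table: Dict[FlowKey, int] = {}
    for pkt in packets:
        key = flow_key(pkt)
        if key in table:
            table[key] += 1
        elif rng.random() < p:
            table[key] = 1
    return table


def full_flow_table(packets: Iterable[Packet]) -> Dict[FlowKey, int]:
    """Unsampled baseline: state is kept for every active flow."""
    table: Dict[FlowKey, int] = defaultdict(int)
    for pkt in packets:
        table[flow_key(pkt)] += 1
    return dict(table)


def constructed_trace() -> List[Packet]:
    """Constructed trace: one long flow, five medium flows, 100 single-packet flows."""
    trace: List[Packet] = []
    trace += [Packet("10.0.0.5", "192.0.2.10", 40000, 443, "tcp")] * 50
    for sport in range(41000, 41005):
        trace += [Packet("10.0.0.6", "192.0.2.11", sport, 80, "tcp")] * 5
    for i in range(100):
        trace.append(Packet("10.0.0.7", "192.0.2.12", 50000 + i, 53, "udp"))
    random.Random(0).shuffle(trace)  # interleave the flows as a link would
    return trace


def demo(p: float = 0.2, seed: int = 1) -> Dict[str, int]:
    """Compare the flow state kept with and without sample-and-hold."""
    trace = constructed_trace()
    full = full_flow_table(trace)
    held = sample_and_hold(trace, p, seed)
    return {"packets": len(trace), "flows_full": len(full), "flows_held": len(held)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the trade-off the slides describe: the sampled table is much smaller than the full one, but the single-packet flows that a scan or a flood would produce are exactly the ones most likely to be dropped, which is why sampling makes detection harder.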
Attack Classification

    • Physical attacks
    • Buffer overflow attacks
    • Password attacks
    • (Distributed) Denial of Service attacks
    • Information gathering attacks
    • Trojan horses
    • Worms
    • Viruses
Attack classification...

    • Botnets
        − Group of computers infected with malicious programs that cause them to operate against their owners' intentions and without their knowledge
        − Remotely controlled by bot-masters
        − Perfect for performing distributed attacks
Flow based Intrusion detection

    • As it relies only on the header information, it addresses the following attacks:
        − Denial of service
        − Scans
        − Worms
        − Botnets
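The slide's point that flow-based detection works from header information alone, shown as an added Python example that is not part of the deck: two of the attack classes it lists (scans and denial of service) are found from nothing but flow records, with no payload. The flow records, addresses, thresholds and function names are all constructed for illustration.

```python
"""Header-only flow-based detection of scans and floods.
Added example, not from the deck; flow records and thresholds are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class FlowRecord(NamedTuple):
    """A NetFlow/IPFIX-style record: header fields plus counters, no payload."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    bytes: int


def detect_scans(flows: Iterable[FlowRecord], min_targets: int = 10,
                 max_packets: int = 2) -> List[str]:
    """Scan signature in flow data: one source opens many tiny flows to many
    distinct (destination, port) pairs. Returns the offending source addresses."""
    targets: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            targets[f.src].add((f.dst, f.dport))
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


def detect_floods(flows: Iterable[FlowRecord], min_sources: int = 20,
                  max_packets: int = 2) -> List[str]:
    """(D)DoS signature in flow data: many distinct sources each send tiny
    flows to one destination. Returns the destinations under flood."""
    sources: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            sources[f.dst].add(f.src)
    return sorted(dst for dst, s in sources.items() if len(s) >= min_sources)


def constructed_flows() -> List[FlowRecord]:
    """Constructed flow records: two normal sessions, one port scan, one flood."""
    flows: List[FlowRecord] = [
        FlowRecord("10.0.0.5", "192.0.2.10", 40001, 443, "tcp", 120, 90000),
        FlowRecord("10.0.0.5", "192.0.2.11", 40002, 80, "tcp", 35, 12000),
    ]
    # one host probing 20 ports on a single server, one packet per flow
    for port in range(20, 40):
        flows.append(FlowRecord("10.0.0.9", "192.0.2.10", 50000 + port, port, "tcp", 1, 60))
    # 30 distinct sources each sending a single packet to one destination
    for i in range(1, 31):
        flows.append(FlowRecord(f"198.51.100.{i}", "192.0.2.20", 1024 + i, 80, "tcp", 1, 40))
    return flows


def report(flows: Iterable[FlowRecord]) -> Dict[str, List[str]]:
    """Run both detectors over a batch of records and return the alerts."""
    flows = list(flows)
    return {"scanners": detect_scans(flows), "flooded": detect_floods(flows)}


if __name__ == "__main__":
    print(report(constructed_flows()))
```

The thresholds are deliberately simple; in practice they are tuned per network, and, as the sampling slides warn, a sampled exporter may drop many of the single-packet flows these detectors rely on.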