Intrusion detection system

Hey guys, here comes my new implementation of my learning, i.e. the IDS, a concept of network security. Go through it and add your valuable comments.

Intrusion Detection System
By: Gaurav Koriya

Content
1. Introduction
2. What is intrusion
3. What is IDS
   (i) Functions
   (ii) Principles
   (iii) Components
   (iv) Types
4. Conclusion

Introduction: Threat to Network Security
A significant security problem for networked systems is hostile, or at least unwanted, trespass by users or software.
- User trespass can take the form of unauthorized logon to a machine or, in the case of an authorized user, acquisition of privileges or performance of actions beyond those that have been authorized.
- Software trespass can take the form of a virus, worm or Trojan horse.

What is an intrusion?
Any set of actions that attempt to compromise the confidentiality, integrity, or availability of a computer resource.

Types of Intruders
In an early study of intrusion, Anderson identified three classes of intruders:
- Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
- Misfeasor: A legitimate user who accesses data, programs or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
- Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit actions.

Consequences of Intrusion
Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many people who simply wish to explore the Internet and see what is out there. At the serious end, an intruder may attempt the following:
- Read privileged data.
- Perform unauthorized modifications to data.
- Disrupt the system settings.
Intrusion Detection System (IDS)
[Diagram: IDS architecture showing an Event Provider feeding an Analysis Engine, which uses a Knowledge Base, writes to an Alert Database and drives a Response Module; other machines connect to the same system]
Intrusion Detection Systems (IDS)
- Intrusion detection is the process of identifying and responding to malicious activity targeted at resources.
- An IDS is a system designed to test/analyze network system traffic/events against a given set of parameters and alert/capture data when these thresholds are met.
- An IDS uses collected information and a predefined knowledge-based system to reason about the possibility of an intrusion.
- An IDS also provides services to cope with an intrusion, such as giving alarms, activating programs to try to deal with the intrusion, etc.

Functions of IDS
- An IDS detects attacks as soon as possible and takes appropriate action.
- An IDS does not usually take preventive measures when an attack is detected.
- It is a reactive rather than a proactive agent.
- It plays the role of an informant rather than a police officer.

Principles of Intrusion Detection Systems
- An IDS must run unattended for extended periods of time.
- The IDS must stay active and secure.
- The IDS must be able to recognize unusual activity.
- The IDS must operate without unduly affecting the system's activity.
- The IDS must be configurable.
Components of IDS
Basically there are three components or modules in an Intrusion Detection System:
- Sensor: Responsible for capturing packets and sending them to the Console class.
- Console: Responsible for analyzing packets captured by the Sensor class.
- The class responsible for displaying the GUI and generating alerts.

Types of IDS
- A network intrusion detection system (NIDS) is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. An example of a NIDS is Snort.
- A protocol-based intrusion detection system (PIDS) consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server.
- An application protocol-based intrusion detection system (APIDS) consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application-specific protocols.
- A host-based intrusion detection system (HIDS) consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state. An example of a HIDS is OSSEC.
- A passive IDS simply detects and alerts. When suspicious or malicious traffic is detected, an alert is generated and sent to the administrator or user, and it is up to them to take action to block the activity or respond in some way.
- A reactive IDS will not only detect suspicious or malicious traffic and alert the administrator, but will take pre-defined proactive actions to respond to the threat. Typically this means blocking any further network traffic from the source IP address or user.

IDS Detection Approaches
- Signature-based IDS
- Statistical anomaly-based IDS

Signature Detection
- Signature detection compares observed activity against known attack patterns (signatures). It is a technique often used in intrusion detection systems and in many anti-malware systems such as anti-virus and anti-spyware. In the signature detection process, network or system information is scanned against a database of known attack or malware signatures. If a match is found, an alert is raised for further action.

Statistical Anomaly Detection
- Statistical anomaly detection involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.
Statistical anomaly detection falls into two broad categories:
- Threshold detection.
- Profile-based anomaly detection.

Statistical Anomaly Detection (continued)
- Threshold detection involves counting the number of occurrences of a specified event type over an interval of time.
- Profile-based anomaly detection focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations.
- Examples of parameters that are useful for profile-based intrusion detection are the following:
  - Counter: Typically, a count of certain event types is kept over a particular period of time. Examples include the number of logins, the number of password failures, and the number of times a given command is executed during a single user session.
  - Interval timer: The length of time between two related events. An example is the length of time elapsed between two successive logins to an account.
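An added example, not part of the slides, that puts the two approaches described above into code: signature matching against a small rule database (the Signature Detection slide) and threshold detection as a per-source count of password failures over a time window (this slide's counter parameter). The log lines, the two signature rules, the 60-second window and the threshold of five failures are all constructed assumptions for the illustration.

```python
# Added example, not from the slides: signature matching plus threshold detection.
import re
from collections import defaultdict, deque

# Signature database (constructed for this example): rule name -> pattern.
SIGNATURES = {
    "root-login-success": re.compile(r"Accepted password for root"),
    "directory-traversal": re.compile(r"\.\./\.\./"),
}
FAIL_PATTERN = re.compile(r"Failed password")
WINDOW_SECONDS = 60  # interval over which failures are counted
FAIL_THRESHOLD = 5   # failures from one source within the window that raise an alert


def detect(events):
    """Run both detectors over (timestamp_seconds, source, message) tuples in time order.
    Returns a list of (timestamp, source, alert_text)."""
    alerts = []
    recent_failures = defaultdict(deque)  # source -> failure timestamps still inside the window
    for ts, src, msg in events:
        # Signature detection: scan the event against every known pattern.
        for name, pattern in SIGNATURES.items():
            if pattern.search(msg):
                alerts.append((ts, src, f"signature:{name}"))
        # Threshold detection: sliding-window count of failed logins per source.
        if FAIL_PATTERN.search(msg):
            window = recent_failures[src]
            window.append(ts)
            while ts - window[0] > WINDOW_SECONDS:  # evict failures older than the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                alerts.append((ts, src, f"threshold:{len(window)} failed logins in {WINDOW_SECONDS}s"))
                window.clear()  # one burst yields one alert; counting restarts
    return alerts

# Constructed sample event stream (not real log data).
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "sshd: Failed password for root"),
    (5, "10.0.0.5", "sshd: Failed password for root"),
    (9, "10.0.0.5", "sshd: Failed password for admin"),
    (12, "10.0.0.5", "sshd: Failed password for admin"),
    (14, "10.0.0.5", "sshd: Failed password for guest"),
    (25, "10.0.0.9", "httpd: GET /static/../../private/config.yml"),
    (90, "10.0.0.5", "sshd: Failed password for root"),
    (95, "10.0.0.9", "sshd: Accepted password for root"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The failure at 90 seconds starts a fresh count because the earlier burst already produced its alert and the window was cleared; a source whose failures are spread more than 60 seconds apart never reaches the threshold.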
Intrusion Detection Architectures
- Host-based IDS
- Network-based IDS

Host-based IDS
- Monitor activities on hosts for
  - Known attacks, or
  - Suspicious behavior
- Designed to detect attacks such as
  - Buffer overflow
  - Escalation of privilege
- Little or no view of network activities

Placement of Host-based IDS
- Deployment options
  - Key servers that contain mission-critical and sensitive information:
    - Web servers;
    - FTP and DNS servers;
    - E-commerce database servers, etc.
  - Workstations

Placement of Host-based IDS
[Diagram: Internet, Firewall, Perimeter Network containing a Mail server and a Web server (each with a Sensor), a Human Resources Network with its own Sensor, and a Console]

Network-based IDS
- Monitor activity on the network for
  - Known attacks
  - Suspicious network activity
- Designed to detect attacks such as
  - Denial of service
  - Network probes
  - Malformed packets, etc.
- Can be some overlap with firewall
- Little or no view of host-based attacks

Placement of Network-based IDS
- Deployment options:
  - Outside firewall
  - Just inside firewall
  - A combination of both will detect attacks getting through the firewall and may help to refine the firewall rule set.
  - Behind remote access server
  - Between business units
  - Between corporate network and partner networks

Placement of Network-based IDS
[Diagram: Internet, a Sensor outside the Firewall, Perimeter Network containing a Mail server and a Web server with Sensors, a Console, and a Protected Network with its own Sensor]

Conclusions
- Future research trends seem to be converging towards a model that is a hybrid of the anomaly and misuse detection models.
- It is slowly being acknowledged that neither of the models can detect all intrusion attempts on its own.

Thank you.
Concept by: © Korian Corp.
