Intrusion detection system ppt

31,889 views

Published on

Published in: Technology
1 Comment
19 Likes
Statistics
Notes
No Downloads
Views
Total views
31,889
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
2,111
Comments
1
Likes
19
Embeds 0
No embeds

No notes for slide

Intrusion detection system ppt

  1. 1. Intrusion DetectionIntrusion Detection SystemSystem
  2. 2. Intrusion and IntrusionIntrusion and Intrusion DetectionDetection  Intrusion : Attempting to break into orIntrusion : Attempting to break into or misuse your system.misuse your system.  Intruders may be from outside theIntruders may be from outside the network or legitimate users of thenetwork or legitimate users of the network.network.  Intrusion can be a physical, system orIntrusion can be a physical, system or remote intrusion.remote intrusion.
  3. 3. Different ways to intrudeDifferent ways to intrude  Buffer overflowsBuffer overflows  Unexpected combinationsUnexpected combinations  Unhandled inputUnhandled input  Race conditionsRace conditions
  4. 4. Intrusion Detection SystemIntrusion Detection System Knowledge Base Response Model Alert Data- base Event Provider Analysis Engine Other machines
  5. 5. Intrusion DetectionIntrusion Detection Systems (IDS)Systems (IDS)  Different ways of classifying an IDSDifferent ways of classifying an IDS IDS based onIDS based on – anomaly detectionanomaly detection – signature based misusesignature based misuse – host basedhost based – network basednetwork based – Stack basedStack based
  6. 6. Intrusion DetectionIntrusion Detection Systems (IDS)Systems (IDS) Intrusion Detection Systems look forIntrusion Detection Systems look for attack signatures, which are specificattack signatures, which are specific patterns that usually indicate maliciouspatterns that usually indicate malicious or suspicious intent.or suspicious intent.
  7. 7. Anomaly based IDSAnomaly based IDS  This IDS models the normal usage ofThis IDS models the normal usage of the network as a noisethe network as a noise characterization.characterization.  Anything distinct from the noise isAnything distinct from the noise is assumed to be an intrusion activity.assumed to be an intrusion activity. – E.g flooding a host with lots of packet.E.g flooding a host with lots of packet.  The primary strength is its ability toThe primary strength is its ability to recognize novel attacks.recognize novel attacks.
  8. 8. Drawbacks of AnomalyDrawbacks of Anomaly detection IDSdetection IDS  Assumes that intrusions will beAssumes that intrusions will be accompanied by manifestations that areaccompanied by manifestations that are sufficiently unusual so as to permitsufficiently unusual so as to permit detection.detection.  These generate many false alarms andThese generate many false alarms and hence compromise the effectiveness of thehence compromise the effectiveness of the IDS.IDS.
  9. 9. Signature based IDSSignature based IDS  This IDS possess an attackedThis IDS possess an attacked description that can be matched todescription that can be matched to sensed attack manifestations.sensed attack manifestations.  The question of what information isThe question of what information is relevant to an IDS depends upon whatrelevant to an IDS depends upon what it is trying to detect.it is trying to detect. – E.g DNS, FTP etc.E.g DNS, FTP etc.
  10. 10. Signature based IDSSignature based IDS (contd.)(contd.)  ID system is programmed to interpret a certainID system is programmed to interpret a certain series of packets, or a certain piece of dataseries of packets, or a certain piece of data contained in those packets,as an attack. Forcontained in those packets,as an attack. For example, an IDS that watches web servers mightexample, an IDS that watches web servers might be programmed to look for the string “phf” as anbe programmed to look for the string “phf” as an indicator of a CGI program attack.indicator of a CGI program attack.  Most signature analysis systems are based off ofMost signature analysis systems are based off of simple pattern matching algorithms. In most cases,simple pattern matching algorithms. In most cases, the IDS simply looks for a sub string within a streamthe IDS simply looks for a sub string within a stream of data carried by network packets. When it findsof data carried by network packets. When it finds this sub string (for example, the ``phf'' in ``GET /cgi-this sub string (for example, the ``phf'' in ``GET /cgi- bin/phf?''), it identifies those network packets asbin/phf?''), it identifies those network packets as vehicles of an attack.vehicles of an attack.
  11. 11. Drawbacks of SignatureDrawbacks of Signature based IDSbased IDS  They are unable to detect novelThey are unable to detect novel attacks.attacks.  Suffer from false alarmsSuffer from false alarms  Have to programmed again for everyHave to programmed again for every new pattern to be detected.new pattern to be detected.
  12. 12. Host/Applications basedHost/Applications based IDSIDS  The host operating system or theThe host operating system or the application logs in the auditapplication logs in the audit information.information.  These audit information includesThese audit information includes events like the use of identification andevents like the use of identification and authentication mechanisms (loginsauthentication mechanisms (logins etc.) , file opens and programetc.) , file opens and program executions, admin activities etc.executions, admin activities etc.  This audit is then analyzed to detectThis audit is then analyzed to detect trails of intrusion.trails of intrusion.
  13. 13. Drawbacks of the hostDrawbacks of the host based IDSbased IDS  The kind of information needed to beThe kind of information needed to be logged in is a matter of experience.logged in is a matter of experience.  Unselective logging of messages mayUnselective logging of messages may greatly increase the audit and analysisgreatly increase the audit and analysis burdens.burdens.  Selective logging runs the risk thatSelective logging runs the risk that attack manifestations could be missed.attack manifestations could be missed.
  14. 14. Strengths of the hostStrengths of the host based IDSbased IDS  Attack verificationAttack verification  System specific activitySystem specific activity  Encrypted and switch environmentsEncrypted and switch environments  Monitoring key componentsMonitoring key components  Near Real-Time detection andNear Real-Time detection and response.response.  No additional hardwareNo additional hardware
  15. 15. Stack based IDSStack based IDS  They are integrated closely with theThey are integrated closely with the TCP/IP stack, allowing packets to beTCP/IP stack, allowing packets to be watched as they traverse their way upwatched as they traverse their way up the OSI layers.the OSI layers.  This allows the IDS to pull the packetsThis allows the IDS to pull the packets from the stack before the OS or thefrom the stack before the OS or the application have a chance to processapplication have a chance to process the packets.the packets.
  16. 16. Network based IDSNetwork based IDS  This IDS looks for attack signatures inThis IDS looks for attack signatures in network traffic via a promiscuousnetwork traffic via a promiscuous interface.interface.  A filter is usually applied to determineA filter is usually applied to determine which traffic will be discarded orwhich traffic will be discarded or passed on to an attack recognitionpassed on to an attack recognition module. This helps to filter out knownmodule. This helps to filter out known un-malicious traffic.un-malicious traffic.
  17. 17. Strengths of NetworkStrengths of Network based IDSbased IDS  Cost of ownership reducedCost of ownership reduced  Packet analysisPacket analysis  Evidence removalEvidence removal  Real time detection and responseReal time detection and response  Malicious intent detectionMalicious intent detection  Complement and verificationComplement and verification  Operating system independenceOperating system independence
  18. 18. Future of IDSFuture of IDS  To integrate the network and hostTo integrate the network and host based IDS for better detection.based IDS for better detection.  Developing IDS schemes for detectingDeveloping IDS schemes for detecting novel attacks rather than individualnovel attacks rather than individual instantiations.instantiations.

×