Intrusion Detection Systems
Transcript

1. Intrusion Detection Systems
   Vamsikrishna Gandikota, ACC 626, Section 001
2. The Need for Intrusion Detection Systems
  • Verizon poll: “Insiders accounted for 17 per cent of corporate data-hacking incidents”
  • 2011 Infosecurity Europe conference in London:
      • 40% of 500 attendees professed that they would “find it easy to use their knowledge of encryption keys, shared passwords and loopholes in data security programs to walk off with any information they wanted.”
      • 31 per cent said they had the ability to “hack in remotely and snoop, secretly alter files or shut down the data system” irrespective of whether they were still employed with the organization.
3. Intrusions
  • Definition: intrusions are essentially events where an unauthorized party attempts to break into or misuse an information system.
  • They can originate from within the organization or from the outside.
  • An Intrusion Detection System (IDS) is used to mitigate the business risks that arise from unauthorized access to an information system.
4. IDSs and Firewalls
  • Firewalls only monitor ports and services and determine whether to allow or block the services passing through.
  • Firewalls block broad ranges of traffic based on a few criteria and do not track related activity patterns.
  • An IDS can evaluate the traffic that the firewall let through for signs of an attack.
  • IDSs and firewalls complement each other; they are not substitutes.
5. IDS Capabilities and Inherent Limitations
  Capabilities:
      • Can detect when the information system is under attack
      • Capable of detecting errors in the system configuration
      • Can trace user activity from point of entry to point of impact
      • Able to recognize and report alterations to data
      • Able to automate the task of searching the Internet for the latest attacks
      • Could potentially guide the system administrator in establishing policies for the security aspects of the IT environment
      • Adds a greater degree of integrity to the rest of the information system infrastructure
  Inherent Limitations:
      • Does not compensate for weak identification and authentication mechanisms
      • Does not compensate for weaknesses in network protocols
      • Does not compensate for problems in the quality or integrity of the information the system provides
      • Dependent on human intervention to investigate attacks
      • Does not analyze all the traffic on a busy network
6. Intrusion Detection Techniques – Anomaly Based
  • Based on the idea that an intrusion can be viewed as an abnormality.
  • The IDS studies traffic for metrics such as CPU activity, peripheral devices used, number of network detections, etc.
  • A quantifiable expectation of normal activity is developed for these measures; statistically large variances from it are identified as abnormal behaviour and hence as an intrusion.
  • One advantage of this technique is its ability to detect new and unforeseen vulnerabilities without knowing the specific details of the intrusion.
7. Intrusion Detection Techniques – Signature-Based
  • Can be likened to anti-virus software.
  • Attack signatures are stored on the IDS, which then monitors the system for occurrences of those patterns and sends an alert when unacceptable behaviour takes place.
  • Quicker to implement, because the IDS does not have to spend time studying the system’s traffic to build an expectation of what is normal or average.
  • The number of false alarms generated is considerably reduced, since the IDS only tries to match intrusions against a set of signatures.
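The signature-based approach from slide 7 in miniature, as an added example that is not part of the presentation: a small signature database is matched against constructed log lines, and each hit is reported with the alert fields slide 12 lists (alert name, source address, port, timestamp). The log format, the field names and the three signatures are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in an assumed "timestamp src=.. dport=.. event" layout;
# not taken from any real system.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=10.0.0.5 dport=80 GET /index.html 200
2024-05-01T10:00:02 src=10.0.0.7 dport=80 GET /index.php?id=1%27%20OR%201=1 200
2024-05-01T10:00:03 src=10.0.0.9 dport=22 sshd Failed password for root
2024-05-01T10:00:04 src=10.0.0.9 dport=22 sshd Failed password for root
2024-05-01T10:00:05 src=10.0.0.5 dport=80 GET /../../etc/passwd 404
2024-05-01T10:00:06 src=10.0.0.8 dport=80 GET /about.html 200
"""

# Signature database: alert name -> pattern that must appear in the event text.
# Hypothetical, deliberately minimal patterns for illustration only.
SIGNATURES = {
    "sql-injection-tautology": re.compile(r"(%27|')\s*(%20|\s)*OR(%20|\s)+1=1", re.I),
    "directory-traversal": re.compile(r"(\.\./){2,}"),
    "ssh-root-password-failure": re.compile(r"Failed password for root"),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) (?P<event>.*)$")


@dataclass(frozen=True)
class Alert:
    """The minimal alert record slide 12 describes: name, address, port, time."""
    name: str
    src: str
    dport: int
    timestamp: str


def match_signatures(log_text: str) -> list[Alert]:
    """Scan every parseable log line against every signature; one alert per hit."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # lines the parser does not understand are skipped, not alerted on
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(m["event"]):
                alerts.append(Alert(name, m["src"], int(m["dport"]), m["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in match_signatures(SAMPLE_LOG):
        print(alert)
```

Only behaviour that has a stored signature is reported; the two benign requests produce nothing, which is why this technique yields fewer false alarms but cannot see an attack it has no pattern for.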
8. Intrusion Detection System Types – Host Based (HIDS)
  • Consists of sensors located on servers or workstations to detect attacks on that specific server or workstation.
  • Advantages:
      • Detects attacks with greater accuracy and generates fewer false alarms
      • Monitors host activity on the network
      • Detects attacks which NIDS sensors fail to pick up – protects hosts from internal attacks
9. Intrusion Detection System Types – Network Based (NIDS)
  • Analyzes traffic for unwanted or malicious events.
  • Advantages:
      • Can be installed for an entire segment of the network rather than installed and maintained on each host.
      • Can perform packet-level analysis for intrusions.
      • Monitors live traffic, which makes it difficult for an attacker to remove any evidence of the intrusion.
      • Detects intrusions in real time, which makes it possible to remedy the situation with quicker response rates.
      • If installed behind the firewall, a NIDS can be used to detect which traffic the firewall failed to block.
10. Which IDS is better?
11. Implementation Challenges
  • False Positives
      • If legitimate traffic is blocked, disruptions to business processes are likely.
      • For anomaly detection, tuning the IDS to the right level of sensitivity and setting appropriate thresholds for intrusions is critical.
      • If the IDS is too sensitive to variances from expected behaviour, the number of false positives becomes difficult to handle, reducing the usability of the system.
  • False Negatives
      • False negatives are attacks not detected by the IDS.
      • They become an issue when IDS signatures are excessively tuned down and thus desensitized to attacks, or when high tolerance levels are set for variations from normal behaviour.
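The anomaly-based technique of slide 6 together with the threshold trade-off of slide 11, as an added example that is not part of the presentation: a baseline window of per-minute connection counts is summarized as a mean and standard deviation, later samples are flagged when they deviate by more than a chosen number of standard deviations, and the same labelled samples are scored at several thresholds to count false positives and false negatives. The counts, the labels and the metric are constructed for this illustration.

```python
from statistics import mean, pstdev

# Constructed per-minute connection counts from one host; not real traffic.
BASELINE = [50, 48, 52, 55, 47, 51, 49, 53, 50, 45]   # training window: normal activity

# Later samples, hand-labelled (True = minute contains the simulated intrusion).
# Note the benign spike of 72 sitting between the two attack minutes (70 and 75):
# no single threshold separates them perfectly, which is the tuning problem in practice.
OBSERVED = [(51, False), (58, False), (49, False), (70, True),
            (72, False), (75, True), (54, False)]


def build_profile(samples):
    """Quantify 'normal' as the mean and population standard deviation of the window."""
    return mean(samples), pstdev(samples)


def is_anomalous(value, profile, threshold):
    """Flag a sample whose distance from the mean exceeds `threshold` standard deviations."""
    mu, sigma = profile
    if sigma == 0:                       # degenerate baseline: any change at all is abnormal
        return value != mu
    return abs(value - mu) / sigma > threshold


def evaluate(threshold, profile=None):
    """Return (false positives, false negatives) for one sensitivity setting."""
    if profile is None:
        profile = build_profile(BASELINE)
    fp = fn = 0
    for value, is_attack in OBSERVED:
        flagged = is_anomalous(value, profile, threshold)
        if flagged and not is_attack:
            fp += 1                      # legitimate minute raised an alert
        if is_attack and not flagged:
            fn += 1                      # attack minute went unnoticed
    return fp, fn


if __name__ == "__main__":
    mu, sigma = build_profile(BASELINE)
    print(f"baseline mean={mu:.1f} sigma={sigma:.2f}")
    for t in (2.0, 3.0, 7.5, 8.0, 10.0):
        print(f"threshold={t:>4}: false positives={evaluate(t)[0]} false negatives={evaluate(t)[1]}")
```

Lowering the threshold removes false negatives at the cost of false positives and raising it does the reverse; the sweep shows there is no setting on this data with both at zero, which is why slide 11 calls tuning critical.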
12. Implementation Challenges
  • Taking Action on IDS Data
      • IDS sensors can limit the alert information they generate to simply the name of the alert, the IP addresses, the ports used, and the date and time.
      • For larger organizations this may not be sufficient to conduct an investigation or any other follow-up.
      • Reports need enough detail that action can be taken on them.
      • Responsibility for following up on alerts generated by the IDS must be determined, and competent individuals assigned to it.
  • Other Considerations
      • For the IDS to be effective, the administrator must monitor it and keep updating and designing new signatures, since vendor signatures may not completely cater to the needs of the organization.
      • IDS placement: identify the network perimeter and the points of entry into the network. An IDS is only as good as the identification of vulnerable network access points.
13. Some Takeaways and… Thank you for listening!
