intrusion detection

1. Intrusion Detection
Intrusion Detection
System
System

2. Intrusion and Intrusion
Intrusion and Intrusion
Detection
Detection
 Intrusion : Attempting to break into or
Intrusion : Attempting to break into or
misuse your system.
misuse your system.
 Intruders may be from outside the
Intruders may be from outside the
network or legitimate users of the
network or legitimate users of the
network.
network.
 Intrusion can be a physical, system or
Intrusion can be a physical, system or
remote intrusion.
remote intrusion.

3. Different ways to intrude
Different ways to intrude
 Buffer overflows
Buffer overflows
 Unexpected combinations
Unexpected combinations
 Unhandled input
Unhandled input
 Race conditions
Race conditions

4. Intrusion Detection System
Intrusion Detection System
Knowledge
Base
Response
Model
Alert
Data-
base
Event
Provider
Analysis Engine
Other
machines

5. Intrusion Detection
Intrusion Detection
Systems (IDS)
Systems (IDS)
 Different ways of classifying an IDS
Different ways of classifying an IDS
IDS based on
IDS based on
– anomaly detection
anomaly detection
– signature based misuse
signature based misuse
– host based
host based
– network based
network based
– Stack based
Stack based

6. Intrusion Detection
Intrusion Detection
Systems (IDS)
Systems (IDS)
Intrusion Detection Systems look for
Intrusion Detection Systems look for
attack signatures, which are specific
attack signatures, which are specific
patterns that usually indicate malicious
patterns that usually indicate malicious
or suspicious intent.
or suspicious intent.

7. Anomaly based IDS
Anomaly based IDS
 This IDS models the normal usage of
This IDS models the normal usage of
the network as a noise
the network as a noise
characterization.
characterization.
 Anything distinct from the noise is
Anything distinct from the noise is
assumed to be an intrusion activity.
assumed to be an intrusion activity.
– E.g flooding a host with lots of packet.
E.g flooding a host with lots of packet.
 The primary strength is its ability to
The primary strength is its ability to
recognize novel attacks.
recognize novel attacks.

8. Drawbacks of Anomaly
Drawbacks of Anomaly
detection IDS
detection IDS
 Assumes that intrusions will be
Assumes that intrusions will be
accompanied by manifestations that are
accompanied by manifestations that are
sufficiently unusual so as to permit
sufficiently unusual so as to permit
detection.
detection.
 These generate many false alarms and
These generate many false alarms and
hence compromise the effectiveness of the
hence compromise the effectiveness of the
IDS.
IDS.

9. Signature based IDS
Signature based IDS
 This IDS possess an attacked
This IDS possess an attacked
description that can be matched to
description that can be matched to
sensed attack manifestations.
sensed attack manifestations.
 The question of what information is
The question of what information is
relevant to an IDS depends upon what
relevant to an IDS depends upon what
it is trying to detect.
it is trying to detect.
– E.g DNS, FTP etc.
E.g DNS, FTP etc.

10. Signature based IDS
Signature based IDS
(contd.)
(contd.)
 ID system is programmed to interpret a certain
ID system is programmed to interpret a certain
series of packets, or a certain piece of data
series of packets, or a certain piece of data
contained in those packets,as an attack. For
contained in those packets,as an attack. For
example, an IDS that watches web servers might
example, an IDS that watches web servers might
be programmed to look for the string “phf” as an
be programmed to look for the string “phf” as an
indicator of a CGI program attack.
indicator of a CGI program attack.
 Most signature analysis systems are based off of
Most signature analysis systems are based off of
simple pattern matching algorithms. In most cases,
simple pattern matching algorithms. In most cases,
the IDS simply looks for a sub string within a stream
the IDS simply looks for a sub string within a stream
of data carried by network packets. When it finds
of data carried by network packets. When it finds
this sub string (for example, the ``phf'' in ``GET /cgi-
this sub string (for example, the ``phf'' in ``GET /cgi-
bin/phf?''), it identifies those network packets as
bin/phf?''), it identifies those network packets as
vehicles of an attack.
vehicles of an attack.

11. Drawbacks of Signature
Drawbacks of Signature
based IDS
based IDS
 They are unable to detect novel
They are unable to detect novel
attacks.
attacks.
 Suffer from false alarms
Suffer from false alarms
 Have to programmed again for every
Have to programmed again for every
new pattern to be detected.
new pattern to be detected.

12. Host/Applications based
Host/Applications based
IDS
IDS
 The host operating system or the
The host operating system or the
application logs in the audit
application logs in the audit
information.
information.
 These audit information includes
These audit information includes
events like the use of identification and
events like the use of identification and
authentication mechanisms (logins
authentication mechanisms (logins
etc.) , file opens and program
etc.) , file opens and program
executions, admin activities etc.
executions, admin activities etc.
 This audit is then analyzed to detect
This audit is then analyzed to detect
trails of intrusion.
trails of intrusion.

13. Drawbacks of the host
Drawbacks of the host
based IDS
based IDS
 The kind of information needed to be
The kind of information needed to be
logged in is a matter of experience.
logged in is a matter of experience.
 Unselective logging of messages may
Unselective logging of messages may
greatly increase the audit and analysis
greatly increase the audit and analysis
burdens.
burdens.
 Selective logging runs the risk that
Selective logging runs the risk that
attack manifestations could be missed.
attack manifestations could be missed.

14. Strengths of the host
Strengths of the host
based IDS
based IDS
 Attack verification
Attack verification
 System specific activity
System specific activity
 Encrypted and switch environments
Encrypted and switch environments
 Monitoring key components
Monitoring key components
 Near Real-Time detection and
Near Real-Time detection and
response.
response.
 No additional hardware
No additional hardware

15. Stack based IDS
Stack based IDS
 They are integrated closely with the
They are integrated closely with the
TCP/IP stack, allowing packets to be
TCP/IP stack, allowing packets to be
watched as they traverse their way up
watched as they traverse their way up
the OSI layers.
the OSI layers.
 This allows the IDS to pull the packets
This allows the IDS to pull the packets
from the stack before the OS or the
from the stack before the OS or the
application have a chance to process
application have a chance to process
the packets.
the packets.

16. Network based IDS
Network based IDS
 This IDS looks for attack signatures in
This IDS looks for attack signatures in
network traffic via a promiscuous
network traffic via a promiscuous
interface.
interface.
 A filter is usually applied to determine
A filter is usually applied to determine
which traffic will be discarded or
which traffic will be discarded or
passed on to an attack recognition
passed on to an attack recognition
module. This helps to filter out known
module. This helps to filter out known
un-malicious traffic.
un-malicious traffic.

17. Strengths of Network
Strengths of Network
based IDS
based IDS
 Cost of ownership reduced
Cost of ownership reduced
 Packet analysis
Packet analysis
 Evidence removal
Evidence removal
 Real time detection and response
Real time detection and response
 Malicious intent detection
Malicious intent detection
 Complement and verification
Complement and verification
 Operating system independence
Operating system independence

18. Future of IDS
Future of IDS
 To integrate the network and host
To integrate the network and host
based IDS for better detection.
based IDS for better detection.
 Developing IDS schemes for detecting
Developing IDS schemes for detecting
novel attacks rather than individual
novel attacks rather than individual
instantiations.
instantiations.