Intrusion Detection System
Introduction
(Copyright: Dr. Jyoti Lakhani)
Intrusion
An intrusion is an active sequence of related events that deliberately try to cause harm, such as rendering a system unusable, accessing unauthorized information, or manipulating such information. This definition refers to both successful and unsuccessful attempts.
- Carl Endorf
IDSs record information about both successful and unsuccessful attempts so that security professionals have a more comprehensive understanding of the events on their networks.
One way this can be done is by placing devices that examine network traffic, called sensors, both in front of the firewall (the unprotected area) and behind the firewall (the protected area) and comparing the information recorded by the two.
(Diagram: sensor placement relative to the Internet and the firewall)
Collecting Data
- Port Mirroring or Spanning
- Network Taps
Port Mirroring or Spanning
Copies of incoming and outgoing packets are forwarded from one port of a network switch to another port, where the packets can be analyzed.
Network Taps
Network taps are placed directly in-line with the network traffic; they copy the incoming and outgoing packets and retransmit them back out on the network.
What Is an Intrusion-Detection System (IDS)?
The tools, methods, and resources that help identify, assess, and report unauthorized or unapproved network activity.
An IDS detects activity in traffic that may or may not be an intrusion.
IDSs work at the network layer of the OSI model.
They analyze packets to find specific patterns in network traffic; if they find such a pattern, an alert is logged, and a response can be based on the data recorded.
IDSs are similar to antivirus software in that they use known signatures to recognize traffic patterns that may be malicious in intent.
Types of IDS Systems
- Host-based Intrusion-Detection System (HIDS)
- Network-based Intrusion-Detection System (NIDS)
- Hybrids
Host-based Intrusion-Detection System (HIDS)
A HIDS requires software that resides on the host and can scan all host resources for activity; some just scan syslog and event logs.
It logs any activities it discovers to a secure database and checks whether the events match any malicious event record listed in the knowledge base.
Network-based Intrusion-Detection System (NIDS)
A NIDS is usually inline on the network, and it analyzes network packets looking for attacks. A NIDS receives all packets on a particular network segment, including on switched networks (where this is not the default behavior), via one of several methods, such as taps or port mirroring. It carefully reconstructs the streams of traffic to analyze them for patterns of malicious behavior. Most NIDSs are equipped with facilities to log their activities and report or alarm on questionable events. In addition, many high-performance routers offer NIDS capabilities.
| NIDS | HIDS |
|---|---|
| Broad in scope (watches all network activities) | Narrow in scope (watches only specific host activities) |
| Easier setup | More complex setup |
| Better for detecting attacks from the outside | Better for detecting attacks from the inside |
| Less expensive to implement | More expensive to implement |
| Detection is based on what can be recorded on the entire network | Detection is based on what any single host can record |
| Examines packet headers | Does not see packet headers |
| Detects network attacks as payload is analyzed | Detects local attacks before they hit the network |
| Detects unsuccessful attack attempts | Verifies success or failure of attacks |
| Near real-time response | Usually only responds after a suspicious log entry has been made |
| OS-independent | OS-specific |

Payload: in computer networking and telecommunications, when a transmission unit is sent from the source to the destination, it contains both a header and the actual data to be transmitted. This actual data is called the payload.
The basic process for an IDS is that a NIDS or HIDS passively collects data, then preprocesses and classifies it.
Statistical analysis can be done to determine whether the information falls outside normal activity; if so, it is then matched against a knowledge base.
If a match is found, an alert is sent.
(Diagram: Standard IDS System)
What Is an Intrusion-Prevention System (IPS)?
It is still early in the development of intrusion-prevention systems (IPSs).
An IPS sits inline on the network and monitors it; when an event occurs, it takes action based on prescribed rules.
This is unlike IDSs, which do not sit inline and are passive.
Types of IPS Systems
- Host-based Intrusion-Prevention System (HIPS)
- Network-based Intrusion-Prevention System (NIPS)
- Hybrids
User actions should correspond to actions in a predefined knowledge base; if an action isn't on the accepted list, the IPS will prevent the action.
Unlike an IDS, the logic in an IPS is typically applied before the action is executed in memory. Other IPS methods compare file checksums to a list of known good checksums before allowing a file to execute, or work by intercepting system calls.
An IPS will typically consist of four main components:
• Traffic normalizer
• Service scanner
• Detection engine
• Traffic shaper
The traffic normalizer interprets the network traffic and performs packet analysis and packet reassembly, as well as basic blocking functions.
The traffic is then fed into the detection engine and the service scanner.
The service scanner builds a reference table that classifies the information and helps the traffic shaper manage the flow of the information.
The detection engine does pattern matching against the reference table, and the appropriate response is determined.
| IDS | IPS |
|---|---|
| Installed on network segments (NIDS) and on hosts (HIDS) | Installed on network segments (NIPS) and on hosts (HIPS) |
| Sits on network passively | Sits inline (not passive) |
| Cannot parse encrypted traffic | Better at protecting applications |
| Central management control | Central management control |
| Better at detecting hacking attacks | Ideal for blocking web defacement |
| Alerting product (reactive) | Blocking product (proactive) |
Why Are IDSs and IPSs Important?
1. Greater proficiency in detecting intrusions than by doing it manually
2. In-depth knowledge bases to draw from
3. Ability to deal with large volumes of data
4. Near real-time alerting capabilities that help reduce potential damages
Why Are IPSs Important?
• Automated responses, such as logging off a user, disabling a user account, or launching automated scripts
• Strong deterrent* value
• Built-in forensic capabilities
• Built-in reporting capabilities
*Deterrent: a thing that discourages or is intended to discourage someone from doing something. E.g. "cameras are a major deterrent to crime"
ASSIGNMENT 1
Q1. Explain the architecture of IDS and IPS with suitable diagrams.
Q2. What are the pros and cons of IDS and IPS?
Last date of submission: 30/11/2020
Why Are IPSs Important?
MOST IMPORTANT
1. Legal and regulatory issues
2. Quantification of attacks
3. Establishment of an overall defense-in-depth strategy
IDS and IPS Analysis Schemes
IDSs and IPSs perform analyses. It is important to understand the analysis process:
- what analysis does
- what types of analysis are available
- what the advantages and disadvantages of different analysis schemes are
What Is Analysis?
Analysis, in the context of intrusion detection and prevention, is the organization of the constituent parts of data and their interrelationships to identify any anomalous activity of interest.
Real-time analysis is analysis done on the fly as the data travels the path to the network or host.
(Diagram: Relationship between Baseline and Anomalous Network Activity)
Goals of intrusion-detection and intrusion-prevention analysis
• Create records of relevant activity for follow-up
• Determine flaws in the network by detecting specific activities
• Record unauthorized activity for use in forensics or criminal
prosecution of intrusion attacks
• Act as a deterrent to malicious activity
• Increase accountability by linking activities of one individual
across systems
Intrusion Analysis Process
(Diagram: data collected from sensors flows through Pre Processing, Analysis, Response and Refinement)
Pre Processing
(Diagram: sensor data is stored in the DB and classified, according to the analysis schemes, into baseline activity and anomalous activity)
Intrusion Analysis Process
(Diagram: the classified data from preprocessing feeds the Core Analysis Engine)
Core Analysis Engine, for example:
• Detection of the modification of system log files
• Detection of unexpected privilege escalation
• Detection of Backdoor Netbus
• Detection of Backdoor SubSeven
• ORACLE grant attempt
• RPC mountd UDP export request
Analysis Process
(Diagram: classified data enters the Core Analysis Engine, which consults the KB of templates for different anomaly cases)
• Once the preprocessing is completed, the analysis stage begins.
• The data record is compared to the knowledge base, and the data record will either be logged as an intrusion event or it will be dropped.
• Then the next data record is analyzed.
Response Phase
(Diagram: the Core Analysis Engine flags an ANOMALY, which is passed to the IDS or the IPS)
The response of an IDS and of an IPS to an anomaly is a differentiating factor.
Response Phase (IDS)
(Diagram: on an ANOMALY the IDS writes to a log file and raises an ALARM)
Response Phase (IPS)
(Diagram: on an ANOMALY the IPS blocks the traffic before it reaches the network system: intrusion prevention)
Response Phase
(Diagram: the IDS response is reactive security; the IPS response is proactive security)
Proactive (adjective): (of a person or action) creating or controlling a situation rather than just responding to it after it has happened.
E.g. "employers must take a proactive approach to equal pay"
Refinement Phase
(Diagram: anomalies flagged by the IDS/IPS feed back into tuning of the IDS/IPS)
Tuning of IDS/IPS: tools, e.g. CTR*
*Cisco Threat Response (CTR) helps with the refining stage by making sure that an alert is valid, checking whether you are vulnerable to that attack or not.
Detection Approaches
- Misuse Detection (rule-based / signature detection / pattern matching)
- Anomaly Detection (profile-based detection)
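As an added example (not from the slides), the intrusion analysis process just described (preprocessing, analysis, response, refinement) and the IDS basic process from earlier, written in Python with both detection approaches: misuse detection against a small knowledge base named after the slide's example detections (NetBus, SubSeven, ORACLE grant attempt) and anomaly detection against a byte-count baseline. The sensor lines, baseline values, rule patterns, service inventory and addresses are all constructed; the response phase contrasts the IDS (alarm only) with the IPS (alarm and block), and the refinement phase applies the CTR-style check that the alert's target is actually exposed.

```python
# Toy IDS/IPS analysis pipeline: preprocessing -> analysis -> response -> refinement.
# Added example; sensor lines (documentation-range addresses), rules, baseline and inventory are constructed.
import ipaddress
import re
from dataclasses import dataclass
from statistics import mean, pstdev

RAW_SENSOR_DATA = """\
2020-11-20T10:00:02 10.0.0.5 -> 10.0.0.20 tcp/80 bytes=812 payload=GET /index.html
2020-11-20T10:00:03 198.51.100.7 -> 10.0.0.20 tcp/5555 bytes=64 payload=NetBus
2020-11-20T10:00:04 198.51.100.7 -> 10.0.0.20 tcp/6666 bytes=64 payload=SubSeven
2020-11-20T10:00:05 10.0.0.9 -> 10.0.0.21 tcp/1521 bytes=300 payload=GRANT DBA TO scott
2020-11-20T10:00:06 10.0.0.9 -> 10.0.0.20 tcp/80 bytes=310 payload=POST /q grant dba to scott
2020-11-20T10:00:07 203.0.113.4 -> 10.0.0.20 tcp/80 bytes=950000 payload=GET /big
"""
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")           # constructed protected range
BASELINE_BYTES = [400, 520, 610, 480, 730, 550, 640, 590]   # constructed quiet-period profile
# Knowledge base of misuse (signature) rules, named after the slide's example detections.
KNOWLEDGE_BASE = {
    "Backdoor NetBus": re.compile(r"\bNetBus\b"),
    "Backdoor SubSeven": re.compile(r"\bSubSeven\b"),
    "ORACLE grant attempt": re.compile(r"\bGRANT\b.*\bTO\b", re.IGNORECASE),
}
# Refinement data (the CTR idea): which service a rule concerns (rules not listed apply to
# any host) and which hosts actually run which service.
RULE_SERVICE = {"ORACLE grant attempt": "oracle"}
SERVICE_INVENTORY = {"10.0.0.20": {"ssh", "http"}, "10.0.0.21": {"oracle"}}
LINE_RE = re.compile(r"^\S+ (?P<src>\S+) -> (?P<dst>\S+) tcp/(?P<port>\d+) "
                     r"bytes=(?P<nbytes>\d+) payload=(?P<payload>.*)$")

@dataclass
class Record:
    src: str
    dst: str
    port: int
    nbytes: int
    payload: str
    origin: str = ""       # classification: "inside" or "outside" the protected net

@dataclass
class Event:
    record: Record
    rule: str              # knowledge-base entry, or the anomaly description
    method: str            # "misuse" or "anomaly"
    valid: bool = True     # cleared by refinement when the target is not exposed

@dataclass
class Response:
    log: list[str]         # alarms written by the response phase
    blocked: set[str]      # source addresses an IPS would block (always empty for an IDS)

def preprocess(raw: str) -> list[Record]:
    """Phase 1: parse sensor lines into records and classify each by origin."""
    records = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue       # malformed sensor line: skip it rather than stop the pipeline
        rec = Record(m["src"], m["dst"], int(m["port"]), int(m["nbytes"]), m["payload"])
        rec.origin = "inside" if ipaddress.ip_address(rec.src) in INTERNAL_NET else "outside"
        records.append(rec)
    return records

def anomaly_threshold(baseline: list[int], k: float = 3.0) -> float:
    """Profile-based cut-off: mean plus k standard deviations of the normal byte count."""
    return mean(baseline) + k * pstdev(baseline)

def analyze(records: list[Record], baseline: list[int] = BASELINE_BYTES) -> list[Event]:
    """Phase 2: misuse detection against the knowledge base, then anomaly detection."""
    events, limit = [], anomaly_threshold(baseline)
    for rec in records:
        for name, pattern in KNOWLEDGE_BASE.items():
            if pattern.search(rec.payload):
                events.append(Event(rec, name, "misuse"))
        if rec.nbytes > limit:
            events.append(Event(rec, f"{rec.nbytes} bytes above baseline {limit:.0f}", "anomaly"))
    return events

def refine(events: list[Event], inventory=SERVICE_INVENTORY) -> list[Event]:
    """Phase 4 (tuning): an alert is valid only if the target runs the service the rule concerns."""
    for ev in events:
        needed = RULE_SERVICE.get(ev.rule)
        if needed and needed not in inventory.get(ev.record.dst, set()):
            ev.valid = False
    return events

def respond(events: list[Event], mode: str) -> Response:
    """Phase 3: an IDS logs and alarms (reactive); an IPS also blocks the source (proactive)."""
    resp = Response([], set())
    for ev in events:
        if ev.valid:
            r = ev.record
            resp.log.append(f"ALARM [{ev.method}] {ev.rule}: {r.src} ({r.origin}) -> {r.dst}:{r.port}")
            if mode == "IPS":
                resp.blocked.add(r.src)
    return resp

def run_pipeline(raw: str, mode: str) -> Response:
    """Whole pipeline for one IDS ("IDS") or IPS ("IPS") run over raw sensor output."""
    return respond(refine(analyze(preprocess(raw))), mode)
```

Refinement runs before the response so that a tuned-out alert (here the web request that merely mentions "grant", aimed at a host with no Oracle service) neither alarms nor blocks; the slides draw refinement as the feedback step after the response.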

More Related Content

What's hot

Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
Umesh Dhital
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system ppt
Sheetal Verma
 
Incident Response Triage
Incident Response TriageIncident Response Triage
Incident Response Triage
Albert Hui
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
Sweta Sharma
 

What's hot (20)

Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
Five Major Types of Intrusion Detection System (IDS)
Five Major Types of Intrusion Detection System (IDS)Five Major Types of Intrusion Detection System (IDS)
Five Major Types of Intrusion Detection System (IDS)
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention System
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system ppt
 
Network attacks
Network attacksNetwork attacks
Network attacks
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Basics of Denial of Service Attacks
Basics of Denial of Service AttacksBasics of Denial of Service Attacks
Basics of Denial of Service Attacks
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Incident Response Triage
Incident Response TriageIncident Response Triage
Incident Response Triage
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to Snort
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 

Similar to Ids 001 ids vs ips

Vol 6 No 1 - October 2013
Vol 6 No 1 - October 2013Vol 6 No 1 - October 2013
Vol 6 No 1 - October 2013
ijcsbi
 

Similar to Ids 001 ids vs ips (20)

idps
idpsidps
idps
 
Survey on Host and Network Based Intrusion Detection System
Survey on Host and Network Based Intrusion Detection SystemSurvey on Host and Network Based Intrusion Detection System
Survey on Host and Network Based Intrusion Detection System
 
Comparative Analysis: Network Forensic Systems
Comparative Analysis: Network Forensic SystemsComparative Analysis: Network Forensic Systems
Comparative Analysis: Network Forensic Systems
 
IDS (intrusion detection system)
IDS (intrusion detection system)IDS (intrusion detection system)
IDS (intrusion detection system)
 
Kx3419591964
Kx3419591964Kx3419591964
Kx3419591964
 
Vol 6 No 1 - October 2013
Vol 6 No 1 - October 2013Vol 6 No 1 - October 2013
Vol 6 No 1 - October 2013
 
Information Security.pptx
Information Security.pptxInformation Security.pptx
Information Security.pptx
 
Intrusion Detection System: Security Monitoring System
Intrusion Detection System: Security Monitoring SystemIntrusion Detection System: Security Monitoring System
Intrusion Detection System: Security Monitoring System
 
Detecting Anomaly IDS in Network using Bayesian Network
Detecting Anomaly IDS in Network using Bayesian NetworkDetecting Anomaly IDS in Network using Bayesian Network
Detecting Anomaly IDS in Network using Bayesian Network
 
Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)
 
N44096972
N44096972N44096972
N44096972
 
A Survey: Comparative Analysis of Classifier Algorithms for DOS Attack Detection
A Survey: Comparative Analysis of Classifier Algorithms for DOS Attack DetectionA Survey: Comparative Analysis of Classifier Algorithms for DOS Attack Detection
A Survey: Comparative Analysis of Classifier Algorithms for DOS Attack Detection
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection System
 
Intrusion detection system – a study
Intrusion detection system – a studyIntrusion detection system – a study
Intrusion detection system – a study
 
A Review Of Intrusion Detection System In Computer Network
A Review Of Intrusion Detection System In Computer NetworkA Review Of Intrusion Detection System In Computer Network
A Review Of Intrusion Detection System In Computer Network
 
Analysis of Artificial Intelligence Techniques for Network Intrusion Detectio...
Analysis of Artificial Intelligence Techniques for Network Intrusion Detectio...Analysis of Artificial Intelligence Techniques for Network Intrusion Detectio...
Analysis of Artificial Intelligence Techniques for Network Intrusion Detectio...
 
Intrusiond and detection
Intrusiond and detectionIntrusiond and detection
Intrusiond and detection
 
An Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection SystemsAn Extensive Survey of Intrusion Detection Systems
An Extensive Survey of Intrusion Detection Systems
 
A Study of Intrusion Detection System Methods in Computer Networks
A Study of Intrusion Detection System Methods in Computer NetworksA Study of Intrusion Detection System Methods in Computer Networks
A Study of Intrusion Detection System Methods in Computer Networks
 
IS - Firewall
IS - FirewallIS - Firewall
IS - Firewall
 

More from jyoti_lakhani

Ds06 linked list- insert a node after a given node
Ds06   linked list-  insert a node after a given nodeDs06   linked list-  insert a node after a given node
Ds06 linked list- insert a node after a given node
jyoti_lakhani
 
Ds01 data structure introduction - by jyoti lakhani
Ds01 data structure  introduction - by jyoti lakhaniDs01 data structure  introduction - by jyoti lakhani
Ds01 data structure introduction - by jyoti lakhani
jyoti_lakhani
 

More from jyoti_lakhani (20)

CG02 Computer Graphic Systems.ppsx
CG02 Computer Graphic Systems.ppsxCG02 Computer Graphic Systems.ppsx
CG02 Computer Graphic Systems.ppsx
 
Projections.pptx
Projections.pptxProjections.pptx
Projections.pptx
 
CG04 Color Models.ppsx
CG04 Color Models.ppsxCG04 Color Models.ppsx
CG04 Color Models.ppsx
 
CG03 Random Raster Scan displays and Color CRTs.ppsx
CG03 Random Raster Scan displays and Color CRTs.ppsxCG03 Random Raster Scan displays and Color CRTs.ppsx
CG03 Random Raster Scan displays and Color CRTs.ppsx
 
CG02 Computer Graphic Systems.pptx
CG02 Computer Graphic Systems.pptxCG02 Computer Graphic Systems.pptx
CG02 Computer Graphic Systems.pptx
 
CG01 introduction.ppsx
CG01 introduction.ppsxCG01 introduction.ppsx
CG01 introduction.ppsx
 
Doubly linked list
Doubly linked listDoubly linked list
Doubly linked list
 
Double ended queue
Double ended queueDouble ended queue
Double ended queue
 
Tree terminology and introduction to binary tree
Tree terminology and introduction to binary treeTree terminology and introduction to binary tree
Tree terminology and introduction to binary tree
 
Priority queue
Priority queuePriority queue
Priority queue
 
Ds006 linked list- delete from front
Ds006   linked list- delete from frontDs006   linked list- delete from front
Ds006 linked list- delete from front
 
Ds06 linked list- insert a node after a given node
Ds06   linked list-  insert a node after a given nodeDs06   linked list-  insert a node after a given node
Ds06 linked list- insert a node after a given node
 
Ds06 linked list- insert a node at end
Ds06   linked list- insert a node at endDs06   linked list- insert a node at end
Ds06 linked list- insert a node at end
 
Ds06 linked list- insert a node at beginning
Ds06   linked list- insert a node at beginningDs06   linked list- insert a node at beginning
Ds06 linked list- insert a node at beginning
 
Ds06 linked list- intro and create a node
Ds06   linked list- intro and create a nodeDs06   linked list- intro and create a node
Ds06 linked list- intro and create a node
 
Ds04 abstract data types (adt) jyoti lakhani
Ds04 abstract data types (adt) jyoti lakhaniDs04 abstract data types (adt) jyoti lakhani
Ds04 abstract data types (adt) jyoti lakhani
 
Ds03 part i algorithms by jyoti lakhani
Ds03 part i algorithms   by jyoti lakhaniDs03 part i algorithms   by jyoti lakhani
Ds03 part i algorithms by jyoti lakhani
 
Ds03 algorithms jyoti lakhani
Ds03 algorithms jyoti lakhaniDs03 algorithms jyoti lakhani
Ds03 algorithms jyoti lakhani
 
Ds02 flow chart and pseudo code
Ds02 flow chart and pseudo codeDs02 flow chart and pseudo code
Ds02 flow chart and pseudo code
 
Ds01 data structure introduction - by jyoti lakhani
Ds01 data structure  introduction - by jyoti lakhaniDs01 data structure  introduction - by jyoti lakhani
Ds01 data structure introduction - by jyoti lakhani
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Recently uploaded (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Ids 001 ids vs ips

  • 2. Intrusion An intrusion is an active sequence of related events that deliberately try to cause harm, such as rendering a system unusable, accessing, unauthorized information, or manipulating such information. This definition refers to both successful and unsuccessful attempts. - Carl Enriolf IDS systems record information about both successful and unsuccessful attempts so that security professionals will have a more comprehensive understanding of the events on their networks. 2 (Copyright: Dr. Jyoti Lakhani)
  • 3. One way this can be done is by placing devices that examine network traffic, called sensors, both in front of the firewall (the unprotected area) and behind the firewall (the protected area) and comparing the information recorded by the two. Internet Firewall 3 (Copyright: Dr. Jyoti Lakhani)
  • 4. Collecting Data Port Mirroring or Spanning Network Taps 4 (Copyright: Dr. Jyoti Lakhani)
  • 5. When copies of incoming and outgoing packets are forwarded from one port of a network switch to another port where the packets can be analyzed. Port Mirroring or Spanning 5 (Copyright: Dr. Jyoti Lakhani)
  • 6. Network taps are put directly in-line of the network traffic, and they copy the incoming and outgoing packets and retransmit them back out on the network. Network Taps 6 (Copyright: Dr. Jyoti Lakhani)
  • 7. What Is an Intrusion-Detection System (IDS)? The tools, methods, and resources to help identify, assess, and report unauthorized or unapproved network activity It detects activity in traffic that may or may not be an intrusion. IDSs work at the network layer of the OSI model They analyze packets to find specific patterns in network traffic —if they find such a pattern in the traffic, an alert is logged, and a response can be based on the data recorded. IDSs are similar to antivirus software in that they use known signatures to recognize traffic patterns that may be malicious in intent. 7 (Copyright: Dr. Jyoti Lakhani)
  • 8. Types of IDS Systems Host-based Intrusion- Detection System (HIDS) Network-based Intrusion- Detection System (NIDS) Hybrids 8 (Copyright: Dr. Jyoti Lakhani)
  • 9. A HIDS system will require some software that resides on the system and can scan all host resources for activity some just scan syslog and event logs for activity. It will log any activities it discovers to a secure database and check to see whether the events match any malicious event record listed in the knowledge base. Host-based Intrusion-Detection System (HIDS) 9 (Copyright: Dr. Jyoti Lakhani)
  • 10. A NIDS system is usually inline on the network, and it analyzes network packets looking for attacks. A NIDS receives all packets on a particular network segment, including switched networks (where this is not the default behavior) via one of several methods, such as taps or port mirroring. It carefully reconstructs the streams of traffic to analyze them for patterns of malicious behavior. Most NIDSs are equipped with facilities to log their activities and report or alarm on questionable events. In addition, many high- performance routers offer NID capabilities. Network-based Intrusion-Detection System (NIDS) 10 (Copyright: Dr. Jyoti Lakhani)
  • 14. NIDS HIDS Broad in scope (watches all network activities) Narrow in scope (watches only specific host activities) Easier setup More complex setup Better for detecting attacks from the outside Better for detecting attacks from the inside Less expensive to implement More expensive to implement Detection is based on what can be recorded on the entire network Detection is based on what any single host can record Examines packet headers Does not see packet headers 14 (Copyright: Dr. Jyoti Lakhani)
  • 15. NIDS HIDS Detects network attacks as payload is analyzed Detects local attacks before they hit the network Detects unsuccessful attack attempts Verifies success or failure of Attacks Near real-time response Usually only responds after a suspicious log entry has been made OS-independent OS-specific In computer networking and telecommunications, when a transmission unit is sent from the source to the destination, it contains both a header and the actual data to be transmitted. This actual data is called the payload. 15 (Copyright: Dr. Jyoti Lakhani)
  • 16. The basic process for an IDS is that a NIDS or HIDS passively collects data and preprocesses and classifies them. Statistical analysis can be done to determine whether the information falls outside normal activity, and if so, it is then matched against a knowledge base. If a match is found, an alert is sent 16 (Copyright: Dr. Jyoti Lakhani)
  • 19. What Is an Intrusion-Prevention System (IPS)? It is still early in the development of intrusion-prevention systems (IPSs) An IPS sits inline on the network and monitors it, and when an event occurs, it takes action based on prescribed rules. This is unlike IDSs, which do not sit inline and are passive. 19 (Copyright: Dr. Jyoti Lakhani)
  • 20. Types of IPS Systems Host-based Intrusion- Prevention System (HIPS) Network-based Intrusion- Prevention System (NIPS) Hybrids 20 (Copyright: Dr. Jyoti Lakhani)
  • 21. User actions should correspond to actions in a predefined knowledge base; if an action isn't on the accepted list, the IPS will prevent the action. Unlike an IDS, the logic in an IPS is typically applied before the action is executed in memory. Other IPS methods compare file checksums to a list of known good checksums before allowing a file to execute, or work by intercepting system calls.
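The checksum allowlist method from slide 21, as an added example (not code from the slides): a host-side pre-execution check that allows a program only when its SHA-256 digest matches the administrator's known-good list. The file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def sha256_of_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def allow_execution(path: str, known_good: dict) -> tuple:
    """HIPS-style check applied before execution: allow only if the
    program's digest equals the allowlisted digest for that name.
    Returns (allowed, reason)."""
    name = os.path.basename(path)
    expected = known_good.get(name)
    if expected is None:
        return False, f"block: {name} not in allowlist"
    actual = sha256_of_file(path)
    if actual != expected:
        return False, f"block: {name} checksum mismatch"
    return True, f"allow: {name} matches known-good checksum"

def demo() -> list:
    """Create constructed sample programs, allowlist one, and try three
    executions: approved file, tampered file, and unknown file."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "backup.sh")
        with open(good, "wb") as f:
            f.write(b"#!/bin/sh\ntar czf /tmp/b.tgz /etc\n")
        # The administrator records the digest of the approved binary.
        known_good = {"backup.sh": sha256_of_file(good)}
        results.append(allow_execution(good, known_good))
        # Same name, modified content: the checksum no longer matches.
        with open(good, "ab") as f:
            f.write(b"echo tampered\n")
        results.append(allow_execution(good, known_good))
        # A program that was never put on the accepted list.
        other = os.path.join(d, "unknown.sh")
        with open(other, "wb") as f:
            f.write(b"#!/bin/sh\necho hi\n")
        results.append(allow_execution(other, known_good))
    return results

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```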
  • 22. An IPS will typically consist of four main components: traffic normalizer; service scanner; detection engine; traffic shaper.
  • 23. The traffic normalizer will interpret the network traffic and do packet analysis and packet reassembly, as well as performing basic blocking functions. The traffic is then fed into the detection engine and the service scanner. The service scanner builds a reference table that classifies the information and helps the traffic shaper manage the flow of the information. The detection engine does pattern matching against the reference table, and the appropriate response is determined.
  • 25. IDS vs. IPS
      IDS: Installed on network segments (NIDS) and on hosts (HIDS) | IPS: Installed on network segments (NIPS) and on hosts (HIPS)
      IDS: Sits on network passively | IPS: Sits inline (not passive)
      IDS: Cannot parse encrypted traffic | IPS: Better at protecting applications
      IDS: Central management control | IPS: Central management control
      IDS: Better at detecting hacking attacks | IPS: Ideal for blocking web defacement
      IDS: Alerting product (reactive) | IPS: Blocking product (proactive)
  • 26. Why Are IDSs and IPSs Important? 1. Greater proficiency in detecting intrusions than by doing it manually. 2. In-depth knowledge bases to draw from. 3. Ability to deal with large volumes of data. 4. Near real-time alerting capabilities that help reduce potential damage.
  • 27. Why Are IPSs Important? Automated responses, such as logging off a user, disabling a user account, or launching automated scripts; strong deterrent* value; built-in forensic capabilities; built-in reporting capabilities. *Deterrent: a thing that discourages or is intended to discourage someone from doing something. E.g. "cameras are a major deterrent to crime".
  • 28. ASSIGNMENT 1. Q1. Explain the architecture of IDS and IPS with suitable diagrams. Q2. What are the pros and cons of IDS and IPS? Last date of submission: 30/11/2020
  • 29. Why Are IPSs Important? (continued) MOST IMPORTANT: 1. Legal and regulatory issues. 2. Quantification of attacks. 3. Establishment of an overall defense-in-depth strategy.
  • 30. IDS and IPS Analysis Schemes. IDSs and IPSs perform analyses. It is important to understand the analysis process: what analysis does; what types of analysis are available; and what the advantages and disadvantages of the different analysis schemes are.
  • 31. What Is Analysis? Analysis, in the context of intrusion detection and prevention, is the organization of the constituent parts of data and their interrelationships to identify any anomalous activity of interest. Real-time analysis is analysis done on the fly as the data travels the path to the network or host. [Figure: Relationship between baseline and anomalous network activity, showing baseline activities and anomalous activities]
  • 32. Goals of intrusion-detection and intrusion-prevention analysis: create records of relevant activity for follow-up; determine flaws in the network by detecting specific activities; record unauthorized activity for use in forensics or criminal prosecution of intrusion attacks; act as a deterrent to malicious activity; increase accountability by linking activities of one individual across systems.
  • 33. Intrusion Analysis Process. [Diagram: data collected from sensors flows through Pre-processing, Analysis, Response and Refinement]
  • 35. Intrusion Analysis Process. [Diagram: Sensors feed a DB; Pre-processing classifies the data; the Core Analysis Engine applies analysis schemes to separate baseline activity from anomalous activity; followed by Response and Refinement] Example analysis scheme items: detection of the modification of system log files; detection of unexpected privilege escalation; detection of Backdoor NetBus; detection of Backdoor SubSeven; ORACLE grant attempt; RPC mountd UDP export request.
  • 36. Analysis Process. [Diagram: Sensors, DB, Pre-processing, Core Analysis Engine with classified data, KB of templates for different anomaly cases, Response, Refinement] Once the preprocessing is completed, the analysis stage begins. The data record is compared to the knowledge base, and the data record will either be logged as an intrusion event or it will be dropped. Then the next data record is analyzed.
  • 37. Response Phase. [Diagram: Sensors, DB, Pre-processing, Core Analysis Engine, Classified Data, KB; an ANOMALY is handed to either the IDS or the IPS] The RESPONSE of an IDS versus an IPS (against an anomaly) is the differentiating factor.
  • 38. Response Phase (IDS). [Diagram: same pipeline; on an ANOMALY the IDS writes to a log file and raises an ALARM]
  • 39. Response Phase (IPS). [Diagram: same pipeline; on an ANOMALY the IPS blocks the traffic to the network system, i.e. intrusion prevention]
  • 40. Response Phase. [Diagram: same pipeline; ANOMALY to IDS = reactive security, ANOMALY to IPS = proactive security]
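The pipeline of slides 16 and 35-40 (preprocess sensor data, analyze against a statistical baseline and a knowledge base, then respond), as an added example written for this page rather than code from the slides. The sensor records, the knowledge-base entries and the port numbers are constructed for the demo; the IDS mode only logs and alarms, while the IPS mode also blocks the source.

```python
import statistics

# Constructed sensor records (not real traffic): "src dst dst_port bytes".
SENSOR_DATA = """\
10.0.0.5 10.0.0.20 22 420
10.0.0.5 10.0.0.20 22 388
10.0.0.7 10.0.0.20 80 1200
10.0.0.7 10.0.0.20 80 1150
10.0.0.9 10.0.0.20 12345 90
10.0.0.5 10.0.0.20 22 410
10.0.0.12 10.0.0.20 80 540000
"""

# Knowledge base for misuse (signature) detection: destination port -> rule
# name, using the rule names listed on slide 35 with example port numbers.
KNOWLEDGE_BASE = {12345: "Backdoor NetBus", 27374: "Backdoor SubSeven"}

def preprocess(raw: str) -> list:
    """Pre-processing: parse raw sensor text into classified records."""
    records = []
    for line in raw.splitlines():
        src, dst, port, size = line.split()
        records.append({"src": src, "dst": dst, "port": int(port), "bytes": int(size)})
    return records

def analyze(records: list, kb: dict, z_threshold: float = 2.0) -> list:
    """Analysis: signature match against the knowledge base first, then a
    z-score test of the byte count against the baseline of all records.
    Returns (record, kind, detail) tuples; non-matching records are dropped."""
    sizes = [r["bytes"] for r in records]
    mean, stdev = statistics.mean(sizes), statistics.pstdev(sizes)
    events = []
    for r in records:
        if r["port"] in kb:
            events.append((r, "signature", kb[r["port"]]))
        elif stdev and abs(r["bytes"] - mean) / stdev > z_threshold:
            events.append((r, "anomaly", f"{r['bytes']} bytes outside baseline"))
    return events

def respond(events: list, mode: str) -> tuple:
    """Response: IDS logs and alarms only (reactive); IPS also blocks the
    source address (proactive). Returns (log_lines, blocked_sources)."""
    log, blocked = [], set()
    for r, kind, detail in events:
        log.append(f"ALARM {kind}: {detail} from {r['src']} -> {r['dst']}:{r['port']}")
        if mode == "IPS":
            blocked.add(r["src"])
    return log, blocked

if __name__ == "__main__":
    for mode in ("IDS", "IPS"):
        print(mode, respond(analyze(preprocess(SENSOR_DATA), KNOWLEDGE_BASE), mode))
```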
  • 41. Proactive (adjective): (of a person or action) creating or controlling a situation rather than just responding to it after it has happened. E.g. "employers must take a proactive approach to equal pay".
  • 42. Refinement Phase. [Diagram: same pipeline; the ANOMALY results feed back into tuning of the IDS/IPS] Tools, e.g. CTR*. *Cisco Threat Response (CTR) helps with the refinement stage by verifying that an alert is valid, i.e. by checking whether you are actually vulnerable to the reported attack or not.
  • 43. Detection Approaches: misuse detection (also called rule-based, signature detection or pattern matching); anomaly detection (also called profile-based detection).