2. Intrusion
An intrusion is an active sequence of related events that
deliberately try to cause harm, such as rendering a system
unusable, accessing unauthorized information, or manipulating
such information.
This definition refers to both successful and unsuccessful
attempts.
- Carl Endorf
IDS systems record information about both successful and
unsuccessful attempts so that security professionals will have a
more comprehensive understanding of the events on their
networks.
(Copyright: Dr. Jyoti Lakhani)
3. One way this can be done is by placing devices that examine
network traffic, called sensors, both in front of the firewall
(the unprotected area) and behind the firewall (the protected
area) and comparing the information recorded by the two.
[Diagram: sensor placement around the firewall; labels: Internet, Firewall]
5. Port Mirroring or Spanning
Copies of incoming and outgoing packets are forwarded
from one port of a network switch to another port where the
packets can be analyzed.
6. Network Taps
Network taps are put directly in-line with the network traffic; they
copy the incoming and outgoing packets and retransmit them
back out on the network.
7. What Is an Intrusion-Detection System (IDS)?
The tools, methods, and resources that help identify, assess,
and report unauthorized or unapproved network activity.
It detects activity in traffic that may or may not be an
intrusion.
IDSs work at the network layer of the OSI model.
They analyze packets to find specific patterns in network
traffic; if they find such a pattern in the traffic, an alert is
logged, and a response can be based on the data recorded.
IDSs are similar to antivirus software in that they use known
signatures to recognize traffic patterns that may be malicious
in intent.
8. Types of IDS Systems
• Host-based Intrusion-Detection System (HIDS)
• Network-based Intrusion-Detection System (NIDS)
• Hybrids
9. Host-based Intrusion-Detection System (HIDS)
A HIDS system requires software that resides on the host
system and can scan all host resources for activity; some
HIDSs just scan syslog and event logs for activity.
It will log any activities it discovers to a secure database and
check to see whether the events match any malicious event
record listed in the knowledge base.
10. Network-based Intrusion-Detection System (NIDS)
A NIDS system is usually inline on the network, and it analyzes
network packets looking for attacks. A NIDS receives all packets on
a particular network segment, including switched networks (where
this is not the default behavior), via one of several methods, such
as taps or port mirroring. It carefully reconstructs the streams of
traffic to analyze them for patterns of malicious behavior. Most
NIDSs are equipped with facilities to log their activities and report
or alarm on questionable events. In addition, many high-performance
routers offer NIDS capabilities.
14. NIDS vs. HIDS

| NIDS | HIDS |
|---|---|
| Broad in scope (watches all network activities) | Narrow in scope (watches only specific host activities) |
| Easier setup | More complex setup |
| Better for detecting attacks from the outside | Better for detecting attacks from the inside |
| Less expensive to implement | More expensive to implement |
| Detection is based on what can be recorded on the entire network | Detection is based on what any single host can record |
| Examines packet headers | Does not see packet headers |
15. NIDS vs. HIDS (continued)

| NIDS | HIDS |
|---|---|
| Detects network attacks as payload is analyzed | Detects local attacks before they hit the network |
| Detects unsuccessful attack attempts | Verifies success or failure of attacks |
| Near real-time response | Usually only responds after a suspicious log entry has been made |
| OS-independent | OS-specific |

In computer networking and telecommunications, when a
transmission unit is sent from the source to the destination, it
contains both a header and the actual data to be transmitted.
This actual data is called the payload.
16. The basic process for an IDS is that a NIDS or HIDS passively
collects data, then preprocesses and classifies it.
Statistical analysis can be done to determine whether the
information falls outside normal activity; if so, it is then
matched against a knowledge base.
If a match is found, an alert is sent.
19. What Is an Intrusion-Prevention System (IPS)?
It is still early in the development of intrusion-prevention
systems (IPSs)
An IPS sits inline on the network and monitors it, and when
an event occurs, it takes action based on prescribed rules.
This is unlike IDSs, which do not sit inline and are passive.
20. Types of IPS Systems
• Host-based Intrusion-Prevention System (HIPS)
• Network-based Intrusion-Prevention System (NIPS)
• Hybrids
21. User actions should correspond to actions in a predefined
knowledge base; if an action isn't on the accepted list, the IPS will
prevent the action.
Unlike an IDS, the logic in an IPS is typically applied before the
action is executed in memory. Other IPS methods compare file
checksums to a list of known good checksums before allowing a
file to execute, or work by intercepting system calls.
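As an added illustration (not from the slides), the two IPS checks just described, an accepted-action list and a known-good checksum list consulted before a file is allowed to run, written in Python. The action names, file name and file contents are constructed for the example; a real HIPS would hook these checks into the operating system (for instance by intercepting system calls) instead of being called directly.

```python
import hashlib
import hmac

# Hypothetical knowledge base (constructed for this example, not from the slides):
# the accepted user actions and the known-good SHA-256 checksum of each file.
ACCEPTED_ACTIONS = {"read_file", "write_log", "open_socket", "execute"}
KNOWN_GOOD_CONTENT = b"#!/bin/sh\necho hello\n"  # constructed "trusted" script
KNOWN_GOOD_CHECKSUMS = {"hello.sh": hashlib.sha256(KNOWN_GOOD_CONTENT).hexdigest()}

def check_action(action):
    """Allow an action only if it is on the predefined accepted list."""
    return "allow" if action in ACCEPTED_ACTIONS else "block"

def check_file(name, content):
    """Allow a file to execute only if its checksum matches the known-good entry."""
    expected = KNOWN_GOOD_CHECKSUMS.get(name)
    if expected is None:
        return "block"  # not on the list at all, so it is never allowed to run
    actual = hashlib.sha256(content).hexdigest()
    # constant-time comparison so the decision does not leak timing information
    return "allow" if hmac.compare_digest(actual, expected) else "block"

def ips_decide(event):
    """Decide before the action executes; any single failed check blocks it."""
    decisions = [check_action(event["action"])]
    if "file" in event:
        decisions.append(check_file(event["file"], event["content"]))
    return "block" if "block" in decisions else "allow"

# Constructed events: a normal action, a trusted script, a tampered copy of it,
# an unknown binary, and an action that is not on the accepted list.
EVENTS = [
    {"action": "read_file"},
    {"action": "execute", "file": "hello.sh", "content": KNOWN_GOOD_CONTENT},
    {"action": "execute", "file": "hello.sh", "content": b"#!/bin/sh\necho tampered\n"},
    {"action": "execute", "file": "unknown.bin", "content": b"\x7fELF"},
    {"action": "format_disk"},
]

def run_all():
    """Return the IPS decision for every constructed event, in order."""
    return [ips_decide(e) for e in EVENTS]
```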
22. An IPS will typically consist of four main components:
• Traffic normalizer
• Service scanner
• Detection engine
• Traffic shaper
23. The traffic normalizer will interpret the network traffic and do
packet analysis and packet reassembly, as well as performing
basic blocking functions.
The traffic is then fed into the detection engine and the service
scanner.
The service scanner builds a reference table that classifies the
information and helps the traffic shaper manage the flow of the
information.
The detection engine does pattern matching against the
reference table, and the appropriate response is determined.
25. IDS vs. IPS

| IDS | IPS |
|---|---|
| Installed on network segments (NIDS) and on hosts (HIDS) | Installed on network segments (NIPS) and on hosts (HIPS) |
| Sits on network passively | Sits inline (not passive) |
| Cannot parse encrypted traffic | Better at protecting applications |
| Central management control | Central management control |
| Better at detecting hacking attacks | Ideal for blocking web defacement |
| Alerting product (reactive) | Blocking product (proactive) |
26. Why Are IDSs and IPSs Important?
1. Greater proficiency in detecting intrusions than by
doing it manually
2. In-depth knowledge bases to draw from
3. Ability to deal with large volumes of data
4. Near real-time alerting capabilities that help reduce
potential damages
27. Why Are IPSs Important?
• Automated responses, such as logging off a user,
disabling a user account, or launching automated
scripts
• Strong deterrent* value
• Built-in forensic capabilities
• Built-in reporting capabilities
* Deterrent: a thing that discourages or is intended to discourage someone
from doing something, e.g. "cameras are a major deterrent to crime".
28. ASSIGNMENT 1
Q1. Explain the architecture of IDS and IPS with suitable diagrams.
Q2. What are the pros and cons of IDS and IPS?
Last date of submission: 30/11/2020
29. Why Are IPSs Important? (Most Important)
1. Legal and regulatory issues
2. Quantification of attacks
3. Establishment of an overall defense-in-depth
strategy
30. IDS and IPS Analysis Schemes
IDSs and IPSs perform analyses.
It is important to understand the analysis process:
- what analysis does
- what types of analysis are available
- what the advantages and disadvantages of the different analysis
schemes are.
31. What Is Analysis?
Analysis, in the context of intrusion detection and prevention, is
the organization of the constituent parts of data and their
interrelationships to identify any anomalous activity of interest.
Real-time analysis is analysis done on the fly as the data travels
the path to the network or host.
[Diagram: Relationship between Baseline and Anomalous Network Activity; labels: Baseline Activities, Anomalous Activities]
32. Goals of intrusion-detection and intrusion-prevention analysis
• Create records of relevant activity for follow-up
• Determine flaws in the network by detecting specific activities
• Record unauthorized activity for use in forensics or criminal
prosecution of intrusion attacks
• Act as a deterrent to malicious activity
• Increase accountability by linking activities of one individual
across systems
33. Intrusion Analysis Process
[Diagram: stages Pre Processing, Analysis, Response, Refinement; input: Data Collected From Sensors]
36. Analysis Process
[Diagram: Sensors, DB, Pre Processing, Analysis, Response, Refinement, Core Analysis Engine, Classified Data, KB (templates for different anomaly cases)]
• Once the preprocessing is completed,
the analysis stage begins.
• The data record is compared to the
knowledge base, and the data record
will either be logged as an intrusion
event or it will be dropped.
• Then the next data record is analyzed.
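The pipeline described on slides 16 and 36, as an added Python example that is not part of the original slides: preprocessing of raw sensor records, a statistical check against a baseline of normal activity, matching against a knowledge base, and logging each record as an intrusion event or dropping it. The log lines, baseline counts and signature patterns are constructed for the example, and the signature check is applied to every record rather than only to the statistically anomalous ones.

```python
import re
import statistics

# Constructed sample sensor data (not from the slides): "time src dst payload"
RAW_LOG = """\
10:00:01 10.0.0.5 10.0.0.80 GET /index.html
10:00:02 10.0.0.5 10.0.0.80 GET /about.html
10:00:03 10.0.0.7 10.0.0.80 GET /index.html
10:00:04 10.0.0.9 10.0.0.80 GET /login?user=admin' OR '1'='1
10:00:05 10.0.0.9 10.0.0.80 GET /a
10:00:05 10.0.0.9 10.0.0.80 GET /b
10:00:05 10.0.0.9 10.0.0.80 GET /c
"""
# Baseline: requests per host observed in a normal window (constructed values)
BASELINE_COUNTS = [1, 2, 2, 1, 3, 2, 1, 2]
# Knowledge base: hypothetical signature names mapped to their patterns
KNOWLEDGE_BASE = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

def preprocess(raw):
    """Preprocessing: turn raw sensor lines into structured data records."""
    records = []
    for line in raw.splitlines():
        ts, src, dst, payload = line.split(" ", 3)
        records.append({"ts": ts, "src": src, "dst": dst, "payload": payload})
    return records

def anomalous_sources(records, baseline, threshold=2.0):
    """Statistical analysis: hosts more than `threshold` SDs above the baseline mean."""
    counts = {}
    for r in records:
        counts[r["src"]] = counts.get(r["src"], 0) + 1
    mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
    return {src for src, n in counts.items() if sd and (n - mean) / sd > threshold}

def analyze(raw, baseline=BASELINE_COUNTS):
    """Analysis: match each record against the knowledge base; log as an alert or drop."""
    records = preprocess(raw)
    flagged = anomalous_sources(records, baseline)
    alerts = []
    for r in records:
        reasons = [n for n, p in KNOWLEDGE_BASE.items() if p.search(r["payload"])]
        if r["src"] in flagged:
            reasons.append("rate-anomaly")
        if reasons:  # no reason: the record is dropped, not logged
            alerts.append({"ts": r["ts"], "src": r["src"], "reasons": reasons})
    return alerts
```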
41. Proactive
ADJECTIVE
(of a person or action) creating or controlling a situation rather
than just responding to it after it has happened.
e.g. "employers must take a proactive approach to equal pay"