Intrusion detection system
1. INTRUSION DETECTION SYSTEMS
   Madhumanti Dey (ID 110509022), Sweta Sharma (ID 110509042)

2. WHAT IS INTRUSION?
   Definition: An intrusion can be defined as a subversion of security to gain access to a system. The intrusion can use multiple attack methods and can span long periods of time. These unauthorized accesses to computer or network systems are often designed to study the system's weaknesses for future attacks. Other forms of intrusion are aimed at limiting access or even preventing access to computer systems or networks.

3. TYPES OF INTRUSION
   Unauthorized access to resources:
   - Password cracking
   - Scanning ports and services
   - Spoofing, e.g. DNS spoofing
   - Network packet listening
   - Stealing information
   - Unauthorized network access
   - Use of IT resources for private purposes
   Unauthorized alteration of resources:
   - Falsification of identity
   - Information altering and deletion
   - Unauthorized transmission and creation of data
   - Configuration changes to systems and network services

4. TYPES OF INTRUSION (contd.)
   Denial of service:
   - Flooding: ping flood, mail flood
   - Compromising the system: buffer overflow, remote system shutdown
   Web application attack

5. TYPICAL INTRUSION SCENARIO
   Information gathering: find as much information as possible; whois lookup and DNS zone transfers; normal browsing to gather important information; ping sweeps, port scanning.
   Further information gathering: web server vulnerabilities; versions of applications/services.
   Attack!: start trying out different attacks; UNICODE attack if IIS is installed; try to find misconfigured running services; passive attack / active attack.
   Successful intrusion: install own backdoors and delete log files; replace existing services with own Trojan horses that have backdoor passwords, or create own user accounts.
   Fun and profit: steal confidential information; use the compromised host to launch further attacks; change the web site for fun.

6. TRADITIONAL APPROACHES
   Antivirus, password protection, firewalls.

7. FACTS!!!
   - Anti-virus systems are only good at detecting viruses they already know about.
   - Passwords can be hacked, stolen or changed by others.
   - Firewalls DO NOT recognize attacks and block them. A firewall is simply a fence around your network: it has no capacity to detect that someone is trying to break in (digging a hole underneath it), and it can't determine whether somebody coming through the gate is allowed to enter or not.
   - Roughly 80% of financial losses occur from hacking from inside the network: "BEWARE OF INTERNAL INTRUDERS".

8. WHAT IS AN IDS?
   IDS: a system trying to detect and alert on attempted intrusions into a system or network. Reactive rather than proactive!! Sometimes provides diagnostic information as well. Usually does not prevent unauthorized users from entering the network; it only identifies that an intrusion has occurred.

9. CAPABILITIES OF AN IDS
   - Identify possible incidents: detect that an attacker has compromised a system.
   - Report to the administrator.
   - Log information: keep a log of suspicious activities.
   - Can be configured to recognize violations of security policies.
   - Monitor file transfers, e.g. copying a large database onto a user's laptop.

10. WHY IDS WHEN WE HAVE FIREWALLS?
   IDS are used to monitor the rest of the security infrastructure. Today's security infrastructures are becoming extremely complex: they include firewalls, identification and authentication systems, access control products, virtual private networks, encryption products, virus scanners, and more. Failure of any one of these components of your security infrastructure will render the system less secure.

11. (continued)
   - Not all traffic may go through a firewall, e.g. a modem on a user's computer.
   - Not all threats originate from outside.
   - As networks use more and more encryption, attackers will aim at the location where data is often stored unencrypted (the internal network).
   - A firewall does not protect appropriately against application-level weaknesses and attacks.
   - Firewalls are subject to attacks themselves.
   - An IDS protects against misconfiguration or faults in other security mechanisms.

12. REAL LIFE ANALOGY!!
   It's like security at the airport... You can put up all the fences in the world and have strict access control, but the biggest threat is all the PASSENGERS (packets) that you MUST let through! That's why there are metal detectors to detect what they may be hiding (packet content). You have to let them get to the planes (your application) via the gate (port 80), but without X-rays and metal detectors you can't be sure what they have under their coats. Firewalls are really good access control points, but they aren't really good for, or designed to, prevent intrusions. That's why most security professionals back their firewalls up with an IDS, either behind the firewall or at the host.
13. CHARACTERISTICS OF IDS
   - Scalability: the IDS must be able to function in large (and fast) network architectures.
   - Low rate of false positive alerts: a false positive is, essentially, a false alarm.
   - No false negative instances: a false negative is an instance when the network or system was under attack but the IDS did not identify it as intrusive behavior, so no alert was activated.
   - Allow some anomalous events without flagging an emergency alert: this doesn't mean it should allow truly malicious behavior, but it should be flexible/smart enough to allow for the occasional user mistake or communication blip.

14. COMPONENTS OF IDS
   Information source, analysis engine, response/alert.

15. INFORMATION SOURCE
   All IDS need an information source in which to monitor for intrusive behavior. The information source can include network traffic (packets), host resources (CPU, I/O operations and log files), user activity, file activity, etc. The information can be provided in real time or in a delayed manner.

16. ANALYSIS ENGINE
   The analysis engine is the "brains" behind the IDS: it is the actual functionality used to identify the intrusive behavior. As mentioned previously, there are many ways in which an IDS can analyze for intrusive behavior, and the majority of IDS implementations differ in their method of intrusion analysis.

17. RESPONSE
   Once intrusive behavior is identified, the IDS needs to be able to respond to the attack and alert the appropriate individuals of the occurrence. Response activities can include applying firewall rules to drop traffic from a particular source IP, host port blocking, logging off a user, disabling an account, security software activation, system shutdown, etc.

18. ALERTING MEASURES
   Alerting measures are used to bring the attack to the attention of the proper individuals supporting the environment. For example:
   - an IDS alert can include an active measure, which may be sending an email or text page to the system administrator,
   - or it could simply write a detailed log of the event, which is a passive measure.

19. An IDS Protected Enterprise
   (Diagram only.)

20. IDS CLASSIFICATION
   (Diagram only.)

21. ANOMALY DETECTION BASED IDS
   Anomaly detection:
   - Assumption: "Attacks differ from normal behaviour".
   - Analyses the network or system and infers what is "normal" (establishes a "normal activity profile").
   - Interprets deviations from this "normal" behaviour as an intrusion.
   - Activity measures such as CPU time used, number of network connections in a time period.
   - Adjustment of threshold levels is very important.
   (Diagram: audit data is compared with the system profile; a statistically deviant state is reported as an attack; the profile is updated and new profiles are generated dynamically.)

22. METHODS
   THRESHOLD DETECTION: threshold detection is the process in which certain attributes of user and computer system behavior are expressed in terms of counts, with some level established as permissible. For example, such behavior attributes can include:
   - the number of files accessed by a given user over a certain period of time,
   - the number of failed attempts to log in to the system,
   - the amount of CPU utilized by a process, etc.

23. STATISTICAL MEASURES
   These measures can be parametric or non-parametric.
   - Parametric measures are used when the distribution of the profiled attributes is assumed to fit a particular pattern (a standard probability distribution function).
   - Non-parametric measures are used when the distribution of the profiled attribute is gathered from a set of historical values observed over time.
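The two anomaly-detection methods above (threshold detection, and parametric versus non-parametric statistical measures) in code, as an added example that is not part of the original deck. The per-hour failed-login history is constructed, and the permissible level, the z-score limit and the percentile limit are assumed tuning values.

```python
"""Threshold detection and statistical (parametric / non-parametric) measures
for an anomaly-detection IDS. Added example; constructed data throughout."""
import statistics
from typing import Dict, List

# Constructed profile: failed login attempts per hour for one user over 14 hours.
HISTORY: List[int] = [0, 1, 0, 2, 1, 0, 0, 1, 3, 0, 1, 0, 2, 1]


def threshold_detect(count: int, permissible: int) -> bool:
    """Threshold detection: a behaviour attribute expressed as a count, with a
    level established as permissible. Alert when the count exceeds that level."""
    return count > permissible


def parametric_score(history: List[int], current: int) -> float:
    """Parametric measure: assume the attribute follows a normal distribution
    and report how many standard deviations the current value is from the
    profile mean (z-score)."""
    mean = statistics.mean(history)
    stdev = statistics.pstdev(history) or 1.0  # flat history: avoid dividing by zero
    return (current - mean) / stdev


def nonparametric_score(history: List[int], current: int) -> float:
    """Non-parametric measure: no distribution assumed; the profile is the set
    of historical values, and the score is the fraction of them at or below
    the current value (its empirical percentile)."""
    return sum(1 for h in history if h <= current) / len(history)


def assess(history: List[int], current: int, permissible: int = 5,
           z_limit: float = 3.0, pct_limit: float = 0.95) -> Dict[str, bool]:
    """Apply all three measures and report which of them flag the value.
    The three limits are assumed tuning values, not figures from the deck."""
    return {
        "threshold": threshold_detect(current, permissible),
        "parametric": parametric_score(history, current) > z_limit,
        "nonparametric": nonparametric_score(history, current) > pct_limit,
    }


if __name__ == "__main__":
    for current in (2, 3, 9):
        print(f"{current} failed logins this hour -> {assess(HISTORY, current)}")
```

The value 3 is the instructive case: no hour in the history exceeds it, so the non-parametric percentile flags it, while the z-score (about 2.3 standard deviations) stays under the parametric limit. Which limit is right is exactly the "adjustment of threshold levels" the deck calls very important.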
24. ADVANTAGES
   - Very effective at detecting unknown threats. Example: suppose a computer is infected with a new type of malware. The malware consumes a large share of the computer's processor resources and sends a large number of emails, initiating a large number of network connections. This is definitely significantly different behavior from the established profiles.
   - It can produce information from the intrusive attack that can be used to define signatures for misuse detectors.

25. DISADVANTAGES
   - Current implementations do not work very well (too many false positives/negatives).
   - Cannot categorize attacks very well.
   - Difficult to train in highly dynamic environments.
   - The system may be gradually trained by intruders.
   - High false alarm rate: all activities excluded during the training phase.
   - Making a profile is very challenging.

26. SIGNATURE DETECTION BASED IDS (Misuse Detection)
   - Attacks are known in advance (signatures).
   - Matches signatures of well-known attacks against state changes in systems or the stream of packets flowing through the network.
   - The attack signatures are usually specified as rules.
   - Examples of signatures:
     - A telnet attempt with username "root", which is a violation of an organization's security policy.
     - An e-mail with the subject "Free Pictures" and an attachment "freepics.exe": characteristics of a malware.
   (Diagram: audit data is checked against the rules; a rule match is reported as an attack; existing rules are modified and new rules added.)

27. ADVANTAGES
   - Very few false alarms.
   - Very effective at detecting previously known threats.
   - FAST: there isn't a need for the IDS to "learn" the network behavior before it can be of use.
   - Easy to implement, deploy, update and understand.

28. DISADVANTAGES
   - Cannot detect previously unknown attacks.
   - Constantly needs to be updated with new rules that represent newly discovered attacks or modified existing attacks.
   - Only as good as the database of attack signatures.

29. HOST-BASED IDS
   These are confined to monitoring activity on the local host computer. Uses log files and network traffic in/out of that host as data source (audit data). Monitors:
   - Incoming packets
   - Login activities
   - Root activities
   - File systems
   - Application logs such as syslog
   A host-based IDS might also monitor:
   - Wired and wireless network traffic
   - Running processes; file access/modification

30. TYPES OF HIDS
   - Centralised host-based intrusion detection system.
   - Distributed host-based intrusion detection system.

31. CENTRALISED HIDS ARCHITECTURE
   (Diagram only.)

32. DISTRIBUTED HIDS ARCHITECTURE
   (Diagram only.)

33. DISTRIBUTED REAL-TIME HIDS
   (Diagram only.)

34. ADVANTAGES
   - Direct system information access: since in a distributed HIDS the IDS exists directly on the host system, it can directly access local system resources (operating system configuration, files, registry, software installations, etc.).
   - Can associate users with local computer processes.
   - Since the host is part of the target, a HIDS can provide detailed information on the state of the system during the attack.
   - Low resource utilization: a HIDS only deals with the inspection of traffic and events local to the host.

35. DISADVANTAGES
   - The implementation of HIDS can get very complex in large networking environments. With several thousand possible endpoints in a large network, collecting and auditing the generated log files from each node can be a daunting task.
   - If the IDS system is compromised, the host may cease to function, resulting in a stop to all logging activity. Secondly, if the IDS system is compromised and logging still continues to function, the trust in such log data is severely diminished.

36. NETWORK-BASED IDS
   - IDS are placed on the network, near the system(s) being monitored.
   - Monitors network traffic for particular network segments or devices.
   - Sensors are placed on the network segment to check the packets.
   - Primary types of signatures are: string signature, port signature, header condition signature.

37. (continued)
   - String signature: looks for text/strings that may indicate a possible attack. Example: on a UNIX system, cat "+ +" > /.rhosts
   - Port signature: watches for connection attempts to well-known, frequently attacked ports. Example: telnet (TCP port 23).
   - Header signature: watches for dangerous or illogical combinations of packet headers. Example: a TCP packet with both the SYN and FIN flags set, i.e. a request wishing to start and stop the connection at the same time.
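The three signature types above applied to a handful of constructed packet records, as an added example rather than code from the deck. The Packet record, the "+ +" payload string and the watched-port table are assumptions chosen to mirror the slide's examples; SYN and FIN are the real TCP flag bit values.

```python
"""Added example: the three NIDS signature types (string, port, header
condition) from the slide, run over constructed packet records."""
from dataclasses import dataclass
from typing import List

# Real TCP flag bit values from the TCP header flags byte.
FIN, SYN = 0x01, 0x02


@dataclass
class Packet:               # assumed minimal record of a captured packet
    proto: str              # "tcp", "udp", "icmp"
    dst_port: int
    flags: int = 0          # TCP flags byte (0 for non-TCP)
    payload: bytes = b""


@dataclass
class Alert:
    kind: str
    detail: str


# Constructed signature tables mirroring the slide's examples.
STRING_SIGNATURES = [(b"+ +", "'+ +' trust-all entry being written, .rhosts style")]
WATCHED_PORTS = {23: "telnet"}


def string_signature(pkt: Packet) -> List[Alert]:
    """String signature: look for text that may indicate a possible attack."""
    return [Alert("string", note) for needle, note in STRING_SIGNATURES if needle in pkt.payload]


def port_signature(pkt: Packet) -> List[Alert]:
    """Port signature: a connection attempt (SYN) to a well-known, frequently attacked port."""
    if pkt.proto == "tcp" and pkt.flags & SYN and pkt.dst_port in WATCHED_PORTS:
        return [Alert("port", f"connection attempt to {WATCHED_PORTS[pkt.dst_port]} (tcp/{pkt.dst_port})")]
    return []


def header_signature(pkt: Packet) -> List[Alert]:
    """Header condition signature: an illogical flag combination, SYN and FIN
    in the same segment (asking to open and close the connection at once)."""
    if pkt.proto == "tcp" and pkt.flags & SYN and pkt.flags & FIN:
        return [Alert("header", "SYN and FIN both set")]
    return []


def inspect(packets: List[Packet]) -> List[Alert]:
    """Run every signature over every packet; alerts come back in packet order."""
    alerts: List[Alert] = []
    for pkt in packets:
        alerts += string_signature(pkt) + port_signature(pkt) + header_signature(pkt)
    return alerts


# Constructed traffic sample: one benign request, then one hit per signature type.
SAMPLE = [
    Packet("tcp", 80, SYN, b"GET / HTTP/1.0\r\n"),
    Packet("tcp", 23, SYN),
    Packet("tcp", 22, SYN | FIN),
    Packet("tcp", 513, 0x18, b'cat "+ +" > /.rhosts\n'),   # PSH|ACK data segment
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE):
        print(alert.kind, "-", alert.detail)
```

The port signature is tied to the SYN bit on purpose: matching every segment to port 23 would raise one alert per packet of an established session, whereas the slide's wording is "connection attempts". The string signature, by contrast, is payload-only and so inherits the reassembly limitation the deck lists under NIDS disadvantages: a string split across two segments is not seen.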
38. TYPES OF NIDS
   - The network interface card is placed in promiscuous mode to capture all network traffic.
   - Network-node intrusion detection system: used to sniff packets directed to a mission-critical target.

39. ADVANTAGES
   - Trace activity.
   - Complements firewalls: a NIDS can interact with firewall technologies to dynamically block recognized intrusion behavior.
   - System management competencies: monitoring, security audits, attack recognition, response.

40. DISADVANTAGES
   - Cannot reassemble all fragmented traffic.
   - Cannot analyze all data or deal with packet-level issues.
   - Firewalls serve best.
   - IDS sensors are susceptible to various attacks: a large volume of traffic can crash the IDS sensor itself.

41. NIDS V/S HIDS
   (Comparison table only.)

42. INTERVAL-BASED IDS
   - Work on audit logs.
   - Audit data is processed periodically, not in real time (data mining).

43. ON-THE-FLY PROCESSING
   - Audit data is processed in real time, continuously.
   - May react to and prevent an intrusion that is still going on.

44. IDS MODELS
   Anomaly detection: predictive pattern generation, fuzzy classifiers, neural networks, support vector machines.
   Misuse detection: expert systems, decision trees, keystroke monitoring, state transition analysis, pattern matching.

45. PREDICTIVE PATTERN RECOGNITION
   Try to predict future events based on event history, e.g. rule: E1 - E2 → (E3 = 80%, E4 = 15%, E5 = 5%). Intrusion: the left-hand side of the rule is matched but the right-hand side is statistically deviant from the prediction.
   (Diagram: E1 → E2 branches to E3 with p = 0.8, E4 with p = 0.15 and E5 with p = 0.05.)

46. Fuzzy Classifiers (1) (data mining)
   - No clear boundary between normal and abnormal events.
   - Selection of features:
     - Number of abnormal packets (invalid source or destination IP address)
     - Number of TCP connections
     - Number of failed TCP connections
     - Number of ICMP packets
     - Number of bytes sent / received per connection
     - ...
   (Figure: a fuzzy space of 5 fuzzy sets, LOW through MEDIUM to HIGH, with membership from 0 to 1 over a feature axis marked 0, 5, 10, 25, 50, 100.)

47. Fuzzy Classifiers (2)
   Detecting a port scan:
     if count of UNUSUAL SDPs on port N is HIGH
     and count of DESTINATION HOSTS is HIGH
     and count of SERVICE ports observed is MEDIUM-LOW
     then Service Scan of Port N is HIGH
   Detecting a DoS attack:
     if count of UNUSUAL SDTs is HIGH
     and count of ICMPs is HIGH
     then DoS ALERT is HIGH
   SDP: source IP - destination IP - destination port. SDT: source IP - destination IP - packet type.
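The fuzzy space from the Fuzzy Classifiers (1) slide and the two rules from the Fuzzy Classifiers (2) slide worked through in code, as an added example that is not the deck's own. Assumed here: the five sets are LOW, MEDIUM-LOW, MEDIUM, MEDIUM-HIGH and HIGH with triangular memberships peaking on the axis ticks 5, 10, 25, 50 and 100; fuzzy AND is the minimum; an "unusual" SDP or SDT is one not seen in a baseline set; and the flow records are constructed.

```python
"""Added example: fuzzification over the deck's five fuzzy sets and the two
fuzzy rules (port scan, DoS). Constructed flow records; assumptions noted."""
from typing import Dict, List, Set, Tuple

# Assumed names for the slide's five fuzzy sets; the axis ticks 0, 5, 10, 25,
# 50, 100 are the slide's. Each set peaks on one tick (5..100); LOW is full
# below 5 and HIGH is full above 100 (shoulder shapes, an assumption).
LABELS = ["LOW", "MEDIUM-LOW", "MEDIUM", "MEDIUM-HIGH", "HIGH"]
CENTERS = [5, 10, 25, 50, 100]

Flow = Tuple[str, str, int, str]   # (src IP, dst IP, dst port, packet type)


def fuzzify(x: float) -> Dict[str, float]:
    """Membership of a crisp count x in each set; neighbouring triangles
    overlap so that the memberships always sum to 1."""
    m: Dict[str, float] = {}
    for k, (label, c) in enumerate(zip(LABELS, CENTERS)):
        left = CENTERS[k - 1] if k > 0 else None
        right = CENTERS[k + 1] if k + 1 < len(CENTERS) else None
        if x == c:
            deg = 1.0
        elif x < c:
            deg = 1.0 if left is None else max(0.0, (x - left) / (c - left))
        else:
            deg = 1.0 if right is None else max(0.0, (right - x) / (right - c))
        m[label] = deg
    return m


def extract_counts(flows: List[Flow], baseline_sdps: Set[Tuple[str, str, int]],
                   baseline_sdts: Set[Tuple[str, str, str]]) -> Dict[str, int]:
    """The crisp counts the two rules consume. SDP = source IP, destination IP,
    destination port; SDT = source IP, destination IP, packet type (the
    slide's definitions). 'Unusual' is read as 'absent from the baseline'."""
    sdps = {(s, d, p) for s, d, p, _ in flows}
    sdts = {(s, d, t) for s, d, _, t in flows}
    return {
        "unusual_sdps": len(sdps - baseline_sdps),
        "dest_hosts": len({d for _, d, _, _ in flows}),
        "service_ports": len({p for _, _, p, _ in flows}),
        "unusual_sdts": len(sdts - baseline_sdts),
        "icmps": sum(1 for f in flows if f[3] == "icmp"),
    }


def port_scan_degree(c: Dict[str, int]) -> float:
    """if UNUSUAL SDPs is HIGH and DESTINATION HOSTS is HIGH and SERVICE ports
    is MEDIUM-LOW then Service Scan is HIGH. Fuzzy AND taken as min."""
    return min(fuzzify(c["unusual_sdps"])["HIGH"],
               fuzzify(c["dest_hosts"])["HIGH"],
               fuzzify(c["service_ports"])["MEDIUM-LOW"])


def dos_degree(c: Dict[str, int]) -> float:
    """if UNUSUAL SDTs is HIGH and ICMPs is HIGH then DoS ALERT is HIGH."""
    return min(fuzzify(c["unusual_sdts"])["HIGH"], fuzzify(c["icmps"])["HIGH"])


# Constructed data: a quiet-period baseline, then one host sweeping 100
# addresses on port 23 and probing 7 more ports on one of them.
BASELINE_SDPS = {("10.0.0.7", "10.0.1.1", 80), ("10.0.0.7", "10.0.1.2", 443)}
BASELINE_SDTS = {("10.0.0.7", "10.0.1.1", "tcp"), ("10.0.0.7", "10.0.1.2", "tcp")}
SCAN_FLOWS: List[Flow] = (
    [("10.0.0.5", f"10.0.1.{i}", 23, "tcp") for i in range(1, 101)]
    + [("10.0.0.5", "10.0.1.1", p, "tcp") for p in (21, 22, 25, 80, 110, 143, 443)]
)
QUIET_FLOWS: List[Flow] = [("10.0.0.7", "10.0.1.1", 80, "tcp")] * 20

if __name__ == "__main__":
    for name, flows in (("quiet", QUIET_FLOWS), ("scan", SCAN_FLOWS)):
        counts = extract_counts(flows, BASELINE_SDPS, BASELINE_SDTS)
        print(name, counts, "port scan:", port_scan_degree(counts), "dos:", dos_degree(counts))
```

The output is a degree, not a verdict: the sweep scores 0.6 for "Service Scan is HIGH" because eight service ports is only 0.6 MEDIUM-LOW, which is the "no clear boundary" point of the first slide. Where the crisp alarm line goes (0.5? 0.8?) is a tuning decision that trades false alarms against misses.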
48. Neural Networks – IDS Prototypes (1)
   Perceptron model:
   - Simplest form of NN.
   - A single neuron with adjustable synapses (weights) and a threshold.
   - Inputs $x_1, \dots, x_n$ with weights $w_1, \dots, w_n$ are summed; the output $y$ fires when $\sum_{i=1}^{n} x_i \cdot w_i > \text{threshold}$.

49. Neural Networks – IDS Prototypes (2)
   Backpropagation model:
   - Multilayer feedforward network: input layer + at least one hidden layer + output layer.
   - Correct detection rate ≈ 80% with 2% false alarms.
   (Diagram: inputs $x_1, \dots, x_n$ → input layer → hidden layer → output layer.)
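The single-neuron perceptron of the first prototype slide, trained on constructed session records; an added example, not the deck's own code. Assumed: the two inputs are the num_failed_logins and num_SU_attempts counts the deck uses later for its SVM illustration, the training rows and learning rate are constructed, and the update rule is the standard perceptron learning rule, which the slide itself does not spell out.

```python
"""Added example: the slide's single-neuron perceptron, trained with the
standard perceptron learning rule on constructed session records."""
from typing import List, Sequence, Tuple

Sample = Tuple[Sequence[float], int]   # ((num_failed_logins, num_su_attempts), label)

# Constructed training set: label 1 = intrusive session, 0 = normal session.
TRAIN: List[Sample] = [
    ((0, 0), 0), ((1, 0), 0), ((2, 1), 0), ((0, 1), 0), ((1, 1), 0),
    ((6, 3), 1), ((5, 4), 1), ((8, 2), 1), ((4, 5), 1), ((7, 6), 1),
]


def perceptron_output(x: Sequence[float], w: Sequence[float], threshold: float) -> int:
    """The slide's neuron: y = 1 when sum_i x_i * w_i exceeds the threshold."""
    return 1 if sum(xi * wi for xi, wi in zip(x, w)) > threshold else 0


def train_perceptron(samples: List[Sample], lr: float = 1.0,
                     max_epochs: int = 100) -> Tuple[List[float], float, int]:
    """Perceptron learning rule (not on the slide): for each misclassified
    sample move the weights toward the input on a missed intrusion and away
    from it on a false alarm, shifting the threshold the opposite way.
    Returns (weights, threshold, epochs used)."""
    n = len(samples[0][0])
    w, threshold = [0.0] * n, 0.0
    for epoch in range(1, max_epochs + 1):
        errors = 0
        for x, y in samples:
            err = y - perceptron_output(x, w, threshold)
            if err:
                errors += 1
                w = [wi + lr * err * xi for wi, xi in zip(w, x)]
                threshold -= lr * err
        if errors == 0:            # every sample on the right side: converged
            return w, threshold, epoch
    return w, threshold, max_epochs   # not linearly separable within the budget


if __name__ == "__main__":
    w, t, epochs = train_perceptron(TRAIN)
    print(f"weights={w} threshold={t} after {epochs} epochs")
    for session in ((1, 0), (9, 4)):
        print(session, "->", "ALERT" if perceptron_output(session, w, t) else "normal")
```

With these rows the rule settles on weights (1, 1) and threshold 6 after six epochs, so the neuron alerts when failed logins plus su attempts exceed 6. A training set that is not linearly separable never reaches zero errors and runs out the epoch budget instead; that is the situation that motivates the multilayer backpropagation model on the next slide.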
50. Neural Networks – Data Preprocessing (supervised learning)
   - 1st round: selection of data elements (protocol ID, source port, destination port, etc.).
   - 2nd round: creation of relational databases:
     Prt ID | Src Port | Dest. Port | Source Addr. | Dest. Addr. | ICMP Type | ICMP Code | Raw Data Len. | Data ID | Attack
     0      | 2314     | 80         | 1573638018   | -1580478590 | 1         | 1         | 401           | 3758    | 0
     0      | 1611     | 6101       | 801886082    | -926167166  | 1         | 1         | 0             | 2633    | 1
   - 3rd round: conversion of query results into an ASCII comma-delimited normalized format:
     0,2314,80,1573638018,-1580478590,1,1,401,3758,0
     0,1611,6101,801886082,-926167166,1,1,0,2633,1

51. Neural Networks – Detection Approaches (1)
   Detection by weighted Hamming distance:
   - Let $V_n = \{0,1\}^n$ be the n-dimensional vector space over the binary field $\{0,1\}$, where $n = 0, 1, \dots, \infty$.
   - Let $A, B \in V_m$.
   - $\mathrm{whd}(A) = \dfrac{\sum_{i=1}^{m} W_i(A_i)}{m}$, where $W_i$ is the weight element.
   - Find the WHD between normal and current behaviour.
   - If WHD > threshold then ALARM.
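The weighted Hamming distance test above applied to a constructed six-flag session vector; an added example, not code from the deck. Assumed: the flag names, weights and alarm threshold are constructed, and the slide's $W_i(A_i)$ is read as the weight charged at position i wherever the current vector differs from the normal profile.

```python
"""Added example: detection by weighted Hamming distance between a binary
profile of normal behaviour and the current session. Constructed features,
weights, threshold and sessions."""
from typing import Dict, List, Sequence

# Constructed binary features: the positions of the vector space V_m, m = 6.
FEATURES = ["off_hours_login", "root_shell", "new_file_created",
            "new_service_started", "failed_login", "remote_shell"]
# Constructed weights W_i: how much a deviation at position i should count.
WEIGHTS = [1, 5, 2, 4, 1, 5]
# Profile of normal behaviour A: none of the flags set.
NORMAL = [0, 0, 0, 0, 0, 0]


def encode(session: Dict[str, bool]) -> List[int]:
    """Map an observed session to a vector in V_m (1 = flag observed)."""
    return [1 if session.get(name, False) else 0 for name in FEATURES]


def whd(a: Sequence[int], b: Sequence[int], weights: Sequence[int]) -> float:
    """whd = sum_{i=1..m} W_i / m over the positions where a and b differ
    (the interpretation of the slide's W_i(A_i) assumed in this example)."""
    m = len(a)
    return sum(w for x, y, w in zip(a, b, weights) if x != y) / m


def alarm(session: Dict[str, bool], threshold: float = 1.0) -> bool:
    """If WHD > threshold then ALARM (the threshold value is assumed)."""
    return whd(NORMAL, encode(session), WEIGHTS) > threshold


if __name__ == "__main__":
    sessions = {
        "late night login": {"off_hours_login": True},
        "root shell + remote shell": {"root_shell": True, "remote_shell": True},
        "three minor oddities": {"off_hours_login": True, "failed_login": True,
                                 "new_file_created": True},
    }
    for name, s in sessions.items():
        print(f"{name}: whd={whd(NORMAL, encode(s), WEIGHTS):.3f} alarm={alarm(s)}")
```

The weights are what separate this from a plain Hamming distance: three low-weight oddities together score 0.667 and stay below the line, while two high-weight flags score 1.667 and alarm. Dividing by m keeps the score comparable when features are added to the profile, but it also dilutes a single serious flag, which is why the per-position weights must be revisited whenever m changes.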
52. Neural Networks – Detection Approaches (2)
   Improved Competitive Learning Network (ICLN):
   - When a training example is presented to the network, the output neurons compete.
   - Winning and losing neurons update their weight vectors differently.
   - Neurons become specialized to detect different types of attacks.
   - ICLN update rule: $\Delta w = -\eta \,(d_c - d_j)\,(\mathrm{Input} - w)$, where $\eta$ is the learning rate and $(d_c - d_j)$ is the effect of the distance of the winning neuron versus the current neuron.

53. SVM / Support Vector Machines (1)
   List of n features:
     Feature name          | Description
     Duration              | Length of connection (seconds)
     Protocol type         | TCP, UDP, etc.
     Service               | Network service on destination (HTTP, Telnet, etc.)
     Root_shell            | 1: root shell is obtained; 0: otherwise
     Num of file creations | # of file creation operations
     ...                   |
   F: n-dimensional feature space. Training period: SVMs plot the training vectors in F and label each vector; the SVs make up a decision boundary in the feature space.

54. SVM / Support Vector Machines (2)
   e.g. n = 2 features:
   - num_failed_logins: number of failed login attempts
   - num_SU_attempts: number of "su root" command attempts
   We feed the system with labeled vectors; the system automatically draws the boundaries or hyperplanes by an algorithm.
   (Plot: labeled vectors in the num_failed_logins / num_SU_attempts plane, with the "safe" region separated from the rest by the learned boundary.)

55. Expert Systems (forward-chaining)
     IF   condition1
          condition2
          ...            (antecedent)
     THEN derived_fact1
          derived_fact2
          ...            (consequent)
   When the conditions are satisfied, the rule is activated.

56. Sample Grammar for Expert Systems for Inference Rules (BNF grammar)
   Variable definition:
     'VAR' body_1
     body_1 := var_name var_value
     var_value := list_of(value) | value
   Detection rules:
     'RULE' Id body_2
     Id := value   /* Id is the identifier of the rule */
     body_2 := list_of(condition) | condition '=>' alert
     condition := feature operator term
     operator := contain | = | in | > | <
     term := value | list_of(value) | var_name
   Action rules:
     'BEHAVIOUR' body_3
     body_3 := condition '=>' action_argument
     condition := boolean expression
     action := update | log | exit | continue
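A small parser for the VAR and RULE productions of the grammar above, plus a forward-chaining evaluator in the style of the Expert Systems slide; this is an added example, not code from the deck. Assumed: list_of is written as comma-separated items in square brackets, the conditions of a rule are comma-separated and end with '=>' alert, a derived alert becomes a fact (so a later rule can test alert = true), and the BEHAVIOUR action rules are not implemented. The rule text and events are constructed; the "root" telnet and "Free Pictures" rules follow the deck's own signature examples.

```python
"""Added example: parse detection rules written in the slide's grammar
(VAR / RULE productions) and evaluate them by forward chaining. Constructed
rule text and events; BEHAVIOUR action rules are left out."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Constructed rule base in the slide's grammar (lists as [a, b], conditions
# comma-separated, '=>' alert). Rules 1 and 2 follow the deck's own examples.
RULES_TEXT = """
VAR admin_users [root, administrator]
RULE 1 service = telnet, user in admin_users => root_telnet
RULE 2 subject contain "Free Pictures", attachment = freepics.exe => malware_mail
RULE 3 failed_logins > 5 => brute_force
RULE 4 root_telnet = true, src_zone = external => critical_root_telnet
"""

# condition := feature operator term; term := value | [list] | var_name
COND_RE = re.compile(r'([^\s,]+)\s+(contain|=|in|>|<)\s+("[^"]*"|\[[^\]]*\]|[^\s,]+)')
Condition = Tuple[str, str, str]


@dataclass
class Rule:
    rule_id: str
    conditions: List[Condition]
    alert: str


def parse_term(raw: str, variables: Dict[str, Any]) -> Any:
    """Resolve a term: bracketed list, quoted or bare value, or VAR name."""
    if raw.startswith("["):
        return [v.strip() for v in raw[1:-1].split(",") if v.strip()]
    raw = raw.strip('"')
    return variables.get(raw, raw)


def parse_rules(text: str) -> Tuple[Dict[str, Any], List[Rule]]:
    """'VAR' name value | 'RULE' id conditions '=>' alert, one statement per line."""
    variables: Dict[str, Any] = {}
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        keyword, _, rest = line.strip().partition(" ")
        if keyword == "VAR":
            name, _, value = rest.partition(" ")
            variables[name] = parse_term(value.strip(), {})
        elif keyword == "RULE":
            rule_id, _, body = rest.partition(" ")
            conds, _, alert = body.partition("=>")
            rules.append(Rule(rule_id, COND_RE.findall(conds), alert.strip()))
        else:
            raise ValueError(f"unsupported statement: {line!r}")
    return variables, rules


def holds(cond: Condition, facts: Dict[str, Any], variables: Dict[str, Any]) -> bool:
    """Evaluate one condition; a feature absent from the facts never matches."""
    feature, op, raw = cond
    if feature not in facts:
        return False
    fact, term = facts[feature], parse_term(raw, variables)
    if op == "=":
        return str(fact).lower() == str(term).lower()
    if op == "contain":
        return str(term) in str(fact)
    if op == "in":
        members = term if isinstance(term, list) else [term]
        return str(fact) in [str(m) for m in members]
    if op == ">":
        return float(fact) > float(term)
    return float(fact) < float(term)          # op == "<"


def forward_chain(rules: List[Rule], variables: Dict[str, Any],
                  event: Dict[str, Any]) -> Tuple[List[str], Dict[str, Any]]:
    """Fire every rule whose antecedent holds; each consequent (alert) is added
    to the facts as True and the pass repeats until no new fact appears."""
    facts, fired = dict(event), []
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.alert not in facts and all(holds(c, facts, variables) for c in rule.conditions):
                facts[rule.alert] = True
                fired.append(rule.rule_id)
                changed = True
    return fired, facts


if __name__ == "__main__":
    variables, rules = parse_rules(RULES_TEXT)
    event = {"service": "telnet", "user": "root", "src_zone": "external", "failed_logins": 2}
    print(forward_chain(rules, variables, event))
```

Rule 4 is the forward-chaining part: its antecedent tests root_telnet, a fact that only exists once rule 1 has fired, so the telnet event yields the derived chain ["1", "4"] in one pass. The "alert not already in facts" guard is what makes the loop terminate; without it a rule whose consequent is already known would re-fire forever.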
57. Decision Trees
   - All nodes are represented by a tuple (C, R, F, L):
     - C = condition (feature, operator, value)
     - R = set of candidate detection rules
     - F = feature set (already used to decompose the tree)
     - L = set of detection rules matched at that node
   - root = (null, All Rules, ∅, ∅)

58. WHICH IDS IS BETTER?

59. LIMITATIONS OF IDS
   - Sensitivity: an IDS can never be perfect.
   - Does not compensate for problems in the quality or integrity of the information the system provides.
   - Does not compensate for weaknesses in network protocols.
   - Dependent on human intervention to investigate attacks.
   - Does not analyze all the traffic on a busy network.
