BY
M.SUDHEER REDDY
AGENDA
 INTRODUCTION
 TYPES OF IDS
 NETWORK INTRUSION DETECTION SYSTEM
 HOW DOES IT PROTECT THE SENSITIVE SYSTEM
 WORKING OF NIDS
 DIFFERENCES BETWEEN NIDS AND FIREWALL
 MISUSE DETECTION SYSTEMS
 NEW ARCHITECTURE
 IMPLEMENTED APPROACHES
 ADVANTAGES AND DISADVANTAGES
 CONCLUSION
INTRODUCTION
 An intrusion is somebody attempting to break into or
 misuse your system.

 An intrusion detection system (IDS) is a device (or
 application) that monitors network and/or system
 activities for malicious activities or policy violations.
TYPES OF INTRUSION DETECTION SYSTEM
  Intrusion Detection Systems are categorized into two types:
       a) Network intrusion detection system (NIDS)
       b) Host based intrusion detection system (HIDS)
NETWORK INTRUSION DETECTION SYSTEM (NIDS)
   A network-based IDS or NIDS resides on a computer or
   appliance connected to a segment of an organization's
   network and monitors network traffic on that segment.
   In a network-based intrusion-detection system (NIDS),
   the sensors are located at choke points in the network
   to be monitored, often in the demilitarized zone (DMZ)
   or at network borders.
HOW DOES NIDS PROTECT SENSITIVE MATERIALS
 A Network Intrusion Detection System (NIDS) performs the
 same function as a sophisticated alarm system.
 NIDS observes and alerts. It will not affect network
 performance. NIDS maintains a database, updated daily,
 that contains a history of nearly a decade's worth of
 documented attack attempts, and it detects similarities
 between observed traffic and those records.
WORKING OF NIDS
 HUBS:
  The NIDS device connects to a network hub or a switch that
  connects to the network router or firewall. All traffic
  passing to or from the customer is inspected by the NIDS
  device.
 TAP:
  The network tap is another approach to allowing the NIDS
  to see all the traffic on a switched network.
  A tap is similar in function to a phone tap. The tap will
  typically look like a 3-port switch: Port 1 attaches to
  Switch 1, Port 2 attaches to Switch 2, and Port 3 attaches
  to the NIDS.
 SPAN PORT:
  Another popular option for adding a sniffer of any type to
  a network is the use of a span port on the switch being
  monitored.
  A span port is a port that is configured to have a copy of
  all packets sent to it.
  The major disadvantage of spanning ports is that they can
  have a detrimental effect on other traffic traversing the
  switch.
 INLINE NIDS:
  The final option is an inline NIDS. An inline NIDS looks
  essentially like a bridge: the IPS will simply accept
  traffic on one NIC and pass it back out unchanged on a
  second NIC, like a bridge.
  The NIDS will be configured without an IP address so that
  it will not respond to any traffic.
TYPES OF DETECTION METHODS:
  The two types of detection methods are:
       a) Anomaly detection model
       b) Signature detection model
 ANOMALY DETECTION MODEL:
  One IDS methodology is an approach called anomaly
  detection or behavior-based detection.
  This model works by establishing accepted baselines or
  rules and noting exceptional differences from them.
  If an IDS looks only at network packet headers for
  differences, this is called protocol anomaly detection.
  This model triggers when the following events occur:
       a) Unusual user account activity
       b) Excessive file and object accesses
       c) High CPU utilization
       d) Inappropriate protocol use
       e) Unusual login frequency
       f) High number of sessions
       g) Unusual content
Anomaly Detection:
Advantages:
 Analyzes ongoing traffic, activity, transactions, and
  behavior for anomalies.
 Potential to detect previously unknown types of attacks.
 Catalogs the differences between baseline behavior and
  ongoing activity.
Disadvantages:
 Prone to false positives.
 Heavy processing overhead.
 Vulnerable to attack while creating time-consuming,
  statistically significant baselines.
Signature detection model:
  Defined patterns of code are called signatures and are
  often treated as rules when included in an IDS.
  Signature-based IDS use a database of traffic and activity
  patterns related to known attacks. The patterns are called
  attack signatures.
  These signatures and rules can be collected together into
  larger sets called signature databases or rule sets.
 Advantages:
  Examines ongoing activity and matches it against patterns
  of previously observed attacks.
  Works extremely well against previously observed attacks.
 Disadvantages:
  Signature databases must be constantly updated.
  Must compare and match activities against large
  collections of attack signatures.
  Specific signature definitions may miss variations on
  known attacks.
  May impose noticeable performance drags on systems.
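As an added example that is not part of the original slides, the following minimal NIDS applies both detection models described above to constructed sample traffic: a small signature rule set matched against payloads, and an anomaly baseline of per-source session counts learned from a clean window (the "high number of sessions" trigger). The host addresses, rule set and traffic records are all constructed for the demonstration.

```python
import re
import statistics
from collections import Counter

# Constructed sample records (src_ip, dst_port, payload); not captured traffic.
# Training window: five well-behaved clients opening 1..5 sessions each.
BASELINE_WINDOW = [(f"10.0.0.{i}", 443, b"") for i in range(1, 6) for _ in range(i)]
# Observation window: the same clients, plus one host opening 40 sessions to
# distinct ports, plus one request carrying a pattern from the rule set.
OBSERVED_WINDOW = (
    BASELINE_WINDOW
    + [("10.0.0.50", port, b"") for port in range(20, 60)]
    + [("10.0.0.3", 80, b"GET /item.php?id=1 UNION SELECT user,pass FROM accounts")]
)

# Signature model: a tiny rule set of named patterns for known attacks.
RULE_SET = {
    "sqli-union-select": re.compile(rb"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}

def signature_alerts(packets):
    """Match every payload against the rule set; return (rule, src_ip) hits."""
    return [(name, src) for src, _port, payload in packets
            for name, rule in RULE_SET.items() if rule.search(payload)]

def build_baseline(packets):
    """Learn per-source session counts from a clean window: (mean, stdev)."""
    counts = list(Counter(src for src, _port, _payload in packets).values())
    return statistics.mean(counts), statistics.pstdev(counts)

def anomaly_alerts(packets, baseline, k=3.0):
    """Flag sources whose session count exceeds mean + k*stdev of the baseline."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    counts = Counter(src for src, _port, _payload in packets)
    return sorted(src for src, n in counts.items() if n > threshold)

def run_nids(training, observed):
    """Run both models over the observed window; each catches what the other cannot."""
    baseline = build_baseline(training)
    return {"signature": signature_alerts(observed),
            "anomaly": anomaly_alerts(observed, baseline)}

if __name__ == "__main__":
    print(run_nids(BASELINE_WINDOW, OBSERVED_WINDOW))
```

The scanning host produces no signature hit and the single injected request produces no anomaly, which is why the two models are normally deployed together.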
Misuse Detection:
 Expert Systems
 Keystroke monitoring
 Model Based Intrusion Detection
NEW ARCHITECTURE
   Mobile IDS Agents
       The Local Audit Trail
       The Local Intrusion Database (LID)
       The Secure Communication Module
       The Anomaly Detection Modules (ADMs)
       The Misuse Detection Modules (MDMs)
   Stationary Secure Database
IMPLEMENTED APPROACHES
       IEEE 802.11
          a) Open System Authentication
          b) Shared Key Authentication
       Secure key generation and distribution
       Mitigating Routing Misbehavior (Sergio Marti et al. [19])
ADVANTAGES:
 Monitors an entire network with only a few well-placed
  nodes
 Mostly passive devices
 Low overhead; only a limited number of resources are used
  even in a large network
 Easy to secure against attack
 Mostly undetectable to attackers or intruders because
  they are completely hidden in the network
 Easy to install
 NIDS can be used in present networks without interrupting
  conventional network operations
DISADVANTAGES:
 May not be able to monitor and analyze all traffic on
  large, busy networks
 Vulnerable to attacks launched during peak traffic periods
  on large, busy networks
 Not able to monitor switch-based (high-speed) networks
  effectively
 Typically unable to analyze encrypted data; not suitable
  for encrypted traffic
 Does not always report the success or failure of attempted
  attacks
 Requires active manual involvement by network
  administrators or security administrators
CONCLUSION:
 As NIDS technologies continue to evolve, they will more
 closely resemble their real-world counterparts. In the
 future, NIDS, firewalls, VPNs, and related security
 technologies will all come to interoperate to a much higher
 degree. The current generation of IDS (HIDS and NIDS) is
 quite effective already; as they continue to improve they will
 become the backbone of the more flexible security systems
 we expect to see in the not-too-distant future.
QUERIES?