DCIT 418
System and Network Security
Module 2: Detecting and Preventing System Intrusions
Lecturer: Dr E.D. Ansong, Dept of Computer Sc.
Contact Information: edansong@ug.edu.gh
Learning Objectives
By the end of this module, you should be able to:
• Provide an overview of what system intrusions are,
including common methods used by attackers to gain
unauthorized access to computer systems.
• Explain the role of intrusion detection systems in
identifying and alerting to potential security breaches,
including network-based and host-based IDS.
.ED Ansong Dept of Computer Sc. Slide 2
Learning Objectives
• Describe how intrusion prevention systems go beyond
detection to actively block or mitigate threats in real-
time, enhancing overall network security.
• Discuss challenges associated with intrusion detection
and prevention, such as false positives (incorrectly
identifying benign activity as malicious) and false
negatives (failing to detect actual intrusions).
Intrusion Terminology
• Intrusion: attack on information where malicious
perpetrator tries to break into, disrupt system
• Intrusion detection: includes procedures and systems
created and operated to detect system intrusions
• Intrusion reaction: covers actions organization takes
upon detecting intrusion
• Intrusion correction activities: restore normal operations
• Intrusion prevention: actions that try to deter intrusions
proactively
Intrusion Detection System (IDS)
• An Intrusion Detection System (IDS) is a security tool
designed to monitor network or system activities for
malicious or suspicious behavior.
• It works by analyzing incoming and outgoing network
traffic, as well as system logs, looking for patterns that
indicate unauthorized access, misuse, or potential
security threats.
Some IDS Terminologies
• Alert/Alarm: A notification generated by an IDS to indicate
suspicious or potentially malicious activity detected on the
network or system.
• False Negative: A false negative occurs when an IDS fails to
detect actual malicious activity or an intrusion, incorrectly
classifying it as benign or normal behavior.
• False Positive: occurs when an IDS incorrectly identifies
legitimate activity as malicious or suspicious, generating
unnecessary alerts or alarms
Some IDS Terminologies Cont’d
• Confidence Value: The confidence value represents the level of
certainty or reliability assigned to an alert or detection event by
the IDS.
• Alarm Filtering: Alarm filtering refers to the process of
prioritizing and managing alerts generated by an IDS to reduce the
volume of notifications and focus attention on the most critical
security events.
Why Use an IDS
• Prevent problem behaviors by increasing the perceived risk
of discovery and punishment
• Detect attacks and other security violations
• Detect and deal with preambles to attacks
• Document existing threat to an organization
• Act as quality control for security design & administration
• Provide useful information about intrusions that take place
How IDS works
Figure 1.0 General IDS operation
IDS Classification Methods
• IDS operation:
– Network-based intrusion detection syst. (NIDS)
– Host-based IDS (HIDS)
– Application-based systems (AppIDS)
• IDS detection methods:
– Signature-based (sig IDS)
– Statistical anomaly-based (stat IDS)
Types of Intrusion Detection System (IDS)
There are two main types of IDS
• Network-based IDS (NIDS): NIDS monitors network traffic in
real-time, examining packets passing through the network. It can
detect anomalies or known attack patterns by comparing network
activity to a database of signatures or predefined rules
• Host-based IDS (HIDS): HIDS operates on individual host
machines, monitoring activities such as file system changes,
logins, and system calls. It compares these activities against
known patterns of malicious behavior from normal activity.
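Added example, not part of the lecture slides: a small file-integrity monitor in Python of the kind a HIDS runs on a single host. It records a SHA-256 digest and the permission bits of every regular file under a directory as a baseline, then reports files that were added, removed, modified, or whose mode changed (for instance a helper that gained the setuid bit). The directory tree, file contents and the tampering in demo() are constructed for this example; the on-disk layout and the report format are assumptions, not anything the lecture prescribes.

```python
import hashlib
import os
import stat
import tempfile

def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record digest, permission bits and size for every regular file under root.

    Keys are root-relative paths with '/' separators so a baseline can be
    stored and compared across hosts with the same layout."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):      # skip symlinks, sockets, devices
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(path),
                             "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}
    return baseline

def compare(baseline, current):
    """Classify differences the way a file-integrity HIDS reports them."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p]["sha256"] != current[p]["sha256"]),
        "mode_changed": sorted(p for p in common if baseline[p]["mode"] != current[p]["mode"]),
    }

def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)

def demo():
    """Constructed scenario: baseline a small tree, tamper with it, run the comparison."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "bin/helper", "#!/bin/sh\necho ok\n")
        baseline = build_baseline(root)

        # changes a HIDS should notice: an extra account line, a new config file,
        # a helper that gained the setuid bit, and a file that disappeared
        _write(root, "etc/passwd",
               "root:x:0:0:root:/root:/bin/sh\nguest:x:1001:1001::/home/guest:/bin/sh\n")
        _write(root, "etc/newfile.conf", "option = 1\n")
        os.chmod(os.path.join(root, "bin", "helper"), 0o4755)
        os.remove(os.path.join(root, "etc", "hosts"))
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13} {paths}")
```

In real deployments the baseline itself must be protected (stored off-host or signed), otherwise an intruder who can change the files can also rewrite the baseline to match; this is the "vulnerable to attacks against the host" weakness noted for HIDS in the slides that follow.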
Types of IDS Cont’d
There is also Application-based Intrusion Detection Systems
(IDS)
Unlike network-based IDS, which focus on monitoring network
traffic, application-based IDS operate at the application layer of
the OSI (Open Systems Interconnection) model, analyzing
activity within individual applications or services
Advantages of NIDS
Advantages
• Organization can monitor large network with
few devices
• Passive; deployment minimally disrupts operations
• Less susceptible to attack; attackers may not detect
them
Disadvantages of NIDS
Disadvantages
• Can be overwhelmed by volume of network traffic
• Need to monitor all traffic
• Cannot analyze encrypted network packets
• Cannot determine if attack was successful
• Cannot detect some attacks (e.g., fragmented packets)
How NIDS works
Figure 2.0 NIDS operation
Statistical anomaly-based (stat IDS)
• Statistical anomaly-based IDS sample network activity,
compare to “known normal” traffic
• IDS sounds alarm when activity is outside baseline
parameters
• Advantage: IDS can detect new types of attacks
• Disadvantages:
– Requires more overhead, compute power than
signature-based IDSs
– May generate many false positives
Advantages of HIDS
Advantages
• Detect local events, attacks on host systems that NIDSs
may not
• Can view encrypted traffic (as it has been decrypted on
system)
• HIDS is unaffected by switched network protocols
• Can detect inconsistencies in apps, programs by
examining
Disadvantages of HIDS
Disadvantages
• Harder to manage than NIDSs
• Vulnerable to attacks against host operating system,
HIDS
• Cannot detect scans of multiple hosts, non-network
devices
• HIDSs potential targets for denial-of-service (DoS)
attack
How HIDS works
Figure 3.0 HIDS operation
IDS Deployment Overview
NIST recommends four locations for NIDSs:
• Location 1: behind each external firewall, in the network
DMZ
• Location 2: outside an external firewall
• Location 3: on major network backbones
• Location 4: on critical subnets
IDS Deployment Overview
Figure 4.0 NIDS Sensor locations
Deploying HIDS
• Steps:
– First: install HIDSs on most critical
systems
– Next: install HIDSs on all systems or
until organization reaches tolerable degree
of coverage
Measuring Effectiveness of IDS
• IDSs are evaluated using two dominant metrics:
– # of attacks detected in a known collection of probes
– Network bandwidth at which IDSs fail
Example: At 1 Gbits/sec, IDS detected 95% of
directed attacks against it
• Many vendors provide test suites for verification
• Example test suites:
– Record, retransmit real packet trace from virus/worm
– Perform same for malformed packets (e.g., SYN flood)
– Launch
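Added example, not from the lecture slides, tying together three of the slides above: the IDS terminology (alert, false positive, false negative, confidence value, alarm filtering), the two detection methods (signature-based and statistical anomaly-based), and the "attacks detected in a known collection of probes" metric. The Python below runs a signature check and a z-score anomaly check over a constructed one-minute connection log, attaches a confidence value to each alert, filters and ranks the alarms, and then scores the result against ground truth to report the detection rate, false positives and false negatives. Every IP address, request, signature and baseline count is constructed for this example; the z-score threshold and the confidence formulas are assumptions, not the lecture's.

```python
import re
import statistics
from collections import Counter

# --- Constructed sample data (written for this example, not taken from the lecture) ---
# One record per inbound connection seen in a single one-minute window:
# (source_ip, destination_port, request_summary)
WINDOW = [
    ("10.0.0.5", 443, "GET /index.html"),
    ("10.0.0.5", 443, "GET /login"),
    ("10.0.0.5", 443, "GET /about.html"),
    ("10.0.0.6", 443, "GET /index.html"),
    ("10.0.0.6", 443, "GET /login"),
    ("10.0.0.8", 80, "GET /item.php?id=1' OR '1'='1"),   # textbook SQL-injection probe string
]
# a benign but busy client: six connections in the window (candidate false positive)
WINDOW += [("10.0.0.7", 443, f"GET /api/page/{i}") for i in range(6)]
# a host touching twelve different ports in one minute: far outside this network's norm
WINDOW += [("10.0.0.9", p, "SYN") for p in (21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389)]

# Ground truth, used only for evaluation: the sources that really were hostile.
MALICIOUS_SOURCES = {"10.0.0.8", "10.0.0.9"}

# Connections per source per minute recorded during a known-normal training period
# (constructed): the "known normal" baseline the anomaly detector compares against.
BASELINE_COUNTS = [2, 4, 3, 3, 2, 4]

# --- Signature-based detection (sig IDS): known attack patterns in request content ---
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./|/etc/passwd"),
}

def signature_alerts(window):
    """One alert per request that matches a known signature, plus a weak policy rule."""
    alerts = []
    for src, port, request in window:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                # a signature match is specific evidence, so it carries a high confidence value
                alerts.append({"source": src, "reason": name, "confidence": 0.9})
        if port == 23:
            # cleartext telnet is worth noting but is weak evidence of an attack on its own
            alerts.append({"source": src, "reason": "telnet-cleartext", "confidence": 0.3})
    return alerts

# --- Statistical anomaly-based detection (stat IDS): deviation from the baseline ---
def anomaly_alerts(window, baseline, z_threshold=3.0):
    """Alert on sources whose connection count is z_threshold standard deviations above normal."""
    mean, stdev = statistics.mean(baseline), statistics.stdev(baseline)
    alerts = []
    for src, count in Counter(src for src, _, _ in window).items():
        z = (count - mean) / stdev
        if z >= z_threshold:
            # confidence grows with the size of the deviation (assumed formula: 0.5 at the threshold)
            alerts.append({"source": src, "reason": f"volume z={z:.1f}",
                           "confidence": min(1.0, z / (2 * z_threshold))})
    return alerts

# --- Alarm filtering: drop low-confidence alerts and rank the rest, most serious first ---
def filter_alarms(alerts, min_confidence=0.5):
    kept = [a for a in alerts if a["confidence"] >= min_confidence]
    return sorted(kept, key=lambda a: a["confidence"], reverse=True)

# --- Evaluation: detection rate plus the false positives and false negatives ---
def evaluate(alerts, malicious):
    flagged = {a["source"] for a in alerts}
    return {
        "detection_rate": len(flagged & malicious) / len(malicious),
        "false_positives": sorted(flagged - malicious),   # benign sources that were flagged
        "false_negatives": sorted(malicious - flagged),   # hostile sources that were missed
    }

def run_ids(window=WINDOW, baseline=BASELINE_COUNTS, z_threshold=3.0):
    raw = signature_alerts(window) + anomaly_alerts(window, baseline, z_threshold)
    return filter_alarms(raw)

if __name__ == "__main__":
    alerts = run_ids()
    for a in alerts:
        print(f"{a['confidence']:.2f}  {a['source']:<10}  {a['reason']}")
    print(evaluate(alerts, MALICIOUS_SOURCES))
```

With the default threshold the busy-but-benign client 10.0.0.7 is reported as a false positive while both hostile sources are caught (detection rate 1.0); raising z_threshold to 4.0 removes that false positive without losing a detection, which is the tuning trade-off the slides describe for statistical anomaly-based IDS. The weak telnet alert is removed by alarm filtering, so an analyst sees three ranked alarms rather than four.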
Honeypots, Honeynets, and Padded Cell Systems
• Honeypots: decoy systems designed to lure
potential attackers away from critical systems
• Design goals:
– Divert attacker from accessing critical systems
– Gather information about attacker’s activity
– Encourage attacker to linger so admins can
document event, respond
Honeypots, Honeynets, and Padded Cell Systems
• Honeynets: collection of honeypots connected in a
subnet
• Padded cell: honeypot protected in order to hinder
compromise
– Typically works in tandem with traditional IDS
– When IDS detects attackers, it transfers them to “special
environment” where they cannot cause harm (hence the name)
Scanning and Analysis Tools
• Scanning and analysis tools are often used to collect information that an
attacker would need to launch a successful attack
• Attack protocol: sequence of attacker’s steps to attack target
system/network
• Footprinting: determining what hostnames, IP addresses a target org.
owns
• Fingerprinting: systematic survey of resources found in footprinting
stage
– Useful for discovering weaknesses in org.’s network or systems
Port Scanners
Tools used by attackers, defenders to identify computers on
network (plus other info.)
• Can scan for certain computers, protocols, resources
(or generic scans)
• Example: nmap (https://nmap.org/)
Vulnerability Scanners
• Active vulnerability scanners scan networks for highly
detailed information; initiate traffic to determine holes
• Passive vulnerability scanners listen in on network and
determine vulnerable versions of both server and client
software
• Passive vulnerability scanners have ability to find client-side
vulnerabilities typically not found in active scanners
Packet Sniffers
• Network tool that collects copies of packets from network and
analyzes them
• Can provide network administrator with valuable information
for diagnosing and resolving networking issues
• In the wrong hands, a sniffer can be used to eavesdrop on
network traffic
• To use packet sniffer legally, administrator must be on network
that organization owns, be under direct authorization of
owners of network and have consent of the content creators
Defense in Depth
The Defense in Depth strategy employs layered
security mechanisms to provide comprehensive
protection against diverse threats. By implementing
multiple layers of defense, organizations can mitigate
risks and minimize the impact of potential security
breaches.
Cryptography in Network Security
Cryptography is a fundamental tool in network
security, facilitating secure communication and
data protection through encryption and decryption
processes. Key concepts include:
• Symmetric Encryption: Utilizing a single
shared key for both encryption and decryption.
Cryptography in Network Security
• Asymmetric Encryption: Employing a pair of
keys (public and private) for encryption and
decryption.
• Digital Signatures: Verifying the authenticity
and integrity of digital messages.
Secure Network Protocols
Secure protocols are essential for safeguarding data transmission
over networks:
• SSL/TLS (Secure Sockets Layer/Transport Layer Security):
Encrypts data exchanged between web servers and clients,
ensuring confidentiality and integrity.
• IPsec (Internet Protocol Security): Provides secure
communication at the IP layer, enabling VPNs and secure data
transmission.
• SSH (Secure Shell): Facilitates secure remote access and
command execution on network devices.
Access Control Devices
• A successful access control system includes a
number of components, depending on the system’s
needs for authentication and authorization
• Strong authentication requires at least two forms of
authentication to authenticate the supplicant’s
identity
• The technology to manage authentication based
on what a supplicant knows is widely integrated
into the networking and security software systems
in use across the IT industry
Access Control Devices
• Access control: authenticates, authorizes users
• Authentication: validate a person’s identity
• Authorization: specify what the person can do
with computers, networks
• Recommended: use ≥ two types of auth.
technology
Access Control Devices
Four main ways to authenticate person:
• What a person knows (e.g., password);
• What a person has (e.g., Duo Mobile app code);
• Who a person is (e.g., fingerprint);
Effectiveness of Biometrics
Biometric technologies evaluated on three basic
criteria:
• False reject rate: The False Reject Rate, also
known as Type I error, measures the frequency at
which a biometric system incorrectly rejects an
authorized person.
Effectiveness of Biometrics
• False accept rate: The False Accept Rate, also
known as Type II error, measures how often a
biometric system incorrectly accepts an
unauthorized person.
• Crossover error rate (CER): The Crossover Error
Rate is the point at which the False Reject Rate
and the False Accept Rate are equal.
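Added example, not from the lecture slides: a short Python calculation that shows how the three biometric criteria above relate to the matcher's decision threshold. Given match scores for authorized users against their own template (genuine) and for other people against that template (impostors), it computes the False Reject Rate and False Accept Rate at any threshold, then sweeps thresholds to locate the crossover point where the two rates are equal. The score lists are constructed for the example and do not come from any real biometric system; the 0-100 score scale is an assumption.

```python
# Constructed match scores (0-100) from a hypothetical fingerprint matcher, not real data.
GENUINE = [91, 88, 95, 72, 85, 64, 93, 78, 89, 97]   # authorized users vs. their own template
IMPOSTOR = [12, 35, 48, 22, 61, 30, 55, 18, 40, 74]  # other people vs. that template

def error_rates(genuine, impostor, threshold):
    """FRR (Type I) and FAR (Type II) when a score >= threshold counts as a match."""
    frr = sum(s < threshold for s in genuine) / len(genuine)     # authorized but rejected
    far = sum(s >= threshold for s in impostor) / len(impostor)  # unauthorized but accepted
    return frr, far

def crossover_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold; return (threshold, CER) where FRR and FAR meet."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer

def tradeoff_table(genuine, impostor, thresholds):
    """(threshold, FRR, FAR) rows showing that tightening one rate loosens the other."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]

if __name__ == "__main__":
    for t, frr, far in tradeoff_table(GENUINE, IMPOSTOR, (50, 60, 72, 85)):
        print(f"threshold {t:3d}: FRR={frr:.1f}  FAR={far:.1f}")
    print("crossover:", crossover_error_rate(GENUINE, IMPOSTOR))
```

On these constructed scores a strict threshold of 85 rejects three of ten authorized users (FRR 0.3) while admitting no impostors, a lax threshold of 50 admits three of ten impostors (FAR 0.3) while rejecting nobody, and the two rates meet at a threshold of 72 with a CER of 0.1. A lower CER means a better matcher; where an organization sets the threshold relative to that point depends on whether it fears false accepts or user frustration more.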
Acceptability of Biometrics
Summary
• Intrusion detection system (IDS) detects configuration
violation and sounds alarm
• Network-based IDS (NIDS) vs. host-based IDS (HIDS)
• Complex selection of IDS products that fit an
organization’s needs
• Scanning and analysis tools are used to pinpoint
vulnerabilities in systems, holes in security
components, and unsecured aspects network
