SlideShare a Scribd company logo

Idps

Download as PPT, PDF
GNANARAJA R
GNANARAJA R

The document discusses intrusion detection and prevention systems (IDPS). It begins by defining IDSs and IPSs, noting that IPSs have evolved from IDSs by combining detection capabilities with improved firewall technologies. It then discusses various types of IDPS detection methodologies including signature-based, anomaly-based, and stateful protocol analysis. The document also covers the different classes of IDPS including network-based, host-based, network behavior analysis, and wireless. It emphasizes using multiple types of IDPS technologies for comprehensive detection. Finally, it provides an overview of the anti-malware tool Prevx1 and how it works to intercept and verify programs against its database.

1 of 35
1 Intrusion Detection Prevention Systems Prepared by: Abeer Saif Supervised by: Dr. Lo’ai Tawalbeh
2 Introduction • Intrusion Detection Systems (IDSs) will be obsolete very soon (if they aren't already). In it's place is something much more capable, an Intrusion Prevention System (IPS). • IPSs are not a new technology, they are simply an evolved version of IDS. • IPSs combine IDSs and improved firewall technologies, they make access control decisions based on application content, rather than IP address or ports as traditional firewalls had done. • Because IDS and IPS technologies offer many of the same capabilities, administrators can usually disable prevention features in IPS products, causing them to function as IDSs.
3 Definitions • Intrusions: attempts to compromise the confidentiality, integrity, availability, or to bypass the security mechanisms of a computer system or network( illegal access). • Intrusions have many causes, such as malware (worms, spyware, etc…), attackers gaining unauthorized access to systems from the Internet, and authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorized. • Although many intrusions are malicious in nature, many others are not; for example: a person might mistype the address of a computer and accidentally attempt to connect to a different system without authorization.
4 Definitions • Intrusion detection: is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible intrusions (incidents). • Intrusion detection system (IDS): is software that automates the intrusion detection process. The primary responsibility of an IDS is to detect unwanted and malicious activities. • Intrusion prevention system (IPS): is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.
5 Why Intrusion Detection Prevention Systems should be used? • It’s a dire fact that while every enterprise has a firewall, most still suffer from network security problems. IT professionals are acutely aware of the need for additional protective technologies, and network equipment vendors are anxious to fill in the gap. • Intrusion Prevention Systems have been promoted as cost-effective ways to block malicious traffic, to detect and contain worm and virus threats, to serve as a network monitoring point, to assist in compliance requirements, and to act as a network sanitizing agent.
6 Why Intrusion Detection Prevention Systems should be used? IDPSs are primarily focused on: • Identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. • Identifying problems with security policies • Documenting existing threats • Deterring individuals from violating security policies. 
7 In addition, all types of IDPSs perform the following: • Recording information related to observed events. Information is usually recorded locally, and might also be sent to separate systems such as centralized logging servers, security information and event management (SIEM) solutions, and enterprise management systems. • Notifying security administrators of important observed events. This notification, known as an alert, may take the form of audible signals, e-mails, pager notifications, or log entries. A notification message typically includes only basic information regarding an event; administrators need to access the IDPS for additional information. • Producing reports. Reports summarize the monitored events or provide details on particular events of interest.
8 • An IDPS might also alter the settings for when certain alerts are triggered or what priority should be assigned to subsequent alerts after a particular threat is detected. • IPSs respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques: • The IPS stops the attack itself. Examples: Terminate the network connection or user session that is being used for the attack. Block access to the target (or possibly other likely targets) from the offending user account, IP address, or other attacker attribute. Block all access to the targeted host, service, application, or other resource.
9 • The IPS changes the security environment. The IPS could change the configuration of other security controls to disrupt an attack. Such as reconfiguring a network device (e.g., firewall, router, switch) to block access from the attacker or to the target, and altering a host-based firewall on a target to block incoming attacks. Some IPSs can even cause patches to be applied to a host if the IPS detects that the host has vulnerabilities. • The IPS changes the attack’s content. Some IPS technologies can remove or replace malicious portions of an attack to make it benign. An example is an IPS removing an infected file attachment from an e-mail and then permitting the cleaned email to reach its recipient.
10 • Most IDPSs also offer features that compensate for the use of common evasion techniques. Evasion is modifying the format or timing of malicious activity so that its appearance changes but its effect is the same. Attackers use evasion techniques to try to prevent IDPSs from detecting their attacks. • For example: an attacker could encode text characters in a particular way, knowing that the target understands the encoding and hoping that any monitoring IDPSs do not. Most IDPSs can overcome common evasion techniques by duplicating special processing performed by the targets. If the IDPS can “see” the activity in the same way that the target would, then evasion techniques will generally be unsuccessful at hiding attacks.
11 Classes of detection methodologies: • Signature-based: compares known threat signatures to observed events to identify incidents. • This is very effective at detecting known threats but largely ineffective at detecting unknown threats and many variants on known threats. • Signature-based detection cannot track and understand the state of complex communications, so it cannot detect most attacks that comprise multiple events. Examples: • A telnet attempt with a username of “root”, which is a violation of an organization’s security policy • An e-mail with a subject of “Free pictures!” and an attachment filename of “freepics.exe”, which are characteristics of a known form of malware
12 • Anomaly-based detection: sample network activity to compare to traffic that is known to be normal. • When measured activity is outside baseline parameters or clipping level, IDPS will trigger an alert. • Anomaly-based detection can detect new types of attacks. • Requires much more overhead and processing capacity than signature-based . • May generate many false positives.
13 • For example: a profile for a network might show that Web activity comprises an average of 13% of network bandwidth at the Internet border during typical workday hours. The IDPS then uses statistical methods to compare the characteristics of current activity to thresholds related to the profile, such as detecting when Web activity comprises significantly more bandwidth than expected and alerting an administrator of the anomaly. Profiles can be developed for many behavioral attributes, such as the number of e-mails sent by a user, the number of failed login attempts for a host, and the level of processor usage for a host in a given period of time.
14 • Stateful protocol analysis: A key development in IDPS technologies was the use of protocol analyzers. • Protocol analyzers can natively decode application- layer network protocols, like HTTP or FTP. Once the protocols are fully decoded, the IPS analysis engine can evaluate different parts of the protocol for anomalous behavior or exploits against predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state. • Problems with this type include that it is often very difficult or impossible to develop completely accurate models of protocols, it is very resource-intensive, and it cannot detect attacks that do not violate the characteristics of generally acceptable protocol behavior.
15 • For example: the existence of a large binary file in the User-Agent field of an HTTP request would be very unusual and likely an intrusion. A protocol analyzer could detect this anomalous behavior and instruct the IPS engine to drop the offending packets. • IDPS technologies cannot provide completely accurate detection. When an IDPS incorrectly identifies benign activity as being malicious, a false positive has occurred. When an IDPS fails to identify malicious activity, a false negative has occurred. It is not possible to eliminate all false positives and negatives; in most cases, reducing the occurrences of one increases the occurrences of the other.
16 • Many organizations choose to decrease false negatives at the cost of increasing false positives, which means that more malicious events are detected but more analysis resources are needed to differentiate false positives from true malicious events. Altering the configuration of an IDPS to improve its detection accuracy is known as tuning.
17 Types of IDPSs 1. Network-based: perform packet sniffing and analyze network traffic to identify and stop suspicious activity. They are typically deployed inline. Like a network firewall. They receive packets, analyze them, decide whether they should be permitted, and allow acceptable packets to pass through. • Allow some attacks ,such as network service worms, e-mail.borne worms and viruses with easily recognizable characteristics (e.g., subject, attachment filename), to be detected on networks before they reach their intended targets (e.g., e-mail servers, Web servers). • Most products use a combination of attack signatures and analysis of network and application protocols.
18 • Network-based products might be able to detect and stop some unknown threats through application protocol analysis. • Some products allow administrators to create and deploy attack signatures for many major new malware threats in a matter of minutes. Although poorly written signature triggers false positives that block benign activity, a custom signature can block a new malware threat hours before antivirus signatures become available. • However, network-based products are generally not capable of stopping malicious mobile code or Trojan horses.
19 Placement of Network IDPSs  Deployment options: • Outside firewall • Just inside firewall -Combination of both will detect attacks getting through firewall and may help to refine firewall rule set. • Behind remote access server • Between business units • Between corporate network and partner networks  Sensors may need to be placed in all switched network segments
20
21 Types of IDPSs 2. Host-based: are similar in principle and purpose to network-based , except that a host-based product monitors the characteristics of a single host and the events occurring within that host, such as monitoring network traffic (only for that host), system logs, running processes, file access and modification, and system and application configuration changes. • They often use a combination of attack signatures and knowledge of expected or typical behavior to identify known and unknown attacks on systems. • If a host-based product monitors the host’s network traffic, it offers detection capabilities similar to a network-based.
22 • Host-based IDPSs are most commonly deployed on critical hosts such as publicly accessible servers and servers containing sensitive information. • For example: attempted changes to files can be effective at detecting viruses attempting to infect files and Trojan horses attempting to replace files, as well as the use of attacker tools, such as rootkits, that often are delivered by malware.
23 Placement of host IDPSs Deployment options: • Key servers that contain mission-critical and sensitive information. • Web servers. • FTP and DNS servers. • E-commerce database servers, etc. • Other high value assets. May also emplace these randomly to obtain probabilistic measure of hosts becoming compromised.
24
25 Types of IDPSs 3. Network Behavior Analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as denial of service (DoS) and distributed denial of service (DDoS) attacks, certain forms of malware (e.g., worms, backdoors), and policy violations (e.g., a client system providing network services to other systems). • NBA systems are most often deployed to monitor flows on an organization’s internal networks, and are also sometimes deployed where they can monitor flows between an organization’s networks and external networks (e.g., the Internet, business partners’ networks).
26 Types of IDPSs 4. Wireless: monitors wireless network traffic and analyzes its wireless networking protocols to identify suspicious activity involving the protocols themselves. • It cannot identify suspicious activity in the application or higher-layer network protocols (e.g., TCP, UDP) that the wireless network traffic is transferring. • It is most commonly deployed within range of an organization’s wireless network to monitor it, but can also be deployed to locations where unauthorized wireless networking could be occurring.
27 • organizations should consider using multiple types of IDPS technologies to achieve more comprehensive and accurate detection and prevention of malicious activity. • For most environments, a combination of network- based and host-based IDPSs is needed for an effective IDPS solution. • NBA technologies can also be deployed if organizations desire additional detection capabilities for DoS & DDoS attacks, worms, and other threats that NBAs are particularly good at detecting. • Wireless IDPSs may also be needed if the organization determines that its wireless networks need additional monitoring or if the organization wants to ensure that rogue wireless networks are not in use in the organization’s facilities.
28 • Before evaluating IDPS products organizations need to understand the characteristics of their system and network environments, so that a compatible IDPS can be selected that can monitor the events of interest on the systems and/or networks. • Organizations should articulate the goals and objectives they wish to attain by using an IDPS, such as stopping common attacks, identifying misconfigured wireless network devices, and detecting misuse of the organization’s system and network resources. • Organizations should also review their existing security policies, which serve as a specification for many of the features that the IDPS products need to provide.
29 • Organizations should determine if they require IDPSs or other specific system security resources. • Organizations also need to define specialized sets of requirements for the following: • Security capabilities: including information gathering, logging, detection, and prevention. • Performance: including maximum capacity and performance features • Management: including design and implementation (e.g., reliability, interoperability, scalability, product security), operation and maintenance (including software updates), and training, documentation, and technical support Life cycle costs, both initial and maintenance costs.
30
31 What is Prevx1? • Prevx1 is a powerful anti-malware tool. It works alongside existing security tools such as anti-virus software and firewalls, or it can be used on its own. • Additionally, Prevx1 is significantly quieter than other current security products because of it's unique Community Intrusion Prevention System (CIPS) concept. • Prevx1 provides vital protection against attacks that traditional security products may not adequately protect against. These attacks include: • Buffer Overflows • Trojans and Exploits
32 • Internet Worms and Hack Attacks • Spyware and Adware • Phishing (Hosts File misuse). HOW DOES PREVX 2.0 WORK? • When you first start Prevx 2.0, it carries out a once- only scan to identify executable files that run automatically or frequently. • After these files have been catalogued, it then verifies them against the Prevx Central Database. This database contains records of known good and known bad (malware) programs.
33 Example: • When a program tries to start, Prevx 2.0 will intercept it to see if it is safe to run. The diagram shown here is an example of what happens if you download a program from the internet and then try to run it. • Good programs are allowed to start. • Bad programs (in other words, malware) are automatically blocked. You will see a message box where you can get online details about the file. • Very rarely, if at all, a program may not be in the Community database. This may be because the program is very new or has only been seen a few times by the Prevx 2.0 community or if the Community database could not be contacted. In this case the program would be classified as unknown, and you will be prompted to allow it to start or not. This is known as a Query.
34
35 Thank You

Recommended

Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)
Papun Papun
 
Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system
gaurav koriya
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems
Cleverence Kombe
 
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
LearningwithRayYT
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
CAS
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Security
lalithambiga kamaraj
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
Nikhil Raj
 

Recommended

Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)
Papun Papun
 
Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system
gaurav koriya
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems
Cleverence Kombe
 
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
LearningwithRayYT
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
CAS
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Security
lalithambiga kamaraj
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
Nikhil Raj
 
Types Of Firewall Security
Types Of Firewall SecurityTypes Of Firewall Security
Types Of Firewall Security
iberrywifisecurity
 
Information Security
Information SecurityInformation Security
Information Security
Dhilsath Fathima
 
Firewall DMZ Zone
Firewall DMZ ZoneFirewall DMZ Zone
Firewall DMZ Zone
NetProtocol Xpert
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
Ankita Ganguly
 
Data security
Data securityData security
Data security
ForeSolutions
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
Aj Maurya
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
Netwax Lab
 
Introduction to Intrusion detection and prevention system for network
Introduction to Intrusion detection and prevention system for networkIntroduction to Intrusion detection and prevention system for network
Introduction to Intrusion detection and prevention system for network
Eng. Mohammed Ahmed Siddiqui
 
3. security architecture and models
3. security architecture and models3. security architecture and models
3. security architecture and models
7wounders
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
Santosh Khadsare
 
Information Security Lecture #1 ppt
Information Security Lecture #1 pptInformation Security Lecture #1 ppt
Information Security Lecture #1 ppt
vasanthimuniasamy
 
Firewall
FirewallFirewall
Firewall
nayakslideshare
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
Umesh Dhital
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
primeteacher32
 
Chapter 5 - Identity Management
Chapter 5 - Identity ManagementChapter 5 - Identity Management
Chapter 5 - Identity Management
Karthikeyan Dhayalan
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
LJ PROJECTS
 
Intruders
IntrudersIntruders
Intruders
Dr.Florence Dayana
 
Dos attack
Dos attackDos attack
Dos attack
Manjushree Mashal
 
OPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITYOPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITY
RohitK71
 
Network Security
Network SecurityNetwork Security
Network Security
Manoj Singh
 
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptFALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
useonlyfortech140
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
MLG College of Learning, Inc
 

More Related Content

What's hot

Types Of Firewall Security
Types Of Firewall SecurityTypes Of Firewall Security
Types Of Firewall Security
iberrywifisecurity
 
Information Security
Information SecurityInformation Security
Information Security
Dhilsath Fathima
 
Firewall DMZ Zone
Firewall DMZ ZoneFirewall DMZ Zone
Firewall DMZ Zone
NetProtocol Xpert
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
Ankita Ganguly
 
Data security
Data securityData security
Data security
ForeSolutions
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
Aj Maurya
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
Netwax Lab
 
Introduction to Intrusion detection and prevention system for network
Introduction to Intrusion detection and prevention system for networkIntroduction to Intrusion detection and prevention system for network
Introduction to Intrusion detection and prevention system for network
Eng. Mohammed Ahmed Siddiqui
 
3. security architecture and models
3. security architecture and models3. security architecture and models
3. security architecture and models
7wounders
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
Santosh Khadsare
 
Information Security Lecture #1 ppt
Information Security Lecture #1 pptInformation Security Lecture #1 ppt
Information Security Lecture #1 ppt
vasanthimuniasamy
 
Firewall
FirewallFirewall
Firewall
nayakslideshare
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
Umesh Dhital
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
primeteacher32
 
Chapter 5 - Identity Management
Chapter 5 - Identity ManagementChapter 5 - Identity Management
Chapter 5 - Identity Management
Karthikeyan Dhayalan
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
LJ PROJECTS
 
Intruders
IntrudersIntruders
Intruders
Dr.Florence Dayana
 
Dos attack
Dos attackDos attack
Dos attack
Manjushree Mashal
 
OPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITYOPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITY
RohitK71
 
Network Security
Network SecurityNetwork Security
Network Security
Manoj Singh
 

What's hot (20)

Types Of Firewall Security
Types Of Firewall SecurityTypes Of Firewall Security
Types Of Firewall Security
 
Information Security
Information SecurityInformation Security
Information Security
 
Firewall DMZ Zone
Firewall DMZ ZoneFirewall DMZ Zone
Firewall DMZ Zone
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
Data security
Data securityData security
Data security
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
 
Introduction to Intrusion detection and prevention system for network
Introduction to Intrusion detection and prevention system for networkIntroduction to Intrusion detection and prevention system for network
Introduction to Intrusion detection and prevention system for network
 
3. security architecture and models
3. security architecture and models3. security architecture and models
3. security architecture and models
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Information Security Lecture #1 ppt
Information Security Lecture #1 pptInformation Security Lecture #1 ppt
Information Security Lecture #1 ppt
 
Firewall
FirewallFirewall
Firewall
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
 
Chapter 5 - Identity Management
Chapter 5 - Identity ManagementChapter 5 - Identity Management
Chapter 5 - Identity Management
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
 
Intruders
IntrudersIntruders
Intruders
 
Dos attack
Dos attackDos attack
Dos attack
 
OPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITYOPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITY
 
Network Security
Network SecurityNetwork Security
Network Security
 

Similar to Idps

FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptFALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
useonlyfortech140
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
MLG College of Learning, Inc
 
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdfFALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
thilakrajc
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
Nicholas Davis
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
Nicholas Davis
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
Roshan Ranabhat
 
Lesson 1- Intrusion Detection
Lesson 1- Intrusion DetectionLesson 1- Intrusion Detection
Lesson 1- Intrusion Detection
MLG College of Learning, Inc
 
Network Security
Network SecurityNetwork Security
Network Security
Jitin Kollamkudy
 
Intruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptxIntruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptx
SriK49
 
Computer Security: Principles of Information Security
Computer Security: Principles of Information SecurityComputer Security: Principles of Information Security
Computer Security: Principles of Information Security
elipanganiban15
 
IDS n IPS
IDS n IPSIDS n IPS
IDS n IPS
SAurabh PRajapati
 
Idps
IdpsIdps
Idps
iskrena
 
ScenarioSummaryIn this lab, you will explore at least one IDS, IP.docx
ScenarioSummaryIn this lab, you will explore at least one IDS, IP.docxScenarioSummaryIn this lab, you will explore at least one IDS, IP.docx
ScenarioSummaryIn this lab, you will explore at least one IDS, IP.docx
ronnasleightholm
 
Unit-5.pptx
Unit-5.pptxUnit-5.pptx
Unit-5.pptx
RoyBokhiriya
 
information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...
Zara Nawaz
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
MLG College of Learning, Inc
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
AmardeepKumar621436
 
Presentation (3) cybersecurity wd imp.pptx
Presentation (3) cybersecurity wd imp.pptxPresentation (3) cybersecurity wd imp.pptx
Presentation (3) cybersecurity wd imp.pptx
Yash Sharma
 
Cyber-Security-Unit-4.pptx
Cyber-Security-Unit-4.pptxCyber-Security-Unit-4.pptx
Cyber-Security-Unit-4.pptx
TikdiPatel
 
Dr. Eric Cole - 30 Things Every Manager Should Know
Dr. Eric Cole - 30 Things Every Manager Should KnowDr. Eric Cole - 30 Things Every Manager Should Know
Dr. Eric Cole - 30 Things Every Manager Should Know
Nuuko, Inc.
 

Similar to Idps (20)

FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptFALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdfFALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
FALLSEM2023-24_CSE3501_ETH_VL2023240102981_2023-09-04_Reference-Material-I.pdf
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Lesson 1- Intrusion Detection
Lesson 1- Intrusion DetectionLesson 1- Intrusion Detection
Lesson 1- Intrusion Detection
 
Network Security
Network SecurityNetwork Security
Network Security
 
Intruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptxIntruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptx
 
Computer Security: Principles of Information Security
Computer Security: Principles of Information SecurityComputer Security: Principles of Information Security
Computer Security: Principles of Information Security
 
IDS n IPS
IDS n IPSIDS n IPS
IDS n IPS
 
Idps
IdpsIdps
Idps
 
ScenarioSummaryIn this lab, you will explore at least one IDS, IP.docx
ScenarioSummaryIn this lab, you will explore at least one IDS, IP.docxScenarioSummaryIn this lab, you will explore at least one IDS, IP.docx
ScenarioSummaryIn this lab, you will explore at least one IDS, IP.docx
 
Unit-5.pptx
Unit-5.pptxUnit-5.pptx
Unit-5.pptx
 
information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
 
Presentation (3) cybersecurity wd imp.pptx
Presentation (3) cybersecurity wd imp.pptxPresentation (3) cybersecurity wd imp.pptx
Presentation (3) cybersecurity wd imp.pptx
 
Cyber-Security-Unit-4.pptx
Cyber-Security-Unit-4.pptxCyber-Security-Unit-4.pptx
Cyber-Security-Unit-4.pptx
 
Dr. Eric Cole - 30 Things Every Manager Should Know
Dr. Eric Cole - 30 Things Every Manager Should KnowDr. Eric Cole - 30 Things Every Manager Should Know
Dr. Eric Cole - 30 Things Every Manager Should Know
 

Recently uploaded

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
Pixlogix Infotech
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 

Recently uploaded (20)

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 

Idps

  • 1. 1 Intrusion Detection Prevention Systems Prepared by: Abeer Saif Supervised by: Dr. Lo’ai Tawalbeh
  • 2. 2 Introduction • Intrusion Detection Systems (IDSs) will be obsolete very soon (if they aren't already). In it's place is something much more capable, an Intrusion Prevention System (IPS). • IPSs are not a new technology, they are simply an evolved version of IDS. • IPSs combine IDSs and improved firewall technologies, they make access control decisions based on application content, rather than IP address or ports as traditional firewalls had done. • Because IDS and IPS technologies offer many of the same capabilities, administrators can usually disable prevention features in IPS products, causing them to function as IDSs.
  • 3. 3 Definitions • Intrusions: attempts to compromise the confidentiality, integrity, availability, or to bypass the security mechanisms of a computer system or network( illegal access). • Intrusions have many causes, such as malware (worms, spyware, etc…), attackers gaining unauthorized access to systems from the Internet, and authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorized. • Although many intrusions are malicious in nature, many others are not; for example: a person might mistype the address of a computer and accidentally attempt to connect to a different system without authorization.
  • 4. 4 Definitions • Intrusion detection: is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible intrusions (incidents). • Intrusion detection system (IDS): is software that automates the intrusion detection process. The primary responsibility of an IDS is to detect unwanted and malicious activities. • Intrusion prevention system (IPS): is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.
  • 5. 5 Why Intrusion Detection Prevention Systems should be used? • It’s a dire fact that while every enterprise has a firewall, most still suffer from network security problems. IT professionals are acutely aware of the need for additional protective technologies, and network equipment vendors are anxious to fill in the gap. • Intrusion Prevention Systems have been promoted as cost-effective ways to block malicious traffic, to detect and contain worm and virus threats, to serve as a network monitoring point, to assist in compliance requirements, and to act as a network sanitizing agent.
  • 6. 6 Why Intrusion Detection Prevention Systems should be used? IDPSs are primarily focused on: • Identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. • Identifying problems with security policies • Documenting existing threats • Deterring individuals from violating security policies. 
  • 7. 7 In addition, all types of IDPSs perform the following: • Recording information related to observed events. Information is usually recorded locally, and might also be sent to separate systems such as centralized logging servers, security information and event management (SIEM) solutions, and enterprise management systems. • Notifying security administrators of important observed events. This notification, known as an alert, may take the form of audible signals, e-mails, pager notifications, or log entries. A notification message typically includes only basic information regarding an event; administrators need to access the IDPS for additional information. • Producing reports. Reports summarize the monitored events or provide details on particular events of interest.
  • 8. 8 • An IDPS might also alter the settings for when certain alerts are triggered or what priority should be assigned to subsequent alerts after a particular threat is detected. • IPSs respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques: • The IPS stops the attack itself. Examples: Terminate the network connection or user session that is being used for the attack. Block access to the target (or possibly other likely targets) from the offending user account, IP address, or other attacker attribute. Block all access to the targeted host, service, application, or other resource.
  • 9. 9 • The IPS changes the security environment. The IPS could change the configuration of other security controls to disrupt an attack. Such as reconfiguring a network device (e.g., firewall, router, switch) to block access from the attacker or to the target, and altering a host-based firewall on a target to block incoming attacks. Some IPSs can even cause patches to be applied to a host if the IPS detects that the host has vulnerabilities. • The IPS changes the attack’s content. Some IPS technologies can remove or replace malicious portions of an attack to make it benign. An example is an IPS removing an infected file attachment from an e-mail and then permitting the cleaned email to reach its recipient.
  • 10. 10 • Most IDPSs also offer features that compensate for the use of common evasion techniques. Evasion is modifying the format or timing of malicious activity so that its appearance changes but its effect is the same. Attackers use evasion techniques to try to prevent IDPSs from detecting their attacks. • For example: an attacker could encode text characters in a particular way, knowing that the target understands the encoding and hoping that any monitoring IDPSs do not. Most IDPSs can overcome common evasion techniques by duplicating special processing performed by the targets. If the IDPS can “see” the activity in the same way that the target would, then evasion techniques will generally be unsuccessful at hiding attacks.
  • 11. 11 Classes of detection methodologies: • Signature-based: compares known threat signatures to observed events to identify incidents. • This is very effective at detecting known threats but largely ineffective at detecting unknown threats and many variants on known threats. • Signature-based detection cannot track and understand the state of complex communications, so it cannot detect most attacks that comprise multiple events. Examples: • A telnet attempt with a username of “root”, which is a violation of an organization’s security policy • An e-mail with a subject of “Free pictures!” and an attachment filename of “freepics.exe”, which are characteristics of a known form of malware
  • 12. 12 • Anomaly-based detection: sample network activity to compare to traffic that is known to be normal. • When measured activity is outside baseline parameters or clipping level, IDPS will trigger an alert. • Anomaly-based detection can detect new types of attacks. • Requires much more overhead and processing capacity than signature-based . • May generate many false positives.
  • 13. 13 • For example: a profile for a network might show that Web activity comprises an average of 13% of network bandwidth at the Internet border during typical workday hours. The IDPS then uses statistical methods to compare the characteristics of current activity to thresholds related to the profile, such as detecting when Web activity comprises significantly more bandwidth than expected and alerting an administrator of the anomaly. Profiles can be developed for many behavioral attributes, such as the number of e-mails sent by a user, the number of failed login attempts for a host, and the level of processor usage for a host in a given period of time.
  • 14. 14 • Stateful protocol analysis: A key development in IDPS technologies was the use of protocol analyzers. • Protocol analyzers can natively decode application- layer network protocols, like HTTP or FTP. Once the protocols are fully decoded, the IPS analysis engine can evaluate different parts of the protocol for anomalous behavior or exploits against predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state. • Problems with this type include that it is often very difficult or impossible to develop completely accurate models of protocols, it is very resource-intensive, and it cannot detect attacks that do not violate the characteristics of generally acceptable protocol behavior.
  • 15. 15 • For example: the existence of a large binary file in the User-Agent field of an HTTP request would be very unusual and likely an intrusion. A protocol analyzer could detect this anomalous behavior and instruct the IPS engine to drop the offending packets. • IDPS technologies cannot provide completely accurate detection. When an IDPS incorrectly identifies benign activity as being malicious, a false positive has occurred. When an IDPS fails to identify malicious activity, a false negative has occurred. It is not possible to eliminate all false positives and negatives; in most cases, reducing the occurrences of one increases the occurrences of the other.
  • 16. 16 • Many organizations choose to decrease false negatives at the cost of increasing false positives, which means that more malicious events are detected but more analysis resources are needed to differentiate false positives from true malicious events. Altering the configuration of an IDPS to improve its detection accuracy is known as tuning.
  • 17. 17 Types of IDPSs 1. Network-based: perform packet sniffing and analyze network traffic to identify and stop suspicious activity. They are typically deployed inline. Like a network firewall. They receive packets, analyze them, decide whether they should be permitted, and allow acceptable packets to pass through. • Allow some attacks ,such as network service worms, e-mail.borne worms and viruses with easily recognizable characteristics (e.g., subject, attachment filename), to be detected on networks before they reach their intended targets (e.g., e-mail servers, Web servers). • Most products use a combination of attack signatures and analysis of network and application protocols.
  • 18. 18 • Network-based products might be able to detect and stop some unknown threats through application protocol analysis. • Some products allow administrators to create and deploy attack signatures for many major new malware threats in a matter of minutes. Although poorly written signature triggers false positives that block benign activity, a custom signature can block a new malware threat hours before antivirus signatures become available. • However, network-based products are generally not capable of stopping malicious mobile code or Trojan horses.
  • 19. 19 Placement of Network IDPSs  Deployment options: • Outside firewall • Just inside firewall -Combination of both will detect attacks getting through firewall and may help to refine firewall rule set. • Behind remote access server • Between business units • Between corporate network and partner networks  Sensors may need to be placed in all switched network segments
  • 20. 20
  • 21. 21 Types of IDPSs 2. Host-based: are similar in principle and purpose to network-based , except that a host-based product monitors the characteristics of a single host and the events occurring within that host, such as monitoring network traffic (only for that host), system logs, running processes, file access and modification, and system and application configuration changes. • They often use a combination of attack signatures and knowledge of expected or typical behavior to identify known and unknown attacks on systems. • If a host-based product monitors the host’s network traffic, it offers detection capabilities similar to a network-based.
  • 22. 22 • Host-based IDPSs are most commonly deployed on critical hosts such as publicly accessible servers and servers containing sensitive information. • For example: attempted changes to files can be effective at detecting viruses attempting to infect files and Trojan horses attempting to replace files, as well as the use of attacker tools, such as rootkits, that often are delivered by malware.
  • 23. 23 Placement of host IDPSs Deployment options: • Key servers that contain mission-critical and sensitive information. • Web servers. • FTP and DNS servers. • E-commerce database servers, etc. • Other high value assets. May also emplace these randomly to obtain probabilistic measure of hosts becoming compromised.
  • 24. 24
  • 25. 25 Types of IDPSs 3. Network Behavior Analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as denial of service (DoS) and distributed denial of service (DDoS) attacks, certain forms of malware (e.g., worms, backdoors), and policy violations (e.g., a client system providing network services to other systems). • NBA systems are most often deployed to monitor flows on an organization’s internal networks, and are also sometimes deployed where they can monitor flows between an organization’s networks and external networks (e.g., the Internet, business partners’ networks).
  • 26. 26 Types of IDPSs 4. Wireless: monitors wireless network traffic and analyzes its wireless networking protocols to identify suspicious activity involving the protocols themselves. • It cannot identify suspicious activity in the application or higher-layer network protocols (e.g., TCP, UDP) that the wireless network traffic is transferring. • It is most commonly deployed within range of an organization’s wireless network to monitor it, but can also be deployed to locations where unauthorized wireless networking could be occurring.
  • 27. 27 • organizations should consider using multiple types of IDPS technologies to achieve more comprehensive and accurate detection and prevention of malicious activity. • For most environments, a combination of network- based and host-based IDPSs is needed for an effective IDPS solution. • NBA technologies can also be deployed if organizations desire additional detection capabilities for DoS & DDoS attacks, worms, and other threats that NBAs are particularly good at detecting. • Wireless IDPSs may also be needed if the organization determines that its wireless networks need additional monitoring or if the organization wants to ensure that rogue wireless networks are not in use in the organization’s facilities.
  • 28. 28 • Before evaluating IDPS products organizations need to understand the characteristics of their system and network environments, so that a compatible IDPS can be selected that can monitor the events of interest on the systems and/or networks. • Organizations should articulate the goals and objectives they wish to attain by using an IDPS, such as stopping common attacks, identifying misconfigured wireless network devices, and detecting misuse of the organization’s system and network resources. • Organizations should also review their existing security policies, which serve as a specification for many of the features that the IDPS products need to provide.
  • 29. 29 • Organizations should determine if they require IDPSs or other specific system security resources. • Organizations also need to define specialized sets of requirements for the following: • Security capabilities: including information gathering, logging, detection, and prevention. • Performance: including maximum capacity and performance features • Management: including design and implementation (e.g., reliability, interoperability, scalability, product security), operation and maintenance (including software updates), and training, documentation, and technical support Life cycle costs, both initial and maintenance costs.
  • 30. 30
  • 31. 31 What is Prevx1? • Prevx1 is a powerful anti-malware tool. It works alongside existing security tools such as anti-virus software and firewalls, or it can be used on its own. • Additionally, Prevx1 is significantly quieter than other current security products because of it's unique Community Intrusion Prevention System (CIPS) concept. • Prevx1 provides vital protection against attacks that traditional security products may not adequately protect against. These attacks include: • Buffer Overflows • Trojans and Exploits
  • 32. 32 • Internet Worms and Hack Attacks • Spyware and Adware • Phishing (Hosts File misuse). HOW DOES PREVX 2.0 WORK? • When you first start Prevx 2.0, it carries out a once- only scan to identify executable files that run automatically or frequently. • After these files have been catalogued, it then verifies them against the Prevx Central Database. This database contains records of known good and known bad (malware) programs.
  • 33. 33 Example: • When a program tries to start, Prevx 2.0 will intercept it to see if it is safe to run. The diagram shown here is an example of what happens if you download a program from the internet and then try to run it. • Good programs are allowed to start. • Bad programs (in other words, malware) are automatically blocked. You will see a message box where you can get online details about the file. • Very rarely, if at all, a program may not be in the Community database. This may be because the program is very new or has only been seen a few times by the Prevx 2.0 community or if the Community database could not be contacted. In this case the program would be classified as unknown, and you will be prompted to allow it to start or not. This is known as a Query.
  • 34. 34