Intrusion Detection System
Introduction
(Copyright: Dr. Jyoti Lakhani)
Intrusion
An intrusion is an active sequence of related events that
deliberately try to cause harm, such as rendering a system
unusable, accessing unauthorized information, or manipulating
such information.
This definition refers to both successful and unsuccessful
attempts.
- Carl Endorf
IDS systems record information about both successful and
unsuccessful attempts so that security professionals will have a
more comprehensive understanding of the events on their
networks.
One way this can be done is by placing devices that examine
network traffic, called sensors, both in front of the firewall
(the unprotected area) and behind the firewall (the protected
area) and comparing the information recorded by the two.
[Diagram: Internet, firewall, and sensors placed in front of the firewall (unprotected area) and behind it (protected area)]
Collecting Data
• Port Mirroring or Spanning
• Network Taps
Port Mirroring or Spanning
Copies of incoming and outgoing packets are forwarded
from one port of a network switch to another port, where the
packets can be analyzed.
Network Taps
Network taps are placed directly in line with the network traffic;
they copy the incoming and outgoing packets and retransmit them
back out on the network.
What Is an Intrusion-Detection System (IDS)?
The tools, methods, and resources to help identify, assess,
and report unauthorized or unapproved network activity.
It detects activity in traffic that may or may not be an
intrusion.
IDSs work at the network layer of the OSI model.
They analyze packets to find specific patterns in network
traffic; if they find such a pattern in the traffic, an alert is
logged, and a response can be based on the data recorded.
IDSs are similar to antivirus software in that they use known
signatures to recognize traffic patterns that may be malicious
in intent.
Types of IDS Systems
• Host-based Intrusion-Detection System (HIDS)
• Network-based Intrusion-Detection System (NIDS)
• Hybrids
Host-based Intrusion-Detection System (HIDS)
A HIDS requires some software that resides on the
system and can scan all host resources for activity;
some just scan syslog and event logs for activity.
It will log any activities it discovers to a secure database and
check to see whether the events match any malicious event
record listed in the knowledge base.
Network-based Intrusion-Detection System (NIDS)
A NIDS is usually inline on the network, and it analyzes
network packets looking for attacks. A NIDS receives all packets on
a particular network segment, including switched networks (where
this is not the default behavior), via one of several methods, such
as taps or port mirroring. It carefully reconstructs the streams of
traffic to analyze them for patterns of malicious behavior. Most
NIDSs are equipped with facilities to log their activities and report
or alarm on questionable events. In addition, many high-performance
routers offer NID capabilities.
NIDS | HIDS
Broad in scope (watches all network activities) | Narrow in scope (watches only specific host activities)
Easier setup | More complex setup
Better for detecting attacks from the outside | Better for detecting attacks from the inside
Less expensive to implement | More expensive to implement
Detection is based on what can be recorded on the entire network | Detection is based on what any single host can record
Examines packet headers | Does not see packet headers
Detects network attacks as payload is analyzed | Detects local attacks before they hit the network
Detects unsuccessful attack attempts | Verifies success or failure of attacks
Near real-time response | Usually only responds after a suspicious log entry has been made
OS-independent | OS-specific
In computer networking and telecommunications, when a
transmission unit is sent from the source to the destination, it
contains both a header and the actual data to be transmitted.
This actual data is called the payload.
The basic process for an IDS is that a NIDS or HIDS passively
collects data and preprocesses and classifies it.
Statistical analysis can be done to determine whether the
information falls outside normal activity, and if so, it is then
matched against a knowledge base.
If a match is found, an alert is sent.
Standard IDS System
What Is an Intrusion-Prevention System (IPS)?
It is still early in the development of intrusion-prevention
systems (IPSs).
An IPS sits inline on the network and monitors it, and when
an event occurs, it takes action based on prescribed rules.
This is unlike IDSs, which do not sit inline and are passive.
Types of IPS Systems
• Host-based Intrusion-Prevention System (HIPS)
• Network-based Intrusion-Prevention System (NIPS)
• Hybrids
User actions should correspond to actions in a predefined
knowledge base; if an action isn't on the accepted list, the IPS will
prevent the action.
Unlike an IDS, the logic in an IPS is typically applied before the
action is executed in memory. Other IPS methods compare file
checksums to a list of known-good checksums before allowing a
file to execute, or work by intercepting system calls.
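As an added illustration, not code from the slides, the checksum comparison described above in Python: a knowledge base of known-good SHA-256 digests for a constructed file tree, a verification pass that reports modified, new and missing files (the "modification of system log files" case), and an execution gate that blocks a file not on the accepted list in IPS mode but only alerts in IDS mode. All paths, file contents and function names are constructed for the example.

```python
import hashlib
import os
import tempfile
from typing import Dict, Tuple

# Added illustration (not code from the slides) of the host-based checks described there:
# a knowledge base of known-good file checksums, a scan that reports modified, new and
# missing files, and an execution gate that an IPS enforces while an IDS only alerts.
# All paths and file contents are constructed for the example.


def sha256_of_file(path: str) -> str:
    """Hash the file in chunks so large binaries and logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Known-good checksums: path relative to root -> SHA-256 hex digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of_file(full)
    return baseline


def verify(root: str, baseline: Dict[str, str]) -> Dict[str, str]:
    """Compare the tree with the baseline: rel path -> unchanged | modified | new | missing."""
    current = build_baseline(root)
    report = {}
    for rel, digest in baseline.items():
        if rel not in current:
            report[rel] = "missing"
        else:
            report[rel] = "unchanged" if current[rel] == digest else "modified"
    for rel in current:
        if rel not in baseline:
            report[rel] = "new"
    return report


def execution_gate(path: str, root: str, baseline: Dict[str, str], mode: str) -> str:
    """Before a file runs, compare its checksum with the accepted list. A file not on the
    list is blocked in IPS mode; in IDS mode the same finding only raises an alert."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    if baseline.get(rel) == sha256_of_file(path):
        return "allow"
    return "block" if mode == "ips" else "alert"


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed scenario: baseline a small tree, then truncate a log file (the
    'modification of system log files' case), add an unknown executable and delete a file."""
    root = tempfile.mkdtemp(prefix="hids_demo_")
    os.makedirs(os.path.join(root, "var", "log"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    files = {  # constructed contents, not real system files
        "var/log/auth.log": b"accepted login for alice\n",
        "usr/bin/tool": b"\x7fELF constructed sample, not a real binary\n",
        "etc_passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    baseline = build_baseline(root)

    with open(os.path.join(root, "var", "log", "auth.log"), "wb") as f:
        f.write(b"")  # log truncated after the baseline was taken
    with open(os.path.join(root, "usr", "bin", "unknown_bin"), "wb") as f:
        f.write(b"not on the accepted list\n")
    os.remove(os.path.join(root, "etc_passwd"))

    report = verify(root, baseline)
    decisions = {
        "tool/ips": execution_gate(os.path.join(root, "usr", "bin", "tool"), root, baseline, "ips"),
        "unknown_bin/ips": execution_gate(os.path.join(root, "usr", "bin", "unknown_bin"), root, baseline, "ips"),
        "unknown_bin/ids": execution_gate(os.path.join(root, "usr", "bin", "unknown_bin"), root, baseline, "ids"),
    }
    return report, decisions
```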
An IPS will typically consist of four main components:
• Traffic normalizer
• Service scanner
• Detection engine
• Traffic shaper
The traffic normalizer will interpret the network traffic and do
packet analysis and packet reassembly, as well as performing
basic blocking functions.
The traffic is then fed into the detection engine and the service
scanner.
The service scanner builds a reference table that classifies the
information and helps the traffic shaper manage the flow of the
information.
The detection engine does pattern matching against the
reference table, and the appropriate response is determined.
IDS | IPS
Installed on network segments (NIDS) and on hosts (HIDS) | Installed on network segments (NIPS) and on hosts (HIPS)
Sits on network passively | Sits inline (not passive)
Cannot parse encrypted traffic | Better at protecting applications
Central management control | Central management control
Better at detecting hacking attacks | Ideal for blocking web defacement
Alerting product (reactive) | Blocking product (proactive)
Why Are IDSs and IPSs Important?
1. Greater proficiency in detecting intrusions than by
doing it manually
2. In-depth knowledge bases to draw from
3. Ability to deal with large volumes of data
4. Near real-time alerting capabilities that help reduce
potential damages
Why Are IPSs Important?
• Automated responses, such as logging off a user,
disabling a user account, or launching automated
scripts
• Strong deterrent* value
• Built-in forensic capabilities
• Built-in reporting capabilities
*Deterrent: a thing that discourages or is intended to discourage someone
from doing something. Eg. "cameras are a major deterrent to crime"
ASSIGNMENT 1
Q1. Explain architecture of IDS and IPS with suitable diagrams
Q2. What are the pros and cons of IDS and IPS?
Last Date of submission: 30/11/2020
Why Are IPSs Important? (continued)
MOST IMPORTANT
1. Legal and regulatory issues
2. Quantification of attacks
3. Establishment of an overall defense-in-depth
strategy
IDS and IPS Analysis Schemes
IDSs and IPSs perform analyses.
It is important to understand the analysis process:
- what analysis does
- what types of analysis are available
- what the advantages and disadvantages of different analysis
schemes are
What Is Analysis?
Analysis, in the context of intrusion detection and prevention, is
the organization of the constituent parts of data and their
interrelationships to identify any anomalous activity of interest.
Real-time analysis is analysis done on the fly as the data travels
the path to the network or host.
[Diagram: Relationship between Baseline and Anomalous Network Activity (baseline activities vs. anomalous activities)]
Goals of intrusion-detection and intrusion-prevention analysis
• Create records of relevant activity for follow-up
• Determine flaws in the network by detecting specific activities
• Record unauthorized activity for use in forensics or criminal
prosecution of intrusion attacks
• Act as a deterrent to malicious activity
• Increase accountability by linking activities of one individual
across systems
Intrusion Analysis Process
Data collected from sensors passes through four stages:
Pre-Processing → Analysis → Response → Refinement
Pre-Processing
[Diagram: the Pre-Processing stage of the process (Pre-Processing → Analysis → Response → Refinement); elements: Sensors, Data, DB, Classification, Analysis Schemes, Baseline Activity, Anomalous Activity]
Intrusion Analysis Process
[Diagram: Pre-Processing → Analysis → Response → Refinement; elements: Sensors, Data, DB, Classification, Analysis Schemes, Baseline Activity, Anomalous Activity, Core Analysis Engine]
Example detections:
• Detection of the modification of system log files
• Detection of unexpected privilege escalation
• Detection of Backdoor Netbus
• Detection of Backdoor SubSeven
• ORACLE grant attempt
• RPC mountd UDP export request
Analysis Process
[Diagram: Pre-Processing → Analysis → Response → Refinement; elements: Sensors, DB, Classified Data, Core Analysis Engine, KB (templates for different anomaly cases)]
• Once the pre-processing is completed, the analysis stage begins.
• The data record is compared to the knowledge base, and the data record
will either be logged as an intrusion event or it will be dropped.
• Then the next data record is analyzed.
Response Phase
[Diagram: an anomaly found by the core analysis engine is handed to the IDS or the IPS]
The response of IDS and IPS (against an anomaly) is a differentiating factor.
Response Phase (IDS)
[Diagram: anomaly → IDS → log file and alarm]
Response Phase (IPS)
[Diagram: anomaly → IPS → blocked before reaching the network system (intrusion prevention)]
Response Phase
[Diagram: anomaly → IDS (reactive security) or IPS (proactive security)]
Proactive (adjective): (of a person or action) creating or controlling a situation rather
than just responding to it after it has happened.
Eg. "employers must take a proactive approach to equal pay"
Refinement Phase
[Diagram: anomaly → IDS/IPS → tuning of IDS/IPS]
Tools, e.g. CTR*
*Cisco Threat Response (CTR) helps with the refining stage by making sure
that an alert is valid, checking whether you are actually vulnerable to that
attack or not.
Detection Approaches
• Misuse Detection (also called Rule-Based, Signature Detection, or Pattern Matching)
• Anomaly Detection (also called Profile-Based Detection)
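An added example, not code from the slides, that runs the four-stage process described above (pre-processing, analysis, response, refinement) over constructed sensor records using both detection approaches: a signature knowledge base for misuse detection and a per-source connection-rate profile for anomaly detection. The hosts, records, rules, and the exposed-port table used for the refinement step are all constructed; the two sample rules use the commonly documented default ports of the services they name.

```python
import re
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Added illustration of the slides' analysis process (pre-processing -> analysis -> response
# -> refinement) with both detection approaches named there: signature (misuse) and
# profile-based (anomaly). Not code from the slides or any product; all data is constructed.

SENSOR_LINES = [  # constructed connection summaries, as a sensor might emit them
    "ts=1 src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=80 payload=GET /index.html",
    "ts=2 src=10.0.0.5 dst=10.0.0.21 proto=tcp dport=1521 payload=GRANT DBA TO scott",
    "ts=3 src=10.0.0.7 dst=10.0.0.22 proto=tcp dport=12345 payload=",
    "malformed line that pre-processing must tolerate",
] + [f"ts={10 + i} src=10.0.0.9 dst=10.0.0.20 proto=tcp dport=80 payload=GET /p{i}"
     for i in range(12)]

# Baseline profile for anomaly detection: connections per interval seen in earlier intervals.
PROFILE = {"10.0.0.5": [3, 4, 3, 5, 4], "10.0.0.7": [1, 1, 2, 1, 1], "10.0.0.9": [2, 3, 2, 3, 2]}

# Knowledge base for signature detection: (name, proto, dport, payload regex or None).
# Ports are the commonly documented defaults for these services; the rules are illustrative.
SIGNATURES = [
    ("Backdoor NetBus connection", "tcp", 12345, None),
    ("ORACLE grant attempt", "tcp", 1521, re.compile(r"\bGRANT\b", re.I)),
]

# Refinement data: ports each destination really exposes (the "are we vulnerable?" check).
ASSET_PORTS: Dict[str, Set[int]] = {"10.0.0.20": {80}, "10.0.0.21": {1521}, "10.0.0.22": set()}

LINE_RE = re.compile(r"ts=(\d+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+) payload=(.*)")


@dataclass
class Record:
    src: str
    dst: str
    proto: str
    dport: int
    payload: str


@dataclass
class Alert:
    kind: str  # "signature" or "anomaly"
    name: str
    src: str
    dst: str
    dport: int
    confidence: str = "unrefined"


def preprocess(lines: List[str]) -> List[Record]:
    """Pre-processing: parse and normalize sensor lines; unmatched (malformed) lines are dropped."""
    records = []
    for m in filter(None, map(LINE_RE.match, lines)):
        _ts, src, dst, proto, dport, payload = m.groups()
        records.append(Record(src, dst, proto.lower(), int(dport), payload))
    return records


def signature_alerts(records: List[Record]) -> List[Alert]:
    """Misuse detection: every record is compared with each pattern in the knowledge base."""
    alerts = []
    for r in records:
        for name, proto, dport, pattern in SIGNATURES:
            if r.proto == proto and r.dport == dport and (pattern is None or pattern.search(r.payload)):
                alerts.append(Alert("signature", name, r.src, r.dst, r.dport))
    return alerts


def anomaly_alerts(records: List[Record], profile: Dict[str, List[int]], k: float = 3.0) -> List[Alert]:
    """Profile-based detection: flag a source whose count exceeds its baseline mean by k std devs."""
    alerts = []
    for src, n in Counter(r.src for r in records).items():
        history = profile.get(src, [])
        if len(history) < 2:
            continue  # no usable baseline yet, so nothing to compare against
        threshold = statistics.mean(history) + k * statistics.stdev(history)
        if n > threshold:
            alerts.append(Alert("anomaly", f"rate {n} > baseline {threshold:.1f}", src, "*", 0))
    return alerts


def refine(alerts: List[Alert], asset_ports: Dict[str, Set[int]]) -> List[Alert]:
    """Refinement: confirm a signature alert only if the target exposes the service the rule concerns."""
    for a in alerts:
        if a.kind == "signature":
            a.confidence = "confirmed" if a.dport in asset_ports.get(a.dst, set()) else "target not exposed"
        else:
            a.confidence = "statistical"
    return alerts


def respond(alerts: List[Alert], mode: str) -> Dict[str, List[str]]:
    """Response: an IDS only logs and alarms (reactive); an IPS also blocks the source (proactive)."""
    log = [f"ALARM {a.kind} {a.name} src={a.src} dst={a.dst} [{a.confidence}]" for a in alerts]
    blocked = sorted({a.src for a in alerts}) if mode == "ips" else []
    return {"log": log, "blocked": blocked}


def run(mode: str = "ids") -> Dict[str, List[str]]:
    records = preprocess(SENSOR_LINES)
    alerts = refine(signature_alerts(records) + anomaly_alerts(records, PROFILE), ASSET_PORTS)
    return respond(alerts, mode)
```

Alerts flagged "target not exposed" are the ones the refinement stage would send back for rule tuning rather than drop silently.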

Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 

Recently uploaded (20)

Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 

Ids 001 ids vs ips

  • 8. Types of IDS Systems
      • Host-based Intrusion-Detection System (HIDS)
      • Network-based Intrusion-Detection System (NIDS)
      • Hybrids
  • 9. Host-based Intrusion-Detection System (HIDS)
      A HIDS will require some software that resides on the host and can scan all host resources for activity; some HIDSs just scan syslog and event logs for activity. It will log any activities it discovers to a secure database and check whether the events match any malicious event record listed in the knowledge base.
  • 10. Network-based Intrusion-Detection System (NIDS)
      A NIDS is usually inline on the network, and it analyzes network packets looking for attacks. A NIDS receives all packets on a particular network segment, including switched networks (where this is not the default behavior), via one of several methods, such as taps or port mirroring. It carefully reconstructs the streams of traffic to analyze them for patterns of malicious behavior. Most NIDSs are equipped with facilities to log their activities and report or alarm on questionable events. In addition, many high-performance routers offer NID capabilities.
  • 14. NIDS | HIDS
      Broad in scope (watches all network activities) | Narrow in scope (watches only specific host activities)
      Easier setup | More complex setup
      Better for detecting attacks from the outside | Better for detecting attacks from the inside
      Less expensive to implement | More expensive to implement
      Detection is based on what can be recorded on the entire network | Detection is based on what any single host can record
      Examines packet headers | Does not see packet headers
  • 15. NIDS | HIDS
      Detects network attacks as payload is analyzed | Detects local attacks before they hit the network
      Detects unsuccessful attack attempts | Verifies success or failure of attacks
      Near real-time response | Usually only responds after a suspicious log entry has been made
      OS-independent | OS-specific
      Payload: in computer networking and telecommunications, when a transmission unit is sent from the source to the destination, it contains both a header and the actual data to be transmitted. This actual data is called the payload.
  • 16. The basic process for an IDS is that a NIDS or HIDS passively collects data and preprocesses and classifies it. Statistical analysis can be done to determine whether the information falls outside normal activity, and if so, it is then matched against a knowledge base. If a match is found, an alert is sent.
  • 19. What Is an Intrusion-Prevention System (IPS)?
      It is still early in the development of intrusion-prevention systems (IPSs). An IPS sits inline on the network and monitors it, and when an event occurs, it takes action based on prescribed rules. This is unlike IDSs, which do not sit inline and are passive.
  • 20. Types of IPS Systems
      • Host-based Intrusion-Prevention System (HIPS)
      • Network-based Intrusion-Prevention System (NIPS)
      • Hybrids
  • 21. User actions should correspond to actions in a predefined knowledge base; if an action isn't on the accepted list, the IPS will prevent the action. Unlike an IDS, the logic in an IPS is typically applied before the action is executed in memory. Other IPS methods compare file checksums to a list of known-good checksums before allowing a file to execute, or work by intercepting system calls.
  • 22. An IPS will typically consist of four main components:
      • Traffic normalizer
      • Service scanner
      • Detection engine
      • Traffic shaper
  • 23. The traffic normalizer will interpret the network traffic and do packet analysis and packet reassembly, as well as performing basic blocking functions. The traffic is then fed into the detection engine and the service scanner. The service scanner builds a reference table that classifies the information and helps the traffic shaper manage the flow of the information. The detection engine does pattern matching against the reference table, and the appropriate response is determined.
  • 25. IDS | IPS
      Installed on network segments (NIDS) and on hosts (HIDS) | Installed on network segments (NIPS) and on hosts (HIPS)
      Sits on network passively | Sits inline (not passive)
      Cannot parse encrypted traffic | Better at protecting applications
      Central management control | Central management control
      Better at detecting hacking attacks | Ideal for blocking web defacement
      Alerting product (reactive) | Blocking product (proactive)
  • 26. Why Are IDSs and IPSs Important?
      1. Greater proficiency in detecting intrusions than by doing it manually
      2. In-depth knowledge bases to draw from
      3. Ability to deal with large volumes of data
      4. Near real-time alerting capabilities that help reduce potential damages
  • 27. Why Are IPSs Important?
      • Automated responses, such as logging off a user, disabling a user account, or launching automated scripts
      • Strong deterrent* value
      • Built-in forensic capabilities
      • Built-in reporting capabilities
      *Deterrent: a thing that discourages or is intended to discourage someone from doing something. E.g. "cameras are a major deterrent to crime"
  • 28. ASSIGNMENT 1
      Q1. Explain the architecture of IDS and IPS with suitable diagrams.
      Q2. What are the pros and cons of IDS and IPS?
      Last date of submission: 30/11/2020
  • 29. Why Are IPSs Important? MOST IMPORTANT:
      1. Legal and regulatory issues
      2. Quantification of attacks
      3. Establishment of an overall defense-in-depth strategy
  • 30. IDS and IPS Analysis Schemes
      IDSs and IPSs perform analyses. It is important to understand the analysis process:
      - what analysis does
      - what types of analysis are available
      - what the advantages and disadvantages of different analysis schemes are
  • 31. What Is Analysis?
      Analysis, in the context of intrusion detection and prevention, is the organization of the constituent parts of data and their interrelationships to identify any anomalous activity of interest. Real-time analysis is analysis done on the fly as the data travels the path to the network or host.
      (Figure: Relationship between Baseline and Anomalous Network Activity; regions labelled "Baseline Activities" and "Anomalous Activities")
  • 32. Goals of intrusion-detection and intrusion-prevention analysis
      • Create records of relevant activity for follow-up
      • Determine flaws in the network by detecting specific activities
      • Record unauthorized activity for use in forensics or criminal prosecution of intrusion attacks
      • Act as a deterrent to malicious activity
      • Increase accountability by linking activities of one individual across systems
  • 33. Intrusion Analysis Process
      (Figure: Data Collected From Sensors -> Pre-Processing -> Analysis -> Response -> Refinement)
  • 35. Intrusion Analysis Process
      (Figure: Sensors -> Pre-Processing (classification of data into baseline activity / anomalous activity, DB) -> Analysis (analysis schemes, core analysis engine) -> Response -> Refinement)
      Example analysis schemes in the core analysis engine:
      • Detection of the modification of system log files
      • Detection of unexpected privilege escalation
      • Detection of Backdoor Netbus
      • Detection of Backdoor SubSeven
      • ORACLE grant attempt
      • RPC mountd UDP export request
  • 36. Analysis Process
      (Figure: Sensors -> Pre-Processing (DB) -> Analysis (classified data compared by the core analysis engine against the KB: templates for different anomaly cases) -> Response -> Refinement)
      • Once the preprocessing is completed, the analysis stage begins.
      • The data record is compared to the knowledge base, and the data record will either be logged as an intrusion event or it will be dropped.
      • Then the next data record is analyzed.
  • 37. Response Phase
      (Figure: Sensors -> Pre-Processing (DB) -> Analysis (core analysis engine, classified data, KB) -> ANOMALY -> IDS or IPS -> Response -> Refinement)
      The RESPONSE of an IDS and of an IPS (against an anomaly) is a differentiating factor.
  • 38. Response Phase (IDS)
      (Figure: ANOMALY -> IDS -> Log File, ALARM)
  • 39. Response Phase (IPS)
      (Figure: ANOMALY -> IPS -> Network / System Blocked: Intrusion Prevention)
  • 40. Response Phase
      (Figure: ANOMALY -> IDS: Reactive Security; ANOMALY -> IPS: Proactive Security)
  • 41. Proactive (adjective): (of a person or action) creating or controlling a situation rather than just responding to it after it has happened. E.g. "employers must take a proactive approach to equal pay"
  • 42. Refinement Phase
      (Figure: ANOMALY -> IDS/IPS -> Refinement: tuning of IDS/IPS tools, e.g. CTR*)
      *Cisco Threat Response (CTR) helps with the refining stage by making sure that an alert is valid: it checks whether you are actually vulnerable to that attack or not.
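The analysis process described on slides 16 and 33 to 42 (sensors, preprocessing, comparison against a baseline and a knowledge base, then an IDS alarm or an IPS block), as an added Python example that is not part of the slides. The sensor records, the baseline byte counts, the two signatures and the z-score threshold are all constructed for illustration and are not any product's rules.

```python
"""Toy intrusion-analysis pipeline: sensors -> preprocessing -> analysis
(signature match, then statistical baseline check) -> response. Added
example, not from the slides; every value below is constructed."""
import re
import statistics
from dataclasses import dataclass

# Constructed sensor records, one event per line: "src dst port bytes message"
SENSOR_DATA = """\
10.0.0.5 10.0.0.20 22 412 sshd: accepted publickey for alice
10.0.0.7 10.0.0.20 80 980 httpd: GET /index.html
10.0.0.9 10.0.0.20 445 61000 smbd: session setup
10.0.0.5 10.0.0.20 22 380 sudo: alice : TTY=pts/0 ; COMMAND=/bin/su root
10.0.0.11 10.0.0.20 22 400 auditd: /var/log/auth.log truncated by pid 4412
"""

# Knowledge base of misuse signatures, named after two of slide 35's examples;
# the regexes are illustrative, not any product's rules.
KNOWLEDGE_BASE = {
    "modification of system log files": re.compile(r"/var/log/\S+ (truncated|deleted|modified)"),
    "unexpected privilege escalation": re.compile(r"COMMAND=/bin/su root"),
}

# Baseline profile: bytes per event observed during normal activity (constructed)
BASELINE_BYTES = [350, 400, 420, 500, 900, 1100, 1300, 450, 390, 990]

@dataclass
class Alert:
    src: str
    reason: str
    action: str  # "ALARM" for an IDS (reactive), "BLOCK" for an IPS (proactive)

def preprocess(raw: str) -> list:
    """Preprocessing: parse raw sensor lines into classified records."""
    records = []
    for line in raw.splitlines():
        src, dst, port, nbytes, msg = line.split(" ", 4)
        records.append({"src": src, "dst": dst, "port": int(port),
                        "bytes": int(nbytes), "msg": msg})
    return records

def is_anomalous(nbytes: int, baseline: list, z_threshold: float = 3.0) -> bool:
    """Profile-based (anomaly) detection: z-score of the event against the baseline."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline)
    return abs(nbytes - mean) / stdev > z_threshold

def analyze(records: list, mode: str = "IDS") -> list:
    """Analysis plus response: signature hits first, then the baseline profile; mode picks the action."""
    if mode not in ("IDS", "IPS"):
        raise ValueError("mode must be 'IDS' or 'IPS'")
    action = "ALARM" if mode == "IDS" else "BLOCK"
    alerts = []
    for rec in records:
        for name, pattern in KNOWLEDGE_BASE.items():
            if pattern.search(rec["msg"]):  # misuse / signature detection
                alerts.append(Alert(rec["src"], f"signature: {name}", action))
                break
        else:  # no signature hit: fall back to the statistical profile
            if is_anomalous(rec["bytes"], BASELINE_BYTES):
                reason = f"anomaly: {rec['bytes']} bytes on port {rec['port']}"
                alerts.append(Alert(rec["src"], reason, action))
    return alerts

def run(mode: str = "IDS") -> list:
    return analyze(preprocess(SENSOR_DATA), mode)

if __name__ == "__main__":
    for alert in run("IDS") + run("IPS"):
        print(alert)
```

Running it in "IDS" mode yields three alarms (one anomaly, two signature hits); the same records in "IPS" mode yield three blocks, which is the differentiating response of slides 37 to 40.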
  • 43. Detection Approaches
      • Misuse Detection / Rule-Based / Signature Detection / Pattern Matching
      • Anomaly Detection / Profile-Based Detection