first ever presentation containing basic information about Intrusion Detection System and Intrusion Prevention System with advantages and disadvantages... specially bibliography attached for engineering students. it also contains 2013 powerpoint graphics. hope it may helpful to u all.. your suggestions will be always welcomed..

1. 1

2. INTRUSION
Intrusion Detection system
Intrusion Preventation system
2

3. What is intrusion…???
 INTRUSIONS are the activities that violate the security
policy of system.
 Intrusion Detection System (IDS) : is software that
automates the intrusion detection process. The primary
responsibility of an IDS is to detect unwanted activities.
Intrusion Prevention System (IPS) : is software that has
all the capabilities of an intrusion detection system and can
also attempt to stop possible incidents.
3

4. 4

5. Types of IDS…
Based on the sources of the audit information used by
each IDS, the IDSs may be classified into
Host-base IDSs
Distributed IDSs
Network-based IDSs
5

6. Types in little details….
• Host Based IDS
• Get data from host trails.
• Detect attacks against a single host
• Distributed IDS
• Gather data from multiple host and possibly the network that
connects the hosts
• Detect attacks involving multiple hosts
• Network-Based IDS
• Detect attacks from network.
6

7. Intrusion Detection Techniques
Misuse detection
Anomaly detection`
7

8. Misuse Detection
• Based on known attack actions.
• Feature extract from known intrusions
• Integrate the Human knowledge.
• The rules are pre-defined
• Disadvantage:
• Cannot detect novel or unknown attacks
8

9. Anomaly Detection
• Based on the normal behavior of a subject.
Sometime assume the training data does not
include intrusion data.
• This type of detection is known as anomaly
detection.
• Here any action that significantly deviates from
the normal behavior is considered intrusion.
9

10. Anomaly Detection Disadvantages
• Based on data collected over a period of
normal operation.
• When a noise(intrusion) data in the training
data, it will make a mis-classification.
10

11. 11
Some of the benefits of IDS
• monitors the operation of firewalls, routers, key management
servers and files critical to other security mechanisms
• allows administrator to tune, organize and comprehend often
incomprehensible operating system audit trails and other logs
• can make the security management of systems by non-expert
staff possible by providing nice user friendly interface
• comes with extensive attack signature database against which
information from the customers system can be matched
• can recognize and report alterations to data files

12. 12
IDS is not a SILVER BULLET
• cannot conduct investigations of attacks without human
intervention
• cannot compensate for weaknesses in network protocols
• cannot compensate for weak identification and authentication
mechanisms
• capable of monitoring network traffic but to a certain extent of
traffic level

13. 13

14. Intrusion Prevention System
Intrusion prevention systems are network security devices
that monitor network and/or system activities for malicious
activity (intrusion)
Main functions of Intrusion Prevention System (IPS) are:
– Identify intrusion
– Log information about intrusion
– Attempt to block/stop intrusion and
– Report intrusion
• Intrusion Detection System (IDS) only detect intrusions
14

15. • Intrusion Prevention System (IPS) is any device
(hardware or software) that has the ability to detect
attacks, both known and unknown, and prevent the
attack from being successful.
WHAT IS IPS?

16. Intrusion Prevention Systems (IPS)
The bad guys are always one step ahead of the security
professionals.
Security professionals try and come up with innovative means
to detect and prevent attacks.
IPS is a preventive device rather than a detective device (IDS).

17. Broadly classified into two categories
• Host IPS (HIPS)
• Network IPS (NIPS)
CLASSIFICATION OF IPS

18. • HIPS is installed directly on the system being
protected
• It binds closely with the operating system
kernel and services, it monitors and intercepts
system calls to the kernel in order to prevent
attacks as well as log them.
HOST-IPS

19. • Has two network interfaces, one designated as
internal and one as external.
• Packets passed through both interfaces and
they determined whether the packet being
examined poses a threat.
• If it detects a malicious packet, an alert is
raised, the packets are discarded immediately.
Legitimate packets are passed through to the
second interface and on to their intended
destination.
NETWORK-IPS

20. INTRUSION PREVENTION
TECHNIQUES..
• Inline network intrusion protection systems.
• Layer seven switches.
• Application firewalls.
• Hybrid switches.
• Deceptive applications.

21. INLINE NETWORK IPS
• It is configured with two NICs, one for management
and one for detection.
• NIC that is configured for detection usually does not
have an IP address assigned .
• It works by sitting between the systems that need to
be protected and the rest of the network.
• It inspects the packet for any intrusion that it is
configured to look for.

22. LAYER SEVEN SWITCHES
• Placing these devices in front of your firewalls
would give protection for the entire network.
• However the drawbacks are that they can only
stop attacks that they know about.
• The only attack they can stop that most others
IPS can’t are the DoS attacks.

23. APPLICATION FIREWALLS
• These IPSs are loaded on each server that is to be
protected.
• These types of IPSs are customizable to each application
that they are to protect.
• It profiles a system before protecting it. During the profiling it
watches the user’s interaction with the application and the
applications interaction with the operating system to
determine what legitimate interaction looks like.
• The drawback is that when the application is updated it
might have to be profiled again so that it does not block
legitimate use.

24. HYBRID SWITCHES
• They inspect specific traffic for malicious
content as has been configured .
• Hybrid switch works in similar manner to layer
seven switch, but has detailed knowledge of
the web server and the application that sits on
top of the web server.
• It also fails,if the user’s request does not match
any of the permitted requests.

25. DECEPTIVE APPLICATIONS
• It watches all your network traffic and figures out
what is good traffic.
• When an attacker attempts to connect to
services that do not exist, it will send back a
response to the attacker
• The response will be “marked” with some bogus
data. When the attacker comes back again and
tries to exploit the server the IPS will see the
“marked” data and stop all traffic coming from
the attacker.

26. 26
Bibliography
[1] “An Introduction To Intrusion Detection Systems”
http://www.securityfocusonline.com
[2] “Intrusion Detection and Prevention Product Update”
http://www.cisco.com
[3] “An Introduction to Intrusion Detection”
http://www.acm.org

27. 27
Thank you for your attention and
time