INTRUSION DETECTION SYSTEM (BASED ON OSI LAYER MODEL)
CONTENTS
• Introduction
• System Overview
• Comparison between NIDS and HIDS
• Types of attacks
• Advantages & Disadvantages
• Applications
• Conclusion
• References
Introduction
What is an intrusion?
• Any set of actions that attempt to compromise the confidentiality, integrity, or availability of a computer resource
Types of Intruders
• In an early study of intrusion, Anderson identified three classes of intruders:
→ Masqueraders: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account.
→ Misfeasor: A legitimate user who accesses data, programs or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
→ Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit actions.
What is in an IDS?
● Intrusion detection is the process of identifying and responding to malicious activity targeted at resources.
● An IDS is a system designed to test/analyze network system traffic/events against a given set of parameters and alert/capture data when these thresholds are met.
● An IDS uses collected information and a predefined knowledge-based system to reason about the possibility of an intrusion.
● An IDS also provides services to cope with intrusion, such as giving alarms, activating programs to try to deal with the intrusion, etc.
Different types of IDS
● Network IDS (NIDS)
Examines all network traffic that passes the NIC that the sensor is
running on
● Host based IDS (HIDS)
An agent on the host that monitors host activities and log files
● Stack-Based IDS
*An agent on the host that monitors all of the packets that leave or
enter the host
*Can monitor a specific protocol(s) (e.g. HTTP for webserver)
Why do we need IDS?
• Firewalls use rules to reject unwanted network traffic
• Hackers can hide attacks in “acceptable” network traffic, thereby bypassing the firewall
• An IDS actually monitors the network traffic, packet by packet
• An IDS uses rules as well as signatures to identify unwanted network traffic
• An IDS can learn acceptable network traffic
Principles of Intrusion Detection Systems
• An IDS must run unattended for extended periods of time
• The IDS must stay active and secure
• The IDS must be able to recognize unusual activity
• The IDS must operate without unduly affecting the system’s activity
• The IDS must be configurable
System Overview
[Figure: Architecture of the proposed system]
Network-based IDS
● Monitor activity on the network for
→ Known attacks
→ Suspicious network activity
● Designed to detect attacks such as
→ Denial of service
→ Network probes
→ Malformed packets, etc.
● Can be some overlap with firewall
● Real-time monitoring of networks
Placement of Network-based IDS
• Deployment options:
→ Outside firewall
→ Just inside firewall
→ Combination of both will detect attacks getting through firewall and may help to refine firewall rule set.
→ Behind remote access server
→ Between Business Units
→ Between Corporate Network and Partner Networks
Host-based IDS
● Monitor activities on hosts for
→ Known attacks or
→ Suspicious behavior
● Designed to detect attacks such as
→ Buffer overflow
→ Escalation of privilege
● Host-based IDS are often critical in detecting internal attacks directed towards an
organization’s servers such as DNS, Mail, and Web Servers
Placement of Host-based IDS
• Deployment options:
→ Key servers that contain mission-critical and sensitive information
→ Web servers
→ FTP and DNS servers
→ E-commerce database servers, etc.
→ Workstations
COMPARISON
Host Based
• Narrow in scope (watches only specific host activities)
• More complex setup
• Better for detecting attacks from the inside
• More expensive to implement
• Detection is based on what any single host can record
• Does not see packet headers
• Usually only responds after a suspicious log entry has been made
• OS-specific
• Detects local attacks before they hit the network
• Verifies success or failure of attacks
Network Based
• Broad in scope (watches all network activities)
• Easier setup
• Better for detecting attacks from the outside
• Less expensive to implement
• Detection is based on what can be recorded on the entire network
• Examines packet headers
• Near real-time response
• OS-independent
• Detects network attacks as payload is analyzed
• Detects unsuccessful attack attempts
TYPES OF ATTACKS
● Attacks over OSI layers:
→ Application layer: Buffer overflow
→ Transport layer: TCP SYN flood
→ Network layer: Sniffing
● Host attacks:
→ Security log
Buffer overflow Attack
• A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
• Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs: if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, an anomalous transaction that produces more data can cause a write past the end of the buffer. If this overwrites adjacent data or executable code, it may result in erratic program behavior, including memory access errors, incorrect results, and crashes.
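The overwrite of adjacent memory described above, next to a length-checked version, as an added example that is not part of the original slides. The `session` struct, its `is_admin` field and the function names are hypothetical; the unchecked copy is deliberately capped at the end of the struct so the demonstration stays well-defined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Hypothetical record: a fixed-size buffer with another field right after it. */
struct session {
    char name[NAME_LEN];     /* buffer sized for the "expected" input */
    unsigned int is_admin;   /* adjacent memory that must not be touched */
};

/* Constructed input: 20 bytes, longer than the 16-byte buffer. */
static const char OVERSIZED[] = "AAAAAAAAAAAAAAAAAAAA";

/* "Before": trusts the caller's length. The write is capped at the end of
 * the struct only to keep this demo defined; a real unchecked copy has no
 * such cap and keeps writing into whatever memory follows. */
void store_name_unchecked(struct session *s, const char *input, size_t len)
{
    unsigned char *dst = (unsigned char *)s + offsetof(struct session, name);
    size_t room = sizeof *s - offsetof(struct session, name);

    memcpy(dst, input, len < room ? len : room);
}

/* "After": refuses input that does not fit together with its terminator. */
int store_name_checked(struct session *s, const char *input, size_t len)
{
    if (len >= NAME_LEN)
        return -1;           /* reject instead of truncating silently */
    memcpy(s->name, input, len);
    s->name[len] = '\0';
    return 0;
}

/* Value of the adjacent field after the unchecked copy of OVERSIZED. */
unsigned int admin_flag_after_unchecked(void)
{
    struct session s;

    memset(&s, 0, sizeof s);
    store_name_unchecked(&s, OVERSIZED, strlen(OVERSIZED));
    return s.is_admin;       /* no longer 0: bytes 16..19 landed here */
}

/* Value of the adjacent field after the checked copy rejects OVERSIZED. */
unsigned int admin_flag_after_checked(void)
{
    struct session s;

    memset(&s, 0, sizeof s);
    (void)store_name_checked(&s, OVERSIZED, strlen(OVERSIZED));
    return s.is_admin;       /* still 0 */
}

int main(void)
{
    printf("unchecked copy: is_admin = 0x%x\n", admin_flag_after_unchecked());
    printf("checked copy:   is_admin = 0x%x\n", admin_flag_after_checked());
    return 0;
}
```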
TCP SYN FLOOD ATTACK
● Normally, when a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which runs like this:
1. The client requests a connection by sending a SYN (synchronize) message to the server.
2. The server acknowledges this request by sending SYN-ACK back to the client.
3. The client responds with an ACK, and the connection is established.
● This is called the TCP three-way handshake, and it is the foundation for every connection established using the TCP protocol. A SYN flood attack works by not responding to the server with the expected ACK code.
● The malicious client can either simply not send the expected ACK, or spoof the source IP address in the SYN, causing the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN.
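One way a network sensor can turn the handshake above into a detection rule, as an added example that is not part of the original slides: count the SYNs whose step-3 ACK has not arrived and alert when too many are outstanding. The packet record layout, the timeout and the threshold are assumptions, the traffic is constructed, and the sensor is assumed to see only client-to-server segments for one monitored server.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define F_SYN 0x02u
#define F_RST 0x04u
#define F_ACK 0x10u
#define MAX_PENDING       1024
#define HALF_OPEN_TIMEOUT 30u  /* seconds a SYN may wait for its ACK (assumed) */
#define ALERT_THRESHOLD   5    /* half-open limit, kept low for the demo (assumed) */
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* One client-to-server TCP segment as seen by the sensor (constructed format). */
struct pkt { uint32_t t; uint32_t src; uint16_t sport; uint8_t flags; };

/* A handshake that has sent its SYN but not yet its final ACK. */
struct pending { uint32_t t; uint32_t src; uint16_t sport; int used; };
static struct pending table[MAX_PENDING];

static struct pending *lookup(uint32_t src, uint16_t sport)
{
    for (size_t i = 0; i < MAX_PENDING; i++)
        if (table[i].used && table[i].src == src && table[i].sport == sport)
            return &table[i];
    return NULL;
}

/* Expire stale entries, then return how many handshakes still lack an ACK. */
int half_open_count(uint32_t now)
{
    int n = 0;

    for (size_t i = 0; i < MAX_PENDING; i++) {
        if (!table[i].used)
            continue;
        if (now >= table[i].t && now - table[i].t > HALF_OPEN_TIMEOUT)
            table[i].used = 0;
        else
            n++;
    }
    return n;
}

/* Update state for one segment; returns 1 while the half-open count is at
 * or above the threshold. A SYN arriving when the table is full is not
 * recorded, but by then the count is already far above the threshold. */
int observe(const struct pkt *p)
{
    struct pending *e = lookup(p->src, p->sport);

    if ((p->flags & F_SYN) && !(p->flags & F_ACK)) {     /* step 1: SYN */
        for (size_t i = 0; !e && i < MAX_PENDING; i++) {
            if (!table[i].used) {
                table[i] = (struct pending){ p->t, p->src, p->sport, 1 };
                e = &table[i];
            }
        }
    } else if (e && (p->flags & (F_ACK | F_RST))) {      /* step 3, or abort */
        e->used = 0;
    }
    return half_open_count(p->t) >= ALERT_THRESHOLD;
}

/* Replay a capture from a clean state; returns the index of the first
 * segment that raised an alert, or -1 if none did. */
int replay(const struct pkt *pkts, size_t n)
{
    int first = -1;

    memset(table, 0, sizeof table);
    for (size_t i = 0; i < n; i++)
        if (observe(&pkts[i]) && first < 0)
            first = (int)i;
    return first;
}

/* Constructed traffic; source addresses are from documentation ranges. */
const struct pkt NORMAL[] = {            /* every SYN is followed by its ACK */
    { 1, 0xC0000201u, 40000, F_SYN }, { 1, 0xC0000201u, 40000, F_ACK },
    { 2, 0xC0000202u, 40001, F_SYN }, { 3, 0xC0000202u, 40001, F_ACK },
    { 4, 0xC0000203u, 40002, F_SYN }, { 5, 0xC0000203u, 40002, F_ACK },
};
const struct pkt FLOOD[] = {             /* SYNs only, the ACK never arrives */
    { 100, 0xC6336401u, 1025, F_SYN }, { 101, 0xC6336402u, 1026, F_SYN },
    { 102, 0xC6336403u, 1027, F_SYN }, { 103, 0xC6336404u, 1028, F_SYN },
    { 104, 0xC6336405u, 1029, F_SYN }, { 105, 0xC6336406u, 1030, F_SYN },
    { 106, 0xC6336407u, 1031, F_SYN }, { 107, 0xC6336408u, 1032, F_SYN },
};

int main(void)
{
    printf("normal: first alert at segment %d\n", replay(NORMAL, COUNT(NORMAL)));
    printf("flood:  first alert at segment %d\n", replay(FLOOD, COUNT(FLOOD)));
    printf("flood:  half-open at t=107: %d\n", half_open_count(107));
    return 0;
}
```

Keying on outstanding handshakes rather than on the source address matters because, as the slide notes, the source IP in a SYN flood may be falsified.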
SNIFFER ATTACK
• A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the attacker does not have access to the key.
• Using a sniffer, an attacker can do any of the following:
→ Analyze your network and gain information to eventually cause your network to crash or to become corrupted.
→ Read your communications.
ADVANTAGES AND DISADVANTAGES
ADVANTAGES
• Can detect external hackers, as well as, internal network-based attacks
• Scales easily to provide protection for the entire network
• Offers centralized management for correlation of distributed attacks
• Provides defense in depth
• Gives administrators the ability to quantify attacks
• Provides an additional layer of protection
DISADVANTAGES
• Generates false positives and negatives
• Reacts to attacks rather than preventing them
• Requires full-time monitoring and highly skilled staff dedicated to interpreting
the data
• Requires a complex incident response process
• Cannot monitor traffic at higher network traffic rates
• Generates an enormous amount of data to be analyzed
• Cannot deal with encrypted network traffic
• It is expensive
Conclusion
• The IDS detects attacks at various layers, such as application-layer and transport-layer attacks and abnormal packets in the network IDS, and additionally unauthorized access in the host IDS.
• The proposed system provides both types of functionality in one system, which improves overall efficiency compared with the existing IDS.
INTERNET SECURITY SYSTEM

More Related Content

What's hot

Intruders
IntrudersIntruders
Intrusion Detection
Intrusion DetectionIntrusion Detection
Intrusion Detection
Gregory Hanis
 
Ids & ips
Ids & ipsIds & ips
Ips and ids
Ips and idsIps and ids
Ips and ids
padolph25
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system ppt
Sheetal Verma
 
Ids
IdsIds
Using Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection SystemsUsing Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection Systems
Omar Shaya
 
Network protocols and vulnerabilities
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilities
G Prachi
 
Intrusion detection and prevention system for network using Honey pots and Ho...
Intrusion detection and prevention system for network using Honey pots and Ho...Intrusion detection and prevention system for network using Honey pots and Ho...
Intrusion detection and prevention system for network using Honey pots and Ho...
Eng. Mohammed Ahmed Siddiqui
 
Network defenses
Network defensesNetwork defenses
Network defenses
G Prachi
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
Nicholas Davis
 
Chapter 12
Chapter 12Chapter 12
Chapter 12
cclay3
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
Santosh Khadsare
 
Data Mining and Intrusion Detection
Data Mining and Intrusion Detection Data Mining and Intrusion Detection
Data Mining and Intrusion Detection
amiable_indian
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
sweta dargad
 
Intrusion detection in wireless sensor network
Intrusion detection in wireless sensor networkIntrusion detection in wireless sensor network
Intrusion detection in wireless sensor network
Vinayak Raja
 
Practical real-time intrusion detection using machine learning approaches
Practical real-time intrusion detection using machine learning approachesPractical real-time intrusion detection using machine learning approaches
Practical real-time intrusion detection using machine learning approaches
Full Stack Developer at Electro Mizan Andisheh
 
SDN and Named Data Networking Security
SDN and Named Data Networking SecuritySDN and Named Data Networking Security
SDN and Named Data Networking Security
wolverinetyagi
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
G Prachi
 
Using Genetic algorithm for Network Intrusion Detection
Using Genetic algorithm for Network Intrusion DetectionUsing Genetic algorithm for Network Intrusion Detection
Using Genetic algorithm for Network Intrusion Detection
Sagar Uday Kumar
 

What's hot (20)

Intruders
IntrudersIntruders
Intruders
 
Intrusion Detection
Intrusion DetectionIntrusion Detection
Intrusion Detection
 
Ids & ips
Ids & ipsIds & ips
Ids & ips
 
Ips and ids
Ips and idsIps and ids
Ips and ids
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system ppt
 
Ids
IdsIds
Ids
 
Using Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection SystemsUsing Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection Systems
 
Network protocols and vulnerabilities
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilities
 
Intrusion detection and prevention system for network using Honey pots and Ho...
Intrusion detection and prevention system for network using Honey pots and Ho...Intrusion detection and prevention system for network using Honey pots and Ho...
Intrusion detection and prevention system for network using Honey pots and Ho...
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
 
Chapter 12
Chapter 12Chapter 12
Chapter 12
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Data Mining and Intrusion Detection
Data Mining and Intrusion Detection Data Mining and Intrusion Detection
Data Mining and Intrusion Detection
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
 
Intrusion detection in wireless sensor network
Intrusion detection in wireless sensor networkIntrusion detection in wireless sensor network
Intrusion detection in wireless sensor network
 
Practical real-time intrusion detection using machine learning approaches
Practical real-time intrusion detection using machine learning approachesPractical real-time intrusion detection using machine learning approaches
Practical real-time intrusion detection using machine learning approaches
 
SDN and Named Data Networking Security
SDN and Named Data Networking SecuritySDN and Named Data Networking Security
SDN and Named Data Networking Security
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
 
Using Genetic algorithm for Network Intrusion Detection
Using Genetic algorithm for Network Intrusion DetectionUsing Genetic algorithm for Network Intrusion Detection
Using Genetic algorithm for Network Intrusion Detection
 

Similar to INTERNET SECURITY SYSTEM

Intruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptxIntruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptx
SriK49
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
Nicholas Davis
 
Cours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptxCours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptx
ssuserc517ee1
 
012
012012
Intrusion detection system IDS
Intrusion detection system IDSIntrusion detection system IDS
Intrusion detection system IDS
MAURICE NTAHOBARI
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
Shaurya Gogia
 
Unit-5.pptx
Unit-5.pptxUnit-5.pptx
Unit-5.pptx
RoyBokhiriya
 
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptFALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
useonlyfortech140
 
IS-Types of IDPSs.pptx
IS-Types of IDPSs.pptxIS-Types of IDPSs.pptx
IS-Types of IDPSs.pptx
V.V.Vanniaperumal College for Women
 
Day4
Day4Day4
Day4
Jai4uk
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
Akhil Kumar
 
Describe firewalls
Describe firewallsDescribe firewalls
Describe firewalls
Влад Панасенко
 
Introduction to Cyber security module - III
Introduction to Cyber security module - IIIIntroduction to Cyber security module - III
Introduction to Cyber security module - III
TAMBEMAHENDRA1
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
Programmer
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
Roshan Ranabhat
 
arun.ppt
arun.pptarun.ppt
arun.ppt
SunilKatkar5
 
arun.ppt
arun.pptarun.ppt
arun.ppt
DiyarAldusky
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
Loay Elbasyouni
 
information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...
Zara Nawaz
 
Intrusion Detection in WLANs
Intrusion Detection in WLANsIntrusion Detection in WLANs
Intrusion Detection in WLANs
ronrulzzz
 

Similar to INTERNET SECURITY SYSTEM (20)

Intruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptxIntruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptx
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
 
Cours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptxCours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptx
 
012
012012
012
 
Intrusion detection system IDS
Intrusion detection system IDSIntrusion detection system IDS
Intrusion detection system IDS
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
 
Unit-5.pptx
Unit-5.pptxUnit-5.pptx
Unit-5.pptx
 
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptFALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
 
IS-Types of IDPSs.pptx
IS-Types of IDPSs.pptxIS-Types of IDPSs.pptx
IS-Types of IDPSs.pptx
 
Day4
Day4Day4
Day4
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Describe firewalls
Describe firewallsDescribe firewalls
Describe firewalls
 
Introduction to Cyber security module - III
Introduction to Cyber security module - IIIIntroduction to Cyber security module - III
Introduction to Cyber security module - III
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
arun.ppt
arun.pptarun.ppt
arun.ppt
 
arun.ppt
arun.pptarun.ppt
arun.ppt
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
 
information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...
 
Intrusion Detection in WLANs
Intrusion Detection in WLANsIntrusion Detection in WLANs
Intrusion Detection in WLANs
 

Recently uploaded

CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURSCompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
RamonNovais6
 
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
171ticu
 
spirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptxspirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptx
Madan Karki
 
Curve Fitting in Numerical Methods Regression
Curve Fitting in Numerical Methods RegressionCurve Fitting in Numerical Methods Regression
Curve Fitting in Numerical Methods Regression
Nada Hikmah
 
International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...
gerogepatton
 
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student MemberIEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
VICTOR MAESTRE RAMIREZ
 
AI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptxAI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptx
architagupta876
 
The Python for beginners. This is an advance computer language.
The Python for beginners. This is an advance computer language.The Python for beginners. This is an advance computer language.
The Python for beginners. This is an advance computer language.
sachin chaurasia
 
Material for memory and display system h
Material for memory and display system hMaterial for memory and display system h
Material for memory and display system h
gowrishankartb2005
 
Transformers design and coooling methods
Transformers design and coooling methodsTransformers design and coooling methods
Transformers design and coooling methods
Roger Rozario
 
Generative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of contentGenerative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of content
Hitesh Mohapatra
 
cnn.pptx Convolutional neural network used for image classication
cnn.pptx Convolutional neural network used for image classicationcnn.pptx Convolutional neural network used for image classication
cnn.pptx Convolutional neural network used for image classication
SakkaravarthiShanmug
 
BRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdfBRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdf
LAXMAREDDY22
 
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
Gino153088
 
Data Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason WebinarData Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason Webinar
UReason
 
Hematology Analyzer Machine - Complete Blood Count
Hematology Analyzer Machine - Complete Blood CountHematology Analyzer Machine - Complete Blood Count
Hematology Analyzer Machine - Complete Blood Count
shahdabdulbaset
 
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
IJECEIAES
 
Introduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptxIntroduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptx
MiscAnnoy1
 
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
ecqow
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
21UME003TUSHARDEB
 

Recently uploaded (20)

CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURSCompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
 
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
 
spirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptxspirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptx
 
Curve Fitting in Numerical Methods Regression
Curve Fitting in Numerical Methods RegressionCurve Fitting in Numerical Methods Regression
Curve Fitting in Numerical Methods Regression
 
International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...
 
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student MemberIEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
 
AI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptxAI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptx
 
The Python for beginners. This is an advance computer language.
The Python for beginners. This is an advance computer language.The Python for beginners. This is an advance computer language.
The Python for beginners. This is an advance computer language.
 
Material for memory and display system h
Material for memory and display system hMaterial for memory and display system h
Material for memory and display system h
 
Transformers design and coooling methods
Transformers design and coooling methodsTransformers design and coooling methods
Transformers design and coooling methods
 
Generative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of contentGenerative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of content
 
cnn.pptx Convolutional neural network used for image classication
cnn.pptx Convolutional neural network used for image classicationcnn.pptx Convolutional neural network used for image classication
cnn.pptx Convolutional neural network used for image classication
 
BRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdfBRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdf
 
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
 
Data Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason WebinarData Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason Webinar
 
Hematology Analyzer Machine - Complete Blood Count
Hematology Analyzer Machine - Complete Blood CountHematology Analyzer Machine - Complete Blood Count
Hematology Analyzer Machine - Complete Blood Count
 
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
 
Introduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptxIntroduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptx
 
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
 

INTERNET SECURITY SYSTEM

  • 1. INTRUSION DETECTION SYSTEM (BASED ON OSI LAYER MODEL)
  • 2. CONTENTS  Introduction  System Overview  Comparison between NIDS and HIDS  Types of attacks  Advantages & Disadvantages  Applications  Conclusion  References
  • 3. What is an intrusion? •Any set of actions that attempt to compromise the confidentiality, integrity, or availability of a computer resource Introduction
  • 4. Types of Intruders • In an early study of intrusion, Anderson identified three classes of intruders:  Masqueraders: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account.  Misfeasor: A legitimate user who accesses data, programs or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.  Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit actions.
  • 5. ●Intrusion detection is the process of identifying and responding to malicious activity targeted at resources. ● IDS is a system designed to test/analyze network system traffic/events against a given set of parameters and alert/capture data when these thresholds are met. ● IDS uses collected information and predefined knowledge-based system to reason about the possibility of an intrusion. ● IDS also provides services to cop with intrusion such as giving alarms, activating programs to try to deal with intrusion, etc. What is in an IDS?
  • 6. Different types of IDS ● Network IDS (NIDS) Examines all network traffic that passes the NIC that the sensor is running on ● Host based IDS (HIDS) An agent on the host that monitors host activities and log files ● Stack-Based IDS *An agent on the host that monitors all of the packets that leave or enter the host *Can monitor a specific protocol(s) (e.g. HTTP for webserver)
  • 7. Why do we need IDS ?  Firewalls use rules to reject unwanted network traffic  Hackers can hide attacks in “acceptable” network traffic, therefore bypassing the firewall  IDS actually monitor the network traffic, packet by packet  IDS use rules as well as signatures to identify unwanted network traffic  IDS can learn acceptable network traffic
  • 8. Principles of Intrusion Detection Systems  An IDS must run unattended for extended periods of time  The IDS must stay active and secure  The IDS must be able to recognize unusual activity  The IDS must operate without unduly affecting the system’s activity  The IDS must be configurable
  • 10. ● Monitor activity on the network for →Known attacks →Suspicious network activity ● Designed to detect attacks such as →Denial of service →Network probes →Malformed packets, etc. ● Can be some overlap with firewall ● Real-time monitoring of networks Network-based IDS
  • 11. . Placement of Network-based IDS  Deployment options:  Outside firewall  Just inside firewall  Combination of both will detect attacks getting through firewall and may help to refine firewall rule set.  Behind remote access server  Between Business Units  Between Corporate Network and Partner Networks
  • 12. Host-based IDS ● Monitor activities on hosts for → Known attacks or → Suspicious behavior ● Designed to detect attacks such as → Buffer overflow → Escalation of privilege ● Host-based IDS are often critical in detecting internal attacks directed towards an organization’s servers such as DNS, Mail, and Web Servers
  • 13. Placement of Host-based IDS
    ● Deployment options:
      → Key servers that contain mission-critical and sensitive information
      → Web servers
      → FTP and DNS servers
      → E-commerce database servers, etc.
      → Workstations
  • 14. COMPARISON
    Host Based
      • Narrow in scope (watches only specific host activities)
      • More complex setup
      • Better for detecting attacks from the inside
      • More expensive to implement
      • Detection is based on what any single host can record
      • Does not see packet headers
      • Usually only responds after a suspicious log entry has been made
      • OS-specific
      • Detects local attacks before they hit the network
      • Verifies success or failure of attacks
    Network Based
      • Broad in scope (watches all network activities)
      • Easier setup
      • Better for detecting attacks from the outside
      • Less expensive to implement
      • Detection is based on what can be recorded on the entire network
      • Examines packet headers
      • Near real-time response
      • OS-independent
      • Detects network attacks as payload is analyzed
      • Detects unsuccessful attack attempts
  • 15. TYPES OF ATTACKS
    ● Attacks over OSI layers:
      → Application layer: Buffer overflow
      → Transport layer: TCP SYN flood
      → Network layer: Sniffing
    ● Host attacks:
      → Security log
  • 16. Buffer overflow Attack
    ● A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
    ● Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs: if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, then an anomalous transaction that produces more data could cause the program to write past the end of the buffer. If this overwrites adjacent data or executable code, it may result in erratic program behavior, including memory access errors, incorrect results, and crashes.
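The size assumption described on this slide, next to a bounds-checked version, as an added example that is not part of the original slides. The `record` structure, the 16-byte size and both function names are hypothetical, chosen only for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16               /* buffer sized for the "expected" input */

struct record {
    char name[NAME_BUF];
    int  is_admin;                /* adjacent data an overrun could overwrite */
};

/* The assumption from the slide: "input is always smaller than the buffer".
 * Kept for contrast only and never called in this example. */
void set_name_unchecked(struct record *r, const char *input) {
    strcpy(r->name, input);       /* no bound: 16 or more characters write past name[] */
}

/* Hardened form: measure the input first and refuse what does not fit. */
int set_name_checked(struct record *r, const char *input) {
    size_t n = 0;
    while (n < NAME_BUF && input[n] != '\0')
        n++;                      /* never reads more than NAME_BUF bytes */
    if (n == NAME_BUF)
        return -1;                /* no room for the terminating NUL: reject */
    memcpy(r->name, input, n + 1);
    return 0;
}

int main(void) {
    struct record r = { "guest", 0 };
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* constructed, 32 bytes */
    int rc = set_name_checked(&r, oversized);
    printf("rc=%d name=%s is_admin=%d\n", rc, r.name, r.is_admin);
    return 0;
}
```

A rejected input leaves both `name` and the neighbouring `is_admin` field untouched, which is the property the unchecked copy cannot guarantee.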
  • 17. TCP SYN FLOOD ATTACK
    ● Normally, when a client attempts to start a TCP connection to a server, the client and server exchange a series of messages, which runs like this:
      1. The client requests a connection by sending a SYN (synchronize) message to the server.
      2. The server acknowledges this request by sending SYN-ACK back to the client.
      3. The client responds with an ACK, and the connection is established.
    ● This is called the TCP three-way handshake, and it is the foundation for every connection established using the TCP protocol. A SYN flood attack works by not responding to the server with the expected ACK code.
    ● The malicious client can either simply not send the expected ACK, or spoof the source IP address in the SYN, causing the server to send the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN.
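One way a network sensor can turn the handshake above into a detection rule, as an added example that is not part of the original slides: count handshakes that received a SYN but never the final ACK. It counts per protected server rather than per client, because spoofed SYNs arrive from many different source addresses. The `ids_*` names, the table size and the threshold of 5 are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define F_SYN 0x02            /* TCP header flag bits */
#define F_ACK 0x10
#define SLOTS 256             /* size of the half-open table (assumed) */
#define THRESHOLD 5           /* assumed alert level for this example */

struct pkt   { uint32_t src; uint16_t sport; uint8_t flags; };  /* client -> server */
struct entry { uint32_t src; uint16_t sport; int used; };
static struct entry half_open[SLOTS];
void ids_reset(void) { memset(half_open, 0, sizeof half_open); }

/* Record one client-to-server packet and return how many handshakes are
 * still waiting for the final ACK (step 3) afterwards. */
int ids_observe(const struct pkt *p) {
    int pending = 0, free_slot = -1, known = 0;
    int final_ack = (p->flags & F_ACK) && !(p->flags & F_SYN);
    for (int i = 0; i < SLOTS; i++) {
        struct entry *e = &half_open[i];
        int same = e->used && e->src == p->src && e->sport == p->sport;
        if (same && final_ack) e->used = 0;      /* handshake completed */
        if (same && e->used) known = 1;          /* retransmitted SYN: count once */
        if (e->used) pending++;
        else if (free_slot < 0) free_slot = i;
    }
    if (p->flags == F_SYN && !known && free_slot >= 0) {
        half_open[free_slot] = (struct entry){ p->src, p->sport, 1 };
        pending++;
    }
    return pending;
}

/* Returns 1 if the half-open count ever reaches THRESHOLD. */
int ids_scan(const struct pkt *pkts, int n) {
    int alert = 0;
    ids_reset();
    for (int i = 0; i < n; i++) alert |= ids_observe(&pkts[i]) >= THRESHOLD;
    return alert;
}

/* Constructed samples: addresses are plain integers, not real hosts. */
static const struct pkt normal[] = { {1,4000,F_SYN}, {1,4000,F_ACK}, {2,4001,F_SYN}, {2,4001,F_ACK} };
static const struct pkt flood[] = { {101,5000,F_SYN}, {102,5001,F_SYN}, {103,5002,F_SYN},
                                    {104,5003,F_SYN}, {105,5004,F_SYN}, {106,5005,F_SYN} };
int main(void) {
    printf("normal=%d flood=%d\n", ids_scan(normal, 4), ids_scan(flood, 6));
    return 0;
}
```

A production sensor would also expire old entries on a timer and tune the threshold to the server's normal connection rate; both are left out here to keep the handshake logic visible.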
  • 18. SNIFFER ATTACK
    ● A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the attacker does not have access to the key.
    ● Using a sniffer, an attacker can do any of the following:
      → Analyze your network and gain information to eventually cause your network to crash or to become corrupted.
      → Read your communications.
  • 19. ADVANTAGES AND DISADVANTAGES
    ADVANTAGES
      • Can detect external hackers as well as internal network-based attacks
      • Scales easily to provide protection for the entire network
      • Offers centralized management for correlation of distributed attacks
      • Provides defense in depth
      • Gives administrators the ability to quantify attacks
      • Provides an additional layer of protection
  • 20. DISADVANTAGES
      • Generates false positives and negatives
      • Reacts to attacks rather than preventing them
      • Requires full-time monitoring and highly skilled staff dedicated to interpreting the data
      • Requires a complex incident response process
      • Cannot monitor traffic at higher network traffic rates
      • Generates an enormous amount of data to be analyzed
      • Cannot deal with encrypted network traffic
      • It is expensive
  • 21. Conclusion
    ● An IDS detects attacks at various layers, such as application-layer and transport-layer attacks and abnormal packets in the network IDS, and additionally unauthorized access in the host IDS.
    ● The proposed system provides both types of functionality in one system, which improves the overall efficiency of the existing IDS.