The document discusses intrusion detection and prevention systems (IDS/IPS). It describes what an IDS is, the components of an IDS, and different types of IDS including network-based, host-based, and hybrid systems. It also covers the differences between passive and reactive IDS, as well as techniques attackers use to evade detection like fragmentation and small packets. The document concludes by discussing intrusion prevention systems and how they differ from IDS in their ability to block threats in real-time.
2. What is Intrusion Detection?
• An Intrusion Detection System (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems.
4. What does an IDS Detect?
• Attacks against a specific service, such as File Transfer Protocol (FTP)
• Data-driven attacks at the application layer. For example, a SQL injection error could be used to crash an application.
5. What Does an IDS Detect?
• Host-based attacks (privilege escalation)
• Malware: viruses, Trojan horses, worms
6. IDS Components
• Sensors – Generate security events such as log files
• Console – Monitors events and alerts, and controls sensors
• Engine – Analyzes the data using artificial intelligence to generate alerts from the events received
• 3 in 1 (sometimes all three are in one appliance)
8. Types of Intrusion Detection Systems
• Network-Based Intrusion Detection System (NIDS)
• Protocol-Based Intrusion Detection System (PIDS)
• Application Protocol-Based Intrusion Detection System (APIDS)
• Host-Based Intrusion Detection System (HIDS)
• Hybrid System
9. Network Intrusion Detection System
• Is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. Network Intrusion Detection Systems gain access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap. An example of a NIDS is Snort.
11. Protocol Based Intrusion Detection System
• Consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server.
12. Application Protocol Based Intrusion Detection System
• Consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application-specific protocols. For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.
13. Host Based Intrusion Detection System
• Consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state. An example of a HIDS is OSSEC.
14. Passive vs. Reactive IDS
• In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and/or to the owner.
15. Passive vs. Reactive IDS
• In a reactive system, also known as an Intrusion Prevention System (IPS), the IDS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source.
16. How Is a Firewall Different from an IDS?
• Firewalls look outwardly and protect from external attacks
• An IDS evaluates a suspected intrusion once it has taken place and signals an alarm.
• An IDS also watches for attacks that originate from within a system.
17. Firewall vs. IDS
• This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators.
18. IDS Evasion Techniques
• Bypass detection by creating unrecognized states on the IDS and on the targeted computer. The adversary accomplishes this by manipulating either the attack itself or the network traffic that contains the attack.
19. Obfuscating Attack Payload
• Encoding the attack payload in a way that the target computer will reverse but the IDS will not. In the past, an adversary using Unicode characters could encode attack packets that an IDS would not recognize but that an IIS web server would decode, and so be attacked.
21. Polymorphic Code
• Is another means to circumvent signature-based IDS by creating unique attack patterns, so that the attack does not have a single detectable signature.
22. Using HTTPS to Obfuscate
• Attacks on encrypted protocols such as HTTPS are obfuscated if the attack is encrypted.
23. Fragmentation and Small Packets
• One basic technique is to split the attack payload into multiple small packets
• The IDS must reassemble the packet stream to detect the attack.
24. Fragmentation Continued
• By themselves, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection.
• One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does.
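The two detection-side lessons of slides 19, 23 and 24 (decode like the target, then match on the reassembled stream, not on single packets) in a toy Python IDS. This is an added example, not code from the deck; the signatures, the sample request, the flow identifiers and the 10-second idle timeout are all constructed for illustration.

```python
# Toy signature-matching IDS that shows why normalization and reassembly matter.
from dataclasses import dataclass, field
from urllib.parse import unquote_to_bytes

# Constructed signatures in the spirit of Snort "content" matches (not real rules).
SIGNATURES = {
    "sqli-union-select": b"union select",
    "path-traversal": b"../../",
}


@dataclass
class Segment:
    flow: tuple     # (client, server) pair identifying one TCP connection
    seq: int        # byte offset of this segment within the stream
    payload: bytes
    ts: float       # arrival time in seconds


@dataclass
class FlowState:
    chunks: dict = field(default_factory=dict)  # seq -> payload, possibly out of order
    last_seen: float = 0.0


def normalize(data: bytes) -> bytes:
    """Undo what the web server would undo before matching (slide 19): percent-decode
    twice (so %2520 -> %20 -> space) and fold case."""
    return unquote_to_bytes(unquote_to_bytes(data)).lower()


def match(data: bytes) -> list:
    """Return the names of every signature found in the normalized data."""
    norm = normalize(data)
    return [name for name, pattern in SIGNATURES.items() if pattern in norm]


def per_packet_alerts(segments) -> list:
    """Naive IDS: inspect each segment on its own. A signature split across
    segments (slide 23) is never seen in one piece."""
    alerts = set()
    for seg in segments:
        alerts.update(match(seg.payload))
    return sorted(alerts)


class Reassembler:
    """Stream-aware IDS: rebuild the byte stream per flow before matching."""

    def __init__(self, timeout: float):
        self.timeout = timeout   # seconds of silence before flow state is dropped
        self.flows = {}

    def feed(self, seg: Segment) -> list:
        state = self.flows.get(seg.flow)
        if state is None or seg.ts - state.last_seen > self.timeout:
            # Flow idle longer than our timeout: forget earlier bytes. If the target
            # keeps them longer than we do, a paused attack (slide 24) slips through.
            state = self.flows[seg.flow] = FlowState()
        state.last_seen = seg.ts
        state.chunks[seg.seq] = seg.payload
        # Rebuild the contiguous prefix of the stream from offset 0, tolerating
        # out-of-order arrival; a gap stops the rebuild until it is filled.
        stream = b""
        while len(stream) in state.chunks:
            stream += state.chunks[len(stream)]
        return match(stream)


def stream_alerts(segments, timeout: float) -> list:
    ids = Reassembler(timeout)
    alerts = set()
    for seg in segments:
        alerts.update(ids.feed(seg))
    return sorted(alerts)


def split_request(flow, data: bytes, size: int, gap: float) -> list:
    """Constructed traffic: one request cut into size-byte segments, gap seconds apart."""
    return [Segment(flow, off, data[off:off + size], (off // size) * gap)
            for off in range(0, len(data), size)]


# Constructed sample request: single- and double-percent-encoded SQL injection text.
REQUEST = b"GET /items?id=1%2520UNION%20SELECT%20user FROM%20users HTTP/1.0\r\n"
FLOW = ("10.0.0.5:40000", "10.0.0.9:80")   # constructed client/server pair

if __name__ == "__main__":
    whole = split_request(FLOW, REQUEST, size=len(REQUEST), gap=0)
    tiny = split_request(FLOW, REQUEST, size=4, gap=1.0)
    slow = split_request(FLOW, REQUEST, size=4, gap=30.0)
    print("single packet, per-packet IDS:     ", per_packet_alerts(whole))
    print("4-byte segments, per-packet IDS:   ", per_packet_alerts(tiny))
    print("4-byte segments, reassembling IDS: ", stream_alerts(tiny, timeout=10))
    print("30 s pauses vs 10 s IDS timeout:   ", stream_alerts(slow, timeout=10))
```

The last case is the timeout race from slide 24: the reassembling IDS only keeps up with a paused sender if its idle timeout is at least as long as the target host's.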
25. Protocol Violations
• Some IDS evasion techniques involve deliberately violating the TCP or IP protocols in a way the target computer will handle differently than the IDS. For example, the TCP Urgent Pointer is handled differently on different operating systems and may not be handled correctly by the IDS.
26. Denial of Service
• An adversary can evade detection by disabling or overwhelming the IDS. This can be accomplished by exploiting a bug in the IDS, using up computational resources on the IDS, or deliberately triggering a large number of alerts to disguise the actual attack.
28. Inserting Traffic at the IDS
• An adversary can send packets that the IDS will see but the target computer will not. For example, the attacker could send packets whose Time To Live fields have been crafted to reach the IDS but not the target computers it protects. This technique will result in an IDS with different state than the target.
29. Intrusion Prevention Goes One Step Further than IDS
• An intrusion prevention system is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities.
31. How IDS and IPS Differ
• Intrusion Prevention Systems are designed to sit inline with traffic flows and prevent attacks in real time
• In addition, most IPS solutions have the ability to look at (decode) layer 7 protocols like HTTP, FTP, and SMTP
32. Rate Based IPS
• RBIPS can identify abnormal rates for certain types of traffic
  • Connections per second
  • Packets per connection
  • Packets to specific ports etc.
• Attacks are detected when thresholds are exceeded.
• The thresholds are dynamically adjusted based on time of day, day of the week etc., drawing on stored traffic statistics.
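A rate-based IPS threshold as slide 32 describes it, in Python: baselines are learned per (weekend?, hour-of-day) bucket from stored traffic statistics, so the same 40 connections per second is a burst at 03:00 and normal at 14:00. This is an added example, not the deck's or any vendor's code; the history, the live samples, and the mean + 3 × standard-deviation rule with a floor of 1.0 are constructed assumptions.

```python
# Rate-based IPS thresholds that follow time of day and day of week.
import statistics
from collections import defaultdict
from datetime import datetime


def bucket(ts: datetime) -> tuple:
    """Baseline bucket: (is_weekend, hour_of_day)."""
    return (ts.weekday() >= 5, ts.hour)


class RateBasedIPS:
    """Learns per-bucket baselines from stored traffic statistics and flags a live
    rate that exceeds mean + k * stdev for its bucket (k and the floor are assumed)."""

    def __init__(self, k: float = 3.0, floor: float = 1.0, min_samples: int = 3):
        self.k = k
        self.floor = floor              # keep a flat baseline from collapsing onto its mean
        self.min_samples = min_samples
        self.history = defaultdict(list)  # (bucket, metric) -> observed rates

    def learn(self, ts: datetime, metric: str, rate: float) -> None:
        self.history[(bucket(ts), metric)].append(rate)

    def threshold(self, ts: datetime, metric: str):
        samples = self.history.get((bucket(ts), metric), [])
        if len(samples) < self.min_samples:
            return None                 # no baseline yet: never block on a guess
        spread = max(statistics.pstdev(samples), self.floor)
        return statistics.fmean(samples) + self.k * spread

    def check(self, ts: datetime, metric: str, rate: float) -> dict:
        thr = self.threshold(ts, metric)
        return {"metric": metric, "rate": rate, "threshold": thr,
                "block": thr is not None and rate > thr}


# Constructed stored statistics: per-second rates seen on five previous weekdays
# (3-7 June 2024 are Monday to Friday).
HISTORY = [
    *[(datetime(2024, 6, d, 3, 0), "conn/s", r)
      for d, r in zip(range(3, 8), [2, 3, 2, 4, 3])],            # quiet overnight hour
    *[(datetime(2024, 6, d, 14, 0), "conn/s", r)
      for d, r in zip(range(3, 8), [50, 60, 55, 45, 52])],       # busy afternoon hour
    *[(datetime(2024, 6, d, 14, 0), "pkt/s:dport=445", r)
      for d, r in zip(range(3, 8), [1, 0, 2, 1, 1])],            # packets to one port
]

# Constructed live samples to judge against those baselines.
LIVE = [
    (datetime(2024, 6, 10, 3, 5), "conn/s", 40),              # Monday 03:05: burst
    (datetime(2024, 6, 10, 14, 5), "conn/s", 40),             # Monday 14:05: normal
    (datetime(2024, 6, 10, 14, 5), "pkt/s:dport=445", 400),   # port sweep-like rate
    (datetime(2024, 6, 8, 14, 5), "conn/s", 40),              # Saturday: no baseline
]


def build_ips() -> RateBasedIPS:
    ips = RateBasedIPS()
    for ts, metric, rate in HISTORY:
        ips.learn(ts, metric, rate)
    return ips


def thresholds(ips: RateBasedIPS, live: list) -> list:
    """Threshold in force for each live sample (None where no baseline exists)."""
    return [ips.threshold(ts, metric) for ts, metric, _ in live]


def evaluate(ips: RateBasedIPS, live: list) -> list:
    """Run live (timestamp, metric, rate) samples and return the metrics to block."""
    return [metric for ts, metric, rate in live if ips.check(ts, metric, rate)["block"]]


if __name__ == "__main__":
    ips = build_ips()
    for ts, metric, rate in LIVE:
        print(ts, ips.check(ts, metric, rate))
    print("block:", evaluate(ips, LIVE))
```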
33. Host-based vs. Network IPS
• Benefit of HIPS
  • HIPS can handle encrypted and unencrypted traffic equally, because it can analyze the data after it has been decrypted on the host.
34. Host-based vs. Network IPS
• Benefit of NIPS
  • NIPS does not use processor and memory on computer hosts but uses its own CPU and memory.
35. Host-based vs. Network IPS
• NIPS drawback AND benefit, depending on how you look at it
  • NIPS is a single point of failure, which is considered a disadvantage; however, this property also makes it simpler to maintain.
  • Use failover or load balancing to combat this NIPS disadvantage
36. Host-based vs. Network IPS
• NIPS can detect events scattered over the network (e.g. a low-level event targeting many different hosts, like a worm) and can react
• With a HIPS, only the host’s data itself is available to take a decision
• It would take too much time to report it to a central decision-making engine and report back to block.
37. Some IDS and IPS Movies
• Cisco Sensor
• Cisco IDS/IPS Overview
• Snort With Add-On Tools