Information Systems 365
October 7, 2008
Intrusion Detection and Prevention
What is Intrusion Detection?

• An intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems.
Examples
• Industrial Espionage
• Malware
• Disgruntled Employees
What does an IDS Detect?

• Attacks against a specific service, such as File Transfer Protocol (FTP)
• Data-driven attacks at the application layer. For example, a SQL injection error could be used to crash an application.
What Does an IDS Detect?

• Host Based Attacks (privilege escalation)
• Malware, Viruses, Trojan Horses, Worms
IDS Components
• Sensors – Generate security events such as log files
• Console – Monitors events, alerts and controls sensors
• Engine – Analyzes the data using artificial intelligence to generate alerts from the events received
• 3 in 1 (sometimes all three are in one appliance)
Sensor, Looks Boring
Types of Intrusion Detection Systems
• Network Based Intrusion Detection System (NIDS)
• Protocol Based Intrusion Detection System (PIDS)
• Application Protocol Based Intrusion Detection System (APIDS)
• Host Based Intrusion Detection System (HIDS)
• Hybrid System
Network Intrusion Detection System
• Is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. Network Intrusion Detection Systems gain access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap. An example of a NIDS is Snort.
Protocol Based Intrusion Detection System
• Consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server.
Application Protocol Based Intrusion Detection System
• Consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application-specific protocols. For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.
Host Based Intrusion Detection System
• Consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state. An example of a HIDS is OSSEC.
Passive vs. Reactive IDS
• In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and/or to the owner.
Passive vs. Reactive IDS
• In a reactive system, also known as an Intrusion Prevention System (IPS), the IDS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source.
How Is A Firewall Different from an IDS?
• Firewalls look outwardly and protect from external attacks
• An IDS evaluates a suspected intrusion once it has taken place and signals an alarm.
• An IDS also watches for attacks that originate from within a system.
Firewall vs. IDS

• Intrusion detection is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators.
IDS Evasion Techniques
• Bypass detection by creating unrecognized states on the IDS and on the targeted computer. The adversary accomplishes this by manipulating either the attack itself or the network traffic that contains the attack.
Obfuscating Attack Payload
• Encoding the attack payload in a way that the target computer will reverse but the IDS will not. In the past, an adversary could use Unicode encoding to craft attack packets that an IDS would not recognize but that an IIS web server would decode, and so be attacked.
Obfuscating Attack Payload

• Speaking French to a bilingual computer, while the IDS only speaks English
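An added example, not part of the lecture, showing why the signature matching from the Firewall vs. IDS slide has to canonicalize before it compares, using the Unicode encoding trick described above. The request lines, the traversal signature and the lenient overlong-UTF-8 decoder are all constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed signature: a "../../" traversal sequence in the request line.
TRAVERSAL = re.compile(rb"\.\./\.\./")

# Constructed sample request lines. "plain" is the literal form; "overlong" hides
# each "/" behind %c0%af, an overlong two-byte UTF-8 encoding of "/" that strict
# decoders reject but lenient ones accept; "double" percent-encodes the dots twice.
SAMPLES = {
    "plain":    b"GET /app/../../private/config.txt HTTP/1.0",
    "overlong": b"GET /app/..%c0%af..%c0%afprivate/config.txt HTTP/1.0",
    "double":   b"GET /app/%252e%252e/%252e%252e/private/config.txt HTTP/1.0",
}

def fold_overlong_utf8(data: bytes) -> bytes:
    """Fold two-byte overlong sequences (lead byte C0 or C1) to the ASCII byte they
    encode, as a lenient decoder would. Everything else is copied through."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def normalize(request: bytes) -> bytes:
    """Canonicalize the way a lenient target would before the signature is applied:
    percent-decode twice (covers double encoding), then fold overlong UTF-8."""
    return fold_overlong_utf8(unquote_to_bytes(unquote_to_bytes(request)))

def naive_match(request: bytes) -> bool:
    """Signature applied to the raw bytes: what a non-normalizing sensor sees."""
    return TRAVERSAL.search(request) is not None

def normalized_match(request: bytes) -> bool:
    """Signature applied after canonicalization."""
    return TRAVERSAL.search(normalize(request)) is not None

def compare(samples=SAMPLES) -> dict:
    """Map each sample name to (raw_hit, normalized_hit)."""
    return {name: (naive_match(r), normalized_match(r)) for name, r in samples.items()}
```

Only the "plain" form trips the raw-byte signature; the encoded forms are caught only after the sensor decodes them the way the target would.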
Polymorphic Code
• Is another means to circumvent signature-based IDS by creating unique attack patterns, so that the attack does not have a single detectable signature.
Using HTTPS to Obfuscate

• Attacks on encrypted protocols such as HTTPS are obfuscated if the attack is encrypted.
Fragmentation and Small Packets
• One basic technique is to split the attack payload into multiple small packets
• The IDS must reassemble the packet stream to detect the attack.
Fragmentation Continued
• By themselves, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection.
• One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does.
Protocol Violations
• Some IDS evasion techniques involve deliberately violating the TCP or IP protocols in a way the target computer will handle differently than the IDS. For example, the TCP Urgent Pointer is handled differently on different operating systems and may not be handled correctly by the IDS.
Denial of Service
• An adversary can evade detection by disabling or overwhelming the IDS. This can be accomplished by exploiting a bug in the IDS, using up computational resources on the IDS, or deliberately triggering a large number of alerts to disguise the actual attack.
What is a Denial of Service Attack Anyway?
Inserting Traffic at the IDS

• An adversary can send packets that the IDS will see but the target computer will not. For example, the attacker could send packets whose time-to-live (TTL) fields have been crafted to reach the IDS but not the target computers it protects. This technique leaves the IDS with a different state from the target's.
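An added example, not from the lecture, that serves both the Fragmentation slides and the Inserting Traffic slide above: a toy stream reassembler with the two sensor settings those slides hinge on, how long partial state is kept and whether a segment's TTL can actually reach the protected host. The segment format, the signature, the hop count and the timings are all constructed.

```python
from dataclasses import dataclass, field

SIGNATURE = b"ATTACK-PATTERN"   # constructed stand-in for a real IDS signature

@dataclass
class Segment:
    seq: int      # offset of the payload within the stream
    data: bytes
    ttl: int      # IP TTL as seen at the sensor
    t: float      # arrival time in seconds

@dataclass
class Reassembler:
    """Toy stream reassembler. `timeout` is how long partial state survives between
    segments; `hops_to_target` (assumed known from the topology) lets the sensor
    discard segments whose TTL would expire before reaching the protected host."""
    timeout: float
    hops_to_target: int = 0
    buf: dict = field(default_factory=dict)   # seq -> data
    last_seen: float = -1.0

    def feed(self, seg: Segment) -> None:
        if self.last_seen >= 0 and seg.t - self.last_seen > self.timeout:
            self.buf.clear()                   # idle too long: partial stream dropped
        self.last_seen = seg.t
        if seg.ttl < self.hops_to_target:
            return                             # target would never see this segment
        self.buf.setdefault(seg.seq, seg.data) # keep the first copy seen for an offset

    def stream(self) -> bytes:
        return b"".join(self.buf[k] for k in sorted(self.buf))

    def alert(self) -> bool:
        return SIGNATURE in self.stream()

def detect(segments, timeout: float, hops_to_target: int = 0) -> bool:
    """Feed all segments to a fresh reassembler and report whether it alerts."""
    r = Reassembler(timeout=timeout, hops_to_target=hops_to_target)
    for s in segments:
        r.feed(s)
    return r.alert()

# Constructed traffic. PAUSED: the payload split in two with a 30 s gap, so a
# sensor with a 10 s timeout forgets the first half. INSERTED: a decoy for
# offset 7 with TTL 2, sent before the real bytes; the protected host is 5 hops
# away, so the decoy dies in transit, but a sensor that ignores TTL keeps it.
PAUSED = [Segment(0, b"ATTACK-", 64, 0.0), Segment(7, b"PATTERN", 64, 30.0)]
INSERTED = [Segment(0, b"ATTACK-", 64, 0.0), Segment(7, b"HARMLESS", 2, 0.1),
            Segment(7, b"PATTERN", 64, 0.2)]
```

A sensor whose timeout outlasts the target's, and which drops segments that cannot reach the target, ends up with the same stream the target sees and alerts in both cases.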
Intrusion Prevention Goes One Step Further than IDS
• An intrusion prevention system is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities.
Unified Threat Management (UTM)
• Next generation devices
• Firewall
• Virus Scanning
• Content Filtering
• VPN
• Anti-Spam
• Intrusion Detection and Prevention
How IDS and IPS Differ
• Intrusion Prevention systems are designed to sit inline with traffic flows and prevent attacks in real time
• In addition, most IPS solutions have the ability to look at (decode) layer 7 protocols like HTTP, FTP, and SMTP
Rate Based IPS
• RBIPS can identify abnormal rates for certain types of traffic, such as:
• Connections per second
• Packets per connection
• Packets to specific ports, etc.
• Attacks are detected when thresholds are exceeded.
• The thresholds are dynamically adjusted based on time of day, day of the week, etc., drawing on stored traffic statistics.
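An added example (not part of the lecture) of the rate-based thresholding just described: a per-slot threshold derived from stored traffic statistics for that weekday and hour, compared against the peak connection rate measured over a sliding one-second window. The history table, the mean-plus-three-sigma rule, the floor value and the burst timestamps are constructed.

```python
from statistics import mean, pstdev

# Constructed "stored traffic statistics": connections per second seen in the same
# (weekday, hour) slot over the previous seven weeks. 0 = Monday.
HISTORY = {
    (0, 9): [40, 45, 42, 48, 44, 41, 46],   # Monday 09:00, busy
    (6, 3): [2, 3, 1, 2, 3, 2, 2],          # Sunday 03:00, quiet
}

def threshold(weekday: int, hour: int, k: float = 3.0, floor: float = 5.0) -> float:
    """Dynamic threshold for a time slot: mean + k population standard deviations of
    the stored samples, but never below `floor`, so a flat history cannot turn
    every connection into an alert."""
    samples = HISTORY[(weekday, hour)]
    return max(mean(samples) + k * pstdev(samples), floor)

def peak_rate(timestamps, window: float = 1.0) -> int:
    """Largest number of connection events inside any `window`-second span."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i, t in enumerate(ts):
        while ts[j] < t - window:      # slide the left edge of the window forward
            j += 1
        best = max(best, i - j + 1)
    return best

def evaluate(timestamps, weekday: int, hour: int):
    """Return (exceeded, observed_peak, threshold) for one slot."""
    observed = peak_rate(timestamps)
    limit = threshold(weekday, hour)
    return observed > limit, observed, limit

# Constructed burst: 47 new connections within 0.92 s.
BURST = [i * 0.02 for i in range(47)]
```

The same 47-connection burst is ordinary traffic against the Monday 09:00 threshold but far above the Sunday 03:00 one, which is the time-of-day adjustment the slide describes.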
Host-based vs. Network IPS
• Benefit of HIPS
• HIPS can handle encrypted and unencrypted traffic equally, because it can analyze the data after it has been decrypted on the host.
Host-based vs. Network IPS

• Benefit of NIPS
• NIPS does not use processor and memory on computer hosts but uses its own CPU and memory.
Host-based vs. Network IPS
• NIPS drawback AND benefit, depending on how you look at it
• NIPS is a single point of failure, which is considered a disadvantage; however, this property also makes it simpler to maintain.
• Use failover or load balancing to combat this NIPS disadvantage
Host-based vs. Network IPS
• NIPS can detect events scattered over the network (e.g. a low-level event targeting many different hosts, like a worm) and can react
• With a HIPS, only the host's own data is available to make a decision
• It would take too much time to report it to a central decision-making engine and report back to block.
Some IDS and IPS Movies

• Cisco Sensor
• Cisco IDS/IPS Overview
• Snort With Add On Tools
Questions?
