The document discusses different types of intruders and intrusion detection systems. It describes three classes of intruders: masqueraders, misfeasors, and clandestine users. It then defines intrusion detection systems, intrusion prevention systems, and intrusion detection and prevention systems. The document outlines different types of attacks and intrusion detection mechanisms, including misuse detection, anomaly detection, and hybrid detection. It also discusses network-based and host-based intrusion detection systems. Honeypots are described as systems designed to deceive attackers in order to learn about their tools and methods.

1. Presented by: Tufail(130228)

2. 2Central University of kashmir

3. In early study of Intrusion Anderson identified three
classes of Intruders:
Masqueraders: An individual who is not authorized to
use the computer & who penetrates a systems access
controls to exploit a legitimate user’s account.
Misfeasor: A legitimate user who accesses data programs
or resources for which such access is not authorized , or
who is authorized for such access but misuses his/her
privileges.
Clandestine User: An individual who seizes supervisory
control of the system & uses this control to evade auditing
& access controls or to suppress audit actions.
3Central University of kashmir

4. Central University of kashmir 4

5. Intrusion detection: is the process of monitoring the events
occurring in a computer system or network and analyzing them
for signs of possible intrusions (incidents).
Intrusion detection system (IDS): is software that automates
the intrusion detection process. The primary responsibility of
an IDS is to detect unwanted and malicious activities.
Intrusion prevention system (IPS): is software that has all the
capabilities of an intrusion detection system and can also
attempt to stop possible incidents.
Intrusion Detection & prevention System (IDPS): evaluates a
suspected intrusion once it has taken place ,signals an alarm&
makes attempts to stop it. It watches for activities specifically
designed to be overlooked by Firewall’s filtering rules.
5Central University of kashmir

6. Unauthorized access to the resources
Password cracking
Spoofing e.g. DNS spoofing
Scanning ports & services
Network packet listening
Stealing information
Unauthorized network access
Uses of IT resources for private purpose
Unauthorized alternation of resources
Falsification of identity
Information altering and deletion
Unauthorized transmission and creation of data
Configuration changes to systems and n/w services
6Central University of kashmir

7. Denial of Service
Flooding
Ping flood
Mail flood
Compromising system
Buffer overflow
Remote system shutdown
Web application attack
“Most attacks are not a single attack but a series of
individual events developed in coordinated manner”
7Central University of kashmir

8. Central University of kashmir 8

9. Central University of kashmir 9

10. 10Central University of kashmir

11. Audit Data
Preprocessor
Audit Records
Activity Data
Detection
Models
Detection Engine
Alarms
Decision
Table
Decision Engine
Action/Report
system activities aresystem activities are
observableobservable
normal and intrusivenormal and intrusive
activities have distinctactivities have distinct
evidenceevidence

12. These are three models of intrusion detection
mechanisms:
• Anomaly detection (statistical based)
• Misuse Detection (Signature-based)
• Hybrid detection.
12Central University of kashmir

13. 1)Misuse Detection: The misuse detection concept assumes that
each intrusive activity is representable by a unique pattern
or a signature so that slight variations of the same activity
produce a new signature and therefore can also be detected.
They work by looking for a specific signature on a system.
Identification engines perform well by monitoring these
patterns of known misuse of system resources.
 Examples:
A telnet attempt with a username of “root”, which is a violation of an
organization’s security policy
An e-mail with a subject of “Free pictures!” and an attachment
filename of “freepics.exe”, which are characteristics of a known form
of malware
13Central University of kashmir

14. 2)Anomaly detection: monitors network traffic and
compare it against an established baseline. The
baseline will identify what is “normal” for that
network- what sort of bandwidth is generally used,
what protocols are used, what ports and devices
generally connect to each other- and alert the
administrator or user when traffic is detected which is
anomalous, or significantly different, than the
baseline. The issue is that it may raise a False Positive
alarm for a legitimate use of bandwidth if the
baselines are not intelligently configured.
14Central University of kashmir

15. True Positive: : Attack - Alert
False Positive: : No attack - Alert
False Negative: : Attack - No Alert
True Negative: : No attack - No Alert
15Central University of kashmir

16. IDPS are classified based on their monitoring
scope. They are:
1) network-based intrusion detection and
2) host-based detections.
Network-Based Intrusion Detection Systems
(NIDSs)/NDPS
NIDSs have the whole network as the monitoring
scope. They monitor the traffic on the network to
detect intrusions. They are responsible for detecting
anomalous, inappropriate, or other data that may be
considered unauthorized and harmful occurring on a
network.
16Central University of kashmir

17. 17Central University of kashmir

18. misuse is not confirmed only to the “bad” outsiders but
the problem is more rampart within organizations. To
tackle this problem, security experts have turned to
inspection of systems within an organization network.
This local inspection of systems is called host-based
intrusion detection systems (HIDS).
Host-based intrusion detection is the technique of
detecting malicious activities on a single computer.
18Central University of kashmir

19. A HIDS, is therefore, deployed on a single target
computer and it uses software that monitors operating
system specific logs including system, event, and
security logs on Windows systems and syslog in Unix
environments to monitor sudden changes in these logs.
When a change is detected in any of these files, the
HIDS compares the new log entry with its configured
attack signatures to see if there is a match. If a match is
detected then this signals the presence of an
illegitimate activity.
19Central University of kashmir

20. 20Central University of kashmir

21. A honeypot is a system designed to look like something
that an intruder can hack.
 to deceive attackers and learn about their tools and
methods.
Honeypots are also add-on/tools that are not strictly
sniffer-based intrusion detection systems like HIDS and
NIDS. However, they are good deception systems that
protect the network in much the same way as HIDS
and NIDS.
Since the goal for a honeypot is to deceive intruders
and learn from them without compromising the
security of the network, then it is important to find a
strategic place for the honeypot. In the DMZ for those
networks with DMZs or behind the network firewall if
the private network does not have a DMZ.
21Central University of kashmir

22. 22Central University of kashmir

23. A honey pot is a system that is deliberately named
and configured so as to invite attack
swift-terminal.bigbank.com
www-transact.site.com
source-r-us.company.com
admincenter.noc.company.net
23Central University of kashmir

24. 24Central University of kashmir

25. 25Central University of kashmir

26. 26Central University of kashmir