UNIT-4
Malware – Malicious Software
• Difficulty Level : Basic
• Last Updated : 29 Jan, 2020
Malware is software that gets into a system without the user's consent, with the
intention of stealing the user's private and confidential data, such as bank
details and passwords. It may also generate annoying pop-up ads and make
changes to system settings.
Malware gets into a system through various means:
1. Bundled with free downloads.
2. Clicking on suspicious links.
3. Opening mails from malicious sources.
4. Visiting malicious websites.
5. Not installing an updated version of antivirus on the system.
Types:
1. Virus
2. Worm
3. Logic Bomb
4. Trojan/Backdoor
5. Rootkit
6. Advanced Persistent Threat
7. Spyware and Adware
What is a computer virus:
A computer virus is a program which damages computer systems and/or destroys or
erases data files. It is a malicious program that self-replicates by copying
itself into another program; in other words, the virus spreads by itself into
other executable code or documents. The purpose of creating a computer virus is
to infect vulnerable systems, gain admin control and steal sensitive user data.
Hackers design computer viruses with malicious intent and prey on online users by
tricking them.
Symptoms:
• Letters look like they are falling to the bottom of the screen.
• The computer system becomes slow.
• The amount of available free memory reduces.
• The hard disk runs out of space.
• The computer does not boot.
Types of Computer Virus:
These are explained as following below.
1. Parasitic –
These infect executables (.COM or .EXE files, where execution starts at the first
instruction). Propagated by attaching itself to a particular file or program.
Generally resides at the start (prepending) or at the end (appending) of a file,
e.g. Jerusalem.
2. Boot Sector –
Spread via infected floppy or pen drives used to boot computers. During system
boot, the boot sector virus is loaded into main memory and destroys data stored
on the hard disk, e.g. Polyboot, Disk Killer, Stone, AntiEXE.
3. Polymorphic –
Changes itself with each infection and creates multiple copies. Multipartite
viruses use more than one propagation method. Difficult for antivirus to detect,
e.g. Involutionary, Cascade, Evil, Virus 101, Stimulate.
Three major parts: an encrypted virus body, a decryption routine that varies from
infection to infection, and a mutation engine.
4. Memory Resident –
Installs code in the computer's memory. Gets activated while the OS runs and
damages all files opened at that time, e.g. Randex, CMJ, Meve.
5. Stealth –
Hides its tracks after infection. It modifies itself, hence is difficult to
detect, and masks the size of the infected file, e.g. Frodo, Joshi, Whale.
6. Macro –
Associated with application software like Word and Excel. When the infected
document is opened, the macro virus is loaded into main memory and destroys the
data stored on the hard disk. As it is attached to documents, it spreads only
with those infected documents, e.g. DMV, Melissa.A, Relax, Nuclear, Word Concept.
7. Hybrids –
Features of various viruses are combined, e.g. Happy99 (Email virus).
Worm:
A worm is a destructive program that fills a computer system with self-
replicating information, clogging the system so that its operations are slowed
down or stopped.
Types of Worm:
1. Email worm – Attaches itself to fake email messages.
2. Instant messaging worm – Spreads via instant messaging applications, using
loopholes in the network.
3. Internet worm – Scans systems using OS services.
4. Internet Relay Chat (IRC) worm – Transfers infected files to web sites.
5. Payloads – Delete or encrypt files, install backdoors, create zombies, etc.
6. Worms with good intent – Download application patches.
Logic Bomb:
A logic bomb is a destructive program that performs an activity when a certain
condition has occurred. It is hidden in programming code and executes only when
a specific condition is met, e.g. Jerusalem.
Script Virus:
Commonly found script viruses are written using the Visual Basic Scripting
Edition (VBS) and the JavaScript programming language.
Trojan / Backdoor:
A Trojan horse is a destructive program. It usually masquerades as a computer
game or application software. If executed, the computer system will be damaged.
Trojan horses usually come with monitoring tools and key loggers. They are active
only when specific events occur. They are hidden with packers, crypters and
wrappers, hence difficult to detect through antivirus. Removal may require manual
steps or firewall precautions.
RootKits:
Collection of tools that allow an attacker to take control of a system.
• Can be used to hide evidence of an attacker's presence and give them
backdoor access.
• Can contain log cleaners to remove traces of the attacker.
• Can be divided into:
– Application or file rootkits: replace binaries on a Linux system
– Kernel rootkits: target the kernel of the OS, typically as a loadable kernel
module (LKM)
• Gain control of the infected machine by:
– DLL injection: injecting a malicious DLL (dynamic link library)
– Direct kernel object manipulation: modifying kernel structures and directly
targeting trusted parts of the OS
– Hooking: changing an application's execution flow
Advanced Persistent Threat:
Created by well-funded, organized groups, nation-state actors, etc., who seek to
compromise government and commercial entities, e.g. Flame: used for
reconnaissance and information gathering on a system.
Spyware and Adware:
Normally gets installed along with free software downloads. Spies on the end
user and attempts to redirect the user to specific sites. Main tasks: behavioral
surveillance and advertising with pop-up ads. Slows down the system.
Types of Firewall
A firewall is a network device that isolates an organization's internal network from the
larger outside network/Internet. It can be a hardware, software, or combined system that
prevents unauthorized access to or from the internal network.
All data packets entering or leaving the internal network pass through the firewall, which
examines each packet and blocks those that do not meet the specified security criteria.
Deploying firewall at network boundary is like aggregating the security at a single point. It is
analogous to locking an apartment at the entrance and not necessarily at each door.
A firewall is considered an essential element for achieving network security for the
following reasons:
• Internal network and hosts are unlikely to be properly secured.
• The Internet is a dangerous place with criminals, users from competing companies,
disgruntled ex-employees, spies from unfriendly countries, vandals, etc.
• To prevent an attacker from launching denial of service attacks on network
resources.
• To prevent illegal modification/access to internal data by an outside attacker.
Firewalls are categorized into three basic types:
• Packet filter (Stateless & Stateful)
• Application-level gateway
• Circuit-level gateway
These three categories, however, are not mutually exclusive. Modern firewalls have a mix of
abilities that may place them in more than one of the three categories.
Stateless & Stateful Packet Filtering Firewall
In this type of firewall deployment, the internal network is connected to the external
network/Internet via a router firewall. The firewall inspects and filters data packet-by-packet.
Packet-filtering firewalls allow or block the packets mostly based on criteria such as source
and/or destination IP addresses, protocol, source and/or destination port numbers, and various
other parameters within the IP header.
The decision can be based on factors other than IP header fields such as ICMP message type,
TCP SYN and ACK bits, etc.
A packet filter rule has two parts:
• Selection criteria − the condition or pattern that a packet is matched against for
decision making.
• Action field − specifies the action to be taken if an IP packet meets the selection
criteria. The action can be either to block (deny) or to permit (allow) the packet across
the firewall.
Packet filtering is generally accomplished by configuring Access Control Lists (ACL) on
routers or switches. ACL is a table of packet filter rules.
As traffic enters or exits an interface, firewall applies ACLs from top to bottom to each
incoming packet, finds matching criteria and either permits or denies the individual packets.
A stateless firewall is a rather rigid tool. It looks at a packet and allows it if it meets
the criteria, even if it is not part of any established ongoing communication.
Hence, such firewalls are replaced by stateful firewalls in modern networks. This type of
firewall offers a more in-depth inspection method than the purely ACL-based packet
inspection of stateless firewalls.
A stateful firewall monitors the connection setup and teardown process to keep a check on
connections at the TCP/IP level. This allows it to keep track of connection state and
determine which hosts have open, authorized connections at any given point in time.
It references the rule base only when a new connection is requested. Packets belonging to
existing connections are compared against the firewall's state table of open connections,
and the decision to allow or block is taken from that. This process saves time and provides
added security as well: no packet is allowed to trespass the firewall unless it belongs to an
already established connection. The firewall can time out inactive connections, after which
it no longer admits packets for that connection.
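The difference between the two filters described above, as an added example that is not part of the original notes: the same top-to-bottom ACL evaluated statelessly, and then wrapped in a state table that consults the rule base only for new connections and expires idle entries. Packets are dicts constructed inline; the rule fields, addresses and timeout are this example's own assumptions.

```python
"""Stateless ACL evaluation beside a stateful connection table.

Added example for the packet-filter section; not code from the original notes.
Packets are dicts constructed inline, and the rule fields, addresses and
timeout values are this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Packet = dict  # keys: src, dst, proto, sport, dport, flags (set of TCP flag names)


@dataclass
class Rule:
    """One ACL entry: selection criteria plus an action ('permit' or 'deny')."""
    action: str
    proto: str = "any"
    src: str = "any"                   # exact address or 'any' (CIDR omitted for brevity)
    dst: str = "any"
    dport: Optional[int] = None        # None matches any destination port
    flags: Optional[Set[str]] = None   # if given, all listed flags must be present

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto == "any" or pkt["proto"] == self.proto)
            and (self.src == "any" or pkt["src"] == self.src)
            and (self.dst == "any" or pkt["dst"] == self.dst)
            and (self.dport is None or pkt.get("dport") == self.dport)
            and (self.flags is None or self.flags <= pkt.get("flags", set()))
        )


def evaluate_acl(acl: List[Rule], pkt: Packet) -> str:
    """Stateless filter: top-to-bottom first match, implicit deny at the end."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


ConnKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass
class StatefulFilter:
    """Looks up the rule base only for new connections (a bare TCP SYN).
    Everything else must belong to an entry in the state table."""
    acl: List[Rule]
    idle_timeout: int = 60
    state: Dict[ConnKey, int] = field(default_factory=dict)  # key -> last seen

    def expire(self, now: int) -> None:
        """Forget connections idle longer than idle_timeout."""
        for key in [k for k, seen in self.state.items() if now - seen > self.idle_timeout]:
            del self.state[key]

    def filter(self, pkt: Packet, now: int) -> str:
        self.expire(now)
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        known = fwd if fwd in self.state else rev if rev in self.state else None
        if known is not None:
            # Existing connection: refresh the timer, no rule lookup needed.
            self.state[known] = now
            if pkt["flags"] & {"FIN", "RST"}:
                del self.state[known]      # teardown removes the entry
            return "permit"
        if pkt["proto"] == "tcp" and pkt["flags"] == {"SYN"}:
            decision = evaluate_acl(self.acl, pkt)
            if decision == "permit":
                self.state[fwd] = now      # connection setup is recorded
            return decision
        return "deny"  # neither a new connection nor part of an established one


# Constructed rule base: only HTTP to the web server is allowed in.
ACL = [
    Rule("permit", proto="tcp", dst="10.0.0.80", dport=80),
    Rule("deny"),  # explicit catch-all, same effect as the implicit deny
]


def demo() -> Dict[str, str]:
    """Constructed traffic: a stray ACK, then a real handshake, then a long idle gap."""
    stray_ack = {"src": "203.0.113.9", "sport": 40000, "dst": "10.0.0.80",
                 "proto": "tcp", "dport": 80, "flags": {"ACK"}}
    syn = dict(stray_ack, flags={"SYN"})
    data = dict(stray_ack, flags={"ACK", "PSH"})
    sf = StatefulFilter(ACL, idle_timeout=60)
    return {
        "stateless_stray_ack": evaluate_acl(ACL, stray_ack),  # permitted: matches criteria
        "stateful_stray_ack": sf.filter(stray_ack, now=0),    # denied: no connection yet
        "stateful_syn": sf.filter(syn, now=1),                # permitted via rule base
        "stateful_data": sf.filter(data, now=30),             # permitted via state table
        "stateful_after_timeout": sf.filter(data, now=200),   # denied: entry expired
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The stray ACK case is the weakness of the stateless filter: it matches the selection criteria and is permitted although no connection was ever set up, while the stateful filter denies it.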
Application Gateways
An application-level gateway acts as a relay node for application-level traffic. It
intercepts incoming and outgoing packets, runs proxies that copy and forward information
across the gateway, and functions as a proxy server, preventing any direct connection between
a trusted server or client and an untrusted host.
The proxies are application specific. They can filter packets at the application layer of the OSI
model.
Application-specific Proxies
An application-specific proxy accepts packets generated by only specified application for
which they are designed to copy, forward, and filter. For example, only a Telnet proxy can
copy, forward, and filter Telnet traffic.
If a network relies only on an application-level gateway, incoming and outgoing packets cannot
access services that have no proxies configured. For example, if a gateway runs FTP and Telnet
proxies, only packets generated by these services can pass through the firewall. All other
services are blocked.
Application-level Filtering
An application-level proxy gateway examines and filters individual packets, rather than
simply copying them and blindly forwarding them across the gateway. Application-specific
proxies check each packet that passes through the gateway, verifying the contents of the
packet up through the application layer. These proxies can filter particular kinds of
commands or information in the application protocols.
Application gateways can restrict specific actions from being performed. For example, the
gateway could be configured to prevent users from performing the ‘FTP put’ command. This
can prevent modification of the information stored on the server by an attacker.
Transparency
Although application-level gateways can be transparent, many implementations require user
authentication before users can access an untrusted network, a process that reduces true
transparency. Authentication may be different if the user is from the internal network or from
the Internet. For an internal network, a simple list of IP addresses can be allowed to connect to
external applications. But from the Internet side a strong authentication should be implemented.
An application gateway actually relays TCP segments between the two TCP connections in the
two directions (Client ↔ Proxy ↔ Server).
For outbound packets, the gateway may replace the source IP address by its own IP address.
The process is referred to as Network Address Translation (NAT). It ensures that internal IP
addresses are not exposed to the Internet.
Circuit-Level Gateway
The circuit-level gateway is an intermediate solution between the packet filter and the
application gateway. It runs at the transport layer and hence can act as proxy for any
application.
Similar to an application gateway, the circuit-level gateway also does not permit an end-to-end
TCP connection across the gateway. It sets up two TCP connections and relays the TCP
segments from one network to the other. But it does not examine the application data like an
application gateway does. Hence, it is sometimes called a 'Pipe Proxy'.
SOCKS
SOCKS (RFC 1928) refers to a circuit-level gateway. It is a networking proxy mechanism that
enables hosts on one side of a SOCKS server to gain full access to hosts on the other side
without requiring direct IP reachability. The client connects to the SOCKS server at the
firewall. Then the client enters a negotiation for the authentication method to be used, and
authenticates with the chosen method.
The client sends a connection relay request to the SOCKS server, containing the desired
destination IP address and transport port. The server accepts the request after checking that the
client meets the basic filtering criteria. Then, on behalf of the client, the gateway opens a
connection to the requested untrusted host and then closely monitors the TCP handshaking that
follows.
The SOCKS server informs the client of the outcome and, in case of success, starts relaying
the data between the two connections. Circuit-level gateways are used when the organization
trusts its internal users and does not want to inspect the contents or application data sent
on the Internet.
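The SOCKS exchange just described, as an added example that is not part of the original notes: the client's method-selection message, the server's choice, the CONNECT relay request carrying the destination address and port, and the gateway's reply after applying its filtering criteria. Byte layouts follow RFC 1928; the gateway's port policy, the bound address and the hosts used are constructed for the demo.

```python
"""SOCKS5 (RFC 1928) messages for the circuit-level gateway exchange.

Added example, not code from the original notes. Byte layouts follow RFC 1928;
the gateway's port policy, the bound address and the hosts used are constructed.
"""
import ipaddress
import struct
from typing import List, Tuple

VER = 0x05
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF   # authentication method codes
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02            # 0x02 = not allowed by ruleset


def client_method_selection(methods: List[int]) -> bytes:
    """VER | NMETHODS | METHODS...: the client offers its authentication methods."""
    return struct.pack("!BB", VER, len(methods)) + bytes(methods)


def server_choose_method(msg: bytes, supported: List[int]) -> Tuple[int, bytes]:
    """Server picks the first offered method it supports; 0xFF means 'none acceptable'."""
    ver, nmethods = struct.unpack("!BB", msg[:2])
    if ver != VER or len(msg) != 2 + nmethods:
        raise ValueError("malformed method selection message")
    chosen = next((m for m in msg[2:] if m in supported), NO_ACCEPTABLE)
    return chosen, struct.pack("!BB", VER, chosen)


def _encode_addr(host: str) -> bytes:
    """ATYP | ADDR for an IPv4, IPv6 or domain-name address."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        return struct.pack("!BB", ATYP_DOMAIN, len(raw)) + raw
    return struct.pack("!B", ATYP_IPV4 if ip.version == 4 else ATYP_IPV6) + ip.packed


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT: the client's relay request."""
    return struct.pack("!BBB", VER, CMD_CONNECT, 0x00) + _encode_addr(host) + struct.pack("!H", port)


def parse_request(msg: bytes) -> Tuple[int, str, int]:
    """Return (cmd, destination host, destination port) from a client request."""
    ver, cmd, rsv, atyp = struct.unpack("!BBBB", msg[:4])
    if ver != VER or rsv != 0x00:
        raise ValueError("malformed request")
    body = msg[4:]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(body[:4])), body[4:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(body[:16])), body[16:]
    elif atyp == ATYP_DOMAIN:
        n = body[0]
        host, rest = body[1:1 + n].decode("idna"), body[1 + n:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return cmd, host, struct.unpack("!H", rest)[0]


def server_reply(rep: int, bnd_host: str, bnd_port: int) -> bytes:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT: the gateway's answer."""
    return struct.pack("!BBB", VER, rep, 0x00) + _encode_addr(bnd_host) + struct.pack("!H", bnd_port)


ALLOWED_PORTS = {80, 443}  # constructed 'basic filtering criteria' for the gateway


def gateway_decide(request: bytes) -> Tuple[int, bytes]:
    """Check the relay request against policy before any outbound connection is opened."""
    cmd, host, port = parse_request(request)
    if cmd != CMD_CONNECT or port not in ALLOWED_PORTS:
        return REP_NOT_ALLOWED, server_reply(REP_NOT_ALLOWED, "0.0.0.0", 0)
    # A real gateway would now connect to (host, port) and report the address it bound.
    return REP_SUCCEEDED, server_reply(REP_SUCCEEDED, "192.0.2.1", 40001)


def demo() -> Tuple[int, int, int]:
    """Method negotiation, one CONNECT allowed by policy, and one refused."""
    chosen, _ = server_choose_method(client_method_selection([NO_AUTH, USER_PASS]), [USER_PASS])
    allowed, _ = gateway_decide(connect_request("example.org", 443))
    refused, _ = gateway_decide(connect_request("198.51.100.7", 23))
    return chosen, allowed, refused
```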
Firewall Deployment with DMZ
A firewall is a mechanism used to control network traffic ‘into’ and ‘out’ of an organizational
internal network. In most cases these systems have two network interfaces, one for the external
network such as the Internet and the other for the internal side.
The firewall process can tightly control what is allowed to traverse from one side to the other.
An organization that wishes to provide external access to its web server can restrict all
traffic arriving at the firewall except for port 80 (the standard HTTP port). All other traffic
such as mail traffic, FTP, SNMP, etc., is not allowed across the firewall into the internal
network. An example of a simple firewall is shown in the following diagram.
In the above simple deployment, though all other accesses from outside are blocked, it is
possible for an attacker to contact not only a web server but any other host on internal network
that has left port 80 open by accident or otherwise.
Hence, the problem most organizations face is how to enable legitimate access to public
services such as web, FTP, and e-mail while maintaining tight security of the internal network.
The typical approach is deploying firewalls to provide a Demilitarized Zone (DMZ) in the
network.
In this setup (illustrated in following diagram), two firewalls are deployed; one between the
external network and the DMZ, and another between the DMZ and the internal network. All
public servers are placed in the DMZ.
With this setup, it is possible to have firewall rules which allow public access to the public
servers but the interior firewall can restrict all incoming connections. By having the DMZ, the
public servers are provided with adequate protection instead of placing them directly on
external network.
Intrusion Detection / Prevention System
The packet filtering firewalls operate based on rules involving TCP/UDP/IP headers only. They
do not attempt to establish correlation checks among different sessions.
Intrusion Detection/Prevention Systems (IDS/IPS) carry out Deep Packet Inspection (DPI) by
looking at the packet contents, for example checking character strings in a packet against a
database of known virus and attack strings.
Application gateways do look at the packet contents but only for specific applications. They
do not look for suspicious data in the packet. IDS/IPS looks for suspicious data contained in
packets and tries to examine correlation among multiple packets to identify any attacks such
as port scanning, network mapping, and denial of service and so on.
Difference between IDS and IPS
IDS and IPS are similar in detecting anomalies in the network. An IDS is a 'visibility' tool
whereas an IPS is considered a 'control' tool.
Intrusion Detection Systems sit off to the side of the network, monitoring traffic at many
different points, and provide visibility into the security state of the network. In case of reporting
of anomaly by IDS, the corrective actions are initiated by the network administrator or other
device on the network.
Intrusion Prevention Systems are like firewalls: they sit in-line between two networks and
control the traffic going through them. An IPS enforces a specified policy on detection of an
anomaly in the network traffic. Generally, it drops all packets and blocks the entire network
traffic on noticing an anomaly until the anomaly is addressed by the administrator.
Types of IDS
There are two basic types of IDS.
• Signature-based IDS
o It needs a database of known attacks with their signatures.
o A signature is defined by the types and order of packets characterizing
a particular attack.
o The limitation of this type of IDS is that only known attacks can be
detected. This IDS can also raise false alarms. A false alarm occurs
when a normal packet stream matches the signature of an attack.
o A well-known public open-source IDS example is "Snort".
• Anomaly-based IDS
o This type of IDS builds a traffic profile of normal network operation.
o In detection mode, it looks for traffic patterns that are statistically
unusual, for example an unusual ICMP load, exponential growth in
port scans, etc.
o Detection of any unusual traffic pattern generates the alarm.
o The major challenge in this type of IDS deployment is the difficulty
of distinguishing between normal traffic and unusual traffic.
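Both IDS types described above run over one constructed packet log, as an added example that is not part of the original notes: a signature matcher (including the false alarm the text mentions, a benign packet that happens to contain the pattern), and an anomaly detector that learns a baseline of ICMP load from a quiet period and flags an unusual load and a port sweep. The packet records, the signature table, the window sizes and the thresholds are all constructed here; the pattern string is a placeholder, not a real rule.

```python
"""Signature-based and anomaly-based detection over a constructed packet log.

Added example for the two IDS types; not code from the original notes. The
packet records, signature table, baseline window and thresholds are constructed,
and the pattern string is a placeholder rather than a real rule.
"""
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Pkt:
    ts: int            # seconds since start of capture
    proto: str         # 'tcp', 'udp' or 'icmp'
    src: str
    dport: int         # 0 for icmp
    payload: bytes = b""


# Constructed signature table: (rule name, protocol, byte pattern).
SIGNATURES = [("example-bad-cmd", "tcp", b"EXAMPLE_ATTACK_STRING")]


def signature_alerts(pkts: List[Pkt]) -> List[Tuple[int, str, str]]:
    """Known-attack matching: a hit whenever a pattern appears in a payload."""
    return [(p.ts, p.src, name)
            for p in pkts
            for name, proto, pattern in SIGNATURES
            if p.proto == proto and pattern in p.payload]


def learn_icmp_baseline(normal: List[Pkt]) -> Tuple[float, float]:
    """Profile normal operation: mean and std-dev of ICMP packets per second."""
    per_sec = Counter(p.ts for p in normal if p.proto == "icmp")
    first, last = min(p.ts for p in normal), max(p.ts for p in normal)
    counts = [per_sec.get(t, 0) for t in range(first, last + 1)]
    return statistics.mean(counts), statistics.pstdev(counts)


def icmp_anomalies(pkts: List[Pkt], baseline: Tuple[float, float], k: float = 3.0):
    """Flag each second whose ICMP count is statistically unusual against the baseline."""
    mean, sd = baseline
    threshold = max(mean + k * sd, mean + 1)  # floor: a flat baseline must not alert on +1
    per_sec = Counter(p.ts for p in pkts if p.proto == "icmp")
    return sorted((t, n) for t, n in per_sec.items() if n > threshold)


def port_scan_anomalies(pkts: List[Pkt], window: int = 10, max_ports: int = 20) -> List[str]:
    """Flag a source touching more than max_ports distinct TCP ports within one window."""
    seen: Dict[Tuple[str, int], set] = defaultdict(set)
    for p in pkts:
        if p.proto == "tcp":
            seen[(p.src, p.ts // window)].add(p.dport)
    return sorted({src for (src, _), ports in seen.items() if len(ports) > max_ports})


def build_capture() -> Tuple[List[Pkt], List[Pkt]]:
    """Constructed traffic: a quiet minute for training, then a period with incidents."""
    normal: List[Pkt] = []
    for t in range(60):
        normal.append(Pkt(t, "icmp", "10.0.0.5", 0))               # steady monitoring pings
        if t % 15 == 0:
            normal.append(Pkt(t, "icmp", "10.0.0.6", 0))           # a little natural variance
        normal.append(Pkt(t, "tcp", "10.0.0.5", 443, b"GET / HTTP/1.1"))
    suspect = [Pkt(t, "icmp", "10.0.0.5", 0) for t in range(60, 70)]
    suspect += [Pkt(t, "icmp", "203.0.113.9", 0) for t in range(70, 73) for _ in range(50)]
    suspect.append(Pkt(65, "tcp", "203.0.113.7", 80, b"POST /x EXAMPLE_ATTACK_STRING"))
    # Benign packet whose body quotes the pattern (e.g. a write-up about the rule):
    # it matches the signature too, which is the false alarm the text describes.
    suspect.append(Pkt(66, "tcp", "10.0.0.5", 80, b"the rule fires on EXAMPLE_ATTACK_STRING"))
    suspect += [Pkt(80, "tcp", "203.0.113.8", port) for port in range(1, 41)]  # 40-port sweep
    return normal, suspect


def run() -> Dict[str, list]:
    """Train the anomaly detector on the quiet period, then run both detectors."""
    normal, suspect = build_capture()
    baseline = learn_icmp_baseline(normal)
    return {
        "signature": signature_alerts(suspect),
        "icmp": icmp_anomalies(suspect, baseline),
        "port_scan": port_scan_anomalies(suspect),
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

The second signature hit, from 10.0.0.5, is the false alarm: the packet is normal but contains the attack string, which is exactly the limitation the text gives for signature-based detection.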
Summary
In this chapter, we discussed the various mechanisms employed for network access control.
The approach to network security through access control is technically different than
implementing security controls at different network layers discussed in the earlier chapters of
this tutorial. However, though the approaches of implementation are different, they are
complementary to each other.
Network access control comprises two main components: user authentication and network
boundary protection. RADIUS is a popular mechanism for providing central authentication in
the network.
Firewall provides network boundary protection by separating an internal network from the
public Internet. Firewall can function at different layers of network protocol. IDS/IPS allows
to monitor the anomalies in the network traffic to detect the attack and take preventive action
against the same.
What is a Firewall?
A firewall can be defined as a special type of network security device or a software
program that monitors and filters incoming and outgoing network traffic based on a
defined set of security rules. It acts as a barrier between internal private networks and
external sources (such as the public Internet).
The primary purpose of a firewall is to allow non-threatening traffic and prevent
malicious or unwanted data traffic for protecting the computer from viruses and
attacks. A firewall is a cybersecurity tool that filters network traffic and helps users
block malicious software from accessing the Internet in infected computers.
Firewall: Hardware or Software
A common question is whether a firewall is hardware or software. As stated above, a
firewall can be a network security device or a software program on a computer. This means
that firewalls come at both levels, i.e., hardware and software, though it's best to have both.
Each format (a firewall implemented as hardware or software) has different
functionality but the same purpose. A hardware firewall is a physical device that
attaches between a computer network and a gateway. For example, a broadband
router. On the other hand, a software firewall is a simple program installed on a
computer that works through port numbers and other installed software.
Apart from that, there are cloud-based firewalls. They are commonly referred to as
FaaS (firewall as a service). A primary advantage of using cloud-based firewalls is that
they can be managed centrally. Like hardware firewalls, cloud-based firewalls are best
known for providing perimeter security.
Why Firewall
Firewalls are primarily used to prevent malware and network-based attacks.
Additionally, they can help in blocking application-layer attacks. These firewalls act as
a gatekeeper or a barrier. They monitor every attempt between our computer and
another network. They do not allow data packets to be transferred through them
unless the data is coming or going from a user-specified trusted source.
Firewalls are designed in such a way that they can react quickly to detect and counter
attacks throughout the network. They can work with rules configured to protect the
network and perform quick assessments to find any suspicious activity. In short, we
can think of the firewall as a traffic controller.
Some of the important risks of not having a firewall are:
Open Access
If a computer is running without a firewall, it is giving open access to other networks.
This means that it is accepting every kind of connection from anyone.
In this case, it is not possible to detect threats or attacks coming through our network.
Without a firewall, we make our devices vulnerable to malicious users and other
unwanted sources.
Lost or Compromised Data
Without a firewall, we are leaving our devices accessible to everyone. This means that
anyone can access our device and have complete control over it, including the network.
In this case, cybercriminals can easily delete our data or use our personal information
for their benefit.
Network Crashes
In the absence of a firewall, anyone could access our network and shut it down. It may
lead us to invest our valuable time and money to get our network working again.
Therefore, it is essential to use firewalls and keep our network, computer, and data safe
and secure from unwanted sources.
Brief History of Firewall
Firewalls have been the first and most reliable component of defense in network
security for over 30 years. Firewalls first came into existence in the late 1980s. They
were initially designed as packet filters. These packet filters were nothing but a setup
of networks between computers. The primary function of these packet filtering
firewalls was to check for packets or bytes transferred between different computers.
Firewalls have become more advanced due to continuous development, although such
packet filtering firewalls are still in use in legacy systems.
As the technology emerged, Gil Shwed from Check Point Technologies introduced
the first stateful inspection firewall in 1993. It was named as FireWall-1. Back in
2000, Netscreen came up with its purpose-built firewall 'Appliance'. It gained
popularity and fast adoption within enterprises because of increased internet speed,
less latency, and high throughput at a lower cost.
The turn of the century saw a new approach to firewall implementation during the
mid-2010s, when 'Next-Generation Firewalls' were introduced by Palo Alto
Networks. These firewalls came with a variety of built-in functions and capabilities,
such as Hybrid Cloud Support, Network Threat Prevention, Application and Identity-
Based Control, and Scalable Performance, etc. Firewalls are still getting new features
as part of continuous development. They are considered the first line of defense when
it comes to network security.
How does a firewall work?
A firewall system analyzes network traffic based on pre-defined rules. It then filters the
traffic and blocks any traffic coming from unreliable or suspicious sources. It
only allows incoming traffic that it is configured to accept.
Typically, firewalls intercept network traffic at a computer's entry point, known as a
port. Firewalls perform this task by allowing or blocking specific data packets (units of
communication transferred over a digital network) based on pre-defined security rules.
Incoming traffic is allowed only through trusted IP addresses, or sources.
Functions of Firewall
As stated above, the firewall works as a gatekeeper. It analyzes every attempt coming
to gain access to our operating system and prevents traffic from unwanted or non-
recognized sources.
Since the firewall acts as a barrier or filter between the computer system and other
networks (i.e., the public Internet), we can consider it as a traffic controller. Therefore,
a firewall's primary function is to secure our network and information by controlling
network traffic, preventing unwanted incoming network traffic, and validating access
by assessing network traffic for malicious things such as hackers and malware.
Generally, most operating systems (for example - Windows OS) and security software
come with built-in firewall support. Therefore, it is a good idea to ensure that those
options are turned on. Additionally, we can configure the security settings of the
system to be automatically updated whenever available.
Firewalls have become very powerful and include a variety of functions and capabilities
as built-in features:
o Network Threat Prevention
o Application and Identity-Based Control
o Hybrid Cloud Support
o Scalable Performance
o Network Traffic Management and Control
o Access Validation
o Record and Report on Events
Limitations of Firewall
When it comes to network security, firewalls are considered the first line of defense.
But the question is whether these firewalls are strong enough to make our devices safe
from cyber-attacks. The answer may be "no". The best practice is to use a firewall
system when using the Internet. However, it is important to use other defense systems
to help protect the network and data stored on the computer. Because cyber threats
are continually evolving, a firewall should not be the only consideration for protecting
the home network.
The importance of using firewalls as a security system is obvious; however, firewalls
have some limitations:
o Firewalls cannot stop users from accessing malicious websites, leaving the network
vulnerable to internal threats or attacks.
o Firewalls cannot protect against the transfer of virus-infected files or software.
o Firewalls cannot prevent misuse of passwords.
o Firewalls cannot protect if security rules are misconfigured.
o Firewalls cannot protect against non-technical security risks, such as social engineering.
o Firewalls cannot stop or prevent attackers with modems from dialing into or out of the
internal network.
o Firewalls cannot secure a system which is already infected.
Therefore, it is recommended to keep all Internet-enabled devices updated. This
includes the latest operating systems, web browsers, applications, and other security
software (such as anti-virus). Besides this, securing wireless routers should be another
practice. The process of protecting a router may include options such as periodically
changing the router's name and password, reviewing security settings, and creating a
guest network for visitors.
Types of Firewall
Depending on their structure and functionality, there are different types of firewalls.
The following is a list of some common types of firewalls:
o Proxy Firewall
o Packet-filtering firewalls
o Stateful Multi-layer Inspection (SMLI) Firewall
o Unified threat management (UTM) firewall
o Next-generation firewall (NGFW)
o Network address translation (NAT) firewalls
What is Honeypot?
• Difficulty Level : Medium
• Last Updated : 02 Jun, 2020
A honeypot is a network-attached system used as a trap for cyber-attackers, to detect
and study the tricks and types of attacks used by hackers. It acts as a potential target
on the internet and informs the defenders about any unauthorized attempt on the
information system.
Honeypots are mostly used by large companies and organizations involved in
cybersecurity. They help cybersecurity researchers learn about the different types
of attacks used by attackers. It is suspected that even cybercriminals use honeypots
to decoy researchers and spread false information.
The cost of a honeypot is generally high because it requires specialized skills and
resources to implement a system that appears to expose an organization's resources
while still preventing attacks on the backend and access to any production system.
A honeynet is a combination of two or more honeypots on a network.
Types of Honeypot:
Honeypots are classified based on their deployment and the involvement of
the intruder.
Based on their deployment, honeypots are divided into :
1. Research honeypots – These are used by researchers to analyze hacker attacks
and devise different ways to prevent these attacks.
2. Production honeypots – Production honeypots are deployed in production
networks along with the servers. These honeypots act as a frontend trap for
attackers, consisting of false information and giving the administrators time
to fix any vulnerability in the actual system.
Based on interaction, honeypots are classified into:
1. Low interaction honeypots: Low interaction honeypots give the hacker very little
insight into and control over the network. They simulate only the services that are
frequently requested by attackers. The main operating system is not involved in low
interaction systems and therefore they are less risky. They require very few
resources and are easy to deploy. The only disadvantage of these honeypots is that
experienced hackers can easily identify them and avoid them.
2. Medium interaction honeypots: Medium interaction honeypots allow the hacker more
activities as compared to low interaction honeypots. They can expect certain
activities and are designed to give certain responses beyond what a low-interaction
honeypot would give.
3. High interaction honeypots: A high interaction honeypot offers a large number of
services and activities to the hacker, therefore wasting the hackers' time and
trying to get complete information about them. These honeypots involve the real
operating system and therefore are comparatively risky if a hacker identifies the
honeypot. High interaction honeypots are also very costly and complex to implement,
but they provide extensive information about hackers.
Advantages of honeypot:
1. Acts as a rich source of information and helps collect real-time data.
2. Identifies malicious activity even if encryption is used.
3. Wastes hackers’ time and resources.
4. Improves security.
Disadvantages of honeypot:
1. Being distinguishable from production systems, it can be easily
identified by experienced attackers.
2. Having a narrow field of view, it can only identify direct attacks.
3. A honeypot once attacked can be used to attack other systems.
4. Fingerprinting (an attacker can identify the true identity of a honeypot).
Intrusion Detection System (IDS)
• Difficulty Level : Medium
• Last Updated : 17 Jan, 2022
An Intrusion Detection System (IDS) is a system that monitors network traffic for
suspicious activity and issues alerts when such activity is discovered. It is a
software application that scans a network or a system for harmful activity or policy
breaches. Any malicious venture or violation is normally reported either to an
administrator or collected centrally using a security information and event management
(SIEM) system. A SIEM system integrates outputs from multiple sources and uses alarm
filtering techniques to differentiate malicious activity from false alarms.
Although intrusion detection systems monitor networks for potentially malicious
activity, they are also prone to false alarms. Hence, organizations need to fine-tune
their IDS products when they first install them. This means properly setting up the
intrusion detection systems to recognize what normal traffic on the network looks like
as compared to malicious activity.
Intrusion prevention systems also monitor network packets inbound to the system to
check for malicious activity and immediately send warning notifications.
Classification of Intrusion Detection System:
IDS are classified into 5 types:
1. Network Intrusion Detection System (NIDS):
Network intrusion detection systems (NIDS) are set up at a planned
point within the network to examine traffic from all devices on the
network. A NIDS observes the traffic passing through the entire subnet
and matches it against a collection of known attacks. Once an attack is
identified or abnormal behavior is observed, an alert can be sent to the
administrator. An example of a NIDS deployment is installing it on the
subnet where the firewalls are located in order to see if someone is
trying to crack the firewall.
2. Host Intrusion Detection System (HIDS):
Host intrusion detection systems (HIDS) run on independent hosts or
devices on the network. A HIDS monitors the incoming and outgoing
packets of that device only and alerts the administrator if
suspicious or malicious activity is detected. It also takes a snapshot of
existing system files and compares it with the previous snapshot. If
monitored system files were edited or deleted, an alert is sent to the
administrator to investigate. An example of HIDS usage can be seen on
mission-critical machines, which are not expected to change their
layout.
3. Protocol-based Intrusion Detection System (PIDS):
A protocol-based intrusion detection system (PIDS) comprises a system
or agent that consistently resides at the front end of a server,
controlling and interpreting the protocol between a user/device and
the server. It typically secures a web server by monitoring the
HTTPS protocol stream and understanding the related HTTP protocol.
Because the HTTPS stream is encrypted in transit, the system needs to
reside at the interface where the traffic is decrypted, before it enters
the web presentation layer.
4. Application Protocol-based Intrusion Detection System (APIDS):
An application protocol-based intrusion detection system (APIDS) is a
system or agent that generally resides within a group of servers. It
identifies intrusions by monitoring and interpreting the
communication on application-specific protocols. For example, it
would monitor the SQL protocol specific to the middleware as it
transacts with the database in the web server.
5. Hybrid Intrusion Detection System :
A hybrid intrusion detection system is made by combining two
or more approaches to intrusion detection. In a hybrid
intrusion detection system, host agent or system data is combined with
network information to develop a complete view of the network
system. A hybrid intrusion detection system is more effective than
the other intrusion detection systems taken individually. Prelude is an
example of a hybrid IDS.
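The file-snapshot comparison described for HIDS above, as an added example (not code from the original page): it records a baseline of SHA-256 digests for every file under a directory, re-snapshots later and reports what was added, modified or deleted. The directory tree and the changes made to it are constructed in a temporary folder so the example runs offline.

```python
"""File-integrity snapshot check of the kind a HIDS performs.

Added example, not code from the original page. It records a baseline
snapshot of a directory tree (relative path -> SHA-256 digest), takes a
second snapshot later and reports files that were added, modified or
deleted. The directory contents are constructed in a temporary folder so
the example runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict[str, str]:
    """Return {relative POSIX path: digest} for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            result[full.relative_to(root).as_posix()] = file_digest(full)
    return result


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two snapshots into sorted lists of added, modified and deleted paths."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, alter it, re-snapshot, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "motd").write_text("welcome\n")
        (etc / "ssh_config").write_text("Port 22\n")

        baseline = snapshot(tmp)  # recorded while the host is in a known-good state

        # Constructed changes made after the baseline: one edit, one deletion, one new file.
        (etc / "hosts").write_text("127.0.0.1 localhost\n203.0.113.9 update.example\n")
        (etc / "motd").unlink()
        (etc / "unexpected.bin").write_bytes(b"\x7fELF")

        return compare(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"ALERT {kind}: {path}")
```

In a real deployment the baseline would be stored off-host (or signed), since an attacker with write access to the monitored files can otherwise also rewrite the snapshot they are compared against.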
Detection Method of IDS:
1. Signature-based Method:
A signature-based IDS detects attacks on the basis of specific
patterns such as the number of bytes, or the number of 1's or 0's, in
the network traffic. It also detects on the basis of already known
malicious instruction sequences used by malware. The
patterns the IDS looks for are known as signatures.
A signature-based IDS can easily detect attacks whose pattern
(signature) already exists in the system, but it is quite difficult to detect
new malware attacks because their pattern (signature) is not yet known.
2. Anomaly-based Method:
Anomaly-based IDS was introduced to detect unknown malware
attacks, as new malware is developed rapidly. In an anomaly-based IDS,
machine learning is used to create a model of trusted activity; incoming
traffic is compared against that model and declared suspicious if it does
not fit the model. The machine learning-based method generalizes better
than a signature-based IDS because these models can be trained for the
specific applications and hardware configurations in use.
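Both detection methods side by side, as an added example (not code from the original page). The signature matcher looks for known byte patterns in packet payloads; the anomaly model learns the mean and standard deviation of per-source packet counts from clean traffic windows and flags a count that exceeds mean + k·σ. The signatures, the training windows and the packets are all constructed for illustration, and the example shows why the two methods complement each other: the signature hit comes from a low-volume source the rate model never flags, and the flood is caught by the rate model although it matches no signature.

```python
"""Signature-based and anomaly-based detection over constructed traffic.

Added example, not code from the original page. The signatures, the training
windows and the packets are all constructed for illustration; a real IDS
loads thousands of signatures and learns its baseline from live traffic.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes


# Constructed signatures: (name, byte pattern that must occur in the payload).
SIGNATURES = [
    ("constructed-sig-dir-traversal", b"../../"),
    ("constructed-sig-script-tag", b"<script>"),
]


def signature_matches(pkt: Packet) -> list[str]:
    """Names of all signatures whose pattern occurs in the packet payload."""
    return [name for name, pattern in SIGNATURES if pattern in pkt.payload]


class RateBaseline:
    """Anomaly model: per-source packet counts per time window, learned from clean traffic.

    A count is anomalous when it exceeds mean + k * standard deviation of the
    training counts. k controls the false-alarm rate: too small and normal
    bursts alert, too large and slow attacks hide under the threshold.
    """

    def __init__(self, k: float = 3.0):
        self.k = k
        self.mu = 0.0
        self.sigma = 0.0

    def train(self, windows: list[dict[str, int]]) -> None:
        counts = [c for window in windows for c in window.values()]
        self.mu = mean(counts)
        self.sigma = pstdev(counts)

    def threshold(self) -> float:
        return self.mu + self.k * self.sigma

    def is_anomalous(self, count: int) -> bool:
        return count > self.threshold()


# Constructed per-source packet counts for four clean one-minute windows.
TRAINING_WINDOWS = [
    {"10.0.0.5": 10, "10.0.0.6": 12, "10.0.0.7": 9},
    {"10.0.0.5": 11, "10.0.0.6": 13, "10.0.0.7": 8},
    {"10.0.0.5": 9, "10.0.0.6": 12, "10.0.0.7": 10},
    {"10.0.0.5": 12, "10.0.0.6": 11, "10.0.0.7": 9},
]


def analyze(packets: list[Packet], window_counts: dict[str, int], model: RateBaseline) -> dict[str, list]:
    """Run both detection methods and return the alerts each one raised."""
    alerts = {"signature": [], "anomaly": []}
    for pkt in packets:
        for name in signature_matches(pkt):
            alerts["signature"].append((pkt.src, name))
    for src, count in window_counts.items():
        if model.is_anomalous(count):
            alerts["anomaly"].append(src)
    return alerts


def demo() -> dict[str, list]:
    model = RateBaseline(k=3.0)
    model.train(TRAINING_WINDOWS)
    # Constructed packets from the window under inspection.
    packets = [
        Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
        Packet("198.51.100.7", 80, b"GET /static/../../config HTTP/1.1"),
        Packet("203.0.113.9", 22, b"SSH-2.0-OpenSSH"),
    ]
    # Constructed per-source counts for the same window: one source floods.
    window_counts = {"10.0.0.5": 11, "198.51.100.7": 1, "203.0.113.9": 480}
    return analyze(packets, window_counts, model)


if __name__ == "__main__":
    print(demo())
```

With the constructed training data the learned mean is 10.5 and the standard deviation 1.5, so the alert threshold is 15 packets per window; a practitioner tuning an anomaly IDS would re-train the baseline whenever the normal traffic profile legitimately changes, or the threshold starts producing the false alarms the text warns about.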
Comparison of IDS with Firewalls:
IDS and firewalls are both related to network security, but an IDS differs from a
firewall in that a firewall looks outward for intrusions in order to stop them from
happening. Firewalls restrict access between networks to prevent intrusion, and
if an attack comes from inside the network they do not raise an alert. An IDS
describes a suspected intrusion once it has happened and then signals an alarm.
Intrusion Prevention System (IPS)
 Difficulty Level : Medium
 Last Updated : 31 Aug, 2021
An Intrusion Prevention System is also known as an Intrusion Detection and
Prevention System. It is a network security application that monitors network or
system activities for malicious activity. The major functions of intrusion prevention
systems are to identify malicious activity, collect information about this activity,
report it and attempt to block or stop it.
Intrusion prevention systems are considered an extension of Intrusion
Detection Systems (IDS) because both IPS and IDS monitor network traffic and
system activities for malicious activity.
An IPS typically records information related to observed events, notifies security
administrators of important observed events and produces reports. Many IPS can
also respond to a detected threat by attempting to prevent it from succeeding.
They use various response techniques, which involve the IPS stopping the attack
itself, changing the security environment or changing the attack's content.
Classification of Intrusion Prevention System (IPS):
Intrusion Prevention System (IPS) is classified into 4 types:
1. Network-based intrusion prevention system (NIPS):
It monitors the entire network for suspicious traffic by analyzing
protocol activity.
2. Wireless intrusion prevention system (WIPS):
It monitors a wireless network for suspicious traffic by analyzing
wireless networking protocols.
3. Network behavior analysis (NBA):
It examines network traffic to identify threats that generate unusual
traffic flows, such as distributed denial of service attacks, specific forms
of malware and policy violations.
4. Host-based intrusion prevention system (HIPS):
It is a software package installed on a single host that monitors that host
for suspicious activity by scanning the events that occur within it.
Comparison of Intrusion Prevention System (IPS) Technologies:
The Table below indicates various kinds of IPS Technologies:
Detection Method of Intrusion Prevention System (IPS):
1. Signature-based detection:
Signature-based detection inspects packets in the network and compares
them with pre-built, predetermined attack patterns known as signatures.
2. Statistical anomaly-based detection:
Anomaly-based detection monitors network traffic and compares it against
an established baseline. The baseline identifies what is normal for
that network and which protocols are used. However, it may raise false
alarms if the baseline is not intelligently configured.
3. Stateful protocol analysis detection:
This method recognizes deviations of protocol state by
comparing observed events with pre-built profiles of generally
accepted definitions of benign activity.
Comparison of IPS with IDS:
The main differences between an Intrusion Prevention System (IPS) and an
Intrusion Detection System (IDS) are:
1. Intrusion prevention systems are placed in-line and are able to actively
prevent or block intrusions that are detected.
2. IPS can take such actions as sending an alarm, dropping detected
malicious packets, resetting a connection or blocking traffic from the
offending IP address.
3. IPS also can correct cyclic redundancy check (CRC) errors, defragment
packet streams, mitigate TCP sequencing issues and clean up unwanted
transport and network layer options.
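Stateful protocol analysis (method 3 above) combined with the in-line response actions listed in the IPS/IDS comparison, as an added example (not code from the original page). The "accepted definition of benign activity" is a minimal profile of the TCP three-way handshake; a segment that does not fit the connection's current state is a deviation. Because the IPS sits in-line, every segment receives a PASS or DROP verdict, and the source of a deviation is added to a block list so its later traffic is dropped too. The segments are constructed, and the block-on-first-deviation policy is deliberately strict for illustration; a production IPS would be more tolerant of the stray segments real stacks produce.

```python
"""Stateful protocol analysis inside an in-line IPS.

Added example, not code from the original page. A minimal profile of the
TCP three-way handshake (SYN -> SYN-ACK -> ACK -> data) serves as the
accepted definition of benign activity; segments that do not fit the
connection's current state are violations. Each segment gets a verdict,
PASS or DROP, and the source of a violation goes on a block list. The
segments in demo() are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}
    data: bytes = b""


def seg(src, sport, dst, dport, *flags, data=b"") -> Segment:
    """Small constructor so the constructed traffic below reads naturally."""
    return Segment(src, sport, dst, dport, frozenset(flags), data)


class StatefulIPS:
    def __init__(self):
        self.state = {}      # connection key -> handshake state
        self.initiator = {}  # connection key -> IP that sent the first SYN
        self.blocked = set()
        self.log = []        # (verdict, reason) per inspected segment

    @staticmethod
    def _key(s: Segment):
        # Same key for both directions of one connection.
        return tuple(sorted([(s.src, s.sport), (s.dst, s.dport)]))

    def _verdict(self, verdict: str, reason: str) -> str:
        self.log.append((verdict, reason))
        return verdict

    def _violation(self, s: Segment, reason: str) -> str:
        # IPS response: drop the segment and block the offending source address.
        self.blocked.add(s.src)
        return self._verdict("DROP", reason)

    def inspect(self, s: Segment) -> str:
        if s.src in self.blocked:
            return self._verdict("DROP", "source on block list")
        key = self._key(s)
        state = self.state.get(key, "NONE")
        f = s.flags
        if "RST" in f or "FIN" in f:
            if state == "NONE":
                return self._violation(s, "FIN/RST for unknown connection")
            self.state.pop(key, None)
            self.initiator.pop(key, None)
            return self._verdict("PASS", "connection closed")
        if "SYN" in f and "ACK" not in f:
            if state != "NONE":
                return self._violation(s, "SYN on existing connection")
            self.state[key] = "SYN_SENT"
            self.initiator[key] = s.src
            return self._verdict("PASS", "handshake started")
        if "SYN" in f and "ACK" in f:
            if state != "SYN_SENT" or s.src == self.initiator[key]:
                return self._violation(s, "SYN-ACK outside handshake")
            self.state[key] = "SYN_RECEIVED"
            return self._verdict("PASS", "handshake reply")
        if "ACK" in f:
            if state == "SYN_RECEIVED" and s.src == self.initiator[key]:
                self.state[key] = "ESTABLISHED"
                return self._verdict("PASS", "handshake completed")
            if state == "ESTABLISHED":
                return self._verdict("PASS", "data on established connection")
            return self._violation(s, "ACK/data before handshake completed")
        return self._violation(s, "segment without valid flags")


def demo():
    """Constructed traffic: one benign connection, then a source that skips the handshake."""
    ips = StatefulIPS()
    client, server, other = "10.0.0.5", "10.0.0.10", "198.51.100.7"
    traffic = [
        seg(client, 40000, server, 80, "SYN"),
        seg(server, 80, client, 40000, "SYN", "ACK"),
        seg(client, 40000, server, 80, "ACK"),
        seg(client, 40000, server, 80, "ACK", data=b"GET / HTTP/1.1\r\n\r\n"),
        seg(server, 80, client, 40000, "ACK", data=b"HTTP/1.1 200 OK\r\n\r\n"),
        # Deviation: data arrives on a connection that never completed a handshake.
        seg(other, 51000, server, 80, "ACK", data=b"GET /status HTTP/1.1\r\n\r\n"),
        # Anything further from that source is dropped by the block list.
        seg(other, 51001, server, 80, "SYN"),
    ]
    verdicts = [ips.inspect(s) for s in traffic]
    return verdicts, sorted(ips.blocked), ips.log


if __name__ == "__main__":
    for v, (_, reason) in zip(*demo()[::2]):
        print(v, reason)
```

The state table is what separates this from the stateless signature check: the sixth segment contains nothing a signature would match, yet it is dropped purely because no connection in the table is in a state where data is acceptable.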

More Related Content

Similar to UNIT-4.docx

RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5
CAS
 
Firewall presentation m. emin özgünsür
Firewall presentation   m. emin özgünsürFirewall presentation   m. emin özgünsür
Firewall presentation m. emin özgünsüremin_oz
 
Computing safety
Computing safetyComputing safety
Computing safety
Brulius
 
Types of malicious software and remedies
Types of malicious software and remediesTypes of malicious software and remedies
Types of malicious software and remedies
Manish Kumar
 
Edu 03Anju 23 assignment.pdf
Edu 03Anju 23 assignment.pdfEdu 03Anju 23 assignment.pdf
Edu 03Anju 23 assignment.pdf
ANJUMOHANANU
 
Firewalls
FirewallsFirewalls
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
Firewall
FirewallFirewall
Security threats explained
Security threats explained Security threats explained
Security threats explained
Abhijeet Karve
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
Firewall protection
Firewall protectionFirewall protection
Firewall protection
VC Infotech
 
Firewall
Firewall Firewall
Firewall
FirewallFirewall
Firewall
ArchanaMani2
 
FIREWALLS BY SAIKIRAN PANJALA
FIREWALLS BY SAIKIRAN PANJALAFIREWALLS BY SAIKIRAN PANJALA
FIREWALLS BY SAIKIRAN PANJALA
Saikiran Panjala
 
Computer network 6
Computer network 6Computer network 6
Computer network 6
MDHASNAIN23
 
Lec # 13 Firewall.pptx
Lec # 13 Firewall.pptxLec # 13 Firewall.pptx
Lec # 13 Firewall.pptx
skknowledge
 
Computer networking
Computer networking Computer networking
Computer networking
Sukrant Chandna
 
Firewalls
FirewallsFirewalls
Firewalls
Deevena Dayaal
 
FIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
FIREWALL PROJECT.pptx BY SAKSHI SOLAPUREFIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
FIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
SakshiSolapure1
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 

Similar to UNIT-4.docx (20)

RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5
 
Firewall presentation m. emin özgünsür
Firewall presentation   m. emin özgünsürFirewall presentation   m. emin özgünsür
Firewall presentation m. emin özgünsür
 
Computing safety
Computing safetyComputing safety
Computing safety
 
Types of malicious software and remedies
Types of malicious software and remediesTypes of malicious software and remedies
Types of malicious software and remedies
 
Edu 03Anju 23 assignment.pdf
Edu 03Anju 23 assignment.pdfEdu 03Anju 23 assignment.pdf
Edu 03Anju 23 assignment.pdf
 
Firewalls
FirewallsFirewalls
Firewalls
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 
Firewall
FirewallFirewall
Firewall
 
Security threats explained
Security threats explained Security threats explained
Security threats explained
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Firewall protection
Firewall protectionFirewall protection
Firewall protection
 
Firewall
Firewall Firewall
Firewall
 
Firewall
FirewallFirewall
Firewall
 
FIREWALLS BY SAIKIRAN PANJALA
FIREWALLS BY SAIKIRAN PANJALAFIREWALLS BY SAIKIRAN PANJALA
FIREWALLS BY SAIKIRAN PANJALA
 
Computer network 6
Computer network 6Computer network 6
Computer network 6
 
Lec # 13 Firewall.pptx
Lec # 13 Firewall.pptxLec # 13 Firewall.pptx
Lec # 13 Firewall.pptx
 
Computer networking
Computer networking Computer networking
Computer networking
 
Firewalls
FirewallsFirewalls
Firewalls
 
FIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
FIREWALL PROJECT.pptx BY SAKSHI SOLAPUREFIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
FIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 

Recently uploaded

一比一原版UMN毕业证明尼苏达大学毕业证成绩单如何办理
一比一原版UMN毕业证明尼苏达大学毕业证成绩单如何办理一比一原版UMN毕业证明尼苏达大学毕业证成绩单如何办理
一比一原版UMN毕业证明尼苏达大学毕业证成绩单如何办理
zaquoa
 
Piccola cucina Best Restaurant in Brooklyn
Piccola cucina Best Restaurant in BrooklynPiccola cucina Best Restaurant in Brooklyn
Piccola cucina Best Restaurant in Brooklyn
Best italian Restaurant NYC
 
Food and beverage service Restaurant Services notes V1.pptx
Food and beverage service Restaurant Services notes V1.pptxFood and beverage service Restaurant Services notes V1.pptx
Food and beverage service Restaurant Services notes V1.pptx
mangenatendaishe
 
Key Features of The Italian Restaurants.pdf
Key Features of The Italian Restaurants.pdfKey Features of The Italian Restaurants.pdf
Key Features of The Italian Restaurants.pdf
menafilo317
 
Roti Bank Hyderabad: A Beacon of Hope and Nourishment
Roti Bank Hyderabad: A Beacon of Hope and NourishmentRoti Bank Hyderabad: A Beacon of Hope and Nourishment
Roti Bank Hyderabad: A Beacon of Hope and Nourishment
Roti Bank
 
一比一原版IC毕业证帝国理工大学毕业证成绩单如何办理
一比一原版IC毕业证帝国理工大学毕业证成绩单如何办理一比一原版IC毕业证帝国理工大学毕业证成绩单如何办理
一比一原版IC毕业证帝国理工大学毕业证成绩单如何办理
saseh1
 
一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理
一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理
一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理
zaquoa
 
Best Chicken Mandi in Ghaziabad near me.
Best Chicken Mandi in Ghaziabad near me.Best Chicken Mandi in Ghaziabad near me.
Best Chicken Mandi in Ghaziabad near me.
tasteofmiddleeast07
 
Ang Chong Yi Navigating Singaporean Flavors: A Journey from Cultural Heritage...
Ang Chong Yi Navigating Singaporean Flavors: A Journey from Cultural Heritage...Ang Chong Yi Navigating Singaporean Flavors: A Journey from Cultural Heritage...
Ang Chong Yi Navigating Singaporean Flavors: A Journey from Cultural Heritage...
Ang Chong Yi
 

Recently uploaded (9)

一比一原版UMN毕业证明尼苏达大学毕业证成绩单如何办理
一比一原版UMN毕业证明尼苏达大学毕业证成绩单如何办理一比一原版UMN毕业证明尼苏达大学毕业证成绩单如何办理
一比一原版UMN毕业证明尼苏达大学毕业证成绩单如何办理
 
Piccola cucina Best Restaurant in Brooklyn
Piccola cucina Best Restaurant in BrooklynPiccola cucina Best Restaurant in Brooklyn
Piccola cucina Best Restaurant in Brooklyn
 
Food and beverage service Restaurant Services notes V1.pptx
Food and beverage service Restaurant Services notes V1.pptxFood and beverage service Restaurant Services notes V1.pptx
Food and beverage service Restaurant Services notes V1.pptx
 
Key Features of The Italian Restaurants.pdf
Key Features of The Italian Restaurants.pdfKey Features of The Italian Restaurants.pdf
Key Features of The Italian Restaurants.pdf
 
Roti Bank Hyderabad: A Beacon of Hope and Nourishment
Roti Bank Hyderabad: A Beacon of Hope and NourishmentRoti Bank Hyderabad: A Beacon of Hope and Nourishment
Roti Bank Hyderabad: A Beacon of Hope and Nourishment
 
一比一原版IC毕业证帝国理工大学毕业证成绩单如何办理
一比一原版IC毕业证帝国理工大学毕业证成绩单如何办理一比一原版IC毕业证帝国理工大学毕业证成绩单如何办理
一比一原版IC毕业证帝国理工大学毕业证成绩单如何办理
 
一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理
一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理
一比一原版UVM毕业证佛蒙特大学毕业证成绩单如何办理
 
Best Chicken Mandi in Ghaziabad near me.
Best Chicken Mandi in Ghaziabad near me.Best Chicken Mandi in Ghaziabad near me.
Best Chicken Mandi in Ghaziabad near me.
 
Ang Chong Yi Navigating Singaporean Flavors: A Journey from Cultural Heritage...
Ang Chong Yi Navigating Singaporean Flavors: A Journey from Cultural Heritage...Ang Chong Yi Navigating Singaporean Flavors: A Journey from Cultural Heritage...
Ang Chong Yi Navigating Singaporean Flavors: A Journey from Cultural Heritage...
 

UNIT-4.docx

  • 1. UNIT-4 Malwares – Malicious Software  Difficulty Level : Basic  Last Updated : 29 Jan, 2020 Malware is a software that gets into the system without user consent with an intention to steal private and confidential data of the user that includes bank details and password. They also generates annoying pop up ads and makes changes in system settings They get into the system through various means: 1. Along with free downloads. 2. Clicking on suspicious link. 3. Opening mails from malicious source. 4. Visiting malicious websites. 5. Not installing an updated version of antivirus in the system. Types: 1. Virus 2. Worm 3. Logic Bomb 4. Trojan/Backdoor 5. Rootkit 6. Advanced Persistent Threat 7. Spyware and Adware What is computer virus: Computer virus refers to a program which damages computer systems and/or destroys or erases data files. A computer virus is a malicious program that self- replicates by copying itself to another program. In other words, the computer virus spreads by itself into other executable code or documents. The purpose of creating a computer virus is to infect vulnerable systems, gain admin control and steal user sensitive data. Hackers design computer viruses with malicious intent and prey on online users by tricking them. Symptoms:  Letter looks like they are falling to the bottom of the screen.  The computer system becomes slow.  The size of available free memory reduces.  The hard disk runs out of space.  The computer does not boot. Types of Computer Virus: These are explained as following below. 1. Parasitic – These are the executable (.COM or .EXE execution starts at first instruction). Propagated by attaching itself to particular file or program. Generally resides at the start (prepending) or at the end (appending) of a file, e.g. Jerusalem.
  • 2. 2. Boot Sector – Spread with infected floppy or pen drives used to boot the computers. During system boot, boot sector virus is loaded into main memory and destroys data stored in hard disk, e.g. Polyboot, Disk killer, Stone, AntiEXE. 3. Polymorphic – Changes itself with each infection and creates multiple copies. Multipartite: use more than one propagation method. >Difficult for antivirus to detect, e.g. Involutionary, Cascade, Evil,Virus 101., Stimulate. Three major parts: Encrypted virus body, Decryption routine varies from infection to infection, and Mutation engine. 4. Memory Resident – Installs code in the computer memory. Gets activated for OS run and damages all files opened at that time, e.g. Randex, CMJ, Meve. 5. Stealth – Hides its path after infection. It modifies itself hence difficult to detect and masks the size of infected file, e.g. Frodo, Joshi, Whale. 6. Macro – Associated with application software like word and excel. When opening the infected document, macro virus is loaded into main memory and destroys the data stored in hard disk. As attached with documents; spreads with those infected documents only, e.g. DMV, Melissa, A, Relax, Nuclear, Word Concept. 7. Hybrids – Features of various viruses are combined, e.g. Happy99 (Email virus). Worm: A worm is a destructive program that fills a computer system with self- replicating information, clogging the system so that its operations are slowed down or stopped. Types of Worm: 1. Email worm – Attaching to fake email messages. 2. Instant messaging worm – Via instant messaging applications using loopholes in network. 3. Internet worm – Scans systems using OS services. 4. Internet Relay Chat (IRC) worm – Transfers infected files to web sites. 5. Payloads – Delete or encrypt file, install backdoor, creating zombie etc. 6. Worms with good intent – Downloads application patches. Logical Bomb: A logical bomb is a destructive program that performs an activity when a certain action has occurred. 
These are hidden in programming code. Executes only when a specific condition is met, e.g. Jerusalem.
  • 3. Script Virus: Commonly found script viruses are written using the Visual Basic Scripting Edition (VBS) and the JavaScript programming language. Trojan / Backdoor: Trojan Horse is a destructive program. It usually pretends as computer games or application software. If executed, the computer system will be damaged. Trojan Horse usually comes with monitoring tools and key loggers. These are active only when specific events are alive. These are hidden with packers, crypters and wrappers.< Hence, difficult to detect through antivirus. These can use manual removal or firewall precaution. RootKits: Collection of tools that allow an attacker to take control of a system.  Can be used to hide evidence of an attacker’s presence and give them backdoor access.  Can contain log cleaners to remove traces of attacker.  Can be divided as: – Application or file rootkits: replaces binaries in Linux system – Kernel: targets kernel of OS and is known as a loadable kernel module (LKM)  Gains control of infected m/c by: – DLL injection: by injecting malicious DLL (dynamic link library) – Direct kernel object manipulation: modify kernel structures and directly target trusted part of OS – Hooking: changing applicant’s execution flow Advanced Persistent Threat: Created by well funded, organized groups, nation-state actors, etc. Desire to compromise government and commercial entities, e.g. Flame: used for reconnaissance and information gathering of system. Spyware and Adware: Normally gets installed along with free software downloads. Spies on the end- user, attempts to redirect the user to specific sites. Main tasks: Behavioral surveillance and advertising with pop up ads Slows down the system. Types of Firewall Firewall is a network device that isolates organization’s internal network from larger outside network/Internet. It can be a hardware, software, or combined system that prevents unauthorized access to or from internal network. 
All data packets entering or leaving the internal network pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.
  • 4. Deploying firewall at network boundary is like aggregating the security at a single point. It is analogous to locking an apartment at the entrance and not necessarily at each door. Firewall is considered as an essential element to achieve network security for the following reasons −  Internal network and hosts are unlikely to be properly secured.  Internet is a dangerous place with criminals, users from competing companies, disgruntled ex-employees, spies from unfriendly countries, vandals, etc.  To prevent an attacker from launching denial of service attacks on network resource.  To prevent illegal modification/access to internal data by an outsider attacker. Firewall is categorized into three basic types −  Packet filter (Stateless & Stateful)  Application-level gateway  Circuit-level gateway These three categories, however, are not mutually exclusive. Modern firewalls have a mix of abilities that may place them in more than one of the three categories. AD
  • 5. Stateless & Stateful Packet Filtering Firewall In this type of firewall deployment, the internal network is connected to the external network/Internet via a router firewall. The firewall inspects and filters data packet-by-packet. Packet-filtering firewalls allow or block the packets mostly based on criteria such as source and/or destination IP addresses, protocol, source and/or destination port numbers, and various other parameters within the IP header. The decision can be based on factors other than IP header fields such as ICMP message type, TCP SYN and ACK bits, etc. Packet filter rule has two parts −  Selection criteria − It is a used as a condition and pattern matching for decision making.  Action field − This part specifies action to be taken if an IP packet meets the selection criteria. The action could be either block (deny) or permit (allow) the packet across the firewall. Packet filtering is generally accomplished by configuring Access Control Lists (ACL) on routers or switches. ACL is a table of packet filter rules. As traffic enters or exits an interface, firewall applies ACLs from top to bottom to each incoming packet, finds matching criteria and either permits or denies the individual packets. Stateless firewall is a kind of a rigid tool. It looks at packet and allows it if its meets the criteria even if it is not part of any established ongoing communication. Hence, such firewalls are replaced by stateful firewalls in modern networks. This type of firewalls offer a more in-depth inspection method over the only ACL based packet inspection methods of stateless firewalls. Stateful firewall monitors the connection setup and teardown process to keep a check on connections at the TCP/IP level. This allows them to keep track of connections state and determine which hosts have open, authorized connections at any given point in time. They reference the rule base only when a new connection is requested. 
Packets belonging to existing connections are compared to the firewall's state table of open connections, and decision to allow or block is taken. This process saves time and provides added security as well. No packet is allowed to trespass the firewall unless it belongs to already established connection. It
  • 6. can timeout inactive connections at firewall after which it no longer admit packets for that connection. Application Gateways An application-level gateway acts as a relay node for the application-level traffic. They intercept incoming and outgoing packets, run proxies that copy and forward information across the gateway, and function as a proxy server, preventing any direct connection between a trusted server or client and an untrusted host. The proxies are application specific. They can filter packets at the application layer of the OSI model. Application-specific Proxies An application-specific proxy accepts packets generated by only specified application for which they are designed to copy, forward, and filter. For example, only a Telnet proxy can copy, forward, and filter Telnet traffic. If a network relies only on an application-level gateway, incoming and outgoing packets cannot access services that have no proxies configured. For example, if a gateway runs FTP and Telnet proxies, only packets generated by these services can pass through the firewall. All other services are blocked. Application-level Filtering An application-level proxy gateway, examines and filters individual packets, rather than simply copying them and blindly forwarding them across the gateway. Application-specific proxies check each packet that passes through the gateway, verifying the contents of the packet up through the application layer. These proxies can filter particular kinds of commands or information in the application protocols. Application gateways can restrict specific actions from being performed. For example, the gateway could be configured to prevent users from performing the ‘FTP put’ command. This can prevent modification of the information stored on the server by an attacker. Transparent Although application-level gateways can be transparent, many implementations require user authentication before users can access an untrusted network, a process that reduces true
  • 7. transparency. Authentication may be different if the user is from the internal network or from the Internet. For an internal network, a simple list of IP addresses can be allowed to connect to external applications. But from the Internet side a strong authentication should be implemented. An application gateway actually relays TCP segments between the two TCP connections in the two directions (Client ↔ Proxy ↔ Server). For outbound packets, the gateway may replace the source IP address by its own IP address. The process is referred to as Network Address Translation (NAT). It ensures that internal IP addresses are not exposed to the Internet. AD Circuit-Level Gateway The circuit-level gateway is an intermediate solution between the packet filter and the application gateway. It runs at the transport layer and hence can act as proxy for any application. Similar to an application gateway, the circuit-level gateway also does not permit an end-to-end TCP connection across the gateway. It sets up two TCP connections and relays the TCP segments from one network to the other. But, it does not examine the application data like application gateway. Hence, sometime it is called as ‘Pipe Proxy’. SOCKS SOCKS (RFC 1928) refers to a circuit-level gateway. It is a networking proxy mechanism that enables hosts on one side of a SOCKS server to gain full access to hosts on the other side without requiring direct IP reachability. The client connects to the SOCKS server at the firewall. Then the client enters a negotiation for the authentication method to be used, and authenticates with the chosen method. The client sends a connection relay request to the SOCKS server, containing the desired destination IP address and transport port. The server accepts the request after checking that the client meets the basic filtering criteria. 
Then, on behalf of the client, the gateway opens a connection to the requested untrusted host and then closely monitors the TCP handshaking that follows. The SOCKS server informs the client, and in case of success, starts relaying the data between the two connections. Circuit level gateways are used when the organization trusts the internal users, and does not want to inspect the contents or application data sent on the Internet. Firewall Deployment with DMZ A firewall is a mechanism used to control network traffic ‘into’ and ‘out’ of an organizational internal network. In most cases these systems have two network interfaces, one for the external network such as the Internet and the other for the internal side. The firewall process can tightly control what is allowed to traverse from one side to the other. An organization that wishes to provide external access to its web server can restrict all traffic arriving at firewall expect for port 80 (the standard http port). All other traffic such as mail traffic, FTP, SNMP, etc., is not allowed across the firewall into the internal network. An example of a simple firewall is shown in the following diagram.
  • 8. In the above simple deployment, though all other accesses from outside are blocked, it is possible for an attacker to contact not only a web server but any other host on internal network that has left port 80 open by accident or otherwise. Hence, the problem most organizations face is how to enable legitimate access to public services such as web, FTP, and e-mail while maintaining tight security of the internal network. The typical approach is deploying firewalls to provide a Demilitarized Zone (DMZ) in the network. In this setup (illustrated in following diagram), two firewalls are deployed; one between the external network and the DMZ, and another between the DMZ and the internal network. All public servers are placed in the DMZ. With this setup, it is possible to have firewall rules which allow public access to the public servers but the interior firewall can restrict all incoming connections. By having the DMZ, the public servers are provided with adequate protection instead of placing them directly on external network.
  • 9. Intrusion Detection / Prevention System The packet filtering firewalls operate based on rules involving TCP/UDP/IP headers only. They do not attempt to establish correlation checks among different sessions. Intrusion Detection/Prevention System (IDS/IPS) carry out Deep Packet Inspection (DPI) by looking at the packet contents. For example, checking character strings in packet against database of known virus, attack strings. Application gateways do look at the packet contents but only for specific applications. They do not look for suspicious data in the packet. IDS/IPS looks for suspicious data contained in packets and tries to examine correlation among multiple packets to identify any attacks such as port scanning, network mapping, and denial of service and so on. Difference betweenIDS and IPS IDS and IPS are similar in detection of anomalies in the network. IDS is a ‘visibility’ tool whereas IPS is considered as a ‘control’ tool. Intrusion Detection Systems sit off to the side of the network, monitoring traffic at many different points, and provide visibility into the security state of the network. In case of reporting of anomaly by IDS, the corrective actions are initiated by the network administrator or other device on the network. Intrusion Prevention System are like firewall and they sit in-line between two networks and control the traffic going through them. It enforces a specified policy on detection of anomaly in the network traffic. Generally, it drops all packets and blocks the entire network traffic on noticing an anomaly till such time an anomaly is addressed by the administrator.
  • 10. Types of IDS

There are two basic types of IDS.

Signature-based IDS
o It needs a database of known attacks with their signatures.
o A signature is defined by the types and order of packets characterizing a particular attack.
o The limitation of this type of IDS is that only known attacks can be detected. This IDS can also throw up a false alarm. A false alarm occurs when a normal packet stream matches the signature of an attack.
o A well-known public open-source IDS example is “Snort”.

Anomaly-based IDS
o This type of IDS creates a traffic pattern of normal network operation.
o In IDS mode, it looks for traffic patterns that are statistically unusual, for example an unusual ICMP load, exponential growth in port scans, etc.
o Detection of any unusual traffic pattern generates the alarm.
o The major challenge in this type of IDS deployment is the difficulty in distinguishing between normal traffic and unusual traffic.

Summary

In this chapter, we discussed the various mechanisms employed for network access control. The approach to network security through access control is technically different from implementing security controls at different network layers, discussed in the earlier chapters of
  • 11. this tutorial. However, though the approaches of implementation are different, they are complementary to each other. Network access control comprises two main components: user authentication and network boundary protection. RADIUS is a popular mechanism for providing central authentication in the network. A firewall provides network boundary protection by separating an internal network from the public Internet. A firewall can function at different layers of the network protocol stack. IDS/IPS allow anomalies in the network traffic to be monitored in order to detect an attack and take preventive action against it.

What is a Firewall?

A firewall can be defined as a special type of network security device or a software program that monitors and filters incoming and outgoing network traffic based on a defined set of security rules. It acts as a barrier between internal private networks and external sources (such as the public Internet). The primary purpose of a firewall is to allow non-threatening traffic and prevent malicious or unwanted data traffic, protecting the computer from viruses and attacks. A firewall is a cybersecurity tool that filters network traffic and helps users block malicious software on infected computers from reaching the Internet.

Firewall: Hardware or Software

One of the most frequently asked questions is whether a firewall is hardware or software. As stated above, a firewall can be a network security device or a software program on a computer. This means that the firewall comes at both levels, i.e., hardware and software, though it's best to have both.
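The DPI string matching and cross-packet correlation of slide 9, and the signature-based versus anomaly-based split of slide 10, as an added example that is not part of the original slides: a minimal IDS core run over a constructed packet trace. The signature database (the EICAR test pattern plus a made-up scanner User-Agent), the thresholds and all addresses are assumptions.

```python
# Added example: the two IDS detection styles of slide 10 over a constructed
# trace. Signatures, thresholds and addresses are illustrative choices.
from collections import defaultdict
from typing import Dict, List, Tuple

# A packet here is (src, dst, proto, dport, payload); all values constructed.
Packet = Tuple[str, str, str, int, bytes]

# Signature database: name -> byte string characterizing a known attack.
# The first is the prefix of the standard, harmless EICAR antivirus test string;
# the second is a constructed scanner User-Agent used only for this example.
SIGNATURES: Dict[str, bytes] = {
    "eicar-test-file": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR",
    "constructed-scanner-ua": b"User-Agent: ConstructedScannerBot/1.0",
}


def signature_alerts(trace: List[Packet]) -> List[Tuple[int, str]]:
    """Deep packet inspection: match every payload against every known
    signature. Only attacks already in the database can be found."""
    alerts = []
    for i, (_, _, _, _, payload) in enumerate(trace):
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                alerts.append((i, name))
    return alerts


def anomaly_alerts(baseline: List[Packet], trace: List[Packet],
                   factor: float = 3.0, scan_ports: int = 10) -> List[str]:
    """Anomaly detection: learn the per-source ICMP volume from a baseline
    window, then flag sources exceeding `factor` times the learned maximum,
    and flag any source touching >= `scan_ports` distinct TCP ports on one
    host (correlation across packets, as for port scanning on slide 9)."""
    icmp_base: Dict[str, int] = defaultdict(int)
    for src, _, proto, _, _ in baseline:
        if proto == "icmp":
            icmp_base[src] += 1
    normal_max = max(icmp_base.values(), default=1)

    icmp_now: Dict[str, int] = defaultdict(int)
    ports: Dict[Tuple[str, str], set] = defaultdict(set)
    for src, dst, proto, dport, _ in trace:
        if proto == "icmp":
            icmp_now[src] += 1
        elif proto == "tcp":
            ports[(src, dst)].add(dport)

    alerts = []
    for src, n in icmp_now.items():
        if n > factor * normal_max:
            alerts.append(f"icmp-flood from {src} ({n} vs baseline max {normal_max})")
    for (src, dst), ps in ports.items():
        if len(ps) >= scan_ports:
            alerts.append(f"port-scan {src} -> {dst} ({len(ps)} ports)")
    return alerts


def build_baseline() -> List[Packet]:
    # Constructed quiet period: two hosts each ping once, plus one web request.
    return [("10.0.0.5", "10.0.0.1", "icmp", 0, b""),
            ("10.0.0.6", "10.0.0.1", "icmp", 0, b""),
            ("10.0.0.5", "192.0.2.80", "tcp", 80, b"GET / HTTP/1.1")]


def build_trace() -> List[Packet]:
    # Constructed suspicious period: scanner UA, a sweep of ports, an ICMP
    # burst, one normal request, and a mail payload carrying the test string.
    t: List[Packet] = [("203.0.113.9", "192.0.2.80", "tcp", 80,
                        b"GET / HTTP/1.1\r\n" + SIGNATURES["constructed-scanner-ua"])]
    t += [("203.0.113.9", "192.0.2.80", "tcp", p, b"") for p in range(1, 13)]
    t += [("203.0.113.7", "10.0.0.1", "icmp", 0, b"")] * 8
    t.append(("10.0.0.5", "192.0.2.80", "tcp", 80, b"GET /index.html HTTP/1.1"))
    t.append(("10.0.0.6", "192.0.2.25", "tcp", 25, b"DATA " + SIGNATURES["eicar-test-file"]))
    return t


if __name__ == "__main__":
    print(signature_alerts(build_trace()))
    print(anomaly_alerts(build_baseline(), build_trace()))
```

Note that the port sweep produces no signature alert at all: it is only the anomaly detector, correlating across packets, that sees it.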
  • 12. Each format (a firewall implemented as hardware or software) has different functionality but the same purpose. A hardware firewall is a physical device that attaches between a computer network and a gateway, for example a broadband router. On the other hand, a software firewall is a simple program installed on a computer that works through port numbers and other installed software.

Apart from that, there are cloud-based firewalls. They are commonly referred to as FaaS (firewall as a service). A primary advantage of using cloud-based firewalls is that they can be managed centrally. Like hardware firewalls, cloud-based firewalls are best known for providing perimeter security.

Why Firewall

Firewalls are primarily used to prevent malware and network-based attacks. Additionally, they can help in blocking application-layer attacks. These firewalls act as a gatekeeper or a barrier. They monitor every attempt between our computer and another network. They do not allow data packets to be transferred through them unless the data is coming from or going to a user-specified trusted source. Firewalls are designed so that they can react quickly to detect and counter attacks throughout the network. They can work with rules configured to protect the network and perform quick assessments to find any suspicious activity. In short, we can think of the firewall as a traffic controller.

Some of the important risks of not having a firewall are:

Open Access

If a computer is running without a firewall, it is giving open access to other networks. This means that it is accepting every kind of connection that comes from anyone. In this case, it is not possible to detect threats or attacks coming through our network. Without a firewall, we make our devices vulnerable to malicious users and other unwanted sources.

Lost or Compromised Data

Without a firewall, we are leaving our devices accessible to everyone.
This means that anyone can access our device and have complete control over it, including the network. In this case, cybercriminals can easily delete our data or use our personal information for their benefit.
  • 13. Network Crashes

In the absence of a firewall, anyone could access our network and shut it down. It may lead us to invest our valuable time and money to get our network working again. Therefore, it is essential to use firewalls and keep our network, computer, and data safe and secure from unwanted sources.

Brief History of Firewall

Firewalls have been the first and most reliable component of defense in network security for over 30 years. Firewalls first came into existence in the late 1980s. They were initially designed as packet filters. These packet filters were nothing but a setup of networks between computers. The primary function of these packet filtering firewalls was to check for packets or bytes transferred between different computers. Firewalls have become more advanced due to continuous development, although such packet filtering firewalls are still in use in legacy systems.

As the technology emerged, Gil Shwed from Check Point Technologies introduced the first stateful inspection firewall in 1993. It was named FireWall-1. Back in 2000, Netscreen came up with its purpose-built firewall 'Appliance'. It gained popularity and fast adoption within enterprises because of increased internet speed, less latency, and high throughput at a lower cost.

The turn of the century saw a new approach to firewall implementation during the mid-2010s. The 'Next-Generation Firewalls' were introduced by Palo Alto Networks. These firewalls came with a variety of built-in functions and capabilities, such as Hybrid Cloud Support, Network Threat Prevention, Application and Identity-Based Control, and Scalable Performance. Firewalls are still getting new features as part of continuous development. They are considered the first line of defense when it comes to network security.

How does a firewall work?

A firewall system analyzes network traffic based on pre-defined rules.
It then filters the traffic and blocks any traffic coming from unreliable or suspicious sources. It only allows the incoming traffic that it is configured to accept. Typically, firewalls intercept network traffic at a computer's entry point, known as a port. Firewalls perform this task by allowing or blocking specific data packets (units of
  • 14. communication transferred over a digital network) based on pre-defined security rules. Incoming traffic is allowed only from trusted IP addresses, or sources.

Functions of Firewall

As stated above, the firewall works as a gatekeeper. It analyzes every attempt to gain access to our operating system and prevents traffic from unwanted or non-recognized sources. Since the firewall acts as a barrier or filter between the computer system and other networks (i.e., the public Internet), we can consider it a traffic controller. Therefore, a firewall's primary function is to secure our network and information by controlling network traffic, preventing unwanted incoming network traffic, and validating access by assessing network traffic for malicious things such as hackers and malware.

Generally, most operating systems (for example, Windows OS) and security software come with built-in firewall support. Therefore, it is a good idea to ensure that those options are turned on. Additionally, we can configure the security settings of the system to be automatically updated whenever updates are available.

Firewalls have become so powerful that they include a variety of functions and capabilities as built-in features:
o Network Threat Prevention
o Application and Identity-Based Control
  • 15. o Hybrid Cloud Support
o Scalable Performance
o Network Traffic Management and Control
o Access Validation
o Record and Report on Events

Limitations of Firewall

When it comes to network security, firewalls are considered the first line of defense. But the question is whether these firewalls are strong enough to make our devices safe from cyber-attacks. The answer may be "no". The best practice is to use a firewall system when using the Internet. However, it is important to use other defense systems to help protect the network and the data stored on the computer. Because cyber threats are continually evolving, a firewall should not be the only consideration for protecting the home network.

The importance of using firewalls as a security system is obvious; however, firewalls have some limitations:
o Firewalls cannot stop users from accessing malicious websites, leaving the network vulnerable to internal threats or attacks.
o Firewalls cannot protect against the transfer of virus-infected files or software.
o Firewalls cannot prevent misuse of passwords.
o Firewalls cannot protect if security rules are misconfigured.
o Firewalls cannot protect against non-technical security risks, such as social engineering.
o Firewalls cannot stop or prevent attackers with modems from dialing into or out of the internal network.
o Firewalls cannot secure a system which is already infected.

Therefore, it is recommended to keep all Internet-enabled devices updated. This includes the latest operating systems, web browsers, applications, and other security software (such as anti-virus). Besides this, securing wireless routers should be another practice. The process of protecting a router may include options such as regularly changing the router's name and password, reviewing security settings, and creating a guest network for visitors.
  • 16. Types of Firewall

Depending on their structure and functionality, there are different types of firewalls. The following is a list of some common types of firewalls:
o Proxy Firewall
o Packet-filtering firewalls
o Stateful Multi-layer Inspection (SMLI) Firewall
o Unified threat management (UTM) firewall
o Next-generation firewall (NGFW)
o Network address translation (NAT) firewalls

What is Honeypot?
Difficulty Level : Medium. Last Updated : 02 Jun, 2020

A honeypot is a network-attached system used as a trap for cyber-attackers, to detect and study the tricks and types of attacks used by hackers. It acts as a potential target on the internet and informs the defenders about any unauthorized attempt on the information system. Honeypots are mostly used by large companies and organizations involved in cybersecurity. They help cybersecurity researchers to learn about the different types of attacks used by attackers. It is suspected that even cybercriminals use honeypots, to decoy researchers and spread wrong information.

The cost of a honeypot is generally high because it requires specialized skills and resources to implement a system that appears to provide an organization’s resources while still preventing attacks at the backend and access to any production system. A honeynet is a combination of two or more honeypots on a network.

Types of Honeypot:

Honeypots are classified based on their deployment and the involvement of the intruder.

Based on their deployment, honeypots are divided into:
1. Research honeypots: These are used by researchers to analyze hacker attacks and devise different ways to prevent these attacks.
2. Production honeypots: Production honeypots are deployed in production networks along with the server. These honeypots act as
  • 17. a frontend trap for the attackers, consisting of false information and giving the administrators time to fix any vulnerability in the actual system.

Based on interaction, honeypots are classified into:
1. Low interaction honeypots: Low interaction honeypots give the hacker very little insight into and control over the network. They simulate only the services that are frequently requested by attackers. The main operating system is not involved in low interaction systems and therefore they are less risky. They require very few resources and are easy to deploy. The only disadvantage of these honeypots lies in the fact that experienced hackers can easily identify them and avoid them.
2. Medium interaction honeypots: Medium interaction honeypots allow the hacker more activities than low interaction honeypots do. They can expect certain activities and are designed to give certain responses beyond what a low interaction honeypot would give.
3. High interaction honeypots: A high interaction honeypot offers a large number of services and activities to the hacker, thereby wasting the hackers' time and trying to get complete information about them. These honeypots involve the real operating system and are therefore comparatively risky if a hacker identifies the honeypot. High interaction honeypots are also very costly and complex to implement. But they provide us with extensive information about hackers.

Advantages of honeypot:
1. Acts as a rich source of information and helps collect real-time data.
2. Identifies malicious activity even if encryption is used.
3. Wastes hackers’ time and resources.
4. Improves security.

Disadvantages of honeypot:
1. Being distinguishable from production systems, it can be easily identified by experienced attackers.
2. Having a narrow field of view, it can only identify direct attacks.
3. A honeypot, once attacked, can be used to attack other systems.
4. Fingerprinting (an attacker can identify the true identity of a honeypot).
  • 18. Intrusion Detection System (IDS)
Difficulty Level : Medium. Last Updated : 17 Jan, 2022

An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. It is a software application that scans a network or a system for harmful activity or policy breaches. Any malicious venture or violation is normally reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system integrates outputs from multiple sources and uses alarm filtering techniques to differentiate malicious activity from false alarms.

Although intrusion detection systems monitor networks for potentially malicious activity, they are also prone to false alarms. Hence, organizations need to fine-tune their IDS products when they first install them. This means properly setting up the intrusion detection system to recognize what normal traffic on the network looks like as compared to malicious activity. Intrusion prevention systems also monitor network packets entering the system, check them for malicious activity and at once send warning notifications.

Classification of Intrusion Detection System:

IDS are classified into 5 types:
1. Network Intrusion Detection System (NIDS): Network intrusion detection systems (NIDS) are set up at a planned point within the network to examine traffic from all devices on the network. A NIDS observes the traffic passing on the entire subnet and matches the traffic passed on the subnets against the collection of known attacks. Once an attack is identified or abnormal behavior is observed, an alert can be sent to the administrator. An example of NIDS use is installing it on the subnet where firewalls are located in order to see if someone is trying to crack the firewall.
2.
Host Intrusion Detection System (HIDS): Host intrusion detection systems (HIDS) run on independent hosts or devices on the network. A HIDS monitors the incoming and outgoing packets of that device only and alerts the administrator if suspicious or malicious activity is detected. It takes a snapshot of existing system files and compares it with the previous snapshot. If critical system files were edited or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission-critical machines, which are not expected to change their layout.
3. Protocol-based Intrusion Detection System (PIDS): A protocol-based intrusion detection system (PIDS) comprises a system or agent that consistently resides at the front end of a server,
  • 19. controlling and interpreting the protocol between a user/device and the server. It typically secures a web server by regularly monitoring the HTTPS protocol stream and accepting the related HTTP protocol. Since HTTPS traffic is encrypted on the wire and is only readable just before it enters the web presentation layer, this system would need to reside at that interface in order to inspect the HTTPS stream.
4. Application Protocol-based Intrusion Detection System (APIDS): An application protocol-based intrusion detection system (APIDS) is a system or agent that generally resides within a group of servers. It identifies intrusions by monitoring and interpreting the communication on application-specific protocols. For example, it would monitor the SQL protocol specific to the middleware as it transacts with the database behind the web server.
5. Hybrid Intrusion Detection System: A hybrid intrusion detection system is made by combining two or more approaches of the intrusion detection system. In a hybrid intrusion detection system, host agent or system data is combined with network information to develop a complete view of the network system. A hybrid intrusion detection system is more effective in comparison to the other intrusion detection systems. Prelude is an example of a hybrid IDS.

Detection Method of IDS:
1. Signature-based Method: A signature-based IDS detects attacks on the basis of specific patterns such as the number of bytes or the number of 1’s or number of 0’s in the network traffic. It also detects on the basis of already known malicious instruction sequences used by malware. The patterns detected by the IDS are known as signatures. A signature-based IDS can easily detect attacks whose pattern (signature) already exists in the system, but it is quite difficult for it to detect new malware attacks as their pattern (signature) is not known.
2. Anomaly-based Method: Anomaly-based IDS was introduced to detect unknown malware attacks, as new malware is developed rapidly.
In an anomaly-based IDS, machine learning is used to create a trustworthy activity model; anything coming in is compared with that model and is declared suspicious if it is not found in the model. The machine learning-based method generalizes better than a signature-based IDS, as these models can be trained according to the applications and hardware configurations.

Comparison of IDS with Firewalls:

IDS and firewalls are both related to network security, but an IDS differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls restrict access between networks to prevent intrusion and
  • 20. if an attack comes from inside the network they do not signal it. An IDS describes a suspected intrusion once it has happened and then signals an alarm.

Intrusion Prevention System (IPS)
Difficulty Level : Medium. Last Updated : 31 Aug, 2021

An Intrusion Prevention System is also known as an Intrusion Detection and Prevention System. It is a network security application that monitors network or system activities for malicious activity. The major functions of intrusion prevention systems are to identify malicious activity, collect information about this activity, report it and attempt to block or stop it.

Intrusion prevention systems are considered an extension of Intrusion Detection Systems (IDS) because both IPS and IDS monitor network traffic and system activities for malicious activity. An IPS typically records information related to observed events, notifies security administrators of important observed events and produces reports. Many IPS can also respond to a detected threat by attempting to prevent it from succeeding. They use various response techniques, which involve the IPS stopping the attack itself, changing the security environment or changing the attack’s content.

Classification of Intrusion Prevention System (IPS):

Intrusion Prevention Systems (IPS) are classified into 4 types:
1. Network-based intrusion prevention system (NIPS): It monitors the entire network for suspicious traffic by analyzing protocol activity.
2. Wireless intrusion prevention system (WIPS): It monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
3. Network behavior analysis (NBA): It examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service attacks, specific forms of malware and policy violations.
4. Host-based intrusion prevention system (HIPS): It is an installed software package which monitors a single host for suspicious activity by scanning events that occur within that host.
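The snapshot-and-compare behaviour of a HIDS described under slide 18 (and the host-resident HIPS item just above), as an added example that is not part of the quoted articles: a minimal file-integrity checker that hashes a directory tree, then reports files modified, deleted or added since the previous snapshot. The watched tree and its contents are constructed in a temporary directory.

```python
# Added example: the core of a host-based IDS as described on slide 18.
# The "system" tree below is constructed in a temp directory for the demo.
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, str]]   # relative path -> (size, sha256)


def take_snapshot(root: str) -> Snapshot:
    """Hash every regular file under `root`. Symlinks are skipped so that a
    planted link cannot make the checker read outside the watched tree."""
    snap: Snapshot = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            snap[os.path.relpath(full, root)] = (os.path.getsize(full), h.hexdigest())
    return snap


def compare_snapshots(old: Snapshot, new: Snapshot) -> List[str]:
    """Return HIDS alerts for files modified, deleted or added since `old`.
    Size alone is not trusted: a same-size edit still changes the hash."""
    alerts = []
    for path in sorted(old):
        if path not in new:
            alerts.append(f"deleted: {path}")
        elif old[path] != new[path]:
            alerts.append(f"modified: {path}")
    for path in sorted(set(new) - set(old)):
        alerts.append(f"added: {path}")
    return alerts


def demo() -> List[str]:
    """Build a constructed tree, baseline it, change it, and return alerts."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF constructed binary")
        with open(os.path.join(root, "etc", "motd"), "w") as f:
            f.write("welcome\n")
        baseline = take_snapshot(root)

        # Changes since the baseline: a same-size edit of a binary, a deleted
        # file and a newly added file (all constructed).
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF CONSTRUCTED binary")
        os.remove(os.path.join(root, "etc", "motd"))
        with open(os.path.join(root, "etc", "new.conf"), "w") as f:
            f.write("constructed new file\n")
        return compare_snapshots(baseline, take_snapshot(root))


if __name__ == "__main__":
    for line in demo():
        print(line)
```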
  • 21. Comparison of Intrusion Prevention System (IPS) Technologies:

The Table below indicates various kinds of IPS Technologies:

Detection Method of Intrusion Prevention System (IPS):
1. Signature-based detection: A signature-based IDS examines packets on the network and compares them with pre-built, predefined attack patterns known as signatures.
2. Statistical anomaly-based detection: An anomaly-based IDS monitors network traffic and compares it against an established baseline. The baseline identifies what is normal for that network and what protocols are used. However, it may raise a false alarm if the baselines are not intelligently configured.
3. Stateful protocol analysis detection: This IDS method recognizes deviations in protocol state by comparing observed events with pre-built profiles of generally accepted definitions of benign activity.

Comparison of IPS with IDS:

The main differences between an Intrusion Prevention System (IPS) and an Intrusion Detection System (IDS) are:
  • 22. 1. Intrusion prevention systems are placed in-line and are able to actively prevent or block intrusions that are detected.
2. An IPS can take such actions as sending an alarm, dropping detected malicious packets, resetting a connection or blocking traffic from the offending IP address.
3. An IPS can also correct cyclic redundancy check (CRC) errors, defragment packet streams, mitigate TCP sequencing issues and clean up unwanted transport and network layer options.