IDS Upload
Transcript of IDS Upload
-
8/8/2019 IDS Upload
1/23
DEFINITIONS
What is an intrusion?
What is intrusion detection?
What is an intrusion detection system?
-
FUNCTIONS OF IDS
Monitoring and analysis of user and system activity
Auditing of system configurations and vulnerabilities
Assessing the integrity of critical system and data files
Recognition of activity patterns reflecting known attacks
Statistical analysis for abnormal activity patterns
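One of the functions listed above, assessing the integrity of critical system and data files, as an added Python illustration (not code from the slides): a baseline of SHA-256 digests is recorded first, and a later check reports every monitored file that was modified or removed. The file names and contents are constructed samples written to a temporary directory.

```python
import hashlib
import os
import tempfile

# Added illustration of host-based file integrity checking; function names are
# hypothetical and the monitored files are constructed samples.

def hash_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record the known-good digest of each critical file (the baseline)."""
    return {p: hash_file(p) for p in paths}

def check_integrity(baseline):
    """Compare the current file state against the baseline.

    Returns a report listing files whose digest changed and files that
    no longer exist; an empty report means nothing was altered."""
    report = {"modified": [], "missing": []}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif hash_file(path) != expected:
            report["modified"].append(path)
    return report

def demo():
    """Constructed scenario: two 'critical' files, both altered after baselining."""
    tmp = tempfile.mkdtemp()
    cfg = os.path.join(tmp, "sshd_config")
    binary = os.path.join(tmp, "login")
    with open(cfg, "w") as f:
        f.write("PermitRootLogin no\n")
    with open(binary, "wb") as f:
        f.write(b"\x7fELF constructed sample binary\n")
    baseline = build_baseline([cfg, binary])
    # simulate what the IDS should catch: a config change and a deleted binary
    with open(cfg, "w") as f:
        f.write("PermitRootLogin yes\n")
    os.remove(binary)
    return check_integrity(baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline store is part of the IDS itself: if it can be rewritten by whoever changed the files, the check reports nothing, which is why protecting the IDS against attack matters.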
-
BENEFITS OF INTRUSION DETECTION
Improving integrity of other parts of the information security infrastructure
Improved system monitoring
Tracing user activity from the point of entry to point of exit or impact
Recognizing and reporting alterations to data files
Spotting errors of system configuration and sometimes correcting them
Recognizing specific types of attack and alerting appropriate staff for defensive responses
Keeping system management personnel up to date on recent corrections to programs
Allowing non-expert staff to contribute to system security
Providing guidelines in establishing information security policies
-
IDS TAXONOMY
IDS, classified by:
Architecture: Distributed, Centralized
Reaction on intrusion: Active, Passive
Analysis timing: Real time, Periodical
Detection approach: Misuse detection, Anomaly detection
Targets: Network, Host, Application
-
PROCESS MODEL FOR INTRUSION DETECTION
Information Sources
Analysis
Response
-
ARCHITECTURE
The Audit Collection/Storage Unit
The Processing Unit
Alarm/Response Unit
-
TYPES OF IDS
Network-based IDS
A NIDS detects attacks by capturing and analyzing network packets.
Network-based IDSs often consist of a set of single-purpose sensors or hosts placed at various points in a network.
-
Host-Based IDS
Host-based IDSs operate on information collected from within an individual computer system.
Host-based IDSs normally utilize information sources of two types: operating system audit trails and system logs.
-
HIDS
Advantages
It can detect attacks that cannot be seen by a network-based IDS.
Host-based IDSs can often operate in an environment in which network traffic is encrypted.
Host-based IDSs are unaffected by switched networks.
Disadvantages
Host-based IDSs are harder to manage.
Host-based IDSs reside on the host targeted by attacks, so the IDS may be attacked and disabled as part of the attack.
-
Application-Based IDS
Application-based IDSs are a special subset of host-based IDSs that analyze the events transpiring within a software application.
-
Application-Based IDS
Advantages
It can monitor the interaction between user and application.
They can often work in encrypted environments.
Disadvantages
Application-based IDSs may be more vulnerable.
Because they often monitor events at the user level of abstraction, they usually cannot detect Trojan horses.
-
IDS ANALYSIS
Misuse Detection
In misuse detection, the analysis targets something known to be bad.
The patterns corresponding to known attacks are called signatures, so misuse detection is sometimes called signature-based detection.
-
Advantages
Misuse detectors are very effective at detecting attacks.
Misuse detectors can quickly and reliably diagnose the use of a specific attack tool.
Misuse detectors allow system managers to track security problems on their systems and initiate incident handling procedures.
Disadvantages
Misuse detectors can only detect those attacks they know.
They are designed to use tightly defined signatures, which prevents them from detecting variants of common attacks.
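Misuse detection as described on the last two slides, as an added Python illustration (not code from the slides): a small signature set is run over constructed log lines. The tight `ssh-root-brute` signature shows the stated weakness, since a failed login against another account is the same activity but is missed until a broader signature is added. Signature names, patterns and log lines are all constructed.

```python
import re

# Added illustration of signature-based (misuse) detection. Names, patterns
# and sample events are constructed, not taken from the slides.
SIGNATURES = {
    "web-path-traversal": re.compile(r"(\.\./){2,}"),
    "web-sqli-union": re.compile(r"\bUNION\s+SELECT\b", re.IGNORECASE),
    # deliberately tight: only root is named, so other accounts are not covered
    "ssh-root-brute": re.compile(r"Failed password for root from"),
}

def match_signatures(event, signatures=SIGNATURES):
    """Return the names of every signature whose pattern occurs in one event line."""
    return [name for name, pat in signatures.items() if pat.search(event)]

def scan(events, signatures=SIGNATURES):
    """Run each event line through the signature set; keep only lines that hit."""
    hits = []
    for line in events:
        names = match_signatures(line, signatures)
        if names:
            hits.append((line, names))
    return hits

SAMPLE_EVENTS = [  # constructed sample log lines
    "GET /index.html 200",
    "GET /static/../../etc/passwd 404",
    "GET /item?id=1 UNION SELECT user,pass FROM users 200",
    "sshd[412]: Failed password for root from 203.0.113.5 port 4022",
    # same activity against another account: the tight signature above misses
    # it, which is the variant problem the slide describes
    "sshd[413]: Failed password for invalid user admin from 203.0.113.5 port 4023",
]

# Broader signature: covers the variant, at the cost of matching every failed
# login, so it needs a threshold or correlation step before it alerts.
BROAD = {**SIGNATURES, "ssh-brute": re.compile(r"Failed password for")}

if __name__ == "__main__":
    for line, names in scan(SAMPLE_EVENTS):
        print(names, "<-", line)
```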
-
Anomaly Detection
Anomaly detectors identify abnormal or unusual behaviour (anomalies) on a host or network.
They function on the assumption that attacks differ from normal (legitimate) activity and can therefore be detected by systems that identify these differences.
-
Advantages
They detect unusual behaviour.
Anomaly detectors can produce information that can in turn be used to define signatures for misuse detectors.
Disadvantages
They usually produce a large number of false alarms due to the unpredictable behaviour of users and networks.
They often require extensive training sets of system event records in order to characterize normal behaviour patterns.
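Anomaly detection as described on the last two slides, as an added Python illustration (not code from the slides): a baseline of failed logins per hour is summarised as mean and standard deviation, and anything more than k standard deviations above the mean is flagged. The constructed observations include one legitimate but unusual hour that is flagged anyway (the false-alarm problem), and a two-sample training set shows why an extensive training set is needed. All counts and labels are constructed.

```python
import statistics

# Added illustration of statistical anomaly detection. The baseline counts and
# observations are constructed samples, not taken from the slides.

def train(baseline):
    """Characterize 'normal' from a training set of per-hour event counts."""
    if len(baseline) < 2:
        raise ValueError("need at least two training observations")
    return {"mean": statistics.mean(baseline), "stdev": statistics.pstdev(baseline)}

def is_anomalous(value, model, k=3.0):
    """Flag an observation more than k standard deviations above the mean."""
    spread = model["stdev"] or 1.0  # constant baseline: avoid division by zero
    return (value - model["mean"]) / spread > k

def evaluate(model, observations, k=3.0):
    """Return the (label, value) pairs the detector would raise an alarm for."""
    return [(label, v) for label, v in observations if is_anomalous(v, model, k)]

# Constructed: failed logins per hour on one host during normal operation
BASELINE = [2, 3, 1, 4, 2, 3, 2, 5, 3, 2, 4, 3, 2, 1, 3, 2, 4, 3, 2, 3]

# Constructed observations: one real attack and one legitimate but unusual hour
OBSERVATIONS = [
    ("quiet hour", 3),
    ("password-spray attempt", 40),
    ("helpdesk password-reset day", 12),  # legitimate, yet flagged: a false alarm
]

# Constructed tiny training set: too little data to characterize normal
# behaviour, so even an ordinary value like 5 is flagged
SHORT_BASELINE = [2, 3]

def demo():
    model = train(BASELINE)
    return evaluate(model, OBSERVATIONS)

if __name__ == "__main__":
    for label, value in demo():
        print("alarm:", label, value)
```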
-
Where should an IDS be placed?
-
Strengths of IDS
Monitoring and analysis of system events and user behaviours
Testing the security states of system configurations
Recognizing patterns of system events that correspond to known attacks
Measuring enforcement of security policies encoded in the analysis engine
Managing operating system audit and logging mechanisms and the data they generate
Alerting appropriate staff by appropriate means when attacks are detected
Allowing non-security experts to perform important security monitoring functions
Recognizing patterns of activity that statistically vary from normal activity
-
Limitations Of IDS
Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or processing load.
Detecting newly published attacks or variants of existing attacks.
Effectively responding to attacks launched by sophisticated attackers.
Automatically investigating attacks without human intervention.
-
Challenges with IDS techniques
There exist over 100 intrusion detection systems, both open source and commercial.
They can be network based, host based, or a combination.
Main problem
Too many false positives
System administrators tend to ignore warnings after a while
Difficult to determine a good IDS policy
Other problems
Protecting the IDS itself against attack
-
CONCLUSION
-
THANK YOU