Intrusion Detection Systems. Presented by Ali Fanian. In the Name of Allah.
Intrusion Detection Systems
Presented by
Ali Fanian
In the Name of Allah
Outline
Intrusion Concept
Intrusion Detection Systems (IDS)
Types of IDS
Attacks to the IDS
Gateway Intrusion Detection System
Host-based Intrusion Detection
What is an intrusion?
An intrusion can be defined as “any set of actions that attempt to compromise the:
– Integrity
– confidentiality, or
– availability
of a resource”.
Intruders
Insider: abuse by a person with authorized access to the system.
Hacker: attacks the system via communication links (e.g. Internet).
Malicious software (MalWare, Trojan horse, Virus): attack on the system by software running on it.
Intrusion Examples
Virus
Buffer-overflows
– 2000 Outlook Express vulnerability.
Denial of Service (DOS)
– explicit attempt by attackers to prevent legitimate users of a service from using that service.
Address spoofing
– a malicious user uses a fake IP address to send malicious packets to a target.
Many others
Intrusion Detection Systems
Systems that detect attacks on computer systems.
Intrusion Detection Systems
An Intrusion Prevention System can protect the network from outside attacks.
(Diagram: intruders on the Internet, an IPS in front of the network, and the victim behind it.)
IDS Basic Functions
Monitoring
– Collect the information from the network
Analyzing
– Determine what, if anything, is of interest
Reporting
– Generate conclusions and otherwise act on analysis results
Intrusion Detection Systems
Firewalls are typically placed on the network perimeter, protecting against external attacks.
Firewalls allow traffic only to legitimate hosts and services.
Traffic to the legitimate hosts/services can still carry attacks.
Solution?
– Intrusion Detection Systems
– Monitor data and behavior
– Report when attacks are identified
Intrusion Detection Systems
Traditional IDS response tends to be passive response.
Secondary investigation is required because IDS is still imperfect.
These days, IDS can be set up to respond to events automatically – “active response”.
Intrusion Detection Systems
Active response – dropping the connection, reconfiguring networking devices (firewalls, routers)
Intrusion Detection Systems
The resources available for alarm investigation affect the delay in response, for both active and passive response.
If multiple alarm types are involved, which alarm to investigate is an issue.
Intrusion Detection Systems
Passive response
– potential damage cost, resulting from alarmed events not being investigated immediately
– low false alarm costs, since alarmed events are not disrupted
Intrusion Detection Systems
Active response
– It could prevent attack damage because the events are terminated immediately
– higher false alarm costs, contingent on the performance of the IDS
Audit Log Architecture
(Diagram: the system being monitored writes audit log data; the IDS reads that data together with profiles and produces alerts and reports.)
Inline Architecture
(Diagram: a sniffer captures data from the system being monitored and feeds it to the IDS, which uses profiles and produces alerts and reports.)
Types of IDS
Host-based
Network-based
Signature-based
Anomaly-based
Signature-based IDS
Characteristics
– Uses known pattern matching to signify attack
Signature-based IDS
Advantages?
– Widely available
– Fairly fast
– Easy to implement
– Easy to update
Disadvantages?
– Cannot detect attacks for which it has no signature
Anomaly-based IDS
Characteristics
– Uses statistical model or machine learning engine to characterize normal usage behaviors
– Recognizes departures from normal as potential intrusions
Anomaly-based IDS
Advantages?
– Can detect attempts to exploit new and unforeseen vulnerabilities
– Can recognize authorized usage that falls outside the normal pattern
Disadvantages?
– Generally slower, more resource intensive compared to signature-based IDS
– Greater complexity, difficult to configure
– Higher percentages of false alerts
More Problems with Anomaly Detection
The dynamic update problem is unsolved.
– You can train these systems successfully to handle static environments, but computer networks are dynamic.
– If you try to retrain an existing system to deal with new events, it will usually forget its old training. You have to give it the old training data as well as the new.
Possible Approaches to Anomaly Detection
Neural networks
Expert systems
Statistical decision theory
Network-based IDS
Characteristics
– NIDS examines raw packets in the network passively and triggers alerts
Network-based IDS
Advantages?
– Easy deployment
– Difficult to evade
Disadvantages?
– NIDS needs to reconstruct the traffic as it is seen at the end host
– Needs to have the complete network topology and complete host behavior
Host-based IDS
Characteristics
– Runs on a single host
– Can analyze logs, integrity of files and directories, etc.
Host-based IDS
Advantages
– More accurate than NIDS
– Less volume of traffic, so less overhead
Disadvantages
– Deployment is expensive
– What happens when the host gets compromised?
Honey Pots and Burglar Alarms
Burglar alarms are resources on the network that generate an alarm if accessed incorrectly.
Honey pots are burglar alarms dressed up to look attractive.
Have to look real to the attackers
Intrusion Detection Using Honey Pot
Honey pot is a “decoy” system that appears to have several vulnerabilities for easy access to its resources.
It provides a mechanism so that intrusions can be trapped before attack is made on real assets.
Intrusion Detection Using Honey Pot (cont.)
Multi-level Log Mechanism (MLLM)
MLLM logs the attacker’s activities into
– Remote Log Server
– Sniffer Server
Intrusion Detection Using Honey Pot (cont.)
(Diagram: An Architecture for Intrusion Detection using Honey Pot)
IDS Placement
(Diagram: Internet, Router, Outer Firewall, a DMZ switch with Web, Mail and DNS servers, Inner Firewall, the internal network Intra1, and three IDS sensors.)
Attacks to the IDS
Overload until IDS fails to keep up with the data
– Overload packet filter (easy)
– Overload event engine (difficult because events are lightweight and the attacker doesn’t know the policy script)
– Overload Logging/Recording mechanism
Attacks to the IDS
A subterfuge attack attempts to mislead the IDS about the meaning of the analyzed traffic.
IDS Software
Snort: Free, libpcap based, rules driven IDS package. Many add-on components available.
…
What Is a Gateway IDS?
Gateway Intrusion Detection System
– A network intrusion detection system which acts as a network gateway
– Designed to stop malicious traffic and generate alerts on suspicious traffic
– An “ideal” gateway IDS is able to stop all known exploits
GIDS vs NIDS
GIDS
– Acts as network gateway
– Stops suspect packets
– Prevents successful intrusions
– False positives are VERY bad
NIDS
– Only observes network traffic
– Logs suspect packets and generates alerts
– Cannot stop an intruder
– False positives are not as big of an issue
About Inline Snort
Based on the Snort intrusion detection system
Operation is similar to some bridging firewalls
Uses snort rules with some additional keywords to make forward/drop decisions
Compatible with most snort plugins
Freely available under the GPL
Inline Snort
drop – Drops a packet, sends an rst, logs the packet
ignore – Drops a packet without sending an rst
sdrop – Drops a packet, sends an rst, does not log the packet
Content Replacement
It can replace content in a packet
– “replace” keyword tells hogwash to replace a detected string with another string.
– Example:
alert tcp any any -> $IIS_SERVERS 80 (content:"cmd.exe"; replace:"yyy.yyy";)
– Any content in the packet payload can be replaced.
– A great way to break an exploit without dropping the packet!!
Sample snort Rules
To drop incoming port 80 connections:
drop tcp any any -> $HOMENET 80 (msg:"Port 80 tcp";)
To drop cmd.exe calls to your webservers:
drop tcp any any -> $HOMENET 80 (msg:"cmd.exe attempt"; content:"cmd.exe";)
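Added example, not from the presentation and not Snort's own code: a toy evaluator that parses the three rules from the slides above and applies the Inline Snort action semantics (drop, sdrop, ignore, alert with replace) to constructed packets, which is also the signature-based pattern matching from the Types of IDS section in its simplest form. It enforces that a replace string must be exactly as long as the content it overwrites, since the segment is rewritten in place. The address ranges behind $HOMENET and $IIS_SERVERS, treating ignore as unlogged, and first-match rule order are assumptions; source address and port are ignored because the rules use any for both.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Action semantics from the Inline Snort slide, as (forward, send rst, log).
# The slide only says "ignore" sends no rst; treating it as unlogged is an assumption.
ACTIONS = {"alert": (True, False, True), "drop": (False, True, True),
           "sdrop": (False, True, False), "ignore": (False, False, False)}

RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
                     r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"\s*;')


@dataclass
class Packet:
    dst: str
    dport: int
    payload: bytes


@dataclass
class Verdict:
    forward: bool
    rst: bool
    log: bool
    msg: Optional[str]
    payload: bytes          # payload as it leaves the gateway (after any replace)


def parse_rule(text: str, variables: dict) -> dict:
    """Parse a rule header plus its quoted options; expand a $VAR destination."""
    m = RULE_RE.match(text)
    if not m or m["action"] not in ACTIONS:
        raise ValueError(f"unparsable rule or unknown action: {text}")
    rule = m.groupdict()
    rule["opts"] = dict(OPT_RE.findall(rule["opts"]))
    if "replace" in rule["opts"]:
        # Overwriting in place must not change the segment length, so the
        # replacement has to be exactly as long as the matched content.
        if len(rule["opts"]["replace"]) != len(rule["opts"].get("content", "")):
            raise ValueError("replace must be the same length as content")
    if rule["dst"].startswith("$"):
        rule["dst"] = [ipaddress.ip_network(n) for n in variables[rule["dst"]]]
    elif rule["dst"] != "any":
        rule["dst"] = [ipaddress.ip_network(rule["dst"], strict=False)]
    return rule


def rule_matches(rule: dict, pkt: Packet) -> bool:
    if rule["dport"] != "any" and int(rule["dport"]) != pkt.dport:
        return False
    if rule["dst"] != "any" and not any(ipaddress.ip_address(pkt.dst) in n for n in rule["dst"]):
        return False
    content = rule["opts"].get("content")
    return content is None or content.encode() in pkt.payload


def evaluate(rules: list, pkt: Packet) -> Verdict:
    """First matching rule decides (an assumption; real Snort orders rules itself)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            forward, rst, log = ACTIONS[rule["action"]]
            payload = pkt.payload
            if "replace" in rule["opts"]:
                payload = payload.replace(rule["opts"]["content"].encode(),
                                          rule["opts"]["replace"].encode(), 1)
            return Verdict(forward, rst, log, rule["opts"].get("msg"), payload)
    return Verdict(True, False, False, None, pkt.payload)  # no rule: pass untouched


# Assumed address ranges for the slides' variables, and the slides' three rules.
VARIABLES = {"$HOMENET": ["10.0.0.0/8"], "$IIS_SERVERS": ["10.1.1.0/24"]}
RULES = [parse_rule(r, VARIABLES) for r in (
    'alert tcp any any -> $IIS_SERVERS 80 (content:"cmd.exe"; replace:"yyy.yyy";)',
    'drop tcp any any -> $HOMENET 80 (msg:"cmd.exe attempt"; content:"cmd.exe";)',
    'drop tcp any any -> $HOMENET 80 (msg:"Port 80 tcp";)',
)]
```

Note that the blanket port 80 drop rule also drops benign requests to $HOMENET, so where it sits relative to the more specific rules decides what gets logged with which message.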
Host-based Intrusion Detection
Anomaly detection:
IDS monitors system call trace from the app
DB contains a list of subtraces that are allowed to appear
Any observed subtrace not in DB sets off alarms
(Diagram: the app’s system calls pass through the IDS, which checks them against the allowed-traces DB, above the operating system.)
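Added example, not from the presentation: the subtrace scheme above implemented over constructed system-call traces, with the window length k assumed to be 3. It also reproduces the dynamic-update problem from the anomaly detection slides: rebuilding the DB from new traces alone makes the old normal runs alarm, while training on old plus new data keeps both quiet and still catches the exploited run.

```python
from typing import Iterable, List, Set, Tuple

Subtrace = Tuple[str, ...]


def subtraces(trace: List[str], k: int) -> Iterable[Subtrace]:
    """Yield every window of k consecutive system calls in the trace."""
    for i in range(len(trace) - k + 1):
        yield tuple(trace[i:i + k])


def train(normal_traces: Iterable[List[str]], k: int) -> Set[Subtrace]:
    """Build the allowed-subtrace DB from traces of normal application runs."""
    db: Set[Subtrace] = set()
    for trace in normal_traces:
        db.update(subtraces(trace, k))
    return db


def detect(db: Set[Subtrace], observed: List[str], k: int) -> List[Tuple[int, Subtrace]]:
    """Return (offset, subtrace) for every observed window that is absent from the DB."""
    return [(i, w) for i, w in enumerate(subtraces(observed, k)) if w not in db]


# Constructed normal behaviour: a service accepts a connection, reads the
# request, opens a file under its data directory, replies and closes up.
NORMAL_RUNS = [
    ["accept", "read", "open", "read", "write", "close", "close"],
    ["accept", "read", "open", "read", "read", "write", "close", "close"],
    ["accept", "read", "write", "close"],
]

# Constructed trace of the same service after exploitation: after reading the
# request it spawns a shell instead of opening a data file.
EXPLOITED_RUN = ["accept", "read", "execve", "dup2", "dup2", "read", "write", "close"]

# Constructed trace after a legitimate update that added a logging step
# (open/write/close of a log file) before the reply is written.
UPDATED_RUN = ["accept", "read", "open", "read", "open", "write", "close",
               "write", "close", "close"]

if __name__ == "__main__":
    K = 3  # assumed window length
    db = train(NORMAL_RUNS, K)
    print("alarms on exploited run:", detect(db, EXPLOITED_RUN, K))
    print("alarms on updated run (false alarms):", detect(db, UPDATED_RUN, K))
    # Dynamic update problem: retraining on the new behaviour alone forgets the
    # old normal runs; retraining on old plus new data keeps both.
    new_only = train([UPDATED_RUN], K)
    old_and_new = train(NORMAL_RUNS + [UPDATED_RUN], K)
    print("old normal run vs DB from new data only:", detect(new_only, NORMAL_RUNS[2], K))
    print("old normal run vs DB from old+new data:", detect(old_and_new, NORMAL_RUNS[2], K))
```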
HIDS’ Advantages over NIDS
HIDS can monitor user-specific activity of the system
– Check process listing, local log files, system calls.
– It is difficult for NIDS to associate packets to specific users (except when content switch-based NIDS is used!) and to determine if the commands in the packets violate a specific user’s access privilege.