Professional Documents
Culture Documents
and Cryptography
Basics of Information Security
Professor dr.sc.ing. Viktor Gopejenko
Department of Computer Technologies and Natural Sciences
ISMA University of Applied Science, Riga, Latvia
Lecture 7
Intrusion Detection
Learning Objectives
An overview of Snort
Detailed Content:
Intruders
Intrusion Detection
Honeypots
classes:
host-based IDS
monitors the
characteristics of a comprises three logical
single host for suspicious
activity components:
network-based IDS • sensors - collect data
monitors network traffic • analyzers - determine if
and analyzes network, intrusion has occurred
transport, and
application protocols to • user interface - view output
identify suspicious or control system behavior
activity
IDS Principles
assume intruder
behavior differs
from legitimate
users
overlap in
behaviors causes
problems
false positives
false negatives
IDS Requirements
configured
impose a minimal adapt to changes
according to
overhead on in systems and
system security
system users
policies
Measures
That May
Be Used For
Intrusion
Detection
Signature Detection
rule-based anomaly rule-based penetration
detection identification
historical audit records are key feature is the use of
analyzed to identify usage rules for identifying known
patterns penetrations or
penetrations that would
rules are generated that
exploit known weaknesses
describe those patterns
rules can also be defined
current behavior is matched
that identify suspicious
against the set of rules
behavior
does not require knowledge
typically rules are specific to
of security vulnerabilities
the machine and operating
within the system
system
a large database of rules is
needed
Distributed
Host-Based
IDS
Distributed
Host-Based
IDS
Network-Based IDS
(NIDS)
comprised of a number of
sensors, one or more servers analysis of traffic patterns
for NIDS management may be done at the sensor,
functions, and one or more the management server or a
management consoles for combination of the two
the human interface
NIDS Sensor
Deployment
inline sensor
anomaly detection
denial of service attacks, scanning, worms