
Intruders

Internal assessment
Presentation
Name: Nishant Kumar Kaushal
Roll no: 215/UCC/001
Program: BTech CSE - Cyber Security
Faculty: Dr. Aarti Gautam Dinker
Course: Cryptography and Data Privacy
Intruders
An intruder is an unauthorized person or entity that tries to access a system without
permission, with the intent of doing harm, stealing data, or interfering with regular
operations.

The intruder might be a hacker, a hostile insider, or someone seeking to take
advantage of a system weakness.

Once the intruder has access to the network or system, they could try to steal important
data, put malware on the system, or seize control of it.

Types of Intruders
Intruders are divided into three categories:
1. Masquerader
2. Misfeasor
3. Clandestine user
1. Masquerader:
An individual who is not authorized to use the system but exploits users' privacy and
confidential information by using techniques that give them control over the system.
Masqueraders are outsiders, so they have no direct access to the system; their aim is to
attack it unethically to steal data/information.
2. Misfeasor:
An individual who is authorized to use the system but takes undue advantage of the
permissions and access given to them.
Misfeasors are insiders with direct access to the system, which they attack unethically
to steal data/information.
3. Clandestine User:
An individual who has supervisory/administrative control over the system and misuses
the authority given to them. This abuse of power is often committed by the
highest-ranking authorities for financial gain.
A clandestine user can be either an insider or an outsider and accordingly has direct
or indirect access to the system, which they attack unethically by stealing
data/information.

Intrusion Detection System (IDS)


An intrusion detection system (IDS) observes network traffic for malicious
transactions and sends an immediate alert when such activity is observed. It
is software that checks a network or system for malicious activity or policy
violations.
Principles of IDS:
1. Capture: application logs, network driver, network cable, etc.
2. Analyse: parse data, filter data and execute detection algorithms
3. Response: drop packets, send alerts, update routing tables, kill
processes, etc.

Components of IDS:
An IDS is composed of several components:
• Sensors which generate security events
• A Console to monitor events and alerts and control the sensors
• A central Engine that records events logged by the sensors in a database
and uses a system of rules to generate alerts from security events received
(Figure: IDS placement between the Internal Network and the External network)
How it works

1. An IDS (Intrusion Detection System) monitors the traffic on a computer network to detect any suspicious activity.

2. It analyzes the data flowing through the network to look for patterns and signs of abnormal behavior.

3. The IDS compares the network activity to a set of predefined rules and patterns to identify any activity that might indicate
an attack or intrusion.

4. If the IDS detects something that matches one of these rules or patterns, it sends an alert to the system administrator.

5. The system administrator can then investigate the alert and take action to prevent any damage or further intrusion.
Classification of Intrusion Detection System (IDS)
IDS are classified into 5 types:
1. Network Intrusion Detection System (NIDS)
2. Host Intrusion Detection System (HIDS)
3. Protocol-based Intrusion Detection System (PIDS)
4. Application Protocol-based Intrusion Detection System (APIDS)
5. Hybrid Intrusion Detection System

1.Network Intrusion Detection System (NIDS):


Network intrusion detection systems (NIDS) are set up at a planned point within the
network to examine traffic from all devices on the network.
A NIDS observes all traffic passing on the subnet and matches it against a
collection of known attacks.
Once an attack is identified or abnormal behavior is observed, an alert can be sent to
the administrator.
An example of a NIDS deployment is installing it on the subnet where the firewalls are
located, in order to see if someone is trying to get through the firewall.

Example:
Snort: Snort is an open source network intrusion detection and prevention system
capable of performing packet logging and real-time traffic analysis on IP networks.
Technologies used in NIDS are:
1. Signature-based Detection: This method compares network traffic against a
database of known attack patterns or signatures. If a match is found, it triggers an alert.
However, it can miss newer or unknown threats.

2. Anomaly-based Detection: Anomaly detection looks for deviations from normal
behavior within the network. It establishes a baseline of "normal" activity and flags
anything that significantly differs from it.

3. Heuristic-based Detection: Heuristic analysis identifies patterns that are not explicitly
defined as malicious but exhibit suspicious behavior. It uses rules and algorithms to
identify potential threats based on behaviors that resemble known attack methods.

4. Protocol Analysis: The NIDS examines network protocol activity to detect anomalies or
misuse of protocols. For instance, it might flag unusual or incorrect use of protocol
commands.
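The following is an added example (not part of the original presentation, and not Snort code) that ties the capture/analyse/response principle and the "How it works" steps above to the first two NIDS technologies: a toy engine that applies signature-based rules to captured flow records and an anomaly-based baseline to per-source traffic volume. The flow records, IP addresses, regex "signatures" and the k-sigma baseline are all constructed for illustration.

```python
"""Added example, not from the slides: a toy NIDS engine showing the
capture -> analyse -> respond pipeline with signature-based and
anomaly-based detection. All flows, rules and addresses are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import re
import statistics


@dataclass(frozen=True)
class Flow:
    """One captured flow record (what a sensor would hand to the engine)."""
    src: str
    dst: str
    dport: int
    payload: str      # decoded application data (constructed sample)
    bytes_out: int    # bytes sent by src in this flow


# Signature rules: illustrative regexes over the payload, not real Snort rules.
SIGNATURES = [
    ("sqli-union-select", re.compile(r"\bunion\s+select\b", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./\.\./")),
]


def signature_alerts(flow):
    """Signature-based detection: names of every rule the payload matches."""
    return [name for name, pat in SIGNATURES if pat.search(flow.payload)]


class AnomalyDetector:
    """Anomaly-based detection on per-source outbound volume.
    The baseline threshold is mean + k * population stdev of training flows."""

    def __init__(self, k=3.0):
        self.k = k
        self.thresholds = {}

    def train(self, flows):
        per_src = defaultdict(list)
        for f in flows:
            per_src[f.src].append(f.bytes_out)
        for src, vals in per_src.items():
            self.thresholds[src] = statistics.mean(vals) + self.k * statistics.pstdev(vals)

    def is_anomalous(self, flow):
        thr = self.thresholds.get(flow.src)
        # Sources absent from the baseline are not judged by this detector.
        return thr is not None and flow.bytes_out > thr


def analyse(flows, detector):
    """Run both detectors over captured flows and return alert dicts;
    the response stage would forward these to the console/administrator."""
    alerts = []
    for f in flows:
        for rule in signature_alerts(f):
            alerts.append({"kind": "signature", "rule": rule, "src": f.src, "dst": f.dst})
        if detector.is_anomalous(f):
            alerts.append({"kind": "anomaly", "rule": "bytes_out-baseline", "src": f.src, "dst": f.dst})
    return alerts


# Constructed baseline: one client's normal web-browsing volumes (mean 1000 bytes).
BASELINE = [Flow("10.0.0.5", "10.0.0.80", 80, "GET /index.html", b)
            for b in (1000, 1100, 900, 1050, 950)]

# Constructed live traffic: a benign request, a signature hit, and an oversized transfer.
LIVE = [
    Flow("10.0.0.5", "10.0.0.80", 80, "GET /about.html", 1000),
    Flow("10.0.0.5", "10.0.0.80", 80, "GET /search?q=1 UNION SELECT name FROM users", 1200),
    Flow("10.0.0.5", "203.0.113.9", 443, "", 50000),
]


def run_demo():
    """Train the anomaly baseline on BASELINE and analyse LIVE; returns the alerts."""
    det = AnomalyDetector(k=3.0)
    det.train(BASELINE)
    return analyse(LIVE, det)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Note the second live flow: it is only 1200 bytes, inside the 3-sigma baseline (about 1212 bytes), so it is caught by the signature rule alone, while the 50,000-byte transfer carries no known pattern and is caught only by the anomaly baseline. That complementarity is why the slides list both techniques.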
2.Host Intrusion Detection System (HIDS):
Host intrusion detection systems (HIDS) run on individual hosts
or devices on the network.
A HIDS monitors the incoming and outgoing packets of that
device only and alerts the administrator if suspicious or
malicious activity is detected.
It takes a snapshot of existing system files and compares it with the
previous snapshot.
If monitored system files were edited or deleted, an alert is sent
to the administrator to investigate.
Technologies used in HIDS include:
1. Log Analysis: This involves examining system logs for abnormal patterns or
signs of potential intrusion.

2. File Integrity Monitoring (FIM): FIM tracks changes to critical system files,
directories, and configurations. It creates hashes or checksums of files and
compares them to detect any unauthorized modifications.

3. Behavioral Analysis: Analyzing the behavior of applications and processes helps
identify deviations from normal behavior, such as sudden increases in resource
usage or unusual access patterns.

4. Registry Monitoring: On Windows systems, a HIDS might monitor the Windows
Registry for changes, as many configurations and settings crucial for the system's
operation are stored there.
An example of HIDS usage can be seen on mission-critical machines, which are not
expected to change their layout.
3. Protocol-Based Intrusion Detection System (PIDS):
A protocol-based intrusion detection system (PIDS) is a specific IDS that
monitors the protocol in use.
In practice, this system typically analyzes the HTTP or HTTPS protocol stream
between your devices and the server.
In most cases, a PIDS is placed at the front end of a server.
The system can protect your web server by monitoring inbound and outbound
traffic.

Technologies used in protocol-based IDS are:

1. Packet Inspection: Examining individual data packets to identify anomalies or patterns
that might indicate malicious behavior.

2. Protocol Analysis: Focusing on specific network protocols (e.g., HTTP, FTP, SMTP) to
detect irregularities or malicious actions that deviate from the expected behavior of these
protocols.
4. Application Protocol-based Intrusion Detection System (APIDS):
An application protocol-based intrusion detection system (APIDS) is an intrusion
detection system that focuses its monitoring on communications that occur
between applications and the server.
Example: Secerno. Secerno is a database activity monitoring, database policy
enforcement and database compliance auditing solution, but it does not directly
block potential threats.
Technologies used in application protocol-based IDS:
1. Machine Learning and AI: Implementing algorithms that can learn from network
traffic patterns and detect anomalies. They can adapt and improve detection
capabilities over time.

2. Protocol Analysis: Deep packet inspection and analysis of network traffic to
identify protocol-specific anomalies or deviations from standard protocol
behaviors.
5. Hybrid Intrusion Detection System:
A hybrid intrusion detection system combines two or more approaches to
intrusion detection.
In a hybrid intrusion detection system, host agent or system data is combined with
network information to develop a complete view of the network system.
A hybrid intrusion detection system is more effective than the other types of
intrusion detection system. Prelude is an example of a hybrid IDS.
Intrusion Prevention System (IPS):
An intrusion prevention system is a network security tool (which can be a
hardware device or software) that continuously monitors a network for malicious
activity and takes action to prevent it, including reporting, blocking, or dropping
it, when it does occur.

Types of IPS:
There are four types of IPS:
1. Network-based intrusion prevention system (NIPS)
2. Wireless intrusion prevention system (WIPS)
3. Host-based intrusion prevention system (HIPS)
4. Network behavioral analysis (NBA)
1. Network-based intrusion prevention system (NIPS):
A NIPS monitors and protects an entire network from anomalous or
suspicious behavior.
This is a broad-based system that can be integrated with additional
monitoring tools to help provide a comprehensive view of an organization’s
network.

2. Wireless intrusion prevention system (WIPS):
WIPS are also quite common, often monitoring any wireless networks owned by
an organization.
This type is similar to a NIPS but is localized to wireless networks for more
targeted detection and response.
3. Host-based intrusion prevention system (HIPS):
HIPS are often deployed on key devices or hosts that an organization needs to
secure.
The system will then monitor all traffic flowing through and from the host to
detect malicious behavior.

4. Network behavioral analysis (NBA):
As opposed to a NIPS, an NBA solution looks for anomalous behavior within the
traffic patterns of the network itself, making it key for detecting incidents such as
DDoS attacks, policy violations, and other types of malware activity.
(Figure: Position of IDS and IPS in network)
How does an intrusion prevention system work?
There are several techniques that intrusion prevention systems use to
identify threats:
1. Signature-based detection
2. Anomaly-based detection
3. Policy-based detection

1. Signature-based detection:
Signature-based detection is a detection method based on a
dictionary of uniquely identifiable patterns (or signatures) in the code
of each exploit.
As an exploit is discovered, its signature is recorded and stored in a
continuously growing dictionary of signatures.
2. Anomaly-based detection:
Anomaly-based detection takes samples of network traffic at random and
compares them to a pre-calculated baseline performance level.
When the traffic activity is outside the parameters of baseline performance, the
IPS takes action.

3. Policy-based detection:
Policy-based detection requires system administrators to configure security
policies based on an organization's security policies and network
infrastructure.
If any activity occurs that breaks a defined security policy, an alert is
triggered and sent to the admins.
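Policy-based detection, and the IPS "takes action" step that distinguishes it from an IDS, can be illustrated with an added example (not from the presentation and not any vendor's product): a first-match policy table over source/destination networks and ports, evaluated per flow, where the same engine either drops the violating flow (prevention mode) or only alerts on it (detection mode). The network ranges, policies and sample flows are constructed.

```python
"""Added example, not from the slides: a toy policy-based IPS decision engine.
Policies, address ranges and flows are constructed for illustration."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Policy:
    name: str
    src_net: str        # CIDR the source address must fall in
    dst_net: str        # CIDR the destination address must fall in
    ports: frozenset    # destination ports the policy covers (empty = any port)
    action: str         # "allow" or "drop"

    def matches(self, flow):
        return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net)
                and (not self.ports or flow.dport in self.ports))


# Constructed policy table, evaluated top to bottom, first match wins.
# 10.0.1.0/24 is the web tier, 10.0.2.0/24 the database tier,
# 10.0.9.0/24 the administrators' network.
POLICIES = [
    Policy("web-from-anywhere", "0.0.0.0/0", "10.0.1.0/24", frozenset({80, 443}), "allow"),
    Policy("ssh-from-admin-only", "10.0.9.0/24", "10.0.1.0/24", frozenset({22}), "allow"),
    Policy("ssh-from-elsewhere", "0.0.0.0/0", "10.0.1.0/24", frozenset({22}), "drop"),
    Policy("db-from-web-tier", "10.0.1.0/24", "10.0.2.0/24", frozenset({5432}), "allow"),
]


def decide(flow, policies=POLICIES, prevention=True):
    """Return (policy_name, action) for a flow. Unmatched traffic is denied by default.
    With prevention=False the engine behaves as an IDS: a violation is reported as
    'alert' but the traffic is not blocked."""
    name, action = "default-deny", "drop"
    for p in policies:
        if p.matches(flow):
            name, action = p.name, p.action
            break
    if action == "drop" and not prevention:
        action = "alert"
    return name, action


# Constructed sample flows: public client, admin host, web tier and database tier.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.0.1.10", 443),   # public client -> web server
    Flow("10.0.9.3", "10.0.1.10", 22),       # admin host -> web server ssh
    Flow("203.0.113.7", "10.0.1.10", 22),    # public client -> web server ssh (violation)
    Flow("10.0.1.10", "10.0.2.5", 5432),     # web tier -> database
    Flow("203.0.113.7", "10.0.2.5", 5432),   # public client -> database (no policy)
]


def run_demo(prevention=True):
    """Evaluate every sample flow; returns (src, dst, dport, policy, action) tuples."""
    return [(f.src, f.dst, f.dport) + decide(f, prevention=prevention) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The default-deny fallthrough is the part that matters most in practice: a flow that no administrator wrote a policy for (the public client reaching the database tier) is still blocked, whereas a table with a permissive default would let the unanticipated traffic through silently.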
Thank you
