
INTRUSION DETECTION SYSTEM

Content
• What is intrusion
• What are intruders and their types
• What is IDS
• Principle of IDS
• Components
• Functions of IDS
• Classification of IDS
• Types of IDS
• Conclusion
What is an intrusion?
• Any set of actions that attempt to compromise the confidentiality, integrity, or availability of a computer resource.
Intruders and their types
Many computer security incidents are caused by unauthorized users, called intruders, whom the firewall did not block. An intrusion detection system is therefore used as the next layer of defense.

There are three classes of intruders:

• Masquerader: an individual who is not authorized to use the computer and who penetrates the system's access controls to exploit a legitimate user's account.
• Misfeasor: a legitimate user who accesses data, programs or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
• Clandestine user: an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit actions.
What is IDS
• An Intrusion Detection System (IDS) is a device, typically a separate computer, that monitors activity to identify malicious or suspicious events.
• An IDS uses the collected information together with a predefined knowledge base to reason about the possibility of an intrusion.
Principle of IDS
• An IDS must run unattended for extended periods of time.
• The IDS must stay active and secure.
• The IDS must be able to recognize unusual activity.
• The IDS must operate without unduly affecting the system's activity.
• The IDS must be configurable.
Components
Basically there are three components or modules in an intrusion detection system:
• Sensor: responsible for capturing packets and sending them to the Console module.
• Console: responsible for analyzing the packets captured by the Sensor module.
• GUI: responsible for displaying the graphical user interface and generating alerts.
Functions of IDS
1. Monitoring users and system activity
2. Auditing system configuration for vulnerabilities and misconfigurations
3. Assessing the integrity of critical system and data files
4. Recognizing known attack patterns in system activity
5. Identifying abnormal activity through statistical analysis
6. Correcting system configuration errors
Classification of IDS

IDS
• Signature based
• Anomaly based
Signature based
• A signature based IDS analyses the content of each packet at layer 7 and compares it with a set of predefined signatures.
• Works similarly to antivirus.
• Highly effective against well-known attacks.
• Can be bypassed by changing the signature of the attack.
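The following is an added example, not code from the original slides. It shows the Sensor → Console → alert pipeline described under Components, with the Console doing signature matching on the layer-7 payload. The packets, signature ids and signature patterns are all constructed for this illustration. The naive signature set is case-sensitive, so the fourth packet (the same request with its letter case changed) slips past it, which is exactly the "bypassed by changing the signature" weakness; the hardened set normalises case and catches it.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample "packets": (source IP, destination port, layer-7 payload).
# These are made-up records for the example, not captured traffic.
SAMPLE_PACKETS: List[Tuple[str, int, bytes]] = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.9", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"),
    ("10.0.0.7", 80, b"GET /search?q=' UNION SELECT password FROM users-- HTTP/1.1\r\n"),
    # Same request as above with the keyword case changed: evades a case-sensitive signature.
    ("10.0.0.7", 80, b"GET /search?q=' uNiOn SeLeCt password FROM users-- HTTP/1.1\r\n"),
]


@dataclass
class Signature:
    sid: int                  # signature id (assumed numbering for this example)
    name: str
    pattern: bytes            # regular expression applied to the payload
    case_sensitive: bool = True

    def matches(self, payload: bytes) -> bool:
        flags = 0 if self.case_sensitive else re.IGNORECASE
        return re.search(self.pattern, payload, flags) is not None


# Naive signature set: exact, case-sensitive patterns (illustrates the bypass).
NAIVE_SIGNATURES = [
    Signature(1000001, "directory traversal", rb"\.\./\.\./etc/passwd"),
    Signature(1000002, "SQL injection (UNION SELECT)", rb"UNION\s+SELECT"),
]

# Hardened set: same intent, but case-insensitive so trivial case changes are still caught.
HARDENED_SIGNATURES = [
    Signature(1000001, "directory traversal", rb"\.\./\.\./etc/passwd", case_sensitive=False),
    Signature(1000002, "SQL injection (UNION SELECT)", rb"UNION\s+SELECT", case_sensitive=False),
]


def sensor(packets) -> Iterator[Tuple[str, int, bytes]]:
    """Sensor module: hands each captured packet to the Console."""
    for pkt in packets:
        yield pkt


def console(packet, signatures: List[Signature]) -> Optional[dict]:
    """Console module: compares the layer-7 payload against every signature.

    Returns the first matching signature as an alert record, or None."""
    src, dport, payload = packet
    for sig in signatures:
        if sig.matches(payload):
            return {"sid": sig.sid, "name": sig.name, "src": src, "dport": dport}
    return None


def run_ids(packets, signatures: List[Signature]) -> List[dict]:
    """Drives Sensor -> Console and collects the alerts the GUI module would display."""
    alerts = []
    for packet in sensor(packets):
        alert = console(packet, signatures)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for label, sigs in (("naive", NAIVE_SIGNATURES), ("hardened", HARDENED_SIGNATURES)):
        for a in run_ids(SAMPLE_PACKETS, sigs):
            print(f"[{label}] sid={a['sid']} {a['name']} from {a['src']}:{a['dport']}")
```

Running the block produces two alerts with the naive set and three with the hardened set. Real rule languages go further than a case flag (payload normalisation, decoding of URL and other encodings before matching), but the principle is the same: the signature must describe the attack at the level where its variants converge, or the detector is only as good as its exact byte pattern.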
Anomaly based
• Monitors network traffic and compares it against an established baseline of normal use, classifying it as either normal or anomalous.
• Based on rules, rather than patterns or signatures.
• Can be accomplished using artificial intelligence.
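As an added illustration (not from the original slides), the block below implements the simplest statistical form of anomaly detection: a baseline of normal use is learned from a training window, and each new observation is classified by a rule on its distance from that baseline rather than by any attack signature. The metric (connections per minute from one host), the baseline numbers and the live observations are constructed for the example; the three-standard-deviation threshold is an assumed tuning value.

```python
import statistics
from typing import List, Tuple

# Constructed baseline: connections per minute from one host during a "normal"
# training window. Made-up numbers for this example.
BASELINE_CONNS_PER_MINUTE: List[int] = [12, 15, 14, 13, 16, 12, 15, 14, 13, 14, 15, 12]

# Constructed live observations: (minute, host, connection count).
LIVE_OBSERVATIONS: List[Tuple[int, str, int]] = [
    (1, "10.0.0.5", 14),
    (2, "10.0.0.5", 13),
    (3, "10.0.0.5", 95),   # burst far above the learned baseline
    (4, "10.0.0.5", 15),
]


def learn_baseline(samples: List[int]) -> Tuple[float, float]:
    """Learn the profile of normal use as a mean and (population) standard deviation."""
    return statistics.mean(samples), statistics.pstdev(samples)


def zscore(value: float, mean: float, stdev: float) -> float:
    """Distance from the baseline in standard deviations.

    A zero-variance baseline means any deviation at all is unprecedented."""
    if stdev == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev


def classify(value: float, mean: float, stdev: float, threshold: float = 3.0) -> str:
    """Rule: more than `threshold` standard deviations from the mean is anomalous."""
    return "anomalous" if abs(zscore(value, mean, stdev)) > threshold else "normal"


def detect(observations, baseline: List[int], threshold: float = 3.0) -> List[dict]:
    """Classifies every observation against the baseline and returns the anomalies."""
    mean, stdev = learn_baseline(baseline)
    alerts = []
    for minute, host, count in observations:
        if classify(count, mean, stdev, threshold) == "anomalous":
            alerts.append({
                "minute": minute,
                "host": host,
                "count": count,
                "z": round(zscore(count, mean, stdev), 1),
            })
    return alerts


if __name__ == "__main__":
    for a in detect(LIVE_OBSERVATIONS, BASELINE_CONNS_PER_MINUTE):
        print(f"minute {a['minute']}: {a['host']} made {a['count']} connections (z={a['z']})")
```

Only minute 3 is flagged. Note what the detector does and does not know: it reports that the host's behaviour departed from its own history, not that an attack occurred, so the threshold is a trade-off between false positives (legitimate bursts such as a backup job) and missed low-and-slow activity that stays inside the baseline. That is the gap the signature-based approach fills, and why the Conclusion points towards hybrid models.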
Types of IDS

IDS
• Network IDS
• Host IDS
Network IDS
• Connected to network segments to monitor, analyze and respond to network traffic.
• A single IDS sensor can monitor many hosts.
• Example: Snort
Host IDS
• A software agent installed on computers to monitor input and output packets from the device.
• It performs log analysis, file integrity checking, policy monitoring, real-time alerting and active response.
• Example: Cisco Security Agent (CSA)
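The file integrity checking function listed above, shown as an added example rather than code from the slides or from any named product: a baseline of SHA-256 hashes is taken for every file under a monitored directory, and a later snapshot is compared against it to report modified, added and removed files. The directory contents and the "tampering" are constructed inside a temporary directory so the block runs offline.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Set


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Baseline: relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Report files whose hash changed, files that appeared, and files that vanished."""
    return {
        "modified": {p for p in baseline if p in current and baseline[p] != current[p]},
        "added": set(current) - set(baseline),
        "removed": set(baseline) - set(current),
    }


def demo() -> Dict[str, Set[str]]:
    """Builds a constructed directory tree, baselines it, tampers with it, re-checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"constructed placeholder binary")
        baseline = snapshot(root)

        # Simulated tampering: edit one file, drop a new one, delete another.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.9 updates.example.test\n")
        (root / "bin" / "extra").write_bytes(b"constructed new binary")
        (root / "bin" / "service").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in sorted(paths):
            print(f"{kind}: {p}")
```

The check is only as trustworthy as the baseline: an intruder with supervisory control (the clandestine user above) can rewrite the stored hashes along with the files, so a real HIDS keeps the baseline off the monitored host or signs it, and schedules the comparison from a component the monitored system cannot silence.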
Conclusion
• Future research trends seem to be converging towards a model that is a hybrid of the anomaly and misuse detection models.
• It is slowly being acknowledged that neither of the models can detect all intrusion attempts on its own.
THANK YOU