Module-2

IDS
Intrusion Detection System (IDS)
• In IDP (Intrusion Detection and Prevention), network
intrusion detection (ID) is based on monitoring the
operation of computer systems or networks and analysing
the processes they perform for signs of particular
incidents.
• Incidents are events posing a threat to or violating defined
security policies, violating AUP (acceptable use policy)
rules, or generally accepted security norms.
• They appear as a result of the operation of various malware
programmes (e.g., worms, spyware, viruses and trojans), as
a result of attempts at unauthorized access to a system
through public infrastructure (the internet), or as a result of
the activity of authorized system users who abuse their
privileges.
Intrusion Detection System (IDS)
Network intrusion prevention (IP)
• It includes the process of detecting network intrusion events,
but also includes the process of preventing and blocking
detected or potential network incidents.
Network intrusion detection and prevention systems (IDP)
• They are based on identifying potential incidents, logging
information about them, attempting to prevent them and
alerting the administrators responsible for security.
• In addition to this basic function, IDP systems can also be
used to identify problems concerning the adopted security
policies, to document existing security threats and to
discourage individuals from violating security rules.
• IDP systems use various incident detection methods.
Intrusion Detection System (IDS)
• There are three primary classes of detection
methodology:
1. Signature-based detection
2. Anomaly-based detection
3. Detection based on stateful protocol analysis
Intrusion Detection System (IDS)
1. Signature-based detection
– certain security threats can be detected based on the
characteristic manner in which they appear.
– The behaviour of an already detected security threat,
described in a form that can be used for the detection of
any subsequent appearance of the same threat, is called an
attack signature.
– This detection method, based on the characteristic
signature of an attack, is a process of comparing the known
forms in which the threat has appeared with the specific
network traffic in order to identify certain incidents.
Intrusion Detection System (IDS)
1. Signature-based detection
– Although it can be very efficient in detecting the
subsequent appearance of known threats, this detection
method is extremely inefficient in the detection of
completely unknown threats, of threats hidden by
using various techniques, and of already known threats
that have somehow been modified in the meantime.
– It is considered the simplest detection method and it
cannot be used for monitoring and analysing the state
of certain, more complex forms of communication.
Intrusion Detection System (IDS)
2. Anomaly-based detection
– This method of IDP is based on detecting anomalies in
a specific traffic flow in the network.
– Anomaly detection is performed, based on the
defined profile of acceptable traffic and its
comparison with the specific traffic in the network.
– Acceptable traffic profiles are formed by tracking the
typical characteristics of the traffic in the network
during a certain period of time (e.g., the number of
email messages sent by a user, the number of
attempts to log in to a host, or the processor
utilisation in a given time interval).
– These characteristics of the behaviour of users, hosts,
connections or applications in the same time interval
are then considered to be completely acceptable.
Intrusion Detection System (IDS)
2. Anomaly-based detection
– However, acceptable-behaviour profiles can
unintentionally contain certain security threats,
which leads to problems in their application.
– Likewise, imprecisely defined profiles of
acceptable behaviour can cause numerous alarms,
generated by the system itself as a reaction to
certain (acceptable) activities on the network.
– The greatest advantage of this detection method is
its exceptional efficiency in detecting previously
unknown security threats.
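To make the contrast between the two methods concrete, here is an added example (not from these slides) that runs a signature matcher and a profile-based anomaly detector over the same constructed event stream; the event tuple format, the two Snort-style patterns and the "twice the training peak" threshold are assumptions.

```python
import re
from collections import Counter

# Constructed, Snort-style content signatures (hypothetical): regex -> attack name.
SIGNATURES = {
    r"\.\./": "directory traversal",
    r"union\s+select": "sql injection",
}

def signature_alerts(events):
    """Flag every event whose payload matches a known attack signature."""
    alerts = []
    for host, _user, _action, payload in events:
        for pattern, name in SIGNATURES.items():
            if re.search(pattern, payload, re.IGNORECASE):
                alerts.append((host, name))
    return alerts

def failed_logins(window):
    """Count failed login events per host in one observation window."""
    return Counter(h for h, _, action, result in window
                   if action == "login" and result == "fail")

def build_profile(training_windows):
    """Acceptable-traffic profile: peak failed logins per host over the training period."""
    peak = Counter()
    for window in training_windows:
        for host, n in failed_logins(window).items():
            peak[host] = max(peak[host], n)
    return peak

def anomaly_alerts(profile, window, factor=2):
    """Flag hosts whose failed-login count exceeds factor x the profiled peak (assumed rule)."""
    return [(h, n) for h, n in failed_logins(window).items()
            if n > factor * max(profile[h], 1)]

# Constructed events: (host, user, action, payload). Training windows hold the odd
# mistyped password; the monitored window holds a guessing burst, one known exploit
# string and an obfuscated variant of a second one.
TRAINING = [
    [("web1", "bob", "login", "ok"), ("web1", "bob", "login", "fail")],
    [("web1", "ann", "login", "fail"), ("web1", "ann", "login", "fail"), ("web1", "ann", "login", "ok")],
]
MONITORED = [("web1", "eve", "login", "fail")] * 7 + [
    ("web1", "eve", "http", "GET /../../etc/passwd"),
    ("web1", "eve", "http", "GET /item?id=1 UNION/**/SELECT 1"),  # evades the signature
]
PROFILE = build_profile(TRAINING)

if __name__ == "__main__":
    print("signature:", signature_alerts(MONITORED))  # the obfuscated variant is missed
    print("anomaly:  ", anomaly_alerts(PROFILE, MONITORED))
```

The signature matcher catches the traversal string but misses the modified injection string, while the anomaly detector flags the login burst that no signature describes.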
Intrusion Detection System (IDS)
3. Detection based on stateful protocol analysis
– Stateful protocol analysis is a process of comparing
predefined operation profiles with the specific data
flow of that protocol on the network.
– Predefined profiles of operation of a protocol are
defined by the manufacturers of IDP devices and they
identify everything that is acceptable or not acceptable
in the exchange of messages in a protocol.
– Unlike anomaly-based detection, where profiles are
created based on the hosts or specific activities on the
network, stateful protocol analysis uses general
profiles generated by the equipment manufacturers.
– Most IDP systems use several detection methods
simultaneously, thus enabling a more comprehensive
and precise method of detection.
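An added illustration (not from the slides) of what a predefined protocol profile looks like in practice: a simplified SMTP command-sequence profile that stands in for a vendor-supplied one, and a checker that walks a client's commands through it; the transition table and the 512-byte length bound are assumptions, not a full RFC 5321 grammar.

```python
# Assumed protocol profile standing in for a vendor-supplied one: for each session
# state, the client commands that are acceptable and the state they lead to.
PROFILE = {
    "INIT":  {"HELO": "READY", "EHLO": "READY", "QUIT": "CLOSED"},
    "READY": {"MAIL": "MAIL", "RSET": "READY", "QUIT": "CLOSED"},
    "MAIL":  {"RCPT": "RCPT", "RSET": "READY", "QUIT": "CLOSED"},
    "RCPT":  {"RCPT": "RCPT", "DATA": "DATA", "RSET": "READY", "QUIT": "CLOSED"},
    "DATA":  {".": "READY"},   # a lone dot ends the message body
}
MAX_LEN = 512  # assumed bound on command arguments and body lines

def analyze_session(lines):
    """Walk the client's lines through PROFILE; return (final_state, violations)."""
    state, violations = "INIT", []
    for n, line in enumerate(lines, 1):
        if state == "DATA" and line != ".":
            if len(line) > MAX_LEN:           # body lines are data, not commands
                violations.append((n, "oversized body line"))
            continue
        cmd, _, arg = line.partition(" ")
        nxt = PROFILE.get(state, {}).get(cmd.upper())  # nothing is allowed after CLOSED
        if nxt is None:
            violations.append((n, f"{cmd} not allowed in state {state}"))
            continue                          # stay in the current state
        if len(arg) > MAX_LEN:
            violations.append((n, f"oversized argument to {cmd}"))
        state = nxt
    return state, violations

# Constructed sessions: one well-formed, one that issues commands out of order,
# sends an oversized argument and keeps talking after QUIT.
GOOD = ["EHLO client.example", "MAIL FROM:<a@example.org>", "RCPT TO:<b@example.org>",
        "DATA", "Subject: hi", "", "hello", ".", "QUIT"]
BAD = ["DATA", "HELO x", "RCPT TO:<b@example.org>",
       "MAIL FROM:<" + "A" * 600 + ">", "QUIT", "HELO again"]

if __name__ == "__main__":
    print(analyze_session(GOOD))
    print(analyze_session(BAD))
```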
Intrusion Detection System (IDS)
3. Detection based on stateful protocol analysis
– Testing tools are used for testing the detection,
recognition and response capabilities of devices that
perform packet filtering (including those that use
network address translation), such as firewalls, IDS/IPS,
routers and switches.
– These test the traffic filtering devices' ability to detect
and/or block DoS attacks, spyware, backdoors, and
attacks against applications such as IIS, SQL Server
and WINS.
– Standard traffic sessions can be used to test how
packet filtering devices handle a variety of protocols,
including HTTP, FTP, SNMP and SMTP.
Intrusion Detection System (IDS)
• Intrusion detection systems can be grouped
into the following categories:
– Host-based IDS
– Network-based IDS
– Intrusion prevention system (IPS)
Host-based intrusion detection systems
• Host-based IDSs are designed to monitor, detect
and respond to activity and attacks on a given
host. In most cases, attackers target specific
systems on corporate networks that have
confidential information.
• They will often try to install scanning programs
and exploit other vulnerabilities that can record
user activity on a particular host.
• Some host-based IDS tools provide policy
management, statistical analytics and data
forensics at the host level.
Host-based intrusion detection systems
• Host-based IDSs are best used when an
intruder tries to access particular files or other
services that reside on the host computer.
• Because attackers mainly focus on operating
system vulnerabilities to break into hosts, in
most cases, the host-based IDS is integrated
into the operating systems that the host is
running.
Network-based intrusion detection systems
• Network-based IDSs capture network traffic to detect
intruders.
• Most often, these systems work as packet sniffers that read
through incoming traffic and use specific metrics to assess
whether a network has been compromised.
• Various internet and other proprietary protocols that
handle messages between external and internal networks,
such as TCP/IP, NetBEUI (NetBIOS Extended User Interface)
and XNS (Xerox Network Systems), are vulnerable to attack
and require additional ways to detect malicious events.
• Frequently, intrusion detection systems have difficulty
working with encrypted information and traffic from virtual
private networks. Speed over 1 Gbps is also a constraining
factor, although modern and costly network-based IDSs
are able to operate above this speed.
Network-based intrusion detection systems
• Cooperative agents are one of the most important
components of distributed intrusion detection
architecture.
• An agent is an autonomous or semi-autonomous piece
of software that runs in the background and performs
useful tasks on behalf of another.
• Relative to IDSs, an agent is generally a piece of
software that senses intrusions locally and reports
attack information to central analysis servers.
• The cooperative agents can form a network among
themselves for data transmission and processing.
• The use of multiple agents across a network allows a
broader view of the network than might be possible
with a single IDS or centralized IDSs.
Intrusion prevention system (IPS)
• An IPS is a network security tool that can not only
detect intruders, but also prevent them from
successfully launching any known attack.
• Intrusion prevention systems combine the abilities of
firewalls and intrusion detection systems.
• However, implementing an IPS on an effective scale
can be costly, so businesses should carefully assess
their IT risks before making the investment.
• Moreover, some intrusion prevention systems are not
as fast and robust as some firewalls and intrusion
detection systems, so an IPS might not be an
appropriate solution when speed is an absolute
requirement.
Intrusion prevention system (IPS)
• One important distinction to make is the difference between
intrusion prevention and active response.
• An active response device dynamically reconfigures or alters
network or system access controls, session streams or individual
packets based on triggers from packet inspection and other
detection devices.
• Active response happens after the event has occurred; thus, a
single packet attack will be successful on the first attempt but will
be blocked in future attempts; for example, a DDoS attack will be
successful on the first packets but will be blocked afterwards.
• While active response devices are beneficial, this one aspect makes
them unsuitable as an overall solution.
• Network intrusion prevention devices, on the other hand, are
typically inline devices on the network that inspect packets and
make decisions before forwarding them on to the destination.
Intrusion prevention system (IPS)
• Most importantly, an IPS must perform packet inspection
and analysis at wire speed. Intrusion prevention
systems should perform detailed packet
inspection to detect intrusions, including application-
layer and zero-day attacks.
• System or host intrusion prevention devices are also
inline at the operating system level. They have the
ability to intercept system calls, file access, memory
access, processes and other system functions to
prevent attacks. There are several intrusion prevention
technologies, including the following:
– System memory and process protection
– Inline network devices
– Session sniping
– Gateway interaction devices
Intrusion prevention system (IPS)
• System memory and process protection
– This type of intrusion prevention strategy resides
at the system level.
– Memory protection consists of a mechanism to
prevent a process from corrupting the memory of
another process running on the same system.
– Process protection consists of a mechanism for
monitoring process execution, with the ability to
kill processes that are suspected of being attacks.
Intrusion prevention system (IPS)
• Inline network devices
– This type of intrusion prevention strategy places a
network device directly in the path of network
communications with the capability to modify and
block attack packets as they traverse the device’s
interfaces.
– It acts much like a router or firewall combined
with the signature-matching capabilities of IDS.
The detection and response happens in real time
before the packet is passed on to the destination
network.
Intrusion prevention system (IPS)
• Session sniping
– This type of intrusion prevention strategy
terminates a TCP session by sending a TCP RST
packet to both ends of the connection. When an
attempted attack is detected, the TCP RST is sent
and the attempted exploit is flushed from the
buffers and thus prevented.
– Note: TCP RST packets must have the correct
sequence and acknowledgement numbers to be
effective.
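Why the sequence number matters, as an added example (not from the slides): the receiver-side RST validation from RFC 5961 section 3.2, applied to connection state as an inline IPS would track it; the connection values are constructed and the tracking dictionary layout is an assumption.

```python
MOD = 1 << 32  # TCP sequence numbers wrap modulo 2^32

def rst_disposition(rcv_nxt, rcv_wnd, seg_seq):
    """Receiver-side handling of an incoming RST (RFC 5961, section 3.2).
    The distance is taken modulo 2^32 so sequence wrap-around is handled."""
    ahead = (seg_seq - rcv_nxt) % MOD
    if ahead == 0:
        return "reset"            # exact match with RCV.NXT: connection torn down
    if ahead < rcv_wnd:
        return "challenge-ack"    # in window but not exact: peer is asked to confirm
    return "drop"                 # outside the window: silently ignored

# Constructed connection state as an inline IPS would track it, one record per
# endpoint: the next sequence number that endpoint expects and its receive window.
CONN = {
    "client": {"rcv_nxt": 0xFFFFFFF0, "rcv_wnd": 65535},  # about to wrap
    "server": {"rcv_nxt": 1000, "rcv_wnd": 29200},
}

def sniping_result(conn, seq_override=None):
    """Outcome at each endpoint of a RST sent by the IPS. By default the IPS uses the
    tracked RCV.NXT of each side; seq_override models a stale or guessed value."""
    out = {}
    for end, st in conn.items():
        seq = st["rcv_nxt"] if seq_override is None else seq_override
        out[end] = rst_disposition(st["rcv_nxt"], st["rcv_wnd"], seq)
    return out

if __name__ == "__main__":
    print("tracked state:", sniping_result(CONN))
    print("stale value:  ", sniping_result(CONN, seq_override=42))
```

Only the RST built from accurately tracked state resets both ends; a stale value at best provokes a challenge ACK and otherwise is dropped, which is why an IPS that loses track of a session cannot snipe it.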
Session sniping
• Gateway interaction devices
– This type of intrusion prevention strategy allows a
detection device to dynamically interact with
network gateway devices such as routers or
firewalls. When an attempted attack is detected,
the detection device can direct the router or
firewall to block the attack.
Intrusion prevention system (IPS)
• Session sniping system identification is another
concern when deploying active response IPSs.
• When systems terminate sessions with RST
packets, an attacker might be able to discover
not only that an IPS is involved but also the type
of underlying system.
• Readily available passive operating system
identification tools analyze packets to determine
the underlying operating system.
• This type of information might enable an attacker
to evade the IPS or direct an attack at the IPS.
Intrusion prevention system (IPS)
• There are several risks when deploying intrusion prevention
technologies.
• Most notable is the recurring issue of false positives in today’s
intrusion detection systems. On some occasions, legitimate traffic
will display characteristics similar to malicious traffic.
• This could be anything from inadvertently matching signatures to
uncharacteristically high traffic volume.
• Even a finely tuned IDS can present false positives when this occurs.
When intrusion prevention is involved, false positives can create a
denial-of-service (DoS) condition for legitimate traffic.
• In addition, attackers who discover or suspect the use of intrusion
prevention methods can purposely create a DoS attack against
legitimate networks and sources by sending attacks with spoofed
source IP addresses.
• A simple mitigation to some DoS conditions is to use a whitelisting
policy.
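A small added example (not from the slides) of the whitelisting mitigation: an active responder that refuses to auto-block allowlisted sources, so an alert carrying a spoofed allowlisted address is logged rather than turned into a self-inflicted DoS; the allowlist networks and block TTL are assumed values.

```python
import ipaddress

# Assumed allowlist of sources that must never be blocked automatically (constructed).
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.53/32")]
BLOCK_TTL = 600  # seconds an automatic block stays in place (assumed)

class ActiveResponder:
    """Turns IDS alerts into time-limited blocks, exempting allowlisted sources."""

    def __init__(self):
        self.blocks = {}   # source ip -> time at which the block expires

    def is_allowlisted(self, src):
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in ALLOWLIST)

    def on_alert(self, src, now):
        """Return the action taken for an alert attributed to source `src`."""
        if self.is_allowlisted(src):
            return "log-only"   # possible spoof or false positive: never block ourselves
        self.blocks[src] = now + BLOCK_TTL
        return "block"

    def should_drop(self, src, now):
        """Inline decision for a packet from `src`; expired blocks are cleaned up."""
        expiry = self.blocks.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocks[src]
            return False
        return True

if __name__ == "__main__":
    r = ActiveResponder()
    print(r.on_alert("192.0.2.53", now=0))    # spoofed DNS resolver address: log-only
    print(r.on_alert("203.0.113.9", now=0))   # unlisted source: block
```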
Intrusion prevention system (IPS)
• When deploying an IPS, you should carefully
monitor and tune your systems and be aware
of the risks involved.
• You should also have an in-depth
understanding of your network, its traffic, and
both its normal and abnormal characteristics.
• It is always recommended to run IPS and
active response technologies in test mode for
a while to thoroughly understand their
behavior.