IDS-IDPS-NIDS-HIDS

GROUP 6
 GROUP 6 MEMBERS

TN TD TD
Nguyễn Thị Thủy Đỗ Anh Tài Đinh Công Thành

LN TN
Nguyễn Thị Mai Linh Ngô Quang Tùng
 Main contents

GAM
IDS IDPS NIDS HIDS
E
Game
Game
1 2

3 4
 Game
Question 1: What does IDS stand for?
Game
Question 1: What does IDS stand for?

INTRUSION
DETECTION SYSTEM
Game
Question 2: What does IDPS stand for?
Game
Question 2: What does IDPS stand for?

INTRUSION
DETECTION AND
PREVENTION
SYSTEM
Game
Question 3: What does NIDS stand for?
Game
Question 3: What does NIDS stand for?

NETWORK-BASED
INTRUSION
DETECTION
SYSTEM
Game
Question 4: What does HIDS stand for?
Game
Question 4: What does HIDS stand for?

HOST-BASED INTRUSION
DETECTION SYSTEM
 IDS
Presenter: Nguyen Thi Mai Linh
IDS

-IDS stand for Intrusion detection system is a device or software

application that monitors a networkor systems for malicious activity or
policy violations.

- Any intrusion activity or violation is typically reported either to an

administrator or collected centrally using a security information and event
management (SIEM) system.
 IDS
- IDS needs to meet certain requirements:
• Accuracy
• Performance
• Completeness
• Fault Tolerance
• Scalability
 IDS

- Components of IDS
• information collection

• Detection

• Response
 IDS
- Function
• Monitors: Monitor network traffic for abnormal and suspicious activities.

• Warning : Once IDS has identified abnormal activities from a specific

access, it will provide a system alert to the administrator.

• Protect : Use default settings and configurations from the administrator

to take actions against intruders.
IDS
IDS can be classified into 2 different

• NIDS : Network-based intrusion detection system.

 IDS
IDS can be classified into 2 different
• HIDS : Host-based intrusion detection system.
IDS
IDS detection methods:

• Signature-based detection

• Statistical anomaly-based detection

• Stateful protocol analysis detection

 IDPS
Presenter: Dinh Cong Thanh and
Do Anh Tai
IDPS
I. Definition

Intrusion detection and prevention systems (IDPS) are focused on

identifying possible incidents, logging information about them,
attempting to stop them, and reporting them to security administrators.
IDPS
II. Basic functions of an IDPS
• Monitoring

• Detection

• Prevention

• Response

• Auditing

The IDPS helps to ensure the security and integrity of the network and
protect it from various types of attacks.
 IDPS
III. Types of IDPS
1. Network-based intrusion prevention system (NIPS):

• NIPS monitor entire networks or network segments for malicious traffic.

• If the protocol activity matches against a database of known attacks, the

corresponding information isn’t allowed to get through.

• NIPS are usually deployed at network boundaries, behind firewalls,

routers, and remote access servers.
 IDPS
III. Types of IDPS
2. Wireless intrusion prevention system (WIPS):

· WIPS monitor wireless networks by analyzing wireless

networking specific protocols.

· It is deployed within the wireless network and in areas that are susceptible
to unauthorized wireless networking.
IDPS
III. Types of IDPS
3. Network behavior analysis (NBA) system:

• identify threats by checking for unusual traffic patterns.

For example: policy violations, malware-generated attacks, or distributed
denial of service (DDoS) attacks.

• It is deployed in an organization’s internal networks

 IDPS
III. Types of IDPS
4. Host-based intrusion prevention system (HIPS):

· Host-based intrusion prevention systems are deployed in a single

host.

· Monitoring running processes, network activity, system logs, application

activity, and configuration changes.
IDPS
IV. Detection level functionalities of IDPS and examples

• Threshold monitoring

• The first step of threshold monitoring consists of setting accepted

levels associated with each user, application, and system behavior.

• The monitoring system alerts admins and sometimes triggers automated

responses when a threshold is crossed.
IDPS
IV. Detection level functionalities of IDPS
2. Profiling

• Intrusion detection and prevention systems offer two types of

profiling: user profiling and resource profiling.

• User profiling involves monitoring if a user with a particular role

or user group only generates traffic that is allowed.

• Resource profiling measures how each system, host, and application consumes
and generates data. An application with a suddenly increased workflow might
indicate malicious behavior.
IDPS
V. Prevention–level functionalities of IDPS

1. Stopping the attack

2. Security environment changes

3. Attack content modification

IDPS
VI. Techniques of IDPS
1. Signature-based detection

• A signature is a specific pattern in the payload.

2. Anomaly-based detection

• Anomaly detection works on threshold monitoring and profiling.

3. Stateful protocol analysis

• Anomaly detection uses host- or network-specific profiles to

determine suspicious activity.
IDPS
VII. Top 10 IDPS tools in 2022

• AirMagnet Enterprise
• Amazon Web Services (AWS) GuardDuty
• Azure Firewall Premium IDPS
• Blumira
• Cisco Secure IPS (NGIPS)
• Darktrace Enterprise Immune System
• IBM Intrusion Detection and Prevention System (IDPS) Management
• Meraki MX Advanced Security Edition
• NSFocus Next-Generation Intrusion Prevention System
• Snort
 NIDS
Presenter: Ngo Quang Tung
NIDS

I. Definition.

• A network-based intrusion detection system (NIDS) is used to monitor

network traffic and look for suspicious activity such as illicit network
actions, malicious traffic, and exploits that may indicate an attempted or
successful attack.
NIDS

II. How is work?

• To detect threats, network-based intrusion detection

systems gather information about incoming and
outgoing internet traffic.
NIDS

II. How is work?

• When threats are discovered,

based on its severity, the
system can take action such as
notifying administrators, or
barring the source IP address
from accessing the network.
NIDS

III. Technologies that can be monitored by NIDS.

• TCP/IP protocols, such as HTTP, FTP, DNS, SMTP, and SSH.
• Network-based attacks, such as Denial of Service (DoS), Distributed
Denial of Service (DDoS), and Port Scanning.
• Intrusion attempts, such as SQL Injection, Cross-Site Scripting (XSS),
and Buffer Overflow.
• Malware and viruses, such as trojans, worms, and ransomware.
• Network anomalies, such as unusual traffic patterns or spikes in data
transfer
NIDS

IV. Common types of network intrusion detection systems.

There are two common types of Network Intrusion Detection

Systems (NIDS), as follows:

• Signature-based NIDS: This type of

NIDS is also known as rule-based
NIDS.
NIDS
NIDS

IV. Common types of network intrusion detection systems.

2. Anomaly-based NIDS: This type of NIDS compares

network traffic against a baseline of what is considered
normal traffic.
NIDS
 HIDS
Presenter: Nguyen Thi Thuy
HIDS
I. Definition.

• Host-based Intrusion Detection System (HIDS)

• A security software used to monitor and detect intrusion into

a specific computer system

• Works by monitoring system events on the computer and

comparing them with predefined patterns to detect
malicious activities
HIDS
I. Definition.
HIDS
II. How HIDS Works?

• HIDS monitors system logs, configuration files, and other

system information for anomalies and potential security
breaches

• Compares the observed data with known malicious patterns

to detect intrusions

• Generates alerts or takes action to prevent the attack

HIDS
HIDS
III. Types of HIDS

• Signature-based HIDS: Uses predefined patterns to detect attacks

• Anomaly-based HIDS: Learns normal system behavior and raises an

alarm when an activity deviates from the norm

• Behavior-based HIDS: Analyzes system behavior and raises an alarm

when it detects suspicious activities
HIDS
IV. Advantages and disadvantage of HIDS
• Advantage of HIDS
• Provides real-time monitoring of system events

• Can detect new and unknown attacks

• Can identify the root cause of the intrusion

• Can integrate with other security tools to

enhance overall security
HIDS
IV. Advantages and disadvantage of HIDS

2. Disadvantage of HIDS

• Requires significant resources to operate and

maintain

• Can generate false positives and negatives,

leading to wasted resources or missed attacks

• Can be by passed by sophisticated attackers

HIDS
V. Examples of HIDS
• OSSEC: An open-source HIDS that detects intrusions,
rootkits, and other security threats

• Snort: A popular open-source network intrusion detection system that can

be used as a HIDS by monitoring traffic on a single host
HIDS
V. Examples of HIDS

• Tripwire: A commercial HIDS that monitors file integrity

and configuration changes on a system does not protect
against all types of attacks
CONCLUSI
ON
 Advantage :
• Suitable for collecting data and evidence for
investigation and incident response purposes.
• Provides a comprehensive overview of the entire
network system.
• A useful tool for checking for any issues or

IDS
incidents within the network system.

Defect:
• It needs to be configured properly, otherwise it
can cause false alarms.
• Relatively low ability to analyze encrypted
traffic.
• The development and operation costs of the
system are relatively high.
 • IDPS is to provide information about threats,
vulnerabilities and intrusion behavior in the
system.

• IDPS is an important role in system protection

and information security.

IDPS • IDPS is not the only solution for system

protection. Other security measures should also
be implemented to ensure system safety.
 Advantage
• Early detection of threats
• Comprehensive coverage
• Scalability
• Customizable rules

NIDS Disadvantage

• False positives
• Signature-based limitations
• High resource utilization
• Cost
 • HIDS is an essential component of a
comprehensive security strategy to protect
computer systems from unauthorized access and
other security threats
• While HIDS has some limitations, it remains an
effective tool for detecting and responding to

HIDS
security breaches.