Intrusion Detection Systems

Presented by: Priyanka Ghagare Guided By: Amol Bhilare

• Introduction
• Why do I need an IDS, I have a Firewall?
• Components of Intrusion Detection
• Types of IDS
• Firewall Versus Network IDS
• Problems with Current IDSs
• Next Generation IDSs
• Conclusion

Introduction

• Intrusion
  – A set of actions aimed to compromise the security goals (namely integrity, confidentiality, or availability) of a computing and networking resource.
• Intrusion detection
  – The process of identifying and responding to intrusion activities.

Why do I need an IDS, I have a Firewall?

• Firewall
  – Active filtering
  – Fail-close
• Network IDS
  – Passive monitoring
  – Fail-open

(Figure: IDS sensor placed alongside the FW)

Components of Intrusion Detection System

Audit Records → Audit Data Preprocessor → Activity Data → Detection Engine (uses Detection Models) → Alarms → Decision Engine (uses Decision Table) → Action/Report

Underlying premises shown on the diagram:
• system activities are observable (input to the Audit Data Preprocessor)
• normal and intrusive activities have distinct evidence (input to the Detection Engine)

Types of IDS

• Different ways of classifying an IDS. IDS based on:
  – anomaly detection
  – signature based misuse
  – host based
  – network based

Anomaly based IDS

• This IDS models the normal usage of the network as a noise characterization.
• Anything distinct from the noise is assumed to be an intrusion activity.
• The primary strength is its ability to recognize novel attacks.
  – E.g. flooding a host with lots of packets.

Anomaly Detection

(Figure: activity measures such as CPU and process size plotted on a 0 to 90 scale, contrasting the normal profile with an abnormal reading marked as a probable intrusion)

• Relatively high false positive rate: anomalies can just be new normal activities.
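The two slides above describe anomaly detection in words and as a chart. The following Python is an added example, not part of the presentation: it builds a "normal profile" from a constructed baseline of (CPU, process size) measurements, treats the per-measure standard deviation as the noise, and flags any sample that lies too far outside it. The baseline values, the observation labels and the 3-sigma threshold are all assumptions chosen for the example; the third observation (a legitimate new backup job) is flagged even though it is benign, which is exactly the false-positive weakness the slide warns about.

```python
import statistics
from dataclasses import dataclass

# Constructed baseline: (cpu_percent, process_size_mb) samples recorded while the
# host was known to behave normally. Values are made up for this example.
BASELINE = [
    (12.0, 40.0), (15.0, 41.0), (11.0, 39.0), (14.0, 41.0), (13.0, 39.0),
    (16.0, 42.0), (12.0, 38.0), (14.0, 42.0), (13.0, 38.0), (15.0, 40.0),
]


@dataclass(frozen=True)
class Profile:
    """The 'normal profile': mean and standard deviation of each activity measure."""
    means: tuple
    stdevs: tuple


def build_profile(samples):
    """Characterise normal usage as noise: one mean/stdev per measure (CPU, process size)."""
    columns = list(zip(*samples))
    means = tuple(statistics.mean(col) for col in columns)
    # Floor the spread so a measure that never moved in the baseline does not turn
    # every later jitter into an infinite deviation.
    stdevs = tuple(max(statistics.pstdev(col), 1e-6) for col in columns)
    return Profile(means, stdevs)


def deviation(profile, sample):
    """Distance from the noise: the largest z-score across all measures."""
    return max(abs(v - m) / s for v, m, s in zip(sample, profile.means, profile.stdevs))


def classify(profile, sample, threshold=3.0):
    """Anything beyond `threshold` standard deviations from normal is flagged."""
    return "probable intrusion" if deviation(profile, sample) > threshold else "normal"


# Constructed observations fed to the detector after training. The last one is
# benign but novel, so the detector cannot tell it from an attack.
OBSERVATIONS = {
    "idle web server": (14.0, 41.0),
    "host being flooded with packets": (95.0, 41.0),
    "first run of a new nightly backup job": (60.0, 40.0),
}


def evaluate(profile=None, observations=OBSERVATIONS):
    """Classify each observation against the profile; returns {label: verdict}."""
    profile = profile or build_profile(BASELINE)
    return {label: classify(profile, sample) for label, sample in observations.items()}


if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{label:40s} -> {verdict}")
```

The profile is nothing more than a mean and spread per measure, so once an analyst confirms that the backup job is legitimate, the mitigation is to fold those samples into BASELINE and rebuild the profile; until that happens every nightly run will raise the same false alarm.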

Signature based misuse

• This IDS possesses an attack description that can be matched to sensed attack manifestations.
  – E.g. DNS, FTP etc.
• The question of what information is relevant to an IDS depends upon what it is trying to detect.

Misuse Detection

(Figure: intrusion patterns are pattern-matched against observed activities; a match is reported as an intrusion)

• Example: if (src_ip == dst_ip) then “land attack”
• Can’t detect new attacks.
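To make the pattern-matching idea concrete, here is an added Python example (not code from the presentation) of a tiny signature engine. The packet fields, the sample stream and the second signature ("tcp null flags", a TCP segment with no flags set) are constructed for the example; the land-attack rule is the one on the slide. The last packet in the stream is deliberately odd but matches no signature, which illustrates the slide's closing point that a misuse detector cannot see attacks it has no pattern for.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields a sensor extracts from a sniffed packet (constructed, not a real capture)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    flags: str = ""
    payload_len: int = 0


@dataclass(frozen=True)
class Signature:
    """One intrusion pattern: a name plus the predicate that recognises it."""
    name: str
    matches: Callable[[Packet], bool]


# The rule from the slide: a packet whose source address equals its destination.
LAND_ATTACK = Signature("land attack", lambda p: p.src_ip == p.dst_ip)

# Second constructed rule so the engine has more than one pattern to match:
# a TCP segment with no flags set at all.
TCP_NULL_FLAGS = Signature("tcp null flags", lambda p: p.proto == "tcp" and p.flags == "")

SIGNATURES = [LAND_ATTACK, TCP_NULL_FLAGS]


def match(packet: Packet, signatures=SIGNATURES) -> List[str]:
    """Pattern matching: names of every known intrusion pattern this packet fits."""
    return [s.name for s in signatures if s.matches(packet)]


def scan(packets, signatures=SIGNATURES) -> List[Tuple[Packet, List[str]]]:
    """Run the detector over a packet stream and keep only the packets that matched."""
    alerts = []
    for p in packets:
        hits = match(p, signatures)
        if hits:
            alerts.append((p, hits))
    return alerts


# Constructed packet stream: one benign connection, two known patterns and one
# unusual packet (oversized UDP payload) for which no signature exists.
SAMPLE_STREAM = [
    Packet("10.0.0.5", "192.0.2.10", 51000, 80, "tcp", flags="S"),
    Packet("192.0.2.10", "192.0.2.10", 139, 139, "tcp", flags="S"),
    Packet("10.0.0.7", "192.0.2.10", 51001, 22, "tcp", flags=""),
    Packet("10.0.0.9", "192.0.2.10", 51002, 53, "udp", payload_len=60000),
]


if __name__ == "__main__":
    for pkt, hits in scan(SAMPLE_STREAM):
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}  {', '.join(hits)}")
    print("packets matching no signature:", len(SAMPLE_STREAM) - len(scan(SAMPLE_STREAM)))
```

Each signature is a pure predicate over header fields, so adding a new pattern means appending one entry to SIGNATURES; the detector's coverage is exactly the contents of that list and nothing more.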

Host/Applications based IDS

• The host operating system or the application logs the audit information.
• This audit information includes events like the use of identification and authentication mechanisms (logins etc.), file opens and program executions, admin activities etc.
• This audit is then analyzed to detect trails of intrusion.
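The component diagram earlier (Audit Records → Preprocessor → Detection Engine → Decision Engine → Action) and this slide on host audit data fit together naturally, so here is one added Python example, not from the presentation, that runs that pipeline over constructed host audit records. The log format, the two detection models (a burst of failed logins for one user within a time window, and a non-root user opening a sensitive system file), the sensitive path list and the decision table are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit records in a made-up host log format:
# "<timestamp-seconds> <event> key=value ...". Not real system output.
AUDIT_RECORDS = [
    "1000 login result=fail user=alice src=10.0.0.5",
    "1003 login result=fail user=alice src=10.0.0.5",
    "1006 login result=fail user=alice src=10.0.0.5",
    "1009 login result=fail user=alice src=10.0.0.5",
    "1012 login result=ok user=alice src=10.0.0.5",
    "1100 file_open path=/home/bob/notes.txt user=bob",
    "1105 file_open path=/etc/shadow user=bob",
    "1110 exec path=/usr/bin/vim user=bob",
]

RECORD_RE = re.compile(r"^(?P<ts>\d+) (?P<event>\w+)(?P<fields>(?: \w+=\S+)*)$")


@dataclass
class Activity:
    """One structured activity-data record produced by the preprocessor."""
    ts: int
    event: str
    fields: dict


def preprocess(records):
    """Audit Data Preprocessor: parse raw audit records into activity data."""
    activities = []
    for line in records:
        m = RECORD_RE.match(line)
        if not m:
            continue  # unparseable record; a real system would count and report these
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
        activities.append(Activity(int(m.group("ts")), m.group("event"), fields))
    return activities


def model_failed_logins(activities, limit=3, window=60):
    """Detection model: `limit` failed logins for one user within `window` seconds,
    plus a second alarm if that streak is followed by a successful login."""
    alarms = []
    failures = defaultdict(list)
    for a in activities:
        if a.event != "login":
            continue
        user = a.fields.get("user")
        if a.fields.get("result") == "fail":
            recent = [t for t in failures[user] if a.ts - t <= window] + [a.ts]
            failures[user] = recent
            if len(recent) == limit:  # fire once when the streak reaches the limit
                alarms.append(("repeated_login_failure", user, a.ts))
        elif a.fields.get("result") == "ok" and len(failures[user]) >= limit:
            alarms.append(("login_after_failures", user, a.ts))
            failures[user] = []
    return alarms


SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers"}  # assumed list for the example


def model_sensitive_file(activities):
    """Detection model: a non-root user opening a sensitive system file."""
    return [("sensitive_file_open", a.fields.get("user"), a.ts)
            for a in activities
            if a.event == "file_open"
            and a.fields.get("path") in SENSITIVE_PATHS
            and a.fields.get("user") != "root"]


DETECTION_MODELS = [model_failed_logins, model_sensitive_file]

# Decision Table: the action the decision engine takes for each alarm type.
DECISION_TABLE = {
    "repeated_login_failure": "report",
    "login_after_failures": "page_oncall",
    "sensitive_file_open": "page_oncall",
}


def detection_engine(activities, models=DETECTION_MODELS):
    """Detection Engine: run every detection model and merge alarms in time order."""
    alarms = []
    for model in models:
        alarms.extend(model(activities))
    return sorted(alarms, key=lambda alarm: alarm[2])


def decision_engine(alarms, table=DECISION_TABLE):
    """Decision Engine: map each alarm to an action via the decision table."""
    return [(table.get(kind, "report"), kind, user, ts) for kind, user, ts in alarms]


def run_pipeline(records):
    """Full pipeline: audit records -> activity data -> alarms -> actions."""
    return decision_engine(detection_engine(preprocess(records)))


if __name__ == "__main__":
    for action, kind, user, ts in run_pipeline(AUDIT_RECORDS):
        print(f"t={ts} {action:12s} {kind} user={user}")
```

The audit trail alone says nothing about intent; it is the detection models that turn four failed logins and a success into a trail worth reporting, which is why the slide stresses which events must be logged in the first place.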

Network IDSs

• Deploying sensors at strategic locations
  – E.g. packet sniffing via tcpdump at routers
• Inspecting network traffic
  – Watch for violations of protocols and unusual connection patterns
• Monitoring user activities
  – Look into the data portions of the packets for malicious command sequences
• May be easily defeated by encryption
  – Data portions and some header information can be encrypted
• Other problems …

Architecture of Network IDS

Network → Packet stream → libpcap (configured with tcpdump filters) → Filtered packet stream → Event Engine → Event stream → Policy Script Interpreter (running the Policy script) → Alerts/notifications

The Policy Script Interpreter also sends Event control back down to the Event Engine.

Functions of IDS

• Monitoring and analyzing both user and system activities.
• Analyzing system configurations and vulnerabilities.
• Assessing system and file integrity.
• Detecting and preventing network intrusions.
• Antivirus, antispyware management.

Monitoring Networks and Hosts

• Network Packets → tcpdump
• Operating System Events → BSM

Problems with Current IDSs

• Knowledge and signature-based:
  – “We have the largest knowledge/signature base”
  – Ineffective against new attacks
• Individual attack-based:
  – “Intrusion A detected. Intrusion B detected …”
  – No long-term proactive detection/prediction
• Statistical accuracy-based:
  – “x% detection rate and y% false alarm rate”
  – Are the most damaging intrusions detected?
• Statically configured.

Next Generation IDSs

• Adaptive
  – Detect new intrusions
• Scenario-based
  – Correlate (multiple sources of) audit data and attack information
• Cost-sensitive
  – Model cost factors related to intrusion detection
  – Dynamically configure IDS components for best protection/cost performance

Adaptive IDSs

(Figure: anomaly data from the deployed IDSs feeds a semiautomatic ID Modeling Engine, which produces ID models that are distributed back to the IDSs for anomaly detection and misuse detection)

Where do I put my IDS? .

Conclusion

• IDS are becoming the logical next step for many organizations after deploying firewall technology at the network perimeter.
• IDS can offer protection from external users and internal attackers, where traffic doesn't go past the firewall at all.
• If all of these points are not adhered to, an IDS implementation along with a firewall alone cannot make a highly secured infrastructure.
