1 / 20

Intrusion Detection System

Marmagna Desai [ 520 Presentation]. Intrusion Detection System. Contents. Computer Security Network System IDS - Introduction Intrusion Detection System Network Based (NIDS) Host Based (HIDS) ID Expert Systems IDS Techniques Misuse Detection Anomaly Detection Immune System Approach

gnatoli
Download Presentation

Intrusion Detection System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Marmagna Desai [ 520 Presentation] Intrusion Detection System

  2. Contents Computer Security Network System IDS - Introduction Intrusion Detection System Network Based (NIDS) Host Based (HIDS) ID Expert Systems IDS Techniques Misuse Detection Anomaly Detection Immune System Approach Architecture Requirements Conclusion References Thanks

  3. Computer Security – CIAConfidentiality-Integrity-Authentication Network Security Protecting Network equipment. Network servers and transmissions. Eavesdropping. Data Integrity System Security User access Authentication controls Assignment of privilege Maintaining file and file system integrity Monitoring processes Log-keeping Backups

  4. Intrusion Detection System IDS - Definition Monitors either a Network boundary (Network IDS) or a single host (Host IDS) in real-time, looking for patterns that indicate Attacks. Functional Blocks.. Sensor Monitor Resolver Controller

  5. Sensor System Specific Data Gathering Component. Track Network traffic, Log files, System behaviour Monitor Monitor Components, Get Events from Sensor. Correlates Events against Behaviour-Model Produce Alerts. Resolver Determine Response against Alerts. E.g. Logging, Changing System Mechanism, Setting Firewall Rule etc. Controller - Coordination and Administration

  6. Network IDS NIDS Sensors collect information from Network Connections. Uses Packet Sniffing on NIC in Promiscuous Mode. No Auditing / Logging required. Agents can introduced without affecting Data Source at NIC level. Detects Network Level Attacks (e.g. SYN Atk) Can NOT scan Protocols or Content of Network Traffic if encrypted.

  7. Host IDS HIDS Sensors collect information reflecting the System Activity. Based on Operating System Audit Trails, Logs and Process Trees. User and Application Level Analysis Process Behaviour Analysis Operate in Encrypted Environments. Platform Specific, Large Overhead for OS and Higher Management/Deployment Costs

  8. ID Expert Systems A set of System Tools Working in Coordination Users Behave in a Consistent Manner Behaviour can be Summarised in a Profile. Profile can be generated by Advanced Statistical Analysis. Oracle Database is used for Profiles. Provides Real-Time Response to Intrusion.

  9. IDS Approaches Misuse Detection Models Abnormal behaviour E.G. HTTP request referring to the cmd.exe file Uses Pattern Matching of system setting and user activities against database of known attacks. (Signature Analysis) Highly Efficient – Tightly Defined Signature. Vulnerable to novel attacks.

  10. Anomaly Detection Models Normal Behaviour E.g. Expected System Calls, generated by User Process (Root/Non-root). Statistical profiles for system objects are created by measuring attributes of normal use. Detects Novel and Complex attacks. Low Efficiency False Positive Legitimate action classified as Anomalous.

  11. Anomaly Detection - continued Immune System Approach Models in terms of Sequence of System Calls. Sequence for Normal Behaviour Error Condition Anomaly Kernel-Level System-Call Monitoring. E.g. “exec “ System call produces trace in all above situations.

  12. System Call Execution Process System Call Dispatcher User Process System Call Implementation Schedular System Call

  13. Kernel Level System Monitoring System Call Dispatcher User Process IDS Module Schedular System Call Implementation System Call Response e.g. Delay

  14. Architecture Monolithic Single Application contains sensor, monitor, resolver and controller Most Simplest Architecture, unable to detect attack made by distributed normal events. Hierarchic Resolver and Controller at root of hierarchy. Monitors at sub-system (logical group) level. Sensors at Node-Level Centralised controller correlates information from different Monitors and Resolver take decision

  15. Architecture – continued Agent Based Distributed Sensors/Monitors/Resolver and Controller. Multi-Hierarchy of Monitors High Scalability Recently used in various IDS.

  16. Requirements Accuracy Prevention, not just detection Broad attack coverage Analyze all relevant traffic Highly granular detection and response Sophisticated forensics and reporting Maximum sensor uptime Wire-speed performance

  17. Requirements... Accuracy Reduced False +ve and -ve Thorough Protocol Analysis Prevention Real Time Prevention Reconfiguration and Response Self Learning Profiles Broad Attack Coverage Protects against all Attacks

  18. Requirements... Analyze all relevant traffic (NIDS) Deploy IDS to suit varying Networks Topology Granular Detection and Response One size does not fit all. Forensic and Reporting Extensive Historic Analysis and Report Wire-Speed Multi – Giga bit Performance

  19. Conclusion IDS will merge all Network components and tools which exist today, into a complete and cooperative system, dedicated to keeping networks Stable and Secure. Distributed elements performing specific jobs. Hierarchical correlation and analysis. Novel approaches like AI, Data-Mining etc.

  20. Thank You!!

More Related