Intrusion Detection Systems

In the Name of Allah. Intrusion Detection Systems. Presented by Ali Fanian. Outline: Intrusion Concept; Intrusion Detection Systems (IDS); Types of IDS; Attacks to the IDS; Gateway Intrusion Detection System; Host-based Intrusion Detection.

    Presentation Transcript
    1. In the Name of Allah. Intrusion Detection Systems. Presented by Ali Fanian

    2. Outline • Intrusion Concept • Intrusion Detection Systems (IDS) • Types of IDS • Attacks to the IDS • Gateway Intrusion Detection System • Host-based Intrusion Detection

    3. What is an intrusion? An intrusion can be defined as “any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource”.

    4. Intruders • Insider: abuse by a person with authorized access to the system. • Hacker: attacks over communication links (e.g. the Internet). • Malicious software (malware: Trojan horses, viruses): attacks the system from software running on it.

    5. Intrusion Examples • Viruses • Buffer overflows, e.g. the 2000 Outlook Express vulnerability • Denial of Service (DoS): an explicit attempt by attackers to prevent legitimate users of a service from using that service • Address spoofing: a malicious user sends packets with a forged source IP address to a target • Many others

    6. Outline • Intrusion Concept • Intrusion Detection Systems (IDS) • Types of IDS • Attacks to the IDS • Gateway Intrusion Detection System • Host-based Intrusion Detection

    7. Intrusion Detection Systems • Systems that detect attacks on computer systems.

    8. Intrusion Detection Systems • An Intrusion Prevention System (IPS) sits inline and can stop outside attacks before they reach the victim. [Figure: intruders on the Internet, an IPS at the perimeter, the victim behind it]

    9. IDS Basic Functions • Monitoring: collect information from the network or host • Analyzing: determine what, if anything, is of interest • Reporting: generate conclusions and otherwise act on the analysis results

    10. Intrusion Detection Systems • Firewalls are typically placed on the network perimeter, protecting against external attacks • Firewalls allow traffic only to legitimate hosts and services • Traffic to the legitimate hosts/services can still carry attacks • Solution? Intrusion Detection Systems • Monitor data and behavior • Report when attacks are identified

    11. Intrusion Detection Systems • Traditional IDS response tends to be passive response • Secondary investigation required because IDS is still imperfect • These days, IDS can be set up to respond to events automatically – “active response”

    12. Intrusion Detection Systems • Active response – dropping connection, reconfiguring networking devices (firewalls, routers)

    13. Intrusion Detection Systems • The resources available for alarm investigation determine the delay in response, for both active and passive response • If multiple alarm types are involved, which alarm to investigate first is an issue

    14. Intrusion Detection Systems • Passive response • potential damage cost - resulting from alarmed events not investigated immediately • low false alarm costs since alarmed events are not disrupted

    15. Intrusion Detection Systems • Active response • It could prevent attack damage because the events are terminated immediately • higher false alarm costs contingent on the performance of the IDS

    16. Audit Log Architecture [Figure: the system being monitored writes an audit log; the IDS reads the log data, compares it against profiles, and produces alerts and reports]

    17. Inline Architecture [Figure: a sniffer captures data from the system being monitored as it flows; the IDS compares it against profiles and produces alerts and reports]

    18. Outline • Intrusion Concept • Intrusion Detection Systems (IDS) • Types of IDS • Attacks to the IDS • Gateway Intrusion Detection System • Host-based Intrusion Detection

    19. Types of IDS • By data source: Host-based, Network-based • By detection method: Signature-based, Anomaly-based

    20. Signature-based IDS • Characteristics • Uses known pattern matching to signify attack

    21. Signature-based IDS • Advantages? • Widely available • Fairly fast • Easy to implement • Easy to update • Disadvantages? • Cannot detect attacks for which it has no signature

    22. Anomaly-based IDS • Characteristics • Uses statistical model or machine learning engine to characterize normal usage behaviors • Recognizes departures from normal as potential intrusions

    23. Anomaly-based IDS • Advantages? • Can detect attempts to exploit new and unforeseen vulnerabilities • Can recognize authorized usage that falls outside the normal pattern • Disadvantages? • Generally slower, more resource intensive compared to signature-based IDS • Greater complexity, difficult to configure • Higher percentages of false alerts

    24. More Problems with Anomaly Detection • The dynamic update problem is unsolved. • You can train these systems successfully to handle static environments, but computer networks are dynamic. • If you try to retrain an existing system to deal with new events, it will usually forget its old training. You have to give it the old training data as well as the new.

    25. Possible Approaches to Anomaly Detection • Neural networks • Expert systems • Statistical decision theory
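The statistical approach of slides 22 to 25 and the retraining problem of slide 24, as an added example that is not part of the original presentation. It models one metric (requests per minute to a web host) as a mean and standard deviation, flags observations more than three standard deviations from the mean, and then shows what happens when the baseline is retrained on new data only versus on old plus new data. All sample values, names and the 3-sigma threshold are constructed for the example.

```python
"""Statistical anomaly detection on a per-minute request-count baseline.

Added example; the data below are constructed, not taken from any real host.
"""
from dataclasses import dataclass
from statistics import mean, stdev
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Profile:
    """Model of normal usage: mean and sample standard deviation of a metric."""
    mu: float
    sigma: float
    n: int

    @classmethod
    def train(cls, samples: Iterable[float]) -> "Profile":
        data = [float(x) for x in samples]
        if len(data) < 2:
            raise ValueError("need at least two training samples")
        return cls(mu=mean(data), sigma=stdev(data), n=len(data))

    def zscore(self, x: float) -> float:
        """Distance from the mean, in standard deviations."""
        if self.sigma == 0.0:  # constant baseline: anything different is infinitely far
            return 0.0 if x == self.mu else float("inf")
        return (x - self.mu) / self.sigma

    def is_anomalous(self, x: float, threshold: float = 3.0) -> bool:
        return abs(self.zscore(x)) > threshold


def detect(profile: Profile, observations: Iterable[float],
           threshold: float = 3.0) -> List[float]:
    """Return the observations that the profile flags as anomalous."""
    return [x for x in observations if profile.is_anomalous(x, threshold)]


# Constructed training data: requests per minute seen at one web host.
OLD_NORMAL = [40, 42, 38, 45, 41, 39, 44, 43]          # the original quiet baseline
NEW_NORMAL = [120, 122, 118, 125, 121, 119, 124, 123]  # after a legitimate traffic increase


def retraining_demo() -> Dict[str, object]:
    """Slide 24's dynamic-update problem, made concrete.

    Retraining on the new environment alone forgets the old one; retraining on
    old plus new keeps both, at the price of a much wider (less sensitive) profile.
    """
    old = Profile.train(OLD_NORMAL)
    new_only = Profile.train(NEW_NORMAL)
    combined = Profile.train(OLD_NORMAL + NEW_NORMAL)
    return {
        "old_flags_burst_60": old.is_anomalous(60),             # True (z about 7.5)
        "old_accepts_44": not old.is_anomalous(44),             # True (z about 1.0)
        "new_only_forgets_41": new_only.is_anomalous(41),       # True: old normal now alarms
        "combined_accepts_41": not combined.is_anomalous(41),   # True: old normal remembered
        "combined_accepts_121": not combined.is_anomalous(121), # True: new normal accepted
        "combined_misses_200": not combined.is_anomalous(200),  # True (z about 2.9): sensitivity lost
        "old_sigma": old.sigma,
        "combined_sigma": combined.sigma,
    }


if __name__ == "__main__":
    base = Profile.train(OLD_NORMAL)
    print("flagged:", detect(base, [44, 60, 41, 200]))
    for key, value in retraining_demo().items():
        print(f"{key}: {value}")
```

The combined profile is the slide's remedy (keep the old training data), and the last entry shows its cost: with both regimes folded into one mean and standard deviation, a burst of 200 requests per minute falls under the 3-sigma threshold that the old profile would have flagged immediately.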

    26. Network-based IDS • Characteristics • A NIDS passively examines raw packets on the network and triggers alerts

    27. Network-based IDS • Advantages? • Easy deployment • Hard for an attacker to detect or disable, since the sensor only observes • Disadvantages? • The NIDS must reconstruct the traffic exactly as the end host will see it (reassembly, decoding), or it can be evaded • Needs to know the complete network topology and the behavior of every host

    28. Host-based IDS • Characteristics • Runs on a single host • Can analyze logs, the integrity of files and directories, etc.

    29. Host-based IDS • Advantages • More accurate than a NIDS • Sees less traffic, so less overhead • Disadvantages • Deployment is expensive (one agent per host) • What happens when the host itself gets compromised? The attacker can tamper with the HIDS and its logs.

    30. Honey Pots and Burglar Alarms • Burglar alarms are resources on the network that generate an alarm if accessed incorrectly. • Honey pots are burglar alarms dressed up to look attractive. • Have to look real to the attackers

    31. Intrusion Detection Using Honey Pot • Honey pot is a “decoy” system that appears to have several vulnerabilities for easy access to its resources. • It provides a mechanism so that intrusions can be trapped before attack is made on real assets.

    32. Intrusion Detection Using Honey Pot (cont.) Multi-level Log Mechanism (MLLM) • MLLM logs the attacker’s activities into • Remote Log Server • Sniffer Server

    33. Intrusion Detection Using Honey Pot (cont.) An Architecture for Intrusion Detection using Honey Pot

    34. IDS Placement

    35. Outline • Intrusion Concept • Intrusion Detection Systems (IDS) • Types of IDS • Attacks to the IDS • Gateway Intrusion Detection System • Host-based Intrusion Detection

    36. Attacks to the IDS • Overload the IDS until it fails to keep up with the data • Overload the packet filter (easy) • Overload the event engine (difficult, because events are lightweight and the attacker doesn’t know the policy script) • Overload the logging/recording mechanism

    37. Attacks to the IDS • A subterfuge attack attempts to mislead the IDS about the meaning of the analyzed traffic, so that the IDS and the end host interpret the same bytes differently (e.g. through encoding, fragmentation, or out-of-order TCP segments)
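How signature matching (slides 20 and 21) works, and how the subterfuge attacks of slide 37 and the reconstruction problem of slide 27 defeat a matcher that looks at raw bytes one packet at a time, as an added example that is not from the original presentation or from Snort. The signatures, request strings and TCP segments are constructed for the example, and the sid numbers are local placeholders.

```python
"""Signature matching versus evasion: raw per-packet search compared with
matching after normalization and stream reassembly.

Added example with constructed traffic; not code from the presentation or from Snort.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: int        # local rule id (placeholder numbers in the 1000000+ local range)
    msg: str
    content: bytes  # pattern to look for in the payload


# Two toy signatures modelled on classic web-server attack strings.
SIGNATURES = [
    Signature(1000001, "cmd.exe attempt", b"cmd.exe"),
    Signature(1000002, "/etc/passwd read attempt", b"/etc/passwd"),
]


def match_raw(payload: bytes, sigs=SIGNATURES) -> List[int]:
    """Naive matcher: exact byte search in a single packet, no decoding."""
    return [s.sid for s in sigs if s.content in payload]


def normalize_http(payload: bytes) -> bytes:
    """Rewrite the request the way the target web server will interpret it:
    percent-decode twice (to undo double encoding) and fold case."""
    text = payload.decode("latin-1")
    text = unquote(unquote(text, encoding="latin-1"), encoding="latin-1")
    return text.lower().encode("latin-1")


def match_normalized(payload: bytes, sigs=SIGNATURES) -> List[int]:
    """Matcher that normalizes first, then compares case-insensitively."""
    norm = normalize_http(payload)
    return [s.sid for s in sigs if s.content.lower() in norm]


def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """Put TCP segments back in sequence order, as the end host's stack does."""
    return b"".join(data for _, data in sorted(segments))


# Constructed requests: the same attack in four disguises, one benign request,
# and a different attack that the second signature covers.
REQUESTS: Dict[str, bytes] = {
    "plain":          b"GET /scripts/../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "url_encoded":    b"GET /scripts/..%5c../winnt/system32/cmd%2Eexe?/c+dir HTTP/1.0\r\n\r\n",
    "double_encoded": b"GET /scripts/..%255c../winnt/system32/cmd%252Eexe?/c+dir HTTP/1.0\r\n\r\n",
    "mixed_case":     b"GET /scripts/../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n\r\n",
    "benign":         b"GET /index.html HTTP/1.0\r\n\r\n",
    "traversal":      b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n\r\n",
}

# The plain attack split across two TCP segments that arrive out of order
# (constructed relative sequence numbers).
SEGMENTS: List[Tuple[int, bytes]] = [
    (34, b"d.exe?/c+dir HTTP/1.0\r\n\r\n"),
    (1,  b"GET /scripts/../winnt/system32/cm"),
]


def evaluate() -> Dict[str, object]:
    """Run both matchers over every sample: {name: (raw_sids, normalized_sids)}."""
    results: Dict[str, object] = {
        name: (match_raw(p), match_normalized(p)) for name, p in REQUESTS.items()
    }
    # Per-packet matching never sees "cmd.exe" in one piece...
    results["split_per_segment"] = [sid for _, data in SEGMENTS for sid in match_raw(data)]
    # ...but matching on the reassembled stream does.
    results["split_reassembled"] = match_normalized(reassemble(SEGMENTS))
    return results


if __name__ == "__main__":
    for name, outcome in evaluate().items():
        print(f"{name:16} {outcome}")
```

The benign request shows the signature-based blind spot from slide 21 (nothing fires without a matching pattern), and the encoded, mixed-case and split variants show the subterfuge of slide 37: the raw matcher misses every one of them even though the server will execute the same command. The fix only works if the normalization mirrors what the target actually does with the bytes; decoding twice is right for a server that double-decodes and wrong for one that does not, which is exactly why slide 27 says the NIDS must know each host's behavior.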

    38. IDS Software • Snort­ Free, libpcap based, rules driven IDS package. Many add-on components available. • …

    39. Outline • Intrusion Concept • Intrusion Detection Systems (IDS) • Types of IDS • Attacks to the IDS • Gateway Intrusion Detection System • Host-based Intrusion Detection

    40. What Is a Gateway IDS? • Gateway Intrusion Detection System • A network intrusion detection system which acts as a network gateway • Designed to stop malicious traffic and generate alerts on suspicious traffic • An “ideal” gateway IDS is able to stop all known exploits

    41. GIDS vs NIDS • GIDS: acts as a network gateway; stops suspect packets; prevents successful intrusions; false positives are VERY bad, because legitimate traffic is dropped • NIDS: only observes network traffic; logs suspect packets and generates alerts; cannot stop an intruder; false positives are not as big an issue

    42. About Inline Snort • Based on the Snort intrusion detection system • Operation is similar to some bridging firewalls • Uses snort rules with some additional keywords to make forward/drop decisions • Compatible with most snort plugins • Freely available under the GPL

    43. Inline Snort rule actions (as documented for snort_inline) • drop: drops the packet and logs it • reject: drops the packet, logs it, and sends a TCP RST (or an ICMP port unreachable for UDP) • sdrop: drops the packet silently, without logging it

    44. Content Replacement It can replace content in a packet • The “replace” keyword tells the inline engine (Hogwash, and later snort_inline) to replace a detected string with another string. • Example: alert tcp any any -> $IIS_SERVERS 80 (msg:"cmd.exe neutralized"; content:"cmd.exe"; replace:"yyy.yyy"; sid:1000003; rev:1;) • Any content in the packet payload can be replaced, provided the replacement has the same length as the matched content (here 7 bytes for 7 bytes), since the packet size must not change. • A great way to break an exploit without dropping the packet!!

    45. Sample Snort rules (assuming $HOME_NET is defined in snort.conf; sid values of 1000000 and above are reserved for local rules) • To drop incoming port 80 connections: drop tcp any any -> $HOME_NET 80 (msg:"Port 80 tcp"; sid:1000001; rev:1;) • To drop cmd.exe calls to your web servers: drop tcp any any -> $HOME_NET 80 (msg:"cmd.exe attempt"; content:"cmd.exe"; nocase; sid:1000002; rev:1;)

    46. Outline • Intrusion Concept • Intrusion Detection Systems (IDS) • Types of IDS • Attacks to the IDS • Gateway Intrusion Detection System • Host-based Intrusion Detection

    47. Host-based Intrusion Detection Anomaly detection: • The IDS monitors the system call trace from the application • A DB contains the list of subtraces (short sequences of consecutive calls) that are allowed to appear • Any observed subtrace not in the DB sets off an alarm [Figure: application, allowed traces, IDS, operating system]
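The allowed-subtraces model of slide 47 carried through in code, as an added example that is not from the original presentation. Normal runs are turned into a set of length-k call sequences; any sequence in a new trace that is missing from that set is an alarm. The system-call traces, the toy web-server scenario and k = 3 are constructed for the example.

```python
"""Host-based anomaly detection over system-call traces (the 'allowed subtraces'
model). Added example with constructed traces; not code from the presentation."""
from collections import deque
from typing import Iterable, List, Sequence, Set, Tuple

Subtrace = Tuple[str, ...]


def subtraces(trace: Iterable[str], k: int) -> List[Subtrace]:
    """All length-k windows of consecutive system calls in the trace."""
    window: deque = deque(maxlen=k)
    out: List[Subtrace] = []
    for call in trace:
        window.append(call)
        if len(window) == k:
            out.append(tuple(window))
    return out


class SyscallProfile:
    """The DB of allowed subtraces, learned from traces of normal runs."""

    def __init__(self, k: int = 3) -> None:
        self.k = k
        self.allowed: Set[Subtrace] = set()

    def train(self, traces: Iterable[Sequence[str]]) -> "SyscallProfile":
        for trace in traces:
            self.allowed.update(subtraces(trace, self.k))
        return self

    def check(self, trace: Sequence[str]) -> List[Subtrace]:
        """Return every observed subtrace that is not in the DB; each one is an alarm."""
        return [g for g in subtraces(trace, self.k) if g not in self.allowed]


# Constructed traces of a toy web-server worker serving requests normally.
NORMAL_TRACES = [
    ["accept", "read", "open", "fstat", "read", "write", "close", "close"],
    ["accept", "read", "open", "fstat", "read", "read", "write", "close", "close"],
    ["accept", "read", "stat", "write", "close"],
]

# Constructed trace of the same worker after an exploit makes it spawn a shell:
# execve and the dup2 calls never occur in normal runs.
EXPLOITED_TRACE = ["accept", "read", "open", "fstat", "read",
                   "execve", "dup2", "dup2", "read", "write"]

# A normal run that merely recombines known subtraces: no alarm.
BENIGN_UNSEEN_TRACE = ["accept", "read", "stat", "write", "close", "close"]

# A normal run with one call pattern missing from training: a false alarm.
FALSE_POSITIVE_TRACE = ["accept", "read", "open", "fstat", "read", "read", "read",
                        "write", "close", "close"]


def build_profile(k: int = 3) -> SyscallProfile:
    """Train the DB on the constructed normal traces."""
    return SyscallProfile(k).train(NORMAL_TRACES)


if __name__ == "__main__":
    profile = build_profile()
    for name, trace in [("exploited", EXPLOITED_TRACE),
                        ("benign-unseen", BENIGN_UNSEEN_TRACE),
                        ("false-positive", FALSE_POSITIVE_TRACE)]:
        alarms = profile.check(trace)
        print(f"{name}: {len(alarms)} alarm(s) {alarms}")
```

The exploited trace alarms at the first window that reaches execve, without any signature for the exploit itself, which is the anomaly-detection advantage from slide 23. The third trace is the matching disadvantage: a legitimate extra read that training never covered sets off an alarm too, so the quality of the DB depends entirely on how complete the normal training runs were.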

    48. HIDS’ Advantages over NIDS • A HIDS can monitor user-specific activity on the system • Check the process listing, local log files, system calls • It is difficult for a NIDS to associate packets with specific users (except when a content-switch-based NIDS is used!) and to determine whether the commands in the packets violate a specific user’s access privileges.