
IDS BASICS

IDS BASICS. James Logan CS526 Dr. Chow April 29, 2009. Contents. Intrusion Detection System Intro IDS Basic Architectures IDS Issues And Algorithms SNORT. Intrusion Detection System Introduction.


Presentation Transcript


  1. IDS BASICS James Logan CS526 Dr. Chow April 29, 2009

  2. Contents • Intrusion Detection System Intro • IDS Basic Architectures • IDS Issues And Algorithms • SNORT

  3. Intrusion Detection System Introduction
  • An IDS is a policy-driven mechanism, implemented in software or hardware, that helps secure a network by inspecting traffic and host activity against that policy.
  • Seen as a defense-in-depth measure when used in conjunction with a firewall: the firewall enforces what may pass, the IDS reports what actually happened, including traffic the firewall let through.
  • IDSs focus on Prevention, Detection, and Response actions to rogue traffic and system threats. Strictly, an IDS detects and alerts; blocking is the role of an intrusion prevention system (IPS), which is an IDS placed inline on the traffic path.

  4. Three Basic Architectures
  • Early Warning Mode
  • Internal Deployments
  • Every Host

  5. Early Warning Mode

  6. Internal Deployment

  7. IDS Issues
  • Performance problems (a sensor that cannot keep up with line rate drops packets, and with them the attacks they carry)
  • False positives
  • DHCP (host-only IDS)
  • Workarounds
  • Encryption (encrypted payload content cannot be inspected by a network sensor)
  • Evasion programs

  8. IDS Algorithms
  • IDSs have two basic detection approaches:
  - Signature based: known attack patterns are searched for in traffic with a multi-pattern string-matching algorithm such as Aho-Corasick
  - Anomaly based: heuristic algorithms for real-time detection, and data-mining techniques that build the profile of normal behaviour against which traffic is compared
  • Both approaches examine packet header fields (source/destination IPs, port numbers) as well as payload content.

  9. Aho-Corasick
  • Fundamental multi-pattern string-matching algorithm for signature-based IDSs: every loaded signature is searched for in a single pass over the data
  • Can be DFA or NFA based
  • Packet payload content can be searched in multiple stages
  • The state machine is built from the pre-loaded comparison strings (the signature contents), arranged as a trie whose root is the start state
  • NFA versions require failure transitions: the failure transition of a node points to the deepest node whose string is a proper suffix of the current node's string, i.e. the longest suffix that is also a prefix of some pattern and is therefore reachable from the root. If a node is of depth 1, or no such suffix exists in the trie, the failure transition goes to the root. On a mismatch the matcher follows failure transitions instead of restarting from the root, which is what makes the scan linear in the input length.

  10. Aho-Corasick Cont: NFA implementation using the patterns phone, telephone, test and elephant (diagram)
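The following is an added example, not code from the slides: an Aho-Corasick matcher built from the four patterns on the slide, first in the NFA form (trie plus failure transitions, with the failure loop followed at scan time) and then compiled into a full DFA with one table lookup per character, which is the distinction slide 9 draws. The payload string is constructed for this example; function names are the author's choice.

```python
from collections import deque

# Patterns from the slide; the payload to scan is constructed for this example.
PATTERNS = ["phone", "telephone", "test", "elephant"]
SAMPLE_PAYLOAD = "the telephone test on an elephant"


class Node:
    """One trie state: goto edges, failure transition, and the patterns ending here."""
    def __init__(self):
        self.children = {}
        self.fail = None
        self.out = []


def build_automaton(patterns):
    """Build the trie and its failure transitions (the NFA form of Aho-Corasick)."""
    root = Node()
    for p in patterns:
        node = root
        for ch in p:
            node = node.children.setdefault(ch, Node())
        node.out.append(p)
    root.fail = root
    queue = deque()
    for child in root.children.values():   # depth-1 nodes always fail to the root
        child.fail = root
        queue.append(child)
    # Breadth-first: a node's failure target is shallower than the node, so its own
    # failure link and output list are already final when the node is processed.
    while queue:
        cur = queue.popleft()
        for ch, child in cur.children.items():
            f = cur.fail
            while f is not root and ch not in f.children:
                f = f.fail
            # Deepest node whose string is a proper suffix of child's string (root if none).
            child.fail = f.children.get(ch, root)
            # Patterns that are suffixes of this node's string also match when it is reached.
            child.out = child.out + child.fail.out
            queue.append(child)
    return root


def search_nfa(text, root):
    """Scan text once, following failure transitions on a mismatch.
    Returns (end_index, pattern) for every match, in scan order."""
    hits, node = [], root
    for i, ch in enumerate(text):
        while node is not root and ch not in node.children:
            node = node.fail
        node = node.children.get(ch, root)
        for p in node.out:
            hits.append((i, p))
    return hits


def build_dfa(root, alphabet):
    """Compile the NFA into a full DFA: one lookup per character and no failure loop,
    at the cost of a transition row over the whole alphabet for every state."""
    states, queue = [root], deque([root])
    while queue:
        cur = queue.popleft()
        for child in cur.children.values():
            states.append(child)
            queue.append(child)
    index = {id(n): i for i, n in enumerate(states)}
    delta = [{} for _ in states]
    for s, node in enumerate(states):           # BFS order: the fail state's row exists already
        for ch in alphabet:
            if ch in node.children:
                delta[s][ch] = index[id(node.children[ch])]
            elif node is root:
                delta[s][ch] = 0
            else:
                delta[s][ch] = delta[index[id(node.fail)]][ch]
    outputs = [node.out for node in states]
    return delta, outputs


def search_dfa(text, delta, outputs):
    """Scan text with the compiled DFA; a character outside the alphabet resets to root."""
    hits, s = [], 0
    for i, ch in enumerate(text):
        s = delta[s].get(ch, 0)
        for p in outputs[s]:
            hits.append((i, p))
    return hits


def demo():
    """Run both forms over the sample payload and confirm they agree."""
    root = build_automaton(PATTERNS)
    nfa_hits = search_nfa(SAMPLE_PAYLOAD, root)
    delta, outputs = build_dfa(root, set("".join(PATTERNS)))
    dfa_hits = search_dfa(SAMPLE_PAYLOAD, delta, outputs)
    assert nfa_hits == dfa_hits
    return nfa_hits


if __name__ == "__main__":
    for end, pattern in demo():
        print(f"{pattern!r} ends at offset {end}")
```

Note how reaching the end of "telephone" reports "phone" as well: the failure transition from the "telephone" node points at the "phone" node, so its output list is inherited. A signature engine relies on exactly this to report every content match, not just the longest one.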

  11. SNORT Quick Intro
  • Open source IDS developed by Martin Roesch in 1998
  • Performs real-time traffic analysis and packet logging on IP networks
  • Can perform analysis on protocol usage and has the ability to do content matching/searching
  • Uses a multi-rule inspection engine during packet processing: rules are grouped by port and protocol, and one multi-pattern search over the payload selects the candidate rules, each of which is then evaluated in full
  • Uses the Wu-Manber algorithm for that multi-pattern search (the default in the Snort 2.0 engine; later releases make the search method configurable)
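To contrast with the Aho-Corasick automaton, here is an added, simplified Wu-Manber matcher over the same four patterns; it is example code written for this page, not Snort's implementation. It keeps the algorithm's SHIFT table and HASH table (built over the first m characters of each pattern, m being the shortest pattern length, with 2-character blocks) and verifies candidates directly, leaving out the separate PREFIX table and the case-folding a real engine adds. The payload string is constructed for this example.

```python
# Same four patterns as the Aho-Corasick slide; the payload is constructed for this example.
PATTERNS = ["phone", "telephone", "test", "elephant"]
SAMPLE_PAYLOAD = "the telephone test on an elephant"


def build_wu_manber(patterns, block=2):
    """Build the SHIFT table and the HASH table over the first m characters of each
    pattern, where m is the shortest pattern length and block is the block size B."""
    m = min(len(p) for p in patterns)
    if m < block:
        raise ValueError("every pattern must be at least as long as the block size")
    default_shift = m - block + 1          # block occurs in no pattern: skip the whole window
    shift, table = {}, {}
    for p in patterns:
        head = p[:m]
        for j in range(m - block + 1):
            # A block ending j+block characters into some pattern allows a shift of at
            # most m-block-j before that pattern could end at the window's last character.
            blk = head[j:j + block]
            shift[blk] = min(shift.get(blk, default_shift), m - block - j)
        table.setdefault(head[-block:], []).append(p)   # candidates when the shift is 0
    return m, default_shift, shift, table


def wu_manber_search(text, patterns, block=2):
    """Return (start_index, pattern) for every occurrence; the window slides by the
    SHIFT value of its last block, so most positions are never examined."""
    m, default_shift, shift, table = build_wu_manber(patterns, block)
    hits = []
    i = m - 1                                # index of the last character of the window
    while i < len(text):
        blk = text[i - block + 1:i + 1]
        s = shift.get(blk, default_shift)
        if s:
            i += s                           # no pattern prefix can end here: jump ahead
            continue
        start = i - m + 1
        for p in table.get(blk, ()):         # verify each candidate against the full pattern
            if text.startswith(p, start):
                hits.append((start, p))
        i += 1
    return hits


if __name__ == "__main__":
    for start, pattern in wu_manber_search(SAMPLE_PAYLOAD, PATTERNS):
        print(f"{pattern!r} starts at offset {start}")
```

The trade-off the two examples show is the one behind Snort's engine choice: Wu-Manber skips characters and does well when the shortest pattern is long, while Aho-Corasick inspects every byte but never degrades, which matters when rule sets contain many short content strings.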

  12. Questions ???

  13. References
  • Stefano Marinelli, Analysis of Intrusion Detection Tools and Techniques, December 12, 2002. Available: http://dragas.dyndns.org/~draga/articles/IDS/index.php
  • Sailesh Kumar, Survey of Current Network Intrusion Detection Techniques. Available: http://www.cs.wustl.edu/~jain/cse571-07/ftp/ids.pdf
  • Marc Norton and Daniel Roelker, SNORT 2.0 Hi-performance Multi-rule Inspection Engine, April 2004. Available: http://www.cs.ucdavis.edu/~wu/ecs236/sf_snort20_HPMRIE.pdf
  • About SNORT. Available: http://www.snort.org/about_snort/
