IDS BASICS James Logan CS526 Dr. Chow April 29, 2009
Contents
• Intrusion Detection System Intro
• IDS Basic Architectures
• IDS Issues And Algorithms
• SNORT
Intrusion Detection System Introduction
• An IDS is a policy-driven mechanism, implemented in software or hardware, that helps secure a network.
• Seen as a defense-in-depth approach when used in conjunction with a firewall.
• IDSs focus on prevention, detection, and response actions for rogue traffic and system threats.
Three Basic Architectures
• Early Warning Mode
• Internal Deployments
• Every Host
IDS Issues
• Performance Problems
• False Positives
• DHCP (Host Only IDS)
• Workarounds
• Encryption
• Evasion Programs
IDS Algorithms
• IDSs have two basic detection algorithms:
  - Signature based: Aho-Corasick
  - Anomaly based: heuristic algorithms for real-time analysis and for data-mining-based signature profile creation
• Both algorithm types work by comparing packet data: header fields such as source/destination IPs and port numbers, plus the payload content.
Aho-Corasick
• Fundamental signature-based IDS algorithm
• Can be DFA or NFA based
• Packet payload content can be searched in multiple stages
• The state machine is built from the pre-loaded comparison strings (the signatures)
• NFA versions require failure transitions: each node's failure transition points to the deepest node whose string (read from the root) is a proper suffix of the current node's string, i.e. the longest suffix that is also the prefix of some signature; that target node cannot lie on the same root-to-node path as the node itself. If a node is at depth 1, or no such suffix exists, the failure transition goes to the root.
Aho-Corasick Cont: NFA implementation using the patterns phone, telephone, test and elephant
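The NFA on the previous two slides, written out as an added example (this is not code from the slides or from any IDS project). It builds the goto trie and the failure transitions for the slide's four patterns, exposes the failure links so the rules above can be checked (for instance "telephone" falls back to "phone", and "eleph" falls back to "ph"), and then scans a constructed sample payload in a single left-to-right pass. The payload string and the helper names are assumptions for illustration.

```python
"""Aho-Corasick (NFA form with failure links) for the slide's patterns.

Added example; pattern set taken from the slide, payload constructed here.
"""
from collections import deque

PATTERNS = ["phone", "telephone", "test", "elephant"]  # from the slide


class AhoCorasick:
    def __init__(self, patterns):
        self.goto = [{}]      # goto[state][char] -> next state
        self.fail = [0]       # fail[state] -> state to fall back to
        self.output = [[]]    # output[state] -> patterns ending here
        self.label = [""]     # label[state] -> string read from the root
        for p in patterns:
            self._add(p)
        self._build_failure_links()

    def _add(self, pattern):
        """Insert one pattern into the goto trie."""
        state = 0
        for ch in pattern:
            if ch not in self.goto[state]:
                self.goto.append({})
                self.fail.append(0)
                self.output.append([])
                self.label.append(self.label[state] + ch)
                self.goto[state][ch] = len(self.goto) - 1
            state = self.goto[state][ch]
        self.output[state].append(pattern)

    def _build_failure_links(self):
        """Breadth-first pass: depth-1 nodes fail to the root; deeper nodes
        fail to the deepest node whose label is a proper suffix of theirs."""
        queue = deque()
        for child in self.goto[0].values():
            self.fail[child] = 0
            queue.append(child)
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                # Walk failure links until a node that can consume ch is found
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                # A match at the fallback node is also a match here
                self.output[s] = self.output[s] + self.output[self.fail[s]]

    def failure_links(self):
        """Map each node's label to the label of its failure target."""
        return {self.label[s]: self.label[self.fail[s]]
                for s in range(1, len(self.goto))}

    def search(self, text):
        """Return (start_offset, pattern) for every occurrence in text."""
        matches = []
        state = 0
        for i, ch in enumerate(text):
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            for p in self.output[state]:
                matches.append((i - len(p) + 1, p))
        return matches


def scan_payload(payload, patterns=PATTERNS):
    """Scan one payload against the signature set in a single pass."""
    return AhoCorasick(patterns).search(payload)


if __name__ == "__main__":
    # Constructed sample payload (not from the slides)
    payload = "my telephone test"
    for node, target in sorted(AhoCorasick(PATTERNS).failure_links().items()):
        print(f"fail({node!r}) -> {target!r}")
    print(scan_payload(payload))
```

Note that the "telephone" node reports both "telephone" and "phone" because the output list of a node is merged with that of its failure target; this is what lets one pass over the payload report every signature that ends at a given byte.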
SNORT Quick Intro
• Open source IDS developed by Martin Roesch in 1998
• Performs real-time traffic analysis and packet logging on IP networks
• Can perform analysis on protocol usage and has the ability to do content matching/searching
• Uses a multi-rule inspection engine during packet processing
• Uses the Wu-Manber algorithm for pattern matching
References
• Stefano Marinelli, Analysis of Intrusion Detection Tools and Techniques, December 12, 2002. Available: http://dragas.dyndns.org/~draga/articles/IDS/index.php
• Sailesh Kumar, Survey of Current Network Intrusion Detection Techniques. Available: http://www.cs.wustl.edu/~jain/cse571-07/ftp/ids.pdf
• Marc Norton and Daniel Roelker, SNORT 2.0 Hi-performance Multi-rule Inspection Engine, April 2004. Available: http://www.cs.ucdavis.edu/~wu/ecs236/sf_snort20_HPMRIE.pdf
• About SNORT. Available: http://www.snort.org/about_snort/