IDS BASICS PowerPoint Presentation
Presentation Transcript

  1. IDS BASICS James Logan CS526 Dr. Chow April 29, 2009

  2. Contents • Intrusion Detection System Intro • IDS Basic Architectures • IDS Issues And Algorithms • SNORT

  3. Intrusion Detection System Introduction • An IDS is a policy-driven mechanism, implemented in software or hardware, that helps secure a network. • Seen as a defense-in-depth approach when used in conjunction with a firewall • IDSs focus on prevention, detection, and response actions against rogue traffic and system threats

  4. Three Basic Architectures • Early Warning Mode • Internal Deployments • Every Host

  5. Early Warning Mode

  6. Internal Deployment

  7. IDS Issues • Performance Problems • False Positives • DHCP (Host Only IDS) • Workarounds • Encryption • Evasion Programs

  8. IDS Algorithms • IDSs have two basic detection algorithms: - Signature based: Aho-Corasick - Anomaly based: heuristic algorithms for real-time detection and data-mining-driven signature profile creation • Both algorithm types compare packet header data (source/destination IPs, port numbers) and payload content against what they expect.

  9. Aho-Corasick • Fundamental signature-based IDS algorithm • Can be DFA or NFA based • Packet payload content can be searched in multiple stages • The state machine is built from pre-loaded comparison strings • NFA versions require failure transitions to be in place, based on the longest prefix (starting from the root) that matches a suffix of the node's string but does not lie on the same path as the node. If a node is at depth 1, or no such prefix can be found, the failure transition goes to the root.

  10. Aho-Corasick Cont: NFA implementation using the patterns phone, telephone, test and elephant
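The construction described on slides 9 and 10, as an added example that is not part of the original slides: an NFA-style Aho-Corasick automaton whose failure transitions point at the longest proper suffix that is also a trie prefix, built over the slide's four patterns. The `scan()` helper and the payload strings are constructed for this example.

```python
from collections import deque

# The four patterns are those on slide 10; payloads passed to scan() are constructed test data.
PATTERNS = ["phone", "telephone", "test", "elephant"]


class AhoCorasick:
    """NFA-style Aho-Corasick: a trie (goto edges) plus one failure transition per node."""

    def __init__(self, patterns):
        self.goto = [{}]   # goto[node][char] -> child node; node 0 is the root
        self.fail = [0]    # fail[node] -> node to fall back to on a mismatch
        self.out = [[]]    # out[node] -> patterns that end at this node
        for p in patterns:
            self._insert(p)
        self._build_failures()

    def _insert(self, pattern):
        node = 0
        for ch in pattern:
            if ch not in self.goto[node]:
                self.goto[node][ch] = len(self.goto)
                self.goto.append({}); self.fail.append(0); self.out.append([])
            node = self.goto[node][ch]
        self.out[node].append(pattern)

    def _build_failures(self):
        # Breadth-first: depth-1 nodes keep fail = root (as the slide says); deeper nodes
        # follow the parent's failure chain until a node with a matching goto edge is found.
        queue = deque(self.goto[0].values())
        while queue:
            node = queue.popleft()
            for ch, child in self.goto[node].items():
                f = self.fail[node]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(ch, 0)
                # A shorter pattern reachable via the failure link also ends here ("phone" in "telephone").
                self.out[child] = self.out[child] + self.out[self.fail[child]]
                queue.append(child)

    def search(self, text):
        """Single pass over text; returns (start_index, pattern) for every occurrence."""
        node, hits = 0, []
        for i, ch in enumerate(text):
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            hits.extend((i - len(p) + 1, p) for p in self.out[node])
        return hits


def scan(payload, patterns=PATTERNS):
    return AhoCorasick(patterns).search(payload)
```

Because outputs are merged along failure links, one pass reports both `telephone` and the embedded `phone`, which is the property that lets an IDS check a whole signature set against a payload in linear time.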

  11. SNORT Quick Intro • Open source IDS developed by Martin Roesch in 1998 • Performs real time traffic analysis and packet logging on IP networks • Can perform analysis on protocol usage and has the ability to do content matching/searching • Uses a multi-rule inspection engine during packet processing. • Uses Wu-Manber algorithm for pattern matching

  12. Questions ???

  13. References • Stefano Marinelli, Analysis of Intrusion Detection Tools and Techniques, December 12, 2002, Available: http://dragas.dyndns.org/~draga/articles/IDS/index.php • Sailesh Kumar, Survey of Current Network Intrusion Detection Techniques, Available: http://www.cs.wustl.edu/~jain/cse571-07/ftp/ids.pdf • Marc Norton and Daniel Roelker, SNORT 2.0 Hi-performance Multi-rule Inspection Engine, April 2004, Available: http://www.cs.ucdavis.edu/~wu/ecs236/sf_snort20_HPMRIE.pdf • About SNORT, Available: http://www.snort.org/about_snort/