
Intrusion Detection Systems (A preliminary study)

This study provides an overview of intrusion detection systems (IDS), including their goals, benefits, categories, detection techniques, and performance measurements. It also focuses on Snort, an open-source network-based IDS, discussing its components, operation, and future enhancements.





Presentation Transcript


  1. Intrusion Detection Systems (A preliminary study)
  Sireesha Dasaraju, CS526 - Advanced Internet Systems, UCCS
  Sireesha/IDS

  2. Goals
  • Identify types of network attacks
  • Explore IDS details: benefits, categories, detection techniques, performance measurements
  • Snort: why Snort, components and operation, Snort rules
  • Future enhancements

  3. Network Attacks
  • With ever-increasing Internet-enabled services, a computer network must be guarded against network attacks.
  • A few network threats:
    • Worms: self-propagating malicious code that spreads automatically over network connections, without any user action.
    • Viruses: self-replicating code that attaches itself to a host program and spreads when that program is run.
    • Denial of Service: overloading a resource (bandwidth, connection tables, CPU) so that it becomes unavailable to legitimate users.

  4. IDS Details - Why an IDS?
  • Firewalls are a valid first step, but not enough:
    • Attacks can arrive before the firewall's rules are updated.
    • Laptops infected outside the network and then brought inside bypass the perimeter entirely.
    • Wireless access into the network likewise bypasses the perimeter.
  • Benefits of an IDS:
    • Detection of attacks, including those the firewall allowed through
    • Enforcing policies
    • Audit trails (evidence for post-incident analysis)

  5. IDS Details - Types
  • Two types of IDS:
    • Network-based IDS (NIDS)
      • Analyzes packets crossing a network segment (fed from a tap or mirror port).
      • Logs traffic for after-the-fact attack analysis.
      • Raises real-time alerts.
    • Host-based IDS (HIDS)
      • Monitors a single system.
      • File integrity checks.
      • Analyzes system logs for unusual activity, e.g. repeated failed login attempts.

  6. IDS Details - Detection Techniques
  • Two techniques:
    • Signature based
      • Maintains a store of known attack signatures.
      • Analyzes new traffic against the contents of the store.
      • Only known attacks can be detected, so the first occurrence of a new attack is missed until a signature for it is written and deployed.
    • Anomaly based
      • Builds and maintains a profile of normal behaviour.
      • Analyzes new traffic against that profile; deviations beyond a threshold raise alerts.
      • New attacks can be detected, but legitimate behaviour absent from the training data is flagged too, and the profile must be learned from traffic that is known to be attack-free.

  7. IDS Details - Performance
  • Measured in terms of:
    • False positives
      • Alert generated on traffic that is not an attack.
      • Alert generated on an attack that cannot affect the monitored system (e.g. an exploit for software the host does not run).
    • False negatives
      • No alert generated for a real attack.
      • The most dangerous case, since the attack goes undetected.

  8. Snort
  • Open source, signature-based, network-based IDS.
  • Passive: no changes are required on the systems being monitored.
  • Versatile: can be used as an IDS, as an IPS (Intrusion Prevention System) or as an inline firewall that drops matching packets.
  • Available for all major operating systems.
  • Logging to Oracle, Microsoft SQL Server, MySQL and PostgreSQL databases.
  • Rules are simple, easy to develop and effective.

  9. Snort Packet Processing
  • A packet capture library (libpcap) captures raw frames from the network card and hands them to Snort.
  • Snort decodes each packet layer by layer according to protocol (Ethernet, IP, TCP/UDP/ICMP).
  • Preprocessors normalize the traffic (IP defragmentation, TCP stream reassembly, HTTP URI normalization) so that evasion techniques cannot hide a match.
  • Normalized traffic is passed through the detection engine.
  • An alert or log entry is generated if the traffic matches a rule, and output plugins write it out.

  10. Snort - Rules
  • A Snort rule has two parts:
    • Header
      • Rule action (alert, log, pass, ...)
      • Protocol (ip, icmp, tcp, udp)
      • Source address and port
      • Direction operator (-> or <>)
      • Destination address and port
    • Body (options, in parentheses)
      • Output message (msg)
      • Additional tests (content, uricontent, flags, ...)
  • Example:
    alert tcp 192.168.1.18/32 any -> any 1:1023 (msg:"eBaying"; uricontent:"ebay.com";)
  • This alerts on any TCP segment from 192.168.1.18 to a privileged port whose normalized HTTP URI contains "ebay.com". Production rules also carry sid and rev options (a unique rule ID and revision); sid values of 1,000,000 and above are reserved for locally written rules.
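Rule evaluation in practice, as an added example (this is not Snort's own code): a small Python parser for the header and option syntax on this slide, run over constructed packets. The packet dictionary layout, the function names and the simplifications listed in the docstring are assumptions of this example.

```python
"""Minimal parser and matcher for the Snort rule syntax shown on the slide.

Added example; this is not Snort's own code.  Assumptions: rules carry an
option body in parentheses; only the header fields above plus the msg,
content and uricontent options are handled; options are split on ';' (a
real rule may escape ';' inside a string); uricontent is matched against
the raw payload, whereas Snort matches it against the URI normalized by the
http_inspect preprocessor.  The packets below are constructed samples.
"""
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Split a rule into its header fields and an options dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % text)
    rule = m.groupdict()
    options = {}
    for item in rule.pop("opts").split(";"):
        if item.strip():
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    rule["options"] = options
    return rule

def _addr_match(spec, ip):
    """'any', a CIDR, or a [list,of,cidrs], each optionally negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    nets = spec.lstrip("!").strip("[]").split(",")
    addr = ipaddress.ip_address(ip)
    hit = any(addr in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != negate

def _port_match(spec, port):
    """'any', a single port, or a lo:hi range (either end may be open)."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = int(spec) == port
    return hit != negate

def rule_matches(rule, pkt):
    """Cheap header checks first, then the payload content checks."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_match(rule["src"], pkt["src"]) and _port_match(rule["sport"], pkt["sport"])
            and _addr_match(rule["dst"], pkt["dst"]) and _port_match(rule["dport"], pkt["dport"])):
        return False
    for key in ("content", "uricontent"):
        if key in rule["options"] and rule["options"][key].encode() not in pkt["payload"]:
            return False
    return True

def run_rules(rules, packets):
    """Return the msg of every alert rule each packet triggers, in order."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, pkt):
                alerts.append(rule["options"].get("msg", "<no msg>"))
    return alerts

RULES = [parse_rule(r) for r in (
    'alert tcp 192.168.1.18/32 any -> any 1:1023 (msg:"eBaying"; uricontent:"ebay.com";)',
    'alert tcp any any -> any 22 (msg:"SSH banner"; content:"SSH-2.0";)',
)]

PACKETS = [  # constructed sample traffic: proto, addresses, ports, payload
    {"proto": "tcp", "src": "192.168.1.18", "sport": 51000, "dst": "203.0.113.10", "dport": 80,
     "payload": b"GET /itm/123 HTTP/1.1\r\nHost: www.ebay.com\r\n\r\n"},
    {"proto": "tcp", "src": "192.168.1.19", "sport": 51001, "dst": "203.0.113.10", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: www.ebay.com\r\n\r\n"},      # other source host
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "10.0.0.9", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_8.9\r\n"},
]

if __name__ == "__main__":
    print(run_rules(RULES, PACKETS))   # ['eBaying', 'SSH banner']
```

The second packet shows why the source field matters: the same URI from another host does not fire the rule. Real Snort checks the header fields the same way, but runs the content tests against the normalized, reassembled stream rather than a single raw payload.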

  11. Research for enhancements
  • Enhancement goals:
    • Extend Snort with an automatic signature generation component.
    • Extend Snort to detect anomaly-based intrusions.

  12. Semantics-Aware Signatures
  • Nemean: automatic generation of intrusion signatures from honeynet packet traces (USENIX Security Symposium 2005).
  • Aggregate and transform the packet trace into well-defined data structures, grouping packets into sessions and flows.
  • Generate clusters of sessions based on similarity analysis.
  • Normal traffic does not form clusters; each cluster represents a single attack, with slight variations between its members accounted for.
  • An attack signature is generated from each cluster.
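The cluster-then-generalize idea above, as an added example (this is not Nemean's code, and Nemean's clustering is protocol-aware and far more careful): a Python sketch that clusters constructed request sessions by token similarity, extracts the longest substring every member of a cluster shares, and emits it as a Snort content rule. The token-based similarity, the thresholds, the sid numbering and all session strings are assumptions of this example.

```python
"""Toy Nemean-style signature generation: cluster similar sessions, then
distil each cluster into a content signature and a Snort rule.

Added example, not Nemean's code or Snort's.  Assumptions: a 'session' is
just the request payload as one string; similarity is Jaccard similarity on
alphanumeric tokens (Nemean uses semantics-aware, protocol-specific
clustering); a signature is the longest substring shared by every member;
only clusters with at least MIN_CLUSTER members yield a signature.  The
sessions below are constructed.
"""
import re

MIN_CLUSTER = 2
SIM_THRESHOLD = 0.5

def tokens(session: str) -> set:
    return set(re.findall(r"[A-Za-z0-9_-]+", session))

def similarity(a: str, b: str) -> float:
    """Jaccard similarity of the two token sets (1.0 = identical tokens)."""
    ta, tb = tokens(a), tokens(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

def cluster_sessions(sessions, threshold=SIM_THRESHOLD):
    """Greedy single-linkage clustering: a session joins the first cluster
    holding a member at least `threshold` similar to it, else starts its own."""
    clusters = []
    for s in sessions:
        for c in clusters:
            if any(similarity(s, m) >= threshold for m in c):
                c.append(s)
                break
        else:
            clusters.append([s])
    return clusters

def longest_common_substring(strings):
    """Longest substring present in every string (brute force; inputs are small).
    The varying parts of the attack (path depth, target file) fall outside it."""
    shortest = min(strings, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in s for s in strings):
                return candidate
    return ""

def snort_content_escape(s: str) -> str:
    # Snort requires \ " ; and | to be backslash-escaped inside content:"..."
    return re.sub(r'([\\";|])', r"\\\1", s)

def to_snort_rule(signature, sid, msg):
    return ('alert tcp any any -> any 80 (msg:"%s"; content:"%s"; sid:%d; rev:1;)'
            % (msg, snort_content_escape(signature), sid))

def generate_signatures(sessions, first_sid=1000001):
    """Return [(signature, rule)] for every cluster with enough members.
    first_sid defaults into the range Snort reserves for local rules."""
    out = []
    for i, c in enumerate(cluster_sessions(sessions)):
        if len(c) < MIN_CLUSTER:
            continue          # singletons are treated as noise, not as an attack
        sig = longest_common_substring(c)
        out.append((sig, to_snort_rule(sig, first_sid + len(out), "auto-sig cluster %d" % i)))
    return out

SESSIONS = [  # constructed honeynet-style request sessions, attacks interleaved with noise
    "GET /cgi-bin/upload.cgi?file=../../../../etc/passwd HTTP/1.0",
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/upload.cgi?file=../../../etc/passwd%00 HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /cgi-bin/upload.cgi?file=../../../../../etc/shadow HTTP/1.0",
]

if __name__ == "__main__":
    for sig, rule in generate_signatures(SESSIONS):
        print(repr(sig))
        print(rule)
```

The three attack variants differ in traversal depth and target file, so the generated signature stops at the common `?file=../../../` prefix; the two unrelated requests never reach the similarity threshold and stay as singletons, which is the behaviour the slide describes for normal traffic. A practitioner would still review every generated rule before deploying it, since a too-short common substring would match benign traffic.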

  13. Anomaly Detection
  • Payload-based anomaly detection operates in two phases:
    • Learning phase
      • A profile of the expected payload is built during normal operation from a byte-frequency distribution analysis of the payload.
    • Anomaly detection phase
      • Incoming payload is compared against the profile.
      • The statistical distributions are compared and an alert is generated when the distance exceeds a threshold value.
  • Because the payload itself is examined rather than only headers, evasions that keep the headers normal are still caught. It is not immune to mimicry, however: an attacker who shapes the attack payload to match the normal byte distribution (polymorphic blending) can slip under the threshold.
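The two phases on this slide, together with the false-positive/false-negative measurement from slide 7, as an added example in the style of the PAYL detector (Wang and Stolfo, 2004), which matches the description here. This is not PAYL's code or the project's: the distance function, the threshold rule, the margin value and all traffic are assumptions of this example and are labelled in the code.

```python
"""Payload byte-frequency anomaly detector in the style of PAYL (Wang & Stolfo).

Added example, not from the slides or any IDS project.  Simplifications
(assumptions): the profile is one mean byte-frequency vector over all
training payloads (PAYL keeps one per destination port and payload-length
bin); the distance is plain L1 distance between the two distributions rather
than PAYL's simplified Mahalanobis distance; the alert threshold is the
largest training-set distance plus a fixed margin.  All traffic below is
constructed.
"""
from collections import Counter

def byte_freq(payload: bytes) -> list:
    """Relative frequency of each of the 256 byte values in a payload."""
    counts = Counter(payload)
    n = len(payload)
    return [counts.get(b, 0) / n for b in range(256)]

def l1_distance(x, y) -> float:
    """Sum of absolute per-byte differences; ranges from 0 (same) to 2."""
    return sum(abs(a - b) for a, b in zip(x, y))

class PayloadProfile:
    def __init__(self, normal_payloads, margin=0.5):
        # learning phase: mean byte distribution of attack-free traffic
        freqs = [byte_freq(p) for p in normal_payloads]
        self.mean = [sum(col) / len(freqs) for col in zip(*freqs)]
        # place the threshold above every training payload's own distance,
        # plus a margin (margin value is an assumption of this example)
        self.train_scores = [l1_distance(f, self.mean) for f in freqs]
        self.threshold = max(self.train_scores) + margin

    def score(self, payload: bytes) -> float:
        return l1_distance(byte_freq(payload), self.mean)

    def is_anomalous(self, payload: bytes) -> bool:
        # detection phase
        return self.score(payload) > self.threshold

def evaluate(profile, labelled):
    """labelled: list of (payload, is_attack).  Returns confusion counts so
    the false-positive and false-negative rates from slide 7 can be read off."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for payload, is_attack in labelled:
        flagged = profile.is_anomalous(payload)
        key = ("tp" if flagged else "fn") if is_attack else ("fp" if flagged else "tn")
        counts[key] += 1
    return counts

HEADERS = (b"HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.88\r\n"
           b"Accept: */*\r\n\r\n")

def request(path: bytes) -> bytes:
    return b"GET " + path + b" " + HEADERS

TRAINING = [request(p) for p in (b"/index.html", b"/images/logo.png",
                                 b"/about/team.html", b"/css/site.css", b"/js/app.js")]

LABELLED = [  # constructed test traffic with ground truth
    (request(b"/docs/faq.html"), False),                  # ordinary request
    (request(b"/" + b"\x90" * 120 + b"\xcc" * 4), True),  # NOP-sled style binary blob
    (request(b"/cgi-bin/" + b"A" * 180), True),           # long printable filler
    (request(b"/../../../etc/passwd"), True),             # traversal: byte mix looks normal
]

PROFILE = PayloadProfile(TRAINING)

if __name__ == "__main__":
    for payload, is_attack in LABELLED:
        print(is_attack, round(PROFILE.score(payload), 3), PROFILE.is_anomalous(payload))
    print(evaluate(PROFILE, LABELLED))   # {'tp': 2, 'fp': 0, 'fn': 1, 'tn': 1}
```

The last labelled payload is the instructive one: a directory-traversal request is made of the same bytes as a normal request, so a byte-distribution profile scores it as normal and it becomes a false negative, the case slide 7 calls the most dangerous. That is exactly the gap a signature rule (slide 10) covers, and why the two techniques are deployed together rather than as alternatives.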

  14. Resources
  • Snort page: www.snort.org
  • Anomaly detection on ITArchitect: http://www.itarchitect.com/showArticle.jhtml?articleID=163700677
  • More links to resources are available in the project report.
