Intrusion detection system ppt

91,594 views 18 slides Jul 01, 2013



Slide Content

Intrusion Detection System

Intrusion and Intrusion Detection
Intrusion: attempting to break into or misuse your system.
Intruders may be from outside the network or legitimate users of the network.
Intrusion can be a physical, system or remote intrusion.

Different ways to intrude
Buffer overflows
Unexpected combinations
Unhandled input
Race conditions

Intrusion Detection System
(Architecture diagram; labelled components: Event Provider, Analysis Engine, Knowledge Base, Alert Database, Response Model, Other machines.)

Intrusion Detection Systems (IDS)
Different ways of classifying an IDS
IDS based on
– anomaly detection
– signature based misuse
– host based
– network based
– stack based

Intrusion Detection Systems (IDS)
Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.

Anomaly based IDS
This IDS models the normal usage of the network as a noise characterization.
Anything distinct from the noise is assumed to be intrusion activity.
– E.g. flooding a host with lots of packets.
The primary strength is its ability to recognize novel attacks.

Drawbacks of Anomaly detection IDS
Assumes that intrusions will be accompanied by manifestations that are sufficiently unusual so as to permit detection.
These generate many false alarms and hence compromise the effectiveness of the IDS.
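The two slides above describe the mechanism (a model of normal usage, with deviations treated as intrusions) and its main drawback (false alarms). The following is an added example, not part of the slides: a minimal anomaly detector in Python that builds a per-host packet-rate baseline from constructed training windows, flags a flood, and also flags a legitimate burst, which is exactly the false-alarm problem the drawbacks slide names. The host addresses, counts and the 3-sigma threshold are all assumptions.

```python
"""Added example, not from the slides: a minimal anomaly-based detector.

It builds a "normal usage" profile (the noise characterization the slide
describes) from per-source packet counts observed during a training period,
then flags later windows whose count lies far outside that baseline. All
traffic counts here are constructed sample data.
"""
from statistics import mean, pstdev

# Constructed training data: packets per 10-second window from each source
# host, during a period assumed to contain no intrusions.
BASELINE_WINDOWS = [
    {"10.0.0.5": 40, "10.0.0.7": 55, "10.0.0.9": 35},
    {"10.0.0.5": 45, "10.0.0.7": 50, "10.0.0.9": 38},
    {"10.0.0.5": 42, "10.0.0.7": 60, "10.0.0.9": 30},
    {"10.0.0.5": 38, "10.0.0.7": 52, "10.0.0.9": 36},
    {"10.0.0.5": 44, "10.0.0.7": 58, "10.0.0.9": 33},
]


def build_profile(windows):
    """Return {host: (mean, population stdev)} of packets per window."""
    per_host = {}
    for window in windows:
        for host, count in window.items():
            per_host.setdefault(host, []).append(count)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}


def zscore(profile, host, count):
    """Distance of an observed count from the host's baseline, in standard
    deviations. A host never seen in training is maximally anomalous."""
    if host not in profile:
        return float("inf")
    mu, sigma = profile[host]
    if sigma == 0:
        return 0.0 if count == mu else float("inf")
    return (count - mu) / sigma


def detect(profile, window, threshold=3.0):
    """Return (host, count, z) for every host whose rate deviates from its
    baseline by more than `threshold` standard deviations."""
    alerts = []
    for host, count in window.items():
        z = zscore(profile, host, count)
        if abs(z) > threshold:
            alerts.append((host, count, z))
    return alerts


if __name__ == "__main__":
    profile = build_profile(BASELINE_WINDOWS)
    # A flood: one host sends two orders of magnitude more than usual.
    print(detect(profile, {"10.0.0.5": 5000, "10.0.0.7": 54}))
    # A legitimate burst (say, a scheduled backup) also trips the threshold:
    # this is the false-alarm drawback of anomaly detection.
    print(detect(profile, {"10.0.0.5": 60}))
```

The threshold is the tuning knob: lowering it catches smaller deviations at the cost of more alerts on ordinary variation, raising it does the reverse, and no setting distinguishes an unusual but legitimate burst from an attack, which is why anomaly detectors are usually paired with signature or host-based evidence.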

Signature based IDS
This IDS possesses an attack description that can be matched to sensed attack manifestations.
The question of what information is relevant to an IDS depends upon what it is trying to detect.
– E.g. DNS, FTP etc.

Signature based IDS (contd.)
The ID system is programmed to interpret a certain series of packets, or a certain piece of data contained in those packets, as an attack. For example, an IDS that watches web servers might be programmed to look for the string “phf” as an indicator of a CGI program attack.
Most signature analysis systems are based on simple pattern matching algorithms. In most cases, the IDS simply looks for a substring within a stream of data carried by network packets. When it finds this substring (for example, the “phf” in “GET /cgi-bin/phf?”), it identifies those network packets as vehicles of an attack.

Drawbacks of Signature based IDS
They are unable to detect novel attacks.
Suffer from false alarms.
Have to be programmed again for every new pattern to be detected.

Host/Applications based IDS
The host operating system or the application logs the audit information.
This audit information includes events like the use of identification and authentication mechanisms (logins etc.), file opens and program executions, admin activities etc.
This audit trail is then analyzed to detect traces of intrusion.

Drawbacks of the host based IDS
The kind of information that needs to be logged is a matter of experience.
Unselective logging of messages may greatly increase the audit and analysis burdens.
Selective logging runs the risk that attack manifestations could be missed.
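The host-based slide lists the audit events (logins, file opens, program executions, admin activity) and the drawbacks slide warns that selective logging can miss attack manifestations. The following is an added example, not part of the slides: a toy host-based detector in Python that parses constructed audit records in an invented key=value format and runs two detectors over them. Its `logged_types` parameter stands in for the logging policy, so dropping "exec" events from the log makes the second trail disappear, which is the selective-logging risk the slide describes. The record format, user names, program list and thresholds are all assumptions.

```python
"""Added example, not from the slides: a toy host-based IDS over audit records.

The audit lines below are constructed, in a simple key=value format that
stands in for whatever the OS or application actually logs. Two detectors
run over them: a run of failed logins followed by a success, and execution
of an admin program by a non-admin account. The `logged_types` parameter
models the logging policy, so the selective-logging drawback can be seen
directly: leave "exec" events unlogged and the second trail disappears.
"""
from datetime import datetime, timedelta

# Constructed audit trail: TIMESTAMP followed by key=value fields.
AUDIT_LINES = [
    "2013-07-01T10:00:01 type=login user=alice result=FAIL src=10.0.0.9",
    "2013-07-01T10:00:05 type=login user=alice result=FAIL src=10.0.0.9",
    "2013-07-01T10:00:09 type=login user=alice result=FAIL src=10.0.0.9",
    "2013-07-01T10:00:14 type=login user=alice result=OK src=10.0.0.9",
    "2013-07-01T10:01:00 type=open user=alice file=/etc/passwd",
    "2013-07-01T10:02:30 type=exec user=alice prog=/usr/sbin/useradd",
    "2013-07-01T10:03:00 type=login user=bob result=FAIL src=10.0.0.12",
    "2013-07-01T10:03:20 type=login user=bob result=OK src=10.0.0.12",
    "2013-07-01T10:04:00 type=exec user=ops prog=/usr/bin/passwd",
    "2013-07-01T10:05:00 type=admin user=ops action=service-restart",
]

ALL_TYPES = ("login", "open", "exec", "admin")
ADMIN_USERS = {"root", "ops"}                               # constructed
ADMIN_PROGRAMS = {"/usr/sbin/useradd", "/usr/bin/passwd"}  # constructed


def parse(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    stamp, rest = line.split(" ", 1)
    record = dict(kv.split("=", 1) for kv in rest.split())
    record["ts"] = datetime.fromisoformat(stamp)
    return record


def load(lines, logged_types=ALL_TYPES):
    """Parse the audit trail, keeping only event types the policy records."""
    return [r for r in map(parse, lines) if r["type"] in logged_types]


def failed_then_success(records, max_failures=3, window=timedelta(minutes=5)):
    """Flag a successful login preceded by at least `max_failures` failures
    for the same user within `window`."""
    alerts, failures = [], {}
    for r in records:
        if r["type"] != "login":
            continue
        user = r["user"]
        if r["result"] == "FAIL":
            failures.setdefault(user, []).append(r["ts"])
            continue
        recent = [t for t in failures.get(user, []) if r["ts"] - t <= window]
        if len(recent) >= max_failures:
            alerts.append(("login-failures-then-success", user, r["src"]))
        failures[user] = []
    return alerts


def nonadmin_admin_exec(records):
    """Flag admin programs executed by accounts outside ADMIN_USERS."""
    return [("non-admin-ran-admin-program", r["user"], r["prog"])
            for r in records
            if r["type"] == "exec"
            and r["prog"] in ADMIN_PROGRAMS
            and r["user"] not in ADMIN_USERS]


def run(lines, logged_types=ALL_TYPES):
    """Apply the logging policy, then both detectors; return all alerts."""
    records = load(lines, logged_types)
    return failed_then_success(records) + nonadmin_admin_exec(records)


if __name__ == "__main__":
    print(run(AUDIT_LINES))                           # both trails found
    print(run(AUDIT_LINES, logged_types=("login",)))  # exec trail missed
```

Running with the full policy yields two alerts for alice; restricting logging to login events keeps the first alert but loses the admin-program execution entirely, which is the trade-off between audit volume and coverage that the drawbacks slide describes.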

Strengths of the host based IDS
Attack verification
System specific activity
Encrypted and switched environments
Monitoring key components
Near real-time detection and response
No additional hardware

Stack based IDS
They are integrated closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers.
This allows the IDS to pull the packets from the stack before the OS or the application has a chance to process the packets.

Network based IDS
This IDS looks for attack signatures in network traffic via a promiscuous interface.
A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known non-malicious traffic.
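The signature slides describe the attack recognition module (substring matching of a pattern such as “phf” in “GET /cgi-bin/phf?” against packet data) and the network-IDS slide adds the filter stage that discards known benign traffic before recognition. The following is an added example, not part of the slides, that puts both stages together in Python over constructed packets: a benign-flow filter followed by a signature matcher. The “phf” pattern is the slides' own; the packet addresses, the benign-flow rule and the loose second signature are assumptions. The loose signature also shows the false-alarm drawback from the signature drawbacks slide.

```python
"""Added example, not from the slides: a toy network-based signature IDS.

Stage 1 is the filter the network-IDS slide describes: traffic matching a
known-benign rule is discarded before analysis. Stage 2 is the attack
recognition module from the signature slides: each signature is a byte
pattern, and a packet whose payload contains it is identified as a vehicle
of that attack. The "phf" pattern is the slides' own example; the packets,
the benign-flow rule and the second signature are constructed.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Signature table: name -> byte pattern that is searched for as a substring.
SIGNATURES = {
    "cgi-phf": b"GET /cgi-bin/phf?",   # the precise form from the slides
    "bare-phf": b"phf",                # the loose form: just the string "phf"
}

# Known-benign filter: (dst host, dst port) flows discarded before analysis.
# Constructed assumption: an internal SNMP poller the team has vetted.
BENIGN_FLOWS = {("10.0.0.50", 161)}


def passes_filter(pkt):
    """True if the packet should be handed to the attack recognition module."""
    return (pkt.dst, pkt.dport) not in BENIGN_FLOWS


def match_signatures(pkt):
    """Names of every signature whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]


def analyze(packets):
    """Run filter then matcher; return one (src, dst, signature) tuple per hit."""
    alerts = []
    for pkt in packets:
        if not passes_filter(pkt):
            continue
        for name in match_signatures(pkt):
            alerts.append((pkt.src, pkt.dst, name))
    return alerts


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("203.0.113.9", "10.0.0.80", 80, b"GET /cgi-bin/phf?name=test HTTP/1.0\r\n"),
    # Benign page whose name happens to contain "phf": the loose signature
    # fires on it, which is the false-alarm drawback of signature matching.
    Packet("10.0.0.6", "10.0.0.80", 80, b"GET /docs/phfeatures.html HTTP/1.0\r\n"),
    # Flow on the benign list: never reaches the matcher, whatever it carries.
    Packet("10.0.0.50", "10.0.0.50", 161, b"GET /cgi-bin/phf?"),
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_PACKETS):
        print(alert)
```

Two points the output makes concrete: the more specific pattern only matches the real request line, while the bare string also fires on an ordinary page name, and the benign-flow filter suppresses matching entirely for whatever it whitelists, so such filters need to be as narrow as possible and reviewed when the network changes.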

Strengths of Network based IDS
Cost of ownership reduced
Packet analysis
Evidence removal
Real time detection and response
Malicious intent detection
Complement and verification
Operating system independence

Future of IDS
To integrate the network and host based IDS for better detection.
Developing IDS schemes for detecting novel attacks rather than individual instantiations.