05-10-2010, 03:42 PM
[attachment=5062]
Presented by:
PUNEET KHANAL
RAJIV SHRESTHA
RAJU KC
INTRODUCTION
Nowadays, as more people make use of the internet, their computers and valuable data in their computer systems become a more interesting target for the intruders. Attackers scan the Internet constantly, searching for potential vulnerabilities in the machines that are connected to the network. Intruders aim at gaining control of a machine and to insert a malicious code into it. Later on, using these slaved machines (also called Zombies) intruder may initiate attacks such as worm attack, Denial-of-Service (DoS) attack and probing attack.
What is an IDS?
Intrusion is any set of actions that threaten the integrity, availability, or confidentiality of a network resource. An intrusion detection system (IDS) monitors network traffic and monitors for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network. IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems.
a) NIDS: Network Intrusion Detection Systems (NIDS) are a subset of security management systems that are used to discover inappropriate, incorrect, or anomalous activities within networks.
b) HIDS: Host-based intrusion detection system (HIDS) monitors and analyzes the internals of a computing system rather than the network packets on its external interfaces. There are IDS that detect based on looking for specific signatures of known threats- similar to the way antivirus software typically detects and protects against malware- and there are
IDS that detect based on comparing traffic patterns against a baseline and looking for
anomalies.
a) Signature Based: A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to the IDS. During that lag time, the IDS would be unable to detect the new threat. The limitation of this approach lies in its dependence on frequent updates of the signature database and its inability to generalize and detect novel or unknown intrusions.
b) Anomaly Based: An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. The baseline will identify what is “normal” for that network- what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous, or significantly different, than the baseline. However, statistical anomaly detection is not based on an adaptive intelligent model and cannot learn from normal and malicious traffic patterns. There are IDS that simply monitor and alert and there are IDS that perform an action or actions in response to a detected threat.
a) Passive IDS: A passive IDS simply detects and alerts. When suspicious or malicious traffic is detected an alert is generated and sent to the administrator or user and it is up to them to take action to block the activity or respond in some way. b) Reactive IDS: Reactive IDS will not only detect suspicious or malicious traffic and alert the administrator, but will take pre-defined proactive actions to respond to the threat. Typically this means blocking any further network traffic from the source IP address or user.Intrusion detection systems help network administrators prepare for and deal with network security attacks. These systems collect information from a variety of systems and network sources, and analyze them for signs of intrusion and misuse. A variety of techniques have been employed for analysis ranging from traditional statistical methods to new machine learning approaches.
What is not an IDS?
Contrary to popular marketing belief and terminology employed in the literature on intrusion detection systems, not everything falls into this category. In particular, the following security devices are not IDS: Network logging systems used, for example, network traffic monitoring systems. Anti-virus products designed to detect malicious software such as viruses, trojan horses, worms, logic bombs. Firewalls. Security/cryptographic systems, for example VPN, SSL, S/MIME, Kerberos, Radius etc. 1.3. Attack Types
Attack can be classified into three types. They are as follows:
a) Reconnaissance: These attacks involve the gathering of information about a system in order to find its weaknesses such as port sweeps, ping sweeps, port scans, and Domain Name System (DNS) zone transfers. b) Exploits: These attacks take advantage of a known bug or design flaw in the system.
c) Denial-of-Service (DoS): These attacks disrupt or deny access to a service or resource.
Existing System
One of the most well known and widely used intrusion detection systems is the open source, freely available Snort. It is available for a number of platforms and operating systems including both Linux and Windows. Snort has a large and loyal following and there are many resources available on the Internet where we can acquire signatures to implement to detect the latest threats.
Problem Statement
The classical signature-based approach: Cannot detect unknown or new intrusions. Patches and regular updates are required. The statistical anomaly-based approach: Not based on an adaptive intelligent model. Cannot learn from normal and malicious traffic patterns. An alternative approach based on machine learning must be developed.
Objectives
To implement intrusion detection system using Naïve Bayes Classifier, To protect secure information of an organization from outside and inside intruders, To detect novel or unknown intrusions in real-time. 5
Scope of the Project
Increased network complexity, greater access, and a growing emphasis on the Internet have made network security a major concern for organizations. The number of computer security breaches has risen significantly in the last three years. In February 2000, several major web sites including Yahoo, Amazon, E-Bay, Datek, and E-Trade were shut down due to denial-of-service attacks on their web servers. Today, a large amount of sensitive information is processed through computer networks, thus it is increasingly important to make information systems, especially those used for critical functions in the military and commercial sectors, resistant and tolerant to network intrusions. Hence Intrusion Detection has become an integral part of the information security process.
