INTRUSION DETECTION SYSTEMS (IDS)


Presented By:
Umesh pal singh
Zaved Ahmad

Outline
Introduction
anomaly detection
signature based misuse
host based
network based
A Framework for Intrusion Detection Systems
Intrusion Detection Techniques
Ideas for Improving Intrusion Detection
What is Intrusion Detection?
Defined by ICSA as:
The detection of intrusions or intrusion attempts, either manually or via software expert systems that operate on logs or other information available from the system or the network.
An intrusion is a deliberate, unauthorized attempt to access or manipulate information or systems, or to render them unreliable or unusable.
When suspicious activity originates from your internal network it can also be classified as misuse.
Intrusions are activities that violate the security policy of a system.
Intrusion Detection is the process used to identify intrusions.
Intrusion: attempting to break into or misuse your system.
Intruders may be from outside the network or legitimate users of the network.
An intrusion can be a physical, system or remote intrusion.
Anomaly based IDS
This IDS models the normal usage of the network as a noise characterization.
Anything distinct from the noise is assumed to be intrusion activity.
E.g., flooding a host with a large number of packets.
Its primary strength is the ability to recognize novel attacks.
Based on the normal behavior of a subject.
It is sometimes assumed that the training audit data does not include intrusion data.
Any action that significantly deviates from the normal behavior is considered an intrusion.
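As an added example that is not part of the seminar, the following Python script builds the "noise characterization" described above for the packet-flooding case: it learns a per-source mean and standard deviation of packets per second from training data assumed to be intrusion-free, then flags any window that deviates from that profile by more than a threshold. The IP addresses, packet counts, the 3-sigma threshold and the fallback baseline for never-seen sources are all constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed training data (not from the seminar): packets per one-second
# window seen from each source during a period assumed to contain no
# intrusions, i.e. the "training audit data does not include intrusion data"
# assumption made above.
TRAINING_WINDOWS = {
    "10.0.0.5": [12, 15, 11, 14, 13, 16, 12, 14],
    "10.0.0.9": [3, 4, 2, 5, 3, 4, 3, 4],
}

# Constructed baseline (mean, std dev) for sources never seen in training.
UNKNOWN_SOURCE_BASELINE = (5.0, 2.0)


def build_profile(windows, min_std=1.0):
    """Model 'normal usage' as a per-source mean and standard deviation of
    packets per window. A floor on the standard deviation keeps a near-constant
    source from turning every tiny change into a huge deviation."""
    profile = {}
    for src, counts in windows.items():
        profile[src] = (mean(counts), max(pstdev(counts), min_std))
    return profile


def deviation(profile, src, count):
    """How many standard deviations `count` lies above the source's normal rate.
    Unknown sources are scored against the constructed global baseline, which is
    what lets a never-seen-before flood still stand out."""
    mu, sigma = profile.get(src, UNKNOWN_SOURCE_BASELINE)
    return (count - mu) / sigma


def detect(profile, observed, threshold=3.0):
    """observed: iterable of (window, src, packet_count) from the audit data.
    Any window more than `threshold` standard deviations above normal is
    reported as an anomaly; everything inside the noise band passes."""
    alerts = []
    for window, src, count in observed:
        z = deviation(profile, src, count)
        if z > threshold:
            alerts.append({"window": window, "src": src, "count": count,
                           "sigma": round(z, 1)})
    return alerts


# Constructed observations: normal traffic, one known host flooding, and a
# host that never appeared in training flooding.
OBSERVED = [
    (1, "10.0.0.5", 14),
    (1, "10.0.0.9", 4),
    (2, "10.0.0.9", 80),
    (2, "10.0.0.77", 6),
    (3, "10.0.0.77", 500),
]

if __name__ == "__main__":
    profile = build_profile(TRAINING_WINDOWS)
    for alert in detect(profile, OBSERVED):
        print(alert)
```

The run reports the flood from 10.0.0.9 and the one from the previously unknown 10.0.0.77 while the normal windows pass, which is the "novel attack" strength the slide claims: no rule for either flood exists, only a model of what normal looks like. The same mechanism is the source of the approach's weaknesses: a legitimate burst above the threshold is a false positive, and a slow attack that stays inside the noise band is a false negative.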
Signature based IDS
This IDS possesses attack descriptions that can be matched to sensed attack manifestations.
The question of what information is relevant to an IDS depends upon what it is trying to detect.
E.g., DNS, FTP, etc.
HOST-BASED IDSs, DISTRIBUTED IDSs, NETWORK-BASED IDSs
HOST-BASED IDSs:
Get audit data from host audit trails.
Detect attacks against a single host.
Distributed IDSs:
Gather audit data from multiple hosts and possibly the network.
Detect attacks involving multiple hosts.
Network-Based IDSs:
Use network traffic as the audit data source, relieving the burden on the hosts that usually provide normal computing services.
Detect attacks from the network.
Intrusion Detection Techniques
Misuse detection:
Catch intrusions in terms of the characteristics of known attacks or system vulnerabilities.
Anomaly detection:
Detect any action that significantly deviates from the normal behavior.
Misuse Detection
Based on known attack actions.
Features are extracted from known intrusions.
Integrates human knowledge.
The rules are pre-defined.
Disadvantage:
Cannot detect novel or unknown attacks.
Misuse Detection Methods & System
Anomaly Detection
Based on the normal behavior of a subject. It is sometimes assumed that the training audit data does not include intrusion data.
Any action that significantly deviates from the normal behavior is considered an intrusion.
Anomaly Detection Methods & System
Misuse Detection vs. Anomaly Detection
Intrusion Detection Approaches
Define and extract the features of behavior in the system
Define and extract the rules of intrusion
Apply the rules to detect the intrusion
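The three steps above, together with the signature-based and misuse-detection slides, are shown below as one small Python sensor. This is an added example, not code from the seminar: the access-log lines, source addresses and the two signatures are constructed for illustration. Step 1 extracts features from raw audit records (including percent-decoding the request path), step 2 holds the pre-defined rules, and step 3 applies them.

```python
import re
from urllib.parse import unquote

# Constructed audit data in a web-server access-log style (not real traffic):
# source, method, request path, status code.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.9 GET /images/../../etc/passwd 404
10.0.0.7 POST /upload.php 200
10.0.0.9 GET /static/..%2f..%2fetc/passwd 404
10.0.0.4 GET /admin/undocumented-endpoint 200
"""

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def extract_features(log_text):
    """Step 1: turn raw audit records into feature dicts. The path is
    percent-decoded here so that an encoded "..%2f" and a literal "../"
    present the same feature to the rules; without this normalisation the
    second traversal attempt in the sample would slip past the traversal rule."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed record: skip rather than crash the sensor
        rec = m.groupdict()
        rec["path"] = unquote(rec["path"])
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


# Step 2: pre-defined rules. Each signature is (rule name, feature, pattern)
# and describes one known attack manifestation.
SIGNATURES = [
    ("path-traversal", "path", re.compile(r"\.\./")),
    ("sensitive-file", "path", re.compile(r"/etc/passwd$")),
]


def apply_rules(records, signatures=SIGNATURES):
    """Step 3: match every record against every rule; one alert per hit."""
    alerts = []
    for rec in records:
        for name, field, pattern in signatures:
            if pattern.search(str(rec[field])):
                alerts.append({"rule": name, "src": rec["src"], "path": rec["path"]})
    return alerts


def detect(log_text=SAMPLE_LOG):
    return apply_rules(extract_features(log_text))


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

Both requests from 10.0.0.9 trigger both rules, so four alerts come out, all attributable to a known attack name, which is the advantage of misuse detection: a hit says exactly which rule matched. The last record, a request no signature describes, produces nothing, which is the disadvantage stated above: a novel or unknown attack is invisible until someone writes a rule for it.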
WHY DO I NEED AN IDS, I HAVE A FIREWALL?
An IDS is a dedicated assistant used to monitor the rest of the security infrastructure.
Today's security infrastructures are becoming extremely complex: they include firewalls, identification and authentication systems, access control products, virtual private networks, encryption products, virus scanners, and more. All of these tools perform functions essential to system security. Given their role they are also prime targets, and, being managed by humans, they are prone to errors.
Failure of one of the above components of your security infrastructure jeopardizes the systems it is supposed to protect.
WHAT IDS CANNOT DO
Compensate for weak authentication and identification mechanisms
Investigate attacks without human intervention
Guess the content of your organization's security policy
Compensate for weaknesses in networking protocols, for example IP spoofing
Compensate for the integrity or confidentiality of information
Analyze all traffic on a very high speed network
Deal adequately with attacks at the packet level
Deal adequately with modern network hardware
ADVANTAGES
HOST-BASED:
Monitors in terms of who accessed what
Can map problem activities to a specific user id
System can track behavior changes associated with misuse
Can operate in encrypted environments
Operates in switched networks
Monitoring load is distributed across multiple hosts rather than on a single host, reporting only relevant data to a central console
NETWORK-BASED:
Can get information quickly without any reconfiguration of computers or need to redirect logging mechanisms
Does not affect network or data sources
Monitors and detects network attacks or misuse in real time
Does not create system overhead
DISADVANTAGES
HOST-BASED:
Cannot see all network activities
Running audit mechanisms adds load to the system; performance may be an issue
Audit trails can take a lot of storage
OS vulnerabilities can undermine the effectiveness of agents
Agents are OS specific
Escalation of false positives
Greater deployment and maintenance cost
NETWORK-BASED:
Cannot scan protocols if the data is encrypted
Can infer from network traffic what is happening on a host but cannot tell the outcome
Hard to implement on fully switched networks
Has difficulty keeping up with networks of very large bandwidth