An intrusion detection system (IDS) monitors network traffic and system activities for suspicious activity that could indicate a security threat or attack. An IDS analyzes patterns in traffic to identify potential threats. There are network IDS that monitor entire network traffic and host IDS that monitor individual systems. An IDS detects threats but does not prevent them. An intrusion prevention system (IPS) can detect and prevent threats by blocking malicious traffic in real-time. An IPS combines IDS detection capabilities with preventative blocking functions. Common types of IPS include inline network IPS, layer 7 switches, application firewalls, and hybrid switches.

1. IDS/IPS
Santosh Khadsare

2. What is an Intrusion?
An intrusion is somebody attempting to break into or
misuse your system. The word “misuse” can reflect
something severe as stealing confidential data to something
minor such as misusing your email system for spam.
Intrusion can be defined as any set of actions that attempt
to compromise the integrity, confidentiality or availability of
resource.
In the context of info systems, intrusion refers to any
unauthorized access, unauthorized attempt to access or
damage or malicious use of info resources.

3. WHO ARE INTRUDERS?
• Outsiders. Intruders from outside the
network. They may attempt to go around
the firewall to attack machines on the
internal network.
• Insiders. Intruders that legitimately
use your internal network. These include
users who misuse privileges or who
impersonate higher privileged users.

4. HOW DO INTRUDERS GET INTO
THE SYSTEM?
• Physical intrusion.
• System intrusion.
• Remote intrusion.

5. WHAT IS AN INTRUSION
DETECTION SYSTEM?
• The main function of an IDS is to warn
about suspicious activity taking place, but
not to prevent them.
• An IDS specifically looks for suspicious
activity and events that might be the result
of a virus, worm or hacker.

6. Intrusion Detection Systems (IDS)
IDS designed to detect security breaches.
IDS designed to aid in mitigating damage caused by hacking.
Basic intent behind IDS: spot something suspicious on
NW/system and sound alarm.
May look for data bits that indicate questionable activity or
monitor system logs.
Events that sound alarm – may not be an intrusion; any
abnormal activity may trigger, depending on configuration.

7. Intrusion Detection Systems (IDS)
All IDS have three things in common:
Sensors: collect tfc and user activity data and sends to
analyzer.
Analyzer: Looks for suspicious activity.
Administrator Interface: If analyzer detects suspicious
activity, sends an alert to the Admin Interface.

8. Intrusion Detection Systems (IDS)
Why use an IDS:
To detect attacks and other security violations that are not
prevented by other security measures,
To detect and deal with the preambles to attacks (commonly
experienced as network probes and other “doorknob rattling”
activities),
To document the existing threat to an organization
To act as quality control for security design and administration,
especially of large and complex enterprises
To provide useful information about intrusions that do take
place, allowing improved diagnosis, recovery, and correction of
causative factors.

9. Intrusion Detection Systems (IDS)
IDS can be configured for:
Watch for attacks
Parse audit logs
Terminate a connection
Alert an admin as attacks are happening
Protect system files
Expose a hacker’s techniques
Throw up vulnerabilities that need to be addressed
Possibly help to track down hackers
Two main type of IDS:
NIDS
HIDS

10. Network Intrusion Detection Systems (NIDS)
Uses sensors to monitor all NW tfc
Cannot see the activities within the computer itself.

11. Host based Intrusion Detection Systems (HIDS)
Installed on indl workstns / servers
Watches for abnormal activity
NIDs understands and monitors NW tfc, HIDs monitors the
computer only on which it is installed.
Gen, HIDS installed on critical servers only due to administrative
overheads.

12. Types of HIDS/NIDS
Signature based
Pattern matching
Stateful matching
Anomaly based
Statistical anomaly based
Protocol anomaly based
Tfc anomaly based
Rule based

13. Types of HIDS/NIDS
Knowledge or Signature based IDS
Knowledge is gained by sensors about how specific attacks are
carried out.
Each identified attack has a signature
Eg of a signature:
A pkt having the same source and destination address (Land
Attack)
A TCP header of a pkt in which all values are set to 1s (xmas
attack).
Once these type of attack discovered, vendors wrote signatures
that looks specially for pkts with same source and destination
addresses or with TCP headers flag set to all 1s.

14. Types of HIDS/NIDS
Knowledge or Signature based IDS
Most popular IDS today.
Effectiveness depends on regularly updating signature database.
May not be able to uncover new types of attacks.

15. Types of HIDS/NIDS
State based IDS
What is a state?
Every change that an OS experiences (user log on, opening of
aplns, user data input, etc), is a state transition.
Gen happens continuously in any system.
So again, what is a state?
A snapshot of an OS’s values in volatile and non-volatile memory
locations.
In a state based IDS:
Initial state is the state prior to attack execution.
Compromised state is the state after successful penetration.
The IDS has rules as to which state transitions should trigger
alarm.

16. Types of HIDS/NIDS
An example of State based IDS
•A remote user connects to a system
•Sends data to an apln (data exceeds alloted buffer for this
empty variable).
•The data is executed and overwrites the buffer and possibly
other memory segments.
•A malicious code executes.
State based IDS looks for activity between initial and
compromised state and sends alert if any state transition
sequence matches its preconfigured rules.
Requires frequent signature updates.

17. Types of HIDS/NIDS
Statistical Anomaly based IDS
A behavior based system (also called heuristic IDS).
Does not use a signature database.
Initially put in a learning mode wherein the IDS learns the `normal’
NW activities.
The longer it is in learning mode, more accurate profile of a
normal state is built up.
After a profile is built, all future activities are compared to this
`normal’ profile.
If an activity exceeds a predefined `normal’ threshold, the alert is
triggered.

18. Types of HIDS/NIDS
Statistical Anomaly based IDS - Benefits
Can react to 0 day attacks
Also capable of detecting the low and slow attacks
Statistical Anomaly based IDS – Problems
May provide overwhelming number of false positives.
If an attacker discovers an IDS on a NW, will try to detect type so
that he can circumvent it.
With a behavior based IDS, attacker will try to integrate activities
in the `normal’ NW usage.
If an attack was underway when the IDS was in learning mode,
an attack will never be detected.
Sends generic alerts compared to specific alerts thrown up by
signature based IDS.

19. Types of HIDS/NIDS
Statistical Anomaly based IDS
Strength of this IDS lies in determining actual thresholds of normal
activity.
Once an attack is iden, the IDS can:
Send an alert to the admin’s console.
Send an email to a preconfigured address.
Kill the connection of the detected attack
Reconfigure a router/firewall to stop any further similar
attacks.

20. Types of HIDS/NIDS
Protocol Anomaly based IDS
These IDS have specific knowledge of each protocol they will
monitor.
A protocol anomaly pertains to the format and behavior of a
protocol..
The IDS builds a model of each protocol’s `normal’ usage
Eg of protocol anomaly:
Data Link Layer: ARP attack where bogus data is inserted in an
ARP table.
NW Layer: ICMP can be used in a Loki Attack to move data from
one place to another.

21. Types of HIDS/NIDS
Traffic Anomaly based IDS
Detects changes in NW tfc patterns
Tfc patterns may change during DoS attacks or when a new
service is introduced on the NW.
The IDS learns the normal tfc pattern and sets a threshold.
0 day attacks can be detected.

22. Types of HIDS/NIDS
Rule based IDS
A signature based IDS is very straightforward –
if a pkt has same source/destination address, send alert.
A statistical anomaly based IDS is also straightforward –
X logs in his system at 8 AM and logs off at 5 PM everyday. If he
logs on at 10 PM, it is an anomaly and an alert is sent.
Rule based IDS gen used in expert systems (Artificial
Intelligence).
An expert system has:
A knowledge base
An inference engine
Rule based programming.

23. Types of HIDS/NIDS
Rule based IDS
Rule based programming refers to - IF situation THEN action.
The rules are applied to facts (data that comes in from a sensor).
Rule based IDS gathers data from sensors/logs, the inference
engine uses its pre-programmed rules on it. If characteristics of
the rule is met – an alert is triggered.
Eg of a rule based IDS:
IF a root user creates file1 AND creates file2 SUCH THAT they are in the
same directory AND the root user opens tool1 TRIGGER send alert.

24. IDS
Placement of sensors
Outside the FW- detect attacks
Inside the FW – to detect actual intrusions
Highly sensitive subnets
DMZs
NW Tfc:
Every vendor’s IDS product has a threshold.
If NW tfc exceeds the threshold, all pkts may not be examined
and attacks may go unnoticed.
In high tfc environments multiple sensors reqd to be placed to
ensure all pkts are investigated.

25. WHAT IS IPS?
• Intrusion Prevention System (IPS) is any
device (hardware or software) that has the
ability to detect attacks, both known and
unknown, and prevent the attack from being
successful.

26. Intrusion Prevention Systems (IPS)
The bad guys are always one step ahead of the security
professionals.
Security professionals try and come up with innovative means to
detect and prevent attacks.
IPS is a preventive device rather than a detective device (IDS).
An IPS combines the prevent action of a FW with the in depth
pkt analysis function of an IDS.

27. CLASSIFICATION OF IPS
• Broadly classified into two categories
– Host IPS (HIPS)
– Network IPS (NIPS)

28. HOST-IPS
• HIPS is installed directly on the system
being protected
• It binds closely with the operating system
kernel and services, it monitors and
intercepts system calls to the kernel in
order to prevent attacks as well as log
them.
• It prevents the system from generic
attacks for which no “signature” yet
exists.

29. NETWORK-IPS
• Has two network interfaces, one designated
as internal and one as external.
• Packets passed through both interfaces and
they determined whether the packet being
examined poses a threat.
• If it detects a malicious packet, an alert is
raised, the packets are discarded
immediately. Legitimate packets are passed
through to the second interface and on to
their intended destination.

30. TYPES OF IPS
• Inline network intrusion protection
systems.
• Layer seven switches.
• Application firewalls.
• Hybrid switches.
• Deceptive applications.

31. INLINE NETWORK IPS
• It is configured with two NICs, one for
management and one for detection.
• NIC that is configured for detection usually does
not have an IP address assigned .
• It works by sitting between the systems that need
to be protected and the rest of the network.
• It inspects the packet for any vulnerabilities that
it is configured to look for.

32. INLINE NETWORK IPS
PKT SCRUBBING

33. LAYER SEVEN SWITCHES
• Placing these devices in front of your
firewalls would give protection for the entire
network.
• However the drawbacks are that they can
only stop attacks that they know about.
• The only attack they can stop that most
others IPS can’t are the DoS attacks.

34. LAYER SEVEN SWITCHES

35. APPLICATION FIREWALLS
• These IPSs are loaded on each server that is to be
protected.
• These types of IPSs are customizable to each
application that they are to protect.
• It profiles a system before protecting it. During the
profiling it watches the user’s interaction with the
application and the applications interaction with the
operating system to determine what legitimate
interaction looks like.
• The drawback is that when the application is updated
it might have to be profiled again so that it does not
block legitimate use.

36. HYBRID SWITCHES
• They inspect specific traffic for malicious
content as has been configured .
• Hybrid switch works in similar manner to layer
seven switch, but has detailed knowledge of the
web server and the application that sits on top
of the web server.
• It also fails , if the user’s request does not
match any of the permitted requests.

37. HYBRID SWITCHES

38. DECEPTIVE APPLICATIONS
• It watches all your network traffic and figures out
what is good traffic.
• When an attacker attempts to connect to services
that do not exist, it will send back a response to
the attacker
• The response will be “marked” with some bogus
data. When the attacker comes back again and
tries to exploit the server the IPS will see the
“marked” data and stop all traffic coming from the
attacker.

39. Honeypots
A system set up as a sacrificial lamb on a NW.
Not locked down.
Modified operational data kept on system to lure hackers to this
system rather than going to an actual operational system.
Enables admin to know what types of attacks are occurring.
May also help to track down an intruder.
More the time spent by the hacker on a honeypot, more info can
be gained about his techniques.

40. Honeypots
Legal issues with a honeypot
Enticement versus entrapment.

41. THANK YOU