SlideShare une entreprise Scribd logo

Ids

Télécharger en tant que PPT, PDF
S
Suresh Reddy
1  sur  26
Intrusion Detection - Arun Hodigere
Intrusion and Intrusion Detection • Intrusion : Attempting to break into or misuse your system. • Intruders may be from outside the network or legitimate users of the network. • Intrusion can be a physical, system or remote intrusion.
Different ways to intrude • Buffer overflows • Unexpected combinations • Unhandled input • Race conditions
Intrusion Detection Systems (IDS) Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.
Intrusion Detection Systems (IDS) • Different ways of classifying an IDS IDS based on – anomaly detection – signature based misuse – host based – network based
Anomaly based IDS • This IDS models the normal usage of the network as a noise characterization. • Anything distinct from the noise is assumed to be an intrusion activity. – E.g flooding a host with lots of packet. • The primary strength is its ability to recognize novel attacks.
Drawbacks of Anomaly detection IDS • Assumes that intrusions will be accompanied by manifestations that are sufficiently unusual so as to permit detection. • These generate many false alarms and hence compromise the effectiveness of the IDS.
Signature based IDS • This IDS possess an attacked description that can be matched to sensed attack manifestations. • The question of what information is relevant to an IDS depends upon what it is trying to detect. – E.g DNS, FTP etc.
Signature based IDS (contd.) • ID system is programmed to interpret a certain series of packets, or a certain piece of data contained in those packets,as an attack. For example, an IDS that watches web servers might be programmed to look for the string “phf” as an indicator of a CGI program attack. • Most signature analysis systems are based off of simple pattern matching algorithms. In most cases, the IDS simply looks for a sub string within a stream of data carried by network packets. When it finds this sub string (for example, the ``phf'' in ``GET /cgi-bin/phf?''), it identifies those network packets as vehicles of an attack.
Drawbacks of Signature based IDS • They are unable to detect novel attacks. • Suffer from false alarms • Have to programmed again for every new pattern to be detected.
Host/Applications based IDS • The host operating system or the application logs in the audit information. • These audit information includes events like the use of identification and authentication mechanisms (logins etc.) , file opens and program executions, admin activities etc. • This audit is then analyzed to detect trails of intrusion.
Drawbacks of the host based IDS • The kind of information needed to be logged in is a matter of experience. • Unselective logging of messages may greatly increase the audit and analysis burdens. • Selective logging runs the risk that attack manifestations could be missed.
Strengths of the host based IDS • Attack verification • System specific activity • Encrypted and switch environments • Monitoring key components • Near Real-Time detection and response. • No additional hardware
Stack based IDS • They are integrated closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers. • This allows the IDS to pull the packets from the stack before the OS or the application have a chance to process the packets.
Network based IDS • This IDS looks for attack signatures in network traffic via a promiscuous interface. • A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known un-malicious traffic.
Strengths of Network based IDS • Cost of ownership reduced • Packet analysis • Evidence removal • Real time detection and response • Malicious intent detection • Complement and verification • Operating system independence
Commercial ID Systems • ISS – Real Secure from Internet Security Systems: – Real time IDS. – Contains both host and network based IDS. • Tripwire – File integrity assessment tool. • Bro and Snort – open source public-domain system.
Bro: Real time IDS • Network based IDS • Currently developed for six Internet applications: FTP, Finger, Portmapper, Ident, Telnet and Rlogin.
Design goals for Bro • High-speed, large volume monitoring • No packet filter drops • Real time notification • Mechanism separate from policy • Extensible • Monitor will be attacked
Structure of the Bro System Network libcap Event engine Policy Script Interpreter Packet Stream Filtered Packet Stream Event Stream Real time notification Policy script Event Control Tcpdump filter
Bro - libcap • It’s the packet capture library used by tcpdump. • Isolates Bro from details of the network link technology. • Filters the incoming packet stream from the network to extract the required packets. • E.g port finger, port ftp, tcp port 113 (Ident), port telnet, port login, port 111 (Portmapper). • Can also capture packets with the SYN, FIN, or RST Control bits set.
Bro – Event Engine • The filtered packet stream from the libcap is handed over to the Event Engine. • Performs several integrity checks to assure that the packet headers are well formed. • It looks up the connection state associated with the tuple of the two IP addresses and the two TCP or UDP port numbers. • It then dispatches the packet to a handler for the corresponding connection.
Bro – TCP Handler • For each TCP packet, the connection handler verifies that the entire TCP Header is present and validates the TCP checksum. • If successful, it then tests whether the TCP header includes any of the SYN/FIN/RST control flags and adjusts the connection’s state accordingly. • Different changes in the connection’s state generate different events.
Policy Script Interpreter • The policy script interpreter receives the events generated by the Event Engine. • It then executes scripts written in the Bro language which generates events like logging real-time notifications, recording data to disk or modifying internal state. • Adding new functionality to Bro consists of adding a new protocol analyzer to the event engine and then writing new events handlers in the interpreter.
Application Specific Processing - Finger Finger request Event Engine Generates Finger_request event Script interpreter Tests for buffer overflow, checks the user against sensitive ids, etc Event Engine Generates event controls based on the policy Finger reply
Future of IDS • To integrate the network and host based IDS for better detection. • Developing IDS schemes for detecting novel attacks rather than individual instantiations.

Recommandé

IDS n IPS
IDS n IPSIDS n IPS
IDS n IPSSAurabh PRajapati
 
INTERNET SECURITY SYSTEM
INTERNET SECURITY SYSTEMINTERNET SECURITY SYSTEM
INTERNET SECURITY SYSTEMBhushan Gajare
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAAKASH S
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection SystemPreshan Pradeepa
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention SystemVishwanath Badiger
 

Recommandé

IDS n IPS
IDS n IPSIDS n IPS
IDS n IPSSAurabh PRajapati
 
INTERNET SECURITY SYSTEM
INTERNET SECURITY SYSTEMINTERNET SECURITY SYSTEM
INTERNET SECURITY SYSTEMBhushan Gajare
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAAKASH S
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection SystemPreshan Pradeepa
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention SystemVishwanath Badiger
 
Intrusion detection system IDS
Intrusion detection system IDSIntrusion detection system IDS
Intrusion detection system IDSMAURICE NTAHOBARI
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAparna Bhadran
 
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...skpatel91
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAkhil Kumar
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1Saksham Agrawal
 
Introduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsIntroduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsPaul Green
 
Chapter 12
Chapter 12Chapter 12
Chapter 12cclay3
 
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...UzairAhmad81
 
Intruders
IntrudersIntruders
IntrudersDr.Florence Dayana
 
Intrusion Detection System Project Report
Intrusion Detection System Project ReportIntrusion Detection System Project Report
Intrusion Detection System Project ReportRaghav Bisht
 
Intrusion detection systems
Intrusion detection systemsIntrusion detection systems
Intrusion detection systemsSeraphic Nazir
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system pptSheetal Verma
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
Practical real-time intrusion detection using machine learning approaches
Practical real-time intrusion detection using machine learning approachesPractical real-time intrusion detection using machine learning approaches
Practical real-time intrusion detection using machine learning approachesFull Stack Developer at Electro Mizan Andisheh
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection SystemMohit Belwal
 
Intrusion Detection
Intrusion DetectionIntrusion Detection
Intrusion DetectionGregory Hanis
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1whitehat 'People'
 
Using Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection SystemsUsing Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection SystemsOmar Shaya
 
Cours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptxCours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptxssuserc517ee1
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and preventionNicholas Davis
 

Contenu connexe

Tendances

Intrusion detection system IDS
Intrusion detection system IDSIntrusion detection system IDS
Intrusion detection system IDSMAURICE NTAHOBARI
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAparna Bhadran
 
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...skpatel91
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemAkhil Kumar
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detectionCAS
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1Saksham Agrawal
 
Introduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsIntroduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsPaul Green
 
Chapter 12
Chapter 12Chapter 12
Chapter 12cclay3
 
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...UzairAhmad81
 
Intrusion Detection System Project Report
Intrusion Detection System Project ReportIntrusion Detection System Project Report
Intrusion Detection System Project ReportRaghav Bisht
 
Intrusion detection systems
Intrusion detection systemsIntrusion detection systems
Intrusion detection systemsSeraphic Nazir
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system pptSheetal Verma
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection SystemMohit Belwal
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1whitehat 'People'
 
Using Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection SystemsUsing Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection SystemsOmar Shaya
 

Tendances (20)

Intrusion detection system IDS
Intrusion detection system IDSIntrusion detection system IDS
Intrusion detection system IDS
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection Sys...
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Intrusion detection
Intrusion detectionIntrusion detection
Intrusion detection
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
 
Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1Network_Intrusion_Detection_System_Team1
Network_Intrusion_Detection_System_Team1
 
Introduction To Intrusion Detection Systems
Introduction To Intrusion Detection SystemsIntroduction To Intrusion Detection Systems
Introduction To Intrusion Detection Systems
 
Chapter 12
Chapter 12Chapter 12
Chapter 12
 
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
NGIPS(Next Generation Intrusion Prevention System) in Network security presen...
 
Intruders
IntrudersIntruders
Intruders
 
Intrusion Detection System Project Report
Intrusion Detection System Project ReportIntrusion Detection System Project Report
Intrusion Detection System Project Report
 
Intrusion detection systems
Intrusion detection systemsIntrusion detection systems
Intrusion detection systems
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system ppt
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems
 
Practical real-time intrusion detection using machine learning approaches
Practical real-time intrusion detection using machine learning approachesPractical real-time intrusion detection using machine learning approaches
Practical real-time intrusion detection using machine learning approaches
 
Intrusion Detection System
Intrusion Detection SystemIntrusion Detection System
Intrusion Detection System
 
Intrusion Detection
Intrusion DetectionIntrusion Detection
Intrusion Detection
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1
 
Using Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection SystemsUsing Machine Learning in Networks Intrusion Detection Systems
Using Machine Learning in Networks Intrusion Detection Systems
 

Similaire à Ids

Cours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptxCours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptxssuserc517ee1
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and preventionNicholas Davis
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And PreventionNicholas Davis
 
Intruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptxIntruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptxSriK49
 
An Toan Thong Tin.pptx
An Toan Thong Tin.pptxAn Toan Thong Tin.pptx
An Toan Thong Tin.pptxVuongPhm
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniLoay Elbasyouni
 
Understanding Intrusion Detection & Prevention Systems (1).pptx
Understanding Intrusion Detection & Prevention Systems (1).pptxUnderstanding Intrusion Detection & Prevention Systems (1).pptx
Understanding Intrusion Detection & Prevention Systems (1).pptxRineri1
 
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptFALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptuseonlyfortech140
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemRoshan Ranabhat
 
information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...Zara Nawaz
 
AN INTRUSION DETECTION SYSTEM
AN INTRUSION DETECTION SYSTEMAN INTRUSION DETECTION SYSTEM
AN INTRUSION DETECTION SYSTEMApoorv Pandey
 
Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)Wail Hassan
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewallsDivya Jyoti
 
Chapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdfChapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdfAschalewAyele2
 
L5A - Intrusion Detection Systems.pptx
L5A - Intrusion Detection Systems.pptxL5A - Intrusion Detection Systems.pptx
L5A - Intrusion Detection Systems.pptxRebeccaMunasheChimhe
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesAmy Gerrie
 

Similaire à Ids (20)

Cours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptxCours_4_IDS_IPS.pptx
Cours_4_IDS_IPS.pptx
 
Intrusion detection and prevention
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
 
Intruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptxIntruders in cns. Various intrusion detection and prevention technique.pptx
Intruders in cns. Various intrusion detection and prevention technique.pptx
 
ids.ppt
ids.pptids.ppt
ids.ppt
 
An Toan Thong Tin.pptx
An Toan Thong Tin.pptxAn Toan Thong Tin.pptx
An Toan Thong Tin.pptx
 
Intrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouniIntrusion_Detection_By_loay_elbasyouni
Intrusion_Detection_By_loay_elbasyouni
 
Unit-5.pptx
Unit-5.pptxUnit-5.pptx
Unit-5.pptx
 
Understanding Intrusion Detection & Prevention Systems (1).pptx
Understanding Intrusion Detection & Prevention Systems (1).pptxUnderstanding Intrusion Detection & Prevention Systems (1).pptx
Understanding Intrusion Detection & Prevention Systems (1).pptx
 
Snort IDS/IPS Basics
Snort IDS/IPS BasicsSnort IDS/IPS Basics
Snort IDS/IPS Basics
 
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.pptFALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
FALLSEM2023-24_BCSE353E_ETH_VL2023240100871_2023-05-25_Reference-Material-I.ppt
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...
 
AN INTRUSION DETECTION SYSTEM
AN INTRUSION DETECTION SYSTEMAN INTRUSION DETECTION SYSTEM
AN INTRUSION DETECTION SYSTEM
 
Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewalls
 
012
012012
012
 
Chapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdfChapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdf
 
L5A - Intrusion Detection Systems.pptx
L5A - Intrusion Detection Systems.pptxL5A - Intrusion Detection Systems.pptx
L5A - Intrusion Detection Systems.pptx
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 

Ids

  • 2. Intrusion and Intrusion Detection • Intrusion : Attempting to break into or misuse your system. • Intruders may be from outside the network or legitimate users of the network. • Intrusion can be a physical, system or remote intrusion.
  • 3. Different ways to intrude • Buffer overflows • Unexpected combinations • Unhandled input • Race conditions
  • 4. Intrusion Detection Systems (IDS) Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.
  • 5. Intrusion Detection Systems (IDS) • Different ways of classifying an IDS IDS based on – anomaly detection – signature based misuse – host based – network based
  • 6. Anomaly based IDS • This IDS models the normal usage of the network as a noise characterization. • Anything distinct from the noise is assumed to be an intrusion activity. – E.g flooding a host with lots of packet. • The primary strength is its ability to recognize novel attacks.
  • 7. Drawbacks of Anomaly detection IDS • Assumes that intrusions will be accompanied by manifestations that are sufficiently unusual so as to permit detection. • These generate many false alarms and hence compromise the effectiveness of the IDS.
  • 8. Signature based IDS • This IDS possess an attacked description that can be matched to sensed attack manifestations. • The question of what information is relevant to an IDS depends upon what it is trying to detect. – E.g DNS, FTP etc.
  • 9. Signature based IDS (contd.) • ID system is programmed to interpret a certain series of packets, or a certain piece of data contained in those packets,as an attack. For example, an IDS that watches web servers might be programmed to look for the string “phf” as an indicator of a CGI program attack. • Most signature analysis systems are based off of simple pattern matching algorithms. In most cases, the IDS simply looks for a sub string within a stream of data carried by network packets. When it finds this sub string (for example, the ``phf'' in ``GET /cgi-bin/phf?''), it identifies those network packets as vehicles of an attack.
  • 10. Drawbacks of Signature based IDS • They are unable to detect novel attacks. • Suffer from false alarms • Have to programmed again for every new pattern to be detected.
  • 11. Host/Applications based IDS • The host operating system or the application logs in the audit information. • These audit information includes events like the use of identification and authentication mechanisms (logins etc.) , file opens and program executions, admin activities etc. • This audit is then analyzed to detect trails of intrusion.
  • 12. Drawbacks of the host based IDS • The kind of information needed to be logged in is a matter of experience. • Unselective logging of messages may greatly increase the audit and analysis burdens. • Selective logging runs the risk that attack manifestations could be missed.
  • 13. Strengths of the host based IDS • Attack verification • System specific activity • Encrypted and switch environments • Monitoring key components • Near Real-Time detection and response. • No additional hardware
  • 14. Stack based IDS • They are integrated closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers. • This allows the IDS to pull the packets from the stack before the OS or the application have a chance to process the packets.
  • 15. Network based IDS • This IDS looks for attack signatures in network traffic via a promiscuous interface. • A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known un-malicious traffic.
  • 16. Strengths of Network based IDS • Cost of ownership reduced • Packet analysis • Evidence removal • Real time detection and response • Malicious intent detection • Complement and verification • Operating system independence
  • 17. Commercial ID Systems • ISS – Real Secure from Internet Security Systems: – Real time IDS. – Contains both host and network based IDS. • Tripwire – File integrity assessment tool. • Bro and Snort – open source public-domain system.
  • 18. Bro: Real time IDS • Network based IDS • Currently developed for six Internet applications: FTP, Finger, Portmapper, Ident, Telnet and Rlogin.
  • 19. Design goals for Bro • High-speed, large volume monitoring • No packet filter drops • Real time notification • Mechanism separate from policy • Extensible • Monitor will be attacked
  • 20. Structure of the Bro System Network libcap Event engine Policy Script Interpreter Packet Stream Filtered Packet Stream Event Stream Real time notification Policy script Event Control Tcpdump filter
  • 21. Bro - libcap • It’s the packet capture library used by tcpdump. • Isolates Bro from details of the network link technology. • Filters the incoming packet stream from the network to extract the required packets. • E.g port finger, port ftp, tcp port 113 (Ident), port telnet, port login, port 111 (Portmapper). • Can also capture packets with the SYN, FIN, or RST Control bits set.
  • 22. Bro – Event Engine • The filtered packet stream from the libcap is handed over to the Event Engine. • Performs several integrity checks to assure that the packet headers are well formed. • It looks up the connection state associated with the tuple of the two IP addresses and the two TCP or UDP port numbers. • It then dispatches the packet to a handler for the corresponding connection.
  • 23. Bro – TCP Handler • For each TCP packet, the connection handler verifies that the entire TCP Header is present and validates the TCP checksum. • If successful, it then tests whether the TCP header includes any of the SYN/FIN/RST control flags and adjusts the connection’s state accordingly. • Different changes in the connection’s state generate different events.
  • 24. Policy Script Interpreter • The policy script interpreter receives the events generated by the Event Engine. • It then executes scripts written in the Bro language which generates events like logging real-time notifications, recording data to disk or modifying internal state. • Adding new functionality to Bro consists of adding a new protocol analyzer to the event engine and then writing new events handlers in the interpreter.
  • 25. Application Specific Processing - Finger Finger request Event Engine Generates Finger_request event Script interpreter Tests for buffer overflow, checks the user against sensitive ids, etc Event Engine Generates event controls based on the policy Finger reply
  • 26. Future of IDS • To integrate the network and host based IDS for better detection. • Developing IDS schemes for detecting novel attacks rather than individual instantiations.