Intrusion Detection System (IDS)
DESCRIPTION
In this ppt I have included mainly three topics:
1. Introduction of IDS
2. Technologies used in IDS
3. Detection types
TRANSCRIPT
![Page 1: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/1.jpg)
Seminar on Intrusion Detection System
![Page 2: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/2.jpg)
TOPICS:
Introduction of IDS
Technologies
Detection types
![Page 3: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/3.jpg)
INTRODUCTION
What is IDS?
History
Need of IDS
Classification of IDS
![Page 4: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/4.jpg)
WHAT IS IDS?
Revolution in networking: the possibilities and opportunities are limitless.
Unfortunately, so too are the risks and chances of malicious activities.
![Page 5: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/5.jpg)
Intrusion = illegal entry or unwelcome addition.
Definition: An Intrusion Detection System (IDS) is software that determines whether a computer network or server has experienced an unauthorized intrusion.
![Page 6: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/6.jpg)
An IDS detects these intrusion attempts so that action may be taken later to repair the damage.
An IDS monitors network traffic for suspicious activity and alerts the system or network administrator.
![Page 7: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/7.jpg)
THE BEGINNING (HISTORY)
A USAF paper published in October 1972, written by James P. Anderson, outlined the fact that the USAF had “become increasingly aware of computer security problems.”
![Page 8: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/8.jpg)
Before designing an IDS, it was necessary to understand the types of threats and attacks that could be mounted against computer systems.
![Page 9: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/9.jpg)
NEED OF IDS
A computer system should provide confidentiality, integrity and assurance against denial of service.
Confidentiality: Whether the information stored on a system is protected against unauthorized access.
![Page 10: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/10.jpg)
Integrity: Whether the information stored on a system is reliable and can be trusted.
Increased connectivity (especially on the Internet): more and more systems are subject to attack by intruders.
![Page 11: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/11.jpg)
These intruders attempt to exploit flaws in the OS as well as in application programs, and their attempts have resulted in spectacular incidents, e.g. the Internet Worm incident of 1988.
![Page 12: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/12.jpg)
TWO WAYS TO HANDLE
By building a completely secure system:
• Require all users to identify and authenticate themselves
• Protect data: cryptographic methods and very tight access control mechanisms
![Page 13: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/13.jpg)
Since we cannot prevent all intruders, we should at least try to detect intrusions and prevent similar attacks in future.
![Page 14: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/14.jpg)
TYPES OF INTRUDERS
Internal
Masquerade
Clandestine
External
![Page 15: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/15.jpg)
TASKS TO BE PERFORMED
Prevention
Intrusion monitoring
Intrusion detection
Response
Simulation
Analysis
Notification
![Page 16: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/16.jpg)
![Page 17: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/17.jpg)
TECHNOLOGIES:
Network IDS
Host IDS
![Page 18: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/18.jpg)
NETWORK INTRUSION DETECTION SYSTEM
Detect attacks as they happen: real-time monitoring of networks
Provide information about attacks that have succeeded: forensic analysis
![Page 19: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/19.jpg)
Deploying sensors at strategic locations, e.g., packet sniffing via tcpdump at routers
Inspecting network traffic: watch for violations of protocols and unusual connection patterns
Monitoring user activities: look into the data portions of the packets for malicious command sequences
![Page 20: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/20.jpg)
![Page 21: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/21.jpg)
May be easily defeated by encryption: data portions and some header information can be encrypted.
The decryption engine is still there.
![Page 22: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/22.jpg)
RELATED TOOLS FOR NETWORK IDS
While not an element of Snort, Ethereal is the best open source GUI-based packet viewer.
www.ethereal.com offers:
Windows: www.ethereal.com/download.html
UNIX, e.g., Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms
![Page 23: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/23.jpg)
![Page 24: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/24.jpg)
REQUIREMENTS OF NIDS
High-speed, large volume monitoring
No packet filter drops
Real-time notification
Mechanism separate from policy
Extensible
Broad detection coverage
Economy in resource usage
Resilience to stress
Resilience to attacks upon the IDS itself!
![Page 25: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/25.jpg)
HOST INTRUSION DETECTION SYSTEM
Using OS auditing mechanisms, e.g., BSM on Solaris: logs all direct or indirect events generated by a user
strace for system calls made by a program
Monitoring user activities, e.g., analyze shell commands
![Page 26: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/26.jpg)
Monitoring executions of system programs, e.g., analyze system calls made by sendmail
A HIDS can see more than just network traffic and can make decisions based on local settings, settings specific to an OS, and log data.
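The slide's "analyze system calls made by sendmail" is the classic host-based approach of profiling the short system-call sequences a program normally issues and flagging traces that contain sequences never seen before. The following is an added example, not code from the seminar: it parses strace-style lines (the trace text, the program name and the 3-gram window size are constructed assumptions), builds a profile from traces recorded during normal operation, and scores a new trace by how many of its sequences fall outside that profile.

```python
import re

# Matches the syscall name at the start of an strace-style line, e.g. 'read(3, "...", 4096) = 512'
SYSCALL_RE = re.compile(r"^(\w+)\(")


def parse_trace(text):
    """Return the syscall names in an strace-style trace, skipping lines that are not calls
    (signal notifications, resumed-call fragments and so on)."""
    calls = []
    for line in text.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if m:
            calls.append(m.group(1))
    return calls


def ngrams(calls, k):
    """Sliding windows of k consecutive syscall names."""
    return [tuple(calls[i:i + k]) for i in range(len(calls) - k + 1)]


def build_profile(normal_traces, k=3):
    """Profile = set of every k-gram observed while the program behaved normally."""
    profile = set()
    for trace in normal_traces:
        profile.update(ngrams(parse_trace(trace), k))
    return profile


def score_trace(profile, trace, k=3):
    """Return (unseen_count, total_ngrams, unseen_sequences) for a trace under test.
    A high unseen ratio means the program is doing something it never did in training."""
    grams = ngrams(parse_trace(trace), k)
    unseen = [g for g in grams if g not in profile]
    return len(unseen), len(grams), unseen


# Constructed training traces of a hypothetical mail delivery program (not real strace output).
NORMAL_TRACES = [
    """openat(AT_FDCWD, "/var/mail/queue/q1", O_RDONLY) = 3
read(3, "...", 4096) = 512
write(4, "...", 512) = 512
close(3) = 0
exit_group(0) = ?""",
    """openat(AT_FDCWD, "/var/mail/queue/q2", O_RDONLY) = 3
read(3, "...", 4096) = 4096
read(3, "...", 4096) = 100
write(4, "...", 4196) = 4196
close(3) = 0
exit_group(0) = ?""",
]

# Constructed trace under test: the same program unexpectedly opens a network socket.
SUSPICIOUS_TRACE = """openat(AT_FDCWD, "/var/mail/queue/q3", O_RDONLY) = 3
read(3, "...", 4096) = 512
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("198.51.100.7")}, 16) = 0
write(5, "...", 512) = 512
close(5) = 0
exit_group(0) = ?"""


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    unseen, total, seqs = score_trace(profile, SUSPICIOUS_TRACE)
    print(f"{unseen}/{total} sequences never seen in training")
    for s in seqs:
        print("  unseen:", " -> ".join(s))
```

The profile is deliberately tiny here; in practice it is built from many runs, and a non-zero unseen ratio on a well-trained profile is what raises the alert rather than any single call name.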
![Page 27: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/27.jpg)
![Page 28: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/28.jpg)
DETECTION TYPES
Signature based
Anomaly based
![Page 29: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/29.jpg)
SIGNATURE BASED IDS
Sniff traffic on the network: border router or multiple sensors within a LAN
Match sniffed traffic with attack signatures in a database
Signature: set of rules pertaining to a typical intrusion activity
Simple example rule: any ICMP packet > 10,000 bytes
Example: more than one thousand SYN packets to different ports on the same host under a second
![Page 30: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/30.jpg)
Skilled security engineers research known attacks and put them in the database
Can configure the IDS to exclude certain signatures; can modify signature parameters
Warn the administrator when a signature matches: send e-mail or SMS, send a message to the network management system
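The two example rules on the slides, together with the operator controls the slides mention (excluding a signature, modifying its parameters, notifying on a match), can be written as a small signature engine. This is an added example and not code from the seminar; the `Packet` record, the parameter names and the sample capture are constructed assumptions, and notification is a console print standing in for e-mail, SMS or an NMS message.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # capture time in seconds
    proto: str         # "ICMP", "TCP", ...
    src: str
    dst: str
    dport: int         # 0 for protocols without ports
    length: int        # bytes on the wire
    syn: bool = False  # TCP SYN flag set


# Signature parameters are data, not code, so an operator can tune them
# ("can modify signature parameters" on the slide).
DEFAULT_PARAMS = {
    "icmp_max_len": 10_000,      # rule 1: any ICMP packet larger than this
    "syn_port_threshold": 1000,  # rule 2: more than this many distinct ports SYN'd on one host...
    "syn_window": 1.0,           # ...inside this many seconds
}


def sig_large_icmp(packets, params):
    """Rule 1 from the slide: any ICMP packet > 10,000 bytes (stateless, one packet at a time)."""
    return [("LARGE_ICMP", p.src, p.dst, p.length)
            for p in packets
            if p.proto == "ICMP" and p.length > params["icmp_max_len"]]


def sig_syn_sweep(packets, params):
    """Rule 2 from the slide: more than one thousand SYNs to different ports on the same host
    under a second. Stateful: keep a sliding window of (time, port) per (src, dst) pair."""
    alerts = []
    windows = defaultdict(deque)
    reported = set()
    for p in sorted(packets, key=lambda x: x.ts):
        if not (p.proto == "TCP" and p.syn):
            continue
        key = (p.src, p.dst)
        win = windows[key]
        win.append((p.ts, p.dport))
        cutoff = p.ts - params["syn_window"]
        while win and win[0][0] < cutoff:      # expire entries older than the window
            win.popleft()
        distinct_ports = {dport for _, dport in win}
        if len(distinct_ports) > params["syn_port_threshold"] and key not in reported:
            reported.add(key)                  # one alert per offending pair
            alerts.append(("SYN_SWEEP", p.src, p.dst, len(distinct_ports)))
    return alerts


SIGNATURES = {"LARGE_ICMP": sig_large_icmp, "SYN_SWEEP": sig_syn_sweep}


def run_ids(packets, params=None, exclude=()):
    """Run every signature not excluded by the operator with the merged parameter set."""
    params = {**DEFAULT_PARAMS, **(params or {})}
    alerts = []
    for name, rule in SIGNATURES.items():
        if name not in exclude:
            alerts.extend(rule(packets, params))
    return alerts


def notify(alerts):
    """Stand-in for the slide's e-mail / SMS / NMS notification step."""
    for alert in alerts:
        print("ALERT", *alert)


def sample_capture():
    """Constructed packets (not a real capture): a benign ping, an oversized ICMP packet,
    one ordinary SYN, and 1200 SYNs to distinct ports on one host within 0.6 s."""
    pkts = [Packet(0.0, "ICMP", "10.0.0.5", "10.0.0.1", 0, 64),
            Packet(0.1, "ICMP", "10.0.0.5", "10.0.0.1", 0, 12_000),
            Packet(0.2, "TCP", "10.0.0.7", "10.0.0.1", 443, 60, syn=True)]
    for i in range(1200):
        pkts.append(Packet(1.0 + i * 0.0005, "TCP", "10.0.0.9", "10.0.0.1", 1 + i, 60, syn=True))
    return pkts


if __name__ == "__main__":
    notify(run_ids(sample_capture()))
```

Note that rule 2 has to keep per-host state and expire it, which is where a signature engine spends memory under load; the "IDS can get overwhelmed with processing" limitation on the next slide is a direct consequence of stateful rules like this one running over every packet.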
![Page 31: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/31.jpg)
LIMITATIONS TO SIGNATURE DETECTION
Requires previous knowledge of the attack to generate an accurate signature: blind to unknown attacks
Signature bases are getting larger: every packet must be compared with each signature
IDS can get overwhelmed with processing; can miss packets
![Page 32: Intrusion Detection System(IDS)](https://reader033.vdocuments.net/reader033/viewer/2022061201/54793322b4af9fea158b4789/html5/thumbnails/32.jpg)
ANOMALY DETECTION IDS
Observe traffic during normal operation
Create a normal traffic profile
Look for packet streams that are statistically unusual, e.g., an inordinate percentage of ICMP packets or exponential growth in port scans/sweeps
Doesn't rely on having previous knowledge of the attack
Research topic in security
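The three steps above (observe normal traffic, build a profile, flag statistically unusual streams) can be shown end to end on per-second traffic counters. This is an added example, not code from the seminar: the window tuple layout, the z-score threshold of 3 and the "doubling for three consecutive windows" growth test are constructed assumptions, and the traffic counts are made-up sample data rather than a real trace. It flags exactly the two kinds of anomaly the slide names, an inordinate ICMP share and exponential growth in port scans, and no rule mentions any specific attack.

```python
import statistics

# One window = (total_packets, icmp_packets, port_scan_events) observed in one second.


def build_profile(windows):
    """Step 1 and 2: learn the normal profile (mean and spread of the ICMP share and of the
    port-scan count) from windows captured during normal operation."""
    icmp_share = [icmp / total for total, icmp, _ in windows]
    scans = [s for _, _, s in windows]
    return {"icmp_mean": statistics.mean(icmp_share), "icmp_sd": statistics.pstdev(icmp_share),
            "scan_mean": statistics.mean(scans), "scan_sd": statistics.pstdev(scans)}


def zscore(x, mean, sd):
    """Standard score; with a constant baseline (sd == 0) any deviation counts as infinite."""
    if sd == 0:
        return 0.0 if x == mean else float("inf")
    return (x - mean) / sd


def detect_anomalies(profile, windows, threshold=3.0, growth_steps=3):
    """Step 3: flag windows whose ICMP share or scan count is more than `threshold`
    standard deviations above normal, and runs of `growth_steps` windows in which the
    scan count at least doubles each second (exponential growth)."""
    alerts = []
    scans = [s for _, _, s in windows]
    for i, (total, icmp, s) in enumerate(windows):
        share = icmp / total if total else 0.0
        if zscore(share, profile["icmp_mean"], profile["icmp_sd"]) > threshold:
            alerts.append(("ICMP_SHARE", i, round(share, 3)))
        if zscore(s, profile["scan_mean"], profile["scan_sd"]) > threshold:
            alerts.append(("PORT_SCANS", i, s))
        if i >= growth_steps:
            seq = scans[i - growth_steps:i + 1]
            if all(seq[k] > 0 and seq[k + 1] >= 2 * seq[k] for k in range(growth_steps)):
                alerts.append(("SCAN_GROWTH", i, seq))
    return alerts


def normal_windows():
    """Constructed baseline: ~1000 packets/s, 2-3.5% ICMP, at most a couple of scan events."""
    icmp = [20, 30, 25, 35, 20, 30, 25, 35, 30, 25]
    scans = [1, 0, 2, 1, 1, 0, 2, 1, 1, 1]
    return [(1000, c, s) for c, s in zip(icmp, scans)]


def live_windows():
    """Constructed live traffic: one second with 40% ICMP, then scan events doubling each second."""
    return [(1000, 30, 1), (1000, 400, 0), (1000, 25, 2), (1000, 25, 4), (1000, 25, 8), (1000, 25, 16)]


if __name__ == "__main__":
    profile = build_profile(normal_windows())
    for kind, second, value in detect_anomalies(profile, live_windows()):
        print(f"second {second}: {kind} {value}")
```

The profile carries no attack knowledge, which is the slide's point: the detector never had to see an ICMP flood or a port sweep to raise these alerts. The same property is the source of false positives, since any legitimate change in traffic mix that the baseline did not cover (a new monitoring job that pings every host, say) looks just as unusual.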