By: Gaurav Koriya

Intrusion Detection System

Content
1. Introduction
2. What is Intrusion
3. What is IDS
4. Conclusion

Introduction: Threats to Network Security
A significant security problem for networked systems is hostile, or at least unwanted, trespass by users or software.
User trespass can take the form of unauthorized logon to a machine or, in the case of an authorized user, acquisition of privileges or performance of actions beyond those that have been authorized.
Software trespass can take the form of a virus, worm or Trojan horse.

What is an intrusion?
Any set of actions that attempt to compromise the confidentiality, integrity, or availability of a computer resource.

Types of Intruders
In an early study of intrusion, Anderson identified three classes of intruders:
Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
Misfeasor: A legitimate user who accesses data, programs or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit actions.

Consequences of Intrusion
Intruder attacks range from the benign to the serious. At the benign end of the scale, there are many people who simply wish to explore the internet and see what is out there. At the serious end, an intruder may attempt the following:
Read privileged data.
Perform unauthorized modifications to data.
Disrupt the system settings.

[Figure: IDS architecture diagram showing the Knowledge Base, Analysis Engine, Response Provider, Alert Database and Other machines]

Intrusion Detection Systems (IDS)
Intrusion detection is the process of identifying and responding to malicious activity targeted at resources.
An IDS is a system designed to test and analyze network traffic or system events against a given set of parameters and to alert or capture data when these thresholds are met.
An IDS uses the collected information and a predefined knowledge-based system to reason about the possibility of an intrusion.
An IDS also provides services to cope with an intrusion, such as raising alarms, activating programs that try to deal with the intrusion, etc.

Functions of IDS
An IDS detects attacks as soon as possible and takes appropriate action.
An IDS does not usually take preventive measures when an attack is detected.
It is a reactive rather than a proactive agent.
It plays the role of an informant rather than a police officer.

Principles of Intrusion Detection Systems
An IDS must run unattended for extended periods of time.
The IDS must stay active and secure.
The IDS must be able to recognize unusual activity.
The IDS must operate without unduly affecting the system's activity.
The IDS must be configurable.

Components of IDS
Basically there are three components or modules in an Intrusion Detection System:
Sensor: Responsible for capturing packets and sending them to the Console class.
Console: Responsible for analyzing the packets captured by the Sensor class. It is also the class responsible for displaying the GUI and generating alerts.

Types of IDS
A network intrusion detection system (NIDS) is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. An example of a NIDS is Snort.
A protocol-based intrusion detection system (PIDS) consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server.
An application protocol-based intrusion detection system (APIDS) consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application-specific protocols.
A host-based intrusion detection system (HIDS) consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state. An example of a HIDS is OSSEC.
A passive IDS simply detects and alerts. When suspicious or malicious traffic is detected, an alert is generated and sent to the administrator or user, and it is up to them to take action to block the activity or respond in some way.
A reactive IDS will not only detect suspicious or malicious traffic and alert the administrator, but will take pre-defined proactive actions to respond to the threat. Typically this means blocking any further network traffic from the source IP address or user.

IDS Detection Approaches
Signature-based IDS
Statistical anomaly-based IDS

Signature Detection
Signature detection compares observed activity against known attack patterns (signatures). It is a technique often used in Intrusion Detection Systems (IDS) and in many anti-malware systems such as anti-virus and anti-spyware. In the signature detection process, network or system information is scanned against a database of known attack or malware signatures. If a match is found, an alert is raised for further action.

Statistical Anomaly Detection
Statistical anomaly detection involves the collection of data relating to the behavior of legitimate users over a period of time. Statistical tests are then applied to observed behavior to determine, with a high level of confidence, whether that behavior is not legitimate user behavior.
Statistical anomaly detection falls into two broad categories:
Threshold detection.
Profile-based anomaly detection.

Statistical Anomaly Detection (continued)
Threshold detection involves counting the number of occurrences of a specified event type over an interval of time.
Profile-based anomaly detection focuses on characterizing the past behavior of individual users or related groups of users and then detecting significant deviations.
Examples of parameters that are useful for profile-based intrusion detection are the following:
Counter: Typically, a count of certain event types is kept over a particular period of time. Examples include the number of logins, the number of password failures, and the number of times a given command is executed during a single user session.
Interval timer: The length of time between two related events. An example is the time elapsed between two successive logins to an account.
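As an added illustration that is not part of the presentation, the three detection techniques described above run over constructed audit records: signature matching against a small pattern database, threshold detection as a sliding-window count of failed logins per user, and profile-based detection that scores a login interval timer against a user's past intervals. The z-score test, the record layout and the signature pattern are assumptions made here for the example.

```python
import re
import statistics
from collections import deque

# Constructed audit records, not from the presentation: (time in s, user, event kind, detail)
RECORDS = [
    (0, "alice", "login_ok", ""),
    (5, "alice", "cmd", "GET /index.html"),
    (40, "bob", "login_fail", ""),
    (45, "bob", "login_fail", ""),
    (50, "bob", "login_fail", ""),
    (52, "bob", "login_fail", ""),
    (60, "bob", "cmd", "GET /../../etc/passwd"),
]

# Signature database (constructed): name -> pattern of a known attack
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}


def signature_detect(records):
    """Signature detection: scan each record's detail against the signature database."""
    return [(t, user, name)
            for t, user, _, detail in records
            for name, pat in SIGNATURES.items() if pat.search(detail)]


def threshold_detect(records, kind="login_fail", limit=3, window=60):
    """Threshold detection: count events of one kind per user in a sliding time window."""
    recent, alerts = {}, []
    for t, user, k, _ in records:
        if k != kind:
            continue
        q = recent.setdefault(user, deque())
        q.append(t)
        while t - q[0] > window:      # drop events that fell out of the window
            q.popleft()
        if len(q) >= limit:
            alerts.append((t, user, f"{len(q)} {kind} in {window}s"))
    return alerts


def profile_detect(baseline_gaps, observed_gap, z_limit=3.0):
    """Profile-based detection on an interval timer: the gap between successive logins.
    Returns (is_anomalous, z_score) comparing the new gap with the user's past behaviour."""
    mean = statistics.mean(baseline_gaps)
    sd = statistics.pstdev(baseline_gaps)
    z = (observed_gap - mean) / sd if sd else 0.0
    return abs(z) > z_limit, round(z, 2)
```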
Intrusion Detection Architectures
Host-based IDS
Network-based IDS

Host-based IDS
Monitor activities on hosts for
Known attacks or
Designed to detect attacks such as
Escalation of privilege
Little or no view of network activities

Placement of Host-based IDS
Deployment options:
Key servers that contain mission-critical and sensitive information;
FTP and DNS servers;
E-commerce database servers, etc.
Workstations

[Figure: placement of host-based IDS sensors, with a console on the perimeter network and sensors on the mail server, web server and Human Resources network behind the Internet firewall]

Network-based IDS
Monitor activity on the network for
Suspicious network activity
Designed to detect attacks such as
Denial of service
Malformed packets, etc.
Can be some overlap with firewall
Little or no view of host-based attacks

Placement of Network-based IDS
Deployment options:
Just inside firewall
Combination of both will detect attacks getting through the firewall and may help to refine the firewall rule set.
Behind remote access server
Between business units
Between corporate network and partner networks

[Figure: placement of network-based IDS sensors, with a console and sensors on the perimeter network and the protected network behind the Internet firewall, mail server and web server]

Conclusions
Future research trends seem to be converging towards a model that is a hybrid of the anomaly and misuse detection models.
It is slowly being acknowledged that neither of the models can detect all intrusion attempts on its own.

Thank you.
Concept by: © Korian Corp.