INTRUSION DETECTION (presentation transcript)
Category: Education. Added: November 25, 2011. Description: Intrusion Detection System.

INTRUSION DETECTION & PREVENTION SYSTEM
Presented by: Isha Gupta, CSE 2nd year, 2309059

TABLE OF CONTENTS
- What is intrusion detection?
- Intrusion detection and prevention: definition
- Jargon related to IDPS
- Common detection methodologies
- Types of IDPS technologies
- Types of responses
- Who are the targets?
- Where can an IDPS be installed?
- What an IDPS can do
- What an IDPS cannot do
- Leading products
- Conclusion

WHAT IS INTRUSION DETECTION?
An intrusion is a deliberate, unauthorized attempt to access or manipulate information or a system, and to render them unreliable or unusable. Intrusion detection provides:
- Monitoring and analysis of user and system activity
- Auditing of system configurations and vulnerabilities
- Assessing the integrity of critical system and data files
- Statistical analysis of activity patterns based on matching to known attacks
- Abnormal activity analysis
- Operating system audit

JARGON RELATED TO IDS
- Alert/Alarm: a signal suggesting that a system has been or is being attacked.
- True positive: a legitimate attack which triggers an IDS to produce an alarm.
- False positive: an event signalling an IDS to produce an alarm when no attack has taken place.
- False negative: a failure of an IDS to detect an actual attack.
- True negative: no attack has taken place and no alarm is raised.
- Noise: data or interference that can trigger a false positive.

INTRUSION DETECTION & PREVENTION SYSTEM
- IDS: an intrusion detection system (IDS) is software that automates the intrusion detection process.
- IPS: an intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.

COMMON DETECTION METHODOLOGIES
- Signature-based detection
- Anomaly-based detection
- Stateful protocol analysis

SIGNATURE-BASED DETECTION
A signature is a pattern that corresponds to a known threat. Signature-based detection is the process of comparing signatures against observed events to identify possible incidents. For example:
- A telnet attempt with a username of "root", which is a violation of an organization's security policy
- An e-mail with a subject of "Free pictures!" and an attachment filename of "freepics.exe", which are characteristics of a known form of malware
- An operating system log entry with a status code value of 645, which indicates that the host's auditing has been disabled

ANOMALY-BASED DETECTION
Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations, using pre-generated "profiles".
- Previously unknown threats are detectable.
- Profiles can be developed for many behavioural attributes.
- Complex computer activity can make profiles error-prone.
- False positives are more frequent.

STATEFUL PROTOCOL ANALYSIS
Stateful protocol analysis is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations. SPA:
- Relies on vendor-developed universal profiles.
- Can identify unexpected sequences of commands.
- Performs network-based deep packet inspection and covers host-based activity as well.
- Uses protocol models from standards bodies such as the IETF (RFCs).
Drawbacks:
- Resource intensive.
- May cause a "denial of service".
- The IDPS protocol model may conflict with the actual protocol implementation.

TYPES OF IDPS TECHNOLOGIES
- Network-based IDPS
- Wireless IDPS
- Network behaviour analysis
- Host-based IDPS

NETWORK-BASED IDPS
- Monitors network traffic for particular network segments or devices.
- Analyzes the network and application protocol activity to identify suspicious activity.
- Can identify many different types of events of interest.
- Most commonly deployed at a boundary between networks, such as in proximity to border firewalls or routers, virtual private network (VPN) servers, remote access servers, and wireless networks.
- Example: Snort

NETWORK BEHAVIOUR ANALYSIS
- Examines network traffic to identify threats that generate unusual traffic flows.
- Employed for intrusions such as distributed denial of service (DDoS) attacks, certain forms of malware (e.g., worms, backdoors), and policy violations (e.g., a client system providing network services to other systems).
- NBA systems are most often deployed to monitor flows on an organization's internal networks; they are sometimes deployed where they can monitor flows between an organization's networks and external networks (e.g., the Internet, business partners' networks).

HOST-BASED IDPS
- Monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
- Examples of the characteristics a host-based IDPS might monitor are network traffic (only for that host), system logs, running processes, application activity, file access and modification, and system and application configuration changes.
- Host-based IDPSs are most commonly deployed on critical hosts such as publicly accessible servers and servers containing sensitive information.

WIRELESS IDPS
- Monitors wireless network traffic and analyzes its wireless networking protocols to identify suspicious activity involving the protocols themselves.
- Cannot identify suspicious activity in the application or higher-layer network protocols (e.g., TCP, UDP) that the wireless network traffic is transferring.
- Most commonly deployed within range of an organization's wireless network to monitor it.
- Can also be deployed to locations where unauthorized wireless networking could be occurring.

TYPES OF RESPONSE
Alteration to the environment:
- Change a rule on a router
- Change a rule on a firewall
Striking back (not recommended):
- Execute a script to collect information about the attacker
- Send a 20-megabyte file back to anyone running finger against you
- Downside: an acknowledgement is sent to the attacker
Real-time notification:
- Send a pager alert
- SNMP alarms
- Send email to one or more recipients
- Visual on-screen or audible alarms

WHO ARE THE TARGETS?
- Simply being connected is a good enough reason to be a target.
- The search for easy-to-compromise hosts is ongoing.
- Fast bandwidth is now a cheap commodity: cable modem and ADSL access is the equivalent of having a T1 link in your home.
- Kids of all ages can scan a whole country in a very short time frame.
- No specific motive: they do it for fame, fun, to show off, or just because they have nothing else to do.
- No technical knowledge is required to be a "script kiddie".

E-COMMERCE + WELL-KNOWN NAME = HACKER TARGET
A clear example is the denial of service attacks against Yahoo, eBay, and other popular sites.
ICSA Info Security Magazine, Sept 2000: comparison of e-commerce sites vs. non-e-commerce sites (percentage of sites reporting each incident type)

Threat                      E-comm site   Non-e-comm site
Viruses/Trojan/worm         82%           76%
Denial of service           42%           31%
Active Scripting exploit    40%           34%
Protocol weaknesses         29%           23%
Insecure passwords          30%           20%
Buffer overflow             29%           20%
Bugs in web server          33%           16%

THE TOP 10 INTERNET THREATS (Top 10 from SANS Institute)
1. BIND weaknesses
2. Vulnerable CGI programs and extensions on web servers
3. Remote Procedure Call (RPC) weaknesses (NFS and remote execution)
4. IIS Remote Data Services (for example .htr files)
5. Sendmail buffer overflow
6. Solaris sadmind and mountd
7. Global file sharing (NetBIOS, Macintosh web sharing, UNIX NFS)
8. Use of weak passwords or no password on user IDs
9. IMAP/POP buffer overflow or incorrect configuration
10. Default SNMP community strings set to 'public' and 'private'

NEED FOR AN IDPS
Example: RelTunnel, an ICMP tunnel. A great deal of money is spent on concrete walls (firewalls), but they are of no use if someone can dig through them.

WHERE CAN AN IDPS BE INSTALLED?
- Between the network and the extranet
- In the DMZ, before the firewall
- Between the firewall and your network, to identify a threat in case the firewall is penetrated
- In the remote access environment
- Between your servers and the user community, to identify attacks from the inside
- On the intranet, FTP, and database environments

WHAT CAN AN IDS REALISTICALLY DO?
- Monitor and analyse user and system activities.
- Audit system and configuration vulnerabilities.
- Assess the integrity of critical system and data files.
- Recognize patterns reflecting known attacks.
- Statistical analysis for abnormal activities.
- Data trail: trace activities from the point of entry up to the point of exit.
- Installation of decoy servers (honey pots).
- Installation of vendor patches (some IDS).

WHAT AN IDS CANNOT DO
- Compensate for weak authentication and identification mechanisms.
- Investigate attacks without human intervention.
- Guess the content of your organization's security policy.
- Compensate for weaknesses in networking protocols, for example IP spoofing.
- Compensate for the integrity or confidentiality of information.
- Analyze all traffic on a very high-speed network.
- Deal adequately with attacks at the packet level.
- Deal adequately with modern network hardware.

EVASION TECHNIQUES
Evasion techniques are used in order to navigate below the radar of your IDS:
- Fragmentation
- Slow scan
- Stealth scan
- Out-of-order packets
- Ambiguous packet (crafting)
- Encoding such as %u, UTF (%xx%xx), hex (%xx)
- Use of a well-known port (Code Red)

EVASION TECHNIQUES - %u ENCODING
- Announced 5 Sept 2001 by eEye Digital Security.
- Almost all IDS are vulnerable except Snort, Symantec, and NAI.
- Not a standard; Microsoft-specific only and unknown to other vendors.
- So if an attacker sent a %u-encoded request, they could bypass an IDS checking for ".ida". An example stealth Code Red request would look like:
  GET /himom.id%u0061 HTTP/1.0

FEATURES TO LOOK FOR
- What specialized equipment is required?
- Is the product network- or host-based?
- How much do updates cost?
- Is it capable of automated response to attacks?
- How customizable is it?
- What is the incidence rate of false positives?
- What kind of expertise is required to support it?

LEADING PRODUCTS
- Dragon from Enterasys: http://www.enterasys.com/ids/
- Cisco Secure IDS: http://www.cisco.com/go/ids/
- Snort: http://www.snort.org/
- ISS RealSecure: http://www.iss.net/securing_e-business/
- SHADOW: http://www.whitehats.ca, ftp://ftp.whitehats.ca/pub/ids/shadow-slack/shadow.iso

REFERENCES
- http://www.wikipedia.com
- Karen Scarfone and Peter Mell, Guide to Intrusion Detection and Prevention Systems (IDPS), February 2007
- SANS Institute InfoSec Reading Room
- Rebecca Bace, Introduction to Intrusion Detection, ICSA Publications. URL: http://www.icsa.net/html/communities/ids/White%20paper/Intrusion1.pdf
- Extra reading: http://secinf.net/info/ids/idspaper/idspaper.html
- R. Durst et al., "Testing and Evaluating Computer Intrusion Detection Systems," Comm. ACM, Vol. 42, No. 7, 1999, pp. 53–61.
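The signature-based detection slide and the "Jargon related to IDS" slide above describe pattern matching and the four alarm outcomes in words. The following is an added example, not code from the presentation: it encodes the slide's three example signatures (telnet login as root, the "Free pictures!" mail with freepics.exe, and OS log status code 645) as predicates, runs them over a constructed event stream, and scores the result as true/false positives and negatives. The event field names, rule names and the "is_attack" ground-truth label are assumptions made for this example.

```python
# Added example (not from the presentation): signature-based detection over a
# constructed stream of events, with the alarm bookkeeping from the "Jargon
# related to IDS" slide. Field names, rule names and the 'is_attack' ground-
# truth label are assumptions made for this example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]  # one observed event as a flat map of field -> value


@dataclass
class Signature:
    name: str
    matches: Callable[[Event], bool]  # predicate: does this event fit the pattern?


# The three examples on the slide, written as predicates over event fields.
SIGNATURES: List[Signature] = [
    Signature("telnet-root-login",
              lambda e: e.get("service") == "telnet" and e.get("username") == "root"),
    Signature("freepics-malware-mail",
              lambda e: e.get("type") == "email"
              and e.get("subject") == "Free pictures!"
              and e.get("attachment", "").lower() == "freepics.exe"),
    Signature("auditing-disabled-645",
              lambda e: e.get("type") == "oslog" and e.get("status_code") == "645"),
]


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, signature name) for every signature that fires."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for sig in SIGNATURES:
            if sig.matches(ev):
                hits.append((i, sig.name))
    return hits


def confusion(events: List[Event], hits: List[Tuple[int, str]]) -> Dict[str, int]:
    """Count true/false positives/negatives against the 'is_attack' label."""
    alarmed = {i for i, _ in hits}
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for i, ev in enumerate(events):
        attack = ev.get("is_attack") == "yes"
        alarm = i in alarmed
        if attack and alarm:
            counts["TP"] += 1      # legitimate attack, alarm raised
        elif not attack and alarm:
            counts["FP"] += 1      # alarm with no attack behind it
        elif attack and not alarm:
            counts["FN"] += 1      # attack the signatures did not cover
        else:
            counts["TN"] += 1      # nothing happened, nothing alarmed
    return counts


def rates(counts: Dict[str, int]) -> Dict[str, float]:
    """Detection rate TP/(TP+FN) and false-positive rate FP/(FP+TN)."""
    return {
        "detection_rate": counts["TP"] / max(1, counts["TP"] + counts["FN"]),
        "false_positive_rate": counts["FP"] / max(1, counts["FP"] + counts["TN"]),
    }


# Constructed sample events; the labels are ours and exist only to score the rules.
SAMPLE_EVENTS: List[Event] = [
    {"type": "login", "service": "telnet", "username": "root", "is_attack": "yes"},
    {"type": "login", "service": "ssh", "username": "alice", "is_attack": "no"},
    {"type": "email", "subject": "Free pictures!", "attachment": "freepics.exe", "is_attack": "yes"},
    {"type": "email", "subject": "Free pictures!", "attachment": "holiday.jpg", "is_attack": "no"},
    {"type": "oslog", "status_code": "645", "is_attack": "yes"},
    {"type": "oslog", "status_code": "200", "is_attack": "no"},
    # an attack no signature covers: the IDS stays silent (false negative)
    {"type": "login", "service": "telnet", "username": "admin", "is_attack": "yes"},
    # auditing switched off by a scheduled maintenance job: the signature still fires (false positive)
    {"type": "oslog", "status_code": "645", "is_attack": "no"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for idx, name in found:
        print(f"event {idx}: {name}")
    summary = confusion(SAMPLE_EVENTS, found)
    print(summary, rates(summary))
```

The two deliberately awkward events at the end show why the jargon matters: a signature is only as good as its pattern, so an attack that the pattern does not describe is a false negative, and a benign event that happens to fit the pattern is a false positive. Tuning is a trade between those two counts, and the detection and false-positive rates are the numbers a practitioner would track while doing it.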
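The anomaly-based detection slide above says that a profile of normal activity is compared against observed events, that previously unknown threats become detectable, and that false positives are more frequent. The following added example (not code from the presentation) builds a per-account profile of logins per day from a constructed baseline, scores new observations by how many standard deviations they sit from the learned mean, and shows both sides of the slide's claim. The baseline figures, the choice of logins-per-day as the behavioural attribute, and the 3-sigma threshold are assumptions made for this example.

```python
# Added example (not from the presentation): anomaly-based detection with a
# per-account "profile" of normal activity. The baseline figures and the choice
# of logins-per-day as the behavioural attribute are assumptions made here.
import statistics
from typing import Dict, List, Tuple

# Constructed baseline: successful logins per day per account over ten days.
BASELINE: Dict[str, List[int]] = {
    "alice":      [10, 12, 11, 9, 10, 13, 11, 10, 12, 11],
    "svc-backup": [1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
}

Profile = Dict[str, Tuple[float, float]]  # account -> (mean, standard deviation)


def build_profile(baseline: Dict[str, List[int]], min_stdev: float = 1.0) -> Profile:
    """Learn what 'normal' looks like for each account from the training window.

    The standard deviation is floored at min_stdev: an account that is perfectly
    regular in training would otherwise alarm on any change at all."""
    profile: Profile = {}
    for user, counts in baseline.items():
        profile[user] = (statistics.fmean(counts), max(statistics.pstdev(counts), min_stdev))
    return profile


def z_score(profile: Profile, user: str, observed: int) -> float:
    """How many standard deviations the observation sits from the learned mean."""
    mean, stdev = profile[user]
    return (observed - mean) / stdev


def detect_anomalies(profile: Profile, observations: Dict[str, int],
                     threshold: float = 3.0) -> Dict[str, str]:
    """Classify each account's observed count as normal / anomaly / no-profile."""
    verdicts: Dict[str, str] = {}
    for user, count in observations.items():
        if user not in profile:
            verdicts[user] = "no-profile"   # never seen in training: nothing to compare against
        elif abs(z_score(profile, user, count)) > threshold:
            verdicts[user] = "anomaly"
        else:
            verdicts[user] = "normal"
    return verdicts


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    # A service account suddenly logging in 40 times and a user far above baseline
    # both stand out, although no signature describes what they are doing.
    print(detect_anomalies(prof, {"alice": 45, "svc-backup": 40, "bob": 5}))
    # The slide's caveat: alice's legitimately busy day (15 logins) also crosses the threshold.
    print(detect_anomalies(prof, {"alice": 15}))
```

Nothing in this code knows what an attack looks like, which is exactly why it can flag the compromised service account. The price is visible in the second run: a user who is merely busier than usual trips the same threshold, and an account with no training history ("bob") cannot be judged at all. Raising the threshold or lengthening the training window lowers the false-positive count but lets smaller deviations through.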
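The stateful protocol analysis slide above says the IDPS tracks each protocol state, flags unexpected sequences of commands, and may conflict with the real protocol implementation. The following added example (not code from the presentation) walks a client's SMTP command lines through a small state model and reports each deviation. The state table is a deliberately reduced subset of SMTP written for this example, and the argument-length check is one deviation type beyond the "unexpected sequence of commands" the slide names; the sample sessions are constructed.

```python
# Added example (not from the presentation): stateful protocol analysis of a
# client's SMTP command sequence. The state model is a deliberately small
# subset of SMTP written for this example (assumption), and the argument-length
# check is an extra deviation type beyond the "unexpected sequence" the slide names.
from typing import Dict, List, Set

# Which commands the model considers benign in each protocol state.
ALLOWED: Dict[str, Set[str]] = {
    "CONNECTED": {"HELO", "EHLO", "NOOP", "QUIT"},
    "GREETED":   {"HELO", "EHLO", "MAIL", "RSET", "NOOP", "QUIT"},
    "MAIL":      {"RCPT", "RSET", "NOOP", "QUIT"},
    "RCPT":      {"RCPT", "DATA", "RSET", "NOOP", "QUIT"},
}

# State reached after an accepted command; commands absent here keep the current state.
NEXT_STATE: Dict[str, str] = {
    "HELO": "GREETED", "EHLO": "GREETED", "MAIL": "MAIL", "RCPT": "RCPT",
    "DATA": "DATA", "RSET": "GREETED", "QUIT": "CLOSED",
}
KNOWN: Set[str] = set(NEXT_STATE) | {"NOOP"}


def analyze_session(lines: List[str], max_arg_len: int = 256) -> List[str]:
    """Walk the client's lines through the state model; return one string per deviation."""
    state = "CONNECTED"
    alerts: List[str] = []
    for n, line in enumerate(lines, 1):
        if state == "DATA":
            # Message body is opaque to the protocol model; a lone '.' ends it.
            if line == ".":
                state = "GREETED"
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd not in KNOWN:
            alerts.append(f"line {n}: command {cmd!r} is not in the protocol model (state {state})")
            continue
        if cmd not in ALLOWED[state]:
            alerts.append(f"line {n}: {cmd} not expected in state {state}")
            continue  # a rejected command does not advance the state
        if len(arg) > max_arg_len:
            alerts.append(f"line {n}: {cmd} argument is {len(arg)} bytes, above {max_arg_len}")
        state = NEXT_STATE.get(cmd, state)
        if state == "CLOSED":
            break
    return alerts


# Constructed sessions (client side only).
WELL_FORMED = [
    "EHLO mail.example.test",
    "MAIL FROM:<a@example.test>",
    "RCPT TO:<b@example.test>",
    "DATA",
    "Subject: hello",
    "",
    "body text",
    ".",
    "QUIT",
]
OUT_OF_ORDER = [
    "MAIL FROM:<a@example.test>",                   # MAIL before any greeting
    "EHLO probe",
    "DATA",                                          # DATA with no sender or recipient
    "RCPT TO:<b@example.test>",                      # RCPT before MAIL
    "MAIL FROM:<" + "A" * 300 + "@example.test>",    # oversized argument
]
# The slide's drawback in miniature: VRFY is a real SMTP command that this
# model simply does not know, so a legitimate client gets flagged.
UNMODELLED = ["EHLO mail.example.test", "VRFY postmaster", "QUIT"]

if __name__ == "__main__":
    for name, session in [("well-formed", WELL_FORMED),
                          ("out-of-order", OUT_OF_ORDER),
                          ("unmodelled", UNMODELLED)]:
        print(name, analyze_session(session))
```

The third session is the point to take away: the analyzer is only as complete as its model of the protocol, so a real-world command the model omits produces an alert on perfectly legitimate traffic. That is the "model may conflict with the actual protocol implementation" drawback from the slide, and keeping the model aligned with what the monitored servers actually accept is ongoing work.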
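The %u encoding slide above gives the defender's problem in one line: an IDS that matches ".ida" against the raw request misses "GET /himom.id%u0061 HTTP/1.0" because the server decodes %u0061 to "a" and the IDS does not. The following added example (not code from the presentation or from any IDS vendor) shows the fix on the detection side: normalise %uXXXX and %XX escapes in the request path until nothing changes, then apply the signature. The ".ida" signature and the plain and %u-encoded request lines come from the slide; the remaining request lines are constructed, and the decoder is our own, assuming the monitored server honours %u as IIS did at the time.

```python
# Added example (not from the presentation): normalising %uXXXX and %XX escapes
# in a request path before a signature is matched, so the IDS sees the same
# characters the web server would. The decoder is our own (assumption: the
# monitored server honours the Microsoft-specific %u form).
import re
from typing import List, Tuple

PCT_U = re.compile(r"%[uU]([0-9a-fA-F]{4})")   # Microsoft-specific %uXXXX form
PCT_XX = re.compile(r"%([0-9a-fA-F]{2})")      # standard %XX form


def normalize_uri(raw: str) -> str:
    """Decode %u and %XX escapes until nothing changes, so double-encoding
    (e.g. %2561 -> %61 -> 'a') is also undone."""
    prev, cur = None, raw
    while cur != prev:
        prev = cur
        cur = PCT_U.sub(lambda m: chr(int(m.group(1), 16)), cur)
        cur = PCT_XX.sub(lambda m: chr(int(m.group(1), 16)), cur)
    return cur


def request_path(request_line: str) -> str:
    """Pull the path out of 'METHOD path HTTP/x.y'."""
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else request_line


def naive_match(request_line: str, needle: str = ".ida") -> bool:
    """Signature applied to the raw request: what the vulnerable IDS on the slide did."""
    return needle in request_path(request_line)


def normalized_match(request_line: str, needle: str = ".ida") -> bool:
    """Signature applied after normalisation."""
    return needle in normalize_uri(request_path(request_line))


def uses_percent_u(request_line: str) -> bool:
    """A second, cheaper signal: %u is non-standard, so its mere presence merits an alert."""
    return PCT_U.search(request_path(request_line)) is not None


# Request lines: the first two are the slide's plain and %u-encoded forms,
# the rest are constructed variants.
SAMPLE_REQUESTS: List[str] = [
    "GET /default.ida HTTP/1.0",
    "GET /himom.id%u0061 HTTP/1.0",
    "GET /himom.id%61 HTTP/1.0",
    "GET /himom.id%2561 HTTP/1.0",
    "GET /index.html HTTP/1.0",
]


def compare(requests: List[str]) -> List[Tuple[str, bool, bool]]:
    """(request, naive verdict, normalised verdict) for each line."""
    return [(r, naive_match(r), normalized_match(r)) for r in requests]


if __name__ == "__main__":
    for req, naive, norm in compare(SAMPLE_REQUESTS):
        print(f"{req:32} raw={naive!s:5} normalised={norm!s:5} %u={uses_percent_u(req)}")
```

The design point is that the IDS must decode the way the target decodes. Because %u is not a standard, a server that does not honour it would serve "/himom.id%u0061" literally, so normalising it for every host trades the slide's false negative for a possible false positive; the uses_percent_u signal is a useful complement precisely because the encoding itself has no legitimate reason to appear.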