Signature Based and Anomaly Based Network Intrusion Detection - PowerPoint PPT Presentation

Provided by: csSjsuEd3
Learn more at: http://www.cs.sjsu.edu
1
Signature Based and Anomaly Based Network
Intrusion Detection
  • By Stephen Loftus and Kent Ho
  • CS 158B

2
Agenda
  • Introduce Network Intrusion Detection (NID)
  • Signature
  • Anomaly
  • Compare and contrast: signature-based vs.
    anomaly-based NID
  • Example using Ethereal

3
Intrusion Detection Systems
  • Intrusion detection begins where the firewall
    ends.
  • Preventing unauthorized entry is best, but not
    always possible.
  • It is important that the system is reliable and
    accurate and secure.

4
IDS (cont.)
  • When designing an IDS, the mission is to protect
    the data:
  • Confidentiality - read
  • Integrity - read/write
  • Availability - read/write/access
  • Threats can come from both outside and inside the
    network.

5
Signature
  • Signature-based IDS look for known patterns of
    detrimental activity.
  • Benefits
  • Low alarm rates: all it has to do is look up the
    list of known attack signatures and, if it finds
    a match, report it.
  • Signature-based NID are very accurate.
  • Speed: the systems are fast since they only
    compare what they are seeing against a
    predetermined rule.

6
Signature (cont.)
  • Negatives
  • If someone develops a new attack, there will be
    no protection.
  • Only as strong as its rule set.
  • Attacks can be masked by splitting up the
    messages across packets.
  • Similar to anti-virus: after a new attack is
    recorded, the data files need to be updated
    before the network is secure.
  • Example
  • Port scan
  • DoS
  • Sniffing
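To make the two signature slides concrete, here is a small added example (written for this transcript, not part of the original deck) of a signature-based matcher. The rule names and patterns are hypothetical and the traffic is constructed inline. It shows the three points above in code: a known pattern is matched quickly and accurately, a request that is not in the rule set produces no alert at all, and a request split across two segments is missed by per-packet matching but caught once the flow is reassembled.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed rule set. The rule names and patterns are hypothetical; they are
# not taken from any real IDS signature feed.
SIGNATURES = [
    {"name": "hypothetical-cgi-probe", "dport": 80,
     "pattern": re.compile(rb"/cgi-bin/hypothetical_vuln\.cgi")},
    {"name": "hypothetical-ftp-overlong-user", "dport": 21,
     "pattern": re.compile(rb"USER A{64,}")},
]


def match_packet(pkt):
    """Signature detection: compare one packet (or one reassembled stream)
    against every known rule and return the names of the rules that match."""
    return [sig["name"] for sig in SIGNATURES
            if pkt.dport == sig["dport"] and sig["pattern"].search(pkt.payload)]


def reassemble(packets):
    """Join the payloads of every (src, dst, dport) flow in arrival order, so a
    pattern that was split across two segments is seen as one string."""
    streams = {}
    for p in packets:
        streams.setdefault((p.src, p.dst, p.dport), bytearray()).extend(p.payload)
    return [Packet(src, dst, dport, bytes(data))
            for (src, dst, dport), data in streams.items()]


def detect(packets, reassemble_streams=True):
    """Return (source, rule name) pairs, with or without stream reassembly."""
    units = reassemble(packets) if reassemble_streams else packets
    return [(u.src, name) for u in units for name in match_packet(u)]


# Constructed sample traffic (hypothetical addresses and requests).
SERVER = "10.0.0.80"
TRAFFIC = [
    # benign request: matches nothing
    Packet("10.0.0.5", SERVER, 80, b"GET /index.html HTTP/1.1\r\n"),
    # known pattern in a single packet: matched by both modes
    Packet("10.0.0.9", SERVER, 80,
           b"GET /cgi-bin/hypothetical_vuln.cgi?x=1 HTTP/1.1\r\n"),
    # same request split across two segments: only caught after reassembly
    Packet("10.0.0.7", SERVER, 80, b"GET /cgi-bin/hypothe"),
    Packet("10.0.0.7", SERVER, 80, b"tical_vuln.cgi?x=1 HTTP/1.1\r\n"),
    # a new, not-yet-recorded pattern: no rule, so no protection
    Packet("10.0.0.11", SERVER, 80,
           b"GET /cgi-bin/some_new_unknown.cgi HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    print("per-packet:", detect(TRAFFIC, reassemble_streams=False))
    print("reassembled:", detect(TRAFFIC))
```

Per-packet matching reports only 10.0.0.9; after reassembly 10.0.0.7 is reported as well, and 10.0.0.11 is never reported because its pattern is not in the rule set. That last case is exactly the "only as strong as its rule set" limitation.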

7
Anomaly
  • Anomaly-based IDS work by tracking behavior and
    flagging unknown, unique patterns as detrimental
    activity.
  • Advantages
  • Helps to reduce the limitations of signature
    matching, since no prior knowledge of the attack
    is needed.
  • Conducts a thorough screening of what comes
    through.

8
Anomaly (cont.)
  • Disadvantages
  • False positives: it catches too much, because
    behavior-based NIDs monitor a system on the
    basis of its behavior patterns.
  • Painstakingly slow to do exhaustive monitoring;
    uses up a lot of resources.
  • After an anomaly has been detected, it may
    become a signature.

9
Anomaly vs. Signature
  • Which is the best way to defend your network?
  • Both have advantages.
  • Signature can be used as a stand-alone system.
  • Anomaly has a few weak points that prevent it
    from being a stand-alone system.
  • Signature is the better of the two for defending
    your network.
  • The best way is to use both!

10
Example
  • Using Ethereal to detect a port scan
  • A port scan is when a person executes sequential
    port open requests trying to find an open port.
    Most of these come back with a reset (TCP RST).
  • Normal TCP/IP port request
  • Port request on closed port
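The anomaly slides and this port-scan example fit together, so here is one added example (written for this transcript, not from the deck) of an anomaly-based detector for the scan described above. It learns a baseline of how many distinct ports a normal host contacts, then flags a source that exceeds that baseline and whose requests mostly come back with a RST, the "port request on closed port" case. The hosts, ports and exchanges are constructed; the flag strings are a simplified notation for SYN, SYN-ACK and RST.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class TcpEvent:
    src: str
    dst: str
    dport: int
    flags: str  # simplified: "S" = SYN, "SA" = SYN-ACK, "R" = RST


def syn_probe(client, server, port, port_open):
    """Constructed exchange: client sends SYN; an open port answers SYN-ACK,
    a closed port answers RST (the reset seen in the Ethereal capture)."""
    reply = "SA" if port_open else "R"
    return [TcpEvent(client, server, port, "S"), TcpEvent(server, client, port, reply)]


def profile(events):
    """Per-source behavior profile: number of distinct destination ports
    requested, and number of RST replies that came back to that source."""
    ports = defaultdict(set)
    resets = defaultdict(int)
    for e in events:
        if e.flags == "S":
            ports[e.src].add(e.dport)
        elif e.flags == "R":
            resets[e.dst] += 1  # the RST flows back to the original requester
    return {src: (len(ports[src]), resets[src]) for src in ports}


def learn_baseline(training_events, margin=3):
    """Anomaly baseline: the most distinct ports any host touched in normal
    traffic, plus a margin so ordinary variation is not flagged."""
    return max(nports for nports, _ in profile(training_events).values()) + margin


def detect_scans(events, port_threshold, min_reset_ratio=0.5):
    """Flag sources that exceed the port baseline AND mostly hit closed ports.
    Setting min_reset_ratio=0 shows the false-positive problem: a busy but
    legitimate host is then flagged too."""
    alerts = []
    for src, (nports, nresets) in profile(events).items():
        if nports > port_threshold and nresets / nports >= min_reset_ratio:
            alerts.append(src)
    return alerts


# Constructed normal traffic used to learn the baseline (hypothetical hosts).
SERVER = "10.0.0.80"
TRAINING = (
    syn_probe("10.0.0.5", SERVER, 80, True) + syn_probe("10.0.0.5", SERVER, 443, True)
    + syn_probe("10.0.0.6", SERVER, 22, True) + syn_probe("10.0.0.6", SERVER, 80, True)
    + syn_probe("10.0.0.6", SERVER, 443, True)
)

# Constructed live traffic: one normal client, one busy-but-legitimate admin
# host (all its ports are open), and one host walking sequential ports where
# most requests come back with RST.
LIVE = syn_probe("10.0.0.5", SERVER, 80, True)
for p in (22, 25, 53, 80, 110, 143, 443):
    LIVE += syn_probe("10.0.0.6", SERVER, p, True)
for p in range(20, 30):
    LIVE += syn_probe("10.0.0.99", SERVER, p, p in (22, 25))

if __name__ == "__main__":
    threshold = learn_baseline(TRAINING)
    print("baseline distinct-port threshold:", threshold)
    print("scans (with RST ratio):", detect_scans(LIVE, threshold))
    print("scans (ports only):", detect_scans(LIVE, threshold, min_reset_ratio=0.0))
```

With the reset ratio in place only 10.0.0.99 is reported; with the ratio disabled the legitimate admin host 10.0.0.6 is reported as well, which is the false-positive cost of a purely behavior-based rule that the deck warns about. Once the 10.0.0.99 pattern is confirmed, the threshold and reset-ratio pair can be written down as a fixed rule, which is the "an anomaly may become a signature" step.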