Intrusion Detection Systems - PowerPoint PPT Presentation

About This Presentation
Title:

Intrusion Detection Systems

Description:

1984-SRI int'l develop method of tracking and analyzing of users of ARPANET, ... 1988-Haystack project - IDS based on using defined patterns of misuse, resulting ... – PowerPoint PPT presentation

Number of Views:27
Avg rating:3.0/5.0
Slides: 20
Provided by: yama69
Learn more at: http://www.cs.fsu.edu

Transcript and Presenter's Notes

1
Intrusion Detection Systems
2
Intrusion Detection Systems
  • 1980 - Paper written detailing the importance of
    audit data in detecting misuse and anomalous user
    behavior
  • 1984 - SRI Int'l develops a method of tracking and
    analyzing ARPANET users, resulting in the 1st IDS
  • 1988 - Haystack project: an IDS based on defined
    patterns of misuse, leading on to the Distributed
    IDS (DIDS)
  • 1990 - Todd Heberlein: Network Security Monitor,
    the 1st network-based monitor; the interest it
    generated led to commercial development and the
    IDS boom we see today.

3
What are Intrusion Detection Systems?
  • Not a firewall!
  • A firewall is just that: a wall (allow/deny)
  • An IDS is a monitoring system: it takes note of
    what is going on and reports it to someone else
    to deal with.

4
What are Intrusion Detection Systems?
  • Sensors -> report security events
  • Console -> monitors events/alerts and controls
    the sensors
  • Engine -> logs the events reported by the sensors
    and generates alerts based upon security rules
  • All 3 components can live in a single place

5
Types of IDS
  • Based upon where the sensors are placed in the
    system as well as the rules used to generate
    alerts
  • Network IDS
  • Host-based IDS

6
Network IDS
  • Ideally sees all traffic, but this is not always
    practical (e.g. on switched networks)
  • Examines network traffic
  • Connected to a network device that allows port
    mirroring, or to a network tap
  • Signature-based vs anomaly-based

7
Network IDS
  • Signature-based (knowledge-based)
  • Most IDS are signature-based
  • Works like antivirus software: looks for attempts
    to exploit known vulnerabilities
  • This type is ineffective if the exploit is unknown
    to the system (no signature exists for it yet)

8
Network IDS
  • Anomaly-based (behavior-based)
  • This type observes deviation from the normal
    behavior of the system
  • Can catch new/unforeseen attacks, since no prior
    signature is needed
  • High false-positive rate; requires a learning
    phase and subsequent retraining as the network
    changes
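The two detection approaches from slides 7 and 8, as an added Python example that is not part of the original slides: a handful of signature rules matched against packet payloads, and a per-host anomaly baseline that is trained in a learning phase and then scores live traffic. The flow records, the signature strings, the 3-sigma threshold and the standard-deviation floor are all constructed or assumed for illustration, not taken from any real rule set.

```python
"""Added example (not from the slides): a minimal IDS engine that runs a
signature (knowledge-based) check and an anomaly (behavior-based) check over
constructed flow records. Signatures, thresholds and traffic are made up."""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection as a sensor would summarise it."""
    minute: int      # minute bucket in which the flow was seen
    src: str         # source IP address
    dst_port: int
    payload: bytes   # first bytes of application data


# Knowledge-based rules: byte strings seen in known attack traffic.
# Constructed for this example; real rule sets are far richer.
SIGNATURES = {
    "path-traversal": b"../../etc/passwd",
    "sqli-tautology": b"' OR 1=1",
    "shell-cmd-inject": b";/bin/sh",
}


def match_signatures(flow):
    """Names of every signature whose bytes occur in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat in flow.payload]


class AnomalyBaseline:
    """Behavior-based detector: learns flows-per-minute for each source host
    in a training phase, then flags a host whose rate exceeds its learned
    mean by more than k standard deviations. A host with no baseline is
    reported too: that is the false-positive source the slide warns about
    whenever the network changes and the model has not been retrained."""

    def __init__(self, k=3.0):
        self.k = k
        self.mean = {}
        self.stdev = {}

    @staticmethod
    def _rates(flows):
        """host -> {minute -> number of flows}"""
        per_host = defaultdict(lambda: defaultdict(int))
        for f in flows:
            per_host[f.src][f.minute] += 1
        return per_host

    def train(self, flows):
        for host, by_minute in self._rates(flows).items():
            counts = list(by_minute.values())
            self.mean[host] = statistics.fmean(counts)
            # Floor of 1.0 (assumed): a perfectly constant baseline would
            # otherwise make any change an infinite number of sigmas.
            self.stdev[host] = max(statistics.pstdev(counts), 1.0)

    def score(self, flows):
        """(host, reason) tuples; only increases above baseline are flagged."""
        alerts = []
        for host, by_minute in self._rates(flows).items():
            if host not in self.mean:
                alerts.append((host, "no baseline for host"))
                continue
            for minute, n in sorted(by_minute.items()):
                z = (n - self.mean[host]) / self.stdev[host]
                if z > self.k:
                    alerts.append((host, f"minute {minute}: {n} flows, z={z:.1f}"))
        return alerts


# Constructed training traffic: two hosts at a steady 4 and 3 flows/minute.
TRAINING = (
    [Flow(m, "10.0.0.5", 443, b"GET / HTTP/1.1") for m in range(10) for _ in range(4)]
    + [Flow(m, "10.0.0.7", 443, b"GET /index.html HTTP/1.1") for m in range(10) for _ in range(3)]
)

# Constructed live traffic: one signature hit from 10.0.0.5, a port scan
# (40 flows in one minute) from 10.0.0.7, and a host never seen in training.
LIVE = (
    [Flow(11, "10.0.0.5", 80, b"GET /../../etc/passwd HTTP/1.1")]
    + [Flow(11, "10.0.0.7", port, b"") for port in range(1, 41)]
    + [Flow(11, "10.0.0.9", 443, b"GET / HTTP/1.1")]
)


def run_engine(training, live, k=3.0):
    """Apply both detectors; returns (signature_alerts, anomaly_alerts)."""
    sig_alerts = [(f.src, name) for f in live for name in match_signatures(f)]
    baseline = AnomalyBaseline(k)
    baseline.train(training)
    return sig_alerts, baseline.score(live)


if __name__ == "__main__":
    sigs, anoms = run_engine(TRAINING, LIVE)
    print("signature alerts:", sigs)   # [('10.0.0.5', 'path-traversal')]
    print("anomaly alerts:", anoms)    # 10.0.0.7 scan and 10.0.0.9 no-baseline
```

Note what each detector misses: the signature check says nothing about the 40-connection scan because no rule describes it, and the anomaly check says nothing about the path-traversal payload because one request is well within 10.0.0.5's learned rate. The "no baseline" alert for 10.0.0.9 is harmless here but is exactly what floods a console after a network change until the baseline is retrained.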

9
Host-based IDS
  • Host-based: individual devices
  • Monitors a PC's system calls, application logs,
    file modifications
  • Covers a single device only!
  • Alerts the user/admin if something is detected

10
Hybrid IDS
  • Hybrid systems
  • Can be a combination of these systems, such as
    host-based + network-based
  • The hosts report to the network-based system for
    more comprehensive protection

11
Passive VS Reactive IDS
  • Among the variety of IDS flavors, they can be
    categorized into two major groups
  • Passive systems -> work by simply monitoring,
    detecting and alerting
  • Reactive systems -> perform whatever action or
    actions are needed in response to a detected
    threat

12
Passive IDS
  • Monitors the system for any suspicious or
    malicious activity
  • If something is found, evaluates it to determine
    whether it is a threat
  • If so, generates and sends an alert to the user
  • It is up to the user to take action

I just found a threat, user
13
Reactive IDS
  • Alerts the console user and attempts to respond
    according to its security rules/capabilities:
  • reprogram the firewall
  • reset connections
  • block IP addresses
  • Typically called an Intrusion Prevention System
    (IPS)
  • In effect an inline firewall with network- and
    application-level filtering

I found a threat and I'm taking care of it, oh yeah
14
IDS Evasion Techniques
  • Closely related to network attack methods
  • Designed to avoid detection by the IDS
  • Some basic and commonly known ways of attacking
    an IDS are through:
  • String matching weaknesses
  • Session assembly weaknesses
  • Denial of service techniques

15
String Matching Weaknesses
  • Easiest to implement and understand
  • Most IDS have a strong dependency on string
    matching
  • Use variants, string manipulation and character
    substitution (e.g. encoding) so that the bytes on
    the wire no longer match the signature
  • If the strings don't match, no threat is detected

16
Session Assembly Weakness
  • Works by dividing the attack string across
    several packets
  • Data is delivered a few bytes at a time, in
    fragmented or re-ordered IP/TCP packets, so that
    no single packet contains the string
  • To defend, the IDS must reassemble and understand
    the whole session the way the target host does
    (difficult and processor intensive)
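Both evasions above, string manipulation (slide 15) and splitting the attack across packets (slide 16), as one added Python example that is not part of the original slides: a naive per-packet byte matcher is run beside a detector that first reassembles the stream and normalises the request path. The request, the signature string, the encoding trick and the segment size are all constructed for illustration.

```python
"""Added example (not from the slides): two IDS evasions, string
manipulation and splitting across packets, against a naive per-packet byte
matcher and against a detector that reassembles the stream and normalises
the request path first. Request, pattern and segment size are constructed."""
from urllib.parse import unquote

PATTERN = b"../etc/passwd"   # the byte string the (constructed) rule looks for
ATTACK = b"GET /cgi-bin/../../etc/passwd HTTP/1.1"   # constructed request


def naive_match(segment):
    """Per-packet, exact-bytes string match, as on slide 15."""
    return PATTERN in segment


# --- Evasion 1: string manipulation / character substitution -------------

def encode_evasion(request):
    """Percent-encode the dots of every '../' and insert a harmless './'.
    The web server decodes and collapses this back to the same path, but the
    raw bytes no longer contain PATTERN."""
    return request.replace(b"../", b"%2E%2E/./")


def normalise(segment):
    """Undo what the target would undo before using the path: percent-decode
    (twice, in case the target double-decodes) and collapse '/./'. Only the
    path token of 'METHOD path VERSION' is touched."""
    parts = segment.decode(errors="replace").split(" ")
    if len(parts) >= 2:
        path = unquote(unquote(parts[1]))
        while "/./" in path:
            path = path.replace("/./", "/")
        parts[1] = path
    return " ".join(parts).encode()


# --- Evasion 2: session assembly weakness ---------------------------------

def fragment(request, chunk):
    """Split into (offset, bytes) segments of `chunk` bytes and deliver them
    in reverse order, so no single packet carries PATTERN and a per-packet
    matcher that does not reorder the stream never sees it."""
    segs = [(i, request[i:i + chunk]) for i in range(0, len(request), chunk)]
    return segs[::-1]


def reassemble(segments):
    """Order by offset and concatenate, as a TCP stream reassembler (or the
    victim host) does before the data reaches the application."""
    return b"".join(data for _, data in sorted(segments))


def detect(segments):
    """Session-aware detector: reassemble, normalise, then match."""
    return PATTERN in normalise(reassemble(segments))


def demo():
    """Run each evasion past both detectors; returns {case: detected?}."""
    enc = encode_evasion(ATTACK)
    split_plain = fragment(ATTACK, 4)
    split_enc = fragment(enc, 4)
    return {
        "plain_naive": naive_match(ATTACK),
        "encoded_naive": naive_match(enc),
        "encoded_normalised": detect([(0, enc)]),
        "split_naive": any(naive_match(d) for _, d in split_plain),
        "split_reassembled": detect(split_plain),
        "both_naive": any(naive_match(d) for _, d in split_enc),
        "both_reassembled": detect(split_enc),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:20s} detected={hit}")
```

The defending side has to do real work: buffer and order every segment of every session, then decode the data the way the destination application will. That buffering and decoding is the "difficult and processor intensive" cost the slide mentions, and it is also what the denial-of-service techniques on the next slide aim at.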

17
Denial of Service Technique
  • Characterized by preventing legitimate users of a
    service from using that service
  • Examples:
  • Consume the device's processing power
  • Fill up its disk space
  • Generate more alarms than the management systems
    can handle
  • Personnel unable to investigate all the alarms,
    so a real attack hides in the noise
  • Device lock-up

18
Towards the Future
  • IDS vendors and hardware will have to keep pace
    with switched networks and traffic increases
  • The future of IDS lies in data correlation:
  • AI
  • Data mining
  • Future IDS will produce results by examining
    input from different sources

19
Conclusion
  • Nearly every company depends on the Internet to
    survive, so IDS are here to stay
  • Also, as the technology for new IDS advances, so
    does the possibility of new threats
  • Security issues are always present
  • However, a promising future:
  • Statistical analysis
  • Predictive AI