Intrusion - PowerPoint PPT Presentation

About This Presentation
Title:

Intrusion

Description:

OSSEC HIDS. Strong log analysis engine. Correlate and analyze logs from different devices and formats. Can be centralized. Many different systems can be monitored. – PowerPoint PPT presentation

Slides: 21
Provided by: csFsuEdub6
Learn more at: http://www.cs.fsu.edu
Category:
Tags: hids | intrusion | ossec


Transcript and Presenter's Notes

Title: Intrusion


1
Intrusion Detection Systems
By William Pinkerton and Sean Burnside
2
What is IDS
  • IDS is the acronym for Intrusion Detection Systems
  • Secure systems from attack
  • Attacks on a system are through the network, by either
    • Crackers
    • Hackers
    • Disgruntled employees
  • Five different kinds of intrusion detection systems
    • Network-based
    • Protocol-based
    • Application-based
    • Host-based
    • Hybrid

3
History of IDS
  • Began in the mid 1980s
  • James P. Anderson
    • Computer Security Threat Monitoring and Surveillance
  • Fred Cohen
    • The inventor of defenses against viruses
    • Said: "It is impossible to detect an intrusion in every case, and the resources needed to detect intrusions grow with the amount of usage"
  • Dorothy E. Denning, assisted by Peter Neumann
    • Created an anomaly-based intrusion detection system
    • Named Intrusion Detection Expert System
    • Later version was named Next-generation Intrusion Detection Expert System

4
Passive vs. Reactive Systems
  • Passive system
    • First detects a breach
    • Logs the breach and/or alerts the administrator(s)
  • Reactive system
    • Goes beyond alerting on the breach, by either
      • Resetting the connection
      • Reprogramming the firewall

5
Firewall and Antivirus vs. IDS
  • Firewall
    • Blocks potentially harmful incoming or outgoing traffic
    • Does not detect intrusions
  • Antivirus
    • Scans files to identify or eliminate either
      • Malicious software
      • Computer viruses
  • Intrusion Detection Systems
    • Alert administrator(s) of suspicious activity
    • Look for intrusions before they happen
  • Note: for maximum protection it is best to have all three!!

6
5 Methods of IDS
  1. Network-based Intrusion Detection System
  2. Protocol-based Intrusion Detection System
  3. Application-based Intrusion Detection System
  4. Host-based Intrusion Detection System
  5. Hybrid Intrusion Detection System

7
Network-based Intrusion Detection System
  • Runs at different points of a network
  • Scans for DoS attacks, port activity and hacking attempts
  • Also inspects incoming and outgoing packets for malicious content
  • Pros
    • Not much overhead on the network
    • Easy to install, maintain and secure
    • Undetectable by most attackers
  • Cons
    • Has trouble with large networks

8
Network-based Intrusion Detection System (cont.)
  • Cons (cont.)
    • Has trouble with switched networks
    • Cannot report whether an attack failed or succeeded
    • Cannot inspect encrypted traffic
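
The two things a network-based IDS does at a tap point, signature matching on packet contents and a stateful heuristic over many packets, can be shown in a few dozen lines. The following is an added example written for this page, not code from the slides or from Snort: the `Packet` record, the two signature rules (a cleartext-credential hygiene rule and an SSH-banner rule) and the port-scan threshold are all assumptions, and the traffic it runs over is constructed inline.

```python
"""Toy network-based IDS core: byte-pattern signatures plus a port-scan
detector, run over constructed packet records. Added example; not from
the slides or from Snort."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination TCP port
    payload: bytes   # application data


# Constructed signature rules: (name, destination port or None for any, pattern).
# Both are policy/hygiene detections; a real rule set would exclude sanctioned ports.
SIGNATURES = [
    ("http-cleartext-password", 80, b"password="),   # credentials sent unencrypted
    ("ssh-banner-any-port", None, b"SSH-2.0"),        # SSH service answering anywhere
]

SCAN_WINDOW_S = 5.0    # sliding window for the port-scan heuristic
SCAN_THRESHOLD = 10    # distinct destination ports from one source within the window


def match_signatures(pkt):
    """Return the names of all signatures the packet matches."""
    return [name for name, port, pattern in SIGNATURES
            if (port is None or pkt.dport == port) and pattern in pkt.payload]


class PortScanDetector:
    """Flags a (src, dst) pair once it touches SCAN_THRESHOLD distinct ports
    within SCAN_WINDOW_S seconds. State is kept per pair so the alert fires once."""

    def __init__(self, window=SCAN_WINDOW_S, threshold=SCAN_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.history = defaultdict(list)   # (src, dst) -> [(ts, dport), ...]
        self.alerted = set()

    def observe(self, pkt):
        key = (pkt.src, pkt.dst)
        # keep only events still inside the sliding window, then add this one
        recent = [(t, p) for t, p in self.history[key] if pkt.ts - t <= self.window]
        recent.append((pkt.ts, pkt.dport))
        self.history[key] = recent
        ports = {p for _, p in recent}
        if len(ports) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return f"portscan {pkt.src}->{pkt.dst}: {len(ports)} ports in {self.window:.0f}s"
        return None


def analyze(packets):
    """Run every packet through signature matching and the scan detector, in time order."""
    alerts = []
    scanner = PortScanDetector()
    for pkt in sorted(packets, key=lambda p: p.ts):
        for name in match_signatures(pkt):
            alerts.append(f"signature {name} {pkt.src}->{pkt.dst}:{pkt.dport}")
        scan_alert = scanner.observe(pkt)
        if scan_alert:
            alerts.append(scan_alert)
    return alerts


def sample_traffic():
    """Constructed traffic: one normal request, one cleartext login, one scan."""
    pkts = [
        Packet(0.0, "10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
        Packet(0.5, "10.0.0.5", "10.0.0.20", 80, b"POST /login HTTP/1.1\r\n\r\nuser=bob&password=hunter2"),
    ]
    # 12 distinct ports from one source in 1.2 seconds crosses the scan threshold
    pkts += [Packet(1.0 + i * 0.1, "192.0.2.9", "10.0.0.20", 1000 + i, b"") for i in range(12)]
    return pkts


if __name__ == "__main__":
    for line in analyze(sample_traffic()):
        print(line)
```

The signature rule illustrates the "cannot inspect encrypted traffic" limitation directly: the same login over HTTPS would carry no `password=` bytes for the matcher to see, which is why the host-based and application-based approaches on later slides exist.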

9
Protocol-based Intrusion Detection System
  • Sits at the front end of a server
  • Usually used for web servers
  • Two uses
    • Making sure a protocol is enforced and used correctly
    • Teaching the system the constructs of a protocol
  • Pros
    • Easier for the system to pick up attacks, since it is protocol based
  • Cons
    • Rules for protocols come out slowly, which can leave a gap in attack coverage
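
"Making sure a protocol is enforced and used correctly" in front of a web server amounts to checking each request head against the grammar of HTTP before the server parses it. The checker below is an added example for this page, not code from the slides or from any protocol-based IDS product; the permitted-method list and the target length limit are assumed site policy, and the request samples are constructed.

```python
"""Toy protocol-based check for an HTTP request head: enforce the grammar
of the request line and headers before the request reaches the web server.
Added example; not from the slides or from any protocol-based IDS product."""
import re

REQUEST_LINE = re.compile(r"^([A-Z]{3,7}) (\S+) HTTP/(1\.0|1\.1)$")
HEADER_LINE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*([^\r\n]*)$")
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}   # assumed site policy
MAX_TARGET_LEN = 2048                                                   # assumed site policy


def check_request(raw):
    """Return the list of protocol violations in a request head (empty means conforming)."""
    problems = []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]
    head, terminator, _body = text.partition("\r\n\r\n")
    if not terminator:
        problems.append("headers not terminated by an empty line")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return problems + [f"malformed request line: {lines[0]!r}"]
    method, target, version = m.groups()
    if method not in ALLOWED_METHODS:
        problems.append(f"method {method} not permitted")
    if len(target) > MAX_TARGET_LEN:
        problems.append("request target exceeds length limit")
    headers = lines[1:]
    for h in headers:
        if not HEADER_LINE.match(h):
            problems.append(f"malformed header: {h!r}")
    names = [h.split(":", 1)[0].lower() for h in headers if ":" in h]
    if version == "1.1" and "host" not in names:
        problems.append("HTTP/1.1 request without Host header")
    if names.count("content-length") > 1:
        problems.append("duplicate Content-Length headers")
    return problems


# Constructed request samples
GOOD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n"
BAD_METHOD = b"FOOBAR / HTTP/1.1\r\nHost: example.test\r\n\r\n"
NO_HOST = b"GET / HTTP/1.1\r\n\r\n"
LONG_TARGET = b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
DUP_LENGTH = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\n"
GARBAGE = b"\x16\x03\x01\x00\xa5hello"   # TLS-looking bytes sent to a plaintext port

if __name__ == "__main__":
    for sample in (GOOD, BAD_METHOD, NO_HOST, LONG_TARGET, DUP_LENGTH, GARBAGE):
        print(sample[:24], check_request(sample))
```

The duplicate Content-Length check is the kind of rule that exists only because someone wrote it: it shows the slide's con, that a protocol-based system covers exactly the rules it has been given and nothing more until a new rule arrives.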

10
Host-based Intrusion Detection System
  • Internally based detection system
  • Analyzes a system in four ways
    • File system monitoring
    • Logfile analysis
    • Connection analysis
    • Kernel-based intrusion detection
  • Pros
    • Can analyze encrypted data
    • Can keep up with switched networks
    • Provides more information about attacks

11
Host-based Intrusion Detection System (cont.)
  • Pros (cont.)
    • System can tell which processes were used in the attack
    • System can tell which users were involved in the attack
  • Cons
    • Decrease in network performance if multiple hosts are analyzed
    • If the host machine is broken into, the IDS can be disabled
    • Affected by DoS attacks
    • Needs a lot of resources

12
Application-based Intrusion Detection System
  • System is application specific
  • Monitors dynamic behavior and protocol state
  • The system analyzes the communication between applications
  • Pros
    • Greater chance of detecting an attack, since it is application specific
    • Can look at encrypted data
  • Cons
    • Needs a lot of processing power

13
Hybrid Intrusion Detection System
  • Combines two or more systems
  • Pros
    • It has the same pros as the systems it is based on
  • Cons
    • It has the same cons as the systems it is based on

14
Top 5 IDS
  • Snort
  • OSSEC HIDS
  • Fragrouter
  • BASE
  • Sguil

15
  • Lightweight, open source
  • Originally named Bro
  • Developed by Lawrence Berkeley National Laboratory in 1998
  • The most widely used intrusion detection system
  • Capable of performing packet logging and real-time traffic analysis over IP networks

16
OSSEC HIDS
  • Strong log analysis engine
    • Correlates and analyzes logs from different devices and formats
  • Can be centralized
  • Many different systems can be monitored
  • Runs on most operating systems
    • Linux
    • OpenBSD
    • Mac OS X
    • Solaris
    • FreeBSD
    • Windows
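
"Correlates and analyzes logs from different devices and formats" is the heart of a log-based HIDS, and it is also the "logfile analysis" method listed on the host-based slide. The script below is an added example for this page, not code from the slides or from OSSEC's own decoders and rules: it normalizes a Linux sshd syslog format and a flattened Windows-style logon-failure record into one event shape, then applies a frequency rule (several failures from one source within a window, across any host). The sample log lines are constructed, the assumed syslog year is a labelled assumption, and the threshold and window are arbitrary.

```python
"""Toy OSSEC-style log correlation: normalise authentication events from
two log formats, then alert when one source address produces several
failures across any hosts within a time window. Added example; not from
the slides or from OSSEC's decoder/rule set."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real captures): Linux sshd syslog and a
# flattened Windows-style logon-failure record (event 4625).
SAMPLE_LOGS = [
    "Mar  3 10:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar  3 10:00:04 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2",
    "Mar  3 10:00:09 db1 sshd[912]: Accepted publickey for deploy from 198.51.100.4 port 40012 ssh2",
    "2024-03-03T10:00:12 win1 EventID=4625 Account=bob SourceIP=203.0.113.7 Status=failed",
    "Mar  3 10:00:40 web1 sshd[2203]: Failed password for root from 198.51.100.4 port 51040 ssh2",
    "Mar  3 10:00:41 web1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

SYSLOG_YEAR = 2024   # assumption: classic syslog timestamps carry no year

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
WINLOGON_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) Account=(?P<user>\S+) "
    r"SourceIP=(?P<src>\S+) Status=(?P<status>\w+)")


def parse_line(line):
    """Normalise one log line to {ts, host, user, src, outcome}, or None if unrecognised."""
    m = SSHD_RE.match(line)
    if m:
        stamp = " ".join(m["ts"].split())   # collapse the double space in "Mar  3"
        ts = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        outcome = "failed" if m["outcome"] == "Failed" else "success"
        return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"], "outcome": outcome}
    m = WINLOGON_RE.match(line)
    if m and m["eid"] == "4625":
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": m["user"],
                "src": m["src"], "outcome": "failed"}
    return None


def parse_all(lines):
    """Decode every line we have a decoder for; unknown formats are dropped."""
    return [ev for ev in map(parse_line, lines) if ev is not None]


def correlate(events, threshold=3, window_s=120):
    """Alert once per source when `threshold` failures fall inside `window_s` seconds."""
    recent = defaultdict(list)   # src -> failures still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "failed":
            continue
        hist = recent[ev["src"]]
        hist.append(ev)
        hist[:] = [e for e in hist if (ev["ts"] - e["ts"]).total_seconds() <= window_s]
        if len(hist) == threshold:
            hosts = ",".join(sorted({e["host"] for e in hist}))
            alerts.append(f"{ev['src']}: {threshold} failed logins within {window_s}s across {hosts}")
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_all(SAMPLE_LOGS)):
        print(a)
```

The correlation only works because the decoders reduce both formats to the same fields first; the alert in the sample spans a Linux host and a Windows host, which neither log on its own would reveal. That cross-host view is what the "can be centralized" bullet buys.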

17
Fragrouter
  • Used to evade intrusion detection systems
  • Limited to certain operating systems
    • BSD
    • Linux
  • Good tool for finding weaknesses in a network, computers or servers that an IDS may not be able to find

18
BASE
  • Written in PHP
  • Nice web front end
  • Analyzes data stored in a database that is populated by firewalls, IDS and network monitoring tools

19
Sguil
  • Known for its graphical user interface
  • Runs on operating systems that support Tcl/Tk
    • Linux
    • BSD
    • Solaris
    • MacOS
    • Win32
  • Network security monitoring
  • Provides intrusion detection system alerts

20
  • Question Time