Signature Based and Anomaly Based Network Intrusion Detection - PowerPoint PPT Presentation

About This Presentation
Title:

Signature Based and Anomaly Based Network Intrusion Detection

Description:

Signature Based and Anomaly Based Network Intrusion Detection By Stephen Loftus and Kent Ho CS 158B Agenda Introduce Network Intrusion Detection (NID) Signature ... – PowerPoint PPT presentation

Number of Views:1110
Avg rating:3.0/5.0
Slides: 11
Provided by: csSjsuEd3
Learn more at: http://www.cs.sjsu.edu
Category:

less

Transcript and Presenter's Notes

Title: Signature Based and Anomaly Based Network Intrusion Detection


1
Signature Based and Anomaly Based Network
Intrusion Detection
  • By Stephen Loftus and Kent Ho
  • CS 158B

2
Agenda
  • Introduce Network Intrusion Detection (NID)
  • Signature
  • Anomaly
  • Compare and ContrastSignature based vs. Anomaly
    based NID
  • Example using Ethereal

3
Intrusion Detection Systems
  • Intrusion detection begins where the firewall
    ends.
  • Preventing unauthorized entry is best, but not
    always possible.
  • It is important that the system is reliable and
    accurate and secure.

4
IDS (cont.)
  • When designing a IDS, the mission is to protect
    the datas
  • Confidentiality- read
  • Integrity- read/write
  • Availability- read/write/access
  • Threats can come from both outside and inside the
    network.

5
Signature
  • Signature based IDS are based on looking for
    known patterns of detrimental activity.
  • Benefits
  • Low alarm rates All it has to do is to look up
    the list of known signatures of attacks and if it
    finds a match report it.
  • Signature based NID are very accurate.
  • Speed The systems are fast since they are only
    doing a comparison between what they are seeing
    and a predetermined rule.

6
Signature (cont.)
  • Negatives
  • If someone develops a new attack, there will be
    no protection.
  • only as strong as its rule set.
  • Attacks can be masked by splitting up the
    messages.
  • Similar to Anti-Virus, after a new attack is
    recorded, the data files need to be updated
    before the network is secure.
  • Example
  • Port Scan
  • DOS
  • Sniffing

7
Anomaly
  • Anomaly based IDS are based on tracking unknown
    unique behavior pattern of detrimental activity
  • Advantages
  • Helps to reduce the limitations problem.
  • Conducts a thorough screening of what comes
    through.

8
Anomaly (cont.)
  • Disadvantages
  • False positives, catches too much because
    Behavior based NIDs monitor a system based on
    their behavior patterns.
  • Painstaking slow to do an exhaustive monitoring,
    uses up a lot or resourceAfter an anomaly has
    been detected, it may become a signature.

9
Anomaly vs. Signature
  • Which is the best way to defend your network?
  • Both have advantages
  • Signature can be used as a stand alone system
  • Anomaly has a few weak points that prevent it
    from being a stand alone system.
  • Signature is the better of the two for defending
    you network
  • The best way is to use both!

10
Example
  • Using Ethereal to detect a port scan
  • A port scan is when a person executes sequential
    port open requests trying to find an open port.
    Most of these come back with a reset
  • Normal TCP/IP port request
  • Port request on closed port
Write a Comment
User Comments (0)
About PowerShow.com