A Comparison Between Signature Based and Anomaly Based Intrusion Detection Systems By: Brandon Lokesak For: COSC 356 Date: 12/4/2008.


1 A Comparison Between Signature Based and Anomaly Based Intrusion Detection Systems By: Brandon Lokesak For: COSC 356 Date: 12/4/2008

2 Outline
- Introduction
- Define an Intrusion
- Objectives of Intrusion Detection Systems
- Signature Based Detection
  - Advantages and Disadvantages
- Anomaly Based Detection
  - Advantages and Disadvantages
- Active Intrusion Detection Systems (IPS)
- Cost
- Conclusion

3 Introduction
Intrusion Detection System: a system which inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack by someone attempting to break into or compromise a system.
- An IDS is essentially a sophisticated packet scanner.
- Designed and put into use on production networks between the late 1970s and early 1980s, and still in use today.
- The software scans all packets on the network and attempts to classify the traffic as intrusive or non-intrusive.

4 What Is an Intrusion?
An intrusion is "any set of activities that attempt to compromise the integrity, confidentiality or availability of a resource."
- "Denial of Service – action or series of actions that prevent some part of a system from performing as intended
- Disclosure – unauthorized acquisition of sensitive information
- Manipulation – improper modification of system information, whether being processed, stored, or transmitted
- Masqueraders – attempt by an unauthorized user or process to gain access to a system by posing as an authorized entity

5 Threats Continued
- Replay – retransmission of valid messages under invalid circumstances to produce unauthorized effects
- Repudiation – successful denial of an action
- Physical Impossibilities – violation of an object residing in two places at the same time, moving from one place to another in less than optimal time, or repeating a specific action in less than some minimal time quantum
- Device Malfunctions (health of the system) – partial or complete failure of a monitored system device"

6 Objectives of Intrusion Detection Systems
- "Confidentiality – ensuring that the data and system are not disclosed to unauthorized individuals, processes, or systems
- Integrity – ensuring that the data is preserved in regard to its meaning, completeness, consistency, intended use, and correlation to its representation
- Availability – ensuring that the data and system are accessible and usable to authorized individuals and/or processes
- Accountability – ensuring that transactions are recorded so that events may be recreated and traced to users or processes"

7 Signature Based Detection
Signature based detection works in a similar fashion to a virus scanner. This style of detection relies on rules and tries to associate possible patterns with intrusion attempts. Viruses are known to often attempt a series of steps to penetrate a system; that series of steps is compiled into a rule. Whenever the IDS software (an agent) collects data, it compares what it has observed against the rules that have been defined and then decides whether the observation is a positive (an intrusion attempt) or a negative.
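As an added illustration of the rule matching this slide describes (not part of the original presentation), the following Python script treats a signature as an ordered series of steps and matches it against a constructed event stream; the events, source addresses and rule names are made up for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample event stream, in the form an IDS agent might collect it:
# (timestamp in seconds, source address, log message).
EVENTS = [
    (0, "10.0.0.9", "ftp login failed user=root"),
    (2, "10.0.0.9", "ftp login failed user=root"),
    (4, "10.0.0.9", "ftp login failed user=root"),
    (6, "10.0.0.9", "ftp login ok user=root"),
    (9, "10.0.0.4", "ftp login ok user=alice"),
    (10, "10.0.0.4", "ftp RETR report.pdf"),
    (60, "10.0.0.4", "ftp login failed user=alice"),
    (61, "10.0.0.4", "ftp login ok user=alice"),
]

# A signature is an ordered series of steps (regexes). All steps must be seen
# from the same source, in order, within WINDOW seconds of the first step.
WINDOW = 30
SIGNATURES = {
    # The "masquerader" threat from slide 4: repeated failures, then a success.
    "repeated-failures-then-success": [r"login failed"] * 3 + [r"login ok"],
    # A one-step signature behaves like a plain pattern rule.
    "root-ftp-login": [r"login ok user=root"],
}

def scan(events, signatures, window=WINDOW):
    """Return alerts as (time, source, signature name), tracking partial matches per source."""
    # state[(signature, source)] = (index of the next step, time the first step matched)
    state = defaultdict(lambda: (0, None))
    alerts = []
    for ts, src, msg in events:
        for name, steps in signatures.items():
            idx, started = state[(name, src)]
            if started is not None and ts - started > window:
                idx, started = 0, None  # partial match went stale: start over
            if re.search(steps[idx], msg):
                started = ts if idx == 0 else started
                idx += 1
                if idx == len(steps):  # every step observed in order: a positive
                    alerts.append((ts, src, name))
                    idx, started = 0, None
            state[(name, src)] = (idx, started)
    return alerts

if __name__ == "__main__":
    for ts, src, name in scan(EVENTS, SIGNATURES):
        print(f"ALERT t={ts}s source={src} signature={name}")
```

A single failure followed by a success (10.0.0.4 at t=60) never completes the series, so it raises nothing; shrinking the window makes the three failures from 10.0.0.9 go stale and also raises nothing.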

8 Advantages of Signature Based Detection
- Often considered to be much more accurate at identifying an intrusion attempt.
- Ease of tracking down the cause of an alarm, thanks to detailed log files.
- Time is saved, since administrators spend less time dealing with false positives.

9 Disadvantages of Signature Based Detection
- Signature based systems can only detect an intrusion attempt if it matches a pattern that is in the database, so the database has to be updated constantly.
- Whenever a new virus or attack is identified, it can take vendors anywhere from a few hours to a few days to update their signature databases.

10 Disadvantages of Signature Based Detection
- On hosts subjected to large amounts of traffic, the IDS can have a difficult time inspecting every single packet it comes in contact with, which forces some packets to be dropped and leaves the potential for hazardous packets to get by without detection.
- Systems can suffer a substantial performance slowdown if not properly equipped with the necessary hardware to keep up with the demands.

11 Anomaly Based Detection
An anomaly is defined as something that is not nominal or normal. Anomaly detection is split into two separate categories: static and dynamic.
- Static
  - Assumes that one or more sections on the host should remain constant
  - Focuses only on the software side and ignores any unusual changes in hardware
  - Used to monitor data integrity
- Dynamic
  - Depends on a baseline or profile
  - Baseline established by the IDS or the network administrator
  - Baseline tells the system what kind of traffic looks normal
  - May include information about bandwidth, ports, time frames, etc.

12 Advantages of Anomaly Based Detection
- New threats can be detected without having to worry about the database being up to date.
- Very little maintenance: once the system is installed, it continues to learn about network activity and continues to build its profiles.
- The longer the system is in use, the more accurate it can become at identifying threats.

13 Disadvantages of Anomaly Based Detection
- The network can be in an unprotected state while the system builds its profile.
- If malicious activity looks like normal traffic to the system, it will never send an alarm.
- False positives can become cumbersome with an anomaly based setup. Normal usage, such as checking e-mail after a meeting, has the potential to signal an alarm.
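A small Python model of the dynamic baseline from slide 11 together with the failure modes on this slide (the learning period, a false positive from a mail sync, and traffic that stays inside the profile). This is an added example rather than the presentation's own material; the host names, byte counts, sample minimum and the mean-plus-three-standard-deviations threshold are all constructed assumptions.

```python
import statistics
from collections import defaultdict

MIN_SAMPLES = 30  # minutes of history needed before a host's profile is trusted
K = 3.0           # alert when a value exceeds mean + K standard deviations

class DynamicProfile:
    """Baseline of outbound bytes per minute, learned per host from observed traffic."""

    def __init__(self):
        self.history = defaultdict(list)

    def learn(self, host, nbytes):
        self.history[host].append(nbytes)

    def classify(self, host, nbytes):
        """Return 'learning', 'normal' or 'anomaly' for one observation."""
        samples = self.history[host]
        if len(samples) < MIN_SAMPLES:
            verdict = "learning"  # no usable baseline yet: this host is unprotected
        else:
            mean, sd = statistics.fmean(samples), statistics.pstdev(samples)
            verdict = "anomaly" if nbytes > mean + K * sd else "normal"
        if verdict != "anomaly":
            self.learn(host, nbytes)  # accepted traffic keeps refining the profile
        return verdict

def build_baseline():
    """Constructed learning period: 60 minutes of steady browsing traffic from ws-12."""
    profile = DynamicProfile()
    for minute in range(60):
        profile.learn("ws-12", 40_000 + (minute % 5) * 2_000)
    return profile

# Constructed observations after the learning period (hosts and byte counts are made up).
OBSERVATIONS = [
    ("ws-12", 45_000),   # an ordinary minute -> normal
    ("ws-12", 600_000),  # large unexplained upload -> anomaly
    ("ws-12", 150_000),  # mail client syncing after a meeting -> anomaly (false positive)
    ("ws-12", 50_000),   # within the baseline, so accepted whether or not it is benign
    ("ws-99", 45_000),   # host with no history yet -> learning, i.e. not protected
]

def run(profile, observations):
    return [(host, nbytes, profile.classify(host, nbytes)) for host, nbytes in observations]

if __name__ == "__main__":
    for host, nbytes, verdict in run(build_baseline(), OBSERVATIONS):
        print(f"{host} {nbytes:>8} bytes/min -> {verdict}")
```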

14 Active Intrusion Detection Systems
Passive systems can only send an alarm to an administrator when there is an attempt in progress. An active system can take control of the situation by disconnecting the assailant.
Methods:
- Session Disruption
  - The IDS may send a TCP reset packet if the attacker has opened a TCP connection to the victim
  - The IDS may send various UDP packets to disrupt a UDP connection
  - Will not permanently remedy the situation; it only disconnects the current connection
- Rule Modification
  - The IDS is linked to a firewall via an administrative link
  - The IDS communicates with the firewall, telling it to drop all packets from the attacker's IP address

15 Costs
"CSO magazine’s 2006 E-Crime Watch survey revealed that the damage done by enterprise security events is getting worse. Sixty-three percent of respondents reported operational losses as a result of e-crime, 23 percent reported harm done to their organization’s reputation and 40 percent reported financial losses, which averaged $740,000 in 2005 compared to an average of $507,000 in 2004."
- Intrusion Detection Systems range in price anywhere from $4,000 to $60,000, depending on the features that a company may need.
- The price may appear high to some, but when compared to the cost of the damage that may be done, it is a well-spent investment for a company.
- Remember that data is very hard to put a price tag on if lost.

16 Questions?

