Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Intrusion Detection Systems Ali Shayan October 2008.

Published byCaren Welch Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Intrusion Detection Systems Ali Shayan October 2008."— Presentation transcript:

1 Network Intrusion Detection Systems Ali Shayan October 2008

2 2 Introduction Intrusion – an attempt to compromise or misuse a computer system or network. Network Intrusion Detection System (NIDS) monitors packets on the network wire and attempts to discover if hackers are attempting to break into a system or cause a DOS. NIDS can run on the target or independent system. Network NIDS monitor many machines. System Integrity Verifiers (SIV) monitor system files to detect trojan versions of system binaries. It may log the attempt as it occurs.

3 3 Introduction Log File Monitors (LFM) monitor log files generated by network services. Deception Systems aka honeypots, fly-traps contain pseudo-services that emulate well-known holes in an attempt to trap hackers. Intruders – outsiders or insiders

4 Physical Intrusion – console passwords, disk removal, etc. System Intrusion – hacker has a low privilege account on the system and uses a tool that exploits a weakness to gain system privilege. Remote Intrusion – gains access via a remote service on the system. 4 How do Intruders Get In?

5 Intrusion Detection Process of identifying and responding to malicious activities targeted against networks and its resources System that performs intrusion detection is called Intrusion Detection System (IDS) –complements prevention techniques (e.g. firewalls) defense mechanism behind outer barrier works against insiders –important market for security companies (ISS, Cisco) 5

6 Intrusion Detection Type of IDSs –Material-based HIDS (Host-based Intrusion Detection System) NIDS (Network-based Intrusion Detection System) –Detection Techniques Misuse based / Signature based Anomaly based Hybrid 6

7 Intrusion Detection Techniques Misuse-based / Signature-based –observed behavior is compared against description of known, undesirable behavior (signatures) –intrusion assumed when signature spotted in input data –comparable to virus scanner –all commercial systems follow this approach –Advantages accurate reports (low false positive rate) –Disadvantages needs continous update of signatures (like virus scanner) unable of detecting novel intrusions 7

8 Intrusion Detection Techniques Anomaly based –behavior is compared against description of anticipated, legal behavior (profile) –intrusion assumed when deviation between input and profile significant –statistical methods, AI techniques (neural networks) –Advantages capable of detecting novel attacks –Disadvantages difficult to configure / train high number of false alarms (incorrect detects) 8

9 Intrusion Detection Domains Network based –input data is gathered from the network –packet sniffer, protocol analysis –Advantages – complete set of events – access to events related to multiple hosts from a single sampling point –Disadvantages – performance issues (reassembling, de-fragmenting) – switched architectures – encryption – discrepancies between sensor and target viewpoint (eg. encryption, TTL,...) 9

10 Network Based Detection Sample IDS‘s Idea –“Insertion, Evasion and Denial of Service” –bases on different TCP/IP stack implementations in case of non- standard packets (header flags, options) –TTL too short to reach target –different timeout policy for IP fragments / TCP segments –different reassembly policy in case of overlapping data NT, Solaris favour old data Linux, FreeBSD, OpenBSD favour new data 10

11 Network Based Detection Commercial systems –RealSecure (ISS) –Juniper (Juniper Networks Intrusion Prevention) –Cisco (Cisco IPS 4200 Series Sensors) Academic systems –NFR (Marcus Ranum) –NetSTAT (UCSB) –Emerald (SRI) –Bro Snort ( http://www.snort.org ) –designed to be lightweight and fast –based on libpcap (reads/writes tcpdump files) –simple rule-based analysis engine –simple pattern-matching functionalities 11

12 Intrusion Detection Domains Host based –produce data related to host activity –two main sources operating system –Syslog Daemon, klogd –Linux – LIDS –Solaris Auditing – Basic Security Model (BSM) –Windows NT Events application level –Apache logs –ftpd logs 12

13 Intrusion Detection Domains Syslog –Logging facility available in all UNIX system –accessible through syslog() that sends a log message to syslogd / klogd Syslog message –Indentity - usually the program name –Facility - specifies the source of the message (kernel, user, mail, lpr, authpriv, daemon) –Level - determines the importance of the message (emerg, alert, crit, err, warning, notice, info, debug) –Text message 13

14 Intrusion Detection Challanges Recognize malicious actions in the huge stream of events provided by network monitors and host auditing facilities Detect intrusions in real-time Correlate detection results within and across security domains Integrate different systems so that all techniques (anomaly, misuse) and domains (host, network) are covered Deploy ID systems in very different environments and take into account the characteristics of the protected computer networks 14

15 Where to locate IDS Network hosts Network Perimeter WAN/LAN Backbone Server farms Need to be on low-bandwidth nets to keep up with traffic. 15

16 Fitting IDS with Security Framework Put firewalls between networks with different security requirements. Use scanners to check for exploits. Set host policy to conform with standards. Use NIDS to see what is actually happening. Use Host based IDS to flag intrusions. Create effective IRP. 16

17 Sample IDS Placement 17 INTERNET IDS #3 FIREWALL IDS #2 INTERNAL NETWORK IDS #4 IDS #1 IDS #1 – FW don’t produce enough info to effectively detect hits. IDS #2 – detects attacks that penetrate the FW IDS #3 – detects attacks attempted against the FW IDS #4 – Insider attacks will be detected

18 Attacks Against the NIDS Blind the sensor with high traffic rates. Blind the event storage. Use decoy scans to fill up log space. DOS Packet Fragmentation Slow Scan Coordinated low-bandwidth attacks Address spoofing Pattern Change 18

19 Questions to ask IDS Vendors How Much? What do signature updates cost? What traffic level blinds the IDS? How easy to evade? How scalable is it? How many signatures does it support? What IR features are included? 19

Download ppt "Network Intrusion Detection Systems Ali Shayan October 2008."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.

Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.
Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection ------------------------------------------------ Aaron Beach Spring 2004.

Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection Aaron Beach Spring 2004.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Intrusion Detection CS461/ECE422 Spring 2012. Reading Material Chapter 8 of the text.

Intrusion Detection CS461/ECE422 Spring Reading Material Chapter 8 of the text.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Intrusion Detection/Prevention Systems. Objectives and Deliverable Understand the concept of IDS/IPS and the two major categorizations: by features/models,

Intrusion Detection/Prevention Systems. Objectives and Deliverable Understand the concept of IDS/IPS and the two major categorizations: by features/models,
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
A survey of commercial tools for intrusion detection 1. Introduction 2. Systems analyzed 3. Methodology 4. Results 5. Conclusions Cao er Kai. INSA lab.

A survey of commercial tools for intrusion detection 1. Introduction 2. Systems analyzed 3. Methodology 4. Results 5. Conclusions Cao er Kai. INSA lab.
What Learned Last Week Homework qn –What machine does the URL go to?

What Learned Last Week Homework qn –What machine does the URL go to?
Intrusion Detection/Prevention Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality,

Intrusion Detection/Prevention Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality,
seminar on Intrusion detection system

seminar on Intrusion detection system
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Similar presentations

Ads by Google