Index
Introduction
Why do I need an IDS, I have a Firewall?
Components of Intrusion Detection
Types of IDS
Introduction
Intrusion
A set of actions aimed at compromising the security goals, namely
integrity, confidentiality, or availability, of a computing and networking resource
Intrusion detection
The process of identifying and responding to intrusion activities.
Firewall
Active filtering
Fail-close
Network IDS
Passive monitoring
Fail-open
[Diagram: traffic passes through the firewall (FW) inline, while the IDS watches a copy of the traffic and produces an action/report]
Types of IDS
Different ways of classifying an IDS
IDS based on:
anomaly detection
signature-based misuse detection
host-based
network-based
Anomaly Detection
[Chart: activity measures (CPU, process size) on a 0-100 scale; a normal profile versus abnormal measurements, where a value far outside the normal profile indicates a probable intrusion]
Relatively high false positive rate: anomalies can just be new normal activities.
Misuse Detection
[Diagram: observed activities are pattern-matched against a database of known intrusion patterns; a match flags an intrusion]
Example: if (src_ip == dst_ip) then land attack
Can't detect new attacks
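The anomaly-detection and misuse-detection slides above, as an added example that is not from the original slides: a toy detector that applies the land-attack signature (src_ip == dst_ip) to a constructed packet list, and builds a normal profile of the CPU and process-size measures from a constructed training window to flag deviations. The k-sigma threshold and all sample values are assumptions made for the illustration.

```python
# Added example (not from the slides): a toy misuse detector and a toy
# anomaly detector run over constructed sample data.
import statistics

# Misuse detection: explicit signatures, here the slide's land-attack rule.
SIGNATURES = {
    "land attack": lambda pkt: pkt["src_ip"] == pkt["dst_ip"],
}

def misuse_detect(packets):
    """Return (packet index, signature name) for every packet matching a rule."""
    hits = []
    for i, pkt in enumerate(packets):
        for name, rule in SIGNATURES.items():
            if rule(pkt):
                hits.append((i, name))
    return hits

# Anomaly detection: build a "normal profile" (mean and stdev per measure)
# from a training window, then flag values more than k sigma from the mean.
def build_profile(training):
    return {m: (statistics.mean(v), statistics.pstdev(v)) for m, v in training.items()}

def anomaly_detect(profile, observation, k=3.0):
    """Return the measures of one observation that fall outside mean +/- k*stdev."""
    flagged = []
    for measure, value in observation.items():
        mean, sd = profile[measure]
        if sd == 0:
            continue  # constant measure in training: no spread to judge against
        if abs(value - mean) > k * sd:
            flagged.append(measure)
    return flagged

# Constructed sample data (assumed values, not real traffic or host telemetry).
PACKETS = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9"},
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.0.9"},  # src == dst: land signature
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.0.9"},
]
TRAINING = {"cpu": [40, 45, 50, 48, 42, 47], "process_size": [20, 22, 21, 23, 20, 22]}

if __name__ == "__main__":
    print(misuse_detect(PACKETS))                                    # [(1, 'land attack')]
    profile = build_profile(TRAINING)
    print(anomaly_detect(profile, {"cpu": 90, "process_size": 21}))  # ['cpu']
    # A new but legitimate workload also trips the profile: a false positive,
    # which is the weakness the anomaly-detection slide points out.
    print(anomaly_detect(profile, {"cpu": 46, "process_size": 60}))  # ['process_size']
```

The signature matcher only ever fires on rules it already has, which is the "can't detect new attacks" limitation of misuse detection.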
Network IDSs
Deploying sensors at strategic locations
E.g., Packet sniffing via tcpdump at routers
Other problems
[Diagram: network -> packet stream -> libpcap -> tcpdump filters -> filtered packet stream -> event engine]
Functions of IDS
Monitoring and analyzing both user and system activities.
Analyzing system configurations and vulnerabilities.
Assessing system and file.
BSM
Individual attack-based:
Intrusion A detected; Intrusion B detected
No long-term proactive detection/prediction
Statistical accuracy-based:
x% detection rate and y% false alarm rate
Are the most damaging intrusions detected?
Statically configured.
Adaptive IDSs
[Diagram: an ID Modeling Engine, working semiautomatically, produces ID models for anomaly detection and misuse detection and distributes them to multiple IDSs]
Conclusion
IDSs are becoming the logical next step for many organizations after deploying firewall technology at the network perimeter. An IDS can offer protection against both external users and internal attackers, whose traffic does not pass the firewall at all. If all of these points are not adhered to, an IDS implementation along with a firewall alone cannot make a highly secure infrastructure.