Intrusion Detection Systems
Presented by: Priyanka Ghagare Guided By: Amol Bhilare
Index
Introduction
Why do I need an IDS, I have a Firewall?
Components of Intrusion Detection
Types of IDS
Firewall Versus Network IDS
Problems with Current IDSs
Next Generation IDSs
Conclusion
Introduction
Intrusion
A set of actions aimed at compromising the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource.
Intrusion detection
The process of identifying and responding to intrusion activities.
WHY DO I NEED AN IDS, I HAVE A FIREWALL?
Firewall
Active filtering
Fail-closed
Network IDS
Passive monitoring
Fail-open
[Diagram: placement of the IDS and the firewall (FW) on the network]
Components of Intrusion Detection System
[Diagram: audit records -> audit data preprocessor -> activity data -> detection engine (using detection models) -> alarms -> decision engine (using decision table) -> action/report. Assumptions: system activities are observable; normal and intrusive activities have distinct evidence.]
Types of IDS
Different ways of classifying an IDS
IDS based on:
anomaly detection
signature-based misuse
host-based
network-based
Anomaly based IDS
This IDS models the normal usage of the network as a noise characterization; anything distinct from that noise is assumed to be intrusion activity.
E.g. flooding a host with lots of packets.
The primary strength is its ability to recognize novel attacks.
Anomaly Detection
[Figure: activity measures (e.g. CPU, process size) plotted against the normal profile; points far from the profile are marked abnormal, a probable intrusion.]
Relatively high false positive rate: anomalies can just be new normal activities.
Signature based misuse
This IDS possesses an attack description that can be matched to sensed attack manifestations. What information is relevant to an IDS depends on what it is trying to detect.
E.g. DNS, FTP, etc.
Misuse Detection
[Diagram: activities are pattern-matched against known intrusion patterns; a match reports an intrusion.]
Example: if (src_ip == dst_ip) then land attack
Can't detect new attacks
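The two detection styles on these slides side by side, as an added example that is not part of the original presentation: the land-attack signature from this slide and a packet-flood anomaly check that learns a normal profile from a known-good traffic window. All packet tuples are constructed sample data.

```python
from collections import Counter

# Constructed sample traffic (not from the original slides): (src_ip, dst_ip, proto).
TRAINING_PACKETS = [                       # known-good window used to learn "normal"
    ("192.168.1.10", "10.0.0.7", "tcp"), ("192.168.1.10", "10.0.0.7", "tcp"),
    ("192.168.1.11", "10.0.0.7", "tcp"), ("192.168.1.11", "10.0.0.7", "tcp"),
    ("192.168.1.12", "10.0.0.7", "udp"), ("192.168.1.12", "10.0.0.7", "udp"),
]
OBSERVED_PACKETS = [
    ("10.0.0.5", "10.0.0.5", "tcp"),       # land attack: src_ip == dst_ip
    ("192.168.1.10", "10.0.0.7", "tcp"),
    ("192.168.1.10", "10.0.0.7", "tcp"),
] + [("203.0.113.9", "10.0.0.7", "udp")] * 120   # one source flooding the host

# --- Misuse (signature) detection: predicates over a single packet -----------
SIGNATURES = {
    "land attack": lambda src, dst, proto: src == dst,   # the rule on the slide
}

def signature_alerts(packets):
    """Return (signature name, packet) for every packet matching a known pattern.
    Only attacks with a written signature can ever be reported here."""
    return [(name, pkt) for pkt in packets
            for name, matches in SIGNATURES.items() if matches(*pkt)]

# --- Anomaly detection: learn a normal profile, flag large deviations --------
def build_normal_profile(training_packets):
    """Normal profile = mean packets per source in a known-good window."""
    counts = Counter(src for src, _, _ in training_packets)
    return sum(counts.values()) / len(counts)

def anomaly_alerts(packets, baseline, factor=10):
    """Flag any source sending more than `factor` times the baseline.
    No signature is needed (novel floods are caught), but a legitimate
    bulk transfer from one host would trip it too: the false-positive cost."""
    counts = Counter(src for src, _, _ in packets)
    return [(src, n) for src, n in counts.items() if n > baseline * factor]

if __name__ == "__main__":
    print(signature_alerts(OBSERVED_PACKETS))
    profile = build_normal_profile(TRAINING_PACKETS)
    print(anomaly_alerts(OBSERVED_PACKETS, profile))
```

The flood source is only reported because its count deviates from the learned profile, while the land attack is only reported because a signature for it exists; neither detector sees the other's case.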
Host/Applications based IDS
The host operating system or the application logs the audit information. This audit information includes events such as the use of identification and authentication mechanisms (logins etc.), file opens and program executions, admin activities etc. The audit trail is then analyzed to detect traces of intrusion.
Network IDSs
Deploying sensors at strategic locations
E.g., Packet sniffing via tcpdump at routers
Inspecting network traffic
Watch for violations of protocols and unusual connection patterns
Monitoring user activities
Look into the data portions of the packets for malicious command sequences
May be easily defeated by encryption
Data portions and some header information can be encrypted
Other problems
Architecture of Network IDS
[Diagram: packet stream from the network -> libpcap -> tcpdump filters -> filtered packet stream -> event engine -> event stream (with event control) -> policy script interpreter (running the policy script) -> alerts/notifications]
Functions of IDS
Monitoring and analyzing both user and system activities.
Analyzing system configurations and vulnerabilities.
Assessing system and file integrity.
Detecting and preventing network intrusions.
Antivirus, antispyware management.
Monitoring Networks and Hosts
Network packets: tcpdump
Operating system events: BSM
Problems with Current IDSs
Knowledge and signature-based:
We have the largest knowledge/signature base
Ineffective against new attacks
Individual attack-based:
Intrusion A detected; Intrusion B detected
No long-term proactive detection/prediction
Statistical accuracy-based:
x% detection rate and y% false alarm rate
Are the most damaging intrusions detected?
Statically configured.
Next Generation IDSs
Adaptive: detect new intrusions
Scenario-based: correlate (multiple sources of) audit data and attack information
Cost-sensitive: model cost factors related to intrusion detection; dynamically configure IDS components for best protection/cost performance
Adaptive IDSs
[Diagram: an ID modeling engine semi-automatically builds ID models from anomaly data reported by the deployed IDSs (anomaly detection alongside misuse detection) and distributes the updated ID models back to the IDSs.]
Where do I put my IDS?
Conclusion
IDSs are becoming the logical next step for many organizations after deploying firewall technology at the network perimeter. An IDS can offer protection from external users and from internal attackers, whose traffic doesn't pass through the firewall at all. If these points are not adhered to, an IDS implementation alongside a firewall alone cannot make a highly secured infrastructure.