Intrusion Detection System Marmagna Desai [ 520 Presentation]

Page 1: Intrusion Detection System

Intrusion Detection System

Marmagna Desai [520 Presentation]

Page 2: Intrusion Detection System

Contents

- Computer Security
  - Network System
- IDS - Introduction
- Intrusion Detection System
  - Network Based (NIDS)
  - Host Based (HIDS)
  - ID Expert Systems
- IDS Techniques
  - Misuse Detection
  - Anomaly Detection
  - Immune System Approach
- Architecture
- Requirements
- Conclusion
- References
- Thanks

Page 3: Intrusion Detection System

Computer Security – CIA: Confidentiality, Integrity, Authentication

- Network Security: protecting
  - Network equipment
  - Network servers and transmissions
  - Against eavesdropping
  - Data integrity
- System Security
  - User access
  - Authentication controls
  - Assignment of privilege
  - Maintaining file and file system integrity
  - Monitoring processes
  - Log-keeping
  - Backups

Page 4: Intrusion Detection System

Intrusion Detection System

IDS - Definition: monitors either a network boundary (Network IDS) or a single host (Host IDS) in real time, looking for patterns that indicate attacks.

Functional blocks:
- Sensor
- Monitor
- Resolver
- Controller

Page 5: Intrusion Detection System

- Sensor: system-specific data gathering component. Tracks network traffic, log files and system behaviour.
- Monitor: monitors components and gets events from the sensor. Correlates events against the behaviour model and produces alerts.
- Resolver: determines the response to alerts, e.g. logging, changing a system mechanism, setting a firewall rule, etc.
- Controller: coordination and administration.

Page 6: Intrusion Detection System

Network IDS

- NIDS sensors collect information from network connections.
- Uses packet sniffing on a NIC in promiscuous mode.
- No auditing / logging required.
- Agents can be introduced without affecting the data source at NIC level.
- Detects network-level attacks (e.g. SYN attack).
- Can NOT scan protocols or content of network traffic if it is encrypted.

Page 7: Intrusion Detection System

Host IDS

- HIDS sensors collect information reflecting the system activity.
- Based on operating system audit trails, logs and process trees.
- User and application level analysis.
- Process behaviour analysis.
- Operates in encrypted environments.
- Platform specific; large overhead for the OS and higher management/deployment costs.

Page 8: Intrusion Detection System

ID Expert Systems

- A set of system tools working in coordination.
- Users behave in a consistent manner, so behaviour can be summarised in a profile.
- The profile can be generated by advanced statistical analysis.
- An Oracle database is used for profiles.
- Provides real-time response to intrusion.

Page 9: Intrusion Detection System

IDS Approaches

Misuse Detection

- Models abnormal behaviour, e.g. an HTTP request referring to the cmd.exe file.
- Uses pattern matching of system settings and user activities against a database of known attacks (signature analysis).
- Highly efficient – tightly defined signature.
- Vulnerable to novel attacks.
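As an added illustration of the signature-based misuse detection on this slide (not code from the presentation), a small Python matcher run over constructed web-server log lines: it percent-decodes the request path before matching, so the tightly defined cmd.exe signature still fires on an encoded request. The log lines, signature names and the log format regex are all assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample of access-log lines in Common Log Format (not from the slides).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
10.0.0.9 - - [10/Oct/2023:13:55:45 +0000] "GET /cgi-bin/%63md%2Eexe HTTP/1.0" 404 0
"""

# Signature database: name -> pattern applied to the normalised request path.
SIGNATURES = {
    "cmd.exe-request": re.compile(r"cmd\.exe", re.IGNORECASE),
    "directory-traversal": re.compile(r"\.\./"),
}

# Minimal Common Log Format parser (hypothetical; enough for the constructed lines above).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)


def normalise_path(path: str) -> str:
    """Percent-decode until stable so double-encoded paths (%255c -> %5c -> \\) cannot
    slip past a literal signature; backslashes are folded to forward slashes."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("\\", "/")


def match_signatures(line: str) -> list[dict]:
    """Return one alert per signature that matches the normalised path of this log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: nothing to match (a real sensor would count these)
    path = normalise_path(m.group("path"))
    return [{"signature": name, "src": m.group("src"), "path": path}
            for name, rx in SIGNATURES.items() if rx.search(path)]


def scan_log(text: str) -> list[dict]:
    """Run every line of the log through the signature database and collect the alerts."""
    alerts = []
    for line in text.splitlines():
        alerts.extend(match_signatures(line))
    return alerts
```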

Page 10: Intrusion Detection System

Anomaly Detection

- Models normal behaviour, e.g. the expected system calls generated by a user process (root/non-root).
- Statistical profiles for system objects are created by measuring attributes of normal use.
- Detects novel and complex attacks.
- Low efficiency: false positives, i.e. a legitimate action classified as anomalous.

Page 11: Intrusion Detection System

Anomaly Detection - continued

Immune System Approach

- Models behaviour in terms of sequences of system calls. Separate sequences arise for normal behaviour, error conditions and anomalies.
- Kernel-level system-call monitoring. E.g. the "exec" system call produces a trace in all of the above situations.
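An added example, not from the presentation, of the immune-system approach above: it builds a profile of length-3 system-call sequences from constructed normal traces and scores new traces by the fraction of sequences missing from the profile. It also shows the false-positive caveat from the previous slide, since an error-path trace is flagged until it is added to the profile. The window length, threshold and all traces are assumptions.

```python
WINDOW = 3  # length k of each system-call sequence window (assumed)

# Constructed traces of system-call names, as a kernel-level monitor would record them
# for one process. Illustrative only; not traces from the slides.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "close", "exec", "open", "read", "close", "exit"],
    ["open", "read", "mmap", "close", "exec", "open", "read", "read", "close", "exit"],
]
# Error path of the same program: the second open fails and an error message is written.
ERROR_TRACE = ["open", "read", "mmap", "close", "exec", "open", "write", "close", "exit"]
# Anomalous trace: after exec the process makes privilege-related calls it never makes normally.
ANOMALY_TRACE = ["open", "read", "mmap", "close", "exec", "setuid", "chmod", "unlink", "exit"]


def windows(trace, k=WINDOW):
    """All contiguous length-k sequences of a trace (empty if the trace is shorter than k)."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_profile(traces, k=WINDOW):
    """'Self' profile: the set of every length-k call sequence seen during normal operation."""
    profile = set()
    for t in traces:
        profile.update(windows(t, k))
    return profile


def score_trace(trace, profile, k=WINDOW):
    """Fraction of the trace's windows absent from the profile (0.0 = entirely normal)."""
    ws = windows(trace, k)
    if not ws:
        return 0.0  # too short to judge; treat as normal rather than raise a spurious alert
    mismatches = sum(1 for w in ws if w not in profile)
    return mismatches / len(ws)


def is_anomalous(trace, profile, threshold=0.3, k=WINDOW):
    """Alert when more than `threshold` of the windows are unknown (threshold is assumed)."""
    return score_trace(trace, profile, k) > threshold
```

Training the profile on error-path traces as well as normal ones removes the false positive without hiding the genuinely anomalous trace.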

Page 12: Intrusion Detection System

System Call Execution Process

Diagram of the system call path (components as shown on the slide): User Process, System Call, System Call Dispatcher, System Call Implementation, Scheduler.

Page 13: Intrusion Detection System

Kernel Level System Monitoring

Diagram: the same system call path (User Process, System Call, System Call Dispatcher, System Call Implementation, Scheduler) with an IDS Module monitoring at kernel level. The IDS Module can issue a response, e.g. a delay.

Page 14: Intrusion Detection System

Architecture

Monolithic

- A single application contains sensor, monitor, resolver and controller.
- The simplest architecture; unable to detect an attack made up of distributed normal events.

Hierarchic

- Resolver and controller at the root of the hierarchy.
- Monitors at sub-system (logical group) level.
- Sensors at node level.
- A centralised controller correlates information from the different monitors and the resolver takes the decision.

Page 15: Intrusion Detection System

Architecture – continued

Agent Based

- Distributed sensors, monitors, resolver and controller.
- Multi-hierarchy of monitors.
- High scalability.
- Recently used in various IDS.

Page 16: Intrusion Detection System

Requirements

- Accuracy
- Prevention, not just detection
- Broad attack coverage
- Analyze all relevant traffic
- Highly granular detection and response
- Sophisticated forensics and reporting
- Maximum sensor uptime
- Wire-speed performance

Page 17: Intrusion Detection System

Requirements...

- Accuracy: reduced false positives and false negatives; thorough protocol analysis.
- Prevention: real-time prevention, reconfiguration and response, self-learning profiles.
- Broad attack coverage: protects against all attacks.

Page 18: Intrusion Detection System

Requirements...

- Analyze all relevant traffic (NIDS): deploy the IDS to suit varying network topologies.
- Granular detection and response: one size does not fit all.
- Forensics and reporting: extensive historic analysis and reports.
- Wire speed: multi-gigabit performance.

Page 19: Intrusion Detection System

Conclusion

IDS will merge all Network components and tools which exist today, into a complete and cooperative system, dedicated to keeping networks Stable and Secure.

Distributed elements performing specific jobs. Hierarchical correlation and analysis. Novel approaches like AI, Data-Mining etc.

Page 20: Intrusion Detection System

References

- http://www.securityfocus.com
- http://www.citeseer.com
- "Intrusion Detection Techniques and Approaches" [Theuns Verwoerd and Ray Hunt]
- "Computer System Intrusion Detection: A Survey" [Anita K. Jones and Robert S. Sielken]
- http://www.insecure.org/
- http://nss.co.uk/

Page 21: Intrusion Detection System

Thank You!!

Questions?