INTRUSION DETECTION SYSTEM BY M.SUDHEER REDDY


Page 1: Intrusion detection system

INTRUSION DETECTION SYSTEM

BY M.SUDHEER REDDY

INTRUSION…?

AGENDA

INTRODUCTION
TYPES OF IDS
NETWORK INTRUSION DETECTION SYSTEM
HOW DOES IT PROTECT THE SENSITIVE SYSTEM
WORKING OF NIDS
DIFFERENCES BETWEEN NIDS AND FIREWALL
MISUSE DETECTION SYSTEMS
NEW ARCHITECTURE
IMPLEMENTED APPROACHES
ADVANTAGES AND DISADVANTAGES
CONCLUSION

INTRODUCTION

An intrusion is somebody attempting to break into or misuse your system.

An intrusion detection system (IDS) is a device or application that monitors network and/or system activity for malicious activity or policy violations and raises an alert when it finds them. An IDS detects and reports; it does not by itself block the traffic, which is the job of a firewall or an intrusion prevention system (IPS).

TYPES OF INTRUSION DETECTION SYSTEM

Intrusion detection systems are categorized into two types:

a) Network intrusion detection system (NIDS)

b) Host-based intrusion detection system (HIDS)

NETWORK INTRUSION DETECTION SYSTEM (NIDS)

A network-based IDS or NIDS resides on a computer or appliance connected to a segment of an organization's network and monitors the traffic on that segment.

In a NIDS the sensors are placed at choke points of the network to be monitored, often in the demilitarized zone (DMZ) or at the network border, so that traffic entering and leaving the organization passes within their view.

HOW DOES NIDS PROTECT SENSITIVE MATERIALS

A Network Intrusion Detection System (NIDS) performs the same function as a sophisticated alarm system.

NIDS observes and alerts. Because it inspects a copy of the traffic rather than sitting in the forwarding path, it does not affect network performance. It maintains a database of documented attack patterns, updated regularly (daily, in the product described here), built from nearly a decade's worth of recorded attack attempts, and alerts when observed traffic resembles one of them.

WORKING OF NIDS

HUB: The NIDS device connects to a network hub or switch that in turn connects to the network router or firewall, so that all traffic passing to or from the protected network is inspected by the NIDS device. A hub repeats every frame to every port, so the sensor sees everything; a switch forwards each frame only to its destination port, so on a switched network the sensor needs a tap, a SPAN port or an inline placement to see the traffic.

TAP: The network tap is another way of letting the NIDS see all the traffic on a switched network. A tap is similar in function to a phone tap. It typically looks like a 3-port switch: port 1 attaches to Switch 1, port 2 attaches to Switch 2, and port 3 attaches to the NIDS, which receives a copy of everything flowing between the two switches. The tap is passive: its monitor port only sends toward the NIDS, so the sensor cannot inject traffic back onto the link, and a sensor failure does not break the link.

SPAN PORT: Another popular option for adding a sniffer of any type to a network is a SPAN (mirror) port on the switch being monitored. A SPAN port is a port configured to receive a copy of all packets seen on the selected ports or VLANs. The major disadvantage of spanning ports is that they can have a detrimental effect on other traffic traversing the switch, and when the mirrored traffic exceeds the capacity of the SPAN port the switch silently drops the excess, so the NIDS may miss packets exactly when the network is busiest.

INLINE: The final option is an inline NIDS. An inline NIDS looks essentially like a bridge: it accepts traffic on one NIC and passes it back out unchanged on a second NIC. The bridge interfaces are configured without an IP address so that the sensor will not respond to any traffic and cannot be addressed by an attacker. An inline sensor that is also allowed to drop or alter packets, instead of only alerting, is an intrusion prevention system (IPS); the price of that placement is that the sensor is now in the forwarding path, so its failure or overload affects the traffic it protects.

TYPES OF DETECTION METHODS: Two types of detection methods are: a) Anomaly detection model b) Signature detection model

ANOMALY DETECTION MODEL: This IDS methodology is an approach called anomaly detection or behavior-based detection. The model works by establishing accepted baselines or rules for normal activity and noting significant deviations from them.

If an IDS looks only at network packet headers for deviations from the expected protocol behavior, it is called protocol anomaly detection.

This model triggers when events such as the following occur:

a) Unusual user account activity
b) Excessive file and object accesses
c) High CPU utilization
d) Inappropriate protocol use
e) Unusual login frequency
f) High number of sessions
g) Unusual content
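The baseline-and-deviation idea behind items a) and e) above, as an added example that is not part of the original slides: a per-user baseline of login attempts per active hour is learned from a training week, and a later hour is flagged when its count is far above that baseline or when the account was never seen at all. The log format, user names and addresses are constructed for the example; the 3-sigma rule and the absolute floor of 5 are choices made here, not values from the deck.

```python
"""
Behaviour-based (anomaly) detection over login events: learn a per-user
baseline of attempts per active hour, then flag hours that deviate from it
and accounts never seen in the baseline. Added example; not code from the
original slides. Log format, users and addresses are constructed.
"""
import re
import statistics
from collections import Counter, defaultdict

# Constructed log format: "<date> <hour> user=<name> src=<ip> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Parse log lines into dicts; an unparseable line is itself worth an alert."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        records.append(m.groupdict())
    return records


def hourly_counts(records):
    """{user: Counter({(date, hour): attempts})}"""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["user"]][(r["date"], r["hour"])] += 1
    return counts


def build_baseline(training_records):
    """Per-user (mean, population stdev) of attempts per active hour."""
    return {
        user: (statistics.mean(hours.values()), statistics.pstdev(hours.values()))
        for user, hours in hourly_counts(training_records).items()
    }


def detect(baseline, observed_records, sigma=3.0, floor=5):
    """Return (user, date, hour, count, reason) for each anomalous hour.

    An hour alerts when its count exceeds both mean + sigma*stdev and an
    absolute floor; the floor stops a user with near-zero stdev from alerting
    on a single extra login. Accounts absent from the baseline always alert."""
    alerts = []
    for user, hours in hourly_counts(observed_records).items():
        for (date, hour), n in sorted(hours.items()):
            if user not in baseline:
                alerts.append((user, date, hour, n, "unknown user account"))
                continue
            mean, stdev = baseline[user]
            threshold = max(mean + sigma * stdev, floor)
            if n > threshold:
                alerts.append((user, date, hour, n, f"login rate {n} > {threshold:.1f}"))
    return alerts


# Constructed training week: alice logs in 2/1/2 times at 08/12/17, bob 1/3 at 09/13.
TRAINING_LINES = []
for day in range(1, 8):
    date = f"2024-03-0{day}"
    for hour, n in (("08", 2), ("12", 1), ("17", 2)):
        TRAINING_LINES += [f"{date} {hour} user=alice src=10.0.0.5 result=ok"] * n
    for hour, n in (("09", 1), ("13", 3)):
        TRAINING_LINES += [f"{date} {hour} user=bob src=10.0.0.7 result=ok"] * n

# Constructed test day: a 40-attempt burst against alice at 03:00 from an
# outside address, bob slightly busier than usual, and an account never seen.
OBSERVED_LINES = (
    ["2024-03-08 08 user=alice src=10.0.0.5 result=ok"] * 2
    + ["2024-03-08 03 user=alice src=203.0.113.9 result=fail"] * 40
    + ["2024-03-08 13 user=bob src=10.0.0.7 result=ok"] * 4
    + ["2024-03-08 02 user=svc_backup src=10.0.0.9 result=ok"]
)

BASELINE = build_baseline(parse(TRAINING_LINES))


def run():
    return detect(BASELINE, parse(OBSERVED_LINES))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Two alerts come out: alice's 40-attempt hour and the never-seen svc_backup account; bob's 4 logins stay under the floor. The floor is what keeps the false-positive rate of the anomaly model tolerable for users whose baseline is almost constant, and the baseline itself is only as clean as the training window, which is the weakness the next slides list.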

Anomaly Detection:

Advantages:
Analyzes ongoing traffic, activity, transactions, and behavior for anomalies.
Has the potential to detect previously unknown types of attacks.
Catalogs the differences between baseline behavior and ongoing activity.

Disadvantages:
Prone to false positives.
Heavy processing overhead.
Vulnerable while the time-consuming, statistically significant baselines are being built: an attacker who is already active during the learning period has that activity absorbed into the "normal" baseline and is not alerted on afterwards.

SIGNATURE DETECTION MODEL: The defined patterns of code or traffic are called signatures and are usually expressed as rules when included in an IDS.

Signature-based IDS use a database of traffic and activity patterns related to known attacks. These patterns are called attack signatures.

Signatures and rules are collected together into larger sets called signature databases or rule sets.

Advantages:
Examines ongoing activity and matches it against patterns of previously observed attacks.
Works extremely well against previously observed attacks.

Disadvantages:
Signature databases must be constantly updated.
Must compare and match activities against large collections of attack signatures.
Specific signature definitions may miss variations on known attacks (the same payload with different encoding or casing, for example).
May impose a noticeable performance drag on systems.
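A minimal signature matcher, added here as an example and not taken from the slides or from any IDS product, shows both sides of the list above. Rules carry header fields (protocol, destination port) and a content pattern in the style of a Snort/Suricata content rule; the rule syntax, SIDs and packets are constructed. The same directory-traversal signature is written twice, once against raw bytes and once against a URL-decoded, case-folded payload, and the raw-byte form misses the percent-encoded variant of the very attack it was written for.

```python
"""
Signature (rule) matching over constructed packets, in the style of a
Snort/Suricata content rule. Added example; not code from the slides or from
any IDS product. Rule fields, SIDs and traffic are made up.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    sid: int                 # signature id
    msg: str                 # alert text
    proto: str               # "tcp" / "udp"
    dst_port: Optional[int]  # None matches any destination port
    content: bytes           # byte pattern that must appear in the payload
    normalize: bool = False  # URL-decode and lowercase the payload before matching


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: int
    payload: bytes


def normalize_payload(payload: bytes) -> bytes:
    """Undo %XX encoding (twice, to catch double-encoding) and fold case."""
    text = payload.decode("latin-1")
    text = unquote(unquote(text, encoding="latin-1"), encoding="latin-1")
    return text.lower().encode("latin-1")


def match(rule: Rule, pkt: Packet) -> bool:
    """Cheap header checks first, then the content search."""
    if rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.normalize:
        return rule.content.lower() in normalize_payload(pkt.payload)
    return rule.content in pkt.payload


def scan(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, str, str, str]]:
    """One (sid, msg, src, dst) alert per rule that matches a packet."""
    return [
        (rule.sid, rule.msg, pkt.src, pkt.dst)
        for pkt in packets
        for rule in rules
        if match(rule, pkt)
    ]


# Constructed rule set: the same traversal signature against raw bytes and
# against the normalized payload.
TRAVERSAL = b"../../etc/passwd"
RULES = [
    Rule(1000001, "WEB-ATTACK /etc/passwd traversal (raw bytes)", "tcp", 80, TRAVERSAL),
    Rule(1000002, "WEB-ATTACK /etc/passwd traversal (normalized)", "tcp", 80, TRAVERSAL,
         normalize=True),
]

# Constructed traffic (documentation address ranges).
PACKETS = [
    Packet("tcp", "203.0.113.9", "192.0.2.10", 80,      # plain attack
           b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("tcp", "203.0.113.9", "192.0.2.10", 80,      # same attack, %-encoded
           b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("tcp", "198.51.100.4", "192.0.2.10", 80,     # benign request
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("tcp", "203.0.113.9", "192.0.2.10", 8443,    # wrong port for these rules
           b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


def run():
    return scan(RULES, PACKETS)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Three alerts result: both rules fire on the plain request, only the normalizing rule fires on the encoded one, and nothing fires on the benign request or on the attack sent to a port the rules do not cover. Real rule sets solve the second case with per-protocol normalization (HTTP decoding, case folding) applied before content matching, which is part of why signature engines carry the processing cost listed above.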

MISUSE DETECTION:

Misuse detection is the knowledge-based family of techniques, of which signature matching is the simplest member; the approaches below look for known attack behavior rather than for deviations from a baseline.

Expert systems

Keystroke monitoring

Model-based intrusion detection

NEW ARCHITECTURE

Mobile IDS agents
The local audit trail
The local intrusion database (LID)
The secure communication module
The anomaly detection modules (ADMs)
The misuse detection modules (MDMs)
Stationary secure database

IMPLEMENTED APPROACHES

IEEE 802.11
a) Open System Authentication
b) Shared Key Authentication (depends on the WEP key and is no longer considered secure)

Secure key generation and distribution

Mitigating routing misbehavior (Sergio Marti et al. [19])

ADVANTAGES:
Monitors an entire network with only a few well-placed nodes.
Mostly passive devices.
Low overhead; a limited number of resources is used even in a large network.
Easy to secure against attack.
Mostly undetectable to attackers or intruders, because the sensors listen without an IP address and are completely hidden in the network.
Easy to install: a NIDS can be added to an existing network without interrupting conventional network operations.

DISADVANTAGES:
May not be able to monitor and analyze all traffic on large, busy networks.
Vulnerable to attacks launched during peak traffic periods on large, busy networks, when the sensor is dropping packets.
Not able to monitor switch-based (high-speed) networks effectively without a tap or SPAN port.
Typically unable to analyze encrypted data; not suitable for encrypted traffic unless it is decrypted before it reaches the sensor.
Does not always report the success or failure of attempted attacks, only that they were attempted.
Requires active manual involvement by network administrators or security administrators to tune rules and triage alerts.

CONCLUSION:

As NIDS technologies continue to evolve, they will more closely resemble their real-world counterparts. In the future, NIDS, firewalls, VPNs and related security technologies will interoperate to a much higher degree. The current generation of IDS (HIDS and NIDS) is already quite effective; as they continue to improve they will become the backbone of the more flexible security systems we expect to see in the not-too-distant future.

QUERIES…?

THANK YOU