0% found this document useful (0 votes)
792 views18 pages

Intrusion Detection System

Intrusion Detection Systems (IDS) monitor network traffic and system activities for suspicious activity that could indicate an attack or unauthorized access. There are different types of IDS including anomaly-based, signature-based, host-based, network-based, and stack-based. Anomaly-based IDS detect novel attacks but generate many false alarms. Signature-based IDS only detect known attacks by matching patterns but cannot find new threats. Host-based IDS analyze operating system logs but require careful logging. Network-based IDS monitor traffic through a network interface and filter known benign traffic. The future of IDS involves integrating network and host-based systems to improve detection of novel attacks.

Uploaded by

Sheetal Verma
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
792 views18 pages

Intrusion Detection System

Intrusion Detection Systems (IDS) monitor network traffic and system activities for suspicious activity that could indicate an attack or unauthorized access. There are different types of IDS including anomaly-based, signature-based, host-based, network-based, and stack-based. Anomaly-based IDS detect novel attacks but generate many false alarms. Signature-based IDS only detect known attacks by matching patterns but cannot find new threats. Host-based IDS analyze operating system logs but require careful logging. Network-based IDS monitor traffic through a network interface and filter known benign traffic. The future of IDS involves integrating network and host-based systems to improve detection of novel attacks.

Uploaded by

Sheetal Verma
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 18

Intrusion Detection System

Intrusion and Intrusion Detection

Intrusion : Attempting to break into or misuse your system. Intruders may be from outside the network or legitimate users of the network. Intrusion can be a physical, system or remote intrusion.

Different ways to intrude

Buffer overflows Unexpected combinations Unhandled input Race conditions

Intrusion Detection System

Analysis Engine
Knowledge Base

Response Model

Alert Database Event Provider

Other machines

Intrusion Detection Systems (IDS)

Different ways of classifying an IDS IDS based on


anomaly detection signature based misuse host based network based Stack based

Intrusion Detection Systems (IDS)


Intrusion Detection Systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.

Anomaly based IDS

This IDS models the normal usage of the network as a noise characterization. Anything distinct from the noise is assumed to be an intrusion activity.
E.g flooding a host with lots of packet.

The primary strength is its ability to recognize novel attacks.

Drawbacks of Anomaly detection IDS

Assumes that intrusions will be accompanied by manifestations that are sufficiently unusual so as to permit detection. These generate many false alarms and hence compromise the effectiveness of the IDS.

Signature based IDS

This IDS possess an attacked description that can be matched to sensed attack manifestations. The question of what information is relevant to an IDS depends upon what it is trying to detect.
E.g DNS, FTP etc.

Signature based IDS (contd.)

ID system is programmed to interpret a certain series of packets, or a certain piece of data contained in those packets,as an attack. For example, an IDS that watches web servers might be programmed to look for the string phf as an indicator of a CGI program attack. Most signature analysis systems are based off of simple pattern matching algorithms. In most cases, the IDS simply looks for a sub string within a stream of data carried by network packets. When it finds this sub string (for example, the ``phf'' in ``GET /cgi-bin/phf?''), it identifies those network packets as vehicles of an attack.

Drawbacks of Signature based IDS

They are unable to detect novel attacks. Suffer from false alarms Have to programmed again for every new pattern to be detected.

Host/Applications based IDS

The host operating system or the application logs in the audit information. These audit information includes events like the use of identification and authentication mechanisms (logins etc.) , file opens and program executions, admin activities etc. This audit is then analyzed to detect trails of intrusion.

Drawbacks of the host based IDS

The kind of information needed to be logged in is a matter of experience. Unselective logging of messages may greatly increase the audit and analysis burdens. Selective logging runs the risk that attack manifestations could be missed.

Strengths of the host based IDS

Attack verification System specific activity Encrypted and switch environments Monitoring key components Near Real-Time detection and response. No additional hardware

Stack based IDS

They are integrated closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers. This allows the IDS to pull the packets from the stack before the OS or the application have a chance to process the packets.

Network based IDS

This IDS looks for attack signatures in network traffic via a promiscuous interface. A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known un-malicious traffic.

Strengths of Network based IDS

Cost of ownership reduced Packet analysis Evidence removal Real time detection and response Malicious intent detection Complement and verification Operating system independence

Future of IDS

To integrate the network and host based IDS for better detection. Developing IDS schemes for detecting novel attacks rather than individual instantiations.

You might also like