
UNIT -2

Rahul Kumar
Assistant Professor SoCS
MALWARE
Malware is software, usually an executable binary but also scripts or documents carrying code, that is
malicious by design. Attackers use malware for a variety of actions: spying on the target with keyloggers or
remote access trojans (RATs), deleting data, or encrypting data and demanding a ransom.

Rahul Kumar Assistant Professor SoCS UPES


What is Malware Analysis?
Malware analysis is the process of determining the functionality, origin and potential impact of a given
malware sample and extracting as much information from it as possible. The extracted information helps to
understand what the malware does and how far it reaches, how the system was infected, and how to defend
against similar attacks in future.



Objectives:
•To understand the type of malware and its functionality.
•To determine how the system was infected and whether it was a targeted attack or an opportunistic one
(for example a mass phishing campaign).
•To determine how the malware communicates with the attacker (its command-and-control channel).
•To enable future detection by generating signatures and indicators of compromise.



Types of Malware Analysis:
•Static analysis – Analyzing the malware without executing it. It extracts as much metadata from the
sample as possible: PE headers, imports, strings, hashes and so on.
•Dynamic analysis – Executing the malware in an isolated environment (sandbox or disposable VM) and
observing what it does at run time, optionally stepping through it under a debugger.



•Code analysis – Reverse engineering the disassembled code; it combines static techniques (disassembly)
and dynamic ones (debugging).
•Behavioral analysis – Monitoring the malware after execution: process creation, file and registry
changes, and network traffic, to determine how the malware works.
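The static-analysis step above, worked as an added example (this is not code from the original deck): a minimal PE header walker plus string extraction, run over a constructed in-memory PE image rather than real malware. The section names, the writable-and-executable `.stage` section, the API names in the sample and the URL `http://c2.example.invalid/gate.php` are all assumptions built into the constructed sample.

```python
import re
import struct

# Section characteristic flags, from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}

# Windows APIs that process-injection code typically imports; a watchlist, not proof.
INJECTION_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"}


def build_sample() -> bytes:
    """Constructed minimal PE image (not real malware): DOS header, PE signature,
    COFF header with no optional header, two section headers and their raw data."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)  # e_lfanew lives at offset 0x3C
    dos = dos.ljust(0x80, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x5F000000, 0, 0, 0, 0x0022)
    text_raw = b"CreateRemoteThread\x00WriteProcessMemory\x00".ljust(64, b"\x00")
    stage_raw = b"http://c2.example.invalid/gate.php\x00".ljust(64, b"\x00")
    hdr = "<8sIIIIIIHHI"  # name, vsize, vaddr, rawsize, rawptr, relocs, lines, nreloc, nlines, flags
    sections = struct.pack(hdr, b".text", 64, 0x1000, 64, 0x100, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    sections += struct.pack(hdr, b".stage", 64, 0x2000, 64, 0x140, 0, 0, 0, 0,
                            IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
                            | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    image = (dos + b"PE\x00\x00" + coff + sections).ljust(0x100, b"\x00")
    return image + text_raw + stage_raw


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    off = e_lfanew + 4 + 20 + opt_size  # the section table follows the optional header
    sections = []
    for _ in range(nsect):
        name, _, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr,
                         "flags": flags})
        off += 40
    return {"machine": MACHINES.get(machine, hex(machine)), "timestamp": stamp,
            "characteristics": chars, "sections": sections}


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable-ASCII runs, the same thing the `strings` tool reports."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def suspicious_sections(info: dict) -> list:
    """Writable and executable sections are a common unpacking-stub indicator."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in info["sections"] if s["flags"] & wx == wx]


def injection_apis(strings: list) -> list:
    return sorted(INJECTION_APIS.intersection(strings))


if __name__ == "__main__":
    sample = build_sample()
    info = parse_pe(sample)
    print(info["machine"], [s["name"] for s in info["sections"]])
    print("W+X sections:", suspicious_sections(info))
    found = extract_strings(sample)
    print("injection APIs:", injection_apis(found))
    print("URLs:", [s for s in found if "://" in s])
```

On a real sample the same three signals (architecture and compile timestamp, section flags, strings that name APIs or URLs) are the first triage facts an analyst records before ever running the file.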



Common Steps in Malware Analysis:
•Identification: Determining the presence of malware and understanding its
characteristics.
•Acquisition: Obtaining a copy of the malware for analysis, ensuring proper
handling and containment.
•Preliminary Analysis: Conducting initial assessments to gather basic information
about the malware.



•Static Analysis: Examining the malware without executing it to extract metadata and understand its structure.
•Dynamic Analysis: Executing the malware in a controlled environment to observe its behavior and effects.
•Code Analysis: Analyzing the malware’s code to understand its functionality, logic, and potential
vulnerabilities.
•Behavioral Analysis: Monitoring the malware’s actions during execution to identify its interactions with the
system and network.
•Reverse Engineering: Unpacking, disassembling and decompiling the malware to understand its inner workings
and algorithms.
•Post-Analysis: Documenting findings, generating reports, and deriving insights for future prevention and
detection.
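The dynamic and behavioral steps, as an added example that is not part of the deck: a triage script over constructed Process Monitor-style CSV lines, flagging an executable dropped into a user-writable directory, a Run-key persistence entry, execution from that directory, and an outbound TCP connection to a non-RFC1918 address. The process names, paths and the address 203.0.113.45 (a documentation range treated here as external) are constructed sample data, and the column names follow Procmon's CSV export.

```python
import csv
import io
import re

# Constructed Procmon-style export (not a real capture); invoice.exe is the sample under test.
SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","invoice.exe","4120","CreateFile","C:\\Users\\bob\\AppData\\Roaming\\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.3","invoice.exe","4120","WriteFile","C:\\Users\\bob\\AppData\\Roaming\\svchost.exe","SUCCESS","Length: 184320"
"10:01:02.9","invoice.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"
"10:01:03.4","invoice.exe","4120","Process Create","C:\\Users\\bob\\AppData\\Roaming\\svchost.exe","SUCCESS","PID: 5008"
"10:01:05.0","svchost.exe","5008","TCP Connect","DESKTOP-1:49812 -> 203.0.113.45:443","SUCCESS",""
"10:01:05.2","notepad.exe","3300","RegQueryValue","HKCU\\Software\\Microsoft\\Notepad\\iWindowPosX","SUCCESS","Type: REG_DWORD"
"""

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.IGNORECASE)
EXECUTABLE = re.compile(r"\.(exe|dll|scr|ps1|vbs|js)$", re.IGNORECASE)
CONNECT = re.compile(r"-> ([\d.]+):(\d+)$")


def is_rfc1918(ip: str) -> bool:
    a, b, _, _ = (int(x) for x in ip.split("."))
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def triage(log_text: str) -> list:
    """Return one finding per suspicious event: (pid, process, tag, path)."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        op, path = row["Operation"], row["Path"]
        tag = None
        if op == "RegSetValue" and RUN_KEY.search(path):
            tag = "persistence_run_key"
        elif op == "WriteFile" and USER_WRITABLE.search(path) and EXECUTABLE.search(path):
            tag = "dropped_executable"
        elif op == "Process Create" and USER_WRITABLE.search(path):
            tag = "exec_from_user_dir"
        elif op == "TCP Connect":
            m = CONNECT.search(path)
            if m and not is_rfc1918(m.group(1)):
                tag = "external_connection"
        if tag:
            findings.append((int(row["PID"]), row["Process Name"], tag, path))
    return findings


def summarize(findings: list) -> dict:
    """Group tags by (pid, process) so the report reads per process."""
    out = {}
    for pid, proc, tag, _ in findings:
        out.setdefault((pid, proc), set()).add(tag)
    return out


if __name__ == "__main__":
    for (pid, proc), tags in summarize(triage(SAMPLE_LOG)).items():
        print(f"{proc} (PID {pid}): {', '.join(sorted(tags))}")
```

The three tags attached to the same PID (drop, Run key, execute from AppData) are what distinguishes a dropper from a program that merely writes to its profile directory, and the later child process making the external connection is the lead for the network step.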



Advantages of Malware Analysis:

1.Threat Detection: Malware analysis enables the detection of previously unknown threats, allowing
organizations to proactively defend against attacks.
2.Improved Security: By understanding the behavior of malware, organizations can improve their
security measures and reduce the risk of infection.
3.Understanding of Attack Techniques: Malware analysis provides insight into the methods and
techniques used by attackers, allowing organizations to better prepare for and defend against future
attacks.
4.Early Detection: By analyzing malware early in its lifecycle, organizations can mitigate the impact
of an attack and reduce the time required to recover from it.
5.Forensics: Malware analysis can provide valuable information for forensic investigations and can
aid in the prosecution of attackers.



Disadvantages of Malware Analysis:
1.Time-Consuming: The process of malware analysis can be time-consuming and requires specialized
knowledge and tools.
2.Risk of Infection: Conducting malware analysis in an uncontrolled environment can result in the spread
of the malware, potentially causing harm to other systems.
3.Cost: Malware analysis requires specialized tools and expertise, which can be expensive for
organizations to acquire and maintain.
4.Difficulty: Malware is constantly evolving, and the analysis process can be challenging, requiring
specialized knowledge and expertise.
5.False Positives: Signatures and heuristics derived from analysis can produce false positives, leading to
false alarms and a loss of confidence in the security measures in place.



What is Antivirus Software?

Antivirus software (computer protection software) is a program, or set of programs, created to search for,
detect, prevent and remove malicious software from your system. Although named for viruses, modern antivirus
also detects and removes worms, trojans, adware and other threats. It is intended as a proactive control,
stopping threats before they enter your computer and cause damage. Most antivirus software runs in the
background once installed, providing real-time protection.



You may believe that your computer is safe as long as you don't visit questionable websites, but attackers
have far more sophisticated methods of infecting it, which is why a well-maintained antivirus is one of the
basic controls for keeping your data and system secure. The consequences of an infection can be severe:
malware can crash your device, monitor your accounts, or spy on you through your webcam. So, always use
antivirus software.



Types of Cyber Threats
As the Internet of Things (IoT) continues to grow, so does the risk of cybercrime for mobile phones,
laptops, smart home devices, and other internet-connected devices. According to the 2023 Cost of Data
Breach Study by IBM, the average cost of a data breach involving mobile devices is $1.9 million. You
need to protect yourself against malware by using strong passwords, keeping your devices up to date,
and being careful about what apps you download.
This unit covers three common threats (note that spyware is itself a class of malware, and phishing is
the social-engineering attack that most often delivers malware):
1.Malware
2.Spyware
3.Phishing



How Antivirus Works?
Antivirus software compares the applications and files on your computer against a database of known
malware. Because attackers continually create and distribute new variants, it also checks systems for new
or previously unseen threats using heuristics and behavior monitoring. The antivirus inspects files,
programs and applications entering and leaving your computer and compares them against its database; files
that match, or that closely resemble a known sample, are quarantined, scanned further and removed.



Most antivirus programs employ these four detection techniques:
•Signature detection compares files brought into the system against a database of byte patterns or hashes
of known malware.
•Specific detection looks for one particular known malware sample or variant.
•Generic detection looks for parts or patterns shared by a family of malware built on a common codebase, so
that new variants are caught without a dedicated signature.
•Heuristic detection looks for unknown infections by spotting suspicious file structure or behavior
(for example packed or high-entropy code, or dangerous API usage).



Benefits of Antivirus Software
•Spam and advertisements are blocked: Malicious pop-up advertising and spam websites are among the
most common ways to infect a computer. Antivirus blocks known malicious adverts and websites by denying
them access to your computer.
•Virus protection and transmission prevention: It identifies any possible infection and then attempts
to eliminate it before it can spread.
•Hackers and data thieves are hindered: Antivirus runs regular checks for hacking tools and malware on
the system. It raises the bar for attackers but does not offer complete protection against them.
•Protection from removable devices: Antivirus scans all removable media for potential viruses, reducing
the chance that infections are carried in on a USB stick.
•Restricted website access to improve web security: Antivirus web filtering blocks known dangerous or
unauthorized sites so that you only visit websites that are safe for your computer.
•Password protection: Many antivirus suites include a password manager; using one adds further security.



Disadvantages of Antivirus programs
•Slows down the system: Antivirus programs use a lot of resources such as RAM, CPU and disk I/O. As a
result, the computer's overall speed may be noticeably reduced.
•Pop-up advertisements: Unlike commercial antivirus products, free antivirus must make money in some
other way, and one approach is advertising. These advertisements often degrade the user experience by
popping up repeatedly.



•Security holes: When security flaws exist in the operating system or networking software, malware may
bypass antivirus protection entirely. The antivirus is also ineffective unless the user keeps it, and its
signatures, updated.
•No customer support: Usually no customer service is provided unless you pay for the premium version. If
an issue arises, the only way to solve it is through forums and knowledge-base resources.



What is Spyware in Cyber Security?

•Spyware is a breach of security that usually gets onto a laptop or computer when a user unintentionally
clicks a random unknown link or opens an unknown attachment, which downloads the spyware alongside the
attachment. It is best practice to be cautious about the sites used to download content onto the system.
Spyware is software that, without proper permission or authorization, steals a user's personal or business
information and sends it to a third party. It may enter a computer as a hidden component of free or shared
software.



•Spyware maliciously tracks a user's activity, accesses data, or can even crash the computer. In many cases
it runs as a background process and slows down the normal functioning of the system.



Spyware enters the laptop/computer system in the following ways:
•Phishing: Spyware enters the system when a suspicious link is clicked or an unknown dangerous attachment
is downloaded.
•Spoofing: Used alongside phishing; it makes unauthorized emails appear to come from legitimate users or
business units.
•Free or shared software: It gets into the system when a user installs software that is free of cost but
has spyware bundled with it.
•Misleading software: Advertised as very beneficial for the system (for example, a "speed booster"), but
it actually steals confidential information from the system.



Types of Spyware

Spyware entering the system is very dangerous, so proper knowledge of it can save a lot of trusted
information from becoming accessible to third parties. Spyware is classified on the basis of the function
it performs. The main types that can attack our systems are:

•Adware: Spyware that keeps track of the user's activity and serves advertisements based on the tracked
activity.

•Tracking Cookies: Cookies that track a user's browsing activity across sites and supply it to third
parties.



•Trojans: Malware disguised as legitimate software; banking trojans in particular aim to steal confidential
information such as bank details and passwords and transfer it to a third party for fraudulent transactions.
•Keyloggers: Spyware that records every keystroke the user enters through the keyboard. It is dangerous
because it enables cyber fraud: sensitive passwords can be stolen by watching what the user types.



•Stalkerware: Spyware installed on mobile phones to stalk the user. It tracks the user's movements and
sends them to a third party.
•System Monitor: Spyware that monitors and records the entire system, including user activity, sensitive
information, keystrokes, calls and chats. It is extremely dangerous to user privacy.



How Spyware Infects Devices?
Spyware attaches itself to websites and downloads without drawing the user's attention. Many programs are
downloaded without any warning alongside the software the user wanted, and these are very dangerous for the
computer. Another way spyware enters a system is when the user clicks unverified links or downloads
malicious content.



Effects of Spyware
When spyware enters the computer system it accesses information it is not authorized to view. In most cases
it also supplies this information to third parties, leading to data leaks. Sensitive information such as
passwords and bank details is at particular risk. Data leakage, theft of sensitive information, tracking of
the user's activity and preferences, slowing down the system, and even crashing it are the effects spyware
can cause once it enters the system without the user's consent.



Phishing
Phishing is one type of cyber attack. The name comes from "fishing": bait is put out for the fish to get
trapped, and phishing works the same way. It is an unethical way to dupe the user or victim into clicking
harmful links or sites. The attacker crafts the harmful site so that the victim believes it to be authentic
and falls prey to it. The most common mode of phishing is sending spam emails that appear authentic and so
capture the victim's credentials.



The main motive of the attacker behind phishing is to gain confidential
information like
•Password
•Credit card details
•Social security numbers
•Date of birth



The attacker uses this information to further target and impersonate the user and to cause data theft. The
most common type of phishing happens through email. Victims are tricked into revealing information that
should be kept private. The original logo of the sender is used to make the user believe that it is indeed
the genuine email, but if we look carefully at the details, we find that the URL or web address is not
authentic.


Let's understand this concept with the help of an example:



In the above example, most people believe it is YouTube just by looking at the red icon. Thinking of YouTube
as a secure platform, the user installs the extension without being suspicious. But if we look carefully,
the URL is supertube.com and not youtube.com. Secondly, YouTube never asks you to add an extension to watch
a video. Thirdly, the extension name itself is strange enough to raise doubts about its credibility.



How Does Phishing Occur?
Below are the ways through which phishing generally occurs; any of them can lead the user into a phishing
attack.
•Clicking on an unknown file or attachment: The attacker deliberately sends a suspicious file to the victim;
when the victim opens it, either malware is installed on the system or the file prompts the user to enter
confidential data.
•Using an open or free Wi-Fi hotspot: A simple way to harvest confidential information is to lure users
with free Wi-Fi. The hotspot operator can observe unencrypted traffic and redirect users to phishing pages
without their knowledge.



•Responding to social media requests: This commonly involves social engineering. Accepting unknown friend
requests and then inadvertently leaking secret data is one of the most common mistakes made by naive users.
•Clicking on unauthenticated links or ads: Such links are deliberately crafted to lead to a phishing website
that tricks the user into typing confidential data.



Types of Phishing Attacks
There are several types of phishing attacks; the ones below are very common and widely used by attackers.
•Email Phishing: The most common type, where users are tricked into clicking links in unsolicited emails and
leaking secret data. Attackers impersonate a legitimate identity and send emails to victims in bulk.
Generally the goal is to obtain personal details such as bank details, credit card numbers, user IDs and
passwords for online shopping sites, or to install malware. After obtaining the information, they use it to
steal money from the user's account or to harm the target system.



•Spear Phishing: In this variant a particular user (an organization or an individual) is targeted. The
attacker first gathers detailed information about the target and then sends tailored malicious emails to
trap them into typing confidential data. For example, the attacker targets an employee in the finance
department of some organization, pretends to be that employee's manager, and requests personal information
or a large transfer of money. It is among the most successful phishing techniques because the message is
believable.
•Whaling: Whaling is like spear phishing but the target is the head of the company, such as the CEO or
CFO. A high-pressure email is sent to such executives so that they do not have much time to think, and so
fall prey to the phish.



•Smishing: In this type of phishing attack, the medium of phishing attack is
SMS. Smishing works similarly to email phishing. SMS texts are sent to victims
containing links to phished websites or invite the victims to call a phone number or to
contact the sender using the given email. The victim is then invited to enter their
personal information like bank details, credit card information, user id/ password, etc.
Then using this information the attacker harms the victim.



•Vishing: Vishing is also known as voice phishing. The attacker calls the victim, using caller-ID spoofing
to convince the victim that the call is from a trusted source. Attackers also use IVR systems to make it
harder for authorities to trace them. It is generally used to steal credit card numbers or other
confidential data from the victim.
•Clone Phishing: The attacker copies an email that was genuinely sent from a trusted source and alters it
by replacing a link or attachment with one that leads to a malicious or fake website. The cloned mail is
then sent to a large number of users, and the attacker waits to see who clicks. Accounts compromised this
way are often used to send the same clone on to the victim's own contacts, which is how it spreads.



Impact of Phishing

Each victim is affected differently by a phishing attack, but these are some of the common impacts on the
majority of people.

•Financial Loss: Phishing attacks often target financial information, such as credit card numbers and bank
account login credentials. This information can be used to steal money or make unauthorized purchases,
leading to significant financial losses.



•Identity Theft: Phishing attacks can also steal personal information, such as Social Security numbers and
dates of birth, which can be used to steal an individual's identity and cause long-term harm.
•Damage to Reputation: Organizations that fall victim to phishing attacks can suffer damage to their
reputation, as customers and clients may lose trust in the company's ability to protect their information.



•Disruption to Business Operations: Phishing attacks can also cause significant disruption to business
operations, as employees may have their email accounts or computers compromised, leading to lost productivity
and data.
•Spread of Malware: Phishing attacks often use attachments or links to deliver malware, which can infect a
victim's computer or network and cause further harm.



Signs of Phishing
It is very important to be able to identify the signs of a phishing attack in order to protect against its
harmful effects. These signs help the user protect their data and information from attackers. Some signs to
look out for include:
•Suspicious email addresses: Phishing emails often use sender addresses that appear to be from a trusted
source but are controlled by the attacker. Check the email address carefully and look for slight variations
or misspellings that may indicate a fake address.



•Urgent requests for personal information: Phishing attacks often try to create a sense of urgency in order
to trick victims into providing personal information quickly. Be cautious of emails or messages that ask for
personal information and make sure to verify the authenticity of the request before providing any
information.
•Poor grammar and spelling: Phishing attacks are often created quickly and carelessly and may contain poor
grammar and spelling errors. These mistakes can indicate that the email or message is not legitimate.



•Requests for sensitive information: Phishing attacks often try to steal sensitive information, such as
login credentials and financial details. Be cautious of emails or messages that ask for sensitive
information and verify the authenticity of the request before providing any.
•Unusual links or attachments: Phishing attacks often use links or attachments to deliver malware or
redirect victims to fake websites. Be cautious of links or attachments in emails or messages, especially
from unknown or untrusted sources.
•Strange URLs: Phishing attacks often use fake websites that look similar to the real ones but have slightly
different URLs. Look for strange URLs or slight variations in the domain name that may indicate a fake
website.



How To Stay Protected Against Phishing?
We have seen how vulnerable a user becomes to phishing. With proper precautions, one can avoid such scams.
Below are ways to protect users against phishing attacks:
•Authorized sources: Download software only from authorized sources that you trust.
•Confidentiality: Never enter your private details into unknown links or forms; keep your data away from
attackers.
•Check the URL: Always check the URL of a website before entering anything; it helps you avoid being trapped
by a phishing page.
•Avoid replying to suspicious messages: If you receive an email from a known source but it looks suspicious,
contact the source through a new message or another channel rather than using the reply option.
•Phishing detection tools: Use phishing-detection tools (browser and mail filters) that flag crafted websites
with unauthentic content.
•Avoid free Wi-Fi: Avoid untrusted public Wi-Fi, or use a VPN on it, as it exposes you to interception and
phishing.
•Keep your system updated: Keep your system and browser updated so that known vulnerabilities used by
phishing kits cannot be exploited.
•Keep the system firewall on: The firewall filters unsolicited and suspicious inbound connections so that
only expected traffic reaches your machine.



How To Distinguish between a Fake Website and a Real Website?

It is very important nowadays to tell fake websites apart from real ones. Here are some of the ways through
which you can identify which websites are real and which ones are fake. To distinguish between a fake
website and a real website, always remember the following points:



•Check the URL of the website: A legitimate website uses a secure transport to protect you from online
threats, so always check the beginning of the address. If it starts with https:// the connection is
encrypted, which protects the data in transit from eavesdroppers; if it starts with http:// the site is not
secure and you should not enter anything sensitive. Note the caveat, however: https:// only proves that the
connection is encrypted, not that the site is genuine. Phishing sites routinely obtain certificates too, so
the padlock is necessary but not sufficient, and the domain name still has to be checked.
•Check the domain name of the website: Attackers generally create a website whose address mimics a large
brand or company, for example a look-alike of www.amazon.com with a subtly misspelled domain or with the
brand name placed in a subdomain. If we look closely we can see that the registered domain is not
amazon.com, so it is a phishing website. Be careful with such addresses.



•Look at the site design: If you open a website from a link, pay attention to its design. Although the
attacker tries to imitate the original as closely as possible, they usually fall short somewhere. If
something looks off, that may be a sign of a fake website. For example, www.sugarcube.com/facebook may open
a page cloned from the real Facebook login page, but it is a fake website; the original link to Facebook is
www.facebook.com.
•Check the available web pages: A fake website usually does not contain all the pages present on the
original website. When you suspect a fake website, open the other links on it. If they only lead to a login
page, or nowhere at all, that is a strong sign the website is fake.
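The "strange URLs" sign and the domain-name check above, as an added example (not code from the deck or from any anti-phishing product): a URL classifier that extracts the registrable domain, flags missing TLS and punycode (IDN) labels, and reports brand abuse in subdomains, hyphenated names, confusable characters and single-character typos. The brand allowlist, the small multi-part-suffix table (a real tool would load the Public Suffix List), the confusable table and all sample URLs are constructed assumptions; `supertube.com` is the page's own example.

```python
from urllib.parse import urlsplit

# Constructed allowlist of brands and their genuine registrable domains.
BRAND_DOMAINS = {"paypal.com", "amazon.com", "youtube.com", "facebook.com"}
BRANDS = sorted(d.split(".")[0] for d in BRAND_DOMAINS)
# Two-label public suffixes; a production tool would load the full Public Suffix List.
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.in"}
# Look-alike substitutions seen in typosquats; multi-character ones are applied first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]

SAMPLE_URLS = [  # constructed examples, not observed phishing sites
    "https://www.paypal.com/signin",
    "https://paypal.com.secure-login.example/login",
    "http://www.paypa1.com/",
    "https://amazom.com/",
    "https://xn--pypal-4ve.com/",
    "https://supertube.com/",
]


def registrable_domain(host: str) -> str:
    """The part of the host the attacker actually registered (e.g. secure-login.example)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> dict:
    """Verdicts: brand-domain (genuine), lookalike (brand abused), unknown."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    findings = []
    if parts.scheme != "https":
        findings.append("no-tls")
    if any(label.startswith("xn--") for label in labels):
        findings.append("punycode-label")  # IDN host: decode and eyeball it before trusting
    reg = registrable_domain(host)
    if reg in BRAND_DOMAINS:
        return {"host": host, "verdict": "brand-domain", "brand": reg, "findings": findings}
    subdomain_labels = labels[:len(labels) - reg.count(".") - 1]
    reg_label = reg.split(".")[0]
    for brand in BRANDS:
        reason = None
        if brand in subdomain_labels:
            reason = "brand-in-subdomain"          # paypal.com.secure-login.example
        elif brand in reg_label.split("-"):
            reason = "brand-in-name"               # secure-paypal.example
        elif normalize(reg_label) == brand:
            reason = "confusable"                  # paypa1.com
        elif levenshtein(reg_label, brand) == 1:
            reason = "edit-distance-1"             # amazom.com
        if reason:
            findings.append(f"{reason}:{brand}")
            return {"host": host, "verdict": "lookalike", "brand": brand, "findings": findings}
    return {"host": host, "verdict": "unknown", "brand": None, "findings": findings}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify(u)
        print(f"{r['verdict']:13} {r['host']:40} {r['findings']}")
```

The point the classifier makes concrete is that the brand string appearing anywhere in the host proves nothing; only the registrable domain identifies who controls the site, and a valid https:// padlock is reported separately because a look-alike can have one too.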



Anti-Phishing Tools

It is essential to use anti-phishing tools to detect phishing attacks. Here are some of the most popular and
effective anti-phishing tools available:
•Anti-Phishing Domain Advisor (APDA): A browser extension that warns users when they visit a phishing
website. It uses a database of known phishing sites and provides real-time protection against new threats.
•PhishTank: A community-driven website that collects and verifies reports of phishing attacks. Users can
submit phishing reports and check the status of suspicious websites.



•Webroot Anti-Phishing: A browser extension that uses machine learning algorithms to identify
and block phishing websites. It provides real-time protection and integrates with other security
tools.
•Malwarebytes Anti-Phishing: A security tool that protects against phishing attacks by detecting
and blocking suspicious websites. It uses a combination of machine learning and signature-based
detection to provide real-time protection.
•Kaspersky Anti-Phishing: A browser extension that provides real-time protection against
phishing attacks. It uses a database of known phishing sites and integrates with other security
tools to provide comprehensive protection.



INTRUSION DETECTION AND PREVENTION SYSTEMS
An Intrusion Detection System (IDS) monitors network or system activity for malicious activity and raises
alerts; an Intrusion Prevention System (IPS), also called an Intrusion Detection and Prevention System, does
the same inline and additionally attempts to block or stop the activity. The major functions of an IPS are
to identify malicious activity, collect information about it, report it, and attempt to block or stop it.
Intrusion prevention systems are considered an extension of IDS, because both IPS and IDS monitor network
traffic and system activity for malicious activity.



An IPS typically records information about observed events, notifies security administrators of important
events and produces reports. Many IPS can also respond to a detected threat by attempting to prevent it from
succeeding, using response techniques such as stopping the attack itself, changing the security environment
(for example reconfiguring a firewall) or changing the attack's content.



An IPS works by analyzing network traffic in real time and comparing it against known attack patterns and
signatures. When the system detects suspicious traffic, it blocks it from entering the network.

Types of IPS

There are two main deployment types of IPS:
1.Network-Based IPS: installed at a network boundary (for example the perimeter), it monitors all traffic
that enters and exits the network.
2.Host-Based IPS: installed on an individual host, it monitors the traffic and activity going in and out of
that host.

Why Do You Need an IPS?
An IPS is an essential tool for network security. Here are some reasons why:
•Protection Against Known and Unknown Threats: An IPS can block known threats and also
detect and block unknown threats that haven’t been seen before.
•Real-Time Protection: An IPS can detect and block malicious traffic in real-time,
preventing attacks from doing any damage.
•Compliance Requirements: Many industries have regulations that require the use of an IPS
to protect sensitive information and prevent data breaches.
•Cost-Effective: An IPS is a cost-effective way to protect your network compared to the cost
of dealing with the aftermath of a security breach.
•Increased Network Visibility: An IPS provides increased network visibility, allowing you to
see what’s happening on your network and identify potential security risks.

Classification of Intrusion Prevention System (IPS):
Intrusion Prevention System (IPS) is classified into 4 types:
1.Network-based intrusion prevention system (NIPS): It monitors the entire network for suspicious traffic
by analyzing protocol activity.
2.Wireless intrusion prevention system (WIPS): It monitors a wireless network for suspicious traffic by
analyzing wireless networking protocols.
3.Network behavior analysis (NBA): It examines network traffic to identify threats that generate unusual
traffic flows, such as distributed denial of service attacks, specific forms of malware and policy violations.
4.Host-based intrusion prevention system (HIPS): It is a software package installed on a single host that
monitors that host for suspicious activity by scanning the events that occur within it.

Comparison of Intrusion Prevention System (IPS) Technologies:
The table below compares the IPS technology types by the kinds of malicious activity they detect,
their scope per sensor, and their strengths:

IPS Technology Type: Network-Based
  Types of Malicious Activity Detected: Network, transport, and application TCP/IP layer activity
  Scope per Sensor: Multiple network subnets and groups of hosts
  Strengths: Only IDPS which can analyze the widest range of application protocols

IPS Technology Type: Wireless
  Types of Malicious Activity Detected: Wireless protocol activity; unauthorized wireless local area
  networks (WLAN) in use
  Scope per Sensor: Multiple WLANs and groups of wireless clients
  Strengths: Only IDPS able to predict wireless protocol activity

IPS Technology Type: NBA
  Types of Malicious Activity Detected: Network, transport, and application TCP/IP layer activity
  that causes anomalous network flows
  Scope per Sensor: Multiple network subnets and groups of hosts
  Strengths: Typically, more effective than the others at identifying reconnaissance scanning and
  DoS attacks, and at reconstructing major malware infections

IPS Technology Type: Host-Based
  Types of Malicious Activity Detected: Host application and operating system (OS) activity;
  network, transport, and application TCP/IP layer activity
  Scope per Sensor: Individual host
  Strengths: Can analyze activity that was transferred in end-to-end encrypted communications

An intrusion detection system (IDS) observes network traffic for malicious transactions and
sends immediate alerts when one is observed. It is software that checks a network or system
for malicious activities or policy violations. Each illegal activity or violation is typically
recorded centrally using a SIEM system or reported to an administrator. An IDS monitors a
network or system for malicious activity and protects a computer network from unauthorized
access by users, including possibly insiders. The intrusion detector learning task is to build
a predictive model (i.e. a classifier) capable of distinguishing between 'bad connections'
(intrusions/attacks) and 'good' (normal) connections.

How does an IDS work?
•An IDS (Intrusion Detection System) monitors the traffic on a computer network to
detect any suspicious activity.
•It analyzes the data flowing through the network to look for patterns and signs of
abnormal behavior.
•The IDS compares the network activity to a set of predefined rules and patterns to
identify any activity that might indicate an attack or intrusion.
•If the IDS detects something that matches one of these rules or patterns, it sends an
alert to the system administrator.
•The system administrator can then investigate the alert and take action to prevent any
damage or further intrusion.

IDS are classified into 5 types:
•Network Intrusion Detection System (NIDS): Network intrusion detection systems (NIDS) are
set up at a planned point within the network to examine traffic from all devices on the network. It
performs an observation of passing traffic on the entire subnet and matches the traffic that is passed
on the subnets to the collection of known attacks. Once an attack is identified or abnormal behavior
is observed, the alert can be sent to the administrator. An example of a NIDS is installing it on the
subnet where firewalls are located in order to see if someone is trying to crack the firewall.

•Host Intrusion Detection System (HIDS): Host intrusion detection systems (HIDS) run on
independent hosts or devices on the network. A HIDS monitors the incoming and outgoing
packets from the device only and will alert the administrator if suspicious or malicious
activity is detected. It takes a snapshot of existing system files and compares it with the
previous snapshot. If the monitored system files were edited or deleted, an alert is sent to the
administrator to investigate. An example of HIDS usage can be seen on mission-critical
machines, which are not expected to change their layout.

•Protocol-based Intrusion Detection System (PIDS): A protocol-based intrusion detection system
(PIDS) comprises a system or agent that consistently resides at the front end of a server,
controlling and interpreting the protocol between a user/device and the server. It tries to secure the
web server by regularly monitoring the HTTPS protocol stream and interpreting the related HTTP
protocol. Because the HTTPS traffic is only in unencrypted form immediately before it enters the web
presentation layer, this system needs to reside at that interface in order to inspect the HTTPS traffic.

•Application Protocol-based Intrusion Detection System (APIDS): An
application Protocol-based Intrusion Detection System (APIDS) is a system or agent
that generally resides within a group of servers. It identifies the intrusions by
monitoring and interpreting the communication on application-specific protocols.
For example, this would monitor the SQL protocol explicitly to the middleware as it
transacts with the database in the web server.
•Hybrid Intrusion Detection System: Hybrid intrusion detection system is made
by the combination of two or more approaches to the intrusion detection system. In
the hybrid intrusion detection system, the host agent or system data is combined
with network information to develop a complete view of the network system. The
hybrid intrusion detection system is more effective in comparison to the other
intrusion detection systems. Prelude is an example of a Hybrid IDS.
Benefits of IDS
•Detects malicious activity: IDS can detect any suspicious activities and alert the
system administrator before any significant damage is done.
•Improves network performance: IDS can identify any performance issues on
the network, which can be addressed to improve network performance.
•Compliance requirements: IDS can help in meeting compliance requirements by
monitoring network activity and generating reports.
•Provides insights: IDS generates valuable insights into network traffic, which can
be used to identify any weaknesses and improve network security.

Detection Method of IDS
1.Signature-based Method: Signature-based IDS detects attacks on the basis of specific
patterns, such as the number of bytes or a particular sequence of 1s and 0s in the network traffic.
It also detects attacks on the basis of already known malicious instruction sequences used by
malware. The patterns the IDS looks for are known as signatures. Signature-based IDS can easily
detect attacks whose pattern (signature) already exists in the system, but it is quite difficult to
detect new malware attacks as their pattern (signature) is not yet known.

2.Anomaly-based Method: Anomaly-based IDS was introduced to detect unknown malware attacks,
as new malware is developed rapidly. In anomaly-based IDS, machine learning is used to build a
model of trusted (normal) activity; any incoming activity is compared with that model and is declared
suspicious if it does not fit the model. The machine learning-based method generalizes better than
signature-based IDS, as these models can be trained according to the applications and hardware
configurations.
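The two detection methods above, together with the rule-matching and alerting workflow described under "How does an IDS work?", are shown in the following added example (it is not code from the slides; the hosts, payloads, signature rules and baseline figures are all constructed, and the anomaly model is a simple statistical threshold standing in for a trained machine learning model):

```python
"""Toy IDS applying both detection methods to constructed connection records.
Hosts, payloads, signatures and baseline figures are all hypothetical."""
import re
import statistics

# Constructed records, not captured traffic: (source host, destination port, payload start)
EVENTS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, b"GET /about.html HTTP/1.1"),
    ("10.0.0.7", 80, b"GET /../../config.ini HTTP/1.1"),  # matches a known signature
    ("10.0.0.9", 443, b"\x16\x03\x01"),                    # ordinary TLS handshake start
] + [("10.0.0.13", port, b"SYN") for port in range(1000, 1040)]  # one host, 40 ports

# Signature-based method: fixed patterns for already-known malicious content.
# Hypothetical rules in the spirit of a NIDS ruleset, not a real vendor ruleset.
SIGNATURES = {
    "SIG-1 directory traversal in request path": re.compile(rb"\.\./\.\./"),
    "SIG-2 constructed malware marker": re.compile(rb"MALWARE-TEST-MARKER"),
}


def signature_alerts(events):
    """Return (event index, rule name) for each payload matching a known signature."""
    return [(i, name) for i, (_, _, payload) in enumerate(events)
            for name, rx in SIGNATURES.items() if rx.search(payload)]


# Anomaly-based method: a model of normal activity learned from a clean period.
# Here the model is simply the distinct destination ports contacted per source
# host during training (constructed baseline counts), summarised as mean + k*stdev.
BASELINE_PORTS_PER_HOST = [1, 2, 1, 3, 2, 1, 2, 2, 1, 3]


def anomaly_alerts(events, baseline=BASELINE_PORTS_PER_HOST, k=3.0):
    """Flag source hosts whose distinct-port count exceeds the learned limit."""
    limit = statistics.mean(baseline) + k * statistics.stdev(baseline)
    ports_by_host = {}
    for src, port, _ in events:
        ports_by_host.setdefault(src, set()).add(port)
    return {src: len(p) for src, p in ports_by_host.items() if len(p) > limit}


if __name__ == "__main__":
    # The traversal request is caught only by the signature rule; the port sweep
    # has no signature and is caught only by the anomaly model: the two complement.
    for idx, rule in signature_alerts(EVENTS):
        print(f"ALERT signature: event {idx} matched {rule}")
    for host, count in anomaly_alerts(EVENTS).items():
        print(f"ALERT anomaly: {host} contacted {count} distinct ports")
```

Running the script shows one alert from each method, illustrating why the slides present the two approaches as complementary rather than interchangeable.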
