This ppt explain you various type of possible attack, security property, Traffic Analysis, Security mechanism Intrusion detection system, vulnerability, Attack framework etc.

1. IDS/IPS
Computer Security and Intrusion Detection
• Communication
•Any communication requires 4 entities
•Source
•Destination
•Medium
•Protocol – Rule

2. IDS/IPS
Computer Security and Intrusion Detection
• Communication – Flow of Information

3. IDS/IPS
Computer Security and Intrusion Detection
• Various types of attacks
•Interruption
•Interception
•Modification
•Fabrication

4. IDS/IPS
Computer Security and Intrusion Detection
• Interruption - state where the asset of a system gets
destroyed or becomes un-available
• targets the source or the communication channel
• prevents the information from reaching the destination

5. IDS/IPS
Computer Security and Intrusion Detection
• Interruption - Examples
• Cutting the physical cable medium
• Overload the carrying medium
• Types of Denial of Service (DoS) Attacks

6. IDS/IPS
Computer Security and Intrusion Detection
• Interception – un-authorized party gets illegal access to
the information traversing through the communication
channel.
• Examples
•Wiretapping

7. IDS/IPS
Computer Security and Intrusion Detection
• Modification – information is intercepted and modified .
• Examples
•MITM Attacks

8. IDS/IPS
Computer Security and Intrusion Detection
• Fabrication – attacker inserts forged objects into the
system without the senders knowledge and involvement .

9. IDS/IPS
Computer Security and Intrusion Detection
• Fabrication – 2 types
• Replaying
• previously intercepted entity is inserted
• Example – Replaying an authentication message.
• Masquerading
• attacker pretends to be the legitimate source
• inserts his / her desired information
• Example – Adding new records to a file or database

10. IDS/IPS
Computer Security and Intrusion Detection
• Security Property
•Desired feature of a system with regard to certain
type of attacks.
•The four attacks discussed in the previous section
violates the various security properties of an
information system
•Core qualities of any information system

11. IDS/IPS
Computer Security and Intrusion Detection
• Security Property
•Confidentiality
•Integrity
•Availability
•Authentication
•Non Repudiation

12. IDS/IPS
Computer Security and Intrusion Detection
• Traffic Analysis - Process of intercepting and
examining messages in order to deduce information
from patterns in communication. Information collected
include:
•Source
•Destination
•Timing of the data
•Frequency of a particular message
•Type of data / communication

13. IDS/IPS
Computer Security and Intrusion Detection
• Non-repudiation
Concept of ensuring that a contract cannot later be
denied by one of the parties involved.
• Describes the mechanism that prevents either sender
or receiver from denying a transmitted message.
•Non-repudiation of origin – proves data has been sent
•Non-repudiation of delivery – proves data has been
received

14. IDS/IPS
Computer Security and Intrusion Detection
•Security Mechanisms
The various actions and countermeasures
employed to safeguard the security properties of an
information system.
•Security Mechanisms – 3 Types
•Attack Prevention
•Attack Avoidance
•Attack Detection

15. IDS/IPS
Computer Security and Intrusion Detection
• Attack Prevention
Series of security mechanisms implemented to
prevent or defend against various kinds of attacks
before they can actually reach and affect the target
system.
•Examples
•Access Control
•Firewall

16. IDS/IPS
Computer Security and Intrusion Detection
• Attack Avoidance
Techniques in which the information is modified in a
way that makes it unusable for the attacker.
•Assumption – Attacker may / has access to the
subject information.
•Examples
• Cryptography

17. IDS/IPS
Computer Security and Intrusion Detection
• Attack Detection
Process / Technique of reporting that something is
able to bypass the security measures (if available),
and identifying the type of attack.
• Counter measures are initiated to recover from the
impact of the attack.
•Examples
• IDS / IPS

18. IDS/IPS
Computer Security and Intrusion Detection
• Intrusion Detection System
Intrusion detection encompasses a range of
security techniques designed to detect (and report
on) malicious system and network activity or to
record evidence of intrusion.

19. IDS/IPS
Attack Framework
• Types of Events – 2
• Attributable
Event can be traced to an authenticated user
•Non-attributable
Event cannot be traced to an authenticated user.
Ex: Any event that occur before authentication in
the login process – bad password attempts.

20. IDS/IPS
Attack Framework
Vulnerability
•Existence of a weakness, design, or implementation
error that can lead to an unexpected, undesirable
event compromising the security of the system,
network, application, or protocol involved
•Pen Testers Point of View - From a penetration
tester’s point of view, vulnerability is defined as a
security weakness in a Target of Evaluation.

21. IDS/IPS
Attack Framework
Threat
• Any possible event, action, process or phenomenon
that can potentially inflict damage on system resources

22. IDS/IPS
Attack Framework
Relation between Vulnerability and Threat

23. IDS/IPS
Attack Framework
Real Life Case Study – European Space Agency
•Ariane 5 Rocket – 10 years and $ 7 million
•Capable of placing a pair of three-ton satellites into
the orbit.
•Launched on 04 Jun 1996

24. IDS/IPS
Attack Framework
Immediately after launch, Ariane 5
exploded
Case of the explosion
a very small computer program
trying to stuff a 64-bit number into a
16-bit space
See it:
http://s.freissinet.free.fr/videos/aria
ne5.wmv

25. IDS/IPS
Attack Framework
Vulnerability Classification
Vulnerabilities can be classified as follows:
• Design Vulnerabilities
• Implementation Vulnerabilities
• Configuration or Operational Vulnerabilities

26. IDS/IPS
Attack Framework
Design Vulnerability
• When the vulnerability is said to be inherent to the
project or design
• Very difficult to detect and eliminate as it is
inherent to the project
• Proper implementation of the product will not get
rid of the flaw
• Example - TCP/IP protocol stack vulnerability

27. IDS/IPS
Attack Framework
Implementation Vulnerability
• When an error is introduced into the components
of a system, during the implementation stage of a
project or algorithm, they are termed as
Implementation Vulnerabilities.
• Error could be hardware based or software based.
• Example – Buffer Overflows

28. IDS/IPS
Attack Framework
Configuration Vulnerability
• Also known as Operational Vulnerability.
• Introduced into the system when the administrator
responsible does not perform the proper
configuration or sometimes leaving the default
configuration on.
•Example - Not disabling unwanted services,
allowing weak passwords

29. IDS/IPS
Attack Framework
Attacks
• an assault on system security that derives from an
intelligent threat.
• an intelligent act that is a deliberate attempt to
evade security services and violate the security
policy of a system
•Example - denial of service attacks, penetration
and sabotage

30. IDS/IPS
Attack Framework
Difference between Attack and Security Event
• Attack - the intruder aims at achieving a particular
result which could be against the implied security
policy
• Event – No rules are violated or broken

31. IDS/IPS
Attack Framework
Attack Components
• Attack realization tool – Example - Port
Scanner
• Vulnerability – Exploit a known vulnerability
• Security Event – actions on target system
• Result of the Attack - When an attacker is
able to exploit vulnerability and has generated a
security event
The results of an attack may vary depending upon
the security event and vulnerability chosen.

32. IDS/IPS
Attack Framework
ATTACKER
TARGET
PERFORMS ATTACK
General Attack Model

33. IDS/IPS
Attack Framework
The attacker and target represent the same entity
ATTACKER AND TARGET
ARE ON THE SAME
ENTITY

34. IDS/IPS
Attack Framework
Attack Model Categories
• Traditional Attack Model
• One-to-one Attack Model
• One-to-many Attack Model
• Distribution Attack Model
• Many-to-one Attack Model
• Many-to-many Attack Model

35. IDS/IPS
Attack Framework
Traditional Attack Model
• Attack always originate from a single point.
• Single – tier architecture
• There is only a single layer between the attacker
and the target.

36. IDS/IPS
Attack Framework
One-to-one (traditional attack model)
• The attacker and target is having a one-to-one
relationship.
•Attack originates from a single machine.

37. IDS/IPS
Attack Framework
One-to-many (traditional attack model)
• The attacker and target is having a one-to-many
relationship.
•Attack originates from a single machine, but more
than one target is there

38. IDS/IPS
Attack Framework
One-to-many (traditional attack model)

39. IDS/IPS
Attack Framework
Distributed Attack Model
• Based on many-to-one and many-to-many
relationship.
• Source of the attack is more than one entity.
• The attack packets originate from intermediate
systems compromised by the attacker.

40. IDS/IPS
Attack Framework
Many-to-one (Distributed attack model)
• The attacker and target is having a Many-to-one
relationship.
•Attack originates from more than one machine.
•There is only one target

41. IDS/IPS
Attack Framework
Many-to-one (Distributed attack model)

42. IDS/IPS
Attack Framework
Many-to-many (Distributed attack model)
• The attacker and target is having a Many-to-many
relationship.
•Attack originates from more than one machine.
•There are more than one target

43. IDS/IPS
Attack Framework
Many-to-many (Distributed attack model)

44. IDS/IPS
Attack Framework
Distributed attack
• Reconnaissance – searching for suitable host.
• Compromise the system – installing backdoors
• Attack Initiation – start the attack using the
compromised system.

45. IDS/IPS
Attack Framework
Distributed attack - Agents
• Two types of special agents
•Masters / Servers
•Daemons / Clients
•Zombie – compromised systems where agents are
installed.
•Distributed attacks implement a three tier
architecture

46. IDS/IPS
Attack Framework
Distributed attack - Advantages
• Attack Effect – devastating effect as attack
originates from multiple locations.
• Anonymity – provides high level of anonymity to
the attacker.
• Hard-to-stop attacks – Very difficult to stop the
attack without bringing down or disconnecting the
target system

47. IDS/IPS
Attack Framework
Intruder
• Also known as attacker – first element in the
attack model.
•person who attempts to gain unauthorized access
to a system, to damage that system, or to disturb
data on that system
•attempts to violate Security by interfering with
system Availability, data Integrity or data
Confidentialit

48. IDS/IPS
Attack Framework
Intruder Types
•Black Hat Hacker
•Hacker spies support by Govt
•Cyber Terrorist
•Corporate Spies
•Professional Criminals
•Vandals

49. IDS/IPS
Attack Framework
Incidents
•violation or imminent threat of violation that
could or results in
•a loss of data confidentiality,
•disruption of data or system integrity, or
disruption or denial of availability
•An incident must clearly be a breach of network
security.

50. IDS/IPS
Attack Framework
Examples of Incidents
• DoS
• Malicious Code
• Unauthorized Access
• Inappropriate Usage

51. IDS/IPS
Introduction to IDS and IPS
Intrusion - any unauthorized system or network
activity on one (or more of) computer(s) or
network(s)
Intrusion detection systems (IDSs) are software
or/and hardware based systems that detect
intrusions to your network / host based on a number
of telltale signs.

52. IDS/IPS
Introduction to IDS and IPS
Two types of IDS:
•Active IDS –
•attempt to block attacks
•respond with countermeasures
•alert administrators
•Passive IDS –
•merely log the intrusion
•create audit trails

53. IDS/IPS
Introduction to IDS and IPS
IDS can provide the following information on
attempted or actual security events
•Data destruction
•Denial-of-service
•Hostile Code
•Network or system eavesdropping
•System or network mapping and intrusion
•Unauthorized access

54. IDS/IPS
Introduction to IDS and IPS
Types of IDS
•Host - based Intrusion detection system (HIDS)
•Network-based intrusion detection system
(NIDS)
•Hybrid Intrusion Detection Systems

55. IDS/IPS
Introduction to IDS and IPS
HIDS
•Resides on the host
•They scan log files – OS log files, application
log files etc
•If the log files are corrupt, HIDS is not effective.
•The scan output is logged into secure database
and compared to detect any intrusion.

56. IDS/IPS
Introduction to IDS and IPS
Types of HIDS
• Operating System Level – Works on OS log
files.
•Application Level – Works on application level
log files.
• Network Level – works on packets addressed
to or sent from a host.

57. IDS/IPS
Introduction to IDS and IPS
Advantages of HIDS
• Cost Effective
• Additional Layer of Protection.
• Direct control over system entities – works on
packets addressed to or sent from a host.

58. IDS/IPS
Introduction to IDS and IPS
NIDS
• IDS responsible for detecting in-appropriate,
anomalous, or any other kind of data which may
be considered unauthorized or inappropriate for
a subject network
• Pattern based
HIDS – Combination of HIDS and NIDS

59. IDS/IPS
Introduction to IDS and IPS
IPS
• Sophisticated class of network security
implementation that not only has the ability to detect
the presence of intruders and their actions, but also
to prevent them from successfully launching any
attack.
• Incorporate the security features of firewall
technology and that of intrusion detection systems

60. IDS/IPS
Introduction to IDS and IPS
IPS Categories
• Host IPS (HIPS)
•Loaded on each PC and server
• Network IPS (NIPS)
•Component that effectively integrates into your
overall network security framework.

61. IDS/IPS
Introduction to IDS and IPS
Benefits of HIPS
• Attack Prevention
• Patch Relief
• Internal Attack propagation prevention
• Policy enforcement
• Regulatory requirements

62. IDS/IPS
Introduction to IDS and IPS
NIPS - Places sensors as L2 forwarding devices.

63. IDS/IPS
Introduction to IDS and IPS
Main difference between IDS and IPS – packet
dropping.
Dropping of packets – Categories
•Dropping a single packet
•Dropping all packets for a connection
•Dropping all traffic from a source IP.

64. IDS/IPS
Introduction to IDS and IPS

65. IDS/IPS
Introduction to IDS and IPS
Defense in Depth.
• Also known as Elastic defense.
• Military strategy that seeks to delay rather than
prevent the advance of an attacker.
• Represents the use of multiple computer security
techniques to help mitigate the risk of one
component of the defense being compromised or
circumvented.

66. IDS/IPS
Introduction to IDS and IPS
Defense in Depth
•Attacker has to penetrate a series of layered
defenses
• Each layer is equipped with the suitable defense
• The delay provides the security staff with the time
to respond to the attack.

67. IDS/IPS
Introduction to IDS and IPS
Defense in Depth

68. IDS/IPS
Introduction to IDS and IPS
IDS & IPS Analysis Scheme
•A baseline is first set.
•Baseline - known value or quantity with which an
unknown is compared when measured or assessed
•A group of network activities / characteristics are
categorized as baseline for an IDS system
•Anything outside baseline - malicious

69. IDS/IPS
Introduction to IDS and IPS
Network Activity Baseline
Variance from
the Baseline
activities

70. IDS/IPS
Introduction to IDS and IPS
IDS Analysis
• Process of organizing the various elements of
data related to IDS and their inter-relationships to
identify any irregular activity of interest.

71. IDS/IPS
Introduction to IDS and IPS
IDS Analysis
Divided into 4 phases:
• Preprocessing
• Analysis
• Response
• Refinement

72. IDS/IPS
Introduction to IDS and IPS
Detection Methodologies
• Rule based Detection
• Also known as Misuse Detection or Signature
detection or pattern matching.
• First scheme used in earlier IDS
• process of attempting to identify instances of
network attacks by comparing current activity
against the expected actions of an intruder

73. IDS/IPS
Introduction to IDS and IPS
• Anomaly Detection
• Also known as profile-based detection
•A profile is created for each user group on the
system.
•The profile created is then used as a baseline
to define user activity.
•If network activity deviates from baseline, alarm
is generated.

74. IDS/IPS
Introduction to IDS and IPS
• Behavior Anomaly Detection
• Looks for anomalies in user behavior.
• Characteristics dependent rather than
statistical.

75. IDS/IPS
Introduction to IDS and IPS
• Network Behavior Anomaly Detection (NMAD)
• Also known as traffic anomaly systems
• Process of continuously monitoring a
proprietary network for unusual events or trends
• Basically statistical rather than characteristics.

76. IDS/IPS
Introduction to IDS and IPS
• Protocol Anomaly Systems
• Look for deviations from the set protocol
standards.
• Primarily characteristics based.
• Not very reliable and generates false positives.

77. IDS/IPS
Introduction to IDS and IPS
• Target Monitoring Systems
• Look for modification of specified files or
objects.
• More of a corrective control.
•Creates crypto checksum for each file.
•This checksum is compared at regular intervals
to detect any changes.

78. IDS/IPS
Introduction to IDS and IPS
Heuristics
• Still in its initial stages
• Refers to the use of AI in detecting Intrusions.
• AI scripting language is used to apply the
analysis to the incoming data.

79. IDS/IPS
Introduction to IDS and IPS
Hybrid Approach
• Any system that uses a combination of the
above mentioned analysis

80. IDS/IPS
Introduction to IDS and IPS
Some Myths
•IDS and IPS are two separate solutions
•IDSs and IPSs will catch or stop all network
intrusions
•IDS give too many false positives
•IDS will eventually replace firewalls.
•Few Security Admins are required if you deploy
an IDS