Intrusion Detection System(IDS)

1. Seminar on Intrusion Detection System

2. Topics: <ul><li>Introduction of IDS

3. Technologies

4. Detection types</li></li></ul><li>Introduction <ul><li>What is IDS?

5. History

6. Need of IDS

7. Classification of IDS</li></li></ul><li>What is IDS? <ul><li>Revolution in networking

8. The possibilities and opportunities are limitless.

9. Unfortunately, so too are the risks and chances of malicious activities.</li></li></ul><li><ul><li>Intrusion=Illegal entry or unwelcome addition

10. Definition:</li></ul> Intrusion Detection System (IDS) is a software to determine if a computer network or server has experienced an unauthorized intrusion.

11. IDS detects these intrusion attempts so that action may be takento repair the damage later. IDS monitors network traffic and monitors for suspicious activity and alerts the system or network administrator.

12. The beginning(History) A USAF paper published in October 1972 written by James P. Anderson outlined the fact the USAF had “become increasingly aware of computer security problems.”

13. <ul><li>Before designing an IDS, it was necessary to understand the types of threats and attacks that could be mounted against computers systems.</li></li></ul><li><ul><li>A computer system should provide confidentiality, integrity and assuranceagainst denial of service.

14. Confidentiality:</li></ul>Whether the information stored on a system is protected against unauthorized access. Need of IDS

15. <ul><li>Integrity:</li></ul> Whether the information stored on a system is reliable and can be trusted. <ul><li>Increased connectivity: (especially on the Internet)</li></ul> more and more systems are subject to attack by intruders.

16. <ul><li>These intruders attempts try to exploit flaws in the OS as well as in application programs and have resulted in spectacular incidents.

17. Internet Worm incident of 1988.</li></li></ul><li>Two ways to handle

18. <ul><li>we cannot prevent intruders,we should at least try to detect it and prevent similar attacks in future.</li></li></ul><li>Types of intruders

19. Tasks to be performed Simulation Analysis Notification

21. Technologies:

22. Network Intrusion detection system <ul><li>Detect attacks as they happen

23. Real-time monitoring of networks

24. Provide information about attacks that have succeeded

25. Forensic analysis</li></li></ul><li><ul><li>Deploying sensors at strategic locations

26. E.G., Packet sniffing via tcpdump at routers

27. Inspecting network traffic

28. Watch for violations of protocols and unusual connection patterns

29. Monitoring user activities

30. Look into the data portions of the packets for malicious command sequences</li></li></ul><li>

31. May be easily defeated by encryption Data portions and some header information can be encrypted The decryption engine still there.

32. Related Tools for Network IDS <ul><li>While not an element of Snort, Ethereal is the best open source GUI-based packet viewer

33. www.ethereal.com offers:

34. Windows

35. UNIX, e.g., www.ethereal.com/download.html

36. Red Hat Linux RPMs: ftp.ethereal.com/pub/ethereal/rpms</li></li></ul><li>

37. Requirements of NIDS <ul><li>High-speed, large volume monitoring

38. No packet filter drops

39. Real-time notification

40. Mechanism separate from policy

41. Extensible

42. Broad detection coverage

43. Economy in resource usage

44. Resilience to stress

45. Resilience to attacks upon the IDS itself!</li></li></ul><li>Host Intrusion Detection System <ul><li>Using OS auditing mechanisms

46. E.G., BSM on Solaris: logs all direct or indirect events generated by a user

47. strace for system calls made by a program

48. Monitoring user activities

49. E.G., Analyze shell commands</li></li></ul><li><ul><li>Monitoring executions of system programs

50. E.G., Analyze system calls made by sendmail

51. A HIDS can see more than just network traffic and can make decisions based on local settings, settings specific to an OS, and log data. </li></li></ul><li>

53. Signature based ids <ul><li>Sniff traffic on network

54. border router or multiple sensors within a LAN

55. Match sniffed tracffic with signatures

56. attack signatures in database

57. Signature: set of rules pertaining to a typical intrusion activity

58. Simple example rule: any ICMP packet > 10,000 bytes

59. Example: more than one thousand SYN packets to different ports on same host under a second</li></li></ul><li><ul><li>skilled security engineers research known attacks; put them in database

60. can configure IDS to exclude certain signatures; can modify signature parameters

61. Warn administrator when signature matches.

62. send e-mail, SMS

63. send message to network management system</li></li></ul><li>Limitations to signature detection <ul><li>Requires previous knowledge of attack to generate accurate signature

64. Blind to unknown attacks

65. Signature bases are getting larger

66. Every packet must be compared with each signature

67. IDS can get overwhelmed with processing; can miss packets</li></li></ul><li>Anomaly Detection IDS <ul><li>Observe traffic during normal operation

68. Create normal traffic profile

69. Look for packet streams that are statistically unusual

70. e.g., inordinate percentage of ICMP packet

71. or exponential growth in port scans/sweeps

72. Doesn’t rely on having previous knowledge of attack

73. Research topic in security</li>