MIS risk and security project
Intrusion Detection Systems
Network security tools
Introduction
Intrusion detection is the process of collecting information about events occurring in a computer system or network and analyzing them for signs of intrusions.
Intrusions are violations of security policy, usually characterized as attempts to affect the confidentiality, integrity, or availability of a computer or network.
These violations can come from attackers accessing systems from the Internet or from authorized users of the systems who attempt to overstep their legitimate authorization levels or who use their legitimate access to the system to conduct unauthorized activity.
Intrusion prevention is the process of coupling intrusion detection with specified responses to certain detected intrusion scenarios.
Intrusion detection is a necessary function in most system security strategies.
It is the primary security technology that supports the goal of auditability.
“Auditability” is the ability to independently review and examine system records and activities to:
Determine the adequacy of system controls
Ensure compliance with established security policy and operational procedures
Detect breaches in security
Recommend any indicated changes
IDEAL INTRUSION DETECTION SYSTEM
An ideal intrusion detection system should address the following issues:
It should be able to run continuously without human supervision.
It must survive a system crash and not have its database rebuilt at restart.
It should observe and record deviations from normal behavior.
It must resist destruction: an attacker who compromises the monitored system should not be able to disable or tamper with the detector unnoticed.
It must deal with changing system behavior over time as new applications are added.
It must have a very low false negative and false positive rate.
| | POSITIVE (IDS alerts) | NEGATIVE (IDS silent) |
| TRUE | Alerts when there is malicious traffic | Silent when traffic is benign |
| FALSE | Alerts when traffic is benign | Silent when malicious traffic occurs |
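The four cells of the table become measurable once alerts are compared against ground truth. The script below is an added example, not part of the original slides: it counts TP/FP/TN/FN over a constructed set of labelled events and then shows why "very low false positive rate" is a hard requirement. The event list and the one-million-benign / ten-malicious daily volume are assumed figures for illustration.

```python
# Added example (not from the original slides): scoring an IDS with the
# true/false positive/negative vocabulary of the table above, on a constructed
# set of labelled events.

# Constructed sample: (verdict the IDS gave, ground truth of the event).
EVENTS = [
    ("alert", "malicious"),   # true positive
    ("alert", "malicious"),   # true positive
    ("silent", "benign"),     # true negative
    ("silent", "benign"),     # true negative
    ("silent", "benign"),     # true negative
    ("alert", "benign"),      # false positive
    ("silent", "malicious"),  # false negative
]


def confusion(events):
    """Count TP, FP, TN and FN over (verdict, truth) pairs."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for verdict, truth in events:
        alerted = verdict == "alert"
        malicious = truth == "malicious"
        if alerted and malicious:
            counts["TP"] += 1
        elif alerted:
            counts["FP"] += 1
        elif malicious:
            counts["FN"] += 1
        else:
            counts["TN"] += 1
    return counts


def rates(counts):
    """False positive rate, false negative rate and precision (share of alerts that are real)."""
    tp, fp, tn, fn = (counts[k] for k in ("TP", "FP", "TN", "FN"))
    return {
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
        "fnr": fn / (fn + tp) if fn + tp else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
    }


def alerts_per_day(benign_events, malicious_events, fpr, fnr):
    """Expected (false_alarms, true_alarms, precision) for a day of traffic.

    Benign events outnumber malicious ones by orders of magnitude, so even a
    small FPR can bury the true alerts; this is the base-rate problem."""
    false_alarms = benign_events * fpr
    true_alarms = malicious_events * (1.0 - fnr)
    precision = true_alarms / (true_alarms + false_alarms)
    return false_alarms, true_alarms, precision


if __name__ == "__main__":
    c = confusion(EVENTS)
    print(c, rates(c))
    # Assumed figures: one million benign events, ten real attacks, a 1% FPR
    # and 0% FNR still yield 10,000 false alarms for 10 true ones.
    print(alerts_per_day(1_000_000, 10, 0.01, 0.0))
```

With the assumed volumes, an IDS with a 1% false positive rate produces one thousand false alarms for every true one, which is why the requirement above is stated as "very low" rather than merely "low".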
IDS vs Firewall
Firewalls can be thought of as a fence or a security guard placed in front of a house. They protect a network and attempt to prevent intrusions.
IDS tools detect whether or not the network is under attack or has, in fact, been breached.
Components of an IDS
Three fundamental functional components
Information Sources – sources can be drawn from different levels of the system: network, host, and application monitoring.
Analysis – the part of intrusion detection systems that actually organizes and makes sense of the events derived from the information sources, deciding when those events indicate that intrusions are occurring or have already taken place.
Response – the set of actions that the system takes once it detects intrusions.
Responses are grouped into active and passive measures:
Active measures involve some automated intervention on the part of the system.
Passive measures involve reporting IDS findings to humans, who are then expected to take action based on those reports.
CLASSIFICATION OF INTRUSION DETECTION SYSTEMS
Host-based IDS
Network-based IDS
Anomaly-based Detection
Signature-based Detection
Host-based IDS (HIDS)
Looks for signs of intrusion on the local host system.
Use the host system’s audit and logging mechanism as a source of information for analysis
For example, it can detect logins, improper file access, unapproved privilege escalation, or alterations on system privileges
Can be an extremely powerful tool for analyzing a possible attack.
For example, it can sometimes tell exactly what the attacker did, which commands he ran, what files he opened, and what system calls he executed
Attacks carried over encrypted communications can still be detected, because a HIDS inspects data on the host itself, after incoming traffic has been decrypted and before outgoing traffic is encrypted.
This means that HIDS signatures can still match against common attacks and are not blinded by encryption, unlike a sensor on the wire.
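One of the host-level checks listed above, "alterations on system privileges" and improper changes to files, is usually implemented as a file-integrity baseline. The following is an added example, not code from the original slides: it hashes every regular file under a directory, records permission bits, and reports what changed. The directory layout, file contents and the three simulated changes are constructed for the demonstration.

```python
# Added example (not from the original slides): a minimal host-based
# file-integrity check of the kind a HIDS runs from the local file system.
# Paths and file contents below are constructed for the demonstration.
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Record (sha256, permission bits) for every regular file under root.

    A real HIDS keeps this baseline somewhere the attacker cannot edit
    (read-only media or a remote management station); otherwise the
    "resist destruction" requirement is not met."""
    state = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, devices, sockets
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (digest, stat.S_IMODE(st.st_mode))
    return state


def compare(baseline, current):
    """Return sorted (finding, path) pairs: added, removed, modified, mode_changed."""
    findings = []
    for path in baseline.keys() - current.keys():
        findings.append(("removed", path))
    for path in current.keys() - baseline.keys():
        findings.append(("added", path))
    for path in baseline.keys() & current.keys():
        old_digest, old_mode = baseline[path]
        new_digest, new_mode = current[path]
        if old_digest != new_digest:
            findings.append(("modified", path))
        if old_mode != new_mode:
            findings.append(("mode_changed", path))
    return sorted(findings)


def demo():
    """Baseline a fake system directory, then simulate three host-level changes
    an attacker might make and report what the check sees."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")
        ping = os.path.join(root, "bin", "ping")
        with open(ping, "wb") as fh:
            fh.write(b"\x7fELF fake binary")
        os.chmod(ping, 0o755)
        baseline = snapshot(root)

        # 1. a second UID-0 account appended to passwd (privilege change)
        with open(os.path.join(root, "passwd"), "a") as fh:
            fh.write("eve:x:0:0::/:/bin/bash\n")
        # 2. a new file dropped on the host
        with open(os.path.join(root, "backdoor.sh"), "w") as fh:
            fh.write("#!/bin/sh\nexec /bin/sh\n")
        # 3. the setuid bit added to an existing binary
        os.chmod(ping, 0o4755)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:13s} {path}")
```

Note that this check only sees the state of the file system between two snapshots; it says nothing about what commands the attacker ran in between, which is why a HIDS combines integrity checking with the host's audit and logging mechanisms.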
Network-based IDS (NIDS)
Most common approach
It attempts to discover unauthorized and malicious access to a LAN by analyzing the traffic that traverses the wire to multiple hosts.
It reads inbound and outgoing packets and searches for suspicious patterns.
When a NIDS raises an alert it can notify administrators or, if it is deployed so that it can act on traffic, take active actions such as blocking the source IP address.
The network IDS usually has two logical components: the sensor and the management (analysis) station.
The sensor sits on a network segment, monitoring it for suspicious traffic.
The management station receives alarms from the sensor(s) and displays them to an operator.
The sensors are usually dedicated systems that exist only to monitor the network. Their network interface runs in promiscuous mode, which means it receives all traffic on the segment, not just frames addressed to its own address, and the sensor captures the passing traffic for analysis. On a switched network the sensor must be fed by a mirror (SPAN) port or a network tap, since a switch otherwise forwards to each port only the frames addressed to it. If the sensor detects something that looks unusual, it passes an alarm back to the management station.
The management station can display the alarms or do additional analysis.
Anomaly-based IDS
An anomaly-based IDS works by building profiles of normal activity for defined users, groups of users, hosts or network segments.
This approach looks for variations and deviations from an established baseline behavior which might indicate an attack.
This baseline is the profile of what a normal scenario, usage, bandwidth or behavior would look like in a specific network environment, such as the average length of a telnet session
Any activity that deviates from the baseline is treated as a possible intrusion and an alert would be generated.
The biggest advantage of anomaly-based approach is its ability to detect zero-day attacks, since it does not depend on an established signature database, but only deviations from an established baseline.
The behavior of each target system is unique, therefore anomaly-based approaches use customized profiles, which in turn make it difficult for an attacker to know with certainty what activity can be carried out without setting off an alarm.
Anomaly-based IDSs have a high false positive rate.
It requires time to establish a baseline behavior when it is first placed in a new system.
Anomaly-based IDSs are more complex, and it is harder to associate an alarm with the specific event that triggered it.
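The slides' own example metric, the length of a telnet session, is enough to show both the strength and the weaknesses just listed. The code below is an added example and not from the original deck: it learns a baseline from constructed session durations, then scores new sessions by how many standard deviations they sit from the mean. The training durations, the 3-sigma threshold and the minimum sample count are assumptions chosen for the demonstration.

```python
# Added example (not from the original slides): a statistical anomaly detector
# with a learning period, using the slides' example metric, the length of a
# telnet session. All session durations below are constructed values.
import math


class BaselineDetector:
    """Learns mean and standard deviation of a metric, then flags observations
    more than `threshold` standard deviations away from the mean."""

    def __init__(self, threshold=3.0, min_samples=5):
        self.threshold = threshold
        self.min_samples = min_samples
        self.samples = []

    def learn(self, value):
        """Feed one observation from the learning period."""
        self.samples.append(value)

    @property
    def ready(self):
        """Until enough samples exist there is no baseline to deviate from."""
        return len(self.samples) >= self.min_samples

    def stats(self):
        n = len(self.samples)
        mean = sum(self.samples) / n
        var = sum((x - mean) ** 2 for x in self.samples) / (n - 1)
        return mean, math.sqrt(var)

    def detect(self, value):
        """Return (label, z_score) with label in learning, normal, anomaly."""
        if not self.ready:
            return "learning", 0.0
        mean, sd = self.stats()
        if sd == 0:
            z = 0.0 if value == mean else math.inf
        else:
            z = (value - mean) / sd
        return ("anomaly" if abs(z) > self.threshold else "normal"), z


# Durations in seconds of normal telnet sessions seen during the learning period.
TRAINING_SESSIONS = [310, 295, 340, 280, 330, 300, 315, 290, 325, 305]

# Observations after the baseline is built: (description, duration).
OBSERVATIONS = [
    ("ordinary session", 320),            # within the baseline
    ("admin maintenance session", 400),   # legitimate but unusual: a false positive
    ("two-hour interactive session", 7200),
    ("five-second login-and-drop", 5),    # e.g. a credential-guessing loop
]


def build_detector(training=TRAINING_SESSIONS):
    det = BaselineDetector()
    for duration in training:
        det.learn(duration)
    return det


def classify(detector, observations=OBSERVATIONS):
    """Return {description: label} for each observation."""
    return {desc: detector.detect(value)[0] for desc, value in observations}


if __name__ == "__main__":
    det = build_detector()
    mean, sd = det.stats()
    print(f"baseline: mean={mean:.1f}s sd={sd:.1f}s")
    for desc, label in classify(det).items():
        print(f"{label:8s} {desc}")
```

The detector flags the two-hour session and the five-second session without any signature for either, which is the zero-day advantage; it also flags the legitimate maintenance session, which is the false-positive cost, and it reports "learning" for everything until the baseline exists, which is the slow start in a new environment.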
Signature-based IDS
This IDS looks for packets and compares them with predefined rules or patterns known as signatures that are defined in the database.
The main advantage is simple and efficient processing of audit data.
It has lower rate of false positives.
Because of the nature of signature-based detection, it is ineffective against zero-day attacks for which there may not be a discovered ruleset or established method of attack yet
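A signature engine in its simplest form is a set of patterns applied to each packet's payload. The following added example (not code from the original slides) does exactly that over constructed HTTP payloads, and shows two things a practitioner cares about: a payload with no matching signature is silently missed, and a known attack can be missed as well if the engine does not normalize encodings before matching. The signature ids, patterns and packets are made up for illustration and are not rules from any real ruleset.

```python
# Added example (not from the original slides): a signature matcher over
# packet payloads. The signature database and packets are constructed for
# illustration and are not rules from any real IDS ruleset.
import re
from urllib.parse import unquote_to_bytes

# (sid, description, pattern applied to the payload)
SIGNATURES = [
    (1001, "directory traversal in URI", re.compile(rb"\.\./\.\./")),
    (1002, "SQL injection: UNION SELECT", re.compile(rb"(?i)union\s+(all\s+)?select")),
    (1003, "shell command chained into a parameter", re.compile(rb"[;&|]\s*(cat|id|wget|curl)\b")),
    (1004, "SQL injection: tautology", re.compile(rb"(?i)'\s*or\s*1\s*=\s*1")),
]


def normalize(payload):
    """Undo URL percent-encoding so signatures see the same bytes the server
    will. Without this step an attacker evades rule 1004 just by encoding."""
    return unquote_to_bytes(payload)


def match_signatures(payload, signatures=SIGNATURES, normalize_first=False):
    """Return the ids of all signatures whose pattern occurs in the payload."""
    data = normalize(payload) if normalize_first else payload
    return [sid for sid, _desc, pattern in signatures if pattern.search(data)]


# Constructed sample payloads (application data only, lower headers stripped).
PACKETS = {
    "traversal": b"GET /../../etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n",
    "sqli": b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n",
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n",
    "encoded": b"GET /api?q=%27%20OR%201%3D1 HTTP/1.1\r\n",           # ' OR 1=1, percent-encoded
    "zero_day": b"GET /plugins/new/upload.php?mode=raw HTTP/1.1\r\n",  # no signature exists yet
}


def scan(packets=PACKETS, normalize_first=False):
    """Run every packet through the signature database."""
    return {name: match_signatures(p, normalize_first=normalize_first)
            for name, p in packets.items()}


if __name__ == "__main__":
    print("raw:       ", scan())
    print("normalized:", scan(normalize_first=True))
```

The "zero_day" payload never matches, with or without normalization, because nothing in the database describes it; that is the limitation stated above, and the reason signature databases must be updated continuously.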
| Type | Advantages | Disadvantages |
| HIDS | 1. More accurate in intrusion detection. 2. Able to detect attacks carried over encrypted connections. 3. Does not require additional hardware. | 1. Higher cost. 2. May cause performance issues or resource consumption on the host. 3. Relies on the logging and monitoring capabilities of the host. |
| NIDS | 1. Simple to install. 2. Detects network-based attacks such as denial-of-service attacks. | 1. High fluctuations in network traffic cause packets to be lost. 2. Requires more CPU power and resources in a large-scale LAN. 3. Unable to analyze encrypted packets. |
| Anomaly-based | 1. Ability to detect zero-day attack attempts. 2. Low false negative rate. | 1. Slow to work when placed in a new environment. 2. High false positive rate. |
| Signature-based | 1. Fast, precise response to known attacks. 2. Low false positive rate. | 1. Limited capability to detect zero-day attacks. 2. Signature database must be updated frequently. |
Adaptive systems start with generalized rules for the environment, then learn, or adapt to, local conditions that would otherwise be unusual. After the initial learning period, the system understands how people interact with the environment and can then warn operators about unusual activities.
Passive and Active IDS
When classifying IDSs, we can also categorize them by the way IDSs respond during an attack.
A passive IDS records, analyzes, logs and alerts an administrator about the possibility of an attack.
An active IDS can take actions when it detects a possible intrusion, such as blocking further traffic from a specific network source or locking down the affected system.
An active IDS that sits inline and can drop traffic is also known as an Intrusion Prevention System (IPS).
Types of Computer Attacks Commonly Detected by IDS
Scanning Attacks
Denial of service (DOS)
System penetration
Scanning Attacks
A scanning attack is one in which an attacker investigates a target network or system by sending different kinds of packets.
Using the responses received from the target, the attacker can learn many of the system’s characteristics and vulnerabilities
Scanning attacks may yield:
The topology of a target network
The types of network traffic allowed through a firewall
The active hosts on the network
The operating systems those hosts are running
The server software they are running
The software version numbers for all detected software
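Scanning is the attack class a network sensor sees most clearly, so it ties the NIDS sensor description above to this list. The code below is an added example, not from the original slides: it decodes IPv4 and TCP headers the way a sensor must before it can reason about traffic, then counts how many distinct ports each source probes with bare SYN packets. Because it runs offline, the frames are built in code with a small helper instead of being read from a promiscuous-mode interface, and the 14-byte Ethernet header that a real capture would include is left out; the addresses, ports and the threshold of 10 are assumptions for the demonstration.

```python
# Added example (not from the original slides): what a NIDS sensor does with
# the frames it captures. Frames here are constructed in code with a small
# builder rather than read from a promiscuous-mode interface, and carry only
# the IPv4 and TCP headers (no Ethernet header, no payload).
import struct
from collections import defaultdict

SYN = 0x02
ACK = 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Build a minimal IPv4 header followed by a TCP header (no options)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def parse_ipv4_tcp(frame):
    """Decode the fields a scan detector needs; None if the packet is not TCP."""
    vihl, _tos, _length, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if proto != 6:
        return None
    ihl = (vihl & 0x0F) * 4                     # IPv4 header length in bytes
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", frame[ihl:ihl + 14])
    return {"src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
            "sport": sport, "dport": dport, "flags": flags}


def detect_port_scans(frames, threshold=10):
    """Flag sources that send bare SYNs (SYN set, ACK clear) to more than
    `threshold` distinct (host, port) pairs: the footprint of a SYN scan."""
    targets = defaultdict(set)
    for frame in frames:
        pkt = parse_ipv4_tcp(frame)
        if pkt is None:
            continue
        if pkt["flags"] & SYN and not pkt["flags"] & ACK:
            targets[pkt["src"]].add((pkt["dst"], pkt["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) > threshold}


def constructed_traffic():
    """A normal client opening three services, plus a scanner probing 15 ports."""
    frames = [build_ipv4_tcp("10.0.0.5", "10.0.0.20", 40000 + p, p, SYN) for p in (22, 80, 443)]
    frames += [build_ipv4_tcp("192.0.2.99", "10.0.0.20", 55555, p, SYN) for p in range(1, 16)]
    return frames


if __name__ == "__main__":
    print(detect_port_scans(constructed_traffic()))   # {'192.0.2.99': 15}
```

The threshold is the tuning knob behind the false positive / false negative trade-off discussed earlier: set it too low and a busy legitimate client is flagged, set it too high and a slow scan spread over many hours never crosses it, which is why real sensors also bound the count by a time window.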
Denial of service (DoS) attacks attempt to slow or shut down targeted network systems or services. They cause major losses to electronic commerce operations whose customers are unable to reach them to make purchases.
Penetration attacks involve the unauthorized acquisition and/or alteration of system privileges, resources, or data