Intrusion Detection Systems

Intrusion and Intrusion Detection
• Intrusion: attempting to break into or misuse your system.
• Intruders may be from outside the network or legitimate users of the network.
• Intrusion can be a physical, system or remote intrusion.

Different ways to intrude
• Buffer overflows
• Unexpected combinations
• Unhandled input
• Race conditions

Intrusion Detection System (IDS)
• An intrusion detection system (IDS) is software that automates the intrusion detection process. An intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.
• Intrusion detection systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent.

Why should I use Intrusion Detection Systems?
• Intrusion detection allows organizations to protect their systems from the threats that come with increasing network connectivity and reliance on information systems.
• To detect attacks and other security violations that are not prevented by other security measures.
• To document the existing threat to an organization.
• To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, and correction of causative factors.
• "Burglar alarms" for computer networks.

Attack types detected by most IDSs
– Scans/probes
– Denial of Service (DoS)
– User-to-Root (U2R)
– Remote-to-Local (R2L)

Types of IDS
• Various ways to classify IDS types:
– Information sources (network, host-based)
– Detection method (misuse, anomaly)
– Analysis mechanism (real-time, batch/offline)

Types: Information Sources
Network-based (NIDS):
• This IDS looks for attack signatures in network traffic via a promiscuous interface.
• A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known non-malicious traffic.

Network-based (NIDS)
– Advantages
• Packet analysis
• Evidence removal
• Real-time detection and response
• Malicious intent detection
• Complement and verification
• Operating system independence
• Relatively painless deployment
• Accurate in detecting known attacks via signatures

Network-based (NIDS)
– Disadvantages
• Difficulty processing all packets on high-speed networks
• Difficulty with encrypted protocols, switched traffic
• No indicator of attack success
– Examples: Snort, ISS, NFR, Cisco NetRanger

Types: Information Sources
Host-based (HIDS)
• A host-based IDPS monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
• The host operating system or the application logs the audit information.
• This audit information includes events such as the use of identification and authentication mechanisms (logins etc.), file opens and program executions, admin activities etc.
• These audit records are then analyzed to detect traces of intrusion.
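As an added illustration of the host-based approach (example code, not part of the original deck), the snippet below analyzes constructed login audit records of the kind listed above and flags repeated authentication failures from one source, followed by a success from that same source. The log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in a syslog-like format (not real data).
AUDIT_LOG = """\
Mar 10 09:00:01 host1 sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 10 09:00:03 host1 sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar 10 09:00:04 host1 sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar 10 09:00:06 host1 sshd[2004]: Accepted password for root from 203.0.113.5 port 40004 ssh2
Mar 10 09:15:00 host1 sshd[2100]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Mar 10 09:30:00 host1 sshd[2101]: Accepted password for alice from 198.51.100.7 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (\S+) from (\S+) port \d+"
)

def parse_line(line):
    """Extract (timestamp, outcome, user, source) from one audit line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, source = m.groups()
    return datetime.strptime(ts, "%b %d %H:%M:%S"), outcome, user, source

def analyze(log_text, threshold=3, window=timedelta(seconds=60)):
    """Walk the audit trail once and return alerts as (kind, user, source)."""
    alerts = []
    failures = defaultdict(list)  # source -> timestamps of recent failures
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, outcome, user, source = rec
        # Keep only failures that fall inside the sliding window.
        recent = [t for t in failures[source] if when - t <= window]
        if outcome == "Failed":
            recent.append(when)
            if len(recent) == threshold:  # alert exactly once per burst
                alerts.append(("repeated-failures", user, source))
        elif len(recent) >= threshold:
            alerts.append(("login-after-failures", user, source))
        failures[source] = recent
    return alerts

if __name__ == "__main__":
    for alert in analyze(AUDIT_LOG):
        print(alert)
```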

Host-based (HIDS)
– Advantages
• Can detect attacks visible only at the application layer
• Therefore, no trouble with encrypted packets
• Also unaffected by switched networks
• Attack verification
• System-specific activity
• Encrypted and switched environments
• Monitoring key components
• Near real-time detection and response
• No additional hardware

Host-based (HIDS)
– Disadvantages
• Harder to manage, correlate data, centralize
• IDS on host may be attacked and/or disabled
• Uses valuable CPU time on the host itself
– Examples: ISS (HIDS), LIDS, Tripwire

Types: Detection Method
Anomaly based IDS
• This IDS models the normal usage of the network as a noise characterization.
• Anything distinct from the noise is assumed to be intrusion activity.
– e.g. flooding a host with lots of packets.
• The primary strength is its ability to recognize novel attacks.

Anomaly based IDS
– Advantages
• Detects new attacks (the information can then be used to write signatures for misuse detectors!)
– Disadvantages
• Requires extensive training sets of data to determine what is normal
• Assumes that intrusions will be accompanied by manifestations that are sufficiently unusual to permit detection
• These generate many false alarms and hence compromise the effectiveness of the IDS
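The following added example (not from the original deck) shows the anomaly approach in miniature: a "normal" packet-rate profile is learned from a constructed training set, a packet flood stands out against it, and lowering the sensitivity knob k shows how false alarms appear. The training figures, observations and the mean-plus-k-standard-deviations rule are assumptions chosen for illustration.

```python
import statistics

# Constructed training data: packets per second seen on a host during normal
# operation. In a real deployment this would be a long observation period.
NORMAL_TRAINING = [48, 52, 50, 47, 55, 49, 51, 53, 46, 50, 52, 48]

# Constructed observations: ten normal seconds, then a packet flood.
OBSERVED = [50, 49, 53, 51, 48, 52, 50, 47, 54, 49, 900, 1200, 1100]

def build_profile(samples):
    """Characterize 'normal' as the mean and population std-dev of the rate."""
    return statistics.mean(samples), statistics.pstdev(samples)

def is_anomalous(rate, profile, k=3.0):
    """A window is anomalous if its rate exceeds mean + k * stdev."""
    mean, stdev = profile
    return rate > mean + k * stdev

def evaluate(observed, profile, k=3.0):
    """Return the indexes of the observed windows flagged as anomalous."""
    return [i for i, rate in enumerate(observed) if is_anomalous(rate, profile, k)]

def false_alarms(observed, profile, known_normal, k=3.0):
    """Count flagged windows that are known to be benign (the first N windows)."""
    return sum(1 for i in evaluate(observed, profile, k) if i < known_normal)

if __name__ == "__main__":
    profile = build_profile(NORMAL_TRAINING)
    print("profile (mean, stdev):", profile)
    print("k=3 flagged:", evaluate(OBSERVED, profile, k=3.0))
    # A tighter threshold catches nothing extra but starts flagging normal
    # seconds, which is the false-alarm problem described above.
    print("k=1 flagged:", evaluate(OBSERVED, profile, k=1.0))
    print("k=1 false alarms:", false_alarms(OBSERVED, profile, 10, k=1.0))
```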

Types: Detection Method
• Misuse detection: look for behavior matching known attack scenarios.
– Approach used by most commercial vendors ("signature-based detection")

Types: Detection Method
Signature based IDS
• This IDS possesses an attack description that can be matched to sensed attack manifestations.
• The question of what information is relevant to an IDS depends upon what it is trying to detect.
– e.g. DNS, FTP etc.

Signature based IDS
• The ID system is programmed to interpret a certain series of packets, or a certain piece of data contained in those packets, as an attack. For example, an IDS that watches web servers might be programmed to look for the string "phf" as an indicator of a CGI program attack.
• Most signature analysis systems are based on simple pattern matching algorithms. In most cases, the IDS simply looks for a substring within a stream of data carried by network packets. When it finds this substring (for example, the "phf" in "GET /cgi-bin/phf?"), it identifies those network packets as vehicles of an attack.
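An added example (not code from the original deck) of the substring matching just described, using the "phf" signature from the text plus one assumed extra entry: it shows a match on the classic request, a false alarm on a benign URL that happens to contain the substring, and how a case-changed request slips past the raw matcher but not one that normalizes the payload first. The signature names and sample request lines are constructed.

```python
from urllib.parse import unquote

# Constructed signature table: substring -> alert name. "phf" comes from the
# text; the traversal entry is an assumed extra signature.
SIGNATURES = {
    "phf": "cgi-phf-probe",
    "../..": "directory-traversal-attempt",
}

def match_naive(payload):
    """Plain substring search over the raw bytes of the request, as simple
    signature engines do."""
    return [name for sig, name in SIGNATURES.items() if sig in payload]

def normalize(payload):
    """Percent-decode and case-fold before matching, a common hardening step
    so that trivially rewritten requests still hit the signature."""
    return unquote(payload).lower()

def match_normalized(payload):
    return [name for sig, name in SIGNATURES.items() if sig in normalize(payload)]

# Constructed HTTP request lines as a NIDS would see them in the packet stream.
SAMPLE_PAYLOADS = [
    "GET /index.html HTTP/1.0",                 # benign
    "GET /cgi-bin/phf?Qalias=x HTTP/1.0",       # the classic probe from the text
    "GET /CGI-BIN/PHF?Qalias=x HTTP/1.0",       # same request, different case
    "GET /docs/phf-faq.html HTTP/1.0",          # benign, but contains "phf"
    "GET /images/../../etc/passwd HTTP/1.0",    # traversal attempt
]

def scan(payloads, matcher):
    """Return {payload index: alerts} for every payload that fired a signature."""
    hits = {}
    for i, payload in enumerate(payloads):
        alerts = matcher(payload)
        if alerts:
            hits[i] = alerts
    return hits

if __name__ == "__main__":
    print("naive     :", scan(SAMPLE_PAYLOADS, match_naive))
    print("normalized:", scan(SAMPLE_PAYLOADS, match_normalized))
```

Note that normalization closes the case-variation gap but does nothing for the false alarm on index 3; the substring signature itself is what produces it.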

Signature based IDS
– Advantages
• Simple yet effective: matches known bad traffic patterns / hacker tools
• Relatively easy to administer
– Disadvantages
• Unable to detect novel attacks, or even slightly modified signatures
• Suffers from false alarms
• Has to be programmed again for every new pattern to be detected

Wireless IDPS
• A wireless local area network (WLAN) is a group of wireless networking nodes within a limited geographic area that is capable of exchanging data through radio communications.
• A wireless IDPS works by sampling traffic, i.e. the band is separated into channels.
• Wireless IDPS components are typically connected to each other through a wired network.

Wireless IDPS
The typical components of a wireless IDPS are the same as for a network-based IDPS:
– Sensors
– One or more management servers
– Multiple consoles
– One or more database servers

Wireless IDPS
ADVANTAGES: Wireless IDPS can detect attacks, misconfiguration and policy violations. The types of events most commonly detected by IDPS are:
• Unauthorized WLANs and WLAN devices
• Unusual usage patterns
• Denial of Service attacks and conditions
DISADVANTAGES:
• It is not currently possible for a sensor to monitor all traffic on a band simultaneously; a sensor has to monitor a single channel at a time.

Policy Of IDS
Define an IDS policy, taking the following factors into consideration:
• Must be aware of limitations before deployment
• Like any other system, maintenance must be performed
• It should be scalable
• IDS admin(s) should require special high-level access controls to IDS output data
• Alarming, alerts to administrative staff
• Define policy for dealing with incidents, both internal and external, plus forensic policy

Future of IDS
• To integrate network and host-based IDS for better detection.
• Developing IDS schemes for detecting novel attacks rather than individual instantiations.

Commercial ID Systems
• ISS – RealSecure from Internet Security Systems:
– Real-time IDS.
– Contains both host and network-based IDS.
• Tripwire – file integrity assessment tool.
• Bro and Snort – open source, public-domain systems.
• BASE
• OSSEC HIDS

• Commercial IDSs are still in their infancy
– Much work yet to be done (research/commercial)
– Increasing importance of anomaly detection
• IDSs are not a one-stop solution to an organization's security concerns, but they are an important part of an overall security strategy if deployed and managed well
• Good IDS policy makes all the difference!
– IDS, forensics, and other existing network/security policies must interface well to be truly effective
