230 likes | 450 Views
Intrusion Detection Systems. Intrusion Detection Systems. 1980-Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of tracking and analyzing of users of ARPANET, resulting 1 st IDS
E N D
Intrusion Detection Systems 1980-Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of tracking and analyzing of users of ARPANET, resulting 1st IDS 1988-Haystack project - IDS based on using defined patterns of misuse, resulting in Distributed IDS 1990-Todd Heberlein - Network Security Monitor – 1st network monitor, lots of interest leading to commercial development, leading to the IDS boom we see today.
What are Intrusion Detection Systems? • Not a firewall! • Firewall is just that; a wall (allow/deny) • IDS is a monitoring system; it takes notes of what is going on, and reports it to someone else to deal with.
What are Intrusion Detection Systems? Sensors -> report security events Console -> monitor events/alerts control sensors Engine -> logs events reported by sensor generate alerts based upon security rules Can have all 3 components in a single place
Types of IDS Based upon where the sensors are placed in the system as well as the rules used to generate alerts Network IDS Host-based IDS IDS
Network IDS • Ideally scan all, but not always practical • Examines network traffic connected to network device allowing port mirroring or network tap • Signature vs anomaly based
Network IDS Signature Based (knowledge based) • most IDS are signature based • works like antivirus software – looks for attempts to exploit known vulnerabilities • This type is ineffective if an exploit type is unknown to the system
Network IDS Anomaly based (behavior based) • This type observes the deviation from “normal” behavior of the system. • Not vulnerable to new/unforeseen vulnerabilities • High “false positive” rate; requires a “learning phase” and subsequent “retraining” as network changes.
Host based IDS • Host based • Individual devices • Monitors PC – sys calls, app logs, file mods • Single device only! • Alerts user/admin if detected
Hybrid IDS • Hybrid systems • Can be combination of these systems • Such as host based + network based • With the host reporting to the network based system for a more comprehensive protection
Passive VS Reactive IDS • Among the variety of “flavors” of IDS they can be categorized into two major groups: • Passive Systems work by simply monitoring, detecting and alerting • Reactive Systems perform any necessary action or actions to a detected threat
Passive IDS • Monitors System for any suspicious or malicious intrusion • If found, evaluates it to determine whether it is a threat • If detected as so, generates and sends an alert to user • Up to the user to take action I just found a threat, user
Reactive IDS Alerts console user and attempts to respond according to security rules/capabilities • reprogram firewall • reset connections • block IP addresses Typically called Intrusion Prevention System Essentially a firewall with network and application level filtering I found a threat and I’m taking care of it, oh yeah
IDS Evasion Techniques • Closely related to network attack methods • Designed to avoid detection by the IDS • Some basic and commonly known methods to attack IDS are through: • String matching weaknesses • Session assembly weaknesses • Denial of service techniques
String Matching Weaknesses • Easiest to implement and understand • Most IDS strong dependency on string matching • Using variants, string manipulation techniques, and character substitution techniques so strings don’t match • Strings don’t match no threat is detected
Session Assembly Weakness • Works by dividing string across several packets • Data will be delivered a few bytes at the time with modified IP packets to evade string match • To defend IDS should fully understand session (difficult and processor intensive)
Denial of Service Technique • Characterized by preventing legitimate users of a service from using that service • Examples • Consume device’s processing power • Fill up disk space • More alarms than can be handled by management systems • Personnel not being able to investigate all the alarms • Device lock up
Towards the Future • IDS vendors and hardware will have to keep a pace with all the switched networks and traffic increases • The future of IDS lies in data correlation • AI • Data mining • Future IDS, produce result by examining input from different sources
Conclusion • Nearly every company dependent on Internet to survive, so IDS here to stay • Also as technology advances for new IDS so does the possibility of new threats • Security issues are always present • However promising future • Statistical Analysis • Predictive AI