Signature Based and Anomaly Based Network Intrusion Detection. By Stephen Loftus and Kent Ho, CS 158B. Agenda: Introduce Network Intrusion Detection (NID); Signature; Anomaly; Compare and Contrast: Signature based vs. Anomaly based NID; Example using Ethereal™.
Signature Based and Anomaly Based Network Intrusion Detection By Stephen Loftus and Kent Ho CS 158B
Agenda • Introduce Network Intrusion Detection (NID) • Signature • Anomaly • Compare and Contrast: Signature based vs. Anomaly based NID • Example using Ethereal™
Intrusion Detection Systems • Intrusion detection begins where the firewall ends. • Preventing unauthorized entry is best, but not always possible. • It is important that the system is reliable, accurate and secure.
IDS (cont.) • When designing an IDS, the mission is to protect the data’s: • Confidentiality - read • Integrity - read/write • Availability - read/write/access • Threats can come from both outside and inside the network.
Signature • Signature based IDS work by looking for “known patterns” of detrimental activity. • Benefits: • Low alarm rates: All it has to do is look up the list of known attack signatures and, if it finds a match, report it. • Signature based NID are very accurate. • Speed: The systems are fast since they only compare what they are seeing against a predetermined rule.
Signature (cont.) • Negatives: • If someone develops a new attack, there will be no protection. • “Only as strong as its rule set.” • Attacks can be masked by splitting up the messages. • Similar to Anti-Virus: after a new attack is recorded, the data files need to be updated before the network is secure. • Examples: • Port Scan • DoS • Sniffing
Anomaly • Anomaly based IDS work by tracking behavior patterns and flagging unknown, unusual activity as potentially detrimental. • Advantages: • Helps to reduce the “limitations problem” (dependence on a rule set). • Conducts a thorough screening of what comes through.
Anomaly (cont.) • Disadvantages: • False positives: catches too much, because behavior based NIDs monitor a system based on its behavior patterns. • Painstakingly slow to do exhaustive monitoring; uses up a lot of resources. • After an anomaly has been detected, it may become a “signature”.
Anomaly vs. Signature • Which is the best way to defend your network? • Both have advantages. • Signature can be used as a stand alone system. • Anomaly has a few weak points that prevent it from being a stand alone system. • Signature is the better of the two for defending your network. • The best way is to use both!
Example • Using Ethereal™ to detect a port scan • A port scan is when a person executes sequential port open requests trying to find an open port. Most of these come back with a “reset” • Normal TCP/IP port request • Port request on closed port
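To make the Signature vs. Anomaly comparison and the port scan example concrete, here is an added illustration (not code from the original slides): a toy signature based detector and a toy anomaly based detector run over the same constructed TCP trace. The hosts, ports, payloads and the "../" content rule are all made up for this example. The trace contains one request matching a known bad pattern, one sequential port scan whose closed ports answer with RST (the "reset" the slide refers to), and one legitimate monitoring host that checks many services; the last one shows the false-positive weakness of the anomaly approach, while the scan shows the "known pattern" strength of the signature approach.

```python
"""Toy signature based vs. anomaly based NID over a constructed TCP trace.
Added example, not from the original slides; all hosts, ports, payloads and
thresholds below are made up for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds
    src: str
    dst: str
    dport: int
    flags: str       # TCP flags as letters: S=SYN, A=ACK, R=RST
    payload: bytes = b""


def normal_traffic():
    """Constructed 'known good' traffic: a few hosts each using one or two web services."""
    pkts, t = [], 0.0
    for src, ports in {"10.0.0.5": [80], "10.0.0.6": [80, 443], "10.0.0.7": [8080]}.items():
        for port in ports:
            pkts.append(Packet(t, src, "10.0.0.80", port, "S"))
            pkts.append(Packet(t + 0.001, "10.0.0.80", src, 51000, "SA"))
            pkts.append(Packet(t + 0.002, src, "10.0.0.80", port, "A", b"GET /index.html HTTP/1.1\r\n"))
            t += 0.1
    return pkts


def observed_traffic():
    """Constructed trace under observation: normal traffic plus three notable events."""
    pkts = normal_traffic()
    # 1. A request carrying a known bad pattern (directory traversal) on an open port.
    pkts.append(Packet(5.0, "10.0.0.6", "10.0.0.80", 80, "A", b"GET /../../etc/passwd HTTP/1.1\r\n"))
    # 2. Sequential port open requests from one host; closed ports answer with RST.
    t = 10.0
    for port in range(20, 40):
        pkts.append(Packet(t, "10.0.0.9", "10.0.0.80", port, "S"))
        pkts.append(Packet(t + 0.001, "10.0.0.80", "10.0.0.9", 40000, "R"))
        t += 0.01
    # 3. A legitimate monitoring host checking eight open services (SYN/SYN-ACK, no RST).
    t = 20.0
    for port in (22, 25, 53, 80, 110, 143, 443, 993):
        pkts.append(Packet(t, "10.0.0.3", "10.0.0.80", port, "S"))
        pkts.append(Packet(t + 0.001, "10.0.0.80", "10.0.0.3", 45000, "SA"))
        t += 1.0
    return pkts


# Signature based: a fixed list of known patterns; an alert needs an exact match.
CONTENT_SIGNATURES = {"HTTP directory traversal": b"../"}


def signature_detect(pkts, rst_threshold=10, window=1.0):
    """Return sorted (rule name, offending host) pairs for every matched known pattern."""
    alerts = set()
    for p in pkts:
        for name, pattern in CONTENT_SIGNATURES.items():
            if pattern in p.payload:
                alerts.add((name, p.src))
    # Known port-scan pattern: many RSTs sent back to one host inside a short window.
    rst_ts = defaultdict(list)
    for p in pkts:
        if "R" in p.flags:
            rst_ts[p.dst].append(p.ts)
    for host, ts in rst_ts.items():
        ts.sort()
        for i in range(len(ts)):
            j = i
            while j < len(ts) and ts[j] - ts[i] <= window:
                j += 1
            if j - i >= rst_threshold:
                alerts.add(("port scan (RST burst)", host))
                break
    return sorted(alerts)


# Anomaly based: learn what 'normal' looks like, then flag anything far outside it.
def distinct_targets(pkts):
    """Count distinct (dst, port) pairs each source tried to open (SYN without ACK)."""
    seen = defaultdict(set)
    for p in pkts:
        if "S" in p.flags and "A" not in p.flags:
            seen[p.src].add((p.dst, p.dport))
    return {src: len(s) for src, s in seen.items()}


def learn_baseline(training_pkts):
    """Baseline = the busiest source seen during the 'known good' training period."""
    return max(distinct_targets(training_pkts).values(), default=0)


def anomaly_detect(pkts, baseline, factor=3):
    """Flag sources whose distinct-target count exceeds factor x the learned baseline."""
    threshold = max(1, baseline * factor)
    return sorted((src, n) for src, n in distinct_targets(pkts).items() if n > threshold)


if __name__ == "__main__":
    obs = observed_traffic()
    print("signature alerts:", signature_detect(obs))
    print("anomaly alerts  :", anomaly_detect(obs, learn_baseline(normal_traffic())))
```

Running it, the signature detector reports exactly the two known patterns (the traversal request and the RST burst) and nothing else, while the anomaly detector catches the scanner without any rule for it but also flags the monitoring host 10.0.0.3, which is the false-positive cost the Anomaly slide describes. Once the scanner's RST-burst behavior is understood it can be written down as a rule, which is the "anomaly becomes a signature" step.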