INTRUSION DETECTION SYSTEM Presented by: Sabeeh Ahmad saeed REG No: fa10-bs(tn)-041
Intrusion
• An intrusion is defined as an act of entering a secured area by means of unauthorized and illegal access points.
• A person who carries out an intrusion is known as an intruder.
• During an intrusion, the intruder uses unfair means to bypass the security mechanisms implemented for that particular area and enters it illegally.
• So an intrusion into a network means entering the network by illegal means, bypassing the security implemented on that network.
• Intrusion is carried out to hack, attack or crack network assets and to cause loss to the network or to the organization that uses it.
Different techniques used by intruders to bypass network security
• Fragmentation: by sending fragmented packets, the attacker stays under the radar and can easily bypass the detection system's ability to detect the attack signature.
• Avoiding defaults: the TCP port used by a protocol does not always indicate which protocol is being transported. For example, an IDS may expect to detect a Trojan on port 12345. If an attacker has reconfigured it to use a different port, the IDS may not be able to detect the presence of the Trojan.
• Coordinated, low-bandwidth attacks: coordinating a scan among numerous attackers (or agents) and allocating different ports or hosts to different attackers makes it difficult for the IDS to correlate the captured packets and deduce that a network scan is in progress.
Different techniques used by intruders to bypass network security
• Address spoofing/proxying: attackers can make it harder for security administrators to determine the source of an attack by using poorly secured or incorrectly configured proxy servers to bounce the attack. If the source is spoofed and bounced through a server, it becomes very difficult for the IDS to detect the origin of the attack.
• Pattern change evasion: an IDS generally relies on "pattern matching" to detect an attack. By changing the data used in the attack slightly, it may be possible to evade detection. For example, an IMAP server may be vulnerable to a buffer overflow, and an IDS is able to detect the attack signature of 10 common attack tools. By modifying the payload sent by the tool so that it does not resemble the data the IDS expects, it may be possible to evade detection.
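The fragmentation and pattern-change techniques above both defeat a sensor that matches signatures against each packet in isolation. The following added example (not from the presentation) shows, with a constructed signature and constructed fragments, why a network IDS reassembles a stream before matching: the per-fragment detector misses a pattern that spans fragment boundaries, while the reassembling detector catches it even when fragments arrive out of order.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Fragment:
    """One captured fragment of a byte stream (constructed stand-in for a TCP segment)."""
    stream_id: str   # identifies the connection the fragment belongs to
    offset: int      # byte offset of this fragment's data within the stream
    data: bytes


# Constructed signature set: names mapped to the byte patterns the sensor looks for.
SIGNATURES: Dict[str, bytes] = {
    "demo-marker": b"sig:constructed-malicious-marker",
}


def match_signatures(payload: bytes) -> List[str]:
    """Return the names of every signature whose pattern occurs in payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def detect_per_fragment(fragments: Iterable[Fragment]) -> List[str]:
    """Naive sensor: inspects each fragment on its own, so a pattern split
    across two fragments is never seen whole."""
    hits: List[str] = []
    for frag in fragments:
        hits.extend(match_signatures(frag.data))
    return sorted(set(hits))


def reassemble(fragments: Iterable[Fragment]) -> Dict[str, bytes]:
    """Rebuild each stream from its fragments, ordered by offset.

    A gap left by a missing fragment is zero-filled and an overlapping fragment
    overwrites earlier data: simple policies chosen for this demo, not the
    reassembly rules of any particular IDS."""
    streams: Dict[str, bytearray] = {}
    for frag in sorted(fragments, key=lambda f: (f.stream_id, f.offset)):
        buf = streams.setdefault(frag.stream_id, bytearray())
        if frag.offset > len(buf):
            buf.extend(b"\x00" * (frag.offset - len(buf)))
        buf[frag.offset:frag.offset + len(frag.data)] = frag.data
    return {sid: bytes(buf) for sid, buf in streams.items()}


def detect_reassembled(fragments: Iterable[Fragment]) -> List[str]:
    """Stream-aware sensor: matches signatures against the reassembled stream."""
    hits: List[str] = []
    for payload in reassemble(fragments).values():
        hits.extend(match_signatures(payload))
    return sorted(set(hits))


def split_stream(stream_id: str, payload: bytes, size: int) -> List[Fragment]:
    """Cut a stream into fixed-size fragments (constructed test input)."""
    return [Fragment(stream_id, i, payload[i:i + size])
            for i in range(0, len(payload), size)]


if __name__ == "__main__":
    stream = b"LOGIN demo sig:constructed-malicious-marker END"
    frags = list(reversed(split_stream("conn-1", stream, 8)))  # arrives out of order
    print("per-fragment:", detect_per_fragment(frags))   # []
    print("reassembled :", detect_reassembled(frags))    # ['demo-marker']
```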
Intrusion detection system
• What is an IDS?
• An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of "flavors" and approach the goal of detecting suspicious traffic in different ways.
• Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.
• IDPSes typically record information related to observed events, notify security administrators of important observed events and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall) or changing the attack's content.
Intrusion detection system
• Burglar Alert/Alarm: a signal suggesting that a system has been or is being attacked.
• Detection Rate: the number of intrusion instances detected by the system (True Positive) divided by the total number of intrusion instances present in the test set.
• False Alarm Rate: the number of 'normal' patterns classified as attacks (False Positive) divided by the total number of 'normal' patterns.
• True Positive: a legitimate attack which triggers an IDS to produce an alarm.
• False Positive: an event signaling an IDS to produce an alarm when no attack has taken place.
• False Negative: no alarm is raised when an attack has taken place.
• True Negative: no attack has taken place and no detection is made.
• Noise: data or interference that can trigger a false positive or obscure a true positive.
Intrusion detection system
• Site policy: guidelines within an organization that control the rules and configurations of an IDS.
• Site policy awareness: an IDS's ability to dynamically change its rules and configurations in response to changing environmental activity.
• Confidence value: a value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.[2]
• Alarm filtering: the process of categorizing attack alerts produced by an IDS in order to distinguish false positives from actual attacks.
• Attacker or Intruder: an entity which tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
• Masquerader: a person who attempts to gain unauthorized access to a system by pretending to be an authorized user. They are generally outside users.
• Misfeasor: commonly internal users, of two types:
  • an authorized user with limited permissions;
  • a user with full permissions who misuses their powers.
• Clandestine user: a person who acts as a supervisor and tries to use his privileges so as to avoid being captured.
History/development
• Fred Cohen noted in 1984 that it is impossible to detect an intrusion in every case, and that the resources needed to detect intrusions grow with the amount of usage.
• Dorothy E. Denning, assisted by Peter G. Neumann, published a model of an IDS in 1986 that formed the basis for many systems today.
• Her model used statistics for anomaly detection, and resulted in an early IDS at SRI International named the Intrusion Detection Expert System (IDES), which ran on Sun workstations and could consider both user and network level data.
• IDES had a dual approach: a rule-based expert system to detect known types of intrusions plus a statistical anomaly detection component based on profiles of users, host systems, and target systems. Lunt proposed adding an artificial neural network as a third component. She said all three components could then report to a resolver. SRI followed IDES in 1993 with the Next-generation Intrusion Detection Expert System (NIDES).
• The Multics intrusion detection and alerting system (MIDAS), an expert system using P-BEST and Lisp, was developed in 1988 based on the work of Denning and Neumann.[10] Haystack was also developed that year, using statistics to reduce audit trails.
• Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los Alamos National Laboratory. W&S created rules based on statistical analysis, and then used those rules for anomaly detection.
• In 1990, the Time-based Inductive Machine (TIM) did anomaly detection using inductive learning of sequential user patterns in Common Lisp on a VAX 3500 computer. The Network Security Monitor (NSM) performed masking on access matrices for anomaly detection on a Sun-3/50 workstation. The Information Security Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies including statistics, a profile checker, and an expert system. Computer Watch at AT&T Bell Labs used statistics and rules for audit data reduction and intrusion detection.
History/development
• Then, in 1991, researchers at the University of California, Davis created a prototype Distributed Intrusion Detection System (DIDS), which was also an expert system. The Network Anomaly Detection and Intrusion Reporter (NADIR), also in 1991, was a prototype IDS developed at the Los Alamos National Laboratory's Integrated Computing Network (ICN), and was heavily influenced by the work of Denning and Lunt. NADIR used a statistics-based anomaly detector and an expert system.
• The Lawrence Berkeley National Laboratory announced Bro in 1998, which used its own rule language for packet analysis from libpcap data. Network Flight Recorder (NFR) in 1999 also used libpcap. APE was developed as a packet sniffer, also using libpcap, in November 1998, and was renamed Snort one month later. Snort has since become the world's most widely used IDS/IPS system, with over 300,000 active users.
• The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump to build profiles of rules for classifications.
• In 2003, Dr. Yongguang Zhang and Dr. Wenke Lee argued for the importance of IDS in networks with mobile nodes.
Intrusion detection system types
• Network IDS
• Network intrusion detection systems are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. A NIDS analyses the traffic passing on the entire subnet, works in promiscuous mode, and matches the traffic passed on the subnets against a library of known attacks. Once an attack is identified, or abnormal behavior is sensed, an alert can be sent to the administrator. An example of NIDS placement would be installing it on the subnet where the firewalls are located, in order to see if someone is trying to break into the firewall. Ideally one would scan all inbound and outbound traffic, but doing so might create a bottleneck that would impair the overall speed of the network.
Intrusion detection system types
• Host IDS
• Host intrusion detection systems run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets of that device only and will alert the user or administrator if suspicious activity is detected. It takes a snapshot of the existing system files and matches it against the previous snapshot. If critical system files were modified or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission-critical machines, which are not expected to change their configurations.
• Intrusion detection systems can also be system-specific, using custom tools and honeypots.
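The file-snapshot check the slide describes, as an added example that is not part of the presentation: it hashes every file under a monitored root, compares a later snapshot with the baseline, and raises an alert only for modified or deleted files on a critical list (the temporary directory, file names and the critical list are all constructed for the demo).

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Set


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every file below root (path relative to root) to its digest."""
    snap: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = hash_file(full)
    return snap


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference between the previous and the current snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def alerts(diff: Dict[str, List[str]], critical: Set[str]) -> List[str]:
    """ALERT for a modified or deleted critical file; everything else is INFO."""
    lines: List[str] = []
    for kind in ("modified", "deleted"):
        for path in diff[kind]:
            level = "ALERT" if path in critical else "INFO"
            lines.append(f"{level}: {path} {kind}")
    for path in diff["added"]:
        lines.append(f"INFO: {path} added")
    return lines


def write(root: str, rel: str, content: bytes) -> None:
    """Helper for the demo: create or overwrite a file below root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(content)


def demo() -> List[str]:
    """Run the check against a constructed directory and return the alert lines."""
    critical = {"etc/passwd", "etc/hosts"}   # assumption: this host's critical files
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        write(root, "tmp/scratch", b"temporary\n")
        baseline = snapshot(root)            # taken while the host is known good
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\nguest:x:1001:1001::/home/guest:/bin/sh\n")
        os.remove(os.path.join(root, "tmp/scratch"))
        write(root, "var/log/new.log", b"first line\n")
        return alerts(compare(baseline, snapshot(root)), critical)


if __name__ == "__main__":
    print("\n".join(demo()))
```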
Intrusion detection system types
• Passive and reactive systems
• In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert to the console or owner. In a reactive system, also known as an intrusion prevention system (IPS), the IPS auto-responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. The term IDPS is commonly used where this can happen automatically or at the command of an operator: systems that both "detect (alert)" and "prevent".
Intrusion detection techniques
• Statistical anomaly-based IDS
• An anomaly-based IDS monitors network traffic and compares it against an established baseline. The baseline identifies what is "normal" for that network: what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other. The IDS alerts the administrator or user when traffic is detected that is anomalous, i.e. significantly different from the baseline. The issue is that it may raise a False Positive alarm for a legitimate use of bandwidth if the baselines are not intelligently configured.
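The baseline comparison described above, as an added example that is not part of the presentation: the baseline is the mean and standard deviation of a training window of per-minute byte counts (constructed values), and a sample is flagged when it lies more than k standard deviations from the mean. Training the baseline on night-time traffic only reproduces the false positive the slide warns about; training it on the whole day does not, while a genuinely unusual surge is still flagged.

```python
from statistics import mean, pstdev
from typing import List, Tuple

Baseline = Tuple[float, float]   # (mean, standard deviation) learned from training data


def build_baseline(training: List[float]) -> Baseline:
    """Learn what is 'normal' from a window of observations."""
    return mean(training), pstdev(training)


def z_score(baseline: Baseline, value: float) -> float:
    """How many standard deviations a value sits from the baseline mean."""
    mu, sigma = baseline
    if sigma == 0.0:                      # degenerate baseline: no variation was seen
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def detect(baseline: Baseline, samples: List[float], k: float = 3.0) -> List[Tuple[int, float, float]]:
    """Return (index, value, z) for every sample more than k sigma from the mean."""
    flagged = []
    for i, v in enumerate(samples):
        z = z_score(baseline, v)
        if abs(z) > k:
            flagged.append((i, v, z))
    return flagged


# Constructed per-minute traffic volumes (KB) on a link: quiet at night, busy by day.
NIGHT = [100.0, 110.0, 95.0, 105.0, 100.0, 90.0]
DAY = [900.0, 950.0, 880.0, 920.0, 900.0, 850.0]
SAMPLES = [940.0, 4000.0]   # a normal daytime minute, then an unusual surge


def run() -> Tuple[List[int], List[int]]:
    """Sample indices flagged by a night-only baseline vs. a full-day baseline."""
    night_only = detect(build_baseline(NIGHT), SAMPLES)
    full_day = detect(build_baseline(NIGHT + DAY), SAMPLES)
    return [i for i, _, _ in night_only], [i for i, _, _ in full_day]


if __name__ == "__main__":
    badly_trained, well_trained = run()
    print("night-only baseline flags samples:", badly_trained)   # [0, 1]: 940 KB is a false positive
    print("full-day baseline flags samples: ", well_trained)     # [1]: only the 4000 KB surge
```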
Intrusion detection techniques
• Signature-based IDS
• A signature-based IDS monitors packets on the network and compares them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time your IDS is unable to detect the new threat.
Intrusion detection techniques
• Application protocol-based intrusion detection system (APIDS)
• An application protocol-based intrusion detection system (APIDS) is an intrusion detection system that focuses its monitoring and analysis on a specific application protocol or protocols in use by the computing system.
• An APIDS monitors the dynamic behavior and state of the protocol and typically consists of a system or agent that sits between a process, or group of servers, monitoring and analyzing the application protocol between two connected devices. A typical place for an APIDS would be between a web server and the database management system, monitoring the SQL protocol specific to the middleware/business logic as it interacts with the database.
• At a basic level an APIDS looks for, and enforces, the correct (legal) use of the protocol.
• At a more advanced level the APIDS can learn, be taught, or even reduce what is often an infinite protocol set to an acceptable understanding of the subset of that application protocol that is used by the application being monitored/protected.
• Thus an APIDS, correctly configured, allows an application to be "fingerprinted": should that application be subverted or changed, so will the fingerprint change.
Intrusion detection techniques
• Protocol-based intrusion detection system (PIDS)
• A protocol-based intrusion detection system (PIDS) is an intrusion detection system which is typically installed on a web server, and is used in the monitoring and analysis of the protocol in use by the computing system. A PIDS monitors the dynamic behavior and state of the protocol and typically consists of a system or agent that sits at the front end of a server, monitoring and analyzing the communication between a connected device and the system it is protecting.
• A typical use for a PIDS would be at the front end of a web server monitoring the HTTP (or HTTPS) stream. Because it understands HTTP relative to the web server/system it is trying to protect, it can offer greater protection than less in-depth techniques such as filtering by IP address or port number alone; however, this greater protection comes at the cost of increased computing on the web server.
• Where HTTPS is in use, this system would need to reside in the "shim" or interface between where HTTPS is decrypted and immediately prior to it entering the web presentation layer.
• Other systems include:
  • Autonomous Agents for Intrusion Detection, a distributed intrusion detection system
  • artificial immune systems
  • DNS analytics
IDS using automated responses
• While intrusion detection systems reduce the time it takes to identify suspicious activity, further actions have depended on human intervention to begin a response, for three reasons. First, network intrusion detection systems are imperfect and can alert on non-malicious traffic, resulting in false positives. Second, not all legitimate alerts warrant a response. Third, most alerts that warrant a response require human judgment to determine the most appropriate action. Therefore, an analyst is required to further validate alerts and decide if, and how, to take any action. Unfortunately, the human interaction is the most time-consuming element in an attack response cycle.
• Modern NIDS can initiate responses in addition to simple notifications. These responses usually fall under direct intervention or scripted reconfiguration of surrounding equipment. An automated response does not necessarily need to address the traffic directly, but could assist the engineers in handling incidents with greater efficiency.
• Session Sniping, ICMP Messaging, Shunning, Non-Blocking Responses, Extended Notification
• Risky Business, Worm and Virus Attacks, Food for Thought, Limited Shunning
IDS limitations
• Noise can severely limit an intrusion detection system's effectiveness. Bad packets generated by software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.
• It is not uncommon for the number of real attacks to be far below the number of false alarms. The number of real attacks is often so far below the number of false alarms that the real attacks are missed and ignored.
• Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to newer strategies.[5]
• For signature-based IDSes there will be a lag between a new threat's discovery and its signature being applied to the IDS. During this lag time the IDS will be unable to identify the threat.[2]
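The detection-rate and false-alarm-rate definitions from the terminology slide, and the limitation above that real attacks are far outnumbered by false alarms, worked through in one added example (not from the presentation) on constructed verdicts: it counts TP/FP/FN/TN, computes both rates, and then projects how many true and false alarms a sensor with a good detection rate and a low false-alarm rate still raises when attacks are rare.

```python
from collections import Counter
from typing import Dict, Iterable, Tuple

Verdict = Tuple[bool, bool]   # (event really was an attack, sensor raised an alarm)


def confusion(verdicts: Iterable[Verdict]) -> Dict[str, int]:
    """Count the four outcomes defined on the terminology slide."""
    counts: Counter = Counter()
    for is_attack, alarmed in verdicts:
        if is_attack and alarmed:
            counts["TP"] += 1          # legitimate attack, alarm raised
        elif is_attack:
            counts["FN"] += 1          # attack, but no alarm
        elif alarmed:
            counts["FP"] += 1          # no attack, alarm raised anyway
        else:
            counts["TN"] += 1          # no attack, no alarm
    return {k: counts[k] for k in ("TP", "FP", "FN", "TN")}


def detection_rate(c: Dict[str, int]) -> float:
    """TP divided by all intrusion instances present in the set."""
    return c["TP"] / (c["TP"] + c["FN"])


def false_alarm_rate(c: Dict[str, int]) -> float:
    """FP divided by all 'normal' patterns in the set."""
    return c["FP"] / (c["FP"] + c["TN"])


def precision(c: Dict[str, int]) -> float:
    """Share of raised alarms that were real attacks (0.0 if nothing alarmed)."""
    raised = c["TP"] + c["FP"]
    return c["TP"] / raised if raised else 0.0


def projected_alarms(n_attacks: int, n_normal: int, det_rate: float, far: float) -> Tuple[float, float, float]:
    """Expected (true alarms, false alarms, precision) for a sensor with the given
    rates over a period containing n_attacks attacks and n_normal normal events."""
    tp = n_attacks * det_rate
    fp = n_normal * far
    return tp, fp, tp / (tp + fp)


# Constructed evaluation set: 10 attacks and 990 normal events with the sensor's verdicts.
SAMPLE = ([(True, True)] * 9 + [(True, False)] * 1
          + [(False, True)] * 20 + [(False, False)] * 970)


if __name__ == "__main__":
    c = confusion(SAMPLE)
    print(c, f"DR={detection_rate(c):.2f} FAR={false_alarm_rate(c):.4f} precision={precision(c):.2f}")
    # A day with 100 attacks among one million events, sensor DR 0.99 and FAR 0.01:
    tp, fp, prec = projected_alarms(100, 999_900, 0.99, 0.01)
    print(f"true alarms={tp:.0f} false alarms={fp:.0f} precision={prec:.3f}")   # 99 vs 9999, under 1%
```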
IDS limitations
• It cannot compensate for weak identification and authentication mechanisms or for weaknesses in network protocols. When an attacker gains access due to a weak authentication mechanism, the IDS cannot prevent the adversary from any malpractice.
• Encrypted packets are not processed by the intrusion detection software. Therefore, an encrypted packet can allow an intrusion to the network that goes undiscovered until more significant network intrusions have occurred.
• Intrusion detection software provides information based on the network address associated with the IP packet that is sent into the network. This is beneficial if the network address contained in the IP packet is accurate. However, the address contained in the IP packet could be faked or scrambled.
• Due to the nature of NIDS systems, and the need for them to analyze protocols as they are captured, NIDS systems can be susceptible to the same protocol-based attacks to which network hosts may be vulnerable. Invalid data and TCP/IP stack attacks may cause a NIDS to crash.
IDS benefits
• Pros of the system
• The main benefits of a network intrusion detection system include:
• Easy deployment: deploying such a system is easier, as you will not have to change your existing infrastructure or system. This is because such systems operate autonomously.
• Less cost: these systems can be installed for all the network segments, so it eliminates the requirement for software at each host in a network segment, lowering the cost of ownership.
• Detecting attacks: these systems can easily detect attacks which have escaped the scanners of host-based sensors.
• Retaining evidence: such a system detects intrusions in real time, so it does not give the attacker a chance to remove the evidence of the attack.
IDS shortcomings
• Cons to look for
• Apart from the pros, there are some cons that come with network intrusion detection systems. These are:
• These systems can collect a large number of alerts in a day, overloading your work
• FP alerts can also be very high, which leads to less confidence in alerts
• If you try to cut down the FP rate, this can affect NIDS reliability
• Tasks like analyzing and filtering have to be done manually
IDS vs. firewalls
• Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and is another form of application layer firewall.
Some organizations affected by intrusion
• Operation Aurora was a cyber attack conducted by advanced persistent threats such as the Elderwood Group based in Beijing, China, with ties to the People's Liberation Army.[2] First publicly disclosed by Google on January 12, 2010, in a blog post,[3] the attack began in mid-2009 and continued through December 2009.[4]
• The attack was aimed at dozens of other organizations, of which Adobe Systems,[5] Juniper Networks[6] and Rackspace[7] have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman, Morgan Stanley[8] and Dow Chemical[9] were also among the targets.
Coke Gets Hacked And Doesn't Tell Anyone
• FBI officials quietly approached executives at Coca-Cola Co. (KO) on March 15, 2009, with some startling news.
• Hackers had broken into the company's computer systems and were pilfering sensitive files about its attempted $2.4 billion acquisition of China Huiyuan Juice Group (1886), according to three people familiar with the situation and an internal company document detailing the cyber intrusion. The Huiyuan deal, which collapsed three days later, would have been the largest foreign takeover of a Chinese company at the time.
• TJX, a company providing security to US banks and bankers' associations, also had to undergo a legal case brought by the banks over the leak of confidential information in January 2007.
According to a Kaspersky Lab report in 2013
• Maintaining information security is the main issue faced by a company's IT management. In the past 12 months, 91% of the companies surveyed had at least one external IT security incident and 85% reported internal incidents. A serious incident can cost a large company an average of $649,000; for small and medium-sized companies the bill averages about $50,000. A successful targeted attack on a large company can cost it $2.4 million in direct financial losses and additional costs. For a medium-sized or small company, a targeted attack can mean about $92,000 in damages, almost twice as much as an average attack. Personal mobile devices used for work-related purposes remain one of the main hazards for businesses: 65% of those surveyed saw a threat in the Bring Your Own Device policy.
Thank you • Questions.