160 likes | 191 Views
NETWORK SECURITY. INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M. Clarkson University, Potsdam, New York. Introduction to IDS. Why we need IDS? Fire Walls and IDS. Analogy Based Example Classification of IDSs Models of IDS Anomaly based model Signature based model.
E N D
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Introduction to IDS • Why we need IDS? • Fire Walls and IDS. • Analogy Based Example • Classification of IDSs • Models of IDS • Anomaly based model • Signature based model.
A Typical Fire Wall DeploymentSource:http://www.scs-ca.com/images/topos/2-AV-01.gif
Anomaly Based IDS • General Functional Mechanism • Behavioral Anomaly • Statistical Approach • Example: Traffic analysis • Protocol Anomaly • Based on Protocols and communication Structure • Example : Insecure Protocols • Pros • Captures all the headers of IP • Filters out respective (Mail, Web, DNS,. etc) legal traffic • More Pro- active. • Quickly Identifies Probes and Scans towards Network Hardware • Best Suited for Larger networks and Networks vulnerable to frequent hacking.
Anomaly Based IDS • Cons • Often makes False Alarms (False Positives) • Need skilled personnel to analyze the possible intrusions. • Need Sophisticated Hardware and Software • Creates large amount of Log data • Increase network traffic (some)
Signature Based IDS • Based on known Attack patterns • There are two (Basic) kinds of Signature Based IDSs: • NIDS (Network Intrusion Detection System) • HIDS (Host Intrusion Detection System)
What is an attack Signature? • Sequence of Events A->B->C, D->E • Examples of Signature (Unix Systems) • Gaining root privileges • Suspected repetitive actions • Using the command “sudo –s” or “su – root” • Using Cgi scripts to access the file by fetching arguments. http://www.host.com/~xxxx or http://www.host.com/../../etc/passwd
Signature Based IDS • General Functional Mechanism • Pros: • Ease of Use • Looks for O/S level changes (Biggest Advantage) • No need for skilled personal • Commercial and Open Source • Regular updates of new signatures to the signature database
Signature Based IDS • Cons: • More Re-active • More reliable updates only for Commercial versions • More suited for Hosts than Networks • Why? • Depends on Network Traffic • Consumes CPU time • Can be hacked easily.
Network Intrusion Detection Systems (NIDS). • Functional Mechanism • Uses huge standby databases with signatures • Components of NIDS • Sensors and Consoles
NIDS …… • Selection Criteria • Deployment of NIDS • Interference with Net work Traffic • Commercial NIDS • Example : Snort • Open Source NIDS • Example : Bro • Monitors network in Passive mode • No Direct Interference with the Network.
HIDS • Functional Mechanism • Analogy example… • O/S level Changes • Sensors and Killing the session • Most efficient Among all IDSs • Strips down all the packets including encrypted ones. • Commercial Vs Open Source • Example Tripwire
Advancements in IDS • Hybrid IDS • Combination of NIDS functionality and HIDS. • Decoy Based IDS • Example: Our Honey Pot machine • *No problem with False Positive • Captures only unauthorized activities • All traffic are considered to be suspected ones
On Progress…. • Circumstances where unnoticed attacks take place • Hybrid NIDS • Detection Points.