Intrusion Detection Systems. Sai Nandoor, Priya Selvam, Balaji Badam.


How insecure are we?
Attacks on computer infrastructures are a serious problem.
– Information theft is up over 250% in the last 5 years.
– 99% of all major companies report at least one major incident.
– Telecom and computer fraud totaled $10 billion in the US alone.
*Source: Eugene H. Spafford, Security Seminar, Department of Computer Sciences, Purdue University, Jan 1996.

IDS Based on Data Source
Host Based IDS
– Its role is to identify tampering or malicious activity occurring on the system.
– This is achieved by monitoring log files, users, and the file system.
Network Based IDS
– Its role is to identify tampering or malicious activity occurring in the network traffic.
– This is achieved by monitoring network traffic on the wire for specific activities/signatures that represent an attack.
Hybrid IDS
– Combination of network and host based IDS.

Host Based vs. Network Based: Advantages

Network                          Host
Lowers cost of ownership         Lower cost of entry
Detects what HIDS miss           Detects what NIDS miss
Difficult to remove evidence     Verifies success/failure of attack
Real-time detection & response   Suited for encrypted environments
Detects unsuccessful attacks     Monitors specific activities
OS independent                   Requires no additional hardware

Host Based IDS
– Specific files to be monitored are defined in a configuration file.
– A digest of each file is stored in a database.
– Multiple digest algorithms can be used.
– Examples: TRIPWIRE / AIDE / SAMHAIN

TRIPWIRE
– Can be reconfigured to prevent false alarms.
– Flexible policy language with predefined policy files and wildcard support.
AIDE
– Similar to Tripwire, but lighter weight.
SAMHAIN
– Supports a stealth mode of operation.
– Encrypted and authenticated client/server connections.

Network Based IDS
– Packet sniffing front end.
– Pattern matching engine.
– Backend database.
– Examples: SNORT / SHOKI / BRO

SNORT
– Provides its own rule language.
– Passive: doesn't terminate malicious activity.
SHOKI
– Multi-filter rule sets that match individual packets.
– SNORT rules can be converted to SHOKI filters.
BRO
– Can also operate as a packet sniffer/logger.
– Flexible rule based language to describe traffic.
– Can perform protocol analysis and content searching/matching.

SNORT Rules
var EXTERNAL_NET ![ /16, /16]
var HTTP_SERVERS [ /16, /16]
var HTTP_PORTS 80
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
output alert_fast: alarms.log
include file1.config
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; sid:1328; classtype:web-application-attack; rev:4;)

Bro Rules
rule sid-1328 {
  header ip[9:1] == 6
  header ip[12:4] != /16, /16
  header ip[16:4] == /16, /16
  header tcp[2:2] == 80
  tcp-state originator,established
  http /.*[\/\\][bB][iI][nN][\/\\][pP][sS]/
  msg "WEB-ATTACKS ps command attempt"
}

SHOKI Rules
tcp THRESHOLD:1:10:20 SAMP-6 http h([t]*p):// ALL
tcp HOST_SCAN:2:20:40 SAMP-7 host scan NULL ALL
tcp PORT_SCAN:3:30:50 SAMP-8 p_scan 0x ALL
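The Snort and Bro rules above express the same check: a case-insensitive search for "/bin/ps" in the request URI, performed after the http_decode preprocessor has normalized the URI. The following Python, added here as an illustration and not code from the slides or from either project, implements both matchers over constructed HTTP request lines; the normalize_uri function is an assumed simplification of the http_decode options on the slide (double_encode and iis_flip_slash), not Snort's own decoder.

```python
import re
from urllib.parse import unquote

# Rule content from the slide: Snort sid 1328 uses  uricontent:"/bin/ps"; nocase;
# and the Bro signature for the same rule uses this regular expression.
SNORT_URICONTENT = "/bin/ps"
BRO_PATTERN = re.compile(r".*[/\\][bB][iI][nN][/\\][pP][sS]")

def normalize_uri(uri):
    """Simplified stand-in (assumption, not Snort's code) for the http_decode
    preprocessor options on the slide: decode %XX twice (double_encode) and
    turn backslashes into slashes (iis_flip_slash)."""
    return unquote(unquote(uri)).replace("\\", "/")

def snort_match(uri, normalize=True):
    """uricontent + nocase: case-insensitive substring test on the URI."""
    target = normalize_uri(uri) if normalize else uri
    return SNORT_URICONTENT in target.lower()

def bro_match(uri, normalize=True):
    """Bro's regex already covers case and slash variants; encoding still needs the decoder."""
    target = normalize_uri(uri) if normalize else uri
    return BRO_PATTERN.match(target) is not None

def uri_of(request_line):
    """Pull the request-URI out of a line like 'GET /path HTTP/1.0'."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""

# Constructed sample request lines with the verdict the rule is meant to give.
SAMPLES = [
    ("GET /index.html HTTP/1.0", False),
    ("GET /cgi-bin/test.cgi?cmd=/bin/ps HTTP/1.0", True),
    ("GET /scripts/%2fbin%2fPS HTTP/1.0", True),      # encoded slashes, upper case
    ("GET /scripts/%255cbin%255cps HTTP/1.0", True),  # double-encoded backslashes
]

def evaluate(samples=SAMPLES, normalize=True):
    """Return the number of samples on which both engines give the expected verdict."""
    agree = 0
    for line, expected in samples:
        uri = uri_of(line)
        if snort_match(uri, normalize) == expected and bro_match(uri, normalize) == expected:
            agree += 1
    return agree

if __name__ == "__main__":
    print("with http_decode:", evaluate(), "of", len(SAMPLES))
    print("without        :", evaluate(normalize=False), "of", len(SAMPLES))
```

Running evaluate with normalize=False shows why the preprocessor sits in front of the matcher: the encoded samples are only recognized once the URI is decoded.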

ACID screen capture for SNORT

Hybrid IDS
– Can be clustered.
– Centralized database.
– Provides file protection by using digests.
– Network sensing using packet sniffing.
– Blends strengths of HIDS & NIDS.
– Examples: MANHUNT / PRELUDE / DRAGON

MANHUNT
– Detects new and modified attacks.
– Dynamically reassigns scanned ports.
– Flowchaser and Trackback to fight DDoS.
PRELUDE
– Incorporates information from other IDS.
– Provides hooks to firewalls, honeypots, etc.
– Uses multiple sensors and a report server.
DRAGON
– Provides IDS evasion countermeasures by keeping a large database of known hacker techniques and searching for anomalies.

Goals
– Design a hybrid system.
– Send instantaneous alerts to the network administrator and other hosts.
– Use secure communication channels.
– Keep the configuration file secure.
– Keep the checksum database secure.
– Maintain a list of intruders.
– Maintain a log of attacks.

Design (architecture diagram; components shown: Intruder, Database, Firewall, Other Hosts, Administrator, Host)

Implementation
– Dedicated sockets for communication.
– Messages encrypted using AES.
– Configuration file included in the list of secured files.
– Checksums encrypted using AES.
– Network administrator maintains a log of intrusions.
– Hosts maintain a list of intruders.
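The host-based mechanism from the earlier slides (digests of files named in a configuration file, stored in a database, with several digest algorithms) and the two protections listed here (the configuration file is itself monitored, and the checksum database is protected) are shown together in this Python example, which is added here and is not the presenters' code. The standard library has no AES, so an HMAC over the stored baseline stands in for the slides' AES protection of the checksum database; the key and the file contents are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile

ALGORITHMS = ("sha256", "sha1")  # several digests per file, as the slides describe
# Assumed key: the slides protect the checksum database with AES; the standard
# library has no AES, so an HMAC over the database stands in to detect tampering.
BASELINE_KEY = b"demo-key-not-for-production"

def digest_file(path):
    """Return {algorithm: hexdigest} for one file, or None if it does not exist."""
    if not os.path.isfile(path):
        return None
    data = open(path, "rb").read()
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}

def build_baseline(config_path):
    """Digest every path listed in the config plus the config file itself
    (the slides add the configuration file to the list of secured files)."""
    with open(config_path) as f:
        watched = [line.strip() for line in f if line.strip()]
    watched.append(config_path)
    entries = {p: digest_file(p) for p in watched}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(BASELINE_KEY, body, "sha256").hexdigest()}

def check_baseline(baseline):
    """Return [(path, status)] for changed files; refuse a baseline whose tag fails."""
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected = hmac.new(BASELINE_KEY, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, baseline["hmac"]):
        return [("<baseline>", "tampered")]
    findings = []
    for path, old in baseline["entries"].items():
        new = digest_file(path)
        if new != old:
            findings.append((path, "deleted" if new is None else "modified"))
    return findings

def demo():
    """Constructed scenario in a temp dir: baseline, then alter a watched file and the config."""
    d = tempfile.mkdtemp()
    target, cfg = os.path.join(d, "passwd"), os.path.join(d, "ids.conf")
    with open(target, "w") as f: f.write("root:x:0:0\n")
    with open(cfg, "w") as f: f.write(target + "\n")
    base = build_baseline(cfg)
    with open(target, "a") as f: f.write("eve:x:0:0\n")  # tamper with the watched file
    with open(cfg, "a") as f: f.write("/tmp/other\n")     # tamper with the config itself
    return sorted(status for _, status in check_baseline(base))
```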

Sample execution

Future Work
– Network sensors to defend against DDoS attacks.
– Incorporate different hashing algorithms.
– Add a feature to track sources of DDoS.
– Incorporate data from existing IDS.
– Add a file change notification component.

Lessons Learned
– A hybrid IDS involves a lot of components.
– Communication between hosts and admins must be secure.
– Configuration files are vulnerable.
– A hybrid IDS provides better security.

References
– Intrusion Detection Systems, by Ricky M. Magalhaes.
– An Introduction to Intrusion Detection, by Aurobindo Sundaram, ACM Crossroads.
– Network vs. Host Based Intrusion Detection.
– IDS Products.
– Intrusion Detection and Network Auditing on the Internet.