seminar on Intrusion detection system By Suchismita Kar Regd No -0701209021 CS A

Topics to be covered… Overview of IDS Process model Architecture Information sources Analysis techniques Strengths Limitations Conclusion Reference

Overview of Intrusion Detection Systems: what are intrusions ? What is intrusion detection ? Functions of IDS Monitoring and analysis of user and system activity. Auditing of system configurations . Assessing the integrity of critical system and data files. Recognition of activity patterns reflecting known attacks Statistical analysis for abnormal activity patterns

Process model for Intrusion Detection: Information sources: network ,host ,application Analysis: misuse detection , anomaly detection Response: active measures involving some automated intervention on the part of the system, and passive measures involving reporting IDS findings to humans, who are then expected to take action based on those reports.

IDS Architecture Audit Collection/Storage Unit Processing Unit Alarm/Response Unit

Information sources Network based IDSs: Consist of a set of single-purpose sensors . These units monitor network traffic, performing local analysis of that traffic and reporting attacks to a central management console. Host based IDSs: Operate on information collected from within an Individual computer system. Operating system audit trails, and system logs Application based IDSs: Special subset of host-based IDSs . The most common information sources used by these IDSs are the application’s transaction log files.

IDS Analysis Techniques Misuse detection Anomaly detection Specification based detection

Misuse detection Misuse detectors analyze system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack.

Advantages Misuse detectors are very effective at detecting attacks without generating an overwhelming number of false alarms. Misuse detectors can quickly and reliably diagnose the use of a specific attack tool or technique. This can help security managers prioritize corrective measures. Misuse detectors can allow system managers, regardless of their level of security expertise, to track security problems on their systems, initiating incident handling procedures.  

Disadvantages Misuse detectors can only detect those attacks they know about –therefore they must be constantly updated with signatures of new attacks. Many misuse detectors are designed to use tightly defined signatures that prevent them from detecting variants of common attacks. State-based misuse detectors can overcome this limitation, but are not commonly used in commercial IDSs.

Anomaly detection Anomaly detectors identify abnormal unusual behavior (anomalies) on a host or network.

Advantages IDSs based on anomaly detection detect unusual behavior and thus have the ability to detect symptoms of attacks without specific knowledge of details. Anomaly detectors can produce information that can in turn be used to define signatures for misuse detectors

Disadvantages Anomaly detection approaches usually produce a large number of false alarms due to the unpredictable behaviors of users and networks. Anomaly detection approaches often require extensive “training sets” of system event records in order to characterize normal behavior patterns.

Specification based detection They distinguished between normal and intrusive behaviour by monitoring the traces of system calls of the target processes. A specification that models the desired behaviour of a process tells the IDS whether the actual observed trace is part of an attack or not.

Advantages More or less the same as for misuse detection. However these systems manage to detect some types/classes of novel attacks. Additionally, they are more resistant against subtle changes in attacks.

Disadvantages Usually for every program that is monitored, a specification has to be designed. Furthermore, the modelling process can be regarded as more difficult than the design of patterns for misuse detection systems. Additionally some classes of attacks are not detectable at all. Their systems managed the detection by inspecting log files.

Strengths of IDS Testing the security states of system configurations Base lining the security state of a system, then tracking any changes to that Baseline Recognizing patterns of system events that correspond to known attacks Recognizing patterns of activity that statistically vary from normal activity Managing operating system audit and logging mechanisms and the data they generate. Alerting appropriate staff by appropriate means when attacks are detected. Measuring enforcement of security policies encoded in the analysis engine Providing default information security policies Allowing non-security experts to perform important security monitoring Functions. Monitoring and analysis of system events and user behaviors

Limitations Compensating for weak or missing security mechanisms in the protection Infrastructure. Such mechanisms include firewalls, identification and authentication, link encryption, access control mechanisms, and virus detection and eradication. Instantaneously detecting, reporting, and responding to an attack, when there is a heavy network or processing load. Detecting newly published attacks or variants of existing attacks. Effectively responding to attacks launched by sophisticated attackers Resisting attacks that are intended to defeat or circumvent them Compensating for problems with the fidelity of information sources Dealing effectively with switched networks.

Conclusion IDSs are here to stay, with billion dollar firms supporting the development of commercial security products and driving hundreds of millions in annual sales. However, they remain difficult to configure and operate and often can’t be effectively used by the very novice security personnel who need to benefit from them most.

References www.google.com www.wikipedia.com Yi Hu, Brajendra Panda: A data mining approach for database intrusion detection. Lee, V. C.S., Stankovic, J. A., Son, S. H. Intrusion Detection in Real-time Database Systems Via Time Signatures

Any queries ?????????

THANK U