Signature Based and Anomaly Based Network Intrusion Detection By Stephen Loftus and Kent Ho CS 158B
Agenda
Introduce Network Intrusion Detection (NID): signature based and anomaly based
Compare and contrast: signature based vs. anomaly based NID
Example using Ethereal™
Intrusion Detection Systems
Intrusion detection begins where the firewall ends. Preventing unauthorized entry is best, but not always possible. It is important that the system is reliable, accurate, and secure.
IDS (cont.)
When designing an IDS, the mission is to protect the data's:
Confidentiality (read)
Integrity (read/write)
Availability (read/write/access)
Threats can come from both outside and inside the network.
Signature
Signature based IDS look for "known patterns" of detrimental activity.
Benefits:
Low false-alarm rate: the system only has to look up the list of known attack signatures and, if it finds a match, report it. Signature based NID are very accurate.
Speed: the systems are fast since they only compare what they see against a predetermined rule.
Signature (cont.)
Negatives:
If someone develops a new attack, there will be no protection: a signature based IDS is "only as strong as its rule set."
Attacks can be masked by splitting up the messages.
As with anti-virus software, after a new attack is recorded, the signature files need to be updated before the network is secure again.
Examples: port scan, DoS, sniffing
Anomaly
Anomaly based IDS track unknown or unusual behavior patterns that indicate detrimental activity.
Advantages:
Helps to reduce the "limitations problem" of signature based detection.
Conducts a thorough screening of everything that comes through.
Anomaly (cont.)
Disadvantages:
False positives: it catches too much, because behavior based NIDs monitor a system according to its behavior patterns rather than a fixed list of attacks.
Painstakingly slow to do exhaustive monitoring, and it uses up a lot of resources.
After an anomaly has been detected, it may become a "signature".
Anomaly vs. Signature
Which is the best way to defend your network? Both have advantages.
Signature can be used as a stand-alone system.
Anomaly has a few weak points that prevent it from being a stand-alone system.
Signature is the better of the two for defending your network.
The best way is to use both!
Example
Using Ethereal™ to detect a port scan
A port scan is when a person executes sequential port open requests trying to find an open port. Most of these requests come back with a TCP "reset" (RST), because the port is closed.
Normal TCP/IP port request
Port request on closed port
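To make the signature-versus-anomaly contrast concrete, here is an added example (not from the original slides or from Ethereal) that runs both styles of detector over a small constructed packet list: the signature rule encodes the known "sequential ports on one host" pattern, while the anomaly rule only knows a baseline RST ratio learned from normal traffic. The packet format, host addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample traffic (not a real capture): (src, dst, service_port, flags).
# flags: "S" = SYN, "SA" = SYN/ACK, "R" = RST. service_port is the port on the
# server in both directions, so a reply can be matched to the SYN it answers.
NORMAL = [  # one host browsing: two open ports, one closed port
    ("10.0.0.5", "10.0.0.80", 80, "S"),   ("10.0.0.80", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "10.0.0.80", 443, "S"),  ("10.0.0.80", "10.0.0.5", 443, "SA"),
    ("10.0.0.5", "10.0.0.80", 8080, "S"), ("10.0.0.80", "10.0.0.5", 8080, "R"),
]
TRAFFIC = list(NORMAL)
# Hypothetical scanner 10.0.0.99 walks ports 20-29 on the same host; only 22 is open,
# so nine of the ten requests come back with a reset, as on the Ethereal slide.
for port in range(20, 30):
    TRAFFIC.append(("10.0.0.99", "10.0.0.80", port, "S"))
    TRAFFIC.append(("10.0.0.80", "10.0.0.99", port, "SA" if port == 22 else "R"))

def signature_scan_alerts(traffic, min_ports=5):
    """Signature rule: one source sends SYNs to >= min_ports consecutive ports
    on one destination. The attack pattern is hard-coded; no baseline needed."""
    syns = defaultdict(set)
    for src, dst, port, flags in traffic:
        if flags == "S":
            syns[(src, dst)].add(port)
    alerts = []
    for (src, dst), ports in syns.items():
        ordered, run, best = sorted(ports), 1, 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1   # length of consecutive run
            best = max(best, run)
        if best >= min_ports:
            alerts.append((src, dst, best))
    return alerts

def rst_ratio_per_source(traffic):
    """Fraction of each source's SYNs that were answered with a RST (closed port)."""
    sent, rst = defaultdict(int), defaultdict(int)
    for src, dst, port, flags in traffic:
        if flags == "S":
            sent[src] += 1
        elif flags == "R":
            rst[dst] += 1          # the RST goes back to the host that sent the SYN
    return {s: rst[s] / sent[s] for s in sent}

def anomaly_scan_alerts(traffic, baseline_ratio, tolerance=0.3):
    """Anomaly rule: flag sources whose RST ratio is well above the baseline learned
    from normal traffic. No attack pattern is encoded, so port order is irrelevant."""
    return [(src, round(r, 2)) for src, r in rst_ratio_per_source(traffic).items()
            if r > baseline_ratio + tolerance]

# Baseline learned from the normal traffic only: 1 RST out of 3 SYNs.
BASELINE = sum(1 for p in NORMAL if p[3] == "R") / sum(1 for p in NORMAL if p[3] == "S")
```

Both detectors flag the scanner here; the anomaly detector would also flag a scan that avoided consecutive ports, but at the price of flagging any legitimate host that happens to hit many closed ports.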