Signature Based and Anomaly Based Network Intrusion Detection

Presentation transcript:

Signature Based and Anomaly Based Network Intrusion Detection
By Stephen Loftus and Kent Ho
CS 158B

Agenda
Introduce Network Intrusion Detection (NID)
Signature
Anomaly
Compare and contrast: signature based vs. anomaly based NID
Example using Ethereal™

Intrusion Detection Systems
Intrusion detection begins where the firewall ends. Preventing unauthorized entry is best, but not always possible. It is important that the detection system itself is reliable, accurate and secure.

IDS (cont.)
When designing an IDS, the mission is to protect the data's
Confidentiality (read)
Integrity (read/write)
Availability (read/write/access)
Threats can come from both outside and inside the network.

Signature
Signature based IDS look for "known patterns" of detrimental activity.
Benefits:
Low false-alarm rates: the system only has to look up the list of known attack signatures and, if it finds a match, report it. Signature based NID are very accurate.
Speed: the systems are fast since they are only comparing what they see against a predetermined rule.

Signature (cont.)
Negatives:
If someone develops a new attack, there will be no protection: a signature based IDS is "only as strong as its rule set."
Attacks can be masked by splitting up the messages.
As with anti-virus, after a new attack is recorded the data files need to be updated before the network is secure.
Examples: port scan, DoS, sniffing

Anomaly
Anomaly based IDS track behavior and flag unusual, previously unknown patterns of detrimental activity.
Advantages:
Helps to reduce the "limitations problem" (the signature approach only catching attacks it already knows).
Conducts a thorough screening of what comes through.

Anomaly (cont.)
Disadvantages:
False positives: it catches too much, because behavior based NIDs monitor a system by its behavior patterns.
Painstakingly slow to do exhaustive monitoring; uses up a lot of resources.
After an anomaly has been detected, it may become a "signature".

Anomaly vs. Signature
Which is the best way to defend your network? Both have advantages.
Signature can be used as a stand-alone system.
Anomaly has a few weak points that prevent it from being a stand-alone system.
Signature is the better of the two for defending your network.
The best way is to use both!

Example
Using Ethereal™ to detect a port scan. A port scan is when a person executes sequential port open requests trying to find an open port. Most of these come back with a "reset".
(Capture 1: Normal TCP/IP port request)
(Capture 2: Port request on closed port)
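As an added example (not part of the original slides), the two detection styles the Signature and Anomaly slides contrast, run over a constructed packet summary of the kind Ethereal™ shows for the port scan above: a fixed signature rule, a baseline-driven anomaly rule, and the share of probes answered with a "reset". Host addresses, ports, timings and thresholds are constructed sample values.

```python
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

# One TCP packet summary, as read off an Ethereal/Wireshark capture row. `port` is the server-side
# port the exchange concerns (ephemeral client ports omitted); flags: SYN request, RST,ACK closed, SYN,ACK open.
Pkt = namedtuple("Pkt", "t src dst port flags")

def syn_requests(pkts):
    """Group connection requests by source: src -> list of (t, dst, port)."""
    by_src = defaultdict(list)
    for p in pkts:
        if p.flags == "SYN":
            by_src[p.src].append((p.t, p.dst, p.port))
    return by_src

def signature_portscan(pkts, max_ports=5, window=2.0):
    """Signature rule: a source sends SYNs to more than max_ports distinct ports of one host
    within `window` seconds. Fast and precise, but a scan slowed below the rule is missed."""
    hits = set()
    for src, reqs in syn_requests(pkts).items():
        for t0, dst, _ in sorted(reqs):
            ports = {pt for t, d, pt in reqs if d == dst and 0 <= t - t0 <= window}
            if len(ports) > max_ports:
                hits.add(src)
    return hits

def anomaly_portscan(baseline, pkts, k=3.0):
    """Anomaly rule: learn distinct-ports-per-source from a clean baseline, then flag any source
    above mean + k*stddev. Needs no attack knowledge; an odd legitimate client is a false positive."""
    counts = [len({pt for _, _, pt in r}) for r in syn_requests(baseline).values()]
    limit = mean(counts) + k * pstdev(counts)
    return {src for src, r in syn_requests(pkts).items() if len({pt for _, _, pt in r}) > limit}

def rst_ratio(pkts, src):
    """Share of a source's SYNs answered with RST,ACK: the "reset" replies closed ports send back."""
    syns = {(p.dst, p.port) for p in pkts if p.src == src and p.flags == "SYN"}
    rsts = {(p.src, p.port) for p in pkts if p.dst == src and p.flags == "RST,ACK"}
    return len(syns & rsts) / len(syns) if syns else 0.0

# Constructed baseline: six ordinary clients of 10.0.0.5, three using ports 80 and 443, three only 80.
BASELINE = [Pkt(i, f"10.0.0.{10 + i}", "10.0.0.5", p, "SYN") for i in range(6) for p in ([80, 443] if i < 3 else [80])]
# Constructed capture: one normal client, then 10.0.0.9 probing ports 20..30 of 10.0.0.5,
# where only port 22 is open and every other probe is answered with a reset.
CAPTURE = [Pkt(0.0, "10.0.0.7", "10.0.0.5", 80, "SYN"), Pkt(0.01, "10.0.0.5", "10.0.0.7", 80, "SYN,ACK")]
for i, port in enumerate(range(20, 31)):
    CAPTURE.append(Pkt(1.0 + 0.1 * i, "10.0.0.9", "10.0.0.5", port, "SYN"))
    CAPTURE.append(Pkt(1.0 + 0.1 * i + 0.001, "10.0.0.5", "10.0.0.9", port, "SYN,ACK" if port == 22 else "RST,ACK"))
```

Both detectors flag 10.0.0.9 on this capture; the same scan spread over minutes escapes the signature rule but not the anomaly rule, which is the trade-off the slides describe.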