Cryptography and Network Security Sixth Edition by William Stallings

IDS and IPS Overview

3 Definition Intrusion Detection Systems (IDS) Process of monitoring the events occurring in a computer system or network and analysing them for signs of possible incident Incidents have many causes; malware, attackers gaining unauthorized access, misuse of privileges or gaining additional privileges Software that automates the intrusion detection process Intrusion Prevention Systems (IPS) All the above but also attempt to stop possible incidents

4 Uses of IDPS IDPS primary focus is identifying possible incident IDPS can also identify reconnaissance activity Identifying security policy problems Documenting the existing threat to an organization Deterring individuals from violating security policies

5 Key functions of IDPS Technologies Analyse and monitor events to identify undesirable activity Recording information related to observed events Notifying security administrators of important events Producing reports. The IPS stops the attack itself The IPS change the security environment The IPS changes the attack’s content.

6 Key functions of IDPS Technologies IDPS cannot provide completely accurate detection False positive False negative Most IDPS also offer features that compensate for the use of common evasion techniques Evasion is modifying the format or timing of malicious activity so that its appearance changes but its effect is the same Attackers use evasion techniques to try to prevent IDPS from detecting their attack

Common detection methodologies Signature-based detection A signature is a pattern that correspond to a known threat Compares signatures against observed events to identify possible incidents Simplest detection and have little understanding of state. Cannot remeber previous request. Anomaly-based detection Comparing definitions of what activities is considered normal against observed events to identify significant deviations Profiles that represent normal behaviour of such things as users, network connections or applications Major benefit is they can be effective at detecting previously unknown threats. Can inadvertently include malicious activity as part of profile. Generate many false positive and difficult for analyst to determine why an alert was generated Stateful protocol analysis The proces of comparing profiles of generally accepted definitions of protocol state against observed events to identify deviations Understanding and Tracking state of network, transport and applications protocol that have a notion of state Very ressource-intensive and cannot detect that do not violate protocol behavior

Type of IDPS technologies Network-based Monitor network traffic for particular network segments or devices and analyse the network and application protocol activity to identify suspicious activity Wireless Monitor wireless traffic and analyse its wireless network protocols to identify suspicious activity involving the protocols themselves It cannot identify suspicious activity in the application or higher-layer network Network behavior analysis (NBA) Examines network traffic to identify threats that generate unusual traffic activity such as DDoS or malware Host-based Monitors the characteristics of a single host and the events occurring within that host for suspicious activity

9 Component and architecture Sensors and agents Management server. Database server. Console Management network and management interface Isolate management network from production network Can also be isolated through VLAN

10 Security capabilities Information gathering capabilities Logging capabilities Detection capabilities Threshold Blacklist and whitelist Alert settings Code viewing and editing Prevention capabilities