Network Intrusion Detection System (NIDS)


Network Intrusion Detection System (NIDS) Somesh Jha

NIDS
- Inspect packets at certain vantage points (behind the routers)
- Look for malicious or anomalous behavior
- Much more fine-grained than firewalls
- Example: drop a packet whose payload “matches” a certain string

Classification of NIDS: Signature-based
- Establish a database of malicious patterns
- If a sequence of packets “matches” one of the patterns, raise an alarm
- Positives: good attack libraries; easy to understand the results
- Negatives: unable to detect new attacks or variants of old attacks
- Examples: Snort, Bro, NFR, …

Classification of NIDS: Anomaly-based
- Establish a statistical profile of normal traffic
- If monitored traffic deviates “sufficiently” from the established profile, raise an alarm
- Positives: can detect new attacks
- Negatives: high false alarm rate; an intruder can go under the “radar”
- Examples: mostly research systems

Classification of NIDS: Stateless
- Need to keep no state
- Example: raise an alarm if you see a packet that contains the pattern “melissa”
- Positives: very fast
- Negatives: for some attacks you need to keep state

Classification of NIDS: Stateful
- Keeps state
- Sometimes needs to do reassembly: reassemble packets that belong to the same connection, e.g., packets that belong to the same ssh session
- Quite hard! (out-of-order delivery)
- Positives: can detect more attacks
- Negatives: requires too much memory

Snort architecture (diagram): raw packets -> libpcap -> filtered packet stream -> Snort, which matches the stream against malicious patterns and produces logs, alerts, ...

libpcap
- Takes the “raw” packet stream
- Parses the packets and presents them as a filtered packet stream
- Website for more details: http://www-nrg.ee.lbl.gov/

Malicious Pattern Example
    alert tcp any any -> 10.1.1.0/24 80 (content: “/cgi-bin/phf”; msg: “PHF probe!”;)
Rule header fields, left to right:
- action (pass, log, alert)
- protocol
- source address, source port
- destination address, destination port

Malicious Patterns Example
- content: “/cgi-bin/phf” matches any packet whose payload contains the string “/cgi-bin/phf” (look at http://www.cert.org/advisories/CA-1996-06.html)
- msg: “PHF probe!” generates this message if a match happens

More Examples
    alert tcp any any -> 10.1.1.0/24 6000:6010 (msg: “X traffic”;)
    alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 6000:6010 (msg: “X traffic”;)

How to generate new patterns?
- Buffer overrun found in the Internet Message Access Protocol (IMAP): http://www.cert.org/advisories/CA-1997-09.html
- Run the exploit in a test network and record all traffic
- Examine the content of the attack packet

Notional “IMAP buffer overflow” packet
    052499-22:27:58.403313 192.168.1.4:1034 -> 192.168.1.3:143
    TCP TTL:64 TOS:0x0 DF
    ***PA* Seq: 0x5295B44E Ack: 0x1B4F8970 Win: 0x7D78
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 3B  ...............;
    5E 89 76 08 31 ED 31 C9 31 C0 88 6E 07 89 6E 0C  ^.v.1.1.1..n..n.
    B0 0B 89 F3 8D 6E 08 89 E9 8D 6E 0C 89 EA CD 80  .....n....n.....
    31 DB 89 D8 40 CD 80 90 90 90 90 90 90 90 90 90  1...@...........
    90 90 90 90 90 90 90 90 90 90 90 E8 C0 FF FF FF  ................
    2F 62 69 6E 2F 73 68 90 90 90 90 90 90 90 90 90  /bin/sh.........

Alert rule for the new buffer overflow
    alert tcp any any -> 192.168.1.0/24 143 (content:"|E8C0 FFFF FF|/bin/sh"; msg:"New IMAP Buffer Overflow detected!";)
- Can mix hex-formatted bytecode and text
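As an added example (not from the slides and not Snort's own code), a small Python matcher for the rule subset shown on these slides: it parses the header and the content:/msg: options, handles any, CIDR, ! negation and lo:hi port ranges, decodes the |..| hex notation, and checks constructed packets. The rules are copied from the slides with straight quotes in place of curly ones; packet addresses and payloads are constructed.

```python
import re
import ipaddress

# Constructed sample: three rules from the slides (straight quotes instead of curly ones).
RULES = [
    'alert tcp any any -> 10.1.1.0/24 80 (content: "/cgi-bin/phf"; msg: "PHF probe!";)',
    'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 6000:6010 (msg: "X traffic";)',
    'alert tcp any any -> 192.168.1.0/24 143 (content:"|E8C0 FFFF FF|/bin/sh"; msg:"New IMAP Buffer Overflow detected!";)',
]
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_content(spec):
    """Snort content string -> bytes: text between | | is hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def parse_rule(text):
    """Split 'action proto src sport -> dst dport (opts)' into a dict."""
    m = HEADER.match(text)
    if not m:
        raise ValueError('unsupported rule syntax: ' + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)
    for opt in filter(None, (o.strip() for o in opts.split(';'))):
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip().strip('"')
        rule[key] = parse_content(val) if key == 'content' else val
    return rule

def addr_match(spec, ip):
    """'any', a CIDR, or a '!'-negated CIDR (as in the second rule) against one IP."""
    if spec == 'any':
        return True
    in_net = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip('!'), strict=False)
    return in_net != spec.startswith('!')

def port_match(spec, port):
    """'any', a single port, or a lo:hi range such as 6000:6010."""
    if spec == 'any':
        return True
    lo, _, hi = spec.partition(':')
    return int(lo) <= port <= int(hi or lo)

def check(rule, pkt):
    """Return the rule's msg if pkt (dict: src, sport, dst, dport, payload) matches, else None."""
    header_ok = (addr_match(rule['src'], pkt['src']) and port_match(rule['sport'], pkt['sport'])
                 and addr_match(rule['dst'], pkt['dst']) and port_match(rule['dport'], pkt['dport']))
    if not header_ok or ('content' in rule and rule['content'] not in pkt['payload']):
        return None
    return rule.get('msg')
```

Real Snort rules carry many more options and modifiers; this handles only the two option keywords the slides use.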

Advantages of Snort
- Lightweight: small footprint; focused monitoring, e.g., a highly tuned Snort for the SMTP server
- Malicious patterns easy to develop
- Large user community: consider the IRDP denial-of-service attack; a rule for this attack was available on the same day the attack was announced

Disadvantages
- Does not do stream reassembly; attackers can use that to “fool” Snort by breaking one attack packet into a stream
- Pattern matching is expensive; matching patterns in payloads is especially expensive (avoid it!)
- Rule development methodology is ad hoc
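An added example (not from the slides) tying the reassembly point of the Stateful slide to the first disadvantage here: a stateless per-packet check misses the PHF string once the request is split across two TCP segments, while a small per-connection reassembly buffer that tolerates out-of-order delivery sees the contiguous stream and finds it. The segments and sequence numbers are constructed.

```python
from collections import namedtuple

Segment = namedtuple('Segment', 'seq payload')   # seq is relative to the connection's ISN
PATTERN = b'/cgi-bin/phf'                         # the content: string from the PHF rule

# Constructed sample: one request split across two TCP segments that also arrive
# out of order. Neither segment on its own contains the full pattern.
SEGMENTS = [
    Segment(seq=9, payload=b'bin/phf?Qalias=x HTTP/1.0\r\n'),  # delivered first
    Segment(seq=0, payload=b'GET /cgi-'),                       # delivered second
]

def stateless_match(segments, pattern):
    """Per-packet inspection with no connection state, as the slide's Snort does."""
    return any(pattern in s.payload for s in segments)

class StreamReassembler:
    """Per-connection buffer that re-orders segments by sequence number and
    exposes the contiguous byte stream. Retransmissions and overlaps are
    ignored here; a production NIDS must also bound 'pending' (the memory cost
    the Stateful slide mentions)."""
    def __init__(self, isn=0):
        self.next_seq = isn          # next byte expected in order
        self.pending = {}            # seq -> payload waiting for an earlier gap to close
        self.stream = bytearray()    # bytes delivered in order so far

    def feed(self, seg):
        """Add one segment; return the stream as far as it is contiguous."""
        self.pending[seg.seq] = seg.payload
        while self.next_seq in self.pending:   # drain whatever is now in order
            data = self.pending.pop(self.next_seq)
            self.stream += data
            self.next_seq += len(data)
        return bytes(self.stream)

def stateful_match(segments, pattern):
    """Scan the reassembled stream after every segment, as a stateful NIDS would."""
    r = StreamReassembler()
    return any(pattern in r.feed(s) for s in segments)
```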