
Intrusion Detection and Prevention Systems By Colton Delman COSC 454 Information Assurance Management.

Presentation transcript:

1 Intrusion Detection and Prevention Systems
By Colton Delman, COSC 454 Information Assurance Management

2 Overview
- Define IDPS
- The Prevention
- Configurations
- Two Types of IDPS
- Two Types of Detection
- Managing IDPSs

3 What is an IDPS?
- Intrusion detection and prevention systems, also known as intrusion detection systems (IDS) or intrusion prevention systems (IPS), are systems that notify the user(s) when the system detects a violation.
- The alarm can be audible, visual, or silent (messages, emails, notifications).
- Ex: a burglar alarm sets off an audible/visible alarm when a window is opened or broken.

4 Who is notified?
- Most IDPSs are set up to notify the administrators via:
  - Email
  - Text
  - Pages
- Systems can also be configured to notify outside InfoSec organizations, just as an alarm notifies both you and the police.

5 Prevention
Systems prevent attacks from succeeding by one of the following:
- Stopping the attack by terminating the network connection or the attacker’s user session (lock down the house)
- Changing the security environment by reconfiguring network devices to block access to the targeted system (change the locks)
- Changing the attacker’s content to make it benign (remove an infected file from an email before the recipient gets/opens it)

6 Configurations
- Admins can configure different alarm levels for an IDPS
- IDPSs require complex configuration to provide appropriate detection and response
- IDPSs are configured based on two different placements:
  - Host-based
  - Network-based
- IDPSs are also configured based on two different detection methods:
  - Signature-based
  - Statistical anomaly-based (anomaly-based)

7 Host-Based IDPS (HIDPS)
- Detects and prevents unwanted actions on a host or on multiple host computers
- Works by configuring and classifying various categories of systems and data files
- Can be configured to report any changes to sensitive files or folders
  - Ex: C:\Windows
  - Ex: C:\Program Files\Office

8 Network-Based IDPS (NIDPS)
- Monitors network traffic
- Notifies when a predefined condition occurs
- Looks for patterns in network traffic
  - Ex: a collection of related traffic that can indicate a DoS attack
  - Ex: a series of related packets that indicates a port scan
- Requires complex configuration
- Must match both known and unknown attack patterns

9 Signature-Based Detection IDPS
- Very similar to anti-virus software
- Also known as a knowledge-based IDPS
- Examines data traffic for anything that matches a signature (a predetermined attack pattern)
- Weaknesses:
  - Signatures must be constantly updated
  - The time frame of an attack matters (slow attacks may go undetected)

10 Anomaly-Based Detection IDPS
- Also called a behavior-based IDPS
- Collects data from normal traffic to create a baseline
- Then samples traffic using statistical methods and compares it to the baseline
- When traffic falls outside the baseline parameters (the clipping level), it notifies the admins
- Variables include:
  - Host memory
  - Host CPU usage
  - Network packet types
  - Packet quantities

11 Anomaly-Based Detection IDPS
- Advantages: able to detect new types of attacks, because they deviate from the baseline
- Disadvantages:
  - Requires significant overhead and processing capacity
  - May not detect minor changes in the system
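To make slides 8, 10 and 11 concrete, here is an added example (not part of the presentation or the cited textbook) that applies both detection methods to constructed packet records: a signature rule for the port-scan pattern of slide 8, and an anomaly rule that builds a baseline from normal traffic and alerts when a host's packets per second exceed the clipping level (mean plus k standard deviations). The IP addresses, ports and thresholds are made up for illustration.

```python
"""Toy IDPS: signature-based and anomaly-based detection over packet records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packet records: (second, src_ip, dst_ip, dst_port).
# NORMAL is one minute of ordinary traffic used to build the baseline.
NORMAL = [(s, "10.0.0.5", "10.0.0.20", 443) for s in range(60)] + \
         [(s, "10.0.0.5", "10.0.0.20", 80) for s in range(0, 60, 2)]
# SCAN: one source touching 25 distinct ports within a single second.
SCAN = [(61, "10.0.0.9", "10.0.0.20", p) for p in range(20, 45)]
# FLOOD: a burst of 40 packets to one port in one second (DoS-like volume).
FLOOD = [(62, "10.0.0.5", "10.0.0.20", 443)] * 40


def packets_per_second(records):
    """Count packets per (second, source) pair: the 'packet quantities' variable."""
    counts = defaultdict(int)
    for sec, src, _, _ in records:
        counts[(sec, src)] += 1
    return counts


def build_baseline(records):
    """Baseline = mean and standard deviation of per-second packet counts."""
    per_sec = list(packets_per_second(records).values())
    return mean(per_sec), pstdev(per_sec)


def anomaly_alerts(records, baseline, k=3.0):
    """Anomaly-based: flag (second, src) whose count exceeds the clipping level."""
    mu, sigma = baseline
    clipping_level = mu + k * sigma
    return sorted(key for key, n in packets_per_second(records).items()
                  if n > clipping_level)


def port_scan_alerts(records, min_ports=10):
    """Signature-based: one source hitting >= min_ports distinct ports in a second."""
    ports = defaultdict(set)
    for sec, src, dst, port in records:
        ports[(sec, src, dst)].add(port)
    return sorted(key for key, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    baseline = build_baseline(NORMAL)          # (1.5, 0.5) -> clipping level 3.0
    traffic = NORMAL + SCAN + FLOOD
    print("anomaly alerts:", anomaly_alerts(traffic, baseline))
    print("port-scan alerts:", port_scan_alerts(traffic))
```

Note that the anomaly rule also flags the scan because its volume is abnormal, while only the signature rule names it as a port scan; the flood is caught by the anomaly rule alone, which is the slide-11 advantage of detecting an attack with no signature.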

12 Managing an IDPS
- The system needs a human component to respond to alerts
- An IDPS does not take action by itself unless programmed to
- Needs to be configured by those with the right knowledge:
  - Technical
  - Business
  - Security
- Needs to be configured and maintained to lower false-positive rates
- Configuration also determines the different types of notifications

13 Managing an IDPS
- Bad configuration leads to:
  - Mostly false-positive alerts
  - Waste of time and resources
  - Overload of data
  - Humans making the false-positive problem worse
- Most IDPSs monitor systems by means of agents
- An agent (sensor) is a piece of software that resides on a system and reports back to a management server
- Agents must also be carefully configured to use secure communications

14 Managing an IDPS
- It is best to consolidate enterprise management services to manage a good IDPS
- Allows data to be collected from multiple host-based and network-based IDPSs and examined for patterns
- This lets the admin/manager monitor all devices, so that an attack can still be followed if the attacker moves it across the network
- Consolidation leads to a central monitoring hub

15 Work Cited
Whitman, Michael E., and Herbert J. Mattord. Management of Information Security. Cengage Learning, 2010. Print.

