Intrusion-Detection Systems


1 Intrusion-Detection Systems
Based on slides accompanying the book Network Defense and Countermeasures by Chuck Easttom (2018)

2 Objectives
Explain how intrusion-detection systems work
Implement strategies for preventing intrusion
Identify and describe several popular intrusion-detection systems
Define the term honeypot
Identify and describe at least one honeypot implementation

3 Introduction What is an IDS?
An Intrusion-Detection System (IDS) is a system that is designed to detect signs that someone (or something) is attempting to breach a system, and to alert the system administrator that suspicious activity is taking place.

4 Introduction Why do we use IDSs?
Intrusion-detection systems enable system administrators to detect possible attacks on the network.

5 Preemptive Blocking (as a primitive form of intrusion detection/prevention)
Sometimes called banishment vigilance
Attempts to detect impending intrusions by examining their footprinting (cf. a virus's signature)
Weaknesses?
Susceptible to false positives: may block legitimate traffic (i.e., mistakenly identifying a legitimate packet as part of a threat)
When an IP address is blocked, the attacker can switch to a different IP address
Explain what false positives are and what false negatives are.

6 True/False Positive/Negative ?

7 IDS Detection Methodologies
Signature-based detection - compares known threat signatures to observed events to identify incidents
Anomaly-based detection - compares definitions of what activity is considered normal against observed events to identify significant deviations
Stateful protocol analysis - compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations
Source: NIST SP, Guide to Intrusion Detection and Prevention Systems (IDPS), Karen Scarfone and Peter Mell (NIST), published February 2007 (supersedes SP, November 2001)
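The first and third methodologies above behave differently on the same traffic: a signature matcher only sees what it has a pattern for, while stateful protocol analysis flags a command that is legal in isolation but not in the protocol state the session is in. The following is an added example, not code from the slides or from the NIST guide they cite; the two signatures, the simplified SMTP state table and the seven-line session are all constructed for illustration.

```python
"""Signature-based detection and stateful protocol analysis over one SMTP command stream."""
import re

# Constructed signatures: (pattern, name of the incident it identifies).
SIGNATURES = [
    (re.compile(r"^VRFY\s+\S+", re.I), "SMTP user enumeration attempt (VRFY)"),
    (re.compile(r"^EXPN\s+\S+", re.I), "SMTP list enumeration attempt (EXPN)"),
]

# Constructed, simplified SMTP state table: for each state, the commands that are
# benign there and the state each one leads to. Anything else is a deviation.
# (DATA is treated as completing the transaction; the message body is omitted.)
SMTP_TRANSITIONS = {
    "CONNECTED": {"EHLO": "GREETED", "HELO": "GREETED", "QUIT": "CLOSED"},
    "GREETED":   {"MAIL": "MAIL_SET", "VRFY": "GREETED", "NOOP": "GREETED", "QUIT": "CLOSED"},
    "MAIL_SET":  {"RCPT": "RCPT_SET", "RSET": "GREETED", "QUIT": "CLOSED"},
    "RCPT_SET":  {"RCPT": "RCPT_SET", "DATA": "GREETED", "RSET": "GREETED", "QUIT": "CLOSED"},
    "CLOSED":    {},
}

def signature_detect(lines):
    """Compare each observed line with the known signatures; report (line number, incident)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pattern, name in SIGNATURES:
            if pattern.search(line):
                hits.append((n, name))
    return hits

def stateful_detect(lines):
    """Track the protocol state and report commands that are not benign in the current state."""
    state = "CONNECTED"
    deviations = []
    for n, line in enumerate(lines, 1):
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        allowed = SMTP_TRANSITIONS[state]
        if verb in allowed:
            state = allowed[verb]
        else:
            deviations.append((n, f"{verb} not valid in state {state}"))
    return deviations

# Constructed session. Line 2 matches a signature but is a legal command in the
# GREETED state; line 3 matches no signature but is DATA sent before MAIL/RCPT.
SESSION = [
    "EHLO mail.example.test",
    "VRFY root",
    "DATA",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    print("signature hits:", signature_detect(SESSION))
    print("state deviations:", stateful_detect(SESSION))
```

Each detector reports exactly one line, and not the same one: the signature matcher has no notion of order, and the state machine has no list of bad strings, which is why real IDPS products combine methodologies rather than picking one.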

8 Anomaly Detection
Any activity that does not match normal use is noted and saved in a log.
Normal usage profiles are kept and updated, then compared to the user's, the group's, or the system's behavior.
Most IDSs work this way.
Based on heuristics rather than signatures or pre-stored patterns, so it can detect previously unknown threats.
Q: Examples of anomalous behavior?

9 Anomaly Detection
Different ways an anomaly may be detected:
Threshold monitoring
Resource profiling
User/group work profiling
Executable profiling

10 Types of Anomaly Detection
Threshold Monitoring
Defines acceptable behaviors
Presets acceptable behavior levels: the threshold
Monitors for the exceeding of these thresholds
Q: Example thresholds?
Weaknesses?
Can be difficult to set up the thresholds
Difficult to set times for monitoring behavior (i.e., when? how often?)
Susceptible to false positives and negatives
List pros and cons of this type of anomaly detection.

11 Questions
Explain what it means to say that threshold monitoring (as a method of anomaly detection) is susceptible to false positives. Give an example.
Explain why threshold monitoring (as a method of anomaly detection) is susceptible to false positives.
Explain what it means to say that threshold monitoring (as a method of anomaly detection) is susceptible to false negatives. Give an example.
Explain why threshold monitoring (as a method of anomaly detection) is susceptible to false negatives.
List pros and cons of this type of anomaly detection.

12 Types of Anomaly Detection
Resource Profiling
Measures system-wide resource use to develop a historic usage profile
Abnormal readings can indicate illicit activity
cf. threshold monitoring
Q: What are the differences between resource profiling and threshold monitoring as means of anomaly detection?

13 Types of Anomaly Detection
User/Group Work Profiling
Each user's or group's typical activities are stored in its work profile
Activities not typical of that user or group are suspected
Changes in work patterns need to be updated in the respective profiles
Weaknesses?
A dynamic user base could be difficult to profile
Examples?

14 Types of Anomaly Detection
User/Group Work Profiling
Q: Compare work profiling with other methods, such as threshold monitoring and resource profiling.
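One way to make the comparison on slide 14 concrete, as an added example that is not from the slides: a per-user (or per-group) work profile is learned from constructed session history, new sessions are scored against the profile of the subject they belong to, and a fixed global threshold is run on the same sessions. The users, hours, command counts and group membership are invented; the profile stores the hours each subject has been seen active and the mean and standard deviation of commands per session, and a session deviates if its hour is new for that subject or its command count is more than `z_limit` standard deviations from that subject's mean.

```python
"""User/group work profiling versus a fixed global threshold."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, hour of day the session started, commands run in the session).
HISTORY = [
    ("alice", 9, 40), ("alice", 10, 55), ("alice", 14, 38), ("alice", 16, 60),   # daytime developer
    ("bob", 1, 20), ("bob", 2, 25), ("bob", 3, 22), ("bob", 23, 18),             # night-shift operator
]
# Constructed group membership, so the same routine can profile a group instead of a user.
GROUP_OF = {"alice": "developers", "bob": "operators"}

def build_profiles(history, subject=lambda user: user):
    """Build one work profile per subject (the user by default; pass GROUP_OF.get for groups)."""
    sessions = defaultdict(list)
    for user, hour, commands in history:
        sessions[subject(user)].append((hour, commands))
    profiles = {}
    for who, rows in sessions.items():
        counts = [c for _, c in rows]
        profiles[who] = {
            "hours": {h for h, _ in rows},   # hours at which this subject has been seen active
            "cmd_mean": mean(counts),
            "cmd_std": pstdev(counts),
        }
    return profiles

def work_profile_check(profiles, who, hour, commands, z_limit=3.0):
    """Return the ways a session deviates from the subject's own profile (empty if none)."""
    p = profiles[who]
    deviations = []
    if hour not in p["hours"]:
        deviations.append("unusual hour")
    if p["cmd_std"] > 0 and abs(commands - p["cmd_mean"]) / p["cmd_std"] > z_limit:
        deviations.append("unusual command volume")
    return deviations

def threshold_check(commands, limit=100):
    """Fixed threshold: the same limit for everybody, with no notion of 'normal for this subject'."""
    return ["threshold exceeded"] if commands > limit else []

USER_PROFILES = build_profiles(HISTORY)
GROUP_PROFILES = build_profiles(HISTORY, subject=GROUP_OF.get)

if __name__ == "__main__":
    for user, hour, commands in [("alice", 2, 45), ("bob", 2, 21), ("alice", 10, 400)]:
        print(user, hour, commands,
              "| user profile:", work_profile_check(USER_PROFILES, user, hour, commands),
              "| group profile:", work_profile_check(GROUP_PROFILES, GROUP_OF[user], hour, commands),
              "| threshold:", threshold_check(commands))
```

A 02:00 session is normal for bob and anomalous for alice, which a fixed threshold cannot express; a 400-command session is caught by both, and a system-wide resource profile would only notice it if the extra load stood out against everybody's combined usage.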

15 Types of Anomaly Detection
Executable Profiling
Measures and monitors how programs use system resources
Helpful in detecting many types of malware attacks
Profiles how system objects (files and printers) are normally used
Enables the IDS to identify activity that might indicate an attack

16 IDS Components
Activity
Administrator
Sensor (or agent) – collects data and passes it to the analyzer for analysis
Analyzer – examines the data collected by the sensors
Alert – a message from the analyzer sent to the administrator
Manager (or management server) – part of the IDS (e.g., a console)

17 IDS Components
Notification – the method by which the IDS manager notifies the operator
Operator – the administrator
Event – an occurrence of a suspicious activity
Data source – the raw data used by the IDS
Database server – a repository for event information recorded by sensors, agents, and/or management servers

18 IDS Components

19 IDS vs IPS source: https://www.youtube.com/watch?v=dYQMzyfFrTE

20 IDS vs IPS
Intrusion Detection System: passive; logs the activity; alerts an administrator (perhaps)
Intrusion Prevention System: active; takes steps to prevent an attack in progress; problem of false positives
Intrusion Detection/Protection System (IDPS)

21 Snort
Possibly the most well-known open source IDS
Available on multiple platforms, including UNIX, Linux, and Windows
Three modes of operation: sniffer, packet logger, network intrusion-detection
Discuss the three modes of operation with the following three slides.

22 Snort Modes
Packet Sniffer Mode
Monitors all traffic coming and going on a computer (i.e., host-based IDS)
A good way to check encryption, because the console displays a continuous stream of the contents of all packets crossing that machine
Helps determine potential sources of problems
Discuss the differences between sniffer mode and packet logging. You might also include other examples of sniffer programs that are on the market.

23 Snort Modes
Packet Logger Mode
Similar to sniffer mode
Packet contents are written to a text file
Contents can be searched for specific items

24 Snort Modes
Network Intrusion-Detection Mode
Uses a heuristic approach to detect anomalous traffic (i.e., network-based IDS)
Rules-based
Command-line interface; need to know the commands and what they do
Explain that Snort's network intrusion-detection learns from experience and can modify rules based on certain behavior; this is what is meant by heuristic. Also point out that it is command-line-based, so administrators must be familiar with Snort's documentation and commands. This is not intuitive.

25 Cisco Intrusion-Detection and Prevention
Past models:
Cisco IDS 4200 Series Sensors
Cisco Catalyst 6500 Series Intrusion-Detection System Services Module (IDSM-2)
Current system offering: Cisco Next-Generation IPS Solution, which includes a number of products:
Firepower 4100 series – smaller networks
Firepower 8000 series
Firepower 9000 series – large-scale networks
Discuss these Cisco IDS implementations and refer to the figure on how they might be deployed on the network.

26 Understanding and Implementing Honeypots
A honeypot is a single machine set up to appear to be an important (and possibly vulnerable) server
All traffic to the machine is suspicious; no legitimate users should connect
Honeypots can be configured to emulate many server services
Honeypots can help track and catch hackers
Provide an introduction and discussion of what honeypots are used for and how they can benefit administrators in the fight to know how hackers work and where they go when they connect to a system.
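The principle that every connection to a honeypot is suspicious can be shown in a few dozen lines. The following is an added example and not code from the slides or from any product named on them (it is unrelated to Specter): a listener that emulates only the greeting of an SMTP server, records who connected and the first line they sent, and then politely refuses service. The banner hostname and the probe client's greeting are constructed; `probe()` exists only so the listener can be exercised on the loopback address, and `demo()` runs one such round trip.

```python
"""Minimal honeypot: a fake SMTP greeting whose only job is to record every connection."""
import socket
import socketserver
import threading
from datetime import datetime, timezone

# Every connection to a honeypot is suspicious by definition, so every one is recorded here.
EVENTS = []
EVENTS_LOCK = threading.Lock()

class FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Emulates just enough of an SMTP server to record who connects and what they send first."""
    timeout = 5  # seconds; a stalled client must not tie up the handler thread

    def handle(self):
        src_ip, src_port = self.client_address[:2]
        self.wfile.write(b"220 mail.example.test ESMTP ready\r\n")  # constructed banner
        try:
            first = self.rfile.readline(512)
        except OSError:  # socket.timeout is a subclass of OSError
            first = b""
        record = {
            "time": datetime.now(timezone.utc).isoformat(),
            "src": src_ip,
            "src_port": src_port,
            "service": "smtp",
            "first_line": first.decode("ascii", "replace").strip(),
        }
        with EVENTS_LOCK:
            EVENTS.append(record)  # record first, so the event exists by the time the client sees the reply
        self.wfile.write(b"421 mail.example.test service not available\r\n")

class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

def start_honeypot(host="127.0.0.1", port=0):
    """Start the listener in a background thread; port 0 lets the OS pick a free port."""
    server = Honeypot((host, port), FakeSmtpHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(host, port, line=b"EHLO probe.example.test\r\n"):
    """Client used only to exercise the honeypot: read the banner, send one line, read the reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rb")
        banner = f.readline()
        s.sendall(line)
        reply = f.readline()
    return banner, reply

def recorded_events():
    with EVENTS_LOCK:
        return list(EVENTS)

def demo():
    """Start the honeypot, connect to it once, stop it, and return what both sides saw."""
    srv = start_honeypot()
    try:
        banner, reply = probe(*srv.server_address[:2])
    finally:
        srv.shutdown()
        srv.server_close()
    return banner, reply, recorded_events()

if __name__ == "__main__":
    for item in demo():
        print(item)
```

A real deployment would write `EVENTS` to the IDS database server rather than keep them in memory, and would sit on a host with no legitimate users so that the source address alone is already the finding.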

27 Specter
A software honeypot solution
Can simulate AIX, Solaris, Unix, Linux, and Mac OS X
Works by appearing to run a number of services common to network servers: SMTP, FTP, TELNET, FINGER, POP3, IMAP4, HTTP, SSH, DNS, SUN-RPC, NETBUS, SUB-7, BO2K, GENERIC TRAP
You may provide additional examples of other services that can be emulated.

28 Specter
Can be set up in one of five modes: Open, Secure, Failing, Strange, Aggressive
Fake password files can also be configured: Easy, Normal, Hard, Fun, Warning
Describe each mode of operation for Specter:
Open – behaves like a badly configured server
Secure – behaves like a secure server
Failing – behaves like a server with hardware and software problems
Strange – behaves in unpredictable ways
Aggressive – actively tries to trace the origin of the intruder's connection
Also, the types of intruders attracted by each server configuration might be mentioned. Outline each type of password configuration, its benefits, and possible drawbacks, if any.

29 Summary
A variety of intrusion-detection systems are available
Should be used with firewalls
Can run at the perimeter and internally as sensors
Ideally implemented on every server
Free IDS solutions are available
Honeypots entice hackers to a fake server

