Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Intrusion Detection Systems Presented by Keith Elliott.

Published byWhitney Bryan Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Intrusion Detection Systems Presented by Keith Elliott."— Presentation transcript:

1 Network Intrusion Detection Systems Presented by Keith Elliott

2 Background  Why are they used?  Movement towards more secured computing systems  Management is becoming cognizant of growing cyber-threats  Where are they used?  Medium to Large Businesses  Anyone than can afford them  Open-source solutions (SNORT)

3 Types of AttacksTypes of Attacks  Code Obfuscation  Polymorphism  Shell-code is constantly mutating  Characterized by:  Execution of GetPC code  Read operations from input stream  Port Scans  Denial of Service (DoS)

4 Types of NIDSTypes of NIDS  HIDS (Host Intrusion Detection System)  Operates on a single host  Uses host’s computation resources  NIDS (Network Intrusion Detection System)  Stand-alone hardware  Expensive

5 Methods of DetectionMethods of Detection  Signature Based  Compares packets to database of known threats  Heuristics Based  Analyzes and categorizes packets into groups  Normal, Hostile  Many different techniques being developed

6 Pro’s and Con’sPro’s and Con’s  Signature Based  Require constant updates by administrators  Can only detect currently known threats  Heuristics  Have the ability to identify new/unknown threats  Can easily mistake infrequent normal traffic as hostile

7 Heuristic Detection TechniquesHeuristic Detection Techniques  Cellular Automata  Genetic Algorithms  Neural Networks  Bioinformatics  Network‐Level Emulation  Measured:

8 Cellular AutomataCellular Automata  Solves problems in an evolutionary way  Consists of number of cells organized in the form of a lattice  Each cell is considered independent  Its states only depends on its two adjacent cells  Fuzzy States are generally used  Categorizations are done using membership functions  As data is passed and classified each cell mutates randomly

9 Neural NetworksNeural Networks  In general model multivariate non-linear functions using nodes called neurons  Good at classification problems  Separated in 5 categories for experiment  Normal Connections  DoS (Denial of Service)  R2L (Remote to Local), U2R (User to Remote)  Probe/Surveillance  Best Results came from Over-Sampling Training data

10 Network-Level EmulationNetwork-Level Emulation  Inspects client-initiated data of each network flow  Server-initiated data is ignored  Reconstructs the application-level stream using TCP stream reassembly  Emulator repeats execution of code from each possible entry point in the stream  Execution of polymorphic shell-code is identified by two runtime behavioral characteristics  Execution of GetPC code  Several Read operations from within the stream

11 Statistics CollectedStatistics Collected  Real World Deployment of nemu (Network-Level Emulation)  Sensors in Europe have been operating since March 9 th, 2007  Collected from National Research Networks and one Educational Network  As of February 13 th, 2008  1,053,332 attacks targeting 21 different ports  31% were launched from 8981 unique Ips  68% (Rest) were from 204 infected hosts

12 Ports AttackedPorts Attacked  25 - SMTP  42 – WINS, Nameserver  80 - HTTP  110 – POP3  135 – Microsoft EPMAP  also known as DCE/RPC Locator service, used to remotely manage services including DHCP server, DNS server and WINS  139 – Netbios Session Service  143 - IMAP  445 – Microsoft Active Directory, Windows Shares, SMB File Sharing  1025 – NFS or IIS  2967 – Symantec Antivirus Corporate Edition

13 Evading NIDSEvading NIDS  Insertion Attacks  Send packets to end-system (victim) that will reject, but that the IDS thinks are valid.  Evading Attacks  Sends packets which the IDS rejects but target accepts  Both end up giving different streams to the IDS and End- Host  Fragmentation is used in both – we all should know this by now

14 Methods of Evading NIDSMethods of Evading NIDS  Case 1: The IDS fragmentation reassembly timeout is less than fragmentation reassembly timeout of the Victim.

15 Methods of Evading NIDS cont.Methods of Evading NIDS cont.  Case 2: The IDS fragmentation reassembly timeout is more than the fragmentation reassembly timeout of the operating system.

16 Methods of Evading NIDS cont.Methods of Evading NIDS cont.  Case 2: TTL Based Attacks  Topology of victims network must be know

17 Methods of Evading NIDS cont.Methods of Evading NIDS cont.  Overlapping Fragments  Exploits differences in Operating System Behavior

18 Conclusion  Network Threats are on the rise  Better to have Heuristic based system  Tons of research being performed which is uncovering new and more efficient methods  SNORT can handle all mentioned methods of evasion.  Any questions?

Download ppt "Network Intrusion Detection Systems Presented by Keith Elliott."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection ------------------------------------------------ Aaron Beach Spring 2004.

Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection Aaron Beach Spring 2004.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Performance Evaluation of the Fuzzy ARTMAP for Network Intrusion Detection Nelcileno Araújo Ruy de Oliveira Ed’Wilson Tavares Ferreira Valtemir Nascimento.

Performance Evaluation of the Fuzzy ARTMAP for Network Intrusion Detection Nelcileno Araújo Ruy de Oliveira Ed’Wilson Tavares Ferreira Valtemir Nascimento.
Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology

Network Traffic Anomaly Detection Based on Packet Bytes Matthew V. Mahoney Florida Institute of Technology
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Presented by Justin Bode CS 450 – Computer Security February 17, 2010.

Presented by Justin Bode CS 450 – Computer Security February 17, 2010.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies www.coresecurity.com.

Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Testing Intrusion Detection Systems: A Critic for the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory By.

Testing Intrusion Detection Systems: A Critic for the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory By.

Similar presentations

Ads by Google