Published by Whitney Bryan, modified over 9 years ago

Network Intrusion Detection Systems
Presented by Keith Elliott
Background

Why are they used?
  Movement towards more secured computing systems
  Management is becoming cognizant of growing cyber-threats
Where are they used?
  Medium to large businesses
  Anyone that can afford them
  Open-source solutions (SNORT)
Types of Attacks

Code obfuscation / polymorphism
  Shell-code is constantly mutating
  Characterized by:
    Execution of GetPC code
    Read operations from the input stream
Port scans
Denial of Service (DoS)
Types of NIDS

HIDS (Host Intrusion Detection System)
  Operates on a single host
  Uses the host's computation resources
NIDS (Network Intrusion Detection System)
  Stand-alone hardware
  Expensive
Methods of Detection

Signature based
  Compares packets to a database of known threats
Heuristics based
  Analyzes and categorizes packets into groups: normal, hostile
  Many different techniques being developed
Pros and Cons

Signature based
  Requires constant updates by administrators
  Can only detect currently known threats
Heuristics
  Has the ability to identify new/unknown threats
  Can easily mistake infrequent normal traffic as hostile
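To make the trade-off on this slide concrete, here is an added Python example, written for this page and not taken from the presentation or from any NIDS product. It checks a two-entry signature database against constructed packet payloads, next to a simple port-scan heuristic that counts distinct destination ports per source. Every traffic record, IP address and signature name is made up for the example. The heuristic finds the scanner the signatures cannot see, but at a low threshold it also flags a monitoring host that legitimately polls several services, which is the false-positive problem the slide describes.

```python
import re
from collections import defaultdict

# Constructed sample traffic: (source IP, destination port, payload bytes).
# These records are made up for the example; they are not from a capture.
PACKETS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    ("10.0.0.5", 80, b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\n\r\n"),
    ("10.0.0.9", 25, b"EHLO mail.example\r\n"),
] + [
    # 10.0.0.7 touches ten ports with empty probes: a port scan.
    ("10.0.0.7", port, b"")
    for port in (21, 22, 23, 25, 80, 110, 135, 139, 143, 445)
] + [
    # 10.0.0.8 is a monitoring host that legitimately polls six services.
    ("10.0.0.8", port, b"")
    for port in (22, 25, 80, 110, 143, 443)
]

# Signature database: a name and a byte pattern for a known-bad request.
# It is only as good as its last update, which is the weakness the slide names.
SIGNATURES = [
    ("http-directory-traversal", re.compile(rb"\.\./\.\./")),
    ("smtp-vrfy-probe", re.compile(rb"^VRFY ", re.MULTILINE)),
]


def signature_scan(packets):
    """Return (source, signature name) for every payload matching a known pattern."""
    hits = []
    for src, _port, payload in packets:
        for name, pattern in SIGNATURES:
            if pattern.search(payload):
                hits.append((src, name))
    return hits


def port_scan_sources(packets, threshold):
    """Heuristic: a source touching >= threshold distinct ports is reported as a scanner."""
    ports_by_src = defaultdict(set)
    for src, port, _payload in packets:
        ports_by_src[src].add(port)
    return {src for src, ports in ports_by_src.items() if len(ports) >= threshold}


if __name__ == "__main__":
    # The signatures see only the traversal attempt; the scan has no payload to match.
    print("signature hits:", signature_scan(PACKETS))
    # A low threshold catches the scanner but also the monitoring host (false positive).
    print("scanners at threshold 5:", sorted(port_scan_sources(PACKETS, 5)))
    # Raising it removes the false positive at the cost of missing slower scans.
    print("scanners at threshold 8:", sorted(port_scan_sources(PACKETS, 8)))
```

The two detectors are complementary: the signature list never fires on the empty-payload scan, and the heuristic never fires on the single traversal request. Tuning the threshold is the administrator's trade-off between missed slow scans and alerts on unusual but legitimate hosts.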
Heuristic Detection Techniques

Cellular automata
Genetic algorithms
Neural networks
Bioinformatics
Network-level emulation
Measured:
Cellular Automata

Solves problems in an evolutionary way
Consists of a number of cells organized in the form of a lattice
Each cell is considered independent
  Its state depends only on its two adjacent cells
Fuzzy states are generally used
  Categorizations are done using membership functions
As data is passed and classified, each cell mutates randomly
Neural Networks

In general, model multivariate non-linear functions using nodes called neurons
Good at classification problems
Separated into 5 categories for the experiment:
  Normal connections
  DoS (Denial of Service)
  R2L (Remote to Local)
  U2R (User to Remote)
  Probe/Surveillance
Best results came from over-sampling the training data
Network-Level Emulation

Inspects the client-initiated data of each network flow
  Server-initiated data is ignored
Reconstructs the application-level stream using TCP stream reassembly
The emulator repeats execution of the code from each possible entry point in the stream
Execution of polymorphic shell-code is identified by two runtime behavioral characteristics:
  Execution of GetPC code
  Several read operations from within the stream
Statistics Collected

Real-world deployment of nemu (Network-Level Emulation)
  Sensors in Europe have been operating since March 9th, 2007
  Collected from National Research Networks and one educational network
As of February 13th, 2008:
  1,053,332 attacks targeting 21 different ports
  31% were launched from 8981 unique IPs
  68% (the rest) were from 204 infected hosts
Ports Attacked

25 - SMTP
42 - WINS, Nameserver
80 - HTTP
110 - POP3
135 - Microsoft EPMAP, also known as the DCE/RPC Locator service, used to remotely manage services including DHCP server, DNS server and WINS
139 - NetBIOS Session Service
143 - IMAP
445 - Microsoft Active Directory, Windows Shares, SMB File Sharing
1025 - NFS or IIS
2967 - Symantec Antivirus Corporate Edition
Evading NIDS

Insertion attacks
  Send packets that the end-system (victim) will reject but that the IDS thinks are valid
Evasion attacks
  Send packets that the IDS rejects but the target accepts
Both end up giving different streams to the IDS and the end-host
Fragmentation is used in both (we all should know this by now)
Methods of Evading NIDS

Case 1: The IDS fragmentation reassembly timeout is less than the fragmentation reassembly timeout of the victim.

Case 2: The IDS fragmentation reassembly timeout is more than the fragmentation reassembly timeout of the operating system.

Case 3: TTL-based attacks
  The topology of the victim's network must be known.

Overlapping fragments
  Exploits differences in operating system behavior.
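Every case on these slides comes down to the IDS and the victim reconstructing the same fragmented datagram differently. The following added Python model, written for this page and not taken from the presentation or from Snort, reassembles constructed fragments under two policies, one for the sensor and one for the host, and reports whether the two views agree. The Fragment and ReassemblyPolicy types, the timeouts, hop counts and byte strings are all hypothetical. The mitigation it demonstrates is target-based reassembly: giving the sensor the host's timeout, overlap rule and hop distance so that the two views coincide.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int     # byte offset of this piece within the original datagram
    data: bytes
    arrival: float  # seconds after the first fragment of the datagram was seen
    ttl: int        # IP TTL as observed at the sensor's position on the path


@dataclass(frozen=True)
class ReassemblyPolicy:
    timeout: float    # partial datagrams older than this are discarded
    overlap: str      # "first": bytes already held win; "last": newest bytes win
    hops_beyond: int  # router hops between the sensor and the destination host


def reassemble(fragments: List[Fragment], policy: ReassemblyPolicy) -> Optional[bytes]:
    """Rebuild the datagram as a stack with this policy would, or None if it never completes."""
    total_len = max(f.offset + len(f.data) for f in fragments)
    buf = bytearray(total_len)
    filled = [False] * total_len
    for frag in sorted(fragments, key=lambda f: f.arrival):
        if frag.arrival > policy.timeout:
            return None  # reassembly timer fired; the partial datagram was dropped
        if frag.ttl <= policy.hops_beyond:
            continue     # TTL reaches zero in transit, so this vantage point never sees it
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if filled[pos] and policy.overlap == "first":
                continue  # earlier data is authoritative under the "first" policy
            buf[pos] = byte
            filled[pos] = True
    return bytes(buf) if all(filled) else None


def compare_views(fragments, ids_policy, host_policy):
    """Return what the IDS and the host each reconstruct, and whether they agree."""
    ids_view = reassemble(fragments, ids_policy)
    host_view = reassemble(fragments, host_policy)
    return {"ids": ids_view, "host": host_view, "consistent": ids_view == host_view}


# Constructed scenarios; the byte strings are placeholders, not real traffic.
# Case 1: the second fragment arrives 45 s after the first.
SLOW_FRAGMENTS = [
    Fragment(offset=0, data=b"HEAD", arrival=0.0, ttl=64),
    Fragment(offset=4, data=b"TAIL", arrival=45.0, ttl=64),
]
# TTL case: a decoy fragment whose TTL expires before the host, three hops past the sensor.
TTL_FRAGMENTS = [
    Fragment(offset=0, data=b"HEAD", arrival=0.0, ttl=64),
    Fragment(offset=4, data=b"JUNK", arrival=0.1, ttl=2),
    Fragment(offset=4, data=b"TAIL", arrival=0.2, ttl=64),
]
# Overlap case: the second fragment overlaps the last two bytes of the first.
OVERLAP_FRAGMENTS = [
    Fragment(offset=0, data=b"ABCD", arrival=0.0, ttl=64),
    Fragment(offset=2, data=b"xyZW", arrival=0.1, ttl=64),
]

# Hypothetical policies: a sensor left at defaults, the victim host, and a sensor
# configured to mirror the host (target-based reassembly).
IDS_DEFAULT = ReassemblyPolicy(timeout=30.0, overlap="first", hops_beyond=0)
HOST = ReassemblyPolicy(timeout=60.0, overlap="last", hops_beyond=3)
IDS_TARGET_BASED = ReassemblyPolicy(timeout=60.0, overlap="last", hops_beyond=3)


if __name__ == "__main__":
    for name, frags in (("timeout", SLOW_FRAGMENTS), ("ttl", TTL_FRAGMENTS),
                        ("overlap", OVERLAP_FRAGMENTS)):
        print(name, "default sensor:", compare_views(frags, IDS_DEFAULT, HOST))
        print(name, "target-based:  ", compare_views(frags, IDS_TARGET_BASED, HOST))
```

With the default sensor every scenario reports consistent=False: the sensor gives up on the slow datagram the host still completes, keeps the decoy bytes the host never receives, and resolves the overlap the other way round. Swapping the two timeouts reproduces Case 2 (the host times out while the sensor keeps waiting). Once the sensor is told the host's timeout, overlap rule and hop distance, the views match, which is the per-target reassembly that Snort's frag3 preprocessor provides through its policy and min_ttl settings.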
Conclusion

Network threats are on the rise
Better to have a heuristic-based system
Tons of research being performed, which is uncovering new and more efficient methods
SNORT can handle all mentioned methods of evasion
Any questions?