
Network Intrusion Detection Systems Presented by Keith Elliott.



Presentation transcript:

1 Network Intrusion Detection Systems Presented by Keith Elliott

2 Background
- Why are they used?
  - Movement towards more secured computing systems
  - Management is becoming cognizant of growing cyber-threats
- Where are they used?
  - Medium to large businesses
  - Anyone who can afford them
  - Open-source solutions (SNORT)

3 Types of Attacks
- Code obfuscation
  - Polymorphism: shell-code is constantly mutating
  - Characterized by:
    - Execution of GetPC code
    - Read operations from the input stream
- Port scans
- Denial of Service (DoS)

4 Types of NIDS
- HIDS (Host Intrusion Detection System)
  - Operates on a single host
  - Uses the host's computation resources
- NIDS (Network Intrusion Detection System)
  - Stand-alone hardware
  - Expensive

5 Methods of Detection
- Signature based
  - Compares packets to a database of known threats
- Heuristics based
  - Analyzes and categorizes packets into groups: normal, hostile
  - Many different techniques being developed

6 Pros and Cons
- Signature based
  - Requires constant updates by administrators
  - Can only detect currently known threats
- Heuristics
  - Has the ability to identify new/unknown threats
  - Can easily mistake infrequent normal traffic for hostile traffic

7 Heuristic Detection Techniques
- Cellular automata
- Genetic algorithms
- Neural networks
- Bioinformatics
- Network-level emulation
- Measured:

8 Cellular Automata
- Solves problems in an evolutionary way
- Consists of a number of cells organized in the form of a lattice
- Each cell is considered independent
  - Its state depends only on its two adjacent cells
- Fuzzy states are generally used
  - Categorizations are done using membership functions
- As data is passed and classified, each cell mutates randomly

9 Neural Networks
- In general, model multivariate non-linear functions using nodes called neurons
- Good at classification problems
- Separated into 5 categories for the experiment:
  - Normal connections
  - DoS (Denial of Service)
  - R2L (Remote to Local), U2R (User to Remote)
  - Probe/Surveillance
- Best results came from over-sampling the training data

10 Network-Level Emulation
- Inspects client-initiated data of each network flow
  - Server-initiated data is ignored
- Reconstructs the application-level stream using TCP stream reassembly
- Emulator repeats execution of code from each possible entry point in the stream
- Execution of polymorphic shell-code is identified by two runtime behavioral characteristics:
  - Execution of GetPC code
  - Several read operations from within the stream

11 Statistics Collected
- Real-world deployment of nemu (Network-Level Emulation)
- Sensors in Europe have been operating since March 9th, 2007
- Collected from national research networks and one educational network
- As of February 13th, 2008:
  - 1,053,332 attacks targeting 21 different ports
  - 31% were launched from 8981 unique IPs
  - The remaining 68% were from 204 infected hosts

12 Ports Attacked
- 25 - SMTP
- 42 - WINS, Nameserver
- 80 - HTTP
- 110 - POP3
- 135 - Microsoft EPMAP, also known as DCE/RPC Locator service, used to remotely manage services including DHCP server, DNS server and WINS
- 139 - NetBIOS Session Service
- 143 - IMAP
- 445 - Microsoft Active Directory, Windows Shares, SMB File Sharing
- 1025 - NFS or IIS
- 2967 - Symantec Antivirus Corporate Edition

13 Evading NIDS
- Insertion attacks
  - Send packets that the end-system (victim) will reject, but that the IDS thinks are valid
- Evasion attacks
  - Send packets that the IDS rejects but the target accepts
- Both end up giving different streams to the IDS and the end-host
- Fragmentation is used in both - we all should know this by now

14 Methods of Evading NIDS
- Case 1: The IDS fragmentation reassembly timeout is less than the fragmentation reassembly timeout of the victim.

15 Methods of Evading NIDS cont.
- Case 2: The IDS fragmentation reassembly timeout is more than the fragmentation reassembly timeout of the operating system.

16 Methods of Evading NIDS cont.
- Case 2: TTL-based attacks
  - Topology of the victim's network must be known

17 Methods of Evading NIDS cont.
- Overlapping fragments
  - Exploits differences in operating system behavior
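Slides 13 to 17 all come down to one defender's problem: the sensor and the end-host reassemble the same fragments differently. The model below, an added example that is not part of the presentation and not code from nemu or SNORT, reassembles a constructed fragment trace under two overlap policies and two hop distances, and shows the check a sensor can run to flag a fragment set it cannot reassemble unambiguously (the Fragment type, the policies, and the trace are all simplifications assumed here).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment in the reassembled stream
    data: bytes
    ttl: int      # IP TTL remaining when the sensor observes the fragment

def reassemble(frags, overlap="first", hops_to_host=0):
    """Stream as seen by one reassembler. overlap='first' keeps the byte that
    arrived first, 'last' keeps the newest (two real OS policies). A fragment
    whose TTL cannot survive hops_to_host more hops never reaches that host."""
    stream = {}
    for f in frags:
        if f.ttl <= hops_to_host:
            continue                      # expires in transit (TTL-based case)
        for i, b in enumerate(f.data):
            if overlap == "last" or f.offset + i not in stream:
                stream[f.offset + i] = b
    # holes (missing bytes) are filled with 0x00 so the result is printable
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1)) if stream else b""

def ambiguity_alerts(frags, hops_to_host):
    """Checks a sensor can run per fragment set before trusting its own
    reassembly: a TTL too small to reach the host, or overlapping bytes that
    disagree, mean sensor and host may not reconstruct the same stream."""
    alerts, seen = [], {}
    for f in frags:
        if f.ttl <= hops_to_host:
            alerts.append(f"offset {f.offset}: ttl {f.ttl} cannot reach host "
                          f"{hops_to_host} hops away")
        if any(seen.get(f.offset + i, b) != b for i, b in enumerate(f.data)):
            alerts.append(f"offset {f.offset}: overlaps earlier data with different bytes")
        for i, b in enumerate(f.data):
            seen.setdefault(f.offset + i, b)
    return alerts

# Constructed fragment trace (not a real capture): a clean request, an overlapping
# fragment with conflicting bytes, and a trailer whose TTL dies before the host.
FRAGS = [
    Fragment(0, b"GET /ind", 64),
    Fragment(8, b"ex.html ", 64),
    Fragment(8, b"XXXXXXXX", 64),   # overlaps bytes 8..15 with different content
    Fragment(16, b"HTTP/1.0", 2),   # only survives one more hop
]

if __name__ == "__main__":
    print("sensor (first-wins, 0 hops):", reassemble(FRAGS, "first", 0))
    print("host   (last-wins,  5 hops):", reassemble(FRAGS, "last", 5))
    for a in ambiguity_alerts(FRAGS, 5):
        print("ALERT", a)
```

The sensor sees a full request while a host five hops further with a last-wins policy sees neither the trailer nor the original bytes 8..15; the alerts are what lets the sensor report that divergence instead of silently trusting its own view.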

18 Conclusion
- Network threats are on the rise
- Better to have a heuristic-based system
- Tons of research being performed, which is uncovering new and more efficient methods
- SNORT can handle all mentioned methods of evasion
- Any questions?

