Presentation is loading. Please wait.

Presentation is loading. Please wait.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS."— Presentation transcript:

1 5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS

2 5/1/2006Sireesha/IDS2 Goals Identify types of network attacks Explore IDS details –Benefits, Categories, Detection Techniques, Performance measurements Snort –Why Snort, Components and operation, Snort Rules Future enhancements

3 5/1/2006Sireesha/IDS3 Network Attacks With ever-increasing Internet enabled services, a computer network should be guarded against network attacks. A few network threats –Worms Self-propagating malicious code, automatic distribution via network connections –Virus Self-replication code. Can be attached to any host application –Denial of Service Overloading of resources making them unavailable to legitimate users.

4 5/1/2006Sireesha/IDS4 IDS Details - Why an IDS? Firewalls - Though a valid first step, not enough –Attacks can happen before its rules are updated. –Laptops can be infected outside the network and then brought in. –Wireless accesses into a network. Benefits –Detection of Attacks –Enforcing policies –Audit trails

5 5/1/2006Sireesha/IDS5 IDS Details - Types Two types of IDS –Network-based IDS (NIDS) Analyze packets coming across a network connection. Logs for after attack analysis Real time alerts –Host-based IDS (HIDS) Monitors a single system File integrity checks Analyze system logs for unusual activities - multiple login attempts

6 5/1/2006Sireesha/IDS6 IDS Details - Detection Techniques Two techniques –Signature based Maintain a store of known attack signatures. Analyze new traffic against the contents of the store Only known attacks can be detected, so first occurrence of a new attack cannot be detected. –Anomaly based Create and maintain a profile based on normal behavior. Analyze new traffic against a model profile. New attacks can be detected.

7 5/1/2006Sireesha/IDS7 IDS Details - Performance Performance –Measured in terms of False positives –Alert generated on traffic that is not an attack. –Alert generated on attack not intended for the system being monitored. False negatives –Alerts not generated for real attacks. –Most dangerous leading to undetected attacks.

8 5/1/2006Sireesha/IDS8 Snort Open Source, Signature detecting, Network based IDS Passive - No changes required for the system being monitored. Versatile - Can be used as IDS, IPS (Intrusion Prevention System), Inline firewall. Available for all major operating systems. Logging to Oracle, SQL, MySQL, PostGre SQL Rules are very simple, easy to develop and effective.

9 5/1/2006Sireesha/IDS9 Snort Packet Processing A packet capture library captures raw data form network card and sends it to Snort. Snort decodes the packets based on protocol. Preprocessors applied to normalize traffic. Normalized traffic passed through detection engine. Alert generated if traffic matches a rule.

10 5/1/2006Sireesha/IDS10 Snort - Rules Snort Rule –Header Rule Action (log, alert, pass …) Protocol (IP, ICMP,TCP,UDP) Source Address and Port Flow Destination Address and Port –Body Output message Additional tests –Example alert tcp 192.168.1.18/32 any -> any 1:1023 (msg :”eBaying”; uricontent:”ebay.com”;)

11 5/1/2006Sireesha/IDS11 Research for enhancements Enhancement goals –Extend Snort to include a automatic signature generation component. –Extend Snort to detect anomaly based intrusions.

12 5/1/2006Sireesha/IDS12 Semantics-Aware Signatures Nemean -- Automatic generation of intrusion signatures from honeynet packet traces. –Aggregate and transform the packet trace into well-defined data structures and group packets into sessions and flows. –Generate clusters of sessions based on similarity analysis. –Normal traffic will not result in a cluster formation. –A cluster generated represents a single attack. Slight variations are accounted for. –An attack signature is generated from the generated clusters. Usenix security 2005 symposium

13 5/1/2006Sireesha/IDS13 Anomaly Detection Payload based Anomaly detection. Operates in two phases –Learning Phase A profile of expected payload is constructed during the normal operation by using a byte frequency distribution analysis of the payload. –Anomaly Detection Phase Incoming payload is compared against the profile. Statistical distributions are compared and alert generated when the comparison yields greater than a threshold value. Resistant to mimicry attacks, since payloads are compared.

14 5/1/2006Sireesha/IDS14 Resources Snort Page : www.snort.org Anomaly Detection on ITArchitect http://www.itarchitect.com/showArticle.jh tml?articleID=163700677 More links to resources available in the project report.

Download ppt "5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS."

Similar presentations

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
Greg Williams CS691 Summer 2011. Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.

Greg Williams CS691 Summer Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.
Anomaly Detection Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
seminar on Intrusion detection system

seminar on Intrusion detection system
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
BCIS 4630 Fundamentals of IT Security

BCIS 4630 Fundamentals of IT Security
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)

Similar presentations

Ads by Google