Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intrusion Detection Systems Sai Nandoor Priya Selvam Balaji Badam.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Intrusion Detection Systems Sai Nandoor Priya Selvam Balaji Badam."— Presentation transcript:

1 Intrusion Detection Systems Sai Nandoor Priya Selvam Balaji Badam

2 How insecure are we? Attacks on computer infrastructures are a serious problem. Information theft is up over 250% in the last 5 years. 99% of all major companies report at least one major incident. Telecom and computer fraud totaled $10 billion in the US alone. *Source: Eugene H Spafford. Security Seminar, Department of Computer Sciences, Purdue University, Jan 1996.

3 IDS Based on Data Source Host Based IDS –Its role is to identify tampering or malicious activity occurring on the system. –This is achieved by monitoring log files, users, and the file system. Network Based IDS –Its role is to identify tampering or malicious activity occurring in the network traffic. –This is achieved by monitoring network traffic on the wire for specific activities/signatures that represent an attack. Hybrid IDS –Combination of network and host based IDS.

4 Host Based - Network Based

5 Advantages NetworkHost Lowers cost of ownershipLower cost of entry Detects what HIDS missDetects what NIDS miss Difficult to remove evidenceVerifies success/failure of attack Real-time detection & responseSuited for encrypted environments Detects unsuccessful attacksMonitors specific activities OS independentRequires no additional hardware

6 Host Based IDS Specific files to be monitored are defined in a configuration file. Digest of the file is stored in a database. Multiple digest algorithms can be used. Examples: TRIPWIRE/AIDE/SAMHAIN

7 TRIPWIRE Can be reconfigured to prevent false-alarms. Flexible policy language with predefined policy files and wildcard support. AIDE Similar to lighter version TRIPWIRE SAMHAIN Support for Stealth mode of operation. Encrypted and authenticated client/server connections.

8 Network Based IDS Packet Sniffing front end. Pattern matching engine. Backend database. Examples: SNORT/SHOKI/BRO

9 SNORT Provides its own language. Passive, doesn’t terminate malicious activity. SHOKI Multi-filter rule sets that match individual packets. SNORT rules can be converted to SHOKI filters. BRO Can also operate as packet sniffer/logger. Flexible rule based language to describe traffic. Can perform protocol analysis, content searching/matching.

10 SNORT Rules var EXTERNAL_NET ![128.3.0.0/16,131.243.0.0/16] var HTTP_SERVERS [128.3.0.0/16,131.243.0.0/16] var HTTP_PORTS 80 preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace output alert_fast: alarms.log include file1.config alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; sid:1328; classtype:web-application-attack; rev:4;)

11 Bro’ Rules rule sid-1328 { header ip[9:1] == 6 header ip[12:4] != 128.3.0.0/16,131.243.0.0/16 header ip[16:4] == 128.3.0.0/16,131.243.0.0/16 header tcp[2:2] == 80 tcp-state originator,established http /.*[\/\\][bB][iI][nN][\/\\][pP][sS]/ msg "WEB-ATTACKS ps command attempt" } SHOKI Rules tcp 65536 THRESHOLD:1:10:20 SAMP-6 http h([t]*p):// ALL tcp 65536 HOST_SCAN:2:20:40 SAMP-7 host scan NULL ALL tcp 65536 PORT_SCAN:3:30:50 SAMP-8 p_scan 0x687474 ALL

12 ACID screen capture for SNORT

13 Hybrid IDS Can be clustered Centralized database Provides file protection by using digest Network sensing using packet sniffing Blends strengths of HIDS & NIDS Examples: MANHUNT/PRELUDE/DRAGON

14 MANHUNT Detects new and modified attacks Dynamically reassign ports scanned Flowchaser and Trackback to fight DDoS PRELUDE Incorporates information from other IDS Provides hooks to firewalls, honeypots, etc Uses multiple sensors and a report server DRAGON Provides IDS evasion counter measures, by Keeping a large database of known hacker techniques and searching for anomalies.

15 Goals Design a hybrid system Send instantaneous alerts to network administrator and other hosts Use secure communication channels Keep configuration file secure Keep checksum database secure Maintain list of intruders Maintain a log of attacks

16 Design Intruder Database Firewall Other Hosts Administrator Host

17 Implementation Dedicated Sockets for Communication Messages encrypted using AES Configuration file included in list of secure files Checksums encoded using AES Network Administrator maintains log of intrusions Hosts maintain a list of intruders

18 Sample execution

19 Future Work Network sensors to defend DDoS attacks Incorporate different hashing algorithms Add feature to track sources of DDoS Incorporate data from existing IDS Add a file change notification component Lessons Learned Hybrid IDS involves a lot of components Comm. between hosts and admins must be secure Configuration files are vulnerable Hybrid IDS provides better security

20 References Intrusion Detection Systems By Ricky M. Magalhaes http://www.windowsecurity.comhttp://www.windowsecurity.com An Introduction to Intrusion Detection By Aurobindo Sundaram, ACM Crossroads Network Vs. Host Based Intrusion Detection http://www.isskk.co.jp IDS Products http://www.netsmart.net.au Intrusion Detection and Network Auditing on the Internet http://www.infosyssec.com

Download ppt "Intrusion Detection Systems Sai Nandoor Priya Selvam Balaji Badam."

Similar presentations

Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.

Intrusion Detection System(IDS) Overview Manglers Gopal Paliwal Gopal Paliwal Roshni Zawar Roshni Zawar SenthilRaja Velu SenthilRaja Velu Sreevathsa Sathyanarayana.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Distributed Intrusion Detection Mamata Desai (99305903) M.Tech.,CSE dept, IIT Bombay.

Distributed Intrusion Detection Mamata Desai ( ) M.Tech.,CSE dept, IIT Bombay.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.

Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.

Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Information Networking Security and Assurance Lab National Chung Cheng University Snort.

Information Networking Security and Assurance Lab National Chung Cheng University Snort.
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
By Edith Butler Fall 2008. Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.

By Edith Butler Fall Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond

Similar presentations

Ads by Google