Network Intrusion Detection System (NIDS)
Somesh Jha
NIDS
- Inspect packets at certain vantage points (behind the routers)
- Look for malicious or anomalous behavior
- Much more fine-grained than firewalls
  - Example: drop a packet whose payload “matches” a certain string
Classification of NIDS
Signature-based
- Establish a database of malicious patterns
- If a sequence of packets “matches” one of the patterns, raise an alarm
- Positives
  - Good attack libraries
  - Easy to understand the results
- Negatives
  - Unable to detect new attacks or variants of old attacks
- Examples: Snort, Bro, NFR, …
Classification of NIDS
Anomaly-based
- Establish a statistical profile of normal traffic
- If monitored traffic deviates “sufficiently” from the established profile, raise an alarm
- Positives
  - Can detect new attacks
- Negatives
  - High false alarm rate
  - Intruder can go under the “radar”
- Examples: mostly research systems
Classification of NIDS
Stateless
- Needs to keep no state
- Example: raise an alarm if you see a packet that contains the pattern “melissa”
- Positives
  - Very fast
- Negatives
  - Some attacks can only be detected by keeping state
Classification of NIDS
Stateful
- Keeps state
- Sometimes needs to do reassembly
  - Reassemble packets that belong to the same connection, e.g., packets that belong to the same ssh session
  - Quite hard! (out-of-order delivery)
- Positives
  - Can detect more attacks
- Negatives
  - Requires too much memory
Snort architecture (diagram): libpcap takes the raw packet stream and hands Snort a filtered packet stream; Snort matches it against its malicious patterns and emits logs, alerts, ...
libpcap
- Takes the “raw” packet stream
- Parses the packets and presents them as a filtered packet stream
- See the libpcap website for more details
Malicious Pattern Example

alert tcp any any -> / (content: “/cgi-bin/phf”; msg: “PHF probe!”;)

Rule header fields, left to right: action (pass, log, or alert), protocol, source address, source port, ->, destination address, destination port. The options in parentheses follow the header.
Malicious Patterns Example
- content: “/cgi-bin/phf”
  - Matches any packet whose payload contains the string “/cgi-bin/phf”
- msg: “PHF probe!”
  - Generate this message if a match happens
More Examples

alert tcp any any -> / :6010 (msg: “X traffic”;)
alert tcp ! /24 any -> / :6010 (msg: “X traffic”;)
How to generate new patterns?
- A buffer overrun is found in the Internet Message Access Protocol (IMAP)
- Run the exploit in a test network and record all traffic
- Examine the content of the attack packet
Notional "IMAP buffer overflow" packet

:27: :1034 -> :143 TCP TTL:64 TOS:0x0 DF ***PA* Seq: 0x5295B44E Ack: 0x1B4F Win: 0x7D78
EB 3B ; 5E ED 31 C9 31 C0 88 6E E 0C ^.v n..n.
B0 0B 89 F3 8D 6E E9 8D 6E 0C 89 EA CD n....n.....
31 DB 89 D8 40 CD E8 C0 FF FF FF 2F E 2F /bin/sh
Alert rule for the new buffer overflow

alert tcp any any -> / (content:"|E8C0 FFFF FF|/bin/sh"; msg:"New IMAP Buffer Overflow detected!";)

- Hex-formatted bytecode (inside | |) and text can be mixed in one content string
Advantages of Snort
- Lightweight
  - Small footprint
  - Focused monitoring: a highly tuned Snort for the SMTP server
- Malicious patterns easy to develop
  - Large user community
  - Consider the IRDP denial-of-service attack: a rule for this attack was available on the same day the attack was announced
Disadvantages
- Does not do stream reassembly
  - Attackers can use that to “fool” Snort: break one attack packet into a stream
- Pattern matching is expensive
  - Matching patterns in payloads is expensive (avoid it!)
- Rule development methodology is ad hoc
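An added example, not code from the slides or from Snort: a small Python parser for rules in the form used by the PHF and IMAP examples above, which decodes a content string mixing |hex| bytes and text, and then shows why the missing stream reassembly matters, since per-packet matching misses a payload split across two TCP segments that matching on the reassembled stream catches. The network 192.0.2.0/24, the port 143, the payload bytes and the segment boundary are constructed for this example.

```python
import re

HEADER_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
                       r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"\s*;')

def parse_content(spec):
    """Decode a content: value like '|E8C0 FFFF FF|/bin/sh' into bytes.
    Text outside |...| is literal; inside, hex digits (spaces optional)."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % spec)
    out = bytearray()
    for i, chunk in enumerate(parts):
        out += bytes.fromhex(chunk.replace(" ", "")) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def parse_rule(text):
    """Split a one-line rule into header fields plus decoded content and msg."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule header: %r" % text)
    rule = m.groupdict()
    opts = dict(OPTION_RE.findall(rule.pop("opts")))
    rule["content"] = parse_content(opts["content"]) if "content" in opts else b""
    rule["msg"] = opts.get("msg", "")
    return rule

def alerts_per_packet(rule, payloads):
    """Stateless check: every TCP payload is searched on its own."""
    return [rule["msg"] for p in payloads if rule["content"] in p]

def alerts_reassembled(rule, payloads):
    """Stateful check: one connection's payloads are reassembled first."""
    return alerts_per_packet(rule, [b"".join(payloads)])

# 192.0.2.0/24 (a documentation network) stands in for the address the slide elides.
IMAP_RULE = ('alert tcp any any -> 192.0.2.0/24 143 '
             '(content:"|E8C0 FFFF FF|/bin/sh"; msg:"New IMAP Buffer Overflow detected!";)')
# Constructed payload: filler, then the call-and-string tail the rule keys on.
ATTACK_PAYLOAD = b"A" * 40 + b"\xe8\xc0\xff\xff\xff/bin/sh\x00"
# The same bytes as two TCP segments, the boundary falling inside the pattern.
SPLIT_STREAM = [ATTACK_PAYLOAD[:44], ATTACK_PAYLOAD[44:]]

if __name__ == "__main__":
    rule = parse_rule(IMAP_RULE)
    print(alerts_per_packet(rule, [ATTACK_PAYLOAD]))  # ['New IMAP Buffer Overflow detected!']
    print(alerts_per_packet(rule, SPLIT_STREAM))      # []  stateless matcher misses it
    print(alerts_reassembled(rule, SPLIT_STREAM))     # ['New IMAP Buffer Overflow detected!']
```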