Network Security Assignment

Submitted To: Ma’am Komal


Name: Aiman Rizwan
Roll No: Info-Tech 16010
BS-IT (8th)
Threat To Network Security
A significant security problem for networked systems is hostile, or at least unwanted, trespass by
users or software. User trespass can take the form of an unauthorized logon to a machine or, in the
case of an authorized user, the acquisition of privileges or the performance of actions beyond those
that have been authorized.

What is an Intrusion?
An intrusion is any attempt to gain unauthorized access to, or to disrupt, a network or the systems
on it. Typical examples are:
 Anybody trying to gain unauthorized access to the network.
 Viruses, Trojans and worms replicating across the network.
 Sending specially crafted packets to exploit a specific vulnerability.
 Attacks that make services unresponsive even for legitimate clients (denial of service).

Why should intrusion detection systems be used?

A network intrusion detection system (NIDS) is crucial for network security because it enables
you to detect and respond to malicious traffic. The primary purpose of an intrusion detection
system is to ensure that IT personnel are notified when an attack or network intrusion might be
taking place, so that they can investigate and contain it before the damage spreads.

Intrusion Detection and Prevention Systems

An Intrusion Detection System (IDS) acts as a defensive tool for detecting security attacks against
networked systems. IDS is a well-established methodology for detecting network-based attacks,
but it is still comparatively immature at monitoring and identifying attacks against web
applications, where the malicious request often looks like a legitimate one. An IDS is software or
hardware designed to monitor, analyze and respond to events occurring in a computer system or
network, looking for signs of possible incidents: violations of security policies, acceptable use
policies, or standard security practices. It goes beyond a conventional packet-filtering firewall,
which decides on header fields (addresses, ports, flags): an IDS analyzes the payload of each
packet against predefined signatures or a learned profile of normal activity and flags the traffic as
benign or malicious.

An Intrusion Prevention System (IPS) is software or hardware that has all the capabilities of an
intrusion detection system and can also attempt to stop possible incidents. It is deployed inline, in
the same area of the network as a firewall, between the outside world and the internal network,
so that traffic must pass through it. An IPS proactively denies network traffic based on a security
profile when a packet represents a known security threat. Because it sits inline, a false positive in
an IPS blocks legitimate traffic, whereas the same false positive in a passive IDS only raises an
alert.
Intrusion Detection System Advantages
An IDS allows the administrator to tune, organize and comprehend the often incomprehensible
operating system audit trails and other logs. It can make the security management of systems by
non-expert staff possible by providing a user-friendly interface, and it can recognize and report
alterations to data files.
An IDS generates an alarm and reports to the administrator that security has been breached; when
combined with a prevention capability (an IPS, or integration with a firewall) it can also react to
intruders by blocking them. It provides timely information, recognizes the attacker (intrusion)
and reports alterations to data files.
 Report generation on detection of any malicious activity
 Recording any alteration in data files caused by the suspicious activity detected
 Blocking intruders on detection of suspicious activity on the network (with an IPS or
firewall integration; a passive IDS alone only alerts)
 Analyzing the type of attack and recording its pattern, which helps in designing better
security controls

IDPS Detection Methodologies

IDPS technologies use many methodologies to detect attacks. The primary classes of detection
methodology are signature-based detection, anomaly-based detection, and stateful protocol
analysis. Most IDPS technologies use multiple methodologies, either separately or integrated, to
provide broader and more accurate detection.

Classification of Intrusion Detection System (IDS)

(Figure: classification tree)
Intrusion Detection System (IDS)
   Anomaly-Based Detection
      Statistical anomaly-based IDS
   Signature-Based Detection

Signature-Based Detection
Signature detection discriminates between benign activity and known attack patterns (signatures).
It is a technique often used in Intrusion Detection Systems (IDS) and in many anti-malware
systems such as anti-virus and anti-spyware products. In the signature detection process, network
or system information is scanned against a database of known attack or malware signatures. If a
match is found, an alert is raised for further action.
Signature-based detection is the simplest detection method because it just compares the current
unit of activity, such as a packet or a log entry, to a list of signatures using string comparison
operations. Detection technologies that are solely signature-based have little understanding of
many network or application protocols and cannot track and understand the state of
communications: for example, they cannot pair a request with the corresponding response, nor
can they remember previous requests when processing the current request. This prevents
signature-based methods from detecting attacks that comprise multiple events if no single event
contains a clear indication of an attack.
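The following is an added example, not code from the original assignment: a minimal signature-based detector that compares one event at a time against a small hypothetical signature set, run over constructed HTTP request lines. It also shows the limitation described above: a constructed password-guessing run in which no single line matches a signature, so the stateless engine stays silent, while a simple counter that remembers previous requests catches it.

```python
"""Added example: stateless signature matching over single events, plus the
multi-event blind spot.  Signatures and sample events are constructed for
illustration and are not a vendor ruleset or real captures."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: re.Pattern  # compiled regex applied to ONE event at a time


# Hypothetical signature set (illustrative only).
SIGNATURES = [
    Signature(1001, "directory traversal", re.compile(rb"\.\./\.\./")),
    Signature(1002, "SQL injection tautology",
              re.compile(rb"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
    Signature(1003, "shell metacharacter in URI",
              re.compile(rb"[;|`]\s*(cat|id|wget)\b")),
]


def match_event(payload: bytes):
    """Stateless check: compare a single unit of activity to every signature."""
    return [sig.sid for sig in SIGNATURES if sig.pattern.search(payload)]


def scan(events):
    """Return (event_index, matched_sids) for each event that hits a signature."""
    hits = []
    for i, payload in enumerate(events):
        sids = match_event(payload)
        if sids:
            hits.append((i, sids))
    return hits


# Constructed sample request lines (not real traffic).
SAMPLE_EVENTS = [
    b"GET /index.html HTTP/1.1",
    b"GET /cgi-bin/../../etc/passwd HTTP/1.1",
    b"GET /login?user=admin' OR 1=1-- HTTP/1.1",
    b"GET /ping?host=8.8.8.8;cat /etc/shadow HTTP/1.1",
]

# Constructed multi-event attack: 20 login attempts with different passwords.
# No single line matches any signature above.
BRUTE_FORCE = [b"POST /login user=bob pass=%d" % n for n in range(20)]


def count_login_attempts(events, threshold=10):
    """The kind of cross-event memory a signature-only engine lacks:
    flag when login attempts in the window reach the threshold."""
    attempts = sum(1 for e in events if e.startswith(b"POST /login"))
    return attempts >= threshold


if __name__ == "__main__":
    for idx, sids in scan(SAMPLE_EVENTS):
        print(f"event {idx}: matched signatures {sids}")
    print("brute force seen by signatures:", scan(BRUTE_FORCE))
    print("brute force seen by counting:", count_login_attempts(BRUTE_FORCE))
```

Each signature is only ever applied to one event, which is exactly why the brute-force sequence produces no hits; correlating events over time is the job of the anomaly-based and stateful methods discussed next.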

Anomaly-Based Detection
Anomaly-based detection is the process of comparing definitions of what activity is considered
normal against observed events to identify significant deviations. An IDPS using anomaly-based
detection has profiles that represent the normal behavior of such things as users, hosts, network
connections, or applications; the profiles are built by observing activity over a training period.
The major benefit of anomaly-based detection methods is that they can be very effective at
detecting previously unknown attacks, for which no signature exists yet.
A problem with building profiles is that it can be very challenging in some cases to make them
accurate, because computing activity is so complex. For example, if a particular maintenance
activity that performs large file transfers occurs only once a month, it might not be observed
during the training period; when the maintenance occurs, it is likely to be considered a significant
deviation from the profile. Anomaly-based IDPS products therefore often produce many false
positives because of benign activity that deviates significantly from profiles, especially in more
diverse or dynamic environments. Another noteworthy problem with the use of anomaly-based
detection techniques is that it is often difficult for analysts to determine what triggered a
particular alert, since the alert says only that the observation was unusual, not why.
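As an added example (not part of the original assignment), the statistical anomaly-based approach sketched above: a per-host profile (mean and standard deviation of daily outbound volume) is learned from a constructed 30-day training window, and later observations are scored by how many standard deviations they sit from the learned normal. The observations include a genuine large transfer and the "monthly maintenance" case from the text, which is flagged just as loudly because it was absent from the training period. All numbers are invented.

```python
"""Added example: statistical anomaly detection with a learned profile.
Training data and observations are constructed, not real measurements."""
from statistics import mean, pstdev


def build_profile(training_samples):
    """Profile = mean and population standard deviation of the metric
    observed during the training period."""
    return {"mean": mean(training_samples), "stdev": pstdev(training_samples)}


def z_score(profile, value):
    # A flat training window gives stdev 0; treat it as 1.0 to avoid
    # division by zero (assumption made for this example).
    sd = profile["stdev"] or 1.0
    return (value - profile["mean"]) / sd


def is_anomalous(profile, value, threshold=3.0):
    """Flag an observation more than `threshold` standard deviations
    away from the learned normal."""
    return abs(z_score(profile, value)) > threshold


# Constructed training data: daily outbound megabytes for one workstation
# over 30 days in which no maintenance transfer happened.
TRAINING_MB = [48, 52, 50, 47, 55, 51, 49, 53, 50, 46,
               54, 50, 48, 52, 51, 49, 47, 53, 50, 52,
               48, 51, 49, 50, 54, 47, 52, 50, 49, 51]

# Constructed observations after training.
OBSERVATIONS = {
    "normal_day": 53,        # inside the profile
    "exfiltration": 900,     # true positive: unexpected large transfer
    "monthly_backup": 400,   # false positive: legitimate, but never seen in training
}


def evaluate(training, observations, threshold=3.0):
    """Map each observation label to True (alert) or False (normal)."""
    profile = build_profile(training)
    return {label: is_anomalous(profile, mb, threshold)
            for label, mb in observations.items()}


if __name__ == "__main__":
    p = build_profile(TRAINING_MB)
    print(f"profile: mean={p['mean']:.1f} MB, stdev={p['stdev']:.2f} MB")
    for label, flagged in evaluate(TRAINING_MB, OBSERVATIONS).items():
        print(f"{label:15s} {'ALERT' if flagged else 'ok'}")
```

The detector cannot tell the backup from the exfiltration; both are simply "far from the mean". In practice the training window has to cover the full business cycle (including that monthly job), or the maintenance window is handled by a separate profile or an explicit exception, and the alert should carry the observed value and the profile it was scored against so an analyst can see what triggered it.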

Stateful Protocol Analysis

Stateful protocol analysis is the process of comparing predetermined profiles of generally accepted
definitions of benign protocol activity for each protocol state against observed events to identify
deviations. Unlike anomaly-based detection, which uses host- or network-specific profiles, stateful
protocol analysis relies on vendor-developed universal profiles that specify how particular protocols
should and should not be used. The "stateful" in stateful protocol analysis means that the IDPS is
capable of understanding and tracking the state of network, transport, and application protocols that
have a notion of state. For example, a session that requires a login starts in the unauthenticated
state, in which only a few commands (such as supplying a username and password) are expected.
Once the user has authenticated successfully, the session is in the authenticated state, and users are
expected to perform any of several dozen commands. Performing most of these commands while in
the unauthenticated state would be considered suspicious, but in the authenticated state performing
most of them is considered benign. Tracking state this way lets the IDPS pair a request with the
server's response, which is exactly what a purely signature-based engine cannot do.
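The following added example (not code from the original assignment) implements the authenticated/unauthenticated check described above for an assumed FTP-like command protocol, simplified to a handful of commands and two server reply codes (230 login succeeded, 530 not logged in). It tracks session state from both the client's commands and the server's replies, and flags any command that the profile does not consider benign in the current state. The session transcripts are constructed.

```python
"""Added example: stateful protocol analysis for an FTP-like session.
Protocol details are simplified assumptions; transcripts are constructed."""

UNAUTH, AUTH = "unauthenticated", "authenticated"

# "Universal profile": which commands are benign in each session state
# (assumed subset of FTP commands for this example).
ALLOWED = {
    UNAUTH: {"USER", "PASS", "HELP", "QUIT"},
    AUTH: {"HELP", "QUIT", "PWD", "CWD", "LIST", "RETR", "STOR", "DELE"},
}


class SessionTracker:
    """Tracks one client/server session and validates commands per state."""

    def __init__(self):
        self.state = UNAUTH
        self.user = None

    def observe_command(self, line):
        """Consume one client command line; return an alert string or None."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd not in ALLOWED[self.state]:
            return f"{cmd} unexpected in {self.state} state"
        if cmd == "USER":
            self.user = arg
        elif cmd == "PASS" and self.user is None:
            # Protocol-order violation: password offered before any username.
            return "PASS without preceding USER"
        return None

    def observe_reply(self, code):
        """Consume a server reply code; this is what moves the state machine."""
        if code == 230 and self.state == UNAUTH:
            self.state = AUTH          # login succeeded
        elif code == 530:
            self.state = UNAUTH        # not logged in / login failed


def analyze(session):
    """session: list of ('C', command_line) or ('S', reply_code) tuples,
    in wire order.  Returns the list of alerts raised."""
    tracker = SessionTracker()
    alerts = []
    for side, msg in session:
        if side == "C":
            alert = tracker.observe_command(msg)
            if alert:
                alerts.append(alert)
        else:
            tracker.observe_reply(msg)
    return alerts


# Constructed transcripts.
BENIGN = [("C", "USER alice"), ("C", "PASS s3cret"), ("S", 230),
          ("C", "PWD"), ("C", "RETR report.pdf"), ("C", "QUIT")]

SUSPICIOUS = [("C", "RETR /etc/passwd"),            # fetch before login
              ("C", "USER alice"), ("C", "PASS wrong"), ("S", 530),
              ("C", "LIST"),                         # list after failed login
              ("C", "QUIT")]

if __name__ == "__main__":
    print("benign session alerts:", analyze(BENIGN))
    print("suspicious session alerts:", analyze(SUSPICIOUS))
```

The key design point is that the transition into the authenticated state is driven by the server's 230 reply, not by the client merely sending PASS; a signature on the string "RETR" alone could not distinguish the legitimate download in the first transcript from the pre-login fetch in the second.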
