Network Security Share Dcit 418-Slide 2

Lecture notes on Intrusion

Uploaded by bklodo

DCIT 418
System and Network Security
Module 2: Detecting and Preventing System Intrusions
Lecturer: Dr E.D. Ansong, Dept of Computer Sc.
Contact Information: [email protected]
Learning Objectives

By the end of this module, you should be able to:

• Provide an overview of what system intrusions are, including common methods used by attackers to gain unauthorized access to computer systems.
• Explain the role of intrusion detection systems in identifying and alerting to potential security breaches, including network-based and host-based IDS.
Learning Objectives

• Describe how intrusion prevention systems go beyond detection to actively block or mitigate threats in real time, enhancing overall network security.
• Discuss challenges associated with intrusion detection and prevention, such as false positives (incorrectly identifying benign activity as malicious) and false negatives (failing to detect actual

Intrusion Terminology

• Intrusion: an attack on information in which a malicious perpetrator tries to break into or disrupt a system
• Intrusion detection: includes the procedures and systems created and operated to detect system intrusions
• Intrusion reaction: covers the actions an organization takes upon detecting an intrusion
• Intrusion correction activities: restore normal operations
• Intrusion prevention: actions that try to deter intrusions proactively
Intrusion Detection System (IDS)

• An Intrusion Detection System (IDS) is a security tool designed to monitor network or system activities for malicious or suspicious behavior.
• It works by analyzing incoming and outgoing network traffic, as well as system logs, looking for patterns that indicate unauthorized access, misuse, or potential security threats.
Some IDS Terminologies

• Alert, Alarm: A notification generated by an IDS to indicate suspicious or potentially malicious activity detected on the network or system.
• False Negative: A false negative occurs when an IDS fails to detect actual malicious activity or an intrusion, incorrectly classifying it as benign or normal behavior.
• False Positive: occurs when an IDS incorrectly identifies legitimate activity as malicious or suspicious, generating unnecessary alerts or alarms.
Some IDS Terminologies Cont’d

• Confidence Value: The confidence value represents the level of certainty or reliability assigned to an alert or detection event by the IDS.
• Alarm Filtering: Alarm filtering refers to the process of prioritizing and managing alerts generated by an IDS to reduce the volume of notifications and focus attention on the most critical security events.
Why Use an IDS

• Prevent problem behaviors by increasing the perceived risk of discovery and punishment
• Detect attacks and other security violations
• Detect and deal with preambles to attacks
• Document the existing threat to an organization
• Act as quality control for security design & administration
• Provide useful information about intrusions that take place
How IDS works

Figure 1.0 General IDS operation

IDS Classification Methods

• IDS operation:
– Network-based intrusion detection system (NIDS)
– Host-based IDS (HIDS)
– Application-based systems (AppIDS)
• IDS detection methods:
– Signature-based (sig IDS)
– Statistical anomaly-based (stat IDS)
Types of Intrusion Detection System (IDS)

There are two main types of IDS:

• Network-based IDS (NIDS): NIDS monitors network traffic in real time, examining packets passing through the network. It can detect anomalies or known attack patterns by comparing network activity to a database of signatures or predefined rules.
• Host-based IDS (HIDS): HIDS operates on individual host machines, monitoring activities such as file system changes, logins, and system calls. It compares these activities against known patterns of malicious behavior to separate them from normal activity.
Types of IDS Cont’d

There are also Application-based Intrusion Detection Systems (AppIDS). Unlike network-based IDS, which focus on monitoring network traffic, application-based IDS operate at the application layer of the OSI (Open Systems Interconnection) model, analyzing activity within individual applications or services.
Advantages of NIDS

• Organization can monitor a large network with few devices
• Passive; deployment minimally disrupts operations
• Less susceptible to attack; attackers may not detect them

Disadvantages of NIDS

• Can be overwhelmed by volume of network traffic
• Need to monitor all traffic
• Cannot analyze encrypted network packets
• Cannot determine if attack was successful
• Cannot detect some attacks (e.g., fragmented packets)
How NIDS works

Figure 2.0 NIDS operation

Statistical anomaly-based (stat IDS)

• Statistical anomaly-based IDS sample network activity and compare it to “known normal” traffic; the IDS sounds an alarm when activity is outside baseline parameters
• Advantage: IDS can detect new types of attacks
• Disadvantages:
– Requires more overhead and compute power than signature-based IDSs
– May generate many false positives
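As an added example (not from the lecture slides), the Python below runs both detection methods from this module over constructed connection records: one signature rule, a statistical baseline that alarms outside mean + k·stdev, a confidence value on every alert, alarm filtering by confidence, and a count of false positives and false negatives against ground truth. The request patterns, byte counts, k and the confidence formula are assumptions made for illustration.

```python
import re
from statistics import mean, pstdev

# Constructed "known normal" training window: bytes per connection a stat IDS samples for its baseline.
BASELINE_BYTES = [980, 1010, 1200, 870, 1100, 940, 1020, 990]

# Constructed connection records: (request line, bytes transferred, truly malicious?); last field is ground truth for scoring only.
EVENTS = [
    ("GET /index.html", 1010, False),
    ("GET /images/banner.png", 1400, False),    # mildly above baseline, benign
    ("GET /download/report.pdf", 48000, False), # large but legitimate download
    ("GET /../../etc/passwd", 620, True),       # matches the signature below
    ("GET /login", 900, True),                  # probe that looks normal: nothing to match
    ("POST /upload", 52000, True),              # exfiltration-sized transfer, no signature
]

SIGNATURES = [("path traversal", re.compile(r"\.\./"))]  # hypothetical sig IDS rule

def signature_alerts(events):
    """Sig IDS: alert when a request matches a known pattern; confidence is fixed high."""
    return [(i, name, 0.95) for i, (req, _, _) in enumerate(events)
            for name, pat in SIGNATURES if pat.search(req)]

def anomaly_alerts(events, baseline, k=3.0):
    """Stat IDS: alert when bytes exceed mean + k*stdev of the baseline; confidence grows with the z-score."""
    mu, sigma = mean(baseline), pstdev(baseline)
    out = []
    for i, (_, nbytes, _) in enumerate(events):
        z = (nbytes - mu) / sigma
        if z > k:
            out.append((i, "volume anomaly", min(0.99, z / 10)))
    return out

def filter_alarms(alerts, min_conf):
    """Alarm filtering: drop alerts below a confidence threshold to cut notification volume."""
    return [a for a in alerts if a[2] >= min_conf]

def score(alerts, events):
    """Count distinct alerted events, false positives and false negatives against ground truth."""
    flagged = {i for i, _, _ in alerts}
    fp = sum(1 for i, e in enumerate(events) if i in flagged and not e[2])
    fn = sum(1 for i, e in enumerate(events) if i not in flagged and e[2])
    return {"alerts": len(flagged), "false_positives": fp, "false_negatives": fn}

def run(min_conf=0.0):
    """Combine both detectors, apply alarm filtering, and score the result."""
    alerts = signature_alerts(EVENTS) + anomaly_alerts(EVENTS, BASELINE_BYTES)
    return score(filter_alarms(alerts, min_conf), EVENTS)
```

Filtering at a confidence of 0.5 removes the mild benign outlier (one false positive fewer) but leaves the normal-looking probe undetected, which neither method can catch: that is the false negative the slides warn about.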
Advantages of HIDS

• Detect local events and attacks on host systems that NIDSs may not
• Can view encrypted traffic (as it has been decrypted on the system)
• HIDS is unaffected by switched network protocols
• Can detect inconsistencies in apps, programs by

Disadvantages of HIDS

• Harder to manage than NIDSs
• Vulnerable to attacks against the host operating system, HIDS
• Cannot detect scans of multiple hosts, non-network devices
• HIDSs are potential targets for denial-of-service (DoS) attack
How HIDS works

Figure 3.0 HIDS operation

IDS Deployment Overview

NIST recommends four locations for NIDSs:

• Location 1: behind each external firewall, in the network DMZ
• Location 2: outside an external firewall
• Location 3: on major network backbones
• Location 4: on critical subnets

IDS Deployment Overview

Figure 4.0 NIDS Sensor locations

Deploying HIDS

• Steps:
– First: install HIDSs on the most critical systems
– Next: install HIDSs on all systems, or until the organization reaches a tolerable degree of coverage
Measuring Effectiveness of IDS

• IDSs are evaluated using two dominant metrics:
– # of attacks detected in a known collection of probes
– Network bandwidth at which IDSs fail
Example: At 1 Gbits/sec, IDS detected 95% of directed attacks against it
• Many vendors provide test suites for verification
• Example test suites:
– Record, retransmit real packet trace from virus/worm
– Perform same for malformed packets (e.g., SYN flood)
– Launch
Honeypots, Honeynets, and Padded Cell Systems

• Honeypots: decoy systems designed to lure potential attackers away from critical systems
• Design goals:
– Divert attacker from accessing critical systems
– Gather information about attacker’s activity
– Encourage attacker to linger so admins can

Honeypots, Honeynets, and Padded Cell Systems

• Honeynets: collection of honeypots connected in a subnet
• Padded cell: honeypot protected in order to hinder compromise
– Typically works in tandem with traditional IDS
– When IDS detects attackers, it transfers them to a “special environment” where they cannot cause harm (hence the name)
Scanning and Analysis Tools

• They are often used to collect the information an attacker would need to launch a successful attack
• Attack protocol: sequence of attacker’s steps to attack a target system/network
• Footprinting: determining what hostnames, IP addresses a target org. owns
• Fingerprinting: systematic survey of resources found in the footprinting stage
– Useful for discovering weaknesses in org.’s network or

Port Scanners

• Tools used by attackers and defenders to identify computers on a network (plus other info.)
• Can scan for certain computers, protocols, resources (or generic scans)
• Example: nmap (https://nmap.org/)
Vulnerability Scanners

• Active vulnerability scanners scan networks for highly detailed information; they initiate traffic to determine holes
• Passive vulnerability scanners listen in on the network and determine vulnerable versions of both server and client software
• Passive vulnerability scanners have the ability to find client-side vulnerabilities typically not found by active scanners
Packet Sniffers

• Network tool that collects copies of packets from the network and analyzes them
• Can provide a network administrator with valuable information for diagnosing and resolving networking issues
• In the wrong hands, a sniffer can be used to eavesdrop on network traffic
• To use a packet sniffer legally, an administrator must be on a network that the organization owns, be under direct authorization of the owners of the network, and have the consent of the content creators
Defense in Depth

The Defense in Depth strategy employs layered security mechanisms to provide comprehensive protection against diverse threats. By implementing multiple layers of defense, organizations can mitigate risks and minimize the impact of potential security breaches.
Cryptography in Network Security

Cryptography is a fundamental tool in network security, facilitating secure communication and data protection through encryption and decryption processes. Key concepts include:

• Symmetric Encryption: Utilizing a single shared key for both encryption and decryption.
• Asymmetric Encryption: Employing a pair of keys (public and private) for encryption and decryption.
• Digital Signatures: Verifying the authenticity and integrity of digital messages.

Secure Network Protocols

Secure protocols are essential for safeguarding data transmission over networks:

• SSL/TLS (Secure Sockets Layer/Transport Layer Security): Encrypts data exchanged between web servers and clients, ensuring confidentiality and integrity.
• IPsec (Internet Protocol Security): Provides secure communication at the IP layer, enabling VPNs and secure data transmission.
• SSH (Secure Shell): Facilitates secure remote access and command execution on network devices.

Access Control Devices

• A successful access control system includes a number of components, depending on the system’s needs for authentication and authorization
• Strong authentication requires at least two forms of authentication to authenticate the supplicant’s identity
• The technology to manage authentication based on what a supplicant knows is widely integrated into the networking and security software systems in use across the IT industry
Access Control Devices

• Access control: authenticates, authorizes users
• Authentication: validate a person’s identity
• Authorization: specify what the person can do with computers, networks
• Recommended: use ≥ two types of auth. technology
Access Control Devices

Four main ways to authenticate a person:

• What a person knows (e.g., password);
• What a person has (e.g., Duo Mobile app code);
• Who a person is (e.g., fingerprint);

Effectiveness of Biometrics

Biometric technologies are evaluated on three basic criteria:

• False reject rate: The False Reject Rate, also known as Type I error, measures the frequency at which a biometric system incorrectly rejects an authorized person.
• False accept rate: The False Accept Rate, also known as Type II error, measures how often a biometric system incorrectly accepts an unauthorized person.
• Crossover error rate (CER): The Crossover Error Rate is the point at which the False Reject Rate and the False Accept Rate are equal.
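As an added worked example (not part of the lecture slides), the Python below computes the three criteria above from constructed match scores of a hypothetical fingerprint system: FRR and FAR at a chosen decision threshold, the full trade-off curve as the threshold is swept, and the threshold at which the two rates cross, which gives the CER. The score values and the 0-100 scale are assumptions made for illustration.

```python
# Constructed matcher scores (0-100, higher means a closer match) from a
# hypothetical fingerprint system: genuine attempts by enrolled users and
# impostor attempts by people who are not enrolled.
GENUINE_SCORES = [88, 92, 75, 81, 95, 68, 84, 90, 79, 86]
IMPOSTOR_SCORES = [40, 55, 62, 71, 48, 66, 58, 74, 52, 60]

def false_reject_rate(genuine, threshold):
    """Type I error: fraction of authorized users rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)

def false_accept_rate(impostor, threshold):
    """Type II error: fraction of unauthorized users accepted (score at or above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)

def error_curve(genuine, impostor, thresholds=range(0, 101)):
    """(threshold, FRR, FAR) at every candidate threshold: raising the threshold
    lowers FAR and raises FRR, so the two rates have to be traded off."""
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in thresholds]

def crossover_error_rate(genuine, impostor):
    """Threshold where FRR and FAR are closest to equal, and the error rate there (the CER);
    a lower CER means a more accurate biometric."""
    t, frr, far = min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (frr + far) / 2
```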


Acceptability of Biometrics
Summary

• Intrusion detection system (IDS) detects configuration violation and sounds alarm
• Network-based IDS (NIDS) vs. host-based IDS (HIDS)
• Complex selection of IDS products that fit an organization’s needs
• Scanning and analysis tools are used to pinpoint vulnerabilities in systems, holes in