Intrusion Detection System

Uploaded by aashima.it

Intrusion detection system

Topics to be covered…
Overview of IDS
Process model
Architecture
Information sources
Analysis techniques
Strengths
Limitations
Conclusion
Reference
Overview of Intrusion Detection Systems:
What are intrusions?
An intrusion is any set of actions that attempts to compromise the confidentiality, integrity or availability of a system or network resource.

What is intrusion detection?
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analysing them for signs of intrusions.
Functions of an IDS
Monitoring and analysis of user and system activity.
Auditing of system configurations.
Assessing the integrity of critical system and data files.
Recognition of activity patterns reflecting known attacks.
Statistical analysis for abnormal activity patterns.
Process model for intrusion detection:
Information sources:
network, host, application

Analysis:
misuse detection, anomaly detection

Response:
active measures, involving some automated intervention by the system itself (for example, terminating the offending connection), and passive measures, involving reporting IDS findings to humans, who are then expected to take action based on those reports.
IDS Architecture
Audit collection/storage unit
Processing unit
Alarm/response unit
The three units correspond to the three stages of the process model: collecting data from the information sources, analysing it, and producing the response.
Information sources
Network-based IDSs:
Consist of a set of single-purpose sensors. These units monitor network traffic, performing local analysis of that traffic and reporting attacks to a central management console.
Host-based IDSs:
Operate on information collected from within an individual computer system, such as operating system audit trails and system logs.
Application-based IDSs:
A special subset of host-based IDSs. The most common information sources used by these IDSs are the application's transaction log files.
IDS Analysis Techniques
Misuse detection
Anomaly detection
Specification-based detection

Misuse detection
Misuse detectors analyze system activity, looking for events or sets of events that match a predefined pattern (a signature) describing a known attack.
Advantages
Misuse detectors are very effective at detecting attacks without generating an overwhelming number of false alarms.
Misuse detectors can quickly and reliably diagnose the use of a specific attack tool or technique. This can help security managers prioritize corrective measures.
Misuse detectors allow system managers, regardless of their level of security expertise, to track security problems on their systems and initiate incident handling procedures.
Disadvantages
Misuse detectors can only detect the attacks they know about; therefore they must be constantly updated with signatures of new attacks.
Many misuse detectors use tightly defined signatures that prevent them from detecting variants of common attacks (for example, the same payload sent with a different encoding).
State-based misuse detectors can overcome this limitation, but are not commonly used in commercial IDSs.
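Worked example, added here and not part of the original slides: a minimal signature (misuse) matcher in Python run over constructed HTTP request lines. The signature names, the regular expressions and the sample requests are assumptions for illustration. It also shows the variant problem from the disadvantages above: the same traversal and command-injection attacks slip past the literal signatures once URL-encoded, and a normalisation step (URL-decoding before matching) is one way to recover coverage without writing a signature per encoding.

```python
"""Signature (misuse) detection over constructed HTTP request log lines.

Added example; the request lines, signature names and the normalisation
step are assumptions for illustration, not taken from the slides.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Each signature is a name plus a regular expression describing one known attack.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "passwd-read": re.compile(r"/etc/passwd"),
    "cmd-injection": re.compile(r";\s*(cat|ls|id|wget)\b"),
}

# Constructed sample request lines; not captured from real traffic.
SAMPLE_REQUESTS = [
    "GET /index.html",
    "GET /download?file=../../etc/passwd",            # plain traversal
    "GET /download?file=..%2F..%2Fetc%2Fpasswd",     # URL-encoded variant of the same attack
    "GET /ping?host=127.0.0.1%3Bcat%20/etc/shadow",  # command injection with encoded ';' and space
]


def match_signatures(request: str, normalise: bool = False) -> list[str]:
    """Return the names of all signatures that match one request line.

    normalise=False is the 'tightly defined signature' behaviour the slides warn
    about: an encoding change is enough to evade the pattern.  normalise=True
    URL-decodes the request first, so the same signatures also catch the variants.
    """
    text = unquote(request) if normalise else request
    return [name for name, pattern in SIGNATURES.items() if pattern.search(text)]


def scan(requests: list[str], normalise: bool = False) -> dict[str, list[str]]:
    """Map every request that fires at least one signature to the matching names."""
    alerts: dict[str, list[str]] = {}
    for req in requests:
        hits = match_signatures(req, normalise)
        if hits:
            alerts[req] = hits
    return alerts


if __name__ == "__main__":
    print("strict :", scan(SAMPLE_REQUESTS))                    # only the plain traversal fires
    print("decoded:", scan(SAMPLE_REQUESTS, normalise=True))    # both encoded variants now fire too
```

Note what the normalisation does not solve: it only collapses one class of variant (percent-encoding). Double-encoding, alternative path separators or case changes each need their own canonicalisation step, which is why the slides point to state-based detectors rather than ever-growing signature lists.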
Anomaly detection
Anomaly detectors identify abnormal (unusual) behavior on a host or network by comparing observed activity against a baseline of what is normal.
Advantages
IDSs based on anomaly detection detect unusual behavior and thus have the ability to detect symptoms of attacks without specific knowledge of the attack.
Anomaly detectors can produce information that can in turn be used to define signatures for misuse detectors.
Disadvantages
Anomaly detection approaches usually produce a large number of false alarms due to the unpredictable behaviors of users and networks.
Anomaly detection approaches often require extensive "training sets" of system event records in order to characterize normal behavior patterns.
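Worked example, added here and not part of the original slides: a statistical anomaly detector in Python that builds a baseline (mean and standard deviation) from a constructed training set of daily outbound traffic for one host and flags new observations that fall more than a threshold number of standard deviations from the mean. The host, the numbers and the 3-sigma threshold are assumptions. The observations include a legitimate backup day that is statistically indistinguishable from the exfiltration day, which is exactly where the false alarms in the disadvantages above come from.

```python
"""Statistical anomaly detection over a constructed training set.

Added example, not from the slides. The sample values, the labels and the
threshold are assumptions chosen for illustration.
"""
from __future__ import annotations

from statistics import mean, pstdev

# Constructed "training set": outbound megabytes per day for one host during a
# quiet fortnight. An anomaly detector needs a baseline like this before it can
# say anything at all about a new observation.
TRAINING_MB = [120, 135, 128, 140, 122, 131, 119, 138, 126, 133, 129, 124, 137, 130]

# Constructed observations for the following week. 'thu-backup' is legitimate
# but looks identical to 'tue-exfil' to a purely statistical detector.
OBSERVATIONS_MB = {
    "mon": 127,
    "tue-exfil": 410,
    "wed": 133,
    "thu-backup": 385,
}


def build_baseline(samples: list[float]) -> tuple[float, float]:
    """Characterise 'normal' as the mean and population standard deviation."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate spread")
    return mean(samples), pstdev(samples)


def z_score(value: float, baseline: tuple[float, float]) -> float:
    """Distance of `value` from the baseline mean, in standard deviations."""
    mu, sigma = baseline
    if sigma == 0:  # degenerate baseline: any deviation at all is 'infinitely' unusual
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def is_anomalous(value: float, baseline: tuple[float, float], threshold: float = 3.0) -> bool:
    """Flag observations more than `threshold` standard deviations from the mean."""
    return abs(z_score(value, baseline)) > threshold


def evaluate(observations: dict[str, float], baseline: tuple[float, float],
             threshold: float = 3.0) -> dict[str, bool]:
    """Apply the detector to every labelled observation."""
    return {label: is_anomalous(value, baseline, threshold) for label, value in observations.items()}


if __name__ == "__main__":
    base = build_baseline(TRAINING_MB)
    print("baseline mean=%.1f sd=%.1f" % base)
    for label, flagged in evaluate(OBSERVATIONS_MB, base).items():
        print(f"{label:12s} z={z_score(OBSERVATIONS_MB[label], base):6.2f} anomalous={flagged}")
```

Two practical caveats follow directly from the code. First, the quality of the baseline is the quality of the detector: a training window that already contains the attacker's activity teaches the detector that the attack is normal. Second, the detector returns a yes/no on magnitude only; the analyst still has to decide whether the 385 MB day was a backup or a theft, which is the extra triage work that makes anomaly detection expensive to operate.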
Specification-based detection
Specification-based detectors distinguish between normal and intrusive behaviour by monitoring the traces of system calls made by the target processes. A specification that models the desired behaviour of a process tells the IDS whether the actual observed trace is part of an attack or not.
Advantages
More or less the same as for misuse detection. However, these systems manage to detect some types/classes of novel attacks, because any behaviour outside the specification is flagged whether or not it has been seen before. Additionally, they are more resistant against subtle changes in attacks.
Disadvantages
Usually a specification has to be designed for every program that is monitored.
Furthermore, the modelling process can be regarded as more difficult than the design of patterns for misuse detection systems.
Additionally, some classes of attacks are not detectable at all: an attack that stays within the specified behaviour produces no violation.
The system-call traces themselves were obtained by inspecting log files.
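Worked example, added here and not part of the original slides: a specification-based detector in Python. A specification lists, for one program, which system calls are permitted and what their arguments may be; the detector reports every event in a trace that falls outside it. The daemon name ("logd"), its specification and all traces are assumptions made up for illustration. The traces show both sides of the slides' assessment: a novel shell-spawning exploit is caught with no signature at all, while an attack that stays inside the specification (tampering with the permitted log file) is invisible.

```python
"""Specification-based detection over constructed system-call traces.

Added example, not code from the slides. The daemon name ("logd"), its
specification and every trace below are assumptions made up for illustration.
"""
from typing import Callable, Dict, List, Tuple

SyscallEvent = Tuple[str, str]   # (system call name, principal argument)


class Specification:
    """What one monitored program is allowed to do: a predicate per system call.

    Unlike a misuse signature, nothing here describes an attack. Any call that
    is absent from the rules, or whose argument fails its predicate, is reported,
    so novel attacks are caught as long as they step outside the specification.
    """

    def __init__(self, program: str, rules: Dict[str, Callable[[str], bool]]):
        self.program = program
        self.rules = rules

    def check(self, trace: List[SyscallEvent]) -> List[str]:
        """Return one message per event in the trace that violates the specification."""
        violations = []
        for index, (call, arg) in enumerate(trace):
            predicate = self.rules.get(call)
            if predicate is None:
                violations.append(f"#{index}: {call}({arg}) is not permitted for {self.program}")
            elif not predicate(arg):
                violations.append(f"#{index}: {call}({arg}) violates the argument constraint")
        return violations


# Hypothetical log daemon: may read its own config file, open files under
# /var/log/, read/write/close descriptors, and nothing else. It never execs.
LOGD_SPEC = Specification("logd", {
    "openat": lambda path: path == "/etc/logd.conf" or path.startswith("/var/log/"),
    "read":   lambda _fd: True,
    "write":  lambda _fd: True,
    "close":  lambda _fd: True,
})

# Constructed traces; not captured from a real system.
NORMAL_TRACE: List[SyscallEvent] = [
    ("openat", "/etc/logd.conf"), ("read", "3"), ("close", "3"),
    ("openat", "/var/log/app.log"), ("write", "4"), ("close", "4"),
]
# A novel exploit coerces the daemon into spawning a shell. There is no
# signature for it, but execve is simply not in the specification.
SHELL_TRACE = NORMAL_TRACE[:3] + [("execve", "/bin/sh")]
# Credential theft: a permitted call with a forbidden argument.
SHADOW_TRACE = NORMAL_TRACE[:3] + [("openat", "/etc/shadow"), ("read", "4")]
# Tampering with log contents stays entirely inside the specification, so it
# is invisible at this level: the class of attack the slides call undetectable.
LOG_TAMPER_TRACE = [("openat", "/var/log/app.log"), ("write", "4"), ("close", "4")]


def detect(spec: Specification, trace: List[SyscallEvent]) -> bool:
    """True when the trace contains at least one violation of the specification."""
    return bool(spec.check(trace))


if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_TRACE), ("shell", SHELL_TRACE),
                        ("shadow", SHADOW_TRACE), ("log-tamper", LOG_TAMPER_TRACE)]:
        print(f"{name:10s}", LOGD_SPEC.check(trace) or "conforms to specification")
```

The cost the slides describe is visible in the size of LOGD_SPEC: even this toy daemon needed a hand-written rule per system call, and a real program with dozens of calls and data-dependent arguments needs correspondingly more modelling effort than a single misuse signature.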
Strengths of IDS
An IDS performs the following functions well:
Testing the security states of system configurations.
Baselining the security state of a system, then tracking any changes to that baseline.
Recognizing patterns of system events that correspond to known attacks.
Recognizing patterns of activity that statistically vary from normal activity.
Managing operating system audit and logging mechanisms and the data they generate.
Alerting appropriate staff by appropriate means when attacks are detected.
Measuring enforcement of security policies encoded in the analysis engine.
Providing default information security policies.
Allowing non-security experts to perform important security monitoring functions.
Monitoring and analysis of system events and user behaviors.
Limitations
An IDS cannot be relied on for:
Compensating for weak or missing security mechanisms in the protection infrastructure. Such mechanisms include firewalls, identification and authentication, link encryption, access control mechanisms, and virus detection and eradication.
Instantaneously detecting, reporting and responding to an attack when there is a heavy network or processing load.
Detecting newly published attacks or variants of existing attacks.
Effectively responding to attacks launched by sophisticated attackers.
Resisting attacks that are intended to defeat or circumvent them.
Compensating for problems with the fidelity of information sources.
Dealing effectively with switched networks: a network sensor sees only the traffic delivered to its own switch port unless it is fed by a mirror (SPAN) port or a network tap.
Conclusion
IDSs are here to stay, with billion-dollar firms supporting the development of commercial security products and driving hundreds of millions in annual sales. However, they remain difficult to configure and operate and often cannot be used effectively by the very novice security personnel who need to benefit from them most.
References
Google (www.google.com)
Wikipedia (www.wikipedia.com)
Yi Hu, Brajendra Panda: A data mining approach for database intrusion detection.
V. C. S. Lee, J. A. Stankovic, S. H. Son: Intrusion Detection in Real-time Database Systems via Time Signatures.
Any queries?
Thank you
