Figure 10 4 Intrusion Detection Systems IDSs n

  • Slides: 8
Download presentation
Figure 10 -4: Intrusion Detection Systems (IDSs) n IDSs ¡ Event logging in log

Figure 10 -4: Intrusion Detection Systems (IDSs) n IDSs ¡ Event logging in log files ¡ Analysis of log file data ¡ Alarms ¡ n Too many false positives (false alarms) n Too many false negatives (overlooked incidents) Log files for retrospective analysis by humans 1

Figure 10 -4: Intrusion Detection Systems (IDSs) n Elements of an IDS (Figure 10

Figure 10 -4: Intrusion Detection Systems (IDSs) n Elements of an IDS (Figure 10 -5) ¡ Event logging ¡ Analysis method ¡ Action ¡ Management 2

Figure 10 -5: Elements of a Simple IDS Action: Alarms, Queries, Reports Management: Configuration,

Figure 10 -5: Elements of a Simple IDS Action: Alarms, Queries, Reports Management: Configuration, Tuning Analysis: Attack Signatures and Heuristics Logging (Data Collection): Individual Events are Time-Stamped Log is Flat File of Events 3

Figure 10 -4: Intrusion Detection Systems (IDSs) n Distributed IDSs (Figure 10 -6) ¡

Figure 10 -4: Intrusion Detection Systems (IDSs) n Distributed IDSs (Figure 10 -6) ¡ Managers ¡ Agents ¡ Distribution of functionality between agents and managers (analysis and action) 4

Figure 10 -6: Distributed IDS Manager Agent Host IDS Log File Transfer in Batch

Figure 10 -6: Distributed IDS Manager Agent Host IDS Log File Transfer in Batch Mode or Real Time Log File Internet Connection Agent Internal Switch-Based Network IDS Site Stand-Alone Agent FW Log Main Firewall Network IDS 5

Figure 10 -4: Intrusion Detection Systems (IDSs) n Distributed IDSs (Figure 10 -6) ¡

Figure 10 -4: Intrusion Detection Systems (IDSs) n Distributed IDSs (Figure 10 -6) ¡ Batch versus Real-Time Data Transfer n Batch mode: Every few minutes or hours; efficient n Real-time: As events occur or shortly afterward; little or no data loss if attacker eliminates log file on agent’s computer 6

Figure 10 -4: Intrusion Detection Systems (IDSs) n n Distributed IDSs (Figure 10 -6)

Figure 10 -4: Intrusion Detection Systems (IDSs) n n Distributed IDSs (Figure 10 -6) ¡ Secure manager-agent communication ¡ Vendor’s automatic updates with secure communication Network IDSs (NIDSs) ¡ Capture packets ¡ Stand-alone NIDS collects data for only its portion of the network ¡ Switch or router NIDSs can collect data on all ports 7

Figure 10 -4: Intrusion Detection Systems (IDSs) n Network IDSs (NIDSs) ¡ ¡ NIDS

Figure 10 -4: Intrusion Detection Systems (IDSs) n Network IDSs (NIDSs) ¡ ¡ NIDS placement n Between main firewall and internal or external network for relevant or all attacks n At internal points to detect internal mischief Weaknesses n Blind spots in network where no NIDS data is collected n Cannot filter encrypted packets 8

Intrusion Detection System 1 Intrusion Detection Intrusion detectionIntrusion Detection System 1 Intrusion Detection Intrusion detection
Figure 10 4 Intrusion Detection Systems IDSs nFigure 10 4 Intrusion Detection Systems IDSs n
Figure 10 4 Intrusion Detection Systems IDSs nFigure 10 4 Intrusion Detection Systems IDSs n
Intrusion Detection Arun Hodigere Intrusion and Intrusion DetectionIntrusion Detection Arun Hodigere Intrusion and Intrusion Detection
Intrusion Detection Arun Hodigere Intrusion and Intrusion DetectionIntrusion Detection Arun Hodigere Intrusion and Intrusion Detection
Intrusion Detection Systems Intrusion Detection Systems 1980 PaperIntrusion Detection Systems Intrusion Detection Systems 1980 Paper
Computer Security Intrusion Detection Systems Intrusion Detection SystemsComputer Security Intrusion Detection Systems Intrusion Detection Systems