Intrusion Detection Systems An Introduction Copyright © 2019 – Curt Hill

Introduction
• An IDS does just what its name says
  – Raise an alert when an intrusion is detected
• A firewall will prevent certain types of packets from entering the intranet
• An IDS will detect but not always stop
• They use a variety of techniques in the detection

Several Categories
• Where located and what they protect
  – Network (NIDS) vs. host (HIDS)
• Detection method
  – Signature and/or anomaly-based
• What they remember
  – Stateless vs. stateful
• Protection
  – Active vs. passive

NIDS
• Usually placed at a strategic location in the network
  – Usually near the gateway router
• Examines all the packets that pass by
  – Both inbound and outbound
  – Looks for unexpected packets
• Maintains a log of activity
• An anomaly causes a notification
  – Typically to the administrator or security officer

HIDS
• Resident on and protects a single device
  – Monitors packets from and to that device only
• Records the state of the system and its executables
  – Compares this with the previous record to detect changes
• Also logs and notifies
• Similar to antivirus in some respects

Signature Detection
• The signature method of antivirus products is used here as well
  – Applied to packets
• Like an antivirus, a database of packet signatures is used
  – Needs to be updated regularly
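The following is an added worked example, not code from the slides: a minimal signature matcher in Python that applies antivirus-style byte-pattern matching to packets. The signature database, the signature names, the addresses and the payloads are all constructed for the illustration, and the update step shows why the database has to be refreshed regularly.

```python
"""Signature-based packet inspection, as a small worked example.

Added illustration code, not from the slides: the signature database,
the packets and the signature names are all constructed. A signature
here is a byte pattern expected in a packet payload, qualified by
protocol and destination port, much as an antivirus signature is a byte
pattern expected in a file.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


# Constructed signature database: name -> (protocol, destination port or None, byte pattern).
SIGNATURES = {
    "SIG-0001 shell path in HTTP request": ("tcp", 80, b"/bin/sh"),
    "SIG-0002 directory traversal in HTTP request": ("tcp", 80, b"../../"),
    "SIG-0003 maximum-length DNS label": ("udp", 53, b"\x3f" + b"A" * 63),
}


def update_signatures(db, new_entries):
    """Merge a fresh batch of distributed signatures into a copy of the database.

    The slide's point is that this has to happen regularly: until it does,
    the detector is blind to anything the new entries describe.
    """
    merged = dict(db)
    merged.update(new_entries)
    return merged


def match_packet(packet, db):
    """Return the names of all signatures that match one packet.

    Stateless by design: nothing about earlier packets influences the result.
    """
    hits = []
    for name, (proto, port, pattern) in db.items():
        if proto != packet.proto:
            continue
        if port is not None and port != packet.dport:
            continue
        if pattern in packet.payload:
            hits.append(name)
    return hits


def scan(packets, db):
    """Scan a packet list; return (index, matched names) for each packet that triggers."""
    alerts = []
    for index, packet in enumerate(packets):
        hits = match_packet(packet, db)
        if hits:
            alerts.append((index, hits))
    return alerts


# Constructed sample traffic; none of these addresses or payloads are real captures.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.6", "10.0.0.80", "tcp", 80, b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.1\r\n"),
    Packet("10.0.0.7", "10.0.0.80", "tcp", 80, b"GET /../../private/notes.txt HTTP/1.1\r\n"),
    Packet("10.0.0.8", "10.0.0.53", "udp", 53, b"\x00\x01" + b"\x3f" + b"A" * 63),
    # Same bytes as SIG-0001 but on port 22: the port qualifier keeps it from matching.
    Packet("10.0.0.9", "10.0.0.22", "tcp", 22, b"/bin/sh"),
]

if __name__ == "__main__":
    for index, names in scan(SAMPLE_PACKETS, SIGNATURES):
        print(f"packet {index} from {SAMPLE_PACKETS[index].src}: {names}")
```

Each signature is qualified by protocol and port as well as content, so the same bytes on an unexpected port go unreported until an operator adds a signature covering that port, which is the update problem the slide raises.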

• HIDS anomalies
  – Programs that have not generated packets before but start to may indicate an infection
  – Excessive run times for programs may also indicate an anomaly
• NIDS anomalies
  – Changes in traffic patterns or types of packets
• Anomaly detection has a chance of working before the signature is observed

Anomaly Detection
• As in an antivirus, the signature method has some drawbacks
  – Fails on unknown attacks, etc.
• A machine learning approach may be used
  – We train the system with normal packets
  – Then when it sees the unusual it complains

Machine Learning
• There are several learning algorithms
  – Bayesian, neural network and others
• We expose these to a variety of examples
  – Each marked as good or bad
• Once trained it predicts which are good and bad
  – There are possible false positives and false negatives
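As an added worked example for the two slides above (Anomaly Detection and Machine Learning), not code from the slides: a categorical naive Bayes classifier, the simplest form of the Bayesian learner the slide names, trained on packets marked good or bad and then evaluated on held-out traffic. The features, the training and test traffic and the labels are all constructed; the evaluation deliberately includes one false positive and one false negative to make the slide's last point concrete.

```python
"""Naive Bayes packet classifier, as a worked example of the slide's idea.

Added illustration code, not from the slides: the features, the training
traffic and the labels are all constructed. The learner is categorical
naive Bayes, trained on examples each marked 'good' or 'bad', then asked
to predict; the evaluation counts the false positives and false negatives
the slide warns about.
"""
import math
from collections import Counter, defaultdict


def features(proto, dport, size):
    """Reduce a packet summary to categorical features; the size is bucketed."""
    bucket = "small" if size < 200 else ("medium" if size < 1000 else "large")
    return {"proto": proto, "dport": dport, "size": bucket}


class NaiveBayesIDS:
    def __init__(self):
        self.class_counts = Counter()                              # label -> number of examples
        self.counts = defaultdict(lambda: defaultdict(Counter))    # feature -> label -> value -> count
        self.vocab = defaultdict(set)                              # feature -> values seen in training

    def train(self, examples):
        """examples: iterable of (feature dict, label) with label 'good' or 'bad'."""
        for feats, label in examples:
            self.class_counts[label] += 1
            for name, value in feats.items():
                self.counts[name][label][value] += 1
                self.vocab[name].add(value)

    def _log_score(self, feats, label):
        """log P(label) + sum of log P(value | label), with add-one (Laplace) smoothing."""
        total = sum(self.class_counts.values())
        score = math.log(self.class_counts[label] / total)
        n_label = self.class_counts[label]
        for name, value in feats.items():
            # A value never seen in training gets one smoothed slot instead of probability zero.
            vocab_size = len(self.vocab[name]) + (0 if value in self.vocab[name] else 1)
            seen = self.counts[name][label].get(value, 0)
            score += math.log((seen + 1) / (n_label + vocab_size))
        return score

    def predict(self, feats):
        scores = {label: self._log_score(feats, label) for label in self.class_counts}
        return max(scores, key=scores.get)


def evaluate(model, labelled):
    """Confusion counts with 'bad' as the positive class."""
    summary = Counter()
    for feats, truth in labelled:
        guess = model.predict(feats)
        if truth == "bad":
            summary["tp" if guess == "bad" else "fn"] += 1
        else:
            summary["fp" if guess == "bad" else "tn"] += 1
    return dict(summary)


# Constructed training traffic: (protocol, destination port, bytes) with an analyst's label.
TRAIN = [
    (features("tcp", 80, 150), "good"),
    (features("tcp", 443, 120), "good"),
    (features("tcp", 443, 600), "good"),
    (features("udp", 53, 80), "good"),
    (features("tcp", 80, 900), "good"),
    (features("tcp", 22, 100), "good"),
    (features("udp", 53, 1400), "bad"),
    (features("tcp", 4444, 90), "bad"),
    (features("tcp", 4444, 500), "bad"),
    (features("udp", 53, 1300), "bad"),
    (features("tcp", 6667, 60), "bad"),
]

# Constructed held-out traffic with ground truth.
TEST = [
    (features("tcp", 80, 180), "good"),
    (features("tcp", 4444, 70), "bad"),
    (features("udp", 53, 1500), "bad"),
    (features("udp", 53, 90), "good"),    # ordinary DNS lookup; the model flags it (false positive)
    (features("tcp", 4444, 2000), "bad"),
    (features("tcp", 443, 150), "bad"),   # hostile traffic shaped like ordinary HTTPS (false negative)
]


def build_model():
    model = NaiveBayesIDS()
    model.train(TRAIN)
    return model


if __name__ == "__main__":
    model = build_model()
    for feats, truth in TEST:
        print(feats, "truth:", truth, "predicted:", model.predict(feats))
    print(evaluate(model, TEST))
```

The false positive arises because the small training set contains more bad DNS packets than good ones, so a benign lookup is scored as bad; the false negative arises because the hostile HTTPS packet is indistinguishable, on these features, from normal web traffic. Both are properties of the training data and the feature choice rather than bugs, which is why the slide lists them as an inherent cost of the approach.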

Active and Passive
• Passive systems detect only
  – Packets are inspected but not interfered with
  – This may be in real time or after the fact, examining the log and other records
• Active systems may block packets as well as raise alerts
  – These are called Intrusion Prevention Systems (IPS) or Intrusion Detection and Prevention Systems (IDPS)

Stateless or Stateful
• A stateless system has no memory
  – It looks at individual packets for issues without any information gleaned from previous packets
• A stateful system looks for patterns in the number and types of packets
  – During some interval of time
  – A sharp rise in a particular type of packet may trigger an alert

Stateless
• Each packet is examined individually
• Much like an antivirus program, it looks for patterns in packets that indicate malware
• Also looks for malformed packets

Stateful
• The stateful IDS looks for patterns as well
• The most common thing to look for is a Denial of Service attack
  – Many of the same packet from the same IP
  – Multiple IPs that are sending the same packet
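As an added worked example for the Stateless or Stateful and Stateful slides, not code from the slides: a sliding-window detector in Python that keeps state across packets and raises an alert for the two conditions the slide names, many of the same packet from one IP and the same packet from many IPs. The window length, the thresholds and the packet stream are all constructed; every packet in the stream is individually unremarkable, which is what a per-packet stateless check cannot see.

```python
"""Stateful rate detection over a packet stream, as a worked example.

Added illustration code, not from the slides: the thresholds, the window
length and the packet stream are all constructed. The detector keeps a
sliding window of recent packets and alerts when a count within that
window rises sharply, which a stateless per-packet check cannot notice.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 2.0          # the "interval of time" the slide refers to
SINGLE_SOURCE_THRESHOLD = 20  # same packet type from one source inside the window
DISTRIBUTED_THRESHOLD = 10    # distinct sources sending the same packet type inside the window


class StatefulDetector:
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.per_source = defaultdict(deque)  # (src, kind) -> timestamps
        self.per_kind = defaultdict(deque)    # kind -> (timestamp, src)
        self.alerted = set()                  # so each condition is reported once

    def _expire(self, dq, now, stamp=lambda item: item):
        """Drop entries older than the window; called after appending the newest one."""
        while dq and now - stamp(dq[0]) > self.window:
            dq.popleft()

    def observe(self, ts, src, kind):
        """Feed one packet (timestamp, source IP, packet type); return any new alerts."""
        alerts = []

        # Condition 1: a sharp rise of one packet type from a single source.
        dq = self.per_source[(src, kind)]
        dq.append(ts)
        self._expire(dq, ts)
        key = ("single", src, kind)
        if len(dq) >= SINGLE_SOURCE_THRESHOLD and key not in self.alerted:
            self.alerted.add(key)
            alerts.append(f"flood: {len(dq)} {kind} packets from {src} within {self.window}s")

        # Condition 2: the same packet type arriving from many distinct sources.
        kq = self.per_kind[kind]
        kq.append((ts, src))
        self._expire(kq, ts, stamp=lambda item: item[0])
        sources = {s for _, s in kq}
        key = ("distributed", kind)
        if len(sources) >= DISTRIBUTED_THRESHOLD and key not in self.alerted:
            self.alerted.add(key)
            alerts.append(f"distributed flood: {kind} from {len(sources)} sources within {self.window}s")
        return alerts


def run(stream):
    """Replay a stream of (timestamp, src, kind) in time order; return all alerts raised."""
    detector = StatefulDetector()
    alerts = []
    for ts, src, kind in sorted(stream):
        alerts.extend(detector.observe(ts, src, kind))
    return alerts


# Constructed traffic. Background: three hosts browsing, one packet every two seconds.
BACKGROUND = [(2.0 * i, f"10.0.0.{1 + i % 3}", "http") for i in range(30)]
# One host sending 25 SYNs in under half a second.
BURST = [(10.0 + 0.02 * i, "10.0.0.9", "syn") for i in range(25)]
# Twelve different hosts sending the same echo request within 0.6 seconds.
DISTRIBUTED = [(20.0 + 0.05 * i, f"192.0.2.{i + 1}", "icmp-echo") for i in range(12)]
SAMPLE_STREAM = BACKGROUND + BURST + DISTRIBUTED

if __name__ == "__main__":
    for line in run(SAMPLE_STREAM):
        print(line)
```

The per-key deques are the "memory" that distinguishes this from the stateless design: the alert fires on the twentieth SYN in the window and on the tenth distinct echo source, and each condition is reported once rather than on every subsequent packet.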

Problems
• Noise from malformed packets can create false alarms
  – High false positive rates train the personnel to ignore alerts
• Encrypted packets are not well handled
• There is a lag between threat detection by the manufacturer and a database update
• Will not detect or correct problems with weak authentication

Rules
• Most IDS have rules that determine what to look for, either to filter out or to allow
• These rules cover:
  – Type of packet, protocol, port
  – The action to perform when finding the intended packets
• These may be distributed with the IDS and augmented by the user

Rule Lists
• The rules are often organized into a whitelist or a blacklist
  – Somewhat different from IP whitelists or blacklists
• Whitelisted packets are the only packets allowed
• Blacklisted packets are the only packets filtered out
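As an added worked example for the Rules and Rule Lists slides, not code from the slides: a small Python rule engine in which each rule names a packet type (protocol and destination port) and the action to take, and the same rule format is applied with whitelist semantics (only matching packets pass) and blacklist semantics (only matching packets are filtered). The rules, the split into vendor-distributed and user-added rules, the precedence given to user rules and the sample packets are all constructed for the illustration.

```python
"""Rule lists with whitelist and blacklist semantics, as a worked example.

Added illustration code, not from the slides: the rules, the split into
vendor-distributed and user-added rules, and the packets are constructed.
A rule names a packet type (protocol and destination port) and the action
to take on a match. In whitelist mode only packets matching a rule are
allowed; in blacklist mode only packets matching a rule are filtered, and
everything else passes.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    proto: str
    dport: Optional[int]   # None means any destination port
    action: str            # "allow", "alert" or "drop"
    note: str = ""

    def matches(self, proto, dport):
        return self.proto == proto and (self.dport is None or self.dport == dport)


def decide(rules, mode, proto, dport):
    """First matching rule wins; otherwise the default depends on the list type."""
    for rule in rules:
        if rule.matches(proto, dport):
            return rule.action, rule.note
    if mode == "whitelist":
        return "drop", "not on whitelist"
    if mode == "blacklist":
        return "allow", "not on blacklist"
    raise ValueError(f"unknown list mode {mode!r}")


def process(rules, mode, packets):
    """Apply the list to a batch of (src, proto, dport); return one decision per packet."""
    return [(src, proto, dport) + decide(rules, mode, proto, dport) for src, proto, dport in packets]


# Constructed whitelist: the only packet types allowed through.
WHITELIST = [
    Rule("tcp", 80, "allow", "web"),
    Rule("tcp", 443, "allow", "web over TLS"),
    Rule("udp", 53, "allow", "dns"),
]

# Constructed blacklist, as it might be distributed with the IDS ...
VENDOR_BLACKLIST = [
    Rule("tcp", 23, "drop", "telnet not permitted"),
    Rule("tcp", 4444, "alert", "unexpected service port"),
]
# ... and augmented by the local administrator. User rules are placed first so
# that they take precedence (an ordering choice made for this example).
USER_BLACKLIST = [
    Rule("udp", None, "alert", "site policy: flag all UDP"),
]
BLACKLIST = USER_BLACKLIST + VENDOR_BLACKLIST

# Constructed sample packets: (source, protocol, destination port).
SAMPLE_PACKETS = [
    ("10.0.0.5", "tcp", 80),
    ("10.0.0.6", "tcp", 22),
    ("10.0.0.7", "tcp", 23),
    ("10.0.0.8", "udp", 53),
    ("10.0.0.9", "tcp", 4444),
]

if __name__ == "__main__":
    for mode, rules in (("whitelist", WHITELIST), ("blacklist", BLACKLIST)):
        print(f"--- {mode} ---")
        for src, proto, dport, action, note in process(rules, mode, SAMPLE_PACKETS):
            print(f"{src} {proto}/{dport}: {action} ({note})")
```

Running the same packets through both lists shows the difference the slide draws: under the whitelist, SSH on port 22 is dropped simply because nobody listed it, while under the blacklist it passes because nobody forbade it, and the user's UDP rule overrides the vendor's silence on DNS.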

Counter Measures
• IDS systems typically look at different ports for different threats
  – Putting the packet on a different port may confuse the IDS
• Rearranging the contents of the packet to fool the signature matching
• Spanning the information over several packets to prevent pattern recognition
  – AKA fragmentation

Open Source IDS
• SNORT is currently maintained by Cisco
  – Network Intrusion Detection and Prevention System
• Suricata
  – Another rule-based NIDS/NIPS system

Finally
• Antivirus and IDS have a lot in common
  – Signature matching among other things
• They tend to complement each other and the use of a firewall
• There are several free IDS as well