Intrusion Detection Systems An Introduction Copyright © 2019 – Curt Hill
Introduction
• An IDS does just what its name says
  – Raise an alert when an intrusion is detected
• A firewall will prevent certain types of packets from entering the intranet
• An IDS will detect but not always stop
• They use a variety of techniques in the detection
Several Categories
• Where they are located and what they protect
  – Network (NIDS) vs. host (HIDS)
• Detection method
  – Signature and/or anomaly-based
• What they remember
  – Stateless vs. stateful
• Protection
  – Active vs. passive
NIDS
• Usually placed at a strategic location in the network
  – Usually near the gateway router
• Examines all the packets that pass by
  – Both inbound and outbound
  – Looks for unexpected packets
• Maintains a log of activity
• An anomaly causes a notification
  – Typically to the administrator or security officer
HIDS
• Resident on and protects a single device
  – Monitors packets from and to that device only
• Records the state of the system and its executables
  – Compares this with the previous state to detect changes
• Also logs and notifies
• Similar to antivirus in some respects
Signature Detection
• The signature method of antivirus software is used here as well
  – Applied to packets
• Like an antivirus, a database of packet signatures is used
  – Needs to be updated regularly
• HIDS anomalies
  – Programs that have never generated packets before and suddenly start to may indicate an infection
  – Excessive run times for programs may also indicate an anomaly
• NIDS anomalies
  – Changes in traffic patterns or in the types of packets
• Anomaly detection has a chance of working before the signature has been observed
Anomaly Detection
• As in an antivirus, the signature method has some drawbacks
  – Fails on unknown attacks, etc.
• A machine learning approach may be used
  – We train the system with normal packets
  – Then, when it sees something unusual, it complains
Machine Learning
• There are several learning algorithms
  – Bayesian, neural networks and others
• We expose these to a variety of examples
  – Each marked as good or bad
• Once trained, it predicts which are good and which are bad
  – There are possible false positives and false negatives
Active and Passive
• Passive systems detect only
  – Packets are inspected but not interfered with
  – This may be in real time or after the fact, examining the log and other records
• Active systems may block packets as well as raise alerts
  – These are called Intrusion Prevention Systems (IPS) or Intrusion Detection and Prevention Systems (IDPS)
Stateless or Stateful
• A stateless system has no memory
  – It looks at individual packets for issues, without any information gleaned from previous packets
• A stateful system looks for patterns in the number and types of packets
  – During some interval of time
  – A sharp rise in a particular type of packet may trigger an alert
Stateless
• Each packet is examined individually
• Much like an antivirus program, it looks for patterns in packets that indicate malware
• It also looks for malformed packets
Stateful
• The stateful IDS looks for patterns as well
• The most common things to look for are Denial of Service attacks
  – Many of the same packet from the same IP
  – Multiple IPs that are sending the same packet
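The two stateful DoS patterns above, worked as an added example (not from the slides): a sliding-window counter per packet signature that alerts on many copies from one source or on one packet type arriving from many sources. The traffic, thresholds and the use of a short payload string as the "signature" are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample traffic as (timestamp_seconds, src_ip, signature); the signature
# stands in for "the same packet" (a real sensor would hash header fields and payload).
SAMPLE_PACKETS = (
    [(0.0, "10.0.0.5", "GET /"), (0.5, "10.0.0.6", "GET /")]
    + [(1.0 + i * 0.01, "203.0.113.9", "SYN") for i in range(120)]                  # one host, many packets
    + [(2.0 + i * 0.02, f"198.51.100.{i}", "ANY example.com") for i in range(30)]  # many hosts, same packet
    + [(3.0, "10.0.0.7", "TLS ClientHello")]
)

class StatefulDetector:
    """Sliding-window counters over recent packets, kept per packet signature.
    Covers both slide patterns: same packet from one IP many times, and the
    same packet from many distinct IPs, within one time window."""
    def __init__(self, window_s, per_source_limit, distinct_source_limit):
        self.window_s = window_s
        self.per_source_limit = per_source_limit
        self.distinct_source_limit = distinct_source_limit
        self.recent = defaultdict(deque)   # signature -> deque of (ts, src_ip)
        self.alerted = set()               # alert once per (kind, key), not once per packet

    def observe(self, ts, src_ip, signature):
        """Record one packet and return the alerts it triggers (usually none)."""
        q = self.recent[signature]
        q.append((ts, src_ip))
        while q and ts - q[0][0] > self.window_s:   # expire packets that fell out of the window
            q.popleft()
        alerts = []
        per_src = sum(1 for _, ip in q if ip == src_ip)
        key = ("flood", src_ip, signature)
        if per_src > self.per_source_limit and key not in self.alerted:
            self.alerted.add(key)
            alerts.append(f"flood: {per_src} x {signature!r} from {src_ip} within {self.window_s}s")
        distinct = len({ip for _, ip in q})
        key = ("distributed", signature)
        if distinct > self.distinct_source_limit and key not in self.alerted:
            self.alerted.add(key)
            alerts.append(f"distributed: {signature!r} from {distinct} sources within {self.window_s}s")
        return alerts

def run(packets, window_s=1.0, per_source_limit=100, distinct_source_limit=20):
    """Feed packets in order and collect every alert raised."""
    det = StatefulDetector(window_s, per_source_limit, distinct_source_limit)
    alerts = []
    for ts, src_ip, signature in packets:
        alerts.extend(det.observe(ts, src_ip, signature))
    return alerts
```

Alerting once per key rather than per packet is what keeps a real flood from turning into an alert flood of its own, which is the "noise trains people to ignore alerts" problem raised later in the deck.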
Problems
• Noise from malformed packets can create false alarms
  – A high false positive rate trains the personnel to ignore alerts
• Encrypted packets are not well handled
• There is a lag between threat detection by the manufacturer and a database update
• Will not detect or correct problems with weak authentication
Rules
• Most IDS have rules that determine what to look for, either to filter out or to allow
• These rules cover:
  – Type of packet, protocol, port
  – The action to perform when the intended packets are found
• These may be distributed with the IDS and augmented by the user
Rule Lists
• The rules are often organized into a whitelist or a blacklist
  – Somewhat different from IP whitelists or blacklists
• A whitelist names the only packets allowed
• A blacklist names the only packets filtered out
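A small rule engine, added here as an example rather than taken from the slides or any real IDS, showing the rule fields just listed (protocol, port, action), the whitelist/blacklist default for unmatched packets, and the active/passive distinction from earlier: a passive sensor cannot drop, so its "drop" verdict degrades to an alert. Rule lists, sample packets and the field names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src_ip: str
    dst_port: Optional[int]    # None for protocols without ports (icmp)

@dataclass(frozen=True)
class Rule:
    proto: str                 # protocol name, or "any"
    dst_port: Optional[int]    # port number, or None to match any port
    action: str                # "pass", "alert" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))

def decide(pkt: Packet, rules: List[Rule], mode: str, active: bool) -> str:
    """Return the verdict for one packet; first matching rule wins.

    mode="whitelist": rules name the only packets allowed, anything unmatched is dropped.
    mode="blacklist": rules name the only packets filtered, anything unmatched passes.
    A passive IDS only inspects, so "drop" becomes "alert" unless the sensor is active (IPS).
    """
    verdict = next((r.action for r in rules if r.matches(pkt)), None)
    if verdict is None:
        verdict = "drop" if mode == "whitelist" else "pass"
    if verdict == "drop" and not active:
        verdict = "alert"
    return verdict

# Constructed whitelist: permit only web and DNS traffic, everything else is unwanted.
WHITELIST = [Rule("tcp", 80, "pass"), Rule("tcp", 443, "pass"), Rule("udp", 53, "pass")]
# Constructed blacklist: telnet is dropped, traffic to port 445 is only alerted on.
BLACKLIST = [Rule("tcp", 23, "drop"), Rule("tcp", 445, "alert")]

SAMPLE = [
    Packet("tcp", "10.0.0.5", 443),   # HTTPS
    Packet("tcp", "10.0.0.5", 23),    # telnet
    Packet("icmp", "10.0.0.6", None), # ping, no port
]

def run(mode: str, active: bool) -> List[str]:
    """Verdicts for SAMPLE under the chosen list type and sensor mode."""
    rules = WHITELIST if mode == "whitelist" else BLACKLIST
    return [decide(p, rules, mode, active) for p in SAMPLE]
```

Note how the same ICMP packet passes under the blacklist but is blocked (or merely flagged, when passive) under the whitelist: the default for unmatched traffic is the real difference between the two list types.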
Counter Measures
• IDS systems typically look at different ports for different threats
  – Putting the packet to a different port may confuse the IDS
• Rearranging the contents of the packet to fool the signature matching
• Spanning the information over several packets to prevent pattern recognition
  – AKA fragmentation
Open Source IDS
• Snort is currently maintained by Cisco
  – Network Intrusion Detection and Prevention System
• Suricata
  – Another rule-based NIDS/NIPS
Finally
• Antivirus and IDS have a lot in common
  – Signature matching, among other things
• They tend to complement each other and the use of a firewall
• There are several free IDS as well