
Intrusion Detection Systems By: William Pinkerton and Sean Burnside

What is IDS
• IDS is the acronym for Intrusion Detection System
• Secures systems from attack
• Attacks on a system come through the network, by either:
  Ø Crackers
  Ø Hackers
  Ø Disgruntled employees
• Five different kinds of intrusion detection systems:
  1. Network-based
  2. Protocol-based
  3. Application-based
  4. Host-based
  5. Hybrid

History of IDS
• Began in the mid 1980s
• James P. Anderson
  • “Computer Security Threat Monitoring and Surveillance”
• Fred Cohen
  • The inventor of defenses against viruses
  • Said, “It is impossible to detect an intrusion in every case” and “the resources needed to detect intrusion grow with the amount of usage”
• Dorothy E. Denning, assisted by Peter Neumann
  • Created an anomaly-based intrusion detection system
  • Named Intrusion Detection Expert System
  • A later version was named Next-generation Intrusion Detection Expert System

Passive vs. Reactive Systems
• Passive System
  • First detects a breach
  • Logs the breach and/or alerts the administrator(s)
• Reactive System
  • Takes action beyond alerting on the breach, by either:
    Ø Resetting the connection
    Ø Reprogramming the firewall

Firewall and Antivirus vs. IDS
• Firewall
  • Blocks potentially harmful incoming or outgoing traffic
  • Does not detect intrusions
• Antivirus
  • Scans files to identify or eliminate either:
    Ø Malicious software
    Ø Computer viruses
• Intrusion Detection Systems
  • Alert the administrator(s) of suspicious activity
  • Look for intrusions before they happen
**Note: For maximum protection it is best to have all three!!**

5 Methods of IDS
1. Network-based Intrusion Detection System
2. Protocol-based Intrusion Detection System
3. Application-based Intrusion Detection System
4. Host-based Intrusion Detection System
5. Hybrid Intrusion Detection System

Network-based Intrusion Detection System
• Runs at different points of a network
• Scans for DoS attacks, activity on ports and hacking
• Also scans incoming and outgoing packets that are bad
• Pros
  • Not much overhead on the network
  • Installing, upkeep and securing is easy
  • Undetectable by most hacks
• Cons
  • Has trouble with large networks

Network-based Intrusion Detection System (cont.)
• Cons (cont.)
  • Has trouble with switch-based networks
  • No reporting of whether an attack fails or succeeds
  • Cannot look at encrypted data

Protocol-based Intrusion Detection System
• Sits at the front end of a server
• Usually used for web servers
• Two uses
  • Making sure a protocol is enforced and used correctly
  • Teaching the system the constructs of a protocol
• Pros
  • Easier for the system to pick up on attacks since it is protocol-based
• Cons
  • Rules for protocols come out slowly, which could leave a gap in attack coverage

Host-based Intrusion Detection System
• Internally based detection system
• Analyses a system four ways
  • File system monitoring
  • Logfile analysis
  • Connection analysis
  • Kernel-based intrusion detection
• Pros
  • Analyses encrypted data
  • Can keep up with switch-based networks
  • Provides more information about attacks

Host-based Intrusion Detection System (cont.)
• Pros (cont.)
  • System can tell what processes were used in the attack
  • System can tell the users involved in the attack
• Cons
  • Decrease in network performance if multiple hosts are analysed
  • If the host machine is broken into, the system can be disabled
  • Affected by DoS attacks
  • Needs a lot of resources
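As an added illustration of two of the host-based analysis methods listed above (file system monitoring and logfile analysis) together with the passive versus reactive distinction from the earlier slide (example code, not part of the original slides): a hypothetical minimal host-based IDS that baselines file digests, counts failed logins per source address over constructed log lines, and either only raises alerts (passive) or also proposes firewall actions (reactive). The monitored file name, the log line format and the failed-login threshold are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# Hypothetical minimal host-based IDS (constructed example): file system
# monitoring, logfile analysis, and a passive/reactive response policy.
FAILED_LOGIN = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+)")

def hash_file(path):
    """SHA-256 digest of a file; the unit of the file-integrity baseline."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(paths):
    """Record a trusted digest for every monitored file."""
    return {str(p): hash_file(p) for p in paths}

def check_integrity(baseline):
    """Return monitored files that are missing or no longer match the baseline."""
    return sorted(p for p, d in baseline.items()
                  if not Path(p).exists() or hash_file(p) != d)

def analyze_log(lines, threshold=3):
    """Count failed logins per source IP; keep sources at or over the threshold."""
    counts = {}
    for m in filter(None, map(FAILED_LOGIN.search, lines)):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def respond(changed, sources, reactive=False):
    """Passive: log/alert only. Reactive: additionally propose firewall rules."""
    alerts = [f"integrity: {p} modified or missing" for p in changed]
    alerts += [f"log: {n} failed logins from {ip}" for ip, n in sorted(sources.items())]
    actions = [f"firewall: block {ip}" for ip in sorted(sources)] if reactive else []
    return alerts, actions

def demo(reactive=True):
    # Constructed monitored file: baseline it, then append an extra UID-0 account.
    target = Path(tempfile.mkdtemp()) / "passwd"
    target.write_text("root:x:0:0:root:/root:/bin/sh\n")
    baseline = build_baseline([target])
    target.write_text("root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
    log = [  # constructed auth log lines; three failures from one source
        "sshd[71]: Failed password for root from 203.0.113.7 port 4412 ssh2",
        "sshd[72]: Failed password for admin from 203.0.113.7 port 4413 ssh2",
        "sshd[73]: Accepted password for alice from 198.51.100.2 port 5000 ssh2",
        "sshd[74]: Failed password for root from 203.0.113.7 port 4414 ssh2",
    ]
    changed, sources = check_integrity(baseline), analyze_log(log)
    return (changed, sources) + respond(changed, sources, reactive)
```

Running `demo()` returns the changed files, the flagged sources, the alert list and (in reactive mode) the proposed firewall actions; the reactive branch only proposes actions here rather than executing them.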

Application-based Intrusion Detection System
• Is application specific
• Monitors dynamic behaviours and states of a protocol
• The system analyses the communication between applications
• Pros
  • Greater chance of detecting an attack since it is application specific
  • Can look at encrypted data
• Cons
  • Needs a lot of processing power

Hybrid Intrusion Detection System
• Combines two or more systems
• Pros
  • It has the same pros as the systems that it is based on
• Cons
  • It has the same cons as the systems that it is based on

Top 5 IDS
1. Snort
2. OSSEC HIDS
3. Fragrouter
4. BASE
5. Sguil

Snort
• Lightweight, open source
• Originally named bro
• Developed by Lawrence Berkeley National Laboratory in 1998
• The most widely used intrusion detection system
• Capable of performing packet logging and real-time traffic analysis over IP networks

OSSEC HIDS
• Strong log analysis engine
• Correlates and analyses logs from different devices and formats
• Can be centralized
• Many different systems can be monitored
• Runs on most operating systems
  • Linux
  • OpenBSD
  • Mac OS X
  • Solaris
  • FreeBSD
  • Windows

Fragrouter
• Used to evade intrusion detection systems
• Limited to certain operating systems
  • BSD
  • Linux
• Good tool for finding weaknesses on a network, computers, or servers that an IDS may not be able to find

BASE
• Written in PHP
• Nice web front end
• Analyses data stored in a database that is populated by firewalls, IDS, and network monitoring tools

Sguil
• Known for its graphical user interface
• Runs on operating systems that support Tcl/Tk
  • Linux
  • BSD
  • Solaris
  • Mac OS
  • Win32
• Network security monitoring
• Provides intrusion detection system alerts

Question Time…