Signature Based and Anomaly Based Network Intrusion Detection
Signature Based and Anomaly Based Network Intrusion Detection. By Stephen Loftus and Kent Ho, CS 158B.
Agenda • Introduce Network Intrusion Detection (NID) • Signature • Anomaly • Compare and Contrast: Signature based vs. Anomaly based NID • Example using Ethereal™
Intrusion Detection Systems • Intrusion detection begins where the firewall ends. • Preventing unauthorized entry is best, but it is not always possible, so you also need to know when it has happened. • The IDS itself must be reliable, accurate and secure: a sensor that misses attacks, floods operators with false alarms, or can be subverted by the attacker gives false confidence.
IDS (cont.) • When designing an IDS, the mission is to protect the data's – Confidentiality: only authorized parties can read it – Integrity: only authorized parties can write or modify it – Availability: authorized parties can reach and use it when they need to • Threats can come from both outside and inside the network, so a sensor on the perimeter alone is not enough.
Signature • Signature-based IDS look for "known patterns" of harmful activity: each rule describes a specific attack (a byte sequence in the payload, a header combination, a protocol violation) and observed traffic is compared against the rule set. • Benefits: – Low false-alarm rate: the system only reports when traffic matches a known attack signature. – High accuracy for attacks already in the rule set: an alert names the specific attack that matched. – Speed: comparing what is seen against predetermined rules is cheap, so the system keeps up with the traffic.
Signature (cont.) • Negatives: – A new attack for which no signature exists is not detected at all. – The system is "only as strong as its rule set." – Attacks can be masked by splitting the attack across several packets or TCP segments, so that no single packet contains the pattern; a sensor that inspects packets one at a time, without reassembling the stream, misses it. • As with anti-virus, after a new attack is recorded the signature files must be updated before the network is protected against it. • Examples of activity detected by signatures: – Port scan – DoS – Sniffing
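To make the "splitting up the messages" evasion concrete, here is an added example (not code from the slides) of a toy signature matcher run two ways over the same constructed traffic: once per TCP segment, and once after reassembling each flow by sequence number. The signature strings, flow identifiers and payloads are all constructed for the demonstration.

```python
# Added example, not from the original slides: a toy signature-based
# detector. A matcher that inspects each TCP segment on its own misses a
# signature that straddles two segments; one that reassembles the stream
# first still catches it. Signatures and traffic below are constructed.
import re
from collections import defaultdict

# Constructed "known pattern" rule set: (name, compiled regex over payload).
# The patterns are assumptions for the demo, not real vendor rules.
SIGNATURES = [
    ("web-cmd-injection", re.compile(rb"/bin/sh")),
    ("cgi-traversal", re.compile(rb"\.\./\.\./")),
]


def match_signatures(data: bytes) -> list:
    """Return the names of all signatures found in one buffer."""
    return [name for name, pattern in SIGNATURES if pattern.search(data)]


def detect_per_segment(segments):
    """Naive NIDS: inspect every TCP segment in isolation.
    segments: iterable of (flow_id, seq, payload)."""
    alerts = set()
    for flow_id, _seq, payload in segments:
        for name in match_signatures(payload):
            alerts.add((flow_id, name))
    return alerts


def detect_with_reassembly(segments):
    """Stream-aware NIDS: reorder each flow by sequence number, join the
    payloads, and only then run the signature match."""
    streams = defaultdict(list)
    for flow_id, seq, payload in segments:
        streams[flow_id].append((seq, payload))
    alerts = set()
    for flow_id, parts in streams.items():
        data = b"".join(payload for _seq, payload in sorted(parts))
        for name in match_signatures(data):
            alerts.add((flow_id, name))
    return alerts


# Constructed traffic: flow A sends the attack string in one segment; flow B
# splits it so that no single segment contains "/bin/sh".
FLOW_A = "10.0.0.5:40001->10.0.0.9:80"
FLOW_B = "10.0.0.6:40002->10.0.0.9:80"
SEGMENTS = [
    (FLOW_A, 0, b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0\r\n"),
    (FLOW_B, 0, b"GET /cgi-bin/x?cmd=/bi"),   # 22 bytes, ends mid-pattern
    (FLOW_B, 22, b"n/sh HTTP/1.0\r\n"),       # rest of the same request
]

if __name__ == "__main__":
    print("per-segment:", detect_per_segment(SEGMENTS))
    print("reassembled:", detect_with_reassembly(SEGMENTS))
```

The per-segment pass only reports flow A; the reassembled pass reports both. Real sensors do exactly this reassembly (and IP defragmentation) before matching, which is also why stream tracking costs them memory and CPU.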
Anomaly • Anomaly-based IDS build a profile of normal behaviour (traffic volumes, protocols and ports in use, which hosts talk to which) and raise an alert when observed behaviour deviates from that baseline, so no prior knowledge of the specific attack is needed. • Advantages: – Reduces the "known attacks only" limitation of signatures: a novel attack can be caught because its traffic looks different, not because it is on a list. – Screens everything that passes through, rather than only the parts a rule set mentions.
Anomaly (cont.) • Disadvantages: – False positives: because a behaviour-based NID alerts on anything that differs from the learned baseline, legitimate but unusual activity (a new application, a backup job, an unusually busy day) is flagged as well. – Exhaustive monitoring is painstakingly slow and uses a lot of resources: the system must keep state and statistics for every host and flow it profiles. • After an anomaly has been detected and confirmed as an attack, it can be written up as a "signature", so the cheaper signature engine catches it next time.
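The following added example (not code from the slides) shows the anomaly approach end to end on constructed data: learn a per-host baseline of outbound connections per minute, flag minutes that deviate by more than a threshold of standard deviations, and then promote a confirmed anomaly into a fixed threshold rule of the kind a signature engine can run. The host addresses, counts, the z-score threshold of 3 and the minimum standard deviation floor are all assumptions for the demonstration.

```python
# Added example, not from the original slides: a toy anomaly-based detector
# with the "anomaly becomes a signature" step. All traffic counts are
# constructed; thresholds are assumptions chosen for the demo.
import statistics


def build_baseline(training_counts, min_std=1.0):
    """Per-host mean and standard deviation of connections per minute.
    training_counts: {host: [count_minute1, count_minute2, ...]}.
    min_std is an assumed floor so a perfectly flat training window does
    not make every tiny deviation look enormous."""
    baseline = {}
    for host, counts in training_counts.items():
        mean = statistics.mean(counts)
        std = statistics.pstdev(counts) if len(counts) > 1 else 0.0
        baseline[host] = (mean, max(std, min_std))
    return baseline


def score(baseline, host, count):
    """Z-score of an observed count against the host's baseline.
    A host with no baseline at all is reported as infinitely anomalous."""
    if host not in baseline:
        return float("inf")
    mean, std = baseline[host]
    return (count - mean) / std


def detect_anomalies(baseline, observations, threshold=3.0):
    """Return (host, minute, count, z) for observations above threshold."""
    alerts = []
    for host, minute, count in observations:
        z = score(baseline, host, count)
        if z > threshold:
            alerts.append((host, minute, count, round(z, 1)))
    return alerts


def promote_to_signature(baseline, host, threshold=3.0):
    """Turn a confirmed anomaly into a fixed rule ("host X exceeding N
    connections per minute"), the cheap low-false-positive check a
    signature engine can apply from then on without any statistics."""
    mean, std = baseline[host]
    return {"host": host, "max_connections_per_minute": mean + threshold * std}


# Constructed training data: ten quiet minutes per host.
TRAINING = {
    "10.0.0.5": [4, 5, 6, 5, 4, 6, 5, 5, 4, 6],
    "10.0.0.6": [20, 22, 19, 21, 20, 23, 18, 21, 20, 22],
}
# Constructed observations: 10.0.0.5 suddenly opens 60 connections in one
# minute (worm-like fan-out); 10.0.0.6 is busy but within its normal range;
# 10.0.0.7 has never been seen before.
OBSERVATIONS = [
    ("10.0.0.5", "09:00", 5),
    ("10.0.0.5", "09:01", 60),
    ("10.0.0.6", "09:01", 24),
    ("10.0.0.7", "09:01", 3),
]

if __name__ == "__main__":
    base = build_baseline(TRAINING)
    for alert in detect_anomalies(base, OBSERVATIONS):
        print("anomaly:", alert)
    print("new rule:", promote_to_signature(base, "10.0.0.5"))
```

Note the two false-positive traps the slide warns about, both visible here: the never-seen host 10.0.0.7 is flagged although it only opened three connections, and 10.0.0.6 at 24 connections escapes only because its training window was noisy enough. Tightening the threshold trades one for the other.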
Anomaly vs. Signature • Which is the best way to defend your network? – Both have advantages. – Signature detection can be used as a stand-alone system. – Anomaly detection has weak points (false positives, resource cost) that prevent it from being a stand-alone system. • Of the two, signature detection is the better choice on its own for defending your network. • The best way is to use both: signatures for the attacks you already know, anomaly detection to catch what the rule set does not yet cover.
Example • Using Ethereal™ to detect a port scan – A port scan is when someone sends connection requests to a sequence of ports on a host, trying to find which ones are open. Most of the probes hit closed ports and come back with a "reset" (RST). – Normal TCP/IP port request: SYN from the client, SYN/ACK from the server, ACK from the client (the three-way handshake). – Port request on a closed port: SYN from the client, RST/ACK from the server. A run of SYNs from one source to many ports, answered mostly by resets, is the scan pattern to look for in the capture.
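As an added example (not code from the slides), the following script applies the same flag-level reasoning a packet list in Ethereal (now Wireshark) lets you do by eye: it classifies each (client, server, port) flow as open, closed or unanswered from the SYN, SYN/ACK and RST/ACK packets, then flags a source that probed many ports and was mostly refused. The capture is constructed inline; the detection thresholds (5 distinct ports, half of them refused) are assumptions for the demonstration.

```python
# Added example, not from the original slides: a small port-scan detector
# working on the TCP flag view a packet analyser shows. A normal connection
# is SYN -> SYN/ACK -> ACK; a probe of a closed port is SYN -> RST/ACK.
# The packets below are constructed; thresholds are demo assumptions.
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits


def parse_flags(flags: int) -> str:
    """Render a TCP flag byte the way a packet list does, e.g. 'RST, ACK'."""
    names = [n for bit, n in ((SYN, "SYN"), (RST, "RST"), (ACK, "ACK")) if flags & bit]
    return ", ".join(names) or "none"


def classify_flows(packets):
    """Group packets into (client, server, dport) flows and label each as
    'open' (SYN/ACK seen), 'closed' (RST seen) or 'unanswered'.
    packets: iterable of (src, dst, sport, dport, flags)."""
    flows = {}
    for src, dst, sport, dport, flags in packets:
        if flags & SYN and not flags & ACK:        # client probe
            flows.setdefault((src, dst, dport), "unanswered")
        elif flags & SYN and flags & ACK:          # server accepted
            flows[(dst, src, sport)] = "open"
        elif flags & RST:                          # server refused
            flows[(dst, src, sport)] = "closed"
    return flows


def detect_port_scans(packets, min_ports=5, min_closed_ratio=0.5):
    """Flag sources that probed at least min_ports distinct ports on one host
    with at least min_closed_ratio of those probes answered by a reset."""
    by_scanner = defaultdict(dict)
    for (src, dst, dport), state in classify_flows(packets).items():
        by_scanner[(src, dst)][dport] = state
    scans = []
    for (src, dst), ports in by_scanner.items():
        closed = sum(1 for s in ports.values() if s == "closed")
        if len(ports) >= min_ports and closed / len(ports) >= min_closed_ratio:
            scans.append((src, dst, sorted(ports), closed))
    return scans


# Constructed capture: (src, dst, sport, dport, flags).
PACKETS = [
    # a normal connection from 10.0.0.5 to the web server
    ("10.0.0.5", "10.0.0.9", 40001, 80, SYN),
    ("10.0.0.9", "10.0.0.5", 80, 40001, SYN | ACK),
    ("10.0.0.5", "10.0.0.9", 40001, 80, ACK),
]
# 10.0.0.6 walks ports 20-27 sequentially; only 22 and 25 are open.
for i, port in enumerate(range(20, 28)):
    sport = 50000 + i
    PACKETS.append(("10.0.0.6", "10.0.0.9", sport, port, SYN))
    if port in (22, 25):
        PACKETS.append(("10.0.0.9", "10.0.0.6", port, sport, SYN | ACK))
    else:
        PACKETS.append(("10.0.0.9", "10.0.0.6", port, sport, RST | ACK))

if __name__ == "__main__":
    for pkt in PACKETS[:5]:
        print(pkt[:4], parse_flags(pkt[4]))
    print("scans:", detect_port_scans(PACKETS))
```

In the analyser itself, the equivalent first cut is the display filter `tcp.flags.reset == 1` to list the refusals, then sorting by source address to see which host collects them.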