Signature Based and Anomaly Based Network Intrusion Detection

Signature Based and Anomaly Based Network Intrusion Detection By Stephen Loftus and Kent Ho CS 158 B

Agenda • Introduce Network Intrusion Detection (NID) • Signature • Anomaly • Compare and Contrast: Signature based vs. Anomaly based NID • Example using Ethereal™

Intrusion Detection Systems • Intrusion detection begins where the firewall ends. • Preventing unauthorized entry is best, but not always possible. • It is important that the system is reliable and accurate and secure.

IDS (cont. ) • When designing a IDS, the mission is to protect the data’s – Confidentiality- read – Integrity- read/write – Availability- read/write/access • Threats can come from both outside and inside the network.

Signature • Signature based IDS are based on looking for “known patterns” of detrimental activity. • Benefits: – Low alarm rates: All it has to do is to look up the list of known signatures of attacks and if it finds a match report it. – Signature based NID are very accurate. – Speed: The systems are fast since they are only doing a comparison between what they are seeing and a predetermined rule.

Signature (cont. ) • Negatives: – If someone develops a new attack, there will be no protection. – “only as strong as its rule set. ” – Attacks can be masked by splitting up the messages. • Similar to Anti-Virus, after a new attack is recorded, the data files need to be updated before the network is secure. • Example: – Port Scan – DOS – Sniffing

Anomaly • Anomaly based IDS are based on tracking unknown unique behavior pattern of detrimental activity • Advantages: – Helps to reduce the “limitations problem”. – Conducts a thorough screening of what comes through.

Anomaly (cont. ) • Disadvantages: – False positives, catches too much because Behavior based NIDs monitor a system based on their behavior patterns. – Painstaking slow to do an exhaustive monitoring, uses up a lot or resource After an anomaly has been detected, it may become a “signature”.

Anomaly vs. Signature • Which is the best way to defend your network? – Both have advantages – Signature can be used as a stand alone system – Anomaly has a few weak points that prevent it from being a stand alone system. • Signature is the better of the two for defending you network • The best way is to use both!

Example • Using Ethereal™ to detect a port scan – A port scan is when a person executes sequential port open requests trying to find an open port. Most of these come back with a “reset” – Normal TCP/IP port request – Port request on closed port