مقبل الحاج Intrusion Detection


  • 8/2/2019 Intrusion Detection

    1/15

    2/15

    Intrusion & Intrusion Detection
    Intruders
    Intrusion Detection systems
    Intrusion detection process
    Intrusion detection techniques
    Data Mining for Intrusion Detection

    3/15

    The word intrusion means a wrongful entry, or the act of seizing or taking possession of the property of another.

    Intrusion detection means identifying potentially malicious or undesirable activity.

    4/15

    Outsider: penetrates a system's access controls to use a user's account.

    Insider: makes unauthorized access to data, programs or resources.

    Either outsider or insider: seizes supervisory control of the system and uses it to avoid auditing and access controls.

    5/15

    The difficulty results from the fact that the defender must be ready to prevent all possible attacks, whereas the attacker is free to find the weakest link in the defense chain and attack it.

    6/15

    An intrusion detection system is a combination of software and hardware that attempts to perform intrusion detection and raises an alarm when a possible intrusion happens.

    If a firewall is like having a security guard at your office door, checking the credentials of everyone coming and going, then an intrusion-detection system (IDS) is like having a network of sensors that tells you when someone has broken in, where they are and what they're doing.

    7/15

    Information theft is up over 250% in the last 5 years.

    99% of all major companies report at least one major incident.

    Telecom and computer fraud totaled $10 billion in the US alone.

    There are 5 million attacks in the DOD (Department of Defense) every day.

    8/15

    Host-based IDSs analyze host-bound audit sources such as operating system audit trails, system logs, or application logs. They detect attacks against a single host.

    Network-based IDSs use network traffic as the audit data source, relieving the burden on the hosts that usually provide normal computing services. They detect attacks from the network.

    Network-based IDSs are like neighborhood police patrols.

    9/15 to 12/15

    No text was extracted from these slides; only the slide footer survives: (BPM) for Science & Technology University, Ibb Branch.

    13/15

    Figure labels: Training Set, Learn, Model, Classifier, Test Set

    Training Set

    Tid  Src IP         Start time  Dest IP         Dest Port  Number of bytes  Attack
    1    206.135.38.95  11:07:20    160.94.179.223  139        192              No
    2    206.163.37.95  11:13:56    160.94.179.219  139        195              No
    3    206.163.37.95  11:14:29    160.94.179.217  139        180              No
    4    206.163.37.95  11:14:30    160.94.179.255  139        199              No
    5    206.163.37.95  11:14:32    160.94.179.254  139        19               Yes
    6    206.163.37.95  11:14:35    160.94.179.253  139        177              No
    7    206.163.37.95  11:14:36    160.94.179.252  139        172              No
    8    206.163.37.95  11:14:38    160.94.179.251  139        285              Yes
    9    206.163.37.95  11:14:41    160.94.179.250  139        195              No
    10   206.163.37.95  11:14:44    160.94.179.249  139        163              Yes

    Test Set

    Tid  Src IP         Start time  Dest IP         Number of bytes  Attack
    1    206.163.37.81  11:17:51    160.94.179.208  150              ?
    2    206.163.37.99  11:18:10    160.94.179.235  208              ?
    3    206.163.37.55  11:34:35    160.94.179.221  195              ?
    4    206.163.37.37  11:41:37    160.94.179.253  199              ?
    5    206.163.37.41  11:55:19    160.94.179.244  181              ?

    Rules Discovered:

    {Src IP = 206.163.37.95, Dest Port = 139, Bytes [150, 200]} --> {ATTACK}
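As an added example that is not part of the slides, the discovered rule written as a small rule-based classifier in Python: the training and test rows are transcribed from the two tables, the code measures how many training records the rule covers and how many of those are labelled attacks, and then applies the rule to the unlabelled test set. The extracted test rows carry no destination port, so that field is stored as None and a rule that needs it cannot fire on them.

```python
# Records transcribed from the slide's training and test tables (embedded here
# so the example runs offline). The slide lists no destination port for the
# test rows, so that field is left as None.
def rec(tid, src_ip, dest_ip, dest_port, nbytes, attack=None):
    return {"tid": tid, "src_ip": src_ip, "dest_ip": dest_ip,
            "dest_port": dest_port, "bytes": nbytes, "attack": attack}
TRAINING = [
    rec(1, "206.135.38.95", "160.94.179.223", 139, 192, "No"),
    rec(2, "206.163.37.95", "160.94.179.219", 139, 195, "No"),
    rec(3, "206.163.37.95", "160.94.179.217", 139, 180, "No"),
    rec(4, "206.163.37.95", "160.94.179.255", 139, 199, "No"),
    rec(5, "206.163.37.95", "160.94.179.254", 139, 19, "Yes"),
    rec(6, "206.163.37.95", "160.94.179.253", 139, 177, "No"),
    rec(7, "206.163.37.95", "160.94.179.252", 139, 172, "No"),
    rec(8, "206.163.37.95", "160.94.179.251", 139, 285, "Yes"),
    rec(9, "206.163.37.95", "160.94.179.250", 139, 195, "No"),
    rec(10, "206.163.37.95", "160.94.179.249", 139, 163, "Yes"),
]
TEST = [
    rec(1, "206.163.37.81", "160.94.179.208", None, 150),
    rec(2, "206.163.37.99", "160.94.179.235", None, 208),
    rec(3, "206.163.37.55", "160.94.179.221", None, 195),
    rec(4, "206.163.37.37", "160.94.179.253", None, 199),
    rec(5, "206.163.37.41", "160.94.179.244", None, 181),
]
# The rule from the slide: a 2-tuple is an inclusive range, any other value must match exactly.
RULE = {"src_ip": "206.163.37.95", "dest_port": 139, "bytes": (150, 200)}

def matches(rule, record):
    """True when every condition holds; a missing attribute never satisfies."""
    for attr, cond in rule.items():
        value = record.get(attr)
        if value is None:
            return False
        if isinstance(cond, tuple):
            if not cond[0] <= value <= cond[1]:
                return False
        elif value != cond:
            return False
    return True

def evaluate(rule, labelled):
    """Coverage and confidence: which Tids the rule fires on, and what fraction are attacks."""
    covered = [r for r in labelled if matches(rule, r)]
    hits = sum(1 for r in covered if r["attack"] == "Yes")
    return [r["tid"] for r in covered], (hits / len(covered) if covered else 0.0)

def classify(rule, unlabelled):
    """Apply the rule to unlabelled records: fires -> "Yes", otherwise "No"."""
    return {r["tid"]: "Yes" if matches(rule, r) else "No" for r in unlabelled}
```

On the slide's own training table the rule fires on seven records but only one of them is labelled an attack, which is the kind of confidence check a discovered rule needs before it is turned into a detection signature.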


    15/15

    Thank you