Transcript
Page 1: 1. INTRUSION Intrusion Detection system Intrusion Prevention system 2

1

Department of Computer Engineering

Page 2:

2

INTRUSION

Intrusion Detection system

Intrusion Prevention system

Page 3:

3

What is an intrusion?

Intrusions are activities that violate the security policy of a system.

Intrusion Detection System (IDS): software that automates the intrusion detection process. The primary responsibility of an IDS is to detect unwanted activities.

Intrusion Prevention System (IPS): software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.

Page 4:

4

WHAT ARE THE TYPES AND TECHNIQUES OF INTRUSION DETECTION SYSTEMS?

Page 5:

5

Types of IDS

Based on the source of the audit information each IDS uses, IDSs may be classified into:

• Host-based IDSs

• Distributed IDSs

• Network-based IDSs

Page 6:

6

Types in a little more detail

• Host-based IDS
  • Gets its data from host audit trails.
  • Detects attacks against a single host.

• Distributed IDS
  • Gathers data from multiple hosts and possibly the network that connects the hosts.
  • Detects attacks involving multiple hosts.

• Network-based IDS
  • Detects attacks from the network.

Page 7:

7

Intrusion Detection Techniques

Misuse detection

Anomaly detection

Page 8:

8

Misuse Detection

• Based on known attack actions.

• Features are extracted from known intrusions.

• Integrates human knowledge.

• The rules are pre-defined.

• Disadvantage: cannot detect novel or unknown attacks.
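The following is an added example, not code from the slides: a minimal misuse (signature-based) detector over a constructed host audit trail. The rules, rule ids (1001, 1002), log lines and addresses are all invented for the demo; the addresses come from the RFC 5737 documentation ranges. The last log line is a suspicious cron job that no rule describes, which is exactly the stated disadvantage: a pre-defined rule set stays silent on anything it has not seen before.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample host audit trail (not from the slides). Line 7 is a suspicious
# cron job for which no rule exists, so misuse detection will not report it.
SAMPLE_AUDIT_LOG = """\
Mar 10 08:01:12 host1 sshd[4121]: Accepted password for alice from 192.0.2.10 port 50212 ssh2
Mar 10 08:02:01 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Mar 10 08:03:44 host1 sshd[4188]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar 10 08:03:45 host1 sshd[4188]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar 10 08:03:46 host1 sshd[4188]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar 10 08:05:10 host1 kernel: audit: /etc/passwd opened for writing by uid=1002
Mar 10 08:06:00 host1 cron[77]: (root) CMD (/tmp/.x/update.sh)
"""


@dataclass(frozen=True)
class Signature:
    sid: int            # rule id, as a signature database would assign it (constructed here)
    name: str
    pattern: re.Pattern


# The pre-defined rules: features extracted from known intrusions, written down by a human.
SIGNATURES = [
    Signature(1001, "SSH root login failure", re.compile(r"Failed password for root from (\S+)")),
    Signature(1002, "Write to /etc/passwd", re.compile(r"/etc/passwd opened for writing")),
]

Alert = Tuple[int, int, str, Optional[str]]   # (line number, sid, rule name, source if captured)


def match_signatures(log_text: str, signatures=SIGNATURES) -> List[Alert]:
    """Compare every audit line against every rule; each hit becomes an alert."""
    alerts: List[Alert] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for sig in signatures:
            m = sig.pattern.search(line)
            if m:
                source = m.group(1) if m.groups() else None
                alerts.append((line_no, sig.sid, sig.name, source))
    return alerts


def brute_force_sources(alerts: List[Alert], threshold: int = 3) -> List[str]:
    """Simple correlation on top of rule 1001: sources with at least `threshold` failures."""
    counts = {}
    for _, sid, _, source in alerts:
        if sid == 1001 and source:
            counts[source] = counts.get(source, 0) + 1
    return [src for src, n in counts.items() if n >= threshold]


def undetected_lines(log_text: str, alerts: List[Alert]) -> List[int]:
    """Lines no rule matched: novel or unknown attacks hide here (the stated disadvantage)."""
    hit = {line_no for line_no, *_ in alerts}
    return [n for n in range(1, len(log_text.splitlines()) + 1) if n not in hit]


if __name__ == "__main__":
    found = match_signatures(SAMPLE_AUDIT_LOG)
    for line_no, sid, name, source in found:
        print(f"line {line_no}: [{sid}] {name} src={source}")
    print("brute-force sources:", brute_force_sources(found))
    print("lines without any rule hit:", undetected_lines(SAMPLE_AUDIT_LOG, found))
```

Running it reports lines 3 to 6 and correlates the three root failures to one source, while line 7 (the unknown cron job) is never mentioned; adding a rule for it afterwards is the only way a misuse detector learns it.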

Page 9:

9

Anomaly Detection

• Based on the normal behavior of a subject. It is sometimes assumed that the training data does not include intrusion data.

• This type of detection is known as anomaly detection.

• Here, any action that significantly deviates from the normal behavior is considered an intrusion.

Page 10:

10

Anomaly Detection Disadvantages

• Based on data collected over a period of normal operation.

• If noise (intrusion data) is present in the training data, the detector will misclassify.
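An added example for the two anomaly-detection slides above (not code from the deck): a baseline-and-threshold detector in which the "normal behaviour" profile is the mean and standard deviation of constructed hourly traffic counts, and an observation is an intrusion when its z-score exceeds a threshold. The numbers, the 3-sigma threshold and the single contaminated training sample are all assumptions chosen for the demo. The second profile shows the disadvantage: one hour of intrusion traffic left in the training data inflates the baseline so much that the same 4800 KB hour is no longer flagged.

```python
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed hourly outbound byte counts (KB) for one host during normal operation.
CLEAN_TRAINING = [120, 135, 128, 140, 122, 131, 138, 126, 133, 129]
# Same period, but one hour of intrusion traffic was not removed before training.
NOISY_TRAINING = CLEAN_TRAINING + [6000]


def build_profile(samples: List[float]) -> Dict[str, float]:
    """The subject's 'normal behaviour': mean and population std of the training data."""
    return {"mean": mean(samples), "std": pstdev(samples)}


def score(profile: Dict[str, float], observation: float) -> float:
    """How many standard deviations the observation sits from the learned mean."""
    std = profile["std"] if profile["std"] > 0 else 1e-9   # guard a constant baseline
    return (observation - profile["mean"]) / std


def is_anomalous(profile: Dict[str, float], observation: float,
                 threshold: float = 3.0) -> Tuple[bool, float]:
    """Anything that significantly deviates (|z| > threshold) is treated as an intrusion."""
    z = score(profile, observation)
    return abs(z) > threshold, z


def evaluate(profile: Dict[str, float], observations: List[float],
             threshold: float = 3.0) -> List[bool]:
    return [is_anomalous(profile, o, threshold)[0] for o in observations]


if __name__ == "__main__":
    new_hours = [134, 4800]   # one ordinary hour, one hour of exfiltration-sized traffic
    for label, data in (("clean", CLEAN_TRAINING), ("noisy", NOISY_TRAINING)):
        profile = build_profile(data)
        for obs in new_hours:
            flagged, z = is_anomalous(profile, obs)
            print(f"{label:5} baseline mean={profile['mean']:.1f} std={profile['std']:.1f}"
                  f"  obs={obs:5} z={z:7.2f}  anomaly={flagged}")
```

With the clean baseline the 4800 KB hour scores hundreds of standard deviations out and is flagged; with the contaminated baseline the std grows to about 1700, the z-score drops below 3 and the intrusion passes as normal. Cleaning training data, or using a robust statistic such as the median and MAD instead of mean and std, is the usual mitigation.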

Page 11:

11

Some of the benefits of IDS

• monitors the operation of firewalls, routers, key management servers and files critical to other security mechanisms

• allows administrators to tune, organize and comprehend otherwise often incomprehensible operating system audit trails and other logs

• can make security management of systems by non-expert staff possible by providing a user-friendly interface

• comes with an extensive attack signature database against which information from the customer's system can be matched

• can recognize and report alterations to data files

Page 12:

12

IDS is not a SILVER BULLET

• cannot conduct investigations of attacks without human intervention

• cannot compensate for weaknesses in network protocols

• cannot compensate for weak identification and authentication mechanisms

• can monitor network traffic, but only up to a certain traffic level

Page 13:

13

NOW IT'S TIME FOR INTRUSION PREVENTION SYSTEMS AND THEIR TYPES

Page 14:

14

Intrusion Prevention System

Intrusion prevention systems are network security devices that monitor network and/or system activities for malicious activity (intrusion).

The main functions of an Intrusion Prevention System (IPS) are:

– Identify the intrusion

– Log information about the intrusion

– Attempt to block/stop the intrusion, and

– Report the intrusion

• An Intrusion Detection System (IDS) only detects intrusions.

Page 15:

WHAT IS IPS?

• Intrusion Prevention System (IPS) is any device (hardware or software) that has the ability to detect attacks, both known and unknown, and prevent the attack from being successful.

Page 16:

Intrusion Prevention Systems (IPS)

The bad guys are always one step ahead of the security professionals.

Security professionals try to come up with innovative means to detect and prevent attacks.

An IPS is a preventive device, whereas an IDS is a detective device.

Page 17:

CLASSIFICATION OF IPS

Broadly classified into two categories:

• Host IPS (HIPS)

• Network IPS (NIPS)

Page 18:

HOST-IPS

• A HIPS is installed directly on the system being protected.

• It binds closely to the operating system kernel and services; it monitors and intercepts system calls to the kernel in order to prevent attacks as well as log them.

Page 19:

NETWORK-IPS

• Has two network interfaces, one designated as internal and one as external.

• Packets pass through both interfaces, and the device determines whether the packet being examined poses a threat.

• If it detects a malicious packet, an alert is raised and the packet is discarded immediately. Legitimate packets are passed through to the second interface and on to their intended destination.

Page 20:

INTRUSION PREVENTION TECHNIQUES

• Inline network intrusion protection systems.

• Layer seven switches.

• Application firewalls.

• Hybrid switches.

• Deceptive applications.

Page 21:

INLINE NETWORK IPS

• It is configured with two NICs, one for management and one for detection.

• The NIC that is configured for detection usually does not have an IP address assigned.

• It works by sitting between the systems that need to be protected and the rest of the network.

• It inspects each packet for any intrusion that it is configured to look for.
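An added example (not code from the slides) that ties together the IPS functions listed on page 14 and the two-interface NIPS of pages 19 and 21: packets arrive on the external, IP-less detection interface, are matched against configured rules, and are either dropped with an alert logged or forwarded to the internal interface. The `Packet` and `Rule` types, the rule ids 2001 and 2002, the rule contents and the sample traffic are constructed for the demo; the addresses are RFC 5737 documentation ranges.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    dport: Optional[int] = None      # None = any destination port
    content: Optional[bytes] = None  # None = no payload condition


# Constructed rules for the demo, not a real signature database.
RULES = [
    Rule(2001, "SQL injection pattern in HTTP request", dport=80, content=b"' OR 1=1"),
    Rule(2002, "Telnet into protected segment", dport=23),
]


@dataclass
class InlineIPS:
    rules: List[Rule]
    alerts: List[Dict] = field(default_factory=list)       # log information about intrusions
    forwarded: List[Packet] = field(default_factory=list)  # passed on via the internal interface
    dropped: int = 0

    def identify(self, pkt: Packet) -> Optional[Rule]:
        """Function 1: identify the intrusion by matching the configured rules."""
        for rule in self.rules:
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            if rule.content is not None and rule.content not in pkt.payload:
                continue
            return rule
        return None

    def process(self, pkt: Packet) -> str:
        """One packet read from the external (IP-less, detection) interface."""
        rule = self.identify(pkt)
        if rule is None:
            self.forwarded.append(pkt)       # legitimate: out of the internal interface
            return "forward"
        # Function 2: log; function 3: block (the packet is discarded, never forwarded).
        self.alerts.append({"sid": rule.sid, "msg": rule.msg, "src": pkt.src, "dst": pkt.dst})
        self.dropped += 1
        return "drop"

    def report(self) -> Dict[str, List[int]]:
        """Function 4: report, here as rule ids triggered per source address."""
        summary: Dict[str, List[int]] = {}
        for a in self.alerts:
            summary.setdefault(a["src"], []).append(a["sid"])
        return summary


# Constructed traffic arriving on the external interface.
SAMPLE_TRAFFIC = [
    Packet("192.0.2.10", "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n"),
    Packet("203.0.113.9", "10.0.0.5", 80, b"GET /item?id=1' OR 1=1-- HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.9", "10.0.0.7", 23, b"\xff\xfd\x18"),
    Packet("192.0.2.10", "10.0.0.53", 53, b"\x12\x34\x01\x00\x00\x01"),
]


def run(traffic=SAMPLE_TRAFFIC):
    """Push the sample traffic through a fresh IPS; returns the device and its decisions."""
    ips = InlineIPS(RULES)
    decisions = [ips.process(p) for p in traffic]
    return ips, decisions


if __name__ == "__main__":
    ips, decisions = run()
    for pkt, decision in zip(SAMPLE_TRAFFIC, decisions):
        print(f"{pkt.src:12} -> {pkt.dst}:{pkt.dport:<3} {decision}")
    print("report:", ips.report())
```

Because the device sits inline, a rule hit means the packet is gone before the protected host ever sees it, which is also why the traffic-level limit noted on page 12 matters more for an IPS than an IDS: anything the device cannot inspect in time is either delayed or, depending on its fail-open setting, passed uninspected.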

Page 22:

LAYER SEVEN SWITCHES

• Placing these devices in front of your firewalls would give protection for the entire network.

• However, the drawback is that they can only stop attacks that they know about.

• The only attacks they can stop that most other IPSs cannot are DoS attacks.

Page 23:

APPLICATION FIREWALLS

• These IPSs are loaded on each server that is to be protected.

• These types of IPSs are customizable to each application that they are to protect.

• It profiles a system before protecting it. During the profiling it watches the user's interaction with the application and the application's interaction with the operating system to determine what legitimate interaction looks like.

• The drawback is that when the application is updated it might have to be profiled again so that it does not block legitimate use.
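An added example (not code from the deck) of the profile-then-enforce behaviour described above, reduced to one dimension: the firewall learns which (method, path) interactions users make with a web application during profiling and afterwards permits only those. The class name, the path normalisation, and the profiling and post-update traffic are all assumptions made for the demo. The last two steps reproduce the stated drawback: a feature added by an application update is blocked until the firewall is profiled again.

```python
import re
from typing import Dict, Set, Tuple


def normalise(path: str) -> str:
    """Collapse numeric identifiers so /user/42 and /user/17 map to one profile entry."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


class ProfilingAppFirewall:
    """Learns (method, path) interactions during profiling, then only permits those."""

    def __init__(self) -> None:
        self.profile: Set[Tuple[str, str]] = set()
        self.learning = True

    def check(self, method: str, path: str) -> str:
        key = (method, normalise(path))
        if self.learning:
            self.profile.add(key)            # profiling: record what legitimate use looks like
            return "learned"
        return "allow" if key in self.profile else "block"

    def start_enforcing(self) -> None:
        self.learning = False

    def start_reprofiling(self) -> None:
        self.learning = True


# Constructed traffic observed while profiling version 1 of the application.
PROFILING_TRAFFIC = [("GET", "/login"), ("POST", "/login"),
                     ("GET", "/user/42"), ("GET", "/user/17/orders")]


def simulate() -> Dict[str, str]:
    fw = ProfilingAppFirewall()
    for method, path in PROFILING_TRAFFIC:
        fw.check(method, path)
    fw.start_enforcing()
    results = {
        "known_shape": fw.check("GET", "/user/99"),         # matches learned GET /user/{id}
        "unknown_method": fw.check("POST", "/user/99"),     # method never seen for this path
        "unknown_path": fw.check("GET", "/admin/export"),   # path never seen at all
        # Application update adds a feature the profile knows nothing about:
        "after_update": fw.check("GET", "/user/99/invoices"),
    }
    # Re-profile against the updated application, then enforce again.
    fw.start_reprofiling()
    fw.check("GET", "/user/99/invoices")
    fw.start_enforcing()
    results["after_reprofile"] = fw.check("GET", "/user/5/invoices")
    return results


if __name__ == "__main__":
    for step, decision in simulate().items():
        print(f"{step:16} {decision}")
```

The re-profiling window is the operational cost the slide warns about: while the firewall is learning it records whatever it sees, so that window has to be limited to traffic known to be legitimate, otherwise the new profile inherits an attacker's requests as "normal".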

Page 24:

HYBRID SWITCHES

• They inspect specific traffic for malicious content, as configured.

• A hybrid switch works in a similar manner to a layer seven switch, but has detailed knowledge of the web server and the application that sits on top of the web server.

• It also fails the request if the user's request does not match any of the permitted requests.

Page 25:

DECEPTIVE APPLICATIONS

• It watches all your network traffic and figures out what is good traffic.

• When an attacker attempts to connect to services that do not exist, it will send back a response to the attacker.

• The response will be "marked" with some bogus data. When the attacker comes back again and tries to exploit the server, the IPS will see the "marked" data and stop all traffic coming from the attacker.
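An added example of the deceptive-application mechanism described above; it is not code from the slides. The device answers connections to a service that does not exist with a bogus banner carrying a "mark", here an HMAC over the requesting source address under a constructed secret, and any later request to a real service that presents that mark proves the sender learned it from the decoy, so all further traffic from that source is dropped. The secret, the set of real services, the banner text, the `session=` field and the sample exchange are assumptions made for the demo; addresses are RFC 5737 documentation ranges.

```python
import hashlib
import hmac
import re
from typing import Optional, Set, Tuple

# Constructed values: a real deployment would use a random per-installation secret.
MARK_SECRET = b"constructed-demo-secret"
REAL_SERVICES = {80, 443}          # ports the device has learned carry "good" traffic
MARK_RE = re.compile(rb"session=([0-9a-f]{16})")


def make_mark(src: str) -> bytes:
    """A bogus 'session id' bound to the requesting source; only the IPS can recognise it."""
    return hmac.new(MARK_SECRET, src.encode(), hashlib.sha256).hexdigest()[:16].encode()


class DeceptiveIPS:
    def __init__(self) -> None:
        self.blocked: Set[str] = set()

    def handle(self, src: str, dport: int, payload: bytes) -> Tuple[str, Optional[bytes]]:
        """Returns (decision, response to send back, if any)."""
        if src in self.blocked:
            return "drop", None                      # all traffic from a marked attacker
        if dport not in REAL_SERVICES:
            # Connection to a service that does not exist: answer with marked bogus data.
            decoy = b"220 ftp.internal FTP server ready; session=" + make_mark(src)
            return "decoy", decoy
        m = MARK_RE.search(payload)
        if m and hmac.compare_digest(m.group(1), make_mark(src)):
            # The marked data came back in a request to a real service. It could only have
            # been learned from the decoy, so this source is probing: block it from now on.
            self.blocked.add(src)
            return "block", None
        return "forward", None


def scenario() -> list:
    """Constructed exchange: a normal client, then a probing source that reuses the mark."""
    ips = DeceptiveIPS()
    out = [ips.handle("192.0.2.10", 80, b"GET / HTTP/1.1")[0]]            # forward
    decision, decoy = ips.handle("203.0.113.9", 21, b"")                   # decoy
    out.append(decision)
    token = MARK_RE.search(decoy).group(0)                                  # b"session=..."
    out.append(ips.handle("203.0.113.9", 80, b"GET /admin?" + token)[0])   # block
    out.append(ips.handle("203.0.113.9", 443, b"\x16\x03\x01")[0])          # drop
    out.append(ips.handle("192.0.2.10", 80, b"GET /about HTTP/1.1")[0])    # still forward
    return out


if __name__ == "__main__":
    print(scenario())
```

Binding the mark to the source address is a deliberate choice: a mark handed to one address that shows up from a different address does not verify, so a third party who is shown or spoofed someone else's decoy response cannot get an innocent client blocked. The mark itself is meaningless to the protected services, which never see it because the decoy is never forwarded.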


Page 27:

27

Akshay Patel (11ce20), Saurabh Prajapati (11ce21)

Thank you for your attention and time
