Intrusion Detection Systems

By: William Pinkerton and Sean Burnside
What is an IDS?
• IDS is the acronym for Intrusion Detection System
• Secures systems from attack
• Attacks on a system come through the network, by either:
  • Crackers
  • Hackers
  • Disgruntled employees
• Five different kinds of intrusion detection systems:
  1. Network-based
  2. Protocol-based
  3. Application-based
  4. Host-based
  5. Hybrid
History of IDS
• Began in the mid 1980s
  • James P. Anderson, “Computer Security Threat Monitoring and Surveillance”
• Fred Cohen
  • The inventor of defenses against viruses
  • Said, “It is impossible to detect an intrusion in every case” and “the resources needed to detect intrusion grows with the amount of usage”
• Dorothy E. Denning, assisted by Peter Neumann
  • Created an anomaly-based intrusion detection system
  • Named Intrusion Detection Expert System
  • A later version was named Next-generation Intrusion Detection Expert System
Passive vs. Reactive Systems
• Passive system
  • First detects a breach
  • Logs the breach and/or alerts the administrator(s)
• Reactive system
  • Takes action beyond alerting on the breach, by either:
    • Resetting the connection
    • Reprogramming the firewall
Firewall and Antivirus vs. IDS
• Firewall
  • Blocks potentially harmful incoming or outgoing traffic
  • Does not detect intrusions
• Antivirus
  • Scans files to identify or eliminate either:
    • Malicious software
    • Computer viruses
• Intrusion Detection System
  • Alerts the administrator(s) of suspicious activity
  • Looks for intrusions before they happen
**Note: For maximum protection it is best to have all three!!**
5 Methods of IDS
1. Network-based Intrusion Detection System
2. Protocol-based Intrusion Detection System
3. Application-based Intrusion Detection System
4. Host-based Intrusion Detection System
5. Hybrid Intrusion Detection System
Network-based Intrusion Detection System
• Runs at different points of a network
• Scans for DoS attacks, port activity and hacking attempts
• Also scans incoming and outgoing packets for malicious content
• Pros
  • Not much overhead on the network
  • Installing, upkeep and securing is easy
  • Undetectable by most attackers
• Cons
  • Has trouble with large networks
Network-based Intrusion Detection System (cont.)
• Cons (cont.)
  • Has trouble with switch-based networks
  • No reporting on whether an attack failed or succeeded
  • Cannot look at encrypted data
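The two network-based checks named on the slide, scanning for port activity and for DoS attacks, can be shown on flow records (who talked to whom, on which port, when, and whether the connection completed). This is an added example for the slides, not code from the presenters or from any real NIDS; the record layout, the window sizes and the thresholds are assumptions, and the flows are constructed inline.

```python
"""Network-based detection over flow records (added illustration).

The Flow record, the 10 s / 1 s windows and the thresholds below are
assumptions chosen for the example, not values from any real product."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since some epoch
    src: str         # source address
    dst: str         # destination address
    dport: int       # destination port
    syn_only: bool   # True when the TCP handshake never completed (half-open)


def detect_port_scans(flows, window=10.0, min_ports=20):
    """Flag (src, dst) pairs where one source touches many distinct destination
    ports on a single host inside a sliding time window ("activity on ports")."""
    by_pair = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_pair[(f.src, f.dst)].append(f)
    alerts = set()
    for pair, fl in by_pair.items():
        i = 0
        for j in range(len(fl)):
            while fl[j].ts - fl[i].ts > window:   # slide the window start forward
                i += 1
            if len({f.dport for f in fl[i:j + 1]}) >= min_ports:
                alerts.add(pair)
                break
    return sorted(alerts)


def detect_syn_floods(flows, window=1.0, min_half_open=100):
    """Flag destinations receiving many half-open connections within one window,
    the classic SYN-flood shape of a DoS attack."""
    by_dst = defaultdict(list)
    for f in flows:
        if f.syn_only:
            by_dst[f.dst].append(f.ts)
    alerts = []
    for dst, times in by_dst.items():
        times.sort()
        i = 0
        for j in range(len(times)):
            while times[j] - times[i] > window:
                i += 1
            if j - i + 1 >= min_half_open:
                alerts.append(dst)
                break
    return sorted(alerts)


def sample_flows():
    """Constructed traffic: one port sweep, one normal client, one SYN flood."""
    flows = []
    # Constructed: a single host probes ports 1..30 on a server within 3 seconds.
    for p in range(1, 31):
        flows.append(Flow(100.0 + p * 0.1, "203.0.113.5", "192.0.2.10", p, True))
    # Constructed: a normal client using a handful of ports over several minutes.
    for k, p in enumerate([80, 443, 22, 443, 80]):
        flows.append(Flow(200.0 + k * 30, "198.51.100.7", "192.0.2.10", p, False))
    # Constructed: 150 half-open connections to one web server in half a second.
    for k in range(150):
        flows.append(Flow(300.0 + k * 0.003, f"203.0.113.{60 + k % 50}", "192.0.2.20", 80, True))
    return flows


if __name__ == "__main__":
    fl = sample_flows()
    print("port scans:", detect_port_scans(fl))   # [('203.0.113.5', '192.0.2.10')]
    print("SYN floods:", detect_syn_floods(fl))   # ['192.0.2.20']
```

Both detectors use only addresses, ports, timestamps and handshake state, which stay visible even when payloads are encrypted; that is why the "cannot look at encrypted data" limitation on the slide restricts payload inspection but not this kind of traffic-pattern detection.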
Protocol-based Intrusion Detection System
• Sits at the front end of a server
• Usually used for web servers
• Two uses:
  • Making sure a protocol is enforced and used correctly
  • Teaching the system the constructs of a protocol
• Pros
  • Easier for the system to pick up on attacks since it is protocol-based
• Cons
  • Rules for protocols come out slowly, which can leave a gap in coverage against attacks
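"Making sure a protocol is enforced and used correctly" in front of a web server amounts to checking each request head against the grammar of HTTP/1.x before the server sees it. The following is an added example written for these slides, not code from the presenters or from any real product; the allowed method set, the size limit and the sample requests are assumptions constructed for the illustration.

```python
"""Protocol-conformance checking of HTTP/1.x request heads (added illustration).

ALLOWED_METHODS and MAX_TARGET_LEN are assumptions for the example; the
request-line and header grammar follow HTTP/1.1 (RFC 9112) in simplified form."""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}  # assumption
MAX_TARGET_LEN = 2048                                                  # assumption
SUPPORTED_VERSIONS = {("1", "0"), ("1", "1")}

# request-line = method SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
# header-field = token ":" OWS field-value OWS  (token chars per the spec)
HEADER_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")


def check_request_head(raw: bytes) -> list:
    """Return the list of protocol violations found; an empty list means conformant."""
    violations = []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]
    if not text.endswith("\r\n\r\n"):
        violations.append("request head not terminated by CRLF CRLF")
    lines = text.rstrip("\r\n").split("\r\n")

    m = REQUEST_LINE.match(lines[0])
    if not m:
        violations.append(f"malformed request line: {lines[0]!r}")
    else:
        method, target, major, minor = m.groups()
        if method not in ALLOWED_METHODS:
            violations.append(f"method not allowed: {method}")
        if len(target) > MAX_TARGET_LEN:
            violations.append("request target too long")
        if (major, minor) not in SUPPORTED_VERSIONS:
            violations.append(f"unsupported version HTTP/{major}.{minor}")

    seen_host = False
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            violations.append(f"malformed header line: {line!r}")
            continue
        if h.group(1).lower() == "host":
            if seen_host:
                violations.append("duplicate Host header")
            seen_host = True
    if m and (m.group(3), m.group(4)) == ("1", "1") and not seen_host:
        violations.append("HTTP/1.1 request without Host header")
    return violations


# Constructed sample requests.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: test\r\n\r\n"
NO_HOST = b"GET /index.html HTTP/1.1\r\nUser-Agent: test\r\n\r\n"
BAD_METHOD = b"TRACE / HTTP/1.1\r\nHost: a\r\nHost: b\r\n\r\n"
BAD_VERSION = b"GET / HTTP/9.9\r\nHost: a\r\nBadHeader\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("GOOD", GOOD), ("NO_HOST", NO_HOST),
                      ("BAD_METHOD", BAD_METHOD), ("BAD_VERSION", BAD_VERSION)]:
        print(name, check_request_head(req))
```

A checker like this only knows what the rules tell it, which is the Con on the slide: a protocol feature or abuse that no rule describes yet passes as conformant until the rules catch up.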
Host-based Intrusion Detection System
• Internally based detection system
• Analyzes a system in four ways:
  • File system monitoring
  • Logfile analysis
  • Connection analysis
  • Kernel-based intrusion detection
• Pros
  • Analyzes encrypted data
  • Can keep up with switch-based networks
  • Provides more information about attacks
Host-based Intrusion Detection System (cont.)
• Pros (cont.)
  • System can tell what processes were used in the attack
  • System can tell the users involved in the attack
• Cons
  • Decrease in network performance if multiple hosts are analyzed
  • If the host machine is broken, the system can be disabled
  • Affected by DoS attacks
  • Needs a lot of resources
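Two of the four host-based techniques on the slide, file system monitoring and logfile analysis, fit in a short script: a hashed baseline of files compared against the current state, and a rule run over authentication log lines. This is an added example for the slides, not code from the presenters or from OSSEC or any other product; the scratch directory, the log lines, the regular expression and the failure threshold are constructed assumptions.

```python
"""Host-based detection: file integrity monitoring and log analysis (added illustration).

The scratch files, the sshd-style log lines and THRESHOLD are constructed for
the example and are not taken from any real system or product."""
import hashlib
import os
import re
import tempfile
from collections import Counter


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (relative path) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare_baseline(old: dict, new: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


# Logfile analysis: repeated authentication failures from one source.
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
THRESHOLD = 5  # assumption: failures from one source before alerting


def failed_logins_by_source(lines) -> Counter:
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def brute_force_alerts(lines, threshold=THRESHOLD) -> list:
    return sorted(src for src, n in failed_logins_by_source(lines).items() if n >= threshold)


# Constructed sshd-style log lines: six failures from one source, one from another.
SAMPLE_AUTH_LOG = [
    f"Jan 10 12:00:0{i} web1 sshd[220{i}]: Failed password for invalid user {u} "
    f"from 203.0.113.5 port 4001{i} ssh2"
    for i, u in enumerate(["admin", "root", "test", "oracle", "pi", "guest"], 1)
] + [
    "Jan 10 12:00:09 web1 sshd[2210]: Failed password for alice from 198.51.100.7 port 50122 ssh2",
    "Jan 10 12:00:15 web1 sshd[2215]: Accepted password for alice from 198.51.100.7 port 50123 ssh2",
]


def demo_fim() -> dict:
    """Build a baseline in a scratch tree, change the tree, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, content):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(content)
        write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        write("etc/hosts", "127.0.0.1 localhost\n")
        write("bin/ls", "original binary\n")
        before = build_baseline(root)
        # Constructed changes: an edited account file, a removed binary, a new cron job.
        write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\nnewuser:x:1001:1001::/home/newuser:/bin/sh\n")
        os.remove(os.path.join(root, "bin/ls"))
        write("etc/cron.d/job", "0 3 * * * root /usr/local/bin/backup\n")
        after = build_baseline(root)
        return compare_baseline(before, after)


if __name__ == "__main__":
    print("file changes:", demo_fim())
    print("brute-force sources:", brute_force_alerts(SAMPLE_AUTH_LOG))
```

The baseline dictionary is the part that must be protected: if an attacker who controls the host can rewrite it, the comparison reports nothing, which is the "if the host machine is broken the system can be disabled" limitation on the slide, and the reason real deployments store baselines and logs off the monitored host.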
Application-based Intrusion Detection System
• System is application-specific
• Monitors dynamic behaviors and states of a protocol
• The system analyzes the communication between applications
• Pros
  • Greater chance of detecting an attack since it is application-specific
  • Can look at encrypted data
• Con
  • Needs a lot of processing power
Hybrid Intrusion Detection System
• Combines two or more systems
• Pros
  • It has the same pros as the systems that it is based on
• Cons
  • It has the same cons as the systems that it is based on
Top 5 IDS
1. Snort
2. OSSEC HIDS
3. Fragrouter
4. BASE
5. Sguil
Snort
• Lightweight, open source
• Originally named bro
• Developed by Lawrence Berkeley National Laboratory in 1998
• The most widely used intrusion detection system
• Capable of performing packet logging and real-time traffic analysis over IP networks
OSSEC HIDS
• Strong log analysis engine
• Correlates and analyzes logs from different devices and formats
• Can be centralized
• Many different systems can be monitored
• Runs on most operating systems
  • Linux
  • OpenBSD
  • Mac OS X
  • Solaris
  • FreeBSD
  • Windows
Fragrouter
• Used to evade intrusion detection systems
• Limited to certain operating systems
  • BSD
  • Linux
• Good tool for finding weaknesses on a network, computers, or servers that an IDS may not be able to find
BASE
• Written in PHP
• Nice web front end
• Analyzes data stored in a database that is populated by firewalls, IDS, and network monitoring tools
Sguil
• Known for its graphical user interface
• Runs on operating systems that support Tcl/Tk
  • Linux
  • BSD
  • Solaris
  • MacOS
  • Win32
• Network security monitoring
• Provides intrusion detection system alerts
Question Time…