Intrusion Detection


Intrusion Detection Systems
A brief history:
1980 - A paper is written detailing the importance of audit data for detecting misuse and understanding user behavior.
1984 - SRI International develops a method of tracking and analyzing the audit data of ARPANET users, resulting in the first IDS.
1988 - The Haystack project builds an IDS on defined patterns of misuse, which leads on to a Distributed IDS.
1990 - Todd Heberlein's Network Security Monitor is the first network-based monitor; the interest it generates leads to commercial development and to the IDS boom we see today.
What are Intrusion Detection Systems?

Not a firewall!
A firewall is just that: a wall that allows or denies traffic.
An IDS is a monitoring system; it takes note of what is going on and reports it to someone else to deal with.

What are Intrusion Detection Systems?
Sensors -> report security events
Console -> monitors events and alerts, controls the sensors
Engine -> logs the events reported by the sensors and generates alerts based on security rules
All three components can be located in a single place.
Types of IDS
Based upon where the sensors are placed in
the system as well as the rules used to
generate alerts
Network IDS
Host-based IDS
Network IDS

Examines network traffic; the sensor is connected to a network device that allows port mirroring (a SPAN port), or to a network tap.
Ideally it would inspect all traffic, but this is not always practical (switched networks and high traffic volumes make full coverage hard).
Detection is either signature based or anomaly based.
Network IDS
Signature based (knowledge based)
Most IDS are signature based.
Works like antivirus software: looks for attempts to exploit known vulnerabilities by matching traffic against a database of attack patterns.
This type is ineffective if the exploit is unknown to the system, since there is no signature for it yet.
Network IDS
Anomaly based (behavior based)
Observes deviation from the "normal" behavior of the system.
Does not depend on prior knowledge of a vulnerability, so it can flag new or unforeseen attacks.
High false-positive rate; requires a "learning phase" to build the baseline and subsequent "retraining" as the network changes, because any legitimate new behavior also looks like a deviation.
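The two approaches above, side by side, as an added example that is not from the original slides or any vendor product: a handful of Snort-style "content" rules (hypothetical) next to a one-feature anomaly detector (bytes transferred per destination port, z-score against a baseline learned in a training phase). The flow records are constructed here so the script runs offline, and they are chosen to show exactly the trade-off the slides describe: the signature engine catches a known exploit with an ordinary size and misses an unknown one, while the anomaly engine does the reverse and also raises a false positive on a legitimate new service it never saw during training.

```python
"""Signature-based vs anomaly-based network detection, side by side (added example)."""
import re
import statistics
from collections import defaultdict

# Constructed flow records: (src_ip, dst_port, bytes_transferred, payload_excerpt).
TRAINING_FLOWS = [
    ("10.0.0.5", 80, 900, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, 1100, "GET /about.html HTTP/1.1"),
    ("10.0.0.7", 80, 1000, "GET /news HTTP/1.1"),
    ("10.0.0.7", 443, 1200, "TLS application data"),
    ("10.0.0.9", 80, 950, "GET /login HTTP/1.1"),
]

# Constructed flows seen after the learning phase.
TEST_FLOWS = [
    # 1. Known exploit pattern, ordinary size: signature fires, anomaly is silent.
    ("198.51.100.4", 80, 1000, "GET /../../etc/passwd HTTP/1.1"),
    # 2. No known signature, but a wildly abnormal transfer: only anomaly fires.
    ("10.0.0.5", 80, 50000, "POST /upload HTTP/1.1"),
    # 3. Legitimate new service on a port with no baseline: anomaly false positive
    #    until the detector is retrained.
    ("10.0.0.9", 22, 3000, "SSH-2.0-OpenSSH_8.9"),
    # 4. Ordinary traffic: both stay quiet.
    ("10.0.0.7", 80, 980, "GET /news HTTP/1.1"),
]

# Hypothetical rules in the spirit of Snort "content" matches: (name, regex over payload).
SIGNATURES = [
    ("PATH-TRAVERSAL", re.compile(r"\.\./")),
    ("ETC-PASSWD", re.compile(r"/etc/passwd")),
    ("SQLI-UNION-SELECT", re.compile(r"\bunion\s+select\b", re.IGNORECASE)),
]


def signature_match(payload):
    """Knowledge-based detection: names of every rule the payload matches."""
    return [name for name, rx in SIGNATURES if rx.search(payload)]


class AnomalyDetector:
    """Behavior-based detection on one feature: bytes transferred per destination port.

    train() is the learning phase.  Afterwards a flow whose byte count lies more than
    `threshold` standard deviations from its port's mean, or that uses a port with no
    baseline at all, is reported as anomalous.
    """

    def __init__(self, threshold=3.0):
        self.threshold = threshold
        self.samples = defaultdict(list)

    def train(self, flows):
        for _src, port, nbytes, _payload in flows:
            self.samples[port].append(nbytes)

    def zscore(self, flow):
        _src, port, nbytes, _payload = flow
        sample = self.samples.get(port, [])
        if len(sample) < 2:
            return None  # no usable baseline for this port
        mean = statistics.mean(sample)
        stdev = statistics.pstdev(sample) or 1.0  # guard against a constant baseline
        return (nbytes - mean) / stdev

    def is_anomalous(self, flow):
        z = self.zscore(flow)
        return z is None or abs(z) > self.threshold


def analyze(detector, flows):
    """Run both detectors over each flow and record what each would alert on."""
    results = []
    for flow in flows:
        payload = flow[3]
        results.append({
            "payload": payload,
            "signatures": signature_match(payload),
            "anomalous": detector.is_anomalous(flow),
        })
    return results


if __name__ == "__main__":
    det = AnomalyDetector()
    det.train(TRAINING_FLOWS)
    for r in analyze(det, TEST_FLOWS):
        print(f"{r['payload']:32} signatures={r['signatures']} anomalous={r['anomalous']}")
```

Flow 3 is the retraining problem in miniature: port 22 is simply absent from the baseline, so the detector cannot tell a new legitimate service from an intruder's listener until an operator adds it to the training set.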

Host based IDS

Host based
Runs on an individual device
Monitors the host itself: system calls, application logs, file modifications
Covers that single device only!
Alerts the user or administrator when something suspicious is detected
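One of the host-based checks listed above, file-modification monitoring, as an added example that is not from the original slides or any particular product: a Tripwire-style integrity monitor that hashes every file under a root, stores the result as a baseline, and on the next run reports files that were added, removed or modified. The directory layout, file contents and the "intrusion" (an extra UID-0 account appended to passwd, a replaced binary, a dropped tool and a deleted log) are all constructed inside a temporary directory so the script runs offline.

```python
"""Host-based IDS primitive: file-integrity monitoring (added example)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Diff two snapshots into the three events a HIDS would alert on."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: take a baseline, tamper with the host, re-check."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "etc/hosts": "127.0.0.1 localhost\n",
            "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
            "bin/ls": "ELF-stub-for-ls",
            "var/log/auth.log": "sshd: Accepted publickey for alice\n",
        }
        for rel, content in files.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as f:
                f.write(content)
        baseline = snapshot(root)

        # Simulated intrusion (constructed): second UID-0 account, trojaned
        # binary, dropped network tool, and an auth log wiped to cover tracks.
        with open(os.path.join(root, "etc/passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "bin/ls"), "w") as f:
            f.write("ELF-stub-for-trojaned-ls")
        with open(os.path.join(root, "bin/nc"), "w") as f:
            f.write("ELF-stub-for-netcat")
        os.remove(os.path.join(root, "var/log/auth.log"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for event, paths in demo().items():
        print(f"{event:9} {paths}")
```

Two caveats a practitioner would attach: the baseline must live somewhere the monitored host cannot rewrite (read-only media, a signed copy, or the central console of a hybrid deployment), because an intruder with root can simply re-baseline after tampering; and a kernel-level rootkit can lie to the hashing process about what is on disk, which is one reason HIDS also watch system calls rather than files alone.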

Hybrid IDS

Hybrid systems
A combination of the above, such as host based + network based, with the hosts reporting to the network-based system for more comprehensive protection.
Passive VS Reactive IDS

Among the variety of IDS "flavors", they can be categorized into two major groups:

Passive systems - work by simply monitoring, detecting and alerting
Reactive systems - perform the necessary action or actions in response to a detected threat
Passive IDS
Monitors the system for any suspicious or malicious intrusion
If something is found, evaluates it to determine whether it is a threat
If it is, generates and sends an alert to the user (cartoon caption: "I just found a threat, user")
Up to the user to take action

Reactive IDS
Alerts the console user and attempts to respond according to its security rules and capabilities (cartoon caption: "I found a threat and I'm taking care of it, oh yeah"):
 reprogram the firewall
 reset connections
 block IP addresses
Typically called an Intrusion Prevention System (IPS)
Essentially a firewall with network- and application-level filtering, normally deployed inline so that it can drop traffic rather than only observe it
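The "block IP addresses / reprogram the firewall" response above, as an added example that is not from the original slides or any product, together with the guard rails a practitioner puts around it before letting an IDS act on its own: an allowlist of addresses that must never be blocked (resolvers, gateways, the monitoring hosts themselves), an expiry on every block, and a cap on block actions per minute. The guard rails matter because an attacker who knows the sensor auto-blocks can spoof source addresses and have the IPS cut off legitimate hosts, and a flood of alerts can otherwise turn into a flood of firewall changes. The alert format, the allowlist and the iptables command strings are hypothetical; commands are returned as strings and never executed here.

```python
"""Reactive IDS / IPS response handler with safety limits (added example)."""
from collections import deque


class Responder:
    def __init__(self, allowlist, block_seconds=600, max_blocks_per_minute=20):
        self.allowlist = set(allowlist)       # never block these, whatever the alert says
        self.block_seconds = block_seconds    # blocks expire; spoofed sources can't lock out a victim forever
        self.max_blocks = max_blocks_per_minute
        self.blocked = {}                     # ip -> expiry time
        self.recent = deque()                 # times of recent block actions (rate limiting)
        self.commands = []                    # firewall commands that would be run, in order

    @staticmethod
    def block_rule(ip):
        # Hypothetical: the iptables rule an IPS would insert to drop the source.
        return f"iptables -I INPUT -s {ip} -j DROP"

    @staticmethod
    def unblock_rule(ip):
        return f"iptables -D INPUT -s {ip} -j DROP"

    def handle(self, alert, now):
        """Decide what to do with one alert; returns the action taken."""
        ip = alert["src_ip"]
        if ip in self.allowlist:
            return "alert-only: allowlisted"
        if self.blocked.get(ip, 0) > now:
            return "already-blocked"
        while self.recent and now - self.recent[0] >= 60:
            self.recent.popleft()
        if len(self.recent) >= self.max_blocks:
            return "alert-only: rate-limited"   # alarm flood: fall back to passive behaviour
        self.blocked[ip] = now + self.block_seconds
        self.recent.append(now)
        self.commands.append(self.block_rule(ip))
        return "blocked"

    def expire(self, now):
        """Lift blocks whose time is up; returns the addresses unblocked."""
        expired = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in expired:
            del self.blocked[ip]
            self.commands.append(self.unblock_rule(ip))
        return expired


def demo():
    """Constructed alert stream that exercises every branch of the policy."""
    r = Responder(allowlist={"10.0.0.53"}, block_seconds=600, max_blocks_per_minute=2)
    alerts = [
        ({"src_ip": "203.0.113.7", "sig": "PATH-TRAVERSAL"}, 1000),
        ({"src_ip": "203.0.113.7", "sig": "PATH-TRAVERSAL"}, 1001),      # repeat from same source
        ({"src_ip": "10.0.0.53", "sig": "DNS-ANOMALY"}, 1002),           # our resolver (or a spoof of it)
        ({"src_ip": "198.51.100.2", "sig": "SQLI-UNION-SELECT"}, 1003),
        ({"src_ip": "198.51.100.3", "sig": "SQLI-UNION-SELECT"}, 1004),  # third block in a minute: refused
    ]
    actions = [r.handle(alert, t) for alert, t in alerts]
    expired = r.expire(1700)
    return actions, expired, r.commands


if __name__ == "__main__":
    actions, expired, commands = demo()
    print(actions)
    print("expired:", expired)
    print("\n".join(commands))
```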
IDS Evasion Techniques
Closely related to network attack methods; designed to avoid detection by the IDS.
Some basic and commonly known methods of attacking an IDS are:
 String matching weaknesses
 Session assembly weaknesses
 Denial of service techniques
String Matching Weaknesses
Easiest to implement and understand.
Most IDS depend heavily on string matching.
The attacker uses variants, string manipulation techniques and character substitution (alternative encodings of the same bytes) so that the strings do not match the signature.
If the strings don't match, no threat is detected.

Session Assembly Weaknesses
Works by dividing the attack string across several packets.
Data is delivered a few bytes at a time, in modified or fragmented IP packets, so no single packet contains the string the IDS is matching on.
To defend against this the IDS must fully reassemble and understand the session (difficult and processor intensive).
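Both evasions above, string manipulation and splitting the string across packets, in one added example that is not from the original slides: a naive per-packet literal matcher next to a matcher that first reassembles the stream and normalizes the result (URL-decoding, including double encoding, and collapsing of "/./" and "//" in paths). The segments are constructed as (sequence offset, payload) tuples and the signature is a hypothetical one; the reassembly is a toy that sorts by offset and ignores overlaps and retransmissions.

```python
"""IDS evasion by string manipulation and packet splitting, and the
normalization + reassembly needed to counter it (added example)."""
import urllib.parse

SIGNATURE = "/etc/passwd"  # the literal string a naive rule looks for

# Constructed traffic: one list of (tcp_sequence_offset, payload) segments per case.
CASES = {
    "plain attack":         [(0, "GET /etc/passwd HTTP/1.1")],
    "url-encoded":          [(0, "GET /%65tc/pa%73swd HTTP/1.1")],
    "double-encoded":       [(0, "GET /%2565tc/passwd HTTP/1.1")],
    "self-referential":     [(0, "GET /etc/./passwd HTTP/1.1")],
    "split across packets": [(0, "GET /et"), (7, "c/pas"), (12, "swd HTTP/1.1")],
    "split, out of order":  [(12, "swd HTTP/1.1"), (0, "GET /et"), (7, "c/pas")],
    "benign":               [(0, "GET /index.html HTTP/1.1")],
}


def naive_match(segments):
    """What a weak IDS does: literal match, one packet at a time."""
    return any(SIGNATURE in payload for _offset, payload in segments)


def reassemble(segments):
    """Toy stream reassembly: order by sequence offset and concatenate.
    A real engine must also resolve overlapping and retransmitted segments."""
    return "".join(payload for _offset, payload in sorted(segments, key=lambda s: s[0]))


def normalize(data):
    """Undo common string-manipulation evasions before matching."""
    s = urllib.parse.unquote(urllib.parse.unquote(data))  # handles %65 and double-encoded %2565
    while "//" in s:
        s = s.replace("//", "/")
    while "/./" in s:
        s = s.replace("/./", "/")
    return s


def robust_match(segments):
    """Reassemble the session first, then match on the normalized stream."""
    return SIGNATURE in normalize(reassemble(segments))


def evaluate():
    """Return {case: (naive_result, robust_result)} for every constructed case."""
    return {name: (naive_match(segs), robust_match(segs)) for name, segs in CASES.items()}


if __name__ == "__main__":
    for name, (naive, robust) in evaluate().items():
        print(f"{name:22} naive={naive!s:5} robust={robust}")
```

The remaining hard part is the one the slide calls processor intensive: when segments overlap, the IDS has to reassemble the stream the same way the destination host will, and operating systems differ in which overlapping bytes they keep, so a sensor that guesses wrong can be made to see a different stream from the one the server executes.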

Denial of Service Techniques
Characterized by preventing legitimate users of a service from using that service; against an IDS the aim is to blind the sensor or overwhelm the people behind it.
Examples:
 Consume the device's processing power
 Fill up its disk space
 Generate more alarms than the management systems can handle
 Personnel unable to investigate all the alarms
 Device lock-up
Towards the Future
IDS vendors and hardware will have to keep pace with switched networks and increasing traffic volumes.
The future of IDS lies in data correlation:
 AI
 Data mining
 Statistical analysis
 Predictive AI
Future IDS will produce results by examining input from different sources.

Conclusion
Nearly every company depends on the Internet to survive, so IDS are here to stay.
As the technology behind new IDS advances, so does the possibility of new threats.
Security issues are always present.
However, the future is promising.