Signature based and Anomaly based Network Intrusion Detection
Download
Report
Transcript Signature based and Anomaly based Network Intrusion Detection
Signature Based and Anomaly
Based Network Intrusion
Detection
By Stephen Loftus and Kent Ho
CS 158B
Agenda
•
•
•
•
Introduce Network Intrusion Detection (NID)
Signature
Anomaly
Compare and Contrast:
Signature based vs. Anomaly based NID
• Example using Ethereal™
Intrusion Detection Systems
• Intrusion detection begins where the firewall ends.
• Preventing unauthorized entry is best, but not
always possible.
• It is important that the system is reliable and
accurate and secure.
IDS (cont.)
• When designing a IDS, the mission is to protect
the data’s
– Confidentiality- read
– Integrity- read/write
– Availability- read/write/access
• Threats can come from both outside and inside the
network.
Signature
• Signature based IDS are based on looking for
“known patterns” of detrimental activity.
• Benefits:
– Low alarm rates: All it has to do is to look up
the list of known signatures of attacks and if it
finds a match report it.
– Signature based NID are very accurate.
– Speed: The systems are fast since they are only
doing a comparison between what they are
seeing and a predetermined rule.
Signature (cont.)
• Negatives:
– If someone develops a new attack, there will be no
protection.
– “only as strong as its rule set.”
– Attacks can be masked by splitting up the messages.
• Similar to Anti-Virus, after a new attack is recorded, the
data files need to be updated before the network is secure.
• Example:
– Port Scan
– DOS
– Sniffing
Anomaly
• Anomaly based IDS are based on tracking unknown unique
behavior pattern of detrimental activity
• Advantages:
– Helps to reduce the “limitations problem”.
– Conducts a thorough screening of what comes through.
Anomaly (cont.)
• Disadvantages:
– False positives, catches too much because Behavior
based NIDs monitor a system based on their behavior
patterns.
– Painstaking slow to do an exhaustive monitoring, uses
up a lot or resource
After an anomaly has been detected, it may become a
“signature”.
Anomaly vs. Signature
• Which is the best way to defend your network?
– Both have advantages
– Signature can be used as a stand alone system
– Anomaly has a few weak points that prevent it from
being a stand alone system.
• Signature is the better of the two for defending you network
• The best way is to use both!
Example
• Using Ethereal™ to detect a port scan
– A port scan is when a person executes
sequential port open requests trying to find an
open port. Most of these come back with a
“reset”
– Normal TCP/IP port request
– Port request on closed port