Intrusion Detection Systems


INTRUSION DETECTION SYSTEMS
Tristan Walters
Rayce West
OVERVIEW
- Definition – What is intrusion detection and what are intrusion detection systems (IDS)
- Characteristics of Intrusion Detection Systems
- Typical Components of Intrusion Detection Systems
- Types of Intrusion Detection Systems
  - Network-Based
  - Host-Based
  - Wireless
- Conclusion
DEFINITION
- Intrusion Detection
  - The process of monitoring and analyzing a computer system or network for suspicious behavior or potential threats
- Intrusion Detection Systems
  - The software and/or hardware that automate the process of monitoring events on a system or network and analyzing the gathered information for intrusions
CHARACTERISTICS
- Information recording
- Logging gathered information
- Analyzing information
- Notifying system administrators
- Reports
TYPICAL COMPONENTS
- Sensors
  - Collect data from various sources
  - Network packets, log files, etc.
- Management Servers
  - Analyze information collected by sensors
  - Can decide if an intrusion is occurring and take action
- User Interface
  - Typically a software tool for system admins
  - Allows admin interaction with the IDS
- Databases
  - Store sensor-gathered data, logging information, etc.
NETWORK-BASED IDS
- Monitors computer networks for possible intruders
- Analyzes network traffic and transport/application protocols
- Primary component
  - Sensors
    - Inline – sensors placed directly in the network traffic flow
    - Passive – sensors connected to the network from the outside
- Logging
  - Focuses on network information
  - IP addresses/MAC addresses, transport protocols, etc.
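To make the sensor / management-server / logging split concrete, here is an added example (not from the slides or their authors) of a toy passive NIDS pipeline in Python. The flow records are constructed sample data, the "port-sweep" rule (one source touching more than a threshold of distinct destination ports on one host within a time window) is an assumed illustrative rule, and the fixed time buckets are a simplification chosen to keep the code short.

```python
import logging
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample sensor output (not real traffic), one flow per line:
# "<epoch seconds> <src ip> <dst ip> <dst port> <protocol>"
SAMPLE_FLOWS = """\
# passive sensor export, constructed for this example
1700000000 10.0.0.5 10.0.0.20 22 tcp
1700000001 10.0.0.5 10.0.0.20 23 tcp
1700000001 10.0.0.5 10.0.0.20 25 tcp
1700000002 10.0.0.5 10.0.0.20 80 tcp
1700000002 10.0.0.5 10.0.0.20 443 tcp
1700000003 10.0.0.5 10.0.0.20 445 tcp
1700000003 10.0.0.5 10.0.0.20 3389 tcp
1700000004 10.0.0.5 10.0.0.20 8080 tcp
1700000010 10.0.0.7 10.0.0.20 443 tcp
1700000011 10.0.0.7 10.0.0.20 443 tcp
1700000012 10.0.0.9 malformed
1700000070 10.0.0.5 10.0.0.21 443 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str) -> List[Flow]:
    """Sensor stage: turn raw records into structured flows.

    Blank lines and comments are ignored; malformed records are logged and
    skipped rather than crashing the sensor.
    """
    flows: List[Flow] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            logging.warning("line %d: malformed record skipped: %r", lineno, raw)
            continue
        ts, src, dst, dport, proto = parts
        flows.append(Flow(int(ts), src, dst, int(dport), proto.lower()))
    return flows


def detect_port_sweeps(flows: List[Flow], window: int = 60, threshold: int = 5) -> List[Dict]:
    """Analyzer (management-server) stage.

    Flags a (src, dst) pair that contacts more than `threshold` distinct
    destination ports inside one `window`-second bucket. Fixed buckets keep
    the example short; a real analyzer would use a sliding window so that
    activity straddling a bucket boundary is not missed.
    """
    ports: Dict[Tuple[str, str, int], Set[int]] = defaultdict(set)
    protos: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)
    for f in flows:
        key = (f.src, f.dst, f.ts // window)
        ports[key].add(f.dport)
        protos[key].add(f.proto)

    alerts: List[Dict] = []
    for (src, dst, bucket), dports in sorted(ports.items()):
        if len(dports) > threshold:
            alerts.append({
                "rule": "port-sweep",
                "src": src,
                "dst": dst,
                "window_start": bucket * window,
                "distinct_ports": len(dports),
                "ports": sorted(dports),
                "protocols": sorted(protos[(src, dst, bucket)]),
            })
    return alerts


def format_alert(alert: Dict) -> str:
    """Notification/logging stage: one line carrying the network facts the
    NIDS logging slide lists (addresses, transport protocol)."""
    return ("[{rule}] src={src} dst={dst} window_start={window_start} "
            "distinct_ports={distinct_ports} proto={protos}"
            ).format(protos=",".join(alert["protocols"]), **alert)


def run_pipeline(text: str = SAMPLE_FLOWS) -> List[str]:
    """Sensor -> analyzer -> notify; returns the lines an admin would see."""
    return [format_alert(a) for a in detect_port_sweeps(parse_flows(text))]


if __name__ == "__main__":
    for line in run_pipeline():
        print(line)
```

The only host flagged is 10.0.0.5 against 10.0.0.20 (eight distinct ports in one window); the repeated 443 connections from 10.0.0.7 stay below threshold, which is the kind of tuning decision the management server makes before deciding an intrusion is occurring.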
INLINE SENSOR
PASSIVE SENSOR
HOST-BASED IDS
- Monitors events on a single host machine for attacks
  - Code analysis – malicious code, buffer overflows
  - Running applications
  - Changes in the host network settings
  - File system monitoring – access and integrity
- Primary component
  - Agents – software installed on the host that monitors and communicates with the management server
- Logging
  - Focuses on application information, file paths and names, user information
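The file-system integrity part of a host-based agent is easy to show end to end. The following is an added example, not code from the slides or their authors: it hashes every regular file under a directory to build a baseline, re-hashes later, and reports added, removed and modified paths, which is the information the agent would forward to the management server. The host tree it scans is constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def _sha256(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Agent stage: map each regular file under `root` (relative POSIX path)
    to its SHA-256. Symlinks and special files are skipped so the agent
    cannot be lured into following a link outside the monitored tree."""
    baseline: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = _sha256(full)
    return baseline


def diff_snapshots(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two snapshots; this is what gets logged with file paths and names."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo_integrity_check() -> Dict[str, List[str]]:
    """Build a constructed host tree, take a baseline, apply three changes,
    and return the report the agent would send to the management server."""
    with tempfile.TemporaryDirectory() as root:
        # constructed sample files, not a real system
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/hostname", b"host01\n")
        _write(root, "bin/ls", b"\x7fELF placeholder bytes")
        baseline = snapshot(root)

        # constructed changes: one file edited, one added, one removed
        _write(root, "etc/passwd",
               b"root:x:0:0:root:/root:/bin/sh\nguest:x:1001:1001::/home/guest:/bin/sh\n")
        _write(root, "tmp/new.bin", b"unexpected file")
        os.remove(os.path.join(root, "bin", "ls"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo_integrity_check().items():
        print(f"{kind}: {paths}")
```

Note that the baseline itself must be stored somewhere the monitored host cannot silently rewrite (the management server's database in the architecture above), otherwise an attacker who alters a file can also alter the recorded hash.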
HIDS ARCHITECTURE
WIRELESS IDS
- Very similar to NIDS, but monitors wireless networks rather than wired ones
- Analyzes wireless network protocols for suspicious activity
- Primary component
  - Sensors – sample frequency channels for malicious activity
    - Channel scanning – constantly scans different channels in different frequency bands
    - Fixed sensors – a sensor placed in a fixed location
    - Mobile sensors – sensors that can be moved around a network
- Logging
  - Channel numbers, the ID of the sensor that observed a malicious event, source MAC address
WIRELESS IDS SETUP
CONCLUSION
- There are a variety of different IDSs, each built from a variety of components
- IDSs are essential in any organization or institution that handles important data
- Very helpful for system administrators