Intrusion Detection Systems an overview
Presented by: Nazir Ahmad
Enroll No.: 110215
Contents
i. Introduction
ii. Process Model
iii. Terminology
iv. Detection Methodologies
v. Basic Components and the Architecture
vi. Types of IDS
vii. Efficiency Metrics
viii. References
Introduction
An Intrusion Detection System (IDS) is a device or software application that monitors network or system activities for malicious activity or policy violations and produces reports to a management station.
Simple Process Model for ID
Terminology
• Alert/Alarm: A signal suggesting that a system has been or is being attacked.
• True Positive: A legitimate attack which triggers an IDS to produce an alarm.
• False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
• False Negative: A failure of an IDS to detect an actual attack.
• True Negative: When no attack has taken place and no alarm is raised.
Detection Methodologies
IDSs generally use two primary classes of methodologies to detect an intrusion:
1. Signature-based Detection
2. Behavior-based Detection
Signature-based ID
o A signature is a pattern that corresponds to a known threat. Signature-based detection is the process of comparing signatures against observed events to identify possible incidents.
o Also known as misuse intrusion detection and knowledge-based intrusion detection.
Behavior-based ID
o Behavior-based intrusion-detection techniques assume that an intrusion can be detected by observing a deviation from the normal or expected behavior of the system or its users.
o Also called anomaly-based intrusion detection.
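As an added example (not part of the original slides), the two methodologies side by side in Python: a signature matcher that URL-decodes each request path before comparing it against known patterns, and a behavior-based detector that learns a per-client failed-login baseline from a window of normal traffic and flags clients that deviate from it. The log-line format, the signature patterns, the baseline rule (mean plus three standard deviations) and every IP address are constructed for this illustration.

```python
"""Signature-based and behavior-based detection over constructed access-log lines.

Added illustration, not code from the original slides. Log lines, signature
patterns, IP addresses and the baseline rule are all constructed here.
"""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# One line = "<client ip> <method> <path> <status>" (constructed format).
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed "normal traffic" window used to learn the behavior baseline.
TRAINING_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 POST /login 401",
    "10.0.0.5 POST /login 302",
    "10.0.0.7 POST /login 401",
    "10.0.0.7 POST /login 401",
    "10.0.0.7 POST /login 302",
    "10.0.0.8 GET /about.html 200",
    "10.0.0.10 POST /login 401",
    "10.0.0.10 POST /login 302",
]

# Constructed window to analyse: one client sends URL-encoded requests that match
# known patterns, another fails to log in far more often than the baseline allows.
TEST_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 POST /login 401",
    "10.0.0.9 GET /index.html?id=1%27%20OR%20%271%27=%271 500",
    "10.0.0.9 GET /../../etc/passwd 404",
] + ["10.0.0.12 POST /login 401"] * 40


def parse(line):
    """Parse one log line into a dict. The path is URL-decoded so that encoded
    requests are compared in the same form as the signatures. Returns None for
    lines that do not match the expected layout."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["path"] = unquote(ev["path"])
    ev["status"] = int(ev["status"])
    return ev


# --- Signature-based (misuse) detection -----------------------------------
# Each signature is a pattern corresponding to a known threat (constructed).
SIGNATURES = {
    "sqli-quote-or": re.compile(r"'\s*OR\s*'", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_alerts(lines):
    """Return (source ip, signature name) for every event matching a signature."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["path"]):
                alerts.append((ev["ip"], name))
    return alerts


# --- Behavior-based (anomaly) detection -----------------------------------
def failed_logins_per_source(lines):
    """Count HTTP 401 responses on /login per client, keeping a zero count for
    clients that were seen but never failed a login."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        counts[ev["ip"]] += 0          # register the client even at zero
        if ev["path"] == "/login" and ev["status"] == 401:
            counts[ev["ip"]] += 1
    return counts


def build_baseline(training_lines, k=3.0):
    """Learn 'normal' from a clean window: threshold = mean + k * stdev of
    failed logins per client (constructed rule)."""
    values = list(failed_logins_per_source(training_lines).values())
    return statistics.mean(values) + k * statistics.pstdev(values)


def anomaly_alerts(lines, threshold):
    """Flag clients whose failed-login count deviates above the baseline."""
    counts = failed_logins_per_source(lines)
    return [(ip, n) for ip, n in counts.items() if n > threshold]


if __name__ == "__main__":
    threshold = build_baseline(TRAINING_LOG)
    print("signature alerts:", signature_alerts(TEST_LOG))
    print(f"baseline threshold: {threshold:.2f} failed logins per client")
    print("anomaly alerts:", anomaly_alerts(TEST_LOG, threshold))
```

The signature matcher only ever finds what is already in its pattern table, while the anomaly detector catches the 40-failure client without any pattern for it; the price is a threshold that depends entirely on how representative the training window was, which is why a real deployment re-learns it and reviews the alarms it produces.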
Components of a typical IDS
Components: sensors, analyzers, database server and user interface.
• Sensor or Agent: Sensors are responsible for the collection of data; they continuously monitor activity. The term "sensor" is typically used for IDSs that monitor networks and for network behavior analysis technologies. The term "agent" is used for host-based IDSs.
• Analyzers: Analyzers receive information from the sensors and analyze it to determine whether an intrusion has occurred.
• Database Server: A database server is a repository for event information recorded by sensors, agents, and/or analyzers.
• User Interface/Console: A console is a program that provides an interface for the IDS's users and administrators. Console software is typically installed on standard desktop or laptop computers.
Basic Architecture
Example
Types of IDS
• Host Intrusion Detection System (HIDS), which monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
• Network Intrusion Detection System (NIDS), which identifies intrusions by examining network traffic and monitors multiple hosts.
Efficiency of IDS
Accuracy: Accuracy deals with the proper detection of attacks and the absence of false alarms. Inaccuracy occurs when an intrusion-detection system flags a legitimate action in the environment as anomalous or intrusive.
Performance: The performance of an intrusion-detection system is the rate at which audit events are processed. If the performance of the intrusion-detection system is poor, then real-time detection is not possible.
Completeness: Completeness is the property of an intrusion-detection system to detect all attacks. Incompleteness occurs when the intrusion-detection system fails to detect an attack.
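As an added example (not from the slides), the four outcomes from the Terminology section turned into a scorecard for the three efficiency properties above: completeness becomes the detection rate (true positives over all real attacks), the false-alarm side of accuracy becomes the false-alarm rate (false positives over all legitimate events), and performance is measured as audit events processed per second. The event stream, its ground-truth labels and the toy signature database are constructed; mapping the slide's properties onto these ratios is this example's reading of the definitions, not a formula from the slides.

```python
"""Scoring an IDS with the terminology above.

Added illustration, not from the original slides. The event stream, its
ground-truth labels and the toy signature detector are all constructed.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """Confusion matrix in the slides' terms."""
    true_positive: int   # attack happened, alarm raised
    false_positive: int  # no attack, alarm raised
    false_negative: int  # attack happened, no alarm
    true_negative: int   # no attack, no alarm


# Constructed stream of (event label, did an attack really happen?).
EVENTS = [
    ("login_ok", False),
    ("page_view", False),
    ("bruteforce", True),
    ("port_scan", True),
    ("port_scan", False),      # authorised scan: detector will alarm anyway
    ("novel_exploit", True),   # not in the signature database: will be missed
    ("sqli", True),
    ("backup_job", False),
]

# Constructed toy signature database: the detector only "knows" these labels.
SIGNATURE_DB = {"bruteforce", "port_scan", "sqli"}


def signature_detector(label):
    """Raise an alarm exactly when the event label matches a known signature."""
    return label in SIGNATURE_DB


def tally(events, detector):
    """Run the detector over every event and count the four outcomes."""
    tp = fp = fn = tn = 0
    for label, is_attack in events:
        alerted = detector(label)
        if alerted and is_attack:
            tp += 1
        elif alerted:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    return Outcome(tp, fp, fn, tn)


def _ratio(num, den):
    return num / den if den else 0.0


def detection_rate(o):
    """Completeness: share of real attacks that raised an alarm (recall)."""
    return _ratio(o.true_positive, o.true_positive + o.false_negative)


def false_alarm_rate(o):
    """Accuracy, false-alarm side: share of legitimate events that were flagged."""
    return _ratio(o.false_positive, o.false_positive + o.true_negative)


def precision(o):
    """Share of alarms that corresponded to a real attack."""
    return _ratio(o.true_positive, o.true_positive + o.false_positive)


def throughput(detector, events):
    """Performance: audit events processed per second by the detector."""
    start = time.perf_counter()
    for label, _ in events:
        detector(label)
    elapsed = time.perf_counter() - start
    return len(events) / elapsed if elapsed > 0 else float("inf")


if __name__ == "__main__":
    outcome = tally(EVENTS, signature_detector)
    print(outcome)
    print(f"detection rate (completeness): {detection_rate(outcome):.2f}")
    print(f"false-alarm rate: {false_alarm_rate(outcome):.2f}")
    print(f"precision: {precision(outcome):.2f}")
    print(f"throughput: {throughput(signature_detector, EVENTS * 1000):.0f} events/s")
```

Running it shows the two failure modes the slide describes in numbers: the authorised port scan becomes the one false positive (accuracy), and the exploit absent from the signature database becomes the one false negative (incompleteness); the throughput figure is the performance metric, and it is only meaningful when measured against the real event rate the sensor must keep up with.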