Intruders: types, detection & prevention

Presented by: Tufail(130228)

Upload: central-university-of-kashmir

Post on 09-Jan-2017

Category: Devices & Hardware

TRANSCRIPT

Page 2: intruders types ,detection & prevention

Central University of Kashmir

Page 3: intruders types ,detection & prevention

In an early study of intrusion, Anderson identified three classes of intruders:

Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.

Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his/her privileges.

Clandestine User: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit actions.

Page 5: intruders types ,detection & prevention

Intrusion detection: the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible intrusions (incidents).

Intrusion detection system (IDS): software that automates the intrusion detection process. The primary responsibility of an IDS is to detect unwanted and malicious activities.

Intrusion prevention system (IPS): software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.

Intrusion Detection & Prevention System (IDPS): evaluates a suspected intrusion once it has taken place, signals an alarm, and attempts to stop it. It watches for activities specifically designed to be overlooked by a firewall's filtering rules.


Page 6: intruders types ,detection & prevention

Unauthorized access to resources:
• Password cracking
• Spoofing, e.g. DNS spoofing
• Scanning ports & services
• Network packet listening
• Stealing information
• Unauthorized network access
• Use of IT resources for private purposes

Unauthorized alteration of resources:
• Falsification of identity
• Information altering and deletion
• Unauthorized transmission and creation of data
• Configuration changes to systems and n/w services


Page 7: intruders types ,detection & prevention

Denial of Service
• Flooding: ping flood, mail flood

Compromising a system
• Buffer overflow
• Remote system shutdown

Web application attack

“Most attacks are not a single attack but a series of individual events developed in a coordinated manner.”


Page 11: intruders types ,detection & prevention

[Diagram: generic intrusion detection architecture] Audit Records → Audit Data Preprocessor → Activity Data → Detection Engine (driven by Detection Models) → Alarms → Decision Engine (driven by a Decision Table) → Action/Report.

Underlying assumptions: system activities are observable; normal and intrusive activities have distinct evidence.

Page 12: intruders types ,detection & prevention

There are three models of intrusion detection mechanisms:

• Anomaly detection (statistical based)
• Misuse detection (signature-based)
• Hybrid detection


Page 13: intruders types ,detection & prevention

1) Misuse Detection: The misuse detection concept assumes that each intrusive activity is representable by a unique pattern or signature, so that slight variations of the same activity produce a new signature and therefore can also be detected.

They work by looking for a specific signature on a system. Identification engines perform well by monitoring these patterns of known misuse of system resources.

Examples:
• A telnet attempt with a username of “root”, which is a violation of an organization's security policy.
• An e-mail with a subject of “Free pictures!” and an attachment filename of “freepics.exe”, which are characteristics of a known form of malware.
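The following is an added example, not code from the slides: a toy signature-based (misuse) detector laid out along the generic pipeline from the architecture diagram (audit records, preprocessor, detection engine with its models, alarms, decision engine with a decision table, action/report). The two signatures encode the slide's own examples, the telnet login as “root” and the “Free pictures!” mail carrying freepics.exe. The audit-record line formats, field names, severities and actions are constructed for illustration and are not a real IDS format.

```python
"""Toy signature-based (misuse) detection pipeline (added example)."""
import re
from dataclasses import dataclass
from typing import Callable

# --- Audit records: constructed sample lines in two constructed formats ----
AUDIT_RECORDS = [
    "2017-01-09T10:00:01 telnetd login user=alice src=10.0.0.5",
    "2017-01-09T10:00:07 telnetd login user=root src=10.0.0.9",
    '2017-01-09T10:00:12 smtpd mail subject="Quarterly report" attachment=report.pdf',
    '2017-01-09T10:00:19 smtpd mail subject="Free pictures!" attachment=freepics.exe',
    "2017-01-09T10:00:25 telnetd login user=Root src=10.0.0.9",
]

# --- Audit data preprocessor: normalise raw lines into activity records ---
TELNET_RE = re.compile(r"^(?P<ts>\S+) telnetd login user=(?P<user>\S+) src=(?P<src>\S+)$")
MAIL_RE = re.compile(
    r'^(?P<ts>\S+) smtpd mail subject="(?P<subject>[^"]*)" attachment=(?P<attachment>\S+)$')

def preprocess(line):
    """Turn one raw audit line into a dict of activity fields; None if unparsed."""
    m = TELNET_RE.match(line)
    if m:
        return {"service": "telnet", **m.groupdict()}
    m = MAIL_RE.match(line)
    if m:
        return {"service": "smtp", **m.groupdict()}
    return None

# --- Detection models: each signature is a predicate over an activity ----
@dataclass
class Signature:
    name: str
    severity: str
    match: Callable[[dict], bool]

SIGNATURES = [
    # Slide example 1: telnet attempt with username "root" (policy violation).
    # Case is normalised so "Root" is treated as the same activity.
    Signature("telnet-root-login", "high",
              lambda a: a["service"] == "telnet" and a["user"].lower() == "root"),
    # Slide example 2: mail with subject "Free pictures!" and freepics.exe attached.
    Signature("freepics-malware-mail", "high",
              lambda a: a["service"] == "smtp"
              and a["subject"] == "Free pictures!"
              and a["attachment"].lower() == "freepics.exe"),
]

def detect(activity, signatures=SIGNATURES):
    """Detection engine: return an alarm for every signature that fires."""
    return [(s.name, s.severity, activity) for s in signatures if s.match(activity)]

# --- Decision engine: a decision table maps alarm severity to an action ---
DECISION_TABLE = {"high": "block-and-alert", "medium": "alert", "low": "log"}

def decide(alarm):
    name, severity, activity = alarm
    return {"signature": name, "action": DECISION_TABLE.get(severity, "log"),
            "ts": activity["ts"]}

def run_pipeline(lines):
    """Run every stage over raw lines and return the decisions (action/report)."""
    decisions = []
    for line in lines:
        activity = preprocess(line)
        if activity is None:
            continue  # unparsed lines are dropped here; a real IDS would count them
        for alarm in detect(activity):
            decisions.append(decide(alarm))
    return decisions

if __name__ == "__main__":
    for decision in run_pipeline(AUDIT_RECORDS):
        print(decision)
```

Three of the five constructed records produce a decision: the two root telnet logins (one of them spelled “Root”, caught only because the signature normalises case) and the freepics.exe mail. The first telnet login and the quarterly-report mail pass silently, which is the point of misuse detection: anything with no signature is invisible to it.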


Page 14: intruders types ,detection & prevention

2) Anomaly detection: monitors network traffic and compares it against an established baseline. The baseline identifies what is “normal” for that network (what bandwidth is generally used, what protocols are used, which ports and devices generally connect to each other) and alerts the administrator or user when traffic is detected that is anomalous, or significantly different from the baseline. The issue is that it may raise a false positive alarm for a legitimate use of bandwidth if the baseline is not intelligently configured.


Page 15: intruders types ,detection & prevention

True Positive: Attack - Alert
False Positive: No attack - Alert
False Negative: Attack - No alert
True Negative: No attack - No alert
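An added example, not the slides' code, covering the anomaly-detection slide and the outcome table above together: it builds a bytes-per-minute baseline from constructed “quiet” samples, flags minutes that sit more than k standard deviations from the baseline mean, and then scores the alerts against constructed attack labels as TP/FP/FN/TN exactly as the table defines them. All traffic figures and labels are constructed; the threshold rule (mean ± k·stdev) is one common choice, not something the slides prescribe.

```python
"""Baseline anomaly detection with TP/FP/FN/TN scoring (added example)."""
import statistics

# Constructed training data: bytes transferred in each of 20 quiet minutes.
BASELINE_SAMPLES = [1200, 1350, 1100, 1250, 1400, 1300, 1150, 1280,
                    1220, 1330, 1190, 1260, 1310, 1240, 1180, 1290,
                    1270, 1230, 1340, 1210]

def build_baseline(samples):
    """Summarise 'normal' as the mean and standard deviation of the metric."""
    return {"mean": statistics.mean(samples), "stdev": statistics.pstdev(samples)}

def is_anomalous(value, baseline, k=3.0):
    """Alert when a value lies more than k standard deviations from the mean."""
    return abs(value - baseline["mean"]) > k * baseline["stdev"]

def score(alerts, labels):
    """Count outcomes per the slide: TP attack+alert, FP no attack+alert,
    FN attack+no alert, TN no attack+no alert."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for alert, attack in zip(alerts, labels):
        if attack and alert:
            counts["TP"] += 1
        elif alert:
            counts["FP"] += 1
        elif attack:
            counts["FN"] += 1
        else:
            counts["TN"] += 1
    return counts

# Constructed observation window: (bytes in that minute, was it an attack?)
OBSERVATIONS = [
    (1260, False),
    (1310, False),
    (9800, True),    # flood: far above anything in the baseline
    (2100, False),   # legitimate backup burst: a false-positive candidate
    (1290, False),
    (1450, True),    # low-and-slow exfiltration hiding near the normal range
]

def evaluate(observations=OBSERVATIONS, baseline_samples=BASELINE_SAMPLES, k=3.0):
    """Return (alert flags, outcome counts) for one threshold setting."""
    baseline = build_baseline(baseline_samples)
    alerts = [is_anomalous(b, baseline, k) for b, _ in observations]
    labels = [attack for _, attack in observations]
    return alerts, score(alerts, labels)

if __name__ == "__main__":
    for k in (3.0, 1.0):
        print("k =", k, evaluate(k=k)[1])
```

With the baseline mean of 1255 bytes and a standard deviation of about 71, k = 3 catches the flood, raises a false positive on the backup burst and misses the low-and-slow minute (TP 1, FP 1, FN 1, TN 3); dropping to k = 1 also catches the slow minute on this data. The trade the slide warns about is visible here: the threshold and the quality of the baseline, not the detector code, decide how many false positives legitimate bursts generate.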


Page 16: intruders types ,detection & prevention

IDPSs are classified based on their monitoring scope. They are:

1) network-based intrusion detection and
2) host-based detection.

Network-Based Intrusion Detection Systems (NIDSs)/NDPS: NIDSs have the whole network as their monitoring scope. They monitor the traffic on the network to detect intrusions. They are responsible for detecting anomalous, inappropriate, or other data occurring on a network that may be considered unauthorized and harmful.


Page 18: intruders types ,detection & prevention

Misuse is not confined to the “bad” outsiders; the problem is more rampant within organizations. To tackle this problem, security experts have turned to inspection of the systems within an organization's network. This local inspection of systems is called host-based intrusion detection (HIDS).

Host-based intrusion detection is the technique of detecting malicious activities on a single computer.


Page 19: intruders types ,detection & prevention

A HIDS is therefore deployed on a single target computer, and it uses software that monitors operating-system-specific logs, including the system, event, and security logs on Windows systems and syslog in Unix environments, to detect sudden changes in these logs.

When a change is detected in any of these files, the HIDS compares the new log entries with its configured attack signatures to see if there is a match. If a match is detected, this signals the presence of illegitimate activity.
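An added example of the host-based behaviour just described, not code from the slides or from any HIDS product: a monitor remembers how many bytes of a log file it has already inspected, reads only what was appended since the last check, and tests each new entry against configured signatures. A shrinking file is reported as its own event, since a cleared log is something a HIDS should notice. The syslog-style lines and the two signatures are constructed for the example.

```python
"""Incremental host log monitor with signature matching (added example)."""
import os
import re
import tempfile

# Constructed signatures: name -> regex tested against each new syslog line.
SIGNATURES = {
    "ssh-auth-failure": re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?\S+ from \S+"),
    "sudo-command": re.compile(r"sudo: .* USER=root ; COMMAND="),
}

class LogMonitor:
    def __init__(self, path, signatures=SIGNATURES):
        self.path = path
        self.signatures = signatures
        self.offset = 0  # bytes of the file already inspected

    def check(self):
        """Inspect entries appended since the previous check; return alerts."""
        alerts = []
        size = os.path.getsize(self.path)
        if size < self.offset:
            # The file shrank: truncation or rotation is itself worth reporting.
            alerts.append(("log-truncated", None))
            self.offset = 0
        if size == self.offset:
            return alerts  # nothing new to inspect
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            chunk = fh.read()
            self.offset += len(chunk)
        for line in chunk.decode("utf-8", errors="replace").splitlines():
            for name, rx in self.signatures.items():
                if rx.search(line):
                    alerts.append((name, line))
        return alerts

def demo():
    """Write a constructed auth log, append entries, and check after each change."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth.log")
        with open(path, "w") as fh:
            fh.write("Jan  9 10:00:01 host sshd[1201]: Accepted publickey for alice "
                     "from 10.0.0.5 port 51022\n")
        mon = LogMonitor(path)
        first = mon.check()  # initial read: benign entry, no match
        with open(path, "a") as fh:
            fh.write("Jan  9 10:00:09 host sshd[1207]: Failed password for invalid user admin "
                     "from 203.0.113.7 port 40122\n")
            fh.write("Jan  9 10:00:11 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; "
                     "USER=root ; COMMAND=/bin/cat /etc/shadow\n")
        second = mon.check()  # only the two appended lines are inspected
        third = mon.check()   # no change since the previous check
        open(path, "w").close()  # log cleared
        fourth = mon.check()
        return first, second, third, fourth

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The offset is kept in bytes and the file is opened in binary mode so that a multi-byte character near the boundary cannot desynchronise the position; a production monitor would also persist the offset across restarts and track rotated files by inode rather than name.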


Page 21: intruders types ,detection & prevention

A honeypot is a system designed to look like something that an intruder can hack, in order to deceive attackers and learn about their tools and methods. Honeypots are add-on tools that are not strictly sniffer-based intrusion detection systems like HIDS and NIDS. However, they are good deception systems that protect the network in much the same way as HIDS and NIDS.

Since the goal of a honeypot is to deceive intruders and learn from them without compromising the security of the network, it is important to find a strategic place for it: in the DMZ for networks that have one, or behind the network firewall if the private network does not have a DMZ.
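An added example, not code from the slides: a minimal low-interaction honeypot listener of the kind placed in a DMZ. It offers no real service; it accepts a connection, presents a decoy banner, records the source address and the first bytes the peer sends, and closes. Those records are the “tools and methods” evidence the slide refers to. The banner text, record fields and the constructed probe in the demo are assumptions for the example; the decoy hostname reuses one from the slides.

```python
"""Low-interaction honeypot listener that only records contact (added example)."""
import socket
import threading
import time

DECOY_BANNER = b"220 swift-terminal.bigbank.com ready\r\n"  # constructed decoy text

def serve_once(listener, records, banner=DECOY_BANNER, max_bytes=256, timeout=2.0):
    """Accept one connection, send the banner, capture the first bytes, record, close."""
    conn, (host, port) = listener.accept()
    conn.settimeout(timeout)
    try:
        conn.sendall(banner)
        try:
            data = conn.recv(max_bytes)  # whatever the peer tries first
        except socket.timeout:
            data = b""
    finally:
        conn.close()  # never hold a session open or answer with real data
    records.append({"time": time.time(), "src": host, "src_port": port, "data": data})

def demo(probe=b"USER admin\r\n"):
    """Bind an ephemeral localhost port, make one constructed connection to it,
    and return the banner the client saw plus the honeypot's records."""
    records = []
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_once, args=(listener, records))
    worker.start()
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as client:
        banner = client.recv(256)
        client.sendall(probe)
    worker.join(timeout=5.0)
    listener.close()
    return banner, records

if __name__ == "__main__":
    seen_banner, seen_records = demo()
    print(seen_banner, seen_records)
```

Because a legitimate host has no reason to contact the decoy, every record is worth an analyst's attention, which is what makes honeypot data low-noise compared with NIDS alerts. Placement still matters as the slide says: the listener should sit where a compromise of it cannot be turned against the rest of the network.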


Page 23: intruders types ,detection & prevention

A honeypot is a system that is deliberately named and configured so as to invite attack, for example:
• swift-terminal.bigbank.com
• www-transact.site.com
• source-r-us.company.com
• admincenter.noc.company.net
