Intrusion Detection System and Intrusion Remedies

Upload: vj-bhaskar

Post on 04-Apr-2018


TRANSCRIPT

  • 7/29/2019 Intrusion Detection System and Intrusion Remedies

    1/22

    2/22

    An intrusion is a deliberate, unauthorized attempt, successful or not, to break into, access, manipulate, or misuse some valuable property, where the misuse may render the property unreliable or unusable.

    The person who intrudes is an intruder.

    3/22

    Three classes of intruders (hackers or crackers):

    Masquerader: an unauthorized user who penetrates a computer system's access controls and gains access to user accounts.

    Misfeasor: a legitimate user who accesses resources he is not authorized to access, or who is authorized such access but misuses his privileges.

    Clandestine user: a user who seizes supervisory control of the system and uses it to evade auditing and access control.

    4/22

    [Figure: tunnelling through a firewall; labels: RelTunnel, ICMP Tunnel]

    You spend great money on concrete walls (firewalls), but they are of no use if someone can dig through them.

    5/22

    An IDS is software that automates the intrusion detection process. Its primary responsibility is to detect unwanted and malicious activities. There are two models of intrusion detection mechanisms: anomaly-based detection and signature-based detection.

    6/22

    Anomaly-based systems are learning systems in the sense that they work by continuously building norms of activity. These norms are later used to detect anomalies that might indicate an intrusion.

    There are two types of anomaly detection:

    1. Static anomaly detection
    2. Dynamic anomaly detection

    7/22

    A static anomaly detection system is based on the assumption that there is a static portion of the system being monitored. Static portions of the system can be represented as a binary string or a set of binary strings. If the static portion of the system ever deviates from its original form, either an error has occurred or an intruder has altered the static portion of the system.

    Examples of static anomaly detectors are Tripwire and virus-specific checkers.

    8/22

    Tripwire functions as a host-based intrusion detection system. Rather than attempting to detect intrusions at the network interface level, Tripwire detects changes to file system objects. When first initialized, Tripwire scans the file system as directed by the administrator and stores information on each file scanned in a database. At a later date the same files are scanned and the results compared against the stored values in the database. Changes are reported to the user. Cryptographic hashes are employed to detect changes in a file without storing the entire contents of the file in the database.

    9/22

    Dynamic anomaly detection is also known as statistical-based IDS. It is more difficult than detecting static string changes.

    Profiles are defined for each user to characterize normal behavior:

    User choices: log-in time, favorite programs

    User sequence of actions

    User CPU usage / network activity

    Profiles can be gradually changed to reflect changes in user behavior over time.

    10/22

    The Next-Generation Intrusion Detection Expert System (NIDES) builds statistical profiles of users by taking measures that fall into three classes:

    Audit record distributions: the types of audit records generated over a period of time

    Categorical: user name, names of files accessed

    Continuous: any measure in which the outcome is how often something occurred, e.g. total number of open files, number of pages read off secondary storage

    11/22

    Drawbacks of statistical profiling:

    An insider could slowly modify their behavior over time until it is possible to mount an attack without being flagged as anomalous.

    Users with erratic schedules or hours can be difficult to profile.

    Determining the deviation threshold can be difficult.
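The following is an added example, not code from the slides or from NIDES, of the statistical profiling described on slides 9 to 11: a per-user profile of continuous measures (login hour, CPU seconds, bytes sent; all values constructed), a z-score deviation threshold, and an exponentially weighted update so the profile follows gradual changes in behavior. The class and function names are hypothetical.

```python
import math
from dataclasses import dataclass, field

# Constructed "normal" observations for one user, one row per session:
# (login_hour, cpu_seconds, bytes_sent). Hypothetical values, not from the slides.
BASELINE = [
    (9, 120.0, 2_000_000),
    (9, 130.0, 2_500_000),
    (10, 110.0, 1_800_000),
    (9, 125.0, 2_200_000),
    (8, 140.0, 2_400_000),
    (10, 115.0, 2_100_000),
    (9, 135.0, 2_300_000),
    (9, 120.0, 1_900_000),
]

MEASURES = ("login_hour", "cpu_seconds", "bytes_sent")


@dataclass
class Profile:
    """Per-user running mean and variance for each continuous measure."""
    mean: dict = field(default_factory=dict)
    var: dict = field(default_factory=dict)

    @classmethod
    def from_observations(cls, rows):
        """Build the initial profile from a training window of normal sessions."""
        p = cls()
        n = len(rows)
        for i, name in enumerate(MEASURES):
            col = [r[i] for r in rows]
            mu = sum(col) / n
            p.mean[name] = mu
            # population variance; the floor keeps z-scores finite for a constant measure
            p.var[name] = max(sum((x - mu) ** 2 for x in col) / n, 1e-9)
        return p

    def zscores(self, row):
        """Standardised distance of each measure from the profile."""
        return {name: (row[i] - self.mean[name]) / math.sqrt(self.var[name])
                for i, name in enumerate(MEASURES)}

    def deviations(self, row, threshold):
        """Names of the measures whose |z| exceeds the deviation threshold."""
        return sorted(name for name, z in self.zscores(row).items() if abs(z) > threshold)

    def update(self, row, alpha=0.1):
        """Exponentially weighted update so the profile drifts with the user."""
        for i, name in enumerate(MEASURES):
            d = row[i] - self.mean[name]
            self.mean[name] += alpha * d
            self.var[name] = (1 - alpha) * (self.var[name] + alpha * d * d)


def score_and_learn(profile, row, threshold=3.0):
    """Flag deviations; fold the observation into the profile only when it is
    within the norm, so that flagged activity does not teach the detector."""
    flagged = profile.deviations(row, threshold)
    if not flagged:
        profile.update(row)
    return flagged


if __name__ == "__main__":
    profile = Profile.from_observations(BASELINE)
    print(score_and_learn(profile, (9, 125.0, 2_200_000)))    # normal session
    print(score_and_learn(profile, (3, 125.0, 40_000_000)))   # off-hours, large transfer
```

The threshold (3 standard deviations here) is the knob slide 11 calls difficult to set: lower it and erratic users generate false alarms, raise it and small deviations pass. Learning only from unflagged sessions is a common mitigation for the slow-drift problem, but it does not remove it, since changes that stay under the threshold are still absorbed into the profile.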

    12/22

    The misuse detection concept assumes that each intrusive activity is representable by a unique pattern or signature, so that slight variations of the same activity produce a new signature and therefore can also be detected.

    Misuse detection systems are therefore commonly known as signature systems. They work by looking for a specific signature on a system. Identification engines perform well by monitoring these patterns of known misuse of system resources.

    This system uses state transition diagrams and model-based rule organizations.
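As an added example (not code from the slides or from any IDS product), the signature approach on this slide applied to a handful of constructed sshd log lines: two single-line pattern signatures, plus a state-transition signature that tracks, per source address, the sequence "several failed logins, then a successful one". The same line-by-line matching over a log record is what the Log File Monitors on slide 17 do. Rule names, the sample log, and the addresses (documentation ranges) are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the slides). 203.0.113.5 and
# 192.0.2.10 are documentation addresses.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jan 10 10:00:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Jan 10 10:00:05 host sshd[2003]: Failed password for root from 203.0.113.5 port 51002 ssh2
Jan 10 10:00:09 host sshd[2004]: Accepted password for root from 203.0.113.5 port 51003 ssh2
Jan 10 10:02:00 host sshd[2005]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
"""

# Single-line signatures: one regular expression per known pattern of misuse.
PATTERN_RULES = [
    ("ssh-invalid-user", re.compile(r"Failed password for invalid user")),
    ("root-password-login", re.compile(r"Accepted password for root from")),
]

# Fields needed by the state-transition signature.
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port")
OK_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")


def match_patterns(line):
    """Names of every single-line signature that fires on this line."""
    return [name for name, rx in PATTERN_RULES if rx.search(line)]


class FailuresThenSuccess:
    """State-transition signature: per source, count failures (state FAILING(k));
    a success from a source with k >= min_failures moves it to the alert state."""

    def __init__(self, min_failures=3):
        self.min_failures = min_failures
        self.failures = defaultdict(int)   # source address -> consecutive failures

    def feed(self, line):
        m = FAIL_RE.search(line)
        if m:
            self.failures[m.group(1)] += 1
            return None
        m = OK_RE.search(line)
        if m:
            user, src = m.groups()
            count = self.failures.pop(src, 0)   # success resets the source's state
            if count >= self.min_failures:
                return f"success-after-{count}-failures:{user}@{src}"
        return None


def scan(log_text, min_failures=3):
    """Run both kinds of signature over a log; return (line_number, signature) hits."""
    hits = []
    sequence = FailuresThenSuccess(min_failures)
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for name in match_patterns(line):
            hits.append((lineno, name))
        tag = sequence.feed(line)
        if tag:
            hits.append((lineno, tag))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The single-line rules are the textbook signature: they fire only on the exact pattern they encode, which is why a signature set needs continual updating. The state-transition rule is the slide's "state transition diagram" in miniature: it carries state across lines, so it catches an activity that no single line reveals.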

    13/22

    Intrusion detection systems are classified based on their monitoring scope: host-based intrusion detection and network-based intrusion detection.

    Host-Based Intrusion Detection Systems (HIDS)

    This local inspection of systems is called host-based intrusion detection (HIDS). Host-based intrusion detection is the technique of detecting malicious activities on a single computer. It is deployed on a single target computer and uses logs, including the system, event, and security logs on Windows systems and syslog in Unix environments, to monitor sudden changes in these logs.

    14/22

    NIDSs have the whole network as their monitoring scope. They monitor the traffic on the network to detect intrusions. They are responsible for detecting anomalous, inappropriate, or other data that may be considered unauthorized and harmful occurring on a network. There are striking differences between NIDS and firewalls.

    15/22

    NIDS and HIDS each patrol their own area of the network for unwanted and illegal network traffic, and they complement each other: each brings its own strengths and weaknesses to the security of the network, and together they augment it. Hybrids are new and need a great deal of support to gain on their two cousins. Their success will depend to a great extent on how well the interface receives and distributes the incidents and integrates the reporting structure between the different types of sensors in the HIDS and NIDS spheres. The interface should also be able to smartly and intelligently gather and report data from the network or systems being monitored.

    16/22

    Although NIDS and HIDS and their hybrids are the most widely used tools in network intrusion detection, there are others that are less used but more targeted and, therefore, more specialized. Because many of these tools are so specialized, many are still not considered intrusion detection systems but rather intrusion detection add-ons or tools.

    17/22

    System Integrity Verifiers (SIVs)

    SIVs monitor critical files in a system, such as system files, to find whether an intruder has changed them. They can also detect when a normal user somehow acquires root/administrator level privileges.

    Log File Monitors (LFMs)

    LFMs first create a record of log files generated by network services. Then they monitor this record, just like a NIDS, looking for system trends, tendencies, and patterns in the log files that would suggest an intruder is attacking.

    Honeypots

    A honeypot is a system designed to look like something that an intruder can hack. They are built for many purposes, but the overriding one is to deceive attackers and learn about their tools and methods.
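The change-detection approach shared by Tripwire (slide 8) and the System Integrity Verifiers above, as an added example that is not Tripwire's code or the slides' own: an initial scan fingerprints each file (SHA-256, size, mode) into a JSON "database", a later scan recomputes the fingerprints and reports added, removed and changed files. The function names are hypothetical, and the demo builds its own temporary directory tree with constructed contents so it runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical helper names (not Tripwire's API). The database is a JSON
# object mapping a POSIX-style relative path to its fingerprint.


def fingerprint(path: Path) -> dict:
    """SHA-256 plus size and permission bits; the hash stands in for the file's
    contents so the database never has to store the file itself."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}


def build_database(root: Path) -> dict:
    """Scan every regular file under root, as the administrator's policy directs."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_database(db: dict, dest: Path) -> None:
    dest.write_text(json.dumps(db, indent=2, sort_keys=True))


def load_database(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(root: Path, baseline: dict) -> dict:
    """Later scan: rescan root and diff it against the stored baseline."""
    current = build_database(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if current[p] != baseline[p]),
    }


def demo() -> dict:
    """Self-contained walk-through on a temporary tree with constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "sub").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "sub" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "stable.conf").write_text("keep=1\n")
        db_path = Path(tmp) / "integrity.json"      # kept outside the scanned tree
        save_database(build_database(root), db_path)  # initial scan

        # Simulated drift between the two scans: one edit, one deletion, one new file.
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n# edited\n")
        (root / "sub" / "hosts").unlink()
        (root / "new.conf").write_text("added=1\n")

        return compare(root, load_database(db_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The checker is only as trustworthy as its baseline: if the database lives on the monitored host with write access, an intruder who alters a file can also re-baseline it. Keeping the database (and the checker binary) on read-only or offline media, or signing it, is the usual mitigation.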

    18/22

    Although IDSs have been one of the cornerstones of network security, they have covered only the passive component, which only detects and reports without preventing. A promising new model of intrusion defense is developing and picking up momentum: the intrusion prevention system (IPS), whose aim is to prevent attacks.

    19/22

    The IPS stops the attack itself: it terminates the network connection or user session that is being used for the attack, or blocks access to the target from the offending user account, IP address, or other attacker attribute.

    The IPS changes the security environment: it could change the configuration of other security controls to disrupt an attack, such as reconfiguring a network device (e.g., firewall, router, switch) to block access from the attacker or to the target, or altering a host-based firewall on a target to block incoming attacks. Some IPSs can even cause patches to be applied to a host if the IPS detects that the host has vulnerabilities.

    The IPS changes the attack's content: some IPS technologies can remove or replace malicious portions of an attack to make it benign. An example is an IPS removing an infected file attachment from an e-mail and then permitting the cleaned e-mail to reach its recipient.
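The third IPS action on this slide, changing the attack's content, as an added example that is not from the slides or from any IPS product: a MIME message is parsed with Python's standard email library, each attachment is hashed, attachments whose SHA-256 is on a blocklist are dropped, and the cleaned message is re-serialised for delivery. The message, the "infected" payload and the blocklist entry are all constructed here; the hash is not a real malware indicator.

```python
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed: the flagged attachment is just these bytes, and the blocklist
# holds their SHA-256. A real IPS would feed this from its signature updates.
FLAGGED_PAYLOAD = b"constructed-example-of-a-flagged-attachment"
BLOCKLIST = {hashlib.sha256(FLAGGED_PAYLOAD).hexdigest()}


def build_sample_message() -> bytes:
    """Constructed inbound mail: a text body, one flagged and one harmless attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Report attached.")
    msg.add_attachment(FLAGGED_PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="report.exe")
    msg.add_attachment("harmless notes", filename="notes.txt")
    return msg.as_bytes()


def sanitize(raw: bytes, blocklist=BLOCKLIST):
    """Remove blocklisted attachments; return (cleaned message bytes, removed filenames)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    removed = []
    if not msg.is_multipart():
        return msg.as_bytes(), removed
    kept = []
    for part in msg.iter_parts():
        if part.is_attachment():
            # decode=True undoes the transfer encoding so we hash the real content
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            if digest in blocklist:
                removed.append(part.get_filename())
                continue
        kept.append(part)
    msg.set_payload(kept)            # body and surviving attachments stay in place
    return msg.as_bytes(), removed


def attachment_names(raw: bytes):
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [p.get_filename() for p in msg.iter_attachments()]


def body_text(raw: bytes) -> str:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return msg.get_body(preferencelist=("plain",)).get_content().strip()


if __name__ == "__main__":
    original = build_sample_message()
    cleaned, dropped = sanitize(original)
    print("before:", attachment_names(original))
    print("removed:", dropped)
    print("after:", attachment_names(cleaned))
```

Hash matching is the simplest form of the content check and illustrates the limit the slide's signature model has in general: a single changed byte yields a new hash, so production IPSs combine exact hashes with scanners that inspect the decoded content.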

    20/22

    Intrusion detection systems and intrusion prevention systems are only one piece of the whole security puzzle. They must be supplemented by the user's effort as well.

    21/22

    Users must have a good firewall, as well as an IDS and IPS, to protect the system.

    Users should not reply to unknown e-mails by providing legitimate data.

    Users must protect their data and accounts with a strong password, which must include upper-case letters, lower-case letters, digits, and symbols (A, a, 1, $) and should not be personal data or anything related to the user.

    Security questions should not be easy to find out, since the intruder (hacker) may have access to the user's personal life.

    22/22

    By J. Gautham (08m31a1226)