intrusion detection final.ppt
Posted on 14-Oct-2015
Description: presentation on intrusion detection systems in network security
Presented by: Manmeet Kaur (13-508), Anmol Dabra (13-515), Sapna (13-522)
Agenda
- Introduction to IDS: Manmeet Kaur
- Methodology of Intrusion Detection: Anmol Dabra
- Deployment of IDS: Sapna

Brief Introduction to Intrusion
- The seriousness and sophistication of cyber-attacks has risen dramatically over the past 10 years.
- Widely available free automated intrusion tools and exploit scripts duplicate known methods of attack.
- Attacks are getting more sophisticated, yet easier to copy.
- Contributing factors: increased connectivity and complexity, easy availability of vulnerability information and attack scripts via the Internet, and dependence on distributed network services.
- Computer crime is unpredictable: previous threats and attacks cannot be relied on as the sole metric for preparing against future ones, although they are the basis of all of today's signature-based ID products.

Intrusion
- Dictionary meaning: entrance by force, or without permission or welcome.
- An intrusion is a deliberate, unauthorized attempt, successful or not, to break into, access, manipulate, or misuse some valuable property, where the misuse may render the property unreliable or unusable.
- The person who intrudes is an intruder.

Types of Intruders:
Attack and Intrusion
- Attack and intrusion can be viewed from a number of perspectives, chiefly the intruder's and the victim's. Each perspective brings its own criterion for judging the success of the attack.
- From the victim's point of view, an intrusion has taken place if the attack is considered successful (the victim has experienced some loss or consequence).
- A vulnerability in the victim's system, exploited by an intruder who has an objective, is what enables a successful attack.
- The intrusion process ends when some or all of the intruder's objectives are realized, or the intruder gives up.
- Because multiple perspectives are involved in a single attack, defining what constitutes an attack is difficult.
- Intrusion is a significant security problem for networked systems. The trespass can be either:
- User trespass: (1) an unauthorized logon to a machine, or (2) an authorized user acquiring privileges beyond those that have been granted.
- Software trespass: in the form of a virus, worm or Trojan horse.

Consequences of Intrusion
- If an intrusion occurs without the user knowing or reacting to it, the danger exists that the intruder gains control over all of the resources, and thus over the whole computer or network.
- Once inside the network, the intruder's main focus is to get control of the system and to erase signs of entry.
- The intruder may operate in stealth mode and secretly spread from system to system, using the compromised network as a springboard.
- The intruder has various kinds of scripts (parking; cleanup of log files, system and event files, file integrity checker files, and ID system files, e.g. Wipe 1.0, Wzap.c, Zap.c) that he can use to strengthen his position, making it almost impossible to regain control over the computer or network.
- Loss of reputation
- Loss of confidentiality
- Loss of valuable data

Intrusion Techniques
Password Guessing
- It is the most common attack. The following techniques are used to guess passwords:
- try the default password shipped with the system
- exhaustively try all short passwords (1-3 characters long)
- try all words in the system's online dictionary
- try the user's personal information (full name, spouse, children, etc.)
- try all legitimate license plate numbers for the state
- try the user's phone number, social security number, room number, etc.
- tap the line between the user and the host system
Password Capture
- watching over the shoulder as the password is entered
- monitoring an insecure network login (e.g. telnet, FTP, web, email)
- extracting recorded information after a successful login (web history/cache, last number dialled, etc.)
- using a Trojan horse to bypass restrictions on access
- Ex: a game invited system operators to use it in their spare time. It did play a game, but in the background it copied the password file.
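As an added example (not part of the original slides), the guessing techniques listed above are run against a password file protected with the one-way function described on the Password File Protection slide that follows. The word lists, the user's personal details, the iteration count and the lowercase-only exhaustive search are constructed for the demonstration; PBKDF2-HMAC-SHA256 with a per-user salt stands in for the slide's unspecified one-way function.

```python
import hashlib
import hmac
import itertools
import os
import string

# Hypothetical demo parameters (not from the original slides). A real deployment uses a
# far higher iteration count; 100 keeps the exhaustive short-password search quick.
ITERATIONS = 100
SALT_BYTES = 16


def store_password(password, salt=None):
    """One-way function storage: keep only the salt and PBKDF2-HMAC-SHA256 of the password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def check_password(candidate, record):
    """Transform the presented password the same way and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


# Constructed word lists standing in for "default passwords shipped with the system"
# and "the system's online dictionary".
DEFAULT_PASSWORDS = ["admin", "password", "changeme", "root"]
DICTIONARY = ["sunshine", "letmein", "welcome", "dragon", "monkey"]


def guess_candidates(user_info, max_short_len=3):
    """Yield guesses in the order the slide lists the techniques."""
    # 1. default passwords shipped with the system
    yield from DEFAULT_PASSWORDS
    # 2. exhaustively try all short passwords (here: lowercase letters, 1-3 characters)
    for length in range(1, max_short_len + 1):
        for chars in itertools.product(string.ascii_lowercase, repeat=length):
            yield "".join(chars)
    # 3. all words in the system's dictionary
    yield from DICTIONARY
    # 4. the user's personal information (name, spouse, room ...), plain and with common suffixes
    for value in user_info.values():
        for variant in (value, value.lower(), value + "123", value + "1"):
            yield variant


def guess_password(record, user_info):
    """Run the whole guessing strategy against one stored record; return the password or None."""
    for candidate in guess_candidates(user_info):
        if check_password(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    info = {"name": "Alice", "spouse": "Bob", "room": "B12"}   # constructed personal info
    for pw in ("changeme", "qz", "sunshine", "Bob123", "correct-horse-7Q!"):
        found = guess_password(store_password(pw), info)
        print(f"{pw!r:22} -> {'cracked: ' + found if found else 'not found'}")
```

The one-way function does not stop the guesser; it only forces every guess to be transformed and compared, so the cost per guess (the iteration count) and the password's distance from the guess lists above decide whether the attack succeeds. Only the last, unguessable password survives the full run.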
Password File Protection
To protect the file that relates IDs to passwords, one of two approaches can be employed:
1. One-way function: the system stores only the value of a function of the user's password. When the user presents a password, the system transforms it and compares the result with the stored value.
2. Access control: access to the password file is limited to one or a very few accounts.

Examples of Intrusion
- remote root compromise
- web server defacement
- guessing / cracking passwords
- copying databases containing credit card numbers
- viewing sensitive data without authorization
- running a packet sniffer
- distributing pirated software
- using an unsecured modem to access the internal network
- impersonating an executive to get information
- using an unattended workstation

Intrusion Detection
What Is Intrusion Detection
- E. Amoroso: Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and network resources.
- Analogy: security cameras and burglar alarms in a house; intrusion detection in information systems.
- Categories: attack detection and intrusion detection.
- The goal of intrusion detection is to positively identify all true attacks and negatively identify all non-attacks.

Characteristics of ID
- ID monitors a whole system or just a part of it.
- Intrusion detection occurs either during an intrusion or after it.
- ID can be stealthy or openly advertised.
- If suspicious activity occurs it produces an alarm and keeps logs that can be used for reports on long-term developments.
- A human (administrator) is needed for alarm processing.
- ID systems can produce an alarm and/or an automated response.

Motivation of ID
The motivation for intrusion detection varies between sites:
- Some use IDS for tracking, tracing, and prosecution of intruders.
- Some use IDS as a mechanism for protecting computing resources.
- Some use IDS for identifying and correcting vulnerabilities.

Why Intrusion Detection
Detecting and reacting to an attack makes it possible to:
- stop the attack before anything serious happens, and do damage control
- gain knowledge of the attack and manage the damage
- gather information about the attack and try to stop it from happening again
- gather information about attacks against the ID system itself; useful data for the security administration
- Timely and correct response is imperative in IDS.

IDS
- An intrusion detection system (IDS) is a system used to detect unauthorized intrusions into computer systems and networks.
- Intrusion detection as an idea is not new; it has been used for generations to defend valuable resources.
- If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done.

Basis of IDS
- Assumes that intruder behaviour differs from legitimate users' behaviour in ways that can be quantified.
- One cannot expect a crisp, exact distinction: there will be some overlap, which causes problems.
- False positives: a loose interpretation of intruder behaviour; authorized users identified as intruders.
- False negatives: a tight interpretation of intruder behaviour; intruders not identified as intruders.

Behavior Profiles
Approaches to Intrusion Detection
Detection Method
It describes the characteristics of the analyzer. Detection can be performed according to two complementary strategies:
- Knowledge-based intrusion detection (misuse detection): when the intrusion-detection system uses information about the attacks, we qualify it as knowledge-based.
- Behaviour-based intrusion detection (anomaly detection): when the intrusion-detection system uses information about the normal behaviour of the system it monitors, we qualify it as behaviour-based.

Misuse Detection (Signature-based ID)
- Looks for events, or sets of events, that match a predefined pattern of events that describes a known attack. The patterns are called signatures.
- Rule-based systems: encoding intrusion scenarios as a set of rules.
- State-based intrusion scenario representations.
- Advantages: very effective at detecting attacks without generating an overwhelming number of false alarms.
- Disadvantages: can only detect the attacks they know about, so they must be constantly updated with signatures of new attacks. Many misuse detectors are designed to use tightly defined signatures that prevent them from detecting variants of common attacks.

Anomaly Detection
- Identifies abnormal, unusual behaviour (anomalies) on a host or network.
- Works on the assumption that attacks differ from normal (legitimate) activity and can therefore be detected by systems that identify these differences.

Methods for Anomaly Detection:
- Statistical measures
- Rule-based measures
- Machine learning
- Data mining
- Neural networks
Anomaly Detection Techniques
Statistical Measures
- Data related to the behaviour of legitimate users is collected over a period of time.
- Statistical tests are applied to observed behaviour to determine whether it is not legitimate user behaviour.
- Two types: (1) threshold detection, (2) profile-based.

1. Threshold Detection
- Involves counting the number of occurrences of a specific event type over an interval of time.
- If the count surpasses what is considered a reasonable number that one might expect to occur, an intrusion is assumed.
- It is a crude and ineffective detector of even slightly sophisticated attacks; hence it generates either a lot of false positives or a lot of false negatives.
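Added example, not from the original slides: the knowledge-based (signature) detection of the Misuse Detection slide and the threshold detection described just above, run over the same constructed audit log so that the two complementary strategies can be compared. The log lines, addresses, signatures and thresholds are all invented for the demonstration.

```python
import re
from collections import defaultdict, deque

# Constructed audit log (not from the original slides): time, source address, event, detail.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 LOGIN_FAIL user=alice
10:00:02 10.0.0.5 LOGIN_OK user=alice
10:00:10 203.0.113.9 HTTP GET /index.php?id=1' OR '1'='1
10:00:11 203.0.113.9 HTTP GET /static/../../../../etc/passwd
10:00:20 198.51.100.7 LOGIN_FAIL user=root
10:00:21 198.51.100.7 LOGIN_FAIL user=root
10:00:22 198.51.100.7 LOGIN_FAIL user=root
10:00:23 198.51.100.7 LOGIN_FAIL user=admin
10:00:24 198.51.100.7 LOGIN_FAIL user=admin
10:00:25 198.51.100.7 LOGIN_FAIL user=admin
10:00:26 198.51.100.7 LOGIN_OK user=admin
10:05:00 10.0.0.8 LOGIN_FAIL user=bob
10:05:03 10.0.0.8 LOGIN_FAIL user=bob
10:05:06 10.0.0.8 LOGIN_FAIL user=bob
10:05:09 10.0.0.8 LOGIN_FAIL user=bob
10:05:12 10.0.0.8 LOGIN_FAIL user=bob
10:05:15 10.0.0.8 LOGIN_FAIL user=bob
10:05:20 10.0.0.8 LOGIN_OK user=bob
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+) (\S+) ?(.*)$")


def parse_log(text):
    """Turn raw lines into event dicts, with the timestamp in seconds since midnight."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the analyzer
        hh, mm, ss, src, kind, detail = m.groups()
        events.append({"t": int(hh) * 3600 + int(mm) * 60 + int(ss),
                       "src": src, "kind": kind, "detail": detail})
    return events


# Knowledge-based side: signatures of known attacks, encoded as rules (regular expressions).
SIGNATURES = [
    ("sql-injection", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)),
    ("path-traversal", re.compile(r"(?:\.\./){2,}")),
]


def signature_alerts(events):
    """Misuse detection: flag every event whose detail matches a known-attack pattern."""
    return [(ev["src"], name)
            for ev in events
            for name, pattern in SIGNATURES
            if pattern.search(ev["detail"])]


def threshold_alerts(events, limit=5, window=30):
    """Threshold detection: flag a source that produces `limit` LOGIN_FAIL events
    within any `window`-second interval (sliding window kept per source)."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in events:
        if ev["kind"] != "LOGIN_FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev["t"])
        while ev["t"] - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= limit:
            flagged.add(ev["src"])
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("signature alerts:   ", signature_alerts(evs))
    print("5 failures / 30 s:  ", sorted(threshold_alerts(evs, 5, 30)))
    print("5 failures / 10 s:  ", sorted(threshold_alerts(evs, 5, 10)))
    print("7 failures / 30 s:  ", sorted(threshold_alerts(evs, 7, 30)))
```

The signatures catch the injection and traversal requests from 203.0.113.9 but see nothing wrong in any single failed login, so the brute-force run from 198.51.100.7 is invisible to them. The threshold detector catches it, but at 5 failures in 30 s it also flags bob, who simply mistyped his password six times (a false positive). Tightening the window to 10 s clears bob; raising the limit to 7 makes both sources disappear (a false negative). That is the overlap between intruder and legitimate behaviour that the Basis of IDS slide describes.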
2. Profile-Based Anomaly Detection
- Characterizes the past behaviour of individual users or groups of users and detects significant deviation from that behaviour.
- A profile may contain a set of parameters, so that deviation on just a single parameter may not be sufficient to signal an alert.
- The foundation of this approach is an analysis of audit records.

Metrics for Profile-Based Anomaly Detection
- Counter: a non-negative integer that is only incremented. Ex: number of logins in an hour by a user.
- Gauge: a non-negative integer that may be incremented or decremented, used to measure the current value of some en
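Added example, not from the original slides: a profile-based detector built from counter and gauge metrics of the kind listed above. The user, the metric names, the seven days of history and the 3-sigma / two-parameter alert rule are constructed assumptions for the demonstration; the point shown is that one deviating parameter does not by itself raise an alert.

```python
import math
import statistics

# Metric names in column order. The first three are counters (only ever incremented within
# the audit interval); the last two are gauges (current values that can go up or down).
METRICS = ("logins", "files_read", "failed_logins", "sessions", "cpu_pct")

# Constructed history (not from the original slides): one tuple per day summarizing the
# user's audit records, in METRICS order.
HISTORY = {
    "alice": [
        (3, 40, 0, 1, 5),
        (4, 45, 1, 1, 4),
        (2, 38, 0, 1, 6),
        (3, 50, 0, 2, 5),
        (5, 42, 1, 1, 7),
        (3, 44, 0, 1, 5),
        (4, 39, 0, 1, 4),
    ],
}


def build_profile(records):
    """Per-metric mean and (population) standard deviation of the historical records."""
    profile = {}
    for i, name in enumerate(METRICS):
        column = [r[i] for r in records]
        profile[name] = (statistics.fmean(column), statistics.pstdev(column))
    return profile


def z_score(value, mean, sd):
    """Standardized deviation; a metric that never varied treats any change as infinite."""
    if sd == 0:
        return 0.0 if value == mean else math.inf
    return (value - mean) / sd


def assess(user, observed, z_limit=3.0, min_metrics=2):
    """Compare one interval's observed metrics against the user's profile.

    An alert needs at least `min_metrics` parameters beyond `z_limit` standard
    deviations, so a single out-of-line parameter is not enough to signal."""
    profile = build_profile(HISTORY[user])
    deviating = [name for name, value in zip(METRICS, observed)
                 if abs(z_score(value, *profile[name])) > z_limit]
    return {"user": user, "deviating": deviating, "alert": len(deviating) >= min_metrics}


if __name__ == "__main__":
    for label, day in (("normal day", (3, 41, 0, 1, 5)),
                       ("one busy metric", (3, 41, 0, 1, 60)),
                       ("compromised account", (40, 900, 12, 6, 60))):
        print(f"{label:20} -> {assess('alice', day)}")
```

A legitimate user running one CPU-heavy job moves a single gauge far from its mean and is left alone, while the day on which logins, files read, failed logins and concurrent sessions all jump together is flagged. The profile is rebuilt from audit records each time, so extending HISTORY with newer days lets the baseline drift with the user.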