intrusion detection system


Post on 26-May-2015






A detailed presentation about Intrusion detection system


By P. Victer Paul

  • An IDS or Intrusion Detection System is a system designed to detect unauthorized access to secure systems, i.e. hacking, cracking or script-based attacks.
  • Systems are generally composed of both sensors, such as Snort, which watch network traffic and trigger security events, and a console interface which shows and filters the security events, an example of which is Sguil.


  • Definition: An intrusion can be defined as a subversion of security to gain access to a system. This intrusion can use multiple attack methods and can span long periods of time.
  • These unauthorized accesses to computer or network systems are often designed to study the system's weaknesses for future attacks.
  • Other forms of intrusions are aimed at limiting access or even preventing access to computer systems or networks.


  • Basically, intrusion detection systems do exactly as the name implies: they detect possible intrusions.
  • More specifically, IDS tools aim to detect computer attacks and/or computer misuse and alert the proper individuals upon detection.
  • An IDS provides much of the same functionality as a burglar alarm installed in a house.
  • That is, both the IDS and the burglar alarm use various methods to detect when an intruder/burglar is present, and both subsequently issue some type of warning or alert.


  • What are we protecting?
    • Data
    • Availability
    • Privacy
  • Who are the intruders?
    • Hackers
    • Thieves


  • The methods used by intruders can often contain any one, or even combinations, of the following intrusion types:
    • Distributed Denial of Service
    • Trojan Horse
    • Viruses and Worms
    • Spoofing
    • Network/Port Scans
    • Buffer Overflow


  • There are many approaches that are used to implement IDS.
  • An in-depth look at these approaches will be presented in later sections.
  • However, the majority of IDS systems contain the following 3 components:
    • Information Source
    • Analysis Engine
    • Response/Alert


  • All IDS need an information source to monitor for intrusive behavior.
  • The information source can include: network traffic (packets), host resource (CPU, I/O operations, and log files), user activity and file activity, etc.
  • The information can be provided in real-time or in a delayed manner.


  • The Analysis Engine is the brains behind IDS.
  • This is the actual functionality that is used to identify the intrusive behavior.
  • As mentioned previously, there are many ways in which IDS analyze intrusive behavior.
  • The majority of IDS implementations differ in the method of intrusion analysis.


  • Once an intrusive behavior is identified, IDS need to be able to respond to the attack and alert the appropriate individuals of the occurrence.
  • Response activities can include: applying firewall rules to drop traffic from a particular source IP, host port blocking, logging off a user, disabling an account, security software activation, system shutdown, etc.


  • Alerting measures are used to bring the attack to the attention of the proper individuals supporting the environment.
  • For example, an IDS alert can include an active measure, which may be sending an email or text page to the system administrator, or it could simply write a detailed log of the event, which is a passive measure.


  • The ultimate desire of IDS functionality is the identification of all intrusive behavior within an environment, and the reporting of that behavior in a timely manner.
  • However, in order for IDS to be successful in today's complex environments, there are some more characteristics that will be needed.


  • run continually with minimal human supervision
  • withstand an attack and continue functioning
  • monitor itself and resist local intrusion
  • use minimal resources
  • adapt and recognize "normal" behavior


  • Scalability: The IDS system must be able to function in large (and fast) network architectures.
  • Low rate of false-positive alerts: A false positive is, essentially, a false alarm.
  • No false-negative instances: A false negative is an instance when the network or system was under attack, but the IDS did not identify it as intrusive behavior, thus no alert was activated.
  • Allow some anomalous events without flagging an emergency alert. This doesn't mean it should allow true malicious behavior, but it should be flexible/smart enough to allow for the occasional user mistake or communication blip.


  • Anomaly-Based
  • Misuse-Based
  • Host-Based
  • Network-Based


  • Computer and network anomaly-detection Intrusion Detection System models operate by building a model of normal system behavior.
  • Normal system behavior is determined by observing the standard operation of the system or network.
  • Anomaly detection then takes the normal observation model and uses statistical variance, or as we shall see later, Data Mining techniques with artificial intelligence, to determine if the system or network environment behavior is running normally or abnormally.
  • The assumption in anomaly detection is that an intrusion can be detected by observing a deviation from the normal or expected behavior of the system or network.


  • Threshold detection is the process in which certain attributes of user and computer system behavior are expressed in terms of counts, with some level established as permissible.
  • For example, such behavior attributes can include the number of files accessed by a given user over a certain period of time, the number of failed attempts to login to the system, the amount of CPU utilized by a process, etc.


  • Statistical measures: These measures can be parametric or non-parametric.
    • Parametric measures are used when a distribution of the profiled attributes is assumed to fit a particular pattern.
    • Non-parametric measures are used when the distribution of the profiled attribute is gathered from a set of historical values observed over time.
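The threshold and statistical measures described above, applied to one profiled attribute (failed logins per user in an observation window). This is an added example, not code from the presentation; the auth log lines and the HISTORY baseline are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample auth-log lines for one observation window (not a real system).
AUTH_LOG = """\
May 26 10:00:01 host sshd[101]: Failed password for alice from 10.0.0.5 port 5001 ssh2
May 26 10:00:03 host sshd[102]: Failed password for alice from 10.0.0.5 port 5002 ssh2
May 26 10:00:04 host sshd[103]: Accepted password for alice from 10.0.0.5 port 5003 ssh2
May 26 10:00:05 host sshd[104]: Failed password for bob from 10.0.0.9 port 6001 ssh2
May 26 10:00:06 host sshd[105]: Failed password for bob from 10.0.0.9 port 6002 ssh2
May 26 10:00:07 host sshd[106]: Failed password for bob from 10.0.0.9 port 6003 ssh2
May 26 10:00:08 host sshd[107]: Failed password for bob from 10.0.0.9 port 6004 ssh2
May 26 10:00:09 host sshd[108]: Failed password for bob from 10.0.0.9 port 6005 ssh2
May 26 10:00:10 host sshd[109]: Failed password for bob from 10.0.0.9 port 6006 ssh2
"""

# Constructed baseline: failed-login counts per user observed in earlier, normal windows.
HISTORY = [0, 1, 0, 2, 1, 0, 1, 1, 0, 2]

FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")

def failed_logins_per_user(log_text):
    """Information source: count failed logins per user in one observation window."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def threshold_alerts(counts, limit):
    """Threshold detection: flag users whose count exceeds the permissible level."""
    return sorted(u for u, c in counts.items() if c > limit)

def parametric_alerts(counts, history, k=3.0):
    """Parametric measure: assume the baseline is roughly normal and flag counts
    more than k standard deviations above the historical mean."""
    mean = sum(history) / len(history)
    std = math.sqrt(sum((x - mean) ** 2 for x in history) / len(history)) or 1.0
    return sorted(u for u, c in counts.items() if (c - mean) / std > k)

def nonparametric_alerts(counts, history, pct=0.95):
    """Non-parametric measure: no distribution assumed; flag counts above the
    pct-quantile of the historical values actually observed."""
    ordered = sorted(history)
    cutoff = ordered[min(len(ordered) - 1, int(pct * len(ordered)))]
    return sorted(u for u, c in counts.items() if c > cutoff)
```

With this baseline, alice's two failures stay within normal variance under all three measures, while bob's six are flagged by each of them.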


  • It can detect attempts to exploit new and unforeseen vulnerabilities. An IDS based on the detection of anomalies can detect unusual behavior and thus has the ability to detect symptoms of attacks without specific knowledge of details. This is a very powerful advantage. It is for this reason alone that a majority of the research of future IDS models includes some sort of anomaly detection.
  • It can also be used to detect abuse-of-privilege types of attacks, which generally do not involve exploiting any security vulnerabilities.
  • It can recognize unusual network traffic based on network packet characteristics (payload, source IP, time, etc).
  • It can produce information from the intrusive attack that can be used to define signatures for misuse detectors.


  • Misuse detection-based IDS function in much the same way as high-end computer anti-virus applications. That is, misuse detection IDS models analyze the system or network environment and compare the activity against signatures (or patterns) of known intrusive computer and network behavior.
  • These signatures must be updated over time to include the latest attack patterns, much like computer anti-virus applications.


  • Misuse-based IDS can be used very quickly. There isn't a need for the IDS to learn the network behavior before it can be of use.
  • The signature matching also provides fewer false alarms (false positives) than other IDS methods.
  • If the signatures of attacks used by the misuse detection system are reliable, then attacks that match those signatures are very quickly identified, which makes the determination of corrective measures easier.
  • Computer administrators can write their own signatures in accordance with the organization's security policy.
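A minimal misuse-detection pipeline wired through the three components named earlier (information source, analysis engine, response/alert), with an administrator-written signature set. This is an added example, not the presentation's code; the signatures, rule ids, and access-log lines are constructed for illustration and are not a vendor rule set.

```python
import re
from urllib.parse import unquote
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    sid: int            # rule id, as an administrator assigns in a signature file
    name: str
    pattern: re.Pattern
    action: str         # "alert" = passive (log only); "block" = active response

# Constructed signature set for this example (patterns are illustrative only).
SIGNATURES = [
    Signature(1001, "directory traversal", re.compile(r"\.\./"), "block"),
    Signature(1002, "sql tautology probe", re.compile(r"'\s*or\s+1\s*=\s*1", re.I), "alert"),
]

# Constructed web-server access-log lines used as the information source.
ACCESS_LOG = [
    '10.0.0.5 - - [26/May/2015:10:00:01] "GET /index.html HTTP/1.1" 200',
    '10.0.0.7 - - [26/May/2015:10:00:02] "GET /static/../../config.ini HTTP/1.1" 404',
    '10.0.0.7 - - [26/May/2015:10:00:03] "GET /login?u=a%27%20or%201=1 HTTP/1.1" 200',
]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" \d+')

def parse_line(line):
    """Extract (source IP, URL-decoded request path) from one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(1), unquote(m.group(2))

def analyze(lines, signatures=SIGNATURES):
    """Analysis engine: compare each request against every known-bad pattern."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue            # unparseable line: skip rather than crash the sensor
        src, path = parsed
        for sig in signatures:
            if sig.pattern.search(path):
                alerts.append({"sid": sig.sid, "name": sig.name, "src": src, "action": sig.action})
    return alerts

def respond(alerts):
    """Response/alert: log every hit (passive); 'block' hits also yield a firewall drop list (active)."""
    log_entries = [f"[{a['sid']}] {a['name']} from {a['src']}" for a in alerts]
    blocked = sorted({a["src"] for a in alerts if a["action"] == "block"})
    return log_entries, blocked
```

Note that the decode step matters: without unquote the encoded probe on the third line would not match signature 1002, which is one reason signature sets need maintenance as evasions change.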


  • Like anti-virus software, the signatures containing the attack patterns are constantly changing.
  • Good computer and network hackers are well aware of the patterns of known exploi