Intrusion Detection Systems an overview Presented by: Nazir Ahmad Enroll No.: 110215

Upload: seraphic-nazir

Post on 25-May-2015


Page 1: Intrusion detection systems

Intrusion Detection Systems an overview

Presented by: Nazir Ahmad, Enroll No.: 110215

Page 2: Intrusion detection systems

Contents

i. Introduction
ii. Process Model
iii. Terminology
iv. Detection Methodologies
v. Basic Components and the Architecture
vi. Types of IDS
vii. Efficiency Metrics
viii. References

Page 3: Intrusion detection systems

Introduction

An Intrusion Detection System (IDS) is a device or software application that monitors network or system activity for malicious activity or policy violations and reports what it finds to a management station. The emphasis is on detection: an IDS raises alerts for a human or another system to act on; a system that is also placed inline to block the traffic it flags is an Intrusion Prevention System (IPS).

Page 4: Intrusion detection systems

Simple Process Model for ID

Page 5: Intrusion detection systems

Terminology

• Alert/Alarm: A signal that a system has been or is being attacked.
• True Positive: A real attack that causes the IDS to raise an alarm.
• False Positive: An alarm raised when no attack has taken place.
• False Negative: A real attack that the IDS fails to detect (no alarm).
• True Negative: No attack has taken place and no alarm is raised.

Page 6: Intrusion detection systems

Detection Methodologies

IDSs generally use two primary classes of methodology to detect an intrusion:

1. Signature-based Detection

2. Behavior-based Detection

Page 7: Intrusion detection systems

Signature-based ID

o A signature is a pattern that corresponds to a known threat. Signature-based detection is the process of comparing signatures against observed events to identify possible incidents.

o Also known as misuse intrusion detection and knowledge-based intrusion detection.

o Limitation: it can only flag what it already has a signature for. A new attack, or a known one rewritten to slip past the pattern (for example URL-encoded so the bytes no longer match), produces no alert, so the observed events are normally normalised before matching.

Page 8: Intrusion detection systems

Behavior-based ID

o Behavior-based intrusion-detection techniques assume that an intrusion can be detected by observing a deviation from the normal or expected behavior of the system or its users. A baseline of normal activity is learned first, and events that fall far outside it are reported.

o Also called anomaly-based intrusion detection.

o Limitation: it can flag previously unseen attacks, but only as well as its baseline models the right feature. Legitimate but unusual activity (a new backup job, a traffic spike) is reported as an intrusion, which is the main source of its false positives, and an attack that does not disturb the modelled feature goes unnoticed.
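Pages 7 and 8 describe the two methodologies in words. The script below is an added example, not code from the slides, that runs a small signature-based detector and a small behavior-based detector over the same constructed stream of web-server events. The log lines, the two signatures, the baseline counts and the z-score threshold are all invented for illustration; the point is which events each method catches and which it misses.

```python
"""Signature-based vs. behaviour-based detection over one constructed event stream.

Added example, not from the slides. Every log line, signature and
threshold below is invented for illustration.
"""
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote

# Constructed web-server access events: (client_ip, request_path).
EVENTS = [
    ("10.0.0.5", "/index.html"),
    ("10.0.0.5", "/about"),
    ("10.0.0.7", "/search?q=shoes"),
    ("10.0.0.7", "/search?q=' OR 1=1 --"),                  # known SQLi tautology
    ("10.0.0.9", "/cgi-bin/../../etc/passwd"),              # known path traversal
    ("10.0.0.9", "/static/%2e%2e/%2e%2e/etc/shadow"),       # same attack, URL-encoded
    ("10.0.0.11", "/api/items?id=3;DROP%20TABLE%20items"),  # no signature for this one
] + [("10.0.0.13", f"/page{i}") for i in range(60)]         # one client, 60 requests: a scanner

# --- Signature-based (misuse) detection -----------------------------------
# Each signature is a pattern for a known attack. The path is normalised
# (percent-decoded) before matching; matching the raw bytes would miss the
# encoded traversal above.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
]


def signature_detect(events):
    """Return (client_ip, signature_name) for every event matching a signature."""
    alerts = []
    for ip, path in events:
        normalised = unquote(path)
        for name, pattern in SIGNATURES:
            if pattern.search(normalised):
                alerts.append((ip, name))
    return alerts


# --- Behaviour-based (anomaly) detection ----------------------------------
# Baseline: requests per client seen in an earlier, attack-free window
# (constructed). The detector learns mean and spread from it and flags any
# client whose count in the current window lies more than Z_THRESHOLD
# standard deviations above the mean.
BASELINE_REQUESTS_PER_CLIENT = [4, 6, 5, 7, 5, 6, 4, 5, 6, 5]
Z_THRESHOLD = 3.0


def anomaly_detect(events, baseline=BASELINE_REQUESTS_PER_CLIENT, z_threshold=Z_THRESHOLD):
    """Return (client_ip, 'request-rate-anomaly') for clients far above the baseline."""
    mu = mean(baseline)
    sigma = pstdev(baseline) or 1e-9  # guard against a constant baseline
    counts = Counter(ip for ip, _ in events)
    return [
        (ip, "request-rate-anomaly")
        for ip, n in counts.items()
        if (n - mu) / sigma > z_threshold
    ]


def run_both(events):
    """Run both detectors; together they show the complementary coverage."""
    return {"signature": signature_detect(events), "anomaly": anomaly_detect(events)}


if __name__ == "__main__":
    for method, alerts in run_both(EVENTS).items():
        print(f"{method:9s}: {alerts}")
    # The scanner (10.0.0.13) matches no signature: only the anomaly detector
    # sees it. The SQLi and traversal requests are single events that do not
    # move the per-client rate: only the signature detector sees them. The
    # unsigned variant from 10.0.0.11 evades both, a false negative for each.
```

Run it and compare the two alert lists: the signature detector reports the two known attacks (including the encoded traversal, because the path was decoded first) and nothing about the scanner; the anomaly detector reports only the scanner; neither reports the client with the novel payload. That pairing is why production deployments run both.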

Page 9: Intrusion detection systems

Components of a typical IDS

Components: Sensors, Analyzers, Database Server and User Interface.

• Sensor or Agent: sensors are responsible for collecting data; they continuously monitor activity. The term "sensor" is typically used for IDSs that monitor networks and for network behavior analysis technologies. The term "agent" is used for host-based IDSs.

• Analyzers: an analyzer receives information from the sensors and analyses it to determine whether an intrusion has occurred.

Page 10: Intrusion detection systems

IDS components contd.

• Database Server: A database server is a repository for event information recorded by sensors, agents, and/or analyzers.

• User Interface/Console: A console is a program that provides an interface for the IDS's users and administrators. Console software is typically installed on standard desktop or laptop computers.

Page 11: Intrusion detection systems

Basic Architecture

Page 12: Intrusion detection systems

Example

Page 13: Intrusion detection systems

Types of IDS

• Host Intrusion Detection System (HIDS), which monitors the characteristics of a single host and the events occurring within that host (logs, processes, file changes) for suspicious activity. It needs an agent installed on every host it is to cover, but it sees activity that never touches the network.

• Network Intrusion Detection System (NIDS), which identifies intrusions by examining network traffic and so covers multiple hosts from one sensor. It needs no software on the monitored hosts, but for encrypted traffic it sees only the flow metadata, not the payload.

Page 14: Intrusion detection systems

Efficiency of IDS

Accuracy: Accuracy deals with the proper detection of attacks and the absence of false alarms. Inaccuracy occurs when an intrusion-detection system flags a legitimate action in the environment as anomalous or intrusive, i.e. it produces false positives.

Performance: The performance of an intrusion-detection system is the rate at which audit events are processed. If events arrive faster than the system can analyse them, the sensor falls behind or drops data, and real-time detection is not possible.

Completeness: Completeness is the property of an intrusion-detection system to detect all attacks. Incompleteness occurs when the intrusion-detection system fails to detect an attack, i.e. it produces false negatives.
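Accuracy and completeness can be measured with the page 5 terminology: count true/false positives and negatives over a set of events whose ground truth is known. The script below is an added example, not from the slides, that does this over a constructed set of labelled outcomes and also computes what fraction of alerts are real for a given base rate of attacks. Performance (events per second) is a throughput measurement on the deployed system and is not modelled here.

```python
"""Accuracy and completeness of an IDS, computed from labelled alert outcomes.

Added example, not from the slides. The outcomes below are constructed:
'is_attack' is the ground truth and 'alerted' is what the IDS did.
"""

# Constructed evaluation set: (description, is_attack, alerted).
LABELLED = [
    ("sqli on /search",           True,  True),   # true positive
    ("traversal on /cgi-bin",     True,  True),   # true positive
    ("encoded traversal",         True,  True),   # true positive
    ("unsigned sqli variant",     True,  False),  # false negative (incompleteness)
    ("nightly backup burst",      False, True),   # false positive (inaccuracy)
    ("admin ssh from new laptop", False, True),   # false positive (inaccuracy)
] + [(f"benign request {i}", False, False) for i in range(14)]  # true negatives


def confusion(results):
    """Count TP/FP/FN/TN using the definitions from the Terminology slide."""
    c = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for _, is_attack, alerted in results:
        if is_attack and alerted:
            c["tp"] += 1
        elif is_attack:
            c["fn"] += 1
        elif alerted:
            c["fp"] += 1
        else:
            c["tn"] += 1
    return c


def metrics(results):
    """Completeness (detection rate), accuracy (false-alarm rate) and two derived views."""
    c = confusion(results)
    attacks = c["tp"] + c["fn"]
    benign = c["fp"] + c["tn"]
    alerts = c["tp"] + c["fp"]
    return {
        "detection_rate": c["tp"] / attacks if attacks else 0.0,   # completeness
        "false_alarm_rate": c["fp"] / benign if benign else 0.0,   # accuracy
        "alert_precision": c["tp"] / alerts if alerts else 0.0,    # share of alerts worth an analyst's time
        "overall_accuracy": (c["tp"] + c["tn"]) / len(results) if results else 0.0,
    }


def expected_alert_precision(attack_base_rate, detection_rate, false_alarm_rate):
    """P(attack | alert) by Bayes' rule for a given base rate and detector rates.

    Attacks are rare, so even a small false-alarm rate applied to the benign
    majority produces most of the alerts; this is why the false-alarm rate
    dominates the usefulness of an IDS in practice.
    """
    true_alerts = attack_base_rate * detection_rate
    false_alerts = (1 - attack_base_rate) * false_alarm_rate
    total = true_alerts + false_alerts
    return true_alerts / total if total else 0.0


if __name__ == "__main__":
    print(confusion(LABELLED))
    print(metrics(LABELLED))
    # A detector that catches every attack but has a 1% false-alarm rate,
    # on traffic where 1% of events are attacks: about half its alerts are false.
    print(expected_alert_precision(0.01, 1.0, 0.01))
```

The last call is the practical caveat behind the "Accuracy" bullet: a detector that is complete (catches every attack) but misfires on one benign event in a hundred still hands the operator a queue that is half false alarms once attacks are only one event in a hundred, so tuning the false-alarm rate down matters as much as adding signatures.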

Page 15: Intrusion detection systems

References

i. Books/papers
• Guide to Intrusion Detection and Prevention Systems (IDPS), NIST Special Publication 800-94, Karen Scarfone and Peter Mell.
• An Introduction to Intrusion-Detection Systems, IBM Research, Zurich Research Laboratory, Hervé Debar.
• An Overview of Software Architecture in Intrusion Detection Systems, Department of Computer Engineering, I.A.U. Booshehr Branch, Iran, Mehdi Bahrami and Mohammad Bahrami.
• Next Generation Intrusion Detection Systems, McAfee Network Security Technologies Group, Dr. Fengmin Gong.

ii. Internet
• www.wikipedia.org
• www.intursiondetectionsystem.org
• www.sans.org