Scribd Logo
Upload

Welcome to Scribd!

  • 24 views

    Network Security

    Uploaded by

    Sumit Kumar Vohra
    Intrusion detection systems (IDS) monitor network traffic and system activities for malicious activity. There are two main types of IDS - signature-based systems detect known threats by matching signatures, while anomaly-based systems detect deviations from normal behavior. IDS can operate at the network level, monitoring all network traffic, or at the host level, monitoring a single system. Both have advantages and disadvantages around detection capabilities and deployment costs. A key challenge for both is minimizing false alarms without missing real attacks.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Network Security

    Uploaded by

    Sumit Kumar Vohra
    24 views11 pages
    Intrusion detection systems (IDS) monitor network traffic and system activities for malicious activity. There are two main types of IDS - signature-based systems detect known threats by matching signatures, while anomaly-based systems detect deviations from normal behavior. IDS can operate at the network level, monitoring all network traffic, or at the host level, monitoring a single system. Both have advantages and disadvantages around detection capabilities and deployment costs. A key challenge for both is minimizing false alarms without missing real attacks.

    Original Description:

    Original Title

    Ids

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Intrusion detection systems (IDS) monitor network traffic and system activities for malicious activity. There are two main types of IDS - signature-based systems detect known threats by matching signatures, while anomaly-based systems detect deviations from normal behavior. IDS can operate at the network level, monitoring all network traffic, or at the host level, monitoring a single system. Both have advantages and disadvantages around detection capabilities and deployment costs. A key challenge for both is minimizing false alarms without missing real attacks.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as ppt, pdf, or txt
    24 views11 pages

    Network Security

    Uploaded by

    Sumit Kumar Vohra
    Intrusion detection systems (IDS) monitor network traffic and system activities for malicious activity. There are two main types of IDS - signature-based systems detect known threats by matching signatures, while anomaly-based systems detect deviations from normal behavior. IDS can operate at the network level, monitoring all network traffic, or at the host level, monitoring a single system. Both have advantages and disadvantages around detection capabilities and deployment costs. A key challenge for both is minimizing false alarms without missing real attacks.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as ppt, pdf, or txt
    of 11

    Network Security

    Outline

    • Security Vulnerabilities
    • DoS and DDoS
    • Intrusion Detection Systems
    Intrusion Detection Systems
    • Firewalls allow traffic only to legitimate hosts and services
    • Traffic to the legitimate hosts/services can have attacks
    – CodeReds on IIS
    • Solution?
    – Intrusion Detection Systems
    – Monitor data and behavior
    – Report when identify attacks
    Types of IDS

    Signature-based
    Anomaly-based

    Network-based
    Host-based
    Signature-based IDS

    • Characteristics
    – Uses known pattern matching
    to signify attack
    • Advantages?
    – Widely available
    – Fairly fast
    – Easy to implement
    – Easy to update
    • Disadvantages?
    – Cannot detect attacks for which it has no signature
    Signature-Based

    • Set of rules defining a behavioral signature likely to be associated with


    attack of a certain type
    – Example: buffer overflow
    • A setuid program spawns a shell with certain arguments
    • A network packet has lots of NOPs in it
    • Very long argument to a string function
    – Example: SYN flooding (denial of service)
    • Large number of SYN packets without ACKs coming back
    • …or is this simply a poor network connection?
    • Attack signatures are usually very specific and may miss variants of
    known attacks
    – Why not make signatures more general?
    Anomaly-based IDS
    • Characteristics
    – Uses statistical model or machine learning engine to characterize normal
    usage behaviors
    – Recognizes departures from normal as potential intrusions
    • Advantages?
    – Can detect attempts to exploit new and unforeseen vulnerabilities
    – Can recognize authorized usage that falls outside the normal pattern
    • Disadvantages?
    – Generally slower, more resource intensive compared to signature-based IDS
    – Greater complexity, difficult to configure
    – Higher percentages of false alerts
    Signature vs. Anomaly
    • Password file modified Misuse

    • Four failed login attempts


    Anomaly

    • Failed connection attempts on 50 Anomaly


    sequential ports
    • User who usually logs in around 10am from UT Anomaly
    dorm logs in at 4:30am from a Russian IP address

    • UDP packet to port 1434 Misuse


    • “DEBUG” in the body of an SMTP message Not an attack! (most likely)
    Network-based IDS
    • Characteristics
    – NIDS examine raw packets in the network passively and triggers alerts
    • Advantages?
    – Easy deployment
    – Unobtrusive
    – Difficult to evade if done at low level of network operation
    • Disadvantages?
    – Fail Open
    – Different hosts process packets differently
    – NIDS needs to create traffic seen at the end host
    – Need to have the complete network topology and complete host behavior
    Host-based IDS
    • Characteristics
    – Runs on single host
    – Can analyze audit-trails, logs, integrity of files and directories, etc.
    • Advantages
    – More accurate than NIDS
    – Less volume of traffic so less overhead
    • Disadvantages
    – Deployment is expensive
    – What happens when host get compromised?
    Intrusion Detection Errors

    • False negatives: attack is not detected


    – Big problem in signature-based misuse detection
    • False positives: harmless behavior is classified as an
    attack
    – Big problem in statistical anomaly detection
    • Both types of IDS suffer from both error types
    • Which is a bigger problem?
    – Attacks are fairly rare events
    – IDS often suffer from base-rate fallacy

    You might also like