Intrusion Detection System and Intrusion Remedies
TRANSCRIPT
-
7/29/2019 Intrusion Detection System and Intrusion Remedies
1/22
-
An intrusion is a deliberate unauthorized attempt, successful or not, to break into, access, manipulate, or misuse some valuable property, where the misuse may result in the property being rendered unreliable or unusable.
The person who intrudes is an intruder.
-
Three classes of intruders (hackers or crackers):
Masquerader
An unauthorized user who penetrates a computer system's access control and gains access to user accounts.
Misfeasor
A legitimate user who accesses resources he is not authorized to access, or who is authorized such access but misuses his privileges.
Clandestine user
A user who seizes supervisory control of the system and uses it to evade auditing and access control.
-
[Figure: RelTunnel / ICMP Tunnel]
You spend great money on concrete walls (firewalls) but they are of no use if someone can dig through them.
-
An intrusion detection system (IDS) is software that automates the intrusion detection process. The primary responsibility of an IDS is to detect unwanted and malicious activities.
There are two models of intrusion detection mechanisms:
anomaly-based detection,
signature-based detection.
-
Anomaly-based systems are learning systems in the sense that they work by continuously creating norms of activities. These norms are later used to detect anomalies that might indicate an intrusion.
There are two types of anomaly detection:
1. Static anomaly detection
2. Dynamic anomaly detection
-
A static anomaly detection system is based on the assumption that there is a static portion of the system being monitored. Static portions of the system can be represented as a binary string or a set of binary strings.
If the static portion of the system ever deviates from its original form, either an error has occurred or an intruder has altered the static portion of the system.
Examples of static anomaly detectors are Tripwire and virus-specific checkers.
-
Tripwire functions as a host-based intrusion detection system. Rather than attempting to detect intrusions at the network interface level, Tripwire detects changes to file system objects.
When first initialized, Tripwire scans the file system as directed by the administrator and stores information on each file scanned in a database. At a later date the same files are scanned and the results compared against the stored values in the database. Changes are reported to the user. Cryptographic hashes are employed to detect changes in a file without storing the entire contents of the file in the database.
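As an added illustration of the baseline-then-rescan approach described above (example code written for this transcript, not Tripwire's own), the following Python records a SHA-256 digest plus size and permission bits for every file under a directory, rescans later, and reports added, removed and changed files. The directory layout and the tampering it simulates are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Summarise one file as a Tripwire-style baseline entry: size, permission
    bits and a SHA-256 digest, so the file contents need not be stored."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"size": st.st_size, "mode": st.st_mode & 0o777, "sha256": digest}

def build_baseline(root: Path) -> dict:
    """Initial scan: record every regular file under root (the tree the
    administrator directed the checker to cover)."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Later scan against the stored baseline: report what was added, removed
    or altered. A changed digest with an unchanged size still counts as altered."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(name for name in set(baseline) & set(current)
                     if baseline[name] != current[name])
    return {"added": added, "removed": removed, "changed": changed}

def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, then alter it and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        # Simulated unauthorised change after the baseline was taken:
        # one monitored file edited, one unexpected file dropped into the tree.
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
        (root / "etc" / "unexpected.so").write_bytes(b"\x7fELF")
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```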
-
Dynamic anomaly detection is also known as statistical-based IDS. It is more difficult than detecting static string changes.
Define profiles for each user to characterize normal behavior:
User choices: log-in time, favorite programs
User sequence of actions
User CPU usage / network activity
Profiles can be gradually changed to reflect user behavioral changes over time.
-
Next-Generation Intrusion Detection Expert System
Builds statistical profiles of users by taking measures that fall into three classes:
Audit record distributions: types of audit records generated over a period of time
Categorical: user name, names of files accessed
Continuous: any measure in which the outcome is how often something occurred: total number of open files, number of pages read off secondary storage
-
An insider could slowly modify their behavior over time until it is possible to mount an attack without being flagged as anomalous.
Users with erratic schedules or hours can be difficult to profile.
Determining the deviation threshold can be difficult.
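The per-user statistical profiling of the preceding slides, as an added example (not from the transcript or any named product): each continuous measure keeps a running mean and standard deviation (Welford's online algorithm, my choice of method), an observation is flagged when it lies more than a configurable number of standard deviations from the norm, and unflagged observations are absorbed so the profile drifts with the user. The login-hour history is constructed, and the last two calls show how the threshold choice decides whether the same observation is flagged.

```python
import math
from dataclasses import dataclass

@dataclass
class Profile:
    """Running statistics for one continuous measure of one user
    (e.g. login hour, CPU seconds per session), updated online
    with Welford's algorithm so no raw history needs to be stored."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0  # sum of squared deviations from the running mean

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

def deviation(profile: Profile, x: float) -> float:
    """Distance of x from the user's norm, in standard deviations."""
    sd = profile.stddev()
    return abs(x - profile.mean) / sd if sd > 0 else 0.0

def check(profile: Profile, x: float, threshold: float = 3.0) -> bool:
    """True if x is anomalous under the given threshold. Observations that are
    not flagged are absorbed, so the profile gradually tracks behavioural change."""
    if profile.n >= 2 and deviation(profile, x) > threshold:
        return True
    profile.update(x)
    return False

def demo() -> dict:
    """Constructed history: a user who logs in around 09:00 (hour as a float)."""
    login_hour = Profile()
    for h in [8.9, 9.1, 9.0, 8.8, 9.2, 9.0, 9.1, 8.9]:
        check(login_hour, h)
    return {
        "abrupt": check(login_hour, 3.0, threshold=3.0),   # 03:00 login: flagged
        "strict": check(login_hour, 9.3, threshold=2.0),   # 09:18 under a tight threshold: flagged
        "lenient": check(login_hour, 9.3, threshold=3.0),  # same observation, looser threshold: absorbed
    }

if __name__ == "__main__":
    print(demo())
```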
-
The misuse detection concept assumes that each intrusive activity is representable by a unique pattern or signature, so that slight variations of the same activity produce a new signature and therefore can also be detected.
Misuse detection systems are therefore commonly known as signature systems. They work by looking for a specific signature on a system. Identification engines perform well by monitoring these patterns of known misuse of system resources.
This system uses state transition diagrams and model-based rule organizations.
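A signature written as a state transition rule, as an added example (not from the transcript or any IDS product): the constructed sshd-style log lines below are scanned for a source address that fails authentication at least a threshold number of times and then succeeds. The regular expression, the threshold of three and the 203.0.113.x / 198.51.100.x addresses (documentation ranges) are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of an auth log in syslog style, not taken from a real system.
SAMPLE_LOG = """\
Jul 29 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 5001 ssh2
Jul 29 10:00:03 host sshd[102]: Failed password for root from 203.0.113.5 port 5002 ssh2
Jul 29 10:00:05 host sshd[103]: Failed password for root from 203.0.113.5 port 5003 ssh2
Jul 29 10:00:07 host sshd[104]: Accepted password for root from 203.0.113.5 port 5004 ssh2
Jul 29 10:01:00 host sshd[105]: Failed password for alice from 198.51.100.7 port 6001 ssh2
Jul 29 10:01:09 host sshd[106]: Accepted password for alice from 198.51.100.7 port 6002 ssh2
"""

LINE_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")

# The signature as a state machine per source address:
#   idle --Failed--> probing(1) --Failed--> probing(2) ... --Accepted (count >= threshold)--> MATCH
#   any Accepted below the threshold returns the source to idle.
FAILURE_THRESHOLD = 3

def scan(log_text: str, threshold: int = FAILURE_THRESHOLD) -> list:
    """Return (source_ip, user) pairs whose event sequence matches the signature."""
    failures = defaultdict(int)  # current state per source: consecutive failure count
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd authentication event
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1            # stay in "probing", advance the count
        elif failures[src] >= threshold:
            alerts.append((src, user))    # probing -> success: signature matched
            failures[src] = 0
        else:
            failures[src] = 0             # ordinary success: back to idle
    return alerts

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```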
-
Intrusion detection systems are classified based on their monitoring scope. They are: host-based intrusion detection and network-based intrusion detection.
Host-Based Intrusion Detection Systems (HIDS)
This local inspection of systems is called host-based intrusion detection systems (HIDS). Host-based intrusion detection is the technique of detecting malicious activities on a single computer. It is deployed on a single target computer and it uses logs, including system, event, and security logs on Windows systems and syslog in Unix environments, to monitor sudden changes in these logs.
-
NIDSs have the whole network as their monitoring scope. They monitor the traffic on the network to detect intrusions. They are responsible for detecting anomalous, inappropriate, or other data that may be considered unauthorized and harmful occurring on a network. There are striking differences between NIDS and firewalls.
-
Both NIDS and HIDS patrol their own area of the network for unwanted and illegal network traffic. They, however, complement each other. Both bring to the security of the network their own strengths and weaknesses, which nicely complement and augment the security of the network.
Hybrids are new and need a great deal of support to gain on their two cousins. However, their success will depend to a great extent on how well the interface receives and distributes the incidents and integrates the reporting structure between the different types of sensors in the HIDS and NIDS spheres. Also, the interface should be able to smartly and intelligently gather and report data from the network or systems being monitored.
-
Although NIDS and HIDS and their hybrids are the most widely used tools in network intrusion detection, there are others that are less used but more targeted and, therefore, more specialized.
Because many of these tools are so specialized, many are still not considered intrusion detection systems but rather intrusion detection add-ons or tools.
-
System Integrity Verifiers (SIVs)
SIVs monitor critical files in a system, such as system files, to find whether an intruder has changed them. They can also detect when a normal user somehow acquires root/administrator level privileges.
Log File Monitors (LFM)
LFMs first create a record of log files generated by network services. Then they monitor this record, just like NIDS, looking for system trends, tendencies, and patterns in the log files that would suggest an intruder is attacking.
Honeypots
A honeypot is a system designed to look like something that an intruder can hack. They are built for many purposes but the overriding one is to deceive attackers and learn about their tools and methods.
-
Although IDS have been one of the cornerstones of network security, they have covered only the passive component, which only detects and reports without preventing. A promising new model is developing and picking up momentum: the intrusion prevention system (IPS), which aims to prevent attacks.
-
The IPS stops the attack itself:
Terminate the network connection or user session that is being used for the attack. Block access to the target from the offending user account, IP address, or other attacker attribute.
The IPS changes the security environment:
The IPS could change the configuration of other security controls to disrupt an attack, such as reconfiguring a network device (e.g., firewall, router, switch) to block access from the attacker or to the target, and altering a host-based firewall on a target to block incoming attacks. Some IPSs can even cause patches to be applied to a host if the IPS detects that the host has vulnerabilities.
The IPS changes the attack's content:
Some IPS technologies can remove or replace malicious portions of an attack to make it benign. An example is an IPS removing an infected file attachment from an e-mail and then permitting the cleaned e-mail to reach its recipient.
-
Intrusion detection systems and intrusion prevention systems are only one piece of the whole security puzzle. These must be supplemented by user effort as well.
-
The user must have a good firewall and also IDS and IPS to protect the system.
The user should not reply to unknown e-mails by providing legitimate data.
The user must protect his data or accounts with a strong password, which must include (A, a, 1, $) and should not be any personal data or something related to the user.
His safety question should not be easy to find out, since the intruder (hacker) may have access to your personal life.
-
By
J.Gautham
(08m31a1226)