,Shirpur
CHAPTER 1
INTRODUCTION
1.1 INTRODUCTION
An intrusion detection system (IDS) is a device or software application that
monitors a network or systems for malicious activity or policy violations. Any
detected activity or violation is typically reported either to an administrator or
collected centrally using a security information and event management (SIEM)
system. A SIEM system combines outputs from multiple sources, and uses alarm
filtering techniques to distinguish malicious activity from false alarms.
There is a wide spectrum of IDS, varying from antivirus software to
hierarchical systems that monitor the traffic of an entire backbone network. The
most common classifications are network intrusion detection systems (NIDS)
and host-based intrusion detection systems (HIDS). A system that monitors
important operating system files is an example of a HIDS, while a system that
analyzes incoming network traffic is an example of a NIDS. It is also possible to
classify IDS by detection approach: the most well-known variants are signature-
based detection (recognizing known bad patterns, such as malware or attack
strings) and anomaly-based detection (detecting deviations from a model of
"good" traffic, which often relies on machine learning). Signature detection
misses attacks it has no rule for; anomaly detection can catch novel behaviour
but produces more false alarms and needs a clean baseline to learn from. Some
IDS have the ability to respond to detected intrusions; systems with response
capabilities are typically referred to as intrusion prevention systems (IPS).
CHAPTER-2
TYPES OF INTRUSION DETECTION SYSTEM
A NIDS is one common type of IDS. It analyzes network traffic at several layers
of the Open Systems Interconnection (OSI) model, from network-layer headers up
to application payloads, and makes decisions about the purpose of the traffic by
looking for suspicious activity. Most NIDS are easy to deploy on a network and
can often view traffic from many systems at once.
Reporting an intrusion after the fact is not always sufficient: by the time the
report is read, the damage has already been done. It is therefore desirable that
the IDS be able to react and block the traffic it has judged suspicious. An IDS
with such reaction techniques is called an active IDS (the intrusion prevention
systems mentioned in Chapter 1).
According to the source of the data to be examined, host-based intrusion
detection systems can be classified in two categories.
Application-based IDS receive their data from applications, for example the log
files generated by database management software, the web server or the
firewalls. The weakness of this technique is that it only sees what the
application layer chooses to log; an attacker who compromises the application
can tamper with or suppress those logs.
Operating-system-level IDS receive information about the activity of the
supervised system. This information often takes the form of operating-system
audit trails. It can also include the system logs and other logs generated by
operating-system processes, and the contents of system objects that are not
reflected in the standard operating-system audit and logging mechanisms.
These IDS can also use the results returned by an application-based IDS.
Many current intrusion detection systems use only one of the two detection
methods, misuse (signature) detection or anomaly detection, and each has its
own limitations: misuse detection cannot detect an attack for which it has no
signature, while anomaly detection produces more false alarms. A system that
combines a misuse detection system with an anomaly detection system is known
as a hybrid intrusion detection system. The same term is also used for a
system that combines a network intrusion detection system with a host-based
intrusion detection system.
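The following Python example, added to this report and not taken from any IDS product, shows the two detection methods described in Chapter 1 and their combination into the hybrid verdict described above. It runs a misuse stage (regular-expression signatures over payloads) and an anomaly stage (a baseline of distinct destination ports per source, learned from known-good traffic) over constructed flow records. The flow format, the signatures, the baseline feature and the threshold are all assumptions made for illustration.

```python
"""Hybrid IDS over constructed flow records: a misuse (signature) stage, an
anomaly stage, and a combined verdict. Added example for this report, not code
from any IDS product; flow format, signatures and threshold are assumptions."""
import re
import statistics

# Known-good traffic used to learn the baseline (constructed, not captured).
TRAIN_FLOWS = [
    ("10.0.0.5", "10.0.0.80", 80, 500, "GET / HTTP/1.1"),
    ("10.0.0.5", "10.0.0.25", 25, 900, "EHLO host"),
    ("10.0.0.6", "10.0.0.80", 80, 510, "GET / HTTP/1.1"),
    ("10.0.0.7", "10.0.0.80", 80, 420, "GET / HTTP/1.1"),
    ("10.0.0.7", "10.0.0.53", 53, 80, ""),
    ("10.0.0.8", "10.0.0.80", 443, 600, ""),
]

# Traffic under inspection: (src, dst, dst_port, bytes, payload). One SQL
# injection attempt and one host sweeping 40 ports, both constructed.
FLOWS = [
    ("10.0.0.5", "10.0.0.80", 80, 512, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", "10.0.0.80", 80, 640, "GET /about HTTP/1.1"),
    ("10.0.0.6", "10.0.0.80", 80, 700, "GET /login.php?user=admin'%20OR%201=1-- HTTP/1.1"),
    ("10.0.0.7", "10.0.0.80", 80, 530, "GET /contact HTTP/1.1"),
] + [("10.0.0.9", "10.0.0.80", port, 60, "") for port in range(20, 60)]

# Misuse stage: each signature is a pattern for a known attack string.
SIGNATURES = {
    "sqli_or_tautology": re.compile(r"'(%20|\s)*OR(%20|\s)+1\s*=\s*1", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}


def signature_hits(flows):
    """Return {src: [signature names]} for payloads matching a known-bad pattern."""
    hits = {}
    for src, _dst, _port, _size, payload in flows:
        for name, rx in SIGNATURES.items():
            if rx.search(payload):
                hits.setdefault(src, []).append(name)
    return hits


def distinct_ports(flows):
    """Per-source set of destination ports touched."""
    ports = {}
    for src, _dst, port, _size, _payload in flows:
        ports.setdefault(src, set()).add(port)
    return ports


def build_baseline(train_flows):
    """Model of 'good' traffic reduced to one feature: how many distinct
    destination ports a single source normally talks to (mean, std dev)."""
    counts = [len(p) for p in distinct_ports(train_flows).values()]
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_hits(flows, baseline, k=3.0):
    """Flag sources whose distinct-port count exceeds mean + k*sd of the baseline.
    A port sweep trips this without any signature at all."""
    mean, sd = baseline
    limit = mean + k * sd
    return {src: len(p) for src, p in distinct_ports(flows).items() if len(p) > limit}


def hybrid_verdicts(flows, baseline):
    """Union of both stages, keeping the reason(s) for the analyst."""
    sig, ano = signature_hits(flows), anomaly_hits(flows, baseline)
    verdicts = {}
    for src in sorted(set(sig) | set(ano)):
        reasons = []
        if src in sig:
            reasons.append("signature:" + ",".join(sig[src]))
        if src in ano:
            reasons.append(f"anomaly:distinct_ports={ano[src]}")
        verdicts[src] = reasons
    return verdicts


if __name__ == "__main__":
    for src, why in hybrid_verdicts(FLOWS, build_baseline(TRAIN_FLOWS)).items():
        print(src, why)
```

Note that the two stages catch different things: the injection attempt is a single normal-looking flow that only the signature sees, and the port sweep contains no attack string at all and is only caught by the baseline. That complementarity is the reason for combining them.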
CHAPTER-3
ANOMALY BASED NETWORK
INTRUSION DETECTION SYSTEM
CHAPTER-4
BLOOM FILTER
4.1 INTRODUCTION
A Bloom filter is a probabilistic, space-efficient data structure supporting add
and find operations (and, in the counting variant, delete), widely used for
testing whether an element is in a set, especially when the set is huge.
Probabilistic here means that there is no 100% guarantee that find won't return
a false positive; a negative answer, however, is always correct. It is a
hash-table-like structure that applies multiple hash functions to the same key,
but unlike a hash table it does not store the actual key in a bucket; it just
marks the buckets (bits) selected by all the hash functions as used. It is
therefore far more space efficient than an ordinary hash table. Consider a bit
array of ten bits, all initially 0:
[0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
To add an element, we give it to our hash functions as input. Each hash
function outputs an array index. Let's say we pass the string foo to two hash
functions, which give us indices 0 and 4. We set the corresponding bits in our
bit array to 1:
[1, 0, 0, 0, 1, 0, 0, 0, 0, 0]
Querying for an element is just as straightforward. We pass the element to
our hash functions and check the returned indices to see whether the
corresponding bits in the array have the value 1 or 0. If any of them is 0, the
element is not part of the set; we don't even need to check all of the indices,
because a single zero bit proves the element can't be in the set. Let's say we
query for the string bar using our two hash functions, and that they output
indices 1 and 5. Checking either one of these indices is enough to conclude
that bar is not in our set, since the value at both indices is 0. If all the
corresponding bits are set, the element may be part of the set. Since hash
functions collide, we can't be 100% sure that the queried element is in the set:
another previously added element may have set the same bits. Removing an
element is a simple operation inasmuch as it can't be done. If we were to reset
the corresponding bits of the element we wish to remove, we may end up
removing other elements that share some of those bits. What happens in a Bloom
filter stays in a Bloom filter.
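The Bloom filter described above, implemented in Python as an added example for this report (it is not code from the blog post this chapter draws on). The k indices are derived by double hashing from a single SHA-256 digest, which is a choice made here to stand in for k independent hash functions; the array sizes and the breached-password list are constructed for illustration. The last function reproduces the point about removal: clearing one element's bits makes another element that shares a bit disappear.

```python
"""Bloom filter as described above: k hash functions set k bits on add; a
query answers 'possibly present' only when all k bits are set. Added example;
not code from the page's source. Sizes and sample data are constructed."""
import hashlib
import math


class BloomFilter:
    def __init__(self, m, k):
        self.m = m              # number of bits in the array
        self.k = k              # number of hash functions
        self.bits = [0] * m     # the bit array, all zero at start
        self.n = 0              # elements added, for the false-positive estimate

    def _indices(self, item):
        """k array indices for `item` by double hashing (h1 + i*h2 mod m) from
        one SHA-256 digest; this stands in for k independent hash functions."""
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1     # odd step
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for idx in self._indices(item):
            self.bits[idx] = 1
        self.n += 1

    def might_contain(self, item):
        """False means definitely absent; True means possibly present."""
        return all(self.bits[idx] for idx in self._indices(item))

    def false_positive_rate(self):
        """Textbook estimate (1 - e^(-kn/m))^k for the current fill."""
        return (1 - math.exp(-self.k * self.n / self.m)) ** self.k


def breached_password_filter():
    """A constructed breach list: a registration form can reject any password
    the filter reports present, and it never misses one that is on the list."""
    bf = BloomFilter(m=1024, k=7)
    for pw in ("password", "123456", "qwerty", "letmein", "admin123"):
        bf.add(pw)
    return bf


def false_positive_demo():
    """Deliberately tiny filter: scan candidates that were never added until
    one is (wrongly) reported present, and return it."""
    bf = BloomFilter(m=16, k=2)
    for word in ("alpha", "bravo", "charlie", "delta"):
        bf.add(word)
    for i in range(5000):
        candidate = f"x{i}"
        if bf.might_contain(candidate):
            return candidate
    return None


def unsafe_delete_demo():
    """Why clearing bits is not a delete: pick two items that share a bit,
    add both, clear the first one's bits, and report whether the second has
    vanished from the filter (True = it has)."""
    bf = BloomFilter(m=10, k=2)
    first = "item0"
    for other in (f"item{i}" for i in range(1, 200)):
        if set(bf._indices(first)) & set(bf._indices(other)):
            bf.add(first)
            bf.add(other)
            for idx in bf._indices(first):   # naive "remove first"
                bf.bits[idx] = 0
            return not bf.might_contain(other)
    return False


if __name__ == "__main__":
    bf = breached_password_filter()
    print("letmein ->", bf.might_contain("letmein"), "fp rate ~", bf.false_positive_rate())
    print("false positive found:", false_positive_demo())
    print("naive delete broke another element:", unsafe_delete_demo())
```

For a security use such as a password or IP blocklist the asymmetry is what matters: a false positive only costs a user a retry or a packet an extra lookup, whereas a false negative would let a known-bad value through, and the filter never produces one.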
Bloom filter to decide which CSS selectors to even bother with before processing
declarations. Off the top of my head, I can think of many more applications,
including eliminating unnecessary calls to web caches, preventing the use of
weak passwords, and checking for reserved usernames during registration
processes. I'll leave the rest of the ideation up to the readers of this blog post;
learning what a data structure does and thinking about what can be achieved with
it evokes a childlike sense of discovery in me, and I hope it does the same for
you!
Chapter-5
INTRUSION DETECTION SYSTEM (IDS)
ports to connect other computers. For larger networks, for example business
networks, dedicated networking firewall solutions are available.
Software firewalls are installed on your computers. A software firewall
protects your computer from Internet threats.
5.1.3 ANTIVIRUS
An antivirus is a tool used to detect and remove malicious software.
It was originally designed to detect and remove viruses from computers.
Modern antivirus software provides protection not only from viruses but also
from worms, Trojan horses, adware, spyware, keyloggers, etc. Some products
also provide protection from malicious URLs, spam, phishing attacks, botnets,
DDoS attacks, etc.
5.1.4 CONTENT FILTERING
Content filtering devices screen unpleasant and offensive e-mails or
web pages. They are used as part of firewalls in corporations as well as on
personal computers. These devices return the message "Access Denied" when
someone tries to access an unauthorized web page or e-mail.
Content is usually screened for pornographic content and also for violence-
or hate-oriented content. Organizations also often exclude shopping and
job-related content.
Content filtering can be divided into the following categories:
Web filtering: screening of web sites or pages
E-mail filtering: screening of e-mail for spam and other objectionable content
FIG:5.1 Schema
Firewalls are sometimes also called intrusion detection devices, although their
job is enforcement rather than detection; their traffic rules are configured
according to the company policy rules. For example, you block all incoming
traffic to the POP3 port (TCP 110) because you don't want that host to receive
mail, so as to be secured from all possible mail attacks. They log all the
network attempts for a later audit.
They can also work as packet filters: the firewall takes the decision to
forward or drop a packet based on source and destination addresses and ports.
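An added Python example (not code from any of the products listed below) of the packet-filter behaviour just described: first-match rules over source, destination, protocol and destination port, an implicit default deny, and an audit log line for every decision. The rule syntax, the addresses and the sample packets are assumptions; the policy mirrors the POP3 example in the text and also shows that rule order matters, since the POP3 deny fires even for an internal source.

```python
"""Stateless packet filter with first-match rules, an implicit default deny
and an audit log of every decision. Added example for this report, not code
from any firewall product; rule syntax, addresses and packets are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # source CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"        # destination CIDR
    proto: str = "any"            # "tcp", "udp" or "any"
    dport: Optional[int] = None   # destination port; None matches any port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt["dport"]))


@dataclass
class PacketFilter:
    rules: list
    log: list = field(default_factory=list)

    def decide(self, pkt):
        """First matching rule wins; a packet matching nothing is dropped."""
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                self._audit(pkt, rule.action, f"rule {i}")
                return rule.action
        self._audit(pkt, "deny", "default")
        return "deny"

    def _audit(self, pkt, action, why):
        self.log.append(f"{action.upper()} {pkt['proto']} {pkt['src']} -> "
                        f"{pkt['dst']}:{pkt['dport']} ({why})")


# Policy from the text: no inbound POP3 at all, the public web server reachable
# on 80/443, internal hosts may talk to each other, everything else dropped.
POLICY = [
    Rule("deny", proto="tcp", dport=110),
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=80),
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/8", dst="10.0.0.0/8"),
]

# Constructed packets, not captured traffic.
SAMPLE_PACKETS = [
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 80},   # web: allow
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 110},  # POP3: deny
    {"src": "10.1.2.3", "dst": "10.9.9.9", "proto": "udp", "dport": 53},        # internal: allow
    {"src": "198.51.100.4", "dst": "192.0.2.10", "proto": "tcp", "dport": 22},  # no rule: default deny
    {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 110},     # POP3 from inside: rule 0 still wins
]


def run_policy(packets=SAMPLE_PACKETS, rules=POLICY):
    """Evaluate every packet; return the decisions and the audit log."""
    fw = PacketFilter(list(rules))
    decisions = [fw.decide(p) for p in packets]
    return decisions, fw.log


if __name__ == "__main__":
    for line in run_policy()[1]:
        print(line)
```

Two practitioner points the packets illustrate: the default-deny entry at the end is what turns an incomplete rule list into a policy, and the audit log of the denied attempts (the SSH probe and the POP3 attempts) is the data a later investigation or an IDS would start from.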
Some of the recommended brands are
Cisco ASA Series
Checkpoint
Fortinet
Juniper
SonicWALL
pfSense
CHAPTER-6
MALWARE
6.1 INTRODUCTION
Protecting your computer from malicious software is perhaps the most
important aspect of computer ownership. A wide range of products are available
that offer computer security. However, did you know that certain products only
offer protection against a few malicious attacks? Are you concerned that your
computer may not be fully secured? Before you take the necessary measures of
securing your computer, you should understand the different types of attacks that
could harm your machine.
6.2 WHAT IS MALWARE?
Malicious software (malware) is the wide range of software applications
developed with malicious intent. The methods used for malware installation are
unlike any other software installation you are accustomed to, because malware is
installed through devious means. People often use the terms virus and malware
interchangeably; however, a virus is only one type of malware.
6.3 COMPUTER SECURITY-MALWARE
In the previous chapter we treated antiviruses, which help us protect our
systems; in this chapter we treat malware: how to detect it manually, what
forms it takes, what its file extensions are, the signs of an infected
computer, etc. This is important because the infection rates of business and
personal computers are very high nowadays.
Viruses are self-replicating programs that reproduce their own code by
attaching themselves to other executable code. They operate without the
For example, you can see this in the following image for better
understanding; on my computer I found this file.
After finding this file, I opened it with a text editor and, as I thought, the text
was not understandable, as shown in the following screenshot.
After finding this, I tried it in a base64 decoder and found that it was a
virus file.
Then we should look for any modified, replaced or deleted files, and
the shared libraries should also be checked. Viruses generally infect executable
program files with extensions like .EXE, .DRV, .SYS, .COM and .BIN. Malware
also changes the extension of genuine files, for example File.TXT to
File.TXT.VBS, so that a double-clicked "text file" actually runs a script.
If you are the system administrator of a web server, you should be aware
of another form of malware called a webshell. It generally has a .php
extension but a strange file name, and its code is usually obfuscated (for
example base64-encoded and passed to eval). If you detect one, keep a copy for
analysis and find out how it was uploaded before deleting it; otherwise the
attacker will simply drop another one.
After that is done, we should update the antivirus program and rescan the
computer.
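The manual checks above (double extensions, base64-encoded content, obfuscated .php webshells, and modified, replaced or deleted files) automated in Python as an added example; it is not a tool the report describes. The in-memory file tree, the detection patterns and the hash baseline are assumptions constructed for illustration, and the sample contents are not real malware. The baseline part is also the file-integrity monitoring that Chapter 1 gives as the typical HIDS example.

```python
"""Automates the manual checks above over a constructed in-memory file tree:
double extensions, base64-encoded blobs, .php files with webshell patterns,
and a SHA-256 baseline for modified, replaced or deleted files. Added example
for this report; the tree, patterns and baseline are assumptions, and the
sample contents are not real malware."""
import base64
import hashlib
import re

# Constructed file tree (path -> content), standing in for a real os.walk().
FILES = {
    "/srv/www/index.php": b"<?php echo 'hello'; ?>",
    "/srv/www/uploads/x7a9f.php": b"<?php eval(base64_decode($_POST['c'])); ?>",
    "/home/user/File.TXT.VBS": b'Set o = CreateObject("WScript.Shell")',
    "/home/user/notes.txt": b"meeting at 10",
    "/home/user/blob.dat": base64.b64encode(b"A" * 120),   # a long pure-base64 body
}

# Extensions that run code; a "document" ending in one of these is suspect.
EXECUTABLE_EXTS = {".exe", ".drv", ".sys", ".com", ".bin", ".vbs", ".php"}
# Webshell idiom: an execution primitive fed by decoded/obfuscated input.
WEBSHELL_RX = re.compile(
    rb"(eval|assert|system|shell_exec|passthru)\s*\(\s*(base64_decode|gzinflate|str_rot13)")
# Whole content is one base64 run of 64+ characters (the unreadable text described above).
BASE64_RX = re.compile(rb"^[A-Za-z0-9+/]{64,}={0,2}$")


def double_extension(path):
    """True for names like File.TXT.VBS: a disguised name ending in an executable extension."""
    parts = path.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTS


def looks_base64_blob(data):
    return bool(BASE64_RX.match(data.strip()))


def looks_webshell(path, data):
    return path.lower().endswith(".php") and bool(WEBSHELL_RX.search(data))


def scan(files):
    """Return {path: [reasons]} for every file that trips at least one check."""
    findings = {}
    for path, data in files.items():
        reasons = []
        if double_extension(path):
            reasons.append("double-extension")
        if looks_base64_blob(data):
            reasons.append("base64-blob")
        if looks_webshell(path, data):
            reasons.append("webshell-pattern")
        if reasons:
            findings[path] = reasons
    return findings


def baseline(files):
    """Hash every file once while the system is known to be clean."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in files.items()}


def integrity_diff(base, files):
    """Compare the current tree with the baseline: modified, missing and new files."""
    now = baseline(files)
    return {
        "modified": sorted(p for p in base if p in now and now[p] != base[p]),
        "missing": sorted(p for p in base if p not in now),
        "new": sorted(p for p in now if p not in base),
    }


def integrity_demo():
    """Simulate an infection after the baseline was taken: index.php replaced
    by a webshell, notes.txt deleted, a hidden .php dropped into uploads/."""
    base = baseline(FILES)
    later = dict(FILES)
    later["/srv/www/index.php"] = b"<?php eval(base64_decode($_GET['x'])); ?>"
    del later["/home/user/notes.txt"]
    later["/srv/www/uploads/.cache.php"] = b"<?php system($_GET['c']); ?>"
    return integrity_diff(base, later)


if __name__ == "__main__":
    print(scan(FILES))
    print(integrity_demo())
```

The pattern checks find the obvious cases (the double extension, the base64 blob, the eval-of-decoded-input webshell), but a webshell that is obfuscated differently will slip past them; the hash baseline catches it anyway, because it does not need to know what bad looks like, only what the clean system looked like. That is why the text's advice to look for modified, replaced or deleted files comes first.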
The following are signs of an infected computer.
Your hard disk is accessed most of the time, as you can see from the LED
on your computer case.
OS files are corrupted or missing.
Your computer is consuming too much bandwidth or network resources; this is
typical of a computer worm.
Hard disk space keeps filling up even when you are not taking any action,
such as installing a new program.
File and program sizes change compared to their original versions.
6.6.1 SOME PRACTICAL RECOMMENDATIONS TO AVOID VIRUSES
Don't open any e-mail attachment coming from unknown people, or from
known people when the message text is suspicious.
Don't accept invitations from unknown people on social media.
Don't open URLs sent by unknown people, or by known people when the URL is
in any weird form.