
SEMINAR

TOPIC: IDS

Contents for the partial fulfillment of Seminar of paper MIT-209

Submitted to: Ms Rituraj Kothari

Submitted by: Pushpa Gurjar, MSc(IT) III Sem

Intruder Detection System

Contents
Introduction
False Positives and Negatives
System Components
Detection Types
Technologies
IDS Management
Pros and Cons
IDS Challenges

Conclusion

Introduction
The Defence Information Services Agency (DISA) states that up to 98% of attacks go unnoticed. These revelations have caused many businesses to rethink, or to start thinking about, the security of their own networks. The security of a network cannot be trusted to just one method of security; it must consist of many layers of security measures. These security measures may consist of strong passwords, screening routers, firewalls, proxy servers, and intrusion detection systems.

Intruder
An entity who tries to find a way to gain unauthorized access to information, cause harm or engage in other malicious activities. Three classes of intruders:
Masquerader
Misfeasor
Clandestine user

Intrusion & Intrusion Detection


An intrusion is an unauthorized usage or misuse of a computer system. Intrusion detection is the act of detecting unwanted traffic on a network or a device; equivalently, intrusion detection is a security technology that attempts to identify intrusions against a computer network.

Intrusion Detection System


An IDS can be a piece of installed software or a physical appliance that monitors network traffic in order to detect unwanted activity and events such as illegal and malicious traffic, and traffic that violates security policy. Examples of IDS tools:
Snort (open-source)
RealSecure
Tripwire
Cisco ASA 5500 Series

False Positives and Negatives


False positives occur when the IDS erroneously reports a problem with benign traffic. False negatives occur when unwanted traffic goes undetected by the IDS.

System Components
Sensors: They take input from various sources, including network packets, log files, and system call traces.

Analyzers: Analyzers collect data forwarded by sensors and then determine if an intrusion has actually occurred.

User interface: The user interface of the IDS provides the end user a view of, and a way to interact with, the system.

System Components(cont)
Honeypot: Honeypot systems are decoy servers or systems set up to gather information regarding an attacker or intruder into our system.

File Integrity Checkers: They utilize message digests or other cryptographic checksums for critical files and objects, comparing them to reference values, and flagging differences or changes.
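As an added example (not part of the seminar), a minimal file integrity checker of the kind described above: it records SHA-256 digests of critical files as reference values and later flags any file whose digest changed, went missing, or newly appeared. The file names and contents are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Added example, not from the seminar: a minimal file integrity checker. A baseline
# maps path -> SHA-256 hex digest; a later scan is compared against it.

def sha256_of_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record reference digests for the given critical files."""
    return {p: sha256_of_file(p) for p in paths}

def check_integrity(baseline, paths):
    """Compare current digests with the baseline and return the findings."""
    current = {p: sha256_of_file(p) for p in paths if os.path.exists(p)}
    findings = {"modified": [], "missing": [], "new": []}
    for p, ref in baseline.items():
        if p not in current:
            findings["missing"].append(p)
        elif current[p] != ref:
            findings["modified"].append(p)
    findings["new"] = [p for p in current if p not in baseline]
    return findings

def demo():
    """Constructed scenario in a temp dir: baseline two files, then alter one,
    delete the other and drop in a third before re-checking."""
    d = tempfile.mkdtemp()
    a, b, c = (os.path.join(d, n) for n in ("passwd", "hosts", "new.bin"))
    with open(a, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    with open(b, "w") as f:
        f.write("127.0.0.1 localhost\n")
    baseline = build_baseline([a, b])
    with open(a, "a") as f:
        f.write("# appended after the baseline was taken\n")
    os.remove(b)
    with open(c, "w") as f:
        f.write("unexpected file\n")
    findings = check_integrity(baseline, [a, b, c])
    return {k: [os.path.basename(p) for p in v] for k, v in findings.items()}
```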

Detection Types
Signature-Based Detection: relying on known signature traffic data to analyze potentially unwanted traffic.

Anomaly-Based Detection: detecting unwanted traffic that is not specifically known.

Stateful Protocol Inspection: similar to anomaly-based detection, but it can also analyze traffic at the network and transport layers and vendor-specific traffic at the application layer, which anomaly-based detection cannot do.

Technologies
Several types of IDS technologies exist due to the variance of network configurations. Each type has advantages and disadvantages in detection, configuration and cost. The two basic types are:
Network-based IDS (NIDS)
Host-based IDS (HIDS)

Network-Based IDS

Definition
Network-based intrusion detection systems are designed to precisely identify, categorize, and protect against known and unknown threats targeting a network. These threats include worms, DoS attacks, and any other detected weakness.

Detection methodologies
Pattern matching and stateful pattern-matching recognition
Protocol analysis
Heuristic-based analysis
Anomaly-based analysis

Pattern Matching and Stateful Pattern-Matching Recognition
The intrusion detection device searches for a fixed sequence of bytes within the packets traversing the network. This tactic uses the concept of signatures. The signature could include an explicit starting point and endpoint for inspection within the specific packet.

Benefits
Direct correlation of an exploit
Trigger alerts on the pattern specified
Can be applied across different services and protocols

Disadvantages
Pattern matching can lead to a considerably high rate of false positives.

Stateful pattern-matching recognition
To address some of these limitations of pattern-matching recognition, a more refined method was created. This methodology is called stateful pattern-matching recognition.

Advantages of stateful pattern-matching
It has the capability to directly correlate a specific exploit within the pattern.
Supports all non-encrypted IP protocols.
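Added example, not from the seminar: a fixed-byte signature searched per packet beside a stateful matcher that carries stream context across packet boundaries. The signature bytes and the packets are constructed; a signature split over two packets shows what the per-packet search misses and the stateful matcher catches.

```python
# Added example, not from the seminar: per-packet signature search versus a
# stateful matcher that keeps stream context across packet boundaries.
# SIGNATURE and the packets below are constructed, not real rule content.

SIGNATURE = b"BAD-SEQ-42"

def stateless_match(packets, signature=SIGNATURE):
    """Inspect each packet on its own; return indices of packets holding the signature."""
    return [i for i, p in enumerate(packets) if signature in p]

class StreamMatcher:
    """Stateful matcher: remembers the last len(signature)-1 bytes of the stream
    so a signature split across two packets is still detected."""

    def __init__(self, signature=SIGNATURE):
        self.sig = signature
        self.tail = b""
        self.hits = 0

    def feed(self, packet):
        """Consume one packet in stream order; return True if the signature completed here."""
        data = self.tail + packet
        idx = data.find(self.sig)
        if idx >= 0:
            self.hits += 1
            data = data[idx + len(self.sig):]   # do not count the same bytes twice
        keep = len(self.sig) - 1
        self.tail = data[-keep:] if keep > 0 else b""
        return idx >= 0

def demo():
    """Constructed stream: the signature is split across packets 1 and 2."""
    packets = [
        b"GET /index.html HTTP/1.0\r\n",
        b"X-Note: BAD-S",
        b"EQ-42 here\r\n",
        b"\r\n",
    ]
    stateless = stateless_match(packets)          # no single packet holds it
    matcher = StreamMatcher()
    stateful = [i for i, p in enumerate(packets) if matcher.feed(p)]
    return stateless, stateful
```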

Protocol Analysis
Protocol analysis (or protocol decode-based signatures) is often referred to as the extension of stateful pattern recognition. A NIDS accomplishes protocol analysis by decoding all protocol or client-server conversations. The NIDS identifies the elements of the protocol and analyzes them while looking for an intrusion.

Heuristic-Based Analysis
Heuristic scanning uses algorithmic logic from statistical analysis of the traffic passing through the network. Heuristic-based algorithms may require fine tuning to adapt to network traffic and minimize the possibility of false positives.

Anomaly-Based Analysis
Anomaly detectors identify abnormal behavior (anomalies) on a host or network. A different practice keeps track of network traffic that diverges from "normal" behavioral patterns. Sometimes it is challenging to classify a specific behavior as normal or abnormal based on different factors. These factors include negotiated protocols, specific application changes, and changes in the architecture of the network.

Advantages
IDSs based on anomaly detection detect unusual behavior and thus have the ability to detect symptoms of attacks without specific knowledge of details.
Anomaly detectors can produce information that can in turn be used to define signatures for pattern-matching recognition.

Disadvantage
Anomaly detection approaches usually produce a large number of false alarms due to the unpredictable behaviors of users and networks.
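Added example (not from the seminar) covering the False Positives and Negatives slide and anomaly-based analysis together: a profile of "normal" connections per minute is learned from a clean window, deviations beyond three standard deviations raise alerts, and the alerts are scored against constructed ground truth to show a true positive, a false positive from a legitimate burst, and a false negative from a probe that stays within the normal band.

```python
import statistics

# Added example, not from the seminar: a threshold anomaly detector on constructed
# per-minute connection counts for one host, scored against labelled ground truth
# to show how false positives and false negatives arise.

def build_profile(training):
    """Learn 'normal' as the mean and standard deviation of a clean training window."""
    return statistics.mean(training), statistics.pstdev(training)

def detect(profile, observations, threshold=3.0):
    """Return indices of observations more than `threshold` std devs above the mean."""
    mean, std = profile
    return [i for i, x in enumerate(observations)
            if std > 0 and (x - mean) / std > threshold]

def score(alerts, intrusions):
    """Split alert indices into true positives, false positives and false negatives."""
    alerts, intrusions = set(alerts), set(intrusions)
    return {
        "true_positive": sorted(alerts & intrusions),
        "false_positive": sorted(alerts - intrusions),
        "false_negative": sorted(intrusions - alerts),
    }

def demo():
    """Constructed data: a quiet training window, then an observation window with
    a real scan (index 3), a legitimate backup burst (index 6) and a low-and-slow
    probe (index 8) that stays inside the normal band."""
    training = [20, 22, 19, 21, 20, 23, 18, 21, 20, 22]
    observed = [21, 20, 22, 240, 19, 21, 180, 20, 24, 21]
    intrusions = [3, 8]
    alerts = detect(build_profile(training), observed)
    return score(alerts, intrusions)
```

The burst at index 6 is the false alarm the slide warns about, and the probe at index 8 shows why a detector with no knowledge of attack details can miss a quiet one.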

Profile-based & Protocol-based Detection


A variation of anomaly-based detection is profile-based detection. This allows systems to raise alarms on alterations in the way that other systems or end users interact on the network. Another kind of anomaly-based detection is protocol-based detection. The protocol-based detection technique depends on well-defined protocols, because it detects as an anomaly any unexpected value or configuration within a field of the respective protocol.

Component Types
Sensor: The sensor or agent is the NIDS component that sees network traffic and can make decisions regarding whether the traffic is malicious.

Management server: As the analyzer, a management server is a central location for all sensors to send their results. The management server will make decisions based on what the sensor reports. It can also correlate information from several sensors and make decisions based on specific traffic in different locations on the network.

Database server: Database servers are the storage components of the NIDS. On these servers, events from sensors and correlated data from management servers can be logged.

Console: As the user interface of the NIDS, the console is the portion of the NIDS at which the administrator can log in to configure the NIDS or to monitor its status. The console can be installed as either a local program on the administrator's computer or a secure Web application portal.

NIDS Sensor Placement


There are several ways to connect a NIDS sensor to the network:
1. Inline: an inline NIDS sensor is placed between two network devices, such as a router and a firewall. This means that all traffic between the two devices must travel through the sensor, guaranteeing that the sensor can analyze the traffic.
2. Passive: a passive sensor analyzes traffic that has been copied from the network rather than traffic that passes through it. The copied traffic can come from numerous places, such as a spanning port or a network tap.

Locations of Network-based IDS sensors

Advantages of NIDS
A few well-placed NIDS can monitor a large network. The deployment of NIDS has little impact upon an existing network. Network-based IDSs are usually passive devices that listen on a network wire without interfering with the normal operation of a network. Thus, it is usually easy to retrofit a network to include NIDS with minimal effort. NIDS can be made very secure against attack and even made invisible to many attackers.

Disadvantages of NIDS
NIDS may fail to recognize an attack launched during periods of high traffic. NIDS cannot analyze encrypted information; this problem is increasing as more organizations (and attackers) use virtual private networks. Most NIDS cannot tell whether or not an attack was successful. Some NIDS have problems dealing with network-based attacks that involve fragmenting packets. These malformed packets can cause the IDSs to become unstable and crash.

Cisco ASA 5500 Series IPS Edition


With its solid firewall and advanced application security capabilities, the Cisco ASA 5500 Series IPS Edition provides strong and stable policy enforcement.
Capabilities
Accurate, multi-vector threat protection
Network integration
Threat-protected VPN
Complete incident life-cycle management

Host-Based IDS

Host-based intrusion detection systems (HIDS) analyze network traffic and system-specific settings such as system calls, local security policy, local log audits and more. A HIDS must be installed on each machine and requires configuration specific to that operating system and software.

Device Types
The sensor, or agent, is located on or near a host, such as a server, workstation, or application service. The event data is sent to logging services to record the events and possibly correlate them with other events. A server is typically a computer dedicated to running services to which clients connect to send or receive data, such as Web, email, or FTP servers. An application service is software that runs on a server, such as a Web service or database application.

Advantages of HIDS
HIDS can detect attacks that cannot be seen by a NIDS. HIDS are unaffected by switched networks. When host-based IDSs operate on the OS, they can help detect Trojan horse or other attacks that involve breaches. These appear as inconsistencies in process execution.

Disadvantages of HIDS
HIDS are harder to manage. HIDS may be attacked and disabled as part of the attack. HIDS are not well suited for detecting network scans that target an entire network. Host-based IDSs can be disabled by certain denial-of-service attacks. They require additional local storage on the system, causing a performance cost on the monitored systems.

IBM RealSecure Server Sensor


IBM RealSecure Server Sensor provides automated, real-time intrusion protection and detection by analyzing events and host logs.
Benefits
Server protection
Advanced intrusion prevention/blocking
Console and network intrusion protection
Broad platform coverage
Audit policy management
Global technical support

NIDS Vs HIDS

IDS Sensors

IDS Management
Maintenance
Tuning
Detection Accuracy

Benefits
1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised.
2. Monitoring and analysis of system events and user behaviors.
3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

Limitations
1. Noise can severely limit an IDS's effectiveness.
2. It is not uncommon for the number of real attacks to be far below the false-alarm rate.
3. Many attacks are prepared for specific versions of software that are usually outdated, and these may go undetected.

Firewall Vs IDS
A firewall cannot detect security breaches associated with traffic that does not pass through it; not all access to the Internet occurs through the firewall. A firewall does not inspect the content of the permitted traffic as an IDS does. A firewall is more likely to be attacked than an IDS.

Firewall Vs IDS (Cont)


A firewall is usually helpless against tunneling attacks, whereas an IDS provides protection against tunneling attacks. An IDS is capable of monitoring messages from other pieces of security infrastructure, whereas a firewall is not.

IDS Challenges
1. Tools Used in Attacks
2. Social Engineering
3. IDS Scalability in Large Networks
4. Vulnerabilities in Operating Systems
5. Limits in Network Intrusion Detection Systems
6. Signature-Based Detection
7. Over-Reliance on IDS

Conclusion

