
INTRUSION DETECTION SYSTEMS

(IDS)


SUMANTA KUMAR DAS
0701218126
P.I.E.T
DATE:24.09.10
VENUE:SEMINAR HALL (P.I.E.T)

What is intrusion?
+ An attempt to break into or misuse a system.
+ Intruders may come from outside or from inside the organization.
+ An intrusion can be physical, local (on the system itself) or remote.
+ An agent that is responsible for a policy violation.
+ A potentially unwanted object that is harmful to the system.



Definition of intrusion detection system (IDS)
An intrusion detection system (IDS) is a device or software
application that monitors network and/or system activities for
malicious activities or policy violations and produces reports to a
management station.
Intrusion prevention is the process of performing intrusion
detection and attempting to stop the possible incidents it detects.
IDSs are software or hardware products that automate this
monitoring and analysis process.
An IDS therefore helps defend against malware, hostile programs and
other security threats, but it is one layer of defence: on its own it
does not give total protection (see the limitations later in this talk).


To prevent problem behaviour by increasing the perceived risk of
discovery and punishment for those who would attack or otherwise
abuse the system
To detect attacks and other security violations that are not
prevented by other security measures
To document the existing threats to an organization
To detect and deal with intrusions
To provide useful information about an intrusion and its impact on
the network
Finally, to protect our systems from attackers

Why should I use an IDS if I have a firewall?
Today's security infrastructure is becoming very complex and cannot
be handled by a simple firewall alone.
Failure of any one component of the structure may leave the network
open to attackers.
Not all traffic goes through the firewall, e.g. a modem on a user's
computer.
Not all threats originate from outside: an attack may come from inside
the network, or may arrive over an encrypted channel that the firewall
cannot inspect.
A firewall does not protect adequately against application-level
weaknesses and attacks.
Firewalls cannot protect themselves, hence they are themselves
subject to attack!
What an IDS can do for us
Monitor and analyze user and system activities
Audit system and configuration vulnerabilities
Assess the integrity of critical system and data files
Statistical analysis of abnormal activity
Recognition of patterns that reflect known attacks

What an IDS cannot do for us
Investigate attacks without human interaction (it mainly asks what
to do when an intrusion is detected)
Analyze all traffic on a very high speed network
Deal adequately with attacks at the packet level
Guess the contents of your organization's security policies
Deal adequately with modern network hardware
Types of IDS
Host based IDS (HIDS)
Network based IDS (NIDS)
Application based IDS (APIDS)

1. Host based IDS
+ The intrusion detection system is installed on a host in the network.
+ A host based IDS analyzes activity on that host and the traffic that
originates from or is destined for it.
+ Made up of two parts: 1. a centralised manager, 2. a server agent.
+ The manager is used to administer and store policies, download
policies to agents and store the information received from agents.
+ An agent is installed on each server and registered with the manager.
The agent uses the policies to detect and respond to specific events
and attacks.
2. Network based IDS
+ Network based IDSs are placed at key points of the network
infrastructure and monitor the traffic as it flows to other hosts.
+ Unlike a host based IDS, a network based IDS can monitor the whole
network segment and detect malicious activity aimed at that network.
+ It monitors the traffic strictly and transparently (reassembling it
according to the rules of TCP/IP) without altering it.
+ In a switched network it only sees the packets to and from the
systems it monitors if it is fed from a mirror (SPAN) port or a network
tap, since a switch does not forward other hosts' traffic to the sensor.
3. Application based IDS
Focuses its monitoring and analysis on a specific application
protocol or protocols used by the computer system.
Monitors the dynamic behaviour and state of the protocol; it typically
consists of a system or agent that sits between a process and a group
of servers, or between two connected devices.
A typical place for an application based IDS would be between a web
server and the database management system (DBMS), monitoring the SQL
traffic that interacts with the organization's database.



IDS and Firewall
A common misunderstanding is that firewalls recognize attacks and
block them. This is not true: a firewall is simply a device that shuts
off everything, then turns back on only a few well-chosen items.
A firewall is not the dynamic defensive system that users imagine.
Yes, your system will of course still be attacked even though you have
the firewall.
A firewall sits only at the boundary of your network, not inside it.
Reasons for adding an IDS to your firewall
Double-checks misconfigured firewalls
Catches attacks that the firewall legitimately allows through
Catches attempts that fail
Catches insider hacking
Alerts administrators immediately when an intrusion is detected
Can also block intrusions when deployed in intrusion prevention mode
Better chance of catching newly published attacks, by detecting
anomalous behaviour rather than only known signatures

Mechanism of putting IDS with firewall
After installing Netscape's Directory Server 4 for Solaris, one of the
final options is to remove a file called 'install.inf', which the
install process claims could contain sensitive information. Answering
yes to this question deletes the file.
However, another file is left behind after installation which contains
the unencrypted 'admin' password. This file has world read permissions
and is located in /usr/netscape/server4/admin-serv/config/adm.conf.

INTRUSION DETECTION MECHANISMS
1. Signature based detection
2. Behavioural anomaly detection
3. Protocol anomaly detection
1. Signature based detection
+ For every exploit, the IDS vendor must code a signature specifically
for that attack in order to detect it, and therefore the attack must
already be known. Data packets are compared against the signature
database to find the malicious ones.
+ Such an IDS sensor can operate at speeds of about 60 Mbps.
+ Almost all IDS products are structured around a large signature
database and attempt to compare every packet against every signature
in the database.
+ When a new attack appears, the vendor has to identify it, create a
signature and release an update; until that update is installed the
IDS cannot see the attack.
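To make the packet-versus-signature comparison concrete, here is an added Python example written for this page (not code from the slides or from any IDS vendor). Signatures are byte patterns bound to a destination port, in the spirit of content rules; the signature ids, patterns and sample packets are all constructed and illustrative. The last HTTP packet carries the same traversal URL-encoded, which shows the limitation of matching on exact known bytes and why real sensors normalise the payload before matching.

```python
"""Minimal signature-based detection (added example, not from the slides).

Each signature is a byte pattern bound to a destination port. Packets and
signatures are constructed; the sids and patterns are illustrative, not a
real vendor database."""
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Signature:
    sid: int            # hypothetical signature id
    name: str
    dst_port: int       # 0 means any port
    pattern: bytes      # byte sequence to look for in the payload


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes


# Constructed signature database.
SIGNATURES = (
    Signature(1001, "HTTP directory traversal", 80, b"../../"),
    Signature(1002, "SQL injection probe", 80, b"' OR 1=1"),
    Signature(1003, "shell path in SMTP command", 25, b"/bin/sh"),
)


def match_packet(pkt, sigs=SIGNATURES, normalize=False):
    """Compare one packet against every signature; return those that match.

    With normalize=True the payload is URL-decoded first, so a pattern hidden
    behind %-encoding is still found; without it the sensor only knows the
    exact byte sequence the vendor wrote into the signature."""
    payload = unquote_to_bytes(pkt.payload) if normalize else pkt.payload
    return [s for s in sigs
            if s.dst_port in (0, pkt.dst_port) and s.pattern in payload]


def scan(packets, sigs=SIGNATURES, normalize=False):
    """Run every packet past every signature (the packets x signatures
    comparison the slide describes) and return (packet, sid) alerts."""
    return [(pkt, sig.sid)
            for pkt in packets
            for sig in match_packet(pkt, sigs, normalize)]


# Constructed sample traffic.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.9", "10.0.0.80", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    Packet("10.0.0.9", "10.0.0.80", 80, b"GET /login?user=admin' OR 1=1-- HTTP/1.1\r\n"),
    # The same traversal, URL-encoded: the raw-byte signature does not match.
    Packet("10.0.0.9", "10.0.0.80", 80, b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n"),
    Packet("10.0.0.9", "10.0.0.25", 25, b"MAIL FROM:<user@example.com>\r\n"),
]


if __name__ == "__main__":
    for pkt, sid in scan(SAMPLE):
        print("ALERT sid=%d %s -> %s:%d" % (sid, pkt.src, pkt.dst, pkt.dst_port))
    print("with normalisation:", [sid for _, sid in scan(SAMPLE, normalize=True)])
```

Without normalisation the scan raises two alerts (sids 1001 and 1002) and misses the encoded traversal; with normalisation the fourth packet is caught as well. Every evasion of this kind (encoding, fragmentation, case changes) needs its own pre-processing step in the sensor, which is one reason the signature approach never quite keeps up.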

2. Behavioural anomaly detection
Ability to detect statistical anomalies.
The framework of statistical anomaly detection is a baseline of certain
system statistics, or patterns of behaviour, that are tracked
continually by the system; changes in these patterns are used to
indicate attacks.

The benefit of this approach is that it can detect the anomalies
without having to understand the underlying cause behind them.
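The baseline-and-deviation idea in the slide, as an added Python example written for this page (not code from the slides or from any IDS product). One metric per host, outbound connections per minute, is baselined from a constructed training window; live observations are then scored by how many standard deviations they sit from that baseline. The host names, counts, z-score threshold and standard-deviation floor are all assumptions chosen for the illustration.

```python
"""Statistical anomaly detection (added example, not from the slides).

Baselines one metric per host (outbound connections per minute) from a
constructed training window, then flags observations whose z-score exceeds
a threshold. It does not need to know *why* the count changed."""
import statistics
from collections import defaultdict

THRESHOLD = 3.0   # z-score above which an observation is anomalous (assumed)
MIN_STDEV = 1.0   # floor so a perfectly flat baseline does not divide by zero


def build_baseline(training):
    """training: iterable of (host, connections_per_minute).
    Returns {host: (mean, stdev)} with stdev floored at MIN_STDEV."""
    samples = defaultdict(list)
    for host, count in training:
        samples[host].append(count)
    baseline = {}
    for host, counts in samples.items():
        mean = statistics.fmean(counts)
        stdev = statistics.pstdev(counts) if len(counts) > 1 else 0.0
        baseline[host] = (mean, max(stdev, MIN_STDEV))
    return baseline


def score(baseline, host, count):
    """z-score of one observation against the host's baseline. A host that
    was never seen in training is treated as infinitely anomalous."""
    if host not in baseline:
        return float("inf")
    mean, stdev = baseline[host]
    return (count - mean) / stdev


def detect(baseline, observations, threshold=THRESHOLD):
    """Return [(host, count, z)] for every observation above the threshold."""
    alerts = []
    for host, count in observations:
        z = score(baseline, host, count)
        if z > threshold:
            alerts.append((host, count, round(z, 2)))
    return alerts


# Constructed training window: a workstation and a mail server, 10 minutes each.
TRAINING = ([("ws-1", c) for c in (4, 5, 6, 5, 4, 6, 5, 5, 4, 6)]
            + [("mail", c) for c in (40, 42, 38, 41, 39, 40, 43, 37, 41, 39)])

# Constructed live observations: ws-1 suddenly opens 60 connections in a
# minute (worm-like scanning), mail stays inside its normal band, and db-7
# was never seen during training.
LIVE = [("ws-1", 5), ("ws-1", 60), ("mail", 44), ("mail", 41), ("db-7", 3)]


if __name__ == "__main__":
    for host, count, z in detect(build_baseline(TRAINING), LIVE):
        print("ANOMALY host=%s count=%d z=%s" % (host, count, z))
```

Two design points are worth noticing. The standard-deviation floor matters: the workstation's baseline is so regular (sigma below 1) that without a floor a change of two or three connections would already trip the threshold, which is where many false alarms come from. And the unseen host is reported as anomalous rather than ignored, which is the right default for a detector that cannot know whether a new device is legitimate.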


3. Protocol anomaly detection
It is performed at the application protocol layer, e.g. HTTP, FTP,
SMTP, RPC etc.

It focuses on the structure and content of the communications.
When the protocol rules are modelled directly in the sensor, it is easy
to identify traffic that violates the rules, such as unexpected data,
extra characters and invalid characters.
The IDS recognizes such an attack as a protocol violation and reports
it to the system administrator.
OTHER APPROACHES TO SECURITY
You spend great money on concrete walls (firewalls), but they are of
no use if someone can dig under them!
LAYERED APPROACH TO PROTECTION
We can align our intrusion sensors with the firewall; combined, they
reduce the risk.
3 layers: 1. HIDS, 2. NIDS, 3. Passive
A threat has to get past every layer; what one layer misses, the next
can still catch.

[Figure: intrusion detection in DNS servers; HTTP server intrusion detection system]
Computer attacks & vulnerabilities
An attack may be caused by violating any of the following in a system:
Confidentiality!
Integrity!
Availability!
Control!


Types of computer attacks commonly detected by an IDS
Scanning attack
Port scan attack
Denial of service attack
Peer to peer attack
Penetration attack
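The first two entries in that list, scanning and port scans, are the easiest to show as detection logic. The following Python is an added example written for this page (not code from the slides or from any IDS product). It reads firewall-style connection records in a constructed log format and raises a port-scan alert when one source touches many distinct ports on one host inside a time window, and a host-sweep alert when one source touches the same port on many hosts. The log format, thresholds and window are assumptions; the slow scan in the sample data shows how an attacker who spreads probes out in time stays under a window-based detector.

```python
"""Port scan and host sweep detection over a constructed connection log
(added example, not from the slides)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record format: "<iso-timestamp> <src> -> <dst>:<port> <flags>"
LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")
WINDOW = timedelta(seconds=60)     # assumed detection window
PORT_SCAN_THRESHOLD = 10           # distinct ports on one host within WINDOW
SWEEP_THRESHOLD = 5                # distinct hosts on one port within WINDOW


def parse(line):
    """Parse one record; returns (ts, src, dst, port, flags) or None."""
    m = LINE.match(line)
    if not m:
        return None
    ts, src, dst, port, flags = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), flags


def detect_scans(lines, port_threshold=PORT_SCAN_THRESHOLD,
                 sweep_threshold=SWEEP_THRESHOLD):
    """Return a sorted list of (kind, src, target) alerts, each at most once.
    kind is "port-scan" (target = destination host) or "host-sweep"
    (target = destination port as a string)."""
    by_pair = defaultdict(list)   # (src, dst)  -> [(ts, port)]
    by_port = defaultdict(list)   # (src, port) -> [(ts, dst)]
    alerts = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                      # unparsable record: skip
        ts, src, dst, port, _flags = rec
        for table, key, value, limit, kind in (
                (by_pair, (src, dst), port, port_threshold, "port-scan"),
                (by_port, (src, port), dst, sweep_threshold, "host-sweep")):
            # keep only events still inside the window, then add this one
            events = [(t, v) for t, v in table[key] if ts - t <= WINDOW]
            events.append((ts, value))
            table[key] = events
            if len({v for _, v in events}) >= limit:
                alerts.add((kind, src, str(key[1])))
    return sorted(alerts)


# Constructed sample log.
BASE = datetime(2010, 9, 24, 10, 0, 0)


def _line(offset_s, src, dst, port):
    ts = (BASE + timedelta(seconds=offset_s)).isoformat()
    return "%s %s -> %s:%d SYN" % (ts, src, dst, port)


SAMPLE_LOG = (
    [_line(0, "10.0.0.5", "10.0.0.80", 80), _line(3, "10.0.0.5", "10.0.0.25", 25)]
    # fast port scan: 12 ports on one host in 12 seconds
    + [_line(10 + i, "10.0.0.9", "10.0.0.80", 21 + i) for i in range(12)]
    # host sweep: port 445 on six hosts in six seconds
    + [_line(30 + i, "10.0.0.9", "10.0.0.%d" % (1 + i), 445) for i in range(6)]
    # slow scan: same 12 ports, but one probe every two minutes
    + [_line(100 + 120 * i, "10.0.0.7", "10.0.0.80", 21 + i) for i in range(12)]
    + ["garbage line that does not parse"]
)


if __name__ == "__main__":
    for kind, src, target in detect_scans(SAMPLE_LOG):
        print("ALERT %s from %s against %s" % (kind, src, target))
```

Run as written it reports a port scan from 10.0.0.9 against 10.0.0.80 and a host sweep from 10.0.0.9 on port 445, and nothing for 10.0.0.7, whose probes are two minutes apart and therefore never accumulate inside the 60-second window. Widening the window catches the slow scanner at the cost of more state per source and more false positives from legitimate chatty hosts, the trade-off every threshold detector faces.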

Limitations of IDS
+ Dealing effectively with switched networks
+ Automatically investigating attacks without human interaction
+ May not respond effectively to newly published attacks or variants
of existing attacks
+ Cannot automatically collect the organization's policy


Future of IDS
+ Even though the IDS research field is maturing, further improvement
is still required:
+ Reduce the number of false alarms
+ Work effectively with high speed and switched networks
+ Challenge newly published threats
+ Enhance security further
Conclusion
+ An IDS is now very useful to our nation as well as to our security
systems
+ We can get full information about threats
+ An IDS is a challenge to threats
+ An IDS can save our time and money (directly or indirectly)
+ An IDS opens a new era of protection and security
