Contents
- Introduction
- False Positives and Negatives
- System Components
- Detection Types
- Technologies
- IDS Management
- Pros and Cons
- IDS Challenges
- Conclusion
Introduction
The Defence Information Services Agency (DISA) states that up to 98% of attacks go unnoticed. These revelations have caused many businesses to rethink, or to start thinking about, the security of their own networks. The security of a network cannot be trusted to a single security method; it must consist of many layers of security measures. These measures may include strong passwords, screening routers, firewalls, proxy servers, and intrusion detection systems.
Intruder
An entity who tries to find a way to gain unauthorized access to information, cause harm, or engage in other malicious activities. There are three classes of intruders:
- Masquerader
- Misfeasor
- Clandestine user
System Components
Sensors: they take input from various sources, including network packets, log files, and system call traces.
Honeypot: honeypot systems are decoy servers or systems set up to gather information about an attacker or intruder into our system.
Detection Types
Signature-Based Detection: relies on known traffic patterns (signatures) to analyze potentially unwanted traffic.
Technologies
Several types of IDS technologies exist because network configurations vary. Each type has advantages and disadvantages in detection, configuration, and cost. The two basic types are Network-based IDS (NIDS) and Host-based IDS (HIDS).
Network-Based IDS
Definition
Network-based intrusion detection systems (NIDS) are designed to precisely identify, categorize, and protect against known and unknown threats targeting a network. These threats include worms, DoS attacks, and any other detected weakness.
Detection methodologies
- Pattern matching and stateful pattern-matching recognition
- Protocol analysis
- Heuristic-based analysis
- Anomaly-based analysis
Pattern Matching and Stateful Pattern-Matching Recognition
The intrusion detection device searches for a fixed sequence of bytes within the packets traversing the network. This tactic uses the concept of signatures. A signature can include an explicit starting point and endpoint for inspection within a specific packet.
Benefits:
- Direct correlation of an exploit
- Triggers alerts on the pattern specified
- Can be applied across different services and protocols
Disadvantages:
- Pattern matching can lead to a considerably high rate of false positives.
Stateful pattern-matching recognition
To address some of the limitations of pattern-matching recognition, a more refined method was created. This methodology is called stateful pattern-matching recognition.
Advantages of stateful pattern matching:
- It has the capability to directly correlate a specific exploit within the pattern.
- Supports all non-encrypted IP protocols.
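The difference between the two methods is that stateful matching inspects the byte stream of a session rather than each packet on its own. The Python example below is added here and is not from the original slides; the `Packet` class, the signature bytes, the sequence numbers and the HTTP request are all constructed so that the signature straddles two TCP segments, which per-packet matching misses and stream matching finds even when the segments arrive out of order.

```python
from dataclasses import dataclass

SIGNATURE = b"ATTACK-SIG-001"  # constructed fixed-byte signature, not a real IDS rule

@dataclass
class Packet:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def stateless_match(packets, signature=SIGNATURE):
    """Plain pattern matching: every packet is inspected in isolation."""
    return [p.seq + p.payload.find(signature) for p in packets if signature in p.payload]

class StreamMatcher:
    """Stateful matching: reorder segments, reassemble the stream, keep a partial tail."""

    def __init__(self, first_seq, signature=SIGNATURE):
        self.sig = signature
        self.next_seq = first_seq   # next expected in-order byte of the stream
        self.buf, self.buf_seq = b"", first_seq
        self.pending = {}           # out-of-order segments waiting for their predecessors
        self.hits = []              # sequence numbers at which the signature began

    def feed(self, pkt):
        self.pending[pkt.seq] = pkt.payload
        while self.next_seq in self.pending:          # drain every now-contiguous segment
            data = self.pending.pop(self.next_seq)
            self.next_seq += len(data)
            self.buf += data
            idx = self.buf.find(self.sig)
            while idx != -1:
                self.hits.append(self.buf_seq + idx)
                self._drop(idx + len(self.sig))
                idx = self.buf.find(self.sig)
            if len(self.buf) >= len(self.sig):        # keep only the last len(sig)-1 bytes:
                self._drop(len(self.buf) - len(self.sig) + 1)   # a match split here is still seen
        return list(self.hits)

    def _drop(self, n):
        self.buf, self.buf_seq = self.buf[n:], self.buf_seq + n

def stateful_match(packets, first_seq, signature=SIGNATURE):
    """Run all segments (in arrival order) through one StreamMatcher."""
    m = StreamMatcher(first_seq, signature)
    for p in packets:
        m.feed(p)
    return m.hits

# Constructed two-segment HTTP request whose signature straddles the segment boundary.
SEGMENTS = [Packet(1000, b"GET /index.html ATTACK-S"), Packet(1024, b"IG-001 HTTP/1.0\r\n")]
```

`stateless_match(SEGMENTS)` returns no hit, while `stateful_match(SEGMENTS, 1000)` and `stateful_match(SEGMENTS[::-1], 1000)` both report the signature at stream offset 1016.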
Protocol Analysis
Protocol analysis (or protocol decode-based signatures) is often referred to as the extension of stateful pattern recognition. A NIDS accomplishes protocol analysis by decoding all protocol or client-server conversations. The NIDS identifies the elements of the protocol and analyzes them while looking for an intrusion.
Heuristic-Based Analysis
Heuristic scanning uses algorithmic logic from statistical analysis of the traffic passing through the network. Heuristic-based algorithms may require fine tuning to adapt to network traffic and minimize the possibility of false positives.
Anomaly-Based Analysis
Anomaly detectors identify unusual behavior (anomalies) on a host or network. One practice keeps track of network traffic that diverges from "normal" behavioral patterns. It is sometimes challenging to classify a specific behavior as normal or abnormal, because this depends on factors such as negotiated protocols, specific application changes, and changes in the architecture of the network.
Advantages
IDSs based on anomaly detection detect unusual behavior and thus have the ability to detect symptoms of attacks without specific knowledge of their details. Anomaly detectors can produce information that can in turn be used to define signatures for pattern-matching recognition.
Disadvantages
Anomaly detection approaches usually produce a large number of false alarms due to the unpredictable behavior of users and networks.
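A minimal statistical anomaly detector, added here as an illustration and not part of the original slides, shows both sides of the trade-off above: a host never seen in the baseline is flagged without any signature, but a legitimate burst from a known host is flagged too unless the threshold is loosened. The flow-record format, the addresses and the per-host counts are all constructed.

```python
import statistics
from collections import Counter

def count_flows(records):
    """Connections per source address; each record is 'src_ip dst_ip:port' (constructed format)."""
    return Counter(line.split()[0] for line in records if line.strip())

def build_profile(records):
    """Learn 'normal' per-source volume from a quiet training window: (mean, population stdev)."""
    counts = count_flows(records)
    return statistics.mean(counts.values()), statistics.pstdev(counts.values())

def detect_anomalies(records, profile, k):
    """Flag sources whose volume exceeds mean + k*stdev; k sets the sensitivity."""
    mean, stdev = profile
    threshold = mean + k * stdev
    return sorted(src for src, n in count_flows(records).items() if n > threshold)

def flows(host_counts, port=443):
    """Build constructed flow records for hosts 10.0.0.1.. with the given per-host counts."""
    return [f"10.0.0.{h} 10.0.1.5:{port}" for h, n in enumerate(host_counts, 1) for _ in range(n)]

# Constructed training window: six workstations, 4-6 connections each.
BASELINE = flows([4, 5, 6, 5, 4, 6])
# Constructed observation window: 10.0.0.2 runs a legitimate 8-connection backup, and a
# new host 10.0.0.9 opens 40 connections to 40 different ports (scan-like behaviour).
OBSERVED = flows([5, 8, 5, 6, 4, 5]) + [f"10.0.0.9 10.0.1.5:{port}" for port in range(20, 60)]

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for k in (3, 4):   # tighter threshold -> more false alarms, looser -> fewer
        print(f"k={k}: alerts {detect_anomalies(OBSERVED, profile, k)}")
```

With k=3 both 10.0.0.2 (the false alarm) and 10.0.0.9 are reported; with k=4 only 10.0.0.9 is, which is exactly the tuning problem the slide describes.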
Component Types
Sensor: the sensor, or agent, is the NIDS component that sees network traffic and can make decisions regarding whether the traffic is malicious.
Management server: acting as the analyzer, a management server is a central location to which all sensors send their results. The management server makes decisions based on what the sensors report. It can also correlate information from several sensors and make decisions based on specific traffic in different locations on the network.
Database server: database servers are the storage components of the NIDS. Events from sensors and correlated data from management servers are logged to these servers.
Console: as the user interface of the NIDS, the console is the portion of the NIDS into which the administrator can log to configure the NIDS or monitor its status. The console can be installed either as a local program on the administrator's computer or as a secure web application portal.
Advantages of NIDS
A few well-placed NIDS can monitor a large network. The deployment of NIDS has little impact upon an existing network. Network-based IDSs are usually passive devices that listen on a network wire without interfering with the normal operation of the network. Thus, it is usually easy to retrofit a network to include NIDS with minimal effort. NIDS can be made very secure against attack and even made invisible to many attackers.
Disadvantages of NIDS
NIDS may fail to recognize an attack launched during periods of high traffic. NIDS cannot analyze encrypted information; this problem is increasing as more organizations (and attackers) use virtual private networks. Most NIDS cannot tell whether or not an attack was successful. Some NIDS have problems dealing with network-based attacks that involve fragmented packets; these malformed packets can cause the IDS to become unstable and crash.
Host-Based IDS
Host-based intrusion detection systems (HIDS) analyze network traffic and system-specific settings such as system calls, local security policy, local log audits, and more. A HIDS must be installed on each machine and requires configuration specific to that operating system and software.
Device Types
The sensor, or agent, is located on or near a host, such as a server, workstation, or application service. The event data is sent to logging services to record the events and possibly correlate them with other events. A server is typically a computer dedicated to running services to which clients connect to send or receive data, such as web, email, or FTP servers. An application service is software that runs on a server, such as a web service or database application.
Advantages of HIDS
HIDS can detect attacks that cannot be seen by a NIDS. HIDS are unaffected by switched networks. When host-based IDSs operate at the OS level, they can help detect Trojan horses or other attacks that involve breaches; these appear as inconsistencies in process execution.
Disadvantages of HIDS
HIDS are harder to manage. HIDS may be attacked and disabled as part of the attack. HIDS are not well suited for detecting network scans that target an entire network. Host-based IDSs can be disabled by certain denial-of-service attacks. They require additional local storage on the system and impose a performance cost on the monitored systems.
NIDS Vs HIDS
IDS Sensors
IDS Management
- Maintenance
- Tuning
- Detection Accuracy
Benefits
1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised.
2. Monitoring and analysis of system events and user behaviors.
3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.
Limitations
1. Noise can severely limit an IDS's effectiveness.
2. It is not uncommon for the number of real attacks to be far below the false-alarm rate.
3. Many attacks are prepared for specific versions of software that are usually outdated, and may go undetected.
Firewall Vs IDS
A firewall cannot detect security breaches associated with traffic that does not pass through it, and not all access to the Internet occurs through the firewall. A firewall does not inspect the content of the permitted traffic as an IDS does. A firewall is more likely to be attacked than an IDS.
IDS Challenges
1. Tools Used in Attacks
2. Social Engineering
3. IDS Scalability in Large Networks
4. Vulnerabilities in Operating Systems
5. Limits in Network Intrusion Detection Systems
6. Signature-Based Detection
7. Over-Reliance on IDS
Conclusion