IDS Final Presentation

Apr 08, 2018

Bryan Ascher
Transcript
  • 8/7/2019 IDS Final Presentation

    Slide 1/21

    Intrusion Detection Systems (IDS)

    - Different types
    - Detection methods
    - Types of attacks

  • Slide 2/21

    What's an IDS?

    - Detects and identifies unauthorized or unusual activity on a system
    - Monitors system and network resources and activities, uses the information gathered from those sources, and notifies administrators when it identifies a possible intrusion
    - While a firewall only protects the point of entry, an IDS can help identify who broke in, where they are and what they are doing

  • Slide 3/21

    Two types

    - 1. Host-based IDS (HIDS)
      Runs on, and monitors, a single computer
      Able to pinpoint compromised files and processes
      Disadvantages:
        Unable to detect network-only attacks, or attacks on other systems
        Easier for an attacker who has compromised the host to locate the IDS software and disable or tamper with it
        Performance of the monitored computer is reduced
        Costly to manage, since every monitored host needs its own agent

  • Slide 4/21

    - 2. Network-based IDS (NIDS)
      Detects attacks by capturing and evaluating network packets
      Installed on a single-purpose computer:
        Hardened against attacks, which reduces the number of vulnerabilities
        Allows stealth-mode operation (the monitoring interface carries no IP address, so the sensor is invisible to the attacker)
      Disadvantages:
        Hard to keep up with high-volume networks
        Unlike a host-based IDS, it can only tell that an attack was attempted or is in progress, not whether it succeeded on the target
        False alarms, and requires significant management

  • Slide 5/21

    Two methods

    - 1. Knowledge-based
      Also known as signature-based or pattern-matching detection
      Functions much like antivirus software
      Only able to detect attacks it already knows; the signature file must be kept up to date

  • Slide 6/21

    - 2. Behavior-based IDS
      Also called statistical intrusion detection, anomaly detection or heuristics-based detection
      Learns normal activity through watching and learning
      Can detect abnormal and possibly malicious activity by comparing it against the learned normal activity
      Sometimes classified as an A.I. or expert system
      Disadvantages:
        Many false alarms
        Takes a long time to establish a baseline of normal activity
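The two methods from slides 5 and 6 side by side, as an added example (it is not code from the presentation). Both detectors run over a constructed web-server log; the log format ("<client ip> <minute> <request line>"), the two signatures and the 3-sigma threshold are assumptions chosen for the demonstration.

```python
"""Knowledge-based (signature) and behavior-based (anomaly) detection side by side.

Added example, not from the presentation. The log format, the signatures and the
threshold are assumptions for the demonstration.
"""
import re
import statistics
from collections import Counter

# Constructed log: minutes 0-4 are quiet traffic used to learn the
# baseline, minute 5 carries two known attacks and one request flood.
SAMPLE_LOG = """\
10.0.0.5 0 GET /index.html
10.0.0.7 0 GET /about.html
10.0.0.5 1 GET /products?id=4
10.0.0.8 1 GET /index.html
10.0.0.7 2 GET /contact.html
10.0.0.5 2 GET /cart
10.0.0.8 3 GET /products?id=9
10.0.0.7 3 GET /index.html
10.0.0.5 4 GET /checkout
10.0.0.8 4 GET /about.html
203.0.113.9 5 GET /products?id=4%20UNION%20SELECT%20password%20FROM%20users
203.0.113.9 5 GET /../../etc/passwd
198.51.100.3 5 GET /index.html
198.51.100.3 5 GET /index.html
198.51.100.3 5 GET /index.html
198.51.100.3 5 GET /index.html
198.51.100.3 5 GET /index.html
198.51.100.3 5 GET /index.html
"""

# Knowledge-based: the "signature file". It only knows these two attacks.
SIGNATURES = [
    ("sql-injection", re.compile(r"union(\s|%20)+select", re.I)),
    ("path-traversal", re.compile(r"\.\./|%2e%2e%2f", re.I)),
]


def parse_log(text):
    """Return a list of (ip, minute, request) tuples."""
    out = []
    for line in text.splitlines():
        ip, minute, request = line.split(" ", 2)
        out.append((ip, int(minute), request))
    return out


def signature_detect(records):
    """Flag every request that matches a known signature: (ip, signature name, request)."""
    return [(ip, name, req) for ip, _, req in records
            for name, pat in SIGNATURES if pat.search(req)]


def learn_baseline(records, training_minutes):
    """Behavior-based, step 1: learn the normal per-client requests-per-minute rate."""
    counts = Counter((ip, m) for ip, m, _ in records if m in training_minutes)
    rates = list(counts.values())
    return statistics.mean(rates), statistics.pstdev(rates)


def anomaly_detect(records, baseline, minutes, sigma=3.0):
    """Behavior-based, step 2: flag (ip, minute, count) above mean + sigma * stdev.

    The stdev floor of 0.5 stops a perfectly flat baseline from flagging any
    client that sends two requests in one minute.
    """
    mean, stdev = baseline
    threshold = mean + sigma * max(stdev, 0.5)
    counts = Counter((ip, m) for ip, m, _ in records if m in minutes)
    return sorted((ip, m, n) for (ip, m), n in counts.items() if n > threshold)


def run_both(text):
    """Run both methods over the log; each catches what the other misses."""
    records = parse_log(text)
    baseline = learn_baseline(records, training_minutes=range(5))
    return {"signature": signature_detect(records),
            "anomaly": anomaly_detect(records, baseline, minutes={5})}


if __name__ == "__main__":
    for method, hits in run_both(SAMPLE_LOG).items():
        print(method, hits)
```

On this input the signature detector reports the SQL injection and the path traversal from 203.0.113.9 but says nothing about the six-request flood from 198.51.100.3, because no signature describes a flood. The anomaly detector flags the flood but not the two attack requests, because two requests in a minute is within what it learned as normal. That asymmetry is why the slides' "only detects attacks it already knows" and "many false alarms" both hold, and why real deployments run both methods.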

  • Slide 7/21

    Honey pots

    - An IDS tool used to lure intruders
    - Offers an attractive nuisance to attackers: a decoy host or service with no production purpose, so any traffic that reaches it is suspect
    - Attacks against the honey pot are made to seem successful in order to give administrators time to track the attacker without exposing production systems
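A minimal honey pot of the kind the slide describes, as an added example that is not part of the presentation. It listens on localhost, presents a fake SSH banner (the banner string is an assumption chosen to imitate a common server), records every connection and the first line the client sends, and never authenticates anything. Because no legitimate user has a reason to connect, every event it logs is worth investigating.

```python
"""A minimal TCP honey pot: a decoy service that logs whoever talks to it.

Added example, not from the presentation. The banner is an assumed decoy.
"""
import socket
import socketserver
import threading

FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"  # assumed decoy banner, imitates a common server


class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        peer_ip, peer_port = self.client_address
        with self.server.lock:
            self.server.events.append({"event": "connect", "src": peer_ip, "src_port": peer_port})
        # Look alive: send a plausible banner so the attacker's client keeps talking.
        self.request.sendall(FAKE_BANNER)
        self.request.settimeout(5)
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            data = b""
        with self.server.lock:
            self.server.events.append({
                "event": "client_hello",
                "src": peer_ip,
                "data": data.decode("ascii", "replace").strip(),
            })
        # Returning closes the connection; the attacker never reaches a real service.


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, host="127.0.0.1", port=0):
        super().__init__((host, port), HoneypotHandler)
        self.events = []            # what an analyst reviews later
        self.lock = threading.Lock()
        self._thread = threading.Thread(target=self.serve_forever, daemon=True)

    def start(self):
        self._thread.start()
        return self.server_address[1]  # port actually bound (0 asks the OS for a free one)

    def stop(self):
        self.shutdown()
        self.server_close()


def probe(port, hello=b"SSH-2.0-OpenSSH_8.9\r\n"):
    """Behave like an attacker's client: connect, read the banner, send a version line."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        banner = sock.recv(1024)
        sock.sendall(hello)
        while sock.recv(1024):   # drain until the honey pot closes the connection
            pass
    return banner


def demo():
    """Start the decoy, probe it once, stop it, and return what it recorded."""
    hp = Honeypot()
    port = hp.start()
    try:
        banner = probe(port)
    finally:
        hp.stop()
    return banner, hp.events


if __name__ == "__main__":
    banner, events = demo()
    print(banner, events)
```

The decoy records the source address and the client's own version string, which is exactly the "who" and "what they are doing" that slide 2 says an IDS should provide; in a real deployment the events would be shipped to the same console as the IDS alerts.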

  • Slide 8/21

    Types of attacks

    - Brute-force and dictionary
    - Denial of service
    - Spoofing
    - Man-in-the-middle
    - Spamming
    - Sniffers

  • Slide 9/21

    Brute-force and dictionary

    - A brute-force attack tries every possible combination of letters, numbers and symbols
      Passwords of 14 characters or fewer can be discovered within 7 days (a rule of thumb only: the real cost depends on how the password is hashed, the size of the character set and the attacker's hardware)
    - A dictionary attack attempts every password from a predefined list of common or expected words

  • Slide 10/21

    DoS

    - Denial-of-service attacks prevent systems from processing or responding to legitimate traffic or requests for resources and objects
      Can result in:
        System crashes
        Reboots
        Data corruption
        Blockage of service

  • Slide 11/21

    Spoofing & man-in-the-middle

    - Spoofing is when an intruder impersonates a legitimate identity, for example by presenting a stolen username and password to gain entry to a web site (the term also covers forged addresses, such as a faked source IP or MAC address)
      There, they assume the identity of a client and fool the server into transmitting controlled data
    - Man-in-the-middle, as discussed in class, happens when a malicious user gains a position between the two endpoints of an ongoing communication
      Able to collect logon credentials and change the content of the messages exchanged
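On a LAN the usual way to take the man-in-the-middle position is address spoofing: the attacker sends ARP replies claiming the gateway's IP address for its own MAC, so victims send their gateway traffic to the attacker. The detector below is an added example, not from the presentation; it mirrors what tools such as arpwatch do by remembering which MAC each IP was seen with and alerting when that binding changes. The ARP replies are constructed for the example.

```python
"""Detecting ARP spoofing, the LAN setup for a man-in-the-middle.

Added example, not from the presentation. The observed replies are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    gratuitous: bool = False  # unsolicited announcement; attackers use these to poison caches


# Constructed observation stream: normal bindings, then an attacker
# (MAC de:ad:be:ef:00:ee) claiming the gateway 192.168.1.1 and a host .20,
# then the real gateway answering again (a "flip-flop").
OBSERVED = [
    ArpReply("192.168.1.1", "00:11:22:33:44:01"),
    ArpReply("192.168.1.20", "00:11:22:33:44:20"),
    ArpReply("192.168.1.21", "00:11:22:33:44:21"),
    ArpReply("192.168.1.1", "00:11:22:33:44:01"),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:ee", gratuitous=True),
    ArpReply("192.168.1.20", "de:ad:be:ef:00:ee", gratuitous=True),
    ArpReply("192.168.1.1", "00:11:22:33:44:01"),
]


class ArpWatcher:
    """Keeps the last MAC seen for each IP, and every IP each MAC has ever claimed."""

    def __init__(self):
        self.bindings = {}              # ip -> mac most recently seen
        self.claimed = defaultdict(set)  # mac -> set of ips it has answered for
        self.alerts = []

    def observe(self, reply):
        """Record one ARP reply; return an alert dict if the IP's MAC changed."""
        self.claimed[reply.sender_mac].add(reply.sender_ip)
        known = self.bindings.get(reply.sender_ip)
        self.bindings[reply.sender_ip] = reply.sender_mac
        if known is None or known == reply.sender_mac:
            return None
        alert = {"ip": reply.sender_ip, "old_mac": known,
                 "new_mac": reply.sender_mac, "gratuitous": reply.gratuitous}
        self.alerts.append(alert)
        return alert

    def macs_claiming_multiple_ips(self):
        """One MAC answering for several IPs is the footprint of a host poisoning many victims."""
        return {mac: ips for mac, ips in self.claimed.items() if len(ips) > 1}


def run(observations):
    watcher = ArpWatcher()
    for reply in observations:
        watcher.observe(reply)
    return watcher


if __name__ == "__main__":
    w = run(OBSERVED)
    for a in w.alerts:
        print(a)
    print(w.macs_claiming_multiple_ips())
```

Three alerts come out: the attacker taking over 192.168.1.1, the attacker taking over 192.168.1.20, and the real gateway reasserting itself, which is the flip-flop pattern that most strongly suggests spoofing rather than a legitimate change. This is a behavior-based check with the false-positive profile slide 6 warns about: a replaced network card or a DHCP reassignment also changes a binding, so the alert needs an analyst's confirmation.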

  • Slide 12/21

    Spamming & sniffer attacks

    - Spamming describes unwanted email, newsgroup or discussion-forum messages
      Can carry viruses or Trojan horses
      Not as much of a threat as DoS
    - A sniffer, or snooping, attack is any activity that results in a malicious user getting hold of information about a network by duplicating the contents of packets traveling over the network medium into a file
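What a sniffer actually gets from the copied packets, as an added example that is not from the presentation. It hand-builds one Ethernet/IPv4/TCP frame carrying an FTP login (constructed bytes, the way a capture file would hold them), decodes the headers with struct, and pulls the cleartext credentials out of the payload. Checksums are left at zero because a sniffer only reads; the port-to-service table is an assumption for the example.

```python
"""What a sniffer sees: decoding a captured frame and extracting cleartext credentials.

Added example, not from the presentation. The frames are constructed.
"""
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3"}  # assumed table


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums zero: a sniffer never verifies them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def decode_frame(frame):
    """Parse Ethernet, IPv4 and TCP headers; return addresses, ports and payload, or None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4              # header length in bytes
    if ip[9] != IPPROTO_TCP:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4     # TCP header length in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": tcp[data_offset:]}


def extract_credentials(decoded):
    """Pull USER/PASS from an FTP- or POP3-style cleartext payload, if present."""
    if decoded is None or decoded["dport"] not in CLEARTEXT_PORTS:
        return None
    found = {}
    for line in decoded["payload"].decode("ascii", "replace").splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            found["user"] = arg
        elif cmd.upper() == "PASS":
            found["password"] = arg
    return found or None


def sniff(frames):
    """Run over a list of frames the way a sniffer runs over a capture; return findings."""
    findings = []
    for frame in frames:
        decoded = decode_frame(frame)
        creds = extract_credentials(decoded)
        if creds:
            findings.append({"src": decoded["src"], "dst": decoded["dst"],
                             "service": CLEARTEXT_PORTS[decoded["dport"]], **creds})
    return findings


# Constructed capture: one FTP login, and one packet to 443 whose payload is TLS and stays opaque.
CAPTURE = [
    build_frame("10.0.0.5", "10.0.0.9", 40001, 21, b"USER alice\r\nPASS hunter2\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 40002, 443, b"\x16\x03\x01\x00\x05hello"),
]

if __name__ == "__main__":
    print(sniff(CAPTURE))
```

The FTP login yields the user name and password directly; the packet on port 443 decodes just as easily down to the TCP payload, but that payload is encrypted, so the sniffer learns only who talked to whom. That is the practical defence against this attack class: an IDS can alert on Telnet or FTP appearing on the wire, but only encryption keeps the contents out of the copied packets.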

  • Slide 13/21

    Intrusion Prevention Systems (IPS)

    - Difference between IDS & IPS
    - Types of products

  • Slide 14/21

    (Diagram with the labels "Your System" and "Your Network")

  • Slide 15/21

    IPS functionality

    - 1. Drop attacks
      Drop/block a single packet, session or traffic flow during an attack
    - 2. Terminate session
      Ability to stop/terminate applications that are vulnerable to attack
    - 3. Modify firewall policies
      Temporarily change the user-specified access-control policy
      Real-time alteration of the system
    - 4. Generate alerts
      Alert the user of an attack
    - 5. Log packets
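The five functions above as one inline enforcement point, as an added example that is not from the presentation and models no particular product. Because an inline IPS sits in the traffic path, it can act on a verdict instead of only reporting it. The packet structure, the single signature and the 60-second block are assumptions for the demonstration; a real IPS would also send TCP resets to tear the session down.

```python
"""An inline IPS: drop, terminate, modify policy, alert, log.

Added example; not from the presentation. Packet layout, signature and
block duration are assumptions made for the demonstration.
"""
import re
import time
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed traffic: one normal client, then an attacker whose second
# request is harmless but arrives while its temporary block is still active.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", 80, b"GET /index.html"),
    Packet("203.0.113.9", "10.0.0.9", 80, b"GET /../../etc/passwd"),
    Packet("203.0.113.9", "10.0.0.9", 80, b"GET /index.html"),
]


@dataclass
class InlineIPS:
    block_seconds: float = 60.0
    clock: callable = time.monotonic                  # injectable so expiry can be exercised
    signature: re.Pattern = re.compile(rb"\.\./|union\s+select", re.I)
    blocked_until: dict = field(default_factory=dict)  # 3. temporary firewall rules: src -> expiry
    terminated: set = field(default_factory=set)       # 2. sessions (src, dst, dport) torn down
    alerts: list = field(default_factory=list)         # 4. alerts raised
    log: list = field(default_factory=list)            # 5. per-packet log

    def process(self, pkt):
        """Return 'drop' or 'forward' for one packet, updating state the way an IPS would."""
        now = self.clock()
        # Temporary policy changes expire on their own; nothing stays blocked forever.
        self.blocked_until = {s: t for s, t in self.blocked_until.items() if t > now}
        if pkt.src in self.blocked_until:
            self.log.append((now, pkt.src, "drop", "source temporarily blocked"))
            return "drop"
        if self.signature.search(pkt.payload):
            self.terminated.add((pkt.src, pkt.dst, pkt.dport))      # 2. terminate the session
            self.blocked_until[pkt.src] = now + self.block_seconds  # 3. modify firewall policy
            self.alerts.append((now, pkt.src, "signature match"))   # 4. generate an alert
            self.log.append((now, pkt.src, "drop", pkt.payload))    # 5. log the packet
            return "drop"                                           # 1. drop the attack
        self.log.append((now, pkt.src, "forward", None))
        return "forward"


def replay(packets, ips):
    return [ips.process(p) for p in packets]


def demo():
    """Replay the sample with a fake clock, then advance it past the block's expiry."""
    fake_now = [0.0]
    ips = InlineIPS(block_seconds=60.0, clock=lambda: fake_now[0])
    verdicts = replay(SAMPLE, ips)
    fake_now[0] = 61.0
    after_expiry = ips.process(Packet("203.0.113.9", "10.0.0.9", 80, b"GET /index.html"))
    return verdicts, after_expiry, ips


if __name__ == "__main__":
    verdicts, after_expiry, ips = demo()
    print(verdicts, after_expiry, ips.alerts, ips.terminated)
```

The first packet is forwarded, the traversal attempt is dropped and triggers all of the other four actions, and the attacker's following harmless request is still dropped because the temporary firewall rule is in force; once the clock passes the expiry the same request is forwarded again. The expiry matters: the cost of a false positive on an inline device is denied service, which is the difference between an IDS alert you can ignore and an IPS action you cannot.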

  • Slide 16/21

  • Slide 17/21

    Products: Snort

    - An open-source IDS/IPS, originally written by Martin Roesch and developed by Sourcefire (acquired by Cisco in 2013).
    - Snort is the most widely deployed IDS/IPS technology in the world, with over 300,000 registered users.

  • Slide 18/21

    Products: AirMagnet Enterprise

    - A simple, scalable WLAN monitoring solution that enables any organization to proactively mitigate all types of wireless threats, enforce enterprise policies, prevent performance problems and audit the regulatory compliance of all their Wi-Fi access and users worldwide (vendor description).

  • Slide 19/21

    Products: Bro Intrusion Detection System

    - Another open-source, Unix-based network IDS that passively monitors network traffic and looks for suspicious activity. (The project was renamed Zeek later in 2018.)

  • Slide 20/21

    Products: Cisco IPS

    - Most widely deployed; protects against 30,000 known threats. It dynamically recognizes, evaluates and stops emerging Internet threats. Cisco IPS includes industry-leading research and the expertise of Cisco Security Intelligence. It also protects against directed attacks, worms, botnets, malware and application abuse (vendor description).

  • Slide 21/21

    Products: Strata Guard IDS/IPS

    - A high-speed intrusion detection/prevention system that gives real-time, zero-day protection from network attacks and malicious traffic: it prevents malware, spyware, port scans, viruses, DoS and DDoS from compromising hosts; prevents device and network outages and data leakage; and stops high-risk protocols such as BitTorrent, Kazaa and Telnet from running on your network (vendor description).