Seminar Report IDS

CONTENTS
Introduction
Definitions
What is intrusion?
What is an IDS?
Need for IDS
Who are attacked
How are they attacked
Types of IDS
Network based IDS
Host based IDS
Working of IDS
Anomaly detection
Signature recognition
NIDS fights back
Benefits of an IDS
IDS and Firewalls
Liitations of IDS
Conclusion
!eferences
www.seminarsTopics.com
Seminar Report IDS
"BST!"CT
Internet Information Ser!ices "IIS# web ser!ers $ which host web
pages and ser!e them to users $ are highly popular among business
organi%ations& with o!er ' million such ser!ers installed worldwide(
)nfortunately& IIS web ser!ers are also popular among hackers and
malicious fame*seekers $ as a prime target for attacks( As a result& e!ery so
often& new e+ploits emerge which endanger your IIS web ser!er,s integrity
and stability( -any administrators ha!e a hard time keeping up with the
!arious security patches released for IIS to cope with each new e+ploit&
making it easy for malicious users to find a !ulnerable web ser!er on the
Internet( Immediate Intrusion Detection suggests that all of these
!ulnerabilities the same system files& careful monitoring of these files
could pro!ide you with an ine+pensi!e form of real*time intrusion
detection( .he market is currently filled mostly by rule*based IDS
solutions aiming at detecting already known attacks by analysing traffic
flow and looking for known signatures( .his fact re/uires such IDS to be
under constant construction updating and modifying attack signatures and
re/uiring to pay considerable financial amount for support( 0n the other
hand it is possible to use anomaly based IDS solutions detecting not 1ust
known attacks but also unknown attacks and informing network engineers
about possible network problems or helping them to troubleshoot them(
.he market is currently filled mostly by rule*based IDS solutions aiming at
detecting already known attacks by analysing traffic flow and looking for
known signatures(
www.seminarsTopics.com 2
Seminar Report IDS
INT!OD#CTION
A correct firewall policy can minimi%e the e+posure of many
networks howe!er they are /uite useless against attacks launched from
within( Hackers are also e!ol!ing their attacks and network sub!ersion
methods( .hese techni/ues include email based .ro1an& stealth scanning
techni/ues& malicious code and actual attacks& which bypass firewall
policies by tunneling access o!er allowed protocols such as I3-4& H..4&
DNS& etc( Hackers are also !ery good at creating and releasing malware for
the e!er*growing list of application !ulnerabilities to compromise the few
ser!ices that are being let through by a firewall(
IDS arms your business against attacks by continuously monitoring
network acti!ity& ensuring all acti!ity is normal( If IDS detects malicious
acti!ity it responds immediately by destroying the attacker5s access and
shutting down the attack( IDS reads network traffic and looks for patterns
of attacks or signatures& if a signature is identified& IDS sends an alert to
the -anagement 3onsole and a response is immediately deployed(
www.seminarsTopics.com 6
Seminar Report IDS
DEFINITIONS
W$at is intrusion%
An intrusion is somebody attempting to break into or misuse your
system( .he word 7misuse7 is broad& and can reflect something se!ere as
stealing confidential data to something minor such as misusing your email
system for Spam(
W$at is an IDS%
An IDS is the real*time monitoring of network8system acti!ity and
the analysing of data for potential !ulnerabilities and attacks in progress(

Figure1: A NIDS De!ice

Intrusion Detection Systes is a topic that has recently garnered
much interest in the computer security community( In the last few years&
this interest le!el has spurred the de!elopment of a !ariety of approaches
to pro!iding IDS capabilities that are both reliable and low*impact in terms
of management or cost( When presented with different types of IDS one
might be tempted to assume that one approach or another was inherently
superior( In fact& the mi+ture of approaches used for IDS offers the security
analyst a uni/ue opportunity in terms of the synergies inherent in
combined techni/ues( Intrusion Detection Systems are like a burglar alarm
for your computer network( .hey detect unathori%ed access attempts( .hey
are the first line of defence for your computer systems(
www.seminarsTopics.com 9
Seminar Report IDS
NEED FO! IDS
W$o are attacked%
Internet Information Ser!ices "IIS# web ser!ers $ which host web
pages and ser!e them to users $ are highly popular among business
organi%ations& with o!er ' million such ser!ers installed worldwide(
)nfortunately& IIS web ser!ers are also popular among hackers and
malicious fame*seekers $ as a prime target for attacks:
As a result& e!ery so often& new e+ploits emerge which endanger
your IIS web ser!er,s integrity and stability( -any administrators ha!e a
hard time keeping up with the !arious security patches released for IIS to
cope with each new e+ploit& making it easy for malicious users to find a
!ulnerable web ser!er on the Internet( .here are multiple issues which can
completely endanger your Web ser!er $ and possibly your entire corporate
network and reputation(
4eople fell there is nothing on their system that anybody would
want( ;ut what they are unaware of is that& there is the issue of legal
liability( <ou are potentially liable for damages caused by a hacker using
your machine( <ou must be able to pro!e to a court that you took
7reasonable7 measures to defend yourself from hackers( =or e+ample&
consider if you put a machine on a fast link "cable modem or DS># and left
administrator8root accounts open with no password( .hen if a hacker
breaks into that machine& then uses that machine to break into a bank& you
may be held liable because you did not take the most ob!ious measures in
securing the machine(
www.seminarsTopics.com ?
Seminar Report IDS
&ow are t$ey attacked%
An intruder normally hacks into your system only after he has
carefully accessed you and your security and he attacks you in a systematic
way to cause ma+imum damage( .he normal steps towards intrusion are@
Outside reconnaissance' .he intruder will find out as much as possible
without actually gi!ing himself away( .hey will do this by finding public
information or appearing as a normal user( In this stage& you really can5t
detect them( .he intruder will do a 5whois5 lookup to find as much
information as possible about your network as registered along with your
Domain Name "such as foobar(com( .he intruder might walk through your
DNS tables "using 5nslookup5& 5dig5& or other utilities to do domain transfers#
to find the names of your machines( .he intruder will browse other public
information& such as your public web sites and anonymous =.4 sites( .he
intruder might search news articles and press releases about your company(
Inside reconnaissance' .he intruder uses more in!asi!e techni/ues to
scan for information& but still doesn5t do anything harmful( .hey might
walk through all your web pages and look for 3AI scripts "3AI scripts are
often easily hacked#( .hey might do a 5ping5 sweep in order to see which
machines are ali!e( .hey might do a )D48.34 scan8strobe on target
machines in order to see what ser!ices are a!ailable( .hey5ll run utilities
like 5rcpinfo5& 5showmount5& 5snmpwalk5& etc( in order to see what5s
a!ailable( At this point& the intruder has done 5normal5 acti!ity on the
network and has not done anything that can be classified as an intrusion( At
this point& a NIDS will be able to tell you that 7somebody is checking door
handles7& but nobody has actually tried to open a door yet(
E(ploit' .he intruder crosses the line and starts e+ploiting possible holes
in the target machines( .he intruder may attempt to compromise a 3AI
www.seminarsTopics.com '
Seminar Report IDS
script by sending shell commands in input fields( .he intruder might
attempt to e+ploit well*known buffer*o!errun holes by sending large
amounts of data( .he intruder may start checking for login accounts with
easily guessable "or empty# passwords( .he hacker may go through se!eral
stages of e+ploits( =or e+ample& if the hacker was able to access a user
account& they will now attempt further e+ploits in order to get root8admin
access(
Foot $old' At this stage& the hacker has successfully gained a foot hold in
your network by hacking into a machine( .he intruder5s main goal is to
hide e!idence of the attacks "doctoring the audit trail and log files# and
make sure they can get back in again( .hey may install 5toolkits5 that gi!e
them access& replace e+isting ser!ices with their own .ro1an horses that
ha!e backdoor passwords& or create their own user accounts( System
Integrity Berifiers "SIBs# can often detect an intruder at this point by
noting the changed system files( .he hacker will then use the system as a
stepping stone to other systems& since most networks ha!e fewer defenses
from inside attacks(
)rofit' .he intruder takes ad!antage of their status to steal confidential
data& misuse system resources "i(e( stage attacks at other sites from your
site#& or deface web pages(
www.seminarsTopics.com C
Seminar Report IDS
T*)ES OF IDS
.here are two primary types of IDS@
Network +ased IDS
A Network Intrusion Detection system "NIDS# transparently
monitors network traffic& looking for patterns indicati!e of an attack on a
computer or network de!ice( ;y e+amining the network traffic& a network
based intrusion detection system can detect suspicious acti!ity such as a
port scan or Denial of Ser!ice "D0S# attacks(
A NID monitors the network traffic it has access to& by comparing
the data in the .348I4 packet to a database of attack signatures( In a
network en!ironment& it can see packets to and from the system"s# that it
monitors( In a switched en!ironment& it can see packets coming to and
from the system"s# that it monitors& pro!iding it can see all data traffic on
the ports that connect to the systems( 0nce a NIDS detects an attack& the
following actions may be taken@
Send email notification
Send an SN-4 trap to a network management system
Send a page "to a pager#
;lock a .34 connection
Dill a .34 connection
Run a user defined script
In general terms a NID will be deployed on a D-E( .his assumes
that you ha!e a firewall in place and that you ha!e a D-E configured(
When deployed behind the firewalls& the NID will detect attacks from
www.seminarsTopics.com F
Seminar Report IDS
protocols and sources allowed through the firewall and from internal users(
;y taking an action& such as sending an SN-4 trap or a page& it can alert
network staff that an attack is in progress and enable them to make
decisions based on the nature of the attack( It is recommended that the IDS
is used for detection and alerting only and not for proacti!e defence i(e(
killing8blocking .34 connections as this can often cause more problems(

Figure 2: NIDS "Network Intrusion Detection System
&ost +ased IDS
In most cases& a Host Intrusion Detection System "HIDS#
component is made up of two parts@ a centralised manager and a ser!er
agent( .he manager is used to administer and store policies& download
policies to agents and store information recei!ed by agents( .he agent is
installed onto each ser!er and registered with the manager( Agents use
policies to detect and respond to specific e!ents and attacks( An e+ample of
a policy would be an agent that sends an SN-4 trap when three concurrent
logins as root ha!e failed on a )NIG ser!er( System logs and processes are
also monitored to see if any actions that !iolate the policy ha!e occurred( If
a policy has been !iolated& the agent will take a predefined action such as
sending an email or sending a SN-4 trap to a network management
system( Host based intrusion detection system may further be di!ided into
System integrity verifiers (SIV): monitors system files to find when a
intruder changes them "thereby lea!ing behind a backdoor#( .he most
www.seminarsTopics.com H
Seminar Report IDS
famous of such systems is 7.ripwire7( A SIB may watch other components
as well& such as the Windows registry and chron configuration& in order to
find well known signatures( It may also detect when a normal user
somehow ac/uires root8administrator le!el pri!ileges( -any e+isting
products in this area should be considered more 7tools7 than complete
7systems7@ i(e( something like 7.ripwire7 detects changes in critical system
components& but doesn5t generate real*time alerts upon an intrusion(
Log file monitors (LFM): monitor log files generated by network ser!ices(
In a similar manner to NIDS& these systems look for patterns in the log
files that suggest an intruder is attacking( A typical e+ample would be a
parser for H..4 ser!er log files that looking for intruders who try well*
known security holes& such as the 7phf7 attack( I+ample@ swatch
www.seminarsTopics.com J

Figure 3: 4lacement of HIDS and NIDS

Seminar Report IDS
WO!,IN- OF IDS
Anomaly detection
.he most common way people
approach network intrusion detection is to
detect statistical anomalies( .he idea
behind this approach is to measure a
7baseline7 of such stats as 34) utili%ation&
disk acti!ity& user logins& file acti!ity& and
so forth( .hen& the system can trigger when
there is a de!iation from this baseline(
.he benefit of this approach is that it can
detect the anomalies without ha!ing to
understand the underlying cause behind the anomalies(
=or e+ample& let5s say that you monitor the traffic from indi!idual
workstations( .hen& the system notes that at 2am& a lot of these
workstations start logging into the ser!ers and carrying out tasks( .his is
something interesting to note and possibly take action on(
Signature recognition
.he ma1ority of commercial products are based upon e+amining the
traffic looking for well*known patterns of attack( .his means that for e!ery
hacker techni/ue& the engineers code something into the system for that
techni/ue(
www.seminarsTopics.com

Figure4@ Steps in IDS

Seminar Report IDS
.his can be as simple as a pattern match( .he classic e+ample is to
e+ample e!ery packet on the wire for the pattern 78cgi*bin8phf?7& which
might indicate somebody attempting to access this !ulnerable 3AI script
on a web*ser!er( Some IDS systems are built from large databases that
contain hundreds "or thousands# of such strings( .hey 1ust plug into the
wire and trigger on e!ery packet they see that contains one of these strings(
.raffic consists of I4 datagrams flowing across a network( A NIDS
is able to capture those packets as they flow by on the wire( A NIDS
consists of a special .348I4 stack that reassembles I4 datagrams and .34
streams( It then applies some of the following techni/ues@
Protocol stac verification @ A number of intrusions& such as 74ing*0*
Death7 and 7.34 Stealth Scanning7 use !iolations of the underlying I4&
.34& )D4& and I3-4 protocols in order to attack the machine( A simple
!erification system can flag in!alid packets( .his can include !alid& by
suspicious& beha!ior such as se!erally fragmented I4 packets(
!""lication "rotocol verification@ A number of intrusions use in!alid
protocol beha!ior& such as 7WinNuke7& which uses in!alid Net;I0S
protocol "adding 00; data# or DNS cache poisoning& which has a !alid&
but unusually signature( In order to effecti!ely detect these intrusions& a
NIDS must re*implement a wide !ariety of application*layer protocols in
order to detect suspicious or in!alid beha!ior(
#reating ne$ logga%le events: A NIDS can be used to e+tend the auditing
capabilities of your network management software( =or e+ample& a NIDS
can simply log all the application layer protocols used on a machine(
Downstream e!ent log systems "WinN. I!ent& )NIG syslog& SN-4
www.seminarsTopics.com 2
Seminar Report IDS
.RA4S& etc(# can then correlate these e+tended e!ents with other e!ents on
the network(
NIDS fig$ts +ack
0nce intrusion has been detected NIDS reacts by performing the
following tasks@
&econfigure fire$all
3onfigure the firewall to filter out the I4 address of the intruder(
Howe!er& this still allows the intruder to attack from other addresses(
3heckpoint firewall5s support a 7Suspicious Acti!ity -onitoring 4rotocol
"SA-4#7 for configuring firewalls( 3heckpoint has their 704SI37
standard for re*configuring firewalls to block the offending I4 address(
#'ime
;eep or play a (WAB file( =or e+ample& you might hear a recording
7<ou are under attack7(
S(MP )ra"
Send an SN-4 .rap datagram to a management console like H4
0penBiew& .i!oli& 3abletron Spectrum& etc(
() *vent
Send an e!ent to the WinN. e!ent log(
syslog
Send an e!ent to the )NIG syslog e!ent system(
www.seminarsTopics.com 6
Seminar Report IDS
sen+ e,mail
Send e*mail to an administrator to notify of the attack(
"age
4age "using normal pagers# the system administrator(
Log t'e attac
Sa!e the attack information "timestamp& intruder I4 address& !ictim
I4 address8port& protocol information#(
Save evi+ence
Sa!e a tracefile of the raw packets for later analysis(
Launc' "rogram
>aunch a separate program to handle the e!ent(
)erminate t'e )#P session
=orge a .34 =IN packet to force a connection to terminate
www.seminarsTopics.com 9
Seminar Report IDS
BENEFITS OF "N IDS
In today,s corporate market& the ma1ority of businesses consider the
Internet as a ma1or tool for communication with their customers& business
partners and the corporate community( .his mentality is here to stayK as a
result businesses need to consider the risks associated with using the
Internet as communication tool& and the methods a!ailable to them to
mitigate these risks( -any businesses are already aware of the types of
risks that they are facing& and ha!e implemented measures such as
=irewalls& Birus detection software& access control mechanisms etc(
Howe!er it is all too apparent that although these measures may deter the
Lhobby hackerM& the real danger and threat comes from the Ldetermined
hackerM( .he determined hacker is 1ust that LdeterminedM and they will find
a way of penetrating your system& sometimes for malicious intent but
mostly because they can and it is a test of skills( Whilst the abo!e
mentioned tools are pre!entati!e measures& an IDS is more of an analysis
tool& that will gi!e you the following information@
Instance of attack
-ethod of attack
Source of attack
Signature of attack
.his type of information is becoming increasingly important when
trying to design and implement the right security programme for an
organisation( Although some of this information can be found in de!ices
such as =irewalls and access control systems as they all contain log
information on system acti!ity In these instances the onus is on the
administrator to check the logs to determine if an attempted attack has
occurred or after the e!ent find out when the attack occurred and the
www.seminarsTopics.com ?
Seminar Report IDS
source of the attack( )sually information pertaining to the method of the
attack and the signature of the attack cannot be found in the logs( .his is
because de!ices such as =irewalls are designed to check the I4 packet
header information and not the payload portion of the I4 packet(
An IDS will check the payload of the packet to determine if the
pattern of data held within& matches that of a known attack signature( .he
benefits of the abo!e information are as follows@
Instance of attac' An IDS will alert when an attack is in progress& this
gi!es you the benefit of counteracting the attack as it happens& without
ha!ing to go through lengthy logs to find out when this particular attack
occurred(
Met'o+ of attac' An IDS will let you know what area of your network
or
system on your network is under attack and how it is being attacked( .his
enables you to react accordingly and hopefully limit the damage of the
attack by i(e( disabling communications to these systems(
Source of attac' An IDS will let you know the source of an attack& it is
then down to the administrator to determine if it is a legitimate source( ;y
determining the legitimacy of the source the administrator is able to
determine if he8she can disable communications from this source(
Signature of attac' An IDS will identify the nature of the attack& and the
pattern of the attack and alert accordingly( .his information alerts the
organi%ation to the types of !ulnerabilities that they are susceptible to and
permits them to take precautions accordingly(
www.seminarsTopics.com '
Seminar Report IDS
.he abo!e information allows an organisation to@
;uild a !ulnerability profile of their network and the re/uired
precautions(
4lan its corporate defence strategy
;udget for security e+penditure
IDS and Firewalls
A common misunderstanding is that firewalls recogni%e attacks and
block them( .his is not true(
=irewalls are simply a de!ice that shuts off e!erything& then turns
back on only a few well*chosen items( In a perfect world& systems would
already be 7locked down7 and secure& and firewalls would be unneeded(
.he reason we ha!e firewalls is precisely because security holes are left
open accidentally( .hus& when installing a firewall& the first thing it does is
stops A>> communication( .he firewall administrator then carefully adds
7rules7 that allow specific types of traffic to go through the firewall( =or
e+ample& a typical corporate firewall allowing access to the Internet would
stop all )D4 and I3-4 datagram traffic& stops incoming .34 connections&
but allows outgoing .34 connections( .his stops all incoming connections
from Internet hackers& but still allows internal users to connect in the
outgoing direction(
A firewall is simply a fence around you network& with a couple of
well chosen gates( A fence has no capability of detecting somebody trying
to break in "such as digging a hole underneath it#& nor does a fence know if
www.seminarsTopics.com C
Seminar Report IDS
somebody coming through the gate is allowed in( It simply restricts access
to the designated points(
In summary& a firewall is not the dynamic defensi!e system that
users imagine it to be( In contrast& an IDS is much more of that dynamic
system( An IDS does recogni%e attacks against the network that firewalls
are unable to see(
=or e+ample& in April of HHH& many sites were hacked !ia a bug in
3old=usion( .hese sites all had firewalls that restricted access only to the
web ser!er at port FJ( Howe!er& it was the web ser!er that was hacked(
.hus& the firewall pro!ided no defense( 0n the other hand& an intrusion
detection system would ha!e disco!ered the attack& because it matched the
signature configured in the system(
Another problem with firewalls is that they are only at the boundary
to your network( Roughly FJN of all financial losses due to hacking come
from inside the network( A firewall a the perimeter of the network sees
nothing going on insideK it only sees that traffic which passes between the
internal network and the Internet(
Some reasons for adding IDS to you firewall are@
Double*checks misconfigured firewalls(
3atches attacks that firewalls legitimate allow through "such as attacks
against web ser!ers#(
3atches attempts that fail(
3atches insider hacking(
www.seminarsTopics.com F
Seminar Report IDS
LI.IT"TIONS OF IDS
Network intrusion detection systems are unreliable enough that
they should be considered only as secondary systems designed to backup
the primary security systems(
4rimary systems such as firewalls& encryption& and authentication
are rock solid( ;ugs or misconfiguration often lead to problems in these
systems& but the underlying concepts are 7pro!ably7 accurate( .he
underlying concepts behind NIDS are not absolutely accurate( Intrusion
detection systems suffer from the two problems whereby normal traffic
causes many false positi!es "cry wolf#& and careful hackers can e!ade or
disable the intrusion detection systems( Indeed& there are many proofs that
show how network intrusion detection systems will ne!er be accurate(
.his doesn5t mean intrusion detection systems are in!alid( Hacking
is so per!asi!e on today5s networks that people are regularly astounded
when they first install such systems "both inside and outside the firewall#(
Aood intrusion detection systems can dramatically impro!e the security of
a site( It 1ust needs to be remembered that intrusion detection systems are
backup(
Switc$ed network /in$erent liitation0
Switched networks poses dramatic problems to network intrusion
detection systems( .here is no easy place to 7plug in7 a sensor in order to
see all the traffic( =or e+ample& somebody on the same switched fabric as
the 3I0 has free reign to attack the 3I05s machine all day long& such as
www.seminarsTopics.com H
Seminar Report IDS
with a password grinder targetting the =ile and 4rint sharing( .here are
some solutions to this problem& but not all of them are satisfactory(
!esource liitations
Network intrusion detection systems sit at centrali%ed locations on
the network( .hey must be able to keep up with& analy%e& and store
information generated by potentially thousands of machines( It must
emulate the combined entity of all the machines sending traffic through its
segment( 0b!iously& it cannot do this fully& and must take short cuts( Some
typical resource issues(
(et$or traffic loa+s
3urrent NIDS ha!e trouble keeping up with fully loaded segments(
.he a!erage website has a frame si%e of around FJ*bytes& which translates
to about ?J&JJJ packets8second on a JJ*mbps Ithernet( -ost IDS units
cannot keep up with this speed( -ost customers ha!e less than this& but it
can still occasionally be a concern(
)#P connections
IDS must maintain connection state for a large number of .34
connections( .his re/uires e+tensi!e amount of memory( .he problem is
e+acerbated by e!asion techni/ues& often re/uiring the IDS to maintain
connection information e!en after the client8ser!er ha!e closed it(
Long term state
A classic problem is 7slow scans7& where the attacker scans the
system !ery slowly( .he IDS is unable to store that much information o!er
that long a time& so is unable to match the data together(
www.seminarsTopics.com 2J
Seminar Report IDS
"ttacks against t$e NIDS
.he intrusion detection system itself can be attacked in the
following ways(
-lin+ t'e sensor
Network intrusion detection systems are generally built as 7passi!e
monitors7 from 30.S "commercial*off*the*shelf# computers( .he monitors
are placed alongside the networking stream& not in the middle( .his means
that if they cannot keep up with the high rates of traffic& they ha!e no way
to throttle it back( .hey must start dropping packets( Not only will the
sensor start dropping packets& high traffic rates can completely shut down
the sensor( .herefore& an intruder can attack the sensor by saturating the
link(
-lin+ t'e event storage (sno$ %lin+)
.he 5nmap5 port scanning tool contains a feature known as 7decoy7
scans( It scans using hundreds of spoofed source addresses as well as the
real I4 address of the attacker( It therefore becomes an improbable task for
the administrator to find disco!er which of the I4 addresses was real& and
which was one of the decoy addresses( Any attack can be built from the
same components( A massi!e attack with spoofed addresses can always
hide a real attack inserted somewhere inside( Administrators would be hard
pressed to disco!er the real attack inside of all that noise(
.hese two scenarios still retain forensics data& though( If the
attacker is suspected& the data is still there to find( Another attack is to fill
up e!ent storage( When the database fills up& no more attacks will be
www.seminarsTopics.com 2
Seminar Report IDS
disco!ered& or older attacks will be deleted( Iither way& no e!idence e+ists
anywhere that will point to the intruder(
Sim"le evasion
.his section describes simple e!asion tactics that fool basic
intrusion detection systems(
Fragmentation
=ragmentation is the ability to break up a single I4 packet into
multiple smaller packets( .he recei!ing .348I4 stack then reassembles the
data back again before forwarding the data back up to the application(
-ost intrusion detection systems do not ha!e the ability to reassemble I4
packets( .herefore& there e+ist simple tools that can auto*fragment attacks
in order to e!ade IDS(
Slo$ scans
;ecause of the !olume of traffic on the wire& NIDS ha!e difficulty
maintaining long*term traffic logs( It is therefore difficult to detect 7slow
scans7 "ping sweeps or port*scans# where intruders scan one port8address
e!ery hour(
#oor+inate+. lo$,%an+$i+t' attacs
Sometimes hackers get together and run a slow scan from multiple
I4 addresses( .his make it difficult for an intrusion detection system to
correlate the information(
!++ress s"oofing/"ro0ying
0ne goal of intrusion detection is to point fingers at who is
attacking you( .his can be difficult for a number of reasons( In 5Smurf5
attack& for e+ample& you recei!e thousands of replies from a packet that
www.seminarsTopics.com 22
Seminar Report IDS
you ne!er sent( .he NIDS can detect those replies& but cannot disco!er
who sent the forged packet(
www.seminarsTopics.com 26
Seminar Report IDS
CONCL#SION
As IDS technologies continue to e!ol!e& they will more closely
resemble their real*world counterparts( Instead of isolated sensor units& the
IDS of the future will consist of sensor units that report to master
!isuali%ation consoles which are responsible for checking whether alerts
from the sensors agree or correlate to likely e!ent*chains( In the future&
IDS& firewalls& B4Ns& and related security technologies will all come to
interoperate to a much higher degree( As IDS data becomes more
trustworthy because of better co!erage& firewalls and B4N administrators
will be more comfortable with reacting based on the input from the IDS(
.he current generation of IDS "HIDS and NIDS# are /uite effecti!e
alreadyK as they continue to impro!e they will become the backbone of the
more fle+ible security systems we e+pect to see in the not*too*distant
future(
www.seminarsTopics.com 29
Seminar Report IDS
!EFE!ENCES
www(iec(org
www(cisco(com8asiapac8security
www(securitymetrics(com
www(robertgraham(com8pubs8network*intrusion*detection(html
www(intrusion(com
www(seminarsonly(com
www.seminarsTopics.com 2?
Seminar Report IDS
www.seminarsTopics.com 2'