Documente Academic
Documente Profesional
Documente Cultură
1
Intrusion Detection Systems (IDSs) IDS Terminology
Alert or alarm
Detects a violation of its configuration and False negative
activates alarm False positive
Where should the alarm be sent? False attack stimulus
Noise
– Notify administrators directly of trouble via e-
e-mail True attack stimulus
or pagers
Confidence value
– Notify an external security service organization Alarm filtering
7 8
9 10
Signature-
Signature-Based IDS Statistical Anomaly-
Anomaly-Based IDS
Widely used because many attacks have clear and Requires much more overhead and processing capacity
11 12
2
Types of IDSs
IDSs operate as
– network-
network-based
– host-
host-based
– application-
application-based
13 14
Network-
Network-Based IDS (NIDS) NIDS Signature Matching
Resides on computer or appliance connected to To detect an attack, NIDSs look for attack patterns
segment of an organization’
organization’s network; looks for signs
stack:
When examining packets, a NIDS looks for attack
Good network design and placement of NIDS can Can become overwhelmed by network volume and fail to
enable organization to use a few devices to monitor
recognize attacks
large network Require access to all traffic to be monitored
– Having problems with certain switches
NIDSs are usually passive and can be deployed into
17 18
3
Host-
Host-Based IDS Advantages of HIDSs
Host-
Host-based Can detect local events on host systems and detect
detect when intruder creates, modifies, or attacks that may elude a network-
network-based IDS
deletes key system files or log files Functions on host system, where encrypted traffic will
Most HIDSs work on the principle of have been decrypted and is available for processing
19 20
Application-
Application-based IDS (AppIDS) examines application (database
Pose more management issues management systems, content management systems, accounting
systems, etc ) for abnormal events
Vulnerable both to direct attacks and attacks against
host operating system
AppIDS may be configured to intercept requests:
Does not detect multi-
multi-host scanning, nor scanning of
– File System
non-
non-host network devices
21 22
23 24
4
Deploying Network-
Network-Based IDSs
25 26
Deploying Host-
Host-Based IDSs Active Intrusion Prevention
30
5
Scanning and Analysis Tools (continued) Port Scanners
Fingerprinting: systematic survey of all of target Tools used by both attackers and defenders to identify
organization’
organization’s Internet addresses collected during the computers active on a network, and other useful
footprinting phase information
Fingerprinting reveals useful information about internal Can scan for specific types of computers, protocols, or
structure and operational nature of target system or resources, or their scans can be generic
network for anticipated attack
The more specific the scanner is, the better it can give
These tools are valuable to network defender since they attackers and defenders useful information
can quickly pinpoint the parts of the systems or
network that need a prompt repair to close the Example software: nmap
vulnerability
31 32
33 34
– XProbe
35 36
6
Vulnerability Scanners
37 38
Attack Toolkit
39 40
41 42
7
Packet Sniffers
45