Lecture 13: IPS/IDS

The document provides an overview of Intrusion Prevention Detection Systems (IDPS), detailing types of intruders, detection methods, and system classifications. It discusses host-based and network-based IDPS, their pros and cons, and the challenges associated with anomaly-based detection methods, including false positives and negatives. The content emphasizes the importance of monitoring and responding to unauthorized access attempts to enhance computer security.

Intrusion Prevention Detection System

Ali Ahmad Siddiqui


Welcome!!
Introduction to Computer Security
Intruder
• A person or attacker who attempts to breach the security of the network to gain unauthorized access to the data
• Generally referred to as a hacker
Classes of Intruders
Masquerader:
• An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account
• Likely to be an outsider

Misfeasor:
• A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges
• Generally an insider
Intrusion Detection
• A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner
• An IDS detects activity in traffic that may or may not be an intrusion
IDPS Classification
IDPS can be classified as follows:
Host-based
• Monitors the characteristics of a single host and the events occurring within that host for suspicious activity
• Host-based IDS are often critical in detecting internal attacks directed towards an organization’s servers such as DNS, mail, and web servers
• Examples: Cisco Security Agent (CSA), Tripwire
Network-based
• Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity
• Instead of analyzing information that originates and resides on a host, a network-based IDS uses packet sniffing techniques to pull data from TCP/IP packets or other protocols that are traveling along the network
• Examples: Cisco IDS 4200 series, IBM RealSecure Network, Snort
Comparison
Host Based:
• Narrow in scope (watches only specific host activities)
• More complex setup
• Better for detecting attacks from the inside
• More expensive to implement
• Does not see packet headers
• OS-specific
• Detects local attacks before they hit the network
Network Based:
• Broad in scope (watches all network activities)
• Easier setup
• Better for detecting attacks from the outside
• Less expensive to implement
• Examines packet headers
• OS-independent
• Detects network attacks as payload is analyzed
Passive Systems
• Detects a potential security breach
• Logs the information
• Signals an alert on the console
• Does not take any preventive measures to stop the attack
Reactive/Active Systems (IPS)
• Responds to the suspicious activity like a passive IDS, by logging, alerting and recording, but offers the additional ability to take action against the offending traffic
Types of Detection Methods
The two common approaches are:
• Signature based
• Anomaly based
Signature Based:
• Monitors network or server traffic and matches bytes or packet sequences against a set of predetermined attack lists or signatures.
• Should a particular intrusion or attack session match a signature configured on the IDS, the system alerts administrators or takes other pre-configured action.
• New vulnerabilities and exploits will not be detected until administrators develop new signatures.
Anomaly Based:
• Involves the collection of data relating to the behavior of legitimate users over a period of time.
• Uses a type of statistical calculation to determine whether current traffic deviates from “normal” traffic, which is either learned and/or specified by administrators.
• If network anomalies occur, the IDS alerts administrators.
• A new attack for which a signature doesn’t exist can be detected if it falls outside the “normal” traffic patterns.
Issues with Anomaly Based IDS
False Negatives:
• When an IDS fails to detect an attack.
• False negatives occur when the pattern of traffic is not identified in the signature database, such as new attack patterns.
• False negatives are deceptive because you usually have no way of knowing if and when they occurred.
• You are most likely to identify false negatives when an attack is successful and wasn’t detected by the IDS.
False Positives:
• Described as a false alarm.
• When an IDS mistakenly reports certain “normal” network activity as malicious.
• Administrators have to fine tune the signatures or heuristics in order to prevent this type of problem.
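As an added example (not from these slides), the Python script below contrasts the two detection methods described earlier and then tallies the four outcomes named in this section. The signatures, the baseline connection counts, and the labelled request events are all constructed for illustration; the anomaly rule (mean plus three standard deviations of a learned baseline) is one simple statistical threshold of the kind the slides refer to, not a specific product's algorithm.

```python
import re
import statistics

# Constructed "training" data: connections per minute from one host during a
# quiet period. The anomaly detector learns what "normal" looks like from this.
BASELINE_CONNECTIONS_PER_MIN = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13]

# Constructed signature list: (name, pattern matched against the request line).
SIGNATURES = [
    ("sqli-union", re.compile(r"union\s+select", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]

def signature_match(request):
    """Signature-based check: first matching signature name, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(request):
            return name
    return None

def anomaly_threshold(baseline, k=3.0):
    """Anomaly-based check: learned threshold = mean + k * population stdev."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)

def is_anomalous(count, threshold):
    return count > threshold

# Constructed labelled events: (request line, connections this minute, truly malicious?).
EVENTS = [
    ("GET /index.html", 14, False),
    ("GET /search?q=1 UNION SELECT password FROM users", 13, True),  # known signature
    ("GET /../../etc/passwd", 12, True),                              # known signature
    ("GET /api/items?id=5", 300, True),    # novel flood: no signature, caught by anomaly rule
    ("GET /report.pdf", 40, False),        # legitimate batch job above threshold: false positive
    ("GET /login?u=admin'--", 12, True),   # novel injection, no signature, normal rate: false negative
]

def evaluate(events, baseline):
    """Run both detectors over the events and count TP/FP/FN/TN against the labels."""
    threshold = anomaly_threshold(baseline)
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for request, connections, malicious in events:
        alert = signature_match(request) is not None or is_anomalous(connections, threshold)
        key = ("tp" if malicious else "fp") if alert else ("fn" if malicious else "tn")
        counts[key] += 1
    return counts

if __name__ == "__main__":
    print("threshold:", anomaly_threshold(BASELINE_CONNECTIONS_PER_MIN))
    print(evaluate(EVENTS, BASELINE_CONNECTIONS_PER_MIN))  # {'tp': 3, 'fp': 1, 'fn': 1, 'tn': 1}
```

The false negative on the last event is exactly the deceptive case the slides describe: nothing is logged, so the miss is only visible once the attack's effects are noticed.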
Pros and Cons
Pros:
• Can detect external hackers as well as internal network-based attacks
• Scales easily to provide protection for the entire network
• Offers centralized management for correlation of distributed attacks
• Provides defense in depth
• Gives administrators the ability to quantify attacks
• Provides an additional layer of protection

Cons:
• Generates false positives and negatives
• Reacts to attacks rather than preventing them
• Requires full-time monitoring and highly skilled staff dedicated to interpreting the data
• Requires a complex incident response process
• Cannot monitor traffic at higher network traffic rates
• Generates an enormous amount of data to be analyzed
• Cannot deal with encrypted network traffic
• It is expensive
Thank you