
Intrusion Detection System Seminar Overview

The document discusses intrusion detection systems (IDS), including definitions, functions, benefits, types, and challenges. An IDS monitors network or system activity for malicious activity or policy violations and generates alerts. There are two main types: network-based IDSs monitor entire network traffic, while host-based IDSs monitor individual hosts. An IDS can use misuse detection to detect known attacks or anomaly detection to detect abnormal behavior. Placement of the IDS and the high rate of false alarms are ongoing challenges.

Uploaded by

anjoos86
Copyright
© Attribution Non-Commercial (BY-NC)

A SEMINAR ON INTRUSION DETECTION SYSTEM

DEFINITIONS

• What is intrusion?

• What is intrusion detection?

• What is intrusion detection system?


Functions of IDS
• Monitoring and analysis of user and system activity
• Auditing of system configurations and vulnerabilities
• Assessing the integrity of critical system and data files
• Recognition of activity patterns reflecting known attacks
• Statistical analysis for abnormal activity patterns
Benefits of intrusion detection
• Improving integrity of other parts of the information security infrastructure
• Improved system monitoring
• Tracing user activity from the point of entry to the point of exit or impact
• Recognizing and reporting alterations to data files
• Spotting errors of system configuration and sometimes correcting them
• Recognizing specific types of attack and alerting appropriate staff for defensive responses
• Keeping system management personnel up to date on recent corrections to programs
• Allowing non-expert staff to contribute to system security
• Providing guidelines in establishing information security policies
IDS taxonomy

An IDS can be classified along each of the following lines:
• Distributed or centralized
• Active or passive
• Real-time or periodical
• Misuse detection or anomaly detection
• Network, host or application
Process model for intrusion detection
• Information sources
• Analysis
• Response

Architecture
• The audit collection/storage unit
• The processing unit
• The alarm/response unit
Types of IDS

Network-based IDS
• The NIDS detects attacks by capturing and analyzing network packets.
• Network-based IDSs often consist of a set of single-purpose sensors or hosts placed at various points in a network.
NIDS

Advantages
• A NIDS can monitor a large network.
• Network-based IDSs can be made very secure against attack and even made invisible to many attackers.

Disadvantages
• They may fail to recognize an attack launched during periods of high traffic.
• Network-based IDSs cannot analyze encrypted information.
Host-Based IDS

• Host-based IDSs operate on information collected from within an individual computer system.
• Host-based IDSs normally utilize information sources of two types: operating system audit trails and system logs.
HIDS

Advantages
• It can detect attacks that cannot be seen by a network-based IDS.
• Host-based IDSs can often operate in an environment in which network traffic is encrypted.
• Host-based IDSs are unaffected by switched networks.

Disadvantages
• Host-based IDSs are harder to manage.
• Host-based IDSs reside on the host targeted by attacks, so the IDS may be attacked and disabled as part of the attack.
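The "assessing the integrity of critical system and data files" function listed under Functions of IDS, and the "recognizing and reporting alterations to data files" benefit, are typically done by a host-based IDS from inside the host. The following is an added example, not code from the seminar: a minimal file integrity monitor that records a SHA-256 baseline of watched files and later reports files that were modified or removed. The file names and contents are constructed in a temporary directory so the example runs offline.

```python
"""Minimal host-based file integrity check (added example, not from the seminar)."""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, str]:
    """Record the trusted hash of every monitored file (the 'known good' state)."""
    return {p: hash_file(p) for p in paths}


def check_integrity(baseline: Dict[str, str]) -> List[str]:
    """Compare the current state of each file to the baseline.

    Returns one alert string per deviation; an empty list means nothing changed.
    """
    alerts: List[str] = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append(f"MISSING  {path}")
            continue
        actual = hash_file(path)
        if actual != expected:
            alerts.append(
                f"MODIFIED {path} expected={expected[:12]} actual={actual[:12]}"
            )
    return alerts


def demo() -> List[str]:
    """Constructed scenario: baseline two files, then alter one and delete the other."""
    with tempfile.TemporaryDirectory() as workdir:
        accounts = os.path.join(workdir, "passwd")        # constructed sample file
        sshd_cfg = os.path.join(workdir, "sshd_config")   # constructed sample file
        with open(accounts, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(sshd_cfg, "w") as fh:
            fh.write("PermitRootLogin no\n")

        baseline = build_baseline([accounts, sshd_cfg])
        assert check_integrity(baseline) == []            # clean run: no alerts

        # Simulated alteration: a line is appended to one file, the other is removed.
        with open(accounts, "a") as fh:
            fh.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")
        os.remove(sshd_cfg)
        return check_integrity(baseline)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The baseline itself must be stored somewhere the monitored host cannot silently rewrite, for the same reason the slide gives under Disadvantages: a HIDS lives on the host it protects, so whatever it trusts can be altered by the same attack it is meant to detect.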
Application-Based IDS
• Application-based IDSs are a special subset of host-based IDSs that analyze the events transpiring within a software application.
Application-Based IDS

Advantages
• It can monitor the interaction between user and application.
• They can often work in encrypted environments.

Disadvantages
• Application-based IDSs may be more vulnerable.
• They often monitor events at the user level of abstraction, so they usually cannot detect Trojan horses.
IDS ANALYSIS

Misuse Detection
• Misuse detection is analysis that targets something known to be “bad”.
• The patterns corresponding to known attacks are called signatures, so misuse detection is sometimes called “signature-based detection.”
Advantages
• Misuse detectors are very effective at detecting attacks.
• Misuse detectors can quickly and reliably diagnose the use of a specific attack tool.
• Misuse detectors allow system managers to track security problems on their systems, initiating incident handling procedures.

Disadvantages
• Misuse detectors can only detect those attacks they know.
• They are designed to use tightly defined signatures, which prevents them from detecting variants of common attacks.
Anomaly Detection

• Anomaly detectors identify abnormal, unusual behaviour (anomalies) on a host or network.
• They function on the assumption that attacks are different from “normal” (legitimate) activity and can therefore be detected by systems that identify these differences.
Advantages
• It detects unusual behaviour.
• Anomaly detectors can produce information that can in turn be used to define signatures for misuse detectors.

Disadvantages
• They usually produce a large number of false alarms due to the unpredictable behaviours of users and networks.
• They often require extensive “training sets” of system event records in order to characterize normal behaviour patterns.
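The two analysis approaches above (Misuse Detection and Anomaly Detection) are easiest to compare when both run over the same data. The following is an added example, not code from the seminar: a signature matcher with two tightly defined patterns, and a statistical anomaly detector that learns per-client request volume and error rate from a "training set" and flags clients whose z-score exceeds a threshold. The log lines, the client addresses, the training set and the signature names are all constructed for the example; the analysis is generic and applies to any log with one request per line.

```python
"""Misuse (signature) detection beside anomaly detection on one sample log (added example)."""
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample access lines in the form "<client ip> <method> <path> <status>".
SAMPLE_LOG: List[str] = """\
10.0.0.5 GET /index.html 200
10.0.0.7 GET /about.html 200
10.0.0.5 GET /images/logo.png 200
10.0.0.9 GET /../../etc/passwd 404
10.0.0.7 POST /login 302
10.0.0.9 GET /search?q=%27%20OR%201%3D1 200
10.0.0.5 GET /contact.html 200
""".splitlines()

# --- Misuse detection: tightly defined signatures for known-bad patterns ----------
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"(?:%27|')(?:%20|\s)*OR(?:%20|\s)+1(?:%3D|=)1", re.I),
}


def misuse_detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (signature name, line) for every line that matches a known signature."""
    return [(name, line) for line in lines for name, pat in SIGNATURES.items() if pat.search(line)]


# --- Anomaly detection: learn 'normal' per-client behaviour, then score deviations ---
def profile(lines: List[str]) -> Dict[str, Tuple[int, float]]:
    """Per-client features: (request count, fraction of 4xx/5xx responses)."""
    counts: Counter = Counter()
    errors: Counter = Counter()
    for line in lines:
        ip, _method, _path, status = line.split()
        counts[ip] += 1
        if status[0] in "45":
            errors[ip] += 1
    return {ip: (counts[ip], errors[ip] / counts[ip]) for ip in counts}


def train_baseline(training_lines: List[str]) -> Dict[str, float]:
    """Mean and population std-dev of each feature over the training set."""
    feats = list(profile(training_lines).values())
    counts = [c for c, _ in feats]
    rates = [r for _, r in feats]
    return {
        "count_mean": statistics.mean(counts), "count_sd": statistics.pstdev(counts),
        "err_mean": statistics.mean(rates), "err_sd": statistics.pstdev(rates),
    }


def anomaly_detect(lines: List[str], baseline: Dict[str, float], z: float = 3.0) -> List[Tuple[str, float, float]]:
    """Flag clients whose request count or error rate is more than z std-devs above normal."""
    alerts = []
    for ip, (count, err_rate) in profile(lines).items():
        z_count = (count - baseline["count_mean"]) / (baseline["count_sd"] or 1.0)
        z_err = (err_rate - baseline["err_mean"]) / (baseline["err_sd"] or 1.0)
        if z_count > z or z_err > z:
            alerts.append((ip, round(z_count, 2), round(z_err, 2)))
    return alerts


def make_training_log() -> List[str]:
    """Constructed 'training set': 20 clients with 8-12 requests each and an occasional 404."""
    lines = []
    for i in range(20):
        for j in range(8 + i % 5):
            status = "404" if (i + j) % 10 == 0 else "200"
            lines.append(f"192.168.1.{i + 1} GET /page{j}.html {status}")
    return lines


def make_window_log() -> List[str]:
    """Constructed detection window: the sample lines plus one client with many failing requests."""
    lines = list(SAMPLE_LOG)
    for j in range(25):
        lines.append(f"10.0.0.9 GET /missing{j}.html {'404' if j % 2 == 0 else '200'}")
    return lines


if __name__ == "__main__":
    window = make_window_log()
    print("misuse hits:", misuse_detect(window))
    print("anomalies:", anomaly_detect(window, train_baseline(make_training_log())))
```

Run on the window, the signature matcher reports exactly the two lines that match a known pattern and nothing else, while the anomaly detector reports only the client 10.0.0.9 (its request count and error rate are both far above the trained baseline) without saying which of its lines were the problem. That mirrors the slides: misuse detection gives a precise diagnosis but only for what it already knows, and anomaly detection catches the unfamiliar pattern but produces a coarser alert whose threshold `z` trades detection against false alarms.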
Where should an IDS be placed?
Strengths of IDS
• Monitoring and analysis of system events and user behaviours
• Testing the security states of system configurations
• Recognizing patterns of system events that correspond to known attacks
• Measuring enforcement of security policies encoded in the analysis engine
• Managing operating system audit and logging mechanisms and the data they generate
• Alerting appropriate staff by appropriate means when attacks are detected
• Allowing non-security experts to perform important security monitoring functions
• Recognizing patterns of activity that statistically vary from normal activity
Limitations of IDS
• Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or processing load
• Detecting newly published attacks or variants of existing attacks
• Effectively responding to attacks launched by sophisticated attackers
• Automatically investigating attacks without human intervention
Challenges with IDS techniques

There exist over 100 intrusion detection systems:
• Both open source and commercial
• Network-based, host-based, or a combination

Main problems
• Too many false positives
• System administrators tend to ignore warnings after a while
• Difficult to determine a good IDS policy

Other problems
• Protecting the IDS itself against attack
CONCLUSION