Chapter 7 - Section 7.5
Download
Report
Transcript Chapter 7 - Section 7.5
7.5 Intrusion Detection Systems
Network Security / G.Steffen
1
In This Section
Intrusion Detection Systems (IDS)
Types of IDSs
IDS Strengths & Limitations
Network Security / G.Steffen
2
Intrusion Detection Systems (IDSs)
IDS is a device that monitors activity to identify
malicious or suspicious events.
It acts like a sensor.
It can perform a variety of functions such as:
Monitoring users & system activity
Auditing system configuration
Assessing the integrity of critical system & data files
Identifying abnormal activity
Correcting system configuration errors
Network Security / G.Steffen
3
Types of IDSs 1
Signature-based IDS
It performs simple pattern-matching & report situations
that matches a pattern corresponding to a known attack
type.
It tends to use statistical analysis
The problem is the signature itself
Heuristic IDS (Anomaly based IDS)
It builds a model of acceptable behavior & flag
exceptions to that model
Network Security / G.Steffen
4
Types of IDSs 2
Network-based IDS
It is a stand-alone device attached to the network to
monitor traffic throughout that network.
Host-based IDS
It runs on a single workstation or client/host to protect
that one host.
State-based IDS – It sees the system going through
changes of overall state or configuration
Model-based IDS
Misuse ID – In this the real activity is compared against
a known suspicious area.
Network Security / G.Steffen
5
Stealth Mode
Most IDSs run in stealth mode
Stealth Mode IDS Connected to Two Networks
Network Security / G.Steffen
6
Design Approach for an IDS
Filter on packet headers
Filter on packet content
Maintain connection state
Use complex, multi packet signatures
Filter in real time, online
Hide its presence
Use minimal number of signatures with maximum
effect
Use optimal sliding time window size to match
segments
Network Security / G.Steffen
7
IDS Strengths & Limitations
Upside of IDSs
It can detect ever-growing number of serious problems
Evolving with time
Continuous improvement
Downside of IDSs
It is sensitive, therefore difficult to measure and adjust
It does not run itself
Network Security / G.Steffen
8