IDS - PowerPoint PPT Presentation

1
IDS IPS
  • ?????

2
IDS
  • ?????????
  • ???????????
  • ????(information source)
  • ????(analysis scheme)
  • ????(response)

3
?????????
  • ??(audit)?????????????????
  • ???????????,????????????(accountability)?
  • ????????
  • ???????????
  • ?????????????
  • ??????????
  • ???????????

4
???????????
  • ????(????)
  • ????
  • ????

5
???????????
  • ????(????)
  • ???(host-based, HIDS)
  • ???(network-based, NIDS)
  • ?????(application-based)
  • ???(target-based)
  • ????
  • ????

6
??????(host-based monitor)
  • HIDS??????????,????????????????
  • NIDS????????,?????????????????????????
  • HIDS????????????????????(sensor),?????????????????
  • ????????????????,??????????????????
  • ?????????,???????????
  • ?????????????????

7
??????(cont.)
  • ??????????
  • ???????????
  • ??????IDS?????????
  • ????????????(Switch)???
  • ???????????HIDS??????????
  • ????????????,??5?15??CPU???
  • ???????????????,?????????????,?????????????????

8
HIDS??????????
  • ?????(Log analyzer)
  • ??????(Signature-based sensor)
  • ???????(System call analyzer)
  • ?????????(Application behavior analyzer)
  • ????????(File integrity checker)

9
?????(Log analyzer)
  • ??????????????????,????????????????
  • ?????????HIDS??????????,????????????
  • ????????,???????????????
  • ?????????????????????????
  • ?????????????
  • ?????????????????????????
  • ?????????????????????????,???????????????????????
    ??,?????????????????

10
??????(Signature-based sensor)
  • ????????,????(built-in)???????,????????(incoming)?
    ????????????????
  • ?????????????????,???????????????
  • ????????????????,????????????????
  • ????????????,????????HIDS????????????????????
  • ???HIDS?????????????????????

11
???????(System call analyzer)
  • ?????????????????????????,??????????
  • ?????HIDS???,??????????????????
  • ????????????,?????????,???????????????????
  • ??????????????,?????????IDS????????????
  • ?????????????????HIDS???,????????????????
  • ?????????????(????)????,???????????????,??????????
    ?????

12
?????????(Application behavior analyzer)
  • ?????????????????????,????????????????????????????
  • ??????????,?????????????????????????,?????????????
    ?????
  • ????????????,???????????????????????
  • ????????,??????????????
  • ????????????????????,?????????????,???????????????
    ?????

13
????????(File integrity checker)
  • ????????????????????????????????????????????
  • ???????????????(????????????),??????????????
  • ?????????,????????????????,???????????
  • ?????????????,??????????????????????,?????????????
    ???
  • ??????,???????????????????,???????????
  • ?????????,????????????????

14
????????(File integrity checker)cont..
  • ??????????,????????????
  • ??????????????
  • ????????????,??????????????,???????????????????
  • ????????????????????????,?????????????????????????
    ?

15
??????(network-based monitor)
  • ????????????????????????
  • ??????????????(promiscuous mode)???????????????,
    ??????????????????,???????????
  • ???????????????
  • ???????????
  • ???????
  • ???????????????
  • ???????

16
???IDS
  • NIDS?????????????????
  • NIDS?????????????????(???????????)?????,??????????
    ???????????????
  • NIDS???????????????
  • ?????????????,?????????????
  • ????????????????,NIDS????????
  • NIDS?????????????????????????????,????????????????
    ?????????????????????

17
?????????IDS???
18
????????(application-based monitor)
  • ??????????????????????????????,?????????????
  • ?????????????????????,??????????????,?????????????
    ???
  • Malicious injection attack
  • ?? protocol analysis ???
  • client->server: client flow
  • server->client: server flow

19
??????(target-based monitor)
  • ????????
  • ???????????????????????????,??????????????????????
    ????????,??????????????????,??????????????????

20
???????????
  • ????(????)
  • ????
  • ????(misuse detection)
  • ????(anomaly detection)
  • ???????
  • ??????vs.??
  • ????

21
????(misuse detection)
  • Misuse Detection (????)
  • Signature Based Detection (???????)
  • Knowledge-based intrusion detection (?????????)

22
????(misuse detection)
  • ???????????????????????,??????????????????????????
    ????????????????????????????(?????????)?????????
    ???(????pattern matching),????????????????????
  • ????
  • ????????????????????

23
????(anomaly detection)
  • ??????????,?????????????????????????,?????????????
    ??????????(Flooding?Scan...)
  • ????
  • ??????????????????
  • ????????????????

25
???
  • False positives vs. false negatives
  • ??????(false positives) ????????????????????,?????
    ?????????
  • ??????(false negatives) ????????????????????????

26
???????
  • ??????(Immune System Approaches)
  • ?????????????
  • ?????(Genetic Algorithm)
  • ???????(Agent-Based Detection)
  • ????????????(Autonomous Agent for Intrusion Detection, AAFID)
  • ????(Data Mining)

27
??????vs.??
  • ?????????????????????????,????????????????,???????
    ?,???????????????????????????,????????????????????
    ????????????

28
??????vs.??(cont.)
  • ???????????????,??????????????????????
  • ?????????,??????,????????????,???????
  • ??????????,???????????????????????,????????,??????
    ??

29
???????????
  • ????(????)
  • ????
  • ????
  • ??vs.??
  • ????

30
??????vs.??
  • ??console messages?e-mail?cell phones or
    pagers??report???????SNMP alarms?alert?
  • ??
  • ??????
  • ???????
  • ????(??TCP RST??)
  • ?????????????(???????????)
  • ???????(??????????????port?????)
  • ????port?????(??HTTP)

31
????????
  • ??????
  • ??
  • ????
  • ????/???
  • ????/???
  • ?????/????
  • ???????

32
CIDF: Common Intrusion Detection Framework
  • CIDF Working Group (IETF)
  • Set of Components
  • Event Generator (E-Boxes)
  • Analysis Engines (A-Boxes)
  • Storage Mechanisms (D-Boxes)
  • Countermeasures (C-Boxes)
  • http://www.isi.edu/gost/cidf/

33
IDS on Linux
  • Linux Intrusion Detection System
  • http://www.lids.org/
  • Snort
  • http://www.snort.org/
  • Integrity Checking
  • Access Control

34
LIDS: Linux Intrusion Detection/Defense System
  • Host-Based IDS
  • Kernel Patch and Utility
  • Port Scanner Detection
  • Process Control
  • File Control
  • Trojan Protection
  • Real-time Security Alert

35
Snort: Lightweight Intrusion Detection for Networks
  • Network-Based IDS
  • Packet Logging
  • Sniffer Mode
  • Security Alert
  • Pre-processor (Rules Engine)
  • Multi-OS (FreeBSD, Win2K)

36
???????????
  • ????????????
  • ?????????Signature-based??????????????????????????
    ???,??????(Signature)?????????????????
  • ???
  • ?????????

37
??????
38
??????
  • ???Probe???????,????????????????,??????????
  • ???Penetrate????????,?????????????????,????????Buffer overflow?,???????????????,???????
  • ???Persist???????????????????,??????????????????,
    ????????????????,???????????
  • ???Propagate????????????????,????????????????????
    ???????????????????????
  • ???Paralyze????????????,???????????,????,DDOS????
    ???

39
Firewall IDS IPS
  • Firewall
  • IDS
  • Firewall IDS IPS

40
Firewall
  • port number IP address??
  • SQL Slammer
  • SQL Server
  • UDP Port 1434????376 bytes UDP??
  • buffer overflow ????

41
IDS
  • ??????????????????
  • ????????
  • ??????
  • sniffer mode
  • TCP Reset ,??Firewall???????
  • ??????
  • ??IP address
  • ?????protocol?????
  • Slammer UDP 1434
  • ??????
  • software

42
IDS?????
43
?????
  • ??????????(Behavior-based)??????????????????
  • ??????????(Behavior-based)??????????
  • ??????????????,?????????????????
  • ????????????
  • ????????(Signature)????????????
  • ????,???????Intrusion Prevention?????????????(Signature)?
  • ??????????(Behavior-based)?????????????????????,??
    ?????????Intrusion Prevention?,???????????

44
IPS
  • IPS (Intrusion Prevention System)
  • ?IDS??????????
  • ?????????IN-line mode
  • ????????????
  • ????(wire-line speed)
  • ??????
  • block packet, block connection, e-mail alarm, log event

45
IPS
  • ??????
  • inline Mode - Detect and Action
  • monitor Mode - Detect Only
  • tap Mode - Detect and Send TCP Reset
  • bypass Mode - Bypass all packets
  • stop Mode - Drop all packets
  • span Mode - Detect and Send TCP Reset on two network segments at the same time
  • ??????
  • DDOS, Buffer Overflow, Access Control, Trojan, Scan, Other
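Added example, not part of the slides: a small constructed model of the firewall / IDS / IPS distinction drawn from slides 40-41 (SQL Slammer on UDP port 1434, 376-byte datagrams) and the IPS operating modes on slide 45. The packet records, the signature name and the action labels are assumptions made for illustration.

```python
# Added example (not from the slides). A layer-4 firewall rule sees only
# addresses, protocol and ports, while an IDS/IPS signature also inspects
# packet content, here the datagram length the slides attribute to Slammer.
from dataclasses import dataclass

SLAMMER_PORT = 1434  # UDP port of the SQL Server resolution service (slide 40)
SLAMMER_LEN = 376    # UDP datagram length the slide attributes to Slammer


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int
    length: int  # datagram length in bytes


def firewall_verdict(pkt, blocked_udp_ports=frozenset({SLAMMER_PORT})):
    """Layer-4 decision (slide 48): a port block stops Slammer but also
    drops every legitimate datagram to 1434."""
    return "drop" if pkt.proto == "udp" and pkt.dport in blocked_udp_ports else "allow"


def ids_signature(pkt):
    """Content-aware check: port plus datagram length. Returns the alert
    name (constructed here) or None."""
    if pkt.proto == "udp" and pkt.dport == SLAMMER_PORT and pkt.length == SLAMMER_LEN:
        return "slammer-udp-1434-376"
    return None


def ips_action(pkt, mode):
    """Action each IPS mode from slide 45 takes on one packet (span mode
    behaves like tap on two segments and is not modelled)."""
    if mode == "bypass":      # bypass all packets: no inspection at all
        return "forward"
    if mode == "stop":        # drop all packets
        return "drop"
    if ids_signature(pkt) is None:
        return "forward"
    if mode == "inline":      # detect and action: dropped in the data path
        return "drop"
    if mode == "monitor":     # detect only
        return "log"
    if mode == "tap":         # detect and send TCP reset; a RST can only tear
        return "tcp-reset" if pkt.proto == "tcp" else "log"  # down TCP, not UDP
    raise ValueError(f"unknown IPS mode: {mode}")


# Constructed sample traffic: one Slammer-sized datagram, one ordinary query.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.9", "udp", SLAMMER_PORT, SLAMMER_LEN),
    Packet("10.0.0.7", "10.0.0.9", "udp", SLAMMER_PORT, 30),
]
```

Running the two sample packets through `firewall_verdict` drops both, while `ids_signature` flags only the first, which is the precision the slides contrast between port-based and content-based inspection.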

46
IPS????
47
Fire Wall vs. IPS
48
Fire Wall vs. IPS
Firewall IPS
???? ???? ????
???? Layer 4 Layer 7
???? ? ?????
Log Traffic Log ????? ????
??? IPS?Firewall?????????????? IPS?Firewall??????????????
49
IDS vs. IPS
  • Passive IDS ( sniffer mode)
  • Intrusion Prevention System (IPS)
  • In-Line mode

50
IDS vs. IPS
IDS IPS
???? Passive sniffer mode Active in-line mode
????? ????? TCP reset ???? ?????? ????
51
?????? ???????? ?????? ?????????? ??????????
BroadWeb ???????? (AIDP) ???????????? ??????????? ??????????????/UD ???????????
CA eTrust Firewall reconfigure ?????? Log??? N/A Software
Cisco IDS Router reconfigure ?????? Log??? ???????? Appliance
Enterasys Dragon Alert ????????? Log??? ???????? Appliance/ Software
ISS Real Secure Firewall reconfigure ?????? Log??? ????????/UD Software
Intrusion SecurNet Firewall reconfigure ?????? Log??? N/A Appliance/ Software
Symantec NetProwler Firewall reconfigure ?????? Log??? ????????/UD Software
HackerLab NIDS Alert ?????? N/A ???????? Appliance