Introduction to Intrusion Detection System IDS

1
Introduction to Intrusion Detection System (IDS)

• Yuhong Dong
• ydong_at_cse.fau.edu

2
Contents

• Introduction
• Intrusion Detection Categories
• - Host-based IDS
• - Network Based IDS
• Intrusion Detection Technique
• - Anomaly vs. Misuse Detection
• - Others
• Example of IDS

3
Introduction to IDS

• What is intrusion?
• An intrusion is somebody (hacker or
  cracker) attempting to break into or misuse
  your system. ( such as reading your email.)
• What is Intrusion Detection System?
• IDS is a system for detecting such intrusions.

4
IDS Categories HIDS vs. NIDS

• Host-based IDS (HIDS)
• HIDS can protect critical network devices storing
  sensitive and security information.
• Intrusions are detected by analyzing operating
  system and application audit trails.
• Network-based IDS (NIDS)
• NIDS monitors activities within a network
  connections and sessions, and performs the
  analysis on the network traffic.

5
The properties of HIDS

• Dont need to add additional hardware
• Closely real time detection and response
• Operating System-Dependent

6
The properies of NIDS

• Less cost
• Real time detection and response to attacks
• Can detect unsuccessful attack attempts
• Operating System-independent
• It is very difficult that attackers displace
  their evidence

7
Intrusion Detection Techniques

• Anomaly Intrusion Detection
• Anomaly intrusion detection tries to determine
  whether deviation from the established normal
  usage patterns can be flagged as intrusions.
• Misuse Intrusion Detection
• Misuse intrusion detection uses patterns of
  known attacks or week spots of the system to
  match and identify attacks.

8
Anomaly Intrusion Detection

• Advantage
• The operator needs not to configure the system.
  It automatically learns the behavior of a large
  number of subjects.
• It has the possibility of catching novel
  intrusions, as well as variations of known
  intrusions.
• Disadvantage
• It only flags unusual behavior, not necessarily
  bad behavior
• The system can be trained by intruders to accept
  the intruders behavior, --very dangerously!
• It is very hard to update and correcting the
  current behaviors.

9
Misuse Intrusion Detection

• Advantage
• - Good against known attacks
• - False alarms can be kept low
• - Normally less computationally
• Disadvantage
• - Very susceptible to novel or unusual attacks
• - Writing the rules can be very tedious
• - If the rules become known to an attacker,
  they can be avoided

10
Open Issue

• System Effectiveness
• -Detecting a wider range of attacks with fewer
  false positives.
• Performance
• -Keep up with the input-event stream
• generated by high-speed networks.
• (Gigabit Ethernet )
• Network-Wide Analysis
• Placing sensors at critical network locations
  let administrators detect attacks against the
  network as a whole.

11
Example of IDS

• Snort 2.x
• RealSecurity

12
Reference

• Intrusion Detection A Brief History and
  Overview. Richard A. Kemmerer and Giovanni Vegan.
  Reliable Software Group, Computer Science
  Department, University of California Santa
  Barbara
• Useful link
• Snort 2.x