seminar on Intrusion detection system - PowerPoint PPT Presentation

About This Presentation
Title:

seminar on Intrusion detection system

Description:

Overview of Intrusion Detection Systems: what are intrusions? What is intrusion detection? Functions of IDS: monitoring and analysis of user and system activity.


Transcript and Presenter's Notes

1
seminar on
Intrusion detection
system
  • By Suchismita Kar, Regd No. 0701209021, CS A

2
Topics to be covered
  • Overview of IDS
  • Process model
  • Architecture
  • Information sources
  • Analysis techniques
  • Strengths
  • Limitations
  • Conclusion
  • Reference

3
Overview of Intrusion Detection Systems
  • What are intrusions?
  • What is intrusion detection?
  • Functions of IDS:
  • Monitoring and analysis of user and system
    activity.
  • Auditing of system configurations.
  • Assessing the integrity of critical system and
    data files.
  • Recognition of activity patterns reflecting
    known attacks.
  • Statistical analysis for abnormal activity
    patterns.

4
Process model for Intrusion Detection
  • Information sources
  • Network, host, application
  • Analysis
  • Misuse detection, anomaly detection
  • Response
  • Active measures involving some automated
    intervention on the part of the system, and
    passive measures involving reporting IDS
    findings to humans, who are then expected to
    take action based on those reports.

5
IDS Architecture
  • Audit Collection/Storage Unit
  • Processing Unit
  • Alarm/Response Unit

6
Information sources
  • Network-based IDSs
  • Consist of a set of single-purpose sensors.
    These units monitor network traffic, performing
    local analysis of that traffic and reporting
    attacks to a central management console.
  • Host-based IDSs
  • Operate on information collected from within an
    individual computer system.
  • Operating system audit trails and system logs
  • Application-based IDSs
  • Special subset of host-based IDSs.
  • The most common information sources used by
    these IDSs are the application's transaction log
    files.

7
IDS Analysis Techniques
  • Misuse detection
  • Anomaly detection
  • Specification based detection

8
Misuse detection
  • Misuse detectors analyze system activity, looking
    for events or sets of events that match a
    predefined pattern of events that describe a
    known attack.

9
Advantages
  • Misuse detectors are very effective at detecting
    attacks without generating an overwhelming number
    of false alarms.
  • Misuse detectors can quickly and reliably
    diagnose the use of a specific attack tool or
    technique. This can help security managers
    prioritize corrective measures.
  • Misuse detectors can allow system managers,
    regardless of their level of security expertise,
    to track security problems on their systems,
    initiating incident handling procedures.

10
Disadvantages
  • Misuse detectors can only detect those attacks
    they know about; therefore they must be
    constantly updated with signatures of new
    attacks.
  • Many misuse detectors are designed to use tightly
    defined signatures that prevent them from
    detecting variants of common attacks. State-based
    misuse detectors can overcome this limitation,
    but are not commonly used in commercial IDSs.

11
Anomaly detection
  • Anomaly detectors identify abnormal or unusual
    behavior (anomalies) on a host or network.

12
Advantages
  • IDSs based on anomaly detection detect unusual
    behavior and thus have the ability to detect
    symptoms of attacks without specific knowledge of
    details.
  • Anomaly detectors can produce information that
    can in turn be used to define signatures for
    misuse detectors.

13
Disadvantages
  • Anomaly detection approaches usually produce a
    large number of false alarms due to the
    unpredictable behaviors of users and networks.
  • Anomaly detection approaches often require
    extensive training sets of system event records
    in order to characterize normal behavior
    patterns.
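The trade-offs on slides 8 to 13 can be seen side by side in a small Python example (added here; not part of the presentation). A misuse detector with one tightly defined signature catches only the exact tool string it knows, while an anomaly detector trained on per-host request counts flags an unusually busy but legitimate host and says nothing about a low-volume scanner. All log records, host addresses and the "DemoScanner" user-agent are constructed for the example.

```python
import re
import statistics
from collections import Counter

# Constructed access-log records as (host, user_agent, path); not from the slides.
TRAINING = ([("10.0.0.5", "Mozilla/5.0", "/index.html")] * 20
            + [("10.0.0.6", "Mozilla/5.0", "/about.html")] * 18
            + [("10.0.0.8", "Mozilla/5.0", "/index.html")] * 22)
TEST = ([("10.0.0.5", "Mozilla/5.0", "/index.html")] * 19
        + [("10.0.0.9", "DemoScanner/1.0", "/probe")] * 3     # exact known-tool string
        + [("10.0.0.10", "DemoScanner/1.1", "/probe")] * 3    # variant of the same tool
        + [("10.0.0.6", "Mozilla/5.0", "/about.html")] * 60)  # unusually busy, but legitimate

# Misuse detection: one tightly defined signature for a hypothetical scanner.
SIGNATURES = {"demo-scanner": re.compile(r"^DemoScanner/1\.0$")}

def misuse_detect(records):
    """Return {(host, signature_name)} for every record matching a known-attack pattern."""
    hits = set()
    for host, agent, _path in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(agent):
                hits.add((host, name))
    return hits

def build_baseline(records):
    """Characterise 'normal': mean and std-dev of per-host request counts in training data."""
    counts = Counter(host for host, _, _ in records)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)

def anomaly_detect(records, baseline, k=3.0):
    """Flag hosts whose request count exceeds mean + k * std-dev of the baseline."""
    mean, sd = baseline
    counts = Counter(host for host, _, _ in records)
    return {host for host, n in counts.items() if n > mean + k * sd}

if __name__ == "__main__":
    print("misuse hits:  ", misuse_detect(TEST))              # only the 1.0 variant is caught
    baseline = build_baseline(TRAINING)
    print("anomaly hits: ", anomaly_detect(TEST, baseline))   # busy legitimate host is flagged
```

The variant tool (10.0.0.10) is missed by both detectors: the signature is too tight and three requests are far below the statistical threshold, which is the gap that the signature updates and training data on the slides are meant to close.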

14
Specification based detection
  • Specification-based detectors distinguish between
    normal and intrusive behaviour by monitoring the
    traces of system calls of the target processes. A
    specification that models the desired behaviour
    of a process tells the IDS whether the actual
    observed trace is part of an attack or not.

15
Advantages
  • More or less the same as for misuse detection.
    However these systems manage to detect some
    types/classes of novel attacks. Additionally,
    they are more resistant against subtle changes in
    attacks.

16
Disadvantages
  • Usually for every program that is monitored, a
    specification has to be designed. Furthermore,
    the modelling process can be regarded as more
    difficult than the design of patterns for misuse
    detection systems. Additionally some classes of
    attacks are not detectable at all.
  • Some systems of this kind perform the detection
    by inspecting log files instead.
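Slides 14 to 16 in miniature: a specification of permitted system-call sequences written as a small state machine, replayed against traces (added Python example, not from the presentation). A call that the model does not permit is reported without any attack signature, which is how novel attacks get caught; a trace that stays inside the permitted sequence passes, which is the class of attack the slides call not detectable. The program, the specification and the traces are all hypothetical.

```python
# Hypothetical specification of a log-rotation helper's permitted system-call
# sequences, written as a small state machine (constructed for this example).
SPEC = {
    "start":  {"open": "opened"},
    "opened": {"read": "busy", "close": "start"},
    "busy":   {"read": "busy", "write": "busy", "close": "start"},
}

def check_trace(trace, spec=SPEC):
    """Replay a syscall trace against the spec.

    Returns (True, None) when every call is allowed in its state, otherwise
    (False, index) where index is the first call the spec does not permit.
    No attack signature is needed: anything outside the model is an alert.
    """
    state = "start"
    for i, call in enumerate(trace):
        nxt = spec.get(state, {}).get(call)
        if nxt is None:
            return False, i
        state = nxt
    return True, None

# Constructed traces. The third one stays inside the model: the spec sees only
# call names, so a misuse that keeps to the permitted sequence is not detected.
NORMAL = ["open", "read", "read", "write", "close"]
NOVEL = ["open", "read", "execve"]                # unseen before, still caught at index 2
WITHIN_SPEC = ["open", "read", "write", "close"]  # e.g. the same calls on an unexpected file

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL), ("novel", NOVEL), ("within_spec", WITHIN_SPEC)]:
        print(name, check_trace(trace))
```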

17
Strengths of IDS
  • Testing the security states of system
    configurations
  • Baselining the security state of a system, then
    tracking any changes to that baseline
  • Recognizing patterns of system events that
    correspond to known attacks
  • Recognizing patterns of activity that
    statistically vary from normal activity
  • Managing operating system audit and logging
    mechanisms and the data they generate
  • Alerting appropriate staff by appropriate means
    when attacks are detected
  • Measuring enforcement of security policies
    encoded in the analysis engine
  • Providing default information security policies
  • Allowing non-security experts to perform
    important security monitoring functions
  • Monitoring and analysis of system events and user
    behaviors

18
Limitations
  • Compensating for weak or missing security
    mechanisms in the protection infrastructure.
    Such mechanisms include firewalls,
    identification and authentication, link
    encryption, access control mechanisms, and
    virus detection and eradication.
  • Instantaneously detecting, reporting, and
    responding to an attack when there is a heavy
    network or processing load.
  • Detecting newly published attacks or variants of
    existing attacks.
  • Effectively responding to attacks launched by
    sophisticated attackers.
  • Resisting attacks that are intended to defeat or
    circumvent them.
  • Compensating for problems with the fidelity of
    information sources.
  • Dealing effectively with switched networks.

19
Conclusion
  • IDSs are here to stay, with billion-dollar firms
    supporting the development of commercial security
    products and driving hundreds of millions in
    annual sales. However, they remain difficult to
    configure and operate and often can't be
    effectively used by the very novice security
    personnel who need to benefit from them most.

20
References
  • www.google.com
  • www.wikipedia.com
  • Yi Hu, Brajendra Panda. A data mining approach
    for database intrusion detection.
  • Lee, V. C. S., Stankovic, J. A., Son, S. H.
    Intrusion detection in real-time database systems
    via time signatures.

21
Any queries?

22
Thank you