Network Security:
Intrusion Detection Systems
Vo Viet Minh Nhat
Information Technology Dept.
Faculty of Sciences
Agenda
Introduction to Intrusion Detection
Host-Based IDSs
Network-Based IDSs
IDS Management Communications: Monitoring the Network
Sensor Maintenance
Conclusion
Objectives
On completing this section, you will be able to:
Explain the main differences between the various IDSs
Describe host-based IDSs in detail
Describe network-based IDSs in detail
Explain how IDS management communication works
Describe IDS tuning
Explain how IDS maintenance works
Introduction
Companies need to defend their resources not only passively, by using firewalls, virtual private networks (VPNs), encryption techniques, and similar measures, but also by deploying proactive tools and devices throughout the network => IDS.
An intrusion is an attempt by someone to break into, misuse, or exploit a system => the security policy defines what and who constitutes an attempt to break into, abuse, or exploit a system.
Introduction
Two types of potential intruders exist:
Outside intruders: referred to as crackers
Inside intruders: originate from within the organization
IDSs are effective solutions for detecting both types of intrusion continuously. These systems run constantly in a network, notifying network security personnel when they detect an attempt they consider suspicious.
Introduction
IDSs have two main components:
IDS sensors: software- or hardware-based components used to collect and analyze the network traffic. They are available in two varieties:
network IDS: can be embedded in a networking device, a standalone appliance, or a module monitoring the network traffic
host IDS: a server-specific agent running on a server with a minimum of overhead to monitor the operating system
IDS management: acts as the collection point for alerts and performs configuration and deployment services for the IDS sensors in the network.
Notification Alarms
The overall purpose of IDSs is to trigger alarms when a given packet or sequence of packets seems to represent suspicious activity that violates the defined network security policy.
However, it is critical for network security personnel to configure the IDS to minimize the occurrence of false negative and false positive alarms.
Notification Alarms
A false positive is a condition in which valid traffic or a benign action causes a signature to fire.
A signature is a set of events and patterns recognized from a protocol-decoded packet. This set defines an alarm-firing condition that is met when offending network traffic is seen.
A false negative is a condition in which a signature is not fired when offending traffic is transmitted: the IDS sensor does not detect and report a malicious activity, and the system allows it to pass as nonintrusive behavior.
Notification Alarms
There are two main reasons for a false negative:
the sensor lacks the latest signatures
a software defect in the sensor
=> The IDS configuration should be continuously updated with new exploits and hacking techniques upon their discovery.
Notification Alarms
False positive alarms occur when the IDS sensor classifies an action or transaction as anomalous although it is actually legitimate traffic.
A false alarm requires an unnecessary intervention to analyze and diagnose the event.
=> Try to avoid this type of situation, because a large number of false positives can significantly drain resources, and the specialized skills required for analysis are scarce and costly.
Signature-Based IDS
The signature-based IDS monitors the network traffic or observes the system and sends an alarm if a known malicious event is happening.
It does so by comparing the data flow against a database of known attack patterns.
These signatures explicitly define what traffic or activity should be considered malicious.
Signature-Based IDS
Various types of signature-based IDSs exist:
Simple and stateful pattern matching
Protocol decode-based analysis
Heuristic-based analysis
Pattern-matching systems look for a fixed sequence of bytes in a single packet:
simple, generates reliable alerts, applicable to all protocols
any slightly modified attack leads to false negatives
multiple signatures may be required to deal with a single vulnerability
Signature-Based IDS
Protocol decode-based systems decode very specific protocol elements, such as header and payload size and field content and size, and analyze them for Request for Comments (RFC) violations.
They are highly specific and minimize the chance of false positives.
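The following added example (written for this page, not code from the slides) contrasts the two signature-based approaches described above on constructed HTTP request samples: a fixed-byte pattern matcher, which misses a percent-encoded variant of the same request (a false negative), and a protocol-decode engine that parses the request line, checks it against the HTTP grammar, and normalises the URI before matching. The sample requests, signature names, method and version tables, and the URI length limit are all assumptions made for the example.

```python
"""Added example (not from the slides): a toy signature-based IDS that
contrasts simple byte-pattern matching with protocol-decode analysis
on constructed HTTP request samples."""
import re
from urllib.parse import unquote

# Constructed sample requests (not real captures).
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
ATTACK = b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
# Same request with the traversal sequence percent-encoded: the bytes differ
# but the decoded meaning is identical.
ATTACK_ENCODED = b"GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
MALFORMED = b"GETT /index.html HTTP/9.9\r\nHost: www.example.test\r\n\r\n"

# Simple pattern-matching signature: a fixed byte sequence in a single packet.
PATTERN_SIGNATURES = {
    "path-traversal-raw": b"../../etc/passwd",
}

def pattern_match(packet: bytes) -> list:
    """Return the names of signatures whose fixed byte sequence appears in the packet."""
    return [name for name, seq in PATTERN_SIGNATURES.items() if seq in packet]

# Protocol-decode analysis: parse the request line, validate it against the
# HTTP grammar, then normalise the URI before applying content checks.
VALID_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
VALID_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
MAX_URI_LEN = 2048  # assumed local limit for the example, not an RFC value

def protocol_decode(packet: bytes) -> list:
    """Decode the HTTP request line and return a list of alert names."""
    alerts = []
    try:
        request_line = packet.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return ["http-non-ascii-request-line"]
    parts = request_line.split(" ")
    if len(parts) != 3:
        return ["http-malformed-request-line"]
    method, uri, version = parts
    if method not in VALID_METHODS:
        alerts.append("http-unknown-method")
    if version not in VALID_VERSIONS:
        alerts.append("http-bad-version")
    if len(uri) > MAX_URI_LEN:
        alerts.append("http-uri-too-long")
    # Decode percent-encoding so byte-level variants collapse to one form
    # before the content check runs.
    normalised = unquote(uri)
    if re.search(r"(^|/)\.\./", normalised):
        alerts.append("path-traversal-decoded")
    return alerts

def compare(samples: dict) -> dict:
    """Run both engines over named samples: {name: (pattern_alerts, decode_alerts)}."""
    return {name: (pattern_match(pkt), protocol_decode(pkt)) for name, pkt in samples.items()}

if __name__ == "__main__":
    results = compare({"benign": BENIGN, "attack": ATTACK,
                       "attack_encoded": ATTACK_ENCODED, "malformed": MALFORMED})
    for name, (p, d) in results.items():
        print(f"{name:15s} pattern={p} decode={d}")
```

Running the block shows the point of the slide: the pattern matcher fires only on the exact byte sequence, so the encoded variant passes silently, while the decode engine reports both variants and additionally flags the request that violates the protocol grammar.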
Signature-Based IDS
Overview of Signature-Based IDSs
Pros:
Low false positive rate (reliable alerts)
Simple to customize
Applicable for all protocols
Cons:
Single vulnerability may require multiple signatures
Continuous updates required
Modifications lead to misses (false negatives)
Cannot detect unknown attacks
Susceptible to evasion
[Figure: Example of an attack against a web server]
Policy-Based IDS
The policy-based IDSs (mainly host IDSs) trigger an alarm whenever a violation occurs against the configured policy.
For instance, a network access policy defined in terms of access permissions.
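As an added example of the policy-based approach (written for this page, not code from the slides), the block below evaluates constructed connection records against a small network access policy expressed as ordered allow/deny rules and raises an alarm for every record the policy does not permit. The rule format, the record format, the addresses and the ports are all assumptions made for the example.

```python
"""Added example (not from the slides): a toy policy-based IDS. It evaluates
constructed connection records against a configured network access policy
and raises an alarm for every record the policy does not permit."""
import re
from ipaddress import ip_address, ip_network

# Assumed policy format: ordered rules, first match wins, implicit deny when no
# rule matches. Each rule: (source network, destination network, port, action).
POLICY = [
    (ip_network("10.10.0.0/16"), ip_network("10.20.0.5/32"), 443, "allow"),
    (ip_network("10.10.0.0/16"), ip_network("10.20.0.5/32"), 22, "deny"),
    (ip_network("10.30.0.0/24"), ip_network("10.20.0.5/32"), 22, "allow"),
    (ip_network("0.0.0.0/0"), ip_network("10.20.0.0/24"), 3389, "deny"),
]

# Constructed connection records in a simple key=value format (not real logs).
RECORDS = [
    "ts=2024-05-01T10:00:01 src=10.10.1.4 dst=10.20.0.5 dport=443",
    "ts=2024-05-01T10:00:07 src=10.10.1.4 dst=10.20.0.5 dport=22",
    "ts=2024-05-01T10:00:12 src=10.30.0.9 dst=10.20.0.5 dport=22",
    "ts=2024-05-01T10:00:20 src=192.0.2.7 dst=10.20.0.17 dport=3389",
    "ts=2024-05-01T10:00:31 src=10.30.0.9 dst=10.20.0.5 dport=8080",
]

RECORD_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")

def evaluate(src: str, dst: str, port: int) -> tuple:
    """Return (action, matched_rule_index); the index is None for the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for idx, (src_net, dst_net, rule_port, action) in enumerate(POLICY):
        if s in src_net and d in dst_net and port == rule_port:
            return action, idx
    return "deny", None

def parse_record(line: str) -> dict:
    """Parse one constructed record; unparseable input is an error, not silently skipped."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    ts, src, dst, port = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(port)}

def policy_alarms(lines) -> list:
    """Return one alarm dict per record that violates the policy."""
    alarms = []
    for line in lines:
        rec = parse_record(line)
        action, idx = evaluate(rec["src"], rec["dst"], rec["dport"])
        if action == "deny":
            alarms.append({**rec, "rule": idx if idx is not None else "implicit-deny"})
    return alarms

if __name__ == "__main__":
    for a in policy_alarms(RECORDS):
        print(f"ALARM {a['ts']} {a['src']} -> {a['dst']}:{a['dport']} (rule {a['rule']})")
```

Because the policy is written by the administrator rather than learned, every alarm names the rule that was violated, which is the reason the slides list reliable alerts as a strength and the effort of writing the rule set as the cost.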
Policy-Based IDS
Overview of Policy-Based IDS
Pros:
Low false positive rate (reliable alerts)
Simple to customize
Cons:
Network administrator must design a set of policy rules from scratch
Long deployment time
Anomaly-Based IDS
The anomaly-based IDS looks for traffic that deviates from the normal; the tricky part is defining what a normal network traffic pattern is.
The anomaly-based IDS can monitor the system or network and trigger an alarm if an event outside known normal behavior is detected.
Example: the detection of specific data packets that originate from a user device rather than from a network router.
Anomaly-Based IDS
Overview of Anomaly-Based IDS
Pros:
Unknown attack detection
Easy deployment for networks with well-defined traffic patterns
Cons:
High false positive rate
Interpretation of generated alarms is difficult
Anomaly-Based IDS
Two types of anomaly-based IDS exist:
Statistical: statistical anomaly detection learns the traffic patterns interactively over a period of time
Nonstatistical: in the nonstatistical approach, the IDS has a predefined configuration of the supposedly acceptable and valid traffic patterns.
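The following added example (written for this page, not code from the slides) puts the two anomaly-based approaches side by side. The statistical detector learns a baseline (mean and standard deviation) from a training window of per-minute connection counts and alerts on observations that deviate by more than a chosen number of standard deviations; the nonstatistical detector checks events against a predefined profile of acceptable traffic. The counts, hosts, ports, the profile and the threshold are all constructed assumptions.

```python
"""Added example (not from the slides): the two anomaly-based approaches side by
side. The statistical detector learns a baseline from a training window of
per-minute connection counts and alerts on large deviations; the nonstatistical
detector uses a predefined profile of acceptable traffic. All data is constructed."""
from statistics import mean, stdev

# Constructed training window: connections per minute on a quiet server.
TRAINING_COUNTS = [50, 52, 48, 51, 49, 50, 53, 47, 50, 51]
# Constructed observation window containing two deviations (a burst and a drop).
OBSERVED_COUNTS = [52, 120, 49, 5, 50]

def learn_baseline(samples: list) -> tuple:
    """Statistical approach: learn (mean, stdev) from a training window."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate variance")
    sd = stdev(samples)
    # A perfectly flat training window gives stdev 0; a small floor keeps the
    # z-score finite, so any change from the mean is then reported.
    return mean(samples), max(sd, 1e-6)

def z_score(baseline: tuple, value: float) -> float:
    """How many standard deviations `value` lies from the learned mean."""
    m, sd = baseline
    return (value - m) / sd

def statistical_alerts(baseline: tuple, window: list, threshold: float = 3.0) -> list:
    """Return (index, value, z) for observations more than `threshold` stdevs from the mean."""
    return [(i, v, round(z_score(baseline, v), 2))
            for i, v in enumerate(window)
            if abs(z_score(baseline, v)) > threshold]

# Nonstatistical approach: a predefined profile of acceptable traffic.
# Assumed profile: the destination ports each host is expected to use.
EXPECTED_PORTS = {
    "10.20.0.5": {80, 443},
    "10.20.0.6": {53},
}

# Constructed events as (host, destination port) pairs.
EVENTS = [("10.20.0.5", 443), ("10.20.0.5", 80), ("10.20.0.6", 53),
          ("10.20.0.5", 6667), ("10.20.0.7", 443)]

def profile_alerts(events: list, profile: dict) -> list:
    """Return events outside the predefined profile. A host absent from the
    profile has no known-good pattern, so all of its traffic is reported."""
    return [(host, port) for host, port in events
            if port not in profile.get(host, set())]

if __name__ == "__main__":
    base = learn_baseline(TRAINING_COUNTS)
    print("baseline mean=%.2f stdev=%.2f" % base)
    print("statistical alerts:", statistical_alerts(base, OBSERVED_COUNTS))
    print("profile alerts:", profile_alerts(EVENTS, EXPECTED_PORTS))
```

The threshold is where the tuning trade-off from the earlier slides shows up: a tighter threshold catches smaller deviations but raises the false positive rate, and the alerts carry only a number, not a reason, which is why the slides note that anomaly alarms are hard to interpret.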
Network IDS versus Host IDS
Host IDSs and network IDSs are currently the most popular approaches to implementing analysis technologies.
A host IDS can be described as a distributed agent residing on each server of the network that needs protection.
Network IDSs can be described as intelligent sniffing devices.
Data (raw packets) is captured from the network by a network IDS, whereas host IDSs capture the data from the host on which they are installed.
This raw data can then be compared against well-known attacks and attack patterns that are used for packet and protocol validation.
Host IDS
Network IDS