
Network Security: Intrusion Detection Systems



Network Security:
Intrusion Detection Systems
Vo Viet Minh Nhat
Information Technology Dept.
Faculty of Sciences

Agenda

Introduction to Intrusion Detection

Host-Based IDSs

Network-Based IDSs

IDS Management Communications:
Monitoring the Network

Sensor Maintenance

Conclusion

Objectives

On completing this section, you will be able to

Explain the main differences between the various
IDSs

Describe host-based IDSs in detail


Describe network-based IDSs in detail

Explain how IDS management communication
works

Describe IDS tuning

Explain how IDS maintenance works

Introduction

Companies must defend their resources not only
passively, by using firewalls, virtual private
networks (VPNs), encryption techniques, and
similar measures, but also proactively, by deploying
tools and devices that monitor the whole
network => IDS

Intrusion = someone tries to break into, misuse,
or exploit a system => the security policy defines
what and who constitutes an attempt to break into,
abuse, or exploit a system.

Introduction

Two types of potential intruders exist:

Outside intruders: referred to as crackers

Inside intruders: occur from within the organization


IDSs are effective solutions to detect both
types of intrusions continuously. These
systems run constantly in a network, notifying
network security personnel when they detect
an attempt they consider suspicious.

Introduction

IDSs have two main components:

IDS sensors: software- or hardware-based components
used to collect and analyze the network traffic. They are
available in two varieties:

network IDS: can be embedded in a networking device, a
standalone appliance, or a module monitoring the network
traffic

host IDS: a server-specific agent running on a server with
minimal overhead to monitor the operating system

IDS management: acts as the collection point for alerts and
performs configuration and deployment services for the IDS
sensors in the network.


Notification Alarms

The overall purpose of IDSs is to trigger
alarms when a given packet or sequence of
packets seems to represent suspicious
activity that violates the defined network
security policy.

However, it is critical for network security
personnel to configure the IDS to minimize
the occurrence of false negative and false
positive alarms.

Notification Alarms

A false positive is a condition in which valid traffic or
a benign action causes the signature to fire.

A signature is a set of events and patterns that is
recognized from a protocol-decoded packet. This set
defines an alarm-firing condition when offending network
traffic is seen

A false negative is a condition in which a signature is
not fired when offending traffic is transmitted.

That is, the IDS sensor does not detect and report a
malicious activity, and the system allows it to pass as
nonintrusive behavior.

Notification Alarms

Two main reasons for a false negative:

The sensor lacks the latest signatures.

A software defect in the sensor.

=> The IDS configuration should be
continuously updated with new exploits and
hacking techniques upon their discovery.

Notification Alarms

False positive alarms occur when the IDS sensor
classifies an action or transaction as anomalous
although it is actually legitimate traffic.

A false alarm requires an unnecessary intervention
to analyze and diagnose the event.

=> This situation should be avoided because a large
number of false positives can significantly drain
resources, and the specialized skills required for
analysis are scarce and costly.

Signature-Based IDS

The signature-based IDS monitors the
network traffic or observes the system and
sends an alarm if a known malicious event is
happening.


It does so by comparing the data flow against
a database of known attack patterns.

These signatures explicitly define what traffic
or activity should be considered as malicious.

Signature-Based IDS

Various types of signature-based IDSs:

Simple and stateful pattern matching

Protocol decode-based analysis

Heuristic-based analysis

The pattern-matching systems look for a fixed
sequence of bytes in a single packet

simple, generates reliable alerts, applicable to all protocols

any slightly modified attack leads to false negatives.

multiple signatures may be required to deal with a single
vulnerability

Signature-Based IDS

Protocol decode-based systems decode very
specific protocol elements, such as header
and payload size and field content and size,
and analyze for Request for Comment (RFC)
violations.

highly specific and minimize the chance for false
positives.
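The two signature-based techniques above, simple pattern matching and protocol decode-based analysis, as an added example that is not part of the original slides. The packets, the signature name, the method list and the size limit are all constructed for this demo; the point is to see the raw-byte matcher fire on one request, miss a slightly modified copy of it (a false negative), and fire on a packet where the bytes sit in an unrelated header, while the decoder inspects the decoded request target and flags a malformed request line instead.

```python
"""Signature-based IDS in miniature: simple pattern matching beside a
protocol-decode check, run over constructed HTTP requests.

Added teaching example, not code from the original slides. The packets,
signature name, method list and size limit are all constructed for this
demo.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Simple pattern matching: one fixed byte sequence that must appear anywhere
# in a single packet (constructed signature name).
PATTERN_SIGNATURES = {
    "SIG-1000 traversal to /etc/passwd": b"../../etc/passwd",
}

# Constructed packets, each a complete HTTP request as seen on the wire.
PACKETS = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n",
    "attack": b"GET /../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n",
    # The same request with "/" percent-encoded: the raw bytes no longer
    # contain the signature, so the pattern matcher misses it (false negative).
    "modified": b"GET /..%2F..%2Fetc/passwd HTTP/1.1\r\nHost: www\r\n\r\n",
    # The signature bytes appear in a header value, not in the request
    # target; the raw matcher fires on it anyway.
    "echo": b"GET /search HTTP/1.1\r\nHost: www\r\n"
            b"Referer: http://x/../../etc/passwd\r\n\r\n",
    # Not a valid HTTP request line at all.
    "malformed": b"GRAB ///// \r\n\r\n",
}


def pattern_match(packet: bytes) -> List[str]:
    """Fire every signature whose byte sequence appears anywhere in the packet."""
    return [name for name, pat in PATTERN_SIGNATURES.items() if pat in packet]


# Protocol decode: pull the request apart into its elements first, then
# analyze the elements, as the slides describe for decode-based systems.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
MAX_TARGET_LEN = 2048  # constructed limit on the request-target length


def decode_http(packet: bytes) -> dict:
    """Split an HTTP request into method and target, recording violations
    of the request-line grammar and of the size limit."""
    head, _, _body = packet.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return {"method": None, "path": None,
                "violations": ["malformed request line"]}
    method, target, _major, _minor = match.groups()
    violations = []
    if method not in KNOWN_METHODS:
        violations.append("unknown method")
    if len(target) > MAX_TARGET_LEN:
        violations.append("request target too long")
    # Normalize the target the way the server will interpret it: percent-
    # decode it and drop the query string, so encoding variations are undone.
    path = unquote(target.decode("latin-1")).split("?", 1)[0]
    return {"method": method, "path": path, "violations": violations}


def decode_alerts(packet: bytes) -> List[str]:
    """Alerts from the decoder: protocol violations plus the traversal
    signature applied only to the decoded request path."""
    decoded = decode_http(packet)
    alerts = [f"PROTO violation: {v}" for v in decoded["violations"]]
    if decoded["path"] is not None and "../../etc/passwd" in decoded["path"]:
        alerts.append("SIG-1000 traversal to /etc/passwd (decoded path)")
    return alerts


def compare() -> Dict[str, Tuple[List[str], List[str]]]:
    """Run both engines over every constructed packet."""
    return {name: (pattern_match(p), decode_alerts(p))
            for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, (raw, dec) in compare().items():
        print(f"{name:10} pattern={raw or '-'}  decode={dec or '-'}")
```

Running the block prints one line per packet. The raw matcher fires on "attack" and "echo" and stays silent on "modified"; the decoder fires on "attack" and "modified" (same decoded path), stays silent on "echo" because the bytes are not in the request target, and reports the request-line violation for "malformed". That is the trade-off the slides list: the fixed-byte signature is simple and protocol-independent, but any modification causes a miss, while the decoder is more specific and needs less tuning against false positives.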

Signature-Based IDS
Overview of Signature-Based IDSs

Pros:

Low false positive rate (reliable alerts)

Simple to customize

Applicable for all protocols

Cons:

Single vulnerability may require multiple signatures

Continuous updates required

Modifications lead to misses (false negatives)

Cannot detect unknown attacks

Susceptible to evasion

Example of an attack against a
web server

Policy-Based IDS

The policy-based IDSs (mainly host IDSs)
trigger an alarm whenever a violation occurs
against the configured policy.

For instance, a network access policy defined in
terms of access permissions.


Policy-Based IDS
Overview of Policy-Based IDS

Pros:

Low false positive rate (reliable alerts)

Simple to customize

Cons:

Network administrator must design a set of policy rules from scratch

Long deployment time

Anomaly-Based IDS

The anomaly-based IDS looks for traffic that
deviates from the normal, but defining what
constitutes a normal network traffic pattern is the
tricky part.

The anomaly-based IDS can monitor the system or
network and trigger an alarm if an event outside
known normal behavior is detected.

Example: the detection of specific data packets that
originate from a user device rather than from a network
router.

Anomaly-Based IDS

Overview of Anomaly-Based IDS

Pros:

Unknown attack detection

Easy deployment for networks with well-defined traffic patterns

Cons:

High false positive rate

Interpretation of generated alarms is difficult

Anomaly-Based IDS

Two types of anomaly-based IDS exist:

Statistical: Statistical anomaly detection learns the
traffic patterns interactively over a period of time

Nonstatistical: In the nonstatistical approach, the
IDS has a predefined configuration of the
supposedly acceptable and valid traffic patterns.
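Policy-based detection (the Policy-Based IDS slides above) and the two anomaly-based variants just described, as one added example that is not part of the original slides. The policy rules stand in for both the policy-based IDS and the nonstatistical anomaly IDS, since both start from a predefined description of acceptable traffic; the statistical part learns a per-host baseline from training windows. All hosts, rules, traffic windows and the threshold factor k are constructed for this demo.

```python
"""Policy-based and anomaly-based detection in miniature, run over
constructed connection records (source host, destination host, port).

Added teaching example, not code from the original slides. The subnets,
policy rules, traffic windows and the threshold factor k are all
constructed for this demo.
"""
from __future__ import annotations

from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Record = Tuple[str, str, int]  # (source host, destination host, destination port)

# Policy-based (and nonstatistical anomaly) detection: acceptable traffic is
# configured up front. Each rule: (source prefix, destination host, port).
POLICY = [
    ("10.1.", "10.2.0.10", 443),  # workstations -> web application
    ("10.1.", "10.2.0.20", 53),   # workstations -> DNS
    ("10.3.", "10.2.0.10", 22),   # admin subnet -> SSH on the web host
]


def policy_alarms(records: List[Record]) -> List[Record]:
    """Alarm on every record that no configured rule permits."""
    def permitted(src: str, dst: str, port: int) -> bool:
        return any(src.startswith(p) and dst == d and port == pt
                   for p, d, pt in POLICY)
    return [r for r in records if not permitted(*r)]


# Statistical anomaly detection: learn what "normal" looks like per source
# host over a training period, then alarm on deviations from it.
def learn_baseline(training: List[List[Record]], k: float = 3.0) -> Dict[str, float]:
    """Per source host, threshold = mean + k * std of connections per window."""
    hosts = {src for window in training for src, _, _ in window}
    thresholds = {}
    for host in hosts:
        series = [Counter(src for src, _, _ in w)[host] for w in training]
        thresholds[host] = mean(series) + k * pstdev(series)
    return thresholds


def statistical_alarms(baseline: Dict[str, float],
                       window: List[Record]) -> List[Tuple[str, int, str]]:
    """Alarm when a host exceeds its learned threshold or was never seen."""
    alarms = []
    for host, n in Counter(src for src, _, _ in window).items():
        if host not in baseline:
            alarms.append((host, n, "host not seen during training"))
        elif n > baseline[host]:
            alarms.append((host, n, f"above learned threshold {baseline[host]:.2f}"))
    return alarms


def make_window(spec: Dict[Record, int]) -> List[Record]:
    """Expand {record: count} into a flat list of records (constructed data)."""
    return [rec for rec, n in spec.items() for _ in range(n)]


# Five constructed training windows: the workstation makes 4 to 6 web
# connections per window, the admin host exactly one SSH session.
TRAINING = [
    make_window({("10.1.0.5", "10.2.0.10", 443): n,
                 ("10.3.0.2", "10.2.0.10", 22): 1})
    for n in (4, 5, 4, 6, 5)
]

# One constructed live window.
LIVE = make_window({
    ("10.1.0.5", "10.2.0.10", 443): 40,  # sudden burst from the workstation
    ("10.3.0.2", "10.2.0.10", 22): 2,    # admin opened a second SSH session
    ("10.1.0.7", "10.2.0.10", 443): 3,   # host never seen during training
}) + [("10.1.0.5", "10.2.0.10", 22)]     # workstation connects to SSH on the web host


if __name__ == "__main__":
    print("policy alarms:", policy_alarms(LIVE))
    print("statistical alarms:", statistical_alarms(learn_baseline(TRAINING), LIVE))
```

The policy engine raises exactly one alarm, the workstation-to-SSH connection that no rule permits, and says nothing about volume: a reliable alert, at the cost of someone having written the rule set first. The statistical engine catches the workstation burst and the unseen host, but it also fires on the admin's second SSH session, because a constant training series has zero standard deviation and any increase crosses the threshold; that is the high false positive rate the slides list, and why anomaly detection deploys most easily where traffic patterns are well defined.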

Network IDS versus Host IDS

Host IDSs and network IDSs are currently the most
popular approaches to implementing analysis
technologies.

A host IDS can be described as a distributed agent residing
on each server of the network that needs protection.

Network IDSs can be described as intelligent sniffing
devices.

Data (raw packets) is captured from the network by a
network IDS, whereas host IDSs capture the data from the
host on which they are installed.

This raw data can then be compared against well-known
attacks and attack patterns that are used for packet and
protocol validation.

Host IDS

Network IDS
