
EC 407 COMPUTER COMMUNICATION MODULE III

MODULE VI
Introduction to information system security, common attacks. Security at Application Layer
(E-MAIL, PGP and S/MIME). Security at Transport Layer (SSL and TLS). Security at
Network Layer (IPSec). Defence and counter measures: Firewalls and their types. DMZ,
Limitations of firewalls, Intrusion Detection Systems - Host based, Network based, and
Hybrid IDSs

SECURITY SERVICES (KTU Dec 2018)


• Network security can provide the following services:
o Confidentiality: Only the sender and the intended receiver should be able to
understand the contents of the transmitted message.
o Authentication: Both the sender and the receiver need to confirm the identity of
the other party involved in the communication.
o Message Integrity: Both the sender and the receiver must be able to verify that the
content of their communication was not altered during transmission.
o Availability and Access control: Availability refers to protection against
disruption of services; it ensures that the services provided by a server
system remain available to all authorized users. Access control mechanisms
control which users or computer programs can access which data.
DIFFERENT TYPES OF NETWORK ATTACKS (KTU Dec 2018)
• Network attack is defined as a threat, intrusion, denial of service or other attack on
a network infrastructure.
• There are at least seven types of network attacks.
1. Spoofing
2. Sniffing
3. Mapping
4. Hijacking
5. Trojans
6. DoS and DDoS
7. Social engineering
1. Spoofing (Identity spoofing or IP Address Spoofing)
• If the attacker controls the software running on a network device (or uses raw sockets on
an ordinary host), they can place any false IP address in the packet's source address field.
This is known as IP spoofing.
• With a spoofed source IP address, it is difficult to trace the packet back to the host that
actually sent it; replies also go to the spoofed address, which is what reflection attacks
such as Smurf rely on.
• The countermeasure for spoofing is ingress filtering (BCP 38).
• Routers that perform ingress filtering check the source IP address of each incoming
datagram and determine whether that address is in the range of network addresses that are
known to be reachable via the interface the datagram arrived on. If the source address is
not in the valid range, the packet is discarded.
2. Sniffing

DEPARTMENT OF ECE Page 1



• Sniffing is the process of monitoring and capturing all data packets passing through a
given network segment.
• If an Ethernet NIC is placed in promiscuous mode (the sniffer program on that host sets
it), the NIC passes every frame it sees on the medium to the sniffer, not only the frames
addressed to that host. On a switched LAN the sniffer only sees the traffic delivered to its
own port unless the switch itself is attacked (e.g., by ARP spoofing).
• The best countermeasure against sniffing is end-to-end (user-to-user) encryption: the
attacker still captures the packets but cannot read their contents.
3. Mapping (Reconnaissance)
• Before attacking a network, attackers want to know the IP addresses of the machines on
the network, the operating systems they run, and the services they offer. With this
information their attacks can be more focused and are less likely to raise an alarm. The
process of gathering this information (by ping sweeps, port scans and banner grabbing)
is known as mapping.
• Countermeasures: expose as few hosts and services as possible (firewalls, DMZ), and
detect scanning activity with an intrusion detection system. Encryption by itself does not
prevent mapping, because which hosts and ports respond is visible without reading any
payload.
4. Hijacking (man-in-the-middle attack)
• Hijacking occurs when someone between you and the person you are communicating
with actively monitors, captures, and controls your communication transparently.
• In a man-in-the-middle attack the attacker assumes the identity of each party towards the
other in order to read and possibly modify the messages; mutual authentication (as in
SSL/TLS and IPSec) is the defence.
5. Trojans
• These are programs that look like ordinary software but perform malicious actions
when launched.
• The main protection is to verify a cryptographic checksum or a digital signature on
software before it is installed or run, and to obtain software only from trusted sources.
6. Denial-of-Service attack (DoS) and Distributed Denial-of-Service (DDoS)
• A Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack is an attempt
to make a machine or network resource unavailable to its legitimate users.
• There are three basic types of attack:
− Consumption of computational resources, such as bandwidth, disk
space or CPU time.
− Disruption of configuration information, such as routing information.
− Disruption of physical network components.
• Common forms of denial of service attacks are:
a) Buffer Overflow Attacks
• The attacker sends more data to a program than the buffer the programmer allocated for
it can hold; the overflow corrupts adjacent memory and typically crashes the service.
• Examples:
− Sending e-mail messages that have attachments with 256-character file names
to (old versions of) the Netscape and Microsoft mail programs.
− Sending oversized Internet Control Message Protocol (ICMP) packets ("ping of
death").
b) Smurf Attack
• The attacker sends ICMP echo (ping) requests to the broadcast address of a network,
with the source address forged to be the target's address.
• Every host on that network replies to the target, so a flood of ping replies reaches the
innocent, spoofed host; the attack amplifies the attacker's bandwidth by the number of
responding hosts.
c) SYN floods
• The attacker sends a succession of TCP SYN requests (often from spoofed sources) to the
target, which allocates a half-open connection for each one; enough of them consume the
server's connection table and make it unresponsive to legitimate traffic.
Distributed Denial-of-Service attacks (DDoS)
• A DDoS attack occurs when many attacking machines together flood the bandwidth or
resources of a targeted system with useless traffic.
• In a DDoS attack, the attacker first gains access to numerous hosts and installs a slave
(agent) program on each of them. A master program then instructs all the slaves to
launch a denial-of-service attack directed at the same target host.
• Ingress filtering helps only to the extent that the attack relies on spoofed source
addresses; against traffic from genuine compromised hosts it does nothing, so rate
limiting and upstream filtering are needed as well.
7. Social Engineering
• Social engineering is the practice of obtaining confidential information by
manipulation of legitimate users.
• A social engineer will commonly use the telephone or Internet to trick a person into
revealing sensitive information or getting them to do something that is against typical
policies.
Examples of social engineering
• Phishing
• Impersonation on help desk calls
• Physical access (such as tailgating)
• Shoulder surfing
• Dumpster diving
• Stealing important documents
• Fake software
SECURITY AT APPLICATION LAYER
• Security services for e-mail are provided by two protocols: Pretty Good Privacy
(PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME).
E-mail Security
• Sending an e-mail is a one-time, store-and-forward activity: unlike SSL or IPSec, there is
no handshake in which sender and receiver can negotiate algorithms and keys.
• Therefore, in e-mail security the sender must include in the message the names or
identifiers of the algorithms used, so that the receiver can process it later.
• In e-mail security, the message itself is encrypted/decrypted with a symmetric-key
algorithm, and the secret (session) key needed to decrypt it is encrypted with the public
key of the receiver and sent along with the message.
PRETTY GOOD PRIVACY (PGP)
• PGP is a freely available software package for e-mail security; its message format is
standardized as OpenPGP (RFC 4880), and GnuPG is a widely used free implementation.
• PGP provides privacy, integrity, authentication, and non-repudiation.
• PGP uses a digital signature (a combination of hashing and public key encryption) to
provide integrity, authentication, and non-repudiation. PGP uses a combination of
secret key encryption and public key encryption to provide privacy.
• Public-key algorithms such as RSA, Diffie-Hellman/ElGamal and DSS are used for key
encryption and signatures; CAST-128, 3DES and IDEA are used for symmetric encryption
and SHA-1 for hashing. (Current OpenPGP implementations default to AES and SHA-2
hashes, as 3DES and SHA-1 are no longer considered adequate.)
• PGP’s operation consists of five services:
1. Authentication
2. Confidentiality
3. Compression
4. E-mail compatibility
5. Segmentation


PGP Operation – Authentication


1. Sender creates the message.
2. Sender computes a 160-bit SHA-1 hash of the message.
3. Sender signs the hash with RSA using the sender's private key (PRa) and attaches the
signature to the message.
4. Receiver decrypts the signature using the sender's public key (PUa) and recovers the
hash code.
5. Receiver computes the hash of the received message and compares it with the recovered
hash; a match verifies both integrity and origin.
PGP Operation – Confidentiality
1. Sender generates a random 128-bit session key (Ks) for this message only.
2. Sender encrypts the message with the session key using symmetric encryption.
3. Sender encrypts the session key with public key encryption (EP) using the receiver's
public key (PUb) and attaches it to the message.
4. Receiver decrypts the session key using its private key (PRb).
5. The recovered session key is used to decrypt the message.
PGP Operation – Confidentiality & Authentication
• can use both services on same message
1.create signature & attach to message
2.encrypt both message & signature
3.attach encrypted session key
PGP Operation – Compression
• By default, PGP compresses the message after signing but before encrypting, so that the
signature can be verified against the uncompressed message and the compressed (less
redundant) data is what gets encrypted.
• Because the signature is computed over the uncompressed message, the receiver can
store the uncompressed message and signature for later verification.
• PGP uses the ZIP (deflate) compression algorithm.
PGP Operation – Email Compatibility
• Most e-mail systems only allow messages consisting of ASCII characters. To transmit
the binary output of encryption, PGP converts it with Radix-64 (base64) encoding, which
expands the data by one third; the encoded text also carries a CRC-24 checksum line.
PGP Operation – Segmentation
• E-mail systems limit the maximum message size, so PGP segments a message that is too
large into pieces that fit the limit and reassembles them at the receiver.
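The following Python script is an added example (it is not part of these lecture notes and is not code from PGP or GnuPG) showing the e-mail compatibility and segmentation steps above: it Radix-64-armors a binary message with the CRC-24 checksum line that RFC 4880 specifies, splits an oversized message into numbered PART x/y segments, and reassembles them while checking each part's CRC. The 64-character line length, the byte limit passed to `segment`, and the function names are choices made here; real PGP armor also carries header lines such as `Version:`, which are omitted.

```python
import base64
from typing import List, Optional, Tuple

# CRC-24 constants from RFC 4880 section 6.1 (OpenPGP ASCII armor)
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
LINE_LEN = 64            # characters per armored line (GnuPG uses 64; RFC 4880 allows up to 76)


def crc24(data: bytes) -> int:
    """CRC-24 over the binary message, as defined in RFC 4880."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, part: Optional[Tuple[int, int]] = None) -> str:
    """Radix-64 encode one (segment of a) binary PGP message.
    part=(x, y) produces the multipart header 'PART x/y' used for segmented messages."""
    title = "PGP MESSAGE" if part is None else f"PGP MESSAGE, PART {part[0]}/{part[1]}"
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + LINE_LEN] for i in range(0, len(body), LINE_LEN)]
    # the checksum line is '=' followed by the base64 of the 3-byte CRC
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {title}-----", ""] + lines
                     + [crc_line, f"-----END {title}-----"]) + "\n"


def dearmor(text: str) -> bytes:
    """Reverse armor(); raises ValueError if the CRC-24 line does not match the data."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN") and lines[-1].startswith("-----END")):
        raise ValueError("missing armor header/footer")
    body_lines = lines[1:-1]
    if "" in body_lines:                       # skip armor headers up to the blank separator
        body_lines = body_lines[body_lines.index("") + 1:]
    crc_line = body_lines[-1]
    if not crc_line.startswith("="):
        raise ValueError("missing CRC line")
    data = base64.b64decode("".join(body_lines[:-1]))
    expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: armored text corrupted")
    return data


def segment(data: bytes, max_bytes: int) -> List[str]:
    """Split a binary message into numbered parts, each armored separately."""
    chunks = [data[i:i + max_bytes] for i in range(0, len(data), max_bytes)] or [b""]
    return [armor(chunk, (i + 1, len(chunks))) for i, chunk in enumerate(chunks)]


def reassemble(parts: List[str]) -> bytes:
    """Dearmor every part in order (each CRC is checked) and concatenate the pieces."""
    return b"".join(dearmor(p) for p in parts)


if __name__ == "__main__":
    message = bytes(range(256)) * 3           # constructed binary "ciphertext"
    print(armor(message)[:120])
    parts = segment(message, 200)
    print(len(parts), "parts;", "round trip ok:", reassemble(parts) == message)
```

The CRC catches corruption introduced by mail gateways (e.g., a stripped trailing space or a wrapped line); it is not a security check, since an attacker can simply recompute it, so integrity of the message itself still comes from the PGP signature inside.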


S/MIME

• Secure/Multipurpose Internet Mail Extensions (S/MIME) is a security service designed
for electronic mail.
• The protocol is a security enhancement of the MIME Internet e-mail format standard.
• It uses public key cryptography, symmetric key cryptography, hash functions, and
digital signatures, with X.509 certificates for key distribution.
Cryptographic Message Syntax (CMS)
• The Cryptographic Message Syntax describes encapsulation syntax for data
protection. It supports digital signatures, message authentication codes, and
encryption
• The syntax in each case defines the exact encoding scheme for each content type.
Data Content Type
• The Data content type is an arbitrary octet string (e.g., the ASCII text of the message);
the object created is called Data.
• There are six content types in total: data, signed-data, enveloped-data,
digested-data, encrypted-data, and authenticated-data.
Signed-Data Content Type
• This type provides integrity and origin authentication (but not confidentiality). It
contains any content type and zero or more signature values. The encoded result is an
object called signedData.
• The following are the steps in the process:
1. For each signer, a message digest is created from the content using that signer's
hash algorithm.
2. Each message digest is signed with the private key of the signer.
3. The content, signature values, certificates, and algorithm identifiers are then collected
to create the signedData object.

Enveloped-Data Content Type


• This type is used to provide privacy (confidentiality) for the message.
• It contains any content type plus zero or more encrypted session keys and certificates.
The encoded result is an object called envelopedData.
1. A pseudorandom session key is created for the symmetric-key algorithm to be
used.
2. For each recipient, a copy of the session key is encrypted with the public key of
that recipient.
3. The content is encrypted using the chosen algorithm and the session key.
4. The encrypted content, the encrypted session keys, the algorithm identifiers and the
certificates are collected into the envelopedData object, which MIME then transfers
in base64 (Radix-64) encoding.


Digested-Data Content Type


• This type is used to provide integrity for the message.
• The result is normally used as the content for the enveloped-data content type. The
encoded result is an object called digested Data.
1. A message digest is calculated from the content.
2. The message digest, the algorithm, and the content are added together to create the
digested Data object.

Encrypted-Data Content Type


• This type is used to create an encrypted version of any content type.
• Although this looks like the enveloped-data content type, the encrypted-data content
type has no recipient information. It can be used to store encrypted data (e.g., on disk)
instead of transmitting it.
• The encrypted content is stored together with the algorithm identifier but without the
key; key management is handled outside the message. The object created is called
encryptedData.
Authenticated-Data Content Type
• This type is used to provide authentication of the data. The object is called
authenticated Data. Figure shows the process.
1. Using a pseudorandom generator, a MAC key is generated for each recipient.
2. The MAC key is encrypted with the public key of the recipient.
3. A MAC is created for the content.
4. The content, MAC, algorithms, and other information are collected together to
form the authenticated Data object.

SECURITY AT TRANSPORT LAYER (SSL AND TLS)


SECURE SOCKET LAYER (SSL) (KTU May 2019)
• SSL (Secure Socket Layer) provides secure and authenticated connections between
browsers and servers. SSL services include authentication, fragmentation,
compression (optional), message integrity and confidentiality. TLS (Transport Layer
Security) is the IETF-standardized successor of SSL with the same architecture.
• SSL is composed of four protocols in two layers, as shown in Figure. The SSL protocols
are the SSL Handshake Protocol, SSL Record Protocol, SSL Change Cipher Spec
Protocol and SSL Alert Protocol; the handshake, change cipher spec and alert protocols
run on top of the Record Protocol, which itself runs over TCP.


• SSL involves three basic phases:


1. Handshake phase – negotiates the cipher suite (encryption and MAC algorithms) and
establishes the keys.
2. Authentication phase – authenticates the server to the client (using the server's
certificate). Optionally the client can also be authenticated to the server.
3. Symmetric cipher-based traffic encryption phase – once the handshake and
authentication are complete and transmission of application data begins, all
data is encrypted using the session keys negotiated during the handshake phase.
SSL Handshake Protocol
• The Handshake Protocol is used to establish a session between the server and the client.
• It allows the server and client to authenticate each other and to negotiate an encryption
algorithm, a MAC algorithm and the cryptographic keys.
• The SSL Handshake Protocol works in four phases:
 Phase-1: Client and server exchange hello messages. These carry the protocol
version, random nonces, a session ID, and the list of cipher suites (encryption and
MAC algorithms) and compression methods the client offers; the server picks one.
 Phase-2: The server sends its certificate, optionally followed by a Server-key-exchange
message (needed when the certificate alone does not allow key exchange, e.g. for
Diffie-Hellman) and optionally a certificate request. The server ends phase-2 by
sending a Server-hello-done message.
 Phase-3: The client replies with its certificate (if requested), followed by the
Client-key-exchange message carrying the pre-master secret (encrypted with the
server's public key, or the client's Diffie-Hellman value) and, if it sent a certificate, a
Certificate-verify message.
 Phase-4: Both sides send a Change-cipher-spec message to switch to the negotiated
parameters, followed by an encrypted Finished message that carries a MAC over all the
handshake messages; after this the Handshake Protocol ends.


The SSL Record Protocol


• The SSL Record Protocol provides two services:
1. Confidentiality – using encryption.
2. Message Integrity – using a Message Authentication Code (MAC).
• The operation of the SSL Record Protocol consists of the following five steps:
– Fragmentation: The message is fragmented into blocks whose length does not exceed
2^14 (16384) bytes.
– Compression: These blocks are then optionally compressed (losslessly; the compressed
block may grow by at most 1024 bytes).
– Adding MAC: This step computes the MAC (Message Authentication Code) over the
compressed data, together with the record's sequence number, content type and length,
using a shared secret key. The MAC is appended to the compressed message block.
– Encryption: The compressed message and the MAC are encrypted using
symmetric-key encryption.
– Append SSL Record Header: Finally, an SSL header is prepended to the encrypted
block. The SSL header has Content type (8 bits), Major Version (8 bits), Minor Version
(8 bits) and Compressed Length (16 bits).

• The record protocol then transmits the resulting unit in a TCP segment. At the
receiver side, received data are decrypted, verified, decompressed and reassembled
and then delivered to the higher level protocol
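An added Python sketch of the record-layer pipeline described above (it is not from the notes and not from any SSL/TLS implementation). HMAC-SHA256 stands in for the negotiated MAC algorithm and zlib for the compression method; because the standard library has no block cipher, a SHA-256 counter keystream stands in for the negotiated symmetric cipher. That keystream is not a real cipher and is only there to keep the MAC-then-encrypt order and the header layout visible. The MAC input (sequence number, content type, version, length, data) follows the TLS 1.0 HMAC form rather than the SSL 3.0 keyed-hash construction; the key values and function names are assumptions.

```python
import hashlib
import hmac
import struct
import zlib
from typing import List

MAX_FRAGMENT = 2 ** 14          # 16384-byte fragment limit of the record layer
CT_APPLICATION_DATA = 23        # content type value for application data
VERSION = (3, 1)                # major/minor version bytes (3,1 = TLS 1.0 record format)
MAC_LEN = 32                    # HMAC-SHA256 output length


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Stand-in for the negotiated symmetric cipher: a SHA-256 counter keystream.
    NOT a real cipher; it only makes the MAC-then-encrypt structure visible."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!QI", seq, counter)).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def _mac(mac_key: bytes, seq: int, ctype: int, length: int, payload: bytes) -> bytes:
    # MAC input = sequence number || content type || version || length || compressed data,
    # so a record that is replayed, reordered or retyped fails verification
    header = struct.pack("!QBBBH", seq, ctype, VERSION[0], VERSION[1], length)
    return hmac.new(mac_key, header + payload, hashlib.sha256).digest()


def send_records(message: bytes, mac_key: bytes, enc_key: bytes,
                 seq: int = 0, compress: bool = True) -> List[bytes]:
    """Fragment -> (compress) -> MAC -> encrypt -> prepend the 5-byte record header."""
    records = []
    for i in range(0, len(message), MAX_FRAGMENT):
        fragment = message[i:i + MAX_FRAGMENT]
        body = zlib.compress(fragment) if compress else fragment
        body_mac = body + _mac(mac_key, seq, CT_APPLICATION_DATA, len(body), body)
        ciphertext = _xor(body_mac, _keystream(enc_key, seq, len(body_mac)))
        header = struct.pack("!BBBH", CT_APPLICATION_DATA, VERSION[0], VERSION[1], len(ciphertext))
        records.append(header + ciphertext)
        seq += 1                                  # one sequence number per record, per direction
    return records


def receive_records(records: List[bytes], mac_key: bytes, enc_key: bytes,
                    seq: int = 0, compress: bool = True) -> bytes:
    """Reverse the pipeline; raise ValueError if any MAC fails (tampering or reordering)."""
    out = b""
    for rec in records:
        ctype, major, minor, length = struct.unpack("!BBBH", rec[:5])
        ciphertext = rec[5:5 + length]
        if (major, minor) != VERSION or len(ciphertext) != length:
            raise ValueError("bad record header")
        plain = _xor(ciphertext, _keystream(enc_key, seq, len(ciphertext)))
        body, tag = plain[:-MAC_LEN], plain[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(mac_key, seq, ctype, len(body), body)):
            raise ValueError(f"MAC check failed on record {seq}")
        out += zlib.decompress(body) if compress else body
        seq += 1
    return out


if __name__ == "__main__":
    mk, ek = b"mac-key-from-handshake", b"enc-key-from-handshake"   # assumed session keys
    data = b"GET / HTTP/1.1\r\n" * 3000                              # 48000 bytes -> 3 records
    recs = send_records(data, mk, ek)
    print(len(recs), "records; first header:", recs[0][:5].hex())
    print("round trip ok:", receive_records(recs, mk, ek) == data)
```

Note that the MAC is verified before decompression: a record whose ciphertext was altered or whose position was swapped with another is rejected without ever feeding attacker-controlled bytes to the decompressor.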
SSL Change Cipher Spec Protocol
• This is used to cause the pending state to be copied into the current state which
updates the cipher suite.
SSL Alert Protocol
• This protocol is used to convey SSL-related alerts.
• It consists of two bytes the first of which takes the values 1 (warning) or 2 (fatal).
• If the level is fatal SSL immediately terminates the connection.
• The second byte contains a code that indicates the specific alert

SSL Services (KTU Dec 2018)


SSL provides several services on data received from the application layer.
Authentication: Authenticates the server and the client to each other (client
authentication is optional).
Fragmentation: SSL divides the data into blocks of 2^14 bytes or less.
Compression: Each fragment of data is compressed by using one of the lossless
compression methods. This service is optional.
Message integrity: To preserve the integrity of data, SSL uses a keyed-hash function to
create a MAC (Message Authentication Code) over the compressed data.
Confidentiality: The (compressed) data and the MAC are encrypted using symmetric-key
cryptography.
Framing: A header is added to the encrypted payload. The payload is then passed to a reliable
transport layer protocol (TCP).

NETWORK LAYER SECURITY – IPSEC (KTU May 2019)


• IP security (IPSec) is a suite of protocols that provides security at the network layer.
• IPSec services include:
o Authentication – authenticating the two endpoints (hosts or gateways) to each other
o Confidentiality – encrypting the data
o Data integrity – ensured by adding a message authentication code (MAC)
o Anti-replay – each packet carries a sequence number, so a duplicated (replayed)
packet is detected and discarded
o Key management
• IPSec works with both IPv4 and IPv6.
• The two principal protocols in the IPSec suite are the Authentication Header (AH)
protocol and the Encapsulating Security Payload (ESP) protocol.
• With both AH and ESP, before sending secure packets from a source host to a
destination host, the two hosts perform a handshake and create a network-layer logical
connection. This logical channel is called a security association (SA). An SA is simplex
(one direction); two-way traffic needs a pair of SAs.
• An SA is uniquely identified by a 3-tuple consisting of:
o a security protocol (AH or ESP) identifier;
o the destination IP address of the simplex connection;
o a 32-bit connection identifier called the Security Parameter Index (SPI).
• Two modes of operation in IPSec:
Transport Mode:
• In transport mode, IPSec does not protect the IP header; it only protects the
information coming from the transport layer.
o The original IP header is kept.
o The AH/ESP header is inserted between the IP header and the transport-layer
payload; with ESP the payload (including the TCP header) is replaced by cipher text.
o The packet is sent to the destination with its original IP header.
o The destination removes the IPSec header and decrypts/verifies the payload.
o Transport mode is used host-to-host, since both endpoints must support IPSec.

• Tunnel Mode: In tunnel mode, IPSec protects the entire IP packet. It takes an IP
packet, including the header, applies the IPSec security methods to the entire packet and
then adds a new IP header.
o The entire original packet is encrypted (ESP) or authenticated (AH).
o A new IP header (addressed to the far gateway) is added in front of the cipher text
and the packet is routed on it.
o The receiving gateway verifies/decrypts the packet.
o The inner (original) IP header is then used for final delivery to the destination host.
o Tunnel mode is what site-to-site VPN gateways use; the end hosts need not support
IPSec.

Authentication Header (AH) Protocol


• AH protocol provides source host authentication, data integrity and protection against
replay attacks but not confidentiality.
• Before sending datagrams to a destination, the source host first establishes an SA with
the destination.
• When the AH header is included, an IPv4 packet looks like

• When the AH header is included, an IPv6 packet may look like

• Figure shows the Authentication Header (AH).

• Next Header – indicates what follows the AH header. In transport mode it will be the
value of the upper-layer protocol being protected (e.g. 6 for TCP, 17 for UDP). In tunnel
mode the value is 4 for IPv4 encapsulation or 41 for IPv6 encapsulation.
• Payload length – indicates the length of the authentication header in 32-bit words minus
two (so a 24-byte AH with a 96-bit ICV carries the value 4).
• Security Parameter Index (SPI) – a 32-bit value that, in combination with the
destination IP address and the protocol, identifies the Security Association (SA) for the
packet.
• Sequence Number field – a 32-bit field containing a monotonically increasing
sequence number for each packet sent, used to detect replay attacks. The counter is set to
zero when the SA is established, so the first packet carries 1. For a given SA a
sequence number is never reused: if the counter would wrap, a new SA must be
negotiated. The receiver keeps a sliding window (at least 32, typically 64 packets) and
rejects duplicates and packets older than the window.
• Authentication Data (ICV) – a variable length field that holds the MAC (Message
Authentication Code) computed over the immutable IP header fields, the AH itself and
the payload.
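An added Python example (not from the notes and not from any IPSec stack) that builds and parses the Authentication Header with the field layout just described, looks a packet up in an SA database keyed by (protocol, destination address, SPI), and implements the sliding anti-replay window that the sequence number field exists for (the algorithm of RFC 4302 section 3.4.3). The ICV is carried but not computed, since that would need the SA's HMAC key and the IP header; the 12-byte ICV length corresponds to HMAC-SHA1-96. Class and function names, the SPI values and the addresses are assumptions.

```python
import struct
from typing import Dict, Tuple

AH_FIXED_LEN = 12          # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12               # HMAC-SHA1-96 integrity check value


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Serialize an Authentication Header. Payload Length is the AH length in
    32-bit words minus 2, so a 24-byte AH (12 fixed + 12 ICV) carries 4."""
    total_words = (AH_FIXED_LEN + len(icv)) // 4
    return struct.pack("!BBHII", next_header, total_words - 2, 0, spi, seq) + icv


def parse_ah(data: bytes) -> dict:
    """Split an AH (plus whatever follows it) into its fields."""
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    if len(data) < ah_len:
        raise ValueError("truncated AH")
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": data[AH_FIXED_LEN:ah_len], "rest": data[ah_len:]}


class ReplayWindow:
    """Sliding anti-replay window: accept a sequence number only if it is newer than
    the window's right edge, or inside the window and not yet seen."""

    def __init__(self, size: int = 64):
        self.size = size
        self.right = 0          # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence number (right - i) was received

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False        # numbering starts at 1; 0 is never valid
        if seq > self.right:    # newer than anything seen: slide the window forward
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.size:
            return False        # older than the window: reject
        if (self.bitmap >> offset) & 1:
            return False        # already received: replay
        self.bitmap |= 1 << offset
        return True


class SADatabase:
    """Inbound SAs keyed by (protocol, destination address, SPI), as RFC 4301 defines."""

    def __init__(self):
        self.sas: Dict[Tuple[str, str, int], ReplayWindow] = {}

    def add(self, proto: str, dst: str, spi: int, window: int = 64) -> None:
        self.sas[(proto, dst, spi)] = ReplayWindow(window)

    def process(self, dst: str, ah_bytes: bytes) -> str:
        hdr = parse_ah(ah_bytes)
        window = self.sas.get(("AH", dst, hdr["spi"]))
        if window is None:
            return "drop: no SA"
        # a real stack verifies hdr["icv"] against HMAC(key, immutable IP fields || AH || payload)
        # here, before touching the replay window, so forged packets cannot advance it
        if not window.check_and_update(hdr["seq"]):
            return "drop: replay"
        return f"accept: next_header={hdr['next_header']}"


if __name__ == "__main__":
    db = SADatabase()
    db.add("AH", "10.0.0.2", 0x1234)                     # constructed inbound SA
    pkt = build_ah(6, 0x1234, 1, b"\x00" * ICV_LEN) + b"tcp segment"
    print(db.process("10.0.0.2", pkt))                    # accept
    print(db.process("10.0.0.2", pkt))                    # drop: replay
```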
ESP Protocol
• ESP provides confidentiality, data integrity, data source authentication of IP packets,
and protection against replay attacks (integrity and authentication are optional in ESP
but strongly recommended, since encryption alone does not detect tampering).
• It does so by inserting a new header, an ESP header, after the IP header and before the
data to be protected, and appending an ESP trailer (padding, pad length and next header)
followed by the authentication data.

• SPI: helps the receiving host identify the security association to which the packet
belongs.
• Sequence Number – protects against replay attacks, exactly as in AH.
• Payload Data – contains the data described by the Next Header field (in the trailer) and
being protected by ESP. If confidentiality is selected, this data is encrypted by the
encryption algorithm associated with the SA.
• Padding is sometimes necessary, for example because the encryption algorithm
requires the plaintext to be a multiple of some number of bytes, or to hide the true
payload length. The Pad Length field records how much padding was added to the data.
• Authentication data (ICV) – holds the result of the integrity check, computed over the
ESP header, payload and trailer (but, unlike AH, not over the outer IP header).
SA and Key Management
• Several protocols have been defined for scalable and automated SA and key
management, including:
• The Internet Key Exchange (IKE) protocol, the default key management protocol
for IPSec; it authenticates the two ends and derives the SA keys with Diffie-Hellman.
• The Internet Security Association and Key Management Protocol (ISAKMP), which
defines the procedures and packet formats for establishing and tearing down SAs.
DEFENCE AND COUNTER MEASURES:
FIREWALLS
• A firewall is a piece of hardware or software, or a combination of both, used to prevent
unauthorized external users (from other networks) from accessing or modifying the
resources of a network.
• It enforces an access control policy between two or more networks. It is also called a
Border Protection Device (BPD).
• Firewalls sit at the junction point or gateway between two networks, usually between a
private network and a public network such as the Internet.

• The firewall examines all traffic routed between the two networks to see if it meets certain
criteria. If it does, the traffic is routed between the two networks; otherwise it is stopped.
• Firewalls can filter packets based on their source and destination addresses and port
numbers. This is known as address filtering.
• Firewalls can also filter specific types of network traffic. This is known as protocol
filtering, because the decision to forward or reject traffic depends on the protocol used.
• Firewalls can also filter traffic by packet attribute or connection state.
• Firewalls fall into four broad categories.
1. Filter- Based Firewalls
a. Frame filtering Firewalls
b. Packet filtering Firewalls
2. Circuit level Gateway Firewalls
3. Proxy- Based Firewalls or Application Gateways
4. Stateful Multilayer Inspection Firewalls
1.Filter - Based Firewalls
• Filter-based firewalls are the simplest and most widely used. They are configured
with a table of addresses that characterize the packets (or frames) they will, and will
not, forward.
a)Frame filtering firewalls
• Frames that do not belong to a trusted network are summarily rejected.


b)Packet filtering firewalls


• Packet filtering firewalls work at the network level of the OSI model, or the IP layer
of TCP/IP. They are usually part of a router.
• In a packet filtering firewall each packet is compared to a set of rules before it is
forwarded. Depending on the packet and the rules, the firewall can drop the packet
silently, forward it, or reject it with an error message to the originator.
• Rules can include the source and destination IP address, the source and destination port
number and the protocol used; rules are checked in order, the first match decides, and a
default action (usually deny) applies when nothing matches.
• For example, a firewall may filter (not forward) all packets that match the following
description: ⟨192.12.13.14, 1234, 128.7.6.5, 80⟩. This pattern says to filter all
packets from port 1234 on host 192.12.13.14 addressed to port 80 on host 128.7.6.5.
• Forwarding/filtering decisions are thus based on layer-4 port numbers in addition to
layer-3 host addresses; hence such devices are also called level-4 switches.
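The following Python example is added here and is not from the notes or from any firewall product. It serves two passages: the ingress filtering described under Spoofing, and the packet-filtering rule table just described. A stateless filter first checks that a packet's source address arrived on the interface through which that address range is known to be reachable (the anti-spoofing check), then walks an ordered rule list with first-match semantics and a default deny; the page's example pattern ⟨192.12.13.14, 1234, 128.7.6.5, 80⟩ is the first rule. The protected prefix 128.7.6.0/24, the interface names, the remaining rules and the `PacketFilter`/`Rule` names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    iface: str            # interface the packet arrived on ("wan" or "lan")
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]  # None for protocols without ports (ICMP)
    dst: str
    dport: Optional[int]


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"            # CIDR; a single host is written /32
    sport: Optional[range] = None     # None = any port
    dst: str = "0.0.0.0/0"
    dport: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and (p.sport is None or p.sport not in self.sport):
            return False
        if self.dport is not None and (p.dport is None or p.dport not in self.dport):
            return False
        return True


class PacketFilter:
    """Stateless packet filter with an ingress (anti-spoofing) check in front of the rule table."""

    def __init__(self, rules: List[Rule], prefixes: Dict[str, List[str]], default_iface: str):
        self.rules = rules
        # prefixes known to be reachable via each interface; any other source address
        # can only legitimately arrive on the default (Internet-facing) interface
        self.prefix_iface = [(ipaddress.ip_network(n), iface)
                             for iface, nets in prefixes.items() for n in nets]
        self.default_iface = default_iface

    def expected_iface(self, src: str) -> str:
        addr = ipaddress.ip_address(src)
        for net, iface in self.prefix_iface:
            if addr in net:
                return iface
        return self.default_iface

    def decide(self, p: Packet) -> str:
        # step 1: ingress filtering - a source address must arrive on the interface
        # through which that address range is known to be reachable
        if self.expected_iface(p.src) != p.iface:
            return "drop (spoofed source)"
        # step 2: first matching rule wins; nothing matched -> default deny
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny (default)"


# constructed policy: 128.7.6.0/24 is the protected LAN behind interface "lan";
# the page's pattern <192.12.13.14, 1234, 128.7.6.5, 80> is the first rule
POLICY = PacketFilter(
    rules=[
        Rule("deny", "tcp", "192.12.13.14/32", range(1234, 1235), "128.7.6.5/32", range(80, 81)),
        Rule("allow", "tcp", "0.0.0.0/0", None, "128.7.6.5/32", range(80, 81)),    # public web server
        Rule("allow", "tcp", "128.7.6.0/24", None, "0.0.0.0/0", range(443, 444)),  # LAN may use HTTPS
    ],
    prefixes={"lan": ["128.7.6.0/24"]},
    default_iface="wan",
)

if __name__ == "__main__":
    for pkt in (Packet("wan", "tcp", "192.12.13.14", 1234, "128.7.6.5", 80),
                Packet("wan", "tcp", "203.0.113.9", 5000, "128.7.6.5", 80),
                Packet("wan", "tcp", "128.7.6.20", 5000, "128.7.6.5", 80)):   # LAN address from outside
        print(pkt.src, "->", pkt.dst, ":", POLICY.decide(pkt))
```

Being stateless, this filter cannot tell a reply belonging to a LAN-initiated HTTPS session from an unsolicited packet with source port 443; allowing such replies is what the stateful inspection firewalls described later add.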
2.Circuit level Gateway Firewalls
• Circuit level gateways work at the session layer of the OSI model, or the TCP layer of
TCP/IP. They monitor the TCP handshake between the two hosts to determine whether a
requested session is legitimate, and then relay the bytes of the established connection.
• Circuit level gateways are relatively inexpensive and have the advantage of hiding
information about the private network they protect (the outside sees only the gateway's
address).
• They do not inspect the contents of individual packets.
3.Application Gateways or Proxy- Based Firewalls
• Application level gateways, also called proxies, examine the data in all network packets
at the application layer.
• The application gateway decides whether to transmit or discard the message based on
header fields, message size, or even the content.
• An application gateway or proxy sits between a client process and a server
process, and all application data (inbound and outbound) must pass through it.
• To the client, the proxy appears to be the server; to the server, the proxy appears to be
the client. Usually a cache is integrated with the proxy: whenever a request comes
from a client, the proxy first checks the cache for the requested information.

• Proxy-based firewalls can be either transparent or classical.

• A transparent proxy is not explicitly visible to either the sender or the receiver; in
contrast, the source purposely addresses messages to a classical proxy, which then
forwards the message to the ultimate destination.
4.Stateful multilayer inspection firewalls


• Stateful multilayer inspection firewalls combine the aspects of the other three types of
firewalls. They filter packets at the network layer, determine whether session packets
are legitimate and evaluate contents of packets at the application layer.
• They monitor all transactions between two systems.
• Stateful multilayer inspection firewalls offer a high level of security, good
performance and transparency to end users.
• They are expensive and complex.
Advantages of firewalls
• Defines a single choke point to keep unauthorized users out of the protected network.
• Provides protection from various kinds of IP spoofing (by ingress filtering).
• Provides a location for monitoring security-related events.
• Prohibits potentially vulnerable services from entering or leaving the network.
• Audits and alarms can be implemented on the firewall systems.
Limitations of firewalls
• It does not protect against internal threats from insiders.
• It cannot control traffic that does not pass through it, e.g. via a wireless or dial-up link
that bypasses the perimeter.
• It cannot protect against completely new threats, since its rules describe known ones.
• It cannot prevent virus attacks: scanning every file in every format and encoding at the
perimeter is impractical.
• It cannot stop attacks carried inside traffic it is configured to allow (e.g., an exploit
against the web server sent over port 80).

INTRUSION DETECTION SYSTEM (IDS)

• An IDS is defined as the tools, methods, and resources that help identify, assess, and
report unauthorized or unapproved network activity.
• An IDS detects activity in traffic that may or may not be an intrusion; it raises alerts and,
unlike a firewall, does not by itself block traffic.
• IDSs can detect insider attacks as well as external attacks, and are often very useful in
detecting violations of corporate security policy and other internal threats.
Typical features of an Intrusion Detection System:

1. Monitors and analyzes user and system activities.
2. Performs auditing of the system files, other configurations and the operating
system.
3. Assesses the integrity of system and data files.
4. Analyzes patterns based on known attacks.
5. Detects errors in system configuration.
6. Detects and warns when the system is in danger.
Classification of Intrusion Detection Systems:

Based on the type of systems the IDS protects:

Host Based Intrusion Detection

• Host-based intrusion detection systems are aimed at collecting information about
activity on a particular single system, or host.
• Host-based agents, referred to as sensors, are installed on each monitored host. Sensors
work by collecting data about events taking place on that system (log files, system calls,
file changes, logins).
• A host-based IDS focuses on analyzing the specific operating system and applications,
resource utilization and other system activity of the host it runs on.
• Incoming and outgoing packets of that host are monitored, and the auditing of its
files is done.
• Host-based IDSs are often critical in detecting internal attacks directed towards an
organization's servers such as DNS, mail and web servers, and they can see inside
encrypted sessions that a network-based IDS cannot decrypt.
Network Based Intrusion Detection

• These systems collect information from the network itself, rather than from each
separate host.
• The system monitors the contents and header information of all the packets moving
across the network, continuously analyzing the traffic and comparing it with the
known attacks in its library.
• If an attack is detected, an alert is sent to the system administrator.
• It is placed mostly at important points in the network, so that it can keep an eye on the
traffic travelling to and from the different devices on the network (e.g., on a switch
mirror port or a network tap).
• The IDS is placed along the network boundary or between the network and the servers.
• An advantage of this system is that it can be deployed easily and at low cost, without
having to be installed on each system; its limitation is that it cannot see inside
encrypted traffic and may drop packets at very high traffic rates.
Comparison between Host based IDS and Network based IDS:


Hybrid Intrusion Detection

• Are systems that combine both Host-based IDS, which monitors events occurring on
the host system and Network-based IDS, which monitors network traffic.
• A Hybrid IDS is often deployed on an organization’s most critical servers.
Based on the method of working:

Signature based Intrusion Detection System:

• This system works on the principle of pattern matching.
• The data is analyzed and compared with the signatures of known attacks.
• If there is a match, an alert is issued.
• An advantage of this system is its accuracy (few false positives) and standard alarms
that name the attack, which the user understands; its limitation is that it cannot detect an
attack for which no signature exists yet.
Anomaly based Intrusion Detection System:
• It consists of a statistical model of normal network traffic, covering the
bandwidth used, the protocols seen, and the ports and devices that are
part of the network.
• It regularly monitors the network traffic and compares it with the statistical model.
• In case of any anomaly or discrepancy, the administrator is alerted.
• An advantage of this system is that it can detect new and unique attacks; the cost is a
higher false-positive rate, since any unusual but legitimate activity also looks anomalous.
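An added Python example, not part of the notes and not from any IDS product, that runs a signature-based detector and an anomaly-based detector over the same constructed web-server log lines to show what each method catches and misses. The log lines, the signature patterns, the baseline profile and the function names are all made up for the example; a real IDS would work on packets or richer log records.

```python
import re
import statistics
from collections import Counter
from typing import List, Tuple

# constructed web-server access-log lines (source IP, request, status); not real traffic
LOG_LINES = [
    '10.0.0.5 "GET /index.html HTTP/1.1" 200',
    '10.0.0.5 "GET /images/logo.png HTTP/1.1" 200',
    '10.0.0.7 "GET /login?user=admin\' OR 1=1-- HTTP/1.1" 200',
    '10.0.0.9 "GET /../../etc/passwd HTTP/1.1" 404',
    '10.0.0.8 "GET /about.html HTTP/1.1" 200',
] + ['198.51.100.23 "POST /login HTTP/1.1" 401'] * 40   # password guessing: no single line is "bad"

# signature library: a name and the pattern that identifies the known attack
SIGNATURES = [
    ("sql-injection", re.compile(r"('|%27)\s*(OR|AND)\s+\d+=\d+", re.IGNORECASE)),
    ("path-traversal", re.compile(r"(\.\./|%2e%2e/)", re.IGNORECASE)),
    ("passwd-access", re.compile(r"/etc/passwd")),
]

# constructed baseline: requests per source observed during a normal period (the "model")
BASELINE_REQUESTS_PER_SOURCE = [3, 2, 4, 3, 5, 2, 3, 4]


def source_of(line: str) -> str:
    return line.split()[0]


def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Signature-based detection: every line is matched against each known pattern.
    Precise and self-explaining, but blind to anything that has no signature."""
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                alerts.append((source_of(line), name))
    return alerts


def anomaly_alerts(lines: List[str], baseline=BASELINE_REQUESTS_PER_SOURCE, k: float = 3.0):
    """Anomaly-based detection: flag sources whose request count exceeds the baseline
    mean by more than k standard deviations. Catches the brute-force source that no
    signature matches, but a legitimately busy client would trip it as well."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    counts = Counter(source_of(line) for line in lines)
    flagged = [(src, n) for src, n in counts.items() if n > threshold]
    return flagged, threshold


if __name__ == "__main__":
    for src, name in signature_alerts(LOG_LINES):
        print(f"SIGNATURE  {src:16} {name}")
    flagged, threshold = anomaly_alerts(LOG_LINES)
    for src, n in flagged:
        print(f"ANOMALY    {src:16} {n} requests (threshold {threshold:.1f})")
```

On the sample input the signature detector reports the SQL injection attempt and the traversal line (which trips two signatures) but says nothing about the forty failed logins, while the anomaly detector flags the login-guessing source and is silent about the single-request attacks; running both, as a hybrid IDS does, covers both gaps.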
Comparison between Firewall and IDS:
