
Intrusion Detection Systems
LECTURE # 32, # 33
THURSDAY 8:00 AM TO 10:00 AM, ROOM: CR2
Today Topics

• Assignment # 2 Quiz
• Intrusion Detection Systems
A Comparison Between Signature Based and Anomaly Based Intrusion Detection Systems

By: Brandon Lokesak
For: COSC 356
Date: 12/4/2008
Outline

• Introduction
• Define an Intrusion
• Objectives of Intrusion Detection Systems
• Signature Based Detection
  • Advantages and Disadvantages
• Anomaly Based Detection
  • Advantages and Disadvantages
• Active Intrusion Detection Systems (IPS)
• Cost
• Conclusion
Introduction

• Intrusion Detection System: a system which inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack by someone attempting to break into or compromise a system.
• An IDS is basically a sophisticated packet scanner.
• Designed and put into use on production networks between the late 1970s and early 1980s, and still in use today.
• The software scans all packets on the network and attempts to classify the traffic as intrusive or non-intrusive.
What Is an Intrusion

An intrusion is "any set of activities that attempt to compromise the integrity, confidentiality or availability of a resource."

"Denial of Service – action or series of actions that prevent some part of a system from performing as intended

Disclosure – unauthorized acquisition of sensitive information

Manipulation – improper modification of system information whether being processed, stored, or transmitted

Masqueraders – attempt by an unauthorized user or process to gain access to a system by posing as an authorized entity

Threats Continued

Replay – retransmission of valid messages under invalid circumstances to produce unauthorized effects

Repudiation – successful denial of an action

Device Malfunctions (health of the system) – partial or complete failure of a monitored system device"
Objectives of Intrusion Detection Systems

• "Confidentiality – ensuring that the data and system are not disclosed to unauthorized individuals, processes, or systems
• Integrity – ensuring that the data is preserved in regard to its meaning, completeness, consistency, intended use, and correlation to its representation
• Availability – ensuring that the data and system are accessible and usable to authorized individuals and/or processes
• Accountability – ensuring that transactions are recorded so that events may be recreated and traced to users or processes"
Signature Based Detection

• Signature based detection works in a similar fashion to a virus scanner. This style of detection relies on rules and tries to associate observed patterns with intrusion attempts.
• Viruses are known to often attempt a series of steps to penetrate a system. This series of steps would be compiled into such a rule (a signature).
• Whenever the IDS software (an agent) collects data, it compares what it has observed against the rules that have been defined and then has to decide whether it is a positive or a negative attempt.
Advantages of Signature Based Detection

• Often considered to be much more accurate at identifying an intrusion attempt.
• Ease of tracking down the cause of an alarm due to detailed log files.
• Time is saved since administrators spend less time dealing with false positives.
Disadvantages of Signature Based Detection

• Signature based systems can only detect an intrusion attempt if it matches a pattern that is in the database, so the database has to be constantly updated.
• Whenever a new virus or attack is identified it can take vendors anywhere from a few hours to a few days to update their signature databases.

Disadvantages of Signature Based Detection (continued)

• On hosts that are subjected to large amounts of traffic, the IDS can have a difficult time inspecting every single packet it comes in contact with, which forces some packets to be dropped and leaves the potential for hazardous packets getting by without detection.
• Systems can suffer a substantial performance slowdown if not properly equipped with the necessary hardware to keep up with the demands.
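The rule-matching step described under Signature Based Detection, as an added example that is not part of the original slides. The traffic records and the two-rule signature database are constructed (loosely modelled on Snort-style content rules), and `Signature`, `match_signatures` and `scan` are hypothetical names. The known traversal request fires both rules and leaves a detailed alert record, while the novel request in the last record matches nothing, which is the database-currency limitation listed above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample traffic records (not real captures): source, destination port, payload.
TRAFFIC = [
    {"src": "10.0.0.5",  "dport": 80, "payload": "GET /index.html HTTP/1.1"},
    {"src": "10.0.0.9",  "dport": 80, "payload": "GET /cgi-bin/../../etc/passwd HTTP/1.1"},
    {"src": "10.0.0.9",  "dport": 22, "payload": "SSH-2.0-OpenSSH_8.9"},
    {"src": "10.0.0.12", "dport": 80, "payload": "GET /app?q=NOVEL-ATTACK-NO-SIGNATURE-YET HTTP/1.1"},
]

@dataclass
class Signature:
    name: str                 # message written to the alert log when the rule fires
    dport: Optional[int]      # destination port the rule applies to; None = any port
    pattern: re.Pattern       # compiled content pattern searched for in the payload

# Constructed signature database, loosely modelled on Snort-style content rules.
SIGNATURES = [
    Signature("WEB-ATTACK directory traversal", 80, re.compile(r"\.\./\.\./")),
    Signature("WEB-ATTACK /etc/passwd access", 80, re.compile(r"/etc/passwd")),
]

def match_signatures(packet: dict, signatures=SIGNATURES) -> List[str]:
    """Compare one observed packet against every rule; return the names of the rules that fire."""
    hits = []
    for sig in signatures:
        if sig.dport is not None and sig.dport != packet["dport"]:
            continue                       # rule does not apply to this port
        if sig.pattern.search(packet["payload"]):
            hits.append(sig.name)
    return hits

def scan(traffic, signatures=SIGNATURES) -> List[dict]:
    """Run the agent over a traffic sample and build the alert log.

    Each alert keeps the rule name, source, port and matched payload so an
    administrator can trace the cause of the alarm directly from the log entry."""
    alerts = []
    for pkt in traffic:
        for rule in match_signatures(pkt, signatures):
            alerts.append({"rule": rule, "src": pkt["src"],
                           "dport": pkt["dport"], "payload": pkt["payload"]})
    return alerts

if __name__ == "__main__":
    for a in scan(TRAFFIC):   # the novel request in TRAFFIC[3] produces no alert at all
        print(f"ALERT [{a['rule']}] from {a['src']} -> port {a['dport']}: {a['payload']}")
```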
Anomaly Based Detection

An anomaly is defined as something that is not nominal or normal. Anomaly detection is split into two separate categories: static and dynamic.

• Static
  • Assumes that one or more sections on the host should remain constant
  • Focuses only on the software side and ignores any unusual changes in hardware
  • Used to monitor data integrity
• Dynamic
  • Depends on a baseline or profile
  • Baseline established by the IDS or the network administrator
  • Baseline tells the system what kind of traffic looks normal
  • May include information about bandwidth, ports, time frames, etc.
Advantages of Anomaly Based Detection

• New threats can be detected without having to worry about the database being up to date.
• Very little maintenance: once the system is installed it continues to learn about network activity and continues to build its profiles.
• The longer the system is in use, the more accurate it can become at identifying threats.
Disadvantages of Anomaly Based Detection

• The network can be in an unprotected state while the system builds its profile.
• If malicious activity looks like normal traffic to the system it will never send an alarm.
• False positives can become cumbersome with an anomaly based setup.
  • Normal usage such as checking e-mail after a meeting has the potential to signal an alarm.
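The dynamic baseline described under Anomaly Based Detection, together with the failure modes listed above, as an added example that is not part of the original slides. The hosts, hours, ports and byte counts are constructed, and `build_profile`, `score` and `detect` are hypothetical names. A per-host profile (ports, hours, bandwidth) is learned from a learning window in which nothing is alarmed (the unprotected-state disadvantage); the live window then flags a never-seen port and a bandwidth spike with no signature required, raises a false positive for an after-hours e-mail check, and stays silent on traffic that looks normal.

```python
import statistics
from collections import defaultdict

# Constructed per-interval flow summaries (not real data): (host, hour of day, dst port, bytes).
BASELINE_TRAFFIC = [  # learning window: the profile is built here and nothing is alarmed
    ("10.0.0.5", 9, 443, 12000), ("10.0.0.5", 10, 443, 15000), ("10.0.0.5", 11, 443, 13000),
    ("10.0.0.5", 14, 443, 14000), ("10.0.0.5", 15, 993, 8000), ("10.0.0.5", 16, 443, 12500),
]
LIVE_TRAFFIC = [
    ("10.0.0.5", 10, 443, 13500),    # ordinary browsing inside the profile: no alarm
    ("10.0.0.5", 10, 4444, 900),     # never-seen port: flagged with no signature needed
    ("10.0.0.5", 11, 443, 250000),   # bandwidth far above the baseline: flagged
    ("10.0.0.5", 20, 993, 7500),     # e-mail check after hours: a false positive
    ("10.0.0.5", 14, 443, 13800),    # malicious but normal-looking traffic: never alarmed
]

def build_profile(records):
    """Learn a per-host baseline: ports seen, hours seen, and byte-count mean/stdev."""
    profile = defaultdict(lambda: {"ports": set(), "hours": set(), "bytes": []})
    for host, hour, port, nbytes in records:
        profile[host]["ports"].add(port)
        profile[host]["hours"].add(hour)
        profile[host]["bytes"].append(nbytes)
    for p in profile.values():
        p["mean"] = statistics.mean(p["bytes"])
        p["stdev"] = statistics.pstdev(p["bytes"])
    return dict(profile)

def score(record, profile, k=3.0):
    """Return the reasons a record deviates from its host's profile ([] means normal)."""
    host, hour, port, nbytes = record
    p = profile.get(host)
    if p is None:
        return ["host not in profile"]
    reasons = []
    if port not in p["ports"]:
        reasons.append(f"port {port} never seen")
    if hour not in p["hours"]:
        reasons.append(f"activity at hour {hour} outside profile")
    if nbytes > p["mean"] + k * p["stdev"]:   # k-sigma bandwidth threshold
        reasons.append(f"{nbytes} bytes exceeds baseline")
    return reasons

def detect(live, profile):
    """Run a live window against the profile; return (record, reasons) for every alarm."""
    scored = [(record, score(record, profile)) for record in live]
    return [(record, reasons) for record, reasons in scored if reasons]

if __name__ == "__main__":
    for record, reasons in detect(LIVE_TRAFFIC, build_profile(BASELINE_TRAFFIC)):
        print(f"ALARM {record}: {'; '.join(reasons)}")
```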
Active Intrusion Detection Systems

Passive systems can only send an alarm to an administrator when there is an attempt in progress. An active system can take control of the situation by disconnecting the assailant.

Methods:

• Session Disruption
  • The IDS may send a TCP reset packet if the attacker has opened a TCP connection to the victim
  • The IDS may send various UDP packets to disrupt a UDP connection
  • Will not permanently remedy the situation, only disconnect the current connection
• Rule Modification
  • The IDS is linked to a firewall via an administrative link
  • The IDS communicates with the firewall, telling it to drop all packets from the attacker's IP address
