Introduction to Intrusion Detection Systems
Paul Green CISSP
What is IDS?
- Software or hardware device
- Monitors network or hosts for:
  - Malware (viruses, trojans, worms)
  - Network attacks via vulnerable ports
  - Host based attacks, e.g. privilege escalation
What is in an IDS?
An IDS normally consists of:
- Various sensors based within the network or on hosts
  - These are responsible for generating the security events
- A central engine
  - This correlates the events and uses heuristic techniques and rules to create alerts
- A console
  - To enable an administrator to monitor the alerts and configure/tune the sensors
Different types of IDS
- Network IDS (NIDS)
  - Examines all network traffic that reaches the NIC the sensor is running on, so sensor placement (and traffic mirroring, see the switched-network slides) decides what it can see
- Host based IDS (HIDS)
  - An agent on the host that monitors host activities and log files
- Stack-based IDS
  - An agent on the host that monitors all of the packets that leave or enter the host
  - Can monitor specific protocol(s) (e.g. HTTP for a web server)
Why do we need IDS?
- Firewalls use rules to reject unwanted network traffic, mostly by address, port and protocol
- Hackers can hide attacks in "acceptable" network traffic (e.g. an exploit inside an allowed HTTP request), therefore bypassing the firewall
- An IDS actually inspects the network traffic, packet by packet, including the payload
- IDS use rules as well as signatures to identify unwanted network traffic
- Anomaly-based IDS can learn what acceptable network traffic looks like and alert on deviations from that baseline
Passive versus Reactive (IPS)
- A passive system detects the anomaly, logs the information and creates an alert
  - Can be used to track a potential security breach without alerting the hacker
- A reactive system detects the anomaly and performs an action to limit the impact
  - Also known as an Intrusion Prevention System (IPS); to drop packets it must sit inline in the traffic path rather than work from a copy of the traffic
  - Example actions:
    - Reset the suspicious connection (e.g. by sending TCP RSTs to both ends)
    - Create a new firewall rule to block the attack
  - Caveat: a false positive now blocks legitimate traffic, so reactive rules need tighter tuning than alert-only rules
NIDS in more detail
- Detects malicious activity such as port scans by monitoring network traffic
- Monitors incoming and outgoing network traffic
- Does not alter or affect the traffic on the wire (non-intrusive); it works on a copy of the traffic
- Compares activity to known attack signatures
- Can sometimes detect shellcode in transit (e.g. a NOP sled), but not inside encrypted sessions
- Example: Snort
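The sensor/engine split, the "signatures plus rules" point, the passive-versus-reactive distinction and the port-scan detection mentioned on the four slides above, pulled together in one added example. This is illustration code written for this page, not Snort's code and not from the original deck: the packets, the two signatures and the response strings are constructed, and the thresholds (10 distinct ports within 5 seconds) are assumptions.

```python
"""Toy NIDS: sensors hand packet events to a central engine that applies
signature rules (Snort-style content/port matching) and a heuristic rule
(port-scan detection), then raises alerts (passive mode) or also emits
response actions (reactive/IPS mode). Added example; not Snort's code.
Packets and signatures below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float              # capture time, seconds
    src: str
    dst: str
    dport: int
    flags: str             # TCP flags as letters, e.g. "S" = SYN, "PA" = PSH+ACK
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    name: str
    dport: Optional[int] = None      # None = any destination port
    content: Optional[bytes] = None  # byte pattern that must appear in the payload


# Constructed signatures (hypothetical, for illustration only).
SIGNATURES = [
    Rule("HTTP directory traversal", dport=80, content=b"../.."),
    Rule("Shellcode NOP sled", content=b"\x90" * 16),
]


class Engine:
    """Central engine: correlates events from sensors and produces alerts."""

    def __init__(self, reactive: bool = False,
                 scan_ports: int = 10, scan_window: float = 5.0):
        self.reactive = reactive          # False = passive IDS, True = IPS-style
        self.scan_ports = scan_ports      # distinct ports from one source ...
        self.scan_window = scan_window    # ... within this many seconds = scan
        self._syns = defaultdict(list)    # src -> [(ts, dport)] of bare SYNs
        self.alerts: List[Tuple[float, str, str, str, int]] = []
        self.actions: List[str] = []

    def _alert(self, pkt: Packet, what: str) -> None:
        self.alerts.append((pkt.ts, what, pkt.src, pkt.dst, pkt.dport))
        if self.reactive:
            # The two reactive actions the slides name: reset the connection
            # and add a firewall rule. Recorded here, not executed.
            self.actions.append(f"tcp-reset {pkt.src}->{pkt.dst}:{pkt.dport}")
            self.actions.append(f"iptables -I INPUT -s {pkt.src} -j DROP")

    def process(self, pkt: Packet) -> None:
        # 1. Signature matching: every field given in the rule must match.
        for rule in SIGNATURES:
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            if rule.content is not None and rule.content not in pkt.payload:
                continue
            self._alert(pkt, rule.name)

        # 2. Heuristic: a bare SYN to many distinct ports from one source
        #    inside the window is a port scan. SYN/ACKs and data segments
        #    are ignored so established sessions never count.
        if "S" in pkt.flags and "A" not in pkt.flags:
            hist = self._syns[pkt.src]
            hist.append((pkt.ts, pkt.dport))
            hist[:] = [(t, p) for t, p in hist if pkt.ts - t <= self.scan_window]
            if len({p for _, p in hist}) >= self.scan_ports:
                self._alert(pkt, "port scan")
                hist.clear()  # one alert per scan, not one per extra port


def sample_traffic() -> List[Packet]:
    """Constructed capture: a SYN scan of ports 1-12, a traversal attempt,
    a NOP sled and one benign request, in time order."""
    pkts = [Packet(0.1 * i, "10.0.0.5", "10.0.0.9", port, "S")
            for i, port in enumerate(range(1, 13))]
    pkts += [
        Packet(5.0, "10.0.0.7", "10.0.0.9", 80, "PA",
               b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
        Packet(6.0, "10.0.0.8", "10.0.0.9", 4444, "PA",
               b"\x90" * 32 + b"\x31\xc0\x50"),
        Packet(7.0, "10.0.0.6", "10.0.0.9", 80, "PA",
               b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    ]
    return pkts


def run(reactive: bool = False) -> Engine:
    """Feed the sample capture through an engine and return it for inspection."""
    engine = Engine(reactive=reactive)
    for pkt in sample_traffic():
        engine.process(pkt)
    return engine


if __name__ == "__main__":
    for mode in (False, True):
        eng = run(reactive=mode)
        print("reactive" if mode else "passive", "alerts:", eng.alerts)
        print("  actions:", eng.actions)
```

Run it and the passive engine produces three alerts (the scan fires once, on the tenth distinct port, not twelve times) and no actions; the reactive engine produces the same alerts plus a reset and a block rule for each. The benign request triggers nothing, which is the tuning point: a rule on `dport=80` alone would have fired on it too.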
HIDS in more detail
- Monitors which program accesses what resources and when
- Monitors log files (syslog, event log etc.)
- Monitors access to and changes of system files (e.g. the password database) using a checksum database
- Monitors use of privileged users (administrator, root etc.)
- Monitors system memory structures (vtables)
- Examples: Tripwire, OSSEC
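The "checksum database" on the HIDS slide, shown as a working file-integrity check. This is an added example written for this page, not Tripwire's or OSSEC's code; the files it creates (a two-entry /etc tree in a temporary directory) and the simulated intrusion are a constructed fixture.

```python
"""Tripwire-style file integrity check: record a SHA-256 digest and the
permission bits of every regular file under a root, persist that baseline,
then diff the live tree against it. Added example, not Tripwire/OSSEC code.
The demo fixture is constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_file(path: str, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root: str) -> Dict[str, Dict[str, str]]:
    """Map each regular file (path relative to root, '/'-separated) to its
    digest and permission bits. Symlinks are skipped so a planted link
    cannot make a protected path appear unchanged."""
    db: Dict[str, Dict[str, str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = {"sha256": hash_file(full),
                       "mode": oct(os.stat(full).st_mode & 0o7777)}
    return db


def save_baseline(db: Dict[str, Dict[str, str]], path: str) -> None:
    with open(path, "w") as f:
        json.dump(db, f, sort_keys=True, indent=1)


def load_baseline(path: str) -> Dict[str, Dict[str, str]]:
    with open(path) as f:
        return json.load(f)


def compare(old: Dict[str, Dict[str, str]],
            new: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified (digest or mode)."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed fixture: baseline a tiny /etc, tamper with it, re-check.
    The baseline is stored outside the monitored tree, as it should be in
    practice (read-only media or another host), so it is not itself a target."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")

        db_path = os.path.join(store, "baseline.json")
        save_baseline(baseline(root), db_path)

        # Simulated intrusion: extra UID-0 account, preload rootkit, deleted file.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("eve:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/lib/evil.so\n")
        os.remove(os.path.join(etc, "hosts"))

        return compare(load_baseline(db_path), baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The check is only as trustworthy as the baseline: an attacker with root can rewrite a baseline that lives on the same host, which is why the demo keeps it in a separate location and why real deployments sign it or keep it off-box. Note also what this does not see: changes that restore the original bytes and mode before the next run, and anything hidden by a kernel-level rootkit that lies to `stat` and `open`.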
Stack-based IDS in more detail
- Monitors network packets as they traverse up the OSI layers on the host
- Can monitor for specific protocols
- Allows the IDS to inspect the packet before it reaches the application or the OS, so it can act on the packet the host is actually about to process
- Normally a hybrid HIDS agent
- Implementations differ between vendors
- Example: RealSecure
Simple implementation of IDS (diagram slide)

Simple implementation of IDS
- Place HIDS on all hosts to be monitored
- Use hybrid HIDS where specific applications can be monitored
- Set the NIDS server NIC to promiscuous mode (to enable the NIDS to see all traffic, not only frames addressed to its own MAC)
- A hub repeats every frame it receives to all other ports on the network segment, so a NIDS on the hub sees the whole segment
- Need a NIDS on all network segments that need to be monitored
IDS in a switched network
- Switches do not repeat traffic to all nodes; a unicast frame is forwarded only to the port where the destination MAC was learned (point to point), so a NIDS on an ordinary switch port sees only its own traffic plus broadcasts
- Therefore, you need to copy traffic to the sensor
- Need to use either a TAP or SPAN the required ports
  - A tap is inserted into the data line and copies all traffic without interfering with the original traffic
  - SPAN (port mirroring) is a switch feature that copies all traffic from a range of ports to another port (the SPAN port); the IDS is then connected to the SPAN port
IDS in a switched network (TAP)
- TAP copies all packets to the NIDS
- There is no change or delay to existing packets; a passive tap also keeps passing traffic if it loses power
- To copy packets in both directions, a full-duplex TAP provides two monitor outputs (one per direction), so the NIDS needs two capture NICs (or an aggregating tap) and must merge the two streams to reassemble sessions
IDS in a switched network (SPAN)
- SPAN copies all packets (TX and RX) to the SPAN port
- Some packets are not copied (e.g. undersize/oversize and other errored frames), so the IDS never sees them
- Can easily overload the SPAN port: mirroring both directions of a busy 1 Gbps link needs up to 2 Gbps, and the switch silently drops what the SPAN port cannot carry
- IDS is vulnerable to attack: the sensor parses hostile input by design, and if its sniffing NIC has an address it can also be targeted directly
  - Need to use stealth mode: no IP address on the sniffing NIC, management over a separate interface
- Can affect the performance of the switch
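A pre-deployment check for the "stealth mode" point above: the capture NIC must be promiscuous (otherwise it drops mirrored frames not addressed to it) and must carry no IP address (otherwise the sensor is addressable from the monitored network). This is an added example written for this page, not part of the original deck or of any IDS product; it parses `ip -o link show` and `ip -o addr show` output from iproute2, and the sample output embedded below is constructed (eth0 as management NIC, eth1 as sensor NIC).

```python
"""Check that a NIDS capture interface is in 'stealth mode': PROMISC set and
no IPv4/IPv6 address bound. Added example; parses iproute2 `ip -o` output.
The sample output below is constructed."""
import re
import subprocess
from typing import Dict, List, Set

# Constructed sample output of `ip -o link show` and `ip -o addr show`.
SAMPLE_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff
"""
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::5054:ff:feaa:bb01/64 scope link \\       valid_lft forever preferred_lft forever
"""

# "3: eth1: <FLAGS> ..." (VLAN sub-interfaces look like "eth1.100@eth1:")
_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")
# "2: eth0    inet 192.0.2.10/24 ..." / "2: eth0    inet6 fe80::.../64 ..."
_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+(inet6?)\s+(\S+)")


def parse_link_flags(text: str) -> Dict[str, Set[str]]:
    """Interface name -> set of link flags (BROADCAST, PROMISC, UP, ...)."""
    flags: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = _LINK_RE.match(line)
        if m:
            flags[m.group(1)] = set(filter(None, m.group(2).split(",")))
    return flags


def parse_addrs(text: str) -> Dict[str, List[str]]:
    """Interface name -> list of bound addresses with prefix length."""
    addrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(3))
    return addrs


def check_sensor_iface(name: str, link_text: str, addr_text: str) -> List[str]:
    """Return findings for the capture NIC; an empty list means stealth mode."""
    flags = parse_link_flags(link_text).get(name)
    if flags is None:
        return [f"{name}: interface not found"]
    findings: List[str] = []
    if "PROMISC" not in flags:
        findings.append(f"{name}: promiscuous mode off (fix: ip link set {name} promisc on)")
    if "UP" not in flags:
        findings.append(f"{name}: link is down (fix: ip link set {name} up)")
    for addr in parse_addrs(addr_text).get(name, []):
        if addr.startswith("fe80:"):
            # Auto-assigned link-local v6 still makes the sensor reachable on the segment.
            findings.append(f"{name}: IPv6 link-local {addr} bound "
                            f"(fix: sysctl net.ipv6.conf.{name}.disable_ipv6=1)")
        else:
            findings.append(f"{name}: address {addr} bound, sensor is addressable "
                            f"(fix: ip addr flush dev {name})")
    return findings


def check_live(name: str) -> List[str]:
    """Same check against the running system (Linux with iproute2)."""
    link = subprocess.run(["ip", "-o", "link", "show"],
                          capture_output=True, text=True, check=True).stdout
    addr = subprocess.run(["ip", "-o", "addr", "show"],
                          capture_output=True, text=True, check=True).stdout
    return check_sensor_iface(name, link, addr)


if __name__ == "__main__":
    for iface in ("eth0", "eth1"):
        print(iface, check_sensor_iface(iface, SAMPLE_LINK, SAMPLE_ADDR) or ["stealth mode OK"])
```

Against the constructed sample, eth1 passes and eth0 is flagged three times (no PROMISC, an IPv4 address, and the IPv6 link-local address that appears on every interface unless IPv6 is disabled on it). The IPv6 case is the one people miss: `ip addr flush` removes the IPv4 address but the kernel re-adds a link-local v6 address as long as IPv6 is enabled on the interface.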
Further reading
- Snort Intrusion Detection and Prevention Toolkit, Brian Caswell et al.
- Implementing Intrusion Detection Systems, Tim Crothers
- Wikipedia: search for "Intrusion detection system"
Paul Green CISSP, MACS
Paul is an information security practitioner, currently residing in Brisbane, Queensland. He has worked with government and financial institutions to help them understand their information security risks and identify suitable process and technical solutions to mitigate those risks. He has experience working with authentication and access control; network security; and monitoring solutions, as well as performing information security reviews and creation of security policies. Paul may be contacted through LinkedIn or via personal email: [email_address]
