Saturday, 30 April 2011

Intrusion Detection System (IDS)


by Mr Dahliyusmanto on 02/24/2011

An intrusion is any set of activities that attempts to compromise the integrity, confidentiality or availability of a resource. For example:
  • DoS: attempts to starve a host of the resources it needs to function correctly.
  • Compromises: obtaining privileged access to a host through known vulnerabilities.
Intrusion detection can be described as the process of identifying and responding to intrusion activities.

Elements of Intrusion Detection:
1) Primary Assumptions:
  • System activities are observable
  • Normal and intrusive activities have distinct evidence

2) Components of Intrusion Detection Systems:
  • From an algorithmic perspective:
    • Features – capture intrusion evidence
    • Models – piece evidence together
  • From a system architecture perspective:
    • Various components: audit data processor, knowledge base, decision engine, alarm generation and responses.

3) Parameters of IDS:
  • Accuracy
    • False Positive: occurs when an activity is reported as an attack while in reality it isn't one.
    • False Negative: occurs when an attack takes place without being reported.

4) Classification of IDS:
  • Host-based:
    • Definition: is an intrusion detection system that monitors and analyzes the internals of a computing system rather than the network packets on its external interfaces (as a network-based intrusion detection system (NIDS) would do).
    • Using OS auditing mechanism
    • Monitoring user activities
    • Monitoring executions of system programs
    • Detect and examine malicious activity
    • Optimized for monitoring individual hosts
    • Monitoring system network activity, file system, log files, user actions

  • Network-based
    • Definition: is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.
    • Deploying sensors at strategic locations
    • Inspecting network traffic
    • Monitoring user activities
    • May be easily defeated by encryption

  • Application-based
    • Definition: is an intrusion detection system that focuses its monitoring and analysis on a specific application protocol or protocols in use by the computing system.
    • monitor the dynamic behavior and state of the protocol
    • consists of a system or agent that typically sits between a process (or group of servers) and its clients, monitoring and analyzing the application protocol between the two connected devices.

5) Detection Mechanism:
  • Misuse Detection
    • the IDS analyzes the information it gathers and compares it to large databases of attack signatures.
  • Anomaly Based
    • the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol, and typical packet size.
  • Hybrid
    • Is a combination of host-based and network-based
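As an added example (not from the original post), the following Python toy runs both detection mechanisms above over constructed audit records and scores each by the false positives and false negatives defined under Parameters of IDS; the record format, the signature predicate and the packet-size baseline are assumptions made for illustration.

```python
# Added example (not from the original post): a toy IDS that applies the two
# detection mechanisms above to constructed connection records and then
# scores each one by the false positives / false negatives it produces.
from statistics import mean, pstdev

# Constructed audit records: (source, dest_port, protocol, bytes, truth_label)
RECORDS = [
    ("10.0.0.5", 80, "tcp", 512, "normal"),
    ("10.0.0.5", 443, "tcp", 640, "normal"),
    ("10.0.0.7", 80, "tcp", 480, "normal"),
    ("10.0.0.8", 53, "udp", 96, "normal"),
    ("10.0.0.9", 80, "tcp", 530, "normal"),
    ("10.0.0.7", 443, "tcp", 610, "normal"),
    ("10.0.0.6", 80, "tcp", 20000, "attack"),  # oversized DoS flood packet
    ("10.0.0.6", 23, "tcp", 64, "attack"),     # probe on a port in the signature DB
    ("10.0.0.9", 80, "tcp", 20000, "normal"),  # legitimate large upload
]
TRAINING = RECORDS[:6]  # the window the administrator declared "normal"

# Misuse detection: match every record against a (tiny) attack-signature DB.
# A signature here is a predicate on the record (a hypothetical rule format).
SIGNATURES = {"telnet-probe": lambda r: r[1] == 23 and r[2] == "tcp"}

def misuse_detect(records):
    return [any(sig(r) for sig in SIGNATURES.values()) for r in records]

# Anomaly detection: baseline = mean and std. dev. of packet size over the
# training window; a record more than k deviations away is an anomaly.
def build_baseline(training):
    sizes = [r[3] for r in training]
    return mean(sizes), pstdev(sizes)

def anomaly_detect(records, baseline, k=3.0):
    mu, sigma = baseline
    return [abs(r[3] - mu) > k * sigma for r in records]

def combine(*alert_lists):
    """Raise an alert when any mechanism fires."""
    return [any(flags) for flags in zip(*alert_lists)]

def score(alerts, records):
    """(false_positives, false_negatives) against the ground-truth labels."""
    fp = sum(1 for a, r in zip(alerts, records) if a and r[4] == "normal")
    fn = sum(1 for a, r in zip(alerts, records) if not a and r[4] == "attack")
    return fp, fn

if __name__ == "__main__":
    misuse = misuse_detect(RECORDS)
    anomaly = anomaly_detect(RECORDS, build_baseline(TRAINING))
    for name, alerts in [("misuse", misuse), ("anomaly", anomaly),
                         ("combined", combine(misuse, anomaly))]:
        print(name, "FP/FN =", score(alerts, RECORDS))
```

Signature matching misses the flood it has no rule for (a false negative), while the size baseline flags the legitimate upload (a false positive) and misses the small probe; combining the two alert streams removes the false negatives at the cost of keeping the false positive.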

6) Challenges of IDS
  • Run-time limitation
  • Specification of detection signatures
  • Dependency on the environment

7) Potential Solution
  • Data mining
  • Machine learning technique
  • Co-simulation mechanism
