Slide 1
Network Intrusion Detection Systems
Presented by Keith Elliott

Slide 2
Background
Why are they used?
  Movement towards more secure computing systems
  Management is becoming cognizant of growing cyber-threats
Where are they used?
  Medium to large businesses
  Anyone that can afford them
  Open-source solutions (SNORT)
Slide 3
Types of Attacks
Code obfuscation
Polymorphism
  Shell-code is constantly mutating
  Characterized by:
    Execution of GetPC code
    Read operations from the input stream
Port scans
Denial of Service (DoS)
Slide 4
Types of NIDS
HIDS (Host Intrusion Detection System)
  Operates on a single host
  Uses the host's computation resources
NIDS (Network Intrusion Detection System)
  Stand-alone hardware
  Expensive
Slide 5
Methods of Detection
Signature based
  Compares packets to a database of known threats
Heuristics based
  Analyzes and categorizes packets into groups: normal, hostile
  Many different techniques being developed
Slide 6
Pros and Cons
Signature based
  Requires constant updates by administrators
  Can only detect currently known threats
Heuristics
  Have the ability to identify new/unknown threats
  Can easily mistake infrequent normal traffic as hostile
Slide 7
Heuristic Detection Techniques
Cellular automata
Genetic algorithms
Neural networks
Bioinformatics
Network-level emulation
Measured:
Slide 8
Cellular Automata
Solves problems in an evolutionary way
Consists of a number of cells organized in the form of a lattice
Each cell is considered independent
  Its state depends only on its two adjacent cells
Fuzzy states are generally used
  Categorizations are done using membership functions
As data is passed and classified, each cell mutates randomly
Slide 9
Neural Networks
In general, model multivariate non-linear functions using nodes called neurons
Good at classification problems
Separated into 5 categories for the experiment:
  Normal connections
  DoS (Denial of Service)
  R2L (Remote to Local), U2R (User to Remote)
  Probe/Surveillance
Best results came from over-sampling the training data
Slide 10
Network-Level Emulation
Inspects the client-initiated data of each network flow
  Server-initiated data is ignored
Reconstructs the application-level stream using TCP stream reassembly
The emulator repeats execution of the code from each possible entry point in the stream
Execution of polymorphic shell-code is identified by two runtime behavioral characteristics:
  Execution of GetPC code
  Several read operations from within the stream
Slide 11
Statistics Collected
Real-world deployment of nemu (Network-Level Emulation)
Sensors in Europe have been operating since March 9th, 2007
Collected from national research networks and one educational network
As of February 13th, 2008:
  1,053,332 attacks targeting 21 different ports
  31% were launched from 8981 unique IPs
  68% (the rest) were from 204 infected hosts
Slide 12
Ports Attacked
25 - SMTP
42 - WINS, Nameserver
80 - HTTP
110 - POP3
135 - Microsoft EPMAP, also known as the DCE/RPC Locator service, used to remotely manage services including DHCP server, DNS server and WINS
139 - NetBIOS Session Service
143 - IMAP
445 - Microsoft Active Directory, Windows Shares, SMB File Sharing
1025 - NFS or IIS
2967 - Symantec Antivirus Corporate Edition
Slide 13
Evading NIDS
Insertion attacks
  Send packets that the end-system (victim) will reject, but that the IDS thinks are valid
Evasion attacks
  Send packets which the IDS rejects but the target accepts
Both end up giving different streams to the IDS and the end host
Fragmentation is used in both; we all should know this by now
Slide 14
Methods of Evading NIDS
Case 1: The IDS fragmentation reassembly timeout is less than the fragmentation reassembly timeout of the victim.
Slide 15
Methods of Evading NIDS cont.
Case 2: The IDS fragmentation reassembly timeout is more than the fragmentation reassembly timeout of the operating system.
Slide 16
Methods of Evading NIDS cont.
Case 2: TTL-based attacks
  The topology of the victim's network must be known
Slide 17
Methods of Evading NIDS cont.
Overlapping fragments
  Exploits differences in operating system behavior
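As an added example that is not part of the slides, the following Python model shows why the reassembly-timeout cases (slides 14 and 15) and the overlapping-fragment case (slide 17) leave the IDS and the end host with different views of the same fragments, and how giving the IDS a timeout at least as long as the host's and an overlap policy matched to the host's stack makes both reassemble the same bytes. The fragment timings and HTTP payloads are constructed, and `Fragment`, `reassemble` and `views` are this example's own helpers, not part of any IDS.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Fragment:
    offset: int          # byte offset inside the original datagram
    data: bytes
    arrival: float       # seconds after the first fragment was seen
    last: bool = False   # True on the final fragment ("more fragments" bit clear)

def reassemble(frags: List[Fragment], timeout: float, policy: str) -> Optional[bytes]:
    """One reassembly engine (an IDS or the victim host). Fragments arriving
    after `timeout` seconds are dropped because the partial datagram was already
    flushed; `policy` settles overlaps: 'first' keeps bytes already buffered,
    'last' lets later data overwrite. Returns None if the datagram never completes."""
    buf: Dict[int, int] = {}
    total: Optional[int] = None
    for f in sorted(frags, key=lambda fr: fr.arrival):
        if f.arrival > timeout:
            continue
        for i, b in enumerate(f.data):
            if policy == "first" and (f.offset + i) in buf:
                continue
            buf[f.offset + i] = b
        if f.last:
            total = f.offset + len(f.data)
    if total is None or any(i not in buf for i in range(total)):
        return None
    return bytes(buf[i] for i in range(total))

def views(frags, ids_timeout, ids_policy, host_timeout, host_policy):
    """(what the IDS reassembles, what the end host reassembles)."""
    return (reassemble(frags, ids_timeout, ids_policy),
            reassemble(frags, host_timeout, host_policy))

# Constructed traffic, not captured data.  Slide 14: the last fragment arrives
# 9 s after the first.  Slide 17: a later fragment overlaps bytes 5..13.
LATE = [Fragment(0, b"GET /index.html", 0.0),
        Fragment(15, b" HTTP/1.0\r\n\r\n", 9.0, last=True)]
OVERLAP = [Fragment(0, b"GET /safe.html", 0.0),
           Fragment(5, b"evil.html", 0.5),
           Fragment(14, b" HTTP/1.0\r\n", 1.0, last=True)]

if __name__ == "__main__":
    # IDS flushes after 5 s, host waits 30 s: IDS sees nothing, host sees a request.
    print(views(LATE, 5.0, "first", 30.0, "first"))
    # IDS keeps the first bytes; a "last wins" host stack keeps the overwrite.
    print(views(OVERLAP, 30.0, "first", 30.0, "last"))
    # Mitigation: IDS timeout >= host timeout, overlap policy matched to the host.
    print(views(OVERLAP, 30.0, "last", 30.0, "last"))
```

The third call is the target-based configuration a defender wants: once the IDS's timeout and overlap policy mirror the host's, the two views are identical and the stream the host will actually execute is the one that gets inspected.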
Slide 18
Conclusion
Network threats are on the rise
Better to have a heuristic-based system
Tons of research being performed which is uncovering new and more efficient methods
SNORT can handle all mentioned methods of evasion.
Any questions?