Network Intrusion Detection Systems - PowerPoint Presentation

Uploaded by pamella-moone on 2016-12-07

Presentation Transcript

Slide 1

Network Intrusion Detection Systems

Presented by Keith Elliott

Slide 2

Background

- Why are they used?
  - Movement towards more secured computing systems
  - Management is becoming cognizant of growing cyber-threats
- Where are they used?
  - Medium to large businesses
  - Anyone that can afford them
  - Open-source solutions (SNORT)

Slide 3

Types of Attacks

- Code obfuscation
  - Polymorphism: shell-code is constantly mutating
  - Characterized by:
    - Execution of GetPC code
    - Read operations from the input stream
- Port scans
- Denial of Service (DoS)

Slide 4

Types of NIDS

- HIDS (Host Intrusion Detection System)
  - Operates on a single host
  - Uses the host's computation resources
- NIDS (Network Intrusion Detection System)
  - Stand-alone hardware
  - Expensive

Slide 5

Methods of Detection

- Signature based
  - Compares packets to a database of known threats
- Heuristics based
  - Analyzes and categorizes packets into groups: normal, hostile
  - Many different techniques being developed

Slide 6

Pros and Cons

- Signature based
  - Requires constant updates by administrators
  - Can only detect currently known threats
- Heuristics
  - Have the ability to identify new/unknown threats
  - Can easily mistake infrequent normal traffic as hostile
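The trade-offs on the two slides above, worked as an added example that is not part of the original presentation: a signature detector and a heuristic detector run over the same constructed traffic. The signature database, the addresses, the marker strings and the port-count threshold are all assumptions, and the heuristic is deliberately reduced to a single port-count rule rather than any of the techniques the later slides cover.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst_port: int   # destination port
    payload: bytes  # application data carried by the packet


# Signature database: patterns for threats that are already known.
# The marker strings are constructed stand-ins for real rule content.
SIGNATURES: Dict[str, bytes] = {
    "KNOWN-THREAT-A": b"MARKER_A",
    "KNOWN-THREAT-B": b"MARKER_B",
}


def signature_alerts(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Signature-based detection: a packet is hostile only if its payload
    contains a pattern that is already in the database."""
    alerts = []
    for p in packets:
        for name, pattern in SIGNATURES.items():
            if pattern in p.payload:
                alerts.append((p.src, name))
    return alerts


def heuristic_alerts(packets: List[Packet], max_ports: int = 5) -> List[str]:
    """Heuristic detection reduced to one rule for illustration: a source that
    contacts more than max_ports distinct destination ports is categorized as
    hostile (port-scan behaviour); everything else is categorized as normal.
    No database of known threats is consulted."""
    ports_by_src: Dict[str, set] = defaultdict(set)
    for p in packets:
        ports_by_src[p.src].add(p.dst_port)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) > max_ports)


# Constructed traffic sample covering the four situations the slides describe.
TRAFFIC: List[Packet] = (
    # 10.0.0.5 probes eight different services: a port scan with no payload.
    [Packet("10.0.0.5", port, b"") for port in (21, 22, 23, 25, 80, 110, 143, 443)]
    # 10.0.0.9 sends a payload matching a signature the database already has.
    + [Packet("10.0.0.9", 80, b"data MARKER_A")]
    # 10.0.0.7 sends a new variant whose marker is not in the database yet.
    + [Packet("10.0.0.7", 80, b"data MARKER_Z")]
    # 10.0.0.3 is a legitimate monitoring host that polls six services; this
    # infrequent but normal traffic looks like a scan to the heuristic.
    + [Packet("10.0.0.3", port, b"ping") for port in (22, 25, 80, 110, 143, 443)]
)


def compare_methods(packets: List[Packet] = TRAFFIC) -> Dict[str, object]:
    """Run both detectors over the same traffic so their gaps can be compared."""
    return {"signature": signature_alerts(packets), "heuristic": heuristic_alerts(packets)}


if __name__ == "__main__":
    for method, result in compare_methods().items():
        print(f"{method:10s} -> {result}")
```

Running it shows each side of the slide: the signature detector reports only 10.0.0.9 and misses both the unknown variant from 10.0.0.7 and the scan from 10.0.0.5, while the heuristic catches the scan without any database update but also flags the monitoring host 10.0.0.3, whose traffic is merely infrequent, not hostile.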

Slide 7

Heuristic Detection Techniques

- Cellular Automata
- Genetic Algorithms
- Neural Networks
- Bioinformatics
- Network-Level Emulation

Measured:

Slide 8

Cellular Automata

- Solves problems in an evolutionary way
- Consists of a number of cells organized in the form of a lattice
- Each cell is considered independent
  - Its state depends only on its two adjacent cells
- Fuzzy states are generally used
  - Categorizations are done using membership functions
- As data is passed and classified, each cell mutates randomly

Slide 9

Neural Networks

- In general, model multivariate non-linear functions using nodes called neurons
- Good at classification problems
- Separated into 5 categories for the experiment:
  - Normal connections
  - DoS (Denial of Service)
  - R2L (Remote to Local)
  - U2R (User to Remote)
  - Probe/Surveillance
- Best results came from over-sampling the training data

Slide 10

Network-Level Emulation

- Inspects the client-initiated data of each network flow
  - Server-initiated data is ignored
- Reconstructs the application-level stream using TCP stream reassembly
- The emulator repeats execution of code from each possible entry point in the stream
- Execution of polymorphic shell-code is identified by two runtime behavioral characteristics:
  - Execution of GetPC code
  - Several read operations from within the stream

Slide 11

Statistics Collected

- Real-world deployment of nemu (Network-Level Emulation)
- Sensors in Europe have been operating since March 9th, 2007
- Collected from National Research Networks and one Educational Network
- As of February 13th, 2008:
  - 1,053,332 attacks targeting 21 different ports
  - 31% were launched from 8981 unique IPs
  - 68% (the rest) were from 204 infected hosts

Slide 12

Ports Attacked

- 25 - SMTP
- 42 - WINS Nameserver
- 80 - HTTP
- 110 - POP3
- 135 - Microsoft EPMAP, also known as DCE/RPC Locator service, used to remotely manage services including DHCP server, DNS server and WINS
- 139 - NetBIOS Session Service
- 143 - IMAP
- 445 - Microsoft Active Directory, Windows Shares, SMB File Sharing
- 1025 - NFS or IIS
- 2967 - Symantec Antivirus Corporate Edition

Slide 13

Evading NIDS

- Insertion attacks
  - Send packets that the end-system (victim) will reject, but that the IDS thinks are valid
- Evasion attacks
  - Send packets which the IDS rejects but the target accepts
- Both end up giving different streams to the IDS and the end-host
- Fragmentation is used in both - we all should know this by now

Slide 14

Methods of Evading NIDS

- Case 1: The IDS fragmentation reassembly timeout is less than the fragmentation reassembly timeout of the victim.

Slide 15

Methods of Evading NIDS cont.

- Case 2: The IDS fragmentation reassembly timeout is more than the fragmentation reassembly timeout of the operating system.

Slide 16

Methods of Evading NIDS cont.

- Case 2: TTL-based attacks
  - Topology of the victim's network must be known

Slide 17

Methods of Evading NIDS cont.

- Overlapping fragments
  - Exploits differences in operating system behavior
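Why Cases 1 and 2 (reassembly-timeout mismatch) and the overlapping-fragments slide leave the IDS and the end-host looking at different streams can be reproduced with the toy reassembler below. This is an added example, not code from the presentation or from any IDS: the Fragment layout, the arrival times, the 15 s and 60 s timeouts and the "first"/"last" overlap policies are constructed assumptions that simplify real IP reassembly, and the same trace is simply fed through two differently configured reassemblers standing in for the IDS and the host.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    frag_id: int   # identifies which datagram this piece belongs to
    offset: int    # byte offset of the piece within the datagram
    data: bytes
    more: bool     # True unless this is the final fragment
    t: float       # arrival time in seconds (constructed values below)


class Reassembler:
    """Minimal fragment reassembler parameterised by the two behaviours the
    slides say differ between an IDS and the hosts it protects."""

    def __init__(self, timeout: float, overlap_policy: str) -> None:
        assert overlap_policy in ("first", "last")
        self.timeout = timeout                # seconds a partial datagram survives
        self.overlap_policy = overlap_policy  # which copy of an overlapped byte wins
        self._pending: Dict[int, dict] = {}

    def feed(self, frag: Fragment) -> Optional[bytes]:
        entry = self._pending.get(frag.frag_id)
        # Expire a partial datagram whose reassembly timer has run out: the
        # pieces received so far are discarded, as a host would discard them.
        if entry is not None and frag.t - entry["start"] > self.timeout:
            del self._pending[frag.frag_id]
            entry = None
        if entry is None:
            entry = {"start": frag.t, "bytes": {}, "total": None}
            self._pending[frag.frag_id] = entry
        for i, b in enumerate(frag.data):
            pos = frag.offset + i
            if pos in entry["bytes"] and self.overlap_policy == "first":
                continue  # keep the byte that arrived first
            entry["bytes"][pos] = b  # "last" policy: newer data overwrites
        if not frag.more:
            entry["total"] = frag.offset + len(frag.data)
        total = entry["total"]
        if total is not None and all(p in entry["bytes"] for p in range(total)):
            del self._pending[frag.frag_id]
            return bytes(entry["bytes"][p] for p in range(total))
        return None


def reassemble(frags: List[Fragment], timeout: float, policy: str) -> Optional[bytes]:
    """Feed a fragment trace through one reassembler; return the datagram it
    completes, or None if it never sees a complete datagram."""
    r = Reassembler(timeout, policy)
    result = None
    for f in frags:
        out = r.feed(f)
        if out is not None:
            result = out
    return result


# Constructed trace 1: the second fragment arrives 20 s after the first.
LATE_SECOND_FRAGMENT = [
    Fragment(1, 0, b"HELLO ", True, 0.0),
    Fragment(1, 6, b"WORLD", False, 20.0),
]

# Constructed trace 2: the second fragment overlaps bytes 3-5 of the first.
OVERLAPPING = [
    Fragment(2, 0, b"ABCDEF", True, 0.0),
    Fragment(2, 3, b"xyz", True, 1.0),
    Fragment(2, 6, b"!", False, 2.0),
]


def compare(frags: List[Fragment], ids_cfg: Tuple[float, str],
            host_cfg: Tuple[float, str]) -> Dict[str, Optional[bytes]]:
    """Return what the IDS and the host each reconstruct from the same trace."""
    return {"ids": reassemble(frags, *ids_cfg), "host": reassemble(frags, *host_cfg)}


if __name__ == "__main__":
    # Case 1: IDS timeout (15 s) shorter than the host's (60 s).
    print(compare(LATE_SECOND_FRAGMENT, (15.0, "first"), (60.0, "first")))
    # Case 2: IDS timeout (60 s) longer than the host's (15 s).
    print(compare(LATE_SECOND_FRAGMENT, (60.0, "first"), (15.0, "first")))
    # Overlapping fragments: IDS keeps the first copy, host prefers the last.
    print(compare(OVERLAPPING, (60.0, "first"), (60.0, "last")))
    # Matching the IDS policy to the host's removes the discrepancy.
    print(compare(OVERLAPPING, (60.0, "last"), (60.0, "last")))
```

In Case 1 the IDS has already discarded the first fragment when the second arrives, so it never assembles a datagram the host does assemble; in Case 2 the IDS assembles a datagram the host has already thrown away; with overlapping fragments both complete a datagram but with different bytes in the overlapped region. The last run shows the mitigation the example is built to motivate: the IDS reassembly timeout and overlap policy must be configured to match the hosts it protects (target-based reassembly), since a mismatch in either parameter is enough to produce the divergence.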

Slide 18

Conclusion

- Network threats are on the rise
- Better to have a heuristic-based system
- Tons of research being performed which is uncovering new and more efficient methods
- SNORT can handle all mentioned methods of evasion

Any questions?