SEMINAR PRESENTATION ON INTRUSION DETECTION SYSTEM


What is Intrusion Detection

Intrusions are activities that violate the security policy of a system.
Intrusion detection is the process used to identify intrusions.

Types of Intrusion Detection System (1)

Based on the source of the audit information each IDS uses, IDSs may be classified into:
Host-based IDSs
Distributed IDSs
Network-based IDSs

Types of Intrusion Detection System (2)

Host-based IDSs
Get audit data from host audit trails.
Detect attacks against a single host.
Distributed IDSs
Gather audit data from multiple hosts and possibly the network that connects the hosts.
Detect attacks involving multiple hosts.
Network-based IDSs
Use network traffic as the audit data source, relieving the burden on the hosts that usually provide normal computing services.
Detect attacks from the network.

Intrusion Detection Techniques

Misuse detection
Catches intrusions in terms of the characteristics of known attacks or system vulnerabilities.
Anomaly detection
Detects any action that significantly deviates from normal behavior.

Misuse Detection

Based on known attack actions.
Features are extracted from known intrusions.
Integrates human knowledge.
The rules are pre-defined.
Disadvantage:
Cannot detect novel or unknown attacks.

Anomaly Detection

Based on the normal behavior of a subject. Sometimes assumes that the training audit data does not include intrusion data.
Any action that significantly deviates from the normal behavior is considered an intrusion.

Anomaly Detection Disadvantages

Based on audit data collected over a period of normal operation.
When noise (intrusion) data is present in the training data, it causes misclassification.
Deciding which features to use is difficult. The features are usually chosen by domain experts, and the selection may not be complete.

Pattern Matching

KMP multiple-pattern matching algorithm
Uses a keyword tree to search
Builds failure links to guarantee linear-time searching
Shift-And (Shift-Or) pattern matching algorithm
A classical approximate pattern matching algorithm
Karp-Rabin fingerprint method
Uses modular arithmetic and the remainder theorem to match patterns
… (Such as regular expression pattern matching)
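
The keyword tree with failure links described above (commonly known as the Aho-Corasick algorithm) can be sketched as follows. This is an added example, not part of the original presentation; the signature list and the payload are constructed for illustration.

```python
from collections import deque

# Constructed sample signatures and payload (assumptions for illustration).
SIGNATURES = [b"/etc/passwd", b"passwd", b"cmd.exe"]
PAYLOAD = b"GET /view?file=/etc/passwd HTTP/1.1"

def build_automaton(patterns):
    """Build the keyword tree, then add failure links breadth-first."""
    goto, fail, out = [{}], [0], [[]]   # per-state edges, failure link, matches
    for pat in patterns:
        state = 0
        for b in pat:
            if b not in goto[state]:
                goto.append({})
                fail.append(0)
                out.append([])
                goto[state][b] = len(goto) - 1
            state = goto[state][b]
        out[state].append(pat)
    queue = deque(goto[0].values())     # depth-1 states fail to the root
    while queue:
        state = queue.popleft()
        for b, nxt in goto[state].items():
            queue.append(nxt)
            f = fail[state]
            while f and b not in goto[f]:
                f = fail[f]
            # Longest proper suffix of this path that is also a tree path.
            fail[nxt] = goto[f].get(b, 0)
            # Inherit signatures that end at the suffix state.
            out[nxt] = out[nxt] + out[fail[nxt]]
    return goto, fail, out

def scan(payload, automaton):
    """Return (offset, signature) hits; each payload byte is read once."""
    goto, fail, out = automaton
    state, hits = 0, []
    for i, b in enumerate(payload):
        while state and b not in goto[state]:
            state = fail[state]         # fall back instead of rescanning
        state = goto[state].get(b, 0)
        hits.extend((i - len(pat) + 1, pat) for pat in out[state])
    return hits

if __name__ == "__main__":
    for offset, sig in scan(PAYLOAD, build_automaton(SIGNATURES)):
        print(f"offset {offset}: matched signature {sig!r}")
```

Because "passwd" is a suffix of "/etc/passwd", both signatures are reported at the same payload position through the failure link, without re-reading any byte.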