Week 3
The Network Intrusion Detection Engine
Network based IDS engines process a stream of time-sequential TCP/IP packets to find a sequence of patterns. Patterns are also known as signatures. Most network signatures are based on the contents of the packets (packet content signature = payload of a packet). Patterns are also detectable in the headers and in the flow of the traffic, which relieves the need to look inside the packets.
Operational Concept
Two primary operational modes:
1. Tip-off - look for something new, something not previously classified.
2. Surveillance - look for patterns from known "targets".
Forensic workbench
* Same tool as in surveillance
* Monitor online transactions
* Track network growth - PCs, mobile devices
* System services usage
* Identify unexpected changes in the network
Benefits of a Network IDS
1. Outsider deterrence - make life hard for the hackers.
2. Detection - deterministic or stochastic.
3. Automated response and notification - notifications by email, SNMP, pager, on-screen message or audible alert.
Response: reconfigure routers/firewalls; drop the connection. Doing a counter attack is not smart.
Challenges for network based technologies
1. Packet reassembly - a single packet may not contain enough of the pattern for detection, because the pattern can be broken across several packets; the sensor has to reassemble the stream before matching.
2. High speed networks - flooding of the sensor and dropping of packets.
3. Anti-sniff (sniffer detection) - tools designed by hackers to detect an IDS and find exactly where a sensor is situated. You do not yet have to worry about this if you are using a host-based system.
4. Encryption - traffic encrypted with SSH or SSL cannot be inspected (detection impossible). Some possible solutions:
   1. Put a sensor inside the VPN, at the application layer where decryption happens. The data remains encrypted until it reaches the application layer, but by then it could already be too late.
   2. Preserve the encryption.
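The packet reassembly challenge above, as an added example that is not part of these notes: a content signature is matched once per packet and then again after the TCP segments of one flow are put back in sequence order. The segments, addresses and the signature are constructed sample data; a real engine would key the reassembly on the full 4-tuple and handle both directions.

```python
# Added example: per-packet vs. stream-reassembled signature matching.
# All segments and the signature below are constructed sample data.
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed packet content signature (pattern in the payload).
SIGNATURE = b"GET /cgi-bin/evil"


def match_per_packet(segments):
    """Naive check: look for the signature inside each packet on its own.
    Returns the seq numbers of the packets that matched."""
    return [s.seq for s in segments if SIGNATURE in s.payload]


def reassemble(segments):
    """Rebuild the byte stream of one flow from its segments, ordered by seq.
    Tolerates out-of-order delivery, retransmissions and partial overlaps;
    stops at the first hole so unseen data is never guessed."""
    stream = bytearray()
    nxt = None                       # next expected sequence number
    for s in sorted(segments, key=lambda s: s.seq):
        if nxt is None:
            nxt = s.seq
        if s.seq > nxt:
            break                    # missing segment: hole in the stream
        end = s.seq + len(s.payload)
        if end <= nxt:
            continue                 # pure retransmission, nothing new
        stream += s.payload[nxt - s.seq:]   # drop the already-seen prefix
        nxt = end
    return bytes(stream)


def match_stream(segments):
    """Signature check over the reassembled stream of the flow."""
    return SIGNATURE in reassemble(segments)


# Constructed flow: the signature is split over two segments, which arrive
# out of order, and the first segment is retransmitted once.
FLOW = [
    Segment("10.0.0.5", "10.0.0.1", 1009, b"bin/evil HTTP/1.0\r\n"),
    Segment("10.0.0.5", "10.0.0.1", 1000, b"GET /cgi-"),
    Segment("10.0.0.5", "10.0.0.1", 1000, b"GET /cgi-"),   # retransmission
]
```

Running `match_per_packet(FLOW)` finds nothing, while `match_stream(FLOW)` reports the signature, which is exactly why a network sensor must reassemble before it matches.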