Chapter 7 - 04 - Understand Different Types of IDS-IPS and their Role - 04_ocred_fax_ocred.pdf
Document Details
Uploaded by barrejamesteacher
null
EG-Council
Tags
Related
- Chapter 3 - 02 - Discuss Network Security Fundamentals - 01_ocred.pdf
- Computer Forensics Investigation Team PDF
- Chapter 7 - 04 - Understand Different Types of IDS-IPS and their Role - 11_ocred PDF
- Cybersecurity Technician Network Security Controls PDF
- Chapter 7 - 04 Network Security Controls - Technical Controls PDF
- Chapter 7 - 04 - Understand Different Types of IDS-IPS and their Role_fax_ocred.pdf
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls IDS Classification @...
Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls IDS Classification @ An IDS is classified based on an approach, protected system, structure, data source, behavior, and time analysis { Classification of Intrusion Detection System }. = [wmu Copyright © by All Rights Reserved. Reproduction Is Strictly Prohibited IDS Classification Generally, an IDS uses anomaly-based detection and signature-based detection methods to detect intrusions. An IDS is classified based on an approach, protected system, structure, data source, behavior, and time analysis. The classification of IDSs is shown in following figure. This categorization depends on the information gathered from a single host or a network segment, in terms of behavior, based on continuous or periodic feed of information, and the data source. [ Classification of Intrusion Detection System J Bet lor after Analysls Timing an Attack On-the-fly Processing Anomaly Detection ":‘E{-" nt System Figure 7.66: Classification of Intrusion Detection System Module 07 Page 823 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls Approach-based IDS Signature-Based Detection O Known as misuse detection O Monitors patterns of data packets in the network and compares them to pre-configured network attack patterns, known as signatures OQ This method uses string comparison operations to compare ongoing €l activity, such as a packet or a log entry, against a list of signatures ) Advantages = |t detects attacks with minimal false alarms = [t|t can quickly identify the use of a specific tool or technique = |t assists administrators to quickly track any potential security issues and initiate incident handling procedures Copyright © by All Rights Rights Reserved. Reserved. Reproduction Reproduction iss Strictly Strictly Prohibited Prohibited Approach-based IDS (Cont’d) QO In this approach, alarms for anomalous activities are generated by evaluating network patterns such as what sort of bandwidth is used, what protocols are used, and what ports and which devices are — connected to each other h;:) ¢ Zt-ibased O An IDS monitors the typical activity for a particular time interval and then builds the statistics for the o e network traffic O QO For example: anomaly-based 1DS monitors activities for normal Internet bandwidth usage, failed logon attempts, processor utilization levels, etc. Advantages Disadvantages v"v' An anomaly-based IDS identifies abnormal v'v The rate of generating false alarms is high due to behavior in the network and detects the unpredictable behavior of users and networks symptoms for attacks without any clear details v The need to create an extensive set of system ¥ Information acquired by anomaly detectors is events in order to characterize normal behavior further used to define the signatures for misuse patterns detectors Copyright © by AAll l Rights Reserved. Reproduction Reproductionis Strictly Prohibited Module 07 Page 824 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls Approach-based IDS (Cont’d) @ This method compares observed g It also detects variations in command events with predetermined profiles length, minimum/maximum values for based on accepted definitions of attributes and other potential benign activity for each protocol to anomalies identify any deviations of the protocol state Stateful Protocol Analysis It can identify unpredictable For any protocol performing sequences of commands. For example, authentication, the IDS/IPS will keep it can identify activities such as issuing track of the authenticator being used for the same commands repeatedly or each session and will record the arbitrary commands being used : authenticator involved in the suspicious activity Approach-based IDS Signature-based Detection It is also known as misuse detection. Monitors patterns of data packets in the network and compares them to pre-configured network attack patterns known as signatures. A signature is a predefined pattern in the traffic on a network. Normal traffic signatures denote normal traffic behavior. However, attack signatures are malicious and are harmful to the network. These patterns are unique, and the attacker uses these patterns to get into the network. This method uses string comparison operations to compare ongoing activity, such as a packet or a log entry, against a list of signatures. Advantages = |t detects attacks with minimal false alarms. = |t can quickly identify the use of a specific tool or technique. = |t assists administrators to quickly track any potential security issues and initiate incident handling procedures. Disadvantages = This approach only detects known threats, the database must be updated with new attack signatures constantly. = |t utilizes tightly defined signatures that prevent it from detecting common variants of the attacks. Module 07 Page 825 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls Examples of signatures: = Atelnet attempt with a username of ‘root’, which is a violation of the corporate security policy. = An operating system log entry with a status code of 645 indicates the host auditing system is disabled. Anomaly-based Detection The anomaly-based detection process depends on observing and comparing the observed events with the normal behavior and then detecting any deviation from it. Normal behavior depends on factors such as users, hosts, network connections, and/or applications. These factors are considered only after examining a particular activity over a period of time. Normal traffic behavior is based on various behavioral attributes such as normal email activity, reasonable number of failed attempts, processor usage, etc. Any activity that does not match normal behavior can be treated as an attack. For example, numerous emails coming from a single sender or a large number of failed login attempts can indicate suspicious behavior. Unlike signature-based detection, anomaly-based detection can detect previously unknown attacks. In this approach, alarms for anomalous activities are generated by evaluating network patterns such as what sort of bandwidth is used, what protocols are used, and what ports and which devices are connected to each other. An IDS monitors the typical activity for a particular time interval and then builds the statistics for the network traffic. For example: anomaly-based IDS monitors activities for normal Internet bandwidth usage, failed logon attempts, processor utilization levels, etc. Advantages = An anomaly-based IDS identifies abnormal behavior in the network and detects the symptoms for attacks without any clear details * |Information acquired by anomaly detectors is further used to define the signatures for misuse detectors Disadvantages = The rate of generating false alarms is high due to unpredictable behavior of users and networks * The need to create an extensive set of system events in order to characterize normal behavior patterns Stateful Protocol Analysis Network communication uses various types of protocols to exchange information on different layers. These protocols define the accepted behavior. Stateful protocol analysis—based IDS detects suspicious activity by analyzing the deviation of specific protocol traffic from its normal behavior. Using this analysis, an IDS can analyze the network, transport, and application layer protocols and traffic against their normal behavior. Module 07 Page 826 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls Certain IDSs can specify suitable activities for each class of users in accordance with the authenticator information. This method compares observed events with predetermined profiles based on accepted definitions of benign activity for each protocol to identify any deviations of the protocol state. It can identify unpredictable sequences of commands. For example, it can identify activities such as issuing the same commands repeatedly or arbitrary commands being used. It also detects variations in command length, minimum/maximum values for attributes and other potential anomalies. For any protocol performing authentication, the IDS/IPS will keep track of the authenticator being used for each session and will record the authenticator involved in the suspicious activity. Module 07 Page 827 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited.
