Intrusion detection systems ( Download Full Seminar Report )
computer science crazy|
Joined: Dec 2008
09-04-2009, 01:16 PM
With hacker attacks against well-known businesses and organizations on the rise, network security has made headlines. Of course, there are many attacks that do not make headlines and are not reported due to a loss of credibility or embarrassment. Then there are the attacks that are not even detected. The Defence Information Services Agency (DISA) states that up to 98% of attacks go unnoticed. These revelations have caused many businesses to rethink, or to start thinking about, the security of their own networks. For some organizations security has always been a concern; these organizations were ahead of the game and already had a basic security policy in place. Security of a network cannot be trusted to just one method of security; it must consist of many layers of security measures. These security measures may consist of strong passwords, screening routers, firewalls, proxy servers, and intrusion detection systems, also known as IDSs. An IDS is an important part of modern network security. Intrusion detection is the monitoring of a computer network with the goal of detecting an attack. IDSs do this well, but must be used in conjunction with other security measures.
Download Full Seminar Report
Active In SP
Joined: Sep 2010
18-10-2010, 12:47 PM
SUMANTA KUMAR DAS
INTRUSION DETECTION SYSTEMS .PPT (Size: 1.41 MB / Downloads: 607)
What is intrusion?
Attempting to break into or misuse our system.
Intruders may be from outside
Intrusion can be a physical, system or remote intrusion
An agent which may be responsible for a policy violation
A potentially unwanted object which is harmful to our system
Definition of intrusion detection system (IDS)
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station.
Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.
IDSs are software or hardware products that automate those monitoring and analysis processes.
Hence an IDS can help protect us from attacking malware, poisonous programs and security threats; finally, total protection can be accomplished by an IDS.
Active In SP
Joined: Jun 2010
24-11-2010, 12:04 PM
Application-IDS_Jones-Sielken.doc (Size: 90 KB / Downloads: 214)
Robert S. Sielken
Anita K. Jones
Application Intrusion Detection Systems: The Next Step
Operating system intrusion detection systems (OS IDS) are frequently insufficient to catch internal intruders who neither significantly deviate from expected behavior nor perform a sequence of specific intrusive actions. We hypothesize that application intrusion detection systems (AppIDS) can use application semantics to detect more subtle attacks such as those carried out by internal intruders who possess legitimate access to the system and act within their bounds of normal behavior, but who are actually abusing the system. To test this hypothesis, we developed two extensive case studies from which we were able to discern some similarities and differences between the OS IDS and AppIDS. In particular, an AppIDS can observe the monitored system with a higher resolution of observable entities than an OS IDS allowing tighter thresholds to be set for the AppIDS’ relations that differentiate normal and anomalous behavior thereby improving the overall effectiveness of the IDS.
As information systems have become more comprehensive and a higher value asset of organizations, intrusion detection systems have been incorporated as elements of operating systems, although not typically applications. Intrusion detection involves determining that some entity, an intruder, has attempted to gain, or worse, has gained unauthorized access to the system.
Intruders are classified into two groups. External intruders do not have any authorized access to the system they attack. Internal intruders have at least some authorized access to the system. Internal intruders are further subdivided into the following three categories. Masqueraders are external intruders who have succeeded in gaining access to the system and are acting as an authorized entity. Legitimate intruders have access to both the system and the data but misuse this access (misfeasors). Clandestine intruders have or have obtained supervisory (root) control of the system and as such can either operate below the level of auditing or can use the privileges to avoid being audited by stopping, modifying, or erasing the audit records [Anderson80].
Intrusion detection systems (IDS) have a few basic objectives. Among these objectives are Confidentiality, Integrity, Availability, and Accountability.
Intrusion detection has traditionally been performed at the operating system (OS) level mostly by comparing expected and observed system resource usage. OS intrusion detection systems (OS IDS) can only detect intruders, internal or external, who perform specific system actions in a specific sequence known to constitute an intrusion or those intruders whose behavior pattern statistically varies from a norm. Internal intruders are said to comprise at least fifty percent of intruders [ODS99], but OS intrusion detection systems are frequently insufficient to catch such intruders since they neither perform the specific intrusive actions because they are already legitimate users of the system, nor significantly deviate from expected behavior.
We hypothesize that application specific intrusion detection systems can use the semantics of the application to detect more subtle attacks such as those carried out by internal intruders who possess legitimate access to the system and its data and act within their bounds of normal behavior, but who are actually abusing the system. This research will explore the opportunities and limits of utilizing application semantics to detect internal intruders through general discussion and extensive examples. We will also investigate the potential for application intrusion detection systems (AppIDS) to cooperate with OS intrusion detection systems (OS IDS) to further increase the level of defense offered by the collective intrusion detection system.
The rest of the paper is structured as follows. The next section will describe OS intrusion detection and intrusion detection in general. Then, two case studies will be presented that will be followed by a section describing the observations obtained from the case studies. The last section will present general conclusions.
State of Practice – OS IDS
OS IDS that monitor resource usage of the operating system and the network represent the state of practice. They only monitor the resource usage of the application and not the application activity itself. OS IDS typically obtain the values necessary to perform intrusion detection from the existing audit records of the system.
Intrusion Detection Approaches
Currently there are two basic approaches to intrusion detection. The first approach, anomaly detection, attempts to define and characterize correct static form of data and/or acceptable dynamic behavior. In effect, it searches for an anomaly in either stored data or in the system activity. IDS utilizing anomaly detection include Tripwire [Kim93], Self-Nonself [Forrest94], and NIDES [Anderson95].
The second approach, called misuse detection, involves characterizing known ways to penetrate a system in the form of a pattern. Rules are defined to monitor system activity essentially looking for the pattern. The pattern may be a static bit string or describe a suspect set or sequence of events. The rules may be engineered to recognize an unfolding or partial pattern. IDS utilizing misuse detection include NIDES [Anderson95], MIDAS [Sebring88], and STAT [Porras92].
Intrusion detection systems have been built to explore both approaches: anomaly detection and misuse detection. In some cases, they are combined in a complementary way in a single intrusion detector. There is a consensus in the community that both approaches continue to have value. Systems also apply these same approaches to detect intrusions across a network of computers. Representative systems include NADIR [Hochberg93], NSTAT [Kemmerer97], GrIDS [Staniford-Chen96], and EMERALD [Porras97].
Generic Characteristics of IDS
After analyzing the approaches taken by IDS at the operating system and network levels, some generic characteristics of intrusion detection became apparent. To characterize OS ID and then compare it to Application Intrusion Detection (AppID), we first need to define some terminology that will allow us to discuss the characteristics of both more precisely. This terminology is similar to that used for prior software and hardware error detection research.
A relation is an expression of how two or more values are associated. An observable entity is any object, such as a user, data object, or system device, that has or produces a value in the monitored system that can be used in defining a relation. Examples of operating system level observable entities include CPU time usage, the number of files associated with a user, and the timestamp of the last modification to a file. There are two basic types of relations although some blending between the two is possible. Statistical relations can be used to compare the current value of an observable entity to a profile, a collection of statistical and other relevant information characterizing normal or anomalous behavior. These are most often used in anomaly detection. Rule-based relations relate the immediate or accumulated value to a predefined expected value and are most often used in misuse detection.
Thresholds can be set for the relations regardless of whether they are statistical or rule-based. Thresholds determine how the result of the relation will be interpreted; results outside of the threshold will be considered anomalous and results within the threshold will be considered normal. Thresholds are normally characterized by a certain number of standard deviations for statistical distributions or by a range, either fixed in size or as a percentage of the expected value, for rule-based analysis.
Setting the thresholds will impact the effectiveness of the IDS in detecting intrusions. Tighter thresholds, permitting less discrepancy, allow for greater detection but at the risk of more false alarms, an indication of an intrusion in the absence of an intrusion. Looser thresholds produce fewer false alarms but potentially at the cost of diminished detection.
The frequency with which a relation is evaluated can also impact the effectiveness of the intrusion detection system. It is possible for the IDS to evaluate all relations immediately after each event, the results of actions taken by users, processes, or devices that may be related to a potential intrusion. However, this may place an intolerable processing burden on the IDS. Therefore, events are typically collected in audit records over a period of time. Audit record entries can be reduced by combining some events into a single entry for analysis. For example, a single, failed log-in attempt is most likely insignificant, but many failed log-in attempts over a relatively short period of time may indicate a possible intrusion. The period of time between audit record analysis may be determined using real time or logical time where the relations are evaluated after a certain number of events have occurred. Audit records only deal with notions defined by the OS. Many aspects of the application are not visible to the OS and thus are not in the audit records.
Case Studies of Application Intrusion Detection
OS IDS have matured since their inception. However, the rate of improvements to their effectiveness in detecting intrusions has probably decreased as intruders have become increasingly savvy. Therefore, a significant change in the approach to intrusion detection is needed to further increase the effectiveness of intrusion detection. We hypothesize that major improvements may be made by incorporating intrusion detection into an application intrusion detection system (AppIDS). We use three questions to guide the exploration of using the basic intrusion detection techniques and the additional knowledge of application semantics to improve the effectiveness of intrusion detection.
Opportunity – what types of intrusions can be detected by an AppIDS, especially those not visible to an OS IDS?
Effectiveness – how well can those intrusions be detected by an AppIDS?
Cooperation – how can an AppIDS cooperate with the OS IDS to be more effective than either alone?
Since the concept of intrusion detection at the application level is fairly new, there is a lack of established literature on the subject for use in answering these questions. Therefore, we have decided to develop case studies. From them, we hope to glean some general understanding about AppIDS and determine its viability. By developing the examples, we also hope to develop a possible method of reasoning about such systems more generally.
Electronic Toll Collection
The first case study involves an electronic toll collection (ETC) system comprised of numerous devices interconnected to expedite toll collection on highways. Despite being specific to transportation, we felt that ETC provides a particularly interesting example because of certain properties that it possesses. We looked at several real ETC systems on which to base this case study, but to not increase the risk to any of the observed systems, this case study is based on a generic ETC system. The system incorporates numerous devices distributed throughout the transportation infrastructure to collect ETC specific data such as vehicle identity, weight, number of axles, and license plate numbers. These devices are configured in a hierarchical fashion. The ETC system differs from an OS in that it has these independent, but linked, devices from which it gathers data about the external behavior that it monitors.
The ETC system has a three level hierarchy. At the lowest level are the individual toll booth lanes and the equipment installed in each lane. A collection of adjacent toll lanes comprises a toll plaza, the middle level in the hierarchy. The toll management center, the single node constituting the highest level in the hierarchy, is the central control headquarters that manages all of the system’s toll plazas as well as any other devices from the highway system that are not directly related to the toll lanes or toll plazas.
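The relations, profiles, thresholds and audit-record reduction described in the Jones/Sielken excerpt above, worked through in a small added example. This is not code from the paper or from anyone in this thread. The observable entity (CPU time per session), the k-standard-deviation threshold for statistical relations, the percentage range for rule-based relations and the failed-log-in rule come from the text; the baseline figures, the labelled observations and the audit records are constructed, and the 300-second window and the limit of three failures are assumed values chosen for the demonstration.

```python
"""Toy implementation of the IDS terminology used in the excerpt above:
observable entities, statistical and rule-based relations, thresholds and
audit-record reduction. Added example; all data below is constructed."""
import statistics
from collections import defaultdict


# --- Statistical relation: compare a value to a profile of normal behaviour ---

class Profile:
    """Mean and standard deviation of an observable entity under normal use."""

    def __init__(self, samples):
        self.mean = statistics.mean(samples)
        # Population standard deviation: the baseline is treated as the whole
        # description of "normal", not a sample of it.
        self.stdev = statistics.pstdev(samples)


def statistical_relation(value, profile, k):
    """Anomalous if value lies more than k standard deviations from the mean."""
    if profile.stdev == 0:
        return value != profile.mean
    return abs(value - profile.mean) > k * profile.stdev


# --- Rule-based relation: compare a value to a predefined expected value ---

def rule_relation(value, expected, tolerance_pct):
    """Anomalous if value falls outside expected +/- tolerance_pct percent."""
    margin = expected * tolerance_pct / 100.0
    return not (expected - margin <= value <= expected + margin)


# --- Audit-record reduction: many events -> one entry per (user, window) ---

def reduce_failed_logins(audit_records, window_seconds):
    """Group failed log-in events by user and real-time window; return counts."""
    counts = defaultdict(int)
    for rec in audit_records:
        if rec["event"] != "login_failed":
            continue
        window = rec["ts"] // window_seconds
        counts[(rec["user"], window)] += 1
    return dict(counts)


def failed_login_alerts(audit_records, window_seconds, max_failures):
    """Rule: more than max_failures failures by one user in one window -> alert."""
    counts = reduce_failed_logins(audit_records, window_seconds)
    return sorted(key for key, n in counts.items() if n > max_failures)


# --- Threshold trade-off: tighter thresholds detect more but false-alarm more ---

def evaluate_threshold(profile, observations, k):
    """observations: (value, is_intrusion) pairs. Returns (detections, false_alarms)."""
    detections = false_alarms = 0
    for value, is_intrusion in observations:
        flagged = statistical_relation(value, profile, k)
        if flagged and is_intrusion:
            detections += 1
        elif flagged and not is_intrusion:
            false_alarms += 1
    return detections, false_alarms


# Constructed baseline: CPU seconds per session for one user during normal use.
BASELINE_CPU = [10, 12, 11, 9, 13, 10, 12, 11, 10, 12]
CPU_PROFILE = Profile(BASELINE_CPU)

# Constructed observations with ground truth: (cpu_seconds, is_intrusion).
OBSERVATIONS = [(11, False), (15, False), (8, False), (30, True),
                (12, False), (13, False), (14, True)]

# Constructed audit records: ts in seconds; one user fails repeatedly.
AUDIT_RECORDS = [
    {"ts": 0, "user": "alice", "event": "login_failed"},
    {"ts": 5, "user": "alice", "event": "login_ok"},
    {"ts": 100, "user": "bob", "event": "login_failed"},
    {"ts": 110, "user": "bob", "event": "login_failed"},
    {"ts": 120, "user": "bob", "event": "login_failed"},
    {"ts": 130, "user": "bob", "event": "login_failed"},
    {"ts": 700, "user": "bob", "event": "login_failed"},
]

if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"k={k}: (detections, false alarms) =",
              evaluate_threshold(CPU_PROFILE, OBSERVATIONS, k))
    print("failed-login alerts (user, window):",
          failed_login_alerts(AUDIT_RECORDS, 300, 3))
```

Running it shows the trade-off the text describes: with k=1 both constructed intrusions are caught but three normal sessions are flagged, while k=3 produces one false alarm and misses the subtler intrusion. The log-in rule only fires after the reduction step has combined bob's four failures in one window into a single count.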
Active In SP
Joined: Aug 2011
15-08-2011, 07:20 PM
Thanks for helping me...
Joined: Jul 2011
16-08-2011, 09:59 AM
To get more information about the topic "Intrusion detection systems ( Download Full Seminar Report )" please refer to the link below
http://topicideas.org/how-to-intrusion-d...ll-seminar and presentation-report?pid=54611#pid54611
Active In SP
Joined: Feb 2012
14-02-2012, 04:59 PM
To get information about the topic "Network Intrusion System" (full report, ppt and related topics) refer to the links below
http://topicideas.org/how-to-intrusion-d...ll-seminar and presentation-report
http://topicideas.org/how-to-intrusion-d...ds-seminar and presentation-report
Joined: Apr 2012
24-04-2012, 10:24 AM
To get information about the topic "network intrusion detection" (full report, ppt and related topics) refer to the link below
http://topicideas.org/how-to-intrusion-d...ll-seminar and presentation-report
Joined: Feb 2013
25-02-2013, 12:57 PM
Intrusion Detection System (IDS)
Intrusion detection is the act of detecting unwanted traffic on a network or a device.
An IDS can be a piece of installed software or a physical appliance that monitors network traffic in order to detect unwanted activity and events such as illegal and malicious traffic, traffic that violates security policy, and traffic that violates acceptable use policies. Many IDS store a detected event in a log to be reviewed at a later date or will combine events with other data to make decisions regarding policies or damage control.
Intrusion detection is just as essential to your network as a burglar alarm system is to commercial buildings or homes where valuables are kept. A good IDS will also include IPS functionality; rather than just telling you someone is breaking into your network, it will do something about it.
Progress of the work:
The IDS consists of at least the following subsystems:
6. Model base subsystem,
7. Database system, and
The IDS engine is the control unit of the intrusion detection system. Its main purpose is to manage the system, i.e., supervise all operations of the intrusion detection system. Its duty depends on the intrusion detection method used. These methods are addressed later in the full paper.
There are several ways to categorize intrusion detection systems. The first is based on the scope of the IDS's monitoring; that is, whether it is installed on and uses data from a single host computer, or is a network-based product that monitors traffic on the network as a whole, as well as analyzes data from individual computers.
1) Host-based intrusion detection:
A host-based IDS is one in which the software is installed on a single system and the data from that system is used to detect intrusions. Because the host-based IDS protects the server "at the source," it can more intensely protect that specific computer.
The host-based system usually examines log files on the computer to search for attack signatures. Important system files and executables may also be checked periodically for unexpected changes. A host based system will also monitor ports and trigger an alert if certain ports are accessed.
2) Network-based intrusion detection:
A network-based IDS monitors data from network traffic as well as data from one or more host computers to detect intrusions. A network-based IDS analyzes data packets sent over the network, and generally uses a "promiscuous" network adapter (one that is capable of reading all of the packets sent over the network, rather than just those packets addressed to it). The network-based IDS examines packet headers, which are generally not seen by the host-based IDS. This allows the detection of Denial of Service (DOS) and other types of attacks that may not be detected by a host-based IDS.
How Intrusion Detection System works:
IDS systems can use different methods for detecting suspected intrusions. The two most common broad categories are pattern matching and detection of statistical anomalies.
Pattern matching is used to detect known attacks by their "signatures," or the specific actions that they perform. It is also known as signature-based IDS or misuse detection. The IDS looks for traffic and behavior that matches the patterns of known attacks. The effectiveness is dependent on the signature database, which must be kept up to date.
Pattern matching is analogous to identifying a criminal who committed a particular crime by finding his fingerprint at the scene. Fingerprint analysis is a type of pattern matching.
The biggest problem with pattern matching is that it fails to catch new attacks for which the software doesn't have a defined signature in its database.
Statistical anomalies:
Anomaly-based detection watches for deviations from normal usage patterns. This requires first establishing a baseline profile to determine what the norm is, then monitoring for actions that are outside of those normal parameters. This allows you to catch new intrusions or attacks that don't yet have a known signature.
To be effective, response must be as immediate as possible. That's why your IDS needs to include notification features and you need to set them up so that the alerts get to the proper people as quickly as possible after an intrusion is detected.
The best solution for your organization depends on your network's size, security needs, existing security infrastructure, budget and IT department structure and workload.
Components involved in detecting the intrusion:
Sensors: These are deployed in a network or on a device to collect data. They take input from various sources, including network packets, log files, and system call traces. Input is collected, organized, and then forwarded to one or more analyzers.
Analyzers: Analyzers in an IDS collect data forwarded by sensors and then determine if an intrusion has actually occurred. Output from the analyzers should include evidence supporting the intrusion report.
The analyzers may also provide recommendations and guidance on mitigation steps (actions to take before risk assessment).
User interface: The user interface of the IDS provides the end user a view and way to interact with the system. Through the interface the user can control and configure the system. Many user interfaces can generate reports as well.
Government funding and corporate interest helped to develop their concept into a tangible technology that eventually found its way into the mainstream of network security. Intrusion detection has indeed come a long way, becoming a necessary means of monitoring, detecting, and responding to security threats. From theory to practice, and finally to commercially viable tools, IDS technology has gone through countless iterations and numerous owners. Nonetheless, the use of intrusion detection as a means of deterring misuse has ultimately become commonplace. Moreover, IDS has become essential.
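The sensor and analyzer split described in this post, combined with the signature-based (misuse) detection it explains, as an added example that is not code from the post or from any product it names. Sensors normalize three kinds of input the post lists (host log lines, checks of important files for unexpected changes, and packet headers read by a network sensor) into events; the analyzer applies a small signature database and attaches the matching events as evidence. The log lines, file contents and packet tuples are constructed, and the monitored port, the flood limit and the signature names are assumed policy choices, not values from the post. The last test also shows the limitation the post states: an event with no matching signature produces no report.

```python
"""Added example of an IDS sensor/analyzer pipeline with a signature database.
Everything here is constructed for illustration."""
import hashlib
import re
from collections import Counter

# ---- Sensors: turn raw sources into uniform event dicts ----

# Constructed syslog-style lines that a host-based sensor might read.
HOST_LOG = """\
Feb 25 12:01:03 web01 sshd[412]: Accepted publickey for deploy from 10.0.0.7 port 51022
Feb 25 12:01:09 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx
Feb 25 12:02:44 web01 useradd[519]: new user: name=svc_backup, UID=1007
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d+ [\d:]+) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")


def host_log_sensor(text):
    """Parse log lines into events; lines that do not parse become 'raw' events."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"source": "hostlog", **m.groupdict()})
        else:
            events.append({"source": "hostlog", "prog": "raw", "msg": line})
    return events


def file_integrity_sensor(baseline_hashes, current_contents):
    """Emit an event for every monitored file whose SHA-256 differs from the baseline."""
    events = []
    for path, content in current_contents.items():
        digest = hashlib.sha256(content).hexdigest()
        if baseline_hashes.get(path) != digest:
            events.append({"source": "fim", "path": path, "sha256": digest})
    return events


def network_sensor(packets):
    """packets: (src_ip, dst_ip, dst_port) header tuples seen by a promiscuous adapter."""
    return [{"source": "net", "src": s, "dst": d, "dport": p} for s, d, p in packets]


# ---- Signature database: (name, predicate) pairs; each predicate returns evidence ----

MONITORED_PORTS = {23}  # assumed policy: telnet is not permitted on this network
FLOOD_LIMIT = 100       # assumed: more packets than this from one source to one host


def sig_monitored_port(events):
    return [e for e in events if e["source"] == "net" and e["dport"] in MONITORED_PORTS]


def sig_file_changed(events):
    return [e for e in events if e["source"] == "fim"]


def sig_new_account(events):
    return [e for e in events if e.get("prog") == "useradd" and "new user" in e["msg"]]


def sig_packet_flood(events):
    """Header-only rule: one source sending more than FLOOD_LIMIT packets to one host."""
    counts = Counter((e["src"], e["dst"]) for e in events if e["source"] == "net")
    return [{"src": s, "dst": d, "packets": n} for (s, d), n in counts.items() if n > FLOOD_LIMIT]


SIGNATURES = [
    ("access to monitored port", sig_monitored_port),
    ("unexpected change to monitored file", sig_file_changed),
    ("local account created", sig_new_account),
    ("packet flood against one host", sig_packet_flood),
]


# ---- Analyzer: apply every signature and report each hit with its evidence ----

def analyze(events):
    reports = []
    for name, predicate in SIGNATURES:
        evidence = predicate(events)
        if evidence:
            reports.append({"signature": name, "evidence": evidence})
    return reports


def run_demo():
    """Feed constructed input from all three sensors through the analyzer."""
    baseline = {"/etc/passwd": hashlib.sha256(b"root:x:0:0::/root:/bin/bash\n").hexdigest()}
    current = {"/etc/passwd": b"root:x:0:0::/root:/bin/bash\nsvc_backup:x:1007:1007::/home/svc:/bin/sh\n"}
    packets = [("10.0.0.7", "10.0.0.5", 443), ("10.0.0.9", "10.0.0.5", 23)]
    packets += [("10.0.0.9", "10.0.0.5", 80)] * 150  # constructed flood
    events = (host_log_sensor(HOST_LOG)
              + file_integrity_sensor(baseline, current)
              + network_sensor(packets))
    return analyze(events)


if __name__ == "__main__":
    for report in run_demo():
        print(report["signature"], "->", len(report["evidence"]), "piece(s) of evidence")
```

Each report carries the raw events that triggered it, which is the "evidence supporting the intrusion report" the post asks analyzers to produce; a user interface layer would render these reports and let an operator tune `MONITORED_PORTS` and `FLOOD_LIMIT`.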