
Intrusion Detection System (IDS)

By – Nilesh Dalavi
What Is Intrusion Detection
Intrusion Detection is the process of identifying and responding to malicious activity targeted at computing and network resources.
Characteristics of ID
• ID monitors a whole system or just a part of it.
• Intrusion detection occurs either during an intrusion or after it.
• ID can be stealthy or openly advertised.
• If suspicious activity occurs it produces an alarm and keeps logs that can be used for reports on long-term development.
• ID systems can produce an alarm and/or produce an automated response.
Motivation of ID
The motivation for intrusion detection varies for different sites:
• Some use IDS for tracking, tracing, and prosecution of intruders.
• Some use IDS as a mechanism for protecting computing resources.
• Some use IDS for identifying and correcting vulnerabilities.
Why Intrusion Detection
• Detecting and reacting to an attack:
  o Possibly stopping the attack before anything serious happens, and doing damage control.
  o Gaining knowledge of the attack and managing the damage.
  o Gathering information about the attack and trying to stop it from happening again.
IDS Classification
• ID systems can be classified into one of the following categories based on the types of data they examine:
  o Host
  o Network
  o Application
IDS Classification (cont.)
• Host: A host-based IDS examines data such as log files, process accounting information, user behaviour, or outputs from application-based ID systems operating on a host.
• Network: A network-based IDS examines network traffic. It may have access to outputs from host-based and application-based ID systems operating within the monitored network environment.
IDS Classification (cont.)
• Application: An application-based IDS examines the behaviour of an application program, generally in the form of log files.
Methodology of Intrusion Detection
• Passive (after the fact, or on-line solution):
  o Audit trail analysis
  o Network traffic analysis
  o Anomaly detection
  o Misuse detection
  o Combination of these methods
• Positive (before the fact):
  o Honeypot
What is NIDS?
• A Network Intrusion Detection System (NIDS) is a system which monitors packets on the network wire and attempts to discover whether a hacker/cracker is attempting to break into a system (or cause a denial-of-service attack).
Traffic Analysis & Network Monitoring
Main problems
• To actually recognize an attack, you usually need more information.
• Cannot monitor user activities on the console.
• Since traffic analysis collects all traffic on the network, a vast amount of storage is necessary, and there is the processing overhead of hardware such as the CPU and NIC (network interface card).
Wireshark – Expert Info
Intrusion can be detected using Wireshark -> Expert Info.
The expert info is a kind of log of the anomalies found by Wireshark in a capture file. Each expert info entry will contain the following things.
Severity:
• Chat (grey): information about usual workflow, e.g. a TCP packet with the SYN flag set
• Note (cyan): notable things, e.g. an application returned a "usual" error code like HTTP 404
• Warn (yellow): warning, e.g. an application returned an "unusual" error code like a connection problem
• Error (red): serious problem, e.g. [Malformed Packet]
Expert Info (screenshot)
INTRUSION DETECTION USING WIRESHARK – 2. Firewall ACL
Using Wireshark, a firewall ACL rule can be created for any IP address to deny/allow packets from that particular IP.
Firewall ACL (screenshot)
INTRUSION DETECTION USING WIRESHARK – 2. Flow Graphs
B. Intrusion can be detected using Wireshark -> Chats
The chat (flow graph) for a TCP connection should contain the sequence of SYN, SYN+ACK and ACK messages.
Flow Graphs
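As an added illustration (not part of the original slides), the following Python checks a constructed list of TCP segments against the SYN, SYN+ACK, ACK sequence described above and assigns each connection a Wireshark-style severity (Chat, Note, Warn); the sample segments, the endpoint addresses and the severity mapping are my own construction, not Wireshark output.

```python
from collections import defaultdict

# Constructed sample capture (not real traffic): (src, dst, TCP flags) per segment.
SAMPLE_SEGMENTS = [
    ("10.0.0.5:40001", "10.0.0.9:80", {"SYN"}),          # normal handshake
    ("10.0.0.9:80", "10.0.0.5:40001", {"SYN", "ACK"}),
    ("10.0.0.5:40001", "10.0.0.9:80", {"ACK"}),
    ("10.0.0.7:50000", "10.0.0.9:22", {"SYN"}),          # half-open: final ACK never arrives
    ("10.0.0.9:22", "10.0.0.7:50000", {"SYN", "ACK"}),
    ("10.0.0.8:51000", "10.0.0.9:443", {"ACK"}),         # mid-stream segment, no SYN seen
]

# Expected client/server direction and flags for a three-way handshake.
EXPECTED = [("c", frozenset({"SYN"})),
            ("s", frozenset({"SYN", "ACK"})),
            ("c", frozenset({"ACK"}))]

def conn_key(src, dst):
    """Direction-independent key so both halves of a connection group together."""
    return tuple(sorted((src, dst)))

def check_handshakes(segments):
    """Map each connection to (severity, message) using Wireshark-like severities."""
    flows = defaultdict(list)   # conn_key -> [(src, flags), ...] in capture order
    initiator = {}              # conn_key -> endpoint that sent the bare SYN
    for src, dst, flags in segments:
        key = conn_key(src, dst)
        if key not in initiator and flags == {"SYN"}:
            initiator[key] = src
        flows[key].append((src, frozenset(flags)))
    results = {}
    for key, pkts in flows.items():
        client = initiator.get(key)
        if client is None:
            results[key] = ("Warn", "segment seen without a preceding SYN")
            continue
        observed = [("c" if src == client else "s", f) for src, f in pkts[:3]]
        if observed == EXPECTED:
            results[key] = ("Chat", "complete SYN, SYN+ACK, ACK handshake")
        elif observed == EXPECTED[:len(observed)]:
            results[key] = ("Note", "incomplete (half-open) handshake")
        else:
            results[key] = ("Warn", "handshake out of order")
    return results

if __name__ == "__main__":
    for key, (sev, msg) in check_handshakes(SAMPLE_SEGMENTS).items():
        print(f"{sev:5} {key[0]} <-> {key[1]}: {msg}")
```

A real deployment would feed segments from a capture (for example, fields exported from Wireshark) into check_handshakes instead of the constructed list.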
Wireshark – Monitoring
Proxy Servers
A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers.
Types
1. Open Proxy
2. Reverse Proxy
Proxy Servers
Online web proxy list provider websites
1. https://proxy-list.org/english/index.php
2. http://proxylist.hidemyass.com/
3. https://www.torvpn.com/en/proxy-list
