CD Unit 6

The document provides an overview of IP Security (IPSec) and its components, including security features such as authentication, integrity, and confidentiality for data transmitted over networks. It outlines the architecture of IPSec, detailing its elements like the Authentication Header (AH) and Encapsulating Security Payload (ESP), along with their functions in ensuring secure communications. Additionally, it discusses the importance of Security Associations (SA) and the mechanisms for preventing replay attacks, emphasizing the role of IPSec in enhancing network security.

Uploaded by: msuresh
CRYPTOGRAPHY AND NETWORK SECURITY

UNIT 6: IP SECURITY & INTRUSION DETECTION SYSTEMS

IP Security: IP Security Overview, IP Security Architecture, Authentication Header, Encapsulating Security Payload, Combining Security Associations and Key Management.
Intrusion Detection: Overview, Approaches for IDS/IPS, Signature-based IDS, Host-based IDS/IPS.

IP SECURITY OVERVIEW:

IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality as data is transferred between communication points across IP networks. IPSec provides data security at the IP packet level. A packet is a data bundle that is organized for transmission across a network; it consists of a header and a payload (the data in the packet). IPSec emerged as a viable network security standard because enterprises wanted to ensure that data could be securely transmitted over the Internet. IPSec protects against possible security exposures by protecting data while in transit.

IPSEC SECURITY FEATURES:

IPSec is a standardized and widely deployed method for securely connecting network sites. It was designed to provide the following security features when transferring packets across networks:
• Authentication: Verifies that the packet received is actually from the claimed sender.
• Integrity: Ensures that the contents of the packet did not change in transit.
• Confidentiality: Conceals the message content through encryption.

IPSEC ELEMENTS:

IPSec contains the following elements:
• Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.
• Authentication Header (AH): Provides authentication and integrity.
• Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.

IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include the following:
> Secure branch office connectivity over the Internet.
> Secure remote access over the Internet.
> Establishing extranet and intranet connectivity with partners: IPSec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism.
> Enhancing elect ronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPSec enhances that security.

Figure. An IP Security Scenario

BENEFITS OF IPSEC:
• IPSec provides strong security within and across the LAN.
• A firewall can use IPSec to restrict incoming packets: if the firewall is the only way into the organization and all traffic from outside must use IP, IPSec in the firewall cannot be bypassed, since packets that are not using IP cannot enter.
• IPSec is below the transport layer (TCP, UDP) and so is transparent to applications. There is no need to change software on a user or server system when IPSec is implemented in the firewall or router. Even if IPSec is implemented in end systems, upper-layer software, including applications, is not affected.
• IPSec can be transparent to end users.
• IPSec can provide security for individual users if needed.

IP SECURITY ARCHITECTURE:

IPSec is constituted by three major components:
> IPSec Documents
> IPSec Services
> Security Associations (SA)

IPSec Documents: The IPSec specification consists of numerous documents. The most important of these, issued in November 1998, are RFCs 2401, 2402, 2406, and 2408:
> RFC 2401: An overview of a security architecture.
> RFC 2402: Description of a packet authentication extension to IPv4 and IPv6.
> RFC 2406: Description of a packet encryption extension to IPv4 and IPv6.
> RFC 2408: Specification of key management capabilities.
(These RFCs have since been superseded by RFC 4301 (architecture), RFC 4302 (AH), RFC 4303 (ESP) and, for key management, IKEv2 in RFC 7296; the structure described here is unchanged.)

The header for authentication is known as the Authentication Header (AH); that for encryption is known as the Encapsulating Security Payload (ESP) header.

The documents are divided into seven groups, as depicted in the figure.

Figure. IPSec Document Overview

• Architecture: Covers the general concepts, security requirements, definitions, and mechanisms defining IPSec technology.
• Encapsulating Security Payload (ESP): Covers the packet format and general issues related to the use of the ESP for packet encryption and, optionally, authentication.
• Authentication Header (AH): Covers the packet format and general issues related to the use of AH for packet authentication.
• Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for ESP.
• Authentication Algorithm: A set of documents that describe how various authentication algorithms are used for AH and for the authentication option of ESP.
• Key Management: Documents that describe key management schemes.
• Domain of Interpretation (DOI): Contains values needed for the other documents to relate to each other. These include identifiers for approved encryption and authentication algorithms, as well as operational parameters such as key lifetime.

IPSec Services:

IPSec provides security services at the IP layer by selecting the required security protocols, algorithms and cryptographic keys as per the services requested. Two protocols are used to provide security: an authentication protocol designated by the header of the protocol, the Authentication Header (AH); and a combined encryption/authentication protocol designated by the format of the packet for that protocol, the Encapsulating Security Payload (ESP). The services are:
> Access control
> Connectionless integrity
> Data origin authentication
> Rejection of replayed packets
> Confidentiality
> Limited traffic flow confidentiality

Table. Services provided by AH and ESP

Service                              | AH  | ESP (encryption only) | ESP (encryption plus authentication)
Access control                       | Yes | Yes                   | Yes
Connectionless integrity             | Yes |                       | Yes
Data origin authentication           | Yes |                       | Yes
Rejection of replayed packets        | Yes | Yes                   | Yes
Confidentiality                      |     | Yes                   | Yes
Limited traffic flow confidentiality |     | Yes                   | Yes

Security Association:

A key concept that appears in both the authentication and confidentiality mechanisms for IP is the security association (SA). An association is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it. If a peer relationship is needed, for two-way secure exchange, then two security associations are required. Security services are afforded to an SA for the use of AH or ESP, but not both.

A security association is uniquely identified by three parameters:
• Security Parameters Index (SPI): A bit string assigned to this SA and having local significance only. The SPI is carried in the AH and ESP headers so that the receiving system can select the SA under which a received packet is to be processed.
• IP Destination Address: The address of the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router.
• Security Protocol Identifier: Indicates whether the association is an AH or an ESP security association.

SA Parameters:

An IPSec implementation contains a Security Association Database (SAD) that holds the parameters associated with each SA:
• Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in AH or ESP headers.
• Sequence Counter Overflow: A flag indicating whether overflow of the Sequence Number Counter should generate an auditable event and prevent further transmission of packets on this SA.
• Anti-Replay Window: Used to determine whether an inbound AH or ESP packet is a replay.
• AH Information: Authentication algorithm, keys, key lifetimes, and related parameters being used with AH.
• ESP Information: Encryption and authentication algorithm, keys, initialization values, key lifetimes, and related parameters being used with ESP (required for ESP implementations).
• Lifetime of This Security Association: A time interval or byte count after which an SA must be replaced with a new SA or terminated.
• IPSec Protocol Mode: The mode, tunnel or transport, used for this SA.
• Path MTU: The maximum size of a packet that can be transmitted without fragmentation.

SA Selectors:

IPSec provides flexibility in applying its services to users according to their needs. For this purpose SAs are used, and different combinations of SAs give different user configurations. IPSec is also capable of differentiating traffic, i.e., deciding which traffic is allowed to pass without IPSec protection and which traffic must be given IPSec protection. This is done with a table called the Security Policy Database (SPD), whose entries map a set of IP traffic to one or more SAs. Selectors are the packet fields used to define a policy entry that specifies whether a packet is to be discarded, forwarded without IPSec processing, or forwarded with IPSec processing. The SPD is used to filter outgoing traffic. A sequence of steps is performed on each outgoing packet:
1. Compare the values of the appropriate fields in the packet (the selector fields) against the SPD to find a matching SPD entry, which will point to zero or more SAs.
2. Determine the SA, if any, for this packet and its associated SPI (the field of the AH or ESP header that uniquely identifies a security association).
3. Do the required IPSec processing (i.e., AH or ESP processing).
The following selectors determine an SPD entry:
• Destination IP Address: A single IP address, an enumerated list or range of addresses, or a wildcard (mask) address.
• Source IP Address: As for the destination address.
• Transport Layer Protocol: The IPv4 Protocol or IPv6 Next Header field. This may be an individual protocol number, an enumerated list of protocol numbers, or a range of protocol numbers.
• Source and Destination Ports: These may be individual TCP or UDP port values, an enumerated list of ports, or a wildcard port.

Transport and Tunnel Modes:

Both AH and ESP support two modes of use: transport and tunnel mode. The operation of these two modes is best understood in the context of a description of AH and ESP.

Transport Mode: Transport mode provides protection primarily for upper-layer protocols. That is, transport mode protection extends to the payload of an IP packet. Transport mode is typically used for end-to-end communication between two hosts. ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header. AH in transport mode authenticates the IP payload and selected portions of the IP header.

Tunnel Mode: Tunnel mode provides protection to the entire IP packet. To achieve this, after the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new "outer" IP packet with a new outer IP header. The entire original, or inner, packet travels through a "tunnel" from one point of an IP network to another; no routers along the way are able to examine the inner IP header. Because the original packet is encapsulated, the new, larger packet may have totally different source and destination addresses, adding to the security. Tunnel mode is used when one or both ends of an SA are a security gateway, such as a firewall or router that implements IPSec. ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header. AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header.

AUTHENTICATION HEADER (AH):

The Authentication Header provides support for data integrity and authentication of IP packets. The data integrity service ensures that data inside IP packets is not altered during transit. The authentication feature enables an end system to authenticate the user or application and filter traffic accordingly. It also prevents address spoofing attacks (a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host). Authentication is based on the use of a message authentication code (MAC); hence the two communicating parties must share a secret key. (In practice AH is seldom deployed today: ESP with its authentication option covers the same integrity needs and, unlike AH, works through NAT, because AH also authenticates the IP header addresses that NAT rewrites.)

Figure. IPSec Authentication Header

The Authentication Header consists of the following fields:
• Next Header (8 bits): Identifies the type of header immediately following this header.
• Payload Length (8 bits): Length of the Authentication Header in 32-bit words, minus 2.
• Reserved (16 bits): For future use.
• Security Parameters Index (32 bits): Identifies a security association.
• Sequence Number (32 bits): A monotonically increasing counter value.
• Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC, for this packet.

Anti-Replay Service:

A replay attack is one in which an attacker obtains a copy of an authenticated packet and later transmits it to the intended destination. The receipt of duplicate, authenticated IP packets may disrupt service in some way or may have some other undesired consequence. The Sequence Number field is designed to stop such attacks.
Anti-Replay Window:

When a new SA is established, the sender initializes a sequence number counter to 0. Each time that a packet is sent on this SA, the sender increments the counter and places the value in the Sequence Number field. Thus, the first value to be used is 1. If anti-replay is enabled (the default), the sender must not allow the sequence number to cycle past 2^32 - 1 back to zero. Otherwise, there would be multiple valid packets with the same sequence number. If the limit of 2^32 - 1 is reached, the sender should terminate this SA and negotiate a new SA with a new key.

Because IP is a connectionless, unreliable service, the protocol does not guarantee that packets will be delivered in order and does not guarantee that all packets will be delivered. Therefore, the IPSec authentication document dictates that the receiver should implement a window of size W, with a default of W = 64. The right edge of the window represents the highest sequence number, N, so far received for a valid packet. For any packet with a sequence number in the range from N - W + 1 to N that has been correctly received (i.e., properly authenticated), the corresponding slot in the window is marked.

Figure. Antireplay Mechanism (a window of W slots ending at N: a slot is marked if a valid packet with that sequence number has been received and unmarked if not; the window advances to the right as higher valid sequence numbers arrive)

Inbound processing proceeds as follows when a packet is received:
1. If the received packet falls within the window and is new, the MAC is checked. If the packet is authenticated, the corresponding slot in the window is marked.
2. If the received packet is to the right of the window and is new, the MAC is checked. If the packet is authenticated, the window is advanced so that this sequence number is the right edge of the window, and the corresponding slot in the window is marked.
3. If the received packet is to the left of the window, or if authentication fails, the packet is discarded; this is an auditable event.
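The two lookups just described, the outbound SPD selector match (SA Selectors above) and the receiver-side anti-replay window with its three inbound cases, as one added example. This is illustration code written for these notes, not code from any IPSec implementation; the SPD entries, packets, SPI value and sequence numbers are constructed, and the MAC check is represented by a boolean so that the window logic stands on its own.

```python
"""Added example (not from the original notes): outbound SPD selector
matching and the receiver-side anti-replay window described above. All
SPD entries, packets and sequence numbers are constructed values."""
from dataclasses import dataclass, field
import ipaddress

WINDOW_SIZE = 64            # default W from the notes
MAX_SEQ = 2**32 - 1         # the counter must never wrap on one SA


@dataclass
class Packet:
    src: str
    dst: str
    proto: int              # IP protocol number: 6 = TCP, 17 = UDP
    dport: int


@dataclass
class SPDEntry:
    dst_net: str            # destination selector as a CIDR (wildcard/mask form)
    proto: object           # individual number, list/range of numbers, or "*"
    dports: object          # individual port, list/range of ports, or "*"
    action: str             # "PROTECT", "BYPASS" or "DISCARD"
    spi: int = 0            # SA the entry points to when action is PROTECT


def selector_matches(selector, value):
    """A selector is an individual value, an enumerated list/range, or a wildcard."""
    if selector == "*":
        return True
    if isinstance(selector, (list, tuple, set, range)):
        return value in selector
    return selector == value


def spd_lookup(spd, pkt):
    """Ordered first-match search of the SPD; returns (action, spi).
    A packet matching no entry is discarded (the RFC 4301 default)."""
    dst = ipaddress.ip_address(pkt.dst)
    for entry in spd:
        if (dst in ipaddress.ip_network(entry.dst_net)
                and selector_matches(entry.proto, pkt.proto)
                and selector_matches(entry.dports, pkt.dport)):
            return entry.action, entry.spi
    return "DISCARD", 0


# Constructed policy: protect TCP to well-known ports in 10.1/16 with the SA
# whose SPI is 0x1234, let other traffic to 10.1/16 bypass, drop the rest.
EXAMPLE_SPD = [
    SPDEntry("10.1.0.0/16", 6, range(1, 1024), "PROTECT", 0x1234),
    SPDEntry("10.1.0.0/16", "*", "*", "BYPASS"),
]


def next_sequence_number(counter):
    """Sender side: the counter starts at 0, so the first value sent is 1.
    Reaching 2^32 - 1 means the SA must be replaced, never wrapped."""
    if counter >= MAX_SEQ:
        raise OverflowError("sequence number exhausted: negotiate a new SA")
    return counter + 1


@dataclass
class AntiReplay:
    """Receiver side of one SA: right edge N plus the set of marked slots
    inside the W-wide window (N - W + 1 .. N)."""
    w: int = WINDOW_SIZE
    n: int = 0
    seen: set = field(default_factory=set)

    def check(self, seq, mac_ok):
        if seq <= self.n - self.w:              # left of the window
            return "DISCARD:old"                # auditable event
        if seq <= self.n and seq in self.seen:  # inside window, already marked
            return "DISCARD:replay"
        if not mac_ok:                          # new, but fails the MAC
            return "DISCARD:auth"               # auditable event
        if seq > self.n:                        # right of window: advance it
            self.n = seq
            self.seen = {s for s in self.seen if s > self.n - self.w}
        self.seen.add(seq)                      # mark the slot
        return "ACCEPT"
```

Note the order inside check: position in the window and the duplicate test come before the MAC verification, so a replayed packet is rejected without spending a MAC computation on it, which is the behaviour the three inbound cases above describe.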
Integrity Check Value:

The Authentication Data field holds a value referred to as the Integrity Check Value (ICV). The ICV is a message authentication code or a truncated version of a code produced by a MAC algorithm.

Transport and Tunnel Modes (AH):

There are two ways in which the IPSec authentication service can be used. In one case, authentication is provided directly between a server and client workstations; the workstation can be either on the same network as the server or on an external network. As long as the workstation and the server share a protected secret key, the authentication process is secure. This case uses a transport mode SA. In the other case, a remote workstation authenticates itself to the corporate firewall, either for access to the entire internal network or because the requested server does not support the authentication feature. This case uses a tunnel mode SA.

Figure. End-to-End versus End-to-Intermediate Authentication

ENCAPSULATING SECURITY PAYLOAD (ESP):

The Encapsulating Security Payload provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality. As an optional feature, ESP can also provide an authentication service.

ESP Format: An ESP packet contains the following fields:
1. Security Parameters Index (32 bits): Identifies a security association.
2. Sequence Number (32 bits): A monotonically increasing counter value; this provides an anti-replay function, as discussed for AH.
3. Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption.
4. Padding (0-255 bytes): The purpose of this field is discussed below.
5. Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field.
6. Next Header (8 bits): Identifies the type of data contained in the Payload Data field by identifying the first header in that payload.
7. Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field.

Figure. IPSec ESP Format

Encryption and Authentication Algorithms:

The Payload Data, Padding, Pad Length, and Next Header fields are encrypted by the ESP. The encryption algorithms listed by the original ESP specification are three-key triple DES, RC5, IDEA, three-key triple IDEA, CAST, and Blowfish. (Current deployments use AES, typically AES-GCM, which provides encryption and authentication together; triple DES, RC5, IDEA and Blowfish are no longer recommended.)

Padding:

The Padding field serves several purposes:
1. If an encryption algorithm requires the plaintext to be a multiple of some number of bytes, the Padding field is used to expand the plaintext to the required length.
2. The ESP format requires that the Pad Length and Next Header fields be right aligned within a 32-bit word. Equivalently, the ciphertext must be an integer multiple of 32 bits. The Padding field is used to assure this alignment.
3. Additional padding may be added to provide partial traffic flow confidentiality by concealing the actual length of the payload.

Transport and Tunnel Modes (ESP):

The figure shows two ways in which the IPSec ESP service can be used. In the upper part of the figure, encryption (and optionally authentication) is provided directly between two hosts. Figure (b) shows how tunnel mode operation can be used to set up a virtual private network. In this example, an organization has four private networks interconnected across the Internet. Hosts on the internal networks use the Internet for transport of data but do not interact with other Internet-based hosts. By terminating the tunnels at the security gateway to each internal network, the configuration allows the hosts to avoid implementing the security capability. The former technique is supported by a transport mode SA, while the latter technique uses a tunnel mode SA.

Figure. Transport-Mode versus Tunnel-Mode Encryption

COMBINING SECURITY ASSOCIATIONS:

An individual SA can implement either the AH or ESP protocol but not both. Sometimes a particular traffic flow will call for the services provided by both AH and ESP.
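The ESP format and the three padding rules above, as an added example written for these notes (not code from any IPSec implementation). It frames a transport-mode ESP packet, computes the padding so that Payload + Padding + Pad Length + Next Header is a multiple of both the cipher block size and 32 bits (plus optional traffic-flow padding), and computes an HMAC-SHA1-96 ICV over everything except the Authentication Data field. The encryption step is deliberately left out (it would use whatever algorithm the SA negotiated), so the payload appears in the clear; the key, SPI and payload are constructed values.

```python
"""Added example (not from the original notes): ESP framing in transport
mode, showing the padding rules above (pad to the cipher block size with
Pad Length and Next Header right-aligned in a 32-bit word, plus optional
traffic-flow padding) and an ICV computed over the ESP packet minus the
Authentication Data field. The encryption step itself is omitted (it would
use the algorithm negotiated for the SA); the key and payload are
constructed values."""
import hashlib
import hmac
import math
import struct

ICV_LEN = 12   # HMAC-SHA1-96: 160-bit MAC truncated to 96 bits (RFC 2404)
KEY = bytes(range(20))                      # constructed authentication key


def esp_padding_length(payload_len, block_size, extra=0):
    """Smallest pad so that Payload + Padding + Pad Length + Next Header is
    a multiple of both the cipher block size and 4 octets, plus `extra`
    traffic-flow padding rounded up to keep that alignment. The total must
    fit in the 8-bit Pad Length field."""
    align = block_size * 4 // math.gcd(block_size, 4)   # lcm(block_size, 4)
    pad = (-(payload_len + 2)) % align
    pad += -(-extra // align) * align
    if pad > 255:
        raise ValueError("padding exceeds the 8-bit Pad Length field")
    return pad


def build_esp(spi, seq, payload, next_header, key=KEY, block_size=16, extra=0):
    """SPI | Sequence Number | Payload | Padding | Pad Length | Next Header | ICV"""
    pad_len = esp_padding_length(len(payload), block_size, extra)
    padding = bytes(range(1, pad_len + 1))              # default 1,2,3,... pattern
    body = payload + padding + struct.pack("!BB", pad_len, next_header)
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv


def parse_esp(packet, key=KEY):
    """Verify the ICV first; only then strip padding. Returns None when the
    ICV is wrong, which the receiver must treat as an auditable discard."""
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", header)
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "payload": body[:len(body) - 2 - pad_len]}
```

For a 16-byte payload and a 16-byte block cipher the function pads with 14 bytes, giving a 32-byte protected region; with a stream cipher (block size 1) only the 32-bit alignment rule applies and 2 pad bytes suffice. parse_esp checks the ICV before it trusts Pad Length, so a tampered packet is rejected without ever being parsed.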
Further, a particular traffic flow may require IPSec services between hosts and, for that same flow, separate services between security gateways, such as firewalls. In all of these cases, multiple SAs must be employed for the same traffic flow to achieve the desired IPSec services. The term security association bundle refers to a sequence of SAs through which traffic must be processed to provide a desired set of IPSec services. Security associations may be combined into bundles in two ways:
> Transport adjacency: Refers to applying more than one security protocol to the same IP packet, without invoking tunneling.
> Iterated tunneling: Refers to the application of multiple layers of security protocols effected through IP tunneling.

KEY MANAGEMENT:

The key management portion of IPSec involves the determination and distribution of secret keys. A typical requirement is four keys for communication between two applications: transmit and receive pairs for both AH and ESP. The IPSec Architecture document mandates support for two types of key management:
• Manual: A system administrator manually configures each system with its own keys and with the keys of other communicating systems. This is suitable for small, relatively static environments.
• Automated: An automated system enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system.

The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley and consists of the following elements:
1. Oakley Key Determination Protocol
2. Internet Security Association and Key Management Protocol (ISAKMP)
(ISAKMP/Oakley was standardized as IKEv1 in RFC 2409 and has been replaced by IKEv2, RFC 7296, which keeps the same cookie, nonce and Diffie-Hellman based design.)

Oakley Key Determination Protocol:

Oakley is a key exchange protocol based on the Diffie-Hellman algorithm but providing added security. Oakley is generic in that it does not dictate specific formats. The Diffie-Hellman algorithm has two attractive features:
1. Secret keys are created only when needed.
2. The exchange requires no preexisting infrastructure other than an agreement on the global parameters.
However, there are a number of weaknesses to Diffie-Hellman:
• It does not provide any information about the identities of the parties.
• It is subject to a man-in-the-middle attack.
• It is computationally intensive. As a result, it is vulnerable to a clogging attack, in which an opponent requests a high number of keys.
Oakley is designed to retain the advantages of Diffie-Hellman while countering its weaknesses.

Features of Oakley: The Oakley algorithm is characterized by five important features:
> It employs a mechanism known as cookies to thwart clogging attacks.
> It enables the two parties to negotiate a group; this, in essence, specifies the global parameters of the Diffie-Hellman key exchange.
> It uses nonces to ensure against replay attacks.
> It enables the exchange of Diffie-Hellman public key values.
> It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks.

Internet Security Association and Key Management Protocol (ISAKMP):

ISAKMP provides a framework for Internet key management and provides the specific protocol support, including formats, for negotiation of security attributes.

ISAKMP Header Format: An ISAKMP message consists of an ISAKMP header followed by one or more payloads. All of this is carried in a transport protocol. The specification dictates that implementations must support the use of UDP for the transport protocol. An ISAKMP header consists of the following fields:
1. Initiator Cookie (64 bits): Cookie of the entity that initiated SA establishment, SA notification, or SA deletion.
2. Responder Cookie (64 bits): Cookie of the responding entity; null in the first message from the initiator.
3. Next Payload (8 bits): Indicates the type of the first payload in the message.
4. Major Version (4 bits): Indicates the major version of ISAKMP in use.
5. Minor Version (4 bits): Indicates the minor version in use.
6. Exchange Type (8 bits): Indicates the type of exchange.
7. Flags (8 bits): Indicates specific options set for this ISAKMP exchange.
8. Message ID (32 bits): Unique ID for this message.
9. Length (32 bits): Length of the total message (header plus all payloads) in octets.

INTRUSION DETECTION SYSTEMS:

Intrusion: A set of actions aimed at compromising the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource. It is the act of gaining unauthorized access to a system so as to cause loss.
Intrusion detection: The process of identifying and responding to intrusion activities.
Intrusion prevention: An extension of intrusion detection that exercises access control to protect computers from exploitation.

Terminology:
> True positives: alerts raised on activity that really is malicious.
> True negatives: benign activity that correctly raises no alert.
> False positives: alerts indicating that something is wrong with a packet when it is actually benign.
> False negatives: malicious activity that raises no alert (a missed detection).

Figure. Position of an IDS/IPS in the network

Overview:

An intrusion detection/prevention system (IDS/IPS) is another element of network defense; it is positioned behind the firewall at the entrance of an important network, as shown in the figure. The IDS/IPS provides deep packet inspection of the payload. An IDS is based on out-of-band detection of intrusions and their reporting, while an IPS performs in-band filtering to block intrusions. An IDS is fed through a wiretap (or a mirror port), which is clearly an out-of-band operation. In contrast, an IPS operates inline. By blocking intrusions, an IPS reduces the need for keeping and reading extensive intrusion-incident logs, which contribute to an IDS's considerable CPU, memory, and I/O overhead.

IDS/IPS BUILDING BLOCK:

A block diagram that outlines the functions of an IDS/IPS system is shown in the figure. As indicated, the observable activities are preprocessed and forwarded to the detection engine that uses a signature/anomaly model. This information is then forwarded to the classification decision engine that uses classification algorithms to provide the alerts or blocking actions.

Figure 19.3. An IDS/IPS system processes activities and generates alerts and blockings.

HOST-BASED OR NETWORK-BASED IDS/IPS:

An IDS/IPS can be either host-based or network-based, in which case it is labeled HIDS/HIPS or NIDS/NIPS, respectively. In the HIDS/HIPS case, the monitoring and blocking activity is performed on a single host. HIDS/HIPS has the advantage that it provides better visibility into the behavior of individual applications running on that host. HIDS/HIPS monitoring also covers attacks by genuine users/insiders, such as illegitimate use of root privileges and unauthorized access to resources and data. A NIDS/NIPS is often located behind a router or firewall that provides the guarded entrance to a critical asset. At this location traffic is monitored and packet headers and payloads are examined using the knowledge base in the NIDS/NIPS. The advantage of this location is that a single NIDS/NIPS can protect many hosts as well as detect global patterns.

There are various types of IPS products:
> Host-based application firewalls perform the IPS function independently of the operating system and block the entry of application-level and web-based intrusions, much like network firewalls bar entry to unwanted traffic.
> A network-based IPS blocks network-level intrusions, such as denial-of-service attacks, and may use anomaly detection to recognize threats based on their behavior.
> Combining network- and host-based IPSs provides the best protection against all types of intrusions.

THE APPROACHES USED IN IDS/IPS:

The approaches to intrusion detection can generally be classified as either anomaly/behavior-based or signature-based.
> Anomaly-based detectors generate the normal behavior/pattern of the protected system, and deliver an anomaly alarm if the observed behavior at an instant does not conform to the expected behavior.
> Anomaly-based IDS/IPS are more likely to generate false positives due to the dynamic nature of networks, applications and exploits.
> According to the type of processing, anomaly detection techniques can be classified into three main categories: statistical-based, knowledge-based, and machine learning-based.

STATISTICAL-BASED IDS/IPS:

In the statistical-based IDS/IPS, the behavior of the system is represented from the captured network traffic activity and a profile representing its stochastic behavior is created. This profile is based on metrics such as the traffic rate, the number of packets for each protocol, the rate of connections, the number of different IP addresses, etc. The method employs the collected profile that relates to the behavior of genuine users, which is then used in statistical tests to determine whether the behavior under detection is genuine or not. During the anomaly detection process, the profile corresponding to the currently captured traffic is compared with the previously trained statistical profile. As network events occur, the current profile is determined and an anomaly score is estimated by comparison of the two behaviors. The score normally indicates the degree of deviation for a specific event.

Advantages:
> First, they do not require prior knowledge about the normal activity of the target system; instead, they have the ability to learn the expected behavior of the system from observations.
> Second, statistical methods can provide accurate notification of malicious activities occurring over long periods of time.

Drawbacks:
> Setting the values of the thresholds and parameters/metrics is a difficult task, especially because the balance between false positives and false negatives is affected.
> Not all behaviors can be modeled by using stochastic methods.
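The statistical profile and anomaly score described above, as an added example written for these notes (not taken from any IDS product). A baseline of mean and standard deviation per metric is learned from per-interval traffic counters, each new interval is scored by its largest z-score, and the threshold drawback above is visible directly: the same borderline interval is "OK" at one threshold and an alert at a lower one. The counters are constructed sample data, not captured traffic.

```python
"""Added example (not from the original notes): a statistical anomaly
detector in the style described above. A baseline profile (mean and
standard deviation of each traffic metric) is learned from per-interval
counters, and a new interval gets an anomaly score equal to its largest
z-score across metrics; the score is compared with a threshold whose
setting trades false positives against false negatives. The counters are
constructed sample data, not captured traffic."""
import math

METRICS = ("packets_per_sec", "connections_per_sec", "distinct_src_ips")

# Constructed training intervals: (packets/s, new connections/s, distinct source IPs)
TRAINING = [
    (410, 12, 30), (395, 11, 28), (430, 14, 33), (405, 13, 31),
    (420, 12, 29), (390, 10, 27), (415, 13, 32), (400, 12, 30),
]


def build_profile(intervals):
    """Per-metric (mean, sample standard deviation) learned from observations;
    no prior knowledge of what 'normal' looks like is needed."""
    n = len(intervals)
    profile = {}
    for i, name in enumerate(METRICS):
        values = [row[i] for row in intervals]
        mean = sum(values) / n
        var = sum((v - mean) ** 2 for v in values) / (n - 1)
        profile[name] = (mean, math.sqrt(var) or 1.0)   # constant metric: avoid /0
    return profile


def anomaly_score(profile, interval):
    """Degree of deviation of one interval: the largest absolute z-score over
    all metrics, and which metric produced it."""
    worst, worst_metric = 0.0, None
    for i, name in enumerate(METRICS):
        mean, sd = profile[name]
        z = abs(interval[i] - mean) / sd
        if z > worst:
            worst, worst_metric = z, name
    return worst, worst_metric


def classify(profile, interval, threshold):
    """('ALERT' | 'OK', rounded score, metric). Lowering the threshold catches
    smaller deviations at the cost of more false positives."""
    score, metric = anomaly_score(profile, interval)
    return ("ALERT" if score > threshold else "OK", round(score, 2), metric)
```

With the training data above the packet rate has a standard deviation of about 13 packets/s, so an interval at 440 packets/s scores roughly 2.4: below a threshold of 3 it passes, below a threshold of 2 it alerts. A scan from thousands of new source addresses scores in the hundreds on distinct_src_ips and is flagged at any sensible threshold.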
KNOWLEDGE-/EXPERT-BASED IDS/IPS:

Knowledge-based IDS/IPS captures the normal behavior from available information, including expert knowledge, protocol specifications, network traffic instances, etc. The normal behavior is represented as a set of rules. Attributes and classes are identified from the training data or specifications. Then a set of classification rules, parameters or procedures is generated. The rules are used for detecting anomalous behavior. Specification-based anomaly methods require that the model be manually constructed by human experts in terms of a set of rules (the specifications) describing the system behavior. Specification-based techniques have been shown to produce a low rate of false alarms, but are not as effective as other anomaly detection methods in detecting novel attacks, especially when it comes to network probing and denial-of-service attacks. The most significant advantages of knowledge/expert-based detection are the low false alarm rate and the fact that it may detect zero-day and mutated attacks. The main drawback is that the development of high-quality rules is time-consuming and labor-intensive.

MACHINE LEARNING-BASED IDS/IPS:

Machine learning IDS/IPS schemes are based on the establishment of an explicit or implicit model that allows the patterns analyzed to be categorized. Machine learning is different from statistical-based methods because machine learning discovers the characteristics for building a model of behaviors. As more learning is performed, the model becomes more accurate. The discovery and learning process is the advantage of machine learning; however, it requires a significant amount of computational resources.

SIGNATURE-BASED IDS:

A signature is a known pattern of a threat, such as:
• An e-mail with an attachment containing malware, sent with an interesting subject.
• A "remote login" by an admin user, which is a clear violation of an organization's policy.
This mechanism works against known threats.
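A minimal signature matcher, added here as an example written for these notes (not code from any IDS product). It keeps a small signature database, compares every event against it, raises an alert on the first match and passes everything else. The signatures and the sample events are constructed; the last event is the evasion case described under signature-based detection, a URL-encoded variant of a known attack that the literal signature misses unless the input is normalized first.

```python
"""Added example (not from the original notes): a minimal signature-based
detector. Each signature is an identifier plus a pattern; every event is
compared against the whole database, the first match raises an alert and
anything else passes. Signatures and sample events are constructed; the
last event is the evasion the notes warn about, a small encoding variation
of a known attack that the literal signature misses until the input is
normalized first."""
import re
from urllib.parse import unquote

# Constructed signature database: (id, description, compiled pattern)
SIGNATURES = [
    ("SIG-1001", "Directory traversal in URL",
     re.compile(r"\.\./")),
    ("SIG-1002", "SQL injection tautology",
     re.compile(r"'\s*OR\s+1\s*=\s*1", re.I)),
    ("SIG-2001", "Executable e-mail attachment",
     re.compile(r"attachment=.*\.(exe|scr)\b", re.I)),
    ("SIG-3001", "Remote admin login (policy violation)",
     re.compile(r"sshd.*Accepted .* for admin from (?!10\.)")),
]

# Constructed events: HTTP request lines, a mail gateway line, sshd log lines
SAMPLE_EVENTS = [
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/../../etc/passwd HTTP/1.1",
    "GET /login?user=x' OR 1=1-- HTTP/1.1",
    'mail from=<a@example.test> subject="Invoice" attachment=invoice.pdf.exe',
    "sshd[812]: Accepted password for admin from 203.0.113.9 port 5123",
    "sshd[813]: Accepted password for admin from 10.0.0.4 port 5124",
    "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",   # URL-encoded variant
]


def normalize(event):
    """Canonicalize before matching so trivial encoding variants cannot
    evade literal signatures (here: URL-decoding)."""
    return unquote(event)


def match_signatures(event, signatures=SIGNATURES):
    """First matching (id, description), or None meaning 'pass'."""
    for sig_id, desc, pattern in signatures:
        if pattern.search(event):
            return sig_id, desc
    return None


def scan(events, signatures=SIGNATURES, normalize_first=False):
    """Classify each event as ('ALERT', sig_id) or ('PASS', None)."""
    results = []
    for ev in events:
        hit = match_signatures(normalize(ev) if normalize_first else ev, signatures)
        results.append(("ALERT", hit[0]) if hit else ("PASS", None))
    return results
```

The admin-login signature only fires for source addresses outside 10.0.0.0/8, which is how the policy rule in the list above ("remote login by an admin user") becomes a concrete pattern. Without normalization the encoded traversal passes straight through; with it, the same signature catches it, which is why real engines decode and canonicalize before matching and why the signature set has to be refreshed as variants appear.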
Signature-based detection is the simplest form of detection because it just compares the traffic with the signature database. If a match is found then an alert is generated; if no match is found then the traffic flows without any problem. In signature-based detection, detection is based on comparing the traffic to the known signatures for possible attacks. Such systems can only detect known threats and hence are weak in detecting unknown threats. To detect an attack the signature matching has to be precise; otherwise, even if the attack has only a small variation from the known threat signature, the system will not detect it. Hence it is easy for attackers to compromise and breach into the trusted network. The signature database needs to be updated constantly, almost on a daily basis, from the anti-malware labs; if the signatures are not up to date, chances are that the IDS will fail to detect some of the latest attacks. The other disadvantage is that such systems have very little information about previous requests when processing the current ones.

Figure. Signature-based detection

Signature-based detection can offer very specific detection of threats by comparing network traffic with the threat signature database. The detection can be enhanced if the network traffic inside the network is used to learn specific patterns, thus reducing false positives. Signature detection engines tend to degrade in performance over a period of time as more and more signatures are added to the database: it takes more time for the engine to do a pattern search as the signature database keeps growing with every definition added to it. Hence a robust platform is needed for signature detection, considering this growth.

HOST-BASED IDS:

A Host-based Intrusion Detection System refers to the detection of intrusion on a single system.
This is normally a software-based deployment where an agent, as shown in the figure, is installed on the local host and monitors and reports the application activity. HIDS monitors the access to the system and its applications and sends alerts for any unusual activities. It constantly monitors event logs, system logs, application logs, user policy enforcement, rootkit detection, file integrity and other intrusions to the system. It constantly monitors these logs and creates a baseline. If any log entries appear, HIDS checks the data against the baseline, and if entries are found outside of this baseline, HIDS triggers an alert. If any unauthorized activity is detected, HIDS can alert the user, block the activity or perform any other action based on the policy that is configured on the system.

Figure 11-2: Host Based Intrusion Detection System

Most of the HIDS products have the ability to prevent attacks also. However, it is initially deployed in detection mode; a baseline of the system activity is created, and only then is it deployed in prevention mode. HIDS functionality depends on the logs generated by the system and on the fact that intruders leave evidence of their activities. Generally, hackers get access to the system and install malicious tools so that future access becomes easier. If these tools change the operating system configuration, or entries of the Windows registry, this is logged in the system/event log, thus triggering an alert by the HIDS.
HIDS is generally installed on servers or end point devices to protect the system from intrusion. The function of HIDS solely depends on the audit trails generated by the system. If hackers manage to turn off these logs, then even with a HIDS agent running it may not trigger any alerts. This is the biggest disadvantage of HIDS.

Advantages of HIDS
• System-level protection: protects from attacks directed at the system.
• Any unauthorized activity on the system (configuration changes, file changes, registry changes, etc.) is detected and an alert is generated for further action.

Disadvantages
• HIDS functionality works only if the systems generate logs that can be matched against the pre-defined policies. If for some reason the systems do not generate logs, HIDS may not function properly.
• If hackers bring down the HIDS server, then HIDS is of no use. This is true for any vulnerability software.

HOST-BASED IDS/IPS:

Many host security products contain integrated host-based IDS/IPS systems (HIDS/HIPS), anti-malware and a firewall. These HIDS/HIPS systems have both advantages and weaknesses. They are capable of protecting mobile hosts from an attack when outside the protected internal network, and they can defend against local attacks, such as malware on removable devices. They also protect against attacks from the network and against encrypted attacks in which the encrypted data stream terminates at the host being protected. They have the capability of detecting anomalies of host software execution, e.g. system call patterns. HIDS/HIPS builds a dynamic database of system objects that can be monitored. On the negative side, if an attacker takes control over a host, the HIDS/HIPS and NAC (Network Access Control) agent software can be compromised and disabled, and the audit logs modified to hide the malware. In addition, HIDS/HIPS has only a local view of the attack, and host-based anomaly detection has a high false alarm rate.
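The baseline mechanism described for HIDS above, as an added example that is not code from the original notes. It implements two of the checks the notes list: a file-integrity baseline (hash every monitored file, then report added, removed or modified files) and a log baseline (learn which user/action pairs occur during a learning period, then alert on entries outside it). The host's files, the log line format and all log lines are constructed in-memory; the final check shows the disadvantage the notes stress: with no audit trail there is nothing to alert on.

```python
"""Toy host-based IDS (added example; not code from the original notes).

File contents, the log line format ("<timestamp> user=<u> action=<a>")
and every log line below are constructed for the example.
"""
import hashlib


def build_file_baseline(files: dict) -> dict:
    """files: {path: content bytes} -> {path: sha256 hex}."""
    return {path: hashlib.sha256(content).hexdigest()
            for path, content in files.items()}


def check_files(baseline: dict, current_files: dict) -> list:
    """Compare a fresh snapshot against the baseline; return alert strings."""
    now = build_file_baseline(current_files)
    alerts = []
    for path in sorted(set(baseline) | set(now)):
        if path not in now:
            alerts.append(f"file removed: {path}")
        elif path not in baseline:
            alerts.append(f"file added: {path}")
        elif baseline[path] != now[path]:
            alerts.append(f"file modified: {path}")
    return alerts


def parse_log(line: str) -> tuple:
    """Extract the (user, action) pair from a constructed log line."""
    fields = dict(token.split("=", 1) for token in line.split()[1:])
    return (fields["user"], fields["action"])


def build_log_baseline(learning_lines) -> set:
    """Learning period: every (user, action) seen is treated as normal."""
    return {parse_log(line) for line in learning_lines}


def check_logs(baseline: set, log_lines) -> list:
    """Alert on every entry whose (user, action) lies outside the baseline."""
    return [f"unusual activity: {line}"
            for line in log_lines if parse_log(line) not in baseline]


# Constructed host state at baseline time and at a later check.
FILES_BASELINE = {
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/usr/bin/ssh": b"constructed-binary-v1",
}
FILES_LATER = {
    "/etc/hosts": b"127.0.0.1 localhost\n203.0.113.5 update-server\n",
    "/usr/bin/ssh": b"constructed-binary-v1",
    "/tmp/unexpected.bin": b"constructed-new-file",
}

# Constructed log lines: a learning period, then a later period.
LOGS_LEARNING = [
    "2024-01-01T08:00:00 user=alice action=login",
    "2024-01-01T08:01:00 user=alice action=open_app",
    "2024-01-01T23:00:00 user=svc-backup action=backup",
]
LOGS_LATER = [
    "2024-01-02T08:00:00 user=alice action=login",
    "2024-01-02T08:05:00 user=alice action=registry_write",
    "2024-01-02T09:00:00 user=bob action=login",
]

if __name__ == "__main__":
    file_base = build_file_baseline(FILES_BASELINE)
    log_base = build_log_baseline(LOGS_LEARNING)
    for alert in check_files(file_base, FILES_LATER) + check_logs(log_base, LOGS_LATER):
        print("ALERT", alert)
    # No audit trail at all: the agent is running but has nothing to check.
    print("alerts with logging disabled:", check_logs(log_base, []))
```

The last line is the point the notes make about the biggest disadvantage of HIDS: the agent never fails loudly when logging is switched off, it simply stops producing alerts, so a defender should monitor the audit trail itself (log volume, log service state) as well as its contents.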
