IPS responses: stop the attack (terminate the network connection or user session; block access to the target from the offending user account or IP address); change the security environment (reconfigure network devices, apply patches when an intrusion is found, throttle bandwidth); remove or replace the malicious portions of the attack to make it benign. An IPS needs more resources than an IDS, so inspect only critical traffic.
Snort is an element of intrusion detection. Primary assumption: observable normal and intrusive activities are distinct, and evidence can tell the difference.
From an algorithmic perspective: features capture the intrusion evidence; models piece the evidence together.
From a system architecture perspective: audit data processor, knowledge base, decision engine, alarm generation and responses. Modeling is how to tell intrusive activity from normal: extract features (evidence) from audit data, then piece the evidence together.
Detection methods: misuse detection (signature-based: viruses, well-known attacks); anomaly detection (statistical, train the system on what is normal); stateful protocol analysis (understands the protocol). Deployment: network-based and host-based.
Sensor or Agent. Monitors and analyzes activity. The term sensor is typically used for IDPSs that monitor networks, including network-based, wireless, and network behavior analysis technologies; agent is typically used for host-based IDPS technologies.
Management Server. A centralized device that receives information from the sensors or agents and manages them. Matching event information from multiple sensors or agents, such as finding events triggered by the same IP address, is known as correlation. Available as appliance and software-only products.
Database Server. A repository for event information recorded by sensors, agents, and/or management servers.
Console. A program that provides an interface for the IDPS's users and administrators.
Standard: a separate management network does not impact the monitored network and gives higher security, but is more expensive. Snort components: packet decoder, preprocessors, detection engine (each rule tests a single aspect of a packet), output modules (put the raw data into readable form / visualisation). Modes: sniffer, packet logger, NIDS, and inline (acts like an IPS).
Rules: rule = <action> <header> (<options>)
Actions: alert, pass, activate, dynamic, drop, reject, log. log = log the packet; pass = ignore the packet; activate = alert, then turn on a dynamic rule; dynamic
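To make the rule shape <action> <header> (<options>) concrete, here is an added example parser (not part of the original notes or of Snort itself) that splits a rule into its action, header fields and option keyword/value pairs; the sample rule is constructed for illustration and the action list is the one given in the notes.

```python
import re
from dataclasses import dataclass, field

# Rule actions as listed in the notes above.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject"}

@dataclass
class SnortRule:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: list = field(default_factory=list)  # (keyword, value) pairs

# <action> <proto> <src> <src_port> <-> or <>> <dst> <dst_port> (<options>)
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

def split_options(body):
    """Split the option body on ';' but not inside double-quoted values,
    so a ';' inside msg:"..." or content:"..." is kept. (Backslash-escaped
    quotes are not handled here.)"""
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    # Modifiers such as "nocase" have no value; keyword:value ones are split.
    return [(k.strip(), v.strip()) for k, _, v in (o.partition(":") for o in opts)]

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not of the form <action> <header> (<options>)")
    action, proto, src, sp, direction, dst, dp, body = m.groups()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return SnortRule(action, proto, src, sp, direction, dst, dp, split_options(body))

# Constructed sample rule (hypothetical, for illustration only).
SAMPLE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test; semicolon kept"; '
          'content:"/etc/passwd"; nocase; sid:1000001; rev:1;)')
```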
