IPS responses. An IPS can stop the attack in progress: terminate the network connection or user session, block access to the target from the offending user account or IP address, or block all access to the target. It can change the security environment: reconfigure network devices (firewalls, routers, switches), apply a patch to a host once the intrusion shows which vulnerability was used, or throttle bandwidth. It can change the attack's content: remove or replace the malicious portion so the rest becomes benign (e.g. strip an infected attachment from an e-mail). Inline prevention needs more resources than passive detection, so an IPS usually inspects only the critical traffic or segments.

Elements of intrusion detection (Snort is one example of an IDS). Primary assumptions: normal and intrusive activity are both observable, and the two are distinct, so there is evidence that tells them apart. From an algorithmic perspective: features capture the evidence of intrusion; models piece the evidence together. From a system architecture perspective: audit data processor, knowledge base, decision engine, alarm generation and response. Modeling, then, means deciding how to tell intrusive activity apart from normal activity using the features (evidence) extracted from the audit data, and how to piece that evidence together into a decision.

Detection methods: misuse (signature-based) detection matches known attacks, the way a virus scanner does; anomaly (statistical) detection trains the system on what is normal and flags deviations; stateful protocol analysis understands the protocol and flags traffic that departs from its expected states. Deployment: network-based and host-based.

IDPS components. Sensor or agent: monitors and analyzes activity. "Sensor" is typically used for IDPSs that monitor networks, including network-based, wireless, and network behavior analysis technologies; "agent" is typically used for host-based IDPS technologies. Management server: a centralized device that receives information from the sensors or agents and manages them; sold as appliance and software-only products. Matching event information from multiple sensors or agents, such as finding events triggered by the same IP address, is known as correlation. Database server: a repository for event information recorded by sensors, agents, and/or management servers. Console: a program that provides an interface for the IDPS's users and administrators. Management traffic can ride the standard network or a separate management network: the separate network does not impact the production network and gives higher security, but costs more.

Snort internals: packet decoder, preprocessors, detection engine (each rule test examines a single aspect of a packet), and output plugins that turn the raw data into a readable form. Modes: sniffer, packet logger, NIDS; in inline mode Snort acts like an IPS.
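Worked example of correlation at the management server, added here for illustration (it is not from the notes and not from any IDPS product). It clusters alerts from several sensors and agents by source IP within a time window and reports sources that more than one sensor has seen. The event layout, the sensor names, the 5-minute window and the two-sensor threshold are all assumptions; the events themselves are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, in the shape a management server might receive from
# several sensors and agents: (sensor, ISO timestamp, source IP, signature name).
# Made-up events for this example, not real sensor output.
SAMPLE_EVENTS = [
    ("nids-dmz",  "2024-05-01T10:00:00", "203.0.113.7",  "SCAN nmap SYN"),
    ("nids-core", "2024-05-01T10:00:12", "203.0.113.7",  "SCAN nmap SYN"),
    ("hids-web1", "2024-05-01T10:00:40", "203.0.113.7",  "WEB-ATTACKS /etc/passwd access"),
    ("nids-dmz",  "2024-05-01T10:05:00", "198.51.100.2", "POLICY ICMP echo"),
    ("hids-db1",  "2024-05-01T11:30:00", "203.0.113.7",  "LOGIN failed ssh"),
]


def parse_event(raw):
    sensor, ts, src_ip, sig = raw
    return {"sensor": sensor, "time": datetime.fromisoformat(ts), "src_ip": src_ip, "sig": sig}


def _summarize(src_ip, cluster):
    return {"src_ip": src_ip,
            "sensors": sorted({e["sensor"] for e in cluster}),
            "signatures": sorted({e["sig"] for e in cluster}),
            "count": len(cluster),
            "first": cluster[0]["time"].isoformat(),
            "last": cluster[-1]["time"].isoformat()}


def correlate_by_source(events, window=timedelta(minutes=5), min_sensors=2):
    """Group alerts by source IP, split each group into time clusters no longer than
    `window`, and report clusters seen by at least `min_sensors` distinct sensors."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    incidents = []
    for src_ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        clusters, current = [], []
        for e in evs:
            if current and e["time"] - current[0]["time"] > window:
                clusters.append(current)      # window exceeded: close this cluster
                current = []
            current.append(e)
        clusters.append(current)
        for c in clusters:
            if len({e["sensor"] for e in c}) >= min_sensors:
                incidents.append(_summarize(src_ip, c))
    return incidents


def find_incidents(raw_events=SAMPLE_EVENTS):
    return correlate_by_source([parse_event(r) for r in raw_events])


if __name__ == "__main__":
    for incident in find_incidents():
        print(incident)
```

On the sample data only 203.0.113.7 qualifies: three sensors reported it within 40 seconds, while its later SSH failure is a single-sensor event outside the window and 198.51.100.2 was seen once. Thresholds like these are what keep a management server from raising an incident on every isolated alert.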
Rules: rule = <action> <header> (<options>). The header is <protocol> <src IP> <src port> <direction> <dst IP> <dst port>; the options, in parentheses and separated by semicolons, hold the detection tests (content, flags, etc.) plus bookkeeping such as msg and sid. Actions: alert = generate an alert, then log the packet; log = log the packet; pass = ignore the packet; activate = alert, then turn on a dynamic rule; dynamic = stay idle until turned on by an activate rule, then act as a log rule; drop = block and log the packet (inline mode); reject = block and log the packet and send a TCP reset or ICMP port unreachable; sdrop = block the packet without logging it. Activate/dynamic pairs are a legacy Snort 2 feature being phased out in favour of tagging.
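Added example, not Snort's own code: a small parser and matcher for rules in the Snort 2 header/options form above, run over constructed packets. It evaluates only the header fields and the msg, sid, content and nocase options, applies nocase to every content in a rule, does not support $VAR names or escaped quotes, and ranks competing matches pass > drop/sdrop/reject > alert > log; that ordering is an assumption for the demo (Snort's real order depends on version and configuration). The rules and packets are made up for the example.

```python
import ipaddress
import re

# Added example, not Snort code: a small parser/matcher for Snort 2 rules of the form
#   <action> <proto> <src_ip> <src_port> <direction> <dst_ip> <dst_port> (<options>)
# Assumed simplifications: only msg/sid/content/nocase are evaluated, nocase applies to every
# content in the rule, no $VAR names or escaped quotes, rank pass > drop/sdrop/reject > alert > log.
RANK = {"pass": 0, "drop": 1, "sdrop": 1, "reject": 1, "alert": 2, "activate": 2, "log": 3, "dynamic": 3}
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

def split_options(text):
    """Split 'key:val; key2; ...' on ';' outside double quotes -> [(key, val), ...]."""
    parts, buf, quoted = [], "", False
    for ch in text:
        quoted ^= (ch == '"')
        if ch == ";" and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return [tuple(s.strip() for s in p.partition(":")[::2]) for p in parts if p.strip()]

def decode_content(val):
    """content string -> bytes; |hh hh| sections are hex, everything else is literal."""
    chunks = val.strip().strip('"').split("|")
    return b"".join(bytes.fromhex(c) if i % 2 else c.encode() for i, c in enumerate(chunks))

def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: " + line)
    rule = dict(zip(("action", "proto", "src", "sport", "dir", "dst", "dport"), m.groups()),
                msg="", sid=None, contents=[], nocase=False)
    if rule["action"] not in RANK:
        raise ValueError("unknown action: " + rule["action"])
    for key, val in split_options(m.group(8)):   # other options are parsed and ignored
        if key == "msg":
            rule["msg"] = val.strip('"')
        elif key == "sid":
            rule["sid"] = int(val)
        elif key == "content":
            rule["contents"].append(decode_content(val))
        elif key == "nocase":
            rule["nocase"] = True
    return rule

def ip_matches(spec, ip):
    """'any', an address, a CIDR, or a [a,b,...] list, optionally negated with '!'."""
    neg = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or any(ipaddress.ip_address(ip) in ipaddress.ip_network(s, strict=False)
                               for s in spec.strip("[]").split(","))
    return hit != neg

def port_matches(spec, port):
    """'any', a single port, or a lo:hi range with either end open, optionally negated."""
    neg = spec.startswith("!")
    spec = spec.lstrip("!")
    lo, sep, hi = spec.partition(":")
    hi = hi or (65535 if sep else lo)
    hit = spec == "any" or int(lo or 0) <= port <= int(hi)
    return hit != neg

def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    ends = lambda s, sp, d, dp: (ip_matches(rule["src"], s) and port_matches(rule["sport"], sp)
                                 and ip_matches(rule["dst"], d) and port_matches(rule["dport"], dp))
    hit = ends(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":   # bidirectional header: the reverse direction also counts
        hit = hit or ends(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not hit:
        return False
    fold = (lambda b: b.lower()) if rule["nocase"] else (lambda b: b)
    return all(fold(c) in fold(pkt["payload"]) for c in rule["contents"])

def evaluate(rules, pkt):
    """The matching rule whose action wins under RANK, or None if nothing matched."""
    hits = [r for r in rules if rule_matches(r, pkt)]
    return min(hits, key=lambda r: RANK[r["action"]]) if hits else None

def pkt(proto, src, sport, dst, dport, payload=b""):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}

# Constructed rules and packets for the demo (made up for this example).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-ATTACKS /etc/passwd access"; '
    'content:"/etc/passwd"; nocase; sid:1000001; rev:1;)',
    'pass tcp 192.168.1.50 any -> 192.168.1.0/24 80 (msg:"authorized scanner"; sid:1000002;)',
    'drop tcp !192.168.1.0/24 any -> 192.168.1.0/24 22 (msg:"SSH banner from outside"; '
    'content:"|53 53 48 2d|"; sid:1000003;)',
    'log icmp any any <> 192.168.1.0/24 any (msg:"ICMP to or from LAN"; sid:1000004;)',
)]
PACKETS = {
    "web_attack":  pkt("tcp", "203.0.113.7", 44321, "192.168.1.10", 80, b"GET /../../ETC/PASSWD HTTP/1.1\r\n"),
    "scanner":     pkt("tcp", "192.168.1.50", 5555, "192.168.1.10", 80, b"GET /etc/passwd HTTP/1.1\r\n"),
    "ssh_outside": pkt("tcp", "203.0.113.7", 50000, "192.168.1.20", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "ping_reply":  pkt("icmp", "192.168.1.10", 0, "8.8.8.8", 0),
}

def verdict(name):
    """(action, sid) applied to the named sample packet, or None."""
    r = evaluate(RULES, PACKETS[name])
    return (r["action"], r["sid"]) if r else None
```

Calling verdict() on each sample shows the points the notes make: the upper-cased traversal still trips the nocase content rule (alert), the same request from the authorized scanner matches both the alert and the pass rule and pass wins, the outside SSH banner is dropped by a rule negating the internal range, and the ICMP reply from the LAN is logged only because the header is bidirectional.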