IPS stop attack terminate nw connection or user session block access to target


IPS responses: stop the attack by terminating the network connection or user session, or by blocking access to the target (for the offending user account or IP address). Change the security environment: reconfigure network devices, apply patches when an intrusion is found, throttle bandwidth. Alter the attack content: remove or replace the malicious portions so the traffic becomes benign. An IPS needs more resources than an IDS, so it may inspect only critical traffic. Snort is an element of intrusion detection.

Primary assumptions: normal and intrusive activities are observable and distinct, and the evidence tells the difference.

Algorithmic perspective: features capture intrusion evidence; models piece the evidence together. System architecture perspective: audit data processor, knowledge base, decision engine, alarm generation and responses. Modeling = how to tell one activity from another using features (evidence extracted from audit data), then piecing the evidence together.

Detection methods: misuse = signature based (well-known attacks, e.g. viruses); anomaly = statistical, train the system on what is normal; stateful protocol analysis = understands the protocol.

Deployment: network based and host based.

IDPS components. Sensor or agent: monitors and analyzes activity. "Sensor" is typically used for IDPSs that monitor networks, including network-based, wireless and network behavior analysis technologies; "agent" is typically used for host-based IDPS technologies. Management server: a centralized device that receives information from the sensors or agents and manages them. Matching event information from multiple sensors or agents, such as finding events triggered by the same IP address, is known as correlation. Available as appliance and software-only products. Database server: a repository for event information recorded by sensors, agents and/or management servers. Console: a program that provides an interface for the IDPS's users and administrators. Management network: standard (shared) vs separate; a separate management network does not impact the production network and gives higher security, but is more expensive.

Snort components: packet decoder, preprocessors, detection engine (each single test checks a single aspect of a packet), output plugins (put raw data in readable form). Modes: sniffer, packet logger, NIDS; inline mode acts like an IPS.
Rules: rule = <action> <header> (<options>). Actions: alert, log, pass, activate, dynamic, drop, reject. log = log the packet; pass = ignore the packet; activate = alert, then turn on the paired dynamic rule; dynamic
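Added example (my own code, not from these notes or the Snort project): a small parser for the rule shape above, `<action> <header> (<options>)`, that splits the header into its seven fields, handles a `;` inside a quoted `msg`, rejects unknown actions, and reports whether `drop`/`reject` can actually block given the deployment mode. It assumes Snort 2 header syntax (`action proto src_ip src_port direction dst_ip dst_port`) and the action list from the notes.

```python
"""Added example (not from the notes or the Snort project): parse Snort 2 rules
written as <action> <header> (<options>) and report what each rule does."""
import re

# Rule actions listed in the notes. drop/reject can only block when Snort runs inline (IPS mode).
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject"}
INLINE_ONLY = {"drop", "reject"}

# Header: action proto src_ip src_port direction dst_ip dst_port, then (options).
HEADER_RE = re.compile(
    r"(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)"
)
# Split the option list on ';' only when an even number of quotes follows it,
# i.e. when the ';' is outside a quoted string such as msg:"a; b".
OPTION_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_options(text: str) -> dict:
    """'msg:"a; b"; sid:1; nocase;' -> {'msg': 'a; b', 'sid': '1', 'nocase': None}."""
    opts = {}
    for part in OPTION_SPLIT_RE.split(text):
        part = part.strip()
        if part:
            key, sep, value = part.partition(":")
            opts[key.strip()] = value.strip().strip('"') if sep else None
    return opts


def parse_rule(line: str) -> dict:
    """Parse one rule line into header fields plus an 'options' dict; ValueError if not a rule."""
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("not a rule: %r" % line)
    m = HEADER_RE.fullmatch(line)
    if m is None:
        raise ValueError("malformed rule: %r" % line)
    rule = m.groupdict()
    if rule["action"] not in ACTIONS:
        raise ValueError("unknown action: %r" % rule["action"])
    rule["options"] = parse_options(rule["options"])
    return rule


def rule_effect(rule: dict, inline: bool) -> str:
    """What the rule does given the deployment mode (passive NIDS vs inline IPS)."""
    if rule["action"] in INLINE_ONLY:
        return "block" if inline else "cannot block (not inline)"
    if rule["action"] == "pass":
        return "ignore"
    if rule["action"] in ("activate", "dynamic"):
        return "conditional"  # activate alerts, then turns on its paired dynamic rule
    return "detect"  # alert or log
```

The activate/dynamic pairing (their activates/activated_by options) is reported only as "conditional"; the parser does not link the two rules together.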