Network Intrusion Detection

1
Network Intrusion Detection

• Traffic Analysis
• What traffic patterns are normal, and what are
  not?

2
Normal TCP Stimulus/Response

• Destination Host Listens on Requested Port
• Destination Host Not Listening on Requested Port

3
Continue

• Destination Host Doesnt Exist
• Destination Port Blocked
• Destination Port Blocked, Router Doesnt Respond

4
Normal TCP Session
5
UDP Stimulus-Response

• Destination Host Listening on Requested Port
• Destination Host Not Listening on Requested Port

6
ICMP Stimulus-Response

• Windows Tracert

7
Unix Traceroute

• The source sends UDP packets with increasing TTL
  until the destination is reached.

8
Traffic Analysis
9
Abnormal Stimuli

• Evasive Stimulus, Lack of Response
• Example Port scanning

10
Continue

• Evil Stimulus, Fatal Responses
• Example DoS

11
Continue

• No Stimulus, All Response
• Example Spoofing

12
Backdoor

• Back Orifice
• Backdoor server listens on UDP 31337 (default)
• Netbus
• Version 1, Backdoor server listens on TCP 12345
  or 12346
• Version 2, Backdoor server listens on TCP 20034
  (default)

13
Netbus
14
Insertion Attack

• Goal Evade the detection by NIDS
• Approach Insert certain packet that will be seen
  by NIDS but not be seen by the destination host,
  such that the attack signature is garbled at NIDS.

15
Evation Attack

• Goal Evade the detection by NIDS
• Approach Construct certain packet that will not
  be seen by NIDS but will be seen by the
  destination host, such that the attack signature
  is garbled at NIDS.

16
Worm
17
(No Transcript)