Professional Documents
Culture Documents
BY:
P
RAGHUDATHESH G P
Asst Professor
Dept of ECE, GMIT
G
Davangere - 577004
Cell: +91 - 7411459249
Mail: datheshraghu@gmail.com
H
Website: raghudathesh.weebly.com
GitHub : https://github.com/dathu
ES
Youtube: dathu’s class
Quotes:
H
We can make a million excuses or a million dollars.
If our eyes are positive, We will love the world but If our tounge is positive the world
AT
will love us.
Confidence is silent - Insecurities are loud.
Time & good friends are two things that become more valuable the older we get.
D
P
systems are capable of taking actions when malicious activity or anomalous traffic is
detected, including blocking traffic sent from suspicious IP addresses.
G
Capabilities of intrusion detection systems:
Intrusion detection systems monitor network traffic in order to detect when an
H
intrusion is being carried out by unauthorized entities.
IDS do this by providing some or all of these functions to security professionals:
ES
1. Monitoring the operation of routers, firewalls, key management servers
and files that are needed by other security controls aimed at detecting,
preventing or recovering from cyberattacks;
H
2. Providing administrators a way to tune, organize and understand relevant
operating system audit trails and other logs that are often otherwise
AT
difficult to track or parse;
3. Providing a user-friendly interface so non-expert staff members can assist
with managing system security;
D
altered;
6. Generating an alarm and notifying that security has been breached; and
G
P
G
H
Ids Placement Strategy:
ES
H
1. Distributed IDS Placement Strategy:
In a distributed IDS placement, the IDS placed every physical object for
AT
detecting attacks.
The main goal of these IDS is to decrease the number of matches needed
for detecting attacks.
D
The IDS dedicated host is wire connected to the IDS sensors, avoiding the
transmission of IDS data and network regular data in the same wireless
network. Therefore, if a DoS attack degrades the wireless transmission
quality, IDS data transmission would not be affected.
3. Hybrid Ids Placement:
P
Hybrid IDS placement combines the concepts of centralized and
distributed placement to take advantage of their strong points and avoid
G
their drawbacks.
The first approach for hybrid placement organizes the network into
clusters or regions, and only the main node of each cluster hosts an IDS
H
instance. Then, this node becomes responsible for monitoring the other
ES
nodes of its cluster.
The hybrid placement IDSs may be designed to consume more resources
than distributed placement IDSs.
H
Selected nodes in the network host an IDS. These selected nodes
(watchdogs) aim to identify intrusions by eavesdropping the exchanged
AT
packets in their neighborhood. The watchdog decides whether a node is
compromised according to a set of rules. Each watchdog has a particular
set of rules because each component in the network might have a different
D
behavior.
Ex: a border router usually experiences higher rates of messages than a
U
Types of IDS:
1. Signature Based Ids:
RA
P
2. Anomaly Based IDS:
This technique is also known as event-based detection. This technique
G
identifies malicious activities by analyzing the event.
Firstly, it defines the normal behavior of the network. Then, if any activity
differs from normal behavior then its mark as an intrusion.
H
In this approach, a malicious node can be detected by matching the
ES
current protocol specification with previously defined protocol state. This
approach detects attacks more efficiently than Signature based IDS.
3. Specification Based IDS:
H
This technique is somewhat similar to anomaly detection technique. In this
technique, the normal behavior of the network is defined by manually, so
AT
it gives less incorrect positives rate.
This technique attempts to extract best between signature-based and
anomaly based detection approaches by trying to clarify deviations from
D
normal behavioral patterns that are created neither by the training data nor
by the machine learning method.
U
Security Threats:
The objective of this subsection is to discuss how different attack types have been
addressed in the IDS proposals for IoT. Enabling IoT solutions involves a
composition of several technologies, services, and standards, each one with its
security and privacy requirements.
With this in mind, it is reasonable to assume that the IoT paradigm has at least the
same security issues as mobile communication networks (e.g., WSNs), cloud
services and the Internet.
P
We shall assess the performance of their IDS with conventional attack scenarios
that included worm propagation, tunneling, SQL code injection, and directory
G
traversal attacks.
1. Sinkhole Attack:
In this attack, malicious node attracts network traffic towards it. To launch
H
these types of attack, a malicious node attract all adjacent nodes to
ES
forward their packets through the malicious node by showing its routing
cost minimum.
The attacker creates an attack by introducing false node inside a network.
H
R.Stephen proposed an Intrusion Detection System (IDS) to detect the
sinkhole attack in the network which uses the RPL as a routing protocol.
AT
The proposed algorithm uses the detection metrics such as number of
packets received and transmitted to validate the Intrusion Ratio (IR) by the
IDS agent.
D
it sends the alert message to the leaf nodes to isolate the malicious node in
H
next data transmission. The aim of the proposed work is to minimize the
Intrusion Ratio.
G
2. Wormhole attack:
In this attack, the adversary node creates a virtual tunnel between two
RA
P
strength to identify attacker nodes.
Design of such system will help in securing the IoT network and may
G
prevents such attacks.
This method is very energy efficient and only takes fixed number of UDP
packets for attack detection, hence it is beneficial for resource constrained
H
environment.
ES
3. Selective Forwarding Attack:
In this attack, malicious node acts as a normal node but it selectively drops
some packets.
H
Black hole attack is the simplest form of selective forwarding attack in
which all packets are dropped by the malicious node.
AT
Shapla Khanam et.al propose a game - theory based attack model to
analyze the malicious behavior of attackers in the IoT networks.
In this model two players are involved in the game where player_1 and
D
In this attack, the node has multiple identities. The routing protocol,
detection algorithm and co-operation processes can be attacked by a
RA
malicious node.
Kuan Zhang et.al defines three types Sybil attacks: SA-1, SA-2, and SA-3
according to the Sybil attacker’s capabilities and then present some Sybil
defense schemes, including social graph-based Sybil detection (SGSD),
P
This attack can damage the availability of resources. When this attack is
made, resources are not available to legitimate users.
G
Such type of attacks, when launched by various malicious nodes is called
DDoS. This attack may affect the network resources, bandwidth, CPU
time etc.
H
ES
Validation Strategy:
A validation consists of checking that the built model behaves with satisfactory
accuracy within the study objectives.
H
There are many validation techniques, and they may be distinguished by two
sources of information:
AT
a. Experts: the use of experts provides a subjective and often qualitative
model validation
b. Data: the use of data may allow a quantitative and more objective
D
validation
The validation strategy employed in the intrusion detection methods for IoT
U
includes:
H
P
Detection Systems, this alliance coming naturally as both technologies often use shared
technologies.
G
Predominantly an IPS is not only found on security appliances, such as certain firewalls,
but also on stand alone appliances delivered.
H
The idea to implement IPS here is driven by commercial as well as technical aspects. To-
date IPS have had the most success with ‘‘flood’’ (i.e. DoS) type attacks.
ES
The devices often look like firewalls and often have some basic firewall functionality. But
firewalls block all traffic except that for which they have a reason to pass, whereas IPS
pass all traffic except that for which they have a reason to block.
H
Definition: An IPS can be defined as an in-line product that focuses on identifying and
blocking malicious network activity in real time.
AT
There are two categories:
1. Rate-based IPS:
Rate-based Intrusion Prevention Systems block traffic based on network load.
D
Ex.: too many packets, or too many connects, or too many errors.
U
In the presence of too much of anything, a rate-based IPS kicks in and blocks,
throttles or otherwise mediates the traffic.
H
E.x: limit queries to the DNS server to 1000 per second and/or offer other
simple rules covering bandwidth and connection limiting.
RA
P
blocked.
2. Packets that do not comply with TCP/IP RFCs can be dropped.
G
3. Suspicious behavior such as port scanning triggers the IPS to block
future traffic from a single host.
The best content-based IPS offer a range of techniques for identifying
H
malicious content and many options for how to handle the attacks, such as
ES
simply dropping bad packets to dropping future packets from the same
attacker, and advanced reporting and alerting strategies.
As content-based IPS offer IDS-like technology for identifying threats and
H
blocking them, they can be used deep inside the network to complement
firewalls and provide security policy enforcement as they often require less
AT
manual maintenance and fine-tuning to perform a useful function than their
rate-based cousin.
D
U
H
G
RA
P
G
H
ES
H
AT
D
U
H
G
RA
Question Bank:
P
G
H
ES
H
AT
D
U
H
G
RA