Understanding Intrusion Detection Systems

The document discusses the main types of intrusion detection systems (IDS). It defines an intrusion, states the goal of an IDS (to identify malicious network traffic and computer usage that a traditional firewall cannot), divides IDS into signature-based and anomaly-based approaches, and describes signature-based intrusion detection systems (SIDS), which use pattern matching to detect known attacks by comparing the signature of current activity against a database of previously seen intrusion signatures.


Intrusion and its types

5TH SEMESTER

BSCS (MA)

SUBMITTED BY

SANA JAVED (2104), AMNA AFZAL (2105),
BARIRA SHAHZAD (2106), MAHNOOR (21121)

SUBMITTED TO
MAM SAIRA NOSHEEN
Intrusion

An intrusion is any unauthorized activity that causes damage to an
information system. Any attack that could pose a threat to the
confidentiality, integrity or availability of information is therefore
considered an intrusion.
Example

Activities that make computer services unresponsive to legitimate users
(a denial of service) are considered an intrusion, because they violate
availability even though no data is read or modified.
Intrusion detection systems

An IDS is a software or hardware system that identifies malicious
actions on computer systems so that system security can be maintained.
Goal

The goal of an IDS is to identify the kinds of malicious network traffic
and computer usage that a traditional firewall cannot: a firewall decides
on addresses, ports and connection state, whereas an IDS inspects the
content and behaviour of traffic the firewall has already allowed through.
This is vital to achieving high protection against actions that
compromise the availability, integrity or confidentiality of computer
systems. Note that an IDS detects and alerts; blocking the traffic is the
job of the firewall or of an intrusion prevention system.
Categories of IDS

IDS can be broadly categorized into two groups:
Signature-based Intrusion Detection System (SIDS)
Anomaly-based Intrusion Detection System (AIDS)
Signature-based intrusion detection systems (SIDS)

Signature-based intrusion detection systems (SIDS) use pattern matching
techniques to find known attacks; they are also known as knowledge-based
detection or misuse detection (Khraisat et al., 2018; Modi et al., 2013).
In SIDS, matching methods are used to recognise a previously seen
intrusion: when the signature of the current activity matches a
signature that already exists in the signature database, an alarm is
triggered.
A host-based SIDS inspects the host's logs to find sequences of commands
or actions that have previously been identified as malicious; a
network-based SIDS applies the same idea to packet headers and payloads.
Figure 1 demonstrates the conceptual working of SIDS approaches. The main
idea is to build a database of intrusion signatures, compare the current
set of activities against the stored signatures, and raise an alarm if a
match is found.
For example, a rule in the form "if antecedent then consequent" may read
"if (source IP address = destination IP address) then label as an attack".
This is the pattern of the classic Land denial-of-service packet, and it
shows why signatures are cheap to evaluate: each one is a fixed test on
fields of the observed activity.
SIDS usually gives excellent detection accuracy for previously known
intrusions (Kreibich & Crowcroft, 2004).
However, SIDS has difficulty detecting zero-day attacks, because no
matching signature exists in the database until the signature of the new
attack has been extracted and stored. For the same reason an attacker can
evade an existing signature by changing the part of the attack that the
signature tests, for example by encoding the payload differently.
SIDS are employed in numerous common tools, for instance Snort (Roesch,
1999) and NetSTAT (Vigna & Kemmerer, 1999).
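The signature-database idea, the slide's source-equals-destination rule and the zero-day limitation can all be seen in one small program. The following is an added example written for this page; it is not code from the original slides or from Snort or NetSTAT. The `Packet` and `Signature` types, the three signatures and the traffic sample are constructed for illustration.

```python
"""Toy signature-based IDS (SIDS), constructed for illustration.

Signatures are fixed tests on fields of an observed packet. The detector
compares each packet against the whole database and raises an alert on
any match. A variant the database has never seen produces no alert until
its signature is extracted and added (the zero-day problem).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Packet:
    """Minimal view of one observed packet (constructed for the example)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    """One database entry: rule id, alert text and a predicate on a packet."""
    sid: int
    msg: str
    match: Callable[[Packet], bool]


# Signature database (constructed). Entry 1 is the slide's
# "if source IP = destination IP then attack" rule, i.e. a Land packet.
SIGNATURES: List[Signature] = [
    Signature(1, "LAND attack: source IP equals destination IP",
              lambda p: p.src_ip == p.dst_ip),
    Signature(2, "Path traversal in HTTP request",
              lambda p: p.dst_port == 80 and b"../" in p.payload),
    Signature(3, "NOP sled in payload (possible shellcode)",
              lambda p: b"\x90" * 16 in p.payload),
]


def match_signatures(pkt: Packet, sigs: List[Signature] = SIGNATURES) -> List[str]:
    """Misuse detection: return the alert text of every signature pkt matches."""
    return [f"[{s.sid}] {s.msg}" for s in sigs if s.match(pkt)]


def scan(packets: List[Packet], sigs: List[Signature] = SIGNATURES) -> Dict[int, List[str]]:
    """Run the database over a packet stream; map packet index -> alerts (hits only)."""
    hits: Dict[int, List[str]] = {}
    for i, pkt in enumerate(packets):
        alerts = match_signatures(pkt, sigs)
        if alerts:
            hits[i] = alerts
    return hits


# Constructed traffic sample. Packet 4 is a URL-encoded variant of the
# traversal in packet 1; the database has no signature for it yet.
SAMPLE: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.5", 139, b""),
    Packet("203.0.113.9", "10.0.0.20", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("203.0.113.9", "10.0.0.20", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.4", "10.0.0.21", 21, b"\x90" * 32 + b"\xcc\xcc"),
    Packet("203.0.113.9", "10.0.0.20", 80, b"GET /..%2f..%2fetc/passwd HTTP/1.1\r\n"),
]

# The signature an analyst would extract from packet 4 and store; once it is
# in the database the same traffic is detected on the next pass.
ENCODED_TRAVERSAL = Signature(
    4, "URL-encoded path traversal in HTTP request",
    lambda p: p.dst_port == 80 and b"..%2f" in p.payload.lower())


if __name__ == "__main__":
    before = scan(SAMPLE)
    after = scan(SAMPLE, SIGNATURES + [ENCODED_TRAVERSAL])
    for i, pkt in enumerate(SAMPLE):
        print(i, pkt.src_ip, "->", pkt.dst_ip,
              before.get(i, "no alert"), "|", after.get(i, "no alert"))
```

Running it flags packets 0, 1 and 3 and stays silent on packet 4, the encoded variant, until `ENCODED_TRAVERSAL` is added to the database. Packet 2 is benign and never matches. Real SIDS such as Snort express the same predicates as rules with header conditions and content options, but the detection logic is the same comparison of each observation against every stored signature.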
