8/3/2019 19-Intrusion Detection System http://slidepdf.com/reader/full/19-intrusion-detection-system 1/41

19-Intrusion Detection System

Apr 06, 2018

Victer Paul
Page 1: 19-Intrusion Detection System


Page 2: 19-Intrusion Detection System

By P. Victer Paul

Dear friends, we planned to share our eBooks and project/seminar contents for free to all needy friends like you. To get to know about more free computer science ebooks and technology advancements in computer science, please visit:

http://free-computerscience-ebooks.blogspot.com/

http://recent-computer-technology.blogspot.com/

http://computertechnologiesebooks.blogspot.com/

To keep us providing many eBooks and technology news for free, please encourage us by clicking on the advertisements in these blogs.

Page 3: 19-Intrusion Detection System

An IDS, or Intrusion Detection System, is a system designed to detect unauthorized access to secure systems, i.e. hacking, cracking or script-based attacks.

Systems are generally composed of both sensors, such as Snort, which watch network traffic and trigger security events, and a console interface, which shows and filters the security events; an example of the latter is Sguil.

Page 4: 19-Intrusion Detection System

Definition: An intrusion can be defined as a subversion of security to gain access to a system. This intrusion can use multiple attack methods and can span long periods of time.

These unauthorized accesses to computer or network systems are often designed to study the system's weaknesses for future attacks.

Other forms of intrusion are aimed at limiting access or even preventing access to computer systems or networks.

Page 5: 19-Intrusion Detection System

Basically, intrusion detection systems do exactly as the name implies: they detect possible intrusions.

More specifically, IDS tools aim to detect computer attacks and/or computer misuse and alert the proper individuals upon detection.

An IDS provides much of the same functionality as a burglar alarm installed in a house.

That is, both the IDS and the burglar alarm use various methods to detect when an intruder/burglar is present, and both subsequently issue some type of warning or alert.

Page 6: 19-Intrusion Detection System

What are we protecting?
- Data
- Availability
- Privacy

Who are the intruders?
- Hackers
- Thieves

Page 7: 19-Intrusion Detection System

The methods used by intruders can often contain any one, or even combinations, of the following intrusion types:
- Distributed Denial of Service
- Trojan Horse
- Viruses and Worms
- Spoofing
- Network/Port Scans
- Buffer Overflow

Page 8: 19-Intrusion Detection System

There are many approaches that are used to implement IDS. An in-depth look at these approaches will be presented in later sections. However, the majority of IDS systems contain the following 3 components:
- Information Source
- Analysis Engine
- Response/Alert

Page 9: 19-Intrusion Detection System

All IDS need an information source in which to monitor for intrusive behavior.

The information source can include: network traffic (packets), host resources (CPU, I/O operations, and log files), user activity and file activity, etc.

The information can be provided in real time or in a delayed manner.

Page 10: 19-Intrusion Detection System

The Analysis Engine is the "brains" behind the IDS.

This is the actual functionality that is used to identify the intrusive behavior.

As mentioned previously, there are many ways in which IDS analyze intrusive behavior.

The majority of IDS implementations differ in the method of intrusion analysis.

Page 11: 19-Intrusion Detection System

Once an intrusive behavior is identified, the IDS needs to be able to respond to the attack and alert the appropriate individuals of the occurrence.

Response activities can include: applying firewall rules to drop traffic from a particular source IP, host port blocking, logging off a user, disabling an account, security software activation, system shutdown, etc.

Page 12: 19-Intrusion Detection System

Alerting measures are used to bring the attack to the attention of the proper individuals supporting the environment.

For example, an IDS alert can include an active measure, which may be sending an email or text page to the system administrator, or it could simply write a detailed log of the event, which is a passive measure.

Page 13: 19-Intrusion Detection System

The ultimate desire of IDS functionality is the identification of all intrusive behavior within an environment, and the reporting of that behavior in a timely manner.

However, in order for IDS to be successful in today's complex environments, there are some more characteristics that will be needed.

Page 14: 19-Intrusion Detection System

An IDS should:
- run continually with minimal human supervision
- withstand an attack and continue functioning
- monitor itself and resist local intrusion
- use minimal resources
- adapt and recognize "normal" behavior

Page 15: 19-Intrusion Detection System

Scalability: The IDS must be able to function in large (and fast) network architectures.

Low rate of false positive alerts: A false positive is, essentially, a false alarm.

No false negative instances: A false negative is an instance when the network or system was under attack, but the IDS did not identify it as intrusive behavior, thus no alert was activated.

Allow some anomalous events without flagging an emergency alert. This doesn't mean it should allow true malicious behavior, but it should be flexible/smart enough to allow for the occasional user mistake or communication blip.

Page 16: 19-Intrusion Detection System

- Anomaly-Based
- Misuse-Based
- Host-Based
- Network-Based

Page 17: 19-Intrusion Detection System

Computer and network anomaly detection Intrusion Detection System models operate by building a model of "normal" system behavior. Normal system behavior is determined by observing the standard operation of the system or network.

Anomaly detection then takes the normal observation model and uses statistical variance, or as we shall see later, Data Mining techniques with artificial intelligence, to determine if the system or network environment behavior is running normally or abnormally.

The assumption in anomaly detection is that an intrusion can be detected by observing a deviation from the normal or expected behavior of the system or network.

Page 18: 19-Intrusion Detection System

Threshold detection is the process in which certain attributes of user and computer system behavior are expressed in terms of counts, with some level established as permissible.

For example, such behavior attributes can include the number of files accessed by a given user over a certain period of time, the number of failed attempts to log in to the system, the amount of CPU utilized by a process, etc.
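The threshold detector just described, written out as an added example in Python (this is not code from the slides): it counts failed logins per user inside a sliding time window over constructed log lines and raises an alert once the count exceeds the permissible level. The log format, user names, source addresses, window length and limit are all assumptions. It also illustrates the point from the characteristics slide that an occasional user mistake (two failures 25 minutes apart) should not raise an emergency alert.

```python
"""Threshold detection over constructed authentication log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed syslog-like format (not real data).
# alice fails six times inside a minute; carol fails twice, 25 minutes apart.
SAMPLE_LOG = """\
2019-08-03T10:00:01 sshd: Failed password for alice from 10.0.0.5
2019-08-03T10:00:03 sshd: Failed password for alice from 10.0.0.5
2019-08-03T10:00:04 sshd: Accepted password for bob from 10.0.0.9
2019-08-03T10:00:05 sshd: Failed password for alice from 10.0.0.5
2019-08-03T10:00:06 sshd: Failed password for alice from 10.0.0.5
2019-08-03T10:00:07 sshd: Failed password for alice from 10.0.0.5
2019-08-03T10:00:08 sshd: Failed password for alice from 10.0.0.5
2019-08-03T10:15:00 sshd: Failed password for carol from 10.0.0.7
2019-08-03T10:40:00 sshd: Failed password for carol from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src), or None if the line has another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m.group("ts")), m.group("result"),
            m.group("user"), m.group("src"))


def threshold_detect(lines, limit=5, window=timedelta(minutes=10)):
    """Alert once a user exceeds `limit` failed logins inside the sliding `window`.

    Returns a list of (user, alert_time, failures_in_window). A user is alerted
    on at most once per exceedance: the flag is cleared when the count falls back
    to the limit, so one burst does not produce one alert per extra log line.
    """
    recent = defaultdict(deque)   # user -> timestamps of failures still in window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, _src = rec
        if result != "Failed":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) > limit:
            if user not in alerted:
                alerts.append((user, ts, len(q)))
                alerted.add(user)
        else:
            alerted.discard(user)
    return alerts


if __name__ == "__main__":
    for user, ts, count in threshold_detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ts.isoformat()} user={user} failed_logins={count}")
```

Running it on the constructed log produces a single alert for alice at 10:00:08 with six failures in the window; carol's two widely separated failures never exceed the limit. The limit and window are the "permissible level" of the slide and are what an operator tunes against the false-positive rate.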

Page 19: 19-Intrusion Detection System

Statistical measures: These measures can be parametric or non-parametric.
- Parametric measures are used when a distribution of the profiled attributes is assumed to fit a particular pattern.
- Non-parametric measures are used when the distribution of the profiled attribute is gathered from a set of historical values observed over time.
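The two kinds of measure, applied to one profiled attribute, as an added example (not code from the slides). The attribute is a constructed 30-day history of files accessed per day by one user; the parametric measure assumes a normal distribution and reports a z-score, the non-parametric measure uses the empirical percentile of the observed history and assumes nothing. The alert limits (3 sigma, 99th percentile) are assumptions.

```python
"""Parametric vs. non-parametric measures of one profiled attribute (added example)."""
import math

# Constructed 30-day baseline: files accessed per day by one user (not real data).
HISTORY = [42, 38, 45, 40, 44, 39, 41, 43, 37, 46,
           40, 42, 44, 39, 41, 38, 45, 43, 40, 42,
           41, 39, 44, 46, 38, 42, 40, 43, 41, 39]


def parametric_score(history, x):
    """Assume the attribute follows a normal distribution fitted to `history`
    and return how many standard deviations x lies from the fitted mean."""
    n = len(history)
    mean = sum(history) / n
    var = sum((h - mean) ** 2 for h in history) / (n - 1)   # sample variance
    std = math.sqrt(var)
    return (x - mean) / std if std > 0 else 0.0


def nonparametric_score(history, x):
    """Assume nothing about the distribution: return the fraction of the
    historical values that lie strictly below x (its empirical percentile)."""
    below = sum(1 for h in history if h < x)
    return below / len(history)


def assess(history, x, z_limit=3.0, pct_limit=0.99):
    """Score a new observation with both measures and apply a limit to each.

    The limits are assumptions; in practice they are tuned per attribute
    against the false-positive rate the operator can tolerate.
    """
    z = parametric_score(history, x)
    p = nonparametric_score(history, x)
    return {
        "value": x,
        "z_score": round(z, 2),
        "percentile": round(p, 3),
        "parametric_alert": abs(z) > z_limit,
        "nonparametric_alert": p >= pct_limit,
    }


if __name__ == "__main__":
    # 42 is ordinary; 47 is above every historical value yet within 3 sigma;
    # 400 is far outside both profiles.
    for x in (42, 47, 400):
        print(assess(HISTORY, x))
```

The value 47 is where the two measures disagree: the fitted normal puts it at about 2.2 standard deviations, below the 3-sigma limit, while the empirical percentile notes that it exceeds every value ever observed. That disagreement is the practical difference between assuming a distribution and gathering one from history.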

Page 20: 19-Intrusion Detection System

- It can detect attempts to exploit new and unforeseen vulnerabilities. An IDS based on the detection of anomalies can detect unusual behavior and thus has the ability to detect symptoms of attacks without specific knowledge of details. This is a very powerful advantage. It is for this reason alone that a majority of the research on future IDS models includes some sort of anomaly detection.
- It can also be used to detect 'abuse-of-privilege' types of attacks, which generally do not involve exploiting any security vulnerabilities.
- It can recognize unusual network traffic based on network packet characteristics (payload, source IP, time, etc.).
- It can produce information from the intrusive attack that can be used to define signatures for misuse detectors.

Page 21: 19-Intrusion Detection System

"Misuse detection-based IDS function in much the same way as computer anti-virus applications."

Misuse detection IDS models function in very much the same sense as high-end computer anti-virus applications. That is, misuse detection IDS models analyze the system or network environment and compare the activity against signatures (or patterns) of known intrusive computer and network behavior.

These signatures must be updated over time to include the latest attack patterns, much like computer anti-virus applications.

Page 22: 19-Intrusion Detection System

- Misuse-based IDS can be used very quickly. There isn't a need for the IDS to "learn" the network behavior before it can be of use.
- The signature matching also provides fewer false alarms (false positives) than other IDS methods.
- If the signatures of attacks used by the misuse detection system are reliable, then attacks that match those signatures are very quickly identified, which makes the determination of corrective measures easier.
- Computer administrators can write their own signatures in accordance with the organization's security policy.

Page 23: 19-Intrusion Detection System

- Like anti-virus software, the signatures containing the attack patterns are constantly changing.
- Good computer and network hackers are well aware of the patterns of known exploits. These patterns can be modified to decrease the chances of raising any red flags.
- Intrusion detection systems that follow the misuse detection model need to be constantly updated to stay a step ahead of the hackers.

Page 24: 19-Intrusion Detection System

- Since misuse detection operates by comparing known intrusive signatures against the observed log, misuse detectors suffer from the limitation of only being able to detect attacks that are known. Therefore, they must be constantly updated with attack signatures that represent newly discovered attacks or modified existing attacks.
- Vulnerable to evasion. Once a security hole has been discovered and a signature has been written to capture it, several other iterations of "copycat" exploitations usually surface to take advantage of the same security hole. Since the attack method is a variant of the original attack method, it usually goes undetected by the original vulnerability signature, requiring the constant rewrite of signatures.
- Many misuse detectors are designed to use tightly defined signatures that prevent them from detecting variants of common attacks.
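An added example (not code from the slides) covering both the signature matching of the misuse-detection slides and the "tightly defined signature" limitation above. It is a minimal signature engine over constructed HTTP request events; the signature format, ids, patterns, request lines and addresses are all constructed and are not Snort rules. One signature normalizes the request (URL-decodes and lower-cases it) before matching and so covers trivially reworked forms of the same known pattern; the other matches only the exact text it was written for and misses a case variant until it is loosened. Updating the signature set is simply editing the list and recompiling it.

```python
"""Signature (misuse) matching over constructed HTTP request events (added example)."""
import re
from urllib.parse import unquote

# Constructed signature set in a deliberately simple format (not Snort rules).
# `normalize` controls whether the request line is URL-decoded and lower-cased
# before the pattern is applied; a signature without it is "tightly defined"
# and matches only the exact form it was written for.
SIGNATURES = [
    {"sid": 1001, "msg": "directory traversal in request path", "dport": 80,
     "pattern": r"\.\./", "normalize": True},
    {"sid": 1002, "msg": "request for known probe script (constructed)", "dport": 80,
     "pattern": r"/cgi-bin/example-probe", "normalize": False},
]

# Constructed traffic: one benign request, a traversal attempt, the same
# attempt URL-encoded, the probe on port 80, on port 443, and in upper case.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dport": 80,  "request": "GET /index.html HTTP/1.1"},
    {"src": "10.0.0.6", "dport": 80,  "request": "GET /static/../../private/config.txt HTTP/1.1"},
    {"src": "10.0.0.6", "dport": 80,  "request": "GET /static/..%2F..%2Fprivate/config.txt HTTP/1.1"},
    {"src": "10.0.0.7", "dport": 80,  "request": "GET /cgi-bin/example-probe HTTP/1.1"},
    {"src": "10.0.0.7", "dport": 443, "request": "GET /cgi-bin/example-probe HTTP/1.1"},
    {"src": "10.0.0.8", "dport": 80,  "request": "GET /CGI-BIN/EXAMPLE-PROBE HTTP/1.1"},
]


def compile_signatures(signatures):
    """Compile the pattern strings once; a signature update re-runs this step."""
    return [dict(s, regex=re.compile(s["pattern"])) for s in signatures]


def match_event(event, compiled):
    """Return the ids of every signature whose port and pattern match the event."""
    hits = []
    for sig in compiled:
        if sig["dport"] != event["dport"]:
            continue
        text = event["request"]
        if sig["normalize"]:
            text = unquote(text).lower()
        if sig["regex"].search(text):
            hits.append(sig["sid"])
    return hits


def scan(events, signatures):
    """Run the whole signature set over a list of events: index -> matched sids."""
    compiled = compile_signatures(signatures)
    return {i: match_event(e, compiled) for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, sids in scan(SAMPLE_EVENTS, SIGNATURES).items():
        print(i, SAMPLE_EVENTS[i]["request"], "->", sids or "no match")
```

The encoded traversal (event 2) is caught only because signature 1001 normalizes first; the upper-case probe (event 5) is missed by the tightly defined signature 1002 and is caught once that signature is given `normalize: True`. The port check shows the other side of a tight signature: the same request on port 443 is not inspected at all, which is correct only if that port really carries nothing the signature should cover.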

Page 25: 19-Intrusion Detection System

Host-based Intrusion Detection Systems are confined to monitoring activity on the local host computer. This monitoring can include network traffic to the host, or local object (files, processes, services) access on the host.

For example, a HIDS implementation can be used to analyze all the network traffic transmitted to the computer and pass only the packets deemed safe on to the computer.

A HIDS could also be a service running on the local machine that periodically examines the system security logs for suspicious activity.

Page 26: 19-Intrusion Detection System

Keep in mind, suspicious activity in one environment may not equate to suspicious activity in another environment. So rules that define what suspicious activity is need to be created.

Some examples of possible suspicious activities include: several unauthorized logon attempts, confidential file access, deletion of logs, etc.

Page 27: 19-Intrusion Detection System

- Direct system information access. Since HIDS exist directly on the host system, they can directly access local system resources (operating system configurations, files, registry, software installations, etc.).
- Can associate users with local computer processes.
- Since a host is part of the target, a HIDS can provide detailed information on the state of the system during the attack.
- Low resource utilization: HIDS only deal with the inspection of traffic and events local to the host.

Page 28: 19-Intrusion Detection System

The implementation of HIDS can get very complex in large networking environments. With several thousand possible endpoints in a large network, collecting and auditing the generated log files from each node can be a daunting task.

If the IDS itself is compromised, the host may cease to function, resulting in a stop on all logging activity. Secondly, if the IDS is compromised and the logging still continues to function, the trust of such log data is severely diminished.

Page 29: 19-Intrusion Detection System

A network-based intrusion detection system uses a firewall approach to examine the network traffic (packets) at the router or host level for intrusive activity. NIDS scan any traffic that is transmitted over the segment of the network and only permit through the packets that are not identified as intrusive.

With the explosive growth of networking and data sharing, NIDS have become the most popular form of Intrusion Detection. The need to scan the voluminous amounts of network activity and successfully recognize and tag network-wide intrusive behavior is well received within the security industry.

Page 30: 19-Intrusion Detection System

- Relatively easy deployment: NIDS are installed per network segment. Deployment to 50 servers may only require 1 network-based intrusion detection system installation.
- A NIDS can be configured to be invisible to the attacker.
- Can view intrusive activity that is targeting several hosts.
- Provides greater detail into the nature of network traffic.
- NIDS can interact with firewall technologies to dynamically block recognized intrusion behavior.

Page 31: 19-Intrusion Detection System

Network-based intrusion detection seems to offer the most detection coverage while minimizing the IDS deployment and maintenance overhead. However, the main problem with implementing a NIDS with the techniques described in the previous sections is the high rate of false alarms.

Modern day enterprise network environments amplify this disadvantage due to the massive amounts of dynamic and diverse data that need to be analyzed.

Page 32: 19-Intrusion Detection System

All the previously defined IDS techniques have their share of disadvantages. There just isn't a single IDS model that offers 100% intrusion detection with a 0% false alarm rate that can be applied in today's complex networking environment.

However, incorporating multiple IDS techniques can, to a certain extent, minimize many of the disadvantages illustrated in the previous section.

Page 33: 19-Intrusion Detection System

Common implementations of IDS use a combination of the IDS approaches that have been discussed so far. The combination of these techniques reduces the limitations that are associated with a single-method IDS implementation.

For example, misuse-based HIDS and anomaly-based NIDS are usually implemented together to form a hybrid Host/Network IDS architecture. This hybrid IDS allows the correlation between the events on the network and events on the target host(s).

Page 34: 19-Intrusion Detection System

Minimization of anomaly-based false alerts. Correlating the alerts generated in both IDS provides a much greater likelihood that an actual intrusion is occurring. This type of example minimizes the inherent disadvantage of anomaly-based IDS, which is the excessive false alerts.

Since a host-based misuse IDS can't detect a signature if the attack is new (hence the signature doesn't exist), there is an additional benefit to misuse detection IDS environments in applying a network-based anomaly IDS that has the ability to capture new attacks and evasive pattern techniques.
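The correlation described on this and the previous slide, as an added example (not code from the slides). Alerts from a network anomaly sensor and from host signature sensors are constructed with a host name and timestamp; an alert becomes high-confidence only when both sensors report the same host within a short window, while a lone anomaly alert is kept at low severity because it may be a new attack that no signature covers yet. A constructed ground truth of which hosts were really intruded on lets the false-alarm reduction be measured as precision (the complement of the false-positive rate from the characteristics slide). Host names, times, signature ids and the windows are all assumptions.

```python
"""Correlating host-based misuse alerts with network-based anomaly alerts (added example)."""
from datetime import datetime, timedelta


def at(hhmmss):
    """Build a timestamp on one constructed day."""
    return datetime.fromisoformat("2019-08-03T" + hhmmss)


# Constructed anomaly alerts from the network sensor (noisy, as the NIDS slides warn).
NIDS_ALERTS = [
    {"host": "web1",  "time": at("09:00:10"), "detail": "unusual outbound byte count"},
    {"host": "web2",  "time": at("09:05:00"), "detail": "unusual outbound byte count"},
    {"host": "db1",   "time": at("09:07:30"), "detail": "new destination port seen"},
    {"host": "web1",  "time": at("11:30:00"), "detail": "unusual outbound byte count"},
    {"host": "mail1", "time": at("12:00:00"), "detail": "traffic spike"},
]

# Constructed signature alerts from the host sensors (sids are placeholders).
HIDS_ALERTS = [
    {"host": "web1", "time": at("09:00:42"), "sid": 2001},
    {"host": "db1",  "time": at("09:09:00"), "sid": 2002},
    {"host": "app1", "time": at("10:00:00"), "sid": 2003},
]

# Constructed ground truth for scoring: the hosts that really were intruded on.
TRUE_INTRUSIONS = [("web1", at("09:00:00")), ("db1", at("09:07:00"))]


def correlate(nids, hids, window=timedelta(minutes=5)):
    """Pair each network anomaly alert with a host signature alert on the same
    host inside `window`; only such pairs become high-confidence alerts."""
    joined = []
    for n in nids:
        for h in hids:
            if n["host"] == h["host"] and abs(n["time"] - h["time"]) <= window:
                joined.append({"host": n["host"], "time": n["time"],
                               "detail": n["detail"], "sid": h["sid"]})
    return joined


def triage(nids, hids, window=timedelta(minutes=5)):
    """Severity per alert: correlated pairs are high, lone anomalies stay low
    (kept because a lone anomaly may be a new attack no signature covers yet)."""
    paired = correlate(nids, hids, window)
    paired_keys = {(a["host"], a["time"]) for a in paired}
    out = [dict(a, severity="high") for a in paired]
    out += [dict(n, severity="low") for n in nids
            if (n["host"], n["time"]) not in paired_keys]
    return out


def is_true_positive(alert, truth, window=timedelta(minutes=10)):
    """An alert is a true positive if a real intrusion on that host is near its time."""
    return any(alert["host"] == host and abs(alert["time"] - when) <= window
               for host, when in truth)


def precision(alerts, truth):
    """Fraction of alerts that correspond to a real intrusion (1 minus false-alarm rate)."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if is_true_positive(a, truth)) / len(alerts)


if __name__ == "__main__":
    print("NIDS alone      :", precision(NIDS_ALERTS, TRUE_INTRUSIONS))
    print("HIDS alone      :", precision(HIDS_ALERTS, TRUE_INTRUSIONS))
    print("correlated pairs:", precision(correlate(NIDS_ALERTS, HIDS_ALERTS), TRUE_INTRUSIONS))
    for a in triage(NIDS_ALERTS, HIDS_ALERTS):
        print(a["severity"], a["host"], a["time"].time(), a.get("sid", "-"))
```

On the constructed data the anomaly sensor alone is right two times out of five (precision 0.4), the host sensors alone two out of three, and the correlated pairs two out of two, which is the "much greater likelihood that an actual intrusion is occurring" of the slide. The three uncorrelated anomaly alerts are not discarded but demoted, so the second benefit, catching an attack for which no host signature exists, is preserved at the cost of an analyst looking at lower-priority items.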

Page 35: 19-Intrusion Detection System

The advantages of the combination of HIDS and NIDS applied to an enterprise network and system architecture may seem to offer sufficient protection against intrusive behavior. However, there are some major problems that these HIDS and NIDS systems, even when combined, don't resolve.

In 1998, a study was conducted to highlight the strengths and weaknesses of current research approaches to anomaly and misuse intrusion detection.

The study used synthesized network traffic to replicate normal traffic as well as traffic that contained intrusive patterns. The network traffic was generated to represent the following types of services: FTP, HTTP, SMTP, IRC, POP3, telnet, SQL, DNS, SNMP, and time.

Page 36: 19-Intrusion Detection System

Attacks on the test systems were divided into four categories:
- Denial-of-service attacks
- Probing/surveillance attacks
- Remote-to-local attacks
- User-to-root attacks

Page 37: 19-Intrusion Detection System

- The denial-of-service attacks attempt to render a system or service unusable to legitimate users.
- Probing/surveillance attacks attempt to map out system vulnerabilities and usually serve as a launching point for future attacks.
- Remote-to-local attacks attempt to gain local account privilege from a remote and unauthorized account or system.
- User-to-root attacks attempt to elevate the privilege of a local user to root (or super user) privilege.

Page 38: 19-Intrusion Detection System

However, the performance of the top three IDS had a roughly 20% detection rate for new denial-of-service attacks and less than 10% detection rate for new remote-to-local attacks. This result shows that the best of today's IDS have a problem detecting new denial-of-service and remote-to-local attacks, arguably two of the most concerning types of attacks against computer systems and networks today.

Other areas in which common HIDS and NIDS implementations fall short are in the amount of data that is provided to the IDS. Often the data is insufficient. The data present in the network packets or system calls may not be complete, making it difficult to determine conclusively whether an intrusion is taking place.

Page 39: 19-Intrusion Detection System

Another pitfall has to do with throughput issues: both host-based and network-based IDS are required to filter or examine large quantities of data.

Today's networking equipment often runs at speeds of 100 Mbps or greater and can overwhelm the processing capability of IDS products, which often lack sufficient throughput to examine all data.

The findings from the study resulted in the conclusion that a fundamental paradigm shift in intrusion detection research is necessary to provide reasonable levels of detection against new attacks and even variations of known attacks.

Page 40: 19-Intrusion Detection System

Central to this goal is the ability to generalize from previously observed behavior to recognize future unseen, but similar, behavior.

Future IDS will also have to address scalability and distributed data collection issues in order to achieve the level of effectiveness that is required.

Page 41: 19-Intrusion Detection System
