By P. Victer Paul
An IDS or Intrusion Detection System is a system designed to detect unauthorized access to secure systems, i.e. hacking, cracking or script based attacks.
Such systems are generally composed of sensors, such as Snort, which watch network traffic and trigger security events, and a console interface, such as Sguil, which displays and filters those security events.
Definition: An intrusion can be defined as a subversion of security to gain access to a system. An intrusion can use multiple attack methods and can span long periods of time.
These unauthorized accesses to computer or network systems are often designed to study the system's weaknesses for future attacks. Other forms of intrusion are aimed at limiting or even preventing access to computer systems or networks.
Basically, intrusion detection systems do exactly as the name implies: they detect possible intrusions.
More specifically, IDS tools aim to detect computer attacks and/or computer misuse and alert the proper individuals upon detection. An IDS provides much of the same functionality as a burglar alarm installed in a house. That is, both the IDS and the burglar alarm use various methods to detect when an intruder/burglar is present, and both subsequently issue some type of warning or alert.
What are we protecting?
- Data
- Availability
- Privacy
Who are the intruders?
- Hackers
- Thieves
The methods used by intruders can often contain any one, or even combinations, of the following intrusion types:
◦ Distributed Denial of Service
◦ Trojan Horse
◦ Viruses and Worms
◦ Spoofing
◦ Network/Port Scans
◦ Buffer Overflow
There are many approaches that are used to implement IDS. An in-depth look at these approaches will be presented in later sections. However, the majority of IDS systems contain the following 3 components:
- Information Source
- Analysis Engine
- Response/Alert
All IDS need an information source in which to monitor for intrusive behavior. The information source can include: network traffic (packets), host resource (CPU, I/O operations, and log files), user activity and file activity, etc.
The information can be provided in real-time or in a delayed manner.
The Analysis Engine is the "brains" behind the IDS.
This is the actual functionality that is used to identify intrusive behavior. As mentioned previously, there are many ways in which an IDS can analyze intrusive behavior, and the majority of IDS implementations differ precisely in their method of intrusion analysis.
Once an intrusive behavior is identified, IDS need to be able to respond to the attack and alert the appropriate individuals of the occurrence.
Response activities can include: applying firewall rules to drop traffic from a particular source IP, host port blocking, logging off a user, disabling an account, security software activation, system shutdown, etc.
Alerting measures are used to bring the attack to the attention of the proper individuals supporting the environment.
For example, an IDS alert can include an active measure, which may be sending an email or text page to the system administrator, or it could simply write a detailed log of the event, which is a passive measure.
The ultimate desire of IDS functionality is the identification of all intrusive behavior within an environment, and the reporting of that behavior in a timely manner.
However, in order for an IDS to be successful in today's complex environments, some further characteristics are needed. The IDS should:
- run continually with minimal human supervision
- withstand an attack and continue functioning
- monitor itself and resist local intrusion
- use minimal resources
- adapt and recognize "normal" behavior
- Scalability: The IDS must be able to function in large (and fast) network architectures.
- Low rate of false positive alerts: A false positive is, essentially, a false alarm.
- No false negative instances: A false negative is an instance when the network or system was under attack, but the IDS did not identify it as intrusive behavior, so no alert was raised.
- Allow some anomalous events without flagging an emergency alert. This doesn't mean it should allow truly malicious behavior, but it should be flexible/smart enough to tolerate the occasional user mistake or communication blip.
Anomaly-detection IDS models for computers and networks operate by building a model of "normal" system behavior. Normal system behavior is determined by observing the standard operation of the system or network. Anomaly detection then takes the normal observation model and uses statistical variance, or, as we shall see later, data mining techniques with artificial intelligence, to determine whether the system or network environment is behaving normally or abnormally. The assumption in anomaly detection is that an intrusion can be detected by observing a deviation from the normal or expected behavior of the system or network.
Threshold detection is the process in which certain attributes of user and computer system behavior are expressed in terms of counts, with some level established as permissible.
For example, such behavior attributes can include the number of files accessed by a given user over a certain period of time, the number of failed attempts to login to the system, the amount of CPU utilized by a process, etc.
Statistical measures: These measures can be parametric or non-parametric.
◦ Parametric measures are used when the distribution of the profiled attributes is assumed to fit a particular pattern.
◦ Non-parametric measures are used when the distribution of the profiled attribute is gathered from a set of historical values observed over time.
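The threshold and statistical measures above, carried through as an added example (not code from the original slides): failed logins per user are counted from a few constructed log lines, compared against a fixed permissible count, and then scored with a parametric measure (a z-score, which assumes the historical counts are roughly normally distributed) and a non-parametric measure (an empirical percentile of the historical counts). The log format, user names and history values are all constructed for illustration.

```python
import re
import statistics
from collections import Counter

# Constructed sample auth log lines (not from the original page).
SAMPLE_LOG = """\
2024-01-01T10:00:01 sshd: Failed password for alice from 10.0.0.5
2024-01-01T10:00:04 sshd: Failed password for alice from 10.0.0.5
2024-01-01T10:00:09 sshd: Accepted password for alice from 10.0.0.5
2024-01-01T10:01:00 sshd: Failed password for bob from 10.0.0.9
2024-01-01T10:01:02 sshd: Failed password for bob from 10.0.0.9
2024-01-01T10:01:03 sshd: Failed password for bob from 10.0.0.9
2024-01-01T10:01:05 sshd: Failed password for bob from 10.0.0.9
2024-01-01T10:01:07 sshd: Failed password for bob from 10.0.0.9
2024-01-01T10:01:09 sshd: Failed password for bob from 10.0.0.9
"""

# Constructed history: failed-login counts for one user over ten earlier windows.
HISTORY = [1, 0, 2, 1, 0, 1, 2, 1, 0, 1]

FAILED_RE = re.compile(r"Failed password for (\w+) from ([\d.]+)")


def count_failed_logins(log_text):
    """Threshold-detection input: number of failed logins per user in the observed window."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def threshold_alerts(counts, limit):
    """Flag every user whose failed-login count exceeds the permissible level."""
    return sorted(user for user, n in counts.items() if n > limit)


def parametric_alert(value, history, z_limit=3.0):
    """Parametric measure: assume history is roughly normal, alert when the z-score exceeds z_limit."""
    mean = statistics.mean(history)
    sd = statistics.pstdev(history)
    if sd == 0:
        # A flat history has no spread; anything above the mean is a deviation.
        return value > mean
    return (value - mean) / sd > z_limit


def nonparametric_alert(value, history, percentile=95):
    """Non-parametric measure: alert when value lies above the given percentile of observed history."""
    ordered = sorted(history)
    idx = min(int(len(ordered) * percentile / 100), len(ordered) - 1)
    return value > ordered[idx]


if __name__ == "__main__":
    counts = count_failed_logins(SAMPLE_LOG)
    print("counts:", dict(counts))
    print("over fixed threshold of 3:", threshold_alerts(counts, 3))
    for user, n in counts.items():
        print(user, "parametric:", parametric_alert(n, HISTORY),
              "non-parametric:", nonparametric_alert(n, HISTORY))
```

Note the trade-off the slides describe: the fixed threshold needs a hand-chosen limit, the parametric score needs the normality assumption to hold, and the percentile check needs enough history to be meaningful, but none of them needs any knowledge of a specific attack.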
It can detect attempts to exploit new and unforeseen vulnerabilities. An IDS based on the detection of anomalies can detect unusual behavior and thus has the ability to detect symptoms of attacks without specific knowledge of their details. This is a very powerful advantage, and it is for this reason alone that the majority of research into future IDS models includes some sort of anomaly detection. It can also be used to detect 'abuse-of-privilege' types of attack, which generally do not involve exploiting any security vulnerabilities. It can recognize unusual network traffic based on network packet characteristics (payload, source IP, time, etc.). It can produce information about an intrusive attack that can then be used to define signatures for misuse detectors.
"Misuse detection-based IDS function in much the same way as computer anti-virus applications."
Misuse detection IDS models function in very much the same sense as high-end computer anti-virus applications. That is, misuse detection IDS models analyze the system or network environment and compare the activity against signatures (or patterns) of known intrusive computer and network behavior. These signatures must be updated over time to include the latest attack patterns, much like computer anti-virus applications.
Misuse-based IDS can be put to use very quickly. There isn't a need for the IDS to "learn" the network behavior before it can be of use. Signature matching also produces fewer false alarms (false positives) than other IDS methods. If the signatures of attacks used by the misuse detection system are reliable, then attacks that match those signatures are identified very quickly, which makes the determination of corrective measures easier. Computer administrators can write their own signatures in accordance with the organization's security policy.
Like anti-virus software, the signatures containing the attack patterns are constantly changing. Skilled computer and network hackers are well aware of the patterns of known exploits, and these patterns can be modified to decrease the chances of raising any red flags. Intrusion detection systems that follow the misuse detection model need to be constantly updated to stay a step ahead of the hackers.
Since misuse detection operates by comparing known intrusive signatures against the observed log, misuse detectors suffer from the limitation of only being able to detect attacks that are already known. Therefore, they must be constantly updated with attack signatures that represent newly discovered attacks or modified versions of existing attacks. They are also vulnerable to evasion: once a security hole has been discovered and a signature has been written to capture it, several other iterations of "copycat" exploitations usually surface to take advantage of the same security hole. Since each is a variant of the original attack method, it usually goes undetected by the original vulnerability signature, requiring the constant rewriting of signatures. Many misuse detectors are designed to use tightly defined signatures that prevent them from detecting variants of common attacks.
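An added example of the signature-matching limitation just described (not code from the original slides): a tightly defined signature is an exact substring, like a naive anti-virus string match, while a looser one is a regular expression applied after the input has been normalised (here, after decoding %xx escapes). The three request lines are constructed; the classic path-traversal string is used only because it is the textbook illustration of why an IDS must normalise before matching.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not from the page): one benign request,
# one that matches the tight signature exactly, and one trivially re-encoded variant.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/../../etc/passwd HTTP/1.1",
    "GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.1",
]

# Tightly defined signature: an exact substring, matched against the raw request.
TIGHT_SIGNATURES = {
    "dir-traversal-exact": "../../etc/passwd",
}

# Looser signature: a regex that tolerates any number of "../" segments,
# matched against the decoded request so encoding variants still hit.
LOOSE_SIGNATURES = {
    "dir-traversal-regex": re.compile(r"(\.\./)+etc/passwd"),
}


def normalise(request):
    """Decode %xx escapes so that the matcher sees what the server would see."""
    return unquote(request)


def match_tight(request):
    """Names of tight signatures found verbatim in the raw request."""
    return sorted(name for name, sig in TIGHT_SIGNATURES.items() if sig in request)


def match_loose(request):
    """Names of regex signatures found in the normalised request."""
    text = normalise(request)
    return sorted(name for name, rx in LOOSE_SIGNATURES.items() if rx.search(text))


def scan(requests, matcher):
    """Map each request that triggers at least one signature to the list of signature names."""
    hits = {}
    for req in requests:
        names = matcher(req)
        if names:
            hits[req] = names
    return hits


if __name__ == "__main__":
    print("tight:", scan(SAMPLE_REQUESTS, match_tight))
    print("loose:", scan(SAMPLE_REQUESTS, match_loose))
```

The tight matcher catches only the second request; the re-encoded third request slips past it exactly as the slide warns, and only the normalise-then-regex approach flags both. Real engines such as Snort do this normalisation in dedicated preprocessors rather than in the rule itself.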
Host-based Intrusion Detection Systems are confined to monitoring activity on the local host computer. This monitoring can include network traffic to the host, or local object (files, processes, services) access on the host. For example, a HIDS implementation can be used to analyze all the network traffic transmitted to the computer and pass only the packets deemed safe onto the computer. A HIDS could also be a service running on the local machine that periodically examines the system security logs for suspicious activity.
Keep in mind that suspicious activity in one environment may not equate to suspicious activity in another environment, so rules that define what constitutes suspicious activity need to be created. Some examples of possible suspicious activities include: several unauthorized logon attempts, confidential file access, deletion of logs, etc.
Direct system information access: since a HIDS exists directly on the host system, it can directly access local system resources (operating system configuration, files, registry, software installations, etc.). It can associate users with local computer processes. Since the host is part of the target, a HIDS can provide detailed information on the state of the system during the attack. Low resource utilization: a HIDS only deals with the inspection of traffic and events local to the host.
The implementation of HIDS can get very complex in large networking environments. With several thousand possible endpoints in a large network, collecting and auditing the generated log files from each node can be a daunting task. If the IDS system is compromised, the host may cease to function resulting in a stop on all logging activity. Secondly, if the IDS system is compromised and the logging still continues to function, the trust of such log data is severely diminished.
A network-based intrusion detection system uses a firewall approach to examine the network traffic (packets) at the router or host level for intrusive activity. NIDS scans any traffic that is transmitted over the segment of the network and only permits through the packets that are not identified as intrusive. With the explosive growth of networking and data sharing, NIDS have become the most popular form of Intrusion Detection. The need to scan the voluminous amounts of network activity and successfully recognize and tag network-wide intrusive behavior is well received within the security industry.
- Relatively easy deployment: NIDS are installed per network segment. Deployment to 50 servers may only require 1 network-based intrusion detection system installation.
- A NIDS can be configured to be invisible to the attacker.
- Can view intrusive activity that is targeting several hosts.
- Provides greater detail into the nature of network traffic.
- NIDS can interact with firewall technologies to dynamically block recognized intrusion behavior.
Network-based intrusion detection seems to offer the most detection coverage while minimizing the IDS deployment and maintenance overhead. However, the main problem with implementing a NIDS with the techniques described in the previous sections is the high rate of false alarms. Modern day enterprise network environments amplify this disadvantage due to the massive amounts of dynamic and diverse data that needs to be analyzed.
All the previously defined IDS techniques have their share of disadvantages. There just isn't a single IDS model that offers 100% intrusion detection with a 0% false alarm rate that can be applied in today's complex networking environment. However, incorporating multiple IDS techniques can, to a certain extent, minimize many of the disadvantages illustrated in the previous section.
Common implementations of IDS use a combination of the IDS approaches that have been discussed so far. The combination of these techniques reduces the limitations that are associated with a single-method IDS implementation.
For example, misuse-based HIDS and anomaly-based NIDS are usually implemented together to form a hybrid Host/Network IDS architecture. This hybrid IDS allows the correlation between the events on the network and events of the target host(s).
Minimization of anomaly-based false alerts: correlating the alerts generated by both IDS provides a much greater likelihood that an actual intrusion is occurring. This type of arrangement minimizes the inherent disadvantage of anomaly-based IDS, which is the excessive number of false alerts.
Since a host-based misuse IDS can't detect a signature if the attack is new (the signature doesn't exist yet), there is an additional benefit to misuse detection IDS environments in applying a network-based anomaly IDS that has the ability to capture new attacks and evasive techniques.
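The hybrid correlation described in the two paragraphs above, as an added example (not code from the original slides): anomaly alerts from a NIDS are only promoted to a high-priority finding when a misuse alert from the HIDS on the same host arrives within a time window, and the rest are kept at low priority rather than discarded. The alert records, hosts, timestamps and the ten-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed alerts from an anomaly-based NIDS and a misuse-based HIDS (not from the page).
NIDS_ALERTS = [
    {"time": "2024-01-01T10:00:00", "host": "10.0.0.20", "msg": "unusual outbound byte volume"},
    {"time": "2024-01-01T10:05:00", "host": "10.0.0.21", "msg": "unusual destination port mix"},
    {"time": "2024-01-01T11:00:00", "host": "10.0.0.22", "msg": "new destination network"},
]
HIDS_ALERTS = [
    {"time": "2024-01-01T10:02:30", "host": "10.0.0.20", "msg": "signature: security log deleted"},
    {"time": "2024-01-01T12:00:00", "host": "10.0.0.21", "msg": "signature: repeated failed logon"},
]


def parse_time(ts):
    """ISO-8601 timestamp string to datetime."""
    return datetime.fromisoformat(ts)


def correlate(nids, hids, window_minutes=10):
    """Return NIDS anomaly alerts that have a HIDS misuse alert for the same host within the window."""
    window = timedelta(minutes=window_minutes)
    confirmed = []
    for n in nids:
        t_n = parse_time(n["time"])
        for h in hids:
            if h["host"] == n["host"] and abs(parse_time(h["time"]) - t_n) <= window:
                confirmed.append({"host": n["host"],
                                  "network_event": n["msg"],
                                  "host_event": h["msg"]})
    return confirmed


def triage(nids, hids, window_minutes=10):
    """Split anomaly alerts into corroborated (high priority) and uncorroborated (low priority)."""
    confirmed = correlate(nids, hids, window_minutes)
    confirmed_hosts = {c["host"] for c in confirmed}
    low_priority = [n for n in nids if n["host"] not in confirmed_hosts]
    return confirmed, low_priority


if __name__ == "__main__":
    high, low = triage(NIDS_ALERTS, HIDS_ALERTS)
    for c in high:
        print("HIGH", c["host"], "|", c["network_event"], "|", c["host_event"])
    for n in low:
        print("low ", n["host"], "|", n["msg"])
```

Only host 10.0.0.20 is corroborated: its HIDS event lands two and a half minutes after the network anomaly. Host 10.0.0.21 does have a HIDS alert, but almost two hours later, so the anomaly stays low priority; the window is what keeps the correlation from manufacturing false confirmations of its own.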
The advantages of combining HIDS and NIDS in an enterprise network and system architecture may seem to offer sufficient protection against intrusive behavior. However, there are some major problems that these HIDS and NIDS systems, even when combined, don't resolve. In 1998, a study was conducted to highlight the strengths and weaknesses of current research approaches to anomaly and misuse intrusion detection. The study used synthesized network traffic to replicate normal traffic as well as traffic that contained intrusive patterns. The network traffic was generated to represent the following types of service: FTP, HTTP, SMTP, IRC, POP3, telnet, SQL, DNS, SNMP, and time.
Attacks on the test systems were divided into four categories:
- Denial-of-service attacks
- Probing/surveillance attacks
- Remote-to-local attacks
- User-to-root attacks
The denial of service attacks attempt to render a system or service unusable to legitimate users. Probing/surveillance attacks attempt to map out system vulnerabilities and usually serve as a launching point for future attacks. Remote to local attacks attempt to gain local account privilege from a remote and unauthorized account or system. User to root attacks attempt to elevate the privilege of a local user to root (or super user) privilege.
However, the top three IDS achieved only a roughly 20% detection rate for new denial-of-service attacks and less than 10% for new remote-to-local attacks. This result shows that the best of today's IDS have a problem detecting new denial-of-service and remote-to-local attacks, arguably two of the most concerning types of attack against computer systems and networks today. Another area in which common HIDS and NIDS implementations fall short is the amount of data provided to the IDS. Often the data is insufficient: the data present in the network packets or system calls may not be complete, making it difficult to determine conclusively whether an intrusion is taking place.
Another pitfall has to do with throughput: both host-based and network-based IDS are required to filter or examine large quantities of data. Today's networking equipment often runs at speeds of 100 Mbps or greater and can overwhelm the processing capability of IDS products, which often lack sufficient throughput to examine all data. The findings of the study led to the conclusion that a fundamental paradigm shift in intrusion detection research is necessary to provide reasonable levels of detection against new attacks and even against variations of known attacks.
Central to this goal is the ability to generalize from previously observed behavior to recognize future unseen, but similar behavior. Future IDS will also have to address scalability and distributed data collection issues in order to achieve the level of effectiveness that is required.