Intrusion Detection System

Published on March 2017 | Categories: Documents | Downloads: 29 | Comments: 0 | Views: 212



Submitted by:
Neha Bansal
M.C.A IInd (SEMESTER)
Roll.No. 219
MAHARAJA AGRASEN INSTITUTE OF
MANAGEMENT AND TECHNOLOGY
SESSION: 2011-2012
Submitted To:
Mr. Priyanka mam
Lecturer M.C.A

INDEX
1. Introduction 2
2. History Of IDS 3
3. Dealing With Intruders 4
4. How does IDS work? 5
5. Types of IDS 6-9
6. Techniques of IDS 10-12
7. Firewall Versus IDS 13-14
8. Benefits of IDS 15
9. Disadvantages of IDS 16
10. Conclusion 17
11. References 18

INTRODUCTION
INTRUSION DETECTION SYSTEM
An intrusion is sometimes also described as a hacker or cracker attempting to break into or misuse your system. When the concept of intrusion detection was introduced in 1980, an intrusion attempt or a threat was defined as the potential possibility of a deliberate unauthorized attempt to
• access information,
• manipulate information, or
• render a system unreliable or unusable.
Intrusion detection systems do exactly as the name suggests: they detect possible intrusions. More specifically, IDS tools aim to detect computer attacks and/or computer misuse, and to alert the proper individuals upon detection.
An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack by someone attempting to break into or compromise a system. An IDS installed on a network serves much the same purpose as a burglar alarm system installed in a house. Through various methods, both detect when an intruder/attacker/burglar is present, and both subsequently issue some type of warning or alert.

HISTORY
A computer system should provide confidentiality, integrity and assurance against denial of service. However, due to increased connectivity (especially on the Internet) and the vast spectrum of financial possibilities that are opening up, more and more systems are subject to attack by intruders. This is why IDS came into existence: an IDS provides facilities to protect your system.
Intrusion Detection (ID) defined: the process of monitoring computer networks and systems for violations of security policy.
First ID system: manual "system audits", 1980; ID was born.
Government sponsored development in the early 1980's. First ID systems for the Air Force and Navy.
First documented need for automated audit trail review to support security goals.
The growth of the Internet forced IDS to be developed.
Commercial ID systems began appearing in the early 1990's.

DEALING WITH INTRUDERS
Due to increased connectivity (especially on the Internet) and the many financial possibilities that are opening up, more and more systems are subject to attack by intruders (intruders are hackers or crackers, that is, unauthorised users), because a completely secure system is still a dream.
Firewalls and filtering routers are not enough to protect electronic assets, so detection is needed. In terms of the intruder-victim relation, attacks are categorized as:
- External Intruders: unauthorised users of the machines they attack, coming from outside, frequently via the Internet. They can be any person not known to us.
- Internal Intruders: users who have permission to access the system but not some portion of it; they come from the enterprise's own employees or its business partners or customers. Further subdivided:
- Masquerade: users who masquerade as another user, that is, use another user's user number or identification number to access information they are not permitted to see.
- Legitimate: users who legally access information but are not allowed to access some of it, yet, using some kind of technique, are able to reach sensitive data under their legitimate access. They are the most dangerous type.
- Clandestine: users who have the power to turn off audit controls for themselves and steal information.
HOW DOES IDS WORK?
Intrusion detection systems serve three essential security functions: they monitor, detect, and respond to unauthorized activity by company insiders and outsider intrusion. Intrusion detection systems use policies to define certain events that, if detected, will issue an alert. In other words, if a particular event is considered to constitute a security incident, an alert will be issued if that event is detected. Certain intrusion detection systems have the capability of sending out alerts, so that the administrator of the IDS will receive a notification of a possible security incident in the form of a page, email, or SNMP trap. Many intrusion detection systems not only recognize a particular incident and issue an appropriate alert, they also respond automatically to the event. Such a response might include logging off a user, disabling a user account, or launching scripts.
In terms of response, IDS are classified as:
• Passive system: in a passive system, the IDS detects a potential security breach, logs the information and signals an alert.
• Reactive system: in a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.
Types of IDS
Basically IDS are of two types, i.e.
--NIDS (Network Intrusion Detection Systems)
--HIDS (Host Intrusion Detection Systems)
Both of them have their own pros and cons. Let us discuss both of them one by one.
Network Intrusion Detection Systems
A network IDS (NIDS) monitors all traffic on the network segment that it is placed on. This is generally accomplished by placing the network interface card in promiscuous mode to capture all network traffic that crosses its network segment. Network traffic on other segments can't be monitored unless the traffic is directed to the NIDS promiscuous interface.
Network Intrusion Detection involves looking at the packets on the network as they pass by the NIDS. The NIDS can only see the packets that are carried on the network segment it's attached to. Packets are considered to be of interest if they match a signature or certain behavior. Network Intrusion Detection Systems are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. Ideally you would scan all inbound and outbound traffic; however, doing so might create a bottleneck that would impair the overall speed of the network.
Host Based Intrusion Detection Systems
A Host IDS (HIDS) uses a piece or pieces of software on the system to be monitored. The loaded software uses log files and/or the system's auditing agents as sources of data. In contrast, a NIDS monitors the traffic on its network segment as a data source.
Host based intrusion detection involves not only looking at the network traffic in and out of a single computer, but also checking the integrity of your system files and watching for suspicious processes. To get complete coverage of your network with HIDS, you must load the software on every computer. Host based Intrusion Detection is much more effective in detecting insider attacks than is NIDS. Host Intrusion Detection Systems are run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected.
The diagram below shows a HIDS.
Fig. 1: HIDS
HIDS vs NIDS
• Unauthorized outsider access: When an unauthorized user logs in successfully, or attempts to log in, they are best tracked with host-based IDS. However, detecting the unauthorized user before their logon attempt is best accomplished with network-based IDS.
• Bandwidth theft/denial of service: These attacks from outside the network single out network resources for abuse or overload. The packets that initiate/carry these attacks can best be noticed with the use of network-based IDS.
• Traffic monitors: A NIDS monitors all traffic on a network segment and can detect intrusions that cross that specific network segment. It will not see traffic that passes between LAN computers. A HIDS, by contrast, examines all traffic and activity for a particular machine and can inspect system log files as well as inbound and outbound packets. Each system requires its own IDS.
HIDS and NIDS Used in Combination
The two types of intrusion detection systems differ significantly from each other, but complement one another well. The best IDS tools combine both approaches under one management console. That way, the user gets comprehensive coverage, making sure to guard against as many threats as possible.
IDS Techniques
Now that we have examined the two basic types of IDS and why they should be used together, we can investigate how they go about doing their job. For each of the two types, there are two basic techniques used to detect intruders:
Misuse detection (Signature detection or Pattern Detection).
Anomaly detection (Behavior detection).
Misuse Detection or Signature based IDS or Pattern Detection
Almost all IDSs are signature based, also known as knowledge based. Signature based IDSs monitor network traffic and analyze this traffic against specific predefined attacks. When an attack is detected an alarm is generated. This means that any traffic that doesn't specifically match a signature is considered safe. Signature based IDSs obviously require that the signature base be updated regularly to detect new exploits. If legitimate network traffic triggers an alarm this is called a false positive. The number of false positives generated by signature based IDSs can be significantly less than that of behavior based IDSs.
A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time your IDS would be unable to detect the new threat.
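The following Python example is added here and is not the report's own code. It serves two passages at once: the signature matching described in this section, and the passive versus reactive response modes described under "How does IDS work?". A small signature database is matched against constructed, already-parsed events; any event that matches no signature is treated as safe, exactly as the text says. The signatures, event records and source addresses are made up for illustration and are not a real rule set.

```python
"""Signature (misuse) detection with passive and reactive responses.

Added example, not code from the report. Signatures, events and addresses
are constructed for illustration only.
"""
import re
from dataclasses import dataclass


@dataclass
class Signature:
    sid: int
    name: str
    field_name: str      # which event field the pattern is applied to
    pattern: re.Pattern


# Constructed signature database (illustrative patterns, not a real ruleset).
SIGNATURES = [
    Signature(1001, "Directory traversal in URL", "request", re.compile(r"\.\./")),
    Signature(1002, "Shell metacharacters in URL", "request", re.compile(r"[;|`]")),
    Signature(1003, "SSH authentication failure", "message", re.compile(r"Failed password")),
]

# Constructed events, as a hypothetical collector would hand them to the IDS.
EVENTS = [
    {"src": "10.0.0.5", "request": "GET /index.html", "message": ""},
    {"src": "203.0.113.7", "request": "GET /../../etc/passwd", "message": ""},
    {"src": "10.0.0.9", "request": "", "message": "Failed password for root from 10.0.0.9"},
    {"src": "10.0.0.5", "request": "GET /about.html", "message": ""},
]


def match_event(event):
    """Return every signature whose pattern matches the relevant event field."""
    return [s for s in SIGNATURES if s.pattern.search(event.get(s.field_name, ""))]


def run_ids(events, mode="passive"):
    """Process events and return (alerts, blocked_sources).

    passive : matches are logged and alerted only.
    reactive: matches additionally produce a block action for the source
              address (in practice, a deny rule pushed to the firewall).
    """
    alerts, blocked = [], []
    for ev in events:
        for sig in match_event(ev):
            alerts.append({"sid": sig.sid, "name": sig.name, "src": ev["src"]})
            if mode == "reactive" and ev["src"] not in blocked:
                blocked.append(ev["src"])
    return alerts, blocked


if __name__ == "__main__":
    for mode in ("passive", "reactive"):
        alerts, blocked = run_ids(EVENTS, mode)
        print(mode, "alerts:", [a["sid"] for a in alerts], "blocked:", blocked)
```

Note the signature-lag problem from the text in miniature: an attack whose request matches none of the three patterns passes through `match_event` silently, and a reactive deployment that blocks on a false positive cuts off legitimate traffic, which is why the text pairs reactive responses with a well-tuned signature base.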
Behavior based IDS or Abnormal behavior
It does what its name describes: it looks for abnormal behavior. How is this different from suspicious detection? Here is an example: most corporate LANs are only active during business hours. From 9 AM - 6 PM, the servers are active, users are logged on, and the routers are busy. However, during non-business hours, the network should be rather stagnant. This is where the abnormal-behavior IDS comes into play. In the event that a workstation on your network is infected with a Trojan, the hacker could use that machine to gain access to the rest of your network including the file servers. Usually, this is late at night when the administrator and users won't notice. An abnormal-behavior IDS would record network activity and file requests during non-business hours. So, if a user was all of a sudden requesting files from the server at 2 AM, the abnormal detection IDS would send a red flag. This allows network administrators to know exactly what is going on when they are not there.
[Figure: intrusion patterns, activities, pattern matching, intrusion]
Behavior-based intrusion detection techniques assume that an intrusion can be detected by observing a deviation from the normal or expected behavior of the system or the users. The model of normal or valid behavior is extracted from reference information collected by various means. The intrusion detection system later compares this model with the current activity. When a deviation is observed, an alarm is generated. In other words, anything that does not correspond to a previously learned behavior is considered intrusive.
Advantages of behavior-based approaches are that they can detect attempts to exploit new and unforeseen vulnerabilities. They can even contribute to the automatic discovery of these new attacks. They also help detect 'internal abuse' types of attacks that do not actually involve exploiting any security vulnerability.
An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. An example of this would be if a user logs on and off of a machine 20 times a day instead of the normal 1 or 2. Also, if a computer is used at 2:00 AM when normally no one outside of business hours should have access, this should raise some suspicions.
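As an added example (not the report's code), the following Python script implements the two anomaly checks the section describes: a per-user baseline of logons per day is learned from a constructed history, and a new day's activity is scored against it, so that a user logging on 20 times instead of the usual 1 or 2, or logging on at 2 AM, raises an alert. The history, the z-score threshold and the business-hours window are assumptions chosen for illustration.

```python
"""Anomaly (behaviour-based) detection against a learned baseline.

Added example, not the report's code. The history, threshold and
business-hours window are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed training history of (user, ISO timestamp) logon events:
# alice logs on twice a day, bob once, over seven days.
HISTORY = [("alice", f"2024-03-{d:02d}T09:0{i}:00")
           for d in range(1, 8) for i in range(2)]
HISTORY += [("bob", f"2024-03-{d:02d}T10:15:00") for d in range(1, 8)]

# Constructed new day: alice logs on 20 times; bob logs on at 2 AM.
NEW_DAY = [("alice", f"2024-03-09T{9 + i % 8:02d}:{(i * 7) % 60:02d}:00")
           for i in range(20)]
NEW_DAY += [("bob", "2024-03-09T02:00:00")]

BUSINESS_HOURS = range(9, 18)   # 9 AM to 6 PM, as in the report's example


def learn_baseline(events):
    """Per-user mean and population std-dev of logons per day."""
    per_day = defaultdict(lambda: defaultdict(int))
    for user, ts in events:
        per_day[user][datetime.fromisoformat(ts).date()] += 1
    baseline = {}
    for user, days in per_day.items():
        counts = list(days.values())
        baseline[user] = {"mean": mean(counts), "std": pstdev(counts)}
    return baseline


def score_day(baseline, events, z_threshold=3.0):
    """Return alert tuples (user, reason, timestamp-or-None) for one day."""
    alerts = []
    counts = defaultdict(int)
    for user, ts in events:
        counts[user] += 1
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            alerts.append((user, "off-hours logon", ts))
    for user, n in counts.items():
        b = baseline.get(user)
        if b is None:
            # Never seen in training: nothing to compare against, so flag it.
            alerts.append((user, "unknown user", None))
            continue
        # A perfectly regular history gives std 0; floor it so z stays finite.
        z = (n - b["mean"]) / max(b["std"], 0.5)
        if z > z_threshold:
            alerts.append((user, f"logon count {n} vs baseline {b['mean']:.1f}", None))
    return alerts


def demo():
    """Learn from HISTORY and score NEW_DAY."""
    return score_day(learn_baseline(HISTORY), NEW_DAY)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The weakness the text mentions is visible here as well: whatever the training period contains becomes "normal", so a baseline learned while an intruder is already active will not flag that intruder, and a user whose legitimate routine changes will be flagged until the baseline is re-learned.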
Firewall vs. IDS
Although IDSs may be used in conjunction with firewalls, which aim to regulate and control the flow of information into and out of a network, the two security tools should not be considered the same thing. Using the previous example, firewalls can be thought of as a fence or a security guard placed in front of a house. They protect a network and attempt to prevent intrusions, while IDS tools detect whether or not the network is under attack or has, in fact, been breached. IDS tools thus form an integral part of a thorough and complete security system. They don't fully guarantee security, but when used with security policy, vulnerability assessments, data encryption, user authentication, access control, and firewalls, they can greatly enhance network safety. Most firewalls never alert an administrator. The administrator may notice if he/she checks the access log of the firewall, but that could be weeks or even months after the attack. This is where an IDS comes into play.
• A firewall cannot detect security breaches associated with traffic that does not pass through it. Only an IDS is aware of traffic in the internal network.
• Not all access to the Internet occurs through the firewall.
• A firewall does not inspect the content of the permitted traffic.
• A firewall is likely to be attacked more often than an IDS.
• A firewall is usually helpless against tunneling attacks.
• An IDS is capable of monitoring messages from other pieces of security infrastructure.
Whereas a firewall may be used in both home and commercial environments, Intrusion Detection Systems are only really feasible within commerce.
The combination of an Intrusion Detection System and a firewall will allow maximum filtering of network traffic and will definitely prevent the majority of attacks.
Some reasons for adding an IDS to your firewall are:
• Double-checks misconfigured firewalls.
• Catches attacks that firewalls legitimately allow through (such as attacks against web servers).
• Catches attempts that fail.
• Catches insider hacking.
Benefits of IDS
• Monitors the operation of firewalls, routers, key management servers and files critical to other security mechanisms.
• Allows the administrator to tune, organize and comprehend often incomprehensible operating system audit trails and other logs.
• Can make the security management of systems by non-expert staff possible by providing a nice user friendly interface.
• Comes with an extensive attack signature database against which information from the customer's system can be matched.
• Can recognize and report alterations to data files.
• It provides timely information: it recognizes the attacker (intrusion) and reports alterations to data files.
• IDS generate an alarm and report to the administrator that security has been breached, and also react to intruders by blocking them or blocking the server.
IDS is not a SILVER BULLET
• Cannot conduct investigations of attacks without human intervention.
• Cannot intuit the contents of your organizational security policy.
• Cannot compensate for weaknesses in network protocols.
• Cannot compensate for weak identification and authentication mechanisms.
• Capable of monitoring network traffic, but only up to a certain traffic level.
• It can tell you neither exactly who carried out the attack and how it occurred, nor the intention of the attacker.
CONCLUSION
As security incidents become more numerous, IDS tools are becoming increasingly necessary. They round out the security arsenal, working in conjunction with other information security tools, such as firewalls, and allow for the complete supervision of all network activity.
• IDS have come a long way
• Still a long way to go
• Many different products on the market
• Many different uses
• Open source solutions are very popular
• No easy or long-term solution to network security
• Vigilance will have to be maintained
Intrusion detection systems add an early warning capability to your defenses, alerting you to any type of suspicious activity that typically occurs before and during an attack. Since most cannot stop an attack, intrusion detection systems should not be considered an alternative to traditional good security practices. There is no substitute for a carefully thought out corporate security policy, backed up by effective security procedures which are carried out by skilled staff using the necessary tools. Instead, intrusion detection systems should be viewed as an additional tool in the continuing battle against hackers and crackers.
