Handout: http://www.scribd.com/doc/40730058/Handout-Intrusion-Detection-and-Intrusion-Prevention-Systems
Slides: http://www.scribd.com/doc/40731214/Slides-Intrusion-Detection-and-Intrusion-Prevention-Systems
Intrusion Detection & Intrusion Prevention Systems
IDS & IPS

Contents
Shortcomings of UTM
Appendix
Wireless Intrusion Detection
WIDS Functionality
Attacks Fundamentals
Planning phase
Reconnaissance phase
Attack phase
Post-attack phase
Types of Attacks
Denial of service (DoS)
Remote exploits
Trojans and Backdoor programs
Misuse of Legitimate Access
References
Keywords
IDS, IPS, Intrusion, Host based IDS, Network based IDS, Wireless IDS, Components of IDS, Signature Detection, Anomaly Detection, Misuse Detection, Stealth Probes, Target Monitoring, Denial of Service Monitoring, Stateless IDS, Stateful IDS, Deep Packet Inspection, Attack Fundamentals.
Abstract
In modern interlinked computer based systems security is of utmost importance. The safeguarding of security is becoming increasingly difficult, because the possible technologies of attack are becoming ever more sophisticated; at the same time, less technical ability is required for the novice attacker, because proven past methods are easily accessed through the Web.
The majority of security violations in systems occur due to malicious users or malicious code being able to penetrate a system's security barriers and affect the system, either by changing the system behaviour, extracting the system's information, or both. Such malicious actions are identified as intrusions.
Intrusion detection (ID) is a type of security management system for computers and networks.
Aim: The aim of this document is to provide insight into intrusion detection and prevention concepts and technologies, discussing their advantages and disadvantages.
Introduction
Intrusions are "any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource (system)" [1].
An intrusion detection system collects and analyzes various data within a computer or a network to identify possible security violations, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).
The concept of intrusion detection has been around for nearly twenty years, but the popularity and usage of such systems has increased exponentially in recent years.
One of the first published documents relating to intrusion detection was published by James Anderson in 1980. The document introduced the notion that audit trails contained vital information that could be valuable in tracking misuse and understanding user behaviour. The first model for intrusion detection, the Intrusion Detection Expert System (IDES), was developed in 1983 [2].
The market share of intrusion detection systems increased after 1997, and several companies which mainly focused on developing intrusion detection systems were born. The technological advancements have since continued and major developments have been achieved.
Security protocols implemented to identify intrusions can be broadly categorized into:
- Intrusion detection systems (IDS), which are hardware and/or software mechanisms that detect and log inappropriate, incorrect, or anomalous activity and report it for further investigation [3].
- Intrusion Prevention Systems (IPS), which contain IDS functionality but are more sophisticated systems capable of taking immediate action in order to prevent or reduce the malicious behaviour [4].
Some functionality of intrusion detection systems is [3]:
- Monitoring and analyzing both user and system activities
- Analyzing system configurations and vulnerabilities
- Assessing system and file integrity
- Ability to recognize patterns typical of attacks
- Analysis of abnormal activity patterns
- Tracking user policy violations
IDS/IPS Architecture
Basic assumptions
IDS/IPS systems rely on two fundamental assumptions which are vital for their functionality. They are [7]:
- System activities are observable.
- Normal and intrusive activities have distinct evidence; the goal of an IDS/IPS is to detect the difference.
Components of an IDS/IPS
IDS/IPS systems typically consist of the following components [7]:
- Data pre-processor - Collects and formats the data to be analyzed by the detection algorithm.
- Detection algorithm - Based on the detection model, detects the difference between "normal" and intrusive audit records.
- Alert filter - Based on the decision criteria and the detected intrusive activities, estimates their severity and alerts the operator or manages response activities (usually blocking, for an IPS).
Figure 1 shows how these components interact with each other in an IDS [7].
Figure 1: Components of an IDS/IPS
Attack Detection Methods
Attack detection can be performed using different methodologies. The following are some generic vulnerability assessment methodologies:
Signature detection (or Misuse Detection)
Signature detection involves matching intrusive behaviour of malicious users/code, or searching network traffic for a series of bytes or packet sequences known to be malicious.
A key advantage of this detection method is that signatures are easy to develop and understand. Signature detection relies on pattern matching, which can be performed very quickly on modern systems, so the amount of processing power needed to perform these checks is minimal for a confined rule set.
Signature engines also have their disadvantages. While signatures work well against attacks with a fixed behavioural pattern, they do not work well against the multitude of attack patterns created by a human or a worm with self-modifying behavioural characteristics. Because they only detect known attacks, a signature must be created for every attack, and novel attacks cannot be detected.
Since a new signature must be created for each new intrusion, and as the rule set grows, the engine performance inevitably slows down. This is the very reason that most intrusion-detection appliances reside on hardware that runs from two to as many as eight processors with multiple Gigabit network cards.
Detection is further complicated by advancing exploit technology that permits malicious users to conceal their attacks behind payload encoders and encrypted data channels.
Signature engines are also prone to false positives, since they are commonly based on regular expressions and string matching [10].
Anomaly detection
Anomaly detection operates by building a model of "normal" system behaviour. Normal system behaviour is determined by observing the standard operation of the system or network. Anomaly detection then takes the normal observation model and uses statistical variance, or data mining techniques with artificial intelligence, to determine if the system or network environment is behaving normally or abnormally.
The assumption in anomaly detection is that an intrusion can be detected by observing a deviation from the normal or expected behaviour of the system or network [11].
A drawback of anomaly detection is that malicious activity that falls within normal usage patterns is not detected. An activity such as directory traversal on a targeted vulnerable server, which complies with the network protocol, easily goes unnoticed since it does not trigger any out-of-protocol, payload or bandwidth limitation flags.
However, anomaly detection has an advantage over signature-based engines in that a new attack for which a signature does not exist can be detected if it falls outside the normal traffic patterns [10].
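The complementary strengths and blind spots described in the two sections above can be seen side by side in a small added example (not code from the original handout): a signature engine with two constructed rules and a one-feature anomaly detector trained on a constructed baseline of request lines. The in-protocol traversal request has a normal length, so only the signature engine sees it; the oversized request has no signature, so only the anomaly engine sees it. The rule names, request lines and threshold are all assumptions chosen for the illustration.

```python
import re
import statistics

# Signature (misuse) rules: a name mapped to a regular expression over the
# request line. Real rule sets are far larger; these two are constructed.
SIGNATURES = {
    "dir-traversal": re.compile(r"(\.\./|%2e%2e%2f)", re.IGNORECASE),
    "null-byte": re.compile(r"%00"),
}

# Constructed baseline of ordinary request lines used to learn "normal".
NORMAL_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /about.html HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /css/site.css HTTP/1.1",
    "GET /js/app.js HTTP/1.1",
    "POST /login HTTP/1.1",
    "GET /products?id=42 HTTP/1.1",
    "GET /products?id=7 HTTP/1.1",
    "GET /contact.html HTTP/1.1",
    "GET /favicon.ico HTTP/1.1",
]


def signature_detect(request):
    """Misuse detection: return the names of all rules the request matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request)]


class SizeAnomalyDetector:
    """Anomaly detection on a single feature, the request-line length.

    The baseline is the mean and standard deviation of the lengths seen in
    training; a request is anomalous when its z-score exceeds the threshold.
    """

    def __init__(self, z_threshold=3.0):
        self.z_threshold = z_threshold
        self.mean = 0.0
        self.stdev = 1.0

    def train(self, normal_requests):
        sizes = [len(r) for r in normal_requests]
        self.mean = statistics.mean(sizes)
        # Guard against a zero deviation (all training requests the same size).
        self.stdev = statistics.pstdev(sizes) or 1.0

    def z_score(self, request):
        return (len(request) - self.mean) / self.stdev

    def is_anomalous(self, request):
        return abs(self.z_score(request)) > self.z_threshold


def classify(request, detector):
    """Run both engines on one request and report what each of them sees."""
    return {
        "signatures": signature_detect(request),
        "anomalous": detector.is_anomalous(request),
    }


if __name__ == "__main__":
    det = SizeAnomalyDetector()
    det.train(NORMAL_REQUESTS)
    # Protocol-compliant traversal of normal size: only the signature fires.
    traversal = "GET /../etc/passwd HTTP/1.1"
    # Oversized parameter with no signature: only the anomaly engine fires.
    novel = "GET /search?q=" + "A" * 200 + " HTTP/1.1"
    for req in (NORMAL_REQUESTS[0], traversal, novel):
        print(req[:40], classify(req, det))
```

A production deployment would model many features (per-protocol byte distributions, rates, session lengths) rather than one, but the division of labour is the same: signatures catch what is known and looks normal, anomaly detection catches what is unknown and looks different.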
Target Monitoring
These systems do not actively search for anomalies or signatures, but instead look for the modification of specified files. This is more of a corrective control, designed to uncover an unauthorized action after it occurs in order to reverse it. One way to check for the hidden editing of files is to compute a cryptographic hash beforehand and compare it to new hashes of the file at regular intervals. This type of system is the easiest to implement, because it does not require constant monitoring by the administrator. Integrity checksum hashes can be computed at whatever intervals you wish, and on either all files or just the mission/system critical files [8].
Stealth Probes
This technique attempts to detect any attackers that choose to carry out their mission over prolonged periods of time. Attackers, for example, will check for system vulnerabilities and open ports over a two-month period, and wait another two months to actually launch the attacks. Stealth probes collect a wide variety of data throughout the system, checking for any methodical attacks over a long period of time. They take a wide-area sampling and attempt to discover any correlating attacks. In effect, this method combines anomaly detection and misuse detection in an attempt to uncover suspicious activity [8].
Denial of Service (DoS) Detection
DoS detection compares current traffic behaviour with acceptable normal behaviour to detect DoS attacks, where normal traffic is characterized by a set of pre-programmed thresholds. This can lead to false alarms, or to attacks being missed because the attack traffic is below the configured threshold [17].
The following is a list of key technologies used for attack detection, which provide a stream of data that is then analyzed by the above mentioned methods:
Stateless IDS / IPS
Most of the IPS currently available are stateless. They typically utilize a network adapter configured in promiscuous mode to monitor and analyze all traffic in real time as it travels across the network. The traffic is analyzed on a packet-by-packet basis. Each packet is compared against a database of known patterns for a match. The disadvantage of such an approach is that it fails to detect some attack patterns which are spread across a number of packets, each of which, when examined individually, may be harmless [13].
Stateful IDS / IPS
A stateful IDS can be defined as a packet filtering and analysis mechanism which makes decisions on whether the security of a network is breached by analyzing information contained in the current packet AND information from previous packets. In addition to detecting those attacks which a stateless IDS can detect, this system can also detect those attacks which are launched from more than one host, and those attacks in which more than one packet is used in the attack [13].
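The difference between the two approaches shows up concretely when a single pattern is split across TCP segments. The following added example (not from the original handout) feeds three constructed packets to a stateless per-packet matcher and to a stateful matcher that reassembles each flow in sequence order before searching; the second segment of the suspicious flow arrives before the first, which the stateful engine must tolerate. Addresses, the flow key, the segment numbering and the pattern are all assumptions for the illustration.

```python
from collections import defaultdict

# Constructed packets: one benign request and one request split across two
# segments, with the second segment arriving before the first. "seq" is the
# segment index within its flow.
PACKETS = [
    {"id": 1, "flow": ("10.0.0.5", "10.0.0.80"), "seq": 0,
     "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
    {"id": 2, "flow": ("10.0.0.9", "10.0.0.80"), "seq": 1,
     "payload": b"/passwd HTTP/1.0\r\n\r\n"},
    {"id": 3, "flow": ("10.0.0.9", "10.0.0.80"), "seq": 0,
     "payload": b"GET /../../etc"},
]

PATTERN = b"/etc/passwd"


def stateless_detect(packets, pattern):
    """Packet-by-packet matching: each payload is searched on its own."""
    return [p["id"] for p in packets if pattern in p["payload"]]


class StatefulDetector:
    """Reassembles each flow's segments in order and searches the byte stream."""

    def __init__(self, pattern, max_buffer=4096):
        self.pattern = pattern
        self.max_buffer = max_buffer          # bound the memory kept per flow
        self.segments = defaultdict(dict)     # flow -> {seq: payload}
        self.alerted = set()                  # flows already reported once

    def feed(self, packet):
        """Store one segment; return the flow key if the pattern is now visible."""
        flow = packet["flow"]
        segs = self.segments[flow]
        segs[packet["seq"]] = packet["payload"]
        # Reassemble only the contiguous prefix (seq 0, 1, 2, ...). A gap means
        # a segment is still missing, so later bytes are not known to be
        # adjacent and must not be searched across.
        stream = b""
        seq = 0
        while seq in segs:
            stream += segs[seq]
            seq += 1
        if len(stream) > self.max_buffer:
            stream = stream[-self.max_buffer:]
        if self.pattern in stream and flow not in self.alerted:
            self.alerted.add(flow)
            return flow
        return None


def stateful_detect(packets, pattern):
    """Feed packets in arrival order and collect the flows that alert."""
    det = StatefulDetector(pattern)
    alerts = []
    for pkt in packets:
        hit = det.feed(pkt)
        if hit is not None:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    print("stateless alerts:", stateless_detect(PACKETS, PATTERN))
    print("stateful alerts:", stateful_detect(PACKETS, PATTERN))
```

The per-flow buffer bound is the price of statefulness: an engine that keeps unbounded state per flow can itself be exhausted by many half-open connections, which is why real implementations also age out idle flows.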
Deep Packet Inspection
Deep Packet Inspection is a term used to describe the capability of an Intrusion Detection System to look within the application payload of a packet or traffic stream and make decisions on the significance of that data, based on its content. The engine that drives deep packet inspection typically includes a combination of signature-matching technology along with anomaly analysis in order to determine the impact of that communication stream [14]. Figure 3 illustrates the message and the accumulation of headers for deep packet inspection.
Analysis of packet headers can be done economically, since the locations of packet header fields are restricted by protocol standards. However, the payload contents are, for the most part, unconstrained. Therefore, searching through the payload for multiple string patterns within the data stream is a computationally expensive task. The requirement that these searches be performed at wire speed adds to the cost. Additionally, because the signature database is dynamic, it must be easily updateable.
Promising approaches to these problems include a software-based approach (Snort implementing the Boyer-Moore algorithm), and a hardware-based approach (FPGAs running a Bloom filter algorithm).
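The hardware approach mentioned above is easy to misunderstand: a Bloom filter never reports a match by itself, it only rules out windows of the payload that cannot start any signature, and every window it passes must still be verified exactly because the filter can give false positives. The added example below (not from the original handout, and not Snort's or any FPGA vendor's code) builds a Bloom filter over fixed-width signature prefixes, scans a constructed payload with it, verifies candidate windows against the full patterns, and includes the textbook false-positive estimate for sizing the filter. The window width, filter size, hash count and signatures are assumptions.

```python
import hashlib
import math

WINDOW = 8   # fixed-width byte window, as a hardware matcher would use


class BloomFilter:
    """Fixed-size bit array with k hash positions per inserted item."""

    def __init__(self, m_bits, k_hashes):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        # Derive the k positions from one SHA-256 digest by double hashing
        # (h1 + i*h2 mod m); h2 is forced odd so the positions spread out.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item):
        """False means definitely absent; True means possibly present."""
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(item))


def false_positive_rate(n_items, m_bits, k_hashes):
    """Standard estimate (1 - e^(-kn/m))^k of a Bloom filter's false-positive rate."""
    return (1 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes


class PayloadScanner:
    """Bloom-filter prefilter over WINDOW-byte prefixes, then exact verification."""

    def __init__(self, patterns, m_bits=1024, k_hashes=3):
        # A pattern shorter than the window cannot be indexed by a fixed-width
        # window; reject it loudly rather than silently never matching it.
        for p in patterns:
            if len(p) < WINDOW:
                raise ValueError("pattern shorter than window: %r" % p)
        self.patterns = list(patterns)
        self.bloom = BloomFilter(m_bits, k_hashes)
        for p in self.patterns:
            self.bloom.add(p[:WINDOW])

    def scan(self, payload):
        """Return (offset, pattern) for every exact pattern occurrence."""
        hits = []
        for i in range(len(payload) - WINDOW + 1):
            if not self.bloom.might_contain(payload[i:i + WINDOW]):
                continue                  # cheap reject: no signature starts here
            # Candidate window: confirm against the full patterns, so that a
            # Bloom false positive never turns into an alert.
            for p in self.patterns:
                if payload.startswith(p, i):
                    hits.append((i, p))
        return hits


# Constructed signatures (a real rule set is far larger).
SIGNATURES = [b"/etc/passwd", b"/etc/shadow", b"<script>alert("]

if __name__ == "__main__":
    scanner = PayloadScanner(SIGNATURES)
    print(scanner.scan(b"GET /../../etc/passwd HTTP/1.0"))
    print(scanner.scan(b"GET /index.html HTTP/1.0"))
    print("estimated false-positive rate:",
          false_positive_rate(len(SIGNATURES), 1024, 3))
```

The verification step is what makes the filter safe to use at wire speed: the expensive exact comparison runs only on the tiny fraction of windows the filter lets through, and the estimate function tells you how large that fraction will be for a given rule count and bit budget.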
DPI technology can be effective against buffer overflow attacks, denial of service (DoS) attacks, sophisticated intrusions, and the small percentage of worms that fit within a single packet. However, the complexity and immaturity of these systems have resulted in a number of recent exploits [16].
Differentiation between IDS and IPS
An Intrusion Detection System (IDS) device is passive, watching packets of data traverse the network from a monitoring port, comparing the traffic to configured rules, and setting off an alarm if it detects anything suspicious.
An Intrusion Prevention System (IPS) has all the features of a good IDS, but can also stop malicious traffic from invading the enterprise. Unlike an IDS, an IPS sits in line with the traffic flows on a network, actively shutting down attempted attacks as they're sent over the wire. It can stop the attack by terminating the network connection or user session originating the attack, by blocking access to the target from the user account, IP address, or other attribute associated with that attacker, or by blocking all access to the targeted host, service, or application.
In addition, an IPS can respond to a detected threat in two other ways. It can reconfigure other security controls, such as a firewall or router, to block an attack. Some IPS devices can even apply patches if the host has particular vulnerabilities. In addition, some IPS can remove the malicious contents of an attack to mitigate the packets, perhaps deleting an infected attachment from an email before forwarding the email to the user.
Intrusion detection systems are typically of two types: host-based intrusion detection systems / intrusion prevention (HIDS / HIPS) and network-based intrusion detection systems / intrusion prevention (NIDS / NIPS).
Figure 3: The Message and the Accumulation of Headers for Deep Packet Inspection
Host-based intrusion detection and prevention systems (HIDS / HIPS)
Host-based IDS are generally considered passive components, but in some cases they also include intrusion prevention methodologies. Pieter et al. recognize four different methods of host-based intrusion detection [6]:
- File system monitors - Systems checking the integrity of files and directories.
- Log file analyzers - Systems analyzing log files for patterns indicating suspicious activity.
- Connection analyzers - Systems that monitor connection attempts to and from a host.
- Kernel based IDSs - Systems that detect malicious activity at the kernel level.
Implementations of intrusion detection systems generally use one of these four methods to detect intrusions.
File System Monitors
File system monitor HIDS help detect a break-in on a system after it has occurred. Such monitors can check files on a large number of different characteristics. The list below shows some types of variability assessment performed by this type of HIDS, which can be generally categorized into signature detection and target monitoring.
- Permissions - Changes in the permissions of a file or directory are detected.
- Owner/group - If the owner or group of a file or directory is changed, this is detected.
- Size - If a file grows or shrinks in size, this is reported.
- Directory size - Adding or deleting files in a directory is detected.
- Mtime, atime & ctime - Both file system monitors check for changes in the mtime (last modification time), atime (last access time), and ctime (last time the owner, permissions, etc. were changed) of a file or directory.
- Checksums - The integrity of a file or directory can be checked using a cryptographic hash. This type of checking is based on the fact that it is very difficult (to near impossible) to change a file's contents without affecting the unique hash of the file. The most commonly used algorithms are MD5 (the de-facto standard) and SHA-1 (NIST standard).
- Type - If, for example, a file is replaced with a directory or device of the same name, this is detected.
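The hash-comparison scheme from the Target Monitoring section and the attribute checks listed just above are the same mechanism with a wider set of recorded attributes, so one added example (not code from the original handout or from the tools it cites) serves both: it takes a baseline snapshot of permissions, owner, size, mtime, ctime, type, directory entry count and SHA-256 hash, then re-checks and reports which attributes changed per path. The file tree it tampers with is constructed in a temporary directory; the file names and contents are assumptions. SHA-256 is used rather than the MD5 or SHA-1 the text names, since collisions for both of those are practical today.

```python
import hashlib
import os
import stat
import tempfile

HASH_CHUNK = 65536


def sha256_of(path):
    """Hash a regular file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(HASH_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(path):
    """Record the attributes the text lists for one path. atime is deliberately
    left out: reading the file to hash it would itself update atime."""
    st = os.lstat(path)
    fp = {
        "type": stat.S_IFMT(st.st_mode),    # regular file, directory, device, ...
        "mode": stat.S_IMODE(st.st_mode),   # permission bits
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": st.st_mtime_ns,
        "ctime": st.st_ctime_ns,
    }
    if stat.S_ISREG(st.st_mode):
        fp["sha256"] = sha256_of(path)
    elif stat.S_ISDIR(st.st_mode):
        fp["entries"] = len(os.listdir(path))   # the text's "directory size"
    return fp


def snapshot(paths):
    """Baseline: path -> fingerprint. Keep it where the monitored host cannot alter it."""
    return {p: fingerprint(p) for p in paths}


def compare(baseline, paths):
    """Re-fingerprint the paths and report the changed attribute names per path."""
    report = {}
    for p in paths:
        if p not in baseline:
            report[p] = ["added"]
            continue
        try:
            now = fingerprint(p)
        except FileNotFoundError:
            report[p] = ["missing"]
            continue
        changed = sorted(k for k in set(baseline[p]) | set(now)
                         if baseline[p].get(k) != now.get(k))
        if changed:
            report[p] = changed
    return report


def demo():
    """Build a small constructed file tree, tamper with it, and return the
    change report keyed by a readable name."""
    with tempfile.TemporaryDirectory() as root:
        a = os.path.join(root, "a.conf")
        b = os.path.join(root, "b.conf")
        names = {root: "root", a: "a.conf", b: "b.conf"}
        with open(a, "w") as f:
            f.write("port = 8080\n")
        with open(b, "w") as f:
            f.write("debug = no\n")
        os.chmod(b, 0o644)
        baseline = snapshot(names)          # dict keys are the monitored paths
        # Same-size content change: size alone cannot see it, the hash can.
        with open(a, "w") as f:
            f.write("port = 8081\n")
        os.chmod(b, 0o600)                  # permission change only
        with open(os.path.join(root, "c.conf"), "w") as f:
            f.write("new\n")                # one more directory entry
        report = compare(baseline, names)
    return {names[p]: attrs for p, attrs in report.items()}


if __name__ == "__main__":
    for name, attrs in demo().items():
        print(name, "changed:", ", ".join(attrs))
```

Two practical caveats the code reflects: the baseline is only worth as much as its storage (an attacker who can rewrite the files can usually rewrite a baseline kept beside them), and timestamps are weaker evidence than the hash, since they can be set back with ordinary tools while the hash cannot.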
File system monitor HIDS have a number of disadvantages. Because file systems tend to be very dynamic in nature, it is hard to create a configuration that catches all intrusions while not producing many false positives.
Something as minor as installing a new application can create a huge number of alarms on an IDS of this type. Another disadvantage is that this type of IDS generally doesn't work in real time. It is therefore possible for an attacker to cover up his tracks before being detected [6].
Log file analyzers
Log files can be analyzed in order to determine if any intrusions have taken place. Log file analyzers are tools that perform:
- Pattern matching - Applying (extended) regular expressions to log files based on prior knowledge.
- Pattern matching with correlation between events - Considering a large number of events and pinpointing the few events that are really important, based also on timing information. Since data in textual form is matched by pattern matching log file analyzers, attackers can use all kinds of encoding techniques to avoid matching the rules defined. Pattern matching log file analyzers are useful for matching strings in a more static context. However, maintenance increases if they are used to detect new exploits as they are released.
- Anomaly detection - After learning what normal log lines should look like, anomaly detection systems can detect anomalous log lines and report on them. The above problem of encoding does not occur with anomaly detection based log file analyzers, since they do not depend on prior knowledge.
The problem with log file analyzers is that they depend on events being logged to log files. If an attacker manages to prevent logging of malicious activities, then log file analyzers will not be successful [6].
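The first two analyzer types above, and the encoding problem the text raises, can be shown together on a handful of constructed syslog-style lines (added example, not from the original handout or from any particular log-analysis tool): a parser, a rule set applied to normalized message text so that a double-percent-encoded `../` still matches the plain rule, and a sliding-window correlation that flags a source only after repeated failed logins. Host names, addresses (documentation ranges), timestamps, rule names, window and threshold are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote

# Constructed syslog-style lines; the addresses are documentation-range values.
LOG_LINES = [
    "Mar 10 12:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2",
    "Mar 10 12:00:03 web01 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 50123 ssh2",
    "Mar 10 12:00:05 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 50124 ssh2",
    "Mar 10 12:00:06 web01 sshd[2206]: Failed password for alice from 198.51.100.4 port 41000 ssh2",
    "Mar 10 12:00:08 web01 sshd[2208]: Failed password for root from 203.0.113.7 port 50125 ssh2",
    "Mar 10 12:00:10 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 50126 ssh2",
    'Mar 10 12:00:12 web01 httpd: 203.0.113.7 "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404',
    "Mar 10 12:00:15 web01 sshd[2215]: Accepted publickey for alice from 198.51.100.4 port 41001 ssh2",
]

SYSLOG_RX = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Pattern-matching rules, applied to the *normalized* message text.
RULES = {
    "ssh-failed-login": re.compile(r"Failed password for .* from (?P<src>\d+\.\d+\.\d+\.\d+)"),
    "dir-traversal": re.compile(r"\.\./"),
}


def normalize(text, max_rounds=3):
    """Undo percent-encoding until the text stops changing (bounded), so that a
    single- or double-encoded '../' is matched by the same plain rule."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def parse(line):
    """Split one syslog line into time, host and normalized message."""
    m = SYSLOG_RX.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")   # year-less stamp
    return {"time": ts, "host": m.group("host"), "msg": normalize(m.group("msg"))}


def match_rules(event):
    """Return (rule name, source) pairs; source is None when the rule captures none."""
    hits = []
    for name, rx in RULES.items():
        m = rx.search(event["msg"])
        if m:
            hits.append((name, m.groupdict().get("src")))
    return hits


def correlate_failed_logins(events, window_seconds=30, threshold=4):
    """Event correlation: flag a source once it produces `threshold` failed
    logins inside any sliding window of `window_seconds`."""
    recent = defaultdict(deque)
    flagged = []
    for ev in events:
        for rule, src in match_rules(ev):
            if rule != "ssh-failed-login":
                continue
            q = recent[src]
            q.append(ev["time"])
            while (ev["time"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.append(src)
    return flagged


def analyze(lines):
    """Per-line rule hits plus the correlated sources, in one pass."""
    events = [e for e in (parse(l) for l in lines) if e]
    per_line_hits = [[rule for rule, _ in match_rules(e)] for e in events]
    return per_line_hits, correlate_failed_logins(events)


if __name__ == "__main__":
    hits, flagged = analyze(LOG_LINES)
    for line, h in zip(LOG_LINES, hits):
        print(h, line[:60])
    print("correlated sources:", flagged)
```

Normalizing before matching closes the specific evasion the text describes, but only for encodings the normalizer knows; that is exactly why the text notes that anomaly-based log analysis, which needs no prior knowledge of the encoding, complements this approach.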
Connection analysis
Connection analysis HIDS implementations detect incoming network connections only to the host they run on. Connection analyzers do not monitor connections to other hosts, which is the key feature of network based intrusion detection systems.
Connection analyzers typically scan for the following violations:
- Unauthorized TCP and UDP connections - Detect unauthorized connections on both TCP and UDP ports.
- Port scan detection - Detect scanning of open ports on a host, by a malicious user or an automated tool.
Apart from the passive detection behaviours, some connection analyzers are also capable of taking evasive action against the above listed intrusions, which characterizes intrusion prevention system (IPS) behaviour.
Some other prevention measures implemented with connection analyzers are:
- Host blocking - allows for active blocking of an offending host
- Banner display - display an informational banner to the offender, instead of blocking them
Connection analyzers have their fair share of weak points also. They are typically poor at detecting attacks which use:
- Unsupported protocols
- A large pool of attacker IPs
- Slow port scans by the attacker
These weak points depend on the connection analyzer implementation; they can be fixed, but that complicates the analyzer implementation [6].
Kernel based IDSs
A kernel based IDS is an addition to or adaptation of a kernel that has the kernel itself detect intrusions. Such IDS are capable of:
- Anomaly detection based on a user's system usage.
- Logging possibly maliciously used system calls.
- Anomaly detection on the order of system calls in processes.
- Anomaly detection on the arguments of system calls in processes.
- Logging changes made to system binaries.
- Logging port scans or probes.
- File and directory protection, preventing alterations even by root.
- Hiding of files and directories.
- Setting capabilities on a per-process basis.
- Protecting processes, blocking signals from possibly unauthorized users.
- Blocking network related tampering, like changing firewall settings.
- Preventing kernel module loading or unloading.
- Preventing raw disk I/O.
Detecting excessive calls from the stack or the data segment of processes will enable the IDS to detect most exploits for today's software.
When installing a new application, or updating an already running one, the kernel based IDS would need to be disabled partially or totally. During that session the administrator can perform administrative duties, like installing applications or configuring the kernel based IDS itself. After updating or installing an application, the kernel based IDS may need to reload its configuration file to protect any newly installed files [6].
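"Anomaly detection on the order of system calls in processes" is the classic sequence-profiling approach: record the short call sequences (n-grams) a program produces during normal operation, then score a new trace by the share of its n-grams that were never seen. The added example below (not from the original handout or from any kernel IDS implementation) trains such a profile on constructed traces of a small network worker and scores a benign variant and a trace in which the worker spawns a new program after reading from the socket; the call names, traces, n-gram length and threshold are assumptions.

```python
from collections import Counter

# Constructed system-call traces of a small network service: each trace is the
# ordered list of calls one worker process made while serving one request.
NORMAL_TRACES = [
    ["accept", "read", "open", "read", "close", "write", "close"],
    ["accept", "read", "open", "read", "read", "close", "write", "close"],
    ["accept", "read", "stat", "open", "read", "close", "write", "close"],
    ["accept", "read", "write", "close"],
]


class SyscallSequenceModel:
    """Profile of normal behaviour as the set of syscall n-grams observed in
    training; a trace is scored by the share of its n-grams never seen before."""

    def __init__(self, n=3):
        self.n = n
        self.known = set()
        self.counts = Counter()

    def _ngrams(self, trace):
        return [tuple(trace[i:i + self.n]) for i in range(len(trace) - self.n + 1)]

    def train(self, traces):
        for trace in traces:
            for g in self._ngrams(trace):
                self.known.add(g)
                self.counts[g] += 1

    def unseen_ngrams(self, trace):
        """The n-grams of the trace that the profile has never seen."""
        return [g for g in self._ngrams(trace) if g not in self.known]

    def score(self, trace):
        """0.0: every n-gram was seen in training; 1.0: none of them were."""
        grams = self._ngrams(trace)
        if not grams:
            return 0.0
        return len(self.unseen_ngrams(trace)) / len(grams)

    def is_anomalous(self, trace, threshold=0.2):
        # The threshold absorbs ordinary variation (a few new n-grams in an
        # otherwise familiar trace) so that every rare path is not an alarm.
        return self.score(trace) > threshold


def demo():
    model = SyscallSequenceModel(n=3)
    model.train(NORMAL_TRACES)
    # Benign variant: one extra read, so exactly one n-gram is new.
    variant = ["accept", "read", "open", "read", "read", "read", "close", "write", "close"]
    # Worker that spawns a program after reading from the socket: nothing in
    # this trace resembles the training data.
    spawn = ["accept", "read", "execve", "dup2", "dup2", "read", "write"]
    return {
        "variant": (model.score(variant), model.is_anomalous(variant)),
        "spawn": (model.score(spawn), model.is_anomalous(spawn)),
    }


if __name__ == "__main__":
    for name, (score, flagged) in demo().items():
        print("%-8s score=%.3f anomalous=%s" % (name, score, flagged))
```

The model's blind spot is the same one the text gives for anomaly detection in general: a trace assembled only from n-grams that occur in normal operation scores 0.0, which is why kernel IDS also check call arguments and the origin of the calling code rather than call order alone.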
Network-based intrusion detection and prevention systems (NIDS / NIPS)
Network-based intrusion detection analyzes data packets that travel over the actual network. These packets are examined to verify their nature. This surveillance of the connections between computers makes network-based IDS great at detecting access attempts from outside the trusted network [8].
By far the most common security measure for network security is a firewall. Though they both relate to network security, NIDS / NIPS differ from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. A NIDS also watches for attacks that originate from inside the network [9].
Network-based intrusion detection systems (NIDS) tend to be more distributed than host-based IDS. Software, or appliance hardware in some cases, resides in one or more systems connected to a network, and is used to analyze data such as network packets.
In general, network-based systems are best at detecting the following activities:
- Unauthorized outsider access: When an unauthorized user logs in successfully, or attempts to log in, they are best tracked with host-based IDS. However, detecting the unauthorized user before their log-on attempt is best accomplished with network-based IDS.
- Bandwidth theft/denial of service: These attacks from outside the network single out network resources for abuse or overload. The packets that initiate/carry these attacks can be noticed with the use of network-based IDS.
Network based systems rely on deploying sensors at strategic locations and inspecting network traffic for possible violations.
For NIDS/NIPS sensor placement, the target network should be analyzed and choke points identified. A choke point is any point in a network where traffic is limited to a small number of connections. An example is usually a company's Internet boundary, where traffic crosses only a router and a firewall. The links between the router and firewall are perfect choke points and good places to consider placing sensors. In the case of VPN networks, care must be taken to inspect the unencrypted side of the VPN tunnel [13].
Adhering to the generic vulnerability criteria identified above, network based systems generally have the following detection methodologies [12]:
- Pattern, expression or bytecode matching (signature matching)
- Frequency or threshold crossing (anomaly and stealth probe detection)
- Correlation of lesser events (stealth probe detection)
- Statistical anomaly detection
Architecture of Network based IDS/IPS
The following diagram depicts the architecture of a network based IDS.
To guarantee precise detection the NIDS must process packets at wire speed. However, with the recent trend towards high-speed networks, the capability of a single NIDS cannot meet the speed demanded [18].
Currently software based NIDS / NIPS systems are roughly capable of achieving 60 Mbps throughput. But a hardware based solution such as the McAfee IntruShield IPS appliances can achieve a rate of 2 Gbps at most [19].
Furthermore, to improve NIDS performance and efficiency, present studies on IDSs for high-speed network monitoring have begun to choose the distributed architecture as an alternative. In such a design, the incoming network traffic is disseminated to a pool of sensors, each of which processes a fraction of the whole traffic, reducing the possibility of packet loss caused by overload [18].
Figure 4: Architecture of Network IDS
Troubleshooting IDS
False Positives and False Negatives
False Positives or False Alarms
The term false positive is a broad and somewhat vague term that describes a situation in which an IDS device triggers an alarm when there is no malicious activity or attack occurring. Other common terms used to describe this condition are "false alarms" and "benign trigger". False alarms can be subdivided into several more meaningful and specific categories. Common categories into which false alarms can be divided include [24]:
- Reactionary Traffic alarms: Traffic that is caused by another network event, often non-malicious. An example of this would be a NIDS device triggering an ICMP flood alarm when it is really several destination unreachable packets caused by equipment failure somewhere in the Internet cloud.
- Equipment-related alarms: Attack alerts that are triggered by odd, unrecognized packets generated by certain network equipment. Load balancers often trigger these types of alarms.
- Protocol Violations: Alerts that are caused by unrecognized network traffic, often caused by poorly or oddly written client software.
- True False Positives: Alarms that are generated by an IDS for no apparent reason. These are often caused by IDS software bugs.
- Non Malicious alarms: Generated through some real occurrence that is non-malicious in nature, possibly like our Code Red web page example above.
Depending on network traffic and the IDS design that is deployed, a normal IDS sensor without any customization may have only 10% of its alarms associated with a true security event. The remaining 90% of noise is not an acceptable percentage. While it may be debatable what can be considered an acceptable percentage of false alarms, with correct tuning (depending on the technology in use) an average real alarm rate of 60% or better is possible under normal conditions. I have seen real alarm rates above 90%, depending on the level of tuning and the type of traffic on a network.
False Negatives
False negative is the term used to describe a network intrusion device's inability to detect true security events under certain circumstances. In other words, malicious activity is not detected and alerted. Fortunately, there are actions that can be taken to reduce the chance of false negative conditions without increasing the number of false positives.
Some causes of false negatives are [24]:
- Network design issues: Network design flaws such as improper port spanning on switches and traffic exceeding the capacity of a switch or hub contribute to these problems. Other problems include multiple entry point networks where the NIDS device cannot see all incoming and outgoing traffic.
- Encrypted traffic design flaws: These problems arise because the IDS is unable to understand encrypted traffic. Placing the NIDS behind VPN termination points and the use of SSL accelerators are good ways to ensure the NIDS understands all traffic.
- Lack of change control: Many times false negative conditions are created by a lack of communication between IS departments, networking, and security staff. Most of the time this is in the form of network or server changes that are not properly communicated to security staff. As a result, security is not able to implement measures to mitigate the risk associated with changes in security posture.
- Improperly written signatures: Although the attack is known and the signature is developed, the signature does not properly catch the attack or mutations of the attack because it has not been written properly.
- Unpublicized attack: The attack is not publicly known, therefore vendors have no knowledge of it and no signature is developed.
- Poor NIDS device management: For a variety of reasons, the NIDS device may not be properly configured. Contributing factors include:
  - Exclusionary rules to reduce false alarms that are too general;
  - The device is under too much load and cannot properly process all data;
  - Alarming is not configured properly; and,
  - The system administrator has a poor understanding of the vulnerabilities and threats associated with spec
ific attacks.
- NIDS design flaw: The NIDS device simply does not catch the attack due to poor design or signature implementation.
The Future of Intrusion Detection and Prevention
The future trend of IDS/IPS systems is to converge IDS/IPS capabilities with other security solutions. These technologies have been unified with each other to form unified threat management.
Unified Threat Management
The ultimate goal of UTM is integration: to provide a comprehensive set of security features in a single product that can be deployed in a single location and managed through a single console. The simplification and consolidation offered by a unified security product can potentially improve security because policies and rules can be developed centrally, often resulting in fewer rule errors that may lead to security oversights. A single security product also reduces security management demands, easing management labour [20].
UTM Features
UTM often incorporates the following features:
- Advanced firewalls with deep packet inspection
- Gateway antivirus, antispyware and antispam
- Intrusion detection/prevention functionalities
Some UTM platforms include additional features such as:
- Web content filtering to block inappropriate or malicious websites
- Virtual private network (VPN) support for secure remote access and secure wireless access for user mobility within the enterprise.
A limited number of UTM platforms add advanced features such as WAN acceleration, rate shaping or even inter-zone security to guard against threats originating within the local network itself. Ultimately, the actual feature set depends on the particular product, so solution providers are challenged to recommend UTM systems with appropriate feature sets. It's important to note that UTM features can be enabled independently, allowing clients to start with certain features like antivirus and then add other features like VPN functionality over time [20].
Figure 5: Unified Threat Management Overview
Types of UTM
Hardware based UTMs: These appliances come with specialized ASIC chip-sets which are tailor made to handle the processing that is required to scan for multiple threats simultaneously. Apart from the hardware, they feature a network security operating system which is highly robust and integrates with all the individual components of the UTM. The individual components themselves are licence based; the components can be selected and purchased individually.
Software based UTMs: The licensing is similar to the hardware based UTMs, but the network security operating system and the individual UTM components (like anti-spam, IPS etc.) are hosted on standard computer servers with a certain minimum configuration based on the number of users and the applications that are run simultaneously.
Distributed UTMs: These do not comprise a single appliance to combat the various network security threats, but multiple hardware boxes from the same vendor, each specialized in its own functionality (like separate boxes for IPS, web filtering etc.), but still having a common management interface which makes them virtually a single appliance that can be controlled on a single platform.
Benefits of UTM
Some of the benefits of UTM are [21, 22]:
- The ability to obtain management leverage by combining multiple functions into a common interface, thereby providing simplicity in operations.
- The ability of a UTM device to consolidate all of the alerts and only notify the administrator once is time saving and cost effective.
- UTM avoids repetition of processes and hence saves time. Common processes (like scanning packets) are done once and used for all the applicable modules.
- A single management interface to create uniform policy across the enterprise and across the different modules.
- Multiple patches, multiple upgrades and hence multiple maintenance contracts for each security module can be avoided using UTMs.
Shortcomings of UTM
Some of the disadvantages of UTM are [22]:
- UTM introduces a single point of failure for all the network security elements, unless a high availability configuration is deployed.
- There is always a possibility of performance constraints, as there are limitations in hardware processing capabilities to handle so many applications/users simultaneously.
- Some UTM devices may not have the granular features supported by stand-alone technologies, and hence those functionalities are either ignored or additional investments in terms of add-ons need to be made.
- There is always a challenge from cloud computing initiatives, and UTMs might have to be deployed in a virtual manner (one UTM divided into several local units, each serving different locations etc.) in the future, which is not possible currently.
Figure 6: Processing Power vs. Time (UTM)
Appendix
Wireless Intrusion Detection
Like their wired counterparts, wireless intrusion detection systems (WIDS) are designed to monitor network traffic. Although product architectures vary, a WIDS typically depends on remote sensors distributed throughout the monitored area. The sensors passively observe wireless activity and report back to a central IDS server, which analyzes the reported activity, generates intrusion alarms and maintains a history database. Results may be presented on the server itself or remotely through some type of IDS client [23].
WIDS Functionality
• Prevention capabilities to temporarily or permanently inhibit a wireless attacker's ability to communicate with your WLAN or any adjacent wired network. Temporary wireless blocking can discourage an attacker, just as an alarm siren can scare away a burglar. Persistent blocking can give you time to find and eliminate a rogue without continuing to jeopardize your network during the investigation.
• Configurable device lists to differentiate between authorized ME (mobile equipment), neighbouring ME, and everything else. Such lists require ongoing maintenance: in densely populated urban areas, investigating every new device is at best labour-intensive and at worst impossible. Many WLAN owners therefore prefer to be alerted only when an unknown device has actually penetrated their network, and then take wired-side steps to neutralize that threat.
• The ability to inspect IP payloads and analyze traffic streams and behaviour over time, to determine whether a station or AP is communicating with an upstream network. As in the wired world, payload encryption makes this harder.
• Location detection to some degree. One method is to search manually around the sensor receiving the strongest signal from the transmitter. Another is triangulation: comparing the signal received by three or more sensors to pinpoint a transmitter's probable location. A third is RF fingerprinting: modelling RF characteristics within a coverage area and comparing them against received signal strength to predict the transmitter's location.
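The "three or more sensors" method above, worked through as an added example (not code from the handout or from any WIDS product). It assumes a log-distance path-loss model with a made-up 1 m reference of -40 dBm and a path-loss exponent of 2.5, and sensor coordinates in metres on a flat floor; each sensor's RSSI is turned into a range, the range circles are subtracted pairwise to make the problem linear, and a least-squares fit gives the transmitter's position. The second run perturbs one sensor by 3 dB to show how coarse RSSI ranging is.

```python
"""Estimate a transmitter's position from the RSSI that several WIDS
sensors report (the "triangulation" method above, strictly trilateration).

Added example, not code from the handout or any WIDS product. Assumptions:
a log-distance path-loss model with a made-up 1 m reference of -40 dBm and
path-loss exponent 2.5, and sensor coordinates in metres on a flat floor.
"""
import math

# Constructed sensor placement (x, y) in metres.
SENSORS = {
    "sensor-A": (0.0, 0.0),
    "sensor-B": (20.0, 0.0),
    "sensor-C": (0.0, 15.0),
    "sensor-D": (20.0, 15.0),
}
RSSI_AT_1M = -40.0  # assumed received power at 1 m, dBm
PATH_LOSS_N = 2.5   # assumed indoor path-loss exponent


def distance_to_rssi(d, rssi_1m=RSSI_AT_1M, n=PATH_LOSS_N):
    """Log-distance path-loss model: RSSI(d) = RSSI(1 m) - 10 n log10(d)."""
    return rssi_1m - 10.0 * n * math.log10(d)


def rssi_to_distance(rssi_dbm, rssi_1m=RSSI_AT_1M, n=PATH_LOSS_N):
    """Invert the model to get an estimated range in metres."""
    return 10.0 ** ((rssi_1m - rssi_dbm) / (10.0 * n))


def trilaterate(observations):
    """observations: {sensor_name: rssi_dbm} for three or more sensors.

    Each range circle (x - xi)^2 + (y - yi)^2 = di^2 is subtracted from the
    first sensor's circle, which removes the squared unknowns and leaves one
    linear equation per extra sensor; these are solved by least squares, so
    more than three sensors just over-determine (and smooth) the fix.
    """
    if len(observations) < 3:
        raise ValueError("need at least three sensors for a 2-D fix")
    names = list(observations)
    (x0, y0), d0 = SENSORS[names[0]], rssi_to_distance(observations[names[0]])
    rows, rhs = [], []
    for name in names[1:]:
        (xi, yi), di = SENSORS[name], rssi_to_distance(observations[name])
        rows.append((2.0 * (xi - x0), 2.0 * (yi - y0)))
        rhs.append(d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2)
    # Normal equations (A^T A) v = A^T b, solved directly for the 2x2 case.
    saa = sum(a * a for a, _ in rows)
    sab = sum(a * b for a, b in rows)
    sbb = sum(b * b for _, b in rows)
    sar = sum(a * r for (a, _), r in zip(rows, rhs))
    sbr = sum(b * r for (_, b), r in zip(rows, rhs))
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; position is ambiguous")
    x = (sbb * sar - sab * sbr) / det
    y = (saa * sbr - sab * sar) / det
    return x, y


def simulate_observations(tx_xy, offsets_db=None):
    """Constructed RSSI readings for a transmitter at tx_xy, plus optional
    per-sensor dB offsets standing in for multipath or body shadowing."""
    obs = {}
    for name, (sx, sy) in SENSORS.items():
        d = math.hypot(tx_xy[0] - sx, tx_xy[1] - sy)
        obs[name] = distance_to_rssi(d) + (offsets_db or {}).get(name, 0.0)
    return obs


if __name__ == "__main__":
    truth = (8.0, 6.0)
    print("clean fix:", trilaterate(simulate_observations(truth)))
    # One sensor reading 3 dB too strong moves the fix by about a metre,
    # which is why the text pairs RSSI methods with walking the floor.
    print("noisy fix:", trilaterate(simulate_observations(truth, {"sensor-D": 3.0})))
```

The reference RSSI and exponent have to be calibrated per site (a rough indoor value lies between 2 and 4); with the wrong exponent every range is scaled, and the least-squares fit will still return a confident-looking point that is metres off, so treat the output as a search area, not a seat number.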
Attacks on systems are carried out in four phases:
Planning phase
The attacker often uses the system in its intended manner before attacking it. Public availability of legitimate access helps the attacker define the scope and goals of the attack. After the initial preparation is complete, the attacker settles on the scope of the attack. Example: the attacker may sign up for an account on an online e-commerce system or log on to a public server.
Reconnaissance phase
The attacker next gathers information about, or performs reconnaissance on, the targeted network. The attacker carries out a variety of inquiries (port scanning etc.) with the goal of pinpointing a specific method of attack, narrowing the field of thousands of possible exploits down to a small number of vulnerabilities specific to the targeted host or network. The attacker tries to make this reconnaissance as hard to notice as possible. Even so, there are many different means of reconnaissance, and some of them can be detected by an intrusion detection system.
Attack phase
The intruder carries out the attack. The types of attacks are discussed in the next section.
Post-attack phase
After an attacker has successfully penetrated a host on the targeted network, the attacker carries out his or her plan and makes use of information resources as he or she sees fit. Possible post-attack activities are:
• Covering tracks
• Penetrating deeper into the network infrastructure
• Using the host to attack other networks
• Gathering, manipulating or destroying data
• Handing the host over to a friend or a hacker group
• Walking or running away without doing anything
Figure 7: Phases of Attacks
Types of Attacks
Denial of service (DoS)
A DoS attack is any attack that disrupts the function of a system so that legitimate users can no longer access it. It can be specific to a service (e.g. an FTP attack) or affect an entire machine. DoS attacks commonly use spoofed source IP addresses, because the attack succeeds even if the response is misdirected: the attacker needs no response and, in cases like the Smurf attack, wants the responses to go elsewhere (at the victim, not back to the attacker). This makes DoS attacks difficult to defend against, and harder still to trace to their true source.
• Resource depletion DoS attacks: These work by flooding a service with so much otherwise normal traffic that legitimate users cannot reach it. An attacker inundating a service can exhaust finite resources such as bandwidth, memory and processor cycles. Examples: SYN flood, Smurf, etc.
• Malicious packet DoS attacks: These work by sending abnormal traffic to a host to crash the service or the host itself. They succeed when software is not properly coded to handle abnormal or unusual input, which makes it react unexpectedly and crash. Attackers can use these attacks to bring down even an IDS. Examples: Microsoft FTP DoS, Snort ICMP DoS, etc.
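Two of the behaviours described above, the port scanning of the reconnaissance phase and the SYN flood listed under resource-depletion DoS, can be picked out of a packet stream with very little state. The following is an added example (not code from the handout or from any IDS); the record format, the thresholds and the sample traffic are all constructed. The port-scan check keys on (source, destination) and counts distinct destination ports inside a sliding window; the SYN-flood check keys on (destination, port) and looks for many SYNs that are never completed by the client's ACK, which is exactly what spoofed sources produce because the SYN-ACK goes to an address that never asked for it.

```python
"""Two NIDS checks over one stream of TCP packet records: a port sweep (the
reconnaissance phase above) and a SYN flood (the resource-depletion DoS above).

Added example, not code from the handout or any IDS. The record format, the
thresholds and the sample traffic are all constructed for illustration.
"""
import re
from collections import defaultdict, deque

# Record format (constructed): "<seconds> <src>:<sport> -> <dst>:<dport> <flags>"
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[SAFRP]+)$")


def parse(text):
    """Turn the text log into a list of packet dicts; lines must be time-ordered."""
    pkts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable record: " + line)
        g = m.groupdict()
        pkts.append({"ts": float(g["ts"]), "src": g["src"], "sport": int(g["sport"]),
                     "dst": g["dst"], "dport": int(g["dport"]), "flags": g["flags"]})
    return pkts


def detect_port_scan(pkts, window=10.0, min_ports=15):
    """One source sending SYNs to >= min_ports distinct ports of one host
    within `window` seconds. Horizontal scans (one port, many hosts) would
    need the mirror-image key (src, dport)."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, dport) inside the window
    alerts = {}
    for p in pkts:
        if p["flags"] != "S":
            continue
        key = (p["src"], p["dst"])
        q = recent[key]
        q.append((p["ts"], p["dport"]))
        while q and q[0][0] < p["ts"] - window:
            q.popleft()
        ports = {dport for _, dport in q}
        if len(ports) >= min_ports:
            # One alert per (src, dst), updated as the sweep keeps going.
            alerts[key] = {"type": "port_scan", "src": p["src"], "dst": p["dst"],
                           "distinct_ports": len(ports), "last_seen": p["ts"]}
    return list(alerts.values())


def detect_syn_flood(pkts, min_syns=100, max_completed_ratio=0.2):
    """Many SYNs to one dst:port with almost none completed by a client ACK.
    Spoofed sources never receive the SYN-ACK, so they never send that ACK;
    the distinct-source count shows how spread out the (spoofed) senders are."""
    syns = defaultdict(list)  # (dst, dport) -> [(ts, src, sport)]
    acked = set()             # (src, sport, dst, dport) whose third-packet ACK was seen
    for p in pkts:
        if p["flags"] == "S":
            syns[(p["dst"], p["dport"])].append((p["ts"], p["src"], p["sport"]))
        elif p["flags"] == "A":
            acked.add((p["src"], p["sport"], p["dst"], p["dport"]))
    alerts = []
    for (dst, dport), lst in syns.items():
        if len(lst) < min_syns:
            continue
        completed = sum((src, sport, dst, dport) in acked for _, src, sport in lst)
        ratio = completed / len(lst)
        if ratio <= max_completed_ratio:
            alerts.append({"type": "syn_flood", "target": f"{dst}:{dport}", "syns": len(lst),
                           "distinct_sources": len({src for _, src, _ in lst}),
                           "completed_ratio": round(ratio, 3),
                           "seconds": round(lst[-1][0] - lst[0][0], 3)})
    return alerts


def build_sample():
    """Constructed traffic: normal sessions, then a port sweep, then a SYN flood."""
    lines = []
    for i in range(3):  # three complete handshakes from a legitimate client
        t, sp = 1000.0 + i, 50000 + i
        lines += [f"{t:.3f} 10.0.0.5:{sp} -> 192.0.2.10:443 S",
                  f"{t + 0.01:.3f} 192.0.2.10:443 -> 10.0.0.5:{sp} SA",
                  f"{t + 0.02:.3f} 10.0.0.5:{sp} -> 192.0.2.10:443 A"]
    for i, port in enumerate(range(20, 45)):  # 25 ports probed in two seconds
        t = 1010.0 + i * 0.08
        lines += [f"{t:.3f} 10.0.0.99:{40000 + i} -> 192.0.2.10:{port} S",
                  f"{t + 0.005:.3f} 192.0.2.10:{port} -> 10.0.0.99:{40000 + i} R"]
    for i in range(200):  # 200 SYNs from spoofed sources in one second, never completed
        t, spoofed = 1020.0 + i * 0.005, f"198.51.100.{i + 1}"
        lines += [f"{t:.3f} {spoofed}:{1024 + i} -> 192.0.2.10:80 S",
                  f"{t + 0.001:.3f} 192.0.2.10:80 -> {spoofed}:{1024 + i} SA"]
    return "\n".join(lines)


if __name__ == "__main__":
    packets = parse(build_sample())
    for alert in detect_port_scan(packets) + detect_syn_flood(packets):
        print(alert)
```

The thresholds are the whole game: a slow scan spread over hours drops below the window, and a busy web server legitimately sees hundreds of SYNs a second, so in practice the SYN-flood rule is expressed as a rate relative to a learned baseline and the scan rule is run per-source over a much longer window, at the cost of more state per source.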
Remote exploits
Attacks designed to take advantage of improperly coded software to compromise and take control of a vulnerable host; they can work in the same way as the malicious packet DoS attacks above, except that the crafted input yields control rather than a crash. These attacks exploit improperly checked input or configuration errors. Examples: buffer overflows, the Unicode exploit, cookie poisoning, SQL injection, etc.
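SQL injection, from the list above, is the clearest case of "improperly checked input" to show in a few lines. The following is an added example (not code from the handout): a login query built by string formatting next to the parameterised version, plus the crude signature check a NIDS would apply to the same field. The users table, passwords and attacker input are constructed, and passwords are hashed with plain SHA-256 only so the query logic stays visible.

```python
"""SQL injection, the 'improperly checked input' case above: a login query
built by string formatting next to the parameterised version, plus the kind
of crude signature match a NIDS would apply to the same field.

Added example, not code from the handout. The users table, passwords and
attacker input are constructed; passwords are hashed with plain SHA-256 only
so the query logic stays visible (real code needs a salted, slow hash).
"""
import hashlib
import re
import sqlite3


def pw_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db():
    """In-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", pw_hash("correct horse"), "admin"),
                      ("bob", pw_hash("hunter2"), "user")])
    return conn


def login_vulnerable(conn, name, password):
    """Untrusted input is spliced into the SQL text, so a name of
    alice' --  turns the rest of the statement into a comment and the
    password check disappears."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND pw_hash = '{pw_hash(password)}'")
    return conn.execute(sql).fetchone()  # (name, role) or None


def login_safe(conn, name, password):
    """Same query with bound parameters: the driver passes the name as data,
    so quotes and comment markers inside it never reach the SQL parser."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw_hash = ?"
    return conn.execute(sql, (name, pw_hash(password))).fetchone()


# Signature-style check of the kind a NIDS rule would apply to the login field.
# It catches the textbook payloads but not encoded or obfuscated variants
# (URL- or Unicode-encoded quotes, /**/ instead of spaces), which is why the
# parameterised query, not the signature, is the actual fix.
SQLI_RE = re.compile(r"('|--|/\*|;|\bor\b\s+\S+\s*=)", re.IGNORECASE)


def looks_like_sqli(field):
    return bool(SQLI_RE.search(field))


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, real creds :", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, injected   :", login_vulnerable(db, "alice' --", "whatever"))
    print("safe, injected         :", login_safe(db, "alice' --", "whatever"))
    print("signature on payload   :", looks_like_sqli("alice' --"))
```

The signature also fires on a legitimate name such as O'Brien, which is the false-positive side of signature NIDS in miniature: the rule sees characters, not intent, so the IDS alert is a prompt to look, while the parameterised query is what actually closes the hole.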
Trojans and Backdoor programs
By installing a backdoor program or a Trojan, an attacker can bypass normal security controls and gain privileged, unauthorized access to a host. A backdoor can be deployed on a system in a variety of ways: for example, a malicious software engineer can add one to legitimate software code, and backdoors added for legitimate maintenance reasons during the software development life cycle may simply be forgotten. A Trojan is software disguised as a benign application. Remote-control Trojans typically listen on a port like a genuine application, and through that open port the attacker controls them remotely. Trojans can perform any number of functions on the host: some include port-scanning and DoS features, others capture the screen or webcam and send the images back to the attacker. Trojans and backdoors have traditionally listened on a TCP or UDP port, which makes them easy to detect and counter; because of that, Trojans have evolved so they no longer need to listen on a port. Instead, they wait for a specific sequence of events (for example a particular pattern of incoming packets) before activating.
Misuse of Legitimate Access
Attackers often attempt to gain unauthorized use of legitimate accounts by obtaining authentication information, whether by technical means, social engineering, or both. An IDS, especially one based on anomaly detection, may be used to detect such activity, since a stolen account tends to be used at unusual times, from unusual places, or for unusual actions.
[24] Ken Timm, "Strategies to Reduce False Positives and False Negatives in NIDS", Symantec Connect. http://www.symantec.com/connect/articles/strategies-reduce-false-positives-and-false-negatives-nids (accessed 12/10/2010)