Intrusion Detection System

Upload: babu-raj

Post on 07-Apr-2018


  • 8/6/2019 Intrusion Detection Syste1

    1/32

    INTRUSION DETECTION SYSTEM

    SEMINAR REPORT

    Submitted by

    ARUN.P.KUMAR (18385)

    In partial fulfillment for the award of the degree

    Of

    Bachelor of Computer Applications

    UNION CHRISTIAN COLLEGE

    ALUVA

    M.G.UNIVERSITY, KOTTAYAM

    2007-2010

    Internal examiner External examiner


    TABLE OF CONTENTS (page no.)

    1. INTRODUCTION 4
    2. INTRUSION 5
    2.1 Signature Based
    2.2 Anomaly Based
    3. INTRUSION DETECTION SYSTEM 7
    3.1 Types of IDS
    3.1.1 Network-Based IDS
    3.1.1.1 Strengths of Network-Based IDS
    3.1.2 Host-Based IDS
    3.1.2.1 Strengths of Host-Based IDS
    3.1.3 The Need for Both Types
    3.2 Implementing an IDS
    3.3 Characteristics of IDS
    3.4 Security Policy and IDS
    4. KEY IDS PROCESSES 17
    5. INFRASTRUCTURE FOR IDS AND RESPONSE 21
    5.1 IDIP Concept
    5.2 IDIP Application Layer Protocol
    5.3 Cryptographic Requirements
    5.4 Software Architecture
    6. INTEGRATED SERVICE CHECKER 26
    6.1 Network Intrusion Detection System
    6.2 System Layout
    6.3 Data Collection and Analysis
    7. OTHER TYPES OF IDS 28
    7.1 System Integrity Verifiers
    7.2 Log File Monitors
    7.3 Honey Pots
    8. CONCLUSION 30
    9. BIBLIOGRAPHY 31


    1. INTRODUCTION

    Intrusion detection is a very important aspect of protecting the cyber
    infrastructure from terrorist attacks and from hackers. Intrusion prevention
    techniques such as firewalls and filtering router policies fail to stop many
    types of attack. Therefore, no matter how secure you try to make your
    system, intrusions still happen, and so they must be detected. Intrusion
    detection systems are becoming an important part of computer system
    security. An intrusion detection system is used to detect several types of
    malicious behaviour that can compromise the security and trust of a
    computer system. This includes network attacks against vulnerable services,
    data-driven attacks on applications, host-based attacks such as privilege
    escalation, unauthorized logins and access to sensitive files, and malware
    (viruses, trojan horses and worms).

    An IDS can be composed of several components: sensors, which generate
    security events; a console, to monitor events and alerts and to control the
    sensors; and a central engine, which records the events logged by the
    sensors in a database and uses a system of rules to generate alerts from
    the security events received. There are several ways to categorize an IDS,
    depending on the type and location of the sensors and the methodology used
    by the engine to generate alerts. In many simple IDS implementations all
    three components are combined in a single device or appliance.

    Intrusion detection can also allow for prevention: depending on the attack
    certainty, the attack severity relative to the type of attack, and the
    vulnerability of the components under attack, the response may be to kill
    the connection, install filtering rules, or disable a user account.

    2. INTRUSION

    An intrusion is any set of actions that attempts to compromise the
    integrity, confidentiality or availability of resources; it can damage your
    system and give access to confidential data. Different abuses may have quite
    different aims: what is the objective of the attack? What damage or other
    consequences are likely? An intruder takes advantage of weak points or
    vulnerabilities that exist in the targeted (your) system. In short,
    intrusion means someone attempting to break into or misuse the system.

    Detection Approaches

    Within these types of IDS, two approaches can be adopted for analyzing
    malicious activity to detect attacks. Each approach has advantages and
    disadvantages, but the most commonly used method is the signature-based
    intrusion detection system.

    2.1 Signature Based

    Signature-based IDS work by monitoring packets on the network and
    comparing them with pre-defined attack signatures in a database. Signature
    detection records each pattern of events as a separate attack signature.
    They are used for detecting attacks while minimizing the number of false
    alarms, and they also help security managers track security problems in
    their systems. In this respect a signature-based intrusion detection system
    detects malware the same way antivirus software detects viruses and worms:
    it identifies intrusions by watching for patterns of traffic or application
    data presumed to be malicious. Systems of this type are presumed to be able
    to detect only 'known' attacks, since they catch intrusions in terms of the
    characteristics of known attacks or system vulnerabilities.

    2.2 Anomaly Based

    Anomaly-based IDS work by analyzing any unusual behaviour of hosts on the
    network. The traffic patterns of normal activity differ from the patterns
    of an attack. The anomaly-based category of IDS monitors the traffic and
    compares it with a known baseline. The approach is to measure a "baseline"
    of such statistics as CPU utilization, disk activity, user logins, file
    activity, and so forth; the system can then trigger when there is a
    deviation from this baseline. The benefit of this approach is that it can
    detect anomalies without having to understand the underlying cause behind
    them. It can detect insider attacks or account theft very easily, and it is
    difficult for an attacker to know with certainty what activity he can carry
    out without setting off an alarm.


    3. INTRUSION DETECTION SYSTEM

    In order to respond properly to an attack on an asset, the attack must
    first be detected and then all of its characteristics uncovered and
    documented. Once the attack or misuse is recognized, the response can be
    automatic or manual and can include termination of the connection or a
    host of responses aimed at apprehending the attacker. Techniques such as
    firewalls, identification and authentication procedures, and encryption
    are not designed to address any of the above security issues; these
    particular issues are the province of the intrusion detection system.

    3.1 Types of IDS

    In general terms, the intrusion detection system (IDS) has evolved into
    two major architectures, distinguished by their scope (each of which may
    use anomaly or signature detection):

    3.1.1 Network-based intrusion detection system

    Network-based intrusion detection systems work by capturing and analyzing
    the packets in a network. This type of IDS monitors traffic patterns and
    alerts the system administrator about potential malicious activity. The
    sensors used in this type of IDS usually run in stealth mode, hiding their
    presence and avoiding discovery by attackers. A network intrusion detection
    system monitors all the inbound and outbound packets to and from the
    devices in the network.

    3.1.1.1 Strengths of Network-Based IDS

    The network-based IDS has many strengths due to its real-time packet
    capture and analysis functionality, which cannot easily be performed with
    a host-based IDS alone. Below are some of the strengths that make a
    network-based IDS clearly a needed component of any security system and
    policy.

    1. Cost of Ownership

    The network-based IDS allows strategic deployment at critical access
    points to view network traffic destined for the numerous systems that need
    to be protected. It does not require software to be loaded and managed on
    a variety of hosts, as the host-based IDS does. Because fewer detection
    points are required, management is more cost-effective for an enterprise
    environment.

    2. Packet Analysis

    The network-based IDS examines all packet headers for signs of malicious
    and suspicious activity. Many of today's IP-based denial of service (DoS)
    attacks are detected by looking at the packet headers as they travel
    across a network. For example, a LAND attack is a forged packet whose
    source and destination IP addresses, and source and destination ports, are
    the same as those of the target host. The forged packet tells the target
    to open a connection with itself and can cause the target to operate slowly
    or crash. This type of attack can quickly be identified and responded to by
    a network-based IDS because it is looking at the packet stream in real
    time. Attacks that use fragmented packets, such as Teardrop, can also be
    detected with packet-level analysis. A host-based IDS cannot detect these
    types of attack. In addition to looking at the packet headers, a
    network-based IDS can also investigate the content of the payload, looking
    for specific commands or syntax used by a variety of attacks. Many of these
    commands are indicative of an attack, whether successful or not. Example:
    an attacker probing for the new Back Orifice exploit on systems that are
    not infected with the Back Orifice software can be detected by examining
    the packet payload. A host-based IDS would not be able to detect these
    types of payload-embedded attacks.
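    As an added example (not code from the report), the two detection approaches of sections 2.1 and 2.2 applied to constructed data: the signature side uses the LAND and overlapping-fragment (Teardrop-style) header checks described above plus a hypothetical payload pattern, and the anomaly side flags deviations from a measured baseline of host statistics. All packets, addresses, the payload pattern and the statistics are constructed for illustration.

```python
"""Signature-based vs anomaly-based detection over constructed data."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    frag_id: int = 0        # IP identification shared by fragments of one datagram
    frag_offset: int = 0    # byte offset of this fragment in the original datagram
    frag_len: int = 0       # payload bytes in this fragment (0 = not fragmented)
    payload: bytes = b""


# --- signature based: characteristics of known attacks ---------------------
# Hypothetical payload signature; a real IDS would load its rules from a database.
PAYLOAD_SIGNATURES = {"constructed-probe-signature": b"PROBE-XYZ-PING"}


def is_land(pkt):
    """LAND: forged packet whose source equals its destination (IP and port)."""
    return pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port


def has_overlapping_fragments(pkts):
    """Teardrop-style attack: fragments of one datagram whose byte ranges overlap."""
    by_id = {}
    for p in pkts:
        if p.frag_len:
            by_id.setdefault(p.frag_id, []).append((p.frag_offset, p.frag_offset + p.frag_len))
    for ranges in by_id.values():
        ranges.sort()
        for (_, end1), (start2, _) in zip(ranges, ranges[1:]):
            if start2 < end1:  # next fragment starts inside the previous one
                return True
    return False


def signature_alerts(pkts):
    """Return (signature name, source) for every packet matching a known pattern."""
    alerts = []
    for p in pkts:
        if is_land(p):
            alerts.append(("LAND", p.src_ip))
        for name, pattern in PAYLOAD_SIGNATURES.items():
            if pattern in p.payload:
                alerts.append((name, p.src_ip))
    if has_overlapping_fragments(pkts):
        alerts.append(("TEARDROP", "fragment stream"))
    return alerts


# --- anomaly based: deviation from a measured baseline ---------------------
def build_baseline(samples):
    """samples: dicts of host statistics (cpu, logins, ...) measured during normal use."""
    return {k: (mean(s[k] for s in samples), pstdev(s[k] for s in samples))
            for k in samples[0]}


def anomaly_alerts(baseline, observation, sigma=3.0):
    """Flag every statistic more than `sigma` standard deviations from its baseline."""
    alerts = []
    for k, (mu, sd) in baseline.items():
        z = (observation[k] - mu) / max(sd, 1e-9)   # guard against a constant baseline
        if abs(z) > sigma:
            alerts.append((k, round(z, 1)))
    return alerts


def demo():
    # Constructed traffic: one LAND packet, one payload probe, two overlapping
    # fragments of datagram 77, and one ordinary HTTPS request.
    pkts = [
        Packet("10.0.0.5", "10.0.0.5", 139, 139),
        Packet("192.0.2.7", "10.0.0.9", 40000, 31337, payload=b"xxPROBE-XYZ-PINGyy"),
        Packet("192.0.2.8", "10.0.0.9", 0, 0, frag_id=77, frag_offset=0, frag_len=36),
        Packet("192.0.2.8", "10.0.0.9", 0, 0, frag_id=77, frag_offset=24, frag_len=36),
        Packet("10.0.0.2", "10.0.0.9", 51000, 443, payload=b"GET / HTTP/1.1"),
    ]
    known = signature_alerts(pkts)
    # Constructed baseline of normal host statistics, then one observation of an
    # attack the signature database has never seen and one normal observation.
    baseline = build_baseline([
        {"cpu": 20, "logins": 3}, {"cpu": 25, "logins": 4}, {"cpu": 22, "logins": 2},
        {"cpu": 28, "logins": 5}, {"cpu": 24, "logins": 3}, {"cpu": 21, "logins": 4},
    ])
    unknown = anomaly_alerts(baseline, {"cpu": 95, "logins": 40})
    normal = anomaly_alerts(baseline, {"cpu": 26, "logins": 4})
    return known, unknown, normal


if __name__ == "__main__":
    print(demo())
```

    The signature detector names the three known attacks and stays silent on the unknown one, while the anomaly detector catches the unknown one from the baseline deviation alone.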

    3. Evidence Removal

    The network-based IDS uses live network traffic for its attack detection
    in real time, and a hacker cannot remove this evidence once it has been
    captured. The captured data contains not only the attack but also
    information that may help lead to the attacker's identification, and the
    captured network traffic may be needed as evidence leading to prosecution.
    One problem sometimes experienced with host-based IDS is that hackers
    understand most of the audit log files, and these are usually the first
    place they go to cover their tracks by removing or damaging this
    information.

    4. Real-Time Detection and Response

    The network-based IDS detects malicious and suspicious attacks as they are
    occurring, in true real time, and provides faster response and notification
    for the attack at hand. Example: a hacker initiating a network-based denial
    of service (DoS) attack based on TCP can be instantly stopped by having the
    IDS send a TCP reset to terminate the attack before it crashes or damages
    the targeted host. With a host-based IDS, the notification from a
    particular log or event is often detected only after the damage is already
    done, or not at all if the system has crashed. Real-time notification
    allows you to react quickly in the desired fashion: some may want to allow
    further penetration so they can gather more information in a surveillance
    mode, while others may opt for immediate termination of the attack.

    5. Malicious Intent Detection

    A network-based IDS can also be very valuable in determining malicious
    intent. If the network-based IDS is placed outside the firewall, it can
    detect attacks intended for resources behind the firewall even though the
    firewall may be rejecting these attack attempts. A host-based IDS could not
    show these rejected attacks, because they never reach the host, but it is
    important to know the frequency and types of attack being thrown at your
    network.

    6. Complement and Verification

    The network-based IDS can also complement existing components of your
    implemented security policy. In the case of encryption, the network-based
    IDS, although it may not be able to read all encrypted traffic, can be used
    to detect any unencrypted traffic that may be present on your network. In
    the case of a firewall, the network-based IDS can help verify that it is
    truly keeping out the types of traffic and the addresses it should be
    rejecting. Implementing both network- and host-based IDS as required
    components will greatly enhance your resistance to attack. Below is a quick
    graphical representation of the independent network-based and host-based
    IDS scenarios and the benefit of implementing both a network and a
    host-based solution.

    7. Operating System Independence

    The network-based IDS is not dependent on the host operating system for its
    detection source, as the host-based IDS solution is. All of the log
    information used by a host-based solution requires that the operating
    system is functioning properly and has not been compromised in any way.

    3.1.2 Host-based intrusion detection system

    Host-based intrusion detection works by collecting information from
    individual computers: it detects and monitors the activities of an attack
    on an operating system using data collected from the host computer itself.
    Host-based detection only monitors the inbound and outbound packets of the
    system device. It uses two sources of information, operating system audit
    trails and system logs. Operating system audit trails are obtained from the
    kernel of the operating system, and system logs give a description of the
    system's activities on the network.

    3.1.2.1 Strengths of Host-Based IDS

    Because the host-based IDS resides on specific hosts and uses the
    information provided by the operating system, it adds capabilities not
    found in the network-based IDS. Some of the major strengths include:

    1. Attack Verification

    Because the host-based IDS uses logs containing events that have actually
    occurred, it has the advantage of knowing whether the actual attack or
    exploit was successful. This type of detection has been deemed more
    accurate and less prone to false positives. Many network-based attacks can
    trigger numerous false positives because normal traffic can look very much
    like malicious traffic; in addition, it is hard for a network-based IDS to
    know whether or not an attack was successful.

    2. System Specific Activity

    The host-based IDS can quickly monitor user and file access activity. Any
    time a login or logoff procedure is executed it is logged, and the
    host-based IDS can monitor this according to its current policy. It can
    also monitor various kinds of file access and be notified when specific
    files are opened or closed. This type of system activity cannot be
    monitored or detected by a network-based IDS, because it does not
    necessarily produce traffic on the network. Example: someone walking up to
    a keyboard and opening a non-shared file. The host-based IDS can also
    monitor activities that should, and can, only be executed by an
    administrator. Any time user accounts are added, deleted or modified this
    information is logged and can be detected as soon as the change is
    executed. Also, if any audit policy changes are made affecting what the
    system logs and does not log, the host-based IDS will immediately pick up
    this activity. A network-based IDS could not detect these types of
    administrator changes.

    3. Encrypted and Switched Environments

    Because the host-based IDS software resides on various hosts throughout an
    enterprise, it can overcome some of the challenges faced by network-based
    IDS. In a purely switched environment it can be challenging to deploy a
    network-based IDS, because switched networks have numerous separate
    collision domains or segments. It is sometimes hard to get the required
    coverage, because a network-based IDS can only reside on one segment at a
    time and numerous segments need to be protected. Traffic mirroring and SPAN
    ports on switches have helped, but they still present challenges in
    getting enough coverage and have limitations. The host-based IDS can
    provide greater visibility into a purely switched environment by residing
    on as many critical hosts as needed. As for encryption, certain types of
    encryption can also present a challenge to the network-based IDS: depending
    on where the encryption resides within the protocol stack, it may leave the
    network IDS blind to certain attacks. The host-based IDS does not have this
    problem. If the host in question uses log-based analysis, the encryption
    will have no impact on what goes into the log files. A stack-based IDS
    allows us to monitor packets as they traverse the TCP/IP stack; this allows
    the IDS to examine the packets before the OS or the application sees them,
    but after the TCP/IP stack has decrypted them.

    4. Monitoring Key Components


    Fig 3.1 Intruder and Victim

    3.2 Implementing an Intrusion Detection System

    An effective IDS does not stand alone. It must be supported by a number of
    other systems. Among the things to consider, in addition to the IDS, in
    setting up a good IDS for the company network are:

    Operating systems: a good operating system that has logging and auditing
    features. Most modern operating systems, including Windows, UNIX and other
    variants of Unix, have these features, which can be used to monitor
    security-critical resources.

    Services: all applications on servers, such as web servers, e-mail servers
    and databases, should include logging/auditing features as well.

    Firewalls: a good firewall should have some network intrusion detection
    capabilities.

    Network management platform: whenever network management services such as
    OpenView are used, make sure that they have tools to help in setting up
    alerts on suspicious activity.

    3.3 Characteristics of IDS

    An IDS must be able to detect both an intruder in your system and a
    legitimate user misusing system resources. It must run continually and be
    fault tolerant. It must resist subversion by an intruder and use
    self-diagnosis to determine whether the intrusion detection system itself
    has been compromised. Every system has different usage patterns, and the
    defense mechanism should adapt easily to these patterns.

    3.4 Security policy and IDS

    What is permitted and what is denied on the system must be defined. The
    system must be available for use, and data must be available in readable
    form. The IDS must be able to verify the identity of a user, and the user
    should be able to verify the identity of the system. Private data should be
    known only to its owner or a chosen few.

    4. KEY IDS PROCESSES

    Process model for efficient intrusion detection systems

    The IDS process model (Figure 1) is underpinned by the data sources it has
    access to. The data sources are important because this data is used to
    detect intrusions into the network. These data sources can be obtained from
    different levels of the system. Some of the data sources from which
    intrusions can be found are (Bace & Mell, 2007):

    Auditing the system resources by checking the audit log file of the
    operating system, which includes system events and activities. Some of the
    information, such as file accesses and the method of access attempts, may
    also be useful.

    Recording information such as system parameters, memory use and network
    connections, which is useful for detecting intrusions.

    Network management logs, which give information about device status and
    transitions.


    In order to implement, and more importantly maintain, an effective IDS it
    is necessary to identify and describe the key processes involved. Ten key
    processes are described here.

    1. Activity monitoring and automation. This is the process of monitoring
    all user and system activities in a network. The system and network
    configuration are checked for any intrusions. The two main tasks of
    activity monitoring are to detect system and network intrusions, and to
    detect abnormal attack patterns and user policy violations (White, 2003).
    The main purpose of activity monitoring is to alert the administrator to
    problems caused by crashed servers, overload, malware infection and failed
    connections.

    2. Configuration check. This check is done to identify the system and
    network configuration. It checks whether the systems and network have any
    detectable vulnerabilities. Configuration checking also looks for hosts
    that do not belong to the network. All machines in the network should be
    checked periodically for malware. There are also different types of
    sniffing tools that can be used in this configuration checking process.

    3. File authorizations. File authorization checking identifies
    modifications to file, user and group authorizations. One possible attack
    vector is to modify user and group authorizations, allowing various
    attacks on the network. One way of checking the file settings is to keep a
    copy of the expected file settings outside the network and compare it with
    the current file settings.

    4. Log file examination. Log files record actions and events that take
    place on a network. Log files can be obtained from various devices such as
    servers and routers. They are mainly used for checking who has accessed
    the network, at what time and from which location.


    9. Response. Response is the action that a system takes when it detects
    intrusions on a network. It is most usefully employed when presenting the
    event analysis results through a graphical user interface. There are
    several methods of alerting administrators to events, such as e-mail or
    pagers (Saiglobal, 2004). A system administrator can then ascertain the
    severity and make decisions on the most appropriate countermeasures. In
    some IDS the reaction-response is also able to perform preventive actions,
    such as locking the account that was attacked, thereby reducing additional
    potential damage to the system.

    10. Data storage. Data storage is required for storing all detected
    activities, audit logs and other relevant information in a database. This
    database will contain a collection of attacks, unusual behaviour patterns
    and other attacks that can be used for future detection of intrusions. It
    can also store the detected malicious activity for subsequent use as
    evidence.

    5. INFRASTRUCTURE FOR IDS AND RESPONSE

    When an intrusion detection system is applied to large internetworked
    environments or information infrastructures, it has some important
    limitations:

    1) An IDS detects local intrusion symptoms and can only react locally (e.g.
    by reconfiguring the local boundary controller and hosts). Because attacks
    may cross many network boundaries, a response local to the target cannot
    identify or mitigate the source of the attack, which may be several
    networks removed.


    2) Even if an IDS were capable of communicating with the remote boundary
    controllers near the attacker, there is no common language for remotely
    instructing them to block selected traffic. It is also unlikely that an
    intrusion detection system would know enough about all such devices to be
    able to reconfigure them remotely using low-level, device-specific
    commands.

    3) If an intrusion, or its symptoms, is detected in different areas of an
    internetworked environment by different intrusion detection systems, the
    current technologies lack the infrastructure and protocol for

    1. pooling this information to allow correlation, and

    2. developing and promulgating a coordinated, uniform response throughout
    the environment.

    The Intruder Detection and Isolation Protocol (IDIP) overcomes these
    drawbacks. This protocol is integrated with a variety of boundary control
    devices, hosts and intrusion detection systems for blocking and tracing
    intrusions across network boundaries.

    5.1 IDIP Concept

    IDIP is an application layer protocol that coordinates intrusion tracking
    and isolation. IDIP systems are organized into IDIP communities. Each IDIP
    community is an administrative domain, with intrusion detection and
    response functions managed by a component called the Discovery
    Coordinator. Communities are further organized into IDIP neighborhoods: a
    neighborhood is a collection of components with no boundary control device
    between them, so boundary control devices are members of multiple IDIP
    neighborhoods. See Fig 5.1. The objective of IDIP is to share the
    information necessary to enable intrusion tracking and containment.


    When an attack traverses an IDIP-protected network, each IDIP node along
    the path is responsible for auditing data about the attack. When an
    intrusion is detected, it is reported to all neighbors. Each IDIP node
    makes a local decision as to what type of response to give; this depends
    on the attack type, the attack certainty, the attack severity relative to
    the type of attack, and the vulnerability of the components under attack.
    The response may be to kill the connection, install filtering rules, or
    disable a user account.


    Fig 5.1 IDIP Communities

    Each IDIP node sends a copy of the attack report, along with its local
    response, to the Discovery Coordinator, which collects all reports to gain
    a better overall picture of the situation. It also issues response
    directives back to individual nodes, either to remove an unnecessary
    response (e.g. a firewall filtering rule) or to add a response, such as
    firewall filtering on an alternate attack path. Hosts also participate in
    the IDIP system. Hosts can provide more fine-grained responses, as they can
    trace an intrusion back to the process and the user initiating the
    intrusion on the local host. If an intruder performs an attack after
    hopping through multiple hosts, IDIP-enabled hosts allow the intrusion to
    be traced back through these hosts, which is not possible if only boundary
    controllers participate in the IDIP system.

    5.2 IDIP Application Layer Protocol

    IDIP is organized into two primary protocol layers: the IDIP application
    layer and the IDIP message layer. The application layer protocol
    accomplishes intrusion tracking and containment through three major message
    types: 1. Trace, 2. Report, 3. Discovery Coordinator directive.

    An IDIP trace request message is sent when an event sequence is detected
    that is determined to be sufficiently intrusive to warrant a response,
    which may be to trace and block. This message includes a description of
    the event and of the connection used by the intruder. This information is
    used by each IDIP node that receives the trace request to determine whether
    the attack passed through that node. Because the description may need to be
    modified along the path, the protocol supports appending a translation
    record to the end of the trace message. In a trace message, blocking can be
    requested for a limited time or until the system administrator reverses the
    action; for this, IDIP monitors the clock to determine when to remove the
    block. An IDIP report is simply a copy of the trace message that is sent to
    the Discovery Coordinator by each component that receives the message. Once
    the Discovery Coordinator has determined an optimal response, it sends
    directives to the nodes that need to alter their response. Discovery
    Coordinator directives are of two types:

    1. Undo message, which requests that an action previously taken by IDIP be
    reversed, for example reopening a service that was blocked at a firewall.

    2. Do message, which requests another action, such as extending the
    duration of a blocking rule.

    Supporting communication between the varied IDIP components requires a
    flexible and extensible language. IDIP uses the Common Intrusion
    Specification Language (CISL) developed by the Common Intrusion Detection
    Framework (CIDF).
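    As an added example (not code from the report or from the IDIP project), a simulation of the trace, report and directive exchange described in this section on a constructed topology: the victim host sends a Trace, each node the attack passed through installs a time-limited block and sends a Report, and the Discovery Coordinator answers with Undo and Do (extend) directives. The node names, addresses, the attack connection, the JSON encoding (the real protocol uses CISL) and the coordinator's policy of keeping only the block nearest the source are assumptions; the one-datagram size limit is the report's own requirement from section 5.3.

```python
"""Simulated IDIP trace / report / directive exchange (added example, not IDIP code)."""
import json

MAX_DATAGRAM = 64 * 1024  # each IDIP message must fit within one UDP datagram

def encode(msg):
    """Serialize a message for one datagram; refuse anything that would not fit."""
    raw = json.dumps(msg, sort_keys=True).encode()
    if len(raw) > MAX_DATAGRAM:
        raise ValueError(f"IDIP message of {len(raw)} bytes exceeds one UDP datagram")
    return raw

def conn_key(conn):
    return (conn["src"], conn["dst"], conn["dport"])

class Node:
    """A boundary controller or host taking part in IDIP (constructed model)."""

    def __init__(self, name, seen, clock):
        self.name = name
        self.seen = seen      # keys of connections this node has observed or forwarded
        self.neighbors = []
        self.blocks = {}      # connection key -> expiry time of the block
        self.clock = clock    # injectable clock so the simulation is deterministic

    def is_blocked(self, conn):
        expiry = self.blocks.get(conn_key(conn))
        if expiry is None:
            return False
        if self.clock() >= expiry:    # time-limited block: the clock says remove it
            del self.blocks[conn_key(conn)]
            return False
        return True

    def handle_trace(self, msg, dc, came_from=None):
        """Block locally if the attack passed here, report to the DC, forward the trace."""
        key = conn_key(msg["connection"])
        if key not in self.seen:
            return                    # the attack did not pass through this node
        self.blocks[key] = self.clock() + msg["block_seconds"]
        msg = dict(msg, path=msg["path"] + [self.name])        # record the traced hop
        dc.receive_report(dict(msg, kind="REPORT", reporter=self.name,
                               local_response="block"))
        for n in self.neighbors:
            if n is not came_from:
                n.handle_trace(msg, dc, came_from=self)

    def handle_directive(self, msg):
        key = conn_key(msg["connection"])
        if msg["kind"] == "UNDO":                      # reverse an earlier action
            self.blocks.pop(key, None)
        elif msg["kind"] == "DO" and msg["action"] == "extend":
            self.blocks[key] = self.clock() + msg["block_seconds"]

class DiscoveryCoordinator:
    def __init__(self):
        self.reports = []

    def receive_report(self, report):
        self.reports.append(json.loads(encode(report)))   # a report is a copy of the trace

    def decide(self, nodes, conn, extend_to):
        """Keep only the block nearest the attack source, undo the rest, extend the kept one."""
        farthest = max(self.reports, key=lambda r: len(r["path"]))
        keep = farthest["path"][-1]
        issued = []
        for r in self.reports:
            if r["reporter"] == keep:
                d = {"kind": "DO", "action": "extend", "connection": conn,
                     "block_seconds": extend_to}
            else:
                d = {"kind": "UNDO", "connection": conn}
            nodes[r["reporter"]].handle_directive(json.loads(encode(d)))
            issued.append((r["reporter"], d["kind"]))
        return issued

def demo():
    """Constructed topology: attacker -> edge-fw -> dept-fw -> victim; peer-host off dept-fw."""
    now = [1_000_000.0]
    conn = {"src": "198.51.100.9", "dst": "10.0.0.9", "dport": 8080}   # constructed attack
    key = conn_key(conn)
    nodes = {n: Node(n, seen, lambda: now[0]) for n, seen in
             [("edge-fw", {key}), ("dept-fw", {key}), ("victim", {key}), ("peer-host", set())]}
    for a, b in [("edge-fw", "dept-fw"), ("dept-fw", "victim"), ("dept-fw", "peer-host")]:
        nodes[a].neighbors.append(nodes[b])
        nodes[b].neighbors.append(nodes[a])
    dc = DiscoveryCoordinator()
    trace = {"kind": "TRACE", "event": "constructed: repeated exploit attempts on tcp/8080",
             "connection": conn, "block_seconds": 60, "path": []}
    nodes["victim"].handle_trace(json.loads(encode(trace)), dc)   # victim detected it
    blocked_before = [n for n, node in nodes.items() if node.is_blocked(conn)]
    issued = dc.decide(nodes, conn, extend_to=600)
    blocked_after = [n for n, node in nodes.items() if node.is_blocked(conn)]
    now[0] += 700                 # time passes; the extended block expires by itself
    blocked_later = [n for n, node in nodes.items() if node.is_blocked(conn)]
    return blocked_before, issued, blocked_after, blocked_later
```

    Running demo() shows three nodes blocking after the trace, two Undo directives and one Do, a single block left at the edge firewall, and no block once its extended lifetime has passed.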

    5.3 Cryptographic Requirements

    The basic requirements for IDIP cryptography are:

    1. Minimal impact on IDIP message size, as each IDIP message must fit
    within one UDP datagram, which is 64 kilobytes.

    2. Availability on multiple platforms, including Solaris, OS/2, Linux and
    Windows NT, and integration with each.


    5.4 Software Architecture

    The two primary objectives for the IDIP software architecture are:

    1. Ease of integration with various components.

    2. Flexibility in modifying the generic component behaviour.

    6. INTEGRATED SERVICE CHECKER

    6.1 Network Intrusion Detection System

    There are several ways to filter NIDS alerts, and filtering is needed
    because a NIDS produces a lot of false positive alerts: it usually has no
    way of knowing whether an attack actually succeeded or failed. Additional
    elements should therefore be added on top of the NIDS to check the targeted
    host; this is the integrated service checker (ISC). Many current NIDS are
    unable to test the remote operating system, which is why more false
    positive alerts are produced.

    6.2 System Layout

    Sensors run on an operating system (a Red Hat Linux system), and the NID
    element is the short system. Sensors are placed in such a way that they
    can see all outgoing and incoming traffic of the network.

    6.3 Data Collection and Analysis

    Data collection is set up so that it cannot interfere with the data
    collected. This is achieved by putting the interface into a mode in which
    the operating system cannot send any packet. A fibre link at gigabit speed
    is used for collecting data.

    However, a short system rule can still lead to false positives, for
    example when it records off-site web traffic and the string happens to
    match for some reason. The checker system is needed especially once it has
    been identified what the attacker is looking for and the IP addresses of
    the hackers have been recorded. After that we may see some IP address
    attempting buffer overflow attacks against certain ports and services; at
    this point the vulnerability checker checks the hosts that the intruder
    tried to exploit. A NIDS integrated with automatic checking can be
    included in our security operations and used as the basis for follow-up.
    This set-up makes the IDS smarter and reduces the number of false positive
    alerts.
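    As an added example (not code from the report or from any ISC implementation), the checking step of sections 6.1 and 6.3: each NIDS alert is compared with what is known about the targeted host, so that alerts whose exploit could not have worked there are filed as false positives while the rest stay actionable, and the source addresses of actionable alerts are counted for follow-up. The alerts, signature names, addresses and the host inventory are constructed; a real checker would obtain the inventory by probing the host or from an asset database.

```python
"""Integrated service checker: verify NIDS alerts against the targeted host (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    signature: str
    src_ip: str
    dst_ip: str
    dst_port: int
    affected_service: str   # service the signature's exploit targets ("any" = no restriction)
    affected_os: str        # OS the exploit works against ("any" = no restriction)


# Constructed host inventory, standing in for what the checker would learn by
# probing the targeted host (OS fingerprint, service banners) or from an asset database.
INVENTORY = {
    "10.0.0.9": {"os": "linux", "services": {80: "apache", 22: "openssh"}},
    "10.0.0.12": {"os": "windows", "services": {80: "iis", 445: "smb"}},
}


def check_alert(alert, inventory):
    """Decide whether the attack the NIDS saw could have worked on the targeted host."""
    host = inventory.get(alert.dst_ip)
    if host is None:
        return "unverified:unknown-host"          # cannot check, so keep the alert
    service = host["services"].get(alert.dst_port)
    if service is None:
        return "false-positive:port-closed"
    if alert.affected_os != "any" and host["os"] != alert.affected_os:
        return "false-positive:os-mismatch"
    if alert.affected_service != "any" and service != alert.affected_service:
        return "false-positive:service-mismatch"
    return "actionable"


def triage(alerts, inventory):
    """Group alert signatures by verdict and count actionable alerts per source address."""
    verdicts, sources = {}, Counter()
    for a in alerts:
        verdict = check_alert(a, inventory)
        verdicts.setdefault(verdict, []).append(a.signature)
        if verdict == "actionable":
            sources[a.src_ip] += 1          # recorded for follow-up on repeat offenders
    return verdicts, sources


def demo():
    # Constructed NIDS alerts: the same overflow signature fired against a Linux
    # Apache host and a Windows IIS host, plus three other cases.
    alerts = [
        Alert("iis-buffer-overflow", "192.0.2.7", "10.0.0.9", 80, "iis", "windows"),
        Alert("iis-buffer-overflow", "192.0.2.7", "10.0.0.12", 80, "iis", "windows"),
        Alert("ssh-buffer-overflow", "192.0.2.7", "10.0.0.12", 22, "openssh", "any"),
        Alert("generic-web-probe", "198.51.100.3", "10.0.0.9", 80, "any", "any"),
        Alert("generic-web-probe", "198.51.100.3", "10.0.0.99", 80, "any", "any"),
    ]
    return triage(alerts, INVENTORY)


if __name__ == "__main__":
    print(demo())
```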


    7. Other Types of Intrusion Detection Systems

    Although NIDS and HIDS are the most widely used tools in intrusion
    detection, there are others that are less used but more targeted and,
    therefore, more specialized. Because many of these tools are so
    specialized, many are still not considered intrusion detection systems but
    rather intrusion detection add-ons or tools.


    7.1 System Integrity Verifiers (SIVs)

    SIVs monitor critical files in a system, such as system files, to find out
    whether an intruder has changed them. They can also detect changes to other
    system components; for example, they detect when a normal user somehow
    acquires root/administrator level privileges. In addition, they monitor
    system registries in order to find well-known signatures.
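    As an added example (not code from the report or from any SIV product), the file check of section 7.1 and the "expected file settings kept outside the network" check of process 3 in section 4: a baseline of hash, permission bits and owner for critical files is taken and serialized so it can be stored off the host, then compared with a fresh snapshot, and a passwd-format file is scanned for accounts other than root that hold uid 0. The files and their contents are constructed in a temporary directory.

```python
"""System integrity verifier on constructed files (added example, not a real SIV product)."""
import hashlib
import json
import os
import stat
import tempfile


def snapshot(paths):
    """Record content hash, permission bits and owner of each critical file."""
    snap = {}
    for p in paths:
        st = os.stat(p)
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        snap[os.path.basename(p)] = {"sha256": digest,
                                     "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}
    return snap


def compare(baseline, current):
    """Report every file whose hash, permissions or owner differ from the stored baseline."""
    findings = []
    for name, expected in baseline.items():
        actual = current.get(name)
        if actual is None:
            findings.append((name, "missing"))
            continue
        for attr in ("sha256", "mode", "uid"):
            if actual[attr] != expected[attr]:
                findings.append((name, f"{attr} changed"))
    for name in current.keys() - baseline.keys():
        findings.append((name, "unexpected new file"))
    return findings


def uid0_accounts(passwd_text):
    """Accounts with uid 0 in passwd-format text; any besides root means a user gained root."""
    accounts = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            accounts.append(fields[0])
    return accounts


def demo():
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")
        sshd_conf = os.path.join(d, "sshd_config")
        with open(passwd, "w") as f:      # constructed passwd content
            f.write("root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n")
        with open(sshd_conf, "w") as f:   # constructed config content
            f.write("PermitRootLogin no\n")
        os.chmod(sshd_conf, 0o600)
        # The baseline is serialized so it can be kept off the monitored host.
        baseline = json.loads(json.dumps(snapshot([passwd, sshd_conf])))
        # Simulated tampering: alice is given uid 0 and the config is made world-writable.
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\nalice:x:0:1000::/home/alice:/bin/sh\n")
        os.chmod(sshd_conf, 0o666)
        findings = compare(baseline, snapshot([passwd, sshd_conf]))
        with open(passwd) as f:
            escalated = [u for u in uid0_accounts(f.read()) if u != "root"]
    return findings, escalated


if __name__ == "__main__":
    print(demo())
```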

    7.2 Log File Monitors (LFM)

    LFMs first create a record of the log files generated by network services.
    Then they monitor this record, just like a NIDS, looking for system trends,
    tendencies and patterns in the log files that would suggest an intruder is
    attacking.
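    As an added example (not code from the report), a small log file monitor of the kind section 7.2 describes, applied to the host audit events listed under section 3.1.2.1: it records logins and logoffs, alerts on user account additions and modifications, on a user being added to a privileged group, on the audit daemon stopping (an audit policy change), and on a burst of failed logins from one source. The log lines, host name, user names and addresses are constructed in the style of a Linux auth log; the alert rules are assumptions, not rules from any product.

```python
"""Log file monitor for host audit events on constructed syslog lines (added example)."""
import re
from collections import Counter

# Constructed sample log in the style of a Linux auth log (not from any real system).
SAMPLE_LOG = """\
Apr  7 10:01:02 host1 sshd[811]: Accepted password for alice from 10.0.0.5 port 51002 ssh2
Apr  7 10:02:10 host1 sshd[812]: Failed password for root from 192.0.2.7 port 40011 ssh2
Apr  7 10:02:11 host1 sshd[812]: Failed password for root from 192.0.2.7 port 40012 ssh2
Apr  7 10:02:12 host1 sshd[812]: Failed password for root from 192.0.2.7 port 40013 ssh2
Apr  7 10:03:00 host1 useradd[900]: new user: name=svc2, UID=1001, GID=1001, home=/home/svc2, shell=/bin/sh
Apr  7 10:03:05 host1 usermod[905]: add 'svc2' to group 'sudo'
Apr  7 10:04:00 host1 auditd[300]: Audit daemon is exiting.
Apr  7 10:05:00 host1 sshd[811]: session closed for user alice
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                  r"(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
CLOSED = re.compile(r"session closed for user (?P<user>\S+)")
PRIV_GROUPS = ("'sudo'", "'wheel'", "'root'")   # assumed privileged groups


def parse(line):
    m = LINE.match(line)
    return m.groupdict() if m else None


def monitor(log_text, burst_threshold=3):
    """Return (alerts, sessions): policy alerts and the login/logoff trail."""
    alerts, sessions, failures = [], [], Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            alerts.append(("unparsed-line", line))       # never silently drop input
            continue
        prog, msg = rec["prog"], rec["msg"]
        if prog in ("useradd", "userdel", "usermod"):
            alerts.append(("account-change", f"{prog}: {msg}"))
            if prog == "usermod" and any(g in msg for g in PRIV_GROUPS):
                alerts.append(("privilege-grant", msg))
        elif prog == "auditd" and ("exiting" in msg or "rule" in msg):
            alerts.append(("audit-policy-change", msg))   # what gets logged is changing
        elif prog == "sshd":
            failed, accepted, closed = FAILED.search(msg), ACCEPTED.search(msg), CLOSED.search(msg)
            if failed:
                who = (failed["user"], failed["src"])
                failures[who] += 1
                if failures[who] == burst_threshold:     # alert once per burst
                    alerts.append(("login-failure-burst",
                                   f"{burst_threshold} failures for {who[0]} from {who[1]}"))
            elif accepted:
                sessions.append(("login", accepted["user"], accepted["src"]))
            elif closed:
                sessions.append(("logoff", closed["user"]))
    return alerts, sessions


def demo():
    return monitor(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, detail in demo()[0]:
        print(f"{kind}: {detail}")
```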

    7.3 Honey pots

    A honeypot is a system designed to look like something that an intruder
    can hack. Honeypots are built for many purposes, but the overriding one is
    to deceive attackers and learn about their tools and methods. Honeypots are
    also add-ons/tools that are not strictly sniffer-based intrusion detection
    systems like HIDS and NIDS. However, they are good deception systems that
    protect the network in much the same way as HIDS and NIDS.


    by logging events, gathering information about network activity,
    detecting potential unauthorized intrusions and attacks, preventing actions
    by blocking, and alerting the system administrator to potential adverse
    intrusion events. It is beginning to assume enormous importance in today's
    computing environment. The enormous growth of the Internet and the lack of
    truly secure systems make it an important and pertinent field of research.

    9. BIBLIOGRAPHY

    1. Adams, D. G. (1996). Operational tips for improving intrusion detection
    system performance. Paper presented at the 30th Annual International
    Carnahan Conference on Security Technology, 2-4 Oct. 1996, Lexington, KY.

    2. Axelsson, S. (1999). Research in Intrusion-Detection Systems: A Survey.

    3. Pietraszek, T. and Tanner, A. (2005). Data mining and machine learning -
    Towards reducing false positives in intrusion detection. Information
    Security Technical Report [1363-4127] 10(3), pp. 169-183.