Classification and Importance of IntrusionDetection System
K Rajasekaran
Research Scholar, Research & Development Centre,
Bharathiar University, Coimbatore, India
Dr. K Nirmala
Associate Professor in Computer Science,Quiad-E-Millath Govt. College for Women, Chennai, India.
Abstract:- A
n intrusion detection system (IDS) is adevice orsoftware applicationthat monitors network orsystem activities for malicious activities or policyviolations and produces reports to a ManagementStation. Some systems may attempt to stop an intrusionattempt but this is neither required nor expected of amonitoring system. Due to a growing number of intrusion events and also because the Internet and localnetworks have become so ubiquitous, organizations are
increasingly implementing various systems that monitorIT security breaches. This includes an overview of theclassification of intrusion detection systems andintroduces the reader to some fundamental concepts of
IDS methodology: audit trail analysis and on-the-flyprocessing as well as anomaly detection and signaturedetection approaches. This research paper discusses theprimary intrusion detection techniques and the
classification of intrusion Detection system.
Keywords: Intrusion Detection, signature,anomaly, specification, classification
I.
INTRODUCTION
The main aim of intrusion detection is to monitor network assets to detect anomalous behaviour andmisuse in network. Intrusion Detection has beenaround for nearly twenty years but only recently hasit seen a dramatic rise in popularity and incorporationinto the overall information security Infrastructure.Beginning in the year 1980’s James Anderson'sseminal paper, was written for a governmentorganization, introduced the notion that audit trailscontained vital information that could be valuable intracking misuse and understanding of user behaviour.With the release of Anderson’s paper, the concept of "detecting" misuse and specific user events emerged.His work was the start of host-based intrusiondetection technique and IDS in general.Commercial development of intrusion detectiontechnologies began in the year of 1990s. Haystack Labs was the first commercial vendor of IDS tools,with its Stalker line of host-based products. SAICwas also developing a form of host-based intrusiondetection; this system is called Computer MisuseDetection system (CMDS).Simultaneously, the Air Force's Crypto logicSupport Center developed the Automated SecurityMeasurement System (ASIM) to monitor network traffic on the US Air Force's network. ASIM alsomade considerable progress in overcoming scalabilityand portability issues that previously plagued NID products. Additionally, ASIM was the first solutionto incorporate both a hardware and software solutionto network intrusion detection technique. ASIM iscurrently in use and managed by the Air Force'sComputer emergency Response Team (AFCERT) atlocations all over the world. As often happened, thedevelopment group on the ASIM project formed acommercial company in 1994, the Wheel Group.Their product, Net Ranger, was the firstcommercially viable network intrusion detectiondevice management system.The intrusion detection market began to gain in popularity and truly generate revenues around 1997.In that year, the security market leader, ISS,developed a network intrusion detection systemcalled Real Secure. A year later, Cisco recognized theimportance of network intrusion detection and purchased the Wheel Group, attaining a securitysolution they could provide to their customers.Similarly, the first visible host-based intrusiondetection company, Centrex Corporation, emerged asa result of a merger of the development staff fromHaystack Labs and the departure of the CMDS teamfrom SAIC. From there, the commercial IDS worldexpanded its market-base and a roller coaster ride of start-up companies, mergers, and acquisitions ensued.
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 8, August 201244http://sites.google.com/site/ijcsis/ISSN 1947-5500
Figure 1: Number of incidents reported
The above chart from US-CERT shows how thecyber incidents rose in current internet network environment; this gives requirement of IDSdeployment in network security system.II.
INTRUSION DETECTION SYSTEMTECHNIQUESIntuitively, intrusions in an information systemare the activities that violate the security policy of thesystem, and intrusion detection is the process used toidentify intrusions. Intrusion detection has beenstudied for approximately 20 years. It is based on the beliefs that an intruder’s behavior will be noticeablydifferent from that of a legitimate user and that manyunauthorized actions will be detectable. Intrusiondetection system is classified into three categories.The different types of intrusion Detection techniquesare listed below.A.
Signature based detection systems,B.
Anomaly based intrusion detectionsystemsC.
Specification based detectionsystems.
A.
Signature based detection systems
Signature based detection system (also calledmisuse based), this type of detection is very effectiveagainst known attacks, and it depends on thereceiving of regular updates of patterns and will beunable to detect unknown previous threats or newreleases.One big challenge of signature-based IDS is thatevery signature requires an entry in the database, andso a complete database might contain hundreds or even thousands of entries. Each packet is to becompared with all the entries in the database. Thiscan be very resource- consuming and doing so willslow down the throughput and making the IDSvulnerable to DoS attacks. Some of the IDS evasiontools use this vulnerability and flood the signaturesignature-based IDS systems with too many packetsto the point that the IDS cannot keep up with thetraffic, thus making theIDS time out and drop packets and as a result, possibly miss attacks. Further, this type of IDS is stillvulnerable against unknown attacks as it relies on thesignatures currently in the database to detect attacks.
B.
Anomaly based detection system
This type of detection depends on theclassification of the network to the normal andanomalous, as this classification is based on rules or heuristics rather than patterns or signatures and theimplementation of this system we first need to knowthe normal behaviour of the network. Anomaly baseddetection system unlike the misuse based detectionsystem because it can detect previous unknownthreats, but the false positive to rise more probably.The signature of a new attack is not known beforeit is detected and carefully analyzed. So it is difficultto draw conclusions based on a small number of packets. In this case, anomaly-based systems detectabnormal behaviors and generate alarms based on theabnormal patterns in network traffic or application behaviors. Typical anomalous behaviors that may becaptured include1) Misuse of network protocols such asoverlapped IP fragments and running a standard protocol on a stealthy port;2) Uncharacteristic traffic patterns, such as moreUDP packets compared to TCP ones,3) Suspicious patterns in application payload.The big challenges of anomaly based detectionsystems are defining what a normal network behavior is, deciding the threshold to trigger the alarm, and preventing false alarms. The users of the network are normally human, and people are hard to predict. If the normal model is not definedcarefully, there will be lots of false alarms and thedetection system will suffer from degraded performance.
C.
Specification based detection system
This type of detection systems is responsible for monitoring the processes and matching the actualdata with the program and in case of any abnormal behaviour will be issued an alert and must bemaintained and updated whenever a change wasmade on the surveillance programs in order to be ableto detect the previous attacks the unknown and thenumber of false positives what can be less than theanomaly detection system approach.
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 8, August 201245http://sites.google.com/site/ijcsis/ISSN 1947-5500
III.
CLASSIFICATION OF INTRUSIONDETECTION SYSTEMWhen considering the area being the source of data used for intrusion detection, another classification of intrusion detection systems can beused in terms of the type of the protected system.There is a family of IDS tools that use informationderived from a single host (system) — host based IDS (HIDS) and those IDSs that exploitinformation obtained from a whole segment of a localnetwork (network based IDS, i.e. NIDS) and thecombined Hybrid based Intrusion Detection system.Intrusion detection system is mainly classified intothree types. The classification of intrusion Detectionsystems are listed below:a.
Host based IDS b.
Network based IDSc.
Hybrid based IDSA.
Host based IDS (HIDS)
This type is placed on one device such as server or workstation, where the data is analyzed locally tothe machine and are collecting this data fromdifferent sources. HIDS can use both anomaly andmisuse detection system.A Host Intrusion Detection Systems (HIDS) andsoftware application (agents) installed onworkstations which are to be monitored. The agentsmonitor the operating system and write data tolog files and/or trigger alarms. A hostIntrusion detection systems (HIDS) can onlymonitors the individual workstations on which theagents are installed and it cannot monitor the entirenetwork. Host based IDS systems are used to monitor any intrusion attempts on critical servers.The drawbacks of Host Intrusion DetectionSystems (HIDS) are• Difficult to analyse the intrusion attempts onmultiple computers.• Host Intrusion Detection Systems (HIDS) can bevery difficult to maintain in large networks withdifferent operating systems and configurations• Host Intrusion Detection Systems (HIDS) can bedisabled by attackers after the system iscompromised.Systems that monitor incoming connectionattempts (RealSecure Agent, PortSentry). Theseexamine host-based incoming and outgoing network connections. These are particularly related to theunauthorized connection attempts to TCP or UDP ports and can also detect incoming portscans.Systems that examine network traffic (packets)that attempts to access the host. These systems protect the host by intercepting suspicious packetsand looking for aberrant payloads (packetinspection).Systems that monitor login activity onto thenetworking layer of their protected host (HostSentry).Their role is to monitor log-in and log-out attempts,looking for unusual activity on a system occurring atunexpected times, particular network locations or detecting multiple login attempts (particularly failedones).The HIDS that look only at their host traffic caneasily detect local-to-local attacks or local-to-rootattacks, since they have a clear concept of locallyavailable information, for example they can exploituser IDS. Also, anomaly detection tools feature a better coverage of internal problems since their detection ability is based on the normal behavior patterns of the user.The HIDS reside on a particular computer and provide protection for a specific computer system.They are not only equipped with system monitoringfacilities but also include other modules of a typicalIDS.HIDS products such as Snort, Dragon Squire,Emerald eXpert-BSM, NFR HID, Intruder Alert all perform this type of monitoring.
B.
Network based IDS (NIDS)
Network Intrusion Detection Systems (NIDS)usually consists of a network appliance (or sensor)with a Network Interface Card (NIC) operating in promiscuous mode and a separate managementinterface. The IDS is placed along a network segmentor boundary and monitors all traffic on that segment.
NIDS are deployed on strategic point in network infrastructure. The NIDS can capture and analyzedata to detect known attacks by comparing patternsor signatures of the database or detection of illegalactivities by scanning traffic for anomalous activity. NIDS are also referred as “packet-sniffers”, Becauseit captures the packets passing through the of communication mediums.The network-based type of IDS (NIDS) producesdata about local network usage. The NIDSreassemble and analyze all network packets thatreach the network interface card operatingin promiscuous mode. They do not only deal with packets going to a specific host – since all themachines in a network segment benefit from the protection of the NIDS. Network-based IDS can also be installed on active network elements, for exampleon routers.Since intrusion detection (for example flood-typeattack) employs statistical data on the network load, acertain type of dedicated NIDS can be separately
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 8, August 201246http://sites.google.com/site/ijcsis/ISSN 1947-5500
Search History:
Result 00 of 00
00 results for result for
p.
Classification and Importance of Intrusion Detection System
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop…
(More)
241
Reads
0
Readcasts
0
Embed Views
More From This User
Notes
Load more
