Intrusion Detection
Published by: Manoj Kumar on May 08, 2011
Copyright:Attribution Non-commercial
INTRODUCTION

An intrusion is an active sequence of related events that deliberately try to cause harm, such as rendering a system unusable, accessing unauthorized information or manipulating such information. To record information about both successful and unsuccessful attempts, security professionals place devices that examine the network traffic, called sensors. These sensors are kept both in front of the firewall (the unprotected area) and behind the firewall (the protected area), and evaluation is done by comparing the information recorded by the two.

An Intrusion Detection System (IDS) can be defined as the tools, methods and resources that help identify, assess and report unauthorized activity. Intrusion detection is typically one part of an overall protection system that is installed around a system or device. IDS work at the network layer of the OSI model, and sensors are placed at the choke points on the network. They analyze packets to find specific patterns in the network traffic; if they find such a pattern in the traffic, an alert is logged and a response can be based on the data recorded.

CLASSIFICATION OF INTRUSION DETECTION SYSTEMS

Intrusion detection systems fall into one of three categories: Host Based Intrusion Detection Systems (HIDS), Network Based Intrusion Detection Systems (NIDS), and hybrids of the two.

[Figure: IDS classified into HIDS, NIDS and Hybrid]

A Host Intrusion Detection System requires software that resides on the system and can scan all host resources for activity; some just scan syslog and event logs for activity. It logs any activities it discovers to a secure database and checks whether the events match any malicious event record listed in the knowledge base.

A Network Intrusion Detection System is usually inline on the network, and it analyzes network packets looking for attacks. A NIDS receives all packets on a particular network segment, including switched networks. It carefully reconstructs the streams of traffic to analyze them for patterns of malicious behavior. Most NIDS are equipped with facilities to log their activities and report or alarm on questionable events.

A Hybrid Intrusion Detection System combines a HIDS, which monitors events occurring on the host system, with a NIDS, which monitors network traffic.

The basic process of an IDS is that a NIDS or HIDS passively collects data, then preprocesses and classifies it. Statistical analysis can be done to determine whether the information falls outside normal activity, and if so, it is then matched against a knowledge base. If a match is found, an alert is sent. The goal of Intrusion Detection Systems is to improve an information system's security. It is an organization of the consistent parts of data and their interrelationships to identify any analogous activity of interest. This goal can be further broken down as follows:
Create records of relevant activity for follow up.
Criminal prosecution of intrusion attacks.
Act as a deterrent to malicious attack.

The intrusion analysis process can be broken down into four phases, as follows:
Preprocessing
Analysis
Response
Refinement

Preprocessing:
Preprocessing is a key function once data have been collected from IDS or IPS sensors. In this step the data are organized in some fashion for classification. This stage determines the format the data are put into, which would be a canonical format or a structured database. Once the data are formatted they are further classified; this classification depends upon the analysis schema being used.
If rule-based detection is used, the classification involves rules and pattern descriptors. If anomaly detection is used, then we have a statistical profile based on different algorithms in which the user behavior is baselined over time, and any behavior that falls outside that classification is flagged as an anomaly.
On completion of the classification process the data are concatenated and put into a defined detection template of some object by replacing variables with values. These detection templates populate the knowledge base, which is stored in the core analysis engine:
Detection of unexpected privilege escalation.
Detection of backdoor NetBus.
Detection of modification of system log files.
Detection of backdoor SubSeven.
Oracle grant attempt.

Analysis:
Once preprocessing is completed, the analysis stage begins. The data record is compared with the knowledge base. The data record will either be logged as an intrusion event or it will be dropped and the next data record is analyzed.

Response:
Here, in intrusion detection systems we get the information passively after the fact, so we get an alert after the fact. The response can be set to be performed automatically, or can be done manually after someone has analyzed the situation.

Refinement:
This is the stage where fine tuning is done, based on previous usage and detected intrusions. This helps in reducing false positive levels and in making the security tool more effective. There are tools like CTR (Cisco Threat Response) that help with the refining stage by actually making sure that an alert is valid by checking whether you are vulnerable to the attack or not. Rule-based detection is also known as signature detection, pattern matching and misuse detection.

INTRUSION DETECTION ARCHITECTURE

The roles performed by and relationships among machines, devices, applications and processes, including the conventions used for communicating between them, define an architecture. The intrusion detection architecture is a designed structure into which every element fits. An effective architecture is one in which each machine, device, component and process performs its role in an effective and coordinated manner, resulting in information processing and output.
Different types of tiered architectures are as follows:
Single-tiered architecture
Multi-tiered architecture

Single-tiered Architecture:
A single-tiered architecture, the most basic of the architectures discussed here, is one in which components in an IDS collect data and process the data themselves, rather than passing the output they collect to another set of components.
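The preprocessing, analysis and response stages described above, implemented as a single-tiered HIDS that collects system log lines and processes them itself. This is an added example and not code from the original document: the syslog-style lines, the rule names, the /etc/shadow and /var/log patterns, and the login-rate baseline are all constructed for illustration. It shows both analysis schemas the text names: rule-based detection, where each record is compared with detection templates in a knowledge base and the template's variables are replaced with values from the record, and anomaly detection, where a user's logins per hour are baselined and an hour far above that baseline is flagged.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample syslog-style lines (not from the original document).
# Format: "<hour> <host> <program>: <message>". Eight quiet hours of one
# login each for "alice", a burst of six logins in hour 12, then three
# other events, two of which match rules in the knowledge base.
SAMPLE_LOGS = [f"{h:02d} web01 sshd: Accepted password for alice from 10.0.0.5 port {51000 + h}"
               for h in range(8)]
SAMPLE_LOGS += [f"12 web01 sshd: Accepted password for alice from 10.0.0.5 port {52000 + i}"
                for i in range(6)]
SAMPLE_LOGS += [
    "13 web01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "13 web01 audit: user bob wrote to /var/log/auth.log",
    "14 web01 cron: (root) CMD (/usr/bin/logrotate)",
]

LINE_RE = re.compile(r"^(?P<hour>\d{2}) (?P<host>\S+) (?P<program>\S+): (?P<message>.*)$")


def preprocess(lines):
    """Preprocessing stage: put raw lines into one canonical record format."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:                       # lines that do not fit the format are dropped
            records.append(m.groupdict())
    return records


# Knowledge base of detection templates (constructed). Each entry is the
# template name, the program it applies to, and a pattern whose named groups
# are the variables that get replaced with values when the template fires.
KNOWLEDGE_BASE = [
    ("unexpected privilege escalation", "sudo",
     re.compile(r"^(?P<user>\w+) : .*COMMAND=(?P<command>\S+) (?P<target>/etc/shadow)")),
    ("modification of system log files", "audit",
     re.compile(r"user (?P<user>\w+) wrote to (?P<file>/var/log/\S+)")),
]


def rule_based_analysis(records):
    """Analysis stage, rule-based: compare each record with the knowledge base.
    A match is logged as an intrusion event; anything else is dropped."""
    events = []
    for rec in records:
        for name, program, pattern in KNOWLEDGE_BASE:
            if rec["program"] != program:
                continue
            m = pattern.search(rec["message"])
            if m:
                events.append({"rule": name, "host": rec["host"],
                               "hour": rec["hour"], **m.groupdict()})
    return events


LOGIN_RE = re.compile(r"Accepted \w+ for (?P<user>\w+) from")


def anomaly_analysis(records, threshold=2.0):
    """Analysis stage, anomaly-based: baseline each user's logins per hour
    and flag hours more than `threshold` standard deviations above the mean."""
    per_user_hour = defaultdict(Counter)
    for rec in records:
        m = LOGIN_RE.search(rec["message"])
        if rec["program"] == "sshd" and m:
            per_user_hour[m["user"]][rec["hour"]] += 1
    anomalies = []
    for user, hours in per_user_hour.items():
        counts = list(hours.values())
        if len(counts) < 2:         # no baseline yet: nothing to compare against
            continue
        mean, stdev = statistics.mean(counts), statistics.pstdev(counts)
        for hour, n in sorted(hours.items()):
            if stdev > 0 and (n - mean) / stdev > threshold:
                anomalies.append({"user": user, "hour": hour, "logins": n})
    return anomalies


def run_hids(lines):
    """Single-tiered HIDS: collect, preprocess, analyze and respond locally.
    The response here is simply to emit an alert line for each finding."""
    records = preprocess(lines)
    events = rule_based_analysis(records)
    anomalies = anomaly_analysis(records)
    for e in events:
        print(f"[ALERT] {e['host']} hour {e['hour']}: {e['rule']} by {e['user']}")
    for a in anomalies:
        print(f"[ANOMALY] {a['user']}: {a['logins']} logins in hour {a['hour']}")
    return {"intrusions": events, "anomalies": anomalies}


if __name__ == "__main__":
    run_hids(SAMPLE_LOGS)
```

The two schemas complement each other in the way the text describes: the rule-based pass only fires on records that match a template in the knowledge base, while the anomaly pass has no knowledge of specific attacks and instead reports the login burst purely because it falls outside the baselined behavior.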
An example is a HIDS tool that takes the output of system logs and compares it to known patterns of attack.

Multi-tiered Architecture:
A multi-tiered architecture involves multiple components that pass information to each other. An IDS mainly consists of three parts, as follows:
Sensors
Analyzers or agents
Manager

Sensors perform data collection. For example, network sensors are often programs that capture data from network interfaces; they may even collect data from system logs and other sources such as personal firewalls and TCP wrappers. Sensors pass information to agents, which monitor the intrusive activity on their individual hosts. Each sensor and agent is configured to run on the particular operating environment in which it is placed. Agents are specialized to perform one and only one function. For example, one agent might examine nothing but TCP, while another agent would examine only FTP connections. When an agent has determined that an attack has occurred or is going to occur, it sends information to the manager component, which can perform a variety of functions including:
Collecting and displaying alerts on a console.
Triggering a pager or calling a cellular phone number.
Storing the information regarding the incident in the database.
Sending information to the host that stops it from executing certain instructions in memory.
Sending commands to the firewall.

A central collection point allows for greater ease in analyzing logs because all the log information is available at one location. Additionally, writing log data to a different system (the one on which the manager resides) from the one that produced it is advisable, because if attackers destroy log data on the original system, the database would still be available on the central server. Some of the advantages of the multi-tiered architecture include greater efficiency and depth of analysis, and some of the downsides include increased cost and complexity.

The architecture consists of three components, as follows:
Sensors
Agents or Analyzers
Manager Component

Sensors:
Sensors are critical in intrusion-detection architectures; they are the beginning point of intrusion detection and prevention because they supply the initial data about potentially malicious activity. A deeper look at sensor functionality, deployment, and security will provide insight into exactly what sensors are and how they work.

Sensor Functions:
Considering all the possible intrusion-detection components within a particular architecture, sensors are usually (but not always) the lowest-end components. In other words, sensors typically do not have very sophisticated functionality. They are usually designed only to obtain certain data and pass them on. There are two basic types of sensors: network-based and host-based sensors.

Network-Based Sensors:
Network-based sensors, the more frequently deployed of the two types, are programs or network devices (such as physical devices) that capture data in packets traversing a local Ethernet or token ring or a network switching point. One of the greatest advantages of network-based sensors is the sheer number of hosts for which they can provide data. In an extreme case, one sensor might be used to monitor all traffic coming into and out of a network. If the network has a thousand hosts, the sensor can, in theory, gather data about misuse and anomalies in all thousand hosts. The cost-effectiveness of this approach is huge (although critics justifiably point out that a single sensor is also likely to miss a considerable amount of data that may be critical to an intrusion-detection effort if the sensor does not happen to be recording traffic on the particular network route over which packets containing the data are sent). Additionally, if configured properly, sensors do not burden the network with much additional traffic, especially if two network interfaces—one for monitoring and the other for management—are used. A monitoring interface has no TCP/IP stack whatsoever, nor does it have any linkage to any IP address, both of which make it an almost entirely transparent entity on the network.

The programs that intrusion-detection tools most frequently use as sensors are tcpdump and libpcap. To reiterate, tcpdump captures data from packets and prints the headers of packets that match a particular filter (or Boolean) expression. Packet parameters that are particularly useful in intrusion detection and prevention are time, source and destination addresses, source and destination ports, TCP flags, initial sequence number from the source IP for the initial connection, ending sequence number, number of bytes, and window size. tcpdump is an application, but libpcap is a library called by an application. libpcap is designed to gather packet data from the kernel of the operating system and then move it to one or more applications—in this particular case, to intrusion-detection applications. For example, an Ethernet card may obtain packet data from a network. The underlying operating system over which libpcap runs will process each packet in many ways, starting with determining what kind of packet it is by removing the
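The network-based sensor just described, and the multi-tiered sensor, agent and manager chain from the architecture section, as an added example that is not code from the original document. The sensor works the way the text says the operating system and tcpdump do: it strips the Ethernet header, decides what kind of packet it is from the EtherType, and pulls out the fields the text lists as useful (time, addresses, ports, TCP flags, sequence number, byte count and window size). A TCP-only agent, matching the "one agent might examine nothing but TCP" remark, raises an alert to a manager that stores it centrally. The raw frames are constructed in the block itself (hypothetical MAC and IP addresses, no checksums) so that it runs with no capture interface and no libpcap; a real deployment would feed decode_frame from a pcap handle instead.

```python
import socket
import struct
from collections import defaultdict

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, flags, window, payload=b""):
    """Constructed test input: an Ethernet/IPv4/TCP frame as a sensor would
    receive it from libpcap. MACs are made up and checksums are left zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


# A constructed ARP frame: EtherType 0x0806, which this IPv4 sensor passes by.
ARP_FRAME = b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x06" + b"\x00" * 28


def decode_frame(raw, ts):
    """Sensor function: remove the Ethernet header, determine the packet
    type, and extract the header fields tcpdump would print."""
    if len(raw) < 14 or struct.unpack("!H", raw[12:14])[0] != 0x0800:
        return None                                   # not IPv4
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                          # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    rec = {"time": ts, "src": socket.inet_ntoa(ip[12:16]),
           "dst": socket.inet_ntoa(ip[16:20]), "proto": proto, "bytes": total_len}
    if proto == 6 and len(ip) >= ihl + 20:            # TCP: read the fixed 20-byte header
        sport, dport, seq, _ack, _off, flags, window = struct.unpack("!HHIIBBH", ip[ihl:ihl + 16])
        rec.update(sport=sport, dport=dport, seq=seq, window=window,
                   flags=[name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit])
    return rec


class TcpAgent:
    """Agent specialized to TCP only. It alerts when one source opens
    connections (SYN without ACK) to more than `max_ports` distinct ports on
    a single host; `max_ports` is a constructed threshold for the example."""

    def __init__(self, max_ports=3):
        self.max_ports = max_ports
        self.syn_ports = defaultdict(set)
        self.reported = set()

    def examine(self, rec):
        if rec is None or rec.get("proto") != 6:
            return None                               # not TCP: not this agent's job
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            key = (rec["src"], rec["dst"])
            self.syn_ports[key].add(rec["dport"])
            if len(self.syn_ports[key]) > self.max_ports and key not in self.reported:
                self.reported.add(key)
                return {"time": rec["time"], "src": rec["src"], "dst": rec["dst"],
                        "ports": sorted(self.syn_ports[key]),
                        "reason": "SYNs to many distinct ports"}
        return None


class Manager:
    """Manager component: the central collection point. Alerts are stored
    here, away from the monitored hosts, and shown on the console."""

    def __init__(self):
        self.database = []

    def receive(self, sensor_host, alert):
        entry = {"sensor": sensor_host, **alert}
        self.database.append(entry)
        print(f"[ALERT] {sensor_host}: {alert['src']} -> {alert['dst']} "
              f"{alert['reason']} ports={alert['ports']}")
        return entry


def run_sensor(frames, sensor_host="sensor-dmz", manager=None):
    """Drive the sensor -> agent -> manager chain over (timestamp, frame) pairs."""
    manager = manager or Manager()
    agent = TcpAgent()
    for ts, raw in frames:
        alert = agent.examine(decode_frame(raw, ts))
        if alert:
            manager.receive(sensor_host, alert)
    return manager


# Constructed traffic: one ARP frame, four SYNs from 10.0.0.9 to four ports on
# 192.168.1.20, and one SYN/ACK reply, which the agent must not count.
SAMPLE_FRAMES = [(0.5, ARP_FRAME)]
SAMPLE_FRAMES += [(1.0 + i * 0.01, build_tcp_frame("10.0.0.9", "192.168.1.20", 40000 + i, port,
                                                  1000 + i, 0x02, 64240))
                  for i, port in enumerate([22, 80, 443, 3306])]
SAMPLE_FRAMES.append((2.0, build_tcp_frame("192.168.1.20", "10.0.0.9", 80, 40001, 5000, 0x12, 65535)))

if __name__ == "__main__":
    run_sensor(SAMPLE_FRAMES)
```

Because the agent and the manager are separate objects fed by the sensor, the same decode_frame output could be handed to a second agent specialized for another protocol, and the manager keeps the alert record even if the monitored host's own logs are later destroyed, which is the point the text makes about central collection.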