(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 1, January 2011
Performance Assessment of Tools of the IntrusionDetection/Prevention Systems
Yousef FARHAOUI
LabSiv, Equipe ESCAM
Faculty of sciences Ibn Zohr University B.P 80060, CityDakhla, Agadir, Morocco.youseffarhaoui@gmail.com
Ahmed ASIMI
LabSiv, Equipe ESCAMFaculty of sciences Ibn Zohr University B.P 80060, CityDakhla, Agadir, Morocco.asimiahmed2008@gmail.com
Abstract
—
This article aims at providing (i) a generalpresentation of the techniques and types of the intrusiondetection and prevention systems, (ii) an in-depth descriptionof the evaluation, comparison and classification features of the IDS and the IPS and (iii) the implications of such studyon how to determinate the features of some more effectiveIDS and IPS in the commercial domains and open source.
Keywords
—
Intrusion Detection, Intrusion Prevention,Characteristic, Tools.
I.
I
NTRODUCTION
The systems of detection and prevention of intrusion,IDS and IPS, are among the most recent tools of security.According to their features, we can classify them indifferent kinds, for example, their techniques of detectionand prevention, their architecture or the range of detection[3]. In spite of their utility, in practice most IDS/IPSexperience two problems: the important number of falsepositives and false negatives. The false positives, the falsealerts, are generated when the IDS/IPS identifies normalactivities as intrusions, whereas the false negativescorrespond to the attacks or intrusions that are notdetected, and then no alert is generated [4]. The IDS/IPSinventors try to surmount these limitations by developingnew algorithms and architectures.Therefore, it is important for them to value theimprovements brought by these new devices. In the sameway, for the network and systems administrators, it wouldbe interesting to assess the IDS/IPS to be able to choosethe best before installing it on their networks or systems,but also to continue to evaluate its efficiency inoperational method. Unfortunately, many false positivesand false negatives persist in the new versions of theIDS/IPS, then, the brought improvements are not worthyof the continuous efforts of research and development inthe domain of the detection and the prevention of intrusion. In general, it is essentially due to the absence of efficient methods of assessment of the security tools, andof the IDS/IPS in particular.II.
I
NTRUSION
D
ETECTION
S
YSTEMS
The IDS is a mechanism which watches over the trafficnetwork in a sneaky manner in order to mark abnormal orsuspected activities and permitting to have an action of prevention on the risks of intrusions.Mainly, there are three important distinct families of IDS:
The NIDS, Network Based Intrusion DetectionSystem which assures the security in the network.
The HIDS, Host Based Intrusion Detection Systemwhich assures the security in the hosts.
The hybrid IDS. An IDS hybrid is a combination of both the HIDS and the NIDS.
A.
Network Intrusion Detection System
The NIDS are also called passive IDS since this kind of systems inform the administrator system that an attack hasor had taken place, and it takes the adequate measures toassure the security of the system. The aim is to informabout an intrusion in order to look for the IDS capable toreact in the post. Report of the damages is not sufficient. Itis necessary that the IDS react and to be able to block thedetected doubtful traffics. These reaction techniques implythe active IDS.
B.
The Host Intrusion Detection System
According to the source of the data to examine, theHost Based Intrusion Detection System can be classifiedin two categories:
The HIDS Based Application. The IDS of this typereceive the data in application, for example, thelogs files generated by the management software of the database, the server web or the firewalls. Thevulnerability of this technique lies in the layerapplication.
The HIDS Based Host. The IDS of this type receivethe information of the activity of the supervisedsystem. This information is sometimes in the formof audit traces of the operating system. It can also
7http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 1, January 2011
include the logs system of other logs generated bythe processes of the operating system and thecontents of the object system not reflected in thestandard audit of the operating system and themechanisms of logging. These types of IDS canalso use the results returned by another IDS of theBased Application type.
C.
The Systems Detection Intrusion Hybrids
The NIDS-HIDS combination or the so called hybridgathers the features of several different IDS. It allows, inonly one single tool, to supervise the network and theterminals. The probes are placed in strategic points, andact like NIDS and/or HIDS according to their sites. Allthese probes carry up the alerts then to a machine whichcentralize them all, and aggregate the information of multiple origins.III.
I
NTRUSIONS
P
REVENTION
S
YSTEM
The intrusion prevention is an amalgam of securitytechnologies. Its goal is to anticipate and to stop theattacks [2]. The intrusion prevention is applied by somerecent IDS. Instead of analyzing the traffic logs, which liesin discovering the attacks after they took place, theintrusion prevention tries to warn against such attacks.While the systems of intrusion detection try to give thealert, the intrusion prevention systems block the trafficrated dangerous.Over many years, the philosophy of the intrusionsdetection on the network amounted to detect as many aspossible of attacks and possible intrusions and to consignthem so that others take the necessary measures. On thecontrary, the systems of prevention of the intrusions on thenetwork have been developed in a new philosophy_"taking the necessary measures to counter attacks ordetectable intrusions with precision ".In general terms, the IPS are always online on thenetwork to supervise the traffic and intervene actively bylimiting or deleting the traffic judged hostile byinterrupting the suspected sessions or by taking otherreaction measures to an attack or an intrusion. The IPSfunctions symmetrically to the IDS; in addition to that,they analyze the connection contexts, automatize the logsanalysis and suspend the suspected connections. Contraryto the classic IDS, the signature is not used to detect theattacks. Before taking action, The IDS must make adecision about an action in an appropriate time. If theaction is in conformity with the rules, the permission toexecute it will be granted and the action will be executed.But if the action is illegal an alarm is issued. In mostcases, the other detectors of the network will be informedwith the goal to stop the other computers from opening orexecuting specific files.Unlike the other prevention techniques, the IPS is arelatively new technique. It is based on the principle of integrating the heterogeneous technologies: firebreak,VPN, IDS, anti-virus, anti-Spam, etc.The IPS are often considered as IDS of secondgeneration; that is to say, the IPS replace the IDSgradually. In fact, the IPS are meant to make up for thelimitations of the IDS concerning attacks response.Whereas the IDS cannot block an intrusion if it is not viathe use of active responses, the IPS are able to block anintrusion in the appropriate time. Indeed, the positioningof the cut, be it in a firewall or in a proxy, is the onlymeans which allows to analyze the input and output dataand to destroy the intrusive packets dynamically beforethey arrive to their destination. Moreover, the IPS enableto compensate the IDS inability to manage the high debitsbecause of a software architecture.The IPS allow the following functionalities [8]:
Supervising the behaviour of the application
Creating rules for the application
Issuing alerts in case of violations
Correlating different sensors to guarantee a betterprotection against the attacks.
Understanding of the IP networks
Having mastery over the network probes and thelogs analysis
Defending the vital functions of the network
Carrying out an analysis with high velocity.
A.
The Network Intrusion Prevention System
When the attack is detected, the system reacts to modifythe environment of the attacked system. This modificationcan be in the form blocking some fluxes and some ports orin the form of insulating some network systems. Directlyaffected system traffic is the sensitive point of this kind of prevention device especially when the false is positive.Therefore, the mistakes must be few because they have adirect impact on the availability of the systems. Whendangerous traffic is detected, the IPS blocks this trafficlike a firewall. Nevertheless, the same traffic, which takesplace in a non dangerous configuration, won't be blocked.An IPS can be seen as identical to an intelligent firewallwith dynamic rules [7].
B.
The Host Intrusion Prevention System
Nowadays, the attacks evolve quickly and are targeted.Also, it is necessary to have a protection capable to stopthe malwares before the publication of an update of thespecific detection. An intrusions prevention system basedon the Host Intrusion Prevention System or HIPS isdestined to stop the malwares before an update of thespecific detection is taken by supervising the codebehaviour. The majority of the HIPS solutions supervisesthe code at the time of its execution and intervenes if thecode is considered suspected or malevolent [7].IV.
F
EATURES TO EVALUATE AND TO COMPARE FORTHE
IDS/IPS
SYSTEMS
The expression" system of detection and preventionof the intrusions" is used to describe multiple technologies
8http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 1, January 2011
and solutions of security. This paper focuses on thesystems of prevention of the intrusions capable to takeimmediate measures to tackle the attacks and intrusionswithout manual intervention. The tools of the intrusionsdetection and prevention systems display the followingfeatures:a.
Online machine capable to reliably and accuratelydetect the attacks and to block them with precisionb.
High online velocity without any effect on theperformance or the availability of the network c.
Efficient integration within the environment of thesecurity managementd.
Easy and quick adaptation with and anticipation of the unknown intrusionse.
Accurate and precise interventionf.
Good citizenship on the network g.
Efficient security-based managementAn IDS/IPS system must include flexible andtransparent methods to update its data-base with regard tothe new signatures of attack. Besides, the IDS/IPS systemsmust have methods capable to react to new attacks withoutupdates of signature.The inverse exclusion, where all requests, except of those legitimate for a definite destination, are deleted, thevalidation of protocol, in which the methods of illegitimate requests are deleted, or the independentblockage of the attack, where the attackers are identifiedand the whole traffic that comes is deleted, whether theattacks are known or not.V.
T
HE FEATURES OF CLASSIFICATION OF THE
IDS
AND THE
IPS.There are a lot of products whose complexity of implementation and degree of integration are varied. Thetools strictly based on behavioural models affect thevelocity. But they are more and more integrated in IDS / IPS initially based on a library of signatures, thanks totheir complementarily. The tools systems are worst facingto the tools networks. The invention of the hybrid toolsthat brings a less partial security in the protection of thesystem of information can solve this dilemma.The first criterion of classification of the IDS/IPS is themethod of analysis. It consists in two approaches.
The approach by script: this approach consists insearching for in the activity of the elementsupervised the prints (or signatures) of knownattacks. This type of IDS/IPS is merely reactive; itcan only detect the attacks of which it possesses thesignature. Therefore, it requires frequent updates.Besides, the efficiency of this detection systemdepends strongly on the precision of its signaturebasis. This is why these systems are vulnerable forthe pirates who use some techniques “escape" thatconsists in making up the used attacks. Thesetechniques have the trend to vary the signatures of the attacks that are not recognized anymore by theIDS/IPS
The behavioural approach: it consists in detectingsome anomalies. The implementation alwaysconsists of a phase of training during which theIDS/IPS is going
to
discover
the
normal
functioning of the supervised elements. They areable, thus, to signal the divergences in relation tothe working of the reference. The behaviouralmodels can be elaborated from statistical analyses.They present the advantage to detect new types of attacks. However, frequent adjustments arenecessary in order to evolve the reference model sothat it reflects the normal activity of the users andreduce the number of false alerts generated.Each of these two approaches can drive to
false
positives
or to
false
negatives
.The intrusion detection and prevention systems becomeindispensable at the time of the setting up of anoperational security infrastructure. Therefore, they alwaysintegrate in a context and in an architecture imposingvarious constraints.The following criteria will be adopted in the classificationof the IPS/IDS:
Reliability
: The generated alerts must be justified andno intrusion to escape
Reactivity
: An IDS/IPS must be capable to detect andto prevent the new types of attacks as quickly aspossible. Thus, it must constantly self-update.Capacities of automatic update are so indispensable
Facility
of
implementation
and
adaptability
: AnIDS/IPS must be easy to function and especially toadapt to the context in which it must operate. It isuseless to have an
IDS/IPS giving out
some alertsin less than 10 seconds if the resources necessary to areaction are not available to act in the sameconstraints of time
Performance
: the setting up of an IDS/IPS must notaffect the performance of the supervised systems.Besides, it is necessary to have the certainty that theIDS/IPS has the capacity to treat all the information inits disposition because in the reverse case it becomestrivial to conceal the attacks while increasing thequantity of information.These criteria must be taken into consideration whileclassifying an IDS/IPS, as well:
The sources of the data to analyze,
network
,
system
or
application
The behaviour of the product after intrusion,
passive
or
active
The frequency of use,
periodic
or
continuous
The operating system in which operate the tools,
Linux
,
Windows
,
etc
.
The source of the tools,
open
or
private
9http://sites.google.com/site/ijcsis/ISSN 1947-5500
Search History:
Result 00 of 00
00 results for result for
p.
More From This User
Notes
Load more
