By. P. Victer Paul
An IDS, or Intrusion Detection System, is a system designed to detect unauthorized access to secure systems, i.e. hacking, cracking or script-based attacks.
Such systems are generally composed of both sensors, such as Snort, which watch network traffic and trigger security events, and a console interface, which shows and filters the security events; an example of the latter is Sguil.
Definition: An intrusion can be defined as a subversion of security to gain access to a system. This intrusion can use multiple attack methods and can span long periods of time.
These unauthorized accesses to computer or network systems are often designed to study the system's weaknesses for future attacks. Other forms of intrusions are aimed at limiting access, or even preventing access, to computer systems or networks.
Basically, intrusion detection systems do exactly as the name implies: they detect possible intrusions. More specifically, IDS tools aim to detect computer attacks and/or computer misuse and alert the proper individuals upon detection. An IDS provides much of the same functionality as a burglar alarm installed in a house. That is, both the IDS and the burglar alarm use various methods to detect when an intruder/burglar is present, and both subsequently issue some type of warning or alert.
What are we protecting?
◦ Data
◦ Privacy
◦ Availability
Who are the intruders?
◦ Hackers
◦ Thieves
The methods used by intruders can often contain any one, or even combinations, of the following intrusion types:
◦ Distributed Denial of Service
◦ Trojan Horse
◦ Viruses and Worms
◦ Spoofing
◦ Network/Port Scans
◦ Buffer Overflow
There are many approaches that are used to implement IDS. However, the majority of IDS systems contain the following 3 components:
◦ Information Source
◦ Analysis Engine
◦ Response/Alert
An in-depth look at these approaches will be presented in later sections.
All IDS need an information source in which to monitor for intrusive behavior. The information source can include: network traffic (packets), host resources (CPU, I/O operations, and log files), user activity and file activity, etc. The information can be provided in real-time or in a delayed manner.
The Analysis Engine is the "brains" behind IDS. This is the actual functionality that is used to identify the intrusive behavior. As mentioned previously, there are many ways in which IDS analyze intrusive behavior; the majority of IDS implementations differ in the method of intrusion analysis.
Once an intrusive behavior is identified, IDS need to be able to respond to the attack and alert the appropriate individuals of the occurrence. Response activities can include: applying firewall rules to drop traffic from a particular source IP, host port blocking, disabling an account, logging off a user, security software activation, system shutdown, etc.
Alerting measures are used to bring the attack to the attention of the proper individuals supporting the environment. For example, an IDS alert can include an active measure, which may be sending an email or text page to the system administrator, or it could simply write a detailed log of the event, which is a passive measure.
The ultimate desire of IDS functionality is the identification of all intrusive behavior within an environment, and the reporting of that behavior in a timely manner. However, in order for IDS to be successful in today's complex environments, some more characteristics are needed. An IDS should:
◦ run continually with minimal human supervision
◦ withstand an attack and continue functioning
◦ monitor itself and resist local intrusion
◦ use minimal resources
◦ adapt and recognize "normal" behavior
No false negative instances: A false negative is an instance when the network or system was under attack, but the IDS did not identify it as intrusive behavior, thus no alert was activated.
Low rate of false positive alerts: A false positive is, essentially, a false alarm. The IDS should allow some anomalous events without flagging an emergency alert. This doesn't mean it should allow true malicious behavior, but it should be flexible/smart enough to allow for the occasional user mistake or communication blip.
Scalability: The IDS system must be able to function in large (and fast) network architectures.
The IDS approaches covered below are:
◦ Anomaly-Based
◦ Misuse-Based
◦ Host-Based
◦ Network-Based
Computer and network anomaly detection Intrusion Detection System models operate by building a model of "normal" system behavior. Normal system behavior is determined by observing the standard operation of the system or network. The assumption in anomaly detection is that an intrusion can be detected by observing a deviation from the normal or expected behavior of the system or network. Anomaly detection then takes the normal observation model and uses statistical variance, or, as we shall see later, Data Mining techniques with artificial intelligence, to determine if the system or network environment behavior is running normally or abnormally.
Threshold detection is the process in which certain attributes of user and computer system behavior are expressed in terms of counts, with some level established as permissible. For example, such behavior attributes can include the number of files accessed by a given user over a certain period of time, the number of failed attempts to login to the system, the amount of CPU utilized by a process, etc.
Statistical measures: These measures can be parametric or non-parametric.
◦ Parametric measures are used when a distribution of the profiled attributes is assumed to fit a particular pattern.
◦ Non-parametric measures are used when the distribution of the profiled attribute is gathered from a set of historical values observed over time.
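The three anomaly measures just described, applied to one profiled attribute (failed logins per hour for a user), as an added example that is not part of the original slides. The history and the new observations are constructed sample data; the fixed threshold of 10, the z-score limit of 3 and the 95th-percentile cut-off are assumed policy values.

```python
import statistics
from typing import Sequence

# Constructed sample: failed-login counts per hour for one user over 20 hours
# of observed "normal" operation (the profile), plus three new hours to score.
HISTORY = [2, 1, 3, 0, 2, 4, 1, 2, 3, 2, 1, 0, 2, 3, 1, 2, 4, 1, 2, 3]
NEW_OBSERVATIONS = {"08:00": 2, "09:00": 6, "10:00": 47}


def threshold_check(count: int, limit: int) -> bool:
    """Threshold detection: flag when a count exceeds a fixed permissible level."""
    return count > limit


def parametric_check(count: int, history: Sequence[int], z_limit: float = 3.0) -> bool:
    """Parametric measure: assume the profile is roughly normal and flag any
    observation more than z_limit standard deviations above the historical mean."""
    mean = statistics.mean(history)
    stdev = statistics.pstdev(history) or 1.0  # flat profile: avoid division by zero
    return (count - mean) / stdev > z_limit


def nonparametric_check(count: int, history: Sequence[int], quantile: float = 0.95) -> bool:
    """Non-parametric measure: no distribution assumed; flag when the observation
    exceeds the empirical quantile of the historical values themselves."""
    ordered = sorted(history)
    idx = min(int(quantile * len(ordered)), len(ordered) - 1)
    return count > ordered[idx]


def score(count: int, history: Sequence[int], limit: int = 10) -> dict:
    """Run all three measures so their verdicts can be compared side by side."""
    return {
        "threshold": threshold_check(count, limit),
        "parametric": parametric_check(count, history),
        "nonparametric": nonparametric_check(count, history),
    }


if __name__ == "__main__":
    for hour, count in NEW_OBSERVATIONS.items():
        print(hour, count, score(count, HISTORY))
```

The 09:00 value of 6 is well under the fixed threshold yet is flagged by both statistical measures, which is the point of profiling normal behavior rather than picking a single permissible level.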
An IDS based on the detection of anomalies can detect unusual behavior and thus has the ability to detect symptoms of attacks without specific knowledge of details. It can detect attempts to exploit new and unforeseen vulnerabilities. This is a very powerful advantage. It is for this reason alone that a majority of the research of future IDS models includes some sort of anomaly detection. It can recognize unusual network traffic based on network packet characteristics (payload, source IP, time, etc). It can produce information from the intrusive attack that can be used to define signatures for misuse detectors. It can also be used to detect 'abuse-of-privilege' types of attacks, which generally do not involve exploiting any security vulnerabilities.
Misuse detection IDS models function in very much the same sense as high-end computer anti-virus applications. That is, misuse detection IDS models analyze the system or network environment and compare the activity against signatures (or patterns) of known intrusive computer and network behavior. These signatures must be updated over time to include the latest attack patterns, much like computer anti-virus applications.
Misuse-based IDS can be used very quickly. There isn't a need for the IDS to "learn" the network behavior before it can be of use. If the signatures of attacks used by the misuse detection system are reliable, then attacks that match those signatures are very quickly identified, which makes the determination of corrective measures easier. The signature matching also provides fewer false alarms (false positives) than other IDS methods. Computer administrators can write their own signatures in accordance with the organization's security policy.
Like anti-virus software, the signatures containing the attack patterns are constantly changing. Good computer and network hackers are well aware of the patterns of known exploits. These patterns can be modified to decrease the chances of raising any red flags. Intrusion detection systems that follow the misuse detection model need to be constantly updated to stay a step ahead of the hackers.
Since misuse detection operates by comparing known intrusive signatures against the observed log, misuse detectors suffer from the limitation of only being able to detect attacks that are known. Therefore, they must be constantly updated with attack signatures that represent newly discovered attacks or modified existing attacks.
Vulnerable to evasion: Many misuse detectors are designed to use tightly defined signatures that prevent them from detecting variants of common attacks. Once a security hole has been discovered and a signature has been written to capture it, several other iterations of "copycat" exploitations usually surface to take advantage of the same security hole. Since the attack method is a variant of the original attack method, it usually goes undetected by the original vulnerability signature, requiring the constant rewrite of signatures.
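An added example, not from the original slides, of why a tightly defined signature misses copycat variants and how a detector can canonicalize traffic before matching so that trivially respelled requests collapse onto the known pattern. The signature, its sid, the fictitious CGI path and the HTTP request lines are all constructed for this illustration.

```python
from urllib.parse import unquote

# Constructed, hypothetical signature for a fictitious vulnerable CGI path.
SIGNATURES = [
    {"sid": 1000001, "msg": "access to fictitious vulnerable CGI", "content": "/cgi-bin/vuln-demo.cgi"},
]

# Constructed sample of HTTP request lines as a NIDS would see them on the wire.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",                    # benign
    "GET /cgi-bin/vuln-demo.cgi?x=1 HTTP/1.1",     # exact spelling the signature was written for
    "GET /CGI-BIN/Vuln-Demo.CGI?x=1 HTTP/1.1",     # same path, different letter case
    "GET /cgi-bin/vuln%2Ddemo.cgi?x=1 HTTP/1.1",   # same path, one character percent-encoded
]


def match_tight(request: str, signatures=SIGNATURES) -> list[int]:
    """Tightly defined signature: case-sensitive substring match on the raw request."""
    return [s["sid"] for s in signatures if s["content"] in request]


def normalize(request: str) -> str:
    """Canonicalize the request the way the target web server will interpret it
    (decode percent-escapes, fold case) so variants map onto one representation."""
    return unquote(request).lower()


def match_normalized(request: str, signatures=SIGNATURES) -> list[int]:
    """Same signature base, but matched against the canonical form of the request."""
    canon = normalize(request)
    return [s["sid"] for s in signatures if s["content"].lower() in canon]


def detection_count(requests, matcher) -> int:
    """How many of the sample requests the given matcher flags."""
    return sum(1 for r in requests if matcher(r))


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(f"{r!r:48} tight={bool(match_tight(r))} normalized={bool(match_normalized(r))}")
```

Normalization only closes the gap for variants that are equivalent after decoding; a genuinely different exploitation of the same hole still requires a new or broader signature, which is the maintenance burden the slide describes.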
Host-based Intrusion Detection Systems are confined to monitoring activity on the local host computer. This monitoring can include network traffic to the host, or local object (files, processes, services) access on the host. For example, a HIDS implementation can be used to analyze all the network traffic transmitted to the computer and pass only the packets deemed safe onto the computer. A HIDS could also be a service running on the local machine that periodically examines the system security logs for suspicious activity.
Some examples of possible suspicious activities include several unauthorized logon attempts, deletion of logs, confidential file access, etc. Keep in mind, suspicious activity in one environment may not equate to suspicious activity in another environment, so rules that define what counts as suspicious activity need to be created.
Direct system information access: Since HIDS exist directly on the host system, they can directly access local system resources (operating system configurations, files, registry, software installations, etc). They can associate users with local computer processes. Since a host is part of the target, a HIDS can provide detailed information on the state of the system during the attack.
Low resource utilization: HIDS only deal with the inspection of traffic and events local to the host.
If the IDS system is compromised, the host may cease to function, resulting in a stop on all logging activity. Secondly, if the IDS system is compromised and the logging still continues to function, the trust of such log data is severely diminished. The implementation of HIDS can get very complex in large networking environments. With several thousand possible endpoints in a large network, collecting and auditing the generated log files from each node can be a daunting task.
A network-based intrusion detection system uses a firewall approach to examine the network traffic (packets) at the router or host level for intrusive activity. NIDS scan any traffic that is transmitted over the segment of the network and only permit through the packets that are not identified as intrusive. With the explosive growth of networking and data sharing, NIDS have become the most popular form of Intrusion Detection. The need to scan the voluminous amounts of network activity and successfully recognize and tag network-wide intrusive behavior is well received within the security industry.
Relatively easy deployment: NIDS are installed per network segment. Deployment to 50 servers may only require 1 network-based intrusion detection system installation. NIDS can view intrusive activity that is targeting several hosts, and provide greater detail into the nature of network traffic. A NIDS can be configured to be invisible to the attacker. NIDS can interact with firewall technologies to dynamically block recognized intrusion behavior.
Network-based intrusion detection seems to offer the most detection coverage while minimizing the IDS deployment and maintenance overhead. However, the main problem with implementing a NIDS with the techniques described in the previous sections is the high rate of false alarms. Modern day enterprise network environments amplify this disadvantage due to the massive amounts of dynamic and diverse data that need to be analyzed.
All the previously defined IDS techniques have their share of disadvantages. There just isn't a single IDS model that offers 100% intrusion detection with a 0% false alarm rate that can be applied in today's complex networking environment. However, incorporating multiple IDS techniques can, to a certain extent, minimize many of the disadvantages illustrated in the previous section.
Common implementations of IDS use a combination of the IDS approaches that have been discussed so far. The combination of these techniques reduces the limitations that are associated with a single-method IDS implementation. For example, misuse-based HIDS and anomaly-based NIDS are usually implemented together to form a hybrid Host/Network IDS architecture. This hybrid IDS allows the correlation between the events on the network and events of the target host(s).
Minimization of anomaly-based false alerts: Correlating the alerts generated in both IDS provides a much greater likelihood that an actual intrusion is occurring. This minimizes the inherent disadvantage of anomaly-based IDS, which is the excessive false alerts. Since a host-based misuse IDS can't detect a signature if the attack is new (hence the signature doesn't exist), there is an additional benefit to misuse detection IDS environments in applying a network-based anomaly IDS that has the ability to capture new attacks and evasive pattern techniques.
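The hybrid correlation described above, as an added example that is not part of the original slides: noisy anomaly alerts from a NIDS are confirmed only when a misuse HIDS alert for the same target host falls within a time window, while unconfirmed anomaly alerts are kept visible as possible new or evasive attacks. The alert fields, both alert streams and the 60-second window are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Alert:
    source: str   # "nids-anomaly" or "hids-misuse"
    host: str     # target host, the field both sensors can agree on
    ts: int       # seconds since the start of the capture (constructed)
    detail: str


# Constructed alert streams: the anomaly NIDS is noisy, the misuse HIDS is precise.
NIDS_ALERTS = [
    Alert("nids-anomaly", "10.0.0.5", 100, "SMTP volume above profile"),
    Alert("nids-anomaly", "10.0.0.7", 130, "connection to a rarely used port"),
    Alert("nids-anomaly", "10.0.0.9", 400, "payload entropy above profile"),
]
HIDS_ALERTS = [
    Alert("hids-misuse", "10.0.0.7", 145, "signature: repeated failed logins then new admin account"),
]


def correlate(nids: Iterable[Alert], hids: Iterable[Alert], window: int = 60) -> dict[str, list[Alert]]:
    """Mark an anomaly alert 'confirmed' when a host-based misuse alert for the same
    host occurs within `window` seconds of it; otherwise keep it as 'unconfirmed',
    a possible new or evasive attack that the signature base does not yet know."""
    hids_by_host: dict[str, list[int]] = {}
    for a in hids:
        hids_by_host.setdefault(a.host, []).append(a.ts)
    result: dict[str, list[Alert]] = {"confirmed": [], "unconfirmed": []}
    for a in nids:
        corroborated = any(abs(a.ts - t) <= window for t in hids_by_host.get(a.host, []))
        result["confirmed" if corroborated else "unconfirmed"].append(a)
    return result


if __name__ == "__main__":
    for level, alerts in correlate(NIDS_ALERTS, HIDS_ALERTS).items():
        for a in alerts:
            print(f"[{level}] {a.host} t={a.ts}: {a.detail}")
```

The window is the tunable trade-off: too small and real intrusions that unfold slowly stay unconfirmed, too large and unrelated host events start confirming anomaly noise.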
The advantages of the combination of HIDS and NIDS applied to an enterprise network and system architecture may seem to offer sufficient protection against intrusive behavior. However, there are some major problems that these HIDS and NIDS systems, even when combined, don't resolve. In 1998, a study was conducted to highlight the strengths and weaknesses of current research approaches to anomaly and misuse intrusion detection. The study used synthesized network traffic to replicate normal traffic as well as traffic that contained intrusive patterns. The network traffic was generated to represent the following types of services: FTP, telnet, HTTP, SMTP, POP3, IRC, DNS, SNMP, SQL, and time.
Attacks on the test systems were divided into four categories:
◦ Denial-of-service attacks
◦ Remote-to-local attacks
◦ User-to-root attacks
◦ Probing/surveillance attacks
The denial-of-service attacks attempt to render a system or service unusable to legitimate users. Remote-to-local attacks attempt to gain local account privilege from a remote and unauthorized account or system. User-to-root attacks attempt to elevate the privilege of a local user to root (or super user) privilege. Probing/surveillance attacks attempt to map out system vulnerabilities and usually serve as a launching point for future attacks.
The performance of the top three IDS showed a roughly 20% detection rate for new denial-of-service attacks and less than 10% detection rate for new remote-to-local attacks. This result shows that the best of today's IDS have a problem detecting new denial-of-service and remote-to-local attacks, arguably two of the most concerning types of attacks against computer systems and networks today. Another area in which common HIDS and NIDS implementations fall short is the amount of data that is provided to the IDS. Often the data is insufficient: the data present in the network packets or system calls may not be complete, making it difficult to determine conclusively whether an intrusion is taking place.
Another pitfall has to do with throughput issues: both host-based and network-based IDS are required to filter or examine large quantities of data. Today's networking equipment often runs at speeds of 100Mbps or greater and can overwhelm the processing capability of IDS products, which often lack sufficient throughput to examine all data. The findings from the study resulted in the conclusion that a fundamental paradigm shift in intrusion detection research is necessary to provide reasonable levels of detection against new attacks and even variations of known attacks.
Central to this goal is the ability to generalize from previously observed behavior to recognize future unseen, but similar, behavior. Future IDS will also have to address scalability and distributed data collection issues in order to achieve the level of effectiveness that is required.