NAME : Bidyut Kumar Malik STREAM:Computer Science & Engineering ROLL NO:23 UNIVERSITY ROLL NO:071650101030 COLLEGE:Calcutta Institute

of Engineering & Management SEMINAR TOPIC:Intrusion Detection System

Intrusion Definition:
In laymans view intrusion is an act of thrusting in or entering into a place without invitation,welcome or right. In technological view: An intrusion is a deliberate, unauthorized attempt to access or manipulate information or system and to render them unreliable or unusable. When suspicious activity is from your internal network it can also be classified as misuse.

Intrusion Detection Definition:

Process of monitoring the events or a set of events occurring in a system or a computer network for the signs of intrusive activity manually or via software expert system is called Intrusion Detection.

Intrusion Detection System:

Intrusion Detection Systems (IDS) can be a useful way to monitor networks and critical computers for signs of unusual activity. They can provide early warning of security and other problems, allowing incidents to be dealt with quickly and their impact reduced. However an IDS that is not properly configured and maintained is likely to generate many spurious alerts, wasting staff time and possibly missing important new signs. Tuning an IDS to provide the appropriate level of alerts for a particular network or host is likely to take some time. IDS look for

unusual signs but they cannot determine whether activity is hostile or merely a change resulting from an unforeseen use of the network or system. Each alert will normally need to be checked by a system or network manager. An alert caused by normal activity is called a false positive, while hostile activity that does not generate an alert is a false negative. All IDS are likely to generate both types of error: tuning the system to reduce false negatives will almost always increase the number of false positives and vice versa. The appropriate sensitivity is a matter of local policy and should be governed by the risk to the systems being monitored and the resources that are available to respond to alerts.Network-based IDS, in particular, will normally detect attempts to breach security rather than whether the attempt was successful or not. Identifying successful intrusions is likely to require prompt investigation by a skilled human. If this is not done then the IDSs warning is likely to be wasted.

I have a firewall why do I need an IDS:

1.Firewalls are not always efficient in stopping the intruders once they have crossed the firewall. 2.To identify and detect the intruders 3.To check on the intruders transaction

Platform:
Some IDSs function from a dedicated (black box) appliance, meaning that there is no need for the customer to load the operating system, install the application software, and harden the operating system separately. Others are software based and have to be installed on top of a supported platform and operating system.

Component:
IDSs generally can be broken into two components: the sensor and the console. The sensor sits upon the network and acts as a sniffer, listening to network traffic in promiscuous mode. The console is the point of central management for an IDS system. By using the console, an administrator may take notice of any current attack alerts. In many cases, the console may be used to customize certain preferences for the IDS.

What Intrusion Detection System CAN and CAN NOT provide:

The IDS however is not an answer to all your Security related problems. You have to know what you CAN, and CAN NOT expect of your IDS. In the following subsections I will try to show a few examples of what an Intrusion Detection Systems are capable of, but each network environment varies and each system needs to be tailored to meet your enterprise environment needs.

The IDS CAN provide the following: CAN add a greater degree of integrity to the rest of You infrastructure CAN trace user activi ty from point of entry to point of impact CAN recognize and report alterations to data CAN automate a task of monitoring the Internet searching for the latest attacks CAN detect when your system is under attack CAN detect errors in your system configuration CAN guide system administrator in the vital step of establishing a policy for your computing assets CAN make the security management of your system possible by non-expert staff

The IDS CAN NOT provide: CAN NOT compensate for a weak identification and authentication mechanisms CAN NOT conduct investigations of attacks without human intervention CAN NOT compensate for weaknesses in network protocols CAN NOT compensate for problems in the quality or integrity of information the system provides CAN NOT analyze al l the traffic on a busy network

 CAN NOT always deal with problems involving packet-level attacks CAN NOT deal with some of the modern network hardware and features

ID TECHNOLOGY LANDSCAPE:

Placement on the Network:

IDS can be set up either inside or outside of a firewall, depending on the needs of an organization. An external IDS monitors attacks that occur on a firewall that are not allowed into a network; therefore potential attacks are discovered, but internal threats go undetected. Internal IDS configurations do not see attacks that

are repelled by the firewall, but monitor attacks that penetrate the firewall as well as internal attacks.

Triggering Mechanisms:
To protect your network, your IDS must generate alarms when it detects intrusive activity on your network. Different IDSs trigger alarms based on different types of network activity. The two most common triggering mechanisms are the following:

Anomaly detection Misuse detection

Anomaly Detection:Identify abnormal unusual behavior (anomalies) on a host or network. They function on the assumption that attacks are different from normal (legitimate) activity and can therefore be detected by systems that identify these differences. Static and dynamic: Static: Static means a portion of the system remain constant, e.g. data integrity, tripwire, virus checkers. Dynamic: profile. A profile consists of a set of observed measures of behavior for each of a set of dimensions. Frequently used dimensions include: Preferred choices, e.g., log-in time, log-in location, and favorite editor. Resources consumed cumulatively or per unit time.

 Representative sequences of actions. Program profiles: system call sequence. Methods:Threshold detection: certain attributes of user and system behavior are expressed in terms of counts, with some level established as permissible. Such behavior attributes can include the number of files accessed by a user in a given period of time, the number of failed attempts to login to the system, the amount of CPU utilized by a process, etc. Statistical measures Parametric: The distribution of the profiled attributes is assumed to fit a particular pattern Non-parametric: The distribution of the profiled attributes is learned from a set of historical values, observed over time. Rule-based measures: similar to non-parametric statistical measures in that ooberved data defines acceptable usage patterns, but differs in that those patterns are specified as rules, not numeric quantities. Other methods: Machine learning Data mining Neural networks, genetic algorithms, etc.

Misuse Detection (signature-based ID):Looking for events or sets of events that match a predefined pattern of events that describe a known attack. The patterns are called signatures. Rule-based systems: encoding intrusion scenarios as a set of rules. State-based intrusion scenario representations. Advantages: Very effective at detecting attacks without generating an overwhelming number of false alarms. Disadvantages : Can only detect those attacks they know abouttherefore they must be constanly updated with signatures of new attacks. Many misuse detectors are designed to use tighly defined signatures that prevent them from detecting variants of common attacks.

Monitoring Locations:
To examine network traffic and trigger alarms when your network is under attack, your IDS must somehow monitor your network at specific points. The two common monitoring locations are as follows:

Host-based Network-based

Host-based IDS:= Using OS auditing mechanisms: e.g. BSM in Solaris logs all direct and indirect events generated by a user; strace monitors system calls made by a program. Monitoring user activities: analyzing shell commands. Monitoring executions of system programs, e.g. sendmail's system calls. Advantages: Can detect attacks that cannot be seen by NIDS. Can operate in an environment in which network traffic is encrypted. Unaffected by switched networks . Can help detect Trojan horse or other attacks that involve software integrity breaches. Disadvantages : Since at least the information sources reside on the host targeted by attacks, the IDS may be attacked and disabled as port of the attack . Are not well suited by detecting network scans or other such surveillance that targets an entire network. Since they use the computing resources of the hosts they are monitoring, therefore inflicting a performance cost on the monitored systems.

Network Intrusion Detection Systems (NIDS):= Using packet sniffing. Looking at IP header as well as data parts. Disadvantages of Network-Based IDSs: NIDS may have difficult processing all packets in a large or busy network and therefore, may fail to recognize an attack launched during periods of high traffic. Modern switch-based networks make NIDS more difficult: Switches subdivide networks into many small segments and provide dedicated links between hosts serviced by the same switch. Most switches do not provide universal monitoring ports. NIDS cannot analyze encrypted information. Most NIDS cannot tell whether or not an attack was successful.

Hybrid Intrusion Detection Systems:

We have examined the different mechanisms that different IDSs use to signal or trigger alarms on your network. We have also examined two locations that IDSs use to search for intrusive activity. Each of these approaches has benefits and drawbacks. By combining multiple techniques into a single hybrid system, however, it is possible to create an IDS that possesses the benefits of multiple approaches, while overcoming many of the drawbacks. Although it is true that combining multiple different IDS technologies into a single system can theoretically produce a

much stronger IDS, these hybrid systems are not always better systems. Different IDS technologies examine traffic and look for intrusive activity in different ways. The major drawback to a hybrid IDS is getting these different technologies to interoperate successfully and efficiently. Getting multiple IDS approaches to coexist in a single system can be a very challenging task

Summary:
You use an IDS to monitor your network for signs of intrusive activity. An IDS triggers alarms when it detects intrusive activity. The triggering mechanism is probably based on one of the following two techniques:

Anomaly detection Misuse detection

To implement its triggering mechanism, your IDS needs to monitor your network for intrusive activity at specific points in your network. The two common monitoring locations are as follows:

Host-based Network-based

Because each of these characteristics has benefits and drawbacks, many intrusion detection systems are beginning to incorporate multiple characteristics into hybrid IDSs. These systems attempt to maximize the capability of the IDS while minimizing their drawbacks.