Professional Documents
Culture Documents
Intrusion
Intrusion
Intrusion Definition:
In laymans view intrusion is an act of thrusting in or entering into a place without invitation,welcome or right. In technological view: An intrusion is a deliberate, unauthorized attempt to access or manipulate information or system and to render them unreliable or unusable. When suspicious activity is from your internal network it can also be classified as misuse.
unusual signs but they cannot determine whether activity is hostile or merely a change resulting from an unforeseen use of the network or system. Each alert will normally need to be checked by a system or network manager. An alert caused by normal activity is called a false positive, while hostile activity that does not generate an alert is a false negative. All IDS are likely to generate both types of error: tuning the system to reduce false negatives will almost always increase the number of false positives and vice versa. The appropriate sensitivity is a matter of local policy and should be governed by the risk to the systems being monitored and the resources that are available to respond to alerts.Network-based IDS, in particular, will normally detect attempts to breach security rather than whether the attempt was successful or not. Identifying successful intrusions is likely to require prompt investigation by a skilled human. If this is not done then the IDSs warning is likely to be wasted.
Platform:
Some IDSs function from a dedicated (black box) appliance, meaning that there is no need for the customer to load the operating system, install the application software, and harden the operating system separately. Others are software based and have to be installed on top of a supported platform and operating system.
Component:
IDSs generally can be broken into two components: the sensor and the console. The sensor sits upon the network and acts as a sniffer, listening to network traffic in promiscuous mode. The console is the point of central management for an IDS system. By using the console, an administrator may take notice of any current attack alerts. In many cases, the console may be used to customize certain preferences for the IDS.
The IDS CAN provide the following: CAN add a greater degree of integrity to the rest of You infrastructure CAN trace user activi ty from point of entry to point of impact CAN recognize and report alterations to data CAN automate a task of monitoring the Internet searching for the latest attacks CAN detect when your system is under attack CAN detect errors in your system configuration CAN guide system administrator in the vital step of establishing a policy for your computing assets CAN make the security management of your system possible by non-expert staff
The IDS CAN NOT provide: CAN NOT compensate for a weak identification and authentication mechanisms CAN NOT conduct investigations of attacks without human intervention CAN NOT compensate for weaknesses in network protocols CAN NOT compensate for problems in the quality or integrity of information the system provides CAN NOT analyze al l the traffic on a busy network
CAN NOT always deal with problems involving packet-level attacks CAN NOT deal with some of the modern network hardware and features
ID TECHNOLOGY LANDSCAPE:
are repelled by the firewall, but monitor attacks that penetrate the firewall as well as internal attacks.
Triggering Mechanisms:
To protect your network, your IDS must generate alarms when it detects intrusive activity on your network. Different IDSs trigger alarms based on different types of network activity. The two most common triggering mechanisms are the following:
Anomaly Detection:Identify abnormal unusual behavior (anomalies) on a host or network. They function on the assumption that attacks are different from normal (legitimate) activity and can therefore be detected by systems that identify these differences. Static and dynamic: Static: Static means a portion of the system remain constant, e.g. data integrity, tripwire, virus checkers. Dynamic: profile. A profile consists of a set of observed measures of behavior for each of a set of dimensions. Frequently used dimensions include: Preferred choices, e.g., log-in time, log-in location, and favorite editor. Resources consumed cumulatively or per unit time.
Representative sequences of actions. Program profiles: system call sequence. Methods:Threshold detection: certain attributes of user and system behavior are expressed in terms of counts, with some level established as permissible. Such behavior attributes can include the number of files accessed by a user in a given period of time, the number of failed attempts to login to the system, the amount of CPU utilized by a process, etc. Statistical measures Parametric: The distribution of the profiled attributes is assumed to fit a particular pattern Non-parametric: The distribution of the profiled attributes is learned from a set of historical values, observed over time. Rule-based measures: similar to non-parametric statistical measures in that ooberved data defines acceptable usage patterns, but differs in that those patterns are specified as rules, not numeric quantities. Other methods: Machine learning Data mining Neural networks, genetic algorithms, etc.
Misuse Detection (signature-based ID):Looking for events or sets of events that match a predefined pattern of events that describe a known attack. The patterns are called signatures. Rule-based systems: encoding intrusion scenarios as a set of rules. State-based intrusion scenario representations. Advantages: Very effective at detecting attacks without generating an overwhelming number of false alarms. Disadvantages : Can only detect those attacks they know abouttherefore they must be constanly updated with signatures of new attacks. Many misuse detectors are designed to use tighly defined signatures that prevent them from detecting variants of common attacks.
Monitoring Locations:
To examine network traffic and trigger alarms when your network is under attack, your IDS must somehow monitor your network at specific points. The two common monitoring locations are as follows:
Host-based Network-based
Host-based IDS:= Using OS auditing mechanisms: e.g. BSM in Solaris logs all direct and indirect events generated by a user; strace monitors system calls made by a program. Monitoring user activities: analyzing shell commands. Monitoring executions of system programs, e.g. sendmail's system calls. Advantages: Can detect attacks that cannot be seen by NIDS. Can operate in an environment in which network traffic is encrypted. Unaffected by switched networks . Can help detect Trojan horse or other attacks that involve software integrity breaches. Disadvantages : Since at least the information sources reside on the host targeted by attacks, the IDS may be attacked and disabled as port of the attack . Are not well suited by detecting network scans or other such surveillance that targets an entire network. Since they use the computing resources of the hosts they are monitoring, therefore inflicting a performance cost on the monitored systems.
Network Intrusion Detection Systems (NIDS):= Using packet sniffing. Looking at IP header as well as data parts. Disadvantages of Network-Based IDSs: NIDS may have difficult processing all packets in a large or busy network and therefore, may fail to recognize an attack launched during periods of high traffic. Modern switch-based networks make NIDS more difficult: Switches subdivide networks into many small segments and provide dedicated links between hosts serviced by the same switch. Most switches do not provide universal monitoring ports. NIDS cannot analyze encrypted information. Most NIDS cannot tell whether or not an attack was successful.
much stronger IDS, these hybrid systems are not always better systems. Different IDS technologies examine traffic and look for intrusive activity in different ways. The major drawback to a hybrid IDS is getting these different technologies to interoperate successfully and efficiently. Getting multiple IDS approaches to coexist in a single system can be a very challenging task
Summary:
You use an IDS to monitor your network for signs of intrusive activity. An IDS triggers alarms when it detects intrusive activity. The triggering mechanism is probably based on one of the following two techniques:
To implement its triggering mechanism, your IDS needs to monitor your network for intrusive activity at specific points in your network. The two common monitoring locations are as follows:
Host-based Network-based
Because each of these characteristics has benefits and drawbacks, many intrusion detection systems are beginning to incorporate multiple characteristics into hybrid IDSs. These systems attempt to maximize the capability of the IDS while minimizing their drawbacks.