Literature Survey of Trip PDF
LITERATURE SURVEY
This chapter presents some of the existing intrusion detection techniques, which
could provide high accuracy, low false positive rate and reduced number of
detection tools available for detecting intrusions in WLAN. This work identifies a
2.1 Introduction
that analyzes what happens or has happened during an execution and tries to
find indications that the computer has been misused. There is an abundant
literature on intrusion detection systems, and several IDS approaches have been
Kabiri and Ghorbani [61] and in Abraham [1, 2, 3, 4]. Two highly relevant works
in this direction are those of Denning [27] and Verwoerd [102]. Dorothy Denning
intrusion behavior involves abnormal usage of the system. Different techniques
and approaches have been used in later developments. Some of the techniques
keystroke monitoring, state transition analysis, pattern matching, and data mining
techniques. Since 1970, several people have reviewed the state of the art,
including Anantvalee [7], Kabiri [61], Bass [16], Jeyanthi and Michel [50, 51,
52], Yang [105], Adam [5], Lee [68], Mukherjee et al. [80], S. Kumar and
Lakhotia [96], and Lee et al. [103]. The best reviews are those that present an
unbiased, thorough review of the literature and/or provide a good taxonomy for
include those by Axelsson [12], Debar [26], Almgren [6], and Hall, M., Jackson
Table (summary of the surveyed literature; columns: No., Author, Description, Year; only fragments of the rows survived extraction)
No.
subjects on objects.
over a network
Dorothy | Behavioral analysis looks for deviations from the type
over a network
commercial and public sectors.
L., and | systems employ the host operating system's audit trails
detection mechanism
by monitoring network traffic,
1995
intrusion detection
systems (IDS) and also intrusion
15. Lane and | This paper introduces the applied instance-based
16. Lee W. and | In this paper, a data mining framework for adaptively
Dacier, M., | systems that highlights the various aspects of this area.
2000
positives etc.
address. These
classifications are used predicatively,
pointing towards a number of areas of future research
22. Giovanni | The mobile ad hoc network routing protocols that are
detection time
is less than a few seconds. Furthermore,
this technique entails simple implementation, making it
24. Phillip | This paper presents a new IDS framework for mobile
environments.
27. Magnus | This paper investigated the procedure to use the alerts
28. Naeimeh | This paper discussed the fraud that is growing
detection.
mechanisms.
2.3 Gaps in Existing Research Literature
Most of the research has been carried out on signature-based techniques. The
WLAN.
detecting and responding to the various security breaches to the WLAN has
systems have been developed: host-based IDS and network-based IDS [12, 57].
A host-based IDS resides on the system being monitored and tracks changes
made to important files and directories [40]. It takes a snapshot of the existing
system files and compares it with the previous snapshot. If the critical system files
i. Uses log files and/or the system's auditing agents as sources of data and also
ii. Checks the integrity of system files, and watches for suspicious processes,
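The snapshot-and-compare check described above, as an added example (this is not code from the thesis or from any of the tools it surveys): a small Python host-based integrity checker. snapshot() records a SHA-256 digest, size and permission bits for every regular file under a directory, and compare() reports what was added, removed or modified since the baseline. The monitored tree, the file names (etc/passwd, etc/ld.so.preload, usr/bin/ping, etc/rc.local) and the tampering steps in demo() are constructed for the demonstration.

```python
"""Added example: host-based file-integrity check (not from the thesis).
The directory tree built in demo() is constructed for the example."""
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file (posix-style relative path) to its digest,
    size and mode. Symlinks are not followed, so pointing a monitored
    name at some other file shows up as a change instead of hiding it."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": _sha256(full),
                         "size": st.st_size,
                         "mode": stat.S_IMODE(st.st_mode)}
    return snap


def save_snapshot(snap, path):
    # A real baseline must be kept where the monitored host cannot rewrite
    # it (read-only media or a remote store); a local file is demo-only.
    with open(path, "w") as f:
        json.dump(snap, f, sort_keys=True)


def load_snapshot(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify differences. A mode-only change (e.g. a new setuid bit)
    counts as a modification even though the content digest is equal."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed tree, baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        with tempfile.TemporaryDirectory() as store:
            def write(rel, text, mode=None):
                full = os.path.join(root, rel)
                os.makedirs(os.path.dirname(full), exist_ok=True)
                with open(full, "w") as f:
                    f.write(text)
                if mode is not None:
                    os.chmod(full, mode)

            write("etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
            write("etc/hosts", "127.0.0.1 localhost\n")
            write("etc/ld.so.preload", "")
            write("usr/bin/ping", "#!/bin/sh\n", 0o755)
            baseline_path = os.path.join(store, "baseline.json")
            save_snapshot(snapshot(root), baseline_path)

            # Tampering: extra uid-0 account, preload rootkit, setuid ping,
            # a dropped hosts file and a new startup script.
            with open(os.path.join(root, "etc/passwd"), "a") as f:
                f.write("toor:x:0:0::/:/bin/sh\n")
            write("etc/ld.so.preload", "/tmp/evil.so\n")
            os.chmod(os.path.join(root, "usr/bin/ping"), 0o4755)
            os.remove(os.path.join(root, "etc/hosts"))
            write("etc/rc.local", "nc -l 4444 -e /bin/sh &\n")

            return compare(load_snapshot(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing the content alone would miss the setuid change on usr/bin/ping, which is why the snapshot records mode as well; in practice the check also has to run from a trusted baseline, because a host that can rewrite its own baseline can hide any change.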
traffic on its network segment to detect intrusion attempts. An IDS can be made
up of many sensors, each sensor being in charge of monitoring the traffic passing
The sensors cannot monitor anything outside their own segment or switch.
ID system that monitors the traffic on its network segment as a data source.
Implementation requires:
network traffic that crosses its network segment; and packets traveling on
iii. Three kinds of signature are particularly important: string signatures, which
look for a text string that indicates a possible attack; port signatures, which
simply watch for connection attempts to well-known, frequently attacked ports;
and header signatures, which watch for
2.5 Misuse and Anomaly Based Detection
They follow the same principle as most anti-virus software and rely on the
intrusion attempts [47, 65]. Misuse detection systems compare current activities
of the host or the network monitored with “signatures” of known attacks. If the
current activities match any of the known signatures, an alarm is triggered [96].
systems is their ability to detect known attacks and the relatively low false
alarm rate when rules are correctly defined. It is important to note that, as
said above, the signatures which are used in rules must be as specific as
Anomaly detection systems are also known as behavior-based systems. They rely
on the fact that intrusions can be detected by observing deviations from the
expected behaviors of the system monitored [32]. These “normal” behaviors can
either correspond to some observations made in the past or to some forecasts
made by various techniques. Everything that does not correspond to this “normal”
systems are not primarily intended to replace misuse detection systems. The
ii. High Rate of False Alarms: Two factors may lead to a very high rate of
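An added example (not from the thesis or from any surveyed product) that serves both the three signature classes listed for network-based IDS above and the misuse-versus-anomaly distinction of this section: a misuse detector with string, port and header signatures next to an anomaly detector that flags sources whose connection rate deviates from a learned baseline, both run over a constructed one-minute capture. The addresses, ports, payloads, training counts and thresholds are invented. The second threshold illustrates the false-alarm problem just raised: lowering k from 4 to 3 catches no new attacker but flags a legitimately busy backup host.

```python
"""Added example: misuse (signature) detection beside anomaly
(baseline-deviation) detection over constructed packet records.
Every address, port, payload and threshold below is invented."""
import statistics


def pkt(src, dst, dport, flags=("SYN",), payload=b""):
    """A minimal packet record: only the fields the detectors inspect."""
    return {"src": src, "dst": dst, "dport": dport,
            "flags": frozenset(flags), "payload": payload}


# --- misuse detection: the three signature classes --------------------
STRING_SIGS = {                      # text that indicates a possible attack
    "etc-passwd-request": b"/etc/passwd",
    "cmd-exe-request": b"cmd.exe",
}
PORT_SIGS = {                        # connection attempts to attacked ports
    "telnet-connect": 23,
    "netbios-connect": 139,
}
HEADER_SIGS = {                      # header values no normal stack sends
    "syn-fin-flags": lambda p: {"SYN", "FIN"} <= p["flags"],
    "land-src-eq-dst": lambda p: p["src"] == p["dst"],
}


def is_connection_attempt(p):
    return "SYN" in p["flags"] and "ACK" not in p["flags"]


def match_signatures(p):
    hits = [name for name, needle in STRING_SIGS.items() if needle in p["payload"]]
    if is_connection_attempt(p):      # port signatures fire only on new connections
        hits += [name for name, port in PORT_SIGS.items() if p["dport"] == port]
    hits += [name for name, test in HEADER_SIGS.items() if test(p)]
    return hits


def misuse_alerts(packets):
    """{packet index: [matched signature names]} for every matching packet."""
    alerts = {}
    for i, p in enumerate(packets):
        hits = match_signatures(p)
        if hits:
            alerts[i] = hits
    return alerts


# --- anomaly detection: deviation from learned normal behaviour --------
# Connection attempts per source per minute seen during a (constructed)
# training period; this is the profile of "normal".
TRAINING_CONNECTIONS_PER_MINUTE = [4, 5, 6, 5, 4, 6, 5, 5, 3, 7]


def connection_counts(packets):
    counts = {}
    for p in packets:
        if is_connection_attempt(p):
            counts[p["src"]] = counts.get(p["src"], 0) + 1
    return counts


def anomaly_alerts(packets, training, k):
    """Flag sources whose connection count lies more than k standard
    deviations above the training mean. Returns [(src, count, z)]."""
    mean, sd = statistics.mean(training), statistics.stdev(training)
    return [(src, n, round((n - mean) / sd, 2))
            for src, n in sorted(connection_counts(packets).items())
            if (n - mean) / sd > k]


# --- a constructed one-minute capture -----------------------------------
PACKETS = (
    # ordinary web client: 6 connections, then a traversal attempt in a request
    [pkt("10.0.0.5", "10.0.0.2", 80) for _ in range(6)]
    + [pkt("10.0.0.5", "10.0.0.2", 80, ("PSH", "ACK"),
           b"GET /../../etc/passwd HTTP/1.0\r\n")]
    # nightly backup host: legitimately busier than the training average
    + [pkt("10.0.0.7", "10.0.0.3", 22) for _ in range(9)]
    # port scanner: 40 connection attempts, two of them to signature ports
    + [pkt("10.0.0.9", "10.0.0.2", port) for port in list(range(21, 59)) + [139, 445]]
    # a single SYN+FIN probe and a LAND packet (src == dst)
    + [pkt("10.0.0.11", "10.0.0.2", 80, ("SYN", "FIN"))]
    + [pkt("10.0.0.2", "10.0.0.2", 80)]
)


if __name__ == "__main__":
    for i, names in misuse_alerts(PACKETS).items():
        print(f"misuse  packet {i:2d} from {PACKETS[i]['src']:>9}: {names}")
    for k in (4, 3):
        print(f"anomaly k={k}: {anomaly_alerts(PACKETS, TRAINING_CONNECTIONS_PER_MINUTE, k)}")
```

The misuse side finds exactly the five packets that match a signature and nothing else, which is the low false-alarm property of misuse detection; the single SYN+FIN probe, one packet from an otherwise quiet host, is invisible to the anomaly side. The anomaly side is the only one that notices the scanner, whose 40 connections match no signature, but at k=3 it also raises a false alarm on the backup host.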
popularity across the computer network market over the years. However, the
threats and security fears associated with them have caused some network
numerous benefits that they provide [82, 83]. Several manufacturers understand
the fears, uncertainties and doubts caused by the security problems of the
Wireless Local Area Network. Several security measures have been proposed
by these manufacturers, and some of them have been adopted into IEEE
802.11 [78].
This study focuses specifically on the existing industry standard for IEEE 802.11
RF has become the de-facto technology for the majority of today’s WLANs.
Radio signals can travel in all directions for distances ranging from a few meters
when the signal’s propagation needs to be limited. The fact that the destination of
radio signals cannot be precisely controlled makes this medium the most
traffic can be monitored with widely available radio equipment by anyone located
within range of the transmitter. It is important to note that amplifiers and
specialized antennas can also be used solely on the receiver side to increase the
range at which signals can be received, so simply controlling the transmitter
power is not sufficient to limit the propagation of signals [50, 51, 52].
2.7.2 Spread Spectrum
patterns that must also be known by the receiver so that it can recover the signal.
and is less vulnerable to jamming and casual interception. Note, however, that for
802.11 the spreading codes and hop sequences are fixed by the standard and
implemented by every compliant radio, so spreading provides no confidentiality
against an attacker with ordinary WLAN hardware. In the case of WLANs,
the hardware must be aware of the signal-spreading parameters in order to receive
Several signal-spreading schemes have been developed but the methods that
802.11 WLANs.
2.7.3 IEEE 802.11 Standard
the Industrial, Scientific, and Medical (ISM) bands, operating at 902 to 928 MHz,
2.4 to 2.483 GHz, and 5.725 to 5.875 GHz, for unlicensed public use [10]. This not
only fulfilled a demand for commercial communication, but it also sparked the
standardize wireless LAN products. This standard has since been adopted by the
Commission (ISO/IEC). The IEEE 802.11 core specification addresses both the
physical (PHY) and data link layers of the open systems interconnection (OSI)
compliant with the 802.11b standard. Both 802.11a and b amendments were
actually adopted at the same time, but because 802.11b was less complex than
802.11a, products compliant with the 802.11b standard rapidly materialized while
products under 802.11a only reached the market in 2002. Since that time, the
802.11g amendment which utilized the same 2.4 GHz band as 802.11b, but
delivered faster and more robust connections as well as greater range, has come
to dominate the market. The IEEE is responsible for developing the radio
technology standards to be used by wireless LANs. These standards pertain to the
802 wireless standards including 802.11, the first one that was developed, and
Each standard, though developed for wireless LANs, serves a different purpose for
the LANs, due in part to hackers, as well as others who might challenge its
vulnerabilities, or holes, are found they become public knowledge and the IEEE
implemented and the RF-based versions suffered from low transmission speed (2
Mbps). The IEEE later established several task groups to explore various
2.7.4i. 802.11a Amendment: Task Group A explored the unlicensed 5.0 GHz
was completed in 1999 and in 2002 vendors began releasing products compliant
with this extension. Because of the different operating band and modulation, the
802.11b/g) APs. 802.11a is currently licensed for use in North America and
been quite limited. Recently, 802.11a has enjoyed somewhat of a resurgence in
such networks, 802.11a is used for communications between APs, and 802.11b/g
2.7.4ii. 802.11b: Task Group B explored DSSS technology to boost data rates in
the original 2.4 GHz band. The 802.11b extension [8], published in September
1999, delivers raw data rates up to 11 Mbps, which gave data rate parity with the
popular 10 Mbps “10Base” wired LAN systems of the day. The majority of
WLAN systems in the market today follow the 802.11b standard and it is
2.7.4iii. 802.11g: Task Group G approved the development of the new extension
to the 802.11 standard in November 2001; the resultant amendment was approved
development of the higher data rate extensions to the 802.11 standard. As with
802.11b and g, the 802.11n standard will operate at 2.4 GHz (it also operates in
the 5 GHz band used by 802.11a) with mandatory
248 Mbps. OFDM combined with MIMO uses the same basic modulation as 802.11g [8].
for both the spatial and temporal variations of the RF channel as well as the
practice of “channel bonding” in order to greatly increase the range and raw data
rate. At the time of writing, 802.11n was still in the draft stage, with final
approval expected in 2010; however, many “Pre-N” or “Draft-N” products had
already been emerging in the market. Consumers are cautioned when purchasing such
products because, as draft-based products, they are not subject to the same
interoperability testing as
secure state during their lifetime and utilization. Sometimes, legacy or operational
constraints do not even allow the definition of a fully secure information system
[32]. Therefore, intrusion detection systems have the task of monitoring the usage
of such systems to detect any appearance of an insecure state. They detect attempts
external parties to abuse their privileges or exploit security vulnerabilities [2, 65].
and other material available for public review. As this report is an analysis of
design specifications rather than a test of implementations, we have not
Parameter Definitions
consignments, at some regular interval. Most of the systems work in real time,
i.e. continuously, and a few work in batch mode by grouping the audit records
into batches.
ii. Audit source location: It refers to the location of the intrusion detection system
the kind of input information they analyze. The input information can be audit
are usually read directly off some multicast network (Ethernet). Host-based data
(security logs) are collected from hosts distributed all over the network and can
include operating system kernel logs, application program logs and network
iii. Management Console: This parameter refers to the management console, i.e. the
provides. It is the user interface and "control room" view of the network: a
terminal or workstation used to monitor and control a network. There are the
user interface and the intricate one, which is complicated for the user to view the
network.
to attacks. On the basis of their response to intrusions, an IDS can be either active
or passive. An active IDS reacts to the attack by taking either corrective
2.8.2 Tools Analyzed
(Table of the tools analyzed; columns: No., Intrusion Detection System, Vendor; only fragments of the rows survived extraction)
Detection
System
IDS
Santa Barbara
International Corporation (SAIC)
International Corporation (SAIC)
Inc
Detection, Inc.)
Recorder Inc.
INSA
(ISS)
20 CyberCop | Network Associates, Inc.
Suite
The intrusion detection tools are analyzed and the results are categorized using the
Almost all of the vendors allow intrusions to be detected in real time. In the
host-based ID tools the audit logs are collected in batches before they are processed
or analyzed, with an even longer delay as a result. These delays may or may not be a
problem, depending on the security of the intrusion detection system and its
sessions and processes. T-Sight from Engarde, Inc. has adopted a somewhat
presenting data to the security officer, who then in turn tries to identify intrusions.
Systems using manual intrusion detection schemes can certainly not be classified
audit data. Only six systems are purely host-based and four systems support both
today rely upon network audit data. Some vendors claim that switched networks
can easily be analyzed using dedicated management ports on the switches. This
Inc. They incorporate ID (provided by ISS Inc.) into their product line of
most important system like Dragon is notable for its ability to
deliver both host-based and network-based functionality, i.e. it can be used both as
a NIDS and as a HIDS, so that it covers both the host and the network vantage point.
Most of the systems analyzed provide a console-based user interface; a few also
provide a graphical user interface to view the activities. Snort provides a good
management console with the help of ACID, a web front-end that reads the alerts
written by Snort's database output plug-in. Plug-ins are an important feature of
Snort. These are programs that are written to conform to Snort’s plug-in API.
These programs used to be part of the core Snort code, but were separated out to
make modifications to the core
source code more reliable and easier to accomplish. ACID stands for
Analysis Console for Intrusion Databases. It provides log analysis for Snort and
requires PHP, Apache, and the Snort database output plug-in. Dragon provides
of the Dragon Network and Host Sensors, while the Alarm tool offers centralized
alarm and notification management. Cisco provides a management console, but it is
weaker than those of Snort and Dragon. It is responsible for the
agents and the server take place at intervals set in the console. The
communication port for the console and the agent must be the same for them to
The behavior of the system is either passive or active. Passive response means
Many systems provide some support for passive response mechanisms. Active
response: all but three systems (Stake Out, Kane Security Monitor and T-Sight)
active response include actions like terminating transport-level sessions, which
most active response systems claim they support. Some systems, such as
SecureNet Pro, even allow the SSO (site security officer) to hijack a TCP session.
This provides a
manner. Host-based ID systems have the advantage that they can also control
hostile processes on the host on which they reside. Most host-based systems
not have this feature. Entrax offers only the possibility to log out a user, disable a
user's account or shut down the entire computer, which can be seen as a drastic
also benefit from being shut down to prevent further contamination. One should
keep in mind that ID systems that have the capability to shut down processes or
The most important system like Snort can be used for active as well as passive
network traffic and log it. Active monitoring involves the ability either to
monitor traffic and then send alerts concerning the traffic that is discovered or to
actually intercept and block this traffic. Snort is primarily used for active
block the would-be intruder. Cisco can behave actively or passively at the choice
of the user.
The detection capabilities between products vary quite extensively. In general, a
network-based IDS has greater capabilities owing to its ability to capture and
audit logs provided by the operating system or application logs. Due to the large
of the types of attacks each product can detect. Some of the products, such as
signatures out of the box. The table below shows the detection capabilities mapped
onto a simple protocol stack. Cisco performs real-time attack detection using
analysis. Dragon provides real-time attack reporting. Dragon Host Sensor
administrator in real time. This way no one has to monitor the Snort output all
Table 2.3: Analysis of Intrusion Detection Tools
2.8.3 Detection Method
It is the capability of the IDS to detect various types of attacks. This depends on the
number of signatures defined in the knowledge base of the IDS [65, 72].
1 Snort *
2 Dragon * *
3 Cisco Secure *
4 Emerald *
5 Net Ranger *
6 Tripwire *
7 Intruder Alert *
8 Netstat * *
9 CMDS * *
10 Entrax *
11 Bro *
13 SecureNet *
14 Kane Security * *
15 NetProwler *
16 Session Wall-3 *
17 Network Flight *
18 INTOUCH I * *
19 RealSecure *
20 CyberCop *
21 ID-Trak *
22 NIDES * *
23 T-Sight *
24 Shadow *
25 SecureCom Suite *
host or network segment. Intruder Alert (IA) is partly distributed. While the
technology of the operating system requirements for the manager and agent
side for each IDS. It is worth mentioning that Axent supports an impressive
iii. Protocol. As expected, TCP/IP is the dominating protocol suite supported.
product.
No. | Intrusion Detection System | Operating System Support | Protocol
1 | Snort | MS Windows, LINUX | TCP/IP
2 | Dragon | MS Windows, LINUX, Solaris | TCP/IP
3 | Cisco Secure IDS | Windows, UNIX |
4 | Emerald | MS Windows, UNIX | TCP/IP
6 | Tripwire | UNIX OS |
8 | Netstat | UNIX |
9 | CMDS | Solaris, NT | _
11 | Bro | UNIX |
13 | SecureNet Pro | LINUX |
14 | Kane Security Monitor | |
15 | Net Prowler | MS Windows, UNIX |
17 | Network Flight Recorder | LINUX, |
 | INSA | Applicable |
21 | ID-Trak | NT | TCP/IP
24 | Shadow | UNIX |
25 | SecureCom Suite | |
2.9 CHAPTER SUMMARY
In this chapter a number of existing intrusion detection tools that are capable of
monitoring wireless traffic were analyzed. A detailed analysis of twenty-five
commercial, educational and research intrusion detection tools was given on the basis
The educational, research and commercial systems are summarized and evaluated, and
the results are intended to help administrators install a suitable tool in the
(IDS) is utilized to compare and evaluate different functions, features and aspects of the
systems. This analysis will be helpful in future research. A practical and effective