Intrusion Detection And Intrusion Prevention System


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

An intrusion can be defined (Heady et al., 1990) as "any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource", for example gaining unauthorised access to a system, or attacking a system and rendering it unavailable.

The 2011 Norton Cybercrime Report is based on the company's analysis of an online survey of 19,636 respondents from 24 countries.

Norton calculates that a total of 431 million adults in the 24 surveyed countries had been victims of cybercrime within the preceding 12 months. This equates to 14 cybercrime victims every second, 820 every minute, or almost 50,000 per hour.

The report also puts the direct cost of this cybercrime at approximately $114 billion, with a further $274 billion in indirect costs related to lost time and productivity.

Over the years the damage done to individuals, organisations and even nations by cybercrime has been enormous, and its effects have been destructive: loss of revenue, wasted time, damaged reputations, and so on.

Securing computer systems and network resources is important because of the growth in crime committed over the Internet: phishing, masquerading and many other forms of cybercrime. Network administrators have adopted a number of measures to combat this menace, and among the most important are intrusion detection and intrusion prevention systems.

Intrusion Detection System (IDS)

An intrusion detection system is software or a device that detects unwanted access, whether by attackers attempting to gain unauthorised access or by authorised users who misuse their privileges or try to obtain privileges they are not entitled to. It is reactive rather than proactive: it plays the role of an informant rather than a police officer, much like the security cameras and burglar alarms in a house. The first major work in the area of intrusion detection was Anderson's report (Anderson, 1980), which introduced the idea that certain types of threats to the security of a computer system could be identified by reviewing the information in the system's audit trail. Denning (1987) then proposed an intrusion detection model that has become a foundation for the field.

2.1 Detection methods

An intrusion detection system is a specialised tool that knows how to parse and interpret network traffic and/or host activity. Its input can range from raw network packets to the contents of log files from routers, firewalls and servers, local system logs and access records, network flow data, and more. A signature-based IDS also keeps a database of known attack signatures and compares the patterns of activity, traffic or behaviour it observes against those signatures, recognising when current or recent behaviour closely matches one. At that point the IDS can issue alarms or alerts, or take automated actions ranging from shutting down Internet links or specific servers to launching back-traces and other active attempts to identify the attacker and collect evidence of their activity.


Fig. 1 Intrusion Detection System (Withfriendship.com).

An IDS:

• Can trace user activity from its beginning to the point of impact

• Can recognise and report alterations to data

• Can detect when a system is under attack

• Can detect errors in system configuration

An IDS can be placed between the firewall and the internal network to identify threats that get past the firewall.

The most common way to detect intrusions has been to use the audit data generated by the operating system.

IDS Taxonomy

3.1 A signature-based IDS monitors packets on the network and compares them with preconfigured, predetermined attack patterns known as signatures (Verma, 2008). It:

• Maintains a database of attack signatures

• Compares current activity against that database

• Depends on the database being current and complete to be effective

• Detects misuse intrusions (known attacks)

3.2 An anomaly-based (behaviour-based) IDS keeps a repository of knowledge about the hosts and users present on the network and what their normal activity looks like. (Some authors use the term "knowledge-based" for the signature approach in 3.1; the properties listed here belong to the anomaly approach.) It:

• Builds a profile of 'normal' system activity over time

• Produces more false positives and requires more administration

• Detects anomaly intrusions, including attacks for which no signature exists

Approaches to Intrusion Detection

The two major approaches to intrusion detection are anomaly detection and misuse detection; other techniques build on these two.

4.1 Anomaly Detection

Anomaly detection is the general category of intrusion detection that works by identifying activity that deviates from the established patterns of users or groups of users; the non-conforming patterns are referred to as anomalies. Anomaly detection relies on a knowledge base of such patterns (profiles).

Many people pretend to be a legitimate user in order to gain access to system resources; this is called masquerading. The anomaly detection approach looks for deviations in behaviour, from which it infers whether the individual is who they claim to be. Anomaly detection typically involves creating a database of profiles of the monitored activities, and anomaly detection mechanisms usually depend on input from the operating system's audit records.

It is difficult to create and maintain user profiles because a user's pattern of activity changes over time. A balance is therefore needed between short-term profiles, which describe recent activity, and long-term profiles, which describe the user's historical pattern. Unless the profiles are updated from time to time, the changing activity of a legitimate user will lead to false alarms; conversely, a profile that adapts too readily can be trained by an attacker who changes behaviour slowly. Anomaly detection is also computationally expensive because of the overhead of tracking, and possibly updating, several profile metrics per subject.

Applications of anomaly detection include credit card fraud detection, medical diagnostics, network intrusion detection, image processing and more. Fraud detection refers to detecting criminal activity in banks, credit card companies, insurance agencies, stock market companies and the like; fraud occurs when users use the resources provided by an organisation in an unauthorised way.

Fawcett and Provost (1999) introduced the term activity monitoring as a general approach to fraud detection. Anomaly detection can, for instance, detect the fraudulent card usage associated with credit card theft.

A major benefit of anomaly detection is that it can identify previously unseen attacks.
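The trade-off between short-term and long-term profiles described above, as an added example (not code from the essay or from any product): one metric per user (say, interactive logins per hour) is summarised by an exponentially weighted mean and variance, and an observation is an anomaly when it lies more than `threshold` standard deviations from the profile mean. The training data and the observed series are constructed for the demo; the `alpha` weight and the z-score threshold are assumptions. The demo contrasts a frozen long-term profile with one that adapts, on a series where a legitimate user's activity drifts upward over a day and a burst occurs later.

```python
"""Anomaly detection with a frozen versus an adaptive user profile (added example)."""
import math
from dataclasses import dataclass


@dataclass
class Profile:
    mean: float
    var: float
    alpha: float = 0.2  # weight of the newest observation; higher means shorter memory

    @classmethod
    def from_training(cls, samples, alpha=0.2):
        """Long-term profile: population mean and variance of a training window."""
        n = len(samples)
        mean = sum(samples) / n
        var = sum((x - mean) ** 2 for x in samples) / n
        return cls(mean, var, alpha)

    def zscore(self, x):
        sd = math.sqrt(self.var) if self.var > 0 else 1.0  # guard against a flat profile
        return (x - self.mean) / sd

    def update(self, x):
        """Exponentially weighted update of mean and variance (short-term memory)."""
        diff = x - self.mean
        self.mean += self.alpha * diff
        self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)


def detect(observations, profile, adapt, threshold=3.0):
    """Return the indices flagged as anomalous.

    With adapt=True the profile learns from every observation that was NOT
    flagged; flagged observations are excluded so a single burst cannot drag
    the baseline towards the attacker's behaviour (a slow drift still can).
    """
    flagged = []
    for i, x in enumerate(observations):
        if abs(profile.zscore(x)) > threshold:
            flagged.append(i)
        elif adapt:
            profile.update(x)
    return flagged


# Constructed training window: roughly 10 logins per hour.
TRAINING = [9, 11, 10, 12, 8, 10, 11, 9, 10, 10]


def constructed_series():
    """Constructed observations: a legitimate drift, a new normal, then a burst."""
    ramp = list(range(10, 26))   # user's role changes: activity drifts 10 -> 25 over 16 hours
    plateau = [25] * 20          # the new normal
    burst = [200]                # credential-stuffing-like spike
    return ramp + plateau + burst + [25]


def demo():
    series = constructed_series()
    frozen = detect(series, Profile.from_training(TRAINING), adapt=False)
    adaptive = detect(series, Profile.from_training(TRAINING), adapt=True)
    return {"burst_index": series.index(200), "frozen": frozen, "adaptive": adaptive}


if __name__ == "__main__":
    result = demo()
    print("frozen profile flagged", len(result["frozen"]), "hours, starting at hour", result["frozen"][0])
    print("adaptive profile flagged hours", result["adaptive"], "(burst at", result["burst_index"], ")")
```

The frozen profile flags every hour from the point the drift crosses three standard deviations onwards, which is exactly the stream of false alarms the essay warns about; the adaptive profile absorbs the drift and flags only the burst. The price of adaptation is visible in `detect`: the baseline moves with whatever it does not flag, so an attacker who ramps up slowly enough stays under the threshold.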

4.2 Misuse Detection

The second general approach to intrusion detection is misuse detection. This technique compares a user's activities with the known behaviours of attackers attempting to penetrate a system. Misuse detection also uses a knowledge base, which holds specific descriptions of the techniques attackers were known to employ when the knowledge base was created. The detection mechanism flags a potential attack when a user's activities match the established rules. Comprehensive rules are therefore critical when expert systems are applied to intrusion detection.

The advantages of this approach are that it generates fewer false alarms than anomaly detection and is easy to implement, deploy and update. The disadvantage is that it cannot detect unknown attacks.

Like anomaly detection, misuse detection systems can suffer performance degradation from their dependence on audit trails for input.

Types of IDS

5.1 Network intrusion detection system (NIDS)

Network intrusion detection systems (NIDS) analyse network traffic for suspicious activity, whether unauthorised activity or an attack. A NIDS sensor can be placed on a backbone network to monitor all traffic, or smaller sensors can be set up to monitor the traffic of a particular server, switch or router.

The first step in delivering an efficient and secure network intrusion protection strategy is accurately detecting all possible threats.

The benefits of a NIDS are that it can identify security threats before they compromise secure networks; to do this it uses misuse detection and may include anomaly detection as well. A NIDS is a passive device that listens on the network without interfering with its normal operation, so deploying one does not affect network performance.

A NIDS can detect activities such as system scanning, denial of service, penetration attempts and much more.

A NIDS does not replace basic security controls such as firewalls.

Snort (Roesch, 1999) is an open-source NIDS: a packet sniffer that monitors network traffic in real time, scrutinising each packet against a set of rules to detect suspicious activity.
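The signature matching of sections 3.1 and 4.2, and the rule-driven packet inspection Snort performs, as an added example that is not Snort's own code. It parses a small subset of Snort's rule syntax (the `action proto src_ip src_port -> dst_ip dst_port (options)` header with `any` or a literal address and port, and the `msg`, `sid`, `content` and `nocase` options) and runs the rules over constructed packets. Snort variables such as `$HOME_NET`, port ranges, hex content, PCRE and flow options are deliberately not handled; the rules and packets below are constructed for the demo.

```python
"""Misuse detection with a minimal Snort-style rule subset (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

HEADER = re.compile(
    r"^(?P<action>alert|log|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    sid: int
    msg: str
    content: Optional[bytes]
    nocase: bool


@dataclass
class Packet:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    payload: bytes = b""


def parse_rule(text: str) -> Rule:
    m = HEADER.match(text.strip())
    if m is None:
        raise ValueError(f"unparseable rule: {text!r}")
    opts, flags = {}, set()
    for opt in m["opts"].split(";"):  # assumes no ';' inside quoted option values
        opt = opt.strip()
        if not opt:
            continue
        if ":" in opt:
            key, value = opt.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
        else:
            flags.add(opt)
    if "sid" not in opts:
        raise ValueError("rule has no sid")
    return Rule(
        action=m["action"], proto=m["proto"], src=m["src"], sport=m["sport"],
        dst=m["dst"], dport=m["dport"], sid=int(opts["sid"]), msg=opts.get("msg", ""),
        content=opts["content"].encode() if "content" in opts else None,
        nocase="nocase" in flags,
    )


def _addr_ok(rule_addr: str, pkt_addr: str) -> bool:
    return rule_addr == "any" or rule_addr == pkt_addr


def _port_ok(rule_port: str, pkt_port: Optional[int]) -> bool:
    return rule_port == "any" or (pkt_port is not None and int(rule_port) == pkt_port)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields must all agree; then the content string must occur in the payload."""
    if rule.proto != pkt.proto:
        return False
    if not (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)):
        return False
    if not (_addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)):
        return False
    if rule.content is not None:
        hay, needle = pkt.payload, rule.content
        if rule.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def run_rules(rules, packets):
    """Passive IDS pass: return (packet index, sid, msg) for every rule that fires."""
    return [(i, r.sid, r.msg) for i, pkt in enumerate(packets) for r in rules if matches(r, pkt)]


# Constructed rules in the supported subset.
RULES = [
    'alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> 192.0.2.20 22 (msg:"SSH libssh client banner"; content:"libssh"; sid:1000002; rev:1;)',
    'alert icmp any any -> any any (msg:"ICMP traffic seen"; sid:1000003; rev:1;)',
]

# Constructed packets: 0, 2 and 3 should fire; 5 carries the payload but on port 8080.
PACKETS = [
    Packet("tcp", "10.0.0.5", 51515, "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("tcp", "10.0.0.5", 51516, "192.0.2.10", 80, b"GET /index.html HTTP/1.1"),
    Packet("tcp", "10.0.0.7", 40000, "192.0.2.20", 22, b"SSH-2.0-libssh_0.9.6"),
    Packet("icmp", "10.0.0.9", None, "192.0.2.1", None, b"\x08\x00"),
    Packet("udp", "10.0.0.9", 5353, "224.0.0.251", 5353, b"\x00\x00"),
    Packet("tcp", "10.0.0.5", 51517, "192.0.2.10", 8080, b"GET /ETC/PASSWD HTTP/1.1"),
]

if __name__ == "__main__":
    for i, sid, msg in run_rules([parse_rule(r) for r in RULES], PACKETS):
        print(f"packet {i}: sid {sid}: {msg}")
```

Note what the last packet shows: a signature is only as good as its header constraints, and a service moved to a non-standard port silently evades a port-specific rule. This is the "database must be current and complete" limitation of 3.1 in concrete form.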

5.2 Host Intrusion detection system (HIDS)

A host intrusion detection system (HIDS) requires a program (an agent) to be installed on each server, workstation and notebook computer to be monitored. The agent monitors the operating system and writes data to log files and/or triggers alarms. A HIDS can only monitor the individual hosts on which agents are installed; it cannot monitor the entire network.

The event data is sent to a logging service to record the events and possibly correlate them with other events. Examples of HIDS are Tripwire and OSSEC.
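The "recognise and report alterations to data" capability that Tripwire and OSSEC provide, as an added example (it is not the code of either project): a file integrity monitor that records a SHA-256 baseline of a directory tree, signs the baseline with an HMAC key, and reports files added, removed or modified since. The directory contents, the intrusion it simulates and the HMAC key are all constructed for the demo; in a real deployment the key and the signed baseline live off the monitored host.

```python
"""Host-based file integrity monitoring with a signed baseline (added example)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> dict:
    """Map every regular file (path relative to root, POSIX form) to its digest and size."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            result[rel] = {"sha256": file_digest(p), "size": p.stat().st_size}
    return result


def sign_baseline(baseline: dict, key: bytes) -> dict:
    """Serialise deterministically and attach an HMAC-SHA256 tag.

    An attacker who gains root can rewrite the baseline file; without the key
    they cannot produce a valid tag, so a tampered baseline is rejected.
    """
    payload = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def load_baseline(signed: dict, key: bytes) -> dict:
    expected = hmac.new(key, signed["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        raise ValueError("baseline tag mismatch: baseline may have been tampered with")
    return json.loads(signed["payload"])


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files, sorted for stable output."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a tree, then simulate an intrusion."""
    key = b"example-hmac-key-keep-off-host"  # assumed key, for the demo only
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF stand-in binary")
        signed = sign_baseline(scan(root), key)

        # Simulated intrusion: backdoor account, deleted binary, cron persistence.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
        (root / "bin" / "ls").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/.x\n")

        report = compare(load_baseline(signed, key), scan(root))

        # An attacker editing the stored baseline to hide the change is caught by the tag.
        tampered = dict(signed, payload=signed["payload"].replace("etc/passwd", "etc/passwd.bak"))
        try:
            load_baseline(tampered, key)
            report["tamper_detected"] = False
        except ValueError:
            report["tamper_detected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The signed baseline addresses only part of the third HIDS drawback listed below: an attacker with root can still stop the agent, so the check must run from, or report to, a system the attacker does not control.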

The drawbacks of host intrusion detection systems are:

• It is difficult to analyse intrusion attempts across multiple computers.

• It can be very difficult to maintain in large networks with many different operating systems and configurations.

• It can be disabled by an attacker once the host is compromised.

The major difference between network-based and host-based intrusion detection is in what they analyse: a host-based system analyses logs and other information about the state of the host, whereas a network-based system analyses network traffic directly, checking every network event. While a machine is off the LAN, only a host-based system offers protection. Host-based detection is also generally more affordable than network-based.

Some commercial products use the methodologies of both HIDS and NIDS; this kind of IDS is called a hybrid IDS.

5.3 Future of IDS

• To develop IDS schemes that detect novel attacks rather than individual instances of known ones.

• To integrate network- and host-based IDS for better detection.

Intrusion Prevention System

Intrusion prevention systems are an important component of IT defence; without this technology networks and data are more susceptible to attack.

An intrusion prevention system (IPS) is any device (hardware or software) that can detect attacks, both known and unknown, prevent them from succeeding, and report the activity. Among its benefits, an IPS gives extra protection from denial of service and from critical vulnerabilities in widely deployed software such as Microsoft Windows. IPSs are used in large organisations, and in future home users will be able to use a variation of the technology.


Fig. 2. Intrusion Prevention System

The IPS often sits directly behind the firewall, providing a complementary layer of analysis that filters out dangerous content. Unlike an IDS, which is a passive system that inspects traffic and reports on threats, the IPS is placed inline (in the direct communication path between source and destination), actively analysing all traffic flows that enter the network and taking automated action on them. The functions of an IPS are detection, prevention and reaction; specifically, its actions include:

Sending an alarm to the administrator (as would be seen in an IDS)

Dropping the malicious packets

Blocking traffic from the source address

Resetting the connection
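The inline placement and the four actions just listed, as an added example that is not any product's code. Every packet passes through `process`, which is what makes the engine an IPS rather than an IDS. Two design points a practitioner would want are built in: low-confidence rules only alert (the packet is still forwarded), so a false positive cannot deny service, and all per-source state is bounded and expiring, so the IPS itself cannot be exhausted by a flood of spoofed sources. The signatures, thresholds, addresses and packets are constructed for the demo.

```python
"""Inline IPS: forward, alert, drop, block-source and reset verdicts (added example)."""
from collections import OrderedDict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float       # arrival time in seconds
    src: str
    dst: str
    dport: int
    flags: str      # TCP flags, e.g. "S", "SA", "PA"
    payload: bytes = b""


# (pattern, action, message). 'reset' rules are high confidence; 'alert' rules
# are noisy and therefore only log. Constructed for the demo.
SIGNATURES = [
    (b"/etc/passwd", "reset", "path traversal towards /etc/passwd"),
    (b"UNION SELECT", "alert", "possible SQL injection (alert only: high false-positive rate)"),
]


class InlineIPS:
    def __init__(self, block_seconds=60.0, syn_limit=20, syn_window=1.0, max_tracked=10_000):
        self.block_seconds = block_seconds
        self.syn_limit = syn_limit
        self.syn_window = syn_window
        self.max_tracked = max_tracked
        self.blocked = OrderedDict()    # src -> expiry time, insertion ordered
        self.syn_times = OrderedDict()  # src -> deque of recent SYN timestamps

    def _expire(self, now):
        for src in [s for s, exp in self.blocked.items() if exp <= now]:
            del self.blocked[src]

    def _bounded_insert(self, table, key, value):
        """Evict the oldest entry when a table is full, so memory stays
        O(max_tracked) even under a flood of never-before-seen sources."""
        if key not in table and len(table) >= self.max_tracked:
            table.popitem(last=False)
        table[key] = value

    def _block(self, src, now):
        self._bounded_insert(self.blocked, src, now + self.block_seconds)

    def _syn_rate_exceeded(self, pkt):
        q = self.syn_times.get(pkt.src)
        if q is None:
            q = deque()
            self._bounded_insert(self.syn_times, pkt.src, q)
        q.append(pkt.ts)
        while q and q[0] < pkt.ts - self.syn_window:
            q.popleft()
        return len(q) > self.syn_limit

    def process(self, pkt):
        """Return (verdict, reason). Verdicts: forward, alert (forwarded, logged), drop, reset."""
        self._expire(pkt.ts)
        if pkt.src in self.blocked:
            return ("drop", f"{pkt.src} is blocked")
        if pkt.flags == "S" and self._syn_rate_exceeded(pkt):
            self._block(pkt.src, pkt.ts)
            return ("drop", f"SYN rate from {pkt.src} over {self.syn_limit}/{self.syn_window}s; source blocked")
        for pattern, action, msg in SIGNATURES:
            if pattern in pkt.payload:
                if action == "reset":
                    self._block(pkt.src, pkt.ts)  # RST the connection and refuse further traffic
                    return ("reset", msg)
                return ("alert", msg)
        return ("forward", "")


def demo():
    """Constructed traffic: a traversal attempt, a noisy SQLi-like query, a SYN flood,
    and the blocked host returning after its block has expired."""
    ips = InlineIPS()
    web = "192.0.2.10"
    pkts = [
        Packet(0.0, "10.0.0.5", web, 80, "PA", b"GET /index.html HTTP/1.1"),
        Packet(0.1, "10.0.0.5", web, 80, "PA", b"GET /cgi-bin/../../etc/passwd HTTP/1.1"),
        Packet(0.2, "10.0.0.5", web, 80, "PA", b"GET /index.html HTTP/1.1"),
        Packet(0.3, "10.0.0.6", web, 80, "PA", b"GET /search?q=1 UNION SELECT 1 HTTP/1.1"),
        Packet(0.4, "10.0.0.6", web, 80, "PA", b"GET /index.html HTTP/1.1"),
    ]
    pkts += [Packet(1.0 + i * 0.01, "10.0.0.9", web, 443, "S") for i in range(25)]
    pkts.append(Packet(70.0, "10.0.0.5", web, 80, "PA", b"GET /index.html HTTP/1.1"))
    return [ips.process(p) for p in pkts]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, reason)
```

The second host's `UNION SELECT` request is forwarded with an alert rather than blocked: that is the tuning decision the "Downside" section below calls for, accepting a false negative risk on a noisy rule rather than a false positive that denies service. The block table expiring after `block_seconds` is what lets the first host's legitimate traffic resume at the end.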

6.1 Example of IPS implementation

Most organisations want to protect their databases and the users on their main network, but a major challenge is traffic from foreign computers that connect to the network, many of which are already running infected software. This can be addressed by placing an IPS in front of the firewall for incoming traffic from external sources, and another behind the firewall for outgoing traffic from internal users accessing the databases. This has proved a very helpful tool in network security: without it, infiltration by malicious code would cause damage. An IPS prevents much of the downtime that would otherwise occur, and it also tells administrators where attacks are coming from so that they can block further attacks from that source.

Types of IPS

7.1 Network-based Intrusion Prevention Systems

Network-based IPS monitor network traffic, inspecting it for suspicious behaviour and code in order to identify and stop suspicious activity.

To be effective, network-based IPS sit inline and act like a network firewall. They use both attack signatures and analysis of network and application protocols, comparing the activity of frequently attacked applications against expected behaviour to identify suspicious activity. A network-based IPS (NIPS) is usually a purpose-built appliance, like a switch or router, designed to detect attacks on the network before they reach their intended targets. Network-based systems are highly customisable, making it easy for administrators to deploy attack signatures for new malware threats at once; they can block new malware well before antivirus signatures become available. While network-based IPS are effective at blocking specific known threats, such as network service worms and e-mail-borne worms and viruses with easily recognisable characteristics, they are usually incapable of stopping malicious mobile code or Trojan horses. However, a network-based IPS may be able to block some unknown threats through application protocol analysis.

7.2 Host-based IPS

Host-based IPS monitor the characteristics of a single host and the events occurring within that host for suspicious activity. Unlike network-based IPS, host-based IPS monitor the.

Examples of the characteristics a host-based IPS might monitor are wired and wireless network traffic, system logs, running processes, file access and modification, and changes to system and application configuration. Most host-based IPS install detection software known as agents on the hosts of interest. Each agent monitors activity on a single host, performs prevention actions, and transmits data to management servers. An agent is typically designed to protect a server, a desktop or laptop, or an application service. Because host-based IPS run sensors on the monitored hosts, they can affect host performance through the resources the sensors consume.

Advantages of IPS

An IPS provides protection that other controls cannot: it can act like antivirus software by detecting malicious signatures and stopping them, and then audit where the traffic came from and where it was going (a capability resembling that of a honeypot). An IPS also shields vulnerabilities in many software programs that would otherwise let attackers damage data on a user's system or flood the network with traffic.

8.1 Downside

One of the most common problems with IPS is false positives and false negatives. A false positive occurs when the system blocks activity on the network because it falls outside the norm and is assumed malicious, denying service to a valid user performing a legitimate operation; a false negative occurs when malicious activity is allowed through. Minimising false positives should be a goal of every network administrator and IPS manufacturer. False positives are most common in systems that rely on a single detection method and in those that cannot be tuned at different levels to fit the operational environment.

An IPS must use stateful inspection to provide advanced protection against new types of attacks and to defend against the growing frequency and scale of distributed denial-of-service attacks.

For IDS the problem is the large number of alerts they produce; this issue is being addressed but cannot be completely eliminated.

8.2 Future of IPS

IPS is likely to become the dominant choice in intrusion systems in the years to come, and seems to be replacing IDS, which is still in use, often in combination with IPS.

Ollmann (2003) describes future trends in IPS functionality such as perimeter defence applications, gateway appliances, and network packet inspection and prevention.

Many have predicted a bright future for IPS; Schultz (2004) predicted (i) better underlying intrusion detection, (ii) advances in application-level analysis, (iii) more sophisticated response capabilities, and (iv) integration of intrusion prevention into other security devices.

Differences between IDS and IPS

Many types of IPS avoid the weakness of signature-based intrusion detection: they can learn classes of harmful system behaviour and the types of events such behaviour attempts to produce on the target system. They are therefore better suited to responding to attacks.

Intrusion Detection System | Intrusion Prevention System
--- | ---
Detects network intrusions | Prevents network intrusions
Does not receive the traffic flow directly | Sits in the middle of the traffic flow
A passive security solution: even though attacks may be identified, they remain unblocked | A reactive security solution that responds to what it detects
Detects attacks only after they have entered the network, does nothing to stop the attack traffic, and sends an alert | Early detection and a proactive technique: once an attack is identified the offending data is blocked
Cannot be expected to detect all malicious activity at all times | Can act on new signatures or attack behaviours
Can be less powerful and less resilient and have lower support SLAs, and so be an overall cheaper choice | Setting up and maintaining an IPS is more expensive than an IDS

So all traffic passes through the IPS, which can then block or allow packets according to policy. It can also perform a degree of correction or modification if required.

One of the most common problems with IDS is that it generates so many alerts, and the prioritisation buckets are so large or inappropriate, that the SOC simply cannot investigate them all.

Another challenge with an IPS is that, because all packets pass through it, it must be as resilient as the services behind it; in a denial-of-service attack the IPS can be an easier target than the servers, since an attacker can exhaust its CPU, memory and connection-state tables.

An IDS does not block suspicious traffic, which helps sustain network performance and reduces faults.

The efficacy of an IDS depends heavily on the competence of the network administrator.

Conclusion

This work has given an overview of the technologies used to detect attacks against computer systems and has looked at techniques that can effectively protect them.

The security of information in computer-based systems and networks continues to be a major concern for researchers. Work on intrusion detection and prevention techniques and methodologies, which has been a major focus of information security research for the past two decades, is certain to continue, and the area keeps evolving. While a number of methodologies and tools have been designed to assist in identifying intruders, no definitive standard has been developed that could serve as the basis for a deployable intrusion detection tool. However, as the processing capabilities of computer systems improve and innovative approaches to intrusion detection and prevention continue to be developed, the creation of an effective intrusion detection standard is inevitable.
