Network Intrusion Detection Systems


02 Nov 2017




Table of contents

What is an Intrusion Detection System?

IDS components

Responsibilities of IDS

Terminology

Types of attacks

IDS types

Detection techniques

Top intrusion detection systems

Disadvantages

Abstract

This research focuses on the analysis of intrusion detection systems and the tools used with them, which are very popular in computer systems security. The increasing use of computers increases the threats and vulnerabilities, creating new types of attacks. The TCP/IP protocol suite, which is responsible for computer communication, has many vulnerabilities that people exploit to attack a network and carry out malicious activity. This research analyzes the different types of IDS, describing their tasks and their architecture. It also describes the significant disadvantages that these systems have, despite their complicated architecture.

Introduction

An Intrusion Detection System is any hardware, software, or combination of both that monitors a system or a network of systems for malicious activity. People often confuse an IDS with a firewall, considering it to be a function of the firewall security system, but it is much more than that.

A firewall is presented as a big fence that protects the whole information flow and prevents intrusions from happening, whereas an IDS detects whether the network is under attack or whether the security that the firewall offers has been violated.

An IDS has the advantage that it can be configured to automatically block any suspected threats or attacks, but it is the combination of firewall and IDS that enhances the security of the network.

In simpler words, an intrusion detection system identifies any possible threat and generates an alert each time it does so.

This document will present in depth what an intrusion detection system (IDS) is and evaluate its functionality, the components of which it consists and the various types of IDS.

The next step will be the examination of some basic terminology that is necessary in order to analyze IDSs.

After the analysis of what an intrusion detection system is, the document proceeds to the different types of attacks that are detectable by an IDS.

The next stop is to identify what an IDS is responsible for doing, examining a flow diagram.

Then we proceed to the various classes of IDS and the detection techniques used to recognize an intrusion.

Last but not least, we analyze the main disadvantages, classified by the technique or the type of IDS.

What is an Intrusion Detection System?

An intrusion detection system is a defense system that recognizes hostile activities such as hacking attempts, data collection, or unauthorized access to the system. It can be hardware or software. According to Amoroso:

"Intrusion detection is a process of identifying and responding to malicious activity targeted at computing and networking resources".

IDS components

An IDS normally consists of the following components:

an analysis engine

an event generator

a response module

Structure and architecture

The core element of an IDS is the sensor, the analysis engine that uses decision-making mechanisms to detect intrusions. Sensors receive data from three sources:

the IDS knowledge base

syslog, which may include configuration files or user authorizations

audit trails

The event generator, which is integrated with the sensor, is responsible for data collection. An event generator policy defines the filtering mode and the event notification information.
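As an added illustration of this architecture (example code written for this page, not from the essay or from any IDS product), the following Python script wires the three components together: an event generator parses syslog lines and applies a filtering policy, a sensor consults a small knowledge base of rules, and a response module formats the notifications for the administrator. The syslog lines, the rule, its threshold and all addresses are constructed for the example.

```python
"""Minimal host IDS pipeline: event generator -> analysis engine (sensor) -> response module.
Added example, not from the essay; the syslog lines below are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample syslog lines (sshd authentication messages plus one cron line).
SAMPLE_SYSLOG = """\
Nov  2 10:00:01 host1 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Nov  2 10:00:02 host1 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Nov  2 10:00:03 host1 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Nov  2 10:00:05 host1 cron[412]: (root) CMD (run-parts /etc/cron.hourly)
Nov  2 10:00:07 host1 sshd[2240]: Accepted publickey for alice from 198.51.100.4 port 40110 ssh2
Nov  2 10:00:09 host1 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
"""

SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)


@dataclass
class Event:
    host: str
    program: str
    message: str


def event_generator(raw_lines, policy):
    """Event generator: parse raw syslog lines into Events and apply the
    filtering policy (here: keep only the programs the policy lists)."""
    events = []
    for line in raw_lines.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line we understand: dropped by the filter
        if m.group("prog") in policy["programs"]:
            events.append(Event(m.group("host"), m.group("prog"), m.group("msg")))
    return events


@dataclass
class Sensor:
    """Analysis engine. The knowledge base is a list of (name, pattern, threshold)
    rules; a rule fires once its pattern has matched `threshold` times for one source."""
    knowledge_base: list
    counts: dict = field(default_factory=lambda: defaultdict(int))

    def analyze(self, events):
        alerts = []
        for ev in events:
            for name, pattern, threshold in self.knowledge_base:
                m = re.search(pattern, ev.message)
                if m:
                    key = (name, m.group("src"))
                    self.counts[key] += 1
                    if self.counts[key] == threshold:  # alert exactly once per source
                        alerts.append((name, m.group("src"), ev.host))
        return alerts


def response_module(alerts):
    """Response module: here it only formats notifications for the administrator."""
    return [f"ALERT {name}: source {src} on {host}" for name, src, host in alerts]


def run_pipeline(raw=SAMPLE_SYSLOG):
    """Run the three stages in order and return the notifications produced."""
    policy = {"programs": {"sshd"}}  # event generator policy: only sshd events
    kb = [  # constructed knowledge base: repeated failed logins from one source
        ("ssh-bruteforce", r"Failed password for \S+ from (?P<src>\d+\.\d+\.\d+\.\d+)", 3),
    ]
    events = event_generator(raw, policy)
    alerts = Sensor(kb).analyze(events)
    return response_module(alerts)


if __name__ == "__main__":
    for notification in run_pipeline():
        print(notification)
```

The filtering policy is what keeps the cron line out of the sensor's input, and the threshold in the knowledge base is what turns three related events into a single alert rather than three.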

Responsibilities of IDS

Prevention

Prevent an intrusion with firewall systems, network port security, authentication, and Systrace, which enforces system policies for applications by constraining an application's access to the system. Systrace improves security by providing intrusion prevention.

Simulation

Simulation software, which focuses on solving some of the hardest, most interesting problems in delivering high-quality enterprise software.

Intrusion monitoring

Monitoring data, security logs or actions on the network.

Analysis

Analyzing the data to ascertain whether it represents an attack.

Intrusion detection

Detecting the possible attack or intruder using some scheme.

Notification

Reporting the intrusion to the system administrator.

Response

Acting on or defending the computer system and possibly repelling attacks.

Terminology

Before we proceed to the IDS analysis, we define some basic terms used for IDS systems.

Intrusion: a series of activities that might be a threat to IT resources, for example unauthorized access to a computer or a domain.

Incident: a "violation of the system policy rules", which may be a successful intrusion.

Attack: a failed attempt to violate the system policy rules or to enter the system.

Modeling of intrusions: "a time-based modeling of activities that compose an intrusion". The intrusion starts with an action, followed by other auxiliary actions or evasions, in order to gain access to the system.

Types of attacks

Attacks are classified depending on the relation between intruder and victim (internal or external). IDS systems have tools that can distinguish an internal from an external attacker.

Internal attacks: the attackers come from inside (own employees, customers, etc.).

External attacks: the attackers come from outside (from the internet). External attackers are frequently hackers.

There is also a distinction between passive and active attacks.

Passive attack: the intruder searches for network information in order to use it to target a particular system. A passive attack can lead to an active attack. Some examples of passive attacks are:

Network analysis

Eavesdropping

Traffic analysis

Active attack: after the intruder has gathered a lot of information about the network, they proceed to an active attack against a targeted system. Some types of active attacks are:

Unauthorized access, data modification, DoS, etc.

Types of attacks and abuses that are detectable by IDS tools are:

unauthorized access to the resources

(Steps for more sophisticated behaviors):

Password cracking and access violation

Trojan horses stealing and interceptions

Spoofing

Scanning ports and services

Remote OS Fingerprinting

Network packet listening

Stealing information

Authority abuse

Unauthorized network connections

Usage of IT resources for private purposes

Unauthorized alteration of resources (active attack):

Falsification of identity,

Information altering and deletion,

Unauthorized transmission and creation of data (sets)

Unauthorized configuration changes to systems and network services (servers).

Denial of Service (DoS):

Flooding – compromising a system by sending huge amounts of useless information to deny services:

Ping flood (Smurf)

mail flood

SYN flood

Distributed Denial of Service (DDoS): coming from multiple sources.

Web application attacks are attacks that take advantage of application bugs and may cause the same problems as described above.

Attacks are almost never a single action, but a series of discrete events which, when combined, make up the final attack.

IDS types

There are three main types of Intrusion Detection Systems:

Host-Based Intrusion Detection Systems (HIDS)

In a host-based IDS the system is installed on a host in the network and analyzes the traffic intended for that specific host. A HIDS makes use of its access to the host to monitor specific components that are not accessible to other systems, such as specific "key" files of the operating system (password files or registry files). A HIDS detects suspicious activities (such as an attempt to overwrite such a file) only for the specific host and not for the entire network.

Network Intrusion Detection Systems (NIDS)

A NIDS can identify security threats and analyze network traffic. It can detect attacks (or suspicious patterns) such as scans, denial of service attacks and unauthorized access through examination of the inbound packets. NIDS are installed at strategic points on the network and can monitor traffic to and from all hosts rather than a single host. A network-based IDS uses techniques like "packet sniffing" to pull data from TCP/IP or other protocol packets.

The main difference between a HIDS and a NIDS is that a host-based IDS analyzes activity on a host, in comparison to a NIDS, which analyzes packet traffic directed to computer systems on a network.

Detection techniques

These techniques are used in both software IDS and hardware IDS.

Signature Detection

In this technique, known representations of intrusions are stored in a database and compared to the system events. When an event matches a signature, an alert is triggered. This technique is used for detecting known attacks, e.g. a DoS attack.
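An added example of signature detection (written for this page, not from the essay; the rule layout is loosely modelled on content-matching NIDS rules and is an assumption of this example): a constructed signature database is compared against constructed packets, and one alert is produced per match. The protocol and port constraints of a signature are checked before the payload is searched, which is what keeps the string search from running against every packet.

```python
"""Signature detection over packet payloads. Added example, not from the essay.
The signature database, the packets and all addresses are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    sid: int                  # signature id
    name: str                 # alert message
    proto: str                # transport protocol the rule applies to
    dst_port: Optional[int]   # None means any destination port
    content: bytes            # byte pattern that must appear in the payload
    nocase: bool = False      # case-insensitive content match


# Constructed signature database: the "known representations of intrusions".
SIGNATURE_DB = [
    Signature(1001, "directory traversal in HTTP URI", "tcp", 80, b"../.."),
    Signature(1002, "SQL injection probe in HTTP request", "tcp", 80, b"' or 1=1", nocase=True),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int
    payload: bytes


def matches(sig, pkt):
    """True if the packet satisfies every constraint of the signature."""
    if sig.proto != pkt.proto:
        return False
    if sig.dst_port is not None and sig.dst_port != pkt.dst_port:
        return False
    haystack, needle = pkt.payload, sig.content
    if sig.nocase:
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack


def inspect(packets, db=SIGNATURE_DB):
    """Compare each packet against the whole database; one alert tuple per match."""
    alerts = []
    for pkt in packets:
        for sig in db:
            if matches(sig, pkt):
                alerts.append((sig.sid, sig.name, pkt.src, pkt.dst))
    return alerts


# Constructed sample traffic: one benign request, two matching requests, and one
# request that would match except that it goes to a port the rules do not cover.
SAMPLE_PACKETS = [
    Packet("198.51.100.4", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("203.0.113.7", "192.0.2.10", "tcp", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.7", "192.0.2.10", "tcp", 80, b"GET /login?user=admin' OR 1=1-- HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.7", "192.0.2.10", "tcp", 8080, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"),
]


if __name__ == "__main__":
    for sid, name, src, dst in inspect(SAMPLE_PACKETS):
        print(f"[{sid}] {name}: {src} -> {dst}")
```

The fourth packet shows the limitation the essay lists under disadvantages from the other side: the same payload on a port the signature does not cover produces no alert, so signature coverage is only as good as the database.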

Anomaly Detection

An anomaly-based IDS is a system that observes computer interruptions and corruptions by observing the system activities and categorizing them into two groups, normal and anomalous.

This categorization is based on behaviors and rules and not on design and signatures. This way it is possible to identify any kind of corruption that may occur and would not be caused by normal system use.

The detection of an anomaly is done by measuring the average over time and then raising an alert when the observed behavior differs from the average that has been measured and calculated. For this to be accomplished, a set of data is gathered from the system activity and this data set is baselined.

The biggest issue we face with anomaly detection is the difficulty of determining each protocol's rules. The rule development method is complicated by the differences between implementations of the various protocols.
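The baselining described above, as an added example that is not part of the original essay: a "normal" period of activity (constructed counts of outbound connections per minute for one host) is measured to obtain a mean and standard deviation, and later observations that deviate from that mean by more than a chosen number of standard deviations are reported. The threshold is the knob that trades missed detections against false alarms.

```python
"""Anomaly detection by baselining. Added example, not from the essay.
All counts below are constructed."""
from statistics import mean, pstdev

# Constructed training data: outbound connections per minute for one host during
# a period taken to be normal (this is the data set that gets baselined).
TRAINING = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13, 12, 14]

# Constructed live observations: normal traffic with one burst in the middle.
LIVE = [13, 14, 12, 95, 15, 13]


def build_baseline(samples):
    """Baseline = (mean, population standard deviation) of the measured activity."""
    return mean(samples), pstdev(samples)


def z_score(value, baseline):
    """How many standard deviations `value` lies from the baseline mean."""
    mu, sigma = baseline
    if sigma == 0:  # constant training data: anything different is maximally unusual
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def detect_anomalies(observations, baseline, threshold=3.0):
    """Return (index, value, z) for every observation further than `threshold`
    standard deviations from the baseline mean."""
    flagged = []
    for i, v in enumerate(observations):
        z = z_score(v, baseline)
        if abs(z) > threshold:
            flagged.append((i, v, round(z, 2)))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    print("baseline mean=%.2f sigma=%.2f" % baseline)
    for threshold in (3.0, 1.0):
        print(f"threshold {threshold}: {detect_anomalies(LIVE, baseline, threshold)}")
```

With the default threshold only the burst is reported; lowering the threshold to one standard deviation also flags an ordinary minute of 15 connections, which is exactly the false-alarm behaviour the essay attributes to anomaly detection.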

Target Monitoring

Target monitoring periodically compares a cryptographic hash for every file on the system to ensure that the files have not changed. This type of detection is easy to implement because there is no need for constant monitoring by an administrator.

Stealth Probes

This technique collects a great amount of data, since it checks for methodical attacks over a period of months. It can detect attackers who try to intrude over a long period of time, checking for system vulnerabilities, open ports, etc., and waiting for the "right" time.
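An added example (not from the essay) of why the long data retention matters: constructed connection records are grouped per source and destination, and a source is flagged when it touches many distinct ports within a sliding window measured in days. The same records evaluated with a one-day window, as a detector tuned for fast scans would use, flag nothing.

```python
"""Long-window detection of slow probes. Added example, not from the essay.
The connection records and addresses are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection log: (timestamp, src, dst, dst_port). One source touches a
# different port every few days over most of a month; another only ever uses 443.
RECORDS = [
    (datetime(2017, 10, 1, 3, 15), "203.0.113.7", "192.0.2.10", 21),
    (datetime(2017, 10, 3, 2, 40), "203.0.113.7", "192.0.2.10", 22),
    (datetime(2017, 10, 6, 4, 5), "203.0.113.7", "192.0.2.10", 23),
    (datetime(2017, 10, 9, 1, 50), "203.0.113.7", "192.0.2.10", 25),
    (datetime(2017, 10, 14, 3, 30), "203.0.113.7", "192.0.2.10", 80),
    (datetime(2017, 10, 20, 2, 10), "203.0.113.7", "192.0.2.10", 110),
    (datetime(2017, 10, 27, 5, 0), "203.0.113.7", "192.0.2.10", 443),
    (datetime(2017, 10, 2, 9, 0), "198.51.100.4", "192.0.2.10", 443),
    (datetime(2017, 10, 15, 9, 0), "198.51.100.4", "192.0.2.10", 443),
    (datetime(2017, 10, 28, 9, 0), "198.51.100.4", "192.0.2.10", 443),
]


def slow_scan_sources(records, window_days, min_ports):
    """Return the set of sources that touched at least `min_ports` distinct ports on
    one destination within any span of `window_days` days."""
    window = timedelta(days=window_days)
    per_pair = defaultdict(list)
    for ts, src, dst, port in sorted(records):
        per_pair[(src, dst)].append((ts, port))

    flagged = set()
    for (src, _dst), hits in per_pair.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct_ports = {port for _, port in hits[start:end + 1]}
            if len(distinct_ports) >= min_ports:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    print("30-day window:", slow_scan_sources(RECORDS, window_days=30, min_ports=5))
    print("1-day window: ", slow_scan_sources(RECORDS, window_days=1, min_ports=5))
```

The cost the essay mentions is visible in the code: every (source, destination, port, time) record has to be kept for the whole window before it can be discarded, so the retention period directly sets the storage the technique needs.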

Top intrusion detection systems

Snort: open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire

The Bro Network Security Monitor

OSSEC: an open source host-based intrusion detection system

fragrouter: network intrusion detection evasion toolkit

Basic Analysis and Security Engine (BASE) project

Sguil: built by network security analysts for network security analysts

Disadvantages

While intrusion detection systems can help with network security, there are many disadvantages that should be taken into account. IDSs rely on the IP address of the IP packet sent to the network in order to provide information, and sometimes this address can be faked or scrambled. Another issue is encrypted packets, which cannot be processed by the IDS, allowing an alleged intrusion to take place through a virus or a software bug. While they are able to detect suspicious behavior, sometimes an alarm may be false. In order to give a more analytical view, we discuss the main disadvantages of the various IDS types and of the methods being used.

NIDS type

One main disadvantage of the network intrusion detection system is that it cannot scan protocols if the data is encrypted. Another disadvantage is that it is hard to implement on fully switched networks, and it is also very difficult to implement on a network with very large bandwidth.

HIDS type

A host intrusion detection system cannot see all network activities.

Also, the audit trails can take up a lot of storage.

Greater deployment and maintenance cost.

Anomaly detection

Even if it is possible to detect unknown attacks, this type of detection generates many false alarms, undermining the effectiveness of the IDS.

Signature based detection

This technique is based on a signature engine that detects only known attacks stored in the database, and cannot detect new or unknown attacks. It also has a high rate of false positives, since the mechanism used searches for strings within packets.


