The Driving Factors over IDS


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract

Computer systems today are subject to many attacks, and these problems can be expected to increase. One way of protecting systems is better authentication and other categories of preventive security mechanism. In most cases these mechanisms do not offer enough protection on their own and should be complemented with monitoring and detection mechanisms. Intrusion detection over the network is therefore an important field of information security. Although many intrusion detection systems are available today, the technology is still young, and the fight against threats from both internal and external sources seems endless. Intrusion detection systems (IDS) have become a significant part of the security toolbox. Nevertheless, many security specialists are still in the dark about IDS and unsure what IDS tools do, how to use them, or why they are necessary. In this article we present a brief overview of IDS, including a sketch of the field, the functions an IDS performs and the diverse detection techniques that can be employed.

Keywords

Availability; Authenticity; Attacks; Detection; Expansion; Intrusion; Security; Sensitive; Converging; Techniques; Threats; Legitimate

Introduction

Before we can answer the question asked in every networked age, "Why do we need network security?", we have to take a close look at the systems we run today. For the first decades of their existence, networks were used primarily by university researchers and scientists for sending e-mail and for sharing printers and other office resources. In those days protection was not a major concern. As the Internet expanded, so did the opportunities for its misuse, the result of a host of security flaws: e-mail was easy to spoof, passwords were transmitted in the clear and connections could be hijacked. Nevertheless, most users had no real interest in these failings until the 1988 Internet worm, which gave a glimpse of how damaging such defects can be. Today, with billions of ordinary citizens using networks for banking and shopping, network security looms as a potentially massive problem. Computer crimes are common and there are many indications that the problem will grow.

Security can be defined as a continuous process of protecting an object from attack. That object may be a person, an organization such as a business, or property such as a computer system or a file. Network security can be defined as the process of securing network assets from internal and external threats; it can also be defined as protecting data that is stored on, or travels over, a network against accidental or intentional unauthorized disclosure or modification. Many people view network security as having three main goals, availability, integrity and confidentiality, which are shown in figure 1 as the core trinity of network security.
Availability ensures that information, a service or an asset is accessible and can provide the service it is designed for when it is needed. Several practices in networking, such as redundancy and backups, raise the level of availability a system can offer. Denial of service attacks are aimed at the availability of a system. Integrity is the assurance that software or data is complete and accurate, and that it is authentic: network integrity means that data is protected from unauthorized modification and destruction. It can be enforced with cryptographic mechanisms such as message authentication codes and digital signatures. Confidentiality protects sensitive information from disclosure and interception; here cryptography, in the form of encryption, is again the main tool.

Figure 1. Network security trinity [2]

The relative importance of these characteristics varies with the organization's business. A bank will be most concerned about the integrity of its data, whereas an ISP values availability as the most important characteristic for its business. The three are connected and must cooperate to provide an adequate level of security. Based on everything we know, this truly seems to be the golden age of hacking. This statement is true for several reasons, which we explain as follows.

Easy to be cracked. The Internet grew so quickly that few gave any thought to security. Attackers have the upper hand, and it will take a while before companies secure their systems. The safest thing for a company to do would be to disconnect from the Internet until its systems are secure, but no one will do that. Worse still is how companies have built their networks. In the past every company's network and systems were different: in the late 1980s companies hired programmers to customize their applications and systems, so an attacker who wanted to break into your network had to learn a lot about your environment, and that knowledge did not help him against another company's network because its systems were totally different. Now every company uses the same equipment with the same software. An attacker who learns Cisco equipment can break into practically any system on the Internet; because networks are so similar and software and hardware so standardized, the attacker's job is much easier [7].

Easy to attack and exploit. Not only are systems easy to break into, but the tools for automating attacks are very easy to obtain on the Internet. An attacker with minimal sophistication can download tools that allow him to run very sophisticated attacks. The ease with which these tools and techniques can be obtained turns anyone with Internet access into a potential attacker [7].

Boundless nature of the Internet. Another issue is the ease with which a user connected to the Internet crosses local, state and international boundaries. Mistyping a single number in an IP address can be the difference between connecting to a machine across the room and one across the world. When a connection comes from outside the country, international cooperation is required to trace it. Because it is so easy to connect to a machine anywhere in the world, attackers can hide their path by hopping through several computers in several countries before attacking the target machine, and choosing countries that are not allies can almost eliminate the possibility of a successful trace. Tracing such an attacker therefore takes a lot of time and requires timely cooperation among all the jurisdictions involved, which is difficult at best [7].

No policing. Because no one polices the Internet, when problems occur there are no clear lines over who should investigate and what crime has been committed. Most countries try to apply conventional laws to the Internet; in some cases they fit, in others they do not adapt well. Even if an entity did police the Internet, enforcement would still be difficult because the crimes are committed virtually, from anywhere [7].

So securing a computer network is no longer an option; it has become a must, and the question is not whether to secure your network but how. An intrusion detection system can be defined as the tools, methods and resources that help identify, assess and report unauthorized or unapproved network activity. As the name suggests, the primary mission of an IDS is to detect intrusions: it aims to recognize computer attacks and raise a timely alert. An IDS installed on a network serves the same purpose as a burglar alarm installed in a house. Using different techniques, both detect when an intruder is present and both then issue some type of alert. IDSs are often used together with firewalls, which regulate the flow of traffic into and out of a network, but the two are different security instruments and should not be treated as the same thing: a firewall enforces a policy on what traffic may pass, while an IDS observes traffic and activity and reports what looks hostile.

Driving Factors over IDS

The concept of intrusion detection is not new; it was first discussed more than thirty years ago, and many researchers have addressed it since. In this chapter we look at previous and current work in the field. Originally, intrusion detection was done by system administrators sitting in front of a console and monitoring user activity. They might detect an intrusion by noticing, for example, that a user who was on vacation was logged in locally, or that a seldom used printer was unusually active. Although effective enough at the time, this early form of intrusion detection was ad hoc and did not scale. The next step involved audit logs, which system administrators reviewed for evidence of unusual or malicious behavior. In the late 1980s administrators typically printed audit logs on fan-folded paper, and the stack was often four to five feet high by the end of an average week; searching through it was very resource consuming. With this overabundance of information and only manual analysis, administrators mainly used audit logs as a forensic tool to determine the cause of a particular security incident after the fact. There was little hope of catching an attack in progress. As storage became cheaper, audit logs moved online and researchers developed programs to analyze the data. Analysis was slow and often computationally intensive, however, so intrusion detection programs were usually run at night when the user load was low, and most intrusions were still detected after they had occurred. In the early 1990s researchers developed real-time intrusion detection systems that reviewed audit data as it was produced. This enabled attacks and attempted attacks to be detected as they occurred, which in turn allowed real-time response and, in some cases, attack preemption [1].
More recent intrusion detection efforts have centered on products that users can deploy effectively in large networks. This is no easy task, given increasing security concerns, countless novel attack techniques and continuous change in the surrounding computing environment.

The following terms are used in this chapter in the sense of [19].

Threat: the possibility of a deliberate, unauthorized attempt to access or manipulate information, or to render a system unreliable or unusable [19].

Risk: accidental and unpredictable exposure of information, or violation of operational integrity, due to malfunction of hardware or incomplete or incorrect software design [19].

Vulnerability: a known or suspected flaw in the hardware or software design or in the operation of a system that exposes the system to penetration, or its information to accidental disclosure [19].

Attack: a specific formulation or execution of a plan to carry out a threat [19].

Penetration: a successful attack; the ability to obtain unauthorized (and undetected) access to files and programs, or to the control state of a system [19].

In [15] it was proposed that audit trails should be used to monitor threats; until then security procedures had focused on denying unauthorized access to sensitive data. Later, [2] proposed intrusion detection as a solution to the problem of providing security in computer systems. The basic idea is that intrusive behavior involves abnormal use of the system. The model is a rule-based pattern matching system: models of normal use are constructed and checked against actual use, and any significant deviation is flagged as abnormal. Statistical approaches compare the recent behavior of a user with that user's previously observed behavior and treat any significant deviation as an intrusion; this requires constructing a model of normal user behavior. Predictive pattern generation uses a rule base of user profiles defined as statistically weighted event sequences, and attempts to predict future events from events that have already occurred. State transition analysis represents an intrusion as a series of state changes that lead from an initial secure state to a target compromised state. Using the audit trail as input, an analysis tool compares the state changes produced by a user against state transition diagrams of known penetrations [4].
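The state transition analysis just described, as an added example that is not code from the paper or from any system it cites. A known penetration is written as an ordered list of transitions; each transition is a predicate on one audit record that may bind variables (here the user and the file name) which later transitions must agree with, and the analyser reports when the final, compromised state is reached. The three-step scenario (an unprivileged user copies a shell under /tmp, sets its setuid bit, then executes it) and the audit records are constructed for illustration only.

```python
"""State transition analysis over an audit trail (added example, not from the paper)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class AuditRecord:
    seq: int          # position in the audit trail
    user: str
    action: str       # "copy", "chmod", "exec", ...
    obj: str          # object (file path) the action touched
    mode: str = ""    # new permission bits, for chmod records

Bindings = Dict[str, str]
# A transition returns the (possibly extended) bindings when the record
# satisfies it, or None when the record does not advance this scenario.
Transition = Tuple[str, Callable[[AuditRecord, Bindings], Optional[Bindings]]]

def copy_shell(rec: AuditRecord, b: Bindings) -> Optional[Bindings]:
    # S0 -> S1: an unprivileged user places a shell under /tmp (constructed scenario).
    if rec.action == "copy" and rec.user != "root" and rec.obj.startswith("/tmp/"):
        return {**b, "user": rec.user, "file": rec.obj}
    return None

def set_setuid(rec: AuditRecord, b: Bindings) -> Optional[Bindings]:
    # S1 -> S2: the same user sets the setuid bit on that same file.
    if (rec.action == "chmod" and rec.user == b["user"]
            and rec.obj == b["file"] and rec.mode.startswith("4")):
        return b
    return None

def exec_setuid(rec: AuditRecord, b: Bindings) -> Optional[Bindings]:
    # S2 -> S3 (compromised state): the same user executes that file.
    if rec.action == "exec" and rec.user == b["user"] and rec.obj == b["file"]:
        return b
    return None

SETUID_SHELL: List[Transition] = [
    ("copy_shell", copy_shell),
    ("set_setuid", set_setuid),
    ("exec_setuid", exec_setuid),
]

def analyse(trail: List[AuditRecord], scenario: List[Transition]) -> List[dict]:
    """Return one dict per completed scenario: the bound variables plus the
    sequence numbers of the records that made up the penetration. Several
    partial matches are tracked in parallel, one per set of bindings, so
    interleaved activity by other users does not break a match."""
    partials: List[Tuple[int, Bindings, List[int]]] = []   # (next state, bindings, seqs)
    completed: List[dict] = []
    for rec in trail:
        advanced: List[Tuple[int, Bindings, List[int]]] = []
        for state, b, seqs in partials:
            nb = scenario[state][1](rec, b)
            if nb is None:
                advanced.append((state, b, seqs))          # no progress, keep waiting
            elif state + 1 == len(scenario):
                completed.append({**nb, "records": seqs + [rec.seq]})
            else:
                advanced.append((state + 1, nb, seqs + [rec.seq]))
        nb = scenario[0][1](rec, {})                        # does a new match start here?
        if nb is not None:
            if len(scenario) == 1:
                completed.append({**nb, "records": [rec.seq]})
            else:
                advanced.append((1, nb, [rec.seq]))
        partials = advanced
    return completed

# Constructed audit trail: bob completes the scenario, carol only starts it,
# and alice's records are unrelated noise interleaved with both.
TRAIL = [
    AuditRecord(1, "alice", "login", "tty1"),
    AuditRecord(2, "bob",   "copy",  "/tmp/.x/sh"),
    AuditRecord(3, "alice", "exec",  "/usr/bin/vi"),
    AuditRecord(4, "bob",   "chmod", "/tmp/.x/sh", mode="4755"),
    AuditRecord(5, "carol", "copy",  "/tmp/sh"),
    AuditRecord(6, "bob",   "exec",  "/tmp/.x/sh"),
    AuditRecord(7, "carol", "exec",  "/tmp/sh"),       # never set setuid: no alert
]

if __name__ == "__main__":
    for hit in analyse(TRAIL, SETUID_SHELL):
        print(f"penetration by {hit['user']} via {hit['file']}, records {hit['records']}")
```

The bindings are what distinguish this from a plain pattern match: a chmod by a different user, or on a different file, does not advance the scenario, and a partial match stays alive across unrelated records until it either completes or the trail ends.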

Keystroke monitoring uses a user's keystrokes to detect an intrusion attempt, matching the keystroke sequence against predefined attack sequences. A model-based approach attempts to model intrusions at a higher level of abstraction than audit trail records. This lets administrators describe a penetration abstractly and shifts the burden of determining which audit records belong to a suspect sequence onto the expert system; it differs from the rule-based expert system technique, which simply pattern matches audit records against expert rules. The pattern matching approach encodes known intrusion signatures as patterns that are matched against the audit data; signatures are classified by the structural interrelationships among their elements, and any matched pattern is reported as an intrusion [5]. In recent years several data mining approaches have also been used to construct IDSs.

A novel IDS architecture employing both anomaly and misuse detection has also been proposed. This hybrid IDS consists of an anomaly module, a misuse module and a decision support system (DSS) that combines the output of the two detection modules. The anomaly module applies a Self Organizing Map (SOM) to model normal behavior; the misuse module applies a decision tree algorithm to classify different forms of attack; and a rule-based DSS interprets the combined results of the two modules. Another author formulated intrusion detection as a binary classification problem using a support vector machine (SVM), applying text processing techniques to the frequencies of the system calls executed by privileged programs. Other work demonstrates the modeling and analysis of an IDS using the process algebra CSP (communicating sequential processes) and its model checker FDR; the authors show that this analysis can discover attack strategies that blind an efficient IDS, even a hypothetically perfect one that knows all the weaknesses of the host it protects. Current IDSs examine all data features to detect intrusion or misuse patterns, but some features may be redundant or contribute little to detection. The performance of two feature selection algorithms, Bayesian networks (BN) and Classification and Regression Trees (CART), has been investigated, and the empirical results indicate that selecting significant input features is important for designing an IDS that is lightweight, efficient and effective for real-world detection. Most IDSs have a single-level structure and can detect either misuse or anomalies.
Some IDSs with a multi-level structure or multiple classifiers have been proposed to detect both, but they are limited in adaptive learning [16], [17].

Traits of IDS

Our existing computer systems are supposed to provide assurance against denial of service (DoS); however, with improved connectivity and the vast financial potential that is opening up, more systems are subject to attack by hackers. These subversion attempts try to take advantage of flaws in the operating system and in the main applications of the system. This raises another important question: how can we handle subversion attempts? There are two possibilities. One is to prevent subversion itself by building a completely secure system, for example by requiring all users to authenticate themselves, guarding data with cryptographic methods and enforcing tight access control. In practice it is not possible to build a completely secure system, because a bug-free system is still a dream.

Since designing and implementing a bug-free system is extremely difficult, the second possibility is detection: if there are attacks, we want to detect them as soon as possible and take appropriate action. This is exactly the job of an IDS. An IDS does not usually take preventive measures; it is a reactive rather than a proactive agent. Intrusions can be divided into six main types:

Attempted break-ins, detected by atypical behavior profiles or violations of security constraints [16].

Masquerades, detected by atypical behavior profiles or violations of security constraints [16].

Penetration of security controls, detected by monitoring for specific patterns of activity [16].

Leakage, detected by abnormal use of I/O resources [16].

Denial of service, detected by abnormal use of system resources [16].

Malicious use, detected by abnormal use of special privileges [16].

Intrusion detection systems can be classified according to several criteria: their information sources, their detection techniques and their response options. A common way to classify an IDS is by its information source. Many IDSs analyze network packets; most commercial IDSs are network-based systems that detect attacks by capturing and analyzing network packets.

Listening on a network switch, a single network-based IDS can monitor the traffic of all the hosts connected to that switch and so protect them. Note that a switch forwards each frame only to its destination port, so the sensor must be attached to a mirror (SPAN) port or a network tap to see the traffic at all. Network-based IDSs often consist of a set of sensors placed at various points in a network; these sensors monitor network traffic, perform local analysis of it and report attacks to a central management console. The main objective of network security is to ensure that protected applications, and the information they consume and produce, are not compromised by malicious security breaches. The basic functional elements needed to build a network security system can therefore be defined in terms of the well known security services required for secure message exchange: privacy, authentication, authorization, message integrity and non-repudiation.

Associated security views with IDS

Host-based IDS (HIDS) and network-based IDS (NIDS) are the two commonly recognized types of IDS; as table 2 shows, they differ considerably from each other.

A host-based IDS is agent-based: a software agent resides on each monitored host and collects that host's audit trail in real time. This spreads the CPU load of analysis across the hosts and gives a flexible means of security administration.

It is beneficial to integrate the network-based IDS so that it filters alerts in the same manner as the host-based part of the system. This provides an effective means of supervising both types of intrusion detection from one place.

NIDS                                                   | HIDS
-------------------------------------------------------|------------------------------------------------------
Broad scope (watches all network activity)             | Narrow scope (watches one host's activity)
Easier setup                                           | More complex setup
Better at detecting attacks from outside               | Better at detecting attacks from inside
Low cost to implement                                  | Expensive to implement
Detection based on traffic recorded across the network | Detection based on what a single host can record
Examines packet headers                                | Does not examine packet headers
Responds in (near) real time                           | Responds after a suspicious log entry is written
OS-independent                                         | OS-specific
Detects network attacks by analyzing the payload       | Detects local attacks before they reach the network
Detects unsuccessful attack attempts                   | Can verify the success or failure of an attack

Table 2. Differences between NIDS and HIDS

Most internal threats come from two sources: employees and accidents. Employee threats may be intentional or accidental; we do not dwell on accidental ones here. In most cases employees know more about a network and the computers on it than any outsider. At the very least they have legitimate access to user accounts, and IT personnel have various levels of increased access. Intentional employee security threats include the following:

Employees who use hacking techniques to elevate their legitimate access to root or administrator access, allowing them to reveal trade secrets, steal money and so on for personal or political gain.

Employees who abuse their legitimate access to reveal trade secrets, steal money and so on for personal or political gain.

Family members of employees who are visiting the office and have been given access to company computers to occupy them while they wait.

People who break into secure machine rooms to gain physical access to mainframe and other large system consoles.

Hackers and crackers are the sources of external threats to any existing system, so we look more closely at who they are and why they do what they do. A hacker, in the original sense of the word, is a person intensely interested in the arcane and recondite workings of any computer operating system. Most often hackers are programmers; as such they obtain advanced knowledge of operating systems and programming languages and may know of holes within systems and the reasons for those holes. Hackers constantly seek further knowledge, freely share what they discover and never intentionally damage data. A cracker is a person who breaks into or otherwise violates the integrity of remote machines with malicious intent. Having gained unauthorized access, crackers destroy vital data, deny service to legitimate users or otherwise cause problems for their targets. Crackers can easily be identified because their actions are malicious.

Detection Techniques and further response options

IDSs can be classified by detection technique into misuse detection and anomaly detection. Misuse detection, in which the analysis targets something known to be "bad", is the technique used by most commercial systems. In anomaly detection the analysis looks for abnormal patterns of activity. Although anomaly detection is used in only a few IDSs today, it remains the subject of a great deal of research.

Misuse Detection

Misuse detectors analyze system activity looking for events that match a predefined pattern of events describing a known attack. Since the pattern corresponding to a known attack is called a signature, misuse detection is commonly called signature-based detection; in the literature it is also called rule-based detection. The method is similar to the way anti-virus software detects viruses: an appropriate signature or pattern must be known in advance, so a misuse detector cannot recognize an attack whose signature it does not have. A block diagram of a typical misuse detection system is shown in Figure 2.

Figure 2. A misuse detection system [16]

Anomaly Detection

Anomaly detectors are designed to uncover abnormal patterns of behavior: the IDS establishes a baseline of normal usage patterns, and anything that deviates widely from it is flagged as a possible intrusion, as illustrated in figure 3. What counts as an anomaly can vary, but typically any event that occurs with a frequency more than two standard deviations above or below the statistical norm raises an eyebrow. For example, a user who logs on and off a machine 20 times a day instead of the usual 1 or 2 would be flagged. At another level, anomaly detection can examine user patterns, such as profiling the programs executed daily: if a user in the graphics department suddenly starts accessing accounting programs or compiling code, the system can alert its administrators. The price of this approach is false positives, since legitimate but unusual behavior deviates from the baseline just as an attack does.

Figure 3. An Anomaly detection system [18]
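The two techniques of this section and the previous one, misuse detection and anomaly detection, side by side as an added example that is not code from the paper. The sshd log lines and the per-user daily login counts are constructed (the addresses are from the RFC 5737 documentation ranges). match_signatures() is the misuse detector: one single-event signature plus a threshold signature (N failures from one source inside a time window, the shape of Snort's detection_filter). login_anomaly() applies the two-standard-deviation rule from the text to a user's login count, and handles the edge case of a baseline with no spread at all.

```python
"""Misuse (signature) detection and anomaly detection (added example, not from the paper)."""
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd authentication lines in syslog format (not real hosts).
SAMPLE_LOG = """\
Mar  3 10:01:22 gw sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 5222 ssh2
Mar  3 10:01:25 gw sshd[4012]: Failed password for root from 203.0.113.7 port 5223 ssh2
Mar  3 10:02:01 gw sshd[4013]: Accepted password for alice from 198.51.100.4 port 40000 ssh2
Mar  3 10:03:11 gw sshd[4014]: Failed password for root from 203.0.113.7 port 5224 ssh2
Mar  3 10:03:13 gw sshd[4015]: Failed password for root from 203.0.113.7 port 5225 ssh2
Mar  3 10:03:15 gw sshd[4016]: Failed password for root from 203.0.113.7 port 5226 ssh2
Mar  3 10:09:40 gw sshd[4017]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Mar  3 10:09:55 gw sshd[4018]: Accepted password for bob from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log: str) -> list:
    """Turn sshd lines into event dicts. Lines of another shape are skipped:
    a sensor must not fall over on input it does not understand."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year-less syslog stamp
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
            "invalid": m["invalid"] is not None,
        })
    return events

FAILS_THRESHOLD = 5       # this many failures ...
FAILS_WINDOW_SEC = 120    # ... within this many seconds from one address

def match_signatures(log: str) -> list:
    """Misuse detection: return (rule, source ip, user) for every signature hit."""
    alerts = []
    recent_fails = defaultdict(deque)     # ip -> timestamps of recent failures
    for ev in parse(log):
        # Single-event signatures: the record itself is the evidence.
        if ev["invalid"]:
            alerts.append(("probe-nonexistent-account", ev["ip"], ev["user"]))
        if ev["result"] == "Accepted" and ev["user"] == "root":
            alerts.append(("root-password-login", ev["ip"], ev["user"]))
        # Threshold signature: the evidence is a burst, so keep a sliding window.
        if ev["result"] == "Failed":
            window = recent_fails[ev["ip"]]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > FAILS_WINDOW_SEC:
                window.popleft()          # drop failures that fell out of the window
            if len(window) >= FAILS_THRESHOLD:
                alerts.append(("password-guessing", ev["ip"], ev["user"]))
                window.clear()            # one alert per burst, not one per packet
    return alerts

def login_anomaly(baseline_counts: list, today_count: int, k: float = 2.0) -> tuple:
    """Anomaly detection: flag today's login count when it lies more than k
    standard deviations from the baseline mean. Returns (flagged, z).
    A constant baseline has zero spread; any change from it is then reported."""
    mean = statistics.mean(baseline_counts)
    sd = statistics.pstdev(baseline_counts)
    if sd == 0:
        z = float("inf") if today_count != mean else 0.0
    else:
        z = (today_count - mean) / sd
    return abs(z) > k, z

if __name__ == "__main__":
    for alert in match_signatures(SAMPLE_LOG):
        print("misuse:", alert)
    # alice normally logs in once or twice a day; today she logged in 20 times
    print("anomaly:", login_anomaly([1, 2, 1, 2, 1, 2, 1], 20))
```

The signature side only fires on what it has rules for: bob's single failed password from 198.51.100.4 is not a pattern it knows, so it stays silent. The anomaly side knows no attacks at all; it fires on the 20-login day purely because the baseline says one or two, which is exactly why it also needs a way to handle a baseline whose spread is zero.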

Response Options for IDSs

Once an IDS has obtained event information and analyzed it for symptoms of attack, it generates a response. Some responses involve reporting results and findings to a pre-specified location; others involve more active automated actions. Although researchers are tempted to undervalue the importance of good response functions in an IDS, they are very important. Commercial IDSs support a wide range of response options, usually categorized as active responses and passive responses. Active responses are automated actions taken when certain types of intrusion are detected. There are three categories of active response.

Active and Passive Responses

The most innocuous, but at times most productive, active response is to collect additional information about a suspected attack. Each of us has probably done the equivalent when awakened by a strange noise at night: the first thing one does is listen more closely, searching for additional information that lets one decide whether to take action. In the IDS case this might involve increasing the sensitivity of information sources, as shown in figure 4. The additional information collected can help resolve whether an attack is really taking place. A second active response is to halt an attack in progress and block subsequent access by the attacker. Typically an IDS cannot block a specific person; instead it blocks the IP addresses from which the attacker appears to be coming, which can itself be turned against you if the attacker spoofs the addresses of legitimate users. Passive responses provide information to system users and rely on humans to take subsequent action based on that information; many commercial IDSs rely solely on passive responses. Some who follow intrusion detection discussions, especially in information warfare circles, believe that the first option in active response is to take action against the intruder. The most aggressive form of this response involves launching attacks against, or attempting to actively gather information about, the attacker's host or site. However tempting it might be, this response is ill advised. Because of legal ambiguities about civil liability, it can represent a greater risk than the attack it is intended to block. The first reason for great caution is that it may be illegal. Furthermore, as many attackers use false network addresses, it carries a high risk of damaging innocent Internet sites and users.
Finally, striking back can escalate the attack, provoking an attacker who originally intended only to browse a site into more aggressive action.

Alarms and Notifications

Alarms and notifications are generated by an IDS to inform users when attacks are detected. Most commercial IDSs give users a great deal of latitude in determining how and when alarms are generated and to whom they are displayed.

Figure 4. Distinctive misuse detection system [5]

The most common form of alarm is an on-screen alert, displayed on the IDS console as specified by the user when the IDS was configured. The information in the alarm message varies from a bare notification that an intrusion has taken place to detailed messages giving the source IP address and the specific attack tool used to gain access. Another set of options, useful to large or distributed organizations, involves remote notification: the IDS can be configured to send alerts to the cellular phones and pagers carried by incident response teams or system security personnel. Some products also offer e-mail as a notification channel. Relying on it alone is ill advised, since an attacker who has a foothold in the network may read the e-mail or block the message.

Conclusion

As threats to system security become more frequent, IDS tools are becoming increasingly essential. They work in conjunction with other security tools, such as firewalls and gateways, for the supervision of network activity. These tools use various techniques to decide what constitutes an intrusion as opposed to normal network traffic. Whichever mechanism a system uses (anomaly or misuse detection, switch monitoring or stealth probes), it generally falls into one of the two categories described in this article, host-based or network-based. Each category has strengths and weaknesses that must be weighed against the requirements of the target setting. Ideally, the best IDS tool combines both approaches under one management console, so that the user gets comprehensive coverage against as many threats as possible. Whether host-based or network-based, an IDS is clearly a required tool in the security manager's arsenal. Intrusion detection based on computational intelligence is attracting considerable interest from the network research community and from industry; its characteristics, such as fault tolerance and high computational speed, fit the requirements of a good IDS platform.


