The Types Of Intrusion Detection System


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

An Intrusion Detection System (IDS) is a mechanism or piece of software whose primary objective is to protect systems and resources from attackers trying to break in, by identifying intrusions and reporting them together with the source address involved. To accomplish this, the IDS monitors inbound and outbound network traffic and looks for suspicious patterns that may indicate malicious or unauthorised activity. IDSs can be classified into several categories [1, 2]:

Signature based IDS: also known as misuse detection or knowledge-based detection. The IDS consults a database of signatures describing previously seen attacks and compares them with the information gathered from network activity; in effect it tries to recognise attacks that are already documented. Signature-based detection is therefore fast, cheap and produces few false alarms, but it is only effective if the signature database is kept up to date, and it cannot identify novel intrusions for which no signature exists.

Anomaly based IDS: also known as behaviour based. The IDS monitors incoming traffic and compares it with a baseline of normal behaviour, either defined by the administrator through a set of rules (traffic load, packet size, login habits and so on) or learned from a training period, in order to detect deviations. Any pattern that departs from the baseline is treated as a possible intrusion and the IDS raises an alarm. This approach can detect previously unknown attacks, but because normal behaviour also drifts it tends to produce more false alarms than signature matching, and an attacker who is active during the training period can poison the baseline.

Network based NIDS: monitors and analyses all packet traffic arriving at a network interface, typically at a point where it sees traffic for many hosts, before the packets are distributed to their destination hosts [3]. A NIDS can therefore detect malicious packet activity that a firewall's filtering rules would let through, for example an attack carried inside a connection the firewall permits.

Host based HIDS: uses software agents installed on each host to monitor the activity of that computer, for example its logs, processes and file system. Unlike a NIDS it cannot observe the whole network, only the activity of the host it is installed on, but it sees events that never appear on the wire, such as the actions of a logged-in user. Host-based systems are usually deployed to detect intrusion attempts against critical servers [3].

Active ID System: also known as an intrusion detection and prevention system (IDPS). It goes one step further than a plain IDS: when it detects a potential security violation it takes immediate action on its own, for example updating the firewall rules so that traffic from the offending source address is no longer accepted. The caveat is that the response itself can be abused: if the attacker spoofs the source address of a legitimate host (see IP spoofing in section 2.1.2), an automatic block locks that host out, so automatic responses need rate limits and an exception list for critical addresses.

Passive ID System: in contrast to an IDPS, a passive IDS only raises an alert when it identifies a potential security violation; it is then up to the administrator to decide how to deal with it. A passive IDS takes no protective measures of its own.
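The four detection styles above can be seen side by side in a small simulation. The following Python code is an added example and is not part of the original report or its Java program: it runs a signature matcher and a volume-based anomaly detector over constructed connection records, once as a passive IDS and once as an active IDS that blocks a source after a signature hit. The two signatures, the training traffic and the threshold of three standard deviations are assumptions made for the illustration.

```python
import re
import statistics
from collections import defaultdict

# Constructed traffic, not a real capture. Each record is
# (minute, src_ip, dst_port, bytes, payload_prefix).
TRAINING = [(m, "10.0.0.5", 80, 400 + 20 * (m % 3), b"GET / HTTP/1.1") for m in range(30)]
TEST = [
    (30, "10.0.0.5", 80, 420, b"GET /index.html HTTP/1.1"),        # normal
    (31, "10.0.0.5", 80, 410, b"GET /../../etc/passwd HTTP/1.1"),  # matches a signature
    (32, "10.0.0.5", 80, 9000, b"POST /upload HTTP/1.1"),          # volume anomaly
    (33, "10.0.0.5", 80, 430, b"GET /about HTTP/1.1"),             # normal
]

# Illustrative signatures in the spirit of a Snort content rule (constructed,
# not a real rule set): a name and a byte pattern that must occur in the payload.
SIGNATURES = [
    ("http-path-traversal", re.compile(rb"\.\./\.\./")),
    ("ftp-anonymous-login", re.compile(rb"^USER\s+anonymous", re.I)),
]

def signature_match(payload):
    """Names of every signature whose pattern occurs in the payload."""
    return [name for name, pat in SIGNATURES if pat.search(payload)]

class VolumeBaseline:
    """Anomaly detector: learns mean and standard deviation of bytes per record
    for each source host, then flags records more than k deviations above the mean."""
    def __init__(self, k=3.0, min_stdev=1.0):
        self.k, self.min_stdev = k, min_stdev
        self.samples = defaultdict(list)
        self.model = {}

    def train(self, records):
        for _, src, _, nbytes, _ in records:
            self.samples[src].append(nbytes)
        for src, xs in self.samples.items():
            stdev = statistics.pstdev(xs) if len(xs) > 1 else 0.0
            self.model[src] = (statistics.fmean(xs), max(stdev, self.min_stdev))

    def is_anomalous(self, src, nbytes):
        if src not in self.model:        # no baseline for this host: no verdict
            return False
        mean, stdev = self.model[src]
        return (nbytes - mean) / stdev > self.k

class PassiveIDS:
    """Only records alerts; an operator has to act on them. Every packet is forwarded."""
    def __init__(self, baseline):
        self.baseline = baseline
        self.alerts = []

    def inspect(self, record):
        minute, src, dport, nbytes, payload = record
        for name in signature_match(payload):
            self.alerts.append((minute, src, "signature", name))
        if self.baseline.is_anomalous(src, nbytes):
            self.alerts.append((minute, src, "anomaly", "%d bytes" % nbytes))
        return True

class ActiveIDS(PassiveIDS):
    """IDPS variant: a signature hit also blocks the source, so later traffic from
    that host is dropped unseen. An attacker who spoofs a victim's source address
    can therefore make the sensor block the victim."""
    def __init__(self, baseline):
        super().__init__(baseline)
        self.blocked = set()

    def inspect(self, record):
        src = record[1]
        if src in self.blocked:
            return False                 # dropped, not inspected
        before = len(self.alerts)
        super().inspect(record)
        if any(a[2] == "signature" for a in self.alerts[before:]):
            self.blocked.add(src)
        return True

def run(ids_cls):
    """Train the baseline, replay TEST through the given IDS class,
    return (alerts, list of forwarded/dropped verdicts)."""
    baseline = VolumeBaseline()
    baseline.train(TRAINING)
    ids = ids_cls(baseline)
    forwarded = [ids.inspect(r) for r in TEST]
    return ids.alerts, forwarded

if __name__ == "__main__":
    for cls in (PassiveIDS, ActiveIDS):
        print(cls.__name__, run(cls))
```

With the passive IDS both the traversal attempt and the 9000-byte upload produce alerts and all four records are forwarded; with the active IDS the source is blocked after the first signature hit, so the later upload is dropped without inspection and never alerts, which is exactly the trade-off the paragraph on active systems describes.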

[1] http://www.webopedia.com/TERM/I/intrusion_detection_system.html

[2] http://www.omnisecu.com/security/infrastructure-and-email-security/types-of-intrusion-detection-systems.htm

[3] http://www.centos.org/docs/4/4.5/Security_Guide/s2-ids-types.html

2) Background Material

This section gives brief explanations of the network security attacks referred to later in this report. The tools used to evaluate and test the project, and the related terminology, are also described here so that the reader has the background needed to follow the rest of the report.

2.1) Definitions:

2.1.1) Packet Information

Port:

Ports are the endpoints through which two computers connect and communicate over a network [4]. For two hosts to establish a TCP/IP connection, the connection request leaves the first host from its source port and arrives at the second host on its destination port; the port number (0 to 65535) identifies which application on the host receives the data.

Internet Protocol (IP):

The Internet Protocol is the main protocol responsible for carrying data across the internet. An IP datagram header holds the information needed to route the packet, including the address it came from (source IP address) and the address it is going to (destination IP address) [7]. Nothing in the protocol verifies the source address, which is what makes IP spoofing possible (section 2.1.2).

Media Access Control address (MAC):

A Media Access Control address, also known as the hardware or physical address, is a 48-bit identifier assigned to every network device or adapter [10]. It is only meaningful on the local network segment, since the Ethernet header is rewritten at every router hop, and most adapters allow it to be changed in software.

Transmission Control Protocol (TCP):

TCP runs on top of IP and is used for communication between applications because it provides a connection-oriented, reliable byte stream. TCP sets up a virtual circuit between two applications with a three-way handshake: the client sends a SYN, the server replies with SYN/ACK and the client answers with ACK, after which a full-duplex connection exists between the two hosts. The handshake synchronises sequence numbers; it does not authenticate either party. Examples of application protocols that use TCP are the Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) and Telnet [9].

User Datagram Protocol (UDP):

Like TCP, UDP runs on top of IP. Unlike TCP, however, it provides a connectionless and unreliable service that does not guarantee delivery, ordering or integrity of datagrams [9]. Because there is no handshake, a UDP datagram with a spoofed source address is as easy to send as a genuine one.

Address Resolution Protocol (ARP):

ARP maps an Internet Protocol (IP) address to a physical machine (MAC) address. A host that needs the MAC address for a given IP address broadcasts an ARP request to all machines on the local network; the machine that owns that IP address replies with its MAC address, and the requester stores the pair in its ARP cache. ARP replies are not authenticated, so any host on the segment can answer for an address it does not own.

2.1.2) Network attacks and general terminology:

Port Scan Attack:

A port scan is a reconnaissance event rather than an attack in its own right: administrators and monitoring tools scan their own networks to inventory the services that are running, so a scan is not proof of malicious intent. In the hands of an attacker, however, a port scan reveals which ports of a system are open and which services (and often which versions) are listening behind them, which is precisely the information needed to construct a targeted attack [4, 5].

There are many types of port scan. A TCP SYN scan sends a SYN to each port: if the system responds with SYN/ACK the port is open; if it responds with RST the port is closed; if nothing comes back, or an ICMP unreachable message arrives, the port is filtered by a firewall. The scanner normally answers an open port with RST rather than completing the handshake, so the connection is never established and the application on the server does not see it. FIN, NULL and XMAS scans rely on the fact that a closed port answers a packet without SYN with RST while an open port silently drops it; they only work against TCP stacks that follow the RFC 793 behaviour. A UDP scan sends an empty datagram to each port: a closed port provokes an ICMP "port unreachable" message, while an open or filtered port typically gives no answer at all, which makes UDP scans slow and ambiguous [6].

IP Spoofing Attack:

IP spoofing is the act of forging the information in an IP packet, usually the source address, so as to hide the attacker's location or to pose as another host. It serves several purposes: scanning, where an attacker wants information about a target without revealing their own address; hijacking an authorised session, where the attacker impersonates another party's IP address to defeat IP-based authentication and act as a legitimate user; and denial of service, where spoofed sources make the flood hard to trace and block [7]. Because the reply to a spoofed packet goes to the forged address, spoofing is most useful for one-way traffic; a spoofed TCP handshake cannot normally be completed. Ingress filtering at the network edge, which drops packets whose source address could not legitimately arrive on that interface, is the standard defence.
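Two of the spoofing cases above leave traces a sensor can check: an IP packet that claims an internal source address but arrives on the external interface (the ingress-filtering rule), and a packet or ARP reply whose source IP address does not agree with the MAC address already learned for it (the ARP binding described in section 2.1.1). The following Python code is an added example, not part of the original report or its jPcap program: it keeps an IP-to-MAC binding table learned from ARP replies and replays a constructed event list through both checks. The 10.0.0.0/24 subnet, the interface names and the MAC addresses are assumptions.

```python
import ipaddress

LAN = ipaddress.ip_network("10.0.0.0/24")   # assumed protected subnet

class SpoofDetector:
    """IP/ARP spoofing checks for a sensor with an 'internal' and an 'external' interface."""
    def __init__(self, lan):
        self.lan = lan
        self.bindings = {}       # IPv4Address -> MAC learned from ARP replies
        self.alerts = []

    def on_arp_reply(self, sender_ip, sender_mac):
        """Learn a binding; alert (and keep the old one) if the IP moves to a new MAC."""
        ip = ipaddress.ip_address(sender_ip)
        known = self.bindings.get(ip)
        if known is not None and known != sender_mac:
            self.alerts.append(("arp-binding-change", sender_ip, known, sender_mac))
            return False
        self.bindings[ip] = sender_mac
        return True

    def on_ip_packet(self, iface, src_mac, src_ip):
        """Return True if the packet is accepted, False if it should be dropped."""
        ip = ipaddress.ip_address(src_ip)
        if iface == "external":
            # Ingress filtering: nothing from our own subnet or a non-routable
            # range can legitimately arrive from the outside.
            if ip in self.lan or not ip.is_global:
                self.alerts.append(("ingress-spoof", src_ip, iface))
                return False
            return True
        if ip in self.lan:
            known = self.bindings.get(ip)
            if known is None:
                # No ARP reply seen yet: cannot prove a spoof, log it only.
                self.alerts.append(("unknown-lan-host", src_ip, src_mac))
                return True
            if known != src_mac:
                self.alerts.append(("ip-mac-mismatch", src_ip, known, src_mac))
                return False
        return True

    def binding_of(self, ip):
        return self.bindings.get(ipaddress.ip_address(ip))

# Constructed event sequence (not a real capture):
# ("arp", sender_ip, sender_mac) or ("ip", interface, src_mac, src_ip)
EVENTS = [
    ("arp", "10.0.0.5", "aa:bb:cc:00:00:05"),                 # host .5 announces itself
    ("arp", "10.0.0.1", "aa:bb:cc:00:00:01"),                 # gateway announces itself
    ("ip", "internal", "aa:bb:cc:00:00:05", "10.0.0.5"),      # consistent, accepted
    ("arp", "10.0.0.1", "de:ad:be:ef:00:01"),                 # attacker claims the gateway IP
    ("ip", "internal", "de:ad:be:ef:00:01", "10.0.0.5"),      # attacker spoofs host .5
    ("ip", "external", "00:11:22:33:44:55", "10.0.0.7"),      # internal address from outside
    ("ip", "external", "00:11:22:33:44:55", "8.8.8.8"),       # public source, accepted
    ("ip", "internal", "cc:cc:cc:cc:cc:09", "10.0.0.9"),      # never seen in ARP, logged only
]

def replay(events, lan=LAN):
    det = SpoofDetector(lan)
    accepted = []
    for ev in events:
        if ev[0] == "arp":
            accepted.append(det.on_arp_reply(ev[1], ev[2]))
        else:
            accepted.append(det.on_ip_packet(ev[1], ev[2], ev[3]))
    return det, accepted

if __name__ == "__main__":
    det, accepted = replay(EVENTS)
    print(accepted)
    for alert in det.alerts:
        print(alert)
```

The binding check is only as good as the learning phase: a DHCP lease moving to a new machine or a gratuitous ARP after a NIC replacement also triggers "arp-binding-change", so in production the table is usually seeded from DHCP leases or a switch's port security rather than from whatever ARP reply arrived first.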

Denial of Service Attack (DoS):

The purpose of a denial of service attack is to harm the availability of a system or service so that it becomes inaccessible to its users. It can be directed at software, a network or an operating system by exploiting that layer's weaknesses, but in general a DoS attack consumes and exhausts the resources a system needs in order to function, such as bandwidth, processing time, memory or the operating system's table of half-open connections [8]. A TCP SYN flood is the classic example: the attacker sends a stream of SYN packets, usually with spoofed source addresses, and never completes the handshakes.
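The port scan paragraphs above and this denial of service paragraph can share one detector harness, since both attacks show up as counts over a time window: a scan is one source touching many (host, port) targets, a SYN flood is many half-open connections to one target. The following Python code is an added example, not code from the original report: it replays a constructed packet list (one legitimate handshake, a twelve-port SYN scan followed by XMAS and NULL probes, and a spoofed SYN flood) through both detectors. The window lengths and thresholds are assumptions chosen for the sample; in practice they are tuned to the monitored network.

```python
from collections import defaultdict, deque

def constructed_traffic():
    """Constructed packet summaries, not a real capture:
    (time_s, src_ip, dst_ip, dst_port, flags) with flags as TCP flag letters
    S=SYN A=ACK F=FIN R=RST P=PSH U=URG, and "" for a NULL probe."""
    pkts = [(0.0, "10.0.0.5", "10.0.0.20", 80, "S"),          # a client completing a handshake
            (0.1, "10.0.0.5", "10.0.0.20", 80, "A")]
    pkts += [(1.0 + 0.1 * i, "198.51.100.7", "10.0.0.20", 20 + i, "S")
             for i in range(12)]                                # SYN scan of 12 ports
    pkts += [(3.0, "198.51.100.7", "10.0.0.20", 443, "FPU"),   # XMAS probe
             (3.1, "198.51.100.7", "10.0.0.20", 443, "")]      # NULL probe
    pkts += [(5.0 + 0.01 * i, "203.0.113.%d" % (i % 250 + 1), "10.0.0.20", 80, "S")
             for i in range(300)]                               # spoofed SYN flood, never ACKed
    return sorted(pkts)

class PortScanDetector:
    """Flags a source that probes many distinct (host, port) targets within `window`
    seconds, and any probe no normal TCP stack sends (FIN/XMAS/NULL without ACK)."""
    def __init__(self, window=5.0, max_targets=10):
        self.window, self.max_targets = window, max_targets
        self.probes = defaultdict(deque)     # src -> deque of (t, (dst, port))
        self.alerted = set()

    def observe(self, t, src, dst, port, flags):
        alerts = []
        syn_probe = flags == "S"
        stealth = "S" not in flags and "A" not in flags and "R" not in flags
        if not (syn_probe or stealth):
            return alerts                    # SYN/ACK, ACK, RST: replies or established traffic
        if stealth:
            alerts.append(("stealth-probe", src, dst, port, flags))
        q = self.probes[src]
        q.append((t, (dst, port)))
        while q and t - q[0][0] > self.window:
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= self.max_targets and src not in self.alerted:
            self.alerted.add(src)
            alerts.append(("port-scan", src, len(distinct)))
        return alerts

class SynFloodDetector:
    """Flags a destination (ip, port) holding many half-open connections: SYNs seen
    within `window` seconds that the client never followed with ACK or RST."""
    def __init__(self, window=10.0, max_half_open=100):
        self.window, self.max_half_open = window, max_half_open
        self.pending = defaultdict(dict)     # (dst, port) -> {src: t_syn}
        self.alerted = set()

    def observe(self, t, src, dst, port, flags):
        key = (dst, port)
        if flags == "S":
            self.pending[key][src] = t
        elif "A" in flags or "R" in flags:
            self.pending[key].pop(src, None) # handshake completed or aborted
        else:
            return []
        half_open = self.pending[key]
        for stale in [s for s, ts in half_open.items() if t - ts > self.window]:
            del half_open[stale]
        if len(half_open) >= self.max_half_open and key not in self.alerted:
            self.alerted.add(key)
            return [("syn-flood", dst, port, len(half_open))]
        return []

def run_detectors(packets):
    scan, flood = PortScanDetector(), SynFloodDetector()
    alerts = []
    for pkt in packets:
        alerts += scan.observe(*pkt)
        alerts += flood.observe(*pkt)
    return alerts

if __name__ == "__main__":
    for alert in run_detectors(constructed_traffic()):
        print(alert)
```

Note what an active IDS would do with these alerts: blocking the scanner's address is reasonable, but blocking the 250 sources of the SYN flood only blocks whoever the attacker chose to impersonate, which is why the flood alert names the target rather than the sources.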

2.1.3) Tools

Nmap:

Nmap is a network security tool used to scan and identify the hosts and services running on a particular network. In this project Nmap is used to simulate network attacks such as port scans and IP spoofing (Nmap can send probes with decoy or forged source addresses).

Wireshark

Wireshark is a network protocol analyser which, in combination with Nmap, was used to capture and analyse the crafted malicious packets.

Snort

Snort?

[4] http://www.dslreports.com/faq/3497

[5] http://iac.dtic.mil/csiac/download/intrusion_detection.pdf

[6] http://www.cse.iitb.ac.in/alumni/~nirav06/i/IDS_Report.pdf

[7] http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-4/104_ip-spoofing.html

[8] Detecting.pdf

[9] http://docs.oracle.com/javase/tutorial/networking/overview/networking.html

[10] http://www.iplocation.net/tools/mac-address.php

3) Developing the program

As part of this project we had to develop software that simulates the functions of a Network Intrusion Detection System (NIDS) in order to identify network attacks. As mentioned above, a NIDS is designed to capture network packets at either router or host level, analyse them for malicious activity, log any suspicious packets and raise an alert notifying the administrator. In addition, a NIDS can scan externally supplied capture files (logs) to confirm either that the capture is free of malicious activity or that it contains activity that should be marked as malicious for future reference.

During the initial steps of the project the programming language in which the software would be developed had to be decided. Background research on languages used for building low-level network security products showed C++ and Java to be the most popular. Java was chosen for this project because our familiarity and comfort with it were greater than with C++.

3.1) The jPcap Library:

In order to develop network security software that involves analysing, modifying and manipulating raw IP packets, the jPcap library had to be installed and included in the Java project. The jPcap library and installation software can be downloaded from [11]. jPcap is supported on both Windows and Linux, since it is a Java wrapper around the WinPcap and libpcap libraries and should work on any system that supports either of those two [12]. jPcap is an open source library that can capture raw packets in real time directly from the wire, save captured packets to a file and read them back, and provides functionality for decoding, filtering and sending packets. Note that opening an interface for raw capture requires administrative privileges (root on Linux), so the sniffer should be run with the least privilege that still allows capture.
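Everything jPcap hands the program, the MAC and IP addresses, ports and TCP flags defined in section 2.1.1, is decoded from the raw bytes of each frame, and a saved capture is just those frames behind a pcap file header. The following Python code is an added example that is not part of the original report's Java program: it builds a small pcap byte string from three constructed frames (a SYN, its SYN/ACK and a UDP datagram), then parses the pcap record headers and the Ethernet, IPv4, TCP and UDP headers, verifying the IPv4 header checksum on the way. The addresses and ports in the sample frames are assumptions.

```python
import socket
import struct

TCP_FLAG_NAMES = "FSRPAU"   # bit 0 = FIN, 1 = SYN, 2 = RST, 3 = PSH, 4 = ACK, 5 = URG

def ipv4_checksum(header):
    """One's-complement sum over the IPv4 header (RFC 791); returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def tcp_segment(sport, dport, flags):
    """Minimal 20-byte TCP header: no options, no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    """Ethernet II + IPv4 + transport bytes, used only to construct sample input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + hdr + l4

def build_pcap(frames, linktype=1):
    """Little-endian pcap: 24-byte global header, then (16-byte record header, frame)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP|UDP headers into a dict; raise ValueError on bad input."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return {"ethertype": ethertype}              # ARP, IPv6, ...: not decoded here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    rec = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
           "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
           "proto": proto}
    l4 = ip[ihl:total_len]
    if proto == 6:
        sport, dport, _, _, off, bits = struct.unpack("!HHIIBB", l4[:14])
        rec.update(src_port=sport, dst_port=dport,
                   flags="".join(n for i, n in enumerate(TCP_FLAG_NAMES) if bits & (1 << i)),
                   payload=l4[(off >> 4) * 4:])
    elif proto == 17:
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        rec.update(src_port=sport, dst_port=dport, payload=l4[8:ulen])
    return rec

def read_pcap(data):
    """Yield (timestamp, decoded record) for every frame in a pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are decoded")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        yield ts_sec + ts_usec / 1e6, parse_frame(frame)

def sample_capture():
    """Constructed capture: a client SYN to port 443, the SYN/ACK, and a UDP datagram to port 53."""
    client, gw = "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:01"
    frames = [
        (1000, build_frame(client, gw, "10.0.0.5", "93.184.216.34", 6, tcp_segment(51000, 443, 0x02))),
        (1000, build_frame(gw, client, "93.184.216.34", "10.0.0.5", 6, tcp_segment(443, 51000, 0x12))),
        (1001, build_frame(client, gw, "10.0.0.5", "10.0.0.1", 17, udp_datagram(40000, 53, b"\x12\x34\x01\x00"))),
    ]
    return build_pcap(frames)

def summarize(pcap_bytes):
    """One (src_ip, dst_ip, proto, src_port, dst_port, flags) tuple per frame."""
    return [(r["src_ip"], r["dst_ip"], r["proto"], r.get("src_port"), r.get("dst_port"), r.get("flags"))
            for _, r in read_pcap(pcap_bytes)]

if __name__ == "__main__":
    for line in summarize(sample_capture()):
        print(line)
```

The parser refuses frames whose IPv4 checksum does not verify; a real sensor would count such frames rather than stop, because a single corrupt or deliberately malformed packet must not take the detector offline. The transport checksums are left unverified here to keep the example short.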

3.2) Developing phase:

To capture packets from the network, the first thing that had to be done was to write a simple method that retrieves the network interfaces of the system, so that the user of the software can select the interface to sniff packets from. The following figure shows the code responsible for this as well as sample output listing the interfaces present at the time.

(figure 1, snippet code and output of retrieving network interfaces [12].)

Firewall vs IDS

Although both relate to network security, an IDS differs from a firewall in what it does and where it looks. A firewall looks outward: it limits access between networks in order to prevent intrusions from happening, but it does not signal an attack that originates from inside the network and cannot see what happens inside a connection it has allowed. An IDS evaluates a suspected intrusion once it has taken place and raises an alarm, and it also watches for attacks that originate from within the network. In practice the two are complementary: the IDS detects what the firewall's rules let through, and in its active form it can feed new blocks back to the firewall.

[11] http://netresearch.ics.uci.edu/kfujii/jpcap/doc/index.html

[12] http://www.eden.rutgers.edu/~muscarim/jpcap/tutorial/index.html


