Wax Seals For Secured Communications


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

CHAPTER 2

LITERATURE SURVEY

2.1 INTRODUCTION

2.1.1 History

Hundreds of years ago people used wax seals to secure their communications. Around 50 B.C., Julius Caesar used the Caesar cipher, which prevented secret messages from being read if they fell into the wrong hands. The 20th and early 21st centuries have seen advances in telecommunications, computing and data encryption techniques. Information security is a concept that covers a wide variety of issues, such as the security of data and of human resources (Whitman et al 2004).

2.1.2 What is Security?

Security is defined as "the quality or state of being secure, to be free from danger". Security is achieved through several measures undertaken concurrently. Security spans the following areas:

Physical security: Includes material assets and the place of work from a range of threats such as fire, illegal access or force of nature.

Personal security: Deals with the protection of people and with losses caused by their carelessness.

Operations security: Concerns the organization's ability to carry out its operational activities without disruption or compromise.

Communications security: Includes the security of communications media and technology.

Network security: Which addresses the protection of networking devices and connections.

Information security: Consists of a wide range of issues such as data and network security (Whitman et al 2004).

Where is security needed?

Governments, military, financial institutions, hospitals, and private businesses.

Protecting confidential information is a business requirement (Whitman et al 2004).

2.1.3 Critical Characteristics of Information (proposed by Whitman et al 2004)

Confidentiality: Confidentiality means that only those with sufficient privileges, the authorized parties, can access the data. A good example is a credit card transaction on the Internet: confidentiality is provided by encrypting the card number when it is transmitted.

Integrity: Integrity means data can only be modified by authorized parties. Example: Integrity is violated when an employee deletes vital information, when malicious code resides in a computer, and so on.

Availability: Availability means data are available to authorized parties when required. Example: Web servers try to be available at all times, 24*365, in spite of disruptions due to natural forces, software failures and hardware upgrades.

Authentication: Authenticity means a host or service must be able to verify the identity of a user. In network communications it is required to check whether the user or the data is genuine.

Authorization: Once the identity of a user has been authenticated, authorization grants the user the right to add, view, modify and delete information.

Privacy: Privacy means information is kept private and undisturbed, free from intrusion.

Identification: The main feature of identification is to distinguish individual users.

Accountability: Accountability means being responsible, answerable and required to account for one's conduct. For example, keeping track of information activities through log files and events.

Accuracy: Information should be accurate. Accuracy means the information has the correctness, exactness or careful precision that end users expect.

Utility: The value of information depends on its utility. The information obtained should be meaningful else it may not be useful.

Possession: Possession of information is the state or condition of having ownership or control of it.

2.1.4 Components of an Information System (proposed by Whitman et al 2004 and Krause et al 2004)

The components of an information system are software, hardware, data, people, procedures and networks.

Software: The software component of an information system comprises applications, operating systems and various command utilities. Software programs are the vessels that carry the lifeblood of information throughout an organization. They are often created under the demanding constraints of project management, which limits time, cost and manpower.

Hardware: Hardware is the physical technology that houses and executes the software, stores and carries the data, and provides interfaces for the entry and removal of data from the system. Physical security policies deal with hardware as a physical asset and protect these physical assets from harm or theft. Applying the traditional tools of physical security, such as locks and keys, restricts access to and interaction with the hardware components of an information system. Securing the physical location of computers and the computers themselves is important because a breach of physical security can result in a loss of information. Unfortunately, large information systems are built on hardware platforms that cannot guarantee any level of information security if unrestricted access to the hardware is possible.

Data: Information stored, processed, and transmitted through a computer system must be protected. Data is often the most valuable asset possessed by an organization and is the main target of intentional attacks. Raw, unorganized facts and figures are processed to produce information.

People: There are many roles for people in information systems, such as systems analyst, programmer, technician, engineer, network manager, MIS staff, data entry operator and the general public.

Procedures: A procedure is a series of documented actions taken to achieve something. A procedure is more than a single simple task. A procedure can be quite complex and involved, such as performing a backup, shutting down a system or patching software.

Networks: When information systems are connected to each other to form local area networks, and these networks are interlinked with other networks such as the Internet, new security challenges quickly emerge. Network security is vital, as are alarm and intrusion detection systems that make system owners aware of ongoing attacks.

2.1.5 Securing Components

Protecting the components of a system from misuse and abuse by unauthorized users is called securing components. A computer used as an active tool to conduct an attack is called the subject of an attack. A computer that is the entity being attacked is called the object of an attack (Whitman et al 2004). The two types of attack are:

Direct attack

A direct attack is one in which an attacker uses his own computer to break into a system; the attacker's computer is the subject of the attack (Whitman et al 2004).

Indirect attack

An indirect attack occurs when a remote system, the object of an attack, is compromised and used to attack other systems. The system that has been attacked in turn attacks other computers. Therefore a computer can be both the subject and the object of an attack: first the computer becomes the object of an attack, and it is then used to attack other systems, at which point it becomes the subject of an attack (Whitman et al 2004).

2.1.6 Key Terms in Information Security Terminology

Some of the key terms were proposed by Whitman et al (2004), Krause et al (2004) and Bishop (2005).

Attack

An attack is a deliberate or accidental attempt to cause damage to an information system or to the systems that support it. If someone casually reads important data not intended for his use, this is considered a passive attack. A hacker deliberately breaking into an information system is an active attack.

Threats

A threat is a person or other entity that represents a constant danger to an asset. Threats are always present. Some threats manifest themselves in accidental occurrences, while others are purposeful. For example, all hackers represent a potential danger or threat to an unprotected information system.

Threat agent

The specific instance or component of a threat is called a threat agent. For example, you can think of all hackers in the world as a collective threat, and a specific person involved in hacking as a threat agent. Likewise, a lightning strike, hailstorm or tornado is a specific threat agent within the threat of severe storms.

Vulnerability

Flaws in a system or in its security methods that leave information unprotected and open to attack are known as vulnerabilities. Vulnerabilities that have been examined, documented, and published are referred to as well-known vulnerabilities.

Exposure

A single instance of information being exposed to danger is called an exposure. Vulnerabilities can cause an exposure to potential damage or attack from a threat. Total exposure is the degree to which an organization's assets are at risk of attack from a threat.

The DMZ (demilitarized zone) is a no-man's land between the internal and external networks, where an organization's web servers are placed. These servers provide access to the organization's web pages while withholding entry into the internal network.

2.2 SECURITY INVESTIGATION

In today's technological world there is a need to investigate security issues such as threats and attacks. To protect one's own information, you must be familiar with the information to be protected and the systems that store, transport and process it.

2.2.1 Threats

To make sound decisions about information security, we must be informed about the various threats facing an organization's applications and information systems. A threat is a person or other entity that represents a constant danger to an asset. Whitman et al (2004) proposed the following threats to information security.

Threats to Information Security

Table 2.1 Threats in information security

Types of threat                               Examples
Human error or failure                        Disasters, employee errors
Intellectual property                         Hijacking, copyright infringement
Espionage or trespass                         Illegal access
Information extortion                         Blackmail or information leak
Sabotage or vandalism                         Demolition of systems or data
Theft                                         Robbery, stealing
Software attacks                              Trojan horses, logic bombs
Forces of nature                              Landslide, tornado, windstorm, typhoon
Variations in quality of service              Hardware and software providers
Technological hardware failures or errors     Apparatus breakdown
Technological software failures or errors     Infections, malicious code
Technological obsolescence                    Old fashioned technologies

Human Error or Failure: Acts performed without intent or malicious purpose by an inexperienced authorized user are called human error or failure.

Intellectual Property: The ownership of ideas and control over their use is called intellectual property. It includes trademarks, patents, trade secrets and copyrights. The most common intellectual property violation is the illegal use or replication of software, more commonly known as software piracy.

Espionage or Trespass: Electronic and human activities that can breach the confidentiality of information are called espionage or trespass. An unauthorized person gaining access to the protected information of an organization is espionage. Attackers use different techniques to gain entry into an information system, such as intelligence gathering, spying and shoulder surfing. Trespass means making an unlawful or unauthorized intrusion, unjustifiable claim or encroachment.

Information Extortion (obtaining information by force or threat): A trusted insider illegally extracts information from a computer and blackmails the owner for its return.

Sabotage or Vandalism: Maliciously destroying or damaging an asset, or the image of an organization or person, is called sabotage or vandalism.

Theft: The act of stealing another's property, whether from within or outside the organization; the theft may be physical, electronic or intellectual.

Software Attacks: Malicious code is a software component designed to damage, destroy or deny service to the target system. The more common instances are viruses, worms, Trojan horses, logic bombs and backdoors. Antivirus programs are software tools that identify viruses on the hard disk and remove them if found.

Forces of Nature: For forces of nature such as fire, flood, earthquake, lightning, landslide, tornado, windstorm, typhoon, tsunami, electrostatic discharge (ESD) and dust contamination, contingency plans such as disaster recovery plans, business continuity plans and incident response plans should be made operational to limit losses in the face of these threats (Whitman et al 2004).

Variation in Quality of Service: Occurs when an organization does not receive a product or service as expected. This degrades the service in the form of a disruption.

Technological Hardware Failures or Errors: Sometimes the errors are unavoidable and may result in unrecoverable loss of equipment.

Technological Software Failures or Errors: Threats that arise from purchasing software from unknown vendors. These failures range from bugs to untested failure conditions.

Technological obsolescence: When technology becomes outdated it can lead to undependable and unreliable systems.

2.2.2 Attacks

An attack is an action that takes advantage of an exposure and tries to compromise the system. An attack exists when a specific act or action comes into play and may cause a huge loss (Whitman et al 2004).

Malicious code is a program intended to destroy or steal information from a system by means of worms, viruses and Web scripts. These attack programs use a variety of attack methods to find vulnerabilities in an information system (Whitman et al 2004).

The following attack replication vectors were proposed by Whitman et al (2004), Krause et al (2004) and Bishop (2005):

IP scan & attack

Web browsing

Virus

Worms

Trojan Horses

Polymorphism

Blended threat

Hoaxes

Unprotected shares

Mass mail

SPAM

Mail Bombing

Simple Network Management Protocol (SNMP)

Back Door or Trap Door

Password Crack

Brute Force

Dictionary

Denial of Service (DOS) & Distributed Denial of Service (DDOS)

Spoofing or Man-in-the-Middle

Sniffers

Social Engineering

Buffer Overflow

Timing Attack

IP scan & attack: Infected systems scan the IP addresses of local machines, looking for vulnerabilities, and attack those systems.

Web browsing: If an infected system has write access to web pages, the whole web portal becomes infected, and the users who browse those pages are infected as well.

Virus: A virus is a program that can be loaded onto your computer without your knowledge and run against your wishes. A virus may spread when an email attachment is opened. Macro viruses are embedded in documents and executed automatically; good examples are word processor, spreadsheet and database applications. A good example of a virus that infects operating system files is the boot virus.

Worms: Software programs that replicate themselves over and again across a network and usually perform malicious actions are called worms. Worms keep replicating until they exhaust resources such as memory, hard disk space and network bandwidth. An example is MS-Blaster.

Trojan Horses: Destructive code that hides itself in an application. Unlike viruses, Trojan horses do not replicate themselves. A Trojan horse is activated when the software or attachment is executed. The different types of Trojan horses are data-sending Trojans, proxy Trojans, FTP Trojans, security software disabler Trojans and denial of service (DOS) attack Trojans.

Polymorphism: A polymorphic threat is one that changes its apparent shape over time, making it undetectable by techniques that look for preconfigured signatures. These viruses and worms actually change their size and appearance to evade detection by antivirus programs.

Blended threat: The combination of the characteristics of viruses, worms, Trojan horses and malicious code with server and Internet vulnerabilities is called a blended threat.

Hoaxes: A more devious approach to attacking information systems is the distribution of a virus hoax with a real virus attached. Even though users are trying to avoid infection, they end up sending the attack on to their co-workers.

Unprotected shares: Vulnerabilities in the information system, and in the way organizations set up shared resources, allow the viral element to spread copies across all parts of the system.

Mass Mail: Sending infected e-mail to the addresses in the victim's address book, infecting those machines and users; the mail thus replicates itself automatically and infects other computers.

SPAM: Spam is unsolicited bulk commercial email. It has been used to make malicious code attacks more effective. Spam is considered a trivial nuisance rather than an attack. Spam wastes both computer and human resources through the flow of unwanted e-mail.

Mail Bombing: This e-mail attack, also known as a distributed denial of service, is used in a mail bomb. The attacker sends a large amount of e-mail to the target, which receives unmanageably large volumes of unsolicited e-mail. Attackers can take advantage of poorly configured e-mail systems on the Internet and trick them into sending many e-mails to an address chosen by the attacker. The target e-mail address is buried under thousands or even millions of unwanted e-mails.

Simple Network Management Protocol (SNMP): By using the widely known default passwords employed in early versions of this protocol, an attacking program can gain control of the device. Most vendors have closed these vulnerabilities with software upgrades.

Back Door or Trap Door: Software code that allows attackers back door entry into a system with special privileges is called a back door or trap door. Example: Back Orifice.

Password Crack: Attempting to reverse a password is often called cracking. A password can be cracked by hashing candidate passwords with the same algorithm and comparing the results with the obtained hash; if they are the same, the password has been cracked. The Security Account Manager (SAM) file contains the hashed representation of users' passwords.

Brute Force: The application of computing and network resources to try every possible combination of password is called a brute force attack. This is often an attempt to repeatedly guess passwords for commonly used accounts; it is sometimes called a password attack.

Dictionary: This is another form of the brute force attack noted above for guessing passwords. A dictionary attack narrows the field by selecting specific accounts to attack and uses a list of likely passwords (the dictionary) instead of random combinations.

Denial of Service (DOS) & Distributed Denial of Service (DDOS): The attacker sends a large number of requests to the target system, which may crash or become unable to respond. DDOS is the same as DOS except that the requests are launched from many different locations against the target at the same time.

Spoofing: A spoofing attack is one in which a program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage. It pretends that messages are coming from a trusted sender.

Figure 2.1 Spoofed Packets: the original IP packet from the hacker's system carries data (payload), IP source 192.168.0.25 and IP destination 100.0.0.75; the spoofed (modified) IP packet carries the same payload and the same IP destination 100.0.0.75, but a forged IP source of 100.0.0.80.

Man-in-the-Middle: A man-in-the-middle attack is also called a TCP hijacking attack. An attacker captures packets from the network, changes them and puts them back into the network. This type of attack uses IP spoofing and allows the attacker to view, edit, delete, reroute, add, forge or divert data. In a TCP hijacking session, the spoofing may involve the interception of an encryption key exchange.

Sniffers: A sniffer is a packet analyzer that captures traffic traveling over a network. Illegal sniffers can be extremely dangerous in a network since they are impossible to detect and can intercept and log traffic passing over a digital network. Sniffers often work on TCP/IP networks, where they are sometimes called "packet sniffers".

Social Engineering: The process of convincing people to reveal important information that is valuable to the attacker. For instance, an attacker obtains more information by calling others in the company and asserting authority by mentioning the chief's name.

Buffer Overflow: A buffer overflow occurs when a program, while writing data into a buffer, writes past the end of the buffer and overwrites neighboring memory, so that the program can no longer handle the data correctly.

Timing Attack: The attacker takes advantage of a vulnerability in the execution of logical operations in the computer. The computer takes time to perform an operation, and the execution time differs with the input; by measuring the exact time taken to execute an operation, the attacker learns about the input and can thereby take control of the execution.
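As an added example (not from the essay), the timing leak described above made visible without a stopwatch: a naive early-exit comparison of a secret token is instrumented to count the byte comparisons it performs, which is what its running time is proportional to, and is contrasted with a constant-time comparison that does the same amount of work for every input. The token and the guesses are constructed values.

```python
"""Why an early-exit comparison leaks through timing (added illustration).

naive_equal() stops at the first mismatching byte, so the work it does, and
hence its running time, grows with the length of the correct prefix of the
guess. constant_time_equal() always examines every byte. Instead of measuring
wall-clock time, which is noisy, both return the number of byte comparisons
performed, which is what the time is proportional to.
"""
import hmac
from typing import Tuple


def naive_equal(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison; returns (equal, comparisons performed)."""
    if len(secret) != len(guess):
        return False, 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps   # position of the first mismatch leaks here
    return True, steps


def constant_time_equal(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Examines every byte regardless of where mismatches occur."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        diff |= a ^ b             # accumulate differences, never branch on data
    return diff == 0, steps


def leaked_prefix_length(secret: bytes, guess: bytes) -> int:
    """What someone timing naive_equal() can infer: how many leading bytes of
    the guess are correct."""
    ok, steps = naive_equal(secret, guess)
    return steps if ok else steps - 1


SECRET = b"s3cr3t-t0k3n"   # constructed secret, 12 bytes

if __name__ == "__main__":
    for guess in (b"xxxxxxxxxxxx", b"s3cxxxxxxxxx", b"s3cr3t-t0kxx", SECRET):
        print(guess, naive_equal(SECRET, guess), constant_time_equal(SECRET, guess),
              "leaked prefix:", leaked_prefix_length(SECRET, guess))
    # The standard library provides a constant-time comparison ready-made.
    print(hmac.compare_digest(SECRET, b"s3cr3t-t0k3n"))
```

The comparison counts returned by naive_equal() are the signal a timing attacker measures; constant_time_equal() returns the same count for every guess, so its timing says nothing about the input.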

Top 10 information security mistakes made by individuals (Whitman et al 2004; Krause et al 2004; Bishop 2005):

Passwords on Post-it-Notes

Leaving unattended computers on.

Opening e-mail attachments from strangers.

Poor Password etiquette

Laptops on the loose (unsecured laptops that are easily stolen)

Blabber mouths (people who talk about passwords)

Plug & Play (technology that enables hardware devices to be installed and configured without the protection provided by the people who perform installations)

Unreported Security Violations

Always behind the times.

Not watching for dangers inside the organization (Whitman et al 2004; Krause et al 2004 and Bishop 2005).

2.3 INTRODUCTION TO PHYSICAL DESIGN

Physical design includes the selection and implementation of technologies that reduce the risk from threats to the organization's information assets (Whitman et al 2004).

2.4 SECURITY TECHNOLOGY

Security software that frightens users into downloading a worthless antivirus program for a fee topped the threat list in 2008, according to a Microsoft study. The second threat was a downloader that comes with malicious code. Various security technologies are available today to counter these threats: firewalls, IDS, and various scanning tools (Whitman et al 2004).

A firewall is a device that monitors and regulates incoming and outgoing traffic in an organization. Firewalls are usually placed on the security perimeter, just behind or as part of a gateway router. Firewalls can be packet filtering, stateful packet filtering, proxy, or application level. A firewall can be a single device or a combination of devices forming a subnet. The subnet firewall creates a buffer between the internal and external networks (Whitman et al 2004).

A proxy server or proxy firewall is an alternative to using a firewall subnet or a demilitarized zone (DMZ). A proxy server acts as a server when it receives a request from the client, obtains the information from the true web server and then responds to the request as a proxy for the true web server. For frequently accessed web pages, proxy servers can cache or temporarily store the page, and thus are sometimes called cache servers (Whitman et al 2004).

2.4.1 Firewalls

A firewall in an information security program prevents specific categories of data from moving between the trusted and untrusted networks. The firewall can be implemented on a particular server, on computers, on routers or in a gateway (Whitman et al 2004).

Types of Firewalls

Firewalls can be classified by processing mode, development generation and intended structure. The different types of firewalls are packet filtering, circuit gateways, application gateways, hybrid firewalls and media access control layer firewalls. Categorized by structure, firewalls are residential or commercial, and hardware, software or appliance based devices (Whitman et al 2004).

Packet filtering firewall

Packet filtering firewalls inspect the header information of data packets that arrive on the network for compliance with or violation of the rules in the firewall's database. A packet filtering firewall installed on a TCP/IP network determines whether to deny a packet or forward it to the next network connection. If the device finds a packet that matches a restriction, it stops the packet from traveling. The restrictions implemented are mainly based on a combination of Internet Protocol (IP) source and destination addresses, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) source and destination port requests, and direction (inbound or outbound) (Whitman et al 2004).
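As an added example (not from the essay or from Whitman et al), a first-match packet filter of the kind just described, applied to the two packets of Figure 2.1 in the spoofing section: an anti-spoofing rule rejects the forged packet claiming an internal source while the honestly addressed packet is admitted to the web server. The rule table, the direction names, the port numbers and the protected prefix 100.0.0.0/24 are assumptions made for the illustration.

```python
"""A first-match packet filter with an anti-spoofing rule (added illustration).

Each rule matches on direction, protocol, source and destination prefix and
destination port, exactly the header fields a packet filtering firewall looks
at. Rules are evaluated top to bottom; the first match decides, and the table
ends with a default deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" (arriving from the external network) or "outbound"
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0   # 0 means no port (e.g. ICMP)
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # None matches any value
    proto: Optional[str] = None
    src: Optional[str] = None        # CIDR prefix
    dst: Optional[str] = None
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


INTERNAL_NET = "100.0.0.0/24"   # assumed: the protected network of Figure 2.1

RULES: List[Rule] = [
    # Anti-spoofing: a packet arriving from outside must not claim an inside source.
    Rule("deny", direction="inbound", src=INTERNAL_NET, comment="spoofed internal source"),
    Rule("allow", direction="inbound", proto="tcp", dst=INTERNAL_NET, dport=80,
         comment="web server"),
    Rule("allow", direction="outbound", src=INTERNAL_NET, comment="internal hosts out"),
    Rule("deny", comment="default deny"),
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> Rule:
    """Return the first rule that matches pkt; the default rule always matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    raise ValueError("rule set has no default rule")


# The two packets of Figure 2.1 (the ports are constructed; the figure shows none).
ORIGINAL = Packet("inbound", "tcp", "192.168.0.25", "100.0.0.75", 40000, 80)
SPOOFED = Packet("inbound", "tcp", "100.0.0.80", "100.0.0.75", 40000, 80)

if __name__ == "__main__":
    for pkt in (ORIGINAL, SPOOFED):
        verdict = filter_packet(pkt)
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport} {verdict.action} ({verdict.comment})")
```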

Application gateways / firewall

The application level firewall is normally installed on a dedicated system known as a proxy server. These servers can store the most recently accessed pages in their cache and are then called cache servers. Since proxy servers are not very secure and are placed in an unsecured area of the network, security can be added by installing filtering routers behind the proxy server. The disadvantage is that they are typically restricted to a single application, since they work at the application layer. Figure 2.2 illustrates the different types of firewalls compared to the OSI model (Whitman et al 2004).

Figure 2.2 Firewall Types and OSI Model

Circuit gateways firewall

The circuit gateway firewall functions at the transport layer of the OSI model. Unlike other firewalls, it does not examine the data transferred between two networks but checks the direct connections between one network and another. This is done by building channels between specific processes and systems on either side of the firewall and allowing only authorized traffic in those channels (Whitman et al 2004).

MAC layer firewalls

Media access control (MAC) layer firewalls function at the data link layer of the OSI model. This allows the firewall to consider the identity of specific host systems in its filtering decisions. The MAC addresses are linked with an access control list (ACL) that identifies precisely which packets may be sent to each host; the remaining packets are blocked (Whitman et al 2004).

Hybrid firewalls

A hybrid firewall is a combination of packet filtering, application gateways, circuit gateways and MAC layer firewalls. The resulting firewall may combine two different firewall devices, each forming a separate firewall but connected to work in tandem. Without completely replacing its existing firewalls, an organization can improve security by this approach (Whitman et al 2004).

2.5 IDS

IDS are intended to detect intrusions or attacks against a computer system. Those that work online can counteract an intrusion that is underway and possibly help to identify the perpetrator. Those that work offline can be used to initiate recovery procedures and/or to identify vulnerabilities for repair. Intrusion detection systems analyze network packets, event logs, or other types of execution profiles. They generate alarms and may also initiate countermeasures (Jones et al 2000).

Intrusion means attempting to break into or misuse a system. An intrusion can be a physical, system or remote intrusion. Intruders may be from outside the network or legitimate users of the network. An IDS is software that automates the intrusion detection process. The primary responsibility of an IDS is to detect unwanted and malicious activities. An intrusion is a deliberate, unauthorized attempt to access or manipulate information or a system and to render it unreliable or unusable. When suspicious activity comes from your internal network it can also be classified as misuse.

2.5.1 Passive system vs. Reactive system

An intrusion detection system (IDS) that detects a security breach by checking the system logs and raises an alarm to the user is called a passive system. An intrusion prevention system (IPS) is a reactive system: it responds to suspicious activity by resetting the connection or reconfiguring the firewall to stop the suspicious activity. The action is commanded by the administrator or taken automatically (Whitman et al 2004).

2.5.2 Why Use an IDS?

An IDS deters intruders from creating problems by increasing the risk of being caught and punished. It detects attacks and other security violations, detects and deals with the preambles to attacks, documents the existing threat to an organization, acts as a quality controller for the security design and management of large organizations, and provides useful information about intrusions that take place.

The following are the reasons for an organization to install an IDS:

They can serve as straightforward deterrent measures.

They cover the organization when its network fails to protect against known vulnerabilities.

They can help administrators detect the preambles to attacks.

They serve to document the scope of the threat that an organization faces.

They help in quality assurance and continuous improvements of the organization (Whitman et al 2004).

Key Terms in Intrusion Detections

Alarm: An indication that a system has just been attacked.

Noise: Ongoing activity that generates alarm events without being a real attack.

Site Policy: The rules and guidelines governing the implementation and operation of IDS in an organization.

False Negative: The failure of an IDS to react to an actual attack event. An event that the IDS fails to identify as an intrusion when one has in fact occurred [B26-b].

False Positive: An alarm that indicates an attack in progress when there is none. A false positive is an event incorrectly identified by the IDS as an intrusion when none has occurred [B26-b].

False Attack Stimulus: An event that triggers alarms when no actual attacks are in progress.

True Attack Stimulus: An event that triggers alarms when a real attack is in progress.

Exploit: The process of using a vulnerability to violate a security policy. A tool or defined method that could be used to violate a security policy is often referred to as an exploit script.

Incident: A collection of data representing one or more related attacks. Attacks may be related by attacker, type of attack, objectives, sites, or timing.

Intruder: The person who carries out an attack. Attacker is a common synonym for intruder. The words attacker and intruder apply only after an attack has occurred. A potential intruder may be referred to as an adversary. Since the label of intruder is assigned by the victim of the intrusion and is therefore contingent on the victim's definition of encroachment, there can be no universal categorization of actions as intrusive or not. Intruders may be from outside the network or legitimate users of the network.

COMPONENTS OF INTRUSION DETECTION SYSTEM

The functionality of an IDS can be logically distributed into three components: sensors, analyzers, and a user interface (Allen et al 2002).

Sensors: Sensors are responsible for collecting data. The input for a sensor may be any part of a system that could contain evidence of an intrusion. Example types of input to a sensor are network packets, log files, and system call traces. Sensors collect and forward this information to the analyzer.

Analyzers: Analyzers receive input from one or more sensors or from other analyzers. The analyzer is responsible for determining if an intrusion has occurred. The output of this component is an indication that an intrusion has occurred. The output may include evidence supporting the conclusion that an intrusion occurred. The analyzer may provide guidance about what actions to take as a result of the intrusion.

User interface: The user interface to an IDS enables a user to view output from the system or control the behavior of the system. In some systems, the user interface may equate to a "manager," "director," or "console" component.

In addition to these three essential components, an IDS may be supported by a "honeypot," i.e., a system designed and configured to be visible to an intruder and to appear to have known vulnerabilities. A honeypot provides an environment and additional information that can be used to support intrusion analysis. The honeypot serves as a sensor for an IDS by waiting for intruders to attack the apparently vulnerable system. Having a honeypot serve as a sensor provides indications and warnings of an attack. Honeypots have the ability to detect intrusions in a controlled environment and preserve a known state.

2.6 DETECTION METHODS IN IDS

IDSs typically perform extensive logging of data related to detected events. These data are used to validate alerts, to investigate incidents, and to correlate events between the IDS and other sources (Scarfone et al 2007). Intrusion detection systems function as network-based, host-based or application-based systems and focus on protecting network information assets. Intrusion detection systems use one of the following methods: signature-based detection, statistical anomaly-based detection, compound detection and stateful protocol analysis (Whitman et al 2004).

2.6.1 Signature-Based IDS / Knowledge-Based IDS / Misuse-Based IDS

A signature-based IDS matches patterns with known signatures against the incoming data traffic in the network. It is widely used because each known attack has its own individual signature. The disadvantage of this method is that the IDS database has to be updated regularly as new attacks are identified (Whitman et al 2004). The main aim of misuse detection is to use an expert system to recognize intrusions based on a predefined knowledge database (Brown et al 2002).

Misuse detection systems look for behavior that is characteristic of a known attack type, for example an oversized string argument sent to a particular port, or the phf exploit, which involves the following HTTP request: GET /cgi-bin/phf? (Jones et al 2000). Misuse detection systems can detect known attacks with few false alarms (false positives), but they are poorly suited to detecting novel attacks. The major approaches to misuse detection are signature analysis, rule-based analysis, state-transition analysis and data mining (Jones et al 2000).

Signature analysis

A signature-based IDS matches the signatures available in its database against the data collected from monitored activities in order to identify intrusions (Scarfone et al 2007). An IDS that does signature analysis maintains a database of known attack signatures.

Example: Snort signature for the phf exploit (Peikari and Chuvakin):

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf access"; flow:to_server,established; uricontent:"/phf"; nocase; reference:bugtraq,629; reference:arachnids,128; reference:cve,CVE-1999-0067; classtype:web-application-activity; sid:886; rev:8;)

Some research has been done on generalizing or abstracting intrusion signatures to catch a wider class of attacks (Jones et al 2000).
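To show how signature analysis works in practice, the following added example (written for this survey, not code from Snort or from any of the cited authors) parses the option block of a Snort-style rule modelled on the phf signature above and matches its uricontent option against a constructed set of HTTP request lines. The rule variables and request lines are assumptions for illustration only.

```python
from dataclasses import dataclass
# Constructed rule in Snort syntax, modelled on the WEB-CGI phf rule quoted above.
PHF_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
            '(msg:"WEB-CGI phf access"; flow:to_server,established; '
            'uricontent:"/phf"; nocase; reference:cve,CVE-1999-0067; '
            'classtype:web-application-activity; sid:886; rev:8;)')

@dataclass
class Signature:
    sid: int
    msg: str
    uricontent: str
    nocase: bool

def parse_rule(rule: str) -> Signature:
    """Split the option block between the outer parentheses into key:value options
    and bare flags (such as nocase); keep only what URI matching needs."""
    options = rule[rule.index('(') + 1:rule.rindex(')')]
    fields, flags = {}, set()
    for opt in filter(None, (o.strip() for o in options.split(';'))):
        if ':' in opt:
            key, _, value = opt.partition(':')
            fields[key.strip()] = value.strip().strip('"')
        else:
            flags.add(opt)
    return Signature(sid=int(fields['sid']), msg=fields['msg'],
                     uricontent=fields['uricontent'], nocase='nocase' in flags)

def request_uri(request_line: str) -> str:
    # URI is the second token of a request line such as 'GET /index.html HTTP/1.0'
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ''

def match(sig: Signature, request_line: str) -> bool:
    # uricontent semantics: substring match on the URI, case-folded when nocase is set
    uri, needle = request_uri(request_line), sig.uricontent
    if sig.nocase:
        uri, needle = uri.lower(), needle.lower()
    return needle in uri

def scan(sig: Signature, request_lines):
    """Return (sid, msg, request_line) for every request that matches the signature."""
    return [(sig.sid, sig.msg, line) for line in request_lines if match(sig, line)]

# Constructed sample of HTTP request lines, as a sensor would hand them to the analyzer.
SAMPLE_REQUESTS = ['GET /index.html HTTP/1.0', 'GET /cgi-bin/phf? HTTP/1.0',
                   'GET /cgi-bin/PHF HTTP/1.0', 'POST /login HTTP/1.1']
if __name__ == '__main__':
    print(scan(parse_rule(PHF_RULE), SAMPLE_REQUESTS))
```

The nocase flag is what makes the upper-case request match; without it the third request would pass unnoticed, which is the kind of evasion that keeps signature databases in need of regular updates.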

Rule based

Rule-based IDSs encode intrusion scenarios as a set of rules. A rule-based system is represented as a knowledge base composed of a fact base and a rule base. The fact base is a set of assertions derived from stored audit records or from monitoring activities in the system. The rule base consists of rules that describe known intrusion scenarios. When the pattern of a rule's antecedent (precondition) matches asserted facts, the rule fires, which initiates an alarm or countermeasure (Jones et al 2000). In other words, a rule-based system uses a set of "if-then" implication rules to characterize computer attacks (Lazarevic et al 2002).

Example: Illegal privileged account access rule (Jones et al 2000):

(if there exists a failed_login_item such that name is ("root" or "superuser" or "maintenance" or "system") and time is ?time_stamp and channel is ?channel then (print "WARNING DANGEROUS"))
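The following added example (written for this survey, not code from Jones et al) implements the rule above as a fact base built from constructed audit records and a rule whose antecedent binds ?time_stamp and ?channel when it matches. The log layout, account names and addresses are assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed audit records in a syslog-like layout (not real logs).
AUDIT_LOG = """\
2017-11-02T10:14:01 sshd[412]: Failed password for root from 192.0.2.10 port 51022 ssh2
2017-11-02T10:14:07 sshd[412]: Failed password for alice from 192.0.2.11 port 51030 ssh2
2017-11-02T10:14:09 login[77]: Failed password for maintenance on tty1
2017-11-02T10:15:00 sshd[413]: Accepted password for bob from 192.0.2.12 port 51040 ssh2
"""

FAILED_LOGIN = re.compile(
    r'^(?P<time>\S+) (?P<channel>\w+)\[\d+\]: Failed password for (?P<name>\w+)')

def assert_facts(log_text):
    """Fact base: one failed_login_item assertion per failed-login audit record."""
    facts = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            facts.append({'type': 'failed_login_item', 'name': m['name'],
                          'time': datetime.fromisoformat(m['time']),
                          'channel': m['channel']})
    return facts

PRIVILEGED = {'root', 'superuser', 'maintenance', 'system'}

def illegal_privileged_access_rule(fact):
    """Antecedent of the rule from the text: a failed login to a privileged account.
    Returns the variable bindings (?time_stamp, ?channel) on a match, else None."""
    if fact['type'] == 'failed_login_item' and fact['name'] in PRIVILEGED:
        return {'name': fact['name'], 'time_stamp': fact['time'],
                'channel': fact['channel']}
    return None

def run_rules(facts, rules):
    """One forward-chaining pass: fire every rule whose antecedent matches a fact."""
    alarms = []
    for fact in facts:
        for rule in rules:
            bindings = rule(fact)
            if bindings is not None:   # consequent: raise the alarm with the bindings
                alarms.append('WARNING DANGEROUS: failed login to %(name)s '
                              'via %(channel)s at %(time_stamp)s' % bindings)
    return alarms

if __name__ == '__main__':
    for alarm in run_rules(assert_facts(AUDIT_LOG), [illegal_privileged_access_rule]):
        print(alarm)
```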

State transition analysis

State transition analysis describes system states as collections of attribute-value pairs and emphasizes the importance of those states. The state of a system is the function of all the users, system processes and data present at a given point in time. Actions that contribute to intrusion scenarios are characterized as transitions between states, and each action changes the value of some attribute. Intrusion scenarios are represented by diagrams in which nodes represent system states and arcs represent actions. Some of the states are compromised states (Jones et al 2000).

Put differently, state transition analysis is an approach that tries to identify intrusions using a finite state machine derived from the network. The states of the IDS correspond to different states of the network, and each event causes a transition in this finite state machine. An activity is identified as an intrusion if the state transitions in the network's finite state machine lead to a compromised state (Scarfone et al 2007).
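The following added example (written for this survey, not code from any cited author) encodes one constructed intrusion scenario as a state transition diagram and drives a finite state machine per account over a constructed event stream, reporting when a compromised state is reached. The scenario itself (repeated failed logins on an account followed by a successful login) and the event names are assumptions for illustration.

```python
from collections import defaultdict

# Constructed state-transition diagram for one intrusion scenario (not from the text):
# three or more consecutive failed logins on an account followed by a successful login.
# Nodes are system states, arcs are the actions that move between them.
TRANSITIONS = {
    ('start', 'login_failed'): 'failed_1',
    ('failed_1', 'login_failed'): 'failed_2',
    ('failed_2', 'login_failed'): 'failed_3',
    ('failed_3', 'login_failed'): 'failed_3',
    ('failed_3', 'login_success'): 'compromised',
}
COMPROMISED = {'compromised'}

def step(state, action):
    """Follow the arc for (state, action); an action not on the diagram returns to start."""
    return TRANSITIONS.get((state, action), 'start')

def analyse(events):
    """Track one FSM instance per account; return (event index, account) for each
    point at which the account's machine entered a compromised state."""
    state = defaultdict(lambda: 'start')   # attribute-value pair: account -> current state
    alerts = []
    for seq, (account, action) in enumerate(events):
        state[account] = step(state[account], action)
        if state[account] in COMPROMISED:
            alerts.append((seq, account))
            state[account] = 'start'       # scenario completed; watch for a repeat
    return alerts

# Constructed event stream: (account, action) pairs as an audit sensor would report them.
EVENTS = [
    ('alice', 'login_failed'), ('alice', 'login_success'),   # one typo, not the scenario
    ('root', 'login_failed'), ('root', 'login_failed'),
    ('root', 'login_failed'), ('root', 'login_failed'),
    ('root', 'login_success'),                                # completes the scenario
    ('bob', 'login_failed'), ('bob', 'logout'),               # unrelated action resets
    ('bob', 'login_failed'), ('bob', 'login_success'),
]

if __name__ == '__main__':
    print(analyse(EVENTS))   # [(6, 'root')]
```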

Data mining

Data Mining Approach to Misuse Detection involves training a pattern classifier to recognize known attacks. The classifier may be statistical, neural, or based on association rules. It requires a training set consisting of attack instances mixed with normal executions (Jones et al 2000).

2.6.2 Statistical Anomaly Based IDS / Behavior Based IDS

The statistical anomaly-based IDS, sometimes called a behavior-based IDS, samples network activity and compares it with normal traffic. The IDS raises an alert to the administrator when the activity falls outside the normal limits. Such an IDS can detect new types of attacks, but it requires more processing capacity and is more costly than a signature-based IDS. It may also generate many false positives, and hence is less commonly used than the signature-based type (Whitman et al 2004).

This method works from the definition "anomalies are not normal". Many anomaly detection algorithms have been proposed, differing in the information used for analysis and in the methods employed to detect deviations from normal behavior. The most important requirement of an anomaly detector is that it should be able to distinguish abnormal from normal behavior (Lazarevic et al 2002).

Statistical based methods: Statistical methods monitor user/network behavior by measuring the statistics of certain variables over time (White paper et al 2002).

Distance based methods: These methods try to overcome the limitations of the statistical outlier detection approach when the multidimensional distributions of the data are difficult to estimate (Scarfone et al 2007).

Rule based: In rule-based systems, the IDS holds a definition of the normal behavior of the user/network and identifies intrusions by comparing this predefined normal behavior with the current activities of the user/network (Scarfone et al 2007).

Profile based methods: This method is similar to the rule-based method, but here a profile of normal behavior is built for each type of network traffic, each user and each device, and deviation from these profiles indicates an intrusion (Scarfone et al 2007).

Model based methods: Other approaches model normal and abnormal behavior directly, without creating a separate profile for each entity (Scarfone et al 2007).
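As an added example of the statistical method described above (written for this survey, not code from any cited author), the detector below keeps a rolling mean and standard deviation of one measured variable and flags observations that lie outside a threshold of three standard deviations. The variable (outbound connections per minute from one host) and all counts are constructed assumptions.

```python
import statistics
from collections import deque

# Constructed per-minute counts of outbound connections from one host, recorded during
# a quiet training period; this is the "normal" profile the detector starts from.
TRAINING = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13, 12, 14]

class StatisticalAnomalyDetector:
    """Keeps a rolling profile (mean and standard deviation) of one measured variable
    and flags an observation that lies more than `threshold` standard deviations from
    the mean. Only normal observations are folded into the profile, so a sudden burst
    cannot immediately drag the baseline up and hide itself."""

    def __init__(self, training, window=60, threshold=3.0):
        self.window = deque(training, maxlen=window)
        self.threshold = threshold

    def profile(self):
        return statistics.mean(self.window), statistics.pstdev(self.window)

    def observe(self, value):
        """Return (anomalous, z_score) for one new observation and update the profile."""
        mean, stdev = self.profile()
        if stdev > 0:
            z = (value - mean) / stdev
        else:   # zero-variance baseline: any change at all is a deviation
            z = 0.0 if value == mean else float('inf')
        anomalous = abs(z) > self.threshold
        if not anomalous:
            self.window.append(value)
        return anomalous, round(z, 2)

def run(detector, observations):
    """Return (index, value, z_score) for every observation the detector flags."""
    hits = []
    for i, value in enumerate(observations):
        anomalous, z = detector.observe(value)
        if anomalous:
            hits.append((i, value, z))
    return hits

# Constructed live observations: normal traffic, one burst, then normal again.
LIVE = [13, 14, 12, 95, 15, 13]

if __name__ == '__main__':
    print(run(StatisticalAnomalyDetector(TRAINING), LIVE))
```

Lowering the threshold catches smaller deviations but raises the false-positive rate the text warns about; the choice of threshold and window length is where the extra cost of this method goes.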

2.6.3 Compound Detection

A combination of anomaly based and signature based detection.

2.6.4 Stateful protocol analysis

Stateful protocol analysis compares predetermined profiles of accepted protocol activity for each protocol state against observed events in order to identify deviations (Scarfone et al 2007).

2.7 TYPES OF IDS

2.7.1 Network Based IDS (NIDS)

A NIDS resides on a computer or appliance connected to a segment of an organization's network and looks for signs of attacks. While examining packets, the NIDS searches for known attack patterns. NIDSs are installed at specific locations in the network where they can monitor incoming and outgoing traffic and identify suspicious activity. A NIDS can detect many more types of attacks, but it requires more complex configuration and maintenance (Whitman et al 2004). Network-based IDSs typically scan network packets at multiple machines (Jones et al 2000).

Signature Matching in NIDS

A NIDS detects attack patterns through two kinds of signature matching on the TCP/IP stack. In protocol stack verification, the NIDS searches for invalid data packets while checking the protocol stack. In application protocol verification, the higher-level (application) protocols are inspected for unexpected packet behavior or misuse (Whitman et al 2004).

Advantages of NIDS: A good NIDS implementation and network design can allow a small number of NIDS devices to monitor a large network. NIDSs are passive and can therefore be introduced into an existing network with little disruption. NIDSs are usually not susceptible to direct attack and may not be detectable by attackers (Whitman et al 2004).

Disadvantages of NIDS: As network traffic volume increases, a NIDS may fail to detect attacks. It needs privileges to monitor traffic. A NIDS cannot analyze encrypted packets. It cannot determine whether an attack has succeeded or not. A NIDS may also be unable to handle fragmented packets correctly (Whitman et al 2004).
