IDS : Intrusion Detection System the Survey of Information Security

Transcription

1 IDS : Intrusion Detection System the Survey of Information Security Sheetal Thakare 1, Pankaj Ingle 2, Dr. B.B. Meshram 3 1,2 Computer Technology Department, VJTI, Matunga,Mumbai 3 Head Of Computer TechnologyDepartment, VJTI, Matunga, Mumbai Abstract With the increased use of computerized / online transactions it is very much of the importance to secure the information from intruders. Intrusion detection is the process of monitoring the activities or events occurring in the computer system or network and analyzing them to find out suspicious events intruding the system or network. Such events will be reported to the administrator of Intrusion Detection System(IDS) who will decide the further action. This Paper surveys different types of IDS and lists preventive methods.an intrusion detection system (IDS) is software that automates the intrusion detection process. An intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. Keywords Intruder, Intrusion, anomaly, IDS, NIDS, HIDS I. INTRODUCTION Intrusions are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion detection systems (IDS) are primarily focused on 1) Identifying possible incidents by monitoring both user and system 2) Logging information about them 3) Analyzing system configuration and vulnerability 4) Assessing file and system integrity 5) Recognizing abnormal activities and patterns typical of attacks. 6) Reporting them to security administrator. In addition, organizations use IDSs for other purposes, such as 1) Identifying problems with security policies 2) Documenting existing threats 3) Deterring individuals from violating security policies. IDSs have become a necessary addition to the security infrastructure of nearly every organization. Following terms give idea about possible threats to security Risk : Accidental or unpredictable exposure of information or violation of operations integrity due to the malfunction of hardware or incomplete or incorrect software design. Vulnerability: A known or suspected flaw in the hardware or software or operation of a system that exposes the system to penetration or its information to accidental disclosure. Attack : A specific formulation or execution of a plan to carry out a threat. Penetration : A successful attack -- the ability to obtain unauthorized (undetected) access to files and programs or the control state of a computer system. Intruders are of two types, the external intruders who are unauthorized users of the machines they attack, and internal intruders, who have permission to access the system, but not some portions of it. Further internal intruders are divided into intruders who masquerade as another user, those with legitimate access to sensitive data, and the most dangerous type, the clandestine intruders who have the power to turn off audit control for themselves. Different types of threats include : Attempted break in : generates large number of password failure events. Masquerading : logging into system using unauthorized account and password. So event has different login time, location or connection type than legitimate user. Penetration by legitimate user : user will execute different programs or trigger more protection violations. Leakage by legitimate user : user might route data to remote unused printer. Interference by legitimate user : user might attempt to retrieve unauthorized data from database through aggregation and inference might retrieve more record than usual. Trojan Horse : program planted in system, its behavior differs from legitimate program in terms of CPU utilization or I/O activity. Virus : Event causes increase in frequency of executable files rewritten, storage used by executable files or particular program executed as the virus spread. 86

2 Denial of Service : event will monopolizes a resource. So resource will be unavailable to other activities. Fig 1 Typical locations for an IDS II. TYPES OF INTRUSION DETECTION METHODS A. Anomaly Detection This method finds normal activity profile for the system. Using it as a measure, all activites carried out in system are cross checked with this profile to find anamolous behaviour of the activity. If found alarm is raised against the event, which indicates it is a intruding event. Fig 2 Typical anomaly detection system B. Misuse Detection/ Signature based Detection This method stores the pattern / signature of the attacks. Any event occurring in system has its own pattern, which is matched with the data stored. As soon as the match found alarm is raised. It cannot detect an unknown event(signature not known). Fig 3 Typical misuse detection system C. Stateful Protocol Analysis Stateful protocol analysis is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations. Unlike anomalybased detection, which uses host or network-specific profiles, stateful protocol analysis relies on vendordeveloped universal profiles that specify how particular protocols should and should not be used. The stateful in stateful protocol analysis means that the IDS is capable of understanding and tracking the state of network, transport, and application protocols that have a notion of state. For example, when a user starts a File Transfer Protocol (FTP) session, the session is initially in the unauthenticated state. Unauthenticated users should only perform a few commands in this state, such as viewing help information or providing usernames and passwords. An important part of understanding state is pairing requests with responses, so when an FTP authentication attempt occurs, the IDS can determine if it was successful by finding the status code in the corresponding response. Once the user has authenticated successfully, the session is in the authenticated state, and users are expected to perform any of several dozen commands. Performing most of these commands while in the unauthenticated state would be considered suspicious, but in the authenticated state performing most of them is considered benign. Stateful protocol analysis can identify unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command without first issuing a command upon which it is dependent. Another state tracking feature of stateful protocol analysis is that for protocols that perform authentication, the IDS can keep track of the authenticator used for each session, and record the authenticator used for suspicious activity. 87

3 III. TYPES OF IDS TECHNOLOGIES There are many types of IDS technologies. They are divided into the following mainly four groups based on the type of events that they monitor and the ways in which they are deployed: A. Network-Based IDS It monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity. It can identify many different types of events of interest. It is most commonly deployed at a boundary between networks, such as in proximity to border firewalls or routers, virtual private network (VPN) servers, remote access servers, and wireless networks. B. Host-Based IDS It monitors the characteristics of a single host and the events occurring within that host for suspicious activity. Examples of the types of characteristics a host-based IDS might monitor are network traffic (only for that host), system logs, running processes, application activity, file access and modification, and system and application configuration changes. Host-based IDSs are most commonly deployed on critical hosts such as publicly accessible servers and servers containing sensitive information. C. Wireless IDS It monitors wireless network traffic and analyzes its wireless networking protocols to identify suspicious activity involving the protocols themselves. It cannot identify suspicious activity in the application or higherlayer network protocols (e.g., TCP, UDP) that the wireless network traffic is transferring. It is most commonly deployed within range of an organization s wireless network to monitor it, but can also be deployed to locations where unauthorized wireless networking could be occurring. Distribution System AP2 STA1 AP1 STA2 STA3 STA4 Fig 5Wireless LAN Architecture Example D. Network Behavior Analysis (NBA) It examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware (e.g., worms, backdoors), and policy violations (e.g., a client system providing network services to other systems). NBA systems are most often deployed to monitor flows on an organization s internal networks, and are also sometimes deployed where they can monitor flows between an organization s networks and external networks (e.g., the Internet, business partners networks). Fig 4HIDS Architecture IV. KEY FUNCTIONS OF IDS TECHNOLOGIES There are many types of IDS technologies, which are differentiated primarily by the types of events that they can recognize and the methodologies that they use to identify incidents. 88

4 In addition to monitoring and analyzing events to identify undesirable activity, all types of IDS technologies typically perform the following functions: Recording information related to observed events. Information is usually recorded locally, and might also be sent to separate systems such as centralized logging servers, security information and event management (SIEM) solutions, and enterprise management systems. Notifying security administrators of important observed events. This notification, known as an alert, occurs through any of several methods, including the following: s, pages, messages on the IDS user interface, Simple Network Management Protocol (SNMP) traps, syslog messages, and user-defined programs and scripts. A notification message typically includes only basic information regarding an event; administrators need to access the IDS for additional information. Producing reports. Reports summarize the monitored events or provide details on particular events of interest. Some IDSs are also able to change their security profile when a new threat is detected. For example, an IDS might be able to collect more detailed information for a particular session after malicious activity is detected within that session. An IDS might also alter the settings for when certain alerts are triggered or what priority should be assigned to subsequent alerts after a particular threat is detected. V. HOW TO PROTECT IDS ITSELF One major issue is how to protect the system on which your intrusion detection software is running. If security of the IDS is compromised, you may start getting false alarms or no alarms at all. The intruder may disable IDS before actually performing any attack. There are different ways to protect your system, starting from very general recommendations to some sophisticated methods. Some of these are mentioned below. The first thing that you can do is not to run any service on your IDS sensor itself. Network servers are the most common method of exploiting a system. New threats are discovered and patches are released by vendors. This is almost a continuous and non-stop process. The platform on which you are running IDS should be patched with the latest releases from your vendor. For example, if Snort # is running on a Microsoft Windows machine, you should have all the latest security patches from Microsoft installed. Configure the IDS machine so that it does not respond to ping (ICMP Echotype) packets. If you are running Snort on a Linux machine, use netfilter/iptable to block any unwanted data. Snort will still be able to see all of the data. You should use IDS only for the purpose of intrusion detection. It should not be used for other activities and user accounts should not be created except those that are absolutely necessary. In addition to these common measures, Snort can be used in special cases as well. Following are two special techniques that can be used with Snort to protect it from being attacked. Following are two special techniques that can be used with Snort to protect it from being attacked. a. Snort on Stealth Interface You can run Snort on a stealth interface which only listens to the incoming traffic but does not send any data packets out. A special cable is used on the stealth interface. On the host where Snort is running, you have to short pins 1 and 2. Pins 3 and 6 are connected to same pins on the other side. b. Snort with no IP Address Interface You can also use Snort on an interface where no IP address is assigned. For example, on a Linux machine, you can bring up interface eth0 using command ifconfig eth0 up without assigning an actual IP address. The advantage is that when the Snort host doesn t have an IP address itself, nobody can access it # Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection. VI. CONCLUSION An IDS is a part of the defensive operations that complements the defenses such as firewalls, UTM etc. The IDS basically detects attack signs and then alerts. In terms of performance, an IDS becomes more accurate as it detects more attacks and raises fewer false positive alarms.intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. An intrusion detection system (IDS) is software that automates the intrusion detection process. An intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. 89

5 Intrusion detection and prevention systems (IDS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDSs have become a necessary addition to the security infrastructure of nearly every organization. REFERENCES [1 ] Importance of Intrusion Detection System(IDS), Asmaa Shaker AsjoorInternational Journal of scientific and engineering research, volume 2,issue 1, jan 2011, ISSN [2 ] An Intrusion Detection Model, Dorothy E Dennin, IEEE transaction on software engineering 1987 [3 ] Guide to Intrusion Detection and Prevention System, NIST, Technology Administration US Department of commerce [4 ] A Computationally Efficient Engine forflexible Intrusion Detection Zachary K. Baker, Student Member, IEEE, and Viktor K. Prasanna, Fellow, IEEEIEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 13, NO. 10, OCTOBER [5 ] Immune Model Based ApproachFor Network Intrusion Detection Vadim D. Kotov Ufa State Aviation Technical UniversityRussian Federation Kotov.v.d@gmail.com Vladimir I. Vasilyev Ufa State Aviation Technical UniversityRussian FederationVasilyev@ugatu.ac.ru [6 ] Network Intrusion Detection Based on SupportVector Machine Xiaohui Bao, Tianqi Xu, Hui Hou [7 ] Intrusion Detection In Wireless Ad Hoc Networks, Amitabh Mishra, Ketan Nadkarni, And Animesh Patcha, Virginia Tech, /04/$ Ieee Ieee Wireless Communications February 2004 [8 ] 90