SURVEY OF INTRUSION DETECTION SYSTEM

Transcription

1 SURVEY OF INTRUSION DETECTION SYSTEM PRAJAPATI VAIBHAVI S. SHARMA DIPIKA V. ASST. PROF. ASST. PROF. MANISH INSTITUTE OF COMPUTER STUDIES MANISH INSTITUTE OF COMPUTER STUDIES VISNAGAR VISNAGAR GUJARAT GUJARAT ABSTRACT Intrusion Detection system is one of the widely used tools for defence in depth (DiD). We can t prevent tall break-ins. There will always be new holes, new attacks, and new attackers. We need some way to cope. More generically, most single defences can fail. We always need defence in depth multiple layers, of different designs and philosophies. One such technology: Intrusion Detection Systems. In this paper we present a survey of Intrusion Detection System. We survey the existing types, techniques and approaches of IDS. KEYWORD: IDS, HIDS, NIDS, WLAN, IP INTRODUCTION Intrusion Detection Systems (IDS) serve three essential security functions; monitor, detect and respond to unauthorized activity. The purpose of IDS is to detect and prevent electronic threat to computer system. In today s world everyone is connected over networks, and many services provided over the internet. This global reach increases the risk of intrusion threat from unknown sources. Approaches for Intrusion Detection Systems (IDS) 1) Anomaly detection 2) Signature based misuse 3) Host based 4) Network based 1) Anomaly Detection Approach: An IDS that looks at network traffic and detects data that is incorrect, not valid, or generally abnormal is called anomaly-based detection. This method is useful for detecting unwanted traffic that is not specifically known. For instance, anomaly-based IDS will detect that an Internet protocol (IP) packet is malformed. It does not detect that it is malformed in a specific way, but indicates that it is anomalous. There are two types of anomaly detectors: 1. Static anomaly detectors: It is based on the assumptions that there is a portion of the system being monitored that should remain constant. 2. Dynamic anomaly detectors: To characterize normal and acceptable behavior, a base profile is created by Dynamic anomaly intrusion system. Building the sufficiently accurate base profile is the main difficulty with the dynamic anomaly detection system. 1

2 Fig : Anomaly Detection IDS It is possible to detect unknown attacks. These generate many false alarms and hence compromise the effectiveness of the IDS. 2) Signature Based Approach: Signature Based approach is also known as Misuse detection approach. Signature analysis systems are based off of simple pattern matching algorithms. In most cases, the IDS simply looks for a sub string within a stream of data carried by network packets. When it finds this sub string (for example, the ``phf'' in ``GET /cgi-bin/phf?''), it identifies those network packets as vehicles of an attack.techniques: 1. PATTERN MATCHING 2. STATEFUL PATTERN MATCHING 3. PROTOCOL DECODE BASED ANALYSIS 4. HEURISTIC BASED ANALYSIS 2

3 Fig : Signature Based IDS Accurately and generate much fewer false alarm Cannot detect novel or unknown attacks. Has been programmed again for every new pattern to be detected. 3) Host Based Approach : The host operating system or the application logs in the audit information. These audit information includes events like the use of identification and authentication mechanisms (logins etc.), file opens and program executions, admin activities etc. This audit is then analyzed to detect trails of intrusion. Drawbacks of the host based IDS The kind of information needed to be logged in is a matter of experience. Unselective logging of messages may greatly increase the audit and analysis burdens. Selective logging runs the risk that attack manifestations could be missed. Strengths of the host based IDS Attack verification System specific activity 3

4 Encrypted and switch environments Monitoring key components Near Real-Time detection and response. No additional hardware Fig : Host Based IDS Monitor in term of who access what Operates in switched networks Can operate in encrypted environment System can track behavior changes associated with misused Cannot see all network activities Audit Trails can take lots of storage Greater deployment and maintenance cost 4) Network Based Approach: This IDS looks for attack signatures in network traffic via a promiscuous interface. A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known un-malicious traffic. Strengths of Network based IDS Cost of ownership reduced Packet analysis Evidence removal Real time detection and response Malicious intent detection Complement and verification Operating system independence 4

5 Figure : Network Based IDS Does not affect network or Data sources Can get information quickly without any reconfiguration of computer or need to redirect login mechanisms Monitor and detects in real time networks, attacks or misuses Hard to implement on fully switched networks Cannot scan protocol if the data is encrypted Has difficulties sustaining network with a very large bandwidth Ideas for improving Intrusion Detection Idea 1: Association Pattern Detecting Using the pattern matching algorithm to match the pattern in sequent data for detecting intrusion. No necessary to construct the measure. But its time cost is depend on the number of association patterns. It possible constructs a pattern tree to improve the pattern matching time cost to linear time Idea 2: Discover Pattern from Rules The exist rules are the knowledge from experts knowledge or other system. The different methods will measure different aspects of intrusions. Combine these rules may find other new patterns of unknown attack. For example: Snort has a set of rule which come from different people. The rules may have different aspects of intrusions. We can use the data mining or machine learning method to discover the pattern from these rules. 5

6 M a c h i n e L e a r n i n g & D a t a m i n in g & S t a t i s t ic s m e t h o d s T r a n i n g A u d i t D a t a F e a t u r e E x t r a c t i o n T r a in i n g D a t a & K n o w l e d g e P a t t e r n E x t r a c t io n E x p e r t K n o w l e d g e & R u l e c o l le c t i o n & R u l e a b s t r a c t io n P a t t e r n & D e c is i o n R u le A l a r m s P a t t e r n M a t c h in g D is c r i m i n a t e f u n c t i o n In t r u s io n D e t e c t io n S y s t e m R e a l- T i m e A d u it d a t a P a s s P a t t e r n R e c o g n i t io n Problems with Current IDSs Cannot recognize unknown anomalies/intrusions Inaccuracy for exploit based signatures Cannot provide quality info for forensics or situational-aware analysis Hard to differentiate malicious events with unintentional anomalies o Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or application (such as P2P) misconfiguration Cannot tell the situational-aware info: attack scope/target/strategy, attacker (botnet) size, etc. Conclusion and future scope This paper reviews and tried to summarize important parts of a well-rounded security infrastructure as an Intrusion Detection System. IDSs are used in conjunction with other technologies (e.g., firewalls and routers), are part of procedures (e.g., log reviews), and help enforce policies. Each of the IDS technologies NIDS, WLAN IDS, NBAD, and HIDS are used together, correlating data from each device and making decisions based on what each type of IDS can monitor. Although IDSs should be used as part of defense in depth (DiD), they should not be used alone. Other techniques, procedures, and policies should be used to protect the network. IDSs have made significant improvements in the past decade, but some concerns still plague our security administrators. These problems will continue to be addressed as IDS technologies improve. 6

7 REFERENCES A. Tzeyoung Max WU, Information Assurance Technology analysis Center (IATAC), Information Assurance Tools report-intrusion Detection Systems, Sixth edition B. National Journal of system and Information Technology, Volume 3, December 2010 C. D. E. 7