STUDY OF IMPLEMENTATION OF INTRUSION DETECTION SYSTEM (IDS) VIA DIFFERENT APPROACHS

Transcription

1 STUDY OF IMPLEMENTATION OF INTRUSION DETECTION SYSTEM (IDS) VIA DIFFERENT APPROACHS SACHIN MALVIYA Student, Department of Information Technology, Medicaps Institute of Science & Technology, INDORE (M.P.) SUNEET JOSHI Assistant Professor, Department of Information Technology, Medicaps Institute of Science & Technology, INDORE (M.P.) ABSTRACT Digital communication over the network is becoming an essential part in the area of communication. As the advancement of computer technology the information is now becomes digital & this digital information is flows from one to another via some secure or unsecure medium. The communication is via some sort of wired or wireless connection in which protocols such as TCP or UDP is used. This protocol is a set of rules which defines rules or procedures by which the communication propagates. This type of communication is possible due to the advancement in the technology on both computer as well as communication field. This gives us flexibility for communication over a large distance with very accuracy & ease. But this advancement in technology gives rise to a new type of problem related to the security of the information. When our data is travelled across a network there is a chance that someone is trying to capture this information & use this knowledge for illegitimate use or his/her personal gain. Also it is possible that the data stored over a server is vulnerable to attack over the network to gain access with intensions to harm the information. The problem become more serious as the information exchange is more over the network. Now a day as the computer or digital communication become the most necessary part over the internet this problem become more sever. This process of sniffing or capturing the information over the network is given a term intrusion. An Intrusion is a deliberate unauthorized attempt successful or not, to break into, access, manipulate, or misuse some valuable property in our case knowledge or information is the property which we want to protect. Due to the problem of intrusion we need some type of system which helps us to detect the intrusion or some illegitimate attempt to access or capture communication. This gives rise to the system which is known as intrusion detection system (IDS). An intrusion detection system (IDS) is a system used to detect unauthorized intrusions into computer systems and networks. The person who attempts to intrude a system or try to attempt some illegitimate access over the system Or network is known as intruder. An intrusion detection system (IDS) is the system used for detecting intrusion by intruders. GENERAL TERMS Network Security- Security is a continuous process of protecting an object from attack. When we consider computers over a network the security required is network security. Hacking- The term Hacking used to mean expert writing and modification of computer programs. Hackers- Hacker is someone who seeks & exploits weakness in a computer system or computer network. Intrusion- An intrusion is a deliberate unauthorized attempt successful or unsuccessful, to break into, access, manipulate, or misuse some valuable property. Intrusion Detection- The process of detecting intrusion in a system by intruders is intrusion detection. The intrusion detection is done by predefined rules. Intrusion Detection System- An intrusion detection system is a device or software application that monitors network or system behavior for malicious activities or policy violations & produces reports to a management station. Security Attacks- Security Attacks is the term used to represent any type of illegal attempt to break into the system of any process used to harm the system. KEYWORDS Intrusion Detection system, Application of IDS, web security, network security, hacking, hackers, IDS Architecture. 1. INTRODUCTION 2013, IJOURNALS All Rights Reserved Page 88

2 Integrity, confidentiality or availability of resource is the main concern of security which is handled by Intrusion Detection System (IDS) [8].From last few years Intrusion detection has a deep impact on the study of security over the network. An Intrusion Detection & prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, & repeating attempts of any type of intrusion [7]. An intrusion detection system (IDS) is able to detect the intrusive activities & inform the administrator for any type of illegitimate attempt & try to resolve it [9]. In 1987 Dorothy E. Denning proposed intrusion detection as an approach which is used to counter the computer & networking attacks & its misuse [5]. Generally intrusion detection systems are used and are commercially available for the intrusion detection purpose [3]. An intrusion is defined as any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource [9]. Intrusion Detection System (IDS) is needed to solve such security issues; they can be categorized into two models: Signature - based intrusion detection and anomaly - based intrusion detection [6]. Some previously detected patron or signature are stored into the data base of the IDS in Signature-based intrusion detection if any disturbance is found in the network by IDS it matches it with the previously saved signature and if it is matched than IDS found attack [6]. But if signature of attack is not in the database the IDS is not able to detect any intrusive activity. For this periodically updating of database is compulsory. To solve this problem firstly the IDS makes the normal profile of the network and put this normal profile as a base profile compare it with the monitored network profile this model is known as anomaly based IDS [6]. The benefit of this anomaly based IDS technique is that without any prior knowledge of attack it can be able to detect attack or any intrusive activity [6]. Intrusion Prevention cannot be guaranteed all the time; this clearly represents the need for intrusion detection as an important security research area of network security. If an intrusion is detected earlier in the system, the intruder can be identified and ejected from the system before any damage is done or any data are compromised [6]. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility [2]. The techniques available for the prevention of intrusion detection and prevention form an intrusion detection system (IDS) [6]. The need of an effective intrusion detection system (IDS) is arises after the digitalization of the information over the network via some wired or wireless medium. An Intrusive activity is detected & prevented via some system which we call intrusion detection system [8]. Intruders are the persons who try to attempt some intrusive activity over the system [1]. 2. APPROACHES TO IMPLEMENT AN IDS Intrusion Detection System is implemented by two basic approaches:- 2.1 Anomaly Detection The anomaly based systems are the learning system which is that they run continuously creating logs of actions & activities. These logs are later than uses to identify malicious activities that might results an intrusion [1]. 2.2 Misuse Detection The misuse detection assumes that each intrusive activity is represented by its unique pattern or signature & the slight variation of the same activity produce new signature & therefore it can also be detected. Therefore, it can also be known as signature system [1]. 3. TYPES OF IDS An intrusion detection system is basically of two types & the third type is the combination of this two types:- 3.1 Network-Based IDS (NIDSs) The NIDSs is differing from other in the sense that it can take whole network as monitoring scope for intrusion detection. The NIDSs monitor the traffic on the network for the detection of any type of intrusive activities. NIDSs are responsible to detect anomalous, inappropriate, or other data that may be considered unauthorized & harmful occurring on a network [5][10]. 3.2 Host-Based IDS (HIDS) The HIDS take an individual or single system as the monitoring scope for the detection of intrusion on this single computer. The HIDS uses software that monitors operator system specific loss including system, event & security logs [5][10]. 3.3 Hybrid Intrusion Detection System Features which are present in both the networkbased intrusion detection system & the host-based intrusion detection system are needed for the realistic applications of intrusion detection system, the combination of both the intrusion detection system forms hybrid intrusion detection system [1]. 2013, IJOURNALS All Rights Reserved Page 89

3 4. Networking Attacks The attacks on the network can be grouped into one of the following categories:- 4.1 Denial of Service (DoS) In DoS attack the hacker makes a computing or memory resources too busy or too full to serve legitimate networking requests and hence the system denying users access to a machine e.g. apache, smurf, neptune, ping of death, back, mail bomb, UDP storm etc. are all DoS attacks [5][11]. 4.2 Remote to User Attacks (R2L) In this attack user sends packets to a machine over the internet, which he does not have access to with the intention to expose the machines vulnerabilities e.g. xlock, guest, xnsnoop, phf, sendmail dictionary etc [5][11]. In Listing 2 population is being created for a test data and going through some evaluation processes (selection, crossover, mutation) the type of the test data is predicted. The pre-calculated set of chromosome is used in this phase to find out fitness of each chromosome of the population [5]. 4.3 User to Root Attacks (U2R) These attacks are exploitations in which the hacker starts off on the system with a normal user account and attempts to abuse vulnerabilities in the system in order to gain super user privileges e.g. perl, xterm [5][11]. 4.4 Probing In Probing the hacker scans a machine or a networking device in order to determine weaknesses or vulnerabilities. This technique is commonly used in data mining e.g. saint, portsweep, mscan, nmap etc [5][11]. 5. Implementation of IDS Using Different Approaches An IDS is now implemented using numerous approaches some of them are discussed:- 5.1 IDS Using Genetic Algorithm 5.2 Secure IDS for MANETs In this section, we described EAACK scheme in details. EAACK is consisted of three major parts, namely, ACK, secure ACK (S-ACK), and misbehavior report authentication (MRA). In order to distinguish different packet types in different schemes 2-b packet header is used in EAACK [4]. Digital Signatures is also used in this scheme to prevent the attacker from forging acknowledgment packets. Figure shows a flowchart describing the EAACK scheme. Our system can be divided into two main phases: (a) Pre-calculation phase (b) Detection phase. In Listing 1 a set of chromosome is created using training data. This chromosome set then is used in the next phase for comparison [5]. Fig. System Control Flow (A). ACK ACK is basically an end-to-end acknowledgment scheme. It acts as a part of the hybrid scheme in EAACK, aiming to reduce network overhead when no network misbehavior is detected [4]. 2013, IJOURNALS All Rights Reserved Page 90

4 (B). S-ACK The S-ACK scheme is an improved version of the TWOACK scheme proposed by Liu et al. The principle is to let every three consecutive nodes work in a group to detect misbehaving nodes. For every three consecutive nodes in the route, the third node is required to send an S-ACK acknowledgment packet to the first node. The intention of introducing S-ACK mode is to detect misbehaving nodes in the presence of receiver collision or limited transmission power [4]. (C). MRA The MRA scheme is designed to resolve the weakness of Watchdog when it fails to detect misbehaving nodes with the presence of false misbehavior report. The core of MRA scheme is to authenticate whether the destination node has received the reported missing packet through a different route [4]. (D). Digital Signature EAACK is an acknowledgment-based IDS. All three parts of EAACK, namely, ACK, S-ACK, and MRA, are acknowledgment-based detection schemes. They all rely on acknowledgment packets to detect misbehaviors in the network. Thus, it is extremely important to ensure that all acknowledgment packets in EAACK are authentic and untainted [4]. With regard to this concern digital signature is used in this scheme. 5.3 SPAID A system for power-aware agent-based intrusion detection in wireless adhoc networks. In SPAID, we deal with multi-hop network monitoring clustered node selection. This type of a node selection has its inherent advantages in allowing complete coverage of all nodes and links in a network, but with a factor of redundancy incorporated in the collection of intrusion detection data. Additionally, by varying the hop radius of the algorithm and the PLANE/Topology constraints, sufficient redundancy in overlap of monitored nodes can be achieved, which allows us to prune the set of nodes selected for network monitoring. Considering that we are dealing with minimally mobile wireless ad hoc networks, topological changes shall not be considered in PLANE evaluation, and deemed to be constant during the process of selection of a network monitoring node [9]. 5.4 Intrusion Detection for Adhoc Networks with Cellular Automata In IDFADNWCA, we deal with multi-hop network monitoring clustered node selection. This type of a node selection has its inherent advantages in allowing complete coverage of all nodes and links in a network, but with an added factor of redundancy in the collection of intrusion detection data. This approach considers each of the initially allocated monitors and the nodes they monitor to be a single tree, with the monitoring node as a root and the nodes being monitored as its child [7]. The IDFADNWCA algorithm has following general steps for processing:- (a) Set CA parameter threshold (b) CA parameter Calculation and CA parameter Ordered List (POL) (c) Hop Radius (d) Expand Working Set of Nodes (e) Voting (f) Check acceptability of nodes (g) Cellular Cluster Setup (h) Re-run with CA 5.5 IDS using Genetic Algorithm with Support Vector Machine In this scheme the approach employed by Kayaciket. al. in finding the most discriminating features for classification for each attack type is being modified for some flaw. In his scheme he only considers features in their singularity. However, it is quite possible that the combined effect of 2 or more features would have a more discriminatory effect on classification than features in singular [12]. In this several tools such as Principal Component Analysis (PCA) and Genetic Algorithm (GA) is used in order to find out the most relevant features of the KDD CUP 99 data. However, using PCA involved the overhead of losing the original data in order to get our data into lesser dimensions. So, data needs to be transformed into new, less dimensional data while using PCA. But it did not want to be happened, because in the future, we might want to add new features in the KDD dataset and see whether the new feature comes up as a discriminatory feature. So, modifying the data was out of the question. Hence, we opted to use a genetic algorithm in order to find out the most discriminating subset of features. In order to classify the data, support vector machine based classification technique is used. Thus developed a new technique based on GA coupled with SVM to identify relevant features for any intrusion detection system [12]. It consists of following processes:- (a) Proposed GA Based Feature Selection Technique 2013, IJOURNALS All Rights Reserved Page 91

5 (b) Chromosome Representation and Population Initialization (c) Fitness Computation (d) Genetic Operators (e) Termination Condition 6. Possibilities in Future As we have studied some of the approaches & implementation of an intrusion detection system, it is clear that this problem is becoming far more serious day by day. The digitization of information becomes the necessity of the communication and as the communication takes place over the unsecure medium the information become vulnerable. The approaches used become invalid as the technology arises so there is always a need to come up with new techniques to work it all the time. So the future work related to this area is newer ending problem the flaws in previous techniques have to be removed when needed. 7. Conclusion In this paper we had studied various methods & implementations of intrusion detection system. An intrusion detection system is needed for prevention or detection of communication over the network from intruders. The intrusion detection system is a software application or a program that monitors the network or targeted system for any type of malicious activity & detects an intrusion. [6] A Secure Intrusion detection system against DDOS attack in Wireless Mobile Ad-hoc Network International Journal of Computer Applications, Volume 41 No.21, March 2012 [7] Towards Cellular Automata Based Network Intrusion Detection System with Power Level Metric in Wireless Ad hoc Networks (IDFADNWCA) International Conference on Advanced Computer Theory and Engineering [8] INTRUSION DETECTION IN WIRELESS AD HOC NETWORKS. IEEE Wireless Communications February 2004 [9] A System for Power-aware Agent-based Intrusion Detection (SPAID) in wireless Ad Hoc Networks. [10] Cryptography and Network Security: Principles and Practice William Stalling. [11] Cryptography and Network Security by Atul Kahate (2 nd Ed.). [12] Genetic Algorithm Combined with Support Vector Machine for Building an Intrusion Detection System. International Conference on Advances in Computing, Communications and Informatics (ICACCI-2012) 8. REFERENCES [1] INTRUSION DETECTION BY INTRUSION DETECTION SYSTEM (IDS) International Journal of software & Hardware Research in Engineering Volume 1 Issue 2, October 2013 [2] HIERARCHICAL DESIGN BASED INTRUSION DETECTION SYSTEM FOR WIRELESS AD HOC SENSOR NETWORK International Journal of Network Security & Its Applications (IJNSA), Vol.2, No.3, July 2010 [3] An Intrusion Detection System for Security Protocol Traffic Florida State University Tallahassee, Florida [4] EAACK A Secure Intrusion-Detection System for MANETs IEEE TRANSACTIONS ON INDUSTRIAL ELECTRONICS, VOL. 60, NO. 3, MARCH 2013 [5] AN IMPLEMENTATION OF INTRUSION DETECTION SYSTEM USING GENETIC ALGORITHM International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.2, March , IJOURNALS All Rights Reserved Page 92