Intrusion Detection Systems vs. Intrusion Prevention Systems. Sohkyoung (Michelle) Cho ACC 626


1.0 INTRODUCTION

An increasing number of organizations use information systems to conduct their core business activities. As a result, the frequency and magnitude of intrusion incidents have increased significantly. Intrusion attacks have many causes, such as malware (e.g., worms, spyware), unauthorized access to systems, and misuse of privileges or attempts to gain additional privileges [1]. While some incidents are malicious in nature, others are not. To reduce the exposure to both types of intrusion threats, organizations need intrusion detection systems (IDS) and intrusion prevention systems (IPS). Although 72 percent of companies already use IDS and IPS, the number of entities experiencing intrusion incidents has grown from 58 percent in 2000 to 65 percent in [year missing] [2]. This indicates that, to implement a security system that best suits the needs of the organization, it is important to know the different types of security technologies that are available and the effectiveness of each type in reducing the risk of intrusion threats. This report discusses the need for intrusion detection and prevention, the different types of IDS and IPS, and the implementation of IDS and IPS.

2.0 ANALYSIS

2.1 Emerging Need for Intrusion Detection and Prevention

The number of information security incidents and the magnitude of computer crime losses due to intrusion incidents have increased significantly. In addition, various business, regulatory and information technology (IT) drivers lead entities to pay close attention to network intrusion detection and prevention. The drivers include the following:

1) Strategic business changes: many organizations have initiatives to further their competitiveness in the market through an increased web presence, e-commerce, integration with business partners, mergers and acquisitions, etc.
2) Legal and regulatory requirements: various legal and regulatory requirements have evolved in today's electronic environment, and more are anticipated as the use of information systems increases. The regulations introduced recently are Sarbanes-Oxley and Bill 198 (accounting regulations), the Health Insurance Portability and Accountability Act and the Personal Information Protection and Electronic Documents Act (privacy legislation).
3) Managing public and stakeholder expectations: computer incidents have resulted in exposure of confidential information, unavailability of systems and unreliable information.
4) Dependency on information systems: as organizations' dependence on information systems has increased, the cost of an outage has also increased. Thus, timely detection of and response to an outage can save considerable amounts of money.
5) The increased number and sophistication of network threats: network-based threats have increased significantly due to system vulnerabilities or human errors. Such threats include viruses, hacking, Trojan horses, unauthorized system changes, denial of service, brute force, social engineering, spyware and spam [3].

Since these drivers have dramatically increased the risk exposure, organizations should re-evaluate their control environment to adapt to the new electronic environment. They should also develop an intrusion detection and prevention strategy that best meets their needs. To avoid a strategy that is too narrowly focused or that will not result in effective monitoring, organizations should first have a thorough understanding of the different types of IDS and IPS. A comprehensive intrusion detection and prevention program encompasses a wide variety of threats that may leverage weaknesses in different technology layers (e.g., business applications, operating systems and network), people (e.g., awareness regarding social engineering) and processes (e.g., incident identification and response processes) [4].

2.2 Intrusion Detection Systems

An intrusion detection system is software that automates the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use

Notes
[1] Mell, P., & Scarfone, K. Guide to Intrusion Detection and Prevention Systems. NIST Special Publication. NIST. 9 June.
[2] Birdi, T., & Jansen, K. Network Intrusion Detection: Know What You Do (Not) Need. Information Systems Control Journal. June. < (JOnline).htm>.
[3] Birdi, T., & Jansen, K. Network Intrusion Detection: Know What You Do (Not) Need. Information Systems Control Journal. June. < (JOnline).htm>.
[4] Idem.

policies or standard security practices [5]. The primary purpose of IDS is to help prevent the consequences of undetected intrusions by monitoring network and system activities in real time and identifying and responding to unauthorized activities [6]. Real-time detection requires a watchdog system that sits in the background, monitors all activities, distinguishes various types of incidents and diagnoses actual attacks [7]. IDS also allow current activity to be analyzed against past activity to identify unusual trends and problems. Most IDS take one of two principal approaches: network-based or host-based. Both types look for attack signatures, that is, specific patterns that usually indicate malicious intent or suspicious activity [8]. In addition, an intrusion detection system with identification capability was recently introduced.

Network-based Intrusion Detection Systems

Network-based IDS are directed toward network-based attacks that come from outside and inside the organization [9] and use network adapters running in promiscuous mode to monitor network activities in real time. Promiscuous mode makes it very difficult for attackers to detect and locate the IDS. The advantages of network-based IDS are: 1) they provide stealth; 2) they can be implemented with no impact on existing systems and infrastructure; and 3) they can be used by anyone, independent of operating system type. The disadvantages of network-based IDS include: 1) they are not scalable; 2) they rely on predefined attack signatures, which will always be a step behind; and 3) signatures are not updated as frequently as antivirus signatures, and IDS vendors have not caught up with all attacks [10]. There are two common techniques employed by network-based IDS to recognize attack signatures: anomaly-based and pattern-matching (signature-based). In addition, recently introduced techniques include hybrid IDS and received-signal-strength-based IDS.

Notes
[5] Mell, P., & Scarfone, K. Guide to Intrusion Detection and Prevention Systems. NIST Special Publication. NIST. 9 June.
[6] Information Systems Audit and Control Association. IS Auditing Procedure: Intrusion Detection System (IDS) Review. June. < sion_detection_system_(ids)_review.htm>.
[7] Idem.
[8] Idem.
[9] Birdi, T., & Jansen, K. Network Intrusion Detection: Know What You Do (Not) Need. Information Systems Control Journal. June. < (JOnline).htm>.
[10] Information Systems Audit and Control Association. IS Auditing Procedure: Intrusion Detection System (IDS) Review. June. < sion_detection_system_(ids)_review.htm>.

Anomaly-based Intrusion Detection Systems

A statistical anomaly detection model identifies intrusions by monitoring for activities that deviate from a user's normal behaviour. Baselines of normal behaviour are established by profiling particular users or network connections, and the IDS then looks for activities that differ from the baseline. The primary advantage of such IDS is that they can detect attacks that have never been seen before, because they look for unusual behaviour. The disadvantages of anomaly IDS include: 1) they generate a large volume of false positives as a result of the unpredictable nature of user and network behaviour; 2) they often require extensive training systems and event records to identify normal behaviour patterns; and 3) careful hackers can disable such detection systems [11].

Pattern-matching (or Signature-based) Intrusion Detection Systems

Pattern-matching (or signature-based) IDS examine network traffic and look for documented patterns of attack. The system examines every packet on the network segment for a defined pattern of activity that indicates an attempt to access a vulnerable script on a web server [12]. The advantages of pattern-matching IDS are: 1) implementing a pattern-matching IDS takes less time than implementing an anomaly IDS, provided that a pattern-matching engine is available; 2) pattern-matching IDS are easy to implement, deploy, update and understand; and 3) they produce fewer false positives than anomaly-based IDS. The disadvantages include: 1) they are vulnerable to hacking; 2) they cannot detect unknown attacks; 3) constant updating is required; and 4) they are easier to fool by sending fragmented packets across the network [13].

Hybrid Intrusion Detection Systems

A new hybrid intrusion detection system combines the low false-positive rate of a signature-based IDS with the ability of an anomaly-based IDS to detect novel, unknown attacks [14]. The hybrid system extracts signatures from the output of the anomaly-based system and adds them to the signature database for accurate and efficient intrusion detection. It was shown that the hybrid IDS had a 60 percent detection rate, compared with 30 percent and [figure missing] percent for the SNORT and Bro systems, respectively, and this was obtained with less than 3 percent false alarms. The method thus achieves higher detection accuracy and lower false alarms, and therefore a raised level of cybertrust, through its automated data mining and signature generation process over Internet connection episodes [15].

Received-signal-strength-based Intrusion Detection Systems

A wireless network is not as secure as a wired network, because medium access control (MAC) management messages are unprotected. Li (2008) designed a received signal strength (RSS)-based network IDS framework for MAC-layer attack detection, because the RSS value of a received packet is strongly related to the sender's location [16]. To reduce the error rate, an enhancement method was designed based on signalprints, which are vectors containing the RSS values reported by multiple monitors [17]. A primary advantage of RSS-based IDS is that they are sensitive to all identity-based attacks in WiFi/ and WiFi/802.11i networks, since they detect suspicious activities based on the physical location of network nodes. Moreover, signalprints are hard to manipulate, since they are built on RSS values measured by multiple monitors, and the factors determining RSS values are unique to each monitor. With the localization model, the user can localize the authorized clients and pinpoint where an attack occurred. This capability can assist in developing an effective disaster recovery mechanism.

Host-Based Intrusion Detection Systems

Host-based IDS use automated audit logs to monitor system, event and security logs for changes in files. When changes are detected, the IDS compare the new log with attack signatures. If there are any matches, the system triggers administrator alerts. Although host-based IDS are generally slower than network-based IDS, they offer a number of advantages.

Notes
[11] Information Systems Audit and Control Association. IS Auditing Procedure: Intrusion Detection System (IDS) Review. June. < sion_detection_system_(ids)_review.htm>.
[12] Idem.
[13] Idem.
[14] Cai, M., Chen, M. Q., Chen, Y., & Hwang, K. Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes. IEEE Transactions on Dependable and Secure Computing 4(1) (2007).
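To make the three detection approaches described in the anomaly-based, pattern-matching and hybrid subsections concrete, the following is an added Python example; it is not code from the report or from the Cai et al. system it cites. It builds a tiny signature engine, a statistical per-host baseline (ports used and the mean/standard deviation of bytes sent), and a hybrid wrapper that promotes a payload token into a new signature once it has been seen in min_support anomalous, unsigned episodes. The connection records, the one starting signature, the k = 3 deviation threshold and min_support are all constructed assumptions.

```python
"""Signature, anomaly and hybrid detection over constructed connection records.

Added example, not the report's or the cited papers' code. A record is
(src_ip, dst_port, bytes_sent, first_payload_line); all values are constructed.
"""
import statistics
from collections import Counter, defaultdict

# Constructed training traffic used to build the per-host baseline.
BASELINE = [
    ("10.0.0.5", 443, 900, "GET /index.html"),
    ("10.0.0.5", 443, 1100, "GET /about.html"),
    ("10.0.0.5", 443, 1000, "GET /login"),
    ("10.0.0.5", 443, 950, "POST /login"),
    ("10.0.0.7", 25, 4000, "MAIL FROM:<a@example.test>"),
    ("10.0.0.7", 25, 4200, "MAIL FROM:<b@example.test>"),
    ("10.0.0.7", 25, 3900, "MAIL FROM:<c@example.test>"),
    ("10.0.0.7", 25, 4100, "MAIL FROM:<d@example.test>"),
]

# Constructed signature database: name -> substring that must appear in the payload.
SIGNATURES = {"web-passwd-read": "/etc/passwd"}


class SignatureEngine:
    """Pattern matching: a record matches when a known substring is present."""

    def __init__(self, signatures):
        self.signatures = dict(signatures)

    def match(self, payload):
        return [name for name, pattern in self.signatures.items() if pattern in payload]


class AnomalyEngine:
    """Statistical profile per source host: the ports it talks to and the
    mean/standard deviation of bytes_sent. An unprofiled host, an unseen port,
    or a size more than k standard deviations from the mean is anomalous."""

    def __init__(self, baseline, k=3.0):
        self.k = k
        self.ports = defaultdict(set)
        sizes = defaultdict(list)
        for src, port, nbytes, _ in baseline:
            self.ports[src].add(port)
            sizes[src].append(nbytes)
        self.profile = {src: (statistics.mean(v), statistics.pstdev(v))
                        for src, v in sizes.items()}
        # Payload tokens seen in normal traffic; the hybrid engine uses this
        # to pick out what is new in an anomalous episode.
        self.vocab = {tok for _, _, _, payload in baseline for tok in payload.split()}

    def is_anomalous(self, record):
        src, port, nbytes, _ = record
        if src not in self.profile or port not in self.ports[src]:
            return True
        mean, sd = self.profile[src]
        return abs(nbytes - mean) > self.k * max(sd, 1.0)


class HybridEngine:
    """Signatures first (cheap, low false-positive rate); anomaly detection for
    the rest; a token that keeps appearing in anomalous, unsigned episodes is
    promoted into a new signature once it reaches min_support occurrences."""

    def __init__(self, signatures, baseline, min_support=2):
        self.sig = SignatureEngine(signatures)
        self.anom = AnomalyEngine(baseline)
        self.min_support = min_support
        self.support = Counter()   # candidate token -> anomalous episodes seen
        self.generated = {}        # signatures learned from anomalous episodes

    def inspect(self, record):
        payload = record[3]
        hits = self.sig.match(payload)
        if hits:
            return "signature", hits
        if not self.anom.is_anomalous(record):
            return "normal", []
        # Anomalous and unsigned: candidate = first token unknown to the baseline.
        new_tokens = [t for t in payload.split() if t not in self.anom.vocab]
        if not new_tokens:
            return "anomaly", []
        token = new_tokens[0]
        self.support[token] += 1
        if self.support[token] >= self.min_support and token not in self.sig.signatures.values():
            name = f"auto-{len(self.generated) + 1}"
            self.sig.signatures[name] = token
            self.generated[name] = token
        return "anomaly", [token]


def run_stream(engine, records):
    """Inspect each record in order; returns the verdict label per record."""
    return [engine.inspect(r)[0] for r in records]


# Constructed live traffic. The last record fits the statistical profile of
# 10.0.0.5 (known port, normal size), but the signature learned from the two
# earlier anomalous episodes still catches it.
STREAM = [
    ("10.0.0.5", 443, 1000, "GET /index.html"),
    ("10.0.0.5", 443, 1000, "GET /cgi-bin/view.pl?file=/etc/passwd"),
    ("10.0.0.5", 8080, 1000, "GET /admin/setup.php"),
    ("10.0.0.9", 8080, 1000, "GET /admin/setup.php"),
    ("10.0.0.5", 443, 1000, "GET /admin/setup.php"),
]

if __name__ == "__main__":
    engine = HybridEngine(SIGNATURES, BASELINE)
    for record, verdict in zip(STREAM, run_stream(engine, STREAM)):
        print(f"{verdict:9} {record}")
    print("learned signatures:", engine.generated)
```

The fifth record is the point of the hybrid design: on its own, the anomaly engine returns normal for it, and the starting signature database has nothing for it either, so only a signature extracted from the earlier anomalous episodes flags it. In a real deployment the promotion step is where false positives leak from the anomaly side into the signature side, which is why the cited paper weights generated signatures rather than promoting every repeated token as this toy does.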
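The signalprint idea in the received-signal-strength subsection can be shown with a small added Python example; this is not code from the report or from Li's framework. It assumes three monitors each report one RSS value (dBm) per frame, that a client's profile is the mean signalprint of the frames already accepted for its MAC address, and that a frame whose signalprint lies farther than threshold_db (Euclidean distance) from the profile of the identity it claims is an identity-based attack. Monitor names, thresholds and frames are constructed.

```python
"""Signalprint check for spoofed wireless identities (added example).

Not the report's or Li (2008)'s code. A signalprint is the tuple of RSS values
(dBm) that the monitors report for one frame; a MAC's profile is the mean of
its accepted signalprints; a frame far from the profile of the MAC it claims
is flagged. All monitors, thresholds and frames are constructed.
"""
import math
from collections import defaultdict

MONITORS = ("mon-A", "mon-B", "mon-C")


class SignalprintIDS:
    def __init__(self, threshold_db=8.0, min_frames=3):
        self.threshold_db = threshold_db
        self.min_frames = min_frames          # frames learned before a MAC is checked
        self.accepted = defaultdict(list)     # claimed MAC -> accepted signalprints

    @staticmethod
    def distance(a, b):
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

    def profile(self, mac):
        """Mean signalprint of the frames accepted so far for this MAC."""
        prints = self.accepted[mac]
        return tuple(sum(p[i] for p in prints) / len(prints) for i in range(len(MONITORS)))

    def observe(self, mac, signalprint):
        """Return 'learning', 'ok' or 'alert'. Alerted frames are never added to
        the profile, so a spoofer cannot drag the profile toward its own location."""
        if len(signalprint) != len(MONITORS):
            raise ValueError("one RSS value per monitor is required")
        prints = self.accepted[mac]
        if len(prints) < self.min_frames:
            prints.append(signalprint)
            return "learning"
        if self.distance(signalprint, self.profile(mac)) > self.threshold_db:
            return "alert"
        prints.append(signalprint)
        return "ok"


def run_frames(frames, ids=None):
    """frames: iterable of (claimed_mac, signalprint). Returns the verdict per frame."""
    if ids is None:
        ids = SignalprintIDS()
    return [ids.observe(mac, sp) for mac, sp in frames]


# Constructed frames. The first four come from the real client near mon-A; the
# fifth claims the same MAC but its signalprint places the sender near mon-B
# and mon-C; the sixth is the real client again with a noisier mon-A reading.
FRAMES = [
    ("aa:bb:cc:00:00:01", (-40, -60, -70)),
    ("aa:bb:cc:00:00:01", (-41, -59, -71)),
    ("aa:bb:cc:00:00:01", (-39, -61, -69)),
    ("aa:bb:cc:00:00:01", (-42, -58, -72)),
    ("aa:bb:cc:00:00:01", (-70, -45, -50)),
    ("aa:bb:cc:00:00:01", (-47, -60, -70)),
]

if __name__ == "__main__":
    for (mac, sp), verdict in zip(FRAMES, run_frames(FRAMES)):
        print(f"{verdict:8} {mac} {sp}")
```

The check is only as good as the learning phase: if the spoofer is already transmitting while the profile is being built, its frames are averaged in. In practice the profile would be seeded from frames captured during an authenticated association rather than from the first few frames seen.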
The advantages include: 1) they verify whether an attack was successful or not, whereas network-based IDS only provide an early warning; 2) they monitor specific system activities in a level of detail that a network-based system cannot provide; 3) they can detect attacks that network-based IDS cannot identify, such as attacks from a keyboard inside the network; 4) they are more suitable for encrypted and switched environments than network-based systems; 5) they have near real-time attack detection and response; 6) they reside on the existing network and no additional hardware is required; and 7) they have lower entry-level costs. Despite all these advantages, host-based IDS have limitations such as: 1) their capabilities are compromised as soon as the host machine is compromised; 2) they are application-specific; 3) they must be able to translate between Windows NT, UNIX, VMS and other mainframe operating system languages; 4) since a portion of the system resides on the host, the IDS may be attacked and disabled by an attacker when the host is attacked; 5) they are not suitable for detecting scans of all hosts on a network, because the IDS on a host only sees the network packets that its host receives; 6) they often cannot detect and operate during denial-of-service attacks; and 7) they use the computing resources of the host [18].

Kernel-based Intrusion Detection Systems

Paliwal, Pujari and Sharma (2007) discussed a host-based IDS that is kernel-based and uses a classification scheme, kNN [19]. It applies text processing techniques: each system call is treated as a word, and the collection of system calls made during process execution as a document. It was found that the kernel-based IDS generates a significantly low false positive rate.

Intrusion Detection System with Identification Capability

Most IDS do not consider the role of security auditors, who perform test methods with hacking tools similar to those used by hackers. This causes IDS to produce many false alarms. Chen and Laih (2008) introduced an intrusion detection system with identification capability (IDSIC), which separates security auditors from hackers through the use of fingerprints [20]. The system consists of two components: the fingerprint adder and the fingerprint checker. The fingerprint adder generates fingerprints and the fingerprint checker validates them.

Notes
[15] Cai, M., Chen, M. Q., Chen, Y., & Hwang, K. Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes. IEEE Transactions on Dependable and Secure Computing 4(1) (2007).
[16] Li, Chen Guang. A framework for signal strength based intrusion detection system for link layer attacks in wireless network. M.Sc. dissertation, Carleton University. 9 June.
[17] Idem.
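The kernel-based subsection describes system calls as words and a process trace as a document. The following added Python example (not code from the report or from Paliwal, Pujari and Sharma's paper) gives that description one concrete, assumed form: the document vector is the bag of system-call counts, similarity is the cosine between vectors, the label is the majority vote among the k most similar training traces, and a query whose best similarity falls below min_similarity is reported as unknown rather than forced into a class. The training traces and the system-call names in them are constructed.

```python
"""System-call traces as documents, classified with k-nearest neighbours
(added example, not the report's or the cited paper's code).

Assumptions: each system-call name is a word, each process trace is a
document, the vector is the bag of call counts, similarity is cosine, and the
label is the majority among the k nearest training traces. Traces are constructed.
"""
import math
from collections import Counter

# Constructed labelled traces (the calls a process made, in order).
TRAINING = [
    (["open", "read", "read", "write", "close"], "normal"),
    (["open", "read", "write", "write", "close"], "normal"),
    (["open", "read", "close", "open", "read", "close"], "normal"),
    (["open", "read", "mprotect", "mprotect", "execve"], "abnormal"),
    (["mprotect", "execve", "execve", "close"], "abnormal"),
]


def vectorize(trace):
    """Bag-of-system-calls document vector."""
    return Counter(trace)


def cosine(a, b):
    """Cosine similarity between two count vectors; 0.0 when either is empty."""
    dot = sum(a[w] * b[w] for w in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return 0.0 if na == 0 or nb == 0 else dot / (na * nb)


class SyscallKNN:
    def __init__(self, training, k=3):
        self.k = k
        self.docs = [(vectorize(t), label) for t, label in training]

    def neighbours(self, trace):
        """The k most similar training documents as (similarity, label), best first."""
        q = vectorize(trace)
        scored = sorted(((cosine(q, d), label) for d, label in self.docs), reverse=True)
        return scored[: self.k]

    def classify(self, trace, min_similarity=0.2):
        """Majority label of the neighbours, or 'unknown' when even the best
        neighbour is too dissimilar to support a verdict."""
        nb = self.neighbours(trace)
        if not nb or nb[0][0] < min_similarity:
            return "unknown"
        votes = Counter(label for _, label in nb)
        return votes.most_common(1)[0][0]


if __name__ == "__main__":
    clf = SyscallKNN(TRAINING)
    for trace in (["open", "read", "write", "close"],
                  ["open", "mprotect", "execve", "execve"],
                  ["fork", "pipe", "exit_group"]):
        print(clf.classify(trace), trace, clf.neighbours(trace))
```

The unknown verdict is the practical counterpart of the low false-positive rate the report attributes to this approach: a trace that resembles nothing in the training set is handed to an analyst instead of being labelled by whichever class happens to be marginally closer. A bag of counts ignores call order; an implementation that cares about order would use n-grams of calls as the words.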
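One way to realize the fingerprint adder and fingerprint checker just described, as an added Python example that is not Chen and Laih's construction and not code from the report: the auditor's tool appends a trailer of the form IDSIC|auditor|unix-time|HMAC to each probe payload, the HMAC-SHA256 key is shared between the auditor and the IDS, and the IDS checker validates and strips the trailer before signature matching, so that a signature hit carrying a valid fingerprint is reported as an auditor test instead of an attack. The key, the auditor identity, the trailer format, the 300-second freshness window and the payloads are all constructed assumptions.

```python
"""Fingerprint adder and checker in the spirit of IDSIC (added example).

Not Chen and Laih's scheme and not the report's code. The trailer format,
HMAC-SHA256 keying, freshness window, identities and payloads are assumptions.
"""
import hashlib
import hmac

AUDITOR_KEY = b"constructed-shared-secret-do-not-reuse"   # shared by adder and checker
MAX_AGE_SECONDS = 300     # older fingerprints are treated as unidentified (replay guard)
MARKER = b"\nIDSIC|"


def _tag(key, auditor_id, ts, payload):
    """HMAC over identity, timestamp and payload, so none of them can be altered."""
    msg = auditor_id + b"|" + ts + b"|" + payload
    return hmac.new(key, msg, hashlib.sha256).hexdigest().encode()


def add_fingerprint(payload, auditor_id, ts, key=AUDITOR_KEY):
    """Adder: returns the payload with an identification trailer appended."""
    aid, t = auditor_id.encode(), str(int(ts)).encode()
    return payload + MARKER + aid + b"|" + t + b"|" + _tag(key, aid, t, payload)


def check_fingerprint(data, now, key=AUDITOR_KEY, max_age=MAX_AGE_SECONDS):
    """Checker: (payload, auditor_id) for a valid trailer, else (data, None).
    On failure the trailer is left in place so the analyst sees exactly what arrived."""
    payload, sep, trailer = data.rpartition(MARKER)
    if not sep:
        return data, None
    parts = trailer.split(b"|")
    if len(parts) != 3 or not parts[1].isdigit():
        return data, None
    aid, t, tag = parts
    if abs(int(now) - int(t)) > max_age:
        return data, None
    if not hmac.compare_digest(_tag(key, aid, t, payload), tag):
        return data, None
    return payload, aid.decode()


def triage(data, now, signatures):
    """IDS front end: validate the fingerprint first, then match signatures on
    the bare payload. Returns 'clean', 'auditor-test' or 'attack'."""
    payload, auditor = check_fingerprint(data, now)
    hits = [name for name, pattern in signatures.items() if pattern in payload]
    if not hits:
        return "clean"
    return "auditor-test" if auditor else "attack"


# Constructed signature database and probe used by the demo below.
SIGNATURES = {"web-passwd-read": b"/etc/passwd"}
PROBE = b"GET /cgi-bin/view.pl?file=/etc/passwd"

if __name__ == "__main__":
    now = 1_700_000_000
    fingerprinted = add_fingerprint(PROBE, "auditor-7", now)
    print(triage(fingerprinted, now + 10, SIGNATURES))       # auditor-test
    print(triage(PROBE, now + 10, SIGNATURES))               # attack
    print(triage(fingerprinted, now + 301, SIGNATURES))      # attack (stale fingerprint)
```

Two design points carry the security of the scheme: the HMAC covers the payload as well as the identity, so a fingerprint cannot be lifted from one auditor probe and attached to another, and the timestamp bounds how long a captured fingerprint stays valid. Both fall apart if the shared key leaks, which is why the report notes that the identification capability adds a cost; here that cost is key distribution to every checker.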
Since the identification capability is independent of the application platform, it can be extended to both network- and host-based IDS. With this identification capability, IDS will be able to distinguish auditors from hackers as well as detect computer abuse. Although the generation of fingerprints adds costs, these costs are minimal, and IDSIC require lower overall consequential costs than current IDS [21]. Therefore, IDSIC appear more suitable for an organization that requires security testing on a continuous basis.

2.3 Intrusion Prevention Systems

An intrusion prevention system is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents [1]. IPS have the same two major categories as IDS: network-based and host-based systems.

Network-based Intrusion Prevention Systems

Network-based IPS perform packet sniffing and analyze network traffic to identify and stop suspicious activity [22]. They add to the functions of network-based IDS the capability to block packets that match a particular signature or behaviour [23]. To make this more effective, network-based IPS sit inline and act like a network firewall. They use both attack signatures and analysis of network and application protocols, comparing the network activity of frequently attacked applications against expected behaviour to identify suspicious activity. They are designed to detect attacks on the network before they reach their intended targets. Network-based systems are highly customizable, making it very easy for administrators to implement attack signatures for new malware threats at once; they can block new malware threats well before antivirus signatures become available. While network-based IPS are effective at blocking specific known threats, such as network service worms, and borne worms and viruses with easily recognizable characteristics, they are usually incapable of stopping malicious mobile code or Trojan horses [24]. However, network-based IPS may be able to block some unknown threats using application protocol analysis.

Host-based Intrusion Prevention Systems

Host-based IPS are similar to network-based IPS in principle and purpose, except that host-based IPS monitor the characteristics of a single host and the events occurring within that host [25].

Notes
[18] Information Systems Audit and Control Association. IS Auditing Procedure: Intrusion Detection System (IDS) Review. June. < sion_detection_system_(ids)_review.htm>.
[19] Paliwal, K. K., Pujari, A. K., & Sharma, A. Intrusion detection using text processing techniques with a kernel based similarity measure. Computers & Security 26(7/8) (2007).
[20] Chen, P., & Laih, C. IDSIC: an intrusion detection system with identification capability. International Journal of Information Security 7(3) (2008).
[21] Chen, P., & Laih, C. IDSIC: an intrusion detection system with identification capability. International Journal of Information Security 7(3) (2008).
[22] Kent, K., Mell, P., & Nusbaum, J. Guide to Malware Incident Prevention and Handling. NIST Special Publication. June.
[23] Berge, Matthew. What are the differences between Network Intrusion Detection and Network Intrusion Prevention? June.
[24] Kent, K., Mell, P., & Nusbaum, J. Guide to Malware Incident Prevention and Handling. NIST Special Publication. June.
[25] Idem.

They also differ from host-based IDS in that they can block or reject specific applications, behaviours and changes to the local system configuration [26]. Host-based IPS monitor activities such as network traffic, system logs, running processes, file access and modification, and system and application configuration changes [27].

2.4 How to Implement Intrusion Detection and Prevention Systems

IDS and IPS have different pros and cons. The advantages of intrusion detection include the following: 1) it can detect external hackers and internal network-based attacks; 2) it scales easily to provide protection for the entire network; 3) it offers centralized management for correlation of distributed attacks; 4) it provides defence in depth; 5) it gives systems administrators the ability to quantify attacks; and 6) it provides an additional layer of protection. Its drawbacks include: 1) it generates false positives and negatives; 2) it reacts to attacks rather than preventing them; 3) it requires full-time monitoring; 4) it requires a complex incident-response process; 5) it cannot monitor traffic at higher transmission rates; 6) it generates an enormous amount of data to be analyzed; 7) it is susceptible to low and slow attacks; 8) it requires highly skilled staff dedicated to interpreting the data; 9) it cannot deal with encrypted network traffic; and 10) it is expensive. On the other hand, IPS have the following benefits: 1) they protect at the application layer; 2) they prevent attacks rather than simply reacting to them; 3) they can use a behavioural approach; 4) they provide defence in depth; and 5) they permit real-time event correlation. The cons of IPS are: 1) they generate false positives that can create serious problems if automated responses are used; 2) they create network bottlenecks; and 3) IPS is a new technology and is expensive [28].

Since IPS and IDS have different advantages and disadvantages, an entity should use both systems so that they complement each other. Similarly, an entity should consider using multiple types of both IPS and IDS, since each type offers advantages over the others, such as detecting some events that the others cannot, or detecting with significantly greater accuracy than the other technologies. The entity will then achieve more comprehensive and accurate detection and prevention of malicious activity, with

Notes
[26] Berge, Matthew. What are the differences between Network Intrusion Detection and Network Intrusion Prevention? June.
[27] Kent, K., Mell, P., & Nusbaum, J. Guide to Malware Incident Prevention and Handling. NIST Special Publication. June.
[28] Endorf, C., Schultz, E., & Mellander, J. Intrusion Detection & Prevention. Emeryville: McGraw-Hill/Osborne.

lower rates of false positives and false negatives [29].

Selection of Intrusion Detection and Prevention Products

Before selecting products, the organization should first define the general requirements that the products should meet. The organization should: 1) understand the characteristics of its system and network environments and its plans for near-term changes, so as to choose products that will be compatible with them; 2) articulate its goals and objectives; 3) review its existing security and other IT policies; and 4) understand its resource constraints. Then, the entity should define specific requirements criteria: 1) security capabilities, including information gathering, logging, detection and prevention; 2) performance, including maximum capacity and performance features; 3) management, including design and implementation, operation and maintenance, and training, documentation and technical support; and 4) life-cycle costs, both initial and maintenance costs [30]. After collecting requirements and selecting criteria, the organization should obtain information about the products to make a more informed decision. It can obtain information from lab or real-world product testing, vendor-provided information, third-party product reviews, or the previous experience of individuals within the organization and trusted individuals at other organizations.

Integration of Intrusion Detection and Prevention Products

When using different products, integration is very important to maximize effectiveness. If the products are not integrated properly, data cannot be shared between them, and it takes more effort for users and administrators to monitor and manage multiple sets of products. The organization should decide whether to integrate multiple IDS and IPS products directly or indirectly.

Direct Integration

IDS and IPS can be directly integrated so that one product feeds alert data to another. This type of integration is most suitable when the products are from one vendor. The vendor may provide a single console to manage and monitor the different types of products, which saves users and administrators significant time by streamlining their work. Some products also share data, speeding up the analysis process. However, when a fully integrated solution is

Notes
[29] Mell, P., & Scarfone, K. Guide to Intrusion Detection and Prevention Systems. NIST Special Publication. NIST. 9 June.
[30] Idem.

used, a failure could jeopardize all the intrusion detection and prevention technologies that are part of the integrated solution [31].

Indirect Integration

IPS and IDS can be integrated indirectly so that all the products feed alert data into a security information and event management (SIEM) system, which imports information from various security-related logs and correlates events among them [32]. SIEM software can identify misuse and inappropriate use of systems and networks as well as malicious activities. SIEM can complement IDS and IPS in the following ways: 1) it can identify certain types of activity that an individual product cannot, because it can correlate events; 2) users can access data from many sources through one interface; and 3) it can link each alert to supporting data so that users can easily verify the accuracy of alerts. On the other hand, SIEM software has the following limitations: 1) there is a lag between the time an event occurs and the time the SIEM sees the log data, so prevention is less timely; 2) the SIEM transfers only some data fields from the original logs, and errors can occur during the log normalization process that converts data fields to a standard format; and 3) the administrator may have to write custom agents to transfer IPS and IDS data to the SIEM servers, since the SIEM does not offer agents for all products [33].

3.0 CONCLUSIONS

As most organizations use complex information systems that are vulnerable to intrusion, the need for proper intrusion detection and prevention has increased significantly. To implement effective intrusion detection and prevention systems, it is important for the organization to know what types of systems are available. The two major technology types are network-based and host-based, although a number of new technologies have been introduced recently; an example of such a new system is the intrusion detection system with identification capability. By comparing each type's advantages and disadvantages and assessing its suitability to its current and future needs, the organization can design the optimal intrusion detection and prevention infrastructure. The organization should not forget to consider using multiple types to complement one another, and to integrate them properly to maximize effectiveness.

Notes
[31] Mell, P., & Scarfone, K. Guide to Intrusion Detection and Prevention Systems. NIST Special Publication. NIST. 9 June.
[32] Idem.
[33] Idem.
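The indirect integration described under Indirect Integration above, with both its benefit (correlation across products) and its first two limitations (ingestion lag and fields lost in normalization), is shown in the following added Python example. It is not code from the report and not the format of any real SIEM: the NIDS and HIPS line formats, the asset map from IP address to hostname, the common schema, the list of fields each normalizer keeps, and the one correlation rule are all assumptions. The raw log lines and the ingestion time are constructed.

```python
"""Indirect integration through a SIEM: two constructed product log formats
normalized to one schema, then correlated per host (added example).

Not the report's code and not any real SIEM's format; line formats, asset map,
schema, kept fields and the correlation rule are assumptions. Each normalized
event carries 'dropped', the original fields that did not survive
normalization, and lag_seconds() measures event time versus ingestion time.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSETS = {"10.0.0.5": "host-web01"}   # constructed IP -> hostname map

# Constructed raw lines; the SIEM only sees them at INGESTED_AT.
INGESTED_AT = datetime(2024, 5, 1, 10, 0, 52)
NIDS_LINES = [
    "2024-05-01T10:00:05Z NIDS alert sig=web-passwd-read src=203.0.113.9 dst=10.0.0.5 dport=443 sev=high",
]
HIPS_LINES = [
    "May  1 10:00:07 host-web01 hips[4211]: BLOCK file=/etc/passwd proc=httpd uid=33 action=read",
    "May  1 10:00:30 host-db02 hips[889]: BLOCK file=/var/lib/db/config proc=backup uid=0 action=write",
]

# Fields the common schema keeps from each product; everything else is dropped.
KEEP = {"nids": ("sig", "dst"), "hips": ("file",)}


def _kv(text):
    return dict(part.split("=", 1) for part in text.split() if "=" in part)


def normalize_nids(line):
    m = re.match(r"(\S+) NIDS alert (.*)$", line)
    if not m:
        return None
    kv = _kv(m.group(2))
    return {"time": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "source": "nids",
            "host": ASSETS.get(kv.get("dst"), kv.get("dst")),
            "category": "signature-match",
            "detail": kv.get("sig", "?"),
            "dropped": sorted(k for k in kv if k not in KEEP["nids"])}


def normalize_hips(line, year):
    """Syslog-style lines carry no year; the ingesting year is assumed."""
    m = re.match(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) hips\[\d+\]: (\w+) (.*)$", line)
    if not m:
        return None
    kv = _kv(m.group(4))
    t = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
    return {"time": t, "source": "hips", "host": m.group(2),
            "category": m.group(3).lower(), "detail": kv.get("file", "?"),
            "dropped": sorted(k for k in kv if k not in KEEP["hips"])}


def lag_seconds(event, ingested_at=INGESTED_AT):
    """How long after the event happened the SIEM actually saw it."""
    return (ingested_at - event["time"]).total_seconds()


def correlate(events, window=timedelta(seconds=60)):
    """Rule: a NIDS signature match and a HIPS block on the same host within
    the window form one incident; either alone stays a single-product alert."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e["time"])
        sources = {e["source"] for e in evs}
        if {"nids", "hips"} <= sources and evs[-1]["time"] - evs[0]["time"] <= window:
            incidents.append({"host": host, "sources": sorted(sources),
                              "details": [e["detail"] for e in evs]})
    return incidents


def ingest():
    """Normalize all constructed lines into the common schema."""
    events = [normalize_nids(line) for line in NIDS_LINES]
    events += [normalize_hips(line, INGESTED_AT.year) for line in HIPS_LINES]
    return [e for e in events if e is not None]


if __name__ == "__main__":
    events = ingest()
    for e in events:
        print(f"{e['source']:4} {e['host']:10} lag={lag_seconds(e):4.0f}s dropped={e['dropped']}")
    print(correlate(events))
```

The correlation is only possible because both normalizers map their events onto the same host name, which for the NIDS means a lookup in the asset map; a stale map would split one incident into two unrelated alerts. The dropped lists show what the analyst can no longer see in the SIEM (the source address, severity, process and user), which is why point 3 of the benefits, linking each alert back to its supporting original data, matters in practice.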


More information

Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS)

Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS) ISCA Journal of Engineering Sciences ISCA J. Engineering Sci. Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS) Abstract Tiwari Nitin, Solanki Rajdeep

More information

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for Intrusion Detection Intrusion Detection Security Intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts

More information

INTRUSION DETECTION SYSTEMS and Network Security

INTRUSION DETECTION SYSTEMS and Network Security INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

State of Vermont. Intrusion Detection and Prevention Policy. Date: 11-02-10 Approved by: Tom Pelham Policy Number:

State of Vermont. Intrusion Detection and Prevention Policy. Date: 11-02-10 Approved by: Tom Pelham Policy Number: State of Vermont Intrusion Detection and Prevention Policy Date: 11-02-10 Approved by: Tom Pelham Policy Number: 1 Table of Contents 1.0 Introduction... 3 1.1 Authority... 3 1.2 Purpose... 3 1.3 Scope...

More information

Name. Description. Rationale

Name. Description. Rationale Complliiance Componentt Description DEEFFI INITION Network-Based Intrusion Detection Systems (NIDS) Network-Based Intrusion Detection Systems (NIDS) detect attacks by capturing and analyzing network traffic.

More information

Top tips for improved network security

Top tips for improved network security Top tips for improved network security Network security is beleaguered by malware, spam and security breaches. Some criminal, some malicious, some just annoying but all impeding the smooth running of a

More information

Information Technology Policy

Information Technology Policy Information Technology Policy Security Information and Event Management Policy ITP Number Effective Date ITP-SEC021 October 10, 2006 Category Supersedes Recommended Policy Contact Scheduled Review RA-ITCentral@pa.gov

More information

CSCI 4250/6250 Fall 2015 Computer and Networks Security

CSCI 4250/6250 Fall 2015 Computer and Networks Security CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP

More information

IS AUDITING PROCEDURE INTRUSION DETECTION SYSTEM (IDS) REVIEW DOCUMENT P3

IS AUDITING PROCEDURE INTRUSION DETECTION SYSTEM (IDS) REVIEW DOCUMENT P3 Introduction The specialised nature of information systems (IS) auditing, and the skills necessary to perform such audits, require standards that apply specifically to IS auditing. One of the goals of

More information

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of

Intrusion Detection. Tianen Liu. May 22, 2003. paper will look at different kinds of intrusion detection systems, different ways of Intrusion Detection Tianen Liu May 22, 2003 I. Abstract Computers are vulnerable to many threats. Hackers and unauthorized users can compromise systems. Viruses, worms, and other kinds of harmful code

More information

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

FISMA / NIST 800-53 REVISION 3 COMPLIANCE Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

More information

OCR LEVEL 3 CAMBRIDGE TECHNICAL

OCR LEVEL 3 CAMBRIDGE TECHNICAL Cambridge TECHNICALS OCR LEVEL 3 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT NETWORKED SYSTEMS SECURITY J/601/7332 LEVEL 3 UNIT 28 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10 NETWORKED SYSTEMS SECURITY

More information

Global Partner Management Notice

Global Partner Management Notice Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

Network Instruments white paper

Network Instruments white paper Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features

More information

Best Practices For Department Server and Enterprise System Checklist

Best Practices For Department Server and Enterprise System Checklist Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)

More information

SURVEY OF INTRUSION DETECTION SYSTEM

SURVEY OF INTRUSION DETECTION SYSTEM SURVEY OF INTRUSION DETECTION SYSTEM PRAJAPATI VAIBHAVI S. SHARMA DIPIKA V. ASST. PROF. ASST. PROF. MANISH INSTITUTE OF COMPUTER STUDIES MANISH INSTITUTE OF COMPUTER STUDIES VISNAGAR VISNAGAR GUJARAT GUJARAT

More information

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background: 1. Do you implement virus controls and filtering on all systems? Anti-Virus anti-virus software packages look for patterns in files or memory that indicate the possible presence of a known virus. Anti-virus

More information

Intrusion Detections Systems

Intrusion Detections Systems Intrusion Detections Systems 2009-03-04 Secure Computer Systems Poia Samoudi Asli Davor Sutic Contents Intrusion Detections Systems... 1 Contents... 2 Abstract... 2 Introduction... 3 IDS importance...

More information

Network and Host-based Vulnerability Assessment

Network and Host-based Vulnerability Assessment Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

Chapter-3 Intruder Detection and Intruder Identification

Chapter-3 Intruder Detection and Intruder Identification Chapter-3 Intruder Detection and Intruder Identification Development of Protocols and Algorithms to Secure Integration of Ad hoc Network and Wired Network 3.1 Introduction 3.1.1 1998 DARPA Intrusion Detection

More information

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT WHAT S INSIDE: 1. GENERAL INFORMATION 1 2. EXECUTIVE SUMMARY 1 3. BACKGROUND 2 4. QUESTIONS FOR CONSIDERATION

More information

Intruders and viruses. 8: Network Security 8-1

Intruders and viruses. 8: Network Security 8-1 Intruders and viruses 8: Network Security 8-1 Intrusion Detection Systems Firewalls allow traffic only to legitimate hosts and services Traffic to the legitimate hosts/services can have attacks CodeReds

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Protect the data that drives our customers business. Data Security. Imperva s mission is simple: The Imperva Story Who We Are Imperva is the global leader in data security. Thousands of the world s leading businesses, government organizations, and service providers rely on Imperva solutions to prevent

More information

Fundamentals of Network Security - Theory and Practice-

Fundamentals of Network Security - Theory and Practice- Fundamentals of Network Security - Theory and Practice- Program: Day 1... 1 1. General Security Concepts... 1 2. Identifying Potential Risks... 1 Day 2... 2 3. Infrastructure and Connectivity... 2 4. Monitoring

More information

USM IT Security Council Guide for Security Event Logging. Version 1.1

USM IT Security Council Guide for Security Event Logging. Version 1.1 USM IT Security Council Guide for Security Event Logging Version 1.1 23 November 2010 1. General As outlined in the USM Security Guidelines, sections IV.3 and IV.4: IV.3. Institutions must maintain appropriate

More information

Achieving SOX Compliance with Masergy Security Professional Services

Achieving SOX Compliance with Masergy Security Professional Services Achieving SOX Compliance with Masergy Security Professional Services The Sarbanes-Oxley (SOX) Act, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 (and commonly called

More information

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad OUTLINE Security incident Attack scenario Intrusion detection system Issues and challenges Conclusion

More information

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target

More information

From Network Security To Content Filtering

From Network Security To Content Filtering Computer Fraud & Security, May 2007 page 1/10 From Network Security To Content Filtering Network security has evolved dramatically in the last few years not only for what concerns the tools at our disposals

More information

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management

Log Management How to Develop the Right Strategy for Business and Compliance. Log Management Log Management How to Develop the Right Strategy for Business and Compliance An Allstream / Dell SecureWorks White Paper 1 Table of contents Executive Summary 1 Current State of Log Monitoring 2 Five Steps

More information

INTRUSION PREVENTION SYSTEMS: FIVE BENEFITS OF SECUREDATA S MANAGED SERVICE APPROACH

INTRUSION PREVENTION SYSTEMS: FIVE BENEFITS OF SECUREDATA S MANAGED SERVICE APPROACH INTRUSION PREVENTION SYSTEMS: FIVE BENEFITS OF SECUREDATA S MANAGED SERVICE APPROACH INTRODUCTION: WHO S IN YOUR NETWORK? The days when cyber security could focus on protecting your organisation s perimeter

More information

A Review on Network Intrusion Detection System Using Open Source Snort

A Review on Network Intrusion Detection System Using Open Source Snort , pp.61-70 http://dx.doi.org/10.14257/ijdta.2016.9.4.05 A Review on Network Intrusion Detection System Using Open Source Snort Sakshi Sharma and Manish Dixit Department of CSE& IT MITS Gwalior, India Sharmasakshi1009@gmail.com,

More information

Firewall and UTM Solutions Guide

Firewall and UTM Solutions Guide Firewall and UTM Solutions Guide Telephone: 0845 230 2940 e-mail: info@lsasystems.com Web: www.lsasystems.com Why do I need a Firewall? You re not the Government, Microsoft or the BBC, so why would hackers

More information

How To Buy Nitro Security

How To Buy Nitro Security McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security

More information

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies

More information

File Integrity Monitoring: A Critical Piece in the Security Puzzle. Challenges and Solutions

File Integrity Monitoring: A Critical Piece in the Security Puzzle. Challenges and Solutions File Integrity Monitoring Challenges and Solutions Introduction (TOC page) A key component to any information security program is awareness of data breaches, and yet every day, hackers are using malware

More information

APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK AND INFORMATION PROTECTION

APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK AND INFORMATION PROTECTION 18-19 September 2014, BULGARIA 137 Proceedings of the International Conference on Information Technologies (InfoTech-2014) 18-19 September 2014, Bulgaria APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK

More information

Intrusion Detection System (IDS)

Intrusion Detection System (IDS) Intrusion Detection System (IDS) Characteristics Systems User, Process predictable actions describing process under that actions what pattern subvert actions attack of correspond the systems processes

More information

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations

More information

Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES

Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES SOX COMPLIANCE Achieving SOX Compliance with Professional Services The Sarbanes-Oxley (SOX)

More information

Critical Security Controls

Critical Security Controls Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter The Critical Security Controls The Critical Security

More information

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

Effective Threat Management. Building a complete lifecycle to manage enterprise threats. Effective Threat Management Building a complete lifecycle to manage enterprise threats. Threat Management Lifecycle Assimilation of Operational Security Disciplines into an Interdependent System of Proactive

More information

Guide to Intrusion Detection and Prevention Systems (IDPS) (Draft)

Guide to Intrusion Detection and Prevention Systems (IDPS) (Draft) Special Publication 800-94 Revision 1 (Draft) Guide to Intrusion Detection and Prevention Systems (IDPS) (Draft) Recommendations of the National Institute of Standards and Technology Karen Scarfone Peter

More information

An Alternative Model Of Virtualization Based Intrusion Detection System In Cloud Computing

An Alternative Model Of Virtualization Based Intrusion Detection System In Cloud Computing An Alternative Model Of Virtualization Based Intrusion Detection System In Cloud Computing Partha Ghosh, Ria Ghosh, Ruma Dutta Abstract: The massive jumps in technology led to the expansion of Cloud Computing

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2. Intrusion Detection and Prevention Systems

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2. Intrusion Detection and Prevention Systems FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 13 Intrusion Detection and Prevention Systems By Whitman, Mattord, & Austin 2008 Course Technology Learning Objectives Describe

More information

Observation and Findings

Observation and Findings Chapter 6 Observation and Findings 6.1. Introduction This chapter discuss in detail about observation and findings based on survey performed. This research work is carried out in order to find out network

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

Student Tech Security Training. ITS Security Office

Student Tech Security Training. ITS Security Office Student Tech Security Training ITS Security Office ITS Security Office Total Security is an illusion security will always be slightly broken. Find strategies for living with it. Monitor our Network with

More information

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Solution Brief Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Finding

More information

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph 0925910 I MCA

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph 0925910 I MCA INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph 0925910 I MCA OVERVIEW Introduction Overview The IDS Puzzle Current State of IDS Threats I have a good firewall, why do I need an IDS? Expectations

More information

NETWORK SECURITY (W/LAB) Course Syllabus

NETWORK SECURITY (W/LAB) Course Syllabus 6111 E. Skelly Drive P. O. Box 477200 Tulsa, OK 74147-7200 NETWORK SECURITY (W/LAB) Course Syllabus Course Number: NTWK-0008 OHLAP Credit: Yes OCAS Code: 8131 Course Length: 130 Hours Career Cluster: Information

More information

THE BUSINESS CASE FOR NETWORK SECURITY: ADVOCACY, GOVERNANCE, AND ROI

THE BUSINESS CASE FOR NETWORK SECURITY: ADVOCACY, GOVERNANCE, AND ROI THE BUSINESS CASE FOR NETWORK SECURITY: ADVOCACY, GOVERNANCE, AND ROI Introduction. I. VULNERABILITIES AND TECHNOLOGIES. 1. Hackers and Threats. Contending with Vulnerability Realizing Value in Security

More information

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS) 1 of 8 3/25/2005 9:45 AM Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Intrusion Detection systems fall into two broad categories and a single new one. All categories

More information

Smarter Security for Smarter Local Government. Craig Sargent, Solutions Specialist

Smarter Security for Smarter Local Government. Craig Sargent, Solutions Specialist Smarter Security for Smarter Local Government Craig Sargent, Solutions Specialist SUMMARY 1 Trustwave and SpiderLabs 2 Penetration Testing 3 Web Application Firewall (WAF) 4 Security Information & Event

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Intrusion Detection System 1 Intrusion Definitions A set of actions aimed to compromise the security

More information

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline Overview The following note covers information published in the PCI-DSS Wireless Guideline in July of 2009 by the PCI Wireless Special Interest Group Implementation Team and addresses version 1.2 of the

More information

whitepaper The Benefits of Integrating File Integrity Monitoring with SIEM

whitepaper The Benefits of Integrating File Integrity Monitoring with SIEM The Benefits of Integrating File Integrity Monitoring with SIEM Security Information and Event Management (SIEM) is designed to provide continuous IT monitoring, actionable intelligence, incident response,

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D. Running head: UNIT 3 RESEARCH PROJECT 1 Unit 3 Research Project Eddie S. Jackson Kaplan University IT540: Management of Information Security Kenneth L. Flick, Ph.D. 10/07/2014 UNIT 3 RESEARCH PROJECT 2

More information

Chapter 7 Information System Security and Control

Chapter 7 Information System Security and Control Chapter 7 Information System Security and Control Essay Questions: 1. Hackers and their companion viruses are an increasing problem, especially on the Internet. What can a digital company do to protect

More information

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services Lifecycle Solutions & Services Managed Industrial Cyber Security Services Around the world, industrial firms and critical infrastructure operators partner with Honeywell to address the unique requirements

More information

Section 12 MUST BE COMPLETED BY: 4/22

Section 12 MUST BE COMPLETED BY: 4/22 Test Out Online Lesson 12 Schedule Section 12 MUST BE COMPLETED BY: 4/22 Section 12.1: Best Practices This section discusses the following security best practices: Implement the Principle of Least Privilege

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

IBM QRadar Security Intelligence April 2013

IBM QRadar Security Intelligence April 2013 IBM QRadar Security Intelligence April 2013 1 2012 IBM Corporation Today s Challenges 2 Organizations Need an Intelligent View into Their Security Posture 3 What is Security Intelligence? Security Intelligence

More information

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International. www.radware.

Radware s Smart IDS Management. FireProof and Intrusion Detection Systems. Deployment and ROI. North America. International. www.radware. Radware s Smart IDS Management FireProof and Intrusion Detection Systems Deployment and ROI North America Radware Inc. 575 Corporate Dr. Suite 205 Mahwah, NJ 07430 Tel 888 234 5763 International Radware

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Advanced Computer Networks 2007 Reinhard Wallner reinhard.wallner@student.tugraz.at Outline Introduction Types of IDS How works an IDS Attacks to IDS Intrusion Prevention Systems

More information

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Mukta Garg Assistant Professor, Advanced Educational Institutions, Palwal Abstract Today s society

More information