Chapter 3: Intruder Detection and Intruder Identification
Development of Protocols and Algorithms to Secure Integration of Ad hoc Network and Wired Network
3.1 Introduction

3.1.1 1998 DARPA Intrusion Detection System Evaluation

Heavy reliance on networked computer resources and the increasing connectivity of these networks have greatly increased the potential damage that can be caused by attacks launched against computers from remote sources. These attacks are difficult to prevent with firewalls, security policies, or other mechanisms because system and application software is changing at a rapid pace, and this rapid pace often leads to software that contains unknown weaknesses or bugs. Intrusion detection systems are designed to detect those attacks that inevitably occur despite security precautions. Some intrusion detection systems detect attacks in real time and can be used to stop an attack in progress. Others provide after-the-fact information about attacks that can be used to repair damage, understand the attack mechanism, and reduce the possibility of future attacks of the same type [105]. Many parties are working on the development of intrusion detection systems, including universities, commercial software companies, and organizations within the Department of Defence. As these groups explore different methods and develop various new systems for intrusion detection, it is clearly advantageous to have a means of evaluating how successfully these systems detect attacks. The best environment for testing and evaluating an intrusion detection system is the actual environment in which it will be used. However, research groups often do not have access to operational networks on which to test their systems, so these systems (especially while they are still in early development) are tested in a simulated environment. Accurate testing and evaluation in a simulated environment requires high-quality data that is similar to the traffic (including attacks) found on operational networks.
In general, this data is difficult to acquire because it contains private information and reveals potential vulnerabilities of the networks from which it is collected. These factors led to DARPA sponsorship of MIT Lincoln Laboratory's 1998 intrusion detection evaluation, which created the first standard corpus for the evaluation of intrusion detection systems. The 1998 intrusion detection evaluation was the first of an ongoing series of yearly evaluations conducted by MIT Lincoln Laboratory under DARPA ITO and Air Force Research Laboratory sponsorship. These evaluations contribute significantly to the intrusion detection research field by providing direction for research efforts and calibration of current technical capabilities. The 1998 evaluation was designed to be simple, to focus on core technology issues, and to encourage the widest possible participation by eliminating security and privacy concerns and by providing the data types used by the majority of intrusion detection systems. Data for the first evaluation was made available in the summer of 1998. The evaluation itself occurred towards the end of the summer. A follow-up meeting for evaluation participants and other interested parties was held in December 1998 to discuss the results of the evaluation.

3.1.2 The Development of Attacks for the 1998 DARPA Evaluation

This section describes the computer attacks that were included in the 1998 DARPA intrusion detection evaluation. A large sample of actual computer attacks was needed to test the performance of intrusion detection systems accurately, and these attacks needed to cover the different classes of attack types. Many of the attacks used in the evaluation were drawn from public sources, but some novel attacks were developed specifically for this evaluation. In all cases, the attacks had to be adapted to work reliably in the largely automated simulation network from which the 1998 DARPA evaluation data were collected. Later sections of this thesis discuss the methods that were developed to create realistic simulations of computer intrusion scenarios, and the methods that were developed to vary the degree of attack stealthiness.
People who attack computer networks often have goals beyond simply gaining access to a system. Some attackers break into computers simply for the challenge, others are interested in collecting information, and some are motivated by the desire to cause damage. Attackers also vary in their level of sophistication, and an accurate evaluation of intrusion detection systems requires testing how well the systems detect attacks from all types of attackers, from the relative novice who is not aware that an intrusion detection system is monitoring a network to the sophisticated, experienced cracker who knows about intrusion detection systems and takes steps to avoid being caught.

3.2 Background Details

3.2.1 Overview of Computer Attacks

In its broadest definition, a computer attack is any malicious activity directed at a computer system or the services it provides. Examples of computer attacks are viruses, use of a system by an unauthorized individual, denial of service by exploitation of a bug or abuse of a feature, probing of a system to gather information, or a physical attack against computer hardware. Subsets of the possible types of computer attacks were included in the 1998 DARPA intrusion detection system evaluation, including:
i. attacks that allow an intruder to operate on a system with more privileges than are allowed by the system security policy,
ii. attacks that deny someone else access to some service that a system provides, or
iii. attempts to probe a system to find potential weaknesses.

The following paragraphs provide some examples of the many ways that an attacker can either gain access to a system or deny legitimate access by others.

Social Engineering: An attacker can gain access to a system by fooling an authorized user into providing information that can be used to break into the system. For example, an attacker can call an individual on the telephone impersonating a network administrator in an attempt to convince the individual to reveal confidential information (passwords, file names, details about security policies).
Alternatively, an attacker can deliver to a user of a system a piece of software which is actually a Trojan horse containing malicious code that gives the attacker system access.

Implementation Bug: An attacker can exploit bugs in trusted programs to gain unauthorized access to a computer system. Specific examples of implementation bugs are buffer overflows, race conditions, and mishandling of temporary files.

Abuse of Feature: There are legitimate actions that, when taken to the extreme, can lead to system failure. Examples include opening hundreds of telnet connections to a machine to fill its process table, or filling up a mail spool with junk e-mail.

System Misconfiguration: An attacker can gain access because of an error in the configuration of a system. For example, the default configuration of some systems includes a guest account that is not protected with a password.

Masquerading: In some cases, it is possible to fool a system into giving access by misrepresenting oneself. An example is sending a TCP packet with a forged source address that makes the packet appear to come from a trusted host.

3.2.2 Intrusion Detection Systems

Intrusion detection systems gather information from a computer or network of computers and attempt to detect intruders or system abuse. Generally, an intrusion detection system will notify a human analyst of a possible intrusion and take no further action, but some newer systems take active steps to stop an intruder at the time of detection [136]. Although there are many possible sources of data an intrusion detection system can use, three types of data were provided to participants in the 1998 Lincoln Laboratory intrusion detection evaluation. Most intrusion detection systems in existence today use one or more of these three types of data.

The first of these data sources is traffic sent over the network. All data that is transmitted over an ethernet network is visible to any machine that is present on the local network segment. Because this data is visible to every machine on the network, one machine connected to this ethernet can be used to monitor traffic for all the hosts on the network. During the DARPA evaluation, network traffic was sniffed using a single machine running the tcpdump program [91] to save the network traffic.

A second source of data for an intrusion detection system is system-level audit data. Most operating systems offer some level of auditing of operating system events. The amount of data that is collected could be as limited as logging failed attempts to log in, or as verbose as logging every system call. Basic Security Module (BSM) [159] data from a Solaris victim machine was collected and distributed as part of the DARPA evaluation data.

A third source of data distributed to the evaluation participants was information about file system state. Daily file system dumps were collected from each of the machines used in the simulation. An intrusion detection system that examines this file system data can alert an administrator whenever a system binary file (such as the ps, login, or ls program) is modified. Normal users have no legitimate reason to alter these files, so a change to a system binary file indicates that the system has been compromised.

Although there are many other potential sources of data that can be used by an intrusion detection system to find attacks (such as real-time process lists, log files, processor loads, etc.), these three sources (sniffed network traffic, host-level audit files, and file-system state) were provided to participants in the 1998 evaluation. After the three types of data were collected and aggregated, the data was distributed to participants via CD-ROM.
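As an added illustration of the file-system-state data source described above (example code written for this chapter, not part of the thesis or of the DARPA evaluation tooling): a Python script that fingerprints a trusted baseline snapshot of system binaries and reports which binaries were modified, added or removed in a later snapshot, which is the comparison the daily dumps make possible. The paths and file contents are constructed sample values.

```python
"""Added example (not from the thesis): file-system-state monitoring by
comparing fingerprints of a trusted baseline snapshot with a later one."""
import hashlib

# Constructed baseline snapshot: path -> file content at the time the trusted
# snapshot was taken. A real tool would read these from a dump of the host.
BASELINE_FILES = {
    "/bin/ls": b"ELF ls original",
    "/bin/ps": b"ELF ps original",
    "/bin/login": b"ELF login original",
}

# Constructed later snapshot: ls unchanged, login replaced, ps removed,
# an unexpected extra binary added.
TODAY_FILES = {
    "/bin/ls": b"ELF ls original",
    "/bin/login": b"ELF login replaced",
    "/bin/sh.bak": b"ELF sh copy",
}


def fingerprint(files):
    """Map each path to the SHA-256 hex digest of its content. Only these
    digests (not the contents) need to be kept as the baseline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_snapshots(baseline, current):
    """Return the paths that differ between two snapshots, grouped by kind."""
    base = fingerprint(baseline)
    cur = fingerprint(current)
    return {
        "modified": sorted(p for p in base if p in cur and base[p] != cur[p]),
        "added": sorted(p for p in cur if p not in base),
        "removed": sorted(p for p in base if p not in cur),
    }


def alerts(baseline, current):
    """Render one alert line per changed system binary, as an IDS would log it."""
    diff = compare_snapshots(baseline, current)
    lines = []
    for kind in ("modified", "added", "removed"):
        for path in diff[kind]:
            lines.append(f"ALERT system binary {kind}: {path}")
    return lines


if __name__ == "__main__":
    for line in alerts(BASELINE_FILES, TODAY_FILES):
        print(line)
```

The comparison is only meaningful if the baseline digests are kept where an intruder who can replace /bin/login cannot also rewrite them (read-only media or a separate host); comparing two consecutive untrusted dumps against each other would let a change made on day one become the accepted state on day two.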
Once participants obtained this data, each group used its particular intrusion detection system to find the intrusions and abuses that had been inserted into the collected traffic. Although the 1998 DARPA evaluation tested only the ability to find attacks offline, some intrusion detection systems can evaluate data in real time, allowing administrators (or the system itself) to take defensive action against the intruder.

3.2.3 Strategies for Intrusion Detection

The different approaches that have been pursued to develop intrusion detection systems are described in many papers, including [30][106][160]. Figure 3-1 shows four major approaches to intrusion detection and the different characteristics of these approaches. The lower part of this figure shows approaches that detect only known attacks, while the upper part shows approaches that detect novel attacks. Simpler approaches are shown on the left, and approaches that are both computationally more complex and have greater memory requirements are shown towards the right. The most common approach to intrusion detection, denoted signature verification, is shown at the bottom of Figure 3-1. Signature verification schemes look for an invariant sequence of events that matches a known type of attack. For example, a signature verification system that is looking for a Ping of Death denial-of-service attack (an oversize ping packet that causes some machines to reboot) would have a simple rule that says: any ping packet of length greater than 64 kilobytes is an attack. Attack signatures can be devised that detect attempts to exploit many possible system vulnerabilities, but a large drawback of this strategy is that it is difficult to establish rules that identify novel types of attacks. The Network Security Monitor (NSM) was an early signature-based intrusion detection system that found attacks by searching for keywords in network traffic captured using a sniffer. Early versions of the NSM [100][68] were the foundation of many government and commercial intrusion detection systems, including NetRanger [46] and NID [104]. Signature verification systems are popular because one sniffer can monitor traffic to many workstations, and the computation required to reconstruct network sessions and search for keywords is not excessive.
In practice, these systems can have high false-alarm rates (e.g. hundreds of false alarms per day) because it is often difficult to select keywords by hand that successfully detect real attacks without creating false alarms for normal traffic. In addition, signature verification schemes must be updated frequently to detect new attacks as they are discovered. Recent research on systems that rely on signature verification includes BRO [128] and NSTAT [90].

(Figure 3-1: Approaches to Intrusion Detection)

The approaches shown in the upper half of Figure 3-1 can be used to find novel attacks. This capability is essential to protect critical hosts because new attacks and attack variants are constantly being developed. Anomaly detection, shown in the upper right of Figure 3-1, is one of the most frequently suggested approaches for detecting novel attacks. Anomaly detection schemes construct statistical models of the typical behaviour of a system and issue warnings when they observe actions that deviate significantly from those models. NIDES was one of the first statistics-based anomaly detection systems, used to detect unusual user [131] and unusual program [23] behaviour. The statistical component of NIDES forms a model of user, system, or network activity during an initial training phase. After training, anomalies are detected and flagged as attacks. Of course, anomalous behaviour does not always signal that an attack is taking place, so anomaly detection systems need to be carefully tuned to avoid high false alarm rates. This level of tuning is only possible if normal user or system activity is stable over time and does not overlap with attacker activity. A user with very regular habits will be easy to model, and any intruder attempting to masquerade as such a user would likely exhibit behaviour
that deviated significantly from the user's normal activity. The actions of a system administrator, however, might be more irregular and harder to distinguish from the actions of an attacker. In addition, a hacker may be able to slowly change the characteristics that an anomaly detection system considers normal by deviating only slightly from normal behaviour over a long period. After the anomaly detection system has been trained to consider more actions normal, the attacker could mount an attack and avoid detection. A second disadvantage of anomaly detection schemes is the large computation and memory resources required to maintain the statistical model. Recent research on anomaly detection includes the development of EMERALD [127], which combines statistical anomaly detection from NIDES with signature verification.

Specification-based intrusion detection [91] is a second approach that can be used to detect new attacks. It detects attacks that make improper use of system or application programs. This approach involves first writing security specifications that describe the normal intended behaviour of programs. Host-based audit records are then monitored to detect behaviour that violates the security specifications. This approach was applied to UNIX system programs and successfully found many attacks [91]. Specification-based intrusion detection has the potential to provide very low false alarm rates and to detect a wide range of attacks, including many forms of malicious code such as Trojan horses, viruses, attacks that take advantage of race conditions, and attacks that take advantage of improperly synchronized distributed programs. Unfortunately, it is difficult to apply because security specifications must be written for all monitored programs, and system and application programs are constantly updated. Specification-based intrusion detection is thus best applied to a small number of critical user or system programs that might be considered prime targets for an attack.
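Returning to the anomaly detection approach described above, the following is an added example (written for this chapter, not code from the thesis or from NIDES): a minimal statistical model of one feature, commands issued per hour by one user, fitted during a training phase and used to flag hours that deviate by more than a threshold. Two variants are run side by side over the same constructed data: a frozen baseline, and an adaptive model that keeps refitting on whatever it accepted as normal. The adaptive model reproduces the slow-drift weakness the text describes: activity that rises by one command per hour is never more than about 2.3 standard deviations from the model that has already absorbed the previous hours, so it ends up accepting a level three times the original normal that the frozen baseline flags from the fourth hour onwards. The training values, the threshold and the drift sequence are constructed for the example.

```python
"""Added example (not from the thesis): a NIDES-style statistical anomaly
detector for one feature, with a frozen baseline and an adaptive model side
by side to show the slow-drift weakness described in the text."""
import statistics
from collections import deque

# Constructed training data: commands issued per hour by a user with regular
# habits, recorded during the initial training phase.
TRAINING = [20, 22, 19, 21, 23, 20, 18, 22, 21, 20, 19, 22]
THRESHOLD = 3.0  # flag an hour more than this many standard deviations from the mean

# Constructed drift scenario: activity creeping up by one command per hour,
# from just above normal to roughly three times normal.
DRIFT = list(range(22, 61))


def fit(samples):
    """Return (mean, standard deviation) of the samples. The deviation is
    floored at 1 so that a perfectly regular user does not turn every
    small change into an infinite z-score."""
    return statistics.mean(samples), max(statistics.pstdev(samples), 1.0)


def is_anomalous(value, mean, stdev, threshold=THRESHOLD):
    return abs(value - mean) / stdev > threshold


def frozen_model_alerts(observations, training=TRAINING):
    """Model fitted once on the training data and never updated."""
    mean, stdev = fit(training)
    return [x for x in observations if is_anomalous(x, mean, stdev)]


def adaptive_model_alerts(observations, training=TRAINING, window=12):
    """Model refitted on the most recent `window` observations that it
    accepted as normal, so accepted activity reshapes what normal means."""
    recent = deque(training, maxlen=window)
    flagged = []
    for x in observations:
        mean, stdev = fit(recent)
        if is_anomalous(x, mean, stdev):
            flagged.append(x)
        else:
            recent.append(x)  # accepted as normal; the oldest sample drops out
    return flagged


if __name__ == "__main__":
    print("frozen baseline flags:", frozen_model_alerts(DRIFT))
    print("adaptive model flags: ", adaptive_model_alerts(DRIFT))
```

Neither variant is right on its own: the frozen baseline never follows legitimate changes in habits, and the adaptive one can be walked. A practical mitigation is to keep both, limit how fast the adaptive model may move, and raise an alert when the two disagree for a sustained period.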
The final strategy shown in Figure 3-1 is bottleneck verification. The bottleneck verification approach applies to situations where there are only a few, well-defined ways to transition between two groups of states.

3.3 Intrusion Detection and Prevention Principles

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Incidents have many causes, such as malware (e.g., worms, spyware), attackers gaining unauthorized access to systems from the Internet, and authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorized. Although many incidents are malicious in nature, many others are not; for example, a person might mistype the address of a computer and accidentally attempt to connect to a different system without authorization. An Intrusion Detection System (IDS) is software that automates the intrusion detection process. An Intrusion Prevention System (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. This section provides an overview of IDS and IPS technologies as a foundation for the rest of this chapter. It first explains how IDS and IPS technologies can be used. Next, it describes the key functions that IDS and IPS technologies perform and the detection methodologies that they use. Finally, it provides an overview of the major classes of IDS and IPS technologies. IDS and IPS technologies offer many of the same capabilities, and administrators can usually disable prevention features in IPS products, causing them to function as IDSs. Accordingly, for brevity, the term Intrusion Detection and Prevention System (IDPS) is used throughout the rest of this thesis to refer to both IDS and IPS technologies.
3.3.1 Uses of IDPS Technologies

IDPSs are primarily focused on identifying possible incidents. For example, an IDPS could detect when an attacker has successfully compromised a system by exploiting a vulnerability in the system. The IDPS could then report the incident to security administrators, who could quickly initiate incident response actions to minimize the damage caused by the incident. The IDPS could also log information that could be used by the incident handlers [121]. Many IDPSs can also be configured to recognize violations of security policies. For example, some IDPSs can be configured with settings that resemble firewall rule sets, allowing them to identify network traffic that violates the organization's security or acceptable use policies. In addition, some IDPSs can monitor file transfers and identify ones that might be suspicious, such as copying a large database onto a user's laptop. Many IDPSs can also identify reconnaissance activity, which may indicate that an attack is imminent. For example, some attack tools and forms of malware, particularly worms, perform reconnaissance activities such as host and port scans to identify targets for subsequent attacks. An IDPS might be able to block reconnaissance and notify security administrators, who can take actions if needed to alter other security controls to prevent related incidents. Because reconnaissance activity is so frequent on the Internet, reconnaissance detection is often performed primarily on protected internal networks. In addition to identifying incidents and supporting incident response efforts, organizations have found other uses for IDPSs, including the following:

Identifying security policy problems. An IDPS can provide some degree of quality control for security policy implementation, such as duplicating firewall rule sets and alerting when it sees network traffic that should have been blocked by the firewall but was not because of a firewall configuration error.

Documenting the existing threat to an organization. IDPSs log information about the threats that they detect. Understanding the frequency and characteristics of attacks against an organization's computing resources is helpful in identifying the appropriate security measures for protecting the resources. The information can also be used to educate management about the threats that the organization faces.

Deterring individuals from violating security policies. If individuals are aware that their actions are being monitored by IDPS technologies for security policy violations, they may be less likely to commit such violations because of the risk of detection.

Because of the increasing dependence on information systems and the prevalence and potential impact of intrusions against those systems, IDPSs have become a necessary addition to the security infrastructure of nearly every organization.

3.3.2 Key Functions of IDPS Technologies

There are many types of IDPS technologies, which are differentiated primarily by the types of events that they can recognize and the methodologies that they use to identify incidents. In addition to monitoring and analyzing events to identify undesirable activity, all types of IDPS technologies typically perform the following functions:

Recording information related to observed events. Information is usually recorded locally, and might be sent to separate systems such as centralized logging servers, Security Information and Event Management (SIEM) solutions, and enterprise management systems.

Notifying security administrators of important observed events. This notification, known as an alert, occurs through any of several methods, including the following: e-mails, pages, messages on the IDPS user interface, Simple Network Management Protocol (SNMP) traps, syslog messages, and user-defined programs and scripts. A notification
message typically includes only basic information regarding an event; administrators need to access the IDPS for additional information.

Producing reports. Reports summarize the monitored events or provide details on particular events of interest.

Some IDPSs are also able to change their security profile when a new threat is detected. For example, an IDPS might be able to collect more detailed information for a particular session after malicious activity is detected within that session. An IDPS might also alter the settings for when certain alerts are triggered or what priority should be assigned to subsequent alerts after a particular threat is detected.

IPS technologies are differentiated from IDS technologies by one characteristic: IPS technologies can respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which can be divided into the following groups:

The IPS stops the attack itself. Examples of how this could be done are as follows: terminating the network connection or user session that is being used for the attack; blocking access to the target (or possibly other likely targets) from the offending user account, IP address, or other attacker attribute; and blocking all access to the targeted host, service, application, or other resource.

The IPS changes the security environment. The IPS could change the configuration of other security controls to disrupt an attack. Common examples are reconfiguring a network device (e.g. firewall, router, switch) to block access from the attacker or to the target, and altering a host-based firewall on a target to block incoming attacks. Some IPSs can even cause patches to be applied to a host if the IPS detects that the host has vulnerabilities.
The IPS changes the attack's content. Some IPS technologies can remove or replace malicious portions of an attack to make it benign. A simple example is an IPS removing an infected file attachment from an e-mail and then permitting the cleaned e-mail to reach its recipient. A more complex example is an IPS that acts as a proxy and normalizes incoming requests, which means that the proxy repackages the payloads of the requests, discarding header information. This might cause certain attacks to be discarded as part of the normalization process.

Another common attribute of IDPS technologies is that they cannot provide completely accurate detection. When an IDPS incorrectly identifies benign activity as being malicious, a false positive has occurred. When an IDPS fails to identify malicious activity, a false negative has occurred. It is not possible to eliminate all false positives and negatives; in most cases, reducing the occurrences of one increases the occurrences of the other. Many organizations choose to decrease false negatives at the cost of increasing false positives, which means that more of the malicious events are detected but more analysis resources are needed to differentiate false positives from true malicious events. Altering the configuration of an IDPS to improve its detection accuracy is known as tuning.

Most IDPS technologies also offer features that compensate for the use of common evasion techniques. Evasion is modifying the format or timing of malicious activity so that its appearance changes but its effect is the same. Attackers use evasion techniques to try to prevent IDPS technologies from detecting their attacks. For example, an attacker could encode text characters in a particular way, knowing that the target understands the encoding and hoping that any monitoring IDPSs do not. Most IDPS technologies can overcome common evasion techniques by duplicating the special processing performed by the targets. If the IDPS can see the activity in the same way that the target would, then evasion techniques will generally be unsuccessful at hiding attacks.
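The following added example (written for this chapter; not code from the thesis, from NSM or from any IDPS product) ties the signature verification approach of Section 3.2.3 to the normalization point just made. It is a small rule engine over sniffed events with two rule kinds: the oversize-ping length rule quoted in Section 3.2.3, and an NSM-style keyword rule over a request payload. The keyword rule is evaluated on the payload as captured and, when normalization is on, on the payload percent-decoded the way an HTTP server would decode it before acting on it. The events, the keyword and the rule names are constructed placeholders, not real signatures.

```python
"""Added example (not from the thesis): a small signature-verification engine
with the target-equivalent normalization that defeats encoding evasion."""
from urllib.parse import unquote

PING_MAX_LEN = 64 * 1024  # rule from the text: a ping packet larger than 64 KB is an attack

# Constructed keyword signatures: rule name -> string that must appear in the
# request payload. The keyword is a placeholder, not a real attack string.
KEYWORD_RULES = {
    "suspicious-cgi-request": "/cgi-bin/badcgi",
}


def normalize_http(payload):
    """Decode the payload the way the target web server would before it acts
    on it. Percent-decoding is the only step shown; a real server also
    canonicalizes the path and may apply further decoding steps."""
    return unquote(payload)


def check_event(event, rules=KEYWORD_RULES, normalize=True):
    """Return the names of the rules that match one sniffed event."""
    hits = []
    if (event.get("proto") == "icmp" and event.get("type") == "echo"
            and event.get("len", 0) > PING_MAX_LEN):
        hits.append("oversize-ping")
    payload = event.get("payload", "")
    if normalize and event.get("proto") == "tcp" and event.get("dport") == 80:
        payload = normalize_http(payload)
    for name, keyword in rules.items():
        if keyword in payload:
            hits.append(name)
    return hits


def scan(events, normalize=True):
    """Return {event index: matched rule names} for the events that match."""
    result = {}
    for i, event in enumerate(events):
        hits = check_event(event, normalize=normalize)
        if hits:
            result[i] = hits
    return result


# Constructed sample events, in the form a sniffer-based IDS would reconstruct.
SAMPLE_EVENTS = [
    {"proto": "icmp", "type": "echo", "len": 84},      # ordinary ping
    {"proto": "icmp", "type": "echo", "len": 70000},   # oversize ping
    {"proto": "tcp", "dport": 80, "payload": "GET /index.html HTTP/1.0"},         # benign
    {"proto": "tcp", "dport": 80, "payload": "GET /cgi-bin/badcgi HTTP/1.0"},     # keyword as-is
    {"proto": "tcp", "dport": 80,
     "payload": "GET /cgi-bin/%62%61%64%63%67%69 HTTP/1.0"},  # same request, percent-encoded
]

if __name__ == "__main__":
    print("without normalization:", scan(SAMPLE_EVENTS, normalize=False))
    print("with normalization:   ", scan(SAMPLE_EVENTS))
```

Without normalization the engine sees only the oversize ping and the unencoded request; with it, the encoded copy of the same request matches as well, because the IDS now sees the request as the server will. The same principle applies to any target-specific processing (reassembly order, case folding, repeated decoding): the monitor must mirror it or it will judge a different byte string than the one the target executes.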
3.3.3 Types of IDPS Technologies

There are many types of IDPS technologies. For the purposes of this document, they are divided into the following four groups based on the type of events that they monitor and the ways in which they are deployed:

Network-Based, which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity. It can identify many different types of events of interest. It is most commonly deployed at a boundary between networks, such as in proximity to border firewalls or routers, Virtual Private Network (VPN) servers, remote access servers, and wireless networks. Section 4 contains extensive information on network-based IDPS technologies.

Wireless, which monitors wireless network traffic and analyzes its wireless networking protocols to identify suspicious activity involving the protocols themselves. It cannot identify suspicious activity in the application or higher-layer network protocols (e.g., TCP, UDP) that the wireless network traffic is transferring. It is most commonly deployed within range of an organization's wireless network to monitor it, but can also be deployed to locations where unauthorized wireless networking could be occurring.

Network Behavior Analysis (NBA), which examines network traffic to identify threats that generate unusual traffic flows, such as Distributed Denial of Service (DDoS) attacks, certain forms of malware (e.g., worms, backdoors), and policy violations (e.g., a client system providing network services to other systems). NBA systems are most often deployed to monitor flows on an organization's internal networks, and are also sometimes deployed where they can monitor flows between an organization's networks and external networks (e.g., the Internet, business partners' networks).

Host-Based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity. Examples of the types of characteristics a host-based IDPS might monitor are network traffic (only for that host), system logs, running processes, application activity, file access and modification, and system and application configuration changes. Host-based IDPSs are most commonly deployed on critical hosts such as publicly accessible servers and servers containing sensitive information.

Some forms of IDPS are more mature than others because they have been in use much longer. Network-based IDPS and some forms of host-based IDPS have been commercially available for over ten years. Network behavior analysis software is a somewhat newer form of IDPS that evolved in part from products created primarily to detect DDoS attacks, and in part from products developed to monitor traffic flows on internal networks. Wireless technologies are a relatively new type of IDPS, developed in response to the popularity of Wireless Local Area Networks (WLAN) and the growing threats against WLANs and WLAN clients.

3.4 Introduction to Intrusion in MANET

Mobile ad hoc networks are complex distributed systems that comprise wireless mobile nodes that can freely and dynamically self-organise into arbitrary and temporary ad hoc network topologies. They allow people and devices to seamlessly internetwork with no pre-existing communication infrastructure and no central administration [191]. Ad hoc networks are a new wireless networking paradigm for mobile hosts. Unlike traditional mobile wireless networks, ad hoc networks do not rely on any fixed infrastructure. Instead, hosts rely on each other to keep the network connected. Military tactical and other security-sensitive operations are still the main applications of ad hoc networks, although there is a trend to adopt ad hoc networks for commercial uses due to their unique properties. One main challenge in the design of these networks is their vulnerability to security attacks.
The goal is to investigate the development of a suite of protocols and algorithms that enables secure collaboration over mobile ad hoc networks as well as the wired backbone. Collaboration requires secure information sharing and communication among a large number of academic, governmental, and military sites. A series of experiments in key management, malicious intruder identification, and detection of denial of service attacks will be conducted to provide the secure networking.

Ubiquitous access to information anywhere and anytime will characterize completely new kinds of information systems in the 21st century. These are being enabled by rapidly emerging wireless communication systems, based on radio and infrared transmission mechanisms, and utilizing such technologies as cellular telephony, personal communication systems, wireless PBXs, and wireless local area networks. These systems have the potential to dramatically change society as workers become untethered from their information sources and communication mechanisms. While there is a rich body of knowledge associated with radio system engineering, the needed expertise must build upon this to encompass network management, integration of wireless and wireline networks, system support for mobility, computing system architectures for wireless nodes, base stations and servers, user interfaces appropriate for small handheld portable devices, and new applications that can exploit mobility and location information.

Enormous amounts of data are collected from the network for network-based intrusion detection, and this poses a great challenge. Raw network traffic needs to be summarized into higher-level events, described by some features, such as connection records, before feeding the data to a machine-learning algorithm. Selecting relevant features is a crucial activity and requires extensive domain knowledge.
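As an added illustration of the summarization step just described (example code written for this chapter, not from the thesis and not the feature set of any particular data set or tool): a Python script that turns constructed raw packet records into one connection record per (source, destination, port) with intrinsic features (start, duration, bytes, packets), then adds time-window features that no single record can carry, namely how many connections the same source opened to the same host in the preceding two seconds and how many distinct ports they touched. The packet values, the two-second window and the port-count threshold are constructed for the example.

```python
"""Added example (not from the thesis): summarizing raw packet records into
connection records with derived features, before any learning step."""
from collections import defaultdict

# Constructed packet records: (timestamp in seconds, src, dst, dst_port, payload bytes).
# One ordinary web session from 10.0.0.5 and five quick single-packet
# connections from 10.0.0.7 to five different ports on the same host.
PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.9", 80, 120),
    (0.3, "10.0.0.5", "10.0.0.9", 80, 4000),
    (0.9, "10.0.0.5", "10.0.0.9", 80, 300),
    (5.0, "10.0.0.7", "10.0.0.9", 22, 60),
    (5.1, "10.0.0.7", "10.0.0.9", 23, 60),
    (5.2, "10.0.0.7", "10.0.0.9", 25, 60),
    (5.3, "10.0.0.7", "10.0.0.9", 80, 60),
    (5.4, "10.0.0.7", "10.0.0.9", 110, 60),
]


def build_connection_records(packets):
    """Group packets by (src, dst, dst_port) into one record per connection
    with start time, duration, total bytes and packet count: intrinsic
    features that come from the connection alone."""
    groups = defaultdict(list)
    for ts, src, dst, dport, nbytes in packets:
        groups[(src, dst, dport)].append((ts, nbytes))
    records = []
    for (src, dst, dport), pkts in groups.items():
        times = [t for t, _ in pkts]
        records.append({
            "src": src, "dst": dst, "dport": dport,
            "start": min(times),
            "duration": max(times) - min(times),
            "bytes": sum(b for _, b in pkts),
            "packets": len(pkts),
        })
    records.sort(key=lambda r: r["start"])
    return records


def add_window_features(records, window=2.0):
    """Time-window features: for each record, the number of connections from
    the same source to the same destination that started within `window`
    seconds before it (the record itself included), and how many distinct
    destination ports those connections used."""
    for i, rec in enumerate(records):
        same = [o for o in records[:i + 1]
                if o["src"] == rec["src"] and o["dst"] == rec["dst"]
                and rec["start"] - o["start"] <= window]
        rec["count"] = len(same)
        rec["distinct_ports"] = len({o["dport"] for o in same})
    return records


def featured_records(packets=PACKETS, window=2.0):
    """Full pipeline: packets -> connection records with all features."""
    return add_window_features(build_connection_records(packets), window)


def suspected_scanners(records, min_ports=4):
    """Sources that touched at least `min_ports` distinct ports on one host
    within the window; the threshold is a constructed example value."""
    return sorted({r["src"] for r in records if r["distinct_ports"] >= min_ports})


if __name__ == "__main__":
    recs = featured_records()
    for r in recs:
        print(r)
    print("suspected scanners:", suspected_scanners(recs))
```

The point of the window features is visible in the output: each of the five connections from 10.0.0.7 is individually unremarkable (one packet, 60 bytes), and only the count of distinct ports within the window gives a learning algorithm something that separates them from the web session. Which features to derive, and over what window, is the domain-knowledge decision the paragraph above refers to.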
3.4.1 Intrusion Detection

The concept behind intrusion detection is a surprisingly simple one: inspect all network activity (both inbound and outbound) and identify suspicious patterns that could be evidence of a network or system attack. Nowadays, networked computers play an important role in society. A network has many advantages: one can easily connect to anyone on the network, share and use files, folders and data, and call one's loved ones over the net. At the same time, it has many disadvantages: one also welcomes one's enemies, hackers and criminals, and there is a chance that data will be misused. When an intrusion (defined as any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource [190]) takes place, intrusion prevention techniques such as encryption and authentication (e.g., using passwords or biometrics) are usually the first line of defence [55]. An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.

3.4.2 Wireless v/s Wired Intrusion

Wired: physically attached; an intruder/attacker needs to plug directly into the network.
Wireless: an intruder can stay anywhere and intrude unseen; there is no exact border between the internal and external network, so the exact classification into insider and outsider attacks is lost.

It is sometimes assumed that host-based systems address insider attacks whereas network-based systems address outsider attacks. One may not agree with this practice, but as soon as a Wi-Fi signal is added, the border of defence becomes unclear and no longer sharply defined. The primary assumptions of intrusion detection are: user and program activities are observable, for example via a system auditing mechanism; and, more importantly, normal and intrusive activities have distinct behaviour. A network-based IDS normally runs on the gateway of a network and inspects the packets that pass through the network hardware interface.
In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures; essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, misuse detection software is only as good as the database of attack signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network: traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and looks for anomalies [156].

3.4.3 Problems of Current IDS Techniques

There are two different types of network, wireless and wired, and there have always been problems of security, collaboration, management and integration between them. Thus an intrusion detection system is needed, as data may be misused while it is communicated between the two. Fitting an IDS between a wired and a wireless network is a major problem, as the wireless network may not have a fixed infrastructure, and data transfer in a wireless ad hoc network differs greatly from that in a wired network. Communication through a wireless ad hoc network always has limitations: one may face problems of bandwidth, data loss, high cost, slower links, and so on. Intrusion detection in MANETs is therefore challenging for a number of reasons [116, 158, 135]. The major limitations of current intrusion detection systems are [84]:

Noise can severely limit an intrusion detection system's effectiveness. Bad packets generated by software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate. It is not uncommon for the number of real attacks to be far below the number of false alarms; real attacks are often so far below the false-alarm rate that they are missed and ignored.
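To make the two approaches concrete, here is an added example (written for this edit, not code from the thesis) that runs a misuse detector and an anomaly detector over constructed connection records. The two signatures, the baseline window, the observed window and the thresholds are all assumptions chosen so that each detector fires on something the other cannot see: the signatures catch two clear-text attacks but are blind to the TLS connection, while the baseline comparison catches the burst of oversized UDP traffic that matches no signature.

```python
"""Added example (not from the thesis): a misuse detector (signature
matching) beside an anomaly detector (baseline comparison) running over
constructed connection records. Signatures, thresholds and traffic are
illustrative assumptions."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionRecord:
    src: str
    dst: str
    dport: int
    proto: str      # "TCP" or "UDP"
    size: int       # bytes carried by the connection
    payload: bytes  # first bytes of the application data


# Two assumed signatures, in the spirit of a Snort content rule.
SIGNATURES = {
    "SQL injection in URI": re.compile(rb"(?i)union\s+select"),
    "directory traversal": re.compile(rb"\.\./\.\./"),
}

# Constructed "normal" window used to learn the baseline: web and DNS traffic.
BASELINE = (
    [ConnectionRecord("10.0.0.5", "10.0.0.1", 80, "TCP", 600, b"GET /index.html HTTP/1.1")] * 6
    + [ConnectionRecord("10.0.0.5", "10.0.0.2", 53, "UDP", 80, b"\x12\x34\x01\x00example.com")] * 4
)

# Constructed window under observation: two attacks in clear text, one TLS
# connection the sensor cannot read, and a burst of oversized UDP traffic.
WINDOW = [
    ConnectionRecord("10.0.0.9", "10.0.0.1", 80, "TCP", 700,
                     b"GET /item?id=1 UNION SELECT password FROM users HTTP/1.1"),
    ConnectionRecord("10.0.0.9", "10.0.0.1", 80, "TCP", 500, b"GET /../../etc/passwd HTTP/1.1"),
    ConnectionRecord("10.0.0.5", "10.0.0.1", 443, "TCP", 1500, b"\x17\x03\x03\x05\xd0\x8f\x2a\x11"),
] + [ConnectionRecord("10.0.0.7", "10.0.0.2", 53, "UDP", 1450, b"\x00" * 8)] * 7


def misuse_detect(records):
    """Signature (misuse) detection. Encrypted connections are skipped up front
    instead of being scanned and then discarded."""
    alerts, skipped = [], 0
    for r in records:
        if r.dport == 443:          # simplification: treat port 443 as TLS
            skipped += r.size
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(r.payload):
                alerts.append((name, r.src, r.dst))
    return {"alerts": alerts, "encrypted_bytes_skipped": skipped}


def build_baseline(records):
    """Profile a window known to be normal: mean size and protocol breakdown."""
    n = len(records)
    mix = Counter(r.proto for r in records)
    return {
        "mean_size": sum(r.size for r in records) / n,
        "proto_share": {p: c / n for p, c in mix.items()},
    }


def anomaly_detect(records, baseline, size_factor=3.0, share_delta=0.25):
    """Flag a window whose mean size or protocol breakdown departs from the
    baseline by more than the given tolerances (assumed thresholds)."""
    n = len(records)
    alerts = []
    mean = sum(r.size for r in records) / n
    if mean > size_factor * baseline["mean_size"]:
        alerts.append(("packet size", mean))
    for proto, c in Counter(r.proto for r in records).items():
        if c / n - baseline["proto_share"].get(proto, 0.0) > share_delta:
            alerts.append(("protocol breakdown", proto))
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE)
    print(misuse_detect(WINDOW))
    print(anomaly_detect(WINDOW, base))
```

Note that the anomaly detector reports only that the window is abnormal, not which connection or which attack, and that its thresholds decide the false-alarm rate: the same baseline run against itself yields no alerts, but a legitimate burst of large DNS responses would trip it just as the constructed flood does.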
Many attacks are geared to specific versions of software that are usually outdated, so a constantly changing library of signatures is needed to mitigate threats; outdated signature databases can leave the IDS vulnerable to new strategies.

3.4.4 NIDS Performance Issues

A network intrusion detection system is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems (NIDS) [34,134,89] gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In an NIDS, as shown in Figure 3-2, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic [31]. An example of an NIDS is Snort. Network intrusion detection systems are usually deployed as a dedicated component on a network segment. There is some debate as to where to place a single NIDS (inside or outside of a firewall), but most agree that multiple NIDS are better. The NIDS compares captured network data to a file of known malicious signatures; if there is a match, it logs and sends an alert according to how it was configured by the network or security administrator [32].

(Figure 3-2: A Network Based IDS)

A major difficulty is that true performance statistics are very hard to obtain, especially in a lab; however, a recent test by NSS Labs is probably one of the best [33]. The most important factor is not how many attacks an NIDS can detect (often the only benchmark used in lab tests), but how effectively the NIDS can pick out one attack in a mass of normal background traffic. It is often not the mass of attacks that an NIDS has problems dealing with, but the proverbial finding of a needle in a haystack. This becomes especially difficult when SSL (Secure Sockets Layer) traffic is involved, because the NIDS cannot read encrypted traffic: it wastes valuable CPU cycles realizing that it cannot do anything with the traffic and then discards it. A second core performance element to consider is the size of packets. In tests, NIDS vendors usually look at an average packet size of 1024 bytes; if the packets are smaller, the NIDS will run a lot slower (consider, for example, the negative impact when monitoring a large DNS server). A third key driver of how fast an NIDS can run is the actual policy that is running on it. Typically, an NIDS has hundreds of attack signatures that it is looking for at any given time; the more signatures it looks for in a stream of data, the longer it takes to move on to the next stream. This is more critical for pattern-matching-based systems than for those that utilize protocol analysis.

The nature of the mobile computing environment makes it very vulnerable to an adversary's malicious attacks. First, the use of wireless links renders the network susceptible to attacks ranging from passive eavesdropping to active interfering. Unlike wired networks, where an adversary must gain physical access to the network wires or pass through several lines of defence at firewalls and gateways, attacks on a wireless network can come from all directions and target any node. Damage can include leaking secret information, message contamination, and node impersonation. All this means that a wireless ad hoc network will not have a clear line of defence, and every node must be prepared for encounters with an adversary, directly or indirectly.
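The third performance driver above, the number of signatures in the policy, depends on how the matching is done. The following added example (written for this edit, not code from the thesis or from Snort) counts the work of two engines over one constructed packet: a naive engine that tests each signature separately, whose cost grows linearly with the signature count, and an Aho-Corasick automaton, the family of multi-pattern matchers Snort uses, whose per-byte cost does not depend on how many signatures are loaded. The signatures ("attack00", "attack01", ...) and the packet are constructed; the step counters are the example's own instrumentation.

```python
"""Added example (not from the thesis): signature count versus matching cost.
A naive per-signature scan is compared with an Aho-Corasick automaton over
the same constructed packet; both report the same hits, but only the naive
engine's work grows with the number of signatures."""
from collections import deque


def naive_search(patterns, text):
    """Test every signature separately: work grows with len(patterns)."""
    hits, steps = [], 0
    for p in patterns:
        for i in range(len(text) - len(p) + 1):
            steps += 1
            if text[i:i + len(p)] == p:
                hits.append((i, p))
    return sorted(hits), steps


def build_automaton(patterns):
    """Aho-Corasick: a trie over all signatures plus failure links."""
    goto, fail, out = [{}], [0], [set()]
    for p in patterns:
        s = 0
        for ch in p:
            if ch not in goto[s]:
                goto.append({})
                fail.append(0)
                out.append(set())
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s].add(p)
    queue = deque(goto[0].values())          # depth-1 states fail to the root
    while queue:
        r = queue.popleft()
        for ch, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(ch, 0)
            out[s] |= out[fail[s]]           # inherit matches ending here
    return goto, fail, out


def automaton_search(automaton, text):
    """Single pass over the text; steps counts state transitions taken."""
    goto, fail, out = automaton
    hits, steps, s = [], 0, 0
    for i, ch in enumerate(text):
        steps += 1
        while s and ch not in goto[s]:
            s = fail[s]
            steps += 1
        s = goto[s].get(ch, 0)
        for p in out[s]:
            hits.append((i - len(p) + 1, p))
    return sorted(hits), steps


def compare(n_signatures):
    """Run both engines over a constructed packet carrying two of the signatures."""
    sigs = [b"attack%02d" % i for i in range(n_signatures)]
    packet = b"GET /?q=" + b"A" * 200 + sigs[0] + b"B" * 300 + sigs[1] + b"C" * 400
    naive_hits, naive_steps = naive_search(sigs, packet)
    ac_hits, ac_steps = automaton_search(build_automaton(sigs), packet)
    return {
        "hits": naive_hits,
        "same": naive_hits == ac_hits,
        "naive_steps": naive_steps,
        "automaton_steps": ac_steps,
        "bytes": len(packet),
    }


if __name__ == "__main__":
    for n in (10, 100):
        print(n, compare(n))
```

Going from 10 to 100 signatures multiplies the naive engine's work by ten while the automaton's transition count stays the same and never exceeds twice the packet length; protocol analysis attacks the same cost from the other side, by only applying to a packet the signatures relevant to its protocol.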
3.4.5 New Architecture

Though many IDS architectures have been designed for infrastructure-based networks, they are not applicable in a mobile environment. Motivated by this consideration, we propose a modified architecture based on the conceptual model for an IDS agent proposed by Yongguang Zhang and Wenke Lee [55]. The model is extended by introducing two novel ideas: the data collection is divided into two parts, and a Global Data Collection Module is introduced as the outermost layer of the model. The IDS should be both cooperative and distributed to satisfy the needs of the wireless ad hoc network. In the proposed architecture, every node in the wireless ad hoc network participates in intrusion detection and response, and each node is responsible for signalling an intrusion locally and independently. In addition, this IDS model identifies black-list and white-list requests. The internals of an IDS agent can be complex, but conceptually it can be structured in eight pieces, as shown in Figure 3-3. The data collection module is responsible for gathering the local audit trace and activity logs. Next, the identifier uses this data to identify an intrusion, and notification takes the appropriate action if an intrusion occurs. The Global Data Collection module stores all the calls that have occurred.

A. Data Collection Module

This has been further divided into a black list and a white list. It gathers all the necessary streams of data that arrive at the time of a request. The black-list module stores the details of sources that may lead to misuse, that is, where there is a chance of intrusion, whereas the white-list module stores the details of the most frequent calls, which are authentic. Depending on the intrusion detection algorithms, these useful data streams can include system and user activity within the mobile node.
Multiple data collection modules can exist in one IDS agent to provide multiple audit streams for a multi-layer integrated intrusion detection method.

(Figure 3-3: A conceptual model for IDS Agent. Components shown: Global Data Collection Module; Data Collection (black listed, white listed; system calls); Local Identifier; Group detection; Local Notification; Universal Notification; Secure Communication; Neighboring IDS Agent)

B. Identifiers

Identifiers can be a local identifier or group detection. The local identifier uses the data from the data collection module and identifies whether an intrusion has occurred or not. If it has, it sends a signal to the notification module, where it is processed. As time goes on, newer attacks against the system will always be created, and securing a system is not an easy task, even more so as more and more devices become wireless, so security must be increased accordingly. Establishing new and best security for a mobile ad hoc network is not easy; therefore, the IDS model should use different statistical and mathematical models to solve the problem.

C. Notification

Notification can be local notification or universal notification; which one is made depends on the type of network. When the system is in the network, it notifies universally, i.e. it broadcasts the message to its neighbours along with a description of the intrusion and the address of the particular system that initiated it. In this case, all the systems update their data collection module and put this description in the black list of that module, and they can refer to it in future to identify the intrusion. In local notification, the system notifies itself that an intrusion has occurred, terminates the connection with that particular system and updates the black-list data collection module. When an intrusion occurs, the node sends the intrusion state information to its neighbouring nodes; each node can then update its data collection module and initiate appropriate action against that intruder.

D. Global Data Collection Module

This is the core and the heart of the new intrusion detection system, as it is centralized and stores all the streams and actions carried out by the systems in the network. When any system initiates a request, the request is first stored in this module, which can then be used by the data collection module to identify an intrusion. This module also implements a cache concept, as it updates itself at every interval. Cross-checking is done for every instance of a node to secure the ad hoc network and to identify unauthorized users.

3.5 Conclusion

Here the argument is that any system on the network may suffer an intrusion and have its privacy exploited. This is especially true for wireless ad hoc networks. Intrusion detection can complement intrusion prevention techniques, so new techniques must be developed to solve this problem. Through continuous investigation, it has been shown how a new model can be developed and how a Global Data Collection module helps the IDS agent to identify occurrences of intrusion. First, when any system initiates a request, the request is checked in the Global Data Collection Module; if it is not found there, the source is put in the black list and a broadcast message is made, so that all the neighbouring nodes know the intrusion point and can take appropriate action. At present, the investigation of the architecture's issues is still going on, together with implementing it practically and studying its performance. In short, we focus on the issues that arise in IDS and try to identify the best solution among all. In future, the algorithm which supports the model will be developed to identify intrusions in a cost-effective way.
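As an added illustration of the agent model of 3.4.5 and the request-checking flow stated in 3.5 (example code written for this edit; the thesis states that its own supporting algorithm is future work), the following simulates three cooperating agents that share one Global Data Collection Module. Module names follow Figure 3-3; the scenario, the node names, the one-hop broadcast and the choice of an in-memory shared store are assumptions, since the thesis does not say how the global module is distributed over the ad hoc network.

```python
"""Added example (not from the thesis): a toy simulation of the cooperative
IDS agent model of 3.4.5 (Figure 3-3) with the request-checking rule of 3.5.
Scenario, node names and the shared in-memory global store are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str        # address of the node that initiated the call
    syscall: str    # the system call or service being requested


class GlobalDataCollection:
    """Global Data Collection Module (3.4.5 D): records every call seen by any
    agent. Assumed here to be one shared in-memory object."""

    def __init__(self):
        self.calls = []                      # (observing agent, source, syscall)

    def known_sources(self):
        return {src for _, src, _ in self.calls}

    def record(self, agent_name, req):
        self.calls.append((agent_name, req.src, req.syscall))


class IDSAgent:
    """One agent per node. Data collection is split into a white list of
    frequent, authentic callers and a black list of sources judged intrusive."""

    def __init__(self, name, gdc, trusted=()):
        self.name, self.gdc = name, gdc
        self.white, self.black = set(trusted), set()
        self.neighbours, self.connections, self.alerts = [], set(), []

    def link(self, other):
        self.neighbours.append(other)
        other.neighbours.append(self)

    def local_identifier(self, req, previously_known):
        """Local Identifier: True when the request is judged an intrusion.
        Rule from 3.5: a source not already in the global store (and not
        white-listed) is treated as an intruder."""
        if req.src in self.black:
            return True
        if req.src in self.white:
            return False
        return req.src not in previously_known

    def handle(self, req):
        """Returns True when the request is accepted."""
        # 3.4.5 D: the call is stored globally first. The set of sources seen
        # before this call is snapshotted so a first-time caller is "not found".
        previously_known = self.gdc.known_sources()
        self.gdc.record(self.name, req)
        if self.local_identifier(req, previously_known):
            self.local_notification(req)
            self.universal_notification(req)
            return False
        self.connections.add(req.src)
        return True

    def local_notification(self, req):
        """Local Notification: drop the connection and black-list the source."""
        self.connections.discard(req.src)
        self.black.add(req.src)
        self.alerts.append((self.name, req.src, req.syscall))

    def universal_notification(self, req):
        """Universal Notification: broadcast the intruder's address and the
        intrusion description to neighbouring agents (one hop, as described)."""
        for agent in self.neighbours:
            agent.receive_notification(self.name, req)

    def receive_notification(self, reporter, req):
        """A neighbour's black list is updated and its connection terminated."""
        self.black.add(req.src)
        self.connections.discard(req.src)
        self.alerts.append((reporter, req.src, req.syscall))


def run_scenario():
    """Constructed scenario: nodes A -- B -- C share one global store.
    Returns one entry per request: (agent, source, accepted, A/B/C black lists)."""
    gdc = GlobalDataCollection()
    a = IDSAgent("A", gdc, trusted={"n1"})
    b = IDSAgent("B", gdc)
    c = IDSAgent("C", gdc, trusted={"n3"})
    a.link(b)
    b.link(c)
    log = []
    for agent, req in [
        (a, Request("n1", "read")),      # white-listed at A: accepted
        (c, Request("n3", "read")),      # white-listed at C; now in global store
        (a, Request("n3", "connect")),   # unknown to A but found globally: accepted
        (a, Request("n2", "connect")),   # never seen: black-listed, broadcast to B
        (b, Request("n2", "connect")),   # B already knows n2; broadcasts to A and C
    ]:
        accepted = agent.handle(req)
        log.append((agent.name, req.src, accepted,
                    sorted(a.black), sorted(b.black), sorted(c.black)))
    return log


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```

Two properties of the design are visible in the log: the global module lets A accept n3 on first contact only because C had already recorded it, and the one-hop broadcast means C learns of n2 only after B itself is contacted. Under the rule of 3.5 every first-time source is flagged until it has been recorded once, so the white lists and the way the global store is first populated decide the false-alarm rate discussed in 3.4.3.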