Posted on: 2/17/2012 (Category: Emerging Technologies)

Vol. 10 No. 1, January 2012. International Journal of Computer Science and Information Security Publication, January 2012, Volume 10 No. 1. Copyright © IJCSIS. This is an open access journal distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 1, January 2011. ISSN 1947-5500, http://sites.google.com/site/ijcsis/

Performance Assessment of Tools of the Intrusion Detection/Prevention Systems

Yousef FARHAOUI, Ahmed ASIMI
LabSiv, Equipe ESCAM, Faculty of Sciences, Ibn Zohr University, B.P 80060, City Dakhla, Agadir, Morocco.
email@example.com, firstname.lastname@example.org

Abstract— This article aims at providing (i) a general presentation of the techniques and types of intrusion detection and prevention systems, (ii) an in-depth description of the features used to evaluate, compare and classify IDS and IPS, and (iii) the implications of such a study for determining the features of the more effective commercial and open source IDS and IPS.

Keywords— Intrusion Detection, Intrusion Prevention, Characteristic, Tools.

I. INTRODUCTION

Intrusion detection and prevention systems, IDS and IPS, are among the most recent security tools. According to their features, they can be classified in different ways, for example by their detection and prevention techniques, their architecture or their range of detection.

In spite of their utility, in practice most IDS/IPS suffer from two problems: a large number of false positives and of false negatives. False positives, or false alerts, are generated when the IDS/IPS identifies normal activity as an intrusion, whereas false negatives are attacks or intrusions that are not detected, so that no alert is generated. IDS/IPS designers try to overcome these limitations by developing new algorithms and architectures. It is therefore important for them to be able to measure the improvements brought by these new devices. In the same way, network and system administrators need to assess IDS/IPS in order to choose the best one before installing it on their networks or systems, and then to keep evaluating its efficiency in operation. Unfortunately, many false positives and false negatives persist in the new versions of IDS/IPS, so the improvements obtained do not match the continuous research and development effort spent on intrusion detection and prevention. This is essentially due to the absence of efficient assessment methods for security tools in general, and for IDS/IPS in particular.

II. INTRUSION DETECTION SYSTEMS

An IDS is a mechanism which unobtrusively watches over network traffic in order to flag abnormal or suspicious activities, and thus makes a preventive action against intrusion risks possible. There are three main families of IDS:
- the NIDS, Network Based Intrusion Detection System, which protects the network;
- the HIDS, Host Based Intrusion Detection System, which protects the hosts;
- the hybrid IDS, which combines the HIDS and the NIDS.

A. Network Intrusion Detection System

NIDS are also called passive IDS, since a system of this kind informs the system administrator that an attack has taken place, and the administrator then takes the adequate measures to secure the system. Reporting an intrusion so that someone can react afterwards is not sufficient, and neither is reporting the damage: the IDS must react itself and be able to block the suspicious traffic it has detected. These reaction techniques are what defines the active IDS.

B. The Host Intrusion Detection System

According to the source of the data to examine, Host Based Intrusion Detection Systems can be classified in two categories:
- The application-based HIDS. An IDS of this type receives its data from applications, for example the log files generated by a database management system, a web server or a firewall. The weakness of this technique is that it is confined to the application layer.
- The host-based HIDS. An IDS of this type receives information about the activity of the supervised system, sometimes in the form of operating system audit trails. It can also include the system logs and other logs generated by operating system processes, and the content of system objects not reflected in the standard operating system audit and logging mechanisms. An IDS of this type can also use the results returned by an application-based IDS.

C. Hybrid Intrusion Detection Systems

The NIDS-HIDS combination, or hybrid, gathers the features of several different IDS. It allows a single tool to supervise both the network and the terminals. Probes are placed at strategic points and act as NIDS and/or HIDS depending on where they sit. All these probes then report their alerts to a machine which centralizes them and aggregates information from multiple sources.

III. INTRUSION PREVENTION SYSTEM

Intrusion prevention is an amalgam of security technologies whose goal is to anticipate and stop attacks. Intrusion prevention is implemented by some recent IDS. Instead of analyzing traffic logs, which amounts to discovering attacks after they took place, intrusion prevention tries to ward off such attacks. While intrusion detection systems try to raise an alert, intrusion prevention systems block the traffic rated as dangerous.

For many years, the philosophy of network intrusion detection amounted to detecting as many attacks and possible intrusions as possible and recording them so that others could take the necessary measures. In contrast, network intrusion prevention systems have been developed with a new philosophy: "taking the necessary measures to counter precisely detectable attacks or intrusions".

IPS are often considered as a second generation of IDS; that is to say, the IPS gradually replace the IDS. In fact, IPS are meant to make up for the limitations of IDS concerning the response to attacks. Whereas an IDS cannot block an intrusion except through active responses, an IPS is able to block an intrusion in time. Indeed, an inline position, whether in a firewall or in a proxy, is the only means which allows input and output data to be analyzed and intrusive packets to be destroyed dynamically before they reach their destination. Moreover, IPS compensate for the inability of IDS, because of their software architecture, to handle high throughput.

IPS provide the following functionalities:
- supervising the behaviour of the application;
- creating rules for the application;
- issuing alerts in case of violations;
- correlating different sensors to guarantee a better protection against attacks;
- understanding IP networks;
- mastering the network probes and log analysis;
- defending the vital functions of the network;
- carrying out analysis at high speed.

In general terms, IPS are always online on the network to supervise the traffic and intervene actively by limiting or deleting the traffic judged hostile, by interrupting suspicious sessions or by taking other reaction measures against an attack or an intrusion. The IPS functions symmetrically to the IDS; in addition, it analyzes connection contexts, automates log analysis and suspends suspicious connections. Contrary to the classic IDS, the signature is not used to detect the attacks. Before taking action, the system must decide about an action in an appropriate time: if the action conforms to the rules, permission to execute it is granted and the action is executed, but if the action is illegal an alarm is issued. In most cases, the other detectors of the network are informed, with the goal of stopping the other computers from opening or executing specific files. Unlike the other prevention techniques, the IPS is a relatively new technique.

A. The Network Intrusion Prevention System

When an attack is detected, the system reacts by modifying the environment of the attacked system. This modification can take the form of blocking some flows and ports, or of isolating some network systems. Acting directly on the traffic of the affected system is the sensitive point of this kind of prevention device, especially in the case of a false positive. Mistakes must therefore be few, because they have a direct impact on the availability of the systems. When dangerous traffic is detected, the IPS blocks this traffic like a firewall. Nevertheless, the same traffic, occurring in a non-dangerous configuration, will not be blocked. An IPS can thus be seen as an intelligent firewall with dynamic rules.

B. The Host Intrusion Prevention System

Nowadays, attacks evolve quickly and are targeted. It is therefore necessary to have a protection capable of stopping malware before a specific detection update is published. A Host Intrusion Prevention System, or HIPS, is meant to stop malware before a specific detection update is available, by supervising the behaviour of the code. The majority of HIPS solutions supervise the code at execution time and intervene if the code is considered suspicious or malicious.

IV. FEATURES TO EVALUATE AND TO COMPARE FOR THE IDS/IPS SYSTEMS
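Before the evaluation features are listed, the prevention behaviour of Section III.A (blocking a flow or an attacker like a firewall with dynamic rules, while the same traffic in a non-dangerous configuration is only reported) and the three signature-independent reaction methods this section goes on to describe (inverse exclusion, protocol validation, blocking of the identified attacker) can be made concrete in code. The following Python program is an added example written for this edition; it is not code from the paper or from any of the products discussed. The hosts, signatures, packets, the 60-second rule expiry and the `Nips` and `Packet` classes are all constructed for the demonstration.

```python
"""Added example (not the paper's code): an inline NIPS decision function with
dynamic rules, context-aware blocking and the three reaction methods of Section IV.
All hosts, signatures and packets below are constructed for the demonstration."""
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str     # application protocol label, "http" or "smb" (constructed)
    payload: str


@dataclass
class Nips:
    # name -> (regex, service the signature targets); hypothetical signatures
    signatures: dict
    # the "configuration": which destination exposes which service
    exposed: dict
    # protocol validation: HTTP methods considered legitimate
    allowed_methods: set = field(default_factory=lambda: {"GET", "POST", "HEAD"})
    # inverse exclusion: destination -> sources allowed to reach it (everything else dropped)
    legitimate_src: dict = field(default_factory=dict)
    # dynamic rules carry an expiry so a false positive does not cut availability forever
    block_ttl: float = 60.0
    blocked_flows: dict = field(default_factory=dict)      # (src, dst, dport) -> expiry
    blocked_attackers: dict = field(default_factory=dict)  # src -> expiry
    alerts: list = field(default_factory=list)

    def decide(self, pkt: Packet, now: float) -> tuple:
        """Return ("drop" | "pass", reason) for one packet seen at time `now`."""
        # 1. dynamic rules installed by earlier detections (independent blocking of the attacker)
        if self.blocked_attackers.get(pkt.src, 0.0) > now:
            return "drop", "attacker blocked"
        if self.blocked_flows.get((pkt.src, pkt.dst, pkt.dport), 0.0) > now:
            return "drop", "flow blocked"
        # 2. inverse exclusion: only the legitimate sources may reach a protected destination
        if pkt.dst in self.legitimate_src and pkt.src not in self.legitimate_src[pkt.dst]:
            return "drop", "inverse exclusion"
        # 3. protocol validation: requests using an illegitimate method are dropped
        if pkt.proto == "http":
            method = pkt.payload.split(" ", 1)[0]
            if method not in self.allowed_methods:
                return "drop", f"protocol validation ({method})"
        # 4. signature match: block only when the destination really exposes the targeted service
        for name, (rx, service) in self.signatures.items():
            if rx.search(pkt.payload):
                if service in self.exposed.get(pkt.dst, set()):
                    expiry = now + self.block_ttl
                    self.blocked_flows[(pkt.src, pkt.dst, pkt.dport)] = expiry
                    self.blocked_attackers[pkt.src] = expiry
                    self.alerts.append((name, pkt.src, pkt.dst, "blocked"))
                    return "drop", f"signature {name}"
                # same traffic in a non-dangerous configuration: alert, do not block
                self.alerts.append((name, pkt.src, pkt.dst, "alert only"))
                return "pass", f"signature {name}, {pkt.dst} does not expose {service}"
        return "pass", "clean"


def run_demo() -> list:
    """Feed a constructed packet sequence through the NIPS and return the decisions."""
    nips = Nips(
        signatures={
            "dir-traversal": (re.compile(r"\.\./\.\./"), "http"),
            "ipc-share-probe": (re.compile(r"\\IPC\$"), "smb"),
        },
        exposed={"10.0.0.5": {"http"}, "10.0.0.9": {"smb"}, "10.0.0.12": {"smb"}},
        legitimate_src={"10.0.0.9": {"10.0.0.20"}},
    )
    t0 = 1000.0
    packets = [
        # exploit attempt against a host that does expose HTTP -> blocked, rules installed
        (t0, Packet("192.0.2.7", "10.0.0.5", 80, "http", "GET /../../etc/passwd HTTP/1.1")),
        # the attacker's later, clean request -> dropped by the dynamic rule
        (t0 + 1, Packet("192.0.2.7", "10.0.0.5", 80, "http", "GET /index.html HTTP/1.1")),
        # same attack payload against a host with no HTTP service -> alert only, not blocked
        (t0 + 2, Packet("198.51.100.3", "10.0.0.12", 80, "http", "GET /../../etc/passwd HTTP/1.1")),
        # illegitimate request method -> protocol validation
        (t0 + 3, Packet("198.51.100.3", "10.0.0.5", 80, "http", "TRACE / HTTP/1.1")),
        # unlisted source to a destination with a legitimate-source list -> inverse exclusion
        (t0 + 4, Packet("203.0.113.1", "10.0.0.9", 445, "smb", "tree connect \\IPC$")),
        # the attacker again after the rule expired -> traffic flows again
        (t0 + 61, Packet("192.0.2.7", "10.0.0.5", 80, "http", "GET /index.html HTTP/1.1")),
    ]
    return [nips.decide(pkt, now) for now, pkt in packets]


if __name__ == "__main__":
    for action, reason in run_demo():
        print(f"{action:4s} {reason}")
```

Every decision carries the reason it was taken, which is what an operator needs when a block turns out to be a false positive. The dynamic rules expire, so a wrong block costs availability only for the rule's lifetime, which is the trade-off Section III.A warns about; the third packet shows the other half of that section, the same attack payload passing, with an alert, when the destination does not expose the targeted service.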
The IPS is based on the principle of integrating heterogeneous technologies: firewall, VPN, IDS, anti-virus, anti-spam, etc. The expression "intrusion detection and prevention system" is used to describe multiple security technologies and solutions. This paper focuses on intrusion prevention systems capable of taking immediate measures against attacks and intrusions without manual intervention. Intrusion detection and prevention tools display the following features:

a. an online machine capable of reliably and accurately detecting attacks and blocking them with precision;
b. high online speed without any effect on the performance or the availability of the network;
c. efficient integration within the security management environment;
d. easy and quick adaptation to, and anticipation of, unknown intrusions;
e. accurate and precise intervention;
f. good citizenship on the network;
g. efficient security-based management.

An IDS/IPS must include flexible and transparent methods to update its database with new attack signatures. Besides, IDS/IPS must have methods capable of reacting to new attacks without signature updates: inverse exclusion, where all requests except those legitimate for a given destination are dropped; protocol validation, in which requests using illegitimate methods are dropped; or independent blocking of the attack, where the attackers are identified and all the traffic coming from them is dropped, whether the attacks are known or not.

V. THE FEATURES OF CLASSIFICATION OF THE IDS AND THE IPS

There are a lot of products whose complexity of implementation and degree of integration vary. Tools strictly based on behavioural models affect speed, but they are more and more integrated into IDS/IPS initially based on a signature library, thanks to their complementarity. Host tools perform worse than network tools. The arrival of hybrid tools, which give a less partial protection of the information system, can resolve this dilemma.

The first classification criterion for IDS/IPS is the method of analysis, of which there are two approaches.

- The scenario approach: this approach consists in searching the activity of the supervised element for the fingerprints (or signatures) of known attacks. This type of IDS/IPS is merely reactive; it can only detect the attacks whose signature it possesses, and it therefore requires frequent updates. Besides, the efficiency of this detection depends strongly on the precision of its signature base. This is why these systems are vulnerable to attackers who use "evasion" techniques, which consist in disguising the attacks used. These techniques tend to vary the signatures of the attacks, which are then no longer recognized by the IDS/IPS.
- The behavioural approach: it consists in detecting anomalies. The implementation always includes a training phase during which the IDS/IPS learns the normal functioning of the supervised elements. It is thus able to signal divergences from the reference behaviour. Behavioural models can be built from statistical analyses. They have the advantage of detecting new types of attacks. However, frequent adjustments are necessary to evolve the reference model so that it reflects the normal activity of the users and reduces the number of false alerts generated.

Each of these two approaches can lead to false positives or to false negatives.

Intrusion detection and prevention systems have become indispensable when setting up an operational security infrastructure. They are therefore always integrated into a context and an architecture which impose various constraints. The following criteria will be adopted in the classification of IDS/IPS:

- Reliability: the alerts generated must be justified and no intrusion must escape.
- Reactivity: an IDS/IPS must be capable of detecting and preventing new types of attacks as quickly as possible, so it must constantly update itself. Automatic update capabilities are therefore indispensable.
- Ease of implementation and adaptability: an IDS/IPS must be easy to operate and, above all, to adapt to the context in which it must operate. It is useless to have an IDS/IPS giving out alerts in less than 10 seconds if the resources necessary for a reaction are not available to act within the same time constraints.
- Performance: setting up an IDS/IPS must not affect the performance of the supervised systems. Besides, one must be certain that the IDS/IPS has the capacity to process all the information at its disposal, because otherwise it becomes trivial to conceal attacks by increasing the quantity of information.

These criteria must also be taken into consideration while classifying an IDS/IPS:
- the source of the data to analyze: network, system or application;
- the behaviour of the product after an intrusion: passive or active;
- the frequency of use: periodic or continuous;
- the operating system on which the tool operates: Linux, Windows, etc.;
- the source of the tool: open or proprietary.

VI. THE TOOL IDS / IPS

In order to ensure the security of data, various tools are available. They are mainly used together in order to secure the system as a whole.
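The two analysis approaches described in Section V, and the false-positive/false-negative problem raised in the Introduction, can be compared on a small labelled sample. The following Python program is an added example for this edition, not code from the paper or from any product it discusses: a scenario detector with two hypothetical signatures, a behavioural detector whose training phase derives a statistical reference profile from normal requests, and a scorer that counts false positives and false negatives for each approach and for their combination. The web-server log lines, the signatures, the three features and the 2.5-standard-deviation threshold are all constructed for the demonstration.

```python
"""Added example (not the paper's code): the two analysis approaches of Section V,
a signature (scenario) detector and a behavioural detector with a training phase,
scored on constructed web-server log lines for the false positives and false
negatives discussed in the Introduction.  Log lines, signatures, features and
thresholds are all constructed for the demonstration."""
import re
import statistics

# constructed log lines, format "src method path status bytes"
TRAINING = [  # normal traffic used for the behavioural detector's training phase
    "10.0.0.1 GET /index.html 200 5120",
    "10.0.0.2 GET /about.html 200 4096",
    "10.0.0.3 POST /login 302 210",
    "10.0.0.1 GET /img/logo.png 200 9300",
    "10.0.0.4 GET /contact.html 200 3800",
    "10.0.0.2 GET /products?id=12 200 6100",
]
TEST = [  # (line, is_attack) with a constructed ground-truth label
    ("10.0.0.5 GET /index.html 200 5120", False),
    ("198.51.100.9 GET /../../etc/passwd 404 512", True),     # known traversal signature
    ("198.51.100.9 GET /.././../etc/passwd 404 512", True),   # same attack, signature varied
    ("198.51.100.7 GET /.git/config 200 300", True),          # known probe, statistically ordinary
    ("10.0.0.3 POST /login 302 210", False),
    ("10.0.0.6 GET /products/catalog/2011/q4/summary.html 200 2048", False),  # deep but legitimate
]

# hypothetical signatures, matched against the raw log line exactly as written
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./\.\./"),
    "exposed-git": re.compile(r"/\.git/"),
}


def path_of(line: str) -> str:
    return line.split()[2]


def signature_detect(line: str) -> bool:
    """Scenario approach: an alert only for an attack whose signature is known."""
    return any(rx.search(line) for rx in SIGNATURES.values())


ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/._-?=&")


def features(path: str) -> list:
    """Three per-request features: path length, directory depth, unusual characters."""
    return [len(path), path.count("/"), sum(1 for c in path if c not in ALLOWED)]


class BehaviouralDetector:
    """Behavioural approach: learn the reference profile from normal traffic, then
    flag any request whose features diverge from it by more than `threshold` std."""

    def __init__(self, threshold: float = 2.5):
        self.threshold = threshold
        self.mean = []
        self.std = []

    def fit(self, lines: list) -> "BehaviouralDetector":
        cols = list(zip(*(features(path_of(l)) for l in lines)))
        self.mean = [statistics.mean(c) for c in cols]
        # floor the deviation at 1.0 so a feature constant in training does not divide by zero
        self.std = [max(statistics.pstdev(c), 1.0) for c in cols]
        return self

    def score(self, line: str) -> float:
        z = [(x - m) / s for x, m, s in zip(features(path_of(line)), self.mean, self.std)]
        return max(z)

    def detect(self, line: str) -> bool:
        return self.score(line) > self.threshold


def evaluate(detect, dataset: list) -> dict:
    """Confusion counts: fp = normal flagged as attack, fn = attack not flagged."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for line, is_attack in dataset:
        flagged = detect(line)
        key = ("tp" if flagged else "fn") if is_attack else ("fp" if flagged else "tn")
        counts[key] += 1
    return counts


def compare() -> dict:
    """Score the signature, behavioural and combined (hybrid) detectors on TEST."""
    beh = BehaviouralDetector().fit(TRAINING)
    return {
        "signature": evaluate(signature_detect, TEST),
        "behavioural": evaluate(beh.detect, TEST),
        "combined": evaluate(lambda l: signature_detect(l) or beh.detect(l), TEST),
    }


if __name__ == "__main__":
    for name, counts in compare().items():
        print(f"{name:12s} {counts}")
```

Run as a script it prints the three confusion counts. On this sample the signature detector misses the traversal whose signature was varied (an evasion in the sense of the scenario approach above), the behavioural detector misses the probe that looks statistically ordinary and raises a false alert on a deep but legitimate path, and only the combination catches every attack, at the cost of that one false alert: the complementarity the section describes, together with its price.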
To avoid the drawbacks of the NIDS, NIPS, HIDS or HIPS taken alone, it is very important to combine these different systems. The lack of host-level information in NIDS and NIPS, and the installation and administration cost of HIDS, can be overcome through a good cohabitation of these systems on the network. There is no perfectly complete system; optimum security is achieved by combining several systems. Moreover, most of these solutions are developed by the leading security companies. These solutions are complete and can be easily deployed in a network, which is also true of their updates. The modular format they use allows several agents to report to a centralized interface. However, these solutions are particularly expensive. Most of the existing intrusion detection solutions consist in setting up NIDS in association with some HIDS and other management software. The table below shows a study of the most used commercial and open source detection and prevention solutions.
Table: the most used commercial and open source detection and prevention solutions. "SS" is used in the original table without expansion.

Feature | CA eTrust Intrusion Detection 3.0 | McAfee IntruShield series I | SonicWALL IPS service | Juniper IDP | McAfee Entercept 5.0 | Snort 2.1.3
Analysis of real-time traffic | Yes | Yes | Yes | Yes | Yes | Yes
Detection of viruses / worms / Trojans | Yes | Yes | Yes | Yes | Yes | Yes
Detection of external attacks | Yes | Yes | Yes | Yes | Yes | Yes
Detection of internal attacks | Yes | Yes | Yes | Yes | Yes | Yes
Ability to block attacks | Yes | Yes | Yes | Yes | Yes | Yes
Detection of external probes | Yes | Yes | Yes | Yes | Yes | Yes
Detection of internal probes | Yes | Yes | Yes | Yes | Yes | Yes
Probes ability | Yes | Yes | Yes | Yes | Yes | Yes
Signatures and updates | Signatures with state data, protocol anomaly detection, backdoors, abnormal traffic, protection of layer 2, SYN flood, profiling | Update, third-party integration, user-customizable | Update definitions, blocking, enterprise security | Updates, block lists and user-defined customizable rules | Updates, block lists and user-defined customizable rules | Yes
Real-time alert | E-mail, pager, application performance, SNMP, console | E-mail, syslog, SNMP, log file, external third-party applications | Console, email, pager, SMS, SGMS | Console, email, pager, SMS | Log files, email, console, SNMP, process generation | Log files, email, syslog
Getting log data | Workspace, ODBC database | Syslog, internal database | Oracle, MySQL | Microsoft SQL Server | SS | SS, packets
Search for content | Yes | Yes | SS | SS | Yes | Yes
Content filtering | Yes | Yes | SS | SS | Yes | Yes
Filtering methods | URL database | Set by the administrator | SS | SS | Set by the administrator | Blacklist, third-party, set by the administrator
Reporting tools | Yes | Yes | Yes | Yes | SS (sold separately) | SS (sold separately)
Compatible operating system | Win 2000, Win 2000/2003/XP for the engine remotely | Windows, Linux, Solaris | Windows | Windows, Solaris, HP/UX | Linux, Windows | All IP environment

VII. CONCLUSION

With the multiplication of enterprise networks and the importance of the Internet for consumers, enterprises try to be more and more present and visible on the Internet. This presence on the Internet, whether through web sites, online sales or even mail, is often gained to the detriment of the security of the enterprise's networks and data. As we have seen, many systems help reinforce security on enterprise networks. Whether the firewalls which filter the entry of the networks, the NIDS which monitor precise points of the networks through their probes, the HIDS which supervise intrusions directly on the host, or even the NIPS which have the capacity to react at the moment dangerous activity is detected, no system constitutes a miracle remedy against the threat of computer attacks. Because of the limits inherent to each of these systems, and of the known techniques for bypassing them, the best protection consists of a combination of all these systems.

Versions of these protective systems are proposed commercially by different companies or organizations, in proprietary or free form. Depending on the size of the enterprise and its means, there are proprietary solutions that are very easy to install and configure but unfortunately very expensive, and free or inexpensive solutions that are unfortunately more difficult to install and configure. Defining the needs is therefore an indispensable preliminary step before setting up these types of systems. Besides, these systems can only act as a complement to a global security policy across the enterprise, and constitute a small part of the security infrastructure. The training of the users, but also of the administrators, is also an indispensable point of this policy.

In order to improve the control and protection capacities of these systems, research is still in progress. It tries to optimize the present systems or to find new solutions for detection, filtering or reaction after an alert. Firewalls, or firewalls integrating an IDS or an IPS, are appearing even for the general public. The democratization of these types of systems gradually brings a beginning of security that was not often considered important by decision-makers in the past. In general, the efficiency of an intrusion detection system depends on its "configurability" (the possibility of defining and adding new attack specifications), its robustness (resistance to failures) and the quantity of false positives (false alerts) and false negatives (undetected attacks) that it generates. The preceding paragraphs aimed both to illustrate the complexity of intrusion detection and to explain the limits of present IDS. A struggle between intrusion techniques and IDS has begun, the IDS leading to more technical attacks on IP, and present attacks forcing the IDS to be more complete and more powerful. IDS/IPS bring an incontestable advantage to the networks in which they are placed. However, their limits do not allow them to guarantee 100% security, which is impossible to obtain. The future of these tools will make it possible to fill these gaps by avoiding "false positives" (for the IDS) and by refining access restrictions (for the IPS).

This study has shown that both intrusion detection systems and intrusion prevention systems still need to be improved to ensure unfailing security for a network. They are not reliable enough (especially with regard to false positives and false negatives) and they are difficult to administer. Yet it is obvious that these systems are now essential for companies to ensure their security. To ensure effective computer security, it is strongly recommended to combine several types of detection system. The IPS, which attempt to compensate in part for these problems, are not yet effective enough for use in a production context. They are currently mainly used in test environments in order to evaluate their reliability. They also lack a standardized operating principle such as exists for the IDS. However, these technologies will need to be developed in the coming years because of the increasing security needs of businesses and the changes in technology that allow more efficient operation of intrusion detection and prevention systems. We are working on the implementation of an attack screening tool and on the characterization of test data. We also focus on the collection of exploits and attacks to classify and identify them. Further work is under way and many avenues remain to be explored. It would then be interesting to conduct assessments of existing IDS and IPS following the approaches we have proposed and the tools developed in this work.

REFERENCES

[1] Newman, Snyder and Thayer, "Crying wolf: False alarms hide attacks", Network World, 24/06/02, http://www.nwfusion.com/techinsider/2002/0624security1.html
[2] F. Cikala, R. Lataix, S. Marmeche, "The IDS/IPS. Intrusion Detection/Prevention Systems", Presentation, 2005.
[3] Hervé Debar and Jouni Viinikka, "Intrusion Detection: Introduction to Intrusion Detection and Security Information Management", Foundations of Security Analysis and Design III, Lecture Notes in Computer Science, Volume 3655, 2005, pp. 207-236.
[4] Hervé Debar, Marc Dacier and Andreas Wespi, "A Revised Taxonomy for Intrusion Detection Systems", Annales des Télécommunications, Vol. 55, No. 7-8, pp. 361-378, 2000.
[5] Hervé Schauer Consultants, "The detection of intrusion...", Presentation: excerpt from the TCP/IP security course of the Cabinet HSC, March 2000.
[6] ISS Internet Risk Impact Summary, June 2002.
[7] Janne Anttila, "Intrusion Detection in Critical E-business Environment", Presentation, 2004.
[8] K. Müller, "IDS - Intrusion Detection Systems, Part II", July 2003, http://www.linuxfocus.org/Francais/July2003/article294.shtml