
Classification and Importance of Intrusion Detection System

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 8, August 2012, ISSN 1947-5500

K Rajasekaran, Research Scholar, Research & Development Centre, Bharathiar University, Coimbatore, India
Dr. K Nirmala, Associate Professor in Computer Science, Quaid-E-Millath Govt. College for Women, Chennai, India

Abstract: An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activity or policy violations and produces reports to a management station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Due to the growing number of intrusion events, and because the Internet and local networks have become so ubiquitous, organizations are increasingly implementing systems that monitor for IT security breaches. This paper gives an overview of the classification of intrusion detection systems and introduces the reader to some fundamental concepts of IDS methodology: audit trail analysis and on-the-fly processing, as well as the anomaly detection and signature detection approaches. It discusses the primary intrusion detection techniques and the classification of intrusion detection systems.

Keywords: Intrusion Detection, signature, anomaly, specification, classification

I. INTRODUCTION

The main aim of intrusion detection is to monitor network assets in order to detect anomalous behaviour and misuse in a network. Intrusion detection has been studied since the early 1980s, but only recently has it seen a dramatic rise in popularity and incorporation into the overall information security infrastructure. In 1980, James Anderson's seminal paper, written for a government organization, introduced the notion that audit trails contain vital information that can be valuable in tracking misuse and understanding user behaviour. With the release of Anderson's paper, the concept of "detecting" misuse and specific user events emerged. His work was the start of host-based intrusion detection and of IDS in general.

Commercial development of intrusion detection technologies began in the 1990s. Haystack Labs was the first commercial vendor of IDS tools, with its Stalker line of host-based products. SAIC was also developing a form of host-based intrusion detection, called the Computer Misuse Detection System (CMDS).

Simultaneously, the Air Force's Cryptologic Support Center developed the Automated Security Incident Measurement (ASIM) system to monitor network traffic on the US Air Force's network. ASIM also made considerable progress in overcoming the scalability and portability issues that had previously plagued NID products. Additionally, ASIM was the first solution to combine hardware and software in a network intrusion detection system. ASIM remains in use and is managed by the Air Force Computer Emergency Response Team (AFCERT) at locations all over the world. As often happened, the development group on the ASIM project formed a commercial company in 1994, the Wheel Group. Their product, NetRanger, was the first commercially viable network intrusion detection device management system.

The intrusion detection market began to gain in popularity and truly generate revenue around 1997. In that year the security market leader, ISS, developed a network intrusion detection system called RealSecure. A year later, Cisco recognized the importance of network intrusion detection and purchased the Wheel Group, attaining a security solution they could provide to their customers. Similarly, the first visible host-based intrusion detection company, Centrax Corporation, emerged from a merger of the development staff from Haystack Labs and the CMDS team that had left SAIC. From there, the commercial IDS world expanded its market base, and a roller-coaster ride of start-up companies, mergers and acquisitions ensued.

Figure 1: Number of incidents reported (chart from US-CERT)

The above chart from US-CERT shows how cyber incidents have risen in the current Internet environment; this is what motivates the deployment of an IDS within a network security system.

II. INTRUSION DETECTION SYSTEM TECHNIQUES

Intuitively, intrusions in an information system are the activities that violate the security policy of the system, and intrusion detection is the process used to identify intrusions. Intrusion detection has been studied for decades. It is based on the beliefs that an intruder's behaviour will be noticeably different from that of a legitimate user and that many unauthorized actions will therefore be detectable. By detection technique, intrusion detection systems fall into three categories:

A. Signature based detection systems,
B. Anomaly based detection systems,
C. Specification based detection systems.

A. Signature based detection systems

Signature based detection (also called misuse based detection) is very effective against known attacks. It depends on receiving regular updates of attack patterns and is unable to detect previously unknown threats or new variants of known ones.

One big challenge of signature-based IDS is that every signature requires an entry in the database, so a complete database may contain hundreds or even thousands of entries, and each packet has to be compared with all of them. This is very resource-consuming; it slows down throughput and makes the IDS vulnerable to DoS attacks. Some IDS evasion tools exploit exactly this weakness: they flood the signature-based IDS with so many packets that it cannot keep up with the traffic, so the IDS times out and drops packets and, as a result, may miss attacks. Further, this type of IDS remains vulnerable to unknown attacks, since it can only detect what is described by the signatures currently in its database.

B. Anomaly based detection systems

This type of detection depends on classifying network activity as either normal or anomalous. The classification is based on rules or heuristics rather than on patterns or signatures, so to implement such a system we first need to know the normal behaviour of the network. Unlike misuse-based detection, anomaly-based detection can detect previously unknown threats, but its false positive rate is likely to be higher.

The signature of a new attack is not known before the attack has been detected and carefully analyzed, and it is difficult to draw conclusions from a small number of packets. Anomaly-based systems instead detect abnormal behaviour and generate alarms based on abnormal patterns in network traffic or application behaviour. Typical anomalous behaviours that may be captured include:

1) misuse of network protocols, such as overlapping IP fragments or running a standard protocol on a non-standard ("stealthy") port;
2) uncharacteristic traffic patterns, such as more UDP packets than TCP packets;
3) suspicious patterns in application payloads.

The big challenges of anomaly-based detection are defining what normal network behaviour is, deciding the threshold that triggers an alarm, and preventing false alarms. The users of the network are normally human, and people are hard to predict. If the normal model is not defined carefully, there will be many false alarms and the detection system will suffer from degraded performance.

C. Specification based detection systems

This type of detection monitors processes (or protocols) and compares their actual behaviour against a specification of what the program is permitted to do; any deviation from the specification raises an alert. The specification must be maintained and updated whenever a change is made to the monitored programs. Because the specification describes legitimate behaviour rather than known attacks, previously unknown attacks can be detected, and the number of false positives can be lower than with the anomaly detection approach.
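As an added example (not code from the paper), the following Python script contrasts the two techniques of sections II.A and II.B on constructed packet records. A small illustrative signature database is matched against every packet, with an inspection budget that models the packet-flooding evasion described above, and a UDP/TCP-ratio anomaly detector is trained on constructed "normal" windows and run with two thresholds to show the false-alarm trade-off. The signatures, payloads, baseline windows and thresholds are all assumptions made for the example.

```python
"""Signature- versus anomaly-based detection on constructed packet records.

Added illustration, Python 3 standard library only. The packets, signatures,
baseline windows and thresholds below are constructed for the example and are
not captured traffic or a real signature database.
"""
import re
import statistics
from collections import Counter

# A packet record is (protocol, destination port, payload bytes).
def http(payload):
    return ("tcp", 80, payload)

def dns(payload=b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01"):
    return ("udp", 53, payload)

# --- Signature (misuse) detection -------------------------------------------
# Illustrative signatures: (name, protocol, port, payload pattern). Every packet
# is compared against every entry, which is the cost the paper describes.
SIGNATURES = [
    ("php-cgi-arg-injection", "tcp", 80, re.compile(rb"\?-d\s+allow_url_include")),
    ("dns-any-query", "udp", 53, re.compile(rb"\x00\xff\x00\x01$")),
]

def signature_scan(packets, budget=None):
    """Return (packet index, signature name) for every match.

    `budget` models an engine that can only inspect that many packets per
    window; later packets are dropped unseen. Flooding the sensor with decoy
    traffic therefore pushes a real attack past the budget.
    """
    alerts = []
    for i, (proto, dport, payload) in enumerate(packets):
        if budget is not None and i >= budget:
            break  # the IDS cannot keep up; remaining packets are never inspected
        for name, sproto, sport, pattern in SIGNATURES:
            if proto == sproto and dport == sport and pattern.search(payload):
                alerts.append((i, name))
    return alerts

# --- Anomaly detection ------------------------------------------------------
def udp_ratio(window):
    """Fraction of UDP among TCP+UDP packets in one observation window."""
    counts = Counter(proto for proto, _, _ in window)
    total = counts["udp"] + counts["tcp"]
    return counts["udp"] / total if total else 0.0

def build_baseline(normal_windows):
    """Learn the 'normal' model: mean and standard deviation of the UDP ratio."""
    ratios = [udp_ratio(w) for w in normal_windows]
    return statistics.mean(ratios), statistics.pstdev(ratios)

def anomaly_scan(windows, baseline, k):
    """Alarm on windows whose UDP ratio exceeds mean + k * sd."""
    mean, sd = baseline
    return [i for i, w in enumerate(windows) if udp_ratio(w) > mean + k * sd]

# --- Constructed traffic ----------------------------------------------------
NORMAL_WINDOWS = [
    [http(b"GET /index.html HTTP/1.1\r\n")] * 9 + [dns()],
    [http(b"GET /about HTTP/1.1\r\n")] * 8 + [dns()] * 2,
    [http(b"POST /login HTTP/1.1\r\n")] * 9 + [dns()],
    [http(b"GET /logo.png HTTP/1.1\r\n")] * 7 + [dns()] * 3,
]
BASELINE = build_baseline(NORMAL_WINDOWS)

# Known attack: one exploit request among ordinary traffic (protocol mix normal).
KNOWN_ATTACK = [http(b"GET /index.html HTTP/1.1\r\n")] * 9 + [
    http(b"GET /index.php?-d allow_url_include=1 HTTP/1.1\r\n")]
# Unknown attack: UDP flood to a port for which no signature exists.
UDP_FLOOD = [http(b"GET /index.html HTTP/1.1\r\n")] * 2 + [("udp", 9999, b"\x00" * 8)] * 8
# Benign DNS burst: legitimate but unusual protocol mix.
DNS_BURST = [http(b"GET /index.html HTTP/1.1\r\n")] * 6 + [dns()] * 4
# Flood evasion: 50 decoy packets in front of the exploit request.
FLOODED = [http(b"GET /noise HTTP/1.1\r\n")] * 50 + KNOWN_ATTACK[-1:]

if __name__ == "__main__":
    print("signature, known attack:", signature_scan(KNOWN_ATTACK))
    print("signature, udp flood:   ", signature_scan(UDP_FLOOD))
    print("signature, flooded:     ", signature_scan(FLOODED, budget=20))
    for k in (2, 3):
        print(f"anomaly k={k}:", anomaly_scan([KNOWN_ATTACK, UDP_FLOOD, DNS_BURST], BASELINE, k))
```

The signature engine finds the known exploit request but nothing in the UDP flood, and with an inspection budget of 20 packets the flooded window hides the exploit entirely. The anomaly detector flags the UDP flood without any signature, but at k = 2 it also flags the benign DNS burst; raising the threshold to k = 3 removes that false alarm, which is the threshold-selection problem the section describes.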

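The specification-based approach of section II.C, as an added example rather than anything from the paper: a hypothetical server process named `wwwd`, a constructed audit trail in a simple key=value format, and a hand-written specification of what that program may do. An event is legitimate only if some entry of the specification allows it, so an exploit the specification never anticipated is caught, while a legitimate new feature is flagged until the specification is updated. The process name, paths, audit format and rules are all assumptions.

```python
"""Specification-based detection over a process's audit trail.

Added illustration, Python 3 standard library only. The audit-trail format,
the hypothetical server process `wwwd` and the specification are constructed
for the example; they do not describe any real product.
"""
import shlex

# The specification lists what wwwd is permitted to do: (syscall, predicate on
# the event's fields). An event is legitimate if at least one entry allows it.
# Nothing here describes an attack, so unknown attacks are caught as deviations.
def under(prefix):
    return lambda f: f.get("path", "").startswith(prefix)

SPEC = [
    ("accept", lambda f: True),
    ("read",   lambda f: True),
    ("close",  lambda f: True),
    ("write",  lambda f: f.get("fd_type") == "socket"),
    ("write",  under("/var/log/wwwd/")),
    ("openat", lambda f: under("/var/www/html/")(f) and f.get("flags") == "O_RDONLY"),
    ("openat", under("/var/log/wwwd/")),
]

def parse_event(line):
    """Turn 'key=value key=value ...' into a dict (constructed audit format)."""
    return dict(token.split("=", 1) for token in shlex.split(line))

def check_trace(lines, spec=SPEC, program="wwwd"):
    """Return (line number, syscall, target) for every event outside the spec."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        event = parse_event(line)
        if event.get("comm") != program:
            continue  # events of other processes are outside this specification
        if not any(name == event["syscall"] and allow(event) for name, allow in spec):
            alerts.append((lineno, event["syscall"], event.get("path") or event.get("exe", "")))
    return alerts

# Constructed audit trails (not real audit logs).
NORMAL_TRACE = [
    "pid=812 comm=wwwd syscall=accept",
    "pid=812 comm=wwwd syscall=read fd_type=socket",
    "pid=812 comm=wwwd syscall=openat path=/var/www/html/index.html flags=O_RDONLY",
    "pid=812 comm=wwwd syscall=read fd_type=file",
    "pid=812 comm=wwwd syscall=write fd_type=socket",
    "pid=812 comm=wwwd syscall=close",
    "pid=812 comm=wwwd syscall=openat path=/var/log/wwwd/access.log flags=O_WRONLY|O_APPEND",
    "pid=812 comm=wwwd syscall=write path=/var/log/wwwd/access.log",
    "pid=900 comm=cron syscall=execve exe=/usr/bin/run-parts",
]
# A previously unknown exploit: directory traversal followed by a shell.
EXPLOIT_TRACE = [
    "pid=812 comm=wwwd syscall=accept",
    "pid=812 comm=wwwd syscall=read fd_type=socket",
    "pid=812 comm=wwwd syscall=openat path=/etc/passwd flags=O_RDONLY",
    "pid=812 comm=wwwd syscall=execve exe=/bin/sh",
]
# A legitimate new feature (uploads) that the specification does not yet cover.
UPLOAD_TRACE = [
    "pid=812 comm=wwwd syscall=openat path=/var/www/uploads/report.bin flags=O_WRONLY|O_CREAT",
]
# The specification has to be updated whenever the program changes.
UPLOAD_SPEC = SPEC + [("openat", under("/var/www/uploads/"))]

if __name__ == "__main__":
    print("normal: ", check_trace(NORMAL_TRACE))
    print("exploit:", check_trace(EXPLOIT_TRACE))
    print("upload, old spec:", check_trace(UPLOAD_TRACE))
    print("upload, new spec:", check_trace(UPLOAD_TRACE, UPLOAD_SPEC))
```

The normal trace produces no alerts, the exploit trace produces two (the read of /etc/passwd and the execve of /bin/sh) with no signature involved, and the upload trace is flagged until the specification is extended, which illustrates both the low false-positive rate and the maintenance burden the section mentions.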
III. CLASSIFICATION OF INTRUSION DETECTION SYSTEM

When the source of the data used for intrusion detection is considered, another classification of intrusion detection systems can be made, in terms of the type of protected system. There is a family of IDS tools that use information derived from a single host (system), the host based IDS (HIDS); there are IDSs that exploit information obtained from a whole segment of a local network, the network based IDS (NIDS); and there is the combined, hybrid intrusion detection system. By this criterion, intrusion detection systems are classified into three types:

a. Host based IDS
b. Network based IDS
c. Hybrid based IDS

A. Host based IDS (HIDS)

This type is placed on one device, such as a server or workstation, where the data is collected from different sources and analyzed locally on the machine. A HIDS can use both anomaly and misuse detection.

A host intrusion detection system consists of software agents installed on the workstations that are to be monitored. The agents monitor the operating system and write data to log files and/or trigger alarms. A HIDS can only monitor the individual workstations on which its agents are installed; it cannot monitor the entire network. Host based IDS are used to monitor intrusion attempts on critical servers.

The drawbacks of host intrusion detection systems are:
• it is difficult to analyze intrusion attempts that span multiple computers;
• HIDS can be very difficult to maintain in large networks with different operating systems and configurations;
• HIDS can be disabled by attackers once the system is compromised.

Several kinds of host-based monitors can be distinguished:

Systems that monitor incoming connection attempts (RealSecure Agent, PortSentry). These examine the host's incoming and outgoing network connections, in particular unauthorized connection attempts to TCP or UDP ports, and can also detect incoming port scans.

Systems that examine network traffic (packets) that attempts to access the host. These systems protect the host by intercepting suspicious packets and looking for aberrant payloads.

Systems that monitor login activity on their protected host (HostSentry). Their role is to monitor log-in and log-out attempts, looking for unusual activity on a system, such as activity occurring at unexpected times or from particular network locations, or detecting multiple login attempts (particularly failed ones).

The HIDS that look only at their host's traffic can easily detect local-to-local or local-to-root attacks, since they have a clear concept of locally available information; for example, they can make use of user IDs. Also, anomaly detection tools offer better coverage of internal problems, since their detection ability is based on the normal behaviour patterns of the user.

The HIDS resides on a particular computer and provides protection for that specific computer system. It is not only equipped with system monitoring facilities but also includes the other modules of a typical IDS.

HIDS products such as Dragon Squire, Emerald eXpert-BSM, NFR HID and Intruder Alert perform this type of monitoring, as can Snort when it is run on the host it protects (Snort is primarily a network sensor).

B. Network based IDS (NIDS)

A network intrusion detection system usually consists of a network appliance (or sensor) with a network interface card (NIC) operating in promiscuous mode and a separate management interface. The IDS is placed along a network segment or boundary and monitors all traffic on that segment.

NIDS are deployed at strategic points in the network infrastructure. A NIDS can capture and analyze data to detect known attacks by comparing traffic with the patterns or signatures in its database, or detect illegal activities by scanning traffic for anomalous activity. NIDS are also referred to as "packet sniffers", because they capture the packets passing through the communication medium.

The network-based type of IDS produces data about local network usage. The NIDS reassembles and analyzes all network packets that reach the network interface card operating in promiscuous mode. It does not deal only with packets going to a specific host: all the machines in a network segment benefit from the protection of the NIDS. Network-based IDS can also be installed on active network elements, for example on routers.

Since the detection of some intrusions (for example flood-type attacks) employs statistical data on the network load, a certain type of dedicated NIDS can be separately distinguished, for example those that monitor the traffic (Novell Analyzer, Microsoft Network Monitor). These capture all packets that they see on the network segment without analyzing them, and focus only on producing network traffic statistics.
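An added example (not from the paper) of the sensor logic behind the NIDS of section III.B: raw Ethernet/IPv4/TCP frames are decoded with the standard library and per-source SYN statistics are kept, so that a flood-type attack shows up in the traffic statistics. A real sensor would read the frames from a NIC in promiscuous mode (a raw socket or libpcap); here the frames are constructed in-process so the script runs offline, and the addresses, ports and threshold are assumptions.

```python
"""Minimal NIDS sensor logic: decode raw Ethernet/IPv4/TCP frames and keep
per-source SYN statistics to flag a flood-type attack.

Added illustration, Python 3 standard library only. A real sensor reads the
frames from a NIC in promiscuous mode (raw socket or libpcap); here they are
constructed in-process so the example runs offline. Addresses, ports and the
threshold are assumptions.
"""
import struct
from collections import Counter

ETH_IPV4 = 0x0800
TCP_SYN, TCP_ACK = 0x02, 0x10

def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Construct an Ethernet II + IPv4 + TCP frame (no options, no payload)."""
    eth = bytes(12) + struct.pack("!H", ETH_IPV4)              # MACs zeroed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

def decode_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, tcp_flags), or None if not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, sport, dport, ip[ihl + 13]   # byte 13 of the TCP header holds the flags

def syn_statistics(frames):
    """Per source address: number of SYNs sent and number of plain ACKs sent."""
    syns, acks = Counter(), Counter()
    for frame in frames:
        decoded = decode_frame(frame)
        if decoded is None:
            continue
        src, _, _, _, flags = decoded
        if flags & TCP_SYN and not flags & TCP_ACK:
            syns[src] += 1
        elif flags & TCP_ACK and not flags & TCP_SYN:
            acks[src] += 1
    return syns, acks

def syn_flood_sources(frames, syn_threshold=20):
    """Sources that sent many SYNs but completed few handshakes (few ACKs)."""
    syns, acks = syn_statistics(frames)
    return sorted(src for src, n in syns.items()
                  if n >= syn_threshold and acks[src] * 2 < n)

# Constructed traffic: five clients completing handshakes, and one source
# sending SYNs from 30 different ports without ever acknowledging.
SERVER = "192.0.2.10"
NORMAL_FRAMES = []
for i in range(1, 6):
    client = f"10.0.0.{i}"
    for sport in (40000, 40001, 40002):
        NORMAL_FRAMES += [build_frame(client, SERVER, sport, 80, TCP_SYN),
                          build_frame(SERVER, client, 80, sport, TCP_SYN | TCP_ACK),
                          build_frame(client, SERVER, sport, 80, TCP_ACK)]
FLOOD_FRAMES = [build_frame("10.0.0.66", SERVER, 50000 + i, 80, TCP_SYN) for i in range(30)]

if __name__ == "__main__":
    print("normal only:", syn_flood_sources(NORMAL_FRAMES))
    print("with flood: ", syn_flood_sources(NORMAL_FRAMES + FLOOD_FRAMES))
```

The decoder ignores anything that is not IPv4 over Ethernet or not TCP, which is what a sensor in promiscuous mode must do with the unrelated traffic it sees. The statistic is deliberately simple: a source that sends at least 20 SYNs and acknowledges fewer than half of them is reported, which separates the constructed flooder from the clients that complete their handshakes.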
Typical network-based intrusion detection systems are Cisco Secure IDS (formerly NetRanger), Hogwash, Dragon and E-Trust IDS.

C. Hybrid based IDS

A hybrid IDS combines the management and alerting of both network and host based intrusion detection devices, and provides the logical complement to NID and HID: central intrusion detection management. Both network and host based IDS have their own advantages and disadvantages. Network based IDS are easier to deploy and are less expensive to purchase and maintain. However, their performance depends on known security exploits and signatures; if a new exploit is used that the IDS is unaware of, the system could easily fail to detect the attack. A host based IDS is only as good as the security administrator who maintains and monitors it, and becoming skilled at maintaining and monitoring this software can be a daunting task. Therefore, the best approach is to use a combination of the best features of network based and host based IDS to improve resistance to attacks and to provide greater flexibility. This approach is commonly referred to as a hybrid IDS.
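An added example (Python, not the paper's code) that serves both the login-monitoring HIDS of section III.A and the centrally managed hybrid IDS of section III.C: a HIDS rule over a constructed sshd-style authentication log flags bursts of failed logins and successful logins at unexpected times, and a correlation step then merges those host alerts with constructed NIDS alerts for the same host and source address, ranking incidents by whether both kinds of evidence agree. The log format, host name, addresses, thresholds and time windows are assumptions.

```python
"""Hybrid IDS correlation: a host login-monitoring rule plus network alerts.

Added illustration, Python 3 standard library only. The sshd-style log lines,
the NIDS alerts, host names, addresses, thresholds and time windows are all
constructed for the example and do not come from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

def hids_login_alerts(lines, max_failures=5, window=timedelta(minutes=10),
                      work_hours=(7, 20)):
    """HIDS rule over one host's authentication log.

    Alerts on a burst of failed logins from one source address inside
    `window`, and on a successful login outside `work_hours` (local time).
    Returns (host, kind, source ip, timestamp) tuples.
    """
    failures = defaultdict(list)            # (host, ip) -> recent failure times
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue                         # not an authentication event
        ts, host, ip = datetime.fromisoformat(m["ts"]), m["host"], m["ip"]
        if m["result"] == "Failed":
            recent = [t for t in failures[host, ip] if ts - t <= window] + [ts]
            failures[host, ip] = recent
            if len(recent) == max_failures:  # fire once when the burst is reached
                alerts.append((host, "login-burst", ip, ts))
        elif not work_hours[0] <= ts.hour < work_hours[1]:
            alerts.append((host, "off-hours-login", ip, ts))
    return alerts

def correlate(hids_alerts, nids_alerts, window=timedelta(minutes=30)):
    """Central console step: merge host and network evidence per (host, source).

    An incident with host evidence and a network alert within `window` of it is
    rated high; host-only evidence medium; network-only evidence low.
    """
    evidence = defaultdict(lambda: {"host": [], "network": []})
    for host, kind, ip, ts in hids_alerts:
        evidence[host, ip]["host"].append((ts, kind))
    for a in nids_alerts:
        evidence[a["dst"], a["src"]]["network"].append((a["ts"], a["sig"]))
    incidents = []
    for (host, ip), ev in evidence.items():
        near = any(abs(ht - nt) <= window for ht, _ in ev["host"] for nt, _ in ev["network"])
        severity = "high" if near else "medium" if ev["host"] else "low"
        incidents.append({"host": host, "src": ip, "severity": severity,
                          "host_evidence": [k for _, k in ev["host"]],
                          "network_evidence": [s for _, s in ev["network"]]})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(incidents, key=lambda inc: order[inc["severity"]])

# Constructed sshd-style log of host web01 (timestamps are local time).
AUTH_LOG = [
    "2012-08-14T02:13:05 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "2012-08-14T02:13:09 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2",
    "2012-08-14T02:13:14 web01 sshd[1205]: Failed password for root from 203.0.113.9 port 51251 ssh2",
    "2012-08-14T02:13:20 web01 sshd[1207]: Failed password for root from 203.0.113.9 port 51262 ssh2",
    "2012-08-14T02:13:27 web01 sshd[1209]: Failed password for root from 203.0.113.9 port 51270 ssh2",
    "2012-08-14T02:13:33 web01 sshd[1211]: Failed password for root from 203.0.113.9 port 51281 ssh2",
    "2012-08-14T02:20:41 web01 sshd[1260]: Accepted password for root from 203.0.113.9 port 51301 ssh2",
    "2012-08-14T09:02:11 web01 sshd[2210]: Failed password for alice from 10.0.0.5 port 40111 ssh2",
    "2012-08-14T09:02:18 web01 sshd[2210]: Accepted password for alice from 10.0.0.5 port 40111 ssh2",
    "2012-08-14T09:03:00 web01 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)",
]
# Constructed alerts from a NIDS sensor watching the segment in front of web01.
NIDS_ALERTS = [
    {"ts": datetime(2012, 8, 14, 2, 12, 50), "src": "203.0.113.9", "dst": "web01",
     "sig": "SSH brute force: many connections to tcp/22"},
    {"ts": datetime(2012, 8, 14, 1, 40, 0), "src": "198.51.100.7", "dst": "web01",
     "sig": "TCP port scan"},
]

if __name__ == "__main__":
    host_alerts = hids_login_alerts(AUTH_LOG)
    for inc in correlate(host_alerts, NIDS_ALERTS):
        print(inc)
```

The single daytime typo by a legitimate user produces nothing, while the night-time burst from 203.0.113.9 followed by a successful root login produces two host alerts; because the NIDS saw the same source hammering tcp/22 on the same host a few seconds earlier, the console rates that incident high, whereas the port scan from 198.51.100.7, for which the host shows no corroborating evidence, stays low. This is the complementarity the section argues for: the network sensor would have seen the brute force even if the host agent had been disabled, and the host agent alone confirms that the login actually succeeded.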
IV. CONCLUSION

Intrusion detection continues to be an active research field. An intrusion detection system is part of the defensive operations that complement defences such as firewalls and UTMs. The intrusion detection system basically detects signs of attack and then alerts. According to detection methodology, intrusion detection systems are typically categorized as misuse detection and anomaly detection systems. From the deployment perspective, they are classified as network based or host based IDS. In current intrusion detection systems, information is collected from both network and host resources. Moreover, reconstructing attack scenarios from intrusion alerts and the integration of IDSs will improve both the usability and the performance of IDSs. Many researchers and practitioners are actively addressing these problems. In terms of performance, an intrusion detection system becomes more accurate as it detects more attacks and raises fewer false positive alarms.

Authors Profile:

K. Rajasekaran received his B.Sc. degree in Computer Science from Vysya College, Salem, India and his M.C.A. degree from K.S.R. College of Technology, Tiruchengode, India. He also received his M.Phil. degree in Computer Science from Periyar University. He is now doing his Ph.D. in Computer Science at the Research and Development Centre, Bharathiar University, Coimbatore, India. His fields of interest are Networks, Data Mining and Computer Architecture.

Dr. K. Nirmala received her Ph.D. degree in Computer Science from NITTTR, Taramani, University of Madras, Chennai, India. She has fifteen years of teaching experience in the field of Computer Science at college level. Since 1997 she has been working at various levels in the Department of Higher Education, Tamil Nadu, India. She is now working as Associate Professor of Computer Science, Quaid-E-Millath Govt. College for Women, Chennai, India. Her fields of interest are Data Mining, Networks and Operating Systems. She has presented and published many technical papers at national and international conferences and in journals.
