Classification and Importance of Intrusion Detection System
(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 10, No. 8, August 2012

K Rajasekaran
Research Scholar, Research & Development Centre, Bharathiar University, Coimbatore, India.
krs.salem@gmail.com

Dr. K Nirmala
Associate Professor in Computer Science, Quaid-E-Millath Govt. College for Women, Chennai, India.
nimimca@gmail.com

Abstract: An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Due to a growing number of intrusion events, and because the Internet and local networks have become so ubiquitous, organizations are increasingly implementing various systems that monitor IT security breaches. This paper gives an overview of the classification of intrusion detection systems and introduces the reader to some fundamental concepts of IDS methodology: audit trail analysis and on-the-fly processing, as well as anomaly detection and signature detection approaches. It discusses the primary intrusion detection techniques and the classification of intrusion detection systems.

Keywords: Intrusion Detection, signature, anomaly, specification, classification

I. INTRODUCTION

The main aim of intrusion detection is to monitor network assets to detect anomalous behaviour and misuse in the network. Intrusion detection has been around for nearly twenty years, but only recently has it seen a dramatic rise in popularity and incorporation into the overall information security infrastructure. Beginning in the 1980s, James Anderson's seminal paper, written for a government organization, introduced the notion that audit trails contained vital information that could be valuable in tracking misuse and understanding user behaviour. With the release of Anderson's paper, the concept of "detecting" misuse and specific user events emerged. His work was the start of the host-based intrusion detection technique and of IDS in general.

Commercial development of intrusion detection technologies began in the 1990s. Haystack Labs was the first commercial vendor of IDS tools, with its Stalker line of host-based products. SAIC was also developing a form of host-based intrusion detection; this system is called the Computer Misuse Detection System (CMDS).

Simultaneously, the Air Force's Cryptologic Support Center developed the Automated Security Measurement System (ASIM) to monitor network traffic on the US Air Force's network. ASIM also made considerable progress in overcoming the scalability and portability issues that had previously plagued NID products. Additionally, ASIM was the first solution to incorporate both a hardware and a software solution to network intrusion detection. ASIM is currently in use and managed by the Air Force's Computer Emergency Response Team (AFCERT) at locations all over the world. As often happened, the development group on the ASIM project formed a commercial company in 1994, the Wheel Group. Their product, NetRanger, was the first commercially viable network intrusion detection device management system.

The intrusion detection market began to gain in popularity and truly generate revenues around 1997. In that year the security market leader, ISS, developed a network intrusion detection system called RealSecure. A year later, Cisco recognized the importance of network intrusion detection and purchased the Wheel Group, attaining a security solution they could provide to their customers. Similarly, the first visible host-based intrusion detection company, Centrex Corporation, emerged as a result of a merger of the development staff from Haystack Labs and the departure of the CMDS team from SAIC. From there, the commercial IDS world expanded its market base, and a roller-coaster ride of start-up companies, mergers, and acquisitions ensued.
Figure 1: Number of incidents reported (chart from US-CERT; image not reproduced)

The above chart from US-CERT shows how cyber incidents have risen in the current Internet environment; this establishes the requirement for IDS deployment in a network security system.

II. INTRUSION DETECTION SYSTEM TECHNIQUES

Intuitively, intrusions in an information system are the activities that violate the security policy of the system, and intrusion detection is the process used to identify intrusions. Intrusion detection has been studied for approximately 20 years. It is based on the beliefs that an intruder's behavior will be noticeably different from that of a legitimate user and that many unauthorized actions will be detectable. Intrusion detection techniques are classified into three categories, listed below.

A. Signature based detection systems
B. Anomaly based intrusion detection systems
C. Specification based detection systems

A. Signature based detection systems

Signature based detection (also called misuse based detection) is very effective against known attacks. It depends on receiving regular updates of attack patterns and is unable to detect previously unknown threats or new releases of known attacks.

One big challenge of signature-based IDS is that every signature requires an entry in the database, so a complete database might contain hundreds or even thousands of entries. Each packet has to be compared with all the entries in the database. This can be very resource-consuming; it slows down the throughput and makes the IDS vulnerable to DoS attacks. Some IDS evasion tools use this weakness and flood the signature-based IDS with so many packets that the IDS cannot keep up with the traffic, making it time out and drop packets and, as a result, possibly miss attacks. Further, this type of IDS remains vulnerable to unknown attacks, as it relies on the signatures currently in the database to detect attacks.

B. Anomaly based detection system

This type of detection depends on classifying network activity as normal or anomalous. The classification is based on rules or heuristics rather than on patterns or signatures, so to implement such a system we first need to know the normal behaviour of the network. Unlike the misuse based detection system, an anomaly based detection system can detect previously unknown threats, but the false positive rate is more likely to rise.

The signature of a new attack is not known before it is detected and carefully analyzed, so it is difficult to draw conclusions based on a small number of packets. In this case, anomaly-based systems detect abnormal behaviors and generate alarms based on abnormal patterns in network traffic or application behaviors. Typical anomalous behaviors that may be captured include:

1) Misuse of network protocols, such as overlapped IP fragments and running a standard protocol on a stealthy port;
2) Uncharacteristic traffic patterns, such as more UDP packets compared to TCP ones;
3) Suspicious patterns in application payload.

The big challenges of anomaly based detection systems are defining what normal network behavior is, deciding the threshold to trigger the alarm, and preventing false alarms. The users of the network are normally human, and people are hard to predict. If the normal model is not defined carefully, there will be lots of false alarms and the detection system will suffer from degraded performance.

C. Specification based detection system

This type of detection system monitors processes and matches their actual behaviour against a specification of the program; any abnormal behaviour raises an alert. The specifications must be maintained and updated whenever a change is made to the monitored programs. This approach can detect both previously seen and unknown attacks, with a number of false positives that can be lower than that of the anomaly detection approach.
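As an added illustration (not code from the paper), the following Python toy implements the two detection approaches of section II side by side over constructed packet records: a signature scan that compares every packet with every database entry, and an anomaly detector that learns a baseline UDP share from "normal" windows and alarms on the UDP-versus-TCP pattern listed above once a fixed threshold is passed. The traffic windows, the signature database and the threshold are all constructed assumptions.

```python
"""Added illustration of signature based (II.A) and anomaly based (II.B) detection.
Not code from the paper; the traffic, signatures and threshold below are constructed."""
from collections import Counter
from statistics import mean, pstdev

# Constructed packet records: (protocol, destination port, payload). Not real traffic.
BASELINE = [  # three windows of "normal" traffic used to learn the model
    [("TCP", 80, b"GET / HTTP/1.1"), ("TCP", 443, b"\x16\x03\x01"), ("UDP", 53, b"dns-query"),
     ("TCP", 80, b"GET /index HTTP/1.1"), ("TCP", 22, b"SSH-2.0")],
    [("TCP", 80, b"GET /a HTTP/1.1"), ("TCP", 443, b"\x16\x03\x01"), ("UDP", 53, b"dns-query"),
     ("TCP", 443, b"\x16\x03\x01"), ("UDP", 123, b"ntp")],
    [("TCP", 80, b"GET /b HTTP/1.1"), ("TCP", 22, b"SSH-2.0"), ("UDP", 53, b"dns-query"),
     ("TCP", 80, b"GET /c HTTP/1.1"), ("TCP", 25, b"EHLO mail")],
]
SUSPECT = [  # a window dominated by UDP that also carries a known pattern
    ("UDP", 53, b"dns-query"), ("UDP", 53, b"dns-query"), ("UDP", 53, b"dns-query"),
    ("TCP", 80, b"GET /../../etc/passwd HTTP/1.1"), ("UDP", 53, b"dns-query"),
    ("UDP", 53, b"dns-query"),
]
# Constructed signature database: every entry is checked against every packet.
SIGNATURES = {"sig-001": b"/etc/passwd", "sig-002": b"<script>"}


def signature_scan(packets, signatures=SIGNATURES):
    """Misuse detection: return (packet index, signature id) for each match.
    Cost grows with packets x signatures, the load the paper warns about."""
    return [(i, sid) for i, (_, _, payload) in enumerate(packets)
            for sid, pattern in signatures.items() if pattern in payload]


def udp_share(packets):
    """Fraction of packets in the window that are UDP (0.0 for an empty window)."""
    counts = Counter(proto for proto, _, _ in packets)
    total = sum(counts.values())
    return counts["UDP"] / total if total else 0.0


def build_profile(windows, min_sigma=0.05):
    """Learn the normal model: mean and spread of the UDP share over baseline windows.
    The spread is floored so a near-constant baseline does not alert on tiny changes."""
    shares = [udp_share(w) for w in windows]
    return mean(shares), max(pstdev(shares), min_sigma)


def anomaly_score(packets, profile):
    """How many spreads above the learned mean this window's UDP share lies."""
    mu, sigma = profile
    return (udp_share(packets) - mu) / sigma


def anomaly_alert(packets, profile, threshold=3.0):
    """Alarm only when the score passes the operator-chosen threshold."""
    return anomaly_score(packets, profile) > threshold


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    print("signature hits:", signature_scan(SUSPECT))
    print("anomaly score %.2f, alert=%s" % (anomaly_score(SUSPECT, prof), anomaly_alert(SUSPECT, prof)))
```

Lowering the threshold or the spread floor makes the baseline windows themselves start alarming, which is the false-positive trade-off the section describes.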
III. CLASSIFICATION OF INTRUSION DETECTION SYSTEM

When considering the area that is the source of the data used for intrusion detection, another classification of intrusion detection systems can be made in terms of the type of the protected system. There is a family of IDS tools that use information derived from a single host (system), the host based IDS (HIDS); those IDSs that exploit information obtained from a whole segment of a local network (network based IDS, i.e. NIDS); and the combined hybrid based intrusion detection system. Intrusion detection systems are thus mainly classified into three types, listed below:

a. Host based IDS
b. Network based IDS
c. Hybrid based IDS

A. Host based IDS (HIDS)

This type is placed on one device such as a server or workstation, where the data is analyzed locally on the machine, collecting this data from different sources. HIDS can use both anomaly and misuse detection.

A Host Intrusion Detection System (HIDS) consists of software applications (agents) installed on the workstations which are to be monitored. The agents monitor the operating system and write data to log files and/or trigger alarms. A HIDS can only monitor the individual workstations on which the agents are installed; it cannot monitor the entire network. Host based IDS systems are used to monitor any intrusion attempts on critical servers.

The drawbacks of Host Intrusion Detection Systems (HIDS) are:
• It is difficult to analyse intrusion attempts on multiple computers.
• HIDS can be very difficult to maintain in large networks with different operating systems and configurations.
• HIDS can be disabled by attackers after the system is compromised.

Several kinds of HIDS can be distinguished:

Systems that monitor incoming connection attempts (RealSecure Agent, PortSentry). These examine host-based incoming and outgoing network connections. They are particularly concerned with unauthorized connection attempts to TCP or UDP ports and can also detect incoming port scans.

Systems that examine network traffic (packets) that attempts to access the host. These systems protect the host by intercepting suspicious packets and looking for aberrant payloads (packet inspection).

Systems that monitor login activity onto the networking layer of their protected host (HostSentry). Their role is to monitor log-in and log-out attempts, looking for unusual activity on a system occurring at unexpected times or from particular network locations, or detecting multiple login attempts (particularly failed ones).

The HIDS that look only at their host traffic can easily detect local-to-local attacks or local-to-root attacks, since they have a clear concept of locally available information; for example, they can exploit user IDs. Also, anomaly detection tools feature a better coverage of internal problems, since their detection ability is based on the normal behavior patterns of the user.

The HIDS reside on a particular computer and provide protection for a specific computer system. They are not only equipped with system monitoring facilities but also include the other modules of a typical IDS.

HIDS products such as Snort, Dragon Squire, Emerald eXpert-BSM, NFR HID and Intruder Alert all perform this type of monitoring.

B. Network based IDS (NIDS)

A Network Intrusion Detection System (NIDS) usually consists of a network appliance (or sensor) with a Network Interface Card (NIC) operating in promiscuous mode and a separate management interface. The IDS is placed along a network segment or boundary and monitors all traffic on that segment.

NIDS are deployed at strategic points in the network infrastructure. The NIDS can capture and analyze data to detect known attacks by comparing traffic against the patterns or signatures in its database, or detect illegal activities by scanning traffic for anomalous activity. NIDS are also referred to as "packet sniffers", because they capture the packets passing through the communication medium.

The network-based type of IDS (NIDS) produces data about local network usage. The NIDS reassembles and analyzes all network packets that reach the network interface card operating in promiscuous mode. They do not only deal with packets going to a specific host, since all the machines in a network segment benefit from the protection of the NIDS. Network-based IDS can also be installed on active network elements, for example on routers.

Since intrusion detection (for example of flood-type attacks) employs statistical data on the network load, a certain type of dedicated NIDS can be separately
distinguished, for example those that monitor the traffic (Novell Analyzer, Microsoft Network Monitor). These capture all packets that they see on the network segment without analyzing them, focusing only on creating network traffic statistics.

Typical network-based intrusion detection systems are Cisco Secure IDS (formerly NetRanger), Hogwash, Dragon and E-Trust IDS.

C. Hybrid based IDS

A hybrid IDS combines the management and alerting of both network and host based intrusion detection devices, and provides the logical complement to NID and HID: central intrusion detection management. Both network and host based IDS have their own unique advantages and disadvantages. Network based IDS are easier to deploy and are less expensive to purchase and maintain. However, their performance depends on known security exploits and signatures. If a new exploit is used that the IDS is unaware of, the system could easily fail to detect the attack. A host based IDS is only as good as the security administrator who maintains and monitors it. Becoming skilled at maintaining and monitoring this software can be a daunting task. Therefore, the best approach is to use a combination of the best features of network based and host based IDS to improve resistance to attacks and to provide greater flexibility. This approach is commonly referred to as a hybrid IDS.

IV. CONCLUSION

Intrusion detection continues to be an active research field. An intrusion detection system is a part of the defensive operations that complements defences such as firewalls, UTM etc. The intrusion detection system basically detects signs of attack and then alerts. According to the detection methodology, intrusion detection systems are typically categorized as misuse detection and anomaly detection systems. From the deployment perspective, they are classified as network based or host based IDS. In current intrusion detection systems, information is collected from both network and host resources. Moreover, reconstructing attack scenarios from intrusion alerts and the integration of IDSs will improve both the usability and the performance of IDSs. Many researchers and practitioners are actively addressing these problems. In terms of performance, an intrusion detection system becomes more accurate as it detects more attacks and raises fewer false positive alarms.

Authors Profile:

K. Rajasekaran received his B.Sc. degree in Computer Science from Vysya College, Salem, India and his M.C.A. degree from K.S.R. College of Technology, Tiruchengode, India. He also received his M.Phil. degree in Computer Science from Periyar University. He is now doing his Ph.D. in Computer Science at the Research and Development Centre, Bharathiar University, Coimbatore, India. His fields of interest are Networks, Data Mining and Computer Architecture.

Dr. K. Nirmala received her Ph.D. degree in Computer Science from NITTTR, Taramani, University of Madras, Chennai, India. She has fifteen years of teaching experience in the field of Computer Science at college level. Since 1997 she has been working at various levels in the Department of Higher Education, Tamilnadu, India. She is now working as Associate Professor of Computer Science, Quaid-E-Millath Govt. College for Women, Chennai, India. Her fields of interest are Data Mining, Networks and Operating Systems. She has presented and published many technical papers at various national and international conferences and journals.