Intrusion Detection Systems (DOC) by saurabh1mukhekar

Intrusion Detection System



Security Concerns

Despite nearly universal efforts to protect corporate networks, today’s distributed organizations are still susceptible to a multitude of attacks. IT executives are challenged to extend security beyond the corporate backbone to protect a variety of potential vulnerabilities, including Internet connections, communication channels between remote and corporate offices and links between trusted business partners. Unfortunately, the preventive measures employed to secure corporate resources and internal traffic don’t provide the breadth or depth of analysis needed to identify attempted attacks or uncover potential threats across the organization.


Network Security Management

Security is the process of staying informed. The goals of security include Confidentiality (ensuring only authorized users can read or copy a given file or object), Control (only authorized users can decide when to allow access to information), Integrity (only authorized users can alter or delete a given file or object), Authenticity (correctness of attribution or description), Availability (no unauthorized user can deny authorized users timely access to files or other system resources), and Utility (fitness for a specified purpose). Network Security Management is the process of establishing and maintaining the policies, procedures, and practices required for protecting networked information system assets. The various tools and steps used today for maintaining corporate network security are indicated in Fig.1.

Fig.1 Information Security Market

Any security technology rests on a layered architecture called the Security Hierarchy. The security policy and standards form the foundation of this hierarchy; on top of them sit the further layers of security architecture and processes, security awareness and training, technology and products, and finally auditing, monitoring and investigation, all of which contribute to overall security.


Why are firewalls not enough?

Firewalls act as a barrier between corporate (internal) networks and the outside world (the Internet), and filter incoming traffic according to a security policy. A firewall thus provides a good amount of security, but not sufficient protection, for the following reasons:

1. Not all access to the Internet occurs through the firewall. Users, for a variety of reasons ranging from naiveté to impatience, sometimes set up unauthorized modem connections between their systems on the internal network and outside Internet access providers, or other avenues to the Internet. The firewall cannot mitigate the risk associated with connections it never sees.

2. Not all threats originate outside the firewall. A large share of the loss due to security incidents is traced to insiders: users who misuse their privileges or impersonate higher privileges. The firewall only sees traffic at the boundary between the internal network and the Internet; if the traffic reflecting a security breach never flows past the firewall, it cannot see the problem. Organizations use strong encryption to secure files and network connections, but in securing the network from the outside threat, the threat from within the network is almost completely forgotten. Intrusion detection systems are the only part of the infrastructure that is privy to the traffic on the internal network, so they will become even more important as security infrastructures evolve.

3. Firewalls are subject to attack themselves. Firewalls are not foolproof. A firewall generally makes its pass/deny decision on the basis of allowable network addresses. Intelligent firewalls may analyze the contents of packets of certain protocols, but they can only identify anomalies related to that protocol. A common attack strategy is to use tunneling to bypass firewall protections. Tunneling is the practice of encapsulating a message in one protocol (which might be blocked by the firewall's filters) inside a message of a second protocol; the inner message gets through because the firewall considers the outer, encapsulating message harmless.

To strengthen security, one cannot rely on any single tool. A firewall must therefore be complemented by intrusion detection tools.




Intrusion Detection Systems

1.4.1 Definition

Intrusion detection is the continuous, active attempt to discover or detect the presence of intrusive activity. It refers to all the processes used to discover unauthorized use of network or computer devices. This is achieved through software designed with the sole purpose of detecting unusual or abnormal activity; such software is called an Intrusion Detection System.

1.4.2 History of IDS

The original idea behind automated ID is credited to James P. Anderson who, in 1980, published a study outlining ways to improve computer security auditing and surveillance at customer sites. This paper paved the way to the development of misuse detection for mainframe systems. Between 1984 and 1986, Dorothy Denning and Peter Neumann researched and developed the first model of a real-time ID. This prototype was named the Intrusion Detection Expert System (IDES). IDES was initially a rule-based expert system trained to detect known malicious activity. This same system has been refined and enhanced to form what is known today as the Next-Generation Intrusion Detection Expert System (NIDES). During the last two decades, numerous projects like Discovery, Haystack, the Multics Intrusion Detection and Alerting System (MIDAS) and the Network Audit Director and Intrusion Reporter (NADIR) were all developed to detect intrusions.



1.4.3 Why do we require IDS?

To answer this question, we need to understand why intruders can get into systems. There are various reasons, of which the prominent ones are:

• Software bugs: buffer overflows, unexpected combinations, unhandled inputs, race conditions, etc. Software has bugs because programmers cannot track down and eliminate every possible hole.
• Password cracking: hackers have over time developed numerous ways to break into systems by guessing weak passwords or by dictionary and brute-force attacks.
• Design flaws: many systems developed early on were never designed to handle the wide-scale intrusion attempts seen today. These include flaws in the TCP/IP protocols, operating systems, etc.
• Sniffing unsecured traffic: much traffic on the Internet is not encrypted. Hackers can use programs that extract sensitive information from packets on the network, such as packet sniffers and port scanners.

A firewall cannot always handle attacks that exploit these flaws. Hence we require an IDS, which logically complements the firewall.




There are two ways to classify Intrusion Detection Systems.


Classification by Monitoring Approach

2.1.1 Application based IDS

Application-based intrusion detection sensors collect information at the application level. Examples of application-level data sources include logs generated by database management software, web servers, or firewalls. With the proliferation of Web-based electronic commerce, security will increasingly focus on interactions between users and application programs and data.

Advantages: • This approach allows targeting of finer grained activities on the system (e.g. one can monitor for a user utilizing a particular application feature.)

Disadvantages: • Application-layer vulnerabilities can undermine the integrity of application-based monitoring and detection approaches.

2.1.2 Host based IDS



A host-based IDS resides on the system being monitored and tracks changes made to important files and directories. It takes a snapshot of existing system files and compares it to the previous snapshot; if critical system files were modified or deleted, an alert is sent to the administrator to investigate. Host-based IDS are typically found on mission-critical machines that are not expected to change their configuration.

Host-based intrusion detection started in the early 1980s, before networks were as prevalent, complex and interconnected as they are today. In that simpler environment it was common practice to review audit logs for suspicious activity; intrusions were sufficiently rare that after-the-fact analysis proved adequate to prevent future attacks. Host-based intrusion detection tools normally employ agents that must be installed on the key systems to be protected. These agents must be custom built for each platform's hardware and software version, and their function is to continuously monitor host-generated logs. The agents monitor the state of the system and various kernel structures to verify the integrity of the system.

Today's host-based intrusion detection systems remain a powerful tool for understanding previous attacks and determining how to defeat their future application. Host-based IDS still use audit logs, but they are much more automated, having evolved sophisticated and responsive detection techniques. They typically monitor user and file activity, file accesses, changes to file permissions, attempts to install new executables (including Trojan horses) and attempts to access privileged services. Log files such as the security log on Windows NT and syslog in UNIX environments are monitored. When any of these files change, the IDS compares the new log entry with attack signatures to see if there is a match. If so, the system responds with administrator alerts and other calls to action.

Host-based IDS have grown to include other technologies. One popular method for detecting intrusions is to check key system files and executables via checksums at regular intervals for unexpected changes. The timeliness of the response is directly related to the polling interval. Some products listen to port activity and alert administrators when specific ports are accessed; this brings an elementary level of network-based intrusion detection into the host-based environment. One of the main benefits of host-based IDS is that it does not have to look for attack patterns; it only checks for changes within a specified set of rules. Most intrusion detection systems include default policies for specific operating systems. These policies vary with the design of the system being monitored. An administrator can use this information upon initial installation to learn the behavior of files and directories under normal system activity, and fine-tune the policy through trial and error.

Advantages:
• Systems can map problem activities to a specific user id
• Systems can track behavior changes associated with misuse
• Systems can operate in encrypted environments
• Systems can operate in switched network environments
• Systems can distribute the load associated with monitoring across available hosts on large networks, thereby cutting deployment costs
• Systems require no additional hardware


Disadvantages:
• Network activity is not visible to host-based detectors
• Running audit mechanisms can incur additional resource overhead
• When audit trails are used as data sources, they can take up significant storage
• Operating system vulnerabilities can undermine the integrity of host-based agents and analyzers
• Host-based agents must be more platform-specific, which adds to deployment costs
• Management and deployment costs associated with host-based systems are usually greater than in other approaches

Examples of host-based IDS are Symantec's Intruder Alert and Tripwire, developed at Purdue University by Gene Kim and Dr. Eugene Spafford.


2.1.3 Network based IDS

Network-based intrusion detection systems use raw network packets as the data source. A network-based IDS typically utilizes a packet sniffer, with a network interface or adapter running in promiscuous mode, to monitor and analyze all traffic in real time as it travels across the network.

There are two main forms of NIDS common in commercial products in use today. The first is the 'raw' pattern-matching NIDS, which compares the packets it captures against known attack patterns. This style can be considered a 'packet grep' NIDS: a system built around raw packet capture pumped through a regular-expression parser that finds patterns in the network traffic. Snort and Dragon are examples. Alternatively, a 'smart' NIDS interprets the packet and attempts to understand the protocol being captured in order to identify attacks. ISS RealSecure is an example of a smart NIDS.

Another variant of NIDS is the Network Node Intrusion Detection System (NNIDS), which analyzes the traffic passed from the network to a specific host. The difference between NIDS and NNIDS is that the traffic is monitored on the single host only, not for the entire subnet.

Advantages:
• The data come without any special requirements for auditing or logging mechanisms; in most cases collection of network data requires only the configuration of a network interface card.
• The insertion of a network-level agent does not affect existing data sources.
• Network-level agents can monitor and detect network attacks (e.g., SYN flood and packet storm attacks) by checking the content of both the packet header and the payload.
• Network-based IDS use live network traffic for real-time attack detection, so an attacker cannot remove the evidence, unlike with host-based IDS, where hackers know very well how to manipulate audit logs to cover their tracks.
• They are not dependent on host operating systems as detection sources.
• Real-time detection and response can interrupt malicious activity, whereas a host-based IDS does not recognize an attack until a suspicious log entry is written.

Disadvantages:
• Although some network-based systems can infer from network traffic what is happening on hosts, they cannot tell the outcome of commands executed on the host. This is an issue in detection when distinguishing between user error and malfeasance.
• Network-based agents cannot scan protocols or content if the network traffic is encrypted.
• Network-based monitoring and intrusion detection become more difficult on modern switched networks. Switched networks establish a network segment for each host; therefore, network-based monitors are reduced to monitoring a single host. Network switches that support a monitoring or scanning port can at least partially mitigate this issue.
• Current network-based monitoring approaches have difficulty keeping up with high-speed networks.



Classification by Timing of Information Collection & Analysis

2.2.1 Batch or Interval Oriented IDS

Operating-system audit mechanisms or other host-based agents log event information to files, and the intrusion detection system periodically analyzes these files for signs of intrusion or misuse.

Advantages:
• They are well suited to environments in which threat levels are low and single-attack loss potentials high (e.g., financial institutions).
• Batch-mode analysis schemes impose less processing load on systems than real-time analysis, especially when collection intervals are short and data volumes per interval are therefore low.
• Batch-oriented collection and analysis of information are particularly well suited to organizations in which system and personnel resources are limited.
• Attacks on computer systems often involve repeated attempts against the same targets, and analysis over a whole interval can reveal such patterns.

Disadvantages:
• Users will seldom see incidents before they are complete.
• Aggregation of information may consume more disk storage on the analysis system.


2.2.2 Real time IDS

Real time systems provide information collection, analysis, and reporting (with possible responses) on a continuous basis. The detection process happens quickly enough to hinder the attack. Real-time systems provide a variety of real-time alarms (many support off-site alarming mechanisms such as e-mail, pagers, and telephone messaging), as well as automatic responses to attacks. Typical responses range from simple notification to increasing the sensitivity of the monitoring, terminating the network connection from the source of the attack or changing system settings to limit damage.

Advantages:
• Depending on the speed of the analysis, attacks may be detected quickly enough to allow system administrators to interrupt them.
• Depending on the speed and sensitivity of the analysis, system administrators may be able to perform incident handling (leading to recovery of system operations) more quickly.

Disadvantages:
• They tend to consume more memory and processing resources on the analysis system than post facto systems.
• Configuration of real-time systems is critical; a badly formed signature can generate so many false alarms that a real attack goes unnoticed.




Signature Analysis (Misuse detection model)

Signatures are patterns corresponding to known attacks or misuses of systems. They may be simple (character string matching looking for a single term or command) or complex (security state transition written as a formal mathematical expression). In general a signature can be concerned with a process (the execution of a particular command) or an outcome (the acquisition of a root shell.) Signature analysis is pattern matching of system settings and user activities against a database of known attacks. The database of known attacks (pattern file of attack signatures) is analogous to the virus definitions’ file of a virus scanner.

Most commercial intrusion detection products perform signature analysis against a vendor-supplied database of known attacks. Additional signatures specified by the customer can also be added as part of the intrusion detection system configuration process. Most vendors also include periodic updates of signature databases as part of software maintenance agreements. One advantage of signature analysis is that it allows sensors to collect a more tightly targeted set of system data, thereby reducing system overhead.

The strength of signature analysis depends upon the quality, comprehensiveness, and timeliness of the attack signatures housed in the IDS's search engine. Poorly defined signatures cause false positives (false alarms): good packets are labeled as bad, and legitimate transmissions may be interrupted.

Pattern matching tools are excellent at detecting known attacks, but perform poorly when confronted with a fresh assault, or a modified old one.


Statistical Analysis (Anomaly detection model)

Statistical analysis finds deviations from normal patterns of behavior. Statistical profiles are created for system objects (e.g., users, files, directories, devices, etc.) by measuring various attributes of normal use (e.g., number of accesses, number of times an operation fails, time of day, etc.). Mean frequencies and measures of variability are calculated for each type of normal usage. Possible intrusions are signaled when observed values fall outside the normal range. For example, statistical analysis might signal an unusual event if an accountant who had never previously logged into the network outside the hours of 8 AM to 6 PM were to access the system at 2 AM.

Anomaly detection in network-based or host-based IDS includes:

• threshold detection: detecting abnormal activity on a server or network, for example abnormal CPU consumption on one server, or abnormal saturation of the network
• statistical measures, learned from historical values
• rule-based measures, with expert systems
• non-linear algorithms such as neural networks or genetic algorithms

The major limitation of this approach is finding a correct threshold without frequent false alarms. Researchers have been working on this model for intrusion detection systems for a long time, without achieving what could be called a major breakthrough. In principle an anomaly detection IDS "learns" what constitutes "normal" network traffic, developing sets of models that are updated over time. These models are then applied against new traffic, and traffic that doesn't match the model of "normal" is flagged as suspicious. Anomaly detection IDS are attractive conceptually, but they require training, and the sad reality of networking is that it's very hard to classify "normal" traffic. As networks get sufficiently large, the mix of applications they carry becomes so complex that it looks effectively random. An attacker may even generate traffic to distort the model of "normal" so that, sooner or later, an attack looks "normal" and gets past the IDS. If the IDS is conservative about what may constitute an attack (flagging anything it is unsure of), it will tend to generate large numbers of "false positives" (false alarms), which become the electronic equivalent of the boy who cried "wolf!" Sooner or later the IDS is ignored.

Advantages:
• The system may detect heretofore unknown attacks.
• Statistical methods may allow one to detect more complex attacks, such as those that occur over extended periods.


Disadvantages:
• It is relatively easy for an adversary to trick the detector into accepting attack activity as normal by gradually varying behavior over time.
• The possibility of false alarms is much greater in statistical detectors.
• Statistical detectors do not deal well with legitimate changes in user activities.
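As an added example (not code from the original page or from any IDS product), the following Python builds the kind of per-user statistical profile described above, flags the 2 AM accountant login from the text, and then reproduces the first disadvantage: an adversary who drifts one hour at a time stays inside the band a self-updating detector treats as normal until 2 AM itself is accepted. The login records, the user name "accountant" and the z-score threshold are constructed for the illustration.

```python
"""Statistical (anomaly) profile of login hours, plus the gradual-drift attack.
All records here are constructed; nothing is taken from a real audit log."""
import statistics
from collections import defaultdict


class LoginHourProfile:
    """Learns, per user, the mean and spread of the hour-of-day of logins and
    flags a login whose hour lies more than `k` standard deviations from the
    user's mean (the 'observed value outside the normal range' of the text)."""

    def __init__(self, k=3.0, min_sd=0.5):
        self.k = k
        self.min_sd = min_sd          # floor so a user with constant hours does not divide by ~0
        self._hours = defaultdict(list)

    def learn(self, user, hour):
        self._hours[user].append(hour)

    def score(self, user, hour):
        """z-score of `hour` against the user's profile (0.0 if no baseline yet)."""
        obs = self._hours[user]
        if len(obs) < 2:
            return 0.0
        mean = statistics.fmean(obs)
        sd = max(statistics.pstdev(obs), self.min_sd)
        return (hour - mean) / sd

    def is_anomalous(self, user, hour):
        return abs(self.score(user, hour)) > self.k


# Constructed training data: the accountant logs in once per working day at
# some hour between 8 AM and 6 PM, over 22 days.
TRAINING = [("accountant", h) for h in range(8, 19)] * 2


def build_profile():
    p = LoginHourProfile()
    for user, hour in TRAINING:
        p.learn(user, hour)
    return p


def gradual_drift(profile, user, hours):
    """Feed the detector a sequence of logins that each stay inside the
    current normal band, letting every accepted login update the profile as a
    self-training detector would. Returns the hours accepted without an alert;
    stops at the first one that raises an alarm."""
    accepted = []
    for h in hours:
        if profile.is_anomalous(user, h):
            break
        profile.learn(user, h)
        accepted.append(h)
    return accepted


if __name__ == "__main__":
    p = build_profile()
    print("2 AM login flagged:", p.is_anomalous("accountant", 2))
    print("drift accepted:", gradual_drift(p, "accountant", [7, 6, 5, 4, 3, 2]))
    print("2 AM login flagged after drift:", p.is_anomalous("accountant", 2))
```

With k = 3 the 2 AM login scores about 3.5 standard deviations from the mean and is flagged, while 6 AM is not; each one-hour step of the drift scores only about 2.2 and is absorbed into the baseline, so after six days a 2 AM login is "normal". A detector that only retrains on analyst-confirmed records, or that freezes its baseline, closes this particular hole at the cost of the third disadvantage above.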


Integrity Analysis

Integrity analysis focuses on whether some aspect of a file or object has been altered. This often includes file and directory attributes, content and data streams. Integrity analysis often utilizes strong cryptographic mechanisms, called message digest (or hash) algorithms, which can recognize even subtle changes.

Message-digest algorithms are based on hash functions, which possess the property that extremely subtle changes in the input to the function produce large differences in the result. This means that a change in a data stream fed to a message-digest algorithm produces a huge change in the checksum generated by the algorithm. These algorithms are cryptographically strong; i.e., given a particular output value, it is practically impossible to come up with another input to the algorithm that will produce an identical output. This eliminates a common attack against relatively simple CRC (cyclic redundancy code) checksums, in which hackers mask alterations to files by adjusting the content of the file so that the same checksum is generated for both the original and the tampered file. Note that older digests such as MD5 no longer meet this bar; an integrity checker should use SHA-2 or stronger.


Advantages:
• Any successful attack in which files were altered, network packet grabbers were left behind, or root kits were deployed will be detected, regardless of whether the attack itself was detected by signature or statistical analysis.

Disadvantages: • Because current implementations tend to work in batch mode, they are not conducive to real-time response.
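The following added example (not from the original page or from Tripwire or any other product) makes the CRC-versus-hash point of the integrity analysis section concrete, and applies equally to the checksum polling described for host-based IDS: forge_crc32_suffix() appends four bytes to a tampered file so that its CRC-32 equals the original's, so a CRC-based checker reports it unchanged, while a SHA-256 baseline still catches the change. The file contents are constructed; the forging routine is the standard four-byte CRC reversal, written here for illustration.

```python
"""Why integrity checking needs a cryptographic hash, not a CRC.
The 'file' below is constructed; the CRC-32 reversal is the well-known
4-byte technique, written here as an illustration."""
import hashlib
import zlib

POLY = 0xEDB88320   # reflected CRC-32 polynomial used by zlib.crc32


def _crc_table():
    table = []
    for i in range(256):
        r = i
        for _ in range(8):
            r = (r >> 1) ^ POLY if r & 1 else r >> 1
        table.append(r)
    return table


TABLE = _crc_table()
# Every CRC-32 table entry has a distinct high byte, so the high byte of the
# register after a step identifies exactly which table entry was XORed in.
HIGH_TO_INDEX = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(HIGH_TO_INDEX) == 256


def forge_crc32_suffix(prefix: bytes, target_crc: int) -> bytes:
    """Return 4 bytes x such that zlib.crc32(prefix + x) == target_crc."""
    state = zlib.crc32(prefix) ^ 0xFFFFFFFF   # internal register after prefix
    want = target_crc ^ 0xFFFFFFFF            # internal register we must end at
    # Backwards: recover the four table indices the last four steps must use.
    idx = []
    r = want
    for _ in range(4):
        i = HIGH_TO_INDEX[r >> 24]
        idx.append(i)
        r = ((r ^ TABLE[i]) << 8) & 0xFFFFFFFF
    idx.reverse()
    # Forwards: choose each byte so the table lookup lands on the required index.
    out = bytearray()
    r = state
    for i in idx:
        out.append(i ^ (r & 0xFF))
        r = TABLE[i] ^ (r >> 8)
    return bytes(out)


def baseline(data: bytes) -> dict:
    """What a CRC-based and a hash-based integrity checker would each record."""
    return {"crc32": zlib.crc32(data), "sha256": hashlib.sha256(data).hexdigest()}


def check(base: dict, data: bytes) -> dict:
    """Per checker: True means 'file unchanged since the baseline'."""
    now = baseline(data)
    return {k: now[k] == base[k] for k in base}


# Constructed contents standing in for a monitored system file.
ORIGINAL = b"root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n"
TAMPERED = ORIGINAL + b"backdoor:x:0:0::/:/bin/sh\n"


def tampered_with_forged_crc() -> bytes:
    """The tampered file plus four bytes that restore the original CRC-32."""
    return TAMPERED + forge_crc32_suffix(TAMPERED, zlib.crc32(ORIGINAL))


if __name__ == "__main__":
    base = baseline(ORIGINAL)
    forged = tampered_with_forged_crc()
    print("suffix:", forge_crc32_suffix(TAMPERED, base["crc32"]).hex())
    print("checks on forged file:", check(base, forged))
```

The four trailing bytes are invisible to a CRC poller, which is exactly the "same checksum for original and tampered file" attack the text describes; the SHA-256 entry in the baseline still flips to False, and there is no comparable shortcut for choosing bytes that restore it.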



When deploying an IDS, a crucial step is to determine where the traffic sensor should be inserted in the network. Packets traverse ever shorter paths because of smart hubs and the increased use of switches, so a sensor sees only the traffic that crosses its own segment. The correct deployment of sensors at strategic locations decides the efficiency of the IDS. Let's look at the following diagram:

Fig.2 Deployment of sensors in corporate network

Several strategic locations are shown; let's discuss the importance of each probe point:


Sensor 1: A sensor on the untrusted side of a firewall will detect attempted intrusions. This will also generate alerts that may not be of interest to the security staff. These are generally termed doorknob rattling, and produce an enormous amount of alarms. Recording possible threats may help justify the need for an IDS, but for a properly configured firewall, they are not a serious problem. It’s the assaults that reach the sub-net that may cause damage.

Sensor 2: Many sites choose to place services that require external access on a separate sub network, often called a demilitarized zone (DMZ). Placing a sensor there is important because many of the services provided are popular points of attack, additionally, these systems may be providing a marketing presence that could cause negative publicity if intruders gain access.

Sensor 3: This is probably the most critical point for an enterprise to place an intrusion detection sensor. Scanning the network traffic that passes through the perimeter defense point for suspicious behavior generates alarms that represent potentially serious security compromises.

Sensors 4 & 5: While of lesser importance than sensor 3's location, watching internal activity should not be discounted. Large intranets have many access points that can be exploited. Modems, compromised accounts, disloyal or disgruntled employees, and socially engineered access are a sample of the ways intruders can bypass a perimeter-based firewall.



Presently, there are around 90-100 intrusion detection systems available in the information security market. I discuss here a few of the prominent ones.



5.1.1 Introduction

Snort is a cross-platform, lightweight network intrusion detection tool that can be deployed to monitor small TCP/IP networks and detect a wide variety of suspicious network traffic as well as outright attacks. It is 'lightweight' because it can easily be deployed on almost any node of a network; it has a small footprint and can easily be configured by system administrators. Snort is a libpcap-based packet sniffer and logger that can be used as a lightweight network intrusion detection system (NIDS). It features rules-based logging to perform content pattern matching and detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, etc. Snort has real-time alerting capability, with alerts being sent to syslog, Server Message Block (SMB) "WinPopup" messages, or a separate "alert" file. Snort is configured using command-line switches and optional Berkeley Packet Filter commands. The detection engine is programmed using a simple language that describes per-packet tests and actions. Ease of use simplifies and accelerates the development of new exploit-detection rules.

"Libpcap" (library for packet capture) is a common library available for UNIX systems that "sniffs" packets off the wire. Most UNIX-based intrusion detection systems (of any kind) use libpcap.

5.1.2 Architecture

Snort's architecture is focused on performance, simplicity, and flexibility. There are three primary subsystems that make up Snort: the packet decoder, the detection engine, and the logging and alerting subsystem. These subsystems ride on top of the libpcap promiscuous packet sniffing library, which provides a portable packet sniffing and filtering capability.

The Packet Decoder

The decode engine is organized around the layers of the protocol stack present in the supported data-link and TCP/IP protocol definitions. Each subroutine in the decoder imposes order on the packet data by overlaying data structures on the raw network traffic. These decoding routines are called in order through the protocol stack, from the data link layer up through the transport layer, finally ending at the application layer. Speed is emphasized in this section, and the majority of the functionality of the decoder consists of setting pointers into the packet data for later analysis by the detection engine.


Snort provides decoding capabilities for Ethernet, SLIP, and raw (PPP) data-link protocols. ATM support is under development.

The Detection Engine

Snort maintains its detection rules in a two dimensional linked list of what are termed Chain Headers and Chain Options. These are lists of rules that have been condensed down to a list of common attributes in the Chain Headers, with the detection modifier options contained in the Chain Options. For example, if forty five CGI-BIN probe-detection rules are specified in a given Snort detection library file, they generally all share common source and destination IP addresses and ports. To speed the detection processing, these commonalities are condensed into a single Chain Header and then individual detection signatures are kept in Chain Option structures.

Fig. 3 Rule Chain logical structure: a list of Chain Headers (source IP addr, dest. IP addr, source port, dest. port), each pointing to a list of Chain Options (content, TCP flags, ICMP codes/types, payload size)

These rule chains are searched recursively for each packet in both directions. The detection engine checks only those chain options which have been set by the rules parser at run-time. The first rule that matches a decoded packet in the detection engine triggers the action specified in the rule definition and returns.

The Logging/Alerting Subsystem

The alerting and logging subsystem is selected at run-time with command line switches. There are currently three logging and five alerting options. The logging options can be set to log packets in their decoded, human readable format to an IP-based directory structure, or in tcpdump binary format to a single log file. The decoded format logging allows fast analysis of data collected by the system. The tcpdump format is much faster to record to the disk and should be used in instances where high performance is required. Logging can also be turned off completely, leaving alerts enabled for even greater performance improvements.

Alerts may either be sent to syslog, logged to an alert text file in two different formats, or sent as WinPopup messages using the Samba smbclient program. The syslog alerts are sent as security/authorization messages that are easily monitored with tools such as swatch. WinPopup alerts allow event notifications to be sent to a user-specified list of Microsoft Windows consoles running the WinPopup software. There are two options for sending the alerts to a plain text file: full and fast alerting. Full alerting writes the alert message and the packet header information up through the transport-layer protocol. The fast alert option writes a condensed subset of the header information to the alert file, allowing greater performance under load than full mode. There is a fifth option to completely disable alerting, which is useful when alerting is unnecessary or inappropriate, such as when network penetration tests are being performed.

5.1.3 Features

High performance pattern matching rules can be written

Computationally, the content matching option is the most expensive process that can be performed in the detection engine. Accordingly, it is performed after all other rule tests. This fact can be used to advantage by specifying other rule options in combination with the content option. For example, almost all requests to web servers have their TCP PUSH and ACK flags set. Using this knowledge, it is relatively easy to write a rule which will perform a simple TCP flag test before running the far more computationally intensive pattern match test.

Snort offers options in writing rules that can be used to limit the amount of data that must be searched. The offset and depth keywords were made specifically to fulfill this function. Using these options, the area of the packet payload to search for an exploit pattern can be localized.

Passive Trap

Snort can be used to implement another concept that is being advocated today; that of "passive traps". One aspect of this concept is that administrators know which services are not available on their networks. Snort rules can be written that watch for traffic headed for these non-existent services. Packets which are found to be using these ports may be an indication of port scanning, backdoors, or other hostile traffic. Thus Snort can trap all packets from hostile parties interested in a network.
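The rule evaluation order described under "High performance pattern matching rules" and the passive trap above, as an added example (this is a simplified model written for this page, not Snort's own code; the rule fields, sample rules and sample packets are all constructed here): cheap header tests run first, the content search is confined to the offset/depth window, and a rule for a port that offers no service fires with no payload search at all.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example modelling Snort-style rule evaluation; not Snort's own code.
@dataclass
class Rule:
    msg: str
    dst_port: int | None = None   # None means "any"
    flags: str | None = None      # TCP flag letters, e.g. "PA" = PSH+ACK
    content: bytes | None = None  # pattern for the expensive search
    offset: int = 0               # payload byte where the search starts
    depth: int | None = None      # bytes to search from offset; None = to end

@dataclass
class Packet:
    dst_port: int
    flags: str
    payload: bytes = b""

def header_tests_pass(rule: Rule, pkt: Packet) -> bool:
    """Cheap checks run first: destination port and exact TCP flag set."""
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    return rule.flags is None or set(rule.flags) == set(pkt.flags)

def evaluate(rules: list[Rule], pkt: Packet) -> tuple[list[str], int]:
    """Return (messages of rules that fired, number of content searches run)."""
    fired, searches = [], 0
    for rule in rules:
        if not header_tests_pass(rule, pkt):
            continue  # cheap test failed: the costly search never runs
        if rule.content is not None:
            searches += 1  # the expensive step, confined to offset/depth
            end = None if rule.depth is None else rule.offset + rule.depth
            if rule.content not in pkt.payload[rule.offset:end]:
                continue
        fired.append(rule.msg)
    return fired, searches

RULES = [
    # Flag test first, then a search limited to payload bytes 4..19.
    Rule("WEB cgi-bin probe", dst_port=80, flags="PA",
         content=b"/cgi-bin/", offset=4, depth=16),
    # Passive trap: no telnet service exists here, so port 23 alone fires.
    Rule("TRAP telnet to unoffered service", dst_port=23),
]

# Constructed sample traffic, not a real capture.
SAMPLE = [
    Packet(80, "PA", b"GET /cgi-bin/test HTTP/1.0\r\n"),   # match in window
    Packet(80, "S"),                                       # flag test fails
    Packet(80, "PA", b"GET /index.html HTTP/1.0\r\n"),     # searched, no match
    Packet(23, "S"),                                       # passive trap fires
]

def run(packets=SAMPLE, rules=RULES) -> tuple[list[tuple[int, str]], int]:
    """Alerts as (packet index, msg) plus the total number of content searches."""
    results = [evaluate(rules, pkt) for pkt in packets]
    alerts = [(i, m) for i, (fired, _) in enumerate(results) for m in fired]
    return alerts, sum(s for _, s in results)
```

Four packets pass through two rules, yet only two content searches are ever run: the handshake segment is rejected by the flag test and the trap rule needs no payload at all.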

Focused monitoring

"Focused monitoring" is the concept of watching a single critical node or service on a network for signs of hostile activity. For example, a single Snort sensor could be deployed on a SMTP server with a rule set that covers all known Sendmail attacks and would provide highly focused monitoring of that specific traffic on the network. These rules could even be extended to provide a running narrative of all of the commands and responses into and out of SMTP servers on the defended network. Focused monitoring can be especially useful in instances where existing NIDS provide inadequate coverage.

5.1.4 Requirements

The current version of Snort is 1.2.1, and libpcap is required to compile and run the software. Snort is known to run on RedHat Linux 5.1/5.2/6.0, Debian Linux, MkLinux, S/Linux, HP-UX, Solaris 2.5.1 - 2.7 (x86 and Sparc), x86 Free/Net/OpenBSD, M68k NetBSD, and MacOS X.

5.2.1 Introduction

Dragon is a family of IDS products from Enterasys Networks which includes Dragon Sensor, a network based intrusion detection system (NIDS); Dragon Squires, a host based intrusion detection system (HIDS) and Dragon Server, a management and reporting system.

5.2.2 Dragon Sensor Features

• High-Bandwidth Support — Supports high-bandwidth networks exceeding 100 Mbps, as well as networks up to 300 Mbps with correct tuning and architecture
• Protocol Decoding — Decodes most commonly encoded protocols, foiling an attacker’s attempt to avoid detection with an encoded attack
• Stream Reassembly — Reassembles UDP and TCP streams to defeat attacks that are divided into many small packets
• Anomaly-Based Detection — Detects scans, buffer overflows and traffic profiling, adding a layer of detection capability beyond pure signature-based systems
• Management and Monitoring Interfaces — Configured with two interfaces, one to monitor the network and one for management and reporting, for secure communications to the Dragon Server

5.2.3 Dragon Squire Features

• Firewall Support — Supports most commercial firewalls via installation on the firewall by forwarding logs to a Dragon Squire system, protecting the firewall and allowing the correlation of firewall activity with activity seen elsewhere in the infrastructure
• Web Server Support — Detects attacks directed specifically at IIS, Apache and Netscape web servers
• Application Support — Detects attacks directed at highly vulnerable and often attacked applications, including DNS servers, mail servers and FTP servers
• File Integrity Monitoring — Monitors the integrity of key system files, reporting when they are accessed, modified or deleted depending on the setting, providing another layer of detection capability

5.2.4 Dragon Server Features

• Web-Based Management and Reporting — Enables accessibility from any system with a web browser, saving the time and cost of deploying software-based clients
• Policy-Based Alarm Mechanisms — Develops alarm policies for specific users and groups within the organization, providing significant flexibility and time savings when managing large-scale deployments
• Authenticated Communications — Authenticates communications between the Dragon Sensor and Squire, ensuring that intersystem communications are authorized and not an attempt to evade detection
• Encrypted Communications — Encrypts communications to prevent eavesdropping on sensitive information
• Event Correlation — Combines with firewall log forwarding and application monitoring to correlate events across the entire enterprise based on IP addresses, ports and time
• Vulnerability Correlation — Correlates with Nessus (a Linux-based vulnerability scanner) to identify vulnerabilities and attackers seeking to exploit them
• Forensics Analysis — Performs detailed forensic analysis of activity via the Forensics Console to identify, assess and respond to events and support further legal action
• Event Trending — Provides a higher-level, long-term analysis tool via the Trending Console for "data-mining" of historical security events

5.2.5 Requirements

The Dragon products run, via software license, on the following operating systems: Windows NT/2000, Solaris, HP-UX, Linux, OpenBSD and FreeBSD.

5.3 Network Flight Recorder

Network Flight Recorder provides both host based & network based IDS.

5.3.1 NFR host based IDS

The main components of an NFR HID system are:

• NFR HID Consoles – three console types are provided: Administrative, View, and Report.
• NFR HID Distributed Data Broker – for processing data, forwarding alerts, and registering consoles. This layer of the system includes the Analyzers, which collect data from the targets, and the Dispatcher, which forwards it for display on the relevant consoles, as well as the NFR HID database (Microsoft SQL Server or Oracle).
• NFR HID Agents – installed on each server or workstation to be monitored (called target hosts). The agents collect audit data and send it to the console, where it is scanned for suspicious activity and then stored in a database for later analysis and reporting. All log data is retained in its raw form.

Two types of agents are provided:

Log Analysis Agents monitor kernel logs, and can be configured to operate in real-time mode or batch mode allowing prioritization of the collection of data.

Network Node Agents monitor the network traffic associated with the target host for common attacks such as DoS attacks, FTP password grabbing, Web phf attacks, CGI scans, etc.


NFR HIDS can run on Microsoft Windows NT 4.0 or later; Microsoft Windows 2000 Professional, Server, or Advanced Server; Microsoft Windows XP Professional; Sun Solaris 2.5.1, 2.6, 7.0, 8.0; IBM AIX 4.2.3, 4.3.2, 4.3.3; and Hewlett-Packard HP-UX 10.2, 11.0.

5.3.2 NFR network based IDS

The NFR network based IDS comprises:

• NID Sensors – NFR offers 4 different sensor ‘packages’ that can interface with either Ethernet or Gigabit Ethernet. Generally, each package consists of 2 such sensors, where the second one serves as a backup sensor in case of failure of the first sensor.
• NID Console – provides a GUI for administering sensors, querying logs and alerts, and reporting.
• NID Distributed Data Broker – collects alert and event data from its associated sensors. It includes a central management server for storing data from sensors and a facility to export the data to an Oracle database. It can be set up in a distributed environment.


The Console supports all Windows OS like NT, XP, 2000. The Distributed Data Broker works on Solaris 2.7, Redhat Linux 7.1, 7.2 etc.

6. FUTURE OF INTRUSION DETECTION SYSTEMS

6.1 Limitations of existing IDSs

Current IDSs generate too many inaccurate alarms. Simply stated, IDSs aren’t good enough yet. There are many factors to consider when evaluating IDSs, such as speed, cost, effectiveness, ease-of-use, scalability, and interoperability. Without taking specific environment details into consideration, effectiveness and ease-of-use can be used as general metrics to compare IDSs. Both factors measure general aptitude because they are determined by the detection algorithm of the IDS. The detection algorithm maps incoming events to attacks and normal activity. The resulting classification can be used to determine the effectiveness of an IDS. Effectiveness is the ability of an IDS to maximize the detection rate while minimizing the false alarm rate (false positive rate). In other words, a good IDS reports intrusions when they occur, and does not report intrusions when they do not occur. Stefan Axelsson analyzed the intrusion detection problem with Bayesian statistics [3] and determined that the base-rate fallacy governs the effectiveness of IDSs. The probability that an intrusion is actually occurring, given that an IDS reports an intrusion, is dominated by the false alarm rate of the IDS. The important measure of an IDS is not how frequently it detects attacks, but how infrequently it produces false alarms.

Another important factor for measuring IDSs is ease-of-use. Because active response is not yet an acceptable technology, human intervention is necessary to use IDSs. It is therefore necessary for IDSs to be intuitive and easy to manage. Alarms from an IDS must be investigated by a security officer to separate the real threats from the false alarms. The fewer false alarms an IDS generates, the easier it is for an operator to find the real intrusions in his network and the more effective the system. However, ease-of-use also includes the user interface, interoperability with other products, reporting capabilities, and investigation capabilities.

[3] Stefan Axelsson’s work can be found at
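The base-rate argument above, worked through with Bayes' rule as an added illustration (the numerical values below are assumptions chosen for illustration; the page itself gives no figures):

$$
P(I \mid A) = \frac{P(A \mid I)\,P(I)}{P(A \mid I)\,P(I) + P(A \mid \neg I)\,P(\neg I)}
$$

where $I$ is "an intrusion is occurring", $A$ is "the IDS raises an alarm", $P(A \mid I)$ is the detection rate and $P(A \mid \neg I)$ is the false alarm rate. Assume a base rate of $P(I) = 2 \cdot 10^{-5}$ (two intrusive audit records per 100{,}000), a perfect detection rate $P(A \mid I) = 1$ and a false alarm rate $P(A \mid \neg I) = 10^{-5}$:

$$
P(I \mid A) = \frac{1 \cdot 2 \cdot 10^{-5}}{2 \cdot 10^{-5} + 10^{-5}\,(1 - 2 \cdot 10^{-5})} \approx 0.67
$$

Raising the false alarm rate to $10^{-4}$ gives $P(I \mid A) \approx 0.17$, and to $10^{-3}$ gives $P(I \mid A) \approx 0.02$, while the detection rate term stays fixed at 1. Because $P(\neg I) \approx 1$ whenever intrusions are rare, the denominator, and with it the share of alarms that are real, is governed by the false alarm rate: this is the base-rate fallacy the paragraph describes.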

6.2 Distributed Intelligent Agents for Intrusion Detection using Protocol Anomaly Detection

In this section, I propose the idea of an artificially intelligent system for intrusion detection in a network environment using data mining technology. Data gathering agents will render system logs and activity data into common formats, while low-level agents classify recent activities and provide data and current classification states to each other and to higher-level agents that implement data mining over the entire knowledge base.

6.2.1 Related Work

Before coming to this idea, I found related projects, which include DIDS, Computer Immunology, JAM, and EMERALD.

The Distributed IDS (DIDS) uses a combination of host monitors and local area network monitors to monitor system and network activities, with a centralized director aggregating information from the monitors to detect intrusions. In DIDS, the intelligence is purely centralized. The Computer Immunology project explored designs of IDSs that can effectively detect and defeat intrusions in a networked computer system in a manner similar to the immune system in animals. They developed a sense for privileged programs by creating a database of normal and abnormal system call traces for instances of execution of certain programs. The Java Agents for Meta-Learning (JAM) project uses intelligent, distributed agents to learn models for intrusive activity. The knowledge learned by these agents is exchanged with other agents to train them.

6.2.2 System Design

The components of the proposed system are shown in figure 4. The distributed data cleansing agents process data obtained from log files, network protocol monitors and system activity monitors on heterogeneous systems. The low-level agents above the data-cleansing agents form the first step in intrusion detection. These agents communicate with their respective data-cleansing agents to gather recent information and try to correlate the data with the information obtained. The current data is then classified as suspicious if the correlation detects any anomaly. At the top level, the data warehouse provides a global knowledge base. It can provide a temporal view of the activity of the distributed system, and this can be used by other low-level agents to train themselves for patterns they have never come across. The user interface shows the status reported by low-level agents to the console. The user interface also provides features like managing the knowledge in the data warehouse and applies data mining functions to find new correlations and associations from the stored knowledge.
[Fig.4 diagram: User interface and Data Warehouse at the top; below them the Low level Agents (System Calls, Network, Authentication, Other functions); below those the Data Cleaners (System Calls, Network, Authentication Events, Other functions)]

Fig.4 Architecture of the Intrusion Detection System

6.2.3 Protocol Anomaly Detection

Current IDSs using the anomaly detection approach generate too many false alarms due to their inability to model what is ‘normal’ usage or activity. In this proposed IDS, I suggest the use of the Protocol Anomaly Detection given by Kumar Das. Instead of training models on normal behavior, protocol anomaly detectors build models of TCP/IP protocols using their specifications. Protocols are well defined, and a normal "use" model can be created with greater accuracy. Protocols are created with specifications, known as RFCs (request for comments), to dictate proper use and communication. All connection oriented protocols have state. Certain events must take place at certain times. As a result, many protocol anomaly detectors are built as state machines. Each state corresponds to a part of the connection, such as a server waiting for a response from a client. The transitions between the states describe the legal and expected changes between states. For example, legal transitions from the "server waiting" state are to the "client sends data" state, the "client cuts connection" state, or the "server timeout" state.
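The state-machine form of protocol anomaly detection just described, as an added example (a simplified model written for this page, not the proposed system's or Kumar Das's code; the transition table, event names and event traces are constructed here): every (state, event) pair not permitted by the specification-derived table is reported as a violation, with no attack signature involved.

```python
"""Added example: a protocol anomaly detector as a specification-driven state
machine. A simplified model of the approach in the text, not the proposed
system's own code. Legal (state, event) pairs come from the protocol
specification; any pair not in the table is reported as a violation."""

# Specification-derived transitions for one server-side connection. The
# state names follow the text: from "server waiting" the only legal moves
# are "client sends data", "client cuts connection" and "server timeout".
TRANSITIONS = {
    ("closed", "SYN"): "handshake",
    ("handshake", "ACK"): "server waiting",
    ("server waiting", "DATA"): "client sends data",
    ("client sends data", "DATA"): "client sends data",
    ("client sends data", "RESPONSE"): "server waiting",
    ("server waiting", "FIN"): "client cuts connection",
    ("server waiting", "TIMEOUT"): "server timeout",
    ("client cuts connection", "ACK"): "closed",
}

def analyse(events, initial="closed"):
    """Walk one connection's events through the state machine.

    Returns (final_state, anomalies); each anomaly is the (state, event)
    pair the specification does not allow there. RST is treated as legal
    from any state, since either side may abort (an assumption of this model).
    """
    state, anomalies = initial, []
    for event in events:
        if event == "RST":
            state = "closed"
            continue
        nxt = TRANSITIONS.get((state, event))
        if nxt is None:
            anomalies.append((state, event))  # deviation from the RFC model
            continue                          # stay in state, keep checking
        state = nxt
    return state, anomalies

# Constructed event traces, not captured traffic.
NORMAL = ["SYN", "ACK", "DATA", "RESPONSE", "FIN", "ACK"]
# Data and a FIN arrive before any handshake: both violate the protocol
# model and are flagged without any attack signature being involved.
ANOMALOUS = ["DATA", "FIN", "SYN", "ACK", "DATA", "RESPONSE", "TIMEOUT"]
```

Adding a new protocol means adding a new table like TRANSITIONS, which is the infrequent update the next paragraphs contrast with constant signature updates.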

The space of malicious attack signatures is growing at an incredible rate. As such, attack signature databases must be updated frequently to effectively detect attacks. In comparison, new protocols and extensions to existing protocols are being developed at a much slower rate. The space of network protocols is well-defined and changing slowly. Protocol anomaly detectors are able to detect most new attacks without being updated because the new attacks deviate from the protocol specifications.

Occasionally, new protocols will be developed or new protocol extensions will become popular, and it is necessary to update or add new protocol state machines to an IDS. However, the frequency of such updates is much less than the frequency of current attack signature updates. Protocol anomaly detection systems are essential for understanding new attacks. Protocol violation information is crucial to determining the intrusion method. Another benefit of protocol anomaly detection is increased efficiency. Well designed anomaly detectors use fewer rules to describe acceptable behavior than signature detectors use to describe the numerous malicious behaviors.

What Intrusion Detection Systems Can and Cannot Do?

• They can lend a greater degree of security to your infrastructure.
• They can make sense of often complex system information sources, telling you what’s really happening on your systems.
• They can trace user activity from the point of entry to the point of exit or impact.
• They can recognize and report alterations to data files.
• They can spot errors of your system configuration that have security implications, sometimes correcting them if the user wishes.
• They can recognize when your system appears to be subject to a particular attack.
• They can relieve your system management task of monitoring the Internet searching for the latest hacker attacks.
• They can make the security management of your systems by non-expert staff possible.
• They can provide guidelines that assist you in the vital step of establishing a security policy for your computing assets.

• They cannot compensate for weak identification and authentication mechanisms.
• They cannot conduct investigation of an attack without human intervention.
• They cannot intuit the contents of your organizational security policy.
• They cannot compensate for weaknesses in network protocols.
• They cannot compensate for problems in the quality or integrity of information the system provides.
• They cannot analyze all of the traffic on a busy network.
• They cannot always deal with problems involving packet-level attacks.
• They cannot deal with modern network hardware and features.


Criteria for selection of an Intrusion Detection System

• suitability for IDS architecture and management scheme
• flexibility of adaptation for a specific network to be monitored
• protection against malicious tampering
• interoperability with other network management and security tools
• comprehensiveness, to expand the concept of intrusion detection, such as blocking Java applets or Active-X controls, monitoring e-mail content, blocking specific URLs
• event management, such as managing and reporting event traces, updating the attack database
• active response when an attack occurs, such as firewall or router reconfiguration

BIBLIOGRAPHY

8.1 Books
1. Terry Escamilla, ‘Intrusion Detection: Network Security Beyond the Firewall’, John Wiley & Sons, Inc., 1998
2. Bruce Schneier, ‘Secrets and Lies’, John Wiley & Sons, Inc., 2000

8.2 Journals
1. Anita Karve, "Can Intrusion Detection Keep an Eye on Your Network’s Security?", Network Magazine, 04/01/99 (1999)

8.3 URLs
1. Kumar Das, ‘Protocol Anomaly Detection for Network-based Intrusion Detection’,
2. Guy Bruneau, ‘The History and Evolution of Intrusion Detection’,
3.
4. Jean-Philippe Planquart, ‘Application of Neural Networks to Intrusion Detection’,
5.
6. Steve Schupp, ‘Limitations of Network Intrusion Detection’,
7. Rebecca Bace, ‘An introduction to Intrusion Detection & Assessment’,
8. ISS article (1998), ‘Network- vs. Host-based Intrusion Detection: A Guide to Intrusion Detection Technology’,