World Library  
My Account |  Register |  Help  
  
Flag as Inappropriate
Email this Article

Intrusion detection system

Article Id: WHEBN0000113021
Reproduction Date:

Title: Intrusion detection system  
Author: World Heritage Encyclopedia
Language: English
Subject: Computer security, Artificial intelligence, Attack (computing), Security software, Malware
Collection: Intrusion Detection Systems
Publisher: World Heritage Encyclopedia
Publication
Date:
 

Intrusion detection system

An intrusion detection system (IDS) is a device or

Infectious malware
Concealment
Malware for profit
By operating system
Protection
Countermeasures
  • Intrusion Detection Systems at DMOZ

External links

  • Scarfone, Karen; Mell, Peter (February 2007). "Guide to Intrusion Detection and Prevention Systems (IDPS)". Computer Security Resource Center ( 
  • "Intrusion Detection/Prevention Systems classification tree". IPsec.pl. Retrieved 30 July 2010. 
  • Singh, Abhishek. "Evasions In Intrusion Prevention Detection Systems". Virus Bulletin. Retrieved April 2010. 
  • Bezroukov, Nikolai (11 December 2008). "Architectural Issues of Intrusion Detection Infrastructure in Large Enterprises (Revision 0.82)". Softpanorama. Retrieved 30 July 2010. 
  • P.M. Mafra and J.S. Fraga and A.O. Santin (2014). "Algorithms for a distributed IDS in MANETs". Journal of Computer and System Sciences 80 (3). pp. 554–570. 

Further reading

  1. ^ a b Scarfone, Karen; Mell, Peter (February 2007). "Guide to Intrusion Detection and Prevention Systems (IDPS)". Computer Security Resource Center ( 
  2. ^ a b c d e f g h i j k nitin.; Mattord, verma (2008). Principles of Information Security. Course Technology. pp. 290–301.  
  3. ^ a b www-users.cs.york.ac.uk/~jac/PublishedPapers/AdhocNetsFinal.pdf
  4. ^ (Example)
  5. ^ a b c Anderson, Ross (2001). Security Engineering: A Guide to Building Dependable Distributed Systems. New York:  
  6. ^ Anderson, James P., "Computer Security Threat Monitoring and Surveillance," Washing, PA, James P. Anderson Co., 1980.
  7. ^ Denning, Dorothy E., "An Intrusion Detection Model," Proceedings of the Seventh IEEE Symposium on Security and Privacy, May 1986, pages 119–131
  8. ^ Lunt, Teresa F., "IDES: An Intelligent System for Detecting Intruders," Proceedings of the Symposium on Computer Security; Threats, and Countermeasures; Rome, Italy, November 22–23, 1990, pages 110–121.
  9. ^ Lunt, Teresa F., "Detecting Intruders in Computer Systems," 1993 Conference on Auditing and Computer Technology, SRI International
  10. ^ Sebring, Michael M., and Whitehurst, R. Alan., "Expert Systems in Intrusion Detection: A Case Study," The 11th National Computer Security Conference, October, 1988
  11. ^ Smaha, Stephen E., "Haystack: An Intrusion Detection System," The Fourth Aerospace Computer Security Applications Conference, Orlando, FL, December, 1988
  12. ^ Vaccaro, H.S., and Liepins, G.E., "Detection of Anomalous Computer Session Activity," The 1989 IEEE Symposium on Security and Privacy, May, 1989
  13. ^ Teng, Henry S., Chen, Kaihu, and Lu, Stephen C-Y, "Adaptive Real-time Anomaly Detection Using Inductively Generated Sequential Patterns," 1990 IEEE Symposium on Security and Privacy
  14. ^ Heberlein, L. Todd, Dias, Gihan V., Levitt, Karl N., Mukherjee, Biswanath, Wood, Jeff, and Wolber, David, "A Network Security Monitor," 1990 Symposium on Research in Security and Privacy, Oakland, CA, pages 296–304
  15. ^ Winkeler, J.R., "A UNIX Prototype for Intrusion and Anomaly Detection in Secure Networks," The Thirteenth National Computer Security Conference, Washington, DC., pages 115–124, 1990
  16. ^ Dowell, Cheri, and Ramstedt, Paul, "The ComputerWatch Data Reduction Tool," Proceedings of the 13th National Computer Security Conference, Washington, D.C., 1990
  17. ^ Snapp, Steven R, Brentano, James, Dias, Gihan V., Goan, Terrance L., Heberlein, L. Todd, Ho, Che-Lin, Levitt, Karl N., Mukherjee, Biswanath, Smaha, Stephen E., Grance, Tim, Teal, Daniel M. and Mansur, Doug, "DIDS (Distributed Intrusion Detection System) -- Motivation, Architecture, and An Early Prototype," The 14th National Computer Security Conference, October, 1991, pages 167–176.
  18. ^ Jackson, Kathleen, DuBois, David H., and Stallings, Cathy A., "A Phased Approach to Network Intrusion Detection," 14th National Computing Security Conference, 1991
  19. ^ Paxson, Vern, "Bro: A System for Detecting Network Intruders in Real-Time," Proceedings of The 7th USENIX Security Symposium, San Antonio, TX, 1998
  20. ^ Amoroso, Edward, "Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response," Intrusion.Net Books, Sparta, New Jersey, 1999, ISBN 0-9666700-7-8
  21. ^ Kohlenberg, Toby (Ed.), Alder, Raven, Carter, Dr. Everett F. (Skip), Jr., Esler, Joel., Foster, James C., Jonkman Marty, Raffael, and Poor, Mike, "Snort IDS and IPS Toolkit," Syngress, 2007, ISBN 978-1-59749-099-3
  22. ^ Barbara, Daniel, Couto, Julia, Jajodia, Sushil, Popyack, Leonard, and Wu, Ningning, "ADAM: Detecting Intrusions by Data Mining," Proceedings of the IEEE Workshop on Information Assurance and Security, West Point, NY, June 5–6, 2001
  23. ^ Intrusion Detection Techniques for Mobile Wireless Networks, ACM WINET 2003

 This article incorporates public domain material from the National Institute of Standards and Technology document "Guide to Intrusion Detection and Prevention Systems, SP800-94" by Karen Scarfone, Peter Mell (retrieved on 1 January 2010).

References

Free Intrusion Detection Systems

See also

In 2003, Dr. Yongguang Zhang and Dr. Wenke Lee argue for the importance of IDS in networks with mobile nodes.[23]

The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump to build profiles of rules for classifications.[22]

The Lawrence Berkeley National Laboratory announced Bro in 1998, which used its own rule language for packet analysis from libpcap data.[19] Network Flight Recorder (NFR) in 1999 also used libpcap.[20] APE was developed as a packet sniffer, also using libpcap, in November, 1998, and was renamed Snort one month later. APE has since become the world's largest used IDS/IPS system with over 300,000 active users.[21]

Then, in 1991, researchers at the University of California, Davis created a prototype Distributed Intrusion Detection System (DIDS), which was also an expert system.[17] The Network Anomaly Detection and Intrusion Reporter (NADIR), also in 1991, was a prototype IDS developed at the Los Alamos National Laboratory's Integrated Computing Network (ICN), and was heavily influenced by the work of Denning and Lunt.[18] NADIR used a statistics-based anomaly detector and an expert system.

In 1990, the Time-based Inductive Machine (TIM) did anomaly detection using inductive learning of sequential user patterns in Common Lisp on a VAX 3500 computer.[13] The Network Security Monitor (NSM) performed masking on access matrices for anomaly detection on a Sun-3/50 workstation.[14] The Information Security Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies including statistics, a profile checker, and an expert system.[15] ComputerWatch at AT&T Bell Labs used statistics and rules for audit data reduction and intrusion detection.[16]

Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los Alamos National Laboratory.[12] W&S created rules based on statistical analysis, and then used those rules for anomaly detection.

The Multics intrusion detection and alerting system (MIDAS), an expert system using P-BEST and Lisp, was developed in 1988 based on the work of Denning and Neumann.[10] Haystack was also developed this year using statistics to reduce audit trails.[11]

Dorothy E. Denning, assisted by Peter G. Neumann, published a model of an IDS in 1986 that formed the basis for many systems today.[7] Her model used statistics for anomaly detection, and resulted in an early IDS at SRI International named the Intrusion Detection Expert System (IDES), which ran on Sun workstations and could consider both user and network level data.[8] IDES had a dual approach with a rule-based Expert System to detect known types of intrusions plus a statistical anomaly detection component based on profiles of users, host systems, and target systems. Lunt proposed adding an Artificial neural network as a third component. She said all three components could then report to a resolver. SRI followed IDES in 1993 with the Next-generation Intrusion Detection Expert System (NIDES).[9]

Fred Cohen noted in 1984 that it is impossible to detect an intrusion in every case, and that the resources needed to detect intrusions grow with the amount of usage.

One preliminary IDS concept consisted of a set of tools intended to help administrators review audit trails.[6] User access logs, file access logs, and system event logs are examples of audit trails.

Development

  • Fragmentation: by sending fragmented packets, the attacker will be under the radar and can easily bypass the detection system's ability to detect the attack signature.
  • Avoiding defaults: The TCP port utilised by a protocol does not always provide an indication to the protocol which is being transported. For example, an IDS may expect to detect a trojan on port 12345. If an attacker had reconfigured it to use a different port the IDS may not be able to detect the presence of the trojan.
  • Coordinated, low-bandwidth attacks: coordinating a scan among numerous attackers (or agents) and allocating different ports or hosts to different attackers makes it difficult for the IDS to correlate the captured packets and deduce that a network scan is in progress.
  • Address spoofing/proxying: attackers can increase the difficulty of the ability of Security Administrators to determine the source of the attack by using poorly secured or incorrectly configured proxy servers to bounce an attack. If the source is spoofed and bounced by a server then it makes it very difficult for IDS to detect the origin of the attack.
  • Pattern change evasion: IDS generally rely on ‘pattern matching’ to detect an attack. By changing the data used in the attack slightly, it may be possible to evade detection. For example, an IMAP server may be vulnerable to a buffer overflow, and an IDS is able to detect the attack signature of 10 common attack tools. By modifying the payload sent by the tool, so that it does not resemble the data that the IDS expects, it may be possible to evade detection.

There are a number of techniques which attackers are using, the following are considered ‘simple’ measures which can be taken to evade IDS:

Evasion techniques

  • Noise can severely limit an intrusion detection system's effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.[5]
  • It is not uncommon for the number of real attacks to be far below the number of false-alarms. Number of real attacks is often so far below the number of false-alarms that the real attacks are often missed and ignored.[5]
  • Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to newer strategies.[5]
  • For signature-based IDSes there will be lag between a new threat discovery and its signature being applied to the IDS. During this lag time the IDS will be unable to identify the threat.[2]
  • It can not compensate for a weak identification and authentication mechanisms or for weaknesses in network protocols. When an attacker gains access due to weak authentication mechanism then IDS can not prevent the adversary from any malpractise.
  • Encrypted packets are not processed by the intrusion detection software. Therefore, the encrypted packet can allow an intrusion to the network that is undiscovered until more significant network intrusions have occurred.
  • Intrusion detection software provides information based on the network address that is associated with the IP packet that is sent into the network. This is beneficial if the network address contained in the IP packet is accurate. However, the address that is contained in the IP packet could be faked or scrambled.
  • Due to the nature of NIDS systems, and the need for them to analyse protocols as they are captured, NIDS systems can be susceptible to same protocol based attacks that network hosts may be vulnerable. Invalid data and TCP/IP stack attacks may cause an NIDS to crash.Limitations.

Limitations

A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time your IDS would be unable to detect the new threat.

Signature-based IDS

An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. The baseline will identify what is “normal” for that network- what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous, or significantly different, than the baseline. The issue is that it may raise a False Positive alarm for a legitimate use of bandwidth if the baselines are not intelligently configured.[2]

Statistical anomaly-based IDS

All Intrusion Detection Systems use one of two detection techniques:

Statistical anomaly and signature-based IDSes

Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.

Comparison with firewalls

In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console or owner.[4] In a reactive system, also known as an intrusion prevention system (IPS), the IPS auto-responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. The term IDPS is commonly used where this can happen automatically or at the command of an operator; systems that both "detect (alert)" and "prevent".

Passive and reactive systems

Intrusion detection systems can also be system-specific using custom tools and honeypots.

Host intrusion detection systems run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected. It takes a snapshot of existing system files and matches it to the previous snapshot. If the critical system files were modified or deleted, the alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission critical machines, which are not expected to change their configurations.

Host Intrusion Detection Systems

Network intrusion detection systems NIDS are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. It performs an analysis for a passing traffic on the entire subnet, works in a promiscuous mode, and matches the traffic that is passed on the subnets to the library of known attacks. Once the attack is identified, or abnormal behavior is sensed, the alert can be sent to the administrator. Example of the NIDS would be installing it on the subnet where firewalls are located in order to see if someone is trying to break into the firewall. Ideally one would scan all inbound and outbound traffic, however doing so might create a bottleneck that would impair the overall speed of the network.

Network Intrusion Detection Systems

Intrusion detection systems are of two main types, network based (NIDS) and host based (HIDS) intrusion detection systems.

HIDS and NIDS

  • Burglar Alert/Alarm: A signal suggesting that a system has been or is being attacked.[2]
  • Detection Rate: The detection rate is defined as the number of intrusion instances detected by the system (True Positive) divided by the total number of intrusion instances present in the test set.[3]
  • False Alarm Rate: defined as the number of 'normal' patterns classified as attacks (False Positive) divided by the total number of 'normal' patterns.[3]
  • True Positive: A legitimate attack which triggers an IDS to produce an alarm.[2]
  • False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.[2]
  • False Negative: When no alarm is raised when an attack has taken place.[2]
  • True Negative: An event when no attack has taken place and no detection is made.
  • Noise: Data or interference that can trigger a false positive or obscure a true positive.[2]
  • Site policy: Guidelines within an organization that control the rules and configurations of an IDS.[2]
  • Site policy awareness: An IDS's ability to dynamically change its rules and configurations in response to changing environmental activity.[2]
  • Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.[2]
  • Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.[2]
  • Attacker or Intruder: An entity which tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
  • Masquerader: A person who attempts to gain unauthorized access to a system by pretending to be an authorized user. They are generally outside users.
  • Misfeasor: They are commonly internal users and can be of two types:
  • An authorized user with limited permissions.
  • A user with full permissions and who misuses their powers.
  • Clandestine user: A person who acts as a supervisor and tries to use his privileges so as to avoid being captured.

Terminology

Contents

  • Terminology 1
  • HIDS and NIDS 2
    • Network Intrusion Detection Systems 2.1
    • Host Intrusion Detection Systems 2.2
  • Passive and reactive systems 3
  • Comparison with firewalls 4
  • Statistical anomaly and signature-based IDSes 5
    • Statistical anomaly-based IDS 5.1
    • Signature-based IDS 5.2
  • Limitations 6
  • Evasion techniques 7
  • Development 8
  • See also 9
  • Free Intrusion Detection Systems 10
  • References 11
  • Further reading 12
  • External links 13

IDPSes typically record information related to observed events, notify security administrators of important observed events and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall) or changing the attack's content.[1]

[1]

This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and USA.gov, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for USA.gov and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
 
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
 
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.
 


Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.