lOMoARcPSD|19805106

KNC401
UNIT 2 (CSS) - css notes of unit 2

B.tech (Dr. A.P.J. Abdul Kalam Technical University)

By Deepak Singh
 lOMoARcPSD|19805106

UNIT 2 |AKTU

UNIT 2

Confidentiality Policies: Confinement Principle, Detour Unix user IDs process IDs and
privileges, more on confinement techniques, System call interposition, Error 404 digital
Hacking in India part 2 chase, VM based isolation, Confinement principle, Software fault
isolation, Rootkits, Intrusion Detection Systems

CONFIDENTIALITY POLICIES

A confidentiality policy is intended to protect secrets and to prevent unauthorized disclosure of

information so that an unauthorized person cannot access it. This type of protection is most
important in military and government organizations that need to keep plans and capabilities
secret from enemies.

Goals of Confidentiality Policies

 To ensure that secret information is protected from unauthorized disclosure.
 To prevent, detect and rectify confidentiality breaches.
 Monitor network communications for authorized transmissions of sensitive information.
Example: Privacy Act requires that certain personal data be kept confidential. E.g., income
tax return info only available to IT department and legal authority with court order. It limits
the distribution of documents and information.

Methods used to ensure Confidentiality of information are as follows:

1. Data Encryption
2. Take physical security measure (give complex User ID and complicated password).
3. Non-disclosure agreement.
4. Restrict access to data.
5. Two factor authentication

Threat to Confidentiality of data

1. Hackers
2. Masqueraders
3. Unauthorized user activity
4. Unprotected downloaded files
5. LAN
6. Trojan Files

Confidentiality Model
1. Bell-LaPadula Model: Here the relationship between OBJECTS that contain or receive
information and SUBJECT that causes the information to flow between the object are
described. The relationship between subject and object is described in terms of subject
assigned, level of access and the objects level of sensitivity.
OBJECTS (Information): Files, Records, Program
SUBJECTS (Users): Person, Process

2. Access and Control Model:

 It organises the system into OBJECT (resources being acted upon), SUBJECT (person
doing action) and operation (the process of interaction).
 A set of rule specifies which operation can be performed on an object by which subject.

By Deepak Singh
 lOMoARcPSD|19805106

UNIT 2 |AKTU

CONFINEMENT PRINCIPLE

 The confinement principle deals with preventing a server from disclosing the information
that the user of the service considers confidential. The confinement ensures that the web
server should allow accessing certain services to authorized users only.
 The confinement problem deals with preventing a process from taking disallowed actions.
 Consider a client/server situation: the client sends a data request to the server; the server
uses the data, performs some function, and sends the results (data) back to the client. In
this case the confinement problem deals with preventing a server from leaking information
that the user of that service considers confidential.
 Access control affects the function of the server in 2 ways.
Goal of service provider. The server must ensure that the resources it accesses on behalf
of the client include only those resources that the client is authorized to access.
Goal of the service user. The server must ensure that it does not reveal the client’s data
to any other entity not authorized to see the client’s data.

Approach of Confinement: If any application shows unauthorized activity, we need to

KILL it so that it should not harm rest of the system.

Confinement can be Implemented at many levels

1. Hardware Confinement or Air gapped system: We can use a computer which is totally
isolated from all the other computers present in the LAN, in our network. We can install
the required operating system and all other software present in this special dedicated
system and run untrusted application (hardware level). This is very expensive.
2. Virtual Machine Confinement: We can install a guest operating system in the virtual
machine (cloud computing environment) in our system, then run the untrusted
programmes on that machine. Isolate OS on a single machine.
3. Process Confinement: A process is isolated in a single operating system by a system
called interposition.
4. Thread Confinement: Isolating threads sharing the same address space. This is done by
software fault isolation (SFI).
5. Browser based Confinement: Not advisable to run any browser on the PC, only use
trusted browser.

Advantages of Confinement

1. Prevent system from malicious activity.

2. Unauthorized activity is terminated immediately.
3. Makes system user friendly.

Disadvantages of Confinement

1. Makes the system slow.

2. Can increase the probability of error in a system.
3. It is very expensive.

By Deepak Singh
 lOMoARcPSD|19805106

UNIT 2 |AKTU

DETOUR UNIX USER IDS, PROCESS IDS, and PRIVILEGES

Unix is an operating system which was first developed in 1960s, and has been under constant
development.
Operating Systems: suite of programs which make the computer work. It is a stable,
multiuser, multi-tasking system for server, desktops, and laptop. Various Operating systems
are: MS DOS, Windows OS, LINUX OS, SOLARIS OS, Symbian OS, Android Mobile OS,
iOS Mobile OS.

Detour is defined as few words about Unix user IDs and IDs associated with Unix processes.
1. Unix like operating system is identified by a different integer number, this unique number
is called as user identifier/ UserID/ UID.
2. UID along with the group identifier (GID) and other access control criteria, is used to
determine which system resources a user can access.
3. There are three types of UID defined for a process, which can be dynamically changed as
per the privilege of task.
a. Real UserID: It is account of owner of this process. It defines which files that this
process has access to.
b. Effective UserID: It is normally same as real UserID, but sometimes it is changed to
enable a non-privileged user to access files that can only be accessed by root. When the
effective user ID is zero means root/ super admin, then the process has unrestricted
access i.e., any security restrictions are bypassed for them.
c. Saved UserID: It is used when a process is running with elevated privileges (generally
root), subject needs to do some under-privileged work, saved UID can be given so that
temporarily switching of privileged account to non-privileged account can be achieved.

How to manage UNIX Security

Step I: Create Account EUID- Get user account under control, so each user truly has one
user name, one ID, one password, one home directory.
Step II: Authority (Task Execution)- Implement a central privileged access management
(PAM) solution to enable ongoing discovery of UNIX super user privileged and enforce
consistent management.
Step III: Check the correctness of Output- Enable UNIX privilege management system to
control what actions user can take while meeting compliance regulations and policies for
UNIX super usage privilege management (SUPM).

PROCESS IDS, and PRIVILEGES

• In a system where security is important application should run with fewest privilege
possible.
• Doing this help reduce the impact of possible compromise and can also help lower the
privileged escalation attack surface of the device.
• The more difficult it is for attacker to elevate applications privilege the better forcing
attackers to chain multiple attack against various application that each have minimal set of
privileges.

By Deepak Singh
 lOMoARcPSD|19805106

UNIT 2 |AKTU

CONFINEMENT TECHNIQUES

Following are the various confinement techniques

1. Chroot (change root):

a. A chroot on Unix operating systems is an operation that changes the apparent root
directory for the current running process.
b. The programs that run in this modified environment cannot access the files outside the
designated directory tree. This essentially limits their access to a directory tree and thus
they get the name chroot jail.
c. As the process cannot actually refer paths outside the modified root, it cannot
maliciously read or write to those locations.
The idea is that we create a directory tree where we copy or link in all the system files needed
for a process to run. We then use the chroot system call to change the root directory to be at
the base of this new tree and start the process running in that chrooted environment.

2. Jail kits:
a. Jail kit is a specialized tool that is developed with a focus on security.
b. Jail kit is a set of utilities to limit user accounts to specific files using chroot () or
specific commands.
c. Setting up a chroot shell, a shell is limited to some specific command and can be
automated using these utilities.
d. It will abort in a secure way if the configuration is not secure, and it will send useful log
messages that explain what is wrong to system log.
e. Jail kit is known to be used in network security applications.

3. FreeBSD jail:
a. FreeBSD is a popular free and open-source operating system that is based on the
Berkeley Software Distribution (BSD) version of the Unix operating system.
b. It runs on processors such as the Pentium that are compatible with Intel's x86.
c. FreeBSD is an alternative to Linux that will run Linux applications.
d. The jail mechanism is an implementation of FreeBSD’s OS-level virtualization that
allows system administrators to partition a FreeBSD-derived computer system into
several independent mini-systems called jails, all sharing the same kernel, with very
little Overhead.
e. The need for the FreeBSD jails came from a small shared-environment hosting
provider's desire to establish a clean, clear-cut separation between their own services
and those of their customers, mainly for security and ease of administration.

4. Scoping: It is defined as restricted data usage in a particular application, a scope for

running an application is given.

5. Access Control: It is the ability of a system to give restricted access so that only required
information is disclosed.

6. Data Handling and Encapsulation: It is to protect the data by encryption to avoid data
leakage.

By Deepak Singh
 lOMoARcPSD|19805106

UNIT 2 |AKTU

SYSTEM CALL INTERPOSITION

System call interposition is a powerful approach or method to restrict, regulate and monitor
the power of a program by intercepting its system calls.

A system call is the programmatic way or an instruction in which a computer program

requests a service from a respective operating system on which it is executed.
A computer programme makes a system call when it makes a request to the operating
system’s kernel. System call provides the services of the operating system to the user
programmes via Application Programme Interface (API). It provides an interface between a
process and operating system to allow user-level processes to request services of the
operating system. System calls are the only entry points into the kernel system. All
programmes needing resources must use system calls.
Basically, the system call is an instruction that request the operating system to perform
desired operation that needs hardware access or other privileged operations.
System call generates an interrupt that causes the operating system to gain control of the
CPU. The Operating system then finds out the type of system call and the corresponding
interrupt Handler routine is executive to perform the operation.
System call are inherently used for security reason. Due to the use of system calls, a user
program is not able to enter operating system or any other's uses region. Similarly Input and
Output Devices are also safe from any misuse of the user. Thus, using system call, kernel,
other user program, input output devices are safe and Secure from that malicious user
program.

The kernel is a core component of an operating system and serves as the main interface
between the computer's physical hardware and the processes running on it. The kernel
enables multiple applications to share hardware resources by providing access to CPU,
memory, disk I/O, and networking.

Kernel Space and User Space in Main Memory

Services Provided by System Calls

1. Process creation and management

By Deepak Singh
 lOMoARcPSD|19805106

UNIT 2 |AKTU

2. Main memory management

3. File Access, Directory and File system Management
4. Device handling (I/O).
5. Protection
6. Networking, etc

Types of System Calls: There are 5 different categories of system calls –

1. Process control: It is a system calls that is used to direct the processes. Such as
process creation, deletion, and termination, etc. There are some examples: fork ()-
create a process, Exit ()- terminate a process, kill ()- terminate a process abnormally,
Nice ()- increase a Priority of a process.

2. File management: It is a system call that is used to handle the files. Creation, Deletion,
Opening, Closing, Reading, and Writing are some general operations on files. Similarly
for organizing files, there is a directory system and thereby system calls for managing
them. Examples include creating files, delete files, open, close, read file, write, etc.
Create ()- to create a new file, Open ()- to open a file,
Close ()- to close a file, read ()- to read a file,
write ()- to write a file,
LSeek()- change the position of the read write pointer,
Link ()- give another name to a file,
unlink ()- delete a file in the directory,
Mkdir()- create a new directory.

3. Device management: It is a system call that is used that is used to deal with devices.
Examples include read device, write device, get device, attributes, release device,
request off device, and so on.

4. Information maintenance: It is a system call that is used for the purpose of transferring
information between the user program and the operating system Or to maintain
information. Examples include: getting system data, set time or date, set system data,
number of current users, Return current time and date, The version of the operating
system, Amount of free memory, etc.
Get time (), get processor (),
set time (), get date (),
get system data (), set process (),
Set time (), set custom data (),

By Deepak Singh
 lOMoARcPSD|19805106

UNIT 2 |AKTU

get file ().

5. Communication: It is a system call that is used for communication among the processes
in the system. Examples include: create, delete communication connections, send,
receive messages, etc.
General operations are- opening and closing the connection, sending, and receiving the
messages, reading, and writing messages and so on.
msgsnd() sending a message,
msgrcv() receiving a message
The system calls may be related to communication between processes either on the
same machine or between processes on different nodes of a network. Thus, inter
process communication is provided by the operating system through these
communication related system calls.

Objective: To damage host system, to delete or overwrite file, to do network attack

application must make a system call.
Idea: To monitor application system call and block unauthorised call.
Implementation Option: Completely OS (Kernel) space, Completely User space.

It works by replacing calls to system

functions with interposed functions
instead, which either approve or
reject the calls to base on security
policy. For example, an application
that does not need access to the
network would have its network
request function calls rejected. The
system call interface is a compelling
boundary on which to interpose, as
it allows virtually all an
application’s interactions with the
network, file system, and other
sensitive system resources to be
monitored and regulated.

By Deepak Singh
 lOMoARcPSD|19805106

UNIT 2 |AKTU

Error 404 Hacking Digital India Part 2 Chase

Some attacks discuss in error 404 digital hacking India part 2 chase are:
 Israel Power Grid hit by a big hack attack is being called one of the worst cyberattacks
ever.
 In 2014 a hydropower plant in upstate New York got hacked.
 France infrastructure including its main nuclear power plant is being targeted by a new
and dangerous powerful cyber worm.
 Bangladesh's best group hacked into nearly 20000 Indian websites including the Indian
border security force.
 First virus that could crash Power Grid or destroy the pipeline is available online for
anyone to download and tinker with.
 India’s biggest data breach, (the SBI debit card breach) when this happened Bank was
initially in a state of denial but subsequently, they had to own up the cyber security breach
that took place in Indian history.

VIRTUAL MACHINE (VM) BASED ISOLATION

 It is an isolated environment with access to a subset of physical resources of the computer

system. This is done by replacing the physical machine with virtual machine, running on
the same physical system.
 In the computing scenario, virtualisation is the creation of virtual versions of some real
objects such as hardware and software. Logical partitions of real objects are made, to
create instances of virtual objects. A well-known example is a hard disk drive. Each
partition of the hard disk in an operating system is the logical copy of origin al hard disk.

Types of VM Based Isolation

1. Process Virtual Machines Isolation:

a. Process virtual machines support individual processes or a group of processes and enforce
isolation between the processes and operating system environment.
b. Process virtual machines can run processes compiled for the same Instruction Set
Architecture based (ISA) or for a different ISA.
c. Isolation policies are provided by a runtime component which runs the processes under its
control.
d. Isolation is guaranteed because the virtual machine runtime does not allow direct access to
the resources.

By Deepak Singh
 lOMoARcPSD|19805106

UNIT 2 |AKTU

2. System Virtual Machines Isolation:

a. System virtual machines provide a full replica of the underlying platform and thus enable
complete operating systems to be run within it.
b. The system virtual machine monitor (SVM) runs at the highest privilege level and divides
the platforms hardware resources amongst multiple replicated guest systems.
c. All accesses by the guest systems to the underlying hardware resources are then mediated
by the virtual machine monitor.
d. This mediation provides the necessary isolation between the virtual machines.
e. System virtual machines can be implemented in a pure-isolation mode in which the virtual
systems do not share any resources between themselves or in a sharing-mode in which the
VM Monitor multiplexes resources between the machines.
f. Pure-isolation mode virtual machines are as good as separate physical machines.

3. Hosted Virtual Machines Isolation:

a. Hosted Virtual Machines are built on top of an existing operating system called the host.
b. The virtualization layer sits above the regular operating system and makes the virtual
machine look like an application process.
c. We then install complete operating systems called guest operating systems within the host
virtual machines.
d. The VM can provide the same instruction set architecture as the host platform or it may
also support a completely different Instruction Set Architecture (ISA).
e. VMware GSX Server is an example where the host ISA and guest ISA are same.
f. The processes running inside the virtual machine cannot affect the operation of processes
outside the virtual machine.

4. Hardware Virtual Machines Isolation:

a. Hardware virtual machines are virtual machines built using virtualization primitives
provided by the hardware like processor or I/O.
b. The advantage of hardware level virtualization is tremendous performance improvements
over the software-based approaches and guarantees better isolation between machines.
c. The isolation provided by the hardware assisted virtualization is more secure than that
provided by its software counterpart.

Advantages of VM:

1. Less physical hardware.

2. Central location to manage all assets.
3. More eco-friendly: maximize your machines’ potential while saving money on energy
costs.
4. Disaster recovery is quick.
5. Expansion potentials. With the infrastructure in place, it is simply a matter of deploying a
new machine and configuring. No need to go buy new servers.
6. Software licensing. Many software packages (such as Rockwell products) tie a license
key to a hard drive ID. In a virtual environment, the hard drive ID stays the same no
matter which piece of hardware it is running on.

By Deepak Singh
 lOMoARcPSD|19805106

UNIT 2 |AKTU

SOFTWARE FAULT ISOLATION

We have been discussing protection measures that a single operating system can provide.
Confinement….
Another way to get programs to behave in a manner consistent with a given security policy is
by "brainwashing." That is, modify the programs so that they behave only in safe ways.
This is embodied by an approach to security known as Software-Based Fault
Isolation (SFI).
While protecting a computer system, it is necessary to isolate an untrusted component into
a separate protection domain and provide controlled interaction between the domain and
the rest of the system. SFI establishes a logical protection domain by inserting dynamic
checks before memory and control transfer instructions.
Compared to other isolation mechanism, it has high efficiency and not rely on special
hardware or OS support.

 It is a security enhancing program transformation for instrumenting an untrusted

binary module so that it runs inside a dedicated isolated address space called
Sandbox. Fault isolation is part of determining the cause of a problem also called
fault diagnosis. It also deals with method that can isolate the component, device or
software module which is causing error in the system. SFI has been successfully
applied in many applications such as isolating OS Kernel extensions, isolating plug
ins in browsers and isolating native libraries in the JAVA virtual machine.

So far, the environment has been responsible for policy enforcement, where the environment
is either the OS/kernel or the hardware. Hardware methods include addressing mechanisms
(e.g., virtual memory); OS methods include having two modes (where the supervisor mode
has access to everything).

 In this approach we construct a piece of software that transforms a given program p

into a program p', where p' is guaranteed to satisfy a security policy of interest.

This SFI SW transformation could be any number of things. It could be a piece of the
compiler or of the loader. It could also involve a separate pass over machine language code
before execution commences. The point is that we are modifying the program before it is
executed. (One easy realization of SFI SW is to always output a program that does nothing.

By Deepak Singh
 lOMoARcPSD|19805106

UNIT 2 |AKTU

However, there are likely to be properties of the original program that we are interested in
preserving, and these properties might not be satisfied by a program that does nothing.)

When would the SFI approach be useful

 If we are trying to run programs on a machine that lacks suitable protection hardware, then
with this method we can achieve the functionality that the hardware does not support.
 Another application is when hardware does not support the security policy of interest. This
is likely to become increasingly important, especially in situations where security policies
relate to higher-level abstractions (e.g., paragraphs in a document being assigned security
ratings). If the hardware or the OS software does not know about a particular abstraction,
we can add a program as described above to handle it.
 The original motivation for this approach was performance. We can use SFI to achieve
memory protection at a low cost. Most operating systems/HW provide security by
protecting disjoint address spaces. However, programs operating in these isolated address
spaces need to communicate with each other. An inter-process communication (IPC)
provided by the operating system is invariably 10-100 times as costly as a procedure call.
An IPC needs to trap, copy arguments, save/restore arguments, change the address space
and then repeat all the above on the way out. We would like to avoid this costly
mechanism and can replace it with SFI.
 Another use might be for programs that support plug-ins. We would like to protect the
main program (e.g., a browser) from buggy plug-ins. This is a form of "sub-address space"
protection, since the browser and the plug-in execute in the same address space.
 Finally, this approach is useful for programs comprising many "objects." Such programs
would profit from having sub-address space level protection. If one object "goes bad," it
would be nice if that behavior did not trash everything else. However, an IPC-like
operation that would accompany operating system address space protection is likely to be
much too expensive for use with every method invocation.

MOVING ONE STEP AHEAD OF ATTACKER

Techniques of Implementing SFI

1. Segment Matching: Insert checking code before every unsafe instruction. If checking
fails then trap the instruction.
2. Optimization: Instead of checking, simply overwrite the segment bit.
3. Data Sharing: Share data among system in order to cross verify error.
4. Cross Domain Communication: Connect to different domain while accessing a data.

ROOTKITS

‘Root’ refers to the admin account on Unix & Linux system and ‘Kit’ refers to malwares such
as trojans, worms, viruses that conceal their existence and action from users & other system
processes.
A rootkit is a type of malware, basically malicious used by cybercriminals to gain control
over a target computer or network. Once they control the entire system, they can steal any
information from computer.

How Hacker Install Rootkit on Target Computer

1. By sending attractive video link.
2. Downloading a trojan or apk file
3. Downloading any unknown software.

By Deepak Singh
 lOMoARcPSD|19805106

UNIT 2 |AKTU

Types of Rootkits

1. Hardware/ Firmware Toolkit: It can affect or replace the main hardware of the system.
This toolkit is installed in the computer system. This malware has the potential to disrupt
the system’s hard drive or BIOS or the memory chip installed on the motherboard, router.
Intruders use this to gain access to the data on the disk.
2. Bootloader Rootkit: It can affect or replace the OS installed on a computer. The
bootloader does the work of loading on the operating system of the computer when the
machine is turned on. Once the bootloader is started, the authentic is attacked, and the
hacked one replaces it.
3. Memory Rootkit: It can affect or replace the entire memory space of PC. Memory rootkit
hides the RAM, and it carries out distrustful activities in the background. They generally
have a short lifespan. Mostly they disappear once the system is rebutted. However, in rare
situations, further work may be necessary.
4. Application Rootkit: It replaces original application by hacked one. The standard files are
replaced by the rootkit ones. There may be a change in the way the standard application
works. Few programs like Word, Paint may be infected. Hackers and intruders will have
access whenever these programs are started. The infected system will be still functioning,
making it challenging for the users to notice the rootkit.
5. Kernel Mode Rootkits: The focus of this rootkit is to attack the core system of the
operating system. This often results in changing the way of functioning of the operating
system. They easily add their code by which they gain easy access to steal personal
information.
6. Virtual Rootkit: It takes control of OS in virtual manner.

Rootkit Examples: Stuxnet, flame, Necurs, Zero Access, TDSS.

Detecting the presence of a rootkit on a computer can be difficult, as this kind of malware is
explicitly designed to stay hidden. Rootkits can also disable security software, which makes
the task even harder. As a result, rootkit malware could remain on your computer for a long
time causing significant damage. If a rootkit has already infected a system, though, the
detection and removal of the rootkit requires much more sophisticated techniques than are
required for a typical infection. Basically, the best prevention relies on the fact that the rootkit
has not yet had a chance to hide itself in the system.

Possible signs of Rootkit malware include:

1. Blue Screen: A large volume of Windows error messages or blue screens with white text
(called” the blue screen of death”), while your computer constantly needs to reboot.
2. Unusual Web Browser Behaviour: This might include unrecognized bookmarks or link
redirection.
3. Slow Device Performance: Device may take a while to start and perform slowly or freeze
often. It might also fail to respond to input from the mouse or keyboard.

By Deepak Singh
 lOMoARcPSD|19805106

UNIT 2 |AKTU

4. Windows Settings Change Without Permission: Examples might include screensaver

changing, the taskbar hiding itself, or the incorrect date and time displaying when you
have not changed anything.
5. Web Page Do Not Function Properly: Web pages or network activities appear
intermittent or do not function properly because of excessive network traffic.

Rootkit Prevention
As rootkits can be dangerous and difficult to detect, it is important to stay vigilant when
browsing the internet or downloading programme.
1. Use A Comprehensive Cyber Security Solution: Install advanced antivirus solutions.
Kaspersky total security provides full scale protection from cyber threats and allows to run
rootkit scans.
2. Use dedicated firewall.
3. Keep all programme and operating system up to date.
4. Download files from trusted source only. Download software from reputed sites only. Do
not ignore web browsers warnings when it tells that a website, we are trying to visit is
unsafe.
5. Be alert to change in your PC behaviour.

INTRUSION DETECTION SYSTEMS

Intruder: A person who wants to gain unauthorized access to a network for some criminal
intension, to steal or corrupt data.
Outside Intruder (Masquerade): They are outside system, to steal or break credential to enter
or penetrate a system or network.
Inside Intruder (Misfeasor): have access to system with some restriction, starts misusing
resources.
Insider intruder is more harmful than outside.
Intrusion: An unauthorised access to a system by an intruder.
Intrusion Detection System (IDS): It monitor data packets in the system. Check whether
resources are not getting misused. When it observes any suspicious activity IDS alerts the
system admin so that system can be saved of damage.

An Intrusion Detection System (IDS) is a system that monitors network traffic for
suspicious activity and issues alerts when any such activity is discovered. It is a software
application that scans a network or a system for the harmful activity or policy breaching.
Any malicious venture or violation is normally reported either to an administrator or
collected centrally using a security information and event management (SIEM) system.

Classification of IDS
1. Network IDS (NIDS):
 Network based
 Monitors- Data packets travelling in network.
 Captures- Detect malicious data present into packets (where, from). If match is found it
means some attack is going to happen. Try to resolve attack.
 Analyse network traffic: matches traffic to the library of known attack.
 NIDS Analysis is very difficult in busy network.

By Deepak Singh
 lOMoARcPSD|19805106

UNIT 2 |AKTU

Network intrusion detection systems (NIDS) are set up at a planned point within the
network to examine traffic from all devices on the network. It performs an observation of
passing traffic on the entire subnet and matches the traffic that is passed on the subnets to
the collection of known attacks. Once an attack is identified or abnormal behavior is
observed, the alert can be sent to the administrator. An example of a NIDS is installing it on
the subnet where firewalls are located in order to see if someone is trying to crack the
firewall.

2. Host Intrusion Detection System (HIDS)

 Host based
 Installed on individual host or device on network.
 It monitors data packets from the device only and will alert the admin if suspicious
activity is detected.
 Takes snapshot (screen shot) and compares existing system (current/ running) with
previous system (initial/ ideal/clean/ undamaged).
 If files are deleted or modified then it means that suspicious thing is happening, a
message should be send so that attack can be avoided.
Host intrusion detection systems (HIDS) run on independent hosts or devices on the
network. A HIDS monitors the incoming and outgoing packets from the device only and
will alert the administrator if suspicious or malicious activity is detected. It takes a snapshot
of existing system files and compares it with the previous snapshot. If the analytical system
files were edited or deleted, an alert is sent to the administrator to investigate. An example
of HIDS usage can be seen on mission-critical machines, which are not expected to change
their layout.
3. Protocol-based Intrusion Detection System (PIDS): Protocol-based intrusion
detection system (PIDS) comprises a system or agent that would consistently resides at the
front end of a server, controlling and interpreting the protocol between a user/device
and the server. It is trying to secure the web server by regularly monitoring the HTTPS
protocol stream and accept the related HTTP protocol. As HTTPS is un-encrypted and
before instantly entering its web presentation layer then this system would need to reside in
this interface, between to use the HTTPS.
4. Application Protocol-based Intrusion Detection System (APIDS): Application
Protocol-based Intrusion Detection System (APIDS) is a system or agent that generally
resides within a group of servers. It identifies the intrusions by monitoring and interpreting
the communication on application-specific protocols. For example, this would monitor the
SQL protocol explicit to the middleware as it transacts with the database in the web server.

5. Hybrid Intrusion Detection System: Hybrid intrusion detection system is made by the
combination of two or more approaches of the intrusion detection system. In the hybrid
intrusion detection system, host agent or system data is combined with network information
to develop a complete view of the network system. Hybrid intrusion detection system is more
effective in comparison to the other intrusion detection system. Prelude is an example of
Hybrid IDS.

Detection Method of IDS:

1. Signature-based Method: Signature-based IDS detects the attacks based on the specific
patterns such as number of bytes or number of 1’s or number of 0’s in the network
traffic. It also detects based on the already known malicious instruction sequence that is
used by the malware. The detected patterns in the IDS are known as signatures. Signature-
based IDS can easily detect the attacks whose pattern (signature) already

By Deepak Singh
 lOMoARcPSD|19805106

UNIT 2 |AKTU

exists in system but it is quite difficult to detect the new malware attacks as their pattern
(signature) is not known.
2. Anomaly-based Method: Anomaly-based IDS was introduced to detect unknown
malware attacks as new malware are developed rapidly. In anomaly-based IDS there is use
of machine learning to create a trustful activity model and anything coming is compared
with that model and it is declared suspicious if it is not found in model. Machine learning-
based method has a better-generalized property in comparison to signature-based IDS as
these models can be trained according to the applications and hardware configurations.

Advantages of IDS:
1) Protects the device, system, software, OS, hardware with unauthorized access.
2) Uses latest method which attacker can implement in current scenario.

Disadvantages of IDS:
1) May or may not be able to track error some times.

By Deepak Singh