CHAPTER 14
Intrusion Detection Systems

14.1 INTRODUCTION

Network security is becoming increasingly important in modern systems. The use of computer networks in day-to-day life has increased the need for network security systems. With the development of networking and interoperation on public networks, the number and the severity of security threats have increased significantly. The Internet has changed human life completely, and the applications of computers using the Internet are unlimited. Unfortunately, due to the large-scale use of the Internet, the risks and chances of attacks have also increased, so it is essential to protect our systems from different attacks. The system which is used to detect such attacks is called an intrusion detection system (IDS). The process of identifying attacks on a system or network is called intrusion detection. An intrusion is a deliberate or unauthorised activity that attempts to access or manipulate information, or to compromise the security of a system so as to make it unreliable or unusable. An intruder is the person responsible for an intrusion. He may be a person from inside the network, i.e., a legitimate user of the network, or from outside the network.

It is a well-known thought that prevention is better than cure, and the same applies to computer systems and networks. Generally, a firewall is used to prevent attacks on the network. A firewall has a set of rules, and it blocks those attacks which are defined in advance as rules. So a firewall cannot stop a new attack for which no rule is defined. In this case an IDS is useful to detect the new attack, but it is unrealistic to expect to prevent all attacks. An IDS collects information from inside as well as from outside the network and analyses this information to identify whether there is an intrusion or not.

Intrusion detection is different from intrusion prevention. Intrusion detection is the process of observing the incoming and outgoing traffic, collecting the data and analysing it for possible attacks. Intrusion prevention is the process of detecting the attacks and then endeavouring to block the detected intrusion.

Intruders are classified into different types depending on the identity of the person who has unauthorised access to the system:
1. Masquerader: This refers to an unauthorised user who gains access to a computer system by using a legitimate user's account. A masquerader is generally an outsider.
2. Misfeasor: This refers to a legitimate user who accesses resources that he is not authorised to access, or a user who is an authorised user of the system but misuses his privileges. A misfeasor is generally an insider.
3. Clandestine user: This refers to a user who seizes supervisory control over the system. A clandestine user may be either an insider or an outsider.

Anderson first introduced the concept of intrusion detection in 1980. He considered an intrusion to be the potential possibility of a deliberate unauthorised attempt to
1. access information,
2. manipulate information, or
3. render a system unreliable or unusable.
After 1980, many techniques for intrusion detection have been studied.

14.2 INTRUSION DETECTION

Intrusion detection means detecting the exploitation of vulnerabilities against a computer system or against any application. An intrusion detection system provides information about such vulnerabilities to the network administrator and helps him in preparing defences against such attacks or in dealing with the vulnerabilities. It includes the collection of information by monitoring the network traffic and the suspicious activities in the network. It also collects information about these vulnerabilities from different sources and analyses it. Many people think that a firewall is sufficient to protect their network and can recognise attacks on the network and block intrusions. But the fact is that a firewall works just like the fence around a house.
It restricts access to the designated points on the network, but the whole network cannot be secured using a firewall alone. A firewall cannot detect new attacks on the network; the detection of new attacks is done by an IDS. Intrusion detection provides the following functions:
1. Monitoring and analysing both user and system activities
2. Analysing system configurations and vulnerabilities
3. Assessing the integrity of the system and its files
4. Analysing activity patterns based on known attack patterns
5. Analysing abnormal activity patterns
6. Tracking policy violations by users
7. Auditing the operating system

Today, it is more difficult than ever to provide 100% security to any network. The tools used for attacks are very user-friendly, and many are freely available, so no prior technical knowledge is required to launch an attack with modern tools.

Depending on the architecture, intrusion detection systems are of the following two types:
1. Network intrusion detection system (NIDS): It works on the network and monitors all the traffic passing through the network. If an attack is identified or some abnormal behaviour is observed, then an alert is sent to the network administrator.
2. Host intrusion detection system (HIDS): It works on a single host. It takes a snapshot of the existing system files and compares it with the previous snapshot available. If critical system files are found modified or deleted, then an alert is sent to the administrator.

14.3 INTRUSION DETECTION SYSTEM

An intrusion detection system (IDS) is a security system that monitors the network traffic and analyses the data for possible attacks from outside the network or from inside the network. An IDS can be categorised depending on the method of detection. Following are the categories of IDS:
1. Misuse-based detection versus anomaly-based detection: A misuse-based intrusion detection system uses a database of previous attack patterns and known vulnerabilities as a reference. Each intrusion has some specific pattern, called its signature, which is used to identify the attack on the computer system or on the network. So this system is also called a signature-based IDS. The drawback of a misuse-based IDS is that the database needs to be updated frequently; if there are new attacks whose signatures are not in the database, this IDS will fail to identify them. In an anomaly-based intrusion detection system, a baseline or learned pattern of normal system activity is used as the reference to identify an intrusion, and an alarm is triggered when the observed activity deviates from the baseline. The drawback of this method is that it has a higher false alarm rate.
2. Network-based system versus host-based system: A network-based intrusion detection system monitors the packets that flow over the network. These packets are compared with the reference data present and then analysed, and it is verified whether the packet is malicious or benign. It is responsible for monitoring activity across the whole network, so its sensors are distributed across the network. A network-based IDS uses the packet-sniffing technique to collect the packets from the network. The architecture of a network-based IDS is shown in Figure 14.1. A host-based IDS, in contrast, runs on a single host and examines the activity and files of that host only.
3. Passive system versus active system: A passive IDS is configured only to monitor the network traffic; if an attack is detected, it sends an alert to the network administrator. It is not able to protect against or block the attack. An active IDS blocks suspicious attacks automatically, so no intervention from the network administrator is required. It is also called an intrusion detection and prevention system. The advantage of this method is that it takes real-time action against the intrusion.

Figure 14.1 Network-based IDS.

14.3.1 Need for Intrusion Detection Systems

A large share of the total security attacks on a network come from users inside the network. These users may be authorised users who misuse their privileges. The remaining attacks come from outside the network; they consist mainly of denial of service attacks or attacks to penetrate the infrastructure of the network. To protect the network from all these types of attacks, an IDS is an integral part of network information security, and it is helpful for the complete supervision of the network. An IDS is useful to
1. prevent problematic behaviour of the system,
2. detect various attacks and vulnerabilities in the network,
3. detect new attacks and identify their signatures, and
4. protect the network from internal as well as external users.

Nowadays, due to the availability of attack tools, it is very easy to attack any computer system or network. There are different methods to protect the system or network from these attacks. Firstly, develop a fully secure computer system or network, which is accessible only to authenticated and authorised users. Secondly, use cryptographic methods to protect the data and apply tight access control. But in real life, these solutions are not fully feasible, for the following reasons:
1. In actual practice, it is not possible to develop a completely secure system. Designing and implementing a totally secure system is an extremely difficult task.
2. The use of cryptographic methods to protect information has its own limitations. The security of these methods depends on the secrecy of the key. If an attacker is able to capture the secret key, then he can read and change the data, and the entire system is broken.
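The host intrusion detection system described in Section 14.2 (a snapshot of system files compared with an earlier snapshot, with an alert when critical files are modified or deleted) is small enough to show in full. The following is an added example, not code from the chapter: it hashes every file under a directory, compares two snapshots, and raises alerts according to a policy set of critical paths. The directory layout, file contents and the critical set are constructed for the demo.

```python
"""Host-based IDS file-integrity check: baseline snapshot (path -> SHA-256),
later snapshot, and alerts for modified/deleted critical files.

Added example; not code from the chapter. Directory layout, file contents
and the 'critical' policy set are constructed for the demo."""
import hashlib
import os
import tempfile


def take_snapshot(root):
    """Map every regular file under root (path relative to root, '/' separated)
    to the SHA-256 digest of its contents."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snapshot[rel] = digest
    return snapshot


def compare_snapshots(baseline, current):
    """Files whose digest changed, files that vanished, files that appeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def alerts_for(changes, critical):
    """Alert on a modified or deleted critical file; report new files at
    informational level so an analyst can review them."""
    alerts = []
    alerts += [f"ALERT modified: {p}" for p in changes["modified"] if p in critical]
    alerts += [f"ALERT deleted: {p}" for p in changes["deleted"] if p in critical]
    alerts += [f"INFO new file: {p}" for p in changes["added"]]
    return alerts


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a tiny constructed filesystem, snapshot it, simulate an intruder
    and one legitimate change, and return (changes, alerts)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/shadow", b"root:*:19000:0:99999:7:::\n")
        _write(root, "bin/login", b"\x7fELF original login binary\n")
        _write(root, "var/log/syslog", b"boot ok\n")
        baseline = take_snapshot(root)

        # Simulated intruder: trojan the login binary, remove shadow, drop a backdoor.
        _write(root, "bin/login", b"\x7fELF trojaned login binary\n")
        os.remove(os.path.join(root, "etc", "shadow"))
        _write(root, "tmp/.backdoor", b"#!/bin/sh\nexec /bin/sh -i\n")
        # Legitimate change: the log file simply grew.
        _write(root, "var/log/syslog", b"boot ok\nuser login\n")

        current = take_snapshot(root)
        changes = compare_snapshots(baseline, current)
        critical = {"etc/passwd", "etc/shadow", "bin/login"}  # policy, constructed
        return changes, alerts_for(changes, critical)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Two practical points follow from the code: the baseline must be stored where an intruder who has taken the host cannot rewrite it (read-only media or a separate host), and the check only sees the state at snapshot time, so a file that is modified and restored between two runs is invisible to it.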
3. Many times, the protective measures are designed only to prevent external attacks. But as discussed above, a large proportion of the total attacks are caused internally by legitimate users who misuse their privileges.
4. If we tighten the access control, the efficiency of the system reduces.

So an IDS is used to detect attacks rather than only to prevent them. It works as an informative system for the network administrator: when an attack is detected, the administrator is informed and can take action.

14.3.2 Intrusion Detection Methods

Intrusion detection can be done using the following strategies:
1. Define the rules for the normal behaviour of the computer system or network, and then search for any change in the behaviour of the system.
2. Define the patterns of the attacks, and then search for the occurrence of an attack.
The first strategy is called anomaly-based IDS and the second strategy is called misuse-based IDS. We now discuss these methods in the subsequent sections.

Anomaly-based Detection

Anomaly-based detection techniques are based on the assumption that all intrusive activities are anomalous. Therefore, we have to build a system with a profile of the normal activity of the computer system and then wait for anomalous activities to happen. That is, we identify the system states whose behaviour differs from the normal established profile. Such activities are identified as intrusive and flagged as intrusions. However, the set of intrusive activities and the set of anomalous activities are not exactly the same; they only overlap. So there are two possibilities:
1. Some activities are anomalous but not intrusive. Such activities are flagged as intrusions, which results in false positives.
2. Some activities are intrusive but not anomalous. Such activities are not flagged and are treated as normal, which results in false negatives.

A false negative is a serious problem, as malicious packets are allowed into the network or system as normal packets and may harm the system. False positives increase the burden on the IDS and deteriorate its performance. To reduce the false positives in the system, generally a threshold is used. In an anomaly-based IDS, the creation of the system profile and also the updating of the system profile are required. The advantage of this method is that it is able to detect new or unknown attacks. A block diagram of an anomaly-based detection system is shown in Figure 14.2.

Figure 14.2 Anomaly-based detection system (audit data are compared against the system profile to decide the attack state).

Advantages of anomaly-based detection systems are as follows:
1. It is possible to detect new or unknown attacks.
2. Internal attacks can be detected easily.
Disadvantages of anomaly-based detection systems are as follows:
1. False alarms (false positives) are more.
2. It is expensive.
3. Accuracy is less.

Misuse-based Detection

In the misuse-based detection method, the patterns or signatures of known attacks are stored. Each intrusion is represented by a signature, and the variations of the same attack have to be covered by the signature. Misuse-based detection systems use a database containing a number of such patterns. The system compares the observed data with the stored patterns in its database. If a match is found, then an alarm is generated; if no match is found, the activity is considered legitimate. The success of the misuse-based detection method depends on the signatures. The database should include all possible signatures and their variations for different attacks, and also for normal activities. How to generate these patterns or signatures is the main issue of this approach. A block diagram of a misuse-based detection system is shown in Figure 14.3.

Figure 14.3 Misuse-based detection system (audit data and timing information are matched against the stored patterns; new rules are added and existing rules modified over time).
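The misuse-based detector described above, and the false positive and false negative cases from the anomaly discussion, can be made concrete on a few log lines. The following is an added example, not code from the chapter: a small signature database of regular expressions (the expression-matching form of misuse detection from Section 14.5.1) run over constructed web-server access-log lines. Each line carries a ground-truth label that a real IDS never has; it is used only to score the detector, which sees the line text alone. One benign line (a tutorial page whose URL contains an injection string) produces a false positive, and one attack with no signature in the database produces a false negative, which is exactly the "cannot detect new attacks" drawback.

```python
"""Misuse (signature-based) detection over access-log lines with confusion
counts. Added example; signatures, log lines and labels are constructed."""
import re
from urllib.parse import unquote

# Signature database: name -> pattern applied to the decoded request line and
# to the User-Agent. Constructed for the example; real sets are much larger.
SIGNATURES = {
    "sqli-tautology": re.compile(r"(?i)'\s*or\s+1\s*=\s*1"),
    "dir-traversal": re.compile(r"(?:\.\./){2,}"),
    "xss-script-tag": re.compile(r"(?i)<script\b"),
    "scanner-user-agent": re.compile(r"(?i)\b(?:nikto|sqlmap|masscan)\b"),
}

# ip ident user [time] "request" status size "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ua>[^"]*)"$'
)

T = "[10/Oct/2023:13:55:36 +0000]"
# Constructed lines; the label is ground truth used only for scoring.
LABELLED_LOG = [
    (f'203.0.113.5 - - {T} "GET /index.html HTTP/1.1" 200 2326 "Mozilla/5.0"', "benign"),
    (f'198.51.100.7 - - {T} "GET /login.php?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200 512 "Mozilla/5.0"', "attack"),
    (f'198.51.100.7 - - {T} "GET /../../../../etc/passwd HTTP/1.1" 404 209 "Mozilla/5.0"', "attack"),
    (f'192.0.2.44 - - {T} "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1044 "Mozilla/5.0"', "attack"),
    # A tutorial page whose URL quotes an injection string: anomalous text, not an attack.
    (f'192.0.2.9 - - {T} "GET /blog/sqli-primer?example=%27%20or%201%3D1 HTTP/1.1" 200 8812 "Mozilla/5.0"', "benign"),
    # A new attack type (absolute-path file read) with no signature in the database yet.
    (f'198.51.100.7 - - {T} "GET /api/export?file=/etc/passwd HTTP/1.1" 200 1407 "Mozilla/5.0"', "attack"),
    (f'198.51.100.23 - - {T} "GET /admin/ HTTP/1.1" 403 162 "sqlmap/1.7"', "attack"),
    (f'203.0.113.5 - - {T} "POST /login.php HTTP/1.1" 302 0 "Mozilla/5.0"', "benign"),
]


def parse_line(line):
    """Split one access-log line into fields; the request is URL-decoded so
    that %27 and ' are matched by the same signature."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["req"] = unquote(entry["req"])
    return entry


def match_signatures(entry):
    """Names of every signature that matches the request or the user agent."""
    return [name for name, pat in SIGNATURES.items()
            if pat.search(entry["req"]) or pat.search(entry["ua"])]


def evaluate(labelled_log):
    """Run the detector over labelled lines; return (confusion counts, alerts)."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    alerts = []
    for line, label in labelled_log:
        entry = parse_line(line)
        hits = match_signatures(entry) if entry else []
        if hits:
            alerts.append((entry["ip"], hits))
        if label == "attack":
            counts["tp" if hits else "fn"] += 1
        else:
            counts["fp" if hits else "tn"] += 1
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = evaluate(LABELLED_LOG)
    for ip, hits in alerts:
        print(f"alert from {ip}: {', '.join(hits)}")
    print(counts)
```

The decoding step before matching matters as much as the signatures: without it the `%27%20OR%201%3D1` request would slip past the tautology pattern, which is the simplest form of signature evasion.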
The only advantage of a misuse-based detection system is that it generally produces very few false positives. Its disadvantages are as under:
1. A lot of effort is required for the generation of the pattern or signature database.
2. It cannot detect new attacks.

14.4 ANOMALY-BASED INTRUSION DETECTION SYSTEMS

Anomaly-based intrusion detection systems have a few major approaches to detect intrusions. Some of these approaches are described here.

14.4.1 Statistical Approach

The statistical approach is the earliest method used for intrusion detection. It is assumed that normal behaviour and malicious behaviour are different, so statistical measures can be used to differentiate the normal user from the intruder. In this approach, behaviour profiles are generated from the normal users' behaviour, and the variances are computed from these profiles. The profile is adaptive: it is updated gradually as new behaviour is observed. The performance of this approach is good, but its drawback is that an intruder can train the profile gradually, so that the intrusions come to be treated as normal. Some of the statistical measures used for IDS are as follows:
1. Threshold: It is a heuristic limit on the number of times an event, or a count of events, may occur within a specific interval. For example, logging into a user account is not allowed after a specific number of failed login attempts.
2. Mean and standard deviation: The confidence interval for abnormality is computed using the mean and standard deviation of the profile. This model compares the event measures with the profile's expectations.
3. Multivariate model: This model computes the correlation between different event measures with respect to the profile's expectations.
4. Markov process model: This model considers the types of events with respect to the state variables in a state transition matrix.
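The threshold model and the mean/standard-deviation model above, and the two drawbacks of the statistical approach (sensitivity to the threshold and an intruder training an adaptive profile), can all be seen on one small data set. The following is an added example, not code from the chapter. The per-account history of hourly failed-login counts, the new intervals to judge and their ground-truth labels are constructed for the demo; the labels are used only for scoring. The mean/standard-deviation model is run with two values of the band width k, a single global threshold is run for comparison, and a slow ramp of failed logins is fed to an adaptive profile that is refit after every interval it accepts.

```python
"""Statistical anomaly detection: threshold model, mean/sd model, threshold
sensitivity, and the 'train the profile gradually' weakness.
Added example; history, observations and labels are constructed."""
import math

# Training data: failed logins per hour for each account while the profile was
# built. 'batch' is a service account whose job retries a stale credential, so
# a high count is normal for it.
HISTORY = {
    "alice": [1, 0, 1, 2, 0, 1, 1, 0],
    "batch": [8, 9, 8, 10, 9, 8, 9, 11],
}

# New intervals to judge: (account, failed logins this hour, ground truth).
OBSERVATIONS = [
    ("alice", 1, "normal"),
    ("alice", 6, "attack"),   # password guessing against alice
    ("alice", 3, "normal"),   # she forgot a new password
    ("batch", 10, "normal"),
    ("batch", 12, "attack"),  # guessing on top of the job's usual retries
    ("batch", 9, "normal"),
]

SD_FLOOR = 0.5  # a perfectly regular account still gets a band to deviate in


def profile_of(counts):
    """Mean and (population) standard deviation of one account's counts."""
    n = len(counts)
    mean = sum(counts) / n
    sd = math.sqrt(sum((c - mean) ** 2 for c in counts) / n)
    return mean, sd


def build_profile(history):
    return {user: profile_of(counts) for user, counts in history.items()}


def mean_sd_anomalous(profile, user, count, k):
    """Mean/standard-deviation model: flag if count is outside mean +/- k*sd."""
    mean, sd = profile[user]
    return abs(count - mean) > k * max(sd, SD_FLOOR)


def fixed_limit_anomalous(count, limit):
    """Threshold model: one global limit on events per interval."""
    return count > limit


def score(decisions):
    """Confusion counts from (flagged, label) pairs."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for flagged, label in decisions:
        if label == "attack":
            counts["tp" if flagged else "fn"] += 1
        else:
            counts["fp" if flagged else "tn"] += 1
    return counts


def evaluate_mean_sd(profile, observations, k):
    return score((mean_sd_anomalous(profile, u, c, k), label) for u, c, label in observations)


def evaluate_fixed_limit(observations, limit):
    return score((fixed_limit_anomalous(c, limit), label) for _u, c, label in observations)


def first_flagged_during_ramp(history, ramp, k):
    """Adaptive profile: refit after every interval that was not flagged.
    Returns the first ramp value that is flagged, or None if the intruder
    trains the profile all the way up without being noticed."""
    counts = list(history)
    for value in ramp:
        mean, sd = profile_of(counts)
        if abs(value - mean) > k * max(sd, SD_FLOOR):
            return value
        counts.append(value)
    return None


if __name__ == "__main__":
    prof = build_profile(HISTORY)
    for k in (2, 4):
        print(f"mean/sd model, k={k}:", evaluate_mean_sd(prof, OBSERVATIONS, k))
    print("fixed limit 5:", evaluate_fixed_limit(OBSERVATIONS, 5))
    ramp = [2, 3, 4, 5, 6, 7, 8]
    for k in (2, 4):
        print(f"slow ramp, k={k}: first flagged =",
              first_flagged_during_ramp(HISTORY["alice"], ramp, k))
```

With k = 2 the model catches both attacks but flags alice's forgotten password; with k = 4 the false positive disappears but the attack on the batch account is missed, which is the threshold trade-off stated in the limitations. The global limit of 5 flags every normal hour of the batch account, which is why per-profile statistics are used instead. On the ramp, k = 2 flags the intruder at 3 failures per hour, while with k = 4 the adaptive profile is trained step by step all the way to 8 without an alarm.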
Limitations
1. The performance of a statistics-based IDS depends on the data. If the data contain some irrelevant information, then the IDS may fail to identify an unknown attack.
2. The performance of this approach depends on the threshold. If the threshold is set too low or too high, then it affects the false negatives and false positives.

14.4.2 Immune System Approach

This approach builds a model of normal behaviour in the form of short sequences of system calls made by the application code. These sequences are recorded under normal conditions, and the sequences observed later are compared with the model. This approach detects a number of typical attacks, such as masquerading, but it cannot detect some attacks, e.g., race conditions and policy violations.

14.5 MISUSE-BASED INTRUSION DETECTION SYSTEMS

Misuse-based intrusion detection systems have a few major approaches to detect intrusions. In misuse-based detection, we check whether the pattern being executed violates the security policy of the system; if it does, then the alarm for an intrusion is set. Some of these approaches are described below.

14.5.1 Expression Matching

It is the simplest form of misuse-based IDS. It searches the event stream for various event patterns. For this model, we can define the signatures or patterns easily, and matching is done using techniques like regular expression matching.

14.5.2 State Transition Analysis

This model uses the matching of events to find out the attack. The attack patterns are saved as a finite state machine, and the observed events are matched with the transitions. If the observed events reach the final state, that means an attack has been detected. Complex intrusions can be detected using this model, and it can be used to detect distributed attacks.

14.5.3 Genetic Algorithm

A genetic algorithm can be used to identify known attacks. In this approach, the patterns of the observed events are compared with the available patterns and the best match is found out.
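State transition analysis is easiest to understand with one scenario written out as a machine. The following is an added example, not code from the chapter: an attack scenario (repeated failed logins, then a successful login, then creation of a setuid file) stored as a table of transitions, one machine instance tracked per source address, and an alarm raised when a source reaches the final state. The scenario and the audit events are constructed for the demo and are not taken from any real incident; a second source that mistypes a password once, logs in and then does legitimate administrative work never leaves the start state, which shows why the ordering of events, and not any single event, is what the model detects.

```python
"""State transition analysis: an attack scenario as a finite state machine,
observed events matched against its transitions, alarm at the final state.
Added example; scenario and event stream are constructed."""

# One scenario as a state machine. Keys are (current state, event type).
# Events with no entry leave the state unchanged; the final state 'ALERT'
# means the whole attack pattern has been observed.
SCENARIO = {
    "name": "password guessing followed by a setuid backdoor",
    "start": "S0",
    "final": "ALERT",
    "transitions": {
        ("S0", "failed_login"): "S1",
        ("S1", "failed_login"): "S2",
        ("S2", "failed_login"): "S3",   # three or more failures reached
        ("S3", "failed_login"): "S3",
        ("S0", "login_ok"): "S0",       # a success after few failures is normal
        ("S1", "login_ok"): "S0",
        ("S2", "login_ok"): "S0",
        ("S3", "login_ok"): "S4",       # success after repeated failures
        ("S4", "logout"): "S0",
        ("S4", "setuid_created"): "ALERT",
    },
}


class StateTransitionDetector:
    """Tracks one machine instance per source address."""

    def __init__(self, scenario):
        self.scenario = scenario
        self.states = {}

    def feed(self, event):
        """Advance the machine for event['src']; return an alert or None."""
        key = event["src"]
        state = self.states.get(key, self.scenario["start"])
        state = self.scenario["transitions"].get((state, event["type"]), state)
        if state == self.scenario["final"]:
            self.states[key] = self.scenario["start"]  # reset after the alarm
            return (key, event["user"], event["id"], self.scenario["name"])
        self.states[key] = state
        return None

    def run(self, events):
        return [a for a in (self.feed(e) for e in events) if a is not None]


# Constructed audit events. bob mistypes once, logs in and does admin work;
# 198.51.100.7 guesses alice's password and then plants a setuid file.
EVENTS = [
    {"id": 1, "src": "10.0.0.5", "user": "bob", "type": "failed_login"},
    {"id": 2, "src": "10.0.0.5", "user": "bob", "type": "login_ok"},
    {"id": 3, "src": "198.51.100.7", "user": "alice", "type": "failed_login"},
    {"id": 4, "src": "198.51.100.7", "user": "alice", "type": "failed_login"},
    {"id": 5, "src": "10.0.0.5", "user": "bob", "type": "setuid_created"},
    {"id": 6, "src": "198.51.100.7", "user": "alice", "type": "failed_login"},
    {"id": 7, "src": "198.51.100.7", "user": "alice", "type": "login_ok"},
    {"id": 8, "src": "198.51.100.7", "user": "alice", "type": "setuid_created"},
]


def demo():
    """Run the constructed events; return (alerts, final state per source)."""
    det = StateTransitionDetector(SCENARIO)
    alerts = det.run(EVENTS)
    return alerts, dict(det.states)


if __name__ == "__main__":
    alerts, states = demo()
    for src, user, event_id, name in alerts:
        print(f"ALERT {name}: source {src}, account {user}, at event {event_id}")
    print(states)
```

The machine is keyed on the source address; keying on the account instead would also catch a distributed guess against one account from many sources, which is the kind of pattern the text says this model can be extended to.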
Then, a hypothesis vector is evaluated depending on the risk associated with the attacks involved. If a mismatch occurs, a quadratic penalty function is used to penalise it. In each round, the best hypotheses of the current set are mutated and tested again. This drives the false positives and false negatives down towards zero. The performance of this approach is good.

14.6 DISTRIBUTED INTRUSION DETECTION SYSTEM

With the widespread growth of the Internet, there is an increase in malicious activity against networks. Current IDS technology is not sufficient to protect the global network infrastructure from attacks, so there is a need for an IDS which can support a global network. A distributed IDS (dIDS) increases the identifying power and scope of a single IDS by correlating attacks with a database obtained from geographically different networks. A distributed IDS consists of multiple intrusion detection systems over a large network. All these IDSs communicate with each other, or with a central server, which allows them to monitor different networks and helps in the analysis of the attack data. Different agents, distributed across the network, coordinate with one another. This gives the network administrators a detailed picture of the attacks that take place in the network. It also records all data related to attacks at a central place so that the data can be analysed by the analyst easily. There is a centralised analysis engine, and agents which monitor the network traffic. The current dIDS has the following limitations:
1. Observing a single site is not sufficient to detect the existence of attacks by a single attacker.
2. An analysis covering many attacks is required, so that the incident analyst is able to keep track of such attacks within the
