International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459, Volume 2, Issue 8, August 2012)
IDS: Intrusion Detection System, the Survey of Information Security
Sheetal Thakare (1), Pankaj Ingle (2), Dr. B.B. Meshram (3)
(1, 2) Computer Technology Department, VJTI, Matunga, Mumbai
(3) Head of Computer Technology Department, VJTI, Matunga, Mumbai
Abstract—With the increased use of computerized and online transactions it is very important to secure information from intruders. Intrusion detection is the process of monitoring the activities or events occurring in a computer system or network and analyzing them to find suspicious events that indicate an intrusion into the system or network. Such events are reported to the administrator of the Intrusion Detection System (IDS), who decides on further action. This paper surveys different types of IDS and lists preventive methods. An intrusion detection system (IDS) is software that automates the intrusion detection process. An intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.
Keywords—Intruder, Intrusion, anomaly, IDS, NIDS, HIDS
I. INTRODUCTION
Intrusions are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion detection systems (IDS) are primarily focused on:
1) Identifying possible incidents by monitoring both user and system activity
2) Logging information about them
3) Analyzing system configuration and vulnerabilities
4) Assessing file and system integrity
5) Recognizing abnormal activities and patterns typical of attacks
6) Reporting them to the security administrator
In addition, organizations use IDSs for other purposes, such as
1) Identifying problems with security policies
2) Documenting existing threats
3) Deterring individuals from violating security policies
IDSs have become a necessary addition to the security infrastructure of nearly every organization.
The following terms give an idea of the possible threats to security:
Risk: Accidental or unpredictable exposure of information, or violation of operational integrity, due to the malfunction of hardware or to incomplete or incorrect software design.
Vulnerability: A known or suspected flaw in the hardware, software or operation of a system that exposes the system to penetration or its information to accidental disclosure.
Attack: A specific formulation or execution of a plan to carry out a threat.
Penetration: A successful attack; the ability to obtain unauthorized (undetected) access to files and programs or to the control state of a computer system.
Intruders are of two types: external intruders, who are unauthorized users of the machines they attack, and internal intruders, who have permission to access the system but not some portions of it. Internal intruders are further divided into intruders who masquerade as another user, those with legitimate access to sensitive data, and the most dangerous type, the clandestine intruders who have the power to turn off audit control for themselves. Different types of threats include:
Attempted break-in: generates a large number of password-failure events.
Masquerading: logging into the system using another user's account and password; the events show a different login time, location or connection type than the legitimate user's.
Penetration by a legitimate user: the user executes different programs or triggers more protection violations than usual.
Leakage by a legitimate user: the user might route data to a remote, normally unused printer.
Interference by a legitimate user: the user might attempt to retrieve unauthorized data from a database through aggregation and inference, retrieving more records than usual.
Trojan horse: a program planted in the system; its behaviour differs from that of the legitimate program in CPU utilization or I/O activity.
Denial of Service: an event that monopolizes a resource, so that the resource becomes unavailable to other activities.
Fig 1 Typical locations for an IDS
II. TYPES OF INTRUSION DETECTION METHODS
A. Anomaly Detection
This method builds a "normal activity profile" for the system. Using it as the measure, all activities carried out in the system are checked against this profile to find anomalous behaviour. If an activity deviates from the profile, an alarm is raised against the event, indicating a possible intrusion. Because it flags deviation rather than a known pattern, this method can detect previously unseen attacks, but legitimate yet unusual behaviour also raises alarms.
Fig 2 Typical anomaly detection system
B. Misuse Detection / Signature-based Detection
This method stores the patterns (signatures) of known attacks. Every event occurring in the system has its own pattern, which is matched against the stored signatures; as soon as a match is found, an alarm is raised. It cannot detect an unknown event, i.e. one whose signature is not known.
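As an added worked example (not code from the paper), the following Python script runs both methods side by side over the same stream of authentication events. The signature engine stores one pattern from the threat list in Section I, the attempted break-in (many password failures from one source); the anomaly engine learns a normal-activity profile per user (source addresses and login hours) and flags a successful login that departs from it, the masquerading case. The log lines are constructed to resemble OpenSSH syslog messages, and the user names, addresses, thresholds and the assumed year are illustrative assumptions. The brute-force burst is caught only by the signature, and the quiet off-hours login from a new address only by the profile, which is the complementary coverage the two subsections describe.

```python
"""Anomaly detection beside misuse (signature) detection on auth-log events.
Added example, not from the paper: the log lines are constructed to resemble
OpenSSH syslog messages, and the users, addresses and thresholds are
illustrative assumptions (the lines carry no year, so 2012 is assumed)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed baseline: two users, office hours, fixed source addresses.
BASELINE_LOG = """\
Jan 10 09:02:11 ids-host sshd[1001]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Jan 10 09:40:52 ids-host sshd[1007]: Accepted publickey for bob from 10.0.0.9 port 51010 ssh2
Jan 10 13:15:30 ids-host sshd[1019]: Accepted publickey for alice from 10.0.0.5 port 51020 ssh2
Jan 10 17:58:03 ids-host sshd[1031]: Accepted publickey for bob from 10.0.0.9 port 51031 ssh2
"""
# Constructed day under analysis: a password-guessing burst (known pattern,
# Denning's "attempted break-in") and one quiet, successful off-hours login for
# alice from an address she never used (possible masquerading; no signature).
OBSERVED_LOG = """\
Jan 12 02:31:05 ids-host sshd[2001]: Failed password for bob from 203.0.113.7 port 40001 ssh2
Jan 12 02:31:06 ids-host sshd[2002]: Failed password for bob from 203.0.113.7 port 40002 ssh2
Jan 12 02:31:06 ids-host sshd[2003]: Failed password for bob from 203.0.113.7 port 40003 ssh2
Jan 12 02:31:07 ids-host sshd[2004]: Failed password for root from 203.0.113.7 port 40004 ssh2
Jan 12 03:12:44 ids-host sshd[2010]: Accepted publickey for alice from 198.51.100.23 port 61000 ssh2
Jan 12 09:01:27 ids-host sshd[2050]: Accepted publickey for alice from 10.0.0.5 port 53000 ssh2
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<src>\S+) port \d+")

def parse(log):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ts = datetime.strptime("2012 " + m["ts"], "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "src": m["src"],
                       "ok": m["result"] == "Accepted"})
    return events

# --- Misuse / signature detection: one stored pattern, attempted break-in ---
FAIL_THRESHOLD, FAIL_WINDOW_S = 4, 60   # N failures from one source in W seconds

def signature_alerts(events):
    """Alert once per source that reaches FAIL_THRESHOLD failures in the window."""
    alerts, recent, fired = [], defaultdict(list), set()
    for ev in events:
        if ev["ok"]:
            continue
        window = recent[ev["src"]]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > FAIL_WINDOW_S:
            window.pop(0)                                # age out old failures
        if len(window) >= FAIL_THRESHOLD and ev["src"] not in fired:
            fired.add(ev["src"])
            alerts.append({"type": "attempted break-in", "ts": ev["ts"], "user": ev["user"],
                           "src": ev["src"], "detail": f"{len(window)} failed logins in {FAIL_WINDOW_S}s"})
    return alerts

# --- Anomaly detection: deviation from a learned normal-activity profile -----
def build_profile(events):
    """Per user: source addresses and hours of day seen in successful logins."""
    profile = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for ev in (e for e in events if e["ok"]):
        profile[ev["user"]]["srcs"].add(ev["src"])
        profile[ev["user"]]["hours"].add(ev["ts"].hour)
    return profile

def anomaly_alerts(events, profile, hour_slack=1):
    """Alert on successful logins that do not fit the user's profile; a user
    with no baseline at all is treated as deviating on every attribute."""
    alerts = []
    for ev in (e for e in events if e["ok"]):
        p = profile.get(ev["user"], {"srcs": set(), "hours": set()})
        reasons = []
        if ev["src"] not in p["srcs"]:
            reasons.append(f"new source {ev['src']}")
        if all(abs(ev["ts"].hour - h) > hour_slack for h in p["hours"]):
            reasons.append(f"unusual hour {ev['ts'].hour:02d}")
        if reasons:
            alerts.append({"type": "masquerading suspected", "ts": ev["ts"], "user": ev["user"],
                           "src": ev["src"], "detail": "; ".join(reasons)})
    return alerts

def run(baseline_log, observed_log):
    """Learn the profile from the baseline, then run both engines on the observed day."""
    profile = build_profile(parse(baseline_log))
    events = parse(observed_log)
    return {"signature": signature_alerts(events), "anomaly": anomaly_alerts(events, profile)}

def report(alerts_by_engine):
    """Summary report: alert counts per engine and alert type."""
    counts = defaultdict(int)
    for engine, alerts in alerts_by_engine.items():
        for a in alerts:
            counts[(engine, a["type"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for engine, alerts in run(BASELINE_LOG, OBSERVED_LOG).items():
        for a in alerts:
            print(f"[{engine}] {a['ts']} {a['user']}@{a['src']} {a['type']}: {a['detail']}")
```

Run as a script, it prints one alert from each engine: the signature fires on the fourth failure from 203.0.113.7 (and not again for that source), while alice's 03:12 login from 198.51.100.23 is reported only by the profile check. The per-user sets stand in for the statistical profile a real anomaly detector would keep; the window-and-threshold rule is the shape of a stateful signature such as a brute-force rule.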
Fig 3 Typical misuse detection system
C. Stateful Protocol Analysis
III. TYPES OF IDS TECHNOLOGIES
There are many types of IDS technologies. They are divided into four main groups based on the type of events that they monitor and the ways in which they are deployed:
A. Network-Based IDS
It monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity. It can identify many different types of events of interest. It is most commonly deployed at a boundary between networks, such as in proximity to border firewalls or routers, virtual private network (VPN) servers, remote access servers, and wireless networks.
B. Host-Based IDS
It monitors the characteristics of a single host and the events occurring within that host for suspicious activity. Examples of the types of characteristics a host-based IDS might monitor are network traffic (only for that host), system logs, running processes, application activity, file access and modification, and system and application configuration changes. Host-based IDSs are most commonly deployed on critical hosts such as publicly accessible servers and servers containing sensitive information.
Fig 4 HIDS Architecture
C. Wireless IDS
It monitors wireless network traffic and analyzes its wireless networking protocols to identify suspicious activity involving the protocols themselves. It cannot identify suspicious activity in the application or higher-layer network protocols (e.g., TCP, UDP) that the wireless network traffic is transferring. It is most commonly deployed within range of an organization's wireless network to monitor it, but can also be deployed to locations where unauthorized wireless networking could be occurring.
Fig 5 Wireless LAN Architecture Example
D. Network Behavior Analysis (NBA)
It examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware (e.g., worms, backdoors), and policy violations (e.g., a client system providing network services to other systems). NBA systems are most often deployed to monitor flows on an organization’s internal networks, and are also sometimes deployed where they can monitor flows between an organization’s networks and external networks (e.g., the Internet, business partners’ networks).
IV. KEY FUNCTIONS OF IDS TECHNOLOGIES
There are many types of IDS technologies, which are differentiated primarily by the types of events that they can recognize and the methodologies that they use to identify incidents.
In addition to monitoring and analyzing events to identify undesirable activity, all types of IDS technologies typically perform the following functions:
• Recording information related to observed events. Information is usually recorded locally, and might also be sent to separate systems such as centralized logging servers, security information and event management (SIEM) solutions, and enterprise management systems.
• Notifying security administrators of important observed events. This notification, known as an alert, occurs through any of several methods, including the following: e-mails, pages, messages on the IDS user interface, Simple Network Management Protocol (SNMP) traps, syslog messages, and user-defined programs and scripts. A notification message typically includes only basic information regarding an event; administrators need to access the IDS for additional information.
• Producing reports. Reports summarize the monitored events or provide details on particular events of interest.
Some IDSs are also able to change their security profile when a new threat is detected. For example, an IDS might be able to collect more detailed information for a particular session after malicious activity is detected within that session. An IDS might also alter the settings for when certain alerts are triggered or what priority should be assigned to subsequent alerts after a particular threat is detected.
V. HOW TO PROTECT IDS ITSELF
One major issue is how to protect the system on which your intrusion detection software is running. If security of the IDS is compromised, you may start getting false alarms or no alarms at all. The intruder may disable IDS before actually performing any attack. There are different ways to protect your system, starting from very general recommendations to some sophisticated methods. Some of these are mentioned below.
• The first thing you can do is not to run any network service on the IDS sensor itself. Network servers are the most common way a system is exploited.
• New threats are discovered and vendors release patches continuously. The platform on which the IDS runs should be patched with the latest releases from your vendor. For example, if Snort# runs on a Microsoft Windows machine, all current security patches from Microsoft should be installed.
• Configure the IDS machine so that it does not respond to ping (ICMP Echo Request) packets.
• If Snort runs on a Linux machine, use netfilter/iptables to block any unwanted traffic to the host. Snort still sees all of the traffic, because libpcap captures frames from the interface before they reach the netfilter INPUT chain.
• Use the IDS host only for intrusion detection. It should not be used for other activities, and no user accounts should be created except those that are absolutely necessary.
In addition to these common measures, Snort can be protected in special ways. The following two techniques can be used with Snort to protect it from being attacked.
a. Snort on a Stealth Interface
You can run Snort on a stealth interface that only listens to incoming traffic and does not send any packets out. A special receive-only cable is used on the stealth interface: on the host where Snort runs, pins 1 and 2 (the host's transmit pair) are shorted to each other and not carried to the far end, so nothing the host transmits reaches the network, while pins 3 and 6 (the receive pair) are connected straight through to the same pins on the other side. This wiring applies to 10/100 Mbps Ethernet, where each pair carries one direction; 1000BASE-T uses all four pairs in both directions, so a receive-only cable is not an option there and a switch SPAN port or a network tap is used instead.
b. Snort on an Interface with No IP Address
You can also run Snort on an interface to which no IP address is assigned. For example, on a Linux machine you can bring up interface eth0 with the command "ifconfig eth0 up" (or "ip link set eth0 up" on current distributions) without assigning an actual IP address. The advantage is that, when the Snort host has no IP address on the monitored segment, nobody on that segment can address it. The limit of this measure is that Snort still decodes every packet that arrives, so the sensor's own protocol parsers remain exposed to hostile traffic, and the host is still reachable on whatever management interface it uses.
# Snort is an open-source network intrusion detection and prevention system (IDS/IPS) developed by Sourcefire that combines signature-, protocol- and anomaly-based inspection.
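As an added example (not code from the paper or from the Snort project), the following Python script audits a Linux sensor host against the points above: no address on the sniffing interface, no answer to ICMP echo, no listening services beyond what is necessary, and a default-deny netfilter INPUT policy. It parses the output of "ip -j addr show", "ss -Hltn" and "iptables -S" together with one sysctl value. The interface names (eth0 for management, eth1 for sniffing) and the single allowed port are assumptions, and the two sets of inputs are constructed samples, one showing the weak configuration and one the corrected one, so the audit runs offline.

```python
"""Audit a Linux Snort sensor against the hardening points of Section V.
Added example, not from the paper or the Snort project. It checks the output of
`ip -j addr show`, `ss -Hltn` and `iptables -S` plus one sysctl value; the inputs
below are constructed samples so the audit runs offline, and the interface names
and allowed port are assumptions."""
import json

SNIFF_IF = "eth1"            # assumed: the receive-only sniffing interface
MGMT_IF = "eth0"             # assumed: the management interface
ALLOWED_PORTS = {22}         # assumed: only SSH may listen, and only on MGMT_IF

# Constructed `ip -j addr show` for a sensor whose sniffing interface still
# carries an address (the weak setting).
WEAK_IP_JSON = json.dumps([
    {"ifname": "lo", "addr_info": [{"family": "inet", "local": "127.0.0.1"}]},
    {"ifname": "eth0", "addr_info": [{"family": "inet", "local": "10.0.0.50"}]},
    {"ifname": "eth1", "addr_info": [{"family": "inet", "local": "192.0.2.10"}]},
])
# Constructed `ss -Hltn`: sshd bound to every address and a stray web server.
WEAK_SS = "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\nLISTEN 0 511 0.0.0.0:80 0.0.0.0:*\n"
WEAK_IPTABLES = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
WEAK_SYSCTL = {"net.ipv4.icmp_echo_ignore_all": "0"}

# The same sensor after applying the recommendations (the corrected setting).
HARDENED_IP_JSON = json.dumps([
    {"ifname": "lo", "addr_info": [{"family": "inet", "local": "127.0.0.1"}]},
    {"ifname": "eth0", "addr_info": [{"family": "inet", "local": "10.0.0.50"}]},
    {"ifname": "eth1", "addr_info": []},
])
HARDENED_SS = "LISTEN 0 128 10.0.0.50:22 0.0.0.0:*\n"
HARDENED_IPTABLES = ("-P INPUT DROP\n-P FORWARD DROP\n-P OUTPUT ACCEPT\n"
                     "-A INPUT -i lo -j ACCEPT\n"
                     "-A INPUT -i eth0 -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT\n")
HARDENED_SYSCTL = {"net.ipv4.icmp_echo_ignore_all": "1"}

def interface_addresses(ip_json):
    """Map interface name -> addresses, from `ip -j addr show` JSON."""
    return {i["ifname"]: [a["local"] for a in i.get("addr_info", [])
                          if a.get("family") in ("inet", "inet6")]
            for i in json.loads(ip_json)}

def listeners(ss_output):
    """Parse `ss -Hltn` lines into (local address, port) pairs."""
    pairs = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            addr, _, port = cols[3].rpartition(":")
            pairs.append((addr.strip("[]"), int(port)))
    return pairs

def audit(ip_json, ss_output, iptables_s, sysctl):
    """Return findings against Section V; an empty list means every check passed."""
    findings = []
    addrs = interface_addresses(ip_json)
    for a in addrs.get(SNIFF_IF, []):           # V.b: sniffing interface unaddressed
        findings.append(f"{SNIFF_IF} carries address {a}; the sniffing interface should have none")
    if sysctl.get("net.ipv4.icmp_echo_ignore_all") != "1":   # do not answer ping
        findings.append("net.ipv4.icmp_echo_ignore_all is not 1; the sensor answers ICMP echo")
    mgmt = addrs.get(MGMT_IF, [])
    for addr, port in listeners(ss_output):     # no services beyond what is necessary
        if port not in ALLOWED_PORTS:
            findings.append(f"unexpected listener {addr}:{port}")
        elif addr not in mgmt:
            findings.append(f"port {port} listens on {addr}; bind it to the management address only")
    if "-P INPUT DROP" not in iptables_s.splitlines():       # netfilter default-deny
        findings.append("iptables INPUT policy is not DROP; unwanted traffic reaches the host")
    return findings

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_IP_JSON, WEAK_SS, WEAK_IPTABLES, WEAK_SYSCTL)),
                        ("hardened", (HARDENED_IP_JSON, HARDENED_SS, HARDENED_IPTABLES, HARDENED_SYSCTL))):
        print(label, audit(*args) or ["ok"])
```

On a real sensor the three strings would come from running the commands named in the docstring and the sysctl value from /proc/sys/net/ipv4/icmp_echo_ignore_all; the constructed weak inputs produce five findings and the hardened inputs none. The check on port 22 deliberately treats a wildcard bind (0.0.0.0) as a finding, since the hardened state is a management service reachable from the management address only.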
VI. CONCLUSION
Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use them for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDSs have become a necessary addition to the security infrastructure of nearly every organization.