Studying The Fundamentals Of Trustworthy Computing Information Technology Essay

Published: November 30, 2015 Words: 2925

An intrusion detection system looks for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent. When the IDS looks for these patterns in network traffic via a promiscuous interface it is considered a network-based IDS. In some cases the IDS may also respond to anomalous activity by taking action, such as blocking the user or source IP address from accessing the network. Intrusion detection systems come in a variety of "flavors" and approach the goal of detecting suspicious traffic in different ways. There are network-based (NIDS) and host-based (HIDS) intrusion detection systems. There are IDS that detect by looking for specific signatures of known threats, similar to the way antivirus software typically detects and protects against malware, and there are IDS that detect by comparing traffic patterns against a baseline and looking for anomalies. There are IDS that simply monitor and alert, and there are IDS that perform one or more actions in response to a detected threat.

Intrusion detection systems can be divided into network-based IDS, host-based IDS and application-based IDS. Those that monitor network backbones and look for attack signatures are called network-based IDS, whereas those that operate on hosts, defending and monitoring the operating system and file system for signs of intrusion, are called host-based IDS.

First, a network-based intrusion detection system uses raw network packets as its data source. The IDS typically uses a network adapter in promiscuous mode that listens to and analyses all traffic in real time as it travels across the network. A first-level filter is usually applied to determine which traffic is discarded and which is passed on to an attack recognition module. This first-level filter helps performance and accuracy by allowing known non-malicious traffic to be filtered out. For example, if an event for a suspicious SNMP (Simple Network Management Protocol) get request was detected and the event was generated by a known SNMP management station, SNMP traffic from that machine could be filtered out of the examined traffic. Caution must be taken when using filters, as the source address of traffic can be spoofed and misconfigurations can cause more traffic to be filtered than desired. At the attack recognition module, typically one of three methodologies is used for attack signatures: pattern-, frequency- or anomaly-based detection. Once an attack is detected, a response module provides a variety of options to notify, alert and take action in regard to the attack at hand.

Figure 1- Network-based intrusion detection system

Second is the host-based intrusion detection system, which actually started in the early 1980s, before networks were as prevalent, complex and interconnected as they are today. In the 1980s it was common practice to review audit logs for suspicious and security-relevant activity. Today host-based IDS still use various audit logs, but they are much more automated, sophisticated and real-time in their detection and response. Host-based systems use software that continuously monitors system-specific logs. One method of host-based IDS is to monitor log activity in real time, while other solutions run processes that check the logs periodically for new information and changes. Because the IDS monitors these logs continuously or frequently, the detections and responses are considered to be in near real time. Some host-based IDS can also listen to port activity and alert when specific ports are accessed, which allows for some network-type attack detection.

Figure 2- Host-based intrusion detection system

Third are application-based IDS, which concentrate on events occurring within some specific application. They often detect attacks through analysis of application log files and can usually identify many types of attack or suspicious activity. Sometimes application-based IDS can even track unauthorized activity by individual users. They can also work with encrypted data, using application-level encryption/decryption services, which a network sensor on the wire cannot inspect. Application-based IDS are sometimes more vulnerable to attack than host-based IDS, and they can consume significant application resources. In practice, most commercial environments use some combination of network and host- or application-based IDS to observe what is happening on the network while also monitoring key hosts and applications more closely.

IDS may also be distinguished by their differing approaches to event analysis. Some IDS primarily use a technique called signature detection. This resembles the way many antivirus programs use virus signatures to recognize and block infected files, programs or active Web content from entering a computer system, except that it uses a database of traffic or activity patterns related to known attacks, called attack signatures. Signature detection is the most widely used approach in commercial IDS technology today. Another approach is called anomaly detection. It uses rules or predefined concepts about "normal" and "abnormal" system activity to distinguish anomalies from normal system behavior and to monitor, report on or block anomalies as they occur. Some IDS support limited types of anomaly detection; most experts believe this kind of capability will become part of how more IDS operate in the future.

Why an IDS Is Needed

Intrusion detection describes the intention, not the methodology. There are several different methods by which it can be achieved, so anything that detects intrusions is an IDS. Which method you choose really depends upon what you need, and if you do not already have in-house security expertise, it would be worth employing a consultant to help you reach your decision.

Armed with this information, you can look for features such as:

Attack halting (stops the attack, whether it is a program or a hacker)

Attack blocking (closes the loophole through which the attacker gained access)

Information collecting (on what is done by the attack to the network and from where the attack came- helps gather forensic evidence should a prosecution become necessary or possible)

Full reporting (so that you can learn from your mistakes and prevent future problems)

Deploying an IDS

Once an IDS is selected, a number of decisions will determine whether it is deployed effectively. These include decisions about how to protect the organization's most critical assets, how to configure the IDS to reflect the organization's security policies and what procedures to follow in case of an attack to preserve evidence for possible prosecution. Organizations must also decide how to handle alerts from the IDS and how these alerts will be correlated with other information such as system or application logs. An IDS does not prevent attacks. In fact, if attackers realize that the network they are attacking has an IDS, they may attack the IDS first to disable it or force it to provide false information that distracts security personnel from the actual attack. Many intrusion detection tools have security weaknesses of their own, such as failing to encrypt log files, omitting access control and failing to perform integrity checks on IDS files.

Maintaining an IDS

An intrusion detection system must be constantly monitored after it is deployed. Procedures must be developed for responding to alerts; these procedures determine how staff members analyze and act on alerts and how staff monitor the outcomes of both manual and automatic responses. In addition, as upgrades become available, they should be installed to keep the IDS as current and secure as possible.

Technology alone cannot maintain network security; trained technical staff are needed to operate and maintain the technology. Unfortunately, the demand for qualified intrusion analysts and system/network administrators who are knowledgeable about and experienced in computer security is increasing more rapidly than the supply.

When an IDS is properly maintained, it can provide warnings that a system is being attacked, even if the system is not vulnerable to the specific attack. The information from these warnings can be used to further increase the system's resistance to attacks. An IDS can also confirm whether other security mechanisms, such as firewalls, are doing their job: traffic the sensor sees that a firewall rule should have blocked is evidence of a misconfiguration. If the necessary time and effort is spent on an IDS through its life cycle, its capabilities will make it a useful and effective component of an overall security plan.

Figure 1-1 Block diagram of a complete network Intrusion detection system consisting of Snort, MySQL, Apache, ACID, PHP, GD Library and PHPLOT.

Figure 1-2 A network intrusion detection system with web interface.

Figure 1-3 Multiple Snort sensors in the enterprise logging to a centralized database server.

Now that we have examined the basic types of IDS, we can investigate how they go about doing their job. For each of them, there are four basic techniques used to detect intruders: anomaly detection, misuse detection (signature detection), target monitoring and stealth probes.

Anomaly Detection

Designed to uncover abnormal patterns of behavior, the IDS establishes a baseline of normal usage patterns, and anything that deviates widely from it gets flagged as a possible intrusion. What is considered an anomaly can vary, but normally any event that occurs at a frequency more than two standard deviations above or below the statistical norm raises an eyebrow. An example of this would be a user who logs on and off a machine 20 times a day instead of the normal 1 or 2. Also, if a computer is used at 2:00 AM when normally no one should have access outside business hours, this should raise some suspicion. At another level, anomaly detection can investigate user patterns, such as profiling the programs executed daily. If a user in the graphics department suddenly starts accessing accounting programs or compiling code, the system can alert its administrators. The caveat is that the baseline must be built from a period that is itself clean: an attacker whose activity is present during training becomes part of "normal".
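The three checks described above, as an added example that is not part of the original essay: a per-user profile is learned from a constructed 28-day training window, and an observation day is then tested for a login count more than two standard deviations from that user's norm, for activity outside business hours, and for programs the user has never run before. The record layout, the user name, the programs and the 08:00-18:00 business-hours window are assumptions made for the example.

```python
"""Baseline-driven anomaly detection over constructed host audit records.

Added example, not code from the original essay. Builds a per-user profile from
a training window, then flags observed days whose login count lies more than two
standard deviations from that user's norm, activity outside business hours, and
programs the user has never run before. Record layout, user name, programs and
business hours are all assumptions made for the example.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 18)  # assumed working hours, 08:00-17:59
Z_THRESHOLD = 2.0              # "two standard deviations from the statistical norm"

# A record is (ISO timestamp, user, event, detail); event is "login" or "exec".


def build_baseline():
    """Constructed 28-day training window for 'alice' in the graphics department:
    one or two logins per day and the same two graphics programs every day."""
    records = []
    for day in range(1, 29):
        logins = 2 if day % 3 == 0 else 1
        for i in range(logins):
            records.append((f"2015-11-{day:02d}T09:{10 * i:02d}", "alice", "login", ""))
        for prog in ("photoshop", "illustrator"):
            records.append((f"2015-11-{day:02d}T10:00", "alice", "exec", prog))
    return records


def build_observed():
    """Constructed observation day: 20 logins (one at 02:00) and a compiler run."""
    records = [("2015-12-01T02:00", "alice", "login", "")]
    records += [(f"2015-12-01T09:{i:02d}", "alice", "login", "") for i in range(19)]
    records.append(("2015-12-01T10:30", "alice", "exec", "gcc"))
    return records


class Profile:
    """Per-user baseline: daily login counts and the set of programs executed."""

    def __init__(self, records):
        self.logins_per_day = defaultdict(lambda: defaultdict(int))  # user -> day -> count
        self.programs = defaultdict(set)                             # user -> {program}
        for ts, user, event, detail in records:
            when = datetime.fromisoformat(ts)
            if event == "login":
                self.logins_per_day[user][when.date()] += 1
            elif event == "exec":
                self.programs[user].add(detail)

    def login_stats(self, user):
        """Mean and population standard deviation of daily logins, or None if unseen."""
        counts = list(self.logins_per_day[user].values())
        if not counts:
            return None
        return statistics.mean(counts), statistics.pstdev(counts)


def detect(baseline, observed):
    """Return alerts as tuples whose first element names the rule that fired."""
    profile = Profile(baseline)
    alerts = []
    logins = defaultdict(int)  # (user, day) -> login count on the observed day
    for ts, user, event, detail in observed:
        when = datetime.fromisoformat(ts)
        if when.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", user, ts))
        if event == "login":
            logins[(user, when.date())] += 1
        elif event == "exec" and detail not in profile.programs[user]:
            alerts.append(("new_program", user, detail))
    for (user, day), count in logins.items():
        stats = profile.login_stats(user)
        if stats is None:
            alerts.append(("unknown_user", user, str(day)))
            continue
        mean, std = stats
        # With a perfectly flat baseline (std == 0) any change at all is a deviation.
        z = (count - mean) / std if std else (0.0 if count == mean else float("inf"))
        if abs(z) > Z_THRESHOLD:
            alerts.append(("login_frequency", user, str(day), count))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(), build_observed()):
        print(alert)
```

The population standard deviation of the training window is what the two-sigma rule is measured against, so a user with a very regular routine gets a tight band and a small change already trips the rule; in practice the threshold is tuned per rule rather than fixed at 2.0 for everything.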

Misuse Detection

Commonly called signature detection, this method uses known patterns of unauthorized behavior to detect subsequent similar attempts. These specific patterns are called signatures. For host-based intrusion detection, one example of a signature is "three failed logins". For network intrusion detection, a signature can be as simple as a specific pattern that matches a portion of a network packet. For instance, packet content signatures and/or header content signatures can indicate unauthorized actions, such as improper FTP initiation. The occurrence of a signature does not necessarily signify an actual attempted unauthorized access, but it is a good idea to take each alert seriously. Depending on the robustness and seriousness of the signature that is triggered, some alarm, response or notification should be sent to the proper authorities. By construction, signature detection cannot recognize an attack for which no signature exists yet.
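Both kinds of signature named above, as an added example that is not part of the original essay: the host-based half implements the "three failed logins" signature over syslog-style sshd lines, with a time window so that three failures spread over hours do not count as one burst, and the network half matches header fields plus a content pattern against packet payloads in the way a Snort rule does. The log lines, the packets, the addresses (RFC 5737 documentation ranges), the threshold, the window and the two content patterns are all constructed for the example.

```python
"""Signature (misuse) detection over constructed inputs.

Added example, not code from the original essay. The host-based half implements
the "three failed logins" signature over syslog-style sshd lines; the network
half matches Snort-style header-plus-content signatures against packet payloads.
The log lines, packets, addresses (RFC 5737 documentation ranges), threshold,
window and the two content patterns are all constructed for the example.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- host-based signature: N failed logins from one source inside a time window ---
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(seconds=60)

SAMPLE_AUTH_LOG = [  # constructed; syslog lines carry no year, 2015 is assumed below
    "Nov 30 10:01:02 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "Nov 30 10:01:05 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51001 ssh2",
    "Nov 30 10:01:09 host1 sshd[2203]: Accepted password for alice from 198.51.100.5 port 40000 ssh2",
    "Nov 30 10:01:11 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2",
    "Nov 30 10:03:40 host1 sshd[2210]: Failed password for bob from 198.51.100.5 port 40002 ssh2",
]


def _syslog_time(ts, year=2015):
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_failed_logins(lines, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Return (src, user, timestamp) for each burst of `threshold` failures inside `window`."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        m = FAILED_LOGIN_RE.match(line)
        if not m:
            continue  # successes and unrelated lines never count toward the signature
        now = _syslog_time(m["ts"])
        q = recent[m["src"]]
        q.append(now)
        while q and now - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((m["src"], m["user"], m["ts"]))
            q.clear()  # re-arm so one burst raises one alert, not one per extra failure
    return alerts


# --- network signature: header fields plus a content pattern, Snort-rule style ---
SIGNATURES = [  # illustrative patterns only
    {"name": "FTP SITE EXEC attempt", "proto": "tcp", "dport": 21,
     "content": re.compile(rb"^SITE[ \t]+EXEC", re.IGNORECASE | re.MULTILINE)},
    {"name": "Web directory traversal attempt", "proto": "tcp", "dport": 80,
     "content": re.compile(rb"\.\./")},
]

SAMPLE_PACKETS = [  # constructed: (proto, src, dst, dport, payload)
    ("tcp", "198.51.100.5", "192.0.2.10", 21, b"USER anonymous\r\n"),
    ("tcp", "203.0.113.7", "192.0.2.10", 21, b"SITE EXEC ls\r\n"),
    ("tcp", "203.0.113.7", "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    ("tcp", "198.51.100.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("tcp", "203.0.113.7", "192.0.2.10", 8080, b"SITE EXEC ls\r\n"),  # wrong port: no match
]


def match_signatures(packets, signatures=SIGNATURES):
    """Return (signature name, src, dst) for every packet that matches header and content."""
    alerts = []
    for proto, src, dst, dport, payload in packets:
        for sig in signatures:
            # Cheap header checks first; the costlier content search runs only on candidates.
            if proto != sig["proto"] or dport != sig["dport"]:
                continue
            if sig["content"].search(payload):
                alerts.append((sig["name"], src, dst))
    return alerts


if __name__ == "__main__":
    print(detect_failed_logins(SAMPLE_AUTH_LOG))
    print(match_signatures(SAMPLE_PACKETS))
```

The last sample packet carries the same payload as the second but on port 8080, so it does not fire: the header part of a signature is what keeps a content pattern from matching everywhere, and it is also why an attacker who can move a service to a non-standard port slips past port-bound rules.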

Denial of Service (DoS) Detection

The objective of DoS and distributed DoS attacks is to deny legitimate users access to critical network services. Attackers achieve this by launching attacks that consume excessive network bandwidth, host processing cycles or other network infrastructure resources. DoS attacks have caused some of the world's biggest brands to disappoint customers and investors as Web sites became inaccessible to customers, partners and users, sometimes for up to twenty-four hours. Intrusion detection products often compare current traffic with acceptable normal behavior to detect DoS attacks, where normal traffic is characterized by a set of pre-programmed thresholds. This can lead to false alarms when legitimate traffic spikes above a threshold, or to attacks being missed because the attack traffic stays below the configured threshold.
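The threshold approach and its blind spot, as an added example that is not part of the original essay: bare SYN packets are counted per destination in a sliding one-second window and an alert is raised when a pre-programmed limit is exceeded; a second constructed stream then runs a sustained attack just under that limit and is never reported. The threshold of 200 SYNs per second, the window, the packet rates and the addresses are assumptions made for the example.

```python
"""Threshold-based SYN flood detection over constructed packet streams.

Added example, not code from the original essay. Counts bare SYN packets per
destination inside a sliding one-second window and alerts when a pre-programmed
threshold is exceeded, then shows the failure mode the text describes: a
sustained attack just under the threshold is never reported. Threshold, window,
rates and addresses are assumptions made for the example.
"""
from __future__ import annotations

from collections import defaultdict, deque

SYN_THRESHOLD = 200  # assumed pre-programmed limit: SYNs per second per destination
WINDOW_SECONDS = 1.0


def detect_syn_flood(packets, threshold=SYN_THRESHOLD, window=WINDOW_SECONDS):
    """packets: iterable of (time_seconds, src, dst, tcp_flags) in arrival order.
    Returns one (dst, time, syns_in_window) alert per destination that crosses the threshold."""
    recent = defaultdict(deque)  # dst -> arrival times of SYNs still inside the window
    alerts, alerted = [], set()
    for t, src, dst, flags in packets:
        if "S" not in flags or "A" in flags:
            continue  # only connection attempts count, not the server's SYN/ACK replies
        q = recent[dst]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > threshold and dst not in alerted:
            alerts.append((dst, round(t, 3), len(q)))
            alerted.add(dst)
    return alerts


def constant_rate_trace(rate, seconds, dst="192.0.2.10", flags="S"):
    """Constructed stream of `rate` SYNs per second for `seconds`, cycling through 200 sources."""
    return [(i / rate, f"203.0.113.{i % 200 + 1}", dst, flags) for i in range(rate * seconds)]


def flood_trace():
    """1000 SYN/s for two seconds: well above the threshold."""
    return constant_rate_trace(1000, 2)


def slow_trace():
    """150 SYN/s for a minute: never above the threshold in any one-second window,
    yet 9000 connection attempts that a small listen backlog cannot absorb."""
    return constant_rate_trace(150, 60)


def reply_trace():
    """SYN/ACKs from a busy server must not be mistaken for attack traffic."""
    return constant_rate_trace(1000, 1, dst="198.51.100.5", flags="SA")


if __name__ == "__main__":
    print("flood  :", detect_syn_flood(flood_trace()))   # [('192.0.2.10', 0.2, 201)]
    print("slow   :", detect_syn_flood(slow_trace()))    # [] : the threshold never trips
    print("replies:", detect_syn_flood(reply_trace()))   # []
```

Lowering the threshold to catch the slow stream would put it inside the range a busy legitimate server sees, which is the false-alarm side of the same trade-off; counting half-open connections that never complete, rather than raw SYN rate, is the usual way out.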

Target Monitoring

These systems do not actively search for anomalies or misuse, but instead look for modification of specified files. This is more of a corrective control, designed to uncover an unauthorized action after it occurs in order to reverse it. One way to check for covert editing of files is to compute a cryptographic hash of each file beforehand and compare it with new hashes of the file computed at regular intervals. This type of system is the easiest to implement, because it does not require constant monitoring by the administrator. Integrity hashes can be computed at whatever interval you wish and over either all files or just the mission- or system-critical files. The hash database itself must be kept where an intruder who has modified the monitored files cannot also update it, for example on read-only media or on another host.
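The hash-and-compare check described above, as an added example that is not part of the original essay: a SHA-256 digest is recorded for every regular file under a directory (or only for a named set of critical files), and a later snapshot is classified into modified, added and removed files. An optional key turns the digest into an HMAC, so that an intruder who can rewrite files but does not hold the key cannot forge matching baseline entries. The directory contents and the key are constructed for the example; `demo()` builds them in a temporary directory.

```python
"""File integrity (target monitoring) checker with a keyed hash baseline.

Added example, not code from the original essay. Records a SHA-256 digest for
every file under a directory, then reports files that were modified, added or
removed when the snapshot is repeated. The optional key turns the digest into an
HMAC so that an intruder who can rewrite files cannot also forge matching
baseline entries without the key. The directory contents and the key are
constructed for the example; demo() builds them in a temporary directory.
"""
from __future__ import annotations

import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digest(path, key=None):
    """Hex digest of the file contents, keyed (HMAC-SHA256) when a key is supplied."""
    h = hmac.new(key, digestmod="sha256") if key else hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, key=None, only=None):
    """Map of relative path -> digest for every regular file under root.
    `only` restricts the walk to a set of relative paths (the 'critical files' mode)."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # symlinks are skipped so a link swap cannot hide behind an unchanged target
        rel = p.relative_to(root).as_posix()
        if only is None or rel in only:
            result[rel] = file_digest(p, key)
    return result


def compare(baseline, current):
    """Classify every difference between two snapshots."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Build a constructed tree, take a baseline, tamper with it, and report the diff."""
    key = b"example-key-kept-off-host"  # constructed; a real key lives on separate media
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root, key)
        # Three kinds of tampering: an edited file, a new file, a deleted file.
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
        (root / "etc" / "ld.so.preload").write_text("/tmp/unexpected.so\n")
        (root / "etc" / "hosts").unlink()
        return compare(baseline, snapshot(root, key))


if __name__ == "__main__":
    print(demo())
```

Hashing only `only` paths is how the check is kept cheap enough to run every few minutes on a busy host; the full-tree walk is the nightly job. Either way the baseline dictionary is the thing an intruder wants to rewrite, which is why it is keyed and why the key is not stored on the monitored host.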

Stealth Probes

This technique attempts to detect attackers who choose to carry out their mission over prolonged periods of time. Attackers may, for example, check for system vulnerabilities and open ports over a two-month period and wait another two months before actually launching the attack. Stealth probes collect a wide variety of data throughout the system, checking for any methodical attacks over a long period of time. They take a wide-area sampling and attempt to discover any correlated attacks. In effect, this method combines anomaly detection and misuse detection in an attempt to uncover suspicious activity.
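The long-period correlation the paragraph describes, as an added example that is not part of the original essay: one detector counts the distinct destination ports a source has touched inside a window, and is run first with a one-minute window (what a conventional port-scan rule uses) and then with a 90-day window. A constructed source that probes two fresh ports each night for a month stays invisible to the first and is caught by the second. The events, addresses, ports, windows and the threshold of 20 distinct ports are assumptions made for the example.

```python
"""Long-window correlation of probes from one source (stealth probe detection).

Added example, not code from the original essay. The same detector is run with
a one-minute window, which is what a conventional port-scan rule uses, and with
a 90-day window. A source that touches two new ports per day stays invisible to
the first and is caught by the second. Events, addresses, ports, windows and the
threshold are constructed for the example.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

MIN_DISTINCT_PORTS = 20            # assumed: this many distinct ports from one source is a scan
FAST_WINDOW = timedelta(minutes=1)  # conventional per-minute scan rule
LONG_WINDOW = timedelta(days=90)    # stealth probe correlation window


def scan_alerts(events, window, min_ports=MIN_DISTINCT_PORTS):
    """events: iterable of (datetime, src, dst, dport) connection attempts.
    Returns {src: (time_first_flagged, distinct_ports_in_window)}."""
    recent = defaultdict(deque)  # src -> (time, port) pairs still inside the window
    alerts = {}
    for t, src, dst, port in sorted(events):
        q = recent[src]
        q.append((t, port))
        while q and t - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_ports and src not in alerts:
            alerts[src] = (t, len(distinct))
    return alerts


def constructed_events():
    """Thirty days of traffic to one server: a patient scanner probing two fresh ports
    each night, and a legitimate client hitting 443 every morning."""
    start = datetime(2015, 10, 1)
    events = []
    for day in range(30):
        night = start + timedelta(days=day, hours=3)
        for k in range(2):
            events.append((night + timedelta(minutes=k), "203.0.113.9", "192.0.2.10", 1 + 2 * day + k))
        events.append((start + timedelta(days=day, hours=10), "198.51.100.5", "192.0.2.10", 443))
    return events


if __name__ == "__main__":
    ev = constructed_events()
    print("1-minute window:", scan_alerts(ev, FAST_WINDOW))  # {}
    print("90-day window  :", scan_alerts(ev, LONG_WINDOW))  # scanner flagged on the tenth night
```

The cost of the long window is state: every source's recent (time, port) pairs must be kept for the whole window, which is why this kind of correlation is normally done over summarised per-day records in a database rather than inside the packet-processing path of the sensor.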

Where IDS Should be Placed in Network Topology

Depending upon your network topology, you may want to position intrusion detection systems at one or more places. It also depends upon what type of intrusion activity you want to detect: internal, external or both. For example, if you want to detect only external intrusion activity and you have only one router connecting to the Internet, the best place for an intrusion detection system may be just inside the router or firewall. A sensor outside the firewall sees every attempt, including the ones the firewall blocks; one inside sees only what got through, which gives fewer alerts but less noise. If you have multiple paths to the Internet, you may want to place one IDS box at every entry point. However, if you want to detect internal threats as well, you may want to place a sensor in every network segment.

In many cases you do not need to have intrusion detection activity in all network areas. Note that more intrusion detection systems mean more work and more maintenance costs. Your decision really depends upon your security policy, which defines what you really want to protect from attackers. Figure 1-4 shows typical locations where you place an intrusion detection system.

Figure 1-4 Typical locations for an intrusion detection system

How to Protect IDS Itself

One major issue is how to protect the system on which your intrusion detection software is running. If the security of the intrusion detection system is compromised, you may start getting false alarms or no alarms at all. An intruder may disable the IDS before actually performing any attack. There are different ways to protect your system, ranging from very general recommendations to more sophisticated methods:

The first thing you can do is not run any network service on the IDS sensor itself. Network services are the most common way a system gets exploited.

New threats are discovered and patches are released by vendors; this is an almost continuous, non-stop process. The platform on which you are running the IDS should be patched with the latest releases from your vendor. For example, if Snort is running on a Microsoft Windows machine, you should have all the latest security patches from Microsoft installed.

Configure the IDS machine so that it does not respond to ping packets.

If you are running Snort on a Linux machine, use netfilter/iptables to block any unwanted data. Snort will still be able to see all of the traffic, because libpcap copies packets off the network interface before the kernel's IP layer, where the iptables rules are evaluated, processes them.

You should use the IDS only for the purpose of intrusion detection. It should not be used for other activities, and user accounts should not be created except those that are absolutely necessary.

In addition to these common measures, Snort can be used in special cases as well. Following are two special techniques that can be used with Snort to protect it from being attacked.

Intrusion Detection System Challenges Today

Most of today's IDS products are focused on signature detection and are designed for sub-100 Mbps shared-media network environments, employing detection capabilities introduced three to four years ago. Intrusion detection products have failed to keep up with the rapid advancement in switching and bandwidth growth and the increased sophistication of attacks, as well as their sheer volume. Current IDS products often operate in a monitoring-only mode, as sniffers, which can detect attacks but cannot effectively and reliably block malicious traffic before the damage is done.

Incomplete attack coverage: IDS products typically focus on signature, anomaly or denial-of-service detection. Network security managers have to purchase and integrate point solutions from separate vendors or leave networks vulnerable to attack.

Inaccurate detection: IDS detection capabilities can be characterized in terms of accuracy and specificity. Accuracy is often measured by the true detection rate (the complement of the false-negative rate) and the false-positive rate. The true detection rate specifies how successful a system is in detecting attacks when they happen. The false-positive rate tells us the likelihood that a system will misidentify benign activity as an attack. Specificity is a measure of how much detailed information about an attack is discovered when it is detected. IDS products today are lacking in both accuracy and specificity and generate too many false positives, alerting security engineers to attacks when nothing malicious is taking place. In some cases, IDS products have delivered tens of thousands of false-positive alerts a day. There is nothing more corrosive to network vigilance than a jumpy security system that continually issues false alarms.

Performance challenged: Software applications running on general-purpose PC/server hardware do not have the processing power required to perform thorough analysis. These underpowered products result in inaccurate detection and packet dropping, even on low-bandwidth networks. Every dropped packet is a potential attack the sensor will never report.

Lack of high-availability deployment: Single-port products are not able to monitor asymmetric traffic flows, where the two directions of a connection take different paths. Also, with networks becoming a primary mechanism to interact with customers and partners, forward-thinking organizations have developed back-up systems should their current infrastructure fail in any way. The inability of current IDS products to cope with server failover renders them virtually useless for any mission-critical network deployment.

Require significant IT resources: IDS products today require substantial hands-on management; for example, the seemingly simple task of frequent signature updates can take up a lot of time and skilled engineering resources, resulting in a very high total cost of ownership.

In response to these limitations, a new architecture that detects and prevents known, unknown and Denial of Service attacks was developed for even the most demanding enterprise and government networks. The remainder of this paper will discuss the innovative technologies and capabilities of the IntruShield architecture.