Intrusion detection

A computer system should provide confidentiality, integrity and assurance against intrusion attempts. However, due to increased connectivity on the Internet, more and more systems are subject to attack by intruders. Intrusion Detection Systems (IDS) are used by organizations to extend their security infrastructure by detecting and responding to unauthorized access of resources in real time. This paper discusses what is an intrusion detection system, the models and the main techniques.

What is an IDS?

ID stands for Intrusion Detection, which is the art of detecting inappropriate, incorrect, or anomalous activity. An Intrusion Detection System (IDS) analyze a system for filesystem changes or traffic on the network, this system, learns what normal traffic looks like, then notes changes to the norm that would suggest an intrusion or otherwise suspicious traffic. So an IDS protect a system from attack, misuse, and compromise. It can also monitor network activity, audit network and system configurations for vulnerabilities, analyze data integrity, and more. Depending on the detection methods someone choose to deploy.

IDS Types

There are basically 3 main types of IDS being used today: Network based (a packet monitor), Host based (looking for instance at system logs for evidence of malicious or suspicious application activity in real time), and Application Based IDS (monitor only specific applications).

Host-Based IDS (HIDS)

Host-based systems were the first type of IDS to be developed and implemented. These systems collect and analyze data that originate on a computer that hosts a service, such as a Web server. Once this data is aggregated for a given computer, it can either be analyzed locally or sent to a separate/central analysis machine. One example of a host-based system is programs that operate on a system and receive application or operating system audit logs. These programs are highly effective for detecting insider abuses. On the down side, host-based systems can get unwieldy. With several thousand possible endpoints on a large network, collecting and aggregating separate specific computer information for each individual machine may prove inefficient and ineffective.

Possible host-based IDS implementations include Windows NT/2000 Security Event Logs, RDMS audit sources, Enterprise Management systems audit data (such as Tivoli), and UNIX Syslog in their raw forms or in their secure forms such as Solaris’ BSM; host-based commercial products include RealSecure, ITA, Squire, and Entercept, etc.

Network-Based IDS (NIDS)

NIDS are used to monitoring the activities that take place on a particular network, Network-based intrusion detection analyzes data packets that travel over the actual network. These packets are examined and sometimes compared with empirical data to verify their nature: malicious or benign. They have n/w interface in promiscuous mode. Because they are responsible for monitoring a network, rather than a single host, Network-based intrusion detection systems (NIDS) tend to be more distributed than host-based IDS. Instead of analyzing information that originates and resides on a computer, network-based IDS uses techniques like “packet-sniffing” to pull data from TCP/IP orother protocol packets traveling along the network. This surveillance of the connections between computers makes network-based IDS great at detecting access attempts from outside the trusted network. In general, network-based systems are best at detecting the following activities:

  • Unauthorized outsider access: When an unauthorized user logs in successfully, or attempts to log in, they are best tracked with host-based IDS. However, detecting the unauthorized user before their log on attempt is best accomplished with network-based IDS.
  • Bandwidth theft/denial of service: these attacks from outside the network single out network resources for abuse or overload. The packets that initiate/carry these attacks can best be noticed with use of network-based IDS.

Some possible downsides to network-based IDS include encrypted packet payloads and high-speed networks, both of which inhibit the effectiveness of packet interception and deter packet interpretation. Examples of network- based IDS include Shadow, Snort!, Dragon, NFR, RealSecure, and NetProwler. One important topic about the NIDS is where to deploy the sensor, inside or outside the firewall. A interesting quote from SANS’ GIAC Director Stephen Northcutt’s book, Network Intrusion Detection: An Analyst’s Handbook:

“An IDS before the firewall is an Attack detection and after the firewall is Intrusion detection…. In a switched network, since we don’t have broadcasting, we have two better options on deploying the NIDS, using a hub to force a broadcast or using a mirroring-port in the switch.”

Application Based IDS

Application Based IDS monitor only specific applications such as database management systems, content management systems, accounting systems etc. They often detect attacks through analysis of application log files and can usually identify many types of attack or suspicious activity. Sometimes application-based IDS can even track unauthorized activity from individual users. They can also work with encrypted data, using application-based encryption/decryption services.

IDS Models

  • Knowledge-based IDS (signature-based model) Which alert administrators before an intrusion occurs using a database of common attacks.
  • Behavioral IDS (anomaly model) That tracks all resource usage for anomalies & malicious activity.
  • Some IDSes are standalone services that work in the background and passively listen for activity, logging any suspicious packets from the outside. Others combine standard system tools, modified configurations, and verbose logging.

    Knowledge-based IDS

    Knowledge based systems use signatures about attacks to detect instances of these attacks. Knowledge based systems is the most-used IDS model. Signatures are patterns that identify attacks by checking various options in the packet, like source address, destination address, source and destination ports, flags, payload and other options. The collection of these signatures composes a knowledge base that is used by the IDS to compare all packet options that pass by and check if they match a known pattern. Signatures have the same limitations as a patch – it is not possible to write the signature until the hack has materialized.

    Behavioral IDS

    Behavior based systems use a reference rule of normal behavior and flag deviations from this model as anomalous and potentially intrusive. A behavioral rule aims to define a profile of legitimate activity. Any activity that does not match the profile, including new types of attack, is considered anomalous. As rules are not specific to a particular type of attack, forensic information is not normally very detailed. However, rules can identify malicious behavior without having to recognize the specific attack used. This approach offers unparalleled protection against new attacks ahead of any knowledge being available in the security community. The disadvantage of this model is that it may cause a high number of false-positive alerts.

    Quick Terms

    -False positive: A report of an attack or attempted attack when no vulnerability existed or no compromise occurred.
    -False negative: The failure of an IDS to report an instance in which an attacker successfully compromises a host or network.
    -Sensor: The computer that monitors the network for intrusion attempts. Sensors usually run in promiscuous mode, often without an IP address.

    Useful Links & References

    http://www-rnks.informatik.tu-cottbus.de – Intrusion Detection Systems List
    http://www.securityfocus.com – Introduction to Intrusion Detection Systems
    http://www.lids.org – Linux Intrusion Detection System
    http://www.snort.org – The Open Source Network Intrusion Detection System
    http://www.sans.org/resources/idfaq/ – Intrusion Detection FAQ