Today, there are primarily four approaches to achieving a secure computing environment:
1. the use of special procedures, such as passwords, access controls, and manual reviews
2. the inclusion of additional functions or mechanisms in the system
3. the use of assurance techniques, such as penetration analysis, formal specification and verification, and covert channel analysis, to increase one's confidence in the security of a system
4. the use of intrusion detection systems (IDSs)
(Kemmerer, Richard A. "Computer Security," 1153-1164. Encyclopedia of Software Engineering. New York, NY: John Wiley and Sons)
This report will concentrate on the last approach, intrusion detection (ID). It will give an overview of ID, discuss different solutions and products available, and concentrate on the core issues present in trying to detect inappropriate, incorrect, or anomalous activity in the computer environment.
Attacks on information systems and networks are becoming increasingly frequent and sophisticated. Moreover, traditional security measures are often unable to deal with modern malicious acts, so a more advanced tool is needed. The intrusion detection system is one such tool and an important part of defensive measures, safeguarding computer systems and networks from malicious attacks.
There are two different approaches to intrusion detection: misuse detection and anomaly detection (SANS Institute/Resources, http://www.sans.org/newlook/resources/IDFAQ/data_mining.htm). Misuse detection identifies intrusions by matching observed activity against known attack patterns, whereas anomaly detection attempts to spot malicious traffic based on deviations from normal network traffic patterns.
Intrusion detection systems can be divided into two general classes: IDSs that operate on a host to discover malicious acts are called host-based intrusion detection systems, and IDSs that watch data flows on the network are called network-based intrusion detection systems.
The science and art of ensuring security in a computer system or network is becoming increasingly difficult. The task is made even harder by the large number of breaches that originate from someone legitimately behind the company's firewall. Therefore, companies have started to implement intrusion detection systems as an additional part of their security architecture.
Intrusion detection systems are a tool to help a company secure its information assets. The tool can be used to detect an intruder, identify and stop the intruder, support investigations to find out how the intruder got in, and stop the same exploit from being used by future intruders. Therefore, an intrusion detection system can be a very useful tool in ensuring the security of a company's information systems.
http://www.sans.org/newlook/resources/IDFAQ/ID_required.htm
The basic purpose of a network intrusion detection system is to monitor the packets that flow in its network segment in order to detect anomalous activity. It seeks to protect an entire network by looking for network-based attacks and other inappropriate activity. Network-based IDSs are designed to watch all traffic on a network and to compare the network packets with certain patterns. If a pattern is detected (meaning bad traffic), an alarm is raised.
http://www.dsinet.org/textfiles/ids/network_ids_with_snort.html#Fef2
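The pattern matching just described (misuse detection, in the terminology introduced earlier) can be made concrete. The following is an added example, not code from this report or from any IDS product: a minimal signature matcher in Python that runs a constructed rule set over a constructed packet sample and raises one alert per rule hit. The Packet and Signature classes, the two rules, and the sample traffic are all assumptions made for the example; a real engine also reassembles TCP streams and decodes protocols before matching, and its rule set is far larger.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """One captured packet, reduced to the fields the matcher needs."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    """A misuse-detection rule: a byte regex that must appear in the payload,
    optionally restricted to one destination port (None = any port)."""
    name: str
    pattern: bytes
    dport: Optional[int] = None


# Hypothetical rule set, constructed for this example.
SIGNATURES = [
    Signature("web directory traversal attempt", rb"\.\./\.\./", dport=80),
    Signature("NOP sled (possible shellcode in payload)", rb"\x90{16,}"),
]


def match_packet(pkt: Packet, sigs: List[Signature]) -> List[str]:
    """Return the names of all signatures that fire on this packet."""
    hits = []
    for sig in sigs:
        if sig.dport is not None and sig.dport != pkt.dport:
            continue  # rule is scoped to a different service
        if re.search(sig.pattern, pkt.payload):
            hits.append(sig.name)
    return hits


def scan(packets: List[Packet], sigs: List[Signature] = SIGNATURES) -> List[dict]:
    """Run every packet through the rule set; one alert per (packet, rule) hit."""
    alerts = []
    for pkt in packets:
        for name in match_packet(pkt, sigs):
            alerts.append({"src": pkt.src, "dst": pkt.dst,
                           "dport": pkt.dport, "signature": name})
    return alerts


# Constructed traffic sample (documentation-range addresses, not a real capture).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.7", "10.0.0.10", 80,
           b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.7", "10.0.0.11", 25, b"HELO x\r\n" + b"\x90" * 40),
    Packet("10.0.0.6", "10.0.0.10", 443, b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(f"ALERT {alert['signature']}: {alert['src']} -> "
              f"{alert['dst']}:{alert['dport']}")
```

The port scoping matters for false positives: the traversal rule only inspects web traffic, while the NOP-sled rule applies everywhere because shellcode can arrive on any service.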
Network-based IDSs are often considered the active component of intrusion detection. They are designed to monitor many machines, whereas host-based IDSs monitor only the single machine on which they are installed.
A host-based intrusion detection system, the passive component of ID, consists of a software program (or programs) installed on the specific computer to be monitored. It monitors communication traffic in and out of the computer, tries to ensure the integrity of the system files, and watches for suspicious acts. The installed software uses log files and/or the system's auditing agents as sources of data. When used in a multi-computer environment, host-based IDS software needs to be installed on every computer.
Host-based intrusion detection can be divided into two general classes: host wrappers/personal firewalls and agent-based software. Both approaches are much more effective than network-based IDS in detecting insider attacks, and both are relatively effective in detecting attacks from outside. Compared to network-based IDSs, host-based IDSs can use far more efficient intrusion detection techniques, such as heuristic rules and analysis. Generally they also require little configuration.
http://www.sans.org/newlook/resources/IDFAQ/host_based.htm
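Since a host-based IDS draws on the host's own log files, here is an added example (not from this report or from any product) of the kind of heuristic rule such an agent runs: it parses constructed sshd log lines in syslog format, raises an alert when one source fails to log in five times within a minute, and raises a second, higher-severity alert if that same source then logs in successfully. The log lines, the threshold and window, and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed sshd log lines in syslog format (not taken from a real host).
SAMPLE_AUTH_LOG = """\
Mar 14 10:00:01 host1 sshd[2001]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar 14 10:01:10 host1 sshd[2010]: Failed password for invalid user admin from 203.0.113.9 port 40100 ssh2
Mar 14 10:01:12 host1 sshd[2011]: Failed password for root from 203.0.113.9 port 40101 ssh2
Mar 14 10:01:13 host1 sshd[2012]: Failed password for root from 203.0.113.9 port 40102 ssh2
Mar 14 10:01:15 host1 sshd[2013]: Failed password for invalid user test from 203.0.113.9 port 40103 ssh2
Mar 14 10:01:16 host1 sshd[2014]: Failed password for root from 203.0.113.9 port 40104 ssh2
Mar 14 10:01:20 host1 sshd[2015]: Accepted password for root from 203.0.113.9 port 40105 ssh2
Mar 14 10:07:00 host1 sshd[2030]: Failed password for bob from 10.0.0.6 port 51100 ssh2
Mar 14 10:07:30 host1 sshd[2031]: Accepted password for bob from 10.0.0.6 port 51101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(lines: Iterable[str]) -> List[dict]:
    """Turn raw syslog lines into events; lines the pattern does not match are skipped.
    Syslog timestamps carry no year, so strptime yields year 1900, which is fine
    for ordering and window arithmetic within one log file."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m.group("result"),
                       "user": m.group("user"), "src": m.group("src")})
    return events


def detect_login_abuse(events: List[dict], threshold: int = 5,
                       window: timedelta = timedelta(minutes=1)) -> List[dict]:
    """Sliding-window rule: `threshold` failed logins from one source inside
    `window` raises a brute-force alert (once per source, to avoid alert floods);
    a later successful login from a source already flagged raises a second
    alert, because the guessing may have worked."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["result"] == "Failed":
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "bruteforce", "src": src,
                               "failures": len(q), "first": q[0], "last": ev["ts"]})
        elif src in flagged:
            alerts.append({"type": "success_after_bruteforce", "src": src,
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(parse_auth_log(SAMPLE_AUTH_LOG.splitlines())):
        print(alert)
```

The single failure from 10.0.0.6 never reaches the threshold, so an ordinary mistyped password produces no alert; the burst from 203.0.113.9 does, and the later success from that address is what an analyst would want to see first.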
The concept behind anomaly-based intrusion detection was developed more recently than host-based or network-based IDS. When investigating internal traffic, an anomaly-based IDS searches for actions that differ from normal activity. Any deviation from what the system considers normal, in either traffic type or amount, can then be checked and considered a potential incident.
Anomaly-based IDSs are becoming increasingly important in protecting networks from insider attacks. This is largely because they address the difficulty of allowing certain users access to certain systems while disallowing others. The anomaly-based IDS solves this dilemma by detecting only what deviates from the normal, thus tackling the problem without the large amount of analytical time that would otherwise be spent filtering normal traffic out of the log files of other IDSs.
Anomaly-based intrusion detection systems are usually placed in the same locations that a network-based IDS would be, which is to say switches, hubs, or any other point where multiple systems are networked together.
online.securityfocus.com/infocus/1558
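As an added example of the deviation-from-normal idea described in this section (not code from this report or from any product): a per-host traffic profile is built from constructed training windows, and the current window is compared against it using a mean-plus-k-standard-deviations threshold; a host never seen during training is also reported, since a new source is itself a deviation. The counts, the hosts, and the value of k are assumptions made for the example.

```python
from statistics import mean, pstdev
from typing import Dict, List

# Constructed training data: connections per 5-minute window, per internal host,
# over ten windows of known-good activity (not a real capture).
BASELINE_WINDOWS = {
    "10.0.0.5": [12, 15, 14, 13, 16, 15, 14, 12, 13, 15],
    "10.0.0.6": [3, 4, 3, 5, 4, 3, 4, 4, 3, 5],
}

# Constructed observation for the window under analysis.
CURRENT_WINDOW = {"10.0.0.5": 14, "10.0.0.6": 41, "10.0.0.9": 2}


def build_profile(history: Dict[str, List[int]], min_std: float = 1.0) -> Dict[str, dict]:
    """Per-host mean and standard deviation of the training windows.
    A host whose history barely varies would otherwise get a near-zero
    deviation and alert on any change at all, so the deviation is floored."""
    profile = {}
    for host, counts in history.items():
        profile[host] = {"mean": mean(counts),
                         "std": max(pstdev(counts), min_std),
                         "samples": len(counts)}
    return profile


def detect_anomalies(profile: Dict[str, dict], observed: Dict[str, int],
                     k: float = 3.0) -> List[dict]:
    """Flag a host whose count exceeds mean + k*std (a one-sided z-score test),
    and any host with no profile at all."""
    alerts = []
    for host, count in sorted(observed.items()):
        stats = profile.get(host)
        if stats is None:
            alerts.append({"host": host, "count": count, "reason": "unknown host"})
            continue
        threshold = stats["mean"] + k * stats["std"]
        if count > threshold:
            z = (count - stats["mean"]) / stats["std"]
            alerts.append({"host": host, "count": count,
                           "threshold": round(threshold, 1), "z": round(z, 1),
                           "reason": "volume above baseline"})
    return alerts


def update_profile(history: Dict[str, List[int]], observed: Dict[str, int]) -> None:
    """Fold a window judged benign back into the history so the baseline tracks
    legitimate drift (the step an analyst takes after dismissing an alert)."""
    for host, count in observed.items():
        history.setdefault(host, []).append(count)


if __name__ == "__main__":
    profile = build_profile(BASELINE_WINDOWS)
    for alert in detect_anomalies(profile, CURRENT_WINDOW):
        print(alert)
```

Two design choices carry most of the weight here: the floor on the standard deviation keeps a very quiet host from alerting on a single extra connection, and k sets the trade-off between missed attacks and false alarms, which is exactly the analytical time the text says this approach is meant to save.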
File integrity checkers are widely used for everyday intrusion detection. They attempt to ensure file integrity by computing a checksum of every given file in the system. This checksum can later be recomputed to verify the file's integrity. To improve the robustness of the checksums, cryptographic hashes such as MD5 are recommended. File integrity checkers are quite basic tools by today's standards and should, therefore, be included in all commercial intrusion detection packages.
The most common challenges related to file integrity checking tools include keeping the checksums up to date (when a file is legitimately modified, its checksum changes) and ensuring the confidentiality of the stored checksums.
(http://www.sans.org/newlook/resources/IDFAQ/integrity_checker.htm)
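An added example of a file integrity checker (not from this report or from Tripwire) that exercises both challenges just named: a baseline of keyed digests is built over a scratch directory, the tree is then tampered with, and a verification run reports what was added, modified and deleted; accept_changes re-baselines only the paths an administrator has reviewed, so a legitimately modified file stops alerting without re-trusting everything else. It uses HMAC-SHA-256 rather than the plain MD5 mentioned above, so that an intruder who does not hold the key cannot compute a matching baseline entry for a file they altered; the key, file names and contents are constructed for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Constructed demo key. In a deployment the key (and the baseline it protects)
# lives offline or on read-only media, out of reach of an intruder on the host.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def keyed_digest(path: Path, key: bytes) -> str:
    """HMAC-SHA-256 of the file contents, streamed so large files are not read at once."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root, key: bytes) -> Dict[str, str]:
    """Map every regular file under root (as a POSIX relative path) to its keyed digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): keyed_digest(p, key)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline: Dict[str, str], key: bytes) -> Dict[str, List[str]]:
    """Recompute digests and report what differs from the stored baseline."""
    current = build_baseline(root, key)
    both = set(current) & set(baseline)
    return {"added": sorted(set(current) - set(baseline)),
            "deleted": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both
                               if not hmac.compare_digest(current[p], baseline[p]))}


def accept_changes(root, baseline: Dict[str, str], key: bytes,
                   paths: Iterable[str]) -> Dict[str, str]:
    """Handle the 'legitimately modified file' case: re-baseline only the named
    paths after the change has been reviewed, leaving everything else untouched."""
    root = Path(root)
    updated = dict(baseline)
    for rel in paths:
        p = root / rel
        if p.is_file():
            updated[rel] = keyed_digest(p, key)
        else:
            updated.pop(rel, None)  # file was removed on purpose
    return updated


def demo() -> dict:
    """Build a baseline over a scratch tree, tamper with it, and verify twice."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {"bin/tool": b"#!/bin/sh\necho ok\n",
                          "conf/app.ini": b"debug=0\n",
                          "app/server.py": b"print('hi')\n"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_baseline(root, DEMO_KEY)

        (root / "conf/app.ini").write_bytes(b"debug=1\n")  # modified
        (root / "tmp").mkdir()
        (root / "tmp/dropped").write_bytes(b"\x7fELF...")  # added
        (root / "bin/tool").unlink()                       # deleted
        first = verify(root, baseline, DEMO_KEY)

        # An administrator confirms the config edit and the removal were legitimate.
        baseline = accept_changes(root, baseline, DEMO_KEY, ["conf/app.ini", "bin/tool"])
        second = verify(root, baseline, DEMO_KEY)
        return {"first": first, "second": second}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The second verification still reports tmp/dropped as added, because nobody accepted it: re-baselining is deliberately per path, not a blanket "trust the current state".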
A honeypot is another intrusion detection tool used to deal with unauthorized access. Its main task is to act like a legitimate computer and catch the eye of possible intruders. In reality, a honeypot does not contain any relevant or important information about its host, but it has enough interesting data to fool a hacker. It is specially designed to collect information about malicious attacks, with the intention of preventing such attacks in the future. It will also inform its host about potential attacks before they occur in the company's actual systems.
Honeypots are especially beneficial when run on well-known servers, such as Web, mail, or DNS servers, because these systems come under attack very often. A honeypot is also used when a system comes under attack, by substituting a honeypot system for the target.
http://www.sans.org/newlook/resources/IDFAQ/honeypot2.htm
SSCAN is popular among the hacker community and gives a good example of the kinds of tools that an IDS is developed to fight. The SSCAN tool performs probes against hosts to identify vulnerabilities for exploitation. Although SSCAN by itself does not seek to exploit vulnerabilities, it can be configured to automatically execute malicious scripts or commands crafted to exploit vulnerabilities. The following link gives detailed information about the SSCAN tool.
http://www.cert.org/incident_notes/IN-99-01.html
Below, several intrusion detection products are introduced. One product was chosen from each major IDS category (network-based, host-based, anomaly-based, file integrity checker, honeypot). An open-source product called SNORT is also presented.
Cisco IDS (Network-based Intrusion Detection)
Providing complete intrusion protection, Cisco IDS delivers a comprehensive, pervasive security solution for combating unauthorized intrusions, malicious Internet worms, along with bandwidth and e-Business application attacks.
http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml
Intrusion SecureHost (Host-based Intrusion Detection)
In order to protect all the hosts in an enterprise, Intrusion Inc. offers the Intrusion SecureHost family of host-based intrusion detection products. Unlike existing host-based solutions that are attack-centric and reliant on databases of known attack signatures, SecureHost focuses on profiling and enforcing the behavior of mission-critical applications.
http://www.intrusion.com/products/productcategory.asp?lngCatId=10
EMERALD (Anomaly-based Intrusion Detection)
EMERALD represents the state of the art in research and development of systems and components for anomaly and misuse detection in computer systems and networks.
http://www.sdl.sri.com/projects/emerald/
Tripwire (File integrity checker)
Data integrity assurance depends on your ability to quickly determine if, and how, your data has changed. Tripwire automatically monitors changes to files and system attributes, including file size, access flags, write time, and much more.
http://www.tripwiresecurity.com/products
Deception Tool Kit (honeypot)
In the case of DTK, the deception is intended to make it appear to attackers as if the system running DTK has a large number of widely known vulnerabilities. DTK's deception is programmable, but it is typically limited to producing output in response to attacker input in such a way as to simulate the behavior of a system which is vulnerable to the attacker's method.
http://www.all.net/dtk/
As an enterprise-wide network monitoring system can be very expensive to implement and maintain, a large number of open-source intrusion detection applications have emerged. A variety of solid open-source software can be installed on low-performance, relatively inexpensive hardware, providing many of the same features as a commercial enterprise-wide network-based ID system.
One example of such an ID tool is SNORT, a lightweight intrusion detection tool available for a variety of OSs. It is the only advanced open-source intrusion detection tool comparable to the commonly used commercial solutions.
http://www.snort.org/
At the present time, the intrusion detection system is by far the best and most sophisticated tool to prevent and detect malicious and other inappropriate acts on computerized systems. When identifying attacks, an IDS works like an active alarm. Depending on the level of the product, it may be designed simply to warn humans or to act by itself to block the attacker from getting into the system.
The most current IDSs are capable of blocking attacks, alerting security officers, and even reconfiguring routers or firewalls to prevent similar attacks. These state-of-the-art systems can also be monitored 24 hours a day by security companies to provide additional protection.
http://www.osopinion.com/perl/story/17440.html
As intrusion detection systems have not been around for a long time, they are not foolproof by any standard. However, an IDS can still provide a previously unobtainable level of protection against threats coming from both inside and outside. Furthermore, better detection algorithms will be created in the future and the number of errors will decrease.
Without a proper IDS, companies are often unaware whether they've been hacked and cannot properly defend against possible attacks. Therefore, a dynamic IDS tool is needed to deal with this unawareness and with the various probes.
One very difficult, yet important, part of intrusion detection is the collection of information about the incident to identify the intruder. This is often extremely challenging because skilled attackers execute their attacks from other compromised systems (this method is the basis of the distributed denial of service attack). The idea behind this IP spoofing is to trick the good guys into believing the attacks are coming from machines which, in reality, are also innocent victims.
Although difficult to achieve in practice, hacker identification is possible. Its success depends on the amount of information gathered about the hacker. Furthermore, full auditing and logging should be enabled on any and all systems exposed to the Internet. These will help you figure out what happened when you were hacked.
http://www.isaserver.org/pages/intrusion%20detection%20faq2.htm#3.9
First of all, in today's e-world, the intrusion detection system has gone from nice-to-have to absolutely mandatory. Especially in larger organizations, an IDS is a necessity and should be well planned and implemented. Therefore, after deciding to implement an IDS, the company faces a yet more difficult problem: what kind of IDS do we want? Both network-based and host-based IDSs have their pros and cons. To get the most out of the IDS, a combination of both is likely the desired solution. Figuring out where to use each type is a difficult and challenging task.
After all the hype about intrusion detection systems, it is important to remember that an IDS is only one part (although an important one) of a good security architecture or defense strategy. It has strengths and weaknesses, which must be assessed and weighed before the final decision is made to implement one on your systems.
Kemmerer, Richard A. "Computer Security," 1153-1164. Encyclopedia of Software Engineering. New York, NY: John Wiley and Sons
http://www.sans.org/newlook/resources/IDFAQ/data_mining.htm
http://www.sans.org/newlook/resources/IDFAQ/ID_required.htm
http://www.sans.org/newlook/resources/IDFAQ/host_based.htm
http://www.dsinet.org/textfiles/ids/network_ids_with_snort.html#Fef2
online.securityfocus.com/infocus/1558
http://www.sans.org/newlook/resources/IDFAQ/integrity_checker.htm
http://www.sans.org/newlook/resources/IDFAQ/honeypot2.htm
http://www.cert.org/incident_notes/IN-99-01.html
http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml
http://www.intrusion.com/products/productcategory.asp?lngCatId=10
http://www.sdl.sri.com/projects/emerald/
http://www.tripwiresecurity.com/products
http://www.all.net/dtk/
http://www.snort.org/
http://www.osopinion.com/perl/story/17440.html
http://www.isaserver.org/pages/intrusion%20detection%20faq2.htm#3.9