Intrusion Detection System (IDS)
1 like1,025 views
The document discusses Intrusion Detection Systems (IDS) and their role in network security, emphasizing the necessity of detecting unauthorized or anomalous behaviors. It describes the two main types of IDS: host-based (HIDS) and network-based (NIDS), along with their components and methodologies including anomaly-based and misuse detection. The future of IDS is projected to expand significantly, reflecting the increasing need for advanced security measures in response to rising cyber threats.
![Formoredetailscontact:ers.info@hcl.com
Followusontwitter:http://twitter.com/hclersand
Ourbloghttp://www.hcltech.com/blogs/engineering-and-rd-services
Visitourwebsite:http://www.hcltech.com/engineering-rd-services
Hello,I’m from HCL’sEngineeringandR&DServices.Weenabletechnologyledorganizationstogotomarketwithinnovativeproducts
andsolutions.Wepatnerwithourcustomersinbuildingworldclassproductsandcreatingassociatedsolutiondeliveryecosystems
to help bringmarketleadership.Wedevelop engineeringproducts,solutionsand platformsacrossAerospaceand Defense,
Automotive,ConsumerElectronics,Software,Online,IndustrialManufacturing,MedicalDevices,NetworkingandTelecom,Office
Automation,SemiconductorandServers&Storageforourcustomers.
ThiswhitepaperispublishedbyHCLEngineeringandR&DServices.
Theviewsandopinionsinthisarticleareforinformationalpurposesonlyandshouldnotbeconsideredasasubstituteforprofessional
businessadvice.TheusehereinofanytrademarksisnotanassertionofownershipofsuchtrademarksbyHCLnorintendedtoimply
anyassociationbetweenHCLandlawfulownersofsuchtrademarks.
FormoreinformationaboutHCLEngineeringandR&DServices,
Pleasevisithttp://www.hcltech.com/engineering-rd-services
Copyright@ HCCopyright@ HCLTechnologies
Allrightsreserved.
SaumendraDash
HCLEngineeringandR&DServices
Reference
Conclusion
AuthorInfo
[1]http://packetstorm.igor.onlinedirect.bg/papers/IDS/nids/A-Framework-For-An-Adaptive-Intrusion-Detection-System.pdf
[2]http://static.usenix.org/event/lisa99/full_papers/roesch/roesch.pdf
[3]https://iseclab.org/papers/driveby.pdf
[4]http://www.cse.iitm.ac.in/~ravi/papers/Ranga_COMSNETS_12.pdf
Last,butnottheleast,byprovidingasecureinfrastructurewithbothHost-andNetwork-basedIDSforour
esteemedclientsinHCL,apprehensionsaboutthesecurityvulnerabilitieswillmitigate,boosttheirconfi-
dence,andcreateawin-winatmospherefornewopportunities.
Intrusiondetectionhasbecomeanecessaryadditiontothesecurityinfrastructureofalmosteveryorga-
nization.Thecriticalityofdetectingintrusioninnetworksandapplicationsleavesnomarginforerrors.The
effectivecostofasuccessfulintrusionovershadowsthecostofdevelopingIDS,andhence,itbecomescritical
toidentifythebestpossibleapproachfordevelopingabetterIDS.Everynetworkandapplicationisdifferently
designed,soitbecomesextremelydifficulttodevelopsinglegenericsolutionthatworksforall.Tokeeppace
withtheeverchangingnetworksandapplications,theIDSmustbeinsyncwiththem both.IDSmustintegrate
withwith wirelesstechnologies,removableand mobiledevices,and providesupportin acomprehensible
manner.EvaluationandbenchmarkingofIDSareimportantareasofconcernfororganizationaldecision
makersandendusers.Moreover,reconstructingattackscenariosfromintrusionalertsandintegratingIDSwill
improvebothitsusabilityandperformance. WeexpectIDStobecomeapracticalandeffectivesolution,
usingbothhost-andnetwork-basedIDSthatprovidecompletedefensetoinformationsystems.
IntrusionDetectionSystem (IDS)|10](https://image.slidesharecdn.com/intrusiondetectionsystem-150605100023-lva1-app6891/85/Intrusion-Detection-System-IDS-10-320.jpg)
Intrusion Detection System (IDS)
- 3. ©2015,HCLTechnologies.ReproductionProhibited.ThisdocumentisprotectedunderCopyrightbytheAuthor,allrightsreserved. Due to the phenomenaldevelopmentofNetworking technology,applicationsand otherservices,IP networksarepreferredforcommunication,butaremorevulnerabletoattacks.Tocopewiththegrowing- menaceofsecuritythreats,securitysystemshavetobemademoreintelligentandrobustbyintroducing IntrusionDetectionSystems(IDS)inthesecuritylayersofanetwork.IDSmonitortheuseofcomputersand thenetworksoverwhichtheycommunicate,todetectunauthorizeduseandanomalousbehaviorbyidentify- ingactivitiesthatviolatethesecuritypolicyinthesystem.Thereareseveralreasonsthatmake intrusion detectionanecessarypartoftheentiredefensesystem.Moreimportantly, Manylegacysystemsandapplicationsweredevelopedwithoutkeepingsecurityinmind Computersystemsorapplicationsmayhavedesignflawsorbugsthatcanbeusedbyanintruderto attackthesystem orapplications AnIDSprovideswaystomonitor,identifyandrespondtoattacksagainstthesesystems.ThegoalofIDSisnot onlytodetectattacksaccuratelyandnotifynetworkadministrators,butdetectthem atanearlystageto minimizetheimpact. Sl.No 1 2 3 4 5 IDS HIDS NIDS VMM VMI IntrusionDetectionSystem Host-basedIDS Network-basedIDS VirtualMachineMonitor VirtualMachineIntrospection FullFormAcronyms Abstract Abbreviations IntrusionDetectionSystem (IDS)|3
- 4. ©2015,HCLTechnologies.ReproductionProhibited.ThisdocumentisprotectedunderCopyrightbytheAuthor,allrightsreserved. IDSisusuallydeployedasasecondlineofdefensealongwithothersecuritymechanisms,suchasaccess control,authenticationandfirewalls.ThoughIDSareoftenusedinconjunctionwithfirewalls,thetwotools havecompletelydifferentfunctionalities.Forexample,thinkofIDSasasecurityguardinafactorypremises andthefencesurroundingthefactoryasthefirewall.Nobodyisallowedinsidethefactorywithoutproper authenticationandthefencekeepsallunwantedvisitorsoutsideofthepremises.Buttheholesinthefence canbeusedbyunwantedvisitorstoenterthepremises.Thiskindofintrusioneventcanbemonitoredbya securitysecurityguardwhoalertstheheadsecurityofficerorpreventsthepersonfrom enteringintothepremises.A firewallessentiallyprotectsanetworkandattemptstopreventintrusionsbyusingnetworkorapplication levelfiltering,whereasIDSdetectsanysecuritybreachinthesystem orwhenthenetworkisunderattack.IDS usespoliciestodefinecertaineventsasthreats,raisealertsupondetection,andoftenrespondstotheevents appropriately. AnIDStypicallyconsistsofthreecomponents: DataDataPreprocessor:Thiscomponentcollectsuser(audit)dataandpatternsfrom thedesiredsourceand convertsitintoaformatcomprehensiblebythenextcomponenti.e.the‘analyzer’.Datausedfordetecting© 2015,HCLTechnologies.ReproductionProhibited.ThisdocumentisprotectedunderCopyrightbytheAuthor, allrightsreserved.intrusionrangesfrom useraccesspatternstonetworkpacketlevelfeatures(sourceand destinationIP,typesofpackets,etc.)alongwiththeapplicationandsystem levelbehaviors(sequenceof system calls). Thesystem isassumedtobesafeandhealthy,ifthefollowingconditionsaremetforuseractions. Conformstostatisticallypredictablepatterns Doesnotincludesequencesthatviolatethesecuritypolicy Correspondstoasetofspecificationswhichdescribewhattheprocessisallowedtodo Ifatleastoneoftheseconditionsarenotmeet,thenthesystem isassumedtobeunderattack.Further,intru- siondetectionisbaseduponthefollowingassumptionsregardlessofthemethodsadoptedbytheIDS. Asecuritypolicyisdefinedtodifferentiatethenormalandabnormalusageofeveryresource. Thepatternsgeneratedforabnormalsystem usagearenoticeablydifferentfrom thoseofnormalsystem usage,andresultsindifferentsystem behavior.Thisanomalyinbehaviorcanbeusedtodetectintrusions. ThedetectionmechanismsusedbyIDSaremainlycategorizedintotwomethodologies:Anomalydetection, andsignature/misusedetection. Principles&AssumptionsinIDS ComponentsandTypesofIDS IDSOverview IntrusionDetectionSystem (IDS)|4
- 5. Analyzer(IntrusionDetector):ThisisthecorecomponentinIDS,whichanalyzestheauditpatternssuchas machinelearning,patternmatching,dataminingandstatisticaltechniquestodetectanattack.Itscapability todetectanattackoftendeterminesthestrengthoftheoverallsystem. ResponseEngine:Thiscomponentcontrolsthereactionmechanism anddeterminestheresponsewhenthe analyzerdetectsanattack.Dependinguponthesecuritypolicyofthenetwork,itdecideswhethertoraisean alertorblockthesourcetemporarily.IDScanbeeithernetwork-based,orhost-based.Eachhasdistinct approachesformonitoringandsecuringdata. HIDSpreventsthreatsthatarisefrom insidethenetworkbycollectingdataoriginatedonindividualhostsand analyzingthem byadedicatedsystem.Thesesystemsresideontrustednetworksystemsandareaccessible onlytoauthenticatedusers.Ifoneoftheseusersattemptunauthorizedactivity,HIDSdetectsitandcollects themostpertinentinformationinthequickestpossiblemanner.Forexample,theOperatingSystemsaudit logsarehighlyeffectivefordetectinginsiderabuse.AtypicalHIDSarchitectureisrepresentedinFigure1.The bluecoloredmachinesrepresentHIDSthathavebeeninstalled. Figure-1:HIDSArchitecture ©2015,HCLTechnologies.ReproductionProhibited.ThisdocumentisprotectedunderCopyrightbytheAuthor,allrightsreserved. HIDS(Host-basedIntrusionDetectionSystems) IntrusionDetectionSystem (IDS)|5
- 6. NIDSanalyzedatapacketsthattravelovertheactualnetworkandoftencompareswithempiricaldatato verifytheirnature.NIDSareplacedatstrategicpointswithinthenetworktomonitorit,andarebestatdetect- ingthefollowingactivities: Denialofservice:NIDSnoticesthepacketsthatinitiateattacksfrom outsideofthenetworkandsinglesout networkresourcesforabuseoroverload. Unauthorizedoutsideraccess:Detectsunauthorizedloginattemptsbyusersbeforetheactuallogin.NIDS typicalarchitectureisrepresentedinFigure2.ThetraffichasbeenfunneledthroughtheNIDSdeviceinthe network.Itdoesnotisolateanysinglehostmachineforintrusiondetection. Figure-2:NIDSArchitecture ThevirtualizedenvironmentprovidesprotectiontosystemswiththehelpofaVirtualMachineMonitor(VMM) orHypervisorbyusingthebestofbothhost-andnetwork-basedIDS.TheVMM pullstheIDSoutsideofthe monitoredhostintoacompletelydifferenthardwareprotectiondomain;thispropertyofVMM isknownas isolation.TheVMMprovidesahugebarrierbetweentheIDSandtheattacker’smaliciouscode,whichensures thattheIDScan’tbetamperedwithevenifthemonitoredhostiscompromised.Theabilitytodirectlyinspect thehardwarestateofaVirtualMachine(VM)thatamonitoredhostisrunning,andtherebyprovidemonitor- ingingofbothhardwareandsoftwarelevelevents,iscalledinspection.Anyattempttomodifyaregistercan easilybedetectedbytheVMM;thisiscalledtheinterpositionpropertyofVMM. ©2015,HCLTechnologies.ReproductionProhibited.ThisdocumentisprotectedunderCopyrightbytheAuthor,allrightsreserved. NIDS(Network-basedIntrusionDetectionSystems) IntrusionDetectioninVirtualizedSystems IntrusionDetectionSystem (IDS)|6
- 7. TheOSInterfaceLibrary,whichprovidesanOS-levelviewofthevirtualmachine’sstateinordertofacilitate easypolicydevelopmentandimplementation.Itinterpretslowlevelmachinestatesfrom theVMM interms ofhigherlevelOSstructures,byusingknowledgeabouttheguestOSimplementationtointerprettheVM’s machinestate,whichisexportedbytheVMM. TheThePolicyEngineexecutesIDSpoliciesbyusingtheOSinterfacelibraryandtheVMM interface.Itprovides aninterfaceformakinghigh-levelqueriesabouttheOSofthemonitoredhost,andinterpretssystem state andeventsfrom theVMM interfaceandOSinterfacelibraryforanysecuritybreach.Thepolicyengine respondsappropriatelyincaseofthreatsandisconsideredtobetheheartofIDS. Figure3showshow theVM runs,thehostbeingmonitored,andtheVMI-basedIDSwithitsmajorcom- ponents. VirtualMachineIntrospection(VMI)inspectsaVM from outsideandanalyzesthesoftwarerunningonit.The VMIIDSimplementsintrusiondetectionpoliciesbyanalyzingthemachinestateandtheeventsthroughthe VMM interface.VMI-IDSusesthepropertiesoftheVMM toprovideaveryrobustarchitectureforintrusion detection. IDs PolicyModules PobeyFramework OSInterfaceLib PolicyEngine MonitoredHost GuestApps GuestOS VirtualMachine H/W State VirtualMachineMonitor Response Command Query Response Figure-3:VMI-basedIDS ©2015,HCLTechnologies.ReproductionProhibited.ThisdocumentisprotectedunderCopyrightbytheAuthor,allrightsreserved. TheVMI-IDSisdividedintotwoparts: IntrusionDetectionSystem (IDS)|7
- 8. Thisisdesignedtouncoverabnormalpatterns.TheIDSestablishesabaselineofnormalusagepatterns, whichismodeledonthebasisofauditdatacollectedoveraperiodthrough‘training’.Anythingthatwidely deviatesfrom itgetsflaggedasapossibleintrusion.Whatisconsideredtobeanomalycanvary,butnormally differentparameterssuchasbandwidth,protocols,portsanddevices,etc.arecomparedwiththebaselineto seeifitcrossesathreshold,andthenananomalyisdetected.Anomalydetectioncanalsoinvestigateuser patternsbyprofilingtheprogramsexecuteddaily.Thealgorithmsinthisapproachuse‘system callsequence’ andand‘program counters’tocalculatetheanomalyscore.Itraisesanalarm iftheanomalyscoredeviatesfrom thethreshold. Isolation:SoftwarerunninginavirtualmachinecannotaccessormodifyanythingrunninginVMM orother VMs.Evenifanintruderhascompletelysubvertedthemonitoredhost,hestillcannottamperwiththeIDS. Inspection:Beingabletodirectlyinspectthevirtualmachine’sCPU,memoryandI/Ostatus,thereisnostate inthemonitoredsystem thatIDScannotsee. Interposition:VMI-IDSleveragesthefunctionalityofVMM tointerposevirtualmachineoperations,sothat anyattemptstomodifyahardwareregistercanbeeasilydetected. AAVMIcompletelyencapsulatesthestateofaVMinsoftware,andcollectsthecheckpointsofaVMeasily.This capabilitycanbeusedtocomparethestateofa‘VMunderobservation’forperformingofflineanalysis,orcap- turingtheentirestateofthecompromisedmachineforforensicpurposes. AVMIIDSoffersamorerobustviewofthesystem andutilizesthepropertyofVMM todirectlyobservehard- warestatesandeventsofavirtualmachine.Itusestheinformationtoextrapolatethesoftwarestateofthe hostsimilartothatofHIDS.Atamperedsshdprocesscanbedetectedbyperiodicallyperformingintegrity checksonitscodesegment.AVMMcanprovideaccesstopagesofphysicalmemory/diskblocksinaVM,but discoveringthecontentsofsshd’scodesegmentrequiresansweringqueriesaboutmachinestateinthe contextofOSrunningintheVM. VMI-basedVMI-basedIDSarestronglyisolatedfrom thehosttheyaremonitoring,givingahighdegreeofattackresis- tance,providingcompleteprotectiontohardwareaccess,andmaintainingtheconstraintsimposedbytheOS evenifthehosthasbeencompromised.VMI-basedIDSsuspendthehostswhiletheIDSrestartsincaseofa fault,providinganeasymodelforfail-safefaultrecovery. TheVMI-IDSleveragesthreepropertiesofavirtualizedenvironment: ©2015,HCLTechnologies.ReproductionProhibited.ThisdocumentisprotectedunderCopyrightbytheAuthor,allrightsreserved. Anomaly-basedIDS IntrusionDetectionSystem (IDS)|8
- 9. Theconsofthisapproacharethebaselinecollectedthroughtraining.Asubject’snormalbehaviorusually changesovertimeandtheIDSthatusesthisapproachusuallyallowsthesubject’sprofiletochange gradually.AnintrudercanusethisloopholetotraintheIDSandmakeanintrusiveactivityacceptable.Addi- tionally,itcangiveaseriesoffalsealarmsincaseofanoticeablechangeinthesystem environment.False positivealertsareissuedwhennormalbehaviorisincorrectlyidentifiedasabnormal,andfalsenegative alertsareissuedwhenabnormalbehaviorisincorrectlyidentifiedasnormal.Moreover,duringthetraining, thetheinputparametersoftendonotcontainallthefeaturesrelatedtointrusiondetection.Thesemissing featuresmakeitdifficulttodistinguishattacksfrom normalactivities. ©2015,HCLTechnologies.ReproductionProhibited.ThisdocumentisprotectedunderCopyrightbytheAuthor,allrightsreserved. LimitationofAnomalyDetection Thisiscomplementarytoanomalydetection.Theknownattackpatternscanbedetectedmoreeffectivelyby usingtheknowledgeaboutthem.Thiswillmonitorpacketsonthenetworkandcomparethem againstadata- baseofsignaturesorattributesfrom knownmaliciousthreats.Misusedetectionwilllookforwell-defined patternsofknownattacksorvulnerabilities,evenaverytrivialintrusiveactivitythatisusuallyignoredby anomalydetectioncanbedetectedbythesesystems.Thedetectionalgorithm usuallyfollowsdirectlyfrom the representation mechanisms.Rule-based expertsystemsare used in misuse-basedalgorithms,in whichrulesareappliedtoauditrecords,todetectintrusion.whichrulesareappliedtoauditrecords,todetectintrusion. Misuse-basedIDS Thismodelcannotdetectunknownattacks.Asystemprotectedbythismethodmayfacetheriskofbeingcom- promisedwithoutdetectingtheattacks.Misusedetectionrequiresexplicitrepresentationofattackswhichis notaneasytask,andthenatureoftheattacksalsoneedstobethoroughlyunderstoodtoraiseanalert.This requireshuman/expertinterventionforanalysis,whichisbothtimeconsuminganderrorprone. LimitationsofMisuseDetection Intrusiondetectionisstillafledglingfieldofresearch.ThegrowthoftheInternet,thepossibilitiesopeningup inelectronictradeandthelackoftrulysecuresystemsmakesitanimportantfieldofresearch. Todetectunknownpatternsofattackswithoutgeneratingtoomanyfalsealarms,stillremainsanunre- solvedproblem.Futureresearchtrendsseem tobeconvergingtowardsamodelthatisahybridofanomaly andmisusedetection,sinceneitherofthemodelscandetectallintrusionattemptsontheirown. Thedrasticincreaseinthenumberofintrusionincidentsinbusinessnetworkshaspushedenterprisesto increasetheirITsecuritybudgetsbyadaptingtonew advancedsecuritytechnologies,whicheventually- boostedthemarketofIDStoagreatextent.ThemarketrelatedtoIDSisexpectedtogrowfrom $2.716bil- lionin2014to$5.042billionby2019,anestimatedgrowthrateof13.2%. FutureDirectionsandBusinessRelevance IntrusionDetectionSystem (IDS)|9
- 10. Formoredetailscontact:ers.info@hcl.com Followusontwitter:http://twitter.com/hclersand Ourbloghttp://www.hcltech.com/blogs/engineering-and-rd-services Visitourwebsite:http://www.hcltech.com/engineering-rd-services Hello,I’m from HCL’sEngineeringandR&DServices.Weenabletechnologyledorganizationstogotomarketwithinnovativeproducts andsolutions.Wepatnerwithourcustomersinbuildingworldclassproductsandcreatingassociatedsolutiondeliveryecosystems to help bringmarketleadership.Wedevelop engineeringproducts,solutionsand platformsacrossAerospaceand Defense, Automotive,ConsumerElectronics,Software,Online,IndustrialManufacturing,MedicalDevices,NetworkingandTelecom,Office Automation,SemiconductorandServers&Storageforourcustomers. ThiswhitepaperispublishedbyHCLEngineeringandR&DServices. Theviewsandopinionsinthisarticleareforinformationalpurposesonlyandshouldnotbeconsideredasasubstituteforprofessional businessadvice.TheusehereinofanytrademarksisnotanassertionofownershipofsuchtrademarksbyHCLnorintendedtoimply anyassociationbetweenHCLandlawfulownersofsuchtrademarks. FormoreinformationaboutHCLEngineeringandR&DServices, Pleasevisithttp://www.hcltech.com/engineering-rd-services Copyright@ HCCopyright@ HCLTechnologies Allrightsreserved. SaumendraDash HCLEngineeringandR&DServices Reference Conclusion AuthorInfo [1]http://packetstorm.igor.onlinedirect.bg/papers/IDS/nids/A-Framework-For-An-Adaptive-Intrusion-Detection-System.pdf [2]http://static.usenix.org/event/lisa99/full_papers/roesch/roesch.pdf [3]https://iseclab.org/papers/driveby.pdf [4]http://www.cse.iitm.ac.in/~ravi/papers/Ranga_COMSNETS_12.pdf Last,butnottheleast,byprovidingasecureinfrastructurewithbothHost-andNetwork-basedIDSforour esteemedclientsinHCL,apprehensionsaboutthesecurityvulnerabilitieswillmitigate,boosttheirconfi- dence,andcreateawin-winatmospherefornewopportunities. Intrusiondetectionhasbecomeanecessaryadditiontothesecurityinfrastructureofalmosteveryorga- nization.Thecriticalityofdetectingintrusioninnetworksandapplicationsleavesnomarginforerrors.The effectivecostofasuccessfulintrusionovershadowsthecostofdevelopingIDS,andhence,itbecomescritical toidentifythebestpossibleapproachfordevelopingabetterIDS.Everynetworkandapplicationisdifferently designed,soitbecomesextremelydifficulttodevelopsinglegenericsolutionthatworksforall.Tokeeppace withtheeverchangingnetworksandapplications,theIDSmustbeinsyncwiththem both.IDSmustintegrate withwith wirelesstechnologies,removableand mobiledevices,and providesupportin acomprehensible manner.EvaluationandbenchmarkingofIDSareimportantareasofconcernfororganizationaldecision makersandendusers.Moreover,reconstructingattackscenariosfromintrusionalertsandintegratingIDSwill improvebothitsusabilityandperformance. WeexpectIDStobecomeapracticalandeffectivesolution, usingbothhost-andnetwork-basedIDSthatprovidecompletedefensetoinformationsystems. IntrusionDetectionSystem (IDS)|10