
Intrusion Detection System (IDS)

Due to the phenomenal development of Networking technology, applications and other services, IP networks are preferred for communication, but are more vulnerable to attacks. To cope with the growing menace of security threats, security systems have to be made more intelligent and robust by introducing Intrusion Detection Systems (IDS) in the security layers of a network.
This white paper explores the role of IDS to detect attacks accurately at an early stage to minimize the impact.

©2015, HCL Technologies. Reproduction Prohibited. This document is protected under Copyright by the Author, all rights reserved.

Table of Contents
Abstract (p. 3)
Abbreviations (p. 3)
IDS Overview (p. 4)
Principles & Assumptions in IDS (p. 4)
Components and Types of IDS (p. 4)
HIDS (Host-based Intrusion Detection Systems) (p. 5)
NIDS (Network-based Intrusion Detection Systems) (p. 6)
Intrusion Detection in Virtualized Systems (p. 6)
Anomaly-based IDS (p. 8)
Limitations of Anomaly Detection (p. 9)
Misuse-based IDS (p. 9)
Limitations of Misuse Detection (p. 9)
Future Directions (p. 9)
Conclusion (p. 10)
Reference (p. 10)
Author Info (p. 10)
Abstract

Due to the phenomenal development of networking technology, applications and other services, IP networks are preferred for communication, but are more vulnerable to attacks. To cope with the growing menace of security threats, security systems have to be made more intelligent and robust by introducing Intrusion Detection Systems (IDS) in the security layers of a network. IDS monitor the use of computers and the networks over which they communicate, to detect unauthorized use and anomalous behavior by identifying activities that violate the security policy of the system. There are several reasons that make intrusion detection a necessary part of the entire defense system. Most importantly:

- Many legacy systems and applications were developed without keeping security in mind.
- Computer systems or applications may have design flaws or bugs that can be used by an intruder to attack the system or applications.

An IDS provides ways to monitor, identify and respond to attacks against these systems. The goal of IDS is not only to detect attacks accurately and notify network administrators, but to detect them at an early stage to minimize the impact.

Abbreviations

Sl. No | Acronym | Full Form
1 | IDS | Intrusion Detection System
2 | HIDS | Host-based IDS
3 | NIDS | Network-based IDS
4 | VMM | Virtual Machine Monitor
5 | VMI | Virtual Machine Introspection
IDS Overview

IDS is usually deployed as a second line of defense along with other security mechanisms, such as access control, authentication and firewalls. Though IDS are often used in conjunction with firewalls, the two tools have completely different functionalities. For example, think of IDS as a security guard on a factory's premises and the fence surrounding the factory as the firewall. Nobody is allowed inside the factory without proper authentication, and the fence keeps all unwanted visitors outside of the premises. But holes in the fence can be used by unwanted visitors to enter the premises. This kind of intrusion event can be monitored by a security guard who alerts the head security officer or prevents the person from entering the premises. A firewall essentially protects a network and attempts to prevent intrusions by using network- or application-level filtering, whereas IDS detects any security breach in the system or when the network is under attack. IDS uses policies to define certain events as threats, raises alerts upon detection, and often responds to the events appropriately.

Principles & Assumptions in IDS

The system is assumed to be safe and healthy if the following conditions are met for user actions:

- Conforms to statistically predictable patterns
- Does not include sequences that violate the security policy
- Corresponds to a set of specifications which describe what the process is allowed to do

If at least one of these conditions is not met, then the system is assumed to be under attack. Further, intrusion detection is based upon the following assumptions regardless of the methods adopted by the IDS:

- A security policy is defined to differentiate the normal and abnormal usage of every resource.
- The patterns generated for abnormal system usage are noticeably different from those of normal system usage, and result in different system behavior. This anomaly in behavior can be used to detect intrusions.

The detection mechanisms used by IDS are mainly categorized into two methodologies: anomaly detection, and signature/misuse detection.

Components and Types of IDS

An IDS typically consists of three components:

Data Preprocessor: This component collects user (audit) data and patterns from the desired source and converts it into a format comprehensible by the next component, i.e. the 'analyzer'. Data used for detecting intrusion ranges from user access patterns to network packet-level features (source and destination IP, types of packets, etc.) along with application- and system-level behaviors (sequence of system calls).
Analyzer (Intrusion Detector): This is the core component of the IDS, which analyzes the audit patterns using techniques such as machine learning, pattern matching, data mining and statistics to detect an attack. Its capability to detect an attack often determines the strength of the overall system.

Response Engine: This component controls the reaction mechanism and determines the response when the analyzer detects an attack. Depending upon the security policy of the network, it decides whether to raise an alert or block the source temporarily.

IDS can be either network-based or host-based. Each has distinct approaches for monitoring and securing data.

HIDS (Host-based Intrusion Detection Systems)

HIDS prevents threats that arise from inside the network by collecting data originating on individual hosts and analyzing it on a dedicated system. These systems reside on trusted network systems and are accessible only to authenticated users. If one of these users attempts unauthorized activity, HIDS detects it and collects the most pertinent information in the quickest possible manner. For example, the operating system's audit logs are highly effective for detecting insider abuse. A typical HIDS architecture is represented in Figure 1. The blue colored machines represent hosts on which HIDS has been installed.

Figure-1: HIDS Architecture
NIDS (Network-based Intrusion Detection Systems)

NIDS analyze data packets that travel over the actual network and often compare them with empirical data to verify their nature. NIDS are placed at strategic points within the network to monitor it, and are best at detecting the following activities:

- Denial of service: NIDS notices the packets that initiate attacks from outside of the network and single out network resources for abuse or overload.
- Unauthorized outsider access: Detects unauthorized login attempts by users before the actual login.

A typical NIDS architecture is represented in Figure 2. The traffic has been funneled through the NIDS device in the network. It does not isolate any single host machine for intrusion detection.

Figure-2: NIDS Architecture

Intrusion Detection in Virtualized Systems

The virtualized environment provides protection to systems with the help of a Virtual Machine Monitor (VMM) or hypervisor by using the best of both host- and network-based IDS. The VMM pulls the IDS outside of the monitored host into a completely different hardware protection domain; this property of the VMM is known as isolation. The VMM provides a huge barrier between the IDS and the attacker's malicious code, which ensures that the IDS can't be tampered with even if the monitored host is compromised. The ability to directly inspect the hardware state of the Virtual Machine (VM) that a monitored host is running on, and thereby provide monitoring of both hardware- and software-level events, is called inspection. Any attempt to modify a register can easily be detected by the VMM; this is called the interposition property of the VMM.
Virtual Machine Introspection (VMI) inspects a VM from outside and analyzes the software running on it. The VMI IDS implements intrusion detection policies by analyzing the machine state and the events through the VMM interface. VMI-IDS uses the properties of the VMM to provide a very robust architecture for intrusion detection.

The VMI-IDS is divided into two parts:

- The OS Interface Library, which provides an OS-level view of the virtual machine's state in order to facilitate easy policy development and implementation. It interprets low-level machine state from the VMM in terms of higher-level OS structures, by using knowledge about the guest OS implementation to interpret the VM's machine state, which is exported by the VMM.
- The Policy Engine executes IDS policies by using the OS interface library and the VMM interface. It provides an interface for making high-level queries about the OS of the monitored host, and interprets system state and events from the VMM interface and OS interface library for any security breach. The policy engine responds appropriately in case of threats and is considered to be the heart of the IDS.

Figure 3 shows how the VM runs, the host being monitored, and the VMI-based IDS with its major components.

Figure-3: VMI-based IDS [figure: the IDS (Policy Modules, Policy Framework, OS Interface Lib, Policy Engine) sends Command and Query to the Virtual Machine Monitor (H/W State) and receives Response; the Monitored Host runs Guest Apps and Guest OS inside the Virtual Machine]
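The two-part structure just described can be made concrete with a small simulation. The following is an added example written for this page, not code from the paper or from any VMI-IDS project: an OS interface library that interprets a raw guest memory image (as a VMM would export it) in terms of a process table and code segments, and a policy-engine module that hashes the code segment of each monitored process and compares it with a baseline taken from a known-clean snapshot, the kind of periodic integrity check the paper describes for a tampered sshd. The process-table layout, the offsets and the sample code bytes are all constructed for the example; a real deployment would derive them from the guest kernel's data structures.

```python
import hashlib
import struct
from dataclasses import dataclass

# Constructed guest-memory layout used only by this example (hypothetical,
# standing in for knowledge of a real guest kernel's data structures):
# a process table at PROC_TABLE_OFF holding a 1-byte entry count followed
# by 16-byte entries: name[8] (NUL padded), code_off uint32 LE, code_len uint32 LE.
PROC_TABLE_OFF = 0x100
ENTRY_FMT = "<8sII"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 16 bytes


@dataclass(frozen=True)
class GuestProcess:
    name: str
    code_off: int
    code_len: int


class OSInterfaceLibrary:
    """Interprets raw guest memory, as exported by the VMM, in terms of
    guest-OS structures (processes and their code segments)."""

    def list_processes(self, mem: bytes) -> list[GuestProcess]:
        count = mem[PROC_TABLE_OFF]
        procs = []
        for i in range(count):
            start = PROC_TABLE_OFF + 1 + i * ENTRY_SIZE
            raw_name, off, length = struct.unpack_from(ENTRY_FMT, mem, start)
            procs.append(GuestProcess(raw_name.rstrip(b"\0").decode(), off, length))
        return procs

    def code_segment(self, mem: bytes, proc: GuestProcess) -> bytes:
        return mem[proc.code_off:proc.code_off + proc.code_len]


class IntegrityPolicy:
    """Policy-engine module: hashes each monitored process's code segment
    and compares it with a baseline taken from a known-clean snapshot."""

    def __init__(self, oslib: OSInterfaceLibrary, monitored: tuple[str, ...]):
        self.oslib = oslib
        self.monitored = monitored
        self.baseline: dict[str, str] = {}

    def learn_baseline(self, clean_mem: bytes) -> None:
        for p in self.oslib.list_processes(clean_mem):
            if p.name in self.monitored:
                seg = self.oslib.code_segment(clean_mem, p)
                self.baseline[p.name] = hashlib.sha256(seg).hexdigest()

    def check(self, mem: bytes) -> dict[str, str]:
        """Returns {process: 'ok' | 'TAMPERED' | 'MISSING'} for every baselined process."""
        result = {}
        for p in self.oslib.list_processes(mem):
            if p.name not in self.baseline:
                continue
            digest = hashlib.sha256(self.oslib.code_segment(mem, p)).hexdigest()
            result[p.name] = "ok" if digest == self.baseline[p.name] else "TAMPERED"
        for name in self.baseline:
            result.setdefault(name, "MISSING")  # process table no longer lists it
        return result


def build_guest_memory(procs: dict[str, bytes], size: int = 0x1000) -> bytearray:
    """Builds a fake guest memory image with the process table and the given
    code segments (constructed sample data, not a real OS image)."""
    mem = bytearray(size)
    mem[PROC_TABLE_OFF] = len(procs)
    code_off = 0x400
    for i, (name, code) in enumerate(procs.items()):
        start = PROC_TABLE_OFF + 1 + i * ENTRY_SIZE
        mem[start:start + ENTRY_SIZE] = struct.pack(ENTRY_FMT, name.encode(), code_off, len(code))
        mem[code_off:code_off + len(code)] = code
        code_off += 0x100
    return mem


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Baseline from a clean snapshot, then re-check after one byte of
    sshd's code segment has been altered inside the guest (simulated)."""
    oslib = OSInterfaceLibrary()
    clean = bytes(build_guest_memory({"sshd": b"\x55\x48\x89\xe5" * 16, "cron": b"\x90" * 32}))
    policy = IntegrityPolicy(oslib, monitored=("sshd", "cron"))
    policy.learn_baseline(clean)
    before = policy.check(clean)

    tampered = bytearray(clean)
    sshd = next(p for p in oslib.list_processes(clean) if p.name == "sshd")
    tampered[sshd.code_off + 3] ^= 0xFF
    after = policy.check(bytes(tampered))
    return before, after


if __name__ == "__main__":
    print(demo())
```

The policy never runs inside the guest: it only reads the memory image the VMM hands it, which is the isolation property the paper relies on, and it needs the OS interface library because a list of physical pages by itself says nothing about where sshd's code segment is.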
The VMI-IDS leverages three properties of a virtualized environment:

- Isolation: Software running in a virtual machine cannot access or modify anything running in the VMM or other VMs. Even if an intruder has completely subverted the monitored host, he still cannot tamper with the IDS.
- Inspection: Being able to directly inspect the virtual machine's CPU, memory and I/O status, there is no state in the monitored system that the IDS cannot see.
- Interposition: VMI-IDS leverages the functionality of the VMM to interpose on virtual machine operations, so that any attempt to modify a hardware register can be easily detected.

A VMI completely encapsulates the state of a VM in software, and collects checkpoints of a VM easily. This capability can be used to compare the state of a 'VM under observation' for performing offline analysis, or to capture the entire state of a compromised machine for forensic purposes.

A VMI IDS offers a more robust view of the system and utilizes the property of the VMM to directly observe hardware states and events of a virtual machine. It uses this information to extrapolate the software state of the host, similar to that of HIDS. A tampered sshd process can be detected by periodically performing integrity checks on its code segment. A VMM can provide access to pages of physical memory or disk blocks in a VM, but discovering the contents of sshd's code segment requires answering queries about machine state in the context of the OS running in the VM.

VMI-based IDS are strongly isolated from the host they are monitoring, giving a high degree of attack resistance, providing complete protection to hardware access, and maintaining the constraints imposed by the OS even if the host has been compromised. VMI-based IDS suspend the host while the IDS restarts in case of a fault, providing an easy model for fail-safe fault recovery.

Anomaly-based IDS

This is designed to uncover abnormal patterns. The IDS establishes a baseline of normal usage patterns, which is modeled on the basis of audit data collected over a period through 'training'. Anything that widely deviates from it gets flagged as a possible intrusion. What is considered to be an anomaly can vary, but normally different parameters such as bandwidth, protocols, ports, devices, etc. are compared with the baseline to see if a threshold is crossed, in which case an anomaly is detected. Anomaly detection can also investigate user patterns by profiling the programs executed daily. The algorithms in this approach use 'system call sequences' and 'program counters' to calculate an anomaly score, and raise an alarm if the anomaly score crosses the threshold.
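As an added example (not from the paper), the following Python code implements the system-call-sequence variant of this approach: training records every n-gram of system calls seen in normal traces, the anomaly score of a new trace is the fraction of its n-grams never seen during training, and an alarm is raised when the score crosses the threshold. The traces, the service they describe and the threshold values are constructed for the example. The evaluate helper counts false positives and false negatives so that the effect of the threshold can be seen: a low threshold catches the unseen behaviour but also flags a benign library upgrade, a high one does the opposite.

```python
from collections import Counter

# Constructed sample data (not real audit traces): each trace is the system
# call sequence observed for one run of a hypothetical network service.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "close", "socket", "bind", "listen", "accept", "read", "write", "close"],
    ["open", "read", "mmap", "close", "socket", "bind", "listen", "accept", "read", "write", "write", "close"],
    ["open", "read", "mmap", "mmap", "close", "socket", "bind", "listen", "accept", "read", "read", "write", "close"],
    ["open", "read", "mmap", "close", "socket", "bind", "listen", "accept", "accept", "read", "write", "close"],
]
# A benign run that recombines only behaviour seen in training.
BENIGN_VARIANT = ["open", "read", "mmap", "close", "socket", "bind", "listen", "accept", "read", "write", "close"]
# A run in which the service, after accepting a connection, writes and changes
# the mode of a file: behaviour never seen in training.
SUSPICIOUS_TRACE = ["open", "read", "mmap", "close", "socket", "bind", "listen", "accept", "read", "open", "write", "chmod", "close"]
# The same service after a library upgrade that uses different (benign) system
# calls: the kind of environment change that produces false alarms.
UPGRADED_TRACE = ["openat", "pread64", "mmap", "close", "socket", "bind", "listen", "accept", "pread64", "write", "close"]
LABELLED = [(BENIGN_VARIANT, False), (SUSPICIOUS_TRACE, True), (UPGRADED_TRACE, False)]


class SyscallAnomalyDetector:
    """Anomaly-based detector: 'training' records every n-gram of system calls
    seen in normal traces; a new trace's anomaly score is the fraction of its
    n-grams that were never seen, and an alarm is raised above a threshold."""

    def __init__(self, n: int = 3, threshold: float = 0.2):
        self.n = n
        self.threshold = threshold
        self.baseline: set[tuple[str, ...]] = set()

    def _ngrams(self, trace: list[str]) -> list[tuple[str, ...]]:
        return [tuple(trace[i:i + self.n]) for i in range(len(trace) - self.n + 1)]

    def train(self, traces) -> None:
        for t in traces:
            self.baseline.update(self._ngrams(t))

    def score(self, trace: list[str]) -> float:
        grams = self._ngrams(trace)
        if not grams:
            return 0.0  # trace shorter than n: nothing to compare
        unseen = sum(1 for g in grams if g not in self.baseline)
        return unseen / len(grams)

    def is_anomalous(self, trace: list[str]) -> bool:
        return self.score(trace) > self.threshold


def evaluate(detector: SyscallAnomalyDetector, labelled) -> dict[str, int]:
    """Counts TP/FP/TN/FN over (trace, is_attack) pairs: a false positive is
    normal behaviour flagged as abnormal, a false negative an attack left unflagged."""
    outcome = {(True, True): "TP", (False, True): "FP", (False, False): "TN", (True, False): "FN"}
    counts = Counter()
    for trace, is_attack in labelled:
        counts[outcome[(is_attack, detector.is_anomalous(trace))]] += 1
    return dict(counts)


def build_detector(threshold: float = 0.2) -> SyscallAnomalyDetector:
    """Trains a trigram detector on the constructed normal traces."""
    det = SyscallAnomalyDetector(n=3, threshold=threshold)
    det.train(NORMAL_TRACES)
    return det


if __name__ == "__main__":
    det = build_detector()
    for name, trace in [("benign", BENIGN_VARIANT), ("suspicious", SUSPICIOUS_TRACE), ("upgraded", UPGRADED_TRACE)]:
        print(f"{name:10s} score={det.score(trace):.2f} alarm={det.is_anomalous(trace)}")
    print("threshold 0.2:", evaluate(det, LABELLED))
    print("threshold 0.6:", evaluate(build_detector(0.6), LABELLED))
```

With the threshold at 0.2 the suspicious trace (4 of 11 trigrams unseen) raises an alarm, but so does the upgraded service (5 of 9 unseen), a false positive; raising the threshold to 0.6 silences both, turning the suspicious trace into a false negative. That trade-off, and the need to retrain after a legitimate environment change, is the limitation the next section discusses.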
Limitations of Anomaly Detection

The main weakness of this approach is the baseline collected through training. A subject's normal behavior usually changes over time, and an IDS that uses this approach usually allows the subject's profile to change gradually. An intruder can use this loophole to train the IDS and make an intrusive activity acceptable. Additionally, it can give a series of false alarms in case of a noticeable change in the system environment. False positive alerts are issued when normal behavior is incorrectly identified as abnormal, and false negatives occur when abnormal behavior is incorrectly identified as normal. Moreover, during the training, the input parameters often do not contain all the features related to intrusion detection. These missing features make it difficult to distinguish attacks from normal activities.

Misuse-based IDS

This is complementary to anomaly detection. Known attack patterns can be detected more effectively by using the knowledge about them. A misuse-based IDS monitors packets on the network and compares them against a database of signatures or attributes of known malicious threats. Misuse detection looks for well-defined patterns of known attacks or vulnerabilities; even a very trivial intrusive activity that is usually ignored by anomaly detection can be detected by these systems. The detection algorithm usually follows directly from the representation mechanism. Rule-based expert systems are used in misuse-based algorithms, in which rules are applied to audit records to detect intrusion.

Limitations of Misuse Detection

This model cannot detect unknown attacks. A system protected by this method may face the risk of being compromised without the attacks being detected. Misuse detection requires explicit representation of attacks, which is not an easy task, and the nature of the attacks also needs to be thoroughly understood to raise an alert. This requires human/expert intervention for analysis, which is both time consuming and error prone.

Future Directions and Business Relevance

Intrusion detection is still a fledgling field of research. The growth of the Internet, the possibilities opening up in electronic trade and the lack of truly secure systems make it an important field of research. Detecting unknown patterns of attacks without generating too many false alarms still remains an unresolved problem. Future research trends seem to be converging towards a model that is a hybrid of anomaly and misuse detection, since neither of the models can detect all intrusion attempts on its own.

The drastic increase in the number of intrusion incidents in business networks has pushed enterprises to increase their IT security budgets by adapting to new advanced security technologies, which eventually boosted the market for IDS to a great extent. The market related to IDS is expected to grow from $2.716 billion in 2014 to $5.042 billion by 2019, an estimated growth rate of 13.2%.
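The following added example (written for this page, not code from the paper) puts the three components from the 'Components and Types of IDS' section together as the misuse-based pipeline described above: a Data Preprocessor parses raw audit records into packets, an Analyzer applies rule-based signatures to every record, and a Response Engine maps alert severity to the action the security policy prescribes, here an alert or a temporary block of the source. The record format, the two signatures (a byte-pattern rule and a rate rule for repeated login attempts, one of the activities the NIDS section lists) and the sample records are all constructed for the example; real signature databases are far larger.

```python
import re
from collections import defaultdict, deque, namedtuple
from dataclasses import dataclass

# Constructed audit records for the example (not captured traffic). The line
# format "<epoch> <src> <dst> <proto>/<dport> <payload>" is hypothetical.
RAW_RECORDS = """\
1000 10.0.0.5 192.0.2.10 tcp/80 GET /index.html HTTP/1.1
1001 10.0.0.5 192.0.2.10 tcp/80 GET /../../private/config HTTP/1.1
1002 10.0.0.7 192.0.2.10 tcp/22 SSH-2.0-client
1003 10.0.0.7 192.0.2.10 tcp/22 SSH-2.0-client
1004 10.0.0.7 192.0.2.10 tcp/22 SSH-2.0-client
1005 10.0.0.7 192.0.2.10 tcp/22 SSH-2.0-client
1006 10.0.0.9 192.0.2.10 tcp/80 GET /status HTTP/1.1
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (tcp|udp)/(\d+) (.*)$")

@dataclass(frozen=True)
class Packet:
    ts: int
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes

@dataclass(frozen=True)
class Rule:
    # One misuse signature: either a byte pattern (content) or a rate limit
    # (more than max_count hits from one source within window seconds).
    name: str
    proto: str
    dport: int
    severity: str
    content: bytes = b""
    max_count: int = 0
    window: int = 60

Alert = namedtuple("Alert", "rule severity src ts")

# Hypothetical signature database, constructed for this example.
SIGNATURES = [
    Rule("path traversal marker in HTTP request", "tcp", 80, "high", content=b"../.."),
    Rule("repeated SSH connection attempts", "tcp", 22, "medium", max_count=3, window=60),
]

def preprocess(raw: str) -> list[Packet]:
    """Data Preprocessor: converts raw audit lines into the analyzer's record format."""
    packets = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than stall the pipeline
        ts, src, dst, proto, dport, payload = m.groups()
        packets.append(Packet(int(ts), src, dst, proto, int(dport), payload.encode()))
    return packets

class Analyzer:
    """Misuse detector: applies every signature rule to every audit record."""

    def __init__(self, rules: list[Rule]):
        self.rules = rules
        self.hits = defaultdict(deque)  # (rule name, src) -> timestamps inside the window

    def analyze(self, packets: list[Packet]) -> list[Alert]:
        alerts = []
        for p in packets:
            for r in self.rules:
                if r.proto != p.proto or r.dport != p.dport:
                    continue
                if r.content:
                    matched = r.content in p.payload
                else:
                    q = self.hits[(r.name, p.src)]
                    q.append(p.ts)
                    while p.ts - q[0] > r.window:
                        q.popleft()
                    matched = len(q) == r.max_count + 1  # alert once, when the limit is crossed
                if matched:
                    alerts.append(Alert(r.name, r.severity, p.src, p.ts))
        return alerts

class ResponseEngine:
    """Maps alert severity to the action the site's security policy prescribes."""

    def __init__(self, policy: dict[str, str], block_seconds: int = 300):
        self.policy = policy
        self.block_seconds = block_seconds
        self.blocked_until: dict[str, int] = {}

    def respond(self, alert: Alert) -> str:
        action = self.policy.get(alert.severity, "alert")
        if action == "block":  # temporary block of the source, as the paper describes
            self.blocked_until[alert.src] = alert.ts + self.block_seconds
        return f"{action} {alert.src}: {alert.rule}"

def run_pipeline(raw: str):
    """Preprocessor -> Analyzer -> Response Engine over one batch of records."""
    packets = preprocess(raw)
    alerts = Analyzer(SIGNATURES).analyze(packets)
    engine = ResponseEngine({"high": "block", "medium": "alert"})
    actions = [engine.respond(a) for a in alerts]
    return alerts, actions, engine.blocked_until

if __name__ == "__main__":
    print(run_pipeline(RAW_RECORDS)[1])
```

Running the pipeline over the sample records produces two alerts: the traversal marker from 10.0.0.5 (severity high, so the source is blocked until 1301) and the fourth SSH connection from 10.0.0.7 within the window (severity medium, alert only). The records from 10.0.0.9 pass silently because no rule matches them; a signature engine treats anything it has no signature for in exactly the same way, which is the limitation described under 'Limitations of Misuse Detection'.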
Conclusion

Intrusion detection has become a necessary addition to the security infrastructure of almost every organization. The criticality of detecting intrusion in networks and applications leaves no margin for errors. The effective cost of a successful intrusion overshadows the cost of developing IDS, and hence it becomes critical to identify the best possible approach for developing a better IDS. Every network and application is differently designed, so it becomes extremely difficult to develop a single generic solution that works for all. To keep pace with the ever changing networks and applications, the IDS must be in sync with them both. IDS must integrate with wireless technologies, removable and mobile devices, and provide support in a comprehensible manner. Evaluation and benchmarking of IDS are important areas of concern for organizational decision makers and end users. Moreover, reconstructing attack scenarios from intrusion alerts and integrating IDS will improve both its usability and performance. We expect IDS to become a practical and effective solution, using both host- and network-based IDS that provide complete defense to information systems.

Last, but not the least, by providing a secure infrastructure with both host- and network-based IDS for our esteemed clients in HCL, apprehensions about security vulnerabilities will be mitigated, boosting their confidence and creating a win-win atmosphere for new opportunities.

Author Info

Saumendra Dash, HCL Engineering and R&D Services

This white paper is published by HCL Engineering and R&D Services.
