Intrusion Detection System (IDS)
© 2015, HCL Technologies. Reproduction Prohibited. This document is protected under Copyright by the Author, all rights reserved.
Table of Contents

Abstract
Abbreviations
IDS Overview
Principles & Assumptions in IDS
Components and Types of IDS
HIDS (Host-based Intrusion Detection Systems)
NIDS (Network-based Intrusion Detection Systems)
Intrusion Detection in Virtualized Systems
Anomaly-based IDS
Limitations of Anomaly Detection
Misuse-based IDS
Limitations of Misuse Detection
Future Directions and Business Relevance
Conclusion
Author Info
Abstract

Due to the phenomenal development of networking technology, applications and other services, IP networks are the preferred medium for communication, but they are also more exposed to attacks. To cope with the growing menace of security threats, security systems have to be made more intelligent and robust by introducing Intrusion Detection Systems (IDS) into the security layers of a network. An IDS monitors the use of computers and the networks over which they communicate, detecting unauthorized use and anomalous behavior by identifying activities that violate the system's security policy. Several reasons make intrusion detection a necessary part of the overall defense system. Most importantly:

- Many legacy systems and applications were developed without security in mind.
- Computer systems or applications may have design flaws or bugs that an intruder can use to attack the system or its applications.

An IDS provides ways to monitor, identify and respond to attacks against such systems. The goal of an IDS is not only to detect attacks accurately and notify network administrators, but to detect them at an early stage so as to minimize their impact.
Abbreviations

Sl. No | Acronym | Full Form
1 | IDS | Intrusion Detection System
2 | HIDS | Host-based IDS
3 | NIDS | Network-based IDS
4 | VMM | Virtual Machine Monitor
5 | VMI | Virtual Machine Introspection
IDS Overview

An IDS is usually deployed as a second line of defense alongside other security mechanisms such as access control, authentication and firewalls. Though an IDS is often used in conjunction with a firewall, the two tools have quite different functions. Think of the IDS as a security guard on a factory's premises and the fence surrounding the factory as the firewall. Nobody is allowed inside the factory without proper authentication, and the fence keeps unwanted visitors out. But holes in the fence can be used by unwanted visitors to enter the premises; this kind of intrusion event is spotted by the security guard, who alerts the head security officer or prevents the person from entering. A firewall essentially protects a network and attempts to prevent intrusions using network- or application-level filtering, whereas an IDS detects a security breach in the system, or signs that the network is under attack. An IDS uses policies to define certain events as threats, raises alerts on detection, and often responds to the events as the policy dictates.
Principles & Assumptions in IDS

The system is assumed to be safe and healthy if user actions meet the following conditions:

- They conform to statistically predictable patterns.
- They do not include sequences that violate the security policy.
- They correspond to a set of specifications describing what the process is allowed to do.

If at least one of these conditions is not met, the system is assumed to be under attack. Further, regardless of the method an IDS adopts, intrusion detection rests on the following assumptions:

- A security policy is defined that differentiates normal from abnormal usage of every resource.
- The patterns generated by abnormal system usage are noticeably different from those of normal usage and result in different system behavior. This difference in behavior can be used to detect intrusions.

The detection mechanisms used by IDS fall mainly into two methodologies: anomaly detection and signature (misuse) detection.

Components and Types of IDS

An IDS typically consists of three components:

Data Preprocessor: This component collects user (audit) data and patterns from the desired source and converts them into a format comprehensible to the next component, the analyzer. Data used for detecting intrusions ranges from user access patterns to network packet-level features (source and destination IP, packet types, etc.), along with application- and system-level behavior (for example, sequences of system calls).
Analyzer (Intrusion Detector): This is the core component of an IDS. It analyzes the audit patterns using techniques such as machine learning, pattern matching, data mining and statistics to detect an attack. Its ability to detect an attack largely determines the strength of the overall system.

Response Engine: This component controls the reaction mechanism and determines the response when the analyzer detects an attack. Depending on the security policy of the network, it decides whether to raise an alert or block the source temporarily.

An IDS can be either network-based or host-based; each has a distinct approach to monitoring and securing data.
HIDS (Host-based Intrusion Detection Systems)

A HIDS detects threats that arise from inside the network by collecting data that originates on individual hosts and analyzing it on a dedicated system. These systems reside on trusted network hosts and are accessible only to authenticated users. If one of these users attempts unauthorized activity, the HIDS detects it and collects the most pertinent information as quickly as possible. For example, the operating system's audit logs are highly effective for detecting insider abuse. Because a HIDS runs on the host it protects, it shares that host's fate: an attacker who fully compromises the host can disable or subvert the HIDS, which is the weakness the virtualization-based approach described later addresses. A typical HIDS architecture is shown in Figure 1, where the blue-colored machines are those with a HIDS installed.

Figure-1: HIDS Architecture
NIDS (Network-based Intrusion Detection Systems)

A NIDS analyzes the data packets that travel over the actual network and often compares them with empirical data to verify their nature. NIDS are placed at strategic points within the network to monitor it, and are best at detecting the following activities:

- Denial of service: A NIDS notices packets from outside the network that initiate attacks and single out network resources for abuse or overload.
- Unauthorized outsider access: A NIDS detects unauthorized login attempts from outside users, often before a login actually succeeds.

A typical NIDS architecture is shown in Figure 2. The traffic is funneled through the NIDS device in the network; the NIDS does not single out any one host for intrusion detection.

Figure-2: NIDS Architecture

Intrusion Detection in Virtualized Systems

A virtualized environment can protect systems with the help of a Virtual Machine Monitor (VMM), or hypervisor, by combining the best of host- and network-based IDS. The VMM pulls the IDS outside of the monitored host into a completely different hardware protection domain; this property of the VMM is known as isolation. The VMM provides a strong barrier between the IDS and the attacker's malicious code, which ensures that the IDS cannot be tampered with even if the monitored host is compromised (as long as the VMM itself remains trustworthy). The ability to directly inspect the hardware state of the Virtual Machine (VM) in which the monitored host runs, and thereby monitor both hardware- and software-level events, is called inspection. Any attempt to modify a register can easily be detected by the VMM; this is called the interposition property of the VMM.
Virtual Machine Introspection (VMI) inspects a VM from outside and analyzes the software running in it. A VMI IDS implements intrusion detection policies by analyzing the machine state and events exposed through the VMM interface. A VMI-IDS uses the properties of the VMM to provide a very robust architecture for intrusion detection.

The VMI-IDS is divided into two parts:

The OS Interface Library provides an OS-level view of the virtual machine's state in order to facilitate easy policy development and implementation. It interprets the low-level machine state exported by the VMM in terms of higher-level OS structures, using knowledge of the guest OS implementation.

The Policy Engine executes IDS policies using the OS interface library and the VMM interface. It provides an interface for making high-level queries about the OS of the monitored host, and interprets system state and events from the VMM interface and the OS interface library to look for any security breach. The policy engine responds appropriately to threats and is considered the heart of the IDS.

Figure 3 shows the VMM, the VM running the monitored host (guest OS and guest applications on top of the virtual hardware state), and the VMI-based IDS with its major components: the policy engine, the policy framework with its policy modules, and the OS interface library, which exchange queries, responses and commands with the VMM.

Figure-3: VMI-based IDS
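The following is an added example, not code from the paper or from any real VMI system, showing the out-of-VM integrity check this section describes (the sshd code-segment check discussed below with the three VMM properties). A toy VMM exports raw guest physical frames (inspection), a toy OS interface library maps a guest process name to the frames holding its code, and the policy engine hashes those frames against a reference taken while the guest was known-good. The frame layout, process table, memory contents and the class and function names are all assumptions constructed for the example.

```python
"""Out-of-VM integrity check of a guest process's code segment.

Added illustration (not from the paper): a toy VMM exposes raw physical
frames of a guest, a toy 'OS interface library' maps a guest process name to
the frames holding its code, and the policy engine hashes those frames and
compares them with a known-good value. All memory contents, process names and
frame numbers below are constructed for the example.
"""
import hashlib

FRAME_SIZE = 16  # bytes per frame; tiny so the example stays readable


class ToyVMM:
    """Stands in for the hypervisor: holds guest physical memory and exports it."""

    def __init__(self, nframes):
        self.mem = bytearray(nframes * FRAME_SIZE)

    def read_frame(self, frame):
        """Inspection: the monitor reads guest memory without running guest code."""
        start = frame * FRAME_SIZE
        return bytes(self.mem[start:start + FRAME_SIZE])

    def guest_write(self, addr, data):
        """Simulates the guest (or an attacker inside it) writing its own memory."""
        self.mem[addr:addr + len(data)] = data


# Constructed 'guest OS' knowledge: which physical frames hold each process's
# code (text) and data pages. A real OS interface library would recover this
# by walking the guest kernel's process list and page tables.
GUEST_PROCESS_TABLE = {
    "sshd": {"code": [2, 3], "data": [4]},
    "cron": {"code": [5], "data": [6]},
}


def code_segment(vmm, proc):
    """OS interface library: turn a process name into the bytes of its code."""
    frames = GUEST_PROCESS_TABLE[proc]["code"]
    return b"".join(vmm.read_frame(f) for f in frames)


def code_hash(vmm, proc):
    return hashlib.sha256(code_segment(vmm, proc)).hexdigest()


def check_integrity(vmm, proc, expected_hash):
    """Policy engine: True if the code segment still matches the trusted hash."""
    return code_hash(vmm, proc) == expected_hash


def build_guest():
    """Constructed guest: load fake 'code' and 'data' pages for sshd and cron."""
    vmm = ToyVMM(nframes=8)
    vmm.guest_write(2 * FRAME_SIZE, b"sshd-code-page-0")
    vmm.guest_write(3 * FRAME_SIZE, b"sshd-code-page-1")
    vmm.guest_write(4 * FRAME_SIZE, b"sshd-heap-data--")
    vmm.guest_write(5 * FRAME_SIZE, b"cron-code-page-0")
    return vmm


def demo():
    """Returns (clean, after_data_write, after_code_patch) check results."""
    vmm = build_guest()
    trusted = code_hash(vmm, "sshd")   # taken while the guest is known-good
    clean = check_integrity(vmm, "sshd", trusted)

    # Ordinary activity: sshd updates its own data page. Not a code change,
    # so a code-segment check must not fire.
    vmm.guest_write(4 * FRAME_SIZE, b"session-state-01")
    after_data = check_integrity(vmm, "sshd", trusted)

    # Attacker with root inside the guest patches two bytes of sshd's code.
    # Isolation means the checker and 'trusted' live outside the VM, so the
    # attacker cannot also patch the reference hash.
    vmm.guest_write(3 * FRAME_SIZE + 4, b"\xeb\xfe")
    after_patch = check_integrity(vmm, "sshd", trusted)
    return clean, after_data, after_patch


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The check is deliberately limited to code pages: writable data changes constantly and would only generate false positives, while the text segment of a long-running daemon should never change. Translating "sshd" into frame numbers is the part a real deployment cannot hard-code; it is exactly the guest-OS knowledge the OS interface library exists to supply.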
The VMI-IDS leverages three properties of a virtualized environment:

- Isolation: Software running in a virtual machine cannot access or modify anything running in the VMM or in other VMs. Even if an intruder has completely subverted the monitored host, he still cannot tamper with the IDS.
- Inspection: Being able to directly inspect the virtual machine's CPU, memory and I/O state, there is no state in the monitored system that the IDS cannot see.
- Interposition: The VMI-IDS leverages the VMM's ability to interpose on virtual machine operations, so that any attempt to modify a hardware register can be easily detected.

A VMI completely encapsulates the state of a VM in software and can collect checkpoints of a VM easily. This capability can be used to compare the state of a 'VM under observation' for offline analysis, or to capture the entire state of a compromised machine for forensic purposes.

A VMI IDS offers a more robust view of the system and uses the VMM's ability to directly observe the hardware state and events of a virtual machine. It uses this information to reconstruct the software state of the host, much as a HIDS would. For example, a tampered sshd process can be detected by periodically performing integrity checks on its code segment. A VMM can provide access to the pages of physical memory or the disk blocks of a VM, but discovering the contents of sshd's code segment requires answering queries about machine state in the context of the OS running in the VM.

VMI-based IDS are strongly isolated from the hosts they monitor, which gives them a high degree of attack resistance while retaining complete visibility into the host's hardware state, and they continue to enforce their policy even after the host OS has been compromised. A VMI-based IDS can suspend the host while the IDS restarts after a fault, giving an easy model for fail-safe fault recovery.

Anomaly-based IDS

This approach is designed to uncover abnormal patterns. The IDS establishes a baseline of normal usage patterns, modeled on audit data collected over a period of time through 'training'. Anything that deviates widely from the baseline gets flagged as a possible intrusion. What counts as an anomaly can vary, but typically parameters such as bandwidth, protocols, ports and devices are compared with the baseline, and an anomaly is reported when a threshold is crossed. Anomaly detection can also examine user patterns by profiling the programs executed daily. Algorithms in this approach use system-call sequences and program counters to calculate an anomaly score, and raise an alarm if the score exceeds the threshold.
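As an added example (not from the paper), the block below implements the system-call-sequence flavour of anomaly detection described above: the baseline is the set of n-grams of system calls observed in normal training traces, and a trace's anomaly score is the fraction of its n-grams the baseline has never seen. The same block also reproduces the profile-drift loophole discussed under Limitations of Anomaly Detection below: an adaptive profile that absorbs every unflagged trace can be walked, one small novelty at a time, until the real attack scores as normal. The window length, threshold, traces and names are all constructed assumptions.

```python
"""Sequence-based anomaly detection over system-call traces, plus the
profile-drift loophole.

Added illustration (not from the paper): the baseline is the set of n-grams
of system calls seen in 'normal' training traces; a trace is scored by the
fraction of its n-grams the baseline has never seen. All traces below are
constructed for the example.
"""

N = 3            # window length (deployed systems typically use 6 or more)
THRESHOLD = 0.3  # fraction of unseen windows above which an alarm is raised


def ngrams(trace, n=N):
    """Sliding windows of n consecutive system calls."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


class Profile:
    """Baseline of normal n-grams; 'adaptive' profiles absorb unflagged traces."""

    def __init__(self, training_traces, adaptive=False):
        self.known = set()
        self.adaptive = adaptive
        for trace in training_traces:
            self.known.update(ngrams(trace))

    def score(self, trace):
        """Anomaly score: fraction of windows not present in the baseline."""
        windows = ngrams(trace)
        if not windows:
            return 0.0
        unseen = sum(1 for w in windows if w not in self.known)
        return unseen / len(windows)

    def observe(self, trace):
        """Score a trace and return (score, flagged). An adaptive profile
        learns from anything it did not flag, which is what an attacker abuses."""
        s = self.score(trace)
        flagged = s > THRESHOLD
        if self.adaptive and not flagged:
            self.known.update(ngrams(trace))
        return s, flagged


# Constructed training data: a few ordinary traces of a network daemon.
NORMAL_TRACES = [
    "open read mmap close".split(),
    "open read read write close".split(),
    "socket bind listen accept read write close".split(),
    "open fstat mmap read close".split(),
]

NORMAL_TEST = "open read read write close".split()
# Constructed attack: after accept/read the daemon takes a shell-spawning path.
ATTACK = "socket bind listen accept read setuid execve dup2".split()


def run_static():
    """Fixed baseline: returns (normal_score, attack_score, attack_flagged)."""
    profile = Profile(NORMAL_TRACES)
    attack_score, flagged = profile.observe(ATTACK)
    return profile.score(NORMAL_TEST), attack_score, flagged


def run_drift():
    """Adaptive baseline: the attacker feeds traces that each add a little
    novelty below THRESHOLD, until the real attack trace scores as normal."""
    profile = Profile(NORMAL_TRACES, adaptive=True)
    poison = [
        "socket bind listen accept read setuid".split(),         # 1/4 unseen
        "socket bind listen accept read setuid execve".split(),  # 1/5 unseen
    ]
    results = [profile.observe(t) for t in poison]
    results.append(profile.observe(ATTACK))                      # 1/6 unseen
    return results


if __name__ == "__main__":
    print(run_static())  # (0.0, 0.5, True)
    for score, flagged in run_drift():
        print(f"score={score:.2f} flagged={flagged}")
```

With the fixed baseline the attack trace scores 0.5 and is flagged; with the adaptive baseline the same trace passes after two poisoning runs, because each run stayed under the threshold and was absorbed. A practical defence is to age the profile slowly, require an operator to approve baseline updates, or refuse to learn from any trace that contains even one unseen window on a sensitive path.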
Limitations of Anomaly Detection

The weakness of this approach lies in the baseline collected through training. A subject's normal behavior usually changes over time, so an IDS using this approach usually allows the subject's profile to change gradually. An intruder can use this loophole to train the IDS and make an intrusive activity look acceptable. Additionally, the IDS can produce a series of false alarms after a noticeable change in the system environment. A false positive is an alert raised when normal behavior is incorrectly identified as abnormal; a false negative is a missed detection, where abnormal behavior is incorrectly identified as normal. Moreover, the input parameters used during training often do not contain all the features relevant to intrusion detection. These missing features make it difficult to distinguish attacks from normal activities.

Misuse-based IDS

This is complementary to anomaly detection: known attack patterns can be detected more effectively by using knowledge about them. A misuse-based IDS monitors packets on the network (or audit records on a host) and compares them against a database of signatures or attributes of known malicious threats. Misuse detection looks for well-defined patterns of known attacks or vulnerabilities, so even a trivial intrusive activity that anomaly detection would usually ignore can be detected by these systems. The detection algorithm usually follows directly from the representation mechanism; rule-based expert systems are used in misuse-based algorithms, in which rules are applied to audit records to detect intrusions.

Limitations of Misuse Detection

This model cannot detect unknown attacks, so a system protected by this method alone risks being compromised without the attacks being detected. Misuse detection requires an explicit representation of each attack, which is not an easy task, and the nature of the attack must be thoroughly understood before an alert can be raised. This requires human/expert intervention for analysis, which is both time-consuming and error-prone.
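The block below is an added example, not from the paper or from Snort, of the rule-based misuse detection described above and of the limitation just stated. A few Snort-style rules (protocol, destination port, content pattern) are applied to constructed packet records; a known traversal attempt matches, but a URL-encoded variant of the same attack is invisible to the signature until a data preprocessor canonicalizes the payload. The rule set, sids, addresses, payloads and function names are all assumptions made for the example.

```python
"""Signature (misuse) matching over packet records, with and without a
normalizing preprocessor.

Added illustration (not from the paper): a handful of Snort-style rules
(protocol, destination port, content pattern) are applied to constructed
packet records. Rules, sids, addresses and payloads are all made up.
"""
import re
from urllib.parse import unquote

# Each rule: protocol, destination port (None = any port), content pattern.
RULES = [
    {"sid": 1001, "proto": "tcp", "dport": 80,
     "pattern": re.compile(r"\.\./\.\./etc/passwd"),
     "msg": "WEB-ATTACK /etc/passwd directory traversal"},
    {"sid": 1002, "proto": "tcp", "dport": None,
     "pattern": re.compile(r"/bin/sh"),
     "msg": "SHELL /bin/sh string in payload"},
]


def preprocess(payload):
    """Data preprocessor: URL-decode (twice, to undo double encoding) and
    fold backslashes to slashes so the analyzer sees a canonical form."""
    decoded = unquote(unquote(payload))
    return decoded.replace("\\", "/")


def match(packet, rules=RULES, normalize=False):
    """Analyzer: return the sids of every rule whose header and content match."""
    payload = preprocess(packet["payload"]) if normalize else packet["payload"]
    hits = []
    for rule in rules:
        if rule["proto"] != packet["proto"]:
            continue
        if rule["dport"] is not None and rule["dport"] != packet["dport"]:
            continue
        if rule["pattern"].search(payload):
            hits.append(rule["sid"])
    return hits


def make_packet(payload, proto="tcp", dport=80):
    """Constructed packet record (documentation-range addresses)."""
    return {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": proto,
            "dport": dport, "payload": payload}


# Constructed traffic: one benign request, one known attack, one encoded
# variant of that attack, and a reverse-shell style payload on another port.
PACKETS = {
    "benign":  make_packet("GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    "known":   make_packet("GET /cgi-bin/x?f=../../etc/passwd HTTP/1.1\r\n\r\n"),
    "encoded": make_packet("GET /cgi-bin/x?f=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1\r\n\r\n"),
    "shell":   make_packet("AAAA/bin/sh\x00", dport=4444),
}


def run(normalize=False):
    """Returns {packet name: [matching sids]} for every constructed packet."""
    return {name: match(pkt, normalize=normalize) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print(run())                # encoded variant slips past the signature
    print(run(normalize=True))  # after canonicalization it is caught
```

Without normalization the encoded request is, to the signature engine, an "unknown" attack even though it does exactly what rule 1001 describes; the engine only ever knows the byte patterns it has been given. Canonicalizing before matching closes this particular gap, but a genuinely new attack still needs a new rule, which is the limitation described above.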
Future Directions and Business Relevance

Intrusion detection is still a fledgling field of research. The growth of the Internet, the possibilities opening up in electronic trade and the lack of truly secure systems make it an important field of research.

Detecting unknown patterns of attack without generating too many false alarms remains an unresolved problem. Future research trends seem to be converging towards a hybrid of anomaly and misuse detection, since neither model can detect all intrusion attempts on its own.

The drastic increase in the number of intrusion incidents in business networks has pushed enterprises to increase their IT security budgets and adopt new, advanced security technologies, which has boosted the IDS market considerably. The IDS market is expected to grow from $2.716 billion in 2014 to $5.042 billion by 2019, a compound annual growth rate of about 13.2%.
Conclusion

Intrusion detection has become a necessary addition to the security infrastructure of almost every organization. The criticality of detecting intrusions in networks and applications leaves no margin for error. The effective cost of a successful intrusion overshadows the cost of developing an IDS, and hence it becomes critical to identify the best possible approach for building a better IDS. Every network and application is designed differently, so it is extremely difficult to develop a single generic solution that works for all. To keep pace with ever-changing networks and applications, the IDS must stay in sync with both. An IDS must integrate with wireless technologies, removable and mobile devices, and provide support in a comprehensible manner. Evaluation and benchmarking of IDS are important concerns for organizational decision makers and end users. Moreover, reconstructing attack scenarios from intrusion alerts and integrating IDS will improve both its usability and performance. We expect IDS to become a practical and effective solution, using both host- and network-based IDS to provide complete defense for information systems.

Last, but not least, by providing a secure infrastructure with both host- and network-based IDS for HCL's esteemed clients, apprehensions about security vulnerabilities will be mitigated, their confidence boosted, and a win-win atmosphere created for new opportunities.

Author Info

Saumendra Dash
HCL Engineering and R&D Services

This white paper is published by HCL Engineering and R&D Services. The views and opinions in this article are for informational purposes only and should not be considered a substitute for professional business advice. The use herein of any trademarks is not an assertion of ownership of such trademarks by HCL, nor intended to imply any association between HCL and the lawful owners of such trademarks.

For more information about HCL Engineering and R&D Services, please visit http://www.hcltech.com/engineering-rd-services

Copyright © HCL Technologies. All rights reserved.