Free Essay

Intrusion Detection Systems

In:

Submitted By jkleslie
Words 1749
Pages 7
Intrusion Detection Systems

CMIT368
August 12, 2006

Introduction
As technology has advanced, information systems have become an integral part of every day life. In fact, there are not too many public or private actions that can take part in today’s society that do not include some type of information system at some level or another. While information systems make our lives easier in most respects, our dependency upon them has become increasingly capitalized upon by persons with malicious intent. Therefore, security within the information systems realm has introduced a number of new devices and software to help combat the unfortunate results of unauthorized network access, identity theft, and the like – one of which is the intrusion detection system, or IDS.
Intrusion detection systems are primarily used to detect unauthorized or unconventional accesses to systems and typically consist of a sensor, monitoring agent (console), and the core engine. The sensor is used to detect and generate the security events, the console is used to control the sensor and monitor the events/alarms it produces, and the engine compares rules against the events database generated by the sensors to determine which events have the potential to be an attack or not (Wikipedia, 2006, para. 1-3).
IDS generally consist of two types – signature-based and anomaly-based. Signature-based IDS operate by comparing network traffic against a known database of attack categories. In fact, signature-based IDS work much in the same way that antivirus software does, except network traffic is examined instead of files. This type of IDS is extremely effective against known attack types. Anomaly-based IDS observe actual system behavior against “baselined” behavior. Any activities that contradict otherwise standard system use may be considered an attack and generate an alert. This is considered a heuristic approach to intrusion detect and is effect against unknown attacks (Foster, 2005, para. 2 & 6).
The purpose of this paper is to delve a little deeper into intrusion detection systems and briefly describe the three different device types of IDS that are currently available – Host-based, network-based, and application-based. The following sections will give insight to how each of these IDS work, their advantages, and their disadvantages.
Host-based IDS
Host-based IDS, or HIDS, are just what the name implies – IDS that reside on a host system. This system can be a server, workstation, or even a decoy (honeypot) configured to lure intruders in so that they can be safely monitored to study their intrusion techniques or intent. HIDS are generally platform-specific, therefore often software-based and having both Microsoft Windows and UNIX-compatible versions. HIDS work by examining log files, hardware usage, critical data files or data stores, and even the actions of processes running on the system. HIDS then compare this data to a specified system state either determined by the security administrator, or by a strict security policy established from extensive baselining. Whenever the system encounters activity, either internal or external, that varies from the baseline or security policy by a certain percentage, it is determined to be an attack (Ciampa, 2005, p. 163).
HIDS are most beneficial in providing detection capabilities for the internal environment of an organization. Unauthorized accesses by employees, trespassers, etc. are almost always the most abundant kind of attack and are usually the most costly. HIDS help defend against this by allowing centralized monitoring of all HIDS within the network, generating local or remote alarms when suspicious activity is detected, and also by providing some security-related reactions such as file/data quarantining, locking out questionable user accounts, and disabling compromised services and/or processes. HIDS are also somewhat cost-effective in comparison to other IDS types since they are most commonly software-based on not a hardware appliance.
Unfortunately, there are a number of disadvantages to HIDS, as well. The most significant problem with HIDS is that the majority are software-based and operate on the system itself. What this can lead to is controlling the HIDS if the system becomes entirely compromised. HIDS can also be difficult to manage if spread across many systems without an efficient administration plan in place. Finally, HIDS use the same resources the server it resides on uses. Depending on the activity of the server, a HIDS can be quite a burden to an already busy system. This can lead to bottlenecks, costly hardware upgrades, and other technical issues (Shimonski, 2004, para. 6).
Network-based IDS
Network-based IDS, or NIDS, are normally hardware-based devices (or dedicated systems) that reside at critical points of the network – capturing all incoming (and sometime outgoing and localized) packet traffic and analyzing it for suspicious patterns in accordance with the signature or rule database. Specifically, NIDS capture IP datagrams and TCP streams, reassemble them, and then use one of these techniques in order to determine malicious patterns:
1. Protocol stack verification checks underlying protocols for specific attack types associated with individual protocols such as those associated with Denial-of- Service (DoS) attacks, SYN sweeps, invalid ICMP traffic, etc.
2. Application protocol verification detects invalid application-level protocol usage such as those used in DNS cache poisoning, out of band (OOB) NetBIOS traffic, and some types of buffer overflow attacks that utilize application-level protocols.
3. Creating new loggable events by capitalizing on preexisting audit capabilities that exist on the network by associating the NIDS’ logging abilities with the logs collected by other systems on the network (TICM, 2000, para. 2.2).
NIDS offer excellent secondary protection to firewalls for a network. If placed correctly, any and all traffic that passes in and out of a firewall can be analyzed for potential attack attempts. Additional NIDS can also be placed throughout the network for even more protection at critical points. NIDS ability to reconstruct TCP/IP traffic alone make it one of the most valuable IDS types available.
Despite NIDS excellent abilities to detect potential attacks at even the lowest protocol levels, there are still some glaring weaknesses NIDS posses. One of these weaknesses happens to consist of its networking abilities in the first place. Considering NIDS are most effective capturing all traffic passed, NIDS can either become a congestion point or fail to capture all traffic if there is an extremely large amount of data passing over the wire. This can lead to poor network performance or DoS effect on the NIDS itself – causing it to miss what could be malicious traffic with absolutely no warning. NIDS also can generate excessive false positives, unless properly configured. False positives are triggers that resemble an attack, but in actuality are legitimate traffic. An improperly configured NIDS can make examining logs a very tedious event due to the large number of these false positives. False negatives, the opposite of false positives, are also an even more serious problem with NIDS. Finally, most current NIDS in system are incapable of analyzing encrypted traffic. Considering more and more organizations, and users, are turning to data encryption, a serious threat is at hand since intruders have the same capabilities to carry out their attacks using encryption as anyone else (Spitzner, 2003, para. 10).
Application-based IDS
Application-based IDS (AIDS) are fairly self-explanatory – they operate on a system like HIDS do, but monitor specific applications for malicious activity. This type of IDS is especially useful for protecting critical services such as Email, Web, FTP, and others because of its specialization in the application that provide these services. AIDS scan log files, monitor user interaction, collect usage patterns, and analyze application layer traffic. The AIDS uses this information in the same manner as the HIDS – it compares it against an established baseline to determine what legitimate application interaction is, and what is not. One of the most important aspects of AIDS are that most are capable of analyzing encrypted data through the use of services already present on the system.
The disadvantages of AIDS are quite similar to that of the HIDS. However, most of those disadvantages are somewhat magnified due to the fact that the entire system need not be compromised to take control over an AIDS – only the AIDS itself needs to be captured. AIDS usually do not consume as many resources as HIDS, but if the AIDS is used to analyze large concentrations of encrypted traffic, it can be a direct contributor to the reduced availability of system resources since dealing with encryption induces a large amount of overhead. Finally, the specialization AIDS exhibit can be its own downfall. Because AIDS are targeted to protect a specific application, an attack on the rest of the system can easily go undetected – ultimately leading to the application, AIDS, and system to become compromised without warning (Posey, 2005, para. 5).
Conclusion
Intrusion detection systems are becoming commonplace in most networks for obvious reasons. Specialized variations of the IDS types discussed within this paper also exist – protocol and application protocol-based IDS, as well as hybrid IDS which encompass two or more of the available IDS types. While IDS are no substitute for solid access control lists on routers and firewalls, excellent security policy management, and sound network design, they do offer an excellent second line of defense for network and security administrators. The availability of passive IDS to generate alerts and/or reactive IDS which can actually configure firewalls and routers at the detection of a possible intrusion, are giving more and more combinations of providing network security. Despite the disadvantages presented in this paper of the various IDS available, the only real disadvantage is not having one on your network.

References
Ciampa, M. (2005). Security + guide to network security fundamentals (2nd Ed.). Thomson Course Technology.
Foster, J. (2005, May). IDS: Signature versus anomaly detection. Retrieved July 20, 2006, from http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1092691,00.html
Posey, B. (2005, April). Choosing an intrusion detection system: Network, host or application-based IDS. Retrieved July 20, 2006, from http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci1083969,00.html
Shimonski,R. (2004, July). What you need to know about intrusion detection systems. Retrieved July 20, 2006, from http://www.windowsecurity.com/articles/What_You_Need_to_Know_About_Intrusion_Detection_Systems.html
Spitzner, L. (2003, April). Honeypots: Simple, cost-effective detection. Retrieved July 20, 2006, from http://www.securityfocus.com/infocus/1690
TICM. (2000, March). FAQ: Network intrusion detection systems. Retrieved July 20, 2006, from http://www.ticm.com/kb/faq/idsfaq.html#2.2
Wikipedia. (2006, July). Intrusion detection systems. Retrieved July 20, 2006, from http://en.wikipedia.org/wiki/Intrusion_detection_systems

Similar Documents

Free Essay

Distributed Intrusion Detection Using Mobile Agent in Distributed System

...Emerging Trends in Computer Science and Information Technology -2012(ETCSIT2012) Proceedings published in International Journal of Computer Applications® (IJCA) Distributed Intrusion Detection using Mobile Agent in Distributed System Kuldeep Jachak University of Pune, P.R.E.C Loni, Pune, India Ashish Barua University of Pune, P.R.E.C Loni, Delhi, India ABSTRACT Due to the rapid growth of the network application, new kinds of network attacks are emerging endlessly. So it is critical to protect the networks from attackers and the Intrusion detection technology becomes popular. There is tremendous rise in attacks on wired and wireless LAN. Therefore security of Distributed System (DS) is become serious challenge. One such serious challenge in DS security domain is detection of rogue points in network. Lot of work has been done in detection of intruders. But the solutions are not satisfactory. This paper gives the new idea for detecting rouge point using Mobile agent. Mobile agent technology is best suited for audit information retrieval which is useful for the detection of rogue points. Using Mobile agent we can find the intruder in DS as well as controller can take corrective action. This paper presents DIDS based on Mobile agents and band width consumed by the Mobile Agent for intrusion detection. information it receives from each of the monitors. Some of the issues with the existing centralized ID models are:  Additions of new hosts cause the load on the centralized...

Words: 2840 - Pages: 12

Free Essay

Lab #10 Securing the Network with an Intrusion Detection System (Ids)

...Lab #10 Securing the Network with an Intrusion Detection System (IDS) Introduction Nearly every day there are reports of information security breaches and resulting monetary losses in the news. Businesses and governments have increased their security budgets and undertaken measures to minimize the loss from security breaches. While cyberlaws act as a broad deterrent, internal controls are needed to secure networks from malicious activity. Internal controls traditionally fall into two major categories: prevention and detection. Intrusion prevention systems (IPS) block the IP traffic based on the filtering criteria that the information systems security practitioner must configure. Typically, the LAN-to-WAN domain and Internet ingress/egress point is the primary location for IPS devices. Second to that would be internal networks that have or require the highest level of security and protection from unauthorized access. If you can prevent the IP packets from entering the network or LAN segment, then a remote attacker can’t do any damage. A host-based intrusion detection system (IDS) is installed on a host machine, such as a server, and monitors traffic to and from the server and other items on the system. A network-based IDS deals with traffic to and from the network and does not have access to directly interface with the host. Intrusion detection systems are alert-driven, but they require the information systems security practitioner to configure them properly. An IDS provides...

Words: 3209 - Pages: 13

Premium Essay

Intrusion Detection System

...Intrusion Detection System ABSTRACT: An Intrusion Detection System (IDS) is a program that analyzes the computer during the execution, tries to find and indications that the computer has been misused. One of the main concept in (IDS) is distributed Intrusion Detection System (DIDS). It consists of several IDS over a large network of all of which communicate with each other. The DIDS mainly evaluate with fuzzy rule based classifiers. It deals with both wired and wireless network by Ad-Hoc network. It explores the use of conversation exchange dynamics (CED) to integrate and display sensor information from multiple nodes. It examines the problem of distributed intrusion detection in Mobile Ad-Hoc Networks (MANETs). Intrusion Detection System...

Words: 1585 - Pages: 7

Premium Essay

Attack Prevention Paprer

...Attack Prevention Paper Introduction Cyber-attacks which are exclusively performed for the only objective of information collecting vary from monitoring the activities which a user makes to copying vital documents included in a hard drive. While those which do harm generally involve monetary thievery and interruption of services. Cyber-attacks are a slowly growing situation which is based on technology. The secret to avoiding this kind of attack is in the applications and programs which one uses for protection which identifies and informs the user that an attack is certain generally known as Cyber Warfare. As stated in the 1st explanation. However dependence and reliance aren't the only items which technology provides. Or an effort to monitor the online moves of people without their permission as the sophistication of cyber criminals continues to increase; their methods and targets have also evolved. Instead of building the large Internet worms that have become so familiar, these criminals are now spending more time concentrating on wealth gathering crimes, including fraud and data theft. An online article from Cyber Media India Online Ltd., suggests that because home users often have the poorest security measures in place, they have become the most widely targeted group. Cyber Media states that 86% of all attacks are aimed at home users (2006). As attacks on home users increase, new techniques are surfacing, including the use...

Words: 951 - Pages: 4

Premium Essay

Cyber Terror

...access to a control system device and/or network using a data communications pathway. (US-CERT, 2005) Over the past few years, we as a nation have seen a major increase in National Security threats in Cyberspeace. President Obama identified Cybersecurity as one of the most serious economic and national security challenges that we are currently facing. Federal government leaders admit to falling behind with the growing threat of attacks from hacker criminals. The government accountability office has identified weakness in security controls in almost all agencies for years but yet to have total control over the threats. One of the underlying causes of the weakness is that agencies fail to implement information security programs which include assessing and managing risks, developing and implementing security policies and procedures, and promoting security awareness. (Nextgov, 2009) In January 2008, President Bush introduced the Comprehensive National Cybersecurity initiative ( CNCI). The CNCI included a number of reinforcing methods that included 1.) Managing the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections. This is headed by the Office of Management and Budget and the Department of Homeland Security, it covers the consolidation of the Federal Government’s external access points (including those to the Internet) 2.) Deploy an intrusion detection system of sensors across the Federal enterprise. Intrusion Detection Systems using passive sensors...

Words: 538 - Pages: 3

Premium Essay

Information Systems Security

...Information Systems Security Strayer University CIS 333 June 18, 2014 David Bevin Information Systems Security The scope of our assignment as an information officer at Whale Pharmaceuticals is to safeguardour daily operations which require a combination of both physical and logical access controls to protect medication and funds maintained on the premises and personally identifiable information and protected health information of our customers. The immediate supervisor has tasked us with identifying inherent risks associated with this pharmacy and establishing physical and logical access control methods that will mitigate all risks identified. There are few basic things to be cognizant of as we carry out this task. Security is easiest to define by breaking it into pieces. An information system consists of the hardware, operating system, and application software that work together to collect, process, and store data for individuals and organizations. Information systems security is the collection of activities that protect the information system and the data stored in (Kim & Solomon 2012). We should also be aware of what we are up against. Cyberspace brings new threats to people and organizations. People need to protect their privacy. Businesses and organizations are responsible for protecting both their intellectual property and any personal or private data they handle. Various laws require organizations to use security controls to protect private and confidential...

Words: 3283 - Pages: 14

Premium Essay

Homework 1

...IS4560 Hacker tools, techniques and incident handeling Unit 1 Homework 1 Attacks are defined as any malicious activity carried out over a network that has been detected by an intrusion detection system, intrusion prevention system, or firewall. Based on the geographical map the whitepaper lays out for us, the United States receives chart topping threats in malicious code, phishing hosts, bots, and attack origin. Web based threats are increasing by the day with the endless amount of client-side vulnerabilities, attackers can focus on websites to mount additional, client side attacks. The most common web based attack in 2009 was related to malicious PDF activity, which actually accounted for almost 50% of web-based attacks. The year before that number was only at 11%. This attack got so popular because exchanging PDF files was a common day to day activity. So it wasn’t rare when you saw one in your inbox and didn’t think twice before opening it. 34% of all web based attacks happen in the United States, China is second with 7%. Some of those extremely high U.S. numbers are actually on the decline from the previous year’s report. Most of the decrease is because of increases in other countries and the Federal Trade Commission shut down a ISP that was known to distribute malicious code, among other content. One of the botnets linked to the ISP was Pandex (aka Cutwall). This botnet was responsible for as much as 35% of spam observed globally. The most difficult...

Words: 456 - Pages: 2

Premium Essay

Network Security Plan

...will not be visible outside of the organization and another firewall without NAT which will be visible outside of the organization. Network Security Plan Purpose Computer and network security incidents have become a fact of life for most organizations that provide networked information technology resources including connectivity with the global Internet. Current methods of dealing with such incidents are at best piecemeal relying on luck, varying working practices, good will and unofficial support from a few individuals normally engaged in central network or systems support. This approach undoubtedly leads to inefficiencies and associated problems with respect to:   * ·        Duplicated effort * ·        Inappropriate actions * ·        Poor co-ordination * ·        Confusion - No obvious authority, identifiable responsibilities or overall management * ·        Tardy incident detections and resolution times * ·        Missed, unreported or ignored...

Words: 3365 - Pages: 14

Premium Essay

Owner

...System Administrator | ← Job Descriptions Main Page  | ESSENTIAL FUNCTIONS: The System Administrator (SA) is responsible for effective provisioning, installation/configuration, operation, and maintenance of systems hardware and software and related infrastructure. This individual participates in technical research and development to enable continuing innovation within the infrastructure. This individual ensures that system hardware, operating systems, software systems, and related procedures adhere to organizational values, enabling staff, volunteers, and Partners. This individual will assist project teams with technical issues in the Initiation and Planning phases of our standard Project Management Methodology. These activities include the definition of needs, benefits, and technical strategy; research & development within the project life-cycle; technical analysis and design; and support of operations staff in executing, testing and rolling-out the solutions. Participation on projects is focused on smoothing the transition of projects from development staff to production staff by performing operations activities within the project life-cycle. This individual is accountable for the following systems: Linux and Windows systems that support GIS infrastructure; Linux, Windows and Application systems that support Asset Management; Responsibilities on these systems include SA engineering and provisioning, operations and support, maintenance and research and development...

Words: 1105 - Pages: 5

Premium Essay

The Hacker in All of Us

...vulnerable to the latest Hack Attack. Now Business or Corporate users usually have an entire department dedicated to protecting them so they are less vulnerable. 2. What is the magnitude of the risk? That is, if security is compromised, what is the potential cost to the victim? Again this will depend on the user. Your average home users will run the risk of viruses, loss of data due to system crash and identity theft if they are not careful. With the Business or Corporate users the magnitude of the risk is much greater. If it is a financial institute, we could be talking millions of dollars at risk if security is compromised. 3. What policies and procedures can you suggest to counter the types of threats illustrated in this case study? * Intrusion Detection: A security service that monitors and analyzes system events for the purpose of finding and providing real-time or near-real-time warning of, attempts to access system resources in an unauthorized manner. * If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data compromised. * An effective IDS can serve as...

Words: 530 - Pages: 3

Free Essay

Legal Advise

...Assignment: Legal Advise By Eleanor P. Luu Professor Richard W. Landoll Course Title LEG100133VA016-1124-001 Business Law 1 May 22, 2012 Intrusion detection system “is a system to protect your computer from unwanted, often malicious, viruses, bugs, worms, and programs that can be destructive and, in some cases, lead to identity theft depending on what” the purpose was. I was able to find a company whose headquarters is located in Fairfax, Virginia. This company is in the process of developing not one but five major initiatives. Even though all of these initiatives are currently being worked, they all have work to be done with them. Most software development companies continuously upgrade their software or they find that it will go out of existence in a very short period of time or their competition will make big strides to win over their business. WetStone Technologies (The Company) was founded in 1997 but it did not relocate to this area until 2007. Giving the need for this type of software, the company set out to develop an intrusion detection system that would be used for not only the Government but also for the private sector. The Company was fortunate enough that their first several contracts with the Government actually helped pave the way and the direction for this type of software need. The Government requested that companies send in a White Paper to the Government...

Words: 1353 - Pages: 6

Premium Essay

Lkt2 Task 5

...capabilities of this network give Myrtle & Associates an advantage and helps make them competitive. The Bellview Law Group operates on an antiquated system that is stationary and not as secure as their counterpart. They do not have access to case files on the move. With the merger forming MAB Law Firm there must be some necessary and much needed changes to both systems to a single definitive network. Myrtle & Associates domain will become part of the MAB Law Firm domain. Myrtle & Associates will still have the same experience they previously encountered but will be able to interact more effectively with the employee of Bellview Law Group location. Belleview Law Group will see a complete over hall of their network and systems. Their outdated in-house built server towers will be replaced with new Dell power edge servers. They will operate the same case management software that the Myrtle & Associates operate. These systems will replicate with one another. The network will become a Server 2008 R2 based network utilizing windows active directory one the MAB Law Firm domain. Each site will host a domain controller and domain name system on the same server. The networks will be connecting via a secure wide area network. The office will be able operate as one unified organization from a network and systems stand point. This will help the blending of the two firms into one. A user form on office will be able to go to the sister office and seamlessly log...

Words: 2002 - Pages: 9

Free Essay

Sec 320

...Perimeter Security Applications Robinson Paulino DeVry College of New York Sec- 330 Professor: Gerard Beatty Perimeter Security Applications Outline Introduction 2 Intruder Detection Accuracy 3 Security Cameras 4 1. Using Size Filters for Video Analytics Accuracy 4 2. Geo-Registration and Perimeter Security Detection Accuracy 5 3. Clarity against a moving background 5 Perimeter Security Best Practices 6 Auto Tracking PTZ Camera 6 Long Range Thermal Camera 6 Covering Perimeter Camera Blind Spots 7 Determine a Perimeter Camera’s Range 7 Perimeter Fence . 8 Chain-Link Fences Protection 8 Electric and Infrared Fences 8 Fiber Optic Intrusion Detection Systems 9 In-Ground Intrusion Detection Systems 10 References 11 Perimeter Security Applications Introduction Physical security is the protection offered for property, these may be buildings or any other form of asset, against intruders (Arata, 2006). . The idea therefore, is to keep off unwanted persons or objects from ones premises. One’s premise is defined by a boundary which separates private property from the rest of the land. This boundary is referred to as the perimeter. The perimeter could be physical or logical. Physical security is intended to keep intruders from land and grounds around such property. Logical perimeters on the other hand, are for protection against computer sabotage or any other remote malicious activities (Fennelly, 2012). In a nutshell, perimeter security...

Words: 2429 - Pages: 10

Premium Essay

Cybersecurity

...computer networks, systems, data, and programs from unwanted access. Cyber security is sometimes referred to as information security, information network security, cyberspace security, or even computer security. There are many viewpoints by highly educated people on cyber security but the purpose of this paper is to tell my viewpoint on the subject. Every aspect of a persons life has some sort of cyber dimension. People paying for bills online, cloud computing, and even online gaming. This year in 2014, everyone is bombarded with news headlines that say cyber threats are up. Many of these headlines always include some kind of phishing attack trying to steal someones identity, a hacker that breached the network of a company, a new technique that attacks mobile devices like smart phones, or a government trying to monitor and take secrets from another government!!br0ken!! The concern for cyber security is now a real-world concern globally. The concern over cyber security is what is driving the governments worldwide to make it priority one on their list's now. This is so, because technology is growing at a very fast and continuous pace. The technology field itself is very vast and has much variety. Cyber security in particular though, is somewhat the backbone of technology. Most networks and data have to be protected. Mostly everyone that uses any type of computer system or network, will have something they want hidden or want protected. The integrity of a computer system or network,...

Words: 4041 - Pages: 17

Premium Essay

Paper 1

...layer of the multi-layered security plan is the user domain. The user domain consists of the people who access the companies information systems. The first thing that should be set up in the User Domain is some type of acceptable use policy. The next domain is the workstation domain. The workstation domain is where the employees of the company connect to the network infrastructure. In this domain there needs to be multiple layers of defense. Your main defense here will be passwords but it should also have other login techniques such as biometrics or authenticators. The LAN domain will be your companies physical infrastructure. In this domain the system administrator should keep track of all user accounts and their corresponding rights. In the LAN-to-WAN domain you have many security options are available such as Intrusion detection systems, intrusion prevention systems, and email content-filtering. The WAN domain includes both physical networking components and logical parts of communication systems. The main goal for this domain is to allow users the most access possible while making sure what goes in and out is safe and secure. The remote access domain is what allows users within the company to remotely connect to the network. A few ways to secure this domain is VPN routers and firewalls, and to use Secure Socket Layer. The last layer is the system/application domain. This domain is one of the most critical parts of the security plan and encompasses all major parts of the company’s...

Words: 293 - Pages: 2