In a layman's view, an intrusion is an act of thrusting in or entering into a place without invitation, welcome or right.

In a technological view, an intrusion is a deliberate, unauthorized attempt to access or manipulate information or a system, and to render them unreliable or unusable.

When the suspicious activity originates from your own internal network, it can also be classified as misuse.
The process of monitoring the events, or a set of events, occurring in a system or a computer network for signs of intrusive activity, whether manually or via a software expert system, is called Intrusion Detection.


Intrusion Detection Systems (IDS) can be a useful way to monitor networks and critical computers for signs of unusual activity. They can provide early warning of security and other problems, allowing incidents to be dealt with quickly and their impact reduced. However, an IDS that is not properly configured and maintained is likely to generate many spurious alerts, wasting staff time and possibly missing important new signs.

Tuning an IDS to provide the appropriate level of alerts for a particular network or host is likely to take some time. IDS look for unusual signs, but they cannot determine whether activity is hostile or merely a change resulting from an unforeseen use of the network or system. Each alert will normally need to be checked by a system or network manager. An alert caused by normal activity is called a 'false positive', while hostile activity that does not generate an alert is a 'false negative'. All IDS are likely to generate both types of error: tuning the system to reduce false negatives will almost always increase the number of false positives, and vice versa. The appropriate sensitivity is a matter of local policy and should be governed by the risk to the systems being monitored and the resources that are available to respond to alerts.

Network-based IDS, in particular, will normally detect attempts to breach security rather than whether the attempt was successful or not. Identifying successful intrusions is likely to require prompt investigation by a skilled human. If this is not done, then the IDS's warning is likely to be wasted.

Some IDSs function from a dedicated (black box) appliance,
meaning that there is no need for the customer to load the
operating system, install the application software, and harden the
operating system separately. Others are software based and have
to be installed on top of a supported platform and operating
system.

IDSs generally can be broken into two components: the sensor
and the console. The sensor sits upon the network and acts as a
sniffer, listening to network traffic in promiscuous mode. The
console is the point of central management for an IDS system. By
using the console, an administrator may take notice of any current
attack alerts. In many cases, the console may be used to
customize certain preferences for the IDS.

The IDS, however, is not an answer to all your security-related problems. You have to know what you CAN and CAN NOT expect of your IDS. In the following subsections I will try to show a few examples of what Intrusion Detection Systems are capable of, but each network environment varies and each system needs to be tailored to meet your enterprise environment's needs.

The IDS CAN provide the following:
· CAN add a greater degree of integrity to the rest of your infrastructure
· CAN trace user activity from point of entry to point of impact
· CAN recognize and report alterations to data
· CAN automate the task of monitoring the Internet, searching for the latest attacks
· CAN detect when your system is under attack
· CAN detect errors in your system configuration
· CAN guide the system administrator in the vital step of establishing a policy for your computing assets
· CAN make the security management of your system possible for non-expert staff

The IDS CAN NOT provide:

· CAN NOT compensate for weak identification and authentication mechanisms
· CAN NOT conduct investigations of attacks without human intervention
· CAN NOT compensate for weaknesses in network protocols
· CAN NOT compensate for problems in the quality or integrity of information the system provides
· CAN NOT analyze all the traffic on a busy network
· CAN NOT always deal with problems involving packet-level attacks
· CAN NOT deal with some of the modern network hardware and features

IDS can be set up either inside or outside of a firewall, depending
on the needs of an organization. An external IDS monitors attacks
that occur on a firewall that are not allowed into a network;
therefore potential attacks are discovered, but internal threats go
undetected. Internal IDS configurations do not see attacks that
are repelled by the firewall, but monitor attacks that penetrate the
firewall as well as internal attacks.
To protect your network, your IDS must generate alarms when it detects intrusive activity on your network. Different IDSs trigger alarms based on different types of network activity. The two most common triggering mechanisms are the following:

· Anomaly detection
· Misuse detection

Anomaly detection:

Anomaly detection identifies abnormal or unusual behavior (anomalies) on a host or network. It functions on the assumption that attacks are different from "normal" (legitimate) activity and can therefore be detected by systems that identify these differences.

Static and dynamic:

Static: a portion of the system remains constant, e.g. data integrity, tripwire, virus checkers.

Dynamic: profile. A profile consists of a set of observed measures of behavior for each of a set of dimensions. Frequently used dimensions include:

· Preferred choices, e.g., log-in time, log-in location, and favorite editor.
· Resources consumed cumulatively or per unit time.
· Representative sequences of actions.
· Program profiles: system call sequence.


Threshold detection: certain attributes of user and system behavior are expressed in terms of counts, with some level established as permissible. Such behavior attributes can include the number of files accessed by a user in a given period of time, the number of failed attempts to log in to the system, the amount of CPU utilized by a process, etc.

Statistical measures:
· Parametric: the distribution of the profiled attributes is assumed to fit a particular pattern.
· Non-parametric: the distribution of the profiled attributes is "learned" from a set of historical values, observed over time.

Rule-based measures: similar to non-parametric statistical measures in that observed data defines acceptable usage patterns, but differ in that those patterns are specified as rules, not numeric quantities.

Other methods:
· Machine learning
· Data mining
· Neural networks, genetic algorithms, etc.
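As an added example (not from the original slides), the threshold and statistical measures above, together with the false positive / false negative tuning trade-off discussed earlier, implemented in Python over constructed audit events; the user names, the baseline CPU figures and the event format are assumed for illustration.

```python
import statistics
from collections import Counter

# Constructed baseline profile (sample values, not real data): CPU seconds used
# per session by user "alice" during a quiet training period.
BASELINE_CPU = [12.0, 15.5, 11.2, 14.8, 13.1, 12.9, 16.0, 13.7, 14.2, 12.4]

# Constructed audit events as (user, event, value): "login_fail" counts once each,
# "session_end" carries the CPU seconds consumed by that session.
EVENTS = [
    ("alice", "login_fail", 1), ("alice", "login_fail", 1), ("alice", "login_ok", 1),
    ("alice", "session_end", 14.0),
    ("bob", "login_fail", 1), ("bob", "login_fail", 1), ("bob", "login_fail", 1),
    ("bob", "login_fail", 1), ("bob", "login_fail", 1), ("bob", "login_fail", 1),
    ("alice", "session_end", 95.0),
]

def threshold_alerts(events, max_failures=5):
    """Threshold detection: count failed logins per user, alert above the permitted level.
    Lowering max_failures catches more attacks but also flags ordinary typos (false positives)."""
    fails = Counter(user for user, event, _ in events if event == "login_fail")
    return [f"threshold: {u} had {n} failed logins (limit {max_failures})"
            for u, n in sorted(fails.items()) if n > max_failures]

def parametric_alerts(events, baseline, z_limit=3.0):
    """Parametric measure: assume the baseline fits a normal distribution and alert
    when a session's CPU use lies more than z_limit standard deviations above the mean."""
    mean, stdev = statistics.mean(baseline), statistics.pstdev(baseline)
    alerts = []
    for user, event, value in events:
        if event == "session_end":
            z = (value - mean) / stdev
            if z > z_limit:
                alerts.append(f"parametric: {user} session used {value}s CPU (z={z:.1f})")
    return alerts

def nonparametric_alerts(events, baseline):
    """Non-parametric measure: assume no distribution; the acceptable range is simply
    learned from history, so anything above the largest value ever observed is anomalous."""
    ceiling = max(baseline)
    return [f"nonparametric: {user} session used {value}s CPU, above the observed max {ceiling}s"
            for user, event, value in events if event == "session_end" and value > ceiling]
```

With the default limit only bob's six failures trip the threshold; lowering it to one also flags alice's two mistyped passwords, which is the false positive cost of a tighter setting.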

Misuse detection:

Misuse detection looks for events or sets of events that match a predefined pattern of events that describe a known attack. The patterns are called signatures.

Rule-based systems: encoding intrusion scenarios as a set of rules.
State-based intrusion scenario representations.

Advantages:
Very effective at detecting attacks without generating an overwhelming number of false alarms.

Disadvantages:
Can only detect those attacks they know about; therefore they must be constantly updated with signatures of new attacks.
Many misuse detectors are designed to use tightly defined signatures that prevent them from detecting variants of common attacks.
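An added example, not part of the original material, showing both misuse-detection styles named above over constructed log lines: a rule-based signature (a tight one beside a looser one, to show how a tightly defined signature misses a variant of the same attack) and a state-based brute-force scenario; the log format and the addresses are assumed.

```python
import re
from collections import defaultdict

# Constructed log lines (not real traffic), formatted "HH:MM:SS <source> <daemon>: <message>".
LOG_LINES = [
    "10:00:01 198.51.100.7 sshd: Failed password for root",
    "10:00:03 198.51.100.7 sshd: Failed password for root",
    "10:00:05 198.51.100.7 sshd: Failed password for root",
    "10:00:09 198.51.100.7 sshd: Accepted password for root",
    "10:01:00 203.0.113.5 httpd: GET /cgi-bin/../../etc/passwd",
    "10:01:02 203.0.113.5 httpd: GET /cgi-bin/..%2f..%2fetc/passwd",
    "10:02:00 192.0.2.9 sshd: Accepted password for alice",
]

# Rule-based signatures: the tight rule matches the literal pattern only, so the
# percent-encoded variant on the second httpd line slips past it.
TIGHT_SIGNATURES = {"dir-traversal": re.compile(r"\.\./\.\./")}
# The same scenario encoded more loosely also accepts an encoded slash.
LOOSE_SIGNATURES = {"dir-traversal": re.compile(r"\.\.(?:/|%2[fF])\.\.(?:/|%2[fF])")}

def signature_alerts(lines, signatures):
    """Misuse detection by signature: report every line matching a known-attack pattern."""
    return [(name, line) for line in lines
            for name, rx in signatures.items() if rx.search(line)]

def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def brute_force_alerts(lines, min_failures=3, window=60):
    """State-based scenario: at least min_failures failed logins from one source within
    `window` seconds, followed by an accepted login from that same source."""
    state = defaultdict(lambda: [0, None])  # source -> [failure count, time of first failure]
    alerts = []
    for line in lines:
        stamp, src, msg = line.split(" ", 2)
        now = _seconds(stamp)
        count, first = state[src]
        if first is not None and now - first > window:  # window expired: start over
            count, first = 0, None
        if "Failed password" in msg:
            count, first = count + 1, (now if first is None else first)
        elif "Accepted password" in msg:
            if count >= min_failures:
                alerts.append(f"brute-force success from {src} after {count} failures")
            count, first = 0, None
        state[src] = [count, first]
    return alerts
```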

To examine network traffic and trigger alarms when your network is under attack, your IDS must somehow monitor your network at specific points. The two common monitoring locations are as follows:

· Host-based
· Network-based

Host-based IDS:

Using OS auditing mechanisms: e.g. BSM in Solaris logs all direct and indirect events generated by a user; strace monitors system calls made by a program.
Monitoring user activities: analyzing shell commands.
Monitoring executions of system programs, e.g. sendmail's system calls.

Advantages:
Can detect attacks that cannot be seen by a NIDS.
Can operate in an environment in which network traffic is encrypted.
Unaffected by switched networks.
Can help detect Trojan horse or other attacks that involve software integrity breaches.

Disadvantages:
Since at least the information sources reside on the host targeted by attacks, the IDS may be attacked and disabled as part of the attack.
Not well suited to detecting network scans or other such surveillance that targets an entire network.
They use the computing resources of the hosts they are monitoring, inflicting a performance cost on the monitored systems.

Network-based IDS:

Using packet sniffing.
Looking at the IP header as well as the data parts.

Disadvantages of Network-Based IDSs:
A NIDS may have difficulty processing all packets in a large or busy network and therefore may fail to recognize an attack launched during periods of high traffic.
Modern switch-based networks make NIDS more difficult: switches subdivide networks into many small segments and provide dedicated links between hosts serviced by the same switch. Most switches do not provide universal monitoring ports.
A NIDS cannot analyze encrypted information.
Most NIDS cannot tell whether or not an attack was successful.


Hybrid IDS:

We have examined the different mechanisms that different IDSs use to signal or trigger alarms on your network. We have also examined two locations that IDSs use to search for intrusive activity. Each of these approaches has benefits and drawbacks. By combining multiple techniques into a single hybrid system, however, it is possible to create an IDS that possesses the benefits of multiple approaches, while overcoming many of the drawbacks.

Although it is true that combining multiple different IDS technologies into a single system can theoretically produce a much stronger IDS, these hybrid systems are not always better systems. Different IDS technologies examine traffic and look for intrusive activity in different ways. The major drawback to a hybrid IDS is getting these different technologies to interoperate successfully and efficiently. Getting multiple IDS approaches to coexist in a single system can be a very challenging task.

Summary:

You use an IDS to monitor your network for signs of intrusive activity. An IDS triggers alarms when it detects intrusive activity. The triggering mechanism is probably based on one of the following two techniques:

· Anomaly detection
· Misuse detection

To implement its triggering mechanism, your IDS needs to monitor your network for intrusive activity at specific points in your network. The two common monitoring locations are as follows:

· Host-based
· Network-based

Because each of these characteristics has benefits and drawbacks, many intrusion detection systems are beginning to incorporate multiple characteristics into hybrid IDSs. These systems attempt to maximize the capability of the IDS while minimizing their drawbacks.
