
TEHMINA YASEEN (BS0910016)
COURSE NO. 618 RESEARCH REPORT
DEPARTMENT OF COMPUTER SCIENCE
SUBMITTED TO: Dr. Tahseen Ahmed Jilani

INTRUSION DETECTION SYSTEM


1.1 COMPUTER SECURITY

Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help us to stop unauthorized users (also known as "intruders") from accessing any part of our computer system. Detection helps us to determine whether or not someone attempted to break into our system, if they were successful, and what they may have done.

We use computers for everything from banking and investing to shopping and communicating with others through email or chat programs. Although we may not consider our communications "top secret," we probably do not want strangers reading our email, using our computer to attack other systems, sending forged email from our computer, or examining personal information stored on our computer (such as financial statements). Intruders (also referred to as hackers, attackers, or crackers) may not care about our identity. Often they want to gain control of our computer so they can use it to launch attacks on other computer systems. Having control of our computer gives them the ability to hide their true location as they launch attacks, often against high-profile computer systems such as government or financial systems. Even if we have a computer connected to the Internet only to play the latest games or to send email to friends and family, our computer may be a target. Intruders may be able to watch all our actions on the computer, or cause damage to our computer by reformatting our hard drive or changing our data.

How easy is it to break into my computer? Unfortunately, intruders are always discovering new vulnerabilities (informally called "holes") to exploit in computer software. The complexity of software makes it increasingly difficult to thoroughly test the security of computer systems. When holes are discovered, computer vendors will usually develop patches to address the problem(s). However, it is up to us, the user, to obtain and install the patches, or correctly configure the software to operate more securely. Most of the incident reports of computer break-ins received at the CERT/CC could have been prevented if system administrators and users had kept their computers up-to-date with patches and security fixes. Also, some software applications have default settings that allow other users to access our computer unless we change the settings to be more secure. Examples include chat programs that let outsiders execute commands on our computer or web browsers that could allow someone to place harmful programs on our computer that run when we click on them.

1.2 INTRUSION DETECTION SYSTEM

An intrusion detection system is used to monitor network traffic, check for suspicious activities and notify the network administrator or the system. An IDS can be a piece of installed software or a physical appliance that monitors network traffic in order to detect unwanted activity and events such as illegal and malicious traffic, traffic that violates security policy, and traffic that violates acceptable use policies. IDSes are classified in many different ways, including active and passive, network-based and host-based, and knowledge-based and behavior-based.

1.3 COMPONENTS

There are three main components to the intrusion detection system:

1.3.1 Network intrusion detection system (NIDS)

A network intrusion detection system is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS is Snort.

1.3.2 Host-based intrusion detection system (HIDS)

It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDSs are also part of this category. An example of a HIDS is OSSEC. A HIDS must be installed on each machine and requires configuration specific to that operating system and software.

1.3.3 Network Node Intrusion detection system (NNIDS)

It performs the analysis of the traffic that is passed from the network to a specific host. The difference between NIDS and NNIDS is that the traffic is monitored on the single host only and not for the entire subnet. An example of an NNIDS would be installing it on a VPN device to examine the traffic once it has been decrypted. This way you can see if someone is trying to break into your VPN device.

1.4 STRUCTURE AND ARCHITECTURE OF INTRUSION DETECTION SYSTEMS

An intrusion detection system always has its core element, a sensor (an analysis engine) that is responsible for detecting intrusions. This sensor contains decision-making mechanisms regarding intrusions. Sensors receive raw data from three major information sources (Fig.1): the IDS's own knowledge base, syslog and audit trails. The syslog may include, for example, the configuration of the file system, user authorizations etc. This information creates the basis for a further decision-making process.

(Fig.1) A sample IDS. The arrow width is proportional to the amount of information flowing between system components.

The sensor is integrated with the component responsible for data collection (Fig.2), an event generator. The collection manner is determined by the event generator policy, which defines the filtering mode of event notification information. The event generator (operating system, network, application) produces a policy-consistent set of events that may be a log (or audit) of system events, or network packets. This set, along with the policy information, can be stored either in the protected system or outside. In certain cases no data storage is employed, for example when event data streams are transferred directly to the analyzer. This concerns the network packets in particular.
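The pipeline of section 1.4 (raw information source, event generator with a filtering policy, sensor that consults a detection policy and keeps its own history of multi-action intrusions) can be seen end to end in a small program. The following is an added example written for this page, not code from the report or from any IDS product; the audit-trail lines are constructed in an sshd-like format, and the threshold and history depth in the policy are assumed values.

```python
"""An IDS in the shape of section 1.4: an event generator turns raw audit-trail
lines into policy-consistent events, a sensor (analysis engine) checks them
against a detection policy, and the sensor keeps a dynamic history per source
so that it can recognise an intrusion composed of several actions.
Example code written for this page, not the report's own; the log lines below
are constructed in an sshd-like format, not captured from a real host."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# --- Raw information source (constructed audit trail) ---------------------------
RAW_AUDIT_TRAIL = [
    "10:00:01 sshd[410]: Failed password for admin from 198.51.100.7",
    "10:00:02 sshd[410]: Failed password for admin from 198.51.100.7",
    "10:00:03 sshd[410]: Failed password for root from 198.51.100.7",
    "10:00:04 cron[77]: (root) CMD (/usr/bin/logrotate)",
    "10:00:05 sshd[410]: Failed password for admin from 198.51.100.7",
    "10:00:06 sshd[411]: Accepted password for admin from 198.51.100.7",
    "10:00:07 sshd[412]: Accepted password for alice from 192.0.2.25",
    "10:00:08 sshd[413]: Failed password for bob from 192.0.2.25",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")

@dataclass
class Event:
    ts: str
    kind: str   # "auth_fail" or "auth_ok"
    user: str
    src: str

def event_generator(lines):
    """Event generator policy: only sshd authentication results become events;
    every other line is filtered out before it reaches the sensor."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["proc"] != "sshd":
            continue
        a = AUTH_RE.match(m["msg"])
        if a:
            kind = "auth_fail" if a["result"] == "Failed" else "auth_ok"
            yield Event(m["ts"], kind, a["user"], a["src"])

# --- Detection policy database (assumed values) ---------------------------------
POLICY = {
    "fail_threshold": 3,   # failures from one source that count as suspicious
    "history_depth": 5,    # how many recent events the sensor remembers per source
}

class Sensor:
    """Analysis engine: filters events, consults the policy, keeps history, responds."""

    def __init__(self, policy):
        self.policy = policy
        self.history = defaultdict(lambda: deque(maxlen=policy["history_depth"]))
        self.alerts = []   # stand-in for the response module

    def respond(self, severity, text):
        self.alerts.append((severity, text))

    def consume(self, ev):
        recent = self.history[ev.src]
        fails = sum(1 for e in recent if e.kind == "auth_fail")
        # Single-threshold rule: alert once, at the moment the threshold is reached
        if ev.kind == "auth_fail" and fails + 1 == self.policy["fail_threshold"]:
            self.respond("medium", f"{ev.src}: {fails + 1} failed logins")
        # Complex intrusion composed of multiple actions: a success that follows
        # a burst of failures from the same source
        if ev.kind == "auth_ok" and fails >= self.policy["fail_threshold"]:
            self.respond("high", f"{ev.src}: login as {ev.user} succeeded after {fails} failures")
        recent.append(ev)

def run(lines, policy=POLICY):
    """Push every generated event through the sensor and return the alerts raised."""
    sensor = Sensor(policy)
    for ev in event_generator(lines):
        sensor.consume(ev)
    return sensor.alerts

if __name__ == "__main__":
    for severity, text in run(RAW_AUDIT_TRAIL):
        print(severity.upper(), text)
```

On the constructed trail the sensor raises a medium alert at the third failure from 198.51.100.7 and a high alert when the same source then logs in successfully; the cron line never reaches the analyzer because the event generator's policy filters it out, and the single failure from 192.0.2.25 stays below threshold.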

Fig.2 IDS components

The role of the sensor is to filter information and discard any irrelevant data obtained from the event set associated with the protected system, thereby detecting suspicious activities. The analyzer uses the detection policy database for this purpose. The latter comprises the following elements: attack signatures, normal behavior profiles and necessary parameters (for example, thresholds). In addition, the database holds IDS configuration parameters, including modes of communication with the response module. The sensor also has its own database containing the dynamic history of potential complex intrusions (composed from multiple actions).

1.5 COMPARISON OF IDS

1.6 DETECTION TYPE

1.6.1 Signature Based IDS

A signature based IDS monitors packets in the network and compares them with pre-configured and pre-determined attack patterns known as signatures. This can be used to do a comparison against the database of attributes or signatures from recognized malicious threats. It is similar to how most anti-virus software would detect malware. However, there is a downside with this system, because there will be a lag between when a new threat is identified in the wild and when the signature for finding that threat is in use on our IDS. In that lag period the IDS will be unable to identify the new threat. Some important topics that come under intrusion detection are as follows:

1) Signatures - A signature is the pattern that we look for inside a data packet. A signature is used to detect one or multiple types of attacks. For example, the presence of scripts/iisadmin in a packet going to our web server may indicate intruder activity. Signatures may be present in different parts of a data packet depending upon the nature of the attack.

2) Alerts - Alerts are any sort of user notification of intruder activity. When an IDS detects an intruder, it has to inform the security administrator about this using alerts. Alerts may be in the form of pop-up windows, logging to a console, sending e-mail and so on. Alerts are also stored in log files or databases where they can be viewed later on by security experts.

3) Logs - The log messages are usually saved in a file. Log messages can be saved either in text or binary format.

4) False Alarms - False alarms are alerts generated due to an indication that is not intruder activity. For example, misconfigured internal hosts may sometimes broadcast messages that trigger a rule, resulting in the generation of a false alert. Some routers, like Linksys home routers, generate lots of UPnP related alerts. To avoid false alarms, we have to modify and tune different default rules. In some cases we may need to disable some of the rules to avoid false alarms.

5) Sensor - The machine on which an intrusion detection system is running is also called the sensor in the literature because it is used to sense the network.

6) Snort - Snort is a very flexible network intrusion detection system that has a large set of preconfigured rules. Snort also allows us to write our own rule set. There are several mailing lists on the internet where people share new Snort rules that can counter the latest attacks. Snort is a modern security application that can perform the following three functions:
* It can serve as a packet sniffer.
* It can work as a packet logger.
* It can work as a Network-Based Intrusion Detection System (NIDS).

7) OSSEC - OSSEC is a free, open source host-based intrusion detection system (IDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows. It has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed. It was written by Daniel B. Cid and made public in 2004.
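The ideas in 1.6.1 (signatures searched for inside a packet, alerts as the notification, a log kept for later review, false alarms tuned out by disabling rules, and the lag before a signature for a new threat exists) fit together in one small signature-matching sensor. The following is an added example written for this page; it is not Snort and not code from the report. The packets, the rule set and the sid numbers are constructed, with the first rule built around the page's own scripts/iisadmin example.

```python
"""Signature-based packet inspection in the style of section 1.6.1: each rule
carries a byte pattern (the signature) searched in the payload of packets bound
for a given port; a match raises an alert and writes a log record; rules can be
disabled to tune away false alarms.  Example code written for this page, not
from Snort or from the report; packets, rules and sid numbers are constructed."""
from dataclasses import dataclass, field, replace

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass
class Rule:
    sid: int            # rule id, in the spirit of a Snort sid (invented numbers)
    dport: int          # destination port the rule applies to (0 = any port)
    content: bytes      # the signature: byte pattern looked for inside the packet
    msg: str
    enabled: bool = True

# Constructed rule set.  The first rule mirrors the page's own example: a request
# for scripts/iisadmin going to a web server.
RULES = [
    Rule(1000001, 80, b"scripts/iisadmin", "WEB-IIS iisadmin access attempt"),
    Rule(1000002, 80, b"../..", "WEB directory traversal attempt"),
    Rule(1000003, 0, b"M-SEARCH * HTTP/1.1", "UPnP discovery broadcast"),
]

@dataclass
class Sensor:
    rules: list
    alerts: list = field(default_factory=list)   # user notifications
    log: list = field(default_factory=list)      # records kept for later review

    def inspect(self, pkt):
        """Compare one packet against every enabled rule; return the rules that hit."""
        hits = []
        for rule in self.rules:
            if not rule.enabled or rule.dport not in (0, pkt.dport):
                continue
            if rule.content in pkt.payload:
                hits.append(rule)
                self.alerts.append(f"[{rule.sid}] {rule.msg} {pkt.src} -> {pkt.dst}:{pkt.dport}")
                self.log.append({"sid": rule.sid, "src": pkt.src, "dst": pkt.dst,
                                 "dport": pkt.dport, "payload": pkt.payload})
        return hits

    def disable(self, sid):
        """Tuning step: silence a rule that only produces false alarms on this network."""
        for rule in self.rules:
            if rule.sid == sid:
                rule.enabled = False

# Constructed traffic: one probe matching a signature, one benign request, one
# internal UPnP broadcast (the classic false-alarm source named on the page), and
# one request whose pattern has no signature yet (the lag problem).
TRAFFIC = [
    Packet("203.0.113.9", "192.0.2.10", 80, b"GET /scripts/iisadmin/ HTTP/1.0\r\n"),
    Packet("192.0.2.25", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("192.0.2.1", "239.255.255.250", 1900,
           b"M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\n"),
    Packet("203.0.113.9", "192.0.2.10", 80, b"GET /cgi-bin/not-yet-known-pattern HTTP/1.0\r\n"),
]

def run(traffic, rules=RULES, disabled=()):
    """Inspect packets and return (alerts, log).  `disabled` lists sids tuned out first."""
    sensor = Sensor([replace(r) for r in rules])   # copies, so tuning never mutates RULES
    for sid in disabled:
        sensor.disable(sid)
    for pkt in traffic:
        sensor.inspect(pkt)
    return sensor.alerts, sensor.log

if __name__ == "__main__":
    alerts, _ = run(TRAFFIC)
    print("before tuning:", *alerts, sep="\n  ")
    alerts, _ = run(TRAFFIC, disabled=[1000003])
    print("after tuning:", *alerts, sep="\n  ")
```

Before tuning the sensor raises two alerts, one true (the iisadmin probe) and one false (the UPnP broadcast); disabling sid 1000003 leaves only the true one. The fourth packet is never reported in either run, which is exactly the lag the section describes: a signature-based IDS cannot flag what it has no signature for.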

1.7 DETECTION MODEL

There are two primary models for analyzing events to detect attacks:

1.7.1 Anomaly detection model

It detects intrusions by searching for abnormal network traffic. An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. The baseline will identify what is normal for that network (what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other) and alert the administrator or user when traffic is detected which is anomalous, or significantly different, from the baseline. An anomaly-based IDS will detect that an Internet Protocol (IP) packet is malformed. It does not detect that it is malformed in a specific way, but indicates that it is anomalous.
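A baseline of the kind 1.7.1 describes (which protocols and ports normally talk, and how much bandwidth each uses) can be learned from a training period and then compared against new traffic. The following is an added example written for this page, not code from the report; the flow records are constructed, and the z-score threshold of three standard deviations is an assumption. As the section says, the detector reports only that a flow is anomalous, not what attack it is.

```python
"""Anomaly-based detection as in section 1.7.1: learn what is normal for the
network from a training period (per protocol/port, the typical bytes per
interval), then flag traffic that is significantly different from that baseline
or that uses a service never seen during training.  Example code written for
this page; flow records are constructed and the threshold is an assumption."""
import statistics
from collections import defaultdict

# Constructed per-minute flow summaries from a "known good" training period:
# (protocol, destination port, bytes transferred in the interval)
BASELINE_FLOWS = [
    ("tcp", 443, 52000), ("tcp", 443, 48000), ("tcp", 443, 61000), ("tcp", 443, 55000),
    ("tcp", 443, 50000), ("tcp", 443, 58000), ("tcp", 443, 53000), ("tcp", 443, 47000),
    ("tcp", 80, 12000), ("tcp", 80, 9000), ("tcp", 80, 15000), ("tcp", 80, 11000),
    ("tcp", 80, 13000), ("tcp", 80, 10000), ("tcp", 80, 14000), ("tcp", 80, 12500),
    ("udp", 53, 800), ("udp", 53, 650), ("udp", 53, 900), ("udp", 53, 700),
    ("udp", 53, 750), ("udp", 53, 850), ("udp", 53, 600), ("udp", 53, 820),
]

def build_baseline(flows):
    """Per (protocol, port): mean and sample standard deviation of bytes per interval."""
    by_key = defaultdict(list)
    for proto, port, nbytes in flows:
        by_key[(proto, port)].append(nbytes)
    return {k: (statistics.mean(v), statistics.stdev(v)) for k, v in by_key.items()}

def score(baseline, proto, port, nbytes, z_threshold=3.0):
    """Return None when the flow looks normal, otherwise a short reason.
    The reason says only that the flow deviates, never which attack it might be."""
    key = (proto, port)
    if key not in baseline:
        return f"unseen service {proto}/{port}"
    mean, sd = baseline[key]
    # A zero standard deviation means any deviation at all is anomalous
    z = (nbytes - mean) / sd if sd else (0.0 if nbytes == mean else float("inf"))
    if abs(z) > z_threshold:
        return f"{proto}/{port}: {nbytes} bytes is {z:.1f} sd from baseline mean {mean:.0f}"
    return None

def detect(baseline, flows, z_threshold=3.0):
    """Run every observed flow through score(); return the anomalous ones with reasons."""
    found = []
    for flow in flows:
        reason = score(baseline, *flow, z_threshold=z_threshold)
        if reason is not None:
            found.append((flow, reason))
    return found

# Constructed observation window: normal HTTPS and DNS, a DNS volume far above
# anything seen in training, and a connection to a port nothing used in training.
OBSERVED = [("tcp", 443, 54000), ("udp", 53, 780), ("udp", 53, 9000), ("tcp", 4444, 300)]

if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for flow, reason in detect(base, OBSERVED):
        print("ANOMALY", flow, "-", reason)
```

The two normal flows score within a fraction of a standard deviation of their baselines and are ignored, while the DNS burst and the never-seen port are both reported. The baseline is only as good as the training period: if the training traffic already contained the unwanted activity, it becomes "normal", which is the usual caveat of this model.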

1.7.2 Misuse detection model

It detects intrusions by looking for activity that corresponds to known signatures of intrusions or vulnerabilities. The common approach for misuse detection concerns signature verification, where a system detects previously seen, known attacks by looking for an invariant signature left by these attacks. This signature is found in audit files, on the intruded host machine, or in sniffers looking for packets inside or outside of the attacked machine.

1.8 COMPARISON BETWEEN ANOMALY AND MISUSE DETECTION MODEL

1.8.1 Misuse vs. Anomaly Detection

1.9 NETWORK ATTACKS

A network attack can be defined as any method, process, or means used to maliciously attempt to compromise network security. There are a number of reasons that an individual(s) would want to attack corporate networks. The individuals performing network attacks are commonly referred to as network attackers, hackers, or crackers. A few different types of malicious activities that network attackers and hackers perform are summarized here:

* Illegally using user accounts and privileges.
* Stealing hardware.
* Stealing software.
* Running code to damage systems.
* Running code to damage and corrupt data.
* Modifying stored data.
* Stealing data.
* Using data for financial gain or for industrial espionage.
* Performing actions that prevent legitimate authorized users from accessing network services and resources.
* Performing actions to deplete network resources and bandwidth.

1.9.1 TYPES OF ATTACK

* Back door Attacks
* Spoofing Attacks
* Eavesdropping
* Snooping
* Interception
* Identity Spoofing (IP Address Spoofing)
* Modification Attacks
* Repudiation Attacks
* Man-in-the-Middle Attacks
* Replay Attacks
* Password Guessing Attacks
* Sniffer Attack

1.9.1.1 UDP Attacks

* ICMP Attacks
* Smurf Attacks
* ICMP Tunneling

1.9.1.2 Denial of Service (DoS)

* Flooding
* Ping flood (Smurf)
* Send mail flood
* SYN flood
* Distributed Denial of Service (DDoS)
* Remote System Shutdown
* Buffer Overflow
