IDS
1.2 Background
Lisong
In the last few years, the networking revolution has finally come of age. More than ever before, we see that the Internet is changing rapidly, constantly delivering new services. The possibilities and opportunities are limitless; unfortunately, so are the risks and chances of malicious intrusions.

1 http://perso.rd.francetelecom.fr/debar/papers/Debar00a.pdf
It is very important that the security mechanisms of a system are designed to prevent unauthorized access to system resources and data. However, completely preventing breaches of security appears, at present, unrealistic. We can, however, try to detect these intrusion attempts so that action may be taken to repair the damage later. This field of research is called Intrusion Detection.2
If a firewall is like having a security guard at your office door, checking the credentials of everyone coming and going, then an intrusion-detection system (IDS) is like having a network of sensors that tells you when someone has broken in, where they are and what they are doing.3
Intrusion-detection systems aim at detecting attacks against computer systems and networks or, in general, against information systems. Their mission is to monitor the usage of systems in order to detect any appearance of insecure states.
1.3 Principles
Jakob
1.3.1 Approaches
Jakob
There are two main approaches for detecting intrusions: knowledge-based and behavior-based. The majority of IDS tools on the market use knowledge-based detection. One thing common to both approaches is that they never know themselves whether they have made a correct decision or not.

2 Aurobindo Sundaram, An Introduction to Intrusion Detection, www.acm.org/crossroads/xrds2-4/intrus.html
3 Pete Loshin, Intrusion Detection, April 16, 2001 (Computerworld), www.computerworld.com/hardwaretopics/hardware/story/0,10801,59611,00.html
4 http://www.pcmag.com/article2/0,1895,83893,00.asp
5 http://www.cs.sunysb.edu/~sion/teaching/sunysb/2007-Spring/CSE409/presentations/Intrusion_Detection.pdf
6 http://www.sans.org/resources/idfaq/knowledge_based.php?portal=9057acb9e88df77ac68efdf15c5ea5b3
7 http://www.sans.org/resources/idfaq/behavior_based.php
• Behavior can change over time, introducing the need for periodic online retraining of
the behavior profile, resulting either in unavailability of the IDS or in additional false
alarms.
• The information system can undergo attacks at the same time the IDS is learning the
behavior. As a result, the behavior profile contains intrusive behavior, which is not
detected as anomalous.
1.4 Implementations
Carlos
There are 5 different types of IDS, but the Network, Host-based and Hybrid IDS are used most frequently. The different types can be found in the table below.

8 http://www.cs.sunysb.edu/~sion/teaching/sunysb/2007-Spring/CSE409/presentations/Intrusion_Detection.pdf
9 https://ia.gordon.army.mil/iaso/lesson13.htm
10 This feature is often referred to as IDS shunning or blocking.

Host-Based IDS    Internals of a computing system    Tripwire
Hybrid IDS        Combines one or more approaches    Prelude
Table11

Now we are going to explain the different kinds of Intrusion Detection System.
1.4.1 Network
A network intrusion detection system (NIDS) monitors packets on the network wire and attempts to discover whether a hacker/cracker is attempting to break into a system (or cause a denial of service attack). A typical example is a system that watches for a large number of TCP connection requests (SYN) to many different ports on a target machine, thus discovering whether someone is attempting a TCP port scan. A NIDS may run either on the target machine, which watches its own traffic (usually integrated with the stack and services themselves), or on an independent machine promiscuously watching all network traffic (hub, router, probe).
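The SYN-sweep example above can be turned into a small sliding-window detector. This is an added illustration written for this section, not code from the report or from any IDS product; the packet records, addresses and the threshold of 10 distinct ports in 5 seconds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed packet records, shaped like what a NIDS sensor extracts from each TCP
# segment: (timestamp in seconds, source IP, destination IP, destination port, flags).
# Flags "S" is a bare SYN (new connection attempt); "A" marks an established exchange.
SAMPLE_PACKETS = (
    # 10.0.0.5: two ordinary connections to the target's web ports
    [(0.0, "10.0.0.5", "192.0.2.10", 80, "S"), (0.2, "10.0.0.5", "192.0.2.10", 80, "A"),
     (0.5, "10.0.0.5", "192.0.2.10", 443, "S"), (0.7, "10.0.0.5", "192.0.2.10", 443, "A")]
    # 10.0.0.9: a fast sweep, one SYN to a new port every 0.5 s (ports 20..35)
    + [(1.0 + 0.5 * i, "10.0.0.9", "192.0.2.10", 20 + i, "S") for i in range(16)]
    # 10.0.0.7: a slow sweep, one SYN every 6 s, never 10 distinct ports inside the window
    + [(20.0 + 6.0 * i, "10.0.0.7", "192.0.2.10", 1000 + i, "S") for i in range(12)]
)


def detect_syn_scans(packets, window=5.0, port_threshold=10):
    """Return {(src, dst): first detection time} for every source that sent bare SYNs to
    at least `port_threshold` distinct ports of one target within `window` seconds."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (timestamp, dport), oldest first
    alerts = {}
    for ts, src, dst, dport, flags in sorted(packets):
        if flags != "S":
            continue  # only connection attempts count; replies and data segments are ignored
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:  # slide the window: drop SYNs older than `window`
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= port_threshold and key not in alerts:
            alerts[key] = ts  # first moment the sweep crossed the threshold
    return alerts


if __name__ == "__main__":
    for (src, dst), ts in detect_syn_scans(SAMPLE_PACKETS).items():
        print(f"ALERT t={ts:.1f}s possible TCP port scan from {src} against {dst}")
```

The slow sweep shows the usual trade-off of this kind of rule: widening the window catches it, at the price of more state per source and more false alarms.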
1.4.1.1 Snort
Snort is an open source network intrusion detection and prevention system capable of performing packet logging and real-time traffic analysis on IP networks.12

[Figure: Snort IDS console]

11 http://staff.science.uva.nl/~delaat/sne-2006-2007/p12/report.pdf
12 http://www.maestrosdelweb.com/editorial/snort/
1.4.2 Application protocol
An application protocol-based intrusion detection system (APIDS) is an intrusion
detection system that focuses its monitoring on a specific application protocol or protocols in
use by the computing system.
1.4.3 Protocol
A protocol-based intrusion detection system (PIDS) is an intrusion detection system which is typically installed on a web server and is useful for monitoring and analysing the protocol or protocols in use by the computing system.13
A PIDS monitors the dynamic behaviour and state of the protocol and typically consists of a system or agent that sits at the front end of a server, monitoring and analysing the communication protocol between a connected device (a user/PC or system) and the system it is protecting.
For a web server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the web server/system it is trying to protect.
1.4.4 Host
A host-based intrusion detection system consists of an agent on a host which identifies
intrusions by analysing system calls, application logs, file-system modifications and other
host activities.
Host-based Intrusion Detection Systems can be used to determine whether a system has been compromised and can warn administrators if that happens. We recognize 4 different methods:
• Filesystem monitoring.
• Log file analysis.
• Connection analysis.
• Kernel-based intrusion detection.
Implementations of intrusion detection systems commonly use one of these 4 methods to detect intrusions. This is because these methods are the most efficient and offer good results, which is very important in order to detect intrusions.

13 www.wikipedia.org
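Filesystem monitoring, the first of the four methods and the one Tripwire in the table stands for, works from a trusted baseline of file hashes that a later snapshot is compared against. The following is an added illustration written for this section, not code from the report or from Tripwire; the directory tree, file contents and the simulated tampering are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root):
    """Walk `root` and record (size, sha256) for every regular file, keyed by relative path."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return baseline


def compare_baselines(old, new):
    """Classify the differences between a trusted baseline and a fresh snapshot."""
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo():
    """Baseline a constructed directory tree, tamper with it, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        (root / "bin" / "ps").write_bytes(b"\x7fELF untouched")
        (root / "var" / "log" / "auth.log").write_text("login ok\n")
        trusted = build_baseline(root)  # taken while the host is known-good

        # Simulated tampering: a same-size patch of a binary (a size check alone
        # would miss it), a newly dropped binary, and a deleted log file.
        (root / "bin" / "ls").write_bytes(b"\x7fELF 0riginal")
        (root / "bin" / "nc").write_bytes(b"\x7fELF dropped")
        (root / "var" / "log" / "auth.log").unlink()

        return compare_baselines(trusted, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {', '.join(paths) or '-'}")
```

The baseline only has value if it was taken on a known-good host and is stored where an intruder on that host cannot rewrite it.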
1.4.5 Hybrid
A hybrid intrusion detection system combines two or more approaches, offering management
of and alert notification from both network and host-based intrusion detection devices. Hybrid
solutions provide the logical complement to Network Intrusion Detection and Host-based
Intrusion Detection.
1.5 Conclusion
The intrusion detection system is a step towards the utopia of completely secure systems. Now the use of the system can also be monitored. There are still a lot of disadvantages with this type of system. Knowledge-based systems will fail if the hackers find a new hole in the system to exploit before the good guys make a signature that can stop the attack. On the other hand, behavior-based systems can learn, but there is no way to ensure that they are acting correctly. IDS is an area for future research; we especially expect that a lot of effort will be put into the field “AI in behavior-based systems”. Think about a system that is maintenance free and secure.
We knew nothing about IDS when we started to work with this report. This report has given us all an insight into this area. We have gained knowledge of the two main approaches and also learned something about the implementations.
1.6 References
http://www.cs.sunysb.edu/~sion/teaching/sunysb/2007-Spring/CSE409/presentations/Intrusion_Detection.pdf, 2007-10-06
http://www.computerworld.com/hardwaretopics/hardware/story/0,10801,59611,00.html, 2007-10-06
http://perso.rd.francetelecom.fr/debar/papers/Debar00a.pdf, 2007-10-05
www.acm.org/crossroads/xrds2-4/intrus.html, 2007-10-06
http://www.pcmag.com/article2/0,1895,83893,00.asp, 2007-10-06
http://www.cs.sunysb.edu/~sion/teaching/sunysb/2007-Spring/CSE409/presentations/Intrusion_Detection.pdf, 2007-10-06
http://www.sans.org/resources/idfaq/knowledge_based.php?portal=9057acb9e88df77ac68efdf15c5ea5b3, 2007-10-06
http://www.sans.org/resources/idfaq/behavior_based.php, 2007-10-06
http://www.maestrosdelweb.com/editorial/snort/, 2007-10-06
http://staff.science.uva.nl/~delaat/sne-2006-2007/p12/report.pdf, 2007-10-06
www.wikipedia.org, 2007-10-06