
Intrusion detection systems

Lisong Pei, Jakob Schütte, Carlos Simon


2007-10-07
Table of Contents
Intrusion Detection Systems ........ 2
1.1 Introduction ........ 2
1.2 Background ........ 2
1.3 Principles ........ 3
1.3.1 Approaches ........ 3
1.3.1.1 Knowledge-based IDS ........ 4
1.3.1.2 Behavior-based ID ........ 4
1.3.2 Passive and Reactive (active) systems ........ 5
1.3.2.1 What Happens After an Attack in the reactive case? ........ 5
1.4 Implementations ........ 5
1.4.1 Network ........ 6
1.4.1.1 Snort ........ 6
1.4.2 Application protocol ........ 7
1.4.2.1 Secerno ........ 7
1.4.3 Protocol ........ 7
1.4.4 Host ........ 7
1.4.5 Hybrid ........ 8
1.5 Conclusion ........ 8
1.6 References ........ 9

Intrusion Detection systems


1.1 Introduction
Lisong
In information security, intrusion detection is the act of detecting actions that attempt to
compromise the confidentiality, integrity or availability of a resource. A system that performs
automated intrusion detection is called an Intrusion Detection System (IDS).
There are two complementary trends in intrusion detection: (1) knowledge-based, which uses the
knowledge accumulated about attacks and looks for evidence that these attacks are being
exploited, and (2) behavior-based, which builds a reference model of the usual behavior of the
information system being monitored and looks for deviations from the normal usage [1].
The behavior on detection describes the response of the intrusion-detection system to attacks:
reactive or passive. When it actively reacts to the attack by taking corrective or pro-active
actions, the intrusion-detection system is said to be active. If the intrusion-detection system
merely generates alarms, it is said to be passive. An IDS can be host-based, if it monitors system
calls or logs, or network-based, if it monitors the flow of network packets. There are also
protocol-based IDS, application protocol-based IDS and hybrid IDS, which combine two or
more approaches.
This was a short introduction to the fields within IDS that we will focus on in this report.

1.2 Background
Lisong
In the last few years, the networking revolution has finally come of age. More than ever
before, we see that the Internet is changing rapidly, constantly delivering new services. The
possibilities and opportunities are limitless; unfortunately, so are the risks and the chances of
malicious intrusions.
It is very important that the security mechanisms of a system are designed to prevent
unauthorized access to system resources and data. However, completely preventing breaches
of security appears, at present, unrealistic. We can, however, try to detect these intrusion
attempts so that action may be taken to repair the damage later. This field of research is called
Intrusion Detection [2].
If a firewall is like having a security guard at your office door, checking the credentials of
everyone coming and going, then an intrusion-detection system (IDS) is like having a network
of sensors that tells you when someone has broken in, where they are and what they're doing [3].
Intrusion-detection systems aim at detecting attacks against computer systems and networks
or, in general, against information systems. They have the mission of monitoring the usage of
systems to detect any appearance of insecure states.

[1] http://perso.rd.francetelecom.fr/debar/papers/Debar00a.pdf

1.3 Principles
Jakob

Figure: the IDS processing loop
  Capture data (application log, network driver or network cable etc.)
    -> Analyse data (parse data, filter data and execute detection algorithms)
    -> Response (drop packets, send alerts, update routing tables, kill processes etc.)
    -> iterate

An IDS is composed of several components:

• Sensors, which generate security events
• A Console, to monitor events and alerts and to control the sensors
• A central Engine, which records the events logged by the sensors in a database and uses a
system of rules to generate alerts from the security events received

1.3.1 Approaches
Jakob
There are two main approaches for detecting intrusions, knowledge-based and behavior-
based. The majority of all IDS tools on the market use knowledge-based detection. One
thing common to both approaches is that they never know themselves whether they have made a
correct decision or not.

[2] Aurobindo Sundaram, An Introduction to Intrusion Detection, www.acm.org/crossroads/xrds2-4/intrus.html
[3] Pete Loshin, Intrusion Detection, April 16, 2001 (Computerworld),
www.computerworld.com/hardwaretopics/hardware/story/0,10801,59611,00.html

1.3.1.1 Knowledge-based IDS [4][5][6]


A knowledge-based system looks for already defined types of intrusion. The IDS searches a
series of bytes or packets for sequences known to be harmful. The IDS contains
information about vulnerabilities and looks for attempts to exploit these vulnerabilities.
Vulnerabilities that could be detected include different kinds of software or operating system
holes, viruses with matching signatures, and bad firewall/network/routing configurations.
A concrete example: an example string signature for UNIX might be "cat "+ +" > /.rhosts",
which, if successful, might cause a UNIX system to become extremely vulnerable to network
attack.
When an attack attempt is detected it triggers an alarm; every action that is not known to
the system is treated as a safe action. This leads to the conclusion that the security of
knowledge-based systems is very dependent on how quickly they are updated when new
exploits are identified. New signatures are easy to develop and understand if you know what
network behavior you are trying to identify. But the development and maintenance of the
knowledge base of an IDS require careful analysis of each vulnerability and is therefore a time-
consuming task. The fact that knowledge about attacks is tightly bound to its environment, and
therefore depends on the operating system, version, platform and application, makes it
difficult to transfer knowledge between different platforms.

1.3.1.2 Behavior-based ID [7]


Behavior-based systems have an advantage over knowledge-based engines. Behavior-based
intrusion detection techniques work on the principle that an intrusion can be detected by
observing a deviation from the expected (normal) behavior of the system or the users.
First, what is normal for a system? Normal or valid behavior is found in reference
information collected in various ways. The intrusion detection system later compares this
normal behavior with the current activity. Anything that does not correspond to a previously
learned behavior is considered to be an intrusion. An observed deviation generates an alarm.
A behavior-based system might catch all the attacks; in reality it is not that simple, and there
will be a lot of false alarms.
There are both advantages and disadvantages with a system this paranoid.
The main advantages of the behavior-based approaches are:
• They can detect attempts to exploit new and unforeseen vulnerabilities.
• They can contribute to the (partially) automatic discovery of these new attacks.
• They help detect 'abuse of privileges' types of attacks that do not actually involve
exploiting any security vulnerability.
• They are less dependent on operating system-specific mechanisms.
The main disadvantages:
• The high false alarm rate: the entire scope of the behavior of a system may not be
covered during the learning phase.
• Behavior can change over time, introducing the need for periodic online retraining of
the behavior profile, resulting either in unavailability of the IDS or in additional false
alarms.
• The information system can undergo attacks at the same time the IDS is learning the
behavior. As a result, the behavior profile contains intrusive behavior, which is not
detected as anomalous.

[4] http://www.pcmag.com/article2/0,1895,83893,00.asp
[5] http://www.cs.sunysb.edu/~sion/teaching/sunysb/2007-Spring/CSE409/presentations/Intrusion_Detection.pdf
[6] http://www.sans.org/resources/idfaq/knowledge_based.php?portal=9057acb9e88df77ac68efdf15c5ea5b3
[7] http://www.sans.org/resources/idfaq/behavior_based.php
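The two approaches of 1.3.1.1 and 1.3.1.2 compared side by side, as an added example that is not part of the original report or of any IDS product. The audit records, the per-user profile and the live activity are constructed; the only signature is the report's own /.rhosts example.

```python
"""Knowledge-based versus behavior-based detection over a constructed audit
log (added example; not code from the report or from any IDS product)."""
import re
from collections import Counter

# Constructed training records: (user, command line) from a quiet period.
AUDIT_LOG = [
    ("alice", "ls -la /home/alice"), ("alice", "vi report.txt"),
    ("alice", "ls -la /home/alice/docs"), ("alice", "ls -la /tmp"),
    ("bob", "make all"), ("bob", "gcc -o app main.c"), ("bob", "make test"),
]

# Knowledge-based: signatures for activity already known to be harmful. The
# only entry is the report's own example: "+ +" in /.rhosts trusts every host.
SIGNATURES = {
    "rhosts_wildcard": re.compile(r'cat\s+"\+ \+"\s*>\s*/\.rhosts'),
}

def signature_alerts(records):
    """(user, signature) for each record matching a signature. Anything that
    matches nothing is, by design, treated as safe."""
    return [(user, name) for user, cmd in records
            for name, rx in SIGNATURES.items() if rx.search(cmd)]

# Behavior-based: learn which programs each user normally runs, then flag any
# program outside that profile as a deviation.
def learn_profile(records):
    profile = {}
    for user, cmd in records:
        profile.setdefault(user, Counter())[cmd.split()[0]] += 1
    return profile

def anomaly_alerts(profile, records):
    """(user, program) for each command outside the learned profile."""
    return [(user, cmd.split()[0]) for user, cmd in records
            if cmd.split()[0] not in profile.get(user, {})]

# Constructed live activity: one known attack, one harmless new tool, one
# routine command.
LIVE = [
    ("alice", 'cat "+ +" > /.rhosts'),    # attack matching the signature
    ("bob", "python3 setup.py build"),    # benign, but unseen in training
    ("bob", "make all"),
]

def run_both(training, live):
    """Return (signature alerts, anomaly alerts) for the live records."""
    return signature_alerts(live), anomaly_alerts(learn_profile(training), live)

def poisoned_training_misses_attack(training, attack):
    """The report's last caveat: if the attack is present while the profile
    is learned, it becomes 'normal' and is not reported afterwards."""
    return anomaly_alerts(learn_profile(training + [attack]), [attack]) == []
```

The anomaly list shows both sides of the argument above: it catches the attack without any signature, but also raises a false alarm on bob's new build tool.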

1.3.2 Passive and Reactive (active) systems [8][9]


Jakob
An IDS can be either a passive or an active system. In a passive system the IDS sensor detects
something that looks like a gap in the system, logs the information and signals an alert on the
console, but does not take any preventive measures to stop the attack.
A reactive IDS responds to the suspicious activity in the same way as the passive IDS, with the
additional ability to take action on the attack. Reactive systems are also known as intrusion
prevention systems (IPS).

1.3.2.1 What Happens After an Attack in the reactive case?


Lisong
Typical responses:
• Alerts and notifications: email, SMS, pager (important issue: the alert path must be bulletproof)
• Increase surveillance: log more
• Throttling: slow down malicious traffic
• Blocking access: drop data, update firewall/router
• Nuke the attacker: eye-for-an-eye tactics
• Honey pots and padded cells: route the hacker to a fake system and let him play freely
• Inform other routers and firewalls so they can take preventive actions [10]

1.4 Implementations
Carlos
There are 5 different types of IDS, but the Network, Host-based and Hybrid IDS are used
most frequently. The different types can be found in the table below.

Intrusion Detection System      | Scans                                            | Example
Network IDS                     | Network traffic and monitors multiple hosts      | Snort
Protocol Based IDS              | Certain protocol(s) for a specific service       | N/A
Application Protocol Based IDS  | Communication on application specific protocols  | Secerno
Host-Based IDS                  | Internals of a computing system                  | Tripwire
Hybrid IDS                      | Combines one or more approaches                  | Prelude
Table [11]

[8] http://www.cs.sunysb.edu/~sion/teaching/sunysb/2007-Spring/CSE409/presentations/Intrusion_Detection.pdf
[9] https://ia.gordon.army.mil/iaso/lesson13.htm
[10] This feature is often referred to as IDS shunning or blocking.

Now we are going to explain the different kinds of Intrusion Detection System.

1.4.1 Network
Network intrusion detection systems (NIDS) monitor packets on the network
wire and attempt to discover whether a hacker/cracker is attempting to break into a system (or
cause a denial of service attack). A typical example is a system that watches for a large number
of TCP connection requests (SYN) to many different ports on a target machine, thus
discovering whether someone is attempting a TCP port scan. A NIDS may run either on the target
machine, watching its own traffic (usually integrated with the stack and services
themselves), or on an independent machine promiscuously watching all network traffic (hub,
router, probe).
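The SYN port-scan case just described, worked through as an added example that is neither Snort's code nor the report's. The packet records are constructed, and the port threshold and time window are assumed values, not taken from any product.

```python
"""SYN port-scan detection, the NIDS example from the text (added example,
not Snort's code; thresholds and packet records are constructed)."""
from collections import defaultdict, deque

# Assumed tunables: alert when one source has sent SYNs to more than
# PORT_THRESHOLD distinct ports on one target inside a WINDOW-second span.
PORT_THRESHOLD = 10
WINDOW = 5.0

class SynScanDetector:
    def __init__(self, threshold=PORT_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        # (src, dst) -> deque of (timestamp, dst_port), oldest first
        self.history = defaultdict(deque)
        self.alerted = set()   # report each (src, dst) pair once

    def observe(self, ts, src, dst, dport, flags):
        """Feed one packet header; return an alert string or None. Only pure
        SYNs count: a SYN/ACK ("SA") is the server's reply, not a probe."""
        if flags != "S":
            return None
        q = self.history[(src, dst)]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:   # drop entries outside the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) > self.threshold and (src, dst) not in self.alerted:
            self.alerted.add((src, dst))
            return f"portscan: {src} -> {dst}, {len(ports)} ports in {self.window}s"
        return None

def run(packets, detector=None):
    """Return the alerts raised over a sequence of (ts, src, dst, dport, flags)."""
    d = detector or SynScanDetector()
    return [a for a in (d.observe(*p) for p in packets) if a]

def constructed_packets():
    """Constructed sample: a normal client talking to two services, then a
    host sweeping 30 ports on the same target within a third of a second."""
    pkts = [(0.0, "10.0.0.5", "10.0.0.80", 80, "S"),
            (0.1, "10.0.0.80", "10.0.0.5", 52000, "SA"),
            (0.2, "10.0.0.5", "10.0.0.80", 443, "S")]
    pkts += [(1.0 + i * 0.01, "10.0.0.99", "10.0.0.80", 1 + i, "S")
             for i in range(30)]
    return pkts
```

The window bounds the detector's memory, but it also means SYNs spread thinly over time are never correlated, which is why a NIDS combines a threshold rule like this with other rules rather than relying on it alone.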

1.4.1.1 Snort
Snort is an open source network intrusion detection and prevention system capable of
performing packet logging and real-time traffic analysis on IP networks [12].
[Figure: Snort IDS console]

[11] http://staff.science.uva.nl/~delaat/sne-2006-2007/p12/report.pdf
[12] http://www.maestrosdelweb.com/editorial/snort/
1.4.2 Application protocol
An application protocol-based intrusion detection system (APIDS) is an intrusion
detection system that focuses its monitoring on a specific application protocol or protocols in
use by the computing system.

Secerno is an example of an APIDS.


1.4.2.1 Secerno
The Secerno.SQL database security appliance in IDS mode detects unusual activity and
produces alerts, but does not directly block potential threats. Alerting can be fine-tuned to
specific types of SQL statement that reflect how the applications interact with a database.
There is no impact on database traffic, as the network traffic to the database is replicated
(mirrored) using standard networking techniques.

1.4.3 Protocol
A protocol-based intrusion detection system (PIDS) is an intrusion detection system which
is typically installed on a web server and is useful in monitoring and analysing the protocol
or protocols in use by the computing system [13].

A PIDS monitors the dynamic behaviour and state of the protocol and typically consists of a
system or agent that sits at the front end of a server, monitoring and
analysing the communication protocol between a connected device (a user/PC or system) and
the system it is protecting.

For a web server this would typically monitor the HTTPS protocol stream and understand the
HTTP protocol relative to the web server/system it is trying to protect.

1.4.4 Host
A host-based intrusion detection system consists of an agent on a host which identifies
intrusions by analysing system calls, application logs, file-system modifications and other
host activities.
Host-based intrusion detection systems can be used to determine if a system has been
compromised and can warn administrators if that happens. We recognize 4 different methods:
• Filesystem monitoring.
• Log file analysis.
• Connection analysis.
• Kernel-based intrusion detection.
Implementations of intrusion detection systems commonly use one of these 4 methods to
detect intrusions, because these methods are the most efficient and offer good results, which
is very important in order to detect intrusions.

[13] www.wikipedia.org

1.4.5 Hybrid

A hybrid intrusion detection system combines two or more approaches, offering management
of and alert notification from both network and host-based intrusion detection devices. Hybrid
solutions provide the logical complement to Network Intrusion Detection and Host-based
Intrusion Detection.

1.5 Conclusion
The intrusion detection system is a step towards the utopia of completely secure systems. Now
the use of the system can also be monitored. There are still a lot of disadvantages with this type
of system. Knowledge-based systems will fail if the hackers find a new hole in the
system to exploit before the good guys make a signature that can stop the attack. On the other
hand, behavior-based systems can learn, but there is no way to ensure that they are acting
correctly. IDS is an area for future research; we especially expect that a lot of effort will be
put into the field "AI in behavior-based systems". Think about a system that is
maintenance-free and secure.

We knew nothing about IDS when we started to work on this report. This report has given
us all an insight into this area. We have gained knowledge of the two main approaches and also
learned something about the implementations.
1.6 References
http://www.cs.sunysb.edu/~sion/teaching/sunysb/2007-Spring/CSE409/presentations/Intrusion_Detection.pdf, 2007-10-06

http://www.computerworld.com/hardwaretopics/hardware/story/0,10801,59611,00.html, 2007-10-06

http://perso.rd.francetelecom.fr/debar/papers/Debar00a.pdf, 2007-10-05

www.acm.org/crossroads/xrds2-4/intrus.html, 2007-10-06

http://www.pcmag.com/article2/0,1895,83893,00.asp, 2007-10-06

http://www.sans.org/resources/idfaq/knowledge_based.php?portal=9057acb9e88df77ac68efdf15c5ea5b3, 2007-10-06

http://www.sans.org/resources/idfaq/behavior_based.php, 2007-10-06

http://www.maestrosdelweb.com/editorial/snort/, 2007-10-06

http://staff.science.uva.nl/~delaat/sne-2006-2007/p12/report.pdf, 2007-10-06

www.wikipedia.org, 2007-10-06
