
Chapter 4:
Intrusion Detection Systems

ITT320 Introduction To Computer Security


Objectives

 Explain how intrusion-detection systems work
 Implement strategies for preventing intrusion
 Identify and describe several popular intrusion-detection systems
 Define the term honey pot
 Identify and describe at least one honey pot implementation

As a network administrator, how would you detect every intruder coming into your network?
Introduction

Intrusion-Detection Systems (IDS) allow system administrators to detect possible attacks on the network. This chapter explores implementations of IDS solutions. We also explore the concept of a “honey pot” and how it can help administrators track attackers of the network.
Understanding IDS Concepts

 4 concepts:
 Pre-emptive blocking
 Infiltration / disguise
 Intrusion deflection
 Anomaly detection
Understanding IDS Concepts cont.
 Pre-emptive Blocking
 Advantages:
 Sometimes called “banishment vigilance”
 Seeks to prevent intrusions before they occur
 This is done by noting any sign of danger / threat and then blocking the offending IP address
 Attempts to detect impending intrusions through footprinting
Understanding IDS Concepts cont.
 Pre-emptive blocking (situation)

The IDS detects that packets are being sent to every port on the main server from the same IP address.

This probably indicates that the server is being scanned by network-scanning software such as Cerberus or nmap.

So by default the IDS installed on the firewall will automatically block all connections coming from this address.
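The situation above, turned into detection logic as an added example (not part of the original slides): it groups connection records by source address, flags a source that touches many distinct ports inside a short time window, and then issues only time-limited blocks with an allowlist, which is the first guard against blocking the wrong host. The log format, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log, one record per line: "<ISO timestamp> <source IP> <destination port>".
# 203.0.113.7 touches eight ports in four seconds (scan-like); 198.51.100.5 is ordinary traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 21
2024-01-01T10:00:01 203.0.113.7 22
2024-01-01T10:00:01 203.0.113.7 23
2024-01-01T10:00:02 203.0.113.7 25
2024-01-01T10:00:02 203.0.113.7 80
2024-01-01T10:00:03 203.0.113.7 110
2024-01-01T10:00:03 203.0.113.7 443
2024-01-01T10:00:04 203.0.113.7 3389
2024-01-01T10:00:00 198.51.100.5 443
2024-01-01T10:01:00 198.51.100.5 80
"""

def parse_log(text):
    """Turn each log line into a (timestamp, src_ip, dst_port) tuple."""
    records = []
    for line in text.splitlines():
        ts, src, port = line.split()
        records.append((datetime.fromisoformat(ts), src, int(port)))
    return records

def find_scanners(records, min_ports=6, window=timedelta(seconds=60), allowlist=frozenset()):
    """Return {src_ip: ports} for sources hitting >= min_ports distinct ports within one
    sliding window. Allowlisted sources (e.g. the in-house vulnerability scanner) are skipped."""
    by_src = defaultdict(list)
    for ts, src, port in records:
        if src not in allowlist:
            by_src[src].append((ts, port))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            flagged[src] = best
    return flagged

def block_decisions(flagged, now, ttl=timedelta(minutes=15)):
    """Map each flagged source to a block expiry: blocks are temporary, so a
    misidentified host is not banished for good."""
    return {src: now + ttl for src in flagged}
```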
Understanding IDS Concepts cont.
 Pre-emptive Blocking
 Disadvantages:
 The problem is that the suspected host may not really be guilty: it may be the wrong person, or itself a hacked victim
Understanding IDS Concepts cont.
 Infiltration
 Advantages:
 The concept of going undercover in the hacker world online, via:
• Groups
• Forums
 Information is gathered through the hacker community to find out what vulnerabilities are being exploited (current trend)

 Disadvantages:
 Time consuming
 Administrators are not trained in detective work
 Dangerous
Understanding IDS Concepts cont.
 Intrusion Deflection
 Advantages:
 An attempted intrusion is redirected to a special environment and monitored
 Acts as a decoy for the real system
 Honey pots are used in this approach

 Disadvantages:
 Difficult to set up and maintain
 Assumes a target system will be compromised
Understanding IDS Concepts cont.
 Anomaly Detection
 Any activity that does not match normal use is saved in a log
 Each user in the network will have their own specific profile (specific users, groups of users or applications)
 Any activity that does not match the definition of normal behaviour is considered an anomaly and is logged
 This supports the ‘trace back’ detection process, so we are able to establish from where this packet was delivered
Understanding IDS Concepts cont.
 Anomaly Detection
 Threshold monitoring
 Define acceptable behaviour levels and observe whether these levels are exceeded
 This could include something as simple as a finite number of failed login attempts or something as complex as monitoring the time a user is connected and the amount of data that user downloads.
 The challenge here is to find the right threshold level (not too high, not too low)
Understanding IDS Concepts cont.
 Anomaly Detection
 Resource Profiling
 Develops a historic usage profile (over a certain time frame), system-wide
 If the profile shows an abnormal reading this can indicate a threat
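Threshold monitoring and resource profiling, as an added example that is not from the original slides: the first function counts failed logins per user and source and reports the pairs that reach a configurable limit (so the limit can be tuned, not too high and not too low); the second builds a system-wide baseline from historic daily download volumes and flags a reading that sits far outside it. The syslog-style lines and the daily figures are constructed.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed syslog-style authentication lines: alice fails four times from one host,
# bob fails once and then succeeds.
AUTH_LOG = """\
Jan  1 10:00:01 srv sshd[100]: Failed password for alice from 203.0.113.7 port 50001
Jan  1 10:00:03 srv sshd[101]: Failed password for alice from 203.0.113.7 port 50002
Jan  1 10:00:05 srv sshd[102]: Failed password for alice from 203.0.113.7 port 50003
Jan  1 10:00:07 srv sshd[103]: Failed password for alice from 203.0.113.7 port 50004
Jan  1 10:00:09 srv sshd[104]: Failed password for bob from 198.51.100.5 port 50005
Jan  1 10:00:11 srv sshd[105]: Accepted password for bob from 198.51.100.5 port 50006
"""
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def failed_logins_over_threshold(lines, limit=3):
    """Threshold monitoring: count failed logins per (user, source) and return
    only the pairs that reach `limit`. Tune `limit`: too low floods the log with
    ordinary typos, too high lets a slow guessing attempt pass unnoticed."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[m.groups()] += 1
    return {pair: n for pair, n in counts.items() if n >= limit}

# Constructed system-wide baseline: total MB downloaded per day over two weeks.
BASELINE_MB = [510, 495, 530, 520, 505, 515, 500, 525, 510, 498, 512, 508, 519, 503]

def is_abnormal(reading, baseline=BASELINE_MB, k=3.0):
    """Resource profiling: a reading further than k standard deviations from the
    historic mean is an abnormal reading worth investigating."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return abs(reading - mu) > k * sigma
```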
Understanding IDS Concepts cont.
 Anomaly Detection
 User/Group Work Profiling
 Profiles are kept at a user or group level
 Changes in work patterns need to be updated in the profile
 As the user changes his activity, his profile also needs to be updated
Understanding IDS Concepts cont.
 Anomaly Detection
 Executable Profiling
 Monitors how programs use system resources
 Any abnormal program activity that falls outside the threshold will be blocked
 Able to track suspicious malware, viruses and Trojan horses running in the network.
Understanding and Implementing IDS Systems
 Two systems discussed in this section:
 Snort
 Cisco Intrusion-Detection
Understanding and Implementing IDS Systems cont.
 Snort
 Possibly the most well-known open source IDS
 Installed on a server to monitor incoming traffic
 Available on multiple platforms including:
 UNIX, Linux, and Windows
 It is free software
 All documentation about Snort can be found at www.snort.org/
 The latest version of Snort supports real-time analysis and packet logging
 Three modes of operation:
 Sniffer
 Packet logger
 Network intrusion-detection
Sniffer Mode
 Monitors all traffic coming to and going from a computer (shown in the console)
 Able to determine whether the transferred packet is encrypted or not
 Helps determine potential sources of problems
Packet Logger Mode
 All the sniffing results can be found in a log
 Packet contents are written to a text file rather than displayed in a console
 Contents can be searched once the data is in a text file, using a word processor’s search capability
Network Intrusion-Detection
 Uses a heuristic approach to detect anomalies
 Rules-based (learning from experience)
 Command-line based interface
 Need to know the commands and what they do
 Snort cont.
Cisco Intrusion-Detection
 Cisco IDS 4200 Series Sensors
 Cisco Catalyst 6500 Series Intrusion-Detection System Services Module (IDSM-2)
Understanding and Implementing Honey Pots
 A honey pot is a single machine / server
 Set up to appear to be an important server
 Keeps illegal users from harming the real server
 Two types of Honey Pots discussed here:
 Specter
 Symantec Decoy Server
Specter
 Software solution: phantom servers
 Documentation can be found at www.specter.com
 Able to emulate common services:
 SMTP, FTP, HTTP, HTTPS, TELNET, FINGER, POP3, etc.
Specter cont.
 Can be set up in one of five modes:
 Open – In this mode the system behaves like a badly configured server in terms of security. The downside of this mode is that you are most likely to attract and catch the least skilful hackers.
 Secure – This mode makes the system look like a secure server
 Failing – This mode causes the system to behave like a server with various hardware and software problems
 Strange – In this mode the system behaves in unpredictable ways.
 Aggressive – This mode causes the system to actively try to trace back the intruder and derive his identity
Specter cont.
 Fake password files can also be configured
 Easy – The fake username & password are easy to crack
 Normal – This mode has a slightly more difficult password to crack than the easy mode
 Hard – This mode has an even harder password to crack. The harder the password, the longer it takes the hacker to crack it, so we can trace him while he is spending time on it
 Fun – This mode uses famous names and usernames
 Warning – This mode will throw a warning if the hacker successfully cracks the username and password
Symantec Decoy Server
 Full details can be found at:
http://enterprisesecurity.symantec.com/content/displaypdf.cfm?pdfid=292
 It should be no surprise that Symantec provides a honey pot solution
Summary
 There are a variety of Intrusion Detection Systems available
 Should be used in conjunction with firewalls
 Can run at the perimeter and internally as sensors
 Ideally implemented on every server
 Free IDS solutions are available
Summary cont.
 Honey Pots entice hackers to a fake server
 A server is set up specifically to monitor hacker activity
 Honey Pots can help track and catch hackers
 Honey Pots can be configured to emulate many server services