Intrusion Detection System (IDS)

©2015, HCL Technologies. Reproduction Prohibited. This document is protected under Copyright by the Author, all rights reserved.
Abstract

Due to the phenomenal development of networking technology, applications and other services, IP networks are preferred for communication, but are also more exposed to attacks. To cope with the growing menace of security threats, security systems have to be made more intelligent and robust by introducing Intrusion Detection Systems (IDS) in the security layers of a network. An IDS monitors the use of computers and the networks over which they communicate, to detect unauthorized use and anomalous behavior by identifying activities that violate the security policy of the system. There are several reasons that make intrusion detection a necessary part of the overall defense system. Most importantly:

- Many legacy systems and applications were developed without keeping security in mind.
- Computer systems or applications may have design flaws or bugs that can be used by an intruder to attack the system or applications.

An IDS provides ways to monitor, identify and respond to attacks against these systems. The goal of an IDS is not only to detect attacks accurately and notify network administrators, but to detect them at an early stage to minimize the impact.

Abbreviations

Sl. No   Acronym   Full Form
1        IDS       Intrusion Detection System
2        HIDS      Host-based IDS
3        NIDS      Network-based IDS
4        VMM       Virtual Machine Monitor
5        VMI       Virtual Machine Introspection
IDS Overview

An IDS is usually deployed as a second line of defense along with other security mechanisms, such as access control, authentication and firewalls. Though IDS are often used in conjunction with firewalls, the two tools have completely different functions. For example, think of the IDS as a security guard on a factory premises and the fence surrounding the factory as the firewall. Nobody is allowed inside the factory without proper authentication, and the fence keeps unwanted visitors outside the premises. But holes in the fence can be used by unwanted visitors to enter the premises. This kind of intrusion event can be detected by a security guard, who alerts the head security officer or prevents the person from entering the premises. A firewall essentially protects a network and attempts to prevent intrusions by using network- or application-level filtering, whereas an IDS detects a security breach in the system, or that the network is under attack. An IDS uses policies to define certain events as threats, raises alerts upon detection, and often responds to the events appropriately.

Components and Types of IDS

An IDS typically consists of three components:

- Data Preprocessor: This component collects user (audit) data and patterns from the desired source and converts them into a format comprehensible by the next component, i.e. the 'analyzer'. Data used for detecting intrusion ranges from user access patterns to network packet-level features (source and destination IP, types of packets, etc.) along with application- and system-level behaviors (sequences of system calls).

Principles & Assumptions in IDS

The system is assumed to be safe and healthy if the following conditions are met for user actions:

- Conform to statistically predictable patterns
- Do not include sequences that violate the security policy
- Correspond to a set of specifications which describe what the process is allowed to do

If at least one of these conditions is not met, then the system is assumed to be under attack. Further, intrusion detection is based upon the following assumptions, regardless of the methods adopted by the IDS:

- A security policy is defined to differentiate the normal and abnormal usage of every resource.
- The patterns generated by abnormal system usage are noticeably different from those of normal system usage, and result in different system behavior. This anomaly in behavior can be used to detect intrusions.

The detection mechanisms used by IDS are mainly categorized into two methodologies: anomaly detection, and signature/misuse detection.
A VMI IDS offers a more robust view of the system and utilizes the property of the VMM to directly observe hardware states and events of a virtual machine. It uses this information to extrapolate the software state of the host, similar to what a HIDS does. A tampered sshd process, for example, can be detected by periodically performing integrity checks on its code segment. A VMM can provide access to the pages of physical memory and the disk blocks of a VM, but discovering the contents of sshd's code segment requires answering queries about machine state in the context of the OS running in the VM.

VMI-based IDS are strongly isolated from the host they are monitoring, giving a high degree of attack resistance, retaining full visibility of the hardware state, and maintaining the constraints imposed by the OS even if the host has been compromised. The monitored host can be suspended while the IDS restarts in case of a fault, providing an easy model for fail-safe fault recovery.

The VMI-IDS leverages three properties of a virtualized environment:

- Isolation: Software running in a virtual machine cannot access or modify anything running in the VMM or in other VMs. Even if an intruder has completely subverted the monitored host, he still cannot tamper with the IDS.
- Inspection: Being able to directly inspect the virtual machine's CPU, memory and I/O state, there is no state in the monitored system that the IDS cannot see.
- Interposition: The VMI-IDS leverages the functionality of the VMM to interpose on virtual machine operations, so that any attempt to modify a hardware register can be easily detected.

A VMM completely encapsulates the state of a VM in software and can checkpoint a VM easily. This capability can be used to compare the state of a 'VM under observation' for offline analysis, or to capture the entire state of a compromised machine for forensic purposes.

Anomaly-based IDS

This is designed to uncover abnormal patterns. The IDS establishes a baseline of normal usage patterns, which is modeled on the basis of audit data collected over a period through 'training'. Anything that deviates widely from it gets flagged as a possible intrusion. What is considered an anomaly can vary, but normally parameters such as bandwidth, protocols, ports and devices, etc. are compared with the baseline to see if a threshold is crossed, at which point an anomaly is reported. Anomaly detection can also investigate user patterns by profiling the programs executed daily. The algorithms in this approach use 'system call sequences' and 'program counters' to calculate an anomaly score, and raise an alarm if the anomaly score exceeds the threshold.
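The sshd code-segment integrity check described above, as an added example that is not part of the original paper or of any real VMI-IDS. The guest is simulated as a flat physical memory that the VMM exposes page by page; the introspection side needs guest-OS context (here a constructed page table and the text-segment bounds of a hypothetical sshd, which a real system would recover by parsing the guest kernel's process structures) to locate and hash the code segment through the process's current mapping. The page size, the page table and the code bytes are constructed for the demonstration.

```python
import hashlib

PAGE_SIZE = 256  # toy page size for the simulated guest (assumption; real x86 uses 4 KiB)


class GuestVM:
    """Simulated guest: a flat physical address space. The VMM can read any
    physical frame but knows nothing about processes or virtual addresses."""

    def __init__(self, num_pages):
        self.phys = bytearray(num_pages * PAGE_SIZE)

    def read_physical(self, pfn, offset, length):
        base = pfn * PAGE_SIZE + offset
        return bytes(self.phys[base:base + length])


def read_virtual(vm, page_table, vaddr, length):
    """Bridge the semantic gap: walk the process's page table (a dict
    virtual page number -> physical frame number, standing in for what an
    introspection library would parse out of the guest OS) so that a
    virtual range can be read page by page out of physical memory."""
    out = bytearray()
    while length > 0:
        vpn, offset = divmod(vaddr, PAGE_SIZE)
        chunk = min(length, PAGE_SIZE - offset)
        out += vm.read_physical(page_table[vpn], offset, chunk)
        vaddr += chunk
        length -= chunk
    return bytes(out)


def code_segment_digest(vm, page_table, text_start, text_len):
    """SHA-256 of the process's code (text) segment as currently mapped."""
    return hashlib.sha256(read_virtual(vm, page_table, text_start, text_len)).hexdigest()


def check_integrity(vm, page_table, text_start, text_len, baseline):
    """The periodic check: True while the mapped code still matches the baseline."""
    return code_segment_digest(vm, page_table, text_start, text_len) == baseline


SSHD_CODE = bytes(range(256)) * 2  # constructed stand-in for sshd's text bytes (two pages)


def build_demo():
    """Load the constructed sshd text segment into a guest and return its mapping."""
    vm = GuestVM(num_pages=8)
    page_table = {0x10: 5, 0x11: 2}  # vpn -> pfn; text mapped at virtual 0x1000..0x11ff
    text_start, text_len = 0x1000, len(SSHD_CODE)
    vm.phys[5 * PAGE_SIZE:6 * PAGE_SIZE] = SSHD_CODE[:PAGE_SIZE]
    vm.phys[2 * PAGE_SIZE:3 * PAGE_SIZE] = SSHD_CODE[PAGE_SIZE:]
    return vm, page_table, text_start, text_len


def demo():
    vm, pt, start, ln = build_demo()
    baseline = code_segment_digest(vm, pt, start, ln)  # taken while the guest is known-good
    results = {"clean": check_integrity(vm, pt, start, ln, baseline)}

    # Attack 1: in-place patch of one code byte in the second text page
    # (think of a failed-authentication branch turned into an unconditional jump).
    vm.phys[2 * PAGE_SIZE + 0x40] ^= 0xFF
    results["inline_patch"] = check_integrity(vm, pt, start, ln, baseline)
    vm.phys[2 * PAGE_SIZE + 0x40] ^= 0xFF  # restore the original byte

    # Attack 2: leave the original frame untouched, copy it to a free frame,
    # patch the copy, and remap the text virtual page onto the copy.
    vm.phys[7 * PAGE_SIZE:8 * PAGE_SIZE] = vm.phys[2 * PAGE_SIZE:3 * PAGE_SIZE]
    vm.phys[7 * PAGE_SIZE + 0x40] ^= 0xFF
    remapped = dict(pt)
    remapped[0x11] = 7
    results["page_remap"] = check_integrity(vm, remapped, start, ln, baseline)
    return results


if __name__ == "__main__":
    print(demo())
```

check_integrity() is what a timer inside the IDS would call; because the digest is computed through the process's current page mapping rather than over fixed physical frames, both an in-place patch and a remap of a code page onto a modified copy change the digest, so demo() returns {'clean': True, 'inline_patch': False, 'page_remap': False}.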
Limitation of Anomaly Detection

The main weakness of this approach is the baseline collected through training. A subject's normal behavior usually changes over time, and an IDS that uses this approach usually allows the subject's profile to change gradually. An intruder can use this loophole to train the IDS and make an intrusive activity acceptable. Additionally, it can give a series of false alarms in case of a noticeable change in the system environment. A false positive occurs when normal behavior is incorrectly identified as abnormal and an alert is raised; a false negative occurs when abnormal behavior is incorrectly accepted as normal and no alert is raised. Moreover, during training, the input parameters often do not contain all the features related to intrusion detection. These missing features make it difficult to distinguish attacks from normal activities.
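An added example (not from the original paper) of the system-call-sequence scoring the Anomaly-based IDS section describes, together with the training loophole this section warns about. The baseline is the set of short system-call windows (n-grams) seen in constructed 'normal' traces of a hypothetical network daemon; the anomaly score of a new trace is the fraction of its windows never seen in training, and an alarm is raised when the score exceeds a threshold. The second half lets the profile adapt from every trace it accepts, and shows an attacker walking the baseline forward one unseen window at a time until the full attack trace scores zero. Trace contents, window length and threshold are assumptions made for the demonstration.

```python
# Constructed "normal" system-call traces of a hypothetical network daemon
# (not real sshd traces): what the IDS sees during training.
NORMAL_TRACES = [
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
    ["accept", "read", "write", "read", "write", "close"],
    ["accept", "read", "open", "read", "close", "write", "close"],
]

# Constructed post-exploitation trace: map memory, make it executable,
# spawn a shell, wire its stdio to a fresh outbound socket.
ATTACK_TAIL = ["read", "mmap", "mprotect", "execve", "dup2", "dup2", "socket", "connect"]
ATTACK_TRACE = ["accept"] + ATTACK_TAIL

N = 2             # window length: short for the toy traces, longer in practice
THRESHOLD = 0.25  # alarm when more than 25% of a trace's windows are unseen


def ngrams(trace, n=N):
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train_baseline(traces, n=N):
    """Baseline = every call window observed during training."""
    baseline = set()
    for trace in traces:
        baseline.update(ngrams(trace, n))
    return baseline


def anomaly_score(trace, baseline, n=N):
    """Fraction of the trace's windows never seen in training (0.0 = all seen)."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in baseline) / len(grams)


def detect(trace, baseline, threshold=THRESHOLD, n=N):
    """Return (alarm, score); alarm when the score exceeds the threshold."""
    score = anomaly_score(trace, baseline, n)
    return score > threshold, score


def adaptive_update(baseline, trace, threshold=THRESHOLD, n=N):
    """Naive profile adaptation: anything not flagged is learned as normal.
    This is the loophole: the profile moves as far as the attacker pushes it."""
    flagged, score = detect(trace, baseline, threshold, n)
    if not flagged:
        baseline.update(ngrams(trace, n))
    return flagged, score


def demo():
    frozen = train_baseline(NORMAL_TRACES)
    adaptive = set(frozen)
    flagged_before, score_before = detect(ATTACK_TRACE, frozen)

    # The attacker submits traces that are mostly normal and introduce exactly
    # one new window each, so every one of them stays under the threshold.
    prefix = ["accept", "read", "write", "read", "write"]
    accepted = 0
    for k in range(2, len(ATTACK_TAIL) + 1):
        flagged, _ = adaptive_update(adaptive, prefix + ATTACK_TAIL[:k])
        accepted += 0 if flagged else 1

    flagged_after, score_after = detect(ATTACK_TRACE, adaptive)
    flagged_frozen, _ = detect(ATTACK_TRACE, frozen)
    return {
        "score_before": score_before, "flagged_before": flagged_before,
        "accepted_steps": accepted,
        "score_after": score_after, "flagged_after": flagged_after,
        "flagged_with_frozen_baseline": flagged_frozen,
    }


if __name__ == "__main__":
    print(demo())
```

Against the freshly trained baseline the attack trace scores 0.875 (7 of 8 windows unseen) and is flagged; after seven accepted "almost normal" traces the same attack scores 0.0 against the adapted profile, while the frozen baseline still flags it. The practical consequence is that profile updates need a rate limit or review step, not just a threshold.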
Misuse-based IDS

This is complementary to anomaly detection. Known attack patterns can be detected more effectively by using the knowledge about them. A misuse-based IDS monitors packets on the network, or records in an audit trail, and compares them against a database of signatures or attributes of known malicious threats. Misuse detection looks for well-defined patterns of known attacks or vulnerabilities; even a very trivial intrusive activity that is usually ignored by anomaly detection can be detected by these systems. The detection algorithm usually follows directly from the representation mechanism. Rule-based expert systems are used in misuse-based algorithms, in which rules are applied to audit records to detect intrusion.
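An added example (not from the original paper) of the misuse pipeline end to end: the Data Preprocessor step from the Components section turns constructed audit lines into feature records (source and destination IP, ports, flags, payload), and two rule-based signatures are then applied to those records, a stateful port-scan rule (one source SYN-ing five distinct ports on a host within ten seconds) and a content rule for a directory-traversal sequence in an HTTP request. The log format, thresholds and rule names are assumptions made for the demonstration, and the alert list stands in for the response component.

```python
import re
from datetime import datetime, timedelta

# Constructed audit records (not real traffic): timestamp, protocol,
# src:port -> dst:port, TCP flags and the first bytes of payload.
RAW_LOG = """\
2015-03-02T10:15:01 TCP 10.0.0.5:51432 -> 192.168.1.10:22 flags=S payload=
2015-03-02T10:15:01 TCP 10.0.0.5:51433 -> 192.168.1.10:23 flags=S payload=
2015-03-02T10:15:01 TCP 10.0.0.5:51434 -> 192.168.1.10:25 flags=S payload=
2015-03-02T10:15:02 TCP 10.0.0.5:51435 -> 192.168.1.10:80 flags=S payload=
2015-03-02T10:15:02 TCP 10.0.0.5:51436 -> 192.168.1.10:443 flags=S payload=
2015-03-02T10:15:09 TCP 10.0.0.7:40010 -> 192.168.1.10:80 flags=PA payload=GET /index.html HTTP/1.1
2015-03-02T10:15:10 TCP 10.0.0.7:40011 -> 192.168.1.10:80 flags=PA payload=GET /cgi-bin/../../../../etc/passwd HTTP/1.1
2015-03-02T10:15:11 TCP 10.0.0.8:40500 -> 192.168.1.10:80 flags=PA payload=GET /search?q=%27%20OR%201%3D1-- HTTP/1.1
2015-03-02T10:15:12 UDP 10.0.0.9:5353 -> 224.0.0.251:5353 flags=- payload=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src_ip>[\d.]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) flags=(?P<flags>\S+) payload=(?P<payload>.*)$"
)


def preprocess(line):
    """Data preprocessor: raw audit line -> feature record the analyzer understands."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


SCAN_PORTS = 5                       # assumed thresholds for the toy rule
SCAN_WINDOW = timedelta(seconds=10)


def rule_port_scan(rec, state):
    """Stateful signature: one source SYN-ing >= SCAN_PORTS distinct ports
    on the same host within SCAN_WINDOW. Fires once per (src, dst) pair."""
    if rec["proto"] != "TCP" or rec["flags"] != "S":
        return None
    key = (rec["src_ip"], rec["dst_ip"])
    hist = state.setdefault("syn", {}).setdefault(key, [])
    hist.append((rec["ts"], rec["dst_port"]))
    hist[:] = [(t, p) for t, p in hist if rec["ts"] - t <= SCAN_WINDOW]
    ports = {p for _, p in hist}
    alerted = state.setdefault("scan_alerted", set())
    if len(ports) >= SCAN_PORTS and key not in alerted:
        alerted.add(key)
        return ("PORT-SCAN", rec["src_ip"], f"{len(ports)} ports on {rec['dst_ip']}")
    return None


def rule_path_traversal(rec, state):
    """Content signature: directory-traversal sequence in a request payload."""
    if rec["proto"] == "TCP" and "../" in rec["payload"]:
        return ("PATH-TRAVERSAL", rec["src_ip"], rec["payload"])
    return None


RULES = [rule_port_scan, rule_path_traversal]


def run_ids(raw_log, rules=RULES):
    """Analyzer loop: every record is checked against every rule; matches become alerts."""
    state = {}
    alerts = []
    for line in raw_log.splitlines():
        rec = preprocess(line)
        if rec is None:
            continue
        for rule in rules:
            alert = rule(rec, state)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_ids(RAW_LOG):
        print(alert)
```

run_ids() returns two alerts, the port scan when the fifth distinct port is hit and the traversal on the second request from 10.0.0.7. The SQL-injection-style request from 10.0.0.8 produces nothing because no rule describes it, which is exactly the blind spot a signature set has for anything it was not written for.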
Limitations of Misuse Detection

This model cannot detect unknown attacks. A system protected by this method may face the risk of being compromised without the attacks being detected. Misuse detection requires an explicit representation of attacks, which is not an easy task, and the nature of the attacks also needs to be thoroughly understood before an alert can be raised. This requires human/expert intervention for analysis, which is both time consuming and error prone.
Future Directions and Business Relevance

Intrusion detection is still a fledgling field of research. The growth of the Internet, the possibilities opening up in electronic trade and the lack of truly secure systems make it an important field of research.

Detecting unknown patterns of attack without generating too many false alarms still remains an unresolved problem. Future research trends seem to be converging towards a model that is a hybrid of anomaly and misuse detection, since neither of the models can detect all intrusion attempts on its own.

The drastic increase in the number of intrusion incidents in business networks has pushed enterprises to increase their IT security budgets by adopting new advanced security technologies, which eventually boosted the market for IDS to a great extent. The market related to IDS is expected to grow from $2.716 billion in 2014 to $5.042 billion by 2019, an estimated compound annual growth rate of 13.2%.
Conclusion

Intrusion detection has become a necessary addition to the security infrastructure of almost every organization. The criticality of detecting intrusions in networks and applications leaves no margin for error. The effective cost of a successful intrusion overshadows the cost of developing an IDS, and hence it becomes critical to identify the best possible approach for developing a better IDS. Every network and application is designed differently, so it becomes extremely difficult to develop a single generic solution that works for all. To keep pace with ever-changing networks and applications, the IDS must stay in sync with them both. IDS must integrate with wireless technologies, removable and mobile devices, and provide support in a comprehensible manner. Evaluation and benchmarking of IDS are important areas of concern for organizational decision makers and end users. Moreover, reconstructing attack scenarios from intrusion alerts and integrating the IDS with the other security mechanisms it is deployed alongside will improve both its usability and performance. We expect IDS to become a practical and effective solution, using both host- and network-based IDS to provide complete defense to information systems.

Last, but not the least, by providing a secure infrastructure with both host- and network-based IDS for our esteemed clients at HCL, apprehensions about security vulnerabilities will be mitigated, their confidence boosted, and a win-win atmosphere created for new opportunities.

Author Info

Saumendra Dash
HCL Engineering and R&D Services

This whitepaper is published by HCL Engineering and R&D Services. The views and opinions in this article are for informational purposes only and should not be considered as a substitute for professional business advice. The use herein of any trademarks is not an assertion of ownership of such trademarks by HCL nor intended to imply any association between HCL and the lawful owners of such trademarks.