Intrusion Detection System (IDS)

IntrusionDetectionSystem (IDS)

©2015,HCLTechnologies.ReproductionProhibited.ThisdocumentisprotectedunderCopyrightbytheAuthor,allrightsreserved.
Abstract
Abbreviations
IDSOverview
Principles&AssumptionsinIDS
ComponentsandTypesofIDS
HIDS(Host-basedIntrusionDetectionSystems)
NIDS(Network-basedIntrusionDetectionSystems)NIDS(Network-basedIntrusionDetectionSystems)
IntrusionDetectioninVirtualizedSystems
Anomaly-basedIDS
LimitationsofAnomalyDetection
Misuse-basedIDS
LimitationsofMisuseDetection
FutureDirections
ConclusionConclusion
Reference
AuthorInfo
3
3
4
4
4
5
66
6
8
9
9
9
9
1010
10
10
TableofContents

Due to the phenomenaldevelopmentofNetworking technology,applicationsand otherservices,IP
networksarepreferredforcommunication,butaremorevulnerabletoattacks.Tocopewiththegrowing-
menaceofsecuritythreats,securitysystemshavetobemademoreintelligentandrobustbyintroducing
IntrusionDetectionSystems(IDS)inthesecuritylayersofanetwork.IDSmonitortheuseofcomputersand
thenetworksoverwhichtheycommunicate,todetectunauthorizeduseandanomalousbehaviorbyidentify-
ingactivitiesthatviolatethesecuritypolicyinthesystem.Thereareseveralreasonsthatmake intrusion
detectionanecessarypartoftheentiredefensesystem.Moreimportantly,
Manylegacysystemsandapplicationsweredevelopedwithoutkeepingsecurityinmind
Computersystemsorapplicationsmayhavedesignﬂawsorbugsthatcanbeusedbyanintruderto
attackthesystem orapplications
AnIDSprovideswaystomonitor,identifyandrespondtoattacksagainstthesesystems.ThegoalofIDSisnot
onlytodetectattacksaccuratelyandnotifynetworkadministrators,butdetectthem atanearlystageto
minimizetheimpact.
Sl.No
1
2
3
4
5
IDS
HIDS
NIDS
VMM
VMI
IntrusionDetectionSystem
Host-basedIDS
Network-basedIDS
VirtualMachineMonitor
VirtualMachineIntrospection
FullFormAcronyms
Abstract
Abbreviations
IntrusionDetectionSystem (IDS)|3

IDSisusuallydeployedasasecondlineofdefensealongwithothersecuritymechanisms,suchasaccess
control,authenticationandfirewalls.ThoughIDSareoftenusedinconjunctionwithfirewalls,thetwotools
havecompletelydifferentfunctionalities.Forexample,thinkofIDSasasecurityguardinafactorypremises
andthefencesurroundingthefactoryasthefirewall.Nobodyisallowedinsidethefactorywithoutproper
authenticationandthefencekeepsallunwantedvisitorsoutsideofthepremises.Buttheholesinthefence
canbeusedbyunwantedvisitorstoenterthepremises.Thiskindofintrusioneventcanbemonitoredbya
securitysecurityguardwhoalertstheheadsecurityofficerorpreventsthepersonfrom enteringintothepremises.A
firewallessentiallyprotectsanetworkandattemptstopreventintrusionsbyusingnetworkorapplication
levelfiltering,whereasIDSdetectsanysecuritybreachinthesystem orwhenthenetworkisunderattack.IDS
usespoliciestodefinecertaineventsasthreats,raisealertsupondetection,andoftenrespondstotheevents
appropriately.
AnIDStypicallyconsistsofthreecomponents:
DataDataPreprocessor:Thiscomponentcollectsuser(audit)dataandpatternsfrom thedesiredsourceand
convertsitintoaformatcomprehensiblebythenextcomponenti.e.the‘analyzer’.Datausedfordetecting©
2015,HCLTechnologies.ReproductionProhibited.ThisdocumentisprotectedunderCopyrightbytheAuthor,
allrightsreserved.intrusionrangesfrom useraccesspatternstonetworkpacketlevelfeatures(sourceand
destinationIP,typesofpackets,etc.)alongwiththeapplicationandsystem levelbehaviors(sequenceof
system calls).
Thesystem isassumedtobesafeandhealthy,ifthefollowingconditionsaremetforuseractions.
Conformstostatisticallypredictablepatterns
Doesnotincludesequencesthatviolatethesecuritypolicy
Correspondstoasetofspecificationswhichdescribewhattheprocessisallowedtodo
Ifatleastoneoftheseconditionsarenotmeet,thenthesystem isassumedtobeunderattack.Further,intru-
siondetectionisbaseduponthefollowingassumptionsregardlessofthemethodsadoptedbytheIDS.
Asecuritypolicyisdefinedtodifferentiatethenormalandabnormalusageofeveryresource.
Thepatternsgeneratedforabnormalsystem usagearenoticeablydifferentfrom thoseofnormalsystem
usage,andresultsindifferentsystem behavior.Thisanomalyinbehaviorcanbeusedtodetectintrusions.
ThedetectionmechanismsusedbyIDSaremainlycategorizedintotwomethodologies:Anomalydetection,
andsignature/misusedetection.
Principles&AssumptionsinIDS
ComponentsandTypesofIDS
IDSOverview

Analyzer(IntrusionDetector):ThisisthecorecomponentinIDS,whichanalyzestheauditpatternssuchas
machinelearning,patternmatching,dataminingandstatisticaltechniquestodetectanattack.Itscapability
todetectanattackoftendeterminesthestrengthoftheoverallsystem.
ResponseEngine:Thiscomponentcontrolsthereactionmechanism anddeterminestheresponsewhenthe
analyzerdetectsanattack.Dependinguponthesecuritypolicyofthenetwork,itdecideswhethertoraisean
alertorblockthesourcetemporarily.IDScanbeeithernetwork-based,orhost-based.Eachhasdistinct
approachesformonitoringandsecuringdata.
HIDSpreventsthreatsthatarisefrom insidethenetworkbycollectingdataoriginatedonindividualhostsand
analyzingthem byadedicatedsystem.Thesesystemsresideontrustednetworksystemsandareaccessible
onlytoauthenticatedusers.Ifoneoftheseusersattemptunauthorizedactivity,HIDSdetectsitandcollects
themostpertinentinformationinthequickestpossiblemanner.Forexample,theOperatingSystemsaudit
logsarehighlyeﬀectivefordetectinginsiderabuse.AtypicalHIDSarchitectureisrepresentedinFigure1.The
bluecoloredmachinesrepresentHIDSthathavebeeninstalled.
Figure-1:HIDSArchitecture
HIDS(Host-basedIntrusionDetectionSystems)

NIDSanalyzedatapacketsthattravelovertheactualnetworkandoftencompareswithempiricaldatato
verifytheirnature.NIDSareplacedatstrategicpointswithinthenetworktomonitorit,andarebestatdetect-
ingthefollowingactivities:
Denialofservice:NIDSnoticesthepacketsthatinitiateattacksfrom outsideofthenetworkandsinglesout
networkresourcesforabuseoroverload.
Unauthorizedoutsideraccess:Detectsunauthorizedloginattemptsbyusersbeforetheactuallogin.NIDS
typicalarchitectureisrepresentedinFigure2.ThetraﬃchasbeenfunneledthroughtheNIDSdeviceinthe
network.Itdoesnotisolateanysinglehostmachineforintrusiondetection.
Figure-2:NIDSArchitecture
ThevirtualizedenvironmentprovidesprotectiontosystemswiththehelpofaVirtualMachineMonitor(VMM)
orHypervisorbyusingthebestofbothhost-andnetwork-basedIDS.TheVMM pullstheIDSoutsideofthe
monitoredhostintoacompletelydiﬀerenthardwareprotectiondomain;thispropertyofVMM isknownas
isolation.TheVMMprovidesahugebarrierbetweentheIDSandtheattacker’smaliciouscode,whichensures
thattheIDScan’tbetamperedwithevenifthemonitoredhostiscompromised.Theabilitytodirectlyinspect
thehardwarestateofaVirtualMachine(VM)thatamonitoredhostisrunning,andtherebyprovidemonitor-
ingingofbothhardwareandsoftwarelevelevents,iscalledinspection.Anyattempttomodifyaregistercan
easilybedetectedbytheVMM;thisiscalledtheinterpositionpropertyofVMM.
NIDS(Network-basedIntrusionDetectionSystems)
IntrusionDetectioninVirtualizedSystems

TheOSInterfaceLibrary,whichprovidesanOS-levelviewofthevirtualmachine’sstateinordertofacilitate
easypolicydevelopmentandimplementation.Itinterpretslowlevelmachinestatesfrom theVMM interms
ofhigherlevelOSstructures,byusingknowledgeabouttheguestOSimplementationtointerprettheVM’s
machinestate,whichisexportedbytheVMM.
TheThePolicyEngineexecutesIDSpoliciesbyusingtheOSinterfacelibraryandtheVMM interface.Itprovides
aninterfaceformakinghigh-levelqueriesabouttheOSofthemonitoredhost,andinterpretssystem state
andeventsfrom theVMM interfaceandOSinterfacelibraryforanysecuritybreach.Thepolicyengine
respondsappropriatelyincaseofthreatsandisconsideredtobetheheartofIDS.
Figure3showshow theVM runs,thehostbeingmonitored,andtheVMI-basedIDSwithitsmajorcom-
ponents.
VirtualMachineIntrospection(VMI)inspectsaVM from outsideandanalyzesthesoftwarerunningonit.The
VMIIDSimplementsintrusiondetectionpoliciesbyanalyzingthemachinestateandtheeventsthroughthe
VMM interface.VMI-IDSusesthepropertiesoftheVMM toprovideaveryrobustarchitectureforintrusion
detection.
IDs
PolicyModules
PobeyFramework
OSInterfaceLib
PolicyEngine
MonitoredHost
GuestApps
GuestOS
VirtualMachine
H/W State
VirtualMachineMonitor
Response
Command
Query Response
Figure-3:VMI-basedIDS
TheVMI-IDSisdividedintotwoparts:

Thisisdesignedtouncoverabnormalpatterns.TheIDSestablishesabaselineofnormalusagepatterns,
whichismodeledonthebasisofauditdatacollectedoveraperiodthrough‘training’.Anythingthatwidely
deviatesfrom itgetsflaggedasapossibleintrusion.Whatisconsideredtobeanomalycanvary,butnormally
differentparameterssuchasbandwidth,protocols,portsanddevices,etc.arecomparedwiththebaselineto
seeifitcrossesathreshold,andthenananomalyisdetected.Anomalydetectioncanalsoinvestigateuser
patternsbyprofilingtheprogramsexecuteddaily.Thealgorithmsinthisapproachuse‘system callsequence’
andand‘program counters’tocalculatetheanomalyscore.Itraisesanalarm iftheanomalyscoredeviatesfrom
thethreshold.
Isolation:SoftwarerunninginavirtualmachinecannotaccessormodifyanythingrunninginVMM orother
VMs.Evenifanintruderhascompletelysubvertedthemonitoredhost,hestillcannottamperwiththeIDS.
Inspection:Beingabletodirectlyinspectthevirtualmachine’sCPU,memoryandI/Ostatus,thereisnostate
inthemonitoredsystem thatIDScannotsee.
Interposition:VMI-IDSleveragesthefunctionalityofVMM tointerposevirtualmachineoperations,sothat
anyattemptstomodifyahardwareregistercanbeeasilydetected.
AAVMIcompletelyencapsulatesthestateofaVMinsoftware,andcollectsthecheckpointsofaVMeasily.This
capabilitycanbeusedtocomparethestateofa‘VMunderobservation’forperformingofflineanalysis,orcap-
turingtheentirestateofthecompromisedmachineforforensicpurposes.
AVMIIDSoffersamorerobustviewofthesystem andutilizesthepropertyofVMM todirectlyobservehard-
warestatesandeventsofavirtualmachine.Itusestheinformationtoextrapolatethesoftwarestateofthe
hostsimilartothatofHIDS.Atamperedsshdprocesscanbedetectedbyperiodicallyperformingintegrity
checksonitscodesegment.AVMMcanprovideaccesstopagesofphysicalmemory/diskblocksinaVM,but
discoveringthecontentsofsshd’scodesegmentrequiresansweringqueriesaboutmachinestateinthe
contextofOSrunningintheVM.
VMI-basedVMI-basedIDSarestronglyisolatedfrom thehosttheyaremonitoring,givingahighdegreeofattackresis-
tance,providingcompleteprotectiontohardwareaccess,andmaintainingtheconstraintsimposedbytheOS
evenifthehosthasbeencompromised.VMI-basedIDSsuspendthehostswhiletheIDSrestartsincaseofa
fault,providinganeasymodelforfail-safefaultrecovery.
TheVMI-IDSleveragesthreepropertiesofavirtualizedenvironment:
Anomaly-basedIDS

Theconsofthisapproacharethebaselinecollectedthroughtraining.Asubject’snormalbehaviorusually
changesovertimeandtheIDSthatusesthisapproachusuallyallowsthesubject’sprofiletochange
gradually.AnintrudercanusethisloopholetotraintheIDSandmakeanintrusiveactivityacceptable.Addi-
tionally,itcangiveaseriesoffalsealarmsincaseofanoticeablechangeinthesystem environment.False
positivealertsareissuedwhennormalbehaviorisincorrectlyidentifiedasabnormal,andfalsenegative
alertsareissuedwhenabnormalbehaviorisincorrectlyidentifiedasnormal.Moreover,duringthetraining,
thetheinputparametersoftendonotcontainallthefeaturesrelatedtointrusiondetection.Thesemissing
featuresmakeitdifficulttodistinguishattacksfrom normalactivities.
LimitationofAnomalyDetection
Thisiscomplementarytoanomalydetection.Theknownattackpatternscanbedetectedmoreeffectivelyby
usingtheknowledgeaboutthem.Thiswillmonitorpacketsonthenetworkandcomparethem againstadata-
baseofsignaturesorattributesfrom knownmaliciousthreats.Misusedetectionwilllookforwell-defined
patternsofknownattacksorvulnerabilities,evenaverytrivialintrusiveactivitythatisusuallyignoredby
anomalydetectioncanbedetectedbythesesystems.Thedetectionalgorithm usuallyfollowsdirectlyfrom
the representation mechanisms.Rule-based expertsystemsare used in misuse-basedalgorithms,in
whichrulesareappliedtoauditrecords,todetectintrusion.whichrulesareappliedtoauditrecords,todetectintrusion.
Misuse-basedIDS
Thismodelcannotdetectunknownattacks.Asystemprotectedbythismethodmayfacetheriskofbeingcom-
promisedwithoutdetectingtheattacks.Misusedetectionrequiresexplicitrepresentationofattackswhichis
notaneasytask,andthenatureoftheattacksalsoneedstobethoroughlyunderstoodtoraiseanalert.This
requireshuman/expertinterventionforanalysis,whichisbothtimeconsuminganderrorprone.
LimitationsofMisuseDetection
Intrusiondetectionisstillafledglingfieldofresearch.ThegrowthoftheInternet,thepossibilitiesopeningup
inelectronictradeandthelackoftrulysecuresystemsmakesitanimportantfieldofresearch.
Todetectunknownpatternsofattackswithoutgeneratingtoomanyfalsealarms,stillremainsanunre-
solvedproblem.Futureresearchtrendsseem tobeconvergingtowardsamodelthatisahybridofanomaly
andmisusedetection,sinceneitherofthemodelscandetectallintrusionattemptsontheirown.
Thedrasticincreaseinthenumberofintrusionincidentsinbusinessnetworkshaspushedenterprisesto
increasetheirITsecuritybudgetsbyadaptingtonew advancedsecuritytechnologies,whicheventually-
boostedthemarketofIDStoagreatextent.ThemarketrelatedtoIDSisexpectedtogrowfrom $2.716bil-
lionin2014to$5.042billionby2019,anestimatedgrowthrateof13.2%.
FutureDirectionsandBusinessRelevance

Formoredetailscontact:ers.info@hcl.com
Followusontwitter:http://twitter.com/hclersand
Ourbloghttp://www.hcltech.com/blogs/engineering-and-rd-services
Visitourwebsite:http://www.hcltech.com/engineering-rd-services
Hello,I’m from HCL’sEngineeringandR&DServices.Weenabletechnologyledorganizationstogotomarketwithinnovativeproducts
andsolutions.Wepatnerwithourcustomersinbuildingworldclassproductsandcreatingassociatedsolutiondeliveryecosystems
to help bringmarketleadership.Wedevelop engineeringproducts,solutionsand platformsacrossAerospaceand Defense,
Automotive,ConsumerElectronics,Software,Online,IndustrialManufacturing,MedicalDevices,NetworkingandTelecom,Office
Automation,SemiconductorandServers&Storageforourcustomers.
ThiswhitepaperispublishedbyHCLEngineeringandR&DServices.
Theviewsandopinionsinthisarticleareforinformationalpurposesonlyandshouldnotbeconsideredasasubstituteforprofessional
businessadvice.TheusehereinofanytrademarksisnotanassertionofownershipofsuchtrademarksbyHCLnorintendedtoimply
anyassociationbetweenHCLandlawfulownersofsuchtrademarks.
FormoreinformationaboutHCLEngineeringandR&DServices,
Pleasevisithttp://www.hcltech.com/engineering-rd-services
Copyright@ HCCopyright@ HCLTechnologies
Allrightsreserved.
SaumendraDash
HCLEngineeringandR&DServices
Reference
Conclusion
AuthorInfo
[1]http://packetstorm.igor.onlinedirect.bg/papers/IDS/nids/A-Framework-For-An-Adaptive-Intrusion-Detection-System.pdf
[2]http://static.usenix.org/event/lisa99/full_papers/roesch/roesch.pdf
[3]https://iseclab.org/papers/driveby.pdf
[4]http://www.cse.iitm.ac.in/~ravi/papers/Ranga_COMSNETS_12.pdf
Last,butnottheleast,byprovidingasecureinfrastructurewithbothHost-andNetwork-basedIDSforour
esteemedclientsinHCL,apprehensionsaboutthesecurityvulnerabilitieswillmitigate,boosttheirconfi-
dence,andcreateawin-winatmospherefornewopportunities.
Intrusiondetectionhasbecomeanecessaryadditiontothesecurityinfrastructureofalmosteveryorga-
nization.Thecriticalityofdetectingintrusioninnetworksandapplicationsleavesnomarginforerrors.The
effectivecostofasuccessfulintrusionovershadowsthecostofdevelopingIDS,andhence,itbecomescritical
toidentifythebestpossibleapproachfordevelopingabetterIDS.Everynetworkandapplicationisdifferently
designed,soitbecomesextremelydifficulttodevelopsinglegenericsolutionthatworksforall.Tokeeppace
withtheeverchangingnetworksandapplications,theIDSmustbeinsyncwiththem both.IDSmustintegrate
withwith wirelesstechnologies,removableand mobiledevices,and providesupportin acomprehensible
manner.EvaluationandbenchmarkingofIDSareimportantareasofconcernfororganizationaldecision
makersandendusers.Moreover,reconstructingattackscenariosfromintrusionalertsandintegratingIDSwill
improvebothitsusabilityandperformance. WeexpectIDStobecomeapracticalandeffectivesolution,
usingbothhost-andnetwork-basedIDSthatprovidecompletedefensetoinformationsystems.

Intrusion Detection System (IDS)

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (16)

Similaire à Intrusion Detection System (IDS)

Similaire à Intrusion Detection System (IDS) (20)

Plus de HCL Technologies

Plus de HCL Technologies (20)

Dernier

Dernier (20)

Intrusion Detection System (IDS)