Intrusion Detection System Seminar
SEMINAR
ON
INTRUSION DETECTION SYSTEM
SUBMITTED BY
SUMANTA KUMAR DAS
Regd No: 0701218126
INFORMATION TECHNOLOGY
Purushottam Institute Of Engg. & Technology
ABSTRACT

An Intrusion Detection System (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.
INTRUSION DETECTION SYSTEM

TABLE OF CONTENTS

ABSTRACT ... i
ACKNOWLEDGEMENT ... ii
LIST OF FIGURES ... iii
1. INTRODUCTION ... 1
2. Overview of Intrusion Detection System ... 2
2.1 What is intrusion? ... 2
2.2 What is intrusion detection system ... 2
2.3 A brief history of IDS ... 2
2.4 Why should I use IDS? ... 3
2.5 Why should I use IDS if I have a firewall ... 3
2.6 What an IDS can do for us? ... 4
2.8 IDS terminology ... 4
3. Types of IDS ... 5
3.1 Host based IDS ... 5
3.2 Network based IDS ... 7
3.3 Application based IDS ... 8
3.4 Other types of IDS ... 9
4. General IDS with firewall ... 10
4.1 IDS and firewall ... 10
4.2 General network layout with firewall ... 12
5. Intrusion detection process ... 14
5.1 Signature based IDS ... 14
5.2 Behavior anomaly detection ... 14
5.3 Protocol anomaly detection ... 15
6. Other approaches of security ... 15
6.1 A layered security approach ... 15
6.1.1 Deploying network based IDS ... 16
6.1.2 Deploying host based IDS ... 16
7. General algorithm for IDS ... 18
7.1 Flow chart for DNS server IDS ... 18
7.2 Algorithm for IDS ... 19
7.3 Flow chart for IDS in http server ... 20
8. Data processing technique used in IDS ... 21
9. Computer attacks and vulnerabilities ... 23
9.1 Attack types ... 23
9.2 Types of computer attack detected by IDS ... 24
9.3 Penetration attack by IDS ... 28
9.4 Determining attacker location from IDS output ... 29
10. Strength and limitations of IDS ... 29
11. Future of IDS ... 31
12. CONCLUSION ... 32
13. References ... 33

LIST OF FIGURES

FIGURE 4.2 ... 12
FIGURE 6 ... 18
FIGURE 7 ... 20
FIGURE 7.3 ... 23
1. INTRODUCTION

An Intrusion Detection System (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.

IDPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack's content.

Hence we need an IDS in our regular use of the network, as it may protect us from malicious activities which are invisible to us but are lightly or severely harmful to us. So an IDS is important for home users, servers, workstations, government security portals, etc.
2. OVERVIEW OF INTRUSION DETECTION SYSTEM

2.1 What is intrusion?

• Intrusion: attempting to break into or misuse your system.
• Intruders may be from outside the network or legitimate users of the network.
• An intrusion can be a physical, system or remote intrusion.

2.2 What is an intrusion detection system?

An Intrusion Detection System (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies.

Intrusion detection systems are software or hardware products that automate this monitoring and analysis process. Hence an IDS can help protect us from attacking malware, poisonous programs and security threats; finally, total protection can be accomplished by an IDS.

2.3 A Brief History of IDS

1970s - Rudimentary audit-trail analysis
1980s - Rules-based expert systems
1990s - Explosion of available IDS systems
2000s - 2010s:
• Emergence of Active IDS
• Intrusion Detection and Prevention (IDP)
• Intrusion Prevention Systems (IPS)
• Convergence of technologies:
• Firewall + IDP + Anti-Virus.
• Appliances and Security Switches.
• A complete protection package
• Total recovery of the system
2.4 Why should I use IDS?

An IDS allows organizations to protect their systems from the threats that come with increasing network connectivity and reliance on information systems. There are some questions about system protection that cannot be answered by our firewall, e.g. modem protection, protection of the firewall itself, and so many more.

There are several compelling reasons to acquire and use IDSs:
• To prevent problem behavior by increasing the perceived risk of discovery and punishment for those who would attack or otherwise abuse the system
• To detect attacks and other security violations that are not prevented by other security measures
• To detect and deal with preambles to attack
• To document the existing threats to an organization
• To provide useful information about an intrusion and its impact on the network and your system, allowing improved diagnosis, recovery and correction of causative factors.

2.5 Why should I use an intrusion detection system if I have a firewall?

• An IDS is a dedicated assistant used to monitor the rest of the security infrastructure.
• Today's security infrastructures are becoming extremely complex; they include firewalls, identification and authentication systems, access control products, virtual private networks, encryption products, virus scanners, and more. All of these tools perform functions essential to system security. Given their role they are also prime targets, and being managed by humans, they are prone to errors.
• Failure of one of the above components of your security infrastructure jeopardizes the systems they are supposed to protect.
• Not all traffic may go through a firewall, i.e. a modem on a user's computer.
• Not all threats originate from outside. As networks use more and more encryption, attackers will aim at the location where data is often stored unencrypted (the internal network).
• A firewall does not protect appropriately against application-level weaknesses and attacks.
• Firewalls are subject to attacks themselves.
• An IDS protects against misconfiguration or faults in other security mechanisms.
2.6 What can an IDS do for us?

• Monitor and analyse user and system activities
• Auditing of system and configuration vulnerabilities
• Assess the integrity of critical system and data files
• Recognition of patterns reflecting known attacks
• Statistical analysis for abnormal activities
• Data trail: tracing activities from the point of entry up to the point of exit

2.7 What can an IDS not do for us?

• Compensate for weak authentication and identification mechanisms
• Investigate attacks without human intervention
• Guess the content of your organization's security policy
• Compensate for weaknesses in networking protocols, for example IP spoofing
• Compensate for integrity or confidentiality of information
• Analyze all traffic on a very high speed network
• Deal adequately with attacks at the packet level
• Deal adequately with modern network hardware

2.8 IDS Terminology

Alert/Alarm: A signal suggesting that a system has been or is being attacked.
True Positive: A legitimate attack which triggers an IDS to produce an alarm.
False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
False Negative: A failure of an IDS to detect an actual attack.
True Negative: When no attack has taken place and no alarm is raised.
Noise: Data or interference that can trigger a false positive.
Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
Site policy awareness: The ability an IDS has to dynamically change its rules and configurations in response to changing environmental activity.
Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
2.8 IDS Terminology (continued)

Masquerader: A user who does not have authority on a system, but tries to access the information as an authorized user. They are generally outside users.
Misfeasor: They are commonly internal users and can be of two types:
1. An authorized user with limited permissions.
2. A user with full permissions who misuses their powers.
Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.

3. Types of IDS

There are three main types of Intrusion Detection Systems:
• Host Based (HIDS)
• Network Based (NIDS)
• Application based
3.1 Host Based IDS

A host-based Intrusion Detection System is installed on a host in the network. A HIDS collects and analyzes the traffic that originates from or is intended for that host. HIDSs leverage their privileged access to monitor specific components of a host that are not readily accessible to other systems. Specific components of the operating system, such as passwd files in UNIX and the Registry in Windows, can be watched for misuse. There is great risk in making these types of components available to a NIDS to monitor.

In most cases, a Host Intrusion Detection System (HIDS) component is made up of two parts: a centralised manager and a server agent. The manager is used to administer and store policies, download policies to agents and store information received by agents. The agent is installed onto each server and registered with the manager. Agents use policies to detect and respond to specific events and attacks. An example of a policy would be an agent that sends an SNMP trap when three concurrent logins as root have failed on a UNIX server. System logs and processes are also monitored to see if any actions that violate the policy have occurred. If a policy has been violated, the agent will take a predefined action such as sending an email or sending an SNMP trap to a network management system. Host based intrusion detection systems may further be divided into:

System integrity verifiers (SIV): monitor system files to find when an intruder changes them (thereby leaving behind a backdoor). The most famous of such systems is "Tripwire". A SIV may watch other components as well, such as the Windows registry and cron configuration, in order to find well known signatures. It may also detect when a normal user somehow acquires root/administrator level privileges. Many existing products in this area should be considered more "tools" than complete "systems": i.e. something like "Tripwire" detects changes in critical system components, but doesn't generate real-time alerts upon an intrusion.

Log file monitors (LFM): monitor log files generated by network services. In a similar manner to a NIDS, these systems look for patterns in the log files that suggest an intruder is attacking. A typical example would be a parser for HTTP server log files that looks for intruders who try well-known security holes, such as the "phf" attack. Example: swatch.

Although a HIDS is far better than a NIDS at detecting malicious activities on a particular host, it has a limited view of the entire network topology and cannot detect an attack that targets a host in the network which does not have a HIDS installed.
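The two HIDS building blocks just described, as an added example written for this page (not Tripwire, swatch or any product's code): a system integrity verifier that baselines SHA-256 digests of watched files and reports changes, and a log file monitor that enforces the page's sample policy of alerting after three failed root logins in a row (the page says "concurrent"). File names, log lines and alert strings are constructed.

```python
"""Minimal host-based IDS agent: a system integrity verifier (SIV) plus a
log file monitor (LFM) enforcing the page's sample policy (alert when three
root logins fail in a row). Written for this page, not from any real product;
file names, log lines and alert strings are constructed for illustration."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List

# ---------- System integrity verifier (Tripwire-style) ----------

def hash_file(path: str) -> str:
    """SHA-256 digest of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths: List[str]) -> Dict[str, str]:
    """Record the known-good digest of every watched file (taken on a clean host)."""
    return {p: hash_file(p) for p in paths}

def verify_integrity(baseline: Dict[str, str]) -> List[str]:
    """Re-hash every watched file and report which ones changed or vanished."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append(f"MISSING {path}")
        elif hash_file(path) != expected:
            alerts.append(f"MODIFIED {path}")
    return alerts

# ---------- Log file monitor with a failed-root-login policy ----------

# Constructed sample of auth-log style lines (not real log data).
SAMPLE_AUTH_LOG = """\
sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
sshd[103]: Accepted password for alice from 198.51.100.7 port 5000 ssh2
sshd[104]: Failed password for root from 203.0.113.5 port 4003 ssh2
sshd[105]: Failed password for root from 203.0.113.5 port 4004 ssh2
sshd[106]: Failed password for root from 203.0.113.5 port 4005 ssh2
"""

FAILED_ROOT = re.compile(r"Failed password for root from (\S+)")
THRESHOLD = 3  # the page's policy: three failed root logins in a row

def monitor_auth_log(lines: List[str], threshold: int = THRESHOLD) -> List[str]:
    """Return one alert per run of `threshold` consecutive failed root logins.
    Any other event (e.g. a successful login) resets the counter; a real agent
    would send an SNMP trap or an e-mail instead of returning a string."""
    alerts, streak, source = [], 0, None
    for line in lines:
        m = FAILED_ROOT.search(line)
        if m:
            streak += 1
            source = m.group(1)
            if streak == threshold:
                alerts.append(f"POLICY root-login-failures from {source}")
                streak = 0
        else:
            streak = 0
    return alerts

def demo() -> dict:
    """Run both checks against a constructed passwd file and the sample log."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline([passwd])
        clean = verify_integrity(baseline)          # nothing changed yet
        # simulate an intruder adding an account: the 'backdoor' the page describes
        with open(passwd, "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        tampered = verify_integrity(baseline)
    log_alerts = monitor_auth_log(SAMPLE_AUTH_LOG.splitlines())
    return {"clean": clean, "tampered": tampered, "log": log_alerts}

if __name__ == "__main__":
    print(demo())
```

The first two failures in the sample log are separated from the last three by a successful login, so only the final run of three raises the policy alert.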
3.1.1 Advantages

• Host based IDSs, with their ability to monitor events local to a host, can detect attacks that cannot be seen by a network based IDS.
• Host based IDSs can often operate in an environment in which network traffic is encrypted, when the host based information sources are generated before data is encrypted at the destination host.
• Host based IDSs are unaffected by switched networks.
• When host based IDSs operate on OS audit trails, they can help detect Trojan Horse or other attacks that involve software integrity.

3.1.2 Disadvantages

• Host based IDSs are harder to manage, as information must be configured and managed for every host monitored.
• Since at least the information sources (and sometimes part of the analysis engines) for host based IDSs reside on the host targeted by attacks, the IDS may be attacked and disabled as part of the attack.
• Host based IDSs are not well suited for detecting network scans or other such surveillance that targets an entire network, because the IDS only sees those network packets received by its host.
• Host-based IDSs can be disabled by certain denial-of-service attacks.
• When host-based IDSs use operating system audit trails as an information source, the amount of information can be immense, requiring additional local storage on the system.
• Host based IDSs use the computing resources of the host they are monitoring, therefore inflicting a performance cost on the monitored system.
3.2 Network Based IDS

Network IDSs (NIDS) are placed in key areas of the network infrastructure and monitor the traffic as it flows to other hosts. Unlike a HIDS, a NIDS has the capability of monitoring the network and detecting the malicious activities intended for that network. Monitoring criteria for a specific host in the network can be increased or decreased with relative ease.

A Network Intrusion Detection System (NIDS) transparently monitors network traffic, looking for patterns indicative of an attack on a computer or network device. By examining the network traffic, a network based intrusion detection system can detect suspicious activity such as a port scan or Denial of Service (DoS) attacks.

A NIDS monitors the network traffic it has access to, by comparing the data in the TCP/IP packet to a database of attack signatures. In a network environment, it can see packets to and from the system(s) that it monitors. In a switched environment, it can see packets coming to and from the system(s) that it monitors, provided it can see all data traffic on the ports that connect to the systems. Once a NIDS detects an attack, the following actions may be taken:
• Send email notification
• Send an SNMP trap to a network management system
• Send a page (to a pager)
• Block a TCP connection
• Kill a TCP connection
• Run a user defined script

In general terms a NIDS will be deployed on a DMZ. This assumes that you have a firewall in place and that you have a DMZ configured. When deployed behind the firewalls, the NIDS will detect attacks from protocols and sources allowed through the firewall and from internal users. By taking an action, such as sending an SNMP trap or a page, it can alert network staff that an attack is in progress and enable them to make decisions based on the nature of the attack. It is recommended that the IDS is used for detection and alerting only and not for proactive defence, i.e. killing/blocking TCP connections, as this can often cause more problems.

A NIDS should be capable of standing up to a large amount of network traffic to remain effective. As network traffic increases exponentially, the NIDS must grab all the traffic and analyze it in a timely manner.
3.2.1 Advantages of NIDS

• A few well-placed network-based IDSs can monitor a large network.
• Deploying NIDSs has little impact upon an existing network. NIDSs are usually passive devices that listen on a network wire without interfering with the normal operation of a network. Thus, it is usually easy to retrofit a network to include NIDSs with minimal effort.
• NIDSs can be made very secure against attack and even made invisible to many attackers.

3.2.2 Disadvantages of NIDS

• NIDSs may have difficulty processing all packets in a large or busy network and, therefore, may fail to recognize an attack launched during a period of high traffic. Some vendors are attempting to solve this problem by implementing the IDS completely in hardware, which is much faster. The need to analyze packets quickly also forces vendors to both detect fewer attacks and detect attacks with as little computing as possible, which can reduce detection effectiveness.
• Many of the advantages of NIDSs don't apply to more modern switch-based networks. Switches subdivide networks into many small segments and provide dedicated links between hosts serviced by the same switch. Most switches do not provide universal monitoring ports and this limits the monitoring range of a NIDS sensor to a single host. Even when switches provide such monitoring ports, often the single port cannot mirror all traffic traversing the switch.
• NIDSs cannot analyze encrypted information. This problem is increasing as more organizations (and attackers) use virtual private networks.
• Most NIDSs cannot tell whether or not an attack was successful; they can only discern that an attack was initiated. This means that after a NIDS detects an attack, administrators must manually investigate each attacked host to determine whether it was indeed penetrated.
3.3 Application based IDS

An application protocol-based intrusion detection system (APIDS) is an intrusion detection system that focuses its monitoring and analysis on a specific application protocol or protocols in use by the computing system. An APIDS will monitor the dynamic behavior and state of the protocol and will typically consist of a system or agent that sits between a process, or group of servers, monitoring and analyzing the application protocol between two connected devices. A typical place for an APIDS would be between a web server and the database management system, monitoring the SQL protocol specific to the middleware/business logic as it interacts with the database.

3.3.1 Monitoring dynamic behavior

At a basic level an APIDS would look for, and enforce, the correct (legal) use of the protocol. However, at a more advanced level the APIDS can learn, be taught or even reduce what is often an infinite protocol set to an acceptable understanding of the subset of that application protocol that is used by the application being monitored/protected. Thus, an APIDS, correctly configured, will allow an application to be "fingerprinted"; should that application be subverted or changed, so will the fingerprint change.

3.3.2 Advantages

• An application protocol-based intrusion detection system can monitor the interaction between user and application, which often allows it to trace unauthorized activity to individual users.
• An application protocol-based intrusion detection system can often work in an encrypted environment, since it interfaces with the applications at the transaction end points, where the information is presented to users in unencrypted form.

3.3.3 Disadvantages

• An application protocol-based intrusion detection system may be more vulnerable to attack than a host-based IDS, as application logs are not as well protected as the operating system audit trails used for host based IDS.
• As an application protocol-based intrusion detection system often monitors events at the user level of abstraction, it cannot detect Trojan horse or other such software tampering attacks. Therefore, it is advisable to use an application based IDS in combination with a host based IDS or network based IDS.
3.4 Other types of IDS

There are other types of IDS that can be explained; these are:

3.4.1 Stack Based IDS

Stack based IDS is the latest technology, which works by integrating closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers. Watching the packets in this way allows the IDS to pull a packet from the stack before the OS or application has a chance to process it.

3.4.2 Signature-Based IDS

Signature-based IDSs use a rule set to identify intrusions by watching for patterns of events specific to known and documented attacks. Such a system is typically connected to a large database which houses attack signatures. It compares the information it gathers against those attack signatures to detect a match.

These types of systems are normally presumed to be able to detect only attacks "known" to their database. Thus, if the database is not updated with regularity, new attacks could slip through. It can, however, detect new attacks that share characteristics with old attacks, e.g., accessing 'cmd.exe' via an HTTP GET request. But, in cases of new, uncataloged attacks, this technique is pretty porous.

Also, signature based IDSs may affect performance in cases when intrusion patterns match several attack signatures. In cases such as these, there is a noticeable performance lag. Signature definitions stored in the database need to be specific so that variations on known attacks are not missed. This sometimes leads to the building up of huge databases which eat up a chunk of space.

3.4.3 Anomaly Based IDS

Anomaly-based IDSs examine ongoing traffic, activity, transactions and behavior in order to identify intrusions by detecting anomalies. They work on the notion that "attack behavior" differs enough from "normal user behavior" that it can be detected by cataloging and identifying the differences involved.

In most anomaly-based IDSs the system administrator defines the baseline of normal behavior. This includes the state of the network's traffic load, breakdown, protocol, and typical packet size.

Anomaly detectors monitor network segments to compare their state to the normal baseline and look for current behavior which deviates statistically from the normal. This capability theoretically gives anomaly-based IDSs the ability to detect new attacks that are neither known nor for which signatures have been created. On the other hand, anomaly-based IDS systems have been known to be prone to a lot of false positives. In these cases, the attacks are reported based on changes to the current system on which the IDS is installed. This is because there is a change in the normal state of the system which is not perceived by the IDS.

Sometimes, anomaly-based IDS systems can cause heavy processing overheads on the computer system they are installed on. It takes a short period of time for anomaly-based systems to create statistically significant baselines. During this period, they are relatively open to attack.
4. General intrusion detection system with firewall

Fig. 4.

In the general intrusion detection process, there is an IDS between our firewall and the internet (WAN). Also there may be an IDS in the system (server, PC etc.).

4.1 IDS and Firewalls

A common misunderstanding is that firewalls recognize attacks and block them. This is not true.

Firewalls are simply a device that shuts off everything, then turns back on only a few well-chosen items. In a perfect world, systems would already be "locked down" and secure, and firewalls would be unneeded. The reason we have firewalls is precisely because security holes are left open accidentally. Thus, when installing a firewall, the first thing it does is stop ALL communication. The firewall administrator then carefully adds "rules" that allow specific types of traffic to go through the firewall. For example, a typical corporate firewall allowing access to the Internet would stop all UDP and ICMP datagram traffic, stop incoming TCP connections, but allow outgoing TCP connections. This stops all incoming connections from Internet hackers, but still allows internal users to connect in the outgoing direction.

A firewall is simply a fence around your network, with a couple of well chosen gates. A fence has no capability of detecting somebody trying to break in (such as digging a hole underneath it), nor does a fence know if somebody coming through the gate is allowed in. It simply restricts access to the designated points.

In summary, a firewall is not the dynamic defensive system that users imagine it to be. In contrast, an IDS is much more of that dynamic system. An IDS does recognize attacks against the network that firewalls are unable to see.

For example, in April of 1999, many sites were hacked via a bug in ColdFusion. These sites all had firewalls that restricted access only to the web server at port 80. However, it was the web server that was hacked. Thus, the firewall provided no defense. On the other hand, an intrusion detection system would have discovered the attack, because it matched the signature configured in the system.

Another problem with firewalls is that they are only at the boundary of your network. Roughly 80% of all financial losses due to hacking come from inside the network. A firewall at the perimeter of the network sees nothing going on inside; it only sees the traffic which passes between the internal network and the Internet.

Some reasons for adding an IDS to your firewall are:
• Double-checks misconfigured firewalls
• Catches attacks that firewalls legitimately allow through (such as attacks against web servers).
• Catches attempts that fail
• Catches insider hacking
• Immediately alerts users if any intrusion is detected
• It has the power to prevent the intrusion also.
• Greater potential against new intruders (newly poisonous viruses)
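Sections 3.4.2 and 4.1 put together as an added example (written for this page; the packets, rules and signatures are constructed, not Snort's or any vendor's): a packet filter with the policy the page describes lets inbound port-80 traffic through, and a signature-based NIDS then inspects exactly that allowed traffic, matching the two attack patterns the page names (cmd.exe over HTTP GET and the phf CGI hole) after percent-decoding, so a trivially re-encoded variant of a known attack still matches.

```python
"""Packet filter with the section 4.1 policy beside a signature-based NIDS
that inspects what the filter lets through. Added example for this page;
all packets, rules and signature names are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote

@dataclass
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    inbound: bool    # True = arriving from the Internet towards our network
    dst_port: int
    syn: bool        # True = new TCP connection attempt
    payload: str = ""

WEB_SERVER_PORT = 80

def firewall_allows(p: Packet) -> bool:
    """Firewall policy from the page: stop all UDP and ICMP, stop incoming
    TCP connections except to the web server on port 80, allow outgoing TCP."""
    if p.proto != "tcp":
        return False
    if p.inbound and p.syn:
        return p.dst_port == WEB_SERVER_PORT
    return True

# Signature database: (name, compiled pattern). The two patterns are the ones
# the page names: 'cmd.exe' requested over HTTP GET, and the old 'phf' CGI hole.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("http-get-cmd.exe", re.compile(r"^GET\s+\S*cmd\.exe", re.IGNORECASE)),
    ("http-cgi-phf",     re.compile(r"^GET\s+\S*/cgi-bin/phf", re.IGNORECASE)),
]

def normalize(payload: str) -> str:
    """Percent-decode before matching, so re-encoded variants of a known attack
    still hit the signature (the page's point that signatures must be specific
    enough that variations on known attacks are not missed)."""
    return unquote(payload)

def nids_match(p: Packet) -> List[str]:
    """Compare one packet against every signature, as a NIDS does per packet."""
    text = normalize(p.payload)
    return [name for name, rx in SIGNATURES if rx.search(text)]

def inspect(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Run the firewall first, then the NIDS on whatever the firewall passed.
    Returns one (verdict, detail) pair per packet."""
    results = []
    for p in packets:
        if not firewall_allows(p):
            results.append(("FW-DROP", f"{p.proto}/{p.dst_port}"))
            continue
        hits = nids_match(p)
        results.append(("IDS-ALERT", ",".join(hits)) if hits else ("PASS", ""))
    return results

# Constructed traffic sample (addresses and requests are illustrative only).
SAMPLE = [
    Packet("icmp", True, 0, False),                                   # ping from outside
    Packet("tcp", True, 23, True),                                    # inbound telnet attempt
    Packet("tcp", True, 80, True, "GET /index.html HTTP/1.0\r\n"),    # normal web request
    Packet("tcp", True, 80, True, "GET /scripts/cmd.exe HTTP/1.0\r\n"),
    Packet("tcp", True, 80, True, "GET /cgi-bin/phf HTTP/1.0\r\n"),
    Packet("tcp", True, 80, True, "GET /scripts/c%6dd.exe HTTP/1.0\r\n"),  # encoded variant
    Packet("tcp", False, 443, True),                                  # outgoing HTTPS
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, inspect(SAMPLE)):
        print(verdict, pkt.payload.strip())
```

The firewall drops the ping and the telnet attempt, but the three hostile web requests reach the server just like the ColdFusion attack the page describes; only the IDS layer flags them.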
4.2 General network layout with firewall

Fig 4.1
5. Intrusion detection process

IDSes use a number of different technologies to detect malicious activity. The three most widely distributed technologies are signature detection, behavioral anomaly detection, and protocol anomaly detection.

5.1 Signature Based Detection

The majority of commercial IDS products on the market are based upon a system that examines the network traffic for specific patterns of attack. This means that for every exploit, the IDS vendor must code a signature specifically for that attack in order to detect it, and therefore the attack must be known. Almost all IDS systems are structured around a large signature database and attempt to compare every packet to every signature in the database.

Unfortunately, there are some significant flaws in this approach that render the IDS incapable of recognizing attacks. As network speeds increase, the IDS sensor does not have the resources to look at every packet, so some packets are discarded, allowing attacks to slip by unnoticed by the sensor. Most IDS sensors can only operate effectively up to about 60Mb/sec. Higher data speeds generally decrease their detection rate and increase their false positive rate considerably, thus reducing their effectiveness. Many companies today fully utilize 10/100Mb/sec or even up to 1Gb/sec on their network backbone, where most of their mission critical servers reside. Because a signature-based sensor cannot effectively operate at these data speeds, it leaves these systems vulnerable to attack.

Another known issue with signature-based systems is the time it takes the IDS vendor to identify new attacks, create a signature, and release an update. Attacks like Code Red and Nimda cannot be identified by signature-based systems until the signature is added to the database, leaving a window of opportunity for attacks to penetrate the network unnoticed. Unfortunately, a new attack does the most damage during this window of opportunity.
5.2 Behavioral Anomaly Detection

A less prevalent method of intrusion detection is the ability to detect statistical anomalies. The framework of statistical anomaly detection is the "baseline" of certain system statistics, or patterns of behavior, that are tracked continually by the system. Changes in these patterns are used to indicate an attack. Examples include detection of excessive use, detection of use at unusual hours, and detection of changes in system calls made by user processes.

The benefit of this approach is that it can detect the anomalies without having to understand the underlying cause behind the anomalies; however, legitimate use of the system can trigger anomalies, leading to a very high number of false positives.
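An added example for sections 3.4.3 and 5.2 (written for this page, not any product's algorithm; all activity records and labels are constructed): a behavioral anomaly detector that learns a per-user, per-hour baseline of request counts, flags excessive use as a statistical outlier and activity at hours never seen before, stays silent while a user's baseline is still too small (the warm-up period the page says leaves the system open), and scores its alerts with the true/false positive/negative terms of section 2.8. The 3-sigma threshold and 5-sample minimum are assumed parameters.

```python
"""Behavioral anomaly detector with a learned baseline, a warm-up period and
a true/false positive/negative tally. Added example for this page; the
training records, test records and thresholds are constructed."""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

MIN_SAMPLES = 5      # baseline observations needed before alerting at all (assumed)
Z_THRESHOLD = 3.0    # standard deviations above the mean that count as "excessive" (assumed)

class Baseline:
    """Per-user, per-hour-of-day request counts observed during normal operation."""
    def __init__(self) -> None:
        self.counts: Dict[str, Dict[int, List[int]]] = defaultdict(lambda: defaultdict(list))

    def learn(self, user: str, hour: int, requests: int) -> None:
        self.counts[user][hour].append(requests)

    def ready(self, user: str) -> bool:
        """False during the warm-up period, when the baseline is not yet meaningful."""
        total = sum(len(v) for v in self.counts[user].values())
        return total >= MIN_SAMPLES

    def score(self, user: str, hour: int, requests: int) -> str:
        """Return '' for normal activity, otherwise the kind of anomaly detected."""
        if not self.ready(user):
            return ""                       # warm-up: silent, and therefore blind
        history = self.counts[user].get(hour, [])
        if not history:
            return "unusual-hour"           # user never seen active at this hour
        mean = statistics.mean(history)
        stdev = statistics.pstdev(history) or 1.0   # avoid a zero divisor on constant history
        if (requests - mean) / stdev > Z_THRESHOLD:
            return "excessive-use"
        return ""

# Constructed training data: (user, hour, requests) from two ordinary office days.
TRAINING = [
    ("alice", 9, 40), ("alice", 10, 52), ("alice", 11, 48), ("alice", 14, 45),
    ("alice", 15, 50), ("alice", 16, 44), ("alice", 9, 44), ("alice", 10, 49),
    ("alice", 11, 51), ("alice", 15, 47),
    ("bob", 10, 20), ("bob", 11, 22),       # bob has too little history so far
]

# Constructed test data with ground truth: (user, hour, requests, is_attack).
TEST = [
    ("alice", 10, 54, False),    # normal daytime use
    ("alice", 3, 12, True),      # someone using alice's account at 03:00
    ("alice", 11, 900, True),    # account used for a bulk download
    ("alice", 15, 120, False),   # alice's legitimate month-end crunch: a false positive
    ("bob", 2, 30, True),        # bob has no baseline yet: the detector misses this
]

def evaluate(baseline: Baseline, records: List[Tuple[str, int, int, bool]]) -> Dict[str, int]:
    """Count true/false positives and negatives, the terms of section 2.8."""
    tally = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for user, hour, requests, is_attack in records:
        alarm = baseline.score(user, hour, requests) != ""
        key = ("TP" if is_attack else "FP") if alarm else ("FN" if is_attack else "TN")
        tally[key] += 1
    return tally

def build() -> Baseline:
    """Train a baseline from the constructed records."""
    b = Baseline()
    for user, hour, requests in TRAINING:
        b.learn(user, hour, requests)
    return b

if __name__ == "__main__":
    b = build()
    for user, hour, requests, _ in TEST:
        print(user, hour, requests, b.score(user, hour, requests) or "normal")
    print(evaluate(b, TEST))
```

The tally shows both weaknesses the page describes: the legitimate month-end burst is a false positive, and the attack on bob's account during his warm-up period is a false negative.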
5.3 Protocol Anomaly Detection

Protocol anomaly detection is performed at the application protocol layer. It focuses on the structure and content of the communications. Many attacks target protocols such as Telnet, HTTP, RPC, SMTP, and rlogin, for example.

When protocol rules are modeled directly in the sensors, it is easy to identify traffic that violates the rules, such as unexpected data, extra characters, and invalid characters. That is exactly how some of these attacks can be identified. Protocol-based IDSes, for example, can detect Code Red, because they model the HTTP protocol exactly as it is reflected in the RFC. The Code Red attack violates the HTTP protocol specification because it uses a GET request to post and execute malicious code on the victim server. The IDS recognizes this as a violation of the protocol and alerts the system administrator to the violation. While the same kind of attack is making its way past signature-based systems, this attack is recognized by the IDS as a protocol violation and is reported to the system administrators, giving them hours, sometimes even days, to respond to the new threat before a signature for the attack is developed and distributed.
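The modeling approach of section 5.3 as an added example (written for this page, not from any IDS product): a checker that knows what a legal HTTP request looks like (request-line grammar, the characters RFC 3986 permits in a request-target, header syntax, and that a GET or HEAD carries no body) and reports every departure from that model instead of matching attack signatures. The 2048-byte target limit is an assumed site setting, and all four sample requests are constructed.

```python
"""Protocol anomaly detection for HTTP: flag requests that violate the modeled
protocol rather than requests that match a known attack. Added example for this
page; sample requests and the length limit are constructed/assumed."""
import re
from typing import List

METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
# Characters RFC 3986 allows in a request-target, plus percent-encoded octets.
TARGET_RX = re.compile(r"^(?:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})+$")
VERSION_RX = re.compile(r"^HTTP/\d\.\d$")
HEADER_RX = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")
MAX_TARGET_LEN = 2048   # assumed site limit; the protocol itself sets none

def check_request(raw: bytes) -> List[str]:
    """Return the protocol violations found in one raw HTTP request
    (an empty list means the request conforms to the model)."""
    violations = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ascii bytes in request head"]
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return [f"malformed request line: {lines[0]!r}"]
    method, target, version = parts
    if method not in METHODS:
        violations.append(f"unknown method {method!r}")
    if not TARGET_RX.match(target):
        violations.append("invalid characters in request-target")
    if len(target) > MAX_TARGET_LEN:
        violations.append(f"request-target longer than {MAX_TARGET_LEN} bytes")
    if not VERSION_RX.match(version):
        violations.append(f"bad version token {version!r}")
    content_length = 0
    for h in lines[1:]:
        if not HEADER_RX.match(h):
            violations.append(f"malformed header line {h!r}")
            continue
        name, _, value = h.partition(":")
        if name.lower() == "content-length":
            if value.strip().isdigit():
                content_length = int(value.strip())
            else:
                violations.append("non-numeric Content-Length")
    # The page's Code Red observation: a GET is not supposed to carry a body.
    if method in ("GET", "HEAD") and (body or content_length):
        violations.append(f"{method} request carries a body")
    if sep and len(body) != content_length:
        violations.append("body length does not match Content-Length")
    return violations

# Constructed sample requests.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
GET_WITH_BODY = b"GET /cgi-bin/form HTTP/1.0\r\nContent-Length: 12\r\n\r\n" + b"X" * 12
BAD_CHARS = b"GET /a\x01b.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
OVERLONG = b"GET /" + b"N" * 3000 + b" HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("normal", NORMAL), ("get-with-body", GET_WITH_BODY),
                      ("bad-chars", BAD_CHARS), ("overlong", OVERLONG)]:
        print(name, check_request(req) or "conforms")
```

None of the three flagged requests needed a signature: each is reported because it breaks a rule of the modeled protocol, which is why such a sensor can report a new attack before a signature exists.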
6. Other approaches to security
6.1 A Layered Security Approach
In the layered security approach, intrusion detection enters at the highest level, providing a coordinated way of managing security issues: identifying threats on the network, gathering additional information on demand, responding quickly and taking appropriate action. Through distributed sensors, protocol anomaly detection and high-speed statistical correlation analysis, a layered approach to intrusion detection can identify and respond to both common and novel attacks, protecting the network against business interruption and preventing damage to the network and to customer confidence.
6.1.1 Deploying Network IDS
A successful IDS deployment is one that monitors each network segment by installing a sensor on the segment itself or on a segment boundary device, such as a switch, that has the ability to inspect all packets on the subnet. On a switched segment this means feeding the sensor from a mirror (SPAN) port or a network tap, because a switch only delivers each frame to its destination port. If you are using a signature-based IDS, you must consistently obtain the updated set of attack signatures from all your IDS and firewall vendors and review all security policies weekly to help narrow the window of vulnerability. It may be advisable to use a configuration management tool to track the signature file versions on all systems.
IDS sensors are most effective when deployed on the network perimeter, such as on both sides of the firewall, near dial-up servers, and on links to partner networks.
6.1.2 Deploying Host Based IDS
The next step is to deploy host-based intrusion detection mechanisms on all servers identified as mission critical by your security policy, increasing their chances of surviving an attack. Unless you have an unlimited budget, you will want to prioritize your deployment. If your main concern is attack from the Internet, you should concentrate your host-based defenses in the Demilitarized Zone (DMZ).
Deception is perhaps the easiest tool in your arsenal to manage and perhaps the most rewarding when identifying malicious activity on the network. As deception hosts log every connection and keystroke entered, it is possible to learn the intentions, motive and experience of the attacker. A common scheme for deploying deception hosts is based on "The Minefield" principle and simply involves placing them where an attacker is likely to find them, often with appealing server names (such as "Primary Mail Server"). Deception systems can be placed in your DMZ to draw attackers away from production assets, and on the internal network to catch snooping employees or intruders who may have bypassed your other defenses. Any traffic to a deception host is suspect by definition, since no legitimate user has a reason to connect to it.
Establishing a policy for centrally monitored IDS systems and sensors will aid in the correlation and analysis of events. It is also recommended that administrators rotate their logs, a copy of which should always be written to a remote host or removable media, so that an attacker who gains control of a monitored system cannot delete or modify the log data.
In Summary
To be effective, a network security solution must be made up of several layers that address the various types of threats faced by today's networks. Intrusion detection systems will not pick up every attack, no matter what kind of system the company has deployed. If only signature IDSes are deployed throughout the network, they will not pick up new attacks. Since protocol anomaly systems can detect many new attacks like Code Red, Code Red II and Nimda, corporations should, at a minimum, strengthen their defenses at the gates to their networks: the Internet connection, VPN connections, customer network connections and so on. They thus bolster the first line of defense at the entry points so that these attacks are detected as soon as possible.
The Internet provides a cost-effective platform for companies to sell their products and services to a vast audience without geographic constraints. In 1995 there were 50 million people accessing the Internet worldwide, with projections at the time suggesting somewhere in the region of 807 million people by 2003. The possibilities for companies with sound business practices and solid security are limitless. Detecting attacks quickly requires advance warning systems. Most corporations need to improve their detection abilities in order to protect their data, their customers and their partners' networks. Strengthen your defenses and reduce your network risk.
7. GENERAL ALGORITHM FOR INTRUSION DETECTION
7.1 FLOW CHART (FOR DNS SERVER)
FIG. 7.1 Flow chart for DNS server intrusion detection (figure not reproduced in this text)
7.2 ALGORITHM (for DNS server)
1. A system (DNS server) receives a request for a record from a client.
2. Check whether the record named in the current system log entry is available in the DNS database.
3. Found?
4. If yes:
   i. Check the record in the DNS database.
   ii. If found, serve the data to the client as requested.
   iii. Else, raise an intrusion alarm.
   iv. Investigation by the SSO (system security officer).
   v. Intrusion detected?
   vi. If yes, take action.
   vii. If no, then:
      a. Check whether the record exists in the monitor.
      b. Record exists?
      c. If yes, update the DNS database from the monitor and go to step 1.
      d. If no, update the monitor and go to step 1.
5. Else, go to step i.
6. Continue until the connection ends.
Hence the DNS server has an intrusion detection system which checks every client request. First it checks whether the request is genuine or a fake request by an intruder: it looks up whether the requested record is available on the DNS server or in the DNS database. If the requested record is not there it raises an alarm as a suspected intrusion and the IDS takes the necessary actions; if the request is genuine it simply serves the requested record to the client.
The SSO then decides whether that request was an intrusion or not. If an intrusion is confirmed, the alarm stands and action is taken; if not, the monitor is checked for the record, and in both cases the data is updated and the loop continues from step 1. Note that on an ordinary resolver a query for a name that is not in the database is routine (it simply yields a negative answer), so this design will raise an alarm for every first-seen name; the monitor and the update steps are what keep such alarms from repeating.
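The algorithm above as runnable code. This is an added example, not the report's own implementation: the dns_db and monitor dictionaries, the placeholder record text and the sso_verdict callback (standing in for the SSO's investigation in step iv) are all assumptions made to make the flow executable.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class DnsServerIds:
    """State for the request-checking loop of section 7.2.

    dns_db holds the records the server is willing to serve; monitor holds
    names that were requested, investigated and found benign but are not yet
    in dns_db (the report's 'monitor'). How records get into the monitor is
    not specified by the report; here a placeholder record is stored."""
    dns_db: Dict[str, str]
    monitor: Dict[str, str] = field(default_factory=dict)
    alarms: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)

    def handle_request(self, name: str, sso_verdict: Callable[[str], bool]) -> Optional[str]:
        """Process one client request following steps 1-6 of the algorithm.

        sso_verdict(name) stands in for the SSO's investigation (step iv) and
        returns True when the request is judged an intrusion. The record served
        is returned; None means the request ended in a confirmed intrusion."""
        # Steps c/d send the flow back to step 1; the loop bounds that restart.
        for _ in range(3):
            if name in self.dns_db:                       # steps i, ii
                return self.dns_db[name]
            self.alarms.append(f"no record for {name}")   # step iii
            if sso_verdict(name):                         # steps iv, v, vi
                self.actions.append(f"dropped request for {name}")
                return None
            if name in self.monitor:                      # steps vii.a-c
                self.dns_db[name] = self.monitor.pop(name)
            else:                                         # step vii.d
                self.monitor[name] = f"record-for-{name}"
        raise RuntimeError("flow did not converge")       # unreachable by construction


def demo() -> dict:
    """Run three requests through the loop and return the observable state."""
    ids = DnsServerIds(dns_db={"www.example.com": "192.0.2.10"})

    def sso(name: str) -> bool:          # constructed verdict rule for the example
        return name.endswith(".attacker.test")

    served_known = ids.handle_request("www.example.com", sso)
    served_new = ids.handle_request("mail.example.com", sso)   # unknown, benign
    blocked = ids.handle_request("c2.attacker.test", sso)      # unknown, intrusion
    return {"known": served_known, "new": served_new, "blocked": blocked,
            "alarms": len(ids.alarms), "actions": len(ids.actions),
            "db": dict(ids.dns_db)}
```

Running demo() shows the cost noted above: the benign unknown name is served only after two alarms and two trips through the SSO step, because the flow goes back to step 1 once to fill the monitor and once more to promote the record into the database.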
7.3 FLOW CHART FOR HTTP SERVER INTRUSION DETECTION SYSTEM
FIG. 7.3 Flow chart for HTTP server intrusion detection (figure not reproduced in this text)
8. DATA PROCESSING TECHNIQUES USED IN INTRUSION DETECTION SYSTEMS
Depending on the type of approach taken in intrusion detection, various processing mechanisms (techniques) are employed on the data that reaches an IDS. Below, several of them are described briefly:
Expert systems: these work on a previously defined set of rules describing an attack. All security-related events incorporated in an audit trail are translated into if-then-else rules. Examples are Wisdom & Sense and ComputerWatch.
Signature analysis: similarly to the expert system approach, this method is based on attack knowledge. It transforms the semantic description of an attack into the appropriate audit trail format, so that attack signatures can be found in logs or input data streams in a straightforward way. An attack scenario can be described, for example, as the sequence of audit events that a given attack generates, or as patterns of searchable data that are captured in the audit trail. The method uses abstract equivalents of audit trail data, and detection is accomplished with common text string matching mechanisms. It is typically a very powerful technique and as such is very often employed in commercial systems (for example Stalker, RealSecure, NetRanger, Emerald eXpert-BSM).
Colored Petri Nets: the Colored Petri Nets approach is often used to generalize attacks from expert knowledge bases and to represent attacks graphically. Purdue University's IDIOT system uses Colored Petri Nets. With this technique it is easy for system administrators to add new signatures to the system. However, matching a complex signature to the audit trail data may be time-consuming. The technique is not used in commercial systems.
State-transition analysis: here an attack is described as a set of goals and the transitions an intruder must achieve to compromise a system. Transitions are represented on state-transition diagrams, and the analyzer advances through the states as matching audit events arrive, raising an alarm when the final (compromised) state is reached.
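An added example (not from the report) covering both signature analysis and state-transition analysis above: an attack scenario is written as an ordered list of states, each transition is taken when an audit record matches the step's field constraints the required number of times, and reaching the final state raises the alarm. The scenario (remote login, three failed su to root, one successful su, then a write to /etc/passwd), the key=value audit format and the records are constructed for this example.

```python
from typing import Dict, List

# An attack scenario exp as ordered states; each transition is taken when
# an audit record matches the step's field constraints 'repeat' times. The
# scenario, field names and records are constructed for this example.
BRUTE_FORCE_SU = [
    {"match": {"event": "login"}, "repeat": 1},
    {"match": {"event": "su", "target": "root", "result": "fail"}, "repeat": 3},
    {"match": {"event": "su", "target": "root", "result": "ok"}, "repeat": 1},
    {"match": {"event": "write", "file": "/etc/passwd"}, "repeat": 1},
]


def parse_audit(line: str) -> Dict[str, str]:
    """key=value audit record -> dict (fields without '=' are ignored)."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def scan_audit(lines: List[str], signature=BRUTE_FORCE_SU) -> List[str]:
    """Advance one state machine per subject; return subjects that reached the final state."""
    state: Dict[str, tuple] = {}   # user -> (step index, matches seen in that step)
    alarms = []
    for line in lines:
        rec = parse_audit(line)
        user = rec.get("user")
        if user is None:
            continue
        idx, seen = state.get(user, (0, 0))
        if idx == len(signature):     # already alarmed for this subject
            continue
        step = signature[idx]
        if all(rec.get(k) == v for k, v in step["match"].items()):
            seen += 1
            if seen >= step["repeat"]:
                idx, seen = idx + 1, 0
                if idx == len(signature):
                    alarms.append(user)
        state[user] = (idx, seen)
    return alarms


# Constructed audit trail: bob follows the scenario, alice does not.
AUDIT = [
    "ts=100 user=alice event=login src=10.0.0.2",
    "ts=101 user=bob event=login src=203.0.113.7",
    "ts=102 user=bob event=su target=root result=fail",
    "ts=103 user=alice event=su target=root result=ok",
    "ts=104 user=bob event=su target=root result=fail",
    "ts=105 user=bob event=su target=root result=fail",
    "ts=106 user=bob event=su target=root result=ok",
    "ts=107 user=alice event=write file=/etc/motd",
    "ts=108 user=bob event=write file=/etc/passwd",
]
```

Events that do not match the current step are ignored rather than resetting the machine, so interleaved activity by the same user does not hide the scenario; a production engine would also expire partial matches after a time window, which this example omits.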
Statistical analysis approach: this is a frequently used method (for example in SECURENET). The user or system behavior (a set of attributes) is measured by a number of variables over time. Examples of such variables are user login and logout, number of files accessed in a period of time, and usage of disk space, memory and CPU. The frequency of updating can vary from a few minutes to, for example, one month. The system stores a mean value for each variable and raises an alert when a measurement deviates from that mean by more than a predefined threshold. Yet this simple approach was unable to match a typical user behavior model, and approaches that relied on matching individual user profiles against aggregated group variables also failed to be efficient. Therefore a more sophisticated model of user behavior was developed using short- and long-term user profiles. These profiles are regularly updated to keep up with changes in user behavior. Statistical methods are often used in implementations of normal-behavior-profile-based intrusion detection systems.
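An added example (my code, not the report's) for the statistical approach of this section and for the statistical anomaly detection of section 5: a per-user baseline of mean and standard deviation per variable, a z-score check against a threshold, and short- and long-term profiles kept as exponentially weighted means. The session rows, variable names, alpha values and the threshold of 3 standard deviations are assumptions.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed audit summaries (not from the report): one row per session,
# (user, login hour, files accessed during the session).
TRAINING = [
    ("alice", 9, 40), ("alice", 10, 38), ("alice", 9, 45), ("alice", 11, 42),
    ("alice", 10, 41), ("alice", 9, 39), ("alice", 10, 44), ("alice", 11, 40),
]
VARIABLES = ("hour", "files")


def build_baseline(rows) -> Dict[str, Dict[str, Tuple[float, float]]]:
    """Per-user (mean, standard deviation) of every measured variable."""
    by_user = defaultdict(list)
    for user, hour, files in rows:
        by_user[user].append((hour, files))
    baseline = {}
    for user, samples in by_user.items():
        profile = {}
        for i, name in enumerate(VARIABLES):
            values = [s[i] for s in samples]
            mean = sum(values) / len(values)
            var = sum((v - mean) ** 2 for v in values) / len(values)
            profile[name] = (mean, math.sqrt(var))
        baseline[user] = profile
    return baseline


def deviations(profile, hour, files, threshold=3.0) -> List[Tuple[str, float]]:
    """Variables whose z-score against the baseline exceeds threshold."""
    flagged = []
    for name, value in zip(VARIABLES, (hour, files)):
        mean, sd = profile[name]
        z = abs(value - mean) / max(sd, 1e-9)   # guard constant variables
        if z > threshold:
            flagged.append((name, round(z, 1)))
    return flagged


def short_long_profiles(values, alpha_short=0.5, alpha_long=0.1) -> Tuple[float, float]:
    """Exponentially weighted means: a fast short-term and a slow long-term profile.

    Both start at the first observation; a short-term profile that runs far
    ahead of the long-term one signals a change in behaviour that a single
    threshold on a fixed mean would either miss or keep re-alerting on."""
    short = long = values[0]
    for v in values[1:]:
        short = alpha_short * v + (1 - alpha_short) * short
        long = alpha_long * v + (1 - alpha_long) * long
    return short, long
```

A 3 a.m. login that touches 400 files is flagged on both variables; a 10 a.m. login touching 43 files is not. Feeding ten normal sessions followed by three heavy ones into short_long_profiles leaves the long-term mean near the old norm while the short-term mean jumps, which is the gap between the two profiles that the text says the refined model watches.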
Neural networks: neural networks use their learning algorithms to learn the relationship between input and output vectors and to generalize it to extract new input/output relationships. With the neural network approach to intrusion detection, the main purpose is to learn the behavior of actors in the system (e.g., users, daemons). Statistical methods and neural networks are known to be partially equivalent; the advantage of neural networks over statistics lies in having a simple way to express nonlinear relationships between variables, and in learning those relationships automatically. Experiments were carried out with neural network prediction of user behavior. The results showed that the behavior of UNIX super-users (root) is predictable, because of the very regular functioning of automatic system processes, and with few exceptions the behavior of most other users is also predictable. Neural networks are still a computationally intensive technique and are not widely used in the intrusion detection community.
User intention identification: this technique (which, to our knowledge, has only been used in the SECURENET project) models the normal behavior of users by the set of high-level tasks they have to perform on the system (in relation to the users' functions). These tasks are taken as series of actions, which in turn are matched to the appropriate audit data. The analyzer keeps a set of tasks that are acceptable for each user; whenever a mismatch is encountered, an alarm is produced.
Computer immunology: analogies with immunology have led to the development of a technique that constructs a model of the normal behavior of UNIX network services rather than of individual users. The model consists of short sequences of system calls made by the service processes. Attacks that exploit flaws in the application code are very likely to take unusual execution paths. First a set of reference audit data is collected that represents the appropriate behavior of the services; then the knowledge base is filled with all the known "good" sequences of system calls. These patterns are then used for continuous monitoring of system calls, checking whether each sequence generated is listed in the knowledge base; if not, an alarm is generated. The technique has a potentially very low false alarm rate, provided the knowledge base is fairly complete. Its drawback is the inability to detect errors in the configuration of network services: whenever an attacker uses legitimate actions on the system to gain unauthorized access, the system calls look normal and no alarm is generated.
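The system-call sequence model described above, as an added example (not the report's code): the knowledge base is the set of all length-k windows seen in normal traces, an observed trace is scored by the fraction of its windows absent from that set, and the last constructed trace shows the stated drawback, an abuse that only uses normal call sequences and therefore raises nothing. The window length k, the alarm ratio and the traces are constructed assumptions.

```python
from typing import Iterable, List, Set, Tuple

Window = Tuple[str, ...]


def build_normal_db(traces: Iterable[List[str]], k: int = 3) -> Set[Window]:
    """Knowledge base: every length-k window of system calls seen in normal traces."""
    normal = set()
    for trace in traces:
        for i in range(len(trace) - k + 1):
            normal.add(tuple(trace[i:i + k]))
    return normal


def mismatches(trace: List[str], normal: Set[Window], k: int = 3) -> List[Tuple[int, Window]]:
    """Windows of the observed trace (with their position) that are absent from the knowledge base."""
    out = []
    for i in range(len(trace) - k + 1):
        window = tuple(trace[i:i + k])
        if window not in normal:
            out.append((i, window))
    return out


def is_anomalous(trace: List[str], normal: Set[Window], k: int = 3, max_ratio: float = 0.2) -> bool:
    """Alarm when more than max_ratio of the windows are unknown; a single
    unseen window is tolerated so an incomplete knowledge base does not page."""
    windows = max(len(trace) - k + 1, 1)
    return len(mismatches(trace, normal, k)) / windows > max_ratio


# Constructed traces of a toy network service (not real strace output).
NORMAL_TRACES = [
    ["accept", "read", "open", "read", "write", "close"],
    ["accept", "read", "stat", "open", "read", "write", "close"],
    ["accept", "read", "write", "close"],
]
# A code-injection payload that spawns a shell takes a path never seen in training.
SHELLCODE_TRACE = ["accept", "read", "execve", "dup2", "dup2", "socket"]
# Misconfiguration abuse: the service is talked into serving a file it should
# not, but it does so via its ordinary code path, so every window is known.
LEGIT_ABUSE_TRACE = ["accept", "read", "stat", "open", "read", "write", "close"]
```

With k=3 the training set yields eight distinct windows; the shellcode trace has four windows, none of them known, while the abuse trace scores zero mismatches, which is exactly the blind spot the paragraph describes.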
Machine learning: this is an artificial intelligence technique that stores the user-input stream of commands in vector form and uses it as a reference profile of normal user behavior. Profiles are then grouped in a library of user commands having certain common characteristics.
Data mining: generally refers to a set of techniques for extracting previously unknown but potentially useful information from large stores of data. Data mining methods excel at processing large system logs (audit data); however, they are less useful for stream analysis of network traffic. One of the fundamental data mining techniques used in intrusion detection is associated with decision trees. Decision tree models allow one to detect anomalies in large databases by matching patterns extracted from a sample audit set with those of warehoused, previously unknown attacks. Another typical data mining technique is the discovery of association rules, which allows one to extract previously unknown knowledge about new attacks or about normal behavior patterns. Anomaly detection often generates false alarms; with data mining it is easy to correlate the data related to alarms with mined audit data, thereby considerably reducing the rate of false alarms.
9. COMPUTER ATTACKS AND VULNERABILITIES
Many organizations acquire intrusion detection systems because they know that an IDS is a necessary complement to a comprehensive system security architecture. However, given the relative youth of commercial IDSs, most organizations lack experienced IDS operators. Despite vendor claims about ease of use, such training or experience is necessary: an IDS is only as effective as the human operating it. IDS user interfaces vary greatly in quality. Some produce responses in the form of cryptic text logs while others provide graphical depictions of the attack on the network. Despite this wide variance in display technique, most IDSs output the same basic information about computer attacks. If users understand this common set of outputs, they can quickly learn to use the majority of commercial IDSs.
9.1 ATTACK TYPES
Most computer attacks corrupt a system's security only in very specific ways. For example, certain attacks may enable an attacker to read specific files but do not allow alteration of any system components. Another attack may allow an attacker to shut down certain system components but does not allow access to any files. Despite the varied capabilities of computer attacks, they usually result in the violation of only four different security properties: availability, confidentiality, integrity and control. These violations are described below:
Confidentiality: an attack causes a confidentiality violation if it allows attackers to access data without authorization from the owner of the information.
Integrity: an attack causes an integrity violation if it allows the attacker to change the system state or any data residing on or passing through a system.
Availability: an attack causes an availability violation if it keeps an authorized user (human or machine) from accessing a particular system resource when, where and in the form that they need it.
Control: an attack causes a control violation if it grants an unauthorized attacker a privilege in violation of the access control policy of the system. This privilege enables a subsequent confidentiality, integrity or availability violation.
9.2 Types of computer attacks commonly detected by IDSs
9.2.1 Scanning attack
A particular type of brute force attack on a computer system. It involves the use of a program known as a war dialler, which generates a large number of sequences of characters that could be telephone numbers or passwords. A typical scanning attack would involve the program being set up to dial a long series of telephone numbers; any numbers giving some indication of a modem being used are stored. After a scanning session an intruder dials these numbers and attempts to break in using a variety of techniques, including trying well-known passwords.
9.2.2 Port Scan Attack
A port scan attack refers to scanning TCP/UDP ports to discover services that can be broken into. All machines connected to a LAN, or connected to the Internet via a modem, run many services that listen on well-known and not-so-well-known ports. By port scanning the attacker finds which ports are open (i.e., being listened on by a service). Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received (a SYN/ACK, a RST or silence for TCP; an ICMP port-unreachable or silence for UDP) indicates whether the port is in use and can therefore be probed further for weaknesses. To an IDS the tell-tale pattern is one source touching many distinct ports on a host in a short time, most of them without a completed connection.
9.2.3 Denial-of-service attack
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used with regard to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.
One common method of attack involves saturating the target (victim) machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming their resources so that they can no longer provide their intended service, or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
Denial-of-service attacks are considered violations of the IAB's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations.
9.2.4 Peer-to-peer attacks
Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks. The most aggressive of these peer-to-peer DDoS attacks exploits DC++. Peer-to-peer attacks are different from regular botnet-based attacks. With peer-to-peer there is no botnet and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a "puppet master", instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's website instead. As a result, several thousand computers may aggressively try to connect to a target website. While a typical web server can handle a few hundred connections per second before performance begins to degrade, most web servers fail almost instantly under five or six thousand connections per second. With a moderately big peer-to-peer attack a site could potentially be hit with up to 750,000 connections in short order. The targeted web server will be plugged up by the incoming connections. While peer-to-peer attacks are easy to identify with signatures, the large number of IP addresses that need to be blocked (often over 250,000 during the course of a big attack) means that this type of attack can overwhelm mitigation defenses. Even if a mitigation device can keep blocking IP addresses, there are other problems to consider. For instance, there is a brief moment where the connection is opened on the server side before the signature itself comes through. Only once the connection is opened to the server can the identifying signature be sent and detected, and the connection torn down. Even tearing down connections takes server resources and can harm the server.
This method of attack can be prevented by specifying in the p2p protocol which ports are allowed or not. If port 80 is not allowed, the possibilities for attack on websites are very limited.
9.2.5 Permanent denial-of-service attacks
A permanent denial-of-service (PDoS), also known loosely as phlashing, is an attack that damages a system so badly that it requires replacement or reinstallation of hardware.[9] Unlike the distributed denial-of-service attack, a PDoS attack exploits security flaws which allow remote administration on the management interfaces of the victim's hardware, such as routers, printers or other networking hardware. The attacker uses these vulnerabilities to replace a device's firmware with a modified, corrupt or defective firmware image, a process which, when done legitimately, is known as flashing. This "bricks" the device, rendering it unusable for its original purpose until it can be repaired or replaced.
The PDoS is a pure hardware-targeted attack which can be much faster and requires fewer resources than using a botnet in a DDoS attack. Because of these features, and the high probability of security flaws in network-enabled embedded devices (NEEDs), this technique has come to the attention of numerous hacker communities. PhlashDance is a tool created by Rich Smith (an employee of Hewlett-Packard's Systems Security Lab) used to detect and demonstrate PDoS vulnerabilities at the 2008 EUSecWest Applied Security Conference in London.
9.2.6 Teardrop attacks
A teardrop attack involves sending mangled IP fragments with overlapping, over-sized payloads to the target machine. This can crash various operating systems due to a bug in their TCP/IP fragment reassembly code: the reassembler trusts the fragment offset and length fields and, when the second fragment lands inside the first, computes an invalid (negative) length for the overlapping region. Windows 3.1x, Windows 95 and Windows NT, as well as versions of Linux prior to 2.0.32 and 2.1.63, are vulnerable to this attack.
Around September 2009 a vulnerability in Vista was referred to as a "teardrop attack", but that attack targeted SMB2, which is a higher layer than the IP fragments the original teardrop used.
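An added example (not from the report) of the reassembly sanity checks that catch a teardrop-shaped fragment set: fragments of one datagram are sorted by offset and flagged when one starts inside data already covered, when a non-final fragment is not a multiple of 8 octets (RFC 791), or when the reassembled size would exceed 65535 octets. The Fragment record and the fragment sets are constructed, not captured packets.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Fragment:
    ident: int     # IP Identification field shared by all fragments of one datagram
    offset: int    # Fragment Offset field, in 8-octet units as carried in the header
    length: int    # payload octets carried by this fragment
    more: bool     # MF flag: more fragments follow


MAX_DATAGRAM = 65535


def fragment_anomalies(frags: List[Fragment]) -> List[Tuple[int, str]]:
    """Check each fragment set for conditions a well-formed sender never produces."""
    findings = []
    groups = {}
    for f in frags:
        groups.setdefault(f.ident, []).append(f)
    for ident, group in groups.items():
        end = 0   # exclusive end octet of the data covered so far
        for f in sorted(group, key=lambda x: x.offset):
            start = f.offset * 8
            if start < end:
                findings.append((ident, f"fragment at octet {start} overlaps data ending at {end}"))
            if f.more and f.length % 8:
                findings.append((ident, f"non-final fragment length {f.length} is not a multiple of 8"))
            if start + f.length > MAX_DATAGRAM:
                findings.append((ident, f"reassembled size {start + f.length} exceeds {MAX_DATAGRAM}"))
            end = max(end, start + f.length)
    return findings


# Constructed fragment sets: a normal 3040-octet datagram split on a 1500-octet
# MTU, a teardrop-shaped pair whose second fragment lands inside the first
# (offset 24 octets, 4 octets of payload, no MF), and an oversize last fragment.
NORMAL = [Fragment(1, 0, 1480, True), Fragment(1, 185, 1480, True), Fragment(1, 370, 80, False)]
TEARDROP = [Fragment(2, 0, 36, True), Fragment(2, 3, 4, False)]
OVERSIZE = [Fragment(3, 8189, 48, False)]
```

Real reassemblers must also expire incomplete fragment sets, since an attacker can exhaust memory with fragments that never complete; that timeout is outside this check.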
9.2.7 Distributed attack
A distributed denial-of-service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods.
Malware can carry DDoS attack mechanisms; one of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hard-coding the target IP address prior to release of the malware, and no further interaction was necessary to launch the attack.
A system may also be compromised with a trojan, allowing the attacker to download a zombie agent (or the trojan may contain one). Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. This scenario primarily concerns systems acting as servers on the web.
Stacheldraht is a classic example of a DDoS tool. It uses a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn carry out the DDoS attack. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections on the targeted remote hosts. Each handler can control up to a thousand agents.
These collections of compromised systems are known as botnets. DDoS tools like Stacheldraht still use classic DoS attack methods centered on IP spoofing and amplification, such as smurf and fraggle attacks (also known as bandwidth consumption attacks). SYN floods (also known as resource starvation attacks) may also be used. Newer tools can use DNS servers for DoS purposes; see the next section.
Simple attacks such as SYN floods may appear with a wide range of source IP addresses, giving the appearance of a well-distributed DDoS. These flood attacks do not require completion of the TCP three-way handshake and attempt to exhaust the destination's SYN queue or the server's bandwidth. Because the source IP addresses can be trivially spoofed, an attack could come from a limited set of sources, or may even originate from a single host. Stack enhancements such as SYN cookies may be effective mitigation against SYN queue flooding; however, complete bandwidth exhaustion may require involvement.
It is important to note the difference between a DDoS and a DoS attack. If an attacker mounts an attack from a single host it would be classified as a DoS attack. In fact, any attack against availability would be classed as a denial-of-service attack. On the other hand, if an attacker uses a thousand systems to simultaneously launch smurf attacks against a remote host, this would be classified as a DDoS attack.
The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and the behavior of each attack machine can be stealthier, making it harder to track down and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines.
9.2.8 Reflected attack
A distributed reflected denial-of-service attack (DRDoS) involves sending forged requests of some type to a very large number of computers that will reply to the requests. Using IP address spoofing, the source address is set to that of the targeted victim, which means all the replies go to (and flood) the target.
ICMP Echo Request attacks (smurf attacks) can be considered one form of reflected attack, as the flooding host(s) send Echo Requests to the broadcast addresses of mis-configured networks, thereby enticing many hosts to send Echo Reply packets to the victim. Some early DDoS programs implemented a distributed form of this attack.
Many services can be exploited to act as reflectors, some harder to block than others. DNS amplification attacks involve a newer mechanism that increased the amplification effect, using a much larger list of DNS servers than seen earlier. From the defender's side a reflected attack has a distinctive shape: the victim receives replies (Echo Replies, DNS answers) for requests it never sent, coming from many legitimate hosts, so blocking the apparent sources punishes the reflectors rather than the attacker.
9.2.9 Degradation-of-service attacks
"Pulsing" zombies are compromised computers that are directed to launch intermittent and short-lived floods of victim websites with the intent of merely slowing them rather than crashing them. This type of attack, referred to as "degradation-of-service" rather than "denial-of-service", can be more difficult to detect than regular zombie invasions and can disrupt and hamper connections to websites for prolonged periods of time, potentially causing more damage than concentrated floods. Exposure of degradation-of-service attacks is complicated further by the difficulty of discerning whether the attacks really are attacks or just healthy and likely desired increases in website traffic.
9.3 Penetration attacks
Penetration attacks involve the unauthorized acquisition and/or alteration of system privileges, resources or data. Consider these integrity and control violations as contrasted with DoS attacks, which violate availability without illegitimately acquiring or altering anything. A penetration attack can gain control of a system by exploiting a variety of software flaws. While penetration attacks vary tremendously in detail and impact, the common types, and the security consequence of each, are:
User to root: a local user on a host gains complete control of the target host.
Remote to user: an attacker on the network gains access to a user account on the target host.
Remote to root: an attacker on the network gains complete (root) control of the target host.
Remote disk read: an attacker on the network gains the ability to read private data files on the target host without the authorization of the owner.
Remote disk write: an attacker on the network gains the ability to write to private data files on the target host without the authorization of the owner.
9.4 Determining attacker location from IDS output
In notifications of detected attacks, IDSs often report the location of the attacker, most commonly expressed as a source IP address. The reported address is simply the source address carried in the attack packets; it does not necessarily represent the true address of the attacker. The key to determining the significance of the reported source IP address is to classify the type of attack and then determine whether or not the attacker needs to see the reply packets sent by the victim. If the attacker launches a one-way attack, like many flooding DoS attacks, where the attacker does not need to see any reply packets, then the attacker can label the packets with random IP addresses. This is the real-world equivalent of sending postcards with a fake return address to fill a mailbox so that no other mail can fit into it; the attacker cannot receive any reply from the victim, and does not need to. However, if the attacker needs to view the victim's replies, which is usually true of penetration attacks, then the attacker usually cannot lie about the source IP address. Using the postcard analogy, the attacker needs to know that the postcards reach the victim and therefore must usually label them with the real address. In general, an attacker must use the correct IP address when launching penetration attacks but not with DoS attacks. There is, however, one caveat when dealing with expert attackers: an attacker can send attack packets using a forged source IP address but arrange to wiretap the victim's replies to the forged address, which is possible without having access to the computer at that address. This manipulation of IP addresses is called "IP spoofing".
10. Strengths and limitations of IDSs
Although intrusion detection systems are a valuable addition to an organization's security infrastructure, there are things they do well and other things they do not do well. As we plan the security strategy for our organization's systems, it is important to understand what IDSs can be trusted to do and what goals might be better served by other types of security mechanisms.
10.1 Strengths of IDSs
IDSs perform the following well:
- Monitoring and analysis of system events and user behavior.
- Testing the security state of system configurations.
- Baselining the security state of a system, then tracking any changes to that baseline.
- Recognizing patterns of system events that correspond to known attacks.
- Recognizing patterns of activity that statistically vary from normal activity.
- Alerting appropriate staff by appropriate means when attacks are detected.
- Measuring enforcement of the security policies encoded in the analysis engine.
- Providing default information security policies.
- Allowing non-security experts to perform important security monitoring functions.
10.2 Limitations of IDSs
IDSs cannot perform the following functions:
- Compensating for weak or missing security mechanisms in the protection infrastructure, such as firewalls, identification and authentication, link encryption, access control mechanisms, and virus detection and eradication.
- Instantaneously detecting, reporting and responding to an attack when there is a heavy network or processing load.
- Detecting newly published attacks or variants of existing attacks.
- Effectively responding to attacks launched by sophisticated attackers.
- Automatically investigating attacks without human intervention.
- Resisting attacks that are intended to defeat or circumvent them.
- Compensating for problems with the fidelity of information sources.
- Dealing effectively with switched networks.
11. Future of IDS
Although the system audit function that represents the original vision of IDSs has been a formal discipline for almost fifty years, the IDS research field is still young, with most research dating to the 1980s and 1990s. Furthermore, wide-scale commercial use of IDS did not start until the mid 1990s.
However, the intrusion detection and vulnerability assessment market has grown into a significant commercial presence. Technology market analysts predict continued growth in the demand for IDS and other network security products and services for the foreseeable future.
Even while the IDS research field is maturing, commercial IDSs are still in their formative years. Some commercial IDSs have received negative publicity due to their large number of false alarms, awkward control and reporting interfaces, overwhelming numbers of attack reports, lack of scalability, and lack of integration with enterprise network management systems. However, the strong commercial demand for IDS increases the likelihood that these problems will be successfully addressed in the near future. We anticipate that the improvement over time in the quality and performance of IDS products will parallel that of antivirus software. Early antivirus software created false alarms on many normal user actions and did not detect all known viruses. Over the past decade, however, antivirus software progressed to its current state, in which it is transparent to users yet so effective that few doubt its effectiveness.
Furthermore, it is very likely that certain IDS capabilities will become core capabilities of the network infrastructure and operating systems. In that case the IDS product market will be able to better focus its attention on resolving some of the pressing issues associated with the scalability and manageability of IDS products. There are other trends in computing that we believe will affect the form and functions of IDS products, including the move to appliance-based IDSs. It is also likely that certain IDS pattern matching capabilities will move to hardware in order to increase bandwidth. Finally, the entry of insurance and other classic commercial risk management measures into the network security arena will drive enhanced IDS requirements for investigative support and features.
12. CONCLUSION
IDSs are here to stay, with billion-dollar firms supporting the development of commercial security products and driving hundreds of millions in annual sales. However, they remain difficult to configure and operate and often can't be effectively used by the very novice security personnel who need to benefit from them most. Due to the nationwide shortage of experienced security experts, many novices are assigned to deal with IDSs that protect our nation's computer security systems and networks.
Hence IDS is very important and useful for our security. So, for uninterrupted use of the network and computer systems, we must use an IDS, which will not only protect us but also give useful information about intruders, saving our time and money either directly or indirectly.