Study On Intrusion Detection And Prevention Systems Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Intrusion detection and prevention has been a hot topic in the technology-related circles since shortly before the turn of the century, and especially after the introduction of various compliance acts such as Sarbanes-Oxley. To verify compliance and the reliability of their intrusion detection controls, a stampede of corporations rushed into the acquisition of systems and installed them on their networks. Intrusion Detection Systems evolved logically into Intrusion Prevention Systems. Several years have passed, so what do we know now about Intrusion Detection and Prevention systems?

The common opinion in industry is that Intrusion Detection Systems (IDS) will fall into disuse very soon. In their place is something much more capable, the Intrusion Prevention System (IPS). IPSs are not a new technology; they are generally a new version of IDS supplemented with firewalls and network-layer filtering to provide more active filtering of malicious content. Our goal is to understand both IDS and IPS systems and the evolution from IDS to IPS in industry.

Intrusion Detection Systems

An Intrusion Detection System (IDS) is developed to detect malicious attacks on systems. IDSs are the computer-network equivalent of home security systems. The primary responsibility of an IDS is to detect unwanted and malicious network traffic, which can be done using different techniques. There are two main types of Intrusion Detection (ID) systems: ID systems which operate on a host are called host-based ID systems (HIDS), and ID systems which operate on network data flow are called network-based ID systems (NIDS).

Network Based IDS

A Network-Based Intrusion Detection System (NIDS) has one or more network-based sensors which scan and filter all network traffic. A sensor is generally just a network interface that has been set to promiscuous mode to sniff all the traffic going through the network. The sensors filter network traffic and generate an alert when suspicious or malicious traffic has been detected. There are mainly two detection strategies: signature matching and statistical anomaly detection.

Signature matching is the most widespread type of filter. A signature detection system simply monitors the data being transmitted through the system. In general, a signature is a pattern of bits transmitted through the network in the form of packets. If that pattern matches a predefined pattern, the filter generates an alert stating that an attack has occurred. This technique is very simple to implement. However, its drawback is that we must know the signature of a malicious packet in order to detect it. This requires additional overhead to continually update the system with the most current malicious signatures. In addition, the attacker can slightly modify the attack in order to avoid matching the pre-existing signature rules for the original attack.

The alternative approach is to use a statistical anomaly filter. Statistical anomaly filters are meant to monitor a system and detect when something abnormal occurs. The normal behavior of a system is determined under normal, safe operating conditions, and then "exceptional" events are identified. When the system's behavior deviates far from the "normal" behavior, alerts are generated. For instance, one way to determine normal behavior would be to monitor a user's network usage. If it is later perceived that the user is using much more bandwidth than previous measurements, this might be a signal that something abnormal is happening.

The major problem with this is that a system's behavior changes with time. As a result, its behavior will deviate more and more from the "normal" reference model initially determined, so the reference model needs to evolve. However, if the reference model is updated too often, an attacker could spread out the attack over a longer period of time and possibly go unnoticed: the reference model will learn the attacker's behavior and incorporate it into the "normal" model.
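The bandwidth example and the drift problem above, worked through in code. This is an added example written for this essay, not code from the essay or from any IDS product; the "bytes per interval" figures, the 1.5x threshold and the window size are constructed assumptions. It shows a sudden spike being caught, a slow ramp being caught by a static model, and the same slow ramp slipping past a model that is relearned every two samples.

```python
"""Statistical anomaly filter over per-user bandwidth samples (added example;
the detector and all traffic figures are constructed for illustration)."""
from statistics import mean

# Constructed bytes-per-interval measurements taken while the user is known to
# be behaving normally.  Their mean is exactly 100.
TRAINING = [90, 110, 100, 95, 105, 100, 100, 110, 90, 100]
# Constructed observation streams replayed against the model.
SPIKE = [100, 100, 400]                            # sudden jump
SLOW_RAMP = [100 + 10 * i for i in range(1, 31)]  # creeps from 110 up to 400


def build_baseline(samples):
    """The 'normal' reference model: the mean of the safe-period samples."""
    return mean(samples)


def is_anomalous(value, baseline, ratio=1.5):
    """Alert when usage exceeds the learned normal level by more than `ratio`."""
    return value > ratio * baseline


def run_detector(training, observations, relearn_every=None, ratio=1.5):
    """Replay observations against the reference model and return the indices
    that raised alerts.  With relearn_every set, the model is rebuilt from the
    most recent window of samples after every that-many observations, which is
    the 'updated too often' behaviour the text warns about."""
    history = list(training)
    window = len(training)
    baseline = build_baseline(history)
    alerts = []
    for i, value in enumerate(observations):
        if is_anomalous(value, baseline, ratio):
            alerts.append(i)
        history.append(value)          # the model keeps learning from what it sees
        if relearn_every and (i + 1) % relearn_every == 0:
            baseline = build_baseline(history[-window:])
    return alerts


if __name__ == "__main__":
    print("spike, static model       :", run_detector(TRAINING, SPIKE))
    print("slow ramp, static model   :", run_detector(TRAINING, SLOW_RAMP))
    print("slow ramp, relearn every 2:", run_detector(TRAINING, SLOW_RAMP, relearn_every=2))
```

With the static model the ramp trips the threshold as soon as a sample exceeds 150; with relearning every two samples the window mean trails the attacker's usage closely enough that no sample ever exceeds 1.5 times it, so the ramp to four times the original level produces no alert at all. The practical knob is the relearning interval relative to how fast an attacker can afford to ramp.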

Host-Based IDS

Whereas a NIDS inspects all network traffic, a HIDS generally detects abnormal behavior within the host by inspecting the host's own behavior. As an example, a HIDS may monitor which program accesses which resources and might trigger an alert when a program abnormally starts draining system resources or modifying files. A HIDS can also monitor the state of the system and make sure everything makes sense, which is very analogous to the statistical anomaly filter. The principle behind the effectiveness of HIDS is that attackers leave traces of their activities. For instance, they might install software on a computer they have taken over. In general, a HIDS will maintain a database of system objects it should monitor. The database contains important information about these system objects - attributes, modification time, size, etc. In addition, the database may contain a checksum or hash of the system objects. These records will later be used for comparison with the current system objects. If at some point an object becomes inconsistent, the system can generate an alert. However, the attacker may somehow be able to gain access to the database. As a result, simply matching a hash doesn't guarantee that an intruder has not tampered with the file in question. For files which are very dynamic, this checksum technique will not be effective. There are many other techniques available; however, our focus on HIDS ends here.
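The object database described above, implemented as a small file-integrity check. This is an added example for this essay, not code from the essay or from any HIDS product; the file tree and the tampering scenario in demo() are constructed. It records the attributes the text lists (size, modification time) plus a SHA-256, and the scenario shows why the hash matters: an intruder who rewrites a file and restores its timestamp fools the attribute comparison but not the hash, while an ordinary log file that keeps growing shows up as noise, which is the dynamic-file caveat from the text.

```python
"""Host-based integrity check: baseline database of attributes plus hash,
compared against the live file system (added example; constructed scenario)."""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Record size, modification time and a SHA-256 of one object."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest.hexdigest()}


def snapshot(root):
    """Build the object database for every file under root (paths relative to root)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def check(baseline, current):
    """Compare the live snapshot with the baseline; return (path, reason) findings."""
    findings = []
    for path, ref in baseline.items():
        now = current.get(path)
        if now is None:
            findings.append((path, "missing"))
        elif now["sha256"] != ref["sha256"]:
            findings.append((path, "content changed"))
        elif (now["size"], now["mtime_ns"]) != (ref["size"], ref["mtime_ns"]):
            findings.append((path, "metadata changed"))
    for path in current:
        if path not in baseline:
            findings.append((path, "unexpected new object"))
    return findings


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        def put(name, data, mode="wb"):
            with open(os.path.join(root, name), mode) as fh:
                fh.write(data)

        put("passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        put("sshd_config", b"PermitRootLogin no\n")
        put("messages", b"kernel: boot complete\n")
        baseline = snapshot(root)

        # Intruder rewrites a config and puts the original timestamp back.
        # The attribute comparison is fooled; the hash is not.
        cfg = os.path.join(root, "sshd_config")
        before = os.stat(cfg)
        put("sshd_config", b"PermitRootLogin yes\n")
        os.utime(cfg, ns=(before.st_atime_ns, before.st_mtime_ns))
        # Ordinary activity: the log grows.  On a dynamic file the checksum
        # is pure noise, so such files need a different monitoring method.
        put("messages", b"sshd: accepted login\n", mode="ab")
        # A dropped file that was never in the baseline (constructed placeholder).
        put("implant.so", b"not-a-real-binary")
        return dict(check(baseline, snapshot(root)))


if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{path}: {reason}")
```

The baseline itself is the weak point the text names: if the intruder can edit the database, they can simply re-record the hash of the tampered file, so a real deployment keeps the baseline off the monitored host or signs it.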

Intrusion Prevention Systems

Intrusion Detection Systems (IDS) are products designed to detect unwanted accesses or manipulations of a system. However, they typically do not prevent or protect from attacks. IDS systems are also the oldest systems available. By contrast, the purpose of an Intrusion Prevention System (IPS) is not only to detect that an attack is occurring, but also to stop it. To do so, it can be considered an advanced combination of a firewall and an IDS. To illustrate this, we first consider what a firewall does. The idea behind firewalls comes from their use in building construction to prevent the spread of fires. In a networking sense, they perform a similar function. Instead of preventing fire from spreading from one building to another, they prevent certain network traffic from traveling from one network section to another (or in an organization, usually from the outside network to the internal network). A firewall typically does this by examining portions of the IP packets (including source and destination IP addresses and port numbers) and deciding whether or not to let the packet pass. Firewalls can work in both directions, preventing traffic both into and out of a network. A firewall can be considered a very simple type of IPS in that it operates using IP addresses, ports and other header information, but it does not look into the contents of the packet. An IPS is more advanced in that it can use application-layer information to attempt to determine the intent of the packet. As mentioned, it combines the filtering power of a firewall with the detection power of an IDS, along with the ability to prevent attacks. For these reasons IPSs are considered to be among the most promising network technologies. Similar to IDSs, IPSs can be divided into several types. Also like IDSs, these include Network Based IPS (NIPS) and Host Based IPS (HIPS). The distinction is very similar to that of IDSs and so will not be discussed further.
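The three devices compared in this section and the signature matching described under Network Based IDS, side by side on the same constructed traffic. This is an added example written for this essay, not code from the essay or from any product; the firewall rules, the single payload signature and the four packets are constructed and stand in for a vendor's rule set. The firewall sees only the header fields, the IDS sees the payload but can only alert because it sits on a tap, and the IPS sees the payload and sits inline, so it can drop.

```python
"""Firewall (header only), IDS (payload, alert only) and IPS (payload, can drop)
applied to the same packets (added example; rules and traffic are constructed)."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Header-only filter, the firewall's view: (source prefix or "*", destination
# port or None for any, action).  First match wins.
FIREWALL_RULES = [
    ("10.0.0.", 22, "allow"),   # SSH only from the internal LAN
    ("*", 22, "deny"),          # SSH from anywhere else is blocked on the header alone
    ("*", 80, "allow"),         # the web server is public
    ("*", None, "deny"),        # default deny
]

# Payload patterns, the IDS/IPS view.  Constructed signature, not a vendor rule.
SIGNATURES = {
    b"../../etc/passwd": "path traversal attempt",
}


def firewall_decision(pkt):
    """Decide on header fields only; the payload is never examined here."""
    for src_prefix, dport, action in FIREWALL_RULES:
        src_ok = src_prefix == "*" or pkt.src.startswith(src_prefix)
        if src_ok and dport in (None, pkt.dport):
            return action
    return "deny"


def signature_hits(pkt):
    """Application-layer check: which known patterns appear in the payload."""
    return [name for pattern, name in SIGNATURES.items() if pattern in pkt.payload]


def process(pkt, mode):
    """mode='ids': sensor on a tap that can only raise alerts; the packet is
    forwarded regardless.  mode='ips': inline device that drops on a match."""
    if firewall_decision(pkt) == "deny":
        return "dropped by firewall", []
    hits = signature_hits(pkt)
    if hits and mode == "ips":
        return "dropped by ips", hits
    return "forwarded", hits


# Constructed traffic: documentation addresses only.
TRAFFIC = [
    Packet("203.0.113.5", "192.0.2.10", 22, b"SSH-2.0-client"),              # outside -> SSH
    Packet("10.0.0.7", "192.0.2.10", 22, b"SSH-2.0-client"),                 # LAN -> SSH
    Packet("203.0.113.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1"),    # ordinary request
    Packet("203.0.113.5", "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.1"),
]


def run(mode):
    """Apply firewall then IDS or IPS to every packet; returns (verdict, alerts) per packet."""
    return [process(p, mode) for p in TRAFFIC]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        for pkt, (verdict, alerts) in zip(TRAFFIC, run(mode)):
            print(f"{mode}: {pkt.src}->{pkt.dst}:{pkt.dport} {verdict} {alerts}")
```

The fourth packet is the one that separates the devices: the firewall lets it through because port 80 is allowed, the IDS forwards it and raises an alert, and only the IPS stops it. That is also where false positives from the next section come from, since a benign request containing the same byte pattern would be dropped just the same.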

IPS compared to IDS

Recent trends in industry show that more and more companies are choosing IPS-based solutions over IDS-based solutions, primarily due to the need to actively block worm and hacker attacks instead of passively monitoring them as an IDS would do. Although legitimate traffic is sometimes blocked along with malicious traffic, most system administrators believe that the benefits certainly outweigh the downsides, especially when considering the significant damage that a successful worm or hacker can do to an organization. It should be noted that the blocking of legitimate traffic is not a problem unique to IPS systems. It occurs in any type of system that blocks traffic, including firewalls. Determining with 100% accuracy whether a packet is malicious or not is simply not possible. For this reason, any security implementation will suffer from false positives. A system administrator must therefore weigh the cost of blocking good traffic (false positives) against the cost of allowing some bad traffic (false negatives) to determine how strictly to check data.

Attacks on IDS

There are many different types of attacks which can compromise a system. These attacks can generally be grouped into the following categories:

• Confidentiality - This type of attack gives access to information without authorization.

• Integrity - This type of attack allows an unauthorized attacker to change the state of the system, the data on the system, or the data passing between systems.

• Availability - This principle is violated when an attacker prevents an authorized user from accessing system resources.

• Control - If the attack grants an unauthorized attacker a privilege in violation of the access control policy of the system, the attack is on the control principle. This attack can give means to further attacks on confidentiality, integrity, and/or availability.

Scanning Attacks

A scanning attack is a technique through which an attacker gathers information about a system: topology information, the type of network traffic allowed through the firewall, active hosts on the network, the OS and kernel of hosts on the network, the server software running, software version numbers, and much more. Using this information, the attacker may launch attacks aimed at more specific exploits. For instance, if a host on the network is running a version of sshd which is susceptible to a buffer overflow, and the attacker determines this via a network scan, the attacker can immediately abuse this flaw.

Denial of Service Attacks

There are two main types of denial of service (DoS) attacks: flooding and flaw exploitation. Flooding attacks can often be implemented very simply. For example, one can launch a DoS attack by just using the ping command: ping -f victim. This results in sending the victim an overwhelming number of ping packets. If the attacker has access to greater bandwidth than the victim, this will easily and quickly overwhelm the victim. As another example, a SYN flood attack sends a flood of TCP SYN packets with forged source addresses to a victim. This causes the victim to open half-open TCP connections: the victim sends a TCP SYN/ACK packet and waits for an ACK in response. Since the ACK never comes, the victim eventually exhausts its available resources waiting for ACKs from nonexistent hosts.
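How a NIDS would notice the two attacks described in the preceding two sections, run over a constructed set of flow records. This is an added example written for this essay, not code from the essay or from any product; the record format ("epoch source destination port tcp-flags"), the thresholds, and the addresses are assumptions made for the illustration. The scan detector looks for one source sending SYNs to many distinct ports on a host within a short window; the SYN-flood detector counts handshakes that were started but never completed, which is exactly the half-open state the text describes.

```python
"""Port-scan and SYN-flood detection over constructed flow records
(added example; record format and thresholds are assumptions)."""
from collections import defaultdict


def constructed_log():
    """Records are '<epoch> <src> <dst> <dport> <tcp-flags>' (constructed)."""
    lines = [
        "1000.00 10.0.0.7 192.0.2.10 80 S",   # a normal client completes its handshake
        "1000.10 10.0.0.7 192.0.2.10 80 A",
    ]
    # One source probing eight services on a host within two seconds.
    for i, port in enumerate([21, 22, 23, 25, 110, 143, 443, 8080]):
        lines.append(f"{1001 + 0.25 * i:.2f} 198.51.100.9 192.0.2.10 {port} S")
    # Forty SYNs to one service from forged sources; no ACK ever follows.
    for i in range(40):
        lines.append(f"{1010 + 0.01 * i:.2f} 203.0.113.{i + 1} 192.0.2.10 80 S")
    return lines


def parse(line):
    ts, src, dst, dport, flags = line.split()
    return float(ts), src, dst, int(dport), flags


def detect_port_scans(records, window=5.0, min_ports=6):
    """Flag (src, dst) pairs where one source sends SYNs to at least min_ports
    distinct ports on one host within `window` seconds."""
    touches = defaultdict(list)
    for ts, src, dst, dport, flags in records:
        if flags == "S":
            touches[(src, dst)].append((ts, dport))
    scanners = []
    for pair, events in touches.items():
        events.sort()
        for i, (t0, _) in enumerate(events):           # slide the window start
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scanners.append(pair)
                break
    return sorted(scanners)


def detect_syn_floods(records, max_half_open=20):
    """Count connections left half open (SYN seen, client's ACK never seen)
    per service and flag services above the threshold."""
    pending = set()
    for _ts, src, dst, dport, flags in records:
        key = (src, dst, dport)
        if flags == "S":
            pending.add(key)
        elif "A" in flags:
            pending.discard(key)                       # handshake completed
    half_open = defaultdict(int)
    for _src, dst, dport in pending:
        half_open[(dst, dport)] += 1
    return sorted((svc, n) for svc, n in half_open.items() if n > max_half_open)


if __name__ == "__main__":
    recs = [parse(line) for line in constructed_log()]
    print("scans :", detect_port_scans(recs))
    print("floods:", detect_syn_floods(recs))
```

The scanner's own SYNs are also half-open, but they are spread over eight services and so stay under the per-service flood threshold; the two detectors are looking at different shapes of the same raw data. On a real sensor the pending set would be aged out after the TCP handshake timeout rather than kept forever.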

Penetration Attacks

A penetration attack is an attack on a system through which an unauthorized user gains the ability to change system data and the privileges to access system resources. One common way for this to happen is by exploiting a software flaw. For instance, in July of 2002 an exploit was found in the sshd challenge-response handling code which allowed an attacker to execute arbitrary code as the user running sshd. This attack would be considered a penetration attack. Being able to execute arbitrary code as root easily gives an attacker access to whatever system resource imaginable. In addition, this could allow the attacker to launch other types of attack on this system, or even attack other systems from the compromised system.

Computer Vulnerabilities

• Input Validation Error - The two most common input validation errors are buffer overflows and boundary condition errors. These errors occur when a program does not properly check input data entered by the user or received from the system. A buffer overflow attack exploits the boundaries of some buffer, resulting in data overwriting adjacent memory locations. A boundary condition error occurs when input to a program causes the program to exceed some boundary. For instance, the input may cause the system to run out of memory.

• Access Validation Error - The access control policy of the system is flawed. As a result, the attacker can utilize this to gain control of the system.

• Exceptional Condition Handling Error - The system becomes vulnerable because some type of exception has arisen. This exception could either not be caught, or handled incorrectly, thus allowing the attacker to exploit the system.

• Configuration Error - This error results from a fault of the administrator who is responsible for configuring the system. It is not a fault of how the system was designed, but a fault of the user who incorrectly configured the system.

• Race Condition - A flaw in a system where the output exhibits unexpected dependence on the timing of events. Attackers can exploit race conditions with respect to denial of service attacks. Also, attackers can take advantage of programs which reach race conditions while stuck in a privileged state. While in this privileged state, the attacker could convince systems to perform illegal operations.

Many organizations use multiple IPS products, usually from different vendors. By default, these products function completely independently of each other. This has some notable benefits, such as minimizing the impact that a failure or compromise of one IPS product has on the other IPS products. However, if the products are not integrated in any way, the effectiveness of the entire IPS implementation may be somewhat limited. Data cannot be shared by the products, and IPS users and administrators may have to expend extra effort to monitor and manage multiple sets of products. IPS products can be directly integrated, such as one product feeding alert data to another product, or they can be indirectly integrated, such as all the IPS products feeding alert data into a security information and event management system.
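What the indirect integration described above looks like in practice: a security information and event management system takes each product's alerts in its own format, normalizes them into one schema, and correlates across products. This is an added example written for this essay, not code from the essay or from any SIEM or IPS vendor; both alert formats (a key=value syslog line from a constructed network IPS and a JSON record from a constructed host IPS), the severity scales, and the addresses are constructed.

```python
"""Normalizing two IPS products' alerts into one schema and correlating them,
as a SIEM would (added example; both formats are constructed)."""
import json
import re
from collections import defaultdict

# Constructed: a network IPS that logs key=value lines.  Severity 1 (low) to 5.
NIPS_ALERTS = [
    'nips1 ALERT sid=2001 msg="SSH brute force" src=203.0.113.8 dst=192.0.2.10 sev=3',
    'nips1 ALERT sid=2044 msg="HTTP scanner user-agent" src=198.51.100.4 dst=192.0.2.20 sev=1',
]
# Constructed: a host IPS on the servers that emits JSON with word severities.
HIPS_ALERTS = [
    '{"product": "hips", "host": "192.0.2.10", "rule": "Multiple failed logins",'
    ' "attacker": "203.0.113.8", "severity": "high"}',
    '{"product": "hips", "host": "192.0.2.20", "rule": "Config file modified",'
    ' "attacker": null, "severity": "medium"}',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
WORD_SEVERITY = {"low": 1, "medium": 3, "high": 4, "critical": 5}


def normalize_nips(line):
    """key=value line -> common schema (product, src_ip, target, name, severity)."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    return {"product": "nips", "src_ip": fields["src"], "target": fields["dst"],
            "name": fields["msg"], "severity": int(fields["sev"])}


def normalize_hips(line):
    """JSON record -> the same common schema, mapping word severities to numbers."""
    rec = json.loads(line)
    return {"product": rec["product"], "src_ip": rec["attacker"], "target": rec["host"],
            "name": rec["rule"], "severity": WORD_SEVERITY[rec["severity"]]}


def collect():
    """All alerts from both products in the common schema."""
    return ([normalize_nips(line) for line in NIPS_ALERTS]
            + [normalize_hips(line) for line in HIPS_ALERTS])


def correlate(events, min_products=2):
    """Source addresses that at least min_products distinct products alerted on,
    mapped to the worst severity any product assigned.  Events without a source
    address (host-local findings) are skipped."""
    seen = defaultdict(set)
    worst = defaultdict(int)
    for ev in events:
        if ev["src_ip"]:
            seen[ev["src_ip"]].add(ev["product"])
            worst[ev["src_ip"]] = max(worst[ev["src_ip"]], ev["severity"])
    return {ip: worst[ip] for ip, products in seen.items() if len(products) >= min_products}


if __name__ == "__main__":
    for ev in collect():
        print(ev)
    print("seen by more than one product:", correlate(collect()))
```

Neither product on its own rates the 203.0.113.8 activity as more than a single medium or high alert; only after normalization does it become visible that the network sensor and the host sensor are describing the same source, which is the kind of signal a purely independent deployment cannot produce.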

Every day, more and more intelligent and creative people are finding new ways to attack computer systems. Until recently, system administrators were limited to choosing from a small variety of protection mechanisms, including the useful, yet limited, firewalls and Intrusion Detection System solutions. Intrusion Prevention Systems combine the benefits of both firewalls and IDSs to block traffic and detect malicious behavior. They also add the power of preventing attacks by looking at the application-layer information within the packet. This powerful combination will certainly serve the industry well over the next several years.
