Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of UKEssays.com.
Intrusion detection is a necessary security infrastructure for any organization. Its a process of noticing or monitoring the events like imminent threats or unexpected new attacks, standard security practices, acceptable policies and existing attacks that occur in a network or computer. Detecting process is mainly based on signs of incidents. The process which attempts to block these detected incidents is known as intrusion prevention. Both the Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) are principally focused on log information, identifying incidents, blocking incidents, reporting incidents to administrator. The regular problems when handling IDS is analysis of system generated events, because in a busy network there will be so many events to analyse with help of some monitoring tools and devices but it’s very hard manage due to unwanted outcomes, undetected threats and unmanageable threats. These threats can cause a serious damage to the network or organization.
Research Question and Objectives:
Every organisation recurrently face problem because of threats. As an Information Systems Security student I would like to do some research in Intrusion detection system. My main aim is to do an experiment on the Network Intrusion Detection System (NIDS) with help of Snort to detect network based attacks.
Presently how the security infrastructure of the organizations is facing problems with imminent threats and malicious attacks? How it can be reduced by intrusion detection system? In what way the tools and techniques can be used to experiment the network based attacks?
The research objectives are planning and implementing IDS, Monitoring for critical security threats and detecting them network wide, detecting malicious users on the network, proactive administration, regular network maintenance, 24/7 security event management, Signature and protocol tuning, alerting and preventing the detected threats. Hopefully all these objectives can be achieved by implement a network security with Snort. Snort is a flexible, small, light-weight and cross platform tool which is very suitable for NIDS. While working on this research network may also need some other computer running with tools like Suricata and Bro which are also familiar for NIDS and Experiment will also examine the integration of OSSEC with the analyst console Sguil.
The Intrusion Detection Systems (IDS) are vital modules of defensive methods to protect a network or computer system from abuse. Network intrusion detection system examines all inbound and outbound network activities and notices the attack in network or computer. IDS are a passive monitoring system it alerts when distrustful activity takes place. It inspects the network traffic and data. It identifies the probes, exploits, attacks and vulnerabilities. It responds to the malicious events in several ways like displaying alerts, events log or paging an administrator. It can reconfigure the network and reduce the effect of the malicious activities like worms and virus. It precisely looks at intrusion signatures or hacker signatures so that it can distinguish worms or viruses from general system activities. Intrusion detections are categorized as misuse detection, anomaly detection, passive and reactive system, network based system and host based system.
This picture shows history of Intruder Knowledge versus Attack sophistication
In misuse detection IDS investigates the gathered information and compares it to huge databases of attack signature. Primarily IDS look for particular attack which was already documented. It is very similar to anti-virus because the detection software has good collection of intrusion signature database and it compares packets against the database.
In anomaly the administrator provides the baseline, network traffic load state, typical packet size, breakdown and protocol. Anomaly detector compares the inspected network segment to normal baseline and examines the anomalies.
Passive and Reactive systems:
In passive systems IDS perceive a potential security breach, signal alerts and information of logs. Coming to reactive system IDS reacts to the distrustful and malicious activities either by shutting down the user or by reprogramming the firewall to stop or block network traffic from a malicious source.
Network based IDS:
IDS are network or host based solutions. Network based intrusion detection systems (NIDS) is an independent platform which categorizes network traffic and examines multiple hosts. They are hardware appliances hence they consists of network intrusion detection capabilities. It does consist of hardware sensors which are located along the network or demilitarized zone. NIDS gains access over network traffic by connecting to network hubs and switches and they are configured got network tap or port mapping. The sensor software will examine all the data packets which are going in and out of the network. NIDS are comparatively cheaper solutions that HIDS. It also need less training and administration but it is not as flexible as HIDS. NIDS system must have a good bandwidth Internet access and regular updates of latest worms and virus signatures. Best example is Snort
Host based IDS:
Host based intrusion detection systems (HIDS) are not suitable for real time detection. It has to be configured properly to use in real time. It has software agents which are installed on individual host computers within the system. It analyse the packets going in and out from that specific computer where the intrusion detection software is installed. It also examines the application logs, system calls and file system changes. HIDS can provide some addition features which not there in NIDS. For instance HIDS are capable to inspect activities which are only able to implement by administrator. It detects the modifications in the key system files and can also examine the attempts to overwrite key files. Trojans and backdoors installation can be detected and stopped; these particular intrusions are not generally seen in NIDS. HIDS systems must have internet access and also frequent updates of worms and virus signatures. Certain application based IDS are also a portion of HIDS. Best example is OSSEC.
Intrusion detection system (IDS) vs. Intrusion prevention system (IPS):
Most of them believe like IDS & IPS works similar and IPS is future way of IDS. But it is like comparing an apple and banana. These two solutions are very different from each other. IDS is passive it monitors and detects but IPS is active prevention system. The IDS drawbacks can be overcome by implementation, management and proper training. IDS is a cheaper implementation that IPS. However, by looking at IPS benefits most of them believe that IPS is following generation of IDS. The main point to remember is that no single security device can prevent all attacks at all the time. IDS and IPS works satisfactory when they are integrated with some addition and current security solutions. The combination of firewall and IDS gives protection to system so IPS is usually considered as next generation IDS. Presently IPS also has both types of HIPS and NIPS as like IDS. IPS can some more actions like dropping the malicious data packets, sending an alarm, reorganizing the connection and/or stopping the traffic from the malicious IP address, correcting CRC errors and few more like cleaning up unwanted network and transport layer options.
Snort is free and open source software which is used for network intrusion detection (NIDS) and network intrusion prevention system (NIPS). Martin Roesch was the creator of snort in 1998 but now it is maintained by a network security software and hardware company known as Sourcefire. Roesch is the founder and Chief technical officer of Sourcefire. The latest version is 220.127.116.11 and it was released on 6th April 2011. It is written in C language and cross-platform so that can run on any operating system. It is also a licensed by GNU general public license. Over a decade Snort has been recognized as the best prominent software in the security Industry.
Snort is a great piece of software used for NIDS. It has ability to perform real time traffic analysis, protocol analysis, content matching, Internet Protocol networks packet log and content search. It can even examine probes or attacks, buffer overflows, OS fingerprinting, common gateway interface, stealth port scans and server message block probes. Snort mainly configured in three modes network intrusion detection, sniffer and packet logger. In NIDS mode it can examine network traffic and inspect it against ruleset provided by the user. As a sniffer it read all network data packets and displays them on the user console. As a packet logger it writes all log packets to the harddisk. Some 3rd party tools like Snorby, RazorBack and Base interface with snort for administration, log analysis and reporting.
Snort provides dramatic power, speed and performance. It is light weight and protects against latest dynamic threats by rules based detection engine. Its source code and ruleset are regularly revised and tested by worldwide security professionals. It is most popular for IDS and IPS solutions with more than 205,000 registered users. There are minimum 25 companies that are incorporate with Snort for network security assistance.
Snort vs. Suricata vs. Bro
Suricata and Bro:
Suricata is also an open sources which is used for IDS and/or IPS. Open Information Security Foundation (OISF) has developed it. First standard release was in July 2010. It was written in C language and can run in Linux, Mac and Windows operating systems. It was licensed by GNU general public license. Suricata is a new tool when compared with other Opensource IDS and very best in all as shown in the above figure. As its new software there are no much research papers and journals. Bro is open source and UNIX based, it is used for NIDS. It was written by Vern Paxson and licensed by BSD. It runs on any Linux based operating system. These two tools are very good very there is no much research and literature on them. But these two are quite good when compared to Snort.
OSSEC and SGUIL:
OSSEC is an open source HIDS. It does log analysis, rootkit detection, windows registry monitoring, active response and integrity checking. It offers IDS for all Linux, Mac and Windows Operating systems because it has centralized cross platform. It was written by Daniel B in 2004. SGUIL is a pool of free software modules for Network Security Monitoring and IDS alerts. It was written in Tcl/Tk and run on any OS which supports Tcl/Tk. It integrates with Snort and generates alert data and session data from SANCP. Full content can be retrieved my running Snort in packet logger mode. Sguil is an application of Network Security Monitoring (NSM)
The gathered information from different sources gives a brief idea of research. Literature covers all the aims and objectives of the research which was drawn and supported from the pool of journals, research papers, white papers, blogs and wikis. Introduction gives the over idea of the research going to takes place. Research question focuses on the field of interest and research area. Objectives mentions the clear tasks what are going to be achieved and it’s designed as a step by step procedure like starting with planning and implementation of IDS and later the steps that have to be achieved in the research area and ends with the some necessary applications like Snort, OSSEC and SGUIL which are very important to achieve the most out of Intrusion detection.
Literature review covers almost each and every necessary step that is required in the research area. It is also very relevant to the research area and completely confined to it without any deviations. Intrusion detection and different types of IDS are clearly explained. Host based intrusion detection systems and Network based intrusion detection systems are clearly explained with help of graphical images. The differences between IDS and IPS are mentioned and it also explains why IPS is more powerful. Lastly main application like Snort, Suricata, Bro, OSSEC and SGUIL are completely covered with features. But the interesting finding during literature search is Suricata and Bro. Both are very good for IDS and they are having more advanced features than the Snort. However there is very less research done it that area. So there is a need of qualitative data by taking interviews of some security professionals and lectures. At last, in brief literature covers all the parameters of research question, objectives, methods and outcomes of different IDS and applications which are suitable for IDS are well organized and documented.
Research Methods and Methodology:
I would like do the research according to Inductive process because I am sure about the topic and I want to know the outcomes of the experiment. As inductive research moves from specific point to general I selected it and start working. In this research I am planning to implement an experiment in small network with some applications. I am using these methodology and methods for the sake of researching, investigating and evaluating the research area. I have got some set of research problems and classifications. According to explanatory research action I have set some aims to achieve. As a next step collected a pool of information required, organized the required out of it, analysed information and evaluated the literature, planning the experiment in all possible ways to detect more threats even in a busy traffic network.
Now it is an important time to start my experiment before that I have to do some qualitative research by conducting interviews about Suricata and Bro because I need some assistance on suricata and bro to take a advantage of it. I am not interested on survey because as they are new applications people might know less about it and I thing its waste of doing. Case study and field study are also better to do because they can have depth look at issue or problem. But problem with field study is they may consume more time and they are very expensive. Quantitation method will be used analysing some numerical values, graphs and proportions. Experiment design can be categorized by certain criteria “Controlled experiment, Cross-sectional designs, Quasi experimental designs and Pre experimental designs”
Methodologies discussed in the literature review are from user view so I might vulnerable to attack and have plan well for the implementation of experiment. These vulnerabilities can be fixed face to face interviews with security professionals and can also do by narrowing hypothesis. After the experiment the observations and analysis must be tested with hypothesis of proposed theory. Finally I will use both quantitative and qualitative methods for data collection process. I have planned to continue my experiment with the same Inductive research approach.
Planning and implementation of IDS
Literature review, research papers and interviews
Literature review, case study and research papers
Network maintenance, proactive administration and security Management
Literature review, white papers, blogs, case studies
Signature and Protocol tuning
Interviews, updates from, on-going research’s and literature reviews
Implementing of security management tools
Interviews, case studies and some more qualitative approaches
Issues of access and ethics:
The experiment impact would be more informative and extremely useful in the field of intrusion detection. Research will clearly show the intrusions events and blocks them even at the busy network traffic time. It may also show some new advantages because of the suricata and bro. In my opinion this research is going to detect and block all the intrusions up to date. Depending upon the qualitative approach some more methods of suricata and bros can be implement to network to get the best out of it.
The research at first started with a study of intrusion detection and then after I have drawn some boundaries with that following objectives. During literature collection I found some other interesting tools like Suricata and Bro which are predominately better that Snort. Though they are good but I couldn’t find much literature and research area with them. So finally I decided to do an experiment on IDS with a small network consisting of Snort IDS and secondarily I am planning to keep one computer with Suricate IDS and other with Bros IDS and see the difference of these three tools from another angle. If I am successful dissertation can end up like Snort vs Suricata vs Bro or else minimum I can be successful with Snort. Using the research methodology of data collection and critical evaluation the literature work is investigated and evaluated. Lastly the outcomes of the theory are assumed from the research.
I have already spoken to Neil regarding my dissertation idea and selected him as my supervisor. Finally I thank Neil Richardson and Louise Webb for providing ne this opportunity.
Cite This Work
To export a reference to this article please select a referencing stye below:
Related ServicesView all
DMCA / Removal Request
If you are the original writer of this essay and no longer wish to have your work published on the UKDiss.com website then please: