Chapter-5 & 7 Intrusion Detection System & Virtual Private Network



Learning Objectives

Students will learn about:

* Intrusion Detection System
* Types of Intrusion Detection System
* Virtual Private Network

1 Introduction to Intrusion Detection System

Organizations usually wish to preserve the confidentiality of their data, which is vital to the organization. With the widespread use of the internet, it has become a key challenge to maintain the secrecy and integrity of organizations' vital data. Network security has been an issue almost since computers have been networked together. Since the evolution of the internet, there has been an increasing need for security systems. Conventional techniques for network security include security mechanisms like user authentication, cryptography and intrusion prevention systems like firewalls.

One important type of security software that has emerged since the evolution of the internet is the intrusion detection system. Intuitively, intrusions in an information system are the activities that violate the security policy of the system, and intrusion detection is the process used to identify intrusions. Intrusion detection is the attempt to monitor and possibly prevent attempts to intrude into or otherwise compromise your system and network resources. Simply put, it works like this: you have a computer system. It is attached to a network, and perhaps even to the internet. You are willing to allow access to that computer system from the network, by authorized people, for acceptable reasons. Consider a real-life scenario: you have a web server, attached to the internet, and you are willing to allow your clients, staff, and potential clients to access the web pages stored on that web server. You are, however, not willing to allow unauthorized access to that system by anyone, be that staff, customers, or unknown third parties.
For example, you do not want people (other than the web designers that your company has employed) to be able to change the web pages on that computer. Typically, a firewall or authentication system of some kind will be employed to prevent unauthorized access. Sometimes, however, simple firewalling or authentication systems can be broken. Intrusion detection is the set of mechanisms that you put in place to warn of attempted unauthorized access to the computer. Intrusion detection systems can also take some steps to deny access to would-be intruders. Intrusion detection systems (IDS) address problems that are not solved by firewall techniques, as a firewall simply acts like a fence around a network. An IDS is capable of recognizing those attacks which firewalls are not able to prevent. Also, newer attacks are being developed that are able to penetrate through firewalls; IDS provides a solution to this problem. As a result, IDSs, as originally introduced by Anderson (J. P. Anderson, 1980) and later formalized by Denning (D. E. Denning, 1987), have received increasing attention in recent years. The IDS along with the firewall form the fundamental technologies for network security.

1.2 Definitions and Terminology

Intrusion detection is the process of monitoring and analysing events that occur in a computer or networked computer system to detect behaviour of users that conflicts with the intended use of the system. An intrusion detection system (IDS) employs techniques for modeling and recognising intrusive behaviour in a computer system. When referring to the performance of IDSs, the following terms are often used when discussing their capabilities:

* True positive (TP): classifying an intrusion as an intrusion. The true positive rate is synonymous with detection rate, sensitivity and recall, which are other terms often used in the literature.
* False positive (FP): incorrectly classifying normal data as an intrusion. Also known as a false alarm. False positives measure the false alarm rate.

* True negative (TN): correctly classifying normal data as normal. The true negative rate is also referred to as specificity.
* False negative (FN): incorrectly classifying an intrusion as normal. False negatives measure the detection rate.

The performance metrics calculated from these are:

$$\mathrm{TPR} = \frac{TP}{TP + FN}, \qquad \mathrm{FPR} = \frac{FP}{TN + FP}, \qquad \mathrm{TNR} = \frac{TN}{TN + FP}, \qquad \mathrm{FNR} = \frac{FN}{TP + FN}$$

Two additional performance metrics are also commonly used, referred to as accuracy and precision:

$$\mathrm{Accuracy} = \frac{TP + TN}{TP + FP + TN + FN} = \frac{\text{No. of correct classifications}}{\text{No. of all instances}}, \qquad \mathrm{Precision} = \frac{TP}{TP + FP} = \frac{\text{No. of correct intrusions}}{\text{No. of instances classified as intrusion}}$$

Accuracy is also referred to as an overall classification rate, and according to Wu and Yen (Su-yun Wu and Ester Yen, 2009), precision is also referred to as recall. Due to the direct nature of many intrusions, the terms 'intrusion' and 'attack' are used interchangeably.

1.3 Components of Intrusion Detection Systems

An intrusion detection system typically consists of three subsystems or components:

* Information Sources: This component is responsible for collecting and providing the audit data (in a specified form) that will be used by the next component (the analysis engine) to make a decision. Information sources are thus concerned with collecting the data from the desired source and converting it into a format that is comprehensible by the analysis engine. This gathers data that may contain evidence of intrusion. All modern IDS monitor host computers, networks, routers or application links to capture intrusion-relevant data. Classification based upon where data analysis is done is explained in section 2.4.

* Analysis Engine: This is the core component, which analyzes the audit patterns to detect attacks. It is a critical component and one of the most researched. Various pattern matching, machine learning, data mining and statistical techniques can be used as intrusion detectors. The capability of the analyzer to detect an attack often determines the strength of the overall system. It can also be categorized by three types of detection: misuse detection, anomaly detection, and hybrid detection. Classification based upon how data analysis is done is explained in section 2.5.
* Response Component: This controls the reaction mechanism and determines how to respond when the analysis engine detects an attack. The system may decide either to raise an alert without taking any action against the source, i.e. a "passive response", or to block the source for a predefined period of time, i.e. an "active response". Such an action depends upon the predefined security policy of the network. This component reports intrusions and takes other responses such as isolation, changing logging or disconnection, etc.

1.4 Overview of Intrusion Detection System

Many intrusion detection systems have been employed. These systems differ primarily in where, when and how the data analysis is carried out. Based on where data analysis is done, intrusion detection systems can be classified into the following two broad categories:

1.4.1 Network-based Intrusion Detection Systems

This type of system is placed on the network, near the system or systems being monitored, and analyzes network traffic for attacks that exploit the connections between computers and the data that can be accessed via a network connection, by examining the individual packets flowing through a network. Unlike firewalls, which typically only look at IP addresses, ports and ICMP types, network-based intrusion detection systems (NIDS) are able to understand all the different flags and options that can exist within a network packet. The role of the network intrusion detection system (IDS) is to flag and sometimes stop an attack before it gets to information assets or causes damage. A NIDS can therefore detect maliciously crafted packets that are designed to be overlooked by a firewall's relatively simplistic filtering rules. Hackers often craft such traffic in order to "map out" a network, as a form of pre-attack reconnaissance. NIDS are also able to look at the "payload" within a packet, i.e. to see which particular web server program is being accessed, and with what options, and to raise alerts when an attacker tries to exploit a bug in such code. Most firewalls are unable to do this. NIDS can detect the broadest range of attacks on corporate information assets. NIDS are effective for monitoring both inbound and outbound network traffic. Network sniffers are an effective means for gathering information about events that occur on the network architecture. Capturing packets before they enter the server is an effective means of monitoring data on the network. If the analysis is at the lower level of analyzing the content of the TCP or IP packet, then the system can perform quickly. However, if the system analyses each packet with respect to the application or protocol, this could be time consuming and raises several issues. Detection of network-specific attacks cannot be determined in a timely fashion. Also, it is difficult to identify the user who submitted the packets. Another problem that arises is that encryption makes it hard to analyze the payload of the packets.
Therefore, a skillful attacker could still get past these intrusion detection systems.

1.4.1.1 Advantages of Network-based Intrusion Detection Systems

* The deployment of network-based IDSs is usually easy, with minimal effort.
* Network-based IDSs can be made very secure and are often invisible to most attackers.

* They can monitor a heterogeneous set of hosts and operating systems simultaneously, due to the fact that standard network protocols (e.g. TCP, UDP and IP) are supported and used by most major operating systems.

1.5 Disadvantages of Network-based Intrusion Detection Systems

* Network-based IDSs cannot analyse encrypted information. This problem is increasing as more organizations and attackers use virtual private networks, which normally utilize encrypted information.
* The processing load in a large or busy network may cause significant difficulties to the analysis engine part of the IDS. This condition (high processing load) can seriously limit an IDS's ability to detect attacks when the network load is above a specific amount of network traffic. Although some vendors have adopted hardware-based solutions for IDSs, to increase the speed of their processing capability (and the cost of implementation), the limitation still remains.
* The need to analyse packets as fast as possible forces developers to detect fewer attacks. Thus, detection effectiveness is often compromised for the sake of cost effectiveness.

1.6 Host-based Intrusion Detection System

This type of system monitors specific files, logs and registry settings on a single individual computer or "host" and can alert on any access, modification, deletion and copying of the monitored object. The role of a HIDS is to flag any tampering with a specific host, and it can automatically replace the altered files when changed to ensure data integrity. They are able to detect such things as repeated failed access attempts or changes to critical system files. A derivation of HIDS is centralized host-based intrusion detection (CHIDS), which serves the same purpose but does the analysis centrally by sending monitored files, logs and registry settings to the manager for analysis. The primary difference between these systems is as follows.
CHIDS is more secure because it sends all the needed information off the host, so that if the host is compromised, the alerting and forensic analysis can still take place. The tradeoff is that centralized analysis requires substantially more network bandwidth to move the data to the manager. HIDS makes policy compliance decisions locally and only sends alerts to the manager when warranted. This uses substantially less network bandwidth. The shortcoming of HIDS is that if the host is compromised there is no alert or forensic data to determine what happened or what was lost. Information about the activities is gathered by the host audit. However, while the host-based intrusion detection system is processing the audit trail and setting off alarms, the attacker can sabotage the audit trail or the entire system. There are other audit sources that are used in host-based intrusion detection systems to gather information. The operating system can obtain a snapshot of the information about the events occurring. Accounting, another method, provides information on the consumption of shared resources, such as processor time, memory, etc. Syslog is another audit service that is provided by the operating system to the applications. The service receives a text string from the application and prefixes it with a time stamp and the name of the system, then it is archived. C2 security audits are required on all computer systems. It records the crossing of instructions executed by the processor in the user space and instructions executed in the kernel. This contains information about the events, and user identification. There are many advantages to this because it identifies the user and login information. It repartitions the audit events into classes to facilitate the configuration of the audit system.

1.6.1 Advantages of Host-based Intrusion Detection System

* Host-based IDSs can analyse intrusion activities with greater reliability and precision, because of the vast amount of input data collected from an individual computer system.
* Host-based IDSs can operate in an encrypted network environment, because audit and system logs are generated before and after data packets are encrypted.
* Host-based IDSs are unaffected by switched networks.

* Trojan horse or other attacks that involve software integrity breaches can be detected by host-based IDSs. These breaches appear as a result of inconsistencies in process execution (R. G. Bace, 2000).

1.6.2 Disadvantages of Host-based Intrusion Detection System

* Host-based IDSs are harder to manage, as information must be configured and managed for every host monitored.
* Since sensors for host-based IDSs reside on the host targeted by attacks, the IDS may be attacked and disabled as part of the attack.
* Host-based IDSs are not well suited for detecting network scans or other such surveillance that targets an entire network, because the IDS only analyses those network packets received by its host.
* Host-based IDSs can be disabled by certain denial-of-service attacks.
* The amount of information included in operating system audit trails can be immense, which can result in the need for additional local storage on the system.

1.6.3 Hybrid Intrusion Detection System

Hybrid Intrusion Detection Systems complement HIDS technology with the ability to monitor the network traffic coming in or out of a specific host. This is very different from NIDS technology, which monitors all network traffic. Management and alert notification from network- and host-based intrusion detection devices can be done with hybrid intrusion detection systems.

1.7 Classification of Intrusion Detection System

The task of intrusion detection systems is to monitor and detect any misuse of the system. In today's computerized world, commercial tools for intrusion detection systems are becoming easily available. A generic intrusion detection system is essentially a detector that processes information received from a system (server, mainframe, firewall etc.). The detector processes the following information: knowledge of attacks, configuration information of the current state of the system, and audit information (information about the inner workings and behavior of the system).
The detector evaluates all this data to determine if there is indeed an intrusion. Evaluating efficiency is essential in intrusion detection systems. Different measures need to be considered, such as accuracy and performance, for example the rate at which audit events are processed. Completeness is also important, as well as fault tolerance: the intrusion detection system should be resistant to attacks. Finally, timeliness: to perform and propagate the analysis as soon as possible so that it can be handled. There are many characteristics of intrusion detection systems. The analyzer has two functionalities: it can be behavior-based, using information about the normal behavior, or knowledge-based, where the system uses information about the attacks. Another functional characteristic is the behavior on detection, i.e. how it reacts. It can react passively, generating alarms, or actively, for example logging out attackers. The audit source location distinguishes amongst systems based on the kind of information they analyze (logs, packets etc.). Finally, there is a usage frequency concept, either running in real time or periodically. In real-time analysis, information about the environment is acquired immediately after an event occurs, but with a static intrusion detection tool a snapshot of the environment is taken periodically.

Based on how data analysis is done, intrusion detection can be classified into the following two types.

1.7.1 Misuse Detection

The system learns patterns from already known attacks. These learned patterns are searched for in the incoming data to find intrusions of the already known types. This method is not capable of detecting new attacks that do not follow pre-defined patterns. Since this approach searches for patterns known to cause security problems, it is called a "misuse" or "attack signature" detection approach. Attack patterns that correspond to known attacks are called signatures (R. G. Bace, 2000; R. Mosses, 2001; A. Sundaram, 1996).
A block diagram of a typical misuse detection system is given in figure 2.3. The misuse detection approach is particularly suited to detecting external penetrators that produce repeated login attempts or exploit known security vulnerabilities in order to break into a system. However, the definition of attack signatures may not be comprehensive enough to cover all existing and future intrusion patterns, thus certain variations of intrusive behavior may not be detected, resulting in a false negative (R. G. Bace, 2000).

[Figure 2.3: Block Diagram of a Typical Misuse Detection System (image not reproduced; visible label: "Modify existing rules")]

It is useful to consider the following example to understand the key ideas behind this approach of IDS. Consider a security guard present at an entrance who is responsible for allowing only valid persons to pass through the gate. In this approach, the guard checks each incoming person against a database of culprits and finds out if the person is one of them. If so, the guard prevents the culprit from passing through the entrance. The problem here is that a culprit whose photograph is not in the database will be allowed entry. This approach corresponds to the misuse detection technique.

1.5.1.1 Advantages of Misuse Detection

* It detects intrusions and also identifies the type of the particular intrusion.
* It is very effective at detecting attacks without generating an overwhelming number of false positive alarms.

1.5.1.2 Disadvantages of Misuse Detection

* It can only detect those attacks that are known to the system. Therefore, systems utilizing this approach must be constantly updated with signatures of new attacks.
* The process of developing a new attack signature is time consuming.

1.5.2 Anomaly Detection

Here patterns are learned from normal data. The unseen data is checked and searched to find deviations from these learned patterns. These deviations are 'anomalies' or possible intrusions. So anomaly detection approaches must first baseline the normal behavior of the object being monitored, and then detect possible intrusions by using deviations from this baseline. These profiles are constructed from historical data collected over a period of time of normal operation. Anomaly detection typically creates knowledge bases containing the profiles of the monitored users, programs or systems. Threshold detection, statistical measures, neural networks and rule-based measures are the techniques used in anomaly detection. A block diagram of a typical anomaly detection system is given in figure 2.4.

[Figure 2.4: Block Diagram of a Typical Anomaly Detection System (image not reproduced; visible label: "Generate New Profile")]

It is useful to consider the following example to understand the key ideas behind this approach of IDS. Consider a security guard present at an entrance who is responsible for allowing only valid persons to pass through the gate. In this approach, the guard maintains a database of photographs of all the valid persons to be allowed entry. The guard allows entry to the incoming person only if his photograph is found in the database. This way, all persons whose photographs are not found in the database are identified as culprits and not allowed entry. This approach corresponds to the anomaly detection technique.

1.5.2.1 Advantages of Anomaly Detection

* It is not able to find the type of the intrusion, but new or unknown intrusions can be detected using this method.
* Anomaly detectors do not require constant updating of rules or signatures for novel intrusions.
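The signature-matching approach of section 1.5.1, the baseline-and-deviation approach of section 1.5.2 and the combined arrangement described after it (anomaly detection finds candidates, misuse detection names them) can be compared on the same data using the TP/FP/TN/FN metrics defined in section 1.2. The Python below is an added illustration, not code from this chapter or from any product it names: the training traffic, the events under test and their ground-truth labels are constructed, the two signatures are hypothetical, and the anomaly profile is the simplest form of threshold detection (a per-host request limit learned from the normal period).

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the source document). Each event is
# (client_host, request_line); TRAINING is a period of known-normal traffic.
TRAINING: List[Tuple[str, str]] = [
    ("10.0.0.5", "GET /index.html"), ("10.0.0.5", "GET /about.html"),
    ("10.0.0.6", "GET /index.html"), ("10.0.0.6", "GET /products"),
    ("10.0.0.6", "POST /login"),
    ("10.0.0.7", "GET /products"),
]

# Events under test with a constructed ground-truth label (True = intrusion).
EVENTS: List[Tuple[str, str, bool]] = [
    ("10.0.0.5", "GET /index.html", False),
    ("10.0.0.5", "GET /about.html", False),
    # 10.0.0.7 is a legitimate site crawler: busier than the baseline, but benign.
    ("10.0.0.7", "GET /index.html", False),
    ("10.0.0.7", "GET /about.html", False),
    ("10.0.0.7", "GET /products", False),
    ("10.0.0.7", "GET /contact.html", False),
    ("10.0.0.9", "GET /index.html", False),
    # One request carrying a known bad pattern (directory traversal).
    ("10.0.0.9", "GET /images/../../private/config", True),
    # Repeated login attempts from one host: no fixed signature, but a rate
    # above anything seen in the training period.
    *([("10.0.0.11", "POST /login", True)] * 5),
]

# Misuse detection: hypothetical signatures for known attack patterns.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "shell-metacharacter": re.compile(r"[;|`]"),
}


def misuse_detect(request: str) -> Optional[str]:
    """Return the name of the first signature matching the request, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return name
    return None


def build_profile(training: List[Tuple[str, str]]) -> Dict[str, int]:
    """Anomaly baseline: the busiest host of the normal period sets the
    per-host request limit (simple threshold detection)."""
    per_host = Counter(host for host, _ in training)
    return {"max_requests_per_host": max(per_host.values())}


def anomaly_flags(events, profile: Dict[str, int]) -> List[bool]:
    """Flag every event from a host whose count in this batch exceeds the limit."""
    per_host = Counter(host for host, _, _ in events)
    limit = profile["max_requests_per_host"]
    return [per_host[host] > limit for host, _, _ in events]


def detect(events, mode: str, profile: Dict[str, int]) -> List[Optional[str]]:
    """One entry per event: None (no alert) or the alert label, for mode
    'misuse', 'anomaly' or 'hybrid'. In hybrid mode an event flagged by either
    detector is reported, named by its signature when one matches."""
    alerts: List[Optional[str]] = []
    for (_, request, _), anomalous in zip(events, anomaly_flags(events, profile)):
        sig = misuse_detect(request)
        if mode == "misuse":
            alerts.append(sig)
        elif mode == "anomaly":
            alerts.append("anomaly" if anomalous else None)
        elif mode == "hybrid":
            alerts.append(sig or ("unclassified anomaly" if anomalous else None))
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return alerts


def evaluate(events, alerts) -> Dict[str, float]:
    """Confusion counts plus the rates, accuracy and precision of section 1.2."""
    tp = fp = tn = fn = 0
    for (_, _, is_intrusion), alert in zip(events, alerts):
        fired = alert is not None
        if fired:
            tp, fp = (tp + 1, fp) if is_intrusion else (tp, fp + 1)
        else:
            fn, tn = (fn + 1, tn) if is_intrusion else (fn, tn + 1)

    def ratio(n: int, d: int) -> float:
        return n / d if d else 0.0  # an empty class yields 0.0, not an error

    return {"TP": tp, "FP": fp, "TN": tn, "FN": fn,
            "TPR": ratio(tp, tp + fn), "FPR": ratio(fp, tn + fp),
            "TNR": ratio(tn, tn + fp), "FNR": ratio(fn, tp + fn),
            "accuracy": ratio(tp + tn, tp + fp + tn + fn),
            "precision": ratio(tp, tp + fp)}


def run(mode: str) -> Dict[str, float]:
    """Profile from TRAINING, detect over EVENTS, score the result."""
    return evaluate(EVENTS, detect(EVENTS, mode, build_profile(TRAINING)))


if __name__ == "__main__":
    for mode in ("misuse", "anomaly", "hybrid"):
        print(mode, run(mode))
```

Running the script prints the confusion counts for each mode. Misuse detection catches only the traversal request (precision 1.0, true positive rate 1/6, because the repeated logins carry no signature); threshold detection catches the login burst but also flags the busy crawler (four false positives, one false negative); the hybrid mode reaches a true positive rate of 1.0 while inheriting the anomaly detector's false positives, which is the tradeoff the chapter describes for combined systems.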

1.5.2.2 Disadvantages of Anomaly Detection

* It usually has difficulty in determining whether unpredictable behaviour of users or objects of a system is indeed abnormal; thus it may produce a large number of false positive alarms.
* It often requires extensive training periods in order to characterise the normal behaviour of users and system objects.

A combined approach of both these methods may be more helpful. One such approach is to first apply anomaly detection to find possible intrusions; then the type of the intrusions can be identified using misuse detection.

1.5.3 Hybrid of Misuse and Anomaly IDS

There are systems out now that combine the two types of intrusion detection. Hybrid systems can use a rule base to check for known attacks against a system, and an anomaly algorithm to protect against new types of attacks (C. Herringshaw, 1997). This type of intrusion detection system takes the advantages from both systems, but unfortunately it also takes some of the disadvantages. Misuse detection could be used in combination with anomaly detection to name the attacks. This will shorten the response time the system administrator needs, as he can see what type of attack the system is under.

Intrusion detection systems also differ as on-line or off-line systems (J. Ryan et al., 1998). Depending on when audit data analysis is done, two situations are possible:

2.6 Offline Intrusion Detection System

Although off-line analysis permits greater depth of coverage, because processing of audit information can be shifted to non-peak times, it can only detect intrusions after the event has occurred. Offline intrusion detection systems are run periodically and they detect intrusions after the fact based on system logs.

2.7 Online Intrusion Detection System

Online systems are designed to detect intrusions while they are happening, thereby allowing for quicker intervention. Online intrusion detection systems are computationally very expensive because they require continuous monitoring. Decisions need to be made quickly with less data and therefore they are not as reliable.

2.8 Current Intrusion Detection Products

Having defined intrusion detection architecture in the previous section, it might be useful to investigate current intrusion detection products. The purpose of this investigation is firstly to determine which architectures are more commonly used by the current intrusion detection products and secondly to determine which detection approaches are mostly utilized and what responses are provided. Intrusion detection products can basically be categorised into two main groups (R. Hart et al., 1999):

* Commercial intrusion detection products; and
* Research intrusion detection products.

In the rest of this section each of these groups will be investigated.

2.8.1 Commercial Intrusion Detection Products

An extensive investigation revealed that there are a multitude of commercial intrusion detection products available today. The list is increasing daily, and Price (1998) provides an extensive list of commercial as well as "public" products, for instance Axent Technologies NetProwler, Axent Technologies Intruder Alert, CentraxICE, Cisco Secure IDS, SessionWall and ISS RealSecure (R. Hart et al., 1999; Network Computing, 2000; J. McHugh, 2001; B. Yocom et al., 2001). The following is a discussion of a variety of commercial products. The purpose of this section is only to illustrate each product's detection methods, advantages and disadvantages. It is worth mentioning that Network Computing (2000) utilized a comprehensive testing environment and spent several months in a lab to test these products, using an assortment of attack tools, utilities and load-generation mechanisms. The goal was to measure how accurately the systems detected hostile activity and how well they conveyed such activity to the user.

2.8.1.1 ISS RealSecure

RealSecure is a network-based intrusion detection product from Internet Security Systems. It offers a secure, distributed architecture that consists of the five components listed below:

* RealSecure Network Sensor;
* RealSecure Server Sensor;
* RealSecure OS Sensor;
* RealSecure for Nokia; and
* RealSecure Workgroup Manager.

The intrusion detection is done through multiple detection engines. Each engine can be distributed to various networks and reports back to a central management console. The engines can be set to detect a multitude of intrusions by using technical controls and a technique called pattern matching (a form of misuse detection). Pattern matching is a technique where the system looks for a signature that identifies an intruder. This signature is usually in the form of a pattern of events. When the intrusion engine detects a suspicious activity, it notifies the system administrator. All events are logged and a complete record of the intrusion can be viewed (McClure et al., 1998; B. Yocom et al., 2001).

Advantages:

* "Accurate Attack Identification" - the product accurately identifies known intrusions;
* "Flexible, Secure Distributed Management" - the product offers a secure distributed environment;
* "Easy to use GUI"; and
* "Quality Reporting with interesting session-recording tools".

Disadvantages:

* "Cannot create custom attacks" - the product cannot identify new types of intrusions (McClure et al., 1998).

2.8.1.2 SessionWall

SessionWall is a product from AbirNet. The SessionWall product is similar to a firewall. It also utilizes the pattern matching technique and allows the system administrator to define rules for monitoring, filtering and blocking network traffic. Thus, its action is very similar to a firewall, except that it captures the TCP/IP session from a LAN segment and applies the defined rules accordingly. SessionWall does not offer distributed management and it can only be monitored on the host that is watching the LAN segment. SessionWall does offer a variety of methods for reporting intrusions and will alert the local console, e-mail, page, and log data depending on configuration. It also offers many other reporting features, and it includes a report scheduler that allows report generation as often as every fifteen minutes. The report contains a variety of LAN data, including data on the attack (McClure et al., 1998).

Advantages:

* "Easy to use GUI";
* "Granular session filtering and blocking";
* "Simple to administer"; and
* "Low cost".

Disadvantages:

* "No Distributed Management" - the product can only be monitored on the host that is watching the LAN segment;
* "No True Intrusion-Detection Reports" - the intrusion-detection report does not contain all the details of the intrusion attack; and
* "Minor traffic monitoring bugs" (McClure et al., 1998).

2.8.1.3 Cisco Secure IDS

Cisco Secure IDS is a large-scale, real network IDS, formerly known as NetRanger. It uses various different detection techniques, including stateful pattern recognition, protocol parsing, heuristic detection, and anomaly detection. It comes with two components, the sensor and the director. The sensor component detects the misuse in real time and forwards an alert to the director. The director component can then take the appropriate action, such as removing the offender from the network. The director provides a centralized management point for the sensors. The sensor has comprehensive intrusion detection capabilities and can detect many known intrusions (B. Yocom et al., 2001; R. Hart et al., 1999).

Advantages:

* Uses a network vulnerability database that is updated with current threats on a regular basis;
* Ability to define own vulnerabilities; and
* "Centralized Management" through the director.

Disadvantage:

* Only available for the Sun operating system (R. Hart et al., 1999).

Three commonly known commercial packages were briefly described in this sub-section. These packages offer various detection and management functions. The detection function detects attacks through analysing network traffic. The management component usually allows for event managing and reporting, and incorporates a response component with a varying level of functionality. Most of these packages have numerous drawbacks, which led to the increase in the amount of new research projects conducted on intrusion detection. A few of these projects will be discussed in the following sub-section.

2.8.2 Research Intrusion Detection Products

Currently, there is a significant amount of active research performed in the intrusion detection domain. The most commonly known research projects will be investigated theoretically, in order to determine whether these projects developed new advanced approaches that can be used to overcome the shortcomings of the commercial products.

2.8.2.1 Emerald

Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD) is an intrusion detection project, being pursued within the Systems Design Laboratory at SRI International, which has been actively involved in the intrusion detection domain since 1983. Their first effort was the development of the Intrusion Detection Expert System (IDES), followed by the
