An Intruder is a person who attempts to gain unauthorized access to a system, to damage that system, or to disturb data on that system. This person attempts to violate Security by interfering with system Availability, data Integrity or data Confidentiality.
Types of Intruders:
Misfeasor: An individual who works within the scope of his privileges but misuses them. (E.g. someone who emails blueprints and schematics, covered by a patent held by the company he works for, to his home email account in order to sell them to a competitor.)
Clandestine user: An individual who seizes supervisory control to disengage or avoid security mechanisms of the system such as audit and access controls. (E.g. a user might take advantage of a security hole in the operating system in order to gain administrative privileges to a computer resource.)
Masquerader: An individual who overcomes a system's access control to exploit a legitimate user's account. (E.g. an individual could steal another user's login id and the associated password. If this data is at the disposal of an attacker, he can use the system incognito for his illicit intentions. A masquerader can also be an attacker from outside the network who happens to guess a password correctly.)
An Intrusion is an intentional violation of the security policy of a system. Intrusions are commonly referred to as penetrations.
Intrusion Detection System:
An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.
Functions of IDS:
Monitoring and analyzing both user and system activities.
Analyzing system configurations and vulnerabilities.
Assessing system and file Integrity.
Analysis of abnormal activity patterns.
Ability to recognize patterns typical of attacks.
Tracking user policy violations.
Q. Describe Types of IDS.
Ans. Types of Intrusion Detection Systems
Intrusion detection systems (IDS) can be classified in several ways. The major classifications are active (reactive) vs. passive IDS, network intrusion detection systems (NIDS) vs. host intrusion detection systems (HIDS), and knowledge-based (signature-based) vs. behavior-based (anomaly-based) IDS.
Passive system vs. reactive system:
In a passive system, the IDS detects a potential security breach, logs the information and signals an alert.
In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.
Though they both relate to network security, an IDS differs from a firewall in that a firewall looks out for intrusions in order to stop them from happening. The firewall limits the access between networks in order to prevent intrusion and does not signal an attack from inside the network.
An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system.
Network Intrusion detection systems (NIDS) and Host Intrusion detection systems (HIDS)
Network Intrusion Detection Systems (NIDS)
NIDS usually consists of a network appliance (or sensor) with a Network Interface Card (NIC) operating in promiscuous mode and a separate management interface. The IDS is placed along a network segment or boundary and monitors all traffic on that segment.
Host Intrusion Detection Systems (HIDS)
HIDS are software applications (agents) installed on the workstations that are to be monitored. The agents monitor the operating system and write data to log files and/or trigger alarms. A host intrusion detection system (HIDS) can only monitor the individual workstations on which the agents are installed; it cannot monitor the entire network. Host-based IDS are used to monitor intrusion attempts on critical servers.
Knowledge-based (Signature-based) IDS and behavior-based (Anomaly-based) IDS
Knowledge-based (Signature-based) IDS
A knowledge-based (signature-based) IDS references a database of previous attack signatures and known system vulnerabilities. In the context of intrusion detection, a signature is recorded evidence of an intrusion or attack. Each intrusion leaves a footprint behind (e.g., the nature of data packets, a failed attempt to run an application, failed logins, file and folder access, etc.). These footprints are called signatures and can be used to identify and prevent the same attacks in the future. Based on these signatures, a knowledge-based (signature-based) IDS identifies intrusion attempts.
The disadvantages of signature-based IDS are that the signature database must be continually updated and maintained, and that a signature-based IDS may fail to identify a new or unique attack for which no signature exists.
Behavior-based (Anomaly-based) IDS
A behavior-based (anomaly-based) IDS references a baseline or learned pattern of normal system activity to identify active intrusion attempts. Deviations from this baseline or pattern cause an alarm to be triggered.
Higher false alarm rates are often associated with behavior-based IDS, because legitimate but unusual activity also deviates from the baseline.
These host-based agents, which are sometimes referred to as sensors, would typically be installed on a machine that is deemed to be susceptible to possible attacks.
The term “host” refers to an individual computer, thus a separate sensor would be needed for every machine.
Sensors work by collecting data about events taking place on the system being monitored. This data is recorded by operating system mechanisms called audit trails.
Other sources from which a host-based sensor can obtain data include system logs, other logs generated by operating system processes, and the contents of objects not reflected in standard operating system audit and logging mechanisms.
These logs are for the most part simple text files, which are written a few lines at a time, as events occur and operations on a system take place.
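As an added illustration (not part of the notes above) of the signature-based and anomaly-based classification and of a host-based sensor reading its audit trail a few lines at a time, the following Python script runs both kinds of check over constructed log lines. The log format, the single signature, and the baseline values are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample audit-trail lines in a hypothetical syslog-like format.
AUDIT_LOG = """\
10:01:02 sshd: Accepted password for alice from 10.0.0.5
10:01:40 sshd: Failed password for bob from 203.0.113.9
10:01:41 sshd: Failed password for bob from 203.0.113.9
10:01:43 sshd: Failed password for bob from 203.0.113.9
10:01:45 sshd: Failed password for bob from 203.0.113.9
10:02:10 sudo: alice : COMMAND=/usr/bin/less /var/log/syslog
10:02:30 sudo: bob : COMMAND=/usr/sbin/useradd tmpadmin
10:03:00 sshd: Accepted password for alice from 10.0.0.5
"""

# Knowledge-based part: each signature is a recorded footprint of a known attack.
SIGNATURES = {
    "account creation via sudo": re.compile(r"sudo: (\w+) : COMMAND=/usr/sbin/useradd"),
}

# Behaviour-based part: learned baseline of failed logins per user per window
# (constructed values; a real sensor would learn these from historical audit data).
BASELINE_FAILED_LOGINS = {"alice": 0, "bob": 1}
FAILED_LOGIN = re.compile(r"Failed password for (\w+) from (\S+)")

def signature_alerts(lines):
    """Return (signature name, user, line) for every line matching a known signature."""
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            match = pattern.search(line)
            if match:
                alerts.append((name, match.group(1), line))
    return alerts

def anomaly_alerts(lines, baseline, tolerance=2):
    """Return (user, count) for users whose failed logins exceed baseline + tolerance."""
    counts = Counter()
    for line in lines:
        match = FAILED_LOGIN.search(line)
        if match:
            counts[match.group(1)] += 1
    return [(user, n) for user, n in counts.items()
            if n > baseline.get(user, 0) + tolerance]

def run_sensor(log_text):
    """Run both detectors over the log, as a host-based sensor would over its audit trail."""
    lines = log_text.splitlines()
    return {"signature": signature_alerts(lines),
            "anomaly": anomaly_alerts(lines, BASELINE_FAILED_LOGINS)}
```

The burst of failed logins carries no signature and is caught only by the baseline comparison, while the account creation matches a signature regardless of how often it occurs; raising the tolerance trades fewer false alarms for missed deviations.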
As host-based systems rely heavily on audit trails, they are limited by those audit trails, which are provided by the operating system vendor rather than by the manufacturer of the intrusion detection system itself. As a result, these trails may not necessarily support the needs of the intrusion detection system, leading some to conclude that more effective host-based systems may require the developer to amend the operating system kernel code to generate the needed event information.
As briefly mentioned above, because host-based systems can monitor access to information in terms of “who accessed what,” these systems can trace malicious or improper activities to a specific user ID.
Host-based sensors are also useful in that they can keep track of the behavior of individual users. This can help catch attacks while they are happening, or possibly stop a potential attack before it affects the system.
They have the ability to operate in environments that are encrypted, as well as over a switched network topology.
The distribution of host-based systems also allows them to be scalable: the load is spread evenly over the network, which is a valuable asset when network traffic becomes very large.
The sensors are host-based, so they have to be compatible with the platform they are running over. This lack of cross-platform support would represent a major obstacle for a corporation wishing to employ a host-based solution.
Network Based IDS
Network-based intrusion detection systems offer a different approach.
These systems collect information from the network itself rather than from each separate host.
They operate essentially on a "wiretapping" concept: information is collected from the network traffic stream as data travels on the network segment.
The intrusion detection system checks for attacks or irregular behavior by inspecting the contents and header information of all the packets moving across the network.
The network sensors come equipped with “attack signatures” that are rules on what will constitute an attack, and most network-based systems allow advanced users to define their own signatures.
This offers a way to customize the sensors based on an individual network’s needs and types of usage.
The sensors then compare these signatures to the traffic that they capture; this method is also known as packet sniffing and allows the sensor to identify hostile traffic.
Using network data as a primary source of information is desirable in several ways.
To start, running network monitors does not degrade the performance of other programs running over the network. This low performance cost is due to the fact that the monitors only read each packet as it comes across their network segment.
The operation of the monitors will be transparent to system users, and this is also significant for the intrusion detection system itself.
The transparency of the monitors decreases the likelihood that an adversary will be able to locate it and nullify its capabilities without significant effort. This decreased vulnerability strengthens the intrusion detection system, and adds another measure of security.
From a financial perspective, network based systems are very desirable.
The primary resource for these monitors is storage space, so companies could use older and slower equipment to do this work rather than purchase additional equipment. This could significantly save on deployment costs.
Network-based systems are also extremely portable.
They only monitor traffic over a specific network segment, and are independent of the operating systems that they are installed on.
This offers more options for businesses that run specialized software or software they have developed in-house, which will become increasingly attractive as the newer UNIX-based operating systems continue to increase in popularity.
Adding to their convenience, network-based sensors can be inserted easily on part of a network and data can be collected with minimal work.
In many cases, all that is required to collect information for analysis is the configuration of a network card. This is beneficial in situations where the network topology changes or where system resources have been moved: the intrusion detection system monitors can be moved and used as needed.
The sensors spot attacks based on their attack signatures. These signatures are written based on data collected from known and previous attacks, and this unfortunately ensures that these signatures will always be a step behind the latest underground exploits.
Although intrusion detection system vendors offer regular updates to their signature databases, many have not caught up in defining signatures for all known attacks.
Network monitors must inspect every packet that passes through the segment they are placed on. It has been demonstrated that network-based systems have difficulty keeping up in 100 Mbps environments; they simply cannot handle the load, and the trend is now moving toward gigabit speeds.
Encryption and switching represent two further limitations of network-based approaches. First, if network traffic is encrypted, an agent cannot scan the protocols or the content of these packets. Second, the nature of switches makes network monitoring extremely difficult.
In addition, network monitors are unable to see traffic travelling on other communication media, such as dial-up phone lines. This is an increasing concern as organizations employ a greater number of telecommuters, since their traffic cannot be monitored using this approach.
Although some network-based systems can infer from network traffic what is happening on hosts, they cannot tell the outcomes of commands executed on the host. This is an issue in detection when distinguishing between user error and malfeasance.