Shanze Ahmad: Intro to IDS

Shanze Ahmad

Intro to IDS:

On September 13, 1998 the New York Times web page was hacked into and altered by a group called HFG, causing the paper embarrassment and also raising concerns about the security of web sites and of company and government networks. At around this time the Pentagon web site and the White House web pages were also compromised. This minor “information” terrorism made both the public and private sector realize the security implications of running network based systems.

The ARPANET and the other fledgling beginnings of the Internet had security issues because they dealt with Department of Defense information, but those networks were closed and accessible only to a few cleared users. The real issues with hackers and network integrity came into play with the advent of the World Wide Web: the Web is largely used for commercial purposes, and all major companies maintain web sites which act as gateways into their host networks. Before the development of the World Wide Web the existing Internet mostly linked university networks and company research networks; the information was classified but accessible only to authorized users, and the capacity to share and manipulate data was not as high. With the Web and its growing commercial use, security issues concerning the integrity of data and the compromise of networks are often vital to the success and even the survival of an organization.

In order to help organizations protect themselves from attacks, intrusion detection systems (IDS) were created. Intrusion detection is necessary in today’s computing environment because of all the reasons stated above and the vulnerabilities that result from them. Vulnerabilities are weaknesses in a network or system which an attacker can exploit to compromise either the system or the integrity of its data. Every new innovation in a system or network introduces new vulnerabilities and new opportunities for attack. In the worst case, an intrusion can cause production downtime; sabotage of critical information; theft of critical information, cash or assets; or negative public relations.

Intrusion detection systems are used to identify and/or stop an intruder, track an intruder, support investigations into how an intruder got in, and prevent exploitation by future intruders. They help protect against external attacks, insider abuse, user error, system misconfiguration, recreational hacker activity, and suspicious or anomalous activity. IDS are not usually proactive systems; they do not actually block suspect users, because doing so usually blocks legitimate use as well. They work more like network burglar alarms: they react when they detect suspect activity or an outside intrusion. Thus they are useless without an analyst who actually monitors the system. They raise a flag or warning, but without anyone to observe and follow up on the warning the intruder can meander undetected throughout the network until the damage has been done. IDS are merely tools that assist a systems analyst by notifying security staff, providing data for investigations and monitoring the integrity of a network, as opposed to actual proactive protection tools.

Host Based Intrusion Detection

Host computers are computers that can be shared by many people at one time. IDS that run on host computers are termed host based intrusion detection systems, as opposed to network based IDS; they monitor unusual or suspect behavior from inside the system. Host based detection systems started in the early 1980s, before networks were as complex and interconnected as they are today ( Today they are powerful systems for detecting attacks from outside the network and especially for guarding against an insider compromising the network. They also help determine the proper method to forecast and defeat future attacks. Host based ID involves not only looking at the communications traffic in and out of a single channel, but also checking the integrity of the host as a whole for suspicious processing throughout the internal network (

Host based IDS have grown to include other technologies; one of the most popular detection methods is checking key system files and running thorough checks at regular intervals for unexpected changes. Host based IDS still use audit logs on Microsoft Windows networks. For example, when there is an attack or any file changes, the system reads the file and matches it against the stored signature of the file to see whether they are the same. If so, the system reports to the administrator and the action is allowed; if the signatures do not match, the alarm goes off (
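The file-signature check described above, as an added example that is not part of the original essay: it records a SHA-256 digest for every watched file (the "signature"), then on a later run reports files whose digest no longer matches, files that disappeared and files that appeared. The directory, file names and contents are constructed for the demonstration; a real deployment would watch system binaries and configuration files and keep the baseline where an intruder cannot rewrite it.

```python
"""File-integrity check in the style of a host based IDS (added example)."""
import hashlib
import json
import os
import tempfile


def file_digest(path: str) -> str:
    """Return the hex SHA-256 digest of a file, reading it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(watch_dir: str) -> dict:
    """Map every regular file under watch_dir (relative path) to its digest."""
    baseline = {}
    for root, _dirs, files in os.walk(watch_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            baseline[os.path.relpath(full, watch_dir)] = file_digest(full)
    return baseline


def check_against_baseline(watch_dir: str, baseline: dict) -> dict:
    """Compare the current state of watch_dir with a stored baseline.

    Returns {"modified": [...], "removed": [...], "added": [...]}; all three
    lists empty means every watched file still matches its recorded signature.
    """
    current = build_baseline(watch_dir)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline two files, then edit one, delete the
    other and drop in a new one, and return what the check reports."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(d, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = build_baseline(d)
        # Persist the baseline as JSON, as a real tool would (read-only or off-host).
        stored = json.loads(json.dumps(baseline))
        # Simulated unexpected changes after the baseline was taken.
        with open(os.path.join(d, "passwd"), "a") as f:
            f.write("# unexpected edit\n")
        os.remove(os.path.join(d, "hosts"))
        with open(os.path.join(d, "unexpected.bin"), "wb") as f:
            f.write(b"\x7fELF")
        return check_against_baseline(d, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the three lists; a scheduled run (cron, a service timer) against a baseline stored off the monitored host is the usual deployment, and any non-empty list is the alarm the essay refers to.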

There are three types of signatures in host based IDS. The first is statistical data, which depends on the data we put in to create the signature. The second, historical data, works much like it: it compiles and tracks the times people log in and out and perform ordinary functions on the network, but the difference is that with historical data the computer essentially uses artificial intelligence to build the signature. For example, if someone works from eight to five and logs in at twelve at night, the company’s system will realize that something is wrong and raise an alarm, in case someone is trying to steal or add information and compromise the information on the network. Tag files are the third signature in host based IDS: files are tagged electronically, and if someone touches a tagged sensitive file the flag goes up. The best example of this sort of file is the password file.
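The historical-data signature and the tag-file signature from the paragraph above, as an added example that is not part of the original essay: a per-user login-hour window is learned from past audit records, a login outside that window raises an alarm, and any access to a file on the tagged list raises an alarm whoever touches it. All history, events, file paths and the one-hour tolerance are constructed assumptions.

```python
"""Historical login-hour profile plus tagged-file alerts (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, ISO timestamp) of past successful logins.
HISTORY = [
    ("alice", "2024-03-04T08:05:00"), ("alice", "2024-03-05T08:12:00"),
    ("alice", "2024-03-06T09:00:00"), ("alice", "2024-03-07T08:30:00"),
    ("alice", "2024-03-08T16:55:00"), ("alice", "2024-03-11T08:20:00"),
    ("bob", "2024-03-04T22:00:00"), ("bob", "2024-03-05T23:15:00"),
    ("bob", "2024-03-06T22:40:00"), ("bob", "2024-03-07T21:50:00"),
]

# Tag list (assumed): files whose every access should raise a flag.
TAGGED_FILES = {"/etc/shadow", "/etc/passwd", "/var/lib/secrets/db.key"}

SLACK_HOURS = 1  # assumed tolerance on either side of the learned window


def build_profiles(history):
    """Per user, the earliest and latest hour-of-day seen in the history."""
    hours = defaultdict(list)
    for user, ts in history:
        hours[user].append(datetime.fromisoformat(ts).hour)
    return {u: (min(h), max(h)) for u, h in hours.items()}


def login_alert(profiles, user, ts):
    """Alert text for an off-hours or never-seen-before login, else None."""
    hour = datetime.fromisoformat(ts).hour
    if user not in profiles:
        return f"ALERT login: no history for user {user!r} at {ts}"
    lo, hi = profiles[user]
    if hour < lo - SLACK_HOURS or hour > hi + SLACK_HOURS:
        return f"ALERT login: {user} at {ts} outside usual {lo:02d}:00-{hi:02d}:59 window"
    return None


def file_alert(user, path, action):
    """Alert text if a tagged file was touched, else None."""
    if path in TAGGED_FILES:
        return f"ALERT tagged file: {user} {action} {path}"
    return None


def scan(profiles, events):
    """Run both signature checks over a list of audit events in order."""
    alerts = []
    for ev in events:
        if ev["kind"] == "login":
            a = login_alert(profiles, ev["user"], ev["ts"])
        else:
            a = file_alert(ev["user"], ev["path"], ev["action"])
        if a:
            alerts.append(a)
    return alerts


# Constructed new events to score against the learned profiles.
EVENTS = [
    {"kind": "login", "user": "alice", "ts": "2024-03-12T08:45:00"},  # normal
    {"kind": "login", "user": "alice", "ts": "2024-03-13T00:10:00"},  # midnight login
    {"kind": "login", "user": "bob", "ts": "2024-03-12T22:30:00"},    # normal night shift
    {"kind": "login", "user": "mallory", "ts": "2024-03-12T03:00:00"},  # unknown user
    {"kind": "file", "user": "alice", "path": "/home/alice/notes.txt", "action": "read"},
    {"kind": "file", "user": "bob", "path": "/etc/shadow", "action": "read"},
]

if __name__ == "__main__":
    for line in scan(build_profiles(HISTORY), EVENTS):
        print(line)
```

The profile here is a plain min/max window by hour of day, which is the simplest form of the statistical signature; a shift that spans midnight (bob's 21:00-23:59 window is fine, a 22:00-02:00 one would not be) needs a wraparound-aware profile, and a real tool would also weight recent history more heavily.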

IDS software has to be installed on the computer. There are two types of IDS software: the primary class of host based IDS software, and host wrappers/personal firewalls and agent-based software ( Either approach is much more effective at detecting trusted-insider attacks and protecting traffic. Host wrappers or personal firewalls can be configured to look at all network packets, connection attempts or login attempts to the monitored machine. The best-known example of wrappers is TCP Wrappers. Personal firewalls can also detect software on the host attempting to connect to the network, such as WRQ’s AtGuard. Host-based agents, on the other hand, may be able to monitor accesses and changes to critical files and changes in user privilege. (

In addition, Unix has reliable software tools to perform intrusion detection. Programs can be written on Unix to analyze log files and alert administrators through e-mail. System logging output can be sent to a remote site or modified, so the log files can be kept in non-standard places to prevent hackers from covering their tracks. (

Since host computers are shared by many people at one time, each person needs some kind of protection for their account and has a user ID. A user ID is a unique name of up to 12 characters that identifies the user to the computer when they log in and out. A password is a combination of 6-32 characters, letters or numbers. ( The password is to be used only by that user, and it is totally personal and private. The password should include special characters such as &, #, and *, which make it harder for anyone else to guess. Passwords on host based computers must be changed at least every 190 days ( In addition it is very important to secure our systems and keep them personal, so that hackers cannot get into the systems to add or delete information.

Host based IDS have different strengths for a variety of uses and provide advantages for users. These advantages center on stronger forensic analysis, close focus on host-specific event data and lower entry-level costs (

One of the most important advantages is that host based IDS verify the success or failure of an attack. They use logs containing events that have actually occurred, so they can determine where an attack happened ( and whether it succeeded or failed. A second advantage is that they monitor specific system activities. Host based IDS find out about user and file activities, including files accessed, changes to file permissions, attempts to install new executables and attempts to access privileged services ( For example, this software can monitor when users log in or off, as well as what each user does while connected to the network. Host based technology also monitors activities that are normally executed only by an administrator. The operating system can record events such as files being created, deleted, or modified. In addition the system can audit policy changes that affect the system and changes to key system files. It also catches activities that a network IDS will not see, such as installing Trojan horses or backdoors, which can then be stopped. ( The IDS also detects attacks that a network IDS will miss. For instance, attacks from the keyboard of a critical server do not cross the network and cannot be seen by a network IDS. Host based IDS also provide greater visibility in a switched environment by residing on as many critical hosts as needed. Another strength of host based IDS is that they operate in near real time and react accordingly. Although they do not offer true real-time detection, they come very close to it if implemented correctly ( The system receives an interrupt from the operating system when there is a new log file entry. The new entry can be processed soon after it arrives, which reduces the time between an attack and the reaction to it.

These responses fall into three categories: notification, storage, and active response ( This does not happen in other systems, and it makes host based IDS unique. Host based IDS are also reliable: they need no extra hardware, meaning the system does not require another box on the network that needs addressing, maintenance, and management ( Finally, this system costs much less than a network IDS. It costs not more than a couple of hundred dollars for a single agent and can be bought by customers with a limited budget, whereas a network IDS costs companies and customers thousands of dollars (
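The Unix log-analysis program mentioned earlier and the three response categories named just above (notification, storage, active response), combined in one added example that is not part of the original essay: syslog-style sshd lines are parsed, failed logins are counted per source address, and for any source over a threshold the program builds the alert e-mail (constructed, not sent), appends a record to an alert file, and renders the host firewall rule an active response would apply (returned as a string, not executed). The log lines, threshold, mail addresses and alert path are constructed assumptions.

```python
"""Log-file analysis with notification, storage and active response (added example)."""
import json
import os
import re
import tempfile
from collections import Counter
from email.message import EmailMessage

# Constructed sshd log lines in syslog format.
LOG_LINES = """\
Mar 12 03:01:07 host1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar 12 03:01:09 host1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 41023 ssh2
Mar 12 03:01:12 host1 sshd[2103]: Failed password for root from 198.51.100.7 port 41030 ssh2
Mar 12 03:01:15 host1 sshd[2105]: Failed password for root from 198.51.100.7 port 41031 ssh2
Mar 12 03:02:00 host1 sshd[2110]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Mar 12 03:05:44 host1 sshd[2120]: Failed password for bob from 192.0.2.10 port 50130 ssh2
""".splitlines()

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
THRESHOLD = 3  # assumed: failures from one source before responding
ALERT_TO, ALERT_FROM = "security@example.com", "ids@host1.example.com"  # assumed


def count_failures(lines):
    """Count failed-password events per source address."""
    per_source = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            per_source[m.group(2)] += 1
    return per_source


def offenders(lines, threshold=THRESHOLD):
    """Sources whose failure count reached the threshold, with their counts."""
    return {src: n for src, n in count_failures(lines).items() if n >= threshold}


def notification(src, n):
    """Notification: build (not send) the e-mail an operator would receive."""
    msg = EmailMessage()
    msg["Subject"] = f"[IDS] {n} failed SSH logins from {src}"
    msg["From"], msg["To"] = ALERT_FROM, ALERT_TO
    msg.set_content(f"{n} failed password attempts from {src} reached threshold {THRESHOLD}.")
    return msg


def store(alert_path, src, n):
    """Storage: append a JSON record so the event survives for investigation."""
    with open(alert_path, "a") as f:
        f.write(json.dumps({"source": src, "failures": n}) + "\n")
    return alert_path


def active_response(src):
    """Active response: the host firewall rule that would drop the source.
    Returned as a string; an operator or policy decides whether to apply it."""
    return f"iptables -I INPUT -s {src} -p tcp --dport 22 -j DROP"


def respond(lines, alert_path):
    """Run all three responses for every offender and return what was produced."""
    out = {}
    for src, n in offenders(lines).items():
        out[src] = {
            "notify": notification(src, n)["Subject"],
            "store": store(alert_path, src, n),
            "active": active_response(src),
        }
    return out


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(json.dumps(respond(LOG_LINES, os.path.join(d, "alerts.jsonl")), indent=2))
```

Sending the message is one `smtplib.SMTP(...).send_message(msg)` call away; it is left out so the example runs offline. The storage step is the one that matters most for the forensic strengths the essay lists: an alert that exists only as a sent e-mail is gone once the mailbox is, while an append-only record on a separate host stays available to the investigation.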

Host based IDS are among the most necessary software systems for protecting and securing the data and information of private and public businesses. They are a useful system for small businesses or home computers to prevent hackers from breaking into the system.