
Chapter 3: Intruder Detection and Intruder Identification

Development of Protocols and Algorithms to Secure Integration of Ad hoc Network and Wired Network

Source: shodhganga.inflibnet.ac.in/bitstream/10603/34783/12/12_chapter3.pdf


3.1 Introduction

3.1.1 1998 DARPA Intrusion Detection System Evaluation

Heavy reliance on networked computer resources and the increasing connectivity of these networks has greatly increased the potential damage that can be caused by attacks launched against computers from remote sources. These attacks are difficult to prevent with firewalls, security policies, or other mechanisms because system and application software is changing at a rapid pace, and this rapid pace often leads to software that contains unknown weaknesses or bugs. Intrusion detection systems are designed to detect those attacks that inevitably occur despite security precautions. Some intrusion detection systems detect attacks in real time and can be used to stop an attack in progress. Others provide after-the-fact information about attacks that can be used to repair damage, understand the attack mechanism, and reduce the possibility of future attacks of the same type [105].

Many parties are working on the development of intrusion detection systems, including universities, commercial software companies, and organizations within the Department of Defence. As these groups explore different methods and develop various new systems for intrusion detection, it is clearly advantageous to have a means of evaluating the success of these systems in detecting attacks. The best environment for testing and evaluation of an intrusion detection system is the actual environment in which it will be used. However, research groups often do not have access to operational networks on which to test their systems, and these systems (especially while they are still in early development) are tested in a simulated environment. The ability to perform accurate testing and evaluation in a simulated environment requires high-quality data that is similar to the traffic (including attacks) that one finds on operational networks. In general, this data is difficult to acquire because it contains private information and reveals potential vulnerabilities of the networks from which the data is collected. These factors led to DARPA sponsorship of MIT Lincoln Laboratory’s 1998 intrusion detection evaluation, which created the first standard corpus for the evaluation of intrusion detection systems.

The 1998 intrusion detection evaluation was the first of an ongoing series of yearly evaluations conducted by MIT Lincoln Laboratory under DARPA ITO and Air Force Research Laboratory sponsorship. These evaluations contribute significantly to the intrusion detection research field by providing direction for research efforts and calibration of current technical capabilities. The 1998 evaluation was designed to be simple, to focus on core technology issues, and to encourage the widest possible participation by eliminating security and privacy concerns and by providing data types that are used by the majority of intrusion detection systems. Data for the first evaluation was made available in the summer of 1998. The evaluation itself occurred towards the end of the summer. A follow-up meeting for evaluation participants and other interested parties was held in December 1998 to discuss the results of the evaluation.

3.1.2 The Development of Attacks for the 1998 DARPA Evaluation

This section describes the computer attacks that were included in the 1998 DARPA intrusion detection evaluation. A large sample of actual computer attacks was needed to accurately test the performance of intrusion detection systems. These attacks needed to cover the different classes of attack types. Many of the attacks used in the evaluation were drawn from public sources, but some novel attacks were developed specifically for use in this evaluation. In all cases, these attacks had to be adapted to work reliably in the largely automated simulation network from which the 1998 DARPA evaluation data were collected. Later sections of this thesis discuss the methods that were developed to create realistic simulations of computer intrusion scenarios, and the methods that were developed to vary the degree of attack stealthiness.

People who attack computer networks often have goals beyond simply gaining access to a system. Some attackers break into computers simply for the challenge, others are interested in collecting information and some are motivated by the desire to cause damage. Attackers also vary in their level of sophistication, and an accurate evaluation of intrusion detection systems requires testing how well the systems are able to detect attacks from all types of attackers, from the relative novice who is not aware that an intrusion detection system is monitoring a network to the sophisticated, experienced cracker who knows about intrusion detection systems and takes steps to avoid being caught.

3.2 Background Details

3.2.1 Overview of Computer Attacks

In its broadest definition, a computer attack is any malicious activity directed at a computer system or the services it provides. Examples of computer attacks are viruses, use of a system by an unauthorized individual, denial-of-service by exploitation of a bug or abuse of a feature, probing of a system to gather information, or a physical attack against computer hardware. Subsets of the possible types of computer attacks were included in the 1998 DARPA intrusion detection system evaluation, including:

i. Attacks that allow an intruder to operate on a system with more privileges than are allowed by the system security policy,

ii. Attacks that deny someone else access to some service that a system provides, or

iii. Attempts to probe a system to find potential weaknesses.

The following paragraphs provide some examples of the many ways that an attacker can either gain access to a system or deny legitimate access by others.

• Social Engineering: An attacker can gain access to a system by fooling an authorized user into providing information that can be used to break into a system. For example, an attacker can call an individual on the telephone impersonating a network administrator in an attempt to convince the individual to reveal confidential information (passwords, file names, details about security policies). Alternatively, an attacker can deliver a piece of software to a user of a system which is actually a Trojan horse containing malicious code that gives the attacker system access.

• Implementation Bug: An attacker can exploit bugs in trusted programs to gain unauthorized access to a computer system. Specific examples of implementation bugs are buffer overflows, race conditions and mishandling of temporary files.

• Abuse of Feature: There are legitimate actions that one can perform that when taken to the extreme can lead to system failure. Examples include opening hundreds of telnet connections to a machine to fill its process table, or filling up a mail spool with junk e-mail.

• System Misconfiguration: An attacker can gain access because of an error in the configuration of a system. For example, the default configuration of some systems includes a “guest” account that is not protected with a password.

• Masquerading: In some cases, it is possible to fool a system into giving access by misrepresenting oneself. An example is sending a TCP packet that has a forged source address that makes the packet appear to come from a trusted host.

3.2.2 Intrusion Detection Systems

Intrusion detection systems gather information from a computer or network of computers and attempt to detect intruders or system abuse. Generally, an intrusion detection system will notify a human analyst of a possible intrusion and take no further action, but some newer systems take active steps to stop an intruder at the time of detection [136].

Although there are many possible sources of data an intrusion detection system can use, three types of data were provided to participants in the 1998 Lincoln Laboratory intrusion detection evaluation. Most intrusion detection systems in existence today use one or more of these three types of data. The first of these data sources is traffic sent over the network. On a shared-medium Ethernet segment, all data that is transmitted is visible to any machine present on the local network segment, so one machine connected to that Ethernet can be used to monitor traffic for all the hosts on the network (the single sniffer used in the evaluation relies on this; on a switched network the monitoring machine must instead be fed from a mirror port or a tap). During the DARPA evaluation, network traffic was sniffed using a single machine running the tcpdump program [91] to save the network traffic. A second source of data for an intrusion detection system is system-level audit data. Most operating systems offer some level of auditing of operating system events. The amount of data that is collected could be as limited as logging failed attempts to log in, or as verbose as logging every system call. Basic Security Module (BSM) [159] data from a Solaris victim machine was collected and distributed as part of the DARPA evaluation data. A third source of data distributed to the evaluation participants was information about file system state. Daily file system dumps were collected from each of the machines used in the simulation. An intrusion detection system that examines this file system data can alert an administrator whenever a system binary file (such as the ps, login, or ls program) is modified. Normal users have no legitimate reason to alter these files, so a change to a system binary file indicates that the system has been compromised. Although there are many other potential sources of data that can be used by an intrusion detection system to find attacks (such as real-time process lists, logfiles, processor loads, etc.), these three sources (sniffed network traffic, host-level audit files, and file-system state) were provided to participants in the 1998 evaluation.
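The file-system-state check described above, as an added example (not code from the thesis or from the DARPA evaluation): a baseline of SHA-256 digests for monitored binaries is recorded while the system is trusted, and a later snapshot is compared against it. The stand-in file names (ps, login, ls), the dropped "rootkit" file and the temporary directory are constructed for the demonstration. A real deployment keeps the baseline off the monitored host or on read-only media, since an intruder with root can otherwise rewrite it along with the binaries; the daily dumps taken in the evaluation play that role.

```python
"""File-system-state check (added example, not from the thesis): hash monitored
binaries while the host is trusted, then compare a later snapshot against it."""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 16


def file_digest(path):
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Record size, permission bits and digest for each monitored path.
    A path that does not exist yet is recorded as None so that its later
    appearance is reported as 'added'."""
    snapshot = {}
    for p in paths:
        if os.path.exists(p):
            st = os.stat(p)
            snapshot[p] = {"size": st.st_size, "mode": st.st_mode & 0o7777,
                           "sha256": file_digest(p)}
        else:
            snapshot[p] = None
    return snapshot


def compare(baseline, current):
    """Classify differences between two snapshots. Any change to a system
    binary is treated as a compromise indicator, since normal users never
    legitimately alter these files."""
    report = {"modified": [], "added": [], "removed": [], "mode_changed": []}
    for p in sorted(set(baseline) | set(current)):
        old, new = baseline.get(p), current.get(p)
        if old is None and new is not None:
            report["added"].append(p)
        elif old is not None and new is None:
            report["removed"].append(p)
        elif old is not None and new is not None:
            if old["sha256"] != new["sha256"]:
                report["modified"].append(p)       # content differs; size may not
            elif old["mode"] != new["mode"]:
                report["mode_changed"].append(p)   # e.g. a setuid bit appeared
    return report


def demo():
    """Constructed scenario: three stand-in binaries are baselined; then 'login'
    is replaced by a same-size trojaned copy, 'ls' is deleted and a new file
    is dropped. Returns the report keyed by basename."""
    with tempfile.TemporaryDirectory() as d:
        names = ["ps", "login", "ls"]
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"ELF original " + n.encode())
        monitored = [os.path.join(d, n) for n in names + ["rootkit"]]
        # Round-trip through JSON: this is the form the baseline is stored in
        # off-host between snapshots.
        baseline = json.loads(json.dumps(build_baseline(monitored)))
        with open(os.path.join(d, "login"), "wb") as f:
            f.write(b"ELF backdoor login")        # same length as the original
        os.remove(os.path.join(d, "ls"))
        with open(os.path.join(d, "rootkit"), "wb") as f:
            f.write(b"hidden module")
        report = compare(baseline, build_baseline(monitored))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The trojaned `login` has the same size as the original, which is why the comparison keys on the digest and not on size or timestamp; a change in permission bits alone (a setuid bit added to a previously unprivileged binary) is reported separately so it is not lost among content changes.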

After the three types of data were collected and aggregated, the data was distributed to participants via CD-ROM. Once participants obtained this data, each group used its particular intrusion detection system to find the intrusions and abuses that were inserted into the collected traffic. Although the 1998 DARPA evaluation tested only the ability to find attacks offline, some intrusion detection systems can evaluate data in real-time, allowing administrators (or the system itself) to take defensive action against the intruder.

3.2.3 Strategies for Intrusion Detection

The different approaches that have been pursued to develop intrusion detection systems are described in many papers, including [30][106][160]. Figure 3-1 shows four major approaches to intrusion detection and the different characteristics of these approaches. The lower part of this figure shows approaches that detect only known attacks, while the upper part shows approaches that detect novel attacks. Simpler approaches are shown on the left and approaches that are both computationally more complex and have greater memory requirements are shown towards the right.

The most common approach to intrusion detection, denoted as “signature verification”, is shown on the bottom of Figure 3-1. Signature verification schemes look for an invariant sequence of events that match a known type of attack. For example, a signature verification system that is looking for a Ping of Death denial-of-service attack (an oversize ping packet that causes some machines to reboot) would have a simple rule that says, “Any ping packet of length greater than 64 kilobytes is an attack.” Such a rule has to be applied to the reassembled datagram rather than to the individual packets seen on the wire, since the oversize ping is delivered as a train of fragments that are each of legal size. Attack signatures can be devised that detect attempts to exploit many possible system vulnerabilities, but a large drawback of this strategy is that it is difficult to establish rules that identify novel types of attacks. The Network Security Monitor (NSM) was an early signature-based intrusion detection system that found attacks by searching for keywords in network traffic captured using a sniffer. Early versions of the NSM [100][68] were the foundation of many government and commercial intrusion detection systems, including NetRanger [46] and NID [104]. Signature verification systems are popular because one sniffer can monitor traffic to many workstations, and the computation required to reconstruct network sessions and search for keywords is not excessive. In practice, these systems can have high false-alarm rates (e.g. hundreds of false alarms per day) because it is often difficult to select keywords by hand that successfully detect real attacks without creating false alarms for normal traffic. In addition, signature verification schemes must be updated frequently to detect new attacks as they are discovered. Recent research on systems which rely on signature verification includes Bro [128] and NSTAT [90].
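Added example, not from the original: the Ping of Death rule from the paragraph above, applied where it actually has to be applied. Each fragment of an oversize ICMP echo is a legal size; only the reassembled datagram exceeds the 65,535-byte maximum that the IPv4 total-length field can express. The fragment trains below are constructed (addresses, identification values and sizes are made up), and the reassembly accepts overlapping fragments as they come, which a production IDS must not do because overlap ambiguity is itself an evasion vector.

```python
"""Ping of Death signature applied to reassembled IPv4 datagrams (added example,
not from the thesis). Fragment trains, addresses and IDs below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

IPV4_MAX_TOTAL_LEN = 65535   # largest value the 16-bit total-length field can hold
IP_HEADER_LEN = 20


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int         # IPv4 identification field shared by all fragments of one datagram
    offset: int        # fragment offset in bytes (header field value * 8)
    more: bool         # MF flag: more fragments follow
    payload_len: int   # bytes of IP payload (ICMP header + data) in this fragment


def is_complete(frags):
    """True when the fragments cover bytes 0..end contiguously and the last has MF=0.
    Overlapping fragments are accepted as-is here; a real reassembler must resolve
    overlaps the same way the target OS does."""
    frags = sorted(frags, key=lambda f: f.offset)
    if frags[-1].more:
        return False
    covered = 0
    for f in frags:
        if f.offset > covered:
            return False
        covered = max(covered, f.offset + f.payload_len)
    return True


def reassembled_length(frags):
    """Total length of the datagram the fragments reassemble to, header included."""
    return IP_HEADER_LEN + max(f.offset + f.payload_len for f in frags)


def ping_of_death_alerts(fragments):
    """The rule 'a ping longer than the IPv4 maximum is an attack', applied after
    grouping fragments by (src, dst, id) and reassembling each datagram."""
    groups = defaultdict(list)
    for f in fragments:
        groups[(f.src, f.dst, f.ident)].append(f)
    alerts = []
    for key, frags in groups.items():
        if not is_complete(frags):
            continue
        total = reassembled_length(frags)
        if total > IPV4_MAX_TOTAL_LEN:
            alerts.append((key, total))
    return alerts


def per_fragment_alerts(fragments):
    """The same rule applied naively to each packet on the wire: it never fires,
    because every individual fragment is a legal size."""
    return [f for f in fragments if IP_HEADER_LEN + f.payload_len > IPV4_MAX_TOTAL_LEN]


def build_fragments(src, dst, ident, total_payload, mtu_payload=1480):
    """Constructed fragment train for an ICMP echo whose IP payload is total_payload
    bytes, split the way a 1500-byte-MTU Ethernet link would split it."""
    frags, off = [], 0
    while off < total_payload:
        n = min(mtu_payload, total_payload - off)
        frags.append(Fragment(src, dst, ident, off, off + n < total_payload, n))
        off += n
    return frags


# Constructed traffic: the largest legal ping (65535 - 20 = 65515 payload bytes)
# and an oversize one whose fragments arrive in reverse order.
SAMPLE = (
    build_fragments("10.0.0.7", "10.0.0.1", 0x1A2B, 65515)
    + list(reversed(build_fragments("10.0.0.9", "10.0.0.1", 0x1A2C, 65518)))
)

if __name__ == "__main__":
    print("per-fragment rule:", per_fragment_alerts(SAMPLE))
    print("reassembled rule: ", ping_of_death_alerts(SAMPLE))
```

The legal 65,515-byte echo reassembles to exactly 65,535 bytes and is not flagged; the 65,518-byte one reassembles to 65,538 and is. The naive per-packet version of the rule sees nothing in either case, which is the general lesson for keyword and size signatures: the sensor has to reconstruct what the victim will see before it matches.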

(Figure 3-1: Approaches to Intrusion Detection)

The approaches shown in the upper half of Figure 3-1 can be used to find novel attacks. This capability is essential to protect critical hosts because new attacks and attack variants are constantly being developed.

Anomaly detection, shown in the upper right of Figure 3-1, is one of the most frequently suggested approaches to detect novel attacks. Anomaly detection schemes construct statistical models of the typical behaviour of a system and issue warnings when they observe actions that deviate significantly from those models. NIDES was one of the first statistical anomaly detection systems used to detect unusual user [131] and unusual program [23] behaviour. The statistical component of NIDES forms a model of user, system, or network activity during an initial training phase. After training, anomalies are detected and flagged as attacks. Of course, anomalous behaviour does not always signal that an attack is taking place, so anomaly detection systems need to be carefully tuned to avoid high false alarm rates. This level of tuning is only possible if normal user or system activity is stable over time and does not overlap with attacker activity. A user with very regular habits will be easy to model, and any intruder attempting to masquerade as such a user would likely exhibit behaviour that deviates significantly from the user’s normal activity. The actions of a system administrator, however, might be more irregular and harder to distinguish from the actions of an attacker. In addition, an attacker may be able to slowly change the characteristics that an anomaly detection system considers “normal” by deviating only slightly from normal behaviour over a long period; once the anomaly detection system has been trained to consider more actions “normal”, the attacker can mount the attack and avoid detection. A second disadvantage of anomaly detection schemes is the large computation and memory resources required to maintain the statistical model. Recent research on anomaly detection includes the development of EMERALD [127], which combines statistical anomaly detection from NIDES with signature verification.
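Added example (not from the thesis) of a NIDES-style statistical profile and of the slow-drift problem described above. The feature values are constructed (say, distinct hosts a user logs in to per day); the model keeps a sliding window of accepted observations, flags values more than three standard deviations from the window mean, and absorbs unflagged values into the window as new normal. An attacker who knows the threshold keeps each day's value just under it and walks the profile up until the real target activity is no longer anomalous.

```python
"""NIDES-style statistical profile with online retraining, and the slow-drift
evasion it permits (added example, not from the thesis). Feature values are
constructed: think 'distinct hosts a user logs in to per day'."""
import statistics
from collections import deque


class WindowedAnomalyModel:
    """Sliding-window mean/standard-deviation profile of one feature."""

    def __init__(self, training, window=30, threshold=3.0, min_std=0.5):
        self.window = deque(training, maxlen=window)
        self.threshold = threshold
        # Floor on the spread so a perfectly regular user does not make every
        # deviation infinitely anomalous (and the profile untunable).
        self.min_std = min_std

    def mean_std(self):
        mean = statistics.mean(self.window)
        std = max(statistics.pstdev(self.window), self.min_std)
        return mean, std

    def zscore(self, x):
        mean, std = self.mean_std()
        return (x - mean) / std

    def observe(self, x):
        """Flag x if it deviates more than `threshold` standard deviations from the
        profile. Unflagged values are absorbed as new 'normal' behaviour; that is
        the property a patient attacker exploits."""
        if abs(self.zscore(x)) > self.threshold:
            return True
        self.window.append(x)
        return False


# Twenty days of a very regular user (constructed): mean 10.2, std about 0.87.
TRAINING = [10, 11, 9, 10, 12, 10, 9, 11, 10, 10] * 2


def sudden_masquerade(target=40):
    """An intruder who takes over the account and immediately does the real work
    is about 34 standard deviations out and is flagged on day one."""
    return WindowedAnomalyModel(TRAINING).observe(target)


def slow_drift(target=40, max_days=1000):
    """An intruder who knows the threshold keeps each day's value just under it,
    letting the profile absorb the increase, until `target` itself is no longer
    anomalous. Returns how long that took and how many alerts it raised."""
    model = WindowedAnomalyModel(TRAINING)
    alerts = 0
    for day in range(1, max_days + 1):
        if model.zscore(target) <= model.threshold:
            return {"days": day,
                    "alerts_during_drift": alerts,
                    "final_flagged": model.observe(target)}
        mean, std = model.mean_std()
        if model.observe(mean + 0.9 * model.threshold * std):
            alerts += 1
    return None   # profile never drifted far enough within max_days


if __name__ == "__main__":
    print("sudden masquerade flagged:", sudden_masquerade())
    print("slow drift:", slow_drift())
```

The same threshold that catches the abrupt masquerader on day one lets the patient one through without a single alert, and lowering it trades that false negative for false positives on the regular user's own variation. Freezing the profile after training removes the drift path but then legitimate change in the user's habits generates alarms instead, which is the tuning tension the paragraph describes.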

Specification-based intrusion detection [91] is a second approach that can be used to detect new attacks. It detects attacks that make improper use of system or application programs. This approach involves first writing security specifications that describe the normal intended behaviour of programs. Host-based audit records are then monitored to detect behaviour that violates the security specifications. This approach was applied to UNIX system programs and successfully found many attacks [91]. Specification-based intrusion detection has the potential to provide very low false alarm rates and detect a wide range of attacks including many forms of malicious code such as Trojan horses, viruses, attacks that take advantage of race conditions, and attacks that take advantage of improperly synchronized distributed programs. Unfortunately, it is difficult to apply because security specifications must be written for all monitored programs. This is difficult because system and application programs are constantly updated. Specification-based intrusion detection is thus best applied to a small number of critical user or system programs that might be considered prime targets for an attack.
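Added example of specification-based checking, not code from [91] or from the thesis. The program name /usr/bin/hypo_passwd, its specification and the audit records are all constructed; the record format is a flattened stand-in for BSM-style audit events. The specification lists which paths each operation may touch and adds one sequence constraint: renaming onto a target file is permitted only after the same process has written that target's temporary copy, which is the program's intended update protocol.

```python
"""Specification-based checking of host audit records (added example, not code
from [91] or the thesis). The program, its specification and the audit trace are
all constructed; records are a flattened stand-in for BSM-style audit events."""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    pid: int
    program: str   # executable the audited process is running
    event: str     # "open_r", "open_w", "rename", "exec"
    path: str      # object the operation acted on


# Hypothetical setuid password-changing program: everything it is allowed to
# touch, per operation. An empty list means the operation is never permitted.
SPECS = {
    "/usr/bin/hypo_passwd": {
        "open_r": ["/etc/passwd", "/etc/shadow", "/etc/pam.d/*", "/usr/lib/*"],
        "open_w": ["/etc/passwd.tmp*", "/etc/shadow.tmp*"],
        "rename": ["/etc/passwd", "/etc/shadow"],
        "exec": [],
    }
}


def allowed(spec, event, path):
    return any(fnmatch.fnmatchcase(path, pat) for pat in spec.get(event, []))


def check(records, specs=SPECS):
    """Return (record, reason) for every audited action that violates its program's
    specification. Besides the per-operation path lists, one sequence rule is
    enforced: a process may rename onto a target only after writing that target's
    temporary file."""
    violations = []
    wrote_tmp = set()   # (pid, target) pairs whose temp file has been written
    for r in records:
        spec = specs.get(r.program)
        if spec is None:
            continue   # program not covered by any specification
        if not allowed(spec, r.event, r.path):
            violations.append((r, "path not permitted for this operation"))
            continue
        if r.event == "open_w":
            wrote_tmp.add((r.pid, r.path.split(".tmp")[0]))
        elif r.event == "rename" and (r.pid, r.path) not in wrote_tmp:
            violations.append((r, "rename without prior write of its temp file"))
    return violations


# Constructed audit trace: one legitimate run (pid 4001), an unmonitored program,
# a subverted run that drops a preload library and spawns a shell (pid 4102), and
# a run that renames onto /etc/shadow without ever writing a temp file (pid 4103).
TRACE = [
    AuditRecord(4001, "/usr/bin/hypo_passwd", "open_r", "/etc/passwd"),
    AuditRecord(4001, "/usr/bin/hypo_passwd", "open_r", "/etc/shadow"),
    AuditRecord(4001, "/usr/bin/hypo_passwd", "open_w", "/etc/shadow.tmp4001"),
    AuditRecord(4001, "/usr/bin/hypo_passwd", "rename", "/etc/shadow"),
    AuditRecord(4002, "/bin/ls", "open_r", "/etc/shadow"),
    AuditRecord(4102, "/usr/bin/hypo_passwd", "open_r", "/etc/shadow"),
    AuditRecord(4102, "/usr/bin/hypo_passwd", "open_w", "/etc/ld.so.preload"),
    AuditRecord(4102, "/usr/bin/hypo_passwd", "exec", "/bin/sh"),
    AuditRecord(4103, "/usr/bin/hypo_passwd", "rename", "/etc/shadow"),
]

if __name__ == "__main__":
    for rec, why in check(TRACE):
        print(f"pid {rec.pid} {rec.event} {rec.path}: {why}")
```

No attack signature is involved: the subverted run is caught because it does things the specification never permits, whichever exploit got it there, which is why this approach can see novel attacks with few false alarms. The same trace also shows the coverage limit the paragraph warns about: the read of /etc/shadow by /bin/ls passes unremarked because no specification was written for that program.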


The final strategy shown in Figure 3-1 is bottleneck verification. The bottleneck verification approach applies to situations where there are only a few, well-defined ways to transition between two groups of states.

3.3 Intrusion Detection and Prevention Principles

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Incidents have many causes, such as malware (e.g., worms, spyware), attackers gaining unauthorized access to systems from the Internet, and authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorized. Although many incidents are malicious in nature, many others are not; for example, a person might mistype the address of a computer and accidentally attempt to connect to a different system without authorization.

An Intrusion Detection System (IDS) is software that automates the intrusion detection process. An Intrusion Prevention System (IPS) is software that has all the capabilities of an intrusion detection system and can attempt to stop possible incidents. This section provides an overview of IDS and IPS technologies as a foundation for the rest of the publication. It first explains how IDS and IPS technologies can be used. Next, it describes the key functions that IDS and IPS technologies perform and the detection methodologies that they use. Finally, it provides an overview of the major classes of IDS and IPS technologies.

IDS and IPS technologies offer many of the same capabilities, and administrators can usually disable prevention features in IPS products, causing them to function as IDSs. Accordingly, for brevity the term Intrusion Detection and Prevention Systems (IDPS) is used throughout the rest of this thesis to refer to both IDS and IPS technologies.


3.3.1 Uses of IDPS Technologies

IDPSs are primarily focused on identifying possible incidents. For example, an IDPS could detect when an attacker has successfully compromised a system by exploiting a vulnerability in the system. The IDPS could then report the incident to security administrators, who could quickly initiate incident response actions to minimize the damage caused by the incident. The IDPS could also log information that could be used by the incident handlers [121].

Many IDPSs can also be configured to recognize violations of security policies. For example, some IDPSs can be configured with firewall-ruleset-like settings, allowing them to identify network traffic that violates the organization’s security or acceptable use policies. In addition, some IDPSs can monitor file transfers and identify ones that might be suspicious, such as copying a large database onto a user’s laptop.

Many IDPSs can also identify reconnaissance activity, which may indicate that an attack is imminent. For example, some attack tools and forms of malware, particularly worms, perform reconnaissance activities such as host and port scans to identify targets for subsequent attacks. An IDPS might be able to block reconnaissance and notify security administrators, who can take actions if needed to alter other security controls to prevent related incidents. Because reconnaissance activity is so frequent on the Internet, reconnaissance detection is often performed primarily on protected internal networks.

In addition to identifying incidents and supporting incident response efforts, organizations have found other uses for IDPSs, including the following:

• Identifying security policy problems. An IDPS can provide some degree of quality control for security policy implementation, such as duplicating firewall rule sets and alerting when it sees network traffic that should have been blocked by the firewall but was not because of a firewall configuration error.

• Documenting the existing threat to an organization. IDPSs log information about the threats that they detect. Understanding the frequency and characteristics of attacks against an organization’s computing resources is helpful in identifying the appropriate security measures for protecting the resources. The information can also be used to educate management about the threats that the organization faces.

• Deterring individuals from violating security policies. If individuals are aware that their actions are being monitored by IDPS technologies for security policy violations, they may be less likely to commit such violations because of the risk of detection.

Because of the increasing dependence on information systems and the prevalence and potential impact of intrusions against those systems, IDPSs have become a necessary addition to the security infrastructure of nearly every organization.

3.3.2 Key Functions of IDPS Technologies

There are many types of IDPS technologies, which are differentiated primarily by the types of events that they can recognize and the methodologies that they use to identify incidents. In addition to monitoring and analyzing events to identify undesirable activity, all types of IDPS technologies typically perform the following functions:

• Recording information related to observed events. Information is usually recorded locally, and might be sent to separate systems such as centralized logging servers, Security Information and Event Management (SIEM) solutions, and enterprise management systems.

• Notifying security administrators of important observed events. This notification, known as an alert, occurs through any of several methods, including the following: e-mails, pages, messages on the IDPS user interface, Simple Network Management Protocol (SNMP) traps, syslog messages, and user-defined programs and scripts. A notification message typically includes only basic information regarding an event; administrators need to access the IDPS for additional information.

• Producing reports. Reports summarize the monitored events or provide details on particular events of interest.

Some IDPSs are also able to change their security profile when a new threat is detected. For example, an IDPS might be able to collect more detailed information for a particular session after malicious activity is detected within that session. An IDPS might also alter the settings for when certain alerts are triggered or what priority should be assigned to subsequent alerts after a particular threat is detected.

IPS technologies are differentiated from IDS technologies by one characteristic: IPS technologies can respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which can be divided into the following groups:

• The IPS stops the attack itself. Examples of how this could be done are as follows:

– Terminate the network connection or user session that is being used for the attack

– Block access to the target (or possibly other likely targets) from the offending user account, IP address, or other attacker attribute

– Block all access to the targeted host, service, application, or other resource.

• The IPS changes the security environment. The IPS could change the configuration of other security controls to disrupt an attack. Common examples are reconfiguring a network device (e.g. firewall, router, switch) to block access from the attacker or to the target, and altering a host-based firewall on a target to block incoming attacks. Some IPSs can even cause patches to be applied to a host if the IPS detects that the host has vulnerabilities.


• The IPS changes the attack’s content. Some IPS technologies can remove or replace malicious portions of an attack to make it benign. A simple example is an IPS removing an infected file attachment from an e-mail and then permitting the cleaned e-mail to reach its recipient. A more complex example is an IPS that acts as a proxy and normalizes incoming requests, which means that the proxy repackages the payloads of the requests, discarding header information. This might cause certain attacks to be discarded as part of the normalization process.

Another common attribute of IDPS technologies is that they cannot provide completely accurate detection. When an IDPS incorrectly identifies benign activity as being malicious, a false positive has occurred. When an IDPS fails to identify malicious activity, a false negative has occurred. It is not possible to eliminate all false positives and negatives; in most cases, reducing the occurrences of one increases the occurrences of the other. Many organizations choose to decrease false negatives at the cost of increasing false positives, which means that more malicious events are detected but more analysis resources are needed to differentiate false positives from true malicious events. Altering the configuration of an IDPS to improve its detection accuracy is known as tuning.

Most IDPS technologies also offer features that compensate for the use of common evasion techniques. Evasion is modifying the format or timing of malicious activity so that its appearance changes but its effect is the same. Attackers use evasion techniques to try to prevent IDPS technologies from detecting their attacks. For example, an attacker could encode text characters in a particular way, knowing that the target understands the encoding and hoping that any monitoring IDPSs do not. Most IDPS technologies can overcome common evasion techniques by duplicating special processing performed by the targets. If the IDPS can “see” the activity in the same way that the target would, then evasion techniques will generally be unsuccessful at hiding attacks.
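Added example of the evasion point made above, not from the thesis. Keyword signatures are matched against HTTP request paths first as raw bytes and then after normalising the path the way a particular target would (percent-decoding, separator handling, case folding). The two target profiles and the request lines are constructed; the profile with two decode rounds and case-insensitive paths is an assumption standing in for servers that behaved that way, not a description of any specific product.

```python
"""Keyword signatures matched before and after target-style normalisation (added
example, not from the thesis). Target profiles and request lines are constructed."""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class TargetProfile:
    """How the protected web server interprets a request path. Both profiles below
    are assumptions for the demonstration, not descriptions of a specific product."""
    decode_rounds: int        # how many times percent-escapes are decoded
    case_insensitive: bool    # whether /CMD.exe and /cmd.exe are the same resource
    backslash_is_slash: bool  # whether '\\' is accepted as a path separator


UNIX_HTTPD = TargetProfile(decode_rounds=1, case_insensitive=False, backslash_is_slash=False)
LEGACY_WIN_HTTPD = TargetProfile(decode_rounds=2, case_insensitive=True, backslash_is_slash=True)

KEYWORDS = ["/cgi-bin/phf", "/etc/passwd", "cmd.exe"]


def normalize(path, profile):
    """Transform the wire form into what the target would actually look up."""
    for _ in range(profile.decode_rounds):
        path = unquote(path)
    if profile.backslash_is_slash:
        path = path.replace("\\", "/")
    # Collapse '/./' and repeated slashes the way a file-backed server does;
    # '..' is deliberately left in place so traversal attempts stay visible.
    parts = [p for p in path.split("/") if p not in ("", ".")]
    path = "/" + "/".join(parts)
    return path.lower() if profile.case_insensitive else path


def match_raw(path):
    """Keyword search on the bytes as they appear on the wire."""
    return [k for k in KEYWORDS if k in path]


def match_normalized(path, profile):
    """Keyword search after seeing the request the way the target would."""
    norm = normalize(path, profile)
    keys = [k.lower() for k in KEYWORDS] if profile.case_insensitive else KEYWORDS
    return [k for k in keys if k in norm]


# Constructed request paths: a plain probe, the same probe with a percent-encoded
# letter, the same probe with '/./' inserted, a double-encoded backslash traversal
# with mixed case, and a benign request.
REQUESTS = [
    "/cgi-bin/phf?Qalias=x",
    "/cgi-bin/%70hf?Qalias=x%0als",
    "/cgi-bin/./phf?Qalias=x",
    "/scripts/..%255c..%255cwinnt/system32/CMD.exe?/c+dir",
    "/index.html",
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(f"{req!r:60} raw={match_raw(req)} unix={match_normalized(req, UNIX_HTTPD)} "
              f"win={match_normalized(req, LEGACY_WIN_HTTPD)}")
```

Raw matching catches only the undisguised probe. Normalising for the Unix profile recovers the percent-encoded and dot-segment variants, but the double-encoded traversal is only visible under the profile that decodes twice and ignores case, and applying that profile to traffic bound for a single-decode server would be wrong in the other direction: a benign request that legitimately contains a literal "%25" sequence would be decoded one round too many and could be flagged. The sensor therefore has to know which target each request is going to, not just which encodings exist.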


3.3.3 Types of IDPS Technologies

There are many types of IDPS technologies. For the purposes of this document, they are divided into the following four groups based on the type of events that they monitor and the ways in which they are deployed:

• Network-Based, which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity. It can identify many different types of events of interest. It is most commonly deployed at a boundary between networks, such as in proximity to border firewalls or routers, Virtual Private Network (VPN) servers, remote access servers, and wireless networks. Section 4 contains extensive information on network-based IDPS technologies.

• Wireless, which monitors wireless network traffic and analyzes its wireless networking protocols to identify suspicious activity involving the protocols themselves. It cannot identify suspicious activity in the application or higher-layer network protocols (e.g., TCP, UDP) that the wireless network traffic is transferring. It is most commonly deployed within range of an organization’s wireless network to monitor it, but can also be deployed to locations where unauthorized wireless networking could be occurring.

• Network Behavior Analysis (NBA), which examines network traffic to identify threats that generate unusual traffic flows, such as Distributed Denial of Service (DDoS) attacks, certain forms of malware (e.g., worms, backdoors), and policy violations (e.g., a client system providing network services to other systems). NBA systems are most often deployed to monitor flows on an organization’s internal networks, and are also sometimes deployed where they can monitor flows between an organization’s networks and external networks (e.g., the Internet, business partners’ networks).

• Host-Based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity. Examples of the types of characteristics a host-based IDPS might monitor are network traffic (only for that host), system logs, running processes, application activity, file access and modification, and system and application configuration changes. Host-based IDPSs are most commonly deployed on critical hosts such as publicly accessible servers and servers containing sensitive information.

Some forms of IDPS are more mature than others because they have been in use much longer. Network-based IDPS and some forms of host-based IDPS have been commercially available for over ten years. Network behavior analysis software is a somewhat newer form of IDPS that evolved in part from products created primarily to detect DDoS attacks, and in part from products developed to monitor traffic flows on internal networks. Wireless technologies are a relatively new type of IDPS, developed in response to the popularity of Wireless Local Area Networks (WLAN) and the growing threats against WLANs and WLAN clients.

3.4 Introduction to Intrusion in MANET

Mobile ad hoc networks are complex distributed systems that comprise wireless mobile nodes that can freely and dynamically self-organise into arbitrary and temporary “ad hoc” network topologies. They allow people and devices to seamlessly internetwork with no pre-existing communication infrastructure and central administration [191].

Ad hoc networks are a new wireless networking paradigm for mobile hosts. Unlike traditional mobile wireless networks, ad hoc networks do not rely on any fixed infrastructure. Instead, hosts rely on each other to keep the network connected. Military tactical and other security-sensitive operations are still the main applications of ad hoc networks, although there is a trend to adopt ad hoc networks for commercial uses due to their unique properties. One main challenge in the design of these networks is their vulnerability to security attacks. The goal is to investigate the development of a suite of protocols and algorithms that enables secure collaboration over mobile ad hoc networks as well as the wired backbone. Collaboration requires secure information sharing and communication among a large number of academic, governmental, and military sites. A series of experiments in key management, malicious intruder identification, and detection of denial of service attacks will be conducted to provide the secure networking.

Ubiquitous access to information, anywhere and anytime, will characterize completely new kinds of information systems in the 21st Century. These are being enabled by rapidly emerging wireless communication systems, based on radio and infrared transmission mechanisms, and utilizing such technologies as cellular telephony, personal communication systems, wireless PBXs, and wireless local area networks. These systems have the potential to dramatically change society as workers become “untethered” from their information sources and communication mechanisms. While there is a rich body of knowledge associated with radio system engineering, the needed expertise must build upon this to encompass network management, integration of wireless and wireline networks, system support for mobility, computing system architectures for wireless nodes, base stations and servers, user interfaces appropriate for small handheld portable devices, and new applications that can exploit mobility and location information.

Enormous amounts of data are collected from the network for network-based intrusion detection. This poses a great challenge. Raw network traffic needs to be summarized into higher-level events, described by some features, such as connection records, before feeding the data to a machine-learning algorithm. Selecting relevant features is a crucial activity and requires extensive domain knowledge.

3.4.1 Intrusion Detection

The concept behind intrusion detection is a surprisingly simple one: inspect all network activity (both inbound and outbound) and identify suspicious patterns that could be evidence of a network or system attack. Nowadays, networked computers play an important role in society. There are many advantages of a network: one can easily connect to anyone on the network, one can share and use files, folders, and data, and one can call one’s loved ones over the net. At the same time, there are many disadvantages too. One also welcomes one’s enemies: hackers and criminals. There is a chance of misuse of the data. When an intrusion (defined as “any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource” [190]) takes place, intrusion prevention techniques such as encryption and authentication (e.g., using passwords or biometrics) are usually the first line of defence [55]. An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.

3.4.2 Wireless v/s Wired Intrusion

• Wired – physically attached: the intruder/attacker needs to plug directly into the network.

• Wireless – the intruder can stay anywhere and intrude unseen. There is no exact “border” between the internal and external network, so the exact classification into insider and outsider attacks is lost.

Sometimes people assume that host-based systems prevent insider attacks whereas network-based systems address outsider attacks. We may not agree with this practice, but as soon as you add a Wi-Fi signal, the border of defence becomes unclear and not sharply defined. The primary assumptions of intrusion detection are: user and program activities are observable, for example via a system auditing mechanism; and, more importantly, normal and intrusive activities have distinct behaviour. A network-based IDS normally runs on the gateway of a network and inspects the packets that go through the network hardware interface.


In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, misuse detection software is only as good as the database of attack signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and looks for anomalies [156].
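
An added example, not from the thesis, of the two detection styles side by side in Python: a misuse detector that matches constructed connection records against a small signature database, and an anomaly detector that compares a window of traffic against an administrator-defined baseline of protocol breakdown and typical packet size. The records, signatures, baseline and tolerances are all constructed for illustration.

```python
"""Added example: misuse (signature) detection and anomaly (baseline)
detection over constructed connection records. Every value here is made up."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Conn:
    src: str
    dst_port: int
    proto: str        # "tcp" or "udp"
    avg_pkt: int      # average packet size of the connection, in bytes
    payload: str      # summarized payload text produced by the sensor


# Constructed signature database: (name, destination port or None, substring).
SIGNATURES = [
    ("ftp-site-exec", 21, "SITE EXEC"),
    ("web-shell-probe", 80, "cmd.exe"),
]

# Constructed baseline: what the administrator considers normal for the segment.
BASELINE = {"tcp_share": 0.80, "avg_pkt": 900}
SHARE_TOLERANCE = 0.25   # allowed absolute drift in the TCP share of connections
PKT_TOLERANCE = 0.50     # allowed relative drift in mean packet size


def misuse_alerts(conns):
    """Signature matching: report every record that matches a known pattern."""
    return [(c.src, name) for c in conns for name, port, pat in SIGNATURES
            if (port is None or c.dst_port == port) and pat in c.payload]


def anomaly_alerts(conns):
    """Baseline comparison over the whole window, independent of signatures."""
    if not conns:
        return []
    share = Counter(c.proto for c in conns)["tcp"] / len(conns)
    pkt = mean(c.avg_pkt for c in conns)
    alerts = []
    if abs(share - BASELINE["tcp_share"]) > SHARE_TOLERANCE:
        alerts.append(f"protocol-mix tcp_share={share:.2f}")
    if abs(pkt - BASELINE["avg_pkt"]) / BASELINE["avg_pkt"] > PKT_TOLERANCE:
        alerts.append(f"packet-size avg_pkt={pkt:.0f}")
    return alerts


# Constructed windows: a normal one containing a single signature hit, and a
# flood of small UDP packets that carries no known signature at all and is
# therefore visible only to the anomaly detector.
NORMAL_WINDOW = [
    Conn("10.0.0.5", 80, "tcp", 950, "GET /index.html"),
    Conn("10.0.0.6", 443, "tcp", 1200, ""),
    Conn("10.0.0.7", 80, "tcp", 700, "GET /login"),
    Conn("10.0.0.8", 53, "udp", 90, "A? example.test"),
    Conn("10.0.0.9", 21, "tcp", 600, "SITE EXEC /bin/id"),
]
FLOOD_WINDOW = [Conn(f"10.0.1.{i}", 53, "udp", 60, "") for i in range(20)]

if __name__ == "__main__":
    for label, window in (("normal", NORMAL_WINDOW), ("flood", FLOOD_WINDOW)):
        print(label, "misuse:", misuse_alerts(window),
              "anomaly:", anomaly_alerts(window))
```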

3.4.3 Problems of Current IDS Techniques

There are two different types of networks: wireless and wired. There have always been problems of security, collaboration, management and integration between them. Thus, there is a need for an intrusion detection system, as there is a chance of data being misused while communicating between the two. Placing an IDS between a wired and a wireless network is a big problem, as the wireless network may not have a fixed infrastructure.

There is a big difference between how data is transferred in a wireless ad hoc network and in a wired network. There are always some limitations while communicating through a wireless ad hoc network: one may face problems of bandwidth, data loss, high cost, slower links, etc. Intrusion detection in MANETs, however, is challenging for a number of reasons [116, 158, 135].

The major limitations of current Intrusion Detection Systems are [84]:

• Noise can severely limit an intrusion detection system’s effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.

• It is not uncommon for the number of real attacks to be far below the false-alarm rate. Real attacks are often so far below the false-alarm rate that they are missed and ignored.

• Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to new strategies.

3.4.4 NIDS Performance Issues

An independent platform identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems (NIDS) [34,134,89] gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In an NIDS, as shown in Figure 3-2, sensors are located at choke points in the network to be monitored, often in the Demilitarized Zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic [31]. An example of an NIDS is Snort.

Network Intrusion Detection Systems are usually deployed as a dedicated component on a network segment. There is some debate as to where to place a single NIDS (inside or outside of a firewall), but most agree that multiple NIDS are better. The NIDS then compares captured network data to a file of known malicious signatures. If there is a match, the IDS logs and sends an alert according to how it was configured by the network or security administrator [32].

(Figure 3-2: A Network Based IDS)

A major difficulty is that true performance statistics are very hard to obtain, especially in a lab. However, a recent test by NSS Labs is probably one of the best [33]. The most important factor is not how many attacks an NIDS can detect (often the only benchmark used in lab tests), but how effectively the NIDS can pick out one attack in a mass of normal background traffic. It is often not the mass of attacks that an NIDS has problems dealing with, but the proverbial “finding a needle in a haystack”. This becomes especially difficult when SSL (Secure Socket Layer) traffic is involved, because the NIDS cannot read encrypted traffic. It wastes valuable CPU cycles realizing that it cannot do anything with the traffic and then discards it!

A second core performance element to consider is the size of packets. In tests, NIDS vendors usually look at an average packet size of 1024 bytes; however, if the packet sizes are smaller, the NIDS will run a lot slower (e.g. consider the negative impact when monitoring a large DNS server).

A third key driver in how fast an NIDS can run is the actual policy that is running on the NIDS. Typically, NIDS have hundreds of attack signatures that they are looking for at any given time. The more signatures they are looking for in a stream of data, the longer it will take to look at the next stream. This is more critical for pattern matching based systems than those that utilize protocol analysis.

The nature of the mobile computing environment makes it very vulnerable to an adversary's malicious attacks. First, the use of wireless links renders the network susceptible to attacks ranging from passive eavesdropping to active interference. Unlike wired networks, where an adversary must gain physical access to the network wires or pass through several lines of defence at firewalls and gateways, attacks on a wireless network can come from all directions and target any node. Damage can include leaking secret information, message contamination, and node impersonation. All this means that a wireless ad hoc network will not have a clear line of defence, and every node must be prepared for encounters with an adversary, directly or indirectly.


3.4.5 New Architecture

Though many IDS architectures have been designed for infrastructure-based networks, they are not applicable in a mobile environment. Motivated by this consideration, we propose a modified architecture based on the conceptual model for an IDS agent proposed by Yongguang Zhang and Wenke Lee [55]. The model is extended by introducing two novel ideas: the data collection is divided into two parts, and one Global Data Collection Module is introduced as the outermost layer of the model.

An IDS should be both cooperative and distributed to satisfy the needs of the wireless ad hoc network. In the proposed architecture, every node in the wireless ad hoc network participates in intrusion detection and response. Each of these nodes is responsible for signalling the intrusion locally and independently. In addition, this IDS model identifies black list and white list requests.

The internals of an IDS agent can be complex, but conceptually it can be structured in eight pieces, as shown in Figure 3-3. The data collection module is responsible for gathering local audit traces and activity logs. Next, the Identifier uses this data to identify an intrusion; the Notification module takes the appropriate action if an intrusion occurs. The Global Data Collection module stores all the calls that have occurred.

A. Data Collection Module

This has been further divided into a black list and a white list. It gathers all the necessary streams of data that have arrived at the time of a request. The black list module stores all the details of sources that may lead to misuse, that is, where there may be a chance of intrusion, whereas the white list module stores the details of the most frequent calls, which are authentic. Depending on the intrusion detection algorithms, these useful data streams can include system and user activity within the mobile node. Multiple data collection modules can exist in one IDS agent to provide multiple audit streams for a multi-layer integrated intrusion detection method.

(Figure 3-3: A conceptual model for IDS Agent)

B. Identifiers

Identifiers can be a local Identifier or Group detection. The local Identifier uses the data from the Data Collection module and identifies whether an intrusion has occurred or not. If yes, it sends a signal to the Notification module, where it will be processed. As days go by, newer attacks on the system are always being created, and securing a system is not an easy task, even more so as more and more devices become wireless, so security must be increased accordingly. Establishing new and best security for the mobile ad hoc network is not so easy. Therefore, the IDS model should use different statistical and mathematical models to solve these problems.

C. Notification

Notification can be local notification or universal notification. According to the type of network, the notification is made to the system. When the system is in the network, it is notified universally, i.e. it broadcasts the message to its neighbours along with the details of the intrusion description and the address of the particular system which initiated the intrusion. In this case, all the systems update their data collection module and put this description in the black list of that module. In addition, they can refer to it in the future to identify the intrusion.

(Figure 3-3 components, from the figure labels: System calls; Global Data Collection Module; Neighboring IDS Agent; Local Notification / Universal Notification; Local Identifier / Group detection; Data Collection: Black listed / White listed; Secure Communication)

In local notification, the node notifies itself that an intrusion has occurred, then terminates the connection with that particular system and updates the black list data collection module.

When an intrusion occurs, the node sends the intrusion state information to its neighbouring nodes. Then each node can update its Data Collection module and initiate appropriate action against that intruder.

D. Global Data Collection Module

This is the core and the heart of the new intrusion detection system, as it is centralized and stores all the streams and actions carried out by the systems in the network. When any system initiates a request, it is first stored in this module, which can be further used by the Data Collection module to identify an intrusion. This module also implements a cache concept, as it is updated by itself at every interval. Cross checking is done for every instance of the node to secure the ad hoc network and to identify unauthorized users.
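
As an added example, not the thesis’s own implementation, the model of sections A to D is simulated in Python: each agent has a Data Collection module split into a black list and a white list, a local Identifier and local/universal Notification, and all agents share one Global Data Collection Module that records every request. The decision rule follows the text (a white-listed source is accepted, a black-listed one rejected, and a source the Global Data Collection Module has never seen is treated as an intrusion, black-listed and broadcast to the neighbours); the node names, the three-node topology and the details of the rule are assumptions.

```python
"""Added example: a small simulation of the proposed IDS agent model.
Names, topology and the exact decision rule are constructed, not the thesis's."""
from dataclasses import dataclass, field


@dataclass
class Request:
    src: str    # address of the node initiating the request
    call: str   # summarized call or service requested


class GlobalDataCollection:
    """Centralized store of every request seen anywhere in the network."""
    def __init__(self):
        self.seen: dict[str, list[str]] = {}

    def record(self, req: Request) -> bool:
        """Store the request; return True if the source was already known."""
        known = req.src in self.seen
        self.seen.setdefault(req.src, []).append(req.call)
        return known


@dataclass
class DataCollection:
    """Data Collection module split into black-listed and white-listed sources."""
    black: set = field(default_factory=set)
    white: set = field(default_factory=set)


class IDSAgent:
    """One node's IDS agent (constructed names; not the thesis's code)."""
    def __init__(self, name, global_module, trusted=()):
        self.name = name
        self.global_module = global_module
        self.data = DataCollection(white=set(trusted))
        self.neighbours: list["IDSAgent"] = []
        self.dropped: list[str] = []   # connections this node terminated
        self.log: list[str] = []

    def identify(self, req: Request) -> bool:
        """Local Identifier: True when the request is judged an intrusion."""
        known = self.global_module.record(req)   # every request is stored first
        if req.src in self.data.white:
            return False
        if req.src in self.data.black:
            return True
        return not known   # never seen anywhere in the network -> intrusion

    def handle(self, req: Request) -> str:
        if not self.identify(req):
            return "accepted"
        self.local_notification(req)
        self.universal_notification(req)
        return "intrusion"

    def local_notification(self, req: Request):
        """Terminate the connection and update this node's black list."""
        self.dropped.append(req.src)
        self.data.black.add(req.src)
        self.log.append(f"{self.name}: dropped {req.src}")

    def universal_notification(self, req: Request):
        """Broadcast the intrusion description and source to the neighbours."""
        for n in self.neighbours:
            n.data.black.add(req.src)
            n.log.append(f"{n.name}: learned {req.src} ({req.call}) from {self.name}")


def simulate():
    """Constructed three-node ad hoc network; returns node A's decisions and the agents."""
    gdc = GlobalDataCollection()
    a, b, c = (IDSAgent(x, gdc, trusted=["10.0.0.2"]) for x in "ABC")
    a.neighbours = [b, c]
    results = [a.handle(Request("10.0.0.2", "route-request")),   # white-listed
               a.handle(Request("10.0.0.9", "route-request")),   # unknown source
               a.handle(Request("10.0.0.9", "data"))]            # now black-listed
    return results, a, b, c
```

After the run, nodes B and C carry 10.0.0.9 on their black lists without ever having received a request from it themselves.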

3.5 Conclusion

Here the argument is that any system on the network may encounter an intrusion and have its privacy exploited. This is especially true for wireless ad hoc networks. Intrusion detection can help intrusion prevention techniques to improve, so new techniques must be developed to solve this problem.

Through continuous investigation, it has been shown how a new model can be developed and how a Global Data Collection module will help the IDS agent to identify occurrences of intrusion. First, when any system initiates a request, it is checked in the Global Data Collection Module; if it is not found there, it is put in the black list and a broadcast message is made, so that all the neighbouring nodes know the intrusion point and can take appropriate action.

At present, the investigation of the architecture issues is still going on, in order to solve them, implement the architecture practically and study its performance issues. In short, we focus more on the issues that arise in the IDS and try to identify the best solution among all.

In future, the algorithm which supports the model will be developed to identify intrusions in a cost-effective way.