INTRUSION DETECTION AND PREVENTION SYSTEMS IN AN ENTERPRISE NETWORK
BY
OKEHIE, COLLINS OBINNA
(20091649415)
DEPARTMENT OF COMPUTER SCIENCE,
SCHOOL OF SCIENCE,
FEDERAL UNIVERSITY OF TECHNOLOGY, P. M. B. 1526, OWERRI, IMO STATE
OCTOBER, 2014
INTRUSION DETECTION AND PREVENTION SYSTEMS IN AN ENTERPRISE NETWORK
BY
OKEHIE, COLLINS OBINNA (20091649415)
A PROJECT REPORT
SUBMITTED TO
THE DEPARTMENT OF COMPUTER SCIENCE, SCHOOL OF SCIENCE,
FEDERAL UNIVERSITY OF TECHNOLOGY, P. M. B. 1526, OWERRI, IMO STATE
IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE AWARD OF BACHELOR OF TECHNOLOGY (B.Tech) IN COMPUTER SCIENCE
OCTOBER, 2014
CERTIFICATION
This is to certify that this project “INTRUSION DETECTION AND PREVENTION
SYSTEM IN AN ENTERPRISE NETWORK” was carried out by Okehie, Collins
Obinna with Registration number 20091649415, in the Department of Computer Science,
School of Science, Federal University of Technology, Owerri.
…………………………… …………………………………
OKEHIE COLLINS OBINNA DATE
(20091649415)
APPROVAL
This project, “Intrusion Detection and Prevention Systems In an Enterprise Network”, by
Okehie, Collins Obinna, is hereby approved as a satisfactory project for the award of a
degree of Bachelor of Technology (B.Tech.) in Computer Science.
NAME: Dr. C.N Njoku
SIGN: . . . . . . . . . . . . . . . . . . . . . . . . DATE: …………………………….
(PROJECT SUPERVISOR)
NAME: Prof. S. C. Inyama
SIGN: . . . . . . . . . . . . . . . . . . . . . . . . DATE: …………………………….
(HEAD OF DEPARTMENT)
NAME: Prof. Inyiama
SIGN: . . . . . . . . . . . . . . . . . . . . . . . . . DATE: …………………………….
(EXTERNAL EXAMINER)
DEDICATION
This project is dedicated to the Almighty GOD, father of Heaven, the lord Jesus
Christ captain of my salvation and my parents and family members.
ACKNOWLEDGEMENT
I want to appreciate the almighty God for the gift of life, preservation, unmerited
favor, academic success and for giving me the strength to complete this project work.
I want to also in a special way appreciate my Parents for the support and sponsorship
of my education from birth to date, for care, patience and love. I pray the almighty
God grants them long life on earth to enjoy the fruit of their labor.
I want to in a special way acknowledge the Head of Department, Prof. S.C Inyama,
my course adviser Mrs. E.C Nwokorie, my lecturers; Mr. Diala Stanley, Dr. O.F.
Uzoh, Mr. J.E. Eke, Mr. Stanley Okolie, Mrs C. Ogilichukwu, Mrs. J.N. Odii, Mrs
Odilichukwu and Dr. C.N. Njoku who helped to impart knowledge to us throughout
our stay in school.
I appreciate also the efforts and support of my uncle, Mr. Simeon Chinagorom
Okehie, for his financial support and encouragement throughout my education.
I appreciate in a special way my course mates Nwanebu Darlington and Akujobi
Kenneth for their constructive criticisms and help during the course of this project.
Special thanks also go to my pal, Erik Hjelmvik, for his ideas and
recommendations in the design of the software.
I appreciate all friends and well-wishers whose names were not mentioned. I say may
the good Lord reward you all in the name of Jesus.
ABSTRACT
Intrusion Detection and Prevention System in an Enterprise Network is a project which
involves the design of a desktop application to monitor a computer network
system for possible break-ins and to provide an interface for a network administrator
to monitor events occurring in his network. After analyzing the system, we assembled
the functional specification requirements, which made it possible for us to design the
proposed system framework. The implementation of the system was carried out using
the Waterfall Methodology and the latest tools such as C# for the back-end and .NET for the
front-end, with the Integrated Development Environment provided by Visual Studio
2013. The resulting system was able to monitor the devices connected to a wireless
network and provide details such as their operating systems, IP addresses and device
names, and even show the files being transmitted across the network. The objectives of
this work have been realized, and this improves the field of intrusion detection and
prevention.
TABLE OF CONTENT
Title Page i
Certification ii
Approval iii
Dedication iv
Acknowledgement v
Abstract vi
Table of Content viii
List of Figures xii
CHAPTER ONE
INTRODUCTION
1.0 Introduction 1
1.1 Background of Study 1
1.2 Problem Statement 3
1.3 Objectives of Study 3
1.4 Significance of Study 4
1.5 Scope of Work 4
1.6 Limitation of Study 4
1.7 Definition of Terms 5
CHAPTER TWO
LITERATURE REVIEW
2.0 Introduction 7
2.1 Enterprise Network 7
2.1.1 Network Topologies 8
2.1.2 OSI/ISO Model 10
2.2 Possible Network Threats in an Enterprise Network 13
2.2.1 Internal Threats: LAN Security 14
2.2.2 External Threats: Worms, Viruses, Trojan Horse 14
2.2.3 Denial of Service (DOS) 15
2.2.4 Distributed Denial of Service (DDOS) 15
2.3 Intrusion Detection Technology and Prevention Principles 17
2.3.1 IDPS Technologies: Components and Architecture 17
2.3.2 Major functions of Intrusion Detection System 19
2.3.3 Types of IDPS Technologies 21
2.3.4 Detection Methodologies Used By IDPS Systems 21
2.3.5 General Capabilities of IDPS Technologies 23
2.4 Network-Based IDPS 26
2.4.1 Components and Architecture 26
2.4.2 Security Capabilities of Network-Based IDPS 29
2.5 Wireless IDPS 32
2.5.1 Components and Architecture 32
2.5.2 Security Capabilities of Wireless IDPS 34
2.6 Host-Based IDPS 36
2.6.1 Components and Architecture 37
2.6.2 Security Capabilities of Wireless Host-Based IDPS 38
2.7 Network Behavior Analysis (NBA) System 39
2.7.1 Components and Architecture 40
2.7.2 Security Capabilities of Network Behavior Analysis System 42
CHAPTER THREE
SYSTEM ANALYSIS AND METHODOLOGY
3.0 Introduction 45
3.1 Analysis of the Existing System 45
3.2 Limitations of the Existing System 46
3.3 Analysis of the Proposed System 48
3.4 Features of the Proposed System 48
3.5 Benefits of the Proposed System 48
3.6 Framework of the Proposed System 48
3.7 Methods of Data Collection 50
3.8 System Methodology 50
3.8.1 Waterfall Methodology 50
3.8.2 Feasibility Study 51
3.9 Possible Capabilities of Future IDPS Systems 52
CHAPTER FOUR
SYSTEM DESIGN AND IMPLEMENTATION
4.0 Introduction 54
4.1 System Design 54
4.2 Objectives of Design 54
4.3 Input Specification and Design 55
4.3.1 Input from the “Open” Menu 55
4.3.2 Input from Network Adapters 56
4.4 Output Specification and Design 57
4.5 System Testing 58
4.6 System Implementation 59
4.6.1 Front End (.NET) 60
4.6.2 Back End (C#) 60
4.6.3 Analyzing Data on the System 60
4.7 System Requirements 63
4.8 Choice of Programming Language 63
4.8.1 Tools Used 64
CHAPTER FIVE
SUMMARY AND CONCLUSION
5.1 Review of Achievement 65
5.2 Areas of Application of the Work 65
5.3 Areas of further Work/Research 66
5.4 Recommendation 66
5.5 Conclusion 67
References 67
Appendix A: Sample Result Output 70
Appendix B: Source Code 71
LIST OF FIGURES
Fig 2.1.1(a): Bus Topology 8
Fig 2.1.1(b): Star Topology 9
Fig 2.1.1(c): Ring Topology 9
Fig 2.1.1(d): Tree Topology 9
Fig 2.1.1(e): Mesh Topology 10
Fig 2.1.2: OSI\ISO Model 11
Fig 2.2.3: Basics of a DDOS attack 16
Fig 2.4.1: Inline Network-based IDPS Sensor Architecture Example 28
Fig 5.1. Passive Network-Based IDPS Sensor Architecture Example 29
Fig 2.5.1: Wireless IDPS Architecture 33
Fig 2.6.1: Host-Based IDPS Agent Deployment Architecture Example 38
Fig 2.7.1: NBA Sensor Architecture Example 41
Fig. 3.6: Framework of the System 49
Fig 3.8.1: Waterfall Model of Systems analysis 51
Fig 4.3.1: Input From the "Open" Menu 56
Fig 4.3.2: Input from Network Adapters 57
Fig 4.4: Menu Design 58
Fig 4.6.1(a): Sample Output in the Frames Tab of the System 62
Fig 4.6.1(b): Sample Output From the Hosts Tab of System 62
CHAPTER ONE
Introduction
Intrusion detection and prevention systems in an enterprise network is a study into
the forms and techniques of prevention and detection of intrusions into an enterprise
computer network. Technological advancements in the twenty-first century have witnessed an
increase in cyber-attacks. This is usually followed by heavy expenditure on recovery of
lost data and possible lawsuits. This project aims to bring to light the various ways
of preventing and detecting hacks into a computer network. Computer network hacking
is not peculiar to the western world; there have been several cases of computer networks
being hacked in Nigeria. According to Thisdaylive.com, an online newspaper company,
a recent survey by Centrex Ethical Lab, a Nigerian cyber-security and intelligence
company, shows that 23 government websites on the gov.ng domain were defaced out of
a total of 60 website defacements in 2012. The report also said the official websites of
the National Assembly and the Economic and Financial Crimes Commission appeared to be
the most defaced government websites between 2010 and 2012. The company’s data
analysis stated that the defacement of government websites increased from one per cent
in 2009 to 10 per cent in 2010 and 60 per cent in 2012 [Thisdaylive14]. IDPS is an
acronym for Intrusion Detection and Prevention Systems and will be used as such in the
context of this thesis.
1.1 Background of Study
This publication describes the characteristics of IDPS technologies and provides
recommendations for designing, implementing, configuring, securing, monitoring, and
maintaining them. The types of IDPS technologies are differentiated primarily by the
types of events that they monitor and the ways in which they are deployed.
Intrusion detection is the process of monitoring the events occurring in a computer system
or network and analyzing them for signs of possible incidents, which are violations or
imminent threats of violation of computer security policies, acceptable use policies, or
standard security practices.
An intrusion into a system is an attempt by an outsider to the system to illegally gain
access to the system. Intrusion prevention, on the other hand, is the art of preventing an
unauthorized access of a system’s resources.
The two processes are related in a sense that while intrusion detection passively detects
system intrusions, intrusion prevention actively filters network traffic to prevent intrusion
attempts.
There are six types of intrusions:
- Attempted break-ins, which are detected by atypical behavior profiles or violations
of security constraints. An intrusion detection system for this type is called an
anomaly-based IDPS.
- Masquerade attacks, which are detected by atypical behavior profiles or violations
of security constraints. These intrusions are also detected using anomaly-based
IDPS.
- Penetrations of the security control system, which are detected by monitoring for
specific patterns of activity.
- Leakage, which is detected by atypical use of system resources.
- Denial of service, which is detected by atypical use of system resources.
- Malicious use, which is detected by atypical behavior profiles, violations of
security constraints, or use of special privileges.
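The anomaly-based detection named for the first two intrusion types above (comparing activity against a behaviour profile, and flagging a violation of a security constraint such as repeated failed logins) can be sketched as follows. This is an added example, not code from the report's own application; the log format, the users, addresses and timestamps, and the three-failure threshold are all constructed for the illustration.

```python
"""Anomaly-based detection against per-user behaviour profiles.

Added illustration (not code from the project described in this report).
Log lines are constructed for the example and use the made-up format
"<ISO timestamp> <user> <source IP> <OK|FAIL>".
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<hour>\d{2}):\d{2}:\d{2}\s+"
    r"(?P<user>\w+)\s+(?P<src>[\d.]+)\s+(?P<result>OK|FAIL)$"
)

# Constructed baseline: a quiet period used to learn what "typical" looks like.
BASELINE_LOG = [
    "2014-10-01T09:12:00 alice 10.0.0.5 OK",
    "2014-10-01T10:03:00 alice 10.0.0.5 OK",
    "2014-10-02T09:30:00 alice 10.0.0.5 OK",
    "2014-10-01T14:00:00 bob 10.0.0.7 OK",
    "2014-10-02T15:10:00 bob 10.0.0.8 OK",
]

# Constructed events to check against the learned profiles.
NEW_LOG = [
    "2014-10-03T09:05:00 alice 10.0.0.5 OK",        # matches alice's profile
    "2014-10-03T02:41:00 bob 10.0.0.7 OK",          # bob never logs in at 02:00
    "2014-10-03T11:00:00 alice 203.0.113.9 FAIL",   # repeated failures from one
    "2014-10-03T11:00:05 alice 203.0.113.9 FAIL",   # outside address ...
    "2014-10-03T11:00:09 alice 203.0.113.9 FAIL",
    "2014-10-03T11:00:20 alice 203.0.113.9 OK",     # ... then a success from it
]


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"hour": int(m["hour"]), "user": m["user"],
            "src": m["src"], "result": m["result"]}


def build_profiles(lines):
    """Learn, per user, the source hosts and hours seen in successful logins."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev["result"] == "OK":
            profiles[ev["user"]]["hosts"].add(ev["src"])
            profiles[ev["user"]]["hours"].add(ev["hour"])
    return dict(profiles)


def detect(lines, profiles, fail_threshold=3):
    """Flag attempted break-ins (failure bursts) and masquerades (profile violations)."""
    alerts = []
    failures = defaultdict(int)  # failed attempts per source address
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the monitor
        if ev["result"] == "FAIL":
            failures[ev["src"]] += 1
            if failures[ev["src"]] == fail_threshold:  # fire once per source
                alerts.append({"kind": "attempted_break_in", "src": ev["src"],
                               "failures": fail_threshold})
            continue
        profile = profiles.get(ev["user"])
        reasons = []
        if profile is None:
            reasons.append("no baseline profile")
        else:
            if ev["src"] not in profile["hosts"]:
                reasons.append("unusual source host")
            if ev["hour"] not in profile["hours"]:
                reasons.append("unusual hour")
        if reasons:
            alerts.append({"kind": "masquerade", "user": ev["user"],
                           "src": ev["src"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    learned = build_profiles(BASELINE_LOG)
    for alert in detect(NEW_LOG, learned):
        print(alert)
```

build_profiles learns from the baseline window; detect then reports a burst of failures from one source as an attempted break-in and a successful login from a host, or at an hour, the user has never used as a possible masquerade. A real profile would be learned over a much longer window and would age out stale entries; the point here is only the shape of the comparison against a behaviour profile.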
Intrusion prevention is the process of performing intrusion detection and attempting to
stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are
primarily focused on identifying possible incidents, logging information about them,
attempting to stop them, and reporting them to security administrators. Many IDPSs can
also respond to a detected threat by attempting to prevent it from succeeding. They use
several response techniques, which involve the IDPS stopping the attack itself, changing
the security environment (e.g., reconfiguring a firewall), or changing the attack’s content.
In conclusion, it is expected that at the end of this thesis the reader will be
conversant with the various methods of securing a company network system and able
to prevent any source of intrusions from accessing or disrupting company activities.
1.2 Problem Statement
This project aims to solve the problems encountered by network administrators in
managing their networks in order to prevent and detect intrusions, which may come in the
form of viruses, Trojans, hack attacks, Denial of Service (DOS) attacks or Distributed
Denial of Service (DDOS) attacks, all of which might lead to sensitive information being
compromised.
The system designed provides an easy-to-use interface for a network administrator to
monitor his network and check for anomalies.
1.3 Objectives of Study
To create a system to facilitate easy monitoring of the events occurring on an
enterprise network system.
To determine the challenges facing computer network security in the twenty-first
century.
To determine ways of detecting and preventing computer network intrusions.
To assess the current trends in intrusion detection and prevention.
To prescribe possible updates for existing IDPS Systems.
1.4 Significance of Study
This project seeks to assist in the understanding of intrusion detection system (IDS) and
intrusion prevention system (IPS) technologies and in designing, implementing,
configuring, securing, monitoring, and maintaining intrusion detection and prevention
systems (IDPS). The project also provides an overview of complementary technologies
that can detect intrusions, such as security information and event management software
and network forensic analysis tools. It focuses on enterprise IDPS solutions, but most of
the information in the project is also applicable to standalone and small-scale IDPS
deployments.
With the development of network technologies and applications, network attacks are
greatly increasing both in number and severity. As a key technique in the network security
domain, an Intrusion Detection System (IDS) plays a vital role in detecting various kinds of
attacks and securing networks. With the tremendous growth of network-based services
and sensitive information on networks, network security is becoming more
important than ever before.
1.5 Scope of Work
This study deals with the intrusion detection and prevention systems available for use in an enterprise
computer network and more recent ways of combating the threats faced by any computer
network in the modern era. Since intrusion detection and prevention involves networks,
we will come in contact with various aspects of networking.
1.6 Limitation of the Study
Some of the major limitations during the course of the study were as follows:
i. Financial constraint to provide adequate funding for the research.
ii. Reluctance of some firms to provide information pertaining to the IDPS
technologies they use.
iii. Poor network reception for online research.
iv. Short time duration provided for the research.
1.7 Definition of Terms
Intrusion Detection: The process of monitoring the events occurring in a computer system
or network and analyzing them for signs of possible incidents
Intrusion Prevention: The process of performing intrusion detection and attempting to
stop detected possible incidents.
Enterprise Network: An enterprise's communications backbone that helps connect
computers and related devices across departments and workgroup networks, facilitating
insight and data accessibility.
Intrusion Detection and Prevention System (IDPS): The systems set up by an enterprise
to identify possible incidents, log information about them, attempt to stop them, and
report them to security administrators.
Denial of Service (DoS): The interruption of service either because the system is
destroyed or because it is temporarily unavailable.
Distributed Denial of Service (DDoS): A variant of DoS in which a single attacking system is used to
control multiple computers, which are then used to generate multiple data streams at the intended
victim.
Media Access Control (MAC) Layer: A sub-layer of the data link layer responsible for controlling how computers
in the network gain access to data and permission to transmit it.
Point-to-Point Protocol: A data link protocol used to establish a connection between two
nodes.
Segmentation/ Desegmentation: The processes of dividing and recompiling data packets
for transmission over a network.
Worms: A type of malicious software (malware) that self-replicates and distributes copies
of itself across its network without intervention from, and unknown to, computer users.
Virus: A malware program that, when executed, replicates by inserting copies of itself
(possibly modified) into other computer programs.
Trojans: A Trojan horse is a seemingly benign program that, when activated, causes harm
to a computer system.
Virtual Local Area Network (VLAN): A logical group of servers, workstations and
network devices that appear to be on the same network despite their geographical
distribution.
Blacklists: A blacklist is a list of discrete entities, such as hosts, TCP or UDP port
numbers, ICMP types and codes, applications, usernames, URLs, filenames, or file
extensions, that have been previously determined to be associated with malicious activity.
Whitelists: A list of discrete entities that are known to be benign.
Demilitarized Zone: A firewall configuration for securing local area networks.
STA (Station): a device that is capable of using the 802.11 protocol. This may be a laptop,
phone etc.
SSID: A case-sensitive, 32-alphanumeric-character unique identifier attached to the
header of packets sent over a wireless local-area network (WLAN) that acts as a password
when a mobile device tries to connect to the basic service set.
CHAPTER TWO
LITERATURE REVIEW
2.0 Introduction
A literature review is an evaluative report of information found in the literature related to
the selected area of study.
The topic of this project, Intrusion Detection and Prevention Systems in an Enterprise
Network, encompasses the various ways of preventing and detecting network intrusions.
In this chapter, we will deal with a basic introduction to an enterprise network and the
possible threats that can affect the network. We will also look at the principles of intrusion
detection and prevention, including the components and functions of an IDPS, its major
functions, types and the detection methodologies of IDPS systems.
2.1 Enterprise Network
According to the technology website Techopedia, an enterprise network is an enterprise's
communications backbone that helps connect computers and related devices across
departments and workgroup networks, facilitating insight and data accessibility. An
enterprise network reduces communication protocols, facilitating system and device
interoperability, as well as improved internal and external enterprise data management.
The key purpose of an enterprise network is to eliminate isolated users and workgroups.
All systems should be able to communicate and provide and retrieve information.
Additionally, physical systems and devices should be able to maintain and provide
satisfactory performance, reliability and security. Enterprise computing models are
developed for this purpose, facilitating the exploration and improvement of established
enterprise communication protocols and strategies.
In scope, an enterprise network may include local and wide area networks (LAN/WAN),
depending on operational and departmental requirements. An enterprise network can
integrate all systems, including Windows and Apple computers and operating systems
(OS), UNIX systems, mainframes and related devices like smartphones and tablets. A
tightly integrated enterprise network effectively combines and uses different device and
system communication protocols. [Wikipedia.com]
2.1.1 Network Topologies
Network topology refers to the physical or logical layout of a network. It defines the way
different nodes are placed and interconnected with each other; alternately, network
topology may describe how the data is transferred between these nodes. There are two
types of network topologies: physical and logical. Physical topology emphasizes the
physical layout of the connected devices and nodes, while the logical topology focuses on
the pattern of data transfer between network nodes.
The physical and logical network topologies of a network do not necessarily have to be
identical. However, both physical and logical topologies can be categorized into five
basic models:
Bus Topology: All the devices/nodes are connected sequentially to the same
backbone or transmission line. This is a simple, low-cost topology, but its single
point of failure presents a risk.
Fig 2.1.1(a): Bus Topology
Star Topology: All the nodes in the network are connected to a central device like
a hub or switch via cables. Failure of individual nodes or cables does not
necessarily create downtime in the network but the failure of a central device can.
Fig 2.1.1(b): Star Topology
Ring Topology: All network devices are connected sequentially to a backbone as
in bus topology, except that the backbone ends at the starting node, forming a ring.
Fig 2.1.1(c): Ring Topology
Tree Topology: A root node is connected to two or more sub-level nodes, which
themselves are connected hierarchically to sub-level nodes. Physically, the tree
topology is similar to bus and star topologies; the network backbone may have a
bus topology, while the low-level nodes connect using star topology.
Fig 2.1.1(d): Tree Topology
Mesh Topology: The topology in which each node is directly connected to some or all
the other nodes present in the network. This redundancy makes the network highly
fault tolerant, but the escalated costs may limit this topology to highly critical
networks. [Techopedia.com]
Fig 2.1.1(e): Mesh Topology
2.1.2 OSI/ISO Model
The Open Systems Interconnection model (OSI) is a conceptual model that characterizes
and standardizes the internal functions of a communication system by partitioning it into
abstraction layers. The model groups communication functions into seven logical layers.
A layer serves the layer above it and is served by the layer below it. For example, a layer
that provides error-free communications across a network provides the path needed by
applications above it, while it calls the next lower layer to send and receive packets that
make up the contents of that path. Two instances at one layer are connected by a
horizontal connection on that layer. [Webopedia.com]
Fig 2.1.2: OSI\ISO Model
Layer 1: Physical Layer
The physical layer has the following major functions:
- It defines the electrical and physical specifications of the data connection. It defines
the relationship between a device and a physical transmission medium (e.g., a
copper or fiber optical cable).
- It defines the protocol to establish and terminate a connection between two directly
connected nodes over a communications medium.
- It may define the protocol for flow control.
Layer 2: Data Link Layer
The data link layer provides a reliable link between two directly connected nodes, by
detecting and possibly correcting errors that may occur in the physical layer. The data
link layer is divided into two sub-layers:
Media Access Control (MAC) layer - responsible for controlling how computers
in the network gain access to data and permission to transmit it.
Logical Link Control (LLC) layer - controls error checking and packet
synchronization.
The Point-to-Point Protocol (PPP) is an example of a data link layer protocol in the TCP/IP
protocol stack.
Layer 3: Network Layer
The network layer provides the functional and procedural means of transferring
variable-length data sequences (called datagrams) from one node to another connected to the same
network. In addition to message routing, the network layer may (or may not) implement
message delivery by splitting the message into several fragments, delivering each
fragment by a separate route and reassembling the fragments, reporting delivery errors, etc.
Layer 4: Transport Layer
The transport layer provides the functional and procedural means of transferring variable-
length data sequences from a source to a destination host via one or more networks, while
maintaining the quality of service functions.
An example of a transport-layer protocol in the standard Internet protocol stack is TCP,
usually built on top of the IP protocol.
Layer 5: Session Layer
The session layer controls the dialogues (connections) between computers. It establishes,
manages and terminates the connections between the local and remote application. It
provides for full-duplex, half-duplex, or simplex operation, and establishes
checkpointing, adjournment, termination, and restart procedures.
Layer 6: Presentation Layer
This layer provides independence from data representation (e.g., encryption) by
translating between application and network formats. The presentation layer transforms
data into the form that the application accepts. This layer formats and encrypts data to be
sent across a network. It is sometimes called the syntax layer.
Layer 7: Application Layer
The application layer is the OSI layer closest to the end user, which means both the OSI
application layer and the user interact directly with the software application. This layer
interacts with software applications that implement a communicating component. Such
application programs fall outside the scope of the OSI model. Application-layer functions
typically include identifying communication partners, determining resource availability,
and synchronizing communication. [wikipedia.com]
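To make the layering concrete, the following added example (not code from the report's own application) decodes one Ethernet frame through layers 2 to 4: the data link header (MAC addresses and EtherType), the network header (IPv4 addresses, TTL, fragmentation flags and header checksum) and the transport header (TCP ports and flags). The frame bytes, addresses and ports are constructed for the example; the IPv4 header checksum is verified so that a corrupted header is reported rather than decoded silently.

```python
"""Walking one captured frame up the OSI layers (data link, network, transport).

Added illustration, not code from the report's own application.  The frame
bytes below are constructed for the example: an Ethernet II frame carrying an
IPv4 packet that carries a TCP SYN from 10.0.0.5:50000 to 10.0.0.1:80.
"""
import struct

SAMPLE_FRAME = bytes.fromhex(
    "001122334455"            # Ethernet destination MAC
    "66778899aabb"            # Ethernet source MAC
    "0800"                    # EtherType: IPv4
    "4500002812344000"        # IPv4: ver/IHL, TOS, total length 40, id, flags (DF)
    "40061497"                # TTL 64, protocol 6 (TCP), header checksum
    "0a000005" "0a000001"     # source 10.0.0.5, destination 10.0.0.1
    "c3500050"                # TCP: source port 50000, destination port 80
    "00000001" "00000000"     # sequence number, acknowledgement number
    "5002ffff" "0000" "0000"  # data offset 5, flags SYN, window, checksum, urgent
)

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def mac_str(raw):
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join("%02x" % b for b in raw)


def ipv4_header_checksum(header):
    """RFC 1071 one's-complement checksum; a valid header (field included) gives 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame):
    """Return a dict with one entry per layer that could be decoded."""
    layers = {}
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["data_link"] = {"dst_mac": mac_str(dst_mac),
                           "src_mac": mac_str(src_mac), "ethertype": ethertype}
    if ethertype != 0x0800:
        return layers  # only IPv4 is decoded in this example
    packet = frame[14:]
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    layers["network"] = {
        "src_ip": ".".join(str(b) for b in src_ip),
        "dst_ip": ".".join(str(b) for b in dst_ip),
        "ttl": ttl, "protocol": proto, "total_length": total_len,
        "dont_fragment": bool(flags_frag & 0x4000),
        "fragment_offset": flags_frag & 0x1FFF,
        "checksum_ok": ipv4_header_checksum(packet[:ihl]) == 0,
    }
    segment = packet[ihl:total_len]
    if proto != 6 or len(segment) < 20:
        return layers  # not TCP, or no room for a TCP header
    (sport, dport, seq, ack, off_res, flags, window,
     _csum, _urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    layers["transport"] = {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
        "window": window,
        "payload_length": max(0, len(segment) - data_offset),
    }
    return layers


if __name__ == "__main__":
    for layer, fields in parse_frame(SAMPLE_FRAME).items():
        print(layer, fields)
```

Each layer's header is stripped before the next one is decoded, which is the "serves the layer above it" relationship in the text; a sensor that shows frames, hosts and transmitted files, as the report's application does, is doing this decoding for every captured frame.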
2.2 Possible Threats in an Enterprise Network
Today, there is an ever-growing dependency on computer networks for business
transactions. With the free flow of information and the high availability of many
resources, managers of enterprise networks have to understand all the possible threats to
their networks. These threats take many forms, but all result in loss of privacy to some
degree and possibly malicious destruction of information or resources that can lead to
large monetary losses. Knowing which areas of the network are more susceptible to
network intruders, and who the common attacker is, is useful in protecting an enterprise
network from attacks.
2.2.1 Internal Threats: LAN Security
The common trend in the past has been to trust users internal to the corporate network
and to distrust connections originating from the Internet or from remote access networks
using virtual private networks (VPNs), dial-in modems, and Integrated Services Digital
Network (ISDN) lines. It is important to place trust in the employees internal to the
network and in authorized people trying to use internal network resources from outside
the corporation. However, trust must also be weighed with reality.
According to some sources, at least 60 percent of attacks are perpetrated by
corporate insiders, and there is an increasing trend not to trust internal users and to have
stricter security measures in place. Wireless networks are coming into more widespread
use, and more stringent security considerations are often required in these instances.
Restricted use of network infrastructure equipment and critical resources is necessary.
Limiting network access to only those who require access is a smart way to deter many
threats that breach computer network security. [Scarfone07]
2.2.2 External Threats: Worms, Viruses, Trojans
Most known computer worms, viruses and trojans are spread in one of the following
ways:
- Files sent as email attachments
- Via a link to a web or FTP resource
- Via a link sent in an ICQ or IRC message
- Via P2P (peer-to-peer) file sharing networks
Some worms are spread as network packets. These directly penetrate the computer
memory, and the worm code is then activated.
An Internet worm is a type of malicious software (malware) that self-replicates and
distributes copies of itself across its network. These independent virtual viruses spread
through the Internet, break into computers, and replicate without intervention from and
unbeknownst to computer users. Unlike Trojans or other viruses that require user
intervention to spread, Internet worms can spread on their own.
A computer virus is a malware program that, when executed, replicates by inserting
copies of itself (possibly modified) into other computer programs, data files, or the boot
sector of the hard drive; when this replication succeeds, the affected areas are then said
to be "infected". Viruses often perform some type of harmful activity on infected hosts,
such as stealing hard disk space or CPU time, accessing private information, corrupting
data, displaying political or humorous messages on the user's screen, spamming their
contacts, or logging their keystrokes. A Trojan horse is a seemingly benign program that
when activated, causes harm to a computer system. [Scarfone07]
2.2.3 Denial of Service (DOS)
Denial of Service (DoS) is an interruption of service either because the system is
destroyed or because it is temporarily unavailable. Examples include destroying a
computer’s hard disk, severing the physical infrastructure, and using up all available
memory on a resource. Some DoS attacks can be avoided by applying vendor patches to
affected software. For example, many vendors have patched their IP implementations to
prevent intruders from taking advantage of the IP reassembly bugs. A few DoS attacks
cannot be stopped, but their scope of affected areas can be constrained.
2.2.4 Distributed Denial of Service (DDOS)
Distributed Denial of Service (DDoS) is a variant of a DoS attack that has caused even
more problems in recent years. In this attack, multiple machines are used to launch a DoS
attack. The basics of a DDoS attack are shown in the figure below.
Fig 2.2.4: Basics of a DDOS attack
The DDoS client is used by the person who orchestrates an attack as the initial starting
point. The handler is a compromised host with a special program running on it. Each
handler is capable of controlling multiple agents. An agent is a compromised host that is
also running a special program. Each agent is responsible for generating a stream of
packets that is directed toward the intended victim. [Wikipedia.com]
2.3 Intrusion Detection Technology and Prevention Principles
An intrusion detection system (IDS) is software that automates the intrusion detection
process. An intrusion prevention system (IPS) is software that has all the capabilities of
an intrusion detection system and can also attempt to stop possible incidents [Bace01].
IDS and IPS technologies offer many of the same capabilities, and administrators can
usually disable prevention features in IPS products, causing them to function as IDSs.
Accordingly, for brevity the term intrusion detection and prevention systems (IDPS) is
used throughout the rest of this guide to refer to both IDS and IPS technologies. Any
exceptions are specifically noted.
Some IDPSs are also able to change their security profile when a new threat is detected.
For example, an IDPS might be able to collect more detailed information for a particular
session after malicious activity is detected within that session. An IDPS might also alter
the settings for when certain alerts are triggered or what priority should be assigned to
subsequent alerts after a particular threat is detected. [Bace01]
2.3.1 IDPS Technologies: Components and Architectures
The typical components in an IDPS solution are as follows:
Sensor or Agent: Sensors and agents monitor and analyze activity. The term
sensor is typically used for IDPSs that monitor networks, including network-based,
wireless, and network behavior analysis technologies. The term agent is typically
used for host-based IDPS technologies.
Management Server: A management server is a centralized device that receives
information from the sensors or agents and manages them. Some management
servers perform analysis on the event information that the sensors or agents provide
and can identify events that the individual sensors or agents cannot.
Database Server: A database server is a repository for event information recorded
by sensors, agents, and/or management servers.
Console: A console is a program that provides an interface for the IDPS’s users
and administrators. Console software is typically installed onto standard desktop
or laptop computers. Some consoles are used for IDPS administration only, such
as configuring sensors or agents and applying software updates, while other
consoles, such as the IDPS system software included with this project, are used strictly
for monitoring and analysis. Some IDPS consoles provide both administration and
monitoring capabilities. [Northcutt00]
For a typical network architecture of an IDPS, IDPS components can be connected to
each other through an organization’s standard networks or through a separate network
strictly designed for security software management known as a management network. If
a management network is used, each sensor or agent host has an additional network
interface known as a management interface that connects to the management network.
Also, each sensor or agent host is unable to pass any traffic between its management
interface and any of its other network interfaces. The management servers, database
servers, and consoles are attached to the management network only. This architecture
effectively isolates the management network from the production networks. The benefits
of doing this are to conceal the existence and identity of the IDPS from attackers; to
protect the IDPS from attack; and to ensure that the IDPS has adequate bandwidth to
function under adverse conditions (e.g., worm attack or distributed denial of service
[DDoS] on the monitored networks). Disadvantages of using a management network
include the additional costs in networking equipment and other hardware (e.g., PCs for
the consoles) and the inconvenience for IDPS users and administrators of using separate
computers for IDPS management and monitoring.
If an IDPS is deployed without a separate management network, another way of
improving IDPS security is to create a virtual management network using a virtual local
area network (VLAN) within the standard networks. Using a VLAN provides protection
for IDPS communications, but not as much protection as a separate management network.
For example, misconfiguration of the VLAN could lead to the exposure of IDPS data.
Another concern is that under adverse conditions, such as DDoS attacks or major malware
incidents, the network devices shared by the organization’s primary networks and VLAN
might become completely saturated, negatively impacting the availability and
performance of the IDPS. [Northcutt00]
2.3.2 Major Functions Of Intrusion Detection And Prevention Systems
In addition to monitoring and analyzing events to identify undesirable activity, all types
of IDPS technologies typically perform the following functions:
i. Recording information related to observed events: Information is usually recorded
locally, and might also be sent to separate systems.
ii. Notifying security administrators of important observed events: This notification,
known as an alert, occurs through any of several methods, including the following:
e-mails, pages, messages on the IDPS user interface, syslog messages, and user-
defined programs and scripts. A notification message typically includes only basic
information regarding an event; administrators need to access the IDPS for
additional information.
iii. Producing reports: Reports summarize the monitored events or provide details on
particular events of interest.
iv. Changing the security profile: Some IDPSs are also able to change their security
profile when a new threat is detected. For example, an IDPS might be able to collect
more detailed information for a particular session after malicious activity is detected
within that session. [Bace01]
v. The IPS stops the attack itself: Examples of how this could be done are as follows:
- Terminate the network connection or user session that is being used for the attack
- Block access to the target (or possibly other likely targets) from the offending user
account, IP address, or other attacker attribute
- Block all access to the targeted host, service, application, or other resource.
vi. The IPS changes the security environment: The IPS could change the
configuration of other security controls to disrupt an attack. Common examples
are reconfiguring a network device (e.g., firewall, router, switch) to block access
from the attacker or to the target, and altering a host-based firewall on a target to
block incoming attacks.
vii. The IPS changes the attack's content: Some IPS technologies can remove or
replace malicious portions of an attack to make it benign. A simple example is an
IPS removing an infected file attachment from an e-mail and then permitting the
cleaned e-mail to reach its recipient.
viii. Another common attribute of IDPS technologies is that they cannot provide
completely accurate detection. When an IDPS incorrectly identifies benign
activity as being malicious, a false positive has occurred. When an IDPS fails to
identify malicious activity, a false negative has occurred. It is not possible to
eliminate all false positives and negatives; in most cases, reducing the occurrences
of one increases the occurrences of the other. [Bace01]
2.3.3 Types of IDPS Technologies
There are many types of IDPS technologies, which are differentiated primarily by the
types of events that they can recognize and the methodologies that they use to identify
possible incidents. This publication discusses the following four types of IDPS
technologies:
i. Network-Based which monitors network traffic for particular network segments
or devices and analyzes the network and application protocol activity to identify
suspicious activity.
ii. Wireless, which monitors wireless network traffic and analyzes it to identify
suspicious activity involving the wireless networking protocols themselves.
iii. Network Behavior Analysis (NBA), which examines network traffic to identify
threats that generate unusual traffic flows, such as DDoS attacks, scanning, and
certain forms of malware.
iv. Host-Based, which monitors the characteristics of a single host and the events
occurring within that host for suspicious activity.
2.3.4 Detection Methodologies Used By IDPS Systems
Most IDPSs use multiple detection methodologies, either separately or integrated, to
provide more broad and accurate detection. The primary classes of detection
methodologies are as follows:
i. Signature-based, which compares known threat signatures to observed events to
identify incidents. A signature-based IDPS maintains a collection of signatures,
each of which characterizes the profile of a known security threat (e.g. a virus or
a DoS attack). These signatures are used to parse the data streams of the various flows
traversing the network link; when a flow matches a signature, appropriate
action is taken (e.g. block the flow or rate-limit it). Security signatures are classed
into string signatures, port signatures and header condition signatures.
- String signatures are strings of ASCII characters that characterize a known
attack. For example, a string signature for UNIX can be cat "+ +" > /.rhosts,
which, if executed, can leave the system extremely vulnerable to network
attack.
- Port signatures watch for connection setup attempts to well-known,
frequently attacked ports. Obvious examples include telnet (TCP port 23),
FTP (TCP ports 21/20) and IMAP (TCP port 143). If these ports are not being
used by the network at a point in time, then incoming packets directed to
these ports are considered suspicious.
- Header signatures are designed to watch for dangerous or illegitimate
combinations of values in packet header fields. The most famous example is
WinNuke, in which a packet's destination port is the NetBIOS port and the
Urgent (out-of-band) pointer is set. In earlier versions of Windows, this
resulted in the "blue screen of death". [Sailesh07]
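The three signature classes above can be illustrated with a small matcher. The following Python block is an added example, not code from this project or from the cited sources; the packet structure, the signature table and the set of ports in use on the monitored network are constructed for illustration (the string signature is the one quoted above). Note that the port signature only fires when the probed port is not in use, exactly as the text describes.

```python
"""Toy signature-based detector covering string, port and header-condition
signatures. Added example; packets and signatures are constructed."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: set = field(default_factory=set)   # TCP flags, e.g. {"SYN"}
    payload: bytes = b""


# String signatures: byte sequences that characterise a known attack.
STRING_SIGNATURES = {
    "rhosts-trust-abuse": b'cat "+ +" > /.rhosts',
}

# Port signatures: well-known, frequently attacked ports. A connection
# attempt (SYN) to one of them is suspicious only when that port is not
# in use on the monitored network, so ports_in_use is a detector parameter.
WATCHED_PORTS = {21: "ftp", 23: "telnet", 143: "imap"}

# Header-condition signature: urgent (out-of-band) data sent to the
# NetBIOS session port, the combination named in the text.
NETBIOS_PORT = 139


def match_string_signatures(pkt):
    return [name for name, needle in STRING_SIGNATURES.items()
            if needle in pkt.payload]


def match_port_signatures(pkt, ports_in_use):
    if ("SYN" in pkt.flags and pkt.dport in WATCHED_PORTS
            and pkt.dport not in ports_in_use):
        return [f"probe-{WATCHED_PORTS[pkt.dport]}"]
    return []


def match_header_signatures(pkt):
    if pkt.dport == NETBIOS_PORT and "URG" in pkt.flags:
        return ["oob-to-netbios"]
    return []


def inspect(pkt, ports_in_use=frozenset()):
    """Return the names of all signatures the packet matches (empty = clean)."""
    return (match_string_signatures(pkt)
            + match_port_signatures(pkt, ports_in_use)
            + match_header_signatures(pkt))


# Constructed sample traffic (addresses are placeholders).
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", 23, {"SYN"}),                     # telnet probe
    Packet("10.0.0.5", "10.0.0.9", 139, {"ACK", "URG"}, b"x"),       # OOB to NetBIOS
    Packet("10.0.0.7", "10.0.0.9", 22, {"ACK"}, b'cat "+ +" > /.rhosts\n'),
    Packet("10.0.0.8", "10.0.0.9", 443, {"SYN"}),                    # benign
]


def run(packets=SAMPLE, ports_in_use=frozenset({22, 443})):
    """Inspect every packet; returns {index: [matched signature names]}."""
    return {i: inspect(p, ports_in_use) for i, p in enumerate(packets)}


if __name__ == "__main__":
    for i, hits in run().items():
        print(i, hits or "clean")
```

The expected result is that packets 0, 1 and 2 each match exactly one signature class and packet 3 is clean; passing `frozenset({23})` as the ports in use silences the telnet alert, which is the behaviour the text attributes to port signatures.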
ii. Anomaly-based detection, which compares definitions of what activity is
considered normal against observed events to identify significant deviations. This
method uses profiles that are developed by monitoring the characteristics of
typical activity over a period of time. The IDPS then compares the characteristics
of current activity to thresholds related to the profile. Deciding what is normal and
what is an anomaly is highly subjective, but a widely accepted rule of thumb is that
any event which occurs at a frequency more than two standard deviations from the
statistical norm should be considered suspicious. An example of such behavior would
be a normal user logging on and off a machine 20 times a day instead of the usual
1 or 2 times. Anomaly-based detection methods can be very effective at detecting
previously unknown threats.
Common problems with anomaly-based detection are inadvertently including
malicious activity within a profile, establishing profiles that are not sufficiently
complex to reflect real-world computing activity, and generating many false
positives. [Scarfone07]
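The two-standard-deviation rule of thumb and the login example above, worked in Python. This is an added example and not code from this project; the daily login counts are constructed. It also shows the first of the listed problems: when the training window inadvertently contains the malicious day, the profile's standard deviation grows and a later, milder deviation goes undetected.

```python
"""Toy anomaly-based detector using the two-standard-deviation rule.
Added example; the per-day login counts below are constructed."""
from statistics import mean, pstdev


def build_profile(history):
    """Learn a baseline (mean, population std dev) from daily event counts
    observed during a training period."""
    if len(history) < 2:
        raise ValueError("need at least two observations to build a profile")
    return {"mean": mean(history), "stdev": pstdev(history)}


def is_anomalous(profile, observed, k=2.0):
    """True when |observed - mean| exceeds k standard deviations.
    A floor on the std dev (a constructed choice) keeps a perfectly constant
    training set from flagging every tiny change."""
    spread = max(profile["stdev"], 0.5)
    return abs(observed - profile["mean"]) > k * spread


# Constructed training data: ten days of 1 or 2 logins per day.
CLEAN_HISTORY = [1, 2, 1, 2, 2, 1, 2, 1, 1, 2]
# Same data with a 20-login day accidentally included in the profile.
POISONED_HISTORY = CLEAN_HISTORY + [20]


def classify_day(history, observed):
    """Convenience wrapper: build the profile and classify one observation."""
    return is_anomalous(build_profile(history), observed)


if __name__ == "__main__":
    clean = build_profile(CLEAN_HISTORY)
    print("clean profile:", clean)                   # mean 1.5, stdev 0.5
    for logins in (2, 10, 20):
        print(f"{logins:>2} logins/day ->",
              "anomalous" if is_anomalous(clean, logins) else "normal")
    print("10 logins/day against poisoned profile ->",
          "anomalous" if classify_day(POISONED_HISTORY, 10) else "normal")
```

Against the clean profile, 2 logins is normal while 10 and 20 are anomalous; against the poisoned profile the mean rises to about 3.2 and the standard deviation to about 5.3, so 10 logins falls inside two standard deviations and is missed.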
iii. Stateful Protocol Analysis, which compares predetermined profiles of generally
accepted definitions of benign protocol activity for each protocol state against
observed events to identify deviations. Unlike anomaly-based detection, which
uses host- or network-specific profiles, stateful protocol analysis relies on vendor-
developed universal profiles that specify how particular protocols should and
should not be used. It is capable of understanding and tracking the state of
protocols that have a notion of state, which allows it to detect many attacks that
other methods cannot. Problems with stateful protocol analysis include that it is
often very difficult or impossible to develop completely accurate models of
protocols, it is very resource-intensive, and it cannot detect attacks that do not
violate the characteristics of generally acceptable protocol behavior. [Ilgun]
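A minimal stateful protocol analyser, as an added example that is not part of this project. It tracks a simplified SMTP dialogue through the states HELO/EHLO, MAIL FROM, RCPT TO and DATA; the "universal profile" is the table of commands legitimate in each state, and any command sent in a state where the profile does not allow it is reported as a deviation. The protocol subset and the two sample sessions are constructed for illustration; a real analyser would model many more states and the argument syntax of each command.

```python
"""Toy stateful protocol analysis for a simplified SMTP session.
Added example; the profile covers only a subset of SMTP and the
sessions are constructed."""

# Profile: commands the protocol permits in each state.
PROFILE = {
    "INIT":    {"HELO", "EHLO", "QUIT"},
    "GREETED": {"MAIL", "RSET", "QUIT", "NOOP"},
    "MAIL":    {"RCPT", "RSET", "QUIT", "NOOP"},
    "RCPT":    {"RCPT", "DATA", "RSET", "QUIT", "NOOP"},
    "DATA":    set(),   # body lines, terminated by a lone "."; handled separately
    "CLOSED":  set(),   # nothing is legitimate after QUIT
}

# State transitions for the commands that advance the dialogue.
TRANSITIONS = {
    ("INIT", "HELO"): "GREETED", ("INIT", "EHLO"): "GREETED",
    ("GREETED", "MAIL"): "MAIL",
    ("MAIL", "RCPT"): "RCPT", ("RCPT", "RCPT"): "RCPT",
    ("RCPT", "DATA"): "DATA",
}


def analyse_session(lines):
    """Walk one client->server session; return [(line_no, state, command)]
    for every command that the profile does not allow in the current state."""
    state = "INIT"
    violations = []
    for i, line in enumerate(lines):
        if state == "DATA":                 # inside the message body
            if line.strip() == ".":
                state = "GREETED"
            continue
        cmd = line.split(maxsplit=1)[0].upper() if line.strip() else ""
        if cmd not in PROFILE[state]:
            violations.append((i, state, cmd))
            continue                        # illegitimate input does not advance state
        if cmd == "RSET":
            state = "GREETED"
        elif cmd == "QUIT":
            state = "CLOSED"
        elif cmd == "NOOP":
            pass
        else:
            state = TRANSITIONS[(state, cmd)]
    return violations


# Constructed sessions (addresses are placeholders).
BENIGN_SESSION = [
    "EHLO client.example", "MAIL FROM:<a@example.test>",
    "RCPT TO:<b@example.test>", "DATA", "Subject: hi", "", "hello", ".", "QUIT",
]
DEVIANT_SESSION = [
    "HELO client.example",
    "DATA",                         # DATA before MAIL/RCPT: not allowed in GREETED
    "RCPT TO:<b@example.test>",     # RCPT before MAIL: not allowed in GREETED
    "MAIL FROM:<a@example.test>", "RCPT TO:<b@example.test>",
    "DATA", "Subject: ok", ".", "QUIT",
]

if __name__ == "__main__":
    print("benign :", analyse_session(BENIGN_SESSION))
    print("deviant:", analyse_session(DEVIANT_SESSION))
```

The benign session produces no findings; the deviant one reports the out-of-order DATA and RCPT at lines 1 and 2, after which the session recovers and the remaining commands are accepted. This also shows the last limitation named above: a message that follows the protocol correctly but carries a malicious body is invisible to this method.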
2.3.5 General Capabilities of IDPS Technologies
Most IDPS technologies can provide a wide variety of security capabilities. They can
generally be divided into four categories: information gathering, logging, detection, and
prevention.
Information Gathering Capabilities:
Some IDPS technologies offer information gathering capabilities, such as collecting
information on hosts or networks from observed activity. Examples include identifying
hosts and the operating systems and applications that they use, and identifying general
characteristics of the network.
Logging Capabilities:
IDPSs typically perform extensive logging of data related to detected events. This data
can be used to confirm the validity of alerts, investigate incidents, and correlate events
between the IDPS and other logging sources. Data fields commonly used by IDPSs
include event date and time, event type, importance rating (e.g., priority, severity, impact,
confidence), and prevention action performed (if any). Specific types of IDPSs log
additional data fields, such as network-based IDPSs performing packet captures and host-
based IDPSs recording user IDs.
Detection Capabilities:
IDPS technologies typically offer extensive, broad detection capabilities. Most products
use a combination of detection techniques, which generally supports more accurate
detection and more flexibility in tuning and customization. The types of events detected
and the typical accuracy of detection vary greatly depending on the type of IDPS
technology. Most IDPSs require at least some tuning and customization to improve their
detection accuracy, usability, and effectiveness, such as setting the prevention actions to
be performed for particular alerts. Technologies vary widely in their tuning and
customization capabilities. Typically, the more powerful a product’s tuning and
customization capabilities are, the more its detection accuracy can be improved from the
default configuration. Organizations should carefully consider the tuning and
customization capabilities of IDPS technologies when evaluating products. Examples of
such capabilities are as follows:
THRESHOLDS: A threshold is a value that sets the limit between normal and
abnormal behavior. Thresholds usually specify a maximum acceptable level, such
as x failed connection attempts in 60 seconds, or x characters for a filename length.
Thresholds are most often used for anomaly-based detection and signature-based
detection.
BLACKLISTS AND WHITELISTS: A blacklist is a list of discrete entities, such
as hosts, TCP or UDP port numbers, ICMP types and codes, applications,
usernames, URLs, filenames, or file extensions, that have been previously
determined to be associated with malicious activity. A whitelist is a list of discrete
entities that are known to be benign.
ALERT SETTINGS: Most IDPS technologies allow administrators to customize
each alert type. Examples of actions that can be performed on an alert type include
the following:
– Setting a default priority or severity level
– Specifying what information should be recorded and what notification methods
(e.g., e-mail, pager) should be used
– Specifying which prevention capabilities should be used.
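The threshold "x failed connection attempts in 60 seconds" together with a blacklist and a whitelist, as an added example in Python that is not part of this project. The log line format, the addresses and the threshold values are constructed; the point is the sliding window, which counts only failures that fall within the last 60 seconds rather than within fixed clock minutes.

```python
"""Sliding-window threshold detector with blacklist/whitelist handling.
Added example; log lines, addresses and limits are constructed."""
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5            # x failed connection attempts ...
WINDOW_SECONDS = 60      # ... within 60 seconds
BLACKLIST = {"198.51.100.23"}          # previously seen as malicious (constructed)
WHITELIST = {"10.0.0.2"}               # e.g. the organisation's own scanner (constructed)


def parse(line):
    """Parse 'ISO-timestamp key=value ...' into a dict (constructed format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return alerts as (timestamp, source, reason), in log order."""
    alerts = []
    recent = defaultdict(deque)          # source -> timestamps of recent failures
    for ev in map(parse, lines):
        src = ev["src"]
        if src in WHITELIST:
            continue                     # known benign: never alert
        if src in BLACKLIST:
            alerts.append((ev["ts"], src, "blacklisted source"))
            continue
        if ev["result"] != "FAIL":
            continue
        q = recent[src]
        q.append(ev["ts"])
        while (q[-1] - q[0]).total_seconds() > window:
            q.popleft()                  # drop failures older than the window
        if len(q) == threshold:          # alert once, when the limit is reached
            alerts.append((ev["ts"], src,
                           f"{threshold} failed connections within {window}s"))
    return alerts


# Constructed sample log: 10.0.0.5 fails five times in 31 s (alert),
# 10.0.0.6 fails five times spread over five minutes (no alert),
# 10.0.0.2 is whitelisted, 198.51.100.23 is blacklisted.
LOG = [
    "2014-10-03T10:00:00 src=10.0.0.5 dst=10.0.0.9 dport=22 result=FAIL",
    "2014-10-03T10:00:05 src=10.0.0.5 dst=10.0.0.9 dport=22 result=FAIL",
    "2014-10-03T10:00:10 src=10.0.0.6 dst=10.0.0.9 dport=22 result=FAIL",
    "2014-10-03T10:00:12 src=10.0.0.5 dst=10.0.0.9 dport=22 result=FAIL",
    "2014-10-03T10:00:20 src=10.0.0.5 dst=10.0.0.9 dport=22 result=FAIL",
    "2014-10-03T10:00:25 src=198.51.100.23 dst=10.0.0.9 dport=80 result=OK",
    "2014-10-03T10:00:31 src=10.0.0.5 dst=10.0.0.9 dport=22 result=FAIL",
    "2014-10-03T10:01:30 src=10.0.0.6 dst=10.0.0.9 dport=22 result=FAIL",
    "2014-10-03T10:02:50 src=10.0.0.6 dst=10.0.0.9 dport=22 result=FAIL",
    "2014-10-03T10:04:10 src=10.0.0.6 dst=10.0.0.9 dport=22 result=FAIL",
    "2014-10-03T10:05:30 src=10.0.0.6 dst=10.0.0.9 dport=22 result=FAIL",
    "2014-10-03T10:05:31 src=10.0.0.2 dst=10.0.0.9 dport=22 result=FAIL",
    "2014-10-03T10:05:32 src=10.0.0.2 dst=10.0.0.9 dport=22 result=FAIL",
    "2014-10-03T10:05:33 src=10.0.0.2 dst=10.0.0.9 dport=22 result=FAIL",
    "2014-10-03T10:05:34 src=10.0.0.2 dst=10.0.0.9 dport=22 result=FAIL",
    "2014-10-03T10:05:35 src=10.0.0.2 dst=10.0.0.9 dport=22 result=FAIL",
]

if __name__ == "__main__":
    for ts, src, reason in detect(LOG):
        print(ts.isoformat(), src, reason)
```

Running it yields two alerts: the blacklisted source at 10:00:25 and 10.0.0.5 at 10:00:31, when its fifth failure lands inside the 60-second window. The slow source 10.0.0.6 never accumulates five failures in any window and the whitelisted scanner is ignored altogether, which is the trade-off the text describes between thresholds and false positives.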
Prevention Capabilities:
Most IDPSs offer multiple prevention capabilities; the specific capabilities vary by IDPS
technology type. IDPSs usually allow administrators to specify the prevention capability
configuration for each type of alert. This usually includes enabling or disabling
prevention, as well as specifying which type of prevention capability should be used.
[Scarfone07]
2.4 Network-Based IDPS
Network-Based IDPS monitors network traffic for particular network segments or
devices and analyzes the network and application protocol activity to identify suspicious
activity. It can identify many different types of events of interest. It is most commonly
deployed at a boundary between networks, such as in proximity to border firewalls or
routers, virtual private network (VPN) servers, remote access servers, and wireless
networks. This section provides a detailed discussion of network-based IDPS
technologies. It covers the major components of network-based IDPSs and explains the
architectures typically used for deploying the components. It also examines the security
capabilities of the technologies in depth, including the methodologies they use to identify
suspicious activity. [Scarfone07]
2.4.1 Components And Architecture
The components of a typical network-based IDPS are mainly sensors, one or more
management servers, multiple consoles, and optionally one or more database servers (if
the network-based IDPS supports their use). All of these components are similar to other
types of IDPS technologies, except for the sensors. A network-based IDPS sensor
monitors and analyzes network activity on one or more network segments. The network
interface cards that will be performing monitoring are placed into promiscuous mode,
which means that they will accept all incoming packets that they see, regardless of their
intended destinations.
Most IDPS deployments use multiple sensors, with large deployments having hundreds
of sensors. Sensors are available in two formats:
Appliance: An appliance-based sensor consists of specialized hardware and
sensor software. The hardware is typically optimized for sensor use, including
specialized NICs and NIC drivers for efficient capture of packets, and specialized
processors or other hardware components that assist in analysis. Appliances often
use a customized, hardened operating system (OS) that administrators are not
intended to access directly.
Software Only: Some vendors sell sensor software without an appliance.
Administrators can install the software onto hosts that meet certain specifications.
The sensor software might include a customized OS, or it might be installed onto
a standard OS just as any other application would.
In addition to choosing the appropriate network for the components, administrators also
need to decide where the IDPS sensors should be located. Sensors can be deployed in
one of two modes:
Inline: An inline sensor is deployed so that the network traffic it is monitoring must
pass through it, much like the traffic flow associated with a firewall. In fact, some
inline sensors are hybrid firewall/IDPS devices, while others are simply IDPSs.
The primary motivation for deploying IDPS sensors inline is to enable them to stop
attacks by blocking network traffic.
Fig 2.4.1: Inline Network-based IDPS Sensor Architecture Example
Passive: A passive sensor is deployed so that it monitors a copy of the actual
network traffic; no traffic actually passes through the sensor. Passive sensors are
typically deployed so that they can monitor key network locations, such as the
divisions between networks, and key network segments, such as activity on a
demilitarized zone (DMZ) subnet. [Scarfone07]
Figure 2.4.2: Passive Network-Based IDPS Sensor Architecture Example
2.4.2 Security Capabilities of Network-Based IDPS
Network-based IDPS products provide a wide variety of security capabilities. The
common security capabilities can be divided into four categories: information gathering,
logging, detection, and prevention. Some network-based IDPS products
also provide some security information and event management (SIEM) capabilities.
Information Gathering Capabilities: Some network-based IDPSs offer limited
information gathering capabilities, which means that they can collect information
on hosts and the network activity involving those hosts. Examples of information
gathering capabilities are as follows:
Identifying Hosts: An IDPS sensor might be able to create a list of hosts on the
organization's network arranged by IP address or MAC address. The list can be
used as a profile to identify new hosts on the network.
Identifying Operating Systems: An IDPS sensor might be able to identify the OSs
and OS versions used by the organization’s hosts through various techniques.
Identifying Applications: For some applications, an IDPS sensor can identify the
application versions in use by keeping track of which ports are used and monitoring
certain characteristics of application communications. Information on application
versions can be used to identify potentially vulnerable applications, as well as
unauthorized use of some applications.
Identifying Network Characteristics: Some IDPS sensors collect general
information about network traffic related to the configuration of network devices
and hosts, such as the number of hops between two devices. This information can
be used to detect changes to the network configuration. [Scarfone07]
Logging Capabilities: Network-based IDPSs typically perform extensive logging
of data related to detected events. This data can be used to confirm the validity of
alerts, to investigate incidents, and to correlate events between the IDPS and other
logging sources. Data fields commonly logged by network-based IDPSs include
the following:
- Timestamp (usually date and time)
- Connection or session ID (typically a consecutive or unique number
assigned to each TCP connection or to like groups of packets for
connectionless protocols)
- Event or alert type
- Rating (e.g., priority, severity, impact, confidence)
- Network, transport, and application layer protocols
- Source and destination IP addresses
- Source and destination TCP or UDP ports, or ICMP types and codes
- Number of bytes transmitted over the connection
- Decoded payload data, such as application requests and responses
- State-related information (e.g., authenticated username). [Scarfone07]
Detection Capabilities: Network-based IDPSs typically offer extensive and broad
detection capabilities. Most products use a combination of signature-based
detection and anomaly-based detection techniques to perform in-depth analysis of
common protocols; organizations should use network-based IDPS products that
use such a combination of techniques. [Scarfone07]
Prevention Capabilities: Network-based IDPS sensors offer various prevention
capabilities, including the following (grouped by sensor type):
• Passive Only
- Ending the Current TCP Session: A passive sensor can attempt to end
an existing TCP session by sending TCP reset packets to both endpoints;
this is sometimes called session sniping.
• Inline Only
- Performing Inline Firewalling: Most inline IDPS sensors offer firewall
capabilities that can be used to drop or reject suspicious network activity.
- Throttling Bandwidth Usage: If a particular protocol is being used
inappropriately, such as for a DoS attack, malware distribution, or peer-
to-peer file sharing, some inline IDPS sensors can limit the percentage of
network bandwidth that the protocol can use.
• Both Passive and Inline
- Reconfiguring Other Network Security Devices: Many IDPS sensors
can instruct network security devices such as firewalls, routers, and
switches to reconfigure themselves to block certain types of activity
or route it elsewhere.
- Running a Third-Party Program or Script: Some IDPS sensors can
run an administrator-specified script or program when certain
malicious activity is detected. This could trigger any prevention
action desired by the administrator, such as reconfiguring other
security devices to block the malicious activity. [Scarfone07]
2.5 Wireless IDPS
A wireless IDPS monitors wireless network traffic and analyzes its wireless networking
protocols to identify suspicious activity involving the protocols themselves. This section
provides a detailed discussion of wireless IDPS technologies. First, it contains a brief
overview of wireless networking, which is background material for understanding the
rest of the section. Next, it covers the major components of wireless IDPSs and explains
the architectures typically used for deploying the components. It also examines the
security capabilities of the technologies in depth, including the methodologies they use
to identify and stop suspicious activity. [Scarfone07]
2.5.1 Components and Architecture
The typical components in a wireless IDPS are the same as a network-based IDPS:
consoles, database servers (optional), management servers, and sensors. All of the
components except sensors have essentially the same functionality for both types of
IDPSs. Wireless sensors perform the same basic role as network-based IDPS sensors,
but they function very differently because of the complexities of monitoring wireless
communications. Unlike a network-based IDPS, which can see all packets on the
networks it monitors, a wireless IDPS works by sampling traffic. There are two
frequency bands to monitor (2.4 GHz and 5 GHz), and each band is separated into
channels.
For architecture, wireless IDPS components are typically connected to each other through
a wired network, as shown in Fig 2.5.1. As with a network-based IDPS, a separate
management network or the organization’s standard networks can be used for wireless
IDPS component communications. Because there should already be a strictly controlled
separation between the wireless and wired networks, using either a management network
or a standard network should be acceptable for wireless IDPS components. Also, some
wireless IDPS sensors (particularly mobile ones) are used standalone and do not need
wired network connectivity. [Scarfone07]
Fig 2.5.1: Wireless IDPS Architecture
Sensor Locations: If the organization uses WLANs, wireless sensors should be
deployed so that they monitor the RF range of the organization’s WLANs (both
APs and STAs), which often includes mobile components such as laptops and
PDAs.
Physical Security: Sensors are often deployed into open locations (e.g., hallway
ceilings, conference rooms) because their range is much greater there than in closed
locations (e.g., wiring closets). Sensors are sometimes deployed outdoors as well.
Sensor Range: The actual range of a sensor varies based on the surrounding
facilities (e.g., walls, doors).
Cost: Ideally, an organization could deploy sensors throughout its facilities to
perform full wireless monitoring. However, the number of sensors needed to do
so can be quite large, especially in wide open campus environments.
AP and Wireless Switch Locations: If a bundled solution (e.g., wireless IDPS
software on an AP) would meet the organization’s other requirements, then the
locations of APs and wireless switches are particularly important because the
wireless IDPS software could potentially be deployed onto those devices.
[Scarfone07]
2.5.2 Security Capabilities of Wireless IDPS
Wireless IDPSs provide several types of security capabilities. Because wireless IDPS is
a relatively new form of IDPS, capabilities currently vary widely among products; over
time, product capabilities should become more consistent.
Information Gathering Capabilities: Most wireless IDPSs can collect
information on wireless devices. Examples of these information gathering
capabilities are as follows:
- Identifying WLAN Devices. Most IDPS sensors can create and maintain an
inventory of observed WLAN devices, including APs, WLAN clients, and ad
hoc (peer-to-peer) clients.
- Identifying WLANs. Most IDPS sensors keep track of observed WLANs,
identifying them by their SSIDs. Administrators can then tag each entry as
being an authorized WLAN, a benign neighboring WLAN (e.g., another
organization in the same building), or a rogue WLAN.
Logging Capabilities: Wireless IDPSs typically perform extensive logging of data
related to detected events. This data can be used to confirm the validity of alerts,
to investigate incidents, and to correlate events between the IDPS and other logging
sources. Data fields commonly logged by wireless IDPSs include the following:
- Timestamp (usually date and time)
- Event or alert type
- Priority or severity rating
- Source MAC address (the vendor is often identified from the address)
- Channel number
- ID of the sensor that observed the event
- Prevention action performed (if any).
Detection Capabilities: Wireless IDPSs can detect attacks, misconfigurations, and
policy violations at the WLAN protocol level, primarily examining IEEE 802.11a,
b, g, and i protocol communication. The types of events most commonly detected
by wireless IDPS sensors include the following:
- Unauthorized WLANs and WLAN devices: Through their information gathering
capabilities, most wireless IDPS sensors can detect rogue APs, unauthorized STAs,
and unauthorized WLANs (both infrastructure mode and ad hoc mode).
- Poorly secured WLAN devices: Most wireless IDPS sensors can identify APs and
STAs that are not using the proper security controls. This includes detecting
misconfigurations and the use of weak WLAN protocols and protocol
implementations.
- Denial of service (DoS) attacks and conditions: DoS attacks can often be detected
through signature-based detection and anomaly detection methods, which can
determine if the observed activity is consistent with the expected activity. Many
denial of service attacks are detected by counting events during periods of time and
alerting when threshold values are exceeded.
- Impersonation and man-in-the-middle attacks. Some wireless IDPS sensors can
detect when a device is attempting to spoof the identity of another device. This is
done by identifying differences in the characteristics of the activity, such as certain
values in frames. [Scarfone07]
Prevention Capabilities: Wireless IDPS sensors offer two types of intrusion
prevention capabilities:
- Wireless: Some sensors can terminate connections between a rogue or
misconfigured STA and an authorized AP or between an authorized STA and a
rogue or misconfigured AP through the air.
- Wired: Some sensors can instruct a switch on the wired network to block network
activity involving a particular STA or AP based on the device’s MAC address or
switch port. [Scarfone07]
2.6 Host-Based IDPS
A host-based IDPS monitors the characteristics of a single host and the events occurring
within that host for suspicious activity. Examples of the types of characteristics a host-
based IDPS might monitor are wired and wireless network traffic (only for that host),
system logs, running processes, file access and modification, and system and application
configuration changes. This section provides a detailed discussion of host-based IDPS
technologies. First, it covers the major components of the technologies and explains the
architectures typically used for deploying the components. It also examines the security
capabilities of the technologies in depth, including the methodologies they use to identify
suspicious activity. [Scarfone07]
2.6.1 Components and Architecture
The typical components of an IDPS involve detection software known as agents installed
on the hosts of interest. Each agent is typically designed to protect one of the following:
- A server: Besides monitoring the server’s operating system (OS), the agent may
also monitor some common applications.
- A client host (desktop or laptop): Agents designed to monitor users’ hosts usually
monitor the OS and common client applications such as e-mail clients and Web
browsers.
- An application service: Some agents perform monitoring for a specific application
service only, such as a Web server program or a database server program. This
type of agent is also known as an application-based IDPS.
The network architecture for host-based IDPS deployments is typically very simple.
Because the agents are deployed to existing hosts on the organization’s networks, the
components usually communicate over those networks instead of using a separate
management network. Fig. 2.6.1 shows an example of a host-based IDPS deployment
architecture. [Scarfone07]
Fig. 2.6.1: Host-Based IDPS Agent
Deployment Architecture Example
2.6.2 Security Capabilities Of Host-Based IDPS
Logging Capabilities: Host-based IDPSs typically perform extensive logging of
data related to detected events. This data can be used to confirm the validity of
alerts, to investigate incidents, and to correlate events between the host-based IDPS
and other logging sources. Data fields commonly logged by host-based IDPSs
include the following:
- Timestamp (usually date and time)
- Event or alert type
- Rating (e.g., priority, severity, impact, confidence)
- Event details specific to the type of event, such as IP address and port
information, application information, filenames and paths, and user IDs
- Prevention action performed (if any).
Detection Capabilities: Most host-based IDPSs have the capability to detect
several types of malicious activity. They often use a combination of signature-
based detection techniques to identify known attacks, and anomaly-based detection
techniques with policies or rule-sets to identify previously unknown attacks.
Prevention Capabilities: Host-based IDPS agents offer various intrusion
prevention capabilities. Because the capabilities vary based on the detection
techniques used by each product, the following items describe the capabilities by
detection technique.
- Code Analysis: The code analysis techniques can prevent code from being
executed, including malware and unauthorized applications.
- Network Traffic Filtering: Working as a host-based firewall, this can stop
unauthorized access and acceptable use policy violations (e.g., use of
inappropriate external services).
- File system Monitoring: This can prevent files from being accessed,
modified, replaced, or deleted, which could stop malware installation,
including Trojan horses and rootkits, as well as other attacks involving
inappropriate file access. [Scarfone07]
2.7 Network Behavior Analysis (NBA) System
A network behavior analysis (NBA) system examines network traffic or statistics on
network traffic to identify unusual traffic flows, such as distributed denial of service
(DDoS) attacks, certain forms of malware (e.g., worms, backdoors), and policy violations
(e.g., a client system providing network services to other systems). This section provides
a detailed discussion of NBA technologies. First, it covers the major components of the
NBA technologies and explains the architectures typically used for deploying the
components. It also examines the security capabilities of the technologies in depth,
including the methodologies they use to identify suspicious activity. [Scarfone07]
2.7.1 Components and Architecture
NBA solutions usually have sensors and consoles, with some products also offering
management servers (which are sometimes called analyzers). NBA sensors are usually
available only as appliances. Some sensors are similar to network-based IDPS sensors in
that they sniff packets to monitor network activity on one or a few network segments.
Other NBA sensors do not monitor the networks directly, but instead rely on network
flow information provided by routers and other networking devices. Flow refers to a
particular communication session occurring between hosts.
As with a network-based IDPS, the NBA components can be placed on a separate
management network or on the organization's standard networks. If the sensors
collect network flow data from other devices rather than sniffing packets themselves,
the entire NBA solution can be logically separated from the standard networks.
Figure 2.7.1 below shows an example of an NBA network architecture.
Figure 2.7.1. NBA Sensor Architecture Example
In addition to choosing the appropriate network for the components, administrators also
need to decide where the sensors should be located. Most NBA sensors can be deployed
in passive mode only, using the same connection methods (e.g., network tap, switch
spanning port) as network-based IDPSs. Passive sensors that are performing direct
network monitoring should be placed so that they can monitor key network locations,
such as the divisions between networks, and key network segments, such as demilitarized
zone (DMZ) subnets. [Scarfone07]
2.7.2 Security Capabilities of Network Behavior Analysis System
NBA products provide a variety of security capabilities which can be divided into four
categories: information gathering, logging, detection, and prevention.
Information Gathering Capabilities: NBA sensors can automatically create and
maintain lists of hosts communicating on the organization’s monitored networks.
They can monitor port usage, perform passive fingerprinting, and use other
techniques to gather detailed information on the hosts.
Logging Capabilities: NBA technologies typically perform extensive logging of
data related to detected events. This data can be used to confirm the validity of
alerts, to investigate incidents, and to correlate events between the NBA solution
and other logging sources. Data fields commonly logged by NBA software include
the following:
- Timestamp (usually date and time)
- Event or alert type
- Rating (e.g., priority, severity, impact, confidence)
- Network, transport, and application layer protocols
- Source and destination IP addresses
- Source and destination TCP or UDP ports, or ICMP types and codes
- Additional packet header fields (e.g., IP time-to-live [TTL])
- Number of bytes and packets sent by the source and destination hosts for the
connection
- Prevention action performed (if any).
Detection Capabilities: NBA technologies typically have the capability to detect
several types of malicious activity. Most products use primarily anomaly-based
detection, along with some signature-based detection techniques, to analyze
network flows. The types of events most commonly detected by NBA sensors
include the following:
- Denial of service (DoS) attacks (including distributed denial of service
[DDoS] attacks): these typically involve significantly increased
bandwidth usage or a much larger number of packets or connections to or
from a particular host than usual.
- Scanning: this can be detected by atypical flow patterns at the application
layer (e.g., banner grabbing), transport layer (e.g., TCP and UDP port
scanning), and network layer (e.g., ICMP scanning).
- Worms: Worms spreading among hosts can be detected in more than one
way. Some worms propagate quickly and use large amounts of bandwidth.
Worms can also be detected because they can cause hosts to communicate
with each other that typically do not, and they can also cause hosts to use
ports that they normally do not use.
- Unexpected application services (e.g., tunneled protocols, backdoors, use of
forbidden application protocols). These are usually detected through
signature-based detection methods, which can determine if the activity
within a connection is consistent with the expected application protocol.
Detection Accuracy: Because NBA sensors work primarily by detecting
significant deviations from normal behavior, they are most accurate at detecting
attacks that generate large amounts of network activity in a short period of time
(e.g., DDoS attacks) and attacks that have unusual flow patterns (e.g., worms
spreading among hosts). NBA sensors are less accurate at detecting small-scale
attacks, particularly if they are conducted slowly and if they do not violate the
administrator-set policies (e.g., the attack uses common ports and protocols).
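The detection types and the accuracy caveat above can be shown on flow records. The following is an added example written for this page, not code from the thesis or from any NBA product: it buckets NetFlow-style records into fixed windows and applies three simple anomaly rules (many ports on one host, many hosts on one service, a volumetric spike against a per-host baseline). The flow records, the host addresses, the window size and the thresholds are all constructed for the demonstration. The last group of records is a 40-port scan spread at one port per minute; it is deliberately not caught by any rule, which is exactly the "slow, low-volume attack" limitation the text describes.

```python
from collections import defaultdict

WINDOW = 60  # seconds; flows are bucketed into fixed windows before analysis

# Constructed NetFlow-style records: (start_seconds, src, dst, proto, dport, packets, bytes).
# This is sample data for the example, not output from a real flow exporter.
FLOWS = [
    # window 0: ordinary traffic used as the baseline
    (0, "10.0.0.5", "10.0.0.80", "tcp", 80, 12, 4500),
    (1, "10.0.0.80", "10.0.0.5", "tcp", 51234, 15, 20000),
    (2, "10.0.0.7", "10.0.0.53", "udp", 53, 2, 300),
    (3, "10.0.0.53", "10.0.0.7", "udp", 40000, 2, 400),
    (20, "10.0.0.9", "10.0.0.80", "tcp", 443, 30, 9000),
]
# window 1: fast TCP port scan, 40 ports on one host within seconds
FLOWS += [(65, "10.0.0.66", "10.0.0.80", "tcp", p, 1, 60) for p in range(1, 41)]
# window 2: worm-like fan-out, one host hitting 30 peers on the same service port
FLOWS += [(130, "10.0.0.23", "10.0.0.%d" % h, "tcp", 445, 1, 200) for h in range(100, 130)]
# window 3: DDoS, 200 external sources flooding the web server
FLOWS += [(190, "203.0.113.%d" % (i % 250 + 1), "10.0.0.80", "tcp", 80, 10, 1500)
          for i in range(200)]
# windows 4..43: the same 40-port scan, spread out at one port per minute
FLOWS += [(240 + 60 * i, "10.0.0.99", "10.0.0.80", "tcp", i + 1, 1, 60) for i in range(40)]


def by_window(flows):
    buckets = defaultdict(list)
    for f in flows:
        buckets[f[0] // WINDOW].append(f)
    return buckets


def detect_scans(flows, min_ports=20):
    """A source touching many distinct ports on one destination inside a window."""
    hits = set()
    for win, recs in by_window(flows).items():
        ports = defaultdict(set)
        for _t, src, dst, proto, dport, _p, _b in recs:
            ports[(src, dst)].add((proto, dport))
        hits |= {(win, src, dst) for (src, dst), ps in ports.items() if len(ps) >= min_ports}
    return hits


def detect_fanout(flows, min_hosts=15):
    """A source contacting many distinct hosts on the same service inside a window."""
    hits = set()
    for win, recs in by_window(flows).items():
        peers = defaultdict(set)
        for _t, src, dst, proto, dport, _p, _b in recs:
            peers[(src, proto, dport)].add(dst)
        hits |= {(win, src, dport) for (src, _pr, dport), ds in peers.items()
                 if len(ds) >= min_hosts}
    return hits


def detect_dos(flows, baseline_window=0, factor=10):
    """A destination receiving `factor` times more bytes than in the baseline window.
    Hosts with no baseline are skipped rather than flagged: a brand-new host is an
    inventory change, not evidence of a volumetric attack."""
    totals = defaultdict(lambda: defaultdict(int))
    for t, _s, dst, _pr, _dp, _p, byts in flows:
        totals[t // WINDOW][dst] += byts
    base = totals[baseline_window]
    hits = set()
    for win, per_dst in totals.items():
        if win == baseline_window:
            continue
        for dst, total in per_dst.items():
            if dst in base and total > factor * base[dst]:
                hits.add((win, dst))
    return hits


def analyze(flows):
    return {"scans": detect_scans(flows), "fanout": detect_fanout(flows), "dos": detect_dos(flows)}


if __name__ == "__main__":
    for kind, hits in analyze(FLOWS).items():
        print(kind, sorted(hits))
```

Only the fast scan, the fan-out and the flood are reported; the slow scanner at 10.0.0.99 never exceeds the per-window threshold because every window sees a single port from it. Catching it requires keeping per-source state across windows, which is the trade-off (memory per tracked host versus detection latency) that every NBA product has to make.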
Prevention Capabilities: NBA sensors offer various intrusion prevention
capabilities, including the following (grouped by sensor type):
- Passive Only:
o Ending the Current TCP Session. A passive NBA sensor can attempt
to end an existing TCP session by sending TCP reset packets to both
endpoints.
- Inline Only:
o Performing Inline Firewalling. Most inline NBA sensors offer
firewall capabilities that can be used to drop or reject suspicious
network activity.
- Both Passive and Inline:
o Reconfiguring Other Network Security Devices. Many NBA sensors
can instruct network security devices such as firewalls and routers to
reconfigure themselves to block certain types of activity or route it
elsewhere, such as a quarantine virtual local area network (VLAN).
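The passive "send a TCP reset to both endpoints" action is simple to state but has one detail that decides whether it works: each forged RST must carry the sequence number its receiver expects next, because the sensor is racing the real endpoints and, on stacks implementing RFC 5961, a RST that is merely in-window triggers a challenge ACK rather than a teardown. The following is an added example written for this page, not code from the thesis or from any NBA product; it only builds the two segments in memory (nothing is transmitted) and the addresses, ports and sequence numbers are constructed.

```python
import socket
import struct

RST, ACK, SYN, FIN = 0x04, 0x10, 0x02, 0x01


def _checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Build a TCP segment (20-byte header + payload) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 1024, 0, 0)
    csum = _checksum(_pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def checksum_ok(src_ip, dst_ip, segment):
    """A correct checksum makes the one's-complement sum of the whole segment zero."""
    return _checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse(segment):
    """The fields a passive sensor needs from an observed segment."""
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", segment[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "payload_len": len(segment) - (off >> 4) * 4}


def next_sequence_numbers(segment):
    """From one observed segment A->B: the sequence number B expects next from A
    (seq + data length, plus one if SYN or FIN is set) and the one A expects next
    from B (the acknowledgement number A just sent)."""
    p = parse(segment)
    from_sender = (p["seq"] + p["payload_len"] + bool(p["flags"] & (SYN | FIN))) & 0xFFFFFFFF
    return from_sender, p["ack"]


def reset_pair(src_ip, dst_ip, observed):
    """Forge the two RSTs a passive sensor injects to tear down the session that
    produced `observed` (sent src_ip -> dst_ip). Each RST is spoofed as coming
    from the peer and carries exactly the sequence number its target expects."""
    p = parse(observed)
    to_receiver, to_sender = next_sequence_numbers(observed)
    rst_to_dst = tcp_segment(src_ip, dst_ip, p["sport"], p["dport"], to_receiver, 0, RST)
    rst_to_src = tcp_segment(dst_ip, src_ip, p["dport"], p["sport"], to_sender, 0, RST)
    return rst_to_dst, rst_to_src


if __name__ == "__main__":
    # Constructed example: a client data segment with 10 payload bytes, seen by the sensor.
    seen = tcp_segment("10.0.0.5", "10.0.0.80", 51234, 80, 1000, 5000, ACK | 0x08, b"0123456789")
    for rst in reset_pair("10.0.0.5", "10.0.0.80", seen):
        print(parse(rst))
```

Sending these would additionally need a raw socket with the IP header prepended, and the reset only lands if it reaches each endpoint before the next legitimate segment advances the window, which is why the NIST text says the sensor can only "attempt" to end the session.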
CHAPTER THREE
SYSTEM ANALYSIS AND METHODOLOGY
3.0 Introduction
According to Wikipedia, system analysis is a scientific study of a problem with the aims
of identifying its goals and purposes and designing projects and procedures to solve the
problem with the help of a methodology. The development of an intrusion detection and
prevention system includes a system analysis phase which produces or enhances the data
model, which is itself a precursor to creating or maintaining the software. This chapter
provides detailed information on the analysis of the existing and proposed systems, the
limitations of the existing system, the features and strengths of the proposed system, the
methods of collecting data and finally the methodology used.
3.1 Analysis of The Existing System
This section details existing work on Intrusion Detection and Prevention Systems.
Current enterprise networks are faced with the problem of protecting their
networks from threats ranging from viruses and Trojans to Denial of Service
(DoS) attacks, and thereby securing the company's files and services. Existing
IDPSs detect intrusions through various means: signatures that describe the pattern
of known threats, comparison of observed events against a baseline of normal activity
to find deviations (anomaly-based detection), and comparison of observed protocol
activity against profiles of benign protocol behaviour (stateful protocol analysis).
Current IDPS software includes systems such as Snort and ModSecurity (a web
application firewall), whose developers provide the software and documentation
needed to deploy them in a network.
3.2 Limitations of The Existing System
The problems encountered with existing IDPSs include:
i. A mere work-around:
A number of researchers have argued that an IDPS is more or less a workaround for
flaws and weak or missing security mechanisms in an operating system, an application,
and/or a protocol.
ii. False Positives:
An IDPS comes with a bane: false positives. A false positive is an event in which an IDPS
raises a security alarm for harmless traffic. Signatures can be tuned precisely
to reduce such false positives, but finely tuned signatures create a significant performance
bottleneck, which is the next limitation of IDPS. Current anomaly-based algorithms lead
to even higher false-positive rates [Kim04] [Lakhina05].
iii. Performance issues:
Current signature-based IDPSs use regular-expression signatures, which create
a significant performance bottleneck. To reduce false positives, longer and more specific
signatures are required, which further reduces performance. The data throughput of
current IDPSs is limited to a few gigabits per second [Kumar05] [Yu06].
iv. Encryption:
The ultimate threat to the very existence of signature-based IDPSs is the
increasing use of data encryption. Once packet payloads are encrypted, existing
payload signatures become useless for identifying anomalous and harmful traffic
[Tanase02]; only packet headers and flow statistics remain visible to the sensor.
v. New and sophisticated attacks:
Commercial IDPSs which are signature-based are unable to detect new attacks whose
signatures have not yet been devised. Anomaly-based IDPSs can detect such attacks, but due to
the limitations of current anomaly detection algorithms, an intelligent attacker can
always develop attacks that remain undetected.
vi. Human intervention:
Almost all IDPSs require constant human supervision, which slows down
detection and the associated actions. Some recent systems [Cisco] can automatically take
pre-programmed actions, but these are limited to well-known attacks.
vii. Evasion of signatures:
A number of researchers have argued that it is not difficult for an attacker to evade a
signature [Varghese06]. Additionally, there has been an increase in polymorphic worms
[Kolesnikov04] [Newsome05] which automatically change their propagation
characteristics, thereby effectively changing their signatures. Such worms also pose a
critical threat to current IDPSs.
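Limitations ii (false positives), iii (the cost of tighter signatures) and vii (evasion) can all be seen on one small set of requests. The following is an added example written for this page, not code from the thesis or from Snort or ModSecurity: a loose and a tuned regular-expression signature for a SQL-injection pattern are run over constructed HTTP request lines, first on the raw text and then after a normalization pass that undoes URL-encoding and inline-comment tricks. The request lines, the signature patterns and the normalization rules are all assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed HTTP request lines: two benign, the rest SQL-injection attempts.
REQUESTS = {
    "benign-search": "GET /search?q=select+a+book+to+read HTTP/1.1",
    "benign-product": "GET /products?id=42 HTTP/1.1",
    "sqli-plain": "GET /products?id=1 UNION SELECT user,pass FROM users HTTP/1.1",
    "sqli-urlencoded": "GET /products?id=1%20%55NION%20%53ELECT%20user,pass%20FROM%20users HTTP/1.1",
    "sqli-comment": "GET /products?id=1/**/UNION/**/SELECT/**/user,pass/**/FROM/**/users HTTP/1.1",
    "sqli-double-encoded": "GET /products?id=1%2520UNION%2520SELECT%2520user,pass%2520FROM%2520users HTTP/1.1",
    "sqli-union-all": "GET /products?id=1 UNION ALL SELECT user,pass FROM users HTTP/1.1",
}

# A loose signature (cheap, but fires on any search for the word "select") and a
# tuned one (fewer false positives, more work per packet, easier to sidestep).
LOOSE = re.compile(r"select", re.IGNORECASE)
TIGHT = re.compile(r"union\s+select", re.IGNORECASE)


def normalize(request, max_rounds=3):
    """Undo the cheap evasions: repeated URL-decoding, inline SQL comments, odd whitespace."""
    text = request
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text)   # /**/ used as a separator
    text = re.sub(r"\s+", " ", text)         # tabs, newlines, runs of spaces
    return text.lower()


def scan(signature, requests=REQUESTS, normalized=False):
    """Return {name: True if the signature fires} for each request."""
    return {
        name: bool(signature.search(normalize(req) if normalized else req))
        for name, req in requests.items()
    }


def false_positives(results):
    return sorted(n for n, hit in results.items() if hit and n.startswith("benign"))


def missed_attacks(results):
    return sorted(n for n, hit in results.items() if not hit and n.startswith("sqli"))


if __name__ == "__main__":
    for label, sig, norm in [("loose/raw", LOOSE, False), ("tight/raw", TIGHT, False),
                             ("tight/normalized", TIGHT, True)]:
        r = scan(sig, normalized=norm)
        print(label, "false positives:", false_positives(r), "missed:", missed_attacks(r))
```

The loose signature fires on the benign search (a false positive) and still misses the URL-encoded attack; the tuned signature removes the false positive but, on raw text, misses four of the five attacks; normalization before matching recovers three of them at the price of decoding every request several times. The "UNION ALL SELECT" variant is still missed, which is the point of limitation v: a signature is a guess about the attacker's spelling, and the attacker gets to choose the spelling.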
3.3 Analysis of The Proposed System
The proposed system will provide an interface for a network administrator to monitor the
devices connected to a company network for the purpose of identifying threats and
detecting anomalies, to enable them to take decisive action to mitigate such
attacks. It will provide an interface that is easily usable and understandable by both
experienced network administrators and laymen, and will provide the needed information on
network traffic. The proposed system should be able to work with existing
infrastructure and should provide most of the details needed by a network
administrator to ensure the security of the enterprise network.
3.4 Features of The Proposed System
The proposed system will have features which will make it easy for a network
administrator to have an overview of all activities going on in his network. These features
include:
i. Ability to work with existing network analysis software such as Wireshark
ii. The proposed system will be able to work with file formats such as .pcap,
.cap, .dum, etc.
iii. The proposed system will be easy to use and easily understood
iv. The proposed system will be able to monitor activity on various network
interfaces such as Wireless Local Area Network (WLAN) available on the
computer.
v. The proposed system will be able to capture data from the various network
adapters for perusal by the network administrator.
3.5 Benefits of The Proposed System
The proposed system has the following benefits:
i. The creation of a software to enable easy monitoring of a network interface
to determine possible anomalies
ii. Easy to use interface.
iii. Low system load
3.6 Framework of The Proposed System
The system is deployed on a computer that serves as the management server,
where the network activities of the enterprise are monitored. The system is built to have a
Graphical User Interface (GUI) where hosts connected to the network can be monitored
and managed. Details about connected devices are collected and displayed on the
monitor. These details include:
- Operating systems
- IP addresses
- Ports
- DNS
- Data packet utilization
- Files transmitted across the network
- Hosts connected to the network, etc.
Fig. 3.6: Framework of the system
3.7 Methods of Data Collection
A thorough investigation of the current system was made in order to obtain detailed facts
about the application area to be re-designed. The investigation also covered the
functional requirements of the present system and whether the
requirements and objectives of the present system are being achieved. In the investigation
proper, several methods of data collection were employed, which include:
i. Interviewing of office representatives: semi-structured interviews were conducted.
In this type of interview, there is a free flow of conversation.
ii. Evaluation/inspection: inspection was carried out on the IDPSs of some
networking firms.
iii. Internet: data was also sourced online.
3.8 System Methodology
System methodology involves the framework that is used to plan, structure and control
the process of developing an intrusion detection and prevention system. Various
frameworks have evolved over the years, along with their strengths and weaknesses. The
methodology used for one system may not necessarily be useful for another system. Each
of the available methodologies is best suited for specific kinds of projects, based on
various organizational, technical, team and project considerations. A system methodology
generally has the following aims:
a) The development of a feasibility study to determine if the project is feasible.
b) Conducting fact-finding measures to ascertain the requirements of the system's
end-users. This involves interviews, visual observations of work on the existing
system, etc.
c) Gauging how the end-users would operate the system (in terms of general
experience in using computers).
d) Determining what the system would be used for, etc.
3.8.1 Waterfall Methodology
This is a sequential design process used in software development in which
progress is seen as flowing steadily downwards (like a waterfall) through the stages of
conception, initiation, analysis, design, construction, testing and maintenance. The
waterfall model proceeds from one completed phase to the next in a sequential manner;
the outcome of one phase acts as the input for the next.
Fig. 3.8.1: Waterfall model of system analysis
3.8.2 Feasibility Study
A feasibility study was carried out for the proposed system. Most interviewed individuals
bought into the idea of the proposed system because it offers a solution to the problems
with the existing system.
Technical Feasibility:
The available and existing technology is able to implement and develop
the proposed system, with upgrades of previously released technologies.
Operational Feasibility:
Whoever is to use this system should possess the know-how for using computer
programs effectively.
Economic Feasibility:
The costs and benefits associated with the proposed system were compared, and the
project is economically feasible. The level of financial commitment required is also
considered feasible.
3.9 Possible Capabilities of Future IDPS Systems
IDPS of the future will be able to perform these functions amongst others:
a) IDPSs monitor the Internet to detect possible attacks:
By performing the ongoing task of monitoring the Internet to detect possible attacks,
intrusion detection systems allow security personnel to accomplish other essential
security functions. [Weins14]
b) IDPSs help organizations to develop and implement an effective security policy:
They help to enforce the security policy by detecting prohibited traffic and/or activities,
and they play an active role in the identification of incidents for which the security policy
outlines specific responses. [Weins14]
c) IDPSs allow non-technical project members to perform comprehensive security
management:
Intrusion detection systems allow security features to be performed by personnel with
low or moderate security management experience [Weins14]
d) IDPSs use file integrity assessment tools:
These tools utilize strong cryptographic checksums to detect unauthorized changes in the
files and, in the case of a tampering problem, quickly ascertain the extent of damage
[Weins14]
e) IDPSs trace user activity from the point of entry to the point of exit or impact:
IDPSs enhance the protection provided by perimeter protections, such as firewalls. Expert
attackers can often penetrate firewalls. Therefore, the ability to correlate observed activity
with a particular user will improve security within the boundaries of a network.
[Weins14]
f) IDPSs make sense of complex system information sources:
IDPSs allow administrators and managers to tune, organize, and comprehend information
from operating system audit trails and logs, often revealing problems before loss occurs.
[Weins14]
g) IDPSs lend a greater degree of integrity to the rest of the security infrastructure:
Because they monitor the operation of firewalls, encrypting routers, key
management servers and files that are critical to other security mechanisms, intrusion
detection systems provide additional layers of protection to a secured system. [Weins14]
h) IDPSs can also help network managers to be aware of suspicious activity:
For instance, all SNMP devices should send "Authentication Failure" traps and
management consoles should alert administrators when these go off. [Weins14]
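Item d) above, file integrity assessment with cryptographic checksums, is the one capability in this list that is small enough to show in full. The following is an added example written for this page, not code from the thesis or from any IDPS product: it records a SHA-256 per file under a directory, signs the baseline with an HMAC so that an intruder who alters files cannot also quietly rewrite the baseline, and on verification reports exactly which files were modified, added or removed (the "extent of damage" the text mentions). The directory tree, the file contents and the signing key are constructed for the demonstration; a real deployment would keep the key and the signed baseline off the monitored host.

```python
import hashlib
import hmac
import json
import os
import shutil
import tempfile

# Demonstration key only. In practice it lives on the management server, not on
# the host being checked, otherwise the intruder can re-sign the edited baseline.
DEMO_KEY = b"example-baseline-signing-key"


def hash_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map every regular file under root (relative path, '/' separated) to its SHA-256."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            table[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return table


def sign(table, key=DEMO_KEY):
    """Serialize the baseline and attach an HMAC-SHA256 tag so edits to it are detectable."""
    body = json.dumps(table, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def load(blob, key=DEMO_KEY):
    """Verify the tag before trusting the baseline; refuse a tampered or foreign one."""
    body, _nl, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline has been tampered with or was signed with another key")
    return json.loads(body)


def verify(root, table):
    """Compare the tree against the baseline and report the extent of the change."""
    current = baseline(root)
    return {
        "modified": sorted(p for p in table if p in current and current[p] != table[p]),
        "missing": sorted(p for p in table if p not in current),
        "added": sorted(p for p in current if p not in table),
    }


def demo():
    """Constructed scenario: take a baseline, then act like an intruder on the tree."""
    root = tempfile.mkdtemp()
    try:
        files = {"etc/passwd": b"root:x:0:0\n", "etc/hosts": b"127.0.0.1 localhost\n",
                 "bin/sshd": b"\x7fELF original"}
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        blob = sign(baseline(root))
        # intruder activity: trojaned binary, new backdoor file, deleted file
        with open(os.path.join(root, "bin/sshd"), "wb") as f:
            f.write(b"\x7fELF trojaned")
        with open(os.path.join(root, "etc/backdoor"), "wb") as f:
            f.write(b"evil:x:0:0\n")
        os.remove(os.path.join(root, "etc/hosts"))
        report = verify(root, load(blob))
        # the intruder also tries to edit the stored baseline to hide the binary
        tampered = blob.replace(b'"bin/sshd"', b'"bin/sshX"')
        try:
            load(tampered)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return report, tamper_detected
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The checksum alone tells you that a file changed; the signed baseline is what lets you trust that statement after a compromise, since the first thing a rootkit installer does to a checker like this is to update its database.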
CHAPTER FOUR
SYSTEM DESIGN AND IMPLEMENTATION
4.0 Introduction
This chapter gives a detailed overview of the system design and its implementation, which
consists of software requirements, flowchart diagrams and design interfaces. This chapter
also describes the workability of the new system and the research verification. System
implementation is the method of installing all the necessary software and facilities, with all
directives to be followed in order to achieve the desired goals and objectives of the
designer; it involves the practical methods of putting the theoretical design into
work and putting the new system into operation. The system
requirements are specified at this stage and a programming language is then used to implement
the design or framework of the system.
4.1 System Design
System design consists of logical and physical design. Logical design describes the
structure and characteristics or features of the system. These features include input, output, files,
database and procedures. The physical design, which follows the logical design, is the
actual software or working system, and this gives detailed information on the
framework of hosts connected to the network.
4.2 Objectives of Design
The system is aimed at developing a network forensics program which can be used to
scrutinize traffic passing through an enterprise network to check for irregularities. The
objectives of the design are to produce software that is able to:
- scan a network
- produce an output which can be saved by the network administrator for subsequent
access
- ensure accuracy in handling of data
- produce output which can be exported to other network analysis tools such as
Wireshark
- use input produced from other network analysis tools
- be easy enough to be used by a layman.
4.3 Input Specification and Design
This system takes several inputs from a user: capture files, including *.pcap,
*.cap, *.dum, *.log or *.nmine, which can be loaded into the system from the "Open"
menu. These files contain the information and data required by the
application for its functioning.
Another source of input is data captured live from network devices, including WiFi
adapters and Bluetooth devices.
4.3.1 Input From The “Open” Menu
The Open menu requires the user to open a previously saved file, which could have been
saved from the IDPSsystem software or from another network analysis tool. The file
formats which can be opened by the software include .pcap, .cap, .dum, .log and .nmine.
The input can be fed into the software by these steps:
- Click the File menu
- Click Open
- Browse to the location of the saved file
- Click on the file and click Open.
The software will then display the contents of the file.
Fig 4.3.1: Input from the "Open" Menu
4.3.2 Input From Network Adapters
Input can also be obtained from network adapters. This is meant to be the major source of
input because the system was designed to be used for network monitoring. The network
adapters used depend on the configuration of the computer and on the available
hardware. The software reads the network configuration from the Windows Device Manager
and brings up a list of available network adapters. The adapters usable by the
software are the WiFi adapter and most other network adapters. The user selects the
adapter from the "select a network adapter in the list" dropdown list as shown in the
diagram below:
Fig 4.3.2: Input from Network Adapters
4.4 Output Specification and Design
The output display is designed to generate results from the data obtained from loaded files
or from the data captured from wireless networks. The output can be viewed on the
screen. The output is placed on a grid on the Graphical User Interface (GUI), and different
tabs can be clicked to display different information captured from the network. The
functions of the various tabs are covered in the "Analyzing Data on IDPSsystem
Software" section of this project. The menu designs are shown below:
Fig 4.4: Menu Design
Menu layout (Fig 4.4): File (Open, Exit); Tools (Start Capturing, Stop Capturing, Delete Captured Data); Help (About IDPSsystem).
4.5 System Testing
Testing is the process of exercising the newly developed system to ensure that the hardware and
the operating software are properly installed and configured and that other system
parameters are properly established.
The system's feasibility was demonstrated and some initial experiments were performed on the
prototype system developed to assess the majority of the features mentioned in this work.
The developed system is subjected to various forms of testing to check whether it satisfies
the stated requirements. Some of these tests include:
Acceptance Testing: The system is checked to determine if it is able to execute
its requirements. Here, the software is integrated to the overall product and is
tested.
Volume Testing: The system is tested to determine if it works on the intended
platform and with the expected data volume.
4.6 System Implementation
System implementation is the process of defining the user requirements and designing a
system to meet them.
To test-run the implemented system:
- Install WinPcap. WinPcap stands for Windows Packet Capture. It is the software
framework which installs the libraries needed by the Windows operating system to
capture data packets from a network. This software can be downloaded from
http://winpcap.org/install
- Open Visual Studio 2013 and load the project.
- Save all unsaved changes made to the code.
- Click on the Start button. Visual Studio will compile the source code and run the
program. It usually stores the compiled program and program files in a subfolder
of the folder from which the program was compiled. In our case, the compiled
program was saved in IDPSsystem/bin/debug/IDPSsystem.exe
- Select the network interface from which data is to be captured. By default, the
Hosts tab is selected. You can sort hosts by IP address, MAC address, hostname,
operating system, number of data connections, number of sent and received
packets, number of sent and received bytes, number of open TCP ports or router
hop distance.
- Press the Start button to begin the sniffing process.
4.6.1 Front End (.NET)
The front-end for the software was developed on the .NET Framework, which was
implemented using Mono. Mono is an open-source, cross-platform implementation of the
.NET Framework (it is not an IDE and was not developed by Microsoft); it provides a
compatible runtime and set of tools for running .NET applications on Windows and other
operating systems. The .NET Framework itself is a software framework developed by
Microsoft. It includes a large class library and can easily use code written in other .NET
languages. The system developed for this project made use of .NET because the framework
provides good support for user interfaces, data access, numeric algorithms and network
communications.
4.6.2 Back End (C#)
The back-end for the software was developed using C#, with Visual Studio and Notepad++ as
editors. C# is a simple, modern, general-purpose, object-oriented programming language.
Visual Studio is an Integrated Development Environment (IDE) from Microsoft. It is used to
develop computer programs for the Windows operating system. It includes a form designer
for building the Graphical User Interface of programs, a web designer, a class designer and
a database schema designer. Notepad++ is an advanced text editor which can be used to edit
code in almost all programming languages, including C, C#, C++, PHP, HTML, Java, Fortran, etc.
It cannot be referred to as an Integrated Development Environment because it does not
enable the developer to debug or run the program.
4.6.3 Analyzing Data on The System
The Hosts tab shows a list of hosts connected to the network. You can expand any
host to see detailed information such as its MAC address, hostname, operating
system, TTL, open ports, packets sent and received, etc. A good network administrator
always has an overview of what data is being transmitted to and from the network.
The list of hosts gives a better idea of what type of network traffic is in
use. If you find a suspicious host, you can block it at the firewall.
The firewall should be the one through which all network traffic passes before
reaching its destination; if you block the host on your own system's firewall, it will only
be blocked for your system. If a network administrator wants to track down who or
what is hogging network traffic, they click on the Hosts tab, and then click "Hostname"
in the "Sort Hosts on" dropdown box. This sorts the hosts so that they can find all
the hosts that are on the enterprise network, then pick out the ones on the same
subnet as the enterprise network. A host can be expanded to see its data transfers, and for
more information to help identify the device, the "Host Details"
branch can be expanded.
The Frames tab shows the direct connections between hosts. It helps to identify
which device on the network is connected to a remote host with high bandwidth
consumption.
The Images and Files tabs show the images and files flowing across the network.
The Credentials tab shows credentials such as usernames and unencrypted
passwords transmitted across the network. This can be used to gain more
information about the person illegally accessing files on the network. The same
capability means that capture files produced by the system hold live credentials and
must themselves be stored and handled as sensitive data.
The Sessions tab shows the current connection session of each host connected
to the enterprise network.
The DNS tab shows the DNS lookups captured on the network, which translate
hostnames into IP addresses, and uses Alexa.com domain data to annotate the domains seen.
The Keywords tab enables the network administrator to search for text or
hexadecimal strings.
The Cleartext tab shows a list of all English words transmitted across the network.
The Anomalies tab shows all uncommon occurrences on the network.
The Parameters tab shows the parameter values.
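The two main inputs of the system (capture files from the "Open" menu in section 4.3, and live frames from an adapter) end up in the same place: a per-host table like the Hosts tab, plus the cleartext secrets the Credentials tab lists. The following is an added example written for this page, not code from the thesis or from the IDPSsystem software: it builds a small classic-format .pcap in memory from constructed Ethernet/IPv4/TCP frames (the addresses, ports and HTTP request are invented, and the IP/TCP checksums are left at zero since the parser does not validate them), parses the file with only the standard library, and produces the host summary. Open ports are inferred the way a passive sniffer has to infer them, from SYN-ACK replies rather than from the probes.

```python
import base64
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
SYN, ACK = 0x02, 0x10


# --- constructed capture -------------------------------------------------------
def _tcp_frame(src_ip, dst_ip, sport, dport, flags, ttl, payload=b""):
    """Ethernet/IPv4/TCP bytes. IP and TCP checksums are left as zero: the parser
    below does not validate them, which is enough for a file-format example."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def _pcap(frames):
    """Classic libpcap container: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
    return out


BASIC = b"Authorization: Basic " + base64.b64encode(b"alice:hunter2")
SAMPLE_PCAP = _pcap([
    _tcp_frame("10.0.0.5", "10.0.0.80", 51234, 80, SYN, 128),
    _tcp_frame("10.0.0.80", "10.0.0.5", 80, 51234, SYN | ACK, 64),      # port 80 answered
    _tcp_frame("10.0.0.5", "10.0.0.80", 51234, 80, ACK, 128,
               b"GET /admin HTTP/1.1\r\nHost: intranet\r\n" + BASIC + b"\r\n\r\n"),
    _tcp_frame("10.0.0.5", "10.0.0.80", 51235, 22, SYN, 128),
    _tcp_frame("10.0.0.80", "10.0.0.5", 22, 51235, SYN | ACK, 64),      # port 22 answered
    _tcp_frame("10.0.0.5", "10.0.0.80", 51236, 23, SYN, 128),           # telnet probe, no reply
])


# --- parser --------------------------------------------------------------------
def iter_frames(data):
    """Yield (timestamp, frame) from a classic pcap blob in either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def decode_tcp(frame):
    """(src, dst, ttl, sport, dport, flags, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total = struct.unpack("!H", frame[16:18])[0]
    src, dst, ttl = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), frame[22]
    tcp = frame[14 + ihl:14 + total]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, ttl, sport, dport, tcp[13], tcp[(tcp[12] >> 4) * 4:]


def host_table(pcap_bytes):
    """Per-host summary of the kind a Hosts tab displays, plus any HTTP Basic
    credentials seen in cleartext (what a Credentials tab would list)."""
    new = lambda: {"packets_sent": 0, "packets_recv": 0, "bytes_sent": 0, "bytes_recv": 0,
                   "ttl": None, "open_ports": set(), "credentials": []}
    hosts = defaultdict(new)
    for _ts, frame in iter_frames(pcap_bytes):
        d = decode_tcp(frame)
        if d is None:
            continue
        src, dst, ttl, sport, dport, flags, payload = d
        hosts[src]["packets_sent"] += 1
        hosts[src]["bytes_sent"] += len(frame)
        hosts[dst]["packets_recv"] += 1
        hosts[dst]["bytes_recv"] += len(frame)
        hosts[src]["ttl"] = ttl                      # 64 vs 128 is a coarse OS hint
        if flags & (SYN | ACK) == SYN | ACK:          # a SYN-ACK proves the port is open
            hosts[src]["open_ports"].add(sport)
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"authorization: basic "):
                creds = base64.b64decode(line.split(b" ", 2)[2]).decode(errors="replace")
                hosts[src]["credentials"].append((dst, dport, creds))
    return dict(hosts)


if __name__ == "__main__":
    for ip, info in host_table(SAMPLE_PCAP).items():
        print(ip, info)
```

Port 23 does not appear as open on 10.0.0.80 because nothing answered the probe, and the Basic-auth credential is attributed to the client that sent it, which is the view an administrator needs when deciding which host to block at the perimeter firewall.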
Fig 4.6.1(a): Sample Output in the Frames Tab of the System
Fig 4.6.1(b): Sample Output From the Hosts Tab of IDPSsystem Software
4.7 System Requirements
The minimum hardware requirements for effective and efficient operation of the new
system are:
- Pentium IV processor
- 1GB RAM
- Supported WiFi adapter
- LaserJet or DeskJet printer
- A colour monitor.
The software requirements include:
- Windows XP or higher operating system
- WinPcap software
- Properly installed drivers for network adapters
- Administrator user account
4.8 Choice of Programming Language
The new system is implemented using the C# programming language and .NET. This is
because the language has the advantages of easy development and flexibility, communicates
easily with the computer hardware and the Windows operating system, provides the
programmer with hints (code completion) and enables the programmer to produce a graphical
user interface.
4.8.1 Tools Used
The hardware tools used to achieve this project include a computer system, printer,
modem and scanner.
The software tools used to achieve this project include Microsoft Visual Studio 2013,
Notepad ++, WinPcap, Microsoft Paint and Adobe Photoshop, Microsoft Word.
CHAPTER FIVE
SUMMARY AND CONCLUSION
5.1 Review of Achievement
In this project, we described the design, architecture and security capabilities of a number
of different IDPSs and the various configurations in which they are employed in a
network. Specifically we focused on four important classes of IDPS: network-based, host-
based, wireless and network behavior analysis systems. We also discussed their detection
methodologies, namely signature-based and anomaly-based detection. We
investigated their benefits and drawbacks, and discussed a number of attacks and
vulnerabilities that they can combat. Finally we discussed future trends in this space,
where we argued that a more distributed version of IDPS is on the horizon and that
IDPS mechanisms need to be standardized.
This project addresses the problems faced every day by network administrators in a
rapidly developing world where existing and emerging threats endanger the network
infrastructure and data of enterprises.
5.2 Areas of Application of The Work
The contents of this thesis can be applied in the development of a concise security system
for a company’s network to prevent intrusion and the resultant data loss, breach of trust
and possible loss of customer base. It is expected that after going through this report, even
a layman will be able to understand the basics of Intrusion Detection and Prevention,
which is why the author tried to use basic language and provided a definitions for more
advanced terminologies. This thesis can also provide network administrators with
information on the type of IDPS that would suit an organization’s needs.
5.3 Areas of Further Work / Research
Further research is needed on reducing false positives, a situation in which an IDPS
raises a security alert for harmless traffic.
More research will also need to be carried out on the effects of data encryption on IDPSs,
since this is the ultimate threat to the very existence of signature-based IDPS: once packet
payloads are encrypted, existing payload signatures become useless for identifying
harmful traffic [Tanase02].
Full automation of IDPSs should also be researched to reduce human error.
Some recent systems can automatically take pre-programmed actions, but these are
limited to well-known attacks.
Polymorphic worms, which automatically change their propagation characteristics
and thereby effectively change their signatures, pose a threat to current IDPSs
[Kolesnikov04] [Newsome05]. Further research will also need to be carried out
on them to determine how to mitigate their effects.
5.4 Recommendation
Currently in Nigeria, IDPSs are only implemented in the networks of large
organizations such as banks and other organizations where security is a top priority. This
should not be the case. The software has the scope to be developed as a distributed
application where each deployment of the software in an organization can be
connected to and communicate with the others. In such a scenario, a system deployed in
First Bank of Nigeria, Owerri branch will be able to communicate with another
deployment at another branch of the bank to share information. Such upgraded systems
will be able to store data in a centralized database, thereby increasing their capability; the
links between deployments would themselves need to be authenticated and encrypted, since
the shared data includes host inventories and captured credentials.
5.5 Conclusion
At the end of this project, we were able to elaborate on Intrusion Detection and Prevention
Systems. We looked at the possible sources of network intrusions and at the various types
of IDPS, including their capabilities, their components and their architecture. We
analyzed existing IDPS and also looked at the factors limiting their usage. A system was
proposed and designed to correct the deficiencies of the existing system, and the new
system was successfully tested and worked perfectly in monitoring the network.
References
WEBSITES
CGI Security: http://www.irt.org
Full-duplex/half-duplex: http://www.webopedia.com/TERM/F/full_duplex.html (accessed 31/8/2014)
ICMP: http://en.wikipedia.org/wiki/User_Datagram_Protocol
VLAN (Virtual LAN): http://www.techopedia.com/definition/4804/virtual-local-area-network-vlan
Realistic expectations for future IDPS systems: www.symantec.com/connect/articles/realisic-expectations-intrusion-detection-systems (accessed 23/10/2014)
[Thisdaylive14]: thisdaylive.com/articles/deji-government-should-invest-in-cyber-security-enlightenment/164857
Books
1. [Northcutt00] S. Northcutt and J. Novak, "Network Intrusion Detection: An Analyst's Handbook," 2nd ed., New Riders Publishing, Berkeley, 2000.
2. [Scarfone07] K. Scarfone and P. Mell, "Guide to Intrusion Detection and Prevention Systems (IDPS)," NIST Special Publication 800-94, February 2007.
3. [Ilgun] K. Ilgun, R. A. Kemmerer and P. A. Porras, "State Transition Analysis: A Rule-Based Intrusion Detection Approach," IEEE Transactions on Software Engineering, Vol. 21, No. 3, March 1995, pp. 181-199. doi:10.1109/32.372146
4. M. Crosbie and E. Spafford, "Applying Genetic Programming to Intrusion Detection," GECCO '96: Proceedings of the First Annual Conference on Genetic Programming, 1996.
5. El-Semary, J. Edmonds, J. Gonzalez and M. Papa, "A Framework for Hybrid Fuzzy Logic Intrusion Detection Systems," 14th IEEE International Conference on Fuzzy Systems, May 2005, pp. 325-330. doi:10.1109/FUZZY.2005.1452414
6. [Bace01] R. Bace and P. Mell, "Intrusion Detection Systems," 2001. http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf
7. [Kephart] J. O. Kephart, et al., "Blueprint for a Computer Immune System"; Lunt, "A Survey of Intrusion Detection Techniques," 1993.
8. R. Wiens, "Realistic Expectations for Intrusion Detection Systems." www.symantec.com/connect/articles/realisic-expectations-intrusion-detection-systems (accessed 23/10/2014)
9. [Lakhina05] A. Lakhina, et al., "Mining Anomalies Using Traffic Feature Distributions," Proc. ACM SIGCOMM, 2005. www.sigcomm.org/sigcomm2005/paper-LakCro.pdf
10. [Estan03] C. Estan, S. Savage and G. Varghese, "Automatically Inferring Patterns of Resource Consumption in Network Traffic," Proc. ACM SIGCOMM, Karlsruhe, August 2003. www.sigcomm.org/sigcomm2003/papers/p137-estan.pdf
11. [OSHIDS07] Open Source Host-based Intrusion Detection System, 2007. http://www.ossec.net/
12. [Tanase02] M. Tanase, "The Future of IDS," 2002. http://www.securityfocus.com/infocus/1518
13. [Yu05] F. Yu, et al., "Fast and Memory-Efficient Regular Expression Matching for Deep Packet Inspection," UCB Technical Report EECS-2005-8. www.eecs.berkeley.edu/Pubs/TechRpts/2006/EECS-2006-76.pdf
14. [Cisco] Cisco IOS IPS Deployment Guide. www.cisco.com
15. [Varghese06] G. Varghese, A. Fingerhut and F. Bonomi, "Detecting Evasion Attacks at High Speeds without Reassembly," Proc. ACM SIGCOMM, 2006. portal.acm.org/citation.cfm?id=1159951
16. [Kolesnikov04] O. Kolesnikov and W. Lee, "Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic," 2004. citeseer.ist.psu.edu/678163.html
17. [Newsome05] J. Newsome, B. Karp and D. Song, "Polygraph: Automatically Generating Signatures for Polymorphic Worms," Proc. IEEE Security and Privacy, 2005. www.cs.berkeley.edu/~dawnsong/papers/polygraph.pdf
18. [Sailesh07] S. Kumar, "Survey of Current Intrusion Detection Techniques," 2007. www.cse.wustl.edu/~jain/cse571-07/ftp/ids
Appendix A: Sample Result Output
Appendix B: Sample Source Code
namespace IDPSsystem {
    // Designer half of the LoadingProcess form (the progress window shown while
    // a PCAP file is read). The event handler LoadingProcess_FormClosing that
    // is wired up below lives in the other half of this partial class.
    partial class LoadingProcess {
        /// <summary>
        /// Required designer variable.
        /// </summary>
        private System.ComponentModel.IContainer components = null;

        /// <summary>
        /// Clean up any resources being used.
        /// </summary>
        /// <param name="disposing">true if managed resources should be disposed; otherwise, false.</param>
        protected override void Dispose(bool disposing) {
            if (disposing && (components != null)) {
                components.Dispose();
            }
            base.Dispose(disposing);
        }

        #region Windows Form Designer generated code

        private void InitializeComponent() {
            System.ComponentModel.ComponentResourceManager resources =
                new System.ComponentModel.ComponentResourceManager(typeof(LoadingProcess));
            this.progressBar1 = new System.Windows.Forms.ProgressBar();
            this.percentLabel = new System.Windows.Forms.Label();
            this.textLabel = new System.Windows.Forms.Label();
            this.SuspendLayout();
            //
            // progressBar1
            //
            this.progressBar1.Cursor = System.Windows.Forms.Cursors.Default;
            this.progressBar1.ForeColor = System.Drawing.Color.Purple;
            this.progressBar1.Location = new System.Drawing.Point(12, 25);
            this.progressBar1.Name = "progressBar1";
            this.progressBar1.Size = new System.Drawing.Size(249, 22);
            this.progressBar1.Step = 1;
            this.progressBar1.Style = System.Windows.Forms.ProgressBarStyle.Continuous;
            this.progressBar1.TabIndex = 0;
            //
            // percentLabel
            //
            this.percentLabel.AutoSize = true;
            this.percentLabel.Location = new System.Drawing.Point(267, 30);
            this.percentLabel.Name = "percentLabel";
            this.percentLabel.Size = new System.Drawing.Size(36, 13);
            this.percentLabel.TabIndex = 2;
            this.percentLabel.Text = "100 %";
            //
            // textLabel
            //
            this.textLabel.AutoSize = true;
            this.textLabel.Location = new System.Drawing.Point(12, 9);
            this.textLabel.Name = "textLabel";
            this.textLabel.Size = new System.Drawing.Size(102, 13);
            this.textLabel.TabIndex = 3;
            this.textLabel.Text = "Loading [something]";
            //
            // LoadingProcess
            //
            this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 13F);
            this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;
            this.ClientSize = new System.Drawing.Size(302, 59);
            this.Controls.Add(this.textLabel);
            this.Controls.Add(this.percentLabel);
            this.Controls.Add(this.progressBar1);
            this.FormBorderStyle = System.Windows.Forms.FormBorderStyle.FixedToolWindow;
            this.Icon = ((System.Drawing.Icon)(resources.GetObject("$this.Icon")));
            this.MaximizeBox = false;
            this.MinimizeBox = false;
            this.Name = "LoadingProcess";
            this.Opacity = 0.75D;
            this.SizeGripStyle = System.Windows.Forms.SizeGripStyle.Hide;
            this.StartPosition = System.Windows.Forms.FormStartPosition.CenterParent;
            this.Text = "Loading PCAP file";
            this.TopMost = true;
            this.FormClosing +=
                new System.Windows.Forms.FormClosingEventHandler(this.LoadingProcess_FormClosing);
            this.ResumeLayout(false);
            this.PerformLayout();
        }

        #endregion

        private System.Windows.Forms.ProgressBar progressBar1;
        private System.Windows.Forms.Label percentLabel;
        private System.Windows.Forms.Label textLabel;
    }
}