Intrusion Detection Methods and Resolutions James Logan jlogan
advertisement
Intrusion Detection Methods and Resolutions James Logan jlogan@uccs.edu Abstract—This document provides The network setup rests on the information in regards to network shoulders of the network administrators. intrusion detection techniques and It is their responsibility to ensure that the resolutions. It is recommended that network is secure. Normally, the the reader have a familiarity with following actions are taken when basic network technology and installing and maintaining a network: architectures. - Install the system I. INTRODUCTION The responsibility of the a - Configure the system - Constantly check the configuration network system’s architecture, hardware, - Set correct permissions software, security and the integrity of - Bring the system online and monitor those components falls in the hands of any user or process that may be running the system’s administrator or network - Protect the system from unauthorized operator. In terms of security it and malicious users necessary to protect these systems from - Check data integrity intrusions. An intrusion is defined as - Repair the system if broken actions that attempt to compromise the integrity, confidentiality, or availability The system administrator should also of a particular resource [1]. In the consider using the Least Privilege following sections of this paper, the Principle. This idea dictates that a user focus will be on the techniques and or program should only operate using the resolutions for network intrusion minimum set of privileges needed to detection. perform their/its job. In addition, it is necessary for the administrators to be II. THE SYSTEM ADMINISTRATOR informed about security bugs and issues and hope they can be discovered and Cons: resolved quickly. - Compromise between security and III. THE FIREWALL The fire wall is seen as the first usability due to too much control or blocking line of defense when it comes to - Is unable to prevent insider attacks intrusion detection. It controls - Could be a source of a bug or exploit if connections and traffic leaving and installed on a server coming in to a network. However it - If a port is not under the control of the does have a downside. The first issue is firewall, it can be used to hack the that it can cause a substantial increase to system. the load of the system which can cause a decrease in performance and efficiency. IV. INTRUSION DETECTION However, this would not be a problem if SYSTEM the network device was only a firewall. The implementation of an The second reason is that no program is intrusion detection system (IDS) can be perfect. Eventually an attacker can find considered a defense in depth approach some kind flaw in the program and to securing a network when a firewall exploit it. Overall the firewall does have has been already established. The its pros and cons which are: addition of an IDS adds security to a network where the firewall cannot. This Pros: includes protection from internal attacks and network channels that are not - Can filter connections before they are established monitored by the firewall. An IDS implementation has a - Can log, filter, redirect, discard, and simple technique basis that it uses when reject packets based on rule set. it comes to controlling a system’s - Can be modified in real time to adapt security and reliability when working to different situations even if it has to be with a firewall: done manually. - Prevent Intrusions – System policies should not be too restrictive nor should they cause an overload to the system. If will block the traffic, thereby effectively the firewall is bypassed or a flaw allows rendering the alarm a false one [2]. an attacker to exploit and penetrate the Internal Deployments are firewall the IDS will act as the back up designed such that all links are to the firewall. monitored within the network which in - Detect the Intruder – An IDS needs to return adds additional security. The be to trace the movements, actions, and IDSs are placed at switching nodes in the source IP of the intruder. the local network and near the access - Response to Intrusions – An IDS routers at the network boundaries. The needs to be able to respond to intrusions advantage of this setup is that it will by either blocking rogue traffic or reduce the false alarms posed by Early automatically or notifying an Warning Mode setup since it does not administrator to handle the issue [1]. have to monitor the traffic blocked by With these three basic concepts comes the firewalls. However the major three basic network architectures when drawback is that multiple instances of a configuring and IDS system which are IDS will require a greater effort in Early Warning Mode, Internal regards to maintenance. The Internal Deployments, and Every Host. Deployments of IDSs are popular in Early Warning Mode applies an ecommerce back end networks that IDS to the outside perimeter of the consist of web, mail, storage, and network firewall. The major benefit of database servers because it adds this approach is that the IDS is able to increased security to the local network. see all network traffic on the high speed In addition, it has the ability to keep an links. In addition, management, infected server to infect other servers on signature updates, and configuration are the network [2]. much easier for the network The final basic IDS configuration administrator. However, the major is the Every Host configuration. This drawback to this setup is that it cannot setup basically states that every host on detect internal attacks within the the network will have IDS software firewall. It is also possible that the IDS and/or hardware running on the machine. will raise an alarm while the firewall However, there more drawbacks than there are benefits. The only key benefit matching or pattern matching with is that that IDS is not integrated into the regular expressions to determine the operating system and that it can be payloads content. The algorithm for the remotely managed from a central IP packet header parsing is based on the location. In contrast, the first drawback concept of Deterministic Finite is that management of the IDS systems Automaton (DFA) or Ternary Content especially on a large network can be Addressable Memories (TCAM) [2] complex. It is also possible that the host where as the payload parsing requires itself will be unaware of network traffic more over head due to the fact that the going through other links which could every byte in the payload must be lead to Distributed Denial if Service examined and compared to a string or attacks. Another disadvantage is the regex matching rule. extensive use of access gateways that One of the earliest algorithms for dynamically assign IPs to local hosts. IDS is the Aho-Corasick algorithm. It is The limited scope of the IP addresses, designed to be an efficient algorithm that sometimes can make it difficult for the can perform multiple string matches in a host based IDS to effectively trace the time linear to the size of the input. The route of the packet which affects its algorithm has two basic detection mechanism and capability [2]. implementations. The first type is the Deterministic Finite Automaton (DFA) V. SIGNATURE BASED IDS Packets inbound or circulating which is straight forward. A set of comparison strings is used to create a around a network are normally scanned state machine by which a character by against a database of known malicious character evaluation is performed against signatures contained by the IDS. The a packet’s content. The Non- signatures contain information that is Deterministic Finite Automaton (NFA) compared to a packet header and its implementation of the algorithm has a content. For the packet’s header, the similar premise but has a little more IDS inspects the source and destination flexibility since it allows character IPs as well as the ports. With the comparisons to be done in multiple packet’s content, an IDS will do string stages. The idea is that on a failure to transition to the next state a link is added minimal impact to resources on the to the current node to a failure point on network. The hardware devices used another path based on the longest prefix would have two major characteristics: of the node. This adds an additional - limited amounts of on chip storage amount of freedom in how the string is require that an NFA be used to keep the processed. number of transition status used to a The second type of Signature minimum. Bases IDS is the regular expression. - the hardware would exploit a high Regular expressions seem to be the degree of parallelism by encoding preferred method when it comes to automata in the parallel logic resources examining a packet’s content. This is [2]. because regular expressions are more efficient and offer more flexibility than other exact string matching algorithms. VI. ANOMALY BASED IDS As a contrast to signature based The increase in flexibility comes from a IDS methods, Anomaly Based IDS high degree of expressiveness achieved methods focus on pattern recognition, by using character classes, union, deviations in network traffic analysis, operational elements, and closures [2]. and machine learning. With this notion, The efficiency increase comes from the comes three basic concepts: effective schemes to perform string - Statistically Based Detection matching [2]. However there is a - Machine Learning performance issue when using the - Data Mining Algorithms. regular expressions on a network IDS. Statistically anomaly based The regular expressions use tremendous detection focuses on deviations in amounts memory and can drastically network traffic based in terms of volume slow down network with all of string of number of bytes, packets, IP matching operations be executed addresses, and ports. This type of simultaneously. Therefore individuals mechanism is useful to detect significant have proposed specialized hardware to network traffic changes. One of the key implement automata algorithms to features of the statistically based enable high parse rates while keeping a detection is that it can be easily augmented to a signature based detection everyday operational uses. The system. However, its major drawback is characteristics are forms of benefits, that it can produce many false positives. limitations, and exploitations. Machine learning is based on an IDS benefits consist of being application automatically learning able to measure and analyze abnormal through input and feedback from the traffic patterns such as high volume network. One of the key factors is that flows, load imbalances, and changes in the algorithms used are focused on demands of certain ports being used. improving the reductions in false Other benefits include detection of positives and increasing performance in known worms, viruses, and security network traffic analysis. One of the holes. In addition advanced IDSs can most used methods in the Bayesian use pattern recognition as a means to network model. It is a graphical model detect security threats or false positives that assigns a probabilistic relationship before they occur. Overall, one of the between variable of interests. most important benefit of IDSs is their The third basic anomaly based IDS is Data Mining. The Data Mining algorithms take input which is either real ability to enforce security policies in a network. However, IDSs do have time or archived and performs analysis limitations. It has been argued that IDSs on the data set. The analysis usually are just mere workarounds for security consists of patter matching and deviation flaws and weak or missing security detect of network traffic. One of the mechanisms [2]. IDSs tend to also benefits of this approach is that it can create false positives depending on construct profiles of normal and which kind of basic network architecture anomaly based traffic patterns. is being implemented. There are also performance issues in regards to regex VII. KNOWN BENEFITS, LIMITATIONS, AND COMPUTER VULNERABILITIES IDS systems overall have their own characteristics when it comes to mechanisms that examine a packet’s content. They can create bottlenecks in the system and decrease throughput. Another limitation that IDSs have is with packets whose content is encrypted. The IDSs’ signatures more or less become these issues if properly implemented. useless and the system does not know However, there is a drawback. An IDS how to handle the packet. In addition, would have to be aware of what types there is evidence that attackers can programs are running on computers all manipulate attacks in such way by the time. This would create a bottle varying the frequency that packets are neck in the system which decrease sent so that the IDS can not match throughput of network traffic. against a probability or statistical model. Finally, IDSs do have the ability to apply preventative maintenance to VIII. SNORT SNORT is an open source IDS systems on a network that have that was developed by Martin Roesch vulnerabilities . One of them is buffer 1998. Over there years through overflow. Another is the Input community involvement, SNORT has Validation Error. This is where the evolved into an enterprise like IDS. It Computer does not check the packets has the ability to perform real time content for correctness or integrity traffic analysis and packet logging on IP which can lead to an unauthorized access networks. In addition, it can perform to system. There is also the Boundary protocol analysis, content Condition Error which is similar to a matching/searching, and can be used to Input Validation Error whereby the detect attacks and probes such as stealth system crosses over a security boundary port scans and CGI attacks [4]. which results in a system crash. Some SNORT uses a high performance examples are divisions by zero and multi-rule inspection engine for malformed SQL statements. The other detecting rule matches during packet major concern is the Access Control processing. The inspection of the Vulnerability. The access control packets in performed in three stages: implemented by the computer may be - Rule optimization to produce rule sets faulty which could lead to unauthorized for inspection access by users and access to remote - Set based inspection algorithms that machines in other domains. A well perform high speed multi-pattern content equipped IDS has the ability to deal with searches - Parameterized inspection techniques Overall an IDS can improve the which allow for complicated parameter security of a network. However the inspections [3] network administrator must realize that The preferred pattern matching there is a potential cost for having an algorithm that SNORT uses is the Wu- IDS. The greatest potential cost is Manber. The algorithm uses less performance vs security. The tradeoff memory than the Aho-Corasick but lacks will dictate how secure or fast the a little bit in performance by network is (improved security for lower comparison. It uses a hashing to create performance and vice versa). In sub-groups of rules, and set based Bad addition, the network administrator must Word Shifts to accelerate the search by take into account the type of network providing a byte skipping feature [3]. In architecture to be used in order to obtain addition the Bad Word Shift feature can the capability of an IDS. On that note, improve the algorithms performance an IDS is not perfect. They are complex when rule sets have a larger minimum systems that use sophisticated algorithms pattern size [3]. In general, when to determine security risks to a network. choosing the pattern matching algorithm They can create false positives and be the developers took into account the totally useless when it comes to following issues: encrypted traffic depending on the - Intrinsic Algorithmic Performance algorithm used. However, IDSs can Characteristics (Performance is rule always be updated with new profiles and driven or data driven) performance features that give an extra - CPU Architecture Performance edge when dealing with a network’s (Memory access costs, cache miss costs, security. relative shift/add/compare/jump operation costs) - Compiler and Optimizations Used - Application Memory Requirements and Platform Limits [3]. IX. CONCLUSION REFERENCES [1] Stefano Marinelli, Analysis of Intrusion Detection Tools and Tecjniques, December 12, 2002, Available: http://dragas.dyndns.org/~draga/articles/ IDS/index.php [2] Sailesh Kumar, Survey of Current Network Intrusion Detection Techniques, Available: http://www.cs.wustl.edu/~jain/cse57107/ftp/ids.pdf [3] Marc Norton and Daniel Roelker, SNORT 2.0 Hi-performance Multi-rule Inspection Engine, April 2004, Available:http://www.cs.ucdavis.edu/~w u/ecs236/sf_snort20_HPMRIE.pdf [4] About SNORT, Available:http://www.snort.org/about_sn ort/
