Chapter 3: Intruder Detection and Intruder Identification
Development of Protocols and Algorithms to Secure Integration of Ad hoc Network and Wired Network
3.1 Introduction
3.1.1 1998 DARPA Intrusion Detection System Evaluation
Heavy reliance on networked computer resources and the increasing
connectivity of these networks has greatly increased the potential damage
that can be caused by attacks launched against computers from remote
sources. These attacks are difficult to prevent with firewalls, security
policies, or other mechanisms because system and application software is
changing at a rapid pace, and this rapid pace often leads to software that
contains unknown weaknesses or bugs. Intrusion detection systems are
designed to detect those attacks that inevitably occur despite security
precautions. Some intrusion detection systems detect attacks in real time
and can be used to stop an attack in progress. Others provide after-the-fact
information about attacks that can be used to repair damage, understand
the attack mechanism, and reduce the possibility of future attacks of the
same type [105].
Many parties are working on the development of intrusion detection
systems, including universities, commercial software companies, and
organizations within the Department of Defence. As these groups explore
different methods and develop various new systems for intrusion detection,
it is clearly advantageous to have a means of evaluating the success of these
systems in detecting attacks. The best environment for testing and
evaluation of an intrusion detection system is the actual environment in
which it will be used. However, research groups often do not have access to
operational networks on which to test their systems, and these systems
(especially while they are still in early development) are tested in a simulated
environment. The ability to perform accurate testing and evaluation in a
simulated environment requires high-quality data that is similar to the
traffic (including attacks) that one finds on operational networks. In general,
this data is difficult to acquire because it contains private information and
reveals potential vulnerabilities of the networks from which the data is
collected. These factors led to DARPA sponsorship of MIT Lincoln
Laboratory’s 1998 intrusion detection evaluation, which created the first
standard corpus for the evaluation of intrusion detection systems.
The 1998 intrusion detection evaluation was the first of an ongoing series of
yearly evaluations conducted by MIT Lincoln Laboratory under DARPA ITO
and Air Force Research Laboratory sponsorship. These evaluations
contribute significantly to the intrusion detection research field by providing
direction for research efforts and calibration of current technical
capabilities. The 1998 evaluation was designed to be simple, to focus on
core technology issues, and to encourage the widest possible participation
by eliminating security and privacy concerns and by providing data types
that are used by the majority of intrusion detection systems. Data for the
first evaluation was made available in the summer of 1998. The evaluation
itself occurred towards the end of the summer. A follow-up meeting for
evaluation participants and other interested parties was held in December
1998 to discuss the results of the evaluation.
3.1.2 The Development of Attacks for the 1998 DARPA Evaluation
This section describes the computer attacks that were included in the 1998
DARPA intrusion detection evaluation. A large sample of actual computer
attacks was needed to accurately test the performance of intrusion detection
systems. These attacks needed to cover the different classes of attack types.
Many of the attacks used in the evaluation were drawn from public sources,
but some novel attacks were developed specifically for use in this evaluation.
In all cases, these attacks had to be adapted to work reliably in the largely
automated simulation network from which the 1998 DARPA evaluation data
were collected. Later sections of this thesis discuss the methods that were
developed to create realistic simulations of computer intrusion scenarios,
and the methods that were developed to vary the degree of attack stealthiness.
People who attack computer networks often have goals beyond simply
gaining access to a system. Some attackers break into computers simply for
the challenge, others are interested in collecting information and some are
motivated by the desire to cause damage. Attackers also vary in their
level of sophistication, and an accurate evaluation of intrusion detection
systems requires testing how well the systems are able to detect attacks from
all types of attackers—from the relative novice who is not aware that an
intrusion detection system is monitoring a network to the sophisticated,
experienced cracker who knows about intrusion detection systems and
takes steps to avoid being caught.
3.2 Background Details
3.2.1 Overview of Computer Attacks
In its broadest definition, a computer attack is any malicious activity
directed at a computer system or the services it provides. Examples of
computer attacks are viruses, use of a system by an unauthorized
individual, denial-of-service by exploitation of a bug or abuse of a feature,
probing of a system to gather information, or a physical attack against
computer hardware. Subsets of the possible types of computer attacks were
included in the 1998 DARPA intrusion detection system evaluation,
including:
i. Attacks that allow an intruder to operate on a system with more
privileges than are allowed by the system security policy,
ii. Attacks that deny someone else access to some service that a
system provides, or
iii. Attempts to probe a system to find potential weaknesses
The following paragraphs provide some examples of the many ways that an
attacker can either gain access to a system or deny legitimate access by
others.
• Social Engineering: An attacker can gain access to a system by
fooling an authorized user into providing information that can be used
to break into a system. For example, an attacker can call an
individual on the telephone impersonating a network administrator in
an attempt to convince the individual to reveal confidential
information (passwords, file names, details about security policies).
Alternatively, an attacker can deliver a piece of software to a user of a
system which is actually a Trojan horse containing malicious code
that gives the attacker system access.
• Implementation Bug: An attacker can exploit bugs in trusted programs
to gain unauthorized access to a computer system. Specific examples of
implementation bugs are buffer overflows, race conditions, and
mishandling of temporary files.
• Abuse of Feature: There are legitimate actions that one can perform
that when taken to the extreme can lead to system failure. Examples
include opening hundreds of telnet connections to a machine to fill its
process table, or filling up a mail spool with junk e-mail.
• System Misconfiguration: An attacker can gain access because of an
error in the configuration of a system. For example, the default
configuration of some systems includes a “guest” account that is not
protected with a password.
• Masquerading: In some cases, it is possible to fool a system into
giving access by misrepresenting oneself. An example is sending a TCP
packet that has a forged source address that makes the packet appear
to come from a trusted host.
3.2.2 Intrusion Detection Systems
Intrusion detection systems gather information from a computer or network
of computers and attempt to detect intruders or system abuse. Generally, an
intrusion detection system will notify a human analyst of a possible
intrusion and take no further action, but some newer systems take active
steps to stop an intruder at the time of detection [136].
Although there are many possible sources of data an intrusion detection
system can use, three types of data were provided to participants in the
1998 Lincoln Laboratory intrusion detection evaluation. Most intrusion
detection systems in existence today use one or more of these three types of
data. The first of these data sources is traffic sent over the network. All data
that is transmitted over an ethernet network is visible to any machine that
is present on the local network segment. Because this data is visible to every
machine on the network, one machine connected to this ethernet can be
used to monitor traffic for all the hosts on the network. During the DARPA
evaluation, network traffic was sniffed using a single machine running the
tcpdump program [91] to save the network traffic. A second source of data
for an intrusion detection system is system-level audit data. Most operating
systems offer some level of auditing of operating system events. The amount
of data that is collected could be as limited as logging failed attempts to log
in, or as verbose as logging every system call. Basic Security Module (BSM)
[159] data from a Solaris victim machine was collected and distributed as
part of the DARPA evaluation data. A third source of data distributed to the
evaluation participants was information about file system state. Daily file
system dumps were collected from each of the machines used in the
simulation. An intrusion detection system that examines this file system
data can alert an administrator whenever a system binary file (such as the
ps, login, or ls program) is modified. Normal users have no legitimate reason
to alter these files, so a change to a system binary file indicates that the
system has been compromised. Although there are many other potential
sources of data that can be used by an intrusion detection system to find
attacks (such as real-time process lists, logfiles, processor loads, etc.), these
three sources (sniffed network traffic, host-level audit files, and file-system
state) were provided to participants in the 1998 evaluation.
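The file-system-state check described above (a changed ps, login or ls binary as a compromise indicator), as an added example that is not part of the original chapter or of the DARPA evaluation tooling: it baselines a directory tree with each file's size, permission bits and SHA-256, then diffs a later snapshot against the baseline. The tree, the file names and the simulated tampering are constructed for the example, and the permission-bit comparison assumes a POSIX file system.

```python
"""File-system state checking: baseline the system binaries, then diff a
later snapshot against the baseline to find modified, added and removed
files. The directory tree built in demo() is a constructed stand-in for the
daily file system dumps described in the text.
"""
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Size, permission bits (POSIX mode, setuid/setgid included) and SHA-256 of one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (st.st_size, stat.S_IMODE(st.st_mode), h.hexdigest())


def manifest(root):
    """Map of path (relative to root) -> fingerprint for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                result[os.path.relpath(full, root)] = fingerprint(full)
    return result


def diff_manifests(baseline, current):
    """Classify changes between two manifests. Any entry under a system
    binary directory is a compromise indicator: normal users never alter them."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data, mode=0o755):
    """Helper: create a file with given contents and mode inside the constructed tree."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Build a constructed system tree, baseline it, then simulate a rootkit-style
    replacement of bin/ps, a setuid bit added to bin/login and a dropped backdoor,
    and return the diff the next daily check would report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ps", b"original ps\n")
        _write(root, "bin/ls", b"original ls\n")
        _write(root, "bin/login", b"original login\n")
        baseline = manifest(root)
        _write(root, "bin/ps", b"trojaned ps that hides selected processes\n")  # contents change
        os.chmod(os.path.join(root, "bin/login"), 0o4755)                       # mode change only
        _write(root, "tmp/.x/sh", b"backdoor\n", mode=0o4755)                   # new file
        return diff_manifests(baseline, manifest(root))


if __name__ == "__main__":
    print(demo())
```

The manifest has to be stored somewhere the intruder cannot rewrite (read-only media or another host), otherwise the same compromise that replaces ps can also replace the baseline.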
After the three types of data were collected and aggregated, the data was
distributed to participants via CD-ROM. Once participants obtained this
data, each group used its particular intrusion detection system to find the
intrusions and abuses that were inserted into the collected traffic. Although
the 1998 DARPA evaluation tested only the ability to find attacks offline,
some intrusion detection systems can evaluate data in real-time, allowing
administrators (or the system itself) to take defensive action against the
intruder.
3.2.3 Strategies for Intrusion Detection
The different approaches that have been pursued to develop intrusion
detection systems are described in many papers, including [30][106][160].
Figure 3-1 shows four major approaches to intrusion detection and the
different characteristics of these approaches. The lower part of this figure
shows approaches that detect only known attacks, while the upper part
shows approaches that detect novel attacks. Simpler approaches are shown
on the left and approaches that are both computationally more complex and
have greater memory requirements are shown towards the right.
The most common approach to intrusion detection, denoted as “signature
verification” is shown on the bottom of Figure 3-1. Signature verification
schemes look for an invariant sequence of events that match a known type
of attack. For example, a signature verification system that is looking for a
Ping of Death denial-of-service attack (an oversize ping packet that causes
some machines to reboot) would have a simple rule that says, “Any ping
packet of length greater than 64 kilobytes is an attack.” Attack signatures
can be devised that detect attempts to exploit many possible system
vulnerabilities, but a large drawback of this strategy is that it is difficult to
establish rules that identify novel types of attacks. The Network Security
Monitor (NSM) was an early signature-based intrusion detection system that
found attacks by searching for keywords in network traffic captured using a
sniffer. Early versions of the NSM [100][68] were the foundation of many
government and commercial intrusion detection systems, including
NetRanger [46] and NID [104]. Signature verification systems are popular
because one sniffer can monitor traffic to many workstations, and the
computation required to reconstruct network sessions and search for
keywords is not excessive. In practice, these systems can have high false-
alarm rates (e.g. hundreds of false alarms per day) because it is often difficult to
select keywords by hand that successfully detect real attacks without
creating false alarms for normal traffic. In addition, signature verification
schemes must be updated frequently to detect new attacks as they are
discovered. Recent research on systems that rely on signature
verification includes BRO [128] and NSTAT [90].
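The two signature styles discussed above, as an added example that is not code from the chapter or from NSM, BRO or NSTAT: a Ping of Death rule applied to per-datagram fragment reassembly state (no single fragment exceeds the link MTU, so the "greater than 64 kilobytes" test only works on the reassembled length) and an NSM-style keyword search over a reconstructed TCP stream rather than over individual packets. Packet fields, addresses and keywords are constructed for the example, and a 20-byte IP header without options is assumed.

```python
"""Signature verification over constructed packet records: a Ping of Death
rule and an NSM-style keyword rule.

The oversize-ping condition is invisible in any single fragment, so the rule
is evaluated against reassembly state keyed on (src, dst, IP id). The keyword
rule is evaluated against the reconstructed byte stream of a TCP session, so
a keyword split across two segments is still found.
"""
from collections import defaultdict
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535     # largest legal IP datagram, header included
IP_HEADER_LEN = 20          # assumed: IP header without options


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # "icmp" or "tcp"
    ip_id: int = 0
    frag_offset: int = 0     # in 8-byte units, as carried on the wire
    more_fragments: bool = False
    payload_len: int = 0     # bytes of data carried by this fragment
    data: bytes = b""        # TCP payload, used only by the keyword rule


class SignatureDetector:
    def __init__(self, keywords):
        self.keywords = [k.lower().encode() for k in keywords]
        self.frag_end = defaultdict(int)      # (src, dst, id) -> highest byte offset seen
        self.reported = set()                 # datagrams already alerted on
        self.streams = defaultdict(bytes)     # (src, dst) -> reassembled TCP data
        self.alerts = []

    def feed(self, pkt):
        if pkt.proto == "icmp":
            self._ping_of_death(pkt)
        elif pkt.proto == "tcp":
            self._keyword(pkt)

    def _ping_of_death(self, pkt):
        """Rule: the reassembled datagram would exceed the IP maximum."""
        key = (pkt.src, pkt.dst, pkt.ip_id)
        end = IP_HEADER_LEN + pkt.frag_offset * 8 + pkt.payload_len
        self.frag_end[key] = max(self.frag_end[key], end)
        if self.frag_end[key] > IP_MAX_DATAGRAM and key not in self.reported:
            self.reported.add(key)
            self.alerts.append(("ping_of_death", pkt.src, pkt.dst, self.frag_end[key]))
        if not pkt.more_fragments:            # last fragment seen: drop the state
            self.frag_end.pop(key, None)

    def _keyword(self, pkt):
        """Rule: a keyword appears anywhere in the session's reconstructed stream."""
        key = (pkt.src, pkt.dst)
        self.streams[key] += pkt.data
        stream = self.streams[key].lower()
        for kw in self.keywords:
            if kw in stream:
                self.alerts.append(("keyword", pkt.src, pkt.dst, kw.decode()))
                self.streams[key] = b""       # report each hit once
                break


SAMPLE = [   # constructed traffic: a normal ping, an oversize ping, and a shadow-file read
    Packet("10.0.0.5", "10.0.0.1", "icmp", ip_id=1, payload_len=64),
    Packet("10.0.0.9", "10.0.0.1", "icmp", ip_id=2, frag_offset=0, more_fragments=True, payload_len=1480),
    Packet("10.0.0.9", "10.0.0.1", "icmp", ip_id=2, frag_offset=8189, payload_len=24),  # ends at byte 65556
    Packet("10.0.0.7", "10.0.0.2", "tcp", data=b"USER guest\r\ncat /etc/sha"),
    Packet("10.0.0.7", "10.0.0.2", "tcp", data=b"dow\r\n"),
]


def run(packets=SAMPLE, keywords=("/etc/shadow", "+ +")):
    det = SignatureDetector(keywords)
    for p in packets:
        det.feed(p)
    return det.alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Both rules carry state per flow, which is exactly what makes a sniffer-based signature system vulnerable to resource exhaustion: an attacker who opens many half-finished fragment sets or sessions forces the detector to either drop state (and miss) or run out of memory.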
(Figure 3-1: Approaches to Intrusion Detection)
The approaches shown in the upper half of Figure 3-1 can be used to find
novel attacks. This capability is essential to protect critical hosts because
new attacks and attack variants are constantly being developed.
Anomaly detection, shown in the upper right of Figure 3-1, is one of the
most frequently suggested approaches to detect novel attacks. Anomaly
detection schemes construct statistical models of the typical behaviour of a
system and issue warnings when they observe actions that deviate
significantly from those models. NIDES was one of the first statistical-based
anomaly detection systems used to detect unusual user [131] and unusual
program [23] behaviour. The statistical component of NIDES forms a model
of a user, system, or network activity during an initial training phase. After
training, anomalies are detected and flagged as attacks. Of course,
anomalous behaviour does not always signal that an attack is taking place,
so anomaly detection systems need to be carefully tuned to avoid high false
alarm rates. This level of tuning is only possible if normal user or system
activity is stable over time and does not overlap with attacker activity. A
user with very regular habits will be easy to model, and any intruder
attempting to masquerade as such a user would likely exhibit behaviour
that deviated significantly from the user’s normal activity. The actions of a
system administrator, however, might be more irregular and harder to
distinguish from the actions of an attacker. In addition, a hacker may be
able to slowly change the characteristics that an anomaly detection system
considers “normal” by deviating only slightly from normal behaviour over a
long period. After the anomaly detection system had been trained to
consider more actions “normal” the attacker could mount an attack and
avoid detection. A second disadvantage of anomaly detection schemes is the
large computation and memory resources required to maintain the
statistical model. Recent research on anomaly detection includes the
development of EMERALD [127], which combines statistical anomaly
detection from NIDES with signature verification.
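The statistical-profile approach and the slow-drift evasion described above, as an added example that is not code from the chapter or from NIDES or EMERALD. Each user session is reduced to a feature vector; a profile keeps a per-feature mean and variance and scores a session by its largest absolute z-score. Two profiles are trained on the same constructed history of a regular user: one frozen after training, one adaptive, which ages its statistics with exponentially decaying weights (the general idea behind profile aging; the decay factor, the three features and the threshold are assumptions for the example). The attacker then raises one feature a little per session, always staying under the threshold, until a large exfiltration session looks normal to the adaptive profile. A threshold sweep over held-out benign sessions shows the false-alarm side of tuning.

```python
"""Statistical anomaly detection over per-session user features, the
slow-drift evasion against an adaptive profile, and the false-alarm cost of
lowering the alarm threshold. All sessions are constructed.
"""
import math
import random

FEATURES = ("commands", "bytes_kb", "login_hour")
THRESHOLD = 3.0     # alarm when any feature's |z| exceeds this
DECAY = 0.1         # weight of the newest session in the adaptive profile (assumption)


class Profile:
    def __init__(self, sessions, adaptive=False):
        self.adaptive = adaptive
        self.mean = {f: 0.0 for f in FEATURES}
        self.var = {f: 0.0 for f in FEATURES}
        if adaptive:
            for f in FEATURES:                      # seed with the first session,
                self.mean[f] = sessions[0][f]       # then age the rest in
            for s in sessions[1:]:
                self._update(s)
        else:
            n = len(sessions)
            for f in FEATURES:
                vals = [s[f] for s in sessions]
                m = sum(vals) / n
                self.mean[f] = m
                self.var[f] = sum((v - m) ** 2 for v in vals) / (n - 1)

    def _update(self, session):
        """Exponentially weighted mean/variance update."""
        for f in FEATURES:
            delta = session[f] - self.mean[f]
            self.mean[f] += DECAY * delta
            self.var[f] = (1 - DECAY) * (self.var[f] + DECAY * delta * delta)

    def std(self, f):
        return max(math.sqrt(self.var[f]), 1e-9)

    def score(self, session):
        return max(abs(session[f] - self.mean[f]) / self.std(f) for f in FEATURES)

    def is_anomalous(self, session, threshold=THRESHOLD):
        return self.score(session) > threshold

    def accept(self, session):
        """Fold a session judged normal into the profile; a no-op when frozen."""
        if self.adaptive:
            self._update(session)


def normal_sessions(n, seed=7):
    """Constructed history of a regular user: ~40 commands, ~200 KB, logs in near 10:00."""
    rng = random.Random(seed)
    return [{"commands": rng.gauss(40, 5), "bytes_kb": rng.gauss(200, 30),
             "login_hour": rng.gauss(10, 1)} for _ in range(n)]


def false_alarm_rate(profile, benign_sessions, threshold):
    """Fraction of benign sessions flagged at a given threshold."""
    return sum(profile.is_anomalous(s, threshold) for s in benign_sessions) / len(benign_sessions)


def typical_except_bytes(profile, bytes_kb):
    """A session matching the profile on every feature except bytes_kb, so only that feature moves."""
    s = {f: profile.mean[f] for f in FEATURES}
    s["bytes_kb"] = bytes_kb
    return s


def drift_attack(frozen, adaptive, target_kb=2000.0, margin=1.5):
    """Creep bytes_kb up by 'margin' standard deviations per session (each one
    accepted as normal) until the exfiltration session would pass the adaptive
    profile. Returns each profile's verdict on that session and the warm-up cost."""
    warmup = 0
    while adaptive.score(typical_except_bytes(adaptive, target_kb)) > THRESHOLD and warmup < 1000:
        probe = typical_except_bytes(adaptive, adaptive.mean["bytes_kb"] + margin * adaptive.std("bytes_kb"))
        assert not adaptive.is_anomalous(probe)         # z == margin, below THRESHOLD
        adaptive.accept(probe)
        warmup += 1
    final = typical_except_bytes(adaptive, target_kb)
    return {"warmup_sessions": warmup,
            "frozen_flags": frozen.is_anomalous(final),
            "adaptive_flags": adaptive.is_anomalous(final)}


def demo():
    history = normal_sessions(200)
    frozen, adaptive = Profile(history), Profile(history, adaptive=True)
    result = drift_attack(frozen, adaptive)
    held_out = normal_sessions(200, seed=99)
    result["false_alarm_rate_t2"] = false_alarm_rate(frozen, held_out, 2.0)
    result["false_alarm_rate_t3"] = false_alarm_rate(frozen, held_out, 3.0)
    return result


if __name__ == "__main__":
    print(demo())
```

The frozen profile catches the exfiltration session but cannot follow a legitimate change in the user's habits; the adaptive profile follows habits but can be walked, one accepted session at a time, to wherever the attacker needs it. A common compromise is to adapt slowly and to alarm on the trend itself (a profile whose mean moves monotonically for many sessions), rather than only on single sessions.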
Specification-based intrusion detection [91] is a second approach that can
be used to detect new attacks. It detects attacks that make improper use of
system or application programs. This approach involves first writing security
specifications that describe the normal intended behaviour of programs.
Host-based audit records are then monitored to detect behaviour that
violates the security specifications. This approach was applied to UNIX
system programs and successfully found many attacks [91]. Specification-
based intrusion detection has the potential to provide very low false alarm
rates and detect a wide range of attacks including many forms of malicious
code such as Trojan horses, viruses, attacks that take advantage of race
conditions, and attacks that take advantage of improperly synchronized
distributed programs. Unfortunately, it is difficult to apply because security
specifications must be written for all monitored programs. This is difficult
because system and application programs are constantly updated.
Specification-based intrusion detection is thus best applied to a small
number of critical user or system programs that might be considered prime
targets for an attack.
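The specification-based approach described above, as an added example that is not the chapter's code and not the specification language of the cited work: a specification lists which operations a monitored program may perform, on which objects, and under what condition, and every audit record outside it is reported without any attack signature. The program ("localmail", a hypothetical setuid-root delivery agent), its specification, the BSM-like record format and the trace are all constructed for this example.

```python
"""Specification-based detection over a constructed BSM-style audit trace.

An unknown exploit that makes the monitored program do something outside its
specification (spawn a shell, touch a mailbox before dropping privileges) is
reported even though no signature for it exists.
"""
import re
from collections import namedtuple

Record = namedtuple("Record", "seq pid prog syscall arg euid")

# Allowed (system call -> object patterns) for each monitored program.
# Anything not listed (execve, socket, chmod, ...) is a violation.
SPEC = {
    "localmail": {
        "open":   [r"^/etc/aliases$", r"^/var/mail/[a-z]+$", r"^/tmp/localmail\.\d+$"],
        "write":  [r"^/var/mail/[a-z]+$", r"^/tmp/localmail\.\d+$"],
        "unlink": [r"^/tmp/localmail\.\d+$"],
        "setuid": [r"^[1-9]\d*$"],           # may only drop to a non-root uid
        "exit":   [r"^\d+$"],
    }
}
COMPILED = {prog: {call: [re.compile(p) for p in pats] for call, pats in spec.items()}
            for prog, spec in SPEC.items()}
MAILBOX = re.compile(r"^/var/mail/[a-z]+$")


def parse(line):
    """Constructed record format: seq|pid|program|syscall|argument|effective uid."""
    seq, pid, prog, syscall, arg, euid = line.strip().split("|")
    return Record(int(seq), int(pid), prog, syscall, arg, int(euid))


def check(records):
    """Return (seq, reason) for every record that violates the specification."""
    violations = []
    for r in records:
        spec = COMPILED.get(r.prog)
        if spec is None:
            continue                                  # program is not monitored
        if not any(p.match(r.arg) for p in spec.get(r.syscall, [])):
            violations.append((r.seq, f"{r.prog}: {r.syscall}({r.arg}) not in specification"))
            continue
        # Condition on state: a mailbox may be touched only after privileges are dropped.
        if r.syscall in ("open", "write") and MAILBOX.match(r.arg) and r.euid == 0:
            violations.append((r.seq, f"{r.prog}: {r.syscall}({r.arg}) while still running as root"))
    return violations


TRACE = """\
1|101|localmail|open|/etc/aliases|0
2|101|localmail|setuid|1001|0
3|101|localmail|open|/var/mail/alice|1001
4|101|localmail|write|/var/mail/alice|1001
5|101|localmail|exit|0|1001
6|202|localmail|open|/etc/aliases|0
7|202|localmail|open|/tmp/localmail.202|0
8|202|localmail|write|/tmp/localmail.202|0
9|202|localmail|execve|/bin/sh|0
10|303|localmail|open|/etc/aliases|0
11|303|localmail|open|/var/mail/bob|0
12|303|localmail|write|/var/mail/bob|0
13|404|httpd|execve|/usr/bin/perl|48
""".splitlines()


def run(lines=TRACE):
    return check(parse(l) for l in lines)


if __name__ == "__main__":
    for seq, reason in run():
        print(seq, reason)
```

Process 101 is a clean delivery; process 202 is the classic exploitation signature-free tell (a shell spawned by a program that never legitimately executes anything); process 303 violates the ordering condition. The httpd record is ignored because no specification exists for it, which is the cost the text notes: every program you want covered needs its own specification, kept current across upgrades.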
The final strategy shown in Figure 3-1 is bottleneck verification. The
bottleneck verification approach applies to situations where there are only a
few, well-defined ways to transition between two groups of states.
3.3 Intrusion Detection and Prevention Principles
Intrusion detection is the process of monitoring the events occurring in a
computer system or network and analyzing them for signs of possible
incidents, which are violations or imminent threats of violation of computer
security policies, acceptable use policies, or standard security practices.
Incidents have many causes, such as malware (e.g., worms, spyware),
attackers gaining unauthorized access to systems from the Internet, and
authorized users of systems who misuse their privileges or attempt to gain
additional privileges for which they are not authorized. Although many
incidents are malicious in nature, many others are not; for example, a
person might mistype the address of a computer and accidentally attempt to
connect to a different system without authorization.
An Intrusion Detection System (IDS) is software that automates the
intrusion detection process. An Intrusion Prevention System (IPS) is
software that has all the capabilities of an intrusion detection system and
can attempt to stop possible incidents. This section provides an overview of
IDS and IPS technologies as a foundation for the discussion that follows. It
first explains how IDS and IPS technologies can be used. Next, it describes
the key functions that IDS and IPS technologies perform and the detection
methodologies that they use. Finally, it provides an overview of the major
classes of IDS and IPS technologies.
IDS and IPS technologies offer many of the same capabilities, and
administrators can usually disable prevention features in IPS products,
causing them to function as IDSs. Accordingly, for brevity the term Intrusion
Detection and Prevention Systems (IDPS) is used throughout the rest of this
thesis to refer to both IDS and IPS technologies.
3.3.1 Uses of IDPS Technologies
IDPSs are primarily focused on identifying possible incidents. For example,
an IDPS could detect when an attacker has successfully compromised a
system by exploiting a vulnerability in the system. The IDPS could then report
the incident to security administrators, who could quickly initiate incident
response actions to minimize the damage caused by the incident. The IDPS
could also log information that could be used by the incident handlers [121].
Many IDPSs can also be configured to recognize violations of security
policies. For example, some IDPSs can be configured with settings that
resemble firewall rule sets, allowing them to identify network traffic that violates the
organization’s security or acceptable use policies. In addition, some IDPSs
can monitor file transfers and identify ones that might be suspicious, such
as copying a large database onto a user’s laptop.
Many IDPSs can also identify reconnaissance activity, which may indicate
that an attack is imminent. For example, some attack tools and forms of
malware, particularly worms, perform reconnaissance activities such as host
and port scans to identify targets for subsequent attacks. An IDPS might be
able to block reconnaissance and notify security administrators, who can
take actions if needed to alter other security controls to prevent related
incidents. Because reconnaissance activity is so frequent on the Internet,
reconnaissance detection is often performed primarily on protected internal
networks.
In addition to identifying incidents and supporting incident response efforts,
organizations have found other uses for IDPSs, including the following:
• Identifying security policy problems. An IDPS can provide some
degree of quality control for security policy implementation, such as
duplicating firewall rule sets and alerting when it sees network traffic
that should have been blocked by the firewall but was not because of a
firewall configuration error.
• Documenting the existing threat to an organization. IDPSs log
information about the threats that they detect. Understanding the
frequency and characteristics of attacks against an organization’s
computing resources is helpful in identifying the appropriate security
measures for protecting the resources. The information can also be
used to educate management about the threats that the organization
faces.
• Deterring individuals from violating security policies. If individuals
are aware that their actions are being monitored by IDPS technologies
for security policy violations, they may be less likely to commit such
violations because of the risk of detection.
Because of the increasing dependence on information systems and the
prevalence and potential impact of intrusions against those systems, IDPSs
have become a necessary addition to the security infrastructure of nearly
every organization.
3.3.2 Key Functions of IDPS Technologies
There are many types of IDPS technologies, which are differentiated
primarily by the types of events that they can recognize and the
methodologies that they use to identify incidents. In addition to monitoring
and analyzing events to identify undesirable activity, all types of IDPS
technologies typically perform the following functions:
• Recording information related to observed events. Information is
usually recorded locally, and might be sent to separate systems such as
centralized logging servers, Security Information and Event
Management (SIEM) solutions, and enterprise management systems.
• Notifying security administrators of important observed events.
This notification, known as an alert, occurs through any of several
methods, including the following: e-mails, pages, messages on the IDPS
user interface, Simple Network Management Protocol (SNMP) traps,
syslog messages, and user-defined programs and scripts. A notification
message typically includes only basic information regarding an event;
administrators need to access the IDPS for additional information.
• Producing reports. Reports summarize the monitored events or
provide details on particular events of interest.
Some IDPSs are also able to change their security profile when a new threat
is detected. For example, an IDPS might be able to collect more detailed
information for a particular session after malicious activity is detected
within that session. An IDPS might also alter the settings for when certain
alerts are triggered or what priority should be assigned to subsequent alerts
after a particular threat is detected.
IPS technologies are differentiated from IDS technologies by one
characteristic: IPS technologies can respond to a detected threat by
attempting to prevent it from succeeding. They use several response
techniques, which can be divided into the following groups:
• The IPS stops the attack itself. Examples of how this could be done are
as follows:
– Terminate the network connection or user session that is being used
for the attack
– Block access to the target (or possibly other likely targets) from the
offending user account, IP address, or other attacker attribute
– Block all access to the targeted host, service, application, or other
resource.
• The IPS changes the security environment. The IPS could change the
configuration of other security controls to disrupt an attack. Common
examples are reconfiguring a network device (e.g. firewall, router, switch)
to block access from the attacker or to the target, and altering a host-
based firewall on a target to block incoming attacks. Some IPSs can even
cause patches to be applied to a host if the IPS detects that the host has
vulnerabilities.
• The IPS changes the attack’s content. Some IPS technologies can
remove or replace malicious portions of an attack to make it benign. A
simple example is an IPS removing an infected file attachment from an e-
mail and then permitting the cleaned email to reach its recipient. A more
complex example is an IPS that acts as a proxy and normalizes incoming
requests, which means that the proxy repackages the payloads of the
requests, discarding header information. This might cause certain attacks
to be discarded as part of the normalization process.
Another common attribute of IDPS technologies is that they cannot provide
completely accurate detection. When an IDPS incorrectly identifies benign
activity as being malicious, a false positive has occurred. When an IDPS fails
to identify malicious activity, a false negative has occurred. It is not possible
to eliminate all false positives and negatives; in most cases, reducing the
occurrences of one increases the occurrences of the other. Many
organizations choose to decrease false negatives at the cost of increasing
false positives, which means that more malicious events are
detected but more analysis resources are needed to differentiate false
positives from true malicious events. Altering the configuration of an IDPS to
improve its detection accuracy is known as tuning.
Most IDPS technologies also offer features that compensate for the use of
common evasion techniques. Evasion is modifying the format or timing of
malicious activity so that its appearance changes but its effect is the same.
Attackers use evasion techniques to try to prevent IDPS technologies from
detecting their attacks. For example, an attacker could encode text
characters in a particular way, knowing that the target understands the
encoding and hoping that any monitoring IDPSs do not. Most IDPS
technologies can overcome common evasion techniques by duplicating
special processing performed by the targets. If the IDPS can “see” the
activity in the same way that the target would, then evasion techniques will
generally be unsuccessful at hiding attacks.
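The encoding evasion and its countermeasure from the paragraph above, as an added example that is not code from the chapter or from any product: a directory-traversal keyword is matched against constructed HTTP request paths on the raw bytes, after percent-decoding the path the way the target server would, and with the IDS and the target decoding a different number of times. The request lines, the signature and the decode-pass counts are assumptions for the example.

```python
"""IDS evasion by encoding, and the normalisation that defeats it.

A traversal keyword is matched three ways: on raw bytes (evaded by
percent-encoding), after the IDS decodes as many times as the target does
(the evasion fails), and with an IDS/target mismatch (the evasion returns,
or a false alarm appears).
"""
from urllib.parse import unquote

SIGNATURE = "../"

REQUESTS = [                                              # constructed sample request lines
    "GET /index.html HTTP/1.0",                           # 0: benign
    "GET /../../etc/passwd HTTP/1.0",                     # 1: plain traversal
    "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0",             # 2: percent-encoded once
    "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.0",     # 3: percent-encoded twice
    "GET /.%2e/.%2e/etc/passwd HTTP/1.0",                 # 4: partially encoded
]


def request_path(line):
    return line.split(" ", 2)[1]


def normalize(path, decode_passes):
    """Percent-decode the path as many times as the target does. How many
    passes a server applies is a property of that server, which is why the
    IDS has to be told (or has to learn) the value per target."""
    for _ in range(decode_passes):
        path = unquote(path)
    return path


def detect(lines, decode_passes=None):
    """Indices of request lines whose path contains SIGNATURE.
    decode_passes=None matches the raw bytes without normalisation."""
    hits = []
    for i, line in enumerate(lines):
        path = request_path(line)
        if decode_passes is not None:
            path = normalize(path, decode_passes)
        if SIGNATURE in path:
            hits.append(i)
    return hits


def compare(ids_passes, target_passes, lines=REQUESTS):
    """Consequences of the IDS and the target decoding a different number of times."""
    seen_by_ids = set(detect(lines, ids_passes))
    reaches_target = set(detect(lines, target_passes))
    return {"missed": sorted(reaches_target - seen_by_ids),
            "false_alarms": sorted(seen_by_ids - reaches_target)}


if __name__ == "__main__":
    print("raw:", detect(REQUESTS))
    print("decode once:", detect(REQUESTS, 1))
    print("decode twice:", detect(REQUESTS, 2))
    print("IDS once, target twice:", compare(1, 2))
    print("IDS twice, target once:", compare(2, 1))
```

"Seeing the activity the way the target does" is therefore a per-target property rather than a single setting: an IDS that decodes more aggressively than the server behind it trades the miss for a false alarm, and one that decodes less aggressively is evadable with one more layer of encoding.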
3.3.3 Types of IDPS Technologies
There are many types of IDPS technologies. For the purposes of this
document, they are divided into the following four groups based on the type
of events that they monitor and the ways in which they are deployed:
• Network-Based, which monitors network traffic for particular network
segments or devices and analyzes the network and application protocol
activity to identify suspicious activity. It can identify many different
types of events of interest. It is most commonly deployed at a boundary
between networks, such as in proximity to border firewalls or routers,
Virtual Private Network (VPN) servers, remote access servers, and
wireless networks. Section 4 contains extensive information on
network-based IDPS technologies.
• Wireless, which monitors wireless network traffic and analyzes its
wireless networking protocols to identify suspicious activity involving
the protocols themselves. It cannot identify suspicious activity in the
application or higher-layer network protocols (e.g., TCP, UDP) that the
wireless network traffic is transferring. It is most commonly deployed
within range of an organization’s wireless network to monitor it, but
can also be deployed to locations where unauthorized wireless
networking could be occurring.
• Network Behavior Analysis (NBA), which examines network traffic to
identify threats that generate unusual traffic flows, such as Distributed
Denial of Service (DDoS) attacks, certain forms of malware (e.g., worms,
backdoors), and policy violations (e.g., a client system providing
network services to other systems). NBA systems are most often
deployed to monitor flows on an organization’s internal networks, and
are also sometimes deployed where they can monitor flows between an
organization’s networks and external networks (e.g., the Internet,
business partners’ networks).
• Host-Based, which monitors the characteristics of a single host and the
events occurring within that host for suspicious activity. Examples of
the types of characteristics a host-based IDPS might monitor are
network traffic (only for that host), system logs, running processes,
application activity, file access and modification, and system and
application configuration changes. Host-based IDPSs are most
commonly deployed on critical hosts such as publicly accessible servers
and servers containing sensitive information.
Some forms of IDPS are more mature than others because they have been in
use much longer. Network-based IDPS and some forms of host-based IDPS
have been commercially available for over ten years. Network behavior
analysis software is a somewhat newer form of IDPS that evolved in part
from products created primarily to detect DDoS attacks, and in part from
products developed to monitor traffic flows on internal networks. Wireless
technologies are a relatively new type of IDPS, developed in response to the
popularity of Wireless Local Area Networks (WLAN) and the growing threats
against WLANs and WLAN clients.
3.4 Introduction to Intrusion in MANET
Mobile ad hoc networks are complex distributed systems that comprise
wireless mobile nodes that can freely and dynamically self-organise into
arbitrary and temporary “ad hoc” network topologies. They allow people and
devices to seamlessly internetwork with no pre-existing communication
infrastructure and central administration [191].
Ad hoc networks are a new wireless networking paradigm for mobile hosts.
Unlike traditional mobile wireless networks, ad hoc networks do not rely on
any fixed infrastructure. Instead, hosts rely on each other to keep the
network connected. The military tactical and other security-sensitive
operations are still the main applications of ad hoc networks, although there
is a trend to adopt ad hoc networks for commercial uses due to their unique
properties. One main challenge in the design of these networks is their
vulnerability to security attacks. The goal is to investigate the
development of a suite of protocols and algorithms that enables secure
collaboration over mobile ad hoc networks as well as the wired backbone.
Collaboration requires secure information sharing and communication among
a large number of academic, governmental, and military sites. A series of
experiments in key management, malicious intruder identification, and
detection of denial of service attacks will be conducted to provide this
secure networking.
Ubiquitous access to information, anywhere and anytime, will characterize
completely new kinds of information systems in the 21st century. These are
being enabled by rapidly emerging wireless communication systems, based on
radio and infrared transmission mechanisms and utilizing such technologies
as cellular telephony, personal communication systems, wireless PBXs, and
wireless local area networks. These systems have the potential to
dramatically change society as workers become "untethered" from their
information sources and communication mechanisms. While there is a rich
body of knowledge associated with radio system engineering, the needed
expertise must build upon this to encompass network management,
integration of wireless and wireline networks, system support for
mobility, computing system architectures for wireless nodes, base stations
and servers, user interfaces appropriate for small handheld portable
devices, and new applications that can exploit mobility and location
information.
Enormous amounts of data are collected from the network for network-based
intrusion detection, which poses a great challenge. Raw network traffic
needs to be summarized into higher-level events described by a set of
features, such as connection records, before the data are fed to a
machine-learning algorithm. Selecting relevant features is a crucial
activity and requires extensive domain knowledge.
3.4.1 Intrusion Detection
The concept behind intrusion detection is a surprisingly simple one:
inspect all network activity (both inbound and outbound) and identify
suspicious patterns that could be evidence of a network or system attack.
Nowadays, networked computers play an important role in society. A network
has many advantages: one can easily connect to anyone on the network,
share and use files, folders and data, and call one's loved ones over the
net. At the same time, it has many disadvantages too: one also welcomes
one's enemies, hackers and criminals, and there is a chance of the data
being misused. When an intrusion (defined as "any set of actions that
attempt to compromise the integrity, confidentiality, or availability of a
resource" [190]) takes place, intrusion prevention techniques such as
encryption and authentication (e.g., using passwords or biometrics) are
usually the first line of defence [55]. An intrusion detection system
(IDS) inspects all inbound and outbound network activity and identifies
suspicious patterns that may indicate a network or system attack from
someone attempting to break into or compromise a system.
3.4.2 Wireless vs. Wired Intrusion
• Wired – physically attached: the intruder/attacker needs to plug
directly into the network.
• Wireless – the intruder can stay anywhere and intrude unseen. There is
no exact "border" between the internal and external network, so the exact
classification into insider and outsider attacks is lost.
People sometimes assume that host-based systems prevent insider attacks
while network-based systems are aimed at outsider attacks. We may not
agree with this practice, but as soon as a Wi-Fi signal is added, the
border of defence becomes unclear and is no longer sharply defined. The
primary assumptions of intrusion detection are that user and program
activities are observable, for example via a system auditing mechanism,
and, more importantly, that normal and intrusive activities have distinct
behaviour. A network-based IDS normally runs on the gateway of a network
and inspects the packets that pass through the network hardware interface.
In misuse detection, the IDS analyzes the information it gathers and
compares it to large databases of attack signatures; essentially, it looks
for specific attacks that have already been documented. Like a virus
detection system, misuse detection software is only as good as the
database of attack signatures against which it compares packets. In
anomaly detection, the system administrator defines the baseline, or
normal, state of the network's traffic load, breakdown, protocols, and
typical packet size. The anomaly detector then monitors network segments,
compares their state to the normal baseline, and looks for anomalies
[156].
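The two approaches above, and the feature-extraction step described in
Section 3.4, can be shown together on a small constructed traffic sample.
The following Python block is an added example and is not code from the
thesis: raw packet events are folded into connection records, a misuse
detector matches them against a constructed signature database, and an
anomaly detector compares them with a baseline learned from a constructed
training window. All hosts, packets, signatures and thresholds are
assumptions made for the example.

```python
"""Added example (not code from the thesis): raw packet events are first
summarised into connection records with a few features, then a misuse
detector (signature database) and an anomaly detector (baseline learned
from a training period) are run over those records. All packets, hosts,
signatures and thresholds are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    nbytes: int
    payload: bytes = b""


@dataclass
class Connection:
    """Higher-level event built from packets sharing (src, dst, dport)."""
    src: str
    dst: str
    dport: int
    packets: int = 0
    nbytes: int = 0
    payload: bytes = b""

    @property
    def avg_size(self):
        return self.nbytes / self.packets


def summarise(packets):
    """Feature extraction: fold raw packets into connection records."""
    conns = {}
    for p in packets:
        key = (p.src, p.dst, p.dport)
        c = conns.setdefault(key, Connection(p.src, p.dst, p.dport))
        c.packets += 1
        c.nbytes += p.nbytes
        c.payload += p.payload
    return list(conns.values())


# Misuse detection: a (constructed) database of documented attack patterns.
SIGNATURES = {"web-cgi-traversal": b"../../", "ftp-anon-login": b"USER anonymous"}


def misuse_detect(conns, signatures=SIGNATURES):
    """Alert only on connections whose payload matches a known signature."""
    return [(name, c.src, c.dst, c.dport)
            for c in conns for name, pat in signatures.items() if pat in c.payload]


# Anomaly detection: the administrator-defined baseline is learned here from
# a training window of traffic assumed to be normal.
def build_baseline(conns):
    per_src = defaultdict(int)
    for c in conns:
        per_src[c.src] += 1
    counts = list(per_src.values())
    sizes = [c.avg_size for c in conns]
    return {"conn_mean": mean(counts), "conn_sd": pstdev(counts),
            "size_mean": mean(sizes), "size_sd": pstdev(sizes)}


def anomaly_detect(conns, baseline, k=3.0):
    """Flag sources opening far more connections than the baseline, and
    connections whose average packet size deviates far from the baseline."""
    alerts = []
    per_src = defaultdict(int)
    for c in conns:
        per_src[c.src] += 1
    limit = baseline["conn_mean"] + k * max(baseline["conn_sd"], 1.0)
    for src, n in per_src.items():
        if n > limit:
            alerts.append(("conn-rate", src, n))
    band = k * max(baseline["size_sd"], 1.0)
    for c in conns:
        if abs(c.avg_size - baseline["size_mean"]) > band:
            alerts.append(("pkt-size", c.src, c.avg_size))
    return alerts


def conn(src, dst, dport, n_pkts, size, payload=b""):
    """Constructed helper: n_pkts packets of `size` bytes, payload on the first."""
    return [Packet(src, dst, dport, size, payload if i == 0 else b"") for i in range(n_pkts)]


# Constructed training window: three hosts, two ordinary connections each.
TRAINING = (conn("10.0.0.2", "10.0.0.1", 80, 4, 600) + conn("10.0.0.2", "10.0.0.1", 443, 4, 600)
            + conn("10.0.0.3", "10.0.0.1", 80, 4, 600) + conn("10.0.0.3", "10.0.0.1", 22, 4, 600)
            + conn("10.0.0.4", "10.0.0.1", 80, 4, 600) + conn("10.0.0.4", "10.0.0.1", 25, 4, 600))

# Constructed observation window: one normal host, one host sending a
# documented attack string in small packets, one host sweeping 20 ports.
OBSERVED = (conn("10.0.0.2", "10.0.0.1", 80, 4, 600)
            + conn("10.0.0.5", "10.0.0.1", 80, 2, 300, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n")
            + sum((conn("10.0.0.9", "10.0.0.1", port, 1, 600) for port in range(1, 21)), []))


def run():
    records = summarise(OBSERVED)
    baseline = build_baseline(summarise(TRAINING))
    return {"records": len(records),
            "misuse": misuse_detect(records),
            "anomaly": anomaly_detect(records, baseline)}


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

The port sweep by 10.0.0.9 matches no signature and is found only by the
anomaly detector, while the traversal string is found only by the signature
database; the two detectors cover different things, which is the point the
paragraph above makes.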
3.4.3 Problems of Current IDS Techniques
There are two different types of networks: wireless and wired. There have
always been problems of security, collaboration, management and
integration between them. Thus there is a need for an intrusion detection
system, as data may be misused while communicating between the two. It is
difficult to place an IDS between a wired and a wireless network, because
the wireless network may not have a fixed infrastructure.
There is a big difference in how data are transferred in a wireless ad hoc
network and in a wired network. There are always limitations when
communicating through a wireless ad hoc network: limited bandwidth, data
loss, high cost, slower links, and so on. Intrusion detection in MANETs is
challenging for a number of reasons [116, 158, 135].
The major limitations of current intrusion detection systems are [84]:
• Noise can severely limit an intrusion detection system's effectiveness.
Bad packets generated by software bugs, corrupt DNS data, and local
packets that escaped can create a significantly high false-alarm rate.
• It is not uncommon for the number of real attacks to be far below the
number of false alarms. Real attacks are often so far below the
false-alarm rate that they are missed and ignored.
• Many attacks are geared for specific versions of software that are usually
outdated. A constantly changing library of signatures is needed to
mitigate threats. Outdated signature databases can leave the IDS
vulnerable to new strategies.
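The second limitation above, real attacks being swamped by false alarms,
follows from a short base-rate calculation. This derivation is added here
as an illustration and is not part of the thesis; the numerical values at
the end are assumed for the example.

Let $N$ be the number of events examined, $p$ the fraction of them that
are attacks, $\beta$ the probability that an attack raises an alert
(detection rate) and $\alpha$ the probability that a benign event raises
an alert (false-alarm rate). Then

$$E[\text{true alerts}] = N p \beta, \qquad
E[\text{false alarms}] = N (1-p)\,\alpha ,$$

$$\frac{E[\text{true alerts}]}{E[\text{false alarms}]} =
\frac{p\beta}{(1-p)\,\alpha}, \qquad
P(\text{attack} \mid \text{alert}) = \frac{p\beta}{p\beta + (1-p)\,\alpha}.$$

Both ratios are independent of $N$: only the false-alarm rate relative to
the attack base rate matters. With the assumed values $p = 10^{-4}$,
$\beta = 0.9$ and $\alpha = 10^{-3}$,

$$\frac{p\beta}{(1-p)\,\alpha} = \frac{9 \times 10^{-5}}{9.999 \times 10^{-4}}
\approx 0.09, \qquad
P(\text{attack} \mid \text{alert}) \approx 0.083 ,$$

so roughly eleven false alarms are raised for every real one even with a
90% detection rate, which is why a false-alarm rate of one in a thousand
is enough to bury the attacks.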
3.4.4 NIDS Performance Issues
A network-based IDS is an independent platform that identifies intrusions
by examining network traffic and monitors multiple hosts. Network
intrusion detection systems (NIDS) [34, 134, 89] gain access to network
traffic by connecting to a network hub, a network switch configured for
port mirroring, or a network tap. In an NIDS, as shown in Figure 3-2,
sensors are located at choke points in the network to be monitored, often
in the Demilitarized Zone (DMZ) or at network borders. Sensors capture all
network traffic and analyze the content of individual packets for
malicious traffic [31]. An example of an NIDS is Snort.
Network intrusion detection systems are usually deployed as a dedicated
component on a network segment. There is some debate as to where to place
a single NIDS (inside or outside of a firewall), but most agree that
multiple NIDS are better. The NIDS then compares captured network data to
a file of known malicious signatures. If there is a match, the IDS logs
the event and sends an alert according to how it was configured by the
network or security administrator [32].
(Figure 3-2: A Network Based IDS)
A major difficulty is that true performance statistics are very hard to
obtain, especially in a lab. However, a recent test by NSS Labs is
probably one of the best [33]. The most important factor is not how many
attacks an NIDS can detect (often the only benchmark used in lab tests),
but how effectively the NIDS can pick out one attack in a mass of normal
background traffic. It is often not the mass of attacks that an NIDS has
problems dealing with, but the proverbial "finding a needle in a
haystack". This becomes especially difficult when SSL (Secure Socket
Layer) traffic is involved, because the NIDS cannot read encrypted
traffic: it wastes valuable CPU cycles realizing that it cannot do
anything with the traffic and then discards it.
A second core performance element to consider is the size of packets. In
tests, NIDS vendors usually look at an average packet size of 1024 bytes;
however, if the packet sizes are smaller, the NIDS will run a lot slower
(consider, for example, the negative impact when monitoring a large DNS
server).
A third key driver in how fast an NIDS can run is the actual policy that is
running on the NIDS. Typically, NIDS have hundreds of attack signatures
that they are looking for at any given time. The more signatures they are
looking for in a stream of data, the longer it will take to look at the next
stream. This is more critical for pattern matching based systems than those
that utilize protocol analysis.
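The last two performance points, that work grows with the number of
signatures and that protocol analysis needs less of it than blind pattern
matching, can be made concrete with a toy cost model. The Python block
below is an added example and is not code from the thesis or from any NIDS
product: it counts byte comparisons while scanning a few constructed
packets, once with every rule applied to every packet and once with the
protocol classified first. The rules, packets and the port-to-protocol
table are all constructed assumptions.

```python
"""Added example (not code from the thesis): a toy cost model contrasting a
pattern-matching NIDS, which tries every signature against every packet,
with a protocol-analysis NIDS, which first classifies the packet's protocol
and applies only the rules written for it. The packets, rules, port-to-
protocol table and the work metric (byte comparisons) are all constructed
for illustration."""
from dataclasses import dataclass


@dataclass
class Pkt:
    dport: int      # destination port, used here as a stand-in for protocol decoding
    payload: bytes


# Constructed rules: (name, protocol the rule belongs to, byte pattern).
RULES = [
    ("http-traversal", "http", b"../../"),
    ("http-long-uri", "http", b"A" * 64),
    ("smtp-vrfy", "smtp", b"VRFY "),
    ("dns-any-query", "dns", b"\x00\xff\x00\x01"),   # QTYPE=ANY, QCLASS=IN
    ("ftp-anon", "ftp", b"USER anonymous"),
]
PORT_TO_PROTO = {80: "http", 25: "smtp", 53: "dns", 21: "ftp"}

# Constructed packets: one benign HTTP request and one packet per rule.
PACKETS = [
    Pkt(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Pkt(80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"),
    Pkt(25, b"HELO mail.example.test\r\nVRFY root\r\n"),
    Pkt(53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
            b"\x07example\x04test\x00\x00\xff\x00\x01"),
    Pkt(21, b"USER anonymous\r\nPASS guest@\r\n"),
]


def find(hay, needle):
    """Naive substring search; returns (found, number of byte comparisons)."""
    comps = 0
    for i in range(len(hay) - len(needle) + 1):
        j = 0
        while j < len(needle) and hay[i + j] == needle[j]:
            j += 1
        if j == len(needle):
            return True, comps + j      # full match: j successful compares
        comps += j + 1                  # j matches plus the mismatching compare
    return False, comps


def scan_pattern_matching(packets, rules=RULES):
    """Every rule is tried against every packet regardless of protocol."""
    alerts, work = [], 0
    for pkt in packets:
        for name, _proto, pattern in rules:
            hit, comps = find(pkt.payload, pattern)
            work += comps
            if hit:
                alerts.append(name)
    return alerts, work


def scan_protocol_analysis(packets, rules=RULES):
    """Classify the protocol first, then apply only that protocol's rules."""
    alerts, work = [], 0
    for pkt in packets:
        proto = PORT_TO_PROTO.get(pkt.dport)
        for name, rule_proto, pattern in rules:
            if rule_proto != proto:
                continue    # rule not applicable: skipped without touching the payload
            hit, comps = find(pkt.payload, pattern)
            work += comps
            if hit:
                alerts.append(name)
    return alerts, work


if __name__ == "__main__":
    for scanner in (scan_pattern_matching, scan_protocol_analysis):
        alerts, work = scanner(PACKETS)
        print(f"{scanner.__name__}: {alerts} ({work} byte comparisons)")
```

Both scanners raise the same four alerts, but the protocol-aware one does
strictly less work, and trimming the rule set reduces the work of either.
Real products use multi-pattern automata rather than this naive search,
but the proportionality to rule count and payload bytes is the same.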
The nature of the mobile computing environment makes it very vulnerable to
an adversary's malicious attacks. First, the use of wireless links renders
the network susceptible to attacks ranging from passive eavesdropping to
active interference. Unlike wired networks, where an adversary must gain
physical access to the network wires or pass through several lines of
defence at firewalls and gateways, attacks on a wireless network can come
from all directions and target any node. Damage can include leaking secret
information, message contamination, and node impersonation. All this means
that a wireless ad hoc network will not have a clear line of defence, and
every node must be prepared for encounters with an adversary, directly or
indirectly.
3.4.5 New Architecture
Though many IDS architectures have been designed for infrastructure-based
networks, they are not applicable in a mobile environment. Motivated by
this consideration, we propose a modified architecture based on the
conceptual model for an IDS agent proposed by Yongguang Zhang and Wenke
Lee [55]. The model is extended by introducing two novel ideas: the data
collection is divided into two parts, and a Global Data Collection Module
is introduced as the outermost layer of the model.
The IDS should be both cooperative and distributed to satisfy the needs of
a wireless ad hoc network. In the proposed architecture, every node in the
wireless ad hoc network participates in intrusion detection and response.
Each of these nodes is responsible for signalling intrusions locally and
independently. In addition, this IDS model identifies black-list and
white-list requests.
The internals of an IDS agent can be complex, but conceptually it can be
structured in eight pieces, as shown in Figure 3-3. The data collection
module is responsible for gathering local audit traces and activity logs.
Next, the Identifier uses this data to decide whether an intrusion has
occurred, and the Notification module takes the appropriate action if it
has. The Global Data Collection module stores all the calls that have
occurred.
A. Data Collection Module
This has been further divided into a black list and a white list. It
gathers all the necessary streams of data that arrive at the time of a
request. The black-list module stores all the details of sources that may
lead to misuse, that is, where there is a chance of intrusion, whereas the
white-list module stores the details of the most frequent calls, which are
authentic. Depending on the intrusion detection algorithms, these useful
data streams can include system and user activity within the mobile node.
Multiple data collection modules can coexist in one IDS agent to provide
multiple audit streams for a multi-layer integrated intrusion detection
method.
(Figure 3-3: A conceptual model for IDS Agent)
B. Identifiers
Identifiers can be a local Identifier or Group detection. The local
Identifier uses the data from the Data Collection module and identifies
whether an intrusion has occurred or not. If yes, it sends a signal to the
Notification module, where it is processed. As time goes on, newer attacks
on the system will always be created, and securing a system is not an easy
task; even more so as more and more devices become wireless, so security
must be increased accordingly. Establishing new and better security for a
mobile ad hoc network is not easy. Therefore, the IDS model should use
different statistical and mathematical models to solve the problem.
C. Notification
Notification can be local notification or universal notification. The
notification made to the system depends on the type of network. When the
system is in the network, it is notified universally, i.e. it broadcasts
the message to its neighbours along with the details of the intrusion and
the address of the particular system that initiated the intrusion. In this
case, all the systems update their data collection module and put this
description in the black list of that module. In addition, they can refer
to it in the future to identify the intrusion.
(Figure 3-3 labels: System calls; Global Data Collection Module;
Neighboring IDS Agent; Local Notification, Universal Notification; Local
Identifier, Group detection; Data Collection, Black listed, White listed;
Secure Communication)
In local notification, the system notifies itself that an intrusion has
occurred, then terminates the connection with that particular system and
updates the black-list data collection module.
When an intrusion occurs, the node sends the intrusion state information
to its neighbouring nodes. Each node can then update its Data Collection
module and initiate appropriate action against that intruder.
D. Global Data Collection Module
This is the core and heart of the new intrusion detection system, as it is
centralized and stores all the streams and actions carried out by the
systems in the network. When any system initiates a request, it is first
stored in this module, which can then be used by the Data Collection
module to identify the intrusion. This module also implements the cache
concept, as it updates itself at every interval. Cross-checking is done
for every instance of a node to secure the ad hoc network and to identify
unauthorized users.
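The interaction of parts A to D (black and white lists, the local
identifier, local and universal notification, and the cached global
record) can be followed in a small simulation. The Python block below is an
added example and is not code from the thesis: the node names, the request
format, the lookup order (black list, then white list, then the global
record), the verdict that a request unknown everywhere in the network is
treated as an intrusion, and the cache refresh interval are all assumptions
made here so the code runs; the thesis does not fix them.

```python
"""Added example (not code from the thesis): a small simulation of the
agent model of Section 3.4.5, parts A to D. Node names, the request format,
the lookup order (black list, white list, then the global record), the
"unknown means suspicious" verdict and the cache refresh interval are all
assumptions made here so that the code runs; the thesis does not fix them."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    source: str     # address of the node making the call
    call: str       # constructed label for the system call / service requested


class GlobalDataCollection:
    """D: centralised store of every request seen in the network. Entries
    behave like a cache and expire after `ttl` refresh intervals."""

    def __init__(self, ttl=2):
        self.ttl = ttl
        self.interval = 0
        self.entries = {}           # Request -> interval in which it was last seen

    def record(self, req):
        self.entries[req] = self.interval

    def known(self, req):
        return req in self.entries

    def tick(self):
        """One refresh interval: drop entries older than ttl intervals."""
        self.interval += 1
        self.entries = {r: t for r, t in self.entries.items()
                        if self.interval - t < self.ttl}


class IDSAgent:
    def __init__(self, name, gdc, connected=True):
        self.name = name
        self.gdc = gdc
        self.connected = connected  # in the network: notify universally
        self.black = set()          # A: black-list data collection module
        self.white = set()          # A: white-list data collection module
        self.neighbours = []
        self.log = []

    def identify(self, req):
        """B: local identifier, cross-checking the request against the
        local lists and then the global record."""
        if req.source in self.black:
            return "intrusion"
        if req.source in self.white or self.gdc.known(req):
            return "normal"
        return "intrusion"          # never seen anywhere in the network

    def handle(self, req):
        verdict = self.identify(req)
        self.gdc.record(req)        # D: every request is stored globally
        if verdict == "intrusion":
            self.black.add(req.source)
            self.log.append(("terminate", req.source))   # C: local notification
            if self.connected:
                self.notify_universal(req)
        else:
            self.white.add(req.source)  # authentic, frequently seen caller
            self.log.append(("accept", req.source))
        return verdict

    def notify_universal(self, req):
        """C: broadcast the intruder's address and the call to neighbours."""
        for n in self.neighbours:
            n.receive_alert(self.name, req)

    def receive_alert(self, sender, req):
        self.black.add(req.source)  # neighbours update their black lists
        self.log.append(("alert-from", sender, req.source))


def run_scenario():
    """Constructed scenario with three fully connected agents A, B and C."""
    gdc = GlobalDataCollection(ttl=2)
    a, b, c = (IDSAgent(n, gdc) for n in "ABC")
    a.white.add("10.0.0.2")         # A trusts one host up front
    for node in (a, b, c):
        node.neighbours = [n for n in (a, b, c) if n is not node]
    verdicts = [
        a.handle(Request("10.0.0.2", "read")),   # white-listed at A
        b.handle(Request("10.0.0.2", "read")),   # unknown at B, but in the global record
        b.handle(Request("10.0.0.99", "exec")),  # unknown everywhere: intrusion, broadcast
        c.handle(Request("10.0.0.99", "read")),  # C already black-listed it from B's alert
    ]
    stored = len(gdc.entries)
    for _ in range(2):              # two refresh intervals: cached entries expire
        gdc.tick()
    return {"verdicts": verdicts, "stored": stored, "after_expiry": len(gdc.entries),
            "black_A": sorted(a.black), "black_C": sorted(c.black), "log_C": c.log}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The second request shows what the global module adds: B has never seen
10.0.0.2, but the call is already in the global record, so B accepts it
without a broadcast. The third shows the universal notification path, and
the fourth shows C acting on a black-list entry it received from B rather
than on anything it observed itself.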
3.5 Conclusion
Here the argument is that any system on the network may experience
intrusion and have its privacy exploited. This is especially true for
wireless ad hoc networks. Intrusion detection can help intrusion
prevention techniques to improve, so new techniques must be developed to
solve this problem.
Through continuous investigation, it has been shown how a new model can be
developed and how a Global Data Collection module helps the IDS Agent to
identify occurrences of intrusion. First, when any system initiates a
request, the request is checked in the Global Data Collection Module; if
it is not found there, the source is put in the black list and a message
is broadcast, so that all the neighbouring nodes know the intrusion point
and can take appropriate action.
At present, investigation of the architectural issues is still going on
in order to solve them, implement the architecture practically and study
its performance issues. In short, we focus more on the issues that arise
in the IDS and try to identify the best solution among all.
In future, the algorithm that supports the model will be developed to
identify intrusions in a cost-effective way.