Intrusion Detection System (IDS)


Uploaded by: hcl-technologies

Posted on: 29-Jul-2015



© 2015, HCL Technologies. Reproduction Prohibited. This document is protected under Copyright by the Author, all rights reserved.

Table of Contents

Abstract
Abbreviations
IDS Overview
Principles & Assumptions in IDS
Components and Types of IDS
HIDS (Host-based Intrusion Detection Systems)
NIDS (Network-based Intrusion Detection Systems)
Intrusion Detection in Virtualized Systems
Anomaly-based IDS
Limitations of Anomaly Detection
Misuse-based IDS
Limitations of Misuse Detection
Future Directions
Conclusion
Author Info


Abstract

Due to the phenomenal development of networking technology, applications and other services, IP networks are the preferred medium for communication, but they are also more vulnerable to attacks. To cope with the growing menace of security threats, security systems have to be made more intelligent and robust by introducing Intrusion Detection Systems (IDS) into the security layers of a network. An IDS monitors the use of computers and the networks over which they communicate, to detect unauthorized use and anomalous behavior by identifying activities that violate the security policy of the system. There are several reasons that make intrusion detection a necessary part of the entire defense system. Most importantly:

- Many legacy systems and applications were developed without keeping security in mind.
- Computer systems or applications may have design flaws or bugs that can be used by an intruder to attack the system or applications.

An IDS provides ways to monitor, identify and respond to attacks against these systems. The goal of an IDS is not only to detect attacks accurately and notify network administrators, but also to detect them at an early stage to minimize their impact.

Abbreviations

Sl.No   Acronym   Full Form
1       IDS       Intrusion Detection System
2       HIDS      Host-based IDS
3       NIDS      Network-based IDS
4       VMM       Virtual Machine Monitor
5       VMI       Virtual Machine Introspection


IDS Overview

An IDS is usually deployed as a second line of defense along with other security mechanisms such as access control, authentication and firewalls. Though IDS are often used in conjunction with firewalls, the two tools have completely different functions. For example, think of the IDS as a security guard on a factory premises and the fence surrounding the factory as the firewall. Nobody is allowed inside the factory without proper authentication, and the fence keeps all unwanted visitors outside the premises. But holes in the fence can be used by unwanted visitors to enter the premises. This kind of intrusion event can be monitored by a security guard who alerts the head security officer or prevents the person from entering the premises. A firewall essentially protects a network and attempts to prevent intrusions by using network- or application-level filtering, whereas an IDS detects a security breach in the system or that the network is under attack. An IDS uses policies to define certain events as threats, raises alerts upon detection, and often responds to the events appropriately.

Principles & Assumptions in IDS

The system is assumed to be safe and healthy if the following conditions are met for user actions:

- They conform to statistically predictable patterns.
- They do not include sequences that violate the security policy.
- They correspond to a set of specifications which describe what the process is allowed to do.

If at least one of these conditions is not met, then the system is assumed to be under attack. Further, intrusion detection is based upon the following assumptions regardless of the methods adopted by the IDS:

- A security policy is defined to differentiate the normal and abnormal usage of every resource.
- The patterns generated by abnormal system usage are noticeably different from those of normal system usage, and result in different system behavior. This anomaly in behavior can be used to detect intrusions.

The detection mechanisms used by IDS are mainly categorized into two methodologies: anomaly detection, and signature/misuse detection.

Components and Types of IDS

An IDS typically consists of three components:

Data Preprocessor: This component collects user (audit) data and patterns from the desired source and converts them into a format comprehensible by the next component, i.e. the 'analyzer'. Data used for detecting intrusions ranges from user access patterns to network packet-level features (source and destination IP, types of packets, etc.) along with application- and system-level behaviors (sequences of system calls).


Analyzer (Intrusion Detector): This is the core component of the IDS. It analyzes the audit patterns using techniques such as machine learning, pattern matching, data mining and statistical analysis to detect an attack. Its capability to detect an attack often determines the strength of the overall system.

Response Engine: This component controls the reaction mechanism and determines the response when the analyzer detects an attack. Depending upon the security policy of the network, it decides whether to raise an alert or block the source temporarily.

An IDS can be either network-based or host-based. Each has a distinct approach to monitoring and securing data.

HIDS (Host-based Intrusion Detection Systems)

HIDS prevent threats that arise from inside the network by collecting data originating on individual hosts and analyzing it on a dedicated system. These systems reside on trusted network systems and are accessible only to authenticated users. If one of these users attempts unauthorized activity, the HIDS detects it and collects the most pertinent information in the quickest possible manner. For example, operating system audit logs are highly effective for detecting insider abuse. A typical HIDS architecture is represented in Figure 1; the blue colored machines represent hosts on which HIDS have been installed.

Figure-1: HIDS Architecture


NIDS (Network-based Intrusion Detection Systems)

NIDS analyze data packets that travel over the actual network and often compare them with empirical data to verify their nature. NIDS are placed at strategic points within the network to monitor it, and are best at detecting the following activities:

- Denial of service: The NIDS notices the packets that initiate attacks from outside the network and single out network resources for abuse or overload.
- Unauthorized outsider access: The NIDS detects unauthorized login attempts by users before the actual login.

A typical NIDS architecture is represented in Figure 2. The traffic is funneled through the NIDS device in the network; it does not isolate any single host machine for intrusion detection.

Figure-2: NIDS Architecture

Intrusion Detection in Virtualized Systems

A virtualized environment provides protection to systems with the help of a Virtual Machine Monitor (VMM), or hypervisor, by combining the best of both host- and network-based IDS. The VMM pulls the IDS outside of the monitored host into a completely different hardware protection domain; this property of the VMM is known as isolation. The VMM provides a strong barrier between the IDS and the attacker's malicious code, which ensures that the IDS cannot be tampered with even if the monitored host is compromised. The ability to directly inspect the hardware state of the Virtual Machine (VM) on which a monitored host is running, and thereby monitor both hardware- and software-level events, is called inspection. Any attempt to modify a register can easily be detected by the VMM; this is called the interposition property of the VMM.


Virtual Machine Introspection (VMI) inspects a VM from outside and analyzes the software running on it. The VMI IDS implements intrusion detection policies by analyzing the machine state and events through the VMM interface. A VMI-IDS uses the properties of the VMM to provide a very robust architecture for intrusion detection.

The VMI-IDS is divided into two parts:

The OS Interface Library, which provides an OS-level view of the virtual machine's state in order to facilitate easy policy development and implementation. It interprets low-level machine state from the VMM in terms of higher-level OS structures, using knowledge about the guest OS implementation to interpret the VM's machine state as exported by the VMM.

The Policy Engine, which executes IDS policies by using the OS interface library and the VMM interface. It provides an interface for making high-level queries about the OS of the monitored host, and interprets system state and events from the VMM interface and OS interface library to find any security breach. The policy engine responds appropriately in case of threats and is considered to be the heart of the IDS.

Figure 3 shows the VM, the host being monitored, and the VMI-based IDS with its major components.

[Figure 3: the IDS (Policy Modules, Policy Framework, OS Interface Lib, Policy Engine) and the Monitored Host (Guest Apps, Guest OS, Virtual Machine H/W State) both sit above the Virtual Machine Monitor, with Command, Query and Response flows labelled between the IDS and the VMM.]

Figure-3: VMI-based IDS
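As an added, runnable sketch of the two-part structure described above (this is not the paper's code), the Python below models a VMM that exposes guest physical memory read-only, an OS interface library that maps a guest process to its code pages, and a policy engine that checks a process's code segment against a known-good hash. The VMM class, the process table and the four-page guest memory image are constructed stand-ins; a real OS interface library would rebuild the process table from the guest kernel's data structures.

```python
import hashlib
from collections import namedtuple

PAGE = 4096
# GuestProcess: pid, name, guest-physical page numbers of the code segment
GuestProcess = namedtuple("GuestProcess", "pid name text_pages")

class VirtualMachineMonitor:
    """Constructed stand-in for the VMM interface: read-only access to the
    guest's physical memory for an IDS that lives outside the guest."""
    def __init__(self, physical_memory):
        self._mem = physical_memory

    def read_physical(self, addr, length):
        return bytes(self._mem[addr:addr + length])

class OSInterfaceLibrary:
    """Turns raw machine state into OS-level objects. The process table is a
    constructed stand-in for what a real library would rebuild from guest
    kernel data structures."""
    def __init__(self, vmm, process_table):
        self.vmm = vmm
        self._procs = process_table

    def find_process(self, name):
        return [p for p in self._procs if p.name == name]

    def read_code_segment(self, proc):
        return b"".join(self.vmm.read_physical(pn * PAGE, PAGE) for pn in proc.text_pages)

class PolicyEngine:
    """Policy: hash each monitored process's code segment and compare it with
    the known-good hash recorded when the guest was deployed."""
    def __init__(self, oslib, baseline):
        self.oslib = oslib
        self.baseline = baseline  # process name -> sha256 hex of pristine code

    def check_integrity(self):
        alerts = []
        for name, good in self.baseline.items():
            for proc in self.oslib.find_process(name):
                digest = hashlib.sha256(self.oslib.read_code_segment(proc)).hexdigest()
                if digest != good:
                    alerts.append(f"pid {proc.pid} ({name}): code segment modified")
        return alerts

def build_guest_memory(tampered):
    """Constructed 4-page guest image; sshd's code segment occupies pages 1-2."""
    mem = bytearray(4 * PAGE)
    mem[PAGE:3 * PAGE] = (b"\x55\x48\x89\xe5" * 100).ljust(2 * PAGE, b"\x90")
    if tampered:  # simulate an in-memory patch of a few instruction bytes
        mem[PAGE + 64:PAGE + 68] = b"\xcc\xcc\xcc\xcc"
    return mem

def run_check(tampered):
    pristine = build_guest_memory(False)
    baseline = {"sshd": hashlib.sha256(bytes(pristine[PAGE:3 * PAGE])).hexdigest()}
    vmm = VirtualMachineMonitor(build_guest_memory(tampered))
    oslib = OSInterfaceLibrary(vmm, [GuestProcess(1234, "sshd", [1, 2])])
    return PolicyEngine(oslib, baseline).check_integrity()
```

The policy engine never touches the guest directly: every byte it sees comes through the VMM read path, which is what keeps the check intact when the guest itself is compromised.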


The VMI-IDS leverages three properties of a virtualized environment:

- Isolation: Software running in a virtual machine cannot access or modify anything running in the VMM or in other VMs. Even if an intruder has completely subverted the monitored host, he still cannot tamper with the IDS.
- Inspection: Being able to directly inspect the virtual machine's CPU, memory and I/O state, there is no state in the monitored system that the IDS cannot see.
- Interposition: The VMI-IDS leverages the functionality of the VMM to interpose on virtual machine operations, so that any attempt to modify a hardware register can be easily detected.

A VMI completely encapsulates the state of a VM in software, and can easily collect checkpoints of a VM. This capability can be used to compare the state of a 'VM under observation' for offline analysis, or to capture the entire state of a compromised machine for forensic purposes.

A VMI IDS offers a more robust view of the system and utilizes the property of the VMM to directly observe the hardware state and events of a virtual machine. It uses this information to extrapolate the software state of the host, similar to a HIDS. A tampered sshd process can be detected by periodically performing integrity checks on its code segment. A VMM can provide access to pages of physical memory or disk blocks in a VM, but discovering the contents of sshd's code segment requires answering queries about machine state in the context of the OS running in the VM.

VMI-based IDS are strongly isolated from the host they are monitoring, giving a high degree of attack resistance, providing complete protection of hardware access, and maintaining the constraints imposed by the OS even if the host has been compromised. VMI-based IDS suspend the host while the IDS restarts in case of a fault, providing an easy model for fail-safe fault recovery.

Anomaly-based IDS

This approach is designed to uncover abnormal patterns. The IDS establishes a baseline of normal usage patterns, modeled on audit data collected over a period through 'training'. Anything that deviates widely from the baseline gets flagged as a possible intrusion. What is considered an anomaly can vary, but normally parameters such as bandwidth, protocols, ports and devices are compared with the baseline to see whether they cross a threshold, at which point an anomaly is detected. Anomaly detection can also investigate user patterns by profiling the programs executed daily. The algorithms in this approach use 'system call sequences' and 'program counters' to calculate an anomaly score, and raise an alarm if the anomaly score crosses the threshold.


Limitations of Anomaly Detection

The weakness of this approach lies in the baseline collected through training. A subject's normal behavior usually changes over time, and an IDS that uses this approach usually allows the subject's profile to change gradually. An intruder can use this loophole to train the IDS and make an intrusive activity acceptable. Additionally, it can give a series of false alarms in case of a noticeable change in the system environment. False positive alerts are issued when normal behavior is incorrectly identified as abnormal, and false negative alerts are issued when abnormal behavior is incorrectly identified as normal. Moreover, during training, the input parameters often do not contain all the features related to intrusion detection. These missing features make it difficult to distinguish attacks from normal activities.
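The following added example (not code from the paper) implements the system-call-sequence detector outlined under Anomaly-based IDS and shows the false-positive weakness described above: the detector learns every length-3 window of constructed normal traces and scores a new trace by the fraction of windows it never saw during training. The traces, the window length and the threshold are assumptions chosen for the example.

```python
N = 3             # window length over the system-call sequence
THRESHOLD = 0.25  # anomaly score above which an alarm is raised

class SyscallAnomalyDetector:
    """Sequence-based anomaly detector. 'Training' records every length-N
    window seen in normal traces; the anomaly score of a new trace is the
    fraction of its windows that never appeared during training."""
    def __init__(self, n=N, threshold=THRESHOLD):
        self.n = n
        self.threshold = threshold
        self.normal = set()

    def windows(self, trace):
        return [tuple(trace[i:i + self.n]) for i in range(len(trace) - self.n + 1)]

    def train(self, traces):
        for trace in traces:
            self.normal.update(self.windows(trace))

    def score(self, trace):
        wins = self.windows(trace)
        if not wins:
            return 0.0
        unseen = sum(1 for w in wins if w not in self.normal)
        return unseen / len(wins)

    def classify(self, trace):
        s = self.score(trace)
        return ("ALARM" if s > self.threshold else "normal", round(s, 3))

# Constructed traces of a hypothetical network daemon (not real captures).
NORMAL_TRACES = [
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "read", "write", "close"],
    ["accept", "read", "write", "write", "close"],
]
# The same daemon after a compromised request: it opens a file and spawns a shell.
SUSPICIOUS = ["accept", "read", "open", "read", "execve", "dup2", "write", "close"]
# Legitimate new behaviour after a config change (log rotation): also flagged,
# which is the false-positive problem of a baseline that has not been retrained.
CHANGED_ENV = ["accept", "read", "write", "rename", "open", "write", "close"]

def demo():
    det = SyscallAnomalyDetector()
    det.train(NORMAL_TRACES)
    samples = {"normal": NORMAL_TRACES[0], "suspicious": SUSPICIOUS, "changed_env": CHANGED_ENV}
    return {name: det.classify(trace) for name, trace in samples.items()}
```

Both the compromised trace and the harmless post-change trace score well above the threshold; without features that separate the two, the detector cannot tell them apart, which is the missing-feature problem described above.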

Misuse-based IDS

This approach is complementary to anomaly detection. Known attack patterns can be detected more effectively by using the knowledge about them. A misuse-based IDS monitors packets on the network and compares them against a database of signatures or attributes of known malicious threats. Misuse detection looks for well-defined patterns of known attacks or vulnerabilities; even a very trivial intrusive activity that is usually ignored by anomaly detection can be detected by these systems. The detection algorithm usually follows directly from the representation mechanism. Rule-based expert systems are used in misuse-based algorithms, in which rules are applied to audit records to detect intrusions.

Limitations of Misuse Detection

This model cannot detect unknown attacks. A system protected by this method may face the risk of being compromised without the attacks being detected. Misuse detection requires an explicit representation of attacks, which is not an easy task, and the nature of the attacks also needs to be thoroughly understood in order to raise an alert. This requires human/expert intervention for analysis, which is both time consuming and error prone.
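As an added example (not the paper's code) covering the signature matching described under Misuse-based IDS and the unknown-attack limitation above, the Python below applies a small constructed signature database to constructed packet records and returns one alert per hit. The signatures, addresses and payloads are all assumptions; the last packet carries a pattern for which no signature exists, and the detector is silent on it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass(frozen=True)
class Signature:
    """One entry of the known-attack database: protocol, destination port
    (None = any) and a byte pattern that must occur in the payload."""
    sid: int
    msg: str
    proto: str
    dport: Optional[int]
    content: bytes
    nocase: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.nocase:
            return self.content.lower() in pkt.payload.lower()
        return self.content in pkt.payload

class MisuseDetector:
    """Signature-based NIDS core: each packet is compared against every
    signature, and each hit becomes an alert record."""
    def __init__(self, signatures):
        self.signatures = list(signatures)

    def inspect(self, pkt: Packet) -> list:
        return [f"[sid {s.sid}] {s.msg} {pkt.src} -> {pkt.dst}:{pkt.dport}"
                for s in self.signatures if s.matches(pkt)]

# Constructed signature database (not a real ruleset).
SIGNATURES = [
    Signature(1001, "WEB-ATTACK /etc/passwd directory traversal", "tcp", 80, b"../../etc/passwd"),
    Signature(1002, "WEB-ATTACK SQL injection (UNION SELECT)", "tcp", 80, b"union select", nocase=True),
    Signature(1003, "POLICY anonymous FTP login", "tcp", 21, b"USER anonymous"),
]

# Constructed traffic: one benign request, two known attack patterns, and one
# novel pattern with no signature yet, which the detector cannot see.
TRAFFIC = [
    Packet("tcp", "10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\nHost: app\r\n\r\n"),
    Packet("tcp", "198.51.100.7", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("tcp", "198.51.100.7", "10.0.0.80", 80, b"GET /item?id=1 UNION SELECT user,pw FROM users HTTP/1.1\r\n\r\n"),
    Packet("tcp", "198.51.100.9", "10.0.0.80", 80, b"GET /item?id=1 OR 1=1 HTTP/1.1\r\n\r\n"),
]

def run_detector(traffic=TRAFFIC) -> list:
    det = MisuseDetector(SIGNATURES)
    return [alert for pkt in traffic for alert in det.inspect(pkt)]
```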

Future Directions and Business Relevance

Intrusion detection is still a fledgling field of research. The growth of the Internet, the possibilities opening up in electronic trade and the lack of truly secure systems make it an important field of research. Detecting unknown patterns of attacks without generating too many false alarms still remains an unresolved problem. Future research trends seem to be converging towards a model that is a hybrid of anomaly and misuse detection, since neither model can detect all intrusion attempts on its own.

The drastic increase in the number of intrusion incidents in business networks has pushed enterprises to increase their IT security budgets by adapting to new advanced security technologies, which has eventually boosted the market for IDS to a great extent. The market related to IDS is expected to grow from $2.716 billion in 2014 to $5.042 billion by 2019, an estimated growth rate of 13.2%.


Conclusion

Intrusion detection has become a necessary addition to the security infrastructure of almost every organization. The criticality of detecting intrusions in networks and applications leaves no margin for error. The effective cost of a successful intrusion overshadows the cost of developing an IDS, and hence it becomes critical to identify the best possible approach for developing a better IDS. Every network and application is designed differently, so it becomes extremely difficult to develop a single generic solution that works for all. To keep pace with ever-changing networks and applications, the IDS must be in sync with them both. IDS must integrate with wireless technologies, removable and mobile devices, and provide support in a comprehensible manner. Evaluation and benchmarking of IDS are important areas of concern for organizational decision makers and end users. Moreover, reconstructing attack scenarios from intrusion alerts and integrating IDS will improve both their usability and performance. We expect IDS to become a practical and effective solution, using both host- and network-based IDS that provide complete defense to information systems.

Last, but not least, by providing a secure infrastructure with both host- and network-based IDS for our esteemed clients at HCL, apprehensions about security vulnerabilities will be mitigated, their confidence boosted, and a win-win atmosphere created for new opportunities.

Author Info

Saumendra Dash, HCL Engineering and R&D Services

Hello, I'm from HCL's Engineering and R&D Services. We enable technology led organizations to go to market with innovative products and solutions. We partner with our customers in building world class products and creating associated solution delivery ecosystems to help bring market leadership. We develop engineering products, solutions and platforms across Aerospace and Defense, Automotive, Consumer Electronics, Software, Online, Industrial Manufacturing, Medical Devices, Networking and Telecom, Office Automation, Semiconductor and Servers & Storage for our customers.

For more details contact: [email protected]
Follow us on twitter: http://twitter.com/hclers
Our blog: http://www.hcltech.com/blogs/engineering-and-rd-services
Visit our website: http://www.hcltech.com/engineering-rd-services

This whitepaper is published by HCL Engineering and R&D Services.

The views and opinions in this article are for informational purposes only and should not be considered as a substitute for professional business advice. The use herein of any trademarks is not an assertion of ownership of such trademarks by HCL nor intended to imply any association between HCL and lawful owners of such trademarks.

For more information about HCL Engineering and R&D Services, please visit http://www.hcltech.com/engineering-rd-services

Copyright © HCL Technologies. All rights reserved.
