Tuesday, October 22, 2019
Intrusion Detection Systems Essays
Intrusion Detection Systems Essays Intrusion Detection Systems Paper Intrusion Detection Systems Paper Intrusion Detection Systems In 1980, James Andersonââ¬â¢s paper, Computer Security Threat Monitoring and Surveillance, bore the notion of intrusion detection. Through government funding and serious corporate interest allowed for intrusion detection systems(IDS) to develope into their current state. So what exactly is IDS? An IDS is used to detect malicious network traffic and computer usage through attack signatures. The IDS watches for attacks not only from incoming internet traffic but also for attacks that originate in the system. When a potential attack is detected the IDS logs the information and sends an alert to the console. How the alert is detected and handled at is dependent on the type of IDS in place. Through this paper we will discuss the different types of IDS and how they detect and handle the alerts, the difference between a passive and a reactive system and some general IDS intrusion invasion techniques. First lets go over what the difference is between a passive and a reactive IDS. In a passive IDS the sensor of detects an potential threat then logs the information and sends an alert to the console. With a reactive IDS, also known as an intrusion prevention system(IPS), the threat would be detected and logged. Then the reactive IDS would either reset the connection or reprogram the firewall to block network traffic from the suspected source, which could be automatic or at the control of an operator. Therefore a reactive system will act in response to the threat were as a passive system will only log and send an alert to the console informing the operator of a threat. There are many types of intrusion detection systems, network intrusion detection, host based, protocol based, application protocol based, anomaly based and hybrid. The first one we are going to discus is network intrusion detection systems or NIDS. With NIDS the system attempts to detect threats and attacks, such as denial of service attacks, port scans and attempts to hack into computers by monitoring the network traffic in real time through a promiscuous connection. It does so by first filtering out all known non-malicious traffic and then analyzing the remaining incoming packets for suspicious patterns that could be threats. It is not however limited to just analyzing incoming packets, the system also analyzes the outgoing local traffic, in case of an attack/threat that originates inside of the local network. Snort is an example of this. Host based intrusion detection systems unlike network intrusion detection systems, which focus on a computing systemââ¬â¢s external interfaces, host based systems focus on the monitoring and examination of the computing systemââ¬â¢s internals. Host based systems are more concerned with the changes in state of a computing system. It detects these changes by analyzing system specific logs either in real time or periodically. When there is any change in the logs the IDS will compare the current configuration of the security policy to the changes and react accordingly. An example of this would be tripwire. Protocol based intrusion detection systems (PIDS) monitor the dynamic behavior and state of the protocol. In a typical setup there is a system or agent sitting at the front end of the server. This agent or system monitors the communication protocol between the computing system, it is trying to protect, and a connected device. The main goal of protocol based IDS is to impose the proper use of the protocol used between the protected computing system and all connected devices. Bro and sort are examples of protocol based intrusion detection systems. Application protocol based intrusion detection systems (APIDS) are used to monitor the protocols specific to certain applications and protocols being used by the computing system. The typical setup, similar to protocol based IDS, consists of a system or agent that sits in front of a group of servers where it will monitor and analyze the communication protocols specific to applications. An example would be to have an APIDS between a web server and a database system where the APIDS monitors the SQL protocol being used between them. Anomaly based intrusion detection systems detect attacks and threats through the monitoring of system activity and classifying it based on heuristic or rules instead of patterns and signatures. The IDS classifies activity as either normal or anomalous based on its analysis. Since the classification is determined by heuristic or rules it has a significant advantage over systems that use signatures. In signature based detection the signature has to have been previously created where in anomaly based any type of use that doesnââ¬â¢t coincide with the normal use of the system will be detected malicious or not. Snort is an example of this type of system. Hybrid intrusion detection systems consist of a combination of one or more approaches to intrusion detection systems. Typically you would use a host based IDS and a network IDS to develop an extensive overview of the entire network. The biggest benefit that a hybrid IDS has over any single type of IDS is the large amount of sensors it has to detect malicious activity. Prelude is an example of an hybrid IDS. As with any other type of security device there will always be some one looking for holes in the fence. Intrusion detection systems are no different. Through many intrusion invasion techniques people are able to avoid detection by changing the states of the IDS and the targeted computing system by manipulating the attack or the network traffic that contains the attack. Some of the techniques we will cover in this paper are obfuscating attack payload fragmentation and small packets, overlapping fragments, protocol violations, inserting traffic at the IDS, denial of service. Obfuscating attack payload is simply what it means, which is to encode the attack so that the IDS will be unable to reverse the packets but the target computer can. A way to do this is through encoding attack packets with a Unicode character in which an IDS recognize but an IIS server will be able decode thus being attacked. You can also use polymorphic code in so that you can trick signature-based IDSs by creating unique attack patterns so there is not a distinct attack signature that can be easily detected. Another technique used to evade IDS is through fragmentation and small packets. With this technique you simply just split the packets up into smaller packets or create packets with a small payload also known as ââ¬Ësession splicingââ¬â¢. Although small packets alone, will not be enough to evade an IDS with a packet reassembler. Hope is not lost though you can still modify the packets to complicate reassembly. One way to confuse the reassembler is to pause between sending parts of the attack in hope that the reassembler will time out but not the target computer. Another way is to send the packets out of order so that the reasssembler gets confused but the target computer does not. An IDS evasion technique, known as overlapping fragments, uses TCP sequence numbers to confuse the IDS. It basically creates a series of packets with TCP sequence numbers configured to overlap. So for example you send the first packet that includes 80 bytes you then send the second packet with a sequence number of 76 bytes after the start of the first packet. The target computer, when it tries to reassemble the TCP stream, has to decide how to handle the 4 bytes that overlapping. Some systems take it from the older data and some from the newer data, it is dependent on the operating system of the target computer. Protocol violations are another technique of IDS intrusion invasion. Using protocol violations you simply exploit known violations to a protocol that will be interpreted differently by the IDS than by the target computer. An example of this would be to use the TCP Urgent Pointer that is handled differently by different operating systems and the IDS may not handle it correctly. Another evasion technique is inserting traffic at the IDS. This is where you send packets that the IDS will see but the target computer will not. This is accomplished by simply crafting packets whose time to live fields have been configured to reach the IDS but not the target computer. This creates a situation where the IDS is in a different state than the target computer. Denial of service attacks or DoS attacks, are used to evade detection by overloading and disabling the IDS. To achieve this the attack will exploit a known bug in the IDS using up computational resources needed by the IDS. This can also be accomplished by intentional generating a large number of alerts to set up a front to hide the real attack. Utilities such as stick and snot are designed to send a large amount of attack signatures across a network to spawn a large number of IDS alerts. However this will only work on IDSs that do not maintain application protocol context. As you can see with the numerous ways around intrusion detection systems, as with any network security system, there is no complete security solution. Even with this there will always be a need for intrusion detection systems. The best of which would be a combination of network and host based IDSs, in other words a hybrid IDS. These will give you the benefits of both worlds of IDS and allow for greater security. Whatever your opinion on which solution is right for you, intrusion detection systems are here to stay and are a valuable tool in network security. Resources securityfocus. com/infocus/1514
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.