Intrusion Detection Systems - Coursework Example

Summary
"Intrusion Detection Systems" paper argues that attacks on computer infrastructures are a growing problem. To minimize this problem, an IDS can help in a considerable manner. The best way to decide which IDS is best for a network is to deploy it on the network and run simulations. …

Intrusion Detection Systems

Introduction

The advent of the Internet has drastically changed lifestyles. This change has affected individuals and businesses alike. Corporations depend on the Internet for the successful completion of various business activities. Electronic business, also known as E-Commerce, is the latest revolution on the Internet; it allows companies to exploit the power of the Internet to boost their sales, and it allows users to buy goods from the comfort of their own home. It provides innumerable benefits to businesses: it broadens the customer base, gives products healthy brand equity, and spreads the roots and reach of a company, to name a few; these directly have a positive impact on a company's return on investment. Apart from the Internet, the availability of commodity-priced IT systems, high-speed and affordable communications infrastructure, and ever-increasing research and development in computer languages have swelled the utilization of networked computing power in the form of Intranets and Extranets. However, IT-based operation is no panacea. As dependence on the Internet increases, so do the pertinent risks that computer criminals pose to the profitability of a business. Scott Barman, a professional in corporate IT security, states that "Hardly a week passes without hearing about a new virus, worm, or Trojan Horse that infects networks of computers" (Barman, 2001). There are various ways in which security can be assured in a network of computers. One of the classical approaches to the issue of security, followed for a long time, is the use of Intrusion Detection Systems (IDS).

Intrusion Detection Systems

"Intrusion Detection Systems (IDS) look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent" (Laing, 2000). Intrusion detection systems are an important component of the defensive measures protecting computer systems and networks from abuse.

According to John McHugh of Carnegie Mellon's CERT, "Although intrusion detection technology is immature and cannot be considered a complete defense, it plays a very significant role in the overall security architecture" (McHugh et al., 2000). The concept of intrusion detection has been the focus of research for quite a few years now, and various models of intrusion detection have been developed. However, all of these detection mechanisms fall under two major categories: Host-Based Intrusion Detection Systems (HIDS) and Network-Based Intrusion Detection Systems (NIDS). Each technique has a distinct approach to monitoring and securing data, and each has distinct advantages and disadvantages. Both techniques are explained briefly in the following sections.

Host-Based Intrusion Detection System

As the name implies, a HIDS runs on a host in a network of connected systems. In this context a host is any system that acts as a provider of services to the other systems; a typical example of a host is a web server. HIDS programs are highly effective for detecting insider abuse. Residing on the trusted network systems themselves, they are close to the network's authenticated users (Innella & McMillan, 2001). Some existing HIDS data sources include Windows NT/2000 Security Event Logs, RDBMS audit sources, enterprise management system audit data (such as Tivoli), and UNIX syslog in its raw form or in secure forms such as Solaris BSM; host-based commercial products include RealSecure, ITA, Squire and Entercept (Innella & McMillan, 2001). The general schematic of a HIDS is shown below.

Figure: HIDS Implementation (windowssecurity.com, 2006)

Network-Based Intrusion Detection System

As opposed to a HIDS, a NIDS monitors the packets travelling across the entire network rather than those reaching a single host. A NIDS is best described as a standalone appliance with network intrusion detection capabilities. Alternatively, a NIDS can be a software package installed on a dedicated workstation connected to the network, or a device with the software embedded that is likewise connected to the network. The NIDS then scans any traffic transmitted over that segment of the network; it functions in much the same way as high-end anti-virus applications, using a signature or pattern file and comparing each transmitted packet against the patterns in that file (Magalhaes, 2006). Shadow, Snort, Dragon, NFR, RealSecure and NetProwler are some of the prominent examples of NIDS. The general schematic of a NIDS implementation is shown below.

Figure: NIDS Implementation (windowssecurity.com, 2006)

Benchmarking Intrusion Detection Systems

As with any other technology, benchmarking an IDS is extremely challenging, with numerous possibilities for error. Whether accidentally or deliberately, there are numerous ways in which the benchmarking process can be carried out wrongly. According to Roy Maxion, "To measure is to appraise by a certain standard or rule, or by comparison with something else; to ascertain the different dimensions of a body; to gauge the abilities or character of; to estimate the amount, duration, value, etc. of something by comparison with some standard; a standard; a criterion or a test" (Maxion, 1998). Measuring or benchmarking a system allows us to characterize it, evaluate its performance levels, predict trends and improve any inefficiencies found. There are various standards against which an IDS can be benchmarked. However, the primary criterion for measurement is the ability to detect intrusions. The secondary criteria are false positives, false negatives and performance impact. The Software Engineering Institute of Carnegie Mellon University maintains one of the most comprehensive databases for benchmarking ID systems.
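The following is an added example, not code from the coursework or from any of the products it names. It shows the two ideas just described in working form: a signature-matching detector of the kind the NIDS section describes (each packet compared against a pattern file), scored against labelled traffic using the primary criterion (detection rate) and the secondary ones (false positives and false negatives). All signatures, packets, addresses and ground-truth labels are constructed for illustration. It also goes one step beyond the text: the corpus contains an attack split across two fragments, and the same scorecard is computed before and after per-flow reassembly, which is why a benchmark needs fragmentation test cases.

```python
"""Toy signature-based NIDS plus an IDS scorecard (detection rate, false positives,
false negatives). Every signature, packet and ground-truth label here is constructed
for illustration and is not taken from any real rule set or capture."""
import re
from dataclasses import dataclass

# Constructed attack signatures: name -> byte pattern searched for in each payload.
SIGNATURES = {
    "web-cgi-traversal": re.compile(rb"\.\./\.\./"),
    "shell-path-in-request": re.compile(rb"(?i)/bin/sh"),
    "sql-tautology": re.compile(rb"(?i)'\s*or\s+'?1'?\s*=\s*'?1"),
}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    is_attack: bool  # ground-truth label carried by the constructed test corpus


def match_signatures(payload: bytes) -> list:
    """Return the names of all signatures whose pattern occurs in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]


def reassemble(packets):
    """Concatenate payloads per flow (src, dst, dport) in arrival order, so a
    pattern split across fragments becomes visible to the matcher again."""
    flows = {}
    for p in packets:
        key = (p.src, p.dst, p.dport)
        if key in flows:
            prev = flows[key]
            flows[key] = Packet(p.src, p.dst, p.dport,
                                prev.payload + p.payload,
                                prev.is_attack or p.is_attack)
        else:
            flows[key] = Packet(p.src, p.dst, p.dport, p.payload, p.is_attack)
    return list(flows.values())


def score(packets) -> dict:
    """Scorecard: compare alerts against ground truth and derive the primary
    criterion (detection rate) and the secondary ones (false positives/negatives)."""
    tp = fp = fn = tn = 0
    for p in packets:
        alerted = bool(match_signatures(p.payload))
        if alerted and p.is_attack:
            tp += 1
        elif alerted:
            fp += 1
        elif p.is_attack:
            fn += 1
        else:
            tn += 1
    attacks, benign = tp + fn, fp + tn
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "detection_rate": tp / attacks if attacks else 0.0,
        "false_positive_rate": fp / benign if benign else 0.0,
    }


# Constructed test corpus standing in for the recorded attack and normal traffic
# that a simulation network would replay at the sensor.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n", False),
    Packet("10.0.0.6", "10.0.0.80", 80,
           b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n", True),
    Packet("10.0.0.7", "10.0.0.80", 80,
           b"POST /login HTTP/1.1\r\n\r\nuser=admin&pass=' or '1'='1", True),
    # Benign documentation lookup that happens to contain a signature string:
    # the detector raises an alert here, which counts as a false positive.
    Packet("10.0.0.8", "10.0.0.80", 80,
           b"GET /docs/unix-shells.html?q=/bin/sh HTTP/1.1\r\n\r\n", False),
    # The traversal attack again, split over two fragments of one flow. Neither
    # fragment alone contains "../../", so per-packet matching misses both.
    Packet("10.0.0.9", "10.0.0.80", 80, b"GET /cgi-bin/../", True),
    Packet("10.0.0.9", "10.0.0.80", 80, b"../etc/passwd HTTP/1.0\r\n\r\n", True),
]


if __name__ == "__main__":
    print("per-packet matching:   ", score(SAMPLE_TRAFFIC))
    print("after flow reassembly: ", score(reassemble(SAMPLE_TRAFFIC)))
```

Run as a script it prints both scorecards: per-packet matching detects 2 of 4 attack packets (detection rate 0.5) with one false positive, while matching on reassembled flows detects all three attacks with the same false positive. The point for benchmarking is that a detection-rate figure is only meaningful alongside the traffic mix it was measured on, including evasion cases such as fragmentation.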
Another study, by Fink, Chappell, Turner and Donoghue, uses scorecard metrics to benchmark intrusion detection systems. According to the researchers, "The centerpiece of our testing and evaluation methodology is a 'scorecard' containing the set of general metrics and their definitions. The metrics are general characteristics that we deemed relevant to any IDS. The metrics have been divided into three classes: Logistical (class 1), Architectural (class 2) and Performance (class 3)" (Fink et al., 2002). At the University of California, Santa Barbara, three intrusion detection systems were evaluated against each other. The IDSs chosen were among the most prominent existing today: Snort, RealSecure and Bro. The results can be found online at the UCSB computer science department website (UCSB, nd). Finally, Marcus Ranum provides one of the most effective simulation networks for evaluating a NIDS. The schematic of the simulation is shown below.

Figure: Simulation for IDS Evaluation (Marcus Ranum, nd)

In this simulation, the NIDS is part of the test network, and a control monitor records attack and normal traffic. The control monitor also replays the recorded packets back onto the network. This way the effectiveness of a NIDS can be tested simply by swapping one NIDS for another and running the simulation again.

Some Beneficial Tools

Some freely available tools help in simulating the setup for evaluating an IDS. Whisker, for example, is a tool that can be used to generate out-of-sequence packets; with it, an IDS can be tested for whether it detects out-of-sequence packets, which is an important criterion for its success. Pcap is another tool that can be used to generate packets according to a certain time sequence; with it, an IDS can be tested for whether it can block traffic based on the time of day. Fragrouter is another tool that can be used to generate fragmented packets. Many such tools, together with a simulation network, can be used to benchmark ID systems.

Conclusion

Intrusion detection has been an active field of research for about two decades, and several hybrid versions of ID systems are being developed to secure real-time, large-scale networks. Attacks on computer infrastructures are a growing problem in every nation. To minimize this problem, an IDS can help in a considerable manner. The best way to decide which IDS is best for a particular network is to actually deploy it on the network and run simulations.

References

Scott Barman (2001), "Creating an Information Security Policy", Pearson Education Press, SAMS Publishing.
Brian Laing (2000), "Implementing a Network-Based Intrusion Detection System", Internet Security Systems Press.
John McHugh, Alan Christie & Julia Allen (2000), "The Role of Intrusion Detection Systems", CERT Coordination Center.
Paul Innella, Oba McMillan (2001), "An Introduction to Intrusion Detection Systems", Tetrad Digital Integrity, found at: http://www.securityfocus.com/infocus/1520 [Online Source].
Ricky Magalhaes (2006), "Host Based IDS vs Network Based IDS", found at: http://www.windowsecurity.com/articles/Hids_vs_Nids_Part1.html [Online Source].
Roy Maxion (1998), "Measuring Intrusion Detection Systems", presented at RAID-98.
Fink, Chappell, Turner and Donoghue (2002), "A Metrics Based Approach to Intrusion Detection System Evaluation", Information Transfer Technology Group, Naval Surface Warfare Center.
UCSB (nd), "Project on: Evaluating Intrusion Detection Systems", found at: http://www.cs.ucsb.edu/~kemm/courses/CS595/TestingIDSs/ [Online Source].