Topic: Intrusion Detection System
Sub: Security in Networks and Software Development
Submitted By:
Himanshu Tayal (RA1511020010080)
Shivam Pandita (RA1511020010072)
Himanshu Garg (RA1511020010078)
Yash Umaretiya (RA1511020010080)
An intrusion detection system (IDS) monitors network traffic for suspicious activity and alerts the system or network administrator. In some cases, the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network.
IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. There are IDS that detect by looking for specific signatures of known threats, similar to the way antivirus software typically detects and protects against malware, and there are IDS that detect by comparing traffic patterns against a baseline and looking for anomalies. There are IDS that simply monitor and alert, and there are IDS that perform one or more actions in response to a detected threat. We’ll cover each of these briefly.
Components of Intrusion Detection System:
An Intrusion Detection System comprises a management console and sensors. The management console is the management and reporting console. Sensors are agents that monitor hosts or networks in real time. An Intrusion Detection System has a database of attack signatures. The attack signatures are patterns of different types of previously detected attacks.
When a sensor detects suspicious activity, it matches the suspicious packet against the attack signature database. If it finds a match, the sensor reports the malicious activity to the management console. The sensor can take different actions depending on how it is configured. For example, the sensor can reset the TCP connection by sending a TCP FIN, modify the access control list on the gateway router or the firewall, or send an email notification to the administrator for appropriate action.
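The sensor pipeline just described (match each packet against a signature database, report to the console, take the configured action) as an added example; this is illustrative code written for this page, not any vendor's sensor. The signature database, packet records and the action names are constructed for the example.

```python
import re

# Constructed sample signature database (not a vendor ruleset): protocol,
# destination port (0 = any), payload regex and the configured response.
SIGNATURES = [
    {"sid": 1001, "name": "HTTP directory traversal", "proto": "tcp", "dport": 80,
     "pattern": rb"\.\./\.\./", "action": "reset"},
    {"sid": 1002, "name": "Telnet root login attempt", "proto": "tcp", "dport": 23,
     "pattern": rb"^login:\s*root", "action": "acl"},
]

# Constructed packets as the promiscuous monitoring interface would see them.
PACKETS = [
    {"src": "10.0.0.5", "dst": "192.168.1.10", "proto": "tcp", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1"},
    {"src": "203.0.113.7", "dst": "192.168.1.10", "proto": "tcp", "dport": 80,
     "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.0"},
    {"src": "203.0.113.9", "dst": "192.168.1.20", "proto": "tcp", "dport": 23,
     "payload": b"login: root"},
]

def matches(sig, pkt):
    """Signature match on protocol, destination port and payload pattern."""
    return (sig["proto"] == pkt["proto"]
            and sig["dport"] in (0, pkt["dport"])
            and re.search(sig["pattern"], pkt["payload"]) is not None)

def respond(sig, pkt):
    """Turn the configured action into the response the sensor would take."""
    if sig["action"] == "reset":
        return f"reset TCP {pkt['src']}->{pkt['dst']}:{pkt['dport']}"
    if sig["action"] == "acl":
        return f"add deny {pkt['src']} to gateway ACL"
    return "alert only"   # email notification etc. would be handled the same way

def run_sensor(packets, signatures):
    """Return one event per matching (packet, signature) for the console."""
    events = []
    for pkt in packets:
        for sig in signatures:
            if matches(sig, pkt):
                events.append({"sid": sig["sid"], "name": sig["name"],
                               "src": pkt["src"], "response": respond(sig, pkt)})
    return events

if __name__ == "__main__":
    for event in run_sensor(PACKETS, SIGNATURES):
        print(event)
```

The benign first packet produces no event, which is the behaviour to check when tuning a new signature: a rule that fires on normal traffic is a false positive source.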
Types of Intrusion Detection Systems:
There are broadly two types of Intrusion Detection Systems: host based Intrusion Detection Systems and network based Intrusion Detection Systems. A host based Intrusion Detection System has only host based sensors, and a network based Intrusion Detection System has network based sensors, as explained in Picture 1 below. As shown in Picture 1, a network based IDS sensor has two interfaces. One interface is manageable: the IDS management console communicates with the sensor through this management interface. The other interface of the IDS is in promiscuous (listening) mode. This interface cannot be accessed over the network and is not manageable. The monitoring interface is connected to the network segment being monitored. The sensor examines every packet that crosses the network segment. Network based sensors apply predefined attack signatures to each frame to identify hostile traffic; if a frame matches any signature, the sensor notifies the management console. Some vendors offer network based sensors running on a workstation; others offer sensor appliances with a proprietary operating system and sensor software.
In Picture 1, the dotted line interface on each network based IDS sensor (shown as NIDS) is the management interface and the thick line interface is the monitoring interface. As shown, the management interface connects to the management VLAN (VLAN0). The management console is also installed in the management VLAN in this example. The management console could be connected to any other VLAN, but it must be able to communicate with the VLANs to which the management interfaces of the network based IDS sensors are connected. It is recommended to connect the management interfaces of the NIDS and the management console to the same VLAN.
Host based Intrusion Detection Systems, on the other hand, run on the hosts themselves. The host based sensor is software running on the host being protected. It monitors system audit and event logs. When any of these files change, the IDS sensor compares the new log entry with attack signatures to see if there is a match. If a match is found, the sensor notifies the management console. Host based sensors do not do any packet level analysis. Instead, they monitor system level activities. For example: an unauthorized user (other than the administrator) changing registry files on a Windows NT system, or changing the /etc/passwd or /etc/shadow file on a Unix system; or a user trying to log in at 7:00 pm although he or she is allowed to log in only between 9:00 am and 5:00 pm.
Host based sensors monitor these kinds of activities and, if they find any anomaly, respond with administrator alerts. Host based IDS have grown over the years. Some host based IDS products check key system files and executables via checksums at regular intervals for unexpected changes. Some products listen for port based activity and alert administrators when specific ports are accessed.
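Two of the host based checks described above, periodic checksums of key files and a login time policy, as an added example written for this page (not taken from any HIDS product). The file names, contents, user and allowed hours are constructed; the stand-in files live in a temporary directory rather than /etc.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_file_baseline(paths):
    """Record checksums of key files while they are trusted (the baseline)."""
    return {p: sha256_file(p) for p in paths}

def check_file_baseline(baseline):
    """Re-hash every file and return those whose checksum changed or vanished."""
    changed = []
    for path, digest in baseline.items():
        current = sha256_file(path) if os.path.exists(path) else None
        if current != digest:
            changed.append(path)
    return changed

def check_login(user, hour, policy):
    """Flag a logon outside the user's allowed window (hours, 24h clock)."""
    start, end = policy.get(user, (0, 24))    # no policy = always allowed
    if start <= hour < end:
        return None
    return f"{user} logged in at {hour:02d}:00, allowed {start:02d}:00-{end:02d}:00"

def demo():
    """Stand-ins for /etc/passwd and /etc/shadow in a temp dir (constructed)."""
    d = tempfile.mkdtemp()
    passwd, shadow = os.path.join(d, "passwd"), os.path.join(d, "shadow")
    for path, data in ((passwd, b"root:x:0:0::/root:/bin/sh\n"), (shadow, b"root:*:0:::\n")):
        with open(path, "wb") as f:
            f.write(data)
    baseline = build_file_baseline([passwd, shadow])
    with open(passwd, "ab") as f:    # simulated change outside the admin's control
        f.write(b"guest:x:1001:1001::/home/guest:/bin/sh\n")
    changed = [os.path.basename(p) for p in check_file_baseline(baseline)]
    return changed, check_login("bob", 19, {"bob": (9, 17)})

if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline itself must be stored where the monitored host cannot rewrite it (for example on the management console), otherwise the same tampering that changes the file can change its recorded checksum.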
Network Intrusion Detection Systems are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. Ideally, you would scan all inbound and outbound traffic; however, doing so might create a bottleneck that would impair the overall speed of the network.
Host Intrusion Detection Systems run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets of that device only and alerts the user or administrator if suspicious activity is detected.
A signature-based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time, your IDS would be unable to detect the new threat.
An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. The baseline identifies what is “normal” for that network (what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other) and the IDS alerts the administrator or user when traffic is detected which is anomalous, or significantly different from the baseline.
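A minimal anomaly based check in the sense described above, as an added example written for this page and not drawn from any product: a baseline of traffic volume and ports seen during a period treated as normal, against which later windows are scored. The training windows, threshold and the scored windows are constructed sample data.

```python
import statistics

# Constructed training window: bytes and destination ports seen from one host
# per interval during a period considered "normal" (assumed sample data).
NORMAL = [
    {"bytes": 12_000, "ports": {80, 443}},
    {"bytes": 15_500, "ports": {80, 443, 53}},
    {"bytes": 11_200, "ports": {443}},
    {"bytes": 14_800, "ports": {80, 443, 53}},
    {"bytes": 13_100, "ports": {80, 443}},
]

def build_traffic_baseline(windows):
    """Summarise what is normal: mean/stdev of bytes and the set of ports used."""
    volumes = [w["bytes"] for w in windows]
    ports = set().union(*(w["ports"] for w in windows))
    return {"mean": statistics.mean(volumes),
            "stdev": statistics.stdev(volumes),
            "ports": ports}

def score_window(window, baseline, z_threshold=3.0):
    """Return anomaly reasons for one interval; an empty list means normal."""
    reasons = []
    z = (window["bytes"] - baseline["mean"]) / baseline["stdev"]
    if abs(z) > z_threshold:
        reasons.append(f"volume z-score {z:.1f} exceeds {z_threshold}")
    new_ports = window["ports"] - baseline["ports"]
    if new_ports:
        reasons.append(f"never-seen ports {sorted(new_ports)}")
    return reasons

if __name__ == "__main__":
    base = build_traffic_baseline(NORMAL)
    print(score_window({"bytes": 95_000, "ports": {80, 445, 3389}}, base))
```

The threshold is the tuning knob the text refers to: set it too low and ordinary variation raises alerts, set it too high and only gross deviations are caught.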
A passive IDS simply detects and alerts. When suspicious or malicious traffic is detected an alert is generated and sent to the administrator or user and it is up to them to take action to block the activity or respond in some way.
A reactive IDS will not only detect suspicious or malicious traffic and alert the administrator but will take pre-defined proactive actions to respond to the threat. Typically this means blocking any further network traffic from the source IP address or user.
One of the most well known and widely used intrusion detection systems is the open source, freely available Snort. It is available for a number of platforms and operating systems including both Linux and Windows. Snort has a large and loyal following and there are many resources available on the Internet where you can acquire signatures to implement to detect the latest threats.
There is a fine line between a firewall and an IDS. There is also a technology called IPS – Intrusion Prevention System. An IPS is essentially a firewall which combines network-level and application-level filtering with a reactive IDS to proactively protect the network. It seems that as time goes on firewalls, IDS and IPS take on more attributes from each other and blur the line even more.
Essentially, your firewall is your first line of perimeter defence. Best practices recommend that your firewall be explicitly configured to DENY all incoming traffic and then you open up holes where necessary. You may need to open up port 80 to host websites or port 21 to host an FTP file server. Each of these holes may be necessary from one standpoint, but they also represent possible vectors for malicious traffic to enter your network rather than being blocked by the firewall.
That is where your IDS comes in. Whether you implement a NIDS across the entire network or a HIDS on a specific device, the IDS will monitor the inbound and outbound traffic and identify suspicious or malicious traffic which may have bypassed your firewall or may be originating from inside your network.
An IDS can be a great tool for proactively monitoring and protecting your network from malicious activity; however, IDS are also prone to false alarms. With just about any IDS solution you implement, you will need to “tune it” when it is first installed. The IDS must be properly configured to recognize what is normal traffic on your network versus what might be malicious traffic, and you, or the administrators responsible for responding to IDS alerts, need to understand what the alerts mean and how to respond effectively.
Advantages of Network based Intrusion Detection Systems:
1. Lower Cost of Ownership: Network based IDS can be deployed for each network segment. An IDS monitors network traffic destined for all the systems in a network segment. This removes the need to load software on each host in the network segment, which reduces management overhead, as there is no need to maintain sensor software at the host level.
2. Easier to deploy: Network based IDS are easier to deploy as they do not affect existing systems or infrastructure. Network based IDS systems are operating system independent. A network based IDS sensor will listen for all the attacks on a network segment regardless of the type of operating system the target host is
3. Detect network based attacks: Network based IDS sensors can detect attacks which host based sensors fail to detect. A network based IDS checks all packet headers for signs of attack. Many IP-based denial of service attacks, such as TCP SYN attacks and fragmented packet attacks, can be identified only by looking at the packet headers as they travel across the network. A network based IDS sensor can quickly detect this type of attack by examining the contents of the packets in real time.
4. Retaining evidence: A network based IDS uses live network traffic and performs real time intrusion detection. Therefore, the attacker cannot remove evidence of the attack. This data can be used for forensic analysis. A host based sensor, on the other hand, detects attacks by looking at the system log files. Many attackers are capable of changing the log files so as to remove any evidence of an attack.
5. Real time detection and quick response: A network based IDS monitors traffic in real time, so it can detect malicious activity as it occurs. Depending on how the sensor is configured, such attacks can be stopped even before they reach a host and compromise the system. Host based systems, on the other hand, detect attacks by looking at changes made to system files. By that time, critical systems may already have been compromised.
6. Detection of failed attacks: A network based IDS sensor deployed outside the firewall (as shown in Picture 1 above) can detect malicious attacks on resources behind the firewall, even though the firewall may be rejecting these attempts. This information can be very useful for forensic analysis. Host based sensors do not see rejected attacks that never reach a host inside the firewall.
Advantages of Host based Intrusion Detection Systems:
1. Verifies success or failure of an attack: Since a host based IDS uses system logs containing events that have actually occurred, it can determine whether an attack occurred or not with greater accuracy and fewer false positives than a network based system. Network based IDS sensors, although quicker in response than host based IDS sensors, generate a lot of false positives because they detect malicious packets in real time and some of these packets could be from a trusted
2. Monitors system activities: A host based IDS sensor monitors user and file access activity, including file accesses, changes to file permissions, attempts to install new executables, etc. A host based IDS sensor can also monitor all user logon and logoff activity, user activities while connected to the network, file system changes, and activities that are normally executed only by an administrator. Operating systems log any event where user accounts are added, deleted or modified. The host based IDS can detect an improper change as soon as it is executed. A network based system cannot give such detailed information about system activities.