A Spy Based Approach for Intrusion Detection
Presented by
PRAVEEN. R

Introduction
Traditional Intrusion Detection Systems offer security to a single host or to a group of interconnected systems in a network. An IDS that protects a single host is called a host-based intrusion detection system, and one that protects an entire network is called a network-based intrusion detection system. The drawback of the host-based IDS is that it is not able to detect new types of attacks on the system. The network-based IDS is difficult to maintain, cannot inspect encrypted packets, and transmitting the log information over the entire network is time-consuming and may produce enormous traffic, which in turn degrades the performance of the whole system. Hence a spy-based intrusion detection system is proposed, which combines the strengths of the two approaches and reduces the disadvantages described above.
Anomaly Intrusion Detection
An anomaly intrusion detection system records users' activities on the system and builds statistical profiles from these records. It treats any activity that differs remarkably from these profiles as an intrusion.
Misuse Intrusion Detection
Misuse intrusion detection treats any activity that follows well-defined intrusion patterns as an intrusion. It may fail to identify any new type of intrusion.
Basic Components:
The spy-based intrusion detection system consists of
- Controller
- Honeypots
- Sensors to connect to the network
- Spy
- Log files
- Tracer
- Database
Controller:
The controller is the central unit of the proposed IDS. It is centralized and runs on a system that may sit next to a personal firewall. The controller is responsible for maintaining information about the intruders in the network. It is connected to the transmission line through the sensor. The controller maintains the list of signatures that may indicate a threat to the network. It also holds information about intruders who were banned or disconnected from the system because of previous intrusion attempts.
Honeypots:
Honeypots are programs that simulate one or more network services that you designate on your computer's ports. An attacker assumes you are running vulnerable services that can be used to break into the machine. A honeypot can be used to log access attempts to those ports, including the attacker's keystrokes. This can give you advance warning of a more concerted attack. In some cases, a honeypot is simply a "box": from the outside it appears vulnerable, while it logs traffic and also analyzes it. Thus, because honeypots appear vulnerable and no legitimate connection should ever be made to them, every connection to the honeypot is treated as suspicious.
Sensors:
The sensors are the physical interface through which the IDS is connected to the network. The sensors are designed to run in promiscuous mode. In promiscuous mode the sensor is transparent to everyone else on the network, and it captures all packets traveling through the network whether or not they are addressed to it. The sensor is controlled by the central controller, which analyses the packets. Thus it acts as a gateway to the network.
Spy:
The spy is a program that runs in a distributed environment over the network. It may be implemented as a thread that travels through the network and periodically contacts the server program. Each client runs part of the security software, which analyses the traffic, looks for suspicious packets, and records an entry about each such packet in the log file. The client program also monitors any change to the system files (e.g. /etc/passwd, /etc/shadow, /etc/hosts/.equiv, .rhosts) and records both the previous value and the updated value of the system file. The spy travels through the network, monitors the log file and detects any anomaly in the local system. It can then inform the server of any possibility that a severe attack is being attempted on the system.
Log file:
The log file is maintained and updated by the client program; it contains information about every suspicious packet and the time at which an intruder attempted to modify a system file.
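The spy's system-file monitoring described above, as an added example that is not part of the original post: it hashes a watched set of files, compares a baseline snapshot against a later one, and records the previous and updated values as log entries. The files and their contents are constructed in a temporary directory; the real /etc paths are not touched.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def snapshot(paths):
    """Record sha256 and content of each watched file that exists (the baseline)."""
    state = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                data = fh.read()
            state[path] = (hashlib.sha256(data).hexdigest(), data)
    return state


def detect_changes(baseline, current, when=None):
    """Compare two snapshots and return log entries that record, as the post
    describes, the previous value and the updated value of each changed file."""
    stamp = (when or datetime.now(timezone.utc)).isoformat()
    entries = []
    for path in sorted(set(baseline) | set(current)):
        old = baseline.get(path)
        new = current.get(path)
        if old is None:
            entries.append({"time": stamp, "file": path, "event": "created",
                            "previous": None, "updated": new[1]})
        elif new is None:
            entries.append({"time": stamp, "file": path, "event": "deleted",
                            "previous": old[1], "updated": None})
        elif old[0] != new[0]:
            entries.append({"time": stamp, "file": path, "event": "modified",
                            "previous": old[1], "updated": new[1]})
    return entries


def demo():
    """Constructed scenario: a fake passwd/shadow pair, then a uid-0 account is appended."""
    with tempfile.TemporaryDirectory() as tmp:
        passwd = os.path.join(tmp, "passwd")
        shadow = os.path.join(tmp, "shadow")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n")
        with open(shadow, "w") as fh:
            fh.write("root:*:19000:0:99999:7:::\n")
        baseline = snapshot([passwd, shadow])
        with open(passwd, "a") as fh:  # the change the spy should catch
            fh.write("eve:x:0:0::/tmp:/bin/sh\n")
        return detect_changes(baseline, snapshot([passwd, shadow]))
```

Storing whole file contents as the "previous value" is only sensible for small configuration files like these; for larger files keep the hash and a diff instead.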
Tracer:
The tracer is the utility used to trace back the intruder of the system. The intruder may conceal information about himself by changing the source IP address field in the packets he transmits. In a ping-sweep attack the intruder may replace the source IP address in the ping-request packet with the IP address of the destination machine itself, so that the ping reply is sent by the destination machine to itself, thereby increasing the traffic in the system. In more severe cases this ping-sweep is amplified by more than one destination machine, which increases the traffic at the end system and causes system failure. The tracer tracks the intruder by backtracking along the path traveled by the packet, which can then allow legal action to be taken against the intruder.
Database:
The database is the repository of information collected from previous attack attempts; it also contains the signatures that must not be allowed to execute in the system. The database thus allows the same attempt to be detected in the future and can be dynamically updated by the spy to include information about any fraudulent attempts made by an intruder.
Structure of the IDS System:
Tracing the intruder in the system:

When the sensor detects an intruder in the system, the information is sent to the target machine, and the target machine is instructed to collect relevant information about the sender of the particular packet. A spy is then sent to propagate through the network looking for similar packets or for the source machine from which these packets arrive. It maintains a list of all the routers it encounters on the path and uses this information to backtrack in case the machine it reaches is a dead end. It may be used together with a collection of similar spies to detect the machine through which it can search for the intruder. The spy may periodically report its status to the controller, which can guide the spies and provide them with sufficient information.
Identifying any threat to the system:
- Buffer overflow attempt
- Executing a root shell
- Attempt to change any system files (e.g. /etc/passwd, /etc/shadow, /etc/hosts/.equiv, .rhosts)
- Any attempt to get the privileges of the super-user (e.g. the su command in a UNIX environment)
- Any DoS or DDoS attacks made on the system
- Any malicious CGI script (e.g. | mail < /etc/passwd)
- Port scanning to find any open port
- Attempt to change the file mode
Implementing the honeypot:
The honeypot can be implemented by deliberately leaving open ports on the network with the intent of trapping the intruder. These ports can be made to support a duplicate shell running on the system. It may pretend to have fake system files such as /etc/passwd. The honeypot can thus be used as a trap to find the intruder. The intruder can be monitored by continuously logging his activity on the server to a file. This reveals which security features he tries to tweak, and so allows the system manager to detect flaws that may be present in the system.
Implementation of Traffic Sniffer:
The traffic sniffer connects to a node in the network and receives the packets traveling through the network. It is connected to the network in promiscuous mode and is therefore transparent to the network. It simply receives the packets and writes a log entry recording the type of packet received, the time of arrival, the source and destination addresses, and whether any threat is noticed in the packet.
It consists of the following modules:
- Sniffing module
- Analysis module
- Decision module
Sniffing module:
The sniffing module is responsible for gathering all the packets traveling in the network. It operates in promiscuous mode and may sit alongside a firewall. It checks whether the incoming packet follows one of the valid protocols, such as TCP, UDP or ICMP. If the packet belongs to one of these protocol structures, it is allowed to travel through the network. Thus it ensures that only valid packets are transmitted in the network. It then forwards the packets to the analysis module.
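As an added example, not code from the post, the following Python sketches the sniffing and analysis steps on constructed packets: it accepts only TCP, UDP and ICMP, builds the log entry the traffic sniffer section describes, and flags the ping-request pattern described under Tracer (a source address set to the destination itself). The IPv4 builder and field layout are this example's assumptions; a real sensor would read frames from a promiscuous-mode socket instead of constructing them.

```python
import socket
import struct
from datetime import datetime, timezone

# Protocols the sniffing module accepts; anything else is not forwarded.
ACCEPTED = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_ipv4(src, dst, proto, payload):
    """Construct a minimal IPv4 packet (20-byte header, checksum left as zero) for the demo."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def inspect(packet, arrival=None):
    """Sniffing + analysis step: validate the protocol and build the log entry
    (type, arrival time, source, destination, threat note). Returns None when
    the packet is not IPv4 or uses a protocol the module does not accept."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    proto = packet[9]
    if proto not in ACCEPTED:
        return None
    ihl = (packet[0] & 0x0F) * 4
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    payload = packet[ihl:]
    threat = None
    # The tracer section's pattern: an ICMP echo request (type 8) whose source
    # address has been set to the destination itself, so the reply loops back.
    if proto == 1 and payload[:1] == b"\x08" and src == dst:
        threat = "ICMP echo request with source address equal to destination"
    return {"time": (arrival or datetime.now(timezone.utc)).isoformat(),
            "protocol": ACCEPTED[proto], "src": src, "dst": dst, "threat": threat}


def demo():
    """Three constructed packets: a normal TCP SYN, a spoofed echo request, a GRE packet."""
    syn = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    packets = [build_ipv4("10.0.0.5", "10.0.0.9", 6, syn),
               build_ipv4("10.0.0.9", "10.0.0.9", 1, echo),
               build_ipv4("10.0.0.5", "10.0.0.9", 47, b"")]
    return [entry for entry in map(inspect, packets) if entry is not None]
```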