Sachet - A Distributed Real-time Network-based Intrusion Detection System
#1


While the increased inter-connectivity of computer networks has brought a lot of benefits to people, it has also rendered networked systems vulnerable to malicious attacks from hackers. The failure of intrusion prevention techniques to adequately secure computer systems has led to the growth of Intrusion Detection Systems. In this thesis, we have designed and implemented a distributed, network-based intrusion detection system - Sachet. Sachet is a Hindi word which means "Alert". The system uses an existing open source network-based misuse detection system - Snort. We have built upon Snort to develop a heterogeneous, scalable, distributed IDS that is completely controllable from a central location. Sachet comprises multiple agents that use Snort for misuse detection, a central server that stores all alerts and controls the agents, and a console for monitoring and viewing the activities of the entire Sachet system by the system administrator. The agents and server communicate using the Sachet protocol, which ensures reliability, mutual authentication, confidentiality and integrity, and provides tolerance of agent and server crashes.
#2

Introduction
The widespread proliferation of computer networks has resulted in an increase of attacks on information systems. These attacks are used for illegally gaining access to unauthorized information, misuse of information, or to reduce the availability of the information to authorized users. This results in huge financial losses to companies, besides losing their goodwill with customers as their information services are severely disrupted. These attacks are increasing at a staggering rate and so is their complexity. Thus there is a need for complete protection of organizational computing resources, which is driving the attention of people towards intrusion prevention and detection systems.
We can effectively protect computer systems if we use three fundamental techniques against intrusions: prevention, detection and response. Earlier, intrusion prevention was widely considered as a complete and sufficient protection against intrusions. Such preventive measures include user authentication (using passwords or biometrics), fencing around the network using firewalls, very tight access control mechanisms, avoiding programming errors, etc. But, unfortunately, these measures are not sufficient for adequately protecting a computer system, for many reasons. There will always be unknown programming flaws, design and architectural weaknesses in application programs, protocols and operating systems which can be exploited by an attacker. The abuse of privileges by insiders (usually disgruntled employees) to gain unauthorized access, the failure of firewalls to prevent many attacks such as dictionary attacks and probes, and the cracking of passwords are some of the other reasons that make preventive measures insufficient to protect computer systems. Hence, intrusion prevention is not a complete solution. If there are inevitable attacks on a system, we would like to detect them as soon as possible (preferably in real time) and take appropriate action. Moreover, it should be possible to trace an attack to its source and assess the extent of damage. The capability that provides these special features is known as intrusion detection. Intrusion detection tools are not preventive devices, but they should be used as a second line of defense. Hence, they complement the protective mechanisms to improve system security.
1.1 What is an Intrusion Detection System?
An intrusion is defined as "any set of actions that attempt to compromise the integrity, confidentiality, or availability of a computer resource" [6]. The definition disregards the success or failure of those actions, so it corresponds to attacks against computer systems. Accordingly, intrusion detection is defined as "the problem of identifying actions that attempt to compromise the integrity, confidentiality, or availability of a computer resource" [6]. Hence, an intrusion detection system (IDS) is a piece of software that monitors a computer system to detect any intrusions and alerts a designated authority.
Intrusion detection systems can be classified in several ways. Depending on the source of data, intrusion detection systems are categorized into host-based or network-based systems. Network-based intrusion detection systems process the data that originates on the network, such as TCP/IP traffic. Malformed packets, packet flooding and probes are some of the attacks which can be detected by such systems. Host-based intrusion detection systems analyze the data that originates on computers (hosts), such as application and operating system event logs and system call traces. Such systems are effective for insider threats. Abuse of privileges by insiders and accesses to critical data are some of the attacks which can be detected by these systems.
Intrusion detection systems can also be classified, depending on the detection model used, into misuse or anomaly detection models. Misuse detection systems look for well-defined patterns of known attacks. The known attacks are represented as patterns or signatures. Misuse detection is, therefore, simply a problem of matching patterns of attack in the given source of data. Such systems detect patterns of known attacks quite accurately and efficiently, and generate very few false alarms. The limitation of misuse detection is that it cannot detect novel, unknown attacks or variations of known attacks. In addition, misuse detection requires the nature of attacks to be well understood. This implies that human experts must work on the analysis and representation of attacks, which is usually time consuming and error prone. Anomaly detection is based on the normal behavior of the subject (e.g., a user, program or system). Any action that significantly deviates from the normal behavior is considered intrusive. Such systems build a statistical or machine learning model of the normal behavior of the subject. The model is basically a list of metrics or patterns that capture the normal profile. The system flags an intrusion if any observed metrics or patterns of given behavior significantly deviate from the model. Such systems can detect previously unknown patterns of attacks but usually generate many false positives (normal behavior classified as intrusive). Another common problem is that, since a subject's normal behavior is modeled on the basis of the audit data over a period of normal operation, if undiscovered intrusive activities occur during this period, they will be considered as normal activities.
Intrusion detection systems can also be classified by their mode of operation: real-time or off-line. A real-time IDS monitors the system continuously and reports intrusions as soon as they are detected. Such systems can substantially reduce the damage to the system if the system administrator can be notified as early as possible. Moreover, there is a great chance of stopping an attack currently in progress and catching the intruder, as the intruder would not get much time to delete his trail (e.g., by erasing logs). An off-line IDS inspects system logs at periodic intervals and then discovers any suspicious activity that was recorded. Such systems are very effective in correlating attacks that span multiple hosts, slow probing attacks that span hours and days, and for forensic analysis. An off-line IDS typically reduces system overhead but gives much less timely notification of intrusions.
Lastly, intrusion detection systems can be categorized based on their architecture. The most common IDS architectures are centralized, hierarchical or distributed systems. In a centralized IDS, the data may be collected from various sources (hosts or networks) but is sent to a centralized location where it is analyzed. Such systems limit scalability, as the central location could become a bottleneck with an increasing number of sources, and also represent a single point of vulnerability. In a hierarchical IDS, some of the data collected from multiple hosts or a single host is passed up through the layers and is analyzed to a varying degree at each level. In a distributed IDS, the data is collected and analyzed across the entire network being monitored and the results are then sent to a centralized location. Such systems are scalable and not subject to a single point of failure.
1.2 Desirable characteristics of an intrusion detection system
Crosbie and Spafford [3] define the following desirable characteristics of an intrusion detection system:
• It must run continually with minimal human supervision.
• It must be fault tolerant by being able to recover from accidental system crashes and re-initializations.
• It must resist subversion. The intrusion detection system must be able to monitor itself and detect if it has been attacked or modified by an attacker.
• It must impose a minimal overhead on the system where it is running, to avoid interfering with the system's normal operation.
• It must be scalable to monitor a large number of hosts while providing results accurately and without degradation of performance.
• It must provide graceful degradation of service. The failure of any component of the intrusion detection system should not immediately fail the entire system.
• It must allow dynamic reconfiguration, allowing the system administrator to make changes in its configuration without restarting the whole intrusion detection system.
While building a new intrusion detection system, the above characteristics of an IDS should always be kept in mind. It would not be easy to include all the characteristics, as there will always exist some trade-offs between them.
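Added illustration, not part of the thesis or the forum post: a minimal Python sketch of the two detection models described in section 1.1 above. It shows signature matching (misuse detection) missing a novel request, and a statistical rate profile (anomaly detection) whose baseline is silently raised when a flood occurs during the training period. The signatures, thresholds and sample counts are constructed for this example.

```python
import re
import statistics
from collections import Counter

# Misuse detection: Snort-style content signatures for known attacks (constructed here).
SIGNATURES = [
    ("cgi-bin probe", re.compile(r"GET /cgi-bin/")),
    ("directory traversal", re.compile(r"\.\./\.\./")),
]


def misuse_detect(payload):
    """Match one packet payload against the signature database; return the names hit."""
    return [name for name, rx in SIGNATURES if rx.search(payload)]


# Anomaly detection: model "normal" as the number of connections per time window.
def counts_per_window(events, window=60):
    """events: iterable of (timestamp_seconds, src_ip). Returns a count per window,
    including zero for windows with no traffic."""
    buckets = Counter(ts // window for ts, _src in events)
    return [buckets[w] for w in range(max(buckets) + 1)] if buckets else []


class RateProfile:
    """Normal profile = mean and standard deviation of per-window connection counts
    observed during a training period; a window is anomalous above mean + k*stdev."""

    def __init__(self, training_counts, k=3.0):
        self.mean = statistics.mean(training_counts)
        self.stdev = statistics.pstdev(training_counts)
        self.k = k

    def threshold(self):
        return self.mean + self.k * self.stdev

    def is_anomalous(self, count):
        return count > self.threshold()


# Constructed training data: connections per minute over a quiet period.
CLEAN_TRAINING = [10, 12, 11, 9, 10, 11]
# The same period, but a flood that went unnoticed during training is included.
CONTAMINATED_TRAINING = CLEAN_TRAINING + [200, 210]

if __name__ == "__main__":
    print(misuse_detect("GET /cgi-bin/phf HTTP/1.0"))          # known attack: matched
    print(misuse_detect("GET /admin/backup.tar HTTP/1.0"))     # novel request: missed
    print(RateProfile(CLEAN_TRAINING).is_anomalous(150))        # flood flagged
    print(RateProfile(CONTAMINATED_TRAINING).is_anomalous(150)) # flood now "normal"
```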
