17-03-2011, 09:44 AM
Submitted by:
Ms. Sonali Satapathy
[attachment=10357]
INTRODUCTION
In the last few years, the networking revolution has finally come of age. More than ever before, we see that the Internet is changing computing, as we know it. The possibilities and opportunities are limitless; unfortunately, so too are the risks and chances of malicious intrusions.
It is very important that the security mechanisms of a system are designed so as to prevent unauthorized access to system resources and data. However, completely preventing breaches of security appear, at present, unrealistic. We can, however, try to detect these intrusion attempts so that action may be taken to repair the damage later. This field of research is called Intrusion Detection.
INTRUSION DETECTION SYSTEM
An Intrusion Detection System (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.
Organizations use intrusion detection and prevention system(IDPSs) for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding.
An intrusion detection system (IDS) is essentially a burglar alarm system for the network. It enables us to monitor our network for intrusive activity. When intrusive activity occurs, our IDS generates an alarm to let us know that the network is possibly under attack. Like regular burglar alarms, however, IDS can generate "false positives" or "false alarms".
What is false positives/false alarms and false negatives?
A false positive occurs when IDS generates an alarm from normal user activity. If IDS generates too many false positives, then we will lose confidence in the capability of IDS to protect the network.
Example:- If a burglar alarm that continually goes off incorrectly, the police will become conditioned to the fact that the establishment is prone to false alarms. During an actual break-in, the police may not respond as quickly, thinking that the alarm is just another false alarm. Therefore, it is crucial that IDS configured to minimize the number of false positives that it generates.
False negatives is a situation in which an attack occurs against the network, and IDS fails to alarm even though it is designed to detect such an attack. IDS should almost never generate false negatives. In fact, it is preferable for IDS to actually generate more false positives rather than generating any false negatives.
THREATS OF SECURITY
Threats can be seen as potential violations of security and exist because of vulnerabilities, i.e. weakness, in a system. There are two basic types of threats: accidental threats and intentional threats.
Accidental Threat:
An accidental threat can be manifested and the result is either an exposure of confidential information or cause of an illegal system state to occur i.e. modification of an object.
Exposures can emerge from both hardware and software failures as well as from user and operational mistakes thus resulting in the violation of confidentiality.
It can also be manifested as modification of an object, which is the violation of object integrity. An object here can be both information and resource.
Intentional Threat:
An intentional threat is an action performed by an entity with the intention to violate security. Examples of attacks are interruption, modification, interception and fabrication of data.
NEED FOR INTRUSION DETECTION
Due to increased connectivity (especially on the Internet), and the vast spectrum of financial possibilities that are opening up, more and more systems are subject to attack by intruders. These subversion attempts try to exploit flaws in the operating system as well as in application programs and resulted in spectacular incidents.
There are two ways to handle subversion attempts.
Prevent subversion itself by building a completely secure system.
Protect data by various cryptographic methods and very tight access control mechanisms.
However this is not really feasible because:
1. In practice, it is not possible to build a completely secure system. Designing and implementing a totally secure system is an extremely difficult task.
2. Cryptographic methods have their own problems. Passwords can be cracked, users can lose their passwords, and entire crypto-systems can be broken.
3. Even a truly secure system is vulnerable to abuse by insiders who abuse their privileges.
4. Relationship between the level of access control and user efficiency is an inverse one, which means that the stricter the mechanisms, the lower the efficiency becomes.
So if there are attacks on a system, it is required to detect them as soon as possible and take appropriate action. This is essentially what an Intrusion Detection System (IDS) does.
TRIGGERING MECHANISM
To protect the network, IDS must generate alarms when it detects intrusive activity on the network. Different IDSs trigger alarms based on different types of network activity. The two most common triggering mechanisms are the following:
• Anomaly detection
• Misuse detection
Besides implementing a triggering mechanism, IDS must somehow watch for intrusive activity at specific points within the network. Monitoring intrusive activity normally occurs at the following two locations:
• Host-based
• Network-based
a) Anomaly Detection
With anomaly detection, its required to create a profile for each user group on the system. These profiles can be built automatically or created manually. How the profiles are created is not important as long as the profiles accurately define the characteristics for each user group or user on the network. These profiles are then used as a baseline to define normal user activity. If any network activity deviates too far from this baseline, then the activity generates an alarm. Because this type of IDS is designed around user profiles, it is also sometimes known as profile-based detection.
Ms. Sonali Satapathy
[attachment=10357]
INTRODUCTION
In the last few years, the networking revolution has finally come of age. More than ever before, we see that the Internet is changing computing, as we know it. The possibilities and opportunities are limitless; unfortunately, so too are the risks and chances of malicious intrusions.
It is very important that the security mechanisms of a system are designed so as to prevent unauthorized access to system resources and data. However, completely preventing breaches of security appear, at present, unrealistic. We can, however, try to detect these intrusion attempts so that action may be taken to repair the damage later. This field of research is called Intrusion Detection.
INTRUSION DETECTION SYSTEM
An Intrusion Detection System (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.
Organizations use intrusion detection and prevention system(IDPSs) for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding.
An intrusion detection system (IDS) is essentially a burglar alarm system for the network. It enables us to monitor our network for intrusive activity. When intrusive activity occurs, our IDS generates an alarm to let us know that the network is possibly under attack. Like regular burglar alarms, however, IDS can generate "false positives" or "false alarms".
What is false positives/false alarms and false negatives?
A false positive occurs when IDS generates an alarm from normal user activity. If IDS generates too many false positives, then we will lose confidence in the capability of IDS to protect the network.
Example:- If a burglar alarm that continually goes off incorrectly, the police will become conditioned to the fact that the establishment is prone to false alarms. During an actual break-in, the police may not respond as quickly, thinking that the alarm is just another false alarm. Therefore, it is crucial that IDS configured to minimize the number of false positives that it generates.
False negatives is a situation in which an attack occurs against the network, and IDS fails to alarm even though it is designed to detect such an attack. IDS should almost never generate false negatives. In fact, it is preferable for IDS to actually generate more false positives rather than generating any false negatives.
THREATS OF SECURITY
Threats can be seen as potential violations of security and exist because of vulnerabilities, i.e. weakness, in a system. There are two basic types of threats: accidental threats and intentional threats.
Accidental Threat:
An accidental threat can be manifested and the result is either an exposure of confidential information or cause of an illegal system state to occur i.e. modification of an object.
Exposures can emerge from both hardware and software failures as well as from user and operational mistakes thus resulting in the violation of confidentiality.
It can also be manifested as modification of an object, which is the violation of object integrity. An object here can be both information and resource.
Intentional Threat:
An intentional threat is an action performed by an entity with the intention to violate security. Examples of attacks are interruption, modification, interception and fabrication of data.
NEED FOR INTRUSION DETECTION
Due to increased connectivity (especially on the Internet), and the vast spectrum of financial possibilities that are opening up, more and more systems are subject to attack by intruders. These subversion attempts try to exploit flaws in the operating system as well as in application programs and resulted in spectacular incidents.
There are two ways to handle subversion attempts.
Prevent subversion itself by building a completely secure system.
Protect data by various cryptographic methods and very tight access control mechanisms.
However this is not really feasible because:
1. In practice, it is not possible to build a completely secure system. Designing and implementing a totally secure system is an extremely difficult task.
2. Cryptographic methods have their own problems. Passwords can be cracked, users can lose their passwords, and entire crypto-systems can be broken.
3. Even a truly secure system is vulnerable to abuse by insiders who abuse their privileges.
4. Relationship between the level of access control and user efficiency is an inverse one, which means that the stricter the mechanisms, the lower the efficiency becomes.
So if there are attacks on a system, it is required to detect them as soon as possible and take appropriate action. This is essentially what an Intrusion Detection System (IDS) does.
TRIGGERING MECHANISM
To protect the network, IDS must generate alarms when it detects intrusive activity on the network. Different IDSs trigger alarms based on different types of network activity. The two most common triggering mechanisms are the following:
• Anomaly detection
• Misuse detection
Besides implementing a triggering mechanism, IDS must somehow watch for intrusive activity at specific points within the network. Monitoring intrusive activity normally occurs at the following two locations:
• Host-based
• Network-based
a) Anomaly Detection
With anomaly detection, its required to create a profile for each user group on the system. These profiles can be built automatically or created manually. How the profiles are created is not important as long as the profiles accurately define the characteristics for each user group or user on the network. These profiles are then used as a baseline to define normal user activity. If any network activity deviates too far from this baseline, then the activity generates an alarm. Because this type of IDS is designed around user profiles, it is also sometimes known as profile-based detection.
