Intrusion Detection
Chapter 1
Introduction

Recent and anticipated changes in technology arising from the convergence of communications and computing are truly breathtaking, and have already had a significant impact on many aspects of life. Banking, stock exchanges, air traffic control, telephones, electric power, health care, welfare and education are largely dependent on information technology and telecommunications for their operation. We are moving towards the point where it is possible to assert that everything depends on software.
The increased capacities of information systems today come at the cost of increased vulnerability. Information technology has begun to produce criminal opportunities of a variety that the brightest criminals of yore couldn't even begin to dream about.
Intrusion-detection systems collect information from a variety of vantage points within computer systems and networks and analyze this information for symptoms of security breaches. Intrusion-detection and vulnerability-assessment technologies allow organizations to protect themselves from losses associated with network security problems. Intrusion-detection is the logical complement to network firewalls, extending the security management capabilities of system administrators to include security audit, monitoring, attack recognition, and response.
1.1 Cyber Crime
Cyber crime, e-crime or high-tech crime generally refers to criminal activity where a network is the target or place of the crime. The term cyber crime is used to describe criminal activity in which the computer or network is a necessary part of the crime.
Cyber crime can broadly be defined as criminal activity involving an information technology infrastructure, including illegal access (unauthorized access), illegal interception (by technical means of non-public transmissions of computer data to, from or within a computer system), data interference (unauthorized damaging, deletion, deterioration, alteration or suppression of computer data), systems interference (interfering with the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data), misuse of devices, forgery (ID theft) and electronic fraud.
1.2 Cyber Criminals
Cyber criminals consist of various groups or categories. This division may be justified on the basis of the objective that they have in mind. The following are the categories of cyber criminals:
• Children and adolescents between the ages of 6 and 18 years – The simple reason for this type of delinquent behavior pattern in children is seen mostly due to the inquisitiveness to know and explore things. Another cognate reason may be to prove themselves to be outstanding amongst other children in their group. Further, the reasons may even be psychological. E.g. the Bal Bharati (Delhi) case was the outcome of harassment of the delinquent by his friends.
• Organized hackers – These kinds of hackers are mostly organized together to fulfill a certain objective. The reason may be to fulfill their political bias, fundamentalism, etc. The Pakistanis are said to be one of the best quality hackers in the world. They mainly target the Indian government sites with the purpose of fulfilling their political objectives. Further, the NASA as well as the Microsoft sites are always under attack by the hackers.
• Professional hackers / crackers – Their work is motivated by the color of money. These kinds of hackers are mostly employed to hack the site of the rivals and get credible, reliable and valuable information. Further, they are employed to crack the system of the employer basically as a measure to make it safer by detecting the loopholes.
• Discontented employees – This group includes those people who have been either sacked by their employer or are dissatisfied with their employer. To take revenge, they normally hack the system of their employer.
1.3 Prevention Methods
• Firewalls – These are programs which protect a user from unauthorized access attacks while on a network. They provide access to only known users, or people whom the user permits.
• Frequent Password Changing – With the advent of multi-user systems, security has become dependent on passwords. Thus one should always keep passwords to sensitive data secure. Changing them frequently and keeping them sufficiently complex in the first place can do this.
• Safe Surfing – This is a practice which should be followed by all users on a network. Safe surfing involves keeping one's e-mail address private, not chatting on open systems which do not have adequate protection methods, and visiting secure sites. Accepting data from only known users, and downloading carefully and only from known sites, also minimizes risk.
• Frequent Virus Checks – One should frequently check one's computer for viruses and worms. Also, any external media such as floppy disks and CD-ROMs should always be virus checked before running.
• Email Filters – These are programs which monitor the inflow of mails to the inbox and automatically delete any suspicious or useless mails, thus reducing the chances of being bombed or spoofed.
Chapter 2
Intrusion Detection System

With the increasing dependence of the world economy, state structures, communications, industry and business on information technologies, the risk related to the ever pervasive intrusions in the electronic space also increases. Malicious intruders overcome protection systems designed to limit access to the institution's computer network resources installed in banks or companies. In order to reduce the risk and possible consequences, it is very important to identify intrusions at the initial stage of their realization and to respond to them appropriately.
For this purpose the intrusion detection systems can be applied. The Intrusion Detection System (IDS) is a protection system intended to identify and to respond to the malicious activities directed against the computer and computer network resources. It is important that the intrusion detection system should process all packets transmitted over the network irrespective of the network usage, i.e. it is necessary to reduce the number of dropped packets to the minimum.
2.1 Intrusion and Intrusion Detection
Intrusions are actions that attempt to bypass security mechanisms of computer systems. So they are any set of actions that threatens the integrity, availability, or confidentiality of a network resource. In short, an intrusion is an intentional violation of the security policy of a system. They are commonly referred to as penetrations.
Intrusion Detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions like unauthorized entrance, activity or file modification.
There are three steps in the process of intrusion detection, which are:
• Monitoring and analyzing traffic
• Identifying abnormal activities
• Assessing severity and raising alarm
2.2 Firewalls
Firewalls act as a barrier between corporate (internal) networks and the outside world (Internet), and filter incoming traffic according to a security policy. Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. Firewalls are too deep in the network hierarchy. The router may be affected even before the firewall gets the traffic. Firewalls can effectively prevent users from launching simple flooding type attacks from machines behind the firewall.
2.3 Why firewalls are not enough?
Firewalls act as a barrier between corporate (internal) networks and the outside world (Internet), and filter incoming traffic according to a security policy. Thus, a firewall provides a good amount of security, but not sufficient protection, due to the following facts:
• Not all access to the Internet occurs through the firewall: Users, for a variety of reasons ranging from naiveté to impatience, sometimes set up unauthorized modem connections between their systems connected to the internal network and outside Internet access providers or other avenues to the Internet. The firewall cannot mitigate risk associated with connections it never sees.
• Not all threats originate outside the firewall: A vast majority of loss due to security incidents is traced to insiders. These include the users who misuse privileges or impersonate higher privileges. The firewall only sees traffic at the boundaries between the internal network and the Internet. If the traffic reflecting security breaches never flows past the firewall, it cannot see the problems. Organizations utilize strong encryption mechanisms to secure files and network connections. In securing the network from the outside threat, the threat from within the network is almost completely forgotten. Intrusion detection systems are the only part of the infrastructure that is privy to the traffic on the internal network. Therefore, they will become even more important as security infrastructures evolve.
• Firewalls are subject to attack themselves: Firewalls are not completely foolproof. A firewall generally makes pass-deny decisions on the basis of allowable network addresses. Intelligent firewalls may analyze the contents of packets of certain protocols, but they may only identify the anomaly related to that protocol.
A common attack strategy is to utilize tunneling to bypass firewall protections. Tunneling is the practice of encapsulating a message in one protocol (that might be blocked by firewall filters) inside a second message. Thus the inside message gets through, as the firewall considers the outer, encapsulating message harmless.
In order to strengthen the security, one cannot rely on any single tool. Hence a firewall must be complemented by Intrusion Detection Tools.
2.4 Intrusion Detection Systems
2.4.1 Definition:
Intrusion Detection is the unrelenting, active attempt to discover or detect the presence of intrusive activities. It refers to all processes used in discovering unauthorized uses of network or computer devices. This is achieved through specifically designed software with the sole purpose of detecting unusual or abnormal activity. Such software is called an Intrusion Detection System.
An Intrusion Detection System or IDS is software, hardware or a combination of both used to detect intruder activity. An Intrusion Detection System is software that automates the intrusion detection process and detects possible intrusions.
2.4.2 Why do we require IDS?
To answer this question, we need to understand why intruders can get into the system. There are various reasons, of which the prominent ones are:
• Software bugs – they can be buffer overflows, unexpected combinations, unhandled inputs, race conditions etc. Software has bugs because programmers cannot track down and eliminate all possible holes.
• Password Cracking – hackers have over time developed numerous ways to break into systems by knowing passwords that were really weak, or by making dictionary & brute force attacks.
• Design flaws – many systems that were developed early were never designed to handle the wide scale intrusion that is there today. These include TCP/IP protocol flaws, operating system flaws etc.
• Sniffing unsecured traffic – traffic on the Internet is not encrypted. Hackers can use programs that can get sensitive information from packets over the network. These include the packet sniffers, port scanners etc.
Reply
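The contrast drawn in sections 2.1 and 2.3, as an added example that is not part of the original post: a firewall that decides on address and port alone passes a tunneled session, while an IDS sensor behind it follows the three steps (monitor, identify abnormal activity, assess severity and raise an alarm) on the traffic that got through. The packet records, the port policy and the single `SSH-2.0-` signature are constructed for illustration.

```python
import ipaddress

# Constructed sample traffic (not from the post): (src, dst, dst_port, payload)
PACKETS = [
    ("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.7", "203.0.113.20", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.8", "203.0.113.30", 23, b"login: "),
    ("10.0.0.9", "203.0.113.40", 80, b"POST /u HTTP/1.1\r\nHost: example.test\r\n\r\nSSH-2.0-client\r\n"),
]

ALLOWED_PORTS = {80, 443}                          # assumed firewall policy
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed internal range
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
FOREIGN_MARKERS = {b"SSH-2.0-": "SSH"}             # hypothetical signature list

def firewall_allows(src, dst_port):
    """Pass/deny on address and port only, as the post describes."""
    return ipaddress.ip_address(src) in INTERNAL and dst_port in ALLOWED_PORTS

def inspect(dst_port, payload):
    """Step 2: identify abnormal activity. Returns (finding, severity) or None."""
    if dst_port != 80:
        return None  # only cleartext HTTP is inspected in this sketch
    if not payload.startswith(HTTP_METHODS):
        for marker, name in FOREIGN_MARKERS.items():
            if payload.startswith(marker):
                return (f"{name} spoken directly on port 80", "high")
        return ("non-HTTP payload on port 80", "medium")
    body = payload.partition(b"\r\n\r\n")[2]
    for marker, name in FOREIGN_MARKERS.items():
        if marker in body:
            return (f"{name} encapsulated in HTTP body", "high")
    return None

def run_ids(packets):
    """Steps 1 and 3: monitor passed traffic, assess severity, raise alarms."""
    alarms = []
    for src, dst, port, payload in packets:
        if not firewall_allows(src, port):
            continue  # dropped at the firewall; never reaches the sensor
        finding = inspect(port, payload)
        if finding:
            alarms.append((src, dst, finding[0], finding[1]))
    return alarms

if __name__ == "__main__":
    for alarm in run_ids(PACKETS):
        print(alarm)
```

The firewall passes three of the four packets; the sensor raises alarms on the two that carry SSH over the allowed HTTP port.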

Messages In This Thread
Intrusion Detection - by seminar projects crazy - 30-12-2008, 02:24 PM
RE: Intrusion Detection - by seminar class - 20-04-2011, 11:43 AM