02-06-2012, 04:11 PM
An Intrusion detection system (IDS)
Introduction:
An Intrusion Detection System (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, or disabling computer systems, mainly through a network such as the Internet. These attempts may take the form of attacks by, for example, crackers, malware, or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic.
An intrusion detection system is used to detect several types of malicious behaviour that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, Trojan horses, and worms).
An IDS can be composed of several components: sensors, which generate security events; a console, to monitor events and alerts and to control the sensors; and a central engine, which records the events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received. There are several ways to categorize an IDS, depending on the type and location of the sensors and on the methodology the engine uses to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.
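The sensor / engine / console split described above, as an added Python illustration (this is not code from the project in the post, which is written in C# / ASP.NET). The event format, the two rules (a failed-login threshold within a time window, and access to a sensitive file by a non-administrator) and the sample events are all constructed for the example; the "database" is a plain list.

```python
"""Minimal sensor -> engine -> console model of an IDS.

Added illustration, not code from the original project.  Event format,
rules and sample events are constructed here for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    """A security event as a sensor would emit it (constructed format)."""
    ts: int            # seconds since some epoch
    sensor: str        # which sensor produced the event
    kind: str          # e.g. "login_failed", "file_access"
    src: str           # source host or user
    detail: str = ""   # free text, e.g. the file path accessed


@dataclass
class Alert:
    rule: str
    subject: str
    evidence: list = field(default_factory=list)


class Engine:
    """Records every event and applies a small rule set to raise alerts."""

    def __init__(self, fail_threshold=5, window=60,
                 sensitive=("/etc/shadow",), admins=("root",)):
        self.db = []                      # the "database" of logged events
        self.alerts = []
        self.fail_threshold = fail_threshold
        self.window = window              # seconds
        self.sensitive = set(sensitive)
        self.admins = set(admins)
        self._fails = defaultdict(list)   # src -> timestamps of failed logins

    def receive(self, ev):
        """Called by a sensor; returns the alerts this event produced."""
        self.db.append(ev)
        new = [a for a in (self.rule_bruteforce(ev),
                           self.rule_sensitive_file(ev)) if a]
        self.alerts.extend(new)
        return new

    def rule_bruteforce(self, ev):
        """N failed logins from one source inside the window -> one alert."""
        if ev.kind != "login_failed":
            return None
        hist = self._fails[ev.src]
        hist.append(ev.ts)
        hist[:] = [t for t in hist if ev.ts - t <= self.window]  # drop old ones
        if len(hist) >= self.fail_threshold:
            evidence = list(hist)
            hist.clear()                  # start counting again after alerting
            return Alert("bruteforce", ev.src, evidence)
        return None

    def rule_sensitive_file(self, ev):
        """Sensitive file touched by someone who is not an administrator."""
        if (ev.kind == "file_access" and ev.detail in self.sensitive
                and ev.src not in self.admins):
            return Alert("sensitive_file", ev.src, [ev.detail])
        return None


def console(alerts):
    """The console: here it just prints what the engine raised."""
    for a in alerts:
        print(f"[ALERT] {a.rule}: {a.subject} evidence={a.evidence}")


# Constructed sample events from two sensors.
SAMPLE_EVENTS = [
    Event(100, "host-a", "login_ok", "alice"),
    *[Event(100 + 5 * i, "host-a", "login_failed", "10.0.0.5", "ssh")
      for i in range(6)],
    Event(140, "host-a", "file_access", "root", "/etc/shadow"),
    Event(141, "host-a", "file_access", "guest", "/etc/shadow"),
    Event(200, "net-1", "login_failed", "10.0.0.9", "ssh"),
]


def run_demo(events=SAMPLE_EVENTS):
    eng = Engine()
    for ev in events:
        eng.receive(ev)
    console(eng.alerts)
    return eng.alerts


if __name__ == "__main__":
    run_demo()
```

With the sample events the engine raises two alerts: one for the fifth failed login from 10.0.0.5 inside the 60 second window, and one for the `guest` read of `/etc/shadow`; the `root` read and the single failure from 10.0.0.9 stay below the rules' thresholds.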
ABSTRACT:
This project discusses the use of Intrusion Detection Systems (IDS), especially in relation to evasion attacks (attacks that hit or cross our IP). Important characteristics of this type of attack are presented and attacking packets are captured. Further along, the characteristics of network-based and host-based IDS are compared, and some aspects of a distributed approach to IDS architecture are analyzed. On the basis of this discussion, the project proposes the use of distributed network-based IDS that are client based.
HARDWARE SPECIFICATION:
Processor Type : Pentium -IV
Speed : 2.4 GHz
Ram : 256 MB RAM
Hard disk : 80 GB HD
SOFTWARE SPECIFICATION:
Operating System : Windows XP
Front End : ASP.NET
Code Behind : C#
Database : SQL Server
Service : Web Service
Server : IIS
EXISTING SYSTEM:
Such systems are common today in large networks connected to the Internet. On the other hand, some attacks are more sophisticated than in earlier years. This class of attacks has the following characteristic: the attacker is aware that an IDS exists in the target network and tries to evade its detection. There are several means an attacker can use to achieve evasion; they rely on the IDS's lack of knowledge, which we summarize as:
1. Lack of knowledge regarding the network topology.
2. Lack of knowledge regarding the configuration of the protected communications protocol stack.
3. Lack of knowledge regarding the version of the protected communications protocol stack.
Another important class of evasion attacks is related to the application-level processing of the received packet. In that case the lack of knowledge concerns how the receiving application processes the packet.
PROPOSED SYSTEM:
Our paper proposes the use of distributed network-based IDS that are client based for the detection of evasion attacks. The proposed model is compared to host-based Intrusion Prevention Systems. There have been several attempts to answer the problem of evasion, mostly based on passive fingerprinting techniques.
Distribution is an important principle for two reasons. First, distributed systems are better suited to cope with higher network speeds. Second, in a distributed system there are fewer (or no) single points of failure. There have been several proposals for DIDS (Distributed IDS) architectures, and most commercial systems today support distribution of sensors. Our approach differs in that it is a client-based system.
Today's intrusion detection systems (IDS) are to a great extent network-based. Encryption at the application level, high speeds, and switched networks present significant problems for this type of system. Also, network-based systems are susceptible to evasion attacks. In the case of network-based systems the IDS should know which OS is installed on each target host, so that the IDS can focus on the group of attack signatures relevant to that host.
MODULES:
SNIFFING ADDRESS:
Shared medium: on traditional Ethernet, all you have to do is put a sniffer on the wire to see all the traffic on a segment. This is getting more difficult now that most corporations are transitioning to switched Ethernet.
Server sniffing: however, on switched networks, if you can install a sniffing program on a server (especially one acting as a router), you can probably use that information to break into client machines and trusted machines as well. For example, you might not know a user's password, but sniffing a Telnet session when they log in will give you that password.
Remote sniffing: a large number of boxes come with RMON enabled and public community strings. While the bandwidth is really low (you can't sniff all the traffic), it presents interesting possibilities.
PING:
Ping is a computer network tool used to test whether a particular host is reachable across an IP network. It works by sending ICMP "echo request" packets to the target host and listening for the ICMP "echo reply" packets sent back. Ping estimates the round-trip time, generally in milliseconds, records any packet loss, and prints a statistical summary when finished.
FUNCTION:
"Looping ping": sends pings until you click the "Stop" button (useful for checking the network connection while you are modifying the computer's network configuration or routing configuration). In this mode you can enter your own IP address or any other IP address, and the tool traces the reply time of each raw packet and reports the packets received, packets sent, and packets lost.
"More than one host can reply": use this option when you are broadcasting; leave it off in normal mode.
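The ICMP exchange behind the PING module, as an added Python example (not code from the post's C# project). It builds an echo request with the RFC 1071 Internet checksum, decodes the echo reply a target would send back, rejects corrupted packets, and produces the sent/received/lost/min/avg/max summary ping prints when it finishes. Everything happens in memory on constructed data, so nothing is transmitted; the raw-socket send/receive that a real ping needs is left out.

```python
"""ICMP echo request/reply packets and the ping statistics summary.

Added example, not code from the project described in the post.  Packets
are built and "answered" in memory, so nothing is sent on the wire; a raw
socket would only be needed to transmit what build_echo_request returns.
"""
import struct

ICMP_ECHO_REQUEST = 8   # RFC 792 type for "echo request"
ICMP_ECHO_REPLY = 0     # RFC 792 type for "echo reply"


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Echo request header: type, code, checksum, identifier, sequence."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = checksum(header + payload)         # computed with the field zeroed
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP packet, rejecting truncated or corrupted ones."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP packet")
    if checksum(packet) != 0:                 # an intact packet sums to zero
        raise ValueError("bad ICMP checksum")
    typ, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:]}


def echo_reply_for(request: bytes) -> bytes:
    """What the target host sends back: same id, seq and payload, type 0."""
    req = parse_icmp(request)
    if req["type"] != ICMP_ECHO_REQUEST:
        raise ValueError("not an echo request")
    header = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, req["id"], req["seq"])
    csum = checksum(header + req["payload"])
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, csum,
                       req["id"], req["seq"]) + req["payload"]


def ping_stats(rtts_ms: list) -> dict:
    """The summary ping prints when finished; None marks a lost packet."""
    got = [r for r in rtts_ms if r is not None]
    sent, received = len(rtts_ms), len(got)
    return {
        "sent": sent,
        "received": received,
        "lost": sent - received,
        "loss_pct": 100.0 * (sent - received) / sent if sent else 0.0,
        "min_ms": min(got) if got else None,
        "avg_ms": sum(got) / received if got else None,
        "max_ms": max(got) if got else None,
    }


if __name__ == "__main__":
    req = build_echo_request(ident=0x1234, seq=1, payload=b"hello")
    rep = parse_icmp(echo_reply_for(req))
    print("reply type", rep["type"], "seq", rep["seq"], "payload", rep["payload"])
    # constructed round-trip times: the second probe was lost
    print(ping_stats([1.2, None, 0.8]))
```

The identifier and sequence fields are what let a ping implementation match each reply to the request it sent, which is also how "More than one host can reply" can be handled: several replies carrying the same sequence number after a broadcast.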
TRACEROUTE:
Traceroute is a computer network tool used to determine the route taken by packets across an IP network.
Traceroute works by increasing the "time-to-live" value of each successive batch of packets sent. The first three packets have a time-to-live (TTL) value of one (implying that they make a single hop). The next three packets have a TTL value of 2, and so on. When a packet passes through a host, the host normally decrements the TTL value by one and forwards the packet to the next host. When a packet with a TTL of one reaches a host, the host discards the packet and sends an ICMP time exceeded (type 11) packet to the sender. The traceroute utility uses these returning packets to produce a list of the hosts that the packets have traversed en route to the destination. The three timestamp values returned for each host along the path are the delay (latency) values, typically in milliseconds (ms), for each packet in the batch. If a packet does not return within the expected timeout window, a star (asterisk) is traditionally printed. Traceroute may not list the real hosts: it only indicates that the first host is at one hop, the second host at two hops, and so on, and IP does not guarantee that all the packets take the same route. Also note that if the host at hop number N does not reply, the hop will be skipped in the output.
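The TTL-probing loop just described, as an added Python simulation (not code from the post's project). The path is constructed: three routers, one of which silently drops expired probes, and a destination host. Each probe is walked along the path by `forward()`, which decrements the TTL at every router and returns the ICMP time exceeded (type 11) answer from the router where it reaches zero; it is assumed, as in an ICMP-based traceroute, that the destination answers with an echo reply (type 0). No packets are sent.

```python
"""Simulation of the TTL-probing algorithm traceroute uses.

Added example, not code from the post or its project.  The path is
constructed and forward() stands in for the routers; nothing touches
the network.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_TIME_EXCEEDED = 11   # RFC 792: sent by the router that expires the TTL
ICMP_ECHO_REPLY = 0       # assumed: ICMP-based traceroute, so the
                          # destination answers the probe with an echo reply


@dataclass
class Node:
    addr: str
    delay_ms: float          # round-trip delay to this node (constructed)
    replies: bool = True     # False: drops expired probes without any ICMP


def forward(path: List[Node], ttl: int) -> Optional[Tuple[str, int, float]]:
    """Send one probe with the given TTL along path (last node = destination).

    Returns (responder, icmp_type, delay_ms), or None if nobody answered.
    """
    for i, node in enumerate(path):
        if i == len(path) - 1:
            # delivered locally: the destination does not forward, so it
            # answers rather than decrementing the TTL
            return (node.addr, ICMP_ECHO_REPLY, node.delay_ms)
        ttl -= 1                              # every router decrements TTL
        if ttl == 0:
            # expired in transit: discard and report back, if this router does
            if node.replies:
                return (node.addr, ICMP_TIME_EXCEEDED, node.delay_ms)
            return None
        # otherwise the router forwards the probe to the next node
    return None


def traceroute(path: List[Node], max_hops: int = 30, probes: int = 3):
    """One row per TTL: (ttl, responder or None, [delay or None] * probes)."""
    rows = []
    for ttl in range(1, max_hops + 1):
        answers = [forward(path, ttl) for _ in range(probes)]
        addr = next((a[0] for a in answers if a), None)     # None -> "* * *"
        delays = [a[2] if a else None for a in answers]
        rows.append((ttl, addr, delays))
        if any(a and a[1] == ICMP_ECHO_REPLY for a in answers):
            break                                            # destination reached
    return rows


def render(rows) -> str:
    """Print in the familiar layout; a lost probe shows as an asterisk."""
    lines = []
    for ttl, addr, delays in rows:
        cells = [f"{d:.1f} ms" if d is not None else "*" for d in delays]
        lines.append(f"{ttl:2d}  {addr or '*':<15} " + "  ".join(cells))
    return "\n".join(lines)


# Constructed path: the second router never sends time-exceeded messages.
SAMPLE_PATH = [
    Node("10.0.0.1", 1.1),
    Node("172.16.0.1", 4.0, replies=False),
    Node("198.51.100.1", 12.5),
    Node("203.0.113.7", 20.0),
]

if __name__ == "__main__":
    print(render(traceroute(SAMPLE_PATH)))
```

In the sample run the silent router at hop 2 shows up as a row of asterisks rather than an address, which is what a real traceroute prints for a hop that never answers; raising `max_hops` beyond the path length has no effect because probing stops as soon as the destination replies.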