29-08-2016, 11:44 AM
INTRODUCTION
Intrusion detection is a type of security management system for computers and networks. An intrusion detection (ID) system gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). Intrusion detection is complemented by vulnerability assessment, a technology developed to assess the security of a computer system or network before an attack takes place. An intrusion detection system inspects inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system.
1.1 SYSTEM THREATS
As the number of cyber attacks against social networks and large internet enterprises continues to rise, organizations are questioning the safety of moving their computational assets to the cloud. An intrusion detection system is a device or software application that monitors network or system activities for malicious activity or policy violations and produces reports to a management station. IDS come in a variety of "flavors" and approach the goal of detecting suspicious traffic in different ways. An intrusion detection and prevention system (IDPS) typically records information related to observed events, notifies security administrators of important observed events and produces reports. Many IDPS can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques: the IDPS stops the attack itself (for example by terminating the connection), changes the security environment (for example by reconfiguring a firewall to block the source) or changes the attack's content (for example by stripping a malicious attachment).
Every attack on a network can be placed into one of the following four groupings, which are also the attack categories of the DARPA/KDD Cup 99 intrusion detection datasets from which the example attack names below are taken:
• Denial of Service (DoS): a DoS attack is one in which the attacker makes a computing or memory resource too busy or too full to serve legitimate requests, thereby denying users access to a machine, e.g. apache2, smurf, neptune, ping of death (pod), back, mailbomb, udpstorm.
• Remote to Local (R2L), also called remote-to-user: attacks in which an attacker who has no account on the target machine sends packets to it over the network and exploits a vulnerability to gain local access as a user. The attack does not affect the computer the attacker is using; instead, the attacker finds weak points in the target's software to get onto the machine or system. The main reasons for remote attacks are to view or steal data illegally, to introduce viruses or other malicious software to another computer or network, and to cause damage to the targeted computer or network, e.g. guess_passwd, ftp_write, imap, phf, warezmaster.
• User to Root (U2R): attacks in which the attacker starts off on the system with a normal user account and abuses a vulnerability in the system in order to gain superuser (root) privileges, e.g. perl, xterm, loadmodule, buffer_overflow, rootkit.
• Probing: an attack in which the attacker scans a machine or a networking device to discover hosts, services and weaknesses that may later be exploited to compromise the system. This reconnaissance step commonly precedes the other three types of attack, e.g. saint, mscan, nmap, ipsweep, portsweep, satan.
1.2 DETECTING INTRUSIONS
Intrusion detection systems are of two main types: network based (NIDS) and host based (HIDS) intrusion detection systems.
Network Intrusion Detection Systems
Network Intrusion Detection Systems (NIDS) are placed at one or more strategic points within the network (typically a mirror/SPAN port or a network tap on a choke point) to monitor traffic to and from all devices on the segment. A NIDS analyzes the traffic passing on the subnet and matches it against a library of known attack signatures, supplemented in practice by threshold rules for floods and scans that no single packet signature can capture. Because it only sees what is on the wire, a NIDS cannot inspect encrypted payloads and sees nothing that happens locally on a host.
Host Intrusion Detection Systems
Host Intrusion Detection Systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors the packets entering and leaving that device only, together with local evidence the network cannot show, such as system logs, process activity and changes to critical files, and alerts the user or administrator if suspicious activity is detected.
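The following added example (not code from the report) shows how a NIDS sensor combines the two detection styles described above: a small signature library catches known exploit payloads, while per-source counters catch the probing and DoS categories from section 1.1 that have no single-packet signature. The rule names, thresholds, addresses and flow records are constructed for illustration.

```python
"""Toy intrusion detector: signature matching plus threshold rules, run over
constructed flow records. Added example, not code from the report."""
from collections import defaultdict, deque, namedtuple

# One record per packet/flow, as a NIDS sensor would summarise it.
Flow = namedtuple("Flow", "ts src dst dport proto flags payload")

# Signature library (hypothetical rules in the spirit of a Snort ruleset):
# (name, attack category, predicate over a Flow).
SIGNATURES = [
    ("phf CGI command execution attempt", "R2L",
     lambda f: f.proto == "tcp" and f.dport == 80 and b"/cgi-bin/phf" in f.payload),
    ("NOP sled (possible shellcode)", "U2R",
     lambda f: b"\x90" * 8 in f.payload),
]

WINDOW = 5.0       # seconds of history kept per source address
PROBE_PORTS = 10   # distinct dst:port pairs touched by one source inside WINDOW
DOS_SYNS = 20      # SYN-only segments to one dst:port from one source inside WINDOW


def signature_alerts(flows):
    """Stateless matching of every flow against the signature library."""
    alerts = []
    for f in flows:
        for name, category, match in SIGNATURES:
            if match(f):
                alerts.append((f.ts, category, name, f.src, f.dst))
    return alerts


def threshold_alerts(flows):
    """Stateful per-source counters for port sweeps (Probe) and SYN floods (DoS)."""
    history = defaultdict(deque)   # src -> flows seen in the last WINDOW seconds
    reported = set()               # suppress repeat alerts for the same source/target
    alerts = []
    for f in sorted(flows, key=lambda f: f.ts):
        q = history[f.src]
        q.append(f)
        while q[0].ts < f.ts - WINDOW:
            q.popleft()
        targets = {(g.dst, g.dport) for g in q}
        if len(targets) >= PROBE_PORTS and ("probe", f.src) not in reported:
            reported.add(("probe", f.src))
            alerts.append((f.ts, "Probe", f"port sweep, {len(targets)} ports", f.src, f.dst))
        syns = sum(1 for g in q
                   if g.proto == "tcp" and g.flags == "S"
                   and (g.dst, g.dport) == (f.dst, f.dport))
        key = ("dos", f.src, f.dst, f.dport)
        if syns >= DOS_SYNS and key not in reported:
            reported.add(key)
            alerts.append((f.ts, "DoS", f"SYN flood, {syns} SYNs to port {f.dport}", f.src, f.dst))
    return alerts


def detect(flows):
    """Run both engines and return (ts, category, name, src, dst) tuples ordered by time."""
    return sorted(signature_alerts(flows) + threshold_alerts(flows))


def sample_flows():
    """Constructed traffic: one legitimate client and three attacking hosts."""
    flows = [Flow(0.0, "10.0.0.7", "10.0.0.20", 80, "tcp", "PA",
                  b"GET /index.html HTTP/1.0\r\n\r\n")]
    # port sweep: 12 ports on one host in about a second
    flows += [Flow(0.1 * (i + 1), "10.0.0.5", "10.0.0.20", 20 + i, "tcp", "S", b"")
              for i in range(12)]
    # SYN flood: 25 half-open connection attempts to port 80 in 2.5 seconds
    flows += [Flow(3.0 + 0.1 * i, "10.0.0.6", "10.0.0.20", 80, "tcp", "S", b"")
              for i in range(25)]
    # the scanner follows up with a well-known CGI exploit request (R2L)
    flows.append(Flow(4.0, "10.0.0.5", "10.0.0.20", 80, "tcp", "PA",
                      b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n"))
    # a payload that opens with a NOP sled, typical of a buffer overflow exploit (U2R)
    flows.append(Flow(5.0, "10.0.0.8", "10.0.0.20", 23, "tcp", "PA",
                      b"\x90" * 16 + b"\x31\xc0"))
    return flows


if __name__ == "__main__":
    for ts, category, name, src, dst in detect(sample_flows()):
        print(f"{ts:5.1f}s  {category:<5}  {src} -> {dst}  {name}")
```

Run against the constructed traffic, the detector raises exactly four alerts, one per category, and nothing for the legitimate client. The thresholds are the tunable part: set PROBE_PORTS too low and an ordinary web page with many embedded resources looks like a sweep, set DOS_SYNS too high and a slow flood goes unnoticed, which is the false-positive/false-negative trade-off every sensor deployment has to work through.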
1.3 FAILURE OF SECURITY MEASURES
Even though measures such as having strong security policies or defining appropriate security techniques are the suggested remedies, these measures are not totally successful at eliminating intrusions. The security and privacy of an organisation also depend largely on the sensible use of systems and the network by its employees. Social engineering is a simple method of obtaining passwords and information from a person without having to go through the process of breaking in.
Another way an attack can be initiated is by guessing an easy password using a dictionary attack. One of the most common tools used for dictionary attacks is John the Ripper, which quickly recovers passwords consisting of common names or dictionary words, including simple variations such as a capitalised first letter or an appended digit. Weak ciphers, or strong ciphers used with short keys, can likewise be broken by brute force within days on commodity hardware; only a sufficiently large key size puts exhaustive search out of reach. IP address spoofing can bypass an address-based security policy by faking the source address of malicious packets. A simple ICMP echo request can be abused in two ways: a ping flood continuously bombards a server with echo requests to exhaust its bandwidth or CPU, while the ping of death sends a fragmented ICMP packet whose reassembled size exceeds the 65,535-byte IP maximum and crashes hosts with a vulnerable IP stack. Both are well-known denial of service attacks that attackers use to bring a server down.
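The dictionary attack described above, as an added example that is not code from the report or from John the Ripper: a wordlist is expanded with a few mangling rules (capitalisation, common suffixes) and hashed against a stolen credential store. The wordlist, user names, passwords, salts and iteration count are constructed for illustration; the second function shows why per-user salts and an iterated hash multiply the attacker's work without making a dictionary word safe.

```python
"""Dictionary attack against stolen password hashes, wordlist-mode style.
Added example, not code from the report or from John the Ripper."""
import hashlib
import hmac

WORDLIST = ["password", "letmein", "welcome", "alice", "dragon", "monkey"]  # constructed
SUFFIXES = ["", "1", "123", "!", "2016"]                                       # mangling rules


def candidates(wordlist):
    """Yield each word as-is and capitalised, with every suffix appended."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in SUFFIXES:
                yield base + suffix


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hex(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_unsalted(shadow, wordlist):
    """shadow: {user: sha256 hex}. One hash per candidate is compared against every user at once."""
    targets = {digest: user for user, digest in shadow.items()}
    cracked, attempts = {}, 0
    for guess in candidates(wordlist):
        attempts += 1
        user = targets.get(sha256_hex(guess))
        if user:
            cracked[user] = guess
            if len(cracked) == len(shadow):
                break
    return cracked, attempts


def crack_salted(shadow, wordlist):
    """shadow: {user: (salt, iterations, pbkdf2 hex)}. Each user costs a separate pass over the wordlist."""
    cracked, attempts = {}, 0
    for user, (salt, iterations, digest) in shadow.items():
        for guess in candidates(wordlist):
            attempts += 1
            if hmac.compare_digest(pbkdf2_hex(guess, salt, iterations), digest):
                cracked[user] = guess
                break
    return cracked, attempts


# Constructed "stolen" credential stores: two weak passwords and one random one.
PASSWORDS = {"alice": "dragon1", "bob": "Password!", "carol": "x7$Qm2#pLw9z"}
UNSALTED_SHADOW = {u: sha256_hex(p) for u, p in PASSWORDS.items()}
SALTED_SHADOW = {
    u: (f"salt-{u}".encode(), 1000, pbkdf2_hex(p, f"salt-{u}".encode(), 1000))
    for u, p in PASSWORDS.items()
}

if __name__ == "__main__":
    for label, fn, store in (("unsalted sha256", crack_unsalted, UNSALTED_SHADOW),
                             ("salted pbkdf2", crack_salted, SALTED_SHADOW)):
        cracked, attempts = fn(store, WORDLIST)
        print(f"{label}: cracked {cracked} in {attempts} hash computations")
```

Against the unsalted store the 60 candidates are hashed once and recover both weak passwords; against the salted, iterated store every user needs their own pass (111 computations here, each a thousand times slower), yet the same two passwords fall. Slow hashing only buys time; the real defences are a password policy that rejects dictionary words and, on the detection side, alerting on bursts of failed logins, which is exactly the kind of R2L activity an IDS is placed to catch.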
A buffer overflow is an attack that exploits a vulnerability in a program whose input handling has not been checked or tested: the program copies more data into a fixed-size buffer than the buffer can hold, so the excess overwrites adjacent memory. An attacker who spots the vulnerability before the programmer or software developer does (a zero-day exploit) can overwrite the function's saved return address with another value so that, when the function returns, the attacker's code is fetched and executed instead of the program's own. The malicious code injected into the program for this purpose is known as shellcode, because it classically spawns a command shell.
Malware is another attack that can escape the clutches of the security measures. Inserting a virus or a Trojan into software is the easiest way to take control of a system and then perform further malicious activities. These are some of the attacks that have succeeded despite the security measures implemented in an organisation. Since these security measures can fail, an intrusion detection system serves as an additional layer of protection and can be used to detect the symptoms of a possible intrusion.
LITERATURE REVIEW
A. Valdes and K. Skinner, "Probabilistic alert correlation," in Proc. RAID Symp., 2001, pp. 54–68. This approach correlates attacks over time, correlates reports from heterogeneous sensors, and correlates multiple attack steps. The authors report a reduction of one-half to two-thirds in alert volume in a live environment, and close to a fiftyfold reduction in alert volume in a simulated attack scenario.
Frédéric Cuppens and Alexandre Miège, "Alert Correlation in a Cooperative Intrusion Detection Framework," in Proc. IEEE Symposium on Security and Privacy, 2002. The paper describes CRIM, a module that implements functions to manage, cluster, merge and correlate alerts. The architecture is centralized: due to technical constraints it was not practical to create direct communication between the IDS.
Urko Zurutuza and Roberto Uribeetxeberria, "Intrusion Detection Alarm Correlation," Mondragon University, 2003. The techniques in this area aim to help analysts distinguish alarms generated by real attacks from alarms generated by legitimate traffic. The survey finds that there is no agreement on the terminology used for the different steps of the correlation process.
Oliver M. Dain and Robert K. Cunningham, "Building Scenarios from a Heterogeneous Alert Stream," MIT Lincoln Laboratory, 2004. Presents a probabilistic approach for fusing alerts from multiple intrusion detection sensors into scenarios. Its weakness is that once an alert has been assigned to the wrong scenario, that scenario is corrupted.
S. Katti, B. Krishnamurthy, and D. Katabi, "Collaborating against common enemies," in Proc. IMC, Berkeley, CA, USA, 2005. Spyware exhibits behavior similar to Trojans; however, the type of activity triggering this behavior is totally different, and the vast majority of the observed communication attempts are redirections to third-party websites.
Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong and Wenke Lee, "BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation," Georgia Institute of Technology and SRI International, in Proc. USENIX Security Symposium, 2007. The authors refer to the analytical strategy of matching the dialog flows between internal assets and the broader Internet as dialog-based correlation, and contrast it with other intrusion detection and alert correlation methods. A fundamental limitation of an IDS is that it can only detect known attacks with existing signatures; it also cannot inherently identify social engineering or browser attacks such as drive-by downloads and cross-site scripting.
Safaa O. Al-Mamory and Hongli Zhang, "Intrusion detection alarms reduction using root cause analysis and clustering," Elsevier, 2008. The paper uses root cause analysis to discover the root causes that make the IDS trigger false alarms. The averaged reduction ratio of the future alarm load was about 74% of the total alarms.
L. Etienne and J.-Y. Le Boudec, "Malicious Traffic Detection in Local Networks with Snort," École Polytechnique Fédérale de Lausanne, 2009. Proposes ways to significantly increase the amount of traffic that can be analyzed and explores Snort's multithreading possibilities. The authors also find a clear lack of classification in the default rule-sets, and argue that better classification would help many users get the best out of their Snort sensor.
Massimo Ficco and Luigi Romano, "A Correlation Approach to Intrusion Detection," Consorzio Interuniversitario Nazionale per l'Informatica (CINI), 2010. Proposes a hierarchical event correlation approach to overcome the limitations of individual intrusion detection systems, with the aim of defining mechanisms for identifying unknown attack patterns.
The literature review shows that individual detection techniques do not clearly identify attacks or suspicious activities, and that a single alert carries no information about the sequence of malicious actions that took place inside the network. Detecting suspicious activity with an IDS and correlating its alerts can both identify the suspicious activity and provide the prior information about the malicious actions that a single alert lacks.
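To make the correlation ideas in the review concrete, the following added example (not code from any of the cited papers) runs two of the recurring steps over a constructed alert stream from two sensors: aggregation of repeated alerts into meta-alerts with a count, which is the alert-volume reduction Valdes and Skinner and Al-Mamory and Zhang measure, and chaining one attacker's meta-alerts into a multi-step scenario of the kind Dain and Cunningham and Cuppens and Miège build. The sensor names, signature names, stage mapping, time windows and alerts are all constructed for illustration.

```python
"""Alert aggregation and scenario building over a heterogeneous alert stream.
Added example, not code from the cited papers."""
from collections import defaultdict, namedtuple

Alert = namedtuple("Alert", "ts sensor sig src dst")

# Hypothetical mapping from signature to attack stage; a real correlator would
# take this from the rule metadata (for example a Snort classtype).
STAGE = {
    "ICMP PING NMAP": ("recon", 1),
    "SNMP public community string": ("recon", 1),
    "SSH login failed": ("access", 2),
    "Root shell spawned by non-root user": ("escalation", 3),
}


def aggregate(alerts, window=60.0):
    """Fuse repeats of one (signature, src, dst) seen within `window` seconds into one meta-alert."""
    metas, open_metas = [], {}
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.sig, a.src, a.dst)
        m = open_metas.get(key)
        if m is not None and a.ts - m["first"] <= window:
            m["count"] += 1
            m["last"] = a.ts
            m["sensors"].add(a.sensor)
        else:
            m = {"sig": a.sig, "src": a.src, "dst": a.dst, "first": a.ts,
                 "last": a.ts, "count": 1, "sensors": {a.sensor}}
            open_metas[key] = m
            metas.append(m)
    return metas


def build_scenarios(metas, max_gap=300.0):
    """Chain one source's meta-alerts against one target into a scenario whenever
    the next step is a later, higher stage than the previous one."""
    by_pair = defaultdict(list)
    for m in metas:
        by_pair[(m["src"], m["dst"])].append(m)
    scenarios = []
    for (src, dst), ms in by_pair.items():
        ms.sort(key=lambda m: m["first"])
        chain = [ms[0]]
        for m in ms[1:]:
            prev = chain[-1]
            if (STAGE[m["sig"]][1] > STAGE[prev["sig"]][1]
                    and m["first"] - prev["last"] <= max_gap):
                chain.append(m)
        scenarios.append({
            "src": src, "dst": dst,
            "stages": [STAGE[m["sig"]][0] for m in chain],
            "sensors": sorted(set().union(*(m["sensors"] for m in chain))),
        })
    return scenarios


def reduction_ratio(raw, metas):
    """Fraction of the raw alert volume removed by aggregation."""
    return 1 - len(metas) / len(raw)


def sample_alerts():
    """Constructed stream: a network sensor on the DMZ and a HIDS on the web host."""
    alerts = [Alert(float(i), "snort-dmz", "ICMP PING NMAP", "10.0.0.5", "10.0.0.20")
              for i in range(20)]
    alerts += [Alert(30.0 + i, "hids-web01", "SSH login failed", "10.0.0.5", "10.0.0.20")
               for i in range(5)]
    # the HIDS attributes the host event to the peer of the SSH session that spawned it
    alerts.append(Alert(40.0, "hids-web01", "Root shell spawned by non-root user",
                        "10.0.0.5", "10.0.0.20"))
    alerts += [Alert(12.0 + 7 * i, "snort-dmz", "SNMP public community string",
                     "10.0.0.9", "10.0.0.21") for i in range(3)]
    return alerts


if __name__ == "__main__":
    raw = sample_alerts()
    metas = aggregate(raw)
    print(f"{len(raw)} raw alerts -> {len(metas)} meta-alerts "
          f"({reduction_ratio(raw, metas):.0%} reduction)")
    for s in build_scenarios(metas):
        print(f"{s['src']} -> {s['dst']}: {' > '.join(s['stages'])} (sensors: {s['sensors']})")
```

On the constructed stream, 29 raw alerts collapse into 4 meta-alerts (an 86% reduction, in the range the reviewed papers report), and the scanner's recon, failed logins and root shell, seen by two different sensors, are linked into one recon > access > escalation scenario, while the isolated SNMP noise stays a single-stage scenario. The failure mode Dain and Cunningham describe is visible in build_scenarios: the chaining decision is final, so an alert placed in the wrong chain corrupts that scenario for good.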