Intrusion detection is the detection of inappropriate, incorrect, or anomalous activity. An intrusion can include a network attack from the outside (intruder) or from an internal network user (misuse). IDSs monitor network systems to detect these types of attacks. IDSs collect information from several points within networks and analyze this information for signs of intrusion and misuse.
Intruders are unauthorized users, and they are classified as follows:
- External: Users not authorized to use the system, also known as intruders. External intruders are the focus of physical security and firewalls.
- Internal: Users not authorized to use some resources; this is often referred to as misuse.
- Masquerades: Users who impersonate other users.
- Clandestine: Users who evade auditing and are a threat to weak operating systems and mismanaged systems.
- Misfeasors: Users who misuse their privileges.
IDSs must protect network and system integrity from several different types of attacks and users. All users are considered possible threats, regardless of origin or how the users were authenticated.
IDSs use various techniques to trace unauthorized use of network and system resources. These techniques include the analysis of audit trail data and network traffic, either real-time or off-line (after-the-fact). The goal of intrusion detection is catching the intruder in the act. Real-time testing and monitoring of audit data is the most prevalent technique used to catch intruders.
IDSs use two methodologies to detect unauthorized use of a network or system:
- Signature analysis: Matches network traffic against rules that describe known attack traces and protocol uses. If a match is detected, the traffic is flagged for notification to the network administrator or security manager.
- Statistical profiling: Performed on host-based intrusion detection systems. Statistical profiling monitors the characteristics of the users using the system, developing sophisticated profiles over time.
Characteristics of users include the following:
- Application
- Amount of data
- Time of usage
- Protocols used
- Source and destination addresses
Once a profile is completed, subsequent uses are compared to the user's original profile. If the system detects a change in user activities, the user is flagged by the system. For example, a user who regularly edits documents in Microsoft Word, but then opens vi on a remote UNIX host to edit its password file, should be flagged.
Statistical profiling also can be performed at the network level by developing activity profiles of web servers. For example, if a web server begins receiving remote commands and file uploads, this is not normal activity for that server and is flagged.
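To make the profiling step concrete, here is an added example (not from the original text): it builds per-user profiles over the characteristics listed above from a constructed set of audit records and flags a later event that departs from the profile, such as the Word user who suddenly runs vi against a remote UNIX host. The record fields, the three-standard-deviation volume threshold and the sample data are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records: (user, application, bytes moved, hour, protocol, destination).
BASELINE = [
    ("alice", "winword.exe", 120_000, 9, "smb", "fileserver"),
    ("alice", "winword.exe", 80_000, 10, "smb", "fileserver"),
    ("alice", "outlook.exe", 15_000, 11, "smtp", "mailhost"),
    ("alice", "winword.exe", 95_000, 14, "smb", "fileserver"),
    ("alice", "outlook.exe", 22_000, 16, "smtp", "mailhost"),
]

def build_profile(records):
    """Summarise each user's applications, protocols, destinations, hours and volume."""
    per_user = defaultdict(list)
    for rec in records:
        per_user[rec[0]].append(rec)
    profiles = {}
    for user, recs in per_user.items():
        sizes = [r[2] for r in recs]
        profiles[user] = {
            "apps": {r[1] for r in recs},
            "protocols": {r[4] for r in recs},
            "destinations": {r[5] for r in recs},
            "hours": (min(r[3] for r in recs), max(r[3] for r in recs)),
            "bytes_mean": mean(sizes),
            "bytes_dev": pstdev(sizes),
        }
    return profiles

def check_event(profiles, rec):
    """Compare one new record with its user's profile; an empty list means it fits."""
    user, app, nbytes, hour, proto, dst = rec
    prof = profiles.get(user)
    if prof is None:
        return ["unknown user"]
    reasons = []
    if app not in prof["apps"]:
        reasons.append(f"new application {app}")
    if proto not in prof["protocols"]:
        reasons.append(f"new protocol {proto}")
    if dst not in prof["destinations"]:
        reasons.append(f"new destination {dst}")
    lo, hi = prof["hours"]
    if not lo <= hour <= hi:
        reasons.append(f"unusual hour {hour:02d}:00")
    # Flag volumes more than three standard deviations above the user's mean (assumed threshold).
    if nbytes > prof["bytes_mean"] + 3 * prof["bytes_dev"]:
        reasons.append(f"unusual volume {nbytes} bytes")
    return reasons
```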
IDSs are implemented in one of two ways: host-based or network-based.
In a host-based IDS, detection software is loaded on the host the IDS will be monitoring, and data is audited from this single host. Each network host needs the intrusion detection software running for the IDS to be effective in identifying attacks. Host-based IDSs monitor the system, event, and security logs on Windows NT and syslog in UNIX environments. If the IDS detects any changes in these files, it compares the new log entry with attack signatures to see whether a match exists. If a match is found, the system alerts the administrator.
There are two classes of host-based intrusion detection software:
- Host wrappers/personal firewalls: Configured to look at all network packets, connection attempts, or login attempts to the monitored machine. Personal firewalls can also detect software on the host that may be trying to connect to the network.
- Agent-based software: Monitors access, changes to critical system files, and changes in user privilege.
In a network-based IDS (NIDS), packets on the network and audit data from several hosts are monitored on the particular segment the NIDS sensor is covering. As the packets pass the sensor, they are examined for similarity to a signature. NIDSs are primarily concerned with remote intrusion from an external source outside the network. If an attack is detected, the NIDS notifies the administrator, terminates the connection, and/or records the session for forensic analysis and evidence collection.
NOTE: More information regarding the Cisco Systems IDS (formerly NetRanger) platform can be found at http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml.
Signatures represent an activity pattern required to gain access to a computer network or system. Signatures enable the IDS to verify whether the monitored sequence of events is a threat to the integrity of the network or system.
The following is a list of signatures monitored by IDSs:
- Attack, or string, signatures: Look for specific and well-known patterns of activity logged by the system, indicating malicious or suspicious intent. The most common attack signatures include these:
  - OS identification: Sending illegal or unusual ICMP or TCP packets and identifying the OS by the way it responds to them.
  - Account scans: Look for accounts with no passwords, common-word passwords, or passwords that are the same as the user name.
  - Exploits: Intruders take advantage of hidden features, holes, or bugs to gain access to the system. Common exploits include:
    - CGI scripts
    - Web server attacks
    - Web browser attacks
    - SMTP attacks
    - IP spoofing
    - Buffer overflows
    - DNS attacks
  - DoS attacks: The intruder attempts to crash a service or host machine, overload network links, overload the CPU, or fill up the disk, preventing legitimate users from accessing services. Common DoS attacks include:
    - Ping-of-Death
    - SYN Flood
    - WinNuke (targeting older Microsoft Windows 95/NT machines)
NOTE: The Web site http://www.jtan.com/resources/winnuke.html can be used to test a PC for vulnerability to the WinNuke attack.
- Port signatures: Look for connection attempts to well-known and frequently attacked ports.
- Header condition signatures: Look for illogical or dangerous combinations in packet headers.
As you can see, the list of signatures for which IDSs watch is quite extensive. Network attackers change and/or update their attack methods on a continuing basis, in turn requiring IDS vendors to update their signature databases to watch for these attacks.
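The port and header-condition signature classes, together with the SYN Flood and Ping-of-Death patterns listed above, as an added example of a small sensor loop (example code, not from the original text or any vendor's IDS): it runs constructed packet summaries past each rule and collects alerts for the administrator. The packet fields, the watched-port list and the SYN-count threshold are assumptions.

```python
from collections import Counter

# Constructed packet summaries (sample values, not a real capture).
PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "tcp", "dport": 80, "flags": {"SYN"}, "length": 60},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "tcp", "dport": 80, "flags": {"ACK"}, "length": 52},
    # SYN and FIN set together: a combination that does not occur in legitimate TCP.
    {"src": "10.0.0.9", "dst": "10.0.0.20", "proto": "tcp", "dport": 22, "flags": {"SYN", "FIN"}, "length": 60},
    # ICMP echo whose reassembled size exceeds the 65535-byte IP maximum (Ping-of-Death).
    {"src": "10.0.0.9", "dst": "10.0.0.20", "proto": "icmp", "dport": None, "flags": set(), "length": 65_600},
    # Connection attempt to a frequently attacked service port.
    {"src": "10.0.0.9", "dst": "10.0.0.20", "proto": "tcp", "dport": 23, "flags": {"SYN"}, "length": 60},
]
# Sixty half-open SYNs from one source to one host inside the window (SYN Flood).
PACKETS += [{"src": "10.0.0.77", "dst": "10.0.0.20", "proto": "tcp", "dport": 25,
             "flags": {"SYN"}, "length": 60}] * 60

WATCHED_PORTS = {21: "ftp", 23: "telnet", 139: "netbios-ssn"}  # illustrative port signature list
SYN_FLOOD_THRESHOLD = 50  # assumed SYNs per source/destination pair per window; tune per segment

def header_condition(pkt):
    """Header-condition signatures: describe an illogical or dangerous header
    combination, or return None if the header looks sane."""
    if pkt["proto"] == "tcp" and {"SYN", "FIN"} <= pkt["flags"]:
        return "SYN+FIN set together"
    if pkt["length"] > 65_535:
        return "datagram larger than the IP maximum (Ping-of-Death)"
    return None

def analyse(packets):
    """Pass every packet on the segment past the signature set and return
    (category, detail, source) alerts; the SYN Flood count is applied over
    the whole window once all packets have been seen."""
    alerts = []
    syn_counts = Counter()
    for pkt in packets:
        hit = header_condition(pkt)
        if hit:
            alerts.append(("header", hit, pkt["src"]))
        if pkt["proto"] == "tcp" and pkt["dport"] in WATCHED_PORTS:
            alerts.append(("port", f"connection to {WATCHED_PORTS[pkt['dport']]}", pkt["src"]))
        if pkt["proto"] == "tcp" and pkt["flags"] == {"SYN"}:
            syn_counts[(pkt["src"], pkt["dst"])] += 1
    for (src, dst), n in syn_counts.items():
        if n >= SYN_FLOOD_THRESHOLD:
            alerts.append(("dos", f"SYN Flood: {n} half-open SYNs to {dst}", src))
    return alerts
```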