Introduction: Surveillance

The document discusses intrusion detection systems (IDS), which provide visibility into network traffic and control over network access. IDS were developed in response to growing vulnerabilities from increased internet use. There are two main types - network-based IDS monitor packet traffic while host-based IDS examine individual computers. Detection techniques include signature-based matching of known attacks and behavioral anomaly detection by learning normal traffic patterns. IDS can be deployed before firewalls, in demilitarized zones, or internally to monitor different parts of the network.

Uploaded by aliov mezher

1.1. INTRODUCTION

The Internet is forcing organizations into an era of open and trusted communications. This openness at the same time brings its share of vulnerabilities and problems, such as financial losses, damage to reputation, maintaining availability of services, protecting personal and customer data and many more, pushing both enterprises and service providers to take steps to guard their valuable data from intruders, hackers and insiders. An Intrusion Detection System has become a fundamental need for successful content networking. IDS provide two primary benefits: Visibility and Control [1]. It is the combination of these two benefits that makes it possible to create and enforce an enterprise security policy that keeps the private computer network secure. Visibility is the ability to see and understand the nature of the traffic on the network, while Control is the ability to affect network traffic, including access to the network or parts thereof. Visibility is paramount to decision making and makes it possible to create a security policy based on quantifiable, real-world data. Control is key to enforcement and makes it possible to enforce compliance with the security policy.

1.2. BRIEF HISTORY OF IDS

The idea of detecting intrusions or system misuse by looking for some kind of malicious pattern in network or user activity was initially conceived by James Anderson in his report titled Computer Security Threat Monitoring and Surveillance [2] to the US Air Force in the year 1980. In the year 1984, the first prototype of an Intrusion Detection System that monitors user activities, named Intrusion Detection Expert System (IDES), was developed. In the year 1988, Haystack became the first IDS to use patterns and statistical analysis for detecting malicious activities, but it lacked the capability of real-time analysis.

Meanwhile, there were other significant advances occurring at the University of California Davis' Lawrence Livermore Laboratories. In the year 1989, they built an IDS called Network System Monitor (NSM) for analyzing network traffic. This project was subsequently developed into an IDS named Distributed Intrusion Detection System (DIDS). Stalker, based on DIDS, became the first commercially available IDS and influenced the growth and trends of future IDS. In the mid-90s, SAIC developed Computer Misuse Detection System (CMDS), a host-based IDS. The US Air Force's Cryptographic Support Centre developed Automated Security Incident Measurement (ASIM), which addressed issues like scalability and portability.

The intrusion detection market began to gain in popularity and truly generate revenues around 1997. In that year, the security market leader, ISS, developed a network intrusion detection system called Real Secure. A year later, Cisco recognized the importance of network intrusion detection and purchased the Wheel Group, attaining a security solution they could provide to their customers. Similarly, the first visible host-based intrusion detection company, Centrax Corporation, emerged as a result of a merger of the development staff from Haystack Labs and the departure of the CMDS team from SAIC. From there, the commercial IDS world expanded its market base and a roller coaster ride of start-up companies, mergers, and acquisitions ensued.

Martin Roesch, in the year 1998, launched a lightweight open source Network IDS named SNORT [3], which has since gained much popularity. In the year 1999, Okena Systems worked out the first Intrusion Prevention System (IPS) under the name Storm Watch. IPS are systems which not only detect intrusions but are also able to react to alarming situations. These systems can co-operate with a firewall without any intermediary applications.

1.3. TYPES OF IDS

Depending upon the level of analysis, IDS are classified into two major types:

Network based IDS (NIDS):

Monitors and analyzes the individual packets passing around a network to detect attacks or malicious activities happening in the network that are designed to be overlooked by a firewall's simplistic filtering rules.

Host based IDS (HIDS):

Examines the activity on the individual computer or host on which the IDS is installed. The activities include login attempts, process schedules, system file integrity checking, system call tracing etc. Sometimes the two kinds of IDS are combined together to form a Hybrid IDS. Generally an IDS has two components:

Central Administration (Management) Module:

Provides a centralized facility for managing and monitoring all the installations of the Intrusion Detection System and hence a centralized way of analyzing and detecting intrusions. It has a complete view of the various activities and events occurring in different segments of the organizational network. Moreover, the policy settings, actions to be triggered, patch/signature updates and fine tuning of sensors can be achieved with this module.

IDS Sensors (Agents):

Analyse the network traffic and identify attacks and security breaches which take place by exploiting the technology of the network implementation, report the alerts to the Management module and perform the preset actions. IDS Agents are more autonomous in their functions as compared to Sensors.

1.4. DETECTION TECHNIQUES

Various techniques are in place for intrusion detection, which can be broadly classified as follows.

Signature/pattern based Detection:

In this technique, the sensors, which are placed in different LAN segments, filter and analyse network packets in real time and compare them against a database of known attack signatures. Attack signatures are known methods that intruders have employed in the past to penetrate a network. If the packet contents match an attack signature, the IDS can take appropriate countermeasure steps as enabled by the network security administrator. These countermeasures can take the form of a wide range of responses. They can include notifications through Simple Network Management Protocol (SNMP) traps or issuance of alerts to an administrator's email or phone, shutting down the connection or shutting down the system under threat etc.

An advantage of a misuse detection IDS is that it is not only useful for detecting intrusions, but it will also detect intrusion attempts; a partial signature may indicate an intrusion attempt. Furthermore, the misuse detection IDS could detect port scans and other events that possibly precede an intrusion.
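The following is an added example, not code from the original document: a minimal signature-matching sensor core illustrating the three points above, full signature matches, partial-signature "attempts", and port scans as a precursor event. The signature database, packet format and sample traffic are all constructed for illustration.

```python
# Added example (not from the original document): a minimal signature-based NIDS
# core for section 1.4. Signatures and packets are constructed for illustration.
from collections import defaultdict, namedtuple
Packet = namedtuple("Packet", "src dst dport payload")
# Constructed signature database: name -> (destination port, byte pattern).
SIGNATURES = {
    "shell-command-in-http-query": (80, b"/bin/sh"),
    "directory-traversal": (80, b"../../"),
}
PARTIAL_MIN = 4  # payload ending in >= 4 bytes of a signature = "attempt"

def match_signatures(pkt):
    """Return (signature name, 'match' | 'attempt') pairs for one packet."""
    hits = []
    for name, (port, pattern) in SIGNATURES.items():
        if pkt.dport != port:
            continue
        if pattern in pkt.payload:
            hits.append((name, "match"))
        elif any(pkt.payload.endswith(pattern[:n])
                 for n in range(PARTIAL_MIN, len(pattern))):
            hits.append((name, "attempt"))   # partial signature seen
    return hits

class PortScanDetector:
    """Flags a source touching > threshold ports on one host (alerts once)."""
    def __init__(self, threshold=5):
        self.threshold = threshold
        self.seen = defaultdict(set)  # (src, dst) -> distinct dports
    def observe(self, pkt):
        ports = self.seen[(pkt.src, pkt.dst)]
        ports.add(pkt.dport)
        return len(ports) == self.threshold + 1

def run_sensor(packets):
    """Analyse packets in order; return alerts as (src, description)."""
    alerts, scanner = [], PortScanDetector()
    for p in packets:
        for name, kind in match_signatures(p):
            alerts.append((p.src, f"{kind}:{name}"))
        if scanner.observe(p):   # port scan often precedes an intrusion
            alerts.append((p.src, "port-scan"))
    return alerts

# Constructed traffic: benign request, traversal, truncated attempt, port probe.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("10.0.0.9", "10.0.0.80", 80, b"GET /cgi-bin/x?cmd=/bin"),
] + [Packet("10.0.0.7", "10.0.0.80", p, b"") for p in (21, 22, 23, 25, 80, 443)]
```

Running `run_sensor(SAMPLE_PACKETS)` yields one full match, one attempt and one port-scan alert; the attempt is raised because the third payload ends in a prefix of a signature without containing all of it.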

Unauthorised Access Detection:

In unauthorised access detection, the IDS detects attempts at any access violations. It maintains an access control list (ACL) where access control policies for different users, based on IP addresses, are stored. User requests are verified against the ACL to check for any violations.

Behavioural Anomaly (Heuristic based) Detection:

In the behavioural anomaly detection method, the IDS is trained to learn the normal behavioural pattern of traffic flow in the network over an appropriate period of time. It then sets a baseline, or normal state, of the network's traffic: protocols used, typical packet sizes and other relevant parameters of network traffic. The anomaly detector monitors different network segments to compare their state with the normal baselines and looks for significant deviations.
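An added example, not from the original document, of the learn-then-compare cycle described above: a baseline of packet sizes and protocols is learned per network segment during a training period, and live observations are scored against it. The segment names, the three-sigma threshold and all traffic records are constructed assumptions.

```python
# Added example (not from the original document): a toy behavioural anomaly
# detector for section 1.4. Traffic records below are constructed samples.
from statistics import mean, pstdev

class SegmentBaseline:
    """Learned normal state of one segment: packet sizes and protocols used."""
    def __init__(self, sizes, protocols, k=3.0):
        self.mean, self.std = mean(sizes), pstdev(sizes)
        self.protocols = set(protocols)
        self.k = k   # deviation (in standard deviations) treated as significant

    def score(self, size):
        """Z-score of one packet size against the baseline."""
        return 0.0 if self.std == 0 else (size - self.mean) / self.std

    def check(self, size, protocol):
        """Return the deviations found for one observation ([] = normal)."""
        findings = []
        if protocol not in self.protocols:
            findings.append(f"unseen-protocol:{protocol}")
        if abs(self.score(size)) > self.k:
            findings.append(f"size-deviation:{size}")
        return findings

def train(records):
    """Training phase: one baseline per segment from (segment, size, protocol)."""
    by_seg = {}
    for seg, size, proto in records:
        sizes, protos = by_seg.setdefault(seg, ([], []))
        sizes.append(size)
        protos.append(proto)
    return {seg: SegmentBaseline(s, p) for seg, (s, p) in by_seg.items()}

def monitor(baselines, live):
    """Monitoring phase: compare live records with the learned baselines."""
    alerts = []
    for seg, size, proto in live:
        if seg not in baselines:           # segment never seen in training
            alerts.append((seg, "no-baseline"))
            continue
        alerts.extend((seg, f) for f in baselines[seg].check(size, proto))
    return alerts

# Constructed learning-period traffic for the DMZ segment (mean size 500).
TRAINING = [("dmz", s, p) for s, p in zip(
    [480, 500, 520, 510, 490, 500, 515, 485],
    ["tcp", "tcp", "udp", "tcp", "tcp", "udp", "tcp", "tcp"])]
# Constructed live traffic: one normal packet, one oversized, one new protocol.
LIVE = [("dmz", 505, "tcp"), ("dmz", 1400, "tcp"), ("dmz", 512, "icmp")]
```

Nothing here knows what an exploit looks like; the 1400-byte packet and the ICMP traffic are flagged purely because they differ from the learned baseline, which is also why a badly chosen training period turns into false alarms.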

Protocol Anomaly Detection:

With this technique, the anomaly detector alerts the administrator to traffic that does not conform to known protocol standards. As protocol anomaly detection analyzes network traffic for deviation from standards rather than searching for known exploits, there is potential for protocol anomaly detection to serve as an early detector for undocumented exploits.
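An added example, not from the original document, of the protocol-conformance idea above: HTTP/1.x request lines are checked against the grammar of the standard (method token, single target, version form, line ending), so a malformed request is flagged without any exploit being named. The 2048-byte target limit is an assumed local policy and the request lines are constructed samples.

```python
# Added example (not from the original document): a protocol anomaly check for
# section 1.4. It judges HTTP/1.x request lines against the standard's grammar
# rather than against exploit signatures. Request lines are constructed samples.
import re

TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 token chars
VERSION = re.compile(rb"^HTTP/1\.[01]$")
MAX_TARGET_LEN = 2048  # assumed local policy, not part of the standard

def check_request_line(line):
    """Return [] for a conforming request line, else the anomalies found."""
    anomalies = []
    if not line.endswith(b"\r\n"):
        anomalies.append("bad-line-ending")
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3:                      # method SP target SP version
        return anomalies + ["wrong-field-count"]
    method, target, version = parts
    if not TOKEN.match(method):
        anomalies.append("invalid-method-token")
    if not target:
        anomalies.append("empty-target")
    elif any(c < 0x21 or c == 0x7F for c in target):
        anomalies.append("control-char-in-target")
    if len(target) > MAX_TARGET_LEN:         # oversized regardless of content
        anomalies.append("oversized-target")
    if not VERSION.match(version):
        anomalies.append("invalid-version")
    return anomalies

def scan(lines):
    """Return (line index, anomalies) for every non-conforming request line."""
    return [(i, a) for i, l in enumerate(lines) if (a := check_request_line(l))]

# Constructed samples: one conforming request, then four deviations.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\n",
    b"GET /search?q=a\x00b HTTP/1.1\r\n",
    b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n",
    b"GET /x HTTP/9.9\n",
    b"G\xffT / HTTP/1.0\r\n",
]
```

The oversized target is reported whatever bytes it carries, which is the sense in which a protocol check can catch an exploit nobody has written a signature for yet.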

1.5. DEPLOYMENT SCENARIOS OF IDS

There exist three strategic locations where a NIDS can be installed in the network for effective monitoring, as depicted in the diagrams below.

Before the Gateway firewall:

At this point, the NIDS can keep track of all network events of interest, even those attacks which subsequently may fail. As it has to handle a large amount of traffic, the NIDS ought to be installed on a faster machine so that analysis is done in real time. It also has to be configured correctly so that the number of false alarms can be reduced. Figure 1 shows such a configuration.

Figure 1: Network IDS placed before the Gateway Firewall

In the DMZ (De-Militarized Zone):

Placing the IDS within the DMZ enables it to monitor traffic which has already been partly filtered by the gateway firewall, as depicted in figure 2. This reduces the burden on the IDS but also limits its visibility.

Figure 2: Network IDS in the DMZ

Inside the private corporate network:

The last possibility where a NIDS can be stationed is within the corporate network, as shown in figure 3. Such a location aims at monitoring attacks emerging from the local networks and also those which are transmitted via the firewall. As the number of attacks possible in this place is smaller than in the preceding cases, the demands on the application are smaller. In this case the IDS generates few false alarms. The scope of visibility is limited to within the corporate network, so it will not be able to detect the failed attacks as in the previous cases.

Figure 3: Network IDS within the private network

It is always advisable to install the NIDS on a system other than the firewall; otherwise an attacker, exploiting the fact that the firewall and the IDS share a single computer, can pump in malicious traffic to generate too many false alerts while at the same time consuming system resources and affecting the operation of the firewall.

1.6. SNIFFING THE NETWORK TRAFFIC WITH IDS

In order to monitor the network, the traffic in that segment of the network has to be made available to the Network IDS. There exist several ways to eavesdrop on the network packets without obstructing their normal flow across the network, as mentioned below.

Sniffing the network packets in a Hub environment

Figure 4: Network IDS sniffing the network in a Hub environment

A network Hub is a physical layer device; hence whenever data frames arrive, it simply broadcasts them to all other ports. Only the destination system processes the data while the other machines discard it. In such an environment, the IDS can be connected to one of the Hub ports with its NIC in promiscuous (or general) mode, which enables it to get all the network packets moving around the network. Such a configuration is depicted in figure 4.

Eavesdropping via port mirroring or SPAN (Switched Port ANalyser) port in a switched environment:

In a switched network, the packets from a source machine are forwarded only to the respective destination machine as specified by the IP address, unlike in the case of a network connected via a Hub, where packets are broadcast to every other machine in the network. In such an environment, sniffing is made possible by a technique called Port Mirroring or Switched Port Analyzer, where the mirrored port gets a copy of the packets from all other ports. The machine with the IDS is connected to the mirrored port or SPAN port in promiscuous mode so that it can process all the packets irrespective of their destination. Because of the aggregation of traffic on a single SPAN port, there is a chance of packet drops.

Sniffing the traffic using a Network TAP (Test Access Port):

Figure 5: Network IDS sniffing the network using a TAP device

Network TAPs [4] are hardware devices having three interfaces: entry, exit and test port. The IDS is connected to the test port, where it can see the entire network traffic, as shown in figure 5. TAPs do not introduce any delay or affect the data movement in the network, and operate transparently as they do not possess an IP or hardware address.

Stealth mode operation

The Network IDS has to operate transparently to prevent intruders from targeting the IDS itself. So generally the IDS is configured to work in a special mode called Stealth mode. In this arrangement, the IDS sniffing interface is put in promiscuous mode without assigning an IP address, thus only listening to the packets flowing across the network and keeping its presence transparent to network users.

Usually the IDS has two network interfaces, one to monitor the network and the second one for administrative purposes, like configuring the IDS, updating signatures, communication with IDS sensors/Manager, dispatching alerts etc. An attacker can easily detect the configuration and location of the IDS by analyzing these messages on the network. It is therefore possible to guard the IDS by encrypting its messages or by creating a separate network for management, as shown in the diagram. The advantage of having a separate network between the IDS Manager and the IDS Sensors is not only to provide security but also to ensure out-of-band communication, meaning no bandwidth of the existing network is utilized for its communication.

Figure 6: Deployment scenario of NIDS with sensors in strategic points

It is generally recommended to use IDS sensors inside and outside the firewall, or between each firewall in a multi-layered environment, and host-based IDS on all critical or key hosts. The IDS Management Module and its sensors communicate via a zero-bandwidth LAN segment in a transparent or stealth operation mode. This kind of arrangement enables the IDS to have a complete view of the organizational network and can even detect failed attempts of attacks while reducing the chances of being compromised. Figure 6 depicts a complete deployment scenario of a Network IDS.
