Intrusion Detection Technique (Idt) 4.1 Introduction To Intrusion Detection (ID)

The document discusses intrusion detection techniques (IDT). It defines intrusion detection as a security system that monitors computer and network activity to identify security breaches from both internal and external threats. The document outlines different types of intruders and the functions of intrusion detection systems. It describes typical intrusion detection systems and the objectives they aim to achieve, including confidentiality, integrity, availability, and accountability. Finally, it discusses different types of intrusion detection techniques, including network-based, host-based, virtual-based, and statistical versus signature-based systems.

Uploaded by Vaishali Kodwal

Chapter 4

INTRUSION DETECTION TECHNIQUE (IDT)


4.1 Introduction to Intrusion Detection (ID)
It is a type of security management system for computers and networks. An ID
system gathers and analyzes information from various areas within a computer or a
network to identify possible security breaches, which include both intrusions (attacks
from outside the organization) and misuse (attacks from within the organization). ID uses
vulnerability assessment (sometimes referred to as scanning), which is a technology
developed to assess the security of a computer system or network. This field of research is
called Intrusion Detection (ID) [7].
An intruder is a person who enters a territory that does not belong to him.
Intruders may also be thieves or robbers. They mostly enter a territory in order to steal
things. However, in the case of animals, intrusion mostly involves stealing food and
testing the strength of the animals the territory belongs to.
There are different types of intruders:
• Masquerader: A person not authorized to use the computer system who penetrates
system protection by way of a legitimate user's account; usually an outsider.
• Misfeasor: A legitimate user who accesses assets that he is not authorized to, or
who is authorized but misuses his privileges; usually an insider.
• Clandestine user: A user who seizes supervisory control of the system; can be
either an insider or an outsider.
The functions of Intrusion Detection are:
• Monitoring and analyzing both user and system activities.
• Analyzing system configuration and vulnerabilities.
• Assessing system and file integrity.
• Recognizing patterns typical of attacks.
• Analyzing abnormal activity patterns.
• Tracking user policy violations.
48
The safeguarding of security is becoming increasingly difficult because the possible
technologies of attack are becoming ever more sophisticated; at the same time, less
technical ability is required for the novice attacker, because proven past methods are
easily accessed through the Web.
Typically, an ID system follows a two-step process. The first procedures are host-
based and are considered the passive component. These include: inspection of the
system's configuration files to detect inadvisable settings; inspection of the password
files to detect inadvisable passwords; and inspection of other system areas to detect
policy violations. The second procedures are network-based and are considered the
active component; mechanisms are set in place to re-enact known methods of attack and
to record system responses.
4.2 Typical IDS
As information systems have become more comprehensive and a higher value
asset of organizations, intrusion detection systems have been incorporated as elements of
operating systems, although not typically applications. Intrusion detection involves
determining that some entity, an intruder, has attempted to gain, or worse, has gained
unauthorized access to the system.
Intruders are classified into two groups. External intruders do not have any
authorized access to the system they attack. Internal intruders have at least some
authorized access to the system. Internal intruders are further subdivided into the
following three categories. Masqueraders are external intruders who have succeeded in
gaining access to the system and are acting as an authorized entity. Legitimate intruders
have access to both the system and the data but misuse this access (misfeasors).
Clandestine intruders have or have obtained supervisory (root) control of the system and
as such can either operate below the level of auditing or can use the privileges to avoid
being audited by stopping, modifying, or erasing the audit records [Anderson80].
Intrusion detection systems (IDS) have a few basic objectives. Among these
objectives are Confidentiality, Integrity, Availability, and Accountability.
Intrusion detection has traditionally been performed at the operating system (OS)
level mostly by comparing expected and observed system resource usage. OS intrusion
detection systems (OS IDS) can only detect intruders, internal or external, who perform
specific system actions in a specific sequence known to constitute an intrusion or those
intruders whose behavior pattern statistically varies from a norm. Internal intruders are
said to comprise at least fifty percent of intruders [ODS99], but OS intrusion detection
systems are frequently insufficient to catch such intruders since they neither perform the
specific intrusive actions because they are already legitimate users of the system, nor
significantly deviate from expected behavior.
We hypothesize that application specific intrusion detection systems can use the
semantics of the application to detect more subtle attacks such as those carried out by
internal intruders who possess legitimate access to the system and its data and act within
their bounds of normal behavior, but who are actually abusing the system. This research
will explore the opportunities and limits of utilizing application semantics to detect
internal intruders through general discussion and extensive examples. We will also
investigate the potential for application intrusion detection systems (AppIDS) to
cooperate with OS intrusion detection systems (OS IDS) to further increase the level of
defense offered by the collective intrusion detection system.

4.3 Types of IDS Techniques


For the purpose of intrusion detection, the following are the different types of IDS:
4.3.1 Network intrusion detection system (NIDS)
It is an independent platform that identifies intrusions by examining network
traffic and monitors multiple hosts. Network intrusion detection systems gain access to
network traffic by connecting to a network hub, a network switch configured for port
mirroring, or a network tap. In a NIDS, sensors are located at choke points in the network
to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors
capture all network traffic and analyze the content of individual packets for malicious
traffic. An example of a NIDS is Snort.

4.3.2 Host-based intrusion detection system (HIDS)


It consists of an agent on a host that identifies intrusions by analyzing system
calls, application logs, file-system modifications (binaries, password files, capability
databases, access control lists, etc.) and other host activities and state. In a HIDS, sensors
usually consist of a software agent. Some application-based IDS are also part of this
category. An example of a HIDS is OSSEC.

4.3.3 Virtual-based Intrusion Detection System


An intrusion detection system deployed inside of a Virtual Machine. Intrusion
detection systems can also be system-specific using custom tools and honeypots. In the
case of physical building security, IDS is defined as an alarm system designed to detect
unauthorized entry.

4.3.4 Passive and/or reactive systems


In a passive system, the intrusion detection system (IDS) sensor detects a
potential security breach, logs the information and signals an alert on the console and/or
to the owner. In a reactive system, also known as an intrusion prevention system (IPS), the IPS
auto-responds to the suspicious activity by resetting the connection or by reprogramming
the firewall to block network traffic from the suspected malicious source. The term IDPS
is commonly used for systems that both "detect" (alert) and "prevent", where prevention
can happen automatically or at the command of an operator.

4.3.5 Comparison with firewalls


Though they both relate to network security, an intrusion detection system (IDS)
differs from a firewall in that a firewall looks outwardly for intrusions in order to stop
them from happening. Firewalls limit access between networks to prevent intrusion and
do not signal an attack from inside the network. An IDS evaluates a suspected intrusion
once it has taken place and signals an alarm. An IDS also watches for attacks that
originate from within a system. This is traditionally achieved by examining network
communications, identifying heuristics and patterns (often known as signatures) of
common computer attacks, and taking action to alert operators. A system that terminates
connections is called an intrusion prevention system, and is another form of an
application layer firewall.

4.4 Statistical anomaly and signature based IDSs
All Intrusion Detection Systems use one of two detection techniques:
4.4.1 Statistical anomaly-based IDS
A statistical anomaly-based IDS determines normal network activity, such as what
sort of bandwidth is generally used, what protocols are used, and what ports and devices
generally connect to each other, and alerts the administrator or user when traffic is
detected which is anomalous (not normal). [9]
4.4.2 Signature-based IDS
A signature-based IDS monitors packets in the network and compares them with
preconfigured and predetermined attack patterns known as signatures. The issue is that
there will be a lag between a new threat being discovered and a signature for it being
applied in the IDS; during this lag time the IDS will be unable to identify the
threat. [2]
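To make the contrast between the two techniques concrete, here is an added example (not from the chapter) that runs a signature engine and a profile-based anomaly engine over a handful of constructed connection records. The record format, the signature table and the traffic samples are assumptions made for illustration; the "phf" indicator is the one this chapter cites later for CGI program attacks. The record on port 31337 has no signature yet, so only the anomaly engine flags it, which is the signature lag described above; the probe on port 80 that matches no signature and uses a normal service is missed by both engines.

```python
"""Signature-based vs. statistical anomaly-based detection over constructed
connection records. Added example, not from the chapter; the record format,
signature table and traffic samples are assumptions made for illustration."""
from collections import Counter, namedtuple

Conn = namedtuple("Conn", "src proto dst_port payload")

# Constructed signature table. "/cgi-bin/phf" is the indicator string the
# chapter itself cites for a CGI program attack; "../../" is a generic
# directory-traversal marker added for illustration.
SIGNATURES = {
    "/cgi-bin/phf": "CGI phf probe",
    "../../": "directory traversal attempt",
}

# Constructed "normal" traffic used to learn the profile: web and DNS only.
TRAINING = [
    Conn("10.0.0.5", "tcp", 80, "GET /index.html"),
    Conn("10.0.0.6", "tcp", 443, "<tls handshake>"),
    Conn("10.0.0.7", "udp", 53, "A? example.test"),
    Conn("10.0.0.5", "tcp", 80, "GET /about.html"),
]

# Constructed traffic to examine.
OBSERVED = [
    Conn("10.0.0.8", "tcp", 80, "GET /news.html"),             # normal
    Conn("10.0.0.9", "tcp", 80, "GET /cgi-bin/phf?Qalias=x"),  # known signature
    Conn("10.0.0.12", "tcp", 31337, "HELLO"),                  # no signature yet
    Conn("10.0.0.13", "tcp", 80, "GET /cgi-bin/newtool"),      # neither detects
]


def signature_detect(conns, signatures=SIGNATURES):
    """Misuse detection: flag any record whose payload contains a known pattern."""
    alerts = []
    for c in conns:
        for pattern, name in signatures.items():
            if pattern in c.payload:
                alerts.append((c.src, name))
    return alerts


def build_profile(training):
    """Profile of normal activity: how often each (proto, port) service is seen."""
    return Counter((c.proto, c.dst_port) for c in training)


def anomaly_detect(conns, profile):
    """Anomaly detection: flag any record using a service absent from the profile."""
    return [(c.src, f"unseen service {c.proto}/{c.dst_port}")
            for c in conns if profile[(c.proto, c.dst_port)] == 0]


def compare(observed=OBSERVED, training=TRAINING):
    """Return the alerts raised by each technique side by side."""
    return {
        "signature": signature_detect(observed),
        "anomaly": anomaly_detect(observed, build_profile(training)),
    }


if __name__ == "__main__":
    for technique, alerts in compare().items():
        print(technique, alerts)
```

The profile here is deliberately crude (presence of a service, not its volume); the next section's discussion of statistical relations and thresholds is where volume-based profiles belong.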
4.5 Generic Characteristics of IDS
After analyzing the approaches taken by IDS at the operating system and network
levels, some generic characteristics of intrusion detection became apparent. To
characterize OS ID and then compare it to Application Intrusion Detection (App ID), we
first need to define some terminology that will allow us to discuss the characteristics of
both more precisely [9]. This terminology is similar to that used for prior software and
hardware error detection research.
A relation is an expression of how two or more values are associated. An
observable entity is any object, such as a user, data object, or system device that has or
produces a value in the monitored system that can be used in defining a relation.
Examples of operating system level observable entities include CPU time usage, the
number of files associated with a user, and the timestamp of the last modification to a
file. There are two basic types of relations although some blending between the two is
possible [9]. Statistical relations can be used to compare the current value of an
observable entity to a profile, a collection of statistical and other relevant information
characterizing normal or anomalous behavior. These are most often used in anomaly
detection. Rule-based relations relate the immediate or accumulated value to a
predefined expected value and are most often used in misuse detection.
Thresholds can be set for the relations regardless of whether they are statistical or
rule-based. Thresholds determine how the result of the relation will be interpreted;
results outside of the threshold will be considered anomalous and results within the
threshold will be considered normal. Thresholds are normally characterized by a certain
number of standard deviations for statistical distributions or by a range, either fixed in
size or as a percentage of the expected value, for rule-based analysis.
Setting the thresholds will impact the effectiveness of the IDS in detecting
intrusions. Tighter thresholds, permitting less discrepancy, allow for greater detection
but at the risk of more false alarms, an indication of an intrusion in the absence of an
intrusion. Looser thresholds produce fewer false alarms but potentially at the cost of
diminished detection.
The frequency with which a relation is evaluated can also impact the effectiveness
of the intrusion detection system. It is possible for the IDS to evaluate all relations
immediately after each event, the results of actions taken by users, processes, or devices
that may be related to a potential intrusion. However, this may place an intolerable
processing burden on the IDS. Therefore, events are typically collected in audit records
over a period of time. Audit record entries can be reduced by combining some events
into a single entry for analysis. For example, a single, failed log-in attempt is most likely
insignificant, but many failed log-in attempts over a relatively short period of time may
indicate a possible intrusion. The period of time between audit record analysis may be
determined using real time or logical time where the relations are evaluated after a certain
number of events have occurred. Audit records only deal with notions defined by the OS.
Many aspects of the application are not visible to the OS and thus are not in the audit
records.
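The following added example (not from the chapter) implements the terminology of this section in code: a statistical relation whose threshold is a number of standard deviations from a profile, a rule-based relation whose threshold is a percentage range around an expected value, the threshold trade-off between detections and false alarms, and the audit-record reduction of many failed log-ins into one countable event; it also serves as the "baseline deviation" trigger of section 4.6. The observable entities, sample values, percentages and login events are constructed for illustration.

```python
"""Statistical and rule-based relations, thresholds, and audit-record reduction.
Added example, not from the chapter; the profile samples, observations,
percentages and login events are constructed."""
from statistics import mean, stdev


def build_profile(samples):
    """Profile for a statistical relation: the mean and standard deviation of an
    observable entity (here, a user's daily CPU minutes) under normal use."""
    return mean(samples), stdev(samples)


def statistical_relation(value, profile, k):
    """Statistical relation: the value is anomalous when it lies more than k
    standard deviations from the profile mean."""
    mu, sigma = profile
    return abs(value - mu) > k * sigma


def rule_based_relation(value, expected, pct):
    """Rule-based relation: the value is anomalous when it falls outside a range
    of +/- pct percent around the predefined expected value."""
    return abs(value - expected) > expected * pct / 100.0


def evaluate_threshold(profile, labelled, k):
    """Apply one threshold k to labelled observations (value, is_intrusion) and
    count detections, false alarms and misses."""
    detections = false_alarms = misses = 0
    for value, is_intrusion in labelled:
        flagged = statistical_relation(value, profile, k)
        if flagged and is_intrusion:
            detections += 1
        elif flagged:
            false_alarms += 1
        elif is_intrusion:
            misses += 1
    return detections, false_alarms, misses


def reduce_failed_logins(events, window_seconds, min_count):
    """Audit reduction: collapse individual failed-login events into a per-user
    count over a sliding real-time window; return the users whose count within
    any single window reached min_count."""
    by_user = {}
    for ts, user, outcome in sorted(events):
        if outcome == "FAIL":
            by_user.setdefault(user, []).append(ts)
    flagged = {}
    for user, times in by_user.items():
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            flagged[user] = best
    return flagged


# Constructed data: eight normal days of CPU minutes (mean 40, stdev 2).
CPU_PROFILE = build_profile([40, 42, 38, 41, 39, 43, 40, 37])
# Constructed observations labelled with ground truth: (value, is_intrusion).
CPU_OBSERVED = [(44, False), (36, False), (41, False), (55, True), (45, True)]
# Constructed login audit events: (seconds since start, user, outcome).
LOGIN_EVENTS = [
    (0, "alice", "FAIL"), (5, "alice", "OK"), (30, "carol", "FAIL"),
    (100, "bob", "FAIL"), (110, "bob", "FAIL"), (120, "bob", "FAIL"),
    (130, "bob", "FAIL"), (140, "bob", "FAIL"), (900, "bob", "FAIL"),
]

if __name__ == "__main__":
    for k in (1, 3):
        print(f"k={k} (detections, false alarms, misses):",
              evaluate_threshold(CPU_PROFILE, CPU_OBSERVED, k))
    print("215 files vs expected 200 +/-10%:", rule_based_relation(215, 200, 10))
    print("230 files vs expected 200 +/-10%:", rule_based_relation(230, 200, 10))
    print("failed-login reduction:", reduce_failed_logins(LOGIN_EVENTS, 60, 5))
```

With k = 1 the tight threshold catches both intrusions but raises two false alarms; with k = 3 the false alarms vanish and the subtle intrusion at 45 minutes is missed, which is exactly the trade-off the text describes. The reduction step turns five separate failures by one user within forty seconds into a single reportable event while ignoring the isolated failures by the others.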

4.6 Intrusion Detection Technique
In our system the IDS is installed on the server side, which serves local hosts and
users over the internet as shown in Figure 4.1. There are four actors in the system, namely
monitor, user, network and system administrator. A user sends a request to the server over
the internet or LAN and the IDT analyzes the packets received by the server. This IDT
detects both internal and external intrusions. If it detects an intrusion it alerts the
system administrator.

[Figure: server hosting the IDS and the system administrator console, a router, Host 1 to Host n, and User App1 to User Appn]

Figure 4.1 Intrusion Detection System Description

A Network Intrusion Detection System (NIDS) is a system which monitors network
intrusion. Intrusion may be detected by techniques like anomaly detection, signature
pattern matching etc. Anomaly detection is a method in which normal network behavior
is captured and any abnormality in the network is detected, such as a sudden increase in
network traffic rate (number of IP packets per second). Signature pattern matching is a
method in which network data is compared with the known attack techniques that are
saved in a database. For example, an IDS that watches web servers might be programmed
to look for the string "phf" as an indicator for a CGI program attack.

An intrusion is detected and the system administrator is alerted about the kind of
intrusion when any one of the following events takes place:
1. A foreign entity has been detected in a log entry.
2. A user tries to access information which is beyond his/her access rights.
3. A baseline for critical system resources, such as CPU utilization, file
entries, disk activity and user logins, is measured; the system can then trigger when
there is a deviation from this baseline.
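The first two triggers are rule checks over server log entries, and they are the ones that catch the internal intruder the chapter is concerned with: a legitimate user whose activity looks statistically normal but who reads or changes data outside his authorization. The following added example (not from the chapter) runs both checks over constructed log lines; the key=value log format, the host and user lists and the access-control table are assumptions made for illustration. The third trigger, baseline deviation, is the statistical relation of section 4.5 and is not repeated here.

```python
"""Rule checks for the first two alert triggers of this section: a foreign
entity in a log entry, and access beyond a user's authorization. Added example,
not from the chapter; the log format, entity lists and ACL are constructed."""

# Constructed server log. Line 2 is a misfeasor (alice may read payroll, not
# write it), line 4 comes from an unknown host, line 5 from an unknown user,
# and line 6 is bob reading data he has no rights to.
LOG = """\
2024-03-01T09:00:01 host=web1 user=alice action=READ resource=/payroll/summary
2024-03-01T09:00:07 host=web1 user=alice action=WRITE resource=/payroll/rates
2024-03-01T09:01:12 host=web2 user=bob action=READ resource=/docs/handbook
2024-03-01T09:02:45 host=kiosk7 user=bob action=READ resource=/docs/handbook
2024-03-01T09:03:30 host=web1 user=mallory action=READ resource=/docs/handbook
2024-03-01T09:04:02 host=web2 user=bob action=READ resource=/payroll/summary
"""

KNOWN_HOSTS = {"web1", "web2"}
KNOWN_USERS = {"alice", "bob"}
# Constructed ACL: user -> list of (resource prefix, permitted actions).
ACL = {
    "alice": [("/payroll/", {"READ"}), ("/docs/", {"READ"})],
    "bob": [("/docs/", {"READ", "WRITE"})],
}


def parse_entry(line):
    """Parse one constructed 'timestamp key=value ...' log line.
    Returns None for blank or malformed lines so they cannot be silently
    treated as authorized activity."""
    tokens = line.split()
    if len(tokens) < 5:
        return None
    fields = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
    if not {"host", "user", "action", "resource"} <= fields.keys():
        return None
    fields["timestamp"] = tokens[0]
    return fields


def is_authorized(acl, user, action, resource):
    """Trigger 2: the action on the resource must match one of the user's ACL
    entries; anything not explicitly permitted is beyond the user's access."""
    for prefix, actions in acl.get(user, ()):
        if resource.startswith(prefix) and action in actions:
            return True
    return False


def analyze(log_text, known_hosts=KNOWN_HOSTS, known_users=KNOWN_USERS, acl=ACL):
    """Return (line number, trigger, detail) for every entry that should alert
    the system administrator."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_entry(line)
        if entry is None:
            continue
        foreign = []
        if entry["host"] not in known_hosts:
            foreign.append(f"host {entry['host']}")
        if entry["user"] not in known_users:
            foreign.append(f"user {entry['user']}")
        if foreign:
            # Trigger 1: an entity the system does not know appears in the log.
            alerts.append((line_no, "foreign entity", ", ".join(foreign)))
            continue  # no ACL exists for an unknown user, so stop here
        if not is_authorized(acl, entry["user"], entry["action"], entry["resource"]):
            alerts.append((line_no, "access beyond authorization",
                           f"{entry['user']} {entry['action']} {entry['resource']}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(LOG):
        print(alert)
```

Note that line 2 would never stand out to an OS-level statistical profile: one write by a user who writes files every day is normal volume. It is only the application semantics encoded in the ACL (payroll rates are read-only for this user) that make it an intrusion, which is the point the chapter makes about application-specific intrusion detection.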

4.7 The Need for IDS


There are several reasons to acquire and use IDS:
* To prevent problem behaviors.
* To detect attacks and other security violations.
* To detect and deal with the preambles to attacks.
* To document the existing threat to an organization.
* To act as quality control for security design and administration.
* To provide useful information about intrusions that do take place, allowing
improved diagnosis, recovery and correction of causative factors.
A computer system should have confidentiality, integrity and assurance against
denial of service. However, due to increased connectivity (especially on the Internet) and
the vast spectrum of financial possibilities that are opening up, more and more systems
are subject to attack by intruders. These subversion attempts try to exploit flaws in the
operating system as well as in application programs and have resulted in spectacular
incidents like the Internet Worm incident of 1988.

There are two ways to handle subversion attempts. One way is to prevent
subversion itself by building a completely secure system. We could, for example,
require all users to identify and authenticate themselves; we could protect data by various
cryptographic methods and very tight access control mechanisms. However, this is not
really feasible because of the following reasons:

1. In practice, it is not possible to build a completely secure system. Miller
gives a compelling report on bugs in popular programs and operating
systems that seems to indicate that (a) bug free software is still a dream
and (b) no one seems to make the effort to try to develop such software.
Apart from the fact that we do not seem to be getting our money's worth
when we buy software, there are also security implications when our e-
mail software, for example, can be attacked. Designing and implementing
a totally secure system is thus an extremely difficult task.
2. The vast installed base of systems worldwide guarantees that any
transition to a secure system (if one is ever developed) will be long in
coming.
3. Cryptographic methods have their own problems. Passwords can be
cracked, users can lose their passwords, and entire crypto-systems can be
broken.
4. Even a truly secure system is vulnerable to abuse by insiders who abuse
their privileges.
5. It has been seen that the relationship between the level of access control
and user efficiency is an inverse one, which means that the stricter the
mechanisms, the lower the efficiency becomes.

We thus see that we are stuck with systems that have vulnerabilities for a while
to come. If there are attacks on a system, we would like to detect them as soon as possible
(preferably in real-time) and take appropriate action. This is essentially what an IDS
does. An IDS does not usually take preventive measures when an attack is detected; it is a
reactive rather than proactive agent. It plays the role of an informant rather than a police
officer.
The most popular way to detect intrusion has been by using the audit data
generated by the operating system. An audit trail is a record of activities on a system that
are logged to a file in chronologically sorted order. Since almost all activities are logged
on a system, it is possible that a manual inspection of these logs would allow intrusions to
be detected. However, the incredibly large sizes of audit data generated (on the order of
100 Megabytes a day) make the manual analysis impossible. IDSs automate the drudgery
of wading through the audit data jungle. Audit trails are particularly useful because they
can be used to establish guilt of attackers, and they are often the only way to detect
unauthorized but subversive user activity.
Many times, even after an attack has occurred, it is important to analyze the audit
data so that the extent of damage can be determined, the tracking down of the attackers is
facilitated, and steps may be taken to prevent such attacks in future. An IDS can also be
used to analyze audit data for such insights. This makes IDSs valuable as real-time as
well as post-mortem analysis tools.
Spafford (The COAST Project, Department of Computer Science, Purdue
University, IN) reports:
• Information theft is up over 250% in the last five years.
• 99% of all major companies report at least one major incident.
• Telecom and computer fraud totaled $ 10 billion in the US alone.
Since it seems obvious that we cannot prevent subversion, it is thus more important
than ever before that we should at least try to detect it and prevent similar attacks in
future.
4.8 Chapter Summary
In this chapter we discuss the need for ID and different types of IDS techniques in the
first four sections. The general characteristics of IDS, the different types of IDTs and the
need for IDS are discussed in the subsequent sections.
