In: Categories » Electronics and communication » Network security » An Introduction to Intrusion Detection
|
The term intrusion detection means many things to many people; however, for the sake of clarity we're going to define it as the act of detecting a hostile user or intruder who is attempting to gain unauthorized access. Assuming this definition, a number of popular methods are used to detect intruders—for example, inspecting system, Web, application, firewall, and router logs for hostile or unusual activity. Some system administrators will implement binary integrity checkers such as AIDE or Tripwire, in hopes of catching successful attackers when they deposit Trojan code on compromised servers. Other administrators will simply monitor event logs looking for failed user login attempts. Although all these methods are helpful, they become difficult, if not impossible, to perform on a daily basis. Introduce a few hundred machines, and the task becomes downright overwhelming. Enter: the intrusion detection system. The roots of modern-day intrusion detection systems lie in the Intrusion Detection Expert System (IDES) and Distributed Intrusion Detection System (DIDS) models that were developed by the U.S. Department of Defense (DOD) back in the late '80s and early '90s. These were some of the first automated systems to be deployed. Today, most intrusion detection (ID) systems are de signed with the same goal in mind: to help automate the process of looking for intruders. This can be as simple as the real-time parsing of firewall logs looking for port scans, or as complex as applying inspection routines to raw network traffic looking for buffer overflow attempts. Traditional IDS classification schemes put most systems into two distinct camps: misuse detection models and anomaly-based detection models. There are two implementations of the misuse detection model: network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). Readers should note that many other intrusion detection models do exist, but are less popular. However, most modern-day IDS implementations can be grouped into one of these categories: · Network-based IDS. In their current form, NIDS devices are raw packet-parsing engines—glorified sniffers on steroids. They capture network traffic and compare the traffic with a set of known attack patterns or signatures. NIDS devices compare these signatures every single packet that they see, in hopes of catching intruders in the act. NIDS devices can be deployed passively, without requiring major modifications to systems or networks. · Host-based IDS. These systems vary from vendor to vendor, but they are usually system centric in their analysis. Most host-based IDSs will have components that parse system logs and watch user logins and processes. Some of the more advanced systems will even have built-in capabilities to catch Trojan code deployments. Host-based systems are agent-based—that is, they require the installation of a program on the systems they protect. This allows them to be more thorough on some levels, but also more of a headache to deploy and administer. · Anomaly-based IDS. Anomaly-based systems are a bit more obscure, and are often times referred to as more of a "concept" than an actual model. The philosophy behind anomaly-based approaches is to understand the patterns of users and traffic on the network, and find deviations in those patterns. For example, a user who normally logs in Monday through Friday but is now logging in at 3 a.m. on a Sunday might be flagged as a potential problem by an anomaly IDS. In theory, an anomaly-based IDS could detect that something was wrong without knowing specifically what the source of the problem was. The most common IDS types, both commercial and deployed, are HIDS and NIDS models. Although working models of anomaly-based IDSs exist, they are rarely deployed outside of government and academic circles. Note Many people unfamiliar with the intrusion detection system field confuse the technology with access control devices such as firewalls. Intrusion detection systems, in their current form, do not serve as a method of access control. While a number of them can be config ured to interact with firewalls, this is not their primary purpose. Beginners should think of intrusion detection systems as a type of burglar alarm, and not as a lock or door.
|
legal disclaimer
1) Our website is not responsible for the information contained by this article as well for any and all copyright infringements by authors and writers. E-articles is a free information resource. If you suspect this article for any copyright infringements, please read the Terms of service and contact us to investigate the problem.
2) The E-articles directory team is not responsible for inaccuracies, falsehoods, or any other types of misinformation this tutorial may contain and will not be liable for any loss or damage suffered by a user through the user's reliance on the information gained here. Please read the Terms of service
Useful tools and features
If you like this article (tutorial), please link to it from your web page using the information above. Linking to this page, this is the only way to help us improve our service, the same time providing your visitors with a way to improve their online experience.
related articles
This section takes a few steps to describe the basic principles of the AAA methodology, which is considered to be the fundamental structure behind the Remote Authentication Dial-In User Service (RADIUS). Additionally we briefly identify the functionality and principles of the RADIUS protocol. In the middle of the section we go through the steps required to install, configure, maintain, and monitor your RADIUS services. We conclude with practical implementations of the RADIUS protocol in relation to user authentication on wirele...
2. PDAs Versus Laptops
The first question that beginners ask before assembling their kit is whether a laptop or a PDA should be used for wireless penetration testing of any kind. Our answer is to use both if you can. The main advantage of PDAs (apart from size) is decreased power consumption, letting you cover a significant territory while surveying the site. The main disadvantage is the limited resources, primarily nonvolatile memory. The CPU horsepower is not that important here as we are not cracking AES. Other disadvantages are the limited amount...
3. Cryptographic Hash Functions
Can symmetric cryptography meet the requirements of the Biba model, based on the data integrity checks and proper authentication? The answer is "yes," but in a very inefficient way. Recall the practical authentication example with the UNIX (well, Linux in our case) password encryption flaw when DES in ECB is used. Of course, any of the feedback modes or 128-bit block ciphers can be used instead of DES, with the obvious performance penalties. However, in our example, MD5 scales very well. A cryptographic hash function i...
4. 802.11i Wireless Security Standard and WPA
Thus, the main hope of the international 802.11 community and network administrators lies with the 802.11i standard development. Sometimes 802.11i is referred to as the Robust Security Network (RSN) as compared to traditional security network (TSN). The "i" IEEE task group was supposed to produce a new wireless security standard that should have completely replaced legacy WEP by the end of 2003. In the meantime, some bits and pieces of the incoming 802.11i standard have been implemented by wireless equipment and software vendor...
The article devoted to the proprietary and standards-based improvements for currently vulnerable 802.11 safeguards. The most publicized 802.11 vulnerability is the insecurity of WEP. We have already reviewed the cryptographic weaknesses of WEP linked to the key IV space reuse and insecure key-from-string generation algorithm. There are also well-known WEP key management issues: All symmetric cipher implementations suffer secure key distribution problems. WEP is no exception. In the original design,...
6. Penetration Testing as Your First Line of Defense
It is hard to overemphasize the importance of penetration testing in the overall information security structure and the value of viewing your network through the cracker's eyes prior to further hardening procedures. There are a variety of issues specific to penetration testing on wireless networks. First of all, the penetration tester should be very familiar with RF theory and specific RF security problems (i.e., signal leak and detectability, legal regulations pertaining to the transmitter power output, and characteris...
7. Asymmetric Cryptography
Message authentication using HMACs works just fine, but how do we distribute symmetric cipher keys among the users? We can pass them around on floppies or fancy USB pen-drives with encrypted partitions on them, but what if many users live all over the world? What if the physical key distribution method takes time and the keys must be frequently changed? This is the case with the traditional WEP, which should be rotated every few minutes. Key-encrypting keys (KEKs) were offered as symmetric cipher keys used only to encrypt...