INTRUSION DETECTION SYSTEM
SIKIRU, HAMMED OLAYINKAFUO/NAS/10079
1.0 INTRODUCTION
Nowadays the database is the only professional structure for storing and processing
complex information and huge amounts of data. The database structure brings several
advantages: quick and real-time access, high security, the establishment of standards,
automated reports and statistics, etc. It is the most popular format that organizations,
banks, government establishments, universities, industries and many other institutions
all over the world use for storing data and information concerning their activities. Many
schools in the world have already installed an information management system and are
efficiently using the advantages of Information Technology. A School Management
System is a large database system which can be used for managing the school's
day-to-day business. But with information storage comes the risk of information
insecurity, as vital information could be compromised. This seminar is targeted towards
highlighting the importance of computer security on a campus.
2.1 DESCRIPTION
An intrusion-detection system acquires information about an information system to
perform a diagnosis on the security status of the latter. The goal is to discover breaches of
security, attempted breaches, or open vulnerabilities that could lead to potential breaches.
A typical intrusion-detection system is shown below
An intrusion-detection system can be described at a very macroscopic level as a detector
that processes information coming from the system to be protected. This detector can also
launch probes to trigger the audit process, such as requesting version numbers for
applications. It uses three kinds of information: long-term information related to the
technique used to detect intrusions (a knowledge base of attacks, for example),
configuration information about the current state of the system, and audit information
describing the events that are happening on the system. The role of the detector is to
eliminate unneeded information from the audit trail. It then presents either a synthetic
view of the security-related actions taken during normal usage of the system, or a
synthetic view of the current security state of the system. A decision is then taken to
evaluate the probability that these actions or this state can be considered as symptoms of
an intrusion or vulnerabilities. A countermeasure component can then take corrective
action to either prevent the actions from being executed or change the state of the system
back to a secure state.
2.2 EFFICIENCY OF AN INTRUSION-DETECTION SYSTEM
To evaluate the efficiency of an intrusion-detection system, we have proposed the
following three parameters:
Accuracy: Accuracy deals with the proper detection of attacks and the absence of
false alarms. Inaccuracy occurs when an intrusion-detection system flags a
legitimate action in the environment as anomalous or intrusive.
Performance: The performance of an intrusion-detection system is the rate at
which audit events are processed. If the performance of the intrusion-detection
system is poor, then real-time detection is not possible.
Completeness: Completeness is the property of an intrusion-detection system to
detect all attacks. Incompleteness occurs when the intrusion-detection system fails
to detect an attack. This measure is much more difficult to evaluate than the others
because it is impossible to have global knowledge of all attacks or abuses of
privileges.
2.2.1 PROPERTIES OF AN INTRUSION DETECTION SYSTEM
Fault tolerance: An intrusion-detection system should itself be resistant to attacks,
especially denial-of-service-type attacks, and should be designed with this goal in
mind. This is particularly important because most intrusion-detection systems run
on commercially available operating systems or hardware, which are known to be
vulnerable to attacks.
Timeliness: An intrusion-detection system has to perform and propagate its
analysis as quickly as possible to enable the operator to react to it before much
damage has been done, and also to prevent the attacker from subverting the audit
source or the intrusion-detection system itself. This implies more than the
measure of performance, because it encompasses not only the intrinsic
processing speed of the intrusion-detection system, but also the time required to
propagate the information and react to it.
2.3 MOTIVATION
Computer networking is a developing technology that is gaining widespread acceptance
and popularity in the commercial sector as a result of standardized protocols and
specifications.
To truly secure a network, a second line of defense is also needed: an Intrusion Detection
System that can detect a third party that tries to exploit the security of the network, even
if this attack has not been experienced before. If the intruder is detected soon enough,
appropriate measures can be taken before any damage is done or any data is
compromised. Thus, intrusion detection presents a second wall of defense and is a
necessity in a high-survivability network.
2.3.1 AIM AND OBJECTIVES
The aim of this seminar is to study the use of an Intrusion Detection and Prevention
System in a School Campus infrastructure-based network and try to use anomaly-
detection techniques to detect different types of attacks within the network.
The objectives to be achieved are outlined below:
To study how a Network Intrusion Detection System can detect abnormal
network traffic in a campus school network based on data such as header fields,
logical addresses and secure port numbers.
To present the test results of the Intrusion Detection System to ensure that it
performs the outlined intrusion detection and bandwidth management functions.
To showcase the use of the intrusion detection system to protect information in a
public institution.
2.3.2 PREVENTION OF AN INTRUSION DETECTION SYSTEM
When an intrusion-detection system is deployed, it becomes the natural primary target of
hostile attacks, with the aim of disabling the detection feature and allowing an attacker to
operate without being detected. Disabling the intrusion-detection system can happen in
the following ways:
Denial-of-service attacks. Denial-of-service attacks are a powerful and relatively
easy way of temporarily disabling the intrusion-detection system. The attack can
take place against the detector, by forcing it to process more information than it
can handle (for example by saturating a network link). This usually has the effect
of delaying detection of the attack or, in the worst case, of confusing the detector
enough so that it misses some critical element of the attack. A second possibility
is to saturate the reaction capability of the operator handling the intrusion-
detection system. When the operator is presented with too many alarms, he can
easily miss the important one indicating penetration, even if it is present on the
screen.
Evasion of the detection. Several techniques have been developed to evade
detection of an attack by intrusion-detection systems. Network-based tools, the
most popular tools today, particularly suffer from these attacks involving hand-
crafted network packets:
i.) Attack by IP fragmentation: Intrusion-detection systems have difficulties reassembling
IP packets. Therefore, splitting an attack artificially into multiple packets creates a
mismatch between the data in the packet and the signature, thus hiding the attack.
ii.) Attack via the TTL (Time to Live): By altering the TTL of IP packets, it is possible to
make the intrusion-detection system see packets that will not arrive at the target of the
attack. By inserting fake data into the communication stream, an attacker can interleave
the attack with bogus information, thus hiding the attack from the intrusion detection
system while the target correctly reconstructs this attack data and reacts to it.
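The fragmentation case in item i.) is easy to see in code. The following Python is an added example written for this page, not code from the seminar or from any IDS product: it models a payload cut into fragments (the fragment sizes, the constructed signature string and the function names are assumptions) and compares a detector that matches each fragment on its own with one that reassembles the stream the way the target host does before matching.

```python
# Added example: why per-packet signature matching misses a fragmented payload,
# and how stream reassembly fixes it. All names and data are constructed.

# Constructed knowledge-base entry: the byte pattern the detector looks for.
SIGNATURE = b"EVIL-PATTERN"


def split_into_fragments(payload, sizes):
    """Cut a payload into (offset, data) fragments of the given sizes.

    Stands in for IP fragmentation: the receiving host restores the original
    stream by offset, so every split delivers the same bytes to the target.
    """
    fragments, offset = [], 0
    for size in sizes:
        chunk = payload[offset:offset + size]
        if chunk:
            fragments.append((offset, chunk))
        offset += size
    if offset < len(payload):          # whatever is left becomes the last fragment
        fragments.append((offset, payload[offset:]))
    return fragments


def per_packet_detector(fragments):
    """Naive detector: matches the signature against each fragment in isolation."""
    return any(SIGNATURE in data for _, data in fragments)


def reassembling_detector(fragments):
    """Detector that rebuilds the stream before matching, so a signature that
    straddles a fragment boundary is still found. Fragments may arrive out of
    order; they are placed by offset. (Real IP stacks resolve overlapping
    fragments differently, so a production detector must follow the target
    host's policy; this example assumes no overlaps.)"""
    buffer = bytearray()
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        end = offset + len(data)
        if end > len(buffer):
            buffer.extend(b"\x00" * (end - len(buffer)))
        buffer[offset:end] = data
    return SIGNATURE in bytes(buffer)


def demo():
    """Same payload, unfragmented vs. fragmented, through both detectors."""
    payload = b"GET /index.html " + SIGNATURE + b" HTTP/1.0"   # constructed
    whole = [(0, payload)]
    split = split_into_fragments(payload, [20, 8])   # boundary falls inside the signature
    out_of_order = list(reversed(split))
    return {
        "whole_naive": per_packet_detector(whole),                        # True
        "split_naive": per_packet_detector(split),                        # False: missed
        "split_reassembled": reassembling_detector(split),                # True
        "out_of_order_reassembled": reassembling_detector(out_of_order),  # True
    }


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name}: {'alert' if found else 'no alert'}")
```

The per-packet detector raises no alert once the signature is split across two fragments, which is exactly the "mismatch between the data in the packet and the signature" described above; the reassembling detector restores the stream first and therefore still matches, whatever order the fragments arrive in.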
Good descriptions of various attack techniques and of how intrusion-detection systems
react to them exist in the literature. Intrusion-detection systems are beginning to protect
themselves from these attacks, but little information is released by vendors as to the
effectiveness of these protection measures. In addition, it is often difficult to verify the
configuration of an intrusion-detection system, as in most cases there is no easy way to
check the configuration and confirm the proper detection of the attacks.
3.0 INFORMATION SECURITY
Information security is the process of protecting the availability, privacy, and integrity of
data. While the term often describes measures and methods of increasing computer
security, it also refers to the protection of any type of important data, such as
personal diaries or the classified plot details of an upcoming book. No security system is
foolproof, but taking basic and practical steps to protect data is critical for good
information security (Wise Geek, 2012).
The CIA triad (confidentiality, integrity and availability) is one of the core principles of
information security (ISACA, 2006).
There is continuous debate about extending this classic trio. Other principles such as
accountability have sometimes been proposed for addition; it has been pointed out that
issues such as non-repudiation do not fit well within the three core concepts, and as
regulation of computer systems has increased (particularly amongst the Western nations),
legality is becoming a key consideration for practical security installations (Aceituno,
2005).
In 1992 (revised in 2002), the OECD's Guidelines for the Security of Information
Systems and Networks proposed nine generally accepted principles: Awareness,
Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and
Implementation, Security Management, and Reassessment. Building upon those, in 2004
the NIST's Engineering Principles for Information Technology Security proposed 33
principles. From these, guidelines and practices were derived (Harris, 2003).
In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he
called the six atomic elements of information. The elements are confidentiality,
possession, integrity, authenticity, availability, and utility. The merits of the Parkerian
hexad are a subject of debate amongst security professionals.
3.1 HISTORY
Since the early days of writing, politicians, diplomats and military commanders
understood that it was necessary to provide some mechanism to protect the
confidentiality of correspondence and to have some means of detecting tampering. Julius
Caesar is credited with the invention of the Caesar cipher ca. 50 B.C., which was created
in order to prevent his secret messages from being read should a message fall into the
wrong hands, but for the most part protection was achieved through the application of
procedural handling controls. Sensitive information was marked up to indicate that it
should be protected and transported by trusted persons, guarded and stored in a secure
environment or strong box. As postal services expanded, governments created official
organizations to intercept, decipher, read and reseal letters (Dhillon, 2007).
In the mid 19th century more complex classification systems were developed to allow
governments to manage their information according to the degree of sensitivity. The
British Government codified this, to some extent, with the publication of the Official
Secrets Act in 1889 and by the time of the First World War multi-tier classification
systems were used to communicate information to and from various fronts. The war and
wider use of electronic communications systems encouraged greater use of code making
and breaking sections in diplomatic and military headquarters. In the United Kingdom
this led to the creation of the Government Codes and Cypher School in 1919. Encoding
became more sophisticated between the wars as machines were employed to scramble
and unscramble information. The volume of information shared by the Allied countries
during the Second World War necessitated formal alignment of classification systems
and procedural controls. An arcane range of markings evolved to indicate who could
handle documents (usually officers rather than men) and where they should be stored as
increasingly complex safes and storage facilities were developed. Procedures evolved to
ensure documents were destroyed properly and it was the failure to follow these
procedures which led to some of the greatest intelligence coups of the war (Dhillon,
2007).
The end of the 20th century and early years of the 21st century saw rapid advancements
in telecommunications, computing hardware and software, and data encryption. The
availability of smaller, more powerful and less expensive computing equipment made
electronic data processing within the reach of small business and the home user. These
computers quickly became interconnected through a network generically called the
Internet (Dhillon, 2007).
The rapid growth and widespread use of electronic data processing and electronic
business conducted through the Internet, along with numerous occurrences of
international terrorism, fueled the need for better methods of protecting the computers
and the information they store, process and transmit. The academic disciplines of
computer security and information assurance emerged along with numerous professional
organizations – all sharing the common goals of ensuring the security and reliability of
information systems (Dhillon, 2007).
3.2 BASIC CONCEPTS
Three basic security concepts are important to information security:
Confidentiality
Integrity
Availability
These are discussed below:
CONFIDENTIALITY
Confidentiality is the term used to prevent the disclosure of information to unauthorized
individuals or systems. For example, a credit card transaction on the Internet requires the
credit card number to be transmitted from the buyer to the merchant and from the
merchant to a transaction processing network. The system attempts to enforce
confidentiality by encrypting the card number during transmission, by limiting the places
where it might appear (in databases, log files, backups, printed receipts, and so on), and
by restricting access to the places where it is stored. If an unauthorized party obtains the
card number in any way, a breach of confidentiality has occurred.
Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people
whose personal information a system holds (Perrin, 2012).
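One of the measures listed above, limiting the places where the card number appears, is commonly implemented by scrubbing log lines before they are written. The following Python is an added example written for this page, not code from the seminar or from any cited source: it finds Luhn-valid card numbers in a constructed log line and masks all but the last four digits, while leaving other long numbers such as order ids alone. The regular expression, the function names and the sample line are assumptions.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or dashes (the pattern is an assumption made for this example).
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum, which every payment card number satisfies; it rules out
    timestamps and order ids that merely look like card numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits, the usual audit-friendly compromise."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(line):
    """Replace every Luhn-valid card number in a log line before it is written."""
    def _replace(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask(digits) if luhn_ok(digits) else raw
    return PAN_CANDIDATE.sub(_replace, line)


# Constructed log line: a Luhn-valid test card number (4111...) beside a
# 13-digit order id that is not Luhn-valid and must survive untouched.
SAMPLE_LINE = ("2012-12-22 10:15:03 checkout user=alice "
               "card=4111 1111 1111 1111 order=1234567890123 amount=42.00")

if __name__ == "__main__":
    print(redact_pans(SAMPLE_LINE))
```

Applying the check in the logging layer (rather than trusting every developer to remember it) is what keeps the number out of log files and the backups made from them; the same filter can be run over existing archives to confirm nothing leaked before it was installed.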
INTEGRITY
In information security, integrity means that data cannot be modified undetectably. This
is not the same thing as referential integrity in databases, although it can be viewed as a
special case of Consistency as understood in the classic ACID model of transaction
processing. Integrity is violated when a message is actively modified in transit.
Information security systems typically provide message integrity in addition to data
confidentiality (Perrin, 2012).
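The message-integrity property described here is usually provided by a message authentication code. The following Python is an added example written for this page, not code from the seminar or from a cited source: the sender attaches an HMAC-SHA256 tag to a constructed message, and the receiver recomputes the tag and compares it in constant time, so a message altered in transit, or tagged under a different key, is rejected. The key, the message and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed shared key: in practice provisioned out of band to sender and
# receiver, kept out of logs and rotated; a fresh random one is fine here.
SHARED_KEY = secrets.token_bytes(32)


def protect(message, key=SHARED_KEY):
    """Sender side: return the message together with its HMAC-SHA256 tag."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message, tag


def verify(message, tag, key=SHARED_KEY):
    """Receiver side: recompute the tag over the received bytes and compare it
    in constant time, so the comparison leaks nothing through timing."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo():
    """A constructed message, intact and after in-transit modification."""
    message, tag = protect(b"transfer 100 to account 42")   # constructed
    tampered = message.replace(b"100", b"900")               # edited in transit
    return {
        "intact": verify(message, tag),                                  # True
        "tampered": verify(tampered, tag),                               # False
        "wrong_key": verify(message, tag, key=b"not the shared key"),    # False
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Because the key is shared, an HMAC shows that the message was not modified but cannot prove which of the two parties produced it; that is what the digital signatures mentioned below under non-repudiation add.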
AVAILABILITY
For any information system to serve its purpose, the information must be available when
it is needed. This means that the computing systems used to store and process the
information, the security controls used to protect it, and the communication channels used
to access it must be functioning correctly. High availability systems aim to remain
available at all times, preventing service disruptions due to power outages, hardware
failures, and system upgrades. Ensuring availability also involves preventing
denial-of-service attacks (Perrin, 2012).
Concepts relating to the people who use that information are:
Authentication
Authorization
Nonrepudiation
AUTHENTICATION
In computing, e-Business, and information security, it is necessary to ensure that the data,
transactions, communications or documents (electronic or physical) are genuine. It is also
important for authenticity to validate that both parties involved are who they claim to be
(Perrin, 2012).
NON-REPUDIATION
In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It
also implies that one party of a transaction cannot deny having received a transaction nor
can the other party deny having sent a transaction.
Electronic commerce uses technology such as digital signatures and public key
encryption to establish authenticity and non-repudiation (Perrin, 2012).
4.0 IMPLEMENTATION OF INFORMATION SECURITY ON CAMPUS
NETWORK
This section of the seminar presentation will look at an implementation of computer
security on a campus network using intrusion detection systems.
CAMPUS INTRUSION DETECTION SYSTEM
The aim of the Campus Intrusion Detection and Prevention System is to protect network
data on a School Campus infrastructure-based network and try to use anomaly-detection
techniques to detect different types of attacks within the network.
The following objectives that the system achieves are outlined below:
Design and develop a Network Intrusion Detection System that will detect
abnormal network traffic in a campus school network based on data such as
header fields, logical addresses and secure port numbers.
To prevent the case of intrusion by disconnecting from the network if a
connection is made to a suspicious IP address.
POSSIBLE NETWORKS DATA ATTACKS
Most of the routing protocols proposed for computer networks are not designed to handle
security-related issues. Therefore, there is a lot of scope for attacks on them. The different
possible attacks on the flow of data and control information can be categorized as
follows:
• Spoofed, altered, or replayed routing information
• Selective forwarding attack
• Sinkhole attack
• Sybil attack
• Wormholes attack
• HELLO flood attack
• Acknowledgement spoofing
• Sniffing attack
• Data integrity attack
• Black hole attack
• Denial of Service attack
Some of these attacks are highlighted below:
Denial-of-Service attack: A Denial-of-Service attack (DOS) can cause a network to
slow down or become unusable. A DOS attack may occur if the attacker generates a lot
of traffic on the network, which may block the server for hours, or by attacking the
resource itself. Another form of DOS attack is the use of a strong radio signal. This
denies legitimate users access to a resource. Distributed Denial-of-Service attacks
(DDOS) occur when many computers are used against the target. A single master
program can be loaded onto a commandeered computer via an insecure network; the
master program can communicate with "agent" computers anywhere on the Internet
infected with the agent program and initiate an attack.
Data Integrity Attack: Data integrity attacks compromise the data traveling among the
nodes in the computer network by changing the data contained within the packets or
injecting false data. The attacker node must have more processing, memory and energy
than the receiving nodes. The goals of this attack are to falsify computer data and by
doing so compromise the victim's research. It also falsifies routing data in order to
disrupt the network's normal operation, possibly making it useless. This is considered to
be a type of denial of service attack. This attack can be defended against by adopting an
asymmetric-key system that is used for encryption or that can use digital signatures, but
this requires a lot of additional overhead and is difficult to adapt to the computer network.
SNAPSHOT OF THE CAMPUS INTRUSION DETECTION SYSTEM
The several user interfaces that make up the Campus Intrusion Detection System are
discussed below.
This is where the users gain access to the system by providing their
usernames and passwords.
VIEW INTRUDER INFO MODULE:
This module is used to view the info of ip addresses of intruders that have been added to
the Campus IDS database.
NETWORK TRAFFIC MONITOR MODULE:
This module is used to monitor the network traffic on the system (i.e. the User PC). It
checks the source addresses of incoming connections and, if an intruding IP address from
the database is detected, it ensures network optimization by preventing the attacking
agent from having access to the system.
TRAFFIC LOG MODULE:
The Traffic Log Module shows info on incoming internet traffic monitored by the
system.
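To make the Network Traffic Monitor and Traffic Log modules concrete, and to connect them to the accuracy and completeness measures of Section 2.2, the following Python is an added example written for this page; it is not the seminar's system nor code from a cited source. The intruder database (the long-term knowledge the detector uses), the incoming-connection records (its audit information) and the ground-truth labels are constructed from documentation-range addresses, and the function names are assumptions. The monitor checks each incoming source address against the database, which may hold single hosts or CIDR ranges, writes a traffic-log line with the verdict, and the score function then computes the false-alarm and detection rates.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the "Campus IDS database" of intruder addresses.
# Entries may be single hosts or CIDR ranges; all are documentation addresses.
INTRUDER_DB = ["198.51.100.23", "203.0.113.0/24"]

# Constructed incoming-connection records as the monitor would see them:
# (timestamp, source IP, destination port). This is the audit information.
INCOMING = [
    ("2012-12-22T09:00:01", "192.0.2.10", 80),
    ("2012-12-22T09:00:05", "198.51.100.23", 22),
    ("2012-12-22T09:00:09", "203.0.113.77", 445),
    ("2012-12-22T09:00:12", "192.0.2.44", 443),
    ("2012-12-22T09:00:15", "198.51.100.99", 3389),
]

# Constructed ground truth used only to score the monitor; it never sees it.
GROUND_TRUTH = {"198.51.100.23", "203.0.113.77", "198.51.100.99"}


def load_intruder_networks(entries):
    """Parse database entries into network objects so hosts and ranges both match."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def classify(src_ip, networks):
    """BLOCK if the source address falls inside any intruder entry, else ALLOW."""
    addr = ipaddress.ip_address(src_ip)
    return "BLOCK" if any(addr in net for net in networks) else "ALLOW"


def monitor(records, db_entries):
    """Network Traffic Monitor: decide each connection and write the traffic log.
    Returns (log lines, list of (source IP, verdict))."""
    networks = load_intruder_networks(db_entries)
    log, decisions = [], []
    for ts, src, dport in records:
        verdict = classify(src, networks)
        decisions.append((src, verdict))
        log.append(f"{ts} src={src} dport={dport} verdict={verdict}")
    return log, decisions


def score(decisions, ground_truth):
    """Section 2.2 measures: false-alarm rate (accuracy) and detection rate
    (completeness), plus the attackers the monitor let through."""
    counts = Counter()
    for src, verdict in decisions:
        malicious = src in ground_truth
        if verdict == "BLOCK":
            counts["tp" if malicious else "fp"] += 1
        else:
            counts["fn" if malicious else "tn"] += 1
    benign = counts["fp"] + counts["tn"]
    attacks = counts["tp"] + counts["fn"]
    return {
        "false_alarm_rate": counts["fp"] / benign if benign else 0.0,
        "detection_rate": counts["tp"] / attacks if attacks else 0.0,
        "missed": [src for src, v in decisions if v == "ALLOW" and src in ground_truth],
    }


if __name__ == "__main__":
    log_lines, verdicts = monitor(INCOMING, INTRUDER_DB)
    print("\n".join(log_lines))
    print(score(verdicts, GROUND_TRUTH))
```

On the constructed records the monitor raises no false alarm but detects only two of the three attackers: the address that is not yet in the database is allowed through. That is the completeness problem of Section 2.2 in miniature, and it is why a database-driven monitor has to be paired with a process for keeping the database current.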
5.0 CONCLUSION
The importance of securing information cannot be overemphasized, as a compromise of
it would lead to serious consequences. This seminar has focused on highlighting the need
for intrusion detection systems and data security. The concept of Information Security
was treated, and a solution to the problem was presented in the form of a
campus network intrusion detection system.
REFERENCES
"What Is Information Security?" Wise Geek. [Online]. Available from
<http://www.wisegeek.com/what-is-information-security.htm> [22 December 2012].
Perrin, Chad (2012). "The CIA Triad". TechRepublic. [Online]. Available from
<http://www.techrepublic.com/blog/security/the-cia-triad/488> [1 May 2012].
Dhillon, Gurpreet (2007). Principles of Information Systems Security: Text and Cases.
NY: John Wiley & Sons.
Pesante, Linda (2008). "Introduction to Information Security". [Online]. Available from
<http://www.us-cert.gov/reading_room/infosecuritybasics.pdf> [1 January 2008].
Harris, Shon (2003). All-in-one CISSP Certification Exam Guide (2nd ed.).
Emeryville, California: McGraw-Hill/Osborne. ISBN 0-07-222966-7.
Aceituno, V. (2005). "On Information Security Paradigms". ISSA Journal, September 2005.
"Symantec buys encryption specialist PGP for $300M". Computerworld. 2010-04-29.
Retrieved 2010-04-29.
ISACA (2006). CISA Review Manual 2006. Information Systems Audit and Control
Association. p. 85. ISBN 1-933284-15-3.
Newsome, J., Shi, E., Song, D. and Perrig, A. (2004). The Sybil attack in sensor networks:
analysis & defenses.