INTRUSION DETECTION SYSTEM
A Programmer's Perspective
As mentioned in the previous document, here is another article dedicated to writing an IDS. First of all I would like to give an introduction to my goals and what I expect from the project.
VISION
At this moment it would be foolish to say that I want to develop a system that will be perfect and revolutionize IDS technology. What I propose is that, in order to understand network security and to get a practical approach toward perfecting the art, I want to develop an IDS. To start I will just analyze the conventional techniques (discussed later), but as the project progresses I will surely try to develop some innovative technique.
I am a firm supporter of open-source software and this project will be available under the GNU General Public License.
"People see things as they are and say why? I dream things which are not there and say why not." – George Bernard Shaw
Why IDS?
Some of you may be wondering: why develop an IDS? Why not another solution, such as a firewall?
An IDS is an intelligent system, and with advanced A.I. techniques an IDS can be designed that detects attacks with very high accuracy. An IDS is a dynamic system and can be made to adapt to 0-day attacks, whereas a firewall is static: it may be effective against known attacks, but one way or another intruders will be able to bypass it. Note that an IDS detects and alerts rather than blocks, so in practice it complements the firewall rather than replacing it.
Choices!!!
For designing an IDS we need to take some decisions about the available techniques.
Choice OF IDS:
1. Network-based intrusion detection vs host-based intrusion detection
A NIDS uses the traffic on its network segment as its data source. This is generally accomplished by capturing all network traffic that crosses that segment (on a switched network this means a SPAN/mirror port or a tap).
A HIDS involves loading a piece or pieces of software on the system to be monitored. The loaded software uses log files and/or the system's auditing agents as its sources of data. For HIDS there appear to be three main categories:
· Monitoring the host's file system.
· Monitoring the host's network connections.
· Monitoring the host's log files.
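To make the first HIDS category concrete, here is an added example (not code from this article, and not taken from Tripwire, AIDE or any other tool named later) of a file-system integrity checker in that style. It records a baseline of SHA-256 digest, size and permission bits for every file under a directory, then compares the live tree against the baseline and reports what was added, removed or modified. The directory tree and the "intrusion" it simulates are constructed inside a temporary directory for the demonstration.

```python
"""Minimal host-based file-integrity monitor (Tripwire/AIDE style).

Added example, not code from the original article. It records a baseline of
every file under a directory (SHA-256 of content, size, permission bits) and
later compares the live tree against that baseline. Real tools also sign the
baseline and keep it off the monitored host so an intruder cannot rewrite it;
that part is left out here.
"""
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Return (sha256 hex, size, permission bits) for one regular file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode)


def baseline(root):
    """Walk root and map each relative path to its fingerprint."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks need their own handling; skipped in this demo
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def compare(old, new):
    """Classify every path as added, removed or modified (unchanged paths are dropped)."""
    report = {"added": [], "removed": [], "modified": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        elif old[path] != new[path]:
            report["modified"].append(path)
    return report


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF original binary\n")
        with open(os.path.join(root, "etc", "motd"), "w") as f:
            f.write("welcome\n")
        before = baseline(root)

        # Simulated intrusion: backdoor account appended, binary trojaned with a
        # same-length replacement, a tool dropped, and a file removed.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("hax:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF trojaned binary\n")
        with open(os.path.join(root, "bin", "nc"), "wb") as f:
            f.write(b"\x7fELF dropped tool\n")
        os.remove(os.path.join(root, "etc", "motd"))

        return compare(before, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The trojaned `bin/ls` keeps exactly its original size, so a checker that compared only size and modification time would miss it; the content digest is what catches it. A checker like this is only as trustworthy as its baseline, which is why the real tools sign it and store it off the host.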
Here is a comparison between NIDS and HIDS from www.windowsecurity.com (more stars = better; "-" = not provided):
Function | HIDS | NIDS | Comments
Protection on LAN | **** | **** | Both systems protect you on your LAN.
Protection off LAN | **** | - | Only HIDS protects you when you are off the LAN.
Ease of administration | **** | **** | The administration of NIDS and HIDS is equal from a central admin perspective.
Versatility | **** | ** | HIDS are more versatile systems.
Ease of implementation | **** | **** | Both NIDS and HIDS are equal from a central control perspective.
Bandwidth requirements on LAN | 0 | 2 | NIDS uses up LAN bandwidth. HIDS does not.
Network overhead | 1 | 2 | The NIDS has double the total network bandwidth requirements from any LAN.
Spanning port switching requirements | - | **** | NIDS requires that port spanning be enabled to ensure that your LAN traffic is scanned.
Update frequency to clients | **** | - | HIDS updates all of the clients with a central pattern file.
Cross-platform compatibility | ** | **** | NIDS are more adaptable to cross-platform environments.
Local machine registry scans | **** | - | Only HIDS can do these types of scans.
Logging | *** | *** | Both systems have logging functionality.
Alarm functions | *** | *** | Both systems alarm the individual and the administrator.
PAN scan | **** | - | Only HIDS scan your personal area networks (unless you have the $ to get a NIDS for your home).
Packet rejection | - | **** | Only NIDS functions in this mode.
Specialist knowledge | *** | **** | More knowledge is required when installing and understanding how to use NIDS from a network security perspective.
Central management | ** | *** | NIDS are more centrally managed.
Disable risk factor | * | **** | NIDS failure rate is much higher than HIDS failure rate. NIDS has one point of failure.
Looking at the table we can conclude that HIDS is useful when we have to protect against both internal and external attacks. But the advantages of NIDS cannot be ignored, so the best solution will be to use HIDS in integration with NIDS.
2. Knowledge-based intrusion detection vs behavior-based intrusion detection
Knowledge-based intrusion detection techniques apply the knowledge accumulated about specific attacks and system vulnerabilities. This knowledge is specified as rules (signatures) against which the observed activity is checked. Today most IDS are knowledge-based. Their advantages and disadvantages are:
Advantages:
a. They have the potential for a very low false-alarm rate: an alert means a known attack pattern was actually seen.
b. The contextual analysis done by these systems is detailed, hence it is easy to find a remedial solution.
Disadvantages:
a. They may be effective against known attacks, but they cannot handle 0-day attacks for which no rule exists yet.
b. Gathering the required information on the known attacks and keeping it up to date is difficult.
c. Maintenance of the knowledge base is a time-consuming task.
d. Knowledge about attacks is very focused, dependent on the operating system, version, platform and application.
e. Detection of insider attacks involving an abuse of privileges is deemed more difficult, because the actions involved are legitimate operations and match no attack signature.
Behavior-based intrusion detection techniques assume that an intrusion can be detected by observing a deviation from the normal or expected behavior of the system or its users. The model of normal or valid behavior is extracted from reference information collected by various means. The intrusion detection system later compares this model with the current activity. When a deviation is observed, an alarm is generated.
Advantages:
They address all the disadvantages of knowledge-based intrusion detection listed above: because they model normal activity rather than specific attacks, they can flag previously unknown (0-day) attacks and abuse of privileges, and they are less tied to a particular operating system or application.
Disadvantages:
a. False alarms: any legitimate but unusual activity is a deviation from the model and will be reported.
b. We need to build a learning system which learns what normal behavior looks like from reference data; such systems are quite difficult to design, which is why almost all intrusion detection systems are knowledge-based.
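The contrast between the two approaches, as an added example in Python (not the article's own code): the same constructed stream of web-server requests is fed to a knowledge-based engine (a list of regex signatures for attacks we already know about) and to a behavior-based engine that learns, per user, the normal source addresses and hours of day from a reference period. The user names, addresses, URIs and hours are made up for the demonstration, and the profile uses simple set membership where a real system would use statistical thresholds.

```python
"""Knowledge-based vs behavior-based detection on the same event stream.

Added example, not code from the original article. The knowledge-based engine
is a list of signatures (regexes for attacks someone has already written a rule
for); the behavior-based engine learns, per user, which source addresses and
hours of day are normal and alarms on anything outside that profile. All
events below are constructed for the demonstration.
"""
import re
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "user src hour uri")

# Knowledge base: rule name -> pattern. Only attacks that already have a rule
# (here directory traversal and SQL injection) can ever be detected by it.
SIGNATURES = {
    "dir-traversal": re.compile(r"(\.\./)+|/etc/passwd"),
    "sql-injection": re.compile(r"(?i)\bunion\s+select\b|'\s*or\s+1=1"),
}


def signature_engine(event):
    """Return the names of every signature the request URI matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(event.uri)]


class BehaviorProfile:
    """Per-user model of normal activity, extracted from reference data."""

    def __init__(self):
        self.sources = defaultdict(set)   # user -> addresses seen in training
        self.hours = defaultdict(set)     # user -> hours of day seen in training

    def train(self, events):
        for e in events:
            self.sources[e.user].add(e.src)
            self.hours[e.user].add(e.hour)

    def check(self, event):
        """Return the ways this event deviates from the user's profile."""
        if event.user not in self.sources:
            return ["unknown user"]
        reasons = []
        if event.src not in self.sources[event.user]:
            reasons.append(f"new source {event.src}")
        if event.hour not in self.hours[event.user]:
            reasons.append(f"unusual hour {event.hour:02d}:00")
        return reasons


def run(training, live):
    """Run both engines over live traffic; return (event index, engine, detail) alerts."""
    profile = BehaviorProfile()
    profile.train(training)
    alerts = []
    for i, e in enumerate(live):
        for sig in signature_engine(e):
            alerts.append((i, "knowledge", sig))
        for reason in profile.check(e):
            alerts.append((i, "behavior", reason))
    return alerts


# Constructed reference period: normal daytime use from the office network.
TRAINING = [Event("alice", "10.0.0.5", h, "/index.html") for h in range(9, 18)] + \
           [Event("bob", "10.0.0.7", h, "/reports") for h in range(8, 17)]

# Constructed live traffic.
LIVE = [
    Event("alice", "10.0.0.5", 11, "/index.html"),                     # 0: benign
    Event("bob", "10.0.0.7", 10, "/cgi-bin/view?f=../../etc/passwd"),  # 1: known attack
    Event("alice", "203.0.113.9", 3, "/admin/export"),                 # 2: stolen credential, no signature exists
    Event("bob", "10.0.0.7", 22, "/reports"),                          # 3: legitimate late work
]

if __name__ == "__main__":
    for idx, engine, detail in run(TRAINING, LIVE):
        print(f"event {idx}: [{engine}] {detail}")
```

Running it shows each engine's weakness. The traversal request is caught only by the signature; the session on alice's account from an outside address at 03:00 is caught only by the profile, because no signature can describe "someone else is using alice's password"; and bob's legitimate late-night work trips the same profile. That last alert is the false alarm a behavior-based system pays for its 0-day coverage.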
Choice OF Programming Language:
1. C++ vs Java:
C++ is the most powerful language around, but it has no standard GUI library; hence Java, which has a GUI toolkit and quite a vast built-in library. If developing for UNIX-based systems, C++ will be the best option.
2. .NET:
For developing an IDS, VC++ can also be considered, and besides this other languages like VB and C# can also be used, as they are quite simple and provide a great deal of ease when handling big projects. Using these we can easily handle the event log on NT-based systems.
Choice of Methodology
1. Packet sniffer.
2. System integrity checker.
3. Security log analyzer.
4. Analysis of a known capture format (like tcpdump output).
5. Build an intrusion detection system taking an existing firewall as the backbone.
6. Take all available resources like Snort, Tripwire and syslog and generate custom reports from them.
Project Plans:
1. Knowledge acquisition – 15th Jan
2. Analysis of existing designs – 31st Jan
3. Decision taking – 5th Feb
4. Beginning coding – 31st March
5. Testing & packaging – 1st April
As I am developing this for a college project and all of the work can't be done within the time limits (at this point I am assuming), I will try to develop a system that can provide protection against some types of attack. So I will proceed with detecting port scanners and ping sweepers, and then with detecting DDoS attacks (at this point I will be satisfied).
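As an added example of the three detectors this plan targets (not the article's code, and not how Snort or any other tool implements them), the block below keeps a sliding time window per key and alarms when enough distinct values appear in it: distinct destination ports from one source to one host (port scan), distinct hosts echo-requested by one source (ping sweep), and the number of SYNs arriving at one destination port (SYN-flood style DDoS). The windows and thresholds are chosen for the demonstration, and the packets are constructed rather than captured.

```python
"""Sliding-window detectors for port scans, ping sweeps and SYN floods.

Added example, not the article's code. Each detector is the same primitive:
per key, remember the (timestamp, value) pairs seen in the last `window`
seconds and alarm once `threshold` distinct values are present. Traffic below
is constructed; the addresses are documentation ranges.
"""
from collections import defaultdict, deque, namedtuple

Packet = namedtuple("Packet", "ts src dst proto dport flags")


class WindowDetector:
    """Alarm when `threshold` distinct values belong to one key within `window` seconds."""

    def __init__(self, name, window, threshold):
        self.name = name
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)   # key -> deque of (ts, value), oldest first
        self.alerted = set()               # keys already reported, to avoid repeats

    def observe(self, ts, key, value):
        q = self.events[key]
        q.append((ts, value))
        while q and q[0][0] < ts - self.window:
            q.popleft()                    # drop events that fell out of the window
        distinct = {v for _, v in q}
        if len(distinct) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return f"{self.name}: {key} ({len(distinct)} in {self.window}s)"
        return None


def analyze(packets):
    """Feed packets to all detectors in timestamp order; return the alert strings."""
    portscan = WindowDetector("port scan", window=5.0, threshold=10)   # ports per (src, dst)
    pingsweep = WindowDetector("ping sweep", window=5.0, threshold=8)  # hosts pinged per src
    synflood = WindowDetector("SYN flood", window=1.0, threshold=100)  # SYNs per (dst, dport)
    alerts = []
    for n, p in enumerate(sorted(packets, key=lambda p: p.ts)):
        hits = []
        if p.proto == "icmp" and p.flags == "echo-request":
            hits.append(pingsweep.observe(p.ts, p.src, p.dst))
        elif p.proto == "tcp" and p.flags == "S":
            hits.append(portscan.observe(p.ts, (p.src, p.dst), p.dport))
            # the packet's sequence number is the "value", so this counts every SYN
            hits.append(synflood.observe(p.ts, (p.dst, p.dport), n))
        alerts.extend(h for h in hits if h)
    return alerts


def constructed_traffic():
    """Benign traffic plus one of each attack, and one slow scan that evades the windows."""
    pk = []
    for i in range(5):                                   # ordinary web connections
        pk.append(Packet(10.0 * i, "10.0.0.5", "10.0.0.10", "tcp", 80 if i % 2 else 443, "S"))
    for i in range(20):                                  # fast port scan: 20 ports in 2 s
        pk.append(Packet(100.0 + 0.1 * i, "192.0.2.1", "10.0.0.10", "tcp", 1 + i, "S"))
    for i in range(12):                                  # ping sweep over 12 hosts
        pk.append(Packet(200.0 + 0.2 * i, "192.0.2.2", f"10.0.0.{i + 1}", "icmp", None, "echo-request"))
    for i in range(150):                                 # SYN flood from spoofed sources
        pk.append(Packet(300.0 + 0.005 * i, f"198.51.100.{i % 50}", "10.0.0.10", "tcp", 80, "S"))
    for i in range(15):                                  # slow scan: one port every 2 s
        pk.append(Packet(400.0 + 2.0 * i, "192.0.2.3", "10.0.0.10", "tcp", 1 + i, "S"))
    return pk


if __name__ == "__main__":
    for line in analyze(constructed_traffic()):
        print(line)
```

The last constructed burst, a scan of one port every two seconds, never has ten ports inside the five-second window and produces no alarm. That evasion is the standard argument for longer windows and for correlating across keys (all ports probed on a host, whatever the source), at the cost of memory and of more false alarms on busy hosts.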
My IDS will definitely be GUI-based, as I consider simplicity an important factor in software development.
Some Available IDS
NIDS:
· Open-source: Snort, Bro, ACID (an analysis console for Snort alert databases, not a sensor itself)
· Snort-related: IDScenter, Snort-Panel
· Commercial: Cisco's IDS appliances, McAfee's IntruShield, ISS RealSecure Network Sensor
HIDS:
· Open-source: Samhain, LIDS, AIDE
· Commercial: Tripwire, eEye Blink, Symantec Host IDS
FINAL WORD
This is just the beginning and there will be more changes.
I would love to hear from all those who have read it (whether it is to criticize, appreciate or motivate).
Feel free to contact me at
If you are interested in the development of an IDS and want to keep yourself updated regarding its development, you can join the group:
http://groups.yahoo.com/group/ids_dev/