Implementation Of An Intrusion Detection System


IJCSI International Journal of Computer Science Issues, Vol. 9, Issue 3, No 1, May 2012
ISSN (Online): 1694-0814
www.IJCSI.org

SAIDI BEN BOUBAKER Ourida
Computer Science Department, High Institute of Management, University of Tunis
44, Av. de la Liberté, Bardo/Tunis, Tunisia

Abstract
Securing networks and data is among the most interesting issues of computer science research and practice. Many approaches and techniques have been developed to secure computer architectures; they address several layers, e.g. physical security, applications, encryption algorithms, etc. In this paper, we address the problem of securing large networks with complex architectures, based ions performed, we demonstrated the efficiency of our solution.

Keywords: Information Systems Security, Intrusion Detection, Networks.

1. Introduction:

1.1. Definition of an intrusion detection system:
An intrusion detection system is a system that analyzes, in real time or after the fact, the events of a computer system. It detects overflows [1] and violations of access rights, among other things, and exposes visible signs of attacks against information systems. It is essentially a device that monitors the activity of a machine or a network in order to detect intrusion attempts and generate alerts, so that counter-measures and procedures can be triggered.

1.3. Importance of an intrusion detection system in a computer architecture:
An architecture is always liable to be attacked, especially a network architecture in which information flows across all segments and thus exposes vulnerabilities that allow an attacker to enter and perform illegal actions that generate anomalies in the network; hence the need to implement a solution that analyzes network traffic to detect and thwart a possible intrusion.

This system will generally detect malicious portions of the network traffic coming from the Internet. It can also be used to detect viruses that try to attack computers on a LAN.
It records systematic connection attempts from outside, which often indicate that someone is trying to find open ports on the host. The intrusion detection system stops the malicious packets aimed at these open ports.

The intrusion detection system analyzes the content and the header information of an IP packet and compares this information with the signatures of known attacks. When the information is similar or identical to a known attack, the intrusion detection system issues a warning and performs the planned action.

2. Specification of the project addressed:

2.1. Description of the network topology:
The network has two different topologies:
- A star topology built around a switch used for the interconnection of the different parts of the network, also connected to a layer-2 switch that links the physical locations of the segments. These connections use RJ45 cabling for lines shorter than 85 meters and fiber-optic links for lines over 100 meters.
- A wireless network built around a number of access points distributed over many locations and physically connected to the switches, in order to address the range limitation, which should not exceed fifty meters.

In addition to this topology, the network operates as follows:
- All hosts on the network receive their IP address dynamically from a DHCP server, to avoid conflicts.
- The network uses a firewall to block unauthorized access and protect the internal network from attacks.
- A demilitarized zone (DMZ) is used to host internal servers such as the Web server and the FTP server, which are accessible from both the internal and the external network.
- Access to the Internet goes through a remote proxy used to identify the network user.

Copyright (c) 2012 International Journal of Computer Science Issues. All Rights Reserved.

Figure 1: Network topology

2.2. Security risks with this architecture:
Due to the very high number of computers connected to the network and benefiting from Internet access, our architecture presented the following security issues:
- Many passive attacks from outside, which can be summarized as port scans used to detect open ports before moving on to active attacks.
- Downloading free software from the Internet has caused the infiltration of viruses into the network, which search for vulnerabilities in the network and application layers in order to perform intrusions.
- The use of WEP encryption keys is a weak strategy that can be exploited by unregistered users: they can perform port scans, retrieve the addresses of the access points and use key-recovery utilities.
- While a firewall is in place to block a lot of malicious traffic, there is no functionality to raise an alert when a new intrusion occurs. In addition, the installed firewall operates on the lower layers of the OSI model and does not take into account the vulnerabilities of the application layer, which remains an important source of intrusions.

2.3. Proposed solution: IDS:
In order to improve the security capabilities of our architecture and to ensure a safer network, we decided to implement an intrusion detection system. In what follows, we detail our solution.

3. Implementation of the IDS:

3.1. Techniques used:
According to its internal architecture, an intrusion detection system is based on a well-defined approach. There are two main approaches:

Behavioral approach:
This approach is based on tracking the behavior of a user, a service or an application to infer a probable intrusion.
If any of the entities mentioned above changes its behavior or its operating habits, the detector deduces that there is suspicious behavior and eventually transmits an early warning. This approach itself uses either a probabilistic method, in order to estimate suspect traffic, or a statistical method, whose principle is to compare quantitatively the behavior of parameters related to the user, such as the bandwidth occupancy rate or the number of network accesses per day.

Scenario-based approach:

The principle of this approach is based on known techniques used by hackers to perform intrusions, already encoded in a signature, which is compared with the behavior of the user in question, without recourse to its history, in order to determine whether this behavior is legitimate or not. The signature is actually a series of rules for analyzing the packets that flow through the network (pattern matching) or for checking compliance with the protocol (protocol approach). Using both approaches in parallel provides a powerful solution for intrusion detection.

3.2. Types of IDS:
Intrusion detectors can operate in three possible ways [2]:
- H-IDS (host-based IDS): a detector installed on a local host, where it runs as a core service that analyzes the traffic to that host and identifies intrusion attempts.
- N-IDS (network-based IDS): a detector that passively analyzes all incoming and outgoing traffic flowing through the network, to detect packets deemed dangerous and generate alerts.
- Hybrid IDS: a sensor whose objective is to collect information from the various nodes placed on the network and on the hosts, for analysis purposes.

Using both H-IDS and N-IDS is a robust architecture. Where to place the intrusion detector in the network depends on what you want to protect; three positions are possible:
- Upstream (in front of the firewall): this position is used to detect frontal attacks coming from outside, before the firewall has filtered them. Its disadvantage is the large number of alerts it generates, many of them for attempts that the firewall would have blocked anyway [5].
- Downstream (behind the firewall): with this position the intrusion detector sees only what the firewall let through, so it detects intrusions from the outside that got past it; the problem is that attacks on the internal network itself will not be detected.
- Before the DMZ: this position allows the IDS to detect intrusions that were not filtered by the firewall and protects the zone against intruders.
The downside is that the internal network remains open to intrusion.

3.3. Technologies used for the implementation:
After a study of the existing software, the use of two types of intrusion detector was found to be an adequate solution for protecting the network and its components. The solution is to install an Internet-security antivirus suite with intrusion detection functionality (H-IDS), which operates in a client/server architecture, and a network intrusion detector (N-IDS) such as Snort, which uses the scenario-based approach and is installed in the three possible positions mentioned above.

3.4. Detailed steps of the implementation:
The implementation of the IDS required the following two main steps:
- Step 1: install an Internet-security antivirus on a central server. This antivirus has a built-in intrusion detection system, and its database of alert rules is updated automatically from the vendor's official website. All computers connected to the network operate as clients and retrieve the updates from the server, including the intrusion detection signatures. In this way it provides the functionality of a reactive host intrusion detector (H-IDS): it does not only alert, it also intervenes to block possible attacks on a component.
- Step 2: install Snort intrusion detection sensors as alert nodes in the different zones of the network, in order to collect all the intrusion attempts, which are recorded in a log file. If an attempt is blocked automatically by the firewall, Snort records nothing; otherwise the intrusion detector reports the attempt by placing an entry in the log file. By adding the signatures of these intrusions to an active network guardian (the network controller) that operates in parallel with Snort, all further attempts with the same signature are blocked or rejected. The nodes are installed as shown in Figure 2.
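The hand-off of step 2 in code, as an added example that is not part of the paper: Snort writes one line per alert in its "fast" output format, and the block below parses such lines and decides which sources the network controller should block. The five alert lines are constructed to follow the layout of `snort -A fast` output, and the 10.1.2.0/24 HOME_NET and the set of blocked SIDs are assumptions. Two guards are added that the paper's description does not spell out but a practitioner would want before letting a detector drive a blocking device: a priority threshold, and no automatic blocking of sources inside HOME_NET.

```python
"""Step 2 in code: read Snort 'fast' alerts and decide what the network
controller should block (added example, not the paper's code)."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the layout of Snort's `-A fast` output; not real traffic.
SAMPLE_ALERTS = """\
05/11-10:02:13.120412  [**] [1:1228:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:40211 -> 10.1.2.7:22
05/11-10:02:13.322871  [**] [1:1228:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:40212 -> 10.1.2.7:80
05/11-10:03:40.001002  [**] [1:1418:3] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:51000 -> 10.1.2.20:161
05/11-10:05:01.550000  [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.23 -> 10.1.2.1
05/11-10:06:00.000000  [**] [1:1418:3] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.2.33:33333 -> 10.1.2.20:161
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_fast_alert(line):
    """Parse one alert_fast line into a dict, or None if it is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["pri"] = int(alert["pri"])
    return alert


def parse_alert_log(text):
    return [a for a in map(parse_fast_alert, text.splitlines()) if a]


def block_decisions(alerts, blocked_sids, home_net, max_priority=2):
    """Apply the paper's policy: once a signature is on the controller's list,
    further hits from the same source are blocked. Two guards are added here:
    only alerts at or above `max_priority` count (Snort priority 1 is highest),
    and internal sources are queued for review instead of blocked, because
    auto-blocking on an internal or spoofable address is an easy self-DoS."""
    home = ip_network(home_net)
    blocks, review = {}, []
    for a in alerts:
        if a["sid"] not in blocked_sids or a["pri"] > max_priority:
            continue
        if ip_address(a["src"]) in home:
            review.append((a["src"], a["sid"], a["msg"]))
            continue
        blocks.setdefault(a["src"], set()).add(a["sid"])
    return blocks, review


if __name__ == "__main__":
    blocks, review = block_decisions(parse_alert_log(SAMPLE_ALERTS),
                                     {1228, 1418, 483}, "10.1.2.0/24")
    for src, sids in sorted(blocks.items()):
        print(f"block {src}: sids {sorted(sids)}")
    for src, sid, msg in review:
        print(f"review internal {src}: sid {sid} ({msg})")
```

With the sample, the two external scanners are blocked, the CyberKit ping is ignored because its priority (3) is below the threshold, and the SNMP probe from 10.1.2.33 is reported for review rather than blocked.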

Figure 2: Positioning of the Snort nodes

With this placement, intrusion detection ensures [4]:
a. Intrusions from the Internet are detected before they are filtered by the firewall: this is the upstream position.
b. Intrusions that get past the firewall and are directed at the internal network are detected: this is the downstream position.
c. Intrusions from the Internet and from the internal network that are directed at the DMZ are detected by the sensor installed at the entrance of that zone.

This layout provides intrusion detection on all zones of the network and on the connected computers.

To keep up with new intrusions and detect their signatures, updating the rules is very important. The updates are available free of charge from the official website snort.org, provided one registers on the site. Registration yields a code called an Oink code, used as an identifier, which must be inserted on this page to be eligible for
tions:

In order to test the firewall rules, the intrusion sensor (Snort) and the network controller, some simulated attacks were performed. Normally, intrusion attempts are filtered by the firewall rules first; once they get past them, they are analyzed by the intrusion detector and subsequently filtered by the network controller.

3.5.1. Intrusion with a port scanner (Advanced Port Scanner):
Advanced Port Scanner is a network scanner that detects open ports. This intrusion is detected by the signature in snmp.rules having the following rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; stateless; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; classtype:attempted-recon; sid:1418; rev:3;)

Port scan detected by Snort
Attack blocked by the network controller

3.5.2. Intrusion with a network scanner (NMAP 5.21):
The NMAP scanner is designed to discover the vulnerabilities of a machine on the network by collecting information such as its MAC address and its open ports, through which an active attack can then be mounted. This intrusion is detected by the signature in scan.rules having the following rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flags:FPU; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:1;)

Note that this rule only matches an Xmas scan, i.e. packets with exactly the FIN, PSH and URG flags set; a default NMAP SYN scan does not trigger it and has to be caught by other scan.rules signatures or by Snort's port-scan preprocessor.
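The pattern-matching side of the scenario-based approach, as an added example that is not part of the paper: a small parser for the Snort 2 rule syntax quoted in 3.5.1 and 3.5.2 (it also handles the itype, content and depth options of the ICMP rule quoted in 3.5.3), and a matcher that runs constructed packets against the rules. HOME_NET, the packets and the rule subset are assumptions; the matcher implements only the rule header fields and the flags, itype, content and depth options, not Snort's preprocessors, stream reassembly or the other payload options.

```python
"""Signature matching as the scenario-based approach does it: a small Snort-2
rule parser and packet matcher (added example, not the paper's code)."""
import re
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.1.2.0/24")  # assumed value for $HOME_NET

# The three rules quoted in 3.5.1, 3.5.2 and 3.5.3, in Snort 2 syntax.
RULES_TEXT = r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; stateless; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; classtype:attempted-recon; sid:1418; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flags:FPU; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:5;)
"""

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def split_options(body):
    """Split the option body on ';' outside double quotes into (key, value) pairs."""
    opts, cur, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
    pairs = []
    for opt in opts + [cur]:
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            pairs.append((key.strip(), val.strip().strip('"')))
    return pairs

def content_bytes(spec):
    """Snort content syntax: literal text, with |AA BB| runs giving raw hex bytes."""
    return b"".join(bytes.fromhex(seg) if i % 2 else seg.encode()
                    for i, seg in enumerate(spec.split("|")))

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        action, proto, src, sport, dst, dport, body = m.groups()
        # 'reference' repeats and is metadata only, so drop it before building the dict
        opts = dict(p for p in split_options(body) if p[0] != "reference")
        rules.append(dict(action=action, proto=proto, src=src, sport=sport, dst=dst,
                          dport=dport, opts=opts, sid=int(opts["sid"]), msg=opts["msg"]))
    return rules

def addr_ok(spec, ip):
    ip = ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ip in HOME_NET
    if spec == "$EXTERNAL_NET":
        return ip not in HOME_NET
    return ip in ip_network(spec)  # plain CIDR only; lists and negation not handled

def flags_ok(spec, pkt_flags):
    want, have = set(spec.rstrip("+*")), set(pkt_flags)
    if spec.endswith("+"):
        return want <= have         # these flags set, others allowed
    if spec.endswith("*"):
        return bool(want & have)    # any of these flags
    return want == have             # exactly these flags (Snort's default)

def matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_ok(rule["src"], pkt["src"]) and addr_ok(rule["dst"], pkt["dst"])):
        return False
    if pkt["proto"] in ("tcp", "udp"):
        for spec, port in ((rule["sport"], pkt["sport"]), (rule["dport"], pkt["dport"])):
            if spec != "any" and int(spec) != port:
                return False
    o = rule["opts"]
    if "flags" in o and not flags_ok(o["flags"], pkt.get("flags", "")):
        return False
    if "itype" in o and pkt.get("itype") != int(o["itype"]):
        return False
    if "content" in o:
        depth = int(o.get("depth", 0)) or None  # depth bounds how far into the payload to look
        if content_bytes(o["content"]) not in pkt.get("payload", b"")[:depth]:
            return False
    return True

def inspect(rules, pkt):
    """Return (sid, msg) for every rule the packet triggers, in rule order."""
    return [(r["sid"], r["msg"]) for r in rules if matches(r, pkt)]

def demo():
    """Constructed packets (dicts, not captures) run against the three rules."""
    rules = parse_rules(RULES_TEXT)
    pkts = {
        "syn_to_snmp": dict(proto="tcp", src="203.0.113.5", sport=40000, dst="10.1.2.20", dport=161, flags="S"),
        "xmas_to_ssh": dict(proto="tcp", src="203.0.113.5", sport=40001, dst="10.1.2.7", dport=22, flags="FPU"),
        "xmas_to_snmp": dict(proto="tcp", src="203.0.113.5", sport=40002, dst="10.1.2.20", dport=161, flags="FPU"),
        "cyberkit_ping": dict(proto="icmp", src="198.51.100.23", dst="10.1.2.1", itype=8, payload=b"\xaa" * 32),
        "plain_ping": dict(proto="icmp", src="198.51.100.23", dst="10.1.2.1", itype=8, payload=bytes(range(32))),
        "internal_snmp": dict(proto="tcp", src="10.1.2.33", sport=5000, dst="10.1.2.20", dport=161, flags="S"),
    }
    return {name: inspect(rules, p) for name, p in pkts.items()}

if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:14s} -> {hits or 'no alert'}")
```

The last two packets show the two ways a signature stays silent: a ping with a normal payload does not carry the CyberKit byte pattern, and a probe from inside HOME_NET never matches a rule whose source is $EXTERNAL_NET, which is exactly why the paper's hybrid H-IDS/N-IDS layout places sensors inside the network as well.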

Intrusion detected by Snort
Attempt blocked by the network controller

3.5.3. External intrusion attempt detected:
This intrusion, of type "ICMP PING CyberKit 2.2 Windows", came from an external network and was detected by Snort and blocked by the network controller. Although this attempt is not very dangerous, it made it possible to verify the proper operation of the intrusion detection and of the response of the network guardian. The rule that allowed the detection of this attempt is included in the Snort signature database with SID 483 and is found in the file icmp.rules:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:5;)

4. Conclusion:
To protect a network against attacks, including intrusions, one must study its architecture, analyze its vulnerabilities and keep up to date with new threats, in order to minimize the risks that may occur. In this paper, we proposed and implemented a solution for securing a network based on intrusion detection systems. We performed several experiments to validate our solution.

References
[1] D. Denning, "An Intrusion-Detection Model", IEEE Transactions on Software Engineering, Vol. SE-13, No. 2, 1987.
[2] A. Bivens, C. Palagiri, "Network-Based Intrusion Detection Using Neural Networks", 2005.
[3] H. O. Alanazi, R. Md Noor, B. B. Zaidan, A. A. Zaidan, "Intrusion Detection System: Overview", Journal of Computing, Vol. 2, Issue 2, February 2010.
[4] M. Botha, R. Solms, K. Perry, E. Loubser, G. Yamoyany, "The Utilization of Artificial Intelligence in a Hybrid Intrusion Detection System", SAICSIT, pp. 149-155, 2002.
[5] P. Lichodzijewski, A. N. Zincir-Heywood, M. I. Heywood, "Host-Based Intrusion Detection Using Self-Organizing Maps", IEEE Communications, 2002.

