Protecting The Network And Detecting System Attacks Computer Science
In this assignment I have researched NIDS and IDS/IPS. I have written about their roles and importance in a computer network. I have also written about their strengths and weaknesses compared with traditional mechanisms like malware and firewalls, what makes them most powerful in the network security environment, and why organizations use them as reliable agents.

2. Network Intrusion Detection Systems
A NIDS is an independent platform that examines network traffic, monitors multiple hosts and identifies intrusions. It gains access to the traffic by connecting to a network hub or to a switch port configured for port mirroring. An example of a NIDS is Snort. It reads all incoming packets and looks for suspicious patterns known as rules or signatures. It is not limited to incoming traffic: it can also inspect outgoing traffic, so that an intrusion in either direction is caught.

3. Intrusion Detection Systems
Intrusion detection is the process of determining whether an unknown third party has remotely gained access to our computer or network. It can be performed manually by checking log files or network/internet traffic for suspected or real intrusions, but this is time consuming and requires expertise. IDS fall into three broad categories: anomaly based, pattern based and specification based.
Anomaly-based IDS treat any previously unseen behavior of the system or network as a potential attack. They require extensive training to distinguish good traffic from bad.
Pattern-based IDS cannot detect new attacks, because they assume that attacks are already known and can therefore be matched.
Specification-based IDS look for an undesirable state of the system and report an intrusion when that state is detected.
An ID system follows a two-step process. The first step is host-based and is considered the passive component: it inspects the system's configuration files for inadvisable settings, passwords and other areas to detect policy violations. The second step is network-based and is considered the active component: mechanisms are put in place to recognize known attacks and record the system's responses.
The top 5 Intrusion Detection Systems are:
Sguil.

4. Intrusion Prevention Systems
An Intrusion Prevention System is a device that monitors the network, helps identify potential threats and reacts to them. An IPS takes immediate action, based on the set of rules established by the network administrator, when an exploit is carried out shortly after an attacker gains access. An IPS is basically like a firewall that detects anomalies in network traffic and stops malicious activity. Large organizations already use IPS because it protects against denial of service attacks and critical exposures found in software such as Microsoft Windows. An IPS can drop suspicious packets or disconnect ports before the traffic reaches the host, and it focuses on what the attack does, that is, on its behavior. IPS come in two types, host-based IPS and network-based IPS. A HIPS runs on a single computer and is tied to a specific IP address; it does not require continuous updates, and if it finds suspicious activity on the computer it notifies the user and prevents the attack. A NIPS, by contrast, is located on the computer network, examines the network traffic and detects threats or malicious activity based on its configuration or security policy.

IPS Classification
IPS are classified into 4 types:
Network-based Intrusion Prevention Systems: monitor the entire network and look for suspicious traffic by analyzing protocol activity.
Wireless Intrusion Prevention Systems: monitor a wireless network by analyzing wireless networking protocols and looking for suspicious activity.
Network Behavior Analysis: examines network traffic and identifies unusual threats such as distributed denial of service, certain malware and policy violations.
Host-based Intrusion Prevention Systems: software installed on a single host that looks for suspicious activity and analyzes events occurring on that host.

Detection Methods in IPS
1. Signature-based Detection: In this method, signatures are preconfigured and predetermined for known attack patterns, and the network is monitored for traffic that matches these signatures. If a match is found between the traffic and a signature, appropriate action is taken.
2. Statistical Anomaly-based Detection: In this method a baseline is created from samples of network traffic, and the system uses statistical analysis to compare the current sample set to that baseline. Intrusion prevention takes action if the activity falls outside the baseline parameters.
3. Stateful Protocol Analysis Detection: In this method, deviations in protocol state are identified by comparing observed events with predetermined profiles of accepted activity.

5. Anti-Malware
Malware is software designed to enter a computer system without the owner's knowledge. It includes viruses, worms, spyware, Trojans and adware. Malware is developed for purposes such as hacking someone's machine and obtaining information like their bank accounts, emails or other private, confidential data. The best known malware are viruses and worms. A computer virus is malicious executable software that spreads rapidly through the computer, attacks system executable files and crashes the computer. A typical example is an email containing a malicious attachment: clicking on it immediately starts the virus multiplying on the system, and it may be transferred to other people if the email is forwarded to another user. A worm, on the other hand, transfers itself automatically over a network and infects other computers, which is serious damage and may cause loss of data in an organization.
Anti-malware programs were developed because of frequent malware attacks. Anti-malware protects the system by scanning all incoming network traffic and blocking any malware threat. It is used to detect and remove malware from the software installed on the machine: it scans the Windows registry, the programs installed on the machine and the operating system files. It displays a list of the threats found on the machine, and the user can then decide which files should be deleted or kept. There are various anti-malware products on the market, such as McAfee, Norton and ZoneAlarm.

6. Firewall
A firewall is software designed to block unauthorized access and permit authorized communication to a computer or a network, based on a set of rules. It is used to prevent internet users who are not authorized from accessing private networks connected to the internet. A firewall acts as a gate between the protected and unprotected networks, so that nothing malicious comes in and no private data goes out. The basic task of a firewall is to regulate the flow of traffic between computer networks of different trust levels, e.g. the internet, which is a zone with no trust. A firewall is software running on a computer that continuously inspects network traffic and denies threats based on a set of rules. Several types of firewall techniques are:
1. Packet Filter: inspects each packet passing through the network and accepts or rejects it based on a user-defined set of rules. It is transparent to the user, difficult to configure and susceptible to IP spoofing.
2. Proxy Server: hides the true network address and intercepts all incoming and outgoing traffic.
3. Application Gateway: applies security mechanisms to specific applications such as telnet and FTP servers.

7. IDS vs. IPS
IDS and IPS are today commonly used by most companies for maximum protection of their networks.
An IDS is a passive device that watches data packets from a monitoring port, compares the traffic to a user-defined set of rules and raises an alarm if it detects anything suspicious. It detects various types of malicious traffic that may have slipped past a typical firewall, including network attacks against services, unauthorized logins, data-driven attacks on applications, viruses and worms. There are several ways to detect threats: anomaly-based detection, signature-based detection or stateful protocol analysis. Its engine records the incidents logged by the sensors in a database, generates alerts and sends them to the network administrator. An IDS helps to pinpoint problems within the organization, to document existing threats, and to enforce the security policy by catching users who violate it.
An IPS is considered a good IDS with all the features. It sits inline with the traffic flow on a network and shuts down attacks that are sent over the wire. It actually terminates the attack, or the session of the user attempting it, by blocking the user account, IP address or any other attribute associated with that user. It can also shut down services and applications on the targeted machine by blocking all access points. An IPS can respond to a threat in two ways: by reconfiguring a router or firewall, since these are security controls that can block the attack, or by applying patches if the host has vulnerabilities. An IPS also helps to remove malicious attachments from email before they reach the user.

8. Strengths & Weaknesses of IDS over Malware Compared with Traditional Malware, Antivirus, Antispyware
IDS are designed with the main aim of detecting attacks and threats and sending alerts upon detection. An IDS is installed on a computer network to find any intruder and raise an alert; it protects the network by checking deeply whether an intruder was present or not, and so provides complete security to the network. When IDS are used together with a security policy, data encryption, user authentication, firewalls and access controls, they enhance network safety. IDS are successful for three main reasons: they monitor, detect and respond to unauthorized access from outside the company's network. An IDS can send these alerts to the network administrator so that the situation can be checked and the network environment kept safe, but before that it may shut down all services or access points, or block the IP address or port that appears to belong to a malicious, suspicious intruder.
Firewalls, antivirus and antispyware act like a fence between the computer and the network. They do not have the capability to shut down all services or block suspicious ports, and even if they get corrupted there is no alarm to the network administrator about whether they are still up and running. This is their main disadvantage, and it is why they are not very successful when it comes to organizational security: they cannot perform the kind of automated task that an IDS performs so compatibly and securely. That is why these days organizations are already using IDS to keep their networks safe and protected.

9. Host-based vs. Network-based IDS
Host-based IDS are installed on local host machines and identify intrusions by analyzing application logs, system calls, access control and file-system modifications. The sensor in a HIDS is basically a software agent that only looks for predefined rules matching attacks and threats when an intruder is present. NIDS, by contrast, are installed on a computer network, examine the network traffic and monitor multiple hosts. They gain access by connecting to a network switch, network tap or network hub. NIDS sensors are placed at choke points in the network, where they monitor all network traffic by analyzing each packet to make sure it is not malicious, thus keeping both hosts and network safe from intruders in an organization.

10. Signature-based vs. Anomaly-based IDS
Signatures are easy to develop once the network behavior is known and we know what we are trying to identify with them. With signatures it is easy to understand the alerts sent for generated events, since every captured packet is attached to its particular event. The rules in a signature-based IDS are based on pattern matching, and checks are easy to perform by matching them against system patterns. But signature-based IDS are actually slow, since a new signature has to be created for every attack. They are not powerful enough against large attacks, because they are pattern based.
Anomaly-based IDS do not require any signature creation, have the ability to detect 0-day attacks and do not send false alerts. But this is a very expensive method of detection, as the detection engine needs to decode and process network protocols in order to understand their goal. Every protocol has to be defined, baselined and tested for specific thresholds. Its engine doesn't detect malicious activity of the normal usage p

11. Signature to identify attacks on 1st assignment
The signature used in the first assignment may be DPI (deep packet inspection), as it is effective against buffer overflow attacks. DPI actually searches packets for viruses, worms or any intrusion, or for predefined rules, and then decides what action to take on the malicious packet, collecting statistical information as it does so. It can block packets that carry the signature of a known attack. DPI combines the functionality of IDS and IPS, which makes it more powerful. DPI also enables advanced network management, user services, security functions, data mining and censorship.

12. Snort
Snort is a free open source NIDS and NIPS created by Martin Roesch in 1998. It is now developed by Sourcefire and has been named one of the greatest open source software. It has the ability to perform packet logging on Internet Protocol networks and real-time traffic analysis. It is used to detect attacks including, but not limited to, buffer overflows, operating system fingerprinting attempts, Common Gateway Interface attacks, stealth port scans and Server Message Block probes. It can be configured in three modes: sniffer, packet logger and network intrusion detection. In sniffer mode it reads network packets and displays them on the console. In packet logger mode it logs packets to disk, whereas in network intrusion detection mode it monitors and analyzes the network traffic and takes action against anything that violates the rule set defined by the user. Being open source brings many advantages, as security experts continuously test and review the code and look for improvements. Specialists and security engineers also write rules around the clock for new threats and for threats already harming network environments, keeping the network safe.
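To make the signature-based and statistical-anomaly detection methods of sections 4 and 10 concrete, and the kind of rule matching Snort performs in network intrusion detection mode, here is a small added Python illustration; it is not Snort's code and not part of the original essay. The packet records, the single content rule with its placeholder sid, and the clean baseline are all constructed for the example, and it shows why the two methods complement each other: the signature catches the known attack but not the scanner, the baseline catches the scanner but not the single known attack.

```python
"""Toy signature + statistical-anomaly detector (added example, not Snort code)."""
from collections import Counter
from statistics import mean, pstdev

# Snort-style content rule. Constructed for this example; the sid is a placeholder.
SIGNATURES = [
    {"sid": 1000001, "proto": "tcp", "dport": 80,
     "content": b"/../../etc/passwd", "msg": "directory traversal attempt"},
]

def signature_alerts(packets):
    """Pattern-based detection: alert when a rule's content appears in the payload."""
    alerts = []
    for pkt in packets:
        for rule in SIGNATURES:
            if (pkt["proto"] == rule["proto"] and pkt["dport"] == rule["dport"]
                    and rule["content"] in pkt["payload"]):
                alerts.append((rule["sid"], pkt["src"], rule["msg"]))
    return alerts

def anomaly_alerts(baseline, packets, k=3.0):
    """Statistical detection: learn packets-per-source from clean baseline traffic,
    then flag any source whose count exceeds mean + k * standard deviation."""
    counts = list(Counter(p["src"] for p in baseline).values())
    threshold = mean(counts) + k * pstdev(counts)
    observed = Counter(p["src"] for p in packets)
    return [(src, n) for src, n in observed.items() if n > threshold]

def make_packets(src, n, dport=80, payload=b"GET / HTTP/1.1"):
    """Build n constructed TCP packet records from one source address."""
    return [{"src": src, "proto": "tcp", "dport": dport, "payload": payload}
            for _ in range(n)]

# Constructed clean baseline: five internal hosts, 8-12 requests each.
BASELINE = (make_packets("10.0.0.11", 8) + make_packets("10.0.0.12", 10)
            + make_packets("10.0.0.13", 12) + make_packets("10.0.0.14", 9)
            + make_packets("10.0.0.15", 11))

# Constructed test window: normal users, one known attack that matches the
# signature, and one noisy port scanner (40 ports) that matches no signature.
TEST = (make_packets("10.0.0.11", 9) + make_packets("10.0.0.12", 10)
        + make_packets("203.0.113.7", 1, payload=b"GET /../../etc/passwd HTTP/1.1")
        + [{"src": "198.51.100.9", "proto": "tcp", "dport": port, "payload": b""}
           for port in range(1, 41)])

def run():
    """Return (signature alerts, anomaly alerts) for the test window."""
    return signature_alerts(TEST), anomaly_alerts(BASELINE, TEST)
```

With the constructed baseline the anomaly threshold works out to roughly 14.2 packets per source, so only the scanner crosses it, while the traversal request is found only by the content rule.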