Intrusion Detection Systems

CMIT368
August 12, 2006

Introduction
As technology has advanced, information systems have become an integral part of every day life. In fact, there are not too many public or private actions that can take part in today’s society that do not include some type of information system at some level or another. While information systems make our lives easier in most respects, our dependency upon them has become increasingly capitalized upon by persons with malicious intent. Therefore, security within the information systems realm has introduced a number of new devices and software to help combat the unfortunate results of unauthorized network access, identity theft, and the like – one of which is the intrusion detection system, or IDS.
Intrusion detection systems are primarily used to detect unauthorized or unconventional accesses to systems and typically consist of a sensor, monitoring agent (console), and the core engine. The sensor is used to detect and generate the security events, the console is used to control the sensor and monitor the events/alarms it produces, and the engine compares rules against the events database generated by the sensors to determine which events have the potential to be an attack or not (Wikipedia, 2006, para. 1-3).
IDS generally consist of two types – signature-based and anomaly-based. Signature-based IDS operate by comparing network traffic against a known database of attack categories. In fact, signature-based IDS work much in the same way that antivirus software does, except network traffic is examined instead of files. This type of IDS is extremely effective against known attack types. Anomaly-based IDS observe actual system behavior against “baselined” behavior. Any activities that contradict otherwise standard system use may be considered an attack and generate an alert. This is considered a heuristic approach to intrusion detect and is effect against unknown attacks (Foster, 2005, para. 2 & 6).
The purpose of this paper is to delve a little deeper into intrusion detection systems and briefly describe the three different device types of IDS that are currently available – Host-based, network-based, and application-based. The following sections will give insight to how each of these IDS work, their advantages, and their disadvantages.
Host-based IDS
Host-based IDS, or HIDS, are just what the name implies – IDS that reside on a host system. This system can be a server, workstation, or even a decoy (honeypot) configured to lure intruders in so that they can be safely monitored to study their intrusion techniques or intent. HIDS are generally platform-specific, therefore often software-based and having both Microsoft Windows and UNIX-compatible versions. HIDS work by examining log files, hardware usage, critical data files or data stores, and even the actions of processes running on the system. HIDS then compare this data to a specified system state either determined by the security administrator, or by a strict security policy established from extensive baselining. Whenever the system encounters activity, either internal or external, that varies from the baseline or security policy by a certain percentage, it is determined to be an attack (Ciampa, 2005, p. 163).
HIDS are most beneficial in providing detection capabilities for the internal environment of an organization. Unauthorized accesses by employees, trespassers, etc. are almost always the most abundant kind of attack and are usually the most costly. HIDS help defend against this by allowing centralized monitoring of all HIDS within the network, generating local or remote alarms when suspicious activity is detected, and also by providing some security-related reactions such as file/data quarantining, locking out questionable user accounts, and disabling compromised services and/or processes. HIDS are also somewhat cost-effective in comparison to other IDS types since they are most commonly software-based on not a hardware appliance.
Unfortunately, there are a number of disadvantages to HIDS, as well. The most significant problem with HIDS is that the majority are software-based and operate on the system itself. What this can lead to is controlling the HIDS if the system becomes entirely compromised. HIDS can also be difficult to manage if spread across many systems without an efficient administration plan in place. Finally, HIDS use the same resources the server it resides on uses. Depending on the activity of the server, a HIDS can be quite a burden to an already busy system. This can lead to bottlenecks, costly hardware upgrades, and other technical issues (Shimonski, 2004, para. 6).
Network-based IDS
Network-based IDS, or NIDS, are normally hardware-based devices (or dedicated systems) that reside at critical points of the network – capturing all incoming (and sometime outgoing and localized) packet traffic and analyzing it for suspicious patterns in accordance with the signature or rule database. Specifically, NIDS capture IP datagrams and TCP streams, reassemble them, and then use one of these techniques in order to determine malicious patterns:
1. Protocol stack verification checks underlying protocols for specific attack types associated with individual protocols such as those associated with Denial-of- Service (DoS) attacks, SYN sweeps, invalid ICMP traffic, etc.
2. Application protocol verification detects invalid application-level protocol usage such as those used in DNS cache poisoning, out of band (OOB) NetBIOS traffic, and some types of buffer overflow attacks that utilize application-level protocols.
3. Creating new loggable events by capitalizing on preexisting audit capabilities that exist on the network by associating the NIDS’ logging abilities with the logs collected by other systems on the network (TICM, 2000, para. 2.2).
NIDS offer excellent secondary protection to firewalls for a network. If placed correctly, any and all traffic that passes in and out of a firewall can be analyzed for potential attack attempts. Additional NIDS can also be placed throughout the network for even more protection at critical points. NIDS ability to reconstruct TCP/IP traffic alone make it one of the most valuable IDS types available.
Despite NIDS excellent abilities to detect potential attacks at even the lowest protocol levels, there are still some glaring weaknesses NIDS posses. One of these weaknesses happens to consist of its networking abilities in the first place. Considering NIDS are most effective capturing all traffic passed, NIDS can either become a congestion point or fail to capture all traffic if there is an extremely large amount of data passing over the wire. This can lead to poor network performance or DoS effect on the NIDS itself – causing it to miss what could be malicious traffic with absolutely no warning. NIDS also can generate excessive false positives, unless properly configured. False positives are triggers that resemble an attack, but in actuality are legitimate traffic. An improperly configured NIDS can make examining logs a very tedious event due to the large number of these false positives. False negatives, the opposite of false positives, are also an even more serious problem with NIDS. Finally, most current NIDS in system are incapable of analyzing encrypted traffic. Considering more and more organizations, and users, are turning to data encryption, a serious threat is at hand since intruders have the same capabilities to carry out their attacks using encryption as anyone else (Spitzner, 2003, para. 10).
Application-based IDS
Application-based IDS (AIDS) are fairly self-explanatory – they operate on a system like HIDS do, but monitor specific applications for malicious activity. This type of IDS is especially useful for protecting critical services such as Email, Web, FTP, and others because of its specialization in the application that provide these services. AIDS scan log files, monitor user interaction, collect usage patterns, and analyze application layer traffic. The AIDS uses this information in the same manner as the HIDS – it compares it against an established baseline to determine what legitimate application interaction is, and what is not. One of the most important aspects of AIDS are that most are capable of analyzing encrypted data through the use of services already present on the system.
The disadvantages of AIDS are quite similar to that of the HIDS. However, most of those disadvantages are somewhat magnified due to the fact that the entire system need not be compromised to take control over an AIDS – only the AIDS itself needs to be captured. AIDS usually do not consume as many resources as HIDS, but if the AIDS is used to analyze large concentrations of encrypted traffic, it can be a direct contributor to the reduced availability of system resources since dealing with encryption induces a large amount of overhead. Finally, the specialization AIDS exhibit can be its own downfall. Because AIDS are targeted to protect a specific application, an attack on the rest of the system can easily go undetected – ultimately leading to the application, AIDS, and system to become compromised without warning (Posey, 2005, para. 5).
Conclusion
Intrusion detection systems are becoming commonplace in most networks for obvious reasons. Specialized variations of the IDS types discussed within this paper also exist – protocol and application protocol-based IDS, as well as hybrid IDS which encompass two or more of the available IDS types. While IDS are no substitute for solid access control lists on routers and firewalls, excellent security policy management, and sound network design, they do offer an excellent second line of defense for network and security administrators. The availability of passive IDS to generate alerts and/or reactive IDS which can actually configure firewalls and routers at the detection of a possible intrusion, are giving more and more combinations of providing network security. Despite the disadvantages presented in this paper of the various IDS available, the only real disadvantage is not having one on your network.

References
Ciampa, M. (2005). Security + guide to network security fundamentals (2nd Ed.). Thomson Course Technology.
Foster, J. (2005, May). IDS: Signature versus anomaly detection. Retrieved July 20, 2006, from http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1092691,00.html
Posey, B. (2005, April). Choosing an intrusion detection system: Network, host or application-based IDS. Retrieved July 20, 2006, from http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci1083969,00.html
Shimonski,R. (2004, July). What you need to know about intrusion detection systems. Retrieved July 20, 2006, from http://www.windowsecurity.com/articles/What_You_Need_to_Know_About_Intrusion_Detection_Systems.html
Spitzner, L. (2003, April). Honeypots: Simple, cost-effective detection. Retrieved July 20, 2006, from http://www.securityfocus.com/infocus/1690
TICM. (2000, March). FAQ: Network intrusion detection systems. Retrieved July 20, 2006, from http://www.ticm.com/kb/faq/idsfaq.html#2.2
Wikipedia. (2006, July). Intrusion detection systems. Retrieved July 20, 2006, from http://en.wikipedia.org/wiki/Intrusion_detection_systems