Intrusion Detection
How will a hacker act when carrying out his “black deed”? He will very likely install a rootkit, malware that is readily obtained on the Internet. A rootkit is software that gives the intruder privileged, hidden access to a computer by subverting standard operating system functionality or other applications. It is essentially a program, or a sequence of programs driven by an installer script, that makes quick work of modifying the system so that the intruder stays in control. In practice this is done by replacing common system tools with trojaned binaries, falsifying log files, or installing a modified kernel or kernel module that achieves the same result. As a consequence the most trivial commands, such as ls or ps, can be altered so that they no longer show where the intruder's files are stored or which of his processes are running. Very smart indeed!
To catch this kind of tampering, intrusion detection systems (IDS) were developed. An IDS is a device or software application that monitors network or system activity for malicious actions or policy violations and produces reports to a management station. Intrusion detection is a monitoring process that has become a necessary addition to the security infrastructure of nearly every organization. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies.
A network intrusion detection system (NIDS), then, is a device or software application that tries to detect malicious activity such as denial-of-service attacks, port scans or attempts to break into computers by monitoring network traffic and producing reports to a management station.
A NIDS reads all incoming packets and tries to find suspicious patterns, known as signatures or rules. If, for example, a large number of TCP connection requests to a very large number of different ports are observed from one source, one can assume that someone is conducting a port scan of some or all of the computers in the network. Often valuable information about an ongoing intrusion can be learned from outgoing or local traffic as well. Some attacks might even be staged from inside the monitored network or network segment, and are therefore not incoming traffic at all.
A NIDS also tries to detect incoming shellcode in the same manner. It is not limited to inspecting incoming traffic: it is an independent platform that identifies intrusions by examining network traffic and can monitor many hosts at once. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. Sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders; they capture all traffic passing through and analyze the content of individual packets for malicious traffic. Two practical limits apply: a mirror port can silently drop packets under load, and content matching cannot see inside encrypted (for example TLS) payloads. An example of a NIDS is Snort, a free and open-source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) created by Martin Roesch in 1998. Snort performs real-time traffic analysis and packet logging on Internet Protocol (IP) networks, with protocol analysis, content searching and content matching. It can be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface (CGI) attacks, buffer overflows, server message block (SMB) probes, and stealth port scans. We distinguish two main types of IDS: those protecting networks and those protecting individual hosts.
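The two NIDS techniques just described, a content signature and a port-scan threshold, written out as an added example (this is not Snort's code, and the matcher is a deliberately tiny hypothetical one; only the rule text uses genuine Snort syntax). The packets, the $HOME_NET value and the port/window thresholds are all constructed for the demonstration:

```python
"""Toy NIDS logic on constructed packets (added example, not Snort's code).
1. A content signature written in real Snort rule syntax, matched by a
   minimal hypothetical matcher (Snort itself supports far more options).
2. A port-scan heuristic: one source SYN-ing many distinct ports in a window.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:                 # the few header fields the checks below need
    ts: float                 # capture time in seconds
    src: str
    dst: str
    proto: str                # "tcp" or "udp"
    dport: int
    flags: str = ""           # TCP flags as letters, "S" = SYN, "PA" = PSH+ACK
    payload: bytes = b""


# Genuine Snort syntax; $HOME_NET is assumed to be 10.0.0.0/8 for this demo.
RULE = ('alert tcp any any -> $HOME_NET 80 (msg:"WEB-ATTACK /etc/passwd access"; '
        'content:"/etc/passwd"; sid:1000001; rev:1;)')
HOME_NET_PREFIX = "10."

_HEADER = re.compile(r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
                     r'\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)$')


def parse_rule(text):
    """Split a rule into its header fields plus a dict of key:value options."""
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    rule = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule


def _addr_matches(pattern, addr):
    if pattern == "any":
        return True
    if pattern == "$HOME_NET":            # assumption: HOME_NET = 10.0.0.0/8
        return addr.startswith(HOME_NET_PREFIX)
    return pattern == addr


def match_signature(rule, pkt):
    """Return the rule's msg when header and payload match, otherwise None."""
    if rule["proto"] != pkt.proto or not _addr_matches(rule["dst"], pkt.dst):
        return None
    if rule["dport"] != "any" and int(rule["dport"]) != pkt.dport:
        return None
    content = rule["opts"].get("content", "").encode()
    if content and content not in pkt.payload:
        return None
    return rule["opts"].get("msg")


def detect_port_scans(packets, window=5.0, min_ports=20):
    """Sources that SYN to >= min_ports distinct TCP ports within `window` seconds."""
    history = defaultdict(list)           # src -> [(ts, dport), ...] in the window
    scanners = set()
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto != "tcp" or "S" not in p.flags:
            continue
        hist = history[p.src]
        hist.append((p.ts, p.dport))
        while hist and hist[0][0] < p.ts - window:   # slide the window forward
            hist.pop(0)
        if len({dport for _, dport in hist}) >= min_ports:
            scanners.add(p.src)
    return scanners


# Constructed traffic: a scanner walking ports 1-25, a benign client, and one
# HTTP request carrying the signature's content.
SAMPLE = [Packet(0.1 * i, "192.0.2.7", "10.0.0.5", "tcp", 1 + i, "S") for i in range(25)]
SAMPLE += [Packet(1.0, "192.0.2.9", "10.0.0.5", "tcp", 443, "S"),
           Packet(2.0, "192.0.2.9", "10.0.0.5", "tcp", 80, "PA",
                  b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.1\r\n")]


def run(packets=SAMPLE, rule_text=RULE):
    """Return (signature alerts, scanning sources) for a packet list."""
    rule = parse_rule(rule_text)
    alerts = [m for p in packets if (m := match_signature(rule, p)) is not None]
    return alerts, detect_port_scans(packets)


if __name__ == "__main__":
    print(run())        # (['WEB-ATTACK /etc/passwd access'], {'192.0.2.7'})
```

The scanner is flagged on its twentieth distinct port, the benign client is not, and the single HTTP request matches the content signature. Note what the scan heuristic misses by design: a scanner that spreads its probes over more than the window, or across many source addresses, stays under the threshold, which is why real sensors combine several such heuristics.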
Host-based IDS is performed by means of tools that monitor the filesystem for changes. System files that have been altered, but should not have been without our intervention, are a dead giveaway that something is amiss. Anyone who gets in will almost always make changes to the system: getting in is only the first step, and to get back in later through a backdoor, or to attack someone else from the compromised machine, the intruder has to change or add files. For home desktops and home LANs this is arguably not a necessary component of the security policy, but on servers a tool such as Tripwire is what saves the situation. Tripwire monitors various aspects of the filesystem (file hashes, sizes, permissions, ownership and timestamps) by comparing them against a database built earlier and reporting any discrepancy. Tools like Tripwire must be installed on a known clean system, since a baseline taken from an already compromised machine simply records the intruder's changes as normal; the database itself should be kept read-only or off the host, or the intruder will just regenerate it after his edits.
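A minimal integrity checker of the kind described above, as an added example (this is not Tripwire's code, just the same idea in a few dozen lines). The fake /bin tree, the baseline location and the intruder's edits are all constructed inside a temporary directory:

```python
"""Minimal host-based integrity checker in the spirit of Tripwire (added
example, not Tripwire's code). It fingerprints every regular file under a
directory, stores the baseline as JSON, and later reports files that were
changed, added or removed. The demo tree and the "intruder" edits are all
constructed inside a temporary directory."""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """SHA-256, size and permission bits of one regular file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Fingerprint every regular file below root, keyed by path relative to root."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):     # skip symlinks, devices
                db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def save_baseline(db, path):
    # The baseline must be protected (read-only media, or a signed copy kept
    # off the host); otherwise the intruder simply regenerates it after his edits.
    with open(path, "w") as f:
        json.dump(db, f, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Relative paths whose fingerprint changed, that are new, or that vanished."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Baseline a clean fake /bin, apply typical rootkit edits, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")          # monitored tree
        os.mkdir(bindir)
        for name in ("ls", "ps", "sh"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"#!/bin/sh\nexec /bin/" + name.encode() + b' "$@"\n')
            os.chmod(os.path.join(bindir, name), 0o755)
        db_path = os.path.join(tmp, "baseline.json")   # outside the monitored tree
        save_baseline(build_baseline(bindir), db_path)

        # The intruder's work: trojan ls, make sh setuid, drop a backdoor, delete ps.
        with open(os.path.join(bindir, "ls"), "ab") as f:
            f.write(b"# patched: hide names starting with .rk\n")
        os.chmod(os.path.join(bindir, "sh"), 0o4755)
        with open(os.path.join(bindir, ".rk-backdoor"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/sh -i\n")
        os.remove(os.path.join(bindir, "ps"))

        return compare(load_baseline(db_path), build_baseline(bindir))


if __name__ == "__main__":
    print(demo())
```

The report lists ls and sh as changed (content in one case, only the setuid bit in the other, which is why mode is part of the fingerprint), the backdoor as added and ps as removed. A checker like this only reports; deciding which of the changes were legitimate package updates is still the administrator's job, and a rootkit that hooks the kernel's read path can lie to the checker itself, which is the reason for booting from trusted media before a serious audit.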
On Windows networks, a tool such as ShareAlarmPro lets network administrators and users monitor network shares easily. Using ShareAlarmPro you can monitor users attempting to access secured shares and confidential files, detect and log network access to shared folders, monitor security events and accessed files, disconnect users from open files or deny network users access, and monitor changes to sharing permissions. ShareAlarmPro includes an intrusion detection component based on a security event log analyzer: its Security Event Log Monitor watches the security event logs of Windows NT/2000/XP servers or workstations and notifies the user when selected events are detected.
ShareAlarmPro also monitors your share permissions and alerts you if “Everyone”, “Domain Users” or another selected broad access group is added to the permissions of a share, a common way for an intruder (or a careless administrator) to expose confidential files. With ShareAlarmPro you can monitor file or folder creation, deletion or any attribute change in your shares. The program keeps a log of all detected events (access to shared folders, security events, folder watcher events) in HTML format.
Often, network intrusion detection systems work together with other systems as well. They can, for example, update a firewall's blacklist with the IP addresses of computers used by (suspected) crackers. Such automatic blocking needs care: an attacker who spoofs source addresses can cause legitimate hosts to be blacklisted. The term firewall originally referred to a wall intended to confine a fire, or potential fire, within a building (a firewall in the construction sense).
A firewall is a network security device, or set of devices, designed to permit or deny network transmissions based upon a set of rules; it is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass.
Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions. A router is a device that forwards data packets across computer networks, performing the “traffic directing” function on the Internet.
There are four types of intrusion prevention systems:
1. Network-based Intrusion Prevention (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
2. Wireless Intrusion Prevention Systems (WIPS): monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
3. Network Behavior Analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations.
4. Host-based Intrusion Prevention (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events within that host.
The majority of intrusion prevention systems make use of one of three detection methods: signature-based, statistical anomaly-based, and stateful protocol analysis.
1. Signature-based Detection: uses signatures, which are preconfigured and predetermined attack patterns. A signature-based intrusion prevention system monitors the network traffic for matches to these signatures; as soon as a match is found, it takes the configured action. Signatures can be classified as exploit-based or vulnerability-based. Exploit-based signatures match patterns in specific, known exploits, so a re-encoded variant of the same exploit can slip past them; vulnerability-based signatures describe the vulnerability itself, how it is reached, and the conditions necessary for exploiting it, so they cover any exploit of that flaw but are harder to write. Either way, a signature can only match what has already been seen and encoded.
2. Statistical Anomaly-based Detection: establishes a baseline of normal network traffic (bandwidth, protocols, ports, hosts and so on). After the baseline is created, the system periodically samples network traffic and uses statistical analysis to compare the sample against it; if the activity falls outside the baseline parameters, the intrusion prevention system acts accordingly. The baseline must be learned from known-clean traffic, and legitimate changes in usage will show up as anomalies until it is retrained.
3. Stateful Protocol Analysis Detection: identifies deviations from expected protocol states by comparing observed events with “predetermined profiles of generally accepted definitions of benign activity”, for example an SMTP client issuing RCPT before MAIL, or an unreasonably long argument to a command.
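The statistical anomaly-based and stateful protocol analysis methods, each reduced to its core, as an added example (not code from any IDS product). The traffic counts, the SMTP sessions, the z-score threshold and the command table are all constructed for the demonstration; the command order follows RFC 5321:

```python
"""Statistical anomaly detection and stateful protocol analysis on constructed
data (added example, not from any product).
- anomaly: learn mean/stdev of connections per minute, flag z-score outliers;
- stateful: track an SMTP session against the RFC 5321 command order and
  flag commands that are invalid in the current state."""
import statistics


# --- statistical anomaly-based detection ---------------------------------
def learn_baseline(samples):
    """(mean, population stdev) of the training samples, e.g. connections/min."""
    return statistics.mean(samples), statistics.pstdev(samples)


def anomaly_scores(baseline, samples, threshold=3.0):
    """[(index, value, z)] for samples more than `threshold` stdevs from the mean."""
    mean, sd = baseline
    sd = sd or 1.0                       # flat baseline: avoid division by zero
    return [(i, v, round((v - mean) / sd, 2))
            for i, v in enumerate(samples) if abs(v - mean) / sd > threshold]


# Constructed: ten quiet minutes (~100 conn/min) for training, then a live
# stretch with a flood (450) and a near-outage (5); both are "outside the baseline".
TRAINING = [98, 103, 101, 97, 105, 99, 100, 102, 96, 104]
LIVE = [101, 99, 100, 450, 98, 102, 5]


# --- stateful protocol analysis (SMTP client commands) -------------------
# state -> {command: next_state}; anything else is a protocol violation.
SMTP_STATES = {
    "start":   {"EHLO": "greeted", "HELO": "greeted", "QUIT": "closed"},
    "greeted": {"MAIL": "mail", "RSET": "greeted", "NOOP": "greeted", "QUIT": "closed"},
    "mail":    {"RCPT": "rcpt", "RSET": "greeted", "NOOP": "mail", "QUIT": "closed"},
    "rcpt":    {"RCPT": "rcpt", "DATA": "data", "RSET": "greeted", "NOOP": "rcpt", "QUIT": "closed"},
    "data":    {".": "greeted"},         # message body until a line holding only "."
    "closed":  {},
}


def check_smtp_session(lines):
    """Return [(line_no, state, line)] for client lines illegal in their state."""
    state, violations = "start", []
    for n, line in enumerate(lines, 1):
        if state == "data":
            if line != ".":
                continue                 # body text, no state change
            cmd = "."
        else:
            cmd = line.split(" ", 1)[0].upper()
        nxt = SMTP_STATES[state].get(cmd)
        if nxt is None:
            violations.append((n, state, line))   # stay in state, as a server does after 503
        else:
            state = nxt
    return violations


GOOD_SESSION = ["EHLO mail.example.org", "MAIL FROM:<a@example.org>",
                "RCPT TO:<b@example.net>", "DATA", "Subject: hi", "", "hello", ".", "QUIT"]
# Constructed relay-probe style session: no greeting, RCPT before MAIL, DATA with no recipient.
BAD_SESSION = ["RCPT TO:<victim@example.net>", "MAIL FROM:<a@example.org>", "DATA", "QUIT"]


if __name__ == "__main__":
    print(anomaly_scores(learn_baseline(TRAINING), LIVE))
    print(check_smtp_session(BAD_SESSION))
```

The anomaly detector flags both the flood and the near-outage, because a statistical baseline has no notion of "attack", only of "unusual"; a marketing campaign that triples traffic would be flagged just the same until the baseline is retrained. The protocol checker needs no signature at all: the three out-of-order commands are violations purely because of the state the session is in, which is what lets stateful analysis catch previously unseen abuse of a protocol.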
To conclude: well-known antivirus and personal firewall solutions are no longer effective enough on their own to protect endpoint systems against well-organized attacks, and we cannot keep our systems patched and reconfigured as quickly as new vulnerabilities appear. The best approach to intrusion prevention is therefore to build a sound foundation, first for detecting an intrusion and then for eliminating it. Beware of ill-intentioned and malicious network activity.