Host-based Intrusion Detection Systems

Intrusion is an occasion when someone goes into a situation or place where they are not wanted or allowed. It refers to the action of intruding or an unwelcome visit, interjection in someone’s matter and forcible entry in any situation. In information security, Intrusion is the any unauthorized access into the network.

Intruders

In information security, one of the two most publicized threats to security is the intruder generally referred to as a hacker or cracker. Intruders are the one that try to intrude into the privacy of a network

Classes of intruders:

Generally, the intruders are classified into three categories.

1. 1. Masquerader:
      • An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account
      • The masquerader is likely to be an outsider
   2. Misfeasor:

A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges the misfeasor generally is an insider

1. Clandestine user:
   • An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection
   • The clandestine user can be either an outsider or an insider.

Intrusion detection system(IDS)

An IDS is a device or software application that monitors a systems or network for malicious activity or policy violations.

Any detected activity or violation is typically reported to a network administrator. There is a wide range of IDS, varying from antivirus software to hierarchical systems that monitor the traffic of an entire network.

Types Of IDS:

The most common classifications are:

• network intrusion detection systems (NIDS)
• host-based intrusion detection systems (HIDS)

Host-based intrusion detection systems (HIDS):

A system that monitors important operating system files is an example of a HIDS.

Host intrusion detection systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected. It takes a snapshot of existing system files and matches it to the previous snapshot. If the critical system files were modified or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission critical machines, which are not expected to change their configurations.

Network intrusion detection systems (NIDS):

A system that analyzes incoming network traffic is an example of a NIDS.

Network intrusion detection systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. It performs an analysis of passing traffic on the entire subnet, and matches the traffic that is passed on the subnets to the library of known attacks. Once an attack is identified, or abnormal behavior is sensed, the alert can be sent to the administrator. Snort is commonly used tool for network intrusion detection systems. NID Systems are also capable of comparing signatures for similar packets to link and drop harmful detected packets which have a signature matching the records in the NIDS.

When we classify the design of the NIDS according to the system interactivity property, there are two types: on-line and off-line NIDS, often referred to as inline and tap mode, respectively. On-line NIDS deals with the network in real time. It analyses the Ethernet packets and applies some rules, to decide if it is an attack or not. Off-line NIDS deals with stored data and passes it through some processes to decide if it is an attack or not.

Techniques used in IDS:

It is also possible to classify IDS by detection approach, the most well-known variants are:

• signature-based detection (recognizing bad patterns, such as malware)
• anomaly-based detection (detecting deviations from a model of “good” traffic, which often relies on machine learning).

Signature Base Detection:

Signature-based IDS refers to the detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware.[2] This terminology originates from anti-virus software, which refers to these detected patterns as signatures. Although signature-based IDS can easily detect known attacks, it is impossible to detect new attacks, for which no pattern is available.

Anomaly Base Detection:

Anomaly-based intrusion detection systems were primarily introduced to detect unknown attacks, in part due to the rapid development of malware. The basic approach is to use machine learning to create a model of trustworthy activity, and then compare new behavior against this model. Although this approach enables the detection of previously unknown attacks, it may suffer from false positives, previously unknown legitimate activity may also be classified as malicious.

Uses Of IDS:

Intrusion detection system can be referred as management system for both computers and networks. It is combination of architected devices and software applications with the purpose of detecting malicious activities and violation of policies and produce report on that.

Intrusion detection system can monitor a network for any kind of abusive, abnormal or malicious activity. It keeps to log of every single malicious or abusive activity. These logs are very important for security professionals to take any steps or to set any rules against these activities.

The logs kept by IDS can be used against an abuser as an evidence to take any legal step.

Weaknesses In Detection

Often intrusion detection systems often produce false report of malicious activity. Sometimes this makes the real malicious activity ignored.

One of the key features of most intrusion detection system is they operate upon packets which are encrypted. These encrypted packets are complicated for analysis There are various ways that attacks can avoid being detected by an IDS.

Signature based must be kept up to date. If the signature is too specific, the attack can be altered to avoid detection. Too much traffic to analyze everything.

IPS

An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent intrusions. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPS for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPS have become a necessary addition to the security infrastructure of nearly every organization.[6]

IDPS typically record information related to observed events, notify security administrators of important observed events and produce reports. Many IDPS can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall) or changing the attack’s content.[6]

Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, report it and attempt to block or stop it.[7].

The IPS take actions if some intrusion is detected in a system. these actions include:

Sending an alarm to the administrator (as would be seen in an IDS) Dropping the malicious packets Blocking traffic from the source address Resetting the connection

Tools for IDS and IPS:

• Snort
• Suricata
• ACARM-ng
• AIDE
• Bro NIDS
• Fail2ban
• OSSEC HIDS
• Prelude Hybrid IDS
• Sagan
• Samhain