
An intrusion is a deliberate unauthorized attempt, successful or not, to break into, access, manipulate, or misuse some valuable property, where the misuse may render the property unreliable or unusable.
The person who intrudes is an intruder.

Three classes of intruders (hackers or crackers):

Masquerader
An unauthorized user who penetrates a computer system's access controls and gains access to user accounts.

Misfeasor
A legitimate user who accesses resources he is not authorized to access, or who is authorized such access but misuses his privileges.

Clandestine user
A user who seizes supervisory control of the system and uses it to evade auditing and access control.

You spend great money on concrete walls (firewalls) but they are of no use if someone can dig through them.

(Figure: RelTunnel ICMP Tunnel)

An IDS is software that automates the intrusion detection process. The primary responsibility of an IDS is to detect unwanted and malicious activities. There are two models of intrusion detection mechanisms: anomaly-based detection and signature-based detection.

Anomaly-based systems are learning systems in the sense that they work by continuously creating norms of activity. These norms are then used to detect anomalies that might indicate an intrusion.
There are two types of anomaly detection:
1. Static anomaly detection
2. Dynamic anomaly detection

A static anomaly detection system is based on the assumption that there is a static portion of the system being monitored. Static portions of the system can be represented as a binary string or a set of binary strings. If the static portion of the system ever deviates from its original form, either an error has occurred or an intruder has altered the static portion of the system. Examples of static anomaly detectors are Tripwire and virus-specific checkers.

Tripwire functions as a host-based intrusion detection system. Rather than attempting to detect intrusions at the network interface level, Tripwire detects changes to file system objects. When first initialized, Tripwire scans the file system as directed by the administrator and stores information on each file scanned in a database. At a later date the same files are scanned and the results compared against the stored values in the database. Changes are reported to the user. Cryptographic hashes are employed to detect changes in a file without storing the entire contents of the file in the database.

Dynamic anomaly detection is also known as statistical-based IDS. It is more difficult than detecting static string changes. Profiles are defined for each user to characterize normal behavior:
- User choices: log-in time, favorite programs
- User sequence of actions
- User CPU usage / network activity
Profiles can be gradually changed to reflect changes in user behavior over time.

The Next-Generation Intrusion Detection Expert System builds statistical profiles of users by taking measures that fall into three classes:
- Audit record distributions: types of audit records generated over a period of time
- Categorical: user name, names of files accessed
- Continuous: any measure in which the outcome is how often something occurred, e.g. total number of open files, number of pages read off secondary storage

Limitations of dynamic anomaly detection: an insider could slowly modify their behavior over time until it is possible to mount an attack without being flagged as anomalous. Users with erratic schedules or hours can be difficult to profile. Determining the deviation threshold can be difficult.

The misuse detection concept assumes that each intrusive activity is representable by a unique pattern or signature, so that slight variations of the same activity produce a new signature and can therefore also be detected. Misuse detection systems are therefore commonly known as signature systems. They work by looking for a specific signature on a system. Identification engines perform well by monitoring these patterns of known misuse of system resources. These systems use state transition diagrams and model-based rule organizations.

Intrusion detection systems are classified based on their monitoring scope. They are: host-based intrusion detection and network-based intrusion detection.

Host-Based Intrusion Detection Systems (HIDS)


This local inspection of systems is called host-based intrusion detection (HIDS). Host-based intrusion detection is the technique of detecting malicious activities on a single computer. It is deployed on a single target computer and it uses logs, including system, event, and security logs on Windows systems and syslog in Unix environments, to monitor sudden changes in these logs.

NIDSs have the whole network as the monitoring scope. They monitor the traffic on the network to detect intrusions. They are responsible for detecting anomalous, inappropriate, or other data that may be considered unauthorized and harmful occurring on a network. There are striking differences between NIDS and firewalls.

NIDS and HIDS each patrol their own area of the network for unwanted and illegal network traffic. They, however, complement each other. Both bring to the security of the network their own strengths and weaknesses that nicely complement and augment the security of the network. Hybrids are new and need a great deal of support to gain on their two cousins. However, their success will depend to a great extent on how well the interface receives and distributes the incidents and integrates the reporting structure between the different types of sensors in the HIDS and NIDS spheres. Also, the interface should be able to smartly and intelligently gather and report data from the network or systems being monitored.

Although NIDS and HIDS and their hybrids are the most widely used tools in network intrusion detection, there are others that are less used but more targeted and, therefore, more specialized.
Because many of these tools are so specialized, many are still not considered intrusion detection systems but rather intrusion detection add-ons or tools.

System Integrity Verifiers (SIVs)

SIVs monitor critical files in a system, such as system files, to find whether an intruder has changed them. They can also detect when a normal user somehow acquires root/administrator level privileges.
Log File Monitors (LFM)

LFMs first create a record of log files generated by network services. Then they monitor this record, just like a NIDS, looking for system trends, tendencies, and patterns in the log files that would suggest an intruder is attacking.
Honeypots
A honeypot is a system designed to look like something that an intruder can hack. They are built for many purposes but the overriding one is to deceive attackers and learn about their tools and methods.

Although IDSs have been one of the cornerstones of network security, they have covered only the passive component, which only detects and reports without preventing. A promising new model is developing and picking up momentum: the intrusion prevention system (IPS), whose purpose is to prevent attacks.

The IPS stops the attack itself:
- Terminate the network connection or user session that is being used for the attack.
- Block access to the target from the offending user account, IP address, or other attacker attribute.

The IPS changes the security environment:
- The IPS could change the configuration of other security controls to disrupt an attack, such as reconfiguring a network device (e.g., firewall, router, switch) to block access from the attacker or to the target, and altering a host-based firewall on a target to block incoming attacks.
- Some IPSs can even cause patches to be applied to a host if the IPS detects that the host has vulnerabilities.

The IPS changes the attack's content:
- Some IPS technologies can remove or replace malicious portions of an attack to make it benign. An example is an IPS removing an infected file attachment from an e-mail and then permitting the cleaned e-mail to reach its recipient.

Intrusion Detection Systems and Intrusion Prevention Systems are only one piece of the whole security puzzle.
These must be supplemented by the user's effort as well.

Users must have a good firewall and also an IDS and IPS to protect the system. Users should not reply to unknown e-mails by providing legitimate data. Users must protect their data and accounts with a strong password, which must include (A, a, 1, $) and should not be any personal data or anything related to the user. Their security question should not be easy to find out, since the intruder (hacker) may have access to their personal life.

By J.Gautham (08m31a1226)
