8 Ids Ips

The document discusses intrusion detection systems (IDS) and intrusion prevention systems (IPS). It begins by stating the objectives and prerequisites for understanding the lesson. It then defines IDS as techniques for detecting unauthorized access to systems, while IPS actively prevents intrusions by filtering network traffic. The document goes on to describe different types of IDS, including network-based IDS, host-based IDS, honeypots, and others. It also outlines some key concepts around intrusion detection and prevention.


Université de Ngaoundéré - Faculté des Sciences Département de Mathématiques et Informatique

VIII- Intrusion Detection System & Intrusion Prevention System

Objectives
At the end of this lesson, students will be able to:
• Understand and explain IDS and IPS concepts
• Describe IDS types: NIDS, HIDS, Honeypots, SIV, LFM, IRT

Prerequisites
To be able to understand this lesson, students need notions on:
• Network architecture
• Iptables

Cycle: Master – Semester 2 - SLED, Academic Year 2016/2017



Keywords

Intrusion detection, intrusion prevention, Monitoring, Reconnaissance, Physical Intrusion, Denial of Service, Anomaly-based detection, behavior-based detection, Signature-based detection, misuse-based detection, Hybrid detection, System Integrity Verifiers, Log File Monitors, Honeypots, Incident Response Team, Network-Based Intrusion Prevention Systems, Host-Based Intrusion Prevention Systems




Literature

Kizza, J. M.: Guide to Computer Network Security, Third Edition. Computer Communications and Networks. Springer, 2015.
Stallings, W.: Cryptography and Network Security: Principles and Practice, Sixth Edition. Pearson, USA, 2014.

Further readings




1. Definitions

Intrusion detection is a technique of detecting unauthorized access to a computer system or a computer network.

Intrusion detection passively detects system intrusions, whereas intrusion prevention actively filters network traffic to prevent intrusion attempts.

An intrusion into a system is an attempt by an outsider to the system to illegally gain access to the system.

Intrusion prevention, on the other hand, is the art of preventing unauthorized access to a system's resources.




2. Concepts (1)

James Anderson (1980), Computer Security Threat Monitoring and Surveillance, classifies intrusions into six types:
• Attempted break-ins, which are detected by atypical behavior profiles or violations of security constraints. An intrusion detection system for this type is called an anomaly-based IDS.
• Masquerade attacks, which are detected by atypical behavior profiles or violations of security constraints. These intrusions are also detected using anomaly-based IDS.
• Penetrations of the security control system, which are detected by monitoring for specific patterns of activity.
• Leakage, which is detected by atypical use of system resources.
• Denial of service, which is detected by atypical use of system resources.
• Malicious use, which is detected by atypical behavior profiles, violations of security constraints, or use of special privileges.

The Intrusion Process into a System
• Reconnaissance: the process of gathering information about the target system, the details of its workings and its weak points.
• Physical Intrusion: intruders can also enter an organization's network masquerading as legitimate users, then escalate their privileges.
• Denial of Service: the intruder attempts to crash a service (or the machine), overload network links, overload the CPU, or fill up the disk.

The Dangers of System Intrusions: Loss of personal data - Compromised privacy - Legal liability




3. Concepts (2)

Greek legend of the Trojan horse.
Now: dogs, flood lights, … to be able to detect intrusions.

Unlike anomaly detection, where we labelled every intrusive activity anomalous, the misuse detection concept assumes that each intrusive activity is representable by a unique pattern or signature, so that slight variations of the same activity produce a new signature and therefore can also be detected.

Three models of intrusion detection mechanisms:
• Anomaly-based detection or behavior-based detection: the focus is on detecting behavior that is not normal, i.e. not consistent with normal behavior. Theoretically, this type of detection requires a list of what is normal behaviour; in most environments this is not possible, however, so in real-life models the list is determined from either historical or empirical data. Also known as rule-based detection because it uses rules. Profiles are kept per user, group, resource and executable. Computationally expensive -> Machine Learning.

• Signature-based detection or misuse-based detection: the focus is on the signatures of known activities. This model also requires a list of all known unacceptable actions or misuse signatures. Since there is an infinite number of things that can be classified as misuse, it is not possible to put all of them on the list and still keep it manageable, so misuse is grouped into classes (unauthorized access, unauthorized modification, denial of service). Using these classifications, it is then possible to have a controlled list of misuse whose signatures can be determined. Hint: can detect only previously known attacks.

• Hybrid detection: because of the difficulties with both anomaly-based and signature-based detection, a hybrid model is being developed.




4. Types - Network-Based Intrusion Detection Systems (NIDSs) (1)

• They have the whole network as their monitoring scope.
• They monitor the traffic on the network to detect intrusions.
• They are responsible for detecting anomalous, inappropriate, or other data occurring on a network that may be considered unauthorized and harmful.
• They can run either as an independent stand-alone machine that promiscuously watches over all network traffic, or on the target machine itself, watching over only that machine's own traffic.

Firewall vs NIDS
Firewalls are configured to allow or deny access to a particular service or host based on a set of rules. Only when the traffic matches an acceptable pattern is it permitted to proceed, regardless of what the packet contains.

A NIDS, by contrast, captures and inspects every packet destined to the network regardless of whether it is permitted or not. If the packet signature, based on the contents of the packet, is not among the acceptable signatures, then an alert is generated.




5. Types - Network-Based Intrusion Detection Systems (NIDSs) (2)

Network Tap/Load Balancer: gathers data from the network and distributes it to all network sensors.

Network Sensor/Monitoring: the sensors (agents or programs) receive traffic from the balancer and separate it into suspicious and normal traffic. They are either anomaly based or signature based.

Analyzer: receives data from the sensors and determines the threat level based on the nature and threat of the suspicious traffic. The traffic is then classified as either safe or an attack.

Alert Notifier: contacts the security officer responsible for handling incidents whenever a threat is severe enough according to the organization's security policy.

Command Console/Manager: acts as the central command authority for controlling the entire system.

Response Subsystem: provides the capabilities to take action based on threats to the target systems, such as reconfiguring a router or a firewall and shutting down a connection.

Database: the knowledge repository for all that the intrusion detection system has observed. This can include both behavioral and misuse statistics.

6. Types - Host-Based Intrusion Detection Systems (HIDS) (1)

Technique of detecting malicious activities on a single computer.

A host-based intrusion detection system is, therefore, deployed on a single target computer, and it uses software that monitors operating-system-specific logs, including the system, event, and security logs on Windows systems and syslog in Unix environments, to detect sudden changes in these logs. When a change is detected in any of these files, the HIDS compares the new log entry with its configured attack signatures to see if there is a match. If a match is detected, this signals the presence of an illegitimate activity.

The biggest problem with HIDSs is that, given the amount of log data generated, the analysis of such raw data puts significant overhead not only on the processing power needed to analyze it but also on the security staff needed to review it.
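The three detection models from Concepts (2) and the HIDS log-matching step described above, as an added worked example that is not part of the original slides. The key=value log format, the two signature names and all sample events are constructed for the demonstration; the anomaly engine learns each user's usual source addresses and login hours from a set of historical lines, the signature engine matches fixed patterns on the raw line, and the hybrid runs both and tags each alert with whichever engine fired.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the slides): known-good history used to learn
# the anomaly profiles, and the new entries the IDS has to classify.
HISTORICAL = [
    "2017-03-06T09:02:11 user=alice src=10.0.0.5 action=login result=ok",
    "2017-03-07T09:10:44 user=alice src=10.0.0.5 action=login result=ok",
    "2017-03-06T14:30:01 user=bob src=10.0.0.9 action=login result=ok",
    "2017-03-08T15:05:37 user=bob src=10.0.0.9 action=login result=ok",
]

NEW_EVENTS = [
    "2017-03-12T09:15:02 user=alice src=10.0.0.5 action=login result=ok",
    "2017-03-12T03:40:19 user=alice src=203.0.113.7 action=login result=ok",
    "2017-03-12T14:12:55 user=bob src=10.0.0.9 action=read path=/etc/shadow",
    "2017-03-12T14:13:30 user=bob src=10.0.0.9 action=login result=ok",
    "2017-03-12T02:01:09 user=root src=198.51.100.2 action=login result=ok",
]

# Misuse signatures: one pattern per known-bad activity (hypothetical rule names).
SIGNATURES = {
    "remote-root-login": re.compile(r"\buser=root\b.*\baction=login\b"),
    "shadow-file-read": re.compile(r"\baction=read\b.*\bpath=/etc/shadow\b"),
}


def parse(line):
    """Split 'timestamp key=value ...' into a dict; 'hour' is the hour of day as an int."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["hour"] = int(ts[11:13])
    return fields


def build_profiles(lines):
    """Anomaly model: per user, the source addresses and login hours seen in the history."""
    profiles = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for line in lines:
        ev = parse(line)
        profiles[ev["user"]]["srcs"].add(ev["src"])
        profiles[ev["user"]]["hours"].add(ev["hour"])
    return profiles


def signature_detect(line):
    """Misuse detection: names of every signature the raw line matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(line)]


def anomaly_detect(event, profiles):
    """Behaviour detection: reasons the event deviates from the user's learned profile."""
    if event["user"] not in profiles:
        return ["unknown user %s" % event["user"]]
    prof = profiles[event["user"]]
    reasons = []
    if event["src"] not in prof["srcs"]:
        reasons.append("unusual source %s" % event["src"])
    if event["hour"] not in prof["hours"]:
        reasons.append("unusual hour %02d" % event["hour"])
    return reasons


def hybrid_detect(lines, profiles):
    """Hybrid model: one alert per line, recording which engine(s) fired on it."""
    alerts = []
    for i, line in enumerate(lines):
        sigs = signature_detect(line)
        anomalies = anomaly_detect(parse(line), profiles)
        if sigs or anomalies:
            alerts.append({"line": i, "signatures": sigs, "anomalies": anomalies})
    return alerts


if __name__ == "__main__":
    learned = build_profiles(HISTORICAL)
    for alert in hybrid_detect(NEW_EVENTS, learned):
        print(NEW_EVENTS[alert["line"]])
        print("   signatures:", alert["signatures"], "anomalies:", alert["anomalies"])
```

Run on the sample, the root login is caught by both engines, alice's off-hours login from a new address only by the anomaly engine (no signature list has an entry for it), and bob's read of /etc/shadow only by the signature engine (his profile covers that hour and address, so behaviourally it looks normal). The gap between the two lists is what the hybrid model is meant to close, and the per-line re-parsing is the kind of processing overhead the HIDS slide warns about.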




7. Types - The Hybrid Intrusion Detection System (2)

There is a need for both NIDS and HIDS, each patrolling its own area of the network for unwanted and illegal network traffic.

There is a need to make these two intrusion detection systems complement each other.




8. Types – Others (1)

System Integrity Verifiers (SIVs)
They monitor critical files in a system, such as system files, to find whether an intruder has changed them. They can also detect other system components' data; for example, they detect when a normal user somehow acquires root/administrator level privileges. In addition, they also monitor system registries in order to find well-known signatures.

Log File Monitors (LFM)
Log file monitors (LFMs) first create a record of log files generated by network services. Then they monitor this record, just like NIDS, looking for system trends, tendencies, and patterns in the log files that would suggest that an intruder is attacking.

Honeypots
A honeypot is a system designed to look like something that an intruder can hack. They are built for many purposes, but the overriding one is to deceive attackers and learn about their tools and methods. Honeypots are also add-on tools that are not strictly sniffer-based intrusion detection systems like HIDS and NIDS.




9. Types – Others (2)

Honeypots
• The simplest honeypot is a port monitor, a simple socket-based program that opens up a listening port. The program can listen on any designated port.
• NukeNabber, for Windows, listens on ports typically scanned for by hackers. It then alerts the administrator whenever such designated ports are being scanned.
• The second type of honeypot is the deception system, which, instead of listening quietly on a port, interacts with the intruder, responding to him or her as if it were a real server with that port number.
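A port-monitor honeypot of the first kind described above, as an added example that is neither the slides' material nor NukeNabber's code. `WATCHED_PORTS`, the threshold and the window are constructed values (unprivileged ports, so the demo runs without root); the listener accepts connections on ports nothing real serves, closes them without sending a byte, and `ScanDetector` raises an alert when one source touches several watched ports within the window. `main()` binds real sockets; `ScanDetector` can be exercised on its own with recorded events.

```python
import socket
import threading
import time
from collections import defaultdict, deque

# Constructed configuration: decoy ports that no real service on this host uses.
WATCHED_PORTS = [2323, 8022, 13389]
SCAN_THRESHOLD = 3    # distinct watched ports touched by one source ...
SCAN_WINDOW = 60.0    # ... within this many seconds counts as a scan


class ScanDetector:
    """Keeps a sliding window of connection attempts per source address."""

    def __init__(self, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)  # src ip -> deque of (timestamp, port)

    def record(self, src_ip, port, now):
        """Log one attempt; return an alert dict when the source looks like a scanner, else None."""
        q = self.hits[src_ip]
        q.append((now, port))
        while q and now - q[0][0] > self.window:   # forget attempts outside the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= self.threshold:
            return {"src": src_ip, "ports": sorted(ports), "attempts": len(q)}
        return None


def serve_port(port, detector, lock):
    """Accept connections on one decoy port, record them, and never answer with any data."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(5)
    while True:
        conn, (src_ip, _) = srv.accept()
        conn.close()
        with lock:
            alert = detector.record(src_ip, port, time.time())
        print(f"{time.strftime('%H:%M:%S')} connection from {src_ip} to decoy port {port}")
        if alert:
            print("SCAN ALERT", alert)  # a real monitor would page the administrator here


def main():
    detector = ScanDetector()
    lock = threading.Lock()
    for port in WATCHED_PORTS:
        threading.Thread(target=serve_port, args=(port, detector, lock), daemon=True).start()
    print("port monitor listening on", WATCHED_PORTS)
    threading.Event().wait()  # run until killed


if __name__ == "__main__":
    main()
```

Because nothing legitimate ever connects to a decoy port, every single connection is already a signal worth logging; the threshold only decides when a stream of them becomes an alert rather than a log line.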




10. Types - Response to System Intrusion

A good intrusion detection system alert should produce a corresponding response. The type of response is relative to the type of attack.

IDS Logs as Evidence

Incident Response Team
An incident response team (IRT) is a primary and centralized group of dedicated people charged with the responsibility of being the first contact team whenever an incident occurs.




11. Intrusion Prevention Systems (IPSs)

IPSs fall into two categories: network based and host based.

Network-Based Intrusion Prevention Systems (NIPSs)

Host-Based Intrusion Prevention Systems (HIPSs)




12. Intrusion Detection Tools


Several other commercial and freeware IDS
and scanning tools

• NetFlow
• Tripwire
• TCPdump
• Snort
• Portsentry
• Dragon IDS
• TCP Wrappers
• RealSecure
• Shadow
• NetProwler




13. Exercises

1. Are IDSs similar to firewalls?
2. Why are system intrusions dangerous?
3. Discuss the best approaches to implementing an effective IDS.
4. Can system intrusions be stopped? Support your response.
5. For a system without a DMZ, where is the best area in the network to install a honeypot?
6. Why are honeypots important to a network? Discuss the disadvantages of having a honeypot in the network.
7. Discuss three approaches of acquiring information needed to penetrate a network.
8. Discuss ways a system administrator can reduce system scanning by hackers.
9. Discuss the benefits of system scanning.
10. Discuss as many effective ways of responding to a system intrusion as possible. What are the best? Most
implementable? Most cost effective?
