Source: Shodhganga, shodhganga.inflibnet.ac.in/bitstream/10603/3650/13/13_chapter 2.pdf

CHAPTER 2

LITERATURE SURVEY

This chapter presents some of the existing intrusion detection techniques that could provide high accuracy, a low false positive rate and a reduced number of features. It also covers a detailed analysis of the various intrusion detection tools available for detecting intrusions in WLAN. This work identifies a number of important design and implementation issues, which provide a framework for evaluating or deploying commercial intrusion detection systems.

2.1 Introduction

Several information security techniques are available today to protect information systems against unauthorized use, duplication, alteration, destruction and virus attacks. An Intrusion Detection System (IDS) is a program that analyzes what happens or has happened during an execution and tries to find indications that the computer has been misused. There is an abundant literature on intrusion detection systems, and several IDS approaches have been proposed since the origins of this technology [1-4, 61], as mentioned in Kabiri and Ghorbani [61] and in Abraham [1, 2, 3, 4]. Two highly relevant works in this direction are given by Denning [27] and Verwoerd [102]. Dorothy Denning [27] proposed the concept of intrusion detection as a solution to the problem of providing a sense of security in computer systems. The basic idea is that intrusion behavior involves abnormal usage of the system. Different techniques and approaches have been used in later developments. Some of the techniques used are statistical approaches, predictive pattern generation, expert systems, keystroke monitoring, state transition analysis, pattern matching, and data mining techniques. Since 1970, several people have reviewed the state of the art, including: Anantvalee [7], Kabiri [61], Bass [16], Jeyanthi and Michel [50, 51, 52], Yang [105], Adam [5], Lee [68], Mukherjee et al. [80], S. Kumar and Lakhotia [96], and Lee et al. [103]. The best reviews are those that present an unbiased, thorough review of the literature, and/or provide a good taxonomy for describing different intrusion detection methods. Examples of such reviews include those by Axelsson [12], Debar [26] and Almgren [6]; Hall and Jackson wrote an excellent in-depth survey of commercial products. Brumley et al. reviewed defenses against worms [21].

2.2 Evolution of Intrusion Detection

Several people have reviewed the state of the art, including:

Table 2.1: Evolution of Intrusion Detection (S. No., Citation: Main Contribution)

1. James Anderson, 1980: The genesis of intrusion detection, commencing with James Anderson's technical report, Computer Security Threat Monitoring and Surveillance, for the U.S. Air Force. The paper showed that audit records could be used to identify computer misuse and to identify threat classifications, and it offered suggestions to improve auditing of systems to identify misuse. It is based on the beliefs that an intruder's behavior will be noticeably different from that of a legitimate user and that many unauthorized actions will be detectable.

2. Dr. Dorothy Denning, 1985: This paper introduces a prototype that would analyze audit trails from government systems and track user activity. The system was named the Intrusion Detection Expert System (IDES), and it was the foundational research into IDS technology.

3. Dr. Dorothy Denning, 1986: This paper presents the first intrusion detection model, which has six main components: subjects, objects, audit records, profiles, anomaly records, and activity rules. Subjects refer to the initiators of activity in an information system; they are usually normal users. Objects are the resources managed by the information system, such as files, commands and devices. Audit records are those generated by the information system in response to actions performed or attempted by subjects on objects.

4. Dr. Dorothy Denning, 1987: This paper presents the profile of behavioral analysis. Behavioral analysis looks for deviations from the type of behavior that has been statistically baselined, such as relationships in packets and in what is being sent over a network.

6. Haystack, 1988: This paper introduces a combined anomaly detection/misuse detection IDS that models individual users as well as groups of users. It assigns an initial profile to new users, and updates the profiles once a pattern of actual behavior is recognized. Haystack used a different statistical anomaly detection algorithm.

7. Lunt, T.F., 1988: In this paper, a survey of automated audit trail analysis techniques and intrusion detection systems was presented. Lunt uses a combination of two approaches in IDES (Intrusion Detection Expert System) to obtain a strong intrusion detection system. IDES is strong in the statistical approach.

8. Todd Heberlein, 1989: An IDS called Network System Monitor (NSM) was introduced by Todd Heberlein. NSM was different from IDES and DIDS (Distributed Intrusion Detection System) in that it would analyze network traffic rather than system logs. NSM, along with the now commercially available Stalker IDS, helped to create new awareness and interest in IDS research for the commercial and public sectors.

9. Marcus J. Ranum, 1990: This paper presents a commercial IDS called Network Flight Recorder (NFR). Christopher Klaus and Thomas E. Noonan founded Internet Security Systems (ISS) and released a network-based intrusion-detection system called RealSecure.

10. Teng, Chen and Lu, 1990: This paper introduces the use of a time-based inductive machine (TIM) to capture a user's behavior pattern. As a general-purpose tool, TIM discovers temporal sequential patterns in a sequence of events. The sequential patterns represent highly repetitive activities and are expected to provide prediction. The temporal patterns, which are represented in the form of rules, are generated and modified from the input data using a logical inference called inductive generalization. When applied to intrusion detection, the rules describe the behavior patterns of either a user or a group of users based on past audit history.

11. Mukherjee, B., Heberlein, L., and Levitt, K., 1994: This paper surveyed several host-based and network-based IDSs and identified the characteristics of the corresponding systems. The host-based systems employ the host operating system's audit trails as the main source of input to detect intrusive activity, while most of the network-based IDSs build their detection mechanism by monitoring network traffic, and some employ host audit trails as well. An outline of a statistical anomaly detection algorithm employed in a typical IDS is also included [80].

12. Anderson, D., Lunt, T.F., Javitz, H., Tamaru, A., and Valdes, 1995: This report presents the findings of the System Research Institute's (SRI) analysis of the Network Intrusion-Detection Expert System (NIDES). The statistical analysis helped to detect unauthorized application execution based on system-level audit trails.

13. Sundaram, A., 1996: An overview of intrusion detection concepts and taxonomy was given. Next, it introduces and discusses several commercial and public-domain IDSs available. This paper also describes recent developments in conventional intrusion detection: distributed, modular systems which include both anomaly and misuse detection. A peek at the new breed of pro-active, preventative tools, the so-called Delphic tools that identify threats and risks in the very early attack stages, was also given.

14. Axelsson, S., 1998: This paper describes the concept of intrusion detection in local area networks connected to the Internet. The intrusion detection techniques and vulnerabilities in intrusion detection systems (IDS) and also intrusion detection and response (IDR) systems were explored. A distinction is made between host-based and network-based intrusion systems. The network security standards, general connectivity and compatibility requirements of IDS are also discussed.

15. Lane and Brodley, 1998: This paper introduces the application of instance based learning (IBL) to learn entities' (e.g., users') normal behavior from temporal sequence data. IBL represents a concept of interest with a set of instances that illustrate the concept. The set of instances is called the instance dictionary. A new instance is classified according to its relation to stored instances. IBL requires a notion of "distance" between the instances so that the similarity of different instances can be measured and used to classify the instances.

16. Lee, W., Stolfo, S. and Mok, K., 1999: In this paper, a data mining framework for adaptively building Intrusion Detection (ID) models was described. The central idea was to utilize auditing programs to extract an extensive set of features that describe each network

17. Allen, J., Christie, A., and Stoner, 2000: This paper presents a comprehensive survey of anomaly detection systems and hybrid intrusion detection systems. The recent technological trends in anomaly detection were also discussed, and open problems and challenges in this area were identified.

18. Debar, H., Dacier, M., and Wespi, 2000: This paper discussed a taxonomy of intrusion-detection systems that highlights the various aspects of this area. This taxonomy divides families of intrusion-detection systems according to their properties.

19. Alessandri, D., 2001: This paper presents how the combination of the taxonomy introduced and the notion of activity scope provides a flexible and practical instrument to describe intrusion detection systems. This taxonomy has been developed to describe the functional aspects, i.e., the capabilities of intrusion detection systems, such that one can in a next step evaluate intrusion detection systems for their potential to detect attacks, generate false positives, etc.

20. Axelsson, S., 2002: A taxonomy of intrusion detection systems was presented. The taxonomy consists of a classification first of the detection principle, and second of certain operational aspects of the intrusion detection system. The systems are also grouped according to the increasing difficulty of the problem they attempt to address. These classifications are used predicatively, pointing towards a number of areas of future research in the field of intrusion detection.

21. Bai, Y., and Kobayashi, H., 2003: In this paper a survey on major challenges to ID technology was presented. It is involved with several main aspects of ID technology. Analyses of intrusion detection techniques and data collection techniques are emphasized. Some novel developments in ID systems, such as data mining based ID systems and data fusion based ID systems, were also discussed. Current ID technology faces powerful challenges.

22. Giovanni et al., 2004: The mobile ad hoc network routing protocols that are highly vulnerable to subversion were presented. In particular, some attacks against the routing and some threats to wireless ad hoc networks are discussed. This paper also presents a tool which aims at the real-time detection of these attacks. The tool observes the network packets to detect local and distributed attacks within its radio range.

23. Yu Chen, Yu-Kwong Kwok, and Kai Hwang, 2005: This paper presents a new signal-processing approach to identify and detect attacks (by examining the frequency domain characteristics of incoming traffic flows to a server). This technique is effective in that its detection time is less than a few seconds. Furthermore, this technique entails simple implementation, making it deployable in real-life network environments.

24. Phillip Brooke, 2006: This paper presents a new IDS framework for mobile ad hoc network (MANET) environments based upon the concept of a friend in the small world phenomenon. The two-tier IDS framework has been designed to overcome longer detection mechanisms and detection suffering from the potential for blackmail attackers and false accusations, with the help of friend nodes. It is hypothesized that with the introduction of friend nodes, the impacts of the IDS problems can be minimized. It is noted that the proposed framework would not be able to work on diverse MANET environments.

25. Jeyanthi Hall, 2007: This paper demonstrates an anomaly-based intrusion detection approach, which incorporates radio frequency fingerprinting (RFF) and Hotelling's T², a multivariate statistical process control technique, for detecting this attack (MAC address spoofing). RFF is a technique used to uniquely identify a transceiver based on the transceiverprint (set of features) of the signal it generates. The approach is to associate a transceiver profile of a wireless device with its corresponding MAC address. Hence, although the MAC address can still be spoofed, the transceiverprints from the illegitimate device would not match the profile of the legitimate device. Moreover, the success rate of a wireless IDS can be further improved by analyzing multiple chronologically ordered transceiverprints prior to rendering a decision.

26. Eduardo Mosqueira-Rey et al., 2007: This paper described the design of a misuse detection agent, which is one of the different agents in a multiagent-based intrusion detection system. Using a packet sniffer, the agent examines the packets in the network connections and creates a data model based on the information obtained.

27. Magnus Almgren, Ulf Lindqvist, and Erland Jonsson, 2008: This paper investigated the procedure to use the alerts from many audit sources to improve the accuracy of the intrusion detection system (IDS). A theoretical model was designed to reason automatically about the alerts from the different sensors, concentrating on web server attacks. It also provides security operators with a better understanding of possible attacks against their systems.

28. Naeimeh Laleh and Mohammad Abdollahi Azgomi, 2009: This paper discussed fraud, which is growing remarkably with the growth of modern technology and the universal superhighways of communication, and which results in the loss of billions of dollars throughout the world each year. This work proposes a new taxonomy and complete review of the different types of fraud and of the data mining techniques for fraud detection.

29. Yurong Xu, James Ford, and Fillia Makedon, 2010: This paper introduces a distributed wormhole detection algorithm called Wormhole Geographic Distributed Detection (WGDD) that is based on detecting network disorder caused by the existence of a wormhole. Since wormhole attacks are passive, this algorithm uses a hop-counting technique as a probe procedure to detect wormhole attacks, then reconstructs local maps in each node. After that, it uses a feature called "diameter" to detect abnormalities caused by wormholes. The main advantage of using a distributed wormhole detection algorithm is that it provides the approximate location of a wormhole, which may be useful information for further defense mechanisms.

2.3 Gaps in Existing Research Literature

Most of the research has been carried out on signature based techniques. More effort is required on anomaly detection techniques, especially for WLAN.

The exact design considerations for an efficient technique for monitoring, detecting and responding to the various security breaches of the WLAN have not been accounted for so far, to the author's knowledge.

2.4 Classification of Intrusion Detection System

In the literature, two classification systems for different intrusion detection systems have been developed: host based IDS and network based IDS [12, 57].

2.4.1 HOST-BASED INTRUSION DETECTION

A host based IDS resides on the system being monitored and tracks changes made to important files and directories [40]. It takes a snapshot of existing system files and matches it to the previous snapshot. If critical system files were modified or deleted, an alert is sent to the administrator to investigate. Zirkle described host-based IDS as "loading a piece of software on the system to be monitored" [44]. This software, which is generally defined as either host wrappers/personal firewalls or agent-based software [72], performs the following:

i. Uses log files and/or the system's auditing agents as sources of data, and also traffic in and out of a single computer.

ii. Checks the integrity of system files, and watches for suspicious processes, including changes to system files and user privileges.

2.4.2 NETWORK-BASED INTRUSION DETECTION

A network-based intrusion detection system (IDS) monitors and analyzes the traffic on its network segment to detect intrusion attempts. An IDS can be made of many sensors, each sensor being in charge of monitoring the traffic passing through its own segment [45]. The sensors cannot monitor anything outside their own segment or switch. Northcutt [6] described a network based intrusion detection system (NIDS) as an ID system that monitors the traffic on its network segment as a data source. Implementation requires:

i. The network interface card is placed in promiscuous mode to capture all network traffic that crosses its network segment, including packets traveling on that network segment.

ii. A sensor, which monitors the traffic; its objective is to determine if the packet flow matches a known signature.

iii. Three kinds of signatures are particularly important: first, string signatures, which look for a text string that indicates a possible attack; second, port signatures, which simply watch for connection attempts to well known, frequently attacked ports; third, header signatures, which watch for dangerous or illogical combinations in packet headers.
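The three signature classes of item iii, as an added example that is not code from any product the chapter analyzes: each captured packet is reduced to the fields the signatures inspect, and the sensor logic reports string, port and header matches per packet. The packets, signature strings and watched ports are constructed for the example and are assumptions, not a recommended rule set.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The fields of a captured packet that the three signature classes inspect."""
    src: str
    dst: str
    dport: int
    flags: frozenset  # TCP flag names set in the header, e.g. frozenset({"SYN"})
    payload: bytes = b""


# String signatures: text whose presence in a payload indicates a possible attack.
STRING_SIGS = {"dir-traversal": b"../../", "shell-path": b"/bin/sh"}

# Port signatures: connection attempts (bare SYN) to well known, frequently attacked ports.
PORT_SIGS = {23: "telnet", 139: "netbios", 445: "smb"}


def header_signatures(pkt):
    """Header signatures: flag or address combinations a normal TCP stack never produces."""
    hits = []
    if {"SYN", "FIN"} <= pkt.flags:
        hits.append("syn+fin")
    if not pkt.flags:
        hits.append("no-flags")
    if pkt.src == pkt.dst:
        hits.append("src==dst")
    return hits


def match(pkt):
    """Return the signature names one packet matches, in string/port/header order."""
    alerts = [f"string:{name}" for name, pat in STRING_SIGS.items() if pat in pkt.payload]
    if pkt.flags == {"SYN"} and pkt.dport in PORT_SIGS:
        alerts.append(f"port:{PORT_SIGS[pkt.dport]}")
    alerts.extend(f"header:{h}" for h in header_signatures(pkt))
    return alerts


def scan(packets):
    """Sensor loop over one segment's capture: {packet index: alerts} for packets that matched."""
    report = {}
    for i, pkt in enumerate(packets):
        alerts = match(pkt)
        if alerts:
            report[i] = alerts
    return report


# Constructed capture from one segment (addresses and payloads are made up for the example).
SAMPLE_CAPTURE = [
    Packet("10.0.0.5", "10.0.0.80", 80, frozenset({"ACK", "PSH"}), b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.5", "10.0.0.80", 80, frozenset({"ACK", "PSH"}), b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("10.0.0.9", "10.0.0.80", 23, frozenset({"SYN"})),
    Packet("10.0.0.9", "10.0.0.80", 22, frozenset({"SYN", "FIN"})),
    Packet("10.0.0.80", "10.0.0.80", 139, frozenset({"SYN"})),
]

if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_CAPTURE).items():
        print(idx, alerts)
```

The first packet is ordinary traffic and produces no alert; the last one matches both a port and a header signature, which is why the report keeps a list per packet rather than a single label.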

2.5 Misuse and Anomaly Based Detection

2.5.1 Misuse based detection

Misuse detection systems are also known as signature-based or knowledge-based systems. They follow the same principle as most anti-virus software and rely on the knowledge accumulated about previous attacks and vulnerabilities to detect intrusion attempts [47, 65]. Misuse detection systems compare the current activities of the host or the network monitored with "signatures" of known attacks. If the current activities match any of the known signatures, an alarm is triggered [96].

2.5.1.1. Advantages and Limitations:

i. Low Rate of False Alarms: The main advantage of misuse detection systems is their ability to detect known attacks and their relatively low false alarm rate when rules are correctly defined. It is important to note that, as said above, the signatures which are used in rules must be as specific as possible to prevent false alarms [47].

ii. Only Known Attacks Detected: The foremost drawback of misuse detection systems is their complete inability to detect unknown attacks.

2.5.2 Anomaly based detection

Anomaly detection systems are also known as behavior-based systems. They rely on the fact that intrusions can be detected by observing deviations from the expected behaviors of the system monitored [32]. These "normal" behaviors can either correspond to some observations made in the past or to some forecasts made by various techniques. Everything that does not correspond to this "normal" pattern will be flagged as anomalous. Therefore, the core process of anomaly detection is not to learn what is anomalous but to learn what is normal or expected [67, 96, 113].

2.5.2.1 Advantages and Limitations:

i. Unknown Attacks Detection: The main advantage of anomaly detection systems is that, contrary to misuse detection systems, they can detect unknown or novel attacks. They do not rely on any a priori knowledge concerning the intrusions. It is also important to note that the main purpose of anomaly detection systems is not to replace misuse detection systems. The very good efficiency of misuse systems in detecting known attacks makes them a perfect complement to anomaly detection systems.

ii. High Rate of False Alarms: Two factors may lead to a very high rate of false alarms or to a very poor accuracy of anomaly detection systems.
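An added illustration of learning what is normal rather than what is anomalous, which also realizes the Hotelling's T² profile idea from entry 25 of Table 2.1 (it is not code from any work cited here): a per-device profile is fitted from baseline transceiverprints only, new prints are scored by T², and a decision over several chronologically ordered prints reduces single-print false alarms. The feature values, the MAC address and the empirical threshold (a margin over the baseline's own largest score instead of the F-distribution critical value) are assumptions.

```python
import random


def mean_vector(rows):
    """Column means of equal-length feature vectors."""
    n = len(rows)
    return [sum(r[j] for r in rows) / n for j in range(len(rows[0]))]


def covariance(rows, mu):
    """Sample covariance matrix S (divides by n - 1)."""
    d, n = len(mu), len(rows)
    cov = [[0.0] * d for _ in range(d)]
    for r in rows:
        dev = [r[j] - mu[j] for j in range(d)]
        for a in range(d):
            for b in range(d):
                cov[a][b] += dev[a] * dev[b]
    return [[c / (n - 1) for c in row] for row in cov]


def invert(m):
    """Gauss-Jordan inverse with partial pivoting; adequate for a handful of features."""
    d = len(m)
    aug = [list(row) + [float(i == j) for j in range(d)] for i, row in enumerate(m)]
    for col in range(d):
        pivot = max(range(col, d), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular covariance: more baseline samples or fewer features needed")
        aug[col] = [v / p for v in aug[col]]
        for r in range(d):
            if r != col:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [row[d:] for row in aug]


def hotelling_t2(x, mu, s_inv):
    """T^2 = (x - mu)^T S^-1 (x - mu): squared distance from the profile, scaled by its spread."""
    dev = [xi - mi for xi, mi in zip(x, mu)]
    d = len(dev)
    return sum(dev[a] * s_inv[a][b] * dev[b] for a in range(d) for b in range(d))


class TransceiverProfile:
    """Normal profile of one radio, learned from its own baseline prints only (no attack data)."""

    def __init__(self, baseline, margin=1.5):
        self.mu = mean_vector(baseline)
        self.s_inv = invert(covariance(baseline, self.mu))
        # Assumption: the alarm threshold is a margin over the largest T^2 seen in the
        # baseline itself, not the F-distribution critical value used in the SPC literature.
        self.threshold = margin * max(hotelling_t2(x, self.mu, self.s_inv) for x in baseline)

    def score(self, x):
        return hotelling_t2(x, self.mu, self.s_inv)

    def is_anomalous(self, x):
        return self.score(x) > self.threshold

    def decide(self, prints, k):
        """Flag the device only if at least k of the chronologically ordered prints are anomalous."""
        return sum(self.is_anomalous(x) for x in prints) >= k


def constructed_baseline(n=40, seed=7):
    """Constructed transceiverprints (carrier offset Hz, power dBm, rise time us) of one radio."""
    rng = random.Random(seed)
    return [(rng.gauss(1200, 30), rng.gauss(-52.0, 1.5), rng.gauss(0.80, 0.05)) for _ in range(n)]


# Constructed frames claiming the same MAC address: the first list comes from the real radio,
# the second from a different radio that has spoofed the address.
LEGIT_PRINTS = [(1215.0, -51.5, 0.82), (1190.0, -52.8, 0.77), (1230.0, -53.0, 0.85)]
SPOOF_PRINTS = [(1650.0, -47.0, 1.30), (1640.0, -46.5, 1.25), (1660.0, -47.2, 1.33)]


def demo():
    """Build the profile keyed by MAC address and judge both frame sequences (2 of 3 hits needed)."""
    profiles = {"00:11:22:33:44:55": TransceiverProfile(constructed_baseline())}
    prof = profiles["00:11:22:33:44:55"]
    return prof.decide(LEGIT_PRINTS, k=2), prof.decide(SPOOF_PRINTS, k=2)


if __name__ == "__main__":
    print("legit flagged, spoof flagged:", demo())
```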

2.6 WLAN SECURITY

Wireless Local Area Networks have gained tremendous popularity across the computer network market over the years. However, the threats and security fears associated with them have caused some network managers and administrators to avoid installing wireless LANs, regardless of the numerous benefits that they provide [82, 83]. Several manufacturers understand the fears, uncertainties and doubts caused by the security problems of the Wireless Local Area Network. Several security measures have been proposed by these manufacturers and some of them have been taken up in IEEE 802.11 [78].

2.7 WLAN Technologies and Standards

This study focuses specifically on the existing industry standard IEEE 802.11 as the representative example of the WLAN family of technologies [10, 12].

2.7.1 Radio Frequency Technology

RF has become the de facto technology for the majority of today's WLANs. Radio signals can travel in all directions for distances ranging from a few meters to several kilometers. These characteristics can be very practical in situations where wide or long-range coverage is required, but they become problematic when the signal's propagation needs to be limited. The fact that the destination of radio signals cannot be precisely controlled makes this medium the most vulnerable to undetected interception and exploitation. All unprotected radio traffic can be monitored with widely available radio equipment by anyone located within the range of the transmitter; however, it is important to note that amplifiers and specialized antennas can also be used solely at the receiver site to increase the effective range of radio signals, therefore simply controlling the transmitter power is not sufficient to limit the propagation of signals [50, 51, 52].

2.7.2 Spread Spectrum

The development of spread-spectrum communications technology has been claimed to have alleviated the vulnerabilities of standard RF transmission. Unlike narrowband systems that transmit a powerful signal on a single frequency, spread-spectrum systems transmit a low power signal over a broad range of frequencies. The signal is spread according to pre-established parameters or patterns that must also be known by the receiver so that it can recover the signal. This transmission technique provides more resistance to noise and interference and is less vulnerable to jamming and casual interception. In the case of WLANs, the hardware must be aware of the signal spreading parameters in order to receive a spread-spectrum signal, so these parameters are pre-programmed into the hardware chipsets used to build these products [51].

Several signal-spreading schemes have been developed, but the methods that prevail in the WLAN domain are:

Frequency Hopping Spread Spectrum (FHSS)

Direct Sequence Spread Spectrum (DSSS) and

Orthogonal Frequency Division Multiplexing (OFDM)

FHSS and DSSS are the original spread-spectrum technologies employed in 802.11 WLANs.

2.7.3. IEEE 802.11 Standard

In 1985, the U.S. Federal Communications Commission (FCC) decided to open the Industrial, Scientific, and Medical (ISM) bands, operating at 902 to 928 MHz, 2.4 to 2.483 GHz, and 5.725 to 5.875 GHz, for unlicensed public use [10]. This not only fulfilled a demand for commercial communication, but it also sparked the development of WLAN technology. In 1977, the Institute of Electrical and Electronics Engineers (IEEE) established the 802.11 WLAN standards to standardize wireless LAN products. This standard has since been adopted by the International Organization for Standardization / International Electrotechnical Commission (ISO/IEC). The IEEE 802.11 core specification addresses both the physical (PHY) and data link layers of the Open Systems Interconnection (OSI) basic reference model. The legacy standard proposed three (mutually incompatible) implementations for the physical layer: IR pulse modulation, RF signaling using Frequency Hopping Spread Spectrum (FHSS), and RF signaling using Direct Sequence Spread Spectrum (DSSS).

Historically, the first successful commercial 802.11 WLAN products were compliant with the 802.11b standard. Both the 802.11a and b amendments were actually adopted at the same time, but because 802.11b was less complex than 802.11a, products compliant with the 802.11b standard rapidly materialized, while products under 802.11a only reached the market in 2002. Since that time, the 802.11g amendment, which utilizes the same 2.4 GHz band as 802.11b but delivers faster and more robust connections as well as greater range, has come to dominate the market. The IEEE is responsible for developing the radio technology standards to be used by wireless LANs. These standards pertain to the 802 wireless standards, including 802.11, the first one that was developed, and several variations of it.

Each standard, though developed for wireless LANs, serves a different purpose for the LANs, due in part to hackers, as well as others who might challenge its security for the purpose of strengthening their own enterprise security. As vulnerabilities, or holes, are found they become public knowledge and the IEEE proceeds to update the standard.

2.7.4 IEEE 802.11 Task Groups Amendments

Core standard 802.11 WLANs based on IR transport were never commercially implemented, and the RF-based versions suffered from low transmission speed (2 Mbps). The IEEE later established several task groups to explore various improvements to the original 802.11 core standard.

2.7.4i. 802.11a Amendment: Task Group A explored the unlicensed 5.0 GHz frequency band, using Orthogonal Frequency Division Multiplexing (OFDM), working to achieve throughputs up to 54 Mbps. The 802.11a extension [31, 33] was completed in 1999 and in 2002 vendors began releasing products compliant with this extension. Because of the different operating band and modulation, the 802.11a standard is not backward compatible or interoperable with the 802.11b standard. Several vendors are marketing dual-band, multi-standard (802.11a and 802.11b/g) APs. 802.11a is currently licensed for use in North America and most European countries; however, commercial use of 802.11a has historically been quite limited. Recently, 802.11a has enjoyed somewhat of a resurgence in popularity due to the development of enterprise mesh infrastructure networks. In such networks, 802.11a is used for communications between APs, and 802.11b/g is used for communications between the AP and wireless clients.

2.7.4ii. 802.11b: Task Group B explored DSSS technology to boost data rates in the original 2.4 GHz band. The 802.11b extension [8], published in September 1999, delivers raw data rates up to 11 Mbps, which gave data rate parity with the popular 10 Mbps "10Base" wired LAN systems of the day. The majority of WLAN systems in the market today follow the 802.11b standard and it is accepted throughout North America, Europe and Asia.

2.7.4iii. 802.11g: Task Group G approved the development of the new extension to the 802.11 standard in November 2001; the resultant amendment was approved in 2003. 802.11g operates at 2.4 GHz with mandatory compatibility with 802.11b and uses the OFDM multicarrier modulation scheme to achieve a maximum data rate of 54 Mbps.

2.7.4iv. 802.11n Amendment: Task Group N is currently engaged in the development of the higher data rate extensions to the 802.11 standard. As with 802.11b and g, the 802.11n standard will operate at 2.4 GHz with mandatory compatibility with 802.11b/g and uses Orthogonal Frequency Division Multiplexing (OFDM) with MIMO techniques to achieve a maximum projected data rate of 248 Mbps. OFDM+MIMO utilizes the same basic modulation as 802.11g [8]. However, it utilizes multiple transceivers with advanced techniques to compensate for both the spatial and temporal variations of the RF channel, as well as the practice of "channel bonding", in order to greatly increase the range and raw data rate. 802.11n is still in the draft stage with an expected final approval in 2010; however, many "Pre-N" or "Draft-N" products have already been emerging in the market. Consumers are cautioned when purchasing such products because, as draft-based products, they are not subject to the same interoperability testing as full-standard compliant products. As such, they are not guaranteed to be compatible with the final standard, and may not be upgradeable [33].

2.8 Analysis of Intrusion Detection Tools for WLAN

Intrusion-detection systems aim at detecting attacks against computer systems and networks or, in general, against information systems. Indeed, it is difficult to provide provably secure information systems and to maintain them in such a secure state during their lifetime and utilization. Sometimes, legacy or operational constraints do not even allow the definition of a fully secure information system [32]. Therefore, intrusion detection systems have the task of monitoring the usage of such systems to detect any appearance of insecure states. They detect attempts by legitimate users of the information systems or by external parties to abuse their privileges or exploit security vulnerabilities, as well as active misuse [2, 65].

2.8.1 Research Parameters

In order to compare the different products on the market, we examined publicly available product documentation, published conference material (proceedings) and other material available for public review. As this report is an analysis of design specifications rather than a test of implementations, we have not performed any tests under laboratory or real-life conditions [62].

Parameter Definitions

i. Granularity of Data Processing: The response time of an intrusion detection system depends partly on the granularity of data processing. The unprocessed data collected for analysis can be processed continuously (ad infinitum) or in batches (consignments) at some regular interval. Most of the systems work in real time, i.e. continuously, while a few work manually on data grouped into batches.

ii. Audit Source Location: It refers to where the intrusion detection system obtains its audit data. The audit source location discriminates intrusion-detection systems based on the kind of input information they analyze. The input information can be audit trails (such as system logs) on a host, network packets, application logs, or intrusion-detection alerts generated by other intrusion-detection systems. The source of audit data can be either network- or host-based. Network-based data are usually read directly off some multicast network (Ethernet). Host-based data (security logs) are collected from hosts distributed all over the network and can include operating system kernel logs, application program logs, network equipment logs or other host-based security logs. One advantage of using network-based audit data is that it allows the intrusion detection system to observe the whole traffic on the network.


iii. Management Console: This parameter refers to the management console, i.e. the user interface provided by the client component of the network management software. It is the user interface and "control room" view of the network: a terminal or workstation used to monitor and control a network. This parameter takes three values: Excellent; Accustomed, i.e. a comfortable, familiar user interface; and Intricate, i.e. one that is complicated for the user when viewing the network.

iv. Behavior on Attack: It describes the response of the intrusion-detection system to attacks. On the basis of their response to an intrusion, IDS can be either active or passive. When the intrusion-detection system reacts to the attack by taking either corrective (closing holes) or pro-active (logging out possible attackers, closing down services) actions, it is said to be active [64]; when it merely generates alarms (such as paging), it is said to be passive.

v. Reporting Capability: This parameter describes how quickly an IDS reports an attack to the network administrator. We have classified it into two values, i.e. High and Medium.

vi. Interoperability: Interoperability is a measure of the intrusion detection system's ability to cooperate with other similar systems. It can be of interest at various levels of the architecture, serving many different purposes.


2.8.2 Tools Analyzed

A total of 25 research and commercial intrusion detection tools were analyzed in this survey, as shown in Table 2.2 [70].

Table 2.2: Tools Analyzed

Sr.No. | Intrusion Detection System | Vendor
1      | Snort                      | Snort Corporation
2      | Dragon                     | Enterasys Corporation
3      | Cisco Secure IDS           | Cisco Systems, Inc.
4      | Emerald                    | SRI International
5      | Net Ranger                 | Cisco Systems, Inc.
6      | Tripwire                   | Purdue University
7      | Intruder Alert             | Axent Technologies, Inc.
8      | Netstat                    | University of California at Santa Barbara
9      | CMDS                       | Science Application International Corporation (SAIC)
10     | Entrax                     | Centrax Corporation
11     | Bro                        | Centrax Corporation
12     | Stake Out I.D              | Harris Communications, Inc.
13     | SecureNet PRO              | MimeStar, Inc.
14     | Kane Security Monitor      | Security Dynamics (formerly Intrusion Detection, Inc.)
15     | NetProwler                 | Axent Corporation
16     | Session Wall-3             | AbirNet
17     | Network Flight Recorder    | Network Flight Recorder, Inc.
18     | INTOUCH INSA               | Touch Technologies, Inc.
19     | RealSecure                 | Internet Security Systems (ISS)
20     | CyberCop                   | Network Associates, Inc.
21     | ID-Trak                    | Internet Tools, Inc.
22     | NIDES                      | SRI International
23     | T-Sight                    | EnGarde Systems, Inc.
24     | Shadow                     | Network Research Group (Lawrence Berkeley Lab)
25     | SecureCom Suite            | ODS Networks

The intrusion detection tools were analyzed and the results categorized using the above research parameters [89].

Almost all of the vendors allow intrusions to be detected in real time. In the host-based ID tools the audit logs are collected in batches before they are processed or analyzed, with an even longer delay as a result. These delays may or may not be a problem, depending on the security of the intrusion detection system and its ability to track further activities (audit capabilities) and to terminate established sessions and processes. T-Sight from EnGarde Systems, Inc. has adopted a somewhat different scheme for detecting intrusions: it is focused on collecting and presenting data to the security officer, who then in turn tries to identify intrusions. Systems using manual intrusion detection schemes can certainly not be classified as "real-time", as they depend on the presence of a human user.

A majority of the analyzed systems are network oriented in terms of the source of audit data. Only six systems are purely host-based, and four systems support both host- and network-based audit data. As previously mentioned in the section on comparison criteria, the increasing use of switched network technologies and encryption jeopardizes the future of network-based systems, yet most systems of today rely upon network audit data. Some vendors claim that switched networks can easily be analyzed using dedicated management ports on the switches. This may be true if the network is moderately loaded, but it is unrealistic on medium or heavily loaded networks. An innovative solution is provided by ODS Networks Inc., which incorporates ID (provided by ISS Inc.) into its product line of switches, thus eliminating the restrictions posed by switching technology. Dragon is unique in the industry in its ability to deliver both host-based and network-based functionality, i.e. it can be used both as a NIDS and as a HIDS, and thus provides complete security for a network. Cisco Secure and Snort are network-based IDSs.

Most of the systems analyzed provide a console-based user interface; a few also provide a graphical user interface to view the activities. Snort provides a good management console, implemented with the help of the ACID plug-in module. Plug-ins are a very important feature of Snort: they are programs written to conform to Snort's plug-in API. These programs used to be part of the core Snort code, but were separated out to make modifications to the core source code more reliable and easier to accomplish. ACID stands for Analysis Console for Intrusion Databases; it provides log analysis for Snort and requires PHP, Apache, and the Snort database plug-in. Dragon provides an excellent management console, implemented in the 'Dragon Enterprise Management Server' component, which is made up of a number of highly integrated technologies. Web-based and centralized policy management tools offer enterprise-wide management of small and large-scale Dragon deployments. Dragon Policy Manager provides centralized management of the Dragon Network and Host Sensors, while the Alarm tool offers centralized alarm and notification management. Cisco provides a management console, but it is not as good as those of Snort and Dragon. The console is responsible for the communication between the server and the agents; communication between agents and the server takes place at intervals set in the console, and the communication port configured for the console and the agent must be the same for them to communicate. The console also contains a list indicating the state of each agent.

The behavior of the system on attack is either passive or active. Passive response means that an intrusion is brought to the attention of the administrator; mechanisms for passive response may be sending e-mails, paging or displaying alert messages. Many systems provide some support for passive response mechanisms. As for active response, all but three systems (Stake Out, Kane Security Monitor and T-Sight) support active response without human interaction. For network-based systems, active response includes actions like terminating transport-level sessions, which most active response systems claim they support. Some systems, such as SecureNet Pro, even allow the SSO to hijack a TCP session, which provides a means for closing or terminating sessions such as Telnet or Rlogin in a controlled manner. Host-based ID systems have the advantage that they can also control hostile processes on the host on which they reside. Most host-based systems analyzed claim to support termination of processes; Kane Security Monitor does not have this feature. Entrax offers only the possibility to log out a user, disable a user's account or shut down the entire computer, which can be seen as a drastic way of terminating processes. Emergency shutdown of the entire host can be useful when the system contains information whose confidentiality is more important than its availability. Systems contaminated by computer viruses may also benefit from being shut down to prevent further contamination. One should keep in mind that ID systems that have the capability to shut down processes or terminate network sessions often run with superuser privileges.

Snort can be used for active as well as passive monitoring of the network. Passive monitoring is simply the ability to listen to network traffic and log it. Active monitoring involves the ability either to monitor traffic and then send alerts concerning the traffic that is discovered, or to actually intercept and block this traffic. Snort is primarily used for active auditing. Dragon behaves actively on detecting attacks: when an attack is detected, the Dragon Network Sensor employs a variety of techniques to prevent intrusion, including terminating the session and configuring firewall ACLs to block the would-be intruder. Cisco can behave actively or passively, at the choice of the user.


The detection capabilities of the products vary quite extensively. In general, a network-based IDS has greater capabilities owing to its ability to capture and analyze packets on the underlying network, whereas host-based ID systems are limited to the audit logs provided by the operating system or to application logs. Due to the large number of different intrusions recognized, this survey presents only an overview of the types of attacks each product can detect. Some of the products, such as RealSecure and Intruder Alert, include up to 200 different known intrusion signatures out of the box. The table below shows the detection capabilities mapped onto a simple protocol stack. Cisco performs real-time attack detection using the Intrusion Detection System Module (IDSM), which performs network sensing in real time by monitoring network packets through packet capture and analysis. Dragon provides real-time attack reporting; the Dragon Host Sensor component monitors key system logs for evidence of tampering, and the Dragon Enterprise Management Server provides complete monitoring and control. Snort allows attack alert messages to be sent via e-mail to notify a system administrator in real time, so that no one has to monitor the Snort output all day and night.

Interoperability for IDS can be achieved in a number of different areas. Four important areas are: exchange of audit data records; exchange of security policies; exchange of misuse patterns or statistical information about user activities; and exchange of alarm reports, event notifications and response mechanisms.


Table 2.3: Analysis of Intrusion Detection Tools

Sr. No. | Intrusion Detection System | Granularity of data processing | Audit Source Location | Management Console | Behavior on Attack | Reporting Capability | Interoperability
1       | Snort                      | Realtime                       | NIDS                  | Accustomed         | Passive/Active     | High                 | Medium
2       | Dragon                     | Realtime                       | NIDS/HIDS             | Excellent          |                    | High                 | High
3       | Cisco Secure ID            | Realtime                       | NIDS                  | Intricate          | Passive/Active     | High                 | Medium
4       | Emerald                    | Realtime                       | NIDS                  | Accustomed         | Active             | Medium               |
5       | Net Ranger                 | Realtime                       | NIDS                  | Intricate          | Active             | High                 | Medium
6       | Tripwire                   |                                | HIDS                  | Intricate          |                    |                      |
7       | Intruder Alert             | Realtime                       | NIDS/HIDS             | Accustomed         | Active             | High                 | Medium
8       | Netstat                    | Realtime                       | NIDS                  | Intricate          | Active             |                      |
9       | CMDS                       | Realtime                       | HIDS                  | Accustomed         | Active             | Medium               | Low
10      | Entrax                     | Realtime                       | HIDS                  | Accustomed         | Active             | Medium               |
11      | Bro                        | Realtime                       | NIDS                  | Accustomed         | Active             |                      |
12      | Stake Out I.D              | Realtime                       | NIDS                  | Excellent          | Passive            | High                 | Low
13      | SecureNet PRO              | Realtime                       | NIDS                  | Excellent          | Active             | High                 | Low
14      | Kane Security Monitor      | Realtime                       | HIDS                  | Accustomed         | Passive            | Medium               | Low
15      | NetProwler                 | Manual                         | HIDS                  | Intricate          | Active             |                      |
16      | Session Wall-3             | Realtime                       | NIDS                  | Excellent          | Active             | High                 | Medium
17      | Network Flight Recorder    | Realtime                       | NIDS                  | Accustomed         | Active             | High                 | Low
18      | INTOUCH INSA               | Realtime                       | NIDS                  | Excellent          | Active             | Medium               | Low
19      | RealSecure                 | Realtime                       | NIDS/HIDS             | Excellent          | Active             | High                 | Medium
20      | CyberCop                   | Realtime                       | NIDS/HIDS             | Accustomed         | Active             | High                 | Medium
21      | ID-Trak                    | Realtime                       | NIDS                  | Accustomed         | Active             | Medium               | Low
22      | NIDES                      | Realtime                       | HIDS                  | Intricate          | Active             | High                 | Low
23      | T-Sight                    | Manual                         | NIDS                  | Intricate          | Passive            | -                    | None
24      | Shadow                     | Manual                         | NIDS                  | Intricate          | Active             |                      |
25      | SecureCom Suite            | Realtime                       | NIDS                  | Excellent          | Active             | High                 | Medium


2.8.3 Detection Method

This parameter is the capability of the IDS to detect various types of attacks. It depends on the number of signatures defined in the knowledge base of the IDS [65, 72].
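As an added illustration, not code from any of the surveyed tools, the following Python sketch implements the two detection methods distinguished in Table 2.4 (rule-based signature matching and anomaly-based statistical profiling) together with the passive/active behaviour-on-attack parameter of Section 2.8.1; the signature table, addresses and baseline counts are constructed sample data, not taken from any product.

```python
# Added illustration of this survey's taxonomy; not code from any surveyed tool.
# It shows rule-based vs anomaly-based detection (Table 2.4) and passive vs
# active behaviour on attack (Section 2.8.1). All sample data is constructed.
from collections import Counter
from dataclasses import dataclass
import statistics

@dataclass(frozen=True)
class Event:                 # one constructed connection record from a sensor
    src: str
    dst_port: int
    payload: str

# Constructed signature table (hypothetical rules, not Snort's rule syntax).
SIGNATURES = {
    "telnet-root-login": (23, "login: root"),
    "http-dir-traversal": (80, "../../"),
}

def rule_based(ev):
    """Signature matching: known misuse pattern on a known port -> rule name."""
    for name, (port, pattern) in SIGNATURES.items():
        if ev.dst_port == port and pattern in ev.payload:
            return name
    return None

def anomaly_based(events, baseline, k=3.0):
    """Statistical profiling: flag sources whose connection count in this batch
    exceeds mean + k*stdev of the per-source counts seen in the baseline."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    counts = Counter(ev.src for ev in events)
    return {src: n for src, n in counts.items() if n > threshold}

def respond(alerts, mode):
    """Behaviour on attack: passive -> alarm only; active -> terminate session."""
    action = "alarm" if mode == "passive" else "terminate-session"
    return [(src, reason, action) for src, reason in alerts]

def analyze(events, baseline, mode="passive"):
    """Run both detection methods over one batch, then pick the response."""
    alerts = []
    for ev in events:
        name = rule_based(ev)
        if name:
            alerts.append((ev.src, name))
    for src, n in anomaly_based(events, baseline).items():
        alerts.append((src, f"rate-anomaly:{n}"))
    return respond(alerts, mode)

# Constructed batch: one signature hit and one host opening 40 connections.
SAMPLE = [Event("10.0.0.5", 23, "login: root"),
          Event("10.0.0.7", 80, "GET /index.html")]
SAMPLE += [Event("10.0.0.9", p, "SYN") for p in range(1, 41)]
BASELINE = [2, 3, 1, 4, 2, 3, 2, 3]  # constructed per-source counts, past batches

if __name__ == "__main__":
    for entry in analyze(SAMPLE, BASELINE, mode="active"):
        print(entry)
```

The scanning host is caught only by the anomaly profile and the Telnet event only by the signature, which is the complementary coverage the two columns of Table 2.4 record.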

Table 2.4: Detection Method for Intrusion Detection Tools

Sr. No.  Product           Rule Based  Anomaly Based
1        Snort             *
2        Dragon            *           *
3        Cisco Secure      *
4        Emerald           *
5        Net Ranger        *
6        Tripwire          *
7        Intruder Alert    *
8        Netstat           *           *
9        CMDS              *           *
10       Entrax            *
11       Bro               *
12       Stake Out I.D     *           *
13       SecureNet         *
14       Kane Security     *           *
15       NetProwler        *
16       Session Wall-3    *
17       Network Flight    *
18       INTOUCH I         *           *
19       RealSecure        *
20       CyberCop          *
21       ID-Trak           *
22       NIDES             *           *
23       T-Sight           *
24       Shadow            *
25       SecureCom Suite   *

2.8.4 Architectural aspects of tools

i. System organization: Virtually every system can operate in a distributed environment. Only INTOUCH INSA and T-Sight are limited to a single host or network segment. Intruder Alert (IA) is partly distributed: while the host-based IA can operate distributed under centralized control, its network-based counterpart (NetProwler) cannot.

ii. Operating systems: Despite the market trend to migrate applications to Windows NT, a surprising number of ID systems operate in various UNIX environments. Table 2.5 summarizes the operating system requirements for the manager and agent sides of each IDS. It is worth mentioning that Axent supports an impressive number of operating systems for Intruder Alert.


iii. Protocol: As expected, TCP/IP is the dominating protocol suite supported. Table 2.5 gives a summary of the network technologies supported by each product.

Table 2.5: Architectural aspects of Intrusion Detection Tools

Sr.No. | Intrusion Detection System | Operating System Support   | Protocol
1      | Snort                      | MS Windows, LINUX          | TCP/IP
2      | Dragon                     | MS Windows, LINUX, Solaris | TCP/IP
3      | Cisco Secure IDS           | MS Windows, UNIX           | TCP/IP
4      | Emerald                    | MS Windows, UNIX           | TCP/IP
5      | Net Ranger                 | Solaris                    | TCP/IP
6      | Tripwire                   | UNIX                       |
7      | Intruder Alert             | Solaris, Sun OS            | TCP/IP, IPX/SPX
8      | Netstat                    | UNIX                       |
9      | CMDS                       | Solaris, NT                | -
10     | Entrax                     | NT, UNIX                   | -
11     | Bro                        | UNIX                       |
12     | Stake Out I.D              | Solaris                    | TCP/IP
13     | SecureNet PRO              | Solaris, LINUX             | TCP/IP
14     | Kane Security Monitor      | NT                         | TCP/IP
15     | NetProwler                 | MS Windows, UNIX           |
16     | Session Wall-3             | NT, W95/98                 | TCP/IP
17     | Network Flight Recorder    | Red Hat LINUX              | TCP/IP
18     | INTOUCH INSA               | Not Applicable             | TCP/IP
19     | RealSecure                 | NT, Solaris                | TCP/IP
20     | CyberCop                   | NT, Solaris                | TCP/IP
21     | ID-Trak                    | NT                         | TCP/IP
22     | NIDES                      | Sun OS                     | TCP/IP
23     | T-Sight                    | Not Applicable             | TCP/IP
24     | Shadow                     | UNIX                       |
25     | SecureCom Suite            | NT, Solaris                | TCP/IP


2.9 CHAPTER SUMMARY

In this chapter a number of existing intrusion detection tools capable of monitoring wireless traffic were analyzed. A detailed analysis of twenty-five commercial, educational and research intrusion detection tools was given on the basis of the research parameters that matter for the detection of intruders in a WLAN. The educational, research and commercial systems were evaluated and their results summarized, which will help administrators to install a suitable tool in wireless networks. A taxonomy especially designed for intrusion detection systems (IDS) is used to compare and evaluate the different functions, features and aspects of the products. This review identifies a number of important design and implementation issues, which provide a framework for evaluating or deploying intrusion detection systems. This analysis will be helpful in future research, and a practical and effective solution can be designed and developed on the basis of these results.
