CHAPTER 2
LITERATURE SURVEY
This chapter presents existing intrusion detection techniques that aim at high
accuracy, a low false positive rate and a reduced number of features. It also
gives a detailed analysis of the intrusion detection tools available for
detecting intrusions in WLANs, and identifies a number of important design and
implementation issues that provide a framework for evaluating or deploying
commercial intrusion detection systems.
2.1 Introduction
Several information security techniques are available today to protect
information systems against unauthorized use, duplication, alteration,
destruction and malware. An Intrusion Detection System (IDS) is a program
that analyzes what happens, or has happened, during the execution of a system
and tries to find indications that the computer has been misused. There is an
abundant literature on intrusion detection, and several IDS approaches have
been proposed since the origins of this technology [1-4, 61], as surveyed by
Kabiri and Ghorbani [61] and by Abraham [1, 2, 3, 4]. Two highly relevant works
in this direction are those of Denning [27] and Verwoerd [102]. Dorothy Denning
[27] proposed the concept of intrusion detection as a solution to the problem of
providing a sense of security in computer systems. The basic idea is that
intrusion behavior involves abnormal usage of the system. Different techniques
and approaches have been used in later developments, among them statistical
approaches, predictive pattern generation, expert systems, keystroke
monitoring, state transition analysis, pattern matching and data mining.
Since 1970, several authors have reviewed the state of the art, including
Anantvalee [7], Kabiri [61], Bass [16], Jeyanthi and Michel [50, 51, 52],
Yang [105], Adam [5], Lee [68], Mukherjee et al. [80], Kumar and Lakhotia [96],
and Lee et al. [103]. The best reviews are those that present an unbiased,
thorough review of the literature and/or provide a good taxonomy for describing
the different intrusion detection methods; examples include those by Axelsson
[12], Debar [26] and Almgren [6]. Hall, M. and Jackson wrote an in-depth survey
of commercial products, and Brumley et al. reviewed defenses against worms [21].
2.2 Evolution of Intrusion Detection
Several works have shaped the state of the art; Table 2.1 lists them in
chronological order with their main contribution (serial number, citation,
main contribution):
Table 2.1: Evolution of Intrusion Detection
1. James Anderson, 1980. The genesis of intrusion detection, commencing with
James Anderson's technical report Computer Security Threat Monitoring and
Surveillance for the U.S. Air Force. The paper showed that audit records could
be used to identify computer misuse and to classify threats, and it offered
suggestions for improving the auditing of systems to identify misuse. It is
based on the belief that an intruder's behavior will be noticeably different
from that of a legitimate user and that many unauthorized actions will
therefore be detectable.
2. Dorothy Denning, 1985. This paper introduces a prototype that would analyze
audit trails from government systems and track user activity. The system was
named the Intrusion Detection Expert System (IDES), and it was the foundational
research into IDS technology.
3. Dorothy Denning, 1986. This paper presents the first intrusion detection
model, which has six main components: subjects, objects, audit records,
profiles, anomaly records and activity rules. Subjects are the initiators of
activity in an information system, usually normal users. Objects are the
resources managed by the information system, such as files, commands and
devices. Audit records are those generated by the information system in
response to actions performed or attempted by subjects on objects.
4. Dorothy Denning, 1987. This paper presents the profile-based behavioral
analysis. Behavioral analysis looks for deviations from the type of behavior
that has been statistically baselined, such as relationships between packets
and in what is being sent over a network.
6. Haystack, 1988. This paper introduces a combined anomaly detection/misuse
detection IDS that models individual users as well as groups of users. It
assigns an initial profile to new users and updates the profiles once a pattern
of actual behavior is recognized. Haystack used a different statistical anomaly
detection algorithm.
7. Lunt, T.F., 1988. This paper presents a survey of automated audit trail
analysis techniques and intrusion detection systems. Lunt combines two
approaches in IDES (Intrusion Detection Expert System) to obtain a strong
intrusion detection system; the strength of IDES lies in its statistical
approach.
8. Todd Heberlein, 1989. An IDS called the Network Security Monitor (NSM) was
introduced by Heberlein. NSM differed from IDES and DIDS (Distributed Intrusion
Detection System) in that it analyzed network traffic rather than system logs.
NSM, along with the now commercially available Stalker IDS, helped to create
new awareness of and interest in IDS research in the commercial and public
sectors.
9. Marcus J. Ranum, 1990. This paper presents the commercial IDS called Network
Flight Recorder (NFR). Christopher Klaus and Thomas E. Noonan founded Internet
Security Systems (ISS) and released a network-based intrusion detection system
called RealSecure.
10. Teng, Chen and Lu, 1990. This paper introduces the use of a time-based
inductive machine (TIM) to capture a user's behavior pattern. As a
general-purpose tool, TIM discovers temporal sequential patterns in a sequence
of events. The sequential patterns represent highly repetitive activities and
are expected to provide prediction. The temporal patterns, represented in the
form of rules, are generated and modified from the input data using a logical
inference called inductive generalization. When applied to intrusion detection,
the rules describe the behavior patterns of either a user or a group of users
based on past audit history.
11. Mukherjee, B., Heberlein, L. and Levitt, K., 1994. This paper surveyed
several host-based and network-based IDSs and identified the characteristics
of the corresponding systems. The host-based systems employ the host operating
system's audit trails as the main source of input to detect intrusive
activity, while most of the network-based IDSs build their detection mechanism
by monitoring network traffic, and some employ host audit trails as well. An
outline of a statistical anomaly detection algorithm employed in a typical IDS
is also included [80].
12. Anderson, D., Lunt, T.F., Javitz, H., Tamaru, A. and Valdes, A., 1995. This
report presents the findings of SRI International's (SRI) analysis of the
Next-generation Intrusion Detection Expert System (NIDES). The statistical
analysis helped to detect unauthorized application execution based on
system-level audit trails.
13. Sundaram, A., 1996. An overview of intrusion detection concepts and a
taxonomy were given. The paper then introduces and discusses several
commercial and public-domain IDSs available, and describes recent developments
in conventional intrusion detection: distributed, modular systems that include
both anomaly and misuse detection. A peek at the new breed of pro-active,
preventative tools, the so-called Delphic tools that identify threats and
risks in the very early attack stages, was also provided.
14. Axelsson, S., 1998. This paper describes the concept of intrusion detection
in local area networks connected to the Internet. Intrusion detection
techniques, vulnerabilities in intrusion detection systems (IDS), and
intrusion detection and response (IDR) systems were explored. A distinction is
made between host-based and network-based intrusion detection systems. The
network security standards and the general connectivity and compatibility
requirements of IDS are also discussed.
15. Lane and Brodley, 1998. This paper applies instance-based learning (IBL)
to learn entities' (e.g., users') normal behavior from temporal sequence data.
IBL represents a concept of interest with a set of instances that illustrate
the concept; the set of instances is called the instance dictionary. A new
instance is classified according to its relation to the stored instances. IBL
requires a notion of "distance" between instances so that the similarity of
different instances can be measured and used to classify them.
16. Lee, W., Stolfo, S. and Mok, K., 1999. In this paper, a data mining
framework for adaptively building intrusion detection (ID) models was
described. The central idea was to utilize auditing programs to extract an
extensive set of features that describe each network
17. Allen, J., Christie, A. and Stoner, 2000. This paper presents a
comprehensive survey of anomaly detection systems and hybrid intrusion
detection systems. Recent technological trends in anomaly detection were
discussed, and open problems and challenges in this area were identified.
18. Debar, H., Dacier, M. and Wespi, A., 2000. This paper discusses a taxonomy
of intrusion detection systems that highlights the various aspects of this
area. The taxonomy divides families of intrusion detection systems according
to their properties.
19. Alessandri, D., 2001. This paper presents how the combination of the
taxonomy introduced and the notion of activity scope provides a flexible and
practical instrument to describe intrusion detection systems. The taxonomy has
been developed to describe the functional aspects, i.e. the capabilities, of
intrusion detection systems, such that one can in a next step evaluate
intrusion detection systems for their potential to detect attacks, generate
false positives, etc.
20. Axelsson, S., 2002. A taxonomy of intrusion detection systems was
presented. The taxonomy consists of a classification first of the detection
principle and second of certain operational aspects of the intrusion detection
system. The systems are also grouped according to the increasing difficulty of
the problem they attempt to address. These classifications are used
predictively, pointing towards a number of areas of future research in the
field of intrusion detection.
21. Bai, Y. and Kobayashi, H., 2003. In this paper a survey of the major
challenges to ID technology was presented, covering several main aspects of
ID technology. Analyses of intrusion detection techniques and data collection
techniques are emphasized. Some novel developments in ID systems, such as data
mining based and data fusion based ID systems, were also discussed. Current ID
technology faces powerful challenges.
22. Giovanni et al., 2004. Mobile ad hoc network routing protocols that are
highly vulnerable to subversion were presented; in particular, some attacks
against routing and some threats to wireless ad hoc networks are discussed.
The paper also presents a tool that aims at the real-time detection of these
attacks. The tool observes network packets to detect local and distributed
attacks within its radio range.
23. Yu Chen, Yu-Kwong Kwok and Kai Hwang, 2005. This paper presents a new
signal-processing approach to identify and detect attacks by examining the
frequency-domain characteristics of incoming traffic flows to a server. The
technique is effective in that its detection time is less than a few seconds.
Furthermore, it entails a simple implementation, making it deployable in
real-life network environments.
24. Phillip Brooke, 2006. This paper presents a new IDS framework for mobile
ad hoc network (MANET) environments based upon the concept of a friend in the
small-world phenomenon. The two-tier IDS framework has been designed, with the
help of friend nodes, to overcome long detection times and detection that
suffers from the potential for blackmail attackers and false accusations. It
is hypothesized that with the introduction of friend nodes the impact of these
IDS problems can be minimized. It is noted that the proposed framework would
not be able to work in diverse MANET environments.
25. Jeyanthi Hall, 2007. This paper demonstrates an anomaly-based intrusion
detection approach that incorporates radio frequency fingerprinting (RFF) and
Hotelling's T^2, a multivariate statistical process control technique, for
detecting MAC address spoofing. RFF is a technique used to uniquely identify a
transceiver based on the transceiverprint (set of features) of the signal it
generates. The approach is to associate a transceiver profile of a wireless
device with its corresponding MAC address. Hence, although the MAC address can
still be spoofed, the transceiverprints from the illegitimate device would not
match the profile of the legitimate device. Moreover, the success rate of a
wireless IDS can be further improved by analyzing multiple chronologically
ordered transceiverprints prior to rendering a decision.
26. Eduardo Mosqueira-Rey et al., 2007. This paper describes the design of a
misuse detection agent, one of the different agents in a multiagent-based
intrusion detection system. Using a packet sniffer the agent examines the
packets in the network connections and creates a data model based on the
information obtained.
27. Magnus Almgren, Ulf Lindqvist and Erland Jonsson, 2008. This paper
investigated how to use the alerts from many audit sources to improve the
accuracy of an intrusion detection system (IDS). A theoretical model was
designed to reason automatically about the alerts from the different sensors,
concentrating on web server attacks. It also gives security operators a better
understanding of possible attacks against their systems.
28. Naeimeh Laleh and Mohammad Abdollahi Azgomi, 2009. This paper discusses
fraud, which is growing remarkably with the growth of modern technology and
the universal superhighways of communication, and which results in the loss of
billions of dollars throughout the world each year. The paper proposes a new
taxonomy and a complete review of the different types of fraud and of the data
mining techniques used for fraud detection.
29. Yurong Xu, James Ford and Fillia Makedon, 2010. This paper introduces a
distributed wormhole detection algorithm called Wormhole Geographic
Distributed Detection (WGDD) that is based on detecting the network disorder
caused by the existence of a wormhole. Since wormhole attacks are passive, the
algorithm uses a hop-counting technique as a probe procedure to detect
wormhole attacks, then reconstructs local maps in each node. After that, it
uses a feature called "diameter" to detect abnormalities caused by wormholes.
The main advantage of using a distributed wormhole detection algorithm is that
it provides the approximate location of a wormhole, which may be useful
information for further defense mechanisms.
2.3 Gaps in Existing Research Literature
Most of the research has been carried out on signature based techniques; more
effort is required on anomaly detection techniques, especially for WLANs.
To the author's knowledge, the exact design considerations for an efficient
technique for monitoring, detecting and responding to the various security
breaches of a WLAN have not so far been accounted for.
2.4 Classification of Intrusion Detection System
In the literature, two classes of intrusion detection systems have been
developed: host-based IDS and network-based IDS [12, 57].
2.4.1 HOST-BASED INTRUSION DETECTION
A host-based IDS resides on the system being monitored and tracks changes made
to important files and directories [40]. It takes a snapshot of the existing
system files and matches it against the previous snapshot. If critical system
files have been modified or deleted, an alert is sent to the administrator to
investigate. Zirkle described host-based IDS as "loading a piece of software on
the system to be monitored" [44]. This software, generally classified as either
host wrappers/personal firewalls or agent-based software [72], performs the
following:
i. Uses log files and/or the system's auditing agents as sources of data, as
well as the traffic in and out of a single computer.
ii. Checks the integrity of system files and watches for suspicious processes,
including changes to system files and user privileges.
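The snapshot-and-compare check described above, as an added example (not code from the thesis or from any of the surveyed tools). The watched tree, its contents and the tampering are constructed in a temporary directory; the function names and the (hash, permission bits) record format are this example's own choices.

```python
"""Host-based integrity monitoring: baseline snapshot of watched files, later comparison.

Added example (not code from the thesis). The watched tree and its tampering are
constructed in a temporary directory; a real deployment would watch e.g. /etc,
/bin and the IDS's own binaries, and keep the baseline on read-only media.
"""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Return {relative_path: (sha256_hex, permission_bits)} for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (h.hexdigest(), stat.S_IMODE(st.st_mode))
    return snap


def diff_snapshots(baseline, current):
    """Alerts for files that were modified, deleted, added, or had their permissions changed."""
    alerts = []
    for path, (digest, mode) in baseline.items():
        if path not in current:
            alerts.append(("deleted", path))
        elif current[path][0] != digest:
            alerts.append(("modified", path))
        elif current[path][1] != mode:
            alerts.append(("mode_changed", path))
    for path in current:
        if path not in baseline:
            alerts.append(("added", path))
    return sorted(alerts)


def demo():
    """Create a throwaway 'system', baseline it, tamper with it, return the resulting alerts."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(etc, "shadow"), "w") as f:
            f.write("root:*:0:0:99999:7:::\n")
        os.chmod(os.path.join(etc, "shadow"), 0o600)
        baseline = snapshot(root)

        # Constructed tampering: a second uid-0 account appended, hosts removed,
        # shadow made world-readable, a new startup script dropped.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        os.chmod(os.path.join(etc, "shadow"), 0o644)
        with open(os.path.join(etc, "rc.local"), "w") as f:
            f.write("#!/bin/sh\n# constructed: attacker-dropped startup script\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"ALERT {kind:<12} {path}")
```

Two points the prose does not spell out: the baseline must be stored where the monitored host cannot rewrite it (an intruder with root on the host can otherwise re-baseline after tampering), and content hashing alone misses a file whose bytes are unchanged but whose permissions were loosened, which is why the permission bits are recorded and compared separately.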
2.4.2 NETWORK-BASED INTRUSION DETECTION
A network-based intrusion detection system (NIDS) monitors and analyzes the
traffic on its network segment to detect intrusion attempts. An IDS can be made
up of many sensors, each sensor being in charge of monitoring the traffic
passing through its own segment [45].
The sensors cannot monitor anything outside their own segment or switch.
Northcutt [6] described a network-based intrusion detection system as an ID
system that uses the traffic on its network segment as its data source.
Implementation requires:
i. The network interface card is placed in promiscuous mode to capture all
network traffic that crosses its network segment, not only the packets
addressed to the sensor itself.
ii. A sensor, whose objective is to determine whether the packet flow matches
a known signature.
iii. Three kinds of signature are particularly important. First, string
signatures look for a text string that indicates a possible attack. Second,
port signatures simply watch for connection attempts to well-known, frequently
attacked ports. Third, header signatures watch for dangerous or illogical
combinations in packet headers.
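The three signature kinds listed above, implemented over decoded packets, as an added example (not code from the thesis or from any surveyed product). The packets are constructed dicts standing in for frames a promiscuous-mode sensor would capture and decode; the field names, the signature names and the specific patterns are this example's own assumptions.

```python
"""Signature matching over decoded packets: string, port and header signatures.

Added example (not code from the thesis). The packets are constructed dicts
standing in for frames a sensor would capture in promiscuous mode and decode;
field names (src, dst, proto, sport, dport, flags, payload) are this example's own.
"""


def string_sig(name, needle):
    """String signature: a byte sequence in the payload that indicates an attack."""
    return name, lambda p: needle in p["payload"]


def port_sig(name, ports):
    """Port signature: a TCP connection attempt (SYN without ACK) to a watched port."""
    return name, lambda p: (p["proto"] == "tcp" and p["dport"] in ports
                            and "SYN" in p["flags"] and "ACK" not in p["flags"])


def header_sig(name, predicate):
    """Header signature: an illogical or dangerous combination of header fields."""
    return name, predicate


SIGNATURES = [
    string_sig("path-traversal-etc-passwd", b"/etc/passwd"),
    port_sig("telnet-connect-attempt", {23}),
    port_sig("smb-connect-attempt", {139, 445}),
    header_sig("land-src-equals-dst", lambda p: p["src"] == p["dst"]),
    header_sig("tcp-syn-fin-both-set", lambda p: {"SYN", "FIN"} <= p["flags"]),
]

# Constructed traffic on one segment; packets 0 and 5 are benign.
PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "tcp", "sport": 40001, "dport": 80,
     "flags": {"SYN"}, "payload": b""},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "tcp", "sport": 40001, "dport": 80,
     "flags": {"ACK", "PSH"}, "payload": b"GET /cgi-bin/../../../etc/passwd HTTP/1.0\r\n"},
    {"src": "10.0.0.7", "dst": "10.0.0.20", "proto": "tcp", "sport": 52000, "dport": 23,
     "flags": {"SYN"}, "payload": b""},
    {"src": "10.0.0.20", "dst": "10.0.0.20", "proto": "tcp", "sport": 139, "dport": 139,
     "flags": {"SYN"}, "payload": b""},
    {"src": "10.0.0.9", "dst": "10.0.0.20", "proto": "tcp", "sport": 1234, "dport": 443,
     "flags": {"SYN", "FIN"}, "payload": b""},
    {"src": "10.0.0.8", "dst": "10.0.0.20", "proto": "tcp", "sport": 40002, "dport": 443,
     "flags": {"SYN"}, "payload": b""},
]


def scan(packets, signatures=SIGNATURES):
    """Return (packet_index, signature_name) for every match; one packet may hit several."""
    alerts = []
    for i, pkt in enumerate(packets):
        for name, match in signatures:
            if match(pkt):
                alerts.append((i, name))
    return alerts


if __name__ == "__main__":
    for idx, name in scan(PACKETS):
        print(f"packet {idx}: {name}")
```

Packet 3 illustrates why a sensor must evaluate every signature rather than stop at the first hit: it is both a connection attempt to a watched port and a header anomaly (source equals destination). The string signature is deliberately the full path rather than the bare word "passwd", since a looser string would also fire on legitimate traffic, which is the specificity point made in the misuse detection discussion below.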
2.5 Misuse and Anomaly Based Detection
2.5.1 Misuse based detection
Misuse detection systems are also known as signature-based or knowledge-based
systems. They follow the same principle as most anti-virus software and rely
on the knowledge accumulated about previous attacks and vulnerabilities to
detect intrusion attempts [47, 65]. Misuse detection systems compare the
current activities of the monitored host or network with "signatures" of known
attacks. If the current activities match any of the known signatures, an alarm
is triggered [96].
2.5.1.1. Advantages and Limitations:
i. Low Rate of False Alarms: The main advantage of misuse detection systems is
their ability to detect known attacks with a relatively low false alarm rate
when the rules are correctly defined. As noted above, the signatures used in
the rules must be as specific as possible to prevent false alarms [47].
ii. Only Known Attacks Detected: The foremost drawback of misuse detection
systems is their complete inability to detect unknown attacks; a variant that
matches no signature passes unnoticed until a signature for it is written.
2.5.2 Anomaly based detection
Anomaly detection systems are also known as behavior-based systems. They rely
on the fact that intrusions can be detected by observing deviations from the
expected behavior of the monitored system [32]. These "normal" behaviors can
either correspond to observations made in the past or to forecasts made by
various techniques. Everything that does not correspond to this "normal"
pattern is flagged as anomalous. Therefore, the core process of anomaly
detection is not to learn what is anomalous but to learn what is normal or
expected [67, 96, 113].
2.5.2.1 Advantages and Limitations:
i. Unknown Attack Detection: The main advantage of anomaly detection systems
is that, contrary to misuse detection systems, they can detect unknown or
novel attacks, since they do not rely on any a priori knowledge of the
intrusions. It is also important to note that anomaly detection systems are
not primarily meant to replace misuse detection systems; the very good
efficiency of misuse systems in detecting known attacks makes them a natural
complement to anomaly detection systems.
ii. High Rate of False Alarms: Two factors may lead to a very high rate of
false alarms or to a very poor accuracy of anomaly detection systems.
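A minimal behavior-based detector of the kind described in 2.5.2, as an added example (not code from the thesis). It learns a per-feature statistical profile from sessions assumed to be attack-free and flags values more than k standard deviations from the mean; the training data, the two features (kilobytes sent per session, logins in the surrounding hour) and the 3-sigma threshold are this example's own constructed assumptions. It shows both sides of the trade-off above: a novel attack is caught without any signature, and a legitimate but unusual session is flagged too.

```python
"""Behavior-based (anomaly) detection from a statistical profile of normal use.

Added example (not code from the thesis). The training sessions are constructed
and assumed attack-free: for one user, kilobytes sent per session and logins in
the surrounding hour. Feature names and the 3-sigma threshold are this example's
own choices.
"""
import statistics

# Constructed training set: 20 sessions of one user, assumed to contain no attacks.
NORMAL_SESSIONS = [
    {"bytes_kb": b, "logins": n}
    for b, n in zip(
        [120, 130, 125, 118, 140, 135, 128, 122, 131, 127,
         133, 119, 124, 138, 129, 126, 121, 134, 130, 123],
        [1, 2, 1, 1, 2, 1, 1, 1, 2, 1, 1, 2, 1, 1, 1, 2, 1, 1, 1, 2],
    )
]


def learn_profile(sessions):
    """Learn what is normal: per-feature mean and sample standard deviation."""
    profile = {}
    for feature in sessions[0]:
        values = [s[feature] for s in sessions]
        profile[feature] = (statistics.mean(values), statistics.stdev(values))
    return profile


def deviations(profile, session, k=3.0):
    """Features of `session` lying more than k standard deviations from the profile mean."""
    flagged = []
    for feature, (mean, std) in profile.items():
        value = session[feature]
        if std == 0:
            # Constant during training: any change at all is a deviation.
            if value != mean:
                flagged.append(feature)
        elif abs(value - mean) / std > k:
            flagged.append(feature)
    return flagged


def demo():
    """Score three constructed sessions against the learned profile."""
    profile = learn_profile(NORMAL_SESSIONS)
    sessions = {
        "routine": {"bytes_kb": 128, "logins": 1},
        # Novel attack: repeated logins followed by bulk exfiltration.
        # No signature exists for it; the deviation alone exposes it.
        "exfiltration": {"bytes_kb": 900, "logins": 9},
        # Legitimate but unusual: the user fetches one large report.
        # Flagged as well, which is the false-alarm cost of this approach.
        "large-report": {"bytes_kb": 160, "logins": 1},
    }
    return {label: deviations(profile, s) for label, s in sessions.items()}


if __name__ == "__main__":
    for label, flagged in demo().items():
        print(f"{label:<14} {'ANOMALY ' + ', '.join(flagged) if flagged else 'normal'}")
```

Raising k lowers the false-alarm rate but lets smaller deviations through, and the profile is only as trustworthy as its training data: sessions that already contained an intrusion would be learned as normal, so the training window must be chosen and verified with the same care as a signature set.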
2.6 WLAN SECURITY
Wireless Local Area Networks have gained tremendous popularity across the
computer network market over the years. However, the threats and security
fears associated with them have caused some network managers and
administrators to avoid installing wireless LANs, regardless of the numerous
benefits they provide [82, 83]. Several manufacturers understand the fear,
uncertainty and doubt caused by the security problems of wireless LANs.
Several security measures have been proposed by these manufacturers, and some
of them have been adopted in IEEE 802.11 [78].
2.7 WLAN Technologies and Standards
This study focuses specifically on the existing industry standard for IEEE 802.11
as the representative example of the WLAN family of technologies [10, 12].
2.7.1 Radio Frequency Technology
RF has become the de facto technology for the majority of today's WLANs. Radio
signals travel in all directions for distances ranging from a few meters to
several kilometers. These characteristics are very practical where wide or
long-range coverage is required, but they become problematic when the signal's
propagation needs to be limited. The fact that the destination of radio
signals cannot be precisely controlled makes this medium the most vulnerable
to undetected interception and exploitation. All unprotected radio traffic can
be monitored with widely available radio equipment by anyone located within
range of the transmitter; moreover, amplifiers and specialized antennas can be
used solely at the receiver side to increase the effective range, so simply
controlling transmitter power is not sufficient to limit the propagation of
signals [50, 51, 52].
2.7.2 Spread Spectrum
The development of spread-spectrum communications technology has been claimed
to alleviate the vulnerabilities of standard RF transmission. Unlike
narrowband systems, which transmit a powerful signal on a single frequency,
spread-spectrum systems transmit a low-power signal over a broad range of
frequencies. The signal is spread according to pre-established parameters or
patterns that must also be known by the receiver so that it can recover the
signal. This transmission technique provides more resistance to noise and
interference and is less vulnerable to jamming and casual interception. In the
case of WLANs, the hardware must know the signal-spreading parameters in order
to receive a spread-spectrum signal, so these parameters are pre-programmed
into the chipsets used to build these products [51]. Since every compliant
chipset carries the same parameters, spreading gives no confidentiality against
an attacker with standard 802.11 hardware; it is a robustness measure, not a
security control.
Several signal-spreading schemes have been developed, but the methods that
prevail in the WLAN domain are:
Frequency Hopping Spread Spectrum (FHSS)
Direct Sequence Spread Spectrum (DSSS) and
Orthogonal Frequency Division Multiplexing (OFDM)
FHSS and DSSS are the original spread-spectrum technologies employed in
802.11 WLANs.
2.7.3. IEEE 802.11 Standard
In 1985, the U.S. Federal Communications Commission (FCC) opened the
Industrial, Scientific and Medical (ISM) bands, at 902 to 928 MHz, 2.4 to
2.483 GHz and 5.725 to 5.875 GHz, for unlicensed public use [10]. This not
only fulfilled a demand for commercial communication but also sparked the
development of WLAN technology. In 1997, the Institute of Electrical and
Electronics Engineers (IEEE) established the 802.11 WLAN standard to
standardize wireless LAN products. This standard has since been adopted by the
International Organization for Standardization / International
Electrotechnical Commission (ISO/IEC). The IEEE 802.11 core specification
addresses both the physical (PHY) and data link layers of the Open Systems
Interconnection (OSI) basic reference model. The legacy standard proposed
three mutually incompatible implementations of the physical layer: IR pulse
modulation, RF signaling using Frequency Hopping Spread Spectrum (FHSS), and
RF signaling using Direct Sequence Spread Spectrum (DSSS).
Historically, the first successful commercial 802.11 WLAN products were
compliant with the 802.11b amendment. The 802.11a and 802.11b amendments were
adopted at the same time, but because 802.11b was less complex than 802.11a,
802.11b-compliant products rapidly materialized while 802.11a products only
reached the market in 2002. Since then the 802.11g amendment, which uses the
same 2.4 GHz band as 802.11b but delivers faster and more robust connections
as well as greater range, has come to dominate the market. The IEEE is
responsible for developing the radio technology standards used by wireless
LANs; these belong to the 802 family and include 802.11, the first to be
developed, and several amendments to it.
Each amendment serves a different purpose for the LANs it is used in. The
standards also evolve under pressure from attackers, and from researchers who
probe their security in order to strengthen their own enterprise security: as
vulnerabilities, or holes, are found they become public knowledge and the IEEE
proceeds to update the standard.
2.7.4 IEEE 802.11 Task Groups Amendments
Core-standard 802.11 WLANs based on IR transport were never commercially
implemented, and the RF-based versions suffered from low transmission speed
(2 Mbps). The IEEE later established several task groups to explore various
improvements to the original 802.11 core standard.
2.7.4i. 802.11a Amendment: Task Group A explored the unlicensed 5 GHz band,
using Orthogonal Frequency Division Multiplexing (OFDM) to achieve throughput
of up to 54 Mbps. The 802.11a extension [31, 33] was completed in 1999, and in
2002 vendors began releasing compliant products. Because of the different
operating band and modulation, 802.11a is not backward compatible or
interoperable with 802.11b. Several vendors market dual-band, multi-standard
(802.11a and 802.11b/g) APs. 802.11a is approved for use in North America and
most European countries; however, its commercial use has historically been
quite limited. Recently, 802.11a has enjoyed something of a resurgence in
popularity due to the development of enterprise mesh infrastructure networks,
in which 802.11a is used for communication between APs and 802.11b/g for
communication between APs and wireless clients.
2.7.4ii. 802.11b: Task Group B explored DSSS technology to boost data rates in
the original 2.4 GHz band. The 802.11b extension [8], published in September
1999, delivers raw data rates of up to 11 Mbps, which gave parity with the
popular 10 Mbps "10Base" wired LAN systems of the day. The majority of WLAN
systems on the market today follow the 802.11b standard, and it is accepted
throughout North America, Europe and Asia.
2.7.4iii. 802.11g: Task Group G approved the development of the new extension
to the 802.11 standard in November 2001; the resulting amendment was approved
in 2003. 802.11g operates at 2.4 GHz with mandatory compatibility with 802.11b
and uses OFDM multicarrier modulation to achieve a maximum data rate of
54 Mbps.
2.7.4iv. 802.11n Amendment: Task Group N is engaged in the development of
higher-data-rate extensions to the 802.11 standard. As with 802.11b and g,
802.11n operates at 2.4 GHz (and also in the 5 GHz band) with mandatory
compatibility with 802.11b/g, and uses OFDM with MIMO techniques to achieve a
maximum projected data rate of 248 Mbps. OFDM+MIMO uses the same basic
modulation as 802.11g [8], but with multiple transceivers and advanced
techniques that compensate for both the spatial and temporal variations of the
RF channel, together with "channel bonding", to greatly increase range and raw
data rate. 802.11n is still in the draft stage, with final approval expected
in 2010; however, many "Pre-N" or "Draft-N" products have already emerged on
the market. Consumers are cautioned when purchasing such products because, as
draft-based products, they are not subject to the same interoperability
testing as products compliant with the full standard; they are not guaranteed
to be compatible with the final standard and may not be upgradeable to it
[33].
2.8 Analysis of Intrusion Detection Tools for WLAN
Intrusion detection systems aim at detecting attacks against computer systems
and networks or, in general, against information systems. It is difficult to
provide provably secure information systems and to maintain them in a secure
state throughout their lifetime and utilization; sometimes, legacy or
operational constraints do not even allow the definition of a fully secure
information system [32]. Therefore, intrusion detection systems have the task
of monitoring the usage of such systems to detect any appearance of insecure
states. They detect attempted and active misuse, either by legitimate users of
the information system abusing their privileges or by external parties
exploiting security vulnerabilities [2, 65].
2.8.1 Research Parameters
In order to compare the different products on the market, we examined publicly
available product documentation, published conference material (proceedings)
and other material available for public review. As this is an analysis of
design specifications rather than a test of implementations, we have not
performed any tests under laboratory or real-life conditions [62].
Parameter Definitions
i.Granularity of Data Processing: It refers to the response time of an Intrusion
Detection System depends partly on the granularity of data processing. The
unprocessed data collected for the processing can be processed at infinitum or in
consignments, at some regular interval. The most of the system are working on
Real-time i.e. ad infinitum and few systems are working on manual by grouping
batches or consignments.
ii. Audit Source Location: This refers to the location of the data the intrusion
detection system analyzes. The audit source location discriminates intrusion
detection systems based on the kind of input information they analyze. The input
information can be audit trails (such as system logs) on a host, network packets,
application logs, or intrusion detection alerts generated by other intrusion
detection systems. The source of audit data can be either network- or host-based.
Network-based data are usually read directly off a shared network medium such
as Ethernet. Host-based data (security logs) are collected from hosts distributed
all over the network and can include operating system kernel logs, application
program logs, network equipment logs or other host-based security logs. One
advantage of network-based audit data is that it allows the intrusion detection
system to observe the whole traffic on the network segment.
iii. Management Console: This parameter refers to the management console, i.e.
the user interface that the client component of the network management software
provides. It is the user interface and "control room" view of the network: a
terminal or workstation used to monitor and control the network. The parameter
takes three values: Excellent, Accustomed (a comfortable, familiar user interface)
and Intricate (an interface that is complicated for the user to view the network
through).
iv. Behavior on Attack: This describes the response of the intrusion detection
system to attacks. On the basis of their response to an intrusion, IDSs are either
active or passive. An intrusion detection system is said to be active when it reacts
to the attack by taking either corrective (closing holes) or pro-active (logging out
possible attackers, closing down services) actions [64]. When the intrusion
detection system merely generates alarms (such as paging), it is said to be
passive.
v. Reporting Capability: This parameter relates to how quickly an IDS reports an
attack to the network administrator. We have classified it into two values, High
and Medium.
vi. Interoperability: Interoperability is a measure of the intrusion detection
system's ability to cooperate with other similar systems. It can be of interest at
various levels in the architecture, serving many different purposes.
2.8.2 Tools Analyzed
A total of 25 research and commercial intrusion detection tools were analyzed in
this survey, as shown in Table 2.2 [70].
Table 2.2: Tools Analyzed

Sr.No.  Intrusion Detection System   Vendor
1       Snort                        Snort Corporation
2       Dragon                       Enterasys Corporation
3       Cisco Secure IDS             Cisco Systems, Inc.
4       Emerald                      SRI International
5       Net Ranger                   Cisco Systems, Inc.
6       Tripwire                     Purdue University
7       Intruder Alert               Axent Technologies, Inc.
8       Netstat                      University of California at Santa Barbara
9       CMDS                         Science Application International Corporation (SAIC)
10      Entrax                       Centrax Corporation
11      Bro                          Centrax Corporation
12      Stake Out I.D                Harris Communications, Inc.
13      SecureNet PRO                MimeStar, Inc.
14      Kane Security Monitor        Security Dynamics (formerly Intrusion Detection, Inc.)
15      NetProwler                   Axent Corporation
16      Session Wall-3               AbirNet
17      Network Flight Recorder      Network Flight Recorder, Inc.
18      INTOUCH INSA                 Touch Technologies, Inc.
19      RealSecure                   Internet Security Systems (ISS)
20      CyberCop                     Network Associates, Inc.
21      ID-Trak                      Internet Tools, Inc.
22      NIDES                        SRI International
23      T-Sight                      EnGarde Systems, Inc.
24      Shadow                       Network Research Group (Lawrence Berkeley Lab)
25      SecureCom Suite              ODS Networks
The intrusion detection tools were analyzed and the results categorized using the
research parameters defined above [89].
Almost all of the vendors allow intrusions to be detected in real time. In the
host-based ID tools the audit logs are collected in batches before they are
processed or analyzed, resulting in an even longer delay. These delays may or may
not be a problem, depending on the security of the intrusion detection system and
its ability to track further activities (audit capabilities) and to terminate
established sessions and processes. T-Sight from EnGarde, Inc. has adopted a
somewhat different scheme for detecting intrusions: it is focused on collecting
and presenting data to the security officer, who then tries to identify intrusions.
Systems using manual intrusion detection schemes can certainly not be classified
as "real-time", as they depend on the presence of a human user.
A majority of the analyzed systems are network oriented in terms of the source of
audit data. Only six systems are purely host-based and four systems support both
host- and network-based audit data. As previously mentioned in the section on
comparison criteria, the increasing use of switched network technologies and
encryption jeopardizes the future of network-based systems, yet most systems of
today rely upon network audit data. Some vendors claim that switched networks
can easily be analyzed using dedicated management ports on the switches. This
may be true if the network is moderately loaded, but it is unrealistic on medium or
heavily loaded networks. An innovative solution is provided by ODS Networks
Inc., who incorporate ID (provided by ISS Inc.) into their product line of
switches, thus eliminating the restrictions posed by switching technology. Dragon
is unique in the industry in its ability to deliver both host-based and
network-based functionality, i.e. it can be used both as a NIDS and as a HIDS,
and thus provides complete security for a network. Cisco Secure and Snort are
network-based IDSs.
Most of the systems analyzed provide a console-based user interface; a few also
provide a graphical user interface to view the activities. Snort provides a good
management console through the ACID plug-in module. Plug-ins are a very
important feature of the Snort IDS. They are programs written to conform to
Snort's plug-in API. These programs used to be part of the core Snort code, but
were separated out to make modifications to the core source code more reliable
and easier to accomplish. ACID stands for the Analysis Console for Intrusion
Databases. It provides log analysis for Snort and requires PHP, Apache, and the
Snort database plug-in. Dragon provides an excellent management console,
implemented in the 'Dragon Enterprise Management Server' component. This
component is made up of a number of highly integrated technologies. Web-based
and centralized, the Policy Management tools offer enterprise-wide management
of small and large-scale Dragon deployments. Dragon Policy Manager provides
centralized management of the Dragon Network and Host Sensors, while the
Alarm tool offers centralized alarm and notification management. Cisco provides
a management console, but it is not as good as those of Snort and Dragon. It is
responsible for the communication between the server and the agents.
Communication between agents and the server takes place at intervals set in the
console. The communication port for the console and the agent must be the same
for them to communicate. The console also contains a list indicating the state of
each agent.
The behavior of the system is either passive or active. Passive response means
that an intrusion is brought to the attention of the administrator. Mechanisms for
passive response may be sending e-mails, paging or displaying alert messages.
Many systems provide some support for passive response mechanisms. As for
active response, all but three systems (Stake Out, Kane Security Monitor and
T-Sight) support active response without human interaction. For network-based
systems, active responses include actions like terminating transport-level
sessions, which most active-response systems claim they support. Some systems,
such as SecureNet Pro, even allow the SSO (security officer) to hijack a TCP
session. This provides a means for closing or terminating sessions such as Telnet
or Rlogin in a controlled manner. Host-based ID systems have the advantage that
they can also control hostile processes on the host on which they reside. Most
host-based systems analyzed claim to support termination of processes; Kane
Security Monitor does not have this feature. Entrax offers only the possibility to
log out a user, disable a user's account or shut down the entire computer, which
can be seen as a drastic way of terminating processes. Emergency shutdown of
the entire host can be useful when the system contains information whose
confidentiality is more important than its availability. Systems contaminated by
computer viruses may also benefit from being shut down to prevent further
contamination. One should keep in mind that ID systems that have the capability
to shut down processes or terminate network sessions often run with superuser
privileges.
Snort can be used for active as well as passive monitoring of the network.
Passive monitoring is simply the ability to listen to network traffic and log it.
Active monitoring involves the ability either to monitor traffic and then send
alerts concerning the traffic that is discovered, or to actually intercept and block
this traffic. Snort is primarily used for active auditing. Dragon behaves actively
on detecting attacks: when an attack is detected, the Dragon Network Sensor
employs a variety of techniques to prevent intrusion, including terminating the
session and configuring firewall ACLs to block the would-be intruder. Cisco can
behave actively or passively, at the choice of the user.
The detection capabilities of the products vary quite extensively. In general, a
network-based IDS has greater capabilities owing to its ability to capture and
analyze packets on the underlying network. Host-based ID systems are limited to
the audit logs provided by the operating system or application logs. Due to the
large number of different intrusions recognized, this survey presents only an
overview of the types of attacks each product can detect. Some of the products,
such as RealSecure and Intruder Alert, include up to 200 different known
intrusion signatures out of the box. The table below shows the detection
capabilities mapped onto a simple protocol stack. Cisco performs real-time attack
detection using the Intrusion Detection System Module (IDSM). The IDSM
performs network sensing in real time, monitoring network packets through
packet capture and analysis. Dragon provides real-time attack reporting: the
Dragon Host Sensor component monitors key system logs for evidence of
tampering, and the Dragon Enterprise Management Server provides complete
monitoring and control. Snort allows attack alert messages to be sent via e-mail
to notify a system administrator in real time, so that no one has to monitor the
Snort output all day and night.
Interoperability for IDS can be achieved in a number of different areas. Four
important areas are: exchange of audit data records; exchange of security
policies; exchange of misuse patterns or statistical information about user
activities; and exchange of alarm reports, event notifications and response
mechanisms.
Table 2.3: Analysis of Intrusion Detection Tools
(a dash marks a value not given in the source)

Sr.  Intrusion Detection      Granularity of   Audit Source  Management   Behavior on     Reporting   Inter-
No.  System                   Data Processing  Location      Console      Attack          Capability  operability
1    Snort                    Real-time        NIDS          Accustomed   Passive/Active  High        Medium
2    Dragon                   Real-time        NIDS/HIDS     Excellent    -               High        High
3    Cisco Secure ID          Real-time        NIDS          Intricate    Passive/Active  High        Medium
4    Emerald                  Real-time        NIDS          Accustomed   Active          Medium      -
5    Net Ranger               Real-time        NIDS          Intricate    Active          High        Medium
6    Tripwire                 -                HIDS          Intricate    -               -           -
7    Intruder Alert           Real-time        NIDS/HIDS     Accustomed   Active          High        Medium
8    Netstat                  Real-time        NIDS          Intricate    Active          -           -
9    CMDS                     Real-time        HIDS          Accustomed   Active          Medium      Low
10   Entrax                   Real-time        HIDS          Accustomed   Active          Medium      -
11   Bro                      Real-time        NIDS          Accustomed   Active          -           -
12   Stake Out I.D            Real-time        NIDS          Excellent    Passive         High        Low
13   SecureNet PRO            Real-time        NIDS          Excellent    Active          High        Low
14   Kane Security Monitor    Real-time        HIDS          Accustomed   Passive         Medium      Low
15   NetProwler               Manual           HIDS          Intricate    Active          -           -
16   Session Wall-3           Real-time        NIDS          Excellent    Active          High        Medium
17   Network Flight Recorder  Real-time        NIDS          Accustomed   Active          High        Low
18   INTOUCH INSA             Real-time        NIDS          Excellent    Active          Medium      Low
19   RealSecure               Real-time        NIDS/HIDS     Excellent    Active          High        Medium
20   CyberCop                 Real-time        NIDS/HIDS     Accustomed   Active          High        Medium
21   ID-Trak                  Real-time        NIDS          Accustomed   Active          Medium      Low
22   NIDES                    Real-time        HIDS          Intricate    Active          High        Low
23   T-Sight                  Manual           NIDS          Intricate    Passive         -           None
24   Shadow                   Manual           NIDS          Intricate    Active          -           -
25   SecureCom Suite          Real-time        NIDS          Excellent    Active          High        Medium
2.8.3 Detection Method
This is the capability of the IDS to detect various types of attacks. It depends on
the number of signatures defined in the knowledge base of the IDS [65, 72].
Table 2.4: Detection Method for Intrusion Detection Tools
Sr. No. Product Rule Based Anomaly Based
1 Snort *
2 Dragon * *
3 Cisco Secure *
4 Emerald *
5 Net Ranger *
6 Tripwire *
7 Intruder Alert *
8 Netstat * *
9 CMDS * *
10 Entrax *
11 Bro *
12 Stake Out I.D * *
13 SecureNet *
14 Kane Security * *
15 NetProwler *
16 Session Wall-3 *
17 Network Flight *
18 INTOUCH I * *
19 RealSecure *
20 CyberCop *
21 ID-Trak *
22 NIDES * *
23 T-Sight *
24 Shadow *
25 SecureCom Suite *
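To make the distinction drawn in Table 2.4 concrete, the following Python program, added here as an illustration and not taken from the thesis or from any of the tools surveyed, runs a rule-based (signature) detector and an anomaly-based detector over the same constructed packets. The rule syntax is a reduced Snort-like form assumed for the example (only the msg, content and sid options are understood); the addresses, rules and the per-source baseline are constructed, not measured. The rule action also carries the "behavior on attack" parameter of section 2.8.1: an alert rule only notifies (passive), while a drop rule yields a blocking decision (active), which the example records but does not enforce.

```python
"""Toy IDS engine: the rule-based and anomaly-based methods of Table 2.4 side by side.
Added example, not code from the thesis or any tool surveyed; the rule grammar is a reduced
Snort-like form (an assumption) and all rules, traffic and baselines are constructed."""
import ipaddress
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    action: str              # "alert" = passive (notify only), "drop" = active (block)
    proto: str
    src: str                 # "any", a single host or a CIDR block
    sport: str               # "any" or a port number
    dst: str
    dport: str
    msg: str
    content: bytes           # must occur in the payload; b"" means no payload condition
    sid: int

# Reduced grammar (assumption):  action proto src sport -> dst dport (key:value; ...)
RULE_RE = re.compile(r"^(?P<action>alert|drop)\s+(?P<proto>tcp|udp)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
                     r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(\w+):("[^"]*"|[^;]*);')

def parse_rule(text: str) -> Rule:
    """Parse one rule line; only the msg, content and sid options are understood."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    opts = {k: v.strip('"') for k, v in OPT_RE.findall(m.group("opts"))}
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                opts.get("msg", ""), opts.get("content", "").encode(), int(opts["sid"]))

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All header fields must match and the content string, if any, must occur in the payload."""
    return (rule.proto == pkt.proto
            and _addr_match(rule.src, pkt.src) and _port_match(rule.sport, pkt.sport)
            and _addr_match(rule.dst, pkt.dst) and _port_match(rule.dport, pkt.dport)
            and rule.content in pkt.payload)

def signature_detect(rules: list, packets: list) -> list:
    """Rule-based method: one alert per (packet, rule) match.  The action gives the 'behavior on
    attack': 'alert' notifies only (passive), 'drop' asks for blocking (active); nothing is enforced."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append({"sid": rule.sid, "msg": rule.msg, "src": pkt.src, "dst": pkt.dst,
                               "response": "active" if rule.action == "drop" else "passive"})
    return alerts

def anomaly_detect(baseline: dict, packets: list, k: float = 3.0) -> dict:
    """Anomaly-based method: no signature, only a profile of normal behaviour (here the number of
    distinct destination ports a source contacts).  A source above mean + k*stdev of the baseline
    is flagged: this catches activity no rule describes, but false positives follow whenever the
    baseline is unrepresentative."""
    values = list(baseline.values())
    threshold = statistics.mean(values) + k * statistics.pstdev(values)
    ports_seen = defaultdict(set)
    for pkt in packets:
        ports_seen[pkt.src].add(pkt.dport)
    return {src: len(p) for src, p in ports_seen.items() if len(p) > threshold}

# ---- constructed sample data (not captured from any real network) ----
RULES = [
    'alert tcp any any -> 10.0.0.0/8 23 (msg:"TELNET root login attempt"; content:"root"; sid:1000001;)',
    'drop udp 192.0.2.0/24 any -> 10.0.0.0/8 161 (msg:"SNMP default community string from untrusted '
    'range"; content:"public"; sid:1000002;)',
]
BASELINE_DISTINCT_PORTS = {"10.0.0.11": 3, "10.0.0.12": 2, "10.0.0.13": 4, "10.0.0.14": 3}
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.11", 51000, "10.0.0.5", 23, b"login: root\r\n"),
    Packet("tcp", "10.0.0.12", 51001, "10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("udp", "192.0.2.50", 40000, "10.0.0.5", 161, b"\x30\x26\x02\x01\x00\x04\x06public"),
] + [  # one external host touching many ports with empty payloads: no signature fires
    Packet("tcp", "192.0.2.50", 40001 + i, "10.0.0.5", port)
    for i, port in enumerate((21, 22, 23, 25, 80, 443, 8080))
]

def run_demo() -> dict:
    rules = [parse_rule(r) for r in RULES]
    return {"signature": signature_detect(rules, SAMPLE_PACKETS),
            "anomaly": anomaly_detect(BASELINE_DISTINCT_PORTS, SAMPLE_PACKETS)}
```

Running `run_demo()` on the constructed traffic shows why the two methods are complementary: the port sweep with empty payloads matches no signature but is flagged by the anomaly profile (eight distinct ports against a baseline threshold of about 5.1), whereas the single Telnet login attempt is a signature hit that no port-count profile would notice. The SNMP probe illustrates the active case, since its rule carries the drop action.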
2.8.4 Architectural aspects of tools
i. System organization: Virtually every system can operate in a distributed
environment. Only INTOUCH INSA and T-Sight are limited to a single host or
network segment. Intruder Alert (IA) is partly distributed: while the host-based
IA can operate distributed under centralized control, its network-based system
(NetProwler) cannot.
ii. Operating systems: Despite the market trend to migrate applications to
Windows NT, a surprising number of ID systems operate in various UNIX
environments. Table 2.5 summarizes the operating system requirements for the
manager and agent side of each IDS, together with the network technology
supported. It is worth mentioning that Axent supports an impressive number of
operating systems for Intruder Alert.
iii. Protocol: As expected, TCP/IP is the dominating protocol suite supported.
Table 2.5 gives a summary of the network technologies supported by each
product.
Table 2.5: Architectural aspects of Intrusion Detection Tools
(a dash marks a value not given in the source)

Sr.No.  Intrusion Detection System   Operating System Support        Protocol
1       Snort                        MS Windows, LINUX               TCP/IP
2       Dragon                       MS Windows, LINUX, Solaris      TCP/IP
3       Cisco Secure IDS             MS Windows, UNIX                TCP/IP
4       Emerald                      MS Windows, UNIX                TCP/IP
5       Net Ranger                   Solaris                         TCP/IP
6       Tripwire                     UNIX                            -
7       Intruder Alert               Solaris, Sun OS                 TCP/IP, IPX/SPX
8       Netstat                      UNIX                            -
9       CMDS                         Solaris, NT                     -
10      Entrax                       NT, UNIX                        -
11      Bro                          UNIX                            -
12      Stake Out I.D                Solaris                         TCP/IP
13      SecureNet PRO                Solaris, LINUX                  TCP/IP
14      Kane Security Monitor        NT                              TCP/IP
15      NetProwler                   MS Windows, UNIX                -
16      Session Wall-3               NT, W95/98                      TCP/IP
17      Network Flight Recorder      Red Hat LINUX                   TCP/IP
18      INTOUCH INSA                 Not Applicable                  TCP/IP
19      RealSecure                   NT, Solaris                     TCP/IP
20      CyberCop                     NT, Solaris                     TCP/IP
21      ID-Trak                      NT                              TCP/IP
22      NIDES                        Sun OS                          TCP/IP
23      T-Sight                      Not Applicable                  TCP/IP
24      Shadow                       UNIX                            -
25      SecureCom Suite              NT, Solaris                     TCP/IP
2.9 CHAPTER SUMMARY
In this chapter a number of existing intrusion detection tools that are capable of
monitoring wireless traffic were analyzed. A detailed analysis of twenty-five
commercial, educational and research intrusion detection tools was given on the basis
of the research parameters that matter for the detection of intruders in a WLAN.
The educational, research and commercial systems were summarized and evaluated, and
their results are presented to help administrators install a suitable tool in
wireless networks. A taxonomy especially designed for intrusion detection systems
(IDS) was used to compare and evaluate the different functions, features and aspects
of the products. This review identifies a number of important design and
implementation issues, which provide a framework for evaluating or deploying intrusion
detection systems. This analysis will be helpful in future research: a practical and
effective solution can be designed and developed on the basis of these results.