
INTRUSION DETECTION SYSTEMS IN NETWORK SECURITY

Topic: Intrusion detection Systems in Network Security

Introduction and Thesis Statement

The advent and penetration of digital technology have made it a necessity for organizations, governments and other institutions to adopt computer networks to simplify and improve the quality of their service delivery. When developing or running an organizational computer network, the security of the network should be a top priority for network administrators and managers. A computer network is made up of a series of nodes interconnected via communication paths to enable the transmission of data and information and the sharing of files, voice and video traffic. An organization's computer network enables the organization to offer its goods and services online, lets local employees access organizational IT resources and services, and collects vital data and information for the company and its external customers. The computer network thus plays a crucial role in ensuring the smooth operation of organizations by easing access to services and products online. The network also stores private and confidential information that should be protected using appropriate cyber security mechanisms and best practices.

It is thus critical for organizations or institutions operating a computer network to protect and safeguard the network's information and data by implementing foolproof network security systems. Network security describes the processes and mechanisms, whether physical measures or software measures, implemented in networks to prevent and protect the network infrastructure from misuse, system malfunction, data modification, data destruction and unauthorized disclosure of corporate information or data, and to prevent unauthorized access to the network's IT assets. An efficient network security program ensures that the network platform is secure, efficient and in good working condition so that the network's computers, users and system programs can function optimally in a safe environment. One critical protective mechanism available to organizations operating network infrastructure is the implementation of an effective intrusion detection system. An intrusion detection system can be either a device or a software application that monitors network and computer systems to detect malicious or suspicious activity and violations or breaches of organizational network policy. The intrusion detection system constantly looks out for malicious activity on the network and reports its findings to the network or system administrator. Some intrusion detection systems forward the malicious activity and policy violations they detect to a central Security Information and Event Management (SIEM) system. The SIEM system collects this activity from the different network nodes and filters it to separate actual malicious activity, which is passed on for further action, from false alarms, which are discarded.

It is thus critical for network administrators and organizational information technology (IT) teams to implement an effective intrusion detection system (IDS) to detect malicious activity and network policy violations, as a preventative mechanism protecting the network infrastructure and IT assets from misuse or unauthorized access. Intrusion detection systems are a critical part of overall network security, since they enable the network to detect malicious activity early and deny unauthorized users and other cyber threats the chance to compromise the confidentiality, integrity and availability of the data and other IT resources. This paper will examine how an intrusion detection system works and identify the various IDS tools used to monitor and detect network anomalies, enabling swift action before large-scale damage can occur.

Intrusion Detection System

An intrusion detection system plays a critical role in protecting and enhancing the security of an organizational network. The intrusion detection system monitors network traffic to detect suspicious activity in the system. It then reports the anomaly, alerting the network administrator to initiate measures to counter the threat and close the vulnerabilities identified. The technology of intrusion detection systems has improved over the years: beyond monitoring and identifying suspicious activity or unauthorized access, reactive intrusion detection systems go further and block unauthorized or malicious users by denying access to the source IP address.

When developing an enterprise network, one of the critical protection mechanisms is the installation of an effective and active firewall. The firewall's main objective is to deny incoming traffic to the network. There is, however, a need to open holes in the firewall to enable access to the network from established standpoints. Common holes include opening port 80, which hosts the website, and port 21, which hosts the FTP file server. These open holes provide vulnerable points in the network firewall, making it easier for malicious data packets or malware to enter the network. This necessary exposure creates the need for an active intrusion detection system (IDS) positioned at these holes to monitor inbound and outbound network traffic, so that malicious activity or suspicious traffic that has bypassed the firewall, or malicious activity from internal network users, can be identified (Bace, 2012). It is important to note that despite the effectiveness of intrusion detection systems in detecting threats and protecting the network infrastructure, they are prone to issuing false alerts. It is thus critical for network administrators and developers to fine-tune the intrusion detection system to the needs of the organization during installation. This involves configuring the intrusion detection system for the organization's network so that it learns what normal traffic on that network looks like and what malicious traffic looks like. It also enables the system administrators to understand the different types of IDS alerts and what they mean, so that they can respond appropriately and efficiently. Intrusion detection systems come in different varieties, namely the network-based intrusion detection system (NIDS) and the host-based intrusion detection system (HIDS).

Intrusion Detection System: key attributes

Placement in network infrastructure: out of band (outside the direct communication line)

System type: passive mechanism

Detection mechanisms:

  1. Signature detection

  2. Anomaly detection

Types:

  1. Network Intrusion Detection System NIDS

  2. Host Intrusion Detection System HIDS

Types of Intrusion Detection Systems IDS

Network Intrusion Detection Systems NIDS

A network intrusion detection system (NIDS) is an IDS strategically located at sensitive network points to monitor incoming and outgoing network traffic from all the connected devices in the network. When implementing a NIDS, the anti-threat software is applied at specific network points, such as servers that act as an interface between the external environment connected via the internet and the internal network infrastructure they protect. The NIDS conducts a detailed analysis of the traffic passing through the whole network subnet. The network-based intrusion detection system evaluates all network traffic in the subnet, passing the traffic to a library containing known network attack signatures. Once the network-based intrusion detection system identifies an attack or malicious behavior in the network, it immediately sends an alert to the network administrator for further protective action. The NIDS is ideally meant to monitor all incoming and outgoing network traffic. However, doing this inline would cause significant network bottlenecks, affecting network speed and efficiency, and thus it is implemented offline (out of band). A good place to install a network-based intrusion detection system is the subnet containing the firewall. This position enables the NIDS to monitor and detect any attempts to breach the firewall (Viegas et al., 2017).

The network-based intrusion detection system (NIDS) contains a library of signatures of the different data packets passing through the network. When a suspicious packet whose signature matches a known harmful packet is identified, it is blocked. The NIDS can operate either online or offline. The online NIDS monitors the network in real time and detects threats or unauthorized access while the network is up and running. The online network-based intrusion detection system monitors and analyzes the Ethernet packets, which are matched against set rules to determine whether or not they pose a threat to the network. The offline NIDS, on the other hand, monitors stored network data and other system processes offline to determine whether or not the network is under attack (Perdisci et al., 2014).

The network-based intrusion detection system is passive, with its primary role being the collection, identification and logging of all network traffic to determine any suspicious activities or threats before alerting the network administrator. The network traffic is collected by the NIDS using a network tap, a SPAN (mirror) port or a hub to capture the packets transmitted in the network. The captured data is then analyzed, and suspicious data packets are flagged and reported to the network administrator. Commonly used tools in this area include OPNET and NETSIM, which are used to simulate network intrusion detection systems.

Host Intrusion Detection Systems HIDS

The second intrusion detection system classification is the host intrusion detection system (HIDS). The host intrusion detection system is a detection mechanism that operates on individual hosts or connected devices in the network. In a host intrusion detection system, anti-threat software applications, ranging from firewalls and anti-virus software to spyware detection systems, are installed on each connected device in the network that has two-way access to the external environment through the internet and the network infrastructure. A host intrusion detection system monitors and analyzes inbound and outbound data packets from the connected device only, and alerts the network system administrator when suspicious activity is detected.

The HIDS captures a snapshot of the existing system files, which is then matched against the previous snapshot to identify anomalies. If the new snapshot indicates that system files have been altered, deleted or otherwise modified, the HIDS alerts the network system administrator for further investigation and action. The host intrusion detection system is mostly used on priority and mission-critical machines which rarely undergo any form of configuration change. The HIDS installs an agent on every system to detect, monitor and alert the network administrator about suspicious activity in the local operating system and system applications.
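The snapshot comparison described above, as an added illustration that is not code from OSSEC, Tripwire, AIDE or any other product: a baseline snapshot maps each file to its SHA-256 digest and size, a second snapshot is taken after the tree changes, and the diff lists what was added, deleted or modified. The monitored tree and the tampering are constructed inside a temporary directory so the example runs offline.

```python
"""Host-based file-integrity snapshot and comparison (added example)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root (POSIX-style relative path) to
    (sha256 hex digest, size in bytes).  Hashing in chunks keeps memory
    flat for large files."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        result[path.relative_to(root).as_posix()] = (digest.hexdigest(),
                                                     path.stat().st_size)
    return result


def compare(baseline, current):
    """Diff two snapshots and return the added, deleted and modified paths.
    Comparing digests, not just sizes, catches same-size edits."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "deleted": deleted, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, alter the tree, re-snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho ok\n")
        baseline = snapshot(root)

        # Constructed changes: a same-size one-byte edit (missed by a
        # size-only check), a deleted file and a newly added file.
        (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho OK\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text(
            "0 3 * * * root /usr/local/bin/backup\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A real agent would store the baseline off-host (or sign it), since a baseline that an intruder can rewrite detects nothing, and would run the comparison on a schedule rather than once.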

According to Mafra et al. (2014), a HIDS makes use of packet signatures, set rules and heuristics to identify unauthorized activity, and like the NIDS the HIDS is also passive and does not act on or block the suspicious activities. Common host intrusion detection systems on the market include OSSEC, which is an open source IDS, Tripwire, AIDE (the Advanced Intrusion Detection Environment) and the Prelude hybrid IDS. The OSSEC host intrusion detection system performs log analysis, integrity checking, rootkit detection, timely alerting on threats and active response to detected threats (Whitman and Mattord, 2014). Intrusion detection technology has undergone many improvements and gained additional features, including system-specific customized intrusion detection tools and honeypots, which act as traps to attract would-be unauthorized users or cyber-attacks. It is critical for organizations operating an enterprise network to combine both a host intrusion detection system and a network intrusion detection system to offer more effective protection of the network.

Physical Intrusion Detection Systems

Physical intrusion detection systems are manual systems placed in organizations to identify threats to the physical network infrastructure. Physical intrusion detection is usually made up of physical controls that help ensure network confidentiality, integrity and availability. Common physical detection systems and physical controls include security guards, surveillance cameras, access control systems (including employee smart cards and biometric access controls), firewalls, mantraps and motion sensors that protect physical network hardware.

Intrusion Detection Methods

Signature Based Detection

The signature-based intrusion detection method looks for specific patterns in the network traffic, such as byte sequences and known malicious instruction sequences used by most malware. The patterns used to detect and identify an intrusion or attack are referred to as signatures. The signature-based detection system relies on a database that holds the signatures and attributes of identified malicious packets, enabling the IDS to flag these threats. The main disadvantage of the signature-based method is that it can only flag threats whose signatures and attributes are already in the database (França et al., 2015). This means that a new threat which has yet to be added to the signature database can go undetected and cause major damage to the network infrastructure.

Anomaly Based Detection Method

An anomaly-based intrusion detection system monitors the network traffic and compares it to a set baseline. The baseline contains the established attributes and features expected of the traffic passing through the network, such as the bandwidth in use, the protocols used in the network, the ports and connected devices, and how they connect with each other during normal operations (Newman, 2012). Once the network traffic exhibits abnormal attributes or any other anomalies, the anomaly detection system alerts the network administrator to the anomalous traffic that does not comply with the set baseline.
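The two detection methods above, run side by side over the same traffic, as an added example that is not code from Snort or any other IDS. Packets are constructed tuples of (source IP, destination port, protocol, payload bytes); the baseline traffic, the traffic to inspect and the signature patterns are all made up for the example. The signature engine matches byte patterns; the anomaly engine learns which (protocol, port) services exist and the typical payload size per port, then flags unknown services, oversized payloads and sources that touch many ports. The constructed traffic is chosen so that each engine catches something the other misses.

```python
"""Signature-based and anomaly-based detection over constructed traffic (added example)."""
import statistics
from collections import defaultdict

# Constructed signatures: name -> byte pattern searched for in payloads.
SIGNATURES = {
    "dir-traversal": b"../../",
    "test-marker": b"MALWARE-TEST-MARKER",
}

# Constructed "known good" traffic used to learn the baseline.
BASELINE_TRAFFIC = [
    ("10.0.0.5", 80, "tcp", b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("10.0.0.5", 80, "tcp", b"GET /cart HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("10.0.0.7", 80, "tcp", b"GET /images/logo.png HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("10.0.0.7", 80, "tcp", b"POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=bob&pw=x"),
    ("10.0.0.6", 443, "tcp", b"\x16\x03\x01" + b"\x00" * 60),
    ("10.0.0.6", 53, "udp", b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 20),
]

# Constructed traffic to inspect: one normal request, one traversal attempt of
# normal size, one packet to an unknown port, one oversized upload, and one
# source probing five ports.
TEST_TRAFFIC = [
    ("10.0.0.5", 80, "tcp", b"GET /about HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("10.0.0.5", 80, "tcp", b"GET /../../../etc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("203.0.113.7", 31337, "tcp", b"hello"),
    ("10.0.0.5", 80, "tcp", b"POST /upload HTTP/1.1\r\n" + b"A" * 2000),
] + [("203.0.113.9", port, "tcp", b"") for port in (21, 22, 23, 25, 110)]


def signature_scan(packets, signatures=SIGNATURES):
    """Flag every packet whose payload contains a known pattern.
    Returns (packet index, source, signature name) tuples."""
    alerts = []
    for idx, (src, _port, _proto, payload) in enumerate(packets):
        for name, pattern in signatures.items():
            if pattern in payload:
                alerts.append((idx, src, name))
    return alerts


class Baseline:
    """Profile of normal traffic: the (protocol, port) services seen and the
    mean / population standard deviation of payload size per port."""

    def __init__(self, packets):
        self.services = {(proto, port) for _src, port, proto, _p in packets}
        sizes = defaultdict(list)
        for _src, port, _proto, payload in packets:
            sizes[port].append(len(payload))
        self.size_stats = {port: (statistics.mean(v), statistics.pstdev(v))
                           for port, v in sizes.items()}

    def anomalies(self, packets, k=3.0, sweep_threshold=5):
        """Flag traffic to unknown services, payloads more than k standard
        deviations from the port's mean, and sources touching many ports."""
        alerts = []
        ports_by_src = defaultdict(set)
        for idx, (src, port, proto, payload) in enumerate(packets):
            ports_by_src[src].add(port)
            if (proto, port) not in self.services:
                alerts.append((idx, src, "unknown-service"))
                continue
            mean, sd = self.size_stats[port]
            # max(sd, 1.0) avoids a zero tolerance when the baseline had
            # only one size for this port.
            if abs(len(payload) - mean) > k * max(sd, 1.0):
                alerts.append((idx, src, "payload-size"))
        for src, ports in ports_by_src.items():
            if len(ports) >= sweep_threshold:
                alerts.append((None, src, "port-sweep"))
        return alerts


def run_demo():
    """Run both engines over TEST_TRAFFIC using BASELINE_TRAFFIC as baseline."""
    baseline = Baseline(BASELINE_TRAFFIC)
    return {"signature": signature_scan(TEST_TRAFFIC),
            "anomaly": baseline.anomalies(TEST_TRAFFIC)}


if __name__ == "__main__":
    for engine, alerts in run_demo().items():
        for alert in alerts:
            print(engine, *alert)
```

The traversal request is only caught by the signature engine, because its size is ordinary; the 2000-byte upload is only caught by the anomaly engine, because no signature matches it. That is the complementarity the text describes, and also why the baseline must be learned from traffic known to be clean: anything present during learning becomes "normal".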

Classification of Intrusion Detection Systems IDS

Passive Intrusion Detection Systems IDS

The main role of a passive intrusion detection system (IDS) is to detect malicious activities and unauthorized threats and alert the network administrator to these suspicious activities. Once an anomaly is detected in the network, the intrusion detection system generates an alert which is sent to the network administrator. Once the network administrator receives the alert, it is up to them to take further action, such as stopping the malicious code from executing or blocking the malicious network traffic (Saranya, 2015).

Reactive Intrusion Detection Systems

A reactive intrusion detection system (IDS) differs from a passive IDS in that it not only detects malicious and suspicious network activity and alerts the network administrator for further action, but also has pre-defined mechanisms to counter the identified network threat. This is achieved by the reactive IDS identifying the source IP address that generates the malicious activity or unauthorized access, or the user trying to breach the network, and acting on it. The reactive intrusion detection system commonly used in corporate networks is the open source Snort, which is free to install. The Snort IDS is compatible with a variety of operating systems, including Linux and Windows. Snort and similar IDS tools provide services such as network traffic analysis, packet logging on IP networks, protocol analysis, searching of packet content and numerous pre-processors. Using these capabilities, Snort and similar IDS tools are able to detect numerous worms in the network, network vulnerabilities, network exploitation attempts, port scanning and various anomalous behaviors (Hansen et al., 2014). Snort users are provided with a wide variety of malicious signatures, including signatures for new threats, enabling the network to detect and block new and emerging network threats.
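The passive/reactive distinction above, together with the earlier points that an IDS is prone to false alerts and that alerts are often collected centrally, as an added example that is not Snort's code or that of any other IDS. Alerts are constructed tuples of (sensor, source IP, rule name, severity 1 to 3), as if gathered from several sensors. The passive responder only records them; the reactive responder additionally emits a block decision once a source has raised enough alerts of sufficient severity. The allowlist, the threshold and the block action are assumptions for the example.

```python
"""Passive versus reactive handling of IDS alerts (added example)."""
import ipaddress
from collections import Counter

# Constructed alert feed from two sensors: (sensor, source IP, rule, severity).
SAMPLE_ALERTS = [
    ("nids-dmz", "198.51.100.20", "dir-traversal", 3),
    ("nids-dmz", "203.0.113.5", "payload-size", 1),
    ("nids-core", "10.0.0.53", "unknown-service", 3),
    ("nids-dmz", "198.51.100.20", "port-sweep", 2),
    ("nids-core", "10.0.0.53", "unknown-service", 3),
    ("nids-core", "10.0.0.53", "unknown-service", 3),
    ("nids-dmz", "198.51.100.20", "dir-traversal", 3),
    ("nids-dmz", "198.51.100.20", "dir-traversal", 3),
]


class PassiveResponder:
    """Records every alert for the administrator and does nothing else."""

    def __init__(self):
        self.log = []

    def handle(self, alert):
        self.log.append(alert)
        return None


class ReactiveResponder(PassiveResponder):
    """Records alerts and, once a source has raised `threshold` alerts of at
    least `min_severity`, emits a block decision for that source.  Addresses
    on the allowlist (own servers, monitoring hosts) are never blocked, so a
    false positive or a spoofed source address cannot turn the IDS into a
    self-inflicted denial of service."""

    def __init__(self, allowlist, threshold=3, min_severity=2):
        super().__init__()
        self.allowlist = [ipaddress.ip_network(net) for net in allowlist]
        self.threshold = threshold
        self.min_severity = min_severity
        self.hits = Counter()
        self.blocked = []

    def handle(self, alert):
        super().handle(alert)  # always keep the passive record
        _sensor, src, _rule, severity = alert
        if any(ipaddress.ip_address(src) in net for net in self.allowlist):
            return None
        if severity < self.min_severity:
            return None
        self.hits[src] += 1
        if self.hits[src] >= self.threshold and src not in self.blocked:
            self.blocked.append(src)
            return ("block", src)  # hypothetical action handed to the firewall
        return None


def run(responder, alerts=SAMPLE_ALERTS):
    """Feed alerts through a responder and return the actions it produced."""
    return [act for act in (responder.handle(a) for a in alerts)
            if act is not None]


if __name__ == "__main__":
    passive = PassiveResponder()
    print("passive actions:", run(passive), "logged:", len(passive.log))
    reactive = ReactiveResponder(allowlist=["10.0.0.0/8"])
    print("reactive actions:", run(reactive))
```

With the allowlist set to the internal range, the internal host 10.0.0.53 is logged three times but never blocked, and the external source is blocked only on its third qualifying alert; run with an empty allowlist, the same feed would also block the internal host, which is the failure mode the allowlist exists to prevent.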

Conclusion and Recommendations

In order to operate an effective and efficient organizational computer network, it is critical to prioritize network security. Network security is critical in protecting the network infrastructure and network data from unauthorized access or malicious software. The role of network security is the development of physical and software mechanisms to prevent malicious activity and unauthorized access to the network. Network security also aims to counter network infrastructure misuse, network malfunction, modification of system files, and the destruction or unlawful dissemination of network information to unauthorized parties. An effective network security system requires a multi-pronged approach to protect and secure the network infrastructure. The intrusion detection system (IDS) is an effective protective mechanism that enables the monitoring and analysis of network traffic to detect anomalies, unauthorized access and malicious activities early, so that the network administrator is alerted in time to initiate counter-measures and preventative actions that minimize damage or block network access for unauthorized traffic.

A network-based intrusion detection system can enable network administrators to view the specific content being shared between two connected devices, enabling the identification of exploitation attacks or compromised endpoint devices. A NIDS also promotes network security by conducting protocol analysis of TCP and UDP payloads, with IDS sensors detecting anomalous activities that are out of line with the set protocols. IDS technology can also quantify and qualify the types of cyber-attacks; this information is then used to develop new network controls and to change vulnerable configuration settings to prevent future risks (Vacca, 2013). The IDS gives system administrators greater visibility of the network, making it easier to comply with security standards and regulations. The major limitation of IDS in enhancing network security is that in most cases they are passive and only alert on suspicious activities. IDS are also unable to analyze encrypted data packets, providing malicious individuals a pathway into the system. Despite these limitations, intrusion detection systems are vital components of network security which minimize threats to the network and ensure that the network keeps working optimally, since IDS are usually out of band and thus do not affect network access or speed.

References

Bace, R. G. (2012). Intrusion Detection. Indianapolis, IN: Macmillan Technical.

França, A. L., Pedroni, V. A. and Santin, A. O. (2015). "The energy cost of network security: A hardware vs. software comparison". 2015 IEEE International Symposium on Circuits and Systems (ISCAS), 21, 81–84.

Hansen, J. V., Lowry, P. M. and Rayman, M. D. (2014). "Genetic programming for prevention of cyberterrorism through dynamic and evolving intrusion detection". Decision Support Systems (DSS), 43 (4), 1362–1374.

Mafra, P. M., Fraga, J. S. and Santin, A. O. (2014). "Algorithms for a distributed IDS in MANETs". Journal of Computer and System Sciences, 80 (3), 554–570.

Newman, R. C. (2012). Computer Security: Protecting Digital Resources. Boston: Jones & Bartlett Learning.

Perdisci, R. D., Davide, A. P. and Giacinto, W. L. (2014). "McPAD: A Multiple Classifier System for Accurate Payload-based Anomaly Detection". Computer Networks, Special Issue on Traffic Classification and Its Applications to Modern Networks, 5 (6), 864–881.

Saranya, J. G. (2015). "A Brief Study on Different Intrusions and Machine Learning-based Anomaly Detection Methods in Wireless Sensor Networks". Avinashilingam Institute for Home Science and Higher Education for Women, 6(4), 120-131.

Vacca, J. R. (2013). Managing Information Security. New York: Syngress.

Viegas, A. O., Pedroni, V. A. and Oliveira, L. S. (2017). "Towards an Energy-Efficient Anomaly-Based Intrusion Detection Engine for Embedded Systems". IEEE Transactions on Computers, 66 (1), 163–177.

Whitman, M. E. and Mattord, J. H. (2014). Principles of Information Security. Boston: Cengage Learning.