Friday, October 11, 2013

Intrusion Detection

It has been many days since I blogged and shared my knowledge. Now I am going to share the topic on which I gave a seminar; it is also my UG research topic.

Intrusion Detection
An intruder is generally referred to as a hacker or cracker.
Three classes of intruder:
1. Masquerader: An individual who is not authorized to use the computer.
2. Misfeasor: A legitimate user who accesses data, programs or resources for which he is not authorized.
3. Clandestine user: An individual who seizes supervisory control of the system.

Intrusion Techniques
Typically a system contains a file that stores passwords. If such a file is stored with no protection, it is an easy matter to gain access to the system. The password file can be protected in two ways:
1. One-way encryption: each password is stored in the file in encrypted (one-way) form, so the stored value cannot be turned back into the password.
2. Access control: access to the password file is limited to one or a very few accounts.
To break these passwords an intruder will try the following techniques:
1. Try the default passwords of the standard accounts.
2. Exhaustively try all short passwords.
3. Try words in the system's online dictionary.
4. Collect information about the user.
5. Try the user's phone number.
6. Try all legitimate license plate numbers.
7. Use a Trojan horse to bypass restrictions on access.
8. Tap the line between a remote user and the host system.
Intrusion Detection
Intrusion detection is based on the assumption that the behavior of an intruder differs from that of a legitimate user in ways that can be quantified.
Approaches to intrusion detection:

1. Statistical anomaly detection: collects statistical data relating to the behavior of legitimate users over a period of time.
a. Threshold detection: defines thresholds, independent of user, for the frequency of occurrence of various events.
b. Profile based: a profile of the activity of each user is developed and used to detect changes in the user's behavior.
2. Rule-based detection: defines a set of rules that can be used to decide whether a given behavior is that of an intruder.
a. Anomaly detection: rules are developed to detect deviation from previous usage patterns.
b. Penetration identification: an expert system is used to identify known penetrations.
Audit Records
A fundamental tool of intrusion detection. Two plans are used:
1. Native audit records: virtually every multiuser operating system includes accounting software that collects information about the events that occur in the system. This is very useful for intrusion detection.
2. Detection-specific audit records: a collection facility can be implemented that generates audit records containing only the information required by the intrusion detection system.
Each audit record contains the following fields:
· Subject: Initiators of actions.
· Action: Operation performed by the subject.
· Object: Receptors of actions.
· Exception-condition: Denotes whether any exception condition occurred.
· Resource-usage: A list of quantitative elements in which each element gives the amount of some resource used.
· Time-stamp: Unique time-and-date stamp.
Statistical Anomaly Detection
Profile-based detection uses the following metrics:
· Counter: A non-negative integer that can be incremented but not decremented until it is reset by a management action.
· Gauge: A non-negative integer that can be incremented or decremented. It measures the current value of some entity.
· Interval timer: The length of time between two related events.
· Resource utilization: The quantity of resources consumed during a specified period.
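The following is an added example, not code from the original post, showing both statistical approaches over the metric types listed above: a per-user profile (mean and standard deviation of each metric) that flags a day whose values deviate from the user's history, and a fixed, user-independent threshold check. The history, the metric names and the thresholds are constructed for illustration.

```python
import statistics

# Constructed per-day metric samples for one user, invented for illustration (not real
# audit data). One entry per past day, using the four metric types listed above:
#   login_count        counter:   logins in the day (reset each day)
#   peak_sessions      gauge:     highest number of concurrent sessions
#   login_to_access_s  interval:  seconds between login and first file access
#   cpu_s              resource:  CPU seconds consumed in the day
HISTORY = [
    {"login_count": 2, "peak_sessions": 1, "login_to_access_s": 40, "cpu_s": 300},
    {"login_count": 3, "peak_sessions": 1, "login_to_access_s": 55, "cpu_s": 280},
    {"login_count": 2, "peak_sessions": 2, "login_to_access_s": 35, "cpu_s": 320},
    {"login_count": 1, "peak_sessions": 1, "login_to_access_s": 60, "cpu_s": 250},
    {"login_count": 3, "peak_sessions": 1, "login_to_access_s": 45, "cpu_s": 310},
]

# Threshold detection: user-independent limits (assumed values) on event counts per day.
THRESHOLDS = {"login_count": 20, "cpu_s": 3600}


def build_profile(history):
    """Profile-based detection: mean and standard deviation of each metric."""
    profile = {}
    for metric in history[0]:
        values = [day[metric] for day in history]
        profile[metric] = (statistics.mean(values), statistics.pstdev(values))
    return profile


def profile_anomalies(profile, today, max_sigma=3.0):
    """Return {metric: z-score} for metrics deviating more than max_sigma from the profile."""
    flagged = {}
    for metric, (mean, sd) in profile.items():
        value = today[metric]
        if sd == 0:
            # No variation seen before: any change at all is a deviation.
            if value != mean:
                flagged[metric] = float("inf")
            continue
        z = abs(value - mean) / sd
        if z > max_sigma:
            flagged[metric] = round(z, 2)
    return flagged


def threshold_violations(today, thresholds=THRESHOLDS):
    """Threshold detection: metrics whose value exceeds the fixed limit."""
    return {m: today[m] for m, limit in thresholds.items() if today[m] > limit}


if __name__ == "__main__":
    suspicious = {"login_count": 9, "peak_sessions": 4, "login_to_access_s": 2, "cpu_s": 1500}
    print("profile deviations:", profile_anomalies(build_profile(HISTORY), suspicious))
    print("threshold violations:", threshold_violations(suspicious))
```

Note that the suspicious day trips every profile metric but no threshold: this is the point of profile-based detection, which catches behaviour that is abnormal for this user while still below any global limit.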
Rule-based detection
It detects intrusion by observing events in the system and applying a set of rules that lead to a decision regarding whether a given pattern of activity is or is not suspicious.
Rule-based anomaly detection: similar to statistical anomaly detection. Historical audit records are analyzed to identify usage patterns and to automatically generate rules that describe those patterns.
Rule-based penetration identification: takes a very different approach to intrusion detection, one based on expert-system technology. It uses rules for identifying known penetrations.
Simple examples of the types of rules:
1. Users should not read files in other users' personal directories.
2. Users must not write to other users' files.
3. Users who log in after hours often access the same files they used earlier.
4. Users should not log in more than once on a single system.
5. Users do not make duplicate copies of system programs.
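As an added example (not from the original post), the five rules above encoded as checks over a stream of audit records in the subject / action / object / time-stamp layout described earlier. The records, the "after hours" window, the system directories and the rule numbering are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed audit records: (subject, action, object, hour-of-day). Invented for illustration.
RECORDS = [
    ("alice", "login", "host1", 9),
    ("alice", "read",  "/home/alice/notes", 9),
    ("alice", "read",  "/home/bob/salary.txt", 10),   # rule 1
    ("bob",   "login", "host1", 10),
    ("bob",   "login", "host1", 10),                  # rule 4: second login, same system
    ("bob",   "write", "/home/alice/notes", 11),      # rule 2
    ("carol", "login", "host2", 14),
    ("carol", "read",  "/home/carol/report", 14),
    ("carol", "copy",  "/bin/su", 23),                # rule 5
    ("carol", "read",  "/etc/shadow", 23),            # rule 3: after hours, never used earlier
]

BUSINESS_HOURS = range(8, 18)                 # assumed working hours
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/")  # assumed locations of system programs


def home_owner(path):
    """Owner of a personal directory path like /home/<user>/..., else None."""
    parts = path.split("/")
    return parts[2] if len(parts) > 2 and parts[1] == "home" else None


def apply_rules(records):
    """Return (subject, rule, object) alerts for every record that violates a rule."""
    alerts = []
    logins = defaultdict(int)        # (subject, system) -> login count
    seen_files = defaultdict(set)    # subject -> files accessed so far
    for subj, action, obj, hour in records:
        owner = home_owner(obj)
        if action == "read" and owner not in (None, subj):
            alerts.append((subj, "R1 read of another user's personal directory", obj))
        if action == "write" and owner not in (None, subj):
            alerts.append((subj, "R2 write to another user's file", obj))
        if action == "login":
            logins[(subj, obj)] += 1
            if logins[(subj, obj)] > 1:
                alerts.append((subj, "R4 more than one login on a single system", obj))
        if action == "copy" and obj.startswith(SYSTEM_DIRS):
            alerts.append((subj, "R5 duplicate copy of a system program", obj))
        if action in ("read", "write"):
            if hour not in BUSINESS_HOURS and obj not in seen_files[subj]:
                alerts.append((subj, "R3 after-hours access to a file not used earlier", obj))
            seen_files[subj].add(obj)
    return alerts
```

Rule 3 is the one anomaly-style rule in the list: it cannot say an access is wrong, only that an after-hours access to a previously unseen file departs from the pattern the rule describes.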
Distributed Intrusion Detection
· A distributed intrusion detection system may need to deal with different audit record formats.
· One or more nodes in the network serve as collection and analysis points for data from the systems on the network. Thus, either raw audit data or summary data must be transmitted over the network.
· Either a centralized or a decentralized architecture can be used.
· A centralized architecture has a single point of collection and analysis.
· A decentralized architecture has more than one analysis center, but these must coordinate their activity and exchange information.
A good distributed intrusion detection system will contain the following:
· Host agent module: An audit collection module operating as a background process on a monitored system.
· LAN monitor agent module: Analyzes LAN traffic and reports the results to the central manager.
· Central manager module: Receives reports from the host agents and LAN monitor agents, and processes and correlates these reports to detect intrusion.

This design is independent of any operating system; it is a quite general and flexible architecture. The central manager module concludes the presence of an intrusion from the correlated results.
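An added example (not from the original post) of the central manager's job as described above: reports arrive from host agents and from a LAN monitor in two different formats, are normalized into one record layout, and are correlated so that the same actor hitting several systems within a short window is reported as one intrusion. The report formats, hosts, addresses and timing are constructed for illustration.

```python
from collections import defaultdict

# Constructed reports in two formats, as a distributed IDS must handle. Invented data.
# Host agents send dicts; the LAN monitor sends "src,dst,event,time" strings.
HOST_AGENT_REPORTS = [
    {"host": "host1", "user": "mallory", "event": "failed_login", "t": 100},
    {"host": "host2", "user": "mallory", "event": "failed_login", "t": 130},
    {"host": "host3", "user": "mallory", "event": "failed_login", "t": 160},
    {"host": "host1", "user": "alice",   "event": "failed_login", "t": 200},
]
LAN_MONITOR_REPORTS = [
    "10.0.0.9,host1,port_scan,90",
    "10.0.0.9,host2,port_scan,120",
]


def normalize(host_reports, lan_reports):
    """Convert both report formats into one common record layout."""
    events = []
    for r in host_reports:
        events.append({"source": "host_agent", "actor": r["user"],
                       "target": r["host"], "event": r["event"], "t": r["t"]})
    for line in lan_reports:
        src, dst, event, t = line.split(",")
        events.append({"source": "lan_monitor", "actor": src,
                       "target": dst, "event": event, "t": int(t)})
    return events


def correlate(events, min_hosts=3, window=120):
    """Flag an actor whose same event reaches >= min_hosts distinct targets within `window` s.

    A single failed login on one host is noise; the same actor failing on three hosts
    in two minutes is the cross-host pattern only the central manager can see."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["actor"], e["event"])].append(e)
    alerts = []
    for (actor, event), evs in by_key.items():
        evs.sort(key=lambda e: e["t"])
        for i, first in enumerate(evs):
            targets = {e["target"] for e in evs[i:] if e["t"] - first["t"] <= window}
            if len(targets) >= min_hosts:
                alerts.append((actor, event, sorted(targets)))
                break
    return alerts


if __name__ == "__main__":
    print(correlate(normalize(HOST_AGENT_REPORTS, LAN_MONITOR_REPORTS)))
```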

Honeypots are decoy systems designed to lure a potential attacker away from critical systems. They are designed to:
· Divert the attacker from critical systems.
· Collect information about the attacker's activity.
· Encourage the attacker to stay on the system long enough for administrators to respond.
Initial efforts involved a single honeypot computer with an IP address designed to attract hackers.
