
Unit IV

What is Intrusion?
A network intrusion is any unauthorized activity on a
computer network. Detecting an intrusion depends on the
defenders having a clear understanding of how attacks
work.
In most cases, such unwanted activity absorbs
network resources intended for other uses, and nearly
always threatens the security of the network and/or its
data. Properly designing and deploying a network
intrusion detection system will help block the
intruders.
Some popular attack vectors-
• Asymmetric Routing
In this method, the attacker attempts to utilize more than one route to the targeted network device. The idea is to have the overall attack evade detection by having a significant portion of the offending packets bypass certain network segments and their network intrusion sensors. Networks that are not set up for asymmetric routing are impervious to this attack methodology.
• Buffer Overflow Attacks
This approach attempts to overwrite specific regions of memory on a networked system, replacing the normal data in those memory locations with a set of instructions that will later be executed as part of the attack. In most cases, the goal is to cause a denial of service (DoS), or to set up a channel through which the attacker can gain remote access to the network.
• Common Gateway Interface Scripts
The Common Gateway Interface (CGI) is routinely
used in networks to support interaction between
servers and clients on the Web. But it also provides
easy openings—such as "backtracking"—through
which attackers can access supposedly secure
network system files.
When systems fail to include input verification or
check for backtrack characters, a covert CGI script
can easily add the directory label ".." or the pipe "|"
character to any file path name and thereby access
files that should not be available via the Web.
• Protocol-Specific Attacks
When performing network activities, devices obey
specific rules and procedures. These protocols—such
as ARP, IP, TCP, UDP, ICMP, and various application
protocols—may inadvertently leave openings for
network intrusions via protocol impersonation
("spoofing") or malformed protocol messages. For
example, Address Resolution Protocol (ARP) does
not perform authentication on messages, allowing
attackers to execute "man-in-the-middle" attacks.
Protocol-specific attacks can easily compromise or
even crash targeted devices on a network.
• Traffic Flooding
An ingenious method of network intrusion simply
targets network intrusion detection systems by
creating traffic loads too heavy for the system to
adequately screen.
In the resulting congested and chaotic network
environment, attackers can sometimes execute an
undetected attack and even trigger an undetected
"fail-open" condition.
• Trojans- These programs present themselves as
benign and do not replicate like a virus or a worm.
Instead, they instigate DoS attacks, erase stored data,
or open channels to permit system control by outside
attackers.
• Worms- A common form of standalone computer
virus, worms are any computer code intended to
replicate itself without altering authorized program
files. Worms often spread through email attachments
or the Internet Relay Chat (IRC) protocol. Undetected
worms eventually consume so many network
resources, such as processor cycles or bandwidth, that
authorized activity is simply squeezed out.
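As an added illustration of the input check the Common Gateway Interface Scripts item above calls for (example code written for these notes, not taken from the page or from any particular CGI implementation): the first function maps a user-supplied file parameter onto an assumed web root and rejects the ".." label, the "|" character and anything that resolves outside the root; the second scans constructed access-log lines for the same tokens, the way a defender would when hunting for such requests. The web root path and the log lines are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed document root served by the CGI script (placeholder, not from the page).
WEB_ROOT = "/var/www/docs"
# Tokens the notes name as dangerous: the ".." directory label and the "|"
# pipe. A NUL byte is added because it truncates C-style path strings.
FORBIDDEN = ("..", "|", "\0")


def safe_cgi_path(user_value, web_root=WEB_ROOT):
    """Map a user-supplied 'file' parameter onto web_root.

    Returns the resolved absolute path when the value is a safe relative path
    under web_root, and None when the request must be rejected.
    """
    decoded = unquote(user_value or "")          # catch %2e%2e / %7C encodings
    if not decoded or any(tok in decoded for tok in FORBIDDEN):
        return None
    # Normalise like a URL path; backslashes are treated as separators too.
    normalised = posixpath.normpath(decoded.replace("\\", "/"))
    if normalised.startswith("/") or normalised == ".":
        return None                              # absolute path or empty
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, normalised))
    # Containment check: the final path must still lie under the web root.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed access-log lines (made up, not real traffic) of the kind a
# defender would hunt through for backtracking or pipe attempts.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/view.cgi?file=manual/index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /cgi-bin/view.cgi?file=../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/view.cgi?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:15 +0000] "GET /cgi-bin/view.cgi?file=a%7Cid HTTP/1.1" 500 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')


def flag_traversal_requests(lines):
    """Return (client_ip, decoded_request) for every request whose decoded
    URL contains a backtrack label or a pipe character."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        decoded = unquote(match.group(1))
        if any(tok in decoded for tok in FORBIDDEN):
            hits.append((line.split()[0], decoded))
    return hits
```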
Intrusion Detection System (IDS)-
An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. It is a software application that scans a network or a system for harmful activity or policy violations. Any malicious activity or violation is normally reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system integrates outputs from multiple sources and uses alarm filtering techniques to differentiate malicious activity from false alarms.
Classification of Intrusion Detection System:
IDS are classified into 5 types:
Network Intrusion Detection System (NIDS):
Network intrusion detection systems (NIDS) are set up at a planned point within the network to examine traffic from all devices on the network. A NIDS observes the traffic passing on the entire subnet and matches it against a collection of known attacks. Once an attack is identified or abnormal behaviour is observed, an alert can be sent to the administrator.
Host Intrusion Detection System (HIDS):
Host intrusion detection systems (HIDS) run on independent hosts or devices on the network. A HIDS monitors the incoming and outgoing packets of that device only and alerts the administrator if suspicious or malicious activity is detected. It takes a snapshot of the existing system files and compares it with the previous snapshot. If monitored system files were edited or deleted, an alert is sent to the administrator to investigate.
Protocol-based Intrusion Detection System (PIDS):
A protocol-based intrusion detection system (PIDS) comprises a system or agent that consistently resides at the front end of a server, controlling and interpreting the protocol between a user/device and the server. It is typically used to secure a web server by monitoring the HTTPS protocol stream and interpreting the HTTP protocol carried inside it. Because the HTTPS stream is only decrypted immediately before it enters the web presentation layer, the system needs to reside at that interface in order to inspect HTTPS traffic.
Application Protocol-based Intrusion Detection System
(APIDS):
An Application Protocol-based Intrusion Detection System (APIDS) is a system or agent that generally resides within a group of servers. It identifies intrusions by monitoring and interpreting the communication on application-specific protocols. For example, it would monitor the SQL protocol specific to the middleware as it transacts with the database in the web server.
Hybrid Intrusion Detection System :
A hybrid intrusion detection system is made by combining two or more intrusion detection approaches. In a hybrid intrusion detection system, host agent or system data is combined with network information to develop a complete view of the network system. A hybrid intrusion detection system is more effective in comparison to the other intrusion detection systems taken individually. Prelude is an example of a hybrid IDS.
Detection Method of IDS-
Signature-based Method:
Signature-based IDS detects attacks on the basis of specific patterns, such as the number of bytes or the number of 1's or 0's in the network traffic. It also detects attacks on the basis of already known malicious instruction sequences used by malware. The patterns the IDS looks for are known as signatures. A signature-based IDS can easily detect attacks whose pattern (signature) already exists in the system, but it is quite difficult for it to detect new malware attacks, as their pattern (signature) is not yet known.
Anomaly-based Method:
Anomaly-based IDS was introduced to detect unknown malware attacks, since new malware is developed rapidly. In an anomaly-based IDS, machine learning is used to create a model of trusted activity; anything that arrives is compared with that model and is declared suspicious if it does not fit the model. The machine learning-based method generalizes better than a signature-based IDS, as these models can be trained according to the applications and hardware configurations.
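To make the two detection methods concrete, here is an added example (written for these notes, not code from the page) that runs both over constructed connection summaries: fixed byte-pattern signatures, and a per-port statistical model of trusted byte counts that flags anything not fitting it. Ports, byte counts, payloads and the signature patterns are made-up values chosen to exercise each branch.

```python
import math
import re
from collections import defaultdict

# Constructed connection summaries (made-up values, not captured traffic),
# shaped like what a NIDS sensor extracts per connection: destination port,
# bytes transferred, and the first bytes of payload.
BASELINE = (
    [{"dport": 443, "bytes": n} for n in (1200, 1350, 1100, 1500, 1280, 1420)]
    + [{"dport": 80, "bytes": n} for n in (800, 950, 700, 880, 1020, 760)]
)
EVENTS = [
    {"id": 1, "src": "10.0.1.10", "dport": 443, "bytes": 1300, "payload": b"GET /index.html"},
    {"id": 2, "src": "10.0.1.22", "dport": 80, "bytes": 900, "payload": b"GET /cgi-bin/view.cgi?file=../../etc/passwd"},
    {"id": 3, "src": "10.0.1.31", "dport": 80, "bytes": 48000, "payload": b"POST /upload"},
    {"id": 4, "src": "10.0.1.40", "dport": 6667, "bytes": 300, "payload": b"NICK bot123"},
    {"id": 5, "src": "10.0.1.50", "dport": 80, "bytes": 4000, "payload": b"\x90" * 8 + b"A" * 20},
]

# Signature method: fixed byte patterns of already known malicious input.
SIGNATURES = [
    ("nop-sled", re.compile(rb"\x90{8}")),      # filler bytes typical of overflow payloads
    ("cgi-backtrack", re.compile(rb"\.\./")),    # ".." directory label inside a request
]

def signature_matches(event):
    """Return the names of every signature found in the event payload."""
    return [name for name, pattern in SIGNATURES if pattern.search(event["payload"])]

class AnomalyModel:
    """Anomaly method: a per-port model of trusted byte counts; traffic that
    does not fit the model is declared suspicious."""
    def __init__(self, records, z_threshold=3.0):
        per_port = defaultdict(list)
        for rec in records:
            per_port[rec["dport"]].append(rec["bytes"])
        self.stats = {}
        for port, values in per_port.items():
            mean = sum(values) / len(values)
            std = math.sqrt(sum((v - mean) ** 2 for v in values) / len(values))
            self.stats[port] = (mean, max(std, 1.0))   # avoid a zero divisor
        self.z_threshold = z_threshold

    def explain(self, event):
        """Return a reason string if the event does not fit the model, else None."""
        if event["dport"] not in self.stats:
            return "port %d never seen in trusted model" % event["dport"]
        mean, std = self.stats[event["dport"]]
        z = (event["bytes"] - mean) / std
        if abs(z) > self.z_threshold:
            return "byte count z-score %.1f on port %d" % (z, event["dport"])
        return None

def detect(events, model):
    """Run both methods; return {event id: [(method, detail), ...]} for alerts."""
    alerts = {}
    for ev in events:
        findings = [("signature", name) for name in signature_matches(ev)]
        reason = model.explain(ev)
        if reason:
            findings.append(("anomaly", reason))
        if findings:
            alerts[ev["id"]] = findings
    return alerts
```

Event 2 is caught only by the signature, events 3 and 4 only by the anomaly model (an outlying byte count and a port absent from the trusted model), and event 5 by both.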
Comparison of IDS with Firewalls:
IDS and firewalls are both related to network security, but an IDS differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls restrict access between networks to prevent intrusion, and if an attack comes from inside the network they do not signal it. An IDS describes a suspected intrusion once it has happened and then signals an alarm.
Intrusion Prevention System (IPS)
An Intrusion Prevention System is also known as an Intrusion Detection and Prevention System. It is a network security application that monitors network or system activities for malicious activity. The major functions of intrusion prevention systems are to identify malicious activity, collect information about this activity, report it, and attempt to block or stop it. Both IPS and IDS monitor network traffic and system activities for malicious activity.
How do intrusion prevention systems work?
An intrusion prevention system works by scanning through all network traffic. To do this, an IPS tool will typically sit right behind a firewall, acting as an additional layer that observes events for malicious content. In this way, IPS tools are placed in the direct communication paths between a system and the network, enabling the tool to analyze network traffic.
The following are three common approaches for an IPS tool to protect networks:
• Signature-based detection, in which the IPS tool uses previously defined attack signatures of known network threats to detect threats and take action.
• Anomaly-based detection, in which the IPS searches for unexpected network behavior and blocks access to the host if an anomaly is detected.
• Policy-based detection, in which the IPS first requires administrators to define security policies; when an event occurs that breaks a defined security policy, an alert is sent to system administrators.
Types of Intrusion Prevention System
The intrusion prevention system is not limited to scanning the network packets at the entry point only but also counters malicious activity inside the private network. Based on the functionality of the IPS, they are divided into various types-
Host-based intrusion prevention system-
It can be defined as the type of intrusion prevention system which operates on a single host. This kind of IPS aims to make sure that no malicious activity happens in the internal network.
Wireless intrusion prevention system-
It can be considered as another type of intrusion prevention system, one which operates over the wireless network. This kind of IPS is deployed to monitor malicious activity in the wireless network. All the packets moving within the wireless network are checked or monitored by this kind of IPS with the help of signatures.
Network-based intrusion prevention system-
This can be considered as another kind of IPS that is deployed in the network in order to prevent malicious activities. The purpose of this IPS is to monitor or keep a check on the entire network. Any malicious activity detected anywhere in the network can be prevented by using this kind of IPS.
Network behaviour analysis-
As the name states, this kind of IPS is used to understand the network's behaviour, and all traffic moving throughout the network remains under sustained surveillance by this system. Any time the system detects packets with a malicious signature, the IPS blocks the packets so that they cannot harm the application. This kind of IPS' main purpose is to ensure that no malicious packets can be drafted and transmitted through the internal network.
It is also essential to know that an IPS works in conjunction with an intrusion detection system (IDS). The role of the IDS is to detect the malicious packet, while the role of the IPS is to make sure that malicious packets are destroyed or blocked from execution.

The IPS works by detecting and preventing packets based either on a signature or on a statistical anomaly. There is a sheer difference between the working of the two approaches. Signature-based detection makes sure that packets whose signature is present in the database of the IPS get detected, while statistical anomaly detection checks the packet against a defined baseline. Any packet that shows activity outside that baseline will raise the alarm and get blocked by the IPS.
What are the benefits of an intrusion prevention system?
An intrusion prevention system offers many benefits:
• Additional security: An IPS works in tandem with other security solutions, and it can identify threats that those other solutions can't.
• Increased efficiency for other security controls: Because an IPS filters out malicious traffic before it reaches other security devices and controls, it reduces the workload for those controls and allows them to perform more efficiently.
• Time savings: Since an IPS is largely automated, it requires less of a time investment from IT teams.
• Compliance: An IPS fulfils many of the compliance requirements set forth by PCI DSS, HIPAA, and others. It also provides valuable auditing data.
• Customization: An IPS can be set up with customized security policies to provide security controls specific to the enterprise that uses it.
Security Information management (SIM)-
Security information management (SIM) is the practice of collecting, monitoring and analyzing security-related data from computer logs and various other data sources. A security information management system (SIMS) can help automate this practice to reduce manual effort and improve the efficiency of both the SIM program and the organization's broader cybersecurity program.
From security log files, one can learn the IP address of a system, its MAC or internet address, login data and the status of the system. If such details fall into the hands of attackers, they might use them destructively. This is one of the major reasons behind the birth of security information management.

Where does SIM obtain log data from?
The log data is collected from various sources like firewalls, intrusion detection systems, antivirus software, proxy servers, file systems, etc. Based on the data gathered from all these sources, security information is monitored and maintained.
Security management is categorized into three segments. One of them is SIM. Another one is SEM (Security Event Management), which deals with real-time monitoring and alerting the admins whenever it detects certain events occurring in the network activity. The last one is the fusion of SIM + SEM = SIEM (the abbreviation stands for Security Information and Event Management). These days, businesses mostly prefer the power-packed fusion of SIEM tools.
What exactly do SIM systems do?
• SIM systems keep track of and show activity analytics of the system events as they happen.
• They then translate event data gathered from many sources into a general and simplified format. Usually, the data is translated into an XML file.
• SIM systems collect and coordinate data from various sources in such a way that it helps administrators to distinguish real threats from false positives on the system. False positives are events that seem to be a major threat but in reality are not.
• As soon as suspicious activities occur, the SIM tool responds to the event by sending alerts to the organization's administrators and by generating reports and graphical representations such as charts and graphs.
The reports generated by SIM systems are typically used to:
• Detect unauthorized access as well as modifications to files and data breaches.
• Identify data trends that can potentially be leveraged by business organizations for their progression.
• Identify network behavior and assess performance.
Network Traffic Analysis (NTA)
Network traffic analysis (NTA) is a method of monitoring
network availability and activity to identify anomalies,
including security and operational issues.
Common use cases for NTA include:
• Collecting a real-time and historical record of what's happening on your network
• Detecting malware such as ransomware activity
• Detecting the use of vulnerable protocols and ciphers
• Troubleshooting a slow network
• Improving internal visibility and eliminating blind spots
There are three key differences between NTA systems and other traffic-related solutions:
• NTA systems analyze both north/south and east/west traffic. Other systems, like IDS/IPS and firewalls, generally only monitor network perimeters. With these other systems, an attacker's actions will go unnoticed if they successfully breach a network perimeter without detection.
• NTA systems detect attacks using a combination of tools, which include machine learning, behavior analysis, indicators of compromise, and retrospective analysis. With these tools, attacks can be prevented both at network perimeters and in cases when an attacker has already gained access to network infrastructure.
• NTAs can assist in the investigation of past incidents, and in threat hunting. Threat hunting helps security teams to detect threats that would go unnoticed by traditional security features.
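An added example (written for these notes, not from the page or any NTA product) of the first two differences above on constructed flow records: each flow is classified as north/south or east/west against an assumed internal address space, perimeter flows are matched against a placeholder indicator list, east/west flows are analysed for one host fanning out to many internal services, and a timeline helper supports the retrospective view. The address ranges, the indicator and the flow records are all constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space (placeholder for "your network").
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Constructed indicator of compromise; 203.0.113.0/24 is a documentation
# range, so this is a placeholder and not a real indicator.
IOC_IPS = {"203.0.113.77"}

# Constructed flow records (made up, not exported from a real device):
# (timestamp, source, destination, destination port, bytes).
FLOWS = [
    (1, "10.0.1.10", "198.51.100.20", 443, 5200),
    (2, "10.0.1.10", "10.0.2.5", 445, 900),
    (3, "10.0.1.22", "10.0.2.1", 445, 120),
    (4, "10.0.1.22", "10.0.2.2", 445, 120),
    (5, "10.0.1.22", "10.0.2.3", 445, 120),
    (6, "10.0.1.22", "10.0.2.4", 445, 120),
    (7, "10.0.1.22", "10.0.2.5", 445, 120),
    (8, "10.0.1.22", "10.0.2.6", 445, 120),
    (9, "10.0.1.22", "203.0.113.77", 8443, 3100),
    (10, "10.0.1.10", "10.0.2.8", 3389, 7600),
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def direction(flow):
    """'east-west' when both ends are internal, otherwise 'north-south'."""
    _, src, dst, _, _ = flow
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"

def analyse(flows, scan_threshold=5):
    """Return alerts as (kind, host, detail) tuples.

    Two of the tools named in the notes are used: indicator-of-compromise
    matching on perimeter (north/south) flows, and behaviour analysis of
    east/west flows to spot one host fanning out to many internal services."""
    alerts = []
    fanout = defaultdict(set)
    for flow in flows:
        ts, src, dst, dport, _ = flow
        if direction(flow) == "north-south":
            if dst in IOC_IPS or src in IOC_IPS:
                alerts.append(("ioc-match", src, "contacted %s:%d at t=%d" % (dst, dport, ts)))
        else:
            fanout[src].add((dst, dport))
    for host, targets in fanout.items():
        if len(targets) >= scan_threshold:
            alerts.append(("lateral-movement", host, "%d internal services touched" % len(targets)))
    return alerts

def timeline(flows, host):
    """Retrospective view: every flow involving host, in time order, so an
    incident can be laid out chronologically."""
    return sorted((f for f in flows if host in (f[1], f[2])), key=lambda f: f[0])
```

A perimeter-only sensor would see just flows 1 and 9; the east/west fan-out from 10.0.1.22 across six internal hosts is only visible because internal traffic is analysed too.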
The key benefits of network traffic analysis-
Benefits of NTA include:
• Improved visibility into devices connecting to your network (e.g. IoT devices, healthcare visitors)
• Meet compliance requirements
• Troubleshoot operational and security issues
• Respond to investigations faster with rich detail and additional network context
Uses of NTA systems-
Attack detection is not the only benefit of NTA systems. They can also be used to retrospectively trace the development of attacks and lay out the chronology of their progression, as well as to isolate threats and compensate for vulnerabilities. NTA systems can be used in a much wider set of contexts than other systems that analyze traffic. Using NTA, information security specialists can detect attacks within networks as well as on network perimeters, can control network compliance, investigate security incidents, and eliminate potential threats.
What to look for in a network traffic analysis and monitoring solution?
Not all tools for monitoring network traffic are the same. Generally, they can be broken down into two types: flow-based tools and deep packet inspection (DPI) tools. Within these tools you'll have options for software agents, storing historical data, and intrusion detection systems. When evaluating which solution is right for your organization, consider these five things:
Availability of flow-enabled devices: Do you have flow-enabled devices on your network capable of generating the flows required by an NTA tool that only accepts flows like Cisco NetFlow? DPI tools accept raw traffic, found on every network via any managed switch, and are vendor independent.
The data source: Flow data and packet data come from different sources, and not all NTA tools collect both. Be sure to look through your network traffic and decide which pieces are critical, and then compare capabilities against the tools to ensure everything you need is covered.
Real-time data vs. historical data: Historical data is critical to analyzing past events, but some tools for monitoring network traffic don't retain that data as time goes on. Also check whether the tool is priced based on the amount of data you want to store. Have a clear understanding of which data you care about most to find the option best suited to your needs and budget.
Full packet capture, cost and complexity: Some DPI tools capture and retain all packets, resulting in expensive appliances, increased storage costs, and much training/expertise to operate.
System Integrity Validation-
System integrity is the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental. Integrity is the protection of system data from intentional or accidental unauthorized changes.
A system integrity check is a function that runs a status review of security detectors and devices before arming. Many system problems are caused by wrong software or hardware configuration, because of wrong installation, hardware or file system failure, or a software virus. Validation of the software/hardware configuration is a must before system testing in development, during system manufacturing, and in field service.
A customizable System Integrity Check utility is used for validation of the system software/hardware configuration. The utility provides a recovery recommendation if a problem is found. The verification process is implemented in a number of stages. Each stage covers files with the same verification type and the same recovery recommendation. The following validation types may be used:
• Permanent files check - files that do not change
• Changeable files check - files that can change
• Registry entries check for Windows platform
• Custom software/hardware configuration check
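An added example (written for these notes, not the utility the page describes) of the staged verification above, which also covers the HIDS snapshot comparison described earlier: permanent files must hash exactly as in the snapshot, changeable files must still exist, and custom configuration checks are callables; each stage carries its own recovery recommendation. File names, contents and recommendation wording are constructed, and the registry stage is omitted because it is Windows-specific.

```python
import hashlib
import os
import tempfile

# Recovery recommendation for each verification stage (constructed wording).
RECOMMENDATION = {
    "permanent": "restore the file from trusted installation media",
    "changeable": "restore the file from the latest backup and review who removed it",
    "custom": "re-apply the approved configuration and re-run the check",
}

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def take_snapshot(paths):
    """HIDS-style snapshot: path -> SHA-256 hex digest, or None if the file is missing."""
    return {p: (sha256_of(p) if os.path.exists(p) else None) for p in paths}

def verify(snapshot, permanent, changeable, custom_checks):
    """Staged validation. permanent: hash must equal the snapshot; changeable:
    may change but must exist; custom_checks: name -> callable that is True
    when the configuration is right. Returns (stage, item, status, advice)."""
    current = take_snapshot(list(permanent) + list(changeable))
    findings = []
    for path in permanent:
        if current[path] is None:
            findings.append(("permanent", path, "deleted", RECOMMENDATION["permanent"]))
        elif current[path] != snapshot[path]:
            findings.append(("permanent", path, "modified", RECOMMENDATION["permanent"]))
    for path in changeable:
        if current[path] is None:
            findings.append(("changeable", path, "deleted", RECOMMENDATION["changeable"]))
    for name, check in custom_checks.items():
        if not check():
            findings.append(("custom", name, "failed", RECOMMENDATION["custom"]))
    return findings

def demo():
    """Build a throwaway directory, snapshot it, tamper with it and re-verify.
    Returns (findings before tampering, findings after tampering)."""
    root = tempfile.mkdtemp()
    binary, config, logfile = (os.path.join(root, n) for n in ("service.bin", "service.conf", "service.log"))
    for path, data in ((binary, b"\x7fELF-placeholder"), (config, b"debug=off\n"), (logfile, b"started\n")):
        with open(path, "wb") as fh:
            fh.write(data)
    permanent, changeable = [binary, config], [logfile]
    def debug_disabled():                      # custom configuration check
        with open(config, "rb") as fh:
            return b"debug=off" in fh.read()
    checks = {"debug-disabled": debug_disabled}
    snapshot = take_snapshot(permanent + changeable)
    before = verify(snapshot, permanent, changeable, checks)
    # Simulate tampering: patched binary, debug switched on, log removed.
    with open(binary, "ab") as fh:
        fh.write(b"patched")
    with open(config, "wb") as fh:
        fh.write(b"debug=on\n")
    os.remove(logfile)
    return before, verify(snapshot, permanent, changeable, checks)
```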
Protecting against Threats to Integrity:
Like confidentiality, integrity can also be compromised by hackers, unprotected downloaded files, LANs, unauthorized user activities, and unauthorized programs like Trojan horses and viruses, because each of these threats can lead to unauthorized changes to data or programs. For example, an unauthorized user can corrupt or change data and programs intentionally or accidentally if their activities on the system are not properly controlled.
Generally, three basic principles are used to establish integrity controls:
Need-to-know access: Users should be granted access only to those files and programs that they need in order to perform their assigned job functions.
Separation of duties: To ensure that no single employee has control of a transaction from beginning to end, two or more people should be responsible for performing it.
Rotation of duties: Job assignments should be changed periodically so that it becomes more difficult for users to collaborate to exercise complete control of a transaction and subvert it for fraudulent purposes.
Integrity Models – Integrity models are used to describe what needs to be done to enforce the information integrity policy. There are three goals of integrity, which the models address in various ways:
• Preventing unauthorized users from making modifications to data or programs.
• Preventing authorized users from making improper or unauthorized modifications.
• Maintaining internal and external consistency of data and programs.
