Monday, June 3, 2019

History Of Intruder Knowledge Versus Attack Sophistication Information Technology Essay

Intrusion detection is a necessary security base for any organization. It is a process of noticing or monitoring events like imminent threats or unexpected new attack paths, standard security practices, acceptable policies and existing attacks that occur in a network or computer. The detection process is mainly based on signs of incidents. The process which attempts to block these detected incidents is known as intrusion prevention. Both the Intrusion Detection System (IDS) and the Intrusion Prevention System (IPS) are principally focused on logging information, identifying incidents, blocking incidents and reporting incidents to the administrator. The main problem when handling an IDS is the analysis of the generated events, because in a busy network there will be so many events to analyse with the help of monitoring tools and devices, and it is very hard to manage due to unwanted outcomes, undetected threats and unmanageable threats. These threats can cause serious damage to the network or organization.

Research Question and Objectives

Every organisation recurrently faces problems because of threats. As an Information Systems Security student I would like to do some research in intrusion detection systems. My main aim is to do an experiment on a Network based Intrusion Detection System (NIDS) with the help of Snort to detect web based attacks. Presently, how is the security infrastructure of organizations facing problems with imminent threats and malicious attacks? How can this be reduced by an intrusion detection system?
In what way can tools and techniques be used to experiment with network based attacks?

The research objectives are planning and implementing an IDS, monitoring for specific security threats and detecting them network wide, detecting malicious users on the network, proactive administration, regular network maintenance, 24/7 security event management, signature and protocol tuning, and alerting on and preventing the detected threats. Hopefully all these objectives can be achieved by implementing network security with Snort. Snort is a flexible, small, light-weight and cross platform tool which is very suitable for NIDS. While working on this research the network may also need some other intrusion detection tools like Suricata and Bro, which are also well known for NIDS, and the experiment will also examine the integration of OSSEC with the analyst console Sguil.

Literature Review

Intrusion Detection Systems (IDS) are vital modules of the defensive methods used to protect a network or computer system from abuse. A network attack detection system examines all inbound and outbound network activities and notices attacks on the network or computer. An IDS is a passive monitoring system: it alerts when suspicious activity takes place. It inspects the network traffic and data. It identifies probes, exploits, attacks and vulnerabilities. It responds to malicious events in several ways, like displaying alerts, logging events or paging an administrator. It can reconfigure the network and reduce the effect of malicious activities like worms and viruses. It precisely looks at intrusion signatures or hacker signatures so that it can distinguish worms or viruses from general system activities.
Intrusion detection is categorized as misuse detection, anomaly detection, passive and reactive systems, network based systems and host based systems.

Figure: History of Intruder Knowledge versus Attack Sophistication. Source: http://www.cert.org/archive/pdf/IEEE_IDS.pdf

Misuse detection

In misuse detection the IDS investigates the gathered information and compares it to a huge database of attack signatures. Primarily the IDS looks for particular attacks which were already documented. It is very similar to anti-virus software, because the detection software has a good collection of intrusion signatures in its database and compares packets against that database.

Anomaly detection

In anomaly detection the administrator provides the baseline: network traffic load state, typical packet size, breakdown and protocol. The anomaly detector compares the inspected network segment to the normal baseline and examines the anomalies.

Passive and Reactive systems

In passive systems the IDS perceives a potential security breach, signals alerts and logs information. In a reactive system the IDS reacts to suspicious and malicious activities either by shutting down the user or by reprogramming the firewall to stop or block network traffic from the malicious source.

Network based IDS

IDS are network or host based solutions. A network based intrusion detection system (NIDS) is an independent platform which categorizes network traffic and examines multiple hosts. They are hardware appliances, hence they consist of network intrusion detection capabilities. It does consist of hardware sensors which are located along the network or in the demilitarized zone. A NIDS gains access to network traffic by connecting to network hubs and switches, and they are configured for a network tap or port mapping. The sensor software will examine all the data packets which are going in and out of the network. NIDS are comparatively cheaper solutions than HIDS. They also need less training and administration, but they are not as flexible as HIDS.
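To make the difference between the misuse and anomaly detection approaches above concrete, here is a small added example (not part of the essay and not Snort's own code). The packet records, the signature database and the baseline are constructed samples; the signature entries are a toy stand-in for a Snort rule's protocol, port and "content:" pattern, not real rules.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str      # transport protocol, e.g. "tcp" or "udp"
    dst_port: int   # destination port
    size: int       # packet size in bytes
    payload: bytes  # application data

# Constructed signature database: (name, protocol, port, byte pattern).
# This is the "database of documented attacks" a misuse detector compares against.
SIGNATURES = [
    ("web directory traversal", "tcp", 80, b"../../"),
    ("cgi-bin probe", "tcp", 80, b"/cgi-bin/"),
    ("SMB probe", "tcp", 445, b"\xffSMB"),
]

# Constructed baseline an administrator supplies to an anomaly detector:
# the protocol/port pairs normally seen and the largest normal packet size.
BASELINE = {
    "services": {("tcp", 80), ("tcp", 443), ("tcp", 445), ("udp", 53)},
    "max_size": 1500,
}


def misuse_detect(packets, signatures=SIGNATURES):
    """Misuse detection: report every packet that matches a known signature."""
    alerts = []
    for i, p in enumerate(packets):
        for name, proto, port, pattern in signatures:
            if p.proto == proto and p.dst_port == port and pattern in p.payload:
                alerts.append((i, name))
    return alerts


def anomaly_detect(packets, baseline=BASELINE):
    """Anomaly detection: report every packet that deviates from the baseline."""
    alerts = []
    for i, p in enumerate(packets):
        if (p.proto, p.dst_port) not in baseline["services"]:
            alerts.append((i, f"{p.proto}/{p.dst_port} not in baseline"))
        elif p.size > baseline["max_size"]:
            alerts.append((i, f"size {p.size} exceeds baseline {baseline['max_size']}"))
    return alerts

# Constructed sample traffic: a normal request, a documented attack on a normal
# port, an oversized DNS packet, an SMB probe, and traffic to an unknown service.
SAMPLE_PACKETS = [
    Packet("tcp", 80, 300, b"GET /index.html HTTP/1.1"),
    Packet("tcp", 80, 320, b"GET /../../private/config HTTP/1.1"),
    Packet("udp", 53, 9000, b"\x00" * 64),
    Packet("tcp", 445, 200, b"\x00\x00\x00\x85\xffSMBr"),
    Packet("tcp", 4444, 100, b"id\n"),
]
```

Running both detectors over SAMPLE_PACKETS shows the trade-off the essay describes: the signature matcher catches only the two documented attacks, while the baseline check flags only the oversized DNS packet and the unknown service, missing the attacks that look like normal traffic.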
A NIDS must have good bandwidth Internet access and regular updates of the latest worm and virus signatures. The best example is Snort.

Host based IDS

Host based intrusion detection systems (HIDS) are not suitable for real time detection. They have to be configured properly to be used in real time. They have software agents which are installed on individual host computers within the system. It analyses the packets going in and out from the specific computer where the intrusion detection software is installed. It also examines the application logs, system calls and file system changes. HIDS can provide some additional features which are not there in NIDS. For instance, HIDS are capable of inspecting activities which can only be performed by the administrator. It detects modifications in key system files and can also examine attempts to overwrite key files. Trojan and backdoor installation can be detected and stopped; these particular intrusions are not generally seen by NIDS. HIDS must have Internet access and also frequent updates of worm and virus signatures. Application based IDS are also a portion of HIDS. The best example is OSSEC.

Figure: IDS Protection. Source: http://www.cert.org/archive/pdf/IEEE_IDS.pdf

Intrusion detection system (IDS) vs. Intrusion prevention system (IPS)

Most people believe that IDS and IPS work similarly and that IPS is the future of IDS. But it is like comparing an apple and a banana. These two solutions are very different from each other. IDS is passive, it monitors and detects, but IPS is an active prevention system. The IDS drawbacks can be overcome by implementation, management and proper training. IDS is a cheaper implementation than IPS. However, by looking at IPS benefits most people believe that IPS is the next generation of IDS. The main point to remember is that no single security device can prevent all attacks all the time. IDS and IPS work satisfactorily when they are integrated with some additional and current security solutions.
The combination of firewall and IDS gives protection to the system, so IPS is usually considered as next generation IDS. Presently IPS also has both types, HIPS and NIPS, like IDS. IPS can take some more actions like dropping the malicious data packets, sending an alarm, reorganizing the connection and/or stopping the traffic from the malicious IP address, correcting CRC errors and a few more like cleaning up unwanted network and transport layer options.

Snort

Snort is free and open source software which is used for network intrusion detection (NIDS) and network intrusion prevention (NIPS). Martin Roesch was the creator of Snort in 1998, but now it is maintained by a network security software and hardware company known as Sourcefire. Roesch is the founder and Chief Technical Officer of Sourcefire. The latest version is 2.9.0.5 and it was released on 6th April 2011. It is written in the C language and is cross-platform so that it can run on any operating system. It is also licensed under the GNU General Public License. Over a decade Snort has been recognized as the most prominent software in the security industry.

Snort is a great piece of software used for NIDS. It has the ability to perform real time traffic analysis, protocol analysis, content matching, Internet Protocol network packet logging and content search. It can even examine probes or attacks, buffer overflows, OS fingerprinting, common gateway interface attacks, stealth port scans and server message block probes. Snort is mainly configured in three modes: network intrusion detection, sniffer and packet logger. In NIDS mode it examines network traffic and inspects it against the ruleset provided by the user. As a sniffer it reads all network data packets and displays them on the user console. As a packet logger it writes all logged packets to the hard disk. Some 3rd party tools like Snorby, RazorBack and BASE interface with Snort for administration, log analysis and reporting. Snort provides dramatic power, speed and performance.
It is light weight and protects against the latest dynamic threats with a rules based detection engine. Its source code and ruleset are regularly revised and tested by worldwide security professionals. It is the most popular IDS and IPS solution with more than 205,000 registered users. There are at least 25 companies that are integrated with Snort for network security assistance.

Figure: Snort vs. Suricata vs. Bro. Source: http://blog.securitymonks.com/2010/08/26/three-little-idsips-engines-build-their-open-source-solutions/

Suricata and Bro

Suricata is also open source and is used for IDS and/or IPS. The Open Information Security Foundation (OISF) has developed it. The first standard release was in July 2010. It was written in the C language and can run on Linux, Mac and Windows operating systems. It is licensed under the GNU General Public License. Suricata is a new tool when compared with other open source IDS and the very best in all respects, as shown in the above figure. As it is new software there are not many research papers and journals. Bro is open source and UNIX based, and it is used for NIDS. It was written by Vern Paxson and licensed under BSD. It runs on any Linux based operating system. These two tools are very good, but there is not much research and literature on them. Still, these two are quite good when compared to Snort.

OSSEC and SGUIL

OSSEC is an open source HIDS. It does log analysis, rootkit detection, Windows registry monitoring, active response and integrity checking. It offers IDS for all Linux, Mac and Windows operating systems because it has a centralized cross platform design. It was written by Daniel B in 2004. SGUIL is a pool of free software modules for Network Security Monitoring and IDS alerts. It was written in Tcl/Tk and runs on any OS which supports Tcl/Tk. It integrates with Snort and generates alert data and session data from SANCP. Full content can be retrieved by running Snort in packet logger mode.
Sguil is an application for Network Security Monitoring (NSM).

Critical Evaluation

The gathered information from different sources gives a brief idea of the research. The literature covers all the aims and objectives of the research, which were drawn and supported from the pool of journals, research papers, white papers, blogs and wikis. The introduction gives the overall idea of the research that is going to take place. The research question focuses on the area of interest and the research area. The objectives mention the clear tasks which are going to be achieved, and it is designed as a step by step procedure: starting with planning and implementation of the IDS, followed by the steps that have to be achieved in the research area, and ending with some necessary applications like Snort, OSSEC and SGUIL, which are very important to achieve the most out of intrusion detection.

The literature review covers almost each and every necessary step that is required in the research area. It is also very relevant to the research area and completely confined to it without any deviations. Intrusion detection and the different types of IDS are clearly explained. Host based intrusion detection systems and network based intrusion detection systems are clearly explained with the help of graphical images. The differences between IDS and IPS are mentioned and it also explains why IPS is more powerful. Lastly, the main applications like Snort, Suricata, Bro, OSSEC and SGUIL are completely covered with their features. But the interesting finding during the literature search is Suricata and Bro. Both are very good for IDS and they have more advanced features than Snort. However there is very little research done in that area. So there is a need for qualitative data by interviewing some security professionals and lecturers.
At last, in brief, the literature covers all the parameters of the research question, objectives, methods and outcomes of different IDS, and the applications which are suitable for IDS are well made and documented.

Research Methods and Methodology

I would like to do the research according to the inductive process because I am sure about the topic and I want to know the outcomes of the experiment. As inductive research moves from a specific point to the general, I selected it and started working. In this research I am planning to implement an experiment in a small network with some applications. I am using this methodology and these methods for the sake of researching, investigating and evaluating the research area. I have got a set of research problems and classifications. According to the inductive research approach I have set some aims to achieve. As a next step I collected a pool of the information required, organized what was required out of it, analysed the information and evaluated the literature, planning the experiment in all possible ways to detect more threats even in a busy traffic network.

Now it is an important time to start my experiment, but before that I have to do some qualitative research by conducting interviews about Suricata and Bro because I need some assistance on Suricata and Bro to take advantage of them. I am not interested in a survey because as they are new applications people might know less about them and I think it is a waste of time. Case study and field study are also better to do because they can have a deeper look at the issue or problem. But the problem with field study is that it may consume more time and it is very expensive. A quantitative method will be used for analysing some numerical values, graphs and proportions.
Experiment design can be categorized by certain criteria: controlled experiment, cross-sectional designs, quasi experimental designs and pre experimental designs. Methodologies discussed in the literature review are from the user view, so I might be vulnerable to attack and have to plan well for the implementation of the experiment. These vulnerabilities can be fixed by face to face interviews with security professionals and can also be done by narrowing the hypothesis. After the experiment the observations and analysis must be tested against the hypothesis of the proposed theory. Finally I will use both quantitative and qualitative methods for the data collection process. I have planned to continue my experiment with the same inductive research approach.

Objectives and methods:
Planning and implementation of IDS: literature review, research papers and interviews
Detection process: literature review, case study and research papers
Network maintenance, proactive administration and security management: literature review, white papers, blogs, case studies
Signature and protocol tuning: interviews, updates from on-going research and literature reviews
Implementing security management tools: interviews, case studies and some more qualitative approaches worked out

Issues of access and ethics

Potential outcomes

Expected Impact

The experiment's impact would be very informative and extremely useful in the field of intrusion detection. The research will clearly show the intrusion events and block them even at busy network traffic times. It may also show some new advantages because of Suricata and Bro. In my opinion this research is going to detect and block all the intrusions up to date. Depending upon the qualitative approach some more methods of Suricata and Bro can be implemented in the network to get the best out of it.

Conclusion

The research at first started with a study of intrusion detection and afterwards I have drawn some boundaries with the following objectives.
During the literature collection I found some other interesting tools like Suricata and Bro which are predominantly better than Snort. Though they are good, I couldn't find much literature and research in that area with them. So finally I decided to do an experiment on IDS with a small network consisting of a Snort IDS, and secondarily I am planning to keep one computer with a Suricata IDS and another with a Bro IDS and see the difference between these three tools from another angle. If I am successful the dissertation can end up like Snort vs Suricata vs Bro, or else at minimum I can be successful with Snort. Using the research methodology of data collection and critical evaluation the literature work is investigated and evaluated. Lastly the outcomes of the theory are assumed from the research. I have already spoken to Neil regarding my dissertation idea and selected him as my supervisor. Finally I thank Neil Richardson and Louise Webb for providing me this opportunity.
