2nd International Conference on Multidisciplinary Research & Practice
P a g e | 290
Different Tools and Types of Intrusion Detection System with Network Attacks “T&T-IDSys” - A Review
Tapan P. Gondaliya (1), Hiren D. Joshi (PhD) (2), Hardik J. Joshi (3)
(1) Research Scholar, School of Computer Science, RK University, Rajkot, Gujarat (India)
(2) Associate Professor, School of Computer Science, Dr. Babasaheb Ambedkar Open University, Ahmadabad, Gujarat (India)
(3) Assistant Professor, School of Computer Science, Gujarat University, Ahmadabad, Gujarat (India)
Abstract:- This is the era of web and cloud based technology, and the internet plays a very large role in it. The internet is a hostile environment for networked computers. For almost every activity we need the internet, for purposes such as online transactions, online shopping and many online businesses. Network security is a crucial and very important part of information security because it is responsible for securing all the information passed through a computer network. In this type of environment we need cyber security that protects against the different kinds of attacks, viruses and heavy inside as well as outside traffic. Security is one of the biggest challenges for the network as well as from the researcher's point of view. So in this paper we first describe the different kinds of cyber attacks and summarize them; in the next segment we explain how we can protect against the different kinds of attacks and inside/outside traffic using an Intrusion Detection System, and we also describe and differentiate the types of IDS; in the final segment we compare some of the IDS tools and their characteristics.
General Terms:- Intrusion Detection System, Types of IDS, Comparative study of the different IDS Tools, Cyber Attacks and their summary
Keywords:- Network Security, Cyber Attacks, Intrusion Detection System, Network Intrusion Detection System (NIDS), Host Intrusion Detection System (HIDS), IDS Tools
I. INTRODUCTION
In recent years hacking and intrusion incidents have increased very fast because of the growth of technology. Sorry to say, but in today's inter-connected e-commerce world there is no hiding place: you can be found through a wide variety of means: DNS, name server lookup, nslookup, newsgroups, web site trawling, e-mail properties and so on. [1] Cyber security is a key concern in today's era of computerization, to secure and safeguard the data, network resources and other kinds of critical information of an organization or company. [2] Due to insufficient information security, various kinds of cyber crimes occur, such as different kinds of cyber attacks, intruder threats and viruses. Basically cyber security means a set of activities, divided into two parts, technical and non-technical, for protecting the data or information, computer devices, network resources and other critical information stored therein from unauthorized access, modification, disruption and disclosure. [1]
II. NETWORK ATTACKS
Basically attacks are the kinds of techniques that attackers use to exploit the vulnerabilities in different kinds of online applications as well as websites. Attacks are frequently confused with vulnerabilities, so try to be sure that the attack you are describing is something that an attacker would do, rather than a weak point in a website or online software. There are many attacks; here we describe some of them in brief.
III. TYPES OF NETWORK ATTACKS
Nowadays, without security your data is not safe and secure, because attackers are everywhere and are very skilled and knowledgeable people who already know how to exploit vulnerabilities. [3] These attackers carry out different kinds of attacks on our network security system. Here we mention different kinds of attacks, which are basically divided into two categories. Some attacks are passive, meaning information is monitored; others are active, meaning the information is modified with intent to corrupt or destroy the data or the network itself. [4]
3.1 Phishing Attack:- “Phreaking + Fishing = Phishing” [7]
Phishing is a technique that is basically used for an illegal attempt to acquire sensitive information such as passwords, user ids and debit card details for malicious reasons, by masquerading as an honest entity in an electronic communication. [5] In this kind of attack attackers use the concept of social engineering to steal confidential information, and the most common target of this kind of attack is the victim's banking account details and credentials. [6] In this kind of attack an unknown person sends thousands of fraudulent e-mails that appear to come from websites you trust, like your bank or credit card company, and requests that you provide personal information. [6]
Fig-1 Phishing attack to find out credentials [9]
3.2 Eavesdropping Attacks:- "Listen in" or interpret (read) [4]
In a big organization or company, eavesdropping attacks are among the biggest security problems that network administrators face. In general the majority of network communications occur in an unsecured format, which allows an attacker who has gained access to data paths in your network to "listen in" or interpret (read) the traffic. [4] Network eavesdropping is also called network sniffing. This type of attack is called a network layer attack. Basically this kind of attack consists of capturing packets transmitted over the network by others' computers and reading the data content in search of sensitive information like user names, passwords, session tokens, or any other kind of confidential information. [8]
Fig-2 Eavesdropping Attacks [10]
3.3 Spoofing Attack:-
This technique is used to masquerade a person, program or address as another by falsifying data with the purpose of unauthorized access. Here we describe some of the spoofing attack types, such as IP spoofing, ARP spoofing, DNS spoofing and e-mail spoofing. [6]
IP spoofing:- This technique of attack is also known as IP address forgery, or a host file hijack. In this attack a cracker masquerades as a trusted host to conceal his identity, spoof a web site, hijack a browser, or gain access to a network. [11] This kind of spoofing is often used in DoS attacks. [6]
ARP spoofing:- This kind of attack technique is also called ARP cache poisoning or ARP poison routing. In this technique the attacker sends spoofed ARP messages on the local network. The main goal of the attacker is to associate his MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. [6]
DNS spoofing:- This kind of attack is also called DNS cache poisoning. Generally in this attack wrong data is entered into the DNS cache server, causing the DNS server to divert traffic by returning wrong IP addresses as results for client queries. [6]
Email spoofing:- E-mail is the most powerful and very useful application all over the world. Nowadays e-mail is not a safe and secure application because of attackers. E-mail sender spoofing is a key problem of the e-mail system over the internet. E-mail spoofing is a kind of malicious activity in which the source is altered and presented as if the e-mail is coming from a trusted sender, while the mail basically comes from the attacker. [12] Examples of spoofing attacks are man in the middle attacks, routing redirect, source routing, blind snooping and flooding.
3.4 DoS & DDoS Attacks:- Denial of Service & Distributed Denial of Service
DoS attacks are basically designed to consume more resources so that other clients are unable to use the resources. In a computer network environment the resources may be CPU, memory and bandwidth. A denial-of-service attack prevents normal use of your computer or network by valid users. After getting network access the attacker can do the following. [13]
Fig-3 DoS attacks scenario [14]
- Send improper data to applications or network services, which causes abnormal termination of the applications or services.
- Flood a computer or the entire network with traffic until it shuts down due to the overload.
- Distract the attention of your internal information systems staff so that they do not see the intrusion immediately, which allows the attacker to make more attacks during the diversion.
- Block traffic, which results in a loss of access to network resources by authorized users. [4]
3.5 Data Modification:-
This kind of attack is a type of active attack in which a real, authorized piece of data is altered, stopped, or delayed to produce an unauthorized effect on the data. In this attack the attacker edits or modifies particular data in the packets without the knowledge of the sender or receiver. [4]
Fig-4 Attacker interrupts between sender and receiver [14]
3.6 Man in the Middle Attacks:-
A man in the middle attack is the kind of attack whose meaning is the same as its name indicates. This attack occurs when some unknown person sits in the communication between sender and receiver, so that the unknown person with whom you are actually communicating is capturing, controlling and actively monitoring your communication transparently.
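Detection-side illustration of the ARP spoofing described in 3.3 and the LAN man in the middle it enables in 3.6, added here as an example and not taken from the paper: it watches the IP-to-MAC bindings announced in ARP replies and raises an alert when a known IP changes MAC or one MAC answers for several IPs. The record format, the sample replies, the gateway address and the function names are all constructed for this example.

```python
"""Added example (not from the paper): detecting ARP cache poisoning by
watching IP-to-MAC bindings announced in ARP replies. The record format,
the sample replies and the gateway address are all constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start (constructed)
    sender_ip: str     # IP address the reply claims to own
    sender_mac: str    # MAC address the reply says that IP lives at


# Constructed sample: legitimate gateway and host replies, then a rogue MAC
# claiming the gateway's IP and, shortly after, the host's IP as well.
SAMPLE_REPLIES = [
    ArpReply(1.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(1.5, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    ArpReply(2.0, "192.168.1.1", "de:ad:be:ef:00:99"),
    ArpReply(2.2, "192.168.1.20", "de:ad:be:ef:00:99"),
]


def detect_arp_spoofing(replies, gateway_ip, trusted=None):
    """Return alerts as tuples. Replies are processed in time order with two checks:

    1. "mac-change": an IP whose MAC differs from the first binding seen, or
       from a pre-seeded trusted table (the static-ARP approach). Without a
       trusted table a rogue that answers first would simply be learned, so
       seeding the gateway binding is the stronger configuration.
    2. "multi-ip": one MAC answering for more than one IP, the shape of a
       two-sided poisoning that places the attacker between two parties.
    """
    bindings = dict(trusted or {})          # ip -> mac
    ips_per_mac = defaultdict(set)          # mac -> {ip, ...}
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        known = bindings.get(r.sender_ip)
        if known is None:
            bindings[r.sender_ip] = r.sender_mac   # first sighting: learn it
        elif known != r.sender_mac:
            target = "gateway" if r.sender_ip == gateway_ip else "host"
            alerts.append(("mac-change", target, r.sender_ip, known, r.sender_mac))
        ips_per_mac[r.sender_mac].add(r.sender_ip)
        if len(ips_per_mac[r.sender_mac]) > 1:
            alerts.append(("multi-ip", r.sender_mac,
                           tuple(sorted(ips_per_mac[r.sender_mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, "192.168.1.1"):
        print(alert)
```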
IV. INTRUSION DETECTION SYSTEM
Fig-5 Scenario of Man in the middle attacks [15]
An intrusion detection system is a kind of software or application that is basically designed for detecting, blocking and reporting unauthorized activity in the whole network system. [16] Intrusion detection systems do exactly as the name suggests: they detect possible intrusions. More specifically, the main aim of an IDS is to detect computer attacks and computer misuse, and to alert the proper individuals upon detection. [1]
Fig-6 Activity of IDS [1]: (1) Sensor: continually monitors activities; (2) Analysis: automatically recognizes suspicious, malicious or inappropriate activities; (3) Response: triggers alarms to the system administrator.
Fig-7 Classification of Intrusion Detection System: Technique of IDS (Signature Based, Anomaly Based); Types of IDS (NIDS, HIDS, Hybrid); Structure of IDS (Centralized, Distributed).
An IDS is a collection of techniques for detecting suspicious activity from both sides, at the network level as well as the host level.
4.2 Characteristics of IDS:- An intrusion detection system monitors all the systems, or sometimes a part of the system as per the administrator's need. Intrusion detection can be openly advertised or be stealthy. Intrusion detection occurs either during an intrusion or after it. If any restricted activity happens in the network, the IDS produces an alarm and keeps a log of that restricted activity for future use or reporting purposes. Intrusion detection can produce an alarm or it can produce an automatic response as well.
4.3 IDS Techniques:- Intrusion detection techniques are mainly divided into two basic categories: signature based intrusion detection and anomaly detection. [1] A signature based IDS monitors the packets on the network and compares them against a database of signatures or attributes from known malicious threats. This is just like the way most antivirus software detects malware. [17] Anomaly-based intrusion detection is a valuable technology to protect target systems and networks against malicious activities. [18] An anomaly based IDS is a kind of system for detecting computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. Classification is mainly rule based or heuristic based, rather than based on patterns or signatures, and attempts to detect any type of misuse that falls outside normal system operation. [19]
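The two techniques of 4.3 side by side on constructed traffic, added here as an example and not code from the paper: signature detection matches payloads against a small rule database, while anomaly detection learns a per-source packet-rate baseline from a clean window and flags sources outside it, which also catches the flooding behaviour of the DoS attacks in 3.4. The packet tuples, the rules, the IP addresses and the function names are all constructed for this example.

```python
"""Added example (not from the paper): signature-based versus anomaly-based
detection on constructed traffic. Packets are (source IP, dest port, payload)."""
import re
import statistics
from collections import Counter


def _http(src, n, path="/"):
    """Build n benign HTTP request packets from one constructed source."""
    return [(src, 80, f"GET {path} HTTP/1.1")] * n


# A quiet, clean window used to learn what "normal" looks like.
BASELINE_TRAFFIC = (_http("10.0.0.5", 3) + _http("10.0.0.6", 4)
                    + _http("10.0.0.7", 2) + _http("10.0.0.8", 3))

# The window under observation: one known-bad payload, one flooding source.
OBSERVED_TRAFFIC = (
    _http("10.0.0.5", 2, "/index.html")
    + [("10.0.0.7", 80, "GET /login?user=admin' OR '1'='1 HTTP/1.1")]
    + [("10.0.0.5", 22, "SSH-2.0-OpenSSH_8.9")]
    + _http("10.0.0.9", 40)          # 40 requests from one host: DoS-like rate
)

# Signature database in the spirit of a NIDS rule set: rule name -> payload pattern.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}


def signature_detect(packets, signatures=SIGNATURES):
    """Misuse detection: (src, port, rule) for every payload that matches a rule."""
    return [(src, port, name)
            for src, port, payload in packets
            for name, pattern in signatures.items()
            if pattern.search(payload)]


def build_baseline(packets):
    """Learn 'normal': mean and population stdev of packets per source."""
    counts = Counter(src for src, _, _ in packets)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_detect(packets, baseline, k=3.0):
    """Flag sources whose packet count exceeds mean + k * stdev of the baseline.
    The stdev is floored at 1 so a very uniform baseline does not turn every
    small deviation into an alert, one common source of anomaly-IDS false positives."""
    mean, stdev = baseline
    threshold = mean + k * max(stdev, 1.0)
    counts = Counter(src for src, _, _ in packets)
    return sorted(src for src, n in counts.items() if n > threshold)


def run_both(observed=OBSERVED_TRAFFIC, clean=BASELINE_TRAFFIC):
    """Each technique catches what the other misses: the injection attempt is a
    single packet (no rate anomaly) and the flood carries benign payloads (no signature)."""
    return {"signature": signature_detect(observed),
            "anomaly": anomaly_detect(observed, build_baseline(clean))}


if __name__ == "__main__":
    print(run_both())
```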
4.4 IDS Types:- An intrusion detection system is basically divided into two types. One is the network based intrusion detection system (NIDS) and the second is the host based intrusion detection system (HIDS); last but not least, the combination of both is the hybrid type of intrusion detection system. All these types are described below.
4.4.1 NIDS:- A network based intrusion detection system monitors the data traffic activity taking place on a particular network. [1] A NIDS analyzes the data packets that travel over the whole network or a subnet. A NIDS works in promiscuous mode; it first identifies and detects the attack and then sends an alert to the administrator. [20] In general a NIDS detects different kinds of activity such as unauthorized outsider access, bandwidth theft and denial of service; there are also some possible downsides to NIDS. [1]
4.4.2 HIDS:- Host based intrusion detection systems were the first intrusion detection systems developed and implemented [1]; they basically work on an individual host or device on the network. [20] This type of IDS collects and analyzes the data of the host or device. A HIDS monitors the outbound and inbound data traffic of the particular host or device and will notify the admin or the user if suspicious activity is found. It also compares two snapshots of the files, the existing system files and the previous system files, and if a file is deleted or modified then an alert is sent to the administrator. [20]
4.4.3 Hybrid IDS:- The hybrid intrusion detection technique is one of the best techniques from the network point of view, because it is a combination of both of the above, host based IDS and network based IDS. It works in both fields, whether at the network level or at the host level.
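The snapshot comparison that 4.4.2 describes for a HIDS, written out as an added example (not from the paper, and not the code of Tripwire, AIDE or OSSEC): a baseline maps each file to its size and SHA-256 digest, a later snapshot is diffed against it, and the baseline itself is sealed with an HMAC so that a tampered baseline database is noticed. The directory layout, file contents and key are constructed for this example.

```python
"""Added example (not from the paper): HIDS-style file integrity check with
a sealed baseline. All paths, contents and the key are constructed."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def snapshot(root, algorithm="sha256"):
    """Map each regular file under root (POSIX-style relative path) to (size, hex digest)."""
    root = Path(root)
    snap = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.new(algorithm)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        snap[path.relative_to(root).as_posix()] = (path.stat().st_size, h.hexdigest())
    return snap


def compare(previous, current):
    """Diff two snapshots into sorted lists of added / deleted / modified paths."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "added": sorted(cur_keys - prev_keys),
        "deleted": sorted(prev_keys - cur_keys),
        "modified": sorted(k for k in prev_keys & cur_keys if previous[k] != current[k]),
    }


def seal(snap, key):
    """Serialize the baseline deterministically and tag it with HMAC-SHA256."""
    data = json.dumps(snap, sort_keys=True).encode()
    return data, hmac.new(key, data, "sha256").hexdigest()


def load_sealed(data, tag, key):
    """Refuse a baseline whose tag no longer matches (constant-time comparison)."""
    if not hmac.compare_digest(hmac.new(key, data, "sha256").hexdigest(), tag):
        raise ValueError("baseline database failed its integrity check")
    return {k: tuple(v) for k, v in json.loads(data).items()}


def demo():
    """Constructed scenario in a temporary directory: baseline, tamper, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-original")
        data, tag = seal(snapshot(root), b"constructed-key")
        # Simulated tampering: a same-size binary swap (a size-only check would
        # miss it), a deleted config file and an unexpected new file.
        (root / "bin" / "ls").write_bytes(b"\x7fELF-trojaned")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "unexpected").write_text("# new file\n")
        return compare(load_sealed(data, tag, b"constructed-key"), snapshot(root))


if __name__ == "__main__":
    print(demo())
```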
4.5 NIDS vs. HIDS:- In this section we describe a characteristic-wise comparison of both intrusion detection systems, network based IDS and host based IDS, in tabular form.

| No. | Network based Intrusion Detection System | Host Based Intrusion Detection System |
|---|---|---|
| 1. | NIDS monitors the data traffic activity on the network. | HIDS works on a particular host or machine. |
| 2. | This type of intrusion detection is host independent. | This kind of intrusion detection is host dependent. |
| 3. | NIDS detects network attacks as the payload is analyzed. | HIDS detects local attacks before they hit the network. |
| 4. | NIDS is not suitable for switched networks or encrypted networks. | HIDS is well suited for encrypted and switched networks. |
| 5. | NIDS has high false positive rates compared to HIDS. | HIDS has low false positive rates. |
| 6. | NIDS responds in near real time. | HIDS responds after the suspicious entry. |
| 7. | Broad in scope compared to the host based intrusion detection system. | HIDS is narrow in scope and only monitors specific activity. |
| 8. | Lower cost of ownership. | HIDS does not require other additional hardware. |
| 9. | NIDS is bandwidth dependent. | HIDS is bandwidth independent. |
| 10. | Detects attacks from outside and detects attacks missed by the HIDS. | Detects attacks from inside and detects attacks missed by the NIDS. |

Table-1. NIDS vs. HIDS [21]
In the next phase we describe some of the intrusion detection tools and compare them parameter-wise: their features, advantages and disadvantages, whether they are paid or free, which operating systems and language they are written in, the year they were developed and who the authors are.

| Tool Name | Authors & Year | Features | OS & Lang Supported | Free/Paid | Advantages | Disadvantages |
|---|---|---|---|---|---|---|
| Snort | Marty Roesch, 1998 | Performs real-time traffic analysis; packet logging on Internet Protocol networks; content searching and content matching | Cross platform; written in C | Free & Open Source (NIPS) | Flexible application module design and ability to add and break in any software; efficient IDS | Limited shortfalls when it comes to anomaly detection |
| Honeyd | Niels Provos, 2007 | Allows the user to set up and run multiple virtual hosts on a computer network; provides threat detection and assessment | Linux, Unix; written in C | Free & Open Source | Monitors any TCP or UDP port on the entire network; free, open source and quick development; resists fingerprinting efforts by emulating the OS at IP stack level | Low interaction solution; no formal support for maintenance and troubleshooting |
| Sguil | Bamm Visscher, Steve Halligan, 2005 | Network Security Monitoring (NSM); event driven analysis of IDS alerts | Cross platform; written in Tcl/Tk | Free | Easier firewalling at the sensor and server end; easy to talk to the sensors from the server, for ssh sessions, SNMP polls, etc. | Complexity; double encryption: OpenVPN encrypts traffic, including traffic already encrypted by Sguil and autossh |
| Bro | Vern Paxson | Runs on commodity hardware on standard UNIX-style systems; real-time and offline analysis; fully passive traffic analysis off a network tap; support for many application-layer protocols (DNS, FTP, SSL, SSH, HTTP, SMTP) | Linux, Mac OS; written in the Bro scripting language | Open Source & Free | Bro-IDS is capable of performing application level deep packet inspection; Bro is capable of tunnel detection and analysis; Bro reassembles the packet stream prior to reaching the event engine | Bro requires a UNIX platform; Bro-IDS supports only Linux, FreeBSD and Mac OS; Bro-IDS only reports information to log files and does not have a graphical user interface |
| OSSEC | Daniel Cid, 2004 | Host based intrusion detection system; performs log analysis, file integrity checking and Windows registry monitoring | Linux, MacOS, Solaris, Windows; written in C | Open Source & Free | Analyzes logs from multiple devices and formats, including syslog devices, routers, switches and printers; OSSEC will not only monitor but also respond to threats; encrypts its database and configuration file | Upgrading to a new version is very difficult; coordinating pre-shared keys can be problematic |
| Tripwire | Gene Kim & Dr. Eugene Spafford, 1992 | Tripwire is a HIDS for monitoring and alerting on specific file changes on a range of systems; detects and reports any unauthorized changes to files and directories | Linux, POSIX & Unix; written in C | Open Source & Free | - | Does not generate real-time alerts upon an intrusion; does not detect any bugs that already exist in the system |
| Security Onion | Doug Burks, 2008 | Security Onion is an IDS, used for Network Security Monitoring, and also used for log management | Linux | Open Source & Free | Easy to use and implement | As a platform made up of several technologies, Security Onion inherits the drawbacks of each constituent tool |
| Suricata | OISF, 2010 | Suricata is a high performance network IDS, IPS and Network Security Monitoring engine; file identification, MD5 checksums and file extraction | FreeBSD, Linux, Unix, Mac OSX, Microsoft Windows; written in C | Open Source | Highly scalable; multi-threaded (Snort runs with a single thread); highly efficient; IPv6 support | Expensive on system resources, resulting in slow network connections; can cause false alarms in some cases |
| AIDE | Rami Lehti & Pablo Virolainen, 1999 | AIDE is a host based intrusion detection system; scans the file system content and logs the attributes of important files, directories and devices | UNIX; written in C | Free & Open Source | Verifies the integrity of the files; automatically generates daily reports; multiple hash algorithm support; generates checksums for each file | Does not encrypt and sign the baseline database by default; the AIDE report shows file changes only after the incident |

Table-2 Comparative study of Intrusion Detection Tools [22][23][24][25][26][27][28][29][30][31]
V. CONCLUSION
In this paper the authors first of all describe network attacks, the different types of network attacks and how they affect the network and the host or a particular system. In the next section the authors explain how to detect the different kinds of network attacks using an intrusion detection system, and the classification of IDS, which contains the types of IDS, the characteristics of IDS and the different types of IDS techniques; the authors then summarize the comparison between NIDS and HIDS. Finally the authors describe the different IDS tools and their comparative study.
REFERENCES
[1] Tapan Gondaliya, July 2014, “Intrusion Detection System in mobile ad hoc network in MAC layer”, EBook, Grin Publishing, ISBN: 978-3-656-69762-6
[2] Anoop Kumar Verma, Aman Kumar Sharma, April 2014, “Cyber Security Issues and Recommendations”, ijarcsse, Volume 4, Issue 4
[3] Inam Mohammad, Rashi Pandey, Aashiya Khatoon, May 2014, “A Review of types of Security Attacks and Malicious Software in Network Security”, ijarcsse, Volume 4, Issue 5, ISSN: 2277 128X
[4] Website, technet.microsoft.com, https://technet.microsoft.com/ens/library/cc959354.aspx
[5] Website, Wikipedia, “Phishing”, http://en.wikipedia.org/wiki/Phishing
[6] SebastianZ, Dec 2013, “Security 1:1 - Part 3 - Various types of network attacks”, Symantec, http://www.symantec.com/connect/articles/security-11-part-3various-types-network-attacks
[7] Dr. Harold L. “Bud” Cothern, “Phishing, Spoofing, Spamming and Security, How To Protect Yourself”, Microsoft Corporation, http://webpages.uncc.edu/wwang22/Teaching/2013Fall6167/IntroPhishing.ppt
[8] https://www.owasp.org/index.php/Network_Eavesdropping
[9] Cyberoam Blog, Feb 2014, “Phishing remains an inevitable part of most attacks”, Cyberoam, http://www.cyberoam.com/blog/phishing-remains-an-inevitablepart-of-most-attacks/
[10] http://etutorials.org/Networking
[11] Margaret Rouse, “IP Spoofing”, techtarget.com, http://searchsecurity.techtarget.com/definition/IP-spoofing
[12] S. Gupta, E. S. Pilli, P. Mishra, S. Pundir, R. C. Joshi, Dec 2014, “Forensic analysis of E-mail address spoofing”, IEEE, ISBN 978-1-4799-4237-4
[13] Ebook, Chapter 28, “Denial of Service (DoS) Attack Prevention”, AlliedWare OS Software Reference
[14] Website, Wikipedia, http://wiki.olc.edu/index.php/Active_attacks
[15] http://www.x-services.nl/certificate-pinning-plugin-for-phonegapto-prevent-man-in-the-middle-attacks/734
[16] Opinder Singh & Dr. Jatinder Singh, May 2012, “Comparative study of various Distributed Intrusion Detection Systems for WLAN”, Global Journal of Researches in Engineering: Electrical and Electronics Engineering, Volume 12, Issue 6, Online ISSN: 2249-4596, Print ISSN: 0975-5861
[17] Website, Wikipedia, “Signature based Intrusion detection system”, http://en.wikipedia.org/wiki/Intrusion_detection_system#Signature-based_IDS
[18] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, E. Vázquez, Aug 2008, “Anomaly-based network intrusion detection: Techniques, systems and challenges”, Elsevier
[19] Wikipedia, “Anomaly based intrusion detection system”, http://en.wikipedia.org/wiki/Anomalybased_intrusion_detection_system
[20] Wikipedia, “Intrusion detection system”, http://en.wikipedia.org/wiki/Intrusion_detection_system
[21] Ebook, Chapter 6, Marjan Kuchaki Rafsanjani, Oct 2009, “Evaluating Intrusion Detection Systems and Comparison of Intrusion Detection Techniques in Detecting Misbehaving Nodes for MANET”, DOI: 10.5772/8204
[22] Suhad Abbas Yasir, 2012, “Overhead Evaluation in Real-Time Network Intrusion Detection System Using Snort”, IASJ, Vol-7
[23] Blog, 2014, “Snort”, http://blog.snort.org/2014/12/introducingsnort-30.html
[24] Website, Wikipedia, http://en.wikipedia.org/wiki/Snort_(software)
[25] Balaji Darapareddy, Vijayadeep Gummadi, 2012, “An Advanced Honeypot System for Efficient Capture and Analysis of Network Attack Traffic”, ijett, Vol-3, Issue-5
[26] Surya Bhagvan Ambati, Deepti Vidyarathi, Dec 2013, “A brief study and Comparison of open source Intrusion detection system tools”, IJACEN, Issue-10, Vol-1
[27] Website, Wikipedia, “Tripwire”, http://en.wikipedia.org/wiki/Open_Source_Tripwire
[28] Blog, “Security Onion”, http://blog.securityonion.net/p/securityonion.html
[29] Doug Burks, “Security Onion”, http://www.securityonionsolutions.com/p/welcome-to-securityonion-solutions.html
[30] Blog, Joe Schreiber, Jan 2014, “Open Source Intrusion Detection Tools: A Quick Overview”, https://www.alienvault.com/blogs/security-essentials/open-sourceintrusion-detection-tools-a-quick-overview
[31] Himanshu Arora, March 2013, “Introduction to intrusion prevention systems”, IBM, http://www.ibm.com/developerworks/library/se-intrusion/
[32] Nitin Mohan Sharma, Tapan P. Gondaliya, May 2013, “Enhance IDS False Alarm Filtering Using KNN Classifier”, International Journal of Emerging Research in Management & Technology, Vol-2, Issue-5, ISSN: 2278-9359
[33] Tapan Gondaliya, Maninder Singh, “Intrusion Detection System on MAC Layer for Attack Prevention in MANET”, ICCCNT 2013, IEEE Xplore