An intrusion detection system (IDS) is a mechanism intended to detect abnormal or suspicious activity on the analyzed target (a network or a host). It thus provides knowledge of intrusion attempts, both successful and failed.

Families of intrusion detection systems

There are three main, distinct families of IDS:

  • NIDS (Network Based Intrusion Detection System), which monitor the security state at the network level.
  • HIDS (Host Based Intrusion Detection System), which monitor the security state at the host level.
  • hybrid IDS, which combine NIDS and HIDS to produce more relevant alerts.

HIDS are particularly effective at determining whether a host is compromised, while NIDS make it possible to monitor an entire network, unlike a HIDS, which is restricted to a single host.

NIDS

Introduction

A NIDS is divided into three main parts: capture, the alert signatures, and the alerts.

Capture
Capture is used to retrieve network traffic. In general this is done in real time, although some NIDS allow the analysis of previously captured traffic.

The majority of NIDS use the standard packet capture library libpcap. The "Packet Capture Library" has been ported to almost all platforms, which in general lets network IDS follow it onto those platforms as well.

The capture operation of a NIDS is therefore in general strongly tied to libpcap. Its mode of operation is to copy (under Linux) any packet arriving at the data link layer of the operating system. Once the packet is copied, a BPF (Berkeley Packet Filter) filter is applied to it, corresponding to the refinement of what the IDS seeks to recover as information.

It may happen that some packets are dropped, because under heavy load the OS will not copy them.

It should be noted that libpcap behaves differently in the BSD world, since it attaches to the device file /dev/bpf. This allows the NIDS to capture traffic without superuser rights: it only needs read permission on this file, on which the filters are compiled directly.

Also, the analyzed traffic is not necessarily equal to the inbound traffic, since libpcap acts at a layer below the firewall (which acts at the network level).
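The offline analysis mentioned above works on the file format libpcap writes. The following added example (not from the original article) constructs a small pcap file in memory, replays its records, and applies a predicate equivalent to the BPF expression "tcp dst port 80"; the frames, addresses and ports are constructed sample data.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # libpcap file magic, microsecond timestamps
LINKTYPE_ETHERNET = 1

def build_frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame used as sample input (not real traffic)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp     # Ethernet header, EtherType IPv4

def build_pcap(frames):
    """Serialize frames in the libpcap file format: global header, then one record each."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_pcap(data):
    """Yield (ts_sec, frame) from pcap bytes: offline replay of a saved capture."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def tcp_dst_port(port):
    """Predicate equivalent to the BPF expression 'tcp dst port <port>' on Ethernet/IPv4."""
    def match(frame):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            return False                               # not IPv4
        if frame[23] != 6:
            return False                               # IPv4 protocol field: 6 = TCP
        tcp_off = 14 + (frame[14] & 0x0F) * 4          # skip IP header (IHL in 32-bit words)
        return struct.unpack_from("!H", frame, tcp_off + 2)[0] == port
    return match

def count_matching(pcap_bytes, predicate):
    """Number of records the filter lets through, like a NIDS applying its BPF filter."""
    return sum(1 for _ts, frame in iter_pcap(pcap_bytes) if predicate(frame))

SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.80", 40000, 80, b"GET / HTTP/1.0\r\n"),
    build_frame("10.0.0.5", "10.0.0.53", 40001, 53),
    build_frame("10.0.0.6", "10.0.0.80", 40002, 80),
])
```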

Signatures
Signature libraries (the scenario-based approach) make the analysis step similar to that of antivirus products when they rely on attack signatures. Thus a NIDS is effective if it knows the attack, but ineffective otherwise. Commercial and free tools have evolved to offer customization of signatures in order to face attacks of which only some elements are known. Signature-based tools require very regular updates.

NIDS have the advantage of being real-time systems and of being able to discover attacks that target several machines at the same time. Their disadvantages are the high rate of false positives they generate, the fact that signatures always lag behind 0-day attacks, and the fact that they can themselves be the target of an attack.

Alerts
Alerts are generally stored in syslog. However, there is a standard that formalizes their content in order to allow various security components to interoperate. This format is called IDMEF (Intrusion Detection Message Exchange Format) and is described in RFC 4765. IDMEF is popularized by the Prelude project, which offers an infrastructure that spares the IDS from having to deal with sending alerts. The IDS then only has to describe the information it knows, and Prelude takes responsibility for storing it so that a human can view it later.

Pattern matching

Pattern matching is what allows a NIDS to find information in a network packet as quickly as possible. There are different pattern matching algorithms. Some are designed to return negative results as quickly as possible, such as E2xB; others, such as Boyer-Moore (BM), are interesting when little information is stored in memory. It is accepted that BM is more effective than the others when there are fewer than 100 signatures. There are also extensions to Boyer-Moore that are freed from these restrictions, as well as algorithms that are more precise and thus more interesting in the case of NIDS, such as Knuth-Morris-Pratt (KMP).

In the case of NIDS, pattern matching is often the bottleneck, able to consume more than eighty percent of computing time.

E2xB was specifically designed to meet the needs of NIDS. It is a pattern matching algorithm specific to the field of intrusion detection. It is an exclusion algorithm, because it starts from the principle that the majority of network packets do not match a signature identifying an intrusion attempt.
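The exclusion principle just described, as an added example that is not part of the original article: the packet is preprocessed once into the set of 2-byte sequences it contains, and any signature containing a bigram absent from that set is rejected without an exact search. The rule names and strings are constructed for illustration.

```python
def bigram_table(payload: bytes) -> set:
    """Preprocess the packet once: the set of every 2-byte sequence it contains."""
    return {payload[i:i + 2] for i in range(len(payload) - 1)}

def can_exclude(table: set, signature: bytes) -> bool:
    """Exclusion test: a signature whose bigrams are not all present in the
    packet cannot occur in it, so exact matching can be skipped entirely."""
    return any(signature[i:i + 2] not in table for i in range(len(signature) - 1))

def match_signatures(payload: bytes, signatures: list) -> tuple:
    """Return (names of matching signatures, number excluded without exact search,
    number that needed exact verification)."""
    table = bigram_table(payload)
    hits, excluded, verified = [], 0, 0
    for name, sig in signatures:
        if len(sig) >= 2 and can_exclude(table, sig):
            excluded += 1                 # the common case: fast negative
            continue
        verified += 1                     # all bigrams present: may still be a false candidate
        if sig in payload:
            hits.append(name)
    return hits, excluded, verified

# Constructed rule set and payloads (names and strings are illustrative).
SIGNATURES = [
    ("http-get", b"GET /"),
    ("shell-cmd-exe", b"cmd.exe"),
    ("unix-passwd", b"/etc/passwd"),
    ("abcdab-demo", b"abcdab"),
]
BENIGN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"
# Every bigram of "abcdab" (ab, bc, cd, da) appears below, yet the string itself does not:
# exclusion cannot rule it out, so exact matching must still run and will reject it.
CANDIDATE_ONLY = b"abcd cdab"
```

The second payload shows why exclusion is only a filter: it never produces a false negative, but a candidate that survives it still has to be verified exactly.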

External links
Exact string matching algorithms

Analysis

Starting from the elements described above, the analysis engine relates them to one another using several techniques: reassembly, protocol dissection, or behavioral analysis.

Reassembly
Packets exceeding a certain size (in general 1500 bytes) are fragmented. This made NIDS vulnerable to the Stick and Snot attacks, because fragmented packets were not analyzed.

A NIDS must reassemble packets before analyzing them, so as not to miss an attack. This is a relatively complex operation, since each destination host does not reassemble in the same way, depending on the operating system targeted by the attack. It is still a usable evasion technique today, because NIDS are not necessarily configured correctly to handle a specific case.
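Why the destination's reassembly behaviour matters, as an added example that is not from the original article: the same fragments reassemble to different bytes depending on whether the first or the last received data wins on an overlap, so a NIDS that models the wrong policy analyzes a payload the host never sees. The fragment sets are constructed and carry no IP headers.

```python
def reassemble(fragments, policy="first"):
    """Rebuild a datagram payload from (offset, data) fragments in arrival order.
    policy="first": bytes already received keep their value when a later fragment overlaps.
    policy="last":  a later overlapping fragment overwrites what was there.
    Returns None when the fragments leave a hole, i.e. the datagram is incomplete."""
    total_len = max(off + len(data) for off, data in fragments)
    buf = bytearray(total_len)
    filled = [False] * total_len
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
            filled[pos] = True
    return bytes(buf) if all(filled) else None

def policies_disagree(fragments):
    """True when the reassembled bytes depend on the host's overlap policy: a NIDS that
    guesses the wrong policy analyzes a different payload than the target receives."""
    return reassemble(fragments, "first") != reassemble(fragments, "last")

# Constructed fragment sets (offsets in bytes, arrival order as listed).
CLEAN = [(0, b"GET /inde"), (9, b"x.html")]
OVERLAP = [(0, b"GET /inde"), (9, b"x.html"), (5, b"admin")]   # third fragment overlaps 5..9
INCOMPLETE = [(0, b"GET /"), (9, b"x.html")]                   # bytes 5..8 never arrive
```

A defensive NIDS either learns each host's policy or raises an alert on overlapping fragments themselves, since legitimate stacks rarely produce them.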

Dissection

Dissection makes it possible to understand a given protocol and to decode it in order to analyze it. It is the most sensitive part of a NIDS, because it is the largest attack vector.

However, dissection is essential for certain protocols, such as RPC, in order to detect attacks that would be invisible without it. This stage also makes it possible to extract a precise field of an application protocol, which can simplify the writing of signatures.

HIDS

HIDS, for Host-based IDS, meaning "host intrusion detection system", are IDS dedicated to a piece of hardware or an operating system. Generally, unlike NIDS, a HIDS retrieves information given to it by the hardware or the operating system. There are several approaches for this: signatures, behavior (statistics), or delimitation of the perimeter with a system of ACLs. A HIDS behaves like a standard daemon or service on a host system and detects suspicious activity by reference to a norm. If activity deviates from the norm, an alert is generated. The machine can be monitored on several points:

  • Machine activity: number and list of processes and users, resources consumed, ...
  • User activity: connection times and durations, commands used, messages sent, programs launched, exceeding the defined perimeter, ...
  • Malicious activity of a worm, virus, or Trojan horse

Another type of HIDS looks for intrusions in the kernel of the system and for the modifications made there. Some call this technique "protocol analysis". Very fast, it does not require searching a signature database. Examples of checks for Windows:

  • EPROCESS (kernel-mode data structure containing information that can be used to hide a process),
  • processes running in kernel mode,
  • system software functions or device management functions present in the PC,
  • SSDT (System Service Descriptor Table), the table Windows uses to direct system calls to the appropriate handler: an address table,
  • etc.

The advantage of a HIDS is that it produces few false positives, which makes for relevant alerts. As for its disadvantages, a HIDS must be configured per workstation and requires a configuration for each system.

Hybrid IDS

Hybrid IDS are based on a distributed architecture in which each component standardizes its alert format (typically IDMEF), allowing the various components to communicate and to extract more relevant alerts.

The advantages of hybrid IDS are multiple:

  • Fewer false positives
  • Better correlation
  • Possibility of reacting on the analyzers

Correlation

Correlation is a link between two or more elements, in which one of these elements creates or influences another.

Ideally it requires a hybrid IDS, because the more heterogeneous the information about an event, the more relevant the correlation. Since the formats have been standardized (IDMEF), all that remains is to make associations in order to detect alerts that would never have been raised on a single analyzer.

Take the example of a failed authentication: it generates a low-severity alert. But if there is a series of failed authentications with different users, one can conclude that a brute-force attack is under way.

Correlation makes it possible to generate new alerts from existing ones. It is a preliminary stage to an effective countermeasure.

There are various ways of doing correlation. However, two categories can be defined:

  • passive correlation, corresponding to the generation of an alert based on existing ones. Brute-force scans are an example.
  • active correlation, which will seek information corresponding to emitted alerts. For example, when a person logs in outside working hours, this has a high impact that it would not have during normal hours of activity.

Harmonization of formats

The IDMEF format (Intrusion Detection Message Exchange Format) describes an alert in an object-oriented and exhaustive way. An alert is a message emitted by an analyzer, which is a probe in IDMEF terminology, to a collector. The goal of IDMEF is to propose a standard allowing heterogeneous communication, whatever the environment or the capabilities of a given analyzer.

These alerts are defined in XML format, offering the possibility of validating each message. In general, implementations remain binary, in order to avoid the known problem of the useless overhead XML adds when a message is sent over the network.

IDMEF also offers a precise vocabulary, which is now common in the field of intrusion detection. For example, a classification corresponds to the name of an alert, and an impact to the level of an attack.
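The failed-authentication example from the correlation section and the IDMEF vocabulary just described, as one added example that is not from the original article: low-severity events from a single analyzer are correlated into a brute-force alert, which is then serialized with RFC 4765 element names and read back as a collector would. The event lines, analyzer id and classification text are constructed; CreateTime is omitted and the message is not schema-validated.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
IDMEF_NS = "http://iana.org/idmef"
def q(tag): return f"{{{IDMEF_NS}}}{tag}"   # qualify a name with the IDMEF namespace

# Constructed low-severity events, as a single analyzer might report them (not real logs).
SAMPLE_EVENTS = """\
1700000000 authfail user=alice src=203.0.113.7
1700000003 authfail user=bob src=203.0.113.7
1700000005 authfail user=carol src=203.0.113.7
1700000009 authfail user=dave src=203.0.113.7
1700000500 authfail user=alice src=198.51.100.2
"""
EVENT_RE = re.compile(r"(\d+) authfail user=(\S+) src=(\S+)")
def correlate_bruteforce(events, window=60, min_users=3):
    """Passive correlation: failures against min_users accounts from one source in window seconds."""
    by_src = defaultdict(list)
    for ts, user, src in EVENT_RE.findall(events):
        by_src[src].append((int(ts), user))
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts.append((src, sorted(users)))
                break
    return alerts

def idmef_alert(src, users, analyzer_id="hypothetical-correlator"):
    """Serialize the correlated alert: Alert, Analyzer, Source/Node/Address, Classification, Impact."""
    msg = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(msg, q("Alert"), messageid="1")
    ET.SubElement(alert, q("Analyzer"), analyzerid=analyzer_id)
    node = ET.SubElement(ET.SubElement(alert, q("Source")), q("Node"))
    addr = ET.SubElement(ET.SubElement(node, q("Address"), category="ipv4-addr"), q("address"))
    addr.text = src
    ET.SubElement(alert, q("Classification"), text="Brute-force authentication")
    ET.SubElement(ET.SubElement(alert, q("Assessment")), q("Impact"),
                  severity="high", completion="failed", type="user")   # IDMEF Impact attributes
    return ET.tostring(msg, encoding="unicode")

def parse_alert(xml_text):
    """A collector's view: classification name, impact severity and source address."""
    alert = ET.fromstring(xml_text).find(q("Alert"))
    return (alert.find(q("Classification")).get("text"),
            alert.find(f"{q('Assessment')}/{q('Impact')}").get("severity"),
            alert.find(f"{q('Source')}/{q('Node')}/{q('Address')}/{q('address')}").text)
```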

Countermeasures

A countermeasure is the art of controlling network elements or the target machine in order to prevent an attack from propagating (islanding) or persisting. It is a rather complicated procedure, and one that is often disabled.

What makes countermeasures difficult is the definition of an attack from a formal point of view. It is not possible to rely on elements that generate false positives. This can also create another problem, where the attacker impersonates a client of the network by generating attack patterns. That can even block the internal network if the countermeasure is badly configured.

A countermeasure system is generally configured with a whitelist containing the IP addresses of the internal network.

List of known IDS

Network IDS (NIDS)

Host IDS (HIDS)

  • AIDE
  • DarkSpy
  • FCheck
  • IceSword (detailed functions of IceSword (Infomars))
  • Integrit
  • Nabou
  • OSSEC
  • Osiris
  • Prelude LML
  • RkUnhooker
  • Samhain
  • Tripwire

These IDS are useful, among other things, to check that a system has not been compromised (by a rootkit, for example). They use checksums (MD5, SHA-1, ...) of executable programs to make sure they have not been modified.
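The checksum-based integrity check these tools perform, as an added example that is not code from any of the projects listed: a baseline of digests is recorded on a known-good system and later compared against the current files. The "binaries" are constructed files in a temporary directory, and SHA-256 is used instead of the MD5 and SHA-1 mentioned above, since both of those have practical collision attacks.

```python
import hashlib
import os
import tempfile

def hash_file(path, algo="sha256"):
    """Digest of a file read in chunks (SHA-256 by default; MD5/SHA-1 have collision attacks)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths, algo="sha256"):
    """Record the trusted digest of every monitored program, taken on a known-good system."""
    return {p: hash_file(p, algo) for p in paths}

def verify(baseline, algo="sha256"):
    """Compare the current state with the baseline; returns path -> 'modified' | 'missing'."""
    findings = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif hash_file(path, algo) != digest:
            findings[path] = "modified"
    return findings

def demo():
    """Constructed scenario: baseline three fake binaries, tamper with one, delete another."""
    root = tempfile.mkdtemp()
    paths = [os.path.join(root, name) for name in ("ls", "ps", "netstat")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"original code of " + os.path.basename(p).encode())
    baseline = build_baseline(paths)
    assert verify(baseline) == {}          # clean system: no findings
    with open(paths[1], "ab") as f:
        f.write(b" tampered")              # simulated modification of 'ps'
    os.remove(paths[2])                    # simulated removal of 'netstat'
    return verify(baseline), paths
```

The baseline is only as trustworthy as its storage: a real deployment keeps it on read-only or offline media, otherwise whoever modifies the binaries can rewrite the digests too.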

Hybrid IDS

  • Prelude


© 2007-2008 speedlook.com; article text available under the terms of GFDL, from fr.wikipedia.org