Malvin Kamba H1010472U
0
Hybrid Intrusion Detection System
By
Malvin Kamba
Reg No. H1010472U
Submitted in partial fulfilment of the requirements for the degree
BACHELOR OF TECHNOLOGY HONOURS IN
COMPUTER SCIENCE
in the
Department of Computer Science
SCHOOL OF INFORMATION SCIENCES AND TECHNOLOGY
HARARE INSTITUTE OF TECHNOLOGY
Supervisor: Mr Mapanga
Co-Supervisor: Title Name Surname
August 2016 - June 2017
Abstract
Intrusion detection systems (IDS) aim at detecting attacks against computer systems and networks or, in general, against information systems. Their basic aim is to protect the system against malware and unauthorized access to a network or a system. Intrusion detection is of two types, network-based IDS and host-based IDS. This paper covers the scope of both types. With the exponential growth of computer network attacks, it is becoming more and more difficult to identify them, and the need for better and more efficient intrusion detection systems increases. The main problem with current intrusion detection systems is the high rate of false alarms. The paper then proposes a design of a hybrid intrusion detection tool based on some of the existing intrusion detection techniques and the concepts of honeypots, DDoS, firewalls and log checks.
KEYWORDS: Honeypot, Firewall, Protocol, Intrusion Detection System, Avoidance,
Monitoring, Prevention, Attack, Port Scanner
Contents
Abstract  1
1.1 Introduction  3
2.1 Motivation  4
3.1 Premises of the Research  4
4.1 Related Work  5
5.1 Problem Statement  6
6.1 Technical Objectives  7
7.1 Justification  7
8.1 Hypothesis  8
9.1 Proposed tools  8
10.1 Expected Results  9
11.1 Ethics Consideration  9
12.1 Time Table  10
October to November  11
13.1 Estimated Budget  12
References  12
Glossary  14
1.1 Introduction
Intrusion Detection Systems
According to the National Institute of Standards and Technology there are four classes of intrusion detection systems: network-based IDSs (NIDS), host-based IDSs (HIDS), IDSs for wireless networks and network behavior analysis systems (NBA). Honeypots can also be considered a subclass of NIDSs because of their many similarities with NIDSs. Sometimes we also encounter the term hybrid IDS, which denotes an IDS that combines functionality from several different types of IDS. A network-based IDS monitors network traffic for particular network segments or devices and analyses network, transport and application protocols to identify suspicious activity. A NIDS is either installed on a router so that the traffic passes through it, or it is connected to the network by a network tap or a spanning port. Network taps enable the sensor to monitor all traffic going through the line. A spanning port is a special switch port to which all packets transmitted through the switch are mirrored. A host-based IDS monitors the characteristics of a single host and the events occurring within that host for suspicious activity. As input data it uses received packets, system logs, file integrity checks, system configuration checks, system calls etc. Because the HIDS has access to the application-level interpretation of the traffic, it can detect attacks in packets that were transmitted encrypted. Conversely, many network attacks cannot be detected because the HIDS has no access to the raw network-layer data. A network behavior analysis system examines network traffic, or statistics on network traffic, to identify unusual traffic flows, such as distributed denial of service attacks, certain forms of malware (e.g. worms, backdoors) and policy violations (e.g. a client system providing network services to other systems). NBA probes can be placed in the network in the same way as a NIDS. A wireless IDS monitors wireless network traffic and analyses its wireless networking protocols to identify suspicious activity involving the protocols themselves. A honeypot is a security resource whose value lies in being probed, attacked or compromised. Honeypots are applications, hosts or entire networks whose purpose is to convince the attacker that they contain valuable resources (e.g. secret files, server services) and lure them into attacking. Because they have no legitimate purpose other than security, they are not normally accessed. Therefore, every access to them can be considered a sign of an attack.
2.1 Motivation
- The increase in interest in the implementation of Intrusion Detection Systems (IDS) in computer network security.
- The huge number of alerts generated by an IDS, most of which are false alerts, which adds to system complexity and consequently increases the ambiguity faced by the decision maker assessing the alerts.
- The need for more investigation into implementing the various IDS techniques, especially to deal with the huge volume of data such systems produce.
3.1 Premises of the Research
The standard that is going to be followed throughout the project is ISO 27001, which gives a systematic checklist of what top management must do:
- set their business expectations (objectives) for information security
- publish a policy on how to control whether those expectations are met
- designate the main responsibilities for information security
- provide enough money and human resources
- regularly review whether all the expectations were really met
ISO 27001 gives you a framework for deciding on appropriate protection. In the same way that you cannot copy another company's marketing campaign to your own, information security must be tailored to your specific needs. The way ISO 27001 tells you to achieve this tailor-made fit is to perform risk assessment and risk treatment. This is nothing but a systematic overview of the bad things that can happen to you (assessing the risks), followed by deciding which safeguards to implement to prevent those bad things from happening (treating the risks).
The whole idea here is that you should implement only those safeguards (controls) that are
required because of the risks, not those that someone thinks are fancy; but, this logic also means
that you should implement all the controls that are required because of the risks, and that you
cannot exclude some simply because you don’t like them.
4.1 Related Work
Intrusion detection systems generate alerts, and those alerts can be classified into false positives and true negatives. Kruegel and Robertson (2004) developed a plug-in that adds an alert processing pipeline to the Snort IDS. Root cause analysis was proposed by Julisch and Dacier (2002) to identify the root causes that trigger false positives and remove the alerts generated; however, this method cannot be controlled, and fixing a root cause is also very expensive, which makes it impractical. Pietraszek (2004) adopted a faster system with an effective rule learner that requires no human feedback or background knowledge. The disadvantage of this system is that the training set must grow without bound over the system's lifetime, so the system is inefficient. Another approach performs alert verification using the Nessus vulnerability scanner. A statistical causality analysis correlation approach was proposed by Lee and Qin (2005); it was based on statistical analysis and time series to develop attack scenarios. The authors proposed a clustering technique that aggregates alerts so that each cluster, formed on the basis of time intervals, is represented as one hyper-alert. The objective of their approach was to reduce the number of alerts and obtain alert prioritization in order to identify the important alerts. The drawback of this approach is its inability to remove redundant alerts and its inflexibility in choosing the alert features. A robust alert clustering mechanism to reduce false alerts was proposed by Njogu and Jiawei (2010). This mechanism calculates the similarity of verified alerts using the distance between the new alert's features.
5.1 Problem Statement
Information systems and networks are subject to electronic attacks. Attempts to breach information security are rising every day, along with the availability of vulnerability assessment tools that are widely available on the Internet, for free as well as for commercial use. Tools such as SubSeven, Back Orifice, Nmap and L0phtCrack can all be used to scan, identify, probe and penetrate your systems. Firewalls are put in place to prevent unauthorized access to enterprise networks. Let us, however, ask ourselves: are firewalls enough? An example: imagine that you have just purchased a state-of-the-art home theatre system. Everyone who knows anything about electronics has an idea of how much it may cost. After installing it, you decide that you might need to install new locks on all the doors in your house, because the old ones do not use up-to-date secure mechanisms. You call the locksmith, and in about two months (if you are lucky) you have a new lock on your doors, and you are the only one who has the keys (well, maybe your mother has another pair). With that in mind you pack your things and, with whatever money you have left from your recent purchases, you go on vacation. When you come back a week later, you find that the entertainment room looks different. After careful examination, you realize that your home theatre system, which you had been dwelling over for the last year, is missing. What is worse, your wife tells you that the window in the kitchen is broken, and there are boot stains on the carpet all over the house. That leads you to believe that someone broke into your house, stole and vandalized a lot of your prized possessions. After you wipe the tears from your eyes, you suddenly begin to vaguely remember the brochure you got about a burglar alarm installation in your neighborhood. You threw it away just a week before. The installation and monitoring would have cost you 19.95 a month with the promotional offer. Neglecting to install the system is something you would have to live with for the rest of your life. Could you have prevented it from happening had you installed an alarm? Maybe not completely, but the damage would have been much less. The real-life example above is exactly analogous to what might happen to your network. What is worse is that the thief may be on your network for a long time, and you might not even know it. Firewalls do a good job of guarding your front doors, but they have no way to alert you in case there is a backdoor or a hole in the infrastructure. Script kiddies are constantly scanning the Internet for known bugs in systems, including constant scans of whole subnets. More experienced crackers may be hired by your competitors to target your network specifically, in order to gain a competitive advantage. The list of threats can go on.
6.1 Technical Objectives
The objective of this proposal is to present a framework tool that reduces IDS alerts and assesses their threat. To achieve the above objective, the following procedures will be taken into account:
- leveraging the information gain ratio algorithm to extract the best features of IDS alerts for the purpose of assessing the alerts;
- building a new aggregation hybrid IDS alert system to reduce the number of false positive alerts and to get rid of alert redundancy;
- building a visualization engine that uses discovered knowledge to assist network engineers in making an appropriate decision.
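As an added illustration of the first objective (not code from the proposal, and written in Python rather than the Perl the proposal lists), the following computes the information gain ratio of each alert feature against the analyst's verdict and ranks the features. The alert records, feature names and labels are constructed sample data.

```python
"""Rank IDS alert features by information gain ratio (the C4.5 criterion).

Added example, not code from the proposal: it implements the gain-ratio
feature selection named in the first technical objective. The alert
records below are constructed sample data; "label" is True when an
analyst confirmed the alert and False when it was a false positive.
"""
from collections import Counter, defaultdict
from math import log2

SAMPLE_ALERTS = [
    {"proto": "tcp", "dst_port": "22",  "sig_class": "recon",  "sensor": "edge", "label": True},
    {"proto": "tcp", "dst_port": "80",  "sig_class": "recon",  "sensor": "edge", "label": True},
    {"proto": "udp", "dst_port": "53",  "sig_class": "recon",  "sensor": "edge", "label": True},
    {"proto": "tcp", "dst_port": "445", "sig_class": "recon",  "sensor": "edge", "label": True},
    {"proto": "tcp", "dst_port": "80",  "sig_class": "policy", "sensor": "edge", "label": False},
    {"proto": "udp", "dst_port": "123", "sig_class": "policy", "sensor": "edge", "label": False},
    {"proto": "tcp", "dst_port": "80",  "sig_class": "policy", "sensor": "edge", "label": False},
    {"proto": "udp", "dst_port": "53",  "sig_class": "policy", "sensor": "edge", "label": False},
]
FEATURES = ["proto", "dst_port", "sig_class", "sensor"]


def entropy(values):
    """Shannon entropy in bits of the multiset of values."""
    total = len(values)
    return -sum((n / total) * log2(n / total) for n in Counter(values).values())


def information_gain(alerts, feature, target="label"):
    """H(target) minus the expected entropy of target after splitting on feature."""
    before = entropy([a[target] for a in alerts])
    groups = defaultdict(list)
    for a in alerts:
        groups[a[feature]].append(a[target])
    after = sum(len(g) / len(alerts) * entropy(g) for g in groups.values())
    return before - after


def split_info(alerts, feature):
    """Intrinsic information of the split: the entropy of the feature's own values.

    Features with many distinct values (dst_port here) get a large split_info,
    which is what stops plain information gain from favouring them.
    """
    return entropy([a[feature] for a in alerts])


def gain_ratio(alerts, feature, target="label"):
    """Information gain normalised by split information."""
    si = split_info(alerts, feature)
    if si == 0.0:          # constant feature: no split, no information
        return 0.0
    return information_gain(alerts, feature, target) / si


def rank_features(alerts, features, target="label"):
    """Return (feature, gain_ratio) pairs, most informative first."""
    scored = [(f, gain_ratio(alerts, f, target)) for f in features]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for feature, ratio in rank_features(SAMPLE_ALERTS, FEATURES):
        print(f"{feature:10s} gain={information_gain(SAMPLE_ALERTS, feature):.3f} "
              f"ratio={ratio:.3f}")
```

On this sample the signature class separates confirmed alerts from false positives perfectly (ratio 1.0), while the destination port has decent gain but is penalised for its many distinct values, and the constant sensor field scores zero.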
7.1 Justification
An intrusion detection system (IDS) monitors and analyzes events that occur on a network or system, looking for intrusion attempts (events that try to compromise the confidentiality, integrity and availability of data). The increase in the number and severity of attacks now makes intrusion detection systems a necessary part of security. Since most networks require intrusion detection, a corporation must understand what type of IDS provides the functions needed to protect its infrastructure. Corporations sometimes invest in an IDS that is difficult to support, reports far too many false positives, and cannot keep up with the speed of the network. False positives are apparent attacks generated by legitimate activity. A system administrator may believe that an attack took place when in fact none ever occurred. An IDS that reports many false positives is difficult and often impossible to manage. After a while the system administrator may ignore alerts because they look like false positives, or stop looking at the alerts and data being collected because it is too difficult to figure out whether an attack actually took place. If the corporation is not looking for intrusion attempts it has no idea what the threat to the organization is. Once in place, an IDS will report threats that can substantiate claims that the network is under attack. Understanding the frequency and types of attacks allows an organization to determine what security controls need to be in place. IDSs simplify the task of verifying and categorizing the threat in reports to executive management. This solid information helps sell management on budgeting for additional security. For example, if you put only one sensor at the gate of your network and can show management how often you are attacked, how severe the attacks were, and how you were warned of zero-day attacks such as Code Red, then management will most likely understand the need to monitor other important areas on the network, like partner connections and virtual private networks.
8.1 Hypothesis
- Attacks of the same kind have enough similarity to distinguish them from normal behavior.
- Resources are not adequately protected by the infrastructure.
- Any attack causes enough deviation from the profile (generally true?).
9.1 Proposed tools
S.No.  Tool              Use
1.     Perl              Programming language
2.     Wireshark         Packet sniffing tool
3.     Tshark            Command-line packet sniffing tool
4.     tcpdump           TCP traffic intercepting tool
5.     Apache Server     HTTPD server to host websites
6.     Airmon-ng         To put the wireless network card into monitor mode
7.     Airodump-ng       To dump all wireless connection details
8.     Aireplay-ng       To perform an ARP poisoning attack on base stations
9.     Airbase-ng        To create a new base station
10.    DHCP Server       To configure networking such as IP address ranges
11.    Burp Suite        To intercept users' sessions
12.    Driftnet          To sniff images from captured packets
13.    Hamster & Ferret  To sniff documents from captured packets
10.1 Expected Results
- Trojan Scanner: checks the active connections, finds possible Trojans and reports them to the administrator.
- Shell Finder: finds web shells and back-connect backdoors on the Apache server and reports them to the administrator.
- PSAD, well known as the "Port Scan Attack Detector". The concept of PSAD comes from the well-known book "The Art of War" by Sun Tzu, where he states "If you know the enemy and know yourself, you need not fear the result of a hundred battles". Similarly, port scanning is the first step of hacking, used to know your enemy, so PSAD detects it and alerts the administrator.
- Fake Access Point: the fake access point is a honeypot which attracts attackers, so that the administrator can easily learn about an attacker and their capabilities.
- Ads Blocker: blocks ads and spam for the user.
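As an added example that is not part of the proposal, the following Python (the proposal lists Perl; Python is used here) implements the PSAD-style detection described above, aggregates all probes from one source into a single alert instead of one alert per probe (the alert-reduction objective of section 6.1), and masks the reported source address the way the ethics section says logged IPs will be shown. The records, addresses, thresholds and the exact masking format are constructed assumptions.

```python
"""PSAD-style port scan detection with alert aggregation and IP masking.

Added example, not code from the proposal. A source that sends SYN probes
to many distinct ports on one host inside a short sliding window is
reported once, as one aggregated alert per (source, target) pair that is
extended as the scan continues. All records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed connection-attempt records: (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags),
# mimicking the fields tshark/tcpdump would give. Addresses come from documentation ranges.
SCANNER, SLOW_SCANNER, CLIENT = "203.0.113.7", "203.0.113.9", "198.51.100.4"
TARGET_A, TARGET_B = "192.0.2.10", "192.0.2.11"
SAMPLE_RECORDS = [
    # fast scanner: 8 distinct ports (with one retransmit on 22) inside 1.4 s
    (100.0, SCANNER, TARGET_A, 21, "S"),
    (100.2, SCANNER, TARGET_A, 22, "S"),
    (100.3, SCANNER, TARGET_A, 22, "S"),
    (100.4, SCANNER, TARGET_A, 23, "S"),
    (100.6, SCANNER, TARGET_A, 25, "S"),
    (100.8, SCANNER, TARGET_A, 80, "S"),
    (101.0, SCANNER, TARGET_A, 110, "S"),
    (101.2, SCANNER, TARGET_A, 143, "S"),
    (101.4, SCANNER, TARGET_A, 443, "S"),
    # legitimate client: two services, a completed handshake, far apart in time
    (100.5, CLIENT, TARGET_A, 443, "S"),
    (100.6, CLIENT, TARGET_A, 443, "A"),
    (150.0, CLIENT, TARGET_A, 80, "S"),
    # slow scanner: 5 distinct ports, but 40 s apart, so never 5 inside one window
    (100.0, SLOW_SCANNER, TARGET_B, 22, "S"),
    (140.0, SLOW_SCANNER, TARGET_B, 23, "S"),
    (180.0, SLOW_SCANNER, TARGET_B, 25, "S"),
    (220.0, SLOW_SCANNER, TARGET_B, 80, "S"),
    (260.0, SLOW_SCANNER, TARGET_B, 443, "S"),
]

DISTINCT_PORT_THRESHOLD = 5   # distinct ports from one source to one host ...
WINDOW_SECONDS = 10.0         # ... inside this sliding window (assumed tuning values)


@dataclass
class ScanAlert:
    """One aggregated alert per (src, dst) pair, updated as probes continue."""
    src_ip: str
    dst_ip: str
    first_seen: float
    last_seen: float
    ports: set = field(default_factory=set)
    probe_count: int = 0


def detect_scans(records, threshold=DISTINCT_PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return the aggregated ScanAlerts for every (src, dst) pair that crossed the threshold.

    Only SYN-only probes (flags == "S") count; ACK/established traffic is ignored.
    Records are processed in timestamp order with a per-pair sliding window.
    """
    history = defaultdict(list)   # (src, dst) -> [(ts, port)] still inside the window
    probes = defaultdict(int)     # (src, dst) -> total SYN probes seen so far
    alerts = {}
    for ts, src, dst, port, flags in sorted(records):
        if flags != "S":
            continue
        key = (src, dst)
        probes[key] += 1
        hist = history[key]
        hist.append((ts, port))
        while hist and ts - hist[0][0] > window:    # expire probes older than the window
            hist.pop(0)
        distinct = {p for _, p in hist}
        if len(distinct) < threshold:
            continue
        alert = alerts.get(key)
        if alert is None:                           # first crossing: open one alert
            alert = ScanAlert(src, dst, first_seen=hist[0][0], last_seen=ts)
            alerts[key] = alert
        alert.last_seen = ts                        # later probes extend it, no new alert
        alert.ports |= distinct
        alert.probe_count = probes[key]
    return list(alerts.values())


def mask_ip(ip):
    """Mask the middle octets for reporting (assumed form of the ethics section's masking)."""
    first, _, _, last = ip.split(".")
    return f"{first}.***.***.{last}"


def format_alert(alert):
    """Single-line report for the administrator with the source address masked."""
    span = alert.last_seen - alert.first_seen
    return (f"port scan from {mask_ip(alert.src_ip)} against {alert.dst_ip}: "
            f"{len(alert.ports)} ports, {alert.probe_count} probes in {span:.1f}s")


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_RECORDS):
        print(format_alert(alert))
```

The slow scanner is deliberately not caught: a per-window threshold trades sensitivity to slow scans for fewer false alerts, and widening the window (try `window=200.0`) reverses that trade, which is the tuning decision the tool will have to make.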
11.1 Ethics Consideration
The subject of honeypots, firewalls, log checks, DDoS and DoS as used in computing can be a controversial one; therefore this section aims to analyse these controversies and explore the ethics surrounding honeypots.
One of the major issues with using a honeypot is that it could be seen as encouraging criminal activity, since the purpose of this project is to build a software system which allows attackers to gain unauthorised entry into it. However, one of the major aims of this project is to allow attackers to believe that they are gaining unauthorised access (when in fact they are not). Therefore, the attacker is not actually gaining unauthorised entry at all. The attackers' IP addresses will remain anonymous throughout this project, and will only be used to determine approximately which countries/states certain attacks originate from (although some attacks may route through a proxy which could be in a different location/country from the originating attack). Therefore, any IP address logs that appear in this dissertation shall be masked using the asterisk (*) symbol (for example the IP address 192.168.0.1 may be masked as 192.***.*.1). Another major issue surrounding the use of honeypots is that of deception. This is because participants in this project do not know that they are participating in a research project. This is a difficult subject to address due to the nature of the aims of honeypots. If attackers were informed that they were participating in a research project, they would not participate. If participants were told to "attack" the honeypot it would likely produce unrealistic results, since the attackers would know they were being monitored.
Some experts consider honeypots to be unethical because they are strengthening attackers' ability to detect honeypots. This could then allow attackers to stop targeting honeypots and, instead, only attack genuinely insecure systems. It could be argued that honeypots are thus contributing to attackers becoming more sophisticated and creating a bigger problem. However, the use of honeypots has resulted in many insecure systems being hardened and viruses and malicious code being discovered, and the information security sector as a whole has developed due to the use of honeypots.
12.1 Time Table
October to November
December to January
13.1 Estimated Budget
A positive return on investment (ROI) of intrusion detection systems (IDS) is dependent upon
an organization's deployment strategy and how well the successful implementation and
management of the technology helps the organization achieve the tactical and strategic
objectives it has established. ROI has traditionally been difficult to quantify for network
security devices, in part because it is difficult to calculate risk accurately due to the subjectivity
involved with its quantification. Also, business-relevant statistics regarding security incidents
are not always available for consideration in analyzing risk.
In considering an implementation of IDS technology, a return on investment can be understood
by analyzing the difference between annual loss expectancy (ALE) without IDS deployment
and the ALE with IDS deployment, adjusted for technology and management costs.
The ultimate initial goal, then, should be to prove that the value proposition (i.e. a benefit in the form of a quantifiable reduction in ALE) from implementing and effectively managing the IDS technology is greater than the implementation and management costs associated with deploying it.
Glossary
Access Control Mechanism – Security safeguards (i.e., hardware and software features, physical controls, operating procedures, management procedures, and various combinations of these) designed to detect and deny unauthorized access and permit authorized access to an information system.
Access Control – The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).
Access Point – A device that logically connects wireless client devices operating in infrastructure mode to one another and provides access to a distribution system, if connected, which is typically an organization’s enterprise wired network.
Active Attack – An attack that alters a system or data.
Administrative Account – A user account with full privileges on a computer.
Alert – Notification that a specific attack has been directed at an organization’s information systems.
Analysis – The examination of acquired data for its significance and probative value to the case.
Anomaly-Based Detection – The process of comparing definitions of what activity is considered normal against observed events to identify significant deviations.
Attack – An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity.
Attack Sensing and Warning (AS&W) – Detection, correlation, identification, and characterization of intentional unauthorized activity with notification to decision makers so that an appropriate response can be developed.
Attack Signature – A specific sequence of events indicative of an unauthorized access attempt.
Audit – Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
Audit Log – A chronological record of system activities. Includes records of system accesses and operations performed in a given period.
Audit Trail – A record showing who has accessed an Information Technology (IT) system and what operations the user has performed during a given period.
Backdoor – An undocumented way of gaining access to a computer system. A backdoor is a potential security risk.
Blacklisting – The process of the system invalidating a user ID based on the user’s inappropriate actions. A blacklisted user ID cannot be used to log on to the system, even with the correct authenticator. Blacklisting and lifting of a blacklisting are both security-relevant events. Blacklisting also applies to blocks placed against IP addresses to prevent inappropriate or unauthorized use of Internet resources.
Communications Profile – Analytic model of communications associated with an organization or activity. The model is prepared from a systematic examination of communications content and patterns, the functions they reflect, and the communications security measures applied.
Computer Abuse – Intentional or reckless misuse, alteration, disruption, or destruction of information processing resources.
Confidentiality – Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Denial of Service (DoS) – The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.)
Digital Signature – An asymmetric key operation where the private key is used to digitally sign data and the public key is used to verify the signature. Digital signatures provide authenticity protection, integrity protection, and non-repudiation.
Distributed Denial of Service (DDoS) – A Denial of Service technique that uses numerous hosts to perform the attack.
External Network – A network not controlled by the organization.
False Positive – An alert that incorrectly indicates that malicious activity is occurring.
Firewall – A gateway that limits access between networks in accordance with local security policy.
Hacker – Unauthorized user who attempts to or gains access to an information system.
Honeypot – A system (e.g., a Web server) or system resource (e.g., a file on a server) that is designed to be attractive to potential crackers and intruders and has no authorized users other than its administrators.
Inside(r) Threat – An entity with authorized access (i.e., within the security domain) that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service.
Intrusion – Unauthorized act of bypassing the security mechanisms of a system.
Intrusion Detection Systems (IDS) – Hardware or software product that gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organizations) and misuse (attacks from within the organizations).
IP Security (IPsec) – Suite of protocols for securing Internet Protocol (IP) communications at the network layer, layer 3 of the OSI model, by authenticating and/or encrypting each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment.
Malware – A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim.
Network Access – Access to an organizational information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).
Online Attack – An attack against an authentication protocol where the Attacker either assumes the role of a Claimant with a genuine Verifier or actively alters the authentication channel. The goal of the attack may be to gain authenticated access or learn authentication secrets.
Packet Sniffer – Software that observes and records network traffic.
Port Scanning – Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).
Protocol – Set of rules and formats, semantic and syntactic, permitting information systems to exchange information.
Real-Time Reaction – Immediate response to a penetration attempt that is detected and diagnosed in time to prevent access.