Hybrid Intrusion Detection System

By

Malvin Kamba

Reg No. H1010472U

Submitted in partial fulfilment of the requirements for the degree

BACHELOR OF TECHNOLOGY HONOURS IN

COMPUTER SCIENCE

in the

Department of Computer Science

SCHOOL OF INFORMATION SCIENCES AND TECHNOLOGY

HARARE INSTITUTE OF TECHNOLOGY

Supervisor: Mr Mapanga

Co-Supervisor: Title Name Surname

August 2016 - June 2017

Abstract

Intrusion detection systems (IDS) aim at detecting attacks against computer systems and networks or, in general, against information systems. Their basic aim is to protect the system against malware and unauthorized access to a network or a system. Intrusion detection is of two types: network-based IDS and host-based IDS. This paper covers the scope of both types. With the exponential growth of computer network attacks, it is becoming more and more difficult to identify them, and the need for better and more efficient intrusion detection systems increases. The main problem with current intrusion detection systems is the high rate of false alarms. The paper then proposes the design of a hybrid intrusion detection tool based on some of the existing intrusion detection techniques and the concepts of honeypots, DDoS, firewalls and log checks.

KEYWORDS: Honeypot, Firewall, Protocol, Intrusion Detection System, Avoidance, Monitoring, Prevention, Attack, Port Scanner

Contents

Abstract (p. 1)
1.1 Introduction (p. 3)
2.1 Motivation (p. 4)
3.1 Premises of the Research (p. 4)
4.1 Related Work (p. 5)
5.1 Problem Statement (p. 6)
6.1 Technical Objectives (p. 7)
7.1 Justification (p. 7)
8.1 Hypothesis (p. 8)
9.1 Proposed tools (p. 8)
10.1 Expected Results (p. 9)
11.1 Ethics Consideration (p. 9)
12.1 Time Table (p. 10)
October to November (p. 11)
13.1 Estimated Budget (p. 12)
References (p. 12)
Glossary (p. 14)

1.1 Introduction

Intrusion Detection Systems

According to the National Institute of Standards and Technology there are four classes of intrusion detection systems: network-based IDSs (NIDS), host-based IDSs (HIDS), IDSs for wireless networks, and network behavior analysis (NBA) systems. Honeypots can also be considered a subclass of NIDSs because of their many similarities with NIDSs. Sometimes we also encounter the term hybrid IDS, which denotes an IDS that combines functionality from several different types of IDS.

A network-based IDS monitors network traffic for particular network segments or devices and analyses network, transport, and application protocols to identify suspicious activity. A NIDS is either installed on a router so that the traffic passes through it, or it is connected to the network by a network tap or a spanning port. Network taps enable the sensor to monitor all traffic going through the line. A spanning port is a special switch port to which all packets transmitted through the switch are mirrored.

A host-based IDS monitors the characteristics of a single host and the events occurring within that host for suspicious activity. As input data it uses received packets, system logs, file integrity checks, system configuration checks, system calls, etc. Because the HIDS has access to the application-level interpretation of the traffic, it can detect attacks in packets that were transmitted encrypted. On the other hand, many network attacks cannot be detected by a HIDS because it has no access to the raw network-layer data.

A network behavior analysis system examines network traffic, or statistics on network traffic, to identify unusual traffic flows, such as distributed denial of service attacks, certain forms of malware (e.g. worms, backdoors), and policy violations (e.g. a client system providing network services to other systems). NBA probes can be placed in the network similarly to a NIDS. A wireless IDS monitors wireless network traffic and analyses its wireless networking protocols to identify suspicious activity involving the protocols themselves.

A honeypot is a security resource whose value lies in being probed, attacked or compromised. Honeypots are applications, hosts or entire networks whose purpose is to convince the attacker that they contain valuable resources (e.g. secret files, server services) and lure him into attacking them. Because they have no legitimate purpose other than security, they are not normally accessed. Therefore, every access to them can be considered a sign of an attack.

2.1 Motivation

- The increase in interest in the implementation of intrusion detection systems (IDS) in computer network security.
- The huge number of alerts, mostly false alerts, generated by an IDS, which adds to system complexity and consequently increases the ambiguity faced by the decision maker when assessing alerts.
- The need for more investigation into implementing the various techniques of IDS, especially to deal with the huge volumes of data such systems produce.

3.1 Premises of the Research

The standard that is going to be followed throughout the project is ISO 27001. It gives you a systematic checklist of what top management must do:

- set their business expectations (objectives) for information security
- publish a policy on how to control whether those expectations are met
- designate the main responsibilities for information security
- provide enough money and human resources
- regularly review whether all the expectations were really met

ISO 27001 gives you a framework for deciding on appropriate protection. In the same way that you cannot copy another company's marketing campaign to your own, the same principle holds for information security: you need to tailor it to your specific needs. The way ISO 27001 tells you to achieve this tailor-made suit is to perform risk assessment and risk treatment. This is nothing but a systematic overview of the bad things that can happen to you (assessing the risks), and then deciding which safeguards to implement to prevent those bad things from happening (treating the risks).

The whole idea here is that you should implement only those safeguards (controls) that are required because of the risks, not those that someone thinks are fancy; but this logic also means that you should implement all the controls that are required because of the risks, and that you cannot exclude some simply because you don't like them.

4.1 Related Work

An intrusion detection system is used to generate alerts; those alerts can be classified into false positives and true negatives. Kruegel and Robertson (2004) developed a plug-in to add an alert processing pipeline to the Snort IDS. Root cause analysis was proposed by Julisch and Dacier (2002) to identify the root causes that trigger false positives and remove the alerts generated. However, this method cannot be controlled, and fixing a problem is also very expensive, hence its impracticality. Pietraszek (2004) adopted a system that worked faster with an effective rule learner, requiring no human feedback or background knowledge. The disadvantage of this system is that it requires an infinitely growing training set to train the system during its lifetime; thus, the system is inefficient. Another approach is to perform alert verification using the Nessus vulnerability scanner. A statistical causality analysis correlation approach was proposed by Lee and Qin (2005). This approach was based on statistical analysis and time series to develop attack scenarios. The authors proposed a clustering technique to aggregate the alerts so that each cluster is represented as one hyper alert, based on time intervals. The objective of their approach was to reduce the number of alerts and obtain an alert prioritization that identifies the important alerts. The drawback of this approach is its incapacity to remove redundant alerts and its inflexibility in choosing the alert features. A robust alert clustering mechanism to reduce false alerts was proposed by Njogu and Jiawei (2010). This mechanism calculates the similarities of verified alerts using the distance among the new alert features.
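The time-interval clustering into hyper alerts described above, as an added example that is not from the proposal or from the cited papers: alerts sharing source, destination and signature within a fixed window are merged into one hyper alert with a count, and the result is ranked by count. The alert records, the window length and the signature names are constructed assumptions.

```python
"""Aggregate raw IDS alerts into hyper alerts by time interval.

Added example, not taken from the proposal or the papers it cites. Alerts that
share (source, destination, signature) and arrive within WINDOW seconds of the
first alert in an open cluster are merged into one hyper alert that keeps a
count and the time span it covers; hyper alerts are then ranked by count so
the busiest clusters surface first. All records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed raw alerts: (epoch seconds, source IP, destination IP, signature)
RAW_ALERTS = [
    (1000, "10.0.0.5", "192.168.1.10", "PING sweep"),
    (1001, "10.0.0.5", "192.168.1.10", "PING sweep"),
    (1002, "10.0.0.5", "192.168.1.10", "PING sweep"),
    (1003, "10.0.0.7", "192.168.1.10", "HTTP directory traversal attempt"),
    (1200, "10.0.0.5", "192.168.1.10", "PING sweep"),  # > WINDOW later: new cluster
    (1201, "10.0.0.7", "192.168.1.10", "HTTP directory traversal attempt"),
]

WINDOW = 60  # seconds an open cluster keeps accepting alerts after its first one


@dataclass
class HyperAlert:
    src: str
    dst: str
    signature: str
    first_seen: int
    last_seen: int
    count: int = 1


def aggregate(alerts, window: int = WINDOW) -> List[HyperAlert]:
    """Merge raw alerts into hyper alerts; input order does not matter."""
    open_clusters: Dict[Tuple[str, str, str], HyperAlert] = {}
    result: List[HyperAlert] = []
    for ts, src, dst, sig in sorted(alerts):
        key = (src, dst, sig)
        cluster = open_clusters.get(key)
        if cluster is not None and ts - cluster.first_seen <= window:
            cluster.count += 1          # redundant alert: fold it into the cluster
            cluster.last_seen = ts
            continue
        cluster = HyperAlert(src, dst, sig, ts, ts)   # start a new cluster
        open_clusters[key] = cluster
        result.append(cluster)
    return result


def prioritise(hyper_alerts: List[HyperAlert]) -> List[HyperAlert]:
    """Busiest clusters first; ties broken by the earliest first_seen."""
    return sorted(hyper_alerts, key=lambda h: (-h.count, h.first_seen))


def reduction_ratio(raw_count: int, hyper_count: int) -> float:
    """Fraction of raw alerts the analyst no longer has to read one by one."""
    return 1.0 - hyper_count / raw_count if raw_count else 0.0


if __name__ == "__main__":
    hyper = aggregate(RAW_ALERTS)
    for h in prioritise(hyper):
        print(f"{h.count:3d}x {h.signature:34s} {h.src} -> {h.dst} "
              f"[{h.first_seen}-{h.last_seen}]")
    print(f"reduced {len(RAW_ALERTS)} alerts to {len(hyper)} "
          f"({reduction_ratio(len(RAW_ALERTS), len(hyper)):.0%})")
```

The six raw alerts collapse to four hyper alerts; the three-alert ping cluster is ranked first, while the same source seen again 200 seconds later opens a fresh cluster instead of being folded in.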

5.1 Problem Statement

Information systems and networks are subject to electronic attacks. Attempts to breach information security are rising every day, along with the availability of vulnerability assessment tools that are widely available on the Internet, for free as well as for commercial use. Tools such as SubSeven, Back Orifice, Nmap and L0phtCrack can all be used to scan, identify, probe, and penetrate your systems. Firewalls are put in place to prevent unauthorized access to enterprise networks. Let's, however, ask ourselves: are the firewalls enough?

An example. Imagine that you have just purchased a state-of-the-art home theatre system. Everyone who knows anything about electronics has an idea of how much it may cost. After installing it, you decide that you might need to install new locks on all the doors in your house, because the old ones do not use up-to-date secure mechanisms. You call the locksmith, and in about 2 months (if you are lucky) you have a new lock on your doors, and you are the only one who has the keys (well, maybe your mother has another pair). With that in mind you pack your things, and with whatever money you have left from your recent purchases, you go on vacation. When you come back a week later, you find that the entertainment room looks different. After careful examination, you realize that your home theatre system, the one you had been dwelling on for the last year, is missing. What is worse is that your wife tells you that the window in the kitchen is broken, and there are boot stains on the carpet all over the house. That leads you to believe that someone broke into your house, stole, and vandalized a lot of your prized possessions. After you wipe the tears from your eyes, you suddenly begin to vaguely remember the brochure you got about a burglar alarm installation in your neighborhood. You threw it away just a week before. The installation and monitoring would have cost you 19.95 a month with the promotional offer. Neglecting to install the system is a secret that you would have to live with for the rest of your life. Could you have prevented it from happening, had you installed an alarm? Maybe not completely, but the damage would have been much less.

The real-life example above is exactly analogous to what might happen to your network. What is worse is that the thief may be on your network for a long time, and you might not even know it. Firewalls are doing a good job guarding your front doors, but they have no way to alert you in case there is a backdoor or a hole in the infrastructure. Script kiddies are constantly scanning the Internet for known bugs in systems, including constant scans of whole subnets. More experienced crackers may be hired by your competitors to target your network specifically, in order to gain a competitive advantage. The list of threats can go on.

6.1 Technical Objectives

The objective of this proposal is to present a framework tool that reduces IDS alerts and assesses their threat. To achieve the above objective, the following procedures will be taken into account:

- Leveraging the information gain ratio algorithm to extract the best features of IDS alerts for the purpose of assessing the alerts
- Building a new aggregation hybrid IDS alert system to reduce the number of false positive alerts and to get rid of alert redundancy
- Building a visualization engine that uses the discovered knowledge to assist network engineers in making an appropriate decision
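The information gain ratio ranking named in the first objective, as an added example (not the proposal's own code): it scores each alert feature by the C4.5 gain ratio against an analyst's true/false positive label over a small constructed alert set, and shows why the ratio, unlike plain information gain, does not favour a feature merely because it has many distinct values. Feature names, values and labels are constructed.

```python
"""Rank IDS alert features by information gain ratio (the C4.5 criterion).

Added example, not the proposal's code. Each constructed alert carries a few
categorical features and an analyst label: "TP" (true positive) or "FP"
(false positive). For a feature A splitting record set S into subsets S_v:
    gain(A)       = H(S) - sum_v |S_v|/|S| * H(S_v)
    split_info(A) = -sum_v |S_v|/|S| * log2(|S_v|/|S|)
    gain_ratio(A) = gain(A) / split_info(A)
The split-information term penalises features with many distinct values.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Record = Tuple[Dict[str, str], str]

# Constructed labelled alerts: (features, analyst label)
ALERTS: List[Record] = [
    ({"proto": "tcp",  "port": "web",  "priority": "high", "src": "ext"}, "TP"),
    ({"proto": "tcp",  "port": "web",  "priority": "high", "src": "ext"}, "TP"),
    ({"proto": "tcp",  "port": "ssh",  "priority": "low",  "src": "ext"}, "TP"),
    ({"proto": "udp",  "port": "dns",  "priority": "low",  "src": "int"}, "FP"),
    ({"proto": "udp",  "port": "dns",  "priority": "low",  "src": "int"}, "FP"),
    ({"proto": "icmp", "port": "none", "priority": "low",  "src": "int"}, "FP"),
    ({"proto": "tcp",  "port": "web",  "priority": "low",  "src": "int"}, "FP"),
    ({"proto": "icmp", "port": "none", "priority": "high", "src": "ext"}, "TP"),
]


def entropy(labels: List[str]) -> float:
    """Shannon entropy, in bits, of a list of labels."""
    n = len(labels)
    return -sum((c / n) * math.log2(c / n) for c in Counter(labels).values())


def partition(records: List[Record], feature: str) -> Dict[str, List[str]]:
    """Group the labels by the value this feature takes in each record."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for feats, label in records:
        groups[feats[feature]].append(label)
    return groups


def info_gain(records: List[Record], feature: str) -> float:
    n = len(records)
    groups = partition(records, feature)
    remainder = sum(len(g) / n * entropy(g) for g in groups.values())
    return entropy([label for _, label in records]) - remainder


def split_info(records: List[Record], feature: str) -> float:
    n = len(records)
    groups = partition(records, feature)
    return -sum(len(g) / n * math.log2(len(g) / n) for g in groups.values())


def gain_ratio(records: List[Record], feature: str) -> float:
    si = split_info(records, feature)
    # A constant feature has split_info 0 and carries no information at all.
    return 0.0 if si == 0.0 else info_gain(records, feature) / si


def rank_features(records: List[Record]) -> List[Tuple[str, float]]:
    """Features ordered from most to least useful for telling TP from FP."""
    names = list(records[0][0].keys())
    return sorted(((f, gain_ratio(records, f)) for f in names),
                  key=lambda pair: -pair[1])


if __name__ == "__main__":
    for name, score in rank_features(ALERTS):
        print(f"{name:9s} gain={info_gain(ALERTS, name):.3f} ratio={score:.3f}")
```

On this data "port" has a higher raw information gain than "proto" but a lower gain ratio, because its four distinct values inflate the split information.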

7.1 Justification

An intrusion detection system (IDS) monitors and analyzes events that occur on a network or system, looking for intrusion attempts (events that try to compromise the confidentiality, integrity, and availability of data). The increase in the number and severity of attacks now makes intrusion detection systems a necessary part of security. Since most networks require intrusion detection, a corporation must understand what type of IDS provides the functions needed to protect its infrastructure. Corporations sometimes invest in an IDS that is difficult to support, reports far too many false positives, and cannot keep up with the speed of the network. False positives are apparent attacks generated by legitimate activity. A system administrator may believe that an attack took place when in fact none ever occurred. An IDS that reports many false positives is difficult and often impossible to manage. After a while the system administrator may ignore alerts because they look like false positives, or the administrator stops looking at the alerts and data being collected because it is too difficult to figure out if an attack actually took place. If the corporation is not looking for intrusion attempts it has no idea what the threat to the organization is. Once in place, an IDS will report threats that can substantiate claims that the network is under attack. Understanding the frequency and types of attacks allows an organization to determine what security controls need to be in place. IDSs simplify the task of verifying and categorizing the threat in reports to executive management. This solid information helps sell management on budgeting for additional security. For example, if you put only one sensor at the gate of your network and can show management how often you are attacked, how severe the attacks were, and how you were warned of zero-day attacks such as Code Red, then management will most likely understand the need to monitor other important areas on the network, like partner connections and virtual private networks.

8.1 Hypothesis

- Attacks of the same kind have enough similarity to be distinguished from normal behavior
- Resources are not adequately protected by the infrastructure
- Any attack causes enough deviation from the profile (generally true?)

9.1 Proposed tools

No.  Tool              Use
1.   Perl              Programming language
2.   Wireshark         Packet sniffing tool
3.   Tshark            Command-line packet sniffing tool
4.   tcpdump           TCP traffic intercepting tool
5.   Apache Server     HTTPD server to host websites
6.   Airmon-ng         To put a wireless network card into monitor mode
7.   Airodump-ng       To dump all wireless connection details
8.   Aireplay-ng       To do an ARP poisoning attack on base stations
9.   Airbase-ng        To create a new base station
10.  DHCP Server       To configure networking such as IP address ranges
11.  Burp Suite        To intercept sessions of users
12.  Driftnet          To sniff images from captured packets
13.  Hamster & Ferret  To sniff documents from captured packets

10.1 Expected Results

- Trojans Scanner: checks the active connections, finds possible Trojans and reports them to the administrator.
- Shell Finder: finds web shells and back-connect backdoors on the Apache server and reports them to the administrator.
- PSAD: well known as "Port Scan Attack Detector". The concept of PSAD comes from the well-known book "The Art of War" by Sun Tzu, where he states "If you know the enemy and know yourself, you need not fear the result of a hundred battles". Similarly, port scanning is the first step of hacking, used to get to know your enemy, so PSAD detects it and alerts the administrator.
- Fake Access Point: the fake access point is a honeypot which attracts attackers, so that the administrator can easily learn about the attacker and their capabilities.
- ADS Blocker: blocks ads and spam for the user.

11.1 Ethics Consideration

The subject of honeypots, firewalls, log checks, DDoS and DoS as used in computing can be a controversial one; therefore this section aims to analyse these controversies and explore the ethics surrounding honeypots.

One of the major issues of using a honeypot is that it could be seen as encouraging criminal activity, since the purpose of this project is to build a software system which allows attackers to gain unauthorised entry into it. However, one of the major aims of this project is to allow attackers to believe that they are gaining unauthorised access (when in fact they are not). Therefore, the attacker is not actually gaining unauthorised entry at all. The details of the attackers' IP addresses will remain anonymous throughout this project, and will only be used to determine approximately which countries/states certain attacks originate from (although some attacks may route through a proxy which could be in a different location/country from the originating attack). Therefore, any IP address logs that appear in this dissertation shall be masked using the asterisk (*) symbol (for example the IP address 192.168.0.1 may be masked as 192.***.*.1). Another major issue surrounding the use of honeypots is that of deception. This is because participants in this project do not know that they are participating in a research project. This is a difficult subject to address due to the nature of the aims of honeypots. If attackers were informed about participating in a research project, they would not participate. If participants were told to "attack" the honeypot it would likely produce unrealistic results, since the attackers would know they are being monitored.

Some experts consider honeypots to be unethical because they are strengthening the attackers' ability to detect honeypots. This could then allow attackers to stop targeting honeypots and, instead, only attack genuinely insecure systems. It could be argued that the result is that honeypots are contributing to attackers becoming more sophisticated and creating a bigger problem. However, the use of honeypots has resulted in many insecure systems being toughened and viruses and malicious code being discovered, and the information security sector as a whole has developed due to the use of honeypots.
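The PSAD idea from the expected results (one source touching many ports on one host within a short time) together with the IP masking rule from this section, as an added example that is neither the proposal's code nor the real psad tool: it parses a constructed connection log, raises one alert per scanning source, and reports that source masked in the 192.***.*.1 style. The log format, thresholds and addresses are constructed assumptions.

```python
"""Port scan detection over a connection log, with masked source addresses.

Added example, not the proposal's code and not the real psad tool. A source
that reaches PORT_THRESHOLD or more distinct destination ports on one host
within WINDOW seconds is reported once. Log format, thresholds and addresses
are constructed for this example; the masking follows the proposal's ethics
rule (192.168.0.1 is reported as 192.***.*.1).
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log lines: "<epoch seconds> <src ip> <dst ip> <dst port> <proto>"
LOG_LINES = """\
1000 10.0.0.9 192.168.1.20 22 tcp
1001 10.0.0.9 192.168.1.20 23 tcp
1001 10.0.0.9 192.168.1.20 25 tcp
1002 10.0.0.9 192.168.1.20 80 tcp
1002 10.0.0.9 192.168.1.20 110 tcp
1003 10.0.0.9 192.168.1.20 143 tcp
1003 10.0.0.9 192.168.1.20 443 tcp
1004 10.0.0.9 192.168.1.20 3306 tcp
1000 10.0.0.3 192.168.1.20 80 tcp
1050 10.0.0.3 192.168.1.20 80 tcp
1100 10.0.0.3 192.168.1.20 443 tcp
""".splitlines()

PORT_THRESHOLD = 5   # distinct destination ports on one host ...
WINDOW = 30          # ... within this many seconds


def mask_ip(ip: str) -> str:
    """Keep only the first and last octet, as the ethics section prescribes."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return f"{octets[0]}.***.*.{octets[3]}"


def parse_line(line: str) -> Tuple[int, str, str, int, str]:
    ts, src, dst, port, proto = line.split()
    return int(ts), src, dst, int(port), proto


def detect_scans(lines: List[str], threshold: int = PORT_THRESHOLD,
                 window: int = WINDOW) -> List[Dict[str, object]]:
    """One alert per (source, destination) pair that looks like a port scan."""
    hits: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, _proto = parse_line(line)
        hits[(src, dst)].append((ts, port))

    alerts: List[Dict[str, object]] = []
    for (src, dst), events in hits.items():
        events.sort()
        # Slide a window that starts at each event and count distinct ports in it.
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                alerts.append({
                    "src": mask_ip(src),          # masked before it is ever logged
                    "dst": dst,
                    "distinct_ports": len(ports),
                    "first_seen": t0,
                })
                break   # report this pair once, not once per window position
    return alerts


if __name__ == "__main__":
    for a in detect_scans(LOG_LINES):
        print(f"ALERT possible port scan: {a['src']} -> {a['dst']} "
              f"touched {a['distinct_ports']} ports from t={a['first_seen']}")
```

The repeated web visits from 10.0.0.3 never exceed two ports in any 30-second window and stay silent, while 10.0.0.9 is reported once for eight ports in five seconds.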

12.1 Time Table

October to November

December to January

13.1 Estimated Budget

A positive return on investment (ROI) of intrusion detection systems (IDS) is dependent upon an organization's deployment strategy and on how well the successful implementation and management of the technology helps the organization achieve the tactical and strategic objectives it has established. ROI has traditionally been difficult to quantify for network security devices, in part because it is difficult to calculate risk accurately due to the subjectivity involved in its quantification. Also, business-relevant statistics regarding security incidents are not always available for consideration in analyzing risk.

In considering an implementation of IDS technology, the return on investment can be understood by analyzing the difference between the annual loss expectancy (ALE) without IDS deployment and the ALE with IDS deployment, adjusted for technology and management costs.

The ultimate initial goal, then, should be to prove that the value proposition (i.e. a benefit in the form of a quantifiable reduction in ALE) from implementing and effectively managing the IDS technology is greater than the implementation and management costs associated with deploying the IDS technology.

Glossary

Access Control Mechanism – Security safeguards (i.e., hardware and software features, physical controls, operating procedures, management procedures, and various combinations of these) designed to detect and deny unauthorized access and permit authorized access to an information system.

Access Control – The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).

Access Point – A device that logically connects wireless client devices operating in infrastructure mode to one another and provides access to a distribution system, if connected, which is typically an organization's enterprise wired network.

Active Attack – An attack that alters a system or data.

Administrative Account – A user account with full privileges on a computer.

Alert – Notification that a specific attack has been directed at an organization's information systems.

Analysis – The examination of acquired data for its significance and probative value to the case.

Anomaly-Based Detection – The process of comparing definitions of what activity is considered normal against observed events to identify significant deviations.

Attack – An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity.

Attack Sensing and Warning (AS&W) – Detection, correlation, identification, and characterization of intentional unauthorized activity with notification to decision makers so that an appropriate response can be developed.

Attack Signature – A specific sequence of events indicative of an unauthorized access attempt.

Audit – Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

Audit Log – A chronological record of system activities. Includes records of system accesses and operations performed in a given period.

Audit Trail – A record showing who has accessed an Information Technology (IT) system and what operations the user has performed during a given period.

Backdoor – An undocumented way of gaining access to a computer system. A backdoor is a potential security risk.

Blacklisting – The process of the system invalidating a user ID based on the user's inappropriate actions. A blacklisted user ID cannot be used to log on to the system, even with the correct authenticator. Blacklisting and lifting of a blacklisting are both security-relevant events. Blacklisting also applies to blocks placed against IP addresses to prevent inappropriate or unauthorized use of Internet resources.

Communications Profile – Analytic model of communications associated with an organization or activity. The model is prepared from a systematic examination of communications content and patterns, the functions they reflect, and the communications security measures applied.

Computer Abuse – Intentional or reckless misuse, alteration, disruption, or destruction of information processing resources.

Confidentiality – Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Denial of Service (DoS) – The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.)

Digital Signature – An asymmetric key operation where the private key is used to digitally sign data and the public key is used to verify the signature. Digital signatures provide authenticity protection, integrity protection, and non-repudiation.

Distributed Denial of Service (DDoS) – A Denial of Service technique that uses numerous hosts to perform the attack.

External Network – A network not controlled by the organization.

False Positive – An alert that incorrectly indicates that malicious activity is occurring.

Firewall – A gateway that limits access between networks in accordance with local security policy.

Hacker – Unauthorized user who attempts to or gains access to an information system.

Honeypot – A system (e.g., a Web server) or system resource (e.g., a file on a server) that is designed to be attractive to potential crackers and intruders and has no authorized users other than its administrators.

Inside(r) Threat – An entity with authorized access (i.e., within the security domain) that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service.

Intrusion – Unauthorized act of bypassing the security mechanisms of a system.

Intrusion Detection System (IDS) – Hardware or software product that gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).

IP Security (IPsec) – Suite of protocols for securing Internet Protocol (IP) communications at the network layer (layer 3 of the OSI model) by authenticating and/or encrypting each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment.

Malware – A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system, or of otherwise annoying or disrupting the victim.

Network Access – Access to an organizational information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).

Online Attack – An attack against an authentication protocol where the attacker either assumes the role of a claimant with a genuine verifier or actively alters the authentication channel. The goal of the attack may be to gain authenticated access or learn authentication secrets.

Packet Sniffer – Software that observes and records network traffic.

Port Scanning – Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).

Protocol – Set of rules and formats, semantic and syntactic, permitting information systems to exchange information.

Real-Time Reaction – Immediate response to a penetration attempt that is detected and diagnosed in time to prevent access.