Comprehensive research and analysis of Network Intrusion Detection System: SNORT

Understanding a network intrusion detection system (NIDS) first requires understanding the term intrusion. An intrusion is an attempt by an attacker to gain access to a system or a network; a NIDS detects such attempts by monitoring the data flowing through the network and raises an alarm whenever malicious behavior is observed (Castano, Fugini, Martella, & Samarati, 1995).

The objectives of a NIDS are to monitor the traffic in a system continuously so as to detect malicious activity and attacks, to provide detailed information about each attempt or attack, to respond appropriately to counter the attack, and to record every occurrence of an attack (Northcutt & Novak, 2000).

A NIDS is positioned strategically in a system so that all the data flowing through the network can be monitored. It is therefore paramount to consider the two types of NIDS, namely the signature-based system and the anomaly-based system, and to compare them. A signature-based NIDS is directed at particular known threats and thus produces a limited number of false positives. An anomaly-based NIDS flags unusual activity rather than specific known attacks, and so produces many false positives. It is therefore important to choose the NIDS that suits specific needs (Bruschi, Martignoni & Monga, 2007).

A NIDS has many benefits. It can be deployed without interfering with the existing network, since the system is independent of it. A NIDS is cost effective because, once installed, it covers the entire network, saving the cost of installing software on every host in the system. Through a NIDS, attacks that host-based sensors may have failed to notice are detected. A NIDS provides real-time monitoring of attacks and gives the attacker no chance to tamper with the evidence of malicious behavior (Northcutt & Novak, 2000).

Despite the many advantages of a NIDS, there are a few disadvantages. The system is likely to be overloaded by the huge volume of alerts a NIDS generates daily. The high frequency of false positives may reduce confidence in alerts in general, and any attempt to reduce the number of false positives would affect the reliability of the NIDS. The work of analyzing and filtering alerts cannot be automated and has to be done manually (Bruschi, Martignoni & Monga, 2007).

The following is an analysis of the effort being made in designing a NIDS that prevents unauthorized persons from accessing a network and prevents misuse by permitted users. Many methods can be used to deter intrusion into a network, but only the effective ones can successfully monitor instances of an attack on a system. The first three components of a NIDS are prevention, preemption, and deterrence. Although they play a passive role, they reduce a hacker's chances of successfully intruding into a system. For example, an organization can offer its employees guidelines on security through training and seminars, and can post warning notices on initial screens. Once the first three components are in place, another set of three important components follows: deflection, detection, and countermeasures against an attack. These latter components are active and are meant to detect intrusion against the critical elements of a network. It is important to note that any security measure depends on accurately identifying the intruder in a network before defensive mechanisms can be applied (Northcutt & Novak, 2000).

Effective detection is important for any network for several reasons. Most systems are vulnerable to attack because of security flaws that are not easy to identify, for reasons related to cost or to the applications involved. Insecure networks already in place in organizations cannot easily be replaced with secure ones, because replacement would be expensive for the organization and the required applications may be too complex for the existing system. It is almost impossible to develop a system that is perfect in terms of security, and therefore there is a need for a network intrusion detection system. Lastly, even when an organization has developed a highly secure network, authorized users may misuse it, leaving it vulnerable to attackers.

Intrusion detection requires an understanding of the metrics used to analyze data. Threats in a network are detected by reviewing data in the system through an audit process, because many networks create a record of all the activities that have taken place in the system. The threats that can be detected through auditing are external penetration, where users who are not legitimate access the system; internal intrusion, where legitimate users misuse the system; and misfeasors, where a legitimate user misuses his or her access rights (Castano, Fugini, Martella, & Samarati, 1995).

External hackers referred to as clandestine users are dangerous to a network. They evade the access control mechanisms used to analyze data by manipulating system privileges or by carrying out their activity at a lower level than the level the system usually monitors. Such attackers can be countered by operating the audit trail at lower levels, by identifying the functions that would render auditing inactive, or by comparing observed usage with normal levels. Since reviewing records in a system manually is inefficient, automated mechanisms for the analysis of data have become a requirement (Bruschi, Martignoni & Monga, 2007).

An intrusion detection system is founded on several concepts. On the concept of metrics, any detection uses definable metrics that form the basis of statistical analysis. Metrics show which resources in the system are in use and how they are being used; such resources include CPU usage, the number of files accessed, and the attempts made to log in. A metric can be an event counter, which records how often a particular activity occurs over a certain duration, such as the number of files opened or the number of times a wrong password has been used in a login attempt. Another metric, the time interval, measures the time between two related activities, such as the times at which different users accessed the system. Finally, a metric can be designed to quantify the resources consumed over a period of time, such as the amount of data transmitted over the network (Ilgun & Porras, 1995).

Once an organization has decided on the metrics to be used, the choice of a statistical model follows, in order to monitor deviations from a known norm. Such models include the operational model and the time series model. The role of the models is to form the basis of profiles, which map the non-intrusive activities of the network, so that the behavior of users can be compared with the observations being made. The last element in a NIDS is the analysis technique, which determines how the gathered data is reviewed by the mechanism. The analysis can be statistical, comparing statistics of specific activities against a set of known criteria. It can also be rule-based, making use of rules predefined by the network administrators: once a rule is satisfied, the associated operation is executed (Castano, Fugini, Martella, & Samarati, 1995).
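The three metric kinds described above (event counter, time interval, resource quantity) and the operational model are easiest to see on a concrete audit trail. The following Python example is added here and is not code from the paper or from Snort: the audit records are constructed for the example, and the operational model is assumed to mean comparing a metric against a fixed administrator-set limit.

```python
from datetime import datetime, timedelta

# Constructed audit records (an assumption of this example, not data from the paper):
# one row per audited event, as a NIDS would receive them from an audit trail.
AUDIT = [
    {"ts": "2024-01-01T09:00:00", "user": "alice", "event": "login_fail", "bytes": 0},
    {"ts": "2024-01-01T09:00:05", "user": "alice", "event": "login_fail", "bytes": 0},
    {"ts": "2024-01-01T09:00:09", "user": "alice", "event": "login_ok",   "bytes": 0},
    {"ts": "2024-01-01T09:01:00", "user": "alice", "event": "file_open",  "bytes": 0},
    {"ts": "2024-01-01T09:02:00", "user": "alice", "event": "net_send",   "bytes": 1500},
    {"ts": "2024-01-01T09:30:00", "user": "bob",   "event": "login_ok",   "bytes": 0},
    {"ts": "2024-01-01T09:31:00", "user": "bob",   "event": "net_send",   "bytes": 40000},
    {"ts": "2024-01-01T09:40:00", "user": "bob",   "event": "file_open",  "bytes": 0},
    {"ts": "2024-01-01T09:41:00", "user": "bob",   "event": "file_open",  "bytes": 0},
    {"ts": "2024-01-01T10:00:00", "user": "bob",   "event": "net_send",   "bytes": 25000},
]


def _times(records, user, event=None):
    """Sorted timestamps of `user`'s records, optionally restricted to one event type."""
    return sorted(
        datetime.fromisoformat(r["ts"])
        for r in records
        if r["user"] == user and (event is None or r["event"] == event)
    )


def event_counter(records, user, event, window_seconds):
    """Event counter metric: the largest number of `event` occurrences for
    `user` that fall inside any sliding window of `window_seconds`."""
    times = _times(records, user, event)
    best = 0
    for i, start in enumerate(times):
        end = start + timedelta(seconds=window_seconds)
        best = max(best, sum(1 for t in times[i:] if t <= end))
    return best


def time_intervals(records, user):
    """Time interval metric: seconds elapsed between consecutive audited
    events of `user` (an empty list if there are fewer than two events)."""
    times = _times(records, user)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def resource_usage(records, user, event="net_send"):
    """Resource metric: bytes attributed to `user` for `event` over the audit period."""
    return sum(r["bytes"] for r in records if r["user"] == user and r["event"] == event)


def operational_check(value, limit):
    """Operational model (assumed here to mean a fixed administrator-set limit):
    the metric is flagged when it exceeds the limit."""
    return value > limit


def metric_report(records, user, fail_limit=3, byte_limit=50000):
    """Evaluate the three metric kinds for one user and apply the operational model."""
    fails = event_counter(records, user, "login_fail", window_seconds=60)
    sent = resource_usage(records, user)
    return {
        "failed_logins_per_minute": fails,
        "intervals_seconds": time_intervals(records, user),
        "bytes_sent": sent,
        "flagged": operational_check(fails, fail_limit) or operational_check(sent, byte_limit),
    }


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, metric_report(AUDIT, user))
```

On this constructed trail, alice's two failed logins stay under the limit of three per minute, while bob's 65000 bytes sent exceed the 50000-byte limit, so only bob is flagged. The limits are arbitrary values chosen for the example; in practice they are the tunable part of the operational model, and the paper's remark about false positives applies directly to how they are set.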

The modern NIDS makes use of two approaches, namely anomaly detection and misuse detection. Anomaly detection identifies, in general terms, activities that deviate from the normal patterns of use. The approach can identify a masquerade, where an attacker is disguised as an authorized user, which is a powerful method of attacking a system. The method relies on multiple user profiles, which are effective but very difficult to create and maintain. It is important to balance short-term profiles that track recent activity against long-term profiles that track the user's history of activity. User profiles require regular updates to reduce the number of false alarms caused by changes in user activity over time. The mechanism relies on input from the audit records of the network (Bruschi, Martignoni & Monga, 2007).

The misuse detection approach uses the already known behavior of a hacker intruding into a system and compares it against the activities of users in the network. The approach also uses information stored in a knowledge base, which records the attack methods known at the time the knowledge base was built. The method is rule-based: if a user performs an activity that is inconsistent with the predetermined rules, the mechanism identifies the activity as an attack and raises an alarm. Research is underway to combine anomaly and misuse detection in order to make network intrusion detection systems more effective (Chakrabarti & Mukhopadhyay, 2011).
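The two approaches described in the last two paragraphs differ in what they compare an observation against: a per-user profile (anomaly detection) or a fixed set of rules (misuse detection). The Python example below is added to show both side by side; it is not code from the paper or from Snort. The profile history, the audit records, the admin set and the access list are all constructed for the example, and the deviation threshold of three standard deviations is an assumption.

```python
import statistics

# ---- Anomaly detection: compare observations with a per-user profile ----

# Constructed long-term profiles (an assumption of this example): failed-login
# counts per day for each known user over the last ten days.
PROFILES = {"carol": [1, 0, 2, 1, 0, 1, 2, 1, 0, 1]}


def anomaly_score(profile, observed):
    """How many standard deviations `observed` lies above the profile's mean.
    A flat profile (all values equal) has zero deviation, so 1.0 is used
    instead to avoid dividing by zero."""
    mean = statistics.mean(profile)
    deviation = statistics.pstdev(profile) or 1.0
    return (observed - mean) / deviation


def anomaly_alerts(profiles, today, threshold=3.0):
    """Users whose count for today deviates from their long-term profile by
    more than `threshold` deviations. A user without a profile cannot be
    scored and is reported separately rather than silently ignored."""
    flagged, unprofiled = [], []
    for user, count in today.items():
        if user not in profiles:
            unprofiled.append(user)
        elif anomaly_score(profiles[user], count) > threshold:
            flagged.append(user)
    return flagged, unprofiled


def update_profile(profile, observed, keep=10):
    """Roll today's observation into the profile and drop the oldest entry, so
    the profile follows gradual changes in a user's habits (the regular update
    the paper says is needed to keep false alarms down)."""
    return (profile + [observed])[-keep:]


# ---- Misuse detection: fixed rules describing activity that is never allowed ----

# Constructed audit records for one day (not data from the paper).
AUDIT = [
    {"ts": "2024-01-02T02:15:00", "user": "carol", "event": "config_change", "target": "firewall_policy"},
    {"ts": "2024-01-02T09:05:00", "user": "root",  "event": "config_change", "target": "firewall_policy"},
    {"ts": "2024-01-02T09:10:00", "user": "dave",  "event": "file_read",     "target": "payroll.db"},
    {"ts": "2024-01-02T23:40:00", "user": "carol", "event": "file_read",     "target": "payroll.db"},
]
ADMINS = {"root"}               # constructed: users allowed to change configuration
ACL = {"payroll.db": {"dave"}}  # constructed: who may read each protected file


def rule_config_change_by_non_admin(records):
    """Rule: configuration changes are only legitimate from administrators."""
    return [r for r in records if r["event"] == "config_change" and r["user"] not in ADMINS]


def rule_unauthorized_file_read(records):
    """Rule: a protected file may only be read by the users on its access list."""
    return [r for r in records
            if r["event"] == "file_read" and r["target"] in ACL and r["user"] not in ACL[r["target"]]]


RULES = {
    "config_change_by_non_admin": rule_config_change_by_non_admin,
    "unauthorized_file_read": rule_unauthorized_file_read,
}


def misuse_alerts(records):
    """Run every rule; return only the rules that matched, with the matching records."""
    hits = {name: rule(records) for name, rule in RULES.items()}
    return {name: recs for name, recs in hits.items() if recs}


if __name__ == "__main__":
    print(anomaly_alerts(PROFILES, {"carol": 12, "erin": 4}))
    print(misuse_alerts(AUDIT))
```

The contrast the paper draws shows up in the results: carol's twelve failed logins are flagged by the anomaly detector only because they are far from her own history, whereas her configuration change and payroll read are flagged by the misuse rules regardless of history. The anomaly detector also has nothing to say about erin, who has no profile yet, which is one reason the two approaches are being combined.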
