SECURITY EXPERTS THAT NETWORK INTRUSION DETECTION SYSTEM (NIDS)

CHAPTER ONE

GENERAL INTRODUCTION

1.0 INTRODUCTION

Research works and experiments have convinced security experts that Network Intrusion Detection Systems (NIDS)alone are not capable of securing the computer networks from internal and external threats completely. (Renuka et al., 2011). An intrusion detection system (IDS) is a device or software application that monitors systems for malicious activities and policy violations and produces reports to a management station. Intrusion detection systems are primarily focused on identifying possible incidents, logging information about them and reporting attempts. Organizations use these systems for identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. The goals of intrusion detection systems are to use all available information in order to detect both attacks by external hackers and misuse by insiders. IDSs are based on the belief that an attacker’s behaviour will be noticeably different from that of a legitimate user. (tzeyoung, 2009).

Intrusions can occur due to vulnerabilities in operating systems. Many common operating systems are simply not designed to operate securely. Thus, malware often is written to exploit discovered vulnerabilities in popular operating systems. Depending on the nature of the attack, many times if an operating system is compromised, it can be difficult for an IDS to recognise that the operating system is no longer legitimate. Operating Systems must be designed to better support security policies pertaining to authentication, access control and encryption. Intrusion detection uses vulnerability assessment (sometimes referred to as scanning), which is a technology developed to access the security of a computer system or network. Hackers can use malware to record keyboard strokes, then send that account and password information by hacking sites which store those details through the use of tools such as scanning tools; which they use to survey and analyse system characteristics and remote management tools; used by system’s administrators to manage a network by managing and controlling systems devices from a remote location.

According to the Information Assurance Technology Analysis Center (IATAC), 2009; IDSs are generally made up of sensors, analysers, user interfaces and honeypot. Sensors are deployed in a network or on a device to collect data, they take input from various sources, including network packets, log files and system call traces. Analysers in an IDS collect data forwarded by sensors and then determine if an intrusion has actually occurred. The user interface of the IDS gives the end user a view and way to interact with the system. Through the interface, a user can control and configure the system. Honeypot is a fully deployed IDS which administrators deploy as a bait or decoy for intruders, it can be used as early warning systems of an attack, decoys from critical systems and data collection sources for attack analysis.

Provos and Holz (2007), defined honeypot as ‘A closely monitored computing resource that we want to be probed, attacked or compromised.’ The value of a honeypot is weighed by the information that can be obtained from it. To detect malicious behaviour, a network intrusion detection system (NIDS) requires signatures of known attacks and often fail to detect compromises that were unknown at the time it was deployed. Also NIDSs produces erroneous results called false positives and false negatives, which occur when the NIDS erroneously detects a problem with benign traffic and when unwanted traffic is undetected by the NIDS respectively. On the other hand, honeypots can detect vulnerabilities that are not yet understood. For instance, a compromise can be detected by observing network traffic leaving the honeypot, even if the means of the exploit has never been seen before. Honeypots consists of unreal services such as mail, telnet, HTTP etc, database for logging, packet dispatcher and protocols such as ICMP, TCP and UDP.

This work is aimed at developing a network intrusion detection system by utilizing the effect of a decoy system precisely a honeypot which addresses false positives and false negatives as they are not easily evaded or defeated by new exploits. In fact, one of their primary benefits is that they can most likely detect when a new compromise occurs via a new or unknown attack by virtue of system activity, not signatures. Administrators also do not have to worry about updating a signature database or patching anomaly detection engines. Honeypots happily capture any attacks thrown their way. Honeypots reduce false positives by capturing small datasets of high value. The data in the honeypot will be analysed using Adaptive neuro-fuzzy inference system (ANFIS).

1.1 MOTIVATION OF STUDY

This work is motivated by the need to secure networks and system resources. Intrusion detection systems has been developed at 1980 to protect the computer from threats by monitoring and surveillance. It has been observed that network intrusion detection systems alone cannot handle both internal and external threats to computers because the number of false alarms generated by Network Intrusion Detection Systems have firewalls which also play a vital role in network security but also cannot prevent attacks from happening and computer security system still fails to secure the computer networks in case of new attacks.

The problems posed by the existing system are as follows:

Network breaches occur as invalid data and TCP/IP stack attacks may cause an NIDS to crash.
Local packets that escaped can create a significantly high false-alarm rate in the NIDS.
NIDS requires signatures of known attacks and often fail to detect compromises that were unknown at the time it was deployed.
Encrypted packets are not processed by the intrusion detection system, therefore the encrypted packet can allow an intrusion to the network that is undiscovered until more significant network intrusions have occurred.
Therefore, in order to have a better secured networking system, the honeypot system should be incorporated into networks to allow administrators monitor the behaviour of attackers closely.

1.2 AIM AND OBJECTIVES.

The aim of this work is to develop a honeypot based intrusion detection system that will enhance network security by using Adaptive Neurofuzzy Inference System.

The specific objectives are as follows:

To design a virtual honeypot network consisting of a honeywall, honeyd and high interaction honeypot analysing tool in a virtualized domain.
To capture, collect and analyse network data.
Using the result obtained to access system and file integrity and network security.
Design of a Mamdani type ANFIS for intelligent analysis of activities.
To provide necessary network security measures.
Implementation of the system using MATLAB tool.

1.3 METHODOLOGY

The steps necessary to achieve the objectives in section 1.2 are as follows;

Review of relevant literature in network intrusion detection systems (NIDS), honeypots and adaptive neuro-fuzzy inference system.
Honeypot system design and network setup in virtualized environment using VMware workstation.
Intrusion into the honeypot network; using an advanced penetrating tool such as backtrack5 or kali-linux.
Data control, capture and collection using liblibrary (libevent, libdnet, libpcap).
Design of a Mamdani type ANFIS for intelligent analysis of activities.
Implementation of the system using MATLAB tool.
Result and inferences.

1.4 SCOPE OF THE STUDY

This work considers the use of honeypot as a network intrusion detection system in tracking attacker’s traffic and traffic analysis using ANFIS. It does not cover other advanced features of honeypot such as load balancing. The design is basically for academic and research purposes.

1.5 ORGANIZATION OF STUDY

This work is presented in five chapters. Chapter one represents a general overview of the study and states the problems that motivates this study, the aim and objectives of the study and the methodologies employed to realise the objectives of the study.

Chapter two is summarily concerned with the review of relevant literature in network intrusion detection system, honeypot, fuzzy inference system and analysis of the existing system.

The model of the system structure and its components are presented in chapter four.

Chapter five sums up the work by presenting the summary, offering recommendations to the system and conclusion of the work.

1.6 DEFINITION OF TERMS

Intrusion Detection System (IDS): This is a device or software application that monitors network or system activities for malicious activities.

Honeypot: This is a system that is expressly setup to ‘attract’ and ‘trap’ people who attempt to penetrate other people’s computer systems.

Fuzzy Logic: This is a form of many valued logic which deals with reasoning that is approximate rather than fixed and exact.

False Positive: This is an event signalling an IDS to produce an alarm when no attack has taken place.

Noise: This refers to data or interference that can trigger a false positive.

Ethernet: A physical network protocol for transmitting information across copper wires. Ethernet network segments are restricted to distances normally less than415 meters and utilize a packet oriented message transfer protocol. Ethernet is the most popular physical network topology in use today.
Event: A notification from an analyzer to the security administrator a signature has triggered. An event typically contains information about the activity that triggered the signature, as well as the specifics of the occurrence.
File assessment: A technology in which message digest hashing algorithms are used to render files and directories tamper evident.
Firewall – A computer or router (or combination thereof) configured to permit or deny specific kinds of traffic through it. Usually used to protect a network from potentially hostile outside networks; intranetwork firewalls, however are becoming more popular. Available in a variety of strengths and reliability.