The Security Experts That Network Intrusion Detection System (NIDS) (PDF/DOC)
General Introduction
1.0 Introduction
Research works and experiments have convinced security experts that Network Intrusion Detection Systems (NIDS)alone are not capable of securing the computer networks from internal and external threats completely. (Renuka et al., 2011). An intrusion detection system (IDS) is a device or software application that monitors systems for malicious activities and policy violations and produces reports to a management station. Intrusion detection systems are primarily focused on identifying possible incidents, logging information about them and reporting attempts. Organizations use these systems for identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. The goals of intrusion detection systems are to use all available information in order to detect both attacks by external hackers and misuse by insiders. IDSs are based on the belief that an attacker’s behaviour will be noticeably different from that of a legitimate user. (tzeyoung, 2009).
Intrusions can occur due to vulnerabilities in operating systems. Many common operating systems are simply not designed to operate securely. Thus, malware often is written to exploit discovered vulnerabilities in popular operating systems. Depending on the nature of the attack, many times if an operating system is compromised, it can be difficult for an IDS to recognise that the operating system is no longer legitimate. Operating Systems must be designed to better support security policies pertaining to authentication, access control and encryption. Intrusion detection uses vulnerability assessment (sometimes referred to as scanning), which is a technology developed to access the security of a computer system or network. Hackers can use malware to record keyboard strokes, then send that account and password information by hacking sites which store those details through the use of tools such as scanning tools; which they use to survey and analyse system characteristics and remote management tools; used by system’s administrators to manage a network by managing and controlling systems devices from a remote location.
According to the Information Assurance Technology Analysis Center (IATAC), 2009; IDSs are generally made up of sensors, analysers, user interfaces and honeypot. Sensors are deployed in a network or on a device to collect data, they take input from various sources, including network packets, log files and system call traces. Analysers in an IDS collect data forwarded by sensors and then determine if an intrusion has actually occurred. The user interface of the IDS gives the end user a view and way to interact with the system. Through the interface, a user can control and configure the system. Honeypot is a fully deployed IDS which administrators deploy as a bait or decoy for intruders, it can be used as early warning systems of an attack, decoys from critical systems and data collection sources for attack analysis.
Provos and Holz (2007), defined honeypot as ‘A closely monitored computing resource that we want to be probed, attacked or compromised.’ The value of a honeypot is weighed by the information that can be obtained from it. To detect malicious behaviour, a network intrusion detection system (NIDS) requires signatures of known attacks and often fail to detect compromises that were unknown at the time it was deployed. Also NIDSs produces erroneous results called false positives and false negatives, which occur when the NIDS erroneously detects a problem with benign traffic and when unwanted traffic is undetected by the NIDS respectively. On the other hand, honeypots can detect vulnerabilities that are not yet understood. For instance, a compromise can be detected by observing network traffic leaving the honeypot, even if the means of the exploit has never been seen before. Honeypots consists of unreal services such as mail, telnet, HTTP etc, database for logging, packet dispatcher and protocols such as ICMP, TCP and UDP.
This work is aimed at developing a network intrusion detection system by utilizing the effect of a decoy system precisely a honeypot which addresses false positives and false negatives as they are not easily evaded or defeated by new exploits. In fact, one of their primary benefits is that they can most likely detect when a new compromise occurs via a new or unknown attack by virtue of system activity, not signatures. Administrators also do not have to worry about updating a signature database or patching anomaly detection engines. Honeypots happily capture any attacks thrown their way. Honeypots reduce false positives by capturing small datasets of high value. The data in the honeypot will be analysed using Adaptive neuro-fuzzy inference system (ANFIS).
1.1 Motivation of Study
This work is motivated by the need to secure networks and system resources. Intrusion detection systems has been developed at 1980 to protect the computer from threats by monitoring and surveillance. It has been observed that network intrusion detection systems alone cannot handle both internal and external threats to computers because the number of false alarms generated by Network Intrusion Detection Systems have firewalls which also play a vital role in network security but also cannot prevent attacks from happening and computer security system still fails to secure the computer networks in case of new attacks.
The problems posed by the existing system are as follows:
Network breaches occur as invalid data and TCP/IP stack attacks may cause an NIDS to crash.
Local packets that escaped can create a significantly high false-alarm rate in the NIDS.
NIDS requires signatures of known attacks and often fail to detect compromises that were unknown at the time it was deployed.
Encrypted packets are not processed by the intrusion detection system, therefore the encrypted packet can allow an intrusion to the network that is undiscovered until more significant network intrusions have occurred.
Therefore, in order to have a better secured networking system, the honeypot system should be incorporated into networks to allow administrators monitor the behaviour of attackers closely.
1.2 Aim and Objectives.
The aim of this work is to develop a honeypot based intrusion detection system that will enhance network security by using Adaptive Neurofuzzy Inference System.
The specific objectives are as follows:
To design a virtual honeypot network consisting of a honeywall, honeyd and high interaction honeypot analysing tool in a virtualized domain.
To capture, collect and analyse network data.
Using the result obtained to access system and file integrity and network security.
Design of a Mamdani type ANFIS for intelligent analysis of activities.
To provide necessary network security measures.
Implementation of the system using MATLAB tool.
1.3 Methodology
The steps necessary to achieve the objectives in section 1.2 are as follows;
Review of relevant literature in network intrusion detection systems (NIDS), honeypots and adaptive neuro-fuzzy inference system.
Honeypot system design and network setup in virtualized environment using VMware workstation.
Intrusion into the honeypot network; using an advanced penetrating tool such as backtrack5 or kali-linux.
Data control, capture and collection using liblibrary (libevent, libdnet, libpcap).
Design of a Mamdani type ANFIS for intelligent analysis of activities.
Implementation of the system using MATLAB tool.
Result and inferences.
1.4 Scope of the Study
This work considers the use of honeypot as a network intrusion detection system in tracking attacker’s traffic and traffic analysis using ANFIS. It does not cover other advanced features of honeypot such as load balancing. The design is basically for academic and research purposes.
1.5 Organization of Study
This work is presented in five chapters.
Chapter one represents a general overview of the study and states the problems that motivates this study, the aim and objectives of the study and the methodologies employed to realise the objectives of the study.
Chapter two is summarily concerned with the review of relevant literature in network intrusion detection system, honeypot, fuzzy inference system and analysis of the existing system.
The model of the system structure and its components are presented in chapter four.
Chapter five sums up the work by presenting the summary, offering recommendations to the system and conclusion of the work.
1.6 Definition of Terms
Intrusion Detection System (IDS):
This is a device or software application that monitors network or system activities for malicious activities.
Honeypot:
This is a system that is expressly setup to ‘attract’ and ‘trap’ people who attempt to penetrate other people’s computer systems.
Fuzzy Logic:
This is a form of many valued logic which deals with reasoning that is approximate rather than fixed and exact.
False Positive:
This is an event signalling an IDS to produce an alarm when no attack has taken place.
Noise:
This refers to data or interference that can trigger a false positive.
Ethernet:
A physical network protocol for transmitting information across copper wires. Ethernet network segments are restricted to distances normally less than415 meters and utilize a packet oriented message transfer protocol. Ethernet is the most popular physical network topology in use today.
Event:
A notification from an analyzer to the security administrator a signature has triggered. An event typically contains information about the activity that triggered the signature, as well as the specifics of the occurrence.
File assessment: A technology in which message digest hashing algorithms are used to render files and directories tamper evident.
Firewall:
A computer or router (or combination thereof) configured to permit or deny specific kinds of traffic through it. Usually used to protect a network from potentially hostile outside networks; intranetwork firewalls, however are becoming more popular. Available in a variety of strengths and reliability.
Summary and Conclusion
5.0 Introduction
This chapter comprises of the summary, recommendation, problem encountered and conclusion of this research work. This section is imperative should a user decide improving on the research work or in a situation of recommendation.
5.1 Summary
This project has presented an overview of network security and how honeypots can be used to improve network security. A comprehensive review of relevant literature is presented in chapter two of this work and the design of the system is presented in chapter three. A complete implementation of the design is presented in chapter four, where the honeypot network setup is shown and how logs of intrusion are obtained.
5.2 Problems Encountered
In designing this system, several problems were encountered, they include;
a) Understanding and writing of the honeypot configuration script:
The honeyd.conf was not that friendly to comprehend, should the script have single typographical error, the configuration file would not run. Therefore much time was spent on debugging the script before a perfect one was finally obtained.
b) Linux Platform:
The UNIX based operating systems used in the course of this project are Linux distributions (Kali and backtrack) which are not familiar and user-friendly like windows; most setup had to be done on the command interface.
5.3 Recommendation
To obtain maximum benefit of the system and for the system not to fall into disuse, the following recommendation should be adhered to:
This system is highly recommended for use in server environments, managed networking (switches, routers, etc).
The use of honeypots has allowed researchers and security professionals to monitor malicious attackers without their knowledge, and hopefully learn about the latest techniques and exploits in real time.
It is important to know that usage of only honeypots to secure a network is not recommended. There is need for multiple security tiers in order to successfully thwart network attacks and breaches. Therefore combining honeypots alongside with other security solutions is necessary and recommended.
5.4 Conclusion
The honeypot has emerged as an effective tool for observing and understanding intruder’s toolkits, tactics, and motivations. A honeypot suspects every packet transmitted to/from it, giving it the ability to collect highly concentrated and less noisy datasets for network attack analysis. In the future, more researches on how to optimally interface honeypots with real devices in network environments can be carried out.
Click the button below to INSTANTLY subscribe and download the COMPLETE MATERIAL (PDF/DOC)!