Network Intrusion Detection Systems

Salma Abdul-Rahman
CS594- Computer and Network Security
April 20, 2000

Abstract

This paper will examine intrusion detection systems, and in particular, network-based systems.  Intrusion detection systems are commonly classified by the type of analysis they perform, such as misuse versus anomaly detection.  They can also be classified according to the source and type of information they collect, such as host-based versus network-based.  In this paper I will compare and contrast the differences between these classifications. I will end by examining in detail two network-based systems that are currently on the market, NetRanger and Network Flight Recorder.

 
 

1.  Introduction

Networked systems have grown at an astonishing rate, and unfortunately, the rate of attacks against such systems by malicious users has also grown.  In fact, over the last five years, information theft increased over 250%, and 99% of all major companies reported at least one major intrusion incident.  Telecom and computer fraud totaled $10 billion in the US alone [11].  Recently,  the Internet has been the subject of attacks such as Denial of Service (against major commercial web sites such as yahoo.com and cnn.com) and intruders gaining access to privileged information (credit card numbers on commercial music sites).  However, not all attacks are solely internet based.  Attacks can be aimed at corporate networks, school networks, and even private computers.   One approach to countering such attacks is prevention.  To prevent attacks, a system might utilize firewalls, data encryption, or message authentication.  But prevention cannot be counted on to stop all attacks, so the next step is detection.
    Intrusion detection systems (IDS) are more than just off-the-shelf kits you can buy from your local vendor and set up.  They are actually entire collections of various detection tools that need to be configured and monitored according to specific parameters in order to give peak performance for a system.  Computer network systems vary widely, and different systems may be on the lookout for different types of attacks.  Thus security teams need to choose intrusion detection tools that best fit their needs, and then tailor their systems according to the type of service they require.  Intrusion detection systems can be used to complement firewalling strategies, serve as another layer of defense or augment a security team's efforts [8].
 
 

2.  Intruders and Intrusion Detection

Amoroso defines intrusion detection to be "the process of identifying and responding to malicious activity targeted at computing and networking resources."  The process of intrusion detection involves both detection tools and people.  In addition, the process can often undergo changes to meet new needs or re-address old ones.
     Identifying malicious activity requires the analysis of a range of activities and the ability to pinpoint those that are malicious.  A combination of analytical methods may be needed, and different steps may be taken depending on whether identification was done before, during, or after an intrusion.  For example, if an attempted intrusion is detected before it occurs, the best policy might be to block the user before he or she even enters the systems.  Another option might be to allow the user to enter the system and start the attack in order to learn more about the source and type of attack.  If, on the other hand, an intrusion is detected while it is in progress, or even after it has completed, the first priority might be to assess potential damage and isolate compromised sections of the network.
    Responding to malicious activity usually entails writing the event to a log file for later analysis.  Systems can be configured to set off alarms or beepers if certain attacks are detected.  Responses can also include blocking a user from entering the system, allowing the user to enter but keeping a close watch, or even mounting a counterattack.
    Malicious activity, or an intrusion attempt, was defined as early as 1980 by Anderson to be "the potential possibility of a deliberate unauthorized attempt to (1) access information, (2) manipulate information, or (3) render a system unreliable or unusable [11]".  Anderson's definition still holds true today, and encompasses almost all types of current attacks.
    The computing and network resources that can come under attack include not only computers, but also the data stored on them, their computing power, and the resources they control.  Network resources might include the bandwidth along a given portion of the network, the routers at different points along the way, and the packets that traverse the network.
    The intruder in an intrusion attempt is classified by Denning as either internal or external.  External intruders are unauthorized users of the machine or network they are attacking, and they launch their attacks from outside the network.  Internal intruders are usually legitimate users of a system who have restricted privileges.  They operate by trying to gain access to unauthorized portions of the system, or even leaking information to the outside.  Internal intruders can be further divided into masqueraders and clandestine users.  Masqueraders try to pass themselves off as a different user, and clandestine users manage to turn off auditing features of the system they are attacking so that no trace of their attack is left when they are done [10].
 

3.  Intrusion Detection System Classification

Intrusion detection systems are commonly classified according to either their data sources or their models of intrusion.  When classified according to data source, IDS can be broadly grouped into host-based and network-based systems.  Host-based systems use system logs and operating system audit trails to collect and chronologically store information about the events occurring on a particular host.  Network-based systems, on the other hand, examine data associated with the network.  The data is gathered by placing network monitors or sensors at strategic points along the network.
    When classified according to which intrusion model they follow, IDS are grouped as either anomaly detection or misuse detection systems.  Anomaly detection systems analyze system information and use statistical techniques to search for behavior that falls out of a certain "normal" range.  Such systems must first compile data from normal usage, and then compare new behavior patterns to this set of normal patterns.  Misuse detection systems, on the other hand, use pattern matching techniques to search for behavior that matches a known pattern of intrusion activity.  This is similar to virus detection software that searches a system for signatures of known viruses; like virus detection software, misuse detection systems need to be updated periodically with the signatures of new attacks as they arise.
 

3.1  Host-Based Systems

The main difference between host-based and network-based systems is the data source, and consequently, the type of data available from each type of system.  Host-based and network-based systems both have advantages and disadvantages; generally, security managers are recommended to use a mix of both host and network sensors to obtain the greatest possible protection.  However, it's interesting to note that many experts believe the advantages of network-based systems far outweigh those of host-based systems [7].  Their reasons will be elaborated upon in the next section.

    Host-based systems rely on information provided by operating system audit trails and system logs to detect intrusions [2].  Operating system audit trails consist of information about operating system events stored in chronological order in files.  The files are generated by a specialized operating system mechanism.  System logs are text files containing information about system and application events, and they are usually written to by log-generating software running as an application.
    Audit trails provide information at a very fine level of granularity.  The events recorded are generally triggered by either application events (which occur at the user level) or system calls (which occur at the kernel level).  An audit record might contain values such as the process ID and user ID associated with an event, the system call that was made, and the arguments that were passed.  The time and date of the event might also be recorded, along with relevant flags or descriptions.
    One of the main advantages of audit trails is the inherent security of operating system files and processes.  The audit trail will most likely be stored in a protected directory and will be quite difficult to tamper with.  Another advantage is the fine-grained level of detail that audit trails can provide.  Careful analysis of the records in an audit trail can catch processes that are not executing properly, or suspicious behavior of process ID's and user ID's.  A coarser level of granularity would not allow such a detailed look at suspicious events.
    However, the fine level of granularity does introduce issues of record size and complexity [2].  The sheer volume of records generated can make analysis difficult at best.  In response to this concern, most systems incorporate some form of audit reduction, whereby the files are filtered to remove redundant or unnecessary information.  The complexity of the audit reduction process introduces new problems;  finding a reduction process that can interpret the relationships between events and safely decide which event records to keep is not an easily solved problem.  Some audit trail programs, such as Sun's BSM security package, provide tools to automate the selection and reduction process.  Once the audit trail has been reduced, the resulting size can still be large enough to present storage space and storage duration dilemmas. In fact, Christopher Klaus, founder and CTO of Internet Security Systems, believes that data overload is one of the major problems with intrusion detection systems [7].
    System logs are files that contain information about user and application level events, generally at a coarser level of granularity than audit trails.  For example, Sun Solaris log events include a history of each user's commands and resource usage, all login failures, and a list of time-stamped logins and logouts [2].  In addition, the UNIX syslogd daemon can be used to maintain system information in a special log file using the syslog command.
    System logs have some distinct advantages over audit trails.  First of all, system logs are much easier to read and interpret than their audit trail counterparts, which are often cryptic and unreadable.  Second, system logs can be generated using multiple logging mechanisms, allowing correlation of records if necessary.
    A disadvantage of system logs that can make some system managers quite wary is the weak security associated with system logs.  The applications that generate system logs are susceptible to attackers, as are the log files themselves, which are usually kept in unprotected directories.  A related point to consider is the fact that the system logs on a compromised machine most probably cannot be trusted, since the attacker may have modified them to cover his or her tracks.  This can also be an issue for audit logs on compromised machines [9].
    Another disadvantage of both audit trails and system logs is the slower performance that arises because so many system calls and events are constantly being logged [9].  This can tempt some system managers to log fewer events in exchange for an increase in performance.
    The main advantage offered by host-based mechanisms is the level of granularity of the collected information.  However, the large size of audit and log files and the decreased performance that can be seen when logging events can make these options much less attractive.
 

3.2  Network-Based Systems

Network-based intrusion detection systems (NIDS) commonly rely on data drawn from sensors, or "sniffers", placed on the network.  The sensors run in promiscuous mode and can view all network packets as they traverse segments of the network.  Data is processed "on-the-fly" and examined for signs of an intrusion attempt.
    A common utility used to grab packets off of the network is tcpdump, and its associated packet-capture library, libpcap.  Tcpdump is a network monitoring tool that allows filter translation, packet acquisition, and packet display [2].  Used in conjunction with libpcap, the two form a portable and powerful packet-capture tool.
    Sniffers can also be used effectively with firewalls and routers.  For example, a firewall might be configured to route all packets with illegal or malformed source addresses directly to a sniffer for evaluation.  Whether sniffers should be placed inside or outside a system's firewall is often a topic of debate [7].   Marcus Ranum, President and CEO of Network Flight Recorder,  used the following analogy to describe the relationship between firewalls and network sensors: "...filtering, proxies, firewalls, etc., are like armor plate around your network, IDS are like the surgeon that tells you 'Goodness, that bullet just missed your spine'."  Many experts believe that sensors should be placed outside of firewalls.  They reason that the sensors will then be able to monitor network traffic that would typically be blocked - especially intrusion attempts.  David Curry, Senior Internet Analyst of IBM's Internet Emergency Response Service,  believes that "If you put the IDS inside the firewall, then you're not seeing all the traffic the bad guys are sending at you, and this may impact your ability to detect intrusions."
    When asked to choose between network-based and host-based intrusion detection systems, Klaus replied that "network-based intrusion detection is the stronger approach for two reasons: real-time response and lower cost of operation" [7]. This illustrates the main goal of network-based systems:  to recognize intrusion attempts before they have a chance to breach the network.  This is very different from the approach of host-based systems, which analyze events that have already occurred in a system.  Also, a major advantage of network-based systems is that they can run at little or no performance cost, unlike host-based systems.
    Another advantage that network-based systems have over host-based systems is that they are more portable.  One network-based system can monitor an entire network of computers, regardless of what type of machines they are.  Host-based systems, on the other hand, must be purchased and configured according to the type of machine they will be running on.  Curry states, "[network-based systems] are also easier to deploy on a wide scale, because they do not have to run on dozens of different platforms" [7].  An appealing feature of network sensors is that they are generally invisible to network traffic, making their detection by potential attackers unlikely, or at least difficult.
    One weakness of network-based systems is that it is possible to flood the sensors with packets until they reach a point where they start to drop packets.  This is becoming more of a concern as bandwidth across networks increases; sensors must be able to continue functioning effectively even in the face of sharp increases in packet throughput.  A related concern is the frequency of false positives (and false negatives) that a network-based system encounters.  Such systems can be configured to set off alarms when a certain amount of activity is seen (for example,  3 or more port scans over the course of an hour).  The issue is raised then of where to set the limit.  False negatives can happen if an intruder is able to infrequently (and quietly) attack the system without setting off any alarms because his or her activity falls below the limit.  A false positive can occur if the system flags some behavior as an intrusive event though it's not.
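The "3 or more port scans over the course of an hour" rule above, as an added example that is not part of the original paper: a per-source sliding-window counter over a constructed event log.  The event tuples, addresses and the one-alarm-per-burst reset are all assumptions made for the example; the stealthy second source shows the false negative the text describes.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp in seconds, source address, event type).
# 10.0.0.5 scans three times in five minutes; 10.0.0.9 scans once every 40
# minutes, so it never has three scans inside any single hour.
SAMPLE_EVENTS = [
    (0,    "10.0.0.5", "portscan"),
    (120,  "10.0.0.5", "portscan"),
    (300,  "10.0.0.5", "portscan"),   # third scan within an hour -> alarm
    (0,    "10.0.0.9", "portscan"),
    (2400, "10.0.0.9", "portscan"),
    (4800, "10.0.0.9", "portscan"),   # at most two per trailing hour -> silent
    (7200, "10.0.0.9", "portscan"),
]

def count_threshold_alarms(events, limit=3, window=3600, event_type="portscan"):
    """Raise an alarm whenever one source has at least `limit` events of
    `event_type` inside a trailing window of `window` seconds.

    Returns a list of (timestamp, source) pairs, one per alarm.  Events are
    processed in time order; each source keeps only the timestamps that still
    fall inside the window, so memory per source is bounded by `limit`."""
    recent = defaultdict(deque)
    alarms = []
    for ts, src, kind in sorted(events):
        if kind != event_type:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # expire timestamps older than the window
            q.popleft()
        if len(q) >= limit:
            alarms.append((ts, src))
            q.clear()                      # one alarm per burst, then start counting again
    return alarms
```

Lowering the limit or widening the window catches the slow scanner, at the price of more alarms on every other source.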
    Another point that may need to be addressed in the future is that network-based systems might be limited by the topology of the network they are monitoring.  A specific example is that of switched networks: even though a sensor may be in promiscuous mode, it will only see traffic on sections of the network dedicated to a specific host.  As switched networks gain in popularity, NIDS developers will need to find new ways to view traffic on all portions of the network.
    Another limitation of network-based systems is that due to the sheer volume of information they process, storage of collected information may be limited by the size of their associated buffers.   This results in a need to cut down on the size of the information stored; for example, in order to store the most information in a given amount of space, a system manager may have to decide which portions of a packet are the most important to save.
     Any intrusion detection system should be chosen based on the specific needs of the computer network it is meant to protect.  However, network-based systems appear to have distinct advantages over host-based systems.   This is especially apparent in terms of cost of operation, portability, and real-time response.

3.3  Misuse Detection Models

Misuse and anomaly detection models differ in the types of analysis they perform on the information they have gathered.  The information they analyze can come from host sources, network sources, or both.  Misuse detection systems search the data for cases of misuse, which they recognize by comparing behavior patterns against those of known attacks.  These systems of detection are limited to types of behavior that are known to be intrusive, and therefore they cannot detect unknown attacks.  Anomaly detection systems, on the other hand, are capable of recognizing both known and unknown attack patterns.  Anomaly detection systems search for cases of anomalous behavior.  They do so by comparing behavior patterns to profiles of normal behavior, and flagging any behavior that falls too far outside the normal range.  Such a system relies on the assumption that any intrusive behavior is necessarily anomalous.  An interesting characteristic of anomaly detection systems is that they are able to continuously learn about and update each user's behavior profile.  This can prove to be a weak point as will be described below.

    Misuse detection systems search for behavior patterns that match the patterns or signatures of known attacks.  Such systems require access to a database of known attack signatures.  The system's search engine is fed information (either from audit data or network packets) and then it compares it to the attack patterns kept in its database.  It is often the case that the search engine is looking for an entire sequence or set of events, and not just a single event.  The figure below illustrates how a typical misuse detection system works.
 
 

Figure 1:  A misuse detection system [11].



    Many techniques are available for misuse detection analysis of data, such as keystroke monitoring, expert systems, and state transition analysis.  Keystroke monitoring is the simplest of these techniques.  It involves monitoring a user's keystrokes and searching for attack patterns.  A possible weak point in this approach is the use of aliases by an intruder.  Also, keystroke monitoring would not be able to detect malicious programs that are already running [11].
    Expert systems divide misuse detection into two phases, a rule matching phase and an action phase.  An example of a system that uses this approach is the Next Generation Intrusion Detection Expert System (NIDES) developed by SRI.  In such a system, rules for pattern matching are entered into a database in "if - then" cases.  For example, if A has happened and B has happened but C has not happened, then alert system manager.  Analysis on the "if" side of the statement tests whether certain conditions have been met. The resulting action is placed on the "then" side of the statement.  Since certain conditions must be met for the statement to be true, an expert system can discard sequences of events that fail the "if" test.  This can be helpful in keeping the amount of stored data to a minimum.  On the other hand, since multiple conditions may have to be tested, large volumes of data may overload the system's capabilities [2].
    State transition analysis uses finite state models to represent intrusion patterns.  The initial state represents the point at which the attacker first starts.  The attacker then executes sequences of actions, which correspond to paths taking the attacker from one state to another.  The proper sequence of actions could result in the attacker reaching a final state (indicating an intrusion), at which point an alert is sent out.  If the attacker does not execute the correct actions, then the final state is not reached and no threat has been made to security.  This system can be very data storage intensive, because large amounts of state information may need to be saved for each user.  Like an expert system, it may not handle large amounts of data or large numbers of users well.
    To be effective, a misuse detection system must not only search for known attacks, but must also be able to recognize variations of these attacks.  At the same time, if such a system broadens its database of attacks (and variations) too widely it may start flagging normal usage patterns as misuse, and generate too many false positives [11].
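The expert-system rule "if A has happened and B has happened but C has not happened, then alert" and the state transition model from the two preceding paragraphs, as an added example that is not part of the original paper.  The A/B/C signature, the user names and the event list are constructed for the example; the state machine keeps one state per user, which is the storage cost the text points out.

```python
# Constructed signature in the abstract A/B/C form the text uses: an intrusion
# is reported when a user performs A and later B without an intervening C.
# Each state maps the actions that matter in that state to the next state;
# actions not listed leave the user's state unchanged.
SIGNATURE = {
    "start":  {"A": "seen_A"},
    "seen_A": {"B": "intrusion", "C": "start"},
}
FINAL_STATE = "intrusion"

# Constructed audit events as (user, action), in arrival order.
SAMPLE_EVENTS = [
    ("alice", "A"), ("alice", "X"), ("alice", "B"),   # A, unrelated X, then B
    ("bob",   "A"), ("bob",   "C"), ("bob",   "B"),   # C resets the path before B
    ("carol", "B"),                                   # B alone is harmless
    ("dave",  "A"),                                   # partial path: state must be kept
]

def run_state_transition(events, signature=SIGNATURE, final=FINAL_STATE):
    """Drive one state machine per user over the event stream.

    Returns (alerts, states): alerts is a list of (user, action) pairs at which
    a user reached the final state; states is the per-user state table that a
    real system must hold in memory for every active user."""
    states = {}
    alerts = []
    for user, action in events:
        current = states.get(user, "start")
        nxt = signature.get(current, {}).get(action, current)
        if nxt == final:
            alerts.append((user, action))
            nxt = "start"          # report once, then start watching again
        states[user] = nxt
    return alerts, states

def matches_rule(events, user):
    """The same signature written as an expert-system rule over a user's whole
    history: if A has happened, and B has happened after it, and no C came
    between them, then alert.  Unlike the state machine this re-reads the
    stored history on every evaluation."""
    history = [action for u, action in events if u == user]
    for i, action in enumerate(history):
        if action != "A":
            continue
        for later in history[i + 1:]:
            if later == "C":
                break              # the "but C has not happened" clause fails
            if later == "B":
                return True
    return False
```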
 

3.4  Anomaly Detection Models

Anomaly detection systems search for any behavior that does not fall within a profile of normal behavior.  They rely on the assumption that users exhibit predictable patterns of system usage, and that all intrusive behavior is therefore necessarily anomalous [11].  The figure below shows how an anomaly detection system checks profiles and looks for deviance from the norm.

Figure 2: An anomaly detection system [11].

    In order to perform comparisons against normal profiles, a database of normal usage patterns must first be built.  Usually a unique profile is built for each user, and the profile is updated whenever the user performs any actions.  At the same time, the system calculates the variance of the present profile from the original one.  If a user performs an intrusive action, its pattern will fall outside his or her normal range and a system manager can be alerted.  This model can be extended to profile the normal behavior of an entire system.
   When implementing anomaly detection systems, a major concern can be where to set the threshold for normal behavior.  In other words, how far from the normal range can a behavior pattern lie before it is flagged as anomalous?  If the threshold is set too low, then slight deviations in a user's behavior can trigger false positives.  If the threshold is high and the range of normal behavior is wide enough, a patient hacker could "train" the system to recognize his or her behavior as normal by making many minor changes over time [9].
    Statistical methods are the most common techniques used to analyze data in anomaly detection systems.  However, the fine tuning of each system can be tricky.  A system manager must decide which metrics to measure and what threshold level to set.  There is also a question of whether the system will recognize sequences of normal events that combine to make up an intrusion.  This can cause anomaly detection systems to be quite computationally expensive since profiles must constantly be stored, updated and analyzed for each user.
    A similar analytical technique is rule-based analysis.  Sequences of events are represented by rules, and behavior patterns are then checked against these rules.  Some systems also include algorithms for predicting what sequences of events are most likely to occur, and the probability of each event's occurrence.  This is the approach taken by DEC's TIM system [2].  Some advantages to such an approach are reduced amounts of data to store (since the focus is now on sequences of events and not single events) and a lower likelihood of an intruder being able to train the system to recognize his or her behavior.
    For both misuse and anomaly detection systems, some major concerns are computational cost and data storage.  Even more important, however, is the question of whether misuse or anomaly detection systems alone can identify all intrusive behavior.  Misuse detection can miss cases of unknown attacks.  Anomaly detection can miss cases of intruders slowly changing their behavior patterns.  With both systems, the rate at which false positives and false negatives are generated can also be an issue.  However, both types of systems have major advantages and analytical techniques that work in their favor.  Perhaps the best approach is to use a combination of both anomaly and misuse detection.  Lee Sutterfield, co-founder and Vice President of WheelGroup, agrees that this may be the new direction for IDS, terming the approach "signature-based anomaly detection."
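The statistical profile, threshold and "training" weakness described in this section, as an added example that is not part of the original paper.  The metric (kilobytes transferred per session), the baseline values and the exponentially weighted update rule are assumptions made for the example.

```python
import math

# Constructed baseline: one user's kilobytes transferred per session during a
# quiet training period.  These values are made up for the example.
BASELINE_KB = [100, 110, 95, 105, 100, 98, 102]

class UserProfile:
    """Profile of a single metric for one user: a mean and variance that are
    re-estimated after every accepted observation, so the profile keeps
    learning the user's behaviour (the property the text warns can be abused)."""

    def __init__(self, alpha=0.1):
        self.alpha = alpha      # learning rate: share of each new value folded in
        self.mean = 0.0
        self.var = 0.0

    def fit(self, samples):
        """Build the initial profile from a training set of normal activity."""
        n = len(samples)
        self.mean = sum(samples) / n
        self.var = sum((s - self.mean) ** 2 for s in samples) / n
        return self

    def deviation(self, x):
        """Distance of x from the profile, in standard deviations."""
        sd = math.sqrt(self.var)
        if sd == 0.0:
            return 0.0 if x == self.mean else float("inf")
        return abs(x - self.mean) / sd

    def observe(self, x, threshold):
        """Return True if x is anomalous under `threshold` (in standard deviations).
        Values judged normal are folded into the profile; flagged ones are not."""
        if self.deviation(x) > threshold:
            return True
        diff = x - self.mean
        self.mean += self.alpha * diff
        # exponentially weighted variance update, consistent with the mean above
        self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        return False

def false_positive_demo(threshold):
    """A modest session (108 KB, about 1.5 sd above the mean) is flagged only
    when the threshold is set too tight."""
    return UserProfile().fit(BASELINE_KB).observe(108, threshold)

def jump_demo(threshold):
    """An abrupt jump to 300 KB is caught at any sensible threshold."""
    return UserProfile().fit(BASELINE_KB).observe(300, threshold)

def slow_drift_demo(threshold, step=2.0, rounds=100):
    """The patient intruder: raise the metric by `step` KB per session, staying
    under the threshold each time, until the profile itself has moved.
    Returns (number of alerts raised, final profile mean)."""
    profile = UserProfile().fit(BASELINE_KB)
    alerts = 0
    x = profile.mean
    for _ in range(rounds):
        x += step
        if profile.observe(x, threshold):
            alerts += 1
    return alerts, profile.mean
```

With the drift the profile mean ends well above the original baseline without a single alert, so a volume that would have been flagged on day one is now considered normal.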
 

4.  Examples of Network Intrusion Detection Systems

Network Flight Recorder (NFR) and NetRanger are both examples of Unix-based network intrusion detection systems.  NFR, developed in the mid-1990s by Network Flight Recorder Inc., uses an interpreted language known as "n-code" to analyze and filter network packets.  NetRanger is a robust IDS that gathers and analyzes data from network sensors and audit trails.  Both systems perform misuse detection analysis.  NFR's source code is freely available to the public [5].
 

4.1  Network Flight Recorder

Network Flight Recorder is a network intrusion detection system that analyzes IP packets as they travel across the network and applies filters to them to recognize network attacks.  NFR packet filters are written in n-code, a powerful interpreted language that can be used to script attack signatures.
    Performance does not suffer too much because the n-code filters are compiled and stored as byte-code instructions.   Filters are bound to incoming packets, and then information from the packet is collected and analyzed [2].  When an attack has been detected, an appropriate alert is sent out.  Both NFR and NetRanger can be configured by the system manager to some extent to customize what attacks are important to look for.
    NFR supports packet reassembly by implementing a stack table, which is a structure used to keep track of the state of an entire network session.  In this way, attack signatures can be matched against information from any point in the network session's lifetime [2].  This is a powerful deterrent against attacks that split up strings between different network packets in the hopes of avoiding detection.
    While some companies have been pleased with NFR's robust performance and implementation of n-code, many are disappointed in its relatively small signature database [3, 8].  Vincent Maes of Information Security Magazine writes, "We thought the best part of this appliance was its robust scripting language or n-code. This might be the reason the product lacked in pre-built attack signatures."
    NFR is a powerful tool for misuse detection, mainly because of the performance and implementation of n-code packet filters.  Another advantage it has is the fact that it can be used in conjunction with anomaly detection systems to further improve its performance.
 

4.2  NetRanger

Described as robust and complex by Information Security Magazine [3], NetRanger is a network intrusion detection system that examines information from both host and network sources.  It has two main components, a sensor and a director, and they communicate via a third component, a post office.
    The sensor is a network tool that uses rule-based techniques to analyze and compress the network traffic into distinct security events, which it then sends to a director.  It analyzes both syslogd data and actual network packets in real time.  The sensor is also capable of logging security data, cutting TCP sessions when necessary, and dynamically managing a router's access control lists to prevent an intruder from entering [4].
    NetRanger uses a misuse detection model to search for patterns of intrusion attempts.  It examines either the data portion or the header portion of network packets.  An excellent feature of NetRanger that is not often found in other NIDS is that it supports packet reassembly; thus attack strings that are fragmented between multiple packets can still be detected [6].
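The packet reassembly that both NFR (its stack table, section 4.1) and NetRanger (above) use to catch attack strings fragmented across packets, as an added example that is not part of either product or the original paper.  The signature string, the flow tuple and the segments are constructed; a naive per-packet matcher is shown beside a per-session reassembling matcher.

```python
# Constructed signature string: a placeholder standing in for a real attack
# pattern, not taken from any product's database.
SIGNATURE = b"BADCOMMAND"

# Constructed TCP session as (flow, seq, payload).  The signature is split
# across segments 2 and 3, and segment 3 arrives on the wire before segment 2.
FLOW = ("10.0.0.7", 40000, "10.0.0.1", 25)
SPLIT_SESSION = [
    (FLOW, 1,  b"USER guest\r\n"),        # 12 bytes, seq 1..12
    (FLOW, 24, b"MAND now\r\n"),          # 10 bytes, seq 24..33, arrives early
    (FLOW, 13, b"DATA BADCOM"),           # 11 bytes, seq 13..23, arrives late
]
# The same data with the signature contained in a single segment.
WHOLE_SESSION = [(FLOW, 1, b"USER guest\r\nDATA BADCOMMAND now\r\n")]

def per_packet_matches(segments, signature=SIGNATURE):
    """Naive matcher: looks at each packet on its own.  Returns the sequence
    numbers of the segments that contain the signature."""
    return [seq for _, seq, payload in segments if signature in payload]

class SessionTable:
    """Per-session reassembly state, in the spirit of the stack table described
    for NFR: segments are queued until they are contiguous, then appended to
    the session's byte stream.  For simplicity the first segment seen for a
    flow is treated as the start of the stream (a real system takes the
    initial sequence number from the handshake)."""

    def __init__(self):
        self.sessions = {}

    def add(self, flow, seq, payload):
        """Record one segment and return the flow's reassembled stream so far."""
        s = self.sessions.setdefault(
            flow, {"next_seq": seq, "stream": bytearray(), "pending": {}})
        s["pending"][seq] = payload
        # drain every queued segment that now lines up with the end of the stream
        while s["next_seq"] in s["pending"]:
            data = s["pending"].pop(s["next_seq"])
            s["stream"] += data
            s["next_seq"] += len(data)
        return bytes(s["stream"])

def stream_matches(segments, signature=SIGNATURE):
    """Reassembling matcher: returns the set of flows whose reassembled stream
    contains the signature, however it was fragmented or reordered."""
    table = SessionTable()
    hits = set()
    for flow, seq, payload in segments:
        if signature in table.add(flow, seq, payload):
            hits.add(flow)
    return hits
```

The per-session buffers are exactly the state the text says must be kept for the lifetime of a session, which is why sensors under heavy load run into buffer limits.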
    The director is a tool responsible for monitoring and managing sensors, and it can send alerts (by beeper, email, or GUI display) to system managers when necessary.  It also provides a centralized graphical interface.
     The post office provides the communication protocol that allows NetRanger services and hosts to communicate with each other.  One of the advantages that this protocol offers is that it can switch between alternate routes to maintain point-to-point connections if it needs to.  These three components are represented in figure 3 below.
 
 

Figure 3: Interaction between NetRanger components [4].




    After it detects an attack, NetRanger can respond in a variety of ways.  It can create a log file of the IP session to record important information. It can also set off an alarm or alert a system manager.  The NetRanger sensors also have the ability to reset TCP connections if an attack has been detected, or shun the attack altogether by denying service to the attacker.
    Network Computing compared several NIDS and found the performance of NetRanger to be very satisfactory.
 

    NetRanger delivered. It was the only product to fully recover from the ICMP (Internet Control Message Protocol) redirect storms with which we punished our lab networks. Using winfreeze, a recent denial of service (DoS) attack circulating in the community of the mischievous, we dumped approximately 10 million ICMP redirect requests onto the wire from a remote host. The ensuing chaos slowed most platforms to a crawl, and crashed several of our NT servers.
    While the bombardment continued, we tried to sneak connection scans past the IDSes in an effort to perform basic network reconnaissance . . . NetRanger complained bitterly by sending multiple alerts to the console, and several daemons on the sensor reported failure. Then the services restarted, continued to process packets, and NetRanger caught our scans. In comparison, ID-Trak (running on NT) was neutralized by the attack, and NFR and RealSecure just sat there and took it--sort of. Neither complained about the millions of packets screaming down the wire, yet they were both sluggish.
                                                         - Network Computing


5.  Conclusion and Future Work

While network-based and host-based detection systems both have their advantages, even greater protection can be gained by fusing the two methods and utilizing both approaches in an effective manner.  The same can be said for the approach of anomaly detection versus misuse detection.  No matter the approach, to build a reliable, dependable intrusion detection system, designers must approach the task from an attacker's perspective.
    IDS can provide excellent protection for networked systems, but some believe that more and more often, IDS are being deployed as a last resort in environments with no real security; an analogy would be buying a burglar alarm for a house with no locks [9].  Another concern that may need to be addressed in the future is the issue of privacy.  Not all users would be content with the notion that their packets are constantly under scrutiny or that their behavior is being profiled and recorded.

    Future IDS will need to address the issue of higher data throughput and constantly evolving attack patterns.  While combining misuse and anomaly detection may prove to be helpful, other methods may soon be needed.  A related concern is that with increased analysis of data often comes decreased performance.  Optimizing performance may prove to be of great importance to future IDS competing in the market.

References

(1)  Amoroso, Edward.  Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, and Response.  Intrusion.Net Books, 1999.

(2)  Bace, Rebecca G.  Intrusion Detection.  Macmillan Technical Publishing, 2000.

(3)  Maes, Vincent.  "How I Chose an IDS."  ICSA Information Security Magazine.  September 1999.  http://www.infosecuritymag.com/sept99/first_person.htm.

(4)  "NetRanger 2.2.2 User Guide."  Cisco Systems Inc. http://www.cisco.com/univercd/cc/td/doc/product/iaabu/netrangr/nr221/nr221ug/index.htm

(5)  Network Flight Recorder Inc. www.nfr.net.

(6)  Northcutt, Stephen.  Network Intrusion Detection: An Analyst's Handbook.  New Riders Publishing, 1999.

(7)  Power, Richard.  "CSI Roundtable: Experts discuss present and future intrusion detection systems."  Computer Security Journal vol. XIV, #1. http://www.gocsi.com/roundtable.htm

(8)  Shipley, Greg.  "ISS RealSecure Pushes Past Newer IDS Players."  Network Computing, May 17, 1999.  http://www.networkcomputing.com/1010/1010r14.html

(9)  Song, Dug.  "Intrusion Detection 101". UM ACM Computer Security Seminar Series, September 1999.  http://www.monkey.org/~dugsong/talks/ids/

(10)  Stallings, William.  Cryptography and Network Security:  Principles and Practice.  Prentice Hall, 1998.

(11)  Sundaram, Aurobindo.  "An Introduction to Intrusion Detection."  ACM Crossroads, Issue 2.4, April 1996.  http://www.acm.org/crossroads/xrds2-4/intrus.html