Nowadays there is a very urgent problem of network attacks by hackers around the world to confidential information of a user as well as of an entire organization.
The main goal of an intruder is to penetrate inside a particular organization system to get confidential information or cause harm. For example, June 29th and 30th, 1999 a juvenile hacker Jonathan James, known as a «c0mrade», hacked into a well-protected server of the USA Government in Alabama with a simple Pentium PC. C0mrade stole several files, one of which was the source code of NASA international space station [3].
To carry out their attacks, hackers tend to set the system to the local switch-boards or use a security hole, and then install all the necessary software to sniff and penetrate with the servers of hacked organizations.
The experts from around the world have been studying this issue for more than a quarter of a century. Developers and advisors explore the signs of attacks, develop and put into operation methods and security tools to detect the system trespassing, both at a logical and physical level. The specialists use such notions as perimeter protection, fixed-site and dynamic protection and sewn dynamic, proactive security tools.
At present the intrusion detection systems are software or hardware-software solutions that computerize the entire control process in computer system or in network. They analyze events to find out the security problem indicators. Due to this, the number of unauthorized entries has recently increased significantly. Intrusion Detection Systems (IDS) became a necessary component of the security infrastructure of all large organizations [1].
The up-to-date intrusion detection systems have different architecture. The special attention should be given to IDS classification, developers and advisors decide which software to use in a given situation. Currently, you can divide all systems into: network and local. Network systems are erected on computers appropriate for this purpose and they analyze the local area network traffic. The local IDS have been already installed on individual computers that need to be protected and analyze various events, such as user actions or program calls.
Today we know a large number of different types of classifications. Unfortunately, some of the existing classifications are not very applicable, but they are actively used to select IDS and for further operation.
It should be noted that network attacks are divided into several types:
- Remote entry — a type of attack that allows realizing a remote control of your computer over a network, e.g. NetBus or BackOrifice attacks;
- Local penetration — a type of attack that results in an unauthorized access to the host where they are sent, e.g. GetAdmin attack;
- Network scanner attacks — a type of attack based on the use of network scanners — programs that analyze the network topology and discover the services available for attacks, e.g. nmap applet attack.
There are many types of network IDS. But it is not possible to study all these types in one work. Paying attention to everything that was aforementioned, all intrusion detection systems can be divided into systems oriented to search for:
- interaction anomalies of controlled objects;
- signatures of all recognized attacks;
- reference core information tampering.
It should be noted that today there are practically no hybrid systems and systems that used the information distributed in time and space. During this work we came to conclusion that from the vast majority of modern systems only the signature method of attack recognition or anomaly search in the supervised network are used [2].
Now we will talk about the real shortcomings of existing systems. The greatest mistake of computer attack detection is a primitiveness of a simple signature search, a low efficiency in detection of advanced attacks, a lack of data integration at the host and network level to detect interleaving attacks and unauthorized entries.
Among the operating shortcomings of modern IDS we can reveal a large number of calculation operations to divide events into “friend or foe” and the inability to process all incoming information in real time with an ordinary PC. It is worth saying that the processing rate of event network traffic is often slower than the real time. The time lag is usually 1.5–2 times bigger. Some analysis systems work in a deferred mode. This means that the attack on protected data and computing resources will not be noticed in time and certainly will not be met by the available means of protection, which will lead to the system failure or a loss of confidential information. In this mode, IDS is best used as a means of attack phases logging and a subsequent criminalistics examination. In all other cases it is unacceptable.
Currently, many up-to-date IDS are not originally designed portable, that is, their code is not portable to different operating systems and spur-of-the-moment hardware computing platforms. The majority of Western products and almost all domestic IDS cannot operate on several operating systems. Considering the fact that IDS does not take advantage of the development and code optimization for selected operating systems and hardware platforms, we can say that this is probably its most important drawback. Also, any software or hardware-software system is not equipped with a hot-swapping mode, allowing putting into operation a hot backup complex and restoring the destroyed defensive network perimeter.
Nowadays modern intrusion and attack detection systems are far from being ergonomic and efficient in terms of security solutions. The efficiency improvement should be introduced not only in the malicious action detection in the infrastructure of protected data objects, but even in terms of the daily «battle» operation of these tools, as well as the cost of computing and information resources of the security system owner.
Of course, if we talk only about the data processing units, perhaps each attack signature in the present scheme of attack information processing is a basic element to recognize a common action — to recognize the attack phase. Each attack is divided into a set of steps of its realization. The simpler the attack is, the easier it is to detect and the more opportunities there are to analyze it. Each signature shows a specific event in a computer network and the local framework in the phase space of cyber-attacks. These phases can be determined simply, but it is better to keep a sufficient detail level to be able to describe attacks with detailed attack scenarios (list of attack phases and transitions between them).
Advantages of an integrated approach are obvious — in case of separate processing of different attack steps it is possible to recognize the threat in the course of its gathering and delivering rather than at the stage of operation as it is done in existing systems.
- An intermediate level extracts information from the lower level and aggregates it with finite state automatons (attack scripts), statistical analysis and threshold filtration mechanisms;
- The highest level aggregates information from two previous levels and allows identifying common and distributed attacks, their real source and predicting its further behavior on the basis of mining.
The core of computer attack detection system should be clearly separated from the visual and signaling system. We use methods that form a list of options (passport), which check incoming network packets, to search for signatures in network packets. The existing systems (e.g., Snort or PreludeIDS, which uses Snort methods) use the string mode of these methods description:
alert tcp $HOME_NET 1024:65535 ->
$EXTERNAL_NET 1024:65535
(msg:"BLEEDING-EDGE TROJAN Trojan.Win32.Qhost C&C Traffic Outbound (case1)";
flow:established;
dsize:>1000;
content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|";
classtype:trojan-activity;
reference: url,/www.viruslist.com/en/viruses/ encyclopedia?virusid=142254;
sid:2007578;
rev:1;
)
This form is more convenient for quick machine-aided processing, but less suitable for humans. In addition, it lacks the ability to extend the functionality, which is incorporated in such XML-like signature database embedding. For example, a simple «parenthetic» pattern allows you to record a control variable set and to describe the methods in a much more enjoyable and understandable visual form, retaining the ability to extend the functionality. Thus, the determination of attack phases, protected objects and events in the network might look as follows:
type_defs {
alert = 1;
warning = 2;
fail = 4;
}
srcdst_defs {
HOME_NET = 195.208.245.212
localhost = 127.0.0.1
}
proto_defs {
tcp = 1;
udp = 2;
tcp-flow = 10;
}
phase_defs {
port_scanning = 1;
exploiting = 2;
icmp_sweeping = 3;
ftp_bouncing = 4;
shell_using = 5;
dir_listing = 6;
file_opening = 7;
}
Both classic event signs (an event type, a checking protocol, a source effect and a working object, a short message) and accessory signs (an attack phase, a threat type, which refers to the event appearance. Moreover, these methods may be grouped into sets that are suitable for binding them with discerned network and local services in protected system. [4]
If we go back to check the method effectiveness in the intrusion detection systems, we should note the following fact. Now, all methods in IDS are tested as follows. The checking of heterogeneous methods is done separately, method after method, and the homogeneous operations on packages are carried out separately all the time. This approach does not allow to parallelize the network packet manipulating effectively, to take full advantage of multiple pipelines in modern processors and to optimize the search for partly similar signature methods. However, it is worth noting that there is a disadvantage of approach when, for example, the patterns are connected to each other. Nevertheless, there is a small number of such methods and that allows to spin it off into a separate class as a filter rule, but of parallelized methods and to use any simple sequential check methods in them.
In conclusion, we would like to summarize that the modern approach to the building of network intrusion detection systems and cyber-attack sign finding on information systems is full of gaps and security vulnerabilities that allow malicious attacks to overcome successfully the information security systems of almost all organizations. The transition from attack signature search to the steps of information security threats should help to ensure the radical situation change, reducing the development gap of secure systems. This transition should enhance the effectiveness of information security control, and finally, more specific examples of requirements document and regulatory guide application that have already become standard.
References:
1. Network solutions A-Z [Electronic course]/ Computer-based threat detection systems — Electronic Data. — URL: http://www.nestor.minsk.by/sr/2008/05/sr80513.html#2, (access date: 31.04.2014);
2. Internet technologies.ru [Electronic course]/Network attack classification — Electronic data. — URL:http://www.internet-technologies.ru/articles/article_237.html, (access date: 03.05.2014);
3. IT — sector [Electronic course]/Hackers’ methods — Electronic data. — URL: http://it-sektor.ru/metody-xakerov.html, (access date: 03.05.2014);
4. Attack detection systems [Electronic resource]/ Internet — GPU solutions «Data security» — Electronic data. — URL: http://doc.marsu.ru/sec/pub/p01.html, (access date: 03.05.2014)
