Intrusion Detection System(IDS)

IDS- UNIT 1

Introduction to Intrusion Detection System,its Characteristics, architecture of an IDS

Intrusion can be defined as any kind of unauthorized activities that cause damage to an information
system. This means any attack that could pose a possible threat to the information confidentiality,
integrity or availability will be considered an intrusion. For example, activities that would make the
computer services unresponsive to legitimate users are considered an intrusion. An IDS is a
software or hardware system that identifies malicious actions on computer systems in order to allow
for system security to be maintained (Liao et al., 2013a). The goal of an IDS is to identify different
kinds of malicious network traffic and computer usage, which cannot be identified by a traditional
firewall. This is vital to achieving high protection against actions that compromise the availability,
integrity, or confidentiality of computer systems.
An Intrusion Detection System is used to detect all types of malicious network traffic and computer
usage that can't be detected by a conventional firewall. This includes network attacks against
vulnerable services, data driven attacks on applications, host based attacks such as privilege
escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses,
and worms).
 Defined as the tools, methods, and resources to help identify, assess, and report unauthorized or
unapproved network activity.
 An IDS detects activity in traffic that may or may not be an intrusion.
 IDSes can detect and deal with insider attacks, as well as, external attacks, and are often very useful
in detecting violations of corporate security policy and other internal threats.

An intrusion detection system should address the following issues, regardless of what mechanism it is
based on:

 It must run continually without human supervision. The system must be reliable enough to
allow it to run in the background of the system being observed. However, it should not be a
"black box". That is, its internal workings should be examinable from outside.
 It must be fault tolerant in the sense that it must survive a system crash and not have its
knowledge-base rebuilt at restart.
 On a similar note to above, it must resist subversion. The system can monitor itself to ensure
that it has not been subverted.
 It must impose minimal overhead on the system. A system that slows a computer to a crawl will
simply not be used.
 It must observe deviations from normal behavior.
 It must be easily tailored to the system in question. Every system has a different usage pattern,
and the defense mechanism should adapt easily to these patterns.

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 1

 Intrusion Detection System(IDS)

 It must cope with changing system behavior over time as new applications are being added. The
system profile will change over time, and the IDS must be able to adapt.
 Finally, it must be difficult to fool.

Characteristics of Intrusion Detection Systems A number of desired characteristics for intrusion

detection systems (IDSs) have been identified, as follows:

• Prediction performance. In intrusion detection, simple performance measure such as prediction

accuracy is not adequate. For example, the network intrusions typically represent a very small
percentage (e.g. 1%) of the entire network traffic, and a trivial IDS that labels all network traffic as
normal, can achieve 99% accuracy. In order to have good prediction performance, an IDS needs to
satisfy two criteria:

(i) it must be able to correctly identify intrusions

(ii) it must not identify legitimate action in a system environment as an intrusion.

Typical measures for evaluating predictive performance of IDSs include detection rate and false alarm
rate (Table). Detection rate is defined as the ratio of the number of correctly detected attacks and the
total number of attacks, while the false alarm (false positive) rate is the ratio of the number of normal
connections that are incorrectly misclassified as attacks and the total number of normal connections. In
practice, it is very difficult to evaluate these two measures, since it is usually infeasible to have global
knowledge of all attacks. Since detection rate and false alarm rate are often in contrast, evaluation of
IDSs is also performed using ROC (Receiver Operating Characteristics) analysis . ROC curve
represents a trade-off between detection rate and false alarm rate as illustrated in Figure. The closer the
ROC is to the left upper corner of the graph (point that corresponds to 0% false alarm and 100%
detection rate), the more effective the IDS is.

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 2

 Intrusion Detection System(IDS)

 Time Performance. The time performance of an intrusion-detection system corresponds to the

total time that the IDS needs to detect an intrusion. This time includes the processing time and
the propagation time. The processing time depends upon the processing speed of the IDS, which
is the rate at which the IDS processes audit events. If this rate is not sufficiently high, then the
real time processing of security events may not be feasible. The propagation time is the time
needed for processed information to propagate to the security analyst. Both times need to be as
short as possible in order to allow the security analyst sufficient time to react to an attack before
much damage has been done, as well as to stop an attacker from modifying audit information or
altering the IDS itself.
• Fault tolerance. An IDS should itself be dependable, robust and resistant to attacks, and
should be able to recover quickly from successful attacks and to continue providing a secure
service. This is especially true in the case of very large distributed DoS attacks, buffer overflow
attacks and various deliberate attacks that can shut down the computer system and thus IDS too.
This characteristic is very important for the proper functioning of IDSs, since most commercial
IDSs run on operating systems and networks that are vulnerable to different types of attacks. In
addition, IDS should also be resistant to scenarios when an adversary can cause the IDS to
generate a large number of false or misleading alarms. Such alarms may easily have a negative
impact on the availability of the system, and the IDS should be able to quickly overcome these
obstacles.

Architecture of an IDS:

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 3

 Intrusion Detection System(IDS)

Although these systems are extremely diverse in the techniques they employ to gather and analyze data,
most of them rely on a relatively general architectural framework , which consists of the following
components:

– Data gathering device (sensor) is responsible for collecting data from the monitored system.

– Detector (Intrusion Detection (ID) analysis engine) processes the data collected from sensors to
identify intrusive activities.

– Knowledge base (database) contains information collected by the sensors, but in preprocessed format
(e.g. knowledge base of attacks and their signatures, filtered data, data profiles, etc.). This information
is usually provided by network and security experts.

– Configuration device provides information about the current state of the intrusion detection system
(IDS).

– Response component initiates actions when an intrusion is detected. These responses can either be
automated (active) or involve human interaction (inactive).

Compare IDS and IPS (Difference Between IDS & IPS)

IDS and IPS are originally developed for addressing requirements of lacking in most firewalls. IDS are
basically used to detecting the threats or intrusions in network segment. But IPS is focused on
identifying those threats or intrusions for blocking or dropping their activities. The IDS and IPS are list
of similar functions like packet inspection, stateful analysis, TCP segment reassembly, deep packet
inspection, protocol validation, and signature matching. The best example of security gate in term of
difference of IDS and IPS is, An IDS works like a patrol car within the border, monitoring activities

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 4

 Intrusion Detection System(IDS)

and looking for abnormal situations. But an IPS operates like a security guard at the gate of allowing
and denying access based on credentials and some predefined rule set, or policy. No matter how strong
the security at the gate is, the patrols continue to operate in a system that provides its own checks.

IDS:

The IDS is software or an appliance that detects a threat, unauthorized or malicious network traffic.
IDS has their own predefined rule sets, through that it can inspect the configuration of endpoints to
determine whether they may be susceptible to attack (this is known as host-based IDS), and also it can
record activities across a network and compare it to known attacks or attack patterns (this is called
network-based IDS). The purpose of intrusion detection is to provide monitoring, auditing, forensics,
and reporting of network malicious activities.

 Preventing network attacks

 Identifying the intruders
 Preserving logs in case the incident leads to criminal prosecution

IPS:

The IPS are not only detect the bad packets caused by malicious codes, botnets, viruses and targeted
attacks, but also it can take action to prevent those network activity from causing damage on network.
The attacker’s main motive is to take sensitive data or intellectual property, through that they interested
4 in whatever they can get from customer data like employee information, financial records etc. The
IPS is specified to provide protection for assets, resources, data, and networks.

 IPS stops the attack itself

 IPS changes the security environment

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 5

 Intrusion Detection System(IDS)

Taxonomy of Intrusion Detection System

Several classifications of intrusion detection methods have been proposed in the past but there is
still no universally accepted taxonomy. We use five criteria to classify IDSs, as summarized in
Figure

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 6

 Intrusion Detection System(IDS)

The first criterion is information (data) source, which distinguishes IDSs based on the system that is
monitored, i.e. source of input information. The source information can be
(i) audit trails (e.g. system logs) on a host,
(ii) network connections/packets,
(iii) application logs,
(iv) wireless network traffic or
(v) intrusion-detection and/or sensor alerts produced by other intrusion-detection systems.

The analysis strategy describes the characteristics of the detector. When the IDS looks for events or
sets of events that match a predefined pattern of a known attack, this analysis strategy is called
misuse detection. When the IDS identifies intrusions as unusual behavior that differs from the
normal behavior of the monitored system, this analysis strategy is called anomaly detection.

Time aspects are used to categorize the IDSs into on-line IDSs that detect intrusions in real time and
off-line IDSs that usually first store the monitored data and then analyze it in batch mode for signs
of intrusion.

The architecture of IDSs is used to differentiate between centralized IDSs that analyze the data
collected only from a single monitored system and distributed IDSs that collect information from
multiple monitored systems in order to investigate global, distributed and coordinated attacks.

Detection response describes the reaction of the IDS to an attack (intrusion). If the IDS reacts to the
attack by taking corrective action (e.g. closing holes) or pro-active action (e.g. logging out possible
attackers, closing down services), the response is called active. If the IDS only generates alarms
(including paging security analysts) and does not take any actions, the response is called passive.

State of threats against computers, and networked systems.(or various types of threats on
Computer/network security)

Threat is a potential risk that exploits a vulnerability to infringe security and cause probable
damage/disruption to the information/service stored/offered in/by computer systems or through
communication links. A threat to a computer systems occurs when the confidentiality (preventing
exposure to unauthorized parties), integrity (not modified without authorization), and availability
(readily available on demand by authorized parties) of information on systems are affected. Thus, a
computer system threat in general can include anything deliberate, unintended, or caused by natural
calamity that effects in data loss/manipulation or physical destruction of hardware. Accordingly, the
threats on computer system are classified as physical threats and nonphysical threats. Physical
threats cause impairment to hardware or theft to system or hard disk that holds critical data.
Nonphysical threats target the data and the software on the computer systems by corrupting the data
or by exploiting the errors in the software. The computer security threats are defined as probable
attacks from hackers that let them to gain illicit entree to a computer.

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 7

 Intrusion Detection System(IDS)

There are various steps involved in the attacking scenario, and these steps are briefly listed here:

Step 1: spoofing
Before initiating any of the attacking steps, the hackers normally prefer to hide their identity and
their activities. These are normally done by spoofing when the attacker hides his identity and
pretends to be someone else. This can be done by MAC cloning, IP spoofing, or email spoofing.

Step 2: reconnaissance
It is always a good practice to plan well before undertaking any action, and this is applicable in the
case of hacking too. The hackers first identifies a target to launch an attack, extract maximum
information regarding this target, understand its vulnerabilities, and then only explore the best ways
to exploit it.

Step 3: weaponization
The hacker with the information collected in the previous phase identifies/develops weapons in
order to get into the computer or the network. During this phase, the hacker collects the tools that
they plan to use once they gain access to the system for the successful exploitation of the
vulnerabilities in the system.

Step 4: implementation
In the implementation phase, the attack starts working. It is when the phishing e-mails are sent or
when the fake web pages are posted to the Internet and the attacker patiently waits for all the data
they need to start rolling in.

Step 5: exploitation
This is a state when the sensitive and confidential data starts rolling in. It is the most exciting phase
for the hackers, and they try out the usernames and passwords against web-based e-mail systems or
secured connections to sensitive networks.

Step 6: installation
After a successful exploitation, the attacker will make sure to have continued access to the system.
This is by installing a persistent backdoor or creating admin accounts on the system, disabling
firewall rules, and perhaps even activating remote desktop access on computer systems on the
network.

Step 7: control
Once the attacker gains access to the network or creates administrator accounts or installs all the
necessary tools for backdoor entry any time to the system, the attacker is in control of the target.

Step 8: action on set goals

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 8

 Intrusion Detection System(IDS)

With total control on the target system, the attacker can set goals and achieve it with or without the
knowledge of the genuine user.
The exploits when successful result in security attacks on computer systems. Hence, threat is a
possible danger caused by system vulnerability, while attack is the attempt of unauthorized action
or a harmful action. The realization of a threat is usually detrimental and is termed an attack.

Computer threats:
Spoofing
Spoofing is when someone hides their identity to evade detection for their wrong acts and pretends
to be someone else in an attempt to gain trust and get sensitive system information. The common
spoofing done by changing the hardware or MAC address is called MAC cloning, changing the IP
address or the unique identity on the network is called IP spoofing, and impersonating as someone
else in their digital communication is called email spoofing.

Information-gathering attacks
Information gathering is the practice of attacker gaining priceless details about probable targets.
This is not an attack but only a pre-phase of an attack and is totally passive as there is no explicit
attack. Systems including computers, servers, and network infrastructure, including communication
links and inter networking devices, are sniffed, scanned, and probed for information like whether
the target system is up and running, what all ports are open, details regarding the operating system
and its version, etc. Some of the information-gathering attacks are sniffing, mapping, vulnerability
scanning, phishing, etc.

Password attacks
The simplest way to achieve control of a system, or any user account, is through a password attack.
If the personal and behavioral details of the victim are known, the attacker starts with guessing
password. Frequently, the attacker uses some form of social engineering to trace and find the
password. Dictionary attack is the next step in password attacks and is automated.

Malware
After gaining access to a system, the attacker takes the support of malware or malicious software
that clandestinely acts against the interests of the computer user.

Virus
Computer viruses are the most communal threat to the computer users. Computer viruses are
malicious software designed to blow out from one computer to another through file transfer,
piggybacks on genuine programs and OS, or e-mails. The email attachments or downloads from
particular websites contaminate the computer and also other computers on its list of contacts by
using the communication network. Viruses influence the system security by changing the settings,
accessing confidential data, displaying unwanted advertisements, sending spam to contacts, and

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 9

 Intrusion Detection System(IDS)

taking control of the web browser. The viruses are identified as executable viruses, boot sector
viruses, or e-mail viruses.

Worms
Computer worms are fragments of malicious software that reproduce swiftly and blow out from one
computer to another through its contacts, again spreading to the contacts of these other computers
and so on and reaching out to a large number of systems in no time. Captivatingly, worms are
prepared for spreading by exploiting software vulnerabilities. Worms display unwanted
advertisements. It uses up tremendous CPU time and network bandwidth in this process thereby
denying access to the systems or network of the victim, creating chaos and trust issues on a
communication network.

Trojans
Trojans are programs that appear as perfectly genuine but, in reality, have a malicious part
embedded in it. Trojans are spread usually through email attachment from the trustworthy contacts
and also on clicking on fake advertisements. The payload of Trojans is an executable file that will
install a server program on the victim’s system by opening a port and always listening to that port
whereas the server is run on the attacker’s system. Hence, whenever the attacker wants to login to
the victim machine, they can do so by means of the backdoor entry making it hidden from the user.

Spyware and adware

Spyware and adware are software with a common property of collecting personal information of
users without their knowledge. Adware is intended to track data of the user’s surfing behaviors,
and, based on that, pop-ups and advertisements are displayed. The adware clause in the agreement
during the installation process is often skipped with least seriousness. Spyware on the other hand
gets installed on a computer and gathers information about the user’s online activities without their
knowledge. Spyware contains keyloggers that record everything typed on the keyboard, making it
unsafe due to the high threat of identity mugging.

Scareware
Scareware is yet another malware that tricks victims by displaying fake alerts and forcing the victim
to buy protective software that is fraudulent. The alerts or the pop-up messages sound like warning
messages along with proper protective measures, which if followed creates security issues.

Rootkit
Rootkit is a pool of software tools that gets mounted in stealth along with some genuine software.
Rootkit allows remote access and administrative control on a system. With these privileges, the
rootkit performs malicious activities like disabling of antivirus, password sniffing, keylogging, etc.

Keylogger
Keylogger software has the ability to record keystrokes and also capture screenshots and save it to a
log file in encrypted form. Keylogger software can record all the information that is typed on the

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 10

 Intrusion Detection System(IDS)

keyboard including passwords, e-mail, and instant messages. The log file created by the keylogger
is saved and mailed to the attacker on a remote machine with the motive to extract password and
banking details for financial fraud.

Ransomware
Ransomware is a malicious software that hampers admission to computer or files on the computer.
The computers may be locked or files encrypted. Accordingly, the two common types of
ransomware are lock screen ransomware and encryption ransomware. The victim will be demanded
ransom for the restriction to be removed, and this gets displayed on victim’s system. There can also
be notification stating that establishments have detected illicit activity on this computer and
demands ransom as fine to avoid prosecution.

Rogue security software

Rogue security software is another malicious program that deceives users to believe that there is
malware installed on their system or the security measures are outdated and hence of concern. They
offer installing or updating users’ security settings. Then it is an actual malware that gets installed
on the computer.

Botnets
A collection of compromised systems or bots acts as a team of infected computers under the control
of a bot master to remotely control and send synchronized attacks on a victim host. This army of
bots, agents, and bot master constitute a botnet. Botnets are used for sending spams and also for
distributed denial of service attacks.

Denial-of-service attacks
Denial-of-service (DoS) attacks as the name suggests deny users from accessing or using the
service or system. This is mainly done by overwhelming the bandwidth, CPU, or memory wherein
the access to the network of the victim machine or server offering the service gets denied. DoS
attacks thus interrupt the service of a computer or network systems, making it inaccessible or too
inferior in performance.

Distributed DoS
In distributed DoS (DDoS) attacks, the victim is targeted from a large number of individual
compromised systems simultaneously. The DDoS attacks are normally done with the help of
botnets. The botmaster is the attacker who indirectly attacks the victim machine using the army of
bots or zombies. The DDoS attacks occur when a large number of compromised systems act
synchronously and are being coordinated under the control of an attacker in order to totally exhaust
its resources and force it to deny service to its genuine users. It is the upsurge in the traffic volume
that loads the website or server causing it to appear sluggish.

IoT-based attacks

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 11

 Intrusion Detection System(IDS)

The last decade has seen exponential increase in the use of Internet of Things (IoT) that are smart
devices used at home, organizations, and businesses. The issue with these IoT is its weak security
as these devices are often overlooked when it comes to applying security patches that create lead-
ins for attackers to seize these devices to infiltrate the networks. An IoT-based attack is any
cyberattack that leverages a victim’s use of IoT to sneak malware onto a network.

Session hijacking
In session hijacking, the hacker takes control of a session going on between two hosts. Session
hijacking usually takes place in applications that use TCP with a sequence number prediction. With
that sequence number, the attacker sends a TCP packet.

Blended attacks
A blended attack is a software exploit that encompasses a mixture of exploit techniques to attack
and propagate threats, for example, viruses, worms, and Trojan horses.

Website attacks
Website attacks are targeting browser components that are at risk of being unpatched even when the
browser is patched. SQL injection attacks are intended to target any website or web application that
uses an SQL database such as MySQL, Oracle, etc. by taking advantage of the security flaws in the
application’s software. This attack is used to obtain and corrupt user’s sensitive data.

Mobile phone and VOIP threats

Malware target mobile phones, VoIP systems, and the IP PBXs as these devices have plentiful
published vulnerabilities. There are attack tools freely available on the Internet, and misusing these
vulnerabilities makes these attacks too common and simple even for a script kiddie.

Wi-Fi eavesdropping
Wi-Fi eavesdropping is an attack used by network attackers to grab sensitive information of a target
system. It is the act of silently listening on an unencrypted Wi-Fi network.

WPA2 handshake vulnerabilities

The key reinstallation attack (KRACK) lets an attacker to decipher the network traffic on Wi-Fi
routers. Every device connected to Wi-Fi, such as computers, smartphones, smart devices, and
wearables, can be identified by the hacker.

Insider attacks
One of the prevalent all-time computer security threats faced by any organization is from its own
employees. Insider attacks are initiated by disgruntled employees of an organization. Insider usually
has certain privileges to the data as well as rights on the systems and networks that they attack,
giving them an advantage over external attackers. These attacks can be hard to prevent with
firewalls, which are the first level of defense.

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 12

 Intrusion Detection System(IDS)

Supply chain attacks

A supply chain attack seeks to cause harm by targeting the least secured elements in the supply
network.

Buffer overflows
Buffer overflows are used to exploit programming glitches that do not take care of the buffer size.
If a buffer is jam-packed beyond its size, the data overflows into the contiguous memory. This flaw
gets smartly used by hackers to change the execution of the program.

User to root attack

User to root attack is a case of privilege escalation where a user gains a higher privilege than that
authorized. This is not a class of attack as such, and it is the process of any attack. Every attack will
do activities the attacker is not privileged to do.

Man-in-the-middle attacks
Man-in-the-middle attacks allow the hacker to snoop on the communication between two systems,
affecting the privacy. A common method of doing this is to place the attacker at a point and redirect
all the communication through the route that includes that hacker so that eavesdropping is possible
by the hacker.

Pharming
Pharming is a widespread online fraud that will automatically point to a nasty and illicit website by
relaying the authentic URL. Even when the URL is correctly entered, the redirection happens to
some forged website looking similar to the actual one. This fake site prompts one to enter personal
information that gets to someone with a wicked intent.

Spam
Spams are unsolicited bulk e-mail messages that annoy the user with unwanted and junk mails. It
gives burden for communications service providers, organizations and individuals alike. These
emails can be commercial ones like an advertisement or noncommercial one like chain letters or
anecdotes. Spam is considered an active vehicle for virus propagation, scams, fraud and is a threat
to computer privacy. Spam also phishes for interesting information with offers and promotions that
trick victims into following links or entering details.

NIDS & HIDS(Host IDS and Network IDS)

Intrusion detection systems are used to detect anomalies with the aim of catching hackers before
they do real damage to a network. They are classified into two type:

 Network Based IDS (NIDS)

 Host Based IDS(HIDS)

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 13

 Intrusion Detection System(IDS)

NIDs: Network-based Intrusion Detection System is also known as network IDS or NIDS used to
examine the network traffic. A network intrusion system has to include a packet sniffer to gather
network traffic for further analysis.
We can easily add our own rules and modify the analysis engine of a NIDS. So, if We have
multiple NIDS, the system provider or community will provide the rules to understand the syntax or
implementation.
If We are thinking of collecting all of the data for analyzing, it is difficult, and We don’t want to
dump all traffic into files. So, with the help of NIDS, We can easily capture only the selective data.
If We have made a rule for a type of worrisome HTTP traffic, the network intrusion detection
system only captures and store HTTP packets that display those particular characteristics.
When looking at NIDs vs HIDs, keep in mind the NIDS is required to be installed on dedicated
hardware, and it comes with expensive enterprise solutions. NIDS requires a sensor module for
capturing network traffic, so We can also load it using a LAN analyzer or dedicated a computer to
execute this task. But, choose a computer with a higher clock speed not to slow down the network.
HIDs :Host-based intrusion detection systems (HIDS) are also known as host-based IDS or host
intrusion detection systems and used to analyze events on a computing device rather than the data
traffic that passes around the computer. HIDS mainly operates by taking and looking at data in
admin files (log files and config files) on the computing device that it protects.

Host intrusion detection system will back up our config files so that We can restore our settings in
case of any malicious attack. Moreover, it is also mandatory to protect our root access on Unix-like
platforms and registry modification on Windows-based systems. So, HIDS is unable to block those
modifications, but it ought to have the ability to alert We if any such access happens.

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 14

 Intrusion Detection System(IDS)

All hosts connected to our network under the HIDS monitoring have the required software installed
on it. If We want to get feedback from more than one device connected to our network, there is no
need to sign-in on each device. Remember, a distributed HIDS system requires a centralized control
module. So, it is recommended to use a system that encrypts the communication between the
central monitor and host agents.

NIDs vs HIDs: Purpose

When the network attacks are getting increased day by day, both HIDS and NIDS have become
popular. But if We want to protect our personal or individual computers, then there is no need to
use NIDS and HIDS because We can use anti-malware suits and firewalls. There are many network
security tools that are used to protect our networks and computing devices. While understanding
NIDs vs HIDs, it is a common question “when we have firewalls and other anti-malware solutions
then why we need both HIDS and NIDS?” Let me explain, these tools can protect our personal
computer, but they lack the intelligence to defend any corporate network. Both HIDS and NIDS

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 15

 Intrusion Detection System(IDS)

capture the network traffic and compare the collected information with predefined patterns to
discover the attacks and vulnerabilities.

NIDs vs HIDs: Core Functions

Host-based Intrusion Detection systems examine particular host-based activities, for example, what
software has been used, what documents have been accessed, and what information resides in the
kernel logs. At the same time, the Network Intrusion Detection systems examine the flow of data
between computers (network traffic). Therefore, NIDs can discover a hacker until he can generate
an unauthorized attack, whereas HIDs will not understand anything is wrong until the hacker has
breached the machine. Both are necessary for sniffing the network for suspicious activities.

NIDs vs HIDs: Benefits

NIDs Benefits: Where NIDs excel and have the capacity to safeguard countless computing devices
from a network location. This is the best option, which is simpler to deploy and less costly. NIDs
also supply a wider evaluation of a big and corporate network through scans and probes. Moreover,
administrators are able to protect other devices such as print servers, firewalls, routers and VPN
concentrators. NIDs are flexible with several operating systems and devices and protect the network
from bandwidth floods as well as DoS attacks.

Advantages of NIDS

 Good network design and placement of NIDS can enable organization to use a few devices
to monitor large network
 NIDSs are usually passive and can be deployed into existing networks with little disruption
to normal network operations

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 16

 Intrusion Detection System(IDS)

 NIDSs not usually susceptible to direct attack and may not be detectable by attackers

Disadvantages of NIDS

 Can become overwhelmed by network volume and fail to recognize attacks

 Require access to all traffic to be monitored
– Having problems with certain switches
 Cannot analyze encrypted packets
 Cannot reliably ascertain if attack was successful or not
 Some forms of attack are not easily discerned by NIDSs, specifically those involving
fragmented packets
HIDs Benefits : Although HIDs might appear to be a lousy solution, initially they have many
advantages. For starters, they could prevent attacks from causing any damage. As an example, if a
malicious file tries to rewrite a document, the HID will cut off its rights and quarantine it. Host-
based intrusion detection systems may keep laptops and personal computers protected whenever
they are removed or taken off from a network and into the field. In short, the HIDs are the last line
of defense used to ward off some attacks that are missed by NIDs.

Advantages of HIDSs

 Can detect local events on host systems and detect attacks that may elude a network-based
IDS
 Functions on host system, where encrypted traffic will have been decrypted and is available
for processing
 Not affected by use of switched network protocols
 Can detect inconsistencies in how applications and systems programs were used by
examining records stored in audit logs

Disadvantages of HIDSs

 Pose more management issues

 Vulnerable both to direct attacks and attacks against host operating system
 Does not detect multi-host scanning, nor scanning of non-host network devices
 Susceptible to some denial-of-service attacks. Can use large amounts of disk space
 Can inflict a performance overhead on its host systems

VPN & Firewalls

A Vulnerability Assessment is a technical safeguard that aims to discover weaknesses within an
organization’s IT infrastructure. The scan targets the entire network identifying all devices, servers
and endpoints by IP address. The scan will identify the applications and operating systems that are
in use. Gathered data is cross-referenced against a security database for known exploits and
vulnerabilities. This will help to identify if a device is vulnerable or not.

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 17

 Intrusion Detection System(IDS)

Any non-compliant device is flagged and added to a vulnerability report. The report is used as a
baseline for post-assessment activities. Identified weakness in the organization's environment needs
to be resolved. Fixing issues with, for example, scheduling patching, software updates, firmware
updates or blocking network ports should follow the vulnerability scan.

A virtual private network (VPN) has been used variously. Security experts use VPN for sharing
the
Intranet services on a public network with authentication and Authorization. However, Cyber
Criminals use it for Anonymity and spoofed identity. Now it’s the right time to revamp the
Infrastructure Security Policies and prepare all the security checks on every stage of the data
filtration, data Preservation, Authentication, and Authorization with the Notifications and
preventions using Intrusion detection and prevention systems. However, the VPN is playing a vital
role in the updated security system.

Exposed Vulnerabilities in VPN

The more organizations are dependent on VPN, Similarly, the new vulnerabilities have been
exposed. To date in total 479 vulnerabilities have been identified and exposed on the public domain
where Top 28 vulnerabilities identified and exposed only in the year 2020 [6]. While surveying the
listed vulnerabilities it has been identified that most of the vulnerabilities exist due to the old
versions of the VPN, deployed in the Hardware. The Firmware has never been updated due to
which many hacking attempts occurred and many organizations become the victim of VPN
hacking. Where the impact was like Data Theft, Identity Theft, Cyber Attacks on internal/external
Websites/ Networks, Hacking, Introducing Malwares, etc.
Common Threats and Attacks on VPN
Due to COVID-19, pandemic Enterprises are now more dependent on the VPN for Work-from
Home Model, where employees can connect as a VPN client to the corporate infrastructure and
access internal network services. However, the major threats and attacks have been massively
introduced in this pandemic period only. The real fact is that VPN clients can’t always be “trusted,”
due to which organization is affected by a large number of data breaches around the globe. As the
VPN ports are always open for Clients, it has been exploited by hackers and attackers easily with
various attacks. The few of the common threats and attacks are as follows:
1. MITM Attacks: It is known as “Man-in-the-middle” Attack, where hackers take the privilege to
exploit from the network connections and try to penetrate between Server and Client
communications. They try to exploit variously like from the Coding point of view, Protocols
exploits, session hijacking, fuzzing, brute force attacks, Dictionary attacks, decryption of common
algorithms, introducing Spywares on the Client machines, etc.

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 18

 Intrusion Detection System(IDS)

2. DNS Hijacking: Most of the organizations are now interested to redirect the end-user traffic via
their DNS servers. It helps to filter the real-time content and to identify the behavior of the users.
Mostly Web access Firewall service providers sell their product which is technically based on DNS
services. Hackers also try to penetrate the user’s router to reroute the entire network traffic via
phished servers/ hackers controlled servers. Were they can easily redirect the legitimate client
request to anonymous servers or they may introduce some adware’s or other spyware to hijack
clients' machines so that they can further penetrate the entire internal network using VPN or other
proxy servers.
3. Trojans and Worms: Trojans are the Client-server architecture based program designed to open
the backdoors on the end-user systems connected on the same network and able to prevail, users,
their identities, resources, and credentials for hacker’s personal use. Worms are the self-replicated
programs designed to infect the shareable resources like multiple drives, network drives, removable
drives, and other network resources. It would be more dangerous at the time if the client is also
connected to any VPN. Because it is quite easy to infect the entire corporate network by introducing
Trojans and worms from the infected VPN client accessing internal network services.
4. Repeated Login attempts: This attack is a very common attack on the VPN servers/ routers
because of the common software-defined parameters and configurations applied for authentication
purposes. Such attacks are also known as Brute force attacks. Hackers try to find out the login
behavior based on pre-define parameters and the identified URLs/ Links/ Pre-opened ports and they
try to apply fuzzing tools to generate the adaptive authentication credentials.
5. Legacy Apps: These apps are such commonly used apps to connect various servers/ network
services without any auditing or any version updates like Putty etc. Almost every windows user
working on server configurations are much familiar with these apps. However the IT heads are least
bother about its security concerns, the version used, downloaded from legitimate sites, or is that
opening any backdoors and given privileges to their parent organizations or hackers or so. This is
one of the most common routes to hijack VPNs and able to misuse any resource accessed by the
end-user of an organization.

Firewalls are a basic part of any company’s cybersecurity architecture. However, firewalls alone
should never be considered the be-all, end-all solution for our company’s cybersecurity needs. Yes,
they are useful, but there are a few issues with firewalls that can make it a bad idea to only rely on
this one security tool to protect our business.
• A firewall is a network security system that manages and regulates the network traffic based on
some protocols. A firewall establishes a barrier between a trusted internal network and the internet.
• Firewalls exist both as software that run on a hardware and as hardware appliances. Firewalls that
are hardware-based also provide other functions like acting as a DHCP server for that network.
• Most personal computers use software-based firewalls to secure data from threats from the internet.
Many routers that pass data between networks contain firewall components and conversely, many
firewalls can perform basic routing functions.
• Firewalls are commonly used in private networks or intranets to prevent unauthorized access from
the internet. Every message entering or leaving the intranet goes through the firewall to be
examined for security measures.

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 19

 Intrusion Detection System(IDS)

An ideal firewall configuration consists of both hardware and software based devices. A firewall
also helps in providing remote access to a private network through secure authentication certificates
and logins

• Hardware firewalls are standalone products. These are also found in broadband routers. Most
hardware firewalls provide a minimum of four network ports to connect other computers. For larger
networks − e.g., for business purpose − business networking firewall solutions are available.
• Software firewalls are installed on our computers. A software firewall protects our computer from
internet threats.

Some of the firewall threats and vulnerabilities to look out for are listed as follows:
1) Insider Attacks
A perimeter firewall is meant to keep away attacks that originate from outside of our network. So,
what happens when the attack starts from the inside? Typically, the perimeter firewall becomes
useless—after all, the attacker is already on our system.

However, even when an attack originates from within our network, firewalls can do some good—IF
we have internal firewalls on top of our perimeter firewalls. Internal firewalls help to partition
individual assets on our network so attackers have to work harder to move from one system to
another one. This helps increase the attacker’s breakout time so we have more time to respond to
the attack.

2) Missed Security Patches

This is an issue that arises when network firewall software isn’t managed properly. For any
software program, there are vulnerabilities that attackers may exploit—this is as true of firewall
programs as it is of any other piece of software. When firewall vendors discover these
vulnerabilities, they usually work to create a patch that fixes the problem as soon as possible.

However, the patch’s mere existence doesn’t mean that it will automatically be applied to our
company’s firewall program. Until that patch is actually applied to our firewall software, the
vulnerability is still there—just waiting to be exploited by a random attacker.

The best fix for this problem is to create and stick to a strict patch management schedule. Under
such a schedule, we (or the person managing our cybersecurity) should check for any and all
security updates for our firewall software and make sure to apply them as soon as possible.

3) Configuration Mistakes
Even when a firewall is in place on our network, and has all of the latest vulnerability patches, it
can still cause problems if the firewall’s configuration settings create conflicts. This can lead to a
loss of performance on our company’s network in some cases, and a firewall outright failing to
provide protection in others.

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 20

 Intrusion Detection System(IDS)

For example, dynamic routing is a setting that was long ago deemed a bad idea to enable because it
results in a loss of control that reduces security. Yet, some companies leave it on, creating a
vulnerability in their firewall protection.

Having a poorly-configured firewall is kind of like filling a castle’s moat with sand and putting the
key to the main gate in a hide-a-key right next to the entrance—we’re just making things easier for
attackers while wasting time, money, and effort on our “security” measure.

4) A Lack of Deep Packet Inspection

Layer 7 (or “deep packet”) inspection is a rigorous inspection mode used by next-generation
firewalls to examine the contents of an information packet prior to approving or denying that packet
passage to or from a system.

Less advanced firewalls may simply check the data packet’s point of origin and destination before
approving or denying a request—info that an attacker can easily spoof to trick our network’s
firewall.

The best fix for this problem is to use a firewall that can perform deep packet inspection to check
information packets for known malware so it can be rejected.

5) DDoS Attacks
Distributed Denial of Service (DDoS) attacks are a frequently-used attack strategy noted for being
highly effective and relatively low-cost to execute. The basic goal is to overwhelm a defender’s
resources and cause a shutdown or prolonged inability to deliver services. One category of attack—
protocol attacks—are designed to drain firewall and load balancer resources to keep them from
processing legitimate traffic.

While firewalls can mitigate some types of DDoS attacks, they can still be overloaded by protocol
attacks.

There is no easy fix for DDoS attacks, as there are numerous attack strategies that can leverage
different weaknesses in our company’s network architecture. Some cybersecurity service providers
offer “scrubbing” services, wherein they divert incoming traffic away from our network and sort
out the legitimate access attempts from the DDoS traffic. This legitimate traffic is then sent to our
network so we can resume normal operations.

Alone, firewalls cannot protect our network from all of the threats that are out there. However, they
can serve as an integral part of a larger cybersecurity strategy to safeguard our business.

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 21