AN IMPLEMENTATION of INTRUSION DETECTION and PREVENTION SYSTEMS Dr

AN IMPLEMENTATION OF INTRUSION DETECTION AND PREVENTION SYSTEMS Dr. G.N.K.Suresh Babu1, Dr. M. Kumarasamy2 1Professor, Department of Computer Science, Acharya Institute of Technology, Bangalore 2Professor, Department of Informatics, Wollega University, Ethiopia /Africa

ABSTRACT Keywords: Intruders, Attacks, Virus, The purpose of the paper is to develop a two- Wireless, Hackers stage approach for the important cyber- security problem of detecting the presence of 1. INTRODUCTION a botnet and identifying the compromised Intrusion detection and prevention mechanisms nodes (the bots), ideally before the botnet can detect malicious activities performed by becomes active. The expansion of mobile external or internal attackers, by monitoring and computing devices such as laptops and analyzing network activities. The existing IDS Personal digital assistants (PDAs) increased architectures for ad hoc networks can be the demand for the Wireless Local Area classified into stand-alone, cooperative and Networks (WLANs) in the corporate world. hierarchical. In stand-alone architecture, every In last decade, there was a huge increase in node in the network performs detection based the deployment of the wireless LANs in the on its local data using an IDS agent installed on corporate and this growth is drastically it. In cooperative architecture, each node has an increases every year due to its low cost, IDS agent that communicates and collaborates strong performance and ease of deployment. with other nodes’ agents, forming a global Although many enterprises are highly intrusion detection to resolve inconclusive concerned about the security issues such as detections. Hierarchical IDS is a sm unauthorized use of service and privacy in their Wireless LANs, they are unaware or ort of cooperative architecture suited to multi- unsure about providing a strong security to layered networks. In this architecture, the their wireless network. Within the past 10 network is divided into clusters, where some years, wireless LANs become more prevalent nodes are selected as cluster heads to undertake at home, most of the computer users are more responsibility than other cluster members. getting adapted to laptops where they setup Each cluster member performs local detection, wireless networks to connect internet. Unlike while cluster heads perform global detection wired LANs, wireless LANs is more (Sen, 2010). This paper focuses on both home vulnerable to intrusions, misuse and attacks and enterprise wireless local area networks. It due to the fact that the data is transmitted starts with a research on the various threats, across the air in clear text which is easily attacks and vulnerabilities in the WLANs. accessible. Wireless hacking is one of the Multi-hop ad hoc networks are often secured by major issues in the wireless networking using either cryptography or intrusion detection where there are numerous and potentially systems (IDSs). Cryptographic approaches can dangerous threats that includes interception, protect ad hoc networks against external unauthorized monitoring of wireless traffic, attackers using node authentication and data client to client attacks, jamming, session encryption. However, these techniques cannot hijacking, etc. prevent insider attacks, consumes considerable

ISSN (PRINT): 2393-8374, (ONLINE): 2394-0697, VOLUME-4, ISSUE-10, 2017 1 INTERNATIONAL JOURNAL OF CURRENT ENGINEERING AND SCIENTIFIC RESEARCH (IJCESR) resources and have their associated problems devices in the network. But scanning all such as key issuing and management. traffic could lead to the creation of bottlenecks, which impacts the overall 2. INTRUSION DETECTION AND speed of the network. PREVENTION SYSTEM  HIDS: Host intrusion detection systems IDS/IPS devices need two things to provide an run on separate machines or devices in the effective layer of security. The devices must be network, and provide safeguards to the tuned to the network they monitor and tuned-in overall network against threats coming to the latest threats. Getting the maximum ROI from the outside world. from your investment in IDS/IPS is easier with  Signature based IDS: Signature based a bit of expert help. The tough part of big data is IDS systems monitor all the packets in the analyzing it to know what action to take. IDS network and compare them against the devices can generate thousands of alerts daily, database of signatures, which are pre- many of which are false positives, which can configured and pre-determined attack send your team off to chase ghosts. Keeping patterns. They work similar to antivirus your IDS/IPS devices tuned, up-to-date and software. monitored appropriately given new emerging  Anomaly based IDS: This IDS monitors threats can become a heavy burden for limited network traffic and compares it against an security resources. Shifting this burden to a established baseline. The baseline managed service staffed with security device determines what is considered normal for experts can offer needed relief, along with the network in terms of bandwidth, improved insights that help you take the right protocols, ports and other devices, and the action to remediate identified threats. Fig 1 IDS alerts the administrator against all represents how firewall can be used for sorts of unusual activity. intrusion detection.  Passive IDS: This IDS system does the simple job of detection and alerting. It just alerts the administrator for any kind of threat and blocks the concerned activity as a preventive measure.  Reactive IDS: This detects malicious activity, alerts the administrator of the threats and also responds to those threats.

4. OPEN SOURCE NETWORK INTRUSION DETECTION TOOLS 4.1Snort Snort is a free and open source network intrusion detection and prevention tool. It was created by Martin Roesch in 1998. The main advantage of using Snort is its capability to perform real-time traffic analysis and packet Fig. 1 Intrusion Detection Using Firewall logging on networks. With the functionality of Systems protocol analysis, content searching and various pre-processors, Snort is widely accepted as a 3. INTRUSION DETECTION TOOLS tool for detecting varied worms, exploits, port There are a wide variety of IDSs available, scanning and other malicious threats. It can be ranging from antivirus to hierarchical systems, configured in three main modes — sniffer, which monitor network traffic. The most packet logger and network intrusion detection. common ones are listed below. In sniffer mode, the program will just read packets and display the information on the  NIDS: Network intrusion detection console. In packet logger mode, the packets will systems are placed at highly strategic be logged on the disk. In intrusion detection points within the network to monitor mode, the program will monitor real-time traffic inbound and outbound traffic from all and compare it with the rules defined by the

ISSN (PRINT): 2393-8374, (ONLINE): 2394-0697, VOLUME-4, ISSUE-10, 2017 2 INTERNATIONAL JOURNAL OF CURRENT ENGINEERING AND SCIENTIFIC RESEARCH (IJCESR) user. 4.3OpenWIPS-NG Snort can detect varied attacks like a buffer OpenWIPS-NG is a free wireless intrusion overflow, stealth port scans, CGI attacks, SMB detection and prevention system that relies on probes, OS fingerprinting attempts, etc. It is sensors, servers and interfaces. It basically runs supported on a number of hardware platforms on commodity hardware. It was developed by and operating systems like Linux, OpenBSD, Thomas d’Otrepe de Bouvette, the creator of FreeBSD, Solaris, HP-UX, MacOS, Windows, Aircrack software. OpenWIPS uses many etc. functions and services built into Aircrack-NG for scanning, detection and intrusion 4.2SecurityOnion prevention. The three main parts of OpenWIPS- Security Onion is a Linux distribution for NG are listed below: intrusion detection, network security monitoring and log management. The open source Sensor: Acts as a device for capturing wireless distribution is based on Ubuntu and comprises traffic and sending the data back to the server lots of IDS tools like Snort, Suricata, Bro, Sguil, for further analysis. The sensor also plays an Squert, Snorby, ELSA, Xplico, NetworkMiner, important role in responding to all sorts of and many others. Security Onion provides high network attacks. visibility and context to network traffic, alerts Server: Performs the role of aggregation of and suspicious activities. But it requires proper data from all sensors, analyses the data and management by the systems administrator to responds to attacks. Additionally, it logs any review alerts, monitor network activity and to type of attack and alerts the administrator. regularly update the IDS based detection rules. Interface: The GUI manages the server and Security Onion has three core functions: displays the information regarding all sorts of threats against the network.  Full packet capture  Network based and host based intrusion 4.4Suricata detection systems Suricata is an open source, fast and highly  Powerful analysis tools robust network intrusion detection system developed by the Open Information Security Full packet capture: This is done using Foundation. The Suricata engine is capable of netsnifff-ng, which captures all network traffic real-time intrusion detection, inline intrusion that Security Onion can see, and stores as much prevention and network security monitoring. as your storage solution can hold. It is like a Suricata consists of a few modules like real-time camera for networks, and provides all Capturing, Collection, Decoding, Detection and the evidence of the threats and malicious Output. It captures traffic passing in one flow activities happening over the network. before decoding, which is highly optimal. But unlike Snort, it configures separate flows after Network-based and host-based IDS: It capturing and specifying how the flow will analyses the network or host systems, and separate between processors. provides log and alert data for detected events and activity. Security Onion has varied IDS 4.5BroIDS options like rule-driven IDS, analysis-driven BroIDS is a passive, open source network IDS, HIDS, etc. traffic analyser developed by Vern Paxson, and is used for collecting network measurements, Analysis tools: In addition to network data conducting forensic investigations, traffic base capture, Security Onion comprises various tools lining and much more. BroIDS comprises a set like Sguil, Squert, ELSA, etc, for assisting of log files to record network activities like administrators in analysis. HTTP sessions with URIs, key headers, MIME Security Onion also provides diverse ways for types, server responses, DNS requests, SSL the live deployment of regular standalone, certificates, SMTP sessions, etc. In addition, it server-sensor and hybrid monitoring tools. provides sophisticated functionality for the analysis and detection of threats, extracting files from HTTP sessions, sophisticated malware

ISSN (PRINT): 2393-8374, (ONLINE): 2394-0697, VOLUME-4, ISSUE-10, 2017 3 INTERNATIONAL JOURNAL OF CURRENT ENGINEERING AND SCIENTIFIC RESEARCH (IJCESR) detection, software vulnerabilities, SSH brute used for integrity assurance, change force attacks and validating SSL certificate management and policy compliance. chains. BroIDS is divided into the following two layers. 4.8 AIDE AIDE (Advanced Intrusion Detection Bro Event Engine: This does the task of Environment) was developed by Rami Lehti analysing live or recorded network traffic packs and Pablo Virolainen. It is regarded as one of using C++ to generate events when something the most powerful tools for monitoring changes unusual happens on the network. to UNIX or Linux systems. AIDE creates a Bro Policy Scripts: These analyse events to database via regular expression rules that it create policies for action, and events are finds from the config files. On initialising the handled using policy scripts such as sending database, it is used to verify the integrity of emails, raising alerts, executing system files. Some of the most powerful features of commands and even calling emergency AIDE are as follows: numbers.  Supports all kinds of message digest 4.6OSSEC algorithms like MD5, SHA1, RMD160, OSSEC is a free and open source host based TIGER, SHA256 and SHA512. IDS that performs varied tasks like log analysis,  Supports POSIX ACL, SELinux, XAttra integrity checking, Windows registry and Extended File System. monitoring, rootkit detection, time-based  Powerful regular expression support to alerting and active response. The OSSEC include or exclude files and directories system is equipped with a centralised and cross- for monitoring. platform architecture allowing multiple systems  Supports various operating system to be accurately monitored by administrators. platforms like Linux, Solaris, Mac OS The OSSEC system comprises the following X, UNIX, BSD, HP-UX, etc. three main components. 5 PROPOSED METHODOLOGY  Main application: This is a prime We begin the implementation with traffic requirement for installations; OSSEC is filtering, which eliminates all Non-P2P Clients. supported by Linux, Windows, Solaris Followed by Fine grained P2P clients where and Mac environments. those Non-P2P clients that escaped the traffic  Windows agent: This is only required filter stage are eliminated here. This is followed when OSSEC is to be installed on by Coarse grained detection of P2P Bots where Windows based computers/clients as most of the legitimate P2P clients are identifies well as servers. and eliminated. Finally the few legitimate P2P  Web interface: Web based GUI clients present are identified and eliminated in application for defining rules and Fine grained P2P Bot detection. Those hosts that network monitoring. are left after the filtering process are the bots present in the system. 4.7 Open Source Tripwire Open Source Tripwire is a host based intrusion Module description detection system focusing on detecting changes We have four modules in this project and they in file system objects. On the first initialisation, Tripwire scans the file system as instructed by are: the systems administrator and stores the 1. Traffic Filtering information of each file in a database. When a) Network Monitoring b) DNS Traffic files are changed and on future scans, the results are compared with the stored values and 2. Fine Grained Detection of P2P Clients changes are reported to users. Tripwire makes a) Cluster Formation based on protocol use of cryptographic hashes to detect changes in files. In addition to scanning file changes, it is 3. Coarse Grained Detection of P2P Bots a) Calculate Start and End Time Stamp

ISSN (PRINT): 2393-8374, (ONLINE): 2394-0697, VOLUME-4, ISSUE-10, 2017 4 INTERNATIONAL JOURNAL OF CURRENT ENGINEERING AND SCIENTIFIC RESEARCH (IJCESR) b) Calculate Active time the system for a long time to listen to the system c) Compare Active time with System time communication. Those clients that have active time not comparable with the system are 4. Fine Grained Detection of P2P Bots identified as legitimate P2P clients and are a) EuclideanDistance Calculation discarded. b) Peer Evaluation Input: P2P clients (including Bots and legitimate clients) Algorithm and detailed explanation for each Output: Legitimate P2P clients module 1. Traffic Filtering This module will accept the input from the network traffic. The input will be a set of hosts present in the network and these hosts include P2P clients, P2P Bots and Non-P2P traffic. The Traffic Filter component aims at filtering out network traffic that is unlikely to be related to P2P communications. This is accomplished by passively analyzing DNS traffic, and identifying network flows whose destination IP addresses were previously resolved in DNS responses and then eliminating it from the system. Input: Network traffic Output: DNS Traffic Eliminated from the initial input traffic

2. Fine Grained Detection of P2P Clients This component is responsible for detecting P2P Fig.2 Proposed Methodology clients by analyzing the remaining network ﬂows after the Trafﬁc Filter component. Each of the 6.CONCLUSION host is classified into clusters based on the Before evaluating IDPS products, organizations network flow (TCP or UDP). Once all the hosts should first define the general requirements that are grouped into clusters, the Euclidean distance the Products should meet. The features provided between the two flows are calculated for each by IDPS products and the methodologies that host.The average distance for each of the cluster they use vary considerably, so a product that is calculated and summarized. If the average best meets one organization’s requirements distance does not exceed a certain threshold might not be suitable for meeting another value, then the corresponding host is discarded. organization’s requirements. Information Input: Network traffic that contain only those security has become a legitimate concern for hosts with a legitimate IP address both organisations and computer users due to Output: P2P clients (including Bots and the growing confidence on computers and legitimate clients) are retained electronic transactions. Different techniques are used to support the security of an organization 3. Coarse Grained Detection of P2P Bots against threats or attacks. On the other side, The output from the previous model will have attackers are discovering new techniques and only those clients that are P2P. This component ways to break these security policies. Firewall, is responsible for identifying the bots. The active antivirus and antispyware are limited to provide time of each client is calculated. Also, the system security to the system against threats. This time of the underlying host is calculated. By paper concludes that both the intrusion comparing the active time and the system time, detection systems and preventions systems still the P2P clients can be distinguished from the need to be improved to ensure an unfailing bots. The feature that is leveraged is that, a client security for a network. They are not reliable that has its active time comparable with the enough and they are difficult to administer. It is system time is a bot as a bot must be active on

ISSN (PRINT): 2393-8374, (ONLINE): 2394-0697, VOLUME-4, ISSUE-10, 2017 5 INTERNATIONAL JOURNAL OF CURRENT ENGINEERING AND SCIENTIFIC RESEARCH (IJCESR) obvious that these systems are now essential for Dissertation, Southern Illinois University companies to ensure their security. To assure an Carbondale (2011). effective computerized security, it is strongly [6] F. Cikala, R. Lataix, S. Marmeche", The recommended to combine several types of IDS/IPS. Intrusion Detection/Prevention detection system. Our proposed methodology Systems ", Presentation, 2005. combines some of the best features of existing [7] Hervé Debar and Jouni Viinikka, "Intrusion IDS tools and we try to give some solutions to Detection,: Introduction to Intrusion Detection the prevention systems. Security and Information Management", Foundations of Security Analysis and Design REFERENCES III, Reading Notes in to Compute Science, [1] U. A. Sandhu, S. Haider, S. Naseer, O. U. Volume 3655, 2005. pp. 207-236. Ateeb, “A Survey of Intrusion Detection & [8] Abdullah A. Mohamed, “Design Intrusion Prevention Techniques”, International Detection System Based On Image Block Conference on Information Communication Matching”, International Journal of Computer and Management IPCSIT: IACSIT Press, and Communication Engineering, IACSIT Singapore 2011. Press, Vol. 2, No. 5, September 2013. [2] K. Scarfone and P. Mell, Guide to Intrusion [9] Denning, Dorothy E., "An Intrusion Detection and Prevention Systems (IDPS), Detection Model," Proceedings of the Seventh Recommendations of the National Institute IEEE Symposium on Security and Privacy, May of Standards and Technology: NIST Special 1986, pages 119–131 Publication, February 2007. [10] Karen Scarfone & Peter Mell, “Guide to [3] B. Menezes, Network Security and Intrusion Detection and Prevention Systems Cryptography: CENGAGE Learning, (IDPS)”, NIST Special Publication on Chapter 14, 18, 19, 21, 22, 24, 2010. Computer security, February 2007. [4] J. R. Vacca, Computer and information [11 Lunt, Teresa F., "Detecting Intruders in security handbook: Morgan Kaufmann Computer Systems," 1993 Conference on Series in Computer Security, First edition, Auditing and Computer Technology, SRI May 4, 2009. International. [5] Langin, C. L. A SOM+ Diagnostic System for Network Intrusion Detection. Ph.D.

ISSN (PRINT): 2393-8374, (ONLINE): 2394-0697, VOLUME-4, ISSUE-10, 2017 6