EARLY DETECTION OF INTRUSIONS AND MALWARE FOR LINUX BASED SYSTEMS

Xinrun Zhang (9856295)

08 March 2021

<p>The system call based research for host intrusion detection systems (HIDSs) and Android malware detection systems (AMDSs) have been conducted over the past several years. Several HIDS and AMDS frameworks have been proposed using different intrusion and malware datasets. Security researchers have used several machine learning (ML) techniques to improve the classification performance with high accuracy and low false-alarm rate. However, the emphasis on real-world deployment of HIDS and AMDS for intrusion and malware detection is limited. To address this issue, we propose a system call traces processing framework with the ability to perform early detection of intrusions and malware. In the proposed framework, a limited number of system calls are analyzed which are invoked by the processes/applications during their early execution. To verify the efficiency, we perform the experiments on a publicly available intrusion dataset known as ADFA-LD dataset and a self-constructed dataset for Android environment. We analyze both the datasets with statistical methods, and process the selected traces with 2-4 gram model and Term Frequency–Inverse Document Frequency (TF-IDF) model during the extraction of features. We train six ML classifiers using the datasets including Decision Tree, Random Forest, Multi-layer Perceptron, K-nearest-neighbor, Multi-variable Naive Bayesian, and Support Vector Machine. The experimental results demonstrate that the performance of proposed HIDS and AMDS are similar to the approaches that used all the system calls invoked during the full execution of applications. We also develop a client-server architecture based Android app for our Android malware detection system.</p>

Computer Engineering

HIDS

Android malware

Systémy detekce a prevence průniku / Intrusion Detection and Prevention Systems

Černý, Michal

January 2010

The detection and intrusion prevention systems could be realized as independent hardware or set in the software form on to the host. The primary purpose of these protective elements is the undesirable activity detection such as integrity intrusion of the files, invalid attempts while connecting to the remote service or acquisition of the local network data. The systems react to the event on the basis of the action that is defined by internal rules. We can include the caution sending or communication blocking among possible counteractions. The base principals of the detection and intrusion prevention systems are described in the dissertation. Various types of captured data analyses and processes of the inhere rules creation and further more caution formats are mentioned in the dissertation. There are also considered the alternatives of their location including advantages of selected situations. There is described the installation and setting up of particular elements of the realized network and security systems. In order to the verification of functionality and factor of the protection providing there was realized several selected types of attacks.

HIDS IDS IPS NIPS Snort inline OSSEC

Intrusion Detection systems : A comparison in configuration and implementation between OSSEC and Snort

Stegeby, Peter

January 2023

Hackare fortsätter att bli bättre på att få otillåten tillgång till våra datorer och kan undvika de mest grundläggande intrångsskyddade system och brandväggar på en standarddator. Då numren av intrång växer varje år och kostar företag miljoner av dollar, så verkar gapet mellan attackerare och försvarare att bli större. Frågan som då kan uppstå är, hur kan vi skydda oss själva? Kunskapen som blivit insamlad i detta arbete pekar tydligt på att det finns saker vi kan göra vilket svarar på frågan, hur kan vi upptäcka intrång? Studien visar att mer avancerade Intrusion Detection System (IDS) kan bli implementerad på hemdatorer (och i företag). Det finns många alternativ att välja mellan, men de valda IDSer – OSSEC och Snort – kan upptäcka säkerhetsbrister på enskilda host-maskiner (eller på nätverket) i realtid tack vare avancerad loggningshanterings och övervakning. Svårighetsgraden av att använda och implementera dessa IDSer var utmanande men tillfredställande och konfigurationen var flexibel vilket tillåter IDSerna att bli installerade på en ensam host-dator eller i ett nätverk. Om ett enkelt-att-följa grafiskt översikt av felmeddelanden är vad man önskar så har OSSEC IDS, tillsammans med att skicka e-mail över felmeddelandet, den funktionaliteten. Snort, på andra sidan, har en enkel konfiguration och flexibilitet i att skriva regler. Det borde framgå tydligt att implementera en IDS på ert system inte gör det ogenomträngligt, inte heller löser det alla säkerhetsrelaterade problem, men det som kommer att hända är att vi får en bättre förståelse av de hot som uppstår i våra system. / Hackers keeps getting better at gaining unauthorized access to our computers and can avoid some of the most basic intrusion detection systems and firewalls on a standard computer. The gap between attackers and defenders seem to grow as intrusions increase in numbers every year, costing companies millions of dollars, so the question is posed, how can we protect ourselves? The research done in this work clearly points to that there are things that can be done which answers the question, how can we detect intrusions? The study has shown that a more advanced intrusion detection system (IDS) can be implemented on home computers (and in businesses). There are many options to choose from but the chosen IDSs – OSSEC and Snort – can detect security issues on the host computer (or on the network) in real-time by advanced logging management and monitoring. The implementation and usage difficulties of these IDSs are challenging but satisfying and the configurations are flexible allowing the IDSs to be installed on a single host or in a larger network. If an easy-to-follow graphical overview of the alerts on your system is what you are looking for then that, and sending e-mails of the alert, is found in the OSSEC IDS. Snort, on the other hand, has easy configurations and flexible rule-writing and the options of sniffing packets on the network. It should be clear that implementing an IDS on your system does not make it impenetrable nor solve all the security issues but what it will do is to give you a better understanding of the threats on your system.

Intrusion detection

HIDS

NIDS

Signature-based

Linux

Windows

Sniffing packets

Upptäcka intrång

HIDS

NIDS

Signatur-baserad

Linux

Windows

Paketsniffing.

Software Engineering

Programvaruteknik

An Evaluation of current IDS

Fernandez, Maria del Mar, Porres, Ignacio

January 2008

<p>With the possibility of connecting several computers and networks the necessity of protecting the whole data and machines from attackers (hackers) that try to get some confident information to use for their own benefit or just destroy or modify valuable information was born. At this point IDS appears to help users, companies or institutions to detect when they are getting compromised. This thesis will cover two main parts: the first one consists of an intense research study about the world of IDS and its environment. Subsequently, we will conclude this part with some points where IDS still needs to be questioned and show up desirable requirements for “the perfect” intrusion detection system. This “perfect” adjective can of course be discussed variously. The second part of the thesis approaches the implementation of the most used open source IDS: Snort. Some basic attacks on the machine where Snort is installed will be performed in order to make the future user see what kind of protection it ensures and the usability of this. There is a brief discussion about two of the main challenges in IDS will follow: analyzing big amounts of packets and encrypted traffic. Finally there are conclusions for a safe computer environment as well as the suggestion that some skilled programmer should give Snort a more friendly interface for every kind of users and a built in programme package which includes webserver, database and other libraries that are needed to run it properly with all its features.</p>

IDS

NIDS

HIDS

Snort

False Positive

Firewall

Informatik, data- och systemvetenskap

An Evaluation of current IDS

Fernandez, Maria del Mar, Porres, Ignacio

January 2008

With the possibility of connecting several computers and networks the necessity of protecting the whole data and machines from attackers (hackers) that try to get some confident information to use for their own benefit or just destroy or modify valuable information was born. At this point IDS appears to help users, companies or institutions to detect when they are getting compromised. This thesis will cover two main parts: the first one consists of an intense research study about the world of IDS and its environment. Subsequently, we will conclude this part with some points where IDS still needs to be questioned and show up desirable requirements for “the perfect” intrusion detection system. This “perfect” adjective can of course be discussed variously. The second part of the thesis approaches the implementation of the most used open source IDS: Snort. Some basic attacks on the machine where Snort is installed will be performed in order to make the future user see what kind of protection it ensures and the usability of this. There is a brief discussion about two of the main challenges in IDS will follow: analyzing big amounts of packets and encrypted traffic. Finally there are conclusions for a safe computer environment as well as the suggestion that some skilled programmer should give Snort a more friendly interface for every kind of users and a built in programme package which includes webserver, database and other libraries that are needed to run it properly with all its features.

IDS

NIDS

HIDS

Snort

False Positive

Firewall

Computer and Information Sciences

Data- och informationsvetenskap

Evaluating the efficiency of Host-based Intrusion Detection Systems protecting web applications

Willerton, Adam, Gustafsson, Rasmus

January 2022

Background. Web applications are a more significant part of our digital experience, and the number of users keeps continuously growing. Social media alone accounts for more than half of the world’s population. Therefore these applications have become a lucrative target for attackers, and we have seen several attacks against them. One such example saw attackers manage to compromise a twitter account [15], leading to false information being published, causing the New York stock exchange to drop 150 points, erasing 136 billion dollars in equity market value. There are methods to protect web applications, such as web application firewalls or content security policies. Still, another candidate for defending these applications is Host-based Intrusion Detection Systems (HIDS). This study aims to assess the efficiency of these HIDS when defending against web applications. Objectives. The main objective of the thesis is to create an efficiency evaluating model for a HIDS when protecting web applications. Additionally, we will test two open-source HIDS against web applications built to emulate a vulnerable environment and measure these HIDS efficiencies with the model mentioned above. Methods. To reach the objectives of our thesis, a literature review regarding what metrics to evaluate the efficiency of a HIDS was conducted. This allowed us to construct a model for which we evaluated the efficiency of our selected HIDS. In this model, we use 3 categories, each containing multiple metrics. Once completed, the environment hosting our vulnerable applications and their HIDS was set up, followed by the attacks of the applications. The data generated by the HIDS gave us the data required to make our efficiency evaluation which was performed through the lens of the previously mentioned model. Results. The result shows a low overall efficiency from the two HIDS when regarding the category attack detection. The most efficient of the two could be determined. Of the two evaluated, Wazuh and Samhain; we determined Wazuh to be the more efficient HIDS. We identified several components required to improve their attack detection. Conclusions. Through the use of our model, we concluded that the HIDS Wazuh had higher efficiency than the HIDS Samhain. However both HIDS had low performances regarding their ability to detect attacks. Some specific components need to be implemented within these systems before they can reliably be used for defending web applications.

Intrusion Detection System

IDS

Host-based Intrusion Detection System

HIDS

Web applications

Efficiency

Computer and Information Sciences

Data- och informationsvetenskap

Analýza systémových záznamů / System Log Analysis

Ščotka, Jan

January 2008

The goal of this master thesis is to make possible to perform system log analysis in more general way than well-known host-based instrusion detection systems (HIDS). The way how to achieve this goal is via proposed user-friendly regular expressions. This thesis deals with making regular expressions possible to use in the field of log analysis, and mainly by users unfamiliar with formal aspects of computer science.

Detekce útoku pomocí analýzy systémových logů / Attack Detection by Analysis of the System's Logs

Holub, Ondřej

Unknown Date

The thesis deals with the attack detection possibilities and the nonstandard behaviour. It focuses on problems with the IDS detection systems, the subsequent classification and methods which are being used for the attack detection. One part of the thesis presents the existing IDS systems and their properties which are necessary for the successful attack detection. Other parts describe methods to obtain information from the operating systems Microsoft Windows and it also analyses the theoretical methods of data abnormalities. The practical part focuses on the design and implementation of the HIDS application. The final application and its detection abilities are tested at the end of the practical part with the help of some model situations. In the conclusion, the thesis sums up the gained information and shows a possible way of the future development.