1 |
IDS för alla : Intrångsdetekteringssystem för hemmaanvändare [IDS for Everyone: Intrusion Detection Systems for Home Users]
Johansson, Fredrik, Johansson, Jörgen, Johansson, Marcus January 2013
In today's IT society, security is an important aspect. One way to achieve higher security is to build up security in layers. In home networks, two common layers are antivirus and firewall. This bachelor's thesis investigates whether an intrusion detection system (IDS) is a good complement to the security of a home network. To keep the system as attractive as possible for the home network, the focus is on keeping the price down and the configuration simple. We chose the single-board computer (Raspberry Pi) with the software IPFire, which is open source and includes the IDS Snort, and IPFire has a simple interface for configuration. To measure how effectively the system works, the number of threats that Snort detects is measured. Measurements were also made to investigate whether the system caused performance losses in the home network. From the results, the conclusion was drawn that the system is a good complement to the security of a home network. No performance loss on the network could be established until a connection of 100 Mbit and above.
|
2 |
Bloom Filter Based Intrusion Detection for Smart Grid
Parthasarathy, Saranya 2012 May 1900
This thesis addresses the problem of local intrusion detection for SCADA (Supervisory Control and Data Acquisition) field devices in the smart grid. A methodology is proposed to detect anomalies in the communication patterns using a combination of n-gram analysis and Bloom Filter. The predictable and regular nature of the SCADA communication patterns is exploited to train the intrusion detection system. The protocol considered to test the proposed approach is MODBUS which is used for communication between a SCADA server and field devices in power system. The approach is tested for attacks like HMI compromise and Man-in-the-Middle.
Bloom Filter is chosen because of its strong space advantage over other data structures like hash tables, linked lists etc. for representing sets. The advantage comes from its probabilistic nature and compact array structure. The false positive rates are found to be minimal with careful choice of parameters for Bloom Filter design. Also the memory-efficient property of Bloom Filter makes it suitable for implementation in resource constrained SCADA components. It is also established that the knowledge of physical state of the power system i.e., normal, emergency or restorative state can help in improving the accuracy of the proposed approach.
|
3 |
The Model of Evasion Attack Detection using Finite State Machine
Su, Wen-De 09 August 2003
With electronic commerce becoming popular, many enterprises are turning their business to the Internet. Electronic commerce brings many security problems, and the key point is the data of the enterprise and the privacy of the customer. A firewall is not enough, and an IDS is needed to provide acceptable security. With network monitoring and intrusion detection techniques, we can detect attacks, alert the administrators, and write to log files. The log files can be analyzed to help prevent the same types of attacks and protect the security of the system.
Recently, some attacks have been proposed which can evade familiar IDSs such as SNORT. Such an attack can cause serious damage to the system. We analyze one of these attacks and try to propose a model which can detect it. We believe that the model is useful in IDS research.
|
4 |
Design of Efficient FPGA Circuits For Matching Complex Patterns in Network Intrusion Detection Systems
Clark, Christopher R. 03 March 2004
The objective of this research is to design and develop a reconfigurable string matching co-processor using field-programmable gate array (FPGA) technology that is capable of matching thousands of complex patterns at gigabit network rates for network intrusion detection systems (NIDS). The motivation for this work is to eliminate the most significant bottleneck in current NIDS software, which is the pattern matching process. The tasks involved with this research include designing efficient, high-performance hardware circuits for pattern matching and integrating the pattern matching co-processor with other NIDS components running on a network processor. The products of this work include a system to translate standard intrusion detection patterns to FPGA pattern matching circuits that support all the functionality required by modern NIDS. The system generates circuits efficient enough to enable the entire ruleset of a popular NIDS containing over 1,500 patterns and 17,000 characters to fit into a single low-end FPGA chip and process data at an input rate of over 800 Mb/s. The capacity and throughput both scale linearly, so larger and faster FPGA devices can be used to further increase performance. The FPGA co-processor allows the task of pattern matching to be completely offloaded from a NIDS, significantly improving the overall performance of the system.
|
5 |
Implementation and Evaluation of A Low-Cost Intrusion Detection System For Community Wireless Mesh Networks
2015 February 1900
Rural Community Wireless Mesh Networks (WMN) can be great assets to rural communities, helping them connect to the rest of their region and beyond. However, they can be a liability in terms of security. Due to the ad-hoc nature of a WMN, and the wide variety of applications and systems that can be found in such a heterogeneous environment, there are multiple points of intrusion for an attacker. An unsecured WMN can lead to privacy and legal problems for the users of the network. Due to the resource-constrained environment, traditional Intrusion Detection Systems (IDS) have not been as successful in defending these wireless network environments as they were in wired network deployments. This thesis proposes that an IDS made up of low-cost, low-power devices can be an acceptable base for a Wireless Mesh Network Intrusion Detection System. Because of the device's low power, cost and ease of use, such a device could be easily deployed and maintained in a rural setting such as a Community WMN. The proposed system was compared to a standard IDS solution that would not cover the entire network but had much more computing power, as well as higher capital and maintenance costs. By comparing the low-cost, low-power IDS to a standard deployment of an open source IDS, based on network coverage and deployment costs, a determination can be made that a low-power solution can be feasible in a rural deployment of a WMN.
|
6 |
State-of-the-art Intrusion Detection: Technology, Challenges, and Evaluation.
Peddisetty, Naga Raju January 2005
Due to the invention of automated hacking tools, hacking is not a black art anymore. Even script kiddies can launch attacks in a few seconds. Therefore, there is a great emphasis on security to protect the resources from camouflage. An Intrusion Detection System is also one weapon in the security arsenal. It is the process of monitoring and analyzing information sources in order to detect vicious traffic. With its unique capabilities like monitoring, analyzing, detecting and archiving, an IDS assists organizations to combat threats, to have a snapshot of the networks, and to conduct forensic analysis. Unfortunately, there are myriad products in the market. Selecting the right product at the right time is difficult. Due to the widespread rumors and paranoia, in this work I have presented the state-of-the-art IDS technologies, assessed the products, and evaluated them. I have also presented some of the novel challenges that IDS products are suffering. This work will be a great help for pursuing IDS technology and for deploying Intrusion Detection Systems in an organization. It also gives in-depth knowledge of the present IDS challenges.
|
7 |
Exploring Vulnerabilities in Networked Telemetry
Shonubi, Felix, Lynton, Ciara, Odumosu, Joshua, Moten, Daryl 10 1900
ITC/USA 2015 Conference Proceedings / The Fifty-First Annual International Telemetering Conference and Technical Exhibition / October 26-29, 2015 / Bally's Hotel & Convention Center, Las Vegas, NV
The implementation of Integrated Network Enhanced Telemetry (iNET) in telemetry applications provides significant enhancements to telemetry operations. Unfortunately such networking brings the potential for devastating cyber-attacks and networked telemetry is also susceptible to these attacks. This paper demonstrates a worked example of a social engineering attack carried out on a test bed network, analyzing the attack process from launch to detection. For this demonstration, a penetration-testing tool is used to launch the attack. This attack will be monitored to detect its signature using a network monitoring tool, and this signature will then be used to create a rule which will trigger an alert in an Intrusion Detection System. This work highlights the importance of network security in telemetry applications and is critical to current and future telemetry networks as cyber threats are widespread and potentially devastating.
|
8 |
Improving intrusion prevention, detection and response
Ibrahim, Tarik Mohamed Abdel-Kader January 2011
In the face of a wide range of attacks, Intrusion Detection Systems (IDS) and other Internet security tools represent potentially valuable safeguards to identify and combat the problems facing online systems. However, despite the fact that a variety of commercial and open source solutions are available across a range of operating systems and network platforms, it is notable that the deployment of IDS is often markedly less than other well-known network security countermeasures, and other tools may often be used in an ineffective manner. This thesis considers the challenges that users may face while using IDS, by conducting a web-based questionnaire to assess these challenges. The challenges that are used in the questionnaire were gathered from the well-established literature. The participants' responses vary between being for or against selecting them as challenges, but all the listed challenges were approved as being considered problems in the IDS field. The aim of the research is to propose a novel set of Human Computer Interaction-Security (HCI-S) usability criteria based on the findings of the web-based questionnaire. Moreover, these criteria were inspired by previous literature in the field of HCI. The novelty of the criteria is that they focus on the security aspects. The new criteria were promising when they were applied to Norton 360, a well-known Internet security suite. Testing the alerts issued by security software was the initial step before testing other security software. Hence, a set of security software was selected and some alerts were triggered as a result of performing a penetration test conducted within a test-bed environment using the network scanner Nmap. The findings reveal that four of the HCI-S usability criteria were not fully addressed by all of this security software.
Another aim of this thesis is to consider the development of a prototype to address the HCI-S usability criteria that seem to be overlooked in the existing security solutions. The thesis conducts a practical user trial and the findings are promising and attempt to find a proper solution to solve this problem. For instance, to take advantage of previous security decisions, it would be desirable for a system to consider the user's previous decisions on similar alerts, and modify alerts accordingly to account for the user's previous behaviour. Moreover, in order to give users a level of flexibility, it is important to enable them to make informed decisions, and to be able to recover from them if needed. It is important to address the proposed criteria that enable users to confirm / recover the impact of their decision, maintain an awareness of system status all the time, and to offer responses that match users' expectations. The outcome of the current study is a proposed set of 16 HCI-S usability criteria that can be used to design and to assess security alerts issued by any Internet security suite. These criteria are not equally important and they vary between high, medium and low.
|
9 |
Measuring efficiency of ventilator-dependent integrated respiratory care in Taiwan : An Application of Data Envelopment Analysis
Chi, Chao-Chuan 15 July 2008
According to the report of the Bureau of National Healthcare Insurance (NHI) in 1997, the total expenses on ventilator-dependent patients were about 7,100 million yuan in hospital, accounting for 3% of the cost of one year of health insurance of the whole people. To efficiently control their admission so as to decrease unsuitable utilization of mechanical ventilation, and to achieve the rational growth of medical expenditure, the NHI has developed the perspective payment system for the ventilator-dependent integrated delivery system (IDS) respiratory care program since July 1, 2000.
Ventilator-dependent patients, who are difficult to wean, rely on mechanical ventilation, using it for at least 21 days in succession. The patients are dependent upon long-term mechanical respiratory care. Integrating the different levels of respiratory care, the IDS program includes "ICU, intensive care unit", "RCC, respiratory care center", "RCW, respiratory care ward" and "home care", and pays in accordance with the level. The purpose of the IDS program is to promote the quality of respiratory care and to effectively utilize the limited medical resources.
The data for this research were retrieved from the 2002-2004 "NHI database", which includes charge and discharge information for 115 hospitals. The 115 hospitals were analyzed using the data envelopment analysis (DEA) technique to explore the whole efficiency and purely technological efficiency.
|
10 |
Ontology/Data Engineering Based Distributed Simulation Over Service Oriented Architecture For Network Behavior Analysis
Kim, Taekyu January 2008
As network uses increase rapidly and high quality-of-service (QoS) is required, efficient network managing methods become important. Many previous studies and commercial tools of network management systems such as tcpdump, Ethereal, and other applications have weaknesses: limited size of files, command line execution, and large memory and huge computational power requirement. Researchers struggle to find fast and effective analyzing methods to save maintenance budgets and recover from systematic problems caused by the rapid increment of network traffic or intrusions. The main objective of this study is to propose an approach to deal with a large amount of network behaviors being quickly and efficiently analyzed. We study an ontology/data engineering methodology based network analysis system. We design a behavior, which represents network traffic activity and network packet information such as IP addresses, protocols, and packet length, based on the System Entity Structure (SES) methodology. A significant characteristic of SES, a hierarchical tree structure, enables systems to access network packet information quickly and efficiently. Also, presenting an automated system design is the secondary purpose of this study. Our approach shows adaptive awareness of pragmatic frames (contexts) and makes a network traffic analysis system with high throughput and a fast response time that is ready to respond to user applications. We build models and run simulations to evaluate specific purposes, i.e., analyzing network protocols use, evaluating network throughput, and examining intrusion detection algorithms, based on Discrete Event System Specification (DEVS) formalism. To study speed up, we apply a web-based distributed simulation methodology. DEVS/Service Oriented Architecture (DEVS/SOA) facilitates deploying workloads into multi-servers and consequently increasing overall system performance. 
In addition to the scalability limitations, both tcpdump and Ethereal have a security issue. As well as basic network traffic information, files captured by these tools contain secure information: user identification numbers and passwords. Therefore, captured files should not be allowed to leak out. However, network analyses need to be performed outside target networks in some cases. The distributed simulation--allocating distributing models inside networks and assigning analyzing models outside networks--also allows analysis of network behaviors out of networks while keeping important information secured.
|