
A Comparative Study of Different IDS

Rajiv Gupta
Research Scholar, Department of Computer Science & Engineering, BBD University, Lucknow.
Email: rajivguptamca@gmail.com

Dr. Reena Srivastava
Dean, School of Computer Applications, BBD University, Lucknow.
Email: ureenas@gmail.com

Dr. Puneet Misra
Assistant Professor, Department of Computer Science, University of Lucknow, Lucknow-226007
Email: puneetmisra@gmail.com

Abstract:

The increase in inter-connectivity of computer networks has brought many benefits to people, but it
has also rendered networked systems vulnerable to malicious attacks from hackers. The need to
adequately secure computer systems and implement various security measures has led to the growth
of Intrusion Detection Systems (IDS). An intrusion is a set of actions aimed at compromising the
security goals, namely the integrity, confidentiality or availability of a computing or networking
resource. Intrusion Detection is the process of identifying and responding to intrusion activities. An
IDS is a system that detects and analyzes intrusion events. An IDS must have attributes such as
accuracy, adaptability and extensibility. An IDS may be classified into Host-based and Network-based
IDS. In effect, an IDS is a pattern discovering and recognizing system. A general IDS model has
components such as sensor, analyzer, manager, administrator and operator. Organizations require
flexible and adaptable intrusion detection systems to combat increasing internal and external threats.
To meet organizational objectives and requirements, intrusion detection systems must be effective.
This paper analyzes and presents a thorough comparative study of the ability of existing Intrusion
Detection Systems to detect intrusions in computer systems. Intruders, who either misuse their
assigned privileges or access the systems via the internet, pose different security threats to networks.
The conclusive analysis of this paper indicates that security can best be achieved by using multi-agent
based IDS with a Distributed Strategy.
Key Words: IDS, Host-based IDS, Network-based IDS, Multi-Agent based IDS.
Introduction:
The area of intrusion detection is central to the concept of protecting computer security from internal
and external penetration. While a number of methods can be employed to protect the data stored
within a computer system, the ability to identify instances of an attack on the computer is paramount
if an effective security mechanism is to be developed. Halme and Bauer [1] have identified intrusion
detection as one of six components in their taxonomy of anti-intrusion techniques. The first three
components, which they identified as prevention, preemption and deterrence, are primarily passive
measures which decrease the likelihood of a successful attack on a system. These components address
the policy-related issues of information security and those elements which can be incorporated into a
system with minimal effort. Examples of these include the establishment of organizational security
guidelines, security education and training, and the posting of warning notices on the initial screens
of a system.
The last three components, deflection, detection and countermeasures, are more active measures
designed to protect the critical elements of a system. Out of the six components, the accurate detection
of a system intrusion is the most critical. While additional measures may be very effective at
preventing an eventual penetration of the system, all security measures rely on the accurate
identification of an attacker prior to the employment of defensive measures. This paper analyzes and
presents a thorough comparative study of the ability of existing Intrusion Detection Systems to detect
intrusions in computer systems and networks.
Need for Effective Intrusion Detection System:
The need for an effective intrusion detection system as part of a security mechanism for computer
systems was recommended by Denning and Neumann [2]. They identified four reasons for utilizing
intrusion detection within a secure computing framework:
1. Many existing systems have security flaws which make them vulnerable, but these flaws are very
difficult to identify and eliminate for technical and economic reasons.
2. Existing systems with security flaws cannot easily be replaced by more secure systems because of
application and economic considerations.
3. The development of completely secure systems is probably impossible.
4. Even highly secure systems are vulnerable to misuse by legitimate users.
Development/Evolution of Intrusion Detection Systems:
The first major work in the area of intrusion detection was discussed by J.P. Anderson in [3].
Anderson introduced the concept that certain types of threats to the security of computer systems
could be identified through a review of the information contained in the system’s audit trail. Many
types of operating systems, particularly the various versions of UNIX, automatically create a report
which details the activity occurring on the system. Anderson identified three threats which could be
identified from a concentrated review of the audit data:
1. External Penetrations - Unauthorized users of the system.
2. Internal Penetrations - Authorized system users who utilize the system in an unauthorized
manner.
3. Misfeasors - Authorized users who misuse their access privileges.
Classification of Intrusion Detection Systems:

Figure1
Intrusion Detection Systems (IDS) are software designed for detecting, blocking and reporting
unauthorized activities in computer networks. An Intrusion Detection System (IDS) can be
categorized in two different ways: according to its data collection mechanism and according to its
attack detection technique [4].
a) Based on Data Collection Mechanism: An IDS can be categorized into three types [6] according
to the data collection method: Network based, Host based and Hybrid intrusion detection systems. A
network based intrusion detection system resides on a separate system, from which it watches the
network traffic and looks for indications of attacks that traverse that portion of the network. A host
based intrusion detection system resides on a particular host and looks for indications of attacks on
that host. A hybrid intrusion detection system combines the functionality of both network based and
host based intrusion detection systems.
i. Network Based IDS: A Network Based IDS (NIDS) exists as a software process on dedicated
hardware. The NIDS places the network interface card of the system into promiscuous mode, i.e. the
card passes all traffic on the network to the NIDS software. The traffic is then analyzed according to
a set of rules and attack signatures to determine whether it is traffic of interest. If it is, an event is
generated. Its attack recognition module uses four common techniques to recognize an attack
signature:
• Pattern, expression or byte code matching
• Frequency or threshold crossing
• Correlation of lesser events
• Statistical anomaly detection
Once an attack has been detected, the IDS response module provides a variety of options to notify,
alert and take action in response to the attack.
ii. Host-Based IDS: A HIDS exists as a software process on a system. The HIDS examines log
entries for specific information. Periodically, the HIDS process looks for new log entries and matches
them against pre-configured rules. If a log entry matches a rule, the HIDS raises an alarm. Today’s
host-based intrusion detection systems remain a powerful tool for understanding previous attacks and
determining proper methods to defeat their future application. Host-based IDS still use audit logs, but
they are much more automated, having evolved sophisticated and responsive detection techniques.
iii. Hybrid IDS: A hybrid intrusion detection system is an IDS which combines the functionality of
network based sensor technology with a host based agent that is capable of analyzing only the
network traffic addressed to the specific host where the hybrid IDS agent is installed [8].
b) Based on Detection Techniques: An intrusion detection system can be categorized into two
different forms based on its detection technique: Signature (or Misuse) based and Anomaly based
intrusion detection systems.
i. Signature or Misuse based IDS: Misuse detection attempts to model abnormal behavior, or the
signatures of known attacks. It is based on the assumption that all intrusions or attacks leave
signatures that can be detected [9,10], and any occurrence of such a signature clearly indicates system
abuse. For example, an HTTP request referring to the cmd.exe file may indicate an attack.
ii. Anomaly based IDS: An anomaly based IDS attempts to model normal behavior. Events that
violate this model are considered suspicious. For example, a normally passive public web server
attempting to open connections to a large number of addresses may be indicative of a worm infection.
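The four NIDS recognition techniques listed above and the two detection-technique examples (the cmd.exe request and the web server opening many connections) can be shown working together on a few constructed packet records. The code below is an added illustration, not part of this paper or of any IDS product; the packet fields, the signature database and the "normal" profile of outbound connections are all constructed assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed packet records standing in for frames a NIDS sensor reads from its
# promiscuous-mode interface (assumption: fields already decoded by the sensor).
PACKETS = [
    {"id": 1, "ts": 0.0, "src": "10.0.0.5", "dst": "192.0.2.10", "flags": "S", "payload": b""},
    {"id": 2, "ts": 0.2, "src": "10.0.0.5", "dst": "192.0.2.10", "flags": "PA",
     "payload": b"GET /index.html HTTP/1.1"},
    {"id": 3, "ts": 0.3, "src": "10.0.0.7", "dst": "192.0.2.10", "flags": "PA",
     "payload": b"GET /scripts/cmd.exe HTTP/1.0"},
]
# A burst of bare SYNs from one source to the web server (the TCP SYN attack pattern).
PACKETS += [{"id": 10 + i, "ts": 1.0 + i * 0.1, "src": "10.0.0.9", "dst": "192.0.2.10",
             "flags": "S", "payload": b""} for i in range(6)]
# The normally passive web server initiating connections to many different addresses.
PACKETS += [{"id": 20 + i, "ts": 5.0 + i * 0.05, "src": "192.0.2.10",
             "dst": f"198.51.100.{i}", "flags": "S", "payload": b""} for i in range(12)]

# Constructed signature database: one regular expression per known attack pattern.
SIGNATURES = {"HTTP request referring to cmd.exe": re.compile(rb"cmd\.exe", re.IGNORECASE)}

def match_signatures(packets):
    """Pattern matching: (packet id, signature name) for every payload that hits a signature."""
    return [(p["id"], name) for p in packets
            for name, rx in SIGNATURES.items() if rx.search(p["payload"])]

def syn_threshold(packets, limit=5, window=1.0):
    """Threshold crossing: (src, dst) pairs with at least `limit` bare SYNs within `window` seconds."""
    syn_times = defaultdict(list)
    for p in packets:
        if p["flags"] == "S":
            syn_times[(p["src"], p["dst"])].append(p["ts"])
    alerts = []
    for pair, times in syn_times.items():
        times.sort()
        if any(times[i] - times[i - limit + 1] <= window for i in range(limit - 1, len(times))):
            alerts.append(pair)
    return alerts

def distinct_outbound(packets, host):
    """Number of distinct addresses `host` opened connections to (SYNs it sent)."""
    return len({p["dst"] for p in packets if p["src"] == host and p["flags"] == "S"})

def outbound_anomaly(baseline_counts, observed, k=3.0):
    """Statistical anomaly detection: z-score of `observed` against the learned profile of
    distinct outbound destinations per interval. Returns (is_anomalous, z)."""
    mean = statistics.mean(baseline_counts)
    sd = statistics.pstdev(baseline_counts) or 1.0  # flat profile: avoid division by zero
    z = (observed - mean) / sd
    return z > k, z

def run_nids(packets, baseline_counts, web_server="192.0.2.10"):
    """Apply the three techniques to one capture and return the alerts each produced."""
    observed = distinct_outbound(packets, web_server)
    anomalous, z = outbound_anomaly(baseline_counts, observed)
    return {"signature": match_signatures(packets),
            "threshold": syn_threshold(packets),
            "anomaly": [(web_server, observed, round(z, 1))] if anomalous else []}

if __name__ == "__main__":
    # Constructed profile: distinct outbound destinations per interval in normal operation.
    print(run_nids(PACKETS, [1, 0, 2, 1, 0, 1]))
```

Correlation of lesser events, the fourth technique, is what `run_nids` would feed: a single source appearing in both the signature and threshold alerts is a stronger indicator than either alert alone.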
Comparative study of IDS:
In our study we compare the two broad categories of IDS, i.e. host based Intrusion Detection Systems
and network based Intrusion Detection Systems. A host based Intrusion Detection System has only
host based sensors, and a network based Intrusion Detection System has network based sensors, as
explained in Figure 2 below. As shown in Figure 2, a network based IDS sensor has two interfaces.
One of the interfaces is manageable: the IDS management console communicates with the sensor
through this management interface. The other interface of the IDS is in promiscuous (listening) mode.
This interface cannot be accessed over the network and is not manageable. The monitoring interface
is connected to the network segment which is being monitored. The sensor examines every packet that
crosses the network segment. Network based sensors apply predefined attack signatures to each frame
to identify hostile traffic. If a frame matches any signature, the sensor notifies the management
console.

[Figure 2: Deployment of IDS Sensors and Management Console in a network. The diagram shows
the components of the general IDS model (Data Source, Sensor, Analyzer, Manager, Operator and
Administrator) and the flows between them (Activity, Events, Alerts, Notifications, Response and
Security Policy).]

Host based Intrusion Detection Systems, on the other hand, work on the hosts themselves. The
host-based sensor is software running on the host being protected. It monitors the system audit and
event logs. When any of these files changes, the IDS sensor compares the new log entry with attack
signatures to see if there is a match. If a match is found, the sensor notifies the management console.
Host-based sensors do not perform any packet level analysis. Instead, they monitor system level
activities, e.g. an unauthorized user (other than the administrator) changing registry files on a
Windows NT system or changing a password on a system, or a user trying to log in at 8:00 pm
although he or she is allowed to log in only between 10:00 am and 6:00 pm. The host-based sensors
monitor these kinds of activities and, if they find any anomaly, respond with administrator alerts.
Some host based IDS check key system files and executables via checksums at regular intervals for
unexpected changes. Some products listen for port based activities and alert administrators when
specific ports are accessed.
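The host-based sensor behaviour described in this section and in the Host-Based IDS paragraph above (matching new log entries against pre-configured rules, and checking key files via checksums at intervals) can be sketched as follows. This is an added example written for this page, not code from the paper or from any HIDS product; the log entry format, the rule set and the file contents are constructed assumptions, and a real sensor would parse the operating system's own audit format and hash the files on disk.

```python
import hashlib
from datetime import datetime

# Constructed audit-log entries in a simplified structured form (assumption: a real
# sensor would parse the OS's own log format, e.g. Windows event logs or UNIX audit trails).
LOG_ENTRIES = [
    {"ts": "2024-05-01T11:05:00", "user": "alice", "event": "login"},
    {"ts": "2024-05-01T20:00:00", "user": "bob", "event": "login"},            # 8:00 pm
    {"ts": "2024-05-01T12:30:00", "user": "carol", "event": "registry_change"},
    {"ts": "2024-05-01T12:31:00", "user": "administrator", "event": "registry_change"},
]

# Pre-configured rules: the 10:00 am to 6:00 pm login window used in the text, and
# registry changes that only the administrator account should perform.
ALLOWED_LOGIN_HOURS = (10, 18)
PRIVILEGED_EVENTS = {"registry_change"}
ADMIN_USERS = {"administrator"}

def check_log_entry(entry):
    """Match one new log entry against the rules; return the names of the rules that fire."""
    fired = []
    hour = datetime.fromisoformat(entry["ts"]).hour
    start, end = ALLOWED_LOGIN_HOURS
    if entry["event"] == "login" and not (start <= hour < end):
        fired.append("login outside permitted hours")
    if entry["event"] in PRIVILEGED_EVENTS and entry["user"] not in ADMIN_USERS:
        fired.append("privileged change by non-administrator")
    return fired

def check_log(entries):
    """Process a batch of new entries, as the sensor does on each log-change notification or poll."""
    return [(e["user"], rule) for e in entries for rule in check_log_entry(e)]

def checksum(data):
    return hashlib.sha256(data).hexdigest()

def build_baseline(files):
    """Record a checksum for every key system file (path -> hex digest)."""
    return {path: checksum(content) for path, content in files.items()}

def verify_integrity(baseline, current):
    """Periodic check of key files against the baseline: changed, missing and new files."""
    return {
        "changed": sorted(p for p in baseline if p in current and checksum(current[p]) != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

# Constructed file contents stand in for bytes read from disk at two different intervals.
BASELINE_FILES = {"/bin/ls": b"ls-contents-v1", "/etc/passwd": b"root:x:0:0", "/sbin/init": b"init-v1"}
CURRENT_FILES = {"/bin/ls": b"ls-contents-modified", "/etc/passwd": b"root:x:0:0", "/opt/newtool": b"new"}

if __name__ == "__main__":
    print(check_log(LOG_ENTRIES))
    print(verify_integrity(build_baseline(BASELINE_FILES), CURRENT_FILES))
```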
Network based and Host based Intrusion detection systems have their own advantages and
disadvantages. These are discussed below:
Advantages of Network based Intrusion Detection Systems:
1. Lower Cost of Ownership: A network based IDS can be deployed per network segment. The IDS
monitors network traffic destined for all the systems in that segment. This removes the requirement
to load software on each host in the segment and reduces management overhead, as there is no need
to maintain sensor software at the host level.
2. Easier to deploy: Network based IDS are easier to deploy, as they do not affect existing systems
or infrastructure. Network based IDS are operating system independent: a network based IDS sensor
will listen for all attacks on a network segment regardless of the operating system the target host is
running.
3. Detect network based attacks: Network based IDS sensors can detect attacks which host based
sensors fail to detect. A network based IDS checks all packet headers for signs of malicious activity.
Many IP-based denial-of-service attacks, such as the TCP SYN attack and fragmented packet attacks,
can be identified only by looking at the packet headers as they travel across the network. A network
based IDS sensor can quickly detect this type of attack by looking at the contents of the packets in
real time.
4. Retaining evidence: Network based IDS use live network traffic and perform real time intrusion
detection. Therefore, the attacker cannot remove the evidence of the attack, and this data can be used
for forensic analysis. A host based sensor, on the other hand, detects attacks by looking at the system
log files, and many hackers are capable of altering log files to remove any evidence of an attack.
5. Real Time detection and quick response: Network based IDS monitor traffic in real time, so they
can detect malicious activity as it occurs. Depending on how the sensor is configured, such attacks can
be stopped even before they reach a host and compromise the system. Host based systems, on the
other hand, detect attacks by looking at changes made to system files, by which time critical systems
may already have been compromised.
6. Detection of failed attacks: A network based IDS sensor deployed outside the firewall can detect
malicious attacks on resources behind the firewall, even though the firewall may be rejecting these
attempts. This information can be very useful for forensic analysis. Host based sensors do not see
rejected attacks that never reach a host inside the firewall.
Advantages of Host based Intrusion Detection Systems:
1. Verifies success or failure of an attack: Since a host based IDS uses system logs containing events
that have actually occurred, it can determine whether an attack occurred with greater accuracy and
fewer false positives than a network based system. Network based IDS sensors, although quicker in
response than host based sensors, generate many false positives because they detect suspicious
packets in real time, and some of these packets could be from a trusted host.
2. Monitors System Activities: A host based IDS sensor monitors user and file access activity,
including file accesses, changes to file permissions, attempts to install new executables, etc. A host
based IDS sensor can also monitor all user logon and logoff activities, user activities while connected
to the network, file system changes, and activities that are normally executed only by an
administrator. Operating systems log any event where user accounts are added, deleted or modified,
and the host based IDS can detect an improper change as soon as it is executed. A network based
system cannot give such detailed information about system activities.
3. Detects attacks that a network based IDS fails to detect: Host based systems can detect attacks
that network based IDS sensors fail to detect. For example, if an unauthorized user makes changes to
system files from the system console, this kind of attack goes unnoticed by the network sensors. So,
host based sensors can be very useful in protecting hosts from malicious internal users in addition to
protecting systems from external users.
4. Near real time detection and response: Although a host based IDS does not offer true real time
response, it can come extremely close if implemented correctly. Unlike older systems, which use a
process to check the status and content of log files at predefined intervals, many current host based
systems receive an interrupt from the operating system when there is a new log file entry. This new
entry can be processed immediately, significantly reducing the time between attack recognition and
response.
5. Does not require additional hardware: Host based intrusion detection sensors reside on the host
systems, so they do not require any additional hardware for deployment, thus reducing the cost of
deployment.
6. Lower entry cost: Host based IDS sensors are far cheaper than network based IDS sensors.

Comparison table: Network based Intrusion Detection Systems (NIDS) versus Host based Intrusion
Detection Systems (HIDS)

NIDS: Resides on the computer or application connected to a part of an organization’s network and
monitors network traffic on that segment, looking for indications of ongoing or successful attacks.
HIDS: Resides on a particular computer or server, known as the host, and monitors activity only on
that system, looking for any malicious program running.

NIDS: Types of NIDS include Snort, Cisco NIDS and Netprowler.
HIDS: Types of HIDS include Tripwire, Cisco HIDS and Symantec ESM.

NIDS: Uses a monitoring port when placed next to a networking device like a hub or switch; the port
views all the traffic passing through the device.
HIDS: Capable of monitoring system configuration databases, such as Windows registries, and stored
configuration files like .ini, .cfg and .dat files.

NIDS: Works on the principle of signature matching, i.e. comparing attack patterns to known
signatures in its database.
HIDS: Works on the principle of configuration and change management. An alert is triggered when
file attributes change, new files are created or existing files are deleted.

NIDS: Suitable for medium to large scale organizations because of the volume of data and resources
involved, so many smaller companies are hesitant to deploy NIDS.
HIDS: Generally, most HIDS have a common architecture, i.e. most host systems work as host agents
reporting to a central console.

Advantages:
NIDS: Large networks can be monitored by deploying a few devices with a good network design.
Ongoing network operations are not disrupted by deploying NIDS, since they are passive devices.
NIDS are not susceptible to direct attack and may not be detectable by attackers.
HIDS: Attacks that elude NIDS, and local events, can be detected by HIDS. HIDS functions on the
host system, where encrypted traffic will be decrypted and available for processing. The use of a
switched network does not affect a HIDS. HIDS can detect inconsistencies in the application.

Disadvantages:
NIDS: May fail to recognize attacks when network volume becomes overwhelming. Since many
switches have limited or no monitoring port capability, some networks are not capable of providing
all the data for analysis by a NIDS. Cannot analyze encrypted packets, making some of the traffic
invisible to the process and reducing the effectiveness of NIDS. Attacks involving fragmented or
malformed packets cannot easily be detected.
HIDS: More management effort is required to install, configure and manage HIDS. Both direct
attacks and attacks against the host operating system result in compromise and/or loss of functionality
of the HIDS. HIDS is susceptible to some DoS attacks. Host OS audit logs occupy large amounts of
disk space and disk capacity needs to be added, which may reduce system performance. HIDS cannot
scan or detect multi-host and non-host network devices.

Conclusion:
This paper has made an attempt to compare the two broad categories of IDS, i.e. host based Intrusion
Detection Systems and network based Intrusion Detection Systems, explaining the two types broadly,
outlining their strengths and weaknesses, and presenting a comparison table. Both have the same goal,
but they approach it in very different ways. The host based systems do offer an approach that scales
better, but implementing this type of intrusion detection system requires a high degree of expertise
about the operating system that the sensors will run on. Also, the lack of cross-platform support is a
considerable problem. On the other hand, network based solutions are more portable and easier to
implement, but have the growing problem that they cannot keep up with heavy traffic or with high
network speeds. So, the multi-agent based IDS with a Distributed Strategy is the need of the hour,
and this is where we are concentrating our research.

References:

[1] Halme, L.R. & Bauer, R.K. (1995). AINT Misbehaving: A Taxonomy of Anti-Intrusion
Techniques. Proceedings of the 18th National Information Systems Security Conference, Baltimore,
MD.
[2] Neumann, P.G. (1985). Audit Trail Analysis and Usage Collection and Processing. Technical
Report Project 5910, SRI International.
[3] Anderson, J.P. (April 1980). Computer Security Threat Monitoring and Surveillance. Technical
Report, J.P. Anderson Company, Fort Washington, Pennsylvania.
[4] Menaria, S., Valiveti, S. & Kotecha, K. (2010). Comparative study of Distributed Intrusion
Detection in Ad-hoc Networks.
[5] http://secinf.net/info/ids/nvh_ids/
[6] Sharma, M. & Anuradha (2011). Network Intrusion Detection System for Denial of Service
Attack based on Misuse Detection.
[7] www.sans.org
[8] Sobh, T.S. (2006). Wired and wireless intrusion detection system: Classifications, good
characteristics and state-of-the-art. Computer Standards & Interfaces, 28, pp. 670-694, ScienceDirect.
[9] Neumann, P.G. & Porras, P.A. (1999). Experience with EMERALD to date. Proc. Workshop on
Intrusion Detection and Network Monitoring, Santa Clara, CA, Apr. 1999.
[10] Madge (2005). Wireless Intrusion Detection System (IDS) evolve to 3rd generation proactive
protection systems. Retrieved Apr. 06, 2006, from http://www.telecomweb.com/readingroom/Wi
