by January 5, 2004 0 comments

Despite the escalating awareness about the need for computer security, it is estimated that over 90% of corporate networks are vulnerable to intrusions and other forms of cyber-attacks. This makes it imperative to deploy tools such as IDS (Intrusion Detection Systems) to secure a computer network. But, you must note that an IDS alone may be quite incapable of handling all security threats.

In this article, we will focus on the design and architecture issues to be considered when implementing SIDS (Signature-based IDS). 

Design issues
The design of an IDS is intertwined with what you want it to achieve. The primary goals of any SIDS are: filtering of data packet header and packet content, logging of alerts and suspicious traffic, resourceful signature management, provision of user friendly graphical and user interface tools to work on IDS. Looking at the goals desired, the most important design issues are briefly discussed below.

Basic intrusion detection: The intrusion-detection operation can be filtering on packet header or filtering on packet content. For filtering on packet header, a SIDS should be programmed to look into the header of each incoming packet, whatever be the underlying protocol used on the network. Important fields to be parsed are flags value, sequence number, acknowledgement number, source and destination IP addresses, source and destination port numbers, etc as applicable for matches against any signature aiding in the detection of a possible attack

For filtering on packet content the header of a data packet is followed by the ‘data’ or the ‘payload’ that consists of the actual information being transmitted from the source to the destination. The content stored against the ‘content’ field from the signatures is extracted and is pattern-matched with the incoming packet payload for a possible match.

Intrusion-detection engine: Each packet through the network is scanned by the IDS’s core ‘engine’ against hundreds or thousands of signatures stored within it for presence of any malicious activity. The design of this engine must be such that it provides for speedy performance and also greater efficiency.

Resourceful signature management: Attack signatures keep changing on the hour or even faster, so it is essential that a SIDS keep itself up to date without a stop in its execution within its operational environment. 

Logging of alerts and traffic: Traffic through the network often generates alerts caused by matches with the signatures being used to detect malicious or suspicious activities. These alerts are required to be saved often along with the traffic associated with them so that the saved material may be used by other tools to carry out investigations or even research into the mechanism of the attack.

A sophisticated GUI: Since the IDS deals with vast volumes of data during its operations, it is essential for it to be easy to use. In current scenarios where in graphical-based computing are present virtually everywhere, the IDS must employ an easily understandable GUI. Display of its features such as data gathering, alert generation and transaction logging must be easily evident to even non-computer savvy users.

A SIDS typically addresses all the above architectural design issues to varying degrees based on the operational environment it is to be put to use in. A generic SIDS has the following architecture. The intrusion-detection engine consists of a the following modules; a packet handler, a signature substantiation and matching module along with alerting and logging division components. The packet handler module procures every packet transmitted through the network, extracts the relevant fields of these packets and stores them for later examination. Rules files store the various attack patterns or signatures along with the protocols used. The signature substantiation and matching module performs the crucial act of pattern matching the packet header and payload with the fields extracted from the rules. The alert and logging module performs the alert generation required when suspicious traffic triggers a match on a signature being used in the intrusion detection systems signature rules collection. 

N Sumanth,Wipro Technologies M Manu, MindTree Consulting Dr B
, Wipro Technologies

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.