
Title: Intrusion Detection Tolerance Prevention System

Objective:

The objective of this project is to ensure the safety and security of systems and servers
connected to the network. Vulnerabilities are exploited by hackers and intruders (external and
internal), and threats, intentional and non-intentional, come from users both inside and
outside the organization. With the help of an Intrusion Detection Tolerance Prevention System,
we may be able to ensure the security and safety of the system at all levels.

Scope:

In this project, the focus is on the various mechanisms and processes used to identify
different kinds of intruders, and on the prevention mechanisms to be adopted accordingly to
assure safety and security. The following aspects are to be developed:

A. Intrusion Detection System.
B. Intrusion Prevention System.
C. Intrusion Tolerance System.

Motivation:

Attacks are the result of vulnerabilities, which are faults in the requirements, specification,
design, implementation and/or configuration of a system. A successful attacker is said to be
an intruder, and a successful attack results in an intrusion: unauthorized attempts to access,
modify or destroy information in a system, and/or to render the system unreliable or unusable.
An intrusion in one mechanism can in turn introduce a vulnerability in other parts of the
system that depend on that mechanism, allowing the original attack that caused the intrusion
to propagate further into the system until the system becomes unusable. Because of these
kinds of threats, and the vulnerabilities that intrusions create, I became interested in the
security and safety of the system.

Brief Description:

Note: Here IDTPS is an abbreviation used for Intrusion Detection Tolerance Prevention
System.

An Intrusion Detection System (abbreviated as IDS) is a defence system, which detects
hostile activities in a network. The key is then to detect and possibly prevent activities that
may compromise system security, or a hacking attempt in progress, including
reconnaissance/data collection phases that involve, for example, port scans. One key feature
of intrusion detection systems is their ability to provide a view of unusual activity and issue
alerts notifying administrators and/or block a suspected connection. According to Amoroso
[1], intrusion detection is "a process of identifying and responding to malicious activity
targeted at computing and networking resources". In addition, IDTPS tools are capable of
distinguishing between insider attacks originating from inside the organization (coming from
its own employees or customers) and external ones (attacks and threats posed by hackers).

Intrusion detection functions include:

 Monitoring and analyzing both user and system activities
 Analyzing system configurations and vulnerabilities
 Assessing system and file integrity
 Ability to recognize patterns typical of attacks
 Analysis of abnormal activity patterns
 Tracking user policy violations

Typically, an Intrusion Detection Tolerance Prevention System follows a two-step process.
The first procedures are host-based and are considered the passive component; these include
inspection of the system's configuration files to detect inadvisable settings, inspection of the
password files to detect inadvisable passwords, and inspection of other system areas to detect
policy violations. The second procedures are network-based and are considered the active
component: mechanisms are set in place to re-enact known methods of attack and to record
system responses.

A signature-based Intrusion Detection Tolerance Prevention System is actually quite simple in
functionality. The system maintains a database of signatures, which correspond to known
attacks. The tool then monitors all network traffic, looking for anything that matches those
signatures. The true art of intrusion detection lies in creating, maintaining and tuning the
signature database over time.
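As an added illustration, not part of the original proposal, the following Python sketch shows the signature-based loop just described: a small constructed signature database, constructed web-server log lines standing in for monitored traffic, the basic alert record a notification would carry, and the set of source addresses an active response would consider blocking. Signature ids, patterns and addresses are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed signature database (hypothetical ids): each entry is a pattern for
# one known attack. Maintaining and tuning this list is the real work.
SIGNATURES = [
    {"id": "SIG-001", "name": "SQL injection in request", "severity": "high",
     "pattern": r"(?i)(union\s+select|\bor\s+1=1|'\s*--)"},
    {"id": "SIG-002", "name": "Directory traversal", "severity": "high",
     "pattern": r"(\.\./){2,}"},
    {"id": "SIG-003", "name": "Scanner user agent", "severity": "medium",
     "pattern": r"(?i)nmap"},
]
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed web-server access log lines standing in for monitored traffic.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02] "GET /index.html HTTP/1.1" 200',
    '203.0.113.9 - - [12/Mar/2024:10:01:05] "GET /login?u=admin\' OR 1=1-- HTTP/1.1" 200',
    '203.0.113.9 - - [12/Mar/2024:10:01:07] "GET /../../etc/passwd HTTP/1.1" 404',
    '198.51.100.4 - - [12/Mar/2024:10:02:00] "GET / HTTP/1.1" 200 "Nmap Scripting Engine"',
]

@dataclass
class Alert:
    """The basic information a notification carries; the detail stays in the IDTPS."""
    signature_id: str
    name: str
    severity: str
    line_no: int
    source_ip: str

def compile_signatures(signatures):
    return [(sig, re.compile(sig["pattern"])) for sig in signatures]

def scan(lines, compiled):
    """Match every line against every signature; one alert per (line, signature) hit."""
    alerts = []
    for line_no, line in enumerate(lines, start=1):
        m = IP_RE.match(line)
        src = m.group(1) if m else "unknown"
        for sig, rx in compiled:
            if rx.search(line):
                alerts.append(Alert(sig["id"], sig["name"], sig["severity"], line_no, src))
    return alerts

def block_candidates(alerts, min_severity="high"):
    """Input for an active response: source IPs whose alerts reach min_severity."""
    floor = SEVERITY_RANK[min_severity]
    return {a.source_ip for a in alerts if SEVERITY_RANK[a.severity] >= floor}
```

Tuning shows up immediately: lowering `min_severity` to "medium" adds the scanner's address to the block set, which is the kind of policy decision the text says must be revisited over time.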

The Intrusion Detection Tolerance Prevention System typically performs the following
functions:

 Recording information related to observed events: Information is usually recorded
locally, and might also be sent to separate systems such as centralized logging servers,
security information and event management (SIEM) solutions, and enterprise
management systems.
 Notifying security administrators of important observed events: This notification,
known as an alert, occurs through any of several methods, including the following:
e-mails, pages, messages on the IDTPS user interface, Simple Network Management
Protocol (SNMP) traps, system log messages, and user-defined programs and scripts.
A notification message typically includes only basic information regarding an event;
administrators need to access the IDTPS for additional information.
 Producing reports: Reports summarize the monitored events or provide details on
particular events of interest.
 Some IDTPSs are also able to change their security profile when a new threat is
detected. For example, an IDTPS might be able to collect more detailed information
for a particular session after malicious activity is detected within that session.
 An IDTPS might also alter the settings for when certain alerts are triggered or what
priority should be assigned to subsequent alerts after a particular threat is detected.

Other functions of an Intrusion Detection Tolerance Prevention System are:

 Terminate the network connection or user session that is being used for the attack.
 Block access to the target (or possibly other likely targets) from the offending user
account, IP address, or other attacker attribute, or block all access to the targeted
host, service, application, or other resource.
 The IDTPS changes the security environment. The IDTPS could change the
configuration of other security controls to disrupt an attack. Common examples are
reconfiguring a network device (e.g., firewall, router, switch) to block access from the
attacker or to the target, and altering a host-based firewall on a target to block
incoming attacks. Some IDTPSs can even cause patches to be applied to a host if the
IDTPS detects that the host has vulnerabilities.
 The IDTPS changes the attack's content. Some IDTPS technologies can remove or
replace malicious portions of an attack to make it benign. A simple example is an
IDTPS removing an infected file attachment from an e-mail and then permitting the
cleaned e-mail to reach its recipient.
 A more complex example is an IDTPS that acts as a proxy and normalizes incoming
requests, which means that the proxy repackages the payloads of the requests,
discarding header information. This might cause certain attacks to be discarded as
part of the normalization process.

Building the framework of our monitoring strategy:

The framework of our network intrusion monitoring strategy is based upon determining
which parts of the infrastructure will be monitored, what monitoring techniques will be used
and the frequency of data collection.

Which facets of the infrastructure should be monitored:

Each organization should identify the devices, applications and processes specific to the
system they want to monitor. Facets of the network that should be evaluated include:

 Network, system and application logs
 System processes
 Utilization of networks, CPUs and disks
 Configuration of network devices, operating systems and applications
 Vulnerability of networks and devices

Logs can be derived from:

 Network devices: router ACL logs, firewalls, VPN servers, load balancing
servers, remote access servers, authentication servers
 Operating systems: Unix system logging, Linux
 Applications: web servers, directory servers, application servers, EIS applications,
database and mail servers

There are a number of network components that could be monitored periodically to get
advance notice of suspicious activity:

 Processes on critical servers: check for the availability of critical processes and scan
the process table for unknown processes. Verify the count of processes on a system
against an average threshold. A significant difference could indicate an intrusion.
 Configuration: create integrity hashes for all network, system, and application
configuration files and periodically check them.
 Utilization: check CPU, disk, and network utilization for unusual patterns, including
high usage at odd times.
 Site-specific components: identify anomalies against the regular usage patterns.

Components:

This section describes the major components of an IDTPS.

Typical Components:

The typical components in an IDTPS are as follows:

 Sensor or Agent: Sensors and agents monitor and analyze activity. The term sensor
is typically used for IDTPSs that monitor networks, including network-based,
wireless, and network behaviour analysis technologies. The term agent is typically
used for host-based IDTPS technologies.
 Management Server: A management server is a centralized device that receives
information from the sensors or agents and manages them. Some management servers
perform analysis on the event information that the sensors or agents provide and can
identify events that the individual sensors or agents cannot. Matching event
information from multiple sensors or agents, such as finding events triggered by the
same IP address, is known as correlation. Management servers are available as both
appliance and software-only products. Some small IDTPS deployments do not use
any management servers, but most IDTPS deployments do. In larger IDTPS
deployments, there are often multiple management servers, and in some cases there
are two tiers of management servers.
 Database Server: A database server is a repository for event information recorded by
sensors, agents, and/or management servers. IDTPSs provide support for database
servers.
 Console: A console is a program that provides an interface for the IDTPS's users and
administrators. Console software is typically installed onto standard desktop or laptop
computers. Some consoles are used for IDTPS administration only, such as
configuring sensors or agents and applying software updates, while other consoles are
used strictly for monitoring and analysis. Some IDTPS consoles provide both
administration and monitoring capabilities.
 Monitor Server: When and how often to monitor for intrusions is a critical aspect of
our security policy. The frequency of monitoring activity is often related to data
archiving and storage capabilities. The quantity of data to be collected and stored, and
for how long, is dependent upon the storage capacity of the security system's database.
Intrusion detection experts predict that long-term data storage will continue to be a
critical issue in successful intrusion detection.
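The correlation step described for the management server, as an added example that is not the project's own code: each sensor sees too few failed logins from one address to alert on its own, but pooling the events by source IP across sensors crosses the threshold. Sensor names, addresses and timestamps are constructed, and every event is taken to be an authentication failure.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication-failure events as three sensors/agents would forward
# them to the management server (sensor names, IPs and times are made up).
EVENTS = [
    {"sensor": "net-sensor-1", "src_ip": "203.0.113.9", "ts": "2024-03-12T10:00:00"},
    {"sensor": "net-sensor-1", "src_ip": "203.0.113.9", "ts": "2024-03-12T10:00:20"},
    {"sensor": "host-agent-web1", "src_ip": "203.0.113.9", "ts": "2024-03-12T10:00:35"},
    {"sensor": "host-agent-db1", "src_ip": "203.0.113.9", "ts": "2024-03-12T10:01:10"},
    {"sensor": "net-sensor-2", "src_ip": "198.51.100.4", "ts": "2024-03-12T10:00:05"},
    {"sensor": "host-agent-web1", "src_ip": "198.51.100.4", "ts": "2024-03-12T11:30:00"},
]

def per_sensor_alerts(events, threshold=3):
    """What each sensor would raise alone: failures counted per (sensor, source IP)."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["sensor"], e["src_ip"])] += 1
    return {key for key, n in counts.items() if n >= threshold}

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Management-server view: pool all sensors' events by source IP and raise an
    incident when at least `threshold` of them fall inside one sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["sensor"]))
    incidents = {}
    for ip, items in by_ip.items():
        items.sort()  # oldest first, so each start point opens one window
        for i, (start, _) in enumerate(items):
            in_window = [sensor for ts, sensor in items[i:] if ts - start <= window]
            if len(in_window) >= threshold:
                incidents[ip] = {"events": len(in_window), "sensors": sorted(set(in_window))}
                break
    return incidents
```

The second address is seen by two sensors but 90 minutes apart, so the window keeps it out of the incident list; the window size is as much a tuning knob as the threshold.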

Techniques to be used:

There are three techniques to consider in determining when and how often our security
activity will be monitored: proactive monitoring, near real-time monitoring and audit trail
analysis. Proactive monitoring prevents potential damage to protected assets by taking
appropriate action before an intrusion occurs. Based on predictive analysis, this technology is
still evolving and has yet to stabilize.
Using near real-time monitoring, intrusion activity can be tracked in real time and decisions
can be made quickly to avoid potential damage to protected assets. Automated responses can
be taken based on attack profiling, which has been developed over a period of time. Audit
trail analysis can be helpful in assessing damage that may have been done to protected assets.
It is also used to track the activity of an intruder and gather a footprint that may be used in
prosecution. This type of historical analysis is also useful in revising organizational security
policies and procedures.

Integrity of Our Intrusion Monitoring System

Whichever techniques, tools and devices we decide to utilize in structuring our intrusion
monitoring system, it is essential to establish procedures to periodically revalidate the
integrity of our systems and data.

 Network devices: keep the devices current with respect to the vendor's software and
firmware releases.
 Servers and workstations: install the latest OS patches and run OS hardening tools.
 File systems, databases and other sensitive data: use tools such as Tripwire to create
integrity-checking cryptographic hashes and periodically scan for known Trojans.
 Intrusion detection systems: these systems, especially, should always be running the
current stable release and be set up in highly available, scalable and secure
configurations to fight off penetration and denial-of-service attacks.
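Added example, not from the proposal, for the integrity-hash checks named in the monitoring list above and in the Tripwire-style item here: a SHA-256 baseline of configuration files is compared against a later snapshot to report modified, added and removed files. Paths and contents are constructed; `snapshot_dir` is an assumed helper for reading a real directory tree.

```python
import hashlib
import os

def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(files: dict) -> dict:
    """Map each path to the SHA-256 of its contents: the integrity hash."""
    return {path: hash_bytes(content) for path, content in files.items()}

def snapshot_dir(root: str) -> dict:
    """Assumed helper: read every regular file under root into memory."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files

def verify(baseline: dict, current_files: dict) -> dict:
    """Compare a fresh snapshot against the stored baseline."""
    current = build_baseline(current_files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

# Constructed sample: configuration files as they were when the baseline was taken...
BASELINE_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/hosts.allow": b"sshd: 10.0.0.0/8\n",
    "etc/crontab": b"0 3 * * * root /usr/local/bin/backup.sh\n",
}
# ...and as found on the next periodic scan: one edited, one new, one gone.
CURRENT_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "etc/crontab": b"0 3 * * * root /usr/local/bin/backup.sh\n",
    "etc/cron.d/newjob": b"0 4 * * * root /usr/local/bin/report.sh\n",
}
BASELINE = build_baseline(BASELINE_FILES)

if __name__ == "__main__":
    for kind, paths in verify(BASELINE, CURRENT_FILES).items():
        print(f"{kind}: {paths}")
```

Store the baseline where the monitored host cannot rewrite it (offline or on the management server); otherwise whoever alters a file can also alter its recorded hash.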

Hardware Platform and Software tools to be used:

 Intel x86-based platform
 Operating System: Linux
 Database Tools: SQL Server
 Language: Python

Software engineering concepts will be applied as follows:

 SRS
 Design and Implementation
 Testing and Verification
