Intrusion Detection Systems

The purpose of an intrusion detection system (IDS) is to protect the confidentiality, integrity, and availability of a system. Intrusion detection systems (IDS) are designed to detect specific issues, and are categorized as signature-based (SIDS) or anomaly-based (AIDS). IDS can be software or hardware. How do SIDS and AIDS detect malicious activity? What is the difference between the two? What are the four IDS evasion techniques discussed, and how do they evade an IDS?

Introduction

Types of computer attacks

Cyber-attacks can be categorized based on the activities and targets of the attacker. Each attack type can be classified into one of the following four classes (Sung & Mukkamala, 2003):

  • Denial-of-Service (DoS) attacks have the objective of blocking or restricting the services that a network or computer delivers to its users.

  • Probing attacks have the objective of acquiring information about the network or the computer system.

  • User-to-Root (U2R) attacks have the objective of a non-privileged user acquiring root or administrator access on a specific computer or system on which the intruder already has user-level access.

  • Remote-to-Local (R2L) attacks involve sending packets to the victim machine. The cybercriminal learns the user's activities and obtains the privileges that a legitimate end user would have on the computer system.

Within these broad categories, there are many different forms of computer attacks. A summary of these attacks, with a brief explanation, their characteristics, and examples, is presented in Table 15.

Table 15 Classes of computer attacks

| Type of attack | Explanation | Example |
|---|---|---|
| Buffer overflow | Overruns the buffer's boundaries and overwrites the adjacent memory area. | Long URL strings are a common input (Cowan et al., 1998). |
| Worm | Reproduces itself on the local host or across the network. | SQL Slammer, Mydoom, CodeRed, Nimda. |
| Trojan | Programs that appear attractive and genuine but have malicious code embedded inside them. | Zeus, SpyEye (Alazab et al., 2013). |
| Denial of service (DoS) | A security event that disrupts network services. It is started by forcing resets on the target computers; users can no longer connect to the system because the service is unavailable. | Buffer overflow, Ping of Death (PoD), TCP SYN flood, smurf, teardrop (Zargar et al., 2013). |
| Common Gateway Interface (CGI) scripts | The attacker takes advantage of CGI scripts by sending illegitimate inputs to the web server. | Phishing email (Aljawarneh, 2016). |
| Traffic flooding | Exploits the limited capacity of a NIDS to handle very high traffic loads while still inspecting them for possible intrusions. If a cybercriminal can congest the network, the NIDS is kept busy analysing the flood. | Denial of Service (DoS) or Distributed Denial of Service (DDoS) (Zargar et al., 2013). |
| Physical attack | Aims at the physical mechanisms of the computer system. | Cold boot, evil maid (Pasqualetti et al., 2013). |
| Password attack | Aims to break the password within a short time, and is noticed as a sequence of failed logins. | Dictionary attack, rainbow-table attack (Das et al., 2014). |
| Information gathering | Gathers information or finds weaknesses in computers or networks by sniffing or searching. | System scan, port scan (Bou-Harb et al., 2014). |
| User to Root (U2R) attack | The cybercriminal starts with access as a normal user and then escalates to super-user, which may lead to the exploitation of several vulnerabilities of the system. | Intercepting packets, rainbow attack, social engineering, rootkit, load module, Perl (Raiyn, 2014). |
| Remote to Local (R2L) attack | The cybercriminal sends packets to a remote system by connecting to the network without having an account on the system. | Warezclient, ftp write, multihop, phf, spy, warezmaster, imap (Raiyn, 2014). |
| Probe | Identifies valid IP addresses by scanning the network to gather host data packets. | Sweep, portsweep (So-In et al., 2014). |
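As an added example that is not part of the original text, the following toy detectors show how the two IDS types named at the top of the page behave on the same traffic: a signature-based detector (SIDS) matches the Probe and Password attack patterns from Table 15, while an anomaly-based detector (AIDS) flags the Traffic flooding row by volume alone. The record format, thresholds and baseline counts are assumptions made for the demonstration, and all records are constructed, not captured traffic.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records (not real traffic):
# (timestamp_sec, src_ip, dst_port, login_result), login_result in {"ok", "fail", ""}.
SAMPLE = (
    [(t, "10.0.0.2", 443, "") for t in range(0, 60, 6)]            # benign background
    + [(5 * i, "10.0.0.9", 20 + i, "") for i in range(12)]        # slow port sweep (Probe)
    + [(3 + 7 * i, "10.0.0.7", 22, "fail") for i in range(8)]     # repeated failed SSH logins (Password attack)
    + [(60 + i % 5, f"10.0.1.{i}", 80, "") for i in range(20)]    # many-source flood (Traffic flooding / DoS)
)
# Constructed per-10-second connection counts observed during a known-clean period.
BASELINE = [5, 6, 4, 6, 5, 5, 4, 6, 5, 4]


def signature_alerts(records, sweep_ports=10, fail_logins=5):
    """SIDS: match known patterns. A sweep is one source touching >= sweep_ports
    distinct ports; a password attack is >= fail_logins failed logins from one
    source. Traffic with no matching signature (the flood) is not reported."""
    ports, fails = defaultdict(set), defaultdict(int)
    for _, src, port, result in records:
        ports[src].add(port)
        if result == "fail":
            fails[src] += 1
    alerts = [("probe", s) for s, p in ports.items() if len(p) >= sweep_ports]
    alerts += [("password-attack", s) for s, n in fails.items() if n >= fail_logins]
    return sorted(alerts)


def anomaly_alerts(records, baseline=BASELINE, bin_sec=10, k=3.0):
    """AIDS: count connections per bin_sec window and flag windows more than k
    standard deviations above the baseline mean. No signature is needed, so the
    flood is caught, but the slow sweep and the failed logins stay within normal
    volume and are missed; a baseline polluted with attack traffic would raise
    the threshold and hide even the flood."""
    counts = defaultdict(int)
    for ts, *_ in records:
        counts[ts // bin_sec] += 1
    threshold = mean(baseline) + k * pstdev(baseline)
    return sorted(b for b, c in counts.items() if c > threshold)


if __name__ == "__main__":
    print("SIDS:", signature_alerts(SAMPLE))  # [('password-attack', '10.0.0.7'), ('probe', '10.0.0.9')]
    print("AIDS:", anomaly_alerts(SAMPLE))    # [6]
```

Run together, the two outputs show why the survey treats SIDS and AIDS as complementary: each detector misses what the other reports.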