Cyber Intrusion Analysis: Intrusion Detection Systems Research Paper

The Relationship Between Computer Forensics and IDS

Computer forensics is a “discipline that combines some elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law” (Casey, 2000, p. 23). One of the tools used in the acquisition of this data is Intrusion Detection Systems (IDS). Intrusion detection refers to the process of “discovering or determining the existence, presence, or fact of the wrongful entering upon seizing or taking possession of the property of another” (Bace, 1998, p. 28). In a forensics survey, some of the facts include the log files, which provide evidence of “…the number of times, as well as the specific time and duration” (Bace, 1998, p. 28). The exists a significant relationship between computer forensics and IDS.

Whereas computer forensics refers to the entire investigation process that is necessary upon the discovery of the commission of a computer crime, IDS are just a piece of this investigation puzzle. In this age of globalization and revolutionized computers, an organization or corporation must equip itself just in case. A wise move would be to apply a multilayered security plan to secure one’s network or systems. IDS form just one of the necessary components of such a system. In computer forensics, IDS tools and technologies play a critical role in obtaining information on who logged into the system, when and why (Chau, 2008, p. 55). They also serve to gauge the time and nature of an attack or threat, as well as the source of the attack. However, for an IDS tool to show the source and or the exact point of initiation of an attack, there is a need to use the contribution of other applications and files together.

Case study

The server for Sun Solaris provides a real example of the above expositions where IDS contributed to a forensic investigation based on the then evident compromise. It is on a “production network using an exploit for the dtspcd service in CDE; a Motif-based graphical user environment for Unix systems” (Neville, 2011, p. 2). The forensic investigation aimed at establishing who the attacker was and what he/she wanted in the system. Of fastidious interest is the tool used to develop “dtspcd ‘buffer overflow vulnerability’, which must have allowed the attacker a remote access into the system” (Kelly, 2006, p. 57). The security engineer used a Snort dual detaining file to carry out a close examination of all IDS catches. The investigation was only half-successful but even then, not to the finer details. The engineer deciphered up to what commands the attacker had used to hack in through a backdoor. He was not able to determine who the hacker was although he determined what file he had taken from the system. The reason for this is the signature-based system that IDSs use. This prevents investigations from knowing or figuring out attacks with patterns not predetermined by the IDS. It is also because of the current limitations encountered when extracting information from the crime scene, which limits the investigator to carry the system and application log files. This makes it necessary to store logs remotely for follow-up investigations (Kruse, & Heiser, 1995, p. 34).

This includes the use of photographs. Data forensics is becoming increasingly important especially with the advent of mobile technology. More than ever, there are more sources of information, which one can use as sources of evidence in a criminal case. Mobile devices include thumb drives, USB drives, memory sticks, portable flash drives, portable externally enclosed hard drives, cellular or mobile phones, portable Digital / Data Assistants (PDAs), and smartphones (Mell, & McLarnon, 2001, p. 31). These devices are often available in most crime scenes, be they technical, non-technical, or violent. They are instrumental, acting as evidence sources in the form of the information they contain in call histories, contact lists, texts, photos, videos, and even ringtones. From the names on the call history and the contact lists, one can easily identify the accomplices in a crime with the correct warrant together with the taped conversations carried out during phone calls (Hartmanis, 1999, p. 15). Mobile phones are gaining a lot of popularity globally especially in Asia, India, and Africa. The Global subscriptions in 2007 were 3.3billion, half the world’s populace. In the United States alone, there were more than 243 wireless networks in operation. These devices serve much in intercepting criminal activities, tracking and tracing criminals as well as deciphering information. Data forensics is therefore undergoing a revolution in the not-so-distant future. In fact, it is already widening its scope to get abreast with the new technologies.

Daemonlogger, OfficeCat, and PE Sig add-ons

There exist a variety of add-on tools including Daemonlogger, which is a packet logger and soft tap. It assesses packets for intrusion signatures as well as makes logs on the packet information. It automatically restarts logging after the input of 2GB of data. It also “…acts as a soft tap by rewriting the packets it analyzes onto a second interface” (Bace, 1998, p. 25). However, these two tasks are mutually exclusive and cannot run simultaneously thus making it less efficient, as it cannot multitask. Another add-on tool is OfficeCat, which is a command-line developed by the Sourcefire Vulnerability Research Team. This application enables a user to analyze Microsoft Office Documents while scouting for potential exploit conditions in the file. It has a wide application in Windows and Linux. The final add-on I chose is PE Sig, which produces “ClamAV signatures for portable executable files” (Bace, 1998, p. 21).

In so doing, it upgrades the protection against viruses and sometimes worms. It comes in handy when researchers want to determine whether a file is a malware or whether there is a need to write a signature for it or not. It reduces the risk of false positives. Out of the three, the tool that I find most useful is PE Sig because it, not only identifies malware but also writes and or develops signatures where a developer did not use ClamAV thus making it difficult to identify a virus in the application, as most viruses disguise themselves under PE packer. The existent forces in intrusion detection are leaning towards being forensically acceptable in terms of the information collected. Therefore, most ‘intrusion detection system developers will probably lean towards digital forensic tools. They will strive to align their tools to the federal standards required for information to be admissible as evidence in a court of law.

The other force in the intrusion detection world is the pressure exerted on legislators to allow public and private corporations and organizations to utilize IDSs and IPSs. The result is that legislators are making more and more reforms to allow that to happen. Consequently, there is bound to be an increase in the demand for these tools and technologies that translates to competition among developers and ultimately ingenuity in the invention of tools to stand apart from the crowd. However, this demand may also have some negative consequences in that poorer quality will result based on the rush to produce more. In the case of the three snort tools, it suffices to predict the possibility of the Daemonlogger’s packet logging and soft tapping features becoming mutually inclusive (Mell, & McLarnon, 2001, p.29). This can result in a pronounced efficiency and usefulness of the tool. It may also increase the capacity of the information it can store or log in before turning over the disk. Introducing features that can process documents from other programmers as well and not just Microsoft (Chau, 2008, p. 67) may improve OfficeCat.

It may also undergo some improvement to enable it to handle vulnerabilities as well so that it can protect the user better than before. Presently, it only deals with exploitable conditions. In addition to this, one can also program it makes it able to analyze the patterns in the programs that it is bound to protect. PE Sig is already very good, as it enables users to generate signatures where none had existed before (Bace, 1998, p. 25). However, one can also make it handle all types of attacks and their symptoms and effects, leave alone the viruses transmitted through executable programs. Maybe in the future, it might incorporate Trojan horses, viruses, and malicious codes among other threats. With this analysis, the new security guru would remain PE Sig. In addition to identifying unmarked viruses, it will be able to identify all other unmarked threats as well. Hence, the rate of false positives and false negatives will reduce. It is also advisable to contract computer forensics professionals to handle matters in case of a crisis, as having the forensically untrained IT team deal with a crisis could be detrimental to the organization in terms of costs and even the integrity of the corporation.

There is a probability of inadmissibility of the evidence they may collect since the team lacks the appropriate training to extract it as required by the federal rules of evidence. However, if the system administrators and other IT technicians have a firm base: versed with laws of evidence, there is no harm in utilizing their skills. Another prominent issue is in the knowledge of how to collect the daily processes that affect the quality of data as evidence as well as the expertise on the matters of privacy and confidentiality.

Intrusion Detection System Tools

There are several types of Intrusion Detection System tools including Misuse detectors, anomaly detectors, passive systems, reactive systems, network-based systems, host-based systems, and physical IDSs (Northcutt, 1999, p. 87). The general capabilities of these systems include the ability to display an alert in case of an attack, logging of an event, either an attack, an anomaly, or a threat, some can page the system administrator in case of an attack, and the ability to reconfigure the entire network to minimize the possible damage of a dangerous intrusion. They watch out for worms, viruses, hackers, and other attacks by scouting a system or a network for intrusion signatures. Intrusion signatures, contained in a database in the IDS refer to predetermined or preset forms of possible attacks. These are what the IDS compares an ‘unusual’ activity to for instance in the case of an anomaly system. The IDS can also detect attacks by identifying a similar strain or characteristic as those of a recorded intrusion signature, even if the entire intrusion is relatively unfamiliar and not yet registered in the form of a signature. The problem of IDSs is that they can only notify one after an attack has already occurred and by so doing are somewhat retrogressive. This provides the reason behind the invention of the Intrusion Prevention Systems, which can both detect and alert when a system or network is in jeopardy of a siege or intrusion, while also preventing the imminent attack from happening or mitigating its effects. Intrusion detection techniques include signature-based detection, which I have explained in brief above, statistical anomaly-based detection, and stateful protocol analysis detection.

Signature-based detections are either exploit-based, which means that they seek and examine the blueprints that emerge in feats that are under guard, and vulnerability-based, which means that they assess the weaknesses in the program, i.e. its implementation as well as the circumstances necessary for the establishment of aforementioned vulnerability. Statistical anomaly-based detection works on an established baseline performance of network traffic activity. The baseline is usually the average or normal performance of a network in a normal traffic condition. A system administrator sets it. After this setting, there is regular or periodical sampling of the network performance through statistical analysis. This assessment draws a comparison between the obtained samples and the standard baseline for the detection of any variances. Stateful protocol analysis detection is simply the identification of deviant protocol states by again comparing the current events or working of the protocol with “preset profiles of generally accepted definitions of benign activity” (Proctor, 2001, p. 21).

There exist different types of intrusion detection techniques and technologies available to an organization. For instance, Misuse Detection is the comparison of attack-related information with the existent database of intrusion or attack signatures. As Pladna (2006, p. 59) reveals, Anomaly Detection, as another one refers to a case where “a system administrator establishes a baseline of the traffic load, breakdown, protocol, and typical packet size”. The scouting then takes place on bits of the network states and sizes of packet data to determine whether any anomalous activity is occurring. Passive systems play a crucial role in detecting an attack thereby recording it in the log files and finally alerting the user. The Reactive systems are more efficient in their response to suspicious activity. They log off a user. They may also initiate “a reprogramming of the firewall to block out the network traffic from the suspicious source” (Proctor, 2001, p. 23). Network-based Intrusion Detection Systems (NIDS) also find their way in this subject.

A good example of this is SNORT and they are usually individual hardware appliances with the capacity to detect intrusions. These come in the form of sensors on different points of the network o software, which remains installed in computer systems connected to a network. They serve a very important function. For instance, they analyze data packets entering and leaving a network using a network tap, span port, and or a hub to gather these packets. These IDSs are cheaper and more efficient to use in an organization and they require less time and resources in terms of needing to train the staff on how to utilize them. The Host-based Intrusion Detection Systems (HIDS) lack ‘real-time’ detection unless their operators correctly configure them. They comprise ‘software agents’ set up within each of the computing machines in a system. They alert on the local Operating System and application activities (Kruse, & Heiser, 1995, p. 43). They assess traffic, to and from one’s computer, and have features that NIDS lack, for instance, they can monitor administrator-specific activities, they can detect changes in the main system files, and they can detect and stop attempts to install Trojans and backdoors (Kozushko, 2007, p. 17). They do all these using signature rules and heuristics and just like NIDS, they require regular connection to the internet to update the latest worm and virus signatures. Examples include OSSEC- Open-Source Host-based Intrusion Detection System, Tripwire, AIDE- Advanced Intrusion Detection Environment, and Prelude Hybrid IDS among others. Physical IDSs too identify threats to the physical systems and simultaneously serve as prevention systems. They include security guards, security cameras, including CCTVs, Access Control Systems including codes, cards, and biometrics, Firewalls, mantraps, and motion sensors among others (Proctor, 2001, p. 65).

These IDSs have evolved into what they have become today over time and now there are Intrusion Prevention systems that perform all the activities performed by IDSs and go a little further, to prevent or block attacks from happening. Some of the processes they can execute include sounding alarms dropping malicious packets, resetting a risky connection, blocking incoming traffic from a dangerous IP address, correcting CRC errors. Worth noting is the possibility of one to use IPSs together with IDSs an instance that secures them the name IDPS or Intrusion Detection and Prevention Systems. However, even if used as such, they cannot substitute the role of other protective applications such as antivirus, anti-spam ware, or firewalls. Instead, people should use all of them together in a multilayered protective manner.

IDS/IPS Tools and Technologies Application

Some significant characteristics of intrusion detection are the efficient use of IDS/IPS apparatus and techs to guard against some explicit cases of attacks and misuse that occur in a variety of types. Examples of possible attacks and misuse include viruses, Trojan horses, hackers, malicious codes, and worms. As Scarfone (2007, p. 39) points out, “A virus attaches itself to a program or file enabling it to transfer itself from one computer to the next leaving infections in its trail”. These infections can be either mild or extensive. Extensive damage includes a complete distortion of files, programs, and even hardware. Most viruses attach themselves to executable files, meaning that they lie dormant until one runs the infected programs. However, it can only spread through human actions, which means that a person has to run a program or send an email for it to pass. Worms are the other kind of possible attack. They are similar to viruses except that they can spread unaided by human actions (Schneier, & Kelsey, 1999, p. 47) because they manipulate the file transport features in a system.

Another distinctive feature of worms is their ability to replicate themselves, which means that they can multiply by millions transporting themselves across networks. They thus end up taking too much system memory resulting in non-responsive web and network servers as well as personal computers. Trojan horses are trickster attackers. They appear like useful software superficially. However, once installed, they can cause serious damage. They are notorious for their creation of ‘back doors’ into one’s system, which can, in turn, be used by malicious people to gain access to one’s files, network, or system. However, they can neither replicate nor infect other files (Shafik, & Mislan, 2008, p. 12). Blended threats feature the worst qualities of worms, viruses, and Trojan horses. Sometimes they also incorporate malicious codes. They can exploit the server and internet vulnerabilities thus posing attacks from multiple points simultaneously. They also have numerous modes of transportation including IRCs and file-sharing networks (Stephenson, 2003, p. 56). Finally, some hackers are malicious people who break into one’s personal information, which is usually mostly confidential thereby exploiting it. They do this mostly through backdoors created by Trojan horses and malicious codes.

Case studies

A data breach hit the Royal Dutch Shell Company in 2010 in which the contact details of more than 170,000 employees were sent out to activists opposed to the group. The organization carried out its investigations wherein the IT department utilized the data in the log files as recorded by their network-based intrusion detection system. They found out that the attacker had been a member of staff though he had then retired. Although they initially downplayed the security ramifications of this incident, rumors of an imminent concurrent breach had them install host-based intrusion detection systems as well as several intrusion prevention systems. This organization just narrowly escaped the regulatory sanctions that usually come with the breaching of the Data Protection Act, which have since gone up to $500,000 (Neville, 2011, p. 3).

Recently, The University of California received such an attack where sensitive information of more than 160,000 current and former students had leaked into the internet. They were suing the University for its Negligent handling of confidential information (Neville, 2011, p. 4). The university took a similar path to Royal Dutch Shell and invested in IDPs to both prevent and protect against the attacks. This action served as a mitigating factor, as it was a prompt response to remedy the situation. The university had filters even before this incident, but the worm attack crushed it where the traffic identified by one of the IT technicians at around three o’clock in the afternoon had thickened by five o’clock that evening. It had defied all filters including firewalls, spam ware, and antivirus to infect most of the school computers, hence the breach. Claims concerning the matter go to a student believed to have carried in the worm via a dial-up modem. From these two studies, it is evident that IDSs alone cannot handle the weight of threats and attacks constantly advanced against organizations, institutions, and corporations.

There is, therefore, the need for a paradigm shift whereby the legislation that restricts IDS and IPS usage to national security agencies should go through some reformations to incorporate the needs of the public and private entities in need of similar protection of confidential information. It is also necessary to invest in training IT professionals on the Forensic requirements of analyzing the evidence so that it can gain admission before a court of law. Finally, organizations must utilize IDPS or Intrusion Detection and Prevention Systems (Stephenson, 2003, p. 69) so that they not only become aware of any attack launched against them but also stand a good chance to counter the attack. Such training should incorporate lessons on a layered approach to computer security as well as a challenge to programmers and software developers to steer away strictly from signature based IDPs. These restrict detection of only the ‘known’ threats and attacks while on the other hand failing to recognize new or unregistered attacks.

References

Neville, A. (n.d.). IDS Logs in Forensics Investigations: An Analysis of a Compromised Honeypot. Web.

Scarfone, K. (2007). Guide to Intrusion Detection and Prevention Systems (IDPS). In N. I. (NIST). New York: NIST Special Publications.

Schneier, B., & Kelsey, J. (1999). Tamperproof Audit Logs as a Forensics Tool for Intrusion Detection Systems. Computer Networks and ISDN Systems, 12 (7), pp. 12-56.

Shafik, G., & Mislan, P. (2008). Mobile Device Analysis. Small Scale Digital Device Forensics Journal, 5 (3), pp. 1-16.

Stephenson, P. (2003). The Application of Intrusion Detection Systems in a Forensic Environment. Oxford: Oxford Brookes University.

Detection Systems. Journal Of Digital and Computer Forensics, 7 (4), pp. 13-21.

Kruse, G., & Heiser, J. (1995). Computer Forensics: Incident Response Essentials. Melbourne: Addison Wesley.

Northcutt, S. (1999). Network Intrusion Detection, An Analyst’s Handbook. Indianapolis: New Riders.

Pladna, B. (2006). Computer Forensics Procedures, Tools, and Digital Evidence Bags: What They Are and Who Should Use Them. Digital Investigation, 2 (2), pp. 59-64.

Proctor, E. ( 2001). The Practical Intrusion Detection Handbook. New Jersey: Prentice Hall PTR.

Bace, R. (1998). An Introduction to Intrusion Detection and Assessment: for System and Network Security Management. ICSA White Paper, 2 (2), pp. 21-35.

Chau, H. (2008). Network Security – Defense Against DoS/DDoS Attacks. Tokyo: Cisco Press.

Mell, P., & McLarnon, M. (2001). Mobile Agent Attack Resistant Distributed Hierarchical Intrusion Detection Systems. 2nd International Workshop on Recent Advances in Intrusion Detection – RAID 99, 5 (1), pp. 23-35.

Bace, R. (1998). An Introduction to Intrusion Detection and Assessment: for System and Network Security Management. ICSA White Paper, 2 (2), pp. 21-35.

Casey, E. (2000). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. San Diego, CA: Academic Press.

Chau, H. (2008). Network Security – Defense Against DoS/DDoS Attacks. Tokyo: Cisco Press.

Hartmanis, J. (1999). Information Security Second International Workshop. Germany: Springer.

Kelly, J. (2006). Computer Forensics Today. Law, Investigations and Ethics, 3(2), pp. 50-62.

Kruse, G., & Heiser, J. (1995). Computer Forensics: Incident Response Essentials. Melbourne: Addison Wesley.

Neville, A. (n.d.). IDS Logs in Forensics Investigations: An Analysis of a Compromised Honeypot. Web.