Intrusion Detection

Intrusion Detection is as much an art as it is a science. As the references here indicate, there are a number of tools available for this purpose. Fundamentally, there are two main types of intrusion detection systems, namely, network-based and host-based systems. Hybrid systems contain components and characteristics of the two types. Each has their benefits and limitations.

In general, there are two types of architectures for network-based intrusion detection systems. One is the sensor-based architecture. The other is the distributed network-node architecture. Both types of architectures contain network sensor and central command console. The differences between them lie in the location of detection engine, local response subsystem, and the alerting subsystem.

Network-Based Intrusion Detection Systems

A network-based intrusion detection engine processes a stream of time sequential TCP/IP packets to detect predetermined sequences and patterns. These patterns are known as signatures.

By observing patterns of behavior, suspicious activity may be detected to tip-off the operator that misuse may be occurring. The defining characteristic for tip-off is that the system is detecting something previously unsuspected. Surveillance usually follows a tip-off. During surveillance, targets are observed more closely for patterns of misuse.

Network-based intrusion systems can be used to deal with outside threat detection. It has the function of deterrence. It can also provide automated response.

However, packet loss on high-speed network, switched networks, encryption, and sniffer detection programs are challenges for network-based intrusion detection systems.

Host-Based Intrusion Detection Systems

Host-base intrusion detection systems are used to analyze data that originates on computer hosts, such as application and operating system event logs. Host event logs contain information about specific file accesses and program executions, usually associated with an authenticated, or inside user.

There are two types of architectures for host-based intrusion detection systems. One is the centralized host-based intrusion detection system. The other is the distributed real-time host-based intrusion detection system.

Both types of architectures contain target and command console. The differences between them lie in the location of detection engine, local response subsystem, and the alerting subsystem.

Target agents are small executables that run with privilege on target systems. Autonomous agents move from system to system on their own looking for misuse. Agent-less, host-based intrusion detection system performs host-based actions from a central location through an API that provides remote control of the data source.

There are four operational modes for host-based intrusion detection. They are tip-off, surveillance, damage assessment, and compliance.

Since policies drive the operation of an intrusion detection system, effective policy management can reduce performance degradation and resource costs. Audit policies and detection policies have to be fine tuned to meet the needs in specific environments.

Data sources are the heart of any host-based intrusion detection system. They include operating system logs, application logs, and middleware logs.

Host-based intrusion detection systems have the function of deterrence. It can detect threats. It can provide notification and response when a misuse is detected. It can also provide damage assessment, attack anticipation, and prosecution support.

However, performance, deployment, maintenance, threats of compromise, and spoofing are the challenges for host-based intrusion detection systems.

Both network-based intrusion detection systems and host-based intrusion detection systems are needed for different environments. Both of them have limitations. They all need further improvement.

On Intrusion Detection:

• Aviel D. Rubin, White-Hat Security Arsenal: Tackling the Threats, Addison Wesley, 2001.
• Brian Caswell, et al, Snort 2.0 Intrusion Detection, Syngress, 2003.
• Chris Prosise, Incident Response: Investigating Computer Crime, McGraw-Hill, 2001.
• Chris Prosise and Kevin Mandia, Incident Response and Computer Forensics, McGraw-Hill, 2001.
• Edward Amoroso, Intrusion Detection: An Introduction To Internet Surveillance, Correlation, Trace back, Traps and Response, Intrusion.Net Books, 2000.
• Eugene Schultz, Jim Mellander and Carl F Endorf, Intrusion Detection, McGraw-Hill, 2003.
• Keith J Jones, et al, Anti-Hacker Toolkit, McGraw-Hill, 2002.
• Kenneth R. Van Wyk and Richard Forno, Incident Response, O’Reilly, 2001.
• Mark Cooper, Intrusion Signatures and Analysis, Que, 2001.
• Rebecca Gurley Bace, Intrusion Detection, Que, 1999.
• Stephen Northcutt, Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems, Que, 2002.
• The HoneyNet Project, Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community, Addison Wesley, 2001.

Intrusion Detection and Computer Forensics URLs

• Bill Nelson, Amelia Phillips, Frank Enfinger & Chris Steuart, Guide To Computer Forensic and Investigations, Thomson Course Technology: New York, 2004.
• Casey, Eoghan. Digital evidence and computer crime: Forensic science, computers, and the Internet. Academic Press. 2001.
• Christopher L.T. Brown, Computer Evidence: Collection & Preservation, Hingham, MA: Charles River Media, 2006.
• Dan Farmer & Wietse Venema, Forensic Discovery, Upper Saddle River, NJ: Addison Wesley, 2005.
• Extractions from the list compiled by Professor David Dittrich, University of Washington, Seattle.
• Greg Hoglund & James Butler, Rootkits: Subverting The Windows Kernel, Upper Saddle River, NJ: Addison Wesley, 2006.
• Hammer, Richards. Enhancing IDS using, Tiny Honeypots. Posted November 13, 2006. http://www.sans.org/reading_room/whitepapers/detection/1665.php?portal=08450990a6c34aebb2648ef76c865103
• Intrusion Detection Best Practices Marcella, Albert J., and Greenfield, Robert S. (editors). Cyber forensics: A field manual for collecting, examining, and preserving evidence of computer crimes. Auerbach. 2002.
• Intrusion Detection, Honeypots and Incident Handling Resources. Retrieved December 4, 2006 from http://www.honeypots.net/
• Jansen, Wayne A. Intrusion Detection with Mobile Agents. NIST. http://csrc.nist.gov/mobilesecurity/Publications/IDwMA.pdf
• Keith J. Jones, Richard Bejtlich & Curtis W. Rose, Real Digital Forensics: Computer Security and Incident Response, Upper Saddle River, NJ: Addison Wesley, 2006.
• Mell, Peter, Vincent Hu (National Institute of Technology and Standards) and Richard Lippman, Josh Haines, Marc Zissman (Massachusetts Institute of Standards and Technology Lincoln Laboratory ITL). An Overview of Issues in Testing Intrusion Detection Systems. http://csrc.nist.gov/publications/nistir/nistir-7007.pdf
• Network Magazine article on Intrusion Detection
• Parker, Donn. Fighting computer crime. John Wiley & Sons. 1998.
• Patwardhan, Anand, Jim Parker, Anupam Joshi, Michaela Iorga and Tom Karygiannis. Secure Routing and Intrusion Detection in Ad Hoc Networks. http://csrc.nist.gov/mobilesecurity/Publications/nist-umbc-adhocids-ipv6.pdf
• Peterson, Dale. Intrusion Detection and Cybersecurity. InTech. ISA. Research Triangle Park, NC. May 1, 2004. http://www.isa.org/InTechTemplate.cfm?Section=Article_Index1&template=/ContentManagement/ContentDisplay.cfm&ContentID=35311
• SANS Intrusion Detection FAQs
• Secret Service Evidence Best Practices: http://www.secretservice.gov/electronic_evidence.shtml
• Shinder, Debra Littlejohn, and Tittel, Ed (editor). Scene of the cybercrime: Computer forensics handbook. Syngress Shinder Books. 2002.
• US Department of Justice. Computer Crime and Intellectual Property Section (CCIPS). Retrieved December 5, 2006 from http://www.usdoj.gov/criminal/cybercrime/index.html
• US Department of Justice. National Institute of Justice. Electronic Crime Scene Investigation: A Guide for First Responders. Retrieved December 5, 2006 from http://www.ncjrs.gov/pdffiles1/nij/187736.pdf

PASSWORD Tools

• Accent OFFICE Password Recovery.
• COTSE. Site listing various password tools.
• DS Password Tools.
• John the Ripper Toolkit - http://www.openwall.com/john/

Password Recovery

• NirSoft
  A group of small unique password recovery tools
• LastBit
  
• Lost password
  http://www.lostpassword.com/
  Links for different password recovery tools
• iOpus
  
• Petri IT Knowledgebase
  http://www.petri.co.il/forgot_administrator_password.htm
  Windows administrator password recovery
• Password Recovery tools
  http://www.passwordrecoverytools.com/
  Microsoft Office recovery tools
• Rixler Software
  
• Open Wall
  
• ActMon Password Recovery for Windows XP
  
• SnapFiles – Different password recovery tools
  
• Zip Cure - Zip Password Recovery utility
  
• ABF Password Recovery
  
• Password Changer – supports Windows VISTA
  
• FSPRO Labs
  
• Free Downloads
  http://www.freedownloadscenter.com/Search/password_recovery.html
  http://www.download.com/SpotIE-Password-Recovery/3000-2092_4-10633252.html
• PicoZip
  
• Luigi Auriemma
  

History of Intrusion Detection

• Security Focus
  

CERIAS - Security Archive Word dictionaries for comparison

• http://ftp.cerias.purdue.edu/pub/dict/local/
• System Default Password lists - http://www.phenoelit.de/dpl/dpl.html
• NT password utility for SAM - http://home.eunet.no/~pnordahl/ntpasswd/
• Cisilia multi-pltform utility - http://www.cisiar.org/proyectos/cisilia/home_en.php
• A Distributed cracking facility - http://ktulu.com.ar/en/djohn.php
• Project Rainbow Cracker - http://www.antsight.com/zsl/rainbowcrack/
• CERIAS (Center for Education and Research in Information Assurance and Security), home page.

Sniffers

• Airsniff Tool - http://www.aimsniff.com/
• Cain and Able –(password recovery tool for Windows)
• Driftnet network listening device - http://www.ex-parrot.com/~chris/driftnet/
• dsniff: Network audit tool - http://monkey.org/~dugsong/dsniff/
• Ethereal Network Protocol Analyzer - http://www.ethereal.com/
• Ettercap Sniffer Tool - http://ettercap.sourceforge.net/
• Hping2 - (network probing utility)
• Kismet - (wireless sniffer)
• Metasploit Framework - (exploitation tool)
• Nessus - (UNIX vulnerability assessment tool)
• Netcat - (reads and writes data over TCP or UDP network connections)
• TCP dump facility - http://www.tcpdump.org/
• Tanase, Matthew. Sniffers: What They Are and How To Protect Yourself. February 26, 2002.
• Wireshark - (open source network protocol analyzer for Unix and Windows)

Honeypots

• Labrea Honeypot tool - http://labrea.sourceforge.net/labrea-info.html
• HoneyD project to create virtual hosts - http://www.honeyd.org/
• The "original" Honeynet Project - http://www.honeynet.org/
• Magalhaes, Ricky M. Host Based IDS vs. Network-Based IDS (Part 1).
• Magalhaes, Ricky M. Host Based IDS vs. Network-Based IDS (Part 2 – Comparative Analysis).
• Magalhaes, Ricky M. Understanding Virtual Honeypots.
• Spitzner, Lance. Honeypots: Are They Illegal? 6/12/03. Retrieved December 4, 2006
• Spitzner, Lance. “Know Your Enemy:” Everything you need to know about honeypots.
• Free Tools
  
• Everything you need to know about honeyPots
  
• Ernst & Young PPT
  
• Philippine HoneyPot Project
• Honeynet Project

Intrusion Detection Tools

• Adaptive Security Analyzer
• chkrootkit - (checks for signs of a rootkit)
• eTrust Intrusion Detection - (ID that operates on Windows software)
• F.I.R.E. - (portable, bootable cdrom that establishes an environment to perform forensic analysis, incident response, data recovery, virus scanning and vulnerability assessment)
• GFI LANguard System Integrity Monitor - (checks to see if files have been changed, added or deleted on a Windows 2000 system)
• Impost – (network security auditing tool)
• ISS Threat database - http://xforce.iss.net/xforce/search.php
• Open Source Network Intrusion Detection System - http://www.snort.org/
• Prelude Hybrid ID system - http://www.prelude-ids.org/
• Swatch log file monitoring system - http://swatch.sourceforge.net/
• Sha-1 Tool - http://www.faqs.org/rfcs/rfc3174.html

Mac changer

• Linux security - http://www.linuxsecurity.org/
• GNU MAC Changer
• Internet Storm center - http://isc.incidents.org/
• http://www.alobbs.com/modules.php?op=modload&name=macc&file=index

Wireless

• Airsnort - http://airsnort.shmoo.com/
• Airtraffic tool - http://airtraf.sourceforge.net/
• Kismet 802.11- http://www.kismetwireless.net/
• MAC Address - http://www.iana.org/assignments/ethernet-numbers
• Mobile Tech - Wireless Security - (news, articles, tools)
• Netstumbler - http://www.netstumbler.com
• Nmap - http://www.insecure.org/nmap/
• WiFI planet - http://www.wi-fiplanet.com/
• Wireless ID system - http://freshmeat.net/projects/widz/
• Wireless Tools for Linux
• Wireless Week magazine - (news, articles, discussions, tools)

On Penetration Testing

• James C Foster, Writing Security Tools and Exploits, Rockland, MD:Syngress, 2006.
• Johnny Long, Google Hacking, Rockland, MD:Syngress, 2005.
• Johnny Long, Aaron W. Bayles, James C Foster, Chris Hurley, Mike Petruzzi, Noam Rathaus & Mark Wolfgang, et.al. Penetration Tester's Open Source Toolkit, Rockland, MD:Syngress, 2006.
• Stephen Northcutt, Mark Cooper, Matt Fearnow & Karen Frederick, Intrusion Signatures and Analysis, NYC: New Riders, 2001.
• Bumgarner, John N. Waive Goodbye to Liability. January 2001.
• Ethical Hacking and Penetration Testing, Discussions on ethical hacking and penetration.
• Mehta, Puneet, CISSP. Guide to Penetration Testing, Part 1: Reasons to Perform a Penetration Test. April 27, 2005.
• Mehta, Puneet, CISSP. Guide to Penetration Testing, Part 2: Performing a Penetration Test. April 27, 2005.
• Mehta, Puneet, CISSP. Guide to Penetration Testing, Part 3: Penetration Testing Strategies. April 27, 2005.
• Mehta, Puneet, CISSP. Guide to Penetration Testing, Part 4: Types of Tests. April 27, 2005.
• Mehta, Puneet, CISSP. Guide to Penetration Testing, Part 5: Testing Methodology and Standards. April 27, 2005.
• Peterson, R. Craig, Security Penetration Testing Should You Do It? Mainstream Security Services, LLC. 2000-2003.

Intrusion Detection News and Articles

• Dworakowski, Wojciech. Why is a Firewall Alone, Not Enough? What are IDSes and are They Worth Having? WindowsSecurity.com. Updated July 23, 2004.
• Government Technology. News and articles.
• Greenemeier, Larry. New Cybersecurity Center To Warn Law Enforcement of Critical Infrastructure Attacks. Information Week. August 24, 2005.
• Parker, Don. Tools of the Trade Revisited (Part 1). Windows Security.com. TechGenix Ltd. November 15, 2006.
• Parker, Don. Tools of the Trade Revisited (Part 2). Windows Security.com. TechGenix Ltd. November 15, 2006.
• Parker, Don. Tools of the Trade Revisited (Part 3). Windows Security.com. TechGenix Ltd. November 15, 2006.
• WindowSecurity.com. Articles and Tutorials on Intrusion Detection.

Computer Crime Legislation

• EPIC. US Patriot Act. Retrieved December 5, 2006 from http://www.epic.org/privacy/terrorism/hr3162.html
• US Department of Justice. Computer Crime and Intellectual Property Section (CCIPS). Computer Crime Legal Resources. Retrieved December 5, 2006 from http://www.usdoj.gov/criminal/cybercrime/cclaws.html

Data Mining

• Author unknown. Data Mining: What is Data Mining? Retrieved December 4, 2006 from
• Kelley, Matt. Feds sharpen secret tools for data mining. USA Today. 7/20/2006. Retrieved December 5, 2006 from
• Lee, Wenke, Salvatore J. Stolfo and Kui W. Mok. Computer Science Department, Columbia University. A Data Mining Framework for Building Intrusion Detection Models. New York, New York.

Intrusion Organizations

• Federal Bureau of Investigations. Computer Analysis and Response Team (CART). Brief description of who they are and what they do.
• Federal Bureau of Investigations. Cyber Investigations.
• FIRST. First is an array of computer security incident response teams from government, commercial and educational sources, that encourages and educates on incident prevention, incident reaction and information sharing.
• International Association of Computer Investigative Specialists. It’s an organization of volunteers who educate on computer forensics issues, including intrusion detection.
• International High Technology Crime Investigation Association. Provides information on investigation techniques and security. Great resource of information!
• Intrusion.org Security Central. They provide Information, news, articles, tips and tools.
• National Infrastructure Protection Center. They support and assist law enforcement agencies, provide training and assist with computer intrusion investigations.
• SearchSecurity.com. They provide information resources for IT professionals.

Intrusion Detection Studies

• A Model for Peer Vulnerability Assessment
• Application Penetration Test Super Veda
• Introduction to becoming a Penetration Tester
• Guidelines for Developing Penetration 'Rules of Behavior'
• Lock-Picking the eDoor: Knowing How Hackers Find the Weakest Link
• Penetration Studies - A Technical Overview
• Penetration Testing - Is it right for you?
• Penetration Testing and Vulnerability Management - Partners in Securing the Enterprise Network
• Software State of Software - Security is Getting There, Slowly
• Vulnerability Enumeration For Penetration Testing
• Wireless Informaton Warfare

Network Security

• http://www.attackprevention.com/
• http://www.bitpipe.com/rlist/term/Network-Security.html
• Firewall Architecture Guide
• Firewall Learning Guide
• Insider Risk Management Guide
• Intrusion Detection and Prevention Learning Guide
• Network Access Control Learning Guide
• Sarbanes-Oxley Compliance for the Security Practitioner
• Snort Technical Guide
• Spy Fishing: A New Breed of Blended Threats
• Spyware Learning Guide
• Step-by-Step Guide: Five BlueTooth Security Basics
• Step-by-Step Guide: How to Deploy a Successful Patch
• Thwarting Hacker Techniques
• Understanding Your Authentication Options
• VoIP Security Learning Guide
• http://www.trendmicro.com/en/security/white-papers/overview.htm
• Web Application Attacks Learning Guide
• Web Browser Security Learning Guide

Network Security and Auditing Tools

• http://www.aircrack-ng.org/doku.php
• http://www.cirt.net/code/nikto.shtml
• http://www.coresecurity.com/?module=ContentMod&action=item&id=32
• http://www.datarescue.com/idabase/
• http://www.foundstone.com/resources/proddesc/superscan.htm
• http://www.gfi.com/lannetscan/
• http://www.immunitysec.com/resources-freesoftware.shtml
• http://www.iss.net/products/index.html
• http://www.remote-exploit.org/backtrack.html
• http://www.secdev.org/projects/scapy/
• http://www.microsoft.com/technet/sysinternals/default.mspx
• http://www.monkey.org/~dugsong/dsniff/
• http://www.netfilter.org/
• http://www.nessus.org/
• http://www.openssl.org/
• http://www.oxid.it/cain.html
• http://www.parosproxy.org/index.shtml
• http://www.rootkit.nl/projects/rootkit_hunter.html
• http://www.snort.org/
• http://www.solarwinds.net/
• http://www.spidynamics.com/products/webinspect/
• http://www.stumbler.net/
• http://www.tripwire.com/
• http://www.vulnwatch.org/netcat/
• http://www.wireshark.org/