WUSTL CSE 571S - Survey of Current Network Intrusion Detection Techniques
Survey of Current Network Intrusion Detection Techniques http://www.cse.wustl.edu/~jain/cse571-07/ftp/ids/ 1 of 18 12/19/2007 5:13 PM

Survey of Current Network Intrusion Detection Techniques

Sailesh Kumar, [email protected]

Abstract:

The importance of network security has grown tremendously, and a number of devices have been introduced to improve the security of a network. Network intrusion detection systems (NIDS) are among the most widely deployed such systems. Popular NIDS use a collection of signatures of known security threats and viruses, which are used to scan each packet's payload. Signature based designs have low false positive rates, and they are effective and accurate in combating the known security threats. However, they remain completely ineffective against attacks that are as yet unknown; these can be combated only after they are detected manually and a signature is created for them. Since new threats are potentially more lethal, a number of pro-active designs have been proposed, which can detect new security events such as propagation of a new and unknown virus or worm. Such systems accomplish this by creating a profile of normal Internet traffic, and then using this profile to continuously monitor the network for suspicious activity. As the system senses an anomaly, or a dramatic change in traffic characteristics, it takes certain actions such as raising an alarm or discarding certain traffic. In this survey paper, we will evaluate a number of current NIDS systems and the algorithms they employ to detect and combat security threats, from both a technical and an economic perspective.

Keywords: NIDS, Anomaly Detection, Network Security, Security Signature, Pattern Matching

Table of Contents

1. Introduction
2. NIDS and Network Architecture
2.1 Early Warning Mode
2.2 Internal Deployments
2.3 NIDS within Every Host (like an anti-virus)
3. Signature Based NIDS
3.1 Aho-Corasick Algorithm
3.2 Regular Expressions Signatures
3.3 Architecture of Signature based NIDS
4. Anomaly Detection based NIDS
4.1 Statistical Anomaly Detection
4.2 Machine Learning to Detect Anomalies
4.3 Data Mining Algorithms to Detect Anomalies
5. Strengths and Limitations of NIDS
5.1 Strengths of NIDS
5.2 Limitations of NIDS
6. Common Attacks and Vulnerabilities and Role of NIDS
6.1 Attack Types
6.2 Attacks detected by a NIDS
6.2.1 Scanning Attack
6.2.2 Denial of Service (DoS) Attacks
6.2.3 Penetration Attacks
6.3 Role of NIDS in Combating Attacks
6.3.1 Excessive Attack Reporting
6.4 Computer Vulnerabilities and NIDS
6.4.1 Buffer overflow
6.4.2 Input Validation Error
6.4.3 Boundary Condition Error
6.4.4 Access Control Vulnerability
7. Future of NIDS
8. Summarizing NIDS
References
List of Acronyms

1. Introduction

Network security has recently received enormous attention due to the mounting security concerns in today's networks. A wide variety of algorithms have been proposed which can detect and combat these security threats. Among all these proposals, signature based Network Intrusion Detection Systems (NIDS) have been a commercial success and have seen widespread adoption. While these systems already generate several hundred million dollars in revenue, this is projected to rise to more than 2 billion dollars by 2010.

A NIDS aims at detecting possible intrusions, such as malicious activity, a computer attack and/or computer misuse, the spread of a virus, etc., and alerting the proper individuals upon detection. A NIDS monitors and analyzes the data packets that travel over a network, looking for such suspicious activities. A large NIDS server can be set up on the links of a backbone network to monitor all traffic, or smaller systems can be set up to monitor traffic directed to a particular server, switch, gateway, or router. Another class of NIDS can be set up at a centralized server, which scans the system files, looking for unauthorized activity and maintaining data integrity.

There are two primary approaches to NIDS implementation: signature based, and anomaly detection based. The first approach has become a commercial success. A signature based NIDS maintains a collection of signatures, each of which characterizes the profile of a known security threat (e.g. a virus, or a DoS attack). These signatures are used to parse the data streams of the various flows traversing the network link; when a flow matches a signature, appropriate action is taken (e.g. block the flow or rate limit it). Traditionally, security signatures have been specified as string signatures, port signatures and header condition signatures.

String signatures are a string of ASCII symbols that characterizes a known attack. For example, such a string signature in UNIX can be "cat "+ +" > /.rhosts", which if executed can cause the system to become extremely vulnerable to network attack. Simple strings may lead to high false positives, therefore it is important to refine the string signature; for this purpose one may use a compound string signature. Such a compound string signature to detect a common Web server attack can be "cgi-bin" AND "aglimpse" AND "IFS".

Port signatures commonly watch for connection setup attempts to well known, and frequently attacked, ports. Obvious examples include telnet (TCP port 23), FTP (TCP port 21/20), SUNRPC (TCP/UDP port 111), and IMAP (TCP port 143). If these ports aren't being used by the site at a point in time, then the incoming packets directed to these ports are considered suspicious.

Header signatures are designed to watch for dangerous or illegitimate combinations in packet header fields. The most famous example is Winnuke, in which a packet's port field is the NetBIOS port and the Urgent (Out Of Band) pointer is set. In earlier versions of Windows, this resulted in the "blue screen of death". Another well known header signature is a TCP packet header in which both the SYN and FIN flags are set. This signifies that the requestor is attempting to start and stop a connection simultaneously.

Some well known commercial NIDS include AXENT (www.axent.com), Cisco (www.cisco.com), CyberSafe (www.cybersafe.com), ISS (www.iss.net), and Shadow (www.nswc.navy.mil/ISSEC/CID), while the popular open source NIDS include Snort and Bro.

While signature based NIDS have been widely deployed, anomaly based NIDS have not gained popularity yet, and they
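The three signature classes described above (string and compound string, port, and header condition), written out as a small matcher over constructed packet records. This is an added example, not code from the survey; the TCP flag bit values are standard, while the set of watched ports the site is assumed not to use is an assumed configuration.

```python
# Added example (not from the survey): a minimal signature-based NIDS matcher
# covering the three signature types the paper lists: string (plain and
# compound AND), port, and TCP header-condition signatures. Packets are
# constructed dicts standing in for decoded TCP segments.

SYN, FIN, ACK, URG = 0x02, 0x01, 0x10, 0x20   # standard TCP flag bits
NETBIOS_PORT = 139                             # port targeted by Winnuke

# String signatures: every substring in the list must appear in the payload.
# A one-element list is a plain string signature; longer lists are compound
# signatures, which cut the false positives a lone string would raise.
STRING_SIGS = {
    "rhosts-world-writable": ['cat "+ +" > /.rhosts'],
    "cgi-aglimpse-ifs":      ["cgi-bin", "aglimpse", "IFS"],   # compound
}

# Port signature: connection attempts (SYN without ACK) to well-known,
# frequently attacked ports that this site is not using. Which ports are
# in use is site policy; PORTS_IN_USE is an assumed configuration.
WATCHED_PORTS = {23: "telnet", 21: "ftp", 20: "ftp-data",
                 111: "sunrpc", 143: "imap"}
PORTS_IN_USE = {21, 20}                        # assumed: the site runs FTP


def header_alerts(pkt):
    """Header-condition signatures: dangerous flag/port combinations."""
    alerts, flags = [], pkt["flags"]
    if flags & SYN and flags & FIN:
        alerts.append("tcp-syn-fin")           # open and close at once
    if pkt["dport"] == NETBIOS_PORT and flags & URG:
        alerts.append("winnuke-oob")           # OOB data to NetBIOS port
    return alerts


def port_alerts(pkt):
    """Port signature: SYN to a watched port the site does not use."""
    flags, dport = pkt["flags"], pkt["dport"]
    if flags & SYN and not flags & ACK and dport in WATCHED_PORTS \
            and dport not in PORTS_IN_USE:
        return ["probe-" + WATCHED_PORTS[dport]]
    return []


def string_alerts(pkt):
    """String signatures: all parts of a compound signature must match."""
    payload = pkt.get("payload", "")
    return [name for name, parts in STRING_SIGS.items()
            if all(part in payload for part in parts)]


def inspect(pkt):
    """Run every signature class over one packet; returns alert names."""
    return header_alerts(pkt) + port_alerts(pkt) + string_alerts(pkt)
```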