Survey of Current Network Intrusion Detection Techniques
Sailesh Kumar (sailesh@arl.wustl.edu)
http://www.cse.wustl.edu/~jain/cse571-07/ftp/ids/
12/19/2007 5:13 PM

Abstract

The importance of network security has grown tremendously, and a number of devices have been introduced to improve the security of a network. Network intrusion detection systems (NIDS) are among the most widely deployed such systems. Popular NIDS use a collection of signatures of known security threats and viruses, which are used to scan each packet's payload. Signature-based designs have low false positive rates and are effective and accurate against known security threats. However, they remain completely ineffective against attacks that are not yet known; these can be combated only after they have been detected manually and a signature has been created for them. Since new threats are potentially more lethal, a number of proactive designs have been proposed which can detect new security events, such as the propagation of a new and unknown virus or worm. Such systems accomplish this by creating a profile of normal Internet traffic and then using this profile to continuously monitor network activity for suspicious behaviour. When the system senses an anomaly or a dramatic change in traffic characteristics, it takes certain actions, such as raising an alarm or discarding certain traffic. In this survey paper we evaluate a number of current NIDS and the algorithms they employ to detect and combat security threats, from both a technical and an economic perspective.

Keywords: NIDS, Anomaly Detection, Network Security, Security, Signature, Pattern Matching

Table of Contents

1. Introduction
2. NIDS and Network Architecture
   2.1 Early Warning Mode
   2.2 Internal Deployments
   2.3 NIDS within Every Host (like an anti-virus)
3. Signature Based NIDS
   3.1 Aho-Corasick Algorithm
   3.2 Regular Expressions Signatures
   3.3 Architecture of Signature based NIDS
4. Anomaly Detection based NIDS
   4.1 Statistical Anomaly Detection
   4.2 Machine Learning to Detect Anomalies
   4.3 Data Mining Algorithms to Detect Anomalies
5. Strengths and Limitations of NIDS
   5.1 Strengths of NIDS
   5.2 Limitations of NIDS
6. Common Attacks and Vulnerabilities and Role of NIDS
   6.1 Attack Types
   6.2 Attacks detected by a NIDS
       6.2.1 Scanning Attack
       6.2.2 Denial of Service (DoS) Attacks
       6.2.3 Penetration Attacks
   6.3 Role of NIDS in Combating Attacks
       6.3.1 Excessive Attack Reporting
   6.4 Computer Vulnerabilities and NIDS
       6.4.1 Buffer overflow
       6.4.2 Input Validation Error
       6.4.3 Boundary Condition Error
       6.4.4 Access Control Vulnerability
7. Future of NIDS
8. Summarizing NIDS
References
List of Acronyms

1. Introduction

Network security has recently received enormous attention due to the mounting security concerns in today's networks. A wide variety of algorithms have been proposed to detect and combat these security threats. Among all these proposals, signature-based Network Intrusion Detection Systems (NIDS) have been a commercial success and have seen widespread adoption. These systems already generate several hundred million dollars in revenue, and the market is projected to exceed 2 billion dollars by 2010.

A NIDS aims at detecting possible intrusions, such as malicious activity, a computer attack and/or computer misuse, the spread of a virus, etc., and at alerting the proper individuals upon detection. A NIDS monitors and analyzes the data packets that travel over a network, looking for such suspicious activities. A large NIDS server can be set up on the links of a backbone network to monitor all traffic, or smaller systems can be set up to monitor traffic directed to a particular server, switch, gateway or router. Another class of system can be set up on a centralized server to scan the system files, looking for unauthorized activity and maintaining data integrity (this file-integrity role is usually classified as host-based rather than network-based intrusion detection).

There are two primary approaches to NIDS implementation: signature-based and anomaly-detection-based. The first approach has become a commercial success. A signature-based NIDS maintains a collection of signatures, each of which characterizes the profile of a known security threat, e.g. a virus or a DoS attack. These signatures are used to parse the data streams of the various flows traversing the network link; when a flow matches a signature, appropriate action is taken, e.g. blocking the flow or rate-limiting it.

Traditionally, security signatures have been specified as string signatures, port signatures and header-condition signatures.

String signatures are strings of ASCII symbols that characterize a known attack. For example, one such string signature in UNIX is a `cat` command redirected into `.rhosts`, which if executed can leave the system extremely vulnerable to network attack. Simple strings may lead to high false positives, so it is important to refine the string signature; for this purpose one may use a compound string signature. Such a compound string signature to detect a common Web server attack is "cgi-bin" AND "aglimpse" AND "IFS": every component must appear, so a benign request that merely contains "cgi-bin" does not fire the signature.

Port signatures commonly probe for connection setup attempts to well-known and frequently attacked ports. Obvious examples include telnet (TCP port 23), FTP (TCP ports 21 and 20), SUNRPC (TCP/UDP port 111) and IMAP (TCP port 143). If these ports are not in use at the site at a given point in time, then incoming packets directed to these ports are considered suspicious.

Header signatures are designed to watch for dangerous or illegitimate combinations of packet header fields. The most famous example is WinNuke, in which a packet's destination port is the NetBIOS port and the Urgent (out-of-band) pointer is set; on earlier versions of Windows this resulted in the "blue screen of death". Another well-known header signature is a TCP packet header in which both the SYN and FIN flags are set, which signifies that the requestor is attempting to start and stop a connection simultaneously.

Some well-known commercial NIDS include AXENT (www.axent.com), Cisco (www.cisco.com), CyberSafe (www.cybersafe.com), ISS (www.iss.net) and Shadow (www.nswc.navy.mil/ISSEC/CID/), while the popular open-source NIDS include Snort and Bro. While signature-based NIDS have been widely deployed, anomaly-based NIDS have not gained popularity yet, and they have remained a topic of
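The three signature classes described in the introduction (plain and compound string signatures, port signatures and header-condition signatures) can be exercised with the small matcher below. It is an added example, not code from the survey or from any of the products it names; the packet model, the signature names ("cgi-bin-anywhere", "aglimpse-ifs", "unused-telnet", "unused-sunrpc", "syn-fin", "winnuke-oob") and the sample packets are all constructed for the illustration. It also shows the false-positive point the text makes: the bare "cgi-bin" string fires on an innocent request, the compound "cgi-bin" AND "aglimpse" AND "IFS" signature does not.

```python
"""Toy signature-based packet matcher (added example, not the survey's code).

Packets are simplified to protocol, destination port, TCP flags and payload.
Signatures are the three classes the survey lists: string (plain/compound),
port, and header-condition. Sample traffic below is constructed, not captured.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# TCP flag bits in header order (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NETBIOS_SSN = 139  # the port WinNuke targeted


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    dport: int
    flags: int = 0        # TCP flag bits; unused for UDP
    payload: bytes = b""


@dataclass
class Signature:
    name: str
    matches: Callable[[Packet], bool]


def string_sig(name: str, needle: bytes) -> Signature:
    """Plain string signature: fires whenever the substring appears."""
    return Signature(name, lambda p: needle in p.payload)


def compound_string_sig(name: str, needles: Iterable[bytes]) -> Signature:
    """Compound string signature: every substring must be present (AND)."""
    needles = tuple(needles)
    return Signature(name, lambda p: all(n in p.payload for n in needles))


def port_sig(name: str, proto: str, port: int) -> Signature:
    """Port signature: a connection attempt to a port the site does not use.
    For TCP only the setup segment (SYN without ACK) counts as an attempt;
    for UDP any datagram to the port does."""
    def check(p: Packet) -> bool:
        if p.proto != proto or p.dport != port:
            return False
        if proto == "tcp":
            return bool(p.flags & SYN) and not (p.flags & ACK)
        return True
    return Signature(name, check)


def header_sig(name: str, cond: Callable[[Packet], bool]) -> Signature:
    """Header-condition signature over TCP flag/port combinations."""
    return Signature(name, lambda p: p.proto == "tcp" and bool(cond(p)))


SIGNATURES: List[Signature] = [
    # Bare "cgi-bin" is too broad; the compound form is the refined version.
    string_sig("cgi-bin-anywhere", b"cgi-bin"),
    compound_string_sig("aglimpse-ifs", [b"cgi-bin", b"aglimpse", b"IFS"]),
    port_sig("unused-telnet", "tcp", 23),
    port_sig("unused-sunrpc", "udp", 111),
    header_sig("syn-fin", lambda p: p.flags & SYN and p.flags & FIN),
    header_sig("winnuke-oob", lambda p: p.dport == NETBIOS_SSN and p.flags & URG),
]

# Constructed sample traffic (hypothetical, not captured data).
SAMPLE_PACKETS: List[Packet] = [
    Packet("tcp", 80, PSH | ACK, b"GET /cgi-bin/aglimpse/80|IFS=_;CMD=_id HTTP/1.0\r\n"),
    Packet("tcp", 80, PSH | ACK, b"GET /cgi-bin/search.cgi?q=ids HTTP/1.0\r\n"),
    Packet("tcp", 23, SYN),                 # telnet connection setup
    Packet("tcp", 23, ACK),                 # mid-stream segment, not a setup
    Packet("udp", 111, 0, b"\x00" * 40),    # datagram to SUNRPC portmapper
    Packet("tcp", 80, SYN | FIN),           # illegal flag combination
    Packet("tcp", 139, PSH | ACK | URG, b"\x01"),  # OOB data to NetBIOS
    Packet("tcp", 80, PSH | ACK, b"GET / HTTP/1.0\r\n"),  # benign
]


def scan(packets: Iterable[Packet], sigs: Iterable[Signature]) -> List[Tuple[int, str]]:
    """Run every signature over every packet; return (packet index, signature name) hits."""
    sigs = list(sigs)
    return [(i, s.name) for i, p in enumerate(packets) for s in sigs if s.matches(p)]


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_PACKETS, SIGNATURES):
        print(f"packet {idx}: {name}")
```

Running it reports two hits on packet 0 (the plain and the compound string signature), a lone "cgi-bin-anywhere" hit on the harmless packet 1, and one hit each for the telnet SYN, the UDP datagram to port 111, the SYN+FIN segment and the URG segment to port 139; the mid-stream telnet ACK and the plain HTTP request match nothing. A real engine would run the string signatures with a multi-pattern algorithm such as Aho-Corasick over reassembled streams rather than per-packet substring searches, but the decision logic per signature class is the same.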