Distributed Intrusion Detection
Mamata Desai,
M.Tech,
02,
48 pp.
Department of
Computer Science and Engineering
Indian Institute of Technology Bombay,
Powai, Mumbai 400 076.
Supervisor(s): Sridhar Iyer, G. Sivakumar
As more and more data goes online, there is a pressing need to secure the
dissemination of a large amount of information. Because of the effort
required to monitor networks and systems manually, it is not easy to
detect attempts at misuse or successful attacks without the help of
intelligent Intrusion Detection Systems (IDS).
IDS, much like the security industry, has grown rapidly over the past
few years. These tools have become essential security components - as
valuable to many organizations as a firewall. However, as in any
environment, things change. Networks and crackers are evolving fast,
demanding that security tools keep up. Intrusion Detection Systems face
several daunting but exciting challenges in the future and are sure to
remain one of our best weapons in the arena of network security.
The modern day Network IDS faces some very challenging problems, like
switched environments, increased network traffic, and encryption. Add to
that, the performance considerations of an IDS, such as false positives
and missed attacks, and the molehill does become a mountain! The way
forward seems to be analysis and data correlation, in which host IDSs
also play an important role. The concept of a management console
dedicated to correlating abnormal event notifications, together with
relevance measures, is an emerging one. One can picture many distributed
elements performing specific jobs, each passing its results on to a
higher level for correlation and analysis.
In an environment where many machines have similar configurations, a
complete portscan on one machine may trigger alarms, but slow scans
across ports of different machines might go unnoticed and will result in
the intruder gaining all the information about the services running on
each machine, thus successfully performing a distributed portscan.
We focus on detecting a distributed portscan by sniffing packets on the
network. Five types of TCP portscans performed by nmap are successfully
detected, in scan sweeps of one-to-one, one-to-many, many-to-one and
many-to-many hosts. Our approach also manages to detect slow scans,
which are typically missed by available commercial packages, because of
the features that we select to examine.
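The detection idea sketched above, correlating probe packets across sources, targets and a long time window so that a scan spread over several machines or stretched out over minutes still crosses a threshold, is illustrated below. This is an added example, not code from the thesis: the flag patterns, thresholds, alert kinds and the constructed sample traffic are all assumptions chosen for illustration, and the per-source, per-target and per-subnet aggregations are one possible way of realising the one-to-one, one-to-many, many-to-one and many-to-many sweeps the abstract names.

```python
"""Correlate TCP probe packets across sources, targets and a long window so
that distributed and slow portscans trip a threshold.  Added illustration,
not the thesis's code; thresholds and flag patterns are assumptions."""
from collections import defaultdict, deque

# Flag patterns characteristic of common TCP probe types (assumption: an
# illustrative classifier, not the feature set examined in the thesis).
PROBE_FLAGS = {
    "S": "syn",     # SYN only: half-open or connect probe (or a normal client SYN)
    "F": "fin",     # FIN only
    "FPU": "xmas",  # FIN+PSH+URG
    "": "null",     # no flags set
}


def classify_probe(flags):
    """Return the probe type for a TCP flag string, or None for non-probe traffic."""
    return PROBE_FLAGS.get("".join(sorted(flags)))


def detect(packets, window_s=3600, port_threshold=10, host_threshold=5):
    """packets: iterable of (ts_seconds, src, dst, dst_port, flags) in time order.

    Keeps probes for `window_s` seconds (a long window is what lets slow scans
    accumulate), then aggregates them three ways and returns a list of alert
    dicts.  A source or target that on its own touches few ports stays below
    threshold; the distributed case is caught by aggregating on the target."""
    events = deque()
    for ts, src, dst, port, flags in packets:
        if classify_probe(flags) is None:
            continue
        events.append((ts, src, dst, port))
        while events and ts - events[0][0] > window_s:  # expire old probes
            events.popleft()

    by_src = defaultdict(set)  # src -> {(dst, port)}
    by_dst = defaultdict(set)  # dst -> {(src, port)}
    by_net = defaultdict(set)  # /24 prefix -> {(src, dst, port)} (assumed grouping)
    for _, src, dst, port in events:
        by_src[src].add((dst, port))
        by_dst[dst].add((src, port))
        by_net[dst.rsplit(".", 1)[0]].add((src, dst, port))

    alerts = []
    # One source: many ports on one host (vertical) or many hosts (horizontal).
    for src, pairs in by_src.items():
        hosts = {d for d, _ in pairs}
        ports = {p for _, p in pairs}
        if len(ports) >= port_threshold or len(hosts) >= host_threshold:
            kind = "one-to-one" if len(hosts) == 1 else "one-to-many"
            alerts.append({"kind": kind, "key": src, "sources": 1,
                           "targets": len(hosts), "ports": len(ports)})
    # One target probed on many ports by several sources: distributed scan.
    for dst, pairs in by_dst.items():
        srcs = {s for s, _ in pairs}
        ports = {p for _, p in pairs}
        if len(srcs) >= host_threshold and len(ports) >= port_threshold:
            alerts.append({"kind": "many-to-one", "key": dst, "sources": len(srcs),
                           "targets": 1, "ports": len(ports)})
    # Many sources covering many hosts of one subnet: many-to-many sweep.
    for net, triples in by_net.items():
        srcs = {s for s, _, _ in triples}
        dsts = {d for _, d, _ in triples}
        ports = {p for _, _, p in triples}
        if (len(srcs) >= host_threshold and len(dsts) >= host_threshold
                and len(ports) >= port_threshold):
            alerts.append({"kind": "many-to-many", "key": net + ".0/24",
                           "sources": len(srcs), "targets": len(dsts),
                           "ports": len(ports)})
    return alerts


def build_sample():
    """Constructed traffic: five sources each probe two ports of 192.168.1.10,
    one probe every five minutes, followed by an ordinary client handshake."""
    pkts, ts = [], 0
    for i in range(5):
        src = "10.0.1.%d" % (i + 1)
        for port in (20 + 2 * i, 21 + 2 * i):  # ports 20..29, two per source
            pkts.append((ts, src, "192.168.1.10", port, "S"))
            ts += 300
    pkts.append((ts, "10.0.2.2", "192.168.1.10", 443, "S"))      # client SYN
    pkts.append((ts + 1, "10.0.2.2", "192.168.1.10", 443, "A"))  # ACK, not a probe
    return pkts


if __name__ == "__main__":
    print("60 s window:  ", detect(build_sample(), window_s=60))
    print("3600 s window:", detect(build_sample(), window_s=3600))
```

With a one-minute window the ten probes expire before they are ever counted together and nothing is reported; with a one-hour window the same packets produce a single many-to-one alert for 192.168.1.10, even though no individual source touched more than two ports. That gap between the two runs is exactly the slow, distributed case a per-source burst detector misses.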