
An intrusion detection and prevention system (IDPS) can be very beneficial for an organization. Alongside other security measures, such a system can help protect the network from threats and attacks. This paper covers two IDPS methodologies, signature-based and anomaly-based detection. Each methodology is suited to analyzing certain kinds of attacks, and an environment with particular requirements will use a signature-based or an anomaly-based IDPS accordingly. The internal network of a company may face a variety of malware attacks, for example, so a signature-based IDPS would be better suited to that situation. This paper covers three different environments and, based on the threats each faces, suggests a methodology for each.

Intrusion Detection/Prevention Systems

Intrusion detection systems (IDS) analyze traffic flowing through the network to determine whether there are signs of malicious activity or violations of company policy. An intrusion prevention system (IPS) performs the same tasks, but it can also stop an incident before it succeeds (Juniper Networks, Inc., 2017). Network architectures in an organization can have many access points, both internal and external. Since attackers are becoming more experienced in their efforts to invade network systems and the hosts within them, these access points must be protected. Although these organizational architectures are more than likely protected by other security technologies, an IDPS will certainly assist in safeguarding the network (Juniper Networks, Inc., 2017). Below is an image showing a very simple example of an IDPS on a network. Sensors are placed between the firewall and the router, and host-based IDPSs are installed on the servers. Traffic moving in and out of the network is analyzed carefully to ensure nothing out of the ordinary occurs. Specific hosts, such as servers and individual user devices, can also run a host-based IDPS for protection.

Figure 1: IDPS Architecture

There are two methodologies used in IDPS that are quite common: signature-based and anomaly-based detection. Both are used to detect threats and malicious behavior. Depending on the type of environment and the needs of the network, an organization may choose one or both of these methodologies for protection.

Signature-Based Detection

“A signature is a pattern that corresponds to a known threat” (NIST, 2007, p. 2-4). Like a virus scanner, signature-based detection looks for known patterns in attempts to intrude upon a system or network. The sequence of steps taken to infiltrate a system is compiled into rules. The intrusion detection system applies these rules by comparing observed activity with a defined list of known attacks held in a database. The system then determines whether an event is a match and acts accordingly. Although signature-based detection is quite effective at identifying known attacks, it is not effective at identifying unknown or zero-day attacks. Because signature-based detection is a simple method, it has little understanding of protocols and complex communications (NIST, 2007). Some examples of known malicious patterns are:

· When the ACK flag is not set but the acknowledgement number holds some other value; this number should be 0 when the flag is clear

· Using port 21 as both the source and destination port in traffic associated with File Transfer Protocol (FTP) servers

· When only SYN and FIN flags are set

· “A telnet attempt with a username of ‘root’ which is a violation of an organization’s security policy” (NIST, 2007, p. 2-4)
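The three header-level signatures listed above, expressed as rules a sensor could apply to each packet. This is an added illustration, not code from the paper or from any IDPS product; the packet records are constructed for the example.

```python
"""Toy signature-based matcher for the header-level patterns listed above.
Added example (not part of the original paper); packets are constructed."""
from dataclasses import dataclass

# Standard TCP flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Packet:
    """The handful of TCP header fields these signatures need."""
    src_port: int
    dst_port: int
    flags: int
    ack_num: int


# Each signature is a name plus a predicate over one packet header
SIGNATURES = [
    # acknowledgement number set while the ACK flag is clear
    ("ack-number-without-ack-flag",
     lambda p: not (p.flags & ACK) and p.ack_num != 0),
    # FTP control port used at both ends of the connection
    ("ftp-port-21-both-ends",
     lambda p: p.src_port == 21 and p.dst_port == 21),
    # exactly SYN and FIN set, nothing else
    ("syn-fin-only",
     lambda p: p.flags == (SYN | FIN)),
]


def match_signatures(packet):
    """Return the names of every signature this packet matches."""
    return [name for name, rule in SIGNATURES if rule(packet)]


def scan(packets):
    """Run every packet through the signature list; return (index, matches) for hits only."""
    return [(i, match_signatures(p)) for i, p in enumerate(packets)
            if match_signatures(p)]


# Constructed sample traffic: one benign SYN, then one packet per signature
SAMPLE = [
    Packet(51234, 80, SYN, 0),
    Packet(51235, 80, 0, 12345),
    Packet(21, 21, SYN, 0),
    Packet(51236, 22, SYN | FIN, 0),
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE):
        print(f"packet {idx}: {', '.join(names)}")
```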

Anomaly-Based Detection

Companies have what they call a baseline of the normal network activity that occurs in daily operations. This includes activity from employees, devices, connections, and applications. It is usually recorded over a set period of time, often referred to as a “training period”. Profiles can be static, remaining unchanged unless a new profile is requested, or dynamic, requiring constant adjustment (NIST, 2007). Anomaly-based intrusion detection compares current activity against this recorded data using statistical methods. For instance, if a host’s processor use is well over a specified level in a given period, anomaly-based detection can alert administrators to the event. If an employee sends an abnormal number of emails compared to a regular day, an event such as this will also trigger an alert. Whenever an activity does not quite match the original baseline, anomaly-based detection can help bring it to attention (NIST, 2007).

A benefit of this method is that anomaly-based detection can detect unknown attacks that signature-based detection cannot. If an attack uses up vast amounts of a host’s resources, this detection would take notice because it compares the activity to the baseline of normal behavior. It can also catch other kinds of attacks, including those involving IP addresses, denial-of-service, and protocol misuse (Cisco, 2010). A major drawback of this method is that it requires considerably more resources. It also triggers a higher number of false positives. Although a baseline of normal activity may exist, it can be difficult for anomaly-based detection to truly tell when an attack is occurring. For instance, a user may try to enter his or her password without realizing the caps lock key is on. After a few attempts, an alert may trigger. Even though nothing malicious was occurring, the user exceeded the normal number of login attempts, thus creating the false positive (Cisco, 2010).
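The baseline, training period, static versus dynamic profiles, and the caps-lock false positive described above, worked through in a small detector. This is an added example rather than code from the paper; the per-day and per-hour counts are constructed, and the z-score threshold of 3 is an assumption.

```python
"""Toy anomaly-based detector: learn a baseline during a training period, then
flag observations that fall too far from it. Added example, not from the paper;
all counts are constructed and the threshold is an assumed value."""
import statistics


class Profile:
    """Baseline for one metric, e.g. emails sent per day by one user."""

    def __init__(self, training, threshold=3.0, dynamic=False):
        self.values = list(training)   # training period, assumed benign
        self.threshold = threshold     # alert when |z-score| exceeds this
        self.dynamic = dynamic         # dynamic profiles keep adjusting to new data

    def zscore(self, x):
        """Distance of x from the baseline mean, in standard deviations."""
        mean = statistics.fmean(self.values)
        stdev = statistics.pstdev(self.values) or 1.0   # guard a perfectly flat baseline
        return (x - mean) / stdev

    def observe(self, x):
        """Return True if x is anomalous against the current baseline."""
        anomalous = abs(self.zscore(x)) > self.threshold
        if self.dynamic and not anomalous:
            self.values.append(x)      # only benign-looking observations move the baseline
        return anomalous


def run_observations(profile, observations):
    """Score a sequence of observations; return the values that raised an alert."""
    return [x for x in observations if profile.observe(x)]


if __name__ == "__main__":
    # Eight training days of emails sent per day (constructed)
    email = Profile([20, 25, 22, 18, 24, 21, 23, 19])
    print("email alerts:", run_observations(email, [26, 400, 22]))   # 400 stands out

    # Eight training hours of failed logins per hour (constructed); a user with
    # caps lock on fails six times in one hour and trips the alert: a false positive
    logins = Profile([0, 1, 0, 0, 1, 0, 2, 0])
    print("caps-lock hour flagged:", logins.observe(6))

    # A dynamic profile folds normal days into its baseline; a static one does not
    dynamic = Profile([20, 25, 22, 18, 24, 21, 23, 19], dynamic=True)
    dynamic.observe(26)
    print("baseline size after a normal day:", len(dynamic.values))
```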

Internal Network Security

It can be difficult to define a typical architecture for an organization because the layout depends on the size of the company. A smaller company’s network may be simple, whereas a larger company may require a variety of servers, devices, and other components, creating a much more complex architecture. The figure below represents a smaller, non-critical architecture.

Figure 2: Enterprise Architecture

This image depicts an organization with both internal and external users. The external users reach the trusted network over the Internet through a virtual private network that is protected by a firewall. The trusted network allows users to access any of the services within it, such as email, Web, file transfer protocol (FTP), proxy, or application servers.

On a typical Air Force Base, employees require different resources depending on what their jobs entail. The main mission of most Air Force Bases is to fly planes, such as jets, helicopters, and heavy aircraft. To support this mission, the Air Force divides its personnel into the following groups: maintenance, operations, logistics, medical, force support, and communications. Although these groups work separately, their shared objective is to accomplish the mission. Each group has different requirements to support its own tasks. No matter the task, they all use software on an end device. Some employees access only Web-based applications; some require database access; and everyone uses the Internet for instructions, technical orders, and email. This particular network environment houses information up to the “Secret” level and can be subjected to a variety of attacks whose main objective is gaining access to the network.

Threats

There are a variety of ways in which this particular system can be attacked. They range from structured to unstructured and from internal to external. Malware is a very common source of attacks on networks; this malicious software is designed to intrude and can be very hostile. Other types of attacks can also be very damaging. Below is a list of attacks the Air Force network may encounter.

· Virus: has the ability to spread from one host to another and is used to steal, alter, or delete data; viruses are often found within emails or downloadable software (Sanchez, 2010)

· Trojan: can be found connected to a piece of legitimate software with intent to record keystrokes and passwords; it can even take control of a computer’s webcam to watch the user; this malware does not replicate (Sanchez, 2010)

· Worm: replicates itself and is similar to viruses except it does not require a host file attachment to spread (Sanchez, 2010)

· Rootkit: a set of tools used to gain administrator access to the network through a “backdoor”

· Phishing: links found in emails lure the user to a legitimate-looking site with the purpose of fooling the person into providing personal information

· Denial-of-Service: floods servers or systems with more traffic than they can handle, with the purpose of crashing them

Suggested Methodology

A signature-based approach could greatly benefit this type of network. This method uses a database of known threats and attacks, with rules that match particular patterns when packets are analyzed. As long as the database is kept up to date, malware attempts can be thwarted by this particular IDPS.

Signatures can be matched on packet contents or on traffic distribution. For instance, in terms of packet distribution, an overload of incoming SYN packets may indicate a denial-of-service attempt. By examining only the headers of packets, the IDPS can be more efficient than when it examines entire packets, which is more thorough but much slower (Taylor, Harrison, Krings, & Hanebutte, n.d.).

Database Security

Another type of environment is a critical infrastructure that centers on database security. For instance, a large bank or financial firm relies heavily on information kept in one or more databases. This data can include private or sensitive data, such as customer information (names, addresses, credit card numbers, social security numbers, etc.), transactions, or other non-public information. Security is the main goal when protecting this type of environment. Unauthorized access to these databases can be extremely detrimental to the bank in terms of revenue loss, reputation, or even legal consequences (Thales e-Security, Inc., 2017).

Threats

· Distributed Denial-of-Service: like a regular denial-of-service attempt, a DDoS floods a network to either slow it down or crash it; however, it uses botnets that may be spread over a large geographical area, making it harder to pinpoint the attacker’s location

· Malware: this includes viruses, worms, Trojans, and rootkits

· Email: phishing attempts are made to trick a user or employee into providing private data; email is also a common delivery channel for malware

Suggested Methodology

In an environment such as this, it could be very difficult to establish a baseline of normal activity. A vast number of people may access the bank’s database from different parts of the world at different times of day. Normal activity in this environment may vary dramatically, which makes an anomaly-based IDPS very inefficient. For this methodology to work effectively, the bank would need to record daily activity over a very long period, and even then the baseline might not be correct, producing too many false positives. A signature-based IDPS would be much more effective in this situation, since known attacks and threats can be readily identified. As new threats are discovered, they should be added to the signature database immediately to keep it current.

WAN Security

A wide area network (WAN) is a network that spans a large geographical area. This could be a few cities, a state, a country, or the whole world. A WAN usually connects separate local area networks (LANs), so that computers in one location can communicate with computers in another. In most cases, WANs are used by enterprises that have many facilities spread over a particular area. The image below depicts a WAN with four separate LANs (University of South Florida, 2013).

Figure 3: Wide Area Network

First Energy is a power company whose territory stretches from the Ohio/Indiana border to the New Jersey shore. In addition to headquarters, there are six power stations in Northern Ohio belonging to one of three subsidiaries: Toledo Edison, Ohio Edison, or The Illuminating Company. First Energy headquarters supplies power to the other six stations via a power plant. Current travels through transformers and across a power grid that supplies electricity to millions of people in Northern Ohio. The stations spread across the state must be able to communicate with headquarters (First Energy, 2017). Each station has a LAN, and they are all connected through a WAN. Without constant communication, these subsidiary companies may not be able to supply the power that citizens need.

Threats

· Email Attacks

· Malware

· Data Breaches

· Unauthorized Access

· Distributed Denial of Service

· Web Application Attacks

According to Burnett (2016), these types of attacks can cause great devastation, such as physical damage to equipment, power outages spanning multiple cities, and equipment malfunctions. In worst-case scenarios, the public could be at risk of serious harm.

Suggested Methodology

Given the many threats First Energy can face, it may be wise to use both methodologies by placing sensors throughout the WAN. A signature-based IDPS can analyze traffic and stop incidents involving malware, application attacks, and email attacks. The organization could also establish a baseline of normal activity and use an anomaly-based IDPS to determine whether abnormal behavior is occurring within the network. In the case of a zero-day attack, the anomaly-based IDPS could detect it by noticing that the activity falls outside the normal pattern. For such a large company, both methodologies should be used.

Conclusion

It is important to choose the correct IDPS for the needs of the network. In three different environments, the requirements and threats were identified. In the internal network architecture, the majority of threats involved malware, so a signature-based IDPS was appropriate. In the database security environment, most of the bank’s threats also involved malware, denial-of-service, and email attacks, so a signature-based IDPS is appropriate for its network as well. In the WAN scenario, however, both methodologies would greatly benefit the company.
