Introduction to Intrusion Detection
4.7.1 Introduction to Intrusion Detection
Governments, banks and large enterprises usually run their own intranets. In these organizations the administrative structure is pyramidal, but the network is administered as a flat structure. Intrusion into the internal systems of an enterprise, with damage done and important information leaked, has become a serious problem. Statistical data indicate that more than 80% of intrusions come from the intranet. On the other hand, abuse of network resources can also cause great loss to enterprises.
The concept of intrusion: a system is subject to intrusion when (1) an illegal user accesses the system, or (2) a legal user accesses unauthorized information or executes unauthorized operations.
Detecting and preventing intrusion, so as to guarantee the security of computer systems, network systems and the whole information infrastructure, has become an important research subject. Intrusion detection is one of the core technologies of security auditing as well as an important part of network security maintenance.
Intrusion detection is a technology developed to report unauthorized operations or other abnormal phenomena in a system; it is used to detect insecure operations in the network. Insecure operations include intrusion (unauthorized operations by illegal users) and abuse (unauthorized operations by legal users).
Using audit records, an intrusion detection system can detect unauthorized activities and so help ensure system security. An intrusion detection system can detect an attack before the attack takes effect. When an intrusion is detected, an alarm is raised and the protection system is initiated to remove the intrusion. After the intrusion is removed, the system can gather information about the attack and add it to its knowledge base, which improves the system's ability to resist such attacks.
After several years of development, intrusion detection products have entered a period of fast growth. An intrusion detection product usually consists of two parts: the sensor and the console. The sensor gathers data, such as packets and system logs, and analyzes it. The console provides central management.
Introduction to E-commerce
Commercial products usually provide a GUI console, most of which support the Windows NT platform.
Technically, these products fall into two main categories: network-based products and host-based products. A hybrid intrusion detection system can offset the one-sidedness of purely network-based and host-based products. In addition, a tool that checks the integrity of files can also be regarded as a kind of intrusion detection product.
Network-based products are placed at comparatively important points in the network, where they monitor the data packets and analyze each suspicious packet. If a packet matches the product's built-in rules, the intrusion detection system raises an alarm or cuts off the connection directly. Currently most products are network-based. Among them are several well-known open-source products, such as Snort, NFR and Shadow.
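The rule-matching step described above, as an added illustration that is not code from the original text or from any of the products it names: a sensor runs each observed packet past a list of built-in rules, and a hit produces either an alarm or an alarm plus a "cut off the connection" action. Packets, rules, rule identifiers, addresses and the traffic sample are all constructed for this example; real products use far richer rule languages and read live traffic rather than an in-memory list.

```python
"""Minimal signature-based network IDS sensor over constructed packet records."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int              # rule identifier (constructed values)
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    pattern: bytes        # regex applied to the payload
    msg: str
    action: str           # "alert" raises an alarm; "drop" also cuts the connection

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return re.search(self.pattern, pkt.payload, re.IGNORECASE) is not None


# Constructed rule set; the patterns only illustrate how selector + payload matching works.
RULES = [
    Rule(1001, "tcp", 80, rb"\.\./\.\./", "Directory traversal attempt", "alert"),
    Rule(1002, "tcp", 80, rb"<script[^>]*>", "Cross-site scripting probe", "alert"),
    Rule(1003, "tcp", 23, rb".", "Telnet session on monitored segment", "drop"),
]


def inspect(packets, rules=RULES):
    """Run every packet past every rule; return one alert record per (packet, rule) hit."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                alerts.append({"sid": rule.sid, "msg": rule.msg, "action": rule.action,
                               "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport})
    return alerts


# Constructed traffic sample: two benign packets, two that match rules.
SAMPLE = [
    Packet("10.0.0.5", "10.0.1.20", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.9", "10.0.1.20", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("10.0.0.7", "10.0.1.30", "tcp", 23, b"\xff\xfd\x18"),
    Packet("10.0.0.5", "10.0.1.20", "udp", 53, b"\x12\x34\x01\x00"),
]

if __name__ == "__main__":
    for a in inspect(SAMPLE):
        print(f"[{a['action'].upper()}] sid={a['sid']} "
              f"{a['src']} -> {a['dst']}:{a['dport']} {a['msg']}")
```

The sensor here reports into an alert list that a console would collect; the "drop" action is only recorded, since whether a sensor may actively cut a connection is a deployment decision. Note how the weakness discussed later in the text follows directly from the design: a sensor only sees the packets that reach it, and an encrypted payload would never match a payload pattern.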
Advantages of a network-based intrusion detection system: (1) A network-based intrusion detection system is capable of detecting attacks from the Internet, as well as illegal access.
(2) A network-based intrusion detection system does not require any change to the configuration of the hosts. Since no additional software is installed on the host, it does not degrade host performance by consuming host resources such as CPU, I/O and disk.
(3) Unlike routers, firewalls and other key devices, a network-based detection system does not sit on the critical path of the system, so a failure of the detection system does not affect normal operation. Setting up a network-based intrusion detection system is therefore less risky than setting up a host-based one.
(4) Network-based detection systems show a trend toward becoming specialized appliances. Installing one is now simple and convenient: all that is needed is to connect it to the network and make the necessary settings.
Weaknesses of a network-based detection system: (1) A network-based system can only check the network segment to which it is directly connected, and its monitoring is limited on switched Ethernet. If more sensors are installed to cover more segments, the cost of the system increases greatly.
(2) For the sake of high performance, a network-based system usually employs feature (signature) matching, which can detect common attacks but cannot carry out large amounts of computation and analysis.
(3) A network-based system may return a tremendous amount of data to the analysis system, generating a huge analytical data flow. Some systems reduce this back-flow of data by letting the sensors decide on the intrusion themselves, which in turn weakens the cooperation between sensors.
(4) It is more difficult for a network-based system to process encrypted sessions. As IPv6 comes into wider use, this problem will become more prominent.
Host-based intrusion detection products are usually installed on the hosts to be monitored, where they analyze the system logs and real-time connections. If the activities on the host are very suspicious, the detection system takes corresponding measures.
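The log analysis a host-based product performs, as an added example that is not code from the original text or from any product it names. It checks the system log for the two kinds of intrusion defined at the start of the section: an illegal user trying to get in (repeated failed logins from one source) and a legal user accessing information outside their authorization. The log line format, user names, paths, the authorization table and the failure threshold are all constructed for this example; a real host sensor would read the operating system's own log format and access-control configuration.

```python
"""Minimal host-based intrusion detector over constructed system log lines."""
import re
from collections import defaultdict

# Constructed log format: "<time> <event> user=<name> src=<ip> [path=<path>]"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: path=(?P<path>\S+))?$"
)

FAILED_LOGIN_THRESHOLD = 3  # constructed policy value

# Constructed authorization table: path prefixes each legal user may read.
AUTHORIZED = {
    "alice": ("/home/alice/", "/srv/reports/"),
    "bob": ("/home/bob/",),
}


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Return (kind, subject, message) alerts for brute-force logins and unauthorized reads."""
    failures = defaultdict(int)  # failed-login count per source address
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable line: skipped here, counted as an anomaly in a real sensor
        if rec["event"] == "login_failed":
            failures[rec["src"]] += 1
            if failures[rec["src"]] == FAILED_LOGIN_THRESHOLD:  # alert once per source
                alerts.append(("intrusion", rec["src"],
                               f"{FAILED_LOGIN_THRESHOLD} failed logins from {rec['src']}"))
        elif rec["event"] == "file_read":
            path = rec["path"] or ""
            allowed = AUTHORIZED.get(rec["user"], ())
            if not any(path.startswith(prefix) for prefix in allowed):
                alerts.append(("abuse", rec["user"],
                               f"{rec['user']} read {path} outside authorized paths"))
    return alerts


# Constructed sample log: one brute-force burst, one unauthorized read by a legal user.
SAMPLE_LOG = """
09:00:01 login_failed user=root src=10.0.0.77
09:00:02 login_failed user=root src=10.0.0.77
09:00:03 login_failed user=admin src=10.0.0.77
09:00:04 login_failed user=admin src=10.0.0.77
09:01:10 login_ok user=alice src=10.0.2.5
09:01:12 file_read user=alice src=10.0.2.5 path=/srv/reports/q1.csv
09:01:15 file_read user=alice src=10.0.2.5 path=/home/bob/payroll.xlsx
09:02:00 login_ok user=bob src=10.0.2.8
09:02:03 file_read user=bob src=10.0.2.8 path=/home/bob/notes.txt
""".strip().splitlines()

if __name__ == "__main__":
    for kind, subject, msg in analyze(SAMPLE_LOG):
        print(f"[{kind.upper()}] {msg}")
```

This is the kind of detail the text credits host-based systems with: the detector knows which user ran which operation on which file, information a network sensor watching packets cannot recover. It also shows the dependency the weaknesses list points out, namely that the detector is only as good as the logging the host actually produces.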
Advantages of a host-based intrusion detection system: (1) A host-based system is particularly effective against "possible attacks". For example, it can specify the activities of the intruders: what programs they have run, what files they have opened, what system calls they have used. A host-based system can usually provide more detailed information than a network-based one.
(2) The false-report rate of a host-based system is usually lower than that of a network-based system, since it is easier to check a command sequence than to check network flow.
(3) A host-based detection system can be installed where the bandwidth between the sensor and the console is insufficient and extensive intrusion detection is not required.
Weaknesses of a host-based detection system: (1) A host-based system is installed on the very equipment we want to protect. For example, if a database server needs protection, the intrusion detection system must be installed on the server itself, which reduces the efficiency of that server. Moreover, it brings an extra problem in that installing the host-based intrusion detection system gives the security administrator access to the server.
(2) Another problem with the host-based detection system is that it relies on the server's logs and monitoring capacity. If the server does not have logging enabled, it must be reconfigured, which may have an unpredictable impact on the host's performance.
(3) Configuring host-based intrusion detection for the whole enterprise is costly, so only some of the hosts can be protected in this way. The hosts that are not protected may then become targets of attack.
(4) A host-based detection system monitors only the host and provides no monitoring of the network. The workload of analyzing intrusions increases with the number of hosts.
