
Question: How is protocol anomaly detection helpful in intrusion detection systems?

Asked by helene (33 points) on Aug 4, 2009  under Internet & Computers 1 answers



Answers
Brianna (96 points)

on Aug 4, 2009

Intrusion is harmful for personal PCs, organizations, government agencies, and sensitive installations such as nuclear, space and military programs. Some of the high-profile intrusive events are given below. In 1997 Department of Defense systems were hacked for a year and unclassified sensitive information was extracted. In 1999 NASA systems were hacked for file listings and people directories. Parking tools were installed as reference points. Attacks were reported on US official sites during the American bombing of the Chinese Embassy in Belgrade in 1999. According to data gathered in 1999 there were 80 to 100 attacks daily on US military systems. The sophistication of attacks had increased, such as limiting the number of pings, etc.



In the early days intrusions were carried out by experts to gauge their skills. They developed their own tools and wrote their own scripts. Later on, hacking was carried out due to other factors such as financial, political and military ones. Mostly e-commerce web sites are targeted for financial gain.



To deal with these problems, IDS are developed. These systems are handled and monitored by professionals. The IDS warns the administrator when suspicious activity takes place. If the IDS has active response then it will carry out a counterattack. The IDS gathers data such as network taps, syslog records and audit records. These data are fed into a detection algorithm. The ability of the detection algorithm to map data to attack or normal data determines its effectiveness. The detection algorithm is considered effective if its detection rate is high and its false alarm rate is low.



IDS are classified into signature detection and anomaly detection. Signature detection uses intrusion models to detect the events that misuse the system. All incoming events are matched against the intrusion models and if there is a match then it is considered an attack. An intrusion model can be a portion of a TCP packet such as flags, etc.



It is effective in the case of known attacks for which intrusion models are present, but it cannot detect new forms of attacks. Sometimes false alarms are generated, which leads to wastage of time for the administrator. To effectively counter an attack, sometimes multiple signatures are used, but this increases processing time and packets are dropped due to buffer overflow. Therefore a balancing act is required between strong signatures and data rate.



Anomaly detection uses normal use models. They are based on statistics and the behavior of network activity. All activities are compared with the models and if they do not match then they are considered attacks.



Anomaly detection works for a specific network environment and generates a lot of false alarms because many activities do not match the normal use models. For example, anomaly detection will consider a rapid increase in SMTP traffic due to some event as a Denial of Service attack at times when normally there is low traffic. Events can be an election or an earthquake, etc.



Protocol Anomaly Detection is based on well-defined RFCs. Generally IDS are used after the firewall to prevent application-level intrusion, whereas it can be used for intrusion detection at the network level, application level and command level.



RFCs define the behavior of a protocol in detail; therefore Protocol Anomaly Detection is easier to build. It consists of states where the intrusion detection system goes from one state to another based on specified rules. A mapping can be provided for the violation at each state so that the administrator can understand the kind of attack. The RFC of TCP defines states such as closed, listen, synsent, synrcvd, established, time_wait, etc., and these can be helpful in designing a network-based intrusion detection system. PAD is based on a normal use model or correct behavior model; therefore if an activity does not match the model then it is considered an attack.



NIMDA malware was designed to attack IIS and IE. After attacking a system it propagated to other systems. It used the Extended Unicode Directory Traversal vulnerability by using overlong UTF-8 characters, whereas the Unicode Standard only allows the shortest form of a Unicode string to be interpreted. When these Uniform Resource Identifiers were decoded, they allowed remote access to cmd.exe on the system.



If PAD is used for application-level ID such as HTTP then it will have states. When the client sends a request which includes encoded URIs, the IDS is in the ‘Client Request’ state. It has to perform validation before moving to the ‘Server send’ state. As the request consists of an encoded URI, it has to follow the Unicode standard rules, which do not allow overlong UTF-8 characters. The IDS will warn the administrator about the NIMDA attack. Signature detection systems were unable to detect this attack because it was a new kind of attack.



In SMTP all commands have a maximum size; therefore a single check on the command can prevent a buffer overrun, because PAD matches the size of each command and in case of a match failure the command is considered an attack. In a signature detection system there will be a signature for each attack.



The email address has a limited number of allowed characters; therefore processing of the address characters can detect any executable code.



A PAD system is easier to implement because it is based on protocols defined in RFCs, whereas signature detection systems are difficult to design because there are few right behaviors and many wrong behaviors, and to design for each and every possible wrong behavior is a difficult task. Similarly, anomaly detection systems are based on statistics in a certain environment; therefore they are difficult to implement in real life. A PAD system can detect both known and unknown attacks, whereas a signature detection system only detects known attacks, as in the case of the NIMDA malware.



In a PAD system a single check at any state can detect different attacks that are based on the same protocol violation. In the case of a signature detection system, each attack requires a corresponding intrusion model. A PAD system only updates when there is a change in the protocol’s RFC. As we know, changes in a protocol’s RFC are few and take long time periods; therefore its updates are also minimal. As the number of new viruses and worms increases over time, in the case of a signature detection system there are new signatures for each new attack and the system requires frequent upgrading.



The processing time in a PAD system is fast because few rules govern each state. Therefore there is never a buffer overflow because of intrusion detection processing of packets. In the case of signature detection, each packet has to be matched against multiple signatures; therefore it takes a lot of processing time, which can lead to buffer overflow. The incoming packets will be dropped and the data rate will be affected. A PAD system can detect command-based attacks. As commands are executed in sequence, any command that is out of sequence will be considered an attack. A PAD system is vulnerable to virus or worm attacks which do not violate protocol rules, such as email attachments which can carry viruses or worms.
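An added example, not part of the original answer, of the two protocol checks the answer describes: an HTTP ‘Client Request’ state check that percent-decodes the request-target and alerts on any overlong UTF-8 sequence (the shortest-form rule of RFC 3629), and an SMTP command-line size check. The sample request lines are constructed; the 512-octet SMTP command-line limit (RFC 5321) is an assumption of this example.

```python
import re

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
_MIN_CP = {2: 0x80, 3: 0x800, 4: 0x10000}   # smallest code point each sequence length may encode
SMTP_MAX_COMMAND_LINE = 512                  # RFC 5321 limit incl. CRLF (assumed value for this example)

def percent_decode(target: str) -> bytes:
    """Decode %XX escapes in a request-target to raw bytes; other characters pass through."""
    out, i = bytearray(), 0
    while i < len(target):
        m = _PCT.match(target, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out += target[i].encode("utf-8")
            i += 1
    return bytes(out)

def find_overlong_utf8(data: bytes) -> list:
    """Return (offset, sequence) for every multi-byte sequence encoding a value below the minimum for its length."""
    found, i = [], 0
    while i < len(data):
        b = data[i]
        n = 2 if 0xC0 <= b <= 0xDF else 3 if 0xE0 <= b <= 0xEF else 4 if 0xF0 <= b <= 0xF7 else 1
        seq = data[i:i + n]
        if n > 1 and len(seq) == n and all(0x80 <= c <= 0xBF for c in seq[1:]):
            cp = b & (0x7F >> n)                 # payload bits of the lead byte
            for c in seq[1:]:
                cp = (cp << 6) | (c & 0x3F)      # six payload bits per continuation byte
            if cp < _MIN_CP[n]:
                found.append((i, seq))           # overlong: a shorter encoding exists
        i += n
    return found

def check_http_request_line(line: str) -> str:
    """'Client Request' state check: alert on overlong UTF-8 in the percent-decoded target."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "alert: malformed request line"
    bad = find_overlong_utf8(percent_decode(parts[1]))
    if bad:
        return "alert: overlong UTF-8 at offset %d (%s)" % (bad[0][0], bad[0][1].hex())
    return "ok"

def check_smtp_command_line(line: bytes) -> str:
    # Size check on one raw SMTP command line, CRLF included, as the answer describes.
    if len(line) > SMTP_MAX_COMMAND_LINE:
        return "alert: command line of %d octets exceeds %d" % (len(line), SMTP_MAX_COMMAND_LINE)
    return "ok"
```

A valid two-byte sequence such as %C3%A9 passes, while %C0%AF (an overlong encoding of ‘/’) is reported with its byte offset.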

