Cryptography: A Technique to Maintain Network Security

Cryptography: A Technique to Maintain Network Security

1 2 3

1

2Director, School of Computational Sciences S.R.T.M.University, Nanded 3

e-mail: [email protected], [email protected], [email protected]

Abstract—Cryptography is the science of writing in secret code. In data and telecommunications, cryptography is necessary when communicating over any entrusted medium, which includes just about any network, particularly the Internet. Cryptography, then, not only protects data from theft or alteration, but it can also be used for user authentication. There are, in general, three types of cryptographic schemes typically used to accomplish these goals: secret key (or symmetric) cryptography, public key (or asymmetric) cryptography, and hash functions, in all cases, the initial unencrypted data is referred to as plaintext. It is encrypted into cipher text, which will in turn (usually) be decrypted into usable plaintext. Before we talk about network security, we need to understand in general terms what security is. Security is a continuous process of protecting an object from attack. Due to heavy use of network based systems now days it is necessary to maintain our computer secured from external threats such as hackers or crackers. Computer attacks are now routine. Security involves the security of all its resources such as its physical and logical. Security means preventing unauthorized access, use, alteration, and theft or physical damage to these resources. This paper identifies security issues for Intrusion detection systems are an important component of defensive measures protecting computer systems and networks from abuse.

Keywords: Cryptography intrusion, detection, IDS, plaintext, cipher text, Network Security

I. INTRODUCTION Cryptography, not only protects data from theft or alteration, but it can also be used for user authentication. There are, in general, three types of cryptographic schemes typically used to accomplish these goals: secret key (or symmetric) cryptography,

Public key (or asymmetric) cryptography, and hash functions, each of which is described below. In all cases, the initial unencrypted data is referred to as plaintext. It is encrypted into ciphertext, which will in turn (usually) be decrypted into usable plaintext. Within the context of any application-to-application communication, there are some specific security requirements, including

Authentication: The process of proving one’s identity. (The primary forms of host-to-host authentication on the Internet today are name based or address-based, both of which are notoriously weak.)

Privacy/confidentiality: Ensuring that no one can read the message except the intended receiver. •

Integrity: Assuring the receiver that the received message has not been altered in any way from the original.

Nonrepudiation: A mechanism to prove that the sender really sent this message.

Fig.1: Secret Key (Symmetric) Cryptography.

A. Secret Key Cryptography

In secret key cryptography, a single key is used for both encryption and decryption. As shown in fig, the sender uses the key (or some set of rules) to encrypt the plaintext and sends the cipher text to the receiver. The receiver applies the same key (or rule set) to decode the message and recover the plaintext. Because a single key is used for both functions, secret key cryptography is also called symmetric encryption there are a number of other secret key cryptography algorithms that are also in use today.

Fig. 2: Public key (Asymmetric) Cryptography using Two Keys (One for Encryption and the Other for Decryption)

B. Public Key Cryptography

Public key cryptography (PKC) was invented in 1976 by Martin Hellmann and Whitfield Daffier of Stanford University to solve the key exchange problem with secret key cryptography. Their scheme requires two keys, where one key is used to encrypt the plaintext and the other key is used to decrypt the cipher text. The important point here is that it does not matter which key is applied first, but both keys are required for the process to work. Because a pair of keys is required, this approach is also Called asymmetric cryptography.

Fig: 3: Hash Functions using no Key (Plaintext is not Recoverable from the Cipher Text)

Department of Computer Science S.G.B. College, Purna Gajanan D. Kurundkar, Santosh D. Khamitkar and Nitin A. Naik

Department of Computer Science and IT, Yeshwant College, Nanded

International Journal of Cryptography and Security Volume 1, Issue 1, 2011, pp-01-05 Available online at: http://www.bioinfo.in/contents.php?id=115

International Journal of Cryptography and SecurityVolume 1, Issue 1, 2011

C. Hash Functions

Hash functions, also called message digests and one-way encryption, are algorithms that, in some sense, use no key. Instead, they transform the plaintext mathematically so that the contents and length of the plaintext are not recoverable from the cipher text. Furthermore, there is a very low probability that two different plaintext messages will yield the same hash value. Hash algorithms are typically used to provide a digital fingerprint of the contents of a file often used to ensure that the file has not been altered by an intruder or virus. Hash functions are also commonly employed by many Operating systems to encrypt passwords. Signatures include checksums, message-digest algorithms, and hash functions. A hash function computes a string of characters, usually a shorter and fixed in length, that represents the original string. A message-digest algorithm is one type of hash function. [1]

D. Network Security

Security is a continuous process of protecting an object from attack

1. Confidentiality

To prevent unauthorized discovery of information to third parties. This includes the discovery of information about resources.

2. Integrity

To prevent unauthorized modification of resources and maintain the status quo.

3. Availability

To prevent unauthorized preservation of system resources from those who need them when they need them.

E. Physical Security

Physical security is surrounded by a barricade like a boundary marker, has secure areas both inside and outside, and can resist access by intruders. Internet is changing computing as we know it. The possibilities and opportunities are limitless; unfortunately, so too are the risks and chances of malicious intrusions. It is very important that the security mechanisms of a system are designed so as to prevent unauthorized access to system resources and data. However, completely preventing breaches of security appear, at present, unrealistic. We can, however, try to detect these intrusion attempts so that action may be taken to repair the damage later. This field of research is called Intrusion Detection. Anderson, while introducing the concept of intrusion detection in 1980 [2] defined an intrusion attempt or a

threat to be the potential possibility of a deliberate unauthorized attempt to

access information, manipulate information, or Render a system unreliable or unusable.

Since then, several techniques for detecting intrusions have been studied. This paper discusses why intrusion detection systems are needed, the main techniques, present research in the field, and possible future directions of research.

II. THE NEED FOR INTRUSION DETECTION SYSTEMS

A computer system or computer network should provide confidentiality, integrity and assurance against denial of service. However, due to increased connectivity (especially on the Internet), and the vast spectrum of financial possibilities that are opening up, more and more systems are subject to attack by intruders. These subversion attempts try to exploit flaws in the operating system as well as in application programs and have resulted in spectacular incidents like the Internet Worm incident of 1988. [3].There is two ways to handle subversion attempts. One way is to prevent subversion itself by building a completely secure system. We could, for example, require all users to identify and authenticate themselves; we could protect data by various cryptographic methods and very tight access control mechanisms. However this is not really feasible because:

Cryptographic methods have their own problems. Passwords can be cracked, users can lose their passwords, and entire crypto-systems can be broken.

Even a truly secure system is vulnerable to abuse by insiders who abuse their privileges.

It has been seen that that the relationship between the level of access control and user efficiency is an inverse one, which means that the stricter the mechanisms, the lower the efficiency becomes.

This is essentially what an Intrusion Detection System (IDS) does. An IDS does not usually take preventive measures when an attack is detected; it is a reactive rather than pro-active agent. Intrusion detection system plays important role for Intrusion detection. The most popular way to detect intrusions has been by using the audit data generated by the operating system. An audit trail is a record of activities on a system that are logged to a file in chronologically sorted order. Since almost all activities are logged on a system, it is possible that a manual inspection of these logs would allow intrusions to be detected. However, large sizes of audit data generated (on 100 Megabytes a day) make manual analysis impossible. Audit trails are particularly useful because they can be used to establish fault of attackers, and they are often the only way to detect



unauthorized but subversive user activity. Many times, even after an attack has occurred, it is important to analyze the audit data so that the extent of damage can be determined, the tracking down of the attackers is facilitated, and steps may be taken to prevent such attacks in future. IDS can also be used to analyze audit data for such insights. This makes IDS valuable as real-time as well as investigation analysis tools. Anderson also classified intruders into two types, the external intruders who are unauthorized users of the machines they attack, and internal intruders, who have permission to access the system, but not some portions of it [2]. He further divided internal intruders into intruders who masquerade as another user, those with legitimate access to sensitive data, and the most dangerous type, the clandestine intruders who have the power to turn off audit control for them.

III. CLASSIFICATION OF INTRUSION DETECTION SYSTEMS

Intrusions can be divided as follows. Attempted break-ins, which are detected by

atypical behavior profiles or violations of security constraints.

Masquerade attacks, which are detected by atypical behavior profiles or violations of security constraints.

Penetration of the security control system, which are detected by monitoring for specific patterns of activity.

Leakage, which is detected by atypical use of system resources.

Denial of service, which is detected by atypical use of system resources.

Malicious use, which is detected by atypical behavior profiles, violations of security constraints, or use of special privileges. [4]

A. Intrusion Detection

1. Anomaly detection

Attempts to model normal behavior. Any events which violate this model are considered to be suspicious. For example, a normally passive public web server attempting to open connections to a large number of addresses may be indicative of a worm infection. Anomaly detection techniques assume that all intrusive activities are necessarily anomalous. Anomaly detection can be static or dynamic. A fixed anomaly detection system is based on the hypothesis that there is a fixed part of the system being monitored. Static portions of the system can be represented as a dual string or a set of dual strings (like files). If the fixed part of the system ever deviates from its original form, either an error has occurred or an intruder has altered the fixed part of the system [5]. Dynamic anomaly detectors are harder to build since building them requires a definition of

behavior, which is often defined as a sequence (or partially ordered Sequence) of distinct events. Differentiating between normal and anomalous activity in dynamic anomaly detection systems is much harder than the problem of distinguishing changes in static elements. Dynamic anomaly detection systems usually create a base profile to characterize normal, acceptable behavior. This means that if we could establish a "normal activity profile" for a system, we could, in theory, flag all system states varying from the established profile by statistically significant amounts as intrusion attempts. However, if we consider that the set of intrusive activities only intersects the set of anomalous activities instead of being exactly the same, we find a couple of interesting possibilities: (1) Anomalous activities that are not intrusive are flagged as intrusive. (2) Intrusive activities that are not anomalous result in false negatives (events are not flagged intrusive, though they actually are). This is a dangerous problem, and is far more serious than the problem of false positives. The main issues in anomaly detection systems thus become the selection of threshold levels so that neither of the above 2 problems is unreasonably magnified, and the selection of features to monitor. Anomaly detection systems are also computationally expensive because of the overhead of keeping track of, and possibly updating several system profile metrics. Diagram of a typical anomaly detection system is shown in Figure 1.

2. Misuse detection

The misuse detection is mainly concerned with identifying the things which are not common to the system. Some intruders may attempt to log into system using some well known techniques. Now here it is necessary that the corresponding system security administrator should know all the known characteristics of the attack then and then only the misuse detection system would be able to identify the occurrences of the uncommon processes or files and eliminate them. A fairly precisely known kind of intrusion is known as intrusion circumstances. A misuse detection system compares current system activity to a set of intrusion scenarios in an attempt to identify a scenario in progress. The differentiating factor between the various misuse detection techniques is the model used for

Cryptography: A Technique to Maintain Network Security ♦



describing bad behaviors that constitute intrusions. Rules have been primarily used to model the system administrator's knowledge about the system. Rule-based systems accumulate large numbers of rules which usually prove difficult to understand and modify. In order to overcome these problems model based rule organizations and state-transition representations were proposed. These modeling approaches are more unstructured particularly in misuse detection systems where users need to express and understand scenarios. An example of such system is USTAT (Unix State Transition Analysis Tool) [6].The main advantage of a misuse detection system is that the system knows for a fact how normal behavior should noticeable itself. This leads to a simple and efficient processing of the audit data. The obvious disadvantage of such systems is that the specification of the signatures to be detected is a time-consuming task that requires lots of domain knowledge. At the same time, misuse detection systems lack the ability to identify original intrusion profiles. Many systems attempt to combine both of these techniques. The problem of false positives causes many commercial IDS offerings to focus on misuse detection leaving anomaly detection to research systems. [9]. The concept behind misuse detection schemes is that there are ways to represent attacks in the form of a pattern or a signature so that even variations of the same attack can be detected. This means that these systems are not unlike virus detection systems they can detect many or all known attack patterns, but they are of little use for as yet unknown attack methods. An interesting point to note is that anomaly detection systems try to detect the accompaniment of terrible behavior. Misuse detection systems try to recognize known bad behavior. The main issues in misuse detection systems are how to write a signature that encompasses all possible variations of the related attack, and how to write signatures that do not also match non intrusive activity. Several methods of misuse detection, including a new pattern matching model are discussed later. A block diagram of a typical misuse detection system is shown in Figure 2 below.

3. Statistical Anomaly

To fully characterize the traffic behavior in any network, various statistical measures are used to capture this behavior. For example, normal TCP traffic follows

a well-defined three-way handshake process for connection setup, goes through data transfer phase, and then completes the communication by tearing down the connection. At any given point of observation on a network, there is a stable balance among different types of TCP packets in the absence of attacks. This balance can be learned and compared against short-term observations that will be affected by attack events. Additionally, the statistical algorithm must recognize the difference between the long-term (assumed normal) and the short-term observations in a given protected environment to avoid generating false alarms on normal traffic variations. Another type of measure could capture the intensity of the traffic monitored and traffic rate distributions on a multi-week scale are fairly stable for any normal network environments. [7]

4. Keystroke monitoring Keystroke Monitoring is a very simple technique that monitors keystrokes for attack patterns. Unfortunately the system has several defects of features of shells like bash, ksh, and tcsh in which user definable aliases are present defeat the technique unless alias expansion and semantic analysis of the commands is taken up. The method also does not analyze the running of a program, only the keystrokes. This means that a malicious program cannot be flagged for intrusive activities. Operating systems do not offer much support for keystroke capturing, so the keystroke monitor should have a hook that analyses keystrokes before sending them on to their intended receiver. An improvement to this would be to monitor system calls by application programs as well, so that an analysis of the program's execution is possible.

5. Model based intrusion detection

Model based intrusion detection states that certain scenarios are inferred by certain other observable activities. If these activities are monitored, it is possible to find intrusion attempts by looking at activities that infer a certain intrusion scenario. The model based scheme consists of three important modules [8]. The anticipator uses the active models and the scenario models to try to predict the next step in the scenario that is expected to occur. A scenario model is a knowledge base with specifications of intrusion scenarios. The planner then translates this hypothesis into a format that shows the behavior as it would occur in the audit trail. It uses the predicted information to plan what to search for next. The interpreter then searches for this data in the audit trail. The system proceeds this way, accumulating more and more evidence for an intrusion attempt until a threshold is crossed; at this point, it signals an intrusion attempt.



IV. CONCLUSION Cryptography is being used to maintain computer network security from external threats like Intruders. Intrusion detection is a viable and practical approach for providing a different notion of security in our huge and existing infrastructure of computer and network system. Intrusion detection system are based on host audit trail and network traffic analysis, and their goal is to detect attacks, preferably in real time. A number of prototype intrusion detection systems have been built, and this concept has been proven to be extremely talented. In future, it is expected that the current prototypes will be developed further in order to turn them into production quality systems. In addition much more experiment is expected to conducted unsuspicious behavior patterns.

REFERENCES [1] Methodology for Penetration Testing by Farkhod Alisherov A.,

and Feruza Sattarova Y. International Journal of of Grid and Distributed Computing Vol.2, No.2, June 2009

[2] J.P Anderson. Computer Security Threat Monitoring and Surveillance. Technical Report, James P Anderson Co., Fort Washington, Pennsylvania, April 1980.

[3] Computer System Intrusion Detection:A Survey by Anita K. Jones and Robert S. Sielken Department of Computer Science University of Virginia Thornton Hall Charlottesville, 02/09/2000.

[4] Eugene H Spafford. The Internet Worm Program: An Analysis. In ACM Computer Communication Review; 19(1), pages 17-57, Jan 1989.

[5] Intrusion Detection Technology, Tyrone Grandison and Evimaria Terzi IBM Almaden Research Center 650 Harry Road, San Jose, CA 95120 ftyroneg,[email protected] September 7, 2007

[6] State transition analysis: Arule-based intrusion detection approach, Koral Ilgun, Richard A. Kemmerer, and Phillip A. Porras. IEEE Trans. Software Eng.,21(3):181{199,1995

[7] Anomaly based network intrusion detection by observing deviations from normal system patterns. By G.D Kurundkar, S.D Khamitkar & Naik Nitin CSCIT2010 9,11 Jan-2010.

[8] T.D Garvey and Teresa F Lunt. Model based intrusion detection. In Proceedings of the 14th National Computer Security Conference, pages 372-385, October 1991.

[9] Intrusion Detection Techniques and Approaches, Theuns Verwoerd and Ray Hunt,Department of Computer ScienceUniversity of Canterbury, New Zealand

Cryptography: A Technique to Maintain Network Security ♦



Cryptography: A Technique to Maintain Network Security

Documents

Transcript of Cryptography: A Technique to Maintain Network Security