Network security problems have grown in importance together with the growth of the Internet. This article introduces the basics of the host security problem, reviews the most important intrusion detection methods, and finally proposes a novel solution. Various kinds of security software that make use of the network have been described in the literature (Snort, 2006). The novelty of the proposed method is that its clients, running on each host, form a peer-to-peer (P2P) overlay network. Organization is automatic and requires no user interaction. This network model ensures stability, which is important for quick and reliable communication between nodes. Its main idea is that the network, which is the easiest route for attacking networked computers, is itself used by the novel approach to improve the efficiency of the protection. Because of this construction the system remains usable over an unstable network. The first implementation of the proposed method has shown its ability to protect the operating systems of networked hosts.
The Problem Of Host Security
This section describes basic security concepts and the dangers threatening user data and resources. We describe the different kinds of attack and their common features one by one, and show the usual protection methods against them.
Information stored on a computer can be of a personal or business character, private or confidential. An unauthorized person may therefore try to steal it; the possible cases are listed in Table 1. Stored data can not only be stolen but also changed: information modified on a host can be extremely effective for causing economic damage to a company.

Table 1. The types of information theft

• An unauthorized person gains access to a host.
• Abuse by an authorized user.
• Monitoring or interception of network traffic by a third party.
Not only data but also resources have to be protected, and a resource is not only hardware. A typical type of attack is to gain access to a computer in order to launch further attacks from it. This makes the identification of the original attacker more difficult, since each intruded host in the chain sees only the IP address of the previous one as its attacker.
Intrusion attempts use different methods depending on their purpose, but these methods have things in common: they scan network ports or whole subnetworks for services, and they make many attempts in a short time. This can be used to detect such attempts and to prepare the protection.
When the aim is to download data or to disrupt the functioning of a host, the network address of the target is already known to the attacker. He or she scans the host for open network ports in order to find buggy service programs. This is the well-known port scan: the whole range of service ports is probed one by one, with the object of finding a security hole that can be used to gain access to the system (Teo, 2000). The most widely known application for this purpose is Nmap (Nmap Free Security Scanner, Tools, & Hacking Resources, 2006). It is important to notice that Nmap was not written with bad intentions, but, like any tool, it can also be used in an unlawful way.
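The two common features named above, many distinct targets from one source and many attempts in a short time, are exactly what a host-side port scan detector keys on. The following is an added example written for this article, not code from the paper or from Nmap: it runs a sliding-window counter over a constructed connection log and raises an alert for a port scan (one source, one host, many ports) and for a sweep (one source, one port, many hosts). The log format, the window length, both thresholds and the sample lines are assumptions made for the example.

```python
"""Port scan / host sweep detector over a connection log.

Added example (not from the paper): implements the heuristic that one
source probing many distinct ports or hosts within a short time is a
reconnaissance burst.  Log format, thresholds and sample lines are
assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # assumed: what counts as "a short time"
PORT_THRESHOLD = 10              # assumed: distinct ports on one host
HOST_THRESHOLD = 5               # assumed: distinct hosts on one port

# Constructed sample log, one connection attempt per line:
# "<ISO timestamp> <src ip> <dst ip> <dst port> <tcp flags>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 192.168.1.10 22 S
2024-01-01T10:00:00 10.0.0.5 192.168.1.10 23 S
2024-01-01T10:00:01 10.0.0.5 192.168.1.10 25 S
2024-01-01T10:00:01 10.0.0.5 192.168.1.10 80 S
2024-01-01T10:00:01 10.0.0.5 192.168.1.10 110 S
2024-01-01T10:00:02 10.0.0.5 192.168.1.10 143 S
2024-01-01T10:00:02 10.0.0.5 192.168.1.10 443 S
2024-01-01T10:00:02 10.0.0.5 192.168.1.10 3306 S
2024-01-01T10:00:03 10.0.0.5 192.168.1.10 8080 S
2024-01-01T10:00:03 10.0.0.5 192.168.1.10 5432 S
2024-01-01T10:00:05 10.0.0.7 192.168.1.10 80 S
2024-01-01T10:02:00 10.0.0.7 192.168.1.10 443 S
2024-01-01T10:04:00 10.0.0.7 192.168.1.10 22 S
2024-01-01T10:10:00 10.0.0.9 192.168.1.11 445 S
2024-01-01T10:10:00 10.0.0.9 192.168.1.12 445 S
2024-01-01T10:10:01 10.0.0.9 192.168.1.13 445 S
2024-01-01T10:10:01 10.0.0.9 192.168.1.14 445 S
2024-01-01T10:10:02 10.0.0.9 192.168.1.15 445 S
"""


def parse_line(line):
    ts, src, dst, port, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), flags


def detect(lines, window=WINDOW, port_threshold=PORT_THRESHOLD,
           host_threshold=HOST_THRESHOLD):
    """Return alerts as (kind, src, target, distinct_count, ts) tuples.

    kind 'portscan': one source, one destination host, many ports.
    kind 'sweep':    one source, one destination port, many hosts.
    Each (kind, src, target) fires at most once, so a long scan does not
    produce one alert per probe packet.
    """
    windows = defaultdict(deque)   # (kind, src, target) -> deque of (ts, value)
    fired = set()
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, src, dst, port, flags = parse_line(raw)
        if "S" not in flags:       # only connection attempts (SYN) are probes
            continue
        for kind, target, value, threshold in (
            ("portscan", dst, port, port_threshold),
            ("sweep", port, dst, host_threshold),
        ):
            key = (kind, src, target)
            q = windows[key]
            q.append((ts, value))
            while ts - q[0][0] > window:     # drop events outside the window
                q.popleft()
            distinct = len({v for _, v in q})
            if distinct >= threshold and key not in fired:
                fired.add(key)
                alerts.append((kind, src, target, distinct, ts))
    return alerts


if __name__ == "__main__":
    for kind, src, target, n, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind}: {src} -> {target} ({n} distinct in window)")
```

On the sample log, 10.0.0.5 trips the port scan rule after its tenth distinct port within three seconds, while 10.0.0.7 touching three ports over four minutes stays below the window. The sweep rule only fires here because the example log sees all five target hosts; a single host watching its own interface sees one probe of a sweep, which is why observations have to be combined across hosts, the point of the cooperative approach proposed later in the article. A scanner that spaces its probes further apart than the window evades this detector by design; lowering the thresholds trades that evasion for false positives on busy clients.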
Modern intrusion methods exploit software and hardware weaknesses simultaneously. A well-known example is the family of ARP poisoning attacks on switched networks. An attacker who has already gained access to a host on a subnetwork sends a large number of address resolution protocol (ARP) frames through its interface. Forged replies rebind the IP addresses of victims to the attacker's MAC address, and a flood of frames with spoofed source addresses overflows the address table of the switch, so that it falls back to hub-like behaviour and forwards every frame to every port; in both cases traffic addressed to other hosts becomes visible on the attacker's interface. The traffic can then be analyzed by the attacker to obtain passwords or other data. Therefore, to detect modern, multi-level intrusions, a single probe is not enough (Symantec Internet Security Threat Report, Volume III, 2005).
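Both halves of the attack just described leave a trace that a host can watch for on its own ARP traffic: a known IP address suddenly answered by a different MAC address (poisoning), and a burst of source MACs never seen before (the flood that pushes the switch into hub-like forwarding). The following monitor is an added example written for this article, not code from the paper; the frame record layout, the window and threshold values and the constructed capture it runs on are assumptions made for the example.

```python
"""ARP-layer monitor for a host on a switched LAN.

Added example (not from the paper): raises an alert when an IP address is
suddenly claimed by a different MAC address (the rebinding that ARP cache
poisoning causes) and when many never-seen source MACs appear in a short
window (the flood that overflows a switch's address table).  The frame
record layout, thresholds and the sample capture are assumptions.
"""
from collections import deque

FLOOD_WINDOW = 1.0      # seconds (assumed)
FLOOD_THRESHOLD = 50    # first-seen MACs per window (assumed)


class ArpMonitor:
    def __init__(self, flood_window=FLOOD_WINDOW, flood_threshold=FLOOD_THRESHOLD):
        self.bindings = {}          # ip -> MAC that most recently claimed it
        self.seen_macs = set()
        self.new_mac_times = deque()
        self.flood_window = flood_window
        self.flood_threshold = flood_threshold
        self.flood_reported = False
        self.alerts = []

    def observe(self, ts, op, sender_mac, sender_ip):
        """Feed one ARP frame (op is 'request' or 'reply'); return alerts it raised."""
        raised = []
        # (a) Poisoning: a different MAC now claims an IP we already hold a
        # binding for.  Unsolicited replies are the usual poison vector, but
        # a rebinding carried by a request is just as suspicious, so both count.
        prev = self.bindings.get(sender_ip)
        if prev is not None and prev != sender_mac:
            raised.append(("rebinding", sender_ip, prev, sender_mac, ts))
        self.bindings[sender_ip] = sender_mac
        # (b) Flooding: count first-seen source MACs in a sliding time window.
        if sender_mac not in self.seen_macs:
            self.seen_macs.add(sender_mac)
            self.new_mac_times.append(ts)
            while ts - self.new_mac_times[0] > self.flood_window:
                self.new_mac_times.popleft()
            if (len(self.new_mac_times) >= self.flood_threshold
                    and not self.flood_reported):
                self.flood_reported = True
                raised.append(("mac_flood", len(self.new_mac_times), ts))
        self.alerts.extend(raised)
        return raised


def sample_capture():
    """Constructed capture: normal traffic, then a poisoned gateway, then a flood."""
    frames = [
        (0.0, "reply", "aa:aa:aa:aa:aa:01", "192.168.1.1"),      # real gateway
        (0.5, "request", "aa:aa:aa:aa:aa:10", "192.168.1.10"),   # a workstation
        (1.0, "reply", "aa:aa:aa:aa:aa:01", "192.168.1.1"),      # gateway again
        (2.0, "reply", "de:ad:be:ef:00:01", "192.168.1.1"),      # attacker claims gateway
    ]
    # the attacker then emits 60 frames with made-up source MACs in 0.6 seconds
    for i in range(60):
        frames.append((3.0 + i * 0.01, "request",
                       f"02:00:00:00:00:{i:02x}", f"10.9.0.{i}"))
    return frames


def run_sample():
    """Replay the constructed capture through a fresh monitor; return its alerts."""
    mon = ArpMonitor()
    for frame in sample_capture():
        mon.observe(*frame)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed capture the monitor reports the gateway rebinding at t = 2.0 and the flood once the fiftieth new MAC arrives within one second. Two caveats a deployment has to handle: a DHCP lease moving to another machine, or a replaced network card, also rebinds an IP address and will be reported as poisoning, so rebinding alerts need a whitelist or a confirmation step; and the flood detector only counts frames that reach this host's interface, so a host sees the flood in full only once the switch is already failing open, which again argues for pooling the observations of several hosts.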