Real Time Internal Intrusion Detection: A Case Study of Embedded Sensors and Detectors in E-Government Websites

Introduction

Insider threat is one of the most complex problems in information security it requires a sophisticated response to detect the subtle variations in access patterns that separate intentional misuse from authorized use.

Historically, the detection technology dated back to 1980. Anderson introduced the concept of intrusion detection. Anderson proposed a “security surveillance system” involving formal examination of a system’s audit logs. In examining the system threats, Anderson also introduced the notion of categorizing intruders based upon their access to a system, and he defined the internal intruders with permissions to access the system and external intruders without any permission (Anderson, 1980).

In this chapter, the authors advocate improving the embedded sensors for real time internal intrusion detection system. This involves adding code to the e-Government website where monitoring will take place. The sensors check for specific conditions that indicate an attack is taking place, or an intrusion has occurred. Embedded sensors have advantages over other intruder detection techniques (usually implemented as separate processes) in terms of reduced host impact, resistance to attack, efficiency and effectiveness of detection.

The authors describe the use of embedded sensors in general, and their application to the detection of website attacks to protect all files in e-Government website. The Design and development of the sensors have been done in the real website hosting. Our tests show a high success rate in the detection of the attacks. The work we propose is divided into four stages:

• 1.

  Designing infrastructure for the development of the sensors.

• 2.

  Implementing sensors for detecting intrusions.

• 3.

  Performing analysis on the data obtained in step (2) and validating if the existing sensors can be used to detect new attacks.

• 4.

  Connecting to other ISP to open same e-Government website.

A method is proposed to detect internal intrusion for protecting e-Government website using Java language. This is done by dealing with the classes of the HTML file. This file contains all programmable steps to detect internal intrusion and protect all files, which deal with that site from unauthorized changing by an intruder inside ISP. Automatic audit for all files provides high security to the site protection without using any other protection programs. These programs might be used to detect intruder inside e-Government website in ISP. With this method we can protect all files, which are dealing with the e-Government website, and automatically check for all files inside class file. This method differs from other methods by not providing the program code inside the HTML file. Therefore, it is difficult to discover and analyze the proposed method because it is inside the class file.

By using real time technique, we can use our method to detect internal intruder and protect all kinds of files inside e-Government website and all those which deal with them without returning to or getting the help of the ISP and without stopping the site for service in case of intrusion through operating an alternative site from another ISP.

This chapter is organized as follows. Section 2 provides the background and related work on the intrusion detection. Section 3 explains the Intrusion Detection System (IDS) and methods of intrusion detection, intrusion tools and defense techniques. Section 4 discusses types of attack, methods of attack, vectors for attack and types of defenses. Section 5 describes the Sensors, detectors and embedded sensors for intrusion detection. This section also provides the main functions of the proposed system and the infrastructure of the internal embedded sensor. Section 6 provides concluding remarks of the work. Section 7 presents our suggestions for future work.