The ACM Student Magazine

Computer Security and Intrusion Detection
by Khaled Labib

Introduction

Computer attacks are now commonplace. By connecting your computer to the Internet, you increase the risk that someone will break in, install malicious programs and tools on it, and possibly use it to attack other machines on the Internet by controlling it remotely. Several major banks have been subject to attacks in which attackers gained access to customers' accounts and viewed detailed information about the activity on those accounts. In some instances the attackers stole credit card information and blackmailed e-commerce companies by threatening to sell it to unauthorized parties. Several online trading companies and e-commerce sites were shut down temporarily by major packet flood attacks, also known as Denial-of-Service (DoS) attacks, causing these companies to lose revenue, customer satisfaction, and trust [10]. A major software development company discovered that attackers had broken into its network and stolen the source code for future releases of its popular products. Just recently, the source code of the future flagship product of a major software development company was stolen and made publicly available on the Internet.

In order to combat this growing trend of computer attacks, both academic and industry groups have been developing systems that monitor networks and hosts and raise alarms on suspicious activity. These systems are called Intrusion Detection Systems (IDS).

Anatomy of An Attack
Before discussing recent work in IDS development, this section gives a brief introduction to the nature and methodology of a typical computer attack. Computer attacks generally follow the five-step approach described below.

1. Reconnaissance: Before launching an attack, attackers conduct detailed reconnaissance to collect information about their prey. This process typically involves low-technology reconnaissance, general web searches, the "whois" database, and the Domain Name System (DNS).

2. Scanning: The attacker, equipped with information about the infrastructure of the victim's network, begins scanning the victim's systems looking for vulnerabilities and openings. At the end of this phase the attacker will have gained valuable information about the victim's network, including lists of phone numbers with modems, addresses of live hosts, network topology, open ports, and firewall rule sets. A number of powerful network scanners are freely available on the web for this purpose.

3. Gaining access: If the attacker is a legitimate user of the system, he or she will most likely attempt to gain access using operating system and application attacks. If the attacker is an outsider, the attack is most likely to come through the network.

• Operating system and application attacks: This approach depends on the skill of the attacker, ranging from inexperienced attackers, usually referred to as "script kiddies," who rely on prepackaged exploits, to advanced attackers using highly systematic approaches. Generally, variations of buffer overflow attacks against the operating system or its applications are used to gain root access to the target. In addition, password guessing is used as an entry point to log in to the target.

• Network attacks: Attackers usually use network sniffers to collect Data Link Layer (DLL) information from all computers on the same subnet. A sniffer is a program that gathers traffic data from the network. (Seeing every host's traffic this way assumes a shared medium; on a switched network the attacker must first redirect traffic to the sniffing host, for example by spoofing.)
In addition, other techniques such as spoofing and session hijacking are used, typically with a freely available tool called Netcat. In some cases, attackers are not interested in gaining access to the network, but simply want to prevent legitimate users from accessing its resources. In this case, the attackers launch a DoS attack to consume the resources of the network and its computers, especially web servers.

4. Maintaining access: Now that the attackers have gained access to the target system, they need to maintain this access. Many techniques are used here, based on malicious software such as Trojan horses, backdoors, and RootKits. A Trojan horse is a program that appears to have a benign or beneficial purpose but actually implements some malicious function. A RootKit is a tool that allows an