GEOSPATIAL INTRUSION DETECTION

Abstract
Intrusion detection is the process of monitoring large amounts of data in order to identify possible threats. When this information is coupled with the geographical location of these alerts, in a process called geocoding, it is refered to as Geo-spatial Intrusion Detection (GID). Geointelligence has been in use for some time now and its application can be seen in various areas such as online shopping and shipping, credit card management to mention a few. However its capabiliteis did not stretch far beyond that, until recently where it has been applied to security products such as intrusion detection system. Its advantages have already been seen so far in various ways and more are yet to be fully exploited. This paper covers Geospatial intrusion detection (GID) and its advantages over the typical intrusion detection system.

1.0 Introduction to IDS/IPS and Significance
IDS/IPS ( Intrusion Detection System and Prevention System) can be described as a system that detects actions that ‘attempt to compromise the confidentiality, integrity or availability of a resource’ (Wikipedia). Its general purpose is thus to detect and alert the management station when there is unauthorised access or misuse of a computer.The difference between IDS and IPS mode is that an IDS system generally monitors and detects intrusion without interefering with network traffic.Whereas IPS can automatically detects and blocks intursions (WAN, item1.)
Intrusion Detection types include: Network Based(NIDS), Host Based(HIDS), and Physical (Physical IDS).
Although there are many different types of IDS systems, their detection schemes fall generally into two categories:
(a) Anomaly detection- these generally sound alerts when the behaviour of a system deviates from normal use. (CERIAS)
(b) Misuse detection- it looks for behaviour that matches a known attack scenario (CERIAS).
To understand Intrusion detection systems, we must first understand that data is transfered across the internet as data packets accroding to the Internet Protccol (IP).
1.1 Geospatial Intrusion Detection System
GID can be described as a cross- pollination of network security and Geographic Information Systems, as proposed by (Ryan W. Trost, Practical Analiysis. Chapter 10). As with any IDS, GIDs follow the same process of gathering data and behaviour to detect potential intrusions and make alerts. It then associates these alerts and their IP address with their geographic locations, in a process called Geocoding. The main aim of GID is to use inforamtion gathered through geocoding to reduce and filter false positive to as so to get the potential intrusion. It does this by spatial analysis.

1.2 Methodology Of Geospatial Intrusion Detection System
Step 1: Rolling Time
This period runs from one to two weeks.
Step 2: Eliminate Friendlies to Reduce IDS False Positives
IDS datasets are often coupled with many false positives which are produced by friendly facilities and locations. We do this by first geographically plotting remote branches, SOHO and verified business partner’s IP address so as to determine the distance between those locations and alert locations. If the alert location is in close proximity to the friendly location it can be eliminated as a false positive. Thus reducing the noisy data.
There are three methods that can be applied for this step:
(a) Street address: we geographically plot remote branches, small offices/ home office(SOHO) or business partner’s location by street address.
(b) IP translation by static IP address
(c) IP alerts. This are made when a customer authnicates to a website.
Step 3: Clustering Algorithm
In this step we run a clustering algorithm to group alerts that originate from the same place. There several algorithms to chose from: Poisson, nearest-neighbour, Moran’s index, Ripley’s K Function and Getis-Ord.
Step 4: Extract network alerts within identified ‘hotspots’.
The spot of a location is weighted by the number of alerts originating from that point.
Step 5: Run a Calculating Algorithm
This algorithm is used to evaluate the relationship between alerts. There are a number of elements that can be used to correlate alerts: -Destination ports, Timestamp and Alert severitty.

1.3 Intrusion Attacks
An attack can be defined as ‘an intended or deliberate visit to the system by an unauthorised visitor who snoops and vandalizes the system or web site’(ISACA,). While it is impossible to list completely all potential attacks, there are some which are common.Here are some of the common types of attacks:
1. Ping of Death.
2. Syn Flood
3. TCP/IP spoofing
4. Man in the Middle
5. Port Scan
6. DNS Hijack.

Summary
In an age where information plays a vital role in our day-to-day activities, guarding it has taken centre-stage in many or virtualy every business enviroments or organization to some extent. This has lead to production of many security products, among them being firewalls and intrusion detection systems. However innovation of hackers has pushed the limit to the kind of products being developed or being improved; among this being GIDs (GeoSpatial Intrusion Detection).
GID is an Intrusion Detection system that takes advantage of the powerful capabilities that geointelligence has to offer. Thus offering several advantages over the typical IDS, this including:
1.It enables less experienced analysts to visually identify the geographic location of the alert and pinpointing the local timezone in order to help determine the communication legitimacy.
2 By correlating the location source, a potential victim can take the appropriate measures to successfully block the exploit.
3. By associating the IP address of alerts to the physical location, an analyst is better placed to make a more educated decision about the nature of the connection.

Though there are evident advantages of this technique, the security industry still focuses its technologies on solution compatiblity in order to increase sales. However if more effort can be directed towards this technique, it can tremedously increase the way information is proctected over ones network.

References
1. Ryan W. Trost
Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century. Chapter 10.
Safaribooksonline.com
m.safaribooksonline.com/public/content?id=9780321591890/ch10|ev1sec7#bookt_qcknv
1640hrs, November 03 2012
2. Ryan W. Trost
Defcon.org
www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-trost.pdf
July 2008
Print (pdf.)
3. Wan James.
James Wan Blog: Improve ROI for deploying Intrusion Detection/ Prevention Systems
www.jameswanonline.com/things-toconsider-for-deploying-intrusion-detectionprevention-system/?gdid=CLm75sOfsrMCFW_KtAod7RYAbA
1500hrs, November 03 2012
4. Berge Matthew and Ernst & Young
Intrusion Detection FAQ: What is Intrusion Detection.
SANS
www.sans.org/security-resources/idfaq/what is id.php
1500hrs, November 03 2012
5. The Center for Education and Research in Information Assurance and Security (CERIAS)
CERIAS: Intrusion Detection
PURDUE UNIVERSITY
www.cerias.purdue.edu/about/history/coast_resources/intrusion-detection/
1530hrs November 01 2012
6. Hal Burgiss
HOWTO : Intrusion
www.tldp.org/HOWTO/Security-Quickstart-HOWTO/intrusion.html
1100hrs November 03 2012
7. Chidambaram Mahadevan,CISA,FCA.
ISACA> Journal > 2001> Volume 6 > Intrusion, Attacks, Penetration
www.isaca.org/Journal/Past-Issues/2001/Volume-6/Pages/Intrusion-Attack-Penetration-Some-Issues.apx
1200hrs November 04 2012.
8. Threat Intelligence: View Top Intrusion Attacks
MCAfee: Threat Labs
www.mcafee.com/threat-intelligence/ips/top-attacks.aspx
1230hrs November 04 2012
9.
10. Wikipedia
Intrusion Detection
http//:en.m.wikipedia.org/wiki/Intrusion_detection_system
1300hrs November 04 2012

Latest Assignments