Active Intrusion Detection

Protecting against data leaks from authorized network users
by Fiach Reid, Director, Infinite Loop Development Ltd

The weakest point of security on a network can often be its users. If a disgruntled employee emails your server passwords to a competitor, there is no firewall or antivirus that can detect this. Systems like Firewalls and Antivirus software stop unauthorized users access your network, but authorized users being either careless or malicious with your sensitive data is not something that would be detected or prevented by standard network security. A recently released software package, named “Active Intrusion Detection”, or “AID” for short has been developed by an Irish software development company named Infinite Loop, which aims at addressing this significant security hole in modern data networks.

What this software does, is allow the network administrator to define a set of “Red Flags”, which can be either password fragments or other sensitive data, and then set the software to listen silently to network traffic until such time as the user tries to send this sensitive data insecurely over the network. If an insecure transmission of sensitive data is detected, then immediately an email is sent to the network administrator, who can take action by resetting the passwords on any compromised systems and track down the perpetrator of the leak via the user’s computer name and IP address.

Although this system does not prevent the transmission of sensitive data over the network, it does detect when such transmission has occurred and allows prompt action to limit the damage caused by such a leak. The concept behind the Active Intrusion Detection system is the idea of “Red Flags”. These are network-administrator defined pieces of text that indicate a data breach has occurred.

A sample “Red Flag” could be a password fragment to your production servers. It would be a network admin’s worst nightmare to think that a junior developer in a company decided to post the production server’s administrator password onto a public forum. Even if there was no malicious intent, the security risk would be considerable.

The “Red Flag” itself should be long enough so that it would not randomly occur in a stream of network traffic that could be completely unrelated, such as within a video or audio data, but at the same time, should not itself be identifiable enough to become an attack vector in of itself. So a long fragment would be ideal. Other possible triggers could include a password for a “dummy” user in a database. This particular user would not be normally accessible to regular users of a system, but if the password were to be detected in network traffic, then it would be an indication that a hacker or careless employee was creating an insecure dump of the user’s database.

At present, the software is available for 64 bit Windows, but a Linux and Mac OS version is in the pipeline, it can be downloaded from https://www.activeintrusiondetection.info for free, and it installs as a Windows Service on the local machine. Once installed, the website will detect a local installation, and allow the administrator define configuration settings such as selecting the network adaptor to monitor, and the “Red Flags”, or snippets of sensitive data that would indicate an imminent data breach.

After downloading the ZIP file from the download link on the website, there will be a readme file, the WinPCap driver installation executable, and the Active Intrusion Detection Monitor installation file contained within the ZIP. The core functionality of the monitoring software is provided by WinPCap, which is a network packet capture driver, which is used by software packages such as WireShark – a popular network packet sniffing tool. This driver should be installed prior to the installation of the Windows service. You can install using the bundled WinPCap installer, or download the latest version from https://www.winpcap.org

After WinPCap is installed, then the Active Intrusion Detection software can then be installed, this is done by clicking on the MSI, or setup.exe, and following the on-screen instructions. Once this is installed, a new Windows service named “Active Intrusion Detection” will be installed on the local system, and begin running. On first run, this will await configuration via the website https://www.activeintrusiondetection.info Once installed, the user should visit the website https://www.activeintrusiondetection.info , from the same PC that you have installed the Windows service, where the website should detect a local installation, and ask you to configure the service. You then press the configure button to continue.

On filling out the form, including an email address, a password, selecting the network adaptor connected to the Internet, and adds a Red Flag (a piece of text that represents some sensitive data that you don’t want to be sent insecurely). Then the user presses save. Within 30 seconds the Windows Service should detect the change and begin monitoring your network, and the Windows service should transition between the “Starting” and “Running” states. Active Intrusion Detection does not prevent or block a hacker or careless employee from sharing company secrets with the outside world, but it can help notify network admins to that they can act swiftly to reset passwords, or otherwise nullify the effect of the breach.

If the data being leaked is sent via secure means, such as over a VPN, or HTTPS, then the network monitor will not detect the breach – however, it would be most effective against accidental data leaks by careless employees, rather than hackers who are aware of all the security systems employed within a network.

About The Author
Fiach Reid is the Director of Infinite Loop Development Ltd, he is also the author of “Network Programming in .NET”, published by Elsevier Digital Press. Fiach has 15 years of software development experience, primarily in C# / .NET – he is based in Ireland, but regularly consults for clients in the USA, Australia, and the UK. Fiach can be reached online at [email protected] – or via Twitter at @webtropy, and at our company website http://www.infiniteloop.ie