Intrusion Detection Systems
Presented by
Parwez
Overview of Seminar
Introduction
Need for Intrusion Detection Systems
Classification of Systems
Anomaly Detection
Misuse Detection
Introduction
The networking revolution has come of age.
Internet is changing computing.
The possibilities and opportunities are limitless.
Limitations
Complete security not possible in real life.
Transition will be long in coming.
Cryptographic methods have their own problems.
Insiders who abuse their privileges.
The stricter the mechanisms, the lower the efficiency.
Intrusion Detection System (IDS)
An IDS detects attacks as soon as
possible and takes appropriate
action.
An IDS does not usually take
preventive measures when an
attack is detected.
It is a reactive rather than a proactive agent.
It plays a role of informant rather
than a police officer.
IDS(Contd.)
The most popular way to detect
intrusions has been using the audit
data generated by the operating
system.
An audit trail is a record of activities on
a system that are logged to a file in
chronologically sorted order.
Audit trails are particularly useful in
establishing the guilt of attackers.
They are often the only way to detect
unauthorized but subversive user activity.
IDS (Contd.)
Eugene Spafford reports:
Information theft is up over 250% in
the last 5 years.
99% of all major companies report at
least one major incident.
Telecom and computer fraud totaled
$10 billion in the US alone.
Classification of IDSs
Attempted break-ins
Masquerade attacks
Penetration of the security control
system
Leakage
Denial of service
Malicious use
Techniques:
Anomaly Detection
Misuse detection
Anomaly Detection Systems (ADSs)
Anomaly detection systems(ADSs)
assume that all intrusive activities are
necessarily anomalous.
Anomalous activities that are not intrusive
are flagged as intrusive.
Intrusive activities that are not anomalous
result in false negatives (events are not
flagged intrusive, though they actually are).
ADSs(Contd.)
A typical anomaly detection system (diagram): Audit Data is compared with the System Profile; if it is deviant, the system enters the attack state; otherwise the profile is updated statistically.
Approaches to ADSs
Statistical approaches
Behaviour profiles for subjects are
generated.
The anomaly detector constantly generates
the variance of the present profile from the
original one.
They adaptively learn the behavior of users.
Potentially more sensitive than humans.
ADSs(Contd.)
Predictive pattern generation
This method tries to predict future events
based on the events that have already
occurred. We could have a rule
E1 E2 --> (E3 = 80%, E4 = 15%, E5 = 5%)
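An added example (not from the seminar) that combines the two approaches described above: a per-user statistical profile of session length, updated with each session and queried for its deviation in standard deviations, plus predictive rules of the form E1 E2 --> P(E3) counted from observed event triples. The audit trail, command names and thresholds are constructed for illustration.

```python
import math
from collections import defaultdict, Counter

class StatisticalProfile:
    """Running mean/variance of one per-session measure for a subject (Welford's method)."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0
    def update(self, x):                      # learn: fold a new observation into the profile
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)
    def deviation(self, x):                   # detect: distance from profile in standard deviations
        if self.n < 2:
            return 0.0
        sd = math.sqrt(self.m2 / (self.n - 1))
        if sd == 0.0:
            return 0.0 if x == self.mean else math.inf
        return abs(x - self.mean) / sd

class PredictivePatterns:
    """Rules of the form E1 E2 -> P(E3), counted from observed event triples."""
    def __init__(self):
        self.rules = defaultdict(Counter)
    def train(self, events):
        for e1, e2, e3 in zip(events, events[1:], events[2:]):
            self.rules[(e1, e2)][e3] += 1
    def probability(self, e1, e2, e3):
        following = self.rules.get((e1, e2))
        return following[e3] / sum(following.values()) if following else 0.0

def detect(profile, patterns, session, z_threshold=3.0, min_prob=0.05):
    """Return the reasons a session looks anomalous (empty list = consistent with profile)."""
    reasons = []
    z = profile.deviation(len(session))
    if z > z_threshold:
        reasons.append(f"session length {len(session)} is {z:.1f} sd from profile")
    for e1, e2, e3 in zip(session, session[1:], session[2:]):
        p = patterns.probability(e1, e2, e3)
        if p < min_prob:
            reasons.append(f"unexpected {e3!r} after {e1!r} {e2!r} (p={p:.2f})")
    return reasons

# Constructed training audit trail for one user: five normal sessions (command names only).
TRAINING = [["login", "ls", "cat", "vi", "logout"],
            ["login", "ls", "vi", "cat", "ls", "logout"]] * 2 + [["login", "ls", "cat", "vi", "logout"]]
profile, patterns = StatisticalProfile(), PredictivePatterns()
for s in TRAINING:
    profile.update(len(s))
    patterns.train(s)
```

Calling `detect(profile, patterns, ["login", "ls", "rm", "logout"])` flags both transitions involving the unseen `rm`, while a session that matches the training data returns no reasons; an intruder who stays within the learned profile is exactly the false negative the slides warn about.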
ADSs(Contd.)
Neural Networks
The idea here is to train a neural network to predict a
user's next action or command, given the window of n
previous actions.
Advantages:
They cope with noisy data
Their success does not depend on any statistical
assumption about the nature of the underlying data
They are easier to modify for new user communities
Problems:
A small window will result in false positives, a large
window will result in irrelevant data as well as increase
the chance of false negatives.
The net topology is only determined after considerable
trial and error.
The intruder can train the net during its learning phase.
Misuse Detection Systems (MDSs)
The concept behind the MDSs is
that there are ways to represent
attacks in the form of a pattern or a
signature so that even variations of
the same attack can be detected.
They can detect many or all known
attack patterns, but they are of little
use for unknown attack methods.
MDSs (Contd.)
A typical misuse detection system (diagram): Audit Data, the System Profile and Timing Information are fed to the rule matcher; a rule match leads to the attack state, and existing rules can be modified.
Types of MDSs
Expert systems
These are modelled in such a way as to
separate the rule matching phase from
the action phase. Ex: NIDES developed
by SRI.
NIDES follows a hybrid ID technique.
It builds user profiles based on many
different criteria.
The expert system misuse detection
component encodes known scenarios
and attack patterns.
Drawbacks
Attack patterns can specify only a sequence
of events, rather than more complex forms.
There are no general purpose methods to
prune the search except through the
assertion primitives.
They can't detect denial of service attacks.
Advantages
Declarative Specification
Multiple event streams
Portability
Real-time capabilities
Other Models
Generic Intrusion Detection Model
Independent of any particular system,
application environment, system
vulnerability, or type of intrusion.
Conclusions
Future research trends seem to be
converging towards a model that is
hybrid of the anomaly and misuse
detection models.
It is slowly acknowledged that
neither of the models can detect
all intrusion attempts on their own.