parwaztalk.ppt

Introduction to Intrusion Detection Systems Presented by Parwez

Upload: artik-jain

Post on 02-Feb-2016

TRANSCRIPT

Page 1: ParwazTalk.ppt

Introduction to Intrusion Detection Systems

Presented by Parwez

Page 2: ParwazTalk.ppt

Overview of Seminar

Introduction
Need for Intrusion Detection Systems
Classification of Systems
  Anomaly Detection
  Misuse Detection
Other Models and Directions
Conclusion

Page 3: ParwazTalk.ppt

Introduction

The networking revolution has come of age. The Internet is changing computing.

The possibilities and opportunities are limitless.

Risks and chances of malicious intrusions are increasing.

Intrusion attempt: the potential possibility of a deliberate unauthorized attempt to
Access information
Manipulate information
Render a system unreliable or unusable.

Page 4: ParwazTalk.ppt

The need for IDSs

A computer system should provide
Confidentiality
Integrity
Assurance

Subversion attempts try to exploit flaws in the operating system as well as in application programs and have resulted in spectacular incidents like the Internet Worm incident of 1988.

Page 5: ParwazTalk.ppt

Ways to handle subversion attempts

Prevent subversion by building a completely secure system.

We could require all users to identify and authenticate themselves.
We could protect data by various cryptographic methods and very tight access control mechanisms.

Limitations
Complete security is not possible in real life.
The transition will be long in coming.
Cryptographic methods have their own problems.
Abuse by insiders who abuse their privileges.
The stricter the mechanisms, the lower the efficiency.

Page 6: ParwazTalk.ppt

An Intrusion Detection System (IDS)

An IDS detects attacks as soon as possible and takes appropriate action.
An IDS does not usually take preventive measures when an attack is detected.
It is a reactive rather than a pro-active agent.
It plays the role of an informant rather than a police officer.

Page 7: ParwazTalk.ppt

IDS (Contd.)

The most popular way to detect intrusions has been using the audit data generated by the operating system.

An audit trail is a record of activities on a system that are logged to a file in chronologically sorted order.
Audit trails are particularly useful in establishing the guilt of attackers.
They are often the only way to detect unauthorized but subversive user activity.

Page 8: ParwazTalk.ppt

IDS (Contd.)

Eugene Spafford reports:
Information theft is up over 250% in the last 5 years.
99% of all major companies report at least one major incident.
Telecom and computer fraud totaled $10 billion in the US alone.

Since it seems obvious that we cannot prevent subversion, we should at least try to detect it and prevent similar attacks in future.

Page 9: ParwazTalk.ppt

Terminology used in IDSs

Risk: Accidental exposure of information, or violation of operations integrity due to the malfunction of hardware or incomplete or incorrect software design.
Vulnerability: A known or suspected flaw in the h/w or s/w or operation of a system that exposes the system to penetration or its information to accidental disclosure.
Attack: A specific formulation or execution of a plan to carry out a threat.
Penetration: A successful attack.

Page 10: ParwazTalk.ppt

Classification of IDSs

Attempted break-ins
Masquerade attacks
Penetration of the security control system
Leakage
Denial of service
Malicious use

Techniques:
Anomaly Detection
Misuse Detection

Page 11: ParwazTalk.ppt

Anomaly Detection Systems

Anomaly detection systems(ADSs) assume that all intrusive activities are necessarily anomalous.

Anomalous activities that are not intrusive are flagged as intrusive (false positives).
Intrusive activities that are not anomalous result in false negatives (events are not flagged intrusive, though they actually are).

ADSs are also computationally expensive because of the overhead of keeping track of, and possibly updating, several system profile metrics.

Page 12: ParwazTalk.ppt

ADSs (Contd.)

A typical anomaly detection system

[Diagram: audit data is compared against the system profile and checked for deviation ("deviant?"); the profile is updated, with new profiles generated dynamically and statistically; a detected deviation feeds the attack state.]

Page 13: ParwazTalk.ppt

Approaches to ADSs

Statistical approaches
Behaviour profiles for subjects are generated.
The anomaly detector constantly generates the variance of the present profile from the original one.
They adaptively learn the behavior of users.
Potentially more sensitive than humans.

Problems with statistical approaches
They can gradually be trained by intruders so that eventually, intrusive events are considered normal.
It is not known exactly which subset of all possible measures accurately predicts intrusive activities.
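As an added example (not code from the slides), the following Python sketch implements the statistical profile approach just described: one profile per subject holding the running mean and variance of a metric, a deviation score in standard deviations, and adaptive updating after every observation. Run over two constructed audit series it also shows the first problem listed above: an abrupt jump is flagged, while a metric that rises gradually drags the profile with it and is never flagged. The metric ("files read per session"), the subject names and every value are constructed for the example.

```python
"""Statistical anomaly detection over per-subject behaviour profiles.

Added example, not code from the slides. Each subject keeps a profile with the
running mean and variance of one metric (files read per session; values are
constructed). A new observation is scored by its distance from the profile in
standard deviations and flagged above a threshold. The profile is updated
adaptively after every observation, which is what lets a gradual rise "train"
the profile towards values an abrupt jump would have flagged.
"""
import math
from dataclasses import dataclass


@dataclass
class Profile:
    """Running mean and variance of one metric for one subject (Welford's method)."""
    count: int = 0
    mean: float = 0.0
    m2: float = 0.0  # sum of squared deviations from the running mean

    @property
    def stdev(self) -> float:
        return math.sqrt(self.m2 / (self.count - 1)) if self.count > 1 else 0.0

    def update(self, x: float) -> None:
        self.count += 1
        delta = x - self.mean
        self.mean += delta / self.count
        self.m2 += delta * (x - self.mean)


def deviation(profile: Profile, x: float) -> float:
    """Distance of x from the profile in standard deviations."""
    if profile.stdev == 0.0:
        return 0.0 if x == profile.mean else math.inf
    return abs(x - profile.mean) / profile.stdev


def score_events(events, threshold=3.0, warmup=5):
    """Score (subject, value) audit records in order.

    Returns (results, profiles): results is a list of
    (subject, value, deviation, flagged). The first `warmup` observations of a
    subject only build the profile and are never flagged.
    """
    profiles = {}
    results = []
    for subject, value in events:
        profile = profiles.setdefault(subject, Profile())
        if profile.count < warmup:
            dev, flagged = 0.0, False
        else:
            dev = deviation(profile, value)
            flagged = dev > threshold
        profile.update(value)  # adaptive learning: every observation shifts the profile
        results.append((subject, value, dev, flagged))
    return results, profiles


# Constructed audit data: files read per session, per user.
BASELINE = [("alice", 10), ("alice", 11), ("alice", 9), ("alice", 10), ("alice", 12),
            ("bob", 100), ("bob", 110), ("bob", 90), ("bob", 100), ("bob", 120)]
ABRUPT = BASELINE + [("alice", 60), ("bob", 105)]      # alice jumps at once; bob stays normal
GRADUAL = BASELINE + [("alice", n) for n in range(13, 61)]  # alice climbs one file per session


def flagged_values(events, **kw):
    """The (subject, value) pairs flagged in one run."""
    results, _ = score_events(events, **kw)
    return [(s, v) for s, v, _, f in results if f]


if __name__ == "__main__":
    print("abrupt :", flagged_values(ABRUPT))
    print("gradual:", flagged_values(GRADUAL))
    _, profiles = score_events(GRADUAL)
    print("alice's profile mean after the gradual ramp: %.1f" % profiles["alice"].mean)
```

Per-subject profiles keep bob's values of around 100 from making alice's 60 look normal, which is the point of profiling subjects separately; the gradual run ends at the same value of 60 with no alert, because each step stays within a few standard deviations of a mean that has itself been moving.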

Page 14: ParwazTalk.ppt

Approaches to ADSs(Contd.)

Predictive pattern generation

This method tries to predict future events based on the events that have already occurred. We could have a rule

E1 – E2 --> (E3 = 80%, E4 = 15%, E5 = 5%)

The problem is that some intrusion scenarios that are not described by the rules will not be flagged intrusive.

Advantages:
Rule based sequential patterns can detect anomalous activities that were difficult with traditional methods.
Systems built using this model are highly adaptive to changes.
It is easier to detect users who try to train the system during its learning period.
Anomalous activities can be detected and reported within seconds of receiving audit events.
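An added Python example (not code from the slides) of predictive pattern generation: rules of the form E1 – E2 --> (E3 = 80%, E4 = 15%, E5 = 5%) are learned from a training sequence as conditional frequency tables keyed on the previous two events, and incoming events are then judged by the probability their rule assigns them. The training data is constructed so that the learned rule for the context (login, cd) is exactly the slide's 80/15/5 split. It also shows the limitation noted above: an event in a context for which no rule exists cannot be flagged at all, so those contexts are reported separately. All event names and sequences are constructed.

```python
"""Predictive pattern generation over audit event sequences.

Added example, not code from the slides. A rule maps a context (the previous
`order` events) to the distribution of the event that followed it in training.
At detection time an event whose rule assigns it a probability below the
threshold is flagged; a context with no rule (a scenario the rules do not
describe) cannot be judged and is only reported.
"""
from collections import Counter, defaultdict


def learn_rules(sequence, order=2):
    """Map each context tuple of `order` events to a Counter of the events that followed it."""
    rules = defaultdict(Counter)
    for i in range(order, len(sequence)):
        context = tuple(sequence[i - order:i])
        rules[context][sequence[i]] += 1
    return rules


def rule_probabilities(rules, context):
    """Predicted distribution of the next event after `context`, or None when no rule covers it."""
    counts = rules.get(context)
    if not counts:
        return None
    total = sum(counts.values())
    return {event: n / total for event, n in counts.items()}


def detect(rules, sequence, order=2, threshold=0.10):
    """Scan an audit sequence against the learned rules.

    Returns (alerts, unseen): alerts are (index, event, probability) for events
    the matching rule considers improbable; unseen lists (index, context) pairs
    for which no rule exists, so the event could not be judged either way.
    """
    alerts, unseen = [], []
    for i in range(order, len(sequence)):
        context = tuple(sequence[i - order:i])
        dist = rule_probabilities(rules, context)
        if dist is None:
            unseen.append((i, context))
            continue
        p = dist.get(sequence[i], 0.0)
        if p < threshold:
            alerts.append((i, sequence[i], p))
    return alerts, unseen


# Constructed training data: after "login","cd" the user runs "ls" 16 times,
# "cat" 3 times and "vi" once, which yields the slide's 80/15/5 rule.
TRAINING = []
for nxt in ["ls"] * 16 + ["cat"] * 3 + ["vi"]:
    TRAINING += ["login", "cd", nxt, "logout"]

# Constructed audit sequence to scan: an unexpected "rm", the rare "vi",
# and a "su" in a context the rules cover, plus contexts they do not.
SAMPLE = ["login", "cd", "rm", "logout",
          "login", "cd", "vi", "logout",
          "login", "su", "rm", "logout"]

if __name__ == "__main__":
    rules = learn_rules(TRAINING)
    print("rule for (login, cd):", rule_probabilities(rules, ("login", "cd")))
    alerts, unseen = detect(rules, SAMPLE)
    for index, event, p in alerts:
        print(f"event {index} '{event}' flagged: rule probability {p:.2f}")
    for index, context in unseen:
        print(f"event {index}: no rule for context {context}, cannot judge")
```

The threshold decides how rare an event must be before it is reported; with 10% the "vi" at 5% is flagged even though it occurred in training, which is the trade-off between sensitivity and false positives that the slides raise for anomaly detection in general.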

Page 15: ParwazTalk.ppt

Approaches to ADSs(Contd.)

Neural Networks

The idea here is to train a neural network to predict a user’s next action or command, given the window of n previous actions.

Advantages:
They cope with noisy data.
Their success does not depend on any statistical assumption about the nature of the underlying data.
They are easier to modify for new user communities.

Problems:
A small window will result in false positives; a large window will result in irrelevant data as well as increase the chance of false negatives.
The net topology is only determined after considerable trial and error.
The intruder can train the net during its learning phase.

Page 16: ParwazTalk.ppt

Misuse Detection Systems (MDSs)

The concept behind the MDSs is that there are ways to represent attacks in the form of a pattern or a signature so that even variations of the same attack can be detected.

They can detect many or all known attack patterns, but they are of little use for unknown attack methods.

Misuse detection systems try to recognize known “bad” behavior.

Page 17: ParwazTalk.ppt

MDSs (Contd.)

A typical misuse detection system

[Diagram: audit data and timing information are checked against the rules ("rule match?"); a match updates the attack state; the system profile is maintained alongside, and existing rules can be modified and new rules added.]

Page 18: ParwazTalk.ppt

Types of MDSs

Expert systems
These are modelled in such a way as to separate the rule matching phase from the action phase. Ex: NIDES developed by SRI.
NIDES follows a hybrid ID technique.
It builds user profiles based on many different criteria.
The expert system misuse detection component encodes known scenarios and attack patterns.

Page 19: ParwazTalk.ppt

Types of MDSs (Contd.)

Key Stroke Monitoring
This is a very simple technique that monitors keystrokes for attack patterns.
Features of shells in which user definable aliases are present defeat the technique unless alias expansion and semantic analysis of commands is taken up.
Operating systems do not offer much support for keystroke capturing, so the keystroke monitor should have a hook that analyses keystrokes before sending them to their intended receiver.
An improvement would be to monitor system calls by application programs as well.

Page 20: ParwazTalk.ppt

Types of MDSs (Contd.)

Model Based Intrusion Detection
This states that certain scenarios are inferred by certain other observable activities.
The model based scheme consists of three important modules:
The anticipator uses the active models and the scenario models to try to predict the next step in the scenario that is expected to occur.
The planner then translates this hypothesis into a format that shows the behavior as it would occur in the audit trail.
The interpreter then searches for this data in the audit trail.

The system proceeds in this way, accumulating more and more evidence for an intrusion attempt until a threshold is crossed.

Page 21: ParwazTalk.ppt

Types of MDSs (Contd.)

State Transition Analysis
The monitored system is presented as a state transition diagram.
As data is analyzed, the system makes transitions from one state to another.
A transition takes place on some boolean condition being true.

Drawbacks
Attack patterns can specify only a sequence of events, rather than more complex forms.
There are no general purpose methods to prune the search except through the assertion primitives.
They can’t detect denial of service attacks.

Page 22: ParwazTalk.ppt

Types of MDSs (Contd.)

Pattern Matching
This model encodes known intrusion signatures as patterns that are then matched against the audit data. The implementation makes transitions on certain events called labels, and boolean variables called guards can be placed at each transition.

Advantages
Declarative specification
Multiple event streams
Portability
Real-time capabilities
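An added Python example (not code from the slides) that covers both the State Transition Analysis slide and the Pattern Matching slide: a signature is a small state transition diagram whose transitions fire on an event label and a boolean guard, partial matches for different subjects are tracked side by side, and reaching the final state raises an alert. The signature itself (three failed logins for one account within 60 seconds followed by a successful login for that account), the event labels, the user names and the audit records are all constructed for the example; it is a detection rule a defender would run over a login audit trail.

```python
"""Signature matching as a state transition diagram (added example, not from
the slides). A signature is a set of states joined by transitions; a
transition fires on an event whose label (type) matches and whose guard, a
boolean function of the event and of what the partial match has remembered,
holds. Several partial matches can be alive at once, so interleaved activity
of different subjects stays separate; reaching the final state raises an
alert, and matches whose time window has closed are dropped. Signature and
audit records are constructed: three failed logins for one account within
60 seconds followed by a successful login for that account.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Event:
    time: int   # seconds since the start of the audit trail
    label: str  # event type, e.g. "LOGIN_FAIL" or "LOGIN_OK"
    user: str
    host: str


@dataclass
class Transition:
    src: int
    dst: int
    label: str
    guard: Callable[[Event, dict], bool]
    on_fire: Callable[[Event, dict], None] = lambda ev, mem: None


@dataclass
class Match:
    """One partial match: its current state plus what earlier events recorded."""
    state: int = 0
    memory: dict = field(default_factory=dict)


class Signature:
    def __init__(self, name, transitions, final_state, window):
        self.name, self.transitions = name, transitions
        self.final_state, self.window = final_state, window
        self.matches = []

    def feed(self, ev):
        """Advance every live match on one event; return the alerts produced."""
        alerts, survivors = [], []
        # Expire partial matches whose window closed (memory["t0"] is set by the first transition).
        live = [m for m in self.matches if ev.time - m.memory["t0"] <= self.window]
        for m in live + [Match()]:  # plus a fresh candidate in the start state
            advanced = False
            for t in self.transitions:
                if t.src == m.state and t.label == ev.label and t.guard(ev, m.memory):
                    t.on_fire(ev, m.memory)
                    m.state, advanced = t.dst, True
                    break
            if m.state == self.final_state:
                alerts.append((self.name, dict(m.memory)))
            elif advanced or m.state != 0:
                survivors.append(m)  # waiting matches stay; an unused fresh candidate is discarded
        self.matches = survivors
        return alerts


def same_user_in_window(ev, mem):
    """Guard: the event belongs to the remembered user and falls within 60 s of the first failure."""
    return ev.user == mem["user"] and ev.time - mem["t0"] <= 60


def make_brute_force_signature():
    """States 0 -FAIL-> 1 -FAIL-> 2 -FAIL-> 3 -OK-> 4 (final)."""
    def remember(ev, mem):
        mem.update(user=ev.user, host=ev.host, t0=ev.time, fails=1)

    def count_fail(ev, mem):
        mem["fails"] += 1

    def remember_ok(ev, mem):
        mem["t_ok"] = ev.time

    return Signature("failed-logins-then-success", [
        Transition(0, 1, "LOGIN_FAIL", lambda ev, mem: True, remember),
        Transition(1, 2, "LOGIN_FAIL", same_user_in_window, count_fail),
        Transition(2, 3, "LOGIN_FAIL", same_user_in_window, count_fail),
        Transition(3, 4, "LOGIN_OK", same_user_in_window, remember_ok),
    ], final_state=4, window=60)


def run(signature, events):
    """Feed an audit trail through a signature and collect every alert."""
    alerts = []
    for ev in events:
        alerts.extend(signature.feed(ev))
    return alerts


# Constructed audit records.
AUDIT = [
    Event(0, "LOGIN_FAIL", "alice", "10.0.0.5"),
    Event(5, "LOGIN_OK", "alice", "10.0.0.5"),      # one failure then success: no alert
    Event(100, "LOGIN_FAIL", "bob", "10.0.0.9"),
    Event(110, "LOGIN_FAIL", "carol", "10.0.0.7"),  # another user: must not count for bob
    Event(120, "LOGIN_FAIL", "bob", "10.0.0.9"),
    Event(130, "LOGIN_FAIL", "bob", "10.0.0.9"),
    Event(140, "LOGIN_OK", "bob", "10.0.0.9"),      # third failure then success in window: alert
    Event(300, "LOGIN_FAIL", "dave", "10.0.0.3"),
    Event(400, "LOGIN_FAIL", "dave", "10.0.0.3"),   # the failure at 300 s has expired
    Event(410, "LOGIN_FAIL", "dave", "10.0.0.3"),
    Event(420, "LOGIN_OK", "dave", "10.0.0.3"),     # only two failures in window: no alert
]

if __name__ == "__main__":
    for name, mem in run(make_brute_force_signature(), AUDIT):
        print(f"ALERT {name}: {mem}")
```

The guard is where the slide's "boolean variables called guards" live: the same LOGIN_FAIL label either advances bob's match or is ignored by it, depending on whether the guard over the remembered user and start time holds. The drawback from the previous slide is also visible: the signature can only express a sequence of events, so a pattern that depended on, say, a rate over many subjects would need something other than this diagram.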

Page 23: ParwazTalk.ppt

Other Models

Generic Intrusion Detection Model
Independent of any particular system, application environment, system vulnerability, or type of intrusion.

Network Security Monitor
It is an Intrusion Detection System developed at UC Davis. NSM is a network based IDS that differs from all of the other IDSs as it doesn’t use or analyze the host machine(s)’ audit trails.

Page 24: ParwazTalk.ppt

Conclusions

Future research trends seem to be converging towards a model that is a hybrid of the anomaly and misuse detection models.
It is slowly being acknowledged that neither of the models can detect all intrusion attempts on its own.

Page 25: ParwazTalk.ppt

???