Introduction to Intrusion Detection Systems Presented by Parwez.


Overview of Seminar
Introduction
Need for Intrusion Detection Systems
Classification of Systems
Anomaly Detection
Misuse Detection
Other Models and Directions
Conclusion

Introduction
The networking revolution has come of age. The Internet is changing computing. The possibilities and opportunities are limitless. The risks and chances of malicious intrusions are increasing.
Intrusion attempt: the potential possibility of a deliberate unauthorized attempt to access information, manipulate information, or render a system unreliable or unusable.

The need for IDSs
A computer system should provide confidentiality, integrity and assurance.
Subversion attempts try to exploit flaws in the operating system as well as in application programs, and have resulted in spectacular incidents like the Internet Worm incident of 1988.

Ways to handle subversion attempts
Prevent subversion by building a completely secure system. We could require all users to identify and authenticate themselves. We could protect data by various cryptographic methods and very tight access control mechanisms.
Limitations:
Complete security is not possible in real life.
The transition will be long in coming.
Cryptographic methods have their own problems.
Abuse by insiders who abuse their privileges.
The stricter the mechanisms, the lower the efficiency.

An Intrusion Detection System (IDS)
An IDS detects attacks as soon as possible and takes appropriate action. An IDS does not usually take preventive measures when an attack is detected. It is a reactive rather than a pro-active agent. It plays the role of an informant rather than a police officer.

IDS (Contd.)
The most popular way to detect intrusions has been to use the audit data generated by the operating system. An audit trail is a record of activities on a system that are logged to a file in chronologically sorted order. Audit trails are particularly useful in establishing the guilt of attackers. They are often the only way to detect unauthorized but subversive user activity.

IDS (Contd.)
Eugene Spafford reports:
Information theft is up over 250% in the last 5 years.
99% of all major companies report at least one major incident.
Telecom and computer fraud totaled $10 billion in the US alone.
Since it seems obvious that we cannot prevent subversion, we should at least try to detect it and prevent similar attacks in future.

Terminology used in IDSs
Risk: accidental exposure of information, or violation of operations integrity due to the malfunction of hardware or incomplete or incorrect software design.
Vulnerability: a known or suspected flaw in the hardware, software or operation of a system that exposes the system to penetration or its information to accidental disclosure.
Attack: a specific formulation or execution of a plan to carry out a threat.
Penetration: a successful attack.

Classification of IDSs
Types of intrusion:
Attempted break-ins
Masquerade attacks
Penetration of the security control system
Leakage
Denial of service
Malicious use
Techniques:
Anomaly detection
Misuse detection

Anomaly Detection Systems
Anomaly detection systems (ADSs) assume that all intrusive activities are necessarily anomalous.
Anomalous activities that are not intrusive are flagged as intrusive (false positives).
Intrusive activities that are not anomalous result in false negatives (events are not flagged intrusive, though they actually are).
ADSs are also computationally expensive because of the overhead of keeping track of, and possibly updating, several system profile metrics.

ADSs (Contd.)
A typical anomaly detection system (diagram): audit data is compared against the system profile; if the activity is statistically deviant, an attack state is raised, and the profile is updated so that new profiles are generated dynamically.

Approaches to ADSs
Statistical approaches
Behaviour profiles for subjects are generated. The anomaly detector constantly generates the variance of the present profile from the original one. They adaptively learn the behaviour of users. Potentially more sensitive than humans.
Problems with statistical approaches:
They can gradually be trained by intruders so that eventually intrusive events are considered normal.
It is not known exactly which subset of all possible measures accurately predicts intrusive activities.
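As an added example (not part of the original slides), a minimal statistical profile in Python: a subject's profile is the mean and spread of one audit metric, the detector scores each new observation by its deviation from the profile, and accepted observations are folded back into the profile. The metric, the constructed sample values and the exponential-moving-average update rule are assumptions; the second run shows the slide's training problem, where small steps that each stay under the threshold drag the profile along until a value that the original profile would have flagged is accepted.

```python
import statistics

# Constructed profile metric: files read per day by one user (normal behaviour).
BASELINE = [40, 42, 38, 45, 41, 39, 43, 40, 44, 42]

def make_profile(samples):
    """Behaviour profile for a subject: mean and spread of the metric."""
    return {"mean": statistics.mean(samples), "dev": statistics.pstdev(samples)}

def variance_score(profile, value):
    """Deviation of the present observation from the profile, in units of its spread."""
    if profile["dev"] == 0:
        return 0.0 if value == profile["mean"] else float("inf")
    return abs(value - profile["mean"]) / profile["dev"]

def is_anomalous(profile, value, threshold=3.0):
    return variance_score(profile, value) > threshold

def adapt(profile, value, alpha=0.2):
    """Adaptive learning (assumed rule): fold an accepted observation into the profile
    as an exponential moving average of the mean and of the absolute deviation."""
    mean = (1 - alpha) * profile["mean"] + alpha * value
    dev = (1 - alpha) * profile["dev"] + alpha * abs(value - mean)
    return {"mean": mean, "dev": dev}

def run_adaptive(observations, profile, threshold=3.0, alpha=0.2):
    """Feed observations in order. Anomalous ones are flagged; accepted ones update
    the profile. Returns (flagged values, final profile)."""
    flagged = []
    for v in observations:
        if is_anomalous(profile, v, threshold):
            flagged.append(v)
        else:
            profile = adapt(profile, v, alpha)
    return flagged, profile

# The training problem from the slide: a sudden jump is caught, but the same end value
# reached by small steps (each within the threshold) is absorbed into the profile.
SUDDEN = [85]
GRADUAL = [46, 49, 52, 56, 61, 67, 75, 85]

if __name__ == "__main__":
    p = make_profile(BASELINE)
    print("sudden:", run_adaptive(SUDDEN, p)[0])            # [85] flagged
    flagged, drifted = run_adaptive(GRADUAL, p)
    print("gradual:", flagged, round(drifted["mean"], 1))  # [] flagged, mean ~63.3
```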

Approaches to ADSs (Contd.)
Predictive pattern generation
This method tries to predict future events based on the events that have already occurred. We could have a rule E1 – E2 --> (E3 = 80%, E4 = 15%, E5 = 5%).
The problem is that some intrusion scenarios that are not described by the rules will not be flagged intrusive.
Advantages:
Rule-based sequential patterns can detect anomalous activities that were difficult to catch with traditional methods.
Systems built using this model are highly adaptive to changes.
It is easier to detect users who try to train the system during its learning period.
Anomalous activities can be detected and reported within seconds of receiving audit events.
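As an added example (not code from the original slides), rules of the form E1 – E2 --> (E3 = p, ...) learned in Python from constructed command sequences, then applied to a new session. An event that has a low or zero probability after its two predecessors is flagged; a prefix no rule covers is reported separately rather than flagged, which is the limitation the slide describes. The sessions, the order-2 prefix and the 10% cut-off are assumptions.

```python
from collections import Counter, defaultdict

# Constructed training audit trail: command sequences from past sessions of one user.
TRAINING = (
    [["login", "ls", "cat", "logout"]] * 7
    + [["login", "ls", "vi", "logout"]] * 2
    + [["login", "ls", "cp", "logout"]]
)

def learn_rules(sessions, order=2):
    """Build rules prefix --> {next_event: probability} from observed sequences.
    With order=2 this gives the slide's E1 - E2 --> (E3 = p3, E4 = p4, ...) form."""
    counts = defaultdict(Counter)
    for s in sessions:
        for i in range(len(s) - order):
            counts[tuple(s[i:i + order])][s[i + order]] += 1
    rules = {}
    for prefix, c in counts.items():
        total = sum(c.values())
        rules[prefix] = {ev: n / total for ev, n in c.items()}
    return rules

def check_session(rules, session, order=2, min_prob=0.1):
    """Slide each prefix window over the session.
    Returns (alerts, uncovered): alerts are (index, prefix, event, prob) where the event
    was predicted with probability below min_prob (0.0 = never seen after this prefix);
    uncovered are windows whose prefix has no rule at all and therefore are not flagged."""
    alerts, uncovered = [], []
    for i in range(len(session) - order):
        prefix = tuple(session[i:i + order])
        ev = session[i + order]
        rule = rules.get(prefix)
        if rule is None:
            uncovered.append((i, prefix, ev))
            continue
        p = rule.get(ev, 0.0)
        if p < min_prob:
            alerts.append((i, prefix, ev, p))
    return alerts, uncovered

if __name__ == "__main__":
    rules = learn_rules(TRAINING)
    print(rules[("login", "ls")])                            # cat 0.7, vi 0.2, cp 0.1
    print(check_session(rules, ["login", "ls", "rm", "logout"]))
```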

Approaches to ADSs (Contd.)
Neural Networks
The idea here is to train a neural network to predict a user's next action or command, given the window of n previous actions.
Advantages:
They cope with noisy data.
Their success does not depend on any statistical assumption about the nature of the underlying data.
They are easier to modify for new user communities.
Problems:
A small window will result in false positives; a large window will result in irrelevant data as well as an increased chance of false negatives.
The net topology is only determined after considerable trial and error.
The intruder can train the net during its learning phase.

Misuse Detection Systems (MDSs)
The concept behind MDSs is that there are ways to represent attacks in the form of a pattern or a signature so that even variations of the same attack can be detected. They can detect many or all known attack patterns, but they are of little use for unknown attack methods. Misuse detection systems try to recognize known "bad" behaviour.

MDSs (Contd.)
A typical misuse detection system (diagram): audit data and timing information are checked against the system profile for a rule match; a match raises an attack state, and the rule base is maintained by modifying existing rules and adding new rules.

Types of MDSs
Expert systems
These are modelled in such a way as to separate the rule-matching phase from the action phase. Example: NIDES, developed by SRI. NIDES follows a hybrid ID technique. It builds user profiles based on many different criteria. Its expert-system misuse detection component encodes known scenarios and attack patterns.

Types of MDSs (Contd.)
Keystroke Monitoring
This is a very simple technique that monitors keystrokes for attack patterns. Features of shells in which user-definable aliases are present defeat the technique unless alias expansion and semantic analysis of commands is taken up. Operating systems do not offer much support for keystroke capturing, so the keystroke monitor should have a hook that analyses keystrokes before sending them to their intended receiver. An improvement would be to monitor system calls by application programs as well.

Types of MDSs (Contd.)
Model Based Intrusion Detection
This states that certain scenarios are inferred from certain other observable activities. The model-based scheme consists of three important modules:
The anticipator uses the active models and the scenario models to try to predict the next step in the scenario that is expected to occur.
The planner then translates this hypothesis into a format that shows the behaviour as it would occur in the audit trail.
The interpreter then searches for this data in the audit trail.
The system proceeds in this way, accumulating more and more evidence for an intrusion attempt until a threshold is crossed.

Types of MDSs (Contd.)
State Transition Analysis
The monitored system is presented as a state transition diagram. As data is analyzed, the system makes transitions from one state to another. A transition takes place when some boolean condition becomes true.
Drawbacks:
Attack patterns can specify only a sequence of events, rather than more complex forms.
There are no general-purpose methods to prune the search except through the assertion primitives.
They can't detect denial of service attacks.

Types of MDSs (Contd.)
Pattern Matching
This model encodes known intrusion signatures as patterns that are then matched against the audit data. The implementation makes transitions on certain events called labels, and boolean variables called guards can be placed at each transition.
Advantages:
Declarative specification
Multiple event streams
Portability
Real-time capabilities
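As an added example covering both the state transition analysis and the pattern matching slides (not code from the original presentation), a small Python matcher: a signature is a sequence of transitions, each firing on an event label when its boolean guard holds, and a match is a walk from the start state to the final state over the audit stream. The signature here is a defensive one, repeated login failures for one account followed by a success from the same source within a time window; the event fields, the constructed audit records and the variable-binding mechanism are assumptions.

```python
from dataclasses import dataclass, field

# Constructed audit events (label plus attributes); a real system reads these from the audit trail.
AUDIT = [
    {"label": "LOGIN_FAIL", "user": "bob", "src": "10.0.0.5", "t": 100},
    {"label": "LOGIN_FAIL", "user": "bob", "src": "10.0.0.5", "t": 101},
    {"label": "LOGIN_OK", "user": "alice", "src": "10.0.0.9", "t": 102},
    {"label": "LOGIN_FAIL", "user": "bob", "src": "10.0.0.5", "t": 103},
    {"label": "LOGIN_OK", "user": "bob", "src": "10.0.0.5", "t": 104},
]

@dataclass
class Transition:
    label: str                                   # event label that may fire this transition
    guard: object                                # callable(event, bindings) -> bool
    bind: dict = field(default_factory=dict)     # variables bound on firing: name -> event key

@dataclass
class Signature:
    name: str
    transitions: list

def same_actor(ev, b):
    """Guard: the event comes from the source and account bound by the first transition."""
    return ev["src"] == b["src"] and ev["user"] == b["user"]

SIG = Signature("repeated failures then success", [
    Transition("LOGIN_FAIL", lambda ev, b: True, {"src": "src", "user": "user", "t0": "t"}),
    Transition("LOGIN_FAIL", same_actor),
    Transition("LOGIN_FAIL", same_actor),
    Transition("LOGIN_OK", lambda ev, b: same_actor(ev, b) and ev["t"] - b["t0"] <= 60),
])

def match(signature, events):
    """Run the signature as a state machine over the event stream. Every event may advance
    each partial match (state index, bindings) or start a new one; other events are skipped.
    Returns the bindings of every completed match."""
    instances, matches = [], []
    for ev in events:
        advanced = []
        for state, b in instances + [(0, {})]:
            tr = signature.transitions[state]
            if ev["label"] == tr.label and tr.guard(ev, b):
                nb = dict(b, **{k: ev[v] for k, v in tr.bind.items()})
                if state + 1 == len(signature.transitions):
                    matches.append(nb)
                else:
                    advanced.append((state + 1, nb))
            elif state > 0:
                advanced.append((state, b))       # partial match keeps waiting
        instances = advanced
    return matches
```

Partial matches are never expired here; a production matcher would drop instances whose time window has elapsed so they do not accumulate.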

Other Models
Generic Intrusion Detection Model: independent of any particular system, application environment, system vulnerability, or type of intrusion.
Network Security Monitor (NSM): an Intrusion Detection System developed at UC Davis. NSM is a network-based IDS that differs from all the other IDSs in that it doesn't use or analyze the host machine(s)' audit trails.

Conclusions
Future research trends seem to be converging towards a model that is a hybrid of the anomaly and misuse detection models. It is slowly being acknowledged that neither of the models can detect all intrusion attempts on its own.

???