Intrusion Detection Systems: A Survey and Taxonomy A presentation by Emily Fetchko.


About the paper
By Stefan Axelsson of Chalmers University of Technology, Sweden
From 2000
Cited by 92 (Google Scholar)
Featured on InfoSysSec
Used in Network Security (691N)
Follow-up to the 1999 IBM paper “Towards a Taxonomy of Intrusion Detection Systems”

Outline
New and Significant
What is a taxonomy?
Introduction to IDS
Introduction to classification
Taxonomy by Intrusion Detection Principle
Example systems
Taxonomy by System Characteristics
Trends in Research and Conclusion

New and Significant
First taxonomy paper
Predicts research areas for intrusion detection
Follow-up to a 93-page survey report of research and to the IBM paper

What is a taxonomy?
“either a hierarchical classification of things, or the principles underlying the classification” (Wikipedia)
Serves three purposes
– Description
– Prediction
– Explanation

Intrusion Detection Systems
Compare them to burglar alarms
Alarm/siren component
– Something that alerts
Security officer/response team component
– Something to respond/correct
Different from perimeter defense systems (such as a firewall)

Types of intrusions
Masquerader
– Steals the identity of a user
Legitimate users who abuse the system
Exploits
– Trojan horse, backdoor, etc.
And more

Two major types of detection
Anomaly detection
– “abnormal behavior”
– May not be undesirable behavior
– High false positive rate
Signature detection
– Close to previously-defined bad behavior
– Has to be constantly updated
– Slow to catch new malicious behavior

Approaches to classification
Type of intrusion detected
Type of data gathered
Rules to detect intrusion

Taxonomy by Intrusion Detection Principles
“self-learning”
– Trains on “normal” behavior
“programmed”
– User must know the difference between normal and abnormal
“signature inspired”
– Combination of anomaly and signature methods

Anomaly detection
Time series vs. non-time series
Rule modeling
– Create rules describing “normal behavior”
– Raise an alarm if activity does not match the rules
Descriptive statistics
– Compute a distance vector between current system statistics and “normal” statistics
ANN – Artificial Neural Network
– Black-box modeling approach

Anomaly detection, continued
Descriptive statistics
– Collect statistics about parameters such as #logins, #connections, etc.
– Simple statistics – abstract
– Rule-based
– Threshold
Default deny
– Define safe states
– All other states are “deny” states

Signature Detection
State modeling
– If the system is in this state (or followed a series of states) then an intrusion has occurred
– Petri net – states form a Petri net, a type of directed bipartite graph (place vs. transition nodes)

Signature Detection, continued
Expert system
– Reasoning based on rules
– Forward chaining most popular
String matching
– Look for text transmitted
Simple rule-based
– Less advanced but faster than an expert system

Signature Inspired Detection
Only one system in the taxonomy (Signature Inspired and Self Learning)
Automatic feature selection
– Automatically determines which features are interesting
– Isolates them and uses them to decide whether an intrusion occurred or not

Classification by Type of Intrusion
Well-known intrusions
– Correspond to signature detection systems
Generalized intrusions
– Like a well-known intrusion, but with some parameters left blank
– Correspond to signature-inspired detectors
Unknown intrusions
– Correspond to anomaly detectors

Effectiveness of Detection
Two categories marked as least effective
Anomaly – Self-learning – Non-time series
– Weak in collecting statistics on normal behavior
– Will create many false positives
Anomaly – Programmed – Descriptive statistics
– If the attacker knows the statistics used, they can avoid them
– Leads to false negatives
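As an added example (not code from the slides or from Axelsson's paper), the two detector families described on the anomaly-detection, signature-detection and effectiveness slides side by side: a self-learning descriptive-statistics detector that builds a per-user profile of #logins and #connections and alarms when the current statistics drift more than a threshold from it, and a programmed string-matching detector that looks for known bad text. The sessions, payloads and signature list are constructed; the cases show the false positive on an “off” day and the false negative when activity stays under the threshold, as well as a signature list that needs updating.

```python
from statistics import mean, pstdev

# Constructed training data: per-user (logins, connections) counts for six
# "normal" sessions, the kind of parameters the survey lists for
# descriptive-statistics anomaly detectors.
NORMAL_SESSIONS = {
    "alice": [(3, 40), (4, 45), (2, 38), (3, 42), (4, 47), (3, 41)],
}

# Constructed signature list for the programmed string-matching detector.
SIGNATURES = ["/etc/passwd", "../../"]


def build_profile(sessions):
    """Self-learning step: summarise normal behaviour as (mean, std-dev) per feature."""
    columns = list(zip(*sessions))
    # A constant feature has std-dev 0; use 1.0 so the distance stays defined.
    return [(mean(col), pstdev(col) or 1.0) for col in columns]


def anomaly_score(profile, observation):
    """Distance between current statistics and the profile, in std-dev units
    (largest per-feature deviation)."""
    return max(abs(x - m) / s for (m, s), x in zip(profile, observation))


def anomaly_alert(profile, observation, threshold=3.0):
    """Raise an alarm when the observation drifts past the threshold."""
    return anomaly_score(profile, observation) > threshold


def signature_alert(payload):
    """Programmed detector: return the known bad strings found in the payload."""
    return [sig for sig in SIGNATURES if sig in payload]


def run_cases():
    """Constructed cases showing the strengths and weaknesses of each detector."""
    profile = build_profile(NORMAL_SESSIONS["alice"])
    return {
        "normal_day": anomaly_alert(profile, (3, 43)),       # False: fits profile
        "gross_abuse": anomaly_alert(profile, (30, 400)),    # True: far from profile
        "off_day": anomaly_alert(profile, (0, 0)),           # True: a false positive
        "under_threshold": anomaly_alert(profile, (5, 50)),  # False: a false negative
        "known_string": signature_alert("GET /../../etc/passwd"),  # both signatures hit
        "unlisted_string": signature_alert("GET /etc/shadow"),     # []: list needs updating
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name}: {result}")
```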

Taxonomy by System Characteristics
Define the system beyond the detection principle
Time of detection
– Real time or non-real time
Granularity of data processing
– Continuous or batch
Source of audit data
– Network or host

System Characteristics, continued
Response to detected intrusions
– Active or passive
– Modify the attacked or the attacking system
Locus of data processing
– Centralized or distributed
Locus of data collection
Security (ability to defend against direct attack)
Degree of interoperability
– Works with other systems
– Accepts other forms of data

Example Systems
Haystack, 1988
– Air Force
– Anomaly detection based on a per-user profile and a user-group profile
– Signature-based detection
MIDAS, 1988
– National Computer Security Centre and Computer Science Laboratory, SRI International
– Heuristic intrusion detection
– Expert system with a two-tiered rule base

Example Systems, continued
IDES – Intrusion Detection Expert System
– Multiple authors, long-term effort
– Real-time expert system with statistics
– Compares the current profile with the known profile
– Distinction between “on” and “off” days
– NIDES = next-generation IDES
NSM – Network Security Monitor
– Monitors broadcast traffic
– Layered approach – connection and lower layers
– Profile by protocol (telnet, etc.)

Example Systems, continued
DIDS – Distributed IDS, 1992
– Incorporates Haystack and NSM
– Three components: host monitor, LAN monitor, DIDS director
– DIDS director contains an expert system
Bro, 1998
– Network-based (with traffic analysis)
– Custom scripting language
– Prewritten policy scripts
– Signature matching
– Action after detection
– Snort compatibility

System Characteristics, continued

System characteristics, continued

Trends in Research
Active response
– Legal ramifications, however
Distributed detection
– Corresponds with distributed computing in general
Increased security
Increased interoperability

Opportunities for Further Research
Taxonomies by other classifications
Signature – self-learning detectors
Two-tiered detectors
False positive rates for anomaly detectors
Active response detectors
Distributed detectors
High-security detectors

Bibliography
Stefan Axelsson. “Intrusion Detection Systems: A Survey and Taxonomy”. Chalmers University of Technology, Sweden.
Debar, Dacier and Wespi. “Towards a taxonomy of intrusion-detection systems”. Computer Networks, p ,
Bro Intrusion Detection System, www.bro-ids.org
Google Scholar