Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intrusion Detection Systems: A Survey and Taxonomy A presentation by Emily Fetchko.

Published byMarjory Powell Modified over 9 years ago

Similar presentations

Presentation on theme: "Intrusion Detection Systems: A Survey and Taxonomy A presentation by Emily Fetchko."— Presentation transcript:

1 Intrusion Detection Systems: A Survey and Taxonomy A presentation by Emily Fetchko

2 About the paper By Stefan Axelson of Chalmers University of Technology, Sweden From 2000 Cited by 92 (Google Scholar) Featured on InfoSysSec Used in Network Security (691N) Followup to 1999 IBM paper “Towards a Taxonomy of Intrusion Detection Systems”

3 Outline New and Significant What is a taxonomy? Introduction to IDS Introduction to classification Taxonomy by Intrusion Detection Principle Example systems Taxonomy by System Characteristics Trends in Research and Conclusion

4 New and Significant First taxonomy paper Predicts research areas for Intrusion Detection Followup to 93 page survey report of research and IBM paper

5 What is a taxonomy? “either a hierarchical classification of things, or the principles underlying the classification” (Wikipedia) Serves three purposes –Description –Prediction –Explanation

6 Intrusion Detection Systems Compare them to burglar alarms Alarm/siren component –Something that alerts Security officer/response team component –Something to respond/correct Different from perimeter defense systems (such as a firewall)

7 Types of intrusions Masquerader –Steals identity of user Legitimate users who abuse the system Exploits –Trojan horse, backdoor, etc. And more

8 Two major types of detection Anomaly detection –“abnormal behavior” –May not be undesirable behavior –High false positive rate Signature detection –Close to previously-defined bad behavior –Has to be constantly updated –Slow to catch new malicious behavior

9 Approaches to classfication Type of intrusion detected Type of data gathered Rules to detect intrusion

10 Taxonomy by Intrusion Detection Principles “self-learning” –Trains on “normal” behavior “programmed” –User must know difference between normal & abnormal “signature inspired” –Combination of anomaly and signature methods

11 Anomaly detection Time series vs. non time series Rule modeling –Create rules describing “normal behavior” –Raise alarm if activity does not match rules Descriptive statistics –Compute distance vector between current system statistcs and “normal” stats ANN – Artificial Neural Network –Black box modeling approach

12 Anomaly detection, continued Descriptive Statistics –Collect statistics about parameters such as #logins, #connections, etc. –Simple statistics – abstract –Rule-based –Threshold Default Deny –Define safe states –All other states are “deny” states

13 Signature Detection State-modeling –If the system is in this state (or followed a series of states) then an intrusion has occurred –Petri-net – states form a petri net, a type of directed bipartite graph (place vs transition nodes)

14 Signature Detection, continued Expert system –Reasoning based on rules –Forward-chaining most popular String-matching –Look for text transmitted Simple rule-based –Less advanced but speeder than expert system

15 Signature Inspired Detection Only one system in the taxonomy (Signature Inspired and Self Learning) Automatic feature selection –Automatically determines which features are interesting –Isolate, use them to decide if intrusion or not

16 Classification by Type of Intrusion Well-known intrusions –Correspond to signature detection systems Generalized intrusions –Like a well-known intrusion, but with some parameters left blank –Correspond to signature-inspired detectors Unknown intrusions –Correspond to anomaly detectors

17 Effectiveness of Detection Two categories marked as least effective Anomaly – Self Learning – Non-time series –Weak in collecting statistics on normal behavior –Will create many false positives Anomaly – Programmed – Descriptive Statistics –If attacker knows stats used, can avoid them –Leads to false negatives

18 Taxonomy by System Characteristics Define system beyond the detection principle Time of detection –Real time or non real time Granularity of data processing –Continuous or batch Source of audit data –Network or host

19 System Characteristics, continued Response to detected intrusions –Active or passive –Modify attacked or attacking system Locus of data processing –Centralized or distributed Locus of data collection Security (ability to defend against direct attack) Degree of interoperability –Work with other systems –Accept other forms of data

20 Example Systems Haystack, 1988 –Air Force –Anomaly detection based on per user profile, and user group profile –Signature based detection MIDAS, 1988 –National Computer Security Centre and Computer Science Laboratory, SRI International –Heuristic intrusion detection –Expert system with two-tiered rule base

21 Example Systems, continued IDES – Intrusion Detection Expert System, 1988-1992 –Multiple authors, long term effort –Real time expert system with statistics –Compare current profile with known profile –Distinction between “on” and “off” days –NIDES = next generation IDES NSM – Network Security Monitor –Monitors broadcast traffic –Layered approach – connection & lower layers –Profile by protocol (telnet, etc)

22 Example Systems, continued DIDS – Distributed IDS, 1992 –Incorporates Haystack and NSM –Three components: Host monitor, LAN monitor, DIDS director –DIDS director contains expert system Bro, 1998 –Network-based (with traffic analysis) –Custom scripting language –Prewritten policy scripts –Signature matching –Action after detection –Snort compatibility

23 System Characteristics, continued

24 System characteristics, continued

25 Trends in Research Active response –Legal ramifications, however Distributed detection –Corresponds with distributed computing in general Increased security Increased interoperability

26 Opportunities for Further Research Taxonomies by other classifications Signature – self-learning detectors Two tiered detectors False positive rates for anomaly detectors Active response detectors Distributed detectors High security detectors

27 Bibliography Stefan Axelson. “Intrusion Detection Systems: A Survey and Taxonomy”. Chalmers University of Technology, Sweden, 2000. Debar, Decier and Wespi. “Towards a taxonomy of intrusion-detection systems”. Computer Networks, p805-822, 1999. Bro Intrusion Detection System, www.bro- ids.orgwww.bro- ids.org Google Scholar, http://scholar.google.comhttp://scholar.google.com

Download ppt "Intrusion Detection Systems: A Survey and Taxonomy A presentation by Emily Fetchko."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
1. AGENDA History. WHAT’S AN IDS? Security and Roles Types of Violations. Types of Detection Types of IDS. IDS issues. Application.

1. AGENDA History. WHAT’S AN IDS? Security and Roles Types of Violations. Types of Detection Types of IDS. IDS issues. Application.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.

1 Intrusion Detection CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 4, 2004.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.
A survey of commercial tools for intrusion detection 1. Introduction 2. Systems analyzed 3. Methodology 4. Results 5. Conclusions Cao er Kai. INSA lab.

A survey of commercial tools for intrusion detection 1. Introduction 2. Systems analyzed 3. Methodology 4. Results 5. Conclusions Cao er Kai. INSA lab.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
seminar on Intrusion detection system

seminar on Intrusion detection system
Testing Intrusion Detection Systems: A Critic for the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory By.

Testing Intrusion Detection Systems: A Critic for the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory By.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
Intrusion Detection System Marmagna Desai [ 520 Presentation]

Intrusion Detection System Marmagna Desai [ 520 Presentation]
Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.

Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.

Similar presentations

Ads by Google