
Introduction to Intrusion

Detection Systems
Presented by
Parwez

Overview of Seminar
Introduction
Need for Intrusion Detection Systems
Classification of Systems
Anomaly Detection
Misuse Detection

Other Models and Directions


Conclusion

Introduction
The networking revolution has come of age.
The Internet is changing computing.
The possibilities and opportunities are limitless.

The risk and likelihood of malicious intrusions
is increasing.
Intrusion attempt: a deliberate, unauthorized
attempt to
Access information
Manipulate information
Render a system unreliable or unusable.

The need for IDSs
A computer system should provide
Confidentiality
Integrity
Assurance against denial of service (availability)

Subversion attempts try to exploit
flaws in the operating system as
well as in application programs and
have resulted in spectacular
incidents like the Internet Worm
incident of 1988.

Ways to handle subversion attempts
Prevent subversion by building a
completely secure system.
We could require all users to identify and
authenticate themselves.
We could protect data by various cryptographic
methods and very tight access control
mechanisms.

Limitations
Complete security is not possible in real life.
The transition will be long in coming.
Cryptographic methods have their own
problems.
Abuse by insiders who misuse their privileges.
The stricter the mechanisms, the lower the
efficiency.

Intrusion Detection System (IDS)
An IDS detects attacks as soon as
possible and takes appropriate
action.
An IDS does not usually take
preventive measures when an
attack is detected.
It is a reactive rather than a proactive agent.
It plays the role of an informant rather
than a police officer.

IDS (Contd.)
The most popular way to detect
intrusions has been to use the audit
data generated by the operating
system.
An audit trail is a record of activities on
a system that are logged to a file in
chronologically sorted order.
Audit trails are particularly useful in
establishing the guilt of attackers.
They are often the only way to detect
unauthorized but subversive user activity.

IDS (Contd.)
Eugene Spafford reports:
Information theft is up over 250% in
the last 5 years.
99% of all major companies report at
least one major incident.
Telecom and computer fraud totaled
$10 billion in the US alone.

Since it seems obvious that we
cannot prevent subversion, we
should at least try to detect it and
prevent similar attacks in the future.

Terminology used in IDSs
Risk: Accidental exposure of information,
or violation of operational integrity due to
the malfunction of hardware or
incomplete or incorrect software design.
Vulnerability: A known or suspected flaw
in the hardware, software or operation of a system
that exposes the system to penetration or
its information to accidental disclosure.
Attack: A specific formulation or
execution of a plan to carry out a threat.
Penetration: A successful attack.

Classification of IDSs
Intrusions are commonly classified as:
Attempted break-ins
Masquerade attacks
Penetration of the security control
system
Leakage
Denial of service
Malicious use
Detection techniques:
Anomaly detection
Misuse detection

Anomaly Detection Systems (ADSs)
Anomaly detection systems (ADSs)
assume that all intrusive activities are
necessarily anomalous.
Anomalous activities that are not intrusive
are flagged as intrusive (false positives).
Intrusive activities that are not anomalous
result in false negatives (events are not
flagged intrusive, though they actually are).

ADSs are also computationally
expensive because of the overhead of
keeping track of, and possibly updating,
several system profile metrics.

ADSs (Contd.)
A typical anomaly detection system (diagram): audit data is compared with the system profile; the profile is updated statistically, and new profiles are generated dynamically. If the observed activity is deviant from the profile, the system enters the attack state.

Approaches to ADSs
Statistical approaches
Behaviour profiles for subjects are
generated.
The anomaly detector continuously measures
the variance of the present behaviour from the
original profile.
They adaptively learn the behaviour of users.
Potentially more sensitive than humans.

Problems with statistical approaches
They can gradually be trained by intruders
so that eventually, intrusive events are
considered normal.
It is not known exactly which subset of
all possible measures accurately
predicts intrusive activities.
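The two slides above (the statistical approach and its training problem) in working code, as an added example that is not part of the original seminar. Each subject gets a profile of running mean and variance per metric; an observation is scored by its z-score against the profile and then folded into the profile with an exponentially weighted moving average. The metric name "files_read", the constants THRESHOLD and ALPHA, and the audit values are constructed for illustration. The second subject shows how a patient intruder raises the count one step at a time, never crossing the threshold, while the profile quietly follows to the new "normal".

```python
"""Statistical anomaly detection against a per-subject behaviour profile.

Added example (not from the original seminar). Each subject has a profile
holding a running mean and variance per metric (e.g. files read per
session). An observation is scored as a z-score against the profile; scores
above THRESHOLD are reported. The profile is then updated with an
exponentially weighted moving average, which is exactly what lets a patient
intruder 'train' the detector, as the slide warns. The metric name, the
constants and the audit values below are all constructed for illustration.
"""
import math
from dataclasses import dataclass, field

THRESHOLD = 3.0   # |z| above which an observation is reported
ALPHA = 0.1       # EWMA weight: how quickly the profile adapts to new behaviour


@dataclass
class Profile:
    mean: dict = field(default_factory=dict)
    var: dict = field(default_factory=dict)

    def deviation(self, metric, value):
        """|z| of value against this metric's running mean and variance."""
        if metric not in self.mean:
            return 0.0
        sd = math.sqrt(self.var[metric])
        if sd == 0.0:
            return 0.0 if value == self.mean[metric] else float("inf")
        return abs(value - self.mean[metric]) / sd

    def update(self, metric, value):
        """Fold one observation into the profile (EWMA mean and variance)."""
        if metric not in self.mean:
            self.mean[metric], self.var[metric] = float(value), 0.0
            return
        diff = value - self.mean[metric]
        incr = ALPHA * diff
        self.mean[metric] += incr
        self.var[metric] = (1.0 - ALPHA) * (self.var[metric] + diff * incr)


class AnomalyDetector:
    def __init__(self, warmup=20):
        self.profiles = {}    # subject -> Profile
        self.seen = {}        # (subject, metric) -> observations consumed
        self.warmup = warmup  # observations learned before scoring starts

    def observe(self, subject, metric, value):
        """Score the observation against the profile, then learn it.

        Returns (flagged, z). Learning happens even for flagged events,
        which is the weakness the slides point out.
        """
        prof = self.profiles.setdefault(subject, Profile())
        n = self.seen.get((subject, metric), 0)
        z = prof.deviation(metric, value) if n >= self.warmup else 0.0
        prof.update(metric, value)
        self.seen[(subject, metric)] = n + 1
        return z > THRESHOLD, z


def run_scenario():
    """Constructed audit data: a stable baseline, a sudden jump, a slow ramp."""
    baseline = [8, 10, 12, 10, 9, 11, 10, 8, 12, 10] * 3   # normal sessions
    det = AnomalyDetector(warmup=20)
    alerts = {"alice": [], "mallory": []}
    # alice: normal behaviour, then one session reading 60 files -> reported
    for i, v in enumerate(baseline + [60], start=1):
        flagged, z = det.observe("alice", "files_read", v)
        if flagged:
            alerts["alice"].append((i, v, round(z, 1)))
    # mallory: raises the count by one per session up to 60; every step stays
    # under THRESHOLD and the profile quietly follows her to the new 'normal'
    for i, v in enumerate(baseline + list(range(11, 61)), start=1):
        flagged, z = det.observe("mallory", "files_read", v)
        if flagged:
            alerts["mallory"].append((i, v, round(z, 1)))
    return det, alerts


if __name__ == "__main__":
    det, alerts = run_scenario()
    print("alice  :", alerts["alice"])
    print("mallory:", alerts["mallory"],
          "profile mean now", round(det.profiles["mallory"].mean["files_read"], 1))
```

The defence against the ramp is not a tighter threshold (that only raises false positives on the honest baseline) but keeping a slowly or never updated reference profile alongside the adaptive one and reporting long-term drift between the two.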

ADSs (Contd.)
Predictive pattern generation
This method tries to predict future events
based on the events that have already
occurred. We could have a rule
E1 E2 --> (E3 = 80%, E4 = 15%, E5 = 5%)
meaning that once E1 and E2 have been observed,
E3 is expected next with probability 80%, E4 with 15% and E5 with 5%.

The problem is that some intrusion scenarios
that are not described by the rules will not be
flagged intrusive.
Advantages:
Rule-based sequential patterns can detect anomalous
activities that were difficult with traditional methods.
Systems built using this model are highly adaptive to
changes.
It is easier to detect users who try to train the system
during its learning period.
Anomalous activities can be detected and reported
within seconds of receiving audit events.
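Predictive pattern generation in working code, as an added example that is not part of the original seminar. Rules in the slide's notation are induced from a constructed history of shell sessions by counting what followed each window of two events; a test stream is then checked event by event. An event predicted with probability below MIN_PROB is reported, while a window that matches no rule predicts nothing and is merely recorded as unmatched, which is the blind spot the slide describes. The command names, the sessions and the constants are constructed for illustration.

```python
"""Predictive pattern generation: sequence rules learned from audit events.

Added example (not from the original seminar). Rules of the form shown on
the slide, 'E1 E2 --> (E3 = 80%, E4 = 15%, E5 = 5%)', are induced from a
history of events by counting what followed each window of ORDER events.
A new stream is then checked event by event: an event whose predicted
probability is below MIN_PROB is reported, while a window that matches no
rule predicts nothing and is only recorded as unmatched, which is the blind
spot the slide describes. The command names and the sessions below are
constructed for illustration.
"""
from collections import Counter, defaultdict

ORDER = 2          # the left-hand side of a rule is the previous two events
MIN_PROB = 0.05    # an event predicted with lower probability than this is reported


def learn_rules(history, order=ORDER):
    """Return {lhs_tuple: Counter(next_event -> count)} from a training history."""
    rules = defaultdict(Counter)
    for i in range(len(history) - order):
        lhs = tuple(history[i:i + order])
        rules[lhs][history[i + order]] += 1
    return rules


def format_rule(lhs, counter):
    """Render one rule in the slide's notation, most likely successor first."""
    total = sum(counter.values())
    rhs = ", ".join(f"{ev} = {100 * n / total:.0f}%" for ev, n in counter.most_common())
    return f"{' '.join(lhs)} --> ({rhs})"


def score_stream(rules, stream, order=ORDER, min_prob=MIN_PROB):
    """Check each event against the rule for its preceding window.

    Returns (anomalies, unmatched): anomalies are (index, lhs, event, p)
    tuples; unmatched are indices where no rule covered the window.
    """
    anomalies, unmatched = [], []
    for i in range(order, len(stream)):
        lhs = tuple(stream[i - order:i])
        if lhs not in rules:
            unmatched.append(i)       # no prediction, so nothing is flagged
            continue
        counter = rules[lhs]
        p = counter[stream[i]] / sum(counter.values())
        if p < min_prob:
            anomalies.append((i, lhs, stream[i], round(p, 3)))
    return anomalies, unmatched


def build_history():
    """Constructed training data: 20 sessions that begin 'login ls' and then
    continue with cat (16x), vi (3x) or an immediate logout (1x)."""
    history = []
    for nxt in ["cat"] * 16 + ["vi"] * 3 + ["logout"]:
        history += ["login", "ls", nxt] + (["logout"] if nxt != "logout" else [])
    return history


# Constructed test stream: one normal session, then 'rm' where the rules expect
# cat/vi/logout, then a 'su bash cat' sequence that no rule covers at all.
STREAM = ["login", "ls", "cat", "logout",
          "login", "ls", "rm", "logout",
          "su", "bash", "cat"]


def run():
    rules = learn_rules(build_history())
    anomalies, unmatched = score_stream(rules, STREAM)
    return rules, anomalies, unmatched


if __name__ == "__main__":
    rules, anomalies, unmatched = run()
    print(format_rule(("login", "ls"), rules[("login", "ls")]))
    print("anomalies:", anomalies)
    print("unmatched windows (nothing predicted, nothing flagged):", unmatched)
```

Note that the "su bash cat" tail is exactly the kind of sequence an operator would want to hear about, yet it produces only unmatched windows: with no rule for the context, the detector has no prediction to violate. Treating unmatched windows as a second, lower-priority signal is the usual mitigation.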

ADSs (Contd.)
Neural Networks
The idea here is to train a neural network to predict a
user's next action or command, given the window of n
previous actions.

Advantages:
They cope with noisy data.
Their success does not depend on any statistical
assumption about the nature of the underlying data.
They are easier to modify for new user communities.

Problems:
A small window will result in false positives; a large
window will result in irrelevant data as well as increase
the chance of false negatives.
The net topology is only determined after considerable
trial and error.
The intruder can train the net during its learning phase.

Misuse Detection Systems (MDSs)
The concept behind MDSs is
that there are ways to represent
attacks in the form of a pattern or a
signature so that even variations of
the same attack can be detected.
They can detect many or all known
attack patterns, but they are of little
use for unknown attack methods.

Misuse detection systems try to
recognize known bad behaviour.

MDSs (Contd.)
A typical misuse detection system (diagram): audit data, timing information and the system profile are fed to the rule matcher; if a rule matches, the system enters the attack state. The rule base is maintained by modifying existing rules and adding new rules.

Types of MDSs
Expert systems
These are modelled in such a way as to
separate the rule matching phase from
the action phase. Ex: NIDES, developed
by SRI.
NIDES follows a hybrid ID technique.
It builds user profiles based on many
different criteria.
The expert system misuse detection
component encodes known scenarios
and attack patterns.

Types of MDSs (Contd.)
Keystroke Monitoring
This is a very simple technique that monitors
keystrokes for attack patterns.
Features of shells in which user-definable
aliases are present defeat the technique unless
alias expansion and semantic analysis of
commands is taken up.
Operating systems do not offer much support
for keystroke capturing, so the keystroke
monitor should have a hook that analyses
keystrokes before sending them to their
intended receiver.
An improvement would be to monitor system
calls made by application programs as well.

Types of MDSs (Contd.)
Model Based Intrusion Detection
This states that certain scenarios can be inferred
from certain other observable activities.
The model based scheme consists of three
important modules:
The anticipator uses the active models and the
scenario models to try to predict the next step in
the scenario that is expected to occur.
The planner then translates this hypothesis into a
format that shows the behaviour as it would occur in
the audit trail.
The interpreter then searches for this data in the
audit trail.

The system proceeds in this way,
accumulating more and more evidence for an
intrusion attempt until a threshold is crossed.

Types of MDSs (Contd.)
State Transition Analysis
The monitored system is represented as a
state transition diagram.
As data is analyzed, the system makes
transitions from one state to another.
A transition takes place on some boolean
condition being true.

Drawbacks
Attack patterns can specify only a sequence
of events, rather than more complex forms.
There are no general-purpose methods to
prune the search except through the
assertion primitives.
They can't detect denial of service attacks.

Types of MDSs (Contd.)
Pattern Matching
This model encodes known intrusion
signatures as patterns that are then matched
against the audit data.
The implementation makes transitions on
certain events called labels, and boolean
variables called guards can be placed at each
transition.

Advantages
Declarative Specification
Multiple event streams
Portability
Real-time capabilities
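State transition analysis and pattern matching (the two slides above) in one small engine, as an added example that is not part of the original seminar and not the code of any of the systems it mentions. A signature is a state machine whose transitions fire on an event type (the label) when a boolean guard over the event and the variables bound so far holds. Partial matches are carried as tokens, so several attempts interleaved with unrelated events are tracked at once. The signature (three failed logins from one source followed by a successful login from the same source), the 60 second window and the audit events are all constructed for illustration.

```python
"""Misuse detection by state transition / pattern matching with labels and guards.

Added example (not from the original seminar, and not the code of any of
the systems it names). A signature is a small state machine: each
transition fires on an event type (its label) when a boolean guard over the
event and the variables bound so far is true. Partial matches are carried
as tokens so that several attack attempts, interleaved with unrelated
events, can be tracked at once. The signature, the 60 second window and the
audit events below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable

WINDOW = 60  # seconds a partial match stays alive (assumed value)


@dataclass
class Transition:
    src: str
    dst: str
    label: str                             # event type that may fire it
    guard: Callable = lambda ev, b: True   # boolean over event + bindings
    bind: Callable = lambda ev, b: b       # variables carried forward


@dataclass
class Signature:
    name: str
    start: str
    final: str
    transitions: list


def same_src(ev, b):
    return ev["src"] == b["src"]


def in_window(ev, b):
    return same_src(ev, b) and ev["t"] - b["t0"] <= WINDOW


def bind_first(ev, b):
    return {"src": ev["src"], "user": ev["user"], "t0": ev["t"]}


BRUTE_FORCE = Signature(
    name="three failed logins then success from one source",
    start="s0", final="alarm",
    transitions=[
        Transition("s0", "s1", "login_fail", bind=bind_first),
        Transition("s1", "s2", "login_fail", guard=same_src),
        Transition("s2", "s3", "login_fail", guard=same_src),
        Transition("s3", "alarm", "login_ok", guard=in_window),
    ],
)


class Matcher:
    def __init__(self, sig):
        self.sig = sig
        self.tokens = []                   # partial matches: (state, bindings)
        self.by_state = {}
        for tr in sig.transitions:
            self.by_state.setdefault(tr.src, []).append(tr)

    def feed(self, ev):
        """Advance every partial match on one audit event; return alarms raised."""
        alarms, nxt = [], []
        # discard partial matches whose window has expired
        live = [(s, b) for s, b in self.tokens
                if ev["t"] - b.get("t0", ev["t"]) <= WINDOW]
        live.append((self.sig.start, {}))  # a new match may begin at any event
        for state, b in live:
            moved = False
            for tr in self.by_state.get(state, []):
                if tr.label == ev["type"] and tr.guard(ev, b):
                    nb = tr.bind(ev, b)
                    if tr.dst == self.sig.final:
                        alarms.append({"signature": self.sig.name, "t_alarm": ev["t"], **nb})
                    else:
                        nxt.append((tr.dst, nb))
                    moved = True
            if not moved and state != self.sig.start:
                nxt.append((state, b))     # unrelated event: keep waiting
        self.tokens = nxt
        return alarms


def run_signature(sig, events):
    m = Matcher(sig)
    alarms = []
    for ev in events:
        alarms.extend(m.feed(ev))
    return alarms


# Constructed audit events. The first source succeeds after three failures
# inside the window; the second spreads its failures so far apart that the
# partial match expires before the successful login.
EVENTS = [
    {"t": 0,   "type": "login_fail", "user": "root", "src": "10.0.0.5"},
    {"t": 5,   "type": "login_fail", "user": "root", "src": "10.0.0.5"},
    {"t": 7,   "type": "login_ok",   "user": "bob",  "src": "10.0.0.9"},
    {"t": 9,   "type": "login_fail", "user": "root", "src": "10.0.0.5"},
    {"t": 12,  "type": "login_ok",   "user": "root", "src": "10.0.0.5"},
    {"t": 100, "type": "login_fail", "user": "root", "src": "10.0.0.7"},
    {"t": 900, "type": "login_fail", "user": "root", "src": "10.0.0.7"},
    {"t": 905, "type": "login_fail", "user": "root", "src": "10.0.0.7"},
    {"t": 910, "type": "login_ok",   "user": "root", "src": "10.0.0.7"},
]

if __name__ == "__main__":
    for alarm in run_signature(BRUTE_FORCE, EVENTS):
        print(alarm)
```

The window guard and the token expiry are what keep the token set bounded; without them the "no general-purpose methods to prune the search" drawback on the previous slide shows up as unbounded memory growth on a busy host. The signature is declarative (a list of transitions), so the same matcher runs any number of signatures over any event stream that carries the labelled fields.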

Other Models
Generic Intrusion Detection Model
Independent of any particular system,
application environment, system
vulnerability, or type of intrusion.

Network Security Monitor
It is an Intrusion Detection System
developed at UC Davis. NSM is a
network based IDS that differs from the other
IDSs discussed here in that it doesn't use or analyze
the host machines' audit trails.

Conclusions
Future research trends seem to be
converging towards a model that is a
hybrid of the anomaly and misuse
detection models.
It is slowly being acknowledged that
neither of the models can detect
all intrusion attempts on its own.
