Intrusion Detection Systems: A Survey and Taxonomy
A presentation by Emily Fetchko
About the paper
• By Stefan Axelsson of Chalmers University of Technology, Sweden
• From 2000
• Cited by 92 (Google Scholar)
• Featured on InfoSysSec
• Used in Network Security (691N)
• Follow-up to the 1999 IBM paper "Towards a taxonomy of intrusion-detection systems"
Outline
• New and Significant
• What is a taxonomy?
• Introduction to IDS
• Introduction to classification
• Taxonomy by Intrusion Detection Principle
• Example systems
• Taxonomy by System Characteristics
• Trends in Research and Conclusion
New and Significant
• First taxonomy paper
• Predicts research areas for intrusion detection
• Follow-up to the author's 93-page survey report of intrusion detection research and to the IBM paper
What is a taxonomy?
• "either a hierarchical classification of things, or the principles underlying the classification" (Wikipedia)
• Serves three purposes
  • Description
  • Prediction
  • Explanation
Intrusion Detection Systems
• Compare them to burglar alarms
  • Alarm/siren component: something that alerts
  • Security officer/response team component: something that responds and corrects
• Different from perimeter defense systems (such as a firewall): a firewall blocks traffic at the boundary, while an IDS watches for intrusions that get past it or originate inside
Types of intrusions
• Masquerader: steals the identity (credentials) of a legitimate user
• Legitimate users who abuse the system
• Exploits
• Trojan horse, backdoor, etc.
• And more
Two major types of detection
• Anomaly detection
  • Flags "abnormal" behavior, i.e. deviation from a model of normal activity
  • Abnormal is not necessarily undesirable, so the false positive rate is high
  • Can catch previously unseen attacks
• Signature detection
  • Flags activity that closely matches previously defined bad behavior
  • The signature database has to be constantly updated
  • Slow to catch new malicious behavior: nothing is detected until a signature exists
Approaches to classification
• By the type of intrusion detected
• By the type of data gathered (the audit source)
• By the rules (detection principle) used to detect an intrusion
Taxonomy by Intrusion Detection Principles
• "Self-learning": the system trains itself on observed "normal" behavior
• "Programmed": the user must tell the system the difference between normal and abnormal, or what counts as an intrusion
• "Signature inspired": a combination of anomaly and signature methods
Anomaly detection (self-learning)
• Split into non time series and time series models
• Non time series
  • Rule modeling: learn rules describing "normal behavior"; raise an alarm if activity does not match the rules
  • Descriptive statistics: compute a distance vector between the current system statistics and the "normal" statistics; alarm when the distance is too large
• Time series
  • ANN (Artificial Neural Network): black box modeling approach, so it is hard to explain why an alarm was raised
Anomaly detection, continued (programmed)
• Descriptive statistics: the operator chooses which statistics to keep
  • Collect statistics about parameters such as number of logins, number of connections, etc.
  • Simple statistics: abstract counts and averages, no learned model
  • Simple rule-based
  • Threshold: alarm when a statistic exceeds a fixed limit
• Default deny
  • Define the safe states of the system
  • All other states are "deny" states and raise an alarm
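The descriptive-statistics approach from the two slides above, as an added example (this is not code from Axelsson's paper or from the presentation): a per-user profile of means and standard deviations is learned from constructed "normal" daily audit summaries, a z-score distance is computed for a new day, and a fixed threshold decides. The same code also shows the weakness noted under Effectiveness of Detection later in the talk: an attacker who knows the statistics and the threshold can plan an attack that stays below it and is never flagged. The record format (logins and connections per user per day), the Euclidean z-score distance, the threshold of 4.0 and the training data are all my assumptions.

```python
"""Descriptive-statistics anomaly detector.

Added example, not code from Axelsson's paper or the presentation.
Assumptions (mine): an audit record is a per-user daily summary of
(logins, network connections); the "normal" profile is the per-user mean
and population standard deviation of each counter over a training window;
the distance is the Euclidean norm of the z-score vector; alarm threshold 4.0.
"""
from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed training data: (user, logins, connections) for eight "normal" days.
TRAINING: List[Tuple[str, int, int]] = [
    ("alice", 2, 39), ("alice", 4, 43), ("alice", 2, 43), ("alice", 4, 39),
    ("alice", 4, 43), ("alice", 2, 39), ("alice", 4, 39), ("alice", 2, 43),
]

THRESHOLD = 4.0  # assumed: alarm when the day is more than 4 "standard deviations" away


@dataclass(frozen=True)
class Profile:
    means: Tuple[float, ...]
    stdevs: Tuple[float, ...]


def build_profiles(records: Sequence[Tuple[str, int, int]]) -> Dict[str, Profile]:
    """Learn one Profile per user from the training records."""
    rows_by_user: Dict[str, List[Tuple[int, ...]]] = {}
    for user, *counters in records:
        rows_by_user.setdefault(user, []).append(tuple(counters))
    profiles: Dict[str, Profile] = {}
    for user, rows in rows_by_user.items():
        columns = list(zip(*rows))  # one column per counter
        means = tuple(float(mean(col)) for col in columns)
        # A counter that never varies would give a zero stdev and a division by
        # zero in distance(), so fall back to 1.0 for such columns.
        stdevs = tuple(float(pstdev(col)) or 1.0 for col in columns)
        profiles[user] = Profile(means, stdevs)
    return profiles


def distance(profile: Profile, observed: Sequence[float]) -> float:
    """Euclidean norm of the z-score vector between the observed day and the profile."""
    return sqrt(sum(((o - m) / s) ** 2
                    for o, m, s in zip(observed, profile.means, profile.stdevs)))


def classify(profiles: Dict[str, Profile], user: str, observed: Sequence[float],
             threshold: float = THRESHOLD) -> Tuple[str, Optional[float]]:
    """Return ("alarm" | "ok", distance). A user with no profile is treated as abnormal."""
    if user not in profiles:
        return "alarm", None
    d = distance(profiles[user], observed)
    return ("alarm" if d > threshold else "ok"), d


def undetected_maximum(profile: Profile, counter: int, threshold: float = THRESHOLD) -> float:
    """Largest value of one counter that still stays within the threshold when the
    attacker holds every other counter at its mean. An attacker who knows the
    profile and the threshold can plan to this number: the false-negative weakness."""
    return profile.means[counter] + threshold * profile.stdevs[counter]


if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    days = [("alice", (3, 41)), ("alice", (12, 81)), ("alice", (5, 45)), ("mallory", (1, 5))]
    for user, day in days:
        print(user, day, classify(profiles, user, day))
    print("alice can make up to", undetected_maximum(profiles["alice"], 0), "logins undetected")
```

A masquerader who logs in 12 times and opens 81 connections is about 22 standard deviations away and is flagged; a careful attacker who keeps to 5 logins and 45 connections is under 3 and passes as normal, which is exactly the evasion the taxonomy warns about for programmed descriptive statistics.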
Signature Detection
• State modeling: the intrusion is modeled as a series of states the system passes through
  • State transition: if the system is in this state (or has followed this series of states) then an intrusion has occurred
  • Petri net: the states form a Petri net, a type of directed bipartite graph with place nodes and transition nodes
Signature Detection, continued
• Expert system
  • Reasoning based on rules
  • Forward chaining is the most popular
• String matching
  • Look for known substrings in transmitted text
• Simple rule-based
  • Less advanced but faster than an expert system
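The state-modeling idea from the previous slide in code, as an added example (not from Axelsson's paper or the presentation): an intrusion is written down as an ordered chain of states, every source host holds its own position in the chain (the counterpart of one token per host in a Petri net with a single path of places), and reaching the last state raises the alarm. The audit-line format, the three-failures-then-success pattern and the log lines are my constructions.

```python
"""State-modeling signature detector.

Added example, not code from Axelsson's paper or the presentation.
Assumptions (mine): audit records are lines of the form
    <timestamp> src=<host> user=<name> login=<FAIL|OK>
and the signature is the linear state chain FAIL, FAIL, FAIL, OK from one
source host, i.e. a password-guessing run that eventually succeeds.
"""
import re
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]
Predicate = Callable[[Event], bool]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) login=(?P<result>FAIL|OK)$")


def parse(line: str) -> Event:
    """Parse one audit line into a dict; reject anything that does not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable audit record: {line!r}")
    return m.groupdict()


class SequenceSignature:
    """An intrusion modeled as an ordered series of states.

    steps[i] is the predicate an event must satisfy to move a key from state i
    to state i+1; reaching state len(steps) is the intrusion. An event that
    matches neither the next step nor reset_on leaves the state unchanged.
    """

    def __init__(self, name: str, key: str, steps: List[Predicate],
                 reset_on: Optional[Predicate] = None) -> None:
        self.name, self.key, self.steps, self.reset_on = name, key, steps, reset_on
        self.state: Dict[str, int] = {}  # current state per key (here: per source host)

    def feed(self, event: Event) -> Optional[str]:
        k = event[self.key]
        state = self.state.get(k, 0)
        if self.steps[state](event):
            state += 1
        elif self.reset_on is not None and self.reset_on(event):
            state = 0
        if state == len(self.steps):
            self.state[k] = 0  # final state reached: alarm and start over for this key
            return f"{self.name} from {k} at {event['ts']}"
        self.state[k] = state
        return None


def failed(e: Event) -> bool:
    return e["result"] == "FAIL"


def succeeded(e: Event) -> bool:
    return e["result"] == "OK"


def brute_force_signature() -> SequenceSignature:
    # Three failures then a success from the same host. A success before the
    # third failure resets the chain, so a user who mistypes twice is not flagged.
    return SequenceSignature("brute-force login", key="src",
                             steps=[failed, failed, failed, succeeded],
                             reset_on=succeeded)


def run(lines: List[str], signature: SequenceSignature) -> List[str]:
    """Feed every audit line through the signature and collect the alarms."""
    alarms: List[str] = []
    for line in lines:
        alarm = signature.feed(parse(line))
        if alarm:
            alarms.append(alarm)
    return alarms


# Constructed audit log: alice mistypes twice, then an outside host guesses root
# while an unrelated login from another host is interleaved.
SAMPLE_LOG = [
    "2024-05-01T10:00:01 src=10.0.0.5 user=alice login=FAIL",
    "2024-05-01T10:00:02 src=10.0.0.5 user=alice login=FAIL",
    "2024-05-01T10:00:03 src=10.0.0.5 user=alice login=OK",
    "2024-05-01T10:01:00 src=203.0.113.9 user=root login=FAIL",
    "2024-05-01T10:01:01 src=203.0.113.9 user=root login=FAIL",
    "2024-05-01T10:01:02 src=10.0.0.7 user=bob login=OK",
    "2024-05-01T10:01:02 src=203.0.113.9 user=root login=FAIL",
    "2024-05-01T10:01:03 src=203.0.113.9 user=root login=OK",
]

if __name__ == "__main__":
    for alarm in run(SAMPLE_LOG, brute_force_signature()):
        print(alarm)
```

Keying the state on the source host is what keeps bob's interleaved login from disturbing the chain being built for 203.0.113.9; a real system would also expire stale partial matches so that a host cannot keep a token forever.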
Signature Inspired Detection
• Only one system in this cell of the taxonomy (signature inspired and self-learning)
• Automatic feature selection
  • Automatically determines which features are interesting
  • Isolates them and uses them to decide whether or not an intrusion has occurred
Classification by Type of Intrusion
• Well-known intrusions
  • Correspond to signature detection systems
• Generalized intrusions
  • Like a well-known intrusion, but with some parameters left blank
  • Correspond to signature-inspired detectors
• Unknown intrusions
  • Correspond to anomaly detectors
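An added example (not from Axelsson's paper or the presentation) that ties the string-matching method from the Signature Detection slides to the well-known versus generalized distinction above: a signature is a template matched against request text, a well-known intrusion is a template with every parameter fixed, and a generalized intrusion is the same template with some parameters left blank as {slots} that bind to whatever the attacker supplied. The CGI script name, the two signatures and the three request lines are constructed for the example and do not describe a real exploit.

```python
"""Signature templates: well-known vs generalized intrusions.

Added example, not code from Axelsson's paper or the presentation.
Assumptions (mine): a signature is a template string matched against the
text of a request (the string-matching method); a {slot} in the template is
a parameter left blank, so a template with no slots describes a well-known
intrusion and one with slots a generalized intrusion. The script name and
payloads below are constructed, not a real CGI program or exploit.
"""
import re
from typing import Dict, List, Optional, Tuple

SLOT_RE = re.compile(r"\{(\w+)\}")


def intrusion_class(template: str) -> str:
    """Classify the signature by the type of intrusion it describes."""
    return "generalized" if SLOT_RE.search(template) else "well-known"


def compile_template(template: str) -> "re.Pattern[str]":
    """Literal text is escaped so regex metacharacters in the signature match
    verbatim; each {slot} becomes a named group that binds to any run of
    characters that cannot end a CGI parameter (whitespace or '&')."""
    parts: List[str] = []
    pos = 0
    for m in SLOT_RE.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(rf"(?P<{m.group(1)}>[^\s&]+)")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))


def match(template: str, payload: str) -> Optional[Dict[str, str]]:
    """Bound parameters on a hit (an empty dict for a well-known signature), else None."""
    m = compile_template(template).search(payload)
    return m.groupdict() if m else None


def scan(signatures: Dict[str, str], payloads: List[str]) -> List[Tuple[str, int, Dict[str, str]]]:
    """Run every signature over every payload; one (name, payload index, bindings) per hit."""
    hits: List[Tuple[str, int, Dict[str, str]]] = []
    for name, template in signatures.items():
        for i, payload in enumerate(payloads):
            bound = match(template, payload)
            if bound is not None:
                hits.append((name, i, bound))
    return hits


# Constructed signatures and requests (hypothetical script name, not a real CGI).
SIGNATURES = {
    "exact-passwd-read": "/cgi-bin/example.cgi?cmd=/bin/cat%20/etc/passwd",
    "any-file-read": "/cgi-bin/example.cgi?cmd=/bin/{program}%20{argument}",
}
REQUESTS = [
    "GET /cgi-bin/example.cgi?cmd=status HTTP/1.0",
    "GET /cgi-bin/example.cgi?cmd=/bin/cat%20/etc/passwd HTTP/1.0",
    "GET /cgi-bin/example.cgi?cmd=/bin/cat%20/etc/shadow HTTP/1.0",
]

if __name__ == "__main__":
    for name, tpl in SIGNATURES.items():
        print(name, "describes a", intrusion_class(tpl), "intrusion")
    for hit in scan(SIGNATURES, REQUESTS):
        print(hit)
```

The well-known signature hits only the exact request it was written for and misses the /etc/shadow variant; the generalized one catches both and reports what was bound to the blank parameters, which is the extra information a signature-inspired detector can work with.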
Effectiveness of Detection
• Two categories marked as least effective
• Anomaly – Self-learning – Non time series
  • Weak at collecting statistics on normal behavior
  • Will create many false positives
• Anomaly – Programmed – Descriptive statistics
  • If the attacker knows which statistics are used, the attack can be shaped to stay within them
  • Leads to false negatives
Taxonomy by System Characteristics
• Define the system beyond its detection principle
• Time of detection: real time or non real time
• Granularity of data processing: continuous or batch
• Source of audit data: network or host
System Characteristics, continued
• Response to detected intrusions
  • Active or passive
  • An active response may modify the attacked or the attacking system
• Locus of data processing: centralized or distributed
• Locus of data collection: centralized or distributed
• Security: ability to defend against a direct attack on the IDS itself
• Degree of interoperability
  • Works with other systems
  • Accepts other forms of data
Example Systems
• Haystack, 1988
  • Air Force
  • Anomaly detection based on per-user profiles and user-group profiles
  • Signature-based detection as well
• MIDAS, 1988
  • National Computer Security Center and the Computer Science Laboratory, SRI International
  • Heuristic intrusion detection
  • Expert system with a two-tiered rule base
Example Systems, continued
• IDES – Intrusion Detection Expert System, 1988–1992
  • Multiple authors, long-term effort
  • Real-time expert system combined with statistics
  • Compares the current profile with the known profile
  • Distinguishes between "on" and "off" days
  • NIDES = next-generation IDES
• NSM – Network Security Monitor
  • Monitors broadcast (LAN) traffic
  • Layered approach: connection layer and lower layers
  • Profiles by protocol (telnet, etc.)
Example Systems, continued
• DIDS – Distributed IDS, 1992
  • Incorporates Haystack and NSM
  • Three components: host monitor, LAN monitor, DIDS director
  • The DIDS director contains the expert system
• Bro, 1998
  • Network-based (with traffic analysis)
  • Custom scripting language
  • Pre-written policy scripts
  • Signature matching
  • Action after detection
  • Snort compatibility
Trends in Research
• Active response
  • Legal ramifications, however
• Distributed detection
  • Corresponds with the trend toward distributed computing in general
• Increased security of the IDS itself
• Increased interoperability
Opportunities for Further Research
• Taxonomies by other classifications
• Signature – self-learning detectors
• Two-tiered detectors
• False positive rates for anomaly detectors
• Active response detectors
• Distributed detectors
• High-security detectors
Bibliography
• Stefan Axelsson. "Intrusion Detection Systems: A Survey and Taxonomy". Technical Report 99-15, Chalmers University of Technology, Sweden, 2000.
• Hervé Debar, Marc Dacier and Andreas Wespi. "Towards a taxonomy of intrusion-detection systems". Computer Networks 31, pp. 805–822, 1999.
• Bro Intrusion Detection System, www.bro-ids.org
• Google Scholar, http://scholar.google.com