Survey of Intrusion Detection Systems
Motivation
• The worldwide impact of malicious code attacks is estimated to be over $10 Billion annually.
• The CERT center at CMU reported 73,359 security incidents between 1/1/02 and 9/31/02, equal to all of the security incidents reported in 2000-2001 combined.
• Novice attackers can easily acquire and use automated denial-of-service attack software.
• Human security analysts can't keep up with it all.
Intrusion Detection
Attempts to detect unauthorized or malicious activities in a network or on a host system.
• Signature-based - looks for patterns that are known to be intrusive in packets or audit logs
• Anomaly-based - looks for 'abnormal' activity; usually requires a template of 'normal' activity
Determining 'who' is much harder than just detecting that an intrusion occurred.
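The two detection styles on this slide, as an added example that is not part of the original deck: a tiny signature matcher and a profile-based anomaly detector run over the same constructed host audit log. The signatures, the log lines, the user names and the "top-level directory" profile key are all assumptions made for the example. The run shows the trade-off the slide describes: the anomaly detector catches an event no signature covers (alice reading /etc/passwd) but also raises a false alarm on benign novelty (bob reading a log file he never touched during training).

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed attack-free training log: one "user action target" per line.
TRAINING_LOG = """\
alice login /bin/sh
alice read /home/alice/notes.txt
bob login /bin/sh
bob read /home/bob/report.doc
"""

# Constructed monitored log: benign novelty plus a hypothetical intrusion by 'mallory'.
MONITORED_LOG = """\
alice login /bin/sh
alice read /home/alice/todo.txt
alice read /etc/passwd
bob login /bin/sh
bob read /home/bob/new.doc
bob read /var/log/syslog
mallory login /bin/sh
mallory read /etc/shadow
mallory exec /tmp/x
"""

# Hypothetical signature set: patterns the operator has declared known-intrusive.
SIGNATURES = {
    "shadow-read": re.compile(r"\bread /etc/shadow\b"),
    "tmp-exec": re.compile(r"\bexec /tmp/"),
}

# Profile key used by the anomaly detector: (user, action, top-level directory).
Event = Tuple[str, str, str]


def parse_event(line: str) -> Event:
    user, action, target = line.split()
    top = "/" + target.split("/")[1] if target.startswith("/") else target
    return user, action, top


def signature_alerts(log: str) -> List[Dict[str, object]]:
    """Signature-based: flag any audit line that matches a known-intrusive pattern."""
    alerts = []
    for lineno, line in enumerate(log.splitlines(), 1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append({"line": lineno, "signature": name, "event": line})
    return alerts


def build_profile(training_log: str) -> Set[Event]:
    """Anomaly-based needs a template of 'normal': here, the set of
    (user, action, directory) triples seen in attack-free training data."""
    return {parse_event(line) for line in training_log.splitlines()}


def anomaly_alerts(log: str, profile: Set[Event]) -> List[Dict[str, object]]:
    """Flag every event whose triple never appeared in the profile.
    A user with no profile at all (mallory) is anomalous on every event."""
    alerts = []
    for lineno, line in enumerate(log.splitlines(), 1):
        if parse_event(line) not in profile:
            alerts.append({"line": lineno, "event": line})
    return alerts


def caught_only_by_anomaly(log: str, profile: Set[Event]) -> List[int]:
    """Lines the anomaly detector raises that no signature would have caught."""
    sig_lines = {a["line"] for a in signature_alerts(log)}
    return [a["line"] for a in anomaly_alerts(log, profile) if a["line"] not in sig_lines]


if __name__ == "__main__":
    prof = build_profile(TRAINING_LOG)
    for a in signature_alerts(MONITORED_LOG):
        print("SIG ", a)
    for a in anomaly_alerts(MONITORED_LOG, prof):
        print("ANOM", a)
    print("anomaly-only lines:", caught_only_by_anomaly(MONITORED_LOG, prof))
```

Line 3 (a sensitive read with no matching signature) is the case anomaly detection exists for; line 6 is the price paid for it, a benign event flagged because the training data did not contain it.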
Early Work on Security
• Saltzer and Schroeder (1974) - established security design principles and mechanisms
• Orange Book (1985) - DoD specifications
• Formal Models
  • Bell-LaPadula (1976) - supported formal proofs of conformance to security policies
• Denning (1987) - described the requirements for designing an intrusion detection system
Early Systems
• IDES - statistical anomaly detection
• Haystack - also added signature detection
• Wisdom & Sense - automatically created a profile of 'normal' behavior from past user and host activities
• ISOA - uses both real-time monitoring and post-session analysis to detect suspicious behavior; developed profiles at both levels
Recent Research in ID
• NIDES - distributed collection of host data, centralized analysis (extension of IDES)
• NSM - network traffic monitoring for anomalous packets
• DIDS - combines host-based (Haystack) and network monitoring (NSM)
• CSM - peer-to-peer distributed analysis
Recent Research (continued)
• Bro - analyzes packet contents
• GrIDS - builds graphs of network activity and looks for anomalies
• STAT and NetSTAT - model attacks with a state machine; if the machine accepts the observed event sequence, the attack occurred
• EMERALD - framework for building an ID system with distributed collection and analysis, modular design (extended NIDES)
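The STAT-style idea of modeling an attack as a state machine, as an added example that is neither STAT's nor NetSTAT's code: a scenario is a set of states with guarded transitions driven by audit events, one instance per source host, and the scenario "accepts" only when the full sequence is observed. The scenario itself (repeated failed logins, then a successful login from the same host, then that session escalating to root), the event kinds, the threshold of three failures and the sample hosts are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed event kinds; a real deployment would map these from audit records.
@dataclass
class Event:
    kind: str   # "login_fail", "login_ok" or "setuid_root"
    src: str    # originating host (constructed sample values)
    user: str


@dataclass
class ScenarioInstance:
    """One in-progress match of the attack scenario, tracked per source host."""
    src: str
    state: str = "S0"
    fail_count: int = 0
    user: Optional[str] = None
    history: List[Event] = field(default_factory=list)  # events that fired a transition


ACCEPT = "S3"
FAIL_THRESHOLD = 3  # assumed tuning knob for the example


def step(inst: ScenarioInstance, ev: Event) -> str:
    """Transition function of the scenario's state machine.
       S0 (nothing seen)     -> S1 after FAIL_THRESHOLD failed logins from src
       S1 (brute-forcing)    -> S2 when a login from src succeeds
       S2 (account in use)   -> S3 = ACCEPT when that same account escalates to root
    Events that match no guard in the current state are ignored, which is what
    lets the machine sit quietly through ordinary traffic."""
    before = inst.state
    if inst.state == "S0" and ev.kind == "login_fail":
        inst.fail_count += 1
        if inst.fail_count >= FAIL_THRESHOLD:
            inst.state = "S1"
    elif inst.state == "S1" and ev.kind == "login_ok":
        inst.user = ev.user
        inst.state = "S2"
    elif inst.state == "S2" and ev.kind == "setuid_root" and ev.user == inst.user:
        inst.state = ACCEPT
    if inst.state != before or ev.kind == "login_fail" and inst.state == "S0":
        inst.history.append(ev)
    return inst.state


def run(events: List[Event]) -> Dict[str, ScenarioInstance]:
    """Feed the event stream through one scenario instance per source host."""
    instances: Dict[str, ScenarioInstance] = {}
    for ev in events:
        inst = instances.setdefault(ev.src, ScenarioInstance(src=ev.src))
        if inst.state != ACCEPT:
            step(inst, ev)
    return instances


def detect(events: List[Event]) -> List[ScenarioInstance]:
    """Instances whose machine accepted, i.e. the modeled attack occurred."""
    return [i for i in run(events).values() if i.state == ACCEPT]


def final_states(events: List[Event]) -> Dict[str, str]:
    return {src: inst.state for src, inst in run(events).items()}


# Constructed sample stream, interleaved across three hosts:
#   10.0.0.5 walks the whole scenario (accept);
#   10.0.0.9 is an admin with one typo'd password, then a legitimate root shell (never leaves S0);
#   10.0.0.7 only fails repeatedly (stops in S1).
SAMPLE_EVENTS = [
    Event("login_fail", "10.0.0.5", "root"),
    Event("login_fail", "10.0.0.9", "alice"),
    Event("login_fail", "10.0.0.7", "admin"),
    Event("login_fail", "10.0.0.5", "root"),
    Event("login_ok", "10.0.0.9", "alice"),
    Event("login_fail", "10.0.0.7", "admin"),
    Event("login_fail", "10.0.0.5", "bob"),
    Event("setuid_root", "10.0.0.9", "alice"),
    Event("login_fail", "10.0.0.7", "admin"),
    Event("login_ok", "10.0.0.5", "bob"),
    Event("setuid_root", "10.0.0.5", "bob"),
]

if __name__ == "__main__":
    for inst in detect(SAMPLE_EVENTS):
        print(f"attack scenario accepted for {inst.src}, account {inst.user}")
    print(final_states(SAMPLE_EVENTS))
```

The guard `ev.user == inst.user` on the last transition is what distinguishes this from a plain event counter: the escalation must belong to the account that was logged in after the failures, so the admin on 10.0.0.9 never matches even though the same three event kinds appear for that host.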
Additional IDS Projects
• Data-mining for ID - numerous projects mining host audit data and captured packets
• Autonomous Agents - independent agents monitor specific activities/resources and report to a hierarchy of analyzers
• Open source projects (e.g. SHADOW and Snort) - performance comparable to commercial and research systems
Major Problems
• High False-Alarm Rates - real-world tests show overwhelming numbers of false alarms, with little success in filtering them out
• Availability of Training Data - most anomaly-based ID systems need attack-free datasets. Currently, there is no clear way to create or certify realistic attack-free data
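As an added illustration of why the false-alarm problem is so severe (this derivation is not from the slides, and the numbers are assumed for the example): let $p$ be the fraction of audited events that are intrusions, $\mathrm{TPR}$ the detector's true-positive rate and $\mathrm{FPR}$ its false-positive rate. By Bayes' rule, the fraction of alarms that are real intrusions is

$$
\Pr[\text{intrusion} \mid \text{alarm}]
= \frac{p \cdot \mathrm{TPR}}{p \cdot \mathrm{TPR} + (1 - p) \cdot \mathrm{FPR}}.
$$

With the assumed values $p = 10^{-4}$ (one event in ten thousand is an intrusion), a perfect $\mathrm{TPR} = 1$ and a seemingly good $\mathrm{FPR} = 10^{-2}$,

$$
\Pr[\text{intrusion} \mid \text{alarm}]
= \frac{10^{-4}}{10^{-4} + 0.9999 \cdot 10^{-2}}
\approx 0.0099,
$$

so roughly 99 of every 100 alarms are false even though the detector misses nothing. Because intrusions are rare relative to normal events, the false-alarm rate, not the detection rate, bounds how useful the alarms are to an analyst, which is why filtering them is the hard part.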