Intrusion Detection Harry R. Erwin, PhD School of Computing and Technology University of Sunderland.

Intrusion Detection

Harry R. Erwin, PhD

School of Computing and Technology

University of Sunderland

Resources

• B. Schneier, 2000, Secrets and Lies, Wiley, ISBN: 0-471-25311-1—a good survey for managers.

• E. Amoroso, 1999, Intrusion Detection, Intrusion.net, ISBN: 0-9666700-7-8

• R. G. Bace, 2000, Intrusion Detection, Macmillan Technical Publishing, ISBN: 1-57870-185-6

Intrusion Detection Systems (IDS)

• These are network monitors—they watch your network looking for suspicious behavior
• Often but not always based on audit trails
• Provide reactive rather than proactive security
• Should alert on successful and ongoing attacks
• Need to be accurate both in detecting attacks and in determining that an attack is not underway
• May also provide diagnosis tools

The False Alarm Problem

• Base rate fallacy—suppose you have a test that is 99% accurate. Is this good? Not necessarily!
• Suppose the real attack rate is 1 × 10^-6 per message or packet. This test will generate 10,000 false positives for every real attack it detects.

• If network attacks are rare, a test has to be powerful to be useful.
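The arithmetic behind the slide's figures, as an added example (not from the lecture): it reads "99% accurate" as a 99% detection rate together with a 1% false-positive rate (an assumption, since the slide does not separate the two), applies the slide's attack rate of 10^-6 per packet, and also solves for the false-positive rate a detector would need before even half of its alerts were real.

```python
"""Base-rate arithmetic for IDS alerts (added example, not from the lecture).

Assumption: the slide's "99% accurate" is read as a 99% detection rate and a
1% false-positive rate; the attack rate of 1e-6 per packet is the slide's.
"""


def alert_statistics(prevalence, detection_rate, false_positive_rate, n_packets):
    """Expected alert counts over n_packets and the precision of an alert,
    i.e. the probability that a given alert corresponds to a real attack."""
    attacks = prevalence * n_packets
    benign = n_packets - attacks
    true_alerts = attacks * detection_rate          # attacks the IDS catches
    false_alerts = benign * false_positive_rate     # benign packets it flags
    precision = true_alerts / (true_alerts + false_alerts)
    return {
        "true_alerts": true_alerts,
        "false_alerts": false_alerts,
        "precision": precision,
        "false_per_true": false_alerts / true_alerts,
    }


def required_false_positive_rate(prevalence, detection_rate, target_precision):
    """False-positive rate at which the given fraction of alerts would be real.

    From precision = p*d / (p*d + (1-p)*f), solved for f."""
    p, d, t = prevalence, detection_rate, target_precision
    return p * d * (1 - t) / (t * (1 - p))


if __name__ == "__main__":
    stats = alert_statistics(1e-6, 0.99, 0.01, 10**9)
    print("over 1e9 packets: %.0f true alerts, %.0f false alerts" %
          (stats["true_alerts"], stats["false_alerts"]))
    print("false alerts per real detection: %.0f" % stats["false_per_true"])
    print("precision of an alert: %.2e" % stats["precision"])
    # To have half of all alerts be real, the false-positive rate must fall to
    # roughly the attack rate itself:
    print("FPR needed for 50%% precision: %.2e" %
          required_false_positive_rate(1e-6, 0.99, 0.5))
```

With the slide's numbers an alert is real about one time in ten thousand, and the false-positive rate would have to drop to about 10^-6, the attack rate itself, before alerts were right half the time. That is what "a test has to be powerful" means in practice.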

The Timely Notification Problem

• You may want to be warned in time to do something, but…

• What about slow attacks? When should the IDS become suspicious and tell you?

• What about ambiguous evidence? Do you want to be warned about borderline cases?

The Response Problem

• What do you do if you do hear an alarm? Consider the problem with giving out general warnings of terrorist activity.

• Options include:
– Wait
– Collect more information
– Do something
– Hope it goes away

• You may be too busy fighting alligators to do anything intelligent about draining the swamp.

Approaches to Building an IDS

• Misuse detection
– IDS knows what an attack looks like and looks for it.
– “Network virus scanner”
– Fast, easy to build, has a low false positive rate.
– Misses a lot and is easy to fool.
– Probably will get better over time.

Approaches to Building an IDS (II)

• Anomaly detection
– Learns a statistical or neural network model of the network to figure out what is normal
– Sounds an alarm for abnormal activity
– Uses AI:

• Bayesian statistics

• Neural networks

• Expert systems

Problems with Anomaly Detection

• Does the training data include an attack? Then hacking will be considered normal. 8(

• New things happen on networks all the time. Successful retraining of an existing AI system to handle this is a hard problem, worth a PhD. 8(

• How can it categorize attacks? That requires expert input. 8(

• False positives are much higher. 8(
• Attack indicators are brittle, so that hackers can sneak past them. 8(
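An added example, not code from the lecture, contrasting the two approaches on constructed web-server traffic: a signature list (misuse detection) and a per-minute request-count baseline with a mean-plus-three-standard-deviations threshold (anomaly detection). It also shows the first of the problems listed above: when the training window already contains the attacker's bursts, the baseline absorbs them and the later attack is not flagged. The traffic, the IP addresses (taken from the RFC 5737 documentation ranges), the signatures and the threshold are all assumptions.

```python
"""Misuse (signature) detection versus statistical anomaly detection on
constructed web-server traffic. Added example, not code from the lecture;
the traffic, signatures and thresholds are all assumptions."""
import re
import statistics
from collections import Counter

# Requests per minute in ordinary traffic, repeated; chosen so the baseline
# has a small but non-zero spread (mean 4.3, std-dev 0.9 over 20 minutes).
PATTERN = [3, 5, 4, 6, 4, 5, 3, 4, 5, 4]


def normal_traffic(first_minute, minutes):
    """Constructed benign events: (minute, source IP, request line)."""
    events = []
    for m in range(first_minute, first_minute + minutes):
        for i in range(PATTERN[m % len(PATTERN)]):
            events.append((m, "10.0.0.%d" % (2 + i), "GET /index.html"))
    return events


def novel_burst(minute, n=40):
    """Scripted bulk export by one host; matches no signature below."""
    return [(minute, "203.0.113.9", "GET /admin/export?id=%d" % i) for i in range(n)]


# Training window: minutes 0-19, clean.
TRAIN_CLEAN = normal_traffic(0, 20)
# The same window with the attacker already active in minutes 5-9, so the
# model of "normal" is learnt from data that contains an attack.
TRAIN_POISONED = TRAIN_CLEAN + [e for m in range(5, 10) for e in novel_burst(m)]

# Monitoring window: minutes 20-29 with three things mixed in.
TEST = (normal_traffic(20, 10)
        + [(20, "198.51.100.7", "GET /login?user=' OR 1=1--")]          # known SQLi
        + novel_burst(21)                                                # novel attack
        + [(25, "192.0.2.%d" % (i + 1), "GET /news.html") for i in range(12)])  # flash crowd

SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s+1=1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def misuse_detect(events):
    """Alert whenever a request matches a known attack pattern."""
    return [(m, src, name) for m, src, req in events
            for name, pat in SIGNATURES.items() if pat.search(req)]


def build_baseline(events):
    """Model 'normal' as mean and population std-dev of requests per minute."""
    per_minute = Counter(m for m, _, _ in events)
    counts = [per_minute[m] for m in range(min(per_minute), max(per_minute) + 1)]
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_detect(events, baseline, k=3.0):
    """Alert on any minute whose request count exceeds mean + k * std-dev;
    returns (minute, count, z-score) for each."""
    mean, sd = baseline
    per_minute = Counter(m for m, _, _ in events)
    return [(m, per_minute[m], (per_minute[m] - mean) / sd)
            for m in sorted(per_minute) if per_minute[m] > mean + k * sd]


if __name__ == "__main__":
    print("misuse:", misuse_detect(TEST))
    print("anomaly, clean baseline:", anomaly_detect(TEST, build_baseline(TRAIN_CLEAN)))
    print("anomaly, poisoned baseline:", anomaly_detect(TEST, build_baseline(TRAIN_POISONED)))
```

The signature detector finds the SQL injection and nothing else: the bulk export is novel, so it is missed. The clean baseline flags minute 21 (the attack) but also minute 25, a legitimate flash crowd, which is the higher false-positive rate of anomaly detection in miniature. The poisoned baseline flags nothing at all: five minutes of the attacker's traffic in the training data push the threshold above 60 requests per minute, and the real attack sails under it.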

More Problems with Anomaly Detection

• The dynamic update problem is unsolved.
– You can train these systems successfully to handle static environments, but computer networks are dynamic.
– If you try to retrain an existing system to deal with new events, it will usually forget its old training. You have to give it the old training data as well as the new.
– One approach that avoids keeping the old data is to feed the old system random inputs and train the new version on its outputs as well as on the new data.
– Good research area.

Possible Approaches to Anomaly Detection

• Bayesian statistics—like current spam filters. Relies on human training, and can adapt over time if the human controller continues to train it.

• Neural networks—probably will not be as successful as the human trainer is less hands-on. Has to deal with the ‘catastrophic forgetting problem’, either by retaining training data or regenerating it.

• Expert systems—a hybrid anomaly/misuse detection solution. Depends on how easily it can be trained. Multiple experts will differ.

• Statistical decision theory—only if the cues used by the experts can be successfully identified.
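To make the spam-filter comparison concrete, an added example (not from the lecture) of a Bernoulli naive-Bayes filter over the words in request lines, trained from labelled examples and then corrected by its operator. The request lines, labels and add-one smoothing are constructed assumptions. It also shows the failure mode that makes the human indispensable: with only a handful of attack examples the filter is suspicious of any request made of words it has never seen, so a new legitimate endpoint is flagged until the operator labels it.

```python
"""Naive-Bayes request classifier trained and corrected by an operator.
Added example, not from the lecture; the request lines, labels and the
add-one (Laplace) smoothing are constructed assumptions."""
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z0-9]+")


class BayesFilter:
    """Bernoulli naive Bayes over the set of words in a request line."""

    def __init__(self):
        self.words = {"normal": Counter(), "attack": Counter()}  # word -> lines containing it
        self.lines = Counter()                                     # label -> lines seen

    @staticmethod
    def features(line):
        return set(WORD.findall(line.lower()))

    def train(self, line, label):
        """Called by the human controller for every labelled example,
        including corrections of the filter's own mistakes."""
        self.lines[label] += 1
        self.words[label].update(self.features(line))

    def log_odds(self, line):
        """log P(attack | line) - log P(normal | line), with add-one smoothing
        so that a word never seen in a class still has non-zero probability."""
        na, nn = self.lines["attack"], self.lines["normal"]
        odds = math.log((na + 1) / (nn + 1))                      # class prior
        for w in self.features(line):
            p_attack = (self.words["attack"][w] + 1) / (na + 2)
            p_normal = (self.words["normal"][w] + 1) / (nn + 2)
            odds += math.log(p_attack / p_normal)
        return odds

    def classify(self, line):
        return "attack" if self.log_odds(line) > 0 else "normal"


# Constructed training set: what the operator labelled during the first week.
NORMAL = ["GET /index.html", "GET /images/logo.png", "GET /news.html",
          "POST /login user=alice", "GET /search?q=prices", "GET /about.html"]
ATTACK = ["GET /login?user=' OR 1=1--", "GET /../../etc/passwd",
          "GET /search?q=' UNION SELECT password FROM users--"]


def trained_filter():
    f = BayesFilter()
    for line in NORMAL:
        f.train(line, "normal")
    for line in ATTACK:
        f.train(line, "attack")
    return f


if __name__ == "__main__":
    f = trained_filter()
    for line in ["GET /search?q=' OR 1=1--", "GET /news.html", "GET /admin/export?id=7"]:
        print("%-32s %s (log-odds %.2f)" % (line, f.classify(line), f.log_odds(line)))
    # The new, legitimate export endpoint is flagged because none of its words
    # has been seen before. One correction from the operator is enough:
    f.train("GET /admin/export?id=7", "normal")
    print("after correction:", f.classify("GET /admin/export?id=7"))
```

The injection variant is caught even though the exact line was never trained on, because "or" and "1" occur only in attack examples. The price is that "admin", "export" and "id" are equally unknown, and an unknown word tilts slightly towards the smaller class; the filter only stops complaining about the new endpoint once the operator tells it so, and it keeps that correction without forgetting the attacks it already knew.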

Inline versus Audit-Based IDS

• Should the IDS detect attacks in real time using a sniffer, or process audit logs?
– Inline will have incomplete data.
– Inline is also computationally expensive.
– Audit log processing is after the fact.
– Audit log formats vary quite a bit.
– A combined approach is feasible, but costly.

Audit Log Architecture

(Figure, after Amoroso: the system being monitored writes an audit trail; the IDS reads the audit log data, together with cues and profiles, and produces alerts and reports.)

Inline Architecture

(Figure, after Amoroso: the IDS takes sniffer data directly from the system being monitored, together with cues and profiles, and produces alerts and reports.)

Host-Based versus Network-Based IDS

• Network-based IDS is basically wire-tapping using a sniffer:
– Stealthy
– Operating-system independent
• Host-based IDS uses audit logs
– From workstations, servers, switches, routers, etc.
– Product-specific.

Make or Buy

• Do your own monitoring or pay someone else? E.g.,
– Counterpane in America
– Qinetiq in the UK

• Trust issues particularly important here.

• Inhouse expertise requirement.

Honey Pots and Burglar Alarms

• Burglar alarms are resources on the network that generate an alarm if accessed incorrectly.
• Honey pots are burglar alarms dressed up to look attractive. May incorporate subnetworks and dummy computers.
– Costly
– Have to look real to the attackers
– Legality important. Entrapment may be an issue, so intruders must be warned.
• Read http://csrc.nist.gov/publications/secpubs/berferd.ps
• See also http://www.strategypage.com/fyeo/howtomakewar/default.asp?target=HTIW.HTM
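A minimal network burglar alarm of the kind described above, as an added example that is not from the lecture: a TCP listener on a port that no legitimate client has any reason to contact, so that every connection is an alert rather than a log line to be sifted, and the first thing a visitor sees is a warning banner (the slide's point about warning intruders). Host, port, banner text and the record format are assumptions; it binds to loopback so it can be tried on one machine.

```python
"""A network 'burglar alarm': a listener nobody legitimate should contact.
Added example, not from the lecture; host, port, banner and record format
are assumptions. Binds to loopback so it can be tried on one machine."""
import socket
import threading
import time

BANNER = (b"WARNING: this is a monitored decoy service. Unauthorised access is "
          b"prohibited and all activity is recorded.\r\n")


class BurglarAlarm:
    """Accepts every connection, shows the warning banner, and records who
    came and what they sent. There are no legitimate users, so every record
    is an alert."""

    def __init__(self, host="127.0.0.1", port=0):      # port 0: let the OS choose
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)                      # lets the loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.alerts = []
        self._lock = threading.Lock()
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while self._running:
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(BANNER)              # the legal warning first
                    first = conn.recv(256)            # keep whatever was sent
                except OSError:
                    first = b""
            with self._lock:
                self.alerts.append({"time": time.time(), "src": addr[0],
                                    "sport": addr[1], "data": first})

    def wait_for(self, n, timeout=2.0):
        """Block until n alerts have been recorded (or timeout); return a copy."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.alerts) >= n:
                    return list(self.alerts)
            time.sleep(0.02)
        with self._lock:
            return list(self.alerts)

    def stop(self):
        self._running = False
        self._thread.join()
        self.sock.close()


def probe(port, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Play the intruder: connect, read the banner, send a request."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner


if __name__ == "__main__":
    alarm = BurglarAlarm()
    print("decoy listening on port", alarm.port)
    print("intruder saw:", probe(alarm.port).decode().strip())
    for a in alarm.wait_for(1):
        print("ALERT: connection from %s:%d sent %r" % (a["src"], a["sport"], a["data"]))
    alarm.stop()
```

The same listener becomes a honey pot only when it is dressed up to look like something worth attacking, which is where the cost and the "has to look real" problem come in; as a bare burglar alarm its value is that it has no base-rate problem at all, because there is no legitimate traffic for an attack to hide among.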

Incident Handling Issues

• Be prepared

• Have procedures

• Don’t panic

• Call in the police?

• Expectation management

• Damage control

• Dealing with witch hunts

IDS Requirements

• Must be:
– Effective
– Easy to use
– Adaptable
– Robust
– Fast
– Efficient
– Safe

Future IDS Needs

• Should be:
– Accommodating
– Security enhancing
– Scalable
– Realistic
– Hardened

Conclusions

• Intrusion Detection Systems are useful, but not a panacea.

• In particular, they cannot substitute for good security practices.

• They tell you if you have had a problem, but that can be too late.