Intrusion Detection Systems: A Survey and Taxonomy A presentation by Emily Fetchko.
About the paper
• By Stefan Axelsson of Chalmers University of Technology, Sweden
• From 2000
• Cited by 92 (Google Scholar)
• Featured on InfoSysSec
• Used in Network Security (691N)
• Follow-up to the 1999 IBM paper “Towards a Taxonomy of Intrusion Detection Systems”
Outline
• New and Significant
• What is a taxonomy?
• Introduction to IDS
• Introduction to classification
• Taxonomy by Intrusion Detection Principle
• Example systems
• Taxonomy by System Characteristics
• Trends in Research and Conclusion
New and Significant
• First taxonomy paper
• Predicts research areas for intrusion detection
• Follow-up to a 93-page survey report of research and to the IBM paper
What is a taxonomy?
• “either a hierarchical classification of things, or the principles underlying the classification” (Wikipedia)
• Serves three purposes
– Description
– Prediction
– Explanation
Intrusion Detection Systems
• Compare them to burglar alarms
• Alarm/siren component
– Something that alerts
• Security officer/response team component
– Something to respond/correct
• Different from perimeter defense systems (such as a firewall)
Types of intrusions
• Masquerader
– Steals identity of a user
• Legitimate users who abuse the system
• Exploits
– Trojan horse, backdoor, etc.
• And more
Two major types of detection
• Anomaly detection
– “abnormal behavior”
– May not be undesirable behavior
– High false positive rate
• Signature detection
– Close to previously-defined bad behavior
– Has to be constantly updated
– Slow to catch new malicious behavior
Approaches to classification
• Type of intrusion detected
• Type of data gathered
• Rules to detect intrusion
Taxonomy by Intrusion Detection Principles
• “self-learning”
– Trains on “normal” behavior
• “programmed”
– User must know the difference between normal & abnormal
• “signature inspired”
– Combination of anomaly and signature methods
Anomaly detection
• Time series vs. non-time series
• Rule modeling
– Create rules describing “normal behavior”
– Raise alarm if activity does not match the rules
• Descriptive statistics
– Compute a distance vector between current system statistics and “normal” stats
• ANN – Artificial Neural Network
– Black box modeling approach
Anomaly detection, continued
• Descriptive Statistics
– Collect statistics about parameters such as #logins, #connections, etc.
– Simple statistics – abstract
– Rule-based – threshold
• Default Deny
– Define safe states
– All other states are “deny” states
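The descriptive-statistics approach from the two anomaly-detection slides above, as an added worked example (my own code, not from Axelsson's paper or from the slides): a profile of means and standard deviations is learned from a constructed week of “normal” per-user counts, each new observation is turned into a vector of standardised distances from that profile, and a single threshold on the vector's length decides whether to alarm. The feature names, the counts and the thresholds are all assumptions chosen for illustration.

```python
"""Descriptive-statistics anomaly detector: added illustration, not code from
Axelsson's paper or from the slides. Feature names, counts and thresholds are
assumptions chosen for the example."""
import math
from statistics import mean, pstdev

FEATURES = ("logins", "connections", "failed_logins")

# Constructed training data: one user's daily (logins, connections, failed_logins)
# counts during a week regarded as normal.
NORMAL_WEEK = [
    (12, 40, 1), (10, 35, 0), (14, 44, 2), (11, 38, 1),
    (13, 42, 1), (9, 30, 0), (12, 41, 1),
]

# Constructed labelled observations for evaluation: (counts, is_intrusion).
LABELLED = [
    ((12, 39, 1), False),     # ordinary day
    ((13, 43, 2), False),     # ordinary day
    ((11, 37, 0), False),     # ordinary day
    ((16, 50, 3), False),     # busy but legitimate day
    ((40, 300, 25), True),    # bulk activity far outside the profile
    ((12, 41, 15), True),     # normal volume but many failed logins
]


def train_profile(samples):
    """Self-learning step: per-feature mean and standard deviation of 'normal' data."""
    profile = {}
    for name, column in zip(FEATURES, zip(*samples)):
        spread = pstdev(column)
        # A constant feature would give a zero spread; fall back to 1 to avoid dividing by zero.
        profile[name] = (mean(column), spread if spread > 0 else 1.0)
    return profile


def distance_vector(profile, observation):
    """Standardised distance (z-score) of each current statistic from the profile."""
    return {name: (value - profile[name][0]) / profile[name][1]
            for name, value in zip(FEATURES, observation)}


def anomaly_score(profile, observation):
    """Collapse the distance vector to a single score: its Euclidean norm."""
    return math.sqrt(sum(z * z for z in distance_vector(profile, observation).values()))


def is_anomalous(profile, observation, threshold=3.0):
    """Alarm when the score exceeds the threshold (the detector's one tunable)."""
    return anomaly_score(profile, observation) > threshold


def evaluate(profile, labelled, threshold):
    """Count true/false positives and negatives at a given threshold."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for observation, is_intrusion in labelled:
        flagged = is_anomalous(profile, observation, threshold)
        if flagged and is_intrusion:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1
        elif is_intrusion:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


if __name__ == "__main__":
    profile = train_profile(NORMAL_WEEK)
    for observation, _ in LABELLED:
        print(observation, round(anomaly_score(profile, observation), 2),
              "ALARM" if is_anomalous(profile, observation) else "ok")
    for threshold in (3.0, 6.0):
        print("threshold", threshold, evaluate(profile, LABELLED, threshold))
```

The busy-but-legitimate day (16 logins, 50 connections, 3 failures) scores about 5.1 and trips the default threshold of 3.0: that is the false positive the anomaly-detection slide warns about. Raising the threshold to 6.0 clears it on this constructed data, but the same move would also hide any intrusion that stays closer to the profile, which is the trade-off a self-learning detector's operator is always tuning.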
Signature Detection
• State-modeling
– If the system is in this state (or followed a series of states) then an intrusion has occurred
– Petri-net – states form a Petri net, a type of directed bipartite graph (place vs. transition nodes)
Signature Detection, continued
• Expert system
– Reasoning based on rules
– Forward-chaining most popular
• String-matching
– Look for text transmitted
• Simple rule-based
– Less advanced but faster than an expert system
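String-matching, simple rule-based detection and state-modeling from the two signature-detection slides, as an added example written for this page (not code from Axelsson's paper, from the slides, or from any of the systems named later): regular-expression signatures are matched line by line against a constructed audit log, and a small state model tracks consecutive failed logins per (user, source) pair so that a success following several failures moves the pair into the alert state. The log format, the signatures and the failure count are assumptions.

```python
"""Signature and state-model detection over an audit log: added example, not
code from Axelsson's paper, the slides, or any system named on them. The log
format, signatures and failure threshold are assumptions for illustration."""
import re

# Constructed audit lines (hosts, users and addresses invented for this example).
SAMPLE_LOG = [
    "10:00:01 host1 sshd: Failed password for admin from 198.51.100.7",
    "10:00:03 host1 sshd: Failed password for admin from 198.51.100.7",
    "10:00:05 host1 sshd: Failed password for admin from 198.51.100.7",
    "10:00:08 host1 sshd: Accepted password for admin from 198.51.100.7",
    "10:01:00 host1 httpd: GET /index.html 200",
    "10:01:02 host1 httpd: GET /cgi-bin/../../etc/passwd 404",
    "10:02:00 host1 sshd: Accepted password for alice from 192.0.2.10",
]

# String-matching signatures: each is a name and a pattern that must occur in the line.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "passwd-file-access": re.compile(r"/etc/passwd"),
}

SSHD_EVENT = re.compile(r"sshd: (Failed|Accepted) password for (\S+) from (\S+)")


def match_signatures(line):
    """Simple rule-based detection: return the names of all signatures found in the line."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(line)]


class BruteForceStateModel:
    """State model: each (user, source) pair sits in state 'n consecutive failures';
    an accepted login while n >= failures_before_alert is the intrusion state."""

    def __init__(self, failures_before_alert=3):
        self.failures_before_alert = failures_before_alert
        self.failures = {}  # (user, source) -> consecutive failed logins

    def feed(self, line):
        match = SSHD_EVENT.search(line)
        if not match:
            return None  # not an event this model tracks
        outcome, user, source = match.groups()
        key = (user, source)
        if outcome == "Failed":
            self.failures[key] = self.failures.get(key, 0) + 1
            return None
        # Accepted login: read and reset the pair's state, alarm if enough failures preceded it.
        preceding = self.failures.pop(key, 0)
        if preceding >= self.failures_before_alert:
            return f"login for {user} from {source} after {preceding} failures"
        return None


def scan(lines, failures_before_alert=3):
    """Run both detectors over the log; return (line_no, alert) pairs in log order."""
    model = BruteForceStateModel(failures_before_alert)
    alerts = []
    for number, line in enumerate(lines, 1):
        for name in match_signatures(line):
            alerts.append((number, "signature:" + name))
        state_alert = model.feed(line)
        if state_alert:
            alerts.append((number, "state:" + state_alert))
    return alerts


if __name__ == "__main__":
    for number, alert in scan(SAMPLE_LOG):
        print(f"line {number}: {alert}")
```

Line 4 raises the state alert (three failures, then success, from one source) and line 6 matches both string signatures; alice's clean login on line 7 raises nothing because her pair never left the zero-failure state. Anything that matches no signature and follows no modelled sequence is silently passed, which is the false-negative side the slides describe: the signature set has to be updated continually and is slow to catch behaviour nobody has written a rule for yet.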
Signature Inspired Detection
• Only one system in the taxonomy (Signature Inspired and Self Learning)
• Automatic feature selection
– Automatically determines which features are interesting
– Isolate them and use them to decide whether an intrusion occurred or not
Classification by Type of Intrusion
• Well-known intrusions
– Correspond to signature detection systems
• Generalized intrusions
– Like a well-known intrusion, but with some parameters left blank
– Correspond to signature-inspired detectors
• Unknown intrusions
– Correspond to anomaly detectors
Effectiveness of Detection
• Two categories marked as least effective
• Anomaly – Self Learning – Non-time series
– Weak in collecting statistics on normal behavior
– Will create many false positives
• Anomaly – Programmed – Descriptive Statistics
– If attacker knows the stats used, can avoid them
– Leads to false negatives
Taxonomy by System Characteristics
• Define system beyond the detection principle
• Time of detection
– Real time or non-real time
• Granularity of data processing
– Continuous or batch
• Source of audit data
– Network or host
System Characteristics, continued
• Response to detected intrusions
– Active or passive
– Modify attacked or attacking system
• Locus of data processing
– Centralized or distributed
• Locus of data collection
• Security (ability to defend against direct attack)
• Degree of interoperability
– Work with other systems
– Accept other forms of data
Example Systems
• Haystack, 1988
– Air Force
– Anomaly detection based on per-user profile and user group profile
– Signature-based detection
• MIDAS, 1988
– National Computer Security Center and Computer Science Laboratory, SRI International
– Heuristic intrusion detection
– Expert system with two-tiered rule base
Example Systems, continued
• IDES – Intrusion Detection Expert System, 1988-1992
– Multiple authors, long-term effort
– Real-time expert system with statistics
– Compare current profile with known profile
– Distinction between “on” and “off” days
– NIDES = next-generation IDES
• NSM – Network Security Monitor
– Monitors broadcast traffic
– Layered approach – connection & lower layers
– Profile by protocol (telnet, etc.)
Example Systems, continued
• DIDS – Distributed IDS, 1992
– Incorporates Haystack and NSM
– Three components: host monitor, LAN monitor, DIDS director
– DIDS director contains expert system
• Bro, 1998
– Network-based (with traffic analysis)
– Custom scripting language
– Prewritten policy scripts
– Signature matching
– Action after detection
– Snort compatibility
System Characteristics, continued (two table slides; their contents are not captured in this transcript)
Trends in Research
• Active response
– Legal ramifications, however
• Distributed detection
– Corresponds with distributed computing in general
• Increased security
• Increased interoperability
Opportunities for Further Research
• Taxonomies by other classifications
• Signature – self-learning detectors
• Two-tiered detectors
• False positive rates for anomaly detectors
• Active response detectors
• Distributed detectors
• High security detectors
Bibliography
• Stefan Axelsson. “Intrusion Detection Systems: A Survey and Taxonomy”. Chalmers University of Technology, Sweden, 2000.
• Debar, Dacier and Wespi. “Towards a taxonomy of intrusion-detection systems”. Computer Networks, pp. 805-822, 1999.
• Bro Intrusion Detection System, www.bro-ids.org
• Google Scholar, http://scholar.google.com