Intrusion Detection Systems: A Survey and Taxonomy
A presentation by Emily Fetchko

Transcript of the 27 slides.

Page 1

Intrusion Detection Systems: A Survey and Taxonomy
A presentation by Emily Fetchko

Page 2

About the paper

• By Stefan Axelsson of Chalmers University of Technology, Sweden
• From 2000
• Cited by 92 (Google Scholar)
• Featured on InfoSysSec
• Used in Network Security (691N)
• Followup to the 1999 IBM paper “Towards a Taxonomy of Intrusion Detection Systems”

Page 3

Outline

• New and Significant
• What is a taxonomy?
• Introduction to IDS
• Introduction to classification
• Taxonomy by Intrusion Detection Principle
• Example systems
• Taxonomy by System Characteristics
• Trends in Research and Conclusion

Page 4

New and Significant

• First taxonomy paper
• Predicts research areas for Intrusion Detection
• Followup to a 93-page survey report of the research and to the IBM paper

Page 5

What is a taxonomy?

• “either a hierarchical classification of things, or the principles underlying the classification” (Wikipedia)
• Serves three purposes
  – Description
  – Prediction
  – Explanation

Page 6

Intrusion Detection Systems

• Compare them to burglar alarms
• Alarm/siren component
  – Something that alerts
• Security officer/response team component
  – Something to respond/correct
• Different from perimeter defense systems (such as a firewall)

Page 7

Types of intrusions

• Masquerader
  – Steals the identity of a legitimate user
• Misfeasor
  – Legitimate user who abuses the system
• Exploits
  – Trojan horse, backdoor, etc.
• And more

Page 8

Two major types of detection

• Anomaly detection
  – Flags “abnormal” behavior
  – Abnormal is not necessarily undesirable behavior
  – High false positive rate
• Signature detection
  – Matches activity that is close to previously-defined bad behavior
  – The signature base has to be constantly updated
  – Slow to catch new malicious behavior

Page 9

Approaches to classification

• Type of intrusion detected
• Type of data gathered
• Rules used to detect an intrusion

Page 10

Taxonomy by Intrusion Detection Principles

• “self-learning”
  – Trains on “normal” behavior
• “programmed”
  – User must know the difference between normal & abnormal and encode it
• “signature inspired”
  – Combination of anomaly and signature methods

Page 11

Anomaly detection (self-learning branch)

• Time series vs. non time series
• Rule modeling
  – Create rules describing “normal behavior”
  – Raise an alarm if activity does not match the rules
• Descriptive statistics
  – Compute a distance vector between the current system statistics and the “normal” stats
• ANN – Artificial Neural Network
  – Black box modeling approach

Page 12

Anomaly detection, continued (programmed branch)

• Descriptive Statistics
  – Collect statistics about parameters such as #logins, #connections, etc.
  – Simple statistics (abstract)
  – Simple rule-based
  – Threshold
• Default Deny
  – Define safe states
  – All other states are “deny” states

Page 13

Signature Detection

• State-modeling
  – If the system is in this state (or has followed a series of states) then an intrusion has occurred
  – Petri-net – states form a Petri net, a type of directed bipartite graph (place vs. transition nodes)

Page 14

Signature Detection, continued

• Expert system
  – Reasoning based on rules
  – Forward-chaining most popular
• String-matching
  – Look for known text in transmitted data
• Simple rule-based
  – Less advanced but faster than an expert system
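The three programmed signature mechanisms of slides 13 and 14 (state modeling, string matching, simple rule-based), as an added example that is not code from the paper or from the slides. The event fields, the two signature lists, the state-transition signature (an assumed sequence: three failed logins, a success, then a root shell from the same host and account within 60 seconds) and the sample event stream are all constructed for this example.

```python
"""Added example, not code from the paper or the slides: the three
programmed signature detectors of slides 13-14 run over one constructed
event stream.

  string matching  - look for a known byte pattern in transmitted payload
  simple rule      - a predicate over the fields of a single event
  state modelling  - a state-transition signature that only fires after a
                     particular sequence of events for the same key

Event fields, signature contents and the sample log are all made up here.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Event:
    ts: int          # seconds
    src: str         # source host
    user: str        # account involved
    kind: str        # "login_fail", "login_ok", "cmd" or "payload"
    data: str = ""   # command line or transmitted bytes


# --- 1. string matching: known-bad text in transmitted data ----------------
BAD_STRINGS = [b"/etc/passwd", b"/bin/sh"]      # assumed signature list


def string_match(ev: Event) -> list[str]:
    if ev.kind != "payload":
        return []
    raw = ev.data.encode()
    return [f"string:{s.decode()}" for s in BAD_STRINGS if s in raw]


# --- 2. simple rule-based: one predicate per rule, no reasoning chain ------
RULES: dict[str, Callable[[Event], bool]] = {
    "rule:root-shell": lambda e: e.kind == "cmd" and e.data.strip() in ("su", "su -", "sudo -i"),
}


def simple_rules(ev: Event) -> list[str]:
    return [name for name, pred in RULES.items() if pred(ev)]


# --- 3. state modelling: a signature is an ordered list of transitions -----
@dataclass
class StateSignature:
    name: str
    key: Callable[[Event], str]            # which events share one state machine
    steps: list[Callable[[Event], bool]]   # transition predicates, in order
    window: int                            # seconds allowed from first to last step


class StateMachineDetector:
    """Tracks (signature, key) -> (next step index, time of first step).

    Events matching no transition leave the machine where it is; a sequence
    that takes longer than the window is reset to the start.
    """

    def __init__(self, signatures: list[StateSignature]):
        self.signatures = signatures
        self.state: dict[tuple[str, str], tuple[int, int]] = {}

    def feed(self, ev: Event) -> list[str]:
        alarms = []
        for sig in self.signatures:
            k = (sig.name, sig.key(ev))
            idx, t0 = self.state.get(k, (0, ev.ts))
            if ev.ts - t0 > sig.window:           # too slow: start over
                idx, t0 = 0, ev.ts
            if sig.steps[idx](ev):
                idx += 1
                if idx == len(sig.steps):         # final state reached
                    alarms.append(f"state:{sig.name}")
                    self.state.pop(k, None)
                    continue
            if idx:
                self.state[k] = (idx, t0)
            else:
                self.state.pop(k, None)
        return alarms


def _fail(e: Event) -> bool:
    return e.kind == "login_fail"


BRUTE_THEN_ROOT = StateSignature(            # assumed signature for the example
    name="brute-then-root",
    key=lambda e: f"{e.src}/{e.user}",
    steps=[_fail, _fail, _fail,
           lambda e: e.kind == "login_ok",
           lambda e: e.kind == "cmd" and e.data.startswith("su")],
    window=60,
)

# Constructed sample stream: three guesses, a success and a root shell from
# one host, then an ordinary session carrying a known-bad string.
SAMPLE = [
    Event(1, "10.0.0.5", "alice", "login_fail"),
    Event(2, "10.0.0.5", "alice", "login_fail"),
    Event(3, "10.0.0.5", "alice", "login_fail"),
    Event(4, "10.0.0.5", "alice", "login_ok"),
    Event(5, "10.0.0.5", "alice", "cmd", "su -"),
    Event(6, "10.0.0.9", "bob", "login_ok"),
    Event(7, "10.0.0.9", "bob", "cmd", "ls -la"),
    Event(8, "10.0.0.9", "bob", "payload", "GET /../../etc/passwd HTTP/1.0"),
]


def run(events: list[Event]) -> list[tuple[int, str]]:
    """Apply all three detectors in order; returns (timestamp, alarm) pairs."""
    machine = StateMachineDetector([BRUTE_THEN_ROOT])
    alarms = []
    for ev in events:
        for hit in string_match(ev) + simple_rules(ev) + machine.feed(ev):
            alarms.append((ev.ts, hit))
    return alarms


if __name__ == "__main__":
    for ts, alarm in run(SAMPLE):
        print(f"t={ts:<3} {alarm}")
```

On the sample stream the simple rule and the state-transition signature both fire on the `su -` at t=5 and the string match fires on the payload at t=8. The difference between the two is the point of state modeling: the rule flags every `su -` from every user, while the state signature fires only when the shell follows the guessing sequence within its window, so the same five events spread over ten minutes produce the rule alarm alone. The string matcher also shows slide 8's caveat: a percent-encoded `/etc/%70asswd` in the request is not the byte string in the list, so each variant needs a new signature.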

Page 15

Signature Inspired Detection

• Only one system in the taxonomy falls in this category (Signature Inspired and Self Learning)
• Automatic feature selection
  – Automatically determines which features are interesting
  – Isolates them and uses them to decide whether an intrusion has occurred or not

Page 16

Classification by Type of Intrusion

• Well-known intrusions
  – Correspond to signature detection systems
• Generalized intrusions
  – Like a well-known intrusion, but with some parameters left blank
  – Correspond to signature-inspired detectors
• Unknown intrusions
  – Correspond to anomaly detectors

Page 17

Effectiveness of Detection

• Two categories marked as least effective
• Anomaly – Self Learning – Non-time series
  – Weak in collecting statistics on normal behavior
  – Will create many false positives
• Anomaly – Programmed – Descriptive Statistics
  – If the attacker knows which statistics are used, the attack can be kept within them
  – Leads to false negatives
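A descriptive-statistics anomaly detector of the kind described on slides 11 and 12 (a learned per-user profile, a distance vector against it, a threshold), run through the two failure modes this slide lists. This is an added example, not code from the paper or from the slides; the user, the three counters, the training values, the three test observations and the threshold are all constructed for it.

```python
"""Added example, not code from the paper or the slides: a self-learning,
non-time-series anomaly detector of the "descriptive statistics" type from
slides 11-12, used to reproduce the two weaknesses listed on slide 17.

A per-user profile (mean and standard deviation of a few counters) is
learned from observations taken in a "normal" period; a new observation is
scored by its distance from that profile, measured in standard deviations,
and an alarm is raised above a threshold.  User name, counters, sample
values and threshold are all constructed for this example.
"""
from math import sqrt
from statistics import mean, pstdev

FEATURES = ("logins", "connections", "bytes_out")   # per-hour counters

# Constructed training window for one user: five "normal" hours.
ALICE_TRAIN = [
    {"logins": 2, "connections": 20, "bytes_out": 5000},
    {"logins": 3, "connections": 22, "bytes_out": 5200},
    {"logins": 2, "connections": 18, "bytes_out": 4800},
    {"logins": 1, "connections": 21, "bytes_out": 5100},
    {"logins": 2, "connections": 19, "bytes_out": 4900},
]

# Constructed observations to score against the learned profile.
CASES = {
    # an intruder using alice's account, far outside every counter
    "masquerader":  {"logins": 9, "connections": 60, "bytes_out": 120000},
    # alice's legitimate month-end export: abnormal but not undesirable
    "batch_job":    {"logins": 2, "connections": 21, "bytes_out": 9000},
    # an attacker who knows which counters are profiled and stays inside them
    "low_and_slow": {"logins": 3, "connections": 22, "bytes_out": 5300},
}


def train_profile(samples):
    """Self-learning step: (mean, stddev) per feature from normal samples.

    Five samples is a tiny window; a short or unrepresentative training
    period is what slide 17 calls "weak in collecting statistics".
    """
    profile = {}
    for f in FEATURES:
        xs = [s[f] for s in samples]
        profile[f] = (mean(xs), pstdev(xs) or 1.0)   # guard a constant feature
    return profile


def distance(profile, obs):
    """Length of the vector of per-feature z-scores (slide 11's distance vector)."""
    return sqrt(sum(((obs[f] - m) / sd) ** 2 for f, (m, sd) in profile.items()))


def classify(profile, obs, threshold):
    d = distance(profile, obs)
    return ("ALARM" if d > threshold else "ok", round(d, 2))


def evaluate(threshold=5.0):
    """Verdict for each constructed case at the given threshold."""
    profile = train_profile(ALICE_TRAIN)
    return {name: classify(profile, obs, threshold)[0] for name, obs in CASES.items()}


if __name__ == "__main__":
    profile = train_profile(ALICE_TRAIN)
    for name, obs in CASES.items():
        verdict, d = classify(profile, obs, 5.0)
        print(f"{name:<13} distance={d:>8}  {verdict}")
```

At a threshold of 5 standard deviations the masquerader is caught, the legitimate batch job is also raised as an alarm (the false positive of slides 8 and 17), and the attacker who keeps every counter within about two standard deviations of the profile scores a distance of 3.0 and passes as normal (the false negative). No single threshold separates the three: lowering it to 2.5 catches the low-and-slow case but keeps the batch-job alarm, and raising it enough to clear the batch job still leaves the evasion undetected.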

Page 18

Taxonomy by System Characteristics

• Defines the system beyond its detection principle
• Time of detection
  – Real time or non real time
• Granularity of data processing
  – Continuous or batch
• Source of audit data
  – Network or host

Page 19

System Characteristics, continued

• Response to detected intrusions
  – Active or passive
  – An active response may modify the attacked or the attacking system
• Locus of data processing
  – Centralized or distributed
• Locus of data collection
  – Centralized or distributed
• Security (ability to defend against direct attack)
• Degree of interoperability
  – Work with other systems
  – Accept other forms of data

Page 20

Example Systems

• Haystack, 1988
  – Air Force
  – Anomaly detection based on a per-user profile and a user-group profile
  – Signature-based detection
• MIDAS, 1988
  – National Computer Security Center and Computer Science Laboratory, SRI International
  – Heuristic intrusion detection
  – Expert system with a two-tiered rule base

Page 21

Example Systems, continued

• IDES – Intrusion Detection Expert System, 1988–1992
  – Multiple authors, long-term effort
  – Real-time expert system with statistics
  – Compares the current profile with the known profile
  – Distinguishes between “on” and “off” days
  – NIDES = next-generation IDES
• NSM – Network Security Monitor
  – Monitors broadcast traffic
  – Layered approach – connection & lower layers
  – Profile by protocol (telnet, etc.)

Page 22

Example Systems, continued

• DIDS – Distributed IDS, 1992
  – Incorporates Haystack and NSM
  – Three components: Host monitor, LAN monitor, DIDS director
  – DIDS director contains the expert system
• Bro, 1998
  – Network-based (with traffic analysis)
  – Custom scripting language
  – Prewritten policy scripts
  – Signature matching
  – Action after detection
  – Snort compatibility

Page 23

System Characteristics, continued

Page 24

System Characteristics, continued

Page 25

Trends in Research

• Active response
  – Legal ramifications, however
• Distributed detection
  – Corresponds with distributed computing in general
• Increased security
• Increased interoperability

Page 26

Opportunities for Further Research

• Taxonomies by other classifications
• Signature – self-learning detectors
• Two-tiered detectors
• False positive rates for anomaly detectors
• Active response detectors
• Distributed detectors
• High security detectors

Page 27

Bibliography

• Stefan Axelsson. “Intrusion Detection Systems: A Survey and Taxonomy”. Chalmers University of Technology, Sweden, 2000.
• Hervé Debar, Marc Dacier and Andreas Wespi. “Towards a taxonomy of intrusion-detection systems”. Computer Networks 31, pp. 805–822, 1999.
• Bro Intrusion Detection System, http://www.bro-ids.org
• Google Scholar, http://scholar.google.com