
A Survey of Intrusion Detection Techniques


Presentation Transcript


  1. A Survey of Intrusion Detection Techniques Teresa F. Lunt

  2. Discussion Layout • Introduction • What is Intrusion Detection? • How does Intrusion Detection work? • Different approaches to Intrusion Detection • Where and when should Intrusion Detection be implemented • Privacy issues • The future of Intrusion Detection • Conclusion

  3. What is Intrusion Detection? • Intrusion Detection should detect: • External penetrators • Persons not authorized to use the computer at all • Internal penetrators • Persons authorized to use the computer, but accessing a program, data, or resource they are not authorized for • Masqueraders: users operating under a false identity, e.g., with a stolen password • Clandestine users: users who evade auditing, e.g., by operating below the level at which auditing takes place • Misfeasors • Authorized users who abuse their privileges

  4. What is Intrusion Detection? • Detect external penetrators by keeping track of failed login attempts • Detect masqueraders by establishing “normal” behavior for each user and flagging sessions in which the user strays from it • Clandestine users are difficult to detect because they may have privileges that let them operate outside of the monitored areas of the system • A partial solution is to monitor certain system-wide parameters (e.g., overall resource use) that such activity still affects • Authorized users who abuse their privileges (misfeasors) are the hardest to detect, since each individual action is within their rights

  5. How does Intrusion Detection work? • Access controls • Not a complete defense against insider attack or outside penetration • No protection from privilege abuse • Auditing • Audit trails collect information on use of the computer and on normal user activity • Audit data must be interpreted correctly, and the collected information must be relevant • The rest of this talk will focus on tools developed to interpret audited information

  6. Auditing • Audit data interpretation for security purposes can be: • In-depth offline: after-the-fact analysis of audit data • Real-time: immediate testing of audit data, allowing a timely response • Damage assessment • This talk will focus on the first two types of audit interpretation

  7. Approaches to interpreting audit data for security analysis • Determining user norms • Using expert systems • Model-based reasoning • The IDES resolver • Other approaches

  8. User norms-IDES • IDES (Intrusion Detection Expert System)-used for auditing and interpreting data • This was developed by SRI • Flags departures from established user “norms” in order to detect system penetration • Maintains a dynamic user profile that determines regular use

  9. User norms-IDES • How the audit information in the IDES can be stored: • Ordinal measure • Count of numerically quantifiable behavior-e.g., the amount of CPU time used • Categorical measure • Function of observed behavior over a finite set of categories-each value is determined in relation to other categories • Binary categorical measure • Has a finite number of categories, and assigns each a 1 or 0 depending on whether or not they are invoked • Linear categorical measure • This has a score function that counts the number of times each category occurs
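The measures on slides 8 and 9 are easiest to see in code. The following is an added example (not SRI's IDES code) of a per-user profile built from a constructed session history: an ordinal measure (CPU seconds per session, scored as a distance from the profile mean in standard deviations), a linear categorical measure (the user's command frequencies, compared by total-variation distance), and the binary categorical check for commands never seen in the profile. The thresholds, the sliding-window `update` that makes the profile "dynamic", and all session data are assumptions made for illustration.

```python
"""IDES-style statistical profiling, reduced to two of the measure types on the
slide plus the binary-categorical "never seen before" check.
Added example; not SRI's IDES code."""
from collections import Counter
from math import sqrt

# Constructed audit history for one user (not real data): per-session CPU
# seconds and the commands issued. This is the training set for the profile.
HISTORY = [
    {"cpu": 2.1, "cmds": ["ls", "vi", "cc", "ls", "make"]},
    {"cpu": 3.4, "cmds": ["vi", "cc", "make", "ls"]},
    {"cpu": 1.8, "cmds": ["ls", "cat", "vi", "make"]},
    {"cpu": 2.9, "cmds": ["cc", "make", "ls", "vi", "vi"]},
    {"cpu": 2.5, "cmds": ["ls", "vi", "make"]},
]
# Two constructed sessions to score: one in character, one not.
NORMAL = {"cpu": 2.6, "cmds": ["ls", "vi", "make", "cc"]}
ODD = {"cpu": 41.0, "cmds": ["nc", "chmod", "nc", "cat"]}


class UserProfile:
    def __init__(self, sessions):
        self.sessions = list(sessions)
        cpus = [s["cpu"] for s in self.sessions]
        n = len(cpus)
        self.cpu_mean = sum(cpus) / n
        self.cpu_sd = sqrt(sum((c - self.cpu_mean) ** 2 for c in cpus) / n)
        total = Counter()
        for s in self.sessions:
            total.update(s["cmds"])
        count = sum(total.values())
        # Linear categorical profile: relative frequency of each command.
        self.cmd_freq = {cmd: k / count for cmd, k in total.items()}

    def cpu_score(self, cpu):
        """Ordinal measure: distance from the profile mean in standard deviations."""
        if self.cpu_sd == 0:
            return 0.0 if cpu == self.cpu_mean else float("inf")
        return abs(cpu - self.cpu_mean) / self.cpu_sd

    def cmd_score(self, cmds):
        """Linear categorical measure: total-variation distance (0..1) between
        the session's command distribution and the profile's."""
        observed = Counter(cmds)
        n = len(cmds)
        cats = set(observed) | set(self.cmd_freq)
        return 0.5 * sum(abs(observed.get(c, 0) / n - self.cmd_freq.get(c, 0.0)) for c in cats)

    def unseen_commands(self, cmds):
        """Binary categorical measure: categories invoked now but never in the profile."""
        return sorted(set(cmds) - set(self.cmd_freq))

    def evaluate(self, session, cpu_limit=3.0, cmd_limit=0.5):
        """Return the names of the measures that flag this session (empty = normal).
        The limits are assumed values, not IDES parameters."""
        flags = []
        if self.cpu_score(session["cpu"]) > cpu_limit:
            flags.append("cpu")
        if self.cmd_score(session["cmds"]) > cmd_limit:
            flags.append("cmd")
        if self.unseen_commands(session["cmds"]):
            flags.append("unseen")
        return flags

    def update(self, session, window=5):
        """Dynamic profile: the newest session replaces the oldest (sliding window).
        Slow drift is absorbed, which is exactly what slide 10 warns an insider can exploit."""
        self.sessions = (self.sessions + [session])[-window:]
        self.__init__(self.sessions)


if __name__ == "__main__":
    profile = UserProfile(HISTORY)
    print("normal session flags:", profile.evaluate(NORMAL))
    print("odd session flags:   ", profile.evaluate(ODD))
```

Note what `update` does to the profile once the odd session is absorbed: the CPU mean jumps from about 2.5 to about 10.3 seconds, so a second session like it would score as far less anomalous. Slow, deliberate drift in a monitored insider's behavior is the weakness slide 10 describes.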

  10. User norms-IDES • Disadvantages to establishing normal user behavior: • Depends greatly on the consistency of the user • An insider may know that behavior is monitored and intentionally change it over time • A user’s behavior is subject to change without notice • Alternatives to auditing normal behavior in the IDES • Profiling the normal behavior of programs • Use keystroke dynamics to continuously verify user identity

  11. User norms-Neural Networks • SRI has looked into Neural Networks (NN) to counter the following IDES problems: • The need for accurate statistical distributions • NNs do not require assumptions about normal user behavior • Difficulty in evaluating detection measures • NNs can evaluate the effectiveness of detection measures • High cost of algorithm development • NN simulators are easier to modify for new user communities • Difficulty in scaling • NNs could be used to classify users depending on their observed behavior as opposed to manual groupings

  12. User norms-Neural Networks • So, what IS a Neural Network? • In principle, NNs can compute any computable function, i.e., they can do everything a normal digital computer can do. • In practice, NNs are especially useful for classification and function approximation/mapping problems which are tolerant of some imprecision, which have lots of training data available, but to which hard and fast rules (such as those that might be used in an expert system) cannot easily be applied. Source: http://www.rdt.monash.edu.au/~app/CSC437nn/Lnts/L01.html#CITEnnFAQ • In general, NNs are capable of “learning” and can be used for such purposes as pattern recognition

  13. Expert Systems • The Expert System approach simply monitors audit data for suspicious activity • This approach is likened to a security officer’s duties • The Expert System uses a set of defined activities to look for • This set of rules cannot possibly be comprehensive • The set of rules is fixed-it does not depend on previous activity • There may be a way to combine this approach with the statistical approach • Compare rule violation with normal user behavior and try to detect a correspondence
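A fixed rule set of the kind slide 13 describes, applied to an audit trail, as an added example (not code from the talk or from IDES). The three rules cover the failed-login burst from slide 4, an unprivileged read of a protected file, and a write to the audit file itself (slide 19). The record format, file lists, thresholds and the audit records are all constructed for illustration; no real system emits exactly this format.

```python
"""Expert-system style checker: a fixed rule set applied to an audit trail.
Added example; records, rules and thresholds are constructed."""
from collections import defaultdict, deque

# Constructed audit records: (timestamp in seconds, user, event, detail).
AUDIT = [
    (100, "alice", "login_fail", "tty1"),
    (103, "alice", "login_fail", "tty1"),
    (105, "alice", "login_fail", "tty1"),
    (110, "alice", "login_ok", "tty1"),
    (115, "alice", "file_read", "/etc/shadow"),
    (200, "bob", "login_ok", "tty2"),
    (205, "bob", "file_read", "/home/bob/notes"),
    (300, "bob", "file_write", "/var/log/audit.log"),
    (400, "root", "file_read", "/etc/shadow"),
]
# A constructed slow guesser: one failure every 31 s, never three inside 60 s.
SLOW_GUESSER = [(t, "eve", "login_fail", "tty9") for t in range(0, 310, 31)]

PRIVILEGED = {"root"}
PROTECTED_FILES = {"/etc/shadow"}
AUDIT_FILES = {"/var/log/audit.log"}


def rule_repeated_login_failure(state, rec, limit=3, window=60):
    """Slide 4: external penetrators show up as bursts of failed logins."""
    ts, user, event, _ = rec
    if event != "login_fail":
        return None
    recent = state["fails"][user]
    recent.append(ts)
    while recent and ts - recent[0] > window:
        recent.popleft()
    if len(recent) >= limit:
        recent.clear()  # report once per burst
        return f"{limit} failed logins for {user} within {window}s"
    return None


def rule_protected_file_read(state, rec):
    """Internal penetrator: an unprivileged user reading a protected file."""
    _, user, event, path = rec
    if event == "file_read" and path in PROTECTED_FILES and user not in PRIVILEGED:
        return f"{user} read protected file {path}"
    return None


def rule_audit_tamper(state, rec):
    """Slide 19: nobody, privileged or not, may touch the audit mechanism."""
    _, user, event, path = rec
    if event in ("file_write", "file_delete") and path in AUDIT_FILES:
        return f"{user} modified audit file {path}"
    return None


RULES = [rule_repeated_login_failure, rule_protected_file_read, rule_audit_tamper]


def run_rules(records, rules=RULES):
    """Apply every rule to every record in order.
    Returns a list of (timestamp, rule name, message) alerts."""
    state = {"fails": defaultdict(deque)}
    alerts = []
    for rec in records:
        for rule in rules:
            msg = rule(state, rec)
            if msg:
                alerts.append((rec[0], rule.__name__, msg))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(AUDIT):
        print(alert)
    print("slow guesser alerts:", run_rules(SLOW_GUESSER))
```

The slow guesser produces no alert at all: the rule knows nothing about that user's history beyond its 60-second window, which is the "fixed, does not depend on previous activity" limitation the slide names. Feeding the same records to a statistical profile (as in the example after slide 9) is the combination the last bullet suggests.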

  14. Model-based reasoning • This type of Intrusion Detection relies on the fact that there are usually known procedures for breaching system security • Known password attacks • Known system vulnerabilities • Model-based reasoning monitors for known attacks against a specific model of proscribed activities • It gathers “evidence” of an intrusive procedure by looking for intrusion scenarios • Top-down models let the system predict the action an intruder following such a scenario would take next, and so determine specifically which audit data to examine next

  15. Model-based reasoning • Data is systematically examined until enough “evidence” is gathered to support the suspicion of an attack • Good candidates for model-based reasoning are • Attacks which are easily recognizable • Attacks which contain sets of instructions unique to that specific attack • Attacks which contain sets of instructions that are not associated with normal behavior

  16. Model-based reasoning • Benefits: • Narrow down the information that needs to be processed • Intuitive explanations of detected attacks • Be able to take preventative actions before an attack is completed • Drawbacks: • Can only detect known attacks • An intruder may be able to vary the scenario and avoid detection
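The scenario matching of slides 14 to 16, as an added example (not code from the talk or from SRI): a scenario is an ordered list of steps, each a predicate over an audit event with an evidence weight; evidence accumulates per user as the steps are seen in order, the current step tells the monitor which kind of record to look for next (the top-down prediction), and an alert is raised once the evidence threshold is reached, which can happen before the final step. The scenario, the weights, the threshold and the events are constructed for illustration.

```python
"""Model-based reasoning over an audit trail.
Added example; scenario, weights, threshold and events are constructed."""
from collections import defaultdict

# Constructed audit events (not real data): (timestamp, user, event, detail)
EVENTS = [
    (10, "mallory", "login_fail", "tty3"),
    (12, "mallory", "login_fail", "tty3"),
    (15, "mallory", "login_ok", "tty3"),
    (20, "mallory", "exec", "/usr/bin/su"),
    (25, "mallory", "file_write", "/etc/passwd"),
    (30, "alice", "login_ok", "tty1"),
    (35, "alice", "exec", "/usr/bin/vi"),
]
# The same intruder skipping the "su" step: the scenario varied (slide 16).
VARIANT = [e for e in EVENTS if e[1] == "mallory" and e[3] != "/usr/bin/su"]

# A scenario: (step name, predicate on an event, evidence weight). Steps must be
# seen in order; the current step may repeat (several password guesses).
PASSWORD_ATTACK = [
    ("guessing", lambda e: e[2] == "login_fail", 1),
    ("broke_in", lambda e: e[2] == "login_ok", 1),
    ("escalate", lambda e: e[2] == "exec" and e[3].endswith("/su"), 2),
    ("tamper",   lambda e: e[2] == "file_write" and e[3].startswith("/etc/"), 3),
]


class ScenarioTracker:
    def __init__(self, scenario, threshold):
        self.scenario = scenario
        self.threshold = threshold
        self.step = defaultdict(int)      # user -> index of the step being matched
        self.evidence = defaultdict(int)  # user -> accumulated evidence
        self.reported = set()

    def next_expected(self, user):
        """Top-down prediction: the step names, and so the kind of audit
        record, worth examining next for this user."""
        i = self.step[user]
        return [name for name, _, _ in self.scenario[i:i + 2]]

    def observe(self, event):
        """Feed one audit event. Returns (timestamp, user) the first time the
        user's evidence reaches the threshold, otherwise None."""
        user = event[1]
        i = self.step[user]
        for j in (i, i + 1):  # the current step may repeat, or the next one begins
            if j < len(self.scenario) and self.scenario[j][1](event):
                self.evidence[user] += self.scenario[j][2]
                self.step[user] = j
                break
        else:
            return None  # fits no expected step: not evidence for this scenario
        if self.evidence[user] >= self.threshold and user not in self.reported:
            self.reported.add(user)
            return (event[0], user)
        return None


def detect(events, scenario=PASSWORD_ATTACK, threshold=5):
    """Run the scenario over a whole trail and return the alerts raised."""
    tracker = ScenarioTracker(scenario, threshold)
    return [a for a in (tracker.observe(e) for e in events) if a]


if __name__ == "__main__":
    print("full scenario:", detect(EVENTS))    # alert at the su step, before /etc/passwd is touched
    print("varied scenario:", detect(VARIANT))  # no alert: the model only knows one ordering
```

With a threshold of 5 the alert for `mallory` fires at the `su` step, before the final tampering step, which is the "preventative action before an attack is completed" benefit. `VARIANT` shows the drawback: without the `su` event the tracker is still waiting for the `escalate` step, the write to `/etc/passwd` matches nothing it expects, and the evidence stays below threshold.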

  17. The IDES resolver • This will combine the statistical and expert system components • Can make more complex deductions about suspicious behavior • Reduce the false positive rate • Be able to assess the gravity of a situation more accurately • Correlate audit data with other available data • Information about changes in user status (new users, user locations…) • Information about files, directories, devices, authorizations…

  18. Other approaches • Define acceptable, as opposed to suspicious, behavior • Use trap doors (bait malicious users) • Bogus passwords • “tripwire” files • Good Intrusion Detection systems will incorporate a number of methods for system security

  19. More thoughts on auditing • In addition to normal security audit data, the following information should be maintained: • Facts about user status, new users, terminated users, users on vacations, changed job assignments, etc. • Facts about files, directories, devices, and authorizations • Profiles of expected or socially acceptable user behavior • Users, even privileged ones, should not be able to tamper with the audit mechanisms

  20. What is the appropriate level of auditing? • Auditing should be implemented at the lowest level possible (in the operating system, below any interface users can program against) so that users with direct programming access cannot bypass the security checks • This is what makes clandestine users detectable • It is also useful to audit at the command-line and application level, where events correspond to user actions • This provides the input that expert systems and model-based reasoning need

  21. Where should auditing take place? • Auditing ideally takes place on a separate system devoted to monitoring user behavior • An advantage to this is that performance is not affected on the monitored system • Another advantage is that a higher level of security could be implemented on the Intrusion Detection system • Data should be preprocessed on the monitored system to reduce storage and performance requirements on the Intrusion Detection system • Intrusion Detection systems could be generalized to monitor more than one machine at one time
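Slide 19 requires that nobody, privileged users included, can tamper with the audit mechanism, and slide 21 puts the analysis on a separate host. One way to make the audit trail shipped to that host tamper-evident, as an added example (a simplified forward-secure log, not code from the talk or from SRI): each record is MACed together with the previous MAC, the key is then hashed forward and the old key discarded on the monitored host, and the monitoring host keeps the initial key and the last MAC it received. A user who later takes over the monitored host cannot recompute earlier MACs (the keys are gone) and cannot drop records from the tail without the last MAC failing to match. The caveat: with the current key an attacker can still append forged records, so the chain protects what was written before the compromise, not after. Key, record format and sample records are constructed for illustration.

```python
"""Tamper-evident audit trail with key evolution (simplified forward-secure log).
Added example; the key, record format and sample records are constructed."""
import hashlib
import hmac
import json

ZERO = "0" * 64  # previous-MAC value for the first record


def next_key(key):
    """Key evolution: the monitored host keeps only the current key and
    discards the previous one after use."""
    return hashlib.sha256(b"audit-key|" + key).digest()


def record_mac(key, prev_mac, record):
    """MAC over the previous MAC and a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()


class AuditWriter:
    """Runs on the monitored host; preprocessed records are appended here
    and shipped to the monitoring host."""

    def __init__(self, initial_key):
        self.key = initial_key
        self.prev = ZERO
        self.chain = []

    def append(self, record):
        mac = record_mac(self.key, self.prev, record)
        self.chain.append({"record": record, "mac": mac})
        self.prev = mac
        self.key = next_key(self.key)  # old key gone: earlier MACs can no longer be forged
        return mac


def verify_chain(chain, initial_key, last_mac):
    """Runs on the monitoring host, which holds initial_key and the last MAC it
    received. Returns ("ok", n), ("modified", i) for the first bad record,
    or ("truncated", n) when records were dropped from the tail."""
    key, prev = initial_key, ZERO
    for i, entry in enumerate(chain):
        expected = record_mac(key, prev, entry["record"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return ("modified", i)
        prev, key = entry["mac"], next_key(key)
    if not hmac.compare_digest(prev, last_mac):
        return ("truncated", len(chain))
    return ("ok", len(chain))


# Constructed demonstration data (not real audit output).
INITIAL_KEY = b"shared-at-provisioning-time"
SAMPLE = [
    {"t": 100, "user": "alice", "event": "login_ok"},
    {"t": 115, "user": "alice", "event": "file_read", "path": "/etc/shadow"},
    {"t": 120, "user": "alice", "event": "logout"},
]


def demo():
    """Build a chain, then tamper with it two ways; return the three verdicts."""
    writer = AuditWriter(INITIAL_KEY)
    last = None
    for rec in SAMPLE:
        last = writer.append(rec)
    clean = verify_chain(writer.chain, INITIAL_KEY, last)
    # An insider rewrites the incriminating record but cannot recompute its MAC.
    edited = [dict(e) for e in writer.chain]
    edited[1] = {"record": {**edited[1]["record"], "path": "/home/alice/notes"},
                 "mac": edited[1]["mac"]}
    modified = verify_chain(edited, INITIAL_KEY, last)
    # The insider deletes the tail instead: the chain verifies but ends early.
    truncated = verify_chain(writer.chain[:2], INITIAL_KEY, last)
    return clean, modified, truncated


if __name__ == "__main__":
    print(demo())
```

The preprocessing slide 21 asks for (filtering or summarizing on the monitored host) fits naturally here: whatever is shipped is what gets chained, so the monitoring host can also tell when the forwarding stopped.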

  22. Privacy issues? • Maintaining a large database of user activity could be a major violation of privacy • Employee monitoring may take place • The audit files may fall in to the wrong hands

  23. Future • So, what’s going on with IDES now? • Visit the Intrusion Detection Homepage at: • http://www.sdl.sri.com/intrusion/index.html • What happened to the IDES? • It was revised and became NIDES (Next-generation IDES) at some point after 1993 • According to SRI: • These efforts did, however, have some inherent limitations in scalability, applicability to network environments by their focus on users as the analysis targets, and lack of features to support interoperability

  24. Future • Now SRI is working on EMERALD, the successor system to NIDES • This system will “considerably extend the NIDES concept to accommodate network-based analyses and dramatically increase interoperability and ease of integration into distributed computing environments. This effort will include extending components for profile-based analysis, signature-based analysis, and localized results fusion with automated response capability. In addition, we are considerably extending our results analysis capability to facilitate hierarchical interpretations of our distributed monitoring units, which will enable cross-platform analysis at various layers of abstraction, and successive refinement of the resulting analyses within increasingly broader scopes” (Intrusion Detection Homepage).

  25. Conclusion • There is no perfect Intrusion Detection system • Only through a combination of systems can the best possible security monitoring be implemented • Probably the best approach is to maintain a profile of normal user activity and check this profile against a set of known suspicious behaviors • Although privacy may be an issue, it is possible to implement regulations on auditing to protect the users and maintain security
