
Intrusion Detection Systems: A Survey and Taxonomy

Intrusion Detection Systems: A Survey and Taxonomy. A presentation by Emily Fetchko. About the paper: by Stefan Axelsson of Chalmers University of Technology, Sweden; from 2000; cited by 92 (Google Scholar); featured on InfoSysSec; used in Network Security (691N).



Presentation Transcript


  1. Intrusion Detection Systems: A Survey and Taxonomy A presentation by Emily Fetchko

  2. About the paper • By Stefan Axelsson of Chalmers University of Technology, Sweden • From 2000 • Cited by 92 (Google Scholar) • Featured on InfoSysSec • Used in Network Security (691N) • Followup to 1999 IBM paper “Towards a Taxonomy of Intrusion Detection Systems”

  3. Outline • New and Significant • What is a taxonomy? • Introduction to IDS • Introduction to classification • Taxonomy by Intrusion Detection Principle • Example systems • Taxonomy by System Characteristics • Trends in Research and Conclusion

  4. New and Significant • First taxonomy paper • Predicts research areas for Intrusion Detection • Followup to 93 page survey report of research and IBM paper

  5. What is a taxonomy? • “either a hierarchical classification of things, or the principles underlying the classification” (Wikipedia) • Serves three purposes • Description • Prediction • Explanation

  6. Intrusion Detection Systems • Compare them to burglar alarms • Alarm/siren component • Something that alerts • Security officer/response team component • Something to respond/correct • Different from perimeter defense systems (such as a firewall)

  7. Types of intrusions • Masquerader • Steals identity of user • Legitimate users who abuse the system • Exploits • Trojan horse, backdoor, etc. • And more

  8. Two major types of detection • Anomaly detection • “abnormal behavior” • May not be undesirable behavior • High false positive rate • Signature detection • Close to previously-defined bad behavior • Has to be constantly updated • Slow to catch new malicious behavior

  9. Approaches to classification • Type of intrusion detected • Type of data gathered • Rules to detect intrusion

  10. Taxonomy by Intrusion Detection Principles • “self-learning” • Trains on “normal” behavior • “programmed” • User must know difference between normal & abnormal • “signature inspired” • Combination of anomaly and signature methods

  11. Anomaly detection • Time series vs. non time series • Rule modeling • Create rules describing “normal behavior” • Raise alarm if activity does not match rules • Descriptive statistics • Compute distance vector between current system statistics and “normal” stats • ANN – Artificial Neural Network • Black box modeling approach

  12. Anomaly detection, continued • Descriptive Statistics • Collect statistics about parameters such as #logins, #connections, etc. • Simple statistics – abstract • Rule-based • Threshold • Default Deny • Define safe states • All other states are “deny” states
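The descriptive-statistics approach from slides 11 and 12, as an added illustration that is not part of the presentation or of Axelsson's paper: a per-user profile of mean and standard deviation is built for a few audit counters (#logins, #connections, bytes sent), a new observation is scored by the distance vector between it and the profile, and an alarm is raised when the score crosses a threshold. The audit history and the threshold value are constructed for the example.

```python
"""Descriptive-statistics anomaly detector (added example, constructed data).

Profile = per-feature mean and standard deviation of "normal" days.
Score   = Euclidean length of the per-feature z-score (distance) vector.
Alarm   = score above a fixed threshold.
"""
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Tuple

FEATURES = ("logins", "connections", "bytes_out")


@dataclass
class Profile:
    mean: Dict[str, float]
    stdev: Dict[str, float]


def build_profile(history: List[Dict[str, float]]) -> Profile:
    """Summarise normal behaviour as per-feature mean and standard deviation."""
    n = len(history)
    mean = {f: sum(day[f] for day in history) / n for f in FEATURES}
    stdev = {}
    for f in FEATURES:
        var = sum((day[f] - mean[f]) ** 2 for day in history) / n
        # A feature that never varies would give a zero divisor below;
        # fall back to 1.0 so any change in it simply counts as raw units.
        stdev[f] = sqrt(var) or 1.0
    return Profile(mean, stdev)


def distance_vector(profile: Profile, obs: Dict[str, float]) -> Dict[str, float]:
    """Per-feature z-score: how many standard deviations obs lies from the mean."""
    return {f: (obs[f] - profile.mean[f]) / profile.stdev[f] for f in FEATURES}


def anomaly_score(profile: Profile, obs: Dict[str, float]) -> float:
    """Euclidean length of the distance vector."""
    d = distance_vector(profile, obs)
    return sqrt(sum(v * v for v in d.values()))


def check(profile: Profile, obs: Dict[str, float], threshold: float = 4.0) -> Tuple[bool, float]:
    """Return (alarm, score). The threshold is an assumed tuning knob."""
    score = anomaly_score(profile, obs)
    return score > threshold, score


# Constructed 10-day history for one user (mean logins 5, connections 20, bytes 1000).
HISTORY = [
    {"logins": l, "connections": c, "bytes_out": b}
    for l, c, b in [
        (4, 20, 1000), (5, 22, 1200), (6, 18, 800), (5, 21, 1100), (4, 19, 900),
        (6, 20, 1000), (5, 22, 1200), (5, 18, 800), (4, 21, 1100), (6, 19, 900),
    ]
]
PROFILE = build_profile(HISTORY)

# Constructed observations: one inside the normal range, one with a large outbound volume.
NORMAL_DAY = {"logins": 5, "connections": 21, "bytes_out": 1100}
ANOMALOUS_DAY = {"logins": 5, "connections": 21, "bytes_out": 8000}

if __name__ == "__main__":
    for label, obs in (("normal", NORMAL_DAY), ("anomalous", ANOMALOUS_DAY)):
        alarm, score = check(PROFILE, obs)
        print(f"{label}: score={score:.2f} alarm={alarm}")
```

The threshold is where the slide 8 trade-off lives: lowering it catches smaller deviations but raises the false positive rate, since any legitimate but unusual day scores high too.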

  13. Signature Detection • State-modeling • If the system is in this state (or followed a series of states) then an intrusion has occurred • Petri-net – states form a petri net, a type of directed bipartite graph (place vs transition nodes)

  14. Signature Detection, continued • Expert system • Reasoning based on rules • Forward-chaining most popular • String-matching • Look for text transmitted • Simple rule-based • Less advanced but faster than expert system
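Two of the signature techniques from slides 13 and 14 side by side, as an added example that is not code from the presentation or from any of the systems it names: a state model, where a sequence of audit events drives a small per-source state machine and an alarm is raised when the accepting state (several failed logins, then a success) is reached, and simple string matching, where each record is checked against fixed patterns. The audit records, the pattern list and the failure count are all constructed.

```python
"""Signature detection over a constructed audit trail (added example).

State model   : per-source counter of failed logins; a subsequent successful
                login from the same source after N failures is the accepting state.
String match  : each record's detail is searched for fixed patterns.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed audit trail: (source address, event type, detail)
AUDIT: List[Tuple[str, str, str]] = [
    ("10.0.0.5", "login_failed", "user=alice"),
    ("10.0.0.5", "login_failed", "user=alice"),
    ("10.0.0.5", "login_failed", "user=alice"),
    ("10.0.0.5", "login_ok", "user=alice"),
    ("10.0.0.9", "login_ok", "user=bob"),
    ("10.0.0.9", "http", "GET /reports/q1.txt"),
    ("10.0.0.9", "http", "GET /../../secret.txt"),
]


class FailedThenSuccess:
    """State model: N or more failed logins from one source, then a success."""

    def __init__(self, n: int = 3) -> None:
        self.n = n
        self.failures: Dict[str, int] = defaultdict(int)  # state per source

    def feed(self, src: str, event: str) -> Optional[str]:
        if event == "login_failed":
            self.failures[src] += 1
        elif event == "login_ok":
            count = self.failures[src]
            self.failures[src] = 0          # any success resets the state
            if count >= self.n:
                return f"{src}: login succeeded after {count} failed attempts"
        return None


# Constructed string signatures; a real system would load these from a signature database.
PATTERNS = [
    ("path-traversal", re.compile(r"\.\./")),
    ("test-signature", re.compile(r"IDS-TEST-STRING")),
]


def match_strings(detail: str) -> List[str]:
    """Return the names of every pattern found in the record detail."""
    return [name for name, rx in PATTERNS if rx.search(detail)]


def run(audit: List[Tuple[str, str, str]], n: int = 3) -> List[Tuple[str, str]]:
    """Feed every record to both detectors; return (technique, message) alerts in order."""
    alerts: List[Tuple[str, str]] = []
    state = FailedThenSuccess(n)
    for src, event, detail in audit:
        msg = state.feed(src, event)
        if msg:
            alerts.append(("state-model", msg))
        for name in match_strings(detail):
            alerts.append(("string-match", f"{src}: {name} in {detail!r}"))
    return alerts


if __name__ == "__main__":
    for technique, msg in run(AUDIT):
        print(f"[{technique}] {msg}")
```

Both detectors only ever fire on behaviour they were told about in advance, which is the slide 8 point that signature systems must be kept up to date and are slow to catch new malicious behaviour; the state model adds nothing new to that, it just lets a signature span several records instead of one.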

  15. Signature Inspired Detection • Only one system in the taxonomy (Signature Inspired and Self Learning) • Automatic feature selection • Automatically determines which features are interesting • Isolate, use them to decide if intrusion or not

  16. Classification by Type of Intrusion • Well-known intrusions • Correspond to signature detection systems • Generalized intrusions • Like a well-known intrusion, but with some parameters left blank • Correspond to signature-inspired detectors • Unknown intrusions • Correspond to anomaly detectors

  17. Effectiveness of Detection • Two categories marked as least effective • Anomaly – Self Learning – Non-time series • Weak in collecting statistics on normal behavior • Will create many false positives • Anomaly – Programmed – Descriptive Statistics • If attacker knows stats used, can avoid them • Leads to false negatives

  18. Taxonomy by System Characteristics • Define system beyond the detection principle • Time of detection • Real time or non real time • Granularity of data processing • Continuous or batch • Source of audit data • Network or host

  19. System Characteristics, continued • Response to detected intrusions • Active or passive • Modify attacked or attacking system • Locus of data processing • Centralized or distributed • Locus of data collection • Security (ability to defend against direct attack) • Degree of interoperability • Work with other systems • Accept other forms of data

  20. Example Systems • Haystack, 1988 • Air Force • Anomaly detection based on per user profile, and user group profile • Signature based detection • MIDAS, 1988 • National Computer Security Centre and Computer Science Laboratory, SRI International • Heuristic intrusion detection • Expert system with two-tiered rule base

  21. Example Systems, continued • IDES – Intrusion Detection Expert System, 1988-1992 • Multiple authors, long term effort • Real time expert system with statistics • Compare current profile with known profile • Distinction between “on” and “off” days • NIDES = next generation IDES • NSM – Network Security Monitor • Monitors broadcast traffic • Layered approach – connection & lower layers • Profile by protocol (telnet, etc)

  22. Example Systems, continued • DIDS – Distributed IDS, 1992 • Incorporates Haystack and NSM • Three components: Host monitor, LAN monitor, DIDS director • DIDS director contains expert system • Bro, 1998 • Network-based (with traffic analysis) • Custom scripting language • Prewritten policy scripts • Signature matching • Action after detection • Snort compatibility

  23. System Characteristics, continued

  24. System characteristics, continued

  25. Trends in Research • Active response • Legal ramifications, however • Distributed detection • Corresponds with distributed computing in general • Increased security • Increased interoperability

  26. Opportunities for Further Research • Taxonomies by other classifications • Signature – self-learning detectors • Two tiered detectors • False positive rates for anomaly detectors • Active response detectors • Distributed detectors • High security detectors

  27. Bibliography • Stefan Axelsson. “Intrusion Detection Systems: A Survey and Taxonomy”. Chalmers University of Technology, Sweden, 2000. • Debar, Dacier and Wespi. “Towards a taxonomy of intrusion-detection systems”. Computer Networks, pp. 805-822, 1999. • Bro Intrusion Detection System, www.bro-ids.org • Google Scholar, http://scholar.google.com
