Intrusion detection systems a survey and taxonomy

Intrusion Detection Systems: A Survey and Taxonomy. A presentation by Emily Fetchko. About the paper: by Stefan Axelsson of Chalmers University of Technology, Sweden; from 2000; cited by 92 (Google Scholar); featured on InfoSysSec; used in Network Security (691N).

Presentation Transcript

About the paper

  • By Stefan Axelsson of Chalmers University of Technology, Sweden

  • From 2000

  • Cited by 92 (Google Scholar)

  • Featured on InfoSysSec

  • Used in Network Security (691N)

  • Follow-up to the 1999 IBM paper “Towards a Taxonomy of Intrusion Detection Systems”

Outline

  • New and Significant

  • What is a taxonomy?

  • Introduction to IDS

  • Introduction to classification

  • Taxonomy by Intrusion Detection Principle

  • Example systems

  • Taxonomy by System Characteristics

  • Trends in Research and Conclusion

New and Significant

  • First taxonomy paper

  • Predicts research areas for Intrusion Detection

  • Follow-up to a 93-page survey report of research and to the IBM paper

What is a taxonomy?

  • “either a hierarchical classification of things, or the principles underlying the classification” (Wikipedia)

  • Serves three purposes

    • Description

    • Prediction

    • Explanation

Intrusion Detection Systems

  • Compare them to burglar alarms

  • Alarm/siren component

    • Something that alerts

  • Security officer/response team component

    • Something to respond/correct

  • Different from perimeter defense systems (such as a firewall)

Types of intrusions

  • Masquerader

    • Steals identity of user

  • Legitimate users who abuse the system

  • Exploits

    • Trojan horse, backdoor, etc.

  • And more

Two major types of detection

  • Anomaly detection

    • “abnormal behavior”

    • May not be undesirable behavior

    • High false positive rate

  • Signature detection

    • Close to previously-defined bad behavior

    • Has to be constantly updated

    • Slow to catch new malicious behavior

Approaches to classification

  • Type of intrusion detected

  • Type of data gathered

  • Rules to detect intrusion

Taxonomy by Intrusion Detection Principles

  • “self-learning”

    • Trains on “normal” behavior

  • “programmed”

    • User must know difference between normal & abnormal

  • “signature inspired”

    • Combination of anomaly and signature methods

Anomaly detection

  • Time series vs. non time series

  • Rule modeling

    • Create rules describing “normal behavior”

    • Raise alarm if activity does not match rules

  • Descriptive statistics

    • Compute a distance vector between current system statistics and “normal” stats

  • ANN – Artificial Neural Network

    • Black box modeling approach

Anomaly detection, continued

  • Descriptive Statistics

    • Collect statistics about parameters such as #logins, #connections, etc.

    • Simple statistics – abstract

    • Rule-based

    • Threshold

  • Default Deny

    • Define safe states

    • All other states are “deny” states
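The descriptive-statistics approach from the last two slides, as an added example (not code from the paper or the presentation): a per-user profile of audit counters is learned from constructed “normal” days, a new day is scored by its distance vector from that profile, and a threshold decides whether to alarm. The counter names, the z-score distance and the threshold value are assumptions chosen for illustration; the busy-but-legitimate day shows the false-positive problem the slides mention.

```python
"""Descriptive-statistics anomaly detector (added example, not from the paper).
Learns a per-user profile (mean/std of audit counters) from constructed
'normal' days, then scores a new day by its distance from that profile."""
import math
from statistics import mean, pstdev

# Constructed training data: one record per day of normal activity for a user,
# holding audit counters like the ones the slide lists (#logins, #connections).
NORMAL_DAYS = [
    {"logins": 3, "connections": 40, "failed_logins": 0},
    {"logins": 4, "connections": 55, "failed_logins": 1},
    {"logins": 2, "connections": 35, "failed_logins": 0},
    {"logins": 3, "connections": 48, "failed_logins": 0},
    {"logins": 5, "connections": 60, "failed_logins": 1},
]

def build_profile(days):
    """Profile = per-counter (mean, standard deviation): the 'normal' stats."""
    return {k: (mean(d[k] for d in days), pstdev(d[k] for d in days))
            for k in days[0]}

def distance_vector(profile, day):
    """Per-counter z-scores: how many std devs today's value is from normal.
    A std of 0 is widened to 1 so a constant counter cannot divide by zero."""
    return {k: (day[k] - mu) / (sd or 1.0) for k, (mu, sd) in profile.items()}

def anomaly_score(profile, day):
    """Euclidean length of the distance vector: one number to threshold."""
    return math.sqrt(sum(z * z for z in distance_vector(profile, day).values()))

def is_anomalous(profile, day, threshold=4.0):
    """Alarm when the day lies further than `threshold` from the profile
    (the threshold is an assumed value; tuning it trades false positives
    against false negatives)."""
    return anomaly_score(profile, day) > threshold

if __name__ == "__main__":
    prof = build_profile(NORMAL_DAYS)
    quiet = {"logins": 3, "connections": 45, "failed_logins": 0}   # typical day
    brute = {"logins": 3, "connections": 45, "failed_logins": 30}  # 30 failures
    busy = {"logins": 9, "connections": 150, "failed_logins": 2}   # legit but unusual
    for name, day in [("quiet", quiet), ("brute", brute), ("busy", busy)]:
        print(name, round(anomaly_score(prof, day), 2), is_anomalous(prof, day))
```

The busy day is flagged although nothing malicious happened: abnormal is not the same as undesirable, which is the false-positive cost of this detection principle.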

Signature Detection

  • State-modeling

    • If the system is in this state (or followed a series of states) then an intrusion has occurred

    • Petri-net – states form a petri net, a type of directed bipartite graph (place vs transition nodes)

Signature Detection, continued

  • Expert system

    • Reasoning based on rules

    • Forward-chaining most popular

  • String-matching

    • Look for text transmitted

  • Simple rule-based

    • Less advanced but faster than an expert system
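State-modeling signature detection from the two slides above, as an added example (not code from the paper or from any of the systems it surveys): a signature is a small directed graph of states, each audit event may move a session along one edge, and an intrusion is declared only when a session has followed the whole series of states to the final one. The event types, state names and the audit trail are constructed for illustration.

```python
"""State-modeling signature detector (added example, not from the paper).
A signature is a small directed graph of states; each audit event may move
a session from one state to the next, and reaching the final state fires."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Transition:
    src: str    # state the session must currently be in
    event: str  # audit event type that triggers the move
    dst: str    # state after the move

@dataclass
class Signature:
    name: str
    transitions: list
    final: str
    start: str = "start"

    def next_state(self, state, event_type):
        """Follow the first matching edge; with no matching edge the session stays put."""
        for t in self.transitions:
            if t.src == state and t.event == event_type:
                return t.dst
        return state

def scan(signature, events):
    """Run every session through the state graph; return ids that reached `final`."""
    state, matched = {}, []
    for ev in events:
        sid = ev["session"]
        state[sid] = signature.next_state(state.get(sid, signature.start), ev["type"])
        if state[sid] == signature.final and sid not in matched:
            matched.append(sid)
    return matched

# Constructed signature: three failed logins followed by a success on the same
# session, i.e. the alarm depends on the whole series of states, not one event.
FAILS_THEN_SUCCESS = Signature(
    name="three failed logins then success",
    transitions=[
        Transition("start", "login_fail", "fail1"),
        Transition("fail1", "login_fail", "fail2"),
        Transition("fail2", "login_fail", "fail3"),
        Transition("fail3", "login_ok", "alarm"),
    ],
    final="alarm",
)

# Constructed audit trail: s1 fails three times then succeeds; s2 fails once.
AUDIT = [
    {"session": "s1", "type": "login_fail"}, {"session": "s2", "type": "login_fail"},
    {"session": "s1", "type": "login_fail"}, {"session": "s1", "type": "login_fail"},
    {"session": "s2", "type": "login_ok"},   {"session": "s1", "type": "login_ok"},
]
```

Calling scan(FAILS_THEN_SUCCESS, AUDIT) reports only s1; s2 never completes the series, which is exactly the precision (and the blindness to anything not yet encoded) that the slides attribute to signature detection.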

Signature Inspired Detection

  • Only one system in the taxonomy (Signature Inspired and Self Learning)

  • Automatic feature selection

    • Automatically determines which features are interesting

    • Isolate, use them to decide if intrusion or not

Classification by Type of Intrusion

  • Well-known intrusions

    • Correspond to signature detection systems

  • Generalized intrusions

    • Like a well-known intrusion, but with some parameters left blank

    • Correspond to signature-inspired detectors

  • Unknown intrusions

    • Correspond to anomaly detectors

Effectiveness of Detection

  • Two categories marked as least effective

  • Anomaly – Self Learning – Non-time series

    • Weak in collecting statistics on normal behavior

    • Will create many false positives

  • Anomaly – Programmed – Descriptive Statistics

    • If attacker knows stats used, can avoid them

    • Leads to false negatives

Taxonomy by System Characteristics

  • Define system beyond the detection principle

  • Time of detection

    • Real time or non real time

  • Granularity of data processing

    • Continuous or batch

  • Source of audit data

    • Network or host

System Characteristics, continued

  • Response to detected intrusions

    • Active or passive

    • Modify attacked or attacking system

  • Locus of data processing

    • Centralized or distributed

  • Locus of data collection

  • Security (ability to defend against direct attack)

  • Degree of interoperability

    • Work with other systems

    • Accept other forms of data

Example Systems

  • Haystack, 1988

    • Air Force

    • Anomaly detection based on per user profile, and user group profile

    • Signature based detection

  • MIDAS, 1988

    • National Computer Security Centre and Computer Science Laboratory, SRI International

    • Heuristic intrusion detection

    • Expert system with two-tiered rule base

Example Systems, continued

  • IDES – Intrusion Detection Expert System, 1988-1992

    • Multiple authors, long term effort

    • Real time expert system with statistics

    • Compare current profile with known profile

    • Distinction between “on” and “off” days

    • NIDES = next generation IDES

  • NSM – Network Security Monitor

    • Monitors broadcast traffic

    • Layered approach – connection & lower layers

    • Profile by protocol (telnet, etc.)

Example Systems, continued

  • DIDS – Distributed IDS, 1992

    • Incorporates Haystack and NSM

    • Three components: Host monitor, LAN monitor, DIDS director

    • DIDS director contains expert system

  • Bro, 1998

    • Network-based (with traffic analysis)

    • Custom scripting language

    • Prewritten policy scripts

    • Signature matching

    • Action after detection

    • Snort compatibility

Trends in Research

  • Active response

    • Legal ramifications, however

  • Distributed detection

    • Corresponds with distributed computing in general

  • Increased security

  • Increased interoperability

Opportunities for Further Research

  • Taxonomies by other classifications

  • Signature – self-learning detectors

  • Two tiered detectors

  • False positive rates for anomaly detectors

  • Active response detectors

  • Distributed detectors

  • High security detectors

Bibliography

  • Stefan Axelsson. “Intrusion Detection Systems: A Survey and Taxonomy”. Chalmers University of Technology, Sweden, 2000.

  • Debar, Dacier and Wespi. “Towards a taxonomy of intrusion-detection systems”. Computer Networks, pp. 805-822, 1999.

  • Bro Intrusion Detection System,

  • Google Scholar,