Title: IDSIC: A Modeling of Intrusion Detection System with Identification Capability
1 IDSIC: A Modeling of Intrusion Detection System with Identification Capability
- Pei-Te Chen, Benjamin Tseng, Chi-Sung Laih
- Cryptology Network Security Lab.
- Electrical Engineering Department
- National Cheng Kung University
2 Outline
- Introduction
- Traditional IDS model
- A New model IDSIC
- Implementation issues of IDSIC
- Conclusion
3 1. Introduction
- Three fundamental functional components of an intrusion detection system (IDS)
  - Collection: collects information from the different sources
  - Detection: analyzes the collected information
  - Response: notifies the system managers when and where an intrusion happens
    - Active measures / Passive measures
4 1. Introduction (cont.)
- Some security standards, e.g., ISO 17799, suggest that an internal auditor should periodically check the security of the enterprise network
- To discover the real security holes or vulnerabilities, the security tools used by the auditors are the same tools used by outside hackers
5 1. Introduction (cont.)
- These tests fall into two situations
  - Rehearsal
    - the auditors notify the system managers when the security audit starts and how the security tests will proceed
    - since both the system managers and the auditors know the scenarios of the security tests, the tests reveal very little
6 1. Introduction (cont.)
  - Auditors imitate hackers' behavior when performing the security tests
    - the system managers do not know in advance when, where, and how the tests will take place
    - an active response measure would give the system a self-protecting ability
    - a passive response measure will raise many alarms that the system managers have to cope with
7 1. Introduction (cont.)
- Lee et al. propose a cost-sensitive model for IDSs that uses the major cost factors, such as damage cost, response cost, and operational cost, to evaluate the total cost of an IDS
  - IDSs should minimize these costs
W. Lee, W. Fan, Matt Miller, Sal Stolfo, and E. Zadok. Toward Cost-Sensitive Modeling for Intrusion Detection and Response. Journal of Computer Security, Vol. 10, Numbers 1-2, 2002.
8 Motivation
- Traditional IDSs (TIDSs) do not consider the behavior of the security auditors
- We are motivated to study whether the IDS cost is minimal in a top-secret enterprise network with security auditors
9 2. Traditional IDS model
- Traditional IDSs (TIDSs) requirements
- Roles and costs in TIDSs
10 TIDSs requirements
J. Cannady. An Adaptive Neural Network Approach to Intrusion Detection and Response. Ph.D. Thesis, Nova Southeastern University, 2000.
- Detection of known attacks
  - should be able to identify malicious attackers
- Real-time/near real-time analysis
  - analyze the information sources gathered by the IDS sensor as soon as possible
- Minimal resources
  - use minimal system resources when monitoring
- High accuracy
  - make sure the detection is correct and lower the false alarm rate
11 The roles in TIDSs
- Hackers
  - People who attempt to gain unauthorized access to a computer system. These people are often malicious and have many tools for breaking into a system.
- System Manager (SM)
  - The person in charge of minimizing excess usage, network management, and system maintenance costs. If a system under attack raises IDS alarms, they have to find out where the problem is.
12 The roles in TIDSs (cont.)
- Detection System (DS)
  - The system that monitors the events occurring in the protected hosts or networks and analyzes them for signs of intrusions.
13 The roles and relationships in TIDSs
14 The costs of TIDSs
W. Lee, W. Fan, Matt Miller, Sal Stolfo, and E. Zadok. Toward Cost-Sensitive Modeling for Intrusion Detection and Response. Journal of Computer Security, Vol. 10, Numbers 1-2, 2002.
- damage cost (DCost)
  - the cost of the damage caused by hackers when the IDS does not work appropriately
- response cost (RCost)
  - the cost of the actions taken when the response component generates alarms
- operational cost (OpCost)
  - the cost of processing and analyzing the events
15 The costs of TIDSs (cont.)
- False Negative cost is the cost of not detecting an attack that really happened.
- False Positive cost is incurred when normal behavior is misidentified as an attack.
- True Positive cost is the detection cost when an attack really happens.
- True Negative cost is incurred when the IDS correctly decides there is no attack.
16 The costs of TIDSs (cont.)
ε1: the function of the event's progress (how far the attack has proceeded before the response takes effect)
17 The costs of TIDSs (cont.)
18 3. A New model IDSIC
- Roles and components in IDSIC
- New requirements in IDSIC
- Cost analysis in IDSIC
19 Roles in IDSIC
- Security Auditor (SA)
  - A person appointed and authorized to audit whether the security equipment works properly, using vulnerability testing tools.
  - One of the security auditors' main jobs is to check for security holes or vulnerabilities in the system.
  - Note: traditional IDSs have no ability to distinguish security auditors from hackers.
20 Roles in IDSIC (cont.)
- Detection System with Identification Capability (DSIC)
  - A type of DS that runs the same functions as a DS but has the extra ability to distinguish between the roles of hackers and SAs.
- Fingerprint
  - Secret-derived information that lets the DSIC distinguish hackers from SAs
21 Components in IDSIC
- IDSIC keeps the basic components of TIDSs: the collection, detection, and response components
- The fingerprint adder
  - uses a fingerprint generation algorithm to calculate the fingerprint and add it to the packets
- The fingerprint checker
  - includes validation algorithms that help the DSIC differentiate hackers' attacks from SAs' tests by examining the packets
22 The roles and components in IDSIC
23 New Requirements in IDSIC
- Fingerprint generation ability
  - SAs must be able to calculate the fingerprint
  - the computation needed to calculate the fingerprint must be as small as possible
- Validation ability
  - the DSIC must be able to determine whether a packet carries a valid fingerprint
  - this determination must be as fast as possible
24 New Requirements in IDSIC (cont.)
- Security
  - Hackers cannot generate a fingerprint without the SAs' secret
  - The probability of forging a fingerprint must be as small as possible
25 Cost analysis in IDSIC
- The damage cost (DCost) is divided into two parts
  - HDCost(e): the damage cost caused by hackers that may harm the systems
  - SDCost(e): the amount of damage to the systems caused by the SAs' security tests
  - HDCost(e) >> SDCost(e)
- The response cost (RCost) is also separated into two parts
  - HRCost(e) and SRCost(e)
  - HRCost(e) SRCost(e)
26 Cost analysis in IDSIC (cont.)
- False Negative (FNIC)
- False Positive (FPIC)
ε2: the function of the event's progress
CASE 1
CASE 2
Therefore, FNIC < FN
Therefore, FPIC ≤ FP
27 Cost analysis in IDSIC (cont.)
- True Positive (TPIC)
- True Negative (TNIC) = 0
CASE 1
CASE 2
ε3: the function of the event's progress
Therefore, TPIC ≤ TP
28 CCost vs. ICCost
29 Cost analysis in IDSIC (cont.)
- OpCost(e) is similar in TIDS and IDSIC
- CCost(e) in TIDS is greater than ICCost(e) in IDSIC
- Therefore IDSIC can have a smaller CumulativeCost(E) than TIDS
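The cost comparison above, carried through numerically. This is an added example, not code from the IDSIC paper: it costs each event with the per-outcome rule the slides take from Lee et al. (FN costs the damage, FP costs the response, TP costs the response plus a fraction ε1 of the damage, TN costs nothing) and then sums CCost(e) + OpCost(e) over a constructed event stream. The ratios SDCost/HDCost and SRCost/HRCost, the value of ε1, the constant OpCost and the event stream itself are all assumptions made for the demo.

```python
"""Cumulative-cost comparison of a traditional IDS (TIDS) and IDSIC.

Added example, not code from the IDSIC paper.  Assumptions (all mine):
  * per-outcome consequential cost follows the Lee et al. rule as the slides
    summarise it: FN -> DCost(e), FP -> RCost(e), TP -> RCost(e) + eps1*DCost(e),
    TN -> 0; OpCost(e) is the same constant in both models;
  * SDCost(e) = SD_RATIO * HDCost(e) and SRCost(e) = SR_RATIO * HRCost(e),
    with SD_RATIO small (HDCost >> SDCost);
  * the event stream and its cost figures are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Callable

EPS1 = 0.3        # assumed: fraction of the damage done before the response lands
SD_RATIO = 0.1    # assumed: SDCost(e) / HDCost(e)
SR_RATIO = 0.5    # assumed: SRCost(e) / HRCost(e)
OPCOST = 1.0      # assumed: OpCost(e), identical in TIDS and IDSIC


@dataclass(frozen=True)
class Event:
    kind: str        # "normal", "hacker" or "sa" (a security auditor's test)
    alarmed: bool    # did the detection component raise an alarm?
    hdcost: float    # HDCost(e): damage if a hacker ran this intrusion
    hrcost: float    # HRCost(e): cost of the full response to a hacker


def ccost_tids(ev: Event) -> float:
    """CCost(e): a TIDS cannot tell SAs from hackers, so SA tests are costed
    exactly like hacker attacks."""
    attack = ev.kind in ("hacker", "sa")
    if attack and not ev.alarmed:            # FN
        return ev.hdcost
    if not attack and ev.alarmed:            # FP
        return ev.hrcost
    if attack and ev.alarmed:                # TP
        return ev.hrcost + EPS1 * ev.hdcost
    return 0.0                               # TN


def ccost_idsic(ev: Event) -> float:
    """ICCost(e): the fingerprint checker identifies SA traffic, so an SA
    test carries SDCost/SRCost instead of HDCost/HRCost."""
    if ev.kind == "sa":
        dcost, rcost = ev.hdcost * SD_RATIO, ev.hrcost * SR_RATIO
    else:
        dcost, rcost = ev.hdcost, ev.hrcost
    attack = ev.kind in ("hacker", "sa")
    if attack and not ev.alarmed:            # FNIC
        return dcost
    if not attack and ev.alarmed:            # FPIC (normal traffic carries no fingerprint)
        return rcost
    if attack and ev.alarmed:                # TPIC
        return rcost + EPS1 * dcost
    return 0.0                               # TNIC = 0


def cumulative_cost(events, ccost: Callable[[Event], float]) -> float:
    """CumulativeCost(E) = sum over e of CCost(e) + OpCost(e)."""
    return sum(ccost(ev) + OPCOST for ev in events)


# Constructed event stream: one event per outcome, plus an SA test that is
# caught and one that is missed.
EVENTS = [
    Event("normal", False, 0.0, 0.0),      # TN
    Event("normal", True, 0.0, 20.0),      # FP: response spent on benign traffic
    Event("hacker", True, 100.0, 20.0),    # TP
    Event("hacker", False, 100.0, 20.0),   # FN
    Event("sa", True, 100.0, 20.0),        # SA test detected
    Event("sa", False, 100.0, 20.0),       # SA test missed
]


def compare(events=EVENTS) -> dict:
    """Per-event CCost vs ICCost and the two cumulative costs."""
    rows = [(ev.kind, ev.alarmed, ccost_tids(ev), ccost_idsic(ev)) for ev in events]
    return {
        "rows": rows,
        "tids": cumulative_cost(events, ccost_tids),
        "idsic": cumulative_cost(events, ccost_idsic),
    }


if __name__ == "__main__":
    result = compare()
    for kind, alarmed, c, ic in result["rows"]:
        print(f"{kind:7s} alarmed={alarmed!s:5s} CCost={c:6.1f} ICCost={ic:6.1f}")
    print("CumulativeCost TIDS :", result["tids"])
    print("CumulativeCost IDSIC:", result["idsic"])
```

On this stream the two models agree on every normal and hacker event and differ only on the two SA events, which is exactly where the slides place the saving: ICCost(e) ≤ CCost(e) for every event, with the gap coming from SDCost and SRCost replacing HDCost and HRCost once the SA is identified. Drop the SA events and the cumulative costs are identical, which is the sense in which a TIDS is only suboptimal when the SA role exists.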
30 4. Implementation issues of IDSIC
- How to generate the fingerprint
- Where and how to put the fingerprint in the packets
- Where to put the fingerprint checker component in IDSIC
31 How to generate the fingerprint
- packet messages (m)
  - information such as the IP addresses, the sequence number, the packet timestamp, and so on
- Three approaches to generate the needed fingerprint
  - HMAC (Hash-based Message Authentication Code)
  - HMAC using a secret value
  - signature
32 HMAC
33 HMAC using secret value
34 signature
- uses a Public Key Infrastructure (PKI)
- the SAs sign the packet messages with their private keys and the DSIC uses the SAs' public keys to check the signatures
- Whichever approach is used, it must satisfy the minimal resource requirement.
35 Where to put the fingerprint in the packets
- We suggest using the IP identification field in the IP header to store the fingerprint
- This field is currently used to tell apart IP fragments that belong to different packets
- less than 0.25% of all Internet traffic consists of fragments
- Savage et al. use this field in their IP marking technique (for IP traceback)
36 IP Header
37 How to put the fingerprint in the packets
- The IP identification field holds only 16 bits, so a hacker's probability of forging the fingerprint of a single packet is 2^-16
- We can set a threshold k (require k packets with valid fingerprints) to reduce the hacker's forging probability to (2^-16)^k = 2^-16k
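The HMAC fingerprint of slides 31 to 34 and the 16-bit IP identification field with threshold k of slide 37, put together as a working adder/checker pair. This is an added example, not code from the IDSIC paper; the choices in it are assumptions: HMAC-SHA256 truncated to 16 bits, a packet message m made of source IP, destination IP, TCP sequence number and a coarse time window both sides derive (for example int(time.time()) // 60), a checker that labels a flow as an SA test only after k consecutive valid packets, and a replay cache so a captured SA packet cannot be resent to inherit the label. The shared key, addresses and time window are constructed for the demo.

```python
"""Fingerprint adder and checker for the 16-bit IP identification field.

Added example, not code from the IDSIC paper.  It implements the HMAC approach
from the slides with these assumptions (all mine): HMAC-SHA256 truncated to 16
bits; the packet message m = src IP || dst IP || TCP sequence number || a coarse
time window that both sides derive (e.g. int(time.time()) // 60); the checker
labels a flow as an SA test only after k consecutive packets validate, and it
rejects replays of an already-accepted (flow, seq, window).
"""
import hashlib
import hmac
import ipaddress
import secrets
import struct
from collections import defaultdict
from dataclasses import dataclass

FP_BITS = 16                    # width of the IP identification field
FP_MASK = (1 << FP_BITS) - 1


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    seq: int        # TCP sequence number (32-bit)
    window: int     # coarse timestamp both sides can derive (assumption)
    ident: int      # IP identification field, which carries the fingerprint


def message(src: str, dst: str, seq: int, window: int) -> bytes:
    """m: packet fields the checker can recompute from the packet itself."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!IQ", seq & 0xFFFFFFFF, window))


def fingerprint(key: bytes, src: str, dst: str, seq: int, window: int) -> int:
    """Fingerprint adder: HMAC over m, truncated to the 16 bits the IP ID holds."""
    tag = hmac.new(key, message(src, dst, seq, window), hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "big") & FP_MASK


def add_fingerprint(key: bytes, src: str, dst: str, seq: int, window: int) -> Packet:
    """What the SA's fingerprint adder emits for one packet."""
    return Packet(src, dst, seq, window, fingerprint(key, src, dst, seq, window))


def forge_probability(k: int) -> float:
    """Chance that a hacker without the secret passes k packets in a row: (2^-16)^k."""
    return 2.0 ** (-FP_BITS * k)


class FingerprintChecker:
    """Fingerprint checker: one valid 16-bit tag is weak evidence (guessable
    with probability 2^-16), so a flow is labelled 'sa' only after k
    consecutive valid packets; any invalid or replayed packet resets the streak."""

    def __init__(self, key: bytes, k: int):
        self.key = key
        self.k = k
        self.streak = defaultdict(int)   # (src, dst) -> consecutive valid packets
        self.seen = set()                # accepted (src, dst, seq, window), to stop replay

    def accept(self, pkt: Packet) -> bool:
        expected = fingerprint(self.key, pkt.src, pkt.dst, pkt.seq, pkt.window)
        ok = hmac.compare_digest(expected.to_bytes(2, "big"),
                                 (pkt.ident & FP_MASK).to_bytes(2, "big"))
        replay_key = (pkt.src, pkt.dst, pkt.seq, pkt.window)
        if not ok or replay_key in self.seen:   # a replayed SA packet does not count
            return False
        self.seen.add(replay_key)
        return True

    def classify(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.dst)
        self.streak[flow] = self.streak[flow] + 1 if self.accept(pkt) else 0
        return "sa" if self.streak[flow] >= self.k else "hacker"


def demo(k: int = 3):
    """Constructed traffic: an SA flow carrying fingerprints and a hacker flow
    whose IP ID values are random (no secret)."""
    key = b"sa-shared-secret-demo-key"   # constructed; provisioned out of band in practice
    window = 27_000_000                  # constructed coarse time window
    checker = FingerprintChecker(key, k)
    sa_labels = [checker.classify(add_fingerprint(key, "10.0.0.5", "10.0.1.7", 1000 + i, window))
                 for i in range(k)]
    hacker_labels = [checker.classify(Packet("10.0.0.9", "10.0.1.7", 5000 + i, window,
                                             secrets.randbelow(1 << FP_BITS)))
                     for i in range(k)]
    return sa_labels, hacker_labels


if __name__ == "__main__":
    sa, hacker = demo()
    print("SA flow    :", sa)        # the k-th packet completes the streak
    print("hacker flow:", hacker)
    print("forge probability for k=3:", forge_probability(3))
```

Two points the slides leave implicit are made concrete here. First, the checker needs every input to m to be recomputable from the packet it sees, which is why the "timestamp" is a coarse shared window rather than the sender's clock; without the window (or the sequence number) a captured SA packet could be replayed at any later time and inherit the SA label, so the checker also remembers what it has accepted. Second, the threshold k is what turns a 16-bit tag into a usable identifier: a single guessed value passes with probability 2^-16, but k consecutive valid packets from one flow pass with probability 2^-16k, and the streak resets on the first failure.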
38 Where to put the fingerprint checker in IDSIC
- two choices to deploy the fingerprint checker component
  - Before: Collection -> Fingerprint checker -> Detection -> Response
  - After: Collection -> Detection -> Fingerprint checker -> Response
39 Where to put the fingerprint checker in IDSIC (cont.)
- before the detection component
  - the fingerprint checker has to check every received packet
  - may spend a lot of time checking
  - the fingerprint checker may drop packets under a heavy packet load
40 Where to put the fingerprint checker in IDSIC (cont.)
- after the detection component
  - the IDSIC first determines whether an intrusion happens
  - the DSIC works like a DS and the fingerprint checker only has to check the suspected intrusion packets
  - if the SAs perform security tests often, the detection component may be kept busy dealing with the testing packets
41 Where to put the fingerprint checker in IDSIC (cont.)
- The best deployment depends on
  - the frequency of security tests (fst) (from SAs)
  - the frequency of attacks (fa) (from hackers)
  - the fingerprint checker's examination time (tfc)
  - the DSIC's processing time (tDSIC)
- For example, in the rehearsal situation fst is greater than fa, so it is better to deploy the fingerprint checker before the detection component.
42 Conclusion
- We propose a new model, IDSIC, based on the auditing point of view, and propose the new requirements of IDSIC.
- We show that the CumulativeCost of a TIDS does not reach the minimal cost when the SA role exists.