Improving Intrusion Detection System - PowerPoint PPT Presentation

Slides: 23
Provided by: AT174
Learn more at: http://www.cs.bsu.edu

Transcript and Presenter's Notes

1
Improving Intrusion Detection System
  • Taminee Shinasharkey
  • CS689
  • 11/2/00

2
Introduction
  • Intrusion is when a user takes an action that the
    user was not legally allowed to take.
  • An intrusion attempt (Anderson, 1980) is defined to
    be the potential possibility of an unauthorized
    attempt to:
  • - Access information,
  • - Manipulate information, or
  • - Render a system unreliable or unusable.

3
Introduction (cont)
  • Intruder detection involves determining that an
    intruder has tried to gain or has gained
    unauthorized access to the system.
  • Most intrusion detection systems attempt to
    detect a presumed intrusion and alert a system
    administrator. System administrators take action
    to prevent intrusion.
  • An audit record is a record of activities on a
    system that are logged to a file in sorted order.

4
  • (Figure) From Lincoln Laboratory, Massachusetts
    Institute of Technology

5
Intrusion Classification
  • The COAST group at Purdue University defined an
    intrusion as any set of actions that attempt to
    compromise the integrity, confidentiality or
    availability of a resource.
  • There are two techniques of intrusion detection:
  • - Anomaly Detection, based on observations of
    deviations from normal system usage patterns.
  • - Misuse Detection, based on known attacks on the
    weak points of a system.

6
Anomaly Detection
  • Tries to detect the complement of bad behavior.
  • The system builds a verified profile of normal
    activity for a system and flags all states that
    deviate from the verified profile.
  • Must be able to distinguish between anomalous and
    normal behavior.

7
Anomaly Detection
  • A block diagram of a typical anomaly detection
    system

8
Misuse Detection
  • Tries to recognize known bad behavior.
  • The system detects attacks by matching a pattern
    or signature, so that variations of the same
    attack can be detected.
  • Concerned with catching intruders who attempt to
    break into a system by exploiting some known
    vulnerability.

9
Misuse Detection
  • A block diagram of a typical misuse detection
    system
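The two techniques from slides 6 to 9 side by side, as an added example that is not part of the presentation: a profile-based anomaly detector that learns each user's normal commands and hours from a training window and flags any deviation, and a signature-based misuse detector that matches known bad behaviour. The audit records, user names and the command matched by the signature are constructed for the example; the signature targets the clandestine-intruder case the slides describe, where audit control is switched off.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


# Constructed audit records (hypothetical, not from the presentation):
# who ran what, and at which hour of the day the record was logged.
@dataclass(frozen=True)
class AuditRecord:
    user: str
    command: str
    hour: int


# Training window: activity assumed to be normal for each user.
NORMAL_ACTIVITY = [
    AuditRecord("alice", "ls", 9),
    AuditRecord("alice", "vi report.txt", 10),
    AuditRecord("alice", "make", 11),
    AuditRecord("alice", "ls", 14),
    AuditRecord("bob", "ls", 9),
    AuditRecord("bob", "psql accounts", 10),
    AuditRecord("bob", "psql accounts", 15),
]

# New audit records to evaluate against the profile and the signatures.
NEW_RECORDS = [
    AuditRecord("alice", "ls", 10),            # matches alice's profile
    AuditRecord("alice", "ls", 3),             # unusual hour for alice
    AuditRecord("bob", "auditctl -e 0", 10),   # never seen, and a known-bad pattern
    AuditRecord("carol", "ls", 9),             # no profile for this user at all
]


def build_profile(records):
    """Anomaly detection, step 1: learn each user's normal commands and hours."""
    profile = defaultdict(lambda: {"commands": Counter(), "hours": set()})
    for r in records:
        profile[r.user]["commands"][r.command] += 1
        profile[r.user]["hours"].add(r.hour)
    return dict(profile)


def anomaly_alerts(profile, records):
    """Anomaly detection, step 2: flag every record that deviates from the profile.

    Returns (record, reason) pairs; records that fit the profile produce nothing.
    """
    alerts = []
    for r in records:
        p = profile.get(r.user)
        if p is None:
            alerts.append((r, "no profile for user"))
        elif r.command not in p["commands"]:
            alerts.append((r, "command never seen for this user"))
        elif r.hour not in p["hours"]:
            alerts.append((r, "activity outside usual hours"))
    return alerts


# Misuse detection: signatures describing known bad behaviour. The pattern
# covers the clandestine-intruder case from the slides (audit control turned
# off); the exact command string it matches is a constructed example.
SIGNATURES = {
    "audit-control-disabled": re.compile(r"^auditctl\s+-e\s+0\b"),
}


def misuse_alerts(records, signatures=SIGNATURES):
    """Return (record, signature name) for every record matching a signature."""
    return [(r, name)
            for r in records
            for name, pat in signatures.items()
            if pat.search(r.command)]


if __name__ == "__main__":
    prof = build_profile(NORMAL_ACTIVITY)
    for rec, why in anomaly_alerts(prof, NEW_RECORDS):
        print(f"ANOMALY  {rec.user:6} {rec.command!r:18} hour={rec.hour:2}  {why}")
    for rec, sig in misuse_alerts(NEW_RECORDS):
        print(f"MISUSE   {rec.user:6} {rec.command!r:18} hour={rec.hour:2}  {sig}")
```

Running it shows the trade-off the slides allude to: the anomaly detector raises three alerts, one of which (alice working at 3 a.m.) may well be legitimate, while the signature fires only on the single event it was written for and would miss any variant of that command it does not match. In practice the profile is refreshed over time, which is the "changing system behavior" quality in the literature review.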

10
Intruder Classification
  • Intruders are classified into two groups.
  • External intruders, who are unauthorized users
    of the systems they attack.
  • Internal intruders, who have some authority:
  • - Masqueraders: external intruders who have
    succeeded in gaining access to the system
    (e.g. a credit card defrauder).
  • - Legitimate intruders: users who have access to
    sensitive data, but misuse this access.
  • - Clandestine intruders: users who have the power
    to control the system and can turn off audit
    control for themselves.

11
Problem Description
  • An Application Intrusion Detection System will
    be concerned with anomaly detection more than
    misuse detection. Since OS Intrusion Detection
    and Application Intrusion Detection define many
    relations on the same basic observation entity,
    there should be some correlation between events
    at the operating system and application levels.
    Is it possible to have these two systems
    cooperate in order to improve the effectiveness
    of the Intrusion Detection System?

12
Research Objectives
  • The goal of this research is to try to improve
    the effectiveness of Intruder Detection and to
    see how the OS Intrusion Detection System might
    cooperate with the Application Intrusion
    Detection System to achieve this goal.

13
OS Intrusion Detection System
The differences between an OS and an Application IDS
  • Detects external intruders
  • Organized so that the process, the user that
    started the process, or whoever the process was
    executed for, is associated with each event.
  • Lower resolution
  • Views the file as a container whose contents
    cannot be deciphered except for changes in size.
  • Can only define a relation on a file as a whole,
    such as whether or not it was changed in the last
    period of time.

14
Application Intrusion Detection System
  • Only detects internal intruders, after they have
    either penetrated the operating system to get
    access to the application, or been given some
    legitimate access to the application.
  • May not be set up to perform mapping between the
    event and the event-causing entity.
  • Higher resolution
  • Can define a relation on the different records or
    fields of the file.

15
Similarities
  • Both attempt to detect intrusion by evaluating
    relations to differentiate between anomalous and
    normal behavior.
  • The database files are the same size.
  • Both could build event records containing listings
    of all events and the associated event-causing
    entities of the application, using whatever form
    of identification is available.
  • Structure.
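The cooperation that slides 11, 13, 14 and 15 argue for, as an added example that is not part of the presentation. The OS-level audit trail knows which user and process touched a file but sees the file only as a container that changed size; the application-level trail sees which record and field changed but may have no mapping to the entity that caused it. Joining the two on file path and a short time window gives each application event the user and process it lacked. All event records, paths, user names and the five-second window are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


# OS-level audit record (constructed): the OS IDS sees who did it and that the
# container changed, but not what changed inside the file.
@dataclass(frozen=True)
class OsEvent:
    ts: int          # seconds since epoch (constructed clock)
    uid: str
    pid: int
    path: str
    size_delta: int  # the only content-level signal the OS IDS has


# Application-level audit record (constructed): the application IDS sees the
# record and field that changed, but carries no user or process identity.
@dataclass(frozen=True)
class AppEvent:
    ts: int
    path: str        # the database file the application wrote
    record_id: str
    field: str
    old: str
    new: str


OS_EVENTS = [
    OsEvent(1000, "alice", 4101, "/var/db/accounts.db", 0),
    OsEvent(1300, "bob",   4250, "/var/db/accounts.db", 64),
    OsEvent(1310, "svc",   4260, "/var/log/app.log", 128),
]

APP_EVENTS = [
    AppEvent(1001, "/var/db/accounts.db", "acct-17", "balance", "100", "120"),
    AppEvent(1302, "/var/db/accounts.db", "acct-17", "limit", "500", "50000"),
    AppEvent(1500, "/var/db/accounts.db", "acct-42", "owner", "x", "y"),
]


def correlate(app_events, os_events, window=5):
    """Attribute each application event to the most recent OS event that
    touched the same file within `window` seconds before it.

    Returns (app_event, os_event_or_None) pairs. None means the application
    saw a change that no monitored OS-level write explains.
    """
    result = []
    for a in app_events:
        candidates = [o for o in os_events
                      if o.path == a.path and 0 <= a.ts - o.ts <= window]
        best: Optional[OsEvent] = max(candidates, key=lambda o: o.ts) if candidates else None
        result.append((a, best))
    return result


def sensitive_field_alerts(correlated, sensitive_fields=("limit", "owner")):
    """Application-level rule (higher resolution) enriched with OS-level
    identity (who, which process). Returns (record_id, field, attribution)."""
    out = []
    for a, o in correlated:
        if a.field in sensitive_fields:
            who = f"{o.uid} (pid {o.pid})" if o else "UNATTRIBUTED"
            out.append((a.record_id, a.field, who))
    return out


if __name__ == "__main__":
    for a, o in correlate(APP_EVENTS, OS_EVENTS):
        who = f"{o.uid}/pid {o.pid}" if o else "no OS event in window"
        print(f"{a.ts}: {a.record_id}.{a.field} {a.old!r} -> {a.new!r}   by {who}")
    for rec, field, who in sensitive_field_alerts(correlate(APP_EVENTS, OS_EVENTS)):
        print(f"ALERT sensitive field {field} on {rec} changed by {who}")
```

Neither trail alone produces the second alert in a useful form: the OS IDS would report only that bob's process grew accounts.db by 64 bytes, and the application IDS only that a credit limit jumped from 500 to 50000 with no actor. The third pair is the other failure mode worth keeping: an application-level change with no OS-level write in the window points at an unmonitored write path or clock skew between the two trails, so leaving it unattributed rather than dropping it is the safer design.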

16
Literature review
  • The COAST laboratory at Purdue University
    characterized a good Intrusion Detection System
    as having the following qualities:
  • Run continually
  • - The system must be reliable enough to allow it
    to run in the background of the system being
    observed.
  • Fault tolerant
  • - The system must survive a system crash without
    having its knowledge base rebuilt at restart.
  • Resist subversion
  • - The system can monitor itself to ensure that it
    has not been subverted.

17
Literature Review (cont)
  • Minimal overhead
  • - A system that slows a computer to a crawl will
    not be used.
  • Observe deviations (from normal behavior)
  • Easily tailored
  • - Every system has a different usage pattern, and
    the defense mechanism should be easily adapted to
    those patterns.
  • Changing system behavior
  • - The system profile will change over time, and the
    Intrusion Detection System must be able to adapt.
  • Difficult to fool

18
Literature Review (cont)
  • The Information Systems Technology Group of MIT
    Lincoln Laboratory, under Defense Advanced
    Research Projects Agency (DARPA) Information
    Technology Office and Air Force Research
    Laboratory (AFRL/SNHS) sponsorship, has collected
    data on and evaluated computer network intrusion
    detection systems in 1998 and 1999.

19
Benefits of this Research
  • We will learn how well an Application Intrusion
    Detection System can cooperate with an OS
    Intrusion Detection System, and how much this
    improves the ability of Intrusion Detection
    Systems to defend against intruders.

20
Research Design
  • Case study of Application Intrusion Detection
    System
  • Study the differences and cooperation between the
    Application Intrusion Detection System and the OS
    Intrusion Detection System
  • Research the possibility of the two systems
    working cooperatively.

21
Conclusion
  • The Application Intrusion Detection System can
    be more effective in detecting intruders than the
    OS Intrusion Detection System because Application
    Intrusion Detection operates with a higher
    resolution. Since the Application Intrusion
    Detection System depends on OS Intrusion
    Detection System and only OS Intrusion Detection
    System can detect the external intruders, we need
    both an OS Intrusion Detection System and an
    Application Intrusion Detection System to
    cooperate for increased potential in detecting
    intruders.

22
Thank you.