Intrusion Detection Approaches and Techniques - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Intrusion Detection Approaches and Techniques
  • Meikang Qiu
  • Chang-en Yang
  • Dept. of Computer Science
  • University of Texas at Dallas

2
Introduction
  • Intrusion Detection
    • Intrusion: illegal action, unauthorized access
    • Intruder: external or internal
    • Detection: prevent intrusion

3
Anti-intrusion techniques
4
Types of Intrusion Detection
  • Two major detection approaches
    • Anomaly Detection
      • define correct static behavior
      • define acceptable dynamic behavior
      • detect wrongful changes
    • Misuse Detection (or Signature Detection)
      • known intrusion patterns
      • monitor for previously defined intrusion patterns

5
Anomaly Detection
  • Two types
    • Static anomaly detector
      • system code
      • constant data
    • Dynamic anomaly detector
      • sequence of events
      • audit records

6
Static anomaly detection
  • Techniques
    • Compare
      • the archived state representation
      • the computed current state
    • String match
      • checksums, meta-data
      • message-digest algorithms
      • hash functions
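The comparison the slide describes, as an added example (not code from the presentation): archive a state representation of a file tree as sizes plus SHA-256 digests, recompute it later, and report wrongful changes. The directory layout and file contents are constructed for the demo; the "login" file is replaced by content of the same length so that only the digest, not the size, reveals the change.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Archived state representation: {relative path: (size, sha256)} per regular file."""
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            state[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def compare(archived: dict, current: dict) -> dict:
    """String-match the archived state against the computed current state."""
    modified = sorted(p for p in archived if p in current and archived[p] != current[p])
    added = sorted(set(current) - set(archived))
    removed = sorted(set(archived) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Build a constructed tree, archive it, alter it, and diff the two states."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
        archived = snapshot(root)

        # Simulated changes (constructed): a binary replaced by same-sized
        # content, a file added, a file removed.
        (root / "bin" / "login").write_bytes(b"replaced login binary\n")
        (root / "bin" / "extra").write_bytes(b"new file\n")
        (root / "etc" / "passwd").unlink()
        return compare(archived, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The archived table is only as trustworthy as its storage: if the baseline sits on the monitored host with the same permissions as the files it describes, an intruder who alters system code can update the baseline too, so in practice it is kept offline or signed.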

7
Dynamic anomaly detection
  • A base profile: acceptable behavior
    - log-in time, log-in location, and favorite editor
    - length of interactive session
    - representative sequences of actions
  • Difficulties
    - feature selection
    - statistical way
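A base profile built the statistical way, as an added example (not code from the presentation): log-in hour and session length are summarised as mean and standard deviation, log-in location as the set of places seen, and a new session is flagged on any feature that deviates by more than a z-score threshold. The session history is constructed for one hypothetical user.

```python
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    login_hour: int     # hour of day, 0-23
    location: str       # terminal or source host the log-in came from
    length_min: float   # length of the interactive session in minutes


# Constructed history: office-hours log-ins from two lab workstations, ~2 h sessions.
HISTORY = [
    Session(9, "lab-ws01", 110), Session(10, "lab-ws01", 125),
    Session(9, "lab-ws02", 95), Session(11, "lab-ws01", 140),
    Session(10, "lab-ws01", 120), Session(9, "lab-ws02", 105),
    Session(10, "lab-ws01", 130), Session(11, "lab-ws02", 115),
]


def build_profile(history):
    """Base profile: numeric features as mean/sd, categorical feature as a set."""
    hours = [s.login_hour for s in history]
    lengths = [s.length_min for s in history]
    return {
        "hour_mean": statistics.mean(hours), "hour_sd": statistics.pstdev(hours),
        "len_mean": statistics.mean(lengths), "len_sd": statistics.pstdev(lengths),
        "locations": {s.location for s in history},
    }


def zscore(x, mean, sd):
    """Distance from the mean in standard deviations; a constant feature tolerates no change."""
    if sd > 0:
        return abs(x - mean) / sd
    return 0.0 if x == mean else float("inf")


def score(profile, s: Session, threshold=3.0):
    """Return the list of features on which the session deviates from the profile."""
    reasons = []
    if zscore(s.login_hour, profile["hour_mean"], profile["hour_sd"]) > threshold:
        reasons.append("login_hour")
    if zscore(s.length_min, profile["len_mean"], profile["len_sd"]) > threshold:
        reasons.append("session_length")
    if s.location not in profile["locations"]:
        reasons.append("location")
    return reasons


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    print(score(profile, Session(10, "lab-ws01", 120)))   # normal session
    print(score(profile, Session(3, "remote-gw", 420)))   # deviates on every feature
```

Both difficulties named on the slide show up even in this toy: hour of day is circular (23:00 and 01:00 are close, but the z-score treats them as far apart), and a profile learned from eight sessions has so little spread that ordinary variation, such as a single late-evening log-in, is flagged; that is the "unusual does not mean illegal" problem rather than an intrusion.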

8
Misuse Detection
  • Techniques
    • aware of all the known vulnerabilities
    • intrusion scenarios
    • First generation: rule-based
    • Second generation: state-based

9
Rule-Based Systems
  • Techniques
    • intrusion scenarios expressed as a set of rules
    • knowledge base
      - fact base
      - rule base
    • rule-fact binding
      - a rule "fires"
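Fact base, rule base and rule-fact binding in a minimal forward-chaining engine, as an added example (not code from the presentation). Facts are audit records of the form (seq, event, user, source); a rule binds to facts already in the base and fires when it derives a fact that is not yet there, and the engine loops until no rule can fire. The audit records and the two rules are constructed for the demo.

```python
from collections import Counter

# Constructed audit records (the fact base). Derived facts use seq=None.
FACTS = [
    (1, "login_failed", "alice", "10.0.0.7"),
    (2, "login_failed", "alice", "10.0.0.7"),
    (3, "login_failed", "alice", "10.0.0.7"),
    (4, "login_ok",     "alice", "10.0.0.7"),
    (5, "login_failed", "bob",   "10.0.0.9"),
    (6, "login_ok",     "bob",   "10.0.0.9"),
]


def has_fact(facts, event, user, source):
    """True if some fact in the base matches (event, user, source), any seq."""
    return any(f[1:] == (event, user, source) for f in facts)


def rule_repeated_failures(facts, threshold=3):
    """Binds to every (user, source) with >= threshold failed log-ins."""
    counts = Counter((u, s) for _, e, u, s in facts if e == "login_failed")
    return {(None, "repeated_failures", u, s)
            for (u, s), n in counts.items() if n >= threshold}


def rule_failures_then_success(facts):
    """Binds a repeated_failures fact to a successful log-in from the same source."""
    return {(None, "alert", u, s)
            for _, e, u, s in facts
            if e == "repeated_failures" and has_fact(facts, "login_ok", u, s)}


RULES = [rule_repeated_failures, rule_failures_then_success]


def run_engine(facts, rules):
    """Fire rules until no rule adds a new fact; return the final base and firing order."""
    fact_base = set(facts)
    fired = []
    changed = True
    while changed:
        changed = False
        for rule in rules:
            new_facts = rule(fact_base) - fact_base
            if new_facts:          # the rule bound to facts and derived something new
                fired.append(rule.__name__)
                fact_base |= new_facts
                changed = True
    return fact_base, fired


def alerts(facts=FACTS, rules=RULES):
    """(user, source) pairs for which the scenario completed."""
    fact_base, _ = run_engine(facts, rules)
    return sorted((u, s) for _, e, u, s in fact_base if e == "alert")


if __name__ == "__main__":
    base, fired = run_engine(FACTS, RULES)
    print(fired)       # which rules fired, in order
    print(alerts())    # alice's source completes the scenario; bob's does not
```

Note that the rules here bind on counts and co-occurrence only; nothing says the successful log-in came after the failures. Ordering is exactly what the state-based representation on the next slide adds.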

10
State-based Systems
  • intrusion scenarios
    • transitions between states
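An intrusion scenario written as states and transitions, as an added example (not code from the presentation). Each state names the one event type that advances it, and a separate instance of the scenario is tracked per account so that events about different accounts never mix; the scenario only completes when the events arrive in the prescribed order. The scenario itself (an account is created, added to an administrative group, and then used to log in) and the event records are constructed for the demo.

```python
# Scenario as a transition table: state -> (event type that advances it, next state).
SCENARIO = {
    "start":      ("account_created",      "created"),
    "created":    ("added_to_admin_group", "privileged"),
    "privileged": ("login_ok",             "alert"),
}

# Constructed event stream, interleaving three accounts.
EVENTS = [
    {"seq": 1, "type": "account_created",      "account": "svc-backup"},
    {"seq": 2, "type": "login_ok",             "account": "carol"},
    {"seq": 3, "type": "account_created",      "account": "dave"},
    {"seq": 4, "type": "added_to_admin_group", "account": "svc-backup"},
    {"seq": 5, "type": "login_ok",             "account": "dave"},
    {"seq": 6, "type": "login_ok",             "account": "svc-backup"},
]


def run_scenario(events, scenario=SCENARIO):
    """Advance one scenario instance per account; return completed alerts and final states."""
    states = {}    # account -> current state (absent means "start")
    alerts = []
    for ev in events:
        acct = ev["account"]
        state = states.get(acct, "start")
        expected, next_state = scenario[state]
        if ev["type"] != expected:
            continue   # not the transition this state is waiting for; state unchanged
        if next_state == "alert":
            alerts.append((ev["seq"], acct))
            states[acct] = "start"   # scenario completed; instance resets
        else:
            states[acct] = next_state
    return alerts, states


if __name__ == "__main__":
    completed, final_states = run_scenario(EVENTS)
    print(completed)       # svc-backup completes at seq 6
    print(final_states)    # dave is stuck in "created": no group change, so no alert
```

"carol" never starts an instance because a log-in is not the event the start state waits for, and "dave" stalls after creation, so the same log-in event that completes the scenario for "svc-backup" is ignored for the others. A production matcher would also age out instances that stay in an intermediate state too long.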

11
Comparison of the two approaches
  • Anomaly detection
    • Advantages
      - automatically learns, runs unattended
      - possible to catch novel intrusions
    • Disadvantages
      - unusual does not mean illegal
  • Misuse Detection
    • Advantages
      - knows correct behavior
    • Disadvantages
      - cannot detect novel intrusions
      - difficult to define correct behavior

12
Network Intrusion Detection
  • Cooperative intrusion
  • Network-user Identification (NID) problem
  • Clock synchronization
  • Two types
    • Centralized analysis
    • Hierarchical analysis

13
Centralized analysis
  • distributed, heterogeneous audit collection
  • centralized analysis
  • works well for smaller networks
  • inadequate for larger networks
  • e.g. setuid shell intrusion in SunOS

14
Decentralized (hierarchical) analysis
  • distributed audit data collection
  • distributed analysis
  • modeled as hierarchies
  • partition into domains

15
Conclusions
  • First generation: single operating systems
  • Second generation: distributed systems
  • Third generation: heterogeneous networks

16
Future Trends
  • Fourth generation
    - hybrid between anomaly and misuse detection
    - real-time detection
    - consider consumption of resources