Intrusion Detection Systems: A Survey and Taxonomy - PowerPoint PPT Presentation

1
Intrusion Detection Systems: A Survey and Taxonomy
  • A presentation by Emily Fetchko

2
About the paper
  • By Stefan Axelson of Chalmers University of
    Technology, Sweden
  • From 2000
  • Cited by 92 (Google Scholar)
  • Featured on InfoSysSec
  • Used in Network Security (691N)
  • Follow-up to the 1999 IBM paper Towards a Taxonomy of
    Intrusion Detection Systems

3
Outline
  • New and Significant
  • What is a taxonomy?
  • Introduction to IDS
  • Introduction to classification
  • Taxonomy by Intrusion Detection Principle
  • Example systems
  • Taxonomy by System Characteristics
  • Trends in Research and Conclusion

4
New and Significant
  • First taxonomy paper
  • Predicts research areas for Intrusion Detection
  • Follow-up to a 93-page survey report of research and
    to the IBM paper

5
What is a taxonomy?
  • Either a hierarchical classification of things,
    or the principles underlying the classification
    (Wikipedia)
  • Serves three purposes
      • Description
      • Prediction
      • Explanation

6
Intrusion Detection Systems
  • Compare them to burglar alarms
      • Alarm/siren component
          • Something that alerts
      • Security officer/response team component
          • Something to respond/correct
  • Different from perimeter defense systems (such as
    a firewall)

7
Types of intrusions
  • Masquerader
      • Steals the identity of a user
  • Legitimate users who abuse the system
  • Exploits
      • Trojan horse, backdoor, etc.
  • And more

8
Two major types of detection
  • Anomaly detection
      • Detects abnormal behavior
      • Abnormal may not actually be undesirable behavior
      • High false positive rate
  • Signature detection
      • Detects behavior close to previously-defined bad behavior
      • Signatures have to be constantly updated
      • Slow to catch new malicious behavior

9
Approaches to classification
  • Type of intrusion detected
  • Type of data gathered
  • Rules to detect intrusion

10
Taxonomy by Intrusion Detection Principles
  • Self-learning
      • Trains on normal behavior
  • Programmed
      • User must know the difference between normal
        and abnormal
  • Signature inspired
      • Combination of anomaly and signature methods

11
Anomaly detection
  • Time series vs. non-time series
  • Rule modeling
      • Create rules describing normal behavior
      • Raise an alarm if activity does not match the rules
  • Descriptive statistics
      • Compute a distance vector between current system
        statistics and normal statistics
  • ANN (Artificial Neural Network)
      • Black-box modeling approach

12
Anomaly detection, continued
  • Descriptive statistics
      • Collect statistics about parameters such as
        logins, connections, etc.
      • Simple statistics (abstract)
      • Rule-based
      • Threshold
  • Default deny
      • Define safe states
      • All other states are deny states
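The descriptive-statistics approach from the two anomaly-detection slides, as an added example that is not from the paper or the presentation: a profile of normal behavior is learned from audit statistics, each new observation is turned into a distance vector (standard deviations from the norm), and a programmed threshold decides when to alarm. The feature names, the ten days of "normal" data and the threshold are constructed assumptions.

```python
import math
from statistics import mean, pstdev

# Hypothetical per-user audit features; names and data are constructed.
FEATURES = ("logins", "connections", "failed_logins")

# Ten days of "normal" activity used to train the profile (one tuple per day).
NORMAL_DAYS = [
    (3, 40, 0), (4, 45, 1), (2, 38, 0), (3, 50, 1), (5, 42, 0),
    (3, 47, 0), (4, 44, 1), (2, 41, 0), (3, 46, 1), (4, 39, 0),
]


def build_profile(days):
    """Self-learning step: per-feature mean and std dev of normal behaviour."""
    profile = {}
    for i, name in enumerate(FEATURES):
        column = [d[i] for d in days]
        profile[name] = (mean(column), pstdev(column) or 1.0)  # guard std=0
    return profile


def distance_vector(profile, observation):
    """Each feature's distance from its norm, in standard deviations."""
    return {name: (observation[i] - profile[name][0]) / profile[name][1]
            for i, name in enumerate(FEATURES)}


def anomaly_score(profile, observation):
    """Collapse the distance vector to one number (its Euclidean length)."""
    dv = distance_vector(profile, observation)
    return math.sqrt(sum(z * z for z in dv.values()))


def is_anomalous(profile, observation, threshold=4.0):
    """Programmed threshold: raise an alarm when the score exceeds it."""
    return anomaly_score(profile, observation) > threshold


if __name__ == "__main__":
    p = build_profile(NORMAL_DAYS)
    for day in [(3, 44, 0), (40, 300, 25), (8, 60, 3)]:
        print(day, round(anomaly_score(p, day), 2), is_anomalous(p, day))
```

The third sample day (8 logins, 60 connections, 3 failures) is plausibly a legitimate busy day yet still alarms, which is the false-positive problem the slides attribute to anomaly detectors.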

13
Signature Detection
  • State-modeling
      • If the system is in this state (or followed a
        series of states) then an intrusion has occurred
      • Petri-net: states form a Petri net, a type of
        directed bipartite graph (place vs. transition
        nodes)

14
Signature Detection, continued
  • Expert system
      • Reasoning based on rules
      • Forward-chaining is the most popular
  • String-matching
      • Look for text transmitted
  • Simple rule-based
      • Less advanced but faster than an expert system
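The two signature-detection slides above, as an added example that is not from the paper or the presentation: a state-modeling detector walks an audit stream through a series of states and fires only when the last state is reached, and a string-matching detector looks for known text in transmitted data. The event format, the signature (three failed logins followed by a success from one source) and the sample events and payloads are constructed assumptions.

```python
import re

# State-modeling signature: a series of states an audit stream must pass
# through.  Each state is a predicate on one event; constructed for this
# example and not taken from any real rule set.
FAILS_THEN_SUCCESS = [
    lambda e: e["type"] == "login" and not e["ok"],
    lambda e: e["type"] == "login" and not e["ok"],
    lambda e: e["type"] == "login" and not e["ok"],
    lambda e: e["type"] == "login" and e["ok"],
]


def state_model_detect(signature, events):
    """Advance one state per matching event, per source; report sources
    whose event sequence reached the final state."""
    position, hits = {}, []
    for e in events:
        src = e["src"]
        i = position.get(src, 0)
        if signature[i](e):
            i += 1
        elif e["type"] == "login" and e["ok"]:
            i = 0  # a success that does not complete the pattern resets it
        if i == len(signature):
            hits.append(src)
            i = 0
        position[src] = i
    return hits


# String-matching signature: fast, but only catches text already known.
STRING_RULES = {"shell_in_request": re.compile(r"/bin/sh|cmd\.exe", re.I)}


def string_match_detect(payloads):
    """Return (rule name, payload) for every payload a rule matches."""
    return [(name, p) for p in payloads
            for name, rx in STRING_RULES.items() if rx.search(p)]


# Constructed audit events: three failures then a success from 10.0.0.5.
EVENTS = [
    {"src": "10.0.0.5", "type": "login", "ok": False},
    {"src": "10.0.0.5", "type": "login", "ok": False},
    {"src": "10.0.0.9", "type": "login", "ok": True},
    {"src": "10.0.0.5", "type": "login", "ok": False},
    {"src": "10.0.0.5", "type": "login", "ok": True},
]
PAYLOADS = ["GET /index.html", "GET /cgi-bin/x?cmd=/bin/sh"]
```

Neither detector reacts to a sequence or string it was not programmed with, which is the "slow to catch new malicious behavior" limitation of signature detection noted earlier in the deck.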

15
Signature Inspired Detection
  • Only one system in the taxonomy (Signature
    Inspired and Self Learning)
  • Automatic feature selection
      • Automatically determines which features are
        interesting
      • Isolates them and uses them to decide whether an
        intrusion occurred or not

16
Classification by Type of Intrusion
  • Well-known intrusions
      • Correspond to signature detection systems
  • Generalized intrusions
      • Like a well-known intrusion, but with some
        parameters left blank
      • Correspond to signature-inspired detectors
  • Unknown intrusions
      • Correspond to anomaly detectors

17
Effectiveness of Detection
  • Two categories marked as least effective
      • Anomaly / Self Learning / Non-time series
          • Weak in collecting statistics on normal behavior
          • Will create many false positives
      • Anomaly / Programmed / Descriptive Statistics
          • If the attacker knows the statistics used, they can
            avoid them
          • Leads to false negatives

18
Taxonomy by System Characteristics
  • Define the system beyond the detection principle
  • Time of detection
      • Real time or non-real time
  • Granularity of data processing
      • Continuous or batch
  • Source of audit data
      • Network or host

19
System Characteristics, continued
  • Response to detected intrusions
      • Active or passive
      • Modify the attacked or the attacking system
  • Locus of data processing
      • Centralized or distributed
  • Locus of data collection
  • Security (ability to defend against direct
    attack)
  • Degree of interoperability
      • Work with other systems
      • Accept other forms of data

20
Example Systems
  • Haystack, 1988
      • Air Force
      • Anomaly detection based on per-user profile and
        user group profile
      • Signature-based detection
  • MIDAS, 1988
      • National Computer Security Centre and Computer
        Science Laboratory, SRI International
      • Heuristic intrusion detection
      • Expert system with two-tiered rule base

21
Example Systems, continued
  • IDES (Intrusion Detection Expert System),
    1988-1992
      • Multiple authors, long-term effort
      • Real-time expert system with statistics
      • Compares current profile with known profile
      • Distinction between on and off days
      • NIDES: next-generation IDES
  • NSM (Network Security Monitor)
      • Monitors broadcast traffic
      • Layered approach: connections built on lower layers
      • Profile by protocol (telnet, etc.)

22
Example Systems, continued
  • DIDS (Distributed IDS), 1992
      • Incorporates Haystack and NSM
      • Three components: host monitor, LAN monitor, DIDS
        director
      • DIDS director contains an expert system
  • Bro, 1998
      • Network-based (with traffic analysis)
      • Custom scripting language
      • Prewritten policy scripts
      • Signature matching
      • Action after detection
      • Snort compatibility

23
System Characteristics, continued

24
System Characteristics, continued

25
Trends in Research
  • Active response
      • Legal ramifications, however
  • Distributed detection
      • Corresponds with distributed computing in general
  • Increased security
  • Increased interoperability

26
Opportunities for Further Research
  • Taxonomies by other classifications
  • Signature self-learning detectors
  • Two tiered detectors
  • False positive rates for anomaly detectors
  • Active response detectors
  • Distributed detectors
  • High security detectors

27
Bibliography
  • Stefan Axelson. Intrusion Detection Systems: A
    Survey and Taxonomy. Chalmers University of
    Technology, Sweden, 2000.
  • Debar, Dacier and Wespi. Towards a taxonomy of
    intrusion-detection systems. Computer Networks,
    pp. 805-822, 1999.
  • Bro Intrusion Detection System, www.bro-ids.org
  • Google Scholar, http://scholar.google.com