Computer System Intrusion Detection: A Survey - PowerPoint PPT Presentation

1 / 32
About This Presentation
Title:

Computer System Intrusion Detection: A Survey

Description:

Computer System Intrusion Detection: A Survey Anita K. Jones & Robert S. Sielken Presented by Peixian Li (Rick) For CS551/651 Computer Security – PowerPoint PPT presentation

Number of Views:236
Avg rating:3.0/5.0
Slides: 33
Provided by: ITCL151
Category:

less

Transcript and Presenter's Notes

Title: Computer System Intrusion Detection: A Survey


1
Computer System Intrusion Detection A Survey
  • Anita K. Jones Robert S. Sielken
  • Presented by Peixian Li (Rick)
  • For CS551/651 Computer Security

2
Overview
  • Why IDS
  • IDS Overview
  • Anomaly Detection
  • UNM Pattern Matching
  • Misuse Detection
  • Extended to Networked Systems
  • Conclusion

3
Why IDS ?
  • In defending network resources, we have
  • Firewalls
  • Encryption technology
  • Authentication devices
  • Vulnerability checking tools
  • Others

4
Why IDS ? -2-
  • But computer system is still susceptible
  • Due to unknown system flaws
  • Due to known system flaws better stay than gone
    because of functionality or cost.
  • Due to social engineering tricks
  • A recent news
  • An 18 year old boy broke into a eCom web site
  • Thousands customer's credit info was stolen
  • Including Bill Gates

5
Why IDS ? -3-
  • Based on the fact that
  • Penetrations always exist
  • We need
  • A second line of defense
  • A mechanism to detect the penetrations and the
    attempting intrusions
  • Which is in the form of an Intrusion Detection
    System
  • Even attempts are guaranteed to fail
  • IDS can still help us to find out potential
    vulnerabilities

6
Approaches
  • Anomaly Detection
  • Defines and Characterizes correct static form and
    acceptable dynamic behavior
  • Detects anomalous changes or behaviors which may
    not be intrusions
  • Misuse Detection
  • Characterizes known ways to penetrate a system as
    patterns
  • Monitors for explicit patterns which are known to
    be intrusions

7
Anomaly vs. Misuse
  • Anomaly Detection
  • May have high rate of false alarms
  • Can detect novel attacks
  • Normal databases are relatively more stable
  • Misuse Detection
  • May miss novel attacks
  • Complexity grows as the number of well-known
    attacks grows
  • Difficult to keep them updated as the catalog of
    attacks grows

8
Three Generations
  • First Generation
  • The emphasis was on single computer systems
  • O/S audit records were post-processed
  • Second Generation
  • Extended and scaled to address distributed
    system.
  • More sophisticated
  • Primitive real-time alerts became possible

9
Three Generations -2-
  • The Third Generation
  • Further extended to address loosely coupled
    networks, such as LAN
  • Two Primary Challenges
  • Tracking users as they move through nodes
  • Managing the data as the size of the network
    scales up

10
What Makes A Good IDS ?
  • Manage the volume of data, communications, and
    processing in large scale networks
  • Increase coverage, i.e. miss ALAP
  • Decrease false alarms
  • Detect intrusion in progress
  • React in real-time

11
Basic Components
  • Focus
  • Which entitys self or which elements of the
    entity do we try to focus on
  • Definitions of events or behavior of interest
  • Representation
  • How to represent signatures effective and
    efficient

12
Basic Components -2-
  • Initial Database
  • Initial behavior profile or normal database
  • Which can characterize behavior of interest
  • Which can represent entity of interest
  • Detection Algorithm
  • Statistical processing techniques for divining
    the difference between normal and anomalous
    behavior (effective and efficient)

13
Anomaly Detection
  • Static
  • Assume that a portion of the system remain
    constant
  • System code and portion of system data
  • Represented as a binary bit string or a set of
    such string
  • A single bit change
  • Dynamic
  • Assume that systems behavior is stable
  • Include a definition behavior
  • Represented as a sequence of distinct events
  • Empirical threshold

14
Static Anomaly Detection
  • How does it work?
  • Defines the desired state of the system using
    static bit strings
  • Archives a representation of the state
  • Periodically compares the current state and the
    archived state
  • Any difference signals an error

15
Signature
  • Storing and comparing actual bit strings
    representation is quite costly
  • Compressed representation is called signature
  • Signatures include checksums, message-digest
    algorithms and hash functions
  • Meta-data knowledge about the structure

16
Some Actual Systems
  • Tripwire
  • A file integrity checker
  • Uses signatures as well as Unix file meta-data
  • Virus Checkers
  • Uses actual bit string inserted by the virus
  • Strings are short, thus uncompressed
  • Self-Noself
  • Unlike Tripwire, the Self-Nonself signatures are
    for unwanted string values

17
Dynamic Anomaly Detection
  • Before Running
  • For each individual entity, IDS creates a base
    profile to characterize normal, acceptable
    behavior
  • Entities can be users, workstations, remote
    hosts, or applications
  • Behaviors can be preferred choices, resources
    consumed, representative sequences of actions

18
Dynamic Anomaly Detection -2-
  • Two ways to build up base profiles
  • By synthetically running the system
  • Can it represents the real system?
  • By observing normal user behavior over a
    sufficiently long time
  • Can we be sure that no intrusion undertaking
    during the period of time?

19
Dynamic Anomaly Detection -3-
  • When Running
  • Observes events related or attributed to the
    entity
  • Incrementally builds a current profile
  • Some operate in real-time, or near real-time, or
    directly observe the events during occurrence

20
Dynamic Anomaly Detection -4-
  • Static detections do not care the degree of the
    difference
  • Dynamic detections do care
  • Comparison is based on empirically determined
    thresholds
  • Only those mismatch over the thresholds will
    result in alert

21
UNM Pattern Matching
  • Focus
  • Individual application and its behavior
  • E.g. Sendmail
  • Representation
  • Uses privileged system call sequences to
    represent an applications behavior
  • E.g. (open, read, mmap), (read, mmap, mmap)
  • Sequence length usually between 3 to 6

22
UNM Pattern Matching -2-
  • Initial Database
  • Built either by synthetically running the
    application or by observing its real running
  • Normal sequences are stored as forest in normal
    database to save space
  • Detection Algorithm
  • Largest Minimum Hamming Distance
  • Normalized LMHD
  • Local Frame Count

23
UNM Pattern Matching -3-
24
UNM Pattern Matching -4-
  • 1.sendmai
  • 2.ftpd
  • 3.lpr
  • 4.ps

25
UNM Pattern Matching -5-
26
Misuse Detection
  • Remember known technique
  • Monitor the system if any of those known
    technique presents
  • Intrusion scenario A description of a fairly
    precisely know kind of intrusion which usually a
    sequence of actions

27
Rule-Based vs. State-Based
  • Rule-Based
  • Encode scenarios as a set of rules, where rules
    reflect the sequence of actions
  • Fact base is a collection of assertions based on
    accumulated data
  • Rule base contains the rules that describe known
    intrusion scenarios
  • Rule-face binding
  • Rule firs
  • State-Based
  • Attribute-value pairs characterize systems states
    of interest
  • Actions are defined as transitions between states
  • Monitor the actions and then change the state
  • If compromised state reached, the intrusion
    happens

28
Extended to Networked Systems
  • New situations
  • Cooperative intrusions are more frequent
  • Intruder(s) use multiple nodes in an attempt to
  • Parallel actions to make intrusion faster
  • Distribute actions to disguise their activities
  • New elements in Network IDS
  • Include network traffic as part of behavior
  • Data sharing and communication

29
Centralized vs. Decentralized
  • Centralized Analysis
  • Audit data is collected on individual systems
  • Reported to some centralized location
  • Intrusion detection analysis is performed there
  • Dont work well for large network due to sheer
    volume of data
  • Need data translation in heterogeneous systems
  • Decentralized Analysis
  • Distributed audit data collection
  • Distribute intrusion detection analysis
  • Works well for large networks because less data
    shared between different components
  • Can eliminate translation problem by grouping
    homogeneous systems

30
Partition
  • In decentralized system, entire system is divided
    into smaller domains for the purpose of
    communication
  • Partition can base on
  • Geography
  • Administrative control
  • Collections of similar software platforms
  • Anticipated types of intrusions
  • Still centralized within a domain

31
Vulnerabilities
  • Intrusion detection software themselves are not
    inherently survivable and need protection also
  • Initialization will be flawed if the intrusions
    are present
  • Audit data must be timely available
  • IDS should not compete resource with the rest of
    the system

32
Conclusion
  • Why IDS
  • The generations of IDS
  • What makes a good IDS
  • Basic components of an IDS
  • Different approaches used in IDS
  • Exam how the UNM pattern matching works with
  • How IDS extended for networked systems
  • What is the vulnerabilities of IDS
Write a Comment
User Comments (0)
About PowerShow.com