New Methods of Intrusion Detection by HC120917102556


Survey of Intrusion Detection

• The worldwide impact of malicious code attacks is
  estimated to be over $10 Billion annually.
• The CERT center at CMU reported 73,359
  security incidents between 1/1/02 and 9/31/02,
  equal to all of the security incidents reported in
  2000-2001 combined.
• Novice attackers can easily acquire and use
  automated denial-of-service attack software.
• Human security analysts can't keep up with it all.

Intrusion Detection

Attempts to detect unauthorized or malicious
 activities in a network or on a host system
  – Signature-based - looks for patterns that are
    known to be intrusive in packets or audit logs
  – Anomaly-based - looks for 'abnormal' activity,
    usually requires a template of 'normal' activity
Determining 'who' carried out an intrusion is much harder than
 detecting that an intrusion occurred.
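
The two approaches on this slide side by side, as an added example that is not part of the original slides: a signature rule and a frequency-profile anomaly detector run over a constructed audit log. The log format, the signature, the training data and the 20% rarity threshold are all assumptions made for the example; the point is that the signature catches a known-bad pattern inside an otherwise normal command, while the anomaly detector catches a command the user never ran before (and also flags an unknown user, which is the kind of false alarm a template-based system produces when its template is incomplete).

```python
import re
from collections import Counter, defaultdict

# Constructed audit-log lines (not from the slides). One event per line:
#   "<time> user=<name> cmd=<command> args=<arguments>"
TRAINING_LOG = [  # assumed attack-free, used only to build the profile
    "09:00:01 user=alice cmd=ls args=/home/alice",
    "09:00:05 user=alice cmd=vi args=report.txt",
    "09:00:09 user=alice cmd=ls args=/home/alice/docs",
    "09:01:00 user=bob cmd=make args=all",
    "09:01:30 user=bob cmd=gcc args=main.c",
    "09:02:00 user=bob cmd=make args=test",
    "09:02:10 user=alice cmd=vi args=notes.txt",
]

LIVE_LOG = [  # constructed events to classify
    "10:00:01 user=alice cmd=ls args=/home/alice",
    "10:00:02 user=alice cmd=vi args=/etc/passwd",   # normal command for alice, but matches a signature
    "10:00:03 user=bob cmd=ftp args=example.test",   # command bob has never used -> anomaly
    "10:00:04 user=bob cmd=make args=all",
    "10:00:05 user=carol cmd=ls args=/",             # user absent from the template -> anomaly
]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) cmd=(?P<cmd>\S+) args=(?P<args>.*)$")


def parse(line):
    """Split one audit line into its fields; reject lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return m.groupdict()


# Signature rules (constructed): a name plus a predicate over the parsed event.
SIGNATURES = [
    ("sensitive-file-edit",
     lambda ev: ev["cmd"] in {"vi", "vim"} and ev["args"].startswith("/etc/")),
]


def signature_alerts(lines):
    """Signature-based detection: report every event matching a known-bad pattern."""
    alerts = []
    for line in lines:
        ev = parse(line)
        for name, matches in SIGNATURES:
            if matches(ev):
                alerts.append((ev["ts"], ev["user"], name))
    return alerts


def build_profile(training_lines):
    """Template of 'normal' activity: per-user command counts from attack-free data."""
    profile = defaultdict(Counter)
    for line in training_lines:
        ev = parse(line)
        profile[ev["user"]][ev["cmd"]] += 1
    return profile


def anomaly_alerts(profile, lines, threshold=0.2):
    """Anomaly-based detection: flag commands that are rare or unseen for the user
    (relative frequency below threshold) and users missing from the template."""
    alerts = []
    for line in lines:
        ev = parse(line)
        user_counts = profile.get(ev["user"])
        if user_counts is None:
            alerts.append((ev["ts"], ev["user"], "unknown-user"))
            continue
        freq = user_counts[ev["cmd"]] / sum(user_counts.values())
        if freq < threshold:
            alerts.append((ev["ts"], ev["user"], f"rare-command:{ev['cmd']}"))
    return alerts


if __name__ == "__main__":
    print("signature:", signature_alerts(LIVE_LOG))
    print("anomaly:  ", anomaly_alerts(build_profile(TRAINING_LOG), LIVE_LOG))
```

Neither detector alone covers the other's hit: the edited `/etc/` file is invisible to the profile because `vi` is half of alice's history, and `ftp` is invisible to the signature list because nobody wrote a rule for it. The `unknown-user` alert for carol is the cost of the template approach named on the slide: every legitimate activity absent from the training data is reported as abnormal.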

Early Work on Security

• Saltzer and Schroeder (1974) - established
  security design principles and mechanisms
• Orange Book (1985) - DoD specifications
• Formal Models
  – Bell-LaPadula (1976) - supported formal
    proofs of conformance to security policies
  – Denning (1987) - described the requirements
    for designing an intrusion detection system

Early Systems

• IDES - statistical anomaly detection
• Haystack - also added signature detection
• Wisdom & Sense - automatically created a
  profile of 'normal' behavior from past user
  and host activities
• ISOA - uses both real-time monitoring and
  post-session analysis to detect suspicious
  behavior, developed profiles at both levels

Recent Research in ID

• NIDES - distributed collection of host data,
  centralized analysis (extension of IDES)
• NSM - network traffic monitoring for
  anomalous packets
• DIDS - combines host-based (Haystack)
  and network monitoring (NSM)
• CSM - peer-to-peer distributed analysis

Recent Research (continued)

• Bro - analyzes packet contents
• GrIDS - builds graphs of network activity
  and looks for anomalies
• STAT and NetSTAT - model an attack as a
  state machine; if the event sequence is
  accepted, the attack occurred
• EMERALD - framework for building an
  ID system with distributed collection and
  analysis, modular design (extended NIDES)
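
The state-machine idea behind STAT and NetSTAT, as an added example that is not code from either project: a constructed transition table models a multi-step scenario (three failed logins from one source, a successful login, then a privileged command), one scenario instance is tracked per source host, and a host is reported only when its own event sequence reaches the accepting state. The event kinds, the scenario and the sample events are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str   # constructed event kinds: login_fail, login_ok, priv_exec
    host: str   # source host the event is attributed to
    user: str


# Constructed attack model (not STAT's own notation): (state, event kind, next state).
# Reaching ACCEPT means the observed sequence matched the modelled scenario.
ACCEPT = "ACCEPT"
TRANSITIONS = [
    ("s0", "login_fail", "s1"),
    ("s1", "login_fail", "s2"),
    ("s2", "login_fail", "s3"),
    ("s3", "login_ok", "s4"),
    ("s4", "priv_exec", ACCEPT),
]


def step(state, kind):
    """Advance one scenario instance; events with no transition leave it where it is."""
    for src, ev_kind, dst in TRANSITIONS:
        if src == state and ev_kind == kind:
            return dst
    return state


def run_model(events):
    """Track one instance per host over an interleaved event stream and return
    (host, user) pairs whose sequence was accepted by the model."""
    state = {}          # host -> current state of its scenario instance
    detected = []
    for ev in events:
        nxt = step(state.get(ev.host, "s0"), ev.kind)
        if nxt == ACCEPT:
            detected.append((ev.host, ev.user))
            nxt = "s0"  # reset so a repeat from the same host is reported again
        state[ev.host] = nxt
    return detected


# Constructed sample stream: two hosts interleaved. Only 10.0.0.5 completes the
# full scenario; 10.0.0.9 has a single failed login before success, which the
# model does not accept.
EVENTS = [
    Event("login_fail", "10.0.0.5", "svc"),
    Event("login_fail", "10.0.0.9", "bob"),
    Event("login_fail", "10.0.0.5", "svc"),
    Event("login_ok", "10.0.0.9", "bob"),
    Event("login_fail", "10.0.0.5", "svc"),
    Event("priv_exec", "10.0.0.9", "bob"),
    Event("login_ok", "10.0.0.5", "svc"),
    Event("priv_exec", "10.0.0.5", "svc"),
]

if __name__ == "__main__":
    print(run_model(EVENTS))
```

Keying the instances by host is what lets the model ignore bob's ordinary failed-then-successful login while still recognising the complete sequence from the other host; a real STAT model attaches guards to transitions (same user, time window), which this table omits.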

Additional IDS Projects

• Data-mining for ID - numerous projects
  mining host audit data, captured packets
• Autonomous Agents - independent agents
  monitor specific activities/resources and
  report to hierarchy of analyzers
• Open source projects - (e.g. SHADOW
  and Snort) - performance comparable to
  commercial and research systems

Major Problems

• High False-Alarm Rates - real-world tests
  show overwhelming numbers of false
  alarms, little success in filtering them out
• Availability of Training Data - most
  anomaly-based ID systems need attack-free
  datasets. Currently, no clear way to create
  or certify realistic attack-free data