
Source: 1sit.iitkgp.ernet.in/research/aut05seminar1/report7.doc


Intrusion Detection Techniques

CONTENTS

Abstract
1. Introduction
2. Evolution
3. Overview of Intrusion Detection Systems
   3.1. What are intrusions?
   3.2. What is intrusion detection?
   3.3. Functions of intrusion detection systems
   3.4. Benefits of intrusion detection
   3.5. An attack victim’s view
   3.6. Information that an attacker wants
4. IDS Taxonomy
5. Process model for intrusion detection
6. Architecture
7. Information sources or targets
   7.1. Network-based IDSs (NIDS)
   7.2. Host-based IDSs (HIDS)
   7.3. Application-based IDSs
8. IDS Analysis
   8.1. Misuse detection
   8.2. Anomaly detection
   8.3. Example: a text-based technique with the BWC metric
      8.3.1. Feature vector and similarity measure
      8.3.2. Binary similarity measure
      8.3.3. Frequency similarity measure
      8.3.4. Proposed scheme
   8.4. Specification-based detection
9. Tools that complement IDSs
10. Deploying IDSs
   10.1. Deploying network-based IDSs
   10.2. Deploying host-based IDSs
11. Strengths and limitations of IDSs
12. Challenges with IDS techniques
13. Conclusion
14. References


ABSTRACT

Today’s information systems in government and commercial sectors are distributed and highly interconnected via local area and wide area computer networks. While indispensable, these networks provide potential avenues of attack by hackers, international competitors, and other adversaries. The increasingly frequent attacks on Internet-visible systems are attempts to breach information security requirements for the protection of data. Intrusion detection technology allows organizations to protect themselves from losses associated with network security problems.

Intrusion detection systems (IDSs) attempt to identify attacks by comparing collected data to predefined signatures known to be malicious (misuse-based IDSs) or to a model of legal behavior (anomaly-based IDSs). Anomaly-based approaches have the advantage of being able to detect previously unknown attacks, but they suffer from the difficulty of building robust models of acceptable behavior, which may result in a large number of false alarms. Almost all current anomaly-based intrusion detection systems classify an input event as normal or anomalous by analyzing its features, utilizing a number of different models.

Pusparaj Mohapatra

Intrusion Detection Techniques (05IT6014)

1. Introduction

Systems and networks are subject to electronic attacks. Today’s information systems in government and commercial sectors are distributed and highly interconnected via local area and wide area computer networks. While indispensable, these networks provide potential avenues of attack by hackers, international competitors, and other adversaries.

The increasingly frequent attacks on Internet-visible systems are attempts to breach information security requirements for the protection of data. Intrusion detection technology allows organizations to protect themselves from losses associated with network security problems.

Intrusion detection systems (IDSs) are software or hardware systems that automate the process of monitoring the events occurring in a computer system or network, analyzing them for signs of security problems. As network attacks have increased in number and severity over the past few years, intrusion detection systems have become a necessary addition to the security infrastructure of most organizations.

Although firewalls have traditionally been seen as the “first line of defense” against would-be attackers, intrusion detection software is rapidly gaining ground as a novel but effective approach to making networks more secure. Intrusion detection operates on the principle that any attempt to penetrate a system can be detected and the operator alerted, rather than on actually stopping the attempt from happening. This rests on the assumption that it is virtually impossible to close every potential security breach; intrusion detection takes a very “real world” viewpoint, emphasizing instead the need to identify attempts at breaking in and to assess the damage they have caused.


2. Evolution

Intrusion detection has been an active field of research for about two decades, starting in 1980 with the publication of John Anderson’s Computer Security Threat Monitoring and Surveillance, one of the earliest papers in the field. Dorothy Denning’s seminal paper, “An Intrusion Detection Model,” published in 1987, provided a methodological framework that inspired many researchers and laid the groundwork for commercial products.

3. Overview of Intrusion Detection Systems

3.1. What are intrusions?

Any set of actions that threatens the integrity, availability, or confidentiality of a network resource. Example: denial of service (DoS), an attempt to starve a host of the resources it needs to function correctly.

3.2. What is intrusion detection?

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions. Intrusions are caused by attackers accessing the systems from the Internet, authorized users of the systems who attempt to gain additional privileges for which they are not authorized, and authorized users who misuse the privileges given them. Intrusion Detection Systems (IDSs) are software or hardware products that automate this monitoring and analysis process.

3.3. Functions of intrusion detection systems

- Monitoring and analysis of user and system activity
- Auditing of system configurations and vulnerabilities
- Assessing the integrity of critical system and data files
- Recognition of activity patterns reflecting known attacks
- Statistical analysis for abnormal activity patterns

3.4. Benefits of intrusion detection

- Improving the integrity of other parts of the information security infrastructure
- Improved system monitoring
- Tracing user activity from the point of entry to the point of exit or impact
- Recognizing and reporting alterations to data files
- Spotting errors of system configuration and sometimes correcting them
- Recognizing specific types of attack and alerting appropriate staff for defensive responses
- Keeping system management personnel up to date on recent corrections to programs
- Allowing non-expert staff to contribute to system security
- Providing guidelines in establishing information security policies

3.5. An attack victim’s view

- What happened?
- Who is affected and how?
- Who is the intruder?
- Where and when did the intrusion originate?
- How and why did the intrusion happen?

3.6. Information that an attacker wants

- What is my objective?
- What vulnerabilities exist in the target system?
- What damage or other consequences are likely?
- What exploit scripts or other attack tools are available?
- What is my risk of exposure?


4. IDS Taxonomy

A distributed intrusion detection system is one where data is collected and analyzed on multiple hosts, as opposed to a centralized intrusion detection system. Both distributed and centralized intrusion detection systems may use host- or network-based data collection methods, or, most likely, a combination of the two.


An IDS can react to an intrusion in two ways:

- Active: takes some action in reaction to the intrusion (such as shutting down services or connections, logging the user, etc.).
- Passive: generates alarms or notifications.

Audit information analysis is generally done in one of two modes. The intrusion detection process can run continuously, also called in real time; the term "real time" indicates no more than that the IDS reacts to an intrusion "quickly enough". Alternatively, the intrusion detection process can be run periodically.

5. Process model for intrusion detection

Many IDSs can be described in terms of three fundamental functional components:

Information Sources – the different sources of event information used to determine whether an intrusion has taken place. These sources can be drawn from different levels of the system, with network, host, and application monitoring most common.

Analysis – the part of intrusion detection systems that actually organizes and makes sense of the events derived from the information sources, deciding when those events indicate that intrusions are occurring or have already taken place. The most common analysis approaches are misuse detection and anomaly detection.

Response – the set of actions that the system takes once it detects intrusions. These are typically grouped into active and passive measures, with active measures involving some automated intervention on the part of the system, and passive measures involving reporting IDS findings to humans, who are then expected to take action based on those reports.

6. Architecture

The architecture of an IDS refers to how the functional components of the IDS are arranged with respect to each other. According to one study [Axelsson, 1998], an IDS can be thought of as consisting of an Audit Collection/Storage Unit, a Processing Unit and an Alarm/Response Unit.

The Audit Collection/Storage Unit collects the data that is to be analyzed for signs of intrusion. The Processing Unit analyzes the data received from the Audit Collection/Storage Unit to find intrusions. The Alarm/Response Unit triggers an alarm on detecting an intrusion, and it may execute a defensive action too.

7. Information sources or targets

The most common way to classify IDSs is to group them by information source. Some IDSs analyze network packets, captured from network backbones or LAN segments, to find attackers. Other IDSs analyze information sources generated by the operating system or application software for signs of intrusion.

7.1. Network-based IDSs (NIDS)

The majority of commercial intrusion detection systems are network-based. These IDSs detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment, thereby protecting those hosts. Network-based IDSs often consist of a set of single-purpose sensors or hosts placed at various points in a network. These units monitor network traffic, performing local analysis of that traffic and reporting attacks to a central management console. As the sensors are limited to running the IDS, they can be more easily secured against attack. Many of these sensors are designed to run in “stealth” mode, in order to make it more difficult for an attacker to determine their presence and location.

Advantages of network-based IDSs:

- A few well-placed network-based IDSs can monitor a large network.
- The deployment of network-based IDSs has little impact upon an existing network. Network-based IDSs are usually passive devices that listen on a network wire without interfering with the normal operation of a network. Thus, it is usually easy to retrofit a network to include network-based IDSs with minimal effort.
- Network-based IDSs can be made very secure against attack and even made invisible to many attackers.


Disadvantages of network-based IDSs:

- Network-based IDSs may have difficulty processing all packets in a large or busy network and, therefore, may fail to recognize an attack launched during periods of high traffic.
- Many of the advantages of network-based IDSs don’t apply to more modern switch-based networks. Switches subdivide networks into many small segments (usually one fast Ethernet wire per host) and provide dedicated links between hosts serviced by the same switch. Most switches do not provide universal monitoring ports, and this limits the monitoring range of a network-based IDS sensor to a single host. Even when switches provide such monitoring ports, often the single port cannot mirror all traffic traversing the switch.
- Network-based IDSs cannot analyze encrypted information.
- Most network-based IDSs cannot tell whether or not an attack was successful; they can only discern that an attack was initiated. This means that after a network-based IDS detects an attack, administrators must manually investigate each attacked host to determine whether it was indeed penetrated.
- Some network-based IDSs have problems dealing with network-based attacks that involve fragmenting packets. These malformed packets cause the IDSs to become unstable and crash.

7.2. Host-based IDSs (HIDS)

Host-based IDSs operate on information collected from within an individual computer system. This vantage point allows host-based IDSs to analyze activities with great reliability and precision, determining exactly which processes and users are involved in a particular attack on the operating system. Furthermore, unlike network-based IDSs, host-based IDSs can “see” the outcome of an attempted attack, as they can directly access and monitor the data files and system processes usually targeted by attacks. Host-based IDSs normally utilize information sources of two types: operating system audit trails and system logs. Operating system audit trails are usually generated at the innermost (kernel) level of the operating system, and are therefore more detailed and better protected than system logs. However, system logs are much less obtuse and much smaller than audit trails, and are furthermore far easier to comprehend.

Advantages:

- Host-based IDSs, with their ability to monitor events local to a host, can detect attacks that cannot be seen by a network-based IDS.
- Host-based IDSs can often operate in an environment in which network traffic is encrypted, when the host-based information sources are generated before data is encrypted and/or after the data is decrypted at the destination host.
- Host-based IDSs are unaffected by switched networks.
- When host-based IDSs operate on OS audit trails, they can help detect Trojan horse or other attacks that involve software integrity breaches. These appear as inconsistencies in process execution.

Disadvantages:

- Host-based IDSs are harder to manage, as information must be configured and managed for every host monitored.
- Since at least the information sources (and sometimes part of the analysis engines) for host-based IDSs reside on the host targeted by attacks, the IDS may be attacked and disabled as part of the attack.
- Host-based IDSs are not well suited for detecting network scans or other such surveillance that targets an entire network, because the IDS only sees those network packets received by its host.
- Host-based IDSs can be disabled by certain denial-of-service attacks.
- When host-based IDSs use operating system audit trails as an information source, the amount of information can be immense, requiring additional local storage on the system.
- Host-based IDSs use the computing resources of the hosts they are monitoring, therefore inflicting a performance cost on the monitored systems.

7.3. Application-based IDSs

Application-based IDSs are a special subset of host-based IDSs that analyze the events transpiring within a software application. The most common information sources used by application-based IDSs are the application’s transaction log files. The ability to interface with the application directly, with significant domain or application-specific knowledge included in the analysis engine, allows application-based IDSs to detect suspicious behavior due to authorized users exceeding their authorization. This is because such problems are more likely to appear in the interaction between the user, the data, and the application.

Advantages:

- Application-based IDSs can monitor the interaction between user and application, which often allows them to trace unauthorized activity to individual users.
- Application-based IDSs can often work in encrypted environments, since they interface with the application at transaction endpoints, where information is presented to users in unencrypted form.

Disadvantages:

- Application-based IDSs may be more vulnerable than host-based IDSs to attacks, as the application logs are not as well protected as the operating system audit trails used for host-based IDSs.
- As application-based IDSs often monitor events at the user level of abstraction, they usually cannot detect Trojan horse or other such software tampering attacks. Therefore, it is advisable to use an application-based IDS in combination with host-based and/or network-based IDSs.

8. IDS Analysis

There are two primary approaches to analyzing events to detect attacks: misuse detection and anomaly detection. Misuse detection, in which the analysis targets something known to be “bad”, is the technique used by most commercial systems. Anomaly detection, in which the analysis looks for abnormal patterns of activity, has been, and continues to be, the subject of a great deal of research. Anomaly detection is used in limited form by a number of IDSs. There are strengths and weaknesses associated with each approach, and it appears that the most effective IDSs use mostly misuse detection methods with a smattering of anomaly detection components. There is also another technique which combines the two approaches.

8.1. Misuse detection

Misuse detectors analyze system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack. As the patterns corresponding to known attacks are called signatures, misuse detection is sometimes called “signature-based detection.” The most common form of misuse detection used in commercial products specifies each pattern of events corresponding to an attack as a separate signature. However, there are more sophisticated approaches to doing misuse detection (called “state-based” analysis techniques) that can leverage a single signature to detect groups of attacks.

Advantages:

- Misuse detectors are very effective at detecting attacks without generating an overwhelming number of false alarms.
- Misuse detectors can quickly and reliably diagnose the use of a specific attack tool or technique. This can help security managers prioritize corrective measures.
- Misuse detectors can allow system managers, regardless of their level of security expertise, to track security problems on their systems, initiating incident handling procedures.

Disadvantages:

- Misuse detectors can only detect those attacks they know about; therefore they must be constantly updated with signatures of new attacks.
- Many misuse detectors are designed to use tightly defined signatures that prevent them from detecting variants of common attacks. State-based misuse detectors can overcome this limitation, but are not commonly used in commercial IDSs.

8.2. Anomaly detection

Anomaly detectors identify abnormal, unusual behavior (anomalies) on a host or network. They function on the assumption that attacks are different from “normal” (legitimate) activity and can therefore be detected by systems that identify these differences. Anomaly detectors construct profiles representing the normal behavior of users, hosts, or network connections. These profiles are constructed from historical data collected over a period of normal operation. The detectors then collect event data and use a variety of measures to determine when monitored activity deviates from the norm.

The measures and techniques used in anomaly detection include: threshold detection, statistical measures, and rule-based measures.

Advantages:

- IDSs based on anomaly detection detect unusual behavior and thus have the ability to detect symptoms of attacks without specific knowledge of details.
- Anomaly detectors can produce information that can in turn be used to define signatures for misuse detectors.

Disadvantages:

- Anomaly detection approaches usually produce a large number of false alarms due to the unpredictable behaviors of users and networks.
- Anomaly detection approaches often require extensive “training sets” of system event records in order to characterize normal behavior patterns.

8.3. Example: a text-based technique with the BWC metric

The starting point of the method is the observation that any normal execution of a process follows a pattern, and hence the normal behavior of a process can be profiled by a set of sequences of system calls. Any deviation in this pattern of system calls is termed an intrusion in the framework of anomaly-based IDS. The problem of intrusion detection thus boils down to detecting anomalous sequences of system calls, which are measurably different from the normal behavior. We propose a new scheme in which we measure the similarity between two processes using a metric that considers two factors: the occurrence of system calls shared by the two said processes, and the frequency of all system calls in the processes. Due to the way it is constructed, we term this similarity metric the Binary Weighted Cosine (BWC) metric.

8.3.1. Feature vector and similarity measure

Let S (say, Card(S) = m) be the set of system calls made by all the processes under normal execution. From all the normal processes a matrix A = [aij] is formed, where aij denotes the frequency of the ith system call in the jth process. We also form a matrix B = [bij], where bij = 1 if the ith system call is present in the jth process, and bij = 0 otherwise. Thus the binary representation of process P, namely Pbj, is defined by the m-vector Pbj ∈ {0,1}^m as a column in B. For example, let

S = {access, audit, chdir, close, creat, exit, fork, ioctl}

and let the two normal processes be

P1 = access close ioctl access exit
P2 = ioctl audit chdir chdir access

Then we have

The rows of A (and B) correspond to the elements of S in the same order, and the columns of A (and B) correspond to the processes P1 and P2. Thus the first entry in A is calculated by counting the frequency of the system call access in the process P1, which is 2. Similarly, the first entry of the second column of A is calculated by counting the frequency of the system call access in the process P2, which is 1, and so on. Similarly, the first entry of the first column of B is 1 because the system call access is present in P1, whereas the second entry is 0, which shows that the system call audit is absent in P1.


8.3.2. Binary similarity measure

We define a similarity score μ between any two processes Pbi and Pbj (ith and jth columns of B) as follows:

where the summation runs over n, which indexes the elements of the process vectors Pbi and Pbj, and m is the length of each process vector. It may be noticed that 0 ≤ μ ≤ 1. The value of μ increases when there are more shared system calls between the two processes (due to the numerator), and the value of μ decreases when the number of system calls not shared by both processes is greater than the number of shared ones (due to the denominator) in Pbi and Pbj.

8.3.3. Frequency similarity measure

Another similarity score λ, known as the cosine similarity measure between the processes Pi and Pj (ith and jth columns of A), is defined as follows:

Now we define our new similarity measure, termed the Binary Weighted Cosine (BWC) metric, Sim(Pi, Pj), as the product of the two scores:

Sim(Pi, Pj) = μ(Pbi, Pbj) · λ(Pi, Pj)

The motive behind multiplying μ and λ is that λ measures the similarity based on frequency and μ is the weight associated with Pi and Pj. In other words, μ tunes the similarity score according to the number of similar and dissimilar system calls between the two processes. Therefore, the similarity measure Sim(Pi, Pj) takes both the frequency and the number of shared system calls into consideration while calculating the similarity between two processes.

8.3.4. Proposed scheme

As discussed, the matrices A = [aij] and B = [bij] are constructed using the normal processes and the set S. For every new process P, if P contains a system call that is not in S, the process P is classified as abnormal; if not, it is first converted into a vector for further processing. The binary equivalent Pb of this vector is then calculated. Next, the similarity score μ is calculated for every normal vector Pj by using equation (2). If μ = 1, P is classified as normal. Otherwise, using the equations above, the values of λ and Sim(P, Pj) are calculated. The values of Sim(P, Pj) are sorted in descending order and the k nearest neighbors (the first k highest values) are chosen. We calculate the average value (Avg_Sim) of the k nearest neighbors. The kNN classifier categorizes the new process P as either normal or abnormal according to the rule given below.

If Avg_Sim > Sim_Threshold, classify P as normal; otherwise P is abnormal, where Sim_Threshold is a predefined threshold value for similarity measurement. The pseudocode for the proposed scheme is shown in Figure 1.

Given a set of processes and system calls S, form the matrices A = [aij] and B = [bij]
for each process P in the test data do
    if P has some system call which does not belong to S then
        P is abnormal; exit;
    else
        for each process Aj in the training data A do
            calculate Sim(P, Aj);
            if Sim(P, Aj) equals 1.0 then
                P is normal; exit;
        find the first k highest values of Sim(P, Aj);
        calculate Avg_Sim for the k nearest neighbors so obtained;
        calculate Avg_Dist for the k nearest neighbors;
        if Avg_Sim is greater than Sim_Threshold then
            P is normal;
        else
            P is abnormal;

Figure 1. Pseudocode for the proposed scheme.
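The BWC scheme of Sections 8.3.1 to 8.3.4, made runnable as an added example (not code from the report) on the report's own S, P1 and P2. Because the page does not reproduce the formulas, it assumes μ = shared / (shared + unshared) as described in 8.3.2, λ = the standard cosine similarity of the frequency vectors, and Sim = μ·λ; the test process and the threshold are constructed values.

```python
# Added example: BWC similarity and kNN classification of system-call
# sequences, following Sections 8.3.1-8.3.4. Assumed formulas (the page
# does not reproduce them): mu = shared/(shared+unshared), lambda = cosine
# similarity, Sim = mu * lambda.
import math
from collections import Counter

# Constructed from the example in 8.3.1; the order of S fixes the row order of A and B.
S = ["access", "audit", "chdir", "close", "creat", "exit", "fork", "ioctl"]
P1 = "access close ioctl access exit".split()
P2 = "ioctl audit chdir chdir access".split()
NORMAL = [P1, P2]  # training data: the columns of A and B


def build_vectors(calls, process):
    """Return (frequency column of A, binary column of B) for one process."""
    counts = Counter(process)
    a = [counts[c] for c in calls]
    b = [1 if counts[c] else 0 for c in calls]
    return a, b


def binary_similarity(bi, bj):
    """mu: calls shared by both over shared plus unshared calls (assumed form)."""
    shared = sum(1 for x, y in zip(bi, bj) if x and y)
    unshared = sum(1 for x, y in zip(bi, bj) if x != y)
    return 1.0 if shared + unshared == 0 else shared / (shared + unshared)


def cosine_similarity(ai, aj):
    """lambda: cosine of the angle between two frequency vectors."""
    dot = sum(x * y for x, y in zip(ai, aj))
    norm = math.sqrt(sum(x * x for x in ai)) * math.sqrt(sum(x * x for x in aj))
    return dot / norm if norm else 0.0


def bwc_similarity(calls, p, q):
    """Sim(p, q) = mu * lambda, the Binary Weighted Cosine metric."""
    ap, bp = build_vectors(calls, p)
    aq, bq = build_vectors(calls, q)
    return binary_similarity(bp, bq) * cosine_similarity(ap, aq)


def classify(calls, normal, process, k, sim_threshold):
    """kNN rule of 8.3.4. Returns (label, avg_sim); avg_sim is None when the
    decision is taken before the neighbours are averaged."""
    if any(c not in calls for c in process):
        return "abnormal", None  # a system call outside S: abnormal at once
    a, b = build_vectors(calls, process)
    sims = []
    for pj in normal:
        aj, bj = build_vectors(calls, pj)
        mu = binary_similarity(b, bj)
        if mu == 1.0:  # same set of calls as a normal process (the prose
            return "normal", None  # rule; Figure 1 tests Sim == 1.0 instead)
        sims.append(mu * cosine_similarity(a, aj))
    sims.sort(reverse=True)
    nearest = sims[:k]
    if not nearest:
        return "abnormal", None
    avg_sim = sum(nearest) / len(nearest)
    return ("normal" if avg_sim > sim_threshold else "abnormal"), avg_sim


if __name__ == "__main__":
    a1, b1 = build_vectors(S, P1)
    a2, b2 = build_vectors(S, P2)
    print("A columns:", a1, a2)  # [2,0,0,1,0,1,0,1] [1,1,2,0,0,0,0,1]
    print("B columns:", b1, b2)  # [1,0,0,1,0,1,0,1] [1,1,1,0,0,0,0,1]
    print("mu(P1,P2) =", binary_similarity(b1, b2))  # 2/6
    print("lambda(P1,P2) =", cosine_similarity(a1, a2))  # 3/7
    print("Sim(P1,P2) =", bwc_similarity(S, P1, P2))  # 1/7
    test = "audit chdir chdir chdir exit".split()  # constructed test process
    print(classify(S, NORMAL, test, k=2, sim_threshold=0.25))  # abnormal
```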


8.4. Specification-based detection

They distinguished between normal and intrusive behaviour by monitoring the traces of system calls of the target processes. A specification that models the desired behaviour of a process tells the IDS whether the actual observed trace is part of an attack or not. With this approach, they attempt to combine the advantages of misuse and anomaly detection: it should reach the accuracy of a misuse detection system and have the ability of anomaly detection to deal with future attacks. Their systems managed the detection by inspecting log files.

Advantages: more or less the same as for misuse detection. However, these systems manage to detect some types/classes of novel attacks. Additionally, they are more resistant against subtle changes in attacks.

Disadvantages: usually, for every program that is monitored, a specification has to be designed. Furthermore, the modelling process can be regarded as more difficult than the design of patterns for misuse detection systems. Additionally, some classes of attacks are not detectable at all.

9. Tools that complement IDSs

Several tools exist that complement IDSs and are often labeled as intrusion detection products by vendors since they perform similar functions. This section discusses four of these tools, Vulnerability Analysis Systems, File Integrity Checkers, Honey Pots, and Padded Cells, and describes how they can enhance an organization’s intrusion detection capability.

10. Deploying IDSs

Intrusion detection technology is a necessary addition to every large organization’s computer network security infrastructure. However, given the deficiencies of today’s intrusion detection products, and the limited security skill level of many system administrators, an effective IDS deployment requires careful planning, preparation, prototyping, testing, and specialized training.

10.1. Deploying network-based IDSs

One question that arises when deploying network-based IDSs is where to locate the system sensors. There are many options for placing a network-based IDS with different advantages associated with each location:

Figure – Locations of Network-based IDS sensors

10.1.1.Location: Behind each external firewall, in the network DMZ (See Figure – Location 1)Advantages:Sees attacks, originating from the outside world, that penetrate the network’s perimeter defenses.Highlights problems with the network firewall policy or performanceSees attacks that might target the web server or ftp server, which commonly reside in this DMZEven if the incoming attack is not recognized, the IDS can sometimesrecognize the outgoing traffic that results from the compromised server 10.1.2.Location: Outside an external firewall (See Figure – Location 2)


Advantages:
• Documents the number of attacks originating on the Internet that target the network.
• Documents the types of attacks originating on the Internet that target the network.

10.1.3. Location: On major network backbones (See Figure – Location 3)

Advantages:
• Monitors a large amount of a network's traffic, thus increasing the possibility of spotting attacks.
• Detects unauthorized activity by authorized users within the organization's security perimeter.

10.1.4. Location: On critical subnets (See Figure – Location 4)

Advantages:
• Detects attacks targeting critical systems and resources.
• Allows focusing of limited resources on the network assets considered of greatest value.

10.2. Deploying Host-Based IDSs:

Once network-based IDSs are in place and operational, the addition of host-based IDSs can offer enhanced levels of protection for your systems. However, installing host-based IDSs on every host in the enterprise can be extremely time-consuming, as each IDS has to be installed and configured for each specific host. Therefore, we recommend that organizations first install host-based IDSs on critical servers. This will decrease overall deployment costs and allow novice personnel to focus on alarms generated from the most important hosts. Once the operation of host-based IDSs is routine, more security-conscious organizations may consider installing host-based IDSs on the majority of their hosts. In this case, purchase host-based systems that have centralized management and reporting functions. These features will significantly reduce the complexity of managing alerts from a large set of hosts.

Another consideration when using host-based IDSs is that of allowing operators to become familiar with the IDS in a sheltered, but active environment. Much of the effectiveness of any IDS, but particularly a host-based IDS, depends on the operator's ability to discern between true and false alarms. Over a period of time, an operator working with an IDS in a particular environment will gain a sense of what is normal for that environment, as monitored by the IDS. It is also important (as host-based IDSs are often not continuously attended by operators) to establish a schedule for checking the results of the IDS. If this is not done, the risk that an adversary will tamper with the IDS in the course of an attack increases.
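To close section 10, here is an added example (not code from the report) of the detection logic a sensor at Location 1 in 10.1 is positioned to run. It checks two things the text attributes to a DMZ sensor: inbound connections the firewall policy should have blocked, and outbound connections initiated by a DMZ server, which is the traffic a compromised server produces even when the incoming attack itself was not recognized. As a design choice beyond the text it also flags DMZ-to-DMZ connections. The flow-record format, the DMZ address range (192.0.2.0/24, a documentation prefix) and the permitted service list are assumptions for this illustration; the sample flows are constructed.

```python
"""DMZ sensor (Location 1) flow classification (added example).

The sensor sits inside the external firewall on the DMZ segment. It judges
each TCP connection setup it sees against an assumed firewall policy and
against the expectation that DMZ servers answer connections but never
initiate them. Addresses, policy and sample flows are assumptions.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

DMZ = ipaddress.ip_network("192.0.2.0/24")            # assumed DMZ range
# Assumed firewall policy: the only services the perimeter should pass into the DMZ.
ALLOWED_INBOUND = {
    ipaddress.ip_address("192.0.2.10"): {80, 443},    # web server
    ipaddress.ip_address("192.0.2.21"): {21},         # ftp server
}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    syn_from_src: bool   # True when src initiated the TCP connection


def classify(flow):
    """Return an alert label for a flow seen on the DMZ segment, or None if expected."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    src_in, dst_in = src in DMZ, dst in DMZ
    if not flow.syn_from_src:
        return None   # judge only connection setup; reply packets mirror the initiating flow
    if not src_in and dst_in:
        if flow.dport in ALLOWED_INBOUND.get(dst, set()):
            return None
        return "inbound-not-permitted-by-policy"      # the firewall should have dropped this
    if src_in and not dst_in:
        return "dmz-host-initiated-outbound"          # servers here answer, they do not call out
    if src_in and dst_in:
        return "dmz-lateral"                          # DMZ hosts talking to each other
    return None   # transit traffic this sensor should not see; that is the backbone sensor's job


def summarize(flows):
    """Count alerts per (label, source address) so the operator sees who is doing what."""
    counts = Counter()
    for f in flows:
        label = classify(f)
        if label:
            counts[(label, f.src)] += 1
    return counts


# Constructed sample flows as the DMZ sensor would see them.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 51000, "192.0.2.10", 80, True),     # normal web request
    Flow("192.0.2.10", 80, "198.51.100.7", 51000, False),    # its reply
    Flow("198.51.100.7", 51001, "192.0.2.21", 21, True),     # normal ftp
    Flow("198.51.100.9", 4444, "192.0.2.10", 22, True),      # SSH into the web server: policy breach
    Flow("192.0.2.10", 40000, "203.0.113.5", 6667, True),    # web server calling out: suspicious
    Flow("192.0.2.10", 40001, "203.0.113.5", 6667, True),
    Flow("192.0.2.10", 40002, "192.0.2.21", 21, True),       # web server poking the ftp server
]

if __name__ == "__main__":
    for (label, src), n in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{label:32s} from {src:15s} x{n}")
```

The two outbound flows from 192.0.2.10 are the case the text describes: nothing in the sensor needed to recognise the attack against the web server, only that a DMZ server started talking to the Internet. Such a rule has to be tuned per site, since a DMZ host that legitimately fetches updates or sends mail will otherwise generate exactly the kind of recurring false alarm that section 12 warns operators learn to ignore.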

11.Strengths and Limitations of IDSs:

Although Intrusion Detection Systems are a valuable addition to an organization’s security infrastructure, there are things they do well, and other things they do not do well. As you plan the security strategy for your organization’s systems, it is important for you to understand what IDSs should be trusted to do and what goals might be better served by other types of security mechanisms.

11.1. Strengths of Intrusion Detection Systems

Intrusion detection systems perform the following functions well:
• Monitoring and analysis of system events and user behaviors.
• Testing the security states of system configurations.
• Baselining the security state of a system, then tracking any changes to that baseline.
• Recognizing patterns of system events that correspond to known attacks.
• Recognizing patterns of activity that statistically vary from normal activity.
• Managing operating system audit and logging mechanisms and the data they generate.
• Alerting appropriate staff by appropriate means when attacks are detected.
• Measuring enforcement of security policies encoded in the analysis engine.
• Providing default information security policies.
• Allowing non-security experts to perform important security monitoring functions.

11.2. Limitations of Intrusion Detection Systems

Intrusion detection systems cannot perform the following functions:
• Compensating for weak or missing security mechanisms in the protection infrastructure. Such mechanisms include firewalls, identification and authentication, link encryption, access control mechanisms, and virus detection and eradication.
• Instantaneously detecting, reporting, and responding to an attack when there is a heavy network or processing load.
• Detecting newly published attacks or variants of existing attacks.
• Effectively responding to attacks launched by sophisticated attackers.
• Automatically investigating attacks without human intervention.
• Resisting attacks that are intended to defeat or circumvent them.
• Compensating for problems with the fidelity of information sources.
• Dealing effectively with switched networks.

12.Challenges with IDS Techniques:

• There exist over 100 Intrusion Detection Systems
  – Both open source and commercial
  – Can be network based, host based, or a combination
• Main problem
  – Too many false positives
  – System administrators tend to ignore warnings after a while
  – Difficult to determine a good IDS policy
• Other problems
  – Protecting the IDS itself against attack

13.Conclusion:

IDSs are here to stay, with billion-dollar firms supporting the development of commercial security products and driving hundreds of millions in annual sales. However, they remain difficult to configure and operate and often cannot be used effectively by the very novice security personnel who need to benefit from them most. Due to the nationwide shortage of experienced security experts, many novices are assigned to deal with the IDSs that protect our nation's computer systems and networks. Our intention, in writing this document, is to help those who would take on this task. We hope that this publication, in providing actionable information and advice on these topics, serves to acquaint novices with the world of IDSs and computer attacks. The information provided in this document is by no means complete, and we recommend further reading and formal training before one takes on the task of configuring and using an intrusion detection system.
