Definitions
Intrusion
A set of actions aimed at compromising the security goals, namely integrity, confidentiality, or availability, of a computing and networking resource
Intrusion detection
The process of identifying and responding to intrusion activities
Prevent
Detect
React / Survive
Primary assumptions:
System activities are observable
Normal and intrusive activities have distinct evidence
Modeling
Features: evidence extracted from audit data
Analysis approach: piecing the evidence together
Misuse detection (a.k.a. signature-based)
Anomaly detection (a.k.a. statistical-based)
Misuse Detection
[Figure: known intrusion patterns are pattern-matched against observed activities to flag an intrusion]
Example: if (src_ip == dst_ip) then land attack
Can't detect new attacks
Anomaly Detection
[Figure: activity measures (CPU, process size) plotted against a normal profile; points outside the profile are abnormal and flagged as a probable intrusion]
Relatively high false positive rate: anomalies can just be new normal activities.
tcpdump
BSM
Algorithm
Architecture
Base-rate fallacy
P(I|A) = \frac{P(I)\,P(A|I)}{P(I)\,P(A|I) + P(\neg I)\,P(A|\neg I)}
Even if the false alarm rate P(A|¬I) is very low, the Bayesian detection rate P(I|A) is still low if the base rate P(I) is low.
E.g. if P(A|I) = 1, P(A|¬I) = 10^-5, and P(I) = 2·10^-5, then P(I|A) = 66%
Implications for IDS
Design algorithms to reduce the false alarm rate
Deploy the IDS at an appropriate point/layer with a sufficiently high base rate
[Figure: ROC curve, detection rate vs. % false alarm]
An ideal system should have a 100% detection rate with 0% false alarms
Host-Based IDSs
Network IDSs
Other problems
[Figure: network IDS pipeline: Network -> Packet stream -> libpcap -> tcpdump filters -> Filtered packet stream -> Event Engine]
Firewall: active filtering, fail-close
Network IDS: passive monitoring, fail-open
[Figure: placement of FW (inline) and IDS (monitoring)]
High-speed, large volume monitoring
Real-time notification
Mechanism separate from policy
Extensible
Broad detection coverage
Economy in resource usage
Resilience to stress
Resilience to attacks upon the IDS itself!
No packet filter drops
What the IDS sees may not be what the end system gets.
Insertion and evasion attacks.
IDS needs to perform full reassembly of packets.
Insertion Attack
End-System sees: A T T A C K
IDS sees: A T X T A C K
Evasion Attack
End-System sees: A T T A C K
IDS sees: A T T C K
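As an added illustration of the two figures above (not code from the original slides), here is a toy model in which a naive sensor matches on raw packets in arrival order while the end host validates checksums and TTL and reassembles by sequence number; a sensor that applies the host's rules sees the same bytes the host does. The segment fields, the hop count and the two packet streams are constructed for this example.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Segment:
    seq: int                    # byte offset of the payload in the TCP stream
    data: str                   # payload; one character per segment for readability
    checksum_ok: bool = True    # False: the host's stack silently discards it
    ttl: int = 64               # remaining hop count when it passes the sensor
    fragment: bool = False      # True: arrives as IP fragments (host reassembles them)

HOPS_TO_HOST = 3     # assumed topology: the sensor sits 3 hops in front of the host
SIGNATURE = "ATTACK"

def reassemble(segs: List[Segment], hops_to_host: int) -> str:
    """Model of the host's stack: drop segments with a bad checksum or a TTL that
    expires before arrival, then deliver the rest in sequence-number order."""
    kept = [s for s in segs if s.checksum_ok and s.ttl >= hops_to_host]
    return "".join(s.data for s in sorted(kept, key=lambda s: s.seq))

def end_host_view(segs: List[Segment]) -> str:
    return reassemble(segs, HOPS_TO_HOST)

def naive_ids_view(segs: List[Segment]) -> str:
    """Sensor that matches on raw packets in arrival order: it validates nothing,
    so inserted bytes are accepted, and it skips fragments it cannot reassemble."""
    return "".join(s.data for s in segs if not s.fragment)

def reassembling_ids_view(segs: List[Segment], hops_to_host: int = HOPS_TO_HOST) -> str:
    """Sensor that applies the host's own rules; it needs the path length to the
    host (measured in practice, a constant here) to judge TTL the way the host does."""
    return reassemble(segs, hops_to_host)

def signature_fires(view: str) -> bool:
    return SIGNATURE in view

# Constructed packet streams matching the two slide figures.
# Insertion: an extra "X" the host rejects (bad checksum; a short TTL works the same way).
INSERTION = [Segment(0, "A"), Segment(1, "T"), Segment(2, "X", checksum_ok=False),
             Segment(2, "T"), Segment(3, "A"), Segment(4, "C"), Segment(5, "K")]
# Evasion: the second "A" arrives fragmented, which the naive sensor never reassembles.
EVASION = [Segment(0, "A"), Segment(1, "T"), Segment(2, "T"),
           Segment(3, "A", fragment=True), Segment(4, "C"), Segment(5, "K")]

if __name__ == "__main__":
    for name, stream in (("insertion", INSERTION), ("evasion", EVASION)):
        print(f"{name}: host={end_host_view(stream)} naive={naive_ids_view(stream)} "
              f"reassembling={reassembling_ids_view(stream)}")
```

In both streams the host receives the signature while the naive sensor sees a different byte string and stays silent; only the sensor that reproduces the host's validation and reassembly agrees with the host.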
Resource exhaustion
CPU resources
Memory
Network bandwidth