Published on September 13, 2007
The Many Faces of Intrusion Detection System
Ameya Anil Velankar, Department of Computer Science, The University of Texas at Dallas

Motivation
- On May 22, 1996, the U.S. General Accounting Office (GAO) disclosed that approximately 250,000 break-ins into Federal computer systems were attempted over the year 1995.
- 64% of these attacks were successful.
- It gets worse! The number of attacks is doubling every year.
- GAO estimates that only 1% of these attacks will be reported.

Outline
- Introduction to Intrusion Detection Systems (IDS)
- Survey of current IDSs
- Conclusion: desirable characteristics of an IDS

What is Intrusion?
- An intrusion is 'any set of activities that attempt to compromise the integrity, confidentiality or availability of a resource'.
- Examples:
  - DoS: attempts to starve a host of the resources it needs to function correctly.
  - Compromises: obtaining privileged access to a host through known vulnerabilities.

Why Intrusion Detection?
- The conventional approach to securing a computer system is to identify and authenticate its users.
- This prevention-based approach has the following limitations:
  - It is very difficult to build a useful system that is perfectly secure.
  - Crypto-based systems cannot protect against lost or stolen keys and cracked passwords.
  - The system can be vulnerable to insiders abusing their privileges.

Intrusion Detection
- An alternative approach, intrusion detection, has proved more effective than the prevention-based approach.
- Intrusion detection is the process of identifying malicious activities of unauthorized users (outside threat) and abuse of privileges by authorized users (inside threat).
Model of Intrusion Detection
- Models of intrusion detection fall into two broad categories:
  - Anomaly detection model: statistically analyses the user's current sessions, compares them to a profile describing the user's normal behaviour, and reports significant deviations to the security officer.
  - Misuse detection model: looks for known attack signatures in the user's behaviour.

Intrusion Detection System
- An Intrusion Detection System (IDS) is a computer program that attempts to perform intrusion detection, preferably in real time, by anomaly detection, misuse detection, or a combination of both.
- The notion of an IDS does not include preventing the intrusion from occurring, only detecting it and reporting it to an operator.

Host-based vs. Network-based IDS
- Host-based systems use audit data from a single host as the main source of input for detecting intrusions.
- Network-based IDSs obtain their data by monitoring the traffic of the network to which the hosts are connected.

Intrusion Detection Using Honey Pot
- A honey pot is a 'decoy' system that appears to have several vulnerabilities offering easy access to its resources.
- It provides a mechanism by which intrusions can be trapped before an attack is made on real assets.

Intrusion Detection Using Honey Pot (cont.)
- Multi-level Log Mechanism (MLLM): MLLM logs the attacker's activities into two places:
  - Remote Log Server
  - Sniffer Server

Intrusion Detection Using Honey Pot (cont.)
- AAIDHP (An Architecture for Intrusion Detection using Honey Pot): architecture diagram (figure caption only; the diagram is not in the extracted text)

Intrusion Detection Using Honey Pot (cont.)
- Characteristics of AAIDHP:
  - Flexibility: a network environment that realistically mirrors the production network is created.
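The two models on the "Model of Intrusion Detection" slide are easiest to compare side by side in code. The following is an added example written for this page, not code from the slides or from any of the surveyed systems: a statistical anomaly detector that builds a per-user profile (mean and standard deviation of a few session features) and flags large z-score deviations, next to a misuse detector that looks for ordered command signatures. The training sessions, the feature choice, the signature list and the z-score threshold of 3.0 are all constructed assumptions for illustration.

```python
"""Anomaly detection (profile deviation) vs. misuse detection (signatures).

Added example; the training data, signatures and threshold are constructed.
"""
from statistics import mean, pstdev

# Constructed training sessions per user, measured as
# (login hour, commands issued, kilobytes transferred).
TRAINING = {
    "alice": [(9, 40, 1200), (10, 55, 900), (9, 48, 1500),
              (11, 42, 1100), (8, 50, 1300), (10, 45, 1000)],
}

# Constructed misuse signatures: ordered command fragments that normal
# sessions should not contain together. Names and patterns are illustrative.
SIGNATURES = {
    "shadow-file-read": ["cat /etc/passwd", "cat /etc/shadow"],
    "setuid-shell": ["cp /bin/sh", "chmod 4755"],
}

Z_THRESHOLD = 3.0  # assumed cut-off: more than three standard deviations is "significant"


def build_profile(sessions):
    """Per-feature (mean, standard deviation) describing a user's normal behaviour."""
    columns = list(zip(*sessions))
    return [(mean(col), pstdev(col)) for col in columns]


def anomaly_score(profile, session):
    """Largest absolute z-score over all features; 0.0 when every feature is typical."""
    scores = []
    for (mu, sigma), value in zip(profile, session):
        if sigma == 0:
            # A feature that never varied in training: any change is maximally surprising.
            scores.append(0.0 if value == mu else float("inf"))
        else:
            scores.append(abs(value - mu) / sigma)
    return max(scores)


def misuse_matches(commands):
    """Signatures whose fragments appear in order (not necessarily adjacent) in the command stream."""
    hits = []
    for name, pattern in SIGNATURES.items():
        idx = 0
        for cmd in commands:
            if idx < len(pattern) and pattern[idx] in cmd:
                idx += 1
        if idx == len(pattern):
            hits.append(name)
    return hits


def evaluate_session(user, features, commands):
    """Run both detectors on one session of a known (profiled) user."""
    profile = build_profile(TRAINING[user])
    score = anomaly_score(profile, features)
    return {
        "user": user,
        "anomaly_score": round(score, 2),
        "anomalous": score > Z_THRESHOLD,
        "misuse": misuse_matches(commands),
    }


if __name__ == "__main__":
    print(evaluate_session("alice", (10, 47, 1150), ["ls", "pwd"]))
    print(evaluate_session("alice", (3, 200, 9000),
                           ["ls", "cat /etc/passwd", "whoami", "cat /etc/shadow"]))
```

The two detectors fail in opposite ways, which is why the slides later recommend combining them: the anomaly side will flag an unusual but benign 3 a.m. session, while the misuse side stays silent on any attack whose signature it has never been given.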
  - Configurability: data control and route control can be deployed dynamically.
  - Security: intruders can be trapped in the honey pot before an attack is made on real assets.

A Web-based IDS
- A web-based application providing remote monitoring of intrusions.
- The web-based IDS identifies anomalies in network traffic using data mining techniques.

A Web-based IDS (cont.)
- System Architecture (figure caption only; the diagram is not in the extracted text)

A Web-based IDS (cont.)
- Data collection using Snort:
  - Snort generates alerts and captures network packets to form the audit data.
  - This raw data is stored in a MySQL database for further mining.
- Data mining:
  - Clustering
  - Sequence analysis
  - Drilldown
  - Visualization
- The rules mined from the audit data are merged and added to an aggregate rule set used to detect intrusions.

A Peer-based Hardware Protocol for IDS
- Why a hardware protocol?
  - Security software is a common target of computer system intruders.
  - It is therefore logical to place as many security-related functions as possible in hardware.
- The peer-based hardware protocol extends the Cooperative Security Manager (CSM) approach developed at Texas A&M University.

A Peer-based Hardware Protocol for IDS (cont.)
- Cooperative Security Managers (CSM):
  - Each host running a CSM is responsible for the activities of its own users.
  - CSMs coordinate among themselves for intrusion detection.
  - Drawback: all components are implemented in software.

A Peer-based Hardware Protocol for IDS (cont.)
- Hardware-based protocol for IDS: the directing functions of the IDS are placed in hardware, and system-specific functions are managed by software.
- The CSM hardware platform detects intrusive activity on a host and coordinates activities among hosts; these are the Security Manager and Local IDS functions of the CSM system.
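The web-based IDS slides describe a pipeline (Snort alerts into a database, then clustering, sequence analysis and drilldown, then an aggregate rule set) without showing what those mining steps do to the data. The block below is an added example written for this page, not the system of Nalluri and Kar: it parses a handful of constructed alert lines modelled on Snort's single-line alert output, clusters them by source and signature, mines signature transitions per source as a simple sequence analysis, turns the transitions that end in a top-priority alert into rules, and applies those rules back to the records. The signature IDs, messages, addresses, the 60-second window and the "priority 1" criterion are all constructed assumptions; a real deployment would read the same fields from the MySQL table instead of a string.

```python
"""Mining Snort-style alerts: cluster, sequence, drilldown, aggregate rules.

Added example; alert lines and mining criteria are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed alert lines in the shape of Snort's one-line alert output.
# The signature IDs, messages and addresses are made up for this example.
ALERT_LINES = """\
09/13-14:22:01.103  [**] [1:9000001:1] EXAMPLE PORTSCAN probe [**] [Priority: 3] {TCP} 10.0.0.5:44321 -> 10.0.0.9:22
09/13-14:22:01.917  [**] [1:9000001:1] EXAMPLE PORTSCAN probe [**] [Priority: 3] {TCP} 10.0.0.5:44322 -> 10.0.0.9:80
09/13-14:22:03.410  [**] [1:9000002:1] EXAMPLE WEB-ATTACK directory traversal [**] [Priority: 1] {TCP} 10.0.0.5:44330 -> 10.0.0.9:80
09/13-14:25:45.002  [**] [1:9000003:1] EXAMPLE ICMP echo request [**] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.9
09/13-14:31:12.555  [**] [1:9000002:1] EXAMPLE WEB-ATTACK directory traversal [**] [Priority: 1] {TCP} 10.0.0.8:51000 -> 10.0.0.9:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Turn alert lines into records, the shape a row of the audit database would have."""
    records = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # anything that is not a well-formed alert line is skipped
        d = m.groupdict()
        # The one-line format carries no year; a fixed year still orders events within a day.
        when = datetime.strptime("2000/" + d["ts"], "%Y/%m/%d-%H:%M:%S.%f")
        records.append({
            "time": when, "sid": int(d["sid"]), "msg": d["msg"],
            "priority": int(d["prio"]), "proto": d["proto"],
            "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None,
        })
    return records


def cluster_by_source(records):
    """Clustering: how many times each (source, signature) pair fired."""
    return Counter((r["src"], r["sid"]) for r in records)


def sequence_pairs(records, window_seconds=60):
    """Sequence analysis: signature transitions between consecutive alerts of one source."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_src[r["src"]].append(r)
    pairs = Counter()
    for events in by_src.values():
        for prev, cur in zip(events, events[1:]):
            gap = (cur["time"] - prev["time"]).total_seconds()
            if prev["sid"] != cur["sid"] and gap <= window_seconds:
                pairs[(prev["sid"], cur["sid"])] += 1
    return pairs


def drilldown(records, src):
    """Drilldown: the individual alerts behind one source's cluster, oldest first."""
    return sorted((r for r in records if r["src"] == src), key=lambda r: r["time"])


def mined_rules(records, window_seconds=60):
    """Aggregate rule set: transitions whose second alert has top priority (assumed: priority 1)."""
    top = {r["sid"] for r in records if r["priority"] == 1}
    return {pair for pair in sequence_pairs(records, window_seconds) if pair[1] in top}


def sources_matching(records, rules, window_seconds=60):
    """Apply the rule set: sources whose own alert sequence contains a rule transition."""
    flagged = set()
    for src in {r["src"] for r in records}:
        own = [r for r in records if r["src"] == src]
        if rules & set(sequence_pairs(own, window_seconds)):
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    recs = parse_alerts(ALERT_LINES)
    print(cluster_by_source(recs))
    print(mined_rules(recs), sources_matching(recs, mined_rules(recs)))
```

The point of the sequence step is that a low-priority probe alert on its own is noise, but the same source moving from a probe to a high-priority alert within a minute is a pattern worth a rule; the drilldown then lets the operator see the raw alerts that produced it.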
- The User Interface, Intruder Handling and Command Monitor are system specific and will be implemented in software.
- Limitation of the hardware-based protocol: it requires that the majority of the systems connected to the network have the hardware platform attached.

Intrusion Detection in Wireless Ad-Hoc Networks
- Architecture for IDS in wireless ad-hoc networks (figure caption only; the diagram is not in the extracted text)

Intrusion Detection in Wireless Ad-Hoc Networks (cont.)
- A conceptual model for an IDS agent (figure caption only; the diagram is not in the extracted text)

Intrusion Detection in Wireless Ad-Hoc Networks (cont.)
- Individual IDS agents are placed on each and every node.
- Each IDS agent monitors local activities independently, detects intrusions from local traces, and initiates a response if it has strong evidence of intrusion.
- If the intrusion evidence is inconclusive, neighbouring IDS agents cooperatively participate in a global intrusion detection action.

IDS for ATM Networks
- Challenges:
  - Point-to-point data flows can only be viewed by the intermediate switches.
  - ATM networks can grow very large, requiring a large number of sensors.
  - ATM encompasses a wide range of link rates, so the IDS must support a variety of sensor types.

IDS for ATM Networks (cont.)
- ATM Intrusion Detection Architecture (figure caption only; the diagram is not in the extracted text)

IDS for ATM Networks (cont.)
- The four main components of this system are:
  - Sensors: send network events to the assessment engine.
  - Assessment Engine: formulates the strategy to respond.
  - Rule Editor: helps the administrator create rule files.
  - Responses: perform the response actions.

Autonomous Agents for Intrusion Detection (AAFID)
- Independently running agents allow reconfiguration without having to restart the IDS.
- The system can be made scalable by organizing the agents in a hierarchical structure.
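The ad-hoc network slides describe a two-stage decision: each node's agent acts alone on strong local evidence and falls back to its neighbours only when the evidence is inconclusive. The following is an added example written for this page, not Zhang and Lee's agent or any code from the slides: it derives a local evidence score from a constructed trace, applies two assumed thresholds (strong at 0.8, weak at 0.4), and for inconclusive nodes takes a majority vote over the node and its one-hop neighbours. The four-node topology, the trace format and both thresholds are constructed assumptions.

```python
"""Local-then-cooperative decisions among ad-hoc IDS agents.

Added example; topology, traces and thresholds are constructed.
"""

STRONG_EVIDENCE = 0.8  # assumed: act on local evidence alone
WEAK_EVIDENCE = 0.4    # assumed: below this the local agent reports nothing

# Constructed one-hop neighbourhood graph (undirected).
NEIGHBOURS = {
    "A": ["B", "C"],
    "B": ["A", "C", "D"],
    "C": ["A", "B", "D"],
    "D": ["B", "C"],
}


def local_evidence(trace):
    """Fraction of locally observed events the agent judged anomalous.

    `trace` is a constructed list of booleans, one per observed event
    (True = the local detector flagged it); empty traces carry no evidence.
    """
    if not trace:
        return 0.0
    return sum(1 for flagged in trace if flagged) / len(trace)


def local_decision(score):
    """Stage one: the agent's own verdict from local traces only."""
    if score >= STRONG_EVIDENCE:
        return "respond"
    if score >= WEAK_EVIDENCE:
        return "inconclusive"
    return "normal"


def cooperative_decision(node, local_scores, neighbours=NEIGHBOURS):
    """Stage two: the node and its neighbours vote; a strict majority of
    'at least weak evidence' verdicts yields a global intrusion response."""
    voters = [node] + neighbours[node]
    votes = sum(1 for v in voters if local_scores[v] >= WEAK_EVIDENCE)
    return "respond" if votes * 2 > len(voters) else "normal"


def decide(node, local_scores, neighbours=NEIGHBOURS):
    """Return (verdict, stage) so the operator can see which stage decided."""
    verdict = local_decision(local_scores[node])
    if verdict != "inconclusive":
        return verdict, "local"
    return cooperative_decision(node, local_scores, neighbours), "cooperative"


def run_round(local_scores, neighbours=NEIGHBOURS):
    """One detection round: every node decides from the current local scores."""
    return {node: decide(node, local_scores, neighbours) for node in neighbours}


if __name__ == "__main__":
    # Constructed traces: A has clear evidence, B and C are borderline, D sees nothing.
    scores = {
        "A": local_evidence([True] * 9 + [False]),
        "B": local_evidence([True, False] * 5),
        "C": local_evidence([True] * 9 + [False] * 11),
        "D": local_evidence([False] * 9 + [True]),
    }
    print(run_round(scores))
```

Two properties are worth noticing: a node with strong evidence never waits for the vote, so a single compromised node cannot stall its neighbours' response, and a lone borderline node surrounded by quiet neighbours is not escalated, which keeps one noisy sensor from triggering the whole neighbourhood.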
- Each agent can be implemented as required for its given task.
- The IDS can cross the traditional boundaries between host-based and network-based IDSs.

Autonomous Agents for Intrusion Detection (cont.)
- Physical layout of the components in the AAFID system (figure caption only; the diagram is not in the extracted text)

Autonomous Agents for Intrusion Detection (cont.)
- Logical organization of the AAFID system (figure caption only; the diagram is not in the extracted text)

Autonomous Agents for Intrusion Detection (cont.)
- Components of AAFID:
  - Agents: monitor certain aspects of a host and report abnormal behaviour to the appropriate transceiver.
  - Transceivers: have two roles, control and data processing.
  - Monitors: have control and data processing roles, and also provide the access point for the whole AAFID system.

Autonomous Agents for Intrusion Detection (cont.)
- Limitations of AAFID:
  - Monitors are a single point of failure.
  - Redundant monitors may produce inconsistencies in the system.
  - Response time can be poor.

Desirable Characteristics of IDS
- An IDS must take a distributed and cooperative approach to intrusion detection.
- An IDS should easily allow for 'back-hacking'.
- An IDS should be scalable.
- An IDS should offer a user-friendly interface.
- An IDS should combine host-based and network-based intrusion detection approaches.

References
- G. B. White and M. L. Huson, 'A peer-based hardware protocol for intrusion detection systems,' IEEE Military Communications Conference, MILCOM '96 Conference Proceedings, Vol. 2, pp. 468-472, 1996.
- A. Nalluri and D. Kar, 'A web-based system for intrusion detection,' ACM Journal of Computing Sciences in Colleges, Vol. 20, Issue 4, 2005.
- T. D. Tarman, E. L. Witzke, K. C. Bauer, B. R. Kellogg, and W. F. Young, 'Asynchronous transfer mode (ATM) intrusion detection,' IEEE Military Communications Conference, MILCOM 2001 Conference Proceedings, Vol. 1, pp. 87-91, 2001.
- Y. Zhang and W. Lee, 'Intrusion detection in wireless ad-hoc networks,' 6th Annual International Mobile Computing and Networking Conference Proceedings, 2000.

References (cont.)
- Z. Tian, B. Fang, and X. Yun, 'An architecture for intrusion detection using honey pot,' IEEE International Conference on Machine Learning and Cybernetics, Vol. 4, pp. 2096-2100, 2003.
- J. S. Balasubramaniyan, J. O. Garcia-Fernandez, D. Isacoff, E. Spafford, and D. Zamboni, 'An architecture for intrusion detection using autonomous agents,' 14th Annual IEEE Computer Security Applications Conference Proceedings, pp. 13-24, 1998.
- R. Durst, T. Champion, B. Witten, E. Miller, and L. Spagnuolo, 'Testing and evaluating computer intrusion detection systems,' Communications of the ACM, Vol. 42, Issue 7, 1999.
- B. Mukherjee, L. T. Heberlein, and K. N. Levitt, 'Network intrusion detection,' IEEE Network, Vol. 8, Issue 3, pp. 26-41, 1994.