Intrusion Detection: Principles, Models, and Architecture - Prof. Feng Zhu, Study notes of Computer Science

An in-depth exploration of intrusion detection, covering its principles, basics, models, and architecture. It includes discussions on anomaly detection, misuse detection, specification-based detection, and incident response.

Typology: Study notes

Pre 2010

Uploaded on 07/23/2009

koofers-user-yb7

Chapter 25: Intrusion Detection

  • Principles
  • Basics
  • Models of Intrusion Detection
  • Architecture of an IDS
  • Incident Response

Principles of Intrusion Detection

  • Characteristics of systems not under attack
    • User, process actions conform to statistically predictable pattern
    • User, process actions do not include sequences of actions that subvert the security policy
    • Process actions correspond to a set of specifications describing what the processes are allowed to do
  • Systems under attack do not meet at least one of these

Basic Intrusion Detection

  • Attack tool is automated script designed to violate a security policy

  • Example: rootkit
    • Includes password sniffer
    • Designed to hide itself using Trojaned versions of various programs ( ps , ls , find , netstat , etc.)
    • Adds back doors ( login , telnetd , etc.)
    • Has tools to clean up log entries ( zapper, etc.)

Rootkit (1)

  • Rootkit configuration files cause ls, du, etc. to hide information

  • ls lists all files in a directory
    • Except those hidden by configuration file
  • dirdump (local program to list directory entries) lists them too
    • Run both and compare counts
    • If they differ, ls is doctored
  • Other approaches possible
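The ls-versus-dirdump comparison from the slide, as an added example that is not part of the original notes: Python's os.scandir reads directory entries directly through the system call interface and stands in for dirdump, so a trojaned ls binary that drops entries shows up as a count mismatch and a list of the names it omitted (all names and sample listings here are constructed).

```python
import os
import subprocess


def names_from_ls(output):
    """Parse `ls -A1` output (one entry per line) into a set of names.
    Caveat: a file name containing a newline would be split in two."""
    return {line for line in output.splitlines() if line}


def hidden_entries(ls_names, independent_names):
    """Names the independent listing saw but ls did not report.
    A non-empty result means ls is hiding entries, i.e. it is doctored."""
    return sorted(set(independent_names) - set(ls_names))


def check_directory(path):
    """Compare ls against an independent listing of the same directory.
    os.scandir plays the role of dirdump: it asks the kernel for the
    entries itself, so a modified ls binary cannot filter what it returns.
    A kernel-level rootkit would fool both; this check targets user-space
    trojans of the kind the slide describes."""
    independent = {entry.name for entry in os.scandir(path)}
    result = subprocess.run(
        ["ls", "-A1", path], capture_output=True, text=True, check=True
    )
    ls_names = names_from_ls(result.stdout)
    return {
        "ls_count": len(ls_names),
        "independent_count": len(independent),
        "hidden": hidden_entries(ls_names, independent),
    }


if __name__ == "__main__":
    # on a clean system both counts agree and nothing is hidden
    print(check_directory("."))
```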

Denning’s Model

  • Hypothesis: exploiting vulnerabilities requires abnormal use of normal commands or instructions

  • Includes deviation from usual actions
  • Includes execution of actions leading to break-ins
  • Includes actions inconsistent with specifications of privileged programs

Goals of IDS

  • Detect wide variety of intrusions
    • Previously known and unknown attacks
    • Suggests need to learn/adapt to new attacks or changes in behavior
  • Detect intrusions in timely fashion
    • May need to be real-time, especially when system responds to intrusion
      • Problem: analyzing commands may impact response time of system
    • May suffice to report intrusion occurred a few minutes or hours ago

Models of Intrusion Detection

  • Anomaly detection
    • What is usual, is known
    • What is unusual, is bad
  • Misuse detection
    • What is bad, is known
    • What is not bad, is good
  • Specification-based detection
    • What is good, is known
    • What is not good, is bad

Anomaly Detection

  • Analyzes a set of characteristics of system, and compares their values with expected values; report when computed statistics do not match expected statistics

  • Threshold metrics
  • Statistical moments
  • Markov model

Difficulties

  • Appropriate threshold may depend on non-obvious factors

  • Typing skill of users
  • If keyboards are US keyboards, and most users are French, typing errors very common

Statistical Moments

  • Analyzer computes standard deviation (first two moments), other measures of correlation (higher moments)

  • If measured values fall outside expected interval for particular moments, anomalous
  • Potential problem
    • Profile may evolve over time; solution is to weigh data appropriately or alter rules to take changes into account
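The statistical-moments check on the Anomaly Detection and Statistical Moments slides, as an added example that is not from the original notes: the analyzer learns mean and standard deviation from a history, reports values outside the expected interval, and the decay parameter implements the "weigh data appropriately" remedy so a profile that evolves over time does not keep flagging the new normal (the failed-login counts are constructed sample data).

```python
import math

# constructed training data: failed logins per hour seen during normal use
NORMAL_FAILED_LOGINS = [2, 3, 1, 4, 2, 3, 2, 5, 3, 2, 4, 3, 2, 1, 3, 2, 4, 3, 2, 3]


def weighted_moments(values, decay=1.0):
    """Mean and standard deviation (the first two moments) of the sample.
    With decay < 1 each older value counts `decay` times less than the one
    after it, so the profile follows slow changes instead of freezing."""
    n = len(values)
    weights = [decay ** (n - 1 - i) for i in range(n)]
    total = sum(weights)
    mean = sum(w * v for w, v in zip(weights, values)) / total
    variance = sum(w * (v - mean) ** 2 for w, v in zip(weights, values)) / total
    return mean, math.sqrt(variance)


def expected_interval(mean, std, k=3.0):
    """Interval the analyzer expects a normal value to fall into."""
    return mean - k * std, mean + k * std


def is_anomalous(value, history, decay=1.0, k=3.0):
    """Report `value` as anomalous when it lies outside the expected
    interval computed from `history`."""
    mean, std = weighted_moments(history, decay)
    low, high = expected_interval(mean, std, k)
    return not (low <= value <= high)
```

With an unweighted profile frozen on the original history, a behaviour shift to around 20 failures per hour is flagged forever; with decay weighting the recent data dominates the moments and the shifted level becomes the new expectation.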

Potential Problems

  • Assumes behavior of processes and users can be modeled statistically

  • Ideal: matches a known distribution such as Gaussian or normal
  • Otherwise, must use techniques like clustering to determine moments, characteristics that show anomalies, etc.
  • Real-time computation a problem too

Markov Model

  • Past state affects current transition
  • Anomalies based upon sequences of events, and not on occurrence of single event
  • Problem: need to train system to establish valid sequences
    • Use known, training data that is not anomalous
    • The more training data, the better the model
    • Training data should cover all possible normal uses of system
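A Markov-model detector of the kind the slide describes, as an added example that is not part of the original notes: transition probabilities are learned from known-good event sequences, and a new sequence is reported when it contains a transition never seen in training or one whose probability is below a threshold, so the judgement rests on the sequence rather than on any single event (the session data is constructed).

```python
START, END = "<start>", "<end>"


class MarkovProfile:
    """Transition counts learned from known-good event sequences."""

    def __init__(self):
        self.counts = {}  # {previous_event: {next_event: count}}

    def train(self, sequences):
        for seq in sequences:
            prev = START
            for event in list(seq) + [END]:
                row = self.counts.setdefault(prev, {})
                row[event] = row.get(event, 0) + 1
                prev = event

    def transition_prob(self, prev, event):
        """Probability of `event` following `prev`; 0.0 if never observed."""
        row = self.counts.get(prev, {})
        total = sum(row.values())
        return row.get(event, 0) / total if total else 0.0

    def score(self, seq):
        """Lowest transition probability along `seq` (start and end
        included) and the list of transitions never seen in training."""
        prev, lowest, unseen = START, 1.0, []
        for event in list(seq) + [END]:
            p = self.transition_prob(prev, event)
            if p == 0.0:
                unseen.append((prev, event))
            lowest = min(lowest, p)
            prev = event
        return lowest, unseen

    def is_anomalous(self, seq, threshold=0.05):
        lowest, unseen = self.score(seq)
        return bool(unseen) or lowest < threshold


# constructed training data: command sequences from normal user sessions
NORMAL_SESSIONS = [
    ["login", "ls", "cd", "vi", "make", "logout"],
    ["login", "cd", "ls", "vi", "make", "logout"],
    ["login", "ls", "cat", "logout"],
    ["login", "cd", "make", "logout"],
]


def build_profile(sessions=NORMAL_SESSIONS):
    profile = MarkovProfile()
    profile.train(sessions)
    return profile
```

Because only the immediately preceding event matters, a sequence made entirely of individually common commands can still be reported when their order never occurred in the training data; the flip side is the slide's warning that training data must cover all normal uses, or legitimate sessions get flagged.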

Derivation of Statistics

  • IDES assumes Gaussian distribution of events

  • Clustering
    • Does not assume a priori distribution of data
    • Obtain data, group into subsets ( clusters ) based on some property ( feature )
    • Analyze the clusters, not individual data points

Finding Features

  • Which features best show anomalies?
    • CPU use may not, but I/O use may
  • Use training data
    • Anomalous data marked
    • Feature selection program picks features, clusters that best reflect anomalous data
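The clustering and feature-finding procedure from the last two slides, as an added example that is not part of the original notes: marked training records are scored feature by feature on how well the anomalous values separate from the normal ones (the slide's "CPU use may not, but I/O use may"), and a one-dimensional 2-means clustering on the best feature shows which cluster the anomalous data falls into (all records are constructed; the separation score is one simple choice, not the method of any particular IDS).

```python
import math
from statistics import mean, pstdev

# constructed, labelled training records: per-process measurements with a
# mark saying whether the record came from an intrusion. CPU use looks
# alike for both classes; I/O use does not.
TRAINING = [
    ({"cpu": 0.20, "io": 10}, False),
    ({"cpu": 0.25, "io": 12}, False),
    ({"cpu": 0.30, "io": 9}, False),
    ({"cpu": 0.22, "io": 11}, False),
    ({"cpu": 0.28, "io": 13}, False),
    ({"cpu": 0.21, "io": 90}, True),
    ({"cpu": 0.27, "io": 110}, True),
    ({"cpu": 0.24, "io": 100}, True),
]


def separation(feature, records):
    """Distance between the anomalous and normal means of one feature,
    in units of their combined spread (higher means a more useful feature)."""
    normal = [r[feature] for r, marked in records if not marked]
    anomalous = [r[feature] for r, marked in records if marked]
    spread = pstdev(normal) + pstdev(anomalous)
    gap = abs(mean(anomalous) - mean(normal))
    return gap / spread if spread else math.inf


def rank_features(records):
    """Features ordered from most to least useful for showing anomalies."""
    features = records[0][0].keys()
    return sorted(features, key=lambda f: separation(f, records), reverse=True)


def two_clusters(values, rounds=20):
    """One-dimensional 2-means; returns the two cluster centres."""
    low, high = min(values), max(values)
    for _ in range(rounds):
        near_low = [v for v in values if abs(v - low) <= abs(v - high)]
        near_high = [v for v in values if abs(v - low) > abs(v - high)]
        new = (mean(near_low) if near_low else low, mean(near_high) if near_high else high)
        if new == (low, high):
            break
        low, high = new
    return low, high


def anomalous_cluster(records, feature):
    """Centre of the cluster that the marked-anomalous records fall into."""
    centres = two_clusters([r[feature] for r, _ in records])
    anomalous_mean = mean(r[feature] for r, marked in records if marked)
    return min(centres, key=lambda c: abs(c - anomalous_mean))
```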