IDS Analysis Scheme
advertisement
IDS ANALYSIS SCHEME
1
OBJECTIVES
Able to compare between anomaly and signature
based detection
Able to explain hybrid characteristics for IDS
To explain the benefits and drawbacks of IDS
2
IDS
Burglar alarm on doors and windows of your home
= IDS for your home
IDS used to protect your network operates in a
similar manner.
Locate intrusive activity by examining:
Network traffic
Host logs
System calls
Other areas – signal an attack against your network
3
Alarm raised No alarm
IDS TERMINOLOGY
Attack exists
T+
F-
No attack
F+
T-
Alert/Alarm: A signal suggesting that a system has been or is
being attacked.
True Positive: A legitimate attack which triggers an IDS to
produce an alarm.
False Positive: An event signaling an IDS to produce an
alarm when no attack has taken place.
False Negative: A failure of an IDS to detect an actual attack.
True Negative: When no attack has taken place and no alarm
is raised.
Noise: Data or interference that can trigger a false positive.
4
Scarfone, Karen; Mell, Peter (February 2007). "Guide to Intrusion Detection and Prevention Systems
(IDPS)". Computer Security Resource Center (National Institute of Standards and Technology) (800-94).
http://csrc.ncsl.nist.gov/publications/nistpubs/800-94/SP800-94.pdf. Retrieved 1 January 2010.
IDS TERMINOLOGY
Site policy: Guidelines within an organization that control the
rules and configurations of an IDS.
Site policy awareness: The ability an IDS has to dynamically
change its rules and configurations in response to changing
environmental activity.
Confidence value: A value an organization places on an IDS
based on past performance and analysis to help determine its
ability to effectively identify an attack.
Alarm filtering: The process of categorizing attack alerts
produced from an IDS in order to distinguish false positives
from actual attacks.
5
Scarfone, Karen; Mell, Peter (February 2007). "Guide to Intrusion Detection and Prevention Systems
(IDPS)". Computer Security Resource Center (National Institute of Standards and Technology) (800-94).
http://csrc.ncsl.nist.gov/publications/nistpubs/800-94/SP800-94.pdf. Retrieved 1 January 2010.
EVALUATE IDS
By looking at the following:
Triggers
Monitoring locations
Hybrid characteristics
6
1. IDS TRIGGERS
7
IDS TRIGGERS
Current IDS use 2 major triggering mechanisms to
generate intrusion alarms
They are:
Anomaly detection
Signature based detection
Trigger mechanisms:
Refer to action that causes the IDS to generate an
alarm
8
IDS TRIGGERS
NIDS – generates alarm if it sees a packet to a
certain port with a certain data in it.
HIDS – generates alarm if a certain system call
executes.
A system call is a request made by any arbitrary
program to the OS for performing tasks.
Improper use of the system can easily cause a system
crash.
9
ANOMALY DETECTION
We are drowning in the overflow of data that are
being collected world-wide, while starving for
knowledge at the same time
Anomalous events occur relatively infrequently
However, when they occur, their consequences can
be quite dramatic and quite often in a negative
sense.
10
WHAT ARE ANOMALIES?
Anomaly is a pattern in the data that does not
conform to the expected behaviour
Also referred to as outliers, exceptions,
peculiarities, surprise, etc.
Anomalies translate to significant (often critical) real
life entities
Cyber intrusions
A web server involved in ftp traffic
Credit card fraud
An abnormally high purchase made on a credit card
11
WHAT ARE ANOMALIES?
N1 and N2 are regions
of normal behaviour
Points O1 and O2 are
anomalies
Points in region O3 are
anomalies
12
KEY CHALLENGES
Defining a representative normal region is
challenging
The boundary between normal and outlying
behaviour is often not precise
The exact notion of an outlier is different for
different applications domains
Availability of labeled data for training /validation
Malicious adversaries
Data might contain noise
Normal behaviour keeps evolving
13
INPUT DATA
Engine
Temperature
Most
common form of
data handled by
anomaly detection
techniques is Record
Data
192
195
180
199
19
177
Univariate
Multivariate
172
285
195
163
10
INPUT DATA
Tid
Most
common form of
data handled by
anomaly detection
techniques is Record
Data
Univariate
Multivariate
SrcIP
Start
time
Dest IP
Dest
Port
Number
Attack
of bytes
1 206.135.38.95 11:07:20 160.94.179.223
139
192
No
2 206.163.37.95 11:13:56 160.94.179.219
139
195
No
3 206.163.37.95 11:14:29 160.94.179.217
139
180
No
4 206.163.37.95 11:14:30 160.94.179.255
139
199
No
5 206.163.37.95 11:14:32 160.94.179.254
139
19
Yes
6 206.163.37.95 11:14:35 160.94.179.253
139
177
No
7 206.163.37.95 11:14:36 160.94.179.252
139
172
No
8 206.163.37.95 11:14:38 160.94.179.251
139
285
Yes
9 206.163.37.95 11:14:41 160.94.179.250
139
195
No
10 206.163.37.95 11:14:44 160.94.179.249
139
163
Yes
10
19 …. 163 … 172, 177, 180 … 192, 195, 195, 199 …. 285
INPUT DATA – NATURE OF ATTRIBUTES
Nature of attributes
Binary
Categorical
Continuous
Hybrid
Tid
SrcIP
Number
Internal
of bytes
Duration
Dest IP
1 206.163.37.81
0.10
160.94.179.208
150
No
2 206.163.37.99
0.27
160.94.179.235
208
No
3 160.94.123.45
1.23
160.94.179.221
195
Yes
4 206.163.37.37 112.03
160.94.179.253
199
No
5 206.163.37.41
160.94.179.244
181
No
0.32
TYPES OF ANOMALY
Point anomalies
Contextual anomalies
Collective anomalies
17
* Varun Chandola, Arindam Banerjee, and Vipin Kumar, Anomaly Detection - A Survey, in ACM Computing
Surveys 2008.
POINT ANOMALIES
An individual data instance is anomalous w.r.t. the
data
Y
N1
o1
O3
o2
N2
18
X
CONTEXTUAL ANOMALIES
An individual data instance is anomalous within a
context
Requires a notion of context
Also referred to as conditional anomalies*
Anomaly
Normal
* Xiuyao Song, Mingxi Wu, Christopher Jermaine, Sanjay Ranka, Conditional Anomaly Detection, IEEE19
Transactions on Data and Knowledge Engineering, 2006.
COLLECTIVE ANOMALIES
A collection of related data instances is anomalous
Requires a relationship among data instances
Sequential Data
Spatial Data
Graph Data
The individual instances within a collective anomaly are not
anomalous by themselves
Anomalous Subsequence
20
OUTPUT OF ANOMALY DETECTION
Label
Each test instance is given a normal or anomaly label
This is especially true of classification-based
approaches
Score
Each test instance is assigned an anomaly score
Allows the output to be ranked
Requires additional threshold parameter
21
APPLICATIONS OF ANOMALY DETECTION
Network intrusion detection
Insurance / credit card fraud detection
Healthcare informatics / medical diagnostics
Industrial damage detection
Image processing / video surveillance
Novel topic detection in text mining
… etc.
22
INTRUSION DETECTION
Intrusion Detection:
Challenges
Process of monitoring the events occurring in a computer system
or network and analyzing them for intrusions
Intrusions are defined as attempts to bypass the security
mechanisms of a computer or network
Traditional signature-based intrusion detection
systems are based on signatures of known
attacks and cannot detect emerging cyber threats
Substantial latency in deployment of newly
created signatures across the computer system
Anomaly detection can alleviate these
limitations
23
FRAUD DETECTION
Fraud detection refers to detection of criminal activities
occurring in commercial organizations
Types of fraud
Malicious users might be the actual customers of the organization
or might be posing as a customer (also known as identity theft).
Credit card fraud
Insurance claim fraud
Mobile / cell phone fraud
Insider trading
Challenges
Fast and accurate real-time detection
Misclassification cost is very high
CLASSIFICATION BASED TECHNIQUES
Main
idea: build a classification model for normal (and
anomalous (rare)) events based on labelled training data,
and use it to classify each new unseen event
Classification
models must be able to handle skewed
(imbalanced) class distributions
Categories:
Supervised classification techniques
Require knowledge of both normal and anomaly class
Build classifier to distinguish between normal and known anomalies
Semi-supervised classification techniques
Require knowledge of normal class only!
Use modified classification model to learn the normal behavior and then
detect any deviations from normal behavior as anomalous
25
CLASSIFICATION BASED TECHNIQUES
Advantages:
Supervised classification techniques
Models that can be easily understood
High accuracy in detecting many kinds of known anomalies
Semi-supervised classification techniques
Models that can be easily understood
Normal behaviour can be accurately learned
Drawbacks:
Supervised classification techniques
Require both labels from both normal and anomaly class
Cannot detect unknown and emerging anomalies
Semi-supervised classification techniques
Require labels from normal class
Possible high false alarm rate - previously unseen (yet legitimate) data
records may be recognized as anomalies
26
RULE BASED TECHNIQUES
Creating
new rule based algorithms (PN-rule, CREDOS)
Adapting existing rule based techniques
Robust C4.5 algorithm [John95]
Adapting multi-class classification methods to single-class classification
problem
Association rules
Rules with support higher than pre specified threshold may characterize normal
behaviour [Barbara01, Otey03]
Anomalous data record occurs in fewer frequent item sets compared to normal
data record [He04]
Frequent episodes for describing temporal normal behaviour [Lee00,Qin04]
Case specific feature/rule weighting
Case specific feature weighting [Cardey97] - Decision tree learning, where for
each rare class test example replace global weight vector with dynamically
generated weight vector that depends on the path taken by that example
Case specific rule weighting [Grzymala00] - LERS (Learning from Examples
based on Rough Sets) algorithm increases the rule strength for all rules
describing the rare class
27
CONTEXTUAL ANOMALY DETECTION
Detect
contextual anomalies.
Key Assumption : All normal instances within a context
will be similar (in terms of behavioural attributes), while
the anomalies will be different from other instances within
the context.
General Approach :
Identify a context around a data instance (using a set of
contextual attributes).
Determine if the test data instance is anomalous within the
context (using a set of behavioural attributes).
28
COLLECTIVE ANOMALY DETECTION
Detect collective anomalies.
Exploit the relationship among data instances.
Sequential anomaly detection
Spatial anomaly detection
Detect anomalous sequences
Detect anomalous sub-regions within a spatial data set
Graph anomaly detection
Detect anomalous sub-graphs in graph data
29
WHAT ARE INTRUSIONS?
Intrusions are actions that attempt to bypass security mechanisms of
computer systems. They are usually caused by:
Attackers accessing the system from Internet
Insider attackers - authorized users attempting to gain and misuse nonauthorized privileges
Typical intrusion scenario
Computer
Network
Scanning
activity
Compromised
Machine
Attacker
Machine with
vulnerability
30
IDS ANALYSIS STRATEGY
Misuse/signature detection is based on extensive knowledge of
patterns associated with known attacks provided by human
experts
Existing approaches: pattern (signature) matching, expert systems,
state transition analysis, data mining
Major limitations:
Unable to detect novel & unanticipated attacks
Signature database has to be revised for each new type of discovered
attack
Anomaly detection is based on profiles that represent normal
behaviour of users, hosts, or networks, and detecting attacks as
significant deviations from this profile
Major benefit - potentially able to recognize unforeseen attacks.
Major limitation - possible high false alarm rate, since detected
deviations do not necessarily represent actual attacks
Major approaches: statistical methods, expert systems, clustering,
neural networks, support vector machines, outlier detection schemes
31
INTRUSION DETECTION
Intrusion Detection System
– combination of software
and hardware that attempts
to perform intrusion detection
– raises the alarm when possible
intrusion happens
Traditional intrusion detection system IDS tools (e.g. SNORT) are based
on signatures of known attacks
– Example of SNORT rule (MS-SQL “Slammer” worm)
any -> udp port 1434 (content:"|81 F1 03 01 04 9B 81 F1 01|";
content:"sock"; content:"send")
Limitations
– Signature database has to be manually revised for each new type of
discovered intrusion
– They cannot detect emerging cyber threats
– Substantial latency in deployment of newly created signatures across the
computer system
• Data Mining can alleviate these limitations
32
DATA MINING FOR INTRUSION DETECTION
Increased interest in data mining based intrusion detection
Attacks for which it is difficult to build signatures
Attack stealthiness
Unforeseen/Unknown/Emerging attacks
Distributed/coordinated attacks
Data mining approaches for intrusion detection
Misuse detection
Anomaly detection
Building predictive models from labelled data sets (instances
are labelled as “normal” or “intrusive”) to identify known intrusions
High accuracy in detecting many kinds of known attacks
Cannot detect unknown and emerging attacks
Detect novel attacks as deviations from “normal” behaviour
Potential high false alarm rate - previously unseen (yet legitimate)
system behaviours may also be recognized as anomalies
Summarization of network traffic
33
DATA MINING FOR INTRUSION DETECTION
Tid
SrcIP
Start
time
Dest IP
Dest
Port
Number
Attack
of bytes
Misuse Detection –
Building Predictive
Models
Tid
SrcIP
Start
time
Dest
DestPort
IP
Number
Number
Attack
Attack
of bytes
bytes
of
1 206.135.38.95 11:07:20 160.94.179.223
139
192
No
2 206.163.37.95 11:13:56 160.94.179.219
139
195
No
1 206.163.37.81 11:17:51 160.94.179.208
160.94.179.208
150
150
?
No
3 206.163.37.95 11:14:29 160.94.179.217
139
180
No
2 206.163.37.99 11:18:10 160.94.179.235
160.94.179.235
208
208
?
No
4 206.163.37.95 11:14:30 160.94.179.255
139
199
No
3 206.163.37.55 11:34:35 160.94.179.221
160.94.179.221
195
195
?
Yes
5 206.163.37.95 11:14:32 160.94.179.254
139
19
Yes
4 206.163.37.37 11:41:37 160.94.179.253
160.94.179.253
199
199
?
No
6 206.163.37.95 11:14:35 160.94.179.253
139
177
No
5 206.163.37.41 11:55:19 160.94.179.244
160.94.179.244
181
181
?
Yes
7 206.163.37.95 11:14:36 160.94.179.252
139
172
No
8 206.163.37.95 11:14:38 160.94.179.251
139
285
Yes
9 206.163.37.95 11:14:41 160.94.179.250
139
195
No
10 206.163.37.95 11:14:44 160.94.179.249
139
163
Yes
10
Summarization of
attacks using
association rules
Training
Set
Learn
Classifier
Test
Set
Model
Anomaly Detection
Rules Discovered:
{Src IP = 206.163.37.95,
Dest Port = 139,
Bytes [150, 200]} --> {ATTACK}
34
ANOMALY DETECTION ON REAL NETWORK DATA
Anomaly detection was used at U of Minnesota and Army Research Lab
to detect various intrusive/suspicious activities
Many of these could not be detected using widely used intrusion
detection tools like SNORT
Anomalies/attacks picked by MINDS
Scanning activities
Non-standard behavior
Policy violations
Worms
MINDS – Minnesota Intrusion Detection System
Anomaly
scores
network
Data capturing
device
Net
Anomaly
detection
flow tools
tcpdump
Filtering
…
…
Association
pattern analysis
Detected
novel attacks
MINDSAT
M
I
N
D
S
Summary and
characterization
of attacks
Human
analyst
Labels
Feature
Extraction
Known attack
detection
Detected
known attacks
35
Feature Extraction
Three groups of features
Basic features of individual TCP connections
source & destination IP
Features 1 & 2
dst …
source & destination port
Features 3 & 4
h1
h1
Protocol
Feature 5
h1
Duration
Feature 6
h2
Bytes per packets
Feature 7
h4
number of bytes
Feature 8
h2
dst … service … flag %S0
service … flag
http
http
http
S0
S0
S0
http
S0
http
S0
ftp
S0
existing features
useless
syn flood
normal
h1
h1
h1
http
http
http
S0
S0
S0
70
72
75
h2
http
S0
0
h4
http
S0
0
h2
ftp
S0
0
construct features with
high information gain
Time based features
For the same source (destination) IP address, number of unique destination (source)
IP addresses inside the network in last T seconds – Features 9 (13)
Number of connections from source (destination) IP to the same destination (source)
port in last T seconds – Features 11 (15)
Connection based features
For the same source (destination) IP address, number of unique destination (source)
IP addresses inside the network in last N connections - Features 10 (14)
Number of connections from source (destination) IP to the same destination (source)
port in last N connections - Features 12 (16)
36
TYPICAL ANOMALY DETECTION OUTPUT
48 hours after the “slammer” worm
score
37674.69
26676.62
24323.55
21169.49
19525.31
19235.39
17679.1
8183.58
7142.98
5139.01
4048.49
4008.35
3657.23
3450.9
3327.98
2796.13
2693.88
2683.05
2444.16
2385.42
2114.41
2057.15
1919.54
1634.38
1596.26
1513.96
1389.09
1315.88
1279.75
1237.97
1180.82
srcIP
63.150.X.253
63.150.X.253
63.150.X.253
63.150.X.253
63.150.X.253
63.150.X.253
63.150.X.253
63.150.X.253
63.150.X.253
63.150.X.253
142.150.Y.101
200.250.Z.20
202.175.Z.237
63.150.X.253
63.150.X.253
63.150.X.253
142.150.Y.101
63.150.X.253
142.150.Y.236
142.150.Y.101
63.150.X.253
142.150.Y.101
142.150.Y.101
142.150.Y.101
63.150.X.253
142.150.Y.107
63.150.X.253
63.150.X.253
142.150.Y.103
63.150.X.253
63.150.X.253
sPort
1161
1161
1161
1161
1161
1161
1161
1161
1161
1161
0
27016
27016
1161
1161
1161
0
1161
0
0
1161
0
0
0
1161
0
1161
1161
0
1161
1161
dstIP
128.101.X.29
160.94.X.134
128.101.X.185
160.94.X.71
160.94.X.19
160.94.X.80
160.94.X.220
128.101.X.108
128.101.X.223
128.101.X.142
128.101.X.127
128.101.X.116
128.101.X.116
128.101.X.62
160.94.X.223
128.101.X.241
128.101.X.168
160.94.X.43
128.101.X.240
128.101.X.45
160.94.X.183
128.101.X.161
128.101.X.99
128.101.X.219
128.101.X.160
128.101.X.2
128.101.X.30
128.101.X.40
128.101.X.202
160.94.X.32
128.101.X.61
dPort
1434
1434
1434
1434
1434
1434
1434
1434
1434
1434
2048
4629
4148
1434
1434
1434
2048
1434
2048
2048
1434
2048
2048
2048
1434
2048
1434
1434
2048
1434
1434
protocolflags packets bytes
17
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
1
16 [2,4)
[0,1829)
17
16 [2,4)
[0,1829)
17
16 [2,4)
[0,1829)
17
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
1
16 [2,4)
[0,1829)
17
16 [0,2)
[0,1829)
1
16 [2,4)
[0,1829)
1
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
1
16 [0,2)
[0,1829)
1
16 [2,4)
[0,1829)
1
16 [2,4)
[0,1829)
17
16 [0,2)
[0,1829)
1
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
1
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
17
16 [0,2)
[0,1829)
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
3
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
4
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
5
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
6
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
7
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Anomalous connections that correspond to the “slammer” worm
Anomalous connections that correspond to the ping scan
Connections corresponding to UM machines connecting to “half-life” game servers
8
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
9
10 11 12 13 14 15 16
0.81 0 0.59 0 0 0 0 0
0.81 0 0.59 0 0 0 0 0
0.81 0 0.58 0 0 0 0 0
0.81 0 0.58 0 0 0 0 0
0.81 0 0.58 0 0 0 0 0
0.81 0 0.58 0 0 0 0 0
0.81 0 0.58 0 0 0 0 0
0.82 0 0.58 0 0 0 0 0
0.82 0 0.57 0 0 0 0 0
0.82 0 0.57 0 0 0 0 0
0.83 0 0.56 0 0 0 0 0
0
0
0
0 0 0 1 0
0
0
0
0 0 0 1 0
0.82 0 0.57 0 0 0 0 0
0.82 0 0.57 0 0 0 0 0
0.82 0 0.57 0 0 0 0 0
0.83 0 0.56 0 0 0 0 0
0.82 0 0.57 0 0 0 0 0
0.83 0 0.56 0 0 0 0 0
0.83 0 0.56 0 0 0 0 0
0.82 0 0.57 0 0 0 0 0
0.83 0 0.56 0 0 0 0 0
0.83 0 0.56 0 0 0 0 0
0.83 0 0.56 0 0 0 0 0
0.82 0 0.57 0 0 0 0 0
0.83 0 0.56 0 0 0 0 0
0.82 0 0.57 0 0 0 0 0
0.82 0 0.57 0 0 0 0 0
0.83 0 0.56 0 0 0 0 0
0.83 0 0.56 0 0 0 0 0
0.83 0 0.56 0 0 0 0 0
37
“SLAMMER” WORM
SQL Slammer is a computer worm that caused a denial of service on some
Internet hosts and dramatically slowed down general Internet traffic
spreads rapidly, infecting most of its 75,000 victims within ten minutes.
Discovered: January 24, 2003
Also Known As: SQL Slammer Worm [ISS], DDOS.SQLP1434.A [Trend],
W32/SQLSlammer [McAfee], Slammer [F-Secure], Sapphire [eEye],
W32/SQLSlam-A [Sophos]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows NT, Windows XP
W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL
Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends
376 bytes to UDP port 1434, the SQL Server Resolution Service Port.
Although titled "SQL slammer worm", the program did not use the SQL language; it
exploited a buffer overflow bug in Microsoft's flagship SQL Server and Desktop
Engine database products, for which a patch had been released six months earlier
in MS02-039.
The worm has the unintended payload of performing a Denial of Service attack due 38
to the large number of packets it sends.
IDS TRIGGERS – ANOMALY DETECTION
Also referred – profile-based detection – must build
profiles for each user group on the system
Other systems might automatically build profiles for
individual users.
This profile incorporates:
A typical user’s habits
The services he normally uses
Established baseline for the activities that a normal user
routinely does to perform his job
A user group:
Represents a group of users who perform similar functions on
the network
Can build user groups based on job classification, such as
engineers, clerks
How you assign the groups is not important, as long as the
users in the group perform on the network
39
IDS TRIGGERS – ANOMALY DETECTION
Building and updating these profiles represent a
significant portion of the work required to deploy an
anomaly-based IDS
The quality of your profiles directly related to how
successful your IDS is at detecting attacks against
your network
The most common approaches to build user
profiles include the following:
Statistical sampling
Rule-based approach
Neural networks
40
ANOMALY DETECTION – STATISTICAL SAMPLING
For profile creation:
alarms are based on deviations from your defined
normal state.
you measure deviation from normal by calculating the
standard deviation.
Control the sensitivity of your IDS:
by varying the number of standard deviations required to
generate an alarm,
to roughly regulate the number of false positives that your IDS
generates because small user deviations are less likely to
generate false positives/alarm.
41
ANOMALY DETECTION – STATISTICAL SAMPLING
Standard deviation measures the deviation from the
median or average of a data set.
When your data is based on a well-defined
distribution, each standard deviation defines a
percentage of data that falls within it.
For example:
maybe 90 percent of all data falls within one standard
deviation, 95 percent of the data falls within two standard
deviations, and 98 percent of the data falls within three
standard deviations. In this example, only 2 percent of the
data falls outside three standard deviations from the mean.
By using this process, you can define statistically how
abnormal specific data is.
42
STATISTICS BASED TECHNIQUES
Key Assumption: Normal data instances occur in high
probability regions of a statistical distribution, while
anomalies occur in the low probability regions of the
statistical distribution.
General Approach: Estimate a statistical distribution using
given data, and then apply a statistical inference test to
determine if a test instance belongs to this distribution or
not.
If an observation is more than 3 standard deviations away from the
sample mean, it is an anomaly.
Anomalies have large value for
43
STATISTICS BASED TECHNIQUES
Advantages
Utilize existing statistical modeling techniques to model
various type of distributions.
Provide a statistically justifiable solution to detect
anomalies.
Drawbacks
With high dimensions, difficult to estimate parameters,
and to construct hypothesis tests.
Parametric assumptions might not hold true for real data
sets.
44
TYPES OF STATISTICAL TECHNIQUES
Parametric Techniques
Assume that the normal (and possibly anomalous) data is generated
from an underlying parametric distribution.
Learn the parameters from the training sample.
Non-parametric Techniques
Do not assume any knowledge of parameters.
Use non-parametric techniques to estimate the density of the
distribution – e.g., histograms, parzen window estimation.
45
ANOMALY DETECTION – RULE-BASED APPROACH
Analyze the normal traffic for different users over a
period of time and then create rules that model this
behavior.
Any other behavior then can be considered
abnormal and generate an alarm.
Creating the rules that define normal behavior can
be a complicated task.
46
ANOMALY DETECTION – NEURAL NETWORKS
Neural networks are a form of artificial intelligence
in which you attempt to approximate the working of
biological neurons, such as those found in the
human brain.
With these systems, you train them by-presenting
them with a large amount of data and rules about
data relationships.
This information is used to adjust the connection
between the neurons. After the system is trained,
network traffic is used as a stimulus to the neural
network to determine whether the traffic is
considered normal.
47
ANOMALY DETECTION – NEURAL NETWORKS
Multi-layer
Perceptrons
Measuring the activation of output nodes [Augusteijn02]
Extending the learning beyond decision boundaries
Equivalent error bars as a measure of confidence for classification [Sykacek97]
Creating hyper-planes for separating between various classes, but also to have flexible
boundaries where points far from them are outliers [Vasconcelos95]
Auto-associative
neural networks
Replicator NNs [Hawkins02]
Hopfield networks [Jagota91, Crook01]
Adaptive
Radial
Resonance Theory based [Dasgupta00, Caudel93]
Basis Functions based
Adding reverse connections from output to central layer allows each neuron to have
associated normal distribution, and any new instance that does not fit any of these
distributions is an anomaly [Albrecht00, Li02]
Oscillatory
networks
Relaxation time of oscillatory NNs is used as a criterion for novelty detection when a new
instance is presented [Ho98, Borisyuk00]
48
ANOMALY DETECTION – ISSUES
The USER PROFILES form the heart of an anomaly-based
IDS.
Some systems use an initial training period that monitors
the network for a predetermined period of time.
This traffic then is used to create a user baseline.
This baseline determines what normal traffic on the
network looks like.
The disadvantage with this approach:
if users’ jobs change over time, they start generating false
alarms.
a determined attacker can gradually train the system
incrementally until his actual attack traffic appears as
normal traffic on the network.
49
ANOMALY DETECTION – BENEFITS
It can easily detect many insider attacks or account theft,
If a particular account belonging to an office clerk starts attempting
network administration functions, for example, this probably triggers an
alarm.
An attacker is not quite sure what activity generates an alarm.
With a signature-based IDS, an attacker can test which traffic generates
alarms in a lab environment. By using this information, he can then craft
tools that bypass the signature-based IDS.
With the anomaly detection system, the attacker does not know the
training data that has been used; therefore, he cannot assume any
particular action will go undetected.
Not based on signatures for specific, known attacks.
based on a profile
can generate alarms for previously unpublished attacks
as long as the new attack deviates from normal user activity.
can detect new attacks the first time they are used.
50
ANOMALY DETECTION – DRAWBACKS
High initial training time
No protection of network during training
Difficult to define normal
Must update user profiles as habits change
Generates false negatives if traffic appears normal
Difficult to understand alarming
Complicated and hard to understand
51
FALSE NEGATIVE
When an IDS fails to generate an alarm for known
intrusive activity, it is called a false negative.
False negatives represent actual attacks that the
IDS missed even though it is programmed to detect
the attack.
Most IDS developers tend to design their systems
to prevent false negatives. It is difficult, however, to
totally eliminate false negatives.
Furthermore, as you sensitize your system to report
fewer false negatives, you tend to increase the
number of false positives that get reported. It is a
constant trade-off.
52
SIGNATURE-BASED DETECTION
It looks for intrusive activity that matches specific
signatures.
These signatures are based on a set of rules that
match typical patterns and exploits used by
attackers to gain access to your network.
Highly skilled network engineers research/study
known attacks and vulnerabilities to develop the
rules for each signature.
53
SIGNATURE-BASED DETECTION: BENEFITS
Signatures are based on known intrusive activity
Detected attacks are well-defined
The system is easy to understand
Attacks are challenged immediately after
installation
54
SIGNATURE-BASED DETECTION: DRAWBACKS
Maintaining state information (event horizon*)
Updating signature database
Attacks that circumvent the IDS (false negatives)
Inability to detect unknown attacks
55
*EVENT HORIZON
The maximum amount of time over which an attack signature
can be successfully detected (from initial data to the final data
needed to complete the attack signature) is known as the event
horizon.
The IDS must maintain state information during this event
horizon.
The important point to understand is that your IDS cannot
maintain the state information indefinitely therefore, it uses the
event horizon to limit the amount of time that it stores the state
information
56
2. IDS MONITORING LOCATIONS
57
IDS MONITORING LOCATIONS
Examine where an IDS watches for the intrusive
traffic
IDS typically monitors one of two locations:
The host
The network
58
HIDS
Checks for intrusions
by checking
information at the host
or OS level
These IDSs examine
many aspects of your
host, such as system
calls, audit logs, error
and messages
* Agent = IDS agent
59
HIDS: BENEFITS
It has first hand information on the success of the
attack.
Because a host-based IDS examines traffic after it reaches
the target of the attack (assuming the host is the target),
With a network-based IDS, the alarms are generated on
known intrusive activity,
Only a HIDS can determine the actual success or failure of
an attack.
HIDS can use the host's own IP stack to easily deal
with variable Time-To-Live (TTL)* attacks
TTL is difficult to detect using a network-based IDS.
60
*VARIABLE TIME-TO-LIVE ATTACKS
All packets traveling across the network have a TTL value.
Each router that handles the packet decreases the TTL value
by one.
If the TTL value reaches zero, the packet is discarded.
An attacker can launch an attack that includes bogus packets
with smaller TTL values than the packets that make up the
real attack.
If the network-based sensor sees all the packets, but the
target host sees only the actual attack packets, the attacker
has managed to distort the information that the sensor used,
causing the sensor to potentially miss the attack.
61
VARIABLE TIME-TOLIVE ATTACKS
The picture illustrates this
attack.
The fake packets start with a
TTL of 3, whereas the real
attack packets start with a TTL
of 7.
The sensor sees both sets of
packets, but the target host
sees only the real attack
packets. Although this attack
is possible, it is not easy to
use in practice because it
requires a detailed
understanding of the network
topology and location of IDS
sensors.
Real attack
packet
62
Fake packet
HIDS: DRAWBACKS
Limited network view
Most host-based IDSs, for example, do not detect port
scans against the host.
It is almost impossible for a host-based IDS to detect
reconnaissance (“spy”) scans against your network. These
scans represent a key indicator to more attacks against
your network.
Must operate on every OS on the network
HIDS must communicate this information to some type of
central management facility.
An attack might take a host's network communication
offline. This host then cannot communicate any information
to the central management facility.
63
NIDS: BENEFITS
A network-based IDS examines packets to locate
attacks against the network. The IDS sniffs the
network packets and compares the traffic against
signatures for known intrusive activity.
Benefits:
Overall network perspective
Does not have to run on every OS on the network
64
NIDS: DRAWBACKS
Bandwidth
As network pipes grow larger and larger, it is difficult to
successfully monitor all the traffic going across the network at a
single point in real time, without missing packets.
Need to install more sensors throughout the network at locations.
Fragment reassembly
Network packets have a maximum size.
If a connection needs to send data that exceeds this maximum
bound, the data must be sent in multiple packets.
This is known as fragmentation. When the receiving host gets the
fragmented packets, it must reassemble the data.
Not all hosts perform the reassembly process in the same order.
Some OSs start with the last fragment and work toward the first.
Others start at the first and work toward the last. The order does
not matter if the fragments do not overlap. If they overlap, the
results differ for each reassembly process.
Encryption
65
HYBRID CHARACTERISTICS
66
HYBRID CHARACTERISTICS
Hybrid systems combine the functionality from
several different IDS categories to create a system
that provides more functionality than a traditional
IDS.
Some hybrid systems might incorporate multiple
triggering techniques, such as anomaly and
signature-based detection.
Other hybrid IDSs might combine multiple
monitoring locations, such as host-based and
network-based monitoring.
The major hurdle to constructing a hybrid IDS is
getting the various components to operate in
harmony, and presenting the information to the end
user in a user-friendly manner.
67
HYBRID CHARACTERISTICS: BENEFITS
Different IDS technologies are combined.
A combined host-based and network-based system, for
example, provides the overall network visibility of a
network-based IDS, as well as detailed host-level
visibility.
Combining anomaly detection with misuse
detection can produce a signature-based IDS that
can detect previously unknown attacks.
Each hybrid system needs to be analyzed on its
unique strengths.
68
HYBRID CHARACTERISTICS: DRAWBACKS
Getting
these different technologies to work
together in a single IDS can be difficult
Normally, hybrid systems attempt to merge multiple
diverse intrusion detection technologies. Combining
these technologies can produce a stronger IDS.
Presenting
the information from these multiple
technologies to the end user in a coordinated
fashion can also be a challenge.
Each hybrid system needs to be examined to
understand its strengths and weaknesses
69
SUMMARY
The common triggering mechanisms are as follows:
Anomaly detection
Signature based detection
Anomaly detection is more complex than signature
based detection, but it provides the capability to
detect previously unpublished attacks
Each different types of the IDS has it owns
strengths and weaknesses.
70
SUMMARY
Anomaly detection can detect critical information in
data.
Highly applicable in various application domains.
Nature of anomaly detection problem is dependent
on the application domain.
Need different approaches to solve a particular
problem formulation.
71
EXERCISE - DISCUSS
What are the two major types of IDS monitoring?
What are the two types of IDS triggering?
What are some drawbacks to anomaly detection?
What is the difference between a false positive and
a false negative?
72
